From eb2cb56a55a0b5a5ab5e25f768eccfffe29fedcd Mon Sep 17 00:00:00 2001
From: enothen
Date: Tue, 29 Dec 2020 09:36:45 +0100
Subject: [PATCH] Added code to support command groups inside sudo rules (#1556)

* Added code to support command groups inside sudo rules
* Added command groups to documentation of ipa_sudorule.py
* Update changelogs/fragments/1555-ipa-sudorule-add-commandgroup.yml
Co-authored-by: Felix Fontein
* Update plugins/modules/identity/ipa/ipa_sudorule.py
Co-authored-by: Felix Fontein
Co-authored-by: Eric Nothen
Co-authored-by: Felix Fontein
---
 .../1555-ipa-sudorule-add-commandgroup.yml | 2 ++
 plugins/modules/identity/ipa/ipa_sudorule.py | 34 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 changelogs/fragments/1555-ipa-sudorule-add-commandgroup.yml

diff --git a/changelogs/fragments/1555-ipa-sudorule-add-commandgroup.yml b/changelogs/fragments/1555-ipa-sudorule-add-commandgroup.yml
new file mode 100644
index 0000000000..e1b48b4fbf
--- /dev/null
+++ b/changelogs/fragments/1555-ipa-sudorule-add-commandgroup.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - ipa_sudorule - added option to use command groups inside sudo rules (https://github.com/ansible-collections/community.general/issues/1555).
diff --git a/plugins/modules/identity/ipa/ipa_sudorule.py b/plugins/modules/identity/ipa/ipa_sudorule.py
index 9a0259bbe9..35c3327841 100644
--- a/plugins/modules/identity/ipa/ipa_sudorule.py
+++ b/plugins/modules/identity/ipa/ipa_sudorule.py
@@ -33,6 +33,14 @@ options:
 - If option is omitted commands will not be checked or changed.
 type: list
 elements: str
+ cmdgroup:
+ description:
+ - List of command groups assigned to the rule.
+ - If an empty list is passed all command groups will be removed from the rule.
+ - If option is omitted command groups will not be checked or changed.
+ type: list
+ elements: str
+ version_added: 2.0.0
 description:
 description:
 - Description of the sudo rule.
@@ -134,6 +142,21 @@ EXAMPLES = r'''
 ipa_host: ipa.example.com
 ipa_user: admin
 ipa_pass: topsecret
+
+- name: Ensure user group operations can run any commands that is part of operations-cmdgroup on any host.
+ community.general.ipa_sudorule:
+ name: sudo_operations_all
+ description: Allow operators to run any commands that is part of operations-cmdgroup on any host.
+ cmdgroup:
+ - operations-cmdgroup
+ hostcategory: all
+ sudoopt:
+ - '!authenticate'
+ usergroup:
+ - operators
+ ipa_host: ipa.example.com
+ ipa_user: admin
+ ipa_pass: topsecret
 '''
 
 RETURN = r'''
@@ -199,6 +222,9 @@ class SudoRuleIPAClient(IPAClient):
 def sudorule_add_allow_command(self, name, item):
 return self._post_json(method='sudorule_add_allow_command', name=name, item={'sudocmd': item})
 
+ def sudorule_add_allow_command_group(self, name, item):
+ return self._post_json(method='sudorule_add_allow_command_group', name=name, item={'sudocmdgroup': item})
+
 def sudorule_remove_allow_command(self, name, item):
 return self._post_json(method='sudorule_remove_allow_command', name=name, item=item)
 
@@ -254,6 +280,7 @@ def ensure(module, client):
 state = module.params['state']
 name = module.params['cn']
 cmd = module.params['cmd']
+ cmdgroup = module.params['cmdgroup']
 cmdcategory = module.params['cmdcategory']
 host = module.params['host']
 hostcategory = module.params['hostcategory']
@@ -305,6 +332,11 @@ def ensure(module, client):
 if not module.check_mode:
 client.sudorule_add_allow_command(name=name, item=cmd)
 
+ if cmdgroup is not None:
+ changed = category_changed(module, client, 'cmdcategory', ipa_sudorule) or changed
+ if not module.check_mode:
+ client.sudorule_add_allow_command_group(name=name, item=cmdgroup)
+
 if runasusercategory is not None:
 changed = category_changed(module, client, 'iparunasusercategory', ipa_sudorule) or changed
 
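Review bot: The cmdgroup branch added to ensure() at @@ -305 only ever calls `client.sudorule_add_allow_command_group(name=name, item=cmdgroup)`; nothing compares the requested list with the rule's current command groups, so an empty list removes nothing and a group dropped from the playbook silently keeps its sudo privileges, contrary to the option documentation at @@ -33 ("If an empty list is passed all command groups will be removed from the rule"), and `changed` is never set by the add itself, so the task reports no change after modifying a privilege-granting rule. This mirrors the existing cmd branch, but the reconciliation should either diff against the rule's current members and add a remove counterpart to the wrapper introduced at @@ -199, or the documentation should state plainly that only additions are performed. Separately, as far as I know FreeIPA exposes command-group membership through the same `sudorule_add_allow_command` method with a `sudocmdgroup` parameter rather than a distinct `sudorule_add_allow_command_group` method, so the `method=` string in the new wrapper is worth verifying against the server API before release. SudoRuleIPAClient and ensure() both start and end outside these hunks.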
@@ -361,6 +393,7 @@ def ensure(module, client):
 def main():
 argument_spec = ipa_argument_spec()
 argument_spec.update(cmd=dict(type='list', elements='str'),
+ cmdgroup=dict(type='list', elements='str'),
 cmdcategory=dict(type='str', choices=['all']),
 cn=dict(type='str', required=True, aliases=['name']),
 description=dict(type='str'),
@@ -377,6 +410,7 @@ def main():
 
 module = AnsibleModule(argument_spec=argument_spec,
 mutually_exclusive=[['cmdcategory', 'cmd'],
+ ['cmdcategory', 'cmdgroup'],
 ['hostcategory', 'host'],
 ['hostcategory', 'hostgroup'],
 ['usercategory', 'user'],