From e57c6a9d2e79109fd7f2311389944a05f1af19f0 Mon Sep 17 00:00:00 2001
From: yumaojun <719118794@qq.com>
Date: Fri, 20 Nov 2015 14:03:05 +0800
Subject: [PATCH 1/4] =?UTF-8?q?1.=20=E5=9C=A8=E6=8E=88=E6=9D=83=E8=A7=84?=
 =?UTF-8?q?=E5=88=99=E6=B7=BB=E5=8A=A0=E9=A1=B5=E9=9D=A2=E3=80=80=E9=80=9A?=
 =?UTF-8?q?=E8=BF=87js=20=E7=BB=99=E4=BA=88=E7=94=A8=E6=88=B7=E8=BE=93?=
 =?UTF-8?q?=E5=85=A5=E6=8F=90=E9=86=92?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 templates/jperm/perm_rule_add.html | 49 +++++++++++++++++++++++++-----
 1 file changed, 41 insertions(+), 8 deletions(-)

diff --git a/templates/jperm/perm_rule_add.html b/templates/jperm/perm_rule_add.html
index 6a34cfcf4..0eb67903d 100644
--- a/templates/jperm/perm_rule_add.html
+++ b/templates/jperm/perm_rule_add.html
@@ -26,7 +26,7 @@
                         </div>
                     </div>
                     <div class="ibox-content">
-                        <form method="post" id="userForm" class="form-horizontal" action="">
+                        <form method="post" id="ruleForm" class="form-horizontal" action="">
                             {% if error %}
                                 <div class="alert alert-warning text-center">{{ error }}</div>
                             {% endif %}
@@ -36,16 +36,16 @@
                             <div class="form-group">
                                 <label for="username" class="col-sm-2 control-label">授权名称<span class="red-fonts">*</span></label>
                                 <div class="col-sm-8">
-                                    <input id="rulename" name="rulename" placeholder="Rule Name" type="text" class="form-control" {% if error %}value="{{ username }}" {% endif %}>
+                                    <input id="rulename" name="rulename" placeholder="Rule Name" type="text" class="form-control">
                                 </div>
                             </div>
                             <div class="hr-line-dashed"></div>
                             <div class="form-group">
                                 <label for="user" class="col-sm-2 control-label">用户<span class="red-fonts">*</span></label>
-                                <div class="col-sm-8">
+                                <div class="col-sm-8" id="username">
                                     <select name="user" data-placeholder="用户名" class="chosen-select form-control m-b" multiple  tabindex="2">
                                         {% for user in users %}
-                                            <option value="{{ user.name }}">{{ user.name }}</option>
+                                            <option>{{ user.name }}</option>
                                         {% endfor %}
                                     </select>
                                 </div>
@@ -53,7 +53,7 @@
                             <div class="hr-line-dashed"></div>
                             <div class="form-group">
                                 <label for="usergroup" class="col-sm-2 control-label">用户组<span class="red-fonts">*</span></label>
-                                <div class="col-sm-8">
+                                <div class="col-sm-8" id="user_group_name">
                                     <select name="usergroup" data-placeholder="请选择用户组" class="chosen-select form-control m-b" multiple  tabindex="2">
                                         {% for user_group in user_groups %}
                                             <option value="{{ user_group.name }}">{{ user_group.name }}</option>
@@ -64,7 +64,7 @@
                             <div class="hr-line-dashed"></div>
                             <div class="form-group">
                                 <label for="asset" class="col-sm-2 control-label">资产<span class="red-fonts">*</span></label>
-                                <div class="col-sm-8">
+                                <div class="col-sm-8" id="asset_name">
                                     <select name="asset" data-placeholder="请选择资产" class="chosen-select form-control m-b" multiple  tabindex="2">
                                         {% for asset in assets %}
                                             <option value="{{ asset.ip }}">{{ asset.ip }}</option>
@@ -75,7 +75,7 @@
                             <div class="hr-line-dashed"></div>
                             <div class="form-group">
                                 <label for="assetgroup" class="col-sm-2 control-label">资产组<span class="red-fonts">*</span></label>
-                                <div class="col-sm-8">
+                                <div class="col-sm-8" id="asset_group_name">
                                     <select name="assetgroup" data-placeholder="请选择资产组" class="chosen-select form-control m-b" multiple  tabindex="2">
                                         {% for asset_group in asset_groups %}
                                             <option value="{{ asset_group.name }}">{{ asset_group.name }}</option>
@@ -86,7 +86,7 @@
                             <div class="hr-line-dashed"></div>
                             <div class="form-group">
                                 <label for="role" class="col-sm-2 control-label">角色<span class="red-fonts">*</span></label>
-                                <div class="col-sm-8">
+                                <div class="col-sm-8"　id="role_name">
                                     <select name="role" data-placeholder="请选择角色" class="chosen-select form-control m-b" multiple  tabindex="2">
                                         {% for role in roles %}
                                             <option value="{{ role.name }}">{{ role.name }}</option>
@@ -118,6 +118,39 @@
 {% endblock %}
 {% block self_footer_js %}
 <script>
+
+$('#ruleForm').submit(function() {
+    var result = {}
+    var data = $(this).serializeArray();
+    $.each(data, function(i, field){
+        result[field.name] = field.value;
+    });
+    if (result['user'] || result['usergroup'] || result['asset'] || result['assetgroup'] || result['rulename'] || result['role']) {
+        if (result['rulename'] === '') {
+            alert("请添加授权名称")
+            return false
+        }
+        if (! result['user'] && ! result['usergroup']) {
+            alert("用户和用户组必选１个")
+            return false
+        }
+        if (! result['asset'] && ! result['assetgroup']) {
+            alert("资产和资产组必选１个")
+            return false
+        }
+        if (! result['role']) {
+            alert("请填写角色")
+            return false
+        }
+        return true
+    } else {
+        alert("请填必选项")
+        return false;
+    }
+});
+
+
+
 $(document).ready(function(){
     $("input.role").click(function(){
         if($("input.role[value=GA]").is( ":checked" )){

From 1a0c9cd4e6a9d68be1cded0a64b05a02513b88e8 Mon Sep 17 00:00:00 2001
From: yumaojun <719118794@qq.com>
Date: Tue, 24 Nov 2015 22:03:58 +0800
Subject: [PATCH 2/4] =?UTF-8?q?1.=20=E6=96=B0=E5=A2=9E=20PermSudo=E8=A1=A8?=
 =?UTF-8?q?,=20=E7=94=A8=E4=BA=8E=E8=AE=B0=E5=BD=95=20sudo=E5=88=AB?=
 =?UTF-8?q?=E5=90=8D=202.=20=E5=AE=9E=E7=8E=B0Sudo=E8=A1=A8=E5=AF=B9?=
 =?UTF-8?q?=E5=BA=94=E7=9A=84=20=E6=B7=BB=E5=8A=A0=EF=BC=8C=E6=98=BE?=
 =?UTF-8?q?=E7=A4=BA=EF=BC=8C=E6=9B=B4=E6=96=B0=EF=BC=8C=E5=88=A0=E9=99=A4?=
 =?UTF-8?q?=E9=A1=B5=E9=9D=A2=203.=20=E6=B7=BB=E5=8A=A0=E8=A7=92=E8=89=B2?=
 =?UTF-8?q?=E6=97=B6=EF=BC=8C=E9=9C=80=E8=A6=81=E9=80=89=E6=8B=A9=E5=AF=B9?=
 =?UTF-8?q?=E5=BA=94=E7=9A=84=20sudo=E5=88=AB=E5=90=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 jperm/ansible_api.py                |  67 +++++++++-----
 jperm/models.py                     |  17 +++-
 jperm/urls.py                       |   5 +-
 jperm/utils.py                      |  25 +++++
 jperm/views.py                      | 136 +++++++++++++++++++++++++++-
 jumpserver/templatetags/mytags.py   |   9 ++
 templates/jperm/perm_role_add.html  |  11 +++
 templates/jperm/perm_role_edit.html |  11 +++
 templates/jperm/perm_role_list.html |   3 +
 templates/jperm/perm_sudo_add.html  | 120 ++++++++++++++++++++++++
 templates/jperm/perm_sudo_edit.html | 120 ++++++++++++++++++++++++
 templates/jperm/perm_sudo_list.html | 112 +++++++++++++++++++++++
 templates/jperm/role_sudo.j2        | 126 ++++++++++++++++++++++++++
 templates/nav.html                  |   4 +-
 14 files changed, 737 insertions(+), 29 deletions(-)
 create mode 100644 templates/jperm/perm_sudo_add.html
 create mode 100644 templates/jperm/perm_sudo_edit.html
 create mode 100644 templates/jperm/perm_sudo_list.html
 create mode 100644 templates/jperm/role_sudo.j2

diff --git a/jperm/ansible_api.py b/jperm/ansible_api.py
index 3a8b50c61..ee7c2ddee 100644
--- a/jperm/ansible_api.py
+++ b/jperm/ansible_api.py
@@ -20,7 +20,6 @@ API_DIR = os.path.dirname(os.path.abspath(__file__))
 ANSIBLE_DIR = os.path.join(API_DIR, 'playbooks')
 
 
-
 class AnsibleError(StandardError):
     """
     the base AnsibleError which contains error(required),
@@ -44,7 +43,7 @@ class CommandValueError(AnsibleError):
         super(CommandValueError, self).__init__('value:invalid', field, message)
 
 
-class MyInventory(object):
+class MyInventory(Inventory):
     """
     this is my ansible inventory object.
     """
@@ -65,7 +64,7 @@ class MyInventory(object):
         self.inventory = Inventory(host_list=[])
         self.gen_inventory()
 
-    def add_group(self, hosts, groupname, groupvars=None):
+    def my_add_group(self, hosts, groupname, groupvars=None):
         """
         add hosts to a group
         """
@@ -83,11 +82,13 @@ class MyInventory(object):
             hostport = host.get("port")
             username = host.get("username")
             password = host.get("password")
+            sudo_password = host.get("sudo_password")
             my_host = Host(name=hostname, port=hostport)
             my_host.set_variable('ansible_ssh_host', hostname)
             my_host.set_variable('ansible_ssh_port', hostport)
             my_host.set_variable('ansible_ssh_user', username)
             my_host.set_variable('ansible_ssh_pass', password)
+
             # set other variables 
             for key, value in host.iteritems():
                 if key not in ["hostname", "port", "username", "password"]:
@@ -102,10 +103,10 @@ class MyInventory(object):
         add hosts to inventory.
         """
         if isinstance(self.resource, list):
-            self.add_group(self.resource, 'default_group')
+            self.my_add_group(self.resource, 'default_group')
         elif isinstance(self.resource, dict):
             for groupname, hosts_and_vars in self.resource.iteritems():
-                self.add_group(hosts_and_vars.get("hosts"), groupname, hosts_and_vars.get("vars"))
+                self.my_add_group(hosts_and_vars.get("hosts"), groupname, hosts_and_vars.get("vars"))
 
 
 class Command(MyInventory):
@@ -125,7 +126,7 @@ class Command(MyInventory):
 
         if module_name not in ["raw", "command", "shell"]:
             raise CommandValueError("module_name",
-                                     "module_name must be of the 'raw, command, shell'")
+                                    "module_name must be of the 'raw, command, shell'")
         hoc = Runner(module_name=module_name,
                      module_args=command,
                      timeout=timeout,
@@ -136,15 +137,17 @@ class Command(MyInventory):
                      )
         self.results = hoc.run()
 
+        ret = {}
         if self.stdout:
-            return {"ok": self.stdout}
+            ret["ok"] = self.stdout
         else:
             msg = []
             if self.stderr:
                 msg.append(self.stderr)
             if self.dark:
                 msg.append(self.dark)
-            return {"failed": msg}
+            ret["failed"] = msg
+        return ret
 
     @property
     def raw_results(self):
@@ -206,7 +209,14 @@ class Tasks(Command):
     def __init__(self, *args, **kwargs):
         super(Tasks, self).__init__(*args, **kwargs)
 
-    def __run(self, module_args, module_name="command", timeout=5, forks=10, group='default_group', pattern='*'):
+    def __run(self,
+              module_args,
+              module_name="command",
+              timeout=5,
+              forks=10,
+              group='default_group',
+              pattern='*',
+              ):
         """
         run command from andible ad-hoc.
         command  : 必须是一个需要执行的命令字符串， 比如 
@@ -219,6 +229,7 @@ class Tasks(Command):
                      subset=group,
                      pattern=pattern,
                      forks=forks,
+                     become=False,
                      )
 
         self.results = hoc.run()
@@ -272,7 +283,7 @@ class Tasks(Command):
         module_args = 'user="%s" key="{{ lookup("file", "%s") }}" state="absent"' % (user, key_path)
         self.__run(module_args, "authorized_key")
 
-        return {"status": "failed","msg": self.msg} if self.msg else {"status": "ok"}
+        return {"status": "failed", "msg": self.msg} if self.msg else {"status": "ok"}
 
     def add_user(self, username, password):
         """
@@ -310,7 +321,8 @@ class Tasks(Command):
         delete a host user.
         """
         module_args = 'name=%s state=absent remove=yes move_home=yes force=yes' % (username)
-        self.__run(module_args, "user")
+        self.__run(module_args,
+                   "user",)
 
         return {"status": "failed","msg": self.msg} if self.msg else {"status": "ok"}
 
@@ -386,9 +398,15 @@ class Tasks(Command):
                     "product_sn": setup.get("ansible_product_serial")
             }
 
-        return {"status": "failed", "msg": self.msg} if self.msg else {"status": "ok", "result": result}
-
+        return {"failed": self.msg, "ok": result}
 
+    def push_sudo(self, role_custo, role_name, role_chosen):
+        """
+        use template to render pushed sudoers file
+        :return:
+        """
+        module_args = 'src=%s dest=%s owner=root group=root mode=0440' % (username, encrypt_pass)
+        self.__run(module_args, "template")
 
 
 class CustomAggregateStats(callbacks.AggregateStats):
@@ -440,12 +458,12 @@ class MyPlaybook(MyInventory):
         playbook_path = os.path.join(ANSIBLE_DIR, playbook_relational_path)
 
         pb = PlayBook(
-            playbook = playbook_path,
-            stats = stats,
-            callbacks = playbook_cb,
-            runner_callbacks = runner_cb,
-            inventory = self.inventory,
-            extra_vars = extra_vars,
+            playbook=playbook_path,
+            stats=stats,
+            callbacks=playbook_cb,
+            runner_callbacks=runner_cb,
+            inventory=self.inventory,
+            extra_vars=extra_vars,
             check=False)
 
         self.results = pb.run()
@@ -475,9 +493,14 @@ if __name__ == "__main__":
 #                          },
 #                }
 
-    resource = [{"hostname": "127.0.0.1", "port": "22", "username": "yumaojun", "password": "yusky0902"}]
-    command = Command(resource)
-    print command.run("who")
+    resource = [{"hostname": "127.0.0.1", "port": "22", "username": "yumaojun", "password": "yusky0902",
+                 # "ansible_become": "yes",
+                 # "ansible_become_method": "sudo",
+                 # # "ansible_become_user": "root",
+                 # "ansible_become_pass": "yusky0902",
+                 }]
+    cmd = Command(resource)
+    print cmd.run('ls')
 
     # resource = [{"hostname": "192.168.10.148", "port": "22", "username": "root", "password": "xxx"}]
     # task = Tasks(resource)
diff --git a/jperm/models.py b/jperm/models.py
index dc8643b67..019411f9b 100644
--- a/jperm/models.py
+++ b/jperm/models.py
@@ -19,12 +19,23 @@ class SysUser(models.Model):
     comment = models.CharField(max_length=100, null=True, blank=True, default='')
 
 
+class PermSudo(models.Model):
+    name = models.CharField(max_length=100, unique=True)
+    date_added = models.DateTimeField(auto_now=True)
+    commands = models.TextField()
+    comment = models.CharField(max_length=100, null=True, blank=True, default='')
+
+    def __unicode__(self):
+        return self.name
+
+
 class PermRole(models.Model):
     name = models.CharField(max_length=100, unique=True)
     comment = models.CharField(max_length=100, null=True, blank=True, default='')
     password = models.CharField(max_length=100)
     key_path = models.CharField(max_length=100)
     date_added = models.DateTimeField(auto_now=True)
+    sudo = models.ManyToManyField(PermSudo, related_name='perm_role')
 
     def __unicode__(self):
         return self.name
@@ -41,4 +52,8 @@ class PermRule(models.Model):
     role = models.ManyToManyField(PermRole, related_name='perm_rule')
 
     def __unicode__(self):
-        return self.name
\ No newline at end of file
+        return self.name
+
+
+
+
diff --git a/jperm/urls.py b/jperm/urls.py
index aa80f7f75..e382a2a2c 100644
--- a/jperm/urls.py
+++ b/jperm/urls.py
@@ -13,7 +13,10 @@ urlpatterns = patterns('jperm.views',
                        (r'^role/perm_role_detail/$', perm_role_detail),
                        (r'^role/perm_role_edit/$', perm_role_edit),
                        (r'^role/perm_role_push/$', perm_role_push),
-
+                       (r'^sudo/$', perm_sudo_list),
+                       (r'^sudo/perm_sudo_add/$', perm_sudo_add),
+                       (r'^sudo/perm_sudo_delete/$', perm_sudo_delete),
+                       (r'^sudo/perm_sudo_edit/$', perm_sudo_edit),
 
                        (r'^log/$', log),
                        (r'^sys_user_add/$', sys_user_add),
diff --git a/jperm/utils.py b/jperm/utils.py
index 63054b30b..ea68488a8 100644
--- a/jperm/utils.py
+++ b/jperm/utils.py
@@ -6,6 +6,8 @@ import os.path
 from paramiko.rsakey import RSAKey
 from os import chmod, makedirs
 from uuid import uuid4
+from django.template.loader import get_template
+from django.template import Context
 
 from jumpserver.settings import KEY_DIR
 
@@ -62,6 +64,29 @@ def gen_keys():
     return key_path_dir
 
 
+def gen_sudo(role_custom, role_name, role_chosen):
+    """
+    生成sudo file, 仅测试了cenos7
+    role_custom: 自定义支持的sudo 命令　格式: 'CMD1, CMD2, CMD3, ...'
+    role_name: role name
+    role_chosen: 选择那些sudo的命令别名：
+    　　　　NETWORKING, SOFTWARE, SERVICES, STORAGE,
+    　　　　DELEGATING, PROCESSES, LOCATE, DRIVERS
+    :return:
+    """
+    sudo_file_basename = os.path.join(os.path.dirname(KEY_DIR), 'role_sudo_file')
+    makedirs(sudo_file_basename)
+    sudo_file_path = os.path.join(sudo_file_basename, role_name)
+
+    t = get_template('role_sudo.j2')
+    content = t.render(Context({"role_custom": role_custom,
+                      "role_name": role_name,
+                      "role_chosen": role_chosen,
+                      }))
+    with open(sudo_file_path, 'w') as f:
+        f.write(content)
+    return sudo_file_path
+
 
 
 if __name__ == "__main__":
diff --git a/jperm/views.py b/jperm/views.py
index f961a8e07..7c4f59c82 100644
--- a/jperm/views.py
+++ b/jperm/views.py
@@ -9,7 +9,7 @@ from juser.user_api import gen_ssh_key
 
 from juser.models      import User, UserGroup
 from jasset.models     import Asset, AssetGroup
-from jperm.models      import PermRole, PermRule
+from jperm.models      import PermRole, PermRule, PermSudo
 from jumpserver.models import Setting
 
 from jperm.utils       import updates_dict, gen_keys, get_rand_pass
@@ -259,19 +259,24 @@ def perm_role_add(request):
 
     if request.method == "GET":
         default_password = get_rand_pass()
+        sudos = PermSudo.objects.all()
         return my_render('jperm/perm_role_add.html', locals(), request)
 
     elif request.method == "POST":
-        # 获取参数： name, comment
+        # 获取参数： name, comment, sudo
         name = request.POST.get("role_name")
         comment = request.POST.get("role_comment")
         password = request.POST.get("role_password")
+        sudos_name = request.POST.getlist("sudo_name")
+        sudos_obj = [PermSudo.objects.get(name=sudo_name) for sudo_name in sudos_name]
         encrypt_pass = CRYPTOR.encrypt(password)
         # 生成随机密码，生成秘钥对
 
         key_path = gen_keys()
         role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path)
         role.save()
+        role.sudo = sudos_obj
+        role.save()
 
         msg = u"添加角色: %s" % name
         # 渲染 刷新数据
@@ -350,6 +355,7 @@ def perm_role_edit(request):
     role_id = request.GET.get("id")
     role = PermRole.objects.get(id=role_id)
     role_pass = CRYPTOR.decrypt(role.password)
+    role_sudos = role.sudo.all()
     if request.method == "GET":
         return my_render('jperm/perm_role_edit.html', locals(), request)
 
@@ -359,11 +365,14 @@ def perm_role_edit(request):
         role_password = request.POST.get("role_password")
         encrypt_role_pass = CRYPTOR.encrypt(role_password)
         role_comment = request.POST.get("role_comment")
+        role_sudo_names = request.POST.getlist("sudo_name")
+        role_sudos = [PermSudo.objects.get(name=sudo_name) for sudo_name in role_sudo_names]
 
         # 写入数据库
         role.name = role_name
         role.password = encrypt_role_pass
         role.comment = role_comment
+        role.sudo = role_sudos
 
         role.save()
         msg = u"更新系统角色： %s" % role.name
@@ -380,8 +389,6 @@ def perm_role_edit(request):
         return my_render('jperm/perm_role_list.html', locals(), request)
 
 
-
-
 @require_role('admin')
 def perm_role_push(request):
     """
@@ -461,6 +468,127 @@ def perm_role_push(request):
             return HttpResponse(u"推送系统角色： %s" % ','.join(role_names))
 
 
+@require_role('admin')
+def perm_sudo_list(request):
+    """
+    list sudo commands alias
+    :param request:
+    :return:
+    """
+    # 渲染数据
+    header_title, path1, path2 = "Sudo命令", "别名管理", "查看别名"
+
+    # 获取所有sudo 命令别名
+    sudos_list = PermSudo.objects.all()
+
+    # TODO: 搜索和分页
+    keyword = request.GET.get('search', '')
+    if keyword:
+        sudos_list = sudos_list.filter(Q(name=keyword))
+
+    sudos_list, p, sudos, page_range, current_page, show_first, show_end = pages(sudos_list, request)
+
+    return my_render('jperm/perm_sudo_list.html', locals(), request)
+
+
+@require_role('admin')
+def perm_sudo_add(request):
+    """
+    list sudo commands alias
+    :param request:
+    :return:
+    """
+    # 渲染数据
+    header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名"
+
+    if request.method == "GET":
+        return my_render('jperm/perm_sudo_add.html', locals(), request)
+
+    elif request.method == "POST":
+        # 获取参数： name, comment
+        name = request.POST.get("sudo_name")
+        comment = request.POST.get("sudo_comment")
+        commands = request.POST.get("sudo_commands")
+
+        sudo = PermSudo(name=name, comment=comment, commands=commands)
+        sudo.save()
+
+        msg = u"添加Sudo命令别名: %s" % name
+        # 渲染数据
+        header_title, path1, path2 = "Sudo命令", "别名管理", "查看别名"
+        # 获取所有sudo 命令别名
+        sudos_list = PermSudo.objects.all()
+
+        # TODO: 搜索和分页
+        keyword = request.GET.get('search', '')
+        if keyword:
+            roles_list = sudos_list.filter(Q(name=keyword))
+
+        sudos_list, p, sudos, page_range, current_page, show_first, show_end = pages(sudos_list, request)
+
+        return my_render('jperm/perm_sudo_list.html', locals(), request)
+    else:
+        return HttpResponse(u"不支持该操作")
+
+
+@require_role('admin')
+def perm_sudo_edit(request):
+    """
+    list sudo commands alias
+    :param request:
+    :return:
+    """
+    # 渲染数据
+    header_title, path1, path2 = "Sudo命令", "别名管理", "编辑别名"
+
+    sudo_id = request.GET.get("id")
+    sudo = PermSudo.objects.get(id=sudo_id)
+    if request.method == "GET":
+        return my_render('jperm/perm_sudo_edit.html', locals(), request)
+
+    if request.method == "POST":
+        name = request.POST.get("sudo_name")
+        commands = request.POST.get("sudo_commands")
+        comment = request.POST.get("sudo_comment")
+        sudo.name = name
+        sudo.commands = commands
+        sudo.comment = comment
+        sudo.save()
+
+        msg = u"更新命令别名： %s" % name
+        # 渲染数据
+        header_title, path1, path2 = "Sudo命令", "别名管理", "查看别名"
+        # 获取所有sudo 命令别名
+        sudos_list = PermSudo.objects.all()
+        # TODO: 搜索和分页
+        keyword = request.GET.get('search', '')
+        if keyword:
+            sudos_list = sudos_list.filter(Q(name=keyword))
+        sudos_list, p, sudos, page_range, current_page, show_first, show_end = pages(sudos_list, request)
+        return my_render('jperm/perm_sudo_list.html', locals(), request)
+
+
+@require_role('admin')
+def perm_sudo_delete(request):
+    """
+    list sudo commands alias
+    :param request:
+    :return:
+    """
+    if request.method == "POST":
+        # 获取参数删除的role对象
+        sudo_id = request.POST.get("id")
+        sudo = PermSudo.objects.get(id=sudo_id)
+        # 数据库里删除记录
+        sudo.delete()
+        return HttpResponse(u"删除角色: %s" % sudo.name)
+    else:
+        return HttpResponse(u"不支持该操作")
+
+
+
+
+
 
 
 
diff --git a/jumpserver/templatetags/mytags.py b/jumpserver/templatetags/mytags.py
index 8dcdf377c..e99c30f05 100644
--- a/jumpserver/templatetags/mytags.py
+++ b/jumpserver/templatetags/mytags.py
@@ -226,3 +226,12 @@ def ip_str_to_list(ip_str):
     ip str to list
     """
     return ip_str.split(',')
+
+
+@register.filter(name='role_contain_which_sudos')
+def role_contain_which_sudos(role):
+    """
+    get role sudo commands
+    """
+    sudo_names = [sudo.name for sudo in role.sudo.all()]
+    return ','.join(sudo_names)
diff --git a/templates/jperm/perm_role_add.html b/templates/jperm/perm_role_add.html
index 243452db0..1f534ac2a 100644
--- a/templates/jperm/perm_role_add.html
+++ b/templates/jperm/perm_role_add.html
@@ -47,6 +47,17 @@
                                 </div>
                             </div>
                             <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <label for="sudo" class="col-sm-2 control-label">角色Sudo命令<span class="red-fonts">*</span></label>
+                                <div class="col-sm-8" id="sudo_name">
+                                    <select name="sudo_name" data-placeholder="请选择Sudo别名" class="chosen-select form-control m-b" multiple  tabindex="2">
+                                        {% for sudo in sudos %}
+                                            <option >{{ sudo.name }}</option>
+                                        {% endfor %}
+                                    </select>
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
                             <div class="form-group">
                                 <label for="role_comment" class="col-sm-2 control-label">备注</label>
                                 <div class="col-sm-8">
diff --git a/templates/jperm/perm_role_edit.html b/templates/jperm/perm_role_edit.html
index 3b5637560..b1a5cb50c 100644
--- a/templates/jperm/perm_role_edit.html
+++ b/templates/jperm/perm_role_edit.html
@@ -47,6 +47,17 @@
                                 </div>
                             </div>
                             <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <label for="sudo" class="col-sm-2 control-label">角色Sudo命令<span class="red-fonts">*</span></label>
+                                <div class="col-sm-8" id="sudo_name">
+                                    <select name="sudo_name" data-placeholder="请选择Sudo别名" class="chosen-select form-control m-b" multiple  tabindex="2">
+                                        {% for sudo in role_sudos %}
+                                            <option selected >{{ sudo.name }}</option>
+                                        {% endfor %}
+                                    </select>
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
                             <div class="form-group">
                                 <label for="role_comment" class="col-sm-2 control-label">备注</label>
                                 <div class="col-sm-8">
diff --git a/templates/jperm/perm_role_list.html b/templates/jperm/perm_role_list.html
index 045012ccd..060af1760 100644
--- a/templates/jperm/perm_role_list.html
+++ b/templates/jperm/perm_role_list.html
@@ -53,6 +53,7 @@
                                 <th class="text-center">名称 </th>
                                 <th class="text-center">备注</th>
                                 <th class="text-center">创建时间</th>
+                                <th class="text-center">sudo别名</th>
                                 <th class="text-center">操作</th>
                             </tr>
                         </thead>
@@ -62,6 +63,7 @@
                                 <td class="text-center"> {{ role.name }} </td>
                                 <td class="text-center"> {{ role.comment }} </td>
                                 <td class="text-center"> {{ role.date_added | date:"Y-m-d H:i:s"}} </td>
+                                <td class="text-center"> {{ role | role_contain_which_sudos }} </td>
                                 <td class="text-center">
                                     <a href="/jperm/role/perm_role_detail/?id={{ role.id }}" class="btn btn-xs btn-primary">详情</a>
                                     <a href="/jperm/role/perm_role_edit/?id={{ role.id }}" class="btn btn-xs btn-info">编辑</a>
@@ -99,6 +101,7 @@ function remove_role(role_id){
                del_row.remove()
            },
            error: function (msg) {
+               console.log(msg)
                alert("失败: " + msg)
            }
         });
diff --git a/templates/jperm/perm_sudo_add.html b/templates/jperm/perm_sudo_add.html
new file mode 100644
index 000000000..8df34a5ce
--- /dev/null
+++ b/templates/jperm/perm_sudo_add.html
@@ -0,0 +1,120 @@
+{% extends 'base.html' %}
+{% block self_head_css_js %}
+    <link href="/static/css/plugins/datapicker/datepicker3.css" rel="stylesheet">
+    <link href="/static/css/plugins/chosen/chosen.css" rel="stylesheet">
+    <script src="/static/js/plugins/chosen/chosen.jquery.js"></script>
+{% endblock %}
+{% load mytags %}
+{% block content %}
+    {% include 'nav_cat_bar.html' %}
+    <div class="wrapper wrapper-content animated fadeInRight">
+        <div class="row">
+            <div class="col-lg-10">
+                <div class="ibox float-e-margins">
+                    <div class="ibox-title">
+                        <h5>填写基本信息</h5>
+                        <div class="ibox-tools">
+                            <a class="collapse-link">
+                                <i class="fa fa-chevron-up"></i>
+                            </a>
+                            <a class="dropdown-toggle" data-toggle="dropdown" href="#">
+                                <i class="fa fa-wrench"></i>
+                            </a>
+                            <a class="close-link">
+                                <i class="fa fa-times"></i>
+                            </a>
+                        </div>
+                    </div>
+                    <div class="ibox-content">
+                        <form method="post" id="sudoForm" class="form-horizontal" action="">
+                            {% if error %}
+                                <div class="alert alert-warning text-center">{{ error }}</div>
+                            {% endif %}
+                            {% if msg %}
+                                <div class="alert alert-success text-center">{{ msg }}</div>
+                            {% endif %}
+                            <div class="form-group">
+                                <label for="sudo_name" class="col-sm-2 control-label">命令别名<span class="red-fonts">*</span></label>
+                                <div class="col-sm-8">
+                                    <input id="sudo_name" name="sudo_name" placeholder="Sudo Command Alias" type="text" class="form-control">
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <label for="sudo_commands_label" class="col-sm-2 control-label">系统命令<span class="red-fonts">*</span></label>
+                                <div class="col-sm-8">
+                                    <textarea id="sudo_commands" name="sudo_commands" class="form-control" rows="3"></textarea>
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <label for="sudo_comment" class="col-sm-2 control-label">备注</label>
+                                <div class="col-sm-8">
+                                    <input id="sudo_comment" name="sudo_comment" placeholder="Sudo Comment" type="text" class="form-control">
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <div class="col-sm-4 col-sm-offset-2">
+                                    <button class="btn btn-white" type="reset">取消</button>
+                                    <button id="submit_button" class="btn btn-primary" type="submit">确认保存</button>
+                                </div>
+                            </div>
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+{% endblock %}
+{% block self_footer_js %}
+<script>
+$(document).ready(function(){
+    $("input.role").click(function(){
+        if($("input.role[value=GA]").is( ":checked" )){
+            $("#admin_groups").css("display", 'none');
+        }
+        else {
+
+            $("#admin_groups").css("display", 'block');
+        }
+    });
+
+    $('#use_password').click(function(){
+        if ($(this).is(':checked')){
+            $('#admin_account_password').css('display', 'block')
+        }
+        else {
+
+            $('#admin_account_password').css('display', 'none')
+        }
+    });
+
+    $('#use_publicKey').click(function(){
+        if ($(this).is(':checked')){
+
+            $('#admin_account_publicKey').css('display', 'block')
+        }
+        else {
+            $('#admin_account_publicKey').css('display', 'none')
+        }
+    });
+});
+
+var config = {
+                '.chosen-select'           : {},
+                '.chosen-select-deselect'  : {allow_single_deselect:true},
+                '.chosen-select-no-single' : {disable_search_threshold:10},
+                '.chosen-select-no-results': {no_results_text:'Oops, nothing found!'},
+                '.chosen-select-width'     : {width:"95%"}
+            };
+
+for (var selector in config) {
+    $(selector).chosen(config[selector]);
+}
+
+</script>
+    <script src="/static/js/cropper/cropper.min.js"></script>
+    <script src="/static/js/datapicker/bootstrap-datepicker.js"></script>
+{% endblock %}
+
diff --git a/templates/jperm/perm_sudo_edit.html b/templates/jperm/perm_sudo_edit.html
new file mode 100644
index 000000000..42621b93a
--- /dev/null
+++ b/templates/jperm/perm_sudo_edit.html
@@ -0,0 +1,120 @@
+{% extends 'base.html' %}
+{% block self_head_css_js %}
+    <link href="/static/css/plugins/datapicker/datepicker3.css" rel="stylesheet">
+    <link href="/static/css/plugins/chosen/chosen.css" rel="stylesheet">
+    <script src="/static/js/plugins/chosen/chosen.jquery.js"></script>
+{% endblock %}
+{% load mytags %}
+{% block content %}
+    {% include 'nav_cat_bar.html' %}
+    <div class="wrapper wrapper-content animated fadeInRight">
+        <div class="row">
+            <div class="col-lg-10">
+                <div class="ibox float-e-margins">
+                    <div class="ibox-title">
+                        <h5>填写基本信息</h5>
+                        <div class="ibox-tools">
+                            <a class="collapse-link">
+                                <i class="fa fa-chevron-up"></i>
+                            </a>
+                            <a class="dropdown-toggle" data-toggle="dropdown" href="#">
+                                <i class="fa fa-wrench"></i>
+                            </a>
+                            <a class="close-link">
+                                <i class="fa fa-times"></i>
+                            </a>
+                        </div>
+                    </div>
+                    <div class="ibox-content">
+                        <form method="post" id="sudoForm" class="form-horizontal" action="">
+                            {% if error %}
+                                <div class="alert alert-warning text-center">{{ error }}</div>
+                            {% endif %}
+                            {% if msg %}
+                                <div class="alert alert-success text-center">{{ msg }}</div>
+                            {% endif %}
+                            <div class="form-group">
+                                <label for="sudo_name" class="col-sm-2 control-label">命令别名<span class="red-fonts">*</span></label>
+                                <div class="col-sm-8">
+                                    <input id="sudo_name" name="sudo_name" placeholder="Sudo Command Alias" type="text" class="form-control" value={{ sudo.name }}>
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <label for="sudo_commands_label" class="col-sm-2 control-label">系统命令<span class="red-fonts">*</span></label>
+                                <div class="col-sm-8">
+                                    <textarea id="sudo_commands" name="sudo_commands" class="form-control" rows="3">{{ sudo.commands }}</textarea>
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <label for="sudo_comment" class="col-sm-2 control-label">备注</label>
+                                <div class="col-sm-8">
+                                    <input id="sudo_comment" name="sudo_comment" placeholder="Sudo Comment" type="text" class="form-control" value={{ sudo.commnet }}>
+                                </div>
+                            </div>
+                            <div class="hr-line-dashed"></div>
+                            <div class="form-group">
+                                <div class="col-sm-4 col-sm-offset-2">
+                                    <button class="btn btn-white" type="reset">取消</button>
+                                    <button id="submit_button" class="btn btn-primary" type="submit">确认保存</button>
+                                </div>
+                            </div>
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+{% endblock %}
+{% block self_footer_js %}
+<script>
+$(document).ready(function(){
+    $("input.role").click(function(){
+        if($("input.role[value=GA]").is( ":checked" )){
+            $("#admin_groups").css("display", 'none');
+        }
+        else {
+
+            $("#admin_groups").css("display", 'block');
+        }
+    });
+
+    $('#use_password').click(function(){
+        if ($(this).is(':checked')){
+            $('#admin_account_password').css('display', 'block')
+        }
+        else {
+
+            $('#admin_account_password').css('display', 'none')
+        }
+    });
+
+    $('#use_publicKey').click(function(){
+        if ($(this).is(':checked')){
+
+            $('#admin_account_publicKey').css('display', 'block')
+        }
+        else {
+            $('#admin_account_publicKey').css('display', 'none')
+        }
+    });
+});
+
+var config = {
+                '.chosen-select'           : {},
+                '.chosen-select-deselect'  : {allow_single_deselect:true},
+                '.chosen-select-no-single' : {disable_search_threshold:10},
+                '.chosen-select-no-results': {no_results_text:'Oops, nothing found!'},
+                '.chosen-select-width'     : {width:"95%"}
+            };
+
+for (var selector in config) {
+    $(selector).chosen(config[selector]);
+}
+
+</script>
+    <script src="/static/js/cropper/cropper.min.js"></script>
+    <script src="/static/js/datapicker/bootstrap-datepicker.js"></script>
+{% endblock %}
+
diff --git a/templates/jperm/perm_sudo_list.html b/templates/jperm/perm_sudo_list.html
new file mode 100644
index 000000000..43f13ec10
--- /dev/null
+++ b/templates/jperm/perm_sudo_list.html
@@ -0,0 +1,112 @@
+{% extends 'base.html' %}
+{% load mytags %}
+{% block content %}
+{% include 'nav_cat_bar.html' %}
+
+<div class="wrapper wrapper-content animated fadeInRight">
+    <div class="row">
+        <div class="col-lg-10">
+            <div class="ibox float-e-margins">
+                <div>
+                    {% if error %}
+                        <div class="alert alert-warning text-center">{{ error }}</div>
+                    {% endif %}
+                    {% if msg %}
+                        <div class="alert alert-success text-center">{{ msg }}</div>
+                    {% endif %}
+                </div>
+                <div class="ibox-title">
+                    <h5> 所有Sudo命令别名</h5>
+                    <div class="ibox-tools">
+                        <a class="collapse-link">
+                            <i class="fa fa-chevron-up"></i>
+                        </a>
+                        <a class="dropdown-toggle" data-toggle="dropdown" href="#">
+                            <i class="fa fa-wrench"></i>
+                        </a>
+                        <a class="close-link">
+                            <i class="fa fa-times"></i>
+                        </a>
+                    </div>
+                </div>
+
+                <div class="ibox-content">
+                    <div class="">
+                    <a  href="/jperm/sudo/perm_sudo_add/" class="btn btn-sm btn-primary "> 添加别名 </a>
+                    <a id="del_btn" class="btn btn-sm btn-danger "> 删除所选 </a>
+                    <form id="search_form" method="get" action="" class="pull-right mail-search">
+                        <div class="input-group">
+                            <input type="text" class="form-control input-sm" id="search_input" name="search" placeholder="Search">
+                            <div class="input-group-btn">
+                                <button id='search_btn' type="submit" class="btn btn-sm btn-primary">
+                                    - 搜索 -
+                                </button>
+                            </div>
+                        </div>
+                    </form>
+                    </div>
+
+                    <table class="table table-striped table-bordered table-hover " id="editable" >
+                        <thead>
+                            <tr>
+                                <th class="text-center">命令别名 </th>
+                                <th class="text-center">系统命令</th>
+                                <th class="text-center">创建时间</th>
+                                <th class="text-center">操作</th>
+                            </tr>
+                        </thead>
+                        <tbody id="edittbody">
+                        {% for sudo in sudos %}
+                            <tr class="gradeX" id={{ sudo.id }}>
+                                <td class="text-center"> {{ sudo.name }} </td>
+                                <td class="text-center"> {{ sudo.commands }} </td>
+                                <td class="text-center"> {{ sudo.date_added | date:"Y-m-d H:i:s"}} </td>
+                                <td class="text-center">
+{#                                    <a href="/jperm/sudo/perm_sudo_detail/?id={{ sudo.id }}" class="btn btn-xs btn-primary">详情</a>#}
+                                    <a href="/jperm/sudo/perm_sudo_edit/?id={{ sudo.id }}" class="btn btn-xs btn-info">编辑</a>
+                                    <button onclick="remove_sudo({{ sudo.id }})" class="btn btn-xs btn-danger">删除</button>
+                                </td>
+                            </tr>
+                        {% endfor %}
+                        </tbody>
+                    </table>
+                    <div class="row">
+                        <div class="col-sm-6">
+                            <div class="dataTables_info" id="editable_info" role="status" aria-live="polite">
+                                Showing {{ users.start_index }} to {{ users.end_index }} of {{ p.count }} entries
+                            </div>
+                        </div>
+                        {% include 'paginator.html' %}
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+
+<script>
+function remove_sudo(sudo_id){
+    if (confirm("确认删除")) {
+        $.ajax({
+           type: "POST",
+           url: "/jperm/sudo/perm_sudo_delete/",
+           data: "id=" + sudo_id,
+           success: function(msg){
+               alert( "成功: " + msg );
+               var del_row = $('tbody#edittbody>tr#' + sudo_id);
+               del_row.remove()
+           },
+           error: function (msg) {
+               alert("失败: " + msg)
+           }
+        });
+    }
+
+}
+</script>
+
+
+{% endblock %}
+
+
diff --git a/templates/jperm/role_sudo.j2 b/templates/jperm/role_sudo.j2
new file mode 100644
index 000000000..ae6e5924c
--- /dev/null
+++ b/templates/jperm/role_sudo.j2
@@ -0,0 +1,126 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias     FILESERVERS = fs1, fs2
+# Host_Alias     MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+
+## Updating the locate database
+Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+Cmnd_Alias DRIVERS = /sbin/modprobe
+
+## Custom
+{% if {{ role_custom }} %}
+{% Cmnd_Alias CUSTOM = {{ role_custom }} %}
+{% endif %}
+
+# Defaults specification
+
+#
+# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
+#         You have to run "ssh -t hostname sudo <cmd>".
+#
+Defaults    requiretty
+
+#
+# Refuse to run if unable to disable echo on the tty. This setting should also be
+# changed in order to be able to use sudo without a tty. See requiretty above.
+#
+Defaults   !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults   env_keep += "HOME"
+
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+##      user    MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere
+root    ALL=(ALL)       ALL
+
+{{ role_name }} ALL = {{ role_chosen }}
+
+
+## Allows members of the 'sys' group to run networking, software,
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel  ALL=(ALL)       ALL
+
+## Same thing without a password
+# %wheel        ALL=(ALL)       NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users  localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
diff --git a/templates/nav.html b/templates/nav.html
index 3f3e76d42..9ad1fb753 100644
--- a/templates/nav.html
+++ b/templates/nav.html
@@ -32,10 +32,12 @@
                     <li class="dept_perm_list dept_perm_edit">
                         <a href="/jperm/rule/">授权规则</a>
                     </li>
-
                     <li class="sudo_list sudo_edit sudo_add cmd_list cmd_edit cmd_add sudo_detail">
                         <a href="/jperm/role/">系统角色</a>
                     </li>
+                    <li class="sudo_list sudo_edit sudo_add cmd_list cmd_edit cmd_add sudo_detail">
+                        <a href="/jperm/sudo/">Sudo命令</a>
+                    </li>
                     <li class="apply_show online"><a href="/jperm/apply_show/online/">权限审批</a></li>
                     <li class="apply_show online"><a href="/jperm/log/">授权记录</a></li>
                 </ul>

From 951467f8ca8d22315bcc65502f3b8bebaebe5ba9 Mon Sep 17 00:00:00 2001
From: yumaojun <719118794@qq.com>
Date: Thu, 26 Nov 2015 17:23:16 +0800
Subject: [PATCH 3/4] =?UTF-8?q?1.=20=E6=96=B0=E5=A2=9E=20PermPush=E8=A1=A8?=
 =?UTF-8?q?,=20=E7=94=A8=E4=BA=8E=E8=AE=B0=E5=BD=95=E8=A7=92=E8=89=B2?=
 =?UTF-8?q?=E7=9A=84=E6=8E=A8=E9=80=81=E8=AE=B0=E5=BD=95=202.=20=E8=A7=92?=
 =?UTF-8?q?=E8=89=B2=E6=9D=83=E9=99=90=20=E4=BB=A5=E6=9D=A5=20sudo=20?=
 =?UTF-8?q?=E5=AE=8C=E6=88=90=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 jperm/ansible_api.py                | 24 +++++++++--
 jperm/models.py                     |  8 ++++
 jperm/utils.py                      | 16 ++++++++
 jperm/views.py                      | 62 +++++++++++++++++++++++------
 templates/jperm/perm_role_push.html | 10 +++++
 templates/jperm/role_sudo.j2        | 32 +++------------
 6 files changed, 109 insertions(+), 43 deletions(-)

diff --git a/jperm/ansible_api.py b/jperm/ansible_api.py
index ee7c2ddee..eaf2eb404 100644
--- a/jperm/ansible_api.py
+++ b/jperm/ansible_api.py
@@ -233,6 +233,7 @@ class Tasks(Command):
                      )
 
         self.results = hoc.run()
+        return {"msg": self.msg, "result": self.results}
 
     @property
     def msg(self):
@@ -400,13 +401,29 @@ class Tasks(Command):
 
         return {"failed": self.msg, "ok": result}
 
-    def push_sudo(self, role_custo, role_name, role_chosen):
+    def push_sudo_file(self, file_path):
         """
         use template to render pushed sudoers file
         :return:
         """
-        module_args = 'src=%s dest=%s owner=root group=root mode=0440' % (username, encrypt_pass)
-        self.__run(module_args, "template")
+        module_args1 = 'src=%s dest=%s owner=root group=root mode=0440' % (file_path, '/etc/sudoers')
+        ret1 = self.__run(module_args1, "copy")
+        module_args2 = 'visudo -c | grep "parsed OK" &> /dev/null && echo "ok" || echo "failed"'
+        ret2 = self.__run(module_args2, "shell")
+        ret2_status = [host_value.get("stdout") for host_value in ret2["result"]["contacted"].values()]
+
+        result = {}
+        if not ret1["msg"]:
+            result["step1"] = "ok"
+        else:
+            result["step1"] = "failed"
+
+        if not ret2["msg"] and "failed" not in ret2_status:
+            result["step2"] = "ok"
+        else:
+            result["step2"] = "failed"
+
+        return result
 
 
 class CustomAggregateStats(callbacks.AggregateStats):
@@ -427,7 +444,6 @@ class CustomAggregateStats(callbacks.AggregateStats):
 
         self.results.append(runner_results)
 
-
     def summarize(self, host):
         """                                                                         
         Return information about a particular host                                  
diff --git a/jperm/models.py b/jperm/models.py
index 019411f9b..9fbbda50c 100644
--- a/jperm/models.py
+++ b/jperm/models.py
@@ -55,5 +55,13 @@ class PermRule(models.Model):
         return self.name
 
 
+class PermPush(models.Model):
+    date_added = models.DateTimeField(auto_now=True)
+    asset = models.ManyToManyField(Asset, related_name='perm_push')
+    asset_group = models.ManyToManyField(AssetGroup, related_name='perm_push')
+    role = models.ManyToManyField(PermRole, related_name='perm_push')
+    is_public_key = models.BooleanField(default=False)
+    is_password = models.BooleanField(default=False)
+
 
 
diff --git a/jperm/utils.py b/jperm/utils.py
index ea68488a8..450e7d13d 100644
--- a/jperm/utils.py
+++ b/jperm/utils.py
@@ -8,6 +8,7 @@ from os import chmod, makedirs
 from uuid import uuid4
 from django.template.loader import get_template
 from django.template import Context
+from tempfile import NamedTemporaryFile
 
 from jumpserver.settings import KEY_DIR
 
@@ -88,6 +89,21 @@ def gen_sudo(role_custom, role_name, role_chosen):
     return sudo_file_path
 
 
+def get_sudo_file(sudo_chosen_aliase, sudo_chosen_obj):
+    """
+    get the sudo file
+    :param kwargs:
+    :return:
+    """
+    sudo_j2 = get_template('jperm/role_sudo.j2')
+    sudo_content = sudo_j2.render(Context({"sudo_chosen_aliase": sudo_chosen_aliase,
+                                           "sudo_chosen_obj": sudo_chosen_obj}))
+    sudo_file = NamedTemporaryFile(delete=False)
+    sudo_file.write(sudo_content)
+    sudo_file.close()
+
+    return sudo_file.name
+
 
 if __name__ == "__main__":
     print gen_keys()
diff --git a/jperm/views.py b/jperm/views.py
index 7c4f59c82..8cf907a46 100644
--- a/jperm/views.py
+++ b/jperm/views.py
@@ -6,13 +6,12 @@ from jperm.models import PermLog as Log
 from jperm.models import SysUser
 from juser.user_api import gen_ssh_key
 
-
 from juser.models      import User, UserGroup
 from jasset.models     import Asset, AssetGroup
-from jperm.models      import PermRole, PermRule, PermSudo
+from jperm.models      import PermRole, PermRule, PermSudo, PermPush
 from jumpserver.models import Setting
 
-from jperm.utils       import updates_dict, gen_keys, get_rand_pass
+from jperm.utils       import updates_dict, gen_keys, get_rand_pass, get_sudo_file
 from jperm.ansible_api import Tasks
 from jperm.perm_api    import get_role_info
 
@@ -448,24 +447,61 @@ def perm_role_push(request):
         key_push = request.POST.get("use_publicKey")
         task = Tasks(push_resource)
         ret = {}
-        ret_failed = []
+        ret_failed = {}
 
-        # 因为要先建立用户，所以password 是必选项，
-        # 而push key是在 password也完成的情况下的 可选项
-        ret["password_push"] = task.add_multi_user(**role_pass)
-        if ret["password_push"].get("status") != "success":
-            ret_failed.append(1)
+        # 因为要先建立用户，所以password 是必选项，而push key是在 password也完成的情况下的 可选项
+        # 1. 以password 方式推送角色
+        if password_push:
+            ret["password_push"] = task.add_multi_user(**role_pass)
+            if ret["password_push"].get("status") != "success":
+                ret_failed["step1"] == "failed"
 
+        # 2. 以秘钥 方式推送角色
         if key_push:
+            ret["password_push"] = task.add_multi_user(**role_pass)
+            if ret["password_push"].get("status") != "success":
+                ret_failed["step2-1"] == "failed"
             ret["key_push"] = task.push_multi_key(**role_key)
             if ret["key_push"].get("status") != "success":
-                ret_failed.append(1)
+                ret_failed["step2-2"] == "failed"
 
-        print ret
+        # 3. 推送sudo配置文件
+        sudo_chosen_aliase = {}
+        sudo_alias = []
+        for role in roles_obj:
+            role_alias = [sudo.name for sudo in role.sudo.all()]
+            sudo_alias.extend(role_alias)
+            sudo_chosen_aliase[role.name] = ','.join(role_alias)
+        sudo_chosen_obj = [PermSudo.objects.get(name=sudo_name) for sudo_name in set(sudo_alias)]
+        sudo_file = get_sudo_file(sudo_chosen_aliase, sudo_chosen_obj)
+        ret_sudo = task.push_sudo_file(sudo_file)
+        if ret_sudo["step1"] != "ok" and ret_sudo["step2"] != "ok":
+            ret_failed["step3"] == "failed"
+
+        # 结果汇总统计
         if ret_failed:
-            return HttpResponse(u"推送失败")
+            # 推送失败
+            msg = u"推送失败, 原因: %s 失败" % ','.join(ret_failed.keys())
         else:
-            return HttpResponse(u"推送系统角色： %s" % ','.join(role_names))
+            # 推送成功 写会push表
+            msg = u"推送系统角色： %s" % ','.join(role_names)
+            push = PermPush(is_public_key=bool(key_push), is_password=bool(password_push))
+            push.save()
+            push.asset_group = asset_groups_obj
+            push.asset = calc_assets
+            push.role = roles_obj
+            push.save()
+
+        # 渲染 刷新数据
+        header_title, path1, path2 = "系统角色", "角色管理", "查看角色"
+        roles_list = PermRole.objects.all()
+        # TODO: 搜索和分页
+        keyword = request.GET.get('search', '')
+        if keyword:
+            roles_list = roles_list.filter(Q(name=keyword))
+
+        roles_list, p, roles, page_range, current_page, show_first, show_end = pages(roles_list, request)
+        return my_render('jperm/perm_role_list.html', locals(), request)
 
 
 @require_role('admin')
diff --git a/templates/jperm/perm_role_push.html b/templates/jperm/perm_role_push.html
index 91a4c7a0d..933dcb71c 100644
--- a/templates/jperm/perm_role_push.html
+++ b/templates/jperm/perm_role_push.html
@@ -77,6 +77,16 @@
                                         </div>
                                     </div>
                                 </div>
+                                <div class="form-group">
+                                    <label for="j_group" class="col-sm-2 control-label">使用密码</label>
+                                    <div class="col-sm-1">
+                                        <div class="radio i-checks">
+                                            <label>
+                                                <input type="checkbox" value="1" id="use_password" name="use_password">
+                                            </label>
+                                        </div>
+                                    </div>
+                                </div>
                             </div>
                             <div class="hr-line-dashed"></div>
                             <div class="form-group">
diff --git a/templates/jperm/role_sudo.j2 b/templates/jperm/role_sudo.j2
index ae6e5924c..c544d33ba 100644
--- a/templates/jperm/role_sudo.j2
+++ b/templates/jperm/role_sudo.j2
@@ -23,34 +23,13 @@
 ## Command Aliases
 ## These are groups of related commands...
 
-## Networking
-Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+{% for sudo in sudo_chosen_obj %}
+Cmnd_Alias {{ sudo.name }} = {{ sudo.commands }}
+{% endfor %}
 
-## Installation and management of software
-Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
 
-## Services
-Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
 
-## Updating the locate database
-Cmnd_Alias LOCATE = /usr/bin/updatedb
 
-## Storage
-Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-
-## Delegating permissions
-Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
-
-## Processes
-Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-
-## Drivers
-Cmnd_Alias DRIVERS = /sbin/modprobe
-
-## Custom
-{% if {{ role_custom }} %}
-{% Cmnd_Alias CUSTOM = {{ role_custom }} %}
-{% endif %}
 
 # Defaults specification
 
@@ -102,8 +81,9 @@ Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
 ## Allow root to run any commands anywhere
 root    ALL=(ALL)       ALL
 
-{{ role_name }} ALL = {{ role_chosen }}
-
+{% for role, alias in sudo_chosen_aliase.items %}
+{{ role }} ALL = {{ alias }}
+{% endfor %}
 
 ## Allows members of the 'sys' group to run networking, software,
 ## service management apps and more.

From 39a0350e08f86da94c3780bc211e13dcc68deafb Mon Sep 17 00:00:00 2001
From: yumaojun <719118794@qq.com>
Date: Sat, 28 Nov 2015 19:33:21 +0800
Subject: [PATCH 4/4] =?UTF-8?q?1.=20=E5=AE=8C=E6=88=90Sudo=20=E8=A7=84?=
 =?UTF-8?q?=E5=88=99=E7=9A=84=20=E8=A7=92=E8=89=B2=E6=8E=88=E6=9D=83=202.?=
 =?UTF-8?q?=20=E8=A7=92=E8=89=B2=E8=AF=A6=E6=83=85=E9=87=8C=E9=9D=A2=20?=
 =?UTF-8?q?=E6=96=B0=E5=A2=9E=20=E6=8E=A8=E9=80=81=E8=AF=A6=E6=83=85=203.?=
 =?UTF-8?q?=20=E8=A7=92=E8=89=B2=E6=8E=A8=E9=80=81=20=E6=94=AF=E6=8C=81?=
 =?UTF-8?q?=E8=AE=A1=E7=AE=97=E4=B8=8E=E5=8F=A0=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 jperm/ansible_api.py                  |   4 +-
 jperm/perm_api.py                     |  34 ++++++++
 jperm/utils.py                        |   2 +-
 jperm/views.py                        |  31 ++++---
 templates/jperm/perm_role_detail.html |  61 +++++++++++--
 templates/jperm/role_sudo.j2          | 121 +++++---------------------
 6 files changed, 134 insertions(+), 119 deletions(-)

diff --git a/jperm/ansible_api.py b/jperm/ansible_api.py
index eaf2eb404..e8ba1d093 100644
--- a/jperm/ansible_api.py
+++ b/jperm/ansible_api.py
@@ -406,8 +406,8 @@ class Tasks(Command):
         use template to render pushed sudoers file
         :return:
         """
-        module_args1 = 'src=%s dest=%s owner=root group=root mode=0440' % (file_path, '/etc/sudoers')
-        ret1 = self.__run(module_args1, "copy")
+        module_args1 = 'test'
+        ret1 = self.__run(module_args1, "script")
         module_args2 = 'visudo -c | grep "parsed OK" &> /dev/null && echo "ok" || echo "failed"'
         ret2 = self.__run(module_args2, "shell")
         ret2_status = [host_value.get("stdout") for host_value in ret2["result"]["contacted"].values()]
diff --git a/jperm/perm_api.py b/jperm/perm_api.py
index 1b363f547..8524a52b1 100644
--- a/jperm/perm_api.py
+++ b/jperm/perm_api.py
@@ -337,6 +337,40 @@ def get_role_info(role_id, type="all"):
         return u"不支持的查询"
 
 
+def get_role_push_host(role):
+    """
+    get the role push host
+    :return: the asset object
+    """
+    # 计算该role 所有push记录 总共推送的主机
+    assets = []
+    asset_groups = []
+    for push in role.perm_push.all():
+        assets.extend(push.asset.all())
+        asset_groups.extend(push.asset_group.all())
+    group_assets = []
+    for asset_group in asset_groups:
+        group_assets.extend(asset_group.asset_set.all())
+    cacl_assets = set(assets) | set(group_assets)
+
+    # 计算所有主机 在push记录里面的 使用密码和使用秘钥状况
+    result = []
+    for asset in cacl_assets:
+        all_push = asset.perm_push.all()
+        if True in [push.is_password for push in all_push if role in push.role.all()]:
+            is_password = u"是"
+        else:
+            is_password = u"否"
+        if True in [push.is_public_key for push in all_push if role in push.role.all()]:
+            is_public_key = u"是"
+        else:
+            is_public_key = u"否"
+        result.append({"ip": asset.ip,
+                       "group": ','.join([group.name for group in asset.group.all()]),
+                       "password": is_password,
+                       "pubkey": is_public_key})
+    return result
+
 if __name__ == "__main__":
     print get_role_info(1)
 
diff --git a/jperm/utils.py b/jperm/utils.py
index 450e7d13d..43a1f004f 100644
--- a/jperm/utils.py
+++ b/jperm/utils.py
@@ -89,7 +89,7 @@ def gen_sudo(role_custom, role_name, role_chosen):
     return sudo_file_path
 
 
-def get_sudo_file(sudo_chosen_aliase, sudo_chosen_obj):
+def get_add_sudo_script(sudo_chosen_aliase, sudo_chosen_obj):
     """
     get the sudo file
     :param kwargs:
diff --git a/jperm/views.py b/jperm/views.py
index 8cf907a46..348480d64 100644
--- a/jperm/views.py
+++ b/jperm/views.py
@@ -11,9 +11,9 @@ from jasset.models     import Asset, AssetGroup
 from jperm.models      import PermRole, PermRule, PermSudo, PermPush
 from jumpserver.models import Setting
 
-from jperm.utils       import updates_dict, gen_keys, get_rand_pass, get_sudo_file
+from jperm.utils       import updates_dict, gen_keys, get_rand_pass, get_add_sudo_script
 from jperm.ansible_api import Tasks
-from jperm.perm_api    import get_role_info
+from jperm.perm_api    import get_role_info, get_role_push_host
 
 from jumpserver.api    import my_render, get_object, CRYPTOR
 
@@ -338,6 +338,7 @@ def perm_role_detail(request):
         asset_groups = role_info.get("asset_groups")
         users = role_info.get("users")
         user_groups = role_info.get("user_groups")
+        push_info = get_role_push_host(PermRole.objects.get(id=role_id))
 
         return my_render('jperm/perm_role_detail.html', locals(), request)
 
@@ -460,10 +461,10 @@ def perm_role_push(request):
         if key_push:
             ret["password_push"] = task.add_multi_user(**role_pass)
             if ret["password_push"].get("status") != "success":
-                ret_failed["step2-1"] == "failed"
+                ret_failed["step2-1"] = "failed"
             ret["key_push"] = task.push_multi_key(**role_key)
             if ret["key_push"].get("status") != "success":
-                ret_failed["step2-2"] == "failed"
+                ret_failed["step2-2"] = "failed"
 
         # 3. 推送sudo配置文件
         sudo_chosen_aliase = {}
@@ -473,17 +474,21 @@ def perm_role_push(request):
             sudo_alias.extend(role_alias)
             sudo_chosen_aliase[role.name] = ','.join(role_alias)
         sudo_chosen_obj = [PermSudo.objects.get(name=sudo_name) for sudo_name in set(sudo_alias)]
-        sudo_file = get_sudo_file(sudo_chosen_aliase, sudo_chosen_obj)
-        ret_sudo = task.push_sudo_file(sudo_file)
-        if ret_sudo["step1"] != "ok" and ret_sudo["step2"] != "ok":
-            ret_failed["step3"] == "failed"
+
+        add_sudo_script = get_add_sudo_script(sudo_chosen_aliase, sudo_chosen_obj)
+        ret_sudo = task.push_sudo_file(add_sudo_script)
+
+        if ret_sudo["step1"] != "ok" or ret_sudo["step2"] != "ok":
+            ret_failed["step3"] = "failed"
+        os.remove(add_sudo_script)
+
 
         # 结果汇总统计
         if ret_failed:
             # 推送失败
-            msg = u"推送失败, 原因: %s 失败" % ','.join(ret_failed.keys())
+            error = u"推送失败, 原因: %s 失败" % ','.join(ret_failed.keys())
         else:
-            # 推送成功 写会push表
+            # 推送成功 回写push表
             msg = u"推送系统角色： %s" % ','.join(role_names)
             push = PermPush(is_public_key=bool(key_push), is_password=bool(password_push))
             push.save()
@@ -546,7 +551,7 @@ def perm_sudo_add(request):
         comment = request.POST.get("sudo_comment")
         commands = request.POST.get("sudo_commands")
 
-        sudo = PermSudo(name=name, comment=comment, commands=commands)
+        sudo = PermSudo(name=name.strip(), comment=comment, commands=commands.strip())
         sudo.save()
 
         msg = u"添加Sudo命令别名: %s" % name
@@ -586,8 +591,8 @@ def perm_sudo_edit(request):
         name = request.POST.get("sudo_name")
         commands = request.POST.get("sudo_commands")
         comment = request.POST.get("sudo_comment")
-        sudo.name = name
-        sudo.commands = commands
+        sudo.name = name.strip()
+        sudo.commands = commands.strip()
         sudo.comment = comment
         sudo.save()
 
diff --git a/templates/jperm/perm_role_detail.html b/templates/jperm/perm_role_detail.html
index 593ccd740..51d6ac9b2 100644
--- a/templates/jperm/perm_role_detail.html
+++ b/templates/jperm/perm_role_detail.html
@@ -5,7 +5,6 @@
 {% block content %}
     {% include 'nav_cat_bar.html' %}
     <div class="wrapper wrapper-content animated fadeInRight">
-
         <div class="row">
             <div class="col-lg-4">
                 <div class="ibox float-e-margins">
@@ -51,8 +50,8 @@
                             </div>
                         </div>
                     </div>
-                    </div>
-                    </div>
+                </div>
+            </div>
             <div class="col-lg-4">
                 <div class="ibox float-e-margins">
                     <div class="ibox-title">
@@ -97,8 +96,8 @@
                             </div>
                         </div>
                     </div>
-                    </div>
-                    </div>
+                </div>
+            </div>
             <div class="col-lg-4">
                 <div class="ibox float-e-margins">
                     <div class="ibox-title">
@@ -143,8 +142,60 @@
                             </div>
                         </div>
                     </div>
+                </div>
+            </div>
+        </div>
+        <div class="row">
+            <div class="col-lg-12">
+                <div class="ibox float-e-margins">
+                    <div class="ibox-title">
+                        <span class="label label-primary"><b>推送主机</b></span>
+                        <div class="ibox-tools">
+                            <a class="collapse-link">
+                                <i class="fa fa-chevron-up"></i>
+                            </a>
+                            <a class="dropdown-toggle" data-toggle="dropdown" href="#">
+                                <i class="fa fa-wrench"></i>
+                            </a>
+                            <ul class="dropdown-menu dropdown-user">
+                                <li><a href="#"></a>
+                                </li>
+                                <li><a href="#"></a>
+                                </li>
+                            </ul>
+                            <a class="close-link">
+                                <i class="fa fa-times"></i>
+                            </a>
+                        </div>
                     </div>
+                    <div class="ibox-content">
+                        <div>
+                            <div class="text-left">
+                                <table class="table table-striped" id="ugedit" >
+                                    <thead>
+                                        <tr>
+                                            <th class="text-center">主机</th>
+                                            <th class="text-center">主机组</th>
+                                            <th class="text-center">使用密码</th>
+                                            <th class="text-center">使用秘钥</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody>
+                                    {% for host in push_info %}
+                                        <tr class="gradeX">
+                                            <td class="text-center"> {{ host.ip }} </td>
+                                            <td class="text-center"> {{ host.group }} </td>
+                                            <td class="text-center"> {{ host.password }} </td>
+                                            <td class="text-center"> {{ host.pubkey }} </td>
+                                        </tr>
+                                    {% endfor %}
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
                     </div>
+                </div>
+            </div>
         </div>
     </div>
 
diff --git a/templates/jperm/role_sudo.j2 b/templates/jperm/role_sudo.j2
index c544d33ba..a910317eb 100644
--- a/templates/jperm/role_sudo.j2
+++ b/templates/jperm/role_sudo.j2
@@ -1,106 +1,31 @@
-## Sudoers allows particular users to run various commands as
-## the root user, without needing the root password.
-##
-## Examples are provided at the bottom of the file for collections
-## of related commands, which can then be delegated out to particular
-## users or groups.
-##
-## This file must be edited with the 'visudo' command.
-
-## Host Aliases
-## Groups of machines. You may prefer to use hostnames (perhaps using
-## wildcards for entire domains) or IP addresses instead.
-# Host_Alias     FILESERVERS = fs1, fs2
-# Host_Alias     MAILSERVERS = smtp, smtp2
-
-## User Aliases
-## These aren't often necessary, as you can use regular groups
-## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
-## rather than USERALIAS
-# User_Alias ADMINS = jsmith, mikem
+#!/bin/bash
 
 
-## Command Aliases
-## These are groups of related commands...
-
-{% for sudo in sudo_chosen_obj %}
-Cmnd_Alias {{ sudo.name }} = {{ sudo.commands }}
-{% endfor %}
+sudo_file=/etc/sudoers
 
 
+# Add Command Aliases
+add_cmd_alias() {
+    {% for sudo in sudo_chosen_obj %}
+    if $(grep '^Cmnd_Alias {{ sudo.name }}' ${sudo_file} &> /dev/null); then
+        sed -i 's@^Cmnd_Alias.*{{ sudo.name }}.*@Cmnd_Alias {{ sudo.name }} = {{ sudo.commands }}@g' ${sudo_file}
+    else
+        echo "Cmnd_Alias {{ sudo.name }} = {{ sudo.commands }}" >> ${sudo_file}
+    fi
+    {% endfor %}
+}
 
 
+add_role_chosen() {
+    {% for role, alias in sudo_chosen_aliase.items %}
+    if $(grep '^{{ role }}' ${sudo_file} &> /dev/null); then
+        sed -i 's@^{{ role }}.*@{{ role }} ALL = {{ alias }}@g' ${sudo_file}
+    else
+        echo "{{ role }} ALL = {{ alias }}"  >> ${sudo_file}
+    fi
+    {% endfor %}
+}
 
-# Defaults specification
 
-#
-# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
-#         You have to run "ssh -t hostname sudo <cmd>".
-#
-Defaults    requiretty
-
-#
-# Refuse to run if unable to disable echo on the tty. This setting should also be
-# changed in order to be able to use sudo without a tty. See requiretty above.
-#
-Defaults   !visiblepw
-
-#
-# Preserving HOME has security implications since many programs
-# use it when searching for configuration files. Note that HOME
-# is already set when the the env_reset option is enabled, so
-# this option is only effective for configurations where either
-# env_reset is disabled or HOME is present in the env_keep list.
-#
-Defaults    always_set_home
-
-Defaults    env_reset
-Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
-Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
-Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
-Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
-Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-
-#
-# Adding HOME to env_keep may enable a user to run unrestricted
-# commands via sudo.
-#
-# Defaults   env_keep += "HOME"
-
-Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
-
-## Next comes the main part: which users can run what software on
-## which machines (the sudoers file can be shared between multiple
-## systems).
-## Syntax:
-##
-##      user    MACHINE=COMMANDS
-##
-## The COMMANDS section may have other options added to it.
-##
-## Allow root to run any commands anywhere
-root    ALL=(ALL)       ALL
-
-{% for role, alias in sudo_chosen_aliase.items %}
-{{ role }} ALL = {{ alias }}
-{% endfor %}
-
-## Allows members of the 'sys' group to run networking, software,
-## service management apps and more.
-# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
-
-## Allows people in group wheel to run all commands
-%wheel  ALL=(ALL)       ALL
-
-## Same thing without a password
-# %wheel        ALL=(ALL)       NOPASSWD: ALL
-
-## Allows members of the users group to mount and unmount the
-## cdrom as root
-# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-
-## Allows members of the users group to shutdown this system
-# %users  localhost=/sbin/shutdown -h now
-
-## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
-#includedir /etc/sudoers.d
+add_cmd_alias
+add_role_chosen
\ No newline at end of file