modify sudo

jperm/ansible_api.py

@@ -442,23 +442,8 @@ class Tasks(Command):
         :return:
         """
         module_args1 = file_path
-        ret1 = self.__run(module_args1, "script")
-        module_args2 = 'visudo -c | grep "parsed OK" &> /dev/null && echo "ok" || echo "failed"'
-        ret2 = self.__run(module_args2, "shell")
-        ret2_status = [host_value.get("stdout") for host_value in ret2["result"]["contacted"].values()]
-
-        result = {}
-        if not ret1["msg"]:
-            result["step1"] = "ok"
-        else:
-            result["msg"] = ret1["msg"]
-
-        if not ret2["msg"] and "failed" not in ret2_status:
-            result["step2"] = "ok"
-        else:
-            result["msg"] = ret1["msg"]
-
-        return result
+        ret = self.__run(module_args1, "script")
+        return ret
 
 
 class CustomAggregateStats(callbacks.AggregateStats):

jperm/views.py

@@ -410,25 +410,8 @@ def perm_role_push(request):
         for asset_group in asset_groups_obj:
             group_assets_obj.extend(asset_group.asset_set.all())
         calc_assets = list(set(assets_obj) | set(group_assets_obj))
-
-        # 生成Inventory
-        # push_resource = []
-        # for asset in calc_assets:
-        #     if asset.use_default_auth:
-        #         username = Setting.field1
-        #         port = Setting.field2
-        #         password = Setting.field3
-        #     else:
-        #         username = asset.username
-        #         password = asset.password
-        #         port = asset.port
-        #     push_resource.append({"hostname": asset.ip,
-        #                           "port": port,
-        #                           "username": username,
-        #                           "password": password})
         push_resource = gen_resource(calc_assets)
-
-        logger.debug('推送role res: %s' % push_resource)
+        logger.debug('Push role res: %s' % push_resource)
 
         # 调用Ansible API 进行推送
         password_push = True if request.POST.get("use_password") else False
@@ -463,7 +446,7 @@ def perm_role_push(request):
 
             if ret['sudo'].get('msg'):
                 ret_failed = ret['sudo'].get('msg')
-            os.remove(add_sudo_script)
+            # os.remove(add_sudo_script)
 
         logger.debug('推送role结果: %s' % ret)
         logger.debug('推送role错误: %s' % ret_failed)

templates/jperm/perm_role_detail.html

@@ -204,7 +204,7 @@
             <div class="col-sm-4">
                 <div class="ibox float-e-margins">
                     <div class="ibox-title">
-                        <span class="label label-primary"><b>未推送主机</b></span>
+                        <span class="label label-danger"><b>未推送主机</b></span>
                         <div class="ibox-tools">
                             <a class="collapse-link">
                                 <i class="fa fa-chevron-up"></i>

templates/jperm/role_sudo.j2

@@ -1,11 +1,12 @@
 #!/bin/bash
 
 
-sudo_file=/etc/sudoers
-
+real_file=/etc/sudoers
+tmp_file=$(mktemp /tmp/XXXXXXX)
 
 # Add Command Aliases
 add_cmd_alias() {
+    sudo_file=$1
     {% for sudo in sudo_alias %}
     if $(grep '^Cmnd_Alias {{ sudo.name }}' ${sudo_file} &> /dev/null); then
         sed -i 's@^Cmnd_Alias.*{{ sudo.name }}.*@Cmnd_Alias {{ sudo.name }} = {{ sudo.commands }}@g' ${sudo_file}
@@ -17,6 +18,7 @@ add_cmd_alias() {
 
 
 add_role_chosen() {
+    sudo_file=$1
     {% for role, alias in role_chosen_aliase.items %}
         if $(grep '^{{ role }}.*' ${sudo_file} &> /dev/null); then
             sed -i 's@^{{ role }}.*@{{ role }} ALL =  NOPASSWD: {{ alias }}@g' ${sudo_file}
@@ -26,6 +28,11 @@ add_role_chosen() {
     {% endfor %}
 }
 
+check_syntax(){
+    visudo -c -f $1
+}
+
+cp $real_file $tmp_file && add_cmd_alias $tmp_file && add_role_chosen $tmp_file || exit 1
+check_syntax $tmp_file && add_cmd_alias $real_file && add_role_chosen $real_file && rm -f $tmp_file || exit 2
+check_syntax $real_file
 
-add_cmd_alias
-add_role_chosen