ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

community.general.sudoers adds space in string #8789

Closed yannickincyberatlantis closed 2 months ago

yannickincyberatlantis commented 2 months ago

Summary

When creating a sudo rule using the following task, the sudoers module adds an unintentional space to the string, in this case breaking the regex:

- name: Configure the user to manage Wireguard VPN services using sudo
  community.general.sudoers:
    name: sudoers_file_name
    state: present
    user: my_user
    runas: root
    commands: '/usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1,15}\.service$'
    nopassword: true

The resulting sudoers file has the following contents:

my_user ALL=(root)NOPASSWD: /usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1, 15}\.service$

Note the space between 1, and 15: {1, 15}

Someone on the Ansible IRC channel found a workaround for this: add the command as a list, rather than a single string. The following Ansible task does work:

- name: Configure the user to manage Wireguard VPN services using sudo
  community.general.sudoers:
    name: sudoers_file_name
    state: present
    user: my_user
    runas: root
    commands:
      - '/usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1,15}\.service$'
    nopassword: true

Issue Type

Bug Report

Component Name

sudoers

Ansible Version

$ ansible --version
ansible [core 2.16.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/USERNAME/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/USERNAME/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.4 (main, Jun  7 2024, 00:00:00) [GCC 14.1.1 20240607 (Red Hat 14.1.1-5)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
# /home/USERNAME/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 8.6.0  

# /usr/lib/python3.12/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 8.6.4  

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = /etc/ansible/ansible.cfg
EDITOR(env: EDITOR) = /usr/bin/vim
    - name: Configure the user to manage Wireguard VPN services using sudo
      community.general.sudoers:
        name: sudoers_file_name
        state: present
        user: my_user
        runas: root
        commands: '/usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1,15}\.service$'
        nopassword: true

OS / Environment

Controller: Fedora 40
Target: Debian 12

Steps to Reproduce

- name: Configure the user to manage Wireguard VPN services using sudo
  community.general.sudoers:
    name: sudoers_file_name
    state: present
    user: my_user
    runas: root
    commands: '/usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1,15}\.service$'
    nopassword: true

Expected Results

I expected the following line:

my_user ALL=(root)NOPASSWD: /usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1,15}\.service$

Instead I got the following line:

my_user ALL=(root)NOPASSWD: /usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1, 15}\.service$

Actual Results

No response


ansibullbot commented 2 months ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 2 months ago

cc @JonEllis

felixfontein commented 2 months ago

This isn't a bug, that's normal Ansible behavior.

The commands option expects a list of strings. If you provide a single string, Ansible will split that string by commas. Since your string contains a comma, it will be converted to a list with two elements - something that's wrong in your case.

So simply provide a proper list here instead of a string that contains a comma. The "workaround" is not a workaround, but the correct way to use Ansible in this case.
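The coercion described in this reply, as an added example (not code from community.general or ansible-core): `to_list_option` mirrors how a scalar string passed to a `type: list` module option is split on commas, and `render_rule` joins the resulting commands with `", "`, which is assumed from the output shown in the report rather than taken from the module source. The last helper is a small lint check a playbook reviewer can run before a rule reaches the sudoers file, because a silently split command spec changes which commands the rule grants.

```python
"""Reproduce the comma-splitting behaviour discussed in this issue.

Added example, not code from community.general or ansible-core.
to_list_option() mirrors how Ansible coerces a bare string given to a
`type: list` option (split on ","); render_rule() mirrors the way the
sudoers module joins the commands back together with ", " (assumed from
the sudoers line shown in the report). Both are simplified re-implementations.
"""
from typing import List, Union

# Constructed sample input: the command pattern from the report.
COMMAND = r"/usr/bin/systemctl ^(enable|disable|start|stop|restart) wg-quick@[A-Za-z0-9]{1,15}\.service$"


def to_list_option(value: Union[str, List[str]]) -> List[str]:
    """Coerce an option value the way a `type: list` option is coerced.

    A list is returned as-is; a bare string is split on commas, which is
    the step that silently breaks a regex quantifier such as {1,15}.
    """
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str):
        return value.split(",")
    raise TypeError("expected str or list")


def render_rule(user: str, runas: str, commands: Union[str, List[str]],
                nopassword: bool = True) -> str:
    """Render a sudoers line from module-style options (assumed ', ' join)."""
    tag = "NOPASSWD: " if nopassword else ""
    return f"{user} ALL=({runas}){tag}{', '.join(to_list_option(commands))}"


def commands_with_unquoted_commas(value: Union[str, List[str]]) -> List[str]:
    """Lint helper: return bare-string command specs that contain a comma.

    Such a value is split into several commands before it reaches the
    sudoers file, so the rule no longer grants what the author wrote.
    Passing the same text as a one-element list avoids the split.
    """
    if isinstance(value, str) and "," in value:
        return [value]
    return []


if __name__ == "__main__":
    print(render_rule("my_user", "root", COMMAND))    # bare string: {1, 15}
    print(render_rule("my_user", "root", [COMMAND]))  # list: {1,15}
    print(commands_with_unquoted_commas(COMMAND))
```

Running the block prints the broken line from the report for the bare string and the intended line for the one-element list; the lint helper flags the bare-string form so the mistake is caught at review time rather than on the target host.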

yannickincyberatlantis commented 2 months ago

> This isn't a bug, that's normal Ansible behavior.
>
> The commands option expects a list of strings. If you provide a single string, Ansible will split that string by commas. Since your string contains a comma, it will be converted to a list with two elements - something that's wrong in your case.
>
> So simply provide a proper list here instead of a string that contains a comma. The "workaround" is not a workaround, but the correct way to use Ansible in this case.

I see, thank you for explaining this! :)