WIP: fix(config): remove dictsort that breaks sudoers

javierbertoli commented 4 years ago

PR progress checklist (to be filled in by reviewers)

[ ] Changes to documentation are appropriate (or tick if not required)
[ ] Changes to tests are appropriate (or tick if not required)
[ ] Reviews completed

What type of PR is this?

Primary type

[ ] [build] Changes related to the build system
[ ] [chore] Changes to the build process or auxiliary tools and libraries such as documentation generation
[ ] [ci] Changes to the continuous integration configuration
[ ] [feat] A new feature
[X] [fix] A bug fix
[ ] [perf] A code change that improves performance
[ ] [refactor] A code change that neither fixes a bug nor adds a feature
[X] [revert] A change used to revert a previous commit
[ ] [style] Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)

Secondary type

[ ] [docs] Documentation changes
[ ] [test] Adding missing or correcting existing tests

Does this PR introduce a `BREAKING CHANGE`?

YES.

Although it's quite possible that 'nothing will break', existing entries order will change and you might end up with a rendered file that does not match current one.

Related issues and/or pull requests

Describe the changes you're proposing

in bc62b6e5 dicsort was applied to the pillar entries. But in the sudoers file order matters so, using dicsort, breaks it.

From man 5 sudoers:

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

Removed dictsort from the {users,groups,netgroups} specifications.

Pillar / config required to test the proposed changes

Debug log showing how the proposed changes work

Documentation checklist

[ ] Updated the README (e.g. Available states).
[ ] Updated pillar.example.

Testing checklist

[ ] Included in Kitchen (i.e. under state_top).
[ ] Covered by new/existing tests (e.g. InSpec, Serverspec, etc.).
[ ] Updated the relevant test pillar.

Additional context

pull-assistant[bot] commented 4 years ago

Best reviewed: commit by commit

Optimal code review plan

fix(config): remove dictsort that breaks sudoers

Powered by Pull Assistant. Last update 7ee2569 ... 7ee2569. Read the comment docs.

myii commented 4 years ago

@javierbertoli I'll concentrate on the map.jinja PR that @daks has put through -- hopefully he can review this PR. One minor comment for the time being: s/dicsort/dictsort/ in all places including the commit message, thanks.

daks commented 4 years ago

If I understand correctly:

in 2018 was introduced (https://github.com/saltstack-formulas/sudoers-formula/commit/bc62b6e567ad5cc781f5faf9ffcd1067e163b2bc) the |dictsort filter to make the formula application 'idempotent' (the generated file won't change at every state apply)
this filter orders the dict automatically in an order which can be different of the user will
sudo entries order is very important!

I understand the need to this PR but it will make the formula application not idempotent again, which is not critical (I think other formulas have this problem too) but not ideal neither.

I think one way to solve this problem would be to move from dictionaries to lists for data which needs a specific order but it's a more important change.

I'm interested in your opinion on that topic.

javierbertoli commented 4 years ago

@daks You're right, lists seems a more stable approach.

It's a breaking change, anyway, so we'd rather fix it the best way, right? :smile:

I'll give it a try.

saltstack-formulas / sudoers-formula