How to write a Chef Inspec test for the Chef Infra 'sudo' resource?


Versions

  • Chef Workstation version: 22.7.1006
  • Chef InSpec version: 4.56.20
  • Chef CLI version: 5.6.1
  • Chef Habitat version: 1.6.420
  • Test Kitchen version: 3.3.1
  • Cookstyle version: 7.32.1
  • Chef Infra Client version: 17.10.0

I'm using Kitchen to provision 3 virtual machines:

  • Ubuntu 16.04
  • Ubuntu 20.04
  • Ubuntu 22.04

by specifying this in my kitchen.yml:

platforms:
  - name: ubuntu-16.04
  - name: ubuntu-20.04
  - name: ubuntu-22.04

Note: I'm only mentioning the above in case 'sudo' behaves differently on the different versions of Ubuntu.

Objective

Write a Chef-Infra recipe to make a user able to execute the 'sudo' command, and write a corresponding Chef-Inspec test to verify it.

What I've tried

Based on https://docs.chef.io/resources/sudo/ , I put the following in my recipe:

sudo 'admin' do
  user 'user'
end

This creates /etc/sudoers.d/admin with the proper contents:

# This file is managed by Chef Infra Client. Changes will be overwritten.

user ALL=(ALL) ALL

but does not add 'user' to the 'sudo' group.

Now, when I tried to write the Inspec test based on https://docs.chef.io/inspec/resources/user/

describe user('user') do
  its('groups') { should include('sudo') }
end

the test fails because 'user' was not added to the 'sudo' group.

When I login as 'user', I am able to execute the sudo command.

I saw this old question from 2017, "How to make newly created user as sudo user by using chef", and I did try the following:

group 'sudo' do
  group_name 'sudo'
  members 'user'
  action :modify
  append true
end

which makes my test pass.

But now there seem to be two methods to give 'sudo' privileges to 'user', and I'm not sure if they're both equivalent.

I know I can write a test to verify the contents of /etc/sudoers.d/admin, but that does not seem like the best way to achieve this, especially if the different versions of Ubuntu generate different files.

Questions:

  1. Given the versions of Ubuntu that I want to support, does the Chef Infra 'sudo' resource do all the necessary commands that Ubuntu needs to give 'sudo' privilege to 'user'?
  2. Is there a corresponding Chef Inspec 'sudo' audit resource?
  3. If not, how should I write the Chef InSpec test to verify that 'user' has 'sudo' privilege?
Best answer

Given the versions of Ubuntu that I want to support, does the Chef Infra 'sudo' resource do all the necessary commands that Ubuntu needs to give 'sudo' privilege to 'user'?

The sudo resource is only used for editing sudoers.d files, it does not add the user to the sudo group. See this previously asked question for understanding the difference between using sudoers.d vs adding a user to the sudo group.

Is there a corresponding Chef InSpec 'sudo' audit resource? If not, how should I write the Chef InSpec test to verify that 'user' has 'sudo' privilege?

There is no sudo InSpec resource, but you can use the file resource to verify the contents of the sudoers file.

describe file('/etc/sudoers.d/admin') do
  its('content') { should match(%r{user ALL=\(ALL\) ALL}) }
end

In summary, if you plan on providing sudo permissions to a user via the sudo resource, use the inspec file resource to test your code. If you plan on giving sudo permissions via the group resource, your current inspec test would work.
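To make the distinction in the answer concrete, here is an added example (plain Ruby, not code from the question, the answer, Chef or InSpec) that evaluates whether a user holds unrestricted sudo from the two places Ubuntu grants it: a sudoers rule naming the user directly (what the Chef `sudo` resource writes to /etc/sudoers.d/admin) or a `%group` rule matched by the user's group membership (what the `group` resource approach relies on, via the stock `%sudo` line in /etc/sudoers). The sudoers text, the drop-in file and the group lists are constructed inputs, and the function names are my own; in an InSpec control the same strings would come from `file('/etc/sudoers').content`, the files under /etc/sudoers.d and `user('user').groups`. Alias directives and `Defaults` lines are deliberately ignored.

```ruby
# Constructed sample of a stock Ubuntu /etc/sudoers (only the relevant lines).
SUDOERS_MAIN = <<~SUDOERS
  Defaults env_reset
  root    ALL=(ALL:ALL) ALL
  %admin  ALL=(ALL) ALL
  %sudo   ALL=(ALL:ALL) ALL
  #includedir /etc/sudoers.d
SUDOERS

# Constructed copy of what the Chef 'sudo' resource in the question writes.
SUDOERS_D_ADMIN = <<~SUDOERS
  # This file is managed by Chef Infra Client. Changes will be overwritten.

  user ALL=(ALL) ALL
SUDOERS

# Parses sudoers text into rule hashes. Comments, blank lines, Defaults and
# alias directives are skipped; only "who host=(runas) [TAG:] commands" lines count.
def parse_sudoers(text)
  text.each_line.map do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', 'Defaults')
    m = line.match(/\A(\S+)\s+(\S+)=\((.*?)\)\s*(?:[A-Z]+:\s*)*(.+)\z/)
    next unless m
    { who: m[1], host: m[2], runas: m[3].delete(' '), commands: m[4].strip }
  end.compact
end

# A rule is "unrestricted" when it allows any command as any user on any host.
def unrestricted?(rule)
  rule[:host] == 'ALL' &&
    rule[:runas].split(':').first == 'ALL' &&
    rule[:commands] == 'ALL'
end

# Rules that apply to `user`: named directly, or via a %group the user is in.
def sudo_grants(user, groups, sudoers_texts)
  sudoers_texts.flat_map { |t| parse_sudoers(t) }.select do |r|
    r[:who] == user || (r[:who].start_with?('%') && groups.include?(r[:who][1..-1]))
  end
end

# True when at least one applicable rule grants unrestricted sudo.
def full_sudo?(user, groups, sudoers_texts)
  sudo_grants(user, groups, sudoers_texts).any? { |r| unrestricted?(r) }
end

if $PROGRAM_NAME == __FILE__
  # Path 1: drop-in file from the 'sudo' resource, user NOT in the sudo group.
  puts full_sudo?('user', ['user'], [SUDOERS_MAIN, SUDOERS_D_ADMIN])
  # Path 2: no drop-in file, user added to the 'sudo' group by the 'group' resource.
  puts full_sudo?('user', %w[user sudo], [SUDOERS_MAIN])
  # Neither: no grant at all.
  puts full_sudo?('user', ['user'], [SUDOERS_MAIN])
end
```

The first two calls both return true while the third returns false, which is the point of the answer: the two Chef approaches grant the same privilege through different data, so an InSpec test has to look at whichever one the recipe actually changes (file content for the `sudo` resource, `user('user').groups` for the `group` resource), or at both if the control should pass under either.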