From f48c47fc1b8ee77e4da88df216a7be33fda0cbc9 Mon Sep 17 00:00:00 2001 From: Hideki Saito Date: Fri, 28 May 2021 23:21:18 +0900 Subject: [PATCH] Add mode mode option to sysctl module * Add basic file attribute options to manage sysctl_file permission * Fixes #108 Signed-off-by: Hideki Saito --- .../fragments/108_sysctl_add_mode_option.yml | 3 + plugins/modules/sysctl.py | 33 +++++- .../integration/targets/sysctl/tasks/main.yml | 109 +++++++++++++++++- 3 files changed, 142 insertions(+), 3 deletions(-) create mode 100644 changelogs/fragments/108_sysctl_add_mode_option.yml diff --git a/changelogs/fragments/108_sysctl_add_mode_option.yml b/changelogs/fragments/108_sysctl_add_mode_option.yml new file mode 100644 index 0000000..ed4260a --- /dev/null +++ b/changelogs/fragments/108_sysctl_add_mode_option.yml @@ -0,0 +1,3 @@ +minor_changes: +- sysctl - add a basic file system attribute setting option to allow the sysctl module + to set the file attributes to ``sysctl_file`` (https://github.com/ansible-collections/ansible.posix/issues/108). diff --git a/plugins/modules/sysctl.py b/plugins/modules/sysctl.py index b82b2e4..623b1c0 100644 --- a/plugins/modules/sysctl.py +++ b/plugins/modules/sysctl.py @@ -56,6 +56,13 @@ options: - Verify token value with the sysctl command and set with -w if necessary type: bool default: 'no' + unsafe_writes: + description: + - This option is not used. + +extends_documentation_fragment: + - ansible.builtin.files + author: - David CHANIAL (@davixx) ''' 
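Review bot: The documentation added in the `@@ -56,6 +56,13 @@` hunk never says which file the inherited `mode`, `owner`, `group` and SELinux options act on. The module has no `path` option and the `ansible.builtin.files` fragment is worded generically. A sentence under `sysctl_file` such as `The file attribute options (mode, owner, group and so on) are applied to this file.` would remove the guesswork. The same place could state that this file is normally loaded with root privileges, so it should not be writable by group or others. The DOCUMENTATION string starts and ends outside this hunk.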
@@ -93,6 +100,22 @@ EXAMPLES = r''' sysctl_set: yes state: present reload: yes + +# Set file mode 0644 to /tmp/test_sysctl.conf +- ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: '1' + sysctl_file: /tmp/test_sysctl.conf + reload: no + mode: '0644' + +# Set file mode rw-r--r-- to /tmp/test_sysctl.conf +- ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: '1' + sysctl_file: /tmp/test_sysctl.conf + reload: no + mode: u=rw,g=r,o=r ''' # ============================================================== @@ -185,6 +208,13 @@ class SysctlModule(object): self.changed = True self.set_proc = True + # Set file permissions if there are differences. + # - Ansible 2.9.x does not support 'path' like load_file_common_arguments (params, path=PATH). + # so set 'sysctl_file' as 'path' in module.params. + self.module.params['path'] = self.sysctl_file + file_args = self.module.load_file_common_arguments(self.module.params) + self.changed = self.module.set_fs_attributes_if_different(file_args, self.changed) + # Do the work if not self.module.check_mode: if self.set_proc: @@ -394,8 +424,9 @@ def main(): reload=dict(default=True, type='bool'), sysctl_set=dict(default=False, type='bool'), ignoreerrors=dict(default=False, type='bool'), - sysctl_file=dict(default='/etc/sysctl.conf', type='path') + sysctl_file=dict(default='/etc/sysctl.conf', type='path'), ), + add_file_common_args=True, supports_check_mode=True, required_if=[('state', 'present', ['value'])], ) diff --git a/tests/integration/targets/sysctl/tasks/main.yml b/tests/integration/targets/sysctl/tasks/main.yml index c9a63c4..79fa9d0 100644 --- a/tests/integration/targets/sysctl/tasks/main.yml +++ b/tests/integration/targets/sysctl/tasks/main.yml 
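Review bot: Both new examples in the `@@ -93,6 +100,22 @@` hunk point `sysctl_file` at `/tmp/test_sysctl.conf`, a fixed name in a world-writable directory. Documentation examples tend to be copied into playbooks that run as root, where a predictable path in `/tmp` can be pre-created or swapped by another local user. A path under the system configuration tree illustrates the option without that risk, for example `sysctl_file: /etc/sysctl.d/90-example.conf` (constructed name). The EXAMPLES string starts outside this hunk.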
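Review bot: In the `@@ -185,6 +208,13 @@` hunk, `set_fs_attributes_if_different` is called ahead of the `# Do the work` block, so the requested mode, owner and group are applied to whatever is at `sysctl_file` before the module writes it. If the write, which is outside this hunk, creates the file or replaces it through a temporary file, the final file may not carry the requested attributes. A `sysctl_file` that does not exist yet would presumably make the attribute call fail on a missing path; please confirm against the write path. Applying the attributes after the write would make the end state match the request; the call should stay outside the `if not self.module.check_mode:` guard, since the helper is expected to handle check mode itself. The enclosing method starts and ends outside the hunk, and the tests added at `@@ -310,3 +316,102 @@` only cover a file that already exists.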
@@ -216,9 +216,15 @@ - name: Test on RHEL VMs when: - - ansible_facts.virtualization_type != 'docker' - - ansible_facts.distribution == 'RedHat' + - ansible_facts.virtualization_type not in ['docker', 'containerd'] + - ansible_system == 'Linux' block: + # Initialize parameter + - name: Remove sysctl property using module + sysctl: + name: vm.swappiness + state: absent + # Test reload: yes - name: Set sysctl property using module sysctl: 
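Review bot: The new condition `ansible_system == 'Linux'` relies on facts being injected as top-level variables, while the line above it reads `ansible_facts.virtualization_type`. Writing `ansible_facts.system == 'Linux'` keeps one style and still works when fact injection is turned off. The block is still named `Test on RHEL VMs` although it now runs on any Linux host that is not `docker` or `containerd`, so the name should change with the condition. The block continues outside the hunk.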
@@ -310,3 +316,102 @@ that: - sysctl_invalid_set1 is failed - "'vm.mmap_rnd_bits' not in sysctl_invalid_conf_content.stdout" + +# Test file permissions for sysctl_file +- name: Test to set file system permissions + block: + - set_fact: + output_dir_test: "{{ output_dir }}/test_sysctl" + + - name: make sure our testing sub-directory does not exist + file: + path: "{{ output_dir_test }}" + state: absent + + - name: create our testing sub-directory + file: + path: "{{ output_dir_test }}" + state: directory + + - name: copy the example conf to the test dir + copy: + src: sysctl.conf + dest: "{{ output_dir_test }}/permission_test.conf" + + - name: Create permission test file with 0666(check_mode) + sysctl: + name: net.ipv4.ip_forward + value: 1 + mode: 0666 + reload: no + sysctl_file: "{{ output_dir_test }}/permission_test.conf" + register: permission_test1_check_mode + check_mode: True + + - name: Ensure permission test file has been created(check_mode) + assert: + that: + - permission_test1_check_mode is changed + + - name: Create permission test file with 0666 + sysctl: + name: net.ipv4.ip_forward + value: 1 + mode: 0666 + reload: no + sysctl_file: "{{ output_dir_test }}/permission_test.conf" + register: permission_test1 + + - name: Ensure permission test file has been created + assert: + that: + - permission_test1 is changed + + - name: Get permission test file stat + stat: + path: "{{ output_dir_test }}/permission_test.conf" + register: stat_permission_test1 + + - name: Ensure file permission has been set 0666 + assert: + that: + - stat_permission_test1.stat.mode == '0666' + + - name: Modify file permission of permission test file to 0600(check_mode) + sysctl: + name: net.ipv4.ip_forward + value: 1 + mode: u=rw,go= + reload: no + sysctl_file: "{{ output_dir_test }}/permission_test.conf" + register: permission_test2_check_mode + check_mode: True + + - name: Ensure permission test file has been created(check_mode) + assert: + that: + - permission_test2_check_mode is 
changed + + - name: Modify file permission of permission test file to 0600 + sysctl: + name: net.ipv4.ip_forward + value: 1 + mode: u=rw,go= + reload: no + sysctl_file: "{{ output_dir_test }}/permission_test.conf" + register: permission_test2 + + - name: Ensure permission test file has been created + assert: + that: + - permission_test2 is changed + + - name: Get permission test file stat + stat: + path: "{{ output_dir_test }}/permission_test.conf" + register: stat_permission_test2 + + - name: Ensure file permission has been set 0600 + assert: + that: + - stat_permission_test2.stat.mode == '0600'
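Review bot: The check-mode tasks assert only `is changed`; nothing verifies that the file's mode was left alone after a check-mode run, or that a second run with the same `mode` reports no change. Every case also starts from a file created by `copy`, so a `sysctl_file` that does not exist yet is never exercised. `mode: 0666` is unquoted, whereas `mode: '0666'` matches the quoted form in the module's own examples and avoids YAML reading it as a number. The assert name `Ensure permission test file has been created` is reused for the modify steps and no longer describes them. A repeated-run check could look like the tasks below, placed after the final `stat` assertion.

```yaml
    - name: Set file permission 0600 again
      sysctl:
        name: net.ipv4.ip_forward
        value: 1
        mode: u=rw,go=
        reload: no
        sysctl_file: "{{ output_dir_test }}/permission_test.conf"
      register: permission_test2_again

    - name: Ensure a repeated run reports no change
      assert:
        that:
          - permission_test2_again is not changed
```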