--- # (c) 2017, Martin Krizek # This file is part of Ansible # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . - name: Create ansible user ansible.builtin.user: name: "{{ test_user }}" - name: Create ansible group ansible.builtin.group: name: "{{ test_group }}" - name: Clean up working directory and files ansible.builtin.file: path: "{{ output_dir }}" state: absent - name: Create working directory ansible.builtin.file: path: "{{ output_dir }}" state: directory mode: "0755" - name: Create ansible file ansible.builtin.file: path: "{{ test_file }}" state: touch mode: "0644" - name: Create ansible dir ansible.builtin.file: path: "{{ test_dir }}" state: directory mode: "0755" - name: Install acl package ansible.builtin.package: name: acl state: present ############################################################################## - name: Grant ansible user read access to a file ansible.posix.acl: path: "{{ test_file }}" entity: "{{ test_user }}" etype: user permissions: r state: present register: output - name: Debug ansible.posix.acl output ansible.builtin.debug: msg: "{{ output }}" - name: Get getfacl output ansible.builtin.command: getfacl {{ test_file | quote }} changed_when: false register: getfacl_output - name: Debug getfacl output ansible.builtin.debug: msg: "{{ getfacl_output.stdout_lines }}" - name: Verify Output ansible.builtin.assert: that: - output is changed - output is not failed - "'user:{{ test_user }}:r--' in output.acl" - "'user:{{ test_user }}:r--' in getfacl_output.stdout_lines" ############################################################################## - name: Obtain the acl for a specific file ansible.posix.acl: path: "{{ test_file }}" register: output - name: Debug ansible.posix.acl output ansible.builtin.debug: msg: "{{ output }}" - name: Get getfacl output ansible.builtin.command: getfacl {{ test_file | quote }} changed_when: false register: getfacl_output - name: Debug getfacl output ansible.builtin.debug: msg: "{{ getfacl_output.stdout_lines }}" - name: Verify output ansible.builtin.assert: that: - output is not changed - output is not failed - "'user::rw-' in output.acl" - "'user:{{ test_user }}:r--' in output.acl" - "'group::r--' in output.acl" - "'mask::r--' in output.acl" - "'other::r--' in output.acl" - "'user::rw-' in getfacl_output.stdout_lines" - "'user:{{ test_user }}:r--' in getfacl_output.stdout_lines" - "'group::r--' in getfacl_output.stdout_lines" - "'mask::r--' in getfacl_output.stdout_lines" - "'other::r--' in getfacl_output.stdout_lines" ############################################################################## # - name: Removes the acl for ansible user on a specific file ansible.posix.acl: path: "{{ test_file }}" entity: "{{ test_user }}" etype: user state: absent register: output - name: Get getfacl output ansible.builtin.command: getfacl {{ test_file | quote }} changed_when: false register: getfacl_output - name: Verify output ansible.builtin.assert: that: - output is changed - output is not failed - "'user:{{ test_user }}:r--' not in output.acl" - "'user:{{ test_user }}:r--' not in getfacl_output.stdout_lines" ############################################################################## - name: Sets default acl for ansible user on ansible dir ansible.posix.acl: path: "{{ test_dir }}" entity: "{{ test_user }}" etype: user permissions: rw default: true state: present register: output - name: Get getfacl output ansible.builtin.command: getfacl {{ test_dir | quote }} changed_when: false register: getfacl_output - name: Verify output ansible.builtin.assert: that: - output is changed - output is not failed - "'user:{{ test_user }}:rw-' in output.acl" - "'default:user:{{ test_user }}:rw-' in getfacl_output.stdout_lines" ############################################################################## - name: Cleanup ansible.builtin.command: setfacl -b {{ test_dir | quote }} changed_when: false ############################################################################## - name: Same as previous but using entry shorthand ansible.posix.acl: path: "{{ test_dir }}" entry: user:{{ test_user }}:rw- default: true state: present register: output - name: Get getfacl output ansible.builtin.command: getfacl {{ test_dir | quote }} changed_when: false register: getfacl_output - name: Verify output ansible.builtin.assert: that: - output is changed - output is not failed - "'user:{{ test_user }}:rw-' in output.acl" - "'default:user:{{ test_user }}:rw-' in getfacl_output.stdout_lines" ############################################################################## - name: Same as previous, to test idempotence ansible.posix.acl: path: "{{ test_dir }}" entry: user:{{ test_user }}:rw- default: true state: present register: output - name: Get getfacl output ansible.builtin.command: getfacl {{ test_dir | quote }} changed_when: false register: getfacl_output - name: Verify output ansible.builtin.assert: that: - output is not changed - output is not failed - "'user:{{ test_user }}:rw-' in output.acl" - "'default:user:{{ test_user }}:rw-' in getfacl_output.stdout_lines" ############################################################################## - name: Cleanup ansible.builtin.command: setfacl -b {{ test_dir | quote }} changed_when: false ############################################################################## - name: Set default acls ansible.posix.acl: path: "{{ test_dir }}" entry: "{{ item }}" default: true state: present with_items: - user:{{ test_user }}:rw- - group:{{ test_group }}:rw- - name: Remove default group test_user acl ansible.posix.acl: path: "{{ test_dir }}" entry: group:{{ test_group }}:rw- default: true state: absent register: output - name: Get getfacl output ansible.builtin.command: getfacl {{ test_dir | quote }} changed_when: false register: getfacl_output - name: Verify output ansible.builtin.assert: that: - output is changed - output is not failed - "'user::rwx' in getfacl_output.stdout_lines" - "'group::r-x' in getfacl_output.stdout_lines" - "'other::r-x' in getfacl_output.stdout_lines" - "'default:user::rwx' in getfacl_output.stdout_lines" - "'default:user:{{ test_user }}:rw-' in getfacl_output.stdout_lines" - "'default:group::r-x' in getfacl_output.stdout_lines" - "'default:mask::rwx' in getfacl_output.stdout_lines" - "'default:other::r-x' in getfacl_output.stdout_lines" - "'default:group:{{ test_group }}:rw-' not in getfacl_output.stdout_lines" ############################################################################## - name: Trigger acl module with NFSv4 and no permissions (Issue #679) ansible.posix.acl: path: "{{ test_dir }}" entity: "{{ test_user }}" etype: user state: absent use_nfsv4_acls: true register: crash_test ignore_errors: true - name: Verify the module did not crash with a TypeError ansible.builtin.assert: that: - crash_test is failed - "'unsupported operand type' not in (crash_test.module_stderr | default(''))" - "crash_test.msg is search('permissions.*required')" msg: "The module crashed with a TypeError instead of failing with a helpful error message!"