From 45e9ed441e6271982702e5c0eb25022142c1177a Mon Sep 17 00:00:00 2001
From: Dimitrios Apostolou <jimis@gmx.net>
Date: Mon, 15 Apr 2019 13:04:07 +0200
Subject: [PATCH 1/3] Add support for ACL mask.

---
 cdist/conf/type/__acl/explorer/acl_is    |  5 ++++-
 cdist/conf/type/__acl/gencode-remote     | 13 ++++++++++++-
 cdist/conf/type/__acl/man.rst            |  9 ++++++++-
 cdist/conf/type/__acl/parameter/optional |  1 +
 4 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 cdist/conf/type/__acl/parameter/optional

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index 4dc98c51..fbb1be3f 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -19,5 +19,8 @@
 #
 
 if [ -e "/$__object_id" ]
-then getfacl "/$__object_id" | grep -E '^((default:|)(user|group)):[a-z]' || true
+then
+    getfacl "/$__object_id" \
+        | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \
+        || true
 fi
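Review bot: The new filter keeps whole getfacl lines, but once a mask is set getfacl appends a `#effective:` comment to any named user or group entry whose rights the mask narrows, so a reported line no longer equals the bare `user:alice:rwx` form the type is given. If gencode-remote compares the explorer output with the requested entries literally (not visible in this hunk), such an object would look changed on every run. Consider trimming each match to the entry itself, e.g. `grep -Eo '^(default:)?((user|group):[^:]+|mask:):[-rwx]+'`, or on Linux passing `--no-effective` to getfacl.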
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index a59d49e0..1c1a1b06 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -37,7 +37,18 @@ do
         then echo "default:$parameter:$l"
         fi
     done < "$__object/parameter/$parameter"
-done )"
+done
+if [ -f "$__object/parameter/mask" ]
+then
+    l=$( cat "$__object/parameter/mask" )
+
+    echo "mask::$l"
+
+    if [ -f "$__object/parameter/default" ]
+    then echo "default:mask::$l"
+    fi
+fi
+)"
 
 setfacl_exec='setfacl'
 
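Review bot: The mask value read by `l=$( cat "$__object/parameter/mask" )` is echoed into the entry list unchecked, although the man page requires a 3-symbol combination of `r`, `w`, `x` and `-`. An empty or malformed value would produce `mask::` entries that fail only later on the target, or that never match what the explorer reports. A guard right after the read would catch this at code-generation time: `case "$l" in [r-][w-][x-]) ;; *) echo "invalid mask: $l" >&2; exit 1 ;; esac`. The enclosing command substitution starts outside this hunk, and an `exit` inside it leaves only the subshell, so the status of the assignment would still need to be checked.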
diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index 39db4d75..c10ee1a0 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@@ -13,6 +13,12 @@ ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`.
 See setfacl(1) and acl(5) for more details.
 
 
+OPTIONAL PARAMETERS
+-------------------
+mask
+   Add mask ACL entry.
+
+
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 user
@@ -46,7 +52,8 @@ EXAMPLES
         --user alice:rwx \
         --user bob:r-x \
         --group project-group:rwx \
-        --group some-other-group:r-x
+        --group some-other-group:r-x \
+        --mask r-x
 
 
 AUTHORS
diff --git a/cdist/conf/type/__acl/parameter/optional b/cdist/conf/type/__acl/parameter/optional
new file mode 100644
index 00000000..bb4fcf2b
--- /dev/null
+++ b/cdist/conf/type/__acl/parameter/optional
@@ -0,0 +1 @@
+mask

From 6062e3557c3e359320c386c356405dd98fbdd5f6 Mon Sep 17 00:00:00 2001
From: Dimitrios Apostolou <jimis@gmx.net>
Date: Mon, 15 Apr 2019 16:32:11 +0200
Subject: [PATCH 2/3] Output of grep should be quiet, as we care only for the
 exit code.

---
 cdist/conf/type/__acl/gencode-remote | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 1c1a1b06..8ab7b566 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -54,7 +54,7 @@ setfacl_exec='setfacl'
 
 if [ -f "$__object/parameter/recursive" ]
 then
-    if echo "$os" | grep -E 'macosx|netbsd|freebsd|openbsd'
+    if echo "$os" | grep -Eq 'macosx|netbsd|freebsd|openbsd'
     then
         echo "$os setfacl do not support recursive operations" >&2
     else
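Review bot: The test `echo "$os" | grep -Eq 'macosx|netbsd|freebsd|openbsd'` spawns a pipeline to match a single variable and matches substrings rather than the whole value; the `grep -Fq 'solaris'` test in the next hunk has the same shape. A `case "$os" in macosx|netbsd|freebsd|openbsd)` arm would be exact and need no external command, assuming `$os` holds a single identifier (its origin is outside these hunks). Both `if` blocks continue past the end of their hunks.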
@@ -64,7 +64,7 @@ fi
 
 if [ -f "$__object/parameter/remove" ]
 then
-    if echo "$os" | grep 'solaris'
+    if echo "$os" | grep -Fq 'solaris'
     then
         # Solaris setfacl behaves differently.
         # We will not support Solaris for now, because no way to test it.

From 437af3a0a381a70ae85b9784a25e24a1794a9e1c Mon Sep 17 00:00:00 2001
From: Dimitrios Apostolou <jimis@gmx.net>
Date: Mon, 15 Apr 2019 20:51:02 +0200
Subject: [PATCH 3/3] Silence getfacl

otherwise it always prints the message:

    getfacl: Removing leading '/' from absolute path names
---
 cdist/conf/type/__acl/explorer/acl_is | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index fbb1be3f..e2ae0932 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -20,7 +20,7 @@
 
 if [ -e "/$__object_id" ]
 then
-    getfacl "/$__object_id" \
+    getfacl "/$__object_id" 2>/dev/null \
         | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \
         || true
 fi
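Review bot: `2>/dev/null` discards every getfacl diagnostic, not only the leading-slash notice named in the commit message, and the trailing `|| true` already hides the exit status. A getfacl that is missing or cannot read the path then yields empty output, which is indistinguishable from a path with no extended ACL entries. On Linux the notice can be avoided without touching stderr by using `getfacl --absolute-names "/$__object_id"`. Other platforms' getfacl may not accept that option, so it would need a per-OS check.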