From 2cde09648cc9be18a1d857d994c270ca2e1b52c2 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 14:15:48 +0300
Subject: [PATCH 01/28] __acl: check if getfacl is available

---
 cdist/conf/type/__acl/explorer/acl_is | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index e2ae0932..bb1db89d 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -18,6 +18,12 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
+if ! command -v getfacl 2>/dev/null
+then
+    echo 'getfacl not available' >&2
+    exit 1
+fi
+
 if [ -e "/$__object_id" ]
 then
     getfacl "/$__object_id" 2>/dev/null \

From d71eb3d8bdbd46848bc9c53b2523be050b083410 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 14:20:13 +0300
Subject: [PATCH 02/28] __acl: (open|net)bsd do not have (get|set)facl

---
 cdist/conf/type/__acl/gencode-remote | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 8ab7b566..2ea01524 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -54,7 +54,7 @@ setfacl_exec='setfacl'
 
 if [ -f "$__object/parameter/recursive" ]
 then
-    if echo "$os" | grep -Eq 'macosx|netbsd|freebsd|openbsd'
+    if echo "$os" | grep -Eq 'macosx|freebsd'
     then
         echo "$os setfacl do not support recursive operations" >&2
     else

From ef8ff06b5f20a73c744769aecc047ff7c05e5fbb Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 14:39:45 +0300
Subject: [PATCH 03/28] __acl: only directories can have default ACLs

---
 cdist/conf/type/__acl/explorer/file_type | 28 ++++++++++++++++++++++++
 cdist/conf/type/__acl/gencode-remote     |  8 +++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100755 cdist/conf/type/__acl/explorer/file_type

diff --git a/cdist/conf/type/__acl/explorer/file_type b/cdist/conf/type/__acl/explorer/file_type
new file mode 100755
index 00000000..0d1edb7d
--- /dev/null
+++ b/cdist/conf/type/__acl/explorer/file_type
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+#
+# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+if [ -e "/$__object_id" ]
+then
+    if [ -d "/$__object_id" ]
+    then echo d
+    elif [ -f "/$__object_id" ]
+    then echo f
+    fi
+fi
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 2ea01524..355cc88e 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -20,6 +20,8 @@
 
 os="$( cat "$__global/explorer/os" )"
 
+file_type="$( cat "$__object/explorer/file_type" )"
+
 acl_path="/$__object_id"
 
 acl_is="$( cat "$__object/explorer/acl_is" )"
@@ -33,7 +35,8 @@ do
     do
         echo "$parameter:$l"
 
-        if [ -f "$__object/parameter/default" ]
+        if [ -f "$__object/parameter/default" ] \
+            && [ "$file_type" = 'd' ]
         then echo "default:$parameter:$l"
         fi
     done < "$__object/parameter/$parameter"
@@ -44,7 +47,8 @@ then
 
     echo "mask::$l"
 
-    if [ -f "$__object/parameter/default" ]
+    if [ -f "$__object/parameter/default" ] \
+        && [ "$file_type" = 'd' ]
     then echo "default:mask::$l"
     fi
 fi

From ab954ffbcf285d3d83b7e61070468afc8cab1610 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 14:44:32 +0300
Subject: [PATCH 04/28] __acl: always check first if path exists

---
 cdist/conf/type/__acl/explorer/acl_is    | 13 +++++++------
 cdist/conf/type/__acl/explorer/file_type | 15 ++++++++-------
 cdist/conf/type/__acl/gencode-remote     |  6 ++++--
 3 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index bb1db89d..c5d8468d 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -18,15 +18,16 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
+acl_path="/$__object_id"
+
+[ ! -e "$acl_path" ] && exit 0
+
 if ! command -v getfacl 2>/dev/null
 then
     echo 'getfacl not available' >&2
     exit 1
 fi
 
-if [ -e "/$__object_id" ]
-then
-    getfacl "/$__object_id" 2>/dev/null \
-        | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \
-        || true
-fi
+getfacl "$acl_path" 2>/dev/null \
+    | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \
+    || true
diff --git a/cdist/conf/type/__acl/explorer/file_type b/cdist/conf/type/__acl/explorer/file_type
index 0d1edb7d..f45e302b 100755
--- a/cdist/conf/type/__acl/explorer/file_type
+++ b/cdist/conf/type/__acl/explorer/file_type
@@ -18,11 +18,12 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-if [ -e "/$__object_id" ]
-then
-    if [ -d "/$__object_id" ]
-    then echo d
-    elif [ -f "/$__object_id" ]
-    then echo f
-    fi
+acl_path="/$__object_id"
+
+[ ! -e "$acl_path" ] && exit 0
+
+if [ -d "$acl_path" ]
+then echo d
+elif [ -f "$acl_path" ]
+then echo f
 fi
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 355cc88e..88fc8ce0 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -18,12 +18,14 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
+acl_path="/$__object_id"
+
+[ ! -e "$acl_path" ] && exit 0
+
 os="$( cat "$__global/explorer/os" )"
 
 file_type="$( cat "$__object/explorer/file_type" )"
 
-acl_path="/$__object_id"
-
 acl_is="$( cat "$__object/explorer/acl_is" )"
 
 acl_should="$( for parameter in user group

From 2b5887bdbd3229d75da48e32dc7e55b29b6abd54 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 14:51:26 +0300
Subject: [PATCH 05/28] __acl: we only care whether file is directory

---
 cdist/conf/type/__acl/explorer/{file_type => is_dir} | 5 ++---
 cdist/conf/type/__acl/gencode-remote                 | 6 +++---
 2 files changed, 5 insertions(+), 6 deletions(-)
 rename cdist/conf/type/__acl/explorer/{file_type => is_dir} (94%)

diff --git a/cdist/conf/type/__acl/explorer/file_type b/cdist/conf/type/__acl/explorer/is_dir
similarity index 94%
rename from cdist/conf/type/__acl/explorer/file_type
rename to cdist/conf/type/__acl/explorer/is_dir
index f45e302b..d3080de6 100755
--- a/cdist/conf/type/__acl/explorer/file_type
+++ b/cdist/conf/type/__acl/explorer/is_dir
@@ -23,7 +23,6 @@ acl_path="/$__object_id"
 [ ! -e "$acl_path" ] && exit 0
 
 if [ -d "$acl_path" ]
-then echo d
-elif [ -f "$acl_path" ]
-then echo f
+then echo 1
+else echo 0
 fi
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 88fc8ce0..a50174fa 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -24,7 +24,7 @@ acl_path="/$__object_id"
 
 os="$( cat "$__global/explorer/os" )"
 
-file_type="$( cat "$__object/explorer/file_type" )"
+is_dir="$( cat "$__object/explorer/is_dir" )"
 
 acl_is="$( cat "$__object/explorer/acl_is" )"
 
@@ -38,7 +38,7 @@ do
         echo "$parameter:$l"
 
         if [ -f "$__object/parameter/default" ] \
-            && [ "$file_type" = 'd' ]
+            && [ "$is_dir" = '1' ]
         then echo "default:$parameter:$l"
         fi
     done < "$__object/parameter/$parameter"
@@ -50,7 +50,7 @@ then
     echo "mask::$l"
 
     if [ -f "$__object/parameter/default" ] \
-        && [ "$file_type" = 'd' ]
+        && [ "$is_dir" = '1' ]
     then echo "default:mask::$l"
     fi
 fi

From 9e3cd47b9afa0a13276ca5967d689773111f6990 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 15:03:07 +0300
Subject: [PATCH 06/28] __acl: command -v stdout to devnull

---
 cdist/conf/type/__acl/explorer/acl_is | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index c5d8468d..f75f4003 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -22,7 +22,7 @@ acl_path="/$__object_id"
 
 [ ! -e "$acl_path" ] && exit 0
 
-if ! command -v getfacl 2>/dev/null
+if ! command -v getfacl > /dev/null
 then
     echo 'getfacl not available' >&2
     exit 1

From 731986ef8b417cdc0284ffd3b43c66a9bd851f55 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 15:21:41 +0300
Subject: [PATCH 07/28] __acl: trying to understand X

---
 cdist/conf/type/__acl/gencode-remote | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index a50174fa..651bfce0 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -35,6 +35,16 @@ do
     fi
     while read -r l
     do
+        if echo "$l" | grep -Fq 'X'
+        then
+            if [ "$is_dir" = '1' ]
+            then
+                l="$( echo "$l" | sed 's/X/x/' )"
+            else
+                l="$( echo "$l" | sed 's/X/-/' )"
+            fi
+        fi
+
         echo "$parameter:$l"
 
         if [ -f "$__object/parameter/default" ] \
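Review bot: The new branch maps `X` to `-` for every non-directory, which is narrower than setfacl(1), where `X` also grants execute on a file that already has an execute bit. That difference deserves a comment above the outer `if`, for example `# X: x on directories, - on everything else (stricter than setfacl's own X)`. Both `grep -Fq 'X'` and `sed 's/X/x/'` also act on the whole of `$l`, so for a `user` or `group` value the first `X` may sit in the name part and the entry would be generated for a differently spelled principal. Restricting the test and the substitution to the field after the last colon avoids that. The enclosing `while` loop starts and ends outside this hunk.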

From cea639d1c901de298818c303202b9332d0f20d1a Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 15:27:47 +0300
Subject: [PATCH 08/28] __acl: we can't remove mask

---
 cdist/conf/type/__acl/gencode-remote | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 651bfce0..47e39e0a 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -89,7 +89,8 @@ then
     else
         echo "$acl_is" | while read -r acl
         do
-            if echo "$acl_should" | grep -Fq "$acl"
+            if echo "$acl_should" | grep -Fq "$acl" \
+                || echo "$acl" | grep -Eq '^(default:)?mask'
             then continue
             fi
 

From 8b9b2c56ab534d619148e497b2e1342128168d21 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 15:28:25 +0300
Subject: [PATCH 09/28] __acl: be more strict because of reasons

---
 cdist/conf/type/__acl/gencode-remote | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 47e39e0a..a989f95f 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -89,7 +89,7 @@ then
     else
         echo "$acl_is" | while read -r acl
         do
-            if echo "$acl_should" | grep -Fq "$acl" \
+            if echo "$acl_should" | grep -Eq "^$acl" \
                 || echo "$acl" | grep -Eq '^(default:)?mask'
             then continue
             fi
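Review bot: `grep -Eq "^$acl"` treats an entry read from `$acl_is` as an extended regular expression and anchors only its start, so a `.`, `+` or `[` in a user or group name acts as a pattern and an existing entry can be judged wanted by matching a different line of `$acl_should`. Such an entry hits `continue` and is left in place instead of being removed. A fixed-string, whole-line comparison gives the intended strictness without interpreting the name: `if echo "$acl_should" | grep -Fxq -- "$acl" \`. The same construct appears later in the series in the `for acl in $acl_should` loop (`grep -Eq "^$acl"` against `$acl_is`) and needs the same change. The loop body continues outside this hunk.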

From 53c963b2eec3eab529bece57cdc25cd00b5557d3 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 15:35:11 +0300
Subject: [PATCH 10/28] __acl: be bit more precise where the X is

---
 cdist/conf/type/__acl/gencode-remote | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index a989f95f..7003c26f 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -39,9 +39,9 @@ do
         then
             if [ "$is_dir" = '1' ]
             then
-                l="$( echo "$l" | sed 's/X/x/' )"
+                l="$( echo "$l" | sed 's/X$/x/' )"
             else
-                l="$( echo "$l" | sed 's/X/-/' )"
+                l="$( echo "$l" | sed 's/X$/-/' )"
             fi
         fi
 

From e04d647d8e9f1450cdb461b3af4aa14f1d589e24 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 18:09:47 +0300
Subject: [PATCH 11/28] __acl: fix always check first if path exists

---
 cdist/conf/type/__acl/explorer/acl_is      |  6 ++----
 cdist/conf/type/__acl/explorer/file_exists | 24 ++++++++++++++++++++++
 cdist/conf/type/__acl/explorer/is_dir      |  6 ++----
 cdist/conf/type/__acl/gencode-remote       |  6 +++---
 4 files changed, 31 insertions(+), 11 deletions(-)
 create mode 100755 cdist/conf/type/__acl/explorer/file_exists

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index f75f4003..89da89f1 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -18,9 +18,7 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-acl_path="/$__object_id"
-
-[ ! -e "$acl_path" ] && exit 0
+[ ! -e "/$__object_id" ] && exit 0
 
 if ! command -v getfacl > /dev/null
 then
@@ -28,6 +26,6 @@ then
     exit 1
 fi
 
-getfacl "$acl_path" 2>/dev/null \
+getfacl "/$__object_id" 2>/dev/null \
     | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \
     || true
diff --git a/cdist/conf/type/__acl/explorer/file_exists b/cdist/conf/type/__acl/explorer/file_exists
new file mode 100755
index 00000000..998d407c
--- /dev/null
+++ b/cdist/conf/type/__acl/explorer/file_exists
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+#
+# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+if [ -e "/$__object_id" ]
+then echo 1
+else echo 0
+fi
diff --git a/cdist/conf/type/__acl/explorer/is_dir b/cdist/conf/type/__acl/explorer/is_dir
index d3080de6..7c4e2538 100755
--- a/cdist/conf/type/__acl/explorer/is_dir
+++ b/cdist/conf/type/__acl/explorer/is_dir
@@ -18,11 +18,9 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-acl_path="/$__object_id"
+[ ! -e "/$__object_id" ] && exit 0
 
-[ ! -e "$acl_path" ] && exit 0
-
-if [ -d "$acl_path" ]
+if [ -d "/$__object_id" ]
 then echo 1
 else echo 0
 fi
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 7003c26f..91fb7117 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -18,9 +18,7 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-acl_path="/$__object_id"
-
-[ ! -e "$acl_path" ] && exit 0
+[ "$( cat "$__object/explorer/file_exists" )" = '0' ] && exit 0
 
 os="$( cat "$__global/explorer/os" )"
 
@@ -28,6 +26,8 @@ is_dir="$( cat "$__object/explorer/is_dir" )"
 
 acl_is="$( cat "$__object/explorer/acl_is" )"
 
+acl_path="/$__object_id"
+
 acl_should="$( for parameter in user group
 do
     if [ ! -f "$__object/parameter/$parameter" ]

From c1a34caba7c39d3f27f7dd6ba249046e04a83e1c Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 19:06:48 +0300
Subject: [PATCH 12/28] __acl: add "other" ACL entry support and some comments,
 remove getfacl's inline comments

---
 cdist/conf/type/__acl/explorer/acl_is    |  5 +++--
 cdist/conf/type/__acl/gencode-remote     | 21 +++++++++++++++++++--
 cdist/conf/type/__acl/man.rst            |  6 +++++-
 cdist/conf/type/__acl/parameter/optional |  1 +
 4 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index 89da89f1..70e18116 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -26,6 +26,7 @@ then
     exit 1
 fi
 
-getfacl "/$__object_id" 2>/dev/null \
-    | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \
+getfacl -E "/$__object_id" 2>/dev/null \
+    | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \
+    | sed -r 's/#.+$//' \
     || true
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 91fb7117..ce88afc4 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -28,7 +28,8 @@ acl_is="$( cat "$__object/explorer/acl_is" )"
 
 acl_path="/$__object_id"
 
-acl_should="$( for parameter in user group
+acl_should="$(
+for parameter in user group
 do
     if [ ! -f "$__object/parameter/$parameter" ]
     then continue
@@ -53,6 +54,7 @@ do
         fi
     done < "$__object/parameter/$parameter"
 done
+
 if [ -f "$__object/parameter/mask" ]
 then
     l=$( cat "$__object/parameter/mask" )
@@ -64,6 +66,18 @@ then
     then echo "default:mask::$l"
     fi
 fi
+
+if [ -f "$__object/parameter/other" ]
+then
+    l=$( cat "$__object/parameter/other" )
+
+    echo "other::$l"
+
+    if [ -f "$__object/parameter/default" ] \
+        && [ "$is_dir" = '1' ]
+    then echo "default:other::$l"
+    fi
+fi
 )"
 
 setfacl_exec='setfacl'
@@ -89,8 +103,11 @@ then
     else
         echo "$acl_is" | while read -r acl
         do
+            # Skip wanted ACL entries which already exist
+            # and skip mask and other entries, because we
+            # can't actually remove them, but only change.
             if echo "$acl_should" | grep -Eq "^$acl" \
-                || echo "$acl" | grep -Eq '^(default:)?mask'
+                || echo "$acl" | grep -Eq '^(default:)?(mask|other)'
             then continue
             fi
 
diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index c10ee1a0..40c3ead4 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@@ -18,6 +18,9 @@ OPTIONAL PARAMETERS
 mask
    Add mask ACL entry.
 
+other
+   Add other ACL entry.
+
 
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
@@ -53,7 +56,8 @@ EXAMPLES
         --user bob:r-x \
         --group project-group:rwx \
         --group some-other-group:r-x \
-        --mask r-x
+        --mask r-x \
+        --other r-x
 
 
 AUTHORS
diff --git a/cdist/conf/type/__acl/parameter/optional b/cdist/conf/type/__acl/parameter/optional
index bb4fcf2b..4b32086b 100644
--- a/cdist/conf/type/__acl/parameter/optional
+++ b/cdist/conf/type/__acl/parameter/optional
@@ -1 +1,2 @@
 mask
+other

From a1634b3ec0d8797cff33be88bf9e1487532ed12a Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 19:24:38 +0300
Subject: [PATCH 13/28] __acl: optimize gencode-remote

---
 cdist/conf/type/__acl/gencode-remote | 57 ++++++++++------------------
 1 file changed, 21 insertions(+), 36 deletions(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index ce88afc4..fd763b8f 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -28,57 +28,42 @@ acl_is="$( cat "$__object/explorer/acl_is" )"
 
 acl_path="/$__object_id"
 
-acl_should="$(
-for parameter in user group
+acl_should="$( for parameter in user group mask other
 do
     if [ ! -f "$__object/parameter/$parameter" ]
-    then continue
+    then
+        continue
     fi
-    while read -r l
+
+    while read -r acl
     do
-        if echo "$l" | grep -Fq 'X'
+        if echo "$acl" | grep -Fq 'X'
         then
             if [ "$is_dir" = '1' ]
             then
-                l="$( echo "$l" | sed 's/X$/x/' )"
+                acl="$( echo "$acl" | sed 's/X$/x/' )"
             else
-                l="$( echo "$l" | sed 's/X$/-/' )"
+                acl="$( echo "$acl" | sed 's/X$/-/' )"
             fi
         fi
 
-        echo "$parameter:$l"
+        if echo "$parameter" | grep -Eq '(mask|other)'
+        then
+            sep=::
+        else
+            sep=:
+        fi
+
+        echo "$parameter$sep$acl"
 
         if [ -f "$__object/parameter/default" ] \
             && [ "$is_dir" = '1' ]
-        then echo "default:$parameter:$l"
+        then
+            echo "default:$parameter$sep$acl"
         fi
-    done < "$__object/parameter/$parameter"
-done
-
-if [ -f "$__object/parameter/mask" ]
-then
-    l=$( cat "$__object/parameter/mask" )
-
-    echo "mask::$l"
-
-    if [ -f "$__object/parameter/default" ] \
-        && [ "$is_dir" = '1' ]
-    then echo "default:mask::$l"
-    fi
-fi
-
-if [ -f "$__object/parameter/other" ]
-then
-    l=$( cat "$__object/parameter/other" )
-
-    echo "other::$l"
-
-    if [ -f "$__object/parameter/default" ] \
-        && [ "$is_dir" = '1' ]
-    then echo "default:other::$l"
-    fi
-fi
-)"
+    done \
+        < "$__object/parameter/$parameter"
+done )"
 
 setfacl_exec='setfacl'
 
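Review bot: The lines read by `while read -r acl` go into `acl_should` unchecked, although man.rst asks for a 3-symbol permission string, and later in gencode-remote they are copied into generated code as `setfacl -m \"$acl\" …`. A value holding a double quote, `$` or a backquote would therefore be interpreted by the shell that runs the generated code on the target. The check below, placed at the top of the loop, covers only the permission field; the name part of `user`/`group` values would still need to be restricted or escaped. Because the loop runs inside `$( … )`, the `exit 1` ends the substitution and has to be picked up from the status of the `acl_should=` assignment.

```shell
    while read -r acl
    do
        # Accept only a 3-symbol permission field (the text after the last colon).
        case "${acl##*:}" in
            [r-][w-][xX-]) ;;
            *)
                echo "invalid $parameter ACL entry: $acl" >&2
                exit 1
            ;;
        esac

        # … unchanged: X substitution, separator choice, echo of the entries …
```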

From 8b3c84dfefc5e44fa4f5ae1daa40b87e46a5076a Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 23:15:58 +0300
Subject: [PATCH 14/28] __acl: remove whitespace before inline comments too

---
 cdist/conf/type/__acl/explorer/acl_is | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index 70e18116..1c64ffb3 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -28,5 +28,5 @@ fi
 
 getfacl -E "/$__object_id" 2>/dev/null \
     | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \
-    | sed -r 's/#.+$//' \
+    | sed -r 's/\s*#.+$//' \
     || true

From 7924c1339cc76bb7f8ab2c4a17cea751be7ef509 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 23:28:30 +0300
Subject: [PATCH 15/28] __acl: avoid duplication and safer sed for last
 occurence replacement

---
 cdist/conf/type/__acl/gencode-remote | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index fd763b8f..56c1cbc1 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -41,10 +41,12 @@ do
         then
             if [ "$is_dir" = '1' ]
             then
-                acl="$( echo "$acl" | sed 's/X$/x/' )"
+                rep=x
             else
-                acl="$( echo "$acl" | sed 's/X$/-/' )"
+                rep=-
             fi
+
+            acl="$( echo "$acl" | sed -r "s/(.*)X/\1$rep/" )"
         fi
 
         if echo "$parameter" | grep -Eq '(mask|other)'

From f23099218ab8918efde5798d15d5c025e3a0c5da Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 23:29:38 +0300
Subject: [PATCH 16/28] __acl: juggle man sections around because user/group
 are more important parameters

---
 cdist/conf/type/__acl/man.rst | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index 40c3ead4..b7e74d59 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@@ -13,15 +13,6 @@ ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`.
 See setfacl(1) and acl(5) for more details.
 
 
-OPTIONAL PARAMETERS
--------------------
-mask
-   Add mask ACL entry.
-
-other
-   Add other ACL entry.
-
-
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 user
@@ -31,6 +22,15 @@ group
    Add group ACL entry.
 
 
+OPTIONAL PARAMETERS
+-------------------
+mask
+   Add mask ACL entry.
+
+other
+   Add other ACL entry.
+
+
 BOOLEAN PARAMETERS
 ------------------
 recursive

From 68f61c35ff89971a93ebd511ab35d13b40dce690 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Tue, 16 Apr 2019 23:36:54 +0300
Subject: [PATCH 17/28] __acl: check for X after last occurrence of colon

---
 cdist/conf/type/__acl/gencode-remote | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 56c1cbc1..96b4a57c 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -37,7 +37,7 @@ do
 
     while read -r acl
     do
-        if echo "$acl" | grep -Fq 'X'
+        if echo "$acl" | sed -r 's/(.*)://' | grep -Fq 'X'
         then
             if [ "$is_dir" = '1' ]
             then

From f5d3196dd4f142c4b28c9641126d98cfb7eaaab7 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 11:31:38 +0300
Subject: [PATCH 18/28] __acl: getfacl's -E not supported on FreeBSD

---
 cdist/conf/type/__acl/explorer/acl_is | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index 1c64ffb3..9ca30281 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -26,7 +26,7 @@ then
     exit 1
 fi
 
-getfacl -E "/$__object_id" 2>/dev/null \
+getfacl "/$__object_id" 2>/dev/null \
     | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \
     | sed -r 's/\s*#.+$//' \
     || true

From 0809d89836e633af8da983df3f1333ee281938dc Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 12:56:55 +0300
Subject: [PATCH 19/28] __acl: replace sed -r where possible or make it
 portable without -r

---
 cdist/conf/type/__acl/explorer/acl_is | 3 +--
 cdist/conf/type/__acl/gencode-remote  | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is
index 9ca30281..a693c023 100755
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@@ -27,6 +27,5 @@ then
 fi
 
 getfacl "/$__object_id" 2>/dev/null \
-    | grep -E '^(default:)?(user|group|(mask|other):):[^:]' \
-    | sed -r 's/\s*#.+$//' \
+    | grep -Eo '^(default:)?(user|group|(mask|other):):[^:][[:graph:]]+' \
     || true
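Review bot: `grep -Eo` swaps one extension for another: `-o` is not among the options POSIX specifies for grep, so the portability this commit aims for still depends on the target's grep. The entry is the first whitespace-delimited field of each getfacl line, so awk (which this commit already uses in gencode-remote) can filter and trim in one step, e.g. `| awk '/^(default:)?(user|group|(mask|other):):[^:]/ { print $1 }' \`. A short comment saying that getfacl's inline comments are being cut off would also help, since the removed `sed` made that explicit.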
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 96b4a57c..08ba60ac 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -37,7 +37,7 @@ do
 
     while read -r acl
     do
-        if echo "$acl" | sed -r 's/(.*)://' | grep -Fq 'X'
+        if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X'
         then
             if [ "$is_dir" = '1' ]
             then
@@ -46,7 +46,7 @@ do
                 rep=-
             fi
 
-            acl="$( echo "$acl" | sed -r "s/(.*)X/\1$rep/" )"
+            acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )"
         fi
 
         if echo "$parameter" | grep -Eq '(mask|other)'
@@ -98,7 +98,7 @@ then
             then continue
             fi
 
-            no_bits="$( echo "$acl" | sed -r 's/:[rwx-]+$//' )"
+            no_bits="$( echo "$acl" | sed 's/:...$//' )"
 
             echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\""
         done

From 0f3c162696c8c35afc155752f47af276c37b1acf Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 13:16:35 +0300
Subject: [PATCH 20/28] __acl: setting default ACL in FreeBSD and macOS is
 currently not supported

---
 cdist/conf/type/__acl/gencode-remote | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 08ba60ac..9cdcd3be 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -108,6 +108,13 @@ fi
 for acl in $acl_should
 do
     if ! echo "$acl_is" | grep -Eq "^$acl"
-    then echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
+    then
+        if echo "$os" | grep -Eq 'macosx|freebsd' \
+            && echo "$acl" | grep -Eq '^default:'
+        then
+            echo "setting default ACL in $os is currently not supported. sorry :(" >&2
+        else
+            echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
+        fi
     fi
 done
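Review bot: When a `default:` entry is requested on macosx or freebsd, the new branch only writes a message to stderr and the loop carries on. As far as this hunk shows, the script still ends with status 0, so the object looks applied although the default ACL was never set. For an access-control type it is safer to stop, e.g. `exit 1` right after the `echo … >&2`. The OS test also does not depend on `$acl`, so it could be made once before the loop rather than once per entry.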

From 86f45db1b9b5bf91ea55e5014e39b2437a06bc70 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 13:30:50 +0300
Subject: [PATCH 21/28] __acl: add nice oneliners and move default ACL decision
 out of the loop

---
 cdist/conf/type/__acl/gencode-remote | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 9cdcd3be..99c0f7f2 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -28,6 +28,13 @@ acl_is="$( cat "$__object/explorer/acl_is" )"
 
 acl_path="/$__object_id"
 
+if [ -f "$__object/parameter/default" ] && [ "$is_dir" = '1' ]
+then
+    set_default=1
+else
+    set_default=0
+fi
+
 acl_should="$( for parameter in user group mask other
 do
     if [ ! -f "$__object/parameter/$parameter" ]
@@ -39,30 +46,16 @@ do
     do
         if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X'
         then
-            if [ "$is_dir" = '1' ]
-            then
-                rep=x
-            else
-                rep=-
-            fi
+            [ "$is_dir" = '1' ] && rep=x || rep=-
 
             acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )"
         fi
 
-        if echo "$parameter" | grep -Eq '(mask|other)'
-        then
-            sep=::
-        else
-            sep=:
-        fi
+        echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
 
         echo "$parameter$sep$acl"
 
-        if [ -f "$__object/parameter/default" ] \
-            && [ "$is_dir" = '1' ]
-        then
-            echo "default:$parameter$sep$acl"
-        fi
+        [ "$set_default" = '1' ] && echo "default:$parameter$sep$acl"
     done \
         < "$__object/parameter/$parameter"
 done )"
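Review bot: `[ "$set_default" = '1' ] && echo "default:$parameter$sep$acl"` is now the last command of the `while` body, so when `set_default` is 0 the loop, and with it the `$( … )` substitution, can finish with status 1 if the last parameter processed (`other`) is present. If gencode-remote runs under `sh -e` like the explorers in this series (its shebang is outside the hunk), the `acl_should=` assignment would then abort the script before any code is generated. An `if` keeps the status at 0: `if [ "$set_default" = '1' ]; then echo "default:$parameter$sep$acl"; fi`. The two `&& … || …` one-liners above are safe only because their last command is an assignment.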

From 8729e39c215381e9bdffe6269cedfba85d0e0f85 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 13:48:24 +0300
Subject: [PATCH 22/28] __acl: combine two explorers into one

---
 .../__acl/explorer/{file_exists => file_is}   | 11 ++++++--
 cdist/conf/type/__acl/explorer/is_dir         | 26 -------------------
 cdist/conf/type/__acl/gencode-remote          | 10 +++----
 3 files changed, 14 insertions(+), 33 deletions(-)
 rename cdist/conf/type/__acl/explorer/{file_exists => file_is} (81%)
 delete mode 100755 cdist/conf/type/__acl/explorer/is_dir

diff --git a/cdist/conf/type/__acl/explorer/file_exists b/cdist/conf/type/__acl/explorer/file_is
similarity index 81%
rename from cdist/conf/type/__acl/explorer/file_exists
rename to cdist/conf/type/__acl/explorer/file_is
index 998d407c..096cffd1 100755
--- a/cdist/conf/type/__acl/explorer/file_exists
+++ b/cdist/conf/type/__acl/explorer/file_is
@@ -19,6 +19,13 @@
 #
 
 if [ -e "/$__object_id" ]
-then echo 1
-else echo 0
+then
+    if [ -d "/$__object_id" ]
+    then echo directory
+    elif [ -f "/$__object_id" ]
+    then echo regular
+    else echo other
+    fi
+else
+    echo missing
 fi
diff --git a/cdist/conf/type/__acl/explorer/is_dir b/cdist/conf/type/__acl/explorer/is_dir
deleted file mode 100755
index 7c4e2538..00000000
--- a/cdist/conf/type/__acl/explorer/is_dir
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh -e
-#
-# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-[ ! -e "/$__object_id" ] && exit 0
-
-if [ -d "/$__object_id" ]
-then echo 1
-else echo 0
-fi
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 99c0f7f2..5bb19aa8 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -18,17 +18,17 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-[ "$( cat "$__object/explorer/file_exists" )" = '0' ] && exit 0
+file_is="$( cat "$__object/explorer/file_is" )"
+
+[ "$file_is" = 'missing' ] && exit 0
 
 os="$( cat "$__global/explorer/os" )"
 
-is_dir="$( cat "$__object/explorer/is_dir" )"
-
 acl_is="$( cat "$__object/explorer/acl_is" )"
 
 acl_path="/$__object_id"
 
-if [ -f "$__object/parameter/default" ] && [ "$is_dir" = '1' ]
+if [ -f "$__object/parameter/default" ] && [ "$file_is" = 'directory' ]
 then
     set_default=1
 else
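Review bot: `[ "$file_is" = 'missing' ] && exit 0` still ends the script silently when the path does not exist, so a declared ACL is not applied in that run and nothing in the output says so. A warning on stderr before the exit would make the skipped object visible, for example `[ "$file_is" = 'missing' ] && { echo "/$__object_id is missing, ACL not applied" >&2; exit 0; }`. Whether this should be a hard failure instead depends on how the type is ordered against whatever creates the path, which is not visible here. The `if`/`else` at the end of this hunk continues outside it.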
@@ -46,7 +46,7 @@ do
     do
         if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X'
         then
-            [ "$is_dir" = '1' ] && rep=x || rep=-
+            [ "$file_is" = 'directory' ] && rep=x || rep=-
 
             acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )"
         fi

From 13df0a2a2b8ac2724821fc72369eaf9f4ca1fe66 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 14:11:29 +0300
Subject: [PATCH 23/28] __acl: update man

---
 cdist/conf/type/__acl/man.rst | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index b7e74d59..bc71a0cc 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@@ -3,14 +3,16 @@ cdist-type__acl(7)
 
 NAME
 ----
-cdist-type__acl - Basic wrapper around `setfacl`
+cdist-type__acl - Set ACL entries
 
 
 DESCRIPTION
 -----------
-ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`.
+ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
 
-See setfacl(1) and acl(5) for more details.
+Fully supported on Linux, partial support for FreeBSD, OSX and Solaris.
+
+See ``setfacl`` and ``acl`` manpages for more details.
 
 
 OPTIONAL MULTIPLE PARAMETERS
@@ -34,13 +36,14 @@ other
 BOOLEAN PARAMETERS
 ------------------
 recursive
-   Operate recursively (Linux only).
+   Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
 
 default
-   Add default ACL entries.
+   Add default ACL entries (FreeBSD not supported).
 
 remove
    Remove undefined ACL entries (Solaris not supported).
+   ACL entries for ``mask`` and ``other`` can't be removed.
 
 
 EXAMPLES

From 6d71ae342ad826aac73dd34d7334e7b4ef97bf41 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 14:47:16 +0300
Subject: [PATCH 24/28] __acl: update man more

---
 cdist/conf/type/__acl/man.rst | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index bc71a0cc..092eb555 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@@ -10,7 +10,11 @@ DESCRIPTION
 -----------
 ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
 
-Fully supported on Linux, partial support for FreeBSD, OSX and Solaris.
+Fully supported on Linux (tested on Debian and CentOS).
+
+Partial support for FreeBSD, OSX and Solaris.
+
+OpenBSD and NetBSD support is not possible.
 
 See ``setfacl`` and ``acl`` manpages for more details.
 

From 05225352aa7434ec35d2691420adb1f81923d4ec Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 14:48:26 +0300
Subject: [PATCH 25/28] __acl: check for missing users and groups (common
 mistake)

---
 .../type/__acl/explorer/missing_users_groups  | 47 +++++++++++++++++++
 cdist/conf/type/__acl/gencode-remote          |  8 ++++
 2 files changed, 55 insertions(+)
 create mode 100755 cdist/conf/type/__acl/explorer/missing_users_groups

diff --git a/cdist/conf/type/__acl/explorer/missing_users_groups b/cdist/conf/type/__acl/explorer/missing_users_groups
new file mode 100755
index 00000000..883fb84d
--- /dev/null
+++ b/cdist/conf/type/__acl/explorer/missing_users_groups
@@ -0,0 +1,47 @@
+#!/bin/sh -e
+#
+# 2019 Ander Punnar (ander-at-kvlt-dot-ee)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+[ ! -e "/$__object_id" ] && exit 0
+
+for parameter in user group
+do
+    if [ ! -f "$__object/parameter/$parameter" ]
+    then
+        continue
+    fi
+
+    while read -r acl
+    do
+		check="$( echo "$acl" | awk -F: '{print $1}' )"
+
+        if [ "$parameter" = 'user' ]
+        then
+            getent_db=passwd
+        else
+            getent_db="$parameter"
+        fi
+
+		if ! getent "$getent_db" "$check" > /dev/null
+		then
+			echo "missing $parameter '$check'"
+		fi
+    done \
+        < "$__object/parameter/$parameter"
+done
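Review bot: The `getent` call in the inner loop is not guarded, so on a target that has no `getent` (macOS does not ship one, as far as I know, and the man page in this series lists OSX as partially supported) the `if !` branch fires for every entry. Each user and group is then reported as missing and gencode-remote aborts with exit 1, although the accounts may exist. A guard near the top, such as `command -v getent > /dev/null 2>&1 || exit 0`, would skip the check where the lookup tool is absent. An empty line in the parameter file also reaches `getent` with an empty key and is reported as `missing user ''`; skipping lines where `$check` is empty would avoid that.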
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 5bb19aa8..3dd0aef6 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -22,6 +22,14 @@ file_is="$( cat "$__object/explorer/file_is" )"
 
 [ "$file_is" = 'missing' ] && exit 0
 
+missing_users_groups="$( cat "$__object/explorer/missing_users_groups" )"
+
+if [ -n "$missing_users_groups" ]
+then
+    echo "$missing_users_groups" >&2
+    exit 1
+fi
+
 os="$( cat "$__global/explorer/os" )"
 
 acl_is="$( cat "$__object/explorer/acl_is" )"

From c7e6109462eab6201ae4fee5bf1b9baa2d48314c Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 14:49:02 +0300
Subject: [PATCH 26/28] __acl: tabs vs spaces

---
 cdist/conf/type/__acl/explorer/missing_users_groups | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/cdist/conf/type/__acl/explorer/missing_users_groups b/cdist/conf/type/__acl/explorer/missing_users_groups
index 883fb84d..b4af614c 100755
--- a/cdist/conf/type/__acl/explorer/missing_users_groups
+++ b/cdist/conf/type/__acl/explorer/missing_users_groups
@@ -29,7 +29,7 @@ do
 
     while read -r acl
     do
-		check="$( echo "$acl" | awk -F: '{print $1}' )"
+        check="$( echo "$acl" | awk -F: '{print $1}' )"
 
         if [ "$parameter" = 'user' ]
         then
@@ -38,10 +38,10 @@ do
             getent_db="$parameter"
         fi
 
-		if ! getent "$getent_db" "$check" > /dev/null
-		then
-			echo "missing $parameter '$check'"
-		fi
+        if ! getent "$getent_db" "$check" > /dev/null
+        then
+            echo "missing $parameter '$check'"
+        fi
     done \
         < "$__object/parameter/$parameter"
 done

From 186ce77bb24ddb089b69a28c4c27dd1bfbbd1a71 Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 14:58:44 +0300
Subject: [PATCH 27/28] __acl: add messaging

---
 cdist/conf/type/__acl/gencode-remote | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index 3dd0aef6..c9583520 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -102,6 +102,7 @@ then
             no_bits="$( echo "$acl" | sed 's/:...$//' )"
 
             echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\""
+            echo "removed '$no_bits'" >> "$__messages_out"
         done
     fi
 fi
@@ -116,6 +117,7 @@ do
             echo "setting default ACL in $os is currently not supported. sorry :(" >&2
         else
             echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
+            echo "added '$acl'" >> "$__messages_out"
         fi
     fi
 done

From 108e46abee03eaca789eb43393aaccf9f699bf7a Mon Sep 17 00:00:00 2001
From: Ander Punnar <ander@kvlt.ee>
Date: Fri, 19 Apr 2019 15:04:18 +0300
Subject: [PATCH 28/28] __acl: fix removal in freebsd

---
 cdist/conf/type/__acl/gencode-remote | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index c9583520..a0f25a15 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@@ -99,10 +99,15 @@ then
             then continue
             fi
 
-            no_bits="$( echo "$acl" | sed 's/:...$//' )"
+            if echo "$os" | grep -Eq 'macosx|freebsd'
+            then
+                remove="$acl"
+            else
+                remove="$( echo "$acl" | sed 's/:...$//' )"
+            fi
 
-            echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\""
-            echo "removed '$no_bits'" >> "$__messages_out"
+            echo "$setfacl_exec -x \"$remove\" \"$acl_path\""
+            echo "removed '$remove'" >> "$__messages_out"
         done
     fi
 fi
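Review bot: The generated command on the new `echo "$setfacl_exec -x \"$remove\" \"$acl_path\""` line wraps `$remove` and `$acl_path` in double quotes, so when the emitted code runs on the target, a `$`, backtick, `"` or backslash in the object id or in the entry held by `$acl` is interpreted by the shell instead of being passed literally to setfacl. The object id comes from the manifest, so this is mostly a robustness matter. Emitting both values single-quoted, with any embedded `'` rewritten as `'\''`, would make the generated line safe for any path. The `-m` line visible as context in the previous patch's second hunk has the same form. The loop and the enclosing `if` start outside this hunk.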