From 91a6ecc70173638aae928ddadabd93d9d46f097e Mon Sep 17 00:00:00 2001
From: Ander Punnar
Date: Thu, 30 May 2019 23:04:46 +0300
Subject: [PATCH] __acl: rewrite
---
cdist/conf/type/__acl/explorer/checks | 32 ++++------
cdist/conf/type/__acl/gencode-remote | 54 ++++++++---------
cdist/conf/type/__acl/man.rst | 59 ++++++++++---------
cdist/conf/type/__acl/parameter/optional | 2 -
.../type/__acl/parameter/optional_multiple | 2 -
.../type/__acl/parameter/required_multiple | 1 +
6 files changed, 66 insertions(+), 84 deletions(-)
delete mode 100644 cdist/conf/type/__acl/parameter/optional
delete mode 100644 cdist/conf/type/__acl/parameter/optional_multiple
create mode 100644 cdist/conf/type/__acl/parameter/required_multiple
diff --git a/cdist/conf/type/__acl/explorer/checks b/cdist/conf/type/__acl/explorer/checks
index a2fcf44d..5b379a08 100755
--- a/cdist/conf/type/__acl/explorer/checks
+++ b/cdist/conf/type/__acl/explorer/checks
@@ -20,29 +20,17 @@
# TODO check if filesystem has ACL turned on etc
-for parameter in user group
+grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
+| while read -r acl
do
- if [ ! -f "$__object/parameter/$parameter" ]
+ param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
+ check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
+
+ [ "$param" = 'user' ] && db=passwd || db="$param"
+
+ if ! getent "$db" "$check" > /dev/null
then
- continue
+ echo "missing $param '$check'" >&2
+ exit 1
fi
-
- while read -r acl
- do
- check="$( echo "$acl" | awk -F: '{print $1}' )"
-
- if [ "$parameter" = 'user' ]
- then
- getent_db=passwd
- else
- getent_db="$parameter"
- fi
-
- if ! getent "$getent_db" "$check" > /dev/null
- then
- echo "missing $parameter '$check'" >&2
- exit 1
- fi
- done \
- < "$__object/parameter/$parameter"
done
diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote
index f5b0474f..3c7085f0 100755
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
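Review bot: Entries with an empty name field — `user::rwx` or `group::r-x` for the file owner and owning group, which are valid in the getfacl output syntax the man page now documents — appear to be rejected by this loop: `$(NF-1)` yields an empty `check`, `getent passwd ""` returns non-zero, and the explorer exits with `missing user ''`. Skip the database lookup for those entries, e.g. `[ -n "$check" ] || continue` immediately before the `getent` call, so that only named principals are verified to exist on the target. Note also that the `exit 1` runs inside the subshell of the pipeline's `while` stage; because that stage is last and the pipeline seems to be the script's final command, its status becomes the explorer's exit status — a one-line comment saying so would spare the next reader that check.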
@@ -24,41 +24,35 @@ file_is="$( cat "$__object/explorer/file_is" )"
os="$( cat "$__global/explorer/os" )"
-acl_is="$( cat "$__object/explorer/acl_is" )"
-
acl_path="/$__object_id"
-if [ -f "$__object/parameter/default" ] && [ "$file_is" = 'directory' ]
+acl_is="$( cat "$__object/explorer/acl_is" )"
+
+acl_should="$( cat "$__object/parameter/acl" )"
+
+if [ -f "$__object/parameter/default" ]
then
- set_default=1
-else
- set_default=0
+ acl_should="$( echo "$acl_should" \
+ | sed 's/^default://' \
+ | sort -u \
+ | sed 's/\(.*\)/default:\1\n\1/' )"
fi
-acl_should="$( for parameter in user group mask other
-do
- if [ ! -f "$__object/parameter/$parameter" ]
- then
- continue
- fi
+if [ "$file_is" = 'regular' ] \
+ && echo "$acl_should" | grep -Eq '^default:'
+then
+ # only directories can have default ACLs,
+ # but instead of error,
+ # let's just remove default entries
+ acl_should="$( echo "$acl_should" | grep -Ev '^default:' )"
+fi
- while read -r acl
- do
- if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X'
- then
- [ "$file_is" = 'directory' ] && rep=x || rep=-
+if echo "$acl_should" | awk -F: '{ print $NF }' | grep -Fq 'X'
+then
+ [ "$file_is" = 'directory' ] && rep=x || rep=-
- acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )"
- fi
-
- echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
-
- echo "$parameter$sep$acl"
-
- [ "$set_default" = '1' ] && echo "default:$parameter$sep$acl"
- done \
- < "$__object/parameter/$parameter"
-done )"
+ acl_should="$( echo "$acl_should" | sed "s/\\(.*\\)X/\\1$rep/" )"
+fi
setfacl_exec='setfacl'
@@ -76,7 +70,7 @@ if [ -f "$__object/parameter/remove" ]
then
echo "$acl_is" | while read -r acl
do
- # Skip wanted ACL entries which already exist
+ # skip wanted ACL entries which already exist
# and skip mask and other entries, because we
# can't actually remove them, but only change.
if echo "$acl_should" | grep -Eq "^$acl" \
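Review bot: The default-entry filter keys on `[ "$file_is" = 'regular' ]`, so for a non-directory that is not a regular file (symlink, fifo, device) the `default:` entries survive and the generated `setfacl -m` will fail on the target; since, as the comment itself says, only directories can carry default ACLs, test that directly with `if [ "$file_is" != 'directory' ] \`. Two further caveats on the same hunk: `sed 's/\(.*\)/default:\1\n\1/'` relies on GNU sed treating `\n` in the replacement as a newline, which BSD/macOS sed does not, so on such a cdist host the `--default` expansion would emit a literal `n` — `awk '{print "default:" $0; print}'` after the `sort -u` is the portable form. And `sed "s/\\(.*\\)X/\\1$rep/"` rewrites the last `X` anywhere in a line, which can hit an uppercase X in a user or group name; anchoring on the permission field, `sed "s/X\$/$rep/"`, touches only the execute bit. The X rewrite was inherited from the old per-entry loop, but it now runs over the whole `acl_should` block at once, so a stray match affects every line.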
@@ -103,7 +97,7 @@ do
if echo "$os" | grep -Fq 'freebsd' \
&& echo "$acl" | grep -Eq '^default:'
then
- echo "setting default ACL in $os is currently not supported. sorry :(" >&2
+ echo "setting default ACL in $os is currently not supported" >&2
else
echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
echo "added '$acl'" >> "$__messages_out"
diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst
index d066aae5..a71e0d3c 100644
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@@ -8,42 +8,30 @@ cdist-type__acl - Set ACL entries
DESCRIPTION
-----------
-ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
-
Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD. See ``setfacl`` and ``acl`` manpages for more details.
-OPTIONAL MULTIPLE PARAMETERS
+REQUIRED MULTIPLE PARAMETERS
----------------------------
-user
- Add user ACL entry.
-
-group
- Add group ACL entry.
-
-
-OPTIONAL PARAMETERS
-------------------
-mask
- Add mask ACL entry.
-
-other
- Add other ACL entry.
+acl
+ Set ACL entry following ``getfacl`` output syntax.
BOOLEAN PARAMETERS
------------------
+default
+ Set all ACL entries as default too.
+ Only directories can have default ACLs.
+ Setting default ACL in FreeBSD is currently not supported.
+
recursive
Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
-default
- Add default ACL entries (FreeBSD not supported).
-
remove
- Remove undefined ACL entries (Solaris not supported).
- ACL entries for ``mask`` and ``other`` can't be removed.
+ Remove undefined ACL entries.
+ ``mask`` and ``other`` entries can't be removed, but only changed.
EXAMPLES
@@ -52,15 +40,30 @@ EXAMPLES
.. code-block:: sh
__acl /srv/project \
+ --default \
--recursive \
+ --remove \
+ --acl user:alice:rwx \
+ --acl user:bob:r-x \
+ --acl group:project-group:rwx \
+ --acl group:some-other-group:r-x \
+ --acl mask::r-x \
+ --acl other::r-x
+
+ # give Alice read-only access to subdir,
+ # but don't allow her to see parent content.
+
+ __acl /srv/project2 \
+ --remove \
+ --acl default:group:secret-project:rwx \
+ --acl group:secret-project:rwx \
+ --acl user:alice:--x
+
+ __acl /srv/project2/subdir \
--default \
--remove \
- --user alice:rwx \
- --user bob:r-x \
- --group project-group:rwx \
- --group some-other-group:r-x \
- --mask r-x \
- --other r-x
+ --acl group:secret-project:rwx \
+ --acl user:alice:r-x
AUTHORS
diff --git a/cdist/conf/type/__acl/parameter/optional b/cdist/conf/type/__acl/parameter/optional
deleted file mode 100644
index 4b32086b..00000000
--- a/cdist/conf/type/__acl/parameter/optional
+++ /dev/null
@@ -1,2 +0,0 @@
-mask
-other
diff --git a/cdist/conf/type/__acl/parameter/optional_multiple b/cdist/conf/type/__acl/parameter/optional_multiple
deleted file mode 100644
index 22f5a52c..00000000
--- a/cdist/conf/type/__acl/parameter/optional_multiple
+++ /dev/null
@@ -1,2 +0,0 @@
-user
-group
diff --git a/cdist/conf/type/__acl/parameter/required_multiple b/cdist/conf/type/__acl/parameter/required_multiple
new file mode 100644
index 00000000..39fead3b
--- /dev/null
+++ b/cdist/conf/type/__acl/parameter/required_multiple
@@ -0,0 +1 @@
+acl