Standardisation of acl role

README.md

@@ -23,9 +23,31 @@ ansible-galaxy install claranet.acl
 
 ## :gear: Role variables
 
-Variable | Default value | Description
----------|---------------|------------
-null     | **null**      | null       
+<table>
+<tr>
+<td><strong>Variable</strong></td> <td><strong>Default value</strong></td> <td><strong>Description</strong></td>
+</tr>
+<tr>
+<td> acl_config </td>
+<td>
+
+```yaml
+  - path: /etc/foo.conf
+    default: false           # can be omit
+    entity: "root"
+    etype: "user" 
+    follow: true             # can be omit
+    permissions: "rwx"
+    state: query
+    recursive: false         # can be omit
+```
+
+</td>
+
+<td>acl to set</td>
+</tr>
+
+</table>
 
 ## :arrows_counterclockwise: Dependencies
 
@@ -38,6 +60,13 @@ N/A
 - hosts: all
   roles:
     - claranet.acl
+  vars:
+  acl_config:
+    - name:        /etc/acl_directory
+      entity:      user01
+      etype:       user
+      permissions: "rw"
+      state:       present
 ```
 
 ## :closed_lock_with_key: [Hardening](HARDENING.md)

defaults/main.yml

@@ -1,2 +1,16 @@
 ---
-# defaults file for role
+# defaults file for acl
+
+# acl to set
+acl_config:
+  - path: /etc/foo.conf
+    default: false
+    entity: "root"
+    etype: "user"
+    follow: true
+    permissions: "rwx"
+    state: query
+    recursive: false
+
+# default package name
+acl_default_package_name: "acl"

molecule/default/converge.yml

@@ -1,5 +1,34 @@
 ---
 - name: Converge
   hosts: all
+  become: true
+
+  vars:
+    acl_config:
+      - path: /etc/acl_directory
+        entity: user01
+        etype: group
+        permissions: "rwx"
+        state: present
+
+  pre_tasks:
+    - name: Add users
+      ansible.builtin.user:
+        name: user01
+        shell: /bin/bash
+
+    - name: "Check if files exists"
+      ansible.builtin.stat:
+        path: "/etc/acl_directory"
+        get_attributes: false
+      register: _acl_check_files_exists
+
+    - name: Create a directory to test
+      ansible.builtin.file:
+        path: "/etc/acl_directory"
+        state: directory
+        mode: '0745'
+      when: not _acl_check_files_exists.stat.exists
+
   roles:
     - role: claranet.acl

molecule/default/molecule.yml

@@ -8,8 +8,8 @@ driver:
 platforms:
   # On "${name:-${image:-debian}", the last brace does not miss, it works like that...
   # The env var should be used when the image variable refers to a full registry path like registry.access.redhat.com/ubi8/ubi
-  - name: claranet_acl_${name:-${image:-debian}-${tag:-latest}-${scenario:-default}
-    image: ${image:-debian}:${tag:-latest}
+  - name: claranet_acl_debian_latest_default
+    image: debian:latest
     privileged: true
     tty: true
     volumes:
@@ -24,6 +24,7 @@ platforms:
 
 provisioner:
   name: ansible
+  log: true
   env:
     ANSIBLE_FORCE_COLOR: "true"
   options:

molecule/default/tests/test_default.py

@@ -2,13 +2,23 @@
 
 import os
 import stat
+
 import testinfra.utils.ansible_runner
 
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ["MOLECULE_INVENTORY_FILE"]
 ).get_hosts("all")
 
 
-def test_shell(host):
-    command = host.run("sh --version")
-    assert command.rc == 0
+def test_acl_is_installed(host):
+    _acl_package = host.package("acl")
+    assert _acl_package.is_installed
+
+
+def test_directory_exists_and_mode_has_changed(host):
+    """Validate acl directory."""
+    _directory_controlled_by_acl = host.file("/etc/acl_directory")
+
+    assert _directory_controlled_by_acl.exists
+    assert _directory_controlled_by_acl.is_directory
+    assert _directory_controlled_by_acl.mode == 0o775

tasks/amazonlinux.yml

@@ -0,0 +1,7 @@
+---
+# tasks file for REDHAT
+- name: Installing required packages
+  ansible.builtin.yum:
+    name: "{{ acl_default_package_name }}"
+    update_cache: true
+    state: present

tasks/debian.yml

@@ -0,0 +1,8 @@
+---
+# tasks file for DEBIAN
+- name: Installing required packages
+  ansible.builtin.apt:
+    name: "{{ acl_default_package_name }}"
+    update_cache: true
+    force_apt_get: true
+    state: present

tasks/main.yml

@@ -1,4 +1,5 @@
 ---
+# tasks file for acl
 - name: Gather OS specific variables
   ansible.builtin.include_vars: "{{ loop_vars }}"
   loop: "{{ query('ansible.builtin.first_found', params) }}"
@@ -16,3 +17,36 @@
       skip: true
   loop_control:
     loop_var: loop_vars
+
+- name: include distribution tasks
+  ansible.builtin.include_tasks: "{{ loop_distribution }}"
+  with_first_found:
+    - files:
+        - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml"
+        - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml"
+        - "{{ ansible_distribution | lower }}.yml"
+        - "{{ ansible_os_family | lower }}.yml"
+        - "{{ ansible_system | lower }}.yml"
+  loop_control:
+    loop_var: loop_distribution
+  tags:
+    - configuration
+    - packages
+
+- name: Debug
+  ansible.builtin.debug:
+    var: acl_config
+
+- name: Setup ACL information.
+  ansible.posix.acl:
+    path: "{{ item.path }}"
+    default: "{{ item.default | default(omit) }}"
+    entity: "{{ item.entity }}"
+    etype: "{{ item.etype }}"
+    follow: "{{ item.follow | default(omit) }}"
+    permissions: "{{ item.permissions }}"
+    state: "{{ item.state }}"
+    recursive: "{{ item.recursive | default(omit) }}"
+  loop: "{{ acl_config }}"
+  loop_control:
+    label: "{{ item.path }}"

tasks/redhat.yml

@@ -0,0 +1,7 @@
+---
+# tasks file for REDHAT
+- name: Installing required packages
+  ansible.builtin.yum:
+    name: "{{ acl_default_package_name }}"
+    update_cache: true
+    state: present

tasks/ubuntu.yml

@@ -0,0 +1,8 @@
+---
+# tasks file for DEBIAN
+- name: Installing required packages
+  ansible.builtin.apt:
+    name: "{{ acl_default_package_name }}"
+    update_cache: true
+    force_apt_get: true
+    state: present