authorMatt Davis <nitzmahone@users.noreply.github.com>2016-04-26 09:45:42 -0700
committerMatt Davis <nitzmahone@users.noreply.github.com>2016-04-26 09:45:42 -0700
commitd9caac037cf10f0abaeff1430605387ab011d54f (patch)
tree831d7b90b62355b32d71919d56257366ecc84a76
parent470460acfcdc6198325919739287a486ce461408 (diff)
parent2ce5b4c5261f1559a55bff0b35d107d52d83d01a (diff)
downloadansible-modules-extras-d9caac037cf10f0abaeff1430605387ab011d54f.tar.gz
Merge pull request #1119 from h0nIg/devel_acl_inheritance
win_acl_inheritance
-rw-r--r--windows/win_acl_inheritance.ps186
-rw-r--r--windows/win_acl_inheritance.py79
2 files changed, 165 insertions, 0 deletions
diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1
new file mode 100644
index 00000000..1933a3a5
--- /dev/null
+++ b/windows/win_acl_inheritance.ps1
@@ -0,0 +1,86 @@
+#!powershell
+# This file is part of Ansible
+#
+# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
+
+# WANT_JSON
+# POWERSHELL_COMMON
+
+
+$params = Parse-Args $args;
+
+$result = New-Object PSObject;
+Set-Attr $result "changed" $false;
+
+$path = Get-Attr $params "path" -failifempty $true
+$state = Get-Attr $params "state" "absent" -validateSet "present","absent" -resultobj $result
+$reorganize = Get-Attr $params "reorganize" "no" -validateSet "no","yes" -resultobj $result
+$reorganize = $reorganize | ConvertTo-Bool
+
+If (-Not (Test-Path -Path $path)) {
+ Fail-Json $result "$path file or directory does not exist on the host"
+}
+
+Try {
+ $objACL = Get-ACL $path
+ $inheritanceEnabled = !$objACL.AreAccessRulesProtected
+
+ If (($state -eq "present") -And !$inheritanceEnabled) {
+ # second parameter is ignored if first=$False
+ $objACL.SetAccessRuleProtection($False, $False)
+
+ If ($reorganize) {
+ # it wont work without intermediate save, state would be the same
+ Set-ACL $path $objACL
+ $objACL = Get-ACL $path
+
+ # convert explicit ACE to inherited ACE
+ ForEach($inheritedRule in $objACL.Access) {
+ If (!$inheritedRule.IsInherited) {
+ Continue
+ }
+
+ ForEach($explicitRrule in $objACL.Access) {
+ If ($explicitRrule.IsInherited) {
+ Continue
+ }
+
+ If (($inheritedRule.FileSystemRights -eq $explicitRrule.FileSystemRights) -And ($inheritedRule.AccessControlType -eq $explicitRrule.AccessControlType) -And ($inheritedRule.IdentityReference -eq $explicitRrule.IdentityReference) -And ($inheritedRule.InheritanceFlags -eq $explicitRrule.InheritanceFlags) -And ($inheritedRule.PropagationFlags -eq $explicitRrule.PropagationFlags)) {
+ $objACL.RemoveAccessRule($explicitRrule)
+ }
+ }
+ }
+ }
+
+ Set-ACL $path $objACL
+ Set-Attr $result "changed" $true;
+ }
+ Elseif (($state -eq "absent") -And $inheritanceEnabled) {
+ If ($reorganize) {
+ $objACL.SetAccessRuleProtection($True, $True)
+ } Else {
+ $objACL.SetAccessRuleProtection($True, $False)
+ }
+
+ Set-ACL $path $objACL
+ Set-Attr $result "changed" $true;
+ }
+}
+Catch {
+ Fail-Json $result "an error occured when attempting to disable inheritance"
+}
+
+Exit-Json $result
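Review bot: The `Catch` block that closes the `Try` discards the caught exception and always reports "an error occured when attempting to disable inheritance", even when the failing branch is `state=present`, which enables inheritance. An operator therefore cannot tell an access-denied on `Set-ACL` from any other failure, or which direction was attempted. I would pass the cause through, for example `Fail-Json $result "an error occurred when changing ACL inheritance on ${path}: $($_.Exception.Message)"`. Separately, `Test-Path -Path $path`, `Get-ACL $path` and `Set-ACL $path` treat `[`, `]`, `*` and `?` in the path as wildcards, so such a path may resolve to a different object or to several. Using `-LiteralPath` on all three looks safer, assuming the minimum supported PowerShell version provides it.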
diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py
new file mode 100644
index 00000000..a4bb90a4
--- /dev/null
+++ b/windows/win_acl_inheritance.py
@@ -0,0 +1,79 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright 2015, Hans-Joachim Kliemeck <git@kliemeck.de>
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
+
+# this is a windows documentation stub. actual code lives in the .ps1
+# file of the same name
+
+DOCUMENTATION = '''
+---
+module: win_acl_inheritance
+version_added: "2.1"
+short_description: Change ACL inheritance
+description:
+ - Change ACL (Access Control List) inheritance and optionally copy inherited ACE's (Access Control Entry) to dedicated ACE's or vice versa.
+options:
+ path:
+ description:
+ - Path to be used for changing inheritance
+ required: true
+ state:
+ description:
+ - Specify whether to enable I(present) or disable I(absent) ACL inheritance
+ required: false
+ choices:
+ - present
+ - absent
+ default: absent
+ reorganize:
+ description:
+ - For P(state) = I(absent), indicates if the inherited ACE's should be copied from the parent directory. This is necessary (in combination with removal) for a simple ACL instead of using multiple ACE deny entries.
+ - For P(state) = I(present), indicates if the inherited ACE's should be deduplicated compared to the parent directory. This removes complexity of the ACL structure.
+ required: false
+ choices:
+ - no
+ - yes
+ default: no
+author: Hans-Joachim Kliemeck (@h0nIg)
+'''
+
+EXAMPLES = '''
+# Playbook example
+---
+- name: Disable inherited ACE's
+ win_acl_inheritance:
+ path: 'C:\\apache\\'
+ state: absent
+
+- name: Disable and copy inherited ACE's
+ win_acl_inheritance:
+ path: 'C:\\apache\\'
+ state: absent
+ reorganize: yes
+
+- name: Enable and remove dedicated ACE's
+ win_acl_inheritance:
+ path: 'C:\\apache\\'
+ state: present
+ reorganize: yes
+'''
+
+RETURN = '''
+
+''' \ No newline at end of file
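Review bot: The `state` and `reorganize` descriptions do not say what happens to access under the defaults. `state: absent` with `reorganize: no` reaches `SetAccessRuleProtection($True, $False)` in the .ps1, which, as far as I can tell from the .NET API, drops the inherited ACEs rather than copying them. On a path with no explicit ACEs this would leave an empty ACL, so the first example ("Disable inherited ACE's") can remove all access to the directory. I would add a line to the `reorganize` description such as `- With I(no) and P(state) = I(absent), inherited ACE's are removed, not copied; make sure explicit ACE's exist first.` The empty `RETURN` block should also be filled in or dropped.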