--- /dev/null
+Puppet::Type.type(:posix_acl).provide(:posixacl, parent: Puppet::Provider) do
+ desc 'Provide posix 1e acl functions using posix getfacl/setfacl commands'
+
+ commands setfacl: '/usr/bin/setfacl'
+ commands getfacl: '/usr/bin/getfacl'
+
+ confine feature: :posix
+ defaultfor operatingsystem: [:debian, :ubuntu, :redhat, :centos, :fedora, :sles]
+
+ def exists?
+ permission
+ end
+
+ def unset_perm(perm, path)
+ # Don't try to unset mode bits, it doesn't make sense!
+ return if perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):}
+
+ perm = perm.split(':')[0..-2].join(':')
+ if check_recursive
+ setfacl('-R', '-n', '-x', perm, path)
+ else
+ setfacl('-n', '-x', perm, path)
+ end
+ end
+
+ def set_perm(perm, path)
+ if check_recursive
+ setfacl('-R', '-n', '-m', perm, path)
+ else
+ setfacl('-n', '-m', perm, path)
+ end
+ end
+
+ def unset
+ @resource.value(:permission).each do |perm|
+ unset_perm(perm, @resource.value(:path))
+ end
+ end
+
+ def purge
+ if check_recursive
+ setfacl('-R', '-b', @resource.value(:path))
+ else
+ setfacl('-b', @resource.value(:path))
+ end
+ end
+
+ def permission
+ return [] unless File.exist?(@resource.value(:path))
+ value = []
+ # String#lines would be nice, but we need to support Ruby 1.8.5
+ getfacl('--absolute-names', '--no-effective', @resource.value(:path)).split("\n").each do |line|
+ # Strip comments and blank lines
+ value << line.gsub('\040', ' ') if line !~ %r{^#} && line != ''
+ end
+ value.sort
+ end
+
+ def check_recursive
+ # Changed functionality to return boolean true or false
+ @resource.value(:recursive) == :true && resource.value(:recursemode) == :lazy
+ end
+
+ def check_exact
+ @resource.value(:action) == :exact
+ end
+
+ def check_unset
+ @resource.value(:action) == :unset
+ end
+
+ def check_purge
+ @resource.value(:action) == :purge
+ end
+
+ def check_set
+ @resource.value(:action) == :set
+ end
+
+ def permission=(_value) # TODO: Investigate why we're not using this parameter
+ Puppet.debug @resource.value(:action)
+ case @resource.value(:action)
+ when :unset
+ unset
+ when :purge
+ purge
+ when :exact, :set
+ cur_perm = permission
+ perm_to_set = @resource.value(:permission) - cur_perm
+ perm_to_unset = cur_perm - @resource.value(:permission)
+ return false if perm_to_set.empty? && perm_to_unset.empty?
+ # Take supplied perms literally, unset any existing perms which
+ # are absent from ACLs given
+ if check_exact
+ perm_to_unset.each do |perm|
+ # Skip base perms in unset step
+ if perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):}
+ Puppet.debug "skipping unset of base perm: #{perm}"
+ else
+ unset_perm(perm, @resource.value(:path))
+ end
+ end
+ end
+ perm_to_set.each do |perm|
+ set_perm(perm, @resource.value(:path))
+ end
+ end
+ end
+end
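Review bot: The recursive calls in `unset_perm`, `set_perm` and `purge` run `setfacl -R` with its default walk, which follows a symbolic link given as the path argument, and none of the setfacl calls end option parsing before the path. If this provider runs with elevated privileges on a tree that a less-privileged user can write to (an assumption; the type's path validation is not in this hunk), a swapped-in symlink could redirect the ACL change to a different tree. Consider making the walk explicit and terminating options, e.g. `setfacl('-R', '-P', '-n', '-m', perm, '--', path)`, noting that `-P` also skips a symlinked path argument, so that behaviour change should be documented. Separately, the base-entry regex is duplicated in `unset_perm` and `permission=`; a shared constant anchored with `\A` instead of `^` would keep the two checks from drifting apart.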