authorHans-Joachim Kliemeck <git@kliemeck.de>2015-10-21 22:43:42 +0200
committerHans-Joachim Kliemeck <git@kliemeck.de>2015-10-21 22:43:42 +0200
commitb03c7ebfa12c8b2b4877745e20aa286c9e4aa126 (patch)
tree43210aed99e2633bf61b20a95df3288cc050098a
parent8de49a5deaa2827407183e8680007e922c19b5d6 (diff)
downloadansible-modules-extras-b03c7ebfa12c8b2b4877745e20aa286c9e4aa126.tar.gz
introduced state to differentiate between enabled/disabled inheritance. renamed copy to reorganize, since the meaning for inheritance=enabled is different
-rw-r--r--windows/win_acl_inheritance.ps144
-rw-r--r--windows/win_acl_inheritance.py33
2 files changed, 59 insertions, 18 deletions
diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1
index 674180e3..35b6809d 100644
--- a/windows/win_acl_inheritance.ps1
+++ b/windows/win_acl_inheritance.ps1
@@ -26,7 +26,8 @@ $result = New-Object PSObject;
Set-Attr $result "changed" $false;
$path = Get-Attr $params "path" -failifempty $true
-$copy = Get-Attr $params "copy" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool
+$state = Get-Attr $params "state" "absent" -validateSet "present","absent" -resultobj $result
+$reorganize = Get-Attr $params "reorganize" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool
If (-Not (Test-Path -Path $path)) {
Fail-Json $result "$path file or directory does not exist on the host"
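Review bot: `copy` is dropped here with no fallback, and nothing visible in this hunk rejects an existing play that still passes `copy: yes`. If Get-Attr ignores unknown keys (its definition is not shown here), such a play would run with `reorganize` at its default `no`, so the inherited ACEs would no longer be copied and access to the path would change without any error. Failing loudly is safer, for example `If ((Get-Attr $params "copy" $null) -ne $null) { Fail-Json $result "copy was renamed to reorganize" }`.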
@@ -34,19 +35,44 @@ If (-Not (Test-Path -Path $path)) {
Try {
$objACL = Get-ACL $path
- $alreadyDisabled = !$objACL.AreAccessRulesProtected
+ $inheritanceEnabled = !$objACL.AreAccessRulesProtected
- If ($copy) {
- $objACL.SetAccessRuleProtection($True, $True)
- } Else {
- $objACL.SetAccessRuleProtection($True, $False)
- }
+ If (($state -eq "present") -And !$inheritanceEnabled) {
+ If ($reorganize) {
+ $objACL.SetAccessRuleProtection($True, $True)
+ } Else {
+ $objACL.SetAccessRuleProtection($True, $False)
+ }
- If ($alreadyDisabled) {
+ Set-ACL $path $objACL
Set-Attr $result "changed" $true;
}
+ Elseif (($state -eq "absent") -And $inheritanceEnabled) {
+ # second parameter is ignored if first=$False
+ $objACL.SetAccessRuleProtection($False, $False)
+
+ If ($reorganize) {
+ # convert explicit ACE to inherited ACE
+ ForEach($inheritedRule in $objACL.Access) {
+ If (!$inheritedRule.IsInherited) {
+ Continue
+ }
+
+ ForEach($explicitRrule in $objACL.Access) {
+ If ($inheritedRule.IsInherited) {
+ Continue
+ }
- Set-ACL $path $objACL
+ If (($inheritedRule.FileSystemRights -eq $explicitRrule.FileSystemRights) -And ($inheritedRule.AccessControlType -eq $explicitRrule.AccessControlType) -And ($inheritedRule.IdentityReference -eq $explicitRrule.IdentityReference) -And ($inheritedRule.InheritanceFlags -eq $explicitRrule.InheritanceFlags) -And ($inheritedRule.PropagationFlags -eq $explicitRrule.PropagationFlags)) {
+ $objACL.RemoveAccessRule($explicitRrule)
+ }
+ }
+ }
+ }
+
+ Set-ACL $path $objACL
+ Set-Attr $result "changed" $true;
+ }
}
Catch {
Fail-Json $result "an error occured when attempting to disable inheritance"
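Review bot: The two branch conditions look swapped relative to their bodies: the `present` branch (documented as enabling inheritance) runs only when inheritance is already off and calls `SetAccessRuleProtection($True, …)`, which protects the ACL, while the `absent` branch calls `SetAccessRuleProtection($False, $False)` on an ACL that already inherits. As written, neither state changes inheritance, yet both report `changed`, so a play meant to cut a path off from its parent's ACEs leaves it inheriting them. Swapping the tests fixes it: `If (($state -eq "absent") -And $inheritanceEnabled) {` and `Elseif (($state -eq "present") -And !$inheritanceEnabled) {`. Separately, the inner loop's guard tests `$inheritedRule.IsInherited`, which is always true at that point, so `RemoveAccessRule` is never reached; it should read `If ($explicitRrule.IsInherited) {`. The Try/Catch block continues outside the hunk, and its message still says "disable" although the module now also enables inheritance.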
diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py
index d5547349..6c03b9c7 100644
--- a/windows/win_acl_inheritance.py
+++ b/windows/win_acl_inheritance.py
@@ -25,17 +25,25 @@ DOCUMENTATION = '''
---
module: win_acl_inheritance
version_added: "2.0"
-short_description: Disable ACL inheritance
+short_description: Change ACL inheritance
description:
- - Disable ACL (Access Control List) inheritance and optionally converts ACE (Access Control Entry) to dedicated ACE
+ - Change ACL (Access Control List) inheritance and optionally copy inherited ACE's (Access Control Entry) to dedicated ACE's or vice versa.
options:
path:
description:
- - Path to be used for disabling
+ - Path to be used for changing inheritance
required: true
- copy:
+ state:
description:
- - Indicates if the inherited ACE should be copied to dedicated ACE
+ - Specify whether to enable I(present) or disable I(absent) ACL inheritance
+ required: false
+ choices:
+ - present
+ - absent
+ default: absent
+ reorganize:
+ description:
+ - For P(state) = I(absent), indicates if the inherited ACE's should be copied. For P(state) = I(present), indicates if the inherited ACE's should be simplified.
required: false
choices:
- no
@@ -47,13 +55,20 @@ author: Hans-Joachim Kliemeck (@h0nIg)
EXAMPLES = '''
# Playbook example
---
-- name: Disable and copy
+- name: Disable inherited ACE's
+ win_acl_inheritance:
+ path: 'C:\\apache\\'
+ state: absent
+
+- name: Disable and copy inherited ACE's
win_acl_inheritance:
path: 'C:\\apache\\'
- copy: yes
+ state: absent
+ reorganize: yes
-- name: Disable
+- name: Enable and remove dedicated ACE's
win_acl_inheritance:
path: 'C:\\apache\\'
- copy: no
+ state: present
+ reorganize: yes
'''