From b03c7ebfa12c8b2b4877745e20aa286c9e4aa126 Mon Sep 17 00:00:00 2001
From: Hans-Joachim Kliemeck
Date: Wed, 21 Oct 2015 22:43:42 +0200
Subject: introduced state to differentiate between enabled/disabled inheritance. renamed copy to reorganize, since the meaning for inheritance=enabled is different

---
 windows/win_acl_inheritance.ps1 | 44 ++++++++++++++++++++++++++++++++---------
 windows/win_acl_inheritance.py  | 33 ++++++++++++++++++++++---------
 2 files changed, 59 insertions(+), 18 deletions(-)

diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1
index 674180e3..35b6809d 100644
--- a/windows/win_acl_inheritance.ps1
+++ b/windows/win_acl_inheritance.ps1
@@ -26,7 +26,8 @@ $result = New-Object PSObject;
 Set-Attr $result "changed" $false;
 $path = Get-Attr $params "path" -failifempty $true
-$copy = Get-Attr $params "copy" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool
+$state = Get-Attr $params "state" "absent" -validateSet "present","absent" -resultobj $result
+$reorganize = Get-Attr $params "reorganize" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool
 If (-Not (Test-Path -Path $path)) {
     Fail-Json $result "$path file or directory does not exist on the host"
@@ -34,19 +35,44 @@ If (-Not (Test-Path -Path $path)) {
 Try {
     $objACL = Get-ACL $path
-    $alreadyDisabled = !$objACL.AreAccessRulesProtected
+    $inheritanceEnabled = !$objACL.AreAccessRulesProtected
-    If ($copy) {
-        $objACL.SetAccessRuleProtection($True, $True)
-    } Else {
-        $objACL.SetAccessRuleProtection($True, $False)
-    }
+    If (($state -eq "present") -And !$inheritanceEnabled) {
+        If ($reorganize) {
+            $objACL.SetAccessRuleProtection($True, $True)
+        } Else {
+            $objACL.SetAccessRuleProtection($True, $False)
+        }
-    If ($alreadyDisabled) {
+        Set-ACL $path $objACL
         Set-Attr $result "changed" $true;
     }
+    Elseif (($state -eq "absent") -And $inheritanceEnabled) {
+        # second parameter is ignored if first=$False
+        $objACL.SetAccessRuleProtection($False, $False)
+
+        If ($reorganize) {
+            # convert explicit ACE to inherited ACE
+            ForEach($inheritedRule in $objACL.Access) {
+                If (!$inheritedRule.IsInherited) {
+                    Continue
+                }
+
+                ForEach($explicitRrule in $objACL.Access) {
+                    If ($inheritedRule.IsInherited) {
+                        Continue
+                    }
-    Set-ACL $path $objACL
+                    If (($inheritedRule.FileSystemRights -eq $explicitRrule.FileSystemRights) -And ($inheritedRule.AccessControlType -eq $explicitRrule.AccessControlType) -And ($inheritedRule.IdentityReference -eq $explicitRrule.IdentityReference) -And ($inheritedRule.InheritanceFlags -eq $explicitRrule.InheritanceFlags) -And ($inheritedRule.PropagationFlags -eq $explicitRrule.PropagationFlags)) {
+                        $objACL.RemoveAccessRule($explicitRrule)
+                    }
+                }
+            }
+        }
+
+        Set-ACL $path $objACL
+        Set-Attr $result "changed" $true;
+    }
 } Catch {
     Fail-Json $result "an error occured when attempting to disable inheritance"
diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py
index d5547349..6c03b9c7 100644
--- a/windows/win_acl_inheritance.py
+++ b/windows/win_acl_inheritance.py
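Review bot: The two new branches apply the opposite protection to what `state` is documented to mean: the `present` branch runs when inheritance is currently off and calls `SetAccessRuleProtection($True, …)`, which keeps the ACL protected, while the `absent` branch runs when inheritance is on and calls `SetAccessRuleProtection($False, $False)`, which leaves it on — so with the default `state: absent` inheritance is never actually cut, yet `changed` is reported as true and a playbook that relies on this to harden a directory silently gets nothing. The de-duplication loop has a second defect: the inner `ForEach` tests `$inheritedRule.IsInherited` instead of `$explicitRrule.IsInherited`, which is always true after the outer guard, so every inner iteration hits `Continue` and no explicit ACE is ever removed; and inherited ACEs are presumably not present on the in-memory object until the ACL has been written and re-read — worth confirming on a test host. The `Catch` message still reads "attempting to disable inheritance" although the block now handles both directions, e.g. `"an error occured when attempting to change inheritance"`; the `Try`/`Catch` closes outside the hunk. I would swap the actions between the branches and keep the corrected loop under `present`, as below.
```powershell
    If (($state -eq "present") -And !$inheritanceEnabled) {
        # isProtected=$False re-enables inheritance; the second argument is ignored then
        $objACL.SetAccessRuleProtection($False, $False)

        If ($reorganize) {
            # … unchanged: nested ForEach over $objACL.Access, with the inner guard
            # changed to `If ($explicitRrule.IsInherited) { Continue }` …
        }

        Set-ACL $path $objACL
        Set-Attr $result "changed" $true;
    }
    Elseif (($state -eq "absent") -And $inheritanceEnabled) {
        # isProtected=$True cuts inheritance; $reorganize keeps the inherited ACEs as explicit copies
        $objACL.SetAccessRuleProtection($True, $reorganize)

        Set-ACL $path $objACL
        Set-Attr $result "changed" $true;
    }
```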
@@ -25,17 +25,25 @@ DOCUMENTATION = '''
 ---
 module: win_acl_inheritance
 version_added: "2.0"
-short_description: Disable ACL inheritance
+short_description: Change ACL inheritance
 description:
-    - Disable ACL (Access Control List) inheritance and optionally converts ACE (Access Control Entry) to dedicated ACE
+    - Change ACL (Access Control List) inheritance and optionally copy inherited ACE's (Access Control Entry) to dedicated ACE's or vice versa.
 options:
   path:
     description:
-      - Path to be used for disabling
+      - Path to be used for changing inheritance
     required: true
-  copy:
+  state:
     description:
-      - Indicates if the inherited ACE should be copied to dedicated ACE
+      - Specify whether to enable I(present) or disable I(absent) ACL inheritance
+    required: false
+    choices:
+      - present
+      - absent
+    default: absent
+  reorganize:
+    description:
+      - For P(state) = I(absent), indicates if the inherited ACE's should be copied. For P(state) = I(present), indicates if the inherited ACE's should be simplified.
     required: false
     choices:
       - no
@@ -47,13 +55,20 @@ author: Hans-Joachim Kliemeck (@h0nIg)
 EXAMPLES = '''
 # Playbook example
 ---
-- name: Disable and copy
+- name: Disable inherited ACE's
+  win_acl_inheritance:
+    path: 'C:\\apache\\'
+    state: absent
+
+- name: Disable and copy inherited ACE's
   win_acl_inheritance:
     path: 'C:\\apache\\'
-    copy: yes
+    state: absent
+    reorganize: yes
-- name: Disable
+- name: Enable and remove dedicated ACE's
   win_acl_inheritance:
     path: 'C:\\apache\\'
-    copy: no
+    state: present
+    reorganize: yes
 '''
-- 
cgit v1.2.1
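Review bot: The option text never says what happens to the inherited entries when `state: absent` (the default) is used without `reorganize`: going by the old `copy` description, they are presumably dropped rather than kept as explicit ACE's, which can remove the only access an operator or service account had on the path — a caveat the `reorganize` description should state, e.g. `Without it, state=absent drops every inherited ACE from the path; set it to yes to keep them as explicit entries.` "simplified" for `state=present` is too vague to act on; the example titled "Enable and remove dedicated ACE's" suggests the intended wording is `For state=present, removes explicit ACE's that duplicate an inherited one.` `P(state)` is not one of the Ansible documentation macros (I(), B(), C(), M(), U(), L()) and will render literally; `C(state)` is the usual form for an option name. The `reorganize` option's remaining lines (`- yes`, its default) lie outside the hunk.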