Feature/ops 79 add acl support

README.md

@@ -65,6 +65,8 @@ No specific requirements
 | `samba_users`                  | []                       | List of dicts defining users that can access shares.                                                                         |
 | `samba_wins_support`           | true                     | When true, Samba will act as a WINS server                                                                                   |
 | `samba_workgroup`              | `WORKGROUP`              | Name of the server workgroup.                                                                                                |
+| `samba_acl_enabled`            | true                     | Enable extended ACL on samba shares.                                                                                         |
+| `samba_acl_mountpoints`        | []                       | List of fstab mountpoints which need to be mounted with extended ACL enabled.                                                |
 
 ### Defining users
 
@@ -171,6 +173,26 @@ A complete overview of share options follows below. Only `name` is required, the
 | `vfs_objects`          | -                               | See the Samba documentation for details.                                                       |
 | `writable`             | -                               | Writable for guests.                                                                           |
 | `write_list`           | -                               | Controls write access for registered users. Use the syntax of the corresponding Samba setting. |
+| `acl`                  | {}                              | List of default ACL permissions to be set on share directory.                                  |
+
+Example structure of the `acl` field:
+
+```yaml
+- name: username
+  type: user
+  permission: rwx
+  default: true
+- name: groupname
+  type: group
+  permission: r
+  default: true
+- name: mask
+  type: mask
+  permission: rwx
+```
+
+In case acl is enabled, acl field need to be set on each share as an empty list if it is not used for the specific share.
+
 
 The values for `valid_users` and `write_list` should be a comma separated list of users. Names prepended with `+` or `@` are interpreted as groups. The documentation for the [Samba configuration](https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html) has more details on these options.
 

defaults/main.yml

@@ -23,3 +23,7 @@ samba_local_master: 'yes'
 samba_domain_master: 'yes'
 samba_preferred_master: 'yes'
 samba_mitigate_cve_2017_7494: true
+
+samba_acl_enabled: false
+samba_acl_mountpoints:
+  - /

molecule/default/converge.yml

@@ -1,22 +1,40 @@
 ---
 - name: Converge
   hosts: all
+  become: true
   pre_tasks:
     - name: Ensure package database is up-to-date
       apt:
         update-cache: true
       failed_when: false
       changed_when: false
       when: ansible_os_family == 'Debian'
+    - name: Create groups
+      ansible.builtin.group:
+        name: "{{ item }}"
+        state: present
+      with_items:
+        - testgroup
+        - timemachine
+        - usr1
     - name: Create users
       user:
-        name: "{{ item }}"
-        groups: users
+        name: "{{ item.user }}"
+        group: "{{ item.group }}"
+        groups: "{{ item.groups | default(omit) }}"
         append: true
       with_items:
-        - usr1
-        - usr2
-        - timemachine
+        - user: usr1
+          group: users
+        - user: usr2
+          group: users
+        - user: timemachine
+          group: users
+        - user: testuser
+          group: testgroup
+        - user: testuser2
+          group: users
+
   vars:
     samba_netbios_name: SAMBA_TEST
     samba_server_string: 'Welcome to the test file server'
@@ -36,44 +54,75 @@
     # samba_server_min_protocol: SMB2
     # samba_server_max_protocol: SMB3
     samba_map_to_guest: Never
+    samba_acl_enabled: true
+    samba_acl_mountpoints:
+      - /
+
+    vault_sambauser_testuser: test
+    vault_sambauser_testuser2: test
+
+    samba_vfs_objects_full_audit:
+      - name: full_audit
+        options:
+          - name: prefix
+            value: "%u|%I|%m|%S"
+          - name: success
+            value: "mkdir rename unlink rmdir pwrite sendfile write read open"
+          - name: failure
+            value: "none"
+          - name: facility
+            value: LOCAL7
+          - name: priority
+            value: NOTICE
+
     samba_users:
       - name: usr1
         password: usr1
       - name: usr2
         password: usr2
       - name: timemachine
         password: timemachine
+      - name: testuser
+        password: "{{ vault_sambauser_testuser }}"
+      - name: testuser2
+        password: "{{ vault_sambauser_testuser2 }}"
     samba_username_map:
       - from: 'User Two'
         to: usr2
     samba_shares_root: /srv/samba
+
     samba_shares:
       - name: restrictedshare
+        acl: []
       - name: privateshare
         comment: 'Only readable/writeable by usr1'
         valid_users: usr1
         write_list: usr1
         group: usr1
         browseable: 'no'
+        acl: []
       - name: protectedshare
         public: 'yes'
         comment: 'Public, but only writeable by usr2'
         write_list: usr2
         group: users
         browseable: 'yes'
         include_file: protectedshare-include.conf
+        acl: []
       - name: publicshare
         comment: 'Public share, writeable by all members of group ‘users’'
         public: 'yes'
         write_list: +users
         group: users
         setype: public_content_t
         browseable: 'yes'
+        acl: []
       - name: guestshare
         comment: 'Share accessible for guests'
         guest_ok: 'yes'
         writable: 'yes'
         browseable: 'yes'
+        acl: []
       - name: TimeMachine
         comment: 'Share useable as a TimeMachine backup target on MacOS'
         vfs_objects:
@@ -89,5 +138,24 @@
         public: 'no'
         guest_ok: 'no'
         browseable: 'no'
+        acl: []
+      - name: testshare
+        comment: share
+        path: /data/testshare
+        owner: testuser
+        group: testgroup
+        mode: "0775"
+        acl:
+          - name: testuser2
+            type: user
+            permission: rwx
+            default: true
+          - name: testgroup
+            type: group
+            permission: rwx
+            default: true
+        write_list: testuser testuser2
+        vfs_objects: "{{ samba_vfs_objects_full_audit }}"
+
   roles:
-    - role: bertvv.samba
+    - role: bertvv.samba

molecule/default/molecule.yml

@@ -7,6 +7,7 @@ driver:
 lint: |
   yamllint .
   ansible-lint --exclude=molecule/default/verify.yml
+  flake8 --exclude .cache
 platforms:
   #Set name and hostname
   - name: smb1
@@ -30,4 +31,7 @@ provisioner:
   name: ansible
 #Runs the verify.yml playbook. Testinfra is also a supported method. Check the Molecule documention for more information. 
 verifier:
-  name: ansible
+  name: testinfra
+  options:
+    v: 1
+    sudo: true

molecule/default/tests/test_default.py

@@ -0,0 +1,61 @@
+# -*- coding: utf-8 -*-
+# :Project:   endian.firewalld ansible role - unittests
+# :Created:   Tue 11 May 2021 22:05:46 CEST
+# :Author:    Peter Warasin <[email protected]>
+# :License:   GPLv2
+# :Copyright: © 2021 Endian s.r.l.
+#
+
+
+"""
+test_default.py - default unittest file.
+
+This file contains unittests using testinfra used to test if the
+ansible role does what we wanted that it would do.
+"""
+
+
+def test_share_directory(host):
+    """
+    Test if the cron script is installed correctly.
+
+    This test method checks if the cron script is copied
+    correctly to the test system.
+
+    :param host:     the link to the testinfra host provided by fixture
+    :type  host:     Host object
+    """
+    file1 = host.file("/data/testshare")
+    assert file1.is_directory
+    assert file1.user == "testuser"
+    assert file1.group == "testgroup"
+    assert file1.mode == 0o775
+
+
+def test_facl_on_directory(host):
+    """
+    Test if the testshare directory has the correct facl settings
+
+    :param host:     the link to the testinfra host provided by fixture
+    :type  host:     Host object
+    """
+    file1 = None
+    try:
+        file1 = host.ansible(
+            "command",
+            "getfacl /data/testshare",
+            check=False,
+        )
+    except host.ansible.AnsibleException as exc:
+        assert exc.result["failed"] is True
+        assert exc.result["msg"] == ""
+        return None
+
+    assert file1["stdout_lines"][0] == '# file: data/testshare'
+    assert file1["stdout_lines"][1] == '# owner: testuser'
+    assert file1["stdout_lines"][2] == '# group: testgroup'
+    assert file1["stdout_lines"][3] == 'user::rwx'
+    assert file1["stdout_lines"][4] == 'group::rwx'
+    assert file1["stdout_lines"][5] == 'other::r-x'
+    assert file1["stdout_lines"][7] == 'default:user:testuser2:rwx'
+    assert file1["stdout_lines"][9] == 'default:group:testgroup:rwx'

tasks/acl.yml

@@ -0,0 +1,14 @@
+---
+- name: "samba | ACL | Set extended ACL on shares"
+  ansible.posix.acl:
+    path: "{{ item[0].path }}"
+    entity: "{{ item[1].name }}"
+    etype: "{{ item[1].type }}"
+    permissions: "{{ item[1].permission }}"
+    default: "{{ item[1].default | default(false) }}"
+    state: present
+  with_subelements:
+    - "{{ samba_shares }}"
+    - "acl"
+  when:
+    - samba_acl_enabled | bool

tasks/acltools.yml

@@ -0,0 +1,7 @@
+---
+- name: Install Samba packages
+  package:
+    name: "{{ samba_acl_packages }}"
+    state: present
+  when:
+    - samba_acl_enabled | bool

tasks/assert.yml

@@ -0,0 +1,62 @@
+---
+- name: if acl is enabled, samba_acl_mountpoints need to be set
+  assert:
+    that:
+      - samba_acl_mountpoints is defined and samba_acl_mountpoints is iterable
+    msg: "'samba_acl_mountpoints' must be a list of mount points!"
+    quiet: true
+  when:
+    - samba_acl_enabled | bool
+
+- name: if acl is enabled, check if acls are defined
+  assert:
+    that:
+      - item.acl is defined and item.acl is iterable
+    msg: "'acl' field of samba_share '{{ item.name }}' must be a list!"
+    quiet: true
+  with_items:
+    - "{{ samba_shares }}"
+  when:
+    - samba_acl_enabled | bool
+
+- name: if acl is enabled, check if all acls have required fields set
+  assert:
+    that:
+      - item[1].name is defined and item[1].name is string
+      - item[1].type is defined and item[1].type is string
+      - item[1].permission is defined and item[1].permission is string
+    msg: "'acl' of samba_share '{{ item[0].name }}' must be list of of entries \
+    which contain 'name', 'type' and 'permission' field!"
+    quiet: true
+  with_subelements:
+    - "{{ samba_shares }}"
+    - "acl"
+  when:
+    - samba_acl_enabled | bool
+
+- name: if acl is enabled, check if all acls have required fields set
+  assert:
+    that:
+      - item[1].type is defined and item[1].type in samba_acl_types
+    msg: "'acl' type of samba_share '{{ item[0].name }}' must be one of: \
+    '{{ samba_acl_types }}, got '{{ item[1].type | default(omit) }}'!"
+    quiet: true
+  with_subelements:
+    - "{{ samba_shares }}"
+    - "acl"
+  when:
+    - samba_acl_enabled | bool
+
+- name: if acl is enabled, check if all acls have correct permissions set
+  assert:
+    that:
+      - item[1].permission is defined and item[1].permission in samba_acl_permissions
+    msg: "'permission' type of samba_share '{{ item[0].name }}' must be one \
+    of: '{{ samba_acl_permissions }}, got \
+    '{{ item[1].permission | default(omit) }}'!"
+    quiet: true
+  with_subelements:
+    - "{{ samba_shares }}"
+    - "acl"
+  when:
+    - samba_acl_enabled | bool

tasks/fstab.yml

@@ -0,0 +1,15 @@
+---
+- name: "Check if chacl is working on {{ item }}"
+  shell: |
+    chacl -l {{ item }}
+  register:
+    return_chacl
+  changed_when: false
+
+- name: "Remount device {{ item }} and add -o acl"
+  ansible.posix.mount:
+    state: remounted
+    opts: acl
+    path: "{{ item }}"
+  when:
+    - return_chacl.rc != 0