From 303da856eff32f0b7b5382b604f463ebe22f58e2 Mon Sep 17 00:00:00 2001
From: Julien Pivotto
Date: Tue, 22 Sep 2015 14:31:58 +0200
Subject: [PATCH] Better support for 'deep' recursive acls
---
 lib/puppet/type/acl.rb | 19 ++++++++++++++++++-
 spec/unit/puppet/type/acl_spec.rb | 12 ++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/type/acl.rb b/lib/puppet/type/acl.rb
index 2b499a8..4c10955 100644
--- a/lib/puppet/type/acl.rb
+++ b/lib/puppet/type/acl.rb
@@ -1,3 +1,4 @@
+require 'set'
 Puppet::Type.newtype(:acl) do
 desc <<-EOT
@@ -210,11 +211,27 @@ def insync?(is)
 defaultto :false
 end
+ def self.pick_default_perms(perms)
+ non_default = perms.reject { |perm| perm =~ /^d/ }
+ default = perms.reject { |perm| perm !~ /^d/ }.map {
+ |perm| perm.split(':')[1..-1].join(':')
+ }
+ Set.new((non_default + default).map { |perm|
+ key = perm.split(':')[0..1].join(':')
+ matching_default = default.reject { |perm| perm !~ /^#{key}:/ }
+ if (matching_default.length > 0)
+ matching_default
+ else
+ perm
+ end
+ }).to_a.flatten
+ end
+
 def newchild(path)
 full_path = ::File.join(self[:path], path)
 options = @original_parameters.merge(:name => full_path).reject { |param, value| value.nil? }
 unless File.directory?(options[:name]) then
- options[:permission].reject! { |acl| acl.split(':', -1).length == 4 } if options.include?(:permission)
+ options[:permission] = self.class.pick_default_perms(options[:permission]) if options.include?(:permission)
 end
 [:recursive, :recursemode, :path].each do |param|
 options.delete(param) if options.include?(param)
diff --git a/spec/unit/puppet/type/acl_spec.rb b/spec/unit/puppet/type/acl_spec.rb
index 2d70ec0..acb14b1 100644
--- a/spec/unit/puppet/type/acl_spec.rb
+++ b/spec/unit/puppet/type/acl_spec.rb
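Review bot: In `pick_default_perms`, `/^#{key}:/` builds a regex from the entry's tag and qualifier without escaping, so a user or group name containing a regex metacharacter (a `.`, or a trailing `$`) can match another principal's default entry or match nothing at all. In the no-match case both the access entry and the converted default entry for the same principal are returned for the file, so the effective permission is not decided by this code. A literal prefix comparison avoids both outcomes: `matching_default = default.select { |d| d.start_with?("#{key}:") }`. Giving the inner block variable its own name also removes the shadowing of the outer `perm`; if the module still has to run on Ruby 1.8 (not confirmed by the hunk), the inner block would overwrite `perm` before `else perm` reads it. `newchild` continues past the end of the hunk.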
@@ -129,4 +129,16 @@
 end
 end
+ context 'when converting default parameters' do
+ basic_perms = ['user:foo:rwx', 'group:foo:rwx']
+ advanced_perms = ['user:foo:rwx', 'group:foo:rwx', 'default:user:foo:---']
+ advanced_perms_results = ['user:foo:---', 'group:foo:rwx']
+ it 'should not do anything with no defaults' do
+ expect(acl_type.pick_default_perms(basic_perms)).to eq(basic_perms)
+ end
+ it 'should override defaults' do
+ expect(acl_type.pick_default_perms(advanced_perms)).to eq(advanced_perms_results)
+ end
+ end
+
 end
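Review bot: Both examples use only the qualifier `foo`, so nothing exercises a principal name with regex-special characters or a default entry that has no matching access entry, which are the inputs where `pick_default_perms` decides whether a file keeps or loses an ACL entry. A constructed case such as `expect(acl_type.pick_default_perms(['user:a.b:rwx', 'default:user:axb:r--'])).to match_array(['user:a.b:rwx', 'user:axb:r--'])` would pin that behaviour. `eq` also compares order while the result comes out of `Set#to_a`, so `match_array` is the safer matcher if older Ruby versions are in scope (an assumption). `acl_type` is defined outside the hunk.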