From ee9348473aea57a76f16b801fcc4acc59c5416f4 Mon Sep 17 00:00:00 2001
From: Lee Goolsbee
Date: Tue, 11 Jun 2024 17:09:39 -0500
Subject: [PATCH 1/5] ITPLT-3785 reworked logic for limiting permissions in installation directories without affecting working directories
---
 roles/confluence_config/tasks/main.yml | 33 ++++++++++++++++---
 roles/crowd_config/tasks/main.yml | 45 ++++++++++++++++++++++----
 roles/jira_config/tasks/main.yml | 34 ++++++++++++++++---
 3 files changed, 97 insertions(+), 15 deletions(-)
diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml
index 7e7d543..4625b50 100644
--- a/roles/confluence_config/tasks/main.yml
+++ b/roles/confluence_config/tasks/main.yml 
@@ -66,17 +66,42 @@
 owner: "{{ atl_product_user }}"
 group: "{{ atl_product_user }}"
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp and version cache directories, recursively
 ansible.builtin.file:
- path: "{{ atl_product_installation_versioned }}"
+ path: "{{ item }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
 with_items:
 - "{{ atl_installer_temp }}"
- - "{{ atl_product_installation_versioned }}"
- - "{{ atl_product_version_cache_dir }}"
+ - "{{ atl_product_version_cache }}"
+ changed_when: false # For Molecule idempotence check
+
+- name: Limit permissions on the installation directory, non-recursively
+ ansible.builtin.file:
+ path: "{{ atl_product_installation_versioned }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ changed_when: false # For Molecule idempotence check
+
+- name: Find top-level files/directories in installation directory, excluding working directories
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}"
+ depth: 1
+ file_type: any
+ excludes: logs,temp,work
+ register: atl_product_installation_versioned_file_list
+
+- name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 - name: Grant access to the product working directories
diff --git a/roles/crowd_config/tasks/main.yml b/roles/crowd_config/tasks/main.yml
index 97b06e4..39208d1 100644
--- a/roles/crowd_config/tasks/main.yml
+++ b/roles/crowd_config/tasks/main.yml 
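Review bot: The new `Find top-level files/directories in installation directory` task silently skips dot-entries, because `ansible.builtin.find` defaults `hidden` to false; any hidden file or directory at the top of the install tree therefore keeps the owner and mode the unpack gave it while every visible sibling is forced to root. If that is not intended, add `hidden: true` to the find task; the same gap exists in both `find` tasks of the crowd hunk and in the jira hunk of this patch. The loop task that consumes the result records the reason for the `logs,temp,work` exclusion only in its name, so a one-line comment such as `# logs/temp/work stay writable by the product user; see the working-directory task below` above `excludes:` would keep that intent next to the value.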
@@ -66,17 +66,50 @@
 - "{{ atl_product_shared_plugins }}"
 changed_when: false # For Molecule idempotence check
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp and version cache directories, recursively
 ansible.builtin.file:
- path: "{{ atl_product_installation_versioned }}"
- owner: "{{ atl_product_user }}"
- group: "{{ atl_product_user }}"
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
 with_items:
 - "{{ atl_installer_temp }}"
- - "{{ atl_product_installation_versioned }}"
- - "{{ atl_product_version_cache_dir }}"
+ - "{{ atl_product_version_cache }}"
+ changed_when: false # For Molecule idempotence check
+
+- name: Limit permissions on the installation directory, non-recursively
+ ansible.builtin.file:
+ path: "{{ atl_product_installation_versioned }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ changed_when: false # For Molecule idempotence check
+
+- name: Find top-level files/directories in installation directory, excluding tomcat
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}"
+ depth: 1
+ file_type: any
+ excludes: apache-tomcat
+ register: atl_product_installation_versioned_file_list
+
+- name: Find top-level files/directories in tomcat directory, excluding working directories
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}/apache-tomcat"
+ depth: 1
+ file_type: any
+ excludes: logs,temp,work
+ register: atl_product_installation_versioned_tomcat_file_list
+
+- name: Limit permissions on files and directories in the installation and tomcat directories, recursively, excluding working directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ loop: "{{ atl_product_installation_versioned_file_list.files + atl_product_installation_versioned_tomcat_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 - name: Grant access to the product working directories
diff --git a/roles/jira_config/tasks/main.yml b/roles/jira_config/tasks/main.yml
index b514c53..ff8d803 100644
--- a/roles/jira_config/tasks/main.yml
+++ b/roles/jira_config/tasks/main.yml
@@ -75,18 +75,42 @@
 - "{{ atl_product_shared_plugins }}"
 changed_when: false # For Molecule idempotence check
-
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp and version cache directories, recursively
 ansible.builtin.file:
- path: "{{ atl_product_installation_versioned }}"
+ path: "{{ item }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
 with_items:
 - "{{ atl_installer_temp }}"
- - "{{ atl_product_installation_versioned }}"
- - "{{ atl_product_version_cache_dir }}"
+ - "{{ atl_product_version_cache }}"
+ changed_when: false # For Molecule idempotence check
+
+- name: Limit permissions on the installation directory, non-recursively
+ ansible.builtin.file:
+ path: "{{ atl_product_installation_versioned }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ changed_when: false # For Molecule idempotence check
+
+- name: Find top-level files/directories in installation directory, excluding working directories
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}"
+ depth: 1
+ file_type: any
+ excludes: logs,temp,work
+ register: atl_product_installation_versioned_file_list
+
+- name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 - name: Grant access to the product working directories
From 5caddaede18d9f95eb07cb3d1b06786d5d81b3eb Mon Sep 17 00:00:00 2001 
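Review bot: In the crowd hunk the `apache-tomcat` directory entry itself is never given an owner or mode: the first `find` excludes it, the second `find` returns only its children, and the non-recursive task covers only `atl_product_installation_versioned`, so that one directory keeps whatever ownership and permissions the unpack left on it. Extend the non-recursive task to both paths, e.g. `path: "{{ item }}"` with `loop: ["{{ atl_product_installation_versioned }}", "{{ atl_product_installation_versioned }}/apache-tomcat"]`, keeping `changed_when: false` as the sibling tasks do. Note also that the removed `owner`/`group` lines show the old crowd task ran as `atl_product_user`, so this hunk moves `atl_installer_temp` to root ownership as well; if that is intended it deserves a sentence in the commit description.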
From: Lee Goolsbee
Date: Tue, 11 Jun 2024 17:50:07 -0500
Subject: [PATCH 2/5] ITPLT-3785 can't recursively manage permissions on a single file; manage permissions for atl_product_version_cache file when written instead
---
 roles/confluence_config/tasks/main.yml | 7 ++-----
 roles/crowd_config/tasks/main.yml | 7 ++-----
 roles/jira_config/tasks/main.yml | 7 ++-----
 roles/product_install/tasks/main.yml | 3 +++
 4 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml
index 4625b50..b36e20e 100644
--- a/roles/confluence_config/tasks/main.yml
+++ b/roles/confluence_config/tasks/main.yml
@@ -66,16 +66,13 @@
 owner: "{{ atl_product_user }}"
 group: "{{ atl_product_user }}"
-- name: Limit permissions on the installer temp and version cache directories, recursively
+- name: Limit permissions on the installer temp directory, recursively
 ansible.builtin.file:
- path: "{{ item }}"
+ path: "{{ atl_installer_temp }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
- with_items:
- - "{{ atl_installer_temp }}"
- - "{{ atl_product_version_cache }}"
 changed_when: false # For Molecule idempotence check
 - name: Limit permissions on the installation directory, non-recursively
diff --git a/roles/crowd_config/tasks/main.yml b/roles/crowd_config/tasks/main.yml
index 39208d1..d3915c8 100644
--- a/roles/crowd_config/tasks/main.yml
+++ b/roles/crowd_config/tasks/main.yml 
@@ -66,16 +66,13 @@
 - "{{ atl_product_shared_plugins }}"
 changed_when: false # For Molecule idempotence check
-- name: Limit permissions on the installer temp and version cache directories, recursively
+- name: Limit permissions on the installer temp directory, recursively
 ansible.builtin.file:
- path: "{{ item }}"
+ path: "{{ atl_installer_temp }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
- with_items:
- - "{{ atl_installer_temp }}"
- - "{{ atl_product_version_cache }}"
 changed_when: false # For Molecule idempotence check
 - name: Limit permissions on the installation directory, non-recursively
diff --git a/roles/jira_config/tasks/main.yml b/roles/jira_config/tasks/main.yml
index ff8d803..935318c 100644
--- a/roles/jira_config/tasks/main.yml
+++ b/roles/jira_config/tasks/main.yml
@@ -75,16 +75,13 @@
 - "{{ atl_product_shared_plugins }}"
 changed_when: false # For Molecule idempotence check
-- name: Limit permissions on the installer temp and version cache directories, recursively
+- name: Limit permissions on the installer temp directory, recursively
 ansible.builtin.file:
- path: "{{ item }}"
+ path: "{{ atl_installer_temp }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
- with_items:
- - "{{ atl_installer_temp }}"
- - "{{ atl_product_version_cache }}"
 changed_when: false # For Molecule idempotence check
 - name: Limit permissions on the installation directory, non-recursively
diff --git a/roles/product_install/tasks/main.yml b/roles/product_install/tasks/main.yml
index 2801870..ca5f97a 100644
--- a/roles/product_install/tasks/main.yml
+++ b/roles/product_install/tasks/main.yml
@@ -136,6 +136,9 @@
 ansible.builtin.template:
 src: version.j2
 dest: "{{ atl_product_version_cache }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
 force: true
 # For the first run a temp binary should be downloaded but moved to
From 3fd8a01e9009d03ee8737ee737ddc2e827f8da31 Mon Sep 17 00:00:00 2001 
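Review bot: The `mode: "u=rwX,g=rX,o=rX"` added to the `version.j2` template task in the product_install hunk applies a symbolic `X` to a regular file, and Ansible grants `X` only when the path is a directory or already carries an execute bit; on a fresh file this yields 0644, but if an earlier run left the cache file executable the `=` assignment preserves that bit. Since the commit message states this path is a single file, write the intent plainly with `mode: "u=rw,g=r,o=r"` (or `"0644"`) so the outcome no longer depends on prior state. The task's `name` line sits above the hunk, so the full task is not visible here.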
From: Lee Goolsbee
Date: Tue, 11 Jun 2024 17:53:40 -0500
Subject: [PATCH 3/5] ITPLT-3785 item.path, not just the item
---
 roles/confluence_config/tasks/main.yml | 2 +-
 roles/crowd_config/tasks/main.yml | 2 +-
 roles/jira_config/tasks/main.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml
index b36e20e..eb5d290 100644
--- a/roles/confluence_config/tasks/main.yml
+++ b/roles/confluence_config/tasks/main.yml
@@ -93,7 +93,7 @@
 - name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
 ansible.builtin.file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
diff --git a/roles/crowd_config/tasks/main.yml b/roles/crowd_config/tasks/main.yml
index d3915c8..3011e17 100644
--- a/roles/crowd_config/tasks/main.yml
+++ b/roles/crowd_config/tasks/main.yml
@@ -101,7 +101,7 @@
 - name: Limit permissions on files and directories in the installation and tomcat directories, recursively, excluding working directories
 ansible.builtin.file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
diff --git a/roles/jira_config/tasks/main.yml b/roles/jira_config/tasks/main.yml
index 935318c..08d5fa4 100644
--- a/roles/jira_config/tasks/main.yml
+++ b/roles/jira_config/tasks/main.yml
@@ -102,7 +102,7 @@
 - name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
 ansible.builtin.file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
From 07f708484f9a0f0ca84e139f82cfa6ff1ba9a22d Mon Sep 17 00:00:00 2001 
From: Lee Goolsbee
Date: Tue, 11 Jun 2024 17:55:25 -0500
Subject: [PATCH 4/5] ITPLT-3785 ugh bad indentation
---
 roles/confluence_config/tasks/main.yml | 2 +-
 roles/crowd_config/tasks/main.yml | 2 +-
 roles/jira_config/tasks/main.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml
index eb5d290..32f892f 100644
--- a/roles/confluence_config/tasks/main.yml
+++ b/roles/confluence_config/tasks/main.yml
@@ -98,7 +98,7 @@
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
- loop: "{{ atl_product_installation_versioned_file_list.files }}"
+ loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 - name: Grant access to the product working directories
diff --git a/roles/crowd_config/tasks/main.yml b/roles/crowd_config/tasks/main.yml
index 3011e17..669bba7 100644
--- a/roles/crowd_config/tasks/main.yml
+++ b/roles/crowd_config/tasks/main.yml
@@ -106,7 +106,7 @@
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
- loop: "{{ atl_product_installation_versioned_file_list.files + atl_product_installation_versioned_tomcat_file_list.files }}"
+ loop: "{{ atl_product_installation_versioned_file_list.files + atl_product_installation_versioned_tomcat_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 - name: Grant access to the product working directories
diff --git a/roles/jira_config/tasks/main.yml b/roles/jira_config/tasks/main.yml
index 08d5fa4..c18383e 100644
--- a/roles/jira_config/tasks/main.yml
+++ b/roles/jira_config/tasks/main.yml
@@ -107,7 +107,7 @@
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
- loop: "{{ atl_product_installation_versioned_file_list.files }}"
+ loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 - name: Grant access to the product working directories 
From 8113474d15f446acffe1ddd020ab9f31f43b9ed7 Mon Sep 17 00:00:00 2001
From: Lee Goolsbee
Date: Wed, 12 Jun 2024 10:50:04 -0500
Subject: [PATCH 5/5] ITPLT-3785 only recurse if the item is a directory
---
 roles/confluence_config/tasks/main.yml | 2 +-
 roles/crowd_config/tasks/main.yml | 2 +-
 roles/jira_config/tasks/main.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml
index 32f892f..00854ff 100644
--- a/roles/confluence_config/tasks/main.yml
+++ b/roles/confluence_config/tasks/main.yml
@@ -97,7 +97,7 @@
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
- recurse: true
+ recurse: "{{ item.isdir }}"
 loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
diff --git a/roles/crowd_config/tasks/main.yml b/roles/crowd_config/tasks/main.yml
index 669bba7..8b1f8a1 100644
--- a/roles/crowd_config/tasks/main.yml
+++ b/roles/crowd_config/tasks/main.yml
@@ -105,7 +105,7 @@
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
- recurse: true
+ recurse: "{{ item.isdir }}"
 loop: "{{ atl_product_installation_versioned_file_list.files + atl_product_installation_versioned_tomcat_file_list.files }}"
 changed_when: false # For Molecule idempotence check
diff --git a/roles/jira_config/tasks/main.yml b/roles/jira_config/tasks/main.yml
index c18383e..c9476a9 100644
--- a/roles/jira_config/tasks/main.yml
+++ b/roles/jira_config/tasks/main.yml
@@ -106,7 +106,7 @@
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
- recurse: true
+ recurse: "{{ item.isdir }}"
 loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
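Review bot: `recurse: "{{ item.isdir }}"` stops the `file` task from failing on regular files, but the loop still receives symbolic links because the producing `find` uses `file_type: any`, and `ansible.builtin.file` dereferences links by default (`follow` defaults to true), so a link at the top of the install tree would have its target chowned to root even when that target lives under one of the excluded `logs`/`temp`/`work` directories. Whether the unpacked product tree contains such links is not visible from the hunk; if it can, drop them from the loop with `loop: "{{ atl_product_installation_versioned_file_list.files | rejectattr('islnk') }}"` or set `follow: false` on the task. The same applies to the crowd and jira hunks in this patch, and the task's `name` line lies above each hunk.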