From ee9348473aea57a76f16b801fcc4acc59c5416f4 Mon Sep 17 00:00:00 2001
From: Lee Goolsbee
Date: Tue, 11 Jun 2024 17:09:39 -0500
Subject: [PATCH] ITPLT-3785 reworked logic for limiting permissions in installation directories without affecting working directories
---
 roles/confluence_config/tasks/main.yml | 33 ++++++++++++++++---
 roles/crowd_config/tasks/main.yml | 45 ++++++++++++++++++++++----
 roles/jira_config/tasks/main.yml | 34 ++++++++++++++++---
 3 files changed, 97 insertions(+), 15 deletions(-)
diff --git a/roles/confluence_config/tasks/main.yml b/roles/confluence_config/tasks/main.yml
index 7e7d543..4625b50 100644
--- a/roles/confluence_config/tasks/main.yml
+++ b/roles/confluence_config/tasks/main.yml
@@ -66,17 +66,42 @@
 owner: "{{ atl_product_user }}"
 group: "{{ atl_product_user }}"
 
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp and version cache directories, recursively
 ansible.builtin.file:
- path: "{{ atl_product_installation_versioned }}"
+ path: "{{ item }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
 with_items:
 - "{{ atl_installer_temp }}"
- - "{{ atl_product_installation_versioned }}"
- - "{{ atl_product_version_cache_dir }}"
+ - "{{ atl_product_version_cache }}"
+ changed_when: false # For Molecule idempotence check
+
+- name: Limit permissions on the installation directory, non-recursively
+ ansible.builtin.file:
+ path: "{{ atl_product_installation_versioned }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ changed_when: false # For Molecule idempotence check
+
+- name: Find top-level files/directories in installation directory, excluding working directories
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}"
+ depth: 1
+ file_type: any
+ excludes: logs,temp,work
+ register: atl_product_installation_versioned_file_list
+
+- name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 
 - name: Grant access to the product working directories
diff --git a/roles/crowd_config/tasks/main.yml b/roles/crowd_config/tasks/main.yml
index 97b06e4..39208d1 100644
--- a/roles/crowd_config/tasks/main.yml
+++ b/roles/crowd_config/tasks/main.yml
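Review bot: In the new task `Limit permissions on files and directories in the installation directory, recursively, excluding working directories`, `path: "{{ item }}"` is handed a whole `find` result entry, not a path — `find` registers `files` as a list of dicts, so the file module receives the dict's string form; with `recurse: true` a non-existent path likely defaults to `state: directory`, so the task would try to create a stray directory of that name rather than tighten the real one. The line should read `path: "{{ item.path }}"`. Because the find runs with `file_type: any`, regular files at depth 1 are looped over as well, and as far as I recall the file module refuses `recurse` on anything that is not a directory, so `recurse: "{{ item.isdir }}"` (or a separate find with `file_type: directory`) is needed alongside the path fix; the same two issues appear in the crowd and jira hunks. Note also that `changed_when: false` on these tasks means any owner or mode drift that the task corrects never surfaces as a change in the play output, which deserves a comment beyond the Molecule remark.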
@@ -66,17 +66,50 @@
 - "{{ atl_product_shared_plugins }}"
 changed_when: false # For Molecule idempotence check
 
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp and version cache directories, recursively
 ansible.builtin.file:
- path: "{{ atl_product_installation_versioned }}"
- owner: "{{ atl_product_user }}"
- group: "{{ atl_product_user }}"
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
 with_items:
 - "{{ atl_installer_temp }}"
- - "{{ atl_product_installation_versioned }}"
- - "{{ atl_product_version_cache_dir }}"
+ - "{{ atl_product_version_cache }}"
+ changed_when: false # For Molecule idempotence check
+
+- name: Limit permissions on the installation directory, non-recursively
+ ansible.builtin.file:
+ path: "{{ atl_product_installation_versioned }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ changed_when: false # For Molecule idempotence check
+
+- name: Find top-level files/directories in installation directory, excluding tomcat
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}"
+ depth: 1
+ file_type: any
+ excludes: apache-tomcat
+ register: atl_product_installation_versioned_file_list
+
+- name: Find top-level files/directories in tomcat directory, excluding working directories
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}/apache-tomcat"
+ depth: 1
+ file_type: any
+ excludes: logs,temp,work
+ register: atl_product_installation_versioned_tomcat_file_list
+
+- name: Limit permissions on files and directories in the installation and tomcat directories, recursively, excluding working directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ loop: "{{ atl_product_installation_versioned_file_list.files + atl_product_installation_versioned_tomcat_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 
 - name: Grant access to the product working directories
diff --git a/roles/jira_config/tasks/main.yml b/roles/jira_config/tasks/main.yml
index b514c53..ff8d803 100644
--- a/roles/jira_config/tasks/main.yml
+++ b/roles/jira_config/tasks/main.yml
@@ -75,18 +75,42 @@
 - "{{ atl_product_shared_plugins }}"
 changed_when: false # For Molecule idempotence check
 
-
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp and version cache directories, recursively
 ansible.builtin.file:
- path: "{{ atl_product_installation_versioned }}"
+ path: "{{ item }}"
 owner: "root"
 group: "root"
 mode: "u=rwX,g=rX,o=rX"
 recurse: true
 with_items:
 - "{{ atl_installer_temp }}"
- - "{{ atl_product_installation_versioned }}"
- - "{{ atl_product_version_cache_dir }}"
+ - "{{ atl_product_version_cache }}"
+ changed_when: false # For Molecule idempotence check
+
+- name: Limit permissions on the installation directory, non-recursively
+ ansible.builtin.file:
+ path: "{{ atl_product_installation_versioned }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ changed_when: false # For Molecule idempotence check
+
+- name: Find top-level files/directories in installation directory, excluding working directories
+ ansible.builtin.find:
+ paths: "{{ atl_product_installation_versioned }}"
+ depth: 1
+ file_type: any
+ excludes: logs,temp,work
+ register: atl_product_installation_versioned_file_list
+
+- name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "root"
+ group: "root"
+ mode: "u=rwX,g=rX,o=rX"
+ recurse: true
+ loop: "{{ atl_product_installation_versioned_file_list.files }}"
 changed_when: false # For Molecule idempotence check
 
 - name: Grant access to the product working directories