Add nomask option to the acl module (#39810)

* Add nomask option to the acl module

* acl: allow to choose if and when to recalculate the effective right masks of the files

lib/ansible/modules/files/acl.py

@@ -73,6 +73,14 @@ options:
     type: bool
     default: 'no'
     version_added: "2.0"
+
+  recalculate_mask:
+    description:
+      - Select if and when to recalculate the effective right masks of the files, see setfacl documentation for more info. Incompatible with C(state=query).
+    choices: [ default, mask, no_mask ]
+    default: 'default'
+    version_added: "2.6"
+
 author:
     - Brian Coca (@bcoca)
     - Jérémie Astori (@astorije)
@@ -174,7 +182,7 @@ def build_entry(etype, entity, permissions=None, use_nfsv4_acls=False):
     return etype + ':' + entity
 
 
-def build_command(module, mode, path, follow, default, recursive, entry=''):
+def build_command(module, mode, path, follow, default, recursive, recalculate_mask, entry=''):
     '''Builds and returns a getfacl/setfacl command.'''
     if mode == 'set':
         cmd = [module.get_bin_path('setfacl', True)]
@@ -192,6 +200,11 @@ def build_command(module, mode, path, follow, default, recursive, entry=''):
     if recursive:
         cmd.append('--recursive')
 
+    if recalculate_mask == 'mask' and mode in ['set', 'rm']:
+        cmd.append('--mask')
+    elif recalculate_mask == 'no_mask' and mode in ['set', 'rm']:
+        cmd.append('--no-mask')
+
     if not follow:
         if get_platform().lower() == 'linux':
             cmd.append('--physical')
@@ -261,6 +274,12 @@ def main():
             follow=dict(required=False, type='bool', default=True),
             default=dict(required=False, type='bool', default=False),
             recursive=dict(required=False, type='bool', default=False),
+            recalculate_mask=dict(
+                required=False,
+                default='default',
+                choices=['default', 'mask', 'no_mask'],
+                type='str'
+            ),
             use_nfsv4_acls=dict(required=False, type='bool', default=False)
         ),
         supports_check_mode=True,
@@ -278,13 +297,18 @@ def main():
     follow = module.params.get('follow')
     default = module.params.get('default')
     recursive = module.params.get('recursive')
+    recalculate_mask = module.params.get('recalculate_mask')
     use_nfsv4_acls = module.params.get('use_nfsv4_acls')
 
     if not os.path.exists(path):
         module.fail_json(msg="Path not found or not accessible.")
 
-    if state == 'query' and recursive:
+    if state == 'query':
-        module.fail_json(msg="'recursive' MUST NOT be set when 'state=query'.")
+        if recursive:
+            module.fail_json(msg="'recursive' MUST NOT be set when 'state=query'.")
+
+        if recalculate_mask in ['mask', 'no_mask']:
+            module.fail_json(msg="'recalculate_mask' MUST NOT be set to 'mask' or 'no_mask' when 'state=query'.")
 
     if not entry:
         if state == 'absent' and permissions:
@@ -324,7 +348,7 @@ def main():
         entry = build_entry(etype, entity, permissions, use_nfsv4_acls)
         command = build_command(
             module, 'set', path, follow,
-            default, recursive, entry
+            default, recursive, recalculate_mask, entry
         )
         changed = acl_changed(module, command)
 
@@ -336,7 +360,7 @@ def main():
         entry = build_entry(etype, entity, use_nfsv4_acls)
         command = build_command(
             module, 'rm', path, follow,
-            default, recursive, entry
+            default, recursive, recalculate_mask, entry
         )
         changed = acl_changed(module, command)
 
@@ -349,7 +373,7 @@ def main():
 
     acl = run_acl(
         module,
-        build_command(module, 'get', path, follow, default, recursive)
+        build_command(module, 'get', path, follow, default, recursive, recalculate_mask)
     )
 
     module.exit_json(changed=changed, msg=msg, acl=acl)