---
# Test setup
# Use single task to save in CI runtime
- name: create test folders
  win_shell: |
    $ErrorActionPreference = 'Stop'

    $tmp_dir = '{{ test_win_acl_inheritance_path }}'
    if (Test-Path -LiteralPath $tmp_dir) {
        Remove-Item -LiteralPath $tmp_dir -Force -Recurse
    }
    New-Item -Path $tmp_dir -ItemType Directory > $null

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $current_sid = ([System.DirectoryServices.AccountManagement.UserPrincipal]::Current).Sid
    $system_sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $everyone_sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::WorldSid, $null)

    $sd = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
    $sd.SetAccessRuleProtection($true, $false)
    $sd.AddAccessRule(
        (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $system_sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        ))
    )
    $sd.AddAccessRule(
        (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $current_sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        ))
    )
    $sd.AddAccessRule(
        (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $everyone_sid,
            [System.Security.AccessControl.FileSystemRights]::Read,
            [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        ))
    )

    Set-Acl -LiteralPath $tmp_dir -AclObject $sd

    New-Item -Path "$tmp_dir\folder" -ItemType Directory > $null
    Set-Content -LiteralPath "$tmp_dir\folder\file.txt" -Value 'a'

    $system_sid.Value
    $current_sid.Value
    $everyone_sid.Value
  register: test_sids  # register the output SID values used for comparison tests below

# Run tests
- name: remove inheritance check
  win_acl_inheritance:
    path: '{{ test_win_acl_inheritance_path }}\folder'
    reorganize: True
    state: absent
  register: remove_check
  check_mode: True

- name: get actual remove inheritance check
  test_get_acl:
    path: '{{ test_win_acl_inheritance_path }}\folder'
  register: actual_remove_check

- name: assert remove inheritance check
  assert:
    that:
    - remove_check is changed
    - actual_remove_check.inherited == True
    - actual_remove_check.user_details[test_sids.stdout_lines[0]].isinherited == True
    - actual_remove_check.user_details[test_sids.stdout_lines[1]].isinherited == True
    - actual_remove_check.user_details[test_sids.stdout_lines[2]].isinherited == True

- name: remove inheritance
  win_acl_inheritance:
    path: '{{ test_win_acl_inheritance_path }}\folder'
    reorganize: True
    state: absent
  register: remove

- name: get actual remove inheritance
  test_get_acl:
    path: '{{ test_win_acl_inheritance_path }}\folder'
  register: actual_remove

- name: assert remove inheritance
  assert:
    that:
    - remove is changed
    - actual_remove.inherited == False
    - actual_remove.user_details[test_sids.stdout_lines[0]].isinherited == False
    - actual_remove.user_details[test_sids.stdout_lines[1]].isinherited == False
    - actual_remove.user_details[test_sids.stdout_lines[2]].isinherited == False

- name: remove inheritance again
  win_acl_inheritance:
    path: '{{ test_win_acl_inheritance_path }}\folder'
    reorganize: True
    state: absent
  register: remove_again

- name: assert remove inheritance again
  assert:
    that:
    - remove_again is not changed

- name: add inheritance check
  win_acl_inheritance:
    path: '{{ test_win_acl_inheritance_path }}\folder'
    reorganize: True
    state: present
  register: add_check
  check_mode: True

- name: get actual add inheritance check
  test_get_acl:
    path: '{{ test_win_acl_inheritance_path }}\folder'
  register: actual_add_check

- name: assert add inheritance check
  assert:
    that:
    - add_check is changed
    - actual_add_check.inherited == False
    - actual_add_check.user_details[test_sids.stdout_lines[0]].isinherited == False
    - actual_add_check.user_details[test_sids.stdout_lines[1]].isinherited == False
    - actual_add_check.user_details[test_sids.stdout_lines[2]].isinherited == False

- name: add inheritance
  win_acl_inheritance:
    path: '{{ test_win_acl_inheritance_path }}\folder'
    reorganize: True
    state: present
  register: add

- name: get actual add inheritance
  test_get_acl:
    path: '{{ test_win_acl_inheritance_path }}\folder'
  register: actual_add

- name: assert add inheritance
  assert:
    that:
    - add is changed
    - actual_add.inherited == True
    - actual_add.user_details[test_sids.stdout_lines[0]].isinherited == True
    - actual_add.user_details[test_sids.stdout_lines[1]].isinherited == True
    - actual_add.user_details[test_sids.stdout_lines[2]].isinherited == True

- name: add inheritance again
  win_acl_inheritance:
    path: '{{ test_win_acl_inheritance_path }}\folder'
    reorganize: True
    state: present
  register: add_again

- name: assert add inheritance again
  assert:
    that:
    - add_again is not changed

# Test cleanup
- name: remove test folder
  win_file:
    path: '{{ test_win_acl_inheritance_path }}'
    state: absent