From 4c119d0cf42a0b5546c151648acc55b3446d7dc5 Mon Sep 17 00:00:00 2001
From: Mark Kusch
Date: Tue, 1 Nov 2016 13:32:10 +0100
Subject: [PATCH 1/6] Add tomcat version 8.5.6
Signed-off-by: Mark Kusch
---
 vars/versions/8.5.6.yml | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 vars/versions/8.5.6.yml
diff --git a/vars/versions/8.5.6.yml b/vars/versions/8.5.6.yml
new file mode 100644
index 0000000..3d7dc47
--- /dev/null
+++ b/vars/versions/8.5.6.yml
@@ -0,0 +1,4 @@
+---
+# SHA256 sum for the Tomcat redistributable package
+tomcat_redis_checksum: "sha256:8564cd9570adfd23394fd62a4cf999a294429e5f29017e4bb292c604eae9677b"
+tomcat_web_xml_schema_version: 3.1
From 44532aa74d5397ab91358df4767b0c8a8400db46 Mon Sep 17 00:00:00 2001
From: Mark Kusch
Date: Tue, 1 Nov 2016 13:32:55 +0100
Subject: [PATCH 2/6] Tomcat 8.5.N installs CATALINA_HOME/conf with umask 077
Signed-off-by: Mark Kusch
---
 tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index 57cf285..55492ba 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -135,6 +135,7 @@
 - name: Register static/unmanaged conf files
 tags: tomcat
+ become: true
 register: tomcat_registered_conf_files
 always_run: true
 changed_when: false
From a8dec311e96db7672db665aab8af350d03b51c5b Mon Sep 17 00:00:00 2001
From: Mark Kusch
Date: Tue, 1 Nov 2016 14:48:54 +0100
Subject: [PATCH 3/6] Fixup minimum required library files access controls for tomcat >= 8.5 to function
Signed-off-by: Mark Kusch
---
 tasks/8.5-acls.yml | 26 ++++++++++++++++++++++++++
 tasks/main.yml | 16 ++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 tasks/8.5-acls.yml
diff --git a/tasks/8.5-acls.yml b/tasks/8.5-acls.yml
new file mode 100644
index 0000000..9b1de08
--- /dev/null
+++ b/tasks/8.5-acls.yml
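Review bot: The sha256 pinned in `tomcat_redis_checksum` carries no provenance, so a later reader cannot tell whether it was taken from an archive whose upstream signature had been checked or simply from whatever was downloaded that day; since this pin is what protects every future run from a swapped tarball, the comment should record how it was obtained, e.g. `# SHA256 of the 8.5.6 redistributable, computed after verifying the upstream signature (TODO: record source URL)`. A smaller point: `tomcat_web_xml_schema_version: 3.1` is loaded as a float; quoting it as `'3.1'` keeps it a string, which is what a schema version is, and avoids surprises if a value such as `3.10` ever appears.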
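Review bot: `become: true` makes the listing run as root, which works around conf/ being unreadable but also hides whether the tomcat service account can read those files; if anything later in the role reads them as that account it will fail where this task succeeds, and the task's module line lies outside the hunk so I cannot see what is actually listed. If a root-only conf/ under CATALINA_HOME is the intended state, a comment above the new line would stop the next reader from "fixing" it, e.g. `# CATALINA_HOME/conf is unpacked with umask 077 since 8.5; listing it needs root`. Also, `always_run: true` on the following line is deprecated from Ansible 2.2 in favour of `check_mode: false` — worth switching while the task is being touched, if the role targets 2.2 or later.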
@@ -0,0 +1,26 @@
+---
+- name: Register files in Tomcat installation
+ tags: tomcat
+ become: true
+ register: tomcat_registered_files
+ always_run: true
+ changed_when: false
+ when: tomcat_fact_is_not_initial_check_mode
+ shell: ls -1 {{ acl_dir }}/*.jar
+- name: Update installation folder access controls
+ tags: tomcat
+ become: true
+ file:
+ state: directory
+ dest: '{{ acl_dir }}'
+ mode: 'o=rx'
+- name: Update installation files access controls
+ tags: tomcat
+ become: true
+ with_items: '{{ (tomcat_registered_files|default({})).stdout_lines|default([]) }}'
+ file:
+ state: file
+ mode: 'o=r'
+ dest: '{{ item }}'
diff --git a/tasks/main.yml b/tasks/main.yml
index 55492ba..055f7a8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -119,6 +119,22 @@
 args:
 creates: "{{ tomcat_env_catalina_home }}/lib"
+# Tomcat 8.5 is packaged with umask 027 which breaks current paradigm
+# to keep CATALINA_HOME and CATALINA_BASE files separated.
+# Identify all jars in bin/ and lib/ directory and make them accessable
+# to the tomcat service user(s).
+- name: Include file system access controls for tomcat >= 8.5
+ tags: tomcat
+ when:
+ - '{{ tomcat_version|version_compare("8.5", ">=") }}'
+ - '{{ tomcat_fact_is_not_initial_check_mode }}'
+ with_items:
+ - '{{ tomcat_env_catalina_home }}/bin'
+ - '{{ tomcat_env_catalina_home }}/lib'
+ loop_control:
+ loop_var: acl_dir
+ include: 8.5-acls.yml
+
 - name: Install instance directories
 tags: tomcat
From a2c2db5cf52354d24c5afdba42d208a43ce19488 Mon Sep 17 00:00:00 2001
From: Mark Kusch
Date: Tue, 1 Nov 2016 16:09:35 +0100
Subject: [PATCH 4/6] Non-systemd services call catalina.sh
Signed-off-by: Mark Kusch
---
 tasks/8.5-acls.yml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tasks/8.5-acls.yml b/tasks/8.5-acls.yml
index 9b1de08..474419e 100644
--- a/tasks/8.5-acls.yml
+++ b/tasks/8.5-acls.yml
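Review bot: The two `file` tasks grant access to "other" (`mode: 'o=rx'` on the directory, `'o=r'` on every jar), i.e. to every account on the host, while the file is named after ACLs and the calling comment talks about the tomcat service user(s); least privilege would be a group grant (`group:` set to the service group plus `g=rx` / `g=r`) or an `acl` module entry for that user, and which of the two fits depends on how the role creates the service account, which is not visible here. Separately, `shell: ls -1 {{ acl_dir }}/*.jar` parses `ls` output through a shell and fails the play with a non-zero exit when the directory holds no jar, because no `failed_when` is set; the `find` module returns the same list without a shell, supports check mode (which may make the `always_run` / `tomcat_fact_is_not_initial_check_mode` workaround unnecessary — to be confirmed), and yields an empty list instead of an error. The rewrite below keeps the world-readable mode so it is a drop-in replacement; tightening to a group grant is a separate decision.
```yaml
- name: Register files in Tomcat installation
  # … unchanged: tags / become / register / always_run / changed_when / when …
  find:
    paths: '{{ acl_dir }}'
    patterns: '*.jar'

# … unchanged: directory mode task …

- name: Update installation files access controls
  tags: tomcat
  become: true
  with_items: '{{ (tomcat_registered_files|default({})).files|default([]) }}'
  file:
    state: file
    mode: 'o=r'
    dest: '{{ item.path }}'
```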
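Review bot: Both `when:` entries wrap the condition in `'{{ ... }}'`, which Ansible already evaluates as a Jinja expression; newer releases warn about templating delimiters in conditionals, and the bare forms `tomcat_version|version_compare("8.5", ">=")` and `tomcat_fact_is_not_initial_check_mode` read the same and avoid the warning. The new comment says the 8.5 package is built with umask 027, while the previous commit in this series says umask 077 for CATALINA_HOME/conf; either one of them is wrong or they describe different directories, and the comment should say which, because the mode the included tasks restore depends on it. A one-line note that the included file only touches bin/ and lib/ (the two loop items) would also make the scope clear to a reader who does not open it.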
@@ -1,5 +1,5 @@
 ---
-- name: Register files in Tomcat installation
+- name: Register libraries in Tomcat installation
 tags: tomcat
 become: true
 register: tomcat_registered_files
@@ -16,7 +16,7 @@
 dest: '{{ acl_dir }}'
 mode: 'o=rx'
-- name: Update installation files access controls
+- name: Update installation libraries access controls
 tags: tomcat
 become: true
 with_items: '{{ (tomcat_registered_files|default({})).stdout_lines|default([]) }}'
@@ -24,3 +24,15 @@
 state: file
 mode: 'o=r'
 dest: '{{ item }}'
+
+- name: Update installation executables access controls
+ tags: tomcat
+ become: true
+ when: '{{ ansible_local.util.init.system != "systemd" }}'
+ with_items:
+ - catalina.sh
+ - setclasspath.sh
+ file:
+ state: file
+ mode: 'o=rx'
+ dest: '{{ tomcat_env_catalina_home }}/bin/{{ item }}'
From f473a61f91686e1ad62f8a95813c0df13db7daeb Mon Sep 17 00:00:00 2001
From: Mark Kusch
Date: Tue, 1 Nov 2016 16:11:41 +0100
Subject: [PATCH 5/6] Fix typo in tasks documentation
Signed-off-by: Mark Kusch
---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 055f7a8..4a89a7e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -121,7 +121,7 @@
 # Tomcat 8.5 is packaged with umask 027 which breaks current paradigm
 # to keep CATALINA_HOME and CATALINA_BASE files separated.
-# Identify all jars in bin/ and lib/ directory and make them accessable
+# Identify all jars in bin/ and lib/ directory and make them accessible
 # to the tomcat service user(s).
 - name: Include file system access controls for tomcat >= 8.5
 tags: tomcat
From b976ac3aa3b22269fbe4b97787de8e9577c2cc6a Mon Sep 17 00:00:00 2001
From: Mark Kusch
Date: Tue, 1 Nov 2016 16:57:24 +0100
Subject: [PATCH 6/6] With systemd on tomcat >= 8.5 we add custom protocol handlers based on the default when running tomcat with catalina.sh
Signed-off-by: Mark Kusch
---
 templates/service_systemd.j2 | 6 ++++++
 1 file changed, 6 insertions(+)
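Review bot: `when: '{{ ansible_local.util.init.system != "systemd" }}'` in the new executables task dereferences a custom local fact with no guard, so on a host where that fact file is missing the task aborts with an undefined-variable error instead of being skipped; it also has the same templating-delimiter issue as the include in tasks/main.yml. Either guard it, `when: ansible_local.util.init.system is defined and ansible_local.util.init.system != 'systemd'`, or compare against the built-in `ansible_service_mgr` if the role's minimum Ansible version provides it. As with the jar task above, `mode: 'o=rx'` makes the two scripts executable for every account rather than for the service account; if that is the accepted trade-off a comment saying so, e.g. `# world-executable on purpose: the init script runs catalina.sh as the service user`, would keep it from being tightened by accident.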
diff --git a/templates/service_systemd.j2 b/templates/service_systemd.j2
index 35665a6..3433620 100644
--- a/templates/service_systemd.j2
+++ b/templates/service_systemd.j2
@@ -43,6 +43,9 @@ ExecStart={{ ansible_local.java.general.java_home }}/bin/java \
 {% endif %}
 {% if item.prefer_ipv4|default(tomcat_default_prefer_ipv4) %}
 -Djava.net.preferIPv4Stack=true \
+{% endif %}
+{% if tomcat_version|version_compare('8.5', '>=') %}
+ -Djava.protocol.handler.pkgs=org.apache.catalina.webresources \
 {% endif %}
 -classpath "{{ tomcat_env_catalina_home }}/bin/bootstrap.jar:{{ tomcat_env_catalina_home }}/bin/tomcat-juli.jar" \
 org.apache.catalina.startup.Bootstrap start
@@ -71,6 +74,9 @@ ExecStop={{ ansible_local.java.general.java_home }}/bin/java \
 {% endif %}
 {% if item.prefer_ipv4|default(tomcat_default_prefer_ipv4) %}
 -Djava.net.preferIPv4Stack=true \
+{% endif %}
+{% if tomcat_version|version_compare('8.5', '>=') %}
+ -Djava.protocol.handler.pkgs=org.apache.catalina.webresources \
 {% endif %}
 -classpath "{{ tomcat_env_catalina_home }}/bin/bootstrap.jar:{{ tomcat_env_catalina_home }}/bin/tomcat-juli.jar" \
 org.apache.catalina.startup.Bootstrap stop
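Review bot: The new `-Djava.protocol.handler.pkgs=org.apache.catalina.webresources` block is pasted identically into ExecStart here and into ExecStop in the second hunk, so the two can drift apart silently the next time one of them is edited; computing the option once with a `{% set %}` at the top of the template, guarded by the same `version_compare('8.5', '>=')` check, and emitting that variable in both places keeps them in step. The `{% if %}` also deserves a Jinja comment explaining why it exists, because nothing in the unit file says so: `{# mirrors the protocol handler catalina.sh registers for Tomcat >= 8.5; see commit message #}`. That catalina.sh sets the same property is taken from the commit message, not from anything visible in this hunk.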