mirror of
https://github.com/samba-team/samba.git
synced 2025-01-10 01:18:15 +03:00
1a137a2f20
The previous patch introduced merging of duplicates on the mapping path from NFS4 ACL entries to DACL entries. Add a testcase to verify the expected behavior of this codepath. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
1899 lines
56 KiB
C
1899 lines
56 KiB
C
/*
|
|
* Unix SMB/CIFS implementation.
|
|
*
|
|
* Unit test for NFS4 ACL handling
|
|
*
|
|
* Copyright (C) Christof Schmitt 2019
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "nfs4_acls.c"
|
|
#include "librpc/gen_ndr/idmap.h"
|
|
#include "idmap_cache.h"
|
|
#include <cmocka.h>
|
|
|
|
struct test_sids {
|
|
const char *sid_str;
|
|
struct unixid unix_id;
|
|
} test_sids[] = {
|
|
{ "S-1-5-2-123-456-789-100", { 1000, ID_TYPE_UID }},
|
|
{ "S-1-5-2-123-456-789-101", { 1001, ID_TYPE_GID }},
|
|
{ "S-1-5-2-123-456-789-102", { 1002, ID_TYPE_BOTH }},
|
|
{ SID_CREATOR_OWNER, { 1003, ID_TYPE_UID }},
|
|
{ SID_CREATOR_GROUP, { 1004, ID_TYPE_GID }},
|
|
{ "S-1-5-2-123-456-789-103", { 1000, ID_TYPE_GID }},
|
|
{ "S-1-5-2-123-456-789-104", { 1005, ID_TYPE_BOTH }},
|
|
{ "S-1-5-2-123-456-789-105", { 1006, ID_TYPE_BOTH }},
|
|
{ "S-1-5-2-123-456-789-106", { 1007, ID_TYPE_BOTH }},
|
|
};
|
|
|
|
static int group_setup(void **state)
|
|
{
|
|
struct dom_sid *sids = NULL;
|
|
int i;
|
|
|
|
sids = talloc_array(NULL, struct dom_sid, ARRAY_SIZE(test_sids));
|
|
assert_non_null(sids);
|
|
|
|
for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
|
|
assert_true(dom_sid_parse(test_sids[i].sid_str, &sids[i]));
|
|
idmap_cache_set_sid2unixid(&sids[i], &test_sids[i].unix_id);
|
|
}
|
|
|
|
*state = sids;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
static int group_teardown(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
|
|
assert_true(idmap_cache_del_sid(&sids[i]));
|
|
}
|
|
|
|
TALLOC_FREE(sids);
|
|
*state = NULL;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Run this as first test to verify that the id mappings used by other
|
|
* tests are available in the cache.
|
|
*/
|
|
static void test_cached_id_mappings(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
|
|
struct dom_sid *sid = &sids[i];
|
|
struct unixid *unix_id = &test_sids[i].unix_id;
|
|
uid_t uid;
|
|
gid_t gid;
|
|
|
|
switch(unix_id->type) {
|
|
case ID_TYPE_UID:
|
|
assert_true(sid_to_uid(sid, &uid));
|
|
assert_int_equal(uid, unix_id->id);
|
|
assert_false(sid_to_gid(sid, &gid));
|
|
break;
|
|
case ID_TYPE_GID:
|
|
assert_false(sid_to_uid(sid, &uid));
|
|
assert_true(sid_to_gid(sid, &gid));
|
|
assert_int_equal(gid, unix_id->id);
|
|
break;
|
|
case ID_TYPE_BOTH:
|
|
assert_true(sid_to_uid(sid, &uid));
|
|
assert_int_equal(uid, unix_id->id);
|
|
assert_true(sid_to_gid(sid, &gid));
|
|
assert_int_equal(gid, unix_id->id);
|
|
break;
|
|
default:
|
|
fail_msg("Unknown id type %d\n", unix_id->type);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
static void test_empty_nfs4_to_dacl(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[0], &sids[1], false,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 0);
|
|
assert_null(dacl_aces);
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
static void test_empty_dacl_to_nfs4(void **state)
|
|
{
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS, 0, NULL);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms, 1001, 1002);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 0);
|
|
assert_null(smb_first_ace4(nfs4_acl));
|
|
}
|
|
|
|
struct ace_dacl_type_mapping {
|
|
uint32_t nfs4_type;
|
|
enum security_ace_type dacl_type;
|
|
} ace_dacl_type_mapping[] = {
|
|
{ SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_ALLOWED },
|
|
{ SMB_ACE4_ACCESS_DENIED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_DENIED },
|
|
};
|
|
|
|
static void test_acl_type_nfs4_to_dacl(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.uid = 1000,
|
|
.aceType = ace_dacl_type_mapping[i].nfs4_type,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_READ_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[2], &sids[3], false,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 1);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type,
|
|
ace_dacl_type_mapping[i].dacl_type);
|
|
assert_int_equal(dacl_aces[0].flags, 0);
|
|
assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
static void test_acl_type_dacl_to_nfs4(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct security_ace dacl_aces[1];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
init_sec_ace(&dacl_aces[0], &sids[0],
|
|
ace_dacl_type_mapping[i].dacl_type,
|
|
SEC_FILE_READ_DATA, 0);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms,
|
|
101, 102);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 1);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags, 0);
|
|
assert_int_equal(nfs4_ace->aceType,
|
|
ace_dacl_type_mapping[i].nfs4_type);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct ace_flag_mapping_nfs4_to_dacl {
|
|
bool is_directory;
|
|
uint32_t nfs4_flag;
|
|
uint32_t dacl_flag;
|
|
} ace_flags_nfs4_to_dacl[] = {
|
|
{ true, SMB_ACE4_FILE_INHERIT_ACE,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT },
|
|
{ false, SMB_ACE4_FILE_INHERIT_ACE,
|
|
0 },
|
|
{ true, SMB_ACE4_DIRECTORY_INHERIT_ACE,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT },
|
|
{ false, SMB_ACE4_DIRECTORY_INHERIT_ACE,
|
|
0 },
|
|
{ true, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
|
|
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
|
|
{ false, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
|
|
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
|
|
{ true, SMB_ACE4_INHERIT_ONLY_ACE,
|
|
SEC_ACE_FLAG_INHERIT_ONLY },
|
|
{ false, SMB_ACE4_INHERIT_ONLY_ACE,
|
|
SEC_ACE_FLAG_INHERIT_ONLY },
|
|
{ true, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
|
|
0 },
|
|
{ false, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
|
|
0 },
|
|
{ true, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
|
|
0 },
|
|
{ false, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
|
|
0 },
|
|
{ true, SMB_ACE4_INHERITED_ACE,
|
|
SEC_ACE_FLAG_INHERITED_ACE },
|
|
{ false, SMB_ACE4_INHERITED_ACE,
|
|
SEC_ACE_FLAG_INHERITED_ACE },
|
|
};
|
|
|
|
static void test_ace_flags_nfs4_to_dacl(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(ace_flags_nfs4_to_dacl); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
bool is_directory;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.uid = 1000,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = ace_flags_nfs4_to_dacl[i].nfs4_flag,
|
|
.aceMask = SMB_ACE4_READ_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
is_directory = ace_flags_nfs4_to_dacl[i].is_directory;
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[2], &sids[3], is_directory,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 1);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags,
|
|
ace_flags_nfs4_to_dacl[i].dacl_flag);
|
|
assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct ace_flag_mapping_dacl_to_nfs4 {
|
|
bool is_directory;
|
|
uint32_t dacl_flag;
|
|
uint32_t nfs4_flag;
|
|
} ace_flags_dacl_to_nfs4[] = {
|
|
{ true, SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
SMB_ACE4_FILE_INHERIT_ACE },
|
|
{ false, SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
0 },
|
|
{ true, SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|
SMB_ACE4_DIRECTORY_INHERIT_ACE },
|
|
{ false, SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|
0 },
|
|
{ true, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
|
|
SMB_ACE4_NO_PROPAGATE_INHERIT_ACE },
|
|
{ false, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
|
|
0 },
|
|
{ true, SEC_ACE_FLAG_INHERIT_ONLY,
|
|
SMB_ACE4_INHERIT_ONLY_ACE },
|
|
{ false, SEC_ACE_FLAG_INHERIT_ONLY,
|
|
0 },
|
|
{ true, SEC_ACE_FLAG_INHERITED_ACE,
|
|
SMB_ACE4_INHERITED_ACE },
|
|
{ false, SEC_ACE_FLAG_INHERITED_ACE,
|
|
SMB_ACE4_INHERITED_ACE },
|
|
{ true, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
|
|
0 },
|
|
{ false, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
|
|
0 },
|
|
{ true, SEC_ACE_FLAG_FAILED_ACCESS,
|
|
0 },
|
|
{ false, SEC_ACE_FLAG_FAILED_ACCESS,
|
|
0 },
|
|
};
|
|
|
|
static void test_ace_flags_dacl_to_nfs4(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(ace_flags_dacl_to_nfs4); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
bool is_directory;
|
|
struct security_ace dacl_aces[1];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
init_sec_ace(&dacl_aces[0], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
ace_flags_dacl_to_nfs4[i].dacl_flag);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
is_directory = ace_flags_dacl_to_nfs4[i].is_directory;
|
|
nfs4_acl = smbacl4_win2nfs4(frame, is_directory, dacl, ¶ms,
|
|
101, 102);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 1);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
ace_flags_dacl_to_nfs4[i].nfs4_flag);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct ace_perm_mapping {
|
|
uint32_t nfs4_perm;
|
|
uint32_t dacl_perm;
|
|
} perm_table_nfs4_to_dacl[] = {
|
|
{ SMB_ACE4_READ_DATA, SEC_FILE_READ_DATA },
|
|
{ SMB_ACE4_LIST_DIRECTORY, SEC_DIR_LIST },
|
|
{ SMB_ACE4_WRITE_DATA, SEC_FILE_WRITE_DATA },
|
|
{ SMB_ACE4_ADD_FILE, SEC_DIR_ADD_FILE },
|
|
{ SMB_ACE4_APPEND_DATA, SEC_FILE_APPEND_DATA },
|
|
{ SMB_ACE4_ADD_SUBDIRECTORY, SEC_DIR_ADD_SUBDIR, },
|
|
{ SMB_ACE4_READ_NAMED_ATTRS, SEC_FILE_READ_EA },
|
|
{ SMB_ACE4_READ_NAMED_ATTRS, SEC_DIR_READ_EA },
|
|
{ SMB_ACE4_WRITE_NAMED_ATTRS, SEC_FILE_WRITE_EA },
|
|
{ SMB_ACE4_WRITE_NAMED_ATTRS, SEC_DIR_WRITE_EA },
|
|
{ SMB_ACE4_EXECUTE, SEC_FILE_EXECUTE },
|
|
{ SMB_ACE4_EXECUTE, SEC_DIR_TRAVERSE },
|
|
{ SMB_ACE4_DELETE_CHILD, SEC_DIR_DELETE_CHILD },
|
|
{ SMB_ACE4_READ_ATTRIBUTES, SEC_FILE_READ_ATTRIBUTE },
|
|
{ SMB_ACE4_READ_ATTRIBUTES, SEC_DIR_READ_ATTRIBUTE },
|
|
{ SMB_ACE4_WRITE_ATTRIBUTES, SEC_FILE_WRITE_ATTRIBUTE },
|
|
{ SMB_ACE4_WRITE_ATTRIBUTES, SEC_DIR_WRITE_ATTRIBUTE },
|
|
{ SMB_ACE4_DELETE, SEC_STD_DELETE },
|
|
{ SMB_ACE4_READ_ACL, SEC_STD_READ_CONTROL },
|
|
{ SMB_ACE4_WRITE_ACL, SEC_STD_WRITE_DAC, },
|
|
{ SMB_ACE4_WRITE_OWNER, SEC_STD_WRITE_OWNER },
|
|
{ SMB_ACE4_SYNCHRONIZE, SEC_STD_SYNCHRONIZE },
|
|
};
|
|
|
|
static void test_nfs4_permissions_to_dacl(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.uid = 1000,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = perm_table_nfs4_to_dacl[i].nfs4_perm,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[0], &sids[1], false,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 1);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags, 0);
|
|
assert_int_equal(dacl_aces[0].access_mask,
|
|
perm_table_nfs4_to_dacl[i].dacl_perm);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct ace_perm_mapping_dacl_to_nfs4 {
|
|
uint32_t dacl_perm;
|
|
uint32_t nfs4_perm;
|
|
} perm_table_dacl_to_nfs4[] = {
|
|
{ SEC_FILE_READ_DATA, SMB_ACE4_READ_DATA, },
|
|
{ SEC_DIR_LIST, SMB_ACE4_LIST_DIRECTORY, },
|
|
{ SEC_FILE_WRITE_DATA, SMB_ACE4_WRITE_DATA, },
|
|
{ SEC_DIR_ADD_FILE, SMB_ACE4_ADD_FILE, },
|
|
{ SEC_FILE_APPEND_DATA, SMB_ACE4_APPEND_DATA, },
|
|
{ SEC_DIR_ADD_SUBDIR, SMB_ACE4_ADD_SUBDIRECTORY, },
|
|
{ SEC_FILE_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
|
|
{ SEC_DIR_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
|
|
{ SEC_FILE_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
|
|
{ SEC_DIR_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
|
|
{ SEC_FILE_EXECUTE, SMB_ACE4_EXECUTE, },
|
|
{ SEC_DIR_TRAVERSE, SMB_ACE4_EXECUTE, },
|
|
{ SEC_DIR_DELETE_CHILD, SMB_ACE4_DELETE_CHILD, },
|
|
{ SEC_FILE_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
|
|
{ SEC_DIR_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
|
|
{ SEC_FILE_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
|
|
{ SEC_DIR_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
|
|
{ SEC_STD_DELETE, SMB_ACE4_DELETE, },
|
|
{ SEC_STD_READ_CONTROL, SMB_ACE4_READ_ACL, },
|
|
{ SEC_STD_WRITE_DAC, SMB_ACE4_WRITE_ACL, },
|
|
{ SEC_STD_WRITE_OWNER, SMB_ACE4_WRITE_OWNER, },
|
|
{ SEC_STD_SYNCHRONIZE, SMB_ACE4_SYNCHRONIZE, },
|
|
{ SEC_GENERIC_READ, SMB_ACE4_READ_ACL|
|
|
SMB_ACE4_READ_DATA|
|
|
SMB_ACE4_READ_ATTRIBUTES|
|
|
SMB_ACE4_READ_NAMED_ATTRS|
|
|
SMB_ACE4_SYNCHRONIZE },
|
|
{ SEC_GENERIC_WRITE, SMB_ACE4_WRITE_ACL|
|
|
SMB_ACE4_WRITE_DATA|
|
|
SMB_ACE4_WRITE_ATTRIBUTES|
|
|
SMB_ACE4_WRITE_NAMED_ATTRS|
|
|
SMB_ACE4_SYNCHRONIZE },
|
|
{ SEC_GENERIC_EXECUTE, SMB_ACE4_READ_ACL|
|
|
SMB_ACE4_READ_ATTRIBUTES|
|
|
SMB_ACE4_EXECUTE|
|
|
SMB_ACE4_SYNCHRONIZE },
|
|
{ SEC_GENERIC_ALL, SMB_ACE4_DELETE|
|
|
SMB_ACE4_READ_ACL|
|
|
SMB_ACE4_WRITE_ACL|
|
|
SMB_ACE4_WRITE_OWNER|
|
|
SMB_ACE4_SYNCHRONIZE|
|
|
SMB_ACE4_WRITE_ATTRIBUTES|
|
|
SMB_ACE4_READ_ATTRIBUTES|
|
|
SMB_ACE4_EXECUTE|
|
|
SMB_ACE4_READ_NAMED_ATTRS|
|
|
SMB_ACE4_WRITE_NAMED_ATTRS|
|
|
SMB_ACE4_WRITE_DATA|
|
|
SMB_ACE4_APPEND_DATA|
|
|
SMB_ACE4_READ_DATA|
|
|
SMB_ACE4_DELETE_CHILD },
|
|
};
|
|
|
|
static void test_dacl_permissions_to_nfs4(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
struct security_ace dacl_aces[1];
|
|
struct security_acl *dacl;
|
|
|
|
init_sec_ace(&dacl_aces[0], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED,
|
|
perm_table_dacl_to_nfs4[i].dacl_perm, 0);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms,
|
|
101, 102);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 1);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags, 0);
|
|
assert_int_equal(nfs4_ace->aceMask,
|
|
perm_table_dacl_to_nfs4[i].nfs4_perm);
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
/*
|
|
* Create NFS4 ACL with all possible "special" entries. Verify that
|
|
* the ones that should be mapped to a DACL are mapped and the other
|
|
* ones are ignored.
|
|
*/
|
|
static void test_special_nfs4_to_dacl(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_OWNER,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_READ_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_GROUP,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_WRITE_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_EVERYONE,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_APPEND_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_INTERACTIVE,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_READ_NAMED_ATTRS,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_NETWORK,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_WRITE_NAMED_ATTRS,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_DIALUP,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_EXECUTE,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_BATCH,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_READ_ATTRIBUTES,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_ANONYMOUS,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_WRITE_ATTRIBUTES,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_AUTHENTICATED,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_READ_ACL,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_SERVICE,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = SMB_ACE4_WRITE_ACL,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[0], &sids[1], false,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 3);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags, 0);
|
|
assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
|
|
|
|
assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[1].flags, 0);
|
|
assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
|
|
|
|
assert_int_equal(dacl_aces[2].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[2].flags, 0);
|
|
assert_int_equal(dacl_aces[2].access_mask, SEC_FILE_APPEND_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[2].trustee, &global_sid_World));
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
static void test_dacl_to_special_nfs4(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct security_ace dacl_aces[6];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_dontcare,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
/*
|
|
* global_Sid_World is mapped to EVERYONE.
|
|
*/
|
|
init_sec_ace(&dacl_aces[0], &global_sid_World,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, 0);
|
|
/*
|
|
* global_sid_Unix_NFS is ignored.
|
|
*/
|
|
init_sec_ace(&dacl_aces[1], &global_sid_Unix_NFS,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA, 0);
|
|
/*
|
|
* Anything that maps to owner or owning group with inheritance flags
|
|
* is NOT mapped to special owner or special group.
|
|
*/
|
|
init_sec_ace(&dacl_aces[2], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
init_sec_ace(&dacl_aces[3], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
|
|
init_sec_ace(&dacl_aces[4], &sids[1],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
init_sec_ace(&dacl_aces[5], &sids[1],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms, 1000, 1001);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 5);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
|
|
assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_EVERYONE);
|
|
assert_int_equal(nfs4_ace->aceFlags, 0);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->who.gid, 1001);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE);
|
|
assert_int_equal(nfs4_ace->who.gid, 1001);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct creator_ace_flags {
|
|
uint32_t dacl_flags;
|
|
uint32_t nfs4_flags;
|
|
} creator_ace_flags[] = {
|
|
{ 0, 0 },
|
|
|
|
{ SEC_ACE_FLAG_INHERIT_ONLY, 0 },
|
|
|
|
{ SEC_ACE_FLAG_CONTAINER_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE },
|
|
|
|
{ SEC_ACE_FLAG_CONTAINER_INHERIT|
|
|
SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE },
|
|
|
|
{ SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_FILE_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE },
|
|
{ SEC_ACE_FLAG_OBJECT_INHERIT|
|
|
SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_FILE_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE },
|
|
|
|
{ SEC_ACE_FLAG_CONTAINER_INHERIT|
|
|
SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_FILE_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE },
|
|
|
|
{ SEC_ACE_FLAG_CONTAINER_INHERIT|
|
|
SEC_ACE_FLAG_OBJECT_INHERIT|
|
|
SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_FILE_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE },
|
|
};
|
|
|
|
static void test_dacl_creator_to_nfs4(void **state)
|
|
{
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(creator_ace_flags); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct security_ace dacl_aces[2];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
creator_ace_flags[i].dacl_flags);
|
|
init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
creator_ace_flags[i].dacl_flags);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
|
|
101, 102);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
|
|
if (creator_ace_flags[i].nfs4_flags == 0) {
|
|
/*
|
|
* CREATOR OWNER and CREATOR GROUP not mapped
|
|
* in thise case.
|
|
*/
|
|
assert_null(smb_first_ace4(nfs4_acl));
|
|
} else {
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 2);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace);
|
|
assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
|
|
assert_int_equal(nfs4_ace->who.special_id,
|
|
SMB_ACE4_WHO_OWNER);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
creator_ace_flags[i].nfs4_flags);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace);
|
|
assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
|
|
assert_int_equal(nfs4_ace->who.special_id,
|
|
SMB_ACE4_WHO_GROUP);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
creator_ace_flags[i].nfs4_flags);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct creator_owner_nfs4_to_dacl {
|
|
uint32_t special_id;
|
|
uint32_t nfs4_ace_flags;
|
|
uint32_t dacl_ace_flags;
|
|
} creator_owner_nfs4_to_dacl[] = {
|
|
{ SMB_ACE4_WHO_OWNER,
|
|
SMB_ACE4_FILE_INHERIT_ACE,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
|
|
{ SMB_ACE4_WHO_OWNER,
|
|
SMB_ACE4_DIRECTORY_INHERIT_ACE,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
|
|
{ SMB_ACE4_WHO_OWNER,
|
|
SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
|
|
SEC_ACE_FLAG_INHERIT_ONLY },
|
|
{ SMB_ACE4_WHO_GROUP,
|
|
SMB_ACE4_FILE_INHERIT_ACE,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
|
|
{ SMB_ACE4_WHO_GROUP,
|
|
SMB_ACE4_DIRECTORY_INHERIT_ACE,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
|
|
{ SMB_ACE4_WHO_GROUP,
|
|
SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
|
|
SEC_ACE_FLAG_INHERIT_ONLY },
|
|
};
|
|
|
|
static void test_nfs4_to_dacl_creator(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(creator_owner_nfs4_to_dacl); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
struct security_ace *dacl_aces, *creator_dacl_ace;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id
|
|
= creator_owner_nfs4_to_dacl[i].special_id,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags
|
|
= creator_owner_nfs4_to_dacl[i].nfs4_ace_flags,
|
|
.aceMask = SMB_ACE4_READ_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[0], &sids[1], true,
|
|
&dacl_aces, &good_aces));
|
|
assert_non_null(dacl_aces);
|
|
|
|
if (creator_owner_nfs4_to_dacl[i].nfs4_ace_flags &
|
|
SMB_ACE4_INHERIT_ONLY_ACE) {
|
|
/*
|
|
* Only one ACE entry for the CREATOR ACE entry.
|
|
*/
|
|
assert_int_equal(good_aces, 1);
|
|
creator_dacl_ace = &dacl_aces[0];
|
|
} else {
|
|
/*
|
|
* This creates an additional ACE entry for
|
|
* the permissions on the current object.
|
|
*/
|
|
assert_int_equal(good_aces, 2);
|
|
|
|
assert_int_equal(dacl_aces[0].type,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags, 0);
|
|
assert_int_equal(dacl_aces[0].access_mask,
|
|
SEC_FILE_READ_DATA);
|
|
|
|
if (creator_owner_nfs4_to_dacl[i].special_id ==
|
|
SMB_ACE4_WHO_OWNER) {
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee,
|
|
&sids[0]));
|
|
}
|
|
|
|
if (creator_owner_nfs4_to_dacl[i].special_id ==
|
|
SMB_ACE4_WHO_GROUP) {
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee,
|
|
&sids[1]));
|
|
}
|
|
|
|
creator_dacl_ace = &dacl_aces[1];
|
|
}
|
|
|
|
assert_int_equal(creator_dacl_ace->type,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(creator_dacl_ace->flags,
|
|
creator_owner_nfs4_to_dacl[i].dacl_ace_flags);
|
|
assert_int_equal(creator_dacl_ace->access_mask,
|
|
SEC_FILE_READ_DATA);
|
|
if (creator_owner_nfs4_to_dacl[i].special_id ==
|
|
SMB_ACE4_WHO_OWNER) {
|
|
assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
|
|
&global_sid_Creator_Owner));
|
|
}
|
|
|
|
if (creator_owner_nfs4_to_dacl[i].special_id ==
|
|
SMB_ACE4_WHO_GROUP) {
|
|
assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
|
|
&global_sid_Creator_Group));
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct nfs4_to_dacl_map_full_control{
|
|
bool is_dir;
|
|
bool config;
|
|
bool delete_child_added;
|
|
} nfs4_to_dacl_full_control[] = {
|
|
{ true, true, false },
|
|
{ true, false, false },
|
|
{ false, true, true },
|
|
{ false, false, false },
|
|
};
|
|
|
|
static void test_full_control_nfs4_to_dacl(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(nfs4_to_dacl_full_control); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = nfs4_to_dacl_full_control[i].config,
|
|
};
|
|
const uint32_t nfs4_ace_mask_except_deletes =
|
|
SMB_ACE4_READ_DATA|SMB_ACE4_WRITE_DATA|
|
|
SMB_ACE4_APPEND_DATA|SMB_ACE4_READ_NAMED_ATTRS|
|
|
SMB_ACE4_WRITE_NAMED_ATTRS|SMB_ACE4_EXECUTE|
|
|
SMB_ACE4_READ_ATTRIBUTES|SMB_ACE4_WRITE_ATTRIBUTES|
|
|
SMB_ACE4_READ_ACL|SMB_ACE4_WRITE_ACL|
|
|
SMB_ACE4_WRITE_OWNER|SMB_ACE4_SYNCHRONIZE;
|
|
const uint32_t dacl_ace_mask_except_deletes =
|
|
SEC_FILE_READ_DATA|SEC_FILE_WRITE_DATA|
|
|
SEC_FILE_APPEND_DATA|SEC_FILE_READ_EA|
|
|
SEC_FILE_WRITE_EA|SEC_FILE_EXECUTE|
|
|
SEC_FILE_READ_ATTRIBUTE|SEC_FILE_WRITE_ATTRIBUTE|
|
|
SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|
|
|
SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE;
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.uid = 1000,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = 0,
|
|
.aceMask = nfs4_ace_mask_except_deletes,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(
|
|
smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[0], &sids[1],
|
|
nfs4_to_dacl_full_control[i].is_dir,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 1);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags, 0);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
|
|
if (nfs4_to_dacl_full_control[i].delete_child_added) {
|
|
assert_int_equal(dacl_aces[0].access_mask,
|
|
dacl_ace_mask_except_deletes|
|
|
SEC_DIR_DELETE_CHILD);
|
|
} else {
|
|
assert_int_equal(dacl_aces[0].access_mask,
|
|
dacl_ace_mask_except_deletes);
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct acedup_settings {
|
|
enum smbacl4_acedup_enum setting;
|
|
} acedup_settings[] = {
|
|
{ e_dontcare },
|
|
{ e_reject },
|
|
{ e_ignore },
|
|
{ e_merge },
|
|
};
|
|
|
|
static void test_dacl_to_nfs4_acedup_settings(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(acedup_settings); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct security_ace dacl_aces[2];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = acedup_settings[i].setting,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
init_sec_ace(&dacl_aces[0], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
init_sec_ace(&dacl_aces[1], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
|
|
101, 102);
|
|
|
|
switch(params.acedup) {
|
|
case e_dontcare:
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 2);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask,
|
|
SMB_ACE4_WRITE_DATA);
|
|
break;
|
|
|
|
case e_reject:
|
|
assert_null(nfs4_acl);
|
|
assert_int_equal(errno, EINVAL);
|
|
break;
|
|
|
|
case e_ignore:
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 1);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
break;
|
|
|
|
case e_merge:
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 1);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask,
|
|
SMB_ACE4_READ_DATA|
|
|
SMB_ACE4_WRITE_DATA);
|
|
break;
|
|
|
|
default:
|
|
fail_msg("Unexpected value for acedup: %d\n",
|
|
params.acedup);
|
|
};
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct acedup_match {
|
|
int sid_idx1;
|
|
enum security_ace_type type1;
|
|
uint32_t ace_mask1;
|
|
uint8_t flag1;
|
|
int sid_idx2;
|
|
enum security_ace_type type2;
|
|
uint32_t ace_mask2;
|
|
uint8_t flag2;
|
|
bool match;
|
|
} acedup_match[] = {
|
|
{ 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
true },
|
|
{ 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
1, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
false },
|
|
{ 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
0, SEC_ACE_TYPE_ACCESS_DENIED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
false },
|
|
{ 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
true },
|
|
{ 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT,
|
|
false },
|
|
{ 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
5, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
false },
|
|
};
|
|
|
|
static void test_dacl_to_nfs4_acedup_match(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(acedup_match); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct security_ace dacl_aces[2];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_ignore,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
init_sec_ace(&dacl_aces[0],
|
|
&sids[acedup_match[i].sid_idx1],
|
|
acedup_match[i].type1,
|
|
acedup_match[i].ace_mask1,
|
|
acedup_match[i].flag1);
|
|
init_sec_ace(&dacl_aces[1],
|
|
&sids[acedup_match[i].sid_idx2],
|
|
acedup_match[i].type2,
|
|
acedup_match[i].ace_mask2,
|
|
acedup_match[i].flag2);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
|
|
101, 102);
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
|
|
if (acedup_match[i].match) {
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 1);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
} else {
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 2);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->who.uid, 1000);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
static void test_dacl_to_nfs4_config_special(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct security_ace dacl_aces[6];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_special,
|
|
.do_chown = true,
|
|
.acedup = e_dontcare,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
/*
|
|
* global_sid_Creator_Owner or global_sid_Special_Group is NOT mapped
|
|
* to SMB_ACE4_ID_SPECIAL.
|
|
*/
|
|
init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT);
|
|
/*
|
|
* Anything that maps to owner or owning group with inheritance flags
|
|
* IS mapped to special owner or special group.
|
|
*/
|
|
init_sec_ace(&dacl_aces[2], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
init_sec_ace(&dacl_aces[3], &sids[0],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
|
|
init_sec_ace(&dacl_aces[4], &sids[1],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
init_sec_ace(&dacl_aces[5], &sids[1],
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
|
|
SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms, 1000, 1001);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl), 6);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->who.uid, 1003);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, 0);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_DIRECTORY_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->who.gid, 1004);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
|
|
assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE);
|
|
assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_FILE_INHERIT_ACE);
|
|
assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
|
|
assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_DIRECTORY_INHERIT_ACE|
|
|
SMB_ACE4_INHERIT_ONLY_ACE);
|
|
assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
assert_null(smb_next_ace4(nfs4_ace_container));
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
static void test_nfs4_to_dacl_config_special(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_special,
|
|
.do_chown = true,
|
|
.acedup = e_dontcare,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
/*
|
|
* In config mode special, this is not mapped to Creator Owner
|
|
*/
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_OWNER,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = SMB_ACE4_FILE_INHERIT_ACE,
|
|
.aceMask = SMB_ACE4_READ_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
/*
|
|
* In config mode special, this is not mapped to Creator Group
|
|
*/
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = SMB_ACE4_ID_SPECIAL,
|
|
.who.special_id = SMB_ACE4_WHO_GROUP,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = SMB_ACE4_DIRECTORY_INHERIT_ACE,
|
|
.aceMask = SMB_ACE4_WRITE_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[0], &sids[1], true,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 2);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_OBJECT_INHERIT);
|
|
assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
|
|
|
|
assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
|
assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct nfs_to_dacl_idmap_both {
|
|
uint32_t nfs4_flags;
|
|
uint32_t nfs4_id;
|
|
struct dom_sid *sid;
|
|
};
|
|
|
|
static void test_nfs4_to_dacl_idmap_type_both(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
struct nfs_to_dacl_idmap_both nfs_to_dacl_idmap_both[] = {
|
|
{ 0, 1002, &sids[2] },
|
|
{ SMB_ACE4_IDENTIFIER_GROUP, 1002, &sids[2] },
|
|
{ 0, 1005, &sids[6] },
|
|
{ SMB_ACE4_IDENTIFIER_GROUP, 1005, &sids[6] },
|
|
};
|
|
|
|
for (i = 0; i < ARRAY_SIZE(nfs_to_dacl_idmap_both); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct security_ace *dacl_aces;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = nfs_to_dacl_idmap_both[i].nfs4_flags,
|
|
.aceMask = SMB_ACE4_READ_DATA,
|
|
};
|
|
|
|
if (nfs_to_dacl_idmap_both[i].nfs4_flags &
|
|
SMB_ACE4_IDENTIFIER_GROUP) {
|
|
nfs4_ace.who.gid = nfs_to_dacl_idmap_both[i].nfs4_id;
|
|
} else {
|
|
nfs4_ace.who.uid = nfs_to_dacl_idmap_both[i].nfs4_id;
|
|
}
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[2], &sids[2],
|
|
false, &dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 1);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags, 0);
|
|
assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee,
|
|
nfs_to_dacl_idmap_both[i].sid));
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
struct dacl_to_nfs4_idmap_both {
|
|
struct dom_sid *sid;
|
|
uint32_t dacl_flags;
|
|
uint32_t nfs4_flags;
|
|
uint32_t nfs4_ace_flags;
|
|
uint32_t nfs4_id;
|
|
int num_nfs4_aces;
|
|
};
|
|
|
|
/*
|
|
* IDMAP_TYPE_BOTH always creates group entries.
|
|
*/
|
|
static void test_dacl_to_nfs4_idmap_type_both(void **state)
|
|
{
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
int i;
|
|
|
|
struct dacl_to_nfs4_idmap_both dacl_to_nfs4_idmap_both[] = {
|
|
{ &sids[2], 0,
|
|
SMB_ACE4_ID_SPECIAL, SMB_ACE4_IDENTIFIER_GROUP, SMB_ACE4_WHO_GROUP,
|
|
2 },
|
|
{ &sids[2], SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1002,
|
|
1 },
|
|
{ &sids[6], 0,
|
|
0, SMB_ACE4_IDENTIFIER_GROUP, 1005,
|
|
1 },
|
|
{ &sids[6], SEC_ACE_FLAG_OBJECT_INHERIT,
|
|
0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1005,
|
|
1 },
|
|
};
|
|
|
|
for (i = 0; i < ARRAY_SIZE(dacl_to_nfs4_idmap_both); i++) {
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
struct SMB4ACE_T *nfs4_ace_container;
|
|
SMB_ACE4PROP_T *nfs4_ace;
|
|
struct security_ace dacl_aces[1];
|
|
struct security_acl *dacl;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_merge,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
init_sec_ace(&dacl_aces[0], dacl_to_nfs4_idmap_both[i].sid,
|
|
SEC_ACE_TYPE_ACCESS_ALLOWED,
|
|
SEC_FILE_READ_DATA,
|
|
dacl_to_nfs4_idmap_both[i].dacl_flags);
|
|
dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
|
|
ARRAY_SIZE(dacl_aces), dacl_aces);
|
|
assert_non_null(dacl);
|
|
|
|
nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
|
|
1002, 1002);
|
|
|
|
assert_non_null(nfs4_acl);
|
|
assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
|
|
SEC_DESC_SELF_RELATIVE);
|
|
assert_int_equal(smb_get_naces(nfs4_acl),
|
|
dacl_to_nfs4_idmap_both[i].num_nfs4_aces);
|
|
|
|
nfs4_ace_container = smb_first_ace4(nfs4_acl);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_flags);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_ace_flags);
|
|
if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
|
|
assert_int_equal(nfs4_ace->who.special_id,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_id);
|
|
} else if (nfs4_ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) {
|
|
assert_int_equal(nfs4_ace->who.gid,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_id);
|
|
} else {
|
|
assert_int_equal(nfs4_ace->who.uid,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_id);
|
|
}
|
|
assert_int_equal(nfs4_ace->aceType,
|
|
SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
|
|
if (dacl_to_nfs4_idmap_both[i].num_nfs4_aces == 2) {
|
|
nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
|
|
assert_non_null(nfs4_ace_container);
|
|
|
|
nfs4_ace = smb_get_ace4(nfs4_ace_container);
|
|
assert_int_equal(nfs4_ace->flags,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_flags);
|
|
assert_int_equal(nfs4_ace->aceFlags,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_ace_flags &
|
|
~SMB_ACE4_IDENTIFIER_GROUP);
|
|
if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
|
|
assert_int_equal(nfs4_ace->who.special_id,
|
|
SMB_ACE4_WHO_OWNER);
|
|
} else {
|
|
assert_int_equal(nfs4_ace->who.uid,
|
|
dacl_to_nfs4_idmap_both[i].nfs4_id);
|
|
}
|
|
assert_int_equal(nfs4_ace->aceType,
|
|
SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
|
|
assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
|
|
}
|
|
}
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
static void test_nfs4_to_dacl_remove_duplicate(void **state)
|
|
{
|
|
|
|
struct dom_sid *sids = *state;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
struct SMB4ACL_T *nfs4_acl;
|
|
SMB_ACE4PROP_T nfs4_ace;
|
|
struct security_ace *dacl_aces;
|
|
int good_aces;
|
|
struct smbacl4_vfs_params params = {
|
|
.mode = e_simple,
|
|
.do_chown = true,
|
|
.acedup = e_dontcare,
|
|
.map_full_control = true,
|
|
};
|
|
|
|
nfs4_acl = smb_create_smb4acl(frame);
|
|
assert_non_null(nfs4_acl);
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.uid = 1002,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = SMB_ACE4_INHERITED_ACE,
|
|
.aceMask = SMB_ACE4_WRITE_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.gid = 1002,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_INHERITED_ACE,
|
|
.aceMask = SMB_ACE4_WRITE_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.gid = 1002,
|
|
.aceType = SMB_ACE4_ACCESS_DENIED_ACE_TYPE,
|
|
.aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_INHERITED_ACE,
|
|
.aceMask = SMB_ACE4_WRITE_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
nfs4_ace = (SMB_ACE4PROP_T) {
|
|
.flags = 0,
|
|
.who.gid = 1002,
|
|
.aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
|
|
.aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
|
|
SMB_ACE4_INHERITED_ACE,
|
|
.aceMask = SMB_ACE4_WRITE_DATA,
|
|
};
|
|
assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
|
|
|
|
assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
|
|
&sids[0], &sids[1], true,
|
|
&dacl_aces, &good_aces));
|
|
|
|
assert_int_equal(good_aces, 2);
|
|
assert_non_null(dacl_aces);
|
|
|
|
assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
|
|
assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_INHERITED_ACE);
|
|
assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_WRITE_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[2]));
|
|
|
|
assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_DENIED);
|
|
assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_INHERITED_ACE);
|
|
assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
|
|
assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[2]));
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
const struct CMUnitTest tests[] = {
|
|
cmocka_unit_test(test_cached_id_mappings),
|
|
cmocka_unit_test(test_empty_nfs4_to_dacl),
|
|
cmocka_unit_test(test_empty_dacl_to_nfs4),
|
|
cmocka_unit_test(test_acl_type_nfs4_to_dacl),
|
|
cmocka_unit_test(test_acl_type_dacl_to_nfs4),
|
|
cmocka_unit_test(test_ace_flags_nfs4_to_dacl),
|
|
cmocka_unit_test(test_ace_flags_dacl_to_nfs4),
|
|
cmocka_unit_test(test_nfs4_permissions_to_dacl),
|
|
cmocka_unit_test(test_dacl_permissions_to_nfs4),
|
|
cmocka_unit_test(test_special_nfs4_to_dacl),
|
|
cmocka_unit_test(test_dacl_to_special_nfs4),
|
|
cmocka_unit_test(test_dacl_creator_to_nfs4),
|
|
cmocka_unit_test(test_nfs4_to_dacl_creator),
|
|
cmocka_unit_test(test_full_control_nfs4_to_dacl),
|
|
cmocka_unit_test(test_dacl_to_nfs4_acedup_settings),
|
|
cmocka_unit_test(test_dacl_to_nfs4_acedup_match),
|
|
cmocka_unit_test(test_dacl_to_nfs4_config_special),
|
|
cmocka_unit_test(test_nfs4_to_dacl_config_special),
|
|
cmocka_unit_test(test_nfs4_to_dacl_idmap_type_both),
|
|
cmocka_unit_test(test_dacl_to_nfs4_idmap_type_both),
|
|
cmocka_unit_test(test_nfs4_to_dacl_remove_duplicate),
|
|
};
|
|
|
|
cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
|
|
|
|
if (argc != 2) {
|
|
print_error("Usage: %s smb.conf\n", argv[0]);
|
|
exit(1);
|
|
}
|
|
|
|
/*
|
|
* Initialize enough of the Samba internals to have the
|
|
* mappings tests work.
|
|
*/
|
|
talloc_stackframe();
|
|
lp_load_global(argv[1]);
|
|
|
|
return cmocka_run_group_tests(tests, group_setup, group_teardown);
|
|
}
|