Line data Source code
1 : /*
2 : * Unix SMB/CIFS implementation.
3 : *
4 : * Unit test for NFS4 ACL handling
5 : *
6 : * Copyright (C) Christof Schmitt 2019
7 : *
8 : * This program is free software; you can redistribute it and/or modify
9 : * it under the terms of the GNU General Public License as published by
10 : * the Free Software Foundation; either version 3 of the License, or
11 : * (at your option) any later version.
12 : *
13 : * This program is distributed in the hope that it will be useful,
14 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : * GNU General Public License for more details.
17 : *
18 : * You should have received a copy of the GNU General Public License
19 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "nfs4_acls.c"
23 : #include "librpc/gen_ndr/idmap.h"
24 : #include "idmap_cache.h"
25 : #include <cmocka.h>
26 :
27 : struct test_sids {
28 : const char *sid_str;
29 : struct unixid unix_id;
30 : } test_sids[] = {
31 : { "S-1-5-2-123-456-789-100", { 1000, ID_TYPE_UID }},
32 : { "S-1-5-2-123-456-789-101", { 1001, ID_TYPE_GID }},
33 : { "S-1-5-2-123-456-789-102", { 1002, ID_TYPE_BOTH }},
34 : { SID_CREATOR_OWNER, { 1003, ID_TYPE_UID }},
35 : { SID_CREATOR_GROUP, { 1004, ID_TYPE_GID }},
36 : { "S-1-5-2-123-456-789-103", { 1000, ID_TYPE_GID }},
37 : { "S-1-5-2-123-456-789-104", { 1005, ID_TYPE_BOTH }},
38 : { "S-1-5-2-123-456-789-105", { 1006, ID_TYPE_BOTH }},
39 : { "S-1-5-2-123-456-789-106", { 1007, ID_TYPE_BOTH }},
40 : };
41 :
42 1 : static int group_setup(void **state)
43 : {
44 1 : struct dom_sid *sids = NULL;
45 1 : int i;
46 :
47 1 : sids = talloc_array(NULL, struct dom_sid, ARRAY_SIZE(test_sids));
48 1 : assert_non_null(sids);
49 :
50 11 : for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
51 9 : assert_true(dom_sid_parse(test_sids[i].sid_str, &sids[i]));
52 9 : idmap_cache_set_sid2unixid(&sids[i], &test_sids[i].unix_id);
53 : }
54 :
55 1 : *state = sids;
56 :
57 1 : return 0;
58 :
59 : }
60 :
61 1 : static int group_teardown(void **state)
62 : {
63 1 : struct dom_sid *sids = *state;
64 1 : int i;
65 :
66 10 : for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
67 9 : assert_true(idmap_cache_del_sid(&sids[i]));
68 : }
69 :
70 1 : TALLOC_FREE(sids);
71 1 : *state = NULL;
72 :
73 1 : return 0;
74 : }
75 :
76 : /*
77 : * Run this as first test to verify that the id mappings used by other
78 : * tests are available in the cache.
79 : */
80 1 : static void test_cached_id_mappings(void **state)
81 : {
82 1 : struct dom_sid *sids = *state;
83 1 : int i;
84 :
85 10 : for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
86 9 : struct dom_sid *sid = &sids[i];
87 9 : struct unixid *unix_id = &test_sids[i].unix_id;
88 9 : uid_t uid;
89 9 : gid_t gid;
90 :
91 9 : switch(unix_id->type) {
92 2 : case ID_TYPE_UID:
93 2 : assert_true(sid_to_uid(sid, &uid));
94 2 : assert_int_equal(uid, unix_id->id);
95 2 : assert_false(sid_to_gid(sid, &gid));
96 2 : break;
97 3 : case ID_TYPE_GID:
98 3 : assert_false(sid_to_uid(sid, &uid));
99 3 : assert_true(sid_to_gid(sid, &gid));
100 3 : assert_int_equal(gid, unix_id->id);
101 3 : break;
102 4 : case ID_TYPE_BOTH:
103 4 : assert_true(sid_to_uid(sid, &uid));
104 4 : assert_int_equal(uid, unix_id->id);
105 4 : assert_true(sid_to_gid(sid, &gid));
106 4 : assert_int_equal(gid, unix_id->id);
107 4 : break;
108 0 : default:
109 0 : fail_msg("Unknown id type %d\n", unix_id->type);
110 0 : break;
111 : }
112 : }
113 1 : }
114 :
115 1 : static void test_empty_nfs4_to_dacl(void **state)
116 : {
117 1 : struct dom_sid *sids = *state;
118 1 : TALLOC_CTX *frame = talloc_stackframe();
119 1 : struct SMB4ACL_T *nfs4_acl;
120 1 : struct security_ace *dacl_aces;
121 1 : int good_aces;
122 1 : struct smbacl4_vfs_params params = {
123 : .mode = e_simple,
124 : .do_chown = true,
125 : .acedup = e_merge,
126 : .map_full_control = true,
127 : };
128 :
129 1 : nfs4_acl = smb_create_smb4acl(frame);
130 1 : assert_non_null(nfs4_acl);
131 :
132 1 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
133 : &sids[0], &sids[1], false,
134 : &dacl_aces, &good_aces));
135 :
136 1 : assert_int_equal(good_aces, 0);
137 1 : assert_null(dacl_aces);
138 :
139 1 : TALLOC_FREE(frame);
140 1 : }
141 :
142 1 : static void test_empty_dacl_to_nfs4(void **state)
143 : {
144 1 : TALLOC_CTX *frame = talloc_stackframe();
145 1 : struct SMB4ACL_T *nfs4_acl;
146 1 : struct security_acl *dacl;
147 1 : struct smbacl4_vfs_params params = {
148 : .mode = e_simple,
149 : .do_chown = true,
150 : .acedup = e_merge,
151 : .map_full_control = true,
152 : };
153 :
154 1 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS, 0, NULL);
155 1 : assert_non_null(dacl);
156 :
157 1 : nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms, 1001, 1002);
158 :
159 1 : assert_non_null(nfs4_acl);
160 1 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
161 : SEC_DESC_SELF_RELATIVE);
162 1 : assert_int_equal(smb_get_naces(nfs4_acl), 0);
163 1 : assert_null(smb_first_ace4(nfs4_acl));
164 1 : }
165 :
166 : struct ace_dacl_type_mapping {
167 : uint32_t nfs4_type;
168 : enum security_ace_type dacl_type;
169 : } ace_dacl_type_mapping[] = {
170 : { SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_ALLOWED },
171 : { SMB_ACE4_ACCESS_DENIED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_DENIED },
172 : };
173 :
174 1 : static void test_acl_type_nfs4_to_dacl(void **state)
175 : {
176 1 : struct dom_sid *sids = *state;
177 1 : TALLOC_CTX *frame = talloc_stackframe();
178 1 : int i;
179 :
180 4 : for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
181 2 : struct SMB4ACL_T *nfs4_acl;
182 2 : SMB_ACE4PROP_T nfs4_ace;
183 2 : struct security_ace *dacl_aces;
184 2 : int good_aces;
185 2 : struct smbacl4_vfs_params params = {
186 : .mode = e_simple,
187 : .do_chown = true,
188 : .acedup = e_merge,
189 : .map_full_control = true,
190 : };
191 :
192 2 : nfs4_acl = smb_create_smb4acl(frame);
193 2 : assert_non_null(nfs4_acl);
194 :
195 2 : nfs4_ace = (SMB_ACE4PROP_T) {
196 : .flags = 0,
197 : .who.uid = 1000,
198 2 : .aceType = ace_dacl_type_mapping[i].nfs4_type,
199 : .aceFlags = 0,
200 : .aceMask = SMB_ACE4_READ_DATA,
201 : };
202 2 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
203 :
204 2 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
205 : &sids[2], &sids[3], false,
206 : &dacl_aces, &good_aces));
207 :
208 2 : assert_int_equal(good_aces, 1);
209 2 : assert_non_null(dacl_aces);
210 :
211 2 : assert_int_equal(dacl_aces[0].type,
212 : ace_dacl_type_mapping[i].dacl_type);
213 2 : assert_int_equal(dacl_aces[0].flags, 0);
214 2 : assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
215 2 : assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
216 : }
217 :
218 1 : TALLOC_FREE(frame);
219 1 : }
220 :
221 1 : static void test_acl_type_dacl_to_nfs4(void **state)
222 : {
223 1 : struct dom_sid *sids = *state;
224 1 : TALLOC_CTX *frame = talloc_stackframe();
225 1 : int i;
226 :
227 4 : for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
228 2 : struct SMB4ACL_T *nfs4_acl;
229 2 : struct SMB4ACE_T *nfs4_ace_container;
230 2 : SMB_ACE4PROP_T *nfs4_ace;
231 2 : struct security_ace dacl_aces[1];
232 2 : struct security_acl *dacl;
233 2 : struct smbacl4_vfs_params params = {
234 : .mode = e_simple,
235 : .do_chown = true,
236 : .acedup = e_merge,
237 : .map_full_control = true,
238 : };
239 :
240 2 : init_sec_ace(&dacl_aces[0], &sids[0],
241 : ace_dacl_type_mapping[i].dacl_type,
242 : SEC_FILE_READ_DATA, 0);
243 2 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
244 : ARRAY_SIZE(dacl_aces), dacl_aces);
245 2 : assert_non_null(dacl);
246 :
247 2 : nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms,
248 : 101, 102);
249 :
250 2 : assert_non_null(nfs4_acl);
251 2 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
252 : SEC_DESC_SELF_RELATIVE);
253 2 : assert_int_equal(smb_get_naces(nfs4_acl), 1);
254 :
255 2 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
256 2 : assert_non_null(nfs4_ace_container);
257 2 : assert_null(smb_next_ace4(nfs4_ace_container));
258 :
259 2 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
260 2 : assert_int_equal(nfs4_ace->flags, 0);
261 2 : assert_int_equal(nfs4_ace->who.uid, 1000);
262 2 : assert_int_equal(nfs4_ace->aceFlags, 0);
263 2 : assert_int_equal(nfs4_ace->aceType,
264 : ace_dacl_type_mapping[i].nfs4_type);
265 2 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
266 : }
267 :
268 1 : TALLOC_FREE(frame);
269 1 : }
270 :
271 : struct ace_flag_mapping_nfs4_to_dacl {
272 : bool is_directory;
273 : uint32_t nfs4_flag;
274 : uint32_t dacl_flag;
275 : } ace_flags_nfs4_to_dacl[] = {
276 : { true, SMB_ACE4_FILE_INHERIT_ACE,
277 : SEC_ACE_FLAG_OBJECT_INHERIT },
278 : { false, SMB_ACE4_FILE_INHERIT_ACE,
279 : 0 },
280 : { true, SMB_ACE4_DIRECTORY_INHERIT_ACE,
281 : SEC_ACE_FLAG_CONTAINER_INHERIT },
282 : { false, SMB_ACE4_DIRECTORY_INHERIT_ACE,
283 : 0 },
284 : { true, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
285 : SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
286 : { false, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
287 : SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
288 : { true, SMB_ACE4_INHERIT_ONLY_ACE,
289 : SEC_ACE_FLAG_INHERIT_ONLY },
290 : { false, SMB_ACE4_INHERIT_ONLY_ACE,
291 : SEC_ACE_FLAG_INHERIT_ONLY },
292 : { true, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
293 : 0 },
294 : { false, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
295 : 0 },
296 : { true, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
297 : 0 },
298 : { false, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
299 : 0 },
300 : { true, SMB_ACE4_INHERITED_ACE,
301 : SEC_ACE_FLAG_INHERITED_ACE },
302 : { false, SMB_ACE4_INHERITED_ACE,
303 : SEC_ACE_FLAG_INHERITED_ACE },
304 : };
305 :
306 1 : static void test_ace_flags_nfs4_to_dacl(void **state)
307 : {
308 1 : struct dom_sid *sids = *state;
309 1 : TALLOC_CTX *frame = talloc_stackframe();
310 1 : SMB_ACE4PROP_T nfs4_ace;
311 1 : int i;
312 :
313 16 : for (i = 0; i < ARRAY_SIZE(ace_flags_nfs4_to_dacl); i++) {
314 14 : struct SMB4ACL_T *nfs4_acl;
315 14 : bool is_directory;
316 14 : struct security_ace *dacl_aces;
317 14 : int good_aces;
318 14 : struct smbacl4_vfs_params params = {
319 : .mode = e_simple,
320 : .do_chown = true,
321 : .acedup = e_merge,
322 : .map_full_control = true,
323 : };
324 :
325 14 : nfs4_acl = smb_create_smb4acl(frame);
326 14 : assert_non_null(nfs4_acl);
327 :
328 14 : nfs4_ace = (SMB_ACE4PROP_T) {
329 : .flags = 0,
330 : .who.uid = 1000,
331 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
332 14 : .aceFlags = ace_flags_nfs4_to_dacl[i].nfs4_flag,
333 : .aceMask = SMB_ACE4_READ_DATA,
334 : };
335 14 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
336 :
337 14 : is_directory = ace_flags_nfs4_to_dacl[i].is_directory;
338 :
339 14 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
340 : &sids[2], &sids[3], is_directory,
341 : &dacl_aces, &good_aces));
342 :
343 14 : assert_int_equal(good_aces, 1);
344 14 : assert_non_null(dacl_aces);
345 :
346 14 : assert_int_equal(dacl_aces[0].type,
347 : SEC_ACE_TYPE_ACCESS_ALLOWED);
348 14 : assert_int_equal(dacl_aces[0].flags,
349 : ace_flags_nfs4_to_dacl[i].dacl_flag);
350 14 : assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
351 14 : assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
352 : }
353 :
354 1 : TALLOC_FREE(frame);
355 1 : }
356 :
357 : struct ace_flag_mapping_dacl_to_nfs4 {
358 : bool is_directory;
359 : uint32_t dacl_flag;
360 : uint32_t nfs4_flag;
361 : } ace_flags_dacl_to_nfs4[] = {
362 : { true, SEC_ACE_FLAG_OBJECT_INHERIT,
363 : SMB_ACE4_FILE_INHERIT_ACE },
364 : { false, SEC_ACE_FLAG_OBJECT_INHERIT,
365 : 0 },
366 : { true, SEC_ACE_FLAG_CONTAINER_INHERIT,
367 : SMB_ACE4_DIRECTORY_INHERIT_ACE },
368 : { false, SEC_ACE_FLAG_CONTAINER_INHERIT,
369 : 0 },
370 : { true, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
371 : SMB_ACE4_NO_PROPAGATE_INHERIT_ACE },
372 : { false, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
373 : 0 },
374 : { true, SEC_ACE_FLAG_INHERIT_ONLY,
375 : SMB_ACE4_INHERIT_ONLY_ACE },
376 : { false, SEC_ACE_FLAG_INHERIT_ONLY,
377 : 0 },
378 : { true, SEC_ACE_FLAG_INHERITED_ACE,
379 : SMB_ACE4_INHERITED_ACE },
380 : { false, SEC_ACE_FLAG_INHERITED_ACE,
381 : SMB_ACE4_INHERITED_ACE },
382 : { true, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
383 : 0 },
384 : { false, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
385 : 0 },
386 : { true, SEC_ACE_FLAG_FAILED_ACCESS,
387 : 0 },
388 : { false, SEC_ACE_FLAG_FAILED_ACCESS,
389 : 0 },
390 : };
391 :
392 1 : static void test_ace_flags_dacl_to_nfs4(void **state)
393 : {
394 1 : struct dom_sid *sids = *state;
395 1 : TALLOC_CTX *frame = talloc_stackframe();
396 1 : int i;
397 :
398 16 : for (i = 0; i < ARRAY_SIZE(ace_flags_dacl_to_nfs4); i++) {
399 14 : struct SMB4ACL_T *nfs4_acl;
400 14 : struct SMB4ACE_T *nfs4_ace_container;
401 14 : SMB_ACE4PROP_T *nfs4_ace;
402 14 : bool is_directory;
403 14 : struct security_ace dacl_aces[1];
404 14 : struct security_acl *dacl;
405 14 : struct smbacl4_vfs_params params = {
406 : .mode = e_simple,
407 : .do_chown = true,
408 : .acedup = e_merge,
409 : .map_full_control = true,
410 : };
411 :
412 14 : init_sec_ace(&dacl_aces[0], &sids[0],
413 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
414 14 : ace_flags_dacl_to_nfs4[i].dacl_flag);
415 14 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
416 : ARRAY_SIZE(dacl_aces), dacl_aces);
417 14 : assert_non_null(dacl);
418 :
419 14 : is_directory = ace_flags_dacl_to_nfs4[i].is_directory;
420 14 : nfs4_acl = smbacl4_win2nfs4(frame, is_directory, dacl, ¶ms,
421 : 101, 102);
422 :
423 14 : assert_non_null(nfs4_acl);
424 14 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
425 : SEC_DESC_SELF_RELATIVE);
426 14 : assert_int_equal(smb_get_naces(nfs4_acl), 1);
427 :
428 14 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
429 14 : assert_non_null(nfs4_ace_container);
430 14 : assert_null(smb_next_ace4(nfs4_ace_container));
431 :
432 14 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
433 14 : assert_int_equal(nfs4_ace->flags, 0);
434 14 : assert_int_equal(nfs4_ace->who.uid, 1000);
435 14 : assert_int_equal(nfs4_ace->aceFlags,
436 : ace_flags_dacl_to_nfs4[i].nfs4_flag);
437 14 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
438 : }
439 :
440 1 : TALLOC_FREE(frame);
441 1 : }
442 :
443 : struct ace_perm_mapping {
444 : uint32_t nfs4_perm;
445 : uint32_t dacl_perm;
446 : } perm_table_nfs4_to_dacl[] = {
447 : { SMB_ACE4_READ_DATA, SEC_FILE_READ_DATA },
448 : { SMB_ACE4_LIST_DIRECTORY, SEC_DIR_LIST },
449 : { SMB_ACE4_WRITE_DATA, SEC_FILE_WRITE_DATA },
450 : { SMB_ACE4_ADD_FILE, SEC_DIR_ADD_FILE },
451 : { SMB_ACE4_APPEND_DATA, SEC_FILE_APPEND_DATA },
452 : { SMB_ACE4_ADD_SUBDIRECTORY, SEC_DIR_ADD_SUBDIR, },
453 : { SMB_ACE4_READ_NAMED_ATTRS, SEC_FILE_READ_EA },
454 : { SMB_ACE4_READ_NAMED_ATTRS, SEC_DIR_READ_EA },
455 : { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_FILE_WRITE_EA },
456 : { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_DIR_WRITE_EA },
457 : { SMB_ACE4_EXECUTE, SEC_FILE_EXECUTE },
458 : { SMB_ACE4_EXECUTE, SEC_DIR_TRAVERSE },
459 : { SMB_ACE4_DELETE_CHILD, SEC_DIR_DELETE_CHILD },
460 : { SMB_ACE4_READ_ATTRIBUTES, SEC_FILE_READ_ATTRIBUTE },
461 : { SMB_ACE4_READ_ATTRIBUTES, SEC_DIR_READ_ATTRIBUTE },
462 : { SMB_ACE4_WRITE_ATTRIBUTES, SEC_FILE_WRITE_ATTRIBUTE },
463 : { SMB_ACE4_WRITE_ATTRIBUTES, SEC_DIR_WRITE_ATTRIBUTE },
464 : { SMB_ACE4_DELETE, SEC_STD_DELETE },
465 : { SMB_ACE4_READ_ACL, SEC_STD_READ_CONTROL },
466 : { SMB_ACE4_WRITE_ACL, SEC_STD_WRITE_DAC, },
467 : { SMB_ACE4_WRITE_OWNER, SEC_STD_WRITE_OWNER },
468 : { SMB_ACE4_SYNCHRONIZE, SEC_STD_SYNCHRONIZE },
469 : };
470 :
471 1 : static void test_nfs4_permissions_to_dacl(void **state)
472 : {
473 1 : struct dom_sid *sids = *state;
474 1 : TALLOC_CTX *frame = talloc_stackframe();
475 1 : int i;
476 :
477 24 : for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
478 22 : struct SMB4ACL_T *nfs4_acl;
479 22 : SMB_ACE4PROP_T nfs4_ace;
480 22 : struct security_ace *dacl_aces;
481 22 : int good_aces;
482 22 : struct smbacl4_vfs_params params = {
483 : .mode = e_simple,
484 : .do_chown = true,
485 : .acedup = e_merge,
486 : .map_full_control = true,
487 : };
488 :
489 22 : nfs4_acl = smb_create_smb4acl(frame);
490 22 : assert_non_null(nfs4_acl);
491 :
492 22 : nfs4_ace = (SMB_ACE4PROP_T) {
493 : .flags = 0,
494 : .who.uid = 1000,
495 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
496 : .aceFlags = 0,
497 22 : .aceMask = perm_table_nfs4_to_dacl[i].nfs4_perm,
498 : };
499 22 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
500 :
501 22 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
502 : &sids[0], &sids[1], false,
503 : &dacl_aces, &good_aces));
504 :
505 22 : assert_int_equal(good_aces, 1);
506 22 : assert_non_null(dacl_aces);
507 :
508 22 : assert_int_equal(dacl_aces[0].type,
509 : SEC_ACE_TYPE_ACCESS_ALLOWED);
510 22 : assert_int_equal(dacl_aces[0].flags, 0);
511 22 : assert_int_equal(dacl_aces[0].access_mask,
512 : perm_table_nfs4_to_dacl[i].dacl_perm);
513 22 : assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
514 : }
515 :
516 1 : TALLOC_FREE(frame);
517 1 : }
518 :
519 : struct ace_perm_mapping_dacl_to_nfs4 {
520 : uint32_t dacl_perm;
521 : uint32_t nfs4_perm;
522 : } perm_table_dacl_to_nfs4[] = {
523 : { SEC_FILE_READ_DATA, SMB_ACE4_READ_DATA, },
524 : { SEC_DIR_LIST, SMB_ACE4_LIST_DIRECTORY, },
525 : { SEC_FILE_WRITE_DATA, SMB_ACE4_WRITE_DATA, },
526 : { SEC_DIR_ADD_FILE, SMB_ACE4_ADD_FILE, },
527 : { SEC_FILE_APPEND_DATA, SMB_ACE4_APPEND_DATA, },
528 : { SEC_DIR_ADD_SUBDIR, SMB_ACE4_ADD_SUBDIRECTORY, },
529 : { SEC_FILE_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
530 : { SEC_DIR_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
531 : { SEC_FILE_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
532 : { SEC_DIR_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
533 : { SEC_FILE_EXECUTE, SMB_ACE4_EXECUTE, },
534 : { SEC_DIR_TRAVERSE, SMB_ACE4_EXECUTE, },
535 : { SEC_DIR_DELETE_CHILD, SMB_ACE4_DELETE_CHILD, },
536 : { SEC_FILE_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
537 : { SEC_DIR_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
538 : { SEC_FILE_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
539 : { SEC_DIR_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
540 : { SEC_STD_DELETE, SMB_ACE4_DELETE, },
541 : { SEC_STD_READ_CONTROL, SMB_ACE4_READ_ACL, },
542 : { SEC_STD_WRITE_DAC, SMB_ACE4_WRITE_ACL, },
543 : { SEC_STD_WRITE_OWNER, SMB_ACE4_WRITE_OWNER, },
544 : { SEC_STD_SYNCHRONIZE, SMB_ACE4_SYNCHRONIZE, },
545 : { SEC_GENERIC_READ, SMB_ACE4_READ_ACL|
546 : SMB_ACE4_READ_DATA|
547 : SMB_ACE4_READ_ATTRIBUTES|
548 : SMB_ACE4_READ_NAMED_ATTRS|
549 : SMB_ACE4_SYNCHRONIZE },
550 : { SEC_GENERIC_WRITE, SMB_ACE4_WRITE_ACL|
551 : SMB_ACE4_WRITE_DATA|
552 : SMB_ACE4_WRITE_ATTRIBUTES|
553 : SMB_ACE4_WRITE_NAMED_ATTRS|
554 : SMB_ACE4_SYNCHRONIZE },
555 : { SEC_GENERIC_EXECUTE, SMB_ACE4_READ_ACL|
556 : SMB_ACE4_READ_ATTRIBUTES|
557 : SMB_ACE4_EXECUTE|
558 : SMB_ACE4_SYNCHRONIZE },
559 : { SEC_GENERIC_ALL, SMB_ACE4_DELETE|
560 : SMB_ACE4_READ_ACL|
561 : SMB_ACE4_WRITE_ACL|
562 : SMB_ACE4_WRITE_OWNER|
563 : SMB_ACE4_SYNCHRONIZE|
564 : SMB_ACE4_WRITE_ATTRIBUTES|
565 : SMB_ACE4_READ_ATTRIBUTES|
566 : SMB_ACE4_EXECUTE|
567 : SMB_ACE4_READ_NAMED_ATTRS|
568 : SMB_ACE4_WRITE_NAMED_ATTRS|
569 : SMB_ACE4_WRITE_DATA|
570 : SMB_ACE4_APPEND_DATA|
571 : SMB_ACE4_READ_DATA|
572 : SMB_ACE4_DELETE_CHILD },
573 : };
574 :
575 1 : static void test_dacl_permissions_to_nfs4(void **state)
576 : {
577 1 : struct dom_sid *sids = *state;
578 1 : TALLOC_CTX *frame = talloc_stackframe();
579 1 : int i;
580 :
581 24 : for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
582 22 : struct SMB4ACL_T *nfs4_acl;
583 22 : struct SMB4ACE_T *nfs4_ace_container;
584 22 : SMB_ACE4PROP_T *nfs4_ace;
585 22 : struct smbacl4_vfs_params params = {
586 : .mode = e_simple,
587 : .do_chown = true,
588 : .acedup = e_merge,
589 : .map_full_control = true,
590 : };
591 22 : struct security_ace dacl_aces[1];
592 22 : struct security_acl *dacl;
593 :
594 22 : init_sec_ace(&dacl_aces[0], &sids[0],
595 : SEC_ACE_TYPE_ACCESS_ALLOWED,
596 : perm_table_dacl_to_nfs4[i].dacl_perm, 0);
597 22 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
598 : ARRAY_SIZE(dacl_aces), dacl_aces);
599 22 : assert_non_null(dacl);
600 :
601 22 : nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms,
602 : 101, 102);
603 :
604 22 : assert_non_null(nfs4_acl);
605 22 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
606 : SEC_DESC_SELF_RELATIVE);
607 22 : assert_int_equal(smb_get_naces(nfs4_acl), 1);
608 :
609 22 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
610 22 : assert_non_null(nfs4_ace_container);
611 22 : assert_null(smb_next_ace4(nfs4_ace_container));
612 :
613 22 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
614 22 : assert_int_equal(nfs4_ace->flags, 0);
615 22 : assert_int_equal(nfs4_ace->who.uid, 1000);
616 22 : assert_int_equal(nfs4_ace->aceFlags, 0);
617 22 : assert_int_equal(nfs4_ace->aceMask,
618 : perm_table_dacl_to_nfs4[i].nfs4_perm);
619 : }
620 :
621 1 : TALLOC_FREE(frame);
622 1 : }
623 :
624 : /*
625 : * Create NFS4 ACL with all possible "special" entries. Verify that
626 : * the ones that should be mapped to a DACL are mapped and the other
627 : * ones are ignored.
628 : */
629 1 : static void test_special_nfs4_to_dacl(void **state)
630 : {
631 1 : struct dom_sid *sids = *state;
632 1 : TALLOC_CTX *frame = talloc_stackframe();
633 1 : struct SMB4ACL_T *nfs4_acl;
634 1 : SMB_ACE4PROP_T nfs4_ace;
635 1 : struct security_ace *dacl_aces;
636 1 : int good_aces;
637 1 : struct smbacl4_vfs_params params = {
638 : .mode = e_simple,
639 : .do_chown = true,
640 : .acedup = e_merge,
641 : .map_full_control = true,
642 : };
643 :
644 1 : nfs4_acl = smb_create_smb4acl(frame);
645 1 : assert_non_null(nfs4_acl);
646 :
647 1 : nfs4_ace = (SMB_ACE4PROP_T) {
648 : .flags = SMB_ACE4_ID_SPECIAL,
649 : .who.special_id = SMB_ACE4_WHO_OWNER,
650 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
651 : .aceFlags = 0,
652 : .aceMask = SMB_ACE4_READ_DATA,
653 : };
654 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
655 :
656 1 : nfs4_ace = (SMB_ACE4PROP_T) {
657 : .flags = SMB_ACE4_ID_SPECIAL,
658 : .who.special_id = SMB_ACE4_WHO_GROUP,
659 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
660 : .aceFlags = 0,
661 : .aceMask = SMB_ACE4_WRITE_DATA,
662 : };
663 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
664 :
665 1 : nfs4_ace = (SMB_ACE4PROP_T) {
666 : .flags = SMB_ACE4_ID_SPECIAL,
667 : .who.special_id = SMB_ACE4_WHO_EVERYONE,
668 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
669 : .aceFlags = 0,
670 : .aceMask = SMB_ACE4_APPEND_DATA,
671 : };
672 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
673 :
674 1 : nfs4_ace = (SMB_ACE4PROP_T) {
675 : .flags = SMB_ACE4_ID_SPECIAL,
676 : .who.special_id = SMB_ACE4_WHO_INTERACTIVE,
677 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
678 : .aceFlags = 0,
679 : .aceMask = SMB_ACE4_READ_NAMED_ATTRS,
680 : };
681 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
682 :
683 1 : nfs4_ace = (SMB_ACE4PROP_T) {
684 : .flags = SMB_ACE4_ID_SPECIAL,
685 : .who.special_id = SMB_ACE4_WHO_NETWORK,
686 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
687 : .aceFlags = 0,
688 : .aceMask = SMB_ACE4_WRITE_NAMED_ATTRS,
689 : };
690 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
691 :
692 1 : nfs4_ace = (SMB_ACE4PROP_T) {
693 : .flags = SMB_ACE4_ID_SPECIAL,
694 : .who.special_id = SMB_ACE4_WHO_DIALUP,
695 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
696 : .aceFlags = 0,
697 : .aceMask = SMB_ACE4_EXECUTE,
698 : };
699 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
700 :
701 1 : nfs4_ace = (SMB_ACE4PROP_T) {
702 : .flags = SMB_ACE4_ID_SPECIAL,
703 : .who.special_id = SMB_ACE4_WHO_BATCH,
704 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
705 : .aceFlags = 0,
706 : .aceMask = SMB_ACE4_READ_ATTRIBUTES,
707 : };
708 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
709 :
710 1 : nfs4_ace = (SMB_ACE4PROP_T) {
711 : .flags = SMB_ACE4_ID_SPECIAL,
712 : .who.special_id = SMB_ACE4_WHO_ANONYMOUS,
713 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
714 : .aceFlags = 0,
715 : .aceMask = SMB_ACE4_WRITE_ATTRIBUTES,
716 : };
717 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
718 :
719 1 : nfs4_ace = (SMB_ACE4PROP_T) {
720 : .flags = SMB_ACE4_ID_SPECIAL,
721 : .who.special_id = SMB_ACE4_WHO_AUTHENTICATED,
722 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
723 : .aceFlags = 0,
724 : .aceMask = SMB_ACE4_READ_ACL,
725 : };
726 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
727 :
728 1 : nfs4_ace = (SMB_ACE4PROP_T) {
729 : .flags = SMB_ACE4_ID_SPECIAL,
730 : .who.special_id = SMB_ACE4_WHO_SERVICE,
731 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
732 : .aceFlags = 0,
733 : .aceMask = SMB_ACE4_WRITE_ACL,
734 : };
735 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
736 :
737 1 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
738 : &sids[0], &sids[1], false,
739 : &dacl_aces, &good_aces));
740 :
741 1 : assert_int_equal(good_aces, 3);
742 1 : assert_non_null(dacl_aces);
743 :
744 1 : assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
745 1 : assert_int_equal(dacl_aces[0].flags, 0);
746 1 : assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
747 1 : assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
748 :
749 1 : assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
750 1 : assert_int_equal(dacl_aces[1].flags, 0);
751 1 : assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
752 1 : assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
753 :
754 1 : assert_int_equal(dacl_aces[2].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
755 1 : assert_int_equal(dacl_aces[2].flags, 0);
756 1 : assert_int_equal(dacl_aces[2].access_mask, SEC_FILE_APPEND_DATA);
757 1 : assert_true(dom_sid_equal(&dacl_aces[2].trustee, &global_sid_World));
758 :
759 1 : TALLOC_FREE(frame);
760 1 : }
761 :
762 1 : static void test_dacl_to_special_nfs4(void **state)
763 : {
764 1 : struct dom_sid *sids = *state;
765 1 : TALLOC_CTX *frame = talloc_stackframe();
766 1 : struct SMB4ACL_T *nfs4_acl;
767 1 : struct SMB4ACE_T *nfs4_ace_container;
768 1 : SMB_ACE4PROP_T *nfs4_ace;
769 1 : struct security_ace dacl_aces[6];
770 1 : struct security_acl *dacl;
771 1 : struct smbacl4_vfs_params params = {
772 : .mode = e_simple,
773 : .do_chown = true,
774 : .acedup = e_dontcare,
775 : .map_full_control = true,
776 : };
777 :
778 : /*
779 : * global_Sid_World is mapped to EVERYONE.
780 : */
781 1 : init_sec_ace(&dacl_aces[0], &global_sid_World,
782 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, 0);
783 : /*
784 : * global_sid_Unix_NFS is ignored.
785 : */
786 1 : init_sec_ace(&dacl_aces[1], &global_sid_Unix_NFS,
787 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA, 0);
788 : /*
789 : * Anything that maps to owner or owning group with inheritance flags
790 : * is NOT mapped to special owner or special group.
791 : */
792 1 : init_sec_ace(&dacl_aces[2], &sids[0],
793 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
794 : SEC_ACE_FLAG_OBJECT_INHERIT);
795 1 : init_sec_ace(&dacl_aces[3], &sids[0],
796 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
797 : SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
798 1 : init_sec_ace(&dacl_aces[4], &sids[1],
799 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
800 : SEC_ACE_FLAG_OBJECT_INHERIT);
801 1 : init_sec_ace(&dacl_aces[5], &sids[1],
802 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
803 : SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
804 1 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
805 : ARRAY_SIZE(dacl_aces), dacl_aces);
806 1 : assert_non_null(dacl);
807 :
808 1 : nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms, 1000, 1001);
809 :
810 1 : assert_non_null(nfs4_acl);
811 1 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
812 : SEC_DESC_SELF_RELATIVE);
813 1 : assert_int_equal(smb_get_naces(nfs4_acl), 5);
814 :
815 1 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
816 1 : assert_non_null(nfs4_ace_container);
817 :
818 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
819 1 : assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
820 1 : assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_EVERYONE);
821 1 : assert_int_equal(nfs4_ace->aceFlags, 0);
822 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
823 :
824 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
825 1 : assert_non_null(nfs4_ace_container);
826 :
827 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
828 1 : assert_int_equal(nfs4_ace->flags, 0);
829 1 : assert_int_equal(nfs4_ace->who.uid, 1000);
830 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
831 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
832 :
833 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
834 1 : assert_non_null(nfs4_ace_container);
835 :
836 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
837 1 : assert_int_equal(nfs4_ace->flags, 0);
838 1 : assert_int_equal(nfs4_ace->who.uid, 1000);
839 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
840 : SMB_ACE4_INHERIT_ONLY_ACE);
841 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
842 :
843 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
844 1 : assert_non_null(nfs4_ace_container);
845 :
846 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
847 1 : assert_int_equal(nfs4_ace->flags, 0);
848 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
849 : SMB_ACE4_FILE_INHERIT_ACE);
850 1 : assert_int_equal(nfs4_ace->who.gid, 1001);
851 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
852 :
853 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
854 1 : assert_non_null(nfs4_ace_container);
855 :
856 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
857 1 : assert_int_equal(nfs4_ace->flags, 0);
858 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
859 : SMB_ACE4_DIRECTORY_INHERIT_ACE|
860 : SMB_ACE4_INHERIT_ONLY_ACE);
861 1 : assert_int_equal(nfs4_ace->who.gid, 1001);
862 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
863 :
864 1 : assert_null(smb_next_ace4(nfs4_ace_container));
865 :
866 1 : TALLOC_FREE(frame);
867 1 : }
868 :
869 : struct creator_ace_flags {
870 : uint32_t dacl_flags;
871 : uint32_t nfs4_flags;
872 : } creator_ace_flags[] = {
873 : { 0, 0 },
874 :
875 : { SEC_ACE_FLAG_INHERIT_ONLY, 0 },
876 :
877 : { SEC_ACE_FLAG_CONTAINER_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
878 : SMB_ACE4_INHERIT_ONLY_ACE },
879 :
880 : { SEC_ACE_FLAG_CONTAINER_INHERIT|
881 : SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
882 : SMB_ACE4_INHERIT_ONLY_ACE },
883 :
884 : { SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_FILE_INHERIT_ACE|
885 : SMB_ACE4_INHERIT_ONLY_ACE },
886 : { SEC_ACE_FLAG_OBJECT_INHERIT|
887 : SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_FILE_INHERIT_ACE|
888 : SMB_ACE4_INHERIT_ONLY_ACE },
889 :
890 : { SEC_ACE_FLAG_CONTAINER_INHERIT|
891 : SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
892 : SMB_ACE4_FILE_INHERIT_ACE|
893 : SMB_ACE4_INHERIT_ONLY_ACE },
894 :
895 : { SEC_ACE_FLAG_CONTAINER_INHERIT|
896 : SEC_ACE_FLAG_OBJECT_INHERIT|
897 : SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
898 : SMB_ACE4_FILE_INHERIT_ACE|
899 : SMB_ACE4_INHERIT_ONLY_ACE },
900 : };
901 :
902 1 : static void test_dacl_creator_to_nfs4(void **state)
903 : {
904 1 : TALLOC_CTX *frame = talloc_stackframe();
905 1 : int i;
906 :
907 10 : for (i = 0; i < ARRAY_SIZE(creator_ace_flags); i++) {
908 8 : struct SMB4ACL_T *nfs4_acl;
909 8 : struct SMB4ACE_T *nfs4_ace_container;
910 8 : SMB_ACE4PROP_T *nfs4_ace;
911 8 : struct security_ace dacl_aces[2];
912 8 : struct security_acl *dacl;
913 8 : struct smbacl4_vfs_params params = {
914 : .mode = e_simple,
915 : .do_chown = true,
916 : .acedup = e_merge,
917 : .map_full_control = true,
918 : };
919 :
920 8 : init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
921 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
922 8 : creator_ace_flags[i].dacl_flags);
923 8 : init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
924 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
925 8 : creator_ace_flags[i].dacl_flags);
926 8 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
927 : ARRAY_SIZE(dacl_aces), dacl_aces);
928 8 : assert_non_null(dacl);
929 :
930 8 : nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
931 : 101, 102);
932 :
933 8 : assert_non_null(nfs4_acl);
934 8 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
935 : SEC_DESC_SELF_RELATIVE);
936 :
937 8 : if (creator_ace_flags[i].nfs4_flags == 0) {
938 : /*
939 : * CREATOR OWNER and CREATOR GROUP not mapped
940 : * in this case.
941 : */
942 2 : assert_null(smb_first_ace4(nfs4_acl));
943 : } else {
944 6 : assert_int_equal(smb_get_naces(nfs4_acl), 2);
945 :
946 6 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
947 6 : assert_non_null(nfs4_ace_container);
948 :
949 6 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
950 6 : assert_non_null(nfs4_ace);
951 6 : assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
952 6 : assert_int_equal(nfs4_ace->who.special_id,
953 : SMB_ACE4_WHO_OWNER);
954 6 : assert_int_equal(nfs4_ace->aceFlags,
955 : creator_ace_flags[i].nfs4_flags);
956 6 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
957 :
958 6 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
959 6 : assert_non_null(nfs4_ace_container);
960 6 : assert_null(smb_next_ace4(nfs4_ace_container));
961 :
962 6 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
963 6 : assert_non_null(nfs4_ace);
964 6 : assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
965 6 : assert_int_equal(nfs4_ace->who.special_id,
966 : SMB_ACE4_WHO_GROUP);
967 6 : assert_int_equal(nfs4_ace->aceFlags,
968 : creator_ace_flags[i].nfs4_flags);
969 6 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
970 : }
971 : }
972 :
973 1 : TALLOC_FREE(frame);
974 1 : }
975 :
976 : struct creator_owner_nfs4_to_dacl {
977 : uint32_t special_id;
978 : uint32_t nfs4_ace_flags;
979 : uint32_t dacl_ace_flags;
980 : } creator_owner_nfs4_to_dacl[] = {
981 : { SMB_ACE4_WHO_OWNER,
982 : SMB_ACE4_FILE_INHERIT_ACE,
983 : SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
984 : { SMB_ACE4_WHO_OWNER,
985 : SMB_ACE4_DIRECTORY_INHERIT_ACE,
986 : SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
987 : { SMB_ACE4_WHO_OWNER,
988 : SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
989 : SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
990 : SEC_ACE_FLAG_INHERIT_ONLY },
991 : { SMB_ACE4_WHO_GROUP,
992 : SMB_ACE4_FILE_INHERIT_ACE,
993 : SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
994 : { SMB_ACE4_WHO_GROUP,
995 : SMB_ACE4_DIRECTORY_INHERIT_ACE,
996 : SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
997 : { SMB_ACE4_WHO_GROUP,
998 : SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
999 : SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
1000 : SEC_ACE_FLAG_INHERIT_ONLY },
1001 : };
1002 :
1003 1 : static void test_nfs4_to_dacl_creator(void **state)
1004 : {
1005 1 : struct dom_sid *sids = *state;
1006 1 : TALLOC_CTX *frame = talloc_stackframe();
1007 1 : int i;
1008 :
1009 8 : for (i = 0; i < ARRAY_SIZE(creator_owner_nfs4_to_dacl); i++) {
1010 6 : struct SMB4ACL_T *nfs4_acl;
1011 6 : SMB_ACE4PROP_T nfs4_ace;
1012 6 : struct security_ace *dacl_aces, *creator_dacl_ace;
1013 6 : int good_aces;
1014 6 : struct smbacl4_vfs_params params = {
1015 : .mode = e_simple,
1016 : .do_chown = true,
1017 : .acedup = e_merge,
1018 : .map_full_control = true,
1019 : };
1020 :
1021 6 : nfs4_acl = smb_create_smb4acl(frame);
1022 6 : assert_non_null(nfs4_acl);
1023 :
1024 6 : nfs4_ace = (SMB_ACE4PROP_T) {
1025 : .flags = SMB_ACE4_ID_SPECIAL,
1026 : .who.special_id
1027 6 : = creator_owner_nfs4_to_dacl[i].special_id,
1028 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1029 : .aceFlags
1030 6 : = creator_owner_nfs4_to_dacl[i].nfs4_ace_flags,
1031 : .aceMask = SMB_ACE4_READ_DATA,
1032 : };
1033 6 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1034 :
1035 6 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1036 : &sids[0], &sids[1], true,
1037 : &dacl_aces, &good_aces));
1038 6 : assert_non_null(dacl_aces);
1039 :
1040 6 : if (creator_owner_nfs4_to_dacl[i].nfs4_ace_flags &
1041 : SMB_ACE4_INHERIT_ONLY_ACE) {
1042 : /*
1043 : * Only one ACE entry for the CREATOR ACE entry.
1044 : */
1045 0 : assert_int_equal(good_aces, 1);
1046 0 : creator_dacl_ace = &dacl_aces[0];
1047 : } else {
1048 : /*
1049 : * This creates an additional ACE entry for
1050 : * the permissions on the current object.
1051 : */
1052 6 : assert_int_equal(good_aces, 2);
1053 :
1054 6 : assert_int_equal(dacl_aces[0].type,
1055 : SEC_ACE_TYPE_ACCESS_ALLOWED);
1056 6 : assert_int_equal(dacl_aces[0].flags, 0);
1057 6 : assert_int_equal(dacl_aces[0].access_mask,
1058 : SEC_FILE_READ_DATA);
1059 :
1060 6 : if (creator_owner_nfs4_to_dacl[i].special_id ==
1061 : SMB_ACE4_WHO_OWNER) {
1062 3 : assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1063 : &sids[0]));
1064 : }
1065 :
1066 6 : if (creator_owner_nfs4_to_dacl[i].special_id ==
1067 : SMB_ACE4_WHO_GROUP) {
1068 3 : assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1069 : &sids[1]));
1070 : }
1071 :
1072 6 : creator_dacl_ace = &dacl_aces[1];
1073 : }
1074 :
1075 6 : assert_int_equal(creator_dacl_ace->type,
1076 : SEC_ACE_TYPE_ACCESS_ALLOWED);
1077 6 : assert_int_equal(creator_dacl_ace->flags,
1078 : creator_owner_nfs4_to_dacl[i].dacl_ace_flags);
1079 6 : assert_int_equal(creator_dacl_ace->access_mask,
1080 : SEC_FILE_READ_DATA);
1081 6 : if (creator_owner_nfs4_to_dacl[i].special_id ==
1082 : SMB_ACE4_WHO_OWNER) {
1083 3 : assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
1084 : &global_sid_Creator_Owner));
1085 : }
1086 :
1087 6 : if (creator_owner_nfs4_to_dacl[i].special_id ==
1088 : SMB_ACE4_WHO_GROUP) {
1089 3 : assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
1090 : &global_sid_Creator_Group));
1091 : }
1092 : }
1093 :
1094 1 : TALLOC_FREE(frame);
1095 1 : }
1096 :
1097 : struct nfs4_to_dacl_map_full_control{
1098 : bool is_dir;
1099 : bool config;
1100 : bool delete_child_added;
1101 : } nfs4_to_dacl_full_control[] = {
1102 : { true, true, false },
1103 : { true, false, false },
1104 : { false, true, true },
1105 : { false, false, false },
1106 : };
1107 :
1108 1 : static void test_full_control_nfs4_to_dacl(void **state)
1109 : {
1110 1 : struct dom_sid *sids = *state;
1111 1 : TALLOC_CTX *frame = talloc_stackframe();
1112 1 : int i;
1113 :
1114 6 : for (i = 0; i < ARRAY_SIZE(nfs4_to_dacl_full_control); i++) {
1115 4 : struct SMB4ACL_T *nfs4_acl;
1116 4 : SMB_ACE4PROP_T nfs4_ace;
1117 4 : struct security_ace *dacl_aces;
1118 4 : int good_aces;
1119 4 : struct smbacl4_vfs_params params = {
1120 : .mode = e_simple,
1121 : .do_chown = true,
1122 : .acedup = e_merge,
1123 4 : .map_full_control = nfs4_to_dacl_full_control[i].config,
1124 : };
1125 4 : const uint32_t nfs4_ace_mask_except_deletes =
1126 : SMB_ACE4_READ_DATA|SMB_ACE4_WRITE_DATA|
1127 : SMB_ACE4_APPEND_DATA|SMB_ACE4_READ_NAMED_ATTRS|
1128 : SMB_ACE4_WRITE_NAMED_ATTRS|SMB_ACE4_EXECUTE|
1129 : SMB_ACE4_READ_ATTRIBUTES|SMB_ACE4_WRITE_ATTRIBUTES|
1130 : SMB_ACE4_READ_ACL|SMB_ACE4_WRITE_ACL|
1131 : SMB_ACE4_WRITE_OWNER|SMB_ACE4_SYNCHRONIZE;
1132 4 : const uint32_t dacl_ace_mask_except_deletes =
1133 : SEC_FILE_READ_DATA|SEC_FILE_WRITE_DATA|
1134 : SEC_FILE_APPEND_DATA|SEC_FILE_READ_EA|
1135 : SEC_FILE_WRITE_EA|SEC_FILE_EXECUTE|
1136 : SEC_FILE_READ_ATTRIBUTE|SEC_FILE_WRITE_ATTRIBUTE|
1137 : SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|
1138 : SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE;
1139 :
1140 4 : nfs4_acl = smb_create_smb4acl(frame);
1141 4 : assert_non_null(nfs4_acl);
1142 :
1143 4 : nfs4_ace = (SMB_ACE4PROP_T) {
1144 : .flags = 0,
1145 : .who.uid = 1000,
1146 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1147 : .aceFlags = 0,
1148 : .aceMask = nfs4_ace_mask_except_deletes,
1149 : };
1150 4 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1151 :
1152 4 : assert_true(
1153 : smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1154 : &sids[0], &sids[1],
1155 : nfs4_to_dacl_full_control[i].is_dir,
1156 : &dacl_aces, &good_aces));
1157 :
1158 4 : assert_int_equal(good_aces, 1);
1159 4 : assert_non_null(dacl_aces);
1160 :
1161 4 : assert_int_equal(dacl_aces[0].type,
1162 : SEC_ACE_TYPE_ACCESS_ALLOWED);
1163 4 : assert_int_equal(dacl_aces[0].flags, 0);
1164 4 : assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
1165 4 : if (nfs4_to_dacl_full_control[i].delete_child_added) {
1166 1 : assert_int_equal(dacl_aces[0].access_mask,
1167 : dacl_ace_mask_except_deletes|
1168 : SEC_DIR_DELETE_CHILD);
1169 : } else {
1170 3 : assert_int_equal(dacl_aces[0].access_mask,
1171 : dacl_ace_mask_except_deletes);
1172 : }
1173 : }
1174 :
1175 1 : TALLOC_FREE(frame);
1176 1 : }
1177 :
1178 : struct acedup_settings {
1179 : enum smbacl4_acedup_enum setting;
1180 : } acedup_settings[] = {
1181 : { e_dontcare },
1182 : { e_reject },
1183 : { e_ignore },
1184 : { e_merge },
1185 : };
1186 :
1187 1 : static void test_dacl_to_nfs4_acedup_settings(void **state)
1188 : {
1189 1 : struct dom_sid *sids = *state;
1190 1 : TALLOC_CTX *frame = talloc_stackframe();
1191 1 : int i;
1192 :
1193 6 : for (i = 0; i < ARRAY_SIZE(acedup_settings); i++) {
1194 4 : struct SMB4ACL_T *nfs4_acl;
1195 4 : struct SMB4ACE_T *nfs4_ace_container;
1196 4 : SMB_ACE4PROP_T *nfs4_ace;
1197 4 : struct security_ace dacl_aces[2];
1198 4 : struct security_acl *dacl;
1199 4 : struct smbacl4_vfs_params params = {
1200 : .mode = e_simple,
1201 : .do_chown = true,
1202 4 : .acedup = acedup_settings[i].setting,
1203 : .map_full_control = true,
1204 : };
1205 :
1206 4 : init_sec_ace(&dacl_aces[0], &sids[0],
1207 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1208 : SEC_ACE_FLAG_OBJECT_INHERIT);
1209 4 : init_sec_ace(&dacl_aces[1], &sids[0],
1210 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1211 : SEC_ACE_FLAG_OBJECT_INHERIT);
1212 4 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1213 : ARRAY_SIZE(dacl_aces), dacl_aces);
1214 4 : assert_non_null(dacl);
1215 :
1216 4 : nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
1217 : 101, 102);
1218 :
1219 4 : switch(params.acedup) {
1220 1 : case e_dontcare:
1221 1 : assert_non_null(nfs4_acl);
1222 1 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1223 : SEC_DESC_SELF_RELATIVE);
1224 1 : assert_int_equal(smb_get_naces(nfs4_acl), 2);
1225 :
1226 1 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
1227 1 : assert_non_null(nfs4_ace_container);
1228 :
1229 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1230 1 : assert_int_equal(nfs4_ace->flags, 0);
1231 1 : assert_int_equal(nfs4_ace->who.uid, 1000);
1232 1 : assert_int_equal(nfs4_ace->aceFlags,
1233 : SMB_ACE4_FILE_INHERIT_ACE);
1234 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1235 :
1236 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1237 1 : assert_non_null(nfs4_ace_container);
1238 1 : assert_null(smb_next_ace4(nfs4_ace_container));
1239 :
1240 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1241 1 : assert_int_equal(nfs4_ace->flags, 0);
1242 1 : assert_int_equal(nfs4_ace->who.uid, 1000);
1243 1 : assert_int_equal(nfs4_ace->aceFlags,
1244 : SMB_ACE4_FILE_INHERIT_ACE);
1245 1 : assert_int_equal(nfs4_ace->aceMask,
1246 : SMB_ACE4_WRITE_DATA);
1247 1 : break;
1248 :
1249 1 : case e_reject:
1250 1 : assert_null(nfs4_acl);
1251 1 : assert_int_equal(errno, EINVAL);
1252 1 : break;
1253 :
1254 1 : case e_ignore:
1255 1 : assert_non_null(nfs4_acl);
1256 1 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1257 : SEC_DESC_SELF_RELATIVE);
1258 1 : assert_int_equal(smb_get_naces(nfs4_acl), 1);
1259 :
1260 1 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
1261 1 : assert_non_null(nfs4_ace_container);
1262 1 : assert_null(smb_next_ace4(nfs4_ace_container));
1263 :
1264 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1265 1 : assert_int_equal(nfs4_ace->flags, 0);
1266 1 : assert_int_equal(nfs4_ace->who.uid, 1000);
1267 1 : assert_int_equal(nfs4_ace->aceFlags,
1268 : SMB_ACE4_FILE_INHERIT_ACE);
1269 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1270 1 : break;
1271 :
1272 1 : case e_merge:
1273 1 : assert_non_null(nfs4_acl);
1274 1 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1275 : SEC_DESC_SELF_RELATIVE);
1276 1 : assert_int_equal(smb_get_naces(nfs4_acl), 1);
1277 :
1278 1 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
1279 1 : assert_non_null(nfs4_ace_container);
1280 1 : assert_null(smb_next_ace4(nfs4_ace_container));
1281 :
1282 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1283 1 : assert_int_equal(nfs4_ace->flags, 0);
1284 1 : assert_int_equal(nfs4_ace->who.uid, 1000);
1285 1 : assert_int_equal(nfs4_ace->aceFlags,
1286 : SMB_ACE4_FILE_INHERIT_ACE);
1287 1 : assert_int_equal(nfs4_ace->aceMask,
1288 : SMB_ACE4_READ_DATA|
1289 : SMB_ACE4_WRITE_DATA);
1290 1 : break;
1291 :
1292 0 : default:
1293 0 : fail_msg("Unexpected value for acedup: %d\n",
1294 : params.acedup);
1295 4 : };
1296 : }
1297 :
1298 1 : TALLOC_FREE(frame);
1299 1 : }
1300 :
1301 : struct acedup_match {
1302 : int sid_idx1;
1303 : enum security_ace_type type1;
1304 : uint32_t ace_mask1;
1305 : uint8_t flag1;
1306 : int sid_idx2;
1307 : enum security_ace_type type2;
1308 : uint32_t ace_mask2;
1309 : uint8_t flag2;
1310 : bool match;
1311 : } acedup_match[] = {
1312 : { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1313 : SEC_ACE_FLAG_OBJECT_INHERIT,
1314 : 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1315 : SEC_ACE_FLAG_OBJECT_INHERIT,
1316 : true },
1317 : { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1318 : SEC_ACE_FLAG_OBJECT_INHERIT,
1319 : 1, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1320 : SEC_ACE_FLAG_OBJECT_INHERIT,
1321 : false },
1322 : { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1323 : SEC_ACE_FLAG_OBJECT_INHERIT,
1324 : 0, SEC_ACE_TYPE_ACCESS_DENIED, SEC_FILE_READ_DATA,
1325 : SEC_ACE_FLAG_OBJECT_INHERIT,
1326 : false },
1327 : { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1328 : SEC_ACE_FLAG_OBJECT_INHERIT,
1329 : 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1330 : SEC_ACE_FLAG_OBJECT_INHERIT,
1331 : true },
1332 : { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1333 : SEC_ACE_FLAG_OBJECT_INHERIT,
1334 : 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1335 : SEC_ACE_FLAG_CONTAINER_INHERIT,
1336 : false },
1337 : { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1338 : SEC_ACE_FLAG_OBJECT_INHERIT,
1339 : 5, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1340 : SEC_ACE_FLAG_OBJECT_INHERIT,
1341 : false },
1342 : };
1343 :
1344 1 : static void test_dacl_to_nfs4_acedup_match(void **state)
1345 : {
1346 1 : struct dom_sid *sids = *state;
1347 1 : TALLOC_CTX *frame = talloc_stackframe();
1348 1 : int i;
1349 :
1350 8 : for (i = 0; i < ARRAY_SIZE(acedup_match); i++) {
1351 6 : struct SMB4ACL_T *nfs4_acl;
1352 6 : struct SMB4ACE_T *nfs4_ace_container;
1353 6 : SMB_ACE4PROP_T *nfs4_ace;
1354 6 : struct security_ace dacl_aces[2];
1355 6 : struct security_acl *dacl;
1356 6 : struct smbacl4_vfs_params params = {
1357 : .mode = e_simple,
1358 : .do_chown = true,
1359 : .acedup = e_ignore,
1360 : .map_full_control = true,
1361 : };
1362 :
1363 6 : init_sec_ace(&dacl_aces[0],
1364 6 : &sids[acedup_match[i].sid_idx1],
1365 : acedup_match[i].type1,
1366 : acedup_match[i].ace_mask1,
1367 6 : acedup_match[i].flag1);
1368 6 : init_sec_ace(&dacl_aces[1],
1369 6 : &sids[acedup_match[i].sid_idx2],
1370 : acedup_match[i].type2,
1371 : acedup_match[i].ace_mask2,
1372 6 : acedup_match[i].flag2);
1373 6 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1374 : ARRAY_SIZE(dacl_aces), dacl_aces);
1375 6 : assert_non_null(dacl);
1376 :
1377 6 : nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
1378 : 101, 102);
1379 6 : assert_non_null(nfs4_acl);
1380 6 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1381 : SEC_DESC_SELF_RELATIVE);
1382 :
1383 6 : if (acedup_match[i].match) {
1384 2 : assert_int_equal(smb_get_naces(nfs4_acl), 1);
1385 :
1386 2 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
1387 2 : assert_non_null(nfs4_ace_container);
1388 2 : assert_null(smb_next_ace4(nfs4_ace_container));
1389 :
1390 2 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1391 2 : assert_int_equal(nfs4_ace->flags, 0);
1392 2 : assert_int_equal(nfs4_ace->who.uid, 1000);
1393 2 : assert_int_equal(nfs4_ace->aceFlags,
1394 : SMB_ACE4_FILE_INHERIT_ACE);
1395 2 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1396 :
1397 : } else {
1398 4 : assert_int_equal(smb_get_naces(nfs4_acl), 2);
1399 :
1400 4 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
1401 4 : assert_non_null(nfs4_ace_container);
1402 :
1403 4 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1404 4 : assert_int_equal(nfs4_ace->flags, 0);
1405 4 : assert_int_equal(nfs4_ace->who.uid, 1000);
1406 4 : assert_int_equal(nfs4_ace->aceFlags,
1407 : SMB_ACE4_FILE_INHERIT_ACE);
1408 4 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1409 :
1410 4 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1411 4 : assert_non_null(nfs4_ace_container);
1412 4 : assert_null(smb_next_ace4(nfs4_ace_container));
1413 :
1414 4 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1415 4 : assert_int_equal(nfs4_ace->flags, 0);
1416 : }
1417 : }
1418 :
1419 1 : TALLOC_FREE(frame);
1420 1 : }
1421 :
1422 1 : static void test_dacl_to_nfs4_config_special(void **state)
1423 : {
1424 1 : struct dom_sid *sids = *state;
1425 1 : TALLOC_CTX *frame = talloc_stackframe();
1426 1 : struct SMB4ACL_T *nfs4_acl;
1427 1 : struct SMB4ACE_T *nfs4_ace_container;
1428 1 : SMB_ACE4PROP_T *nfs4_ace;
1429 1 : struct security_ace dacl_aces[6];
1430 1 : struct security_acl *dacl;
1431 1 : struct smbacl4_vfs_params params = {
1432 : .mode = e_special,
1433 : .do_chown = true,
1434 : .acedup = e_dontcare,
1435 : .map_full_control = true,
1436 : };
1437 :
1438 : /*
1439 : * global_sid_Creator_Owner or global_sid_Special_Group is NOT mapped
1440 : * to SMB_ACE4_ID_SPECIAL.
1441 : */
1442 1 : init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
1443 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1444 : SEC_ACE_FLAG_OBJECT_INHERIT);
1445 1 : init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
1446 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1447 : SEC_ACE_FLAG_CONTAINER_INHERIT);
1448 : /*
1449 : * Anything that maps to owner or owning group with inheritance flags
1450 : * IS mapped to special owner or special group.
1451 : */
1452 1 : init_sec_ace(&dacl_aces[2], &sids[0],
1453 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1454 : SEC_ACE_FLAG_OBJECT_INHERIT);
1455 1 : init_sec_ace(&dacl_aces[3], &sids[0],
1456 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1457 : SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1458 1 : init_sec_ace(&dacl_aces[4], &sids[1],
1459 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1460 : SEC_ACE_FLAG_OBJECT_INHERIT);
1461 1 : init_sec_ace(&dacl_aces[5], &sids[1],
1462 : SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1463 : SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1464 1 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1465 : ARRAY_SIZE(dacl_aces), dacl_aces);
1466 1 : assert_non_null(dacl);
1467 :
1468 1 : nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms, 1000, 1001);
1469 :
1470 1 : assert_non_null(nfs4_acl);
1471 1 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1472 : SEC_DESC_SELF_RELATIVE);
1473 1 : assert_int_equal(smb_get_naces(nfs4_acl), 6);
1474 :
1475 1 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
1476 1 : assert_non_null(nfs4_ace_container);
1477 :
1478 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1479 1 : assert_int_equal(nfs4_ace->flags, 0);
1480 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
1481 1 : assert_int_equal(nfs4_ace->who.uid, 1003);
1482 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1483 :
1484 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1485 1 : assert_non_null(nfs4_ace_container);
1486 :
1487 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1488 1 : assert_int_equal(nfs4_ace->flags, 0);
1489 1 : assert_int_equal(nfs4_ace->aceFlags,
1490 : SMB_ACE4_IDENTIFIER_GROUP|
1491 : SMB_ACE4_DIRECTORY_INHERIT_ACE);
1492 1 : assert_int_equal(nfs4_ace->who.gid, 1004);
1493 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
1494 :
1495 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1496 1 : assert_non_null(nfs4_ace_container);
1497 :
1498 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1499 1 : assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1500 1 : assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
1501 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
1502 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1503 :
1504 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1505 1 : assert_non_null(nfs4_ace_container);
1506 :
1507 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1508 1 : assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1509 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
1510 : SMB_ACE4_INHERIT_ONLY_ACE);
1511 1 : assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
1512 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1513 :
1514 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1515 1 : assert_non_null(nfs4_ace_container);
1516 :
1517 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1518 1 : assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1519 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
1520 : SMB_ACE4_FILE_INHERIT_ACE);
1521 1 : assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
1522 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1523 :
1524 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1525 1 : assert_non_null(nfs4_ace_container);
1526 :
1527 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1528 1 : assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1529 1 : assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
1530 : SMB_ACE4_DIRECTORY_INHERIT_ACE|
1531 : SMB_ACE4_INHERIT_ONLY_ACE);
1532 1 : assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
1533 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1534 :
1535 1 : assert_null(smb_next_ace4(nfs4_ace_container));
1536 :
1537 1 : TALLOC_FREE(frame);
1538 1 : }
1539 :
1540 1 : static void test_nfs4_to_dacl_config_special(void **state)
1541 : {
1542 1 : struct dom_sid *sids = *state;
1543 1 : TALLOC_CTX *frame = talloc_stackframe();
1544 1 : struct SMB4ACL_T *nfs4_acl;
1545 1 : SMB_ACE4PROP_T nfs4_ace;
1546 1 : struct security_ace *dacl_aces;
1547 1 : int good_aces;
1548 1 : struct smbacl4_vfs_params params = {
1549 : .mode = e_special,
1550 : .do_chown = true,
1551 : .acedup = e_dontcare,
1552 : .map_full_control = true,
1553 : };
1554 :
1555 1 : nfs4_acl = smb_create_smb4acl(frame);
1556 1 : assert_non_null(nfs4_acl);
1557 :
1558 : /*
1559 : * In config mode special, this is not mapped to Creator Owner
1560 : */
1561 1 : nfs4_ace = (SMB_ACE4PROP_T) {
1562 : .flags = SMB_ACE4_ID_SPECIAL,
1563 : .who.special_id = SMB_ACE4_WHO_OWNER,
1564 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1565 : .aceFlags = SMB_ACE4_FILE_INHERIT_ACE,
1566 : .aceMask = SMB_ACE4_READ_DATA,
1567 : };
1568 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1569 :
1570 : /*
1571 : * In config mode special, this is not mapped to Creator Group
1572 : */
1573 1 : nfs4_ace = (SMB_ACE4PROP_T) {
1574 : .flags = SMB_ACE4_ID_SPECIAL,
1575 : .who.special_id = SMB_ACE4_WHO_GROUP,
1576 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1577 : .aceFlags = SMB_ACE4_DIRECTORY_INHERIT_ACE,
1578 : .aceMask = SMB_ACE4_WRITE_DATA,
1579 : };
1580 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1581 :
1582 1 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1583 : &sids[0], &sids[1], true,
1584 : &dacl_aces, &good_aces));
1585 :
1586 1 : assert_int_equal(good_aces, 2);
1587 1 : assert_non_null(dacl_aces);
1588 :
1589 1 : assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1590 1 : assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_OBJECT_INHERIT);
1591 1 : assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
1592 1 : assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
1593 :
1594 1 : assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1595 1 : assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_CONTAINER_INHERIT);
1596 1 : assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
1597 1 : assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
1598 :
1599 1 : TALLOC_FREE(frame);
1600 1 : }
1601 :
1602 : struct nfs_to_dacl_idmap_both {
1603 : uint32_t nfs4_flags;
1604 : uint32_t nfs4_id;
1605 : struct dom_sid *sid;
1606 : };
1607 :
1608 1 : static void test_nfs4_to_dacl_idmap_type_both(void **state)
1609 : {
1610 1 : struct dom_sid *sids = *state;
1611 1 : TALLOC_CTX *frame = talloc_stackframe();
1612 1 : int i;
1613 1 : struct nfs_to_dacl_idmap_both nfs_to_dacl_idmap_both[] = {
1614 1 : { 0, 1002, &sids[2] },
1615 : { SMB_ACE4_IDENTIFIER_GROUP, 1002, &sids[2] },
1616 1 : { 0, 1005, &sids[6] },
1617 : { SMB_ACE4_IDENTIFIER_GROUP, 1005, &sids[6] },
1618 : };
1619 :
1620 5 : for (i = 0; i < ARRAY_SIZE(nfs_to_dacl_idmap_both); i++) {
1621 4 : struct SMB4ACL_T *nfs4_acl;
1622 4 : struct security_ace *dacl_aces;
1623 4 : SMB_ACE4PROP_T nfs4_ace;
1624 4 : int good_aces;
1625 4 : struct smbacl4_vfs_params params = {
1626 : .mode = e_simple,
1627 : .do_chown = true,
1628 : .acedup = e_merge,
1629 : .map_full_control = true,
1630 : };
1631 :
1632 4 : nfs4_acl = smb_create_smb4acl(frame);
1633 4 : assert_non_null(nfs4_acl);
1634 :
1635 4 : nfs4_ace = (SMB_ACE4PROP_T) {
1636 : .flags = 0,
1637 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1638 4 : .aceFlags = nfs_to_dacl_idmap_both[i].nfs4_flags,
1639 : .aceMask = SMB_ACE4_READ_DATA,
1640 : };
1641 :
1642 4 : if (nfs_to_dacl_idmap_both[i].nfs4_flags &
1643 : SMB_ACE4_IDENTIFIER_GROUP) {
1644 2 : nfs4_ace.who.gid = nfs_to_dacl_idmap_both[i].nfs4_id;
1645 : } else {
1646 2 : nfs4_ace.who.uid = nfs_to_dacl_idmap_both[i].nfs4_id;
1647 : }
1648 4 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1649 :
1650 4 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1651 : &sids[2], &sids[2],
1652 : false, &dacl_aces, &good_aces));
1653 :
1654 4 : assert_int_equal(good_aces, 1);
1655 4 : assert_non_null(dacl_aces);
1656 :
1657 4 : assert_int_equal(dacl_aces[0].type,
1658 : SEC_ACE_TYPE_ACCESS_ALLOWED);
1659 4 : assert_int_equal(dacl_aces[0].flags, 0);
1660 4 : assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
1661 4 : assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1662 : nfs_to_dacl_idmap_both[i].sid));
1663 : }
1664 :
1665 1 : TALLOC_FREE(frame);
1666 1 : }
1667 :
1668 : struct dacl_to_nfs4_idmap_both {
1669 : struct dom_sid *sid;
1670 : uint32_t dacl_flags;
1671 : uint32_t nfs4_flags;
1672 : uint32_t nfs4_ace_flags;
1673 : uint32_t nfs4_id;
1674 : int num_nfs4_aces;
1675 : };
1676 :
1677 : /*
1678 : * IDMAP_TYPE_BOTH always creates group entries.
1679 : */
1680 1 : static void test_dacl_to_nfs4_idmap_type_both(void **state)
1681 : {
1682 1 : struct dom_sid *sids = *state;
1683 1 : TALLOC_CTX *frame = talloc_stackframe();
1684 1 : int i;
1685 :
1686 1 : struct dacl_to_nfs4_idmap_both dacl_to_nfs4_idmap_both[] = {
1687 1 : { &sids[2], 0,
1688 : SMB_ACE4_ID_SPECIAL, SMB_ACE4_IDENTIFIER_GROUP, SMB_ACE4_WHO_GROUP,
1689 : 2 },
1690 : { &sids[2], SEC_ACE_FLAG_OBJECT_INHERIT,
1691 : 0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1002,
1692 : 1 },
1693 1 : { &sids[6], 0,
1694 : 0, SMB_ACE4_IDENTIFIER_GROUP, 1005,
1695 : 1 },
1696 : { &sids[6], SEC_ACE_FLAG_OBJECT_INHERIT,
1697 : 0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1005,
1698 : 1 },
1699 : };
1700 :
1701 5 : for (i = 0; i < ARRAY_SIZE(dacl_to_nfs4_idmap_both); i++) {
1702 4 : struct SMB4ACL_T *nfs4_acl;
1703 4 : struct SMB4ACE_T *nfs4_ace_container;
1704 4 : SMB_ACE4PROP_T *nfs4_ace;
1705 4 : struct security_ace dacl_aces[1];
1706 4 : struct security_acl *dacl;
1707 4 : struct smbacl4_vfs_params params = {
1708 : .mode = e_simple,
1709 : .do_chown = true,
1710 : .acedup = e_merge,
1711 : .map_full_control = true,
1712 : };
1713 :
1714 4 : init_sec_ace(&dacl_aces[0], dacl_to_nfs4_idmap_both[i].sid,
1715 : SEC_ACE_TYPE_ACCESS_ALLOWED,
1716 : SEC_FILE_READ_DATA,
1717 4 : dacl_to_nfs4_idmap_both[i].dacl_flags);
1718 4 : dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1719 : ARRAY_SIZE(dacl_aces), dacl_aces);
1720 4 : assert_non_null(dacl);
1721 :
1722 4 : nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
1723 : 1002, 1002);
1724 :
1725 4 : assert_non_null(nfs4_acl);
1726 4 : assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1727 : SEC_DESC_SELF_RELATIVE);
1728 4 : assert_int_equal(smb_get_naces(nfs4_acl),
1729 : dacl_to_nfs4_idmap_both[i].num_nfs4_aces);
1730 :
1731 4 : nfs4_ace_container = smb_first_ace4(nfs4_acl);
1732 4 : assert_non_null(nfs4_ace_container);
1733 :
1734 4 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1735 4 : assert_int_equal(nfs4_ace->flags,
1736 : dacl_to_nfs4_idmap_both[i].nfs4_flags);
1737 4 : assert_int_equal(nfs4_ace->aceFlags,
1738 : dacl_to_nfs4_idmap_both[i].nfs4_ace_flags);
1739 4 : if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
1740 1 : assert_int_equal(nfs4_ace->who.special_id,
1741 : dacl_to_nfs4_idmap_both[i].nfs4_id);
1742 3 : } else if (nfs4_ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) {
1743 3 : assert_int_equal(nfs4_ace->who.gid,
1744 : dacl_to_nfs4_idmap_both[i].nfs4_id);
1745 : } else {
1746 0 : assert_int_equal(nfs4_ace->who.uid,
1747 : dacl_to_nfs4_idmap_both[i].nfs4_id);
1748 : }
1749 4 : assert_int_equal(nfs4_ace->aceType,
1750 : SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
1751 4 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1752 :
1753 4 : if (dacl_to_nfs4_idmap_both[i].num_nfs4_aces == 2) {
1754 1 : nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1755 1 : assert_non_null(nfs4_ace_container);
1756 :
1757 1 : nfs4_ace = smb_get_ace4(nfs4_ace_container);
1758 1 : assert_int_equal(nfs4_ace->flags,
1759 : dacl_to_nfs4_idmap_both[i].nfs4_flags);
1760 1 : assert_int_equal(nfs4_ace->aceFlags,
1761 : dacl_to_nfs4_idmap_both[i].nfs4_ace_flags &
1762 : ~SMB_ACE4_IDENTIFIER_GROUP);
1763 1 : if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
1764 1 : assert_int_equal(nfs4_ace->who.special_id,
1765 : SMB_ACE4_WHO_OWNER);
1766 : } else {
1767 0 : assert_int_equal(nfs4_ace->who.uid,
1768 : dacl_to_nfs4_idmap_both[i].nfs4_id);
1769 : }
1770 1 : assert_int_equal(nfs4_ace->aceType,
1771 : SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
1772 1 : assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1773 : }
1774 : }
1775 :
1776 1 : TALLOC_FREE(frame);
1777 1 : }
1778 :
1779 1 : static void test_nfs4_to_dacl_remove_duplicate(void **state)
1780 : {
1781 :
1782 1 : struct dom_sid *sids = *state;
1783 1 : TALLOC_CTX *frame = talloc_stackframe();
1784 1 : struct SMB4ACL_T *nfs4_acl;
1785 1 : SMB_ACE4PROP_T nfs4_ace;
1786 1 : struct security_ace *dacl_aces;
1787 1 : int good_aces;
1788 1 : struct smbacl4_vfs_params params = {
1789 : .mode = e_simple,
1790 : .do_chown = true,
1791 : .acedup = e_dontcare,
1792 : .map_full_control = true,
1793 : };
1794 :
1795 1 : nfs4_acl = smb_create_smb4acl(frame);
1796 1 : assert_non_null(nfs4_acl);
1797 :
1798 1 : nfs4_ace = (SMB_ACE4PROP_T) {
1799 : .flags = 0,
1800 : .who.uid = 1002,
1801 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1802 : .aceFlags = SMB_ACE4_INHERITED_ACE,
1803 : .aceMask = SMB_ACE4_WRITE_DATA,
1804 : };
1805 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1806 :
1807 1 : nfs4_ace = (SMB_ACE4PROP_T) {
1808 : .flags = 0,
1809 : .who.gid = 1002,
1810 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1811 : .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1812 : SMB_ACE4_INHERITED_ACE,
1813 : .aceMask = SMB_ACE4_WRITE_DATA,
1814 : };
1815 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1816 :
1817 1 : nfs4_ace = (SMB_ACE4PROP_T) {
1818 : .flags = 0,
1819 : .who.gid = 1002,
1820 : .aceType = SMB_ACE4_ACCESS_DENIED_ACE_TYPE,
1821 : .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1822 : SMB_ACE4_INHERITED_ACE,
1823 : .aceMask = SMB_ACE4_WRITE_DATA,
1824 : };
1825 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1826 :
1827 1 : nfs4_ace = (SMB_ACE4PROP_T) {
1828 : .flags = 0,
1829 : .who.gid = 1002,
1830 : .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1831 : .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1832 : SMB_ACE4_INHERITED_ACE,
1833 : .aceMask = SMB_ACE4_WRITE_DATA,
1834 : };
1835 1 : assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1836 :
1837 1 : assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1838 : &sids[0], &sids[1], true,
1839 : &dacl_aces, &good_aces));
1840 :
1841 1 : assert_int_equal(good_aces, 2);
1842 1 : assert_non_null(dacl_aces);
1843 :
1844 1 : assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1845 1 : assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_INHERITED_ACE);
1846 1 : assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_WRITE_DATA);
1847 1 : assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[2]));
1848 :
1849 1 : assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_DENIED);
1850 1 : assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_INHERITED_ACE);
1851 1 : assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
1852 1 : assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[2]));
1853 :
1854 1 : TALLOC_FREE(frame);
1855 1 : }
1856 :
1857 1 : int main(int argc, char **argv)
1858 : {
1859 1 : const struct CMUnitTest tests[] = {
1860 : cmocka_unit_test(test_cached_id_mappings),
1861 : cmocka_unit_test(test_empty_nfs4_to_dacl),
1862 : cmocka_unit_test(test_empty_dacl_to_nfs4),
1863 : cmocka_unit_test(test_acl_type_nfs4_to_dacl),
1864 : cmocka_unit_test(test_acl_type_dacl_to_nfs4),
1865 : cmocka_unit_test(test_ace_flags_nfs4_to_dacl),
1866 : cmocka_unit_test(test_ace_flags_dacl_to_nfs4),
1867 : cmocka_unit_test(test_nfs4_permissions_to_dacl),
1868 : cmocka_unit_test(test_dacl_permissions_to_nfs4),
1869 : cmocka_unit_test(test_special_nfs4_to_dacl),
1870 : cmocka_unit_test(test_dacl_to_special_nfs4),
1871 : cmocka_unit_test(test_dacl_creator_to_nfs4),
1872 : cmocka_unit_test(test_nfs4_to_dacl_creator),
1873 : cmocka_unit_test(test_full_control_nfs4_to_dacl),
1874 : cmocka_unit_test(test_dacl_to_nfs4_acedup_settings),
1875 : cmocka_unit_test(test_dacl_to_nfs4_acedup_match),
1876 : cmocka_unit_test(test_dacl_to_nfs4_config_special),
1877 : cmocka_unit_test(test_nfs4_to_dacl_config_special),
1878 : cmocka_unit_test(test_nfs4_to_dacl_idmap_type_both),
1879 : cmocka_unit_test(test_dacl_to_nfs4_idmap_type_both),
1880 : cmocka_unit_test(test_nfs4_to_dacl_remove_duplicate),
1881 : };
1882 :
1883 1 : cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
1884 :
1885 1 : if (argc != 2) {
1886 0 : print_error("Usage: %s smb.conf\n", argv[0]);
1887 0 : exit(1);
1888 : }
1889 :
1890 : /*
1891 : * Initialize enough of the Samba internals to have the
1892 : * mappings tests work.
1893 : */
1894 1 : talloc_stackframe();
1895 1 : lp_load_global(argv[1]);
1896 :
1897 1 : return cmocka_run_group_tests(tests, group_setup, group_teardown);
1898 : }
|
