2 * Unix SMB/CIFS implementation.
4 * Unit test for NFS4 ACL handling
6 * Copyright (C) Christof Schmitt 2019
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "nfs4_acls.c"
23 #include "librpc/gen_ndr/idmap.h"
24 #include "idmap_cache.h"
29 struct unixid unix_id
;
31 { "S-1-5-2-123-456-789-100", { 1000, ID_TYPE_UID
}},
32 { "S-1-5-2-123-456-789-101", { 1001, ID_TYPE_GID
}},
33 { "S-1-5-2-123-456-789-102", { 1002, ID_TYPE_BOTH
}},
34 { SID_CREATOR_OWNER
, { 1003, ID_TYPE_UID
}},
35 { SID_CREATOR_GROUP
, { 1004, ID_TYPE_GID
}},
36 { "S-1-5-2-123-456-789-103", { 1000, ID_TYPE_GID
}},
37 { "S-1-5-2-123-456-789-104", { 1005, ID_TYPE_BOTH
}},
38 { "S-1-5-2-123-456-789-105", { 1006, ID_TYPE_BOTH
}},
39 { "S-1-5-2-123-456-789-106", { 1007, ID_TYPE_BOTH
}},
42 static int group_setup(void **state
)
44 struct dom_sid
*sids
= NULL
;
47 sids
= talloc_array(NULL
, struct dom_sid
, ARRAY_SIZE(test_sids
));
48 assert_non_null(sids
);
50 for (i
= 0; i
< ARRAY_SIZE(test_sids
); i
++) {
51 assert_true(dom_sid_parse(test_sids
[i
].sid_str
, &sids
[i
]));
52 idmap_cache_set_sid2unixid(&sids
[i
], &test_sids
[i
].unix_id
);
61 static int group_teardown(void **state
)
63 struct dom_sid
*sids
= *state
;
66 for (i
= 0; i
< ARRAY_SIZE(test_sids
); i
++) {
67 assert_true(idmap_cache_del_sid(&sids
[i
]));
77 * Run this as first test to verify that the id mappings used by other
78 * tests are available in the cache.
80 static void test_cached_id_mappings(void **state
)
82 struct dom_sid
*sids
= *state
;
85 for (i
= 0; i
< ARRAY_SIZE(test_sids
); i
++) {
86 struct dom_sid
*sid
= &sids
[i
];
87 struct unixid
*unix_id
= &test_sids
[i
].unix_id
;
91 switch(unix_id
->type
) {
93 assert_true(sid_to_uid(sid
, &uid
));
94 assert_int_equal(uid
, unix_id
->id
);
95 assert_false(sid_to_gid(sid
, &gid
));
98 assert_false(sid_to_uid(sid
, &uid
));
99 assert_true(sid_to_gid(sid
, &gid
));
100 assert_int_equal(gid
, unix_id
->id
);
103 assert_true(sid_to_uid(sid
, &uid
));
104 assert_int_equal(uid
, unix_id
->id
);
105 assert_true(sid_to_gid(sid
, &gid
));
106 assert_int_equal(gid
, unix_id
->id
);
109 fail_msg("Unknown id type %d\n", unix_id
->type
);
115 static void test_empty_nfs4_to_dacl(void **state
)
117 struct dom_sid
*sids
= *state
;
118 TALLOC_CTX
*frame
= talloc_stackframe();
119 struct SMB4ACL_T
*nfs4_acl
;
120 struct security_ace
*dacl_aces
;
122 struct smbacl4_vfs_params params
= {
126 .map_full_control
= true,
129 nfs4_acl
= smb_create_smb4acl(frame
);
130 assert_non_null(nfs4_acl
);
132 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
133 &sids
[0], &sids
[1], false,
134 &dacl_aces
, &good_aces
));
136 assert_int_equal(good_aces
, 0);
137 assert_null(dacl_aces
);
142 static void test_empty_dacl_to_nfs4(void **state
)
144 TALLOC_CTX
*frame
= talloc_stackframe();
145 struct SMB4ACL_T
*nfs4_acl
;
146 struct security_acl
*dacl
;
147 struct smbacl4_vfs_params params
= {
151 .map_full_control
= true,
154 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
, 0, NULL
);
155 assert_non_null(dacl
);
157 nfs4_acl
= smbacl4_win2nfs4(frame
, false, dacl
, ¶ms
, 1001, 1002);
159 assert_non_null(nfs4_acl
);
160 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
161 SEC_DESC_SELF_RELATIVE
);
162 assert_int_equal(smb_get_naces(nfs4_acl
), 0);
163 assert_null(smb_first_ace4(nfs4_acl
));
166 struct ace_dacl_type_mapping
{
168 enum security_ace_type dacl_type
;
169 } ace_dacl_type_mapping
[] = {
170 { SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
, SEC_ACE_TYPE_ACCESS_ALLOWED
},
171 { SMB_ACE4_ACCESS_DENIED_ACE_TYPE
, SEC_ACE_TYPE_ACCESS_DENIED
},
174 static void test_acl_type_nfs4_to_dacl(void **state
)
176 struct dom_sid
*sids
= *state
;
177 TALLOC_CTX
*frame
= talloc_stackframe();
180 for (i
= 0; i
< ARRAY_SIZE(ace_dacl_type_mapping
); i
++) {
181 struct SMB4ACL_T
*nfs4_acl
;
182 SMB_ACE4PROP_T nfs4_ace
;
183 struct security_ace
*dacl_aces
;
185 struct smbacl4_vfs_params params
= {
189 .map_full_control
= true,
192 nfs4_acl
= smb_create_smb4acl(frame
);
193 assert_non_null(nfs4_acl
);
195 nfs4_ace
= (SMB_ACE4PROP_T
) {
198 .aceType
= ace_dacl_type_mapping
[i
].nfs4_type
,
200 .aceMask
= SMB_ACE4_READ_DATA
,
202 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
204 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
205 &sids
[2], &sids
[3], false,
206 &dacl_aces
, &good_aces
));
208 assert_int_equal(good_aces
, 1);
209 assert_non_null(dacl_aces
);
211 assert_int_equal(dacl_aces
[0].type
,
212 ace_dacl_type_mapping
[i
].dacl_type
);
213 assert_int_equal(dacl_aces
[0].flags
, 0);
214 assert_int_equal(dacl_aces
[0].access_mask
, SEC_FILE_READ_DATA
);
215 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
, &sids
[0]));
221 static void test_acl_type_dacl_to_nfs4(void **state
)
223 struct dom_sid
*sids
= *state
;
224 TALLOC_CTX
*frame
= talloc_stackframe();
227 for (i
= 0; i
< ARRAY_SIZE(ace_dacl_type_mapping
); i
++) {
228 struct SMB4ACL_T
*nfs4_acl
;
229 struct SMB4ACE_T
*nfs4_ace_container
;
230 SMB_ACE4PROP_T
*nfs4_ace
;
231 struct security_ace dacl_aces
[1];
232 struct security_acl
*dacl
;
233 struct smbacl4_vfs_params params
= {
237 .map_full_control
= true,
240 init_sec_ace(&dacl_aces
[0], &sids
[0],
241 ace_dacl_type_mapping
[i
].dacl_type
,
242 SEC_FILE_READ_DATA
, 0);
243 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
244 ARRAY_SIZE(dacl_aces
), dacl_aces
);
245 assert_non_null(dacl
);
247 nfs4_acl
= smbacl4_win2nfs4(frame
, false, dacl
, ¶ms
,
250 assert_non_null(nfs4_acl
);
251 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
252 SEC_DESC_SELF_RELATIVE
);
253 assert_int_equal(smb_get_naces(nfs4_acl
), 1);
255 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
256 assert_non_null(nfs4_ace_container
);
257 assert_null(smb_next_ace4(nfs4_ace_container
));
259 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
260 assert_int_equal(nfs4_ace
->flags
, 0);
261 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
262 assert_int_equal(nfs4_ace
->aceFlags
, 0);
263 assert_int_equal(nfs4_ace
->aceType
,
264 ace_dacl_type_mapping
[i
].nfs4_type
);
265 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
271 struct ace_flag_mapping_nfs4_to_dacl
{
275 } ace_flags_nfs4_to_dacl
[] = {
276 { true, SMB_ACE4_FILE_INHERIT_ACE
,
277 SEC_ACE_FLAG_OBJECT_INHERIT
},
278 { false, SMB_ACE4_FILE_INHERIT_ACE
,
280 { true, SMB_ACE4_DIRECTORY_INHERIT_ACE
,
281 SEC_ACE_FLAG_CONTAINER_INHERIT
},
282 { false, SMB_ACE4_DIRECTORY_INHERIT_ACE
,
284 { true, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE
,
285 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
},
286 { false, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE
,
287 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
},
288 { true, SMB_ACE4_INHERIT_ONLY_ACE
,
289 SEC_ACE_FLAG_INHERIT_ONLY
},
290 { false, SMB_ACE4_INHERIT_ONLY_ACE
,
291 SEC_ACE_FLAG_INHERIT_ONLY
},
292 { true, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG
,
294 { false, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG
,
296 { true, SMB_ACE4_FAILED_ACCESS_ACE_FLAG
,
298 { false, SMB_ACE4_FAILED_ACCESS_ACE_FLAG
,
300 { true, SMB_ACE4_INHERITED_ACE
,
301 SEC_ACE_FLAG_INHERITED_ACE
},
302 { false, SMB_ACE4_INHERITED_ACE
,
303 SEC_ACE_FLAG_INHERITED_ACE
},
306 static void test_ace_flags_nfs4_to_dacl(void **state
)
308 struct dom_sid
*sids
= *state
;
309 TALLOC_CTX
*frame
= talloc_stackframe();
310 SMB_ACE4PROP_T nfs4_ace
;
313 for (i
= 0; i
< ARRAY_SIZE(ace_flags_nfs4_to_dacl
); i
++) {
314 struct SMB4ACL_T
*nfs4_acl
;
316 struct security_ace
*dacl_aces
;
318 struct smbacl4_vfs_params params
= {
322 .map_full_control
= true,
325 nfs4_acl
= smb_create_smb4acl(frame
);
326 assert_non_null(nfs4_acl
);
328 nfs4_ace
= (SMB_ACE4PROP_T
) {
331 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
332 .aceFlags
= ace_flags_nfs4_to_dacl
[i
].nfs4_flag
,
333 .aceMask
= SMB_ACE4_READ_DATA
,
335 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
337 is_directory
= ace_flags_nfs4_to_dacl
[i
].is_directory
;
339 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
340 &sids
[2], &sids
[3], is_directory
,
341 &dacl_aces
, &good_aces
));
343 assert_int_equal(good_aces
, 1);
344 assert_non_null(dacl_aces
);
346 assert_int_equal(dacl_aces
[0].type
,
347 SEC_ACE_TYPE_ACCESS_ALLOWED
);
348 assert_int_equal(dacl_aces
[0].flags
,
349 ace_flags_nfs4_to_dacl
[i
].dacl_flag
);
350 assert_int_equal(dacl_aces
[0].access_mask
, SEC_FILE_READ_DATA
);
351 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
, &sids
[0]));
357 struct ace_flag_mapping_dacl_to_nfs4
{
361 } ace_flags_dacl_to_nfs4
[] = {
362 { true, SEC_ACE_FLAG_OBJECT_INHERIT
,
363 SMB_ACE4_FILE_INHERIT_ACE
},
364 { false, SEC_ACE_FLAG_OBJECT_INHERIT
,
366 { true, SEC_ACE_FLAG_CONTAINER_INHERIT
,
367 SMB_ACE4_DIRECTORY_INHERIT_ACE
},
368 { false, SEC_ACE_FLAG_CONTAINER_INHERIT
,
370 { true, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
,
371 SMB_ACE4_NO_PROPAGATE_INHERIT_ACE
},
372 { false, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
,
374 { true, SEC_ACE_FLAG_INHERIT_ONLY
,
375 SMB_ACE4_INHERIT_ONLY_ACE
},
376 { false, SEC_ACE_FLAG_INHERIT_ONLY
,
378 { true, SEC_ACE_FLAG_INHERITED_ACE
,
379 SMB_ACE4_INHERITED_ACE
},
380 { false, SEC_ACE_FLAG_INHERITED_ACE
,
381 SMB_ACE4_INHERITED_ACE
},
382 { true, SEC_ACE_FLAG_SUCCESSFUL_ACCESS
,
384 { false, SEC_ACE_FLAG_SUCCESSFUL_ACCESS
,
386 { true, SEC_ACE_FLAG_FAILED_ACCESS
,
388 { false, SEC_ACE_FLAG_FAILED_ACCESS
,
392 static void test_ace_flags_dacl_to_nfs4(void **state
)
394 struct dom_sid
*sids
= *state
;
395 TALLOC_CTX
*frame
= talloc_stackframe();
398 for (i
= 0; i
< ARRAY_SIZE(ace_flags_dacl_to_nfs4
); i
++) {
399 struct SMB4ACL_T
*nfs4_acl
;
400 struct SMB4ACE_T
*nfs4_ace_container
;
401 SMB_ACE4PROP_T
*nfs4_ace
;
403 struct security_ace dacl_aces
[1];
404 struct security_acl
*dacl
;
405 struct smbacl4_vfs_params params
= {
409 .map_full_control
= true,
412 init_sec_ace(&dacl_aces
[0], &sids
[0],
413 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
414 ace_flags_dacl_to_nfs4
[i
].dacl_flag
);
415 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
416 ARRAY_SIZE(dacl_aces
), dacl_aces
);
417 assert_non_null(dacl
);
419 is_directory
= ace_flags_dacl_to_nfs4
[i
].is_directory
;
420 nfs4_acl
= smbacl4_win2nfs4(frame
, is_directory
, dacl
, ¶ms
,
423 assert_non_null(nfs4_acl
);
424 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
425 SEC_DESC_SELF_RELATIVE
);
426 assert_int_equal(smb_get_naces(nfs4_acl
), 1);
428 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
429 assert_non_null(nfs4_ace_container
);
430 assert_null(smb_next_ace4(nfs4_ace_container
));
432 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
433 assert_int_equal(nfs4_ace
->flags
, 0);
434 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
435 assert_int_equal(nfs4_ace
->aceFlags
,
436 ace_flags_dacl_to_nfs4
[i
].nfs4_flag
);
437 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
443 struct ace_perm_mapping
{
446 } perm_table_nfs4_to_dacl
[] = {
447 { SMB_ACE4_READ_DATA
, SEC_FILE_READ_DATA
},
448 { SMB_ACE4_LIST_DIRECTORY
, SEC_DIR_LIST
},
449 { SMB_ACE4_WRITE_DATA
, SEC_FILE_WRITE_DATA
},
450 { SMB_ACE4_ADD_FILE
, SEC_DIR_ADD_FILE
},
451 { SMB_ACE4_APPEND_DATA
, SEC_FILE_APPEND_DATA
},
452 { SMB_ACE4_ADD_SUBDIRECTORY
, SEC_DIR_ADD_SUBDIR
, },
453 { SMB_ACE4_READ_NAMED_ATTRS
, SEC_FILE_READ_EA
},
454 { SMB_ACE4_READ_NAMED_ATTRS
, SEC_DIR_READ_EA
},
455 { SMB_ACE4_WRITE_NAMED_ATTRS
, SEC_FILE_WRITE_EA
},
456 { SMB_ACE4_WRITE_NAMED_ATTRS
, SEC_DIR_WRITE_EA
},
457 { SMB_ACE4_EXECUTE
, SEC_FILE_EXECUTE
},
458 { SMB_ACE4_EXECUTE
, SEC_DIR_TRAVERSE
},
459 { SMB_ACE4_DELETE_CHILD
, SEC_DIR_DELETE_CHILD
},
460 { SMB_ACE4_READ_ATTRIBUTES
, SEC_FILE_READ_ATTRIBUTE
},
461 { SMB_ACE4_READ_ATTRIBUTES
, SEC_DIR_READ_ATTRIBUTE
},
462 { SMB_ACE4_WRITE_ATTRIBUTES
, SEC_FILE_WRITE_ATTRIBUTE
},
463 { SMB_ACE4_WRITE_ATTRIBUTES
, SEC_DIR_WRITE_ATTRIBUTE
},
464 { SMB_ACE4_DELETE
, SEC_STD_DELETE
},
465 { SMB_ACE4_READ_ACL
, SEC_STD_READ_CONTROL
},
466 { SMB_ACE4_WRITE_ACL
, SEC_STD_WRITE_DAC
, },
467 { SMB_ACE4_WRITE_OWNER
, SEC_STD_WRITE_OWNER
},
468 { SMB_ACE4_SYNCHRONIZE
, SEC_STD_SYNCHRONIZE
},
471 static void test_nfs4_permissions_to_dacl(void **state
)
473 struct dom_sid
*sids
= *state
;
474 TALLOC_CTX
*frame
= talloc_stackframe();
477 for (i
= 0; i
< ARRAY_SIZE(perm_table_nfs4_to_dacl
); i
++) {
478 struct SMB4ACL_T
*nfs4_acl
;
479 SMB_ACE4PROP_T nfs4_ace
;
480 struct security_ace
*dacl_aces
;
482 struct smbacl4_vfs_params params
= {
486 .map_full_control
= true,
489 nfs4_acl
= smb_create_smb4acl(frame
);
490 assert_non_null(nfs4_acl
);
492 nfs4_ace
= (SMB_ACE4PROP_T
) {
495 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
497 .aceMask
= perm_table_nfs4_to_dacl
[i
].nfs4_perm
,
499 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
501 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
502 &sids
[0], &sids
[1], false,
503 &dacl_aces
, &good_aces
));
505 assert_int_equal(good_aces
, 1);
506 assert_non_null(dacl_aces
);
508 assert_int_equal(dacl_aces
[0].type
,
509 SEC_ACE_TYPE_ACCESS_ALLOWED
);
510 assert_int_equal(dacl_aces
[0].flags
, 0);
511 assert_int_equal(dacl_aces
[0].access_mask
,
512 perm_table_nfs4_to_dacl
[i
].dacl_perm
);
513 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
, &sids
[0]));
519 struct ace_perm_mapping_dacl_to_nfs4
{
522 } perm_table_dacl_to_nfs4
[] = {
523 { SEC_FILE_READ_DATA
, SMB_ACE4_READ_DATA
, },
524 { SEC_DIR_LIST
, SMB_ACE4_LIST_DIRECTORY
, },
525 { SEC_FILE_WRITE_DATA
, SMB_ACE4_WRITE_DATA
, },
526 { SEC_DIR_ADD_FILE
, SMB_ACE4_ADD_FILE
, },
527 { SEC_FILE_APPEND_DATA
, SMB_ACE4_APPEND_DATA
, },
528 { SEC_DIR_ADD_SUBDIR
, SMB_ACE4_ADD_SUBDIRECTORY
, },
529 { SEC_FILE_READ_EA
, SMB_ACE4_READ_NAMED_ATTRS
, },
530 { SEC_DIR_READ_EA
, SMB_ACE4_READ_NAMED_ATTRS
, },
531 { SEC_FILE_WRITE_EA
, SMB_ACE4_WRITE_NAMED_ATTRS
, },
532 { SEC_DIR_WRITE_EA
, SMB_ACE4_WRITE_NAMED_ATTRS
, },
533 { SEC_FILE_EXECUTE
, SMB_ACE4_EXECUTE
, },
534 { SEC_DIR_TRAVERSE
, SMB_ACE4_EXECUTE
, },
535 { SEC_DIR_DELETE_CHILD
, SMB_ACE4_DELETE_CHILD
, },
536 { SEC_FILE_READ_ATTRIBUTE
, SMB_ACE4_READ_ATTRIBUTES
, },
537 { SEC_DIR_READ_ATTRIBUTE
, SMB_ACE4_READ_ATTRIBUTES
, },
538 { SEC_FILE_WRITE_ATTRIBUTE
, SMB_ACE4_WRITE_ATTRIBUTES
, },
539 { SEC_DIR_WRITE_ATTRIBUTE
, SMB_ACE4_WRITE_ATTRIBUTES
, },
540 { SEC_STD_DELETE
, SMB_ACE4_DELETE
, },
541 { SEC_STD_READ_CONTROL
, SMB_ACE4_READ_ACL
, },
542 { SEC_STD_WRITE_DAC
, SMB_ACE4_WRITE_ACL
, },
543 { SEC_STD_WRITE_OWNER
, SMB_ACE4_WRITE_OWNER
, },
544 { SEC_STD_SYNCHRONIZE
, SMB_ACE4_SYNCHRONIZE
, },
545 { SEC_GENERIC_READ
, SMB_ACE4_READ_ACL
|
547 SMB_ACE4_READ_ATTRIBUTES
|
548 SMB_ACE4_READ_NAMED_ATTRS
|
549 SMB_ACE4_SYNCHRONIZE
},
550 { SEC_GENERIC_WRITE
, SMB_ACE4_WRITE_ACL
|
552 SMB_ACE4_WRITE_ATTRIBUTES
|
553 SMB_ACE4_WRITE_NAMED_ATTRS
|
554 SMB_ACE4_SYNCHRONIZE
},
555 { SEC_GENERIC_EXECUTE
, SMB_ACE4_READ_ACL
|
556 SMB_ACE4_READ_ATTRIBUTES
|
558 SMB_ACE4_SYNCHRONIZE
},
559 { SEC_GENERIC_ALL
, SMB_ACE4_DELETE
|
562 SMB_ACE4_WRITE_OWNER
|
563 SMB_ACE4_SYNCHRONIZE
|
564 SMB_ACE4_WRITE_ATTRIBUTES
|
565 SMB_ACE4_READ_ATTRIBUTES
|
567 SMB_ACE4_READ_NAMED_ATTRS
|
568 SMB_ACE4_WRITE_NAMED_ATTRS
|
570 SMB_ACE4_APPEND_DATA
|
572 SMB_ACE4_DELETE_CHILD
},
575 static void test_dacl_permissions_to_nfs4(void **state
)
577 struct dom_sid
*sids
= *state
;
578 TALLOC_CTX
*frame
= talloc_stackframe();
581 for (i
= 0; i
< ARRAY_SIZE(perm_table_nfs4_to_dacl
); i
++) {
582 struct SMB4ACL_T
*nfs4_acl
;
583 struct SMB4ACE_T
*nfs4_ace_container
;
584 SMB_ACE4PROP_T
*nfs4_ace
;
585 struct smbacl4_vfs_params params
= {
589 .map_full_control
= true,
591 struct security_ace dacl_aces
[1];
592 struct security_acl
*dacl
;
594 init_sec_ace(&dacl_aces
[0], &sids
[0],
595 SEC_ACE_TYPE_ACCESS_ALLOWED
,
596 perm_table_dacl_to_nfs4
[i
].dacl_perm
, 0);
597 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
598 ARRAY_SIZE(dacl_aces
), dacl_aces
);
599 assert_non_null(dacl
);
601 nfs4_acl
= smbacl4_win2nfs4(frame
, false, dacl
, ¶ms
,
604 assert_non_null(nfs4_acl
);
605 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
606 SEC_DESC_SELF_RELATIVE
);
607 assert_int_equal(smb_get_naces(nfs4_acl
), 1);
609 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
610 assert_non_null(nfs4_ace_container
);
611 assert_null(smb_next_ace4(nfs4_ace_container
));
613 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
614 assert_int_equal(nfs4_ace
->flags
, 0);
615 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
616 assert_int_equal(nfs4_ace
->aceFlags
, 0);
617 assert_int_equal(nfs4_ace
->aceMask
,
618 perm_table_dacl_to_nfs4
[i
].nfs4_perm
);
625 * Create NFS4 ACL with all possible "special" entries. Verify that
626 * the ones that should be mapped to a DACL are mapped and the other
629 static void test_special_nfs4_to_dacl(void **state
)
631 struct dom_sid
*sids
= *state
;
632 TALLOC_CTX
*frame
= talloc_stackframe();
633 struct SMB4ACL_T
*nfs4_acl
;
634 SMB_ACE4PROP_T nfs4_ace
;
635 struct security_ace
*dacl_aces
;
637 struct smbacl4_vfs_params params
= {
641 .map_full_control
= true,
644 nfs4_acl
= smb_create_smb4acl(frame
);
645 assert_non_null(nfs4_acl
);
647 nfs4_ace
= (SMB_ACE4PROP_T
) {
648 .flags
= SMB_ACE4_ID_SPECIAL
,
649 .who
.special_id
= SMB_ACE4_WHO_OWNER
,
650 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
652 .aceMask
= SMB_ACE4_READ_DATA
,
654 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
656 nfs4_ace
= (SMB_ACE4PROP_T
) {
657 .flags
= SMB_ACE4_ID_SPECIAL
,
658 .who
.special_id
= SMB_ACE4_WHO_GROUP
,
659 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
661 .aceMask
= SMB_ACE4_WRITE_DATA
,
663 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
665 nfs4_ace
= (SMB_ACE4PROP_T
) {
666 .flags
= SMB_ACE4_ID_SPECIAL
,
667 .who
.special_id
= SMB_ACE4_WHO_EVERYONE
,
668 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
670 .aceMask
= SMB_ACE4_APPEND_DATA
,
672 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
674 nfs4_ace
= (SMB_ACE4PROP_T
) {
675 .flags
= SMB_ACE4_ID_SPECIAL
,
676 .who
.special_id
= SMB_ACE4_WHO_INTERACTIVE
,
677 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
679 .aceMask
= SMB_ACE4_READ_NAMED_ATTRS
,
681 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
683 nfs4_ace
= (SMB_ACE4PROP_T
) {
684 .flags
= SMB_ACE4_ID_SPECIAL
,
685 .who
.special_id
= SMB_ACE4_WHO_NETWORK
,
686 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
688 .aceMask
= SMB_ACE4_WRITE_NAMED_ATTRS
,
690 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
692 nfs4_ace
= (SMB_ACE4PROP_T
) {
693 .flags
= SMB_ACE4_ID_SPECIAL
,
694 .who
.special_id
= SMB_ACE4_WHO_DIALUP
,
695 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
697 .aceMask
= SMB_ACE4_EXECUTE
,
699 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
701 nfs4_ace
= (SMB_ACE4PROP_T
) {
702 .flags
= SMB_ACE4_ID_SPECIAL
,
703 .who
.special_id
= SMB_ACE4_WHO_BATCH
,
704 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
706 .aceMask
= SMB_ACE4_READ_ATTRIBUTES
,
708 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
710 nfs4_ace
= (SMB_ACE4PROP_T
) {
711 .flags
= SMB_ACE4_ID_SPECIAL
,
712 .who
.special_id
= SMB_ACE4_WHO_ANONYMOUS
,
713 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
715 .aceMask
= SMB_ACE4_WRITE_ATTRIBUTES
,
717 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
719 nfs4_ace
= (SMB_ACE4PROP_T
) {
720 .flags
= SMB_ACE4_ID_SPECIAL
,
721 .who
.special_id
= SMB_ACE4_WHO_AUTHENTICATED
,
722 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
724 .aceMask
= SMB_ACE4_READ_ACL
,
726 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
728 nfs4_ace
= (SMB_ACE4PROP_T
) {
729 .flags
= SMB_ACE4_ID_SPECIAL
,
730 .who
.special_id
= SMB_ACE4_WHO_SERVICE
,
731 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
733 .aceMask
= SMB_ACE4_WRITE_ACL
,
735 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
737 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
738 &sids
[0], &sids
[1], false,
739 &dacl_aces
, &good_aces
));
741 assert_int_equal(good_aces
, 3);
742 assert_non_null(dacl_aces
);
744 assert_int_equal(dacl_aces
[0].type
, SEC_ACE_TYPE_ACCESS_ALLOWED
);
745 assert_int_equal(dacl_aces
[0].flags
, 0);
746 assert_int_equal(dacl_aces
[0].access_mask
, SEC_FILE_READ_DATA
);
747 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
, &sids
[0]));
749 assert_int_equal(dacl_aces
[1].type
, SEC_ACE_TYPE_ACCESS_ALLOWED
);
750 assert_int_equal(dacl_aces
[1].flags
, 0);
751 assert_int_equal(dacl_aces
[1].access_mask
, SEC_FILE_WRITE_DATA
);
752 assert_true(dom_sid_equal(&dacl_aces
[1].trustee
, &sids
[1]));
754 assert_int_equal(dacl_aces
[2].type
, SEC_ACE_TYPE_ACCESS_ALLOWED
);
755 assert_int_equal(dacl_aces
[2].flags
, 0);
756 assert_int_equal(dacl_aces
[2].access_mask
, SEC_FILE_APPEND_DATA
);
757 assert_true(dom_sid_equal(&dacl_aces
[2].trustee
, &global_sid_World
));
762 static void test_dacl_to_special_nfs4(void **state
)
764 struct dom_sid
*sids
= *state
;
765 TALLOC_CTX
*frame
= talloc_stackframe();
766 struct SMB4ACL_T
*nfs4_acl
;
767 struct SMB4ACE_T
*nfs4_ace_container
;
768 SMB_ACE4PROP_T
*nfs4_ace
;
769 struct security_ace dacl_aces
[6];
770 struct security_acl
*dacl
;
771 struct smbacl4_vfs_params params
= {
774 .acedup
= e_dontcare
,
775 .map_full_control
= true,
779 * global_Sid_World is mapped to EVERYONE.
781 init_sec_ace(&dacl_aces
[0], &global_sid_World
,
782 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_WRITE_DATA
, 0);
784 * global_sid_Unix_NFS is ignored.
786 init_sec_ace(&dacl_aces
[1], &global_sid_Unix_NFS
,
787 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
, 0);
789 * Anything that maps to owner or owning group with inheritance flags
790 * is NOT mapped to special owner or special group.
792 init_sec_ace(&dacl_aces
[2], &sids
[0],
793 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
794 SEC_ACE_FLAG_OBJECT_INHERIT
);
795 init_sec_ace(&dacl_aces
[3], &sids
[0],
796 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
797 SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
);
798 init_sec_ace(&dacl_aces
[4], &sids
[1],
799 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
800 SEC_ACE_FLAG_OBJECT_INHERIT
);
801 init_sec_ace(&dacl_aces
[5], &sids
[1],
802 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
803 SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
);
804 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
805 ARRAY_SIZE(dacl_aces
), dacl_aces
);
806 assert_non_null(dacl
);
808 nfs4_acl
= smbacl4_win2nfs4(frame
, true, dacl
, ¶ms
, 1000, 1001);
810 assert_non_null(nfs4_acl
);
811 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
812 SEC_DESC_SELF_RELATIVE
);
813 assert_int_equal(smb_get_naces(nfs4_acl
), 5);
815 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
816 assert_non_null(nfs4_ace_container
);
818 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
819 assert_int_equal(nfs4_ace
->flags
, SMB_ACE4_ID_SPECIAL
);
820 assert_int_equal(nfs4_ace
->who
.special_id
, SMB_ACE4_WHO_EVERYONE
);
821 assert_int_equal(nfs4_ace
->aceFlags
, 0);
822 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_WRITE_DATA
);
824 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
825 assert_non_null(nfs4_ace_container
);
827 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
828 assert_int_equal(nfs4_ace
->flags
, 0);
829 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
830 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_FILE_INHERIT_ACE
);
831 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
833 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
834 assert_non_null(nfs4_ace_container
);
836 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
837 assert_int_equal(nfs4_ace
->flags
, 0);
838 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
839 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_DIRECTORY_INHERIT_ACE
|
840 SMB_ACE4_INHERIT_ONLY_ACE
);
841 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
843 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
844 assert_non_null(nfs4_ace_container
);
846 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
847 assert_int_equal(nfs4_ace
->flags
, 0);
848 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_IDENTIFIER_GROUP
|
849 SMB_ACE4_FILE_INHERIT_ACE
);
850 assert_int_equal(nfs4_ace
->who
.gid
, 1001);
851 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
853 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
854 assert_non_null(nfs4_ace_container
);
856 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
857 assert_int_equal(nfs4_ace
->flags
, 0);
858 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_IDENTIFIER_GROUP
|
859 SMB_ACE4_DIRECTORY_INHERIT_ACE
|
860 SMB_ACE4_INHERIT_ONLY_ACE
);
861 assert_int_equal(nfs4_ace
->who
.gid
, 1001);
862 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
864 assert_null(smb_next_ace4(nfs4_ace_container
));
869 struct creator_ace_flags
{
872 } creator_ace_flags
[] = {
875 { SEC_ACE_FLAG_INHERIT_ONLY
, 0 },
877 { SEC_ACE_FLAG_CONTAINER_INHERIT
, SMB_ACE4_DIRECTORY_INHERIT_ACE
|
878 SMB_ACE4_INHERIT_ONLY_ACE
},
880 { SEC_ACE_FLAG_CONTAINER_INHERIT
|
881 SEC_ACE_FLAG_INHERIT_ONLY
, SMB_ACE4_DIRECTORY_INHERIT_ACE
|
882 SMB_ACE4_INHERIT_ONLY_ACE
},
884 { SEC_ACE_FLAG_OBJECT_INHERIT
, SMB_ACE4_FILE_INHERIT_ACE
|
885 SMB_ACE4_INHERIT_ONLY_ACE
},
886 { SEC_ACE_FLAG_OBJECT_INHERIT
|
887 SEC_ACE_FLAG_INHERIT_ONLY
, SMB_ACE4_FILE_INHERIT_ACE
|
888 SMB_ACE4_INHERIT_ONLY_ACE
},
890 { SEC_ACE_FLAG_CONTAINER_INHERIT
|
891 SEC_ACE_FLAG_OBJECT_INHERIT
, SMB_ACE4_DIRECTORY_INHERIT_ACE
|
892 SMB_ACE4_FILE_INHERIT_ACE
|
893 SMB_ACE4_INHERIT_ONLY_ACE
},
895 { SEC_ACE_FLAG_CONTAINER_INHERIT
|
896 SEC_ACE_FLAG_OBJECT_INHERIT
|
897 SEC_ACE_FLAG_INHERIT_ONLY
, SMB_ACE4_DIRECTORY_INHERIT_ACE
|
898 SMB_ACE4_FILE_INHERIT_ACE
|
899 SMB_ACE4_INHERIT_ONLY_ACE
},
902 static void test_dacl_creator_to_nfs4(void **state
)
904 TALLOC_CTX
*frame
= talloc_stackframe();
907 for (i
= 0; i
< ARRAY_SIZE(creator_ace_flags
); i
++) {
908 struct SMB4ACL_T
*nfs4_acl
;
909 struct SMB4ACE_T
*nfs4_ace_container
;
910 SMB_ACE4PROP_T
*nfs4_ace
;
911 struct security_ace dacl_aces
[2];
912 struct security_acl
*dacl
;
913 struct smbacl4_vfs_params params
= {
917 .map_full_control
= true,
920 init_sec_ace(&dacl_aces
[0], &global_sid_Creator_Owner
,
921 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
922 creator_ace_flags
[i
].dacl_flags
);
923 init_sec_ace(&dacl_aces
[1], &global_sid_Creator_Group
,
924 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
925 creator_ace_flags
[i
].dacl_flags
);
926 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
927 ARRAY_SIZE(dacl_aces
), dacl_aces
);
928 assert_non_null(dacl
);
930 nfs4_acl
= smbacl4_win2nfs4(frame
, true, dacl
, ¶ms
,
933 assert_non_null(nfs4_acl
);
934 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
935 SEC_DESC_SELF_RELATIVE
);
937 if (creator_ace_flags
[i
].nfs4_flags
== 0) {
939 * CREATOR OWNER and CREATOR GROUP not mapped
942 assert_null(smb_first_ace4(nfs4_acl
));
944 assert_int_equal(smb_get_naces(nfs4_acl
), 2);
946 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
947 assert_non_null(nfs4_ace_container
);
949 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
950 assert_non_null(nfs4_ace
);
951 assert_int_equal(nfs4_ace
->flags
, SMB_ACE4_ID_SPECIAL
);
952 assert_int_equal(nfs4_ace
->who
.special_id
,
954 assert_int_equal(nfs4_ace
->aceFlags
,
955 creator_ace_flags
[i
].nfs4_flags
);
956 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
958 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
959 assert_non_null(nfs4_ace_container
);
960 assert_null(smb_next_ace4(nfs4_ace_container
));
962 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
963 assert_non_null(nfs4_ace
);
964 assert_int_equal(nfs4_ace
->flags
, SMB_ACE4_ID_SPECIAL
);
965 assert_int_equal(nfs4_ace
->who
.special_id
,
967 assert_int_equal(nfs4_ace
->aceFlags
,
968 creator_ace_flags
[i
].nfs4_flags
);
969 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
976 struct creator_owner_nfs4_to_dacl
{
978 uint32_t nfs4_ace_flags
;
979 uint32_t dacl_ace_flags
;
980 } creator_owner_nfs4_to_dacl
[] = {
981 { SMB_ACE4_WHO_OWNER
,
982 SMB_ACE4_FILE_INHERIT_ACE
,
983 SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
},
984 { SMB_ACE4_WHO_OWNER
,
985 SMB_ACE4_DIRECTORY_INHERIT_ACE
,
986 SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
},
987 { SMB_ACE4_WHO_OWNER
,
988 SMB_ACE4_FILE_INHERIT_ACE
|SMB_ACE4_DIRECTORY_INHERIT_ACE
,
989 SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|
990 SEC_ACE_FLAG_INHERIT_ONLY
},
991 { SMB_ACE4_WHO_GROUP
,
992 SMB_ACE4_FILE_INHERIT_ACE
,
993 SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
},
994 { SMB_ACE4_WHO_GROUP
,
995 SMB_ACE4_DIRECTORY_INHERIT_ACE
,
996 SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
},
997 { SMB_ACE4_WHO_GROUP
,
998 SMB_ACE4_FILE_INHERIT_ACE
|SMB_ACE4_DIRECTORY_INHERIT_ACE
,
999 SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|
1000 SEC_ACE_FLAG_INHERIT_ONLY
},
1003 static void test_nfs4_to_dacl_creator(void **state
)
1005 struct dom_sid
*sids
= *state
;
1006 TALLOC_CTX
*frame
= talloc_stackframe();
1009 for (i
= 0; i
< ARRAY_SIZE(creator_owner_nfs4_to_dacl
); i
++) {
1010 struct SMB4ACL_T
*nfs4_acl
;
1011 SMB_ACE4PROP_T nfs4_ace
;
1012 struct security_ace
*dacl_aces
, *creator_dacl_ace
;
1014 struct smbacl4_vfs_params params
= {
1018 .map_full_control
= true,
1021 nfs4_acl
= smb_create_smb4acl(frame
);
1022 assert_non_null(nfs4_acl
);
1024 nfs4_ace
= (SMB_ACE4PROP_T
) {
1025 .flags
= SMB_ACE4_ID_SPECIAL
,
1027 = creator_owner_nfs4_to_dacl
[i
].special_id
,
1028 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1030 = creator_owner_nfs4_to_dacl
[i
].nfs4_ace_flags
,
1031 .aceMask
= SMB_ACE4_READ_DATA
,
1033 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1035 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
1036 &sids
[0], &sids
[1], true,
1037 &dacl_aces
, &good_aces
));
1038 assert_non_null(dacl_aces
);
1040 if (creator_owner_nfs4_to_dacl
[i
].nfs4_ace_flags
&
1041 SMB_ACE4_INHERIT_ONLY_ACE
) {
1043 * Only one ACE entry for the CREATOR ACE entry.
1045 assert_int_equal(good_aces
, 1);
1046 creator_dacl_ace
= &dacl_aces
[0];
1049 * This creates an additional ACE entry for
1050 * the permissions on the current object.
1052 assert_int_equal(good_aces
, 2);
1054 assert_int_equal(dacl_aces
[0].type
,
1055 SEC_ACE_TYPE_ACCESS_ALLOWED
);
1056 assert_int_equal(dacl_aces
[0].flags
, 0);
1057 assert_int_equal(dacl_aces
[0].access_mask
,
1058 SEC_FILE_READ_DATA
);
1060 if (creator_owner_nfs4_to_dacl
[i
].special_id
==
1061 SMB_ACE4_WHO_OWNER
) {
1062 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
,
1066 if (creator_owner_nfs4_to_dacl
[i
].special_id
==
1067 SMB_ACE4_WHO_GROUP
) {
1068 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
,
1072 creator_dacl_ace
= &dacl_aces
[1];
1075 assert_int_equal(creator_dacl_ace
->type
,
1076 SEC_ACE_TYPE_ACCESS_ALLOWED
);
1077 assert_int_equal(creator_dacl_ace
->flags
,
1078 creator_owner_nfs4_to_dacl
[i
].dacl_ace_flags
);
1079 assert_int_equal(creator_dacl_ace
->access_mask
,
1080 SEC_FILE_READ_DATA
);
1081 if (creator_owner_nfs4_to_dacl
[i
].special_id
==
1082 SMB_ACE4_WHO_OWNER
) {
1083 assert_true(dom_sid_equal(&creator_dacl_ace
->trustee
,
1084 &global_sid_Creator_Owner
));
1087 if (creator_owner_nfs4_to_dacl
[i
].special_id
==
1088 SMB_ACE4_WHO_GROUP
) {
1089 assert_true(dom_sid_equal(&creator_dacl_ace
->trustee
,
1090 &global_sid_Creator_Group
));
1097 struct nfs4_to_dacl_map_full_control
{
1100 bool delete_child_added
;
1101 } nfs4_to_dacl_full_control
[] = {
1102 { true, true, false },
1103 { true, false, false },
1104 { false, true, true },
1105 { false, false, false },
1108 static void test_full_control_nfs4_to_dacl(void **state
)
1110 struct dom_sid
*sids
= *state
;
1111 TALLOC_CTX
*frame
= talloc_stackframe();
1114 for (i
= 0; i
< ARRAY_SIZE(nfs4_to_dacl_full_control
); i
++) {
1115 struct SMB4ACL_T
*nfs4_acl
;
1116 SMB_ACE4PROP_T nfs4_ace
;
1117 struct security_ace
*dacl_aces
;
1119 struct smbacl4_vfs_params params
= {
1123 .map_full_control
= nfs4_to_dacl_full_control
[i
].config
,
1125 const uint32_t nfs4_ace_mask_except_deletes
=
1126 SMB_ACE4_READ_DATA
|SMB_ACE4_WRITE_DATA
|
1127 SMB_ACE4_APPEND_DATA
|SMB_ACE4_READ_NAMED_ATTRS
|
1128 SMB_ACE4_WRITE_NAMED_ATTRS
|SMB_ACE4_EXECUTE
|
1129 SMB_ACE4_READ_ATTRIBUTES
|SMB_ACE4_WRITE_ATTRIBUTES
|
1130 SMB_ACE4_READ_ACL
|SMB_ACE4_WRITE_ACL
|
1131 SMB_ACE4_WRITE_OWNER
|SMB_ACE4_SYNCHRONIZE
;
1132 const uint32_t dacl_ace_mask_except_deletes
=
1133 SEC_FILE_READ_DATA
|SEC_FILE_WRITE_DATA
|
1134 SEC_FILE_APPEND_DATA
|SEC_FILE_READ_EA
|
1135 SEC_FILE_WRITE_EA
|SEC_FILE_EXECUTE
|
1136 SEC_FILE_READ_ATTRIBUTE
|SEC_FILE_WRITE_ATTRIBUTE
|
1137 SEC_STD_READ_CONTROL
|SEC_STD_WRITE_DAC
|
1138 SEC_STD_WRITE_OWNER
|SEC_STD_SYNCHRONIZE
;
1140 nfs4_acl
= smb_create_smb4acl(frame
);
1141 assert_non_null(nfs4_acl
);
1143 nfs4_ace
= (SMB_ACE4PROP_T
) {
1146 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1148 .aceMask
= nfs4_ace_mask_except_deletes
,
1150 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1153 smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
1155 nfs4_to_dacl_full_control
[i
].is_dir
,
1156 &dacl_aces
, &good_aces
));
1158 assert_int_equal(good_aces
, 1);
1159 assert_non_null(dacl_aces
);
1161 assert_int_equal(dacl_aces
[0].type
,
1162 SEC_ACE_TYPE_ACCESS_ALLOWED
);
1163 assert_int_equal(dacl_aces
[0].flags
, 0);
1164 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
, &sids
[0]));
1165 if (nfs4_to_dacl_full_control
[i
].delete_child_added
) {
1166 assert_int_equal(dacl_aces
[0].access_mask
,
1167 dacl_ace_mask_except_deletes
|
1168 SEC_DIR_DELETE_CHILD
);
1170 assert_int_equal(dacl_aces
[0].access_mask
,
1171 dacl_ace_mask_except_deletes
);
1178 struct acedup_settings
{
1179 enum smbacl4_acedup_enum setting
;
1180 } acedup_settings
[] = {
1187 static void test_dacl_to_nfs4_acedup_settings(void **state
)
1189 struct dom_sid
*sids
= *state
;
1190 TALLOC_CTX
*frame
= talloc_stackframe();
1193 for (i
= 0; i
< ARRAY_SIZE(acedup_settings
); i
++) {
1194 struct SMB4ACL_T
*nfs4_acl
;
1195 struct SMB4ACE_T
*nfs4_ace_container
;
1196 SMB_ACE4PROP_T
*nfs4_ace
;
1197 struct security_ace dacl_aces
[2];
1198 struct security_acl
*dacl
;
1199 struct smbacl4_vfs_params params
= {
1202 .acedup
= acedup_settings
[i
].setting
,
1203 .map_full_control
= true,
1206 init_sec_ace(&dacl_aces
[0], &sids
[0],
1207 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1208 SEC_ACE_FLAG_OBJECT_INHERIT
);
1209 init_sec_ace(&dacl_aces
[1], &sids
[0],
1210 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_WRITE_DATA
,
1211 SEC_ACE_FLAG_OBJECT_INHERIT
);
1212 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
1213 ARRAY_SIZE(dacl_aces
), dacl_aces
);
1214 assert_non_null(dacl
);
1216 nfs4_acl
= smbacl4_win2nfs4(frame
, true, dacl
, ¶ms
,
1219 switch(params
.acedup
) {
1221 assert_non_null(nfs4_acl
);
1222 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
1223 SEC_DESC_SELF_RELATIVE
);
1224 assert_int_equal(smb_get_naces(nfs4_acl
), 2);
1226 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
1227 assert_non_null(nfs4_ace_container
);
1229 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1230 assert_int_equal(nfs4_ace
->flags
, 0);
1231 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
1232 assert_int_equal(nfs4_ace
->aceFlags
,
1233 SMB_ACE4_FILE_INHERIT_ACE
);
1234 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1236 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1237 assert_non_null(nfs4_ace_container
);
1238 assert_null(smb_next_ace4(nfs4_ace_container
));
1240 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1241 assert_int_equal(nfs4_ace
->flags
, 0);
1242 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
1243 assert_int_equal(nfs4_ace
->aceFlags
,
1244 SMB_ACE4_FILE_INHERIT_ACE
);
1245 assert_int_equal(nfs4_ace
->aceMask
,
1246 SMB_ACE4_WRITE_DATA
);
1250 assert_null(nfs4_acl
);
1251 assert_int_equal(errno
, EINVAL
);
1255 assert_non_null(nfs4_acl
);
1256 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
1257 SEC_DESC_SELF_RELATIVE
);
1258 assert_int_equal(smb_get_naces(nfs4_acl
), 1);
1260 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
1261 assert_non_null(nfs4_ace_container
);
1262 assert_null(smb_next_ace4(nfs4_ace_container
));
1264 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1265 assert_int_equal(nfs4_ace
->flags
, 0);
1266 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
1267 assert_int_equal(nfs4_ace
->aceFlags
,
1268 SMB_ACE4_FILE_INHERIT_ACE
);
1269 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1273 assert_non_null(nfs4_acl
);
1274 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
1275 SEC_DESC_SELF_RELATIVE
);
1276 assert_int_equal(smb_get_naces(nfs4_acl
), 1);
1278 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
1279 assert_non_null(nfs4_ace_container
);
1280 assert_null(smb_next_ace4(nfs4_ace_container
));
1282 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1283 assert_int_equal(nfs4_ace
->flags
, 0);
1284 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
1285 assert_int_equal(nfs4_ace
->aceFlags
,
1286 SMB_ACE4_FILE_INHERIT_ACE
);
1287 assert_int_equal(nfs4_ace
->aceMask
,
1289 SMB_ACE4_WRITE_DATA
);
1293 fail_msg("Unexpected value for acedup: %d\n",
1301 struct acedup_match
{
1303 enum security_ace_type type1
;
1307 enum security_ace_type type2
;
1311 } acedup_match
[] = {
1312 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1313 SEC_ACE_FLAG_OBJECT_INHERIT
,
1314 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1315 SEC_ACE_FLAG_OBJECT_INHERIT
,
1317 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1318 SEC_ACE_FLAG_OBJECT_INHERIT
,
1319 1, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1320 SEC_ACE_FLAG_OBJECT_INHERIT
,
1322 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1323 SEC_ACE_FLAG_OBJECT_INHERIT
,
1324 0, SEC_ACE_TYPE_ACCESS_DENIED
, SEC_FILE_READ_DATA
,
1325 SEC_ACE_FLAG_OBJECT_INHERIT
,
1327 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1328 SEC_ACE_FLAG_OBJECT_INHERIT
,
1329 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_WRITE_DATA
,
1330 SEC_ACE_FLAG_OBJECT_INHERIT
,
1332 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1333 SEC_ACE_FLAG_OBJECT_INHERIT
,
1334 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1335 SEC_ACE_FLAG_CONTAINER_INHERIT
,
1337 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1338 SEC_ACE_FLAG_OBJECT_INHERIT
,
1339 5, SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1340 SEC_ACE_FLAG_OBJECT_INHERIT
,
1344 static void test_dacl_to_nfs4_acedup_match(void **state
)
1346 struct dom_sid
*sids
= *state
;
1347 TALLOC_CTX
*frame
= talloc_stackframe();
1350 for (i
= 0; i
< ARRAY_SIZE(acedup_match
); i
++) {
1351 struct SMB4ACL_T
*nfs4_acl
;
1352 struct SMB4ACE_T
*nfs4_ace_container
;
1353 SMB_ACE4PROP_T
*nfs4_ace
;
1354 struct security_ace dacl_aces
[2];
1355 struct security_acl
*dacl
;
1356 struct smbacl4_vfs_params params
= {
1360 .map_full_control
= true,
1363 init_sec_ace(&dacl_aces
[0],
1364 &sids
[acedup_match
[i
].sid_idx1
],
1365 acedup_match
[i
].type1
,
1366 acedup_match
[i
].ace_mask1
,
1367 acedup_match
[i
].flag1
);
1368 init_sec_ace(&dacl_aces
[1],
1369 &sids
[acedup_match
[i
].sid_idx2
],
1370 acedup_match
[i
].type2
,
1371 acedup_match
[i
].ace_mask2
,
1372 acedup_match
[i
].flag2
);
1373 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
1374 ARRAY_SIZE(dacl_aces
), dacl_aces
);
1375 assert_non_null(dacl
);
1377 nfs4_acl
= smbacl4_win2nfs4(frame
, true, dacl
, ¶ms
,
1379 assert_non_null(nfs4_acl
);
1380 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
1381 SEC_DESC_SELF_RELATIVE
);
1383 if (acedup_match
[i
].match
) {
1384 assert_int_equal(smb_get_naces(nfs4_acl
), 1);
1386 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
1387 assert_non_null(nfs4_ace_container
);
1388 assert_null(smb_next_ace4(nfs4_ace_container
));
1390 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1391 assert_int_equal(nfs4_ace
->flags
, 0);
1392 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
1393 assert_int_equal(nfs4_ace
->aceFlags
,
1394 SMB_ACE4_FILE_INHERIT_ACE
);
1395 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1398 assert_int_equal(smb_get_naces(nfs4_acl
), 2);
1400 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
1401 assert_non_null(nfs4_ace_container
);
1403 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1404 assert_int_equal(nfs4_ace
->flags
, 0);
1405 assert_int_equal(nfs4_ace
->who
.uid
, 1000);
1406 assert_int_equal(nfs4_ace
->aceFlags
,
1407 SMB_ACE4_FILE_INHERIT_ACE
);
1408 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1410 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1411 assert_non_null(nfs4_ace_container
);
1412 assert_null(smb_next_ace4(nfs4_ace_container
));
1414 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1415 assert_int_equal(nfs4_ace
->flags
, 0);
1422 static void test_dacl_to_nfs4_config_special(void **state
)
1424 struct dom_sid
*sids
= *state
;
1425 TALLOC_CTX
*frame
= talloc_stackframe();
1426 struct SMB4ACL_T
*nfs4_acl
;
1427 struct SMB4ACE_T
*nfs4_ace_container
;
1428 SMB_ACE4PROP_T
*nfs4_ace
;
1429 struct security_ace dacl_aces
[6];
1430 struct security_acl
*dacl
;
1431 struct smbacl4_vfs_params params
= {
1434 .acedup
= e_dontcare
,
1435 .map_full_control
= true,
1439 * global_sid_Creator_Owner or global_sid_Special_Group is NOT mapped
1440 * to SMB_ACE4_ID_SPECIAL.
1442 init_sec_ace(&dacl_aces
[0], &global_sid_Creator_Owner
,
1443 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1444 SEC_ACE_FLAG_OBJECT_INHERIT
);
1445 init_sec_ace(&dacl_aces
[1], &global_sid_Creator_Group
,
1446 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_WRITE_DATA
,
1447 SEC_ACE_FLAG_CONTAINER_INHERIT
);
1449 * Anything that maps to owner or owning group with inheritance flags
1450 * IS mapped to special owner or special group.
1452 init_sec_ace(&dacl_aces
[2], &sids
[0],
1453 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1454 SEC_ACE_FLAG_OBJECT_INHERIT
);
1455 init_sec_ace(&dacl_aces
[3], &sids
[0],
1456 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1457 SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
);
1458 init_sec_ace(&dacl_aces
[4], &sids
[1],
1459 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1460 SEC_ACE_FLAG_OBJECT_INHERIT
);
1461 init_sec_ace(&dacl_aces
[5], &sids
[1],
1462 SEC_ACE_TYPE_ACCESS_ALLOWED
, SEC_FILE_READ_DATA
,
1463 SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
);
1464 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
1465 ARRAY_SIZE(dacl_aces
), dacl_aces
);
1466 assert_non_null(dacl
);
1468 nfs4_acl
= smbacl4_win2nfs4(frame
, true, dacl
, ¶ms
, 1000, 1001);
1470 assert_non_null(nfs4_acl
);
1471 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
1472 SEC_DESC_SELF_RELATIVE
);
1473 assert_int_equal(smb_get_naces(nfs4_acl
), 6);
1475 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
1476 assert_non_null(nfs4_ace_container
);
1478 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1479 assert_int_equal(nfs4_ace
->flags
, 0);
1480 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_FILE_INHERIT_ACE
);
1481 assert_int_equal(nfs4_ace
->who
.uid
, 1003);
1482 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1484 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1485 assert_non_null(nfs4_ace_container
);
1487 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1488 assert_int_equal(nfs4_ace
->flags
, 0);
1489 assert_int_equal(nfs4_ace
->aceFlags
,
1490 SMB_ACE4_IDENTIFIER_GROUP
|
1491 SMB_ACE4_DIRECTORY_INHERIT_ACE
);
1492 assert_int_equal(nfs4_ace
->who
.gid
, 1004);
1493 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_WRITE_DATA
);
1495 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1496 assert_non_null(nfs4_ace_container
);
1498 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1499 assert_int_equal(nfs4_ace
->flags
, SMB_ACE4_ID_SPECIAL
);
1500 assert_int_equal(nfs4_ace
->who
.special_id
, SMB_ACE4_WHO_OWNER
);
1501 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_FILE_INHERIT_ACE
);
1502 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1504 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1505 assert_non_null(nfs4_ace_container
);
1507 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1508 assert_int_equal(nfs4_ace
->flags
, SMB_ACE4_ID_SPECIAL
);
1509 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_DIRECTORY_INHERIT_ACE
|
1510 SMB_ACE4_INHERIT_ONLY_ACE
);
1511 assert_int_equal(nfs4_ace
->who
.special_id
, SMB_ACE4_WHO_OWNER
);
1512 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1514 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1515 assert_non_null(nfs4_ace_container
);
1517 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1518 assert_int_equal(nfs4_ace
->flags
, SMB_ACE4_ID_SPECIAL
);
1519 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_IDENTIFIER_GROUP
|
1520 SMB_ACE4_FILE_INHERIT_ACE
);
1521 assert_int_equal(nfs4_ace
->who
.special_id
, SMB_ACE4_WHO_GROUP
);
1522 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1524 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1525 assert_non_null(nfs4_ace_container
);
1527 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1528 assert_int_equal(nfs4_ace
->flags
, SMB_ACE4_ID_SPECIAL
);
1529 assert_int_equal(nfs4_ace
->aceFlags
, SMB_ACE4_IDENTIFIER_GROUP
|
1530 SMB_ACE4_DIRECTORY_INHERIT_ACE
|
1531 SMB_ACE4_INHERIT_ONLY_ACE
);
1532 assert_int_equal(nfs4_ace
->who
.special_id
, SMB_ACE4_WHO_GROUP
);
1533 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1535 assert_null(smb_next_ace4(nfs4_ace_container
));
1540 static void test_nfs4_to_dacl_config_special(void **state
)
1542 struct dom_sid
*sids
= *state
;
1543 TALLOC_CTX
*frame
= talloc_stackframe();
1544 struct SMB4ACL_T
*nfs4_acl
;
1545 SMB_ACE4PROP_T nfs4_ace
;
1546 struct security_ace
*dacl_aces
;
1548 struct smbacl4_vfs_params params
= {
1551 .acedup
= e_dontcare
,
1552 .map_full_control
= true,
1555 nfs4_acl
= smb_create_smb4acl(frame
);
1556 assert_non_null(nfs4_acl
);
1559 * In config mode special, this is not mapped to Creator Owner
1561 nfs4_ace
= (SMB_ACE4PROP_T
) {
1562 .flags
= SMB_ACE4_ID_SPECIAL
,
1563 .who
.special_id
= SMB_ACE4_WHO_OWNER
,
1564 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1565 .aceFlags
= SMB_ACE4_FILE_INHERIT_ACE
,
1566 .aceMask
= SMB_ACE4_READ_DATA
,
1568 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1571 * In config mode special, this is not mapped to Creator Group
1573 nfs4_ace
= (SMB_ACE4PROP_T
) {
1574 .flags
= SMB_ACE4_ID_SPECIAL
,
1575 .who
.special_id
= SMB_ACE4_WHO_GROUP
,
1576 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1577 .aceFlags
= SMB_ACE4_DIRECTORY_INHERIT_ACE
,
1578 .aceMask
= SMB_ACE4_WRITE_DATA
,
1580 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1582 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
1583 &sids
[0], &sids
[1], true,
1584 &dacl_aces
, &good_aces
));
1586 assert_int_equal(good_aces
, 2);
1587 assert_non_null(dacl_aces
);
1589 assert_int_equal(dacl_aces
[0].type
, SEC_ACE_TYPE_ACCESS_ALLOWED
);
1590 assert_int_equal(dacl_aces
[0].flags
, SEC_ACE_FLAG_OBJECT_INHERIT
);
1591 assert_int_equal(dacl_aces
[0].access_mask
, SEC_FILE_READ_DATA
);
1592 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
, &sids
[0]));
1594 assert_int_equal(dacl_aces
[1].type
, SEC_ACE_TYPE_ACCESS_ALLOWED
);
1595 assert_int_equal(dacl_aces
[1].flags
, SEC_ACE_FLAG_CONTAINER_INHERIT
);
1596 assert_int_equal(dacl_aces
[1].access_mask
, SEC_FILE_WRITE_DATA
);
1597 assert_true(dom_sid_equal(&dacl_aces
[1].trustee
, &sids
[1]));
1602 struct nfs_to_dacl_idmap_both
{
1603 uint32_t nfs4_flags
;
1605 struct dom_sid
*sid
;
1608 static void test_nfs4_to_dacl_idmap_type_both(void **state
)
1610 struct dom_sid
*sids
= *state
;
1611 TALLOC_CTX
*frame
= talloc_stackframe();
1613 struct nfs_to_dacl_idmap_both nfs_to_dacl_idmap_both
[] = {
1614 { 0, 1002, &sids
[2] },
1615 { SMB_ACE4_IDENTIFIER_GROUP
, 1002, &sids
[2] },
1616 { 0, 1005, &sids
[6] },
1617 { SMB_ACE4_IDENTIFIER_GROUP
, 1005, &sids
[6] },
1620 for (i
= 0; i
< ARRAY_SIZE(nfs_to_dacl_idmap_both
); i
++) {
1621 struct SMB4ACL_T
*nfs4_acl
;
1622 struct security_ace
*dacl_aces
;
1623 SMB_ACE4PROP_T nfs4_ace
;
1625 struct smbacl4_vfs_params params
= {
1629 .map_full_control
= true,
1632 nfs4_acl
= smb_create_smb4acl(frame
);
1633 assert_non_null(nfs4_acl
);
1635 nfs4_ace
= (SMB_ACE4PROP_T
) {
1637 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1638 .aceFlags
= nfs_to_dacl_idmap_both
[i
].nfs4_flags
,
1639 .aceMask
= SMB_ACE4_READ_DATA
,
1642 if (nfs_to_dacl_idmap_both
[i
].nfs4_flags
&
1643 SMB_ACE4_IDENTIFIER_GROUP
) {
1644 nfs4_ace
.who
.gid
= nfs_to_dacl_idmap_both
[i
].nfs4_id
;
1646 nfs4_ace
.who
.uid
= nfs_to_dacl_idmap_both
[i
].nfs4_id
;
1648 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1650 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
1652 false, &dacl_aces
, &good_aces
));
1654 assert_int_equal(good_aces
, 1);
1655 assert_non_null(dacl_aces
);
1657 assert_int_equal(dacl_aces
[0].type
,
1658 SEC_ACE_TYPE_ACCESS_ALLOWED
);
1659 assert_int_equal(dacl_aces
[0].flags
, 0);
1660 assert_int_equal(dacl_aces
[0].access_mask
, SEC_FILE_READ_DATA
);
1661 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
,
1662 nfs_to_dacl_idmap_both
[i
].sid
));
1668 struct dacl_to_nfs4_idmap_both
{
1669 struct dom_sid
*sid
;
1670 uint32_t dacl_flags
;
1671 uint32_t nfs4_flags
;
1672 uint32_t nfs4_ace_flags
;
1678 * IDMAP_TYPE_BOTH always creates group entries.
1680 static void test_dacl_to_nfs4_idmap_type_both(void **state
)
1682 struct dom_sid
*sids
= *state
;
1683 TALLOC_CTX
*frame
= talloc_stackframe();
1686 struct dacl_to_nfs4_idmap_both dacl_to_nfs4_idmap_both
[] = {
1688 SMB_ACE4_ID_SPECIAL
, SMB_ACE4_IDENTIFIER_GROUP
, SMB_ACE4_WHO_GROUP
,
1690 { &sids
[2], SEC_ACE_FLAG_OBJECT_INHERIT
,
1691 0, SMB_ACE4_IDENTIFIER_GROUP
|SMB_ACE4_FILE_INHERIT_ACE
, 1002,
1694 0, SMB_ACE4_IDENTIFIER_GROUP
, 1005,
1696 { &sids
[6], SEC_ACE_FLAG_OBJECT_INHERIT
,
1697 0, SMB_ACE4_IDENTIFIER_GROUP
|SMB_ACE4_FILE_INHERIT_ACE
, 1005,
1701 for (i
= 0; i
< ARRAY_SIZE(dacl_to_nfs4_idmap_both
); i
++) {
1702 struct SMB4ACL_T
*nfs4_acl
;
1703 struct SMB4ACE_T
*nfs4_ace_container
;
1704 SMB_ACE4PROP_T
*nfs4_ace
;
1705 struct security_ace dacl_aces
[1];
1706 struct security_acl
*dacl
;
1707 struct smbacl4_vfs_params params
= {
1711 .map_full_control
= true,
1714 init_sec_ace(&dacl_aces
[0], dacl_to_nfs4_idmap_both
[i
].sid
,
1715 SEC_ACE_TYPE_ACCESS_ALLOWED
,
1717 dacl_to_nfs4_idmap_both
[i
].dacl_flags
);
1718 dacl
= make_sec_acl(frame
, SECURITY_ACL_REVISION_ADS
,
1719 ARRAY_SIZE(dacl_aces
), dacl_aces
);
1720 assert_non_null(dacl
);
1722 nfs4_acl
= smbacl4_win2nfs4(frame
, true, dacl
, ¶ms
,
1725 assert_non_null(nfs4_acl
);
1726 assert_int_equal(smbacl4_get_controlflags(nfs4_acl
),
1727 SEC_DESC_SELF_RELATIVE
);
1728 assert_int_equal(smb_get_naces(nfs4_acl
),
1729 dacl_to_nfs4_idmap_both
[i
].num_nfs4_aces
);
1731 nfs4_ace_container
= smb_first_ace4(nfs4_acl
);
1732 assert_non_null(nfs4_ace_container
);
1734 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1735 assert_int_equal(nfs4_ace
->flags
,
1736 dacl_to_nfs4_idmap_both
[i
].nfs4_flags
);
1737 assert_int_equal(nfs4_ace
->aceFlags
,
1738 dacl_to_nfs4_idmap_both
[i
].nfs4_ace_flags
);
1739 if (nfs4_ace
->flags
& SMB_ACE4_ID_SPECIAL
) {
1740 assert_int_equal(nfs4_ace
->who
.special_id
,
1741 dacl_to_nfs4_idmap_both
[i
].nfs4_id
);
1742 } else if (nfs4_ace
->aceFlags
& SMB_ACE4_IDENTIFIER_GROUP
) {
1743 assert_int_equal(nfs4_ace
->who
.gid
,
1744 dacl_to_nfs4_idmap_both
[i
].nfs4_id
);
1746 assert_int_equal(nfs4_ace
->who
.uid
,
1747 dacl_to_nfs4_idmap_both
[i
].nfs4_id
);
1749 assert_int_equal(nfs4_ace
->aceType
,
1750 SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
);
1751 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1753 if (dacl_to_nfs4_idmap_both
[i
].num_nfs4_aces
== 2) {
1754 nfs4_ace_container
= smb_next_ace4(nfs4_ace_container
);
1755 assert_non_null(nfs4_ace_container
);
1757 nfs4_ace
= smb_get_ace4(nfs4_ace_container
);
1758 assert_int_equal(nfs4_ace
->flags
,
1759 dacl_to_nfs4_idmap_both
[i
].nfs4_flags
);
1760 assert_int_equal(nfs4_ace
->aceFlags
,
1761 dacl_to_nfs4_idmap_both
[i
].nfs4_ace_flags
&
1762 ~SMB_ACE4_IDENTIFIER_GROUP
);
1763 if (nfs4_ace
->flags
& SMB_ACE4_ID_SPECIAL
) {
1764 assert_int_equal(nfs4_ace
->who
.special_id
,
1765 SMB_ACE4_WHO_OWNER
);
1767 assert_int_equal(nfs4_ace
->who
.uid
,
1768 dacl_to_nfs4_idmap_both
[i
].nfs4_id
);
1770 assert_int_equal(nfs4_ace
->aceType
,
1771 SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
);
1772 assert_int_equal(nfs4_ace
->aceMask
, SMB_ACE4_READ_DATA
);
1779 static void test_nfs4_to_dacl_remove_duplicate(void **state
)
1782 struct dom_sid
*sids
= *state
;
1783 TALLOC_CTX
*frame
= talloc_stackframe();
1784 struct SMB4ACL_T
*nfs4_acl
;
1785 SMB_ACE4PROP_T nfs4_ace
;
1786 struct security_ace
*dacl_aces
;
1788 struct smbacl4_vfs_params params
= {
1791 .acedup
= e_dontcare
,
1792 .map_full_control
= true,
1795 nfs4_acl
= smb_create_smb4acl(frame
);
1796 assert_non_null(nfs4_acl
);
1798 nfs4_ace
= (SMB_ACE4PROP_T
) {
1801 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1802 .aceFlags
= SMB_ACE4_INHERITED_ACE
,
1803 .aceMask
= SMB_ACE4_WRITE_DATA
,
1805 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1807 nfs4_ace
= (SMB_ACE4PROP_T
) {
1810 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1811 .aceFlags
= SMB_ACE4_IDENTIFIER_GROUP
|
1812 SMB_ACE4_INHERITED_ACE
,
1813 .aceMask
= SMB_ACE4_WRITE_DATA
,
1815 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1817 nfs4_ace
= (SMB_ACE4PROP_T
) {
1820 .aceType
= SMB_ACE4_ACCESS_DENIED_ACE_TYPE
,
1821 .aceFlags
= SMB_ACE4_IDENTIFIER_GROUP
|
1822 SMB_ACE4_INHERITED_ACE
,
1823 .aceMask
= SMB_ACE4_WRITE_DATA
,
1825 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1827 nfs4_ace
= (SMB_ACE4PROP_T
) {
1830 .aceType
= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE
,
1831 .aceFlags
= SMB_ACE4_IDENTIFIER_GROUP
|
1832 SMB_ACE4_INHERITED_ACE
,
1833 .aceMask
= SMB_ACE4_WRITE_DATA
,
1835 assert_non_null(smb_add_ace4(nfs4_acl
, &nfs4_ace
));
1837 assert_true(smbacl4_nfs42win(frame
, ¶ms
, nfs4_acl
,
1838 &sids
[0], &sids
[1], true,
1839 &dacl_aces
, &good_aces
));
1841 assert_int_equal(good_aces
, 2);
1842 assert_non_null(dacl_aces
);
1844 assert_int_equal(dacl_aces
[0].type
, SEC_ACE_TYPE_ACCESS_ALLOWED
);
1845 assert_int_equal(dacl_aces
[0].flags
, SEC_ACE_FLAG_INHERITED_ACE
);
1846 assert_int_equal(dacl_aces
[0].access_mask
, SEC_FILE_WRITE_DATA
);
1847 assert_true(dom_sid_equal(&dacl_aces
[0].trustee
, &sids
[2]));
1849 assert_int_equal(dacl_aces
[1].type
, SEC_ACE_TYPE_ACCESS_DENIED
);
1850 assert_int_equal(dacl_aces
[1].flags
, SEC_ACE_FLAG_INHERITED_ACE
);
1851 assert_int_equal(dacl_aces
[1].access_mask
, SEC_FILE_WRITE_DATA
);
1852 assert_true(dom_sid_equal(&dacl_aces
[1].trustee
, &sids
[2]));
1857 int main(int argc
, char **argv
)
1859 const struct CMUnitTest tests
[] = {
1860 cmocka_unit_test(test_cached_id_mappings
),
1861 cmocka_unit_test(test_empty_nfs4_to_dacl
),
1862 cmocka_unit_test(test_empty_dacl_to_nfs4
),
1863 cmocka_unit_test(test_acl_type_nfs4_to_dacl
),
1864 cmocka_unit_test(test_acl_type_dacl_to_nfs4
),
1865 cmocka_unit_test(test_ace_flags_nfs4_to_dacl
),
1866 cmocka_unit_test(test_ace_flags_dacl_to_nfs4
),
1867 cmocka_unit_test(test_nfs4_permissions_to_dacl
),
1868 cmocka_unit_test(test_dacl_permissions_to_nfs4
),
1869 cmocka_unit_test(test_special_nfs4_to_dacl
),
1870 cmocka_unit_test(test_dacl_to_special_nfs4
),
1871 cmocka_unit_test(test_dacl_creator_to_nfs4
),
1872 cmocka_unit_test(test_nfs4_to_dacl_creator
),
1873 cmocka_unit_test(test_full_control_nfs4_to_dacl
),
1874 cmocka_unit_test(test_dacl_to_nfs4_acedup_settings
),
1875 cmocka_unit_test(test_dacl_to_nfs4_acedup_match
),
1876 cmocka_unit_test(test_dacl_to_nfs4_config_special
),
1877 cmocka_unit_test(test_nfs4_to_dacl_config_special
),
1878 cmocka_unit_test(test_nfs4_to_dacl_idmap_type_both
),
1879 cmocka_unit_test(test_dacl_to_nfs4_idmap_type_both
),
1880 cmocka_unit_test(test_nfs4_to_dacl_remove_duplicate
),
1883 cmocka_set_message_output(CM_OUTPUT_SUBUNIT
);
1886 print_error("Usage: %s smb.conf\n", argv
[0]);
1891 * Initialize enough of the Samba internals to have the
1892 * mappings tests work.
1894 talloc_stackframe();
1895 lp_load_global(argv
[1]);
1897 return cmocka_run_group_tests(tests
, group_setup
, group_teardown
);