search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: replace CHECK_WRITE() macro with calls to check_any_access_fsp()
[Samba.git] / source3 / modules / test_nfs4_acls.c
blobf47ff9b6c1eaa387bad216e469b43905a3920a34
1 /*
2 * Unix SMB/CIFS implementation.
3 *
4 * Unit test for NFS4 ACL handling
5 *
6 * Copyright (C) Christof Schmitt 2019
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "nfs4_acls.c"
23 #include "librpc/gen_ndr/idmap.h"
24 #include "idmap_cache.h"
25 #include <cmocka.h>
26
27 struct test_sids {
28 const char *sid_str;
29 struct unixid unix_id;
30 } test_sids[] = {
31 { "S-1-5-2-123-456-789-100", { 1000, ID_TYPE_UID }},
32 { "S-1-5-2-123-456-789-101", { 1001, ID_TYPE_GID }},
33 { "S-1-5-2-123-456-789-102", { 1002, ID_TYPE_BOTH }},
34 { SID_CREATOR_OWNER, { 1003, ID_TYPE_UID }},
35 { SID_CREATOR_GROUP, { 1004, ID_TYPE_GID }},
36 { "S-1-5-2-123-456-789-103", { 1000, ID_TYPE_GID }},
37 { "S-1-5-2-123-456-789-104", { 1005, ID_TYPE_BOTH }},
38 { "S-1-5-2-123-456-789-105", { 1006, ID_TYPE_BOTH }},
39 { "S-1-5-2-123-456-789-106", { 1007, ID_TYPE_BOTH }},
40 };
41
42 static int group_setup(void **state)
43 {
44 struct dom_sid *sids = NULL;
45 int i;
46
47 sids = talloc_array(NULL, struct dom_sid, ARRAY_SIZE(test_sids));
48 assert_non_null(sids);
49
50 for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
51 assert_true(dom_sid_parse(test_sids[i].sid_str, &sids[i]));
52 idmap_cache_set_sid2unixid(&sids[i], &test_sids[i].unix_id);
53 }
54
55 *state = sids;
56
57 return 0;
58
59 }
60
61 static int group_teardown(void **state)
62 {
63 struct dom_sid *sids = *state;
64 int i;
65
66 for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
67 assert_true(idmap_cache_del_sid(&sids[i]));
68 }
69
70 TALLOC_FREE(sids);
71 *state = NULL;
72
73 return 0;
74 }
75
76 /*
77 * Run this as first test to verify that the id mappings used by other
78 * tests are available in the cache.
79 */
80 static void test_cached_id_mappings(void **state)
81 {
82 struct dom_sid *sids = *state;
83 int i;
84
85 for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
86 struct dom_sid *sid = &sids[i];
87 struct unixid *unix_id = &test_sids[i].unix_id;
88 uid_t uid;
89 gid_t gid;
90
91 switch(unix_id->type) {
92 case ID_TYPE_UID:
93 assert_true(sid_to_uid(sid, &uid));
94 assert_int_equal(uid, unix_id->id);
95 assert_false(sid_to_gid(sid, &gid));
96 break;
97 case ID_TYPE_GID:
98 assert_false(sid_to_uid(sid, &uid));
99 assert_true(sid_to_gid(sid, &gid));
100 assert_int_equal(gid, unix_id->id);
101 break;
102 case ID_TYPE_BOTH:
103 assert_true(sid_to_uid(sid, &uid));
104 assert_int_equal(uid, unix_id->id);
105 assert_true(sid_to_gid(sid, &gid));
106 assert_int_equal(gid, unix_id->id);
107 break;
108 default:
109 fail_msg("Unknown id type %d\n", unix_id->type);
110 break;
111 }
112 }
113 }
114
115 static void test_empty_nfs4_to_dacl(void **state)
116 {
117 struct dom_sid *sids = *state;
118 TALLOC_CTX *frame = talloc_stackframe();
119 struct SMB4ACL_T *nfs4_acl;
120 struct security_ace *dacl_aces;
121 int good_aces;
122 struct smbacl4_vfs_params params = {
123 .mode = e_simple,
124 .do_chown = true,
125 .acedup = e_merge,
126 .map_full_control = true,
127 };
128
129 nfs4_acl = smb_create_smb4acl(frame);
130 assert_non_null(nfs4_acl);
131
132 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
133 &sids[0], &sids[1], false,
134 &dacl_aces, &good_aces));
135
136 assert_int_equal(good_aces, 0);
137 assert_null(dacl_aces);
138
139 TALLOC_FREE(frame);
140 }
141
142 static void test_empty_dacl_to_nfs4(void **state)
143 {
144 TALLOC_CTX *frame = talloc_stackframe();
145 struct SMB4ACL_T *nfs4_acl;
146 struct security_acl *dacl;
147 struct smbacl4_vfs_params params = {
148 .mode = e_simple,
149 .do_chown = true,
150 .acedup = e_merge,
151 .map_full_control = true,
152 };
153
154 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS, 0, NULL);
155 assert_non_null(dacl);
156
157 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, &params, 1001, 1002);
158
159 assert_non_null(nfs4_acl);
160 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
161 SEC_DESC_SELF_RELATIVE);
162 assert_int_equal(smb_get_naces(nfs4_acl), 0);
163 assert_null(smb_first_ace4(nfs4_acl));
164 }
165
166 struct ace_dacl_type_mapping {
167 uint32_t nfs4_type;
168 enum security_ace_type dacl_type;
169 } ace_dacl_type_mapping[] = {
170 { SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_ALLOWED },
171 { SMB_ACE4_ACCESS_DENIED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_DENIED },
172 };
173
174 static void test_acl_type_nfs4_to_dacl(void **state)
175 {
176 struct dom_sid *sids = *state;
177 TALLOC_CTX *frame = talloc_stackframe();
178 int i;
179
180 for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
181 struct SMB4ACL_T *nfs4_acl;
182 SMB_ACE4PROP_T nfs4_ace;
183 struct security_ace *dacl_aces;
184 int good_aces;
185 struct smbacl4_vfs_params params = {
186 .mode = e_simple,
187 .do_chown = true,
188 .acedup = e_merge,
189 .map_full_control = true,
190 };
191
192 nfs4_acl = smb_create_smb4acl(frame);
193 assert_non_null(nfs4_acl);
194
195 nfs4_ace = (SMB_ACE4PROP_T) {
196 .flags = 0,
197 .who.uid = 1000,
198 .aceType = ace_dacl_type_mapping[i].nfs4_type,
199 .aceFlags = 0,
200 .aceMask = SMB_ACE4_READ_DATA,
201 };
202 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
203
204 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
205 &sids[2], &sids[3], false,
206 &dacl_aces, &good_aces));
207
208 assert_int_equal(good_aces, 1);
209 assert_non_null(dacl_aces);
210
211 assert_int_equal(dacl_aces[0].type,
212 ace_dacl_type_mapping[i].dacl_type);
213 assert_int_equal(dacl_aces[0].flags, 0);
214 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
215 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
216 }
217
218 TALLOC_FREE(frame);
219 }
220
221 static void test_acl_type_dacl_to_nfs4(void **state)
222 {
223 struct dom_sid *sids = *state;
224 TALLOC_CTX *frame = talloc_stackframe();
225 int i;
226
227 for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
228 struct SMB4ACL_T *nfs4_acl;
229 struct SMB4ACE_T *nfs4_ace_container;
230 SMB_ACE4PROP_T *nfs4_ace;
231 struct security_ace dacl_aces[1];
232 struct security_acl *dacl;
233 struct smbacl4_vfs_params params = {
234 .mode = e_simple,
235 .do_chown = true,
236 .acedup = e_merge,
237 .map_full_control = true,
238 };
239
240 init_sec_ace(&dacl_aces[0], &sids[0],
241 ace_dacl_type_mapping[i].dacl_type,
242 SEC_FILE_READ_DATA, 0);
243 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
244 ARRAY_SIZE(dacl_aces), dacl_aces);
245 assert_non_null(dacl);
246
247 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, &params,
248 101, 102);
249
250 assert_non_null(nfs4_acl);
251 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
252 SEC_DESC_SELF_RELATIVE);
253 assert_int_equal(smb_get_naces(nfs4_acl), 1);
254
255 nfs4_ace_container = smb_first_ace4(nfs4_acl);
256 assert_non_null(nfs4_ace_container);
257 assert_null(smb_next_ace4(nfs4_ace_container));
258
259 nfs4_ace = smb_get_ace4(nfs4_ace_container);
260 assert_int_equal(nfs4_ace->flags, 0);
261 assert_int_equal(nfs4_ace->who.uid, 1000);
262 assert_int_equal(nfs4_ace->aceFlags, 0);
263 assert_int_equal(nfs4_ace->aceType,
264 ace_dacl_type_mapping[i].nfs4_type);
265 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
266 }
267
268 TALLOC_FREE(frame);
269 }
270
271 struct ace_flag_mapping_nfs4_to_dacl {
272 bool is_directory;
273 uint32_t nfs4_flag;
274 uint32_t dacl_flag;
275 } ace_flags_nfs4_to_dacl[] = {
276 { true, SMB_ACE4_FILE_INHERIT_ACE,
277 SEC_ACE_FLAG_OBJECT_INHERIT },
278 { false, SMB_ACE4_FILE_INHERIT_ACE,
279 0 },
280 { true, SMB_ACE4_DIRECTORY_INHERIT_ACE,
281 SEC_ACE_FLAG_CONTAINER_INHERIT },
282 { false, SMB_ACE4_DIRECTORY_INHERIT_ACE,
283 0 },
284 { true, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
285 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
286 { false, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
287 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
288 { true, SMB_ACE4_INHERIT_ONLY_ACE,
289 SEC_ACE_FLAG_INHERIT_ONLY },
290 { false, SMB_ACE4_INHERIT_ONLY_ACE,
291 SEC_ACE_FLAG_INHERIT_ONLY },
292 { true, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
293 0 },
294 { false, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
295 0 },
296 { true, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
297 0 },
298 { false, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
299 0 },
300 { true, SMB_ACE4_INHERITED_ACE,
301 SEC_ACE_FLAG_INHERITED_ACE },
302 { false, SMB_ACE4_INHERITED_ACE,
303 SEC_ACE_FLAG_INHERITED_ACE },
304 };
305
306 static void test_ace_flags_nfs4_to_dacl(void **state)
307 {
308 struct dom_sid *sids = *state;
309 TALLOC_CTX *frame = talloc_stackframe();
310 SMB_ACE4PROP_T nfs4_ace;
311 int i;
312
313 for (i = 0; i < ARRAY_SIZE(ace_flags_nfs4_to_dacl); i++) {
314 struct SMB4ACL_T *nfs4_acl;
315 bool is_directory;
316 struct security_ace *dacl_aces;
317 int good_aces;
318 struct smbacl4_vfs_params params = {
319 .mode = e_simple,
320 .do_chown = true,
321 .acedup = e_merge,
322 .map_full_control = true,
323 };
324
325 nfs4_acl = smb_create_smb4acl(frame);
326 assert_non_null(nfs4_acl);
327
328 nfs4_ace = (SMB_ACE4PROP_T) {
329 .flags = 0,
330 .who.uid = 1000,
331 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
332 .aceFlags = ace_flags_nfs4_to_dacl[i].nfs4_flag,
333 .aceMask = SMB_ACE4_READ_DATA,
334 };
335 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
336
337 is_directory = ace_flags_nfs4_to_dacl[i].is_directory;
338
339 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
340 &sids[2], &sids[3], is_directory,
341 &dacl_aces, &good_aces));
342
343 assert_int_equal(good_aces, 1);
344 assert_non_null(dacl_aces);
345
346 assert_int_equal(dacl_aces[0].type,
347 SEC_ACE_TYPE_ACCESS_ALLOWED);
348 assert_int_equal(dacl_aces[0].flags,
349 ace_flags_nfs4_to_dacl[i].dacl_flag);
350 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
351 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
352 }
353
354 TALLOC_FREE(frame);
355 }
356
357 struct ace_flag_mapping_dacl_to_nfs4 {
358 bool is_directory;
359 uint32_t dacl_flag;
360 uint32_t nfs4_flag;
361 } ace_flags_dacl_to_nfs4[] = {
362 { true, SEC_ACE_FLAG_OBJECT_INHERIT,
363 SMB_ACE4_FILE_INHERIT_ACE },
364 { false, SEC_ACE_FLAG_OBJECT_INHERIT,
365 0 },
366 { true, SEC_ACE_FLAG_CONTAINER_INHERIT,
367 SMB_ACE4_DIRECTORY_INHERIT_ACE },
368 { false, SEC_ACE_FLAG_CONTAINER_INHERIT,
369 0 },
370 { true, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
371 SMB_ACE4_NO_PROPAGATE_INHERIT_ACE },
372 { false, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
373 0 },
374 { true, SEC_ACE_FLAG_INHERIT_ONLY,
375 SMB_ACE4_INHERIT_ONLY_ACE },
376 { false, SEC_ACE_FLAG_INHERIT_ONLY,
377 0 },
378 { true, SEC_ACE_FLAG_INHERITED_ACE,
379 SMB_ACE4_INHERITED_ACE },
380 { false, SEC_ACE_FLAG_INHERITED_ACE,
381 SMB_ACE4_INHERITED_ACE },
382 { true, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
383 0 },
384 { false, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
385 0 },
386 { true, SEC_ACE_FLAG_FAILED_ACCESS,
387 0 },
388 { false, SEC_ACE_FLAG_FAILED_ACCESS,
389 0 },
390 };
391
392 static void test_ace_flags_dacl_to_nfs4(void **state)
393 {
394 struct dom_sid *sids = *state;
395 TALLOC_CTX *frame = talloc_stackframe();
396 int i;
397
398 for (i = 0; i < ARRAY_SIZE(ace_flags_dacl_to_nfs4); i++) {
399 struct SMB4ACL_T *nfs4_acl;
400 struct SMB4ACE_T *nfs4_ace_container;
401 SMB_ACE4PROP_T *nfs4_ace;
402 bool is_directory;
403 struct security_ace dacl_aces[1];
404 struct security_acl *dacl;
405 struct smbacl4_vfs_params params = {
406 .mode = e_simple,
407 .do_chown = true,
408 .acedup = e_merge,
409 .map_full_control = true,
410 };
411
412 init_sec_ace(&dacl_aces[0], &sids[0],
413 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
414 ace_flags_dacl_to_nfs4[i].dacl_flag);
415 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
416 ARRAY_SIZE(dacl_aces), dacl_aces);
417 assert_non_null(dacl);
418
419 is_directory = ace_flags_dacl_to_nfs4[i].is_directory;
420 nfs4_acl = smbacl4_win2nfs4(frame, is_directory, dacl, &params,
421 101, 102);
422
423 assert_non_null(nfs4_acl);
424 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
425 SEC_DESC_SELF_RELATIVE);
426 assert_int_equal(smb_get_naces(nfs4_acl), 1);
427
428 nfs4_ace_container = smb_first_ace4(nfs4_acl);
429 assert_non_null(nfs4_ace_container);
430 assert_null(smb_next_ace4(nfs4_ace_container));
431
432 nfs4_ace = smb_get_ace4(nfs4_ace_container);
433 assert_int_equal(nfs4_ace->flags, 0);
434 assert_int_equal(nfs4_ace->who.uid, 1000);
435 assert_int_equal(nfs4_ace->aceFlags,
436 ace_flags_dacl_to_nfs4[i].nfs4_flag);
437 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
438 }
439
440 TALLOC_FREE(frame);
441 }
442
443 struct ace_perm_mapping {
444 uint32_t nfs4_perm;
445 uint32_t dacl_perm;
446 } perm_table_nfs4_to_dacl[] = {
447 { SMB_ACE4_READ_DATA, SEC_FILE_READ_DATA },
448 { SMB_ACE4_LIST_DIRECTORY, SEC_DIR_LIST },
449 { SMB_ACE4_WRITE_DATA, SEC_FILE_WRITE_DATA },
450 { SMB_ACE4_ADD_FILE, SEC_DIR_ADD_FILE },
451 { SMB_ACE4_APPEND_DATA, SEC_FILE_APPEND_DATA },
452 { SMB_ACE4_ADD_SUBDIRECTORY, SEC_DIR_ADD_SUBDIR, },
453 { SMB_ACE4_READ_NAMED_ATTRS, SEC_FILE_READ_EA },
454 { SMB_ACE4_READ_NAMED_ATTRS, SEC_DIR_READ_EA },
455 { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_FILE_WRITE_EA },
456 { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_DIR_WRITE_EA },
457 { SMB_ACE4_EXECUTE, SEC_FILE_EXECUTE },
458 { SMB_ACE4_EXECUTE, SEC_DIR_TRAVERSE },
459 { SMB_ACE4_DELETE_CHILD, SEC_DIR_DELETE_CHILD },
460 { SMB_ACE4_READ_ATTRIBUTES, SEC_FILE_READ_ATTRIBUTE },
461 { SMB_ACE4_READ_ATTRIBUTES, SEC_DIR_READ_ATTRIBUTE },
462 { SMB_ACE4_WRITE_ATTRIBUTES, SEC_FILE_WRITE_ATTRIBUTE },
463 { SMB_ACE4_WRITE_ATTRIBUTES, SEC_DIR_WRITE_ATTRIBUTE },
464 { SMB_ACE4_DELETE, SEC_STD_DELETE },
465 { SMB_ACE4_READ_ACL, SEC_STD_READ_CONTROL },
466 { SMB_ACE4_WRITE_ACL, SEC_STD_WRITE_DAC, },
467 { SMB_ACE4_WRITE_OWNER, SEC_STD_WRITE_OWNER },
468 { SMB_ACE4_SYNCHRONIZE, SEC_STD_SYNCHRONIZE },
469 };
470
471 static void test_nfs4_permissions_to_dacl(void **state)
472 {
473 struct dom_sid *sids = *state;
474 TALLOC_CTX *frame = talloc_stackframe();
475 int i;
476
477 for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
478 struct SMB4ACL_T *nfs4_acl;
479 SMB_ACE4PROP_T nfs4_ace;
480 struct security_ace *dacl_aces;
481 int good_aces;
482 struct smbacl4_vfs_params params = {
483 .mode = e_simple,
484 .do_chown = true,
485 .acedup = e_merge,
486 .map_full_control = true,
487 };
488
489 nfs4_acl = smb_create_smb4acl(frame);
490 assert_non_null(nfs4_acl);
491
492 nfs4_ace = (SMB_ACE4PROP_T) {
493 .flags = 0,
494 .who.uid = 1000,
495 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
496 .aceFlags = 0,
497 .aceMask = perm_table_nfs4_to_dacl[i].nfs4_perm,
498 };
499 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
500
501 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
502 &sids[0], &sids[1], false,
503 &dacl_aces, &good_aces));
504
505 assert_int_equal(good_aces, 1);
506 assert_non_null(dacl_aces);
507
508 assert_int_equal(dacl_aces[0].type,
509 SEC_ACE_TYPE_ACCESS_ALLOWED);
510 assert_int_equal(dacl_aces[0].flags, 0);
511 assert_int_equal(dacl_aces[0].access_mask,
512 perm_table_nfs4_to_dacl[i].dacl_perm);
513 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
514 }
515
516 TALLOC_FREE(frame);
517 }
518
519 struct ace_perm_mapping_dacl_to_nfs4 {
520 uint32_t dacl_perm;
521 uint32_t nfs4_perm;
522 } perm_table_dacl_to_nfs4[] = {
523 { SEC_FILE_READ_DATA, SMB_ACE4_READ_DATA, },
524 { SEC_DIR_LIST, SMB_ACE4_LIST_DIRECTORY, },
525 { SEC_FILE_WRITE_DATA, SMB_ACE4_WRITE_DATA, },
526 { SEC_DIR_ADD_FILE, SMB_ACE4_ADD_FILE, },
527 { SEC_FILE_APPEND_DATA, SMB_ACE4_APPEND_DATA, },
528 { SEC_DIR_ADD_SUBDIR, SMB_ACE4_ADD_SUBDIRECTORY, },
529 { SEC_FILE_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
530 { SEC_DIR_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
531 { SEC_FILE_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
532 { SEC_DIR_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
533 { SEC_FILE_EXECUTE, SMB_ACE4_EXECUTE, },
534 { SEC_DIR_TRAVERSE, SMB_ACE4_EXECUTE, },
535 { SEC_DIR_DELETE_CHILD, SMB_ACE4_DELETE_CHILD, },
536 { SEC_FILE_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
537 { SEC_DIR_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
538 { SEC_FILE_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
539 { SEC_DIR_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
540 { SEC_STD_DELETE, SMB_ACE4_DELETE, },
541 { SEC_STD_READ_CONTROL, SMB_ACE4_READ_ACL, },
542 { SEC_STD_WRITE_DAC, SMB_ACE4_WRITE_ACL, },
543 { SEC_STD_WRITE_OWNER, SMB_ACE4_WRITE_OWNER, },
544 { SEC_STD_SYNCHRONIZE, SMB_ACE4_SYNCHRONIZE, },
545 { SEC_GENERIC_READ, SMB_ACE4_READ_ACL|
546 SMB_ACE4_READ_DATA|
547 SMB_ACE4_READ_ATTRIBUTES|
548 SMB_ACE4_READ_NAMED_ATTRS|
549 SMB_ACE4_SYNCHRONIZE },
550 { SEC_GENERIC_WRITE, SMB_ACE4_WRITE_ACL|
551 SMB_ACE4_WRITE_DATA|
552 SMB_ACE4_WRITE_ATTRIBUTES|
553 SMB_ACE4_WRITE_NAMED_ATTRS|
554 SMB_ACE4_SYNCHRONIZE },
555 { SEC_GENERIC_EXECUTE, SMB_ACE4_READ_ACL|
556 SMB_ACE4_READ_ATTRIBUTES|
557 SMB_ACE4_EXECUTE|
558 SMB_ACE4_SYNCHRONIZE },
559 { SEC_GENERIC_ALL, SMB_ACE4_DELETE|
560 SMB_ACE4_READ_ACL|
561 SMB_ACE4_WRITE_ACL|
562 SMB_ACE4_WRITE_OWNER|
563 SMB_ACE4_SYNCHRONIZE|
564 SMB_ACE4_WRITE_ATTRIBUTES|
565 SMB_ACE4_READ_ATTRIBUTES|
566 SMB_ACE4_EXECUTE|
567 SMB_ACE4_READ_NAMED_ATTRS|
568 SMB_ACE4_WRITE_NAMED_ATTRS|
569 SMB_ACE4_WRITE_DATA|
570 SMB_ACE4_APPEND_DATA|
571 SMB_ACE4_READ_DATA|
572 SMB_ACE4_DELETE_CHILD },
573 };
574
575 static void test_dacl_permissions_to_nfs4(void **state)
576 {
577 struct dom_sid *sids = *state;
578 TALLOC_CTX *frame = talloc_stackframe();
579 int i;
580
581 for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
582 struct SMB4ACL_T *nfs4_acl;
583 struct SMB4ACE_T *nfs4_ace_container;
584 SMB_ACE4PROP_T *nfs4_ace;
585 struct smbacl4_vfs_params params = {
586 .mode = e_simple,
587 .do_chown = true,
588 .acedup = e_merge,
589 .map_full_control = true,
590 };
591 struct security_ace dacl_aces[1];
592 struct security_acl *dacl;
593
594 init_sec_ace(&dacl_aces[0], &sids[0],
595 SEC_ACE_TYPE_ACCESS_ALLOWED,
596 perm_table_dacl_to_nfs4[i].dacl_perm, 0);
597 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
598 ARRAY_SIZE(dacl_aces), dacl_aces);
599 assert_non_null(dacl);
600
601 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, &params,
602 101, 102);
603
604 assert_non_null(nfs4_acl);
605 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
606 SEC_DESC_SELF_RELATIVE);
607 assert_int_equal(smb_get_naces(nfs4_acl), 1);
608
609 nfs4_ace_container = smb_first_ace4(nfs4_acl);
610 assert_non_null(nfs4_ace_container);
611 assert_null(smb_next_ace4(nfs4_ace_container));
612
613 nfs4_ace = smb_get_ace4(nfs4_ace_container);
614 assert_int_equal(nfs4_ace->flags, 0);
615 assert_int_equal(nfs4_ace->who.uid, 1000);
616 assert_int_equal(nfs4_ace->aceFlags, 0);
617 assert_int_equal(nfs4_ace->aceMask,
618 perm_table_dacl_to_nfs4[i].nfs4_perm);
619 }
620
621 TALLOC_FREE(frame);
622 }
623
624 /*
625 * Create NFS4 ACL with all possible "special" entries. Verify that
626 * the ones that should be mapped to a DACL are mapped and the other
627 * ones are ignored.
628 */
629 static void test_special_nfs4_to_dacl(void **state)
630 {
631 struct dom_sid *sids = *state;
632 TALLOC_CTX *frame = talloc_stackframe();
633 struct SMB4ACL_T *nfs4_acl;
634 SMB_ACE4PROP_T nfs4_ace;
635 struct security_ace *dacl_aces;
636 int good_aces;
637 struct smbacl4_vfs_params params = {
638 .mode = e_simple,
639 .do_chown = true,
640 .acedup = e_merge,
641 .map_full_control = true,
642 };
643
644 nfs4_acl = smb_create_smb4acl(frame);
645 assert_non_null(nfs4_acl);
646
647 nfs4_ace = (SMB_ACE4PROP_T) {
648 .flags = SMB_ACE4_ID_SPECIAL,
649 .who.special_id = SMB_ACE4_WHO_OWNER,
650 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
651 .aceFlags = 0,
652 .aceMask = SMB_ACE4_READ_DATA,
653 };
654 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
655
656 nfs4_ace = (SMB_ACE4PROP_T) {
657 .flags = SMB_ACE4_ID_SPECIAL,
658 .who.special_id = SMB_ACE4_WHO_GROUP,
659 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
660 .aceFlags = 0,
661 .aceMask = SMB_ACE4_WRITE_DATA,
662 };
663 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
664
665 nfs4_ace = (SMB_ACE4PROP_T) {
666 .flags = SMB_ACE4_ID_SPECIAL,
667 .who.special_id = SMB_ACE4_WHO_EVERYONE,
668 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
669 .aceFlags = 0,
670 .aceMask = SMB_ACE4_APPEND_DATA,
671 };
672 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
673
674 nfs4_ace = (SMB_ACE4PROP_T) {
675 .flags = SMB_ACE4_ID_SPECIAL,
676 .who.special_id = SMB_ACE4_WHO_INTERACTIVE,
677 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
678 .aceFlags = 0,
679 .aceMask = SMB_ACE4_READ_NAMED_ATTRS,
680 };
681 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
682
683 nfs4_ace = (SMB_ACE4PROP_T) {
684 .flags = SMB_ACE4_ID_SPECIAL,
685 .who.special_id = SMB_ACE4_WHO_NETWORK,
686 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
687 .aceFlags = 0,
688 .aceMask = SMB_ACE4_WRITE_NAMED_ATTRS,
689 };
690 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
691
692 nfs4_ace = (SMB_ACE4PROP_T) {
693 .flags = SMB_ACE4_ID_SPECIAL,
694 .who.special_id = SMB_ACE4_WHO_DIALUP,
695 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
696 .aceFlags = 0,
697 .aceMask = SMB_ACE4_EXECUTE,
698 };
699 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
700
701 nfs4_ace = (SMB_ACE4PROP_T) {
702 .flags = SMB_ACE4_ID_SPECIAL,
703 .who.special_id = SMB_ACE4_WHO_BATCH,
704 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
705 .aceFlags = 0,
706 .aceMask = SMB_ACE4_READ_ATTRIBUTES,
707 };
708 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
709
710 nfs4_ace = (SMB_ACE4PROP_T) {
711 .flags = SMB_ACE4_ID_SPECIAL,
712 .who.special_id = SMB_ACE4_WHO_ANONYMOUS,
713 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
714 .aceFlags = 0,
715 .aceMask = SMB_ACE4_WRITE_ATTRIBUTES,
716 };
717 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
718
719 nfs4_ace = (SMB_ACE4PROP_T) {
720 .flags = SMB_ACE4_ID_SPECIAL,
721 .who.special_id = SMB_ACE4_WHO_AUTHENTICATED,
722 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
723 .aceFlags = 0,
724 .aceMask = SMB_ACE4_READ_ACL,
725 };
726 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
727
728 nfs4_ace = (SMB_ACE4PROP_T) {
729 .flags = SMB_ACE4_ID_SPECIAL,
730 .who.special_id = SMB_ACE4_WHO_SERVICE,
731 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
732 .aceFlags = 0,
733 .aceMask = SMB_ACE4_WRITE_ACL,
734 };
735 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
736
737 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
738 &sids[0], &sids[1], false,
739 &dacl_aces, &good_aces));
740
741 assert_int_equal(good_aces, 3);
742 assert_non_null(dacl_aces);
743
744 assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
745 assert_int_equal(dacl_aces[0].flags, 0);
746 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
747 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
748
749 assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
750 assert_int_equal(dacl_aces[1].flags, 0);
751 assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
752 assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
753
754 assert_int_equal(dacl_aces[2].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
755 assert_int_equal(dacl_aces[2].flags, 0);
756 assert_int_equal(dacl_aces[2].access_mask, SEC_FILE_APPEND_DATA);
757 assert_true(dom_sid_equal(&dacl_aces[2].trustee, &global_sid_World));
758
759 TALLOC_FREE(frame);
760 }
761
762 static void test_dacl_to_special_nfs4(void **state)
763 {
764 struct dom_sid *sids = *state;
765 TALLOC_CTX *frame = talloc_stackframe();
766 struct SMB4ACL_T *nfs4_acl;
767 struct SMB4ACE_T *nfs4_ace_container;
768 SMB_ACE4PROP_T *nfs4_ace;
769 struct security_ace dacl_aces[6];
770 struct security_acl *dacl;
771 struct smbacl4_vfs_params params = {
772 .mode = e_simple,
773 .do_chown = true,
774 .acedup = e_dontcare,
775 .map_full_control = true,
776 };
777
778 /*
779 * global_Sid_World is mapped to EVERYONE.
780 */
781 init_sec_ace(&dacl_aces[0], &global_sid_World,
782 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, 0);
783 /*
784 * global_sid_Unix_NFS is ignored.
785 */
786 init_sec_ace(&dacl_aces[1], &global_sid_Unix_NFS,
787 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA, 0);
788 /*
789 * Anything that maps to owner or owning group with inheritance flags
790 * is NOT mapped to special owner or special group.
791 */
792 init_sec_ace(&dacl_aces[2], &sids[0],
793 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
794 SEC_ACE_FLAG_OBJECT_INHERIT);
795 init_sec_ace(&dacl_aces[3], &sids[0],
796 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
797 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
798 init_sec_ace(&dacl_aces[4], &sids[1],
799 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
800 SEC_ACE_FLAG_OBJECT_INHERIT);
801 init_sec_ace(&dacl_aces[5], &sids[1],
802 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
803 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
804 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
805 ARRAY_SIZE(dacl_aces), dacl_aces);
806 assert_non_null(dacl);
807
808 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params, 1000, 1001);
809
810 assert_non_null(nfs4_acl);
811 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
812 SEC_DESC_SELF_RELATIVE);
813 assert_int_equal(smb_get_naces(nfs4_acl), 5);
814
815 nfs4_ace_container = smb_first_ace4(nfs4_acl);
816 assert_non_null(nfs4_ace_container);
817
818 nfs4_ace = smb_get_ace4(nfs4_ace_container);
819 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
820 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_EVERYONE);
821 assert_int_equal(nfs4_ace->aceFlags, 0);
822 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
823
824 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
825 assert_non_null(nfs4_ace_container);
826
827 nfs4_ace = smb_get_ace4(nfs4_ace_container);
828 assert_int_equal(nfs4_ace->flags, 0);
829 assert_int_equal(nfs4_ace->who.uid, 1000);
830 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
831 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
832
833 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
834 assert_non_null(nfs4_ace_container);
835
836 nfs4_ace = smb_get_ace4(nfs4_ace_container);
837 assert_int_equal(nfs4_ace->flags, 0);
838 assert_int_equal(nfs4_ace->who.uid, 1000);
839 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
840 SMB_ACE4_INHERIT_ONLY_ACE);
841 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
842
843 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
844 assert_non_null(nfs4_ace_container);
845
846 nfs4_ace = smb_get_ace4(nfs4_ace_container);
847 assert_int_equal(nfs4_ace->flags, 0);
848 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
849 SMB_ACE4_FILE_INHERIT_ACE);
850 assert_int_equal(nfs4_ace->who.gid, 1001);
851 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
852
853 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
854 assert_non_null(nfs4_ace_container);
855
856 nfs4_ace = smb_get_ace4(nfs4_ace_container);
857 assert_int_equal(nfs4_ace->flags, 0);
858 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
859 SMB_ACE4_DIRECTORY_INHERIT_ACE|
860 SMB_ACE4_INHERIT_ONLY_ACE);
861 assert_int_equal(nfs4_ace->who.gid, 1001);
862 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
863
864 assert_null(smb_next_ace4(nfs4_ace_container));
865
866 TALLOC_FREE(frame);
867 }
868
869 struct creator_ace_flags {
870 uint32_t dacl_flags;
871 uint32_t nfs4_flags;
872 } creator_ace_flags[] = {
873 { 0, 0 },
874
875 { SEC_ACE_FLAG_INHERIT_ONLY, 0 },
876
877 { SEC_ACE_FLAG_CONTAINER_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
878 SMB_ACE4_INHERIT_ONLY_ACE },
879
880 { SEC_ACE_FLAG_CONTAINER_INHERIT|
881 SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
882 SMB_ACE4_INHERIT_ONLY_ACE },
883
884 { SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_FILE_INHERIT_ACE|
885 SMB_ACE4_INHERIT_ONLY_ACE },
886 { SEC_ACE_FLAG_OBJECT_INHERIT|
887 SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_FILE_INHERIT_ACE|
888 SMB_ACE4_INHERIT_ONLY_ACE },
889
890 { SEC_ACE_FLAG_CONTAINER_INHERIT|
891 SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
892 SMB_ACE4_FILE_INHERIT_ACE|
893 SMB_ACE4_INHERIT_ONLY_ACE },
894
895 { SEC_ACE_FLAG_CONTAINER_INHERIT|
896 SEC_ACE_FLAG_OBJECT_INHERIT|
897 SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
898 SMB_ACE4_FILE_INHERIT_ACE|
899 SMB_ACE4_INHERIT_ONLY_ACE },
900 };
901
902 static void test_dacl_creator_to_nfs4(void **state)
903 {
904 TALLOC_CTX *frame = talloc_stackframe();
905 int i;
906
907 for (i = 0; i < ARRAY_SIZE(creator_ace_flags); i++) {
908 struct SMB4ACL_T *nfs4_acl;
909 struct SMB4ACE_T *nfs4_ace_container;
910 SMB_ACE4PROP_T *nfs4_ace;
911 struct security_ace dacl_aces[2];
912 struct security_acl *dacl;
913 struct smbacl4_vfs_params params = {
914 .mode = e_simple,
915 .do_chown = true,
916 .acedup = e_merge,
917 .map_full_control = true,
918 };
919
920 init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
921 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
922 creator_ace_flags[i].dacl_flags);
923 init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
924 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
925 creator_ace_flags[i].dacl_flags);
926 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
927 ARRAY_SIZE(dacl_aces), dacl_aces);
928 assert_non_null(dacl);
929
930 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
931 101, 102);
932
933 assert_non_null(nfs4_acl);
934 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
935 SEC_DESC_SELF_RELATIVE);
936
937 if (creator_ace_flags[i].nfs4_flags == 0) {
938 /*
939 * CREATOR OWNER and CREATOR GROUP not mapped
940 * in this case.
941 */
942 assert_null(smb_first_ace4(nfs4_acl));
943 } else {
944 assert_int_equal(smb_get_naces(nfs4_acl), 2);
945
946 nfs4_ace_container = smb_first_ace4(nfs4_acl);
947 assert_non_null(nfs4_ace_container);
948
949 nfs4_ace = smb_get_ace4(nfs4_ace_container);
950 assert_non_null(nfs4_ace);
951 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
952 assert_int_equal(nfs4_ace->who.special_id,
953 SMB_ACE4_WHO_OWNER);
954 assert_int_equal(nfs4_ace->aceFlags,
955 creator_ace_flags[i].nfs4_flags);
956 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
957
958 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
959 assert_non_null(nfs4_ace_container);
960 assert_null(smb_next_ace4(nfs4_ace_container));
961
962 nfs4_ace = smb_get_ace4(nfs4_ace_container);
963 assert_non_null(nfs4_ace);
964 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
965 assert_int_equal(nfs4_ace->who.special_id,
966 SMB_ACE4_WHO_GROUP);
967 assert_int_equal(nfs4_ace->aceFlags,
968 creator_ace_flags[i].nfs4_flags);
969 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
970 }
971 }
972
973 TALLOC_FREE(frame);
974 }
975
976 struct creator_owner_nfs4_to_dacl {
977 uint32_t special_id;
978 uint32_t nfs4_ace_flags;
979 uint32_t dacl_ace_flags;
980 } creator_owner_nfs4_to_dacl[] = {
981 { SMB_ACE4_WHO_OWNER,
982 SMB_ACE4_FILE_INHERIT_ACE,
983 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
984 { SMB_ACE4_WHO_OWNER,
985 SMB_ACE4_DIRECTORY_INHERIT_ACE,
986 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
987 { SMB_ACE4_WHO_OWNER,
988 SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
989 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
990 SEC_ACE_FLAG_INHERIT_ONLY },
991 { SMB_ACE4_WHO_GROUP,
992 SMB_ACE4_FILE_INHERIT_ACE,
993 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
994 { SMB_ACE4_WHO_GROUP,
995 SMB_ACE4_DIRECTORY_INHERIT_ACE,
996 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
997 { SMB_ACE4_WHO_GROUP,
998 SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
999 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
1000 SEC_ACE_FLAG_INHERIT_ONLY },
1001 };
1002
1003 static void test_nfs4_to_dacl_creator(void **state)
1004 {
1005 struct dom_sid *sids = *state;
1006 TALLOC_CTX *frame = talloc_stackframe();
1007 int i;
1008
1009 for (i = 0; i < ARRAY_SIZE(creator_owner_nfs4_to_dacl); i++) {
1010 struct SMB4ACL_T *nfs4_acl;
1011 SMB_ACE4PROP_T nfs4_ace;
1012 struct security_ace *dacl_aces, *creator_dacl_ace;
1013 int good_aces;
1014 struct smbacl4_vfs_params params = {
1015 .mode = e_simple,
1016 .do_chown = true,
1017 .acedup = e_merge,
1018 .map_full_control = true,
1019 };
1020
1021 nfs4_acl = smb_create_smb4acl(frame);
1022 assert_non_null(nfs4_acl);
1023
1024 nfs4_ace = (SMB_ACE4PROP_T) {
1025 .flags = SMB_ACE4_ID_SPECIAL,
1026 .who.special_id
1027 = creator_owner_nfs4_to_dacl[i].special_id,
1028 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1029 .aceFlags
1030 = creator_owner_nfs4_to_dacl[i].nfs4_ace_flags,
1031 .aceMask = SMB_ACE4_READ_DATA,
1032 };
1033 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1034
1035 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
1036 &sids[0], &sids[1], true,
1037 &dacl_aces, &good_aces));
1038 assert_non_null(dacl_aces);
1039
1040 if (creator_owner_nfs4_to_dacl[i].nfs4_ace_flags &
1041 SMB_ACE4_INHERIT_ONLY_ACE) {
1042 /*
1043 * Only one ACE entry for the CREATOR ACE entry.
1044 */
1045 assert_int_equal(good_aces, 1);
1046 creator_dacl_ace = &dacl_aces[0];
1047 } else {
1048 /*
1049 * This creates an additional ACE entry for
1050 * the permissions on the current object.
1051 */
1052 assert_int_equal(good_aces, 2);
1053
1054 assert_int_equal(dacl_aces[0].type,
1055 SEC_ACE_TYPE_ACCESS_ALLOWED);
1056 assert_int_equal(dacl_aces[0].flags, 0);
1057 assert_int_equal(dacl_aces[0].access_mask,
1058 SEC_FILE_READ_DATA);
1059
1060 if (creator_owner_nfs4_to_dacl[i].special_id ==
1061 SMB_ACE4_WHO_OWNER) {
1062 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1063 &sids[0]));
1064 }
1065
1066 if (creator_owner_nfs4_to_dacl[i].special_id ==
1067 SMB_ACE4_WHO_GROUP) {
1068 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1069 &sids[1]));
1070 }
1071
1072 creator_dacl_ace = &dacl_aces[1];
1073 }
1074
1075 assert_int_equal(creator_dacl_ace->type,
1076 SEC_ACE_TYPE_ACCESS_ALLOWED);
1077 assert_int_equal(creator_dacl_ace->flags,
1078 creator_owner_nfs4_to_dacl[i].dacl_ace_flags);
1079 assert_int_equal(creator_dacl_ace->access_mask,
1080 SEC_FILE_READ_DATA);
1081 if (creator_owner_nfs4_to_dacl[i].special_id ==
1082 SMB_ACE4_WHO_OWNER) {
1083 assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
1084 &global_sid_Creator_Owner));
1085 }
1086
1087 if (creator_owner_nfs4_to_dacl[i].special_id ==
1088 SMB_ACE4_WHO_GROUP) {
1089 assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
1090 &global_sid_Creator_Group));
1091 }
1092 }
1093
1094 TALLOC_FREE(frame);
1095 }
1096
1097 struct nfs4_to_dacl_map_full_control{
1098 bool is_dir;
1099 bool config;
1100 bool delete_child_added;
1101 } nfs4_to_dacl_full_control[] = {
1102 { true, true, false },
1103 { true, false, false },
1104 { false, true, true },
1105 { false, false, false },
1106 };
1107
1108 static void test_full_control_nfs4_to_dacl(void **state)
1109 {
1110 struct dom_sid *sids = *state;
1111 TALLOC_CTX *frame = talloc_stackframe();
1112 int i;
1113
1114 for (i = 0; i < ARRAY_SIZE(nfs4_to_dacl_full_control); i++) {
1115 struct SMB4ACL_T *nfs4_acl;
1116 SMB_ACE4PROP_T nfs4_ace;
1117 struct security_ace *dacl_aces;
1118 int good_aces;
1119 struct smbacl4_vfs_params params = {
1120 .mode = e_simple,
1121 .do_chown = true,
1122 .acedup = e_merge,
1123 .map_full_control = nfs4_to_dacl_full_control[i].config,
1124 };
1125 const uint32_t nfs4_ace_mask_except_deletes =
1126 SMB_ACE4_READ_DATA|SMB_ACE4_WRITE_DATA|
1127 SMB_ACE4_APPEND_DATA|SMB_ACE4_READ_NAMED_ATTRS|
1128 SMB_ACE4_WRITE_NAMED_ATTRS|SMB_ACE4_EXECUTE|
1129 SMB_ACE4_READ_ATTRIBUTES|SMB_ACE4_WRITE_ATTRIBUTES|
1130 SMB_ACE4_READ_ACL|SMB_ACE4_WRITE_ACL|
1131 SMB_ACE4_WRITE_OWNER|SMB_ACE4_SYNCHRONIZE;
1132 const uint32_t dacl_ace_mask_except_deletes =
1133 SEC_FILE_READ_DATA|SEC_FILE_WRITE_DATA|
1134 SEC_FILE_APPEND_DATA|SEC_FILE_READ_EA|
1135 SEC_FILE_WRITE_EA|SEC_FILE_EXECUTE|
1136 SEC_FILE_READ_ATTRIBUTE|SEC_FILE_WRITE_ATTRIBUTE|
1137 SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|
1138 SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE;
1139
1140 nfs4_acl = smb_create_smb4acl(frame);
1141 assert_non_null(nfs4_acl);
1142
1143 nfs4_ace = (SMB_ACE4PROP_T) {
1144 .flags = 0,
1145 .who.uid = 1000,
1146 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1147 .aceFlags = 0,
1148 .aceMask = nfs4_ace_mask_except_deletes,
1149 };
1150 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1151
1152 assert_true(
1153 smbacl4_nfs42win(frame, &params, nfs4_acl,
1154 &sids[0], &sids[1],
1155 nfs4_to_dacl_full_control[i].is_dir,
1156 &dacl_aces, &good_aces));
1157
1158 assert_int_equal(good_aces, 1);
1159 assert_non_null(dacl_aces);
1160
1161 assert_int_equal(dacl_aces[0].type,
1162 SEC_ACE_TYPE_ACCESS_ALLOWED);
1163 assert_int_equal(dacl_aces[0].flags, 0);
1164 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
1165 if (nfs4_to_dacl_full_control[i].delete_child_added) {
1166 assert_int_equal(dacl_aces[0].access_mask,
1167 dacl_ace_mask_except_deletes|
1168 SEC_DIR_DELETE_CHILD);
1169 } else {
1170 assert_int_equal(dacl_aces[0].access_mask,
1171 dacl_ace_mask_except_deletes);
1172 }
1173 }
1174
1175 TALLOC_FREE(frame);
1176 }
1177
1178 struct acedup_settings {
1179 enum smbacl4_acedup_enum setting;
1180 } acedup_settings[] = {
1181 { e_dontcare },
1182 { e_reject },
1183 { e_ignore },
1184 { e_merge },
1185 };
1186
1187 static void test_dacl_to_nfs4_acedup_settings(void **state)
1188 {
1189 struct dom_sid *sids = *state;
1190 TALLOC_CTX *frame = talloc_stackframe();
1191 int i;
1192
1193 for (i = 0; i < ARRAY_SIZE(acedup_settings); i++) {
1194 struct SMB4ACL_T *nfs4_acl;
1195 struct SMB4ACE_T *nfs4_ace_container;
1196 SMB_ACE4PROP_T *nfs4_ace;
1197 struct security_ace dacl_aces[2];
1198 struct security_acl *dacl;
1199 struct smbacl4_vfs_params params = {
1200 .mode = e_simple,
1201 .do_chown = true,
1202 .acedup = acedup_settings[i].setting,
1203 .map_full_control = true,
1204 };
1205
1206 init_sec_ace(&dacl_aces[0], &sids[0],
1207 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1208 SEC_ACE_FLAG_OBJECT_INHERIT);
1209 init_sec_ace(&dacl_aces[1], &sids[0],
1210 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1211 SEC_ACE_FLAG_OBJECT_INHERIT);
1212 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1213 ARRAY_SIZE(dacl_aces), dacl_aces);
1214 assert_non_null(dacl);
1215
1216 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
1217 101, 102);
1218
1219 switch(params.acedup) {
1220 case e_dontcare:
1221 assert_non_null(nfs4_acl);
1222 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1223 SEC_DESC_SELF_RELATIVE);
1224 assert_int_equal(smb_get_naces(nfs4_acl), 2);
1225
1226 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1227 assert_non_null(nfs4_ace_container);
1228
1229 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1230 assert_int_equal(nfs4_ace->flags, 0);
1231 assert_int_equal(nfs4_ace->who.uid, 1000);
1232 assert_int_equal(nfs4_ace->aceFlags,
1233 SMB_ACE4_FILE_INHERIT_ACE);
1234 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1235
1236 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1237 assert_non_null(nfs4_ace_container);
1238 assert_null(smb_next_ace4(nfs4_ace_container));
1239
1240 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1241 assert_int_equal(nfs4_ace->flags, 0);
1242 assert_int_equal(nfs4_ace->who.uid, 1000);
1243 assert_int_equal(nfs4_ace->aceFlags,
1244 SMB_ACE4_FILE_INHERIT_ACE);
1245 assert_int_equal(nfs4_ace->aceMask,
1246 SMB_ACE4_WRITE_DATA);
1247 break;
1248
1249 case e_reject:
1250 assert_null(nfs4_acl);
1251 assert_int_equal(errno, EINVAL);
1252 break;
1253
1254 case e_ignore:
1255 assert_non_null(nfs4_acl);
1256 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1257 SEC_DESC_SELF_RELATIVE);
1258 assert_int_equal(smb_get_naces(nfs4_acl), 1);
1259
1260 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1261 assert_non_null(nfs4_ace_container);
1262 assert_null(smb_next_ace4(nfs4_ace_container));
1263
1264 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1265 assert_int_equal(nfs4_ace->flags, 0);
1266 assert_int_equal(nfs4_ace->who.uid, 1000);
1267 assert_int_equal(nfs4_ace->aceFlags,
1268 SMB_ACE4_FILE_INHERIT_ACE);
1269 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1270 break;
1271
1272 case e_merge:
1273 assert_non_null(nfs4_acl);
1274 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1275 SEC_DESC_SELF_RELATIVE);
1276 assert_int_equal(smb_get_naces(nfs4_acl), 1);
1277
1278 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1279 assert_non_null(nfs4_ace_container);
1280 assert_null(smb_next_ace4(nfs4_ace_container));
1281
1282 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1283 assert_int_equal(nfs4_ace->flags, 0);
1284 assert_int_equal(nfs4_ace->who.uid, 1000);
1285 assert_int_equal(nfs4_ace->aceFlags,
1286 SMB_ACE4_FILE_INHERIT_ACE);
1287 assert_int_equal(nfs4_ace->aceMask,
1288 SMB_ACE4_READ_DATA|
1289 SMB_ACE4_WRITE_DATA);
1290 break;
1291
1292 default:
1293 fail_msg("Unexpected value for acedup: %d\n",
1294 params.acedup);
1295 };
1296 }
1297
1298 TALLOC_FREE(frame);
1299 }
1300
1301 struct acedup_match {
1302 int sid_idx1;
1303 enum security_ace_type type1;
1304 uint32_t ace_mask1;
1305 uint8_t flag1;
1306 int sid_idx2;
1307 enum security_ace_type type2;
1308 uint32_t ace_mask2;
1309 uint8_t flag2;
1310 bool match;
1311 } acedup_match[] = {
1312 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1313 SEC_ACE_FLAG_OBJECT_INHERIT,
1314 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1315 SEC_ACE_FLAG_OBJECT_INHERIT,
1316 true },
1317 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1318 SEC_ACE_FLAG_OBJECT_INHERIT,
1319 1, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1320 SEC_ACE_FLAG_OBJECT_INHERIT,
1321 false },
1322 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1323 SEC_ACE_FLAG_OBJECT_INHERIT,
1324 0, SEC_ACE_TYPE_ACCESS_DENIED, SEC_FILE_READ_DATA,
1325 SEC_ACE_FLAG_OBJECT_INHERIT,
1326 false },
1327 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1328 SEC_ACE_FLAG_OBJECT_INHERIT,
1329 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1330 SEC_ACE_FLAG_OBJECT_INHERIT,
1331 true },
1332 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1333 SEC_ACE_FLAG_OBJECT_INHERIT,
1334 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1335 SEC_ACE_FLAG_CONTAINER_INHERIT,
1336 false },
1337 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1338 SEC_ACE_FLAG_OBJECT_INHERIT,
1339 5, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1340 SEC_ACE_FLAG_OBJECT_INHERIT,
1341 false },
1342 };
1343
1344 static void test_dacl_to_nfs4_acedup_match(void **state)
1345 {
1346 struct dom_sid *sids = *state;
1347 TALLOC_CTX *frame = talloc_stackframe();
1348 int i;
1349
1350 for (i = 0; i < ARRAY_SIZE(acedup_match); i++) {
1351 struct SMB4ACL_T *nfs4_acl;
1352 struct SMB4ACE_T *nfs4_ace_container;
1353 SMB_ACE4PROP_T *nfs4_ace;
1354 struct security_ace dacl_aces[2];
1355 struct security_acl *dacl;
1356 struct smbacl4_vfs_params params = {
1357 .mode = e_simple,
1358 .do_chown = true,
1359 .acedup = e_ignore,
1360 .map_full_control = true,
1361 };
1362
1363 init_sec_ace(&dacl_aces[0],
1364 &sids[acedup_match[i].sid_idx1],
1365 acedup_match[i].type1,
1366 acedup_match[i].ace_mask1,
1367 acedup_match[i].flag1);
1368 init_sec_ace(&dacl_aces[1],
1369 &sids[acedup_match[i].sid_idx2],
1370 acedup_match[i].type2,
1371 acedup_match[i].ace_mask2,
1372 acedup_match[i].flag2);
1373 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1374 ARRAY_SIZE(dacl_aces), dacl_aces);
1375 assert_non_null(dacl);
1376
1377 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
1378 101, 102);
1379 assert_non_null(nfs4_acl);
1380 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1381 SEC_DESC_SELF_RELATIVE);
1382
1383 if (acedup_match[i].match) {
1384 assert_int_equal(smb_get_naces(nfs4_acl), 1);
1385
1386 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1387 assert_non_null(nfs4_ace_container);
1388 assert_null(smb_next_ace4(nfs4_ace_container));
1389
1390 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1391 assert_int_equal(nfs4_ace->flags, 0);
1392 assert_int_equal(nfs4_ace->who.uid, 1000);
1393 assert_int_equal(nfs4_ace->aceFlags,
1394 SMB_ACE4_FILE_INHERIT_ACE);
1395 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1396
1397 } else {
1398 assert_int_equal(smb_get_naces(nfs4_acl), 2);
1399
1400 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1401 assert_non_null(nfs4_ace_container);
1402
1403 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1404 assert_int_equal(nfs4_ace->flags, 0);
1405 assert_int_equal(nfs4_ace->who.uid, 1000);
1406 assert_int_equal(nfs4_ace->aceFlags,
1407 SMB_ACE4_FILE_INHERIT_ACE);
1408 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1409
1410 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1411 assert_non_null(nfs4_ace_container);
1412 assert_null(smb_next_ace4(nfs4_ace_container));
1413
1414 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1415 assert_int_equal(nfs4_ace->flags, 0);
1416 }
1417 }
1418
1419 TALLOC_FREE(frame);
1420 }
1421
1422 static void test_dacl_to_nfs4_config_special(void **state)
1423 {
1424 struct dom_sid *sids = *state;
1425 TALLOC_CTX *frame = talloc_stackframe();
1426 struct SMB4ACL_T *nfs4_acl;
1427 struct SMB4ACE_T *nfs4_ace_container;
1428 SMB_ACE4PROP_T *nfs4_ace;
1429 struct security_ace dacl_aces[6];
1430 struct security_acl *dacl;
1431 struct smbacl4_vfs_params params = {
1432 .mode = e_special,
1433 .do_chown = true,
1434 .acedup = e_dontcare,
1435 .map_full_control = true,
1436 };
1437
1438 /*
1439 * global_sid_Creator_Owner or global_sid_Special_Group is NOT mapped
1440 * to SMB_ACE4_ID_SPECIAL.
1441 */
1442 init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
1443 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1444 SEC_ACE_FLAG_OBJECT_INHERIT);
1445 init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
1446 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1447 SEC_ACE_FLAG_CONTAINER_INHERIT);
1448 /*
1449 * Anything that maps to owner or owning group with inheritance flags
1450 * IS mapped to special owner or special group.
1451 */
1452 init_sec_ace(&dacl_aces[2], &sids[0],
1453 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1454 SEC_ACE_FLAG_OBJECT_INHERIT);
1455 init_sec_ace(&dacl_aces[3], &sids[0],
1456 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1457 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1458 init_sec_ace(&dacl_aces[4], &sids[1],
1459 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1460 SEC_ACE_FLAG_OBJECT_INHERIT);
1461 init_sec_ace(&dacl_aces[5], &sids[1],
1462 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1463 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1464 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1465 ARRAY_SIZE(dacl_aces), dacl_aces);
1466 assert_non_null(dacl);
1467
1468 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params, 1000, 1001);
1469
1470 assert_non_null(nfs4_acl);
1471 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1472 SEC_DESC_SELF_RELATIVE);
1473 assert_int_equal(smb_get_naces(nfs4_acl), 6);
1474
1475 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1476 assert_non_null(nfs4_ace_container);
1477
1478 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1479 assert_int_equal(nfs4_ace->flags, 0);
1480 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
1481 assert_int_equal(nfs4_ace->who.uid, 1003);
1482 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1483
1484 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1485 assert_non_null(nfs4_ace_container);
1486
1487 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1488 assert_int_equal(nfs4_ace->flags, 0);
1489 assert_int_equal(nfs4_ace->aceFlags,
1490 SMB_ACE4_IDENTIFIER_GROUP|
1491 SMB_ACE4_DIRECTORY_INHERIT_ACE);
1492 assert_int_equal(nfs4_ace->who.gid, 1004);
1493 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
1494
1495 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1496 assert_non_null(nfs4_ace_container);
1497
1498 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1499 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1500 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
1501 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
1502 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1503
1504 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1505 assert_non_null(nfs4_ace_container);
1506
1507 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1508 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1509 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
1510 SMB_ACE4_INHERIT_ONLY_ACE);
1511 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
1512 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1513
1514 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1515 assert_non_null(nfs4_ace_container);
1516
1517 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1518 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1519 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
1520 SMB_ACE4_FILE_INHERIT_ACE);
1521 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
1522 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1523
1524 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1525 assert_non_null(nfs4_ace_container);
1526
1527 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1528 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1529 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
1530 SMB_ACE4_DIRECTORY_INHERIT_ACE|
1531 SMB_ACE4_INHERIT_ONLY_ACE);
1532 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
1533 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1534
1535 assert_null(smb_next_ace4(nfs4_ace_container));
1536
1537 TALLOC_FREE(frame);
1538 }
1539
1540 static void test_nfs4_to_dacl_config_special(void **state)
1541 {
1542 struct dom_sid *sids = *state;
1543 TALLOC_CTX *frame = talloc_stackframe();
1544 struct SMB4ACL_T *nfs4_acl;
1545 SMB_ACE4PROP_T nfs4_ace;
1546 struct security_ace *dacl_aces;
1547 int good_aces;
1548 struct smbacl4_vfs_params params = {
1549 .mode = e_special,
1550 .do_chown = true,
1551 .acedup = e_dontcare,
1552 .map_full_control = true,
1553 };
1554
1555 nfs4_acl = smb_create_smb4acl(frame);
1556 assert_non_null(nfs4_acl);
1557
1558 /*
1559 * In config mode special, this is not mapped to Creator Owner
1560 */
1561 nfs4_ace = (SMB_ACE4PROP_T) {
1562 .flags = SMB_ACE4_ID_SPECIAL,
1563 .who.special_id = SMB_ACE4_WHO_OWNER,
1564 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1565 .aceFlags = SMB_ACE4_FILE_INHERIT_ACE,
1566 .aceMask = SMB_ACE4_READ_DATA,
1567 };
1568 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1569
1570 /*
1571 * In config mode special, this is not mapped to Creator Group
1572 */
1573 nfs4_ace = (SMB_ACE4PROP_T) {
1574 .flags = SMB_ACE4_ID_SPECIAL,
1575 .who.special_id = SMB_ACE4_WHO_GROUP,
1576 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1577 .aceFlags = SMB_ACE4_DIRECTORY_INHERIT_ACE,
1578 .aceMask = SMB_ACE4_WRITE_DATA,
1579 };
1580 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1581
1582 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
1583 &sids[0], &sids[1], true,
1584 &dacl_aces, &good_aces));
1585
1586 assert_int_equal(good_aces, 2);
1587 assert_non_null(dacl_aces);
1588
1589 assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1590 assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_OBJECT_INHERIT);
1591 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
1592 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
1593
1594 assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1595 assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_CONTAINER_INHERIT);
1596 assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
1597 assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
1598
1599 TALLOC_FREE(frame);
1600 }
1601
1602 struct nfs_to_dacl_idmap_both {
1603 uint32_t nfs4_flags;
1604 uint32_t nfs4_id;
1605 struct dom_sid *sid;
1606 };
1607
1608 static void test_nfs4_to_dacl_idmap_type_both(void **state)
1609 {
1610 struct dom_sid *sids = *state;
1611 TALLOC_CTX *frame = talloc_stackframe();
1612 int i;
1613 struct nfs_to_dacl_idmap_both nfs_to_dacl_idmap_both[] = {
1614 { 0, 1002, &sids[2] },
1615 { SMB_ACE4_IDENTIFIER_GROUP, 1002, &sids[2] },
1616 { 0, 1005, &sids[6] },
1617 { SMB_ACE4_IDENTIFIER_GROUP, 1005, &sids[6] },
1618 };
1619
1620 for (i = 0; i < ARRAY_SIZE(nfs_to_dacl_idmap_both); i++) {
1621 struct SMB4ACL_T *nfs4_acl;
1622 struct security_ace *dacl_aces;
1623 SMB_ACE4PROP_T nfs4_ace;
1624 int good_aces;
1625 struct smbacl4_vfs_params params = {
1626 .mode = e_simple,
1627 .do_chown = true,
1628 .acedup = e_merge,
1629 .map_full_control = true,
1630 };
1631
1632 nfs4_acl = smb_create_smb4acl(frame);
1633 assert_non_null(nfs4_acl);
1634
1635 nfs4_ace = (SMB_ACE4PROP_T) {
1636 .flags = 0,
1637 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1638 .aceFlags = nfs_to_dacl_idmap_both[i].nfs4_flags,
1639 .aceMask = SMB_ACE4_READ_DATA,
1640 };
1641
1642 if (nfs_to_dacl_idmap_both[i].nfs4_flags &
1643 SMB_ACE4_IDENTIFIER_GROUP) {
1644 nfs4_ace.who.gid = nfs_to_dacl_idmap_both[i].nfs4_id;
1645 } else {
1646 nfs4_ace.who.uid = nfs_to_dacl_idmap_both[i].nfs4_id;
1647 }
1648 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1649
1650 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
1651 &sids[2], &sids[2],
1652 false, &dacl_aces, &good_aces));
1653
1654 assert_int_equal(good_aces, 1);
1655 assert_non_null(dacl_aces);
1656
1657 assert_int_equal(dacl_aces[0].type,
1658 SEC_ACE_TYPE_ACCESS_ALLOWED);
1659 assert_int_equal(dacl_aces[0].flags, 0);
1660 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
1661 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1662 nfs_to_dacl_idmap_both[i].sid));
1663 }
1664
1665 TALLOC_FREE(frame);
1666 }
1667
1668 struct dacl_to_nfs4_idmap_both {
1669 struct dom_sid *sid;
1670 uint32_t dacl_flags;
1671 uint32_t nfs4_flags;
1672 uint32_t nfs4_ace_flags;
1673 uint32_t nfs4_id;
1674 int num_nfs4_aces;
1675 };
1676
1677 /*
1678 * IDMAP_TYPE_BOTH always creates group entries.
1679 */
1680 static void test_dacl_to_nfs4_idmap_type_both(void **state)
1681 {
1682 struct dom_sid *sids = *state;
1683 TALLOC_CTX *frame = talloc_stackframe();
1684 int i;
1685
1686 struct dacl_to_nfs4_idmap_both dacl_to_nfs4_idmap_both[] = {
1687 { &sids[2], 0,
1688 SMB_ACE4_ID_SPECIAL, SMB_ACE4_IDENTIFIER_GROUP, SMB_ACE4_WHO_GROUP,
1689 2 },
1690 { &sids[2], SEC_ACE_FLAG_OBJECT_INHERIT,
1691 0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1002,
1692 1 },
1693 { &sids[6], 0,
1694 0, SMB_ACE4_IDENTIFIER_GROUP, 1005,
1695 1 },
1696 { &sids[6], SEC_ACE_FLAG_OBJECT_INHERIT,
1697 0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1005,
1698 1 },
1699 };
1700
1701 for (i = 0; i < ARRAY_SIZE(dacl_to_nfs4_idmap_both); i++) {
1702 struct SMB4ACL_T *nfs4_acl;
1703 struct SMB4ACE_T *nfs4_ace_container;
1704 SMB_ACE4PROP_T *nfs4_ace;
1705 struct security_ace dacl_aces[1];
1706 struct security_acl *dacl;
1707 struct smbacl4_vfs_params params = {
1708 .mode = e_simple,
1709 .do_chown = true,
1710 .acedup = e_merge,
1711 .map_full_control = true,
1712 };
1713
1714 init_sec_ace(&dacl_aces[0], dacl_to_nfs4_idmap_both[i].sid,
1715 SEC_ACE_TYPE_ACCESS_ALLOWED,
1716 SEC_FILE_READ_DATA,
1717 dacl_to_nfs4_idmap_both[i].dacl_flags);
1718 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1719 ARRAY_SIZE(dacl_aces), dacl_aces);
1720 assert_non_null(dacl);
1721
1722 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
1723 1002, 1002);
1724
1725 assert_non_null(nfs4_acl);
1726 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1727 SEC_DESC_SELF_RELATIVE);
1728 assert_int_equal(smb_get_naces(nfs4_acl),
1729 dacl_to_nfs4_idmap_both[i].num_nfs4_aces);
1730
1731 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1732 assert_non_null(nfs4_ace_container);
1733
1734 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1735 assert_int_equal(nfs4_ace->flags,
1736 dacl_to_nfs4_idmap_both[i].nfs4_flags);
1737 assert_int_equal(nfs4_ace->aceFlags,
1738 dacl_to_nfs4_idmap_both[i].nfs4_ace_flags);
1739 if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
1740 assert_int_equal(nfs4_ace->who.special_id,
1741 dacl_to_nfs4_idmap_both[i].nfs4_id);
1742 } else if (nfs4_ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) {
1743 assert_int_equal(nfs4_ace->who.gid,
1744 dacl_to_nfs4_idmap_both[i].nfs4_id);
1745 } else {
1746 assert_int_equal(nfs4_ace->who.uid,
1747 dacl_to_nfs4_idmap_both[i].nfs4_id);
1748 }
1749 assert_int_equal(nfs4_ace->aceType,
1750 SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
1751 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1752
1753 if (dacl_to_nfs4_idmap_both[i].num_nfs4_aces == 2) {
1754 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1755 assert_non_null(nfs4_ace_container);
1756
1757 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1758 assert_int_equal(nfs4_ace->flags,
1759 dacl_to_nfs4_idmap_both[i].nfs4_flags);
1760 assert_int_equal(nfs4_ace->aceFlags,
1761 dacl_to_nfs4_idmap_both[i].nfs4_ace_flags &
1762 ~SMB_ACE4_IDENTIFIER_GROUP);
1763 if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
1764 assert_int_equal(nfs4_ace->who.special_id,
1765 SMB_ACE4_WHO_OWNER);
1766 } else {
1767 assert_int_equal(nfs4_ace->who.uid,
1768 dacl_to_nfs4_idmap_both[i].nfs4_id);
1769 }
1770 assert_int_equal(nfs4_ace->aceType,
1771 SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
1772 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1773 }
1774 }
1775
1776 TALLOC_FREE(frame);
1777 }
1778
1779 static void test_nfs4_to_dacl_remove_duplicate(void **state)
1780 {
1781
1782 struct dom_sid *sids = *state;
1783 TALLOC_CTX *frame = talloc_stackframe();
1784 struct SMB4ACL_T *nfs4_acl;
1785 SMB_ACE4PROP_T nfs4_ace;
1786 struct security_ace *dacl_aces;
1787 int good_aces;
1788 struct smbacl4_vfs_params params = {
1789 .mode = e_simple,
1790 .do_chown = true,
1791 .acedup = e_dontcare,
1792 .map_full_control = true,
1793 };
1794
1795 nfs4_acl = smb_create_smb4acl(frame);
1796 assert_non_null(nfs4_acl);
1797
1798 nfs4_ace = (SMB_ACE4PROP_T) {
1799 .flags = 0,
1800 .who.uid = 1002,
1801 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1802 .aceFlags = SMB_ACE4_INHERITED_ACE,
1803 .aceMask = SMB_ACE4_WRITE_DATA,
1804 };
1805 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1806
1807 nfs4_ace = (SMB_ACE4PROP_T) {
1808 .flags = 0,
1809 .who.gid = 1002,
1810 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1811 .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1812 SMB_ACE4_INHERITED_ACE,
1813 .aceMask = SMB_ACE4_WRITE_DATA,
1814 };
1815 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1816
1817 nfs4_ace = (SMB_ACE4PROP_T) {
1818 .flags = 0,
1819 .who.gid = 1002,
1820 .aceType = SMB_ACE4_ACCESS_DENIED_ACE_TYPE,
1821 .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1822 SMB_ACE4_INHERITED_ACE,
1823 .aceMask = SMB_ACE4_WRITE_DATA,
1824 };
1825 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1826
1827 nfs4_ace = (SMB_ACE4PROP_T) {
1828 .flags = 0,
1829 .who.gid = 1002,
1830 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1831 .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1832 SMB_ACE4_INHERITED_ACE,
1833 .aceMask = SMB_ACE4_WRITE_DATA,
1834 };
1835 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1836
1837 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
1838 &sids[0], &sids[1], true,
1839 &dacl_aces, &good_aces));
1840
1841 assert_int_equal(good_aces, 2);
1842 assert_non_null(dacl_aces);
1843
1844 assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1845 assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_INHERITED_ACE);
1846 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_WRITE_DATA);
1847 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[2]));
1848
1849 assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_DENIED);
1850 assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_INHERITED_ACE);
1851 assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
1852 assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[2]));
1853
1854 TALLOC_FREE(frame);
1855 }
1856
1857 int main(int argc, char **argv)
1858 {
1859 const struct CMUnitTest tests[] = {
1860 cmocka_unit_test(test_cached_id_mappings),
1861 cmocka_unit_test(test_empty_nfs4_to_dacl),
1862 cmocka_unit_test(test_empty_dacl_to_nfs4),
1863 cmocka_unit_test(test_acl_type_nfs4_to_dacl),
1864 cmocka_unit_test(test_acl_type_dacl_to_nfs4),
1865 cmocka_unit_test(test_ace_flags_nfs4_to_dacl),
1866 cmocka_unit_test(test_ace_flags_dacl_to_nfs4),
1867 cmocka_unit_test(test_nfs4_permissions_to_dacl),
1868 cmocka_unit_test(test_dacl_permissions_to_nfs4),
1869 cmocka_unit_test(test_special_nfs4_to_dacl),
1870 cmocka_unit_test(test_dacl_to_special_nfs4),
1871 cmocka_unit_test(test_dacl_creator_to_nfs4),
1872 cmocka_unit_test(test_nfs4_to_dacl_creator),
1873 cmocka_unit_test(test_full_control_nfs4_to_dacl),
1874 cmocka_unit_test(test_dacl_to_nfs4_acedup_settings),
1875 cmocka_unit_test(test_dacl_to_nfs4_acedup_match),
1876 cmocka_unit_test(test_dacl_to_nfs4_config_special),
1877 cmocka_unit_test(test_nfs4_to_dacl_config_special),
1878 cmocka_unit_test(test_nfs4_to_dacl_idmap_type_both),
1879 cmocka_unit_test(test_dacl_to_nfs4_idmap_type_both),
1880 cmocka_unit_test(test_nfs4_to_dacl_remove_duplicate),
1881 };
1882
1883 cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
1884
1885 if (argc != 2) {
1886 print_error("Usage: %s smb.conf\n", argv[0]);
1887 exit(1);
1888 }
1889
1890 /*
1891 * Initialize enough of the Samba internals to have the
1892 * mappings tests work.
1893 */
1894 talloc_stackframe();
1895 lp_load_global(argv[1]);
1896
1897 return cmocka_run_group_tests(tests, group_setup, group_teardown);
1898 }
Samba GIT mirror