From: Christof Schmitt Date: Tue, 2 Jul 2019 19:07:36 +0000 (-0700) Subject: test_nfs4_acls: Add test for acedup settings X-Git-Tag: samba-4.9.12~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b130cc4d10c50fbdb088bead23c89938991d1b4;p=thirdparty%2Fsamba.git test_nfs4_acls: Add test for acedup settings The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries are either merged, ignored or rejected. Add a testcase that has duplicate ACL entries and verify the expected behavior for all possible settings of the nfs4:acedup option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt Reviewed-by: Ralph Boehme (cherry picked from commit 9671bf2b9f055012057620207624aa2f4ea6833e)
---
diff --git a/source3/modules/test_nfs4_acls.c b/source3/modules/test_nfs4_acls.c
index 733217b1f2e..c4f3d8052e4 100644
--- a/source3/modules/test_nfs4_acls.c
+++ b/source3/modules/test_nfs4_acls.c
@@ -1175,6 +1175,129 @@ static void test_full_control_nfs4_to_dacl(void **state)
 TALLOC_FREE(frame);
 }
 
+struct acedup_settings {
+ enum smbacl4_acedup_enum setting;
+} acedup_settings[] = {
+ { e_dontcare },
+ { e_reject },
+ { e_ignore },
+ { e_merge },
+};
+
+static void test_dacl_to_nfs4_acedup_settings(void **state)
+{
+ struct dom_sid *sids = *state;
+ TALLOC_CTX *frame = talloc_stackframe();
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(acedup_settings); i++) {
+ struct SMB4ACL_T *nfs4_acl;
+ struct SMB4ACE_T *nfs4_ace_container;
+ SMB_ACE4PROP_T *nfs4_ace;
+ struct security_ace dacl_aces[2];
+ struct security_acl *dacl;
+ struct smbacl4_vfs_params params = {
+ .mode = e_simple,
+ .do_chown = true,
+ .acedup = acedup_settings[i].setting,
+ .map_full_control = true,
+ };
+
+ init_sec_ace(&dacl_aces[0], &sids[0],
+ SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
+ SEC_ACE_FLAG_OBJECT_INHERIT);
+ init_sec_ace(&dacl_aces[1], &sids[0],
+ SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
+ SEC_ACE_FLAG_OBJECT_INHERIT);
+ dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
+ ARRAY_SIZE(dacl_aces), dacl_aces);
+ assert_non_null(dacl);
+
+ nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
+ 101, 102);
+
+ switch(params.acedup) {
+ case e_dontcare:
+ assert_non_null(nfs4_acl);
+ assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
+ SEC_DESC_SELF_RELATIVE);
+ assert_int_equal(smb_get_naces(nfs4_acl), 2);
+
+ nfs4_ace_container = smb_first_ace4(nfs4_acl);
+ assert_non_null(nfs4_ace_container);
+
+ nfs4_ace = smb_get_ace4(nfs4_ace_container);
+ assert_int_equal(nfs4_ace->flags, 0);
+ assert_int_equal(nfs4_ace->who.uid, 1000);
+ assert_int_equal(nfs4_ace->aceFlags,
+ SMB_ACE4_FILE_INHERIT_ACE);
+ assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+
+ nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
+ assert_non_null(nfs4_ace_container);
+ assert_null(smb_next_ace4(nfs4_ace_container));
+
+ nfs4_ace = smb_get_ace4(nfs4_ace_container);
+ assert_int_equal(nfs4_ace->flags, 0);
+ assert_int_equal(nfs4_ace->who.uid, 1000);
+ assert_int_equal(nfs4_ace->aceFlags,
+ SMB_ACE4_FILE_INHERIT_ACE);
+ assert_int_equal(nfs4_ace->aceMask,
+ SMB_ACE4_WRITE_DATA);
+ break;
+
+ case e_reject:
+ assert_null(nfs4_acl);
+ assert_int_equal(errno, EINVAL);
+ break;
+
+ case e_ignore:
+ assert_non_null(nfs4_acl);
+ assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
+ SEC_DESC_SELF_RELATIVE);
+ assert_int_equal(smb_get_naces(nfs4_acl), 1);
+
+ nfs4_ace_container = smb_first_ace4(nfs4_acl);
+ assert_non_null(nfs4_ace_container);
+ assert_null(smb_next_ace4(nfs4_ace_container));
+
+ nfs4_ace = smb_get_ace4(nfs4_ace_container);
+ assert_int_equal(nfs4_ace->flags, 0);
+ assert_int_equal(nfs4_ace->who.uid, 1000);
+ assert_int_equal(nfs4_ace->aceFlags,
+ SMB_ACE4_FILE_INHERIT_ACE);
+ assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+ break;
+
+ case e_merge:
+ assert_non_null(nfs4_acl);
+ assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
+ SEC_DESC_SELF_RELATIVE);
+ assert_int_equal(smb_get_naces(nfs4_acl), 1);
+
+ nfs4_ace_container = smb_first_ace4(nfs4_acl);
+ assert_non_null(nfs4_ace_container);
+ assert_null(smb_next_ace4(nfs4_ace_container));
+
+ nfs4_ace = smb_get_ace4(nfs4_ace_container);
+ assert_int_equal(nfs4_ace->flags, 0);
+ assert_int_equal(nfs4_ace->who.uid, 1000);
+ assert_int_equal(nfs4_ace->aceFlags,
+ SMB_ACE4_FILE_INHERIT_ACE);
+ assert_int_equal(nfs4_ace->aceMask,
+ SMB_ACE4_READ_DATA|
+ SMB_ACE4_WRITE_DATA);
+ break;
+
+ default:
+ fail_msg("Unexpected value for acedup: %d\n",
+ params.acedup);
+ };
+ }
+
+ TALLOC_FREE(frame);
+}
+
 int main(int argc, char **argv)
 {
 const struct CMUnitTest tests[] = {
@@ -1192,6 +1315,7 @@ int main(int argc, char **argv)
 cmocka_unit_test(test_dacl_creator_to_nfs4),
 cmocka_unit_test(test_nfs4_to_dacl_creator),
 cmocka_unit_test(test_full_control_nfs4_to_dacl),
+ cmocka_unit_test(test_dacl_to_nfs4_acedup_settings),
 };
 
 cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
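Review bot: The `e_reject` branch asserts `errno == EINVAL`, but nothing clears errno before `smbacl4_win2nfs4()` is called, so a stale EINVAL from any earlier call would let the check pass even if the reject path stopped setting it. Adding `errno = 0;` immediately before the call in each loop iteration makes the assertion meaningful. Both input ACEs are ALLOW entries with the same SID and inherit flag, so the test does not show whether entries that differ in ACE type or flags are kept separate under `e_merge` and `e_ignore`. Since collapsing such entries would change effective access, a second case with an ALLOW/DENY pair for one SID would pin that down; how the mapping code treats that pair is not visible in this hunk. Minor style: `int i` is compared against `ARRAY_SIZE(acedup_settings)`, where `size_t i` avoids a signed/unsigned comparison, and the file-local `acedup_settings[]` table could be declared `static const`.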