From: Douglas Bagnall Date: Thu, 16 Nov 2023 22:30:03 +0000 (+1300) Subject: libcli/security: test_run_conditional_ace tests more comparisons X-Git-Tag: talloc-2.4.2~523 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da077b8486251de97e4920dbdd481e7f8d0e4428;p=thirdparty%2Fsamba.git libcli/security: test_run_conditional_ace tests more comparisons Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/tests/test_run_conditional_ace.c b/libcli/security/tests/test_run_conditional_ace.c
index 33d31459329..dc02e338594 100644
--- a/libcli/security/tests/test_run_conditional_ace.c
+++ b/libcli/security/tests/test_run_conditional_ace.c
@@ -247,7 +247,16 @@ static void test_composite_different_order_with_dupes(void **state)
 INIT()
 SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\", \"orange\"}))");
 USER_SIDS("WD", "AA");
- DEVICE_CLAIMS("colour", "{\"blue\", \"orange\", \"blue\"}");
+ DEVICE_CLAIMS("colour", "{\"orange\", \"blue\", \"orange\"}");
+ DENY_CHECK(0x10);
+}
+
+static void test_composite_different_order_with_dupes_in_composite(void **state)
+{
+ INIT()
+ SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\", \"orange\"}))");
+ USER_SIDS("WD", "AA");
+ DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
 ALLOW_CHECK(0x10);
 }
 
@@ -257,6 +266,15 @@ static void test_composite_different_order_with_SID_dupes(void **state)
 SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), SID(WD)}))");
 USER_SIDS("WD", "AA");
 DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
+ DENY_CHECK(0x10);
+}
+
+static void test_composite_different_order_with_SID_dupes_in_composite(void **state)
+{
+ INIT()
+ SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), SID(WD)}))");
+ USER_SIDS("WD", "AA");
+ DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
 ALLOW_CHECK(0x10);
 }
 
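Review bot: test_composite_different_order_with_dupes now passes a claim that is token-for-token the same as the composite literal and still expects DENY_CHECK, yet nothing in the test says why, and the "different_order" part of the name no longer describes it. Judging by the new _in_composite variant, the denial appears to hinge on the claim itself carrying a duplicate value; a short comment would record that, e.g. `/* the claim contains a duplicate value, so the comparison must not succeed */`. The same applies to test_composite_different_order_with_SID_dupes in the next hunk. Both tests are also added to selftest/knownfail.d/run_conditional_ace, which suggests the evaluator currently grants access in these cases; saying so in the comment or the commit message would help anyone triaging the known failure.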
@@ -269,7 +287,34 @@ static void test_composite_mixed_types(void **state)
 INIT()
 SD("D:(XA;;0x1f;;;AA;(@Device.colour == {2, SID(WD), SID(AA), SID(WD)}))");
 USER_SIDS("WD", "AA");
- DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
+ DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
+ DENY_CHECK(0x10);
+}
+
+static void test_composite_mixed_types_different_last(void **state)
+{
+ /*
+ * If the conditional ACE composite has mixed types, it can
+ * never equal a claim, which only has one type.
+ */
+ INIT()
+ SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), 2}))");
+ USER_SIDS("WD", "AA");
+ DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
+ DENY_CHECK(0x10);
+}
+
+static void test_composite_mixed_types_deny(void **state)
+{
+ /*
+ * If the conditional ACE composite has mixed types, it can
+ * never equal a claim, which only has one type.
+ */
+ INIT()
+ SD("D:(XD;;0x1f;;;AA;(@Device.colour == {2, SID(WD), SID(AA), SID(WD)}))"
+ "(D;;;;;WD)");
+ USER_SIDS("WD", "AA");
+ DEVICE_CLAIMS("colour", "{SID(AA), SID(WD)}");
 DENY_CHECK(0x10);
 }
 
@@ -625,7 +670,10 @@ int main(_UNUSED_ int argc, _UNUSED_ const char **argv)
 cmocka_unit_test(test_user_attr_any_of_missing_resource_attr),
 cmocka_unit_test(test_user_attr_any_of_missing_user_attr),
 cmocka_unit_test(test_composite_mixed_types),
+ cmocka_unit_test(test_composite_mixed_types_different_last),
+ cmocka_unit_test(test_composite_mixed_types_deny),
 cmocka_unit_test(test_composite_different_order_with_SID_dupes),
+ cmocka_unit_test(test_composite_different_order_with_SID_dupes_in_composite),
 cmocka_unit_test(test_device_claim_eq_resource_claim_2),
 cmocka_unit_test(test_not_Not_Any_of_1),
 cmocka_unit_test(test_not_any_of_composite_1),
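Review bot: In test_composite_mixed_types_deny the DACL holds only the conditional deny ACE and `(D;;;;;WD)`, a deny ACE with an empty rights mask, so as far as the visible SDDL goes nothing grants 0x10 and DENY_CHECK(0x10) would hold whichever way the XD condition evaluates. Following the XD ACE with an allow ACE instead, for example `"(A;;0x1f;;;WD)");`, would make the result depend on whether the deny ACE applied; the expected check then has to be chosen from the intended semantics of a failed comparison inside a deny ACE. The comment is copied unchanged from test_composite_mixed_types_different_last and could say what the deny variant is meant to show.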
@@ -661,6 +709,7 @@ int main(_UNUSED_ int argc, _UNUSED_ const char **argv)
 cmocka_unit_test(test_composite_different_order),
 cmocka_unit_test(test_different_case),
 cmocka_unit_test(test_composite_different_order_with_dupes),
+ cmocka_unit_test(test_composite_different_order_with_dupes_in_composite),
 cmocka_unit_test(test_more_values_not_equal),
 };
 if (isatty(1)) {
diff --git a/selftest/knownfail.d/run_conditional_ace b/selftest/knownfail.d/run_conditional_ace
new file mode 100644
index 00000000000..4527c8299cf
--- /dev/null
+++ b/selftest/knownfail.d/run_conditional_ace
@@ -0,0 +1,2 @@
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes$
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes$