From e8f8c4c8257025ea639e31b04d1deaebb34e029e Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Tue, 2 Jul 2019 11:55:59 -0700
Subject: [PATCH] test_nfs4_acls: Add test for mapping CREATOR entries to NFS4
 ACL entries

Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP
with inheritance flag in the security descriptor to NFSv4 "special
owner" and "special group" entries. This is the correct mapping for
these entries as inheriting "special owner" and "special group" grants
permissions to the actual owner and owning group of the new file or
directory, similar to what CREATOR entries do.

The other side is that CREATOR entries without any inheritance flags do
not make sense, so these are not mapped to NFSv4 ACL entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bfcc19b705f83bdd5cf665fd4daf43e7eae997a9)
---
 source3/modules/test_nfs4_acls.c | 108 +++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)

diff --git a/source3/modules/test_nfs4_acls.c b/source3/modules/test_nfs4_acls.c
index 46119f83dc4..dcdcb89823f 100644
--- a/source3/modules/test_nfs4_acls.c
+++ b/source3/modules/test_nfs4_acls.c
@@ -866,6 +866,113 @@ static void test_dacl_to_special_nfs4(void **state)
 	TALLOC_FREE(frame);
 }
 
+struct creator_ace_flags {
+	uint32_t dacl_flags;
+	uint32_t nfs4_flags;
+} creator_ace_flags[] = {
+	{ 0,					0 },
+
+	{ SEC_ACE_FLAG_INHERIT_ONLY,		0 },
+
+	{ SEC_ACE_FLAG_CONTAINER_INHERIT,	SMB_ACE4_DIRECTORY_INHERIT_ACE|
+						SMB_ACE4_INHERIT_ONLY_ACE },
+
+	{ SEC_ACE_FLAG_CONTAINER_INHERIT|
+	  SEC_ACE_FLAG_INHERIT_ONLY,		SMB_ACE4_DIRECTORY_INHERIT_ACE|
+						SMB_ACE4_INHERIT_ONLY_ACE },
+
+	{ SEC_ACE_FLAG_OBJECT_INHERIT,		SMB_ACE4_FILE_INHERIT_ACE|
+						SMB_ACE4_INHERIT_ONLY_ACE },
+	{ SEC_ACE_FLAG_OBJECT_INHERIT|
+	  SEC_ACE_FLAG_INHERIT_ONLY,		SMB_ACE4_FILE_INHERIT_ACE|
+						SMB_ACE4_INHERIT_ONLY_ACE },
+
+	{ SEC_ACE_FLAG_CONTAINER_INHERIT|
+	  SEC_ACE_FLAG_OBJECT_INHERIT,		SMB_ACE4_DIRECTORY_INHERIT_ACE|
+						SMB_ACE4_FILE_INHERIT_ACE|
+						SMB_ACE4_INHERIT_ONLY_ACE },
+
+	{ SEC_ACE_FLAG_CONTAINER_INHERIT|
+	  SEC_ACE_FLAG_OBJECT_INHERIT|
+	  SEC_ACE_FLAG_INHERIT_ONLY,		SMB_ACE4_DIRECTORY_INHERIT_ACE|
+						SMB_ACE4_FILE_INHERIT_ACE|
+						SMB_ACE4_INHERIT_ONLY_ACE },
+};
+
+static void test_dacl_creator_to_nfs4(void **state)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(creator_ace_flags); i++) {
+		struct SMB4ACL_T *nfs4_acl;
+		struct SMB4ACE_T *nfs4_ace_container;
+		SMB_ACE4PROP_T *nfs4_ace;
+		struct security_ace dacl_aces[2];
+		struct security_acl *dacl;
+		struct smbacl4_vfs_params params = {
+			.mode = e_simple,
+			.do_chown = true,
+			.acedup = e_merge,
+			.map_full_control = true,
+		};
+
+		init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
+			     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
+			     creator_ace_flags[i].dacl_flags);
+		init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
+			     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
+			     creator_ace_flags[i].dacl_flags);
+		dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
+				    ARRAY_SIZE(dacl_aces), dacl_aces);
+		assert_non_null(dacl);
+
+		nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
+					    101, 102);
+
+		assert_non_null(nfs4_acl);
+		assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
+				 SEC_DESC_SELF_RELATIVE);
+
+		if (creator_ace_flags[i].nfs4_flags == 0) {
+			/*
+			 * CREATOR OWNER and CREATOR GROUP not mapped
+			 * in thise case.
+			 */
+			assert_null(smb_first_ace4(nfs4_acl));
+		} else {
+			assert_int_equal(smb_get_naces(nfs4_acl), 2);
+
+			nfs4_ace_container = smb_first_ace4(nfs4_acl);
+			assert_non_null(nfs4_ace_container);
+
+			nfs4_ace = smb_get_ace4(nfs4_ace_container);
+			assert_non_null(nfs4_ace);
+			assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
+			assert_int_equal(nfs4_ace->who.special_id,
+					 SMB_ACE4_WHO_OWNER);
+			assert_int_equal(nfs4_ace->aceFlags,
+					 creator_ace_flags[i].nfs4_flags);
+			assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+
+			nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
+			assert_non_null(nfs4_ace_container);
+			assert_null(smb_next_ace4(nfs4_ace_container));
+
+			nfs4_ace = smb_get_ace4(nfs4_ace_container);
+			assert_non_null(nfs4_ace);
+			assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
+			assert_int_equal(nfs4_ace->who.special_id,
+					 SMB_ACE4_WHO_GROUP);
+			assert_int_equal(nfs4_ace->aceFlags,
+					 creator_ace_flags[i].nfs4_flags);
+			assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+		}
+	}
+
+	TALLOC_FREE(frame);
+}
+
 int main(int argc, char **argv)
 {
 	const struct CMUnitTest tests[] = {
@@ -880,6 +987,7 @@ int main(int argc, char **argv)
 		cmocka_unit_test(test_dacl_permissions_to_nfs4),
 		cmocka_unit_test(test_special_nfs4_to_dacl),
 		cmocka_unit_test(test_dacl_to_special_nfs4),
+		cmocka_unit_test(test_dacl_creator_to_nfs4),
 	};
 
 	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
-- 
2.47.2