From f900a6e12523a3fc28c10e5ac637ed7f4aeeaba1 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Tue, 2 Jul 2019 11:46:23 -0700
Subject: [PATCH] test_nfs4_acls: Add test for mapping of special NFS4 ACL
 entries to DACL entries

In addition to entries for users and groups, NFSv4 ACLs have the concept
of entries for "special" entries. Only the "owner", "group" and
"everyone" entries are currently used in the ACL mapping.

Add a testcase that verifies the mapping from NFSv4 "special" entries to
the DACL in the security descriptor. Verify that only "owner", "group"
and "everyone" are mapped and all other "special" entries are ignored.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f86148948c7f89307a34e31f6ddede6923149d34)
---
 source3/modules/test_nfs4_acls.c | 139 +++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)

diff --git a/source3/modules/test_nfs4_acls.c b/source3/modules/test_nfs4_acls.c
index d77eceb1b88..5b5b37adc82 100644
--- a/source3/modules/test_nfs4_acls.c
+++ b/source3/modules/test_nfs4_acls.c
@@ -621,6 +621,144 @@ static void test_dacl_permissions_to_nfs4(void **state)
 	TALLOC_FREE(frame);
 }
 
+/*
+ * Create NFS4 ACL with all possible "special" entries. Verify that
+ * the ones that should be mapped to a DACL are mapped and the other
+ * ones are ignored.
+ */
+static void test_special_nfs4_to_dacl(void **state)
+{
+	struct dom_sid *sids = *state;
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct SMB4ACL_T *nfs4_acl;
+	SMB_ACE4PROP_T nfs4_ace;
+	struct security_ace *dacl_aces;
+	int good_aces;
+	struct smbacl4_vfs_params params = {
+		.mode = e_simple,
+		.do_chown = true,
+		.acedup = e_merge,
+		.map_full_control = true,
+	};
+
+	nfs4_acl = smb_create_smb4acl(frame);
+	assert_non_null(nfs4_acl);
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_OWNER,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_READ_DATA,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_GROUP,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_WRITE_DATA,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_EVERYONE,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_APPEND_DATA,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_INTERACTIVE,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_READ_NAMED_ATTRS,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_NETWORK,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_WRITE_NAMED_ATTRS,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_DIALUP,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_EXECUTE,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_BATCH,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_READ_ATTRIBUTES,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_ANONYMOUS,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_WRITE_ATTRIBUTES,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_AUTHENTICATED,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_READ_ACL,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	nfs4_ace = (SMB_ACE4PROP_T) {
+		.flags		= SMB_ACE4_ID_SPECIAL,
+		.who.special_id = SMB_ACE4_WHO_SERVICE,
+		.aceType	= SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+		.aceFlags	= 0,
+		.aceMask	= SMB_ACE4_WRITE_ACL,
+	};
+	assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+	assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
+				     &sids[0], &sids[1], false,
+				     &dacl_aces, &good_aces));
+
+	assert_int_equal(good_aces, 3);
+	assert_non_null(dacl_aces);
+
+	assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
+	assert_int_equal(dacl_aces[0].flags, 0);
+	assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
+	assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
+
+	assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
+	assert_int_equal(dacl_aces[1].flags, 0);
+	assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
+	assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
+
+	assert_int_equal(dacl_aces[2].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
+	assert_int_equal(dacl_aces[2].flags, 0);
+	assert_int_equal(dacl_aces[2].access_mask, SEC_FILE_APPEND_DATA);
+	assert_true(dom_sid_equal(&dacl_aces[2].trustee, &global_sid_World));
+
+	TALLOC_FREE(frame);
+}
+
 int main(int argc, char **argv)
 {
 	const struct CMUnitTest tests[] = {
@@ -633,6 +771,7 @@ int main(int argc, char **argv)
 		cmocka_unit_test(test_ace_flags_dacl_to_nfs4),
 		cmocka_unit_test(test_nfs4_permissions_to_dacl),
 		cmocka_unit_test(test_dacl_permissions_to_nfs4),
+		cmocka_unit_test(test_special_nfs4_to_dacl),
 	};
 
 	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
-- 
2.47.2