2 * Unix SMB/CIFS implementation.
4 * Unit test for NFS4 ACL handling
6 * Copyright (C) Christof Schmitt 2019
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "nfs4_acls.c"
23 #include "librpc/gen_ndr/idmap.h"
24 #include "idmap_cache.h"
29 struct unixid unix_id;
31 { "S-1-5-2-123-456-789-100", { 1000, ID_TYPE_UID }},
32 { "S-1-5-2-123-456-789-101", { 1001, ID_TYPE_GID }},
33 { "S-1-5-2-123-456-789-102", { 1002, ID_TYPE_BOTH }},
34 { SID_CREATOR_OWNER, { 1003, ID_TYPE_UID }},
35 { SID_CREATOR_GROUP, { 1004, ID_TYPE_GID }},
36 { "S-1-5-2-123-456-789-103", { 1000, ID_TYPE_GID }},
37 { "S-1-5-2-123-456-789-104", { 1005, ID_TYPE_BOTH }},
38 { "S-1-5-2-123-456-789-105", { 1006, ID_TYPE_BOTH }},
39 { "S-1-5-2-123-456-789-106", { 1007, ID_TYPE_BOTH }},
42 static int group_setup(void **state)
44 struct dom_sid *sids = NULL;
47 sids = talloc_array(NULL, struct dom_sid, ARRAY_SIZE(test_sids));
48 assert_non_null(sids);
50 for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
51 assert_true(dom_sid_parse(test_sids[i].sid_str, &sids[i]));
52 idmap_cache_set_sid2unixid(&sids[i], &test_sids[i].unix_id);
61 static int group_teardown(void **state)
63 struct dom_sid *sids = *state;
66 for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
67 assert_true(idmap_cache_del_sid(&sids[i]));
77 * Run this as first test to verify that the id mappings used by other
78 * tests are available in the cache.
80 static void test_cached_id_mappings(void **state)
82 struct dom_sid *sids = *state;
85 for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
86 struct dom_sid *sid = &sids[i];
87 struct unixid *unix_id = &test_sids[i].unix_id;
91 switch(unix_id->type) {
93 assert_true(sid_to_uid(sid, &uid));
94 assert_int_equal(uid, unix_id->id);
95 assert_false(sid_to_gid(sid, &gid));
98 assert_false(sid_to_uid(sid, &uid));
99 assert_true(sid_to_gid(sid, &gid));
100 assert_int_equal(gid, unix_id->id);
103 assert_true(sid_to_uid(sid, &uid));
104 assert_int_equal(uid, unix_id->id);
105 assert_true(sid_to_gid(sid, &gid));
106 assert_int_equal(gid, unix_id->id);
109 fail_msg("Unknown id type %d\n", unix_id->type);
115 static void test_empty_nfs4_to_dacl(void **state)
117 struct dom_sid *sids = *state;
118 TALLOC_CTX *frame = talloc_stackframe();
119 struct SMB4ACL_T *nfs4_acl;
120 struct security_ace *dacl_aces;
122 struct smbacl4_vfs_params params = {
126 .map_full_control = true,
129 nfs4_acl = smb_create_smb4acl(frame);
130 assert_non_null(nfs4_acl);
132 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
133 &sids[0], &sids[1], false,
134 &dacl_aces, &good_aces));
136 assert_int_equal(good_aces, 0);
137 assert_null(dacl_aces);
142 static void test_empty_dacl_to_nfs4(void **state)
144 TALLOC_CTX *frame = talloc_stackframe();
145 struct SMB4ACL_T *nfs4_acl;
146 struct security_acl *dacl;
147 struct smbacl4_vfs_params params = {
151 .map_full_control = true,
154 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS, 0, NULL);
155 assert_non_null(dacl);
157 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms, 1001, 1002);
159 assert_non_null(nfs4_acl);
160 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
161 SEC_DESC_SELF_RELATIVE);
162 assert_int_equal(smb_get_naces(nfs4_acl), 0);
163 assert_null(smb_first_ace4(nfs4_acl));
166 struct ace_dacl_type_mapping {
168 enum security_ace_type dacl_type;
169 } ace_dacl_type_mapping[] = {
170 { SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_ALLOWED },
171 { SMB_ACE4_ACCESS_DENIED_ACE_TYPE, SEC_ACE_TYPE_ACCESS_DENIED },
174 static void test_acl_type_nfs4_to_dacl(void **state)
176 struct dom_sid *sids = *state;
177 TALLOC_CTX *frame = talloc_stackframe();
180 for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
181 struct SMB4ACL_T *nfs4_acl;
182 SMB_ACE4PROP_T nfs4_ace;
183 struct security_ace *dacl_aces;
185 struct smbacl4_vfs_params params = {
189 .map_full_control = true,
192 nfs4_acl = smb_create_smb4acl(frame);
193 assert_non_null(nfs4_acl);
195 nfs4_ace = (SMB_ACE4PROP_T) {
198 .aceType = ace_dacl_type_mapping[i].nfs4_type,
200 .aceMask = SMB_ACE4_READ_DATA,
202 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
204 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
205 &sids[2], &sids[3], false,
206 &dacl_aces, &good_aces));
208 assert_int_equal(good_aces, 1);
209 assert_non_null(dacl_aces);
211 assert_int_equal(dacl_aces[0].type,
212 ace_dacl_type_mapping[i].dacl_type);
213 assert_int_equal(dacl_aces[0].flags, 0);
214 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
215 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
221 static void test_acl_type_dacl_to_nfs4(void **state)
223 struct dom_sid *sids = *state;
224 TALLOC_CTX *frame = talloc_stackframe();
227 for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
228 struct SMB4ACL_T *nfs4_acl;
229 struct SMB4ACE_T *nfs4_ace_container;
230 SMB_ACE4PROP_T *nfs4_ace;
231 struct security_ace dacl_aces[1];
232 struct security_acl *dacl;
233 struct smbacl4_vfs_params params = {
237 .map_full_control = true,
240 init_sec_ace(&dacl_aces[0], &sids[0],
241 ace_dacl_type_mapping[i].dacl_type,
242 SEC_FILE_READ_DATA, 0);
243 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
244 ARRAY_SIZE(dacl_aces), dacl_aces);
245 assert_non_null(dacl);
247 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms,
250 assert_non_null(nfs4_acl);
251 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
252 SEC_DESC_SELF_RELATIVE);
253 assert_int_equal(smb_get_naces(nfs4_acl), 1);
255 nfs4_ace_container = smb_first_ace4(nfs4_acl);
256 assert_non_null(nfs4_ace_container);
257 assert_null(smb_next_ace4(nfs4_ace_container));
259 nfs4_ace = smb_get_ace4(nfs4_ace_container);
260 assert_int_equal(nfs4_ace->flags, 0);
261 assert_int_equal(nfs4_ace->who.uid, 1000);
262 assert_int_equal(nfs4_ace->aceFlags, 0);
263 assert_int_equal(nfs4_ace->aceType,
264 ace_dacl_type_mapping[i].nfs4_type);
265 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
271 struct ace_flag_mapping_nfs4_to_dacl {
275 } ace_flags_nfs4_to_dacl[] = {
276 { true, SMB_ACE4_FILE_INHERIT_ACE,
277 SEC_ACE_FLAG_OBJECT_INHERIT },
278 { false, SMB_ACE4_FILE_INHERIT_ACE,
280 { true, SMB_ACE4_DIRECTORY_INHERIT_ACE,
281 SEC_ACE_FLAG_CONTAINER_INHERIT },
282 { false, SMB_ACE4_DIRECTORY_INHERIT_ACE,
284 { true, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
285 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
286 { false, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
287 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
288 { true, SMB_ACE4_INHERIT_ONLY_ACE,
289 SEC_ACE_FLAG_INHERIT_ONLY },
290 { false, SMB_ACE4_INHERIT_ONLY_ACE,
291 SEC_ACE_FLAG_INHERIT_ONLY },
292 { true, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
294 { false, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
296 { true, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
298 { false, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
300 { true, SMB_ACE4_INHERITED_ACE,
301 SEC_ACE_FLAG_INHERITED_ACE },
302 { false, SMB_ACE4_INHERITED_ACE,
303 SEC_ACE_FLAG_INHERITED_ACE },
306 static void test_ace_flags_nfs4_to_dacl(void **state)
308 struct dom_sid *sids = *state;
309 TALLOC_CTX *frame = talloc_stackframe();
310 SMB_ACE4PROP_T nfs4_ace;
313 for (i = 0; i < ARRAY_SIZE(ace_flags_nfs4_to_dacl); i++) {
314 struct SMB4ACL_T *nfs4_acl;
316 struct security_ace *dacl_aces;
318 struct smbacl4_vfs_params params = {
322 .map_full_control = true,
325 nfs4_acl = smb_create_smb4acl(frame);
326 assert_non_null(nfs4_acl);
328 nfs4_ace = (SMB_ACE4PROP_T) {
331 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
332 .aceFlags = ace_flags_nfs4_to_dacl[i].nfs4_flag,
333 .aceMask = SMB_ACE4_READ_DATA,
335 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
337 is_directory = ace_flags_nfs4_to_dacl[i].is_directory;
339 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
340 &sids[2], &sids[3], is_directory,
341 &dacl_aces, &good_aces));
343 assert_int_equal(good_aces, 1);
344 assert_non_null(dacl_aces);
346 assert_int_equal(dacl_aces[0].type,
347 SEC_ACE_TYPE_ACCESS_ALLOWED);
348 assert_int_equal(dacl_aces[0].flags,
349 ace_flags_nfs4_to_dacl[i].dacl_flag);
350 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
351 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
357 struct ace_flag_mapping_dacl_to_nfs4 {
361 } ace_flags_dacl_to_nfs4[] = {
362 { true, SEC_ACE_FLAG_OBJECT_INHERIT,
363 SMB_ACE4_FILE_INHERIT_ACE },
364 { false, SEC_ACE_FLAG_OBJECT_INHERIT,
366 { true, SEC_ACE_FLAG_CONTAINER_INHERIT,
367 SMB_ACE4_DIRECTORY_INHERIT_ACE },
368 { false, SEC_ACE_FLAG_CONTAINER_INHERIT,
370 { true, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
371 SMB_ACE4_NO_PROPAGATE_INHERIT_ACE },
372 { false, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
374 { true, SEC_ACE_FLAG_INHERIT_ONLY,
375 SMB_ACE4_INHERIT_ONLY_ACE },
376 { false, SEC_ACE_FLAG_INHERIT_ONLY,
378 { true, SEC_ACE_FLAG_INHERITED_ACE,
379 SMB_ACE4_INHERITED_ACE },
380 { false, SEC_ACE_FLAG_INHERITED_ACE,
381 SMB_ACE4_INHERITED_ACE },
382 { true, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
384 { false, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
386 { true, SEC_ACE_FLAG_FAILED_ACCESS,
388 { false, SEC_ACE_FLAG_FAILED_ACCESS,
392 static void test_ace_flags_dacl_to_nfs4(void **state)
394 struct dom_sid *sids = *state;
395 TALLOC_CTX *frame = talloc_stackframe();
398 for (i = 0; i < ARRAY_SIZE(ace_flags_dacl_to_nfs4); i++) {
399 struct SMB4ACL_T *nfs4_acl;
400 struct SMB4ACE_T *nfs4_ace_container;
401 SMB_ACE4PROP_T *nfs4_ace;
403 struct security_ace dacl_aces[1];
404 struct security_acl *dacl;
405 struct smbacl4_vfs_params params = {
409 .map_full_control = true,
412 init_sec_ace(&dacl_aces[0], &sids[0],
413 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
414 ace_flags_dacl_to_nfs4[i].dacl_flag);
415 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
416 ARRAY_SIZE(dacl_aces), dacl_aces);
417 assert_non_null(dacl);
419 is_directory = ace_flags_dacl_to_nfs4[i].is_directory;
420 nfs4_acl = smbacl4_win2nfs4(frame, is_directory, dacl, ¶ms,
423 assert_non_null(nfs4_acl);
424 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
425 SEC_DESC_SELF_RELATIVE);
426 assert_int_equal(smb_get_naces(nfs4_acl), 1);
428 nfs4_ace_container = smb_first_ace4(nfs4_acl);
429 assert_non_null(nfs4_ace_container);
430 assert_null(smb_next_ace4(nfs4_ace_container));
432 nfs4_ace = smb_get_ace4(nfs4_ace_container);
433 assert_int_equal(nfs4_ace->flags, 0);
434 assert_int_equal(nfs4_ace->who.uid, 1000);
435 assert_int_equal(nfs4_ace->aceFlags,
436 ace_flags_dacl_to_nfs4[i].nfs4_flag);
437 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
443 struct ace_perm_mapping {
446 } perm_table_nfs4_to_dacl[] = {
447 { SMB_ACE4_READ_DATA, SEC_FILE_READ_DATA },
448 { SMB_ACE4_LIST_DIRECTORY, SEC_DIR_LIST },
449 { SMB_ACE4_WRITE_DATA, SEC_FILE_WRITE_DATA },
450 { SMB_ACE4_ADD_FILE, SEC_DIR_ADD_FILE },
451 { SMB_ACE4_APPEND_DATA, SEC_FILE_APPEND_DATA },
452 { SMB_ACE4_ADD_SUBDIRECTORY, SEC_DIR_ADD_SUBDIR, },
453 { SMB_ACE4_READ_NAMED_ATTRS, SEC_FILE_READ_EA },
454 { SMB_ACE4_READ_NAMED_ATTRS, SEC_DIR_READ_EA },
455 { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_FILE_WRITE_EA },
456 { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_DIR_WRITE_EA },
457 { SMB_ACE4_EXECUTE, SEC_FILE_EXECUTE },
458 { SMB_ACE4_EXECUTE, SEC_DIR_TRAVERSE },
459 { SMB_ACE4_DELETE_CHILD, SEC_DIR_DELETE_CHILD },
460 { SMB_ACE4_READ_ATTRIBUTES, SEC_FILE_READ_ATTRIBUTE },
461 { SMB_ACE4_READ_ATTRIBUTES, SEC_DIR_READ_ATTRIBUTE },
462 { SMB_ACE4_WRITE_ATTRIBUTES, SEC_FILE_WRITE_ATTRIBUTE },
463 { SMB_ACE4_WRITE_ATTRIBUTES, SEC_DIR_WRITE_ATTRIBUTE },
464 { SMB_ACE4_DELETE, SEC_STD_DELETE },
465 { SMB_ACE4_READ_ACL, SEC_STD_READ_CONTROL },
466 { SMB_ACE4_WRITE_ACL, SEC_STD_WRITE_DAC, },
467 { SMB_ACE4_WRITE_OWNER, SEC_STD_WRITE_OWNER },
468 { SMB_ACE4_SYNCHRONIZE, SEC_STD_SYNCHRONIZE },
471 static void test_nfs4_permissions_to_dacl(void **state)
473 struct dom_sid *sids = *state;
474 TALLOC_CTX *frame = talloc_stackframe();
477 for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
478 struct SMB4ACL_T *nfs4_acl;
479 SMB_ACE4PROP_T nfs4_ace;
480 struct security_ace *dacl_aces;
482 struct smbacl4_vfs_params params = {
486 .map_full_control = true,
489 nfs4_acl = smb_create_smb4acl(frame);
490 assert_non_null(nfs4_acl);
492 nfs4_ace = (SMB_ACE4PROP_T) {
495 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
497 .aceMask = perm_table_nfs4_to_dacl[i].nfs4_perm,
499 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
501 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
502 &sids[0], &sids[1], false,
503 &dacl_aces, &good_aces));
505 assert_int_equal(good_aces, 1);
506 assert_non_null(dacl_aces);
508 assert_int_equal(dacl_aces[0].type,
509 SEC_ACE_TYPE_ACCESS_ALLOWED);
510 assert_int_equal(dacl_aces[0].flags, 0);
511 assert_int_equal(dacl_aces[0].access_mask,
512 perm_table_nfs4_to_dacl[i].dacl_perm);
513 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
519 struct ace_perm_mapping_dacl_to_nfs4 {
522 } perm_table_dacl_to_nfs4[] = {
523 { SEC_FILE_READ_DATA, SMB_ACE4_READ_DATA, },
524 { SEC_DIR_LIST, SMB_ACE4_LIST_DIRECTORY, },
525 { SEC_FILE_WRITE_DATA, SMB_ACE4_WRITE_DATA, },
526 { SEC_DIR_ADD_FILE, SMB_ACE4_ADD_FILE, },
527 { SEC_FILE_APPEND_DATA, SMB_ACE4_APPEND_DATA, },
528 { SEC_DIR_ADD_SUBDIR, SMB_ACE4_ADD_SUBDIRECTORY, },
529 { SEC_FILE_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
530 { SEC_DIR_READ_EA, SMB_ACE4_READ_NAMED_ATTRS, },
531 { SEC_FILE_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
532 { SEC_DIR_WRITE_EA, SMB_ACE4_WRITE_NAMED_ATTRS, },
533 { SEC_FILE_EXECUTE, SMB_ACE4_EXECUTE, },
534 { SEC_DIR_TRAVERSE, SMB_ACE4_EXECUTE, },
535 { SEC_DIR_DELETE_CHILD, SMB_ACE4_DELETE_CHILD, },
536 { SEC_FILE_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
537 { SEC_DIR_READ_ATTRIBUTE, SMB_ACE4_READ_ATTRIBUTES, },
538 { SEC_FILE_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
539 { SEC_DIR_WRITE_ATTRIBUTE, SMB_ACE4_WRITE_ATTRIBUTES, },
540 { SEC_STD_DELETE, SMB_ACE4_DELETE, },
541 { SEC_STD_READ_CONTROL, SMB_ACE4_READ_ACL, },
542 { SEC_STD_WRITE_DAC, SMB_ACE4_WRITE_ACL, },
543 { SEC_STD_WRITE_OWNER, SMB_ACE4_WRITE_OWNER, },
544 { SEC_STD_SYNCHRONIZE, SMB_ACE4_SYNCHRONIZE, },
545 { SEC_GENERIC_READ, SMB_ACE4_READ_ACL|
547 SMB_ACE4_READ_ATTRIBUTES|
548 SMB_ACE4_READ_NAMED_ATTRS|
549 SMB_ACE4_SYNCHRONIZE },
550 { SEC_GENERIC_WRITE, SMB_ACE4_WRITE_ACL|
552 SMB_ACE4_WRITE_ATTRIBUTES|
553 SMB_ACE4_WRITE_NAMED_ATTRS|
554 SMB_ACE4_SYNCHRONIZE },
555 { SEC_GENERIC_EXECUTE, SMB_ACE4_READ_ACL|
556 SMB_ACE4_READ_ATTRIBUTES|
558 SMB_ACE4_SYNCHRONIZE },
559 { SEC_GENERIC_ALL, SMB_ACE4_DELETE|
562 SMB_ACE4_WRITE_OWNER|
563 SMB_ACE4_SYNCHRONIZE|
564 SMB_ACE4_WRITE_ATTRIBUTES|
565 SMB_ACE4_READ_ATTRIBUTES|
567 SMB_ACE4_READ_NAMED_ATTRS|
568 SMB_ACE4_WRITE_NAMED_ATTRS|
570 SMB_ACE4_APPEND_DATA|
572 SMB_ACE4_DELETE_CHILD },
575 static void test_dacl_permissions_to_nfs4(void **state)
577 struct dom_sid *sids = *state;
578 TALLOC_CTX *frame = talloc_stackframe();
581 for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
582 struct SMB4ACL_T *nfs4_acl;
583 struct SMB4ACE_T *nfs4_ace_container;
584 SMB_ACE4PROP_T *nfs4_ace;
585 struct smbacl4_vfs_params params = {
589 .map_full_control = true,
591 struct security_ace dacl_aces[1];
592 struct security_acl *dacl;
594 init_sec_ace(&dacl_aces[0], &sids[0],
595 SEC_ACE_TYPE_ACCESS_ALLOWED,
596 perm_table_dacl_to_nfs4[i].dacl_perm, 0);
597 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
598 ARRAY_SIZE(dacl_aces), dacl_aces);
599 assert_non_null(dacl);
601 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, ¶ms,
604 assert_non_null(nfs4_acl);
605 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
606 SEC_DESC_SELF_RELATIVE);
607 assert_int_equal(smb_get_naces(nfs4_acl), 1);
609 nfs4_ace_container = smb_first_ace4(nfs4_acl);
610 assert_non_null(nfs4_ace_container);
611 assert_null(smb_next_ace4(nfs4_ace_container));
613 nfs4_ace = smb_get_ace4(nfs4_ace_container);
614 assert_int_equal(nfs4_ace->flags, 0);
615 assert_int_equal(nfs4_ace->who.uid, 1000);
616 assert_int_equal(nfs4_ace->aceFlags, 0);
617 assert_int_equal(nfs4_ace->aceMask,
618 perm_table_dacl_to_nfs4[i].nfs4_perm);
625 * Create NFS4 ACL with all possible "special" entries. Verify that
626 * the ones that should be mapped to a DACL are mapped and the other
629 static void test_special_nfs4_to_dacl(void **state)
631 struct dom_sid *sids = *state;
632 TALLOC_CTX *frame = talloc_stackframe();
633 struct SMB4ACL_T *nfs4_acl;
634 SMB_ACE4PROP_T nfs4_ace;
635 struct security_ace *dacl_aces;
637 struct smbacl4_vfs_params params = {
641 .map_full_control = true,
644 nfs4_acl = smb_create_smb4acl(frame);
645 assert_non_null(nfs4_acl);
647 nfs4_ace = (SMB_ACE4PROP_T) {
648 .flags = SMB_ACE4_ID_SPECIAL,
649 .who.special_id = SMB_ACE4_WHO_OWNER,
650 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
652 .aceMask = SMB_ACE4_READ_DATA,
654 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
656 nfs4_ace = (SMB_ACE4PROP_T) {
657 .flags = SMB_ACE4_ID_SPECIAL,
658 .who.special_id = SMB_ACE4_WHO_GROUP,
659 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
661 .aceMask = SMB_ACE4_WRITE_DATA,
663 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
665 nfs4_ace = (SMB_ACE4PROP_T) {
666 .flags = SMB_ACE4_ID_SPECIAL,
667 .who.special_id = SMB_ACE4_WHO_EVERYONE,
668 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
670 .aceMask = SMB_ACE4_APPEND_DATA,
672 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
674 nfs4_ace = (SMB_ACE4PROP_T) {
675 .flags = SMB_ACE4_ID_SPECIAL,
676 .who.special_id = SMB_ACE4_WHO_INTERACTIVE,
677 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
679 .aceMask = SMB_ACE4_READ_NAMED_ATTRS,
681 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
683 nfs4_ace = (SMB_ACE4PROP_T) {
684 .flags = SMB_ACE4_ID_SPECIAL,
685 .who.special_id = SMB_ACE4_WHO_NETWORK,
686 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
688 .aceMask = SMB_ACE4_WRITE_NAMED_ATTRS,
690 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
692 nfs4_ace = (SMB_ACE4PROP_T) {
693 .flags = SMB_ACE4_ID_SPECIAL,
694 .who.special_id = SMB_ACE4_WHO_DIALUP,
695 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
697 .aceMask = SMB_ACE4_EXECUTE,
699 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
701 nfs4_ace = (SMB_ACE4PROP_T) {
702 .flags = SMB_ACE4_ID_SPECIAL,
703 .who.special_id = SMB_ACE4_WHO_BATCH,
704 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
706 .aceMask = SMB_ACE4_READ_ATTRIBUTES,
708 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
710 nfs4_ace = (SMB_ACE4PROP_T) {
711 .flags = SMB_ACE4_ID_SPECIAL,
712 .who.special_id = SMB_ACE4_WHO_ANONYMOUS,
713 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
715 .aceMask = SMB_ACE4_WRITE_ATTRIBUTES,
717 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
719 nfs4_ace = (SMB_ACE4PROP_T) {
720 .flags = SMB_ACE4_ID_SPECIAL,
721 .who.special_id = SMB_ACE4_WHO_AUTHENTICATED,
722 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
724 .aceMask = SMB_ACE4_READ_ACL,
726 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
728 nfs4_ace = (SMB_ACE4PROP_T) {
729 .flags = SMB_ACE4_ID_SPECIAL,
730 .who.special_id = SMB_ACE4_WHO_SERVICE,
731 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
733 .aceMask = SMB_ACE4_WRITE_ACL,
735 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
737 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
738 &sids[0], &sids[1], false,
739 &dacl_aces, &good_aces));
741 assert_int_equal(good_aces, 3);
742 assert_non_null(dacl_aces);
744 assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
745 assert_int_equal(dacl_aces[0].flags, 0);
746 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
747 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
749 assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
750 assert_int_equal(dacl_aces[1].flags, 0);
751 assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
752 assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
754 assert_int_equal(dacl_aces[2].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
755 assert_int_equal(dacl_aces[2].flags, 0);
756 assert_int_equal(dacl_aces[2].access_mask, SEC_FILE_APPEND_DATA);
757 assert_true(dom_sid_equal(&dacl_aces[2].trustee, &global_sid_World));
762 static void test_dacl_to_special_nfs4(void **state)
764 struct dom_sid *sids = *state;
765 TALLOC_CTX *frame = talloc_stackframe();
766 struct SMB4ACL_T *nfs4_acl;
767 struct SMB4ACE_T *nfs4_ace_container;
768 SMB_ACE4PROP_T *nfs4_ace;
769 struct security_ace dacl_aces[6];
770 struct security_acl *dacl;
771 struct smbacl4_vfs_params params = {
774 .acedup = e_dontcare,
775 .map_full_control = true,
779 * global_Sid_World is mapped to EVERYONE.
781 init_sec_ace(&dacl_aces[0], &global_sid_World,
782 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, 0);
784 * global_sid_Unix_NFS is ignored.
786 init_sec_ace(&dacl_aces[1], &global_sid_Unix_NFS,
787 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA, 0);
789 * Anything that maps to owner or owning group with inheritance flags
790 * is NOT mapped to special owner or special group.
792 init_sec_ace(&dacl_aces[2], &sids[0],
793 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
794 SEC_ACE_FLAG_OBJECT_INHERIT);
795 init_sec_ace(&dacl_aces[3], &sids[0],
796 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
797 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
798 init_sec_ace(&dacl_aces[4], &sids[1],
799 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
800 SEC_ACE_FLAG_OBJECT_INHERIT);
801 init_sec_ace(&dacl_aces[5], &sids[1],
802 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
803 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
804 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
805 ARRAY_SIZE(dacl_aces), dacl_aces);
806 assert_non_null(dacl);
808 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms, 1000, 1001);
810 assert_non_null(nfs4_acl);
811 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
812 SEC_DESC_SELF_RELATIVE);
813 assert_int_equal(smb_get_naces(nfs4_acl), 5);
815 nfs4_ace_container = smb_first_ace4(nfs4_acl);
816 assert_non_null(nfs4_ace_container);
818 nfs4_ace = smb_get_ace4(nfs4_ace_container);
819 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
820 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_EVERYONE);
821 assert_int_equal(nfs4_ace->aceFlags, 0);
822 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
824 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
825 assert_non_null(nfs4_ace_container);
827 nfs4_ace = smb_get_ace4(nfs4_ace_container);
828 assert_int_equal(nfs4_ace->flags, 0);
829 assert_int_equal(nfs4_ace->who.uid, 1000);
830 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
831 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
833 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
834 assert_non_null(nfs4_ace_container);
836 nfs4_ace = smb_get_ace4(nfs4_ace_container);
837 assert_int_equal(nfs4_ace->flags, 0);
838 assert_int_equal(nfs4_ace->who.uid, 1000);
839 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
840 SMB_ACE4_INHERIT_ONLY_ACE);
841 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
843 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
844 assert_non_null(nfs4_ace_container);
846 nfs4_ace = smb_get_ace4(nfs4_ace_container);
847 assert_int_equal(nfs4_ace->flags, 0);
848 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
849 SMB_ACE4_FILE_INHERIT_ACE);
850 assert_int_equal(nfs4_ace->who.gid, 1001);
851 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
853 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
854 assert_non_null(nfs4_ace_container);
856 nfs4_ace = smb_get_ace4(nfs4_ace_container);
857 assert_int_equal(nfs4_ace->flags, 0);
858 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
859 SMB_ACE4_DIRECTORY_INHERIT_ACE|
860 SMB_ACE4_INHERIT_ONLY_ACE);
861 assert_int_equal(nfs4_ace->who.gid, 1001);
862 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
864 assert_null(smb_next_ace4(nfs4_ace_container));
869 struct creator_ace_flags {
872 } creator_ace_flags[] = {
875 { SEC_ACE_FLAG_INHERIT_ONLY, 0 },
877 { SEC_ACE_FLAG_CONTAINER_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
878 SMB_ACE4_INHERIT_ONLY_ACE },
880 { SEC_ACE_FLAG_CONTAINER_INHERIT|
881 SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
882 SMB_ACE4_INHERIT_ONLY_ACE },
884 { SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_FILE_INHERIT_ACE|
885 SMB_ACE4_INHERIT_ONLY_ACE },
886 { SEC_ACE_FLAG_OBJECT_INHERIT|
887 SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_FILE_INHERIT_ACE|
888 SMB_ACE4_INHERIT_ONLY_ACE },
890 { SEC_ACE_FLAG_CONTAINER_INHERIT|
891 SEC_ACE_FLAG_OBJECT_INHERIT, SMB_ACE4_DIRECTORY_INHERIT_ACE|
892 SMB_ACE4_FILE_INHERIT_ACE|
893 SMB_ACE4_INHERIT_ONLY_ACE },
895 { SEC_ACE_FLAG_CONTAINER_INHERIT|
896 SEC_ACE_FLAG_OBJECT_INHERIT|
897 SEC_ACE_FLAG_INHERIT_ONLY, SMB_ACE4_DIRECTORY_INHERIT_ACE|
898 SMB_ACE4_FILE_INHERIT_ACE|
899 SMB_ACE4_INHERIT_ONLY_ACE },
902 static void test_dacl_creator_to_nfs4(void **state)
904 TALLOC_CTX *frame = talloc_stackframe();
907 for (i = 0; i < ARRAY_SIZE(creator_ace_flags); i++) {
908 struct SMB4ACL_T *nfs4_acl;
909 struct SMB4ACE_T *nfs4_ace_container;
910 SMB_ACE4PROP_T *nfs4_ace;
911 struct security_ace dacl_aces[2];
912 struct security_acl *dacl;
913 struct smbacl4_vfs_params params = {
917 .map_full_control = true,
920 init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
921 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
922 creator_ace_flags[i].dacl_flags);
923 init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
924 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
925 creator_ace_flags[i].dacl_flags);
926 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
927 ARRAY_SIZE(dacl_aces), dacl_aces);
928 assert_non_null(dacl);
930 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
933 assert_non_null(nfs4_acl);
934 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
935 SEC_DESC_SELF_RELATIVE);
937 if (creator_ace_flags[i].nfs4_flags == 0) {
939 * CREATOR OWNER and CREATOR GROUP not mapped
942 assert_null(smb_first_ace4(nfs4_acl));
944 assert_int_equal(smb_get_naces(nfs4_acl), 2);
946 nfs4_ace_container = smb_first_ace4(nfs4_acl);
947 assert_non_null(nfs4_ace_container);
949 nfs4_ace = smb_get_ace4(nfs4_ace_container);
950 assert_non_null(nfs4_ace);
951 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
952 assert_int_equal(nfs4_ace->who.special_id,
954 assert_int_equal(nfs4_ace->aceFlags,
955 creator_ace_flags[i].nfs4_flags);
956 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
958 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
959 assert_non_null(nfs4_ace_container);
960 assert_null(smb_next_ace4(nfs4_ace_container));
962 nfs4_ace = smb_get_ace4(nfs4_ace_container);
963 assert_non_null(nfs4_ace);
964 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
965 assert_int_equal(nfs4_ace->who.special_id,
967 assert_int_equal(nfs4_ace->aceFlags,
968 creator_ace_flags[i].nfs4_flags);
969 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
976 struct creator_owner_nfs4_to_dacl {
978 uint32_t nfs4_ace_flags;
979 uint32_t dacl_ace_flags;
980 } creator_owner_nfs4_to_dacl[] = {
981 { SMB_ACE4_WHO_OWNER,
982 SMB_ACE4_FILE_INHERIT_ACE,
983 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
984 { SMB_ACE4_WHO_OWNER,
985 SMB_ACE4_DIRECTORY_INHERIT_ACE,
986 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
987 { SMB_ACE4_WHO_OWNER,
988 SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
989 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
990 SEC_ACE_FLAG_INHERIT_ONLY },
991 { SMB_ACE4_WHO_GROUP,
992 SMB_ACE4_FILE_INHERIT_ACE,
993 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
994 { SMB_ACE4_WHO_GROUP,
995 SMB_ACE4_DIRECTORY_INHERIT_ACE,
996 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
997 { SMB_ACE4_WHO_GROUP,
998 SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
999 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
1000 SEC_ACE_FLAG_INHERIT_ONLY },
1003 static void test_nfs4_to_dacl_creator(void **state)
1005 struct dom_sid *sids = *state;
1006 TALLOC_CTX *frame = talloc_stackframe();
1009 for (i = 0; i < ARRAY_SIZE(creator_owner_nfs4_to_dacl); i++) {
1010 struct SMB4ACL_T *nfs4_acl;
1011 SMB_ACE4PROP_T nfs4_ace;
1012 struct security_ace *dacl_aces, *creator_dacl_ace;
1014 struct smbacl4_vfs_params params = {
1018 .map_full_control = true,
1021 nfs4_acl = smb_create_smb4acl(frame);
1022 assert_non_null(nfs4_acl);
1024 nfs4_ace = (SMB_ACE4PROP_T) {
1025 .flags = SMB_ACE4_ID_SPECIAL,
1027 = creator_owner_nfs4_to_dacl[i].special_id,
1028 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1030 = creator_owner_nfs4_to_dacl[i].nfs4_ace_flags,
1031 .aceMask = SMB_ACE4_READ_DATA,
1033 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1035 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1036 &sids[0], &sids[1], true,
1037 &dacl_aces, &good_aces));
1038 assert_non_null(dacl_aces);
1040 if (creator_owner_nfs4_to_dacl[i].nfs4_ace_flags &
1041 SMB_ACE4_INHERIT_ONLY_ACE) {
1043 * Only one ACE entry for the CREATOR ACE entry.
1045 assert_int_equal(good_aces, 1);
1046 creator_dacl_ace = &dacl_aces[0];
1049 * This creates an additional ACE entry for
1050 * the permissions on the current object.
1052 assert_int_equal(good_aces, 2);
1054 assert_int_equal(dacl_aces[0].type,
1055 SEC_ACE_TYPE_ACCESS_ALLOWED);
1056 assert_int_equal(dacl_aces[0].flags, 0);
1057 assert_int_equal(dacl_aces[0].access_mask,
1058 SEC_FILE_READ_DATA);
1060 if (creator_owner_nfs4_to_dacl[i].special_id ==
1061 SMB_ACE4_WHO_OWNER) {
1062 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1066 if (creator_owner_nfs4_to_dacl[i].special_id ==
1067 SMB_ACE4_WHO_GROUP) {
1068 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1072 creator_dacl_ace = &dacl_aces[1];
1075 assert_int_equal(creator_dacl_ace->type,
1076 SEC_ACE_TYPE_ACCESS_ALLOWED);
1077 assert_int_equal(creator_dacl_ace->flags,
1078 creator_owner_nfs4_to_dacl[i].dacl_ace_flags);
1079 assert_int_equal(creator_dacl_ace->access_mask,
1080 SEC_FILE_READ_DATA);
1081 if (creator_owner_nfs4_to_dacl[i].special_id ==
1082 SMB_ACE4_WHO_OWNER) {
1083 assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
1084 &global_sid_Creator_Owner));
1087 if (creator_owner_nfs4_to_dacl[i].special_id ==
1088 SMB_ACE4_WHO_GROUP) {
1089 assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
1090 &global_sid_Creator_Group));
1097 struct nfs4_to_dacl_map_full_control{
1100 bool delete_child_added;
1101 } nfs4_to_dacl_full_control[] = {
1102 { true, true, false },
1103 { true, false, false },
1104 { false, true, true },
1105 { false, false, false },
1108 static void test_full_control_nfs4_to_dacl(void **state)
1110 struct dom_sid *sids = *state;
1111 TALLOC_CTX *frame = talloc_stackframe();
1114 for (i = 0; i < ARRAY_SIZE(nfs4_to_dacl_full_control); i++) {
1115 struct SMB4ACL_T *nfs4_acl;
1116 SMB_ACE4PROP_T nfs4_ace;
1117 struct security_ace *dacl_aces;
1119 struct smbacl4_vfs_params params = {
1123 .map_full_control = nfs4_to_dacl_full_control[i].config,
1125 const uint32_t nfs4_ace_mask_except_deletes =
1126 SMB_ACE4_READ_DATA|SMB_ACE4_WRITE_DATA|
1127 SMB_ACE4_APPEND_DATA|SMB_ACE4_READ_NAMED_ATTRS|
1128 SMB_ACE4_WRITE_NAMED_ATTRS|SMB_ACE4_EXECUTE|
1129 SMB_ACE4_READ_ATTRIBUTES|SMB_ACE4_WRITE_ATTRIBUTES|
1130 SMB_ACE4_READ_ACL|SMB_ACE4_WRITE_ACL|
1131 SMB_ACE4_WRITE_OWNER|SMB_ACE4_SYNCHRONIZE;
1132 const uint32_t dacl_ace_mask_except_deletes =
1133 SEC_FILE_READ_DATA|SEC_FILE_WRITE_DATA|
1134 SEC_FILE_APPEND_DATA|SEC_FILE_READ_EA|
1135 SEC_FILE_WRITE_EA|SEC_FILE_EXECUTE|
1136 SEC_FILE_READ_ATTRIBUTE|SEC_FILE_WRITE_ATTRIBUTE|
1137 SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|
1138 SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE;
1140 nfs4_acl = smb_create_smb4acl(frame);
1141 assert_non_null(nfs4_acl);
1143 nfs4_ace = (SMB_ACE4PROP_T) {
1146 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1148 .aceMask = nfs4_ace_mask_except_deletes,
1150 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1153 smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1155 nfs4_to_dacl_full_control[i].is_dir,
1156 &dacl_aces, &good_aces));
1158 assert_int_equal(good_aces, 1);
1159 assert_non_null(dacl_aces);
1161 assert_int_equal(dacl_aces[0].type,
1162 SEC_ACE_TYPE_ACCESS_ALLOWED);
1163 assert_int_equal(dacl_aces[0].flags, 0);
1164 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
1165 if (nfs4_to_dacl_full_control[i].delete_child_added) {
1166 assert_int_equal(dacl_aces[0].access_mask,
1167 dacl_ace_mask_except_deletes|
1168 SEC_DIR_DELETE_CHILD);
1170 assert_int_equal(dacl_aces[0].access_mask,
1171 dacl_ace_mask_except_deletes);
1178 struct acedup_settings {
1179 enum smbacl4_acedup_enum setting;
1180 } acedup_settings[] = {
1187 static void test_dacl_to_nfs4_acedup_settings(void **state)
1189 struct dom_sid *sids = *state;
1190 TALLOC_CTX *frame = talloc_stackframe();
1193 for (i = 0; i < ARRAY_SIZE(acedup_settings); i++) {
1194 struct SMB4ACL_T *nfs4_acl;
1195 struct SMB4ACE_T *nfs4_ace_container;
1196 SMB_ACE4PROP_T *nfs4_ace;
1197 struct security_ace dacl_aces[2];
1198 struct security_acl *dacl;
1199 struct smbacl4_vfs_params params = {
1202 .acedup = acedup_settings[i].setting,
1203 .map_full_control = true,
1206 init_sec_ace(&dacl_aces[0], &sids[0],
1207 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1208 SEC_ACE_FLAG_OBJECT_INHERIT);
1209 init_sec_ace(&dacl_aces[1], &sids[0],
1210 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1211 SEC_ACE_FLAG_OBJECT_INHERIT);
1212 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1213 ARRAY_SIZE(dacl_aces), dacl_aces);
1214 assert_non_null(dacl);
1216 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
1219 switch(params.acedup) {
1221 assert_non_null(nfs4_acl);
1222 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1223 SEC_DESC_SELF_RELATIVE);
1224 assert_int_equal(smb_get_naces(nfs4_acl), 2);
1226 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1227 assert_non_null(nfs4_ace_container);
1229 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1230 assert_int_equal(nfs4_ace->flags, 0);
1231 assert_int_equal(nfs4_ace->who.uid, 1000);
1232 assert_int_equal(nfs4_ace->aceFlags,
1233 SMB_ACE4_FILE_INHERIT_ACE);
1234 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1236 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1237 assert_non_null(nfs4_ace_container);
1238 assert_null(smb_next_ace4(nfs4_ace_container));
1240 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1241 assert_int_equal(nfs4_ace->flags, 0);
1242 assert_int_equal(nfs4_ace->who.uid, 1000);
1243 assert_int_equal(nfs4_ace->aceFlags,
1244 SMB_ACE4_FILE_INHERIT_ACE);
1245 assert_int_equal(nfs4_ace->aceMask,
1246 SMB_ACE4_WRITE_DATA);
1250 assert_null(nfs4_acl);
1251 assert_int_equal(errno, EINVAL);
1255 assert_non_null(nfs4_acl);
1256 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1257 SEC_DESC_SELF_RELATIVE);
1258 assert_int_equal(smb_get_naces(nfs4_acl), 1);
1260 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1261 assert_non_null(nfs4_ace_container);
1262 assert_null(smb_next_ace4(nfs4_ace_container));
1264 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1265 assert_int_equal(nfs4_ace->flags, 0);
1266 assert_int_equal(nfs4_ace->who.uid, 1000);
1267 assert_int_equal(nfs4_ace->aceFlags,
1268 SMB_ACE4_FILE_INHERIT_ACE);
1269 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1273 assert_non_null(nfs4_acl);
1274 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1275 SEC_DESC_SELF_RELATIVE);
1276 assert_int_equal(smb_get_naces(nfs4_acl), 1);
1278 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1279 assert_non_null(nfs4_ace_container);
1280 assert_null(smb_next_ace4(nfs4_ace_container));
1282 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1283 assert_int_equal(nfs4_ace->flags, 0);
1284 assert_int_equal(nfs4_ace->who.uid, 1000);
1285 assert_int_equal(nfs4_ace->aceFlags,
1286 SMB_ACE4_FILE_INHERIT_ACE);
1287 assert_int_equal(nfs4_ace->aceMask,
1289 SMB_ACE4_WRITE_DATA);
1293 fail_msg("Unexpected value for acedup: %d\n",
1301 struct acedup_match {
1303 enum security_ace_type type1;
1307 enum security_ace_type type2;
1311 } acedup_match[] = {
1312 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1313 SEC_ACE_FLAG_OBJECT_INHERIT,
1314 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1315 SEC_ACE_FLAG_OBJECT_INHERIT,
1317 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1318 SEC_ACE_FLAG_OBJECT_INHERIT,
1319 1, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1320 SEC_ACE_FLAG_OBJECT_INHERIT,
1322 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1323 SEC_ACE_FLAG_OBJECT_INHERIT,
1324 0, SEC_ACE_TYPE_ACCESS_DENIED, SEC_FILE_READ_DATA,
1325 SEC_ACE_FLAG_OBJECT_INHERIT,
1327 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1328 SEC_ACE_FLAG_OBJECT_INHERIT,
1329 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1330 SEC_ACE_FLAG_OBJECT_INHERIT,
1332 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1333 SEC_ACE_FLAG_OBJECT_INHERIT,
1334 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1335 SEC_ACE_FLAG_CONTAINER_INHERIT,
1337 { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1338 SEC_ACE_FLAG_OBJECT_INHERIT,
1339 5, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1340 SEC_ACE_FLAG_OBJECT_INHERIT,
1344 static void test_dacl_to_nfs4_acedup_match(void **state)
1346 struct dom_sid *sids = *state;
1347 TALLOC_CTX *frame = talloc_stackframe();
1350 for (i = 0; i < ARRAY_SIZE(acedup_match); i++) {
1351 struct SMB4ACL_T *nfs4_acl;
1352 struct SMB4ACE_T *nfs4_ace_container;
1353 SMB_ACE4PROP_T *nfs4_ace;
1354 struct security_ace dacl_aces[2];
1355 struct security_acl *dacl;
1356 struct smbacl4_vfs_params params = {
1360 .map_full_control = true,
1363 init_sec_ace(&dacl_aces[0],
1364 &sids[acedup_match[i].sid_idx1],
1365 acedup_match[i].type1,
1366 acedup_match[i].ace_mask1,
1367 acedup_match[i].flag1);
1368 init_sec_ace(&dacl_aces[1],
1369 &sids[acedup_match[i].sid_idx2],
1370 acedup_match[i].type2,
1371 acedup_match[i].ace_mask2,
1372 acedup_match[i].flag2);
1373 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1374 ARRAY_SIZE(dacl_aces), dacl_aces);
1375 assert_non_null(dacl);
1377 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
1379 assert_non_null(nfs4_acl);
1380 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1381 SEC_DESC_SELF_RELATIVE);
1383 if (acedup_match[i].match) {
1384 assert_int_equal(smb_get_naces(nfs4_acl), 1);
1386 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1387 assert_non_null(nfs4_ace_container);
1388 assert_null(smb_next_ace4(nfs4_ace_container));
1390 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1391 assert_int_equal(nfs4_ace->flags, 0);
1392 assert_int_equal(nfs4_ace->who.uid, 1000);
1393 assert_int_equal(nfs4_ace->aceFlags,
1394 SMB_ACE4_FILE_INHERIT_ACE);
1395 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1398 assert_int_equal(smb_get_naces(nfs4_acl), 2);
1400 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1401 assert_non_null(nfs4_ace_container);
1403 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1404 assert_int_equal(nfs4_ace->flags, 0);
1405 assert_int_equal(nfs4_ace->who.uid, 1000);
1406 assert_int_equal(nfs4_ace->aceFlags,
1407 SMB_ACE4_FILE_INHERIT_ACE);
1408 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1410 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1411 assert_non_null(nfs4_ace_container);
1412 assert_null(smb_next_ace4(nfs4_ace_container));
1414 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1415 assert_int_equal(nfs4_ace->flags, 0);
1422 static void test_dacl_to_nfs4_config_special(void **state)
1424 struct dom_sid *sids = *state;
1425 TALLOC_CTX *frame = talloc_stackframe();
1426 struct SMB4ACL_T *nfs4_acl;
1427 struct SMB4ACE_T *nfs4_ace_container;
1428 SMB_ACE4PROP_T *nfs4_ace;
1429 struct security_ace dacl_aces[6];
1430 struct security_acl *dacl;
1431 struct smbacl4_vfs_params params = {
1434 .acedup = e_dontcare,
1435 .map_full_control = true,
1439 * global_sid_Creator_Owner or global_sid_Special_Group is NOT mapped
1440 * to SMB_ACE4_ID_SPECIAL.
1442 init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
1443 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1444 SEC_ACE_FLAG_OBJECT_INHERIT);
1445 init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
1446 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
1447 SEC_ACE_FLAG_CONTAINER_INHERIT);
1449 * Anything that maps to owner or owning group with inheritance flags
1450 * IS mapped to special owner or special group.
1452 init_sec_ace(&dacl_aces[2], &sids[0],
1453 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1454 SEC_ACE_FLAG_OBJECT_INHERIT);
1455 init_sec_ace(&dacl_aces[3], &sids[0],
1456 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1457 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1458 init_sec_ace(&dacl_aces[4], &sids[1],
1459 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1460 SEC_ACE_FLAG_OBJECT_INHERIT);
1461 init_sec_ace(&dacl_aces[5], &sids[1],
1462 SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
1463 SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1464 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1465 ARRAY_SIZE(dacl_aces), dacl_aces);
1466 assert_non_null(dacl);
1468 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms, 1000, 1001);
1470 assert_non_null(nfs4_acl);
1471 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1472 SEC_DESC_SELF_RELATIVE);
1473 assert_int_equal(smb_get_naces(nfs4_acl), 6);
1475 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1476 assert_non_null(nfs4_ace_container);
1478 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1479 assert_int_equal(nfs4_ace->flags, 0);
1480 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
1481 assert_int_equal(nfs4_ace->who.uid, 1003);
1482 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1484 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1485 assert_non_null(nfs4_ace_container);
1487 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1488 assert_int_equal(nfs4_ace->flags, 0);
1489 assert_int_equal(nfs4_ace->aceFlags,
1490 SMB_ACE4_IDENTIFIER_GROUP|
1491 SMB_ACE4_DIRECTORY_INHERIT_ACE);
1492 assert_int_equal(nfs4_ace->who.gid, 1004);
1493 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
1495 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1496 assert_non_null(nfs4_ace_container);
1498 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1499 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1500 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
1501 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
1502 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1504 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1505 assert_non_null(nfs4_ace_container);
1507 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1508 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1509 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
1510 SMB_ACE4_INHERIT_ONLY_ACE);
1511 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
1512 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1514 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1515 assert_non_null(nfs4_ace_container);
1517 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1518 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1519 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
1520 SMB_ACE4_FILE_INHERIT_ACE);
1521 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
1522 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1524 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1525 assert_non_null(nfs4_ace_container);
1527 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1528 assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
1529 assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
1530 SMB_ACE4_DIRECTORY_INHERIT_ACE|
1531 SMB_ACE4_INHERIT_ONLY_ACE);
1532 assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
1533 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1535 assert_null(smb_next_ace4(nfs4_ace_container));
1540 static void test_nfs4_to_dacl_config_special(void **state)
1542 struct dom_sid *sids = *state;
1543 TALLOC_CTX *frame = talloc_stackframe();
1544 struct SMB4ACL_T *nfs4_acl;
1545 SMB_ACE4PROP_T nfs4_ace;
1546 struct security_ace *dacl_aces;
1548 struct smbacl4_vfs_params params = {
1551 .acedup = e_dontcare,
1552 .map_full_control = true,
1555 nfs4_acl = smb_create_smb4acl(frame);
1556 assert_non_null(nfs4_acl);
1559 * In config mode special, this is not mapped to Creator Owner
1561 nfs4_ace = (SMB_ACE4PROP_T) {
1562 .flags = SMB_ACE4_ID_SPECIAL,
1563 .who.special_id = SMB_ACE4_WHO_OWNER,
1564 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1565 .aceFlags = SMB_ACE4_FILE_INHERIT_ACE,
1566 .aceMask = SMB_ACE4_READ_DATA,
1568 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1571 * In config mode special, this is not mapped to Creator Group
1573 nfs4_ace = (SMB_ACE4PROP_T) {
1574 .flags = SMB_ACE4_ID_SPECIAL,
1575 .who.special_id = SMB_ACE4_WHO_GROUP,
1576 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1577 .aceFlags = SMB_ACE4_DIRECTORY_INHERIT_ACE,
1578 .aceMask = SMB_ACE4_WRITE_DATA,
1580 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1582 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1583 &sids[0], &sids[1], true,
1584 &dacl_aces, &good_aces));
1586 assert_int_equal(good_aces, 2);
1587 assert_non_null(dacl_aces);
1589 assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1590 assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_OBJECT_INHERIT);
1591 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
1592 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
1594 assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1595 assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_CONTAINER_INHERIT);
1596 assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
1597 assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
1602 struct nfs_to_dacl_idmap_both {
1603 uint32_t nfs4_flags;
1605 struct dom_sid *sid;
1608 static void test_nfs4_to_dacl_idmap_type_both(void **state)
1610 struct dom_sid *sids = *state;
1611 TALLOC_CTX *frame = talloc_stackframe();
1613 struct nfs_to_dacl_idmap_both nfs_to_dacl_idmap_both[] = {
1614 { 0, 1002, &sids[2] },
1615 { SMB_ACE4_IDENTIFIER_GROUP, 1002, &sids[2] },
1616 { 0, 1005, &sids[6] },
1617 { SMB_ACE4_IDENTIFIER_GROUP, 1005, &sids[6] },
1620 for (i = 0; i < ARRAY_SIZE(nfs_to_dacl_idmap_both); i++) {
1621 struct SMB4ACL_T *nfs4_acl;
1622 struct security_ace *dacl_aces;
1623 SMB_ACE4PROP_T nfs4_ace;
1625 struct smbacl4_vfs_params params = {
1629 .map_full_control = true,
1632 nfs4_acl = smb_create_smb4acl(frame);
1633 assert_non_null(nfs4_acl);
1635 nfs4_ace = (SMB_ACE4PROP_T) {
1637 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1638 .aceFlags = nfs_to_dacl_idmap_both[i].nfs4_flags,
1639 .aceMask = SMB_ACE4_READ_DATA,
1642 if (nfs_to_dacl_idmap_both[i].nfs4_flags &
1643 SMB_ACE4_IDENTIFIER_GROUP) {
1644 nfs4_ace.who.gid = nfs_to_dacl_idmap_both[i].nfs4_id;
1646 nfs4_ace.who.uid = nfs_to_dacl_idmap_both[i].nfs4_id;
1648 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1650 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1652 false, &dacl_aces, &good_aces));
1654 assert_int_equal(good_aces, 1);
1655 assert_non_null(dacl_aces);
1657 assert_int_equal(dacl_aces[0].type,
1658 SEC_ACE_TYPE_ACCESS_ALLOWED);
1659 assert_int_equal(dacl_aces[0].flags, 0);
1660 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
1661 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
1662 nfs_to_dacl_idmap_both[i].sid));
1668 struct dacl_to_nfs4_idmap_both {
1669 struct dom_sid *sid;
1670 uint32_t dacl_flags;
1671 uint32_t nfs4_flags;
1672 uint32_t nfs4_ace_flags;
1678 * IDMAP_TYPE_BOTH always creates group entries.
1680 static void test_dacl_to_nfs4_idmap_type_both(void **state)
1682 struct dom_sid *sids = *state;
1683 TALLOC_CTX *frame = talloc_stackframe();
1686 struct dacl_to_nfs4_idmap_both dacl_to_nfs4_idmap_both[] = {
1688 SMB_ACE4_ID_SPECIAL, SMB_ACE4_IDENTIFIER_GROUP, SMB_ACE4_WHO_GROUP,
1690 { &sids[2], SEC_ACE_FLAG_OBJECT_INHERIT,
1691 0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1002,
1694 0, SMB_ACE4_IDENTIFIER_GROUP, 1005,
1696 { &sids[6], SEC_ACE_FLAG_OBJECT_INHERIT,
1697 0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1005,
1701 for (i = 0; i < ARRAY_SIZE(dacl_to_nfs4_idmap_both); i++) {
1702 struct SMB4ACL_T *nfs4_acl;
1703 struct SMB4ACE_T *nfs4_ace_container;
1704 SMB_ACE4PROP_T *nfs4_ace;
1705 struct security_ace dacl_aces[1];
1706 struct security_acl *dacl;
1707 struct smbacl4_vfs_params params = {
1711 .map_full_control = true,
1714 init_sec_ace(&dacl_aces[0], dacl_to_nfs4_idmap_both[i].sid,
1715 SEC_ACE_TYPE_ACCESS_ALLOWED,
1717 dacl_to_nfs4_idmap_both[i].dacl_flags);
1718 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
1719 ARRAY_SIZE(dacl_aces), dacl_aces);
1720 assert_non_null(dacl);
1722 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, ¶ms,
1725 assert_non_null(nfs4_acl);
1726 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
1727 SEC_DESC_SELF_RELATIVE);
1728 assert_int_equal(smb_get_naces(nfs4_acl),
1729 dacl_to_nfs4_idmap_both[i].num_nfs4_aces);
1731 nfs4_ace_container = smb_first_ace4(nfs4_acl);
1732 assert_non_null(nfs4_ace_container);
1734 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1735 assert_int_equal(nfs4_ace->flags,
1736 dacl_to_nfs4_idmap_both[i].nfs4_flags);
1737 assert_int_equal(nfs4_ace->aceFlags,
1738 dacl_to_nfs4_idmap_both[i].nfs4_ace_flags);
1739 if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
1740 assert_int_equal(nfs4_ace->who.special_id,
1741 dacl_to_nfs4_idmap_both[i].nfs4_id);
1742 } else if (nfs4_ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) {
1743 assert_int_equal(nfs4_ace->who.gid,
1744 dacl_to_nfs4_idmap_both[i].nfs4_id);
1746 assert_int_equal(nfs4_ace->who.uid,
1747 dacl_to_nfs4_idmap_both[i].nfs4_id);
1749 assert_int_equal(nfs4_ace->aceType,
1750 SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
1751 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1753 if (dacl_to_nfs4_idmap_both[i].num_nfs4_aces == 2) {
1754 nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
1755 assert_non_null(nfs4_ace_container);
1757 nfs4_ace = smb_get_ace4(nfs4_ace_container);
1758 assert_int_equal(nfs4_ace->flags,
1759 dacl_to_nfs4_idmap_both[i].nfs4_flags);
1760 assert_int_equal(nfs4_ace->aceFlags,
1761 dacl_to_nfs4_idmap_both[i].nfs4_ace_flags &
1762 ~SMB_ACE4_IDENTIFIER_GROUP);
1763 if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
1764 assert_int_equal(nfs4_ace->who.special_id,
1765 SMB_ACE4_WHO_OWNER);
1767 assert_int_equal(nfs4_ace->who.uid,
1768 dacl_to_nfs4_idmap_both[i].nfs4_id);
1770 assert_int_equal(nfs4_ace->aceType,
1771 SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
1772 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
1779 static void test_nfs4_to_dacl_remove_duplicate(void **state)
1782 struct dom_sid *sids = *state;
1783 TALLOC_CTX *frame = talloc_stackframe();
1784 struct SMB4ACL_T *nfs4_acl;
1785 SMB_ACE4PROP_T nfs4_ace;
1786 struct security_ace *dacl_aces;
1788 struct smbacl4_vfs_params params = {
1791 .acedup = e_dontcare,
1792 .map_full_control = true,
1795 nfs4_acl = smb_create_smb4acl(frame);
1796 assert_non_null(nfs4_acl);
1798 nfs4_ace = (SMB_ACE4PROP_T) {
1801 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1802 .aceFlags = SMB_ACE4_INHERITED_ACE,
1803 .aceMask = SMB_ACE4_WRITE_DATA,
1805 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1807 nfs4_ace = (SMB_ACE4PROP_T) {
1810 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1811 .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1812 SMB_ACE4_INHERITED_ACE,
1813 .aceMask = SMB_ACE4_WRITE_DATA,
1815 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1817 nfs4_ace = (SMB_ACE4PROP_T) {
1820 .aceType = SMB_ACE4_ACCESS_DENIED_ACE_TYPE,
1821 .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1822 SMB_ACE4_INHERITED_ACE,
1823 .aceMask = SMB_ACE4_WRITE_DATA,
1825 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1827 nfs4_ace = (SMB_ACE4PROP_T) {
1830 .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
1831 .aceFlags = SMB_ACE4_IDENTIFIER_GROUP|
1832 SMB_ACE4_INHERITED_ACE,
1833 .aceMask = SMB_ACE4_WRITE_DATA,
1835 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
1837 assert_true(smbacl4_nfs42win(frame, ¶ms, nfs4_acl,
1838 &sids[0], &sids[1], true,
1839 &dacl_aces, &good_aces));
1841 assert_int_equal(good_aces, 2);
1842 assert_non_null(dacl_aces);
1844 assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
1845 assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_INHERITED_ACE);
1846 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_WRITE_DATA);
1847 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[2]));
1849 assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_DENIED);
1850 assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_INHERITED_ACE);
1851 assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
1852 assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[2]));
1857 int main(int argc, char **argv)
1859 const struct CMUnitTest tests[] = {
1860 cmocka_unit_test(test_cached_id_mappings),
1861 cmocka_unit_test(test_empty_nfs4_to_dacl),
1862 cmocka_unit_test(test_empty_dacl_to_nfs4),
1863 cmocka_unit_test(test_acl_type_nfs4_to_dacl),
1864 cmocka_unit_test(test_acl_type_dacl_to_nfs4),
1865 cmocka_unit_test(test_ace_flags_nfs4_to_dacl),
1866 cmocka_unit_test(test_ace_flags_dacl_to_nfs4),
1867 cmocka_unit_test(test_nfs4_permissions_to_dacl),
1868 cmocka_unit_test(test_dacl_permissions_to_nfs4),
1869 cmocka_unit_test(test_special_nfs4_to_dacl),
1870 cmocka_unit_test(test_dacl_to_special_nfs4),
1871 cmocka_unit_test(test_dacl_creator_to_nfs4),
1872 cmocka_unit_test(test_nfs4_to_dacl_creator),
1873 cmocka_unit_test(test_full_control_nfs4_to_dacl),
1874 cmocka_unit_test(test_dacl_to_nfs4_acedup_settings),
1875 cmocka_unit_test(test_dacl_to_nfs4_acedup_match),
1876 cmocka_unit_test(test_dacl_to_nfs4_config_special),
1877 cmocka_unit_test(test_nfs4_to_dacl_config_special),
1878 cmocka_unit_test(test_nfs4_to_dacl_idmap_type_both),
1879 cmocka_unit_test(test_dacl_to_nfs4_idmap_type_both),
1880 cmocka_unit_test(test_nfs4_to_dacl_remove_duplicate),
1883 cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
1886 print_error("Usage: %s smb.conf\n", argv[0]);
1891 * Initialize enough of the Samba internals to have the
1892 * mappings tests work.
1894 talloc_stackframe();
1895 lp_load_global(argv[1]);
1897 return cmocka_run_group_tests(tests, group_setup, group_teardown);