LCOV - code coverage report
Current view: top level - source3/modules - test_nfs4_acls.c (source / functions) Hit Total Coverage
Test: coverage report for master 98b443d9 Lines: 769 780 98.6 %
Date: 2024-05-31 13:13:24 Functions: 24 24 100.0 %

          Line data    Source code
       1             : /*
       2             :  *  Unix SMB/CIFS implementation.
       3             :  *
       4             :  *  Unit test for NFS4 ACL handling
       5             :  *
       6             :  *  Copyright (C) Christof Schmitt 2019
       7             :  *
       8             :  *  This program is free software; you can redistribute it and/or modify
       9             :  *  it under the terms of the GNU General Public License as published by
      10             :  *  the Free Software Foundation; either version 3 of the License, or
      11             :  *  (at your option) any later version.
      12             :  *
      13             :  *  This program is distributed in the hope that it will be useful,
      14             :  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
      15             :  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      16             :  *  GNU General Public License for more details.
      17             :  *
      18             :  *  You should have received a copy of the GNU General Public License
      19             :  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
      20             :  */
      21             : 
      22             : #include "nfs4_acls.c"
      23             : #include "librpc/gen_ndr/idmap.h"
      24             : #include "idmap_cache.h"
      25             : #include <cmocka.h>
      26             : 
      27             : struct test_sids {
      28             :         const char *sid_str;
      29             :         struct unixid unix_id;
      30             : } test_sids[] = {
      31             :         { "S-1-5-2-123-456-789-100",  { 1000, ID_TYPE_UID     }},
      32             :         { "S-1-5-2-123-456-789-101",  { 1001, ID_TYPE_GID     }},
      33             :         { "S-1-5-2-123-456-789-102",  { 1002, ID_TYPE_BOTH    }},
      34             :         { SID_CREATOR_OWNER,            { 1003, ID_TYPE_UID     }},
      35             :         { SID_CREATOR_GROUP,            { 1004, ID_TYPE_GID     }},
      36             :         { "S-1-5-2-123-456-789-103",  { 1000, ID_TYPE_GID     }},
      37             :         { "S-1-5-2-123-456-789-104",  { 1005, ID_TYPE_BOTH    }},
      38             :         { "S-1-5-2-123-456-789-105",  { 1006, ID_TYPE_BOTH    }},
      39             :         { "S-1-5-2-123-456-789-106",  { 1007, ID_TYPE_BOTH    }},
      40             : };
      41             : 
      42           1 : static int group_setup(void **state)
      43             : {
      44           1 :         struct dom_sid *sids = NULL;
      45           1 :         int i;
      46             : 
      47           1 :         sids = talloc_array(NULL, struct dom_sid, ARRAY_SIZE(test_sids));
      48           1 :         assert_non_null(sids);
      49             : 
      50          11 :         for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
      51           9 :                 assert_true(dom_sid_parse(test_sids[i].sid_str, &sids[i]));
      52           9 :                 idmap_cache_set_sid2unixid(&sids[i], &test_sids[i].unix_id);
      53             :         }
      54             : 
      55           1 :         *state = sids;
      56             : 
      57           1 :         return 0;
      58             : 
      59             : }
      60             : 
      61           1 : static int group_teardown(void **state)
      62             : {
      63           1 :         struct dom_sid *sids = *state;
      64           1 :         int i;
      65             : 
      66          10 :         for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
      67           9 :                 assert_true(idmap_cache_del_sid(&sids[i]));
      68             :         }
      69             : 
      70           1 :         TALLOC_FREE(sids);
      71           1 :         *state = NULL;
      72             : 
      73           1 :         return 0;
      74             : }
      75             : 
      76             : /*
      77             :  * Run this as first test to verify that the id mappings used by other
      78             :  * tests are available in the cache.
      79             :  */
      80           1 : static void test_cached_id_mappings(void **state)
      81             : {
      82           1 :         struct dom_sid *sids = *state;
      83           1 :         int i;
      84             : 
      85          10 :         for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
      86           9 :                 struct dom_sid *sid = &sids[i];
      87           9 :                 struct unixid *unix_id = &test_sids[i].unix_id;
      88           9 :                 uid_t uid;
      89           9 :                 gid_t gid;
      90             : 
      91           9 :                 switch(unix_id->type) {
      92           2 :                 case ID_TYPE_UID:
      93           2 :                         assert_true(sid_to_uid(sid, &uid));
      94           2 :                         assert_int_equal(uid, unix_id->id);
      95           2 :                         assert_false(sid_to_gid(sid, &gid));
      96           2 :                         break;
      97           3 :                 case ID_TYPE_GID:
      98           3 :                         assert_false(sid_to_uid(sid, &uid));
      99           3 :                         assert_true(sid_to_gid(sid, &gid));
     100           3 :                         assert_int_equal(gid, unix_id->id);
     101           3 :                         break;
     102           4 :                 case ID_TYPE_BOTH:
     103           4 :                         assert_true(sid_to_uid(sid, &uid));
     104           4 :                         assert_int_equal(uid, unix_id->id);
     105           4 :                         assert_true(sid_to_gid(sid, &gid));
     106           4 :                         assert_int_equal(gid, unix_id->id);
     107           4 :                         break;
     108           0 :                 default:
     109           0 :                         fail_msg("Unknown id type %d\n", unix_id->type);
     110           0 :                         break;
     111             :                 }
     112             :         }
     113           1 : }
     114             : 
     115           1 : static void test_empty_nfs4_to_dacl(void **state)
     116             : {
     117           1 :         struct dom_sid *sids = *state;
     118           1 :         TALLOC_CTX *frame = talloc_stackframe();
     119           1 :         struct SMB4ACL_T *nfs4_acl;
     120           1 :         struct security_ace *dacl_aces;
     121           1 :         int good_aces;
     122           1 :         struct smbacl4_vfs_params params = {
     123             :                 .mode = e_simple,
     124             :                 .do_chown = true,
     125             :                 .acedup = e_merge,
     126             :                 .map_full_control = true,
     127             :         };
     128             : 
     129           1 :         nfs4_acl = smb_create_smb4acl(frame);
     130           1 :         assert_non_null(nfs4_acl);
     131             : 
     132           1 :         assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
     133             :                                      &sids[0], &sids[1], false,
     134             :                                      &dacl_aces, &good_aces));
     135             : 
     136           1 :         assert_int_equal(good_aces, 0);
     137           1 :         assert_null(dacl_aces);
     138             : 
     139           1 :         TALLOC_FREE(frame);
     140           1 : }
     141             : 
     142           1 : static void test_empty_dacl_to_nfs4(void **state)
     143             : {
     144           1 :         TALLOC_CTX *frame = talloc_stackframe();
     145           1 :         struct SMB4ACL_T *nfs4_acl;
     146           1 :         struct security_acl *dacl;
     147           1 :         struct smbacl4_vfs_params params = {
     148             :                 .mode = e_simple,
     149             :                 .do_chown = true,
     150             :                 .acedup = e_merge,
     151             :                 .map_full_control = true,
     152             :         };
     153             : 
     154           1 :         dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS, 0, NULL);
     155           1 :         assert_non_null(dacl);
     156             : 
     157           1 :         nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, &params, 1001, 1002);
     158             : 
     159           1 :         assert_non_null(nfs4_acl);
     160           1 :         assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
     161             :                          SEC_DESC_SELF_RELATIVE);
     162           1 :         assert_int_equal(smb_get_naces(nfs4_acl), 0);
     163           1 :         assert_null(smb_first_ace4(nfs4_acl));
     164           1 : }
     165             : 
     166             : struct ace_dacl_type_mapping {
     167             :         uint32_t nfs4_type;
     168             :         enum security_ace_type dacl_type;
     169             : } ace_dacl_type_mapping[] = {
     170             :         { SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,     SEC_ACE_TYPE_ACCESS_ALLOWED   },
     171             :         { SMB_ACE4_ACCESS_DENIED_ACE_TYPE,      SEC_ACE_TYPE_ACCESS_DENIED    },
     172             : };
     173             : 
     174           1 : static void test_acl_type_nfs4_to_dacl(void **state)
     175             : {
     176           1 :         struct dom_sid *sids = *state;
     177           1 :         TALLOC_CTX *frame = talloc_stackframe();
     178           1 :         int i;
     179             : 
     180           4 :         for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
     181           2 :                 struct SMB4ACL_T *nfs4_acl;
     182           2 :                 SMB_ACE4PROP_T nfs4_ace;
     183           2 :                 struct security_ace *dacl_aces;
     184           2 :                 int good_aces;
     185           2 :                 struct smbacl4_vfs_params params = {
     186             :                         .mode = e_simple,
     187             :                         .do_chown = true,
     188             :                         .acedup = e_merge,
     189             :                         .map_full_control = true,
     190             :                 };
     191             : 
     192           2 :                 nfs4_acl = smb_create_smb4acl(frame);
     193           2 :                 assert_non_null(nfs4_acl);
     194             : 
     195           2 :                 nfs4_ace = (SMB_ACE4PROP_T) {
     196             :                         .flags          = 0,
     197             :                         .who.uid        = 1000,
     198           2 :                         .aceType        = ace_dacl_type_mapping[i].nfs4_type,
     199             :                         .aceFlags       = 0,
     200             :                         .aceMask        = SMB_ACE4_READ_DATA,
     201             :                 };
     202           2 :                 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     203             : 
     204           2 :                 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
     205             :                                              &sids[2], &sids[3], false,
     206             :                                              &dacl_aces, &good_aces));
     207             : 
     208           2 :                 assert_int_equal(good_aces, 1);
     209           2 :                 assert_non_null(dacl_aces);
     210             : 
     211           2 :                 assert_int_equal(dacl_aces[0].type,
     212             :                                  ace_dacl_type_mapping[i].dacl_type);
     213           2 :                 assert_int_equal(dacl_aces[0].flags, 0);
     214           2 :                 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
     215           2 :                 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
     216             :         }
     217             : 
     218           1 :         TALLOC_FREE(frame);
     219           1 : }
     220             : 
     221           1 : static void test_acl_type_dacl_to_nfs4(void **state)
     222             : {
     223           1 :         struct dom_sid *sids = *state;
     224           1 :         TALLOC_CTX *frame = talloc_stackframe();
     225           1 :         int i;
     226             : 
     227           4 :         for (i = 0; i < ARRAY_SIZE(ace_dacl_type_mapping); i++) {
     228           2 :                 struct SMB4ACL_T *nfs4_acl;
     229           2 :                 struct SMB4ACE_T *nfs4_ace_container;
     230           2 :                 SMB_ACE4PROP_T *nfs4_ace;
     231           2 :                 struct security_ace dacl_aces[1];
     232           2 :                 struct security_acl *dacl;
     233           2 :                 struct smbacl4_vfs_params params = {
     234             :                         .mode = e_simple,
     235             :                         .do_chown = true,
     236             :                         .acedup = e_merge,
     237             :                         .map_full_control = true,
     238             :                 };
     239             : 
     240           2 :                 init_sec_ace(&dacl_aces[0], &sids[0],
     241             :                              ace_dacl_type_mapping[i].dacl_type,
     242             :                              SEC_FILE_READ_DATA, 0);
     243           2 :                 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
     244             :                                     ARRAY_SIZE(dacl_aces), dacl_aces);
     245           2 :                 assert_non_null(dacl);
     246             : 
     247           2 :                 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, &params,
     248             :                                             101, 102);
     249             : 
     250           2 :                 assert_non_null(nfs4_acl);
     251           2 :                 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
     252             :                                  SEC_DESC_SELF_RELATIVE);
     253           2 :                 assert_int_equal(smb_get_naces(nfs4_acl), 1);
     254             : 
     255           2 :                 nfs4_ace_container = smb_first_ace4(nfs4_acl);
     256           2 :                 assert_non_null(nfs4_ace_container);
     257           2 :                 assert_null(smb_next_ace4(nfs4_ace_container));
     258             : 
     259           2 :                 nfs4_ace = smb_get_ace4(nfs4_ace_container);
     260           2 :                 assert_int_equal(nfs4_ace->flags, 0);
     261           2 :                 assert_int_equal(nfs4_ace->who.uid, 1000);
     262           2 :                 assert_int_equal(nfs4_ace->aceFlags, 0);
     263           2 :                 assert_int_equal(nfs4_ace->aceType,
     264             :                                  ace_dacl_type_mapping[i].nfs4_type);
     265           2 :                 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     266             :         }
     267             : 
     268           1 :         TALLOC_FREE(frame);
     269           1 : }
     270             : 
     271             : struct ace_flag_mapping_nfs4_to_dacl {
     272             :         bool is_directory;
     273             :         uint32_t nfs4_flag;
     274             :         uint32_t dacl_flag;
     275             : } ace_flags_nfs4_to_dacl[] = {
     276             :         { true,  SMB_ACE4_FILE_INHERIT_ACE,
     277             :           SEC_ACE_FLAG_OBJECT_INHERIT },
     278             :         { false, SMB_ACE4_FILE_INHERIT_ACE,
     279             :           0 },
     280             :         { true, SMB_ACE4_DIRECTORY_INHERIT_ACE,
     281             :           SEC_ACE_FLAG_CONTAINER_INHERIT },
     282             :         { false, SMB_ACE4_DIRECTORY_INHERIT_ACE,
     283             :           0 },
     284             :         { true, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
     285             :           SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
     286             :         { false, SMB_ACE4_NO_PROPAGATE_INHERIT_ACE,
     287             :           SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
     288             :         { true, SMB_ACE4_INHERIT_ONLY_ACE,
     289             :           SEC_ACE_FLAG_INHERIT_ONLY },
     290             :         { false, SMB_ACE4_INHERIT_ONLY_ACE,
     291             :           SEC_ACE_FLAG_INHERIT_ONLY },
     292             :         { true, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
     293             :           0 },
     294             :         { false, SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG,
     295             :           0 },
     296             :         { true, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
     297             :           0 },
     298             :         { false, SMB_ACE4_FAILED_ACCESS_ACE_FLAG,
     299             :           0 },
     300             :         { true, SMB_ACE4_INHERITED_ACE,
     301             :           SEC_ACE_FLAG_INHERITED_ACE },
     302             :         { false, SMB_ACE4_INHERITED_ACE,
     303             :           SEC_ACE_FLAG_INHERITED_ACE },
     304             : };
     305             : 
     306           1 : static void test_ace_flags_nfs4_to_dacl(void **state)
     307             : {
     308           1 :         struct dom_sid *sids = *state;
     309           1 :         TALLOC_CTX *frame = talloc_stackframe();
     310           1 :         SMB_ACE4PROP_T nfs4_ace;
     311           1 :         int i;
     312             : 
     313          16 :         for (i = 0; i < ARRAY_SIZE(ace_flags_nfs4_to_dacl); i++) {
     314          14 :                 struct SMB4ACL_T *nfs4_acl;
     315          14 :                 bool is_directory;
     316          14 :                 struct security_ace *dacl_aces;
     317          14 :                 int good_aces;
     318          14 :                 struct smbacl4_vfs_params params = {
     319             :                         .mode = e_simple,
     320             :                         .do_chown = true,
     321             :                         .acedup = e_merge,
     322             :                         .map_full_control = true,
     323             :                 };
     324             : 
     325          14 :                 nfs4_acl = smb_create_smb4acl(frame);
     326          14 :                 assert_non_null(nfs4_acl);
     327             : 
     328          14 :                 nfs4_ace = (SMB_ACE4PROP_T) {
     329             :                         .flags          = 0,
     330             :                         .who.uid        = 1000,
     331             :                         .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     332          14 :                         .aceFlags       = ace_flags_nfs4_to_dacl[i].nfs4_flag,
     333             :                         .aceMask        = SMB_ACE4_READ_DATA,
     334             :                 };
     335          14 :                 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     336             : 
     337          14 :                 is_directory = ace_flags_nfs4_to_dacl[i].is_directory;
     338             : 
     339          14 :                 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
     340             :                                              &sids[2], &sids[3], is_directory,
     341             :                                              &dacl_aces, &good_aces));
     342             : 
     343          14 :                 assert_int_equal(good_aces, 1);
     344          14 :                 assert_non_null(dacl_aces);
     345             : 
     346          14 :                 assert_int_equal(dacl_aces[0].type,
     347             :                                  SEC_ACE_TYPE_ACCESS_ALLOWED);
     348          14 :                 assert_int_equal(dacl_aces[0].flags,
     349             :                                  ace_flags_nfs4_to_dacl[i].dacl_flag);
     350          14 :                 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
     351          14 :                 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
     352             :         }
     353             : 
     354           1 :         TALLOC_FREE(frame);
     355           1 : }
     356             : 
     357             : struct ace_flag_mapping_dacl_to_nfs4 {
     358             :         bool is_directory;
     359             :         uint32_t dacl_flag;
     360             :         uint32_t nfs4_flag;
     361             : } ace_flags_dacl_to_nfs4[] = {
     362             :         { true, SEC_ACE_FLAG_OBJECT_INHERIT,
     363             :           SMB_ACE4_FILE_INHERIT_ACE },
     364             :         { false, SEC_ACE_FLAG_OBJECT_INHERIT,
     365             :           0 },
     366             :         { true, SEC_ACE_FLAG_CONTAINER_INHERIT,
     367             :           SMB_ACE4_DIRECTORY_INHERIT_ACE },
     368             :         { false, SEC_ACE_FLAG_CONTAINER_INHERIT,
     369             :           0 },
     370             :         { true, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
     371             :           SMB_ACE4_NO_PROPAGATE_INHERIT_ACE },
     372             :         { false, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
     373             :           0 },
     374             :         { true, SEC_ACE_FLAG_INHERIT_ONLY,
     375             :           SMB_ACE4_INHERIT_ONLY_ACE },
     376             :         { false, SEC_ACE_FLAG_INHERIT_ONLY,
     377             :           0 },
     378             :         { true, SEC_ACE_FLAG_INHERITED_ACE,
     379             :           SMB_ACE4_INHERITED_ACE },
     380             :         { false, SEC_ACE_FLAG_INHERITED_ACE,
     381             :           SMB_ACE4_INHERITED_ACE },
     382             :         { true, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
     383             :           0 },
     384             :         { false, SEC_ACE_FLAG_SUCCESSFUL_ACCESS,
     385             :           0 },
     386             :         { true, SEC_ACE_FLAG_FAILED_ACCESS,
     387             :           0 },
     388             :         { false, SEC_ACE_FLAG_FAILED_ACCESS,
     389             :           0 },
     390             : };
     391             : 
     392           1 : static void test_ace_flags_dacl_to_nfs4(void **state)
     393             : {
     394           1 :         struct dom_sid *sids = *state;
     395           1 :         TALLOC_CTX *frame = talloc_stackframe();
     396           1 :         int i;
     397             : 
     398          16 :         for (i = 0; i < ARRAY_SIZE(ace_flags_dacl_to_nfs4); i++) {
     399          14 :                 struct SMB4ACL_T *nfs4_acl;
     400          14 :                 struct SMB4ACE_T *nfs4_ace_container;
     401          14 :                 SMB_ACE4PROP_T *nfs4_ace;
     402          14 :                 bool is_directory;
     403          14 :                 struct security_ace dacl_aces[1];
     404          14 :                 struct security_acl *dacl;
     405          14 :                 struct smbacl4_vfs_params params = {
     406             :                         .mode = e_simple,
     407             :                         .do_chown = true,
     408             :                         .acedup = e_merge,
     409             :                         .map_full_control = true,
     410             :                 };
     411             : 
     412          14 :                 init_sec_ace(&dacl_aces[0], &sids[0],
     413             :                              SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
     414          14 :                              ace_flags_dacl_to_nfs4[i].dacl_flag);
     415          14 :                 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
     416             :                                     ARRAY_SIZE(dacl_aces), dacl_aces);
     417          14 :                 assert_non_null(dacl);
     418             : 
     419          14 :                 is_directory = ace_flags_dacl_to_nfs4[i].is_directory;
     420          14 :                 nfs4_acl = smbacl4_win2nfs4(frame, is_directory, dacl, &params,
     421             :                                             101, 102);
     422             : 
     423          14 :                 assert_non_null(nfs4_acl);
     424          14 :                 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
     425             :                                  SEC_DESC_SELF_RELATIVE);
     426          14 :                 assert_int_equal(smb_get_naces(nfs4_acl), 1);
     427             : 
     428          14 :                 nfs4_ace_container = smb_first_ace4(nfs4_acl);
     429          14 :                 assert_non_null(nfs4_ace_container);
     430          14 :                 assert_null(smb_next_ace4(nfs4_ace_container));
     431             : 
     432          14 :                 nfs4_ace = smb_get_ace4(nfs4_ace_container);
     433          14 :                 assert_int_equal(nfs4_ace->flags, 0);
     434          14 :                 assert_int_equal(nfs4_ace->who.uid, 1000);
     435          14 :                 assert_int_equal(nfs4_ace->aceFlags,
     436             :                                  ace_flags_dacl_to_nfs4[i].nfs4_flag);
     437          14 :                 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     438             :         }
     439             : 
     440           1 :         TALLOC_FREE(frame);
     441           1 : }
     442             : 
     443             : struct ace_perm_mapping {
     444             :         uint32_t nfs4_perm;
     445             :         uint32_t dacl_perm;
     446             : } perm_table_nfs4_to_dacl[] = {
     447             :         { SMB_ACE4_READ_DATA,           SEC_FILE_READ_DATA              },
     448             :         { SMB_ACE4_LIST_DIRECTORY,      SEC_DIR_LIST                    },
     449             :         { SMB_ACE4_WRITE_DATA,          SEC_FILE_WRITE_DATA             },
     450             :         { SMB_ACE4_ADD_FILE,            SEC_DIR_ADD_FILE                },
     451             :         { SMB_ACE4_APPEND_DATA, SEC_FILE_APPEND_DATA            },
     452             :         { SMB_ACE4_ADD_SUBDIRECTORY,    SEC_DIR_ADD_SUBDIR,             },
     453             :         { SMB_ACE4_READ_NAMED_ATTRS,    SEC_FILE_READ_EA                },
     454             :         { SMB_ACE4_READ_NAMED_ATTRS,    SEC_DIR_READ_EA         },
     455             :         { SMB_ACE4_WRITE_NAMED_ATTRS,   SEC_FILE_WRITE_EA               },
     456             :         { SMB_ACE4_WRITE_NAMED_ATTRS,   SEC_DIR_WRITE_EA                },
     457             :         { SMB_ACE4_EXECUTE,             SEC_FILE_EXECUTE                },
     458             :         { SMB_ACE4_EXECUTE,             SEC_DIR_TRAVERSE                },
     459             :         { SMB_ACE4_DELETE_CHILD,        SEC_DIR_DELETE_CHILD            },
     460             :         { SMB_ACE4_READ_ATTRIBUTES,     SEC_FILE_READ_ATTRIBUTE },
     461             :         { SMB_ACE4_READ_ATTRIBUTES,     SEC_DIR_READ_ATTRIBUTE          },
     462             :         { SMB_ACE4_WRITE_ATTRIBUTES,    SEC_FILE_WRITE_ATTRIBUTE        },
     463             :         { SMB_ACE4_WRITE_ATTRIBUTES,    SEC_DIR_WRITE_ATTRIBUTE },
     464             :         { SMB_ACE4_DELETE,              SEC_STD_DELETE                  },
     465             :         { SMB_ACE4_READ_ACL,            SEC_STD_READ_CONTROL            },
     466             :         { SMB_ACE4_WRITE_ACL,           SEC_STD_WRITE_DAC,              },
     467             :         { SMB_ACE4_WRITE_OWNER, SEC_STD_WRITE_OWNER             },
     468             :         { SMB_ACE4_SYNCHRONIZE, SEC_STD_SYNCHRONIZE             },
     469             : };
     470             : 
     471           1 : static void test_nfs4_permissions_to_dacl(void **state)
     472             : {
     473           1 :         struct dom_sid *sids = *state;
     474           1 :         TALLOC_CTX *frame = talloc_stackframe();
     475           1 :         int i;
     476             : 
     477          24 :         for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
     478          22 :                 struct SMB4ACL_T *nfs4_acl;
     479          22 :                 SMB_ACE4PROP_T nfs4_ace;
     480          22 :                 struct security_ace *dacl_aces;
     481          22 :                 int good_aces;
     482          22 :                 struct smbacl4_vfs_params params = {
     483             :                         .mode = e_simple,
     484             :                         .do_chown = true,
     485             :                         .acedup = e_merge,
     486             :                         .map_full_control = true,
     487             :                 };
     488             : 
     489          22 :                 nfs4_acl = smb_create_smb4acl(frame);
     490          22 :                 assert_non_null(nfs4_acl);
     491             : 
     492          22 :                 nfs4_ace = (SMB_ACE4PROP_T) {
     493             :                         .flags          = 0,
     494             :                         .who.uid        = 1000,
     495             :                         .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     496             :                         .aceFlags       = 0,
     497          22 :                         .aceMask        = perm_table_nfs4_to_dacl[i].nfs4_perm,
     498             :                 };
     499          22 :                 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     500             : 
     501          22 :                 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
     502             :                                              &sids[0], &sids[1], false,
     503             :                                              &dacl_aces, &good_aces));
     504             : 
     505          22 :                 assert_int_equal(good_aces, 1);
     506          22 :                 assert_non_null(dacl_aces);
     507             : 
     508          22 :                 assert_int_equal(dacl_aces[0].type,
     509             :                                  SEC_ACE_TYPE_ACCESS_ALLOWED);
     510          22 :                 assert_int_equal(dacl_aces[0].flags, 0);
     511          22 :                 assert_int_equal(dacl_aces[0].access_mask,
     512             :                                  perm_table_nfs4_to_dacl[i].dacl_perm);
     513          22 :                 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
     514             :         }
     515             : 
     516           1 :         TALLOC_FREE(frame);
     517           1 : }
     518             : 
     519             : struct ace_perm_mapping_dacl_to_nfs4 {
     520             :         uint32_t dacl_perm;
     521             :         uint32_t nfs4_perm;
     522             : } perm_table_dacl_to_nfs4[] = {
     523             :         { SEC_FILE_READ_DATA,           SMB_ACE4_READ_DATA,             },
     524             :         { SEC_DIR_LIST,         SMB_ACE4_LIST_DIRECTORY,        },
     525             :         { SEC_FILE_WRITE_DATA,          SMB_ACE4_WRITE_DATA,            },
     526             :         { SEC_DIR_ADD_FILE,             SMB_ACE4_ADD_FILE,              },
     527             :         { SEC_FILE_APPEND_DATA, SMB_ACE4_APPEND_DATA,           },
     528             :         { SEC_DIR_ADD_SUBDIR,           SMB_ACE4_ADD_SUBDIRECTORY,      },
     529             :         { SEC_FILE_READ_EA,             SMB_ACE4_READ_NAMED_ATTRS,      },
     530             :         { SEC_DIR_READ_EA,              SMB_ACE4_READ_NAMED_ATTRS,      },
     531             :         { SEC_FILE_WRITE_EA,            SMB_ACE4_WRITE_NAMED_ATTRS,     },
     532             :         { SEC_DIR_WRITE_EA,             SMB_ACE4_WRITE_NAMED_ATTRS,     },
     533             :         { SEC_FILE_EXECUTE,             SMB_ACE4_EXECUTE,               },
     534             :         { SEC_DIR_TRAVERSE,             SMB_ACE4_EXECUTE,               },
     535             :         { SEC_DIR_DELETE_CHILD, SMB_ACE4_DELETE_CHILD,          },
     536             :         { SEC_FILE_READ_ATTRIBUTE,      SMB_ACE4_READ_ATTRIBUTES,       },
     537             :         { SEC_DIR_READ_ATTRIBUTE,       SMB_ACE4_READ_ATTRIBUTES,       },
     538             :         { SEC_FILE_WRITE_ATTRIBUTE,     SMB_ACE4_WRITE_ATTRIBUTES,      },
     539             :         { SEC_DIR_WRITE_ATTRIBUTE,      SMB_ACE4_WRITE_ATTRIBUTES,      },
     540             :         { SEC_STD_DELETE,               SMB_ACE4_DELETE,                },
     541             :         { SEC_STD_READ_CONTROL, SMB_ACE4_READ_ACL,              },
     542             :         { SEC_STD_WRITE_DAC,            SMB_ACE4_WRITE_ACL,             },
     543             :         { SEC_STD_WRITE_OWNER,          SMB_ACE4_WRITE_OWNER,           },
     544             :         { SEC_STD_SYNCHRONIZE,          SMB_ACE4_SYNCHRONIZE,           },
     545             :         { SEC_GENERIC_READ,             SMB_ACE4_READ_ACL|
     546             :                                         SMB_ACE4_READ_DATA|
     547             :                                         SMB_ACE4_READ_ATTRIBUTES|
     548             :                                         SMB_ACE4_READ_NAMED_ATTRS|
     549             :                                         SMB_ACE4_SYNCHRONIZE            },
     550             :         { SEC_GENERIC_WRITE,            SMB_ACE4_WRITE_ACL|
     551             :                                         SMB_ACE4_WRITE_DATA|
     552             :                                         SMB_ACE4_WRITE_ATTRIBUTES|
     553             :                                         SMB_ACE4_WRITE_NAMED_ATTRS|
     554             :                                         SMB_ACE4_SYNCHRONIZE            },
     555             :         { SEC_GENERIC_EXECUTE,          SMB_ACE4_READ_ACL|
     556             :                                         SMB_ACE4_READ_ATTRIBUTES|
     557             :                                         SMB_ACE4_EXECUTE|
     558             :                                         SMB_ACE4_SYNCHRONIZE            },
     559             :         { SEC_GENERIC_ALL,              SMB_ACE4_DELETE|
     560             :                                         SMB_ACE4_READ_ACL|
     561             :                                         SMB_ACE4_WRITE_ACL|
     562             :                                         SMB_ACE4_WRITE_OWNER|
     563             :                                         SMB_ACE4_SYNCHRONIZE|
     564             :                                         SMB_ACE4_WRITE_ATTRIBUTES|
     565             :                                         SMB_ACE4_READ_ATTRIBUTES|
     566             :                                         SMB_ACE4_EXECUTE|
     567             :                                         SMB_ACE4_READ_NAMED_ATTRS|
     568             :                                         SMB_ACE4_WRITE_NAMED_ATTRS|
     569             :                                         SMB_ACE4_WRITE_DATA|
     570             :                                         SMB_ACE4_APPEND_DATA|
     571             :                                         SMB_ACE4_READ_DATA|
     572             :                                         SMB_ACE4_DELETE_CHILD           },
     573             : };
     574             : 
     575           1 : static void test_dacl_permissions_to_nfs4(void **state)
     576             : {
     577           1 :         struct dom_sid *sids = *state;
     578           1 :         TALLOC_CTX *frame = talloc_stackframe();
     579           1 :         int i;
     580             : 
     581          24 :         for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
     582          22 :                 struct SMB4ACL_T *nfs4_acl;
     583          22 :                 struct SMB4ACE_T *nfs4_ace_container;
     584          22 :                 SMB_ACE4PROP_T *nfs4_ace;
     585          22 :                 struct smbacl4_vfs_params params = {
     586             :                         .mode = e_simple,
     587             :                         .do_chown = true,
     588             :                         .acedup = e_merge,
     589             :                         .map_full_control = true,
     590             :                 };
     591          22 :                 struct security_ace dacl_aces[1];
     592          22 :                 struct security_acl *dacl;
     593             : 
     594          22 :                 init_sec_ace(&dacl_aces[0], &sids[0],
     595             :                              SEC_ACE_TYPE_ACCESS_ALLOWED,
     596             :                              perm_table_dacl_to_nfs4[i].dacl_perm, 0);
     597          22 :                 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
     598             :                                     ARRAY_SIZE(dacl_aces), dacl_aces);
     599          22 :                 assert_non_null(dacl);
     600             : 
     601          22 :                 nfs4_acl = smbacl4_win2nfs4(frame, false, dacl, &params,
     602             :                                             101, 102);
     603             : 
     604          22 :                 assert_non_null(nfs4_acl);
     605          22 :                 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
     606             :                                  SEC_DESC_SELF_RELATIVE);
     607          22 :                 assert_int_equal(smb_get_naces(nfs4_acl), 1);
     608             : 
     609          22 :                 nfs4_ace_container = smb_first_ace4(nfs4_acl);
     610          22 :                 assert_non_null(nfs4_ace_container);
     611          22 :                 assert_null(smb_next_ace4(nfs4_ace_container));
     612             : 
     613          22 :                 nfs4_ace = smb_get_ace4(nfs4_ace_container);
     614          22 :                 assert_int_equal(nfs4_ace->flags, 0);
     615          22 :                 assert_int_equal(nfs4_ace->who.uid, 1000);
     616          22 :                 assert_int_equal(nfs4_ace->aceFlags, 0);
     617          22 :                 assert_int_equal(nfs4_ace->aceMask,
     618             :                                  perm_table_dacl_to_nfs4[i].nfs4_perm);
     619             :         }
     620             : 
     621           1 :         TALLOC_FREE(frame);
     622           1 : }
     623             : 
     624             : /*
     625             :  * Create NFS4 ACL with all possible "special" entries. Verify that
     626             :  * the ones that should be mapped to a DACL are mapped and the other
     627             :  * ones are ignored.
     628             :  */
     629           1 : static void test_special_nfs4_to_dacl(void **state)
     630             : {
     631           1 :         struct dom_sid *sids = *state;
     632           1 :         TALLOC_CTX *frame = talloc_stackframe();
     633           1 :         struct SMB4ACL_T *nfs4_acl;
     634           1 :         SMB_ACE4PROP_T nfs4_ace;
     635           1 :         struct security_ace *dacl_aces;
     636           1 :         int good_aces;
     637           1 :         struct smbacl4_vfs_params params = {
     638             :                 .mode = e_simple,
     639             :                 .do_chown = true,
     640             :                 .acedup = e_merge,
     641             :                 .map_full_control = true,
     642             :         };
     643             : 
     644           1 :         nfs4_acl = smb_create_smb4acl(frame);
     645           1 :         assert_non_null(nfs4_acl);
     646             : 
     647           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     648             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     649             :                 .who.special_id = SMB_ACE4_WHO_OWNER,
     650             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     651             :                 .aceFlags       = 0,
     652             :                 .aceMask        = SMB_ACE4_READ_DATA,
     653             :         };
     654           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     655             : 
     656           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     657             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     658             :                 .who.special_id = SMB_ACE4_WHO_GROUP,
     659             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     660             :                 .aceFlags       = 0,
     661             :                 .aceMask        = SMB_ACE4_WRITE_DATA,
     662             :         };
     663           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     664             : 
     665           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     666             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     667             :                 .who.special_id = SMB_ACE4_WHO_EVERYONE,
     668             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     669             :                 .aceFlags       = 0,
     670             :                 .aceMask        = SMB_ACE4_APPEND_DATA,
     671             :         };
     672           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     673             : 
     674           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     675             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     676             :                 .who.special_id = SMB_ACE4_WHO_INTERACTIVE,
     677             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     678             :                 .aceFlags       = 0,
     679             :                 .aceMask        = SMB_ACE4_READ_NAMED_ATTRS,
     680             :         };
     681           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     682             : 
     683           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     684             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     685             :                 .who.special_id = SMB_ACE4_WHO_NETWORK,
     686             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     687             :                 .aceFlags       = 0,
     688             :                 .aceMask        = SMB_ACE4_WRITE_NAMED_ATTRS,
     689             :         };
     690           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     691             : 
     692           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     693             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     694             :                 .who.special_id = SMB_ACE4_WHO_DIALUP,
     695             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     696             :                 .aceFlags       = 0,
     697             :                 .aceMask        = SMB_ACE4_EXECUTE,
     698             :         };
     699           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     700             : 
     701           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     702             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     703             :                 .who.special_id = SMB_ACE4_WHO_BATCH,
     704             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     705             :                 .aceFlags       = 0,
     706             :                 .aceMask        = SMB_ACE4_READ_ATTRIBUTES,
     707             :         };
     708           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     709             : 
     710           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     711             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     712             :                 .who.special_id = SMB_ACE4_WHO_ANONYMOUS,
     713             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     714             :                 .aceFlags       = 0,
     715             :                 .aceMask        = SMB_ACE4_WRITE_ATTRIBUTES,
     716             :         };
     717           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     718             : 
     719           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     720             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     721             :                 .who.special_id = SMB_ACE4_WHO_AUTHENTICATED,
     722             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     723             :                 .aceFlags       = 0,
     724             :                 .aceMask        = SMB_ACE4_READ_ACL,
     725             :         };
     726           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     727             : 
     728           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
     729             :                 .flags          = SMB_ACE4_ID_SPECIAL,
     730             :                 .who.special_id = SMB_ACE4_WHO_SERVICE,
     731             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
     732             :                 .aceFlags       = 0,
     733             :                 .aceMask        = SMB_ACE4_WRITE_ACL,
     734             :         };
     735           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
     736             : 
     737           1 :         assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
     738             :                                      &sids[0], &sids[1], false,
     739             :                                      &dacl_aces, &good_aces));
     740             : 
     741           1 :         assert_int_equal(good_aces, 3);
     742           1 :         assert_non_null(dacl_aces);
     743             : 
     744           1 :         assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
     745           1 :         assert_int_equal(dacl_aces[0].flags, 0);
     746           1 :         assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
     747           1 :         assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
     748             : 
     749           1 :         assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
     750           1 :         assert_int_equal(dacl_aces[1].flags, 0);
     751           1 :         assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
     752           1 :         assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
     753             : 
     754           1 :         assert_int_equal(dacl_aces[2].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
     755           1 :         assert_int_equal(dacl_aces[2].flags, 0);
     756           1 :         assert_int_equal(dacl_aces[2].access_mask, SEC_FILE_APPEND_DATA);
     757           1 :         assert_true(dom_sid_equal(&dacl_aces[2].trustee, &global_sid_World));
     758             : 
     759           1 :         TALLOC_FREE(frame);
     760           1 : }
     761             : 
     762           1 : static void test_dacl_to_special_nfs4(void **state)
     763             : {
     764           1 :         struct dom_sid *sids = *state;
     765           1 :         TALLOC_CTX *frame = talloc_stackframe();
     766           1 :         struct SMB4ACL_T *nfs4_acl;
     767           1 :         struct SMB4ACE_T *nfs4_ace_container;
     768           1 :         SMB_ACE4PROP_T *nfs4_ace;
     769           1 :         struct security_ace dacl_aces[6];
     770           1 :         struct security_acl *dacl;
     771           1 :         struct smbacl4_vfs_params params = {
     772             :                 .mode = e_simple,
     773             :                 .do_chown = true,
     774             :                 .acedup = e_dontcare,
     775             :                 .map_full_control = true,
     776             :         };
     777             : 
     778             :         /*
     779             :          * global_Sid_World is mapped to EVERYONE.
     780             :          */
     781           1 :         init_sec_ace(&dacl_aces[0], &global_sid_World,
     782             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, 0);
     783             :         /*
     784             :          * global_sid_Unix_NFS is ignored.
     785             :          */
     786           1 :         init_sec_ace(&dacl_aces[1], &global_sid_Unix_NFS,
     787             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA, 0);
     788             :         /*
     789             :          * Anything that maps to owner or owning group with inheritance flags
     790             :          * is NOT mapped to special owner or special group.
     791             :          */
     792           1 :         init_sec_ace(&dacl_aces[2], &sids[0],
     793             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
     794             :                      SEC_ACE_FLAG_OBJECT_INHERIT);
     795           1 :         init_sec_ace(&dacl_aces[3], &sids[0],
     796             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
     797             :                      SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
     798           1 :         init_sec_ace(&dacl_aces[4], &sids[1],
     799             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
     800             :                      SEC_ACE_FLAG_OBJECT_INHERIT);
     801           1 :         init_sec_ace(&dacl_aces[5], &sids[1],
     802             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
     803             :                      SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
     804           1 :         dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
     805             :                             ARRAY_SIZE(dacl_aces), dacl_aces);
     806           1 :         assert_non_null(dacl);
     807             : 
     808           1 :         nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params, 1000, 1001);
     809             : 
     810           1 :         assert_non_null(nfs4_acl);
     811           1 :         assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
     812             :                          SEC_DESC_SELF_RELATIVE);
     813           1 :         assert_int_equal(smb_get_naces(nfs4_acl), 5);
     814             : 
     815           1 :         nfs4_ace_container = smb_first_ace4(nfs4_acl);
     816           1 :         assert_non_null(nfs4_ace_container);
     817             : 
     818           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
     819           1 :         assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
     820           1 :         assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_EVERYONE);
     821           1 :         assert_int_equal(nfs4_ace->aceFlags, 0);
     822           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
     823             : 
     824           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
     825           1 :         assert_non_null(nfs4_ace_container);
     826             : 
     827           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
     828           1 :         assert_int_equal(nfs4_ace->flags, 0);
     829           1 :         assert_int_equal(nfs4_ace->who.uid, 1000);
     830           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
     831           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     832             : 
     833           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
     834           1 :         assert_non_null(nfs4_ace_container);
     835             : 
     836           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
     837           1 :         assert_int_equal(nfs4_ace->flags, 0);
     838           1 :         assert_int_equal(nfs4_ace->who.uid, 1000);
     839           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
     840             :                          SMB_ACE4_INHERIT_ONLY_ACE);
     841           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     842             : 
     843           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
     844           1 :         assert_non_null(nfs4_ace_container);
     845             : 
     846           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
     847           1 :         assert_int_equal(nfs4_ace->flags, 0);
     848           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
     849             :                          SMB_ACE4_FILE_INHERIT_ACE);
     850           1 :         assert_int_equal(nfs4_ace->who.gid, 1001);
     851           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     852             : 
     853           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
     854           1 :         assert_non_null(nfs4_ace_container);
     855             : 
     856           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
     857           1 :         assert_int_equal(nfs4_ace->flags, 0);
     858           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
     859             :                          SMB_ACE4_DIRECTORY_INHERIT_ACE|
     860             :                          SMB_ACE4_INHERIT_ONLY_ACE);
     861           1 :         assert_int_equal(nfs4_ace->who.gid, 1001);
     862           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     863             : 
     864           1 :         assert_null(smb_next_ace4(nfs4_ace_container));
     865             : 
     866           1 :         TALLOC_FREE(frame);
     867           1 : }
     868             : 
     869             : struct creator_ace_flags {
     870             :         uint32_t dacl_flags;
     871             :         uint32_t nfs4_flags;
     872             : } creator_ace_flags[] = {
     873             :         { 0,                                    0 },
     874             : 
     875             :         { SEC_ACE_FLAG_INHERIT_ONLY,            0 },
     876             : 
     877             :         { SEC_ACE_FLAG_CONTAINER_INHERIT,       SMB_ACE4_DIRECTORY_INHERIT_ACE|
     878             :                                                 SMB_ACE4_INHERIT_ONLY_ACE },
     879             : 
     880             :         { SEC_ACE_FLAG_CONTAINER_INHERIT|
     881             :           SEC_ACE_FLAG_INHERIT_ONLY,            SMB_ACE4_DIRECTORY_INHERIT_ACE|
     882             :                                                 SMB_ACE4_INHERIT_ONLY_ACE },
     883             : 
     884             :         { SEC_ACE_FLAG_OBJECT_INHERIT,          SMB_ACE4_FILE_INHERIT_ACE|
     885             :                                                 SMB_ACE4_INHERIT_ONLY_ACE },
     886             :         { SEC_ACE_FLAG_OBJECT_INHERIT|
     887             :           SEC_ACE_FLAG_INHERIT_ONLY,            SMB_ACE4_FILE_INHERIT_ACE|
     888             :                                                 SMB_ACE4_INHERIT_ONLY_ACE },
     889             : 
     890             :         { SEC_ACE_FLAG_CONTAINER_INHERIT|
     891             :           SEC_ACE_FLAG_OBJECT_INHERIT,          SMB_ACE4_DIRECTORY_INHERIT_ACE|
     892             :                                                 SMB_ACE4_FILE_INHERIT_ACE|
     893             :                                                 SMB_ACE4_INHERIT_ONLY_ACE },
     894             : 
     895             :         { SEC_ACE_FLAG_CONTAINER_INHERIT|
     896             :           SEC_ACE_FLAG_OBJECT_INHERIT|
     897             :           SEC_ACE_FLAG_INHERIT_ONLY,            SMB_ACE4_DIRECTORY_INHERIT_ACE|
     898             :                                                 SMB_ACE4_FILE_INHERIT_ACE|
     899             :                                                 SMB_ACE4_INHERIT_ONLY_ACE },
     900             : };
     901             : 
     902           1 : static void test_dacl_creator_to_nfs4(void **state)
     903             : {
     904           1 :         TALLOC_CTX *frame = talloc_stackframe();
     905           1 :         int i;
     906             : 
     907          10 :         for (i = 0; i < ARRAY_SIZE(creator_ace_flags); i++) {
     908           8 :                 struct SMB4ACL_T *nfs4_acl;
     909           8 :                 struct SMB4ACE_T *nfs4_ace_container;
     910           8 :                 SMB_ACE4PROP_T *nfs4_ace;
     911           8 :                 struct security_ace dacl_aces[2];
     912           8 :                 struct security_acl *dacl;
     913           8 :                 struct smbacl4_vfs_params params = {
     914             :                         .mode = e_simple,
     915             :                         .do_chown = true,
     916             :                         .acedup = e_merge,
     917             :                         .map_full_control = true,
     918             :                 };
     919             : 
     920           8 :                 init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
     921             :                              SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
     922           8 :                              creator_ace_flags[i].dacl_flags);
     923           8 :                 init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
     924             :                              SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
     925           8 :                              creator_ace_flags[i].dacl_flags);
     926           8 :                 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
     927             :                                     ARRAY_SIZE(dacl_aces), dacl_aces);
     928           8 :                 assert_non_null(dacl);
     929             : 
     930           8 :                 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
     931             :                                             101, 102);
     932             : 
     933           8 :                 assert_non_null(nfs4_acl);
     934           8 :                 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
     935             :                                  SEC_DESC_SELF_RELATIVE);
     936             : 
     937           8 :                 if (creator_ace_flags[i].nfs4_flags == 0) {
     938             :                         /*
     939             :                          * CREATOR OWNER and CREATOR GROUP not mapped
     940             :                          * in this case.
     941             :                          */
     942           2 :                         assert_null(smb_first_ace4(nfs4_acl));
     943             :                 } else {
     944           6 :                         assert_int_equal(smb_get_naces(nfs4_acl), 2);
     945             : 
     946           6 :                         nfs4_ace_container = smb_first_ace4(nfs4_acl);
     947           6 :                         assert_non_null(nfs4_ace_container);
     948             : 
     949           6 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
     950           6 :                         assert_non_null(nfs4_ace);
     951           6 :                         assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
     952           6 :                         assert_int_equal(nfs4_ace->who.special_id,
     953             :                                          SMB_ACE4_WHO_OWNER);
     954           6 :                         assert_int_equal(nfs4_ace->aceFlags,
     955             :                                          creator_ace_flags[i].nfs4_flags);
     956           6 :                         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     957             : 
     958           6 :                         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
     959           6 :                         assert_non_null(nfs4_ace_container);
     960           6 :                         assert_null(smb_next_ace4(nfs4_ace_container));
     961             : 
     962           6 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
     963           6 :                         assert_non_null(nfs4_ace);
     964           6 :                         assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
     965           6 :                         assert_int_equal(nfs4_ace->who.special_id,
     966             :                                          SMB_ACE4_WHO_GROUP);
     967           6 :                         assert_int_equal(nfs4_ace->aceFlags,
     968             :                                          creator_ace_flags[i].nfs4_flags);
     969           6 :                         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
     970             :                 }
     971             :         }
     972             : 
     973           1 :         TALLOC_FREE(frame);
     974           1 : }
     975             : 
     976             : struct creator_owner_nfs4_to_dacl {
     977             :         uint32_t special_id;
     978             :         uint32_t nfs4_ace_flags;
     979             :         uint32_t dacl_ace_flags;
     980             : } creator_owner_nfs4_to_dacl[] = {
     981             :         { SMB_ACE4_WHO_OWNER,
     982             :           SMB_ACE4_FILE_INHERIT_ACE,
     983             :           SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
     984             :         { SMB_ACE4_WHO_OWNER,
     985             :           SMB_ACE4_DIRECTORY_INHERIT_ACE,
     986             :           SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
     987             :         { SMB_ACE4_WHO_OWNER,
     988             :           SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
     989             :           SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
     990             :           SEC_ACE_FLAG_INHERIT_ONLY },
     991             :         { SMB_ACE4_WHO_GROUP,
     992             :           SMB_ACE4_FILE_INHERIT_ACE,
     993             :           SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
     994             :         { SMB_ACE4_WHO_GROUP,
     995             :           SMB_ACE4_DIRECTORY_INHERIT_ACE,
     996             :           SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY },
     997             :         { SMB_ACE4_WHO_GROUP,
     998             :           SMB_ACE4_FILE_INHERIT_ACE|SMB_ACE4_DIRECTORY_INHERIT_ACE,
     999             :           SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
    1000             :           SEC_ACE_FLAG_INHERIT_ONLY },
    1001             : };
    1002             : 
    1003           1 : static void test_nfs4_to_dacl_creator(void **state)
    1004             : {
    1005           1 :         struct dom_sid *sids = *state;
    1006           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1007           1 :         int i;
    1008             : 
    1009           8 :         for (i = 0; i < ARRAY_SIZE(creator_owner_nfs4_to_dacl); i++) {
    1010           6 :                 struct SMB4ACL_T *nfs4_acl;
    1011           6 :                 SMB_ACE4PROP_T nfs4_ace;
    1012           6 :                 struct security_ace *dacl_aces, *creator_dacl_ace;
    1013           6 :                 int good_aces;
    1014           6 :                 struct smbacl4_vfs_params params = {
    1015             :                         .mode = e_simple,
    1016             :                         .do_chown = true,
    1017             :                         .acedup = e_merge,
    1018             :                         .map_full_control = true,
    1019             :                 };
    1020             : 
    1021           6 :                 nfs4_acl = smb_create_smb4acl(frame);
    1022           6 :                 assert_non_null(nfs4_acl);
    1023             : 
    1024           6 :                 nfs4_ace = (SMB_ACE4PROP_T) {
    1025             :                         .flags          = SMB_ACE4_ID_SPECIAL,
    1026             :                         .who.special_id
    1027           6 :                                 = creator_owner_nfs4_to_dacl[i].special_id,
    1028             :                         .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1029             :                         .aceFlags
    1030           6 :                                 = creator_owner_nfs4_to_dacl[i].nfs4_ace_flags,
    1031             :                         .aceMask        = SMB_ACE4_READ_DATA,
    1032             :                 };
    1033           6 :                 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1034             : 
    1035           6 :                 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
    1036             :                                              &sids[0], &sids[1], true,
    1037             :                                              &dacl_aces, &good_aces));
    1038           6 :                 assert_non_null(dacl_aces);
    1039             : 
    1040           6 :                 if (creator_owner_nfs4_to_dacl[i].nfs4_ace_flags &
    1041             :                     SMB_ACE4_INHERIT_ONLY_ACE) {
    1042             :                         /*
    1043             :                          * Only one ACE entry for the CREATOR ACE entry.
    1044             :                          */
    1045           0 :                         assert_int_equal(good_aces, 1);
    1046           0 :                         creator_dacl_ace = &dacl_aces[0];
    1047             :                 } else {
    1048             :                         /*
    1049             :                          * This creates an additional ACE entry for
    1050             :                          * the permissions on the current object.
    1051             :                          */
    1052           6 :                         assert_int_equal(good_aces, 2);
    1053             : 
    1054           6 :                         assert_int_equal(dacl_aces[0].type,
    1055             :                                          SEC_ACE_TYPE_ACCESS_ALLOWED);
    1056           6 :                         assert_int_equal(dacl_aces[0].flags, 0);
    1057           6 :                         assert_int_equal(dacl_aces[0].access_mask,
    1058             :                                          SEC_FILE_READ_DATA);
    1059             : 
    1060           6 :                         if (creator_owner_nfs4_to_dacl[i].special_id ==
    1061             :                             SMB_ACE4_WHO_OWNER) {
    1062           3 :                                 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
    1063             :                                                           &sids[0]));
    1064             :                         }
    1065             : 
    1066           6 :                         if (creator_owner_nfs4_to_dacl[i].special_id ==
    1067             :                             SMB_ACE4_WHO_GROUP) {
    1068           3 :                                 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
    1069             :                                                           &sids[1]));
    1070             :                         }
    1071             : 
    1072           6 :                         creator_dacl_ace = &dacl_aces[1];
    1073             :                 }
    1074             : 
    1075           6 :                 assert_int_equal(creator_dacl_ace->type,
    1076             :                                  SEC_ACE_TYPE_ACCESS_ALLOWED);
    1077           6 :                 assert_int_equal(creator_dacl_ace->flags,
    1078             :                                  creator_owner_nfs4_to_dacl[i].dacl_ace_flags);
    1079           6 :                 assert_int_equal(creator_dacl_ace->access_mask,
    1080             :                                  SEC_FILE_READ_DATA);
    1081           6 :                 if (creator_owner_nfs4_to_dacl[i].special_id ==
    1082             :                     SMB_ACE4_WHO_OWNER) {
    1083           3 :                         assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
    1084             :                                                   &global_sid_Creator_Owner));
    1085             :                 }
    1086             : 
    1087           6 :                 if (creator_owner_nfs4_to_dacl[i].special_id ==
    1088             :                     SMB_ACE4_WHO_GROUP) {
    1089           3 :                         assert_true(dom_sid_equal(&creator_dacl_ace->trustee,
    1090             :                                                   &global_sid_Creator_Group));
    1091             :                 }
    1092             :         }
    1093             : 
    1094           1 :         TALLOC_FREE(frame);
    1095           1 : }
    1096             : 
    1097             : struct nfs4_to_dacl_map_full_control{
    1098             :         bool is_dir;
    1099             :         bool config;
    1100             :         bool delete_child_added;
    1101             : } nfs4_to_dacl_full_control[] = {
    1102             :         { true, true,   false   },
    1103             :         { true, false,  false   },
    1104             :         { false,        true,   true    },
    1105             :         { false,        false,  false   },
    1106             : };
    1107             : 
    1108           1 : static void test_full_control_nfs4_to_dacl(void **state)
    1109             : {
    1110           1 :         struct dom_sid *sids = *state;
    1111           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1112           1 :         int i;
    1113             : 
    1114           6 :         for (i = 0; i < ARRAY_SIZE(nfs4_to_dacl_full_control); i++) {
    1115           4 :                 struct SMB4ACL_T *nfs4_acl;
    1116           4 :                 SMB_ACE4PROP_T nfs4_ace;
    1117           4 :                 struct security_ace *dacl_aces;
    1118           4 :                 int good_aces;
    1119           4 :                 struct smbacl4_vfs_params params = {
    1120             :                         .mode = e_simple,
    1121             :                         .do_chown = true,
    1122             :                         .acedup = e_merge,
    1123           4 :                         .map_full_control = nfs4_to_dacl_full_control[i].config,
    1124             :                 };
    1125           4 :                 const uint32_t nfs4_ace_mask_except_deletes =
    1126             :                         SMB_ACE4_READ_DATA|SMB_ACE4_WRITE_DATA|
    1127             :                         SMB_ACE4_APPEND_DATA|SMB_ACE4_READ_NAMED_ATTRS|
    1128             :                         SMB_ACE4_WRITE_NAMED_ATTRS|SMB_ACE4_EXECUTE|
    1129             :                         SMB_ACE4_READ_ATTRIBUTES|SMB_ACE4_WRITE_ATTRIBUTES|
    1130             :                         SMB_ACE4_READ_ACL|SMB_ACE4_WRITE_ACL|
    1131             :                         SMB_ACE4_WRITE_OWNER|SMB_ACE4_SYNCHRONIZE;
    1132           4 :                 const uint32_t dacl_ace_mask_except_deletes =
    1133             :                         SEC_FILE_READ_DATA|SEC_FILE_WRITE_DATA|
    1134             :                         SEC_FILE_APPEND_DATA|SEC_FILE_READ_EA|
    1135             :                         SEC_FILE_WRITE_EA|SEC_FILE_EXECUTE|
    1136             :                         SEC_FILE_READ_ATTRIBUTE|SEC_FILE_WRITE_ATTRIBUTE|
    1137             :                         SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|
    1138             :                         SEC_STD_WRITE_OWNER|SEC_STD_SYNCHRONIZE;
    1139             : 
    1140           4 :                 nfs4_acl = smb_create_smb4acl(frame);
    1141           4 :                 assert_non_null(nfs4_acl);
    1142             : 
    1143           4 :                 nfs4_ace = (SMB_ACE4PROP_T) {
    1144             :                         .flags          = 0,
    1145             :                         .who.uid        = 1000,
    1146             :                         .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1147             :                         .aceFlags       = 0,
    1148             :                         .aceMask        = nfs4_ace_mask_except_deletes,
    1149             :                 };
    1150           4 :                 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1151             : 
    1152           4 :                 assert_true(
    1153             :                         smbacl4_nfs42win(frame, &params, nfs4_acl,
    1154             :                                          &sids[0], &sids[1],
    1155             :                                          nfs4_to_dacl_full_control[i].is_dir,
    1156             :                                          &dacl_aces, &good_aces));
    1157             : 
    1158           4 :                 assert_int_equal(good_aces, 1);
    1159           4 :                 assert_non_null(dacl_aces);
    1160             : 
    1161           4 :                 assert_int_equal(dacl_aces[0].type,
    1162             :                                  SEC_ACE_TYPE_ACCESS_ALLOWED);
    1163           4 :                 assert_int_equal(dacl_aces[0].flags, 0);
    1164           4 :                 assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
    1165           4 :                 if (nfs4_to_dacl_full_control[i].delete_child_added) {
    1166           1 :                         assert_int_equal(dacl_aces[0].access_mask,
    1167             :                                          dacl_ace_mask_except_deletes|
    1168             :                                          SEC_DIR_DELETE_CHILD);
    1169             :                 } else {
    1170           3 :                         assert_int_equal(dacl_aces[0].access_mask,
    1171             :                                          dacl_ace_mask_except_deletes);
    1172             :                 }
    1173             :         }
    1174             : 
    1175           1 :         TALLOC_FREE(frame);
    1176           1 : }
    1177             : 
    1178             : struct acedup_settings {
    1179             :         enum smbacl4_acedup_enum setting;
    1180             : } acedup_settings[] = {
    1181             :         { e_dontcare },
    1182             :         { e_reject },
    1183             :         { e_ignore },
    1184             :         { e_merge },
    1185             : };
    1186             : 
    1187           1 : static void test_dacl_to_nfs4_acedup_settings(void **state)
    1188             : {
    1189           1 :         struct dom_sid *sids = *state;
    1190           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1191           1 :         int i;
    1192             : 
    1193           6 :         for (i = 0; i < ARRAY_SIZE(acedup_settings); i++) {
    1194           4 :                 struct SMB4ACL_T *nfs4_acl;
    1195           4 :                 struct SMB4ACE_T *nfs4_ace_container;
    1196           4 :                 SMB_ACE4PROP_T *nfs4_ace;
    1197           4 :                 struct security_ace dacl_aces[2];
    1198           4 :                 struct security_acl *dacl;
    1199           4 :                 struct smbacl4_vfs_params params = {
    1200             :                         .mode = e_simple,
    1201             :                         .do_chown = true,
    1202           4 :                         .acedup = acedup_settings[i].setting,
    1203             :                         .map_full_control = true,
    1204             :                 };
    1205             : 
    1206           4 :                 init_sec_ace(&dacl_aces[0], &sids[0],
    1207             :                              SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1208             :                              SEC_ACE_FLAG_OBJECT_INHERIT);
    1209           4 :                 init_sec_ace(&dacl_aces[1], &sids[0],
    1210             :                              SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
    1211             :                              SEC_ACE_FLAG_OBJECT_INHERIT);
    1212           4 :                 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
    1213             :                                     ARRAY_SIZE(dacl_aces), dacl_aces);
    1214           4 :                 assert_non_null(dacl);
    1215             : 
    1216           4 :                 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
    1217             :                                             101, 102);
    1218             : 
    1219           4 :                 switch(params.acedup) {
    1220           1 :                 case e_dontcare:
    1221           1 :                         assert_non_null(nfs4_acl);
    1222           1 :                         assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
    1223             :                                          SEC_DESC_SELF_RELATIVE);
    1224           1 :                         assert_int_equal(smb_get_naces(nfs4_acl), 2);
    1225             : 
    1226           1 :                         nfs4_ace_container = smb_first_ace4(nfs4_acl);
    1227           1 :                         assert_non_null(nfs4_ace_container);
    1228             : 
    1229           1 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1230           1 :                         assert_int_equal(nfs4_ace->flags, 0);
    1231           1 :                         assert_int_equal(nfs4_ace->who.uid, 1000);
    1232           1 :                         assert_int_equal(nfs4_ace->aceFlags,
    1233             :                                          SMB_ACE4_FILE_INHERIT_ACE);
    1234           1 :                         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1235             : 
    1236           1 :                         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1237           1 :                         assert_non_null(nfs4_ace_container);
    1238           1 :                         assert_null(smb_next_ace4(nfs4_ace_container));
    1239             : 
    1240           1 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1241           1 :                         assert_int_equal(nfs4_ace->flags, 0);
    1242           1 :                         assert_int_equal(nfs4_ace->who.uid, 1000);
    1243           1 :                         assert_int_equal(nfs4_ace->aceFlags,
    1244             :                                          SMB_ACE4_FILE_INHERIT_ACE);
    1245           1 :                         assert_int_equal(nfs4_ace->aceMask,
    1246             :                                          SMB_ACE4_WRITE_DATA);
    1247           1 :                         break;
    1248             : 
    1249           1 :                 case e_reject:
    1250           1 :                         assert_null(nfs4_acl);
    1251           1 :                         assert_int_equal(errno, EINVAL);
    1252           1 :                         break;
    1253             : 
    1254           1 :                 case e_ignore:
    1255           1 :                         assert_non_null(nfs4_acl);
    1256           1 :                         assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
    1257             :                                          SEC_DESC_SELF_RELATIVE);
    1258           1 :                         assert_int_equal(smb_get_naces(nfs4_acl), 1);
    1259             : 
    1260           1 :                         nfs4_ace_container = smb_first_ace4(nfs4_acl);
    1261           1 :                         assert_non_null(nfs4_ace_container);
    1262           1 :                         assert_null(smb_next_ace4(nfs4_ace_container));
    1263             : 
    1264           1 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1265           1 :                         assert_int_equal(nfs4_ace->flags, 0);
    1266           1 :                         assert_int_equal(nfs4_ace->who.uid, 1000);
    1267           1 :                         assert_int_equal(nfs4_ace->aceFlags,
    1268             :                                          SMB_ACE4_FILE_INHERIT_ACE);
    1269           1 :                         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1270           1 :                         break;
    1271             : 
    1272           1 :                 case e_merge:
    1273           1 :                         assert_non_null(nfs4_acl);
    1274           1 :                         assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
    1275             :                                          SEC_DESC_SELF_RELATIVE);
    1276           1 :                         assert_int_equal(smb_get_naces(nfs4_acl), 1);
    1277             : 
    1278           1 :                         nfs4_ace_container = smb_first_ace4(nfs4_acl);
    1279           1 :                         assert_non_null(nfs4_ace_container);
    1280           1 :                         assert_null(smb_next_ace4(nfs4_ace_container));
    1281             : 
    1282           1 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1283           1 :                         assert_int_equal(nfs4_ace->flags, 0);
    1284           1 :                         assert_int_equal(nfs4_ace->who.uid, 1000);
    1285           1 :                         assert_int_equal(nfs4_ace->aceFlags,
    1286             :                                          SMB_ACE4_FILE_INHERIT_ACE);
    1287           1 :                         assert_int_equal(nfs4_ace->aceMask,
    1288             :                                          SMB_ACE4_READ_DATA|
    1289             :                                          SMB_ACE4_WRITE_DATA);
    1290           1 :                         break;
    1291             : 
    1292           0 :                 default:
    1293           0 :                         fail_msg("Unexpected value for acedup: %d\n",
    1294             :                                  params.acedup);
    1295           4 :                 };
    1296             :         }
    1297             : 
    1298           1 :         TALLOC_FREE(frame);
    1299           1 : }
    1300             : 
    1301             : struct acedup_match {
    1302             :         int sid_idx1;
    1303             :         enum security_ace_type type1;
    1304             :         uint32_t ace_mask1;
    1305             :         uint8_t flag1;
    1306             :         int sid_idx2;
    1307             :         enum security_ace_type type2;
    1308             :         uint32_t ace_mask2;
    1309             :         uint8_t flag2;
    1310             :         bool match;
    1311             : } acedup_match[] = {
    1312             :         { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1313             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1314             :           0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1315             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1316             :           true },
    1317             :         { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1318             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1319             :           1, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1320             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1321             :           false },
    1322             :         { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1323             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1324             :           0, SEC_ACE_TYPE_ACCESS_DENIED, SEC_FILE_READ_DATA,
    1325             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1326             :           false },
    1327             :         { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1328             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1329             :           0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
    1330             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1331             :           true },
    1332             :         { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1333             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1334             :           0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1335             :           SEC_ACE_FLAG_CONTAINER_INHERIT,
    1336             :           false },
    1337             :         { 0, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1338             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1339             :           5, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1340             :           SEC_ACE_FLAG_OBJECT_INHERIT,
    1341             :           false },
    1342             : };
    1343             : 
    1344           1 : static void test_dacl_to_nfs4_acedup_match(void **state)
    1345             : {
    1346           1 :         struct dom_sid *sids = *state;
    1347           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1348           1 :         int i;
    1349             : 
    1350           8 :         for (i = 0; i < ARRAY_SIZE(acedup_match); i++) {
    1351           6 :                 struct SMB4ACL_T *nfs4_acl;
    1352           6 :                 struct SMB4ACE_T *nfs4_ace_container;
    1353           6 :                 SMB_ACE4PROP_T *nfs4_ace;
    1354           6 :                 struct security_ace dacl_aces[2];
    1355           6 :                 struct security_acl *dacl;
    1356           6 :                 struct smbacl4_vfs_params params = {
    1357             :                         .mode = e_simple,
    1358             :                         .do_chown = true,
    1359             :                         .acedup = e_ignore,
    1360             :                         .map_full_control = true,
    1361             :                 };
    1362             : 
    1363           6 :                 init_sec_ace(&dacl_aces[0],
    1364           6 :                              &sids[acedup_match[i].sid_idx1],
    1365             :                              acedup_match[i].type1,
    1366             :                              acedup_match[i].ace_mask1,
    1367           6 :                              acedup_match[i].flag1);
    1368           6 :                 init_sec_ace(&dacl_aces[1],
    1369           6 :                              &sids[acedup_match[i].sid_idx2],
    1370             :                              acedup_match[i].type2,
    1371             :                              acedup_match[i].ace_mask2,
    1372           6 :                              acedup_match[i].flag2);
    1373           6 :                 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
    1374             :                                     ARRAY_SIZE(dacl_aces), dacl_aces);
    1375           6 :                 assert_non_null(dacl);
    1376             : 
    1377           6 :                 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
    1378             :                                             101, 102);
    1379           6 :                 assert_non_null(nfs4_acl);
    1380           6 :                 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
    1381             :                                  SEC_DESC_SELF_RELATIVE);
    1382             : 
    1383           6 :                 if (acedup_match[i].match) {
    1384           2 :                         assert_int_equal(smb_get_naces(nfs4_acl), 1);
    1385             : 
    1386           2 :                         nfs4_ace_container = smb_first_ace4(nfs4_acl);
    1387           2 :                         assert_non_null(nfs4_ace_container);
    1388           2 :                         assert_null(smb_next_ace4(nfs4_ace_container));
    1389             : 
    1390           2 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1391           2 :                         assert_int_equal(nfs4_ace->flags, 0);
    1392           2 :                         assert_int_equal(nfs4_ace->who.uid, 1000);
    1393           2 :                         assert_int_equal(nfs4_ace->aceFlags,
    1394             :                                          SMB_ACE4_FILE_INHERIT_ACE);
    1395           2 :                         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1396             : 
    1397             :                 } else {
    1398           4 :                         assert_int_equal(smb_get_naces(nfs4_acl), 2);
    1399             : 
    1400           4 :                         nfs4_ace_container = smb_first_ace4(nfs4_acl);
    1401           4 :                         assert_non_null(nfs4_ace_container);
    1402             : 
    1403           4 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1404           4 :                         assert_int_equal(nfs4_ace->flags, 0);
    1405           4 :                         assert_int_equal(nfs4_ace->who.uid, 1000);
    1406           4 :                         assert_int_equal(nfs4_ace->aceFlags,
    1407             :                                          SMB_ACE4_FILE_INHERIT_ACE);
    1408           4 :                         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1409             : 
    1410           4 :                         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1411           4 :                         assert_non_null(nfs4_ace_container);
    1412           4 :                         assert_null(smb_next_ace4(nfs4_ace_container));
    1413             : 
    1414           4 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1415           4 :                         assert_int_equal(nfs4_ace->flags, 0);
    1416             :                 }
    1417             :         }
    1418             : 
    1419           1 :         TALLOC_FREE(frame);
    1420           1 : }
    1421             : 
    1422           1 : static void test_dacl_to_nfs4_config_special(void **state)
    1423             : {
    1424           1 :         struct dom_sid *sids = *state;
    1425           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1426           1 :         struct SMB4ACL_T *nfs4_acl;
    1427           1 :         struct SMB4ACE_T *nfs4_ace_container;
    1428           1 :         SMB_ACE4PROP_T *nfs4_ace;
    1429           1 :         struct security_ace dacl_aces[6];
    1430           1 :         struct security_acl *dacl;
    1431           1 :         struct smbacl4_vfs_params params = {
    1432             :                 .mode = e_special,
    1433             :                 .do_chown = true,
    1434             :                 .acedup = e_dontcare,
    1435             :                 .map_full_control = true,
    1436             :         };
    1437             : 
    1438             :         /*
    1439             :          * global_sid_Creator_Owner or global_sid_Special_Group is NOT mapped
    1440             :          * to SMB_ACE4_ID_SPECIAL.
    1441             :          */
    1442           1 :         init_sec_ace(&dacl_aces[0], &global_sid_Creator_Owner,
    1443             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1444             :                      SEC_ACE_FLAG_OBJECT_INHERIT);
    1445           1 :         init_sec_ace(&dacl_aces[1], &global_sid_Creator_Group,
    1446             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA,
    1447             :                      SEC_ACE_FLAG_CONTAINER_INHERIT);
    1448             :         /*
    1449             :          * Anything that maps to owner or owning group with inheritance flags
    1450             :          * IS mapped to special owner or special group.
    1451             :          */
    1452           1 :         init_sec_ace(&dacl_aces[2], &sids[0],
    1453             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1454             :                      SEC_ACE_FLAG_OBJECT_INHERIT);
    1455           1 :         init_sec_ace(&dacl_aces[3], &sids[0],
    1456             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1457             :                      SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
    1458           1 :         init_sec_ace(&dacl_aces[4], &sids[1],
    1459             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1460             :                      SEC_ACE_FLAG_OBJECT_INHERIT);
    1461           1 :         init_sec_ace(&dacl_aces[5], &sids[1],
    1462             :                      SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
    1463             :                      SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
    1464           1 :         dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
    1465             :                             ARRAY_SIZE(dacl_aces), dacl_aces);
    1466           1 :         assert_non_null(dacl);
    1467             : 
    1468           1 :         nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params, 1000, 1001);
    1469             : 
    1470           1 :         assert_non_null(nfs4_acl);
    1471           1 :         assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
    1472             :                          SEC_DESC_SELF_RELATIVE);
    1473           1 :         assert_int_equal(smb_get_naces(nfs4_acl), 6);
    1474             : 
    1475           1 :         nfs4_ace_container = smb_first_ace4(nfs4_acl);
    1476           1 :         assert_non_null(nfs4_ace_container);
    1477             : 
    1478           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1479           1 :         assert_int_equal(nfs4_ace->flags, 0);
    1480           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
    1481           1 :         assert_int_equal(nfs4_ace->who.uid, 1003);
    1482           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1483             : 
    1484           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1485           1 :         assert_non_null(nfs4_ace_container);
    1486             : 
    1487           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1488           1 :         assert_int_equal(nfs4_ace->flags, 0);
    1489           1 :         assert_int_equal(nfs4_ace->aceFlags,
    1490             :                          SMB_ACE4_IDENTIFIER_GROUP|
    1491             :                          SMB_ACE4_DIRECTORY_INHERIT_ACE);
    1492           1 :         assert_int_equal(nfs4_ace->who.gid, 1004);
    1493           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
    1494             : 
    1495           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1496           1 :         assert_non_null(nfs4_ace_container);
    1497             : 
    1498           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1499           1 :         assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
    1500           1 :         assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
    1501           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
    1502           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1503             : 
    1504           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1505           1 :         assert_non_null(nfs4_ace_container);
    1506             : 
    1507           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1508           1 :         assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
    1509           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
    1510             :                          SMB_ACE4_INHERIT_ONLY_ACE);
    1511           1 :         assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_OWNER);
    1512           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1513             : 
    1514           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1515           1 :         assert_non_null(nfs4_ace_container);
    1516             : 
    1517           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1518           1 :         assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
    1519           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
    1520             :                          SMB_ACE4_FILE_INHERIT_ACE);
    1521           1 :         assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
    1522           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1523             : 
    1524           1 :         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1525           1 :         assert_non_null(nfs4_ace_container);
    1526             : 
    1527           1 :         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1528           1 :         assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
    1529           1 :         assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
    1530             :                          SMB_ACE4_DIRECTORY_INHERIT_ACE|
    1531             :                          SMB_ACE4_INHERIT_ONLY_ACE);
    1532           1 :         assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_GROUP);
    1533           1 :         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1534             : 
    1535           1 :         assert_null(smb_next_ace4(nfs4_ace_container));
    1536             : 
    1537           1 :         TALLOC_FREE(frame);
    1538           1 : }
    1539             : 
    1540           1 : static void test_nfs4_to_dacl_config_special(void **state)
    1541             : {
    1542           1 :         struct dom_sid *sids = *state;
    1543           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1544           1 :         struct SMB4ACL_T *nfs4_acl;
    1545           1 :         SMB_ACE4PROP_T nfs4_ace;
    1546           1 :         struct security_ace *dacl_aces;
    1547           1 :         int good_aces;
    1548           1 :         struct smbacl4_vfs_params params = {
    1549             :                 .mode = e_special,
    1550             :                 .do_chown = true,
    1551             :                 .acedup = e_dontcare,
    1552             :                 .map_full_control = true,
    1553             :         };
    1554             : 
    1555           1 :         nfs4_acl = smb_create_smb4acl(frame);
    1556           1 :         assert_non_null(nfs4_acl);
    1557             : 
    1558             :         /*
    1559             :          * In config mode special, this is not mapped to Creator Owner
    1560             :          */
    1561           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
    1562             :                 .flags          = SMB_ACE4_ID_SPECIAL,
    1563             :                 .who.special_id = SMB_ACE4_WHO_OWNER,
    1564             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1565             :                 .aceFlags       = SMB_ACE4_FILE_INHERIT_ACE,
    1566             :                 .aceMask        = SMB_ACE4_READ_DATA,
    1567             :         };
    1568           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1569             : 
    1570             :         /*
    1571             :          * In config mode special, this is not mapped to Creator Group
    1572             :          */
    1573           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
    1574             :                 .flags          = SMB_ACE4_ID_SPECIAL,
    1575             :                 .who.special_id = SMB_ACE4_WHO_GROUP,
    1576             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1577             :                 .aceFlags       = SMB_ACE4_DIRECTORY_INHERIT_ACE,
    1578             :                 .aceMask        = SMB_ACE4_WRITE_DATA,
    1579             :         };
    1580           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1581             : 
    1582           1 :         assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
    1583             :                                      &sids[0], &sids[1], true,
    1584             :                                      &dacl_aces, &good_aces));
    1585             : 
    1586           1 :         assert_int_equal(good_aces, 2);
    1587           1 :         assert_non_null(dacl_aces);
    1588             : 
    1589           1 :         assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
    1590           1 :         assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_OBJECT_INHERIT);
    1591           1 :         assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
    1592           1 :         assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
    1593             : 
    1594           1 :         assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
    1595           1 :         assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_CONTAINER_INHERIT);
    1596           1 :         assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
    1597           1 :         assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[1]));
    1598             : 
    1599           1 :         TALLOC_FREE(frame);
    1600           1 : }
    1601             : 
    1602             : struct nfs_to_dacl_idmap_both {
    1603             :         uint32_t nfs4_flags;
    1604             :         uint32_t nfs4_id;
    1605             :         struct dom_sid *sid;
    1606             : };
    1607             : 
    1608           1 : static void test_nfs4_to_dacl_idmap_type_both(void **state)
    1609             : {
    1610           1 :         struct dom_sid *sids = *state;
    1611           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1612           1 :         int i;
    1613           1 :         struct nfs_to_dacl_idmap_both nfs_to_dacl_idmap_both[] = {
    1614           1 :                 { 0,                            1002, &sids[2] },
    1615             :                 { SMB_ACE4_IDENTIFIER_GROUP,    1002, &sids[2] },
    1616           1 :                 { 0,                            1005, &sids[6] },
    1617             :                 { SMB_ACE4_IDENTIFIER_GROUP,    1005, &sids[6] },
    1618             :         };
    1619             : 
    1620           5 :         for (i = 0; i < ARRAY_SIZE(nfs_to_dacl_idmap_both); i++) {
    1621           4 :                 struct SMB4ACL_T *nfs4_acl;
    1622           4 :                 struct security_ace *dacl_aces;
    1623           4 :                 SMB_ACE4PROP_T nfs4_ace;
    1624           4 :                 int good_aces;
    1625           4 :                 struct smbacl4_vfs_params params = {
    1626             :                         .mode = e_simple,
    1627             :                         .do_chown = true,
    1628             :                         .acedup = e_merge,
    1629             :                         .map_full_control = true,
    1630             :                 };
    1631             : 
    1632           4 :                 nfs4_acl = smb_create_smb4acl(frame);
    1633           4 :                 assert_non_null(nfs4_acl);
    1634             : 
    1635           4 :                 nfs4_ace = (SMB_ACE4PROP_T) {
    1636             :                         .flags          = 0,
    1637             :                         .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1638           4 :                         .aceFlags       = nfs_to_dacl_idmap_both[i].nfs4_flags,
    1639             :                         .aceMask        = SMB_ACE4_READ_DATA,
    1640             :                 };
    1641             : 
    1642           4 :                 if (nfs_to_dacl_idmap_both[i].nfs4_flags &
    1643             :                     SMB_ACE4_IDENTIFIER_GROUP) {
    1644           2 :                         nfs4_ace.who.gid = nfs_to_dacl_idmap_both[i].nfs4_id;
    1645             :                 } else {
    1646           2 :                         nfs4_ace.who.uid = nfs_to_dacl_idmap_both[i].nfs4_id;
    1647             :                 }
    1648           4 :                 assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1649             : 
    1650           4 :                 assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
    1651             :                                              &sids[2], &sids[2],
    1652             :                                              false, &dacl_aces, &good_aces));
    1653             : 
    1654           4 :                 assert_int_equal(good_aces, 1);
    1655           4 :                 assert_non_null(dacl_aces);
    1656             : 
    1657           4 :                 assert_int_equal(dacl_aces[0].type,
    1658             :                                  SEC_ACE_TYPE_ACCESS_ALLOWED);
    1659           4 :                 assert_int_equal(dacl_aces[0].flags, 0);
    1660           4 :                 assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_READ_DATA);
    1661           4 :                 assert_true(dom_sid_equal(&dacl_aces[0].trustee,
    1662             :                                           nfs_to_dacl_idmap_both[i].sid));
    1663             :         }
    1664             : 
    1665           1 :         TALLOC_FREE(frame);
    1666           1 : }
    1667             : 
    1668             : struct dacl_to_nfs4_idmap_both {
    1669             :         struct dom_sid *sid;
    1670             :         uint32_t dacl_flags;
    1671             :         uint32_t nfs4_flags;
    1672             :         uint32_t nfs4_ace_flags;
    1673             :         uint32_t nfs4_id;
    1674             :         int num_nfs4_aces;
    1675             : };
    1676             : 
    1677             : /*
    1678             :  * IDMAP_TYPE_BOTH always creates group entries.
    1679             :  */
    1680           1 : static void test_dacl_to_nfs4_idmap_type_both(void **state)
    1681             : {
    1682           1 :         struct dom_sid *sids = *state;
    1683           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1684           1 :         int i;
    1685             : 
    1686           1 :         struct dacl_to_nfs4_idmap_both dacl_to_nfs4_idmap_both[] = {
    1687           1 :         { &sids[2], 0,
    1688             :           SMB_ACE4_ID_SPECIAL, SMB_ACE4_IDENTIFIER_GROUP, SMB_ACE4_WHO_GROUP,
    1689             :           2 },
    1690             :         { &sids[2], SEC_ACE_FLAG_OBJECT_INHERIT,
    1691             :           0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1002,
    1692             :           1 },
    1693           1 :         { &sids[6], 0,
    1694             :           0, SMB_ACE4_IDENTIFIER_GROUP, 1005,
    1695             :           1 },
    1696             :         { &sids[6], SEC_ACE_FLAG_OBJECT_INHERIT,
    1697             :           0, SMB_ACE4_IDENTIFIER_GROUP|SMB_ACE4_FILE_INHERIT_ACE, 1005,
    1698             :           1 },
    1699             :         };
    1700             : 
    1701           5 :         for (i = 0; i < ARRAY_SIZE(dacl_to_nfs4_idmap_both); i++) {
    1702           4 :                 struct SMB4ACL_T *nfs4_acl;
    1703           4 :                 struct SMB4ACE_T *nfs4_ace_container;
    1704           4 :                 SMB_ACE4PROP_T *nfs4_ace;
    1705           4 :                 struct security_ace dacl_aces[1];
    1706           4 :                 struct security_acl *dacl;
    1707           4 :                 struct smbacl4_vfs_params params = {
    1708             :                         .mode = e_simple,
    1709             :                         .do_chown = true,
    1710             :                         .acedup = e_merge,
    1711             :                         .map_full_control = true,
    1712             :                 };
    1713             : 
    1714           4 :                 init_sec_ace(&dacl_aces[0], dacl_to_nfs4_idmap_both[i].sid,
    1715             :                              SEC_ACE_TYPE_ACCESS_ALLOWED,
    1716             :                              SEC_FILE_READ_DATA,
    1717           4 :                              dacl_to_nfs4_idmap_both[i].dacl_flags);
    1718           4 :                 dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
    1719             :                                     ARRAY_SIZE(dacl_aces), dacl_aces);
    1720           4 :                 assert_non_null(dacl);
    1721             : 
    1722           4 :                 nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params,
    1723             :                                             1002, 1002);
    1724             : 
    1725           4 :                 assert_non_null(nfs4_acl);
    1726           4 :                 assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
    1727             :                                  SEC_DESC_SELF_RELATIVE);
    1728           4 :                 assert_int_equal(smb_get_naces(nfs4_acl),
    1729             :                                  dacl_to_nfs4_idmap_both[i].num_nfs4_aces);
    1730             : 
    1731           4 :                 nfs4_ace_container = smb_first_ace4(nfs4_acl);
    1732           4 :                 assert_non_null(nfs4_ace_container);
    1733             : 
    1734           4 :                 nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1735           4 :                 assert_int_equal(nfs4_ace->flags,
    1736             :                                  dacl_to_nfs4_idmap_both[i].nfs4_flags);
    1737           4 :                 assert_int_equal(nfs4_ace->aceFlags,
    1738             :                                  dacl_to_nfs4_idmap_both[i].nfs4_ace_flags);
    1739           4 :                 if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
    1740           1 :                         assert_int_equal(nfs4_ace->who.special_id,
    1741             :                                          dacl_to_nfs4_idmap_both[i].nfs4_id);
    1742           3 :                 } else if (nfs4_ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) {
    1743           3 :                         assert_int_equal(nfs4_ace->who.gid,
    1744             :                                          dacl_to_nfs4_idmap_both[i].nfs4_id);
    1745             :                 } else {
    1746           0 :                         assert_int_equal(nfs4_ace->who.uid,
    1747             :                                          dacl_to_nfs4_idmap_both[i].nfs4_id);
    1748             :                 }
    1749           4 :                 assert_int_equal(nfs4_ace->aceType,
    1750             :                                  SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
    1751           4 :                 assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1752             : 
    1753           4 :                 if (dacl_to_nfs4_idmap_both[i].num_nfs4_aces == 2) {
    1754           1 :                         nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
    1755           1 :                         assert_non_null(nfs4_ace_container);
    1756             : 
    1757           1 :                         nfs4_ace = smb_get_ace4(nfs4_ace_container);
    1758           1 :                         assert_int_equal(nfs4_ace->flags,
    1759             :                                          dacl_to_nfs4_idmap_both[i].nfs4_flags);
    1760           1 :                         assert_int_equal(nfs4_ace->aceFlags,
    1761             :                                          dacl_to_nfs4_idmap_both[i].nfs4_ace_flags &
    1762             :                                          ~SMB_ACE4_IDENTIFIER_GROUP);
    1763           1 :                         if (nfs4_ace->flags & SMB_ACE4_ID_SPECIAL) {
    1764           1 :                                 assert_int_equal(nfs4_ace->who.special_id,
    1765             :                                                  SMB_ACE4_WHO_OWNER);
    1766             :                         } else {
    1767           0 :                                 assert_int_equal(nfs4_ace->who.uid,
    1768             :                                                  dacl_to_nfs4_idmap_both[i].nfs4_id);
    1769             :                         }
    1770           1 :                         assert_int_equal(nfs4_ace->aceType,
    1771             :                                          SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE);
    1772           1 :                         assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
    1773             :                 }
    1774             :         }
    1775             : 
    1776           1 :         TALLOC_FREE(frame);
    1777           1 : }
    1778             : 
    1779           1 : static void test_nfs4_to_dacl_remove_duplicate(void **state)
    1780             : {
    1781             : 
    1782           1 :         struct dom_sid *sids = *state;
    1783           1 :         TALLOC_CTX *frame = talloc_stackframe();
    1784           1 :         struct SMB4ACL_T *nfs4_acl;
    1785           1 :         SMB_ACE4PROP_T nfs4_ace;
    1786           1 :         struct security_ace *dacl_aces;
    1787           1 :         int good_aces;
    1788           1 :         struct smbacl4_vfs_params params = {
    1789             :                 .mode = e_simple,
    1790             :                 .do_chown = true,
    1791             :                 .acedup = e_dontcare,
    1792             :                 .map_full_control = true,
    1793             :         };
    1794             : 
    1795           1 :         nfs4_acl = smb_create_smb4acl(frame);
    1796           1 :         assert_non_null(nfs4_acl);
    1797             : 
    1798           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
    1799             :                 .flags          = 0,
    1800             :                 .who.uid        = 1002,
    1801             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1802             :                 .aceFlags       = SMB_ACE4_INHERITED_ACE,
    1803             :                 .aceMask        = SMB_ACE4_WRITE_DATA,
    1804             :         };
    1805           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1806             : 
    1807           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
    1808             :                 .flags          = 0,
    1809             :                 .who.gid        = 1002,
    1810             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1811             :                 .aceFlags       = SMB_ACE4_IDENTIFIER_GROUP|
    1812             :                                   SMB_ACE4_INHERITED_ACE,
    1813             :                 .aceMask        = SMB_ACE4_WRITE_DATA,
    1814             :         };
    1815           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1816             : 
    1817           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
    1818             :                 .flags          = 0,
    1819             :                 .who.gid        = 1002,
    1820             :                 .aceType        = SMB_ACE4_ACCESS_DENIED_ACE_TYPE,
    1821             :                 .aceFlags       = SMB_ACE4_IDENTIFIER_GROUP|
    1822             :                                   SMB_ACE4_INHERITED_ACE,
    1823             :                 .aceMask        = SMB_ACE4_WRITE_DATA,
    1824             :         };
    1825           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1826             : 
    1827           1 :         nfs4_ace = (SMB_ACE4PROP_T) {
    1828             :                 .flags          = 0,
    1829             :                 .who.gid        = 1002,
    1830             :                 .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
    1831             :                 .aceFlags       = SMB_ACE4_IDENTIFIER_GROUP|
    1832             :                                   SMB_ACE4_INHERITED_ACE,
    1833             :                 .aceMask        = SMB_ACE4_WRITE_DATA,
    1834             :         };
    1835           1 :         assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
    1836             : 
    1837           1 :         assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
    1838             :                                      &sids[0], &sids[1], true,
    1839             :                                      &dacl_aces, &good_aces));
    1840             : 
    1841           1 :         assert_int_equal(good_aces, 2);
    1842           1 :         assert_non_null(dacl_aces);
    1843             : 
    1844           1 :         assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
    1845           1 :         assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_INHERITED_ACE);
    1846           1 :         assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_WRITE_DATA);
    1847           1 :         assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[2]));
    1848             : 
    1849           1 :         assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_DENIED);
    1850           1 :         assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_INHERITED_ACE);
    1851           1 :         assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
    1852           1 :         assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[2]));
    1853             : 
    1854           1 :         TALLOC_FREE(frame);
    1855           1 : }
    1856             : 
    1857           1 : int main(int argc, char **argv)
    1858             : {
    1859           1 :         const struct CMUnitTest tests[] = {
    1860             :                 cmocka_unit_test(test_cached_id_mappings),
    1861             :                 cmocka_unit_test(test_empty_nfs4_to_dacl),
    1862             :                 cmocka_unit_test(test_empty_dacl_to_nfs4),
    1863             :                 cmocka_unit_test(test_acl_type_nfs4_to_dacl),
    1864             :                 cmocka_unit_test(test_acl_type_dacl_to_nfs4),
    1865             :                 cmocka_unit_test(test_ace_flags_nfs4_to_dacl),
    1866             :                 cmocka_unit_test(test_ace_flags_dacl_to_nfs4),
    1867             :                 cmocka_unit_test(test_nfs4_permissions_to_dacl),
    1868             :                 cmocka_unit_test(test_dacl_permissions_to_nfs4),
    1869             :                 cmocka_unit_test(test_special_nfs4_to_dacl),
    1870             :                 cmocka_unit_test(test_dacl_to_special_nfs4),
    1871             :                 cmocka_unit_test(test_dacl_creator_to_nfs4),
    1872             :                 cmocka_unit_test(test_nfs4_to_dacl_creator),
    1873             :                 cmocka_unit_test(test_full_control_nfs4_to_dacl),
    1874             :                 cmocka_unit_test(test_dacl_to_nfs4_acedup_settings),
    1875             :                 cmocka_unit_test(test_dacl_to_nfs4_acedup_match),
    1876             :                 cmocka_unit_test(test_dacl_to_nfs4_config_special),
    1877             :                 cmocka_unit_test(test_nfs4_to_dacl_config_special),
    1878             :                 cmocka_unit_test(test_nfs4_to_dacl_idmap_type_both),
    1879             :                 cmocka_unit_test(test_dacl_to_nfs4_idmap_type_both),
    1880             :                 cmocka_unit_test(test_nfs4_to_dacl_remove_duplicate),
    1881             :         };
    1882             : 
    1883           1 :         cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
    1884             : 
    1885           1 :         if (argc != 2) {
    1886           0 :                 print_error("Usage: %s smb.conf\n", argv[0]);
    1887           0 :                 exit(1);
    1888             :         }
    1889             : 
    1890             :         /*
    1891             :          * Initialize enough of the Samba internals to have the
    1892             :          * mappings tests work.
    1893             :          */
    1894           1 :         talloc_stackframe();
    1895           1 :         lp_load_global(argv[1]);
    1896             : 
    1897           1 :         return cmocka_run_group_tests(tests, group_setup, group_teardown);
    1898             : }

Generated by: LCOV version 1.14