authorChristof Schmitt <cs@samba.org>2019-07-02 11:33:29 -0700
committerKarolin Seeger <kseeger@samba.org>2019-08-26 10:23:25 +0000
commitf431a1b7de7b044ed550c35f30e0a8646eed25d5 (patch)
treec674d15130c8d6ff102d9c57e3078a3d98919345
parent0aadba938c9f2f60e6d625b2e5c15e3b33105105 (diff)
test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
Add testcase for mapping permissions from the NFSv4 ACL to DACL in the security descriptor. The mapping is simple as each permission bit exists on both sides. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 1767027b44a9e4ebd865022e3f8abb0c72bf15c6)
-rw-r--r--source3/modules/test_nfs4_acls.c77
1 files changed, 77 insertions, 0 deletions
diff --git a/source3/modules/test_nfs4_acls.c b/source3/modules/test_nfs4_acls.c
index a0e7db41b70..42a69453f5a 100644
--- a/source3/modules/test_nfs4_acls.c
+++ b/source3/modules/test_nfs4_acls.c
@@ -440,6 +440,82 @@ static void test_ace_flags_dacl_to_nfs4(void **state)
TALLOC_FREE(frame);
}
+struct ace_perm_mapping {
+ uint32_t nfs4_perm;
+ uint32_t dacl_perm;
+} perm_table_nfs4_to_dacl[] = {
+ { SMB_ACE4_READ_DATA, SEC_FILE_READ_DATA },
+ { SMB_ACE4_LIST_DIRECTORY, SEC_DIR_LIST },
+ { SMB_ACE4_WRITE_DATA, SEC_FILE_WRITE_DATA },
+ { SMB_ACE4_ADD_FILE, SEC_DIR_ADD_FILE },
+ { SMB_ACE4_APPEND_DATA, SEC_FILE_APPEND_DATA },
+ { SMB_ACE4_ADD_SUBDIRECTORY, SEC_DIR_ADD_SUBDIR, },
+ { SMB_ACE4_READ_NAMED_ATTRS, SEC_FILE_READ_EA },
+ { SMB_ACE4_READ_NAMED_ATTRS, SEC_DIR_READ_EA },
+ { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_FILE_WRITE_EA },
+ { SMB_ACE4_WRITE_NAMED_ATTRS, SEC_DIR_WRITE_EA },
+ { SMB_ACE4_EXECUTE, SEC_FILE_EXECUTE },
+ { SMB_ACE4_EXECUTE, SEC_DIR_TRAVERSE },
+ { SMB_ACE4_DELETE_CHILD, SEC_DIR_DELETE_CHILD },
+ { SMB_ACE4_READ_ATTRIBUTES, SEC_FILE_READ_ATTRIBUTE },
+ { SMB_ACE4_READ_ATTRIBUTES, SEC_DIR_READ_ATTRIBUTE },
+ { SMB_ACE4_WRITE_ATTRIBUTES, SEC_FILE_WRITE_ATTRIBUTE },
+ { SMB_ACE4_WRITE_ATTRIBUTES, SEC_DIR_WRITE_ATTRIBUTE },
+ { SMB_ACE4_DELETE, SEC_STD_DELETE },
+ { SMB_ACE4_READ_ACL, SEC_STD_READ_CONTROL },
+ { SMB_ACE4_WRITE_ACL, SEC_STD_WRITE_DAC, },
+ { SMB_ACE4_WRITE_OWNER, SEC_STD_WRITE_OWNER },
+ { SMB_ACE4_SYNCHRONIZE, SEC_STD_SYNCHRONIZE },
+};
+
+static void test_nfs4_permissions_to_dacl(void **state)
+{
+ struct dom_sid *sids = *state;
+ TALLOC_CTX *frame = talloc_stackframe();
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(perm_table_nfs4_to_dacl); i++) {
+ struct SMB4ACL_T *nfs4_acl;
+ SMB_ACE4PROP_T nfs4_ace;
+ struct security_ace *dacl_aces;
+ int good_aces;
+ struct smbacl4_vfs_params params = {
+ .mode = e_simple,
+ .do_chown = true,
+ .acedup = e_merge,
+ .map_full_control = true,
+ };
+
+ nfs4_acl = smb_create_smb4acl(frame);
+ assert_non_null(nfs4_acl);
+
+ nfs4_ace = (SMB_ACE4PROP_T) {
+ .flags = 0,
+ .who.uid = 1000,
+ .aceType = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+ .aceFlags = 0,
+ .aceMask = perm_table_nfs4_to_dacl[i].nfs4_perm,
+ };
+ assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+ assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
+ &sids[0], &sids[1], false,
+ &dacl_aces, &good_aces));
+
+ assert_int_equal(good_aces, 1);
+ assert_non_null(dacl_aces);
+
+ assert_int_equal(dacl_aces[0].type,
+ SEC_ACE_TYPE_ACCESS_ALLOWED);
+ assert_int_equal(dacl_aces[0].flags, 0);
+ assert_int_equal(dacl_aces[0].access_mask,
+ perm_table_nfs4_to_dacl[i].dacl_perm);
+ assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[0]));
+ }
+
+ TALLOC_FREE(frame);
+}
+
int main(int argc, char **argv)
{
const struct CMUnitTest tests[] = {
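Review bot: Every iteration of test_nfs4_permissions_to_dacl passes the same literal `false` as the sixth argument of smbacl4_nfs42win(), which looks like the is_directory flag, so the SEC_DIR_* rows of perm_table_nfs4_to_dacl are compared only by bit value on the file path and the directory path is never run. The loop also builds only SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE entries carrying one bit each, so a mapping mistake in a deny ACE or in a combined mask would pass unnoticed, and in an ACL translation that is an access-control error rather than a cosmetic one. If that scope is intended, state it above the loop, e.g. `/* File case, allow ACEs, one permission bit per ACE; directory and deny mapping are not covered here. */`. Separately, the table is declared without `static const`, which gives a test-only array external linkage and leaves it writable; `static const struct ace_perm_mapping {` fixes that, and `size_t i;` avoids comparing a signed int with ARRAY_SIZE().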
@@ -450,6 +526,7 @@ int main(int argc, char **argv)
cmocka_unit_test(test_acl_type_dacl_to_nfs4),
cmocka_unit_test(test_ace_flags_nfs4_to_dacl),
cmocka_unit_test(test_ace_flags_dacl_to_nfs4),
+ cmocka_unit_test(test_nfs4_permissions_to_dacl),
};
cmocka_set_message_output(CM_OUTPUT_SUBUNIT);