test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries

Add testcase for mapping from entries in the DACL security descriptor to
"special" entries in the NFSv4 ACL. Verify that the WORLD well-known SID
maps to "everyone" in the NFSv4 ACL. Verify that the "Unix NFS" SID is
ignored, as there is no meaningful mapping for this entry. Verify that
SID entries matching the owner or group are mapped to "special owner"
or "special group", but only if no inheritance flags are used. "special
owner" and "special group" with inheritance flags have the meaning of
CREATOR OWNER and CREATOR GROUP and will be tested in another testcase.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1f1fa5bde2c76636c1beec39c21067b252ea10be)

1 files changed, 108 insertions, 0 deletions

diff --git a/source3/modules/test_nfs4_acls.c b/source3/modules/test_nfs4_acls.c
index 5b5b37adc82..46119f83dc4 100644
--- a/source3/modules/test_nfs4_acls.c
+++ b/source3/modules/test_nfs4_acls.c
@@ -759,6 +759,113 @@ static void test_special_nfs4_to_dacl(void **state)
 	TALLOC_FREE(frame);
 }
 
+static void test_dacl_to_special_nfs4(void **state)
+{
+	struct dom_sid *sids = *state;
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct SMB4ACL_T *nfs4_acl;
+	struct SMB4ACE_T *nfs4_ace_container;
+	SMB_ACE4PROP_T *nfs4_ace;
+	struct security_ace dacl_aces[6];
+	struct security_acl *dacl;
+	struct smbacl4_vfs_params params = {
+		.mode = e_simple,
+		.do_chown = true,
+		.acedup = e_dontcare,
+		.map_full_control = true,
+	};
+
+	/*
+	 * global_Sid_World is mapped to EVERYONE.
+	 */
+	init_sec_ace(&dacl_aces[0], &global_sid_World,
+		     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, 0);
+	/*
+	 * global_sid_Unix_NFS is ignored.
+	 */
+	init_sec_ace(&dacl_aces[1], &global_sid_Unix_NFS,
+		     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA, 0);
+	/*
+	 * Anything that maps to owner or owning group with inheritance flags
+	 * is NOT mapped to special owner or special group.
+	 */
+	init_sec_ace(&dacl_aces[2], &sids[0],
+		     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
+		     SEC_ACE_FLAG_OBJECT_INHERIT);
+	init_sec_ace(&dacl_aces[3], &sids[0],
+		     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
+		     SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
+	init_sec_ace(&dacl_aces[4], &sids[1],
+		     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
+		     SEC_ACE_FLAG_OBJECT_INHERIT);
+	init_sec_ace(&dacl_aces[5], &sids[1],
+		     SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_READ_DATA,
+		     SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
+	dacl = make_sec_acl(frame, SECURITY_ACL_REVISION_ADS,
+			    ARRAY_SIZE(dacl_aces), dacl_aces);
+	assert_non_null(dacl);
+
+	nfs4_acl = smbacl4_win2nfs4(frame, true, dacl, &params, 1000, 1001);
+
+	assert_non_null(nfs4_acl);
+	assert_int_equal(smbacl4_get_controlflags(nfs4_acl),
+			 SEC_DESC_SELF_RELATIVE);
+	assert_int_equal(smb_get_naces(nfs4_acl), 5);
+
+	nfs4_ace_container = smb_first_ace4(nfs4_acl);
+	assert_non_null(nfs4_ace_container);
+
+	nfs4_ace = smb_get_ace4(nfs4_ace_container);
+	assert_int_equal(nfs4_ace->flags, SMB_ACE4_ID_SPECIAL);
+	assert_int_equal(nfs4_ace->who.special_id, SMB_ACE4_WHO_EVERYONE);
+	assert_int_equal(nfs4_ace->aceFlags, 0);
+	assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_WRITE_DATA);
+
+	nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
+	assert_non_null(nfs4_ace_container);
+
+	nfs4_ace = smb_get_ace4(nfs4_ace_container);
+	assert_int_equal(nfs4_ace->flags, 0);
+	assert_int_equal(nfs4_ace->who.uid, 1000);
+	assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_FILE_INHERIT_ACE);
+	assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+
+	nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
+	assert_non_null(nfs4_ace_container);
+
+	nfs4_ace = smb_get_ace4(nfs4_ace_container);
+	assert_int_equal(nfs4_ace->flags, 0);
+	assert_int_equal(nfs4_ace->who.uid, 1000);
+	assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_DIRECTORY_INHERIT_ACE|
+			 SMB_ACE4_INHERIT_ONLY_ACE);
+	assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+
+	nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
+	assert_non_null(nfs4_ace_container);
+
+	nfs4_ace = smb_get_ace4(nfs4_ace_container);
+	assert_int_equal(nfs4_ace->flags, 0);
+	assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
+			 SMB_ACE4_FILE_INHERIT_ACE);
+	assert_int_equal(nfs4_ace->who.gid, 1001);
+	assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+
+	nfs4_ace_container = smb_next_ace4(nfs4_ace_container);
+	assert_non_null(nfs4_ace_container);
+
+	nfs4_ace = smb_get_ace4(nfs4_ace_container);
+	assert_int_equal(nfs4_ace->flags, 0);
+	assert_int_equal(nfs4_ace->aceFlags, SMB_ACE4_IDENTIFIER_GROUP|
+			 SMB_ACE4_DIRECTORY_INHERIT_ACE|
+			 SMB_ACE4_INHERIT_ONLY_ACE);
+	assert_int_equal(nfs4_ace->who.gid, 1001);
+	assert_int_equal(nfs4_ace->aceMask, SMB_ACE4_READ_DATA);
+
+	assert_null(smb_next_ace4(nfs4_ace_container));
+
+	TALLOC_FREE(frame);
+}
+
 int main(int argc, char **argv)
 {
 	const struct CMUnitTest tests[] = {
@@ -772,6 +879,7 @@ int main(int argc, char **argv)
 		cmocka_unit_test(test_nfs4_permissions_to_dacl),
 		cmocka_unit_test(test_dacl_permissions_to_nfs4),
 		cmocka_unit_test(test_special_nfs4_to_dacl),
+		cmocka_unit_test(test_dacl_to_special_nfs4),
 	};
 
 	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);