selftest: Start implementing unit test for nfs4_acls

Existing smbtorture tests set and query ACLs through SMB, only working
with the DACLs in the Security Descriptors, but never check the NFSv4
ACL representation. This patch introduces a unit test to verify the
mapping between between Security Descriptors and NFSv4 ACLs. As the
mapping code queries id mappings, the id mapping cache is first primed
with the mappings used by the tests and those mappings are removed again
during teardown.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8fb906a1860452a320c79ac87917a97303729c19)

3 files changed, 145 insertions, 0 deletions

diff --git a/source3/modules/test_nfs4_acls.c b/source3/modules/test_nfs4_acls.c
new file mode 100644
index 00000000000..557f27c7428
--- /dev/null
+++ b/source3/modules/test_nfs4_acls.c
@@ -0,0 +1,136 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *
+ *  Unit test for NFS4 ACL handling
+ *
+ *  Copyright (C) Christof Schmitt 2019
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "nfs4_acls.c"
+#include "librpc/gen_ndr/idmap.h"
+#include "idmap_cache.h"
+#include <cmocka.h>
+
+struct test_sids {
+	const char *sid_str;
+	struct unixid unix_id;
+} test_sids[] = {
+	{ "S-1-5-2-123-456-789-100",	{ 1000,	ID_TYPE_UID	}},
+	{ "S-1-5-2-123-456-789-101",	{ 1001,	ID_TYPE_GID	}},
+	{ "S-1-5-2-123-456-789-102",	{ 1002,	ID_TYPE_BOTH	}},
+	{ SID_CREATOR_OWNER,		{ 1003,	ID_TYPE_UID	}},
+	{ SID_CREATOR_GROUP,		{ 1004,	ID_TYPE_GID	}},
+	{ "S-1-5-2-123-456-789-103",	{ 1000,	ID_TYPE_GID	}},
+	{ "S-1-5-2-123-456-789-104",	{ 1005,	ID_TYPE_BOTH	}},
+	{ "S-1-5-2-123-456-789-105",	{ 1006,	ID_TYPE_BOTH	}},
+	{ "S-1-5-2-123-456-789-106",	{ 1007,	ID_TYPE_BOTH	}},
+};
+
+static int group_setup(void **state)
+{
+	struct dom_sid *sids = NULL;
+	int i;
+
+	sids = talloc_array(NULL, struct dom_sid, ARRAY_SIZE(test_sids));
+	assert_non_null(sids);
+
+	for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
+		assert_true(dom_sid_parse(test_sids[i].sid_str, &sids[i]));
+		idmap_cache_set_sid2unixid(&sids[i], &test_sids[i].unix_id);
+	}
+
+	*state = sids;
+
+	return 0;
+
+}
+
+static int group_teardown(void **state)
+{
+	struct dom_sid *sids = *state;
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
+		assert_true(idmap_cache_del_sid(&sids[i]));
+	}
+
+	TALLOC_FREE(sids);
+	*state = NULL;
+
+	return 0;
+}
+
+/*
+ * Run this as first test to verify that the id mappings used by other
+ * tests are available in the cache.
+ */
+static void test_cached_id_mappings(void **state)
+{
+	struct dom_sid *sids = *state;
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(test_sids); i++) {
+		struct dom_sid *sid = &sids[i];
+		struct unixid *unix_id = &test_sids[i].unix_id;
+		uid_t uid;
+		gid_t gid;
+
+		switch(unix_id->type) {
+		case ID_TYPE_UID:
+			assert_true(sid_to_uid(sid, &uid));
+			assert_int_equal(uid, unix_id->id);
+			assert_false(sid_to_gid(sid, &gid));
+			break;
+		case ID_TYPE_GID:
+			assert_false(sid_to_uid(sid, &uid));
+			assert_true(sid_to_gid(sid, &gid));
+			assert_int_equal(gid, unix_id->id);
+			break;
+		case ID_TYPE_BOTH:
+			assert_true(sid_to_uid(sid, &uid));
+			assert_int_equal(uid, unix_id->id);
+			assert_true(sid_to_gid(sid, &gid));
+			assert_int_equal(gid, unix_id->id);
+			break;
+		default:
+			fail_msg("Unknown id type %d\n", unix_id->type);
+			break;
+		}
+	}
+}
+
+int main(int argc, char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(test_cached_id_mappings),
+	};
+
+	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+	if (argc != 2) {
+		print_error("Usage: %s smb.conf\n", argv[0]);
+		exit(1);
+	}
+
+	/*
+	 * Initialize enough of the Samba internals to have the
+	 * mappings tests work.
+	 */
+	talloc_stackframe();
+	lp_load_global(argv[1]);
+
+	return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 5e0047da917..80b0ce9ff90 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -4,6 +4,11 @@ bld.SAMBA3_SUBSYSTEM('NFS4_ACLS',
                     source='nfs4_acls.c',
                     deps='samba-util tdb')
 
+bld.SAMBA3_BINARY('test_nfs4_acls',
+                  source='test_nfs4_acls.c',
+                  deps='smbd_base cmocka',
+                  install=False)
+
 bld.SAMBA3_SUBSYSTEM('vfs_acl_common',
                      source='vfs_acl_common.c')
 
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 78f58bdb30c..9569aa9ae00 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -427,6 +427,10 @@ if with_pthreadpool:
                                 "script/tests/test_libwbclient_threads.sh"),
                    "$DOMAIN", "$DC_USERNAME"])
 
+plantestsuite("samba3.test_nfs4_acl", "none",
+              [os.path.join(bindir(), "test_nfs4_acls"),
+               "$SMB_CONF_PATH"])
+
 plantestsuite(
     "samba3.resolvconf", "none",
     [os.path.join(samba3srcdir, "script/tests/test_resolvconf.sh")])