summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-08-21 23:21:58 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-08-23 15:02:26 +0200
commitbd00c9286556aacb45fcd457751ccb43ef605329 (patch)
tree61cc13cbb8c76fefb30a165ca8a41469490d2804
parent318b8cb4fafcc48bb0f8266171d667a6316f66d4 (diff)
downloadsamba-bd00c9286556aacb45fcd457751ccb43ef605329.tar.gz
samba-bd00c9286556aacb45fcd457751ccb43ef605329.tar.bz2
samba-bd00c9286556aacb45fcd457751ccb43ef605329.zip
selftest: Extend posixacl test to check the actual ACL
Needing to be able to write this test is the primary reason I have been reworking the VFS and posix ACL layer over the past few weeks. By exposing the POSIX ACL as a IDL object we can eaisly manipulate it in python, and then verify that the ACL was handled correctly. This ensures the when we write an ACL in provision, that it will indeed allow that access at the FS layer. We need to extend this beyond just the critical two ACLs set during provision, to also include some special (hard) cases involving the merging of ACE entries, as this is the most delicate part of the ACL transfomation. A similar test should also be written to read the posix ACL and the mapped NT ACL on a file that has never had an NT ACL set. Andrew Bartlett
-rw-r--r--source4/scripting/python/samba/tests/posixacl.py276
1 files changed, 274 insertions, 2 deletions
diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py
index 877363b6cd..35e6dcf4cb 100644
--- a/source4/scripting/python/samba/tests/posixacl.py
+++ b/source4/scripting/python/samba/tests/posixacl.py
@@ -19,7 +19,7 @@
"""Tests for the Samba3 NT -> posix ACL layer"""
from samba.ntacls import setntacl, getntacl, XattrBackendError
-from samba.dcerpc import xattr, security, smb_acl
+from samba.dcerpc import xattr, security, smb_acl, idmap
from samba.param import LoadParm
from samba.tests import TestCase, TestSkipped
from samba import provision
@@ -28,6 +28,15 @@ import os
from samba.samba3 import smbd, passdb
from samba.samba3 import param as s3param
+# To print a posix ACL use:
+# for entry in posix_acl.acl:
+# print "a_type: %d" % entry.a_type
+# print "a_perm: %o" % entry.a_perm
+# print "uid: %d" % entry.uid
+# print "gid: %d" % entry.gid
+
+
+
class PosixAclMappingTests(TestCase):
def test_setntacl(self):
@@ -112,17 +121,280 @@ class PosixAclMappingTests(TestCase):
self.assertEquals(facl.as_sddl(domsid),acl)
posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
+ LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
+ BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
+ SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
+ SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
+ AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
+
+ s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
+
+ # These assertions correct for current plugin_s4_dc selftest
+ # configuration. When other environments have a broad range of
+ # groups mapped via passdb, we can relax some of these checks
+ (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
+ self.assertEquals(LA_type, idmap.ID_TYPE_UID)
+ (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
+ self.assertEquals(BA_type, idmap.ID_TYPE_GID)
+ (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
+ self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
+ (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
+ self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
+ (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
+ self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
+
+ self.assertEquals(posix_acl.count, 9)
+
+ self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[0].a_perm, 7)
+ self.assertEquals(posix_acl.acl[0].gid, BA_gid)
+ self.assertEquals(posix_acl.acl[0].uid, -1)
+
+ self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[1].a_perm, 6)
+ self.assertEquals(posix_acl.acl[1].uid, LA_uid)
+ self.assertEquals(posix_acl.acl[1].gid, -1)
+
+ self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
+ self.assertEquals(posix_acl.acl[2].a_perm, 0)
+ self.assertEquals(posix_acl.acl[2].uid, -1)
+ self.assertEquals(posix_acl.acl[2].gid, -1)
+
+ self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
+ self.assertEquals(posix_acl.acl[3].a_perm, 6)
+ self.assertEquals(posix_acl.acl[3].uid, -1)
+ self.assertEquals(posix_acl.acl[3].gid, -1)
+
+ self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[4].a_perm, 7)
+ self.assertEquals(posix_acl.acl[4].uid, -1)
+ self.assertEquals(posix_acl.acl[4].gid, -1)
+
+ self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[5].a_perm, 5)
+ self.assertEquals(posix_acl.acl[5].gid, SO_gid)
+ self.assertEquals(posix_acl.acl[5].uid, -1)
+
+ self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[6].a_perm, 7)
+ self.assertEquals(posix_acl.acl[6].gid, SY_gid)
+ self.assertEquals(posix_acl.acl[6].uid, -1)
+
+ self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[7].a_perm, 5)
+ self.assertEquals(posix_acl.acl[7].gid, AU_gid)
+ self.assertEquals(posix_acl.acl[7].uid, -1)
+
+ self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[8].a_perm, 7)
+ self.assertEquals(posix_acl.acl[8].uid, -1)
+ self.assertEquals(posix_acl.acl[8].gid, -1)
+
+
+# check that it matches:
+# user::rwx
+# user:root:rwx (selftest user actually)
+# group::rwx
+# group:wheel:rwx
+# group:3000000:r-x
+# group:3000001:rwx
+# group:3000002:r-x
+# mask::rwx
+# other::---
+
+#
+# This is in this order in the NDR smb_acl (not re-orderded for display)
+# a_type: GROUP
+# a_perm: 7
+# uid: -1
+# gid: 10
+# a_type: USER
+# a_perm: 6
+# uid: 0 (selftest user actually)
+# gid: -1
+# a_type: OTHER
+# a_perm: 0
+# uid: -1
+# gid: -1
+# a_type: USER_OBJ
+# a_perm: 6
+# uid: -1
+# gid: -1
+# a_type: GROUP_OBJ
+# a_perm: 7
+# uid: -1
+# gid: -1
+# a_type: GROUP
+# a_perm: 5
+# uid: -1
+# gid: 3000020
+# a_type: GROUP
+# a_perm: 7
+# uid: -1
+# gid: 3000000
+# a_type: GROUP
+# a_perm: 5
+# uid: -1
+# gid: 3000001
+# a_type: MASK
+# a_perm: 7
+# uid: -1
+# gid: -1
+
+#
+
+ os.unlink(tempf)
+
+ def test_setntacl_policies_check_getposixacl(self):
+ random.seed()
+ lp = LoadParm()
+ s3conf = s3param.get_context()
+ path = None
+ path = os.environ['SELFTEST_PREFIX']
+ acl = provision.POLICIES_ACL
+ tempf = os.path.join(path,"pytests"+str(int(100000*random.random())))
+ open(tempf, 'w').write("empty")
+ domsid = passdb.get_global_sam_sid()
+ setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False)
+ facl = getntacl(lp,tempf)
+ self.assertEquals(facl.as_sddl(domsid),acl)
+ posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS)
+
+ LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR))
+ BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
+ SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS)
+ SY_sid = security.dom_sid(security.SID_NT_SYSTEM)
+ AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS)
+ PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS))
+
+ s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
+
+ # These assertions correct for current plugin_s4_dc selftest
+ # configuration. When other environments have a broad range of
+ # groups mapped via passdb, we can relax some of these checks
+ (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
+ self.assertEquals(LA_type, idmap.ID_TYPE_UID)
+ (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
+ self.assertEquals(BA_type, idmap.ID_TYPE_GID)
+ (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
+ self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
+ (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
+ self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
+ (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
+ self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
+ (PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
+ self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
+
+ self.assertEquals(posix_acl.count, 10)
+
+ self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[0].a_perm, 7)
+ self.assertEquals(posix_acl.acl[0].gid, BA_gid)
+ self.assertEquals(posix_acl.acl[0].uid, -1)
+
+ self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[1].a_perm, 6)
+ self.assertEquals(posix_acl.acl[1].uid, LA_uid)
+ self.assertEquals(posix_acl.acl[1].gid, -1)
+
+ self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER)
+ self.assertEquals(posix_acl.acl[2].a_perm, 0)
+ self.assertEquals(posix_acl.acl[2].uid, -1)
+ self.assertEquals(posix_acl.acl[2].gid, -1)
+
+ self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
+ self.assertEquals(posix_acl.acl[3].a_perm, 6)
+ self.assertEquals(posix_acl.acl[3].uid, -1)
+ self.assertEquals(posix_acl.acl[3].gid, -1)
+
+ self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[4].a_perm, 7)
+ self.assertEquals(posix_acl.acl[4].uid, -1)
+ self.assertEquals(posix_acl.acl[4].gid, -1)
+
+ self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[5].a_perm, 5)
+ self.assertEquals(posix_acl.acl[5].gid, SO_gid)
+ self.assertEquals(posix_acl.acl[5].uid, -1)
+
+ self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[6].a_perm, 7)
+ self.assertEquals(posix_acl.acl[6].gid, SY_gid)
+ self.assertEquals(posix_acl.acl[6].uid, -1)
+
+ self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[7].a_perm, 5)
+ self.assertEquals(posix_acl.acl[7].gid, AU_gid)
+ self.assertEquals(posix_acl.acl[7].uid, -1)
+
+ self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[8].a_perm, 7)
+ self.assertEquals(posix_acl.acl[8].gid, PA_gid)
+ self.assertEquals(posix_acl.acl[8].uid, -1)
+
+ self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[9].a_perm, 7)
+ self.assertEquals(posix_acl.acl[9].uid, -1)
+ self.assertEquals(posix_acl.acl[9].gid, -1)
+
+
# check that it matches:
# user::rwx
-# user:root:rwx
+# user:root:rwx (selftest user actually)
# group::rwx
# group:wheel:rwx
# group:3000000:r-x
# group:3000001:rwx
# group:3000002:r-x
+# group:3000003:rwx
# mask::rwx
# other::---
+#
+# This is in this order in the NDR smb_acl (not re-orderded for display)
+# a_type: GROUP
+# a_perm: 7
+# uid: -1
+# gid: 10
+# a_type: USER
+# a_perm: 6
+# uid: 0 (selftest user actually)
+# gid: -1
+# a_type: OTHER
+# a_perm: 0
+# uid: -1
+# gid: -1
+# a_type: USER_OBJ
+# a_perm: 6
+# uid: -1
+# gid: -1
+# a_type: GROUP_OBJ
+# a_perm: 7
+# uid: -1
+# gid: -1
+# a_type: GROUP
+# a_perm: 5
+# uid: -1
+# gid: 3000020
+# a_type: GROUP
+# a_perm: 7
+# uid: -1
+# gid: 3000000
+# a_type: GROUP
+# a_perm: 5
+# uid: -1
+# gid: 3000001
+# a_type: GROUP
+# a_perm: 7
+# uid: -1
+# gid: 3000003
+# a_type: MASK
+# a_perm: 7
+# uid: -1
+# gid: -1
+
+#
+
os.unlink(tempf)
def setUp(self):