diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-08-21 23:21:58 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-08-23 15:02:26 +0200 |
commit | bd00c9286556aacb45fcd457751ccb43ef605329 (patch) | |
tree | 61cc13cbb8c76fefb30a165ca8a41469490d2804 /source4/scripting/python | |
parent | 318b8cb4fafcc48bb0f8266171d667a6316f66d4 (diff) | |
download | samba-bd00c9286556aacb45fcd457751ccb43ef605329.tar.gz samba-bd00c9286556aacb45fcd457751ccb43ef605329.tar.bz2 samba-bd00c9286556aacb45fcd457751ccb43ef605329.zip |
selftest: Extend posixacl test to check the actual ACL
Needing to be able to write this test is the primary reason I have
been reworking the VFS and posix ACL layer over the past few weeks.
By exposing the POSIX ACL as a IDL object we can eaisly manipulate it
in python, and then verify that the ACL was handled correctly.
This ensures the when we write an ACL in provision, that it will
indeed allow that access at the FS layer.
We need to extend this beyond just the critical two ACLs set during
provision, to also include some special (hard) cases involving the
merging of ACE entries, as this is the most delicate part of the ACL
transfomation.
A similar test should also be written to read the posix ACL and the
mapped NT ACL on a file that has never had an NT ACL set.
Andrew Bartlett
Diffstat (limited to 'source4/scripting/python')
-rw-r--r-- | source4/scripting/python/samba/tests/posixacl.py | 276 |
1 files changed, 274 insertions, 2 deletions
diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py index 877363b6cd..35e6dcf4cb 100644 --- a/source4/scripting/python/samba/tests/posixacl.py +++ b/source4/scripting/python/samba/tests/posixacl.py @@ -19,7 +19,7 @@ """Tests for the Samba3 NT -> posix ACL layer""" from samba.ntacls import setntacl, getntacl, XattrBackendError -from samba.dcerpc import xattr, security, smb_acl +from samba.dcerpc import xattr, security, smb_acl, idmap from samba.param import LoadParm from samba.tests import TestCase, TestSkipped from samba import provision @@ -28,6 +28,15 @@ import os from samba.samba3 import smbd, passdb from samba.samba3 import param as s3param +# To print a posix ACL use: +# for entry in posix_acl.acl: +# print "a_type: %d" % entry.a_type +# print "a_perm: %o" % entry.a_perm +# print "uid: %d" % entry.uid +# print "gid: %d" % entry.gid + + + class PosixAclMappingTests(TestCase): def test_setntacl(self): @@ -112,17 +121,280 @@ class PosixAclMappingTests(TestCase): self.assertEquals(facl.as_sddl(domsid),acl) posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS) + LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR)) + BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS) + SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS) + SY_sid = security.dom_sid(security.SID_NT_SYSTEM) + AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS) + + s4_passdb = passdb.PDB(s3conf.get("passdb backend")) + + # These assertions correct for current plugin_s4_dc selftest + # configuration. When other environments have a broad range of + # groups mapped via passdb, we can relax some of these checks + (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid) + self.assertEquals(LA_type, idmap.ID_TYPE_UID) + (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid) + self.assertEquals(BA_type, idmap.ID_TYPE_GID) + (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid) + self.assertEquals(SO_type, idmap.ID_TYPE_BOTH) + (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid) + self.assertEquals(SO_type, idmap.ID_TYPE_BOTH) + (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid) + self.assertEquals(AU_type, idmap.ID_TYPE_BOTH) + + self.assertEquals(posix_acl.count, 9) + + self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[0].a_perm, 7) + self.assertEquals(posix_acl.acl[0].gid, BA_gid) + self.assertEquals(posix_acl.acl[0].uid, -1) + + self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER) + self.assertEquals(posix_acl.acl[1].a_perm, 6) + self.assertEquals(posix_acl.acl[1].uid, LA_uid) + self.assertEquals(posix_acl.acl[1].gid, -1) + + self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER) + self.assertEquals(posix_acl.acl[2].a_perm, 0) + self.assertEquals(posix_acl.acl[2].uid, -1) + self.assertEquals(posix_acl.acl[2].gid, -1) + + self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ) + self.assertEquals(posix_acl.acl[3].a_perm, 6) + self.assertEquals(posix_acl.acl[3].uid, -1) + self.assertEquals(posix_acl.acl[3].gid, -1) + + self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ) + self.assertEquals(posix_acl.acl[4].a_perm, 7) + self.assertEquals(posix_acl.acl[4].uid, -1) + self.assertEquals(posix_acl.acl[4].gid, -1) + + self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[5].a_perm, 5) + self.assertEquals(posix_acl.acl[5].gid, SO_gid) + self.assertEquals(posix_acl.acl[5].uid, -1) + + self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[6].a_perm, 7) + self.assertEquals(posix_acl.acl[6].gid, SY_gid) + self.assertEquals(posix_acl.acl[6].uid, -1) + + self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[7].a_perm, 5) + self.assertEquals(posix_acl.acl[7].gid, AU_gid) + self.assertEquals(posix_acl.acl[7].uid, -1) + + self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK) + self.assertEquals(posix_acl.acl[8].a_perm, 7) + self.assertEquals(posix_acl.acl[8].uid, -1) + self.assertEquals(posix_acl.acl[8].gid, -1) + + +# check that it matches: +# user::rwx +# user:root:rwx (selftest user actually) +# group::rwx +# group:wheel:rwx +# group:3000000:r-x +# group:3000001:rwx +# group:3000002:r-x +# mask::rwx +# other::--- + +# +# This is in this order in the NDR smb_acl (not re-orderded for display) +# a_type: GROUP +# a_perm: 7 +# uid: -1 +# gid: 10 +# a_type: USER +# a_perm: 6 +# uid: 0 (selftest user actually) +# gid: -1 +# a_type: OTHER +# a_perm: 0 +# uid: -1 +# gid: -1 +# a_type: USER_OBJ +# a_perm: 6 +# uid: -1 +# gid: -1 +# a_type: GROUP_OBJ +# a_perm: 7 +# uid: -1 +# gid: -1 +# a_type: GROUP +# a_perm: 5 +# uid: -1 +# gid: 3000020 +# a_type: GROUP +# a_perm: 7 +# uid: -1 +# gid: 3000000 +# a_type: GROUP +# a_perm: 5 +# uid: -1 +# gid: 3000001 +# a_type: MASK +# a_perm: 7 +# uid: -1 +# gid: -1 + +# + + os.unlink(tempf) + + def test_setntacl_policies_check_getposixacl(self): + random.seed() + lp = LoadParm() + s3conf = s3param.get_context() + path = None + path = os.environ['SELFTEST_PREFIX'] + acl = provision.POLICIES_ACL + tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) + open(tempf, 'w').write("empty") + domsid = passdb.get_global_sam_sid() + setntacl(lp,tempf,acl,str(domsid), use_ntvfs=False) + facl = getntacl(lp,tempf) + self.assertEquals(facl.as_sddl(domsid),acl) + posix_acl = smbd.get_sys_acl(tempf, smb_acl.SMB_ACL_TYPE_ACCESS) + + LA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_ADMINISTRATOR)) + BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS) + SO_sid = security.dom_sid(security.SID_BUILTIN_SERVER_OPERATORS) + SY_sid = security.dom_sid(security.SID_NT_SYSTEM) + AU_sid = security.dom_sid(security.SID_NT_AUTHENTICATED_USERS) + PA_sid = security.dom_sid(str(domsid)+"-"+str(security.DOMAIN_RID_POLICY_ADMINS)) + + s4_passdb = passdb.PDB(s3conf.get("passdb backend")) + + # These assertions correct for current plugin_s4_dc selftest + # configuration. When other environments have a broad range of + # groups mapped via passdb, we can relax some of these checks + (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid) + self.assertEquals(LA_type, idmap.ID_TYPE_UID) + (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid) + self.assertEquals(BA_type, idmap.ID_TYPE_GID) + (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid) + self.assertEquals(SO_type, idmap.ID_TYPE_BOTH) + (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid) + self.assertEquals(SO_type, idmap.ID_TYPE_BOTH) + (AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid) + self.assertEquals(AU_type, idmap.ID_TYPE_BOTH) + (PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid) + self.assertEquals(PA_type, idmap.ID_TYPE_BOTH) + + self.assertEquals(posix_acl.count, 10) + + self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[0].a_perm, 7) + self.assertEquals(posix_acl.acl[0].gid, BA_gid) + self.assertEquals(posix_acl.acl[0].uid, -1) + + self.assertEquals(posix_acl.acl[1].a_type, smb_acl.SMB_ACL_USER) + self.assertEquals(posix_acl.acl[1].a_perm, 6) + self.assertEquals(posix_acl.acl[1].uid, LA_uid) + self.assertEquals(posix_acl.acl[1].gid, -1) + + self.assertEquals(posix_acl.acl[2].a_type, smb_acl.SMB_ACL_OTHER) + self.assertEquals(posix_acl.acl[2].a_perm, 0) + self.assertEquals(posix_acl.acl[2].uid, -1) + self.assertEquals(posix_acl.acl[2].gid, -1) + + self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ) + self.assertEquals(posix_acl.acl[3].a_perm, 6) + self.assertEquals(posix_acl.acl[3].uid, -1) + self.assertEquals(posix_acl.acl[3].gid, -1) + + self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ) + self.assertEquals(posix_acl.acl[4].a_perm, 7) + self.assertEquals(posix_acl.acl[4].uid, -1) + self.assertEquals(posix_acl.acl[4].gid, -1) + + self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[5].a_perm, 5) + self.assertEquals(posix_acl.acl[5].gid, SO_gid) + self.assertEquals(posix_acl.acl[5].uid, -1) + + self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[6].a_perm, 7) + self.assertEquals(posix_acl.acl[6].gid, SY_gid) + self.assertEquals(posix_acl.acl[6].uid, -1) + + self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[7].a_perm, 5) + self.assertEquals(posix_acl.acl[7].gid, AU_gid) + self.assertEquals(posix_acl.acl[7].uid, -1) + + self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP) + self.assertEquals(posix_acl.acl[8].a_perm, 7) + self.assertEquals(posix_acl.acl[8].gid, PA_gid) + self.assertEquals(posix_acl.acl[8].uid, -1) + + self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK) + self.assertEquals(posix_acl.acl[9].a_perm, 7) + self.assertEquals(posix_acl.acl[9].uid, -1) + self.assertEquals(posix_acl.acl[9].gid, -1) + + # check that it matches: # user::rwx -# user:root:rwx +# user:root:rwx (selftest user actually) # group::rwx # group:wheel:rwx # group:3000000:r-x # group:3000001:rwx # group:3000002:r-x +# group:3000003:rwx # mask::rwx # other::--- +# +# This is in this order in the NDR smb_acl (not re-orderded for display) +# a_type: GROUP +# a_perm: 7 +# uid: -1 +# gid: 10 +# a_type: USER +# a_perm: 6 +# uid: 0 (selftest user actually) +# gid: -1 +# a_type: OTHER +# a_perm: 0 +# uid: -1 +# gid: -1 +# a_type: USER_OBJ +# a_perm: 6 +# uid: -1 +# gid: -1 +# a_type: GROUP_OBJ +# a_perm: 7 +# uid: -1 +# gid: -1 +# a_type: GROUP +# a_perm: 5 +# uid: -1 +# gid: 3000020 +# a_type: GROUP +# a_perm: 7 +# uid: -1 +# gid: 3000000 +# a_type: GROUP +# a_perm: 5 +# uid: -1 +# gid: 3000001 +# a_type: GROUP +# a_perm: 7 +# uid: -1 +# gid: 3000003 +# a_type: MASK +# a_perm: 7 +# uid: -1 +# gid: -1 + +# + os.unlink(tempf) def setUp(self): |