authorAndrew Tridgell <tridge@samba.org>2004-11-18 01:02:27 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:05:57 -0500
commitbbf009b46f75f292a625b853b9331b5d5e0da7c2 (patch)
tree679baa8ec6a1fb4724870983e294573188f5c3c6 /source4/torture
parentcae123912c15ad7d7ecd44a6d468f368aaeab95c (diff)
r3829: added a RAW-ACLS test suite that tests query/set of ACLs on a file
(This used to be commit 2ff9816ae0ae41e0e63e4276a70d292888346dc7)
Diffstat (limited to 'source4/torture')
-rw-r--r--source4/torture/config.mk1
-rw-r--r--source4/torture/raw/acls.c162
-rw-r--r--source4/torture/torture.c1
3 files changed, 164 insertions, 0 deletions
diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index 5aa621bdb5..d7e99db0d0 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -48,6 +48,7 @@ ADD_OBJ_FILES = \
torture/raw/rename.o \
torture/raw/eas.o \
torture/raw/streams.o \
+ torture/raw/acls.o \
torture/raw/seek.o
REQUIRED_SUBSYSTEMS = \
LIBSMB
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
new file mode 100644
index 0000000000..1562af55ca
--- /dev/null
+++ b/source4/torture/raw/acls.c
@@ -0,0 +1,162 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ test security descriptor operations
+
+ Copyright (C) Andrew Tridgell 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "libcli/raw/libcliraw.h"
+#include "librpc/gen_ndr/ndr_security.h"
+
+#define BASEDIR "\\testsd"
+
+#define CHECK_STATUS(status, correct) do { \
+ if (!NT_STATUS_EQUAL(status, correct)) { \
+ printf("(%s) Incorrect status %s - should be %s\n", \
+ __location__, nt_errstr(status), nt_errstr(correct)); \
+ ret = False; \
+ goto done; \
+ }} while (0)
+
+
+static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
+{
+ NTSTATUS status;
+ union smb_open io;
+ const char *fname = BASEDIR "\\sd.txt";
+ BOOL ret = True;
+ int fnum;
+ struct smb_query_secdesc q;
+ struct smb_set_secdesc set;
+ struct security_ace ace;
+ struct security_descriptor *sd;
+ struct dom_sid *test_sid;
+
+ printf("TESTING SETFILEINFO EA_SET\n");
+
+ io.generic.level = RAW_OPEN_NTCREATEX;
+ io.ntcreatex.in.root_fid = 0;
+ io.ntcreatex.in.flags = 0;
+ io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED;
+ io.ntcreatex.in.create_options = 0;
+ io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+ io.ntcreatex.in.share_access =
+ NTCREATEX_SHARE_ACCESS_READ |
+ NTCREATEX_SHARE_ACCESS_WRITE;
+ io.ntcreatex.in.alloc_size = 0;
+ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
+ io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
+ io.ntcreatex.in.security_flags = 0;
+ io.ntcreatex.in.fname = fname;
+ status = smb_raw_open(cli->tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ fnum = io.ntcreatex.out.fnum;
+
+ q.in.fnum = fnum;
+ q.in.secinfo_flags =
+ OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION |
+ DACL_SECURITY_INFORMATION;
+ status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ sd = q.out.sd;
+
+ printf("add a new ACE to the DACL\n");
+
+ test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");
+
+ ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+ ace.flags = 0;
+ ace.access_mask = STD_RIGHT_ALL_ACCESS;
+ ace.trustee = *test_sid;
+
+ status = security_descriptor_dacl_add(sd, &ace);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ set.in.fnum = fnum;
+ set.in.secinfo_flags = q.in.secinfo_flags;
+ set.in.sd = sd;
+
+ status = smb_raw_set_secdesc(cli->tree, &set);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ if (!security_descriptor_equal(q.out.sd, sd)) {
+ printf("security descriptors don't match!\n");
+ printf("got:\n");
+ NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
+ printf("expected:\n");
+ NDR_PRINT_DEBUG(security_descriptor, sd);
+ }
+
+ printf("remove it again\n");
+
+ status = security_descriptor_dacl_del(sd, test_sid);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb_raw_set_secdesc(cli->tree, &set);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ if (!security_descriptor_equal(q.out.sd, sd)) {
+ printf("security descriptors don't match!\n");
+ printf("got:\n");
+ NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
+ printf("expected:\n");
+ NDR_PRINT_DEBUG(security_descriptor, sd);
+ }
+
+done:
+ smbcli_close(cli->tree, fnum);
+ return ret;
+}
+
+
+/*
+ basic testing of security descriptor calls
+*/
+BOOL torture_raw_acls(void)
+{
+ struct smbcli_state *cli;
+ BOOL ret = True;
+ TALLOC_CTX *mem_ctx;
+
+ if (!torture_open_connection(&cli)) {
+ return False;
+ }
+
+ mem_ctx = talloc_init("torture_raw_acls");
+
+ if (!torture_setup_dir(cli, BASEDIR)) {
+ return False;
+ }
+
+ ret &= test_sd(cli, mem_ctx);
+
+ smb_raw_exit(cli->session);
+ smbcli_deltree(cli->tree, BASEDIR);
+
+ torture_close_connection(cli);
+ talloc_destroy(mem_ctx);
+ return ret;
+}
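Review bot: Both `security_descriptor_equal` checks in test_sd (after the ACE is added and after it is removed) only print the two descriptors and fall through, so RAW-ACLS still reports success when the server did not store the DACL that was set; add `ret = False;` inside each mismatch branch so a regression in ACL handling fails the suite. `fnum` is read uninitialised at `done:` when the first `smb_raw_open` fails, because CHECK_STATUS jumps there before `fnum = io.ntcreatex.out.fnum;` runs; initialise it (for example `int fnum = -1;`) and call `smbcli_close` only when the open succeeded. The result of `dom_sid_parse_talloc` is dereferenced in `ace.trustee = *test_sid;` without a NULL check. In torture_raw_acls the early `return False;` after `torture_setup_dir` fails skips `torture_close_connection(cli)` and `talloc_destroy(mem_ctx)`. The banner `"TESTING SETFILEINFO EA_SET\n"` looks copied from the EA test and should name the security-descriptor test instead.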
diff --git a/source4/torture/torture.c b/source4/torture/torture.c
index bc3b5f545f..09f7c65f04 100644
--- a/source4/torture/torture.c
+++ b/source4/torture/torture.c
@@ -2421,6 +2421,7 @@ static struct {
{"RAW-SEEK", torture_raw_seek, 0},
{"RAW-EAS", torture_raw_eas, 0},
{"RAW-STREAMS", torture_raw_streams, 0},
+ {"RAW-ACLS", torture_raw_acls, 0},
{"RAW-RAP", torture_raw_rap, 0},
/* protocol scanners */