From bbf009b46f75f292a625b853b9331b5d5e0da7c2 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 18 Nov 2004 01:02:27 +0000
Subject: r3829: added a RAW-ACLS test suite that tests query/set of ACLs on a
 file (This used to be commit 2ff9816ae0ae41e0e63e4276a70d292888346dc7)

---
 source4/libcli/security/security_descriptor.c | 128 +++++++++++++++++++++++++-
 1 file changed, 126 insertions(+), 2 deletions(-)

(limited to 'source4/libcli/security/security_descriptor.c')

diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 255836066a..671174a824 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -54,7 +54,7 @@ struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
    talloc and copy a security descriptor
  */
 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, 
-							const struct security_descriptor *osd)
+						     const struct security_descriptor *osd)
 {
 	struct security_descriptor *nsd;
 
@@ -65,7 +65,9 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
 	return nsd;
 }
 
-NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask)
+NTSTATUS security_check_dacl(struct security_token *st, 
+			     struct security_descriptor *sd, 
+			     uint32 access_mask)
 {
 	size_t i,y;
 	NTSTATUS status = NT_STATUS_ACCESS_DENIED;
@@ -100,3 +102,125 @@ NTSTATUS security_check_dacl(struct security_token *st, struct security_descript
 
 	return status;
 }
+
+
+/*
+  add an ACE to the DACL of a security_descriptor
+*/
+NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, 
+				      struct security_ace *ace)
+{
+	if (sd->dacl == NULL) {
+		sd->dacl = talloc_p(sd, struct security_acl);
+		if (sd->dacl == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		sd->dacl->revision = SD_REVISION;
+		sd->dacl->size     = 0;
+		sd->dacl->num_aces = 0;
+		sd->dacl->aces     = NULL;
+	}
+
+	sd->dacl->aces = talloc_realloc_p(sd->dacl, sd->dacl->aces, 
+					  struct security_ace, sd->dacl->num_aces+1);
+	if (sd->dacl->aces == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	sd->dacl->aces[sd->dacl->num_aces] = *ace;
+	sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths = 
+		talloc_memdup(sd->dacl->aces, 
+			      sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths,
+			      sizeof(uint32_t) * 
+			      sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths);
+	if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	
+	sd->dacl->num_aces++;
+
+	return NT_STATUS_OK;
+}
+
+
+/*
+  delete the ACE corresponding to the given trustee in the DACL of a security_descriptor
+*/
+NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, 
+				      struct dom_sid *trustee)
+{
+	int i;
+
+	if (sd->dacl == NULL) {
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	}
+	
+	for (i=0;i<sd->dacl->num_aces;i++) {
+		if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) {
+			memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1],
+				sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1)));
+			sd->dacl->num_aces--;
+			if (sd->dacl->num_aces == 0) {
+				sd->dacl->aces = NULL;
+			}
+			return NT_STATUS_OK;
+		}
+	}
+	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+}
+
+
+/*
+  compare two security ace structures
+*/
+BOOL security_ace_equal(const struct security_ace *ace1, 
+			const struct security_ace *ace2)
+{
+	if (ace1 == ace2) return True;
+	if (!ace1 || !ace2) return False;
+	if (ace1->type != ace2->type) return False;
+	if (ace1->flags != ace2->flags) return False;
+	if (ace1->access_mask != ace2->access_mask) return False;
+	if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return False;
+
+	return True;	
+}
+
+
+/*
+  compare two security acl structures
+*/
+BOOL security_acl_equal(const struct security_acl *acl1, 
+			const struct security_acl *acl2)
+{
+	int i;
+
+	if (acl1 == acl2) return True;
+	if (!acl1 || !acl2) return False;
+	if (acl1->revision != acl2->revision) return False;
+	if (acl1->num_aces != acl2->num_aces) return False;
+
+	for (i=0;i<acl1->num_aces;i++) {
+		if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return False;
+	}
+	return True;	
+}
+
+/*
+  compare two security descriptors.
+*/
+BOOL security_descriptor_equal(const struct security_descriptor *sd1, 
+			       const struct security_descriptor *sd2)
+{
+	if (sd1 == sd2) return True;
+	if (!sd1 || !sd2) return False;
+	if (sd1->revision != sd2->revision) return False;
+	if (sd1->type != sd2->type) return False;
+
+	if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
+	if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
+	if (!security_acl_equal(sd1->sacl, sd2->sacl))      return False;
+	if (!security_acl_equal(sd1->dacl, sd2->dacl))      return False;
+
+	return True;	
+}
-- 
cgit