From 81476cd9fad32f5629de44d45c3a9c58d67e5864 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 2 Dec 2004 04:34:11 +0000
Subject: r4034: add a function security_descriptor_create() which can be used
 to easily create complex security descriptors for testing. This greatly
 simplifies the smbtorture code I am writing for testing our new access_check
 code. (This used to be commit 891a8bc16af3c6ce5800e793ce4ec8b0078e444f)

---
 source4/libcli/security/security_descriptor.c | 79 +++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

(limited to 'source4')

diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 1783c62f37..1c63478ab2 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -100,6 +100,8 @@ NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
 	
 	sd->dacl->num_aces++;
 
+	sd->type |= SEC_DESC_DACL_PRESENT;
+
 	return NT_STATUS_OK;
 }
 
@@ -206,3 +208,80 @@ BOOL security_descriptor_mask_equal(const struct security_descriptor *sd1,
 
 	return True;	
 }
+
+
+/*
+  create a security descriptor using string SIDs. This is used by the
+  torture code to allow the easy creation of complex ACLs
+  This is a varargs function. The list of ACEs ends with a NULL sid.
+
+  a typical call would be:
+
+    sd = security_descriptor_create(mem_ctx,
+                                    mysid,
+				    mygroup,
+				    SID_AUTHENTICATED_USERS, 
+				    SEC_ACE_TYPE_ACCESS_ALLOWED,
+				    SEC_FILE_ALL,
+				    NULL);
+  that would create a sd with one ACE
+*/
+struct security_descriptor *security_descriptor_create(TALLOC_CTX *mem_ctx,
+						       const char *owner_sid,
+						       const char *group_sid,
+						       ...)
+{
+	va_list ap;
+	struct security_descriptor *sd;
+	const char *sidstr;
+
+	sd = security_descriptor_initialise(mem_ctx);
+	if (sd == NULL) return NULL;
+
+	if (owner_sid) {
+		sd->owner_sid = dom_sid_parse_talloc(mem_ctx, owner_sid);
+		if (sd->owner_sid == NULL) {
+			talloc_free(sd);
+			return NULL;
+		}
+	}
+	if (group_sid) {
+		sd->group_sid = dom_sid_parse_talloc(mem_ctx, group_sid);
+		if (sd->group_sid == NULL) {
+			talloc_free(sd);
+			return NULL;
+		}
+	}
+
+	va_start(ap, group_sid);
+	while ((sidstr = va_arg(ap, const char *))) {
+		struct dom_sid *sid;
+		struct security_ace *ace = talloc_p(sd, struct security_ace);
+		NTSTATUS status;
+
+		if (ace == NULL) {
+			talloc_free(sd);
+			va_end(ap);
+			return NULL;
+		}
+		ace->type = va_arg(ap, unsigned int);
+		ace->access_mask = va_arg(ap, unsigned int);
+		ace->flags = 0;
+		sid = dom_sid_parse_talloc(ace, sidstr);
+		if (sid == NULL) {
+			va_end(ap);
+			talloc_free(sd);
+			return NULL;
+		}
+		ace->trustee = *sid;
+		status = security_descriptor_dacl_add(sd, ace);
+		if (!NT_STATUS_IS_OK(status)) {
+			va_end(ap);
+			talloc_free(sd);
+			return NULL;
+		}
+	}
+	va_end(ap);
+
+	return sd;
+}
-- 
cgit