1/*-
2 * Copyright (c) 2003-2010 Tim Kientzle
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25#include "test.h"
26
27/*
28 * Exercise the system-independent portion of the ACL support.
29 * Check that archive_entry objects can save and restore NFS4 ACL data.
30 *
31 * This should work on all systems, regardless of whether local
32 * filesystems support ACLs or not.
33 */
34
35static struct archive_test_acl_t acls1[] = {
36	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
37	  ARCHIVE_ENTRY_ACL_USER_OBJ, -1, "" },
38	{ ARCHIVE_ENTRY_ACL_TYPE_DENY, ARCHIVE_ENTRY_ACL_READ_DATA,
39	  ARCHIVE_ENTRY_ACL_USER, 77, "user77" },
40	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_READ_DATA,
41	  ARCHIVE_ENTRY_ACL_GROUP_OBJ, -1, "" },
42	{ ARCHIVE_ENTRY_ACL_TYPE_DENY, ARCHIVE_ENTRY_ACL_WRITE_DATA,
43	  ARCHIVE_ENTRY_ACL_EVERYONE, -1, "" },
44};
45
46static struct archive_test_acl_t acls2[] = {
47	/* An entry for each type. */
48	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, 0,
49	  ARCHIVE_ENTRY_ACL_USER, 108, "user108" },
50	{ ARCHIVE_ENTRY_ACL_TYPE_DENY, 0,
51	  ARCHIVE_ENTRY_ACL_USER, 109, "user109" },
52	{ ARCHIVE_ENTRY_ACL_TYPE_AUDIT, 0,
53	  ARCHIVE_ENTRY_ACL_USER, 110, "user110" },
54	{ ARCHIVE_ENTRY_ACL_TYPE_ALARM, 0,
55	  ARCHIVE_ENTRY_ACL_USER, 111, "user111" },
56
57	/* An entry for each permission. */
58	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
59	  ARCHIVE_ENTRY_ACL_USER, 112, "user112" },
60	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_READ_DATA,
61	  ARCHIVE_ENTRY_ACL_USER, 113, "user113" },
62	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_LIST_DIRECTORY,
63	  ARCHIVE_ENTRY_ACL_USER, 114, "user114" },
64	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_WRITE_DATA,
65	  ARCHIVE_ENTRY_ACL_USER, 115, "user115" },
66	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_ADD_FILE,
67	  ARCHIVE_ENTRY_ACL_USER, 116, "user116" },
68	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_APPEND_DATA,
69	  ARCHIVE_ENTRY_ACL_USER, 117, "user117" },
70	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_ADD_SUBDIRECTORY,
71	  ARCHIVE_ENTRY_ACL_USER, 118, "user118" },
72	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_READ_NAMED_ATTRS,
73	  ARCHIVE_ENTRY_ACL_USER, 119, "user119" },
74	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_WRITE_NAMED_ATTRS,
75	  ARCHIVE_ENTRY_ACL_USER, 120, "user120" },
76	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_DELETE_CHILD,
77	  ARCHIVE_ENTRY_ACL_USER, 121, "user121" },
78	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_READ_ATTRIBUTES,
79	  ARCHIVE_ENTRY_ACL_USER, 122, "user122" },
80	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_WRITE_ATTRIBUTES,
81	  ARCHIVE_ENTRY_ACL_USER, 123, "user123" },
82	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_DELETE,
83	  ARCHIVE_ENTRY_ACL_USER, 124, "user124" },
84	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_READ_ACL,
85	  ARCHIVE_ENTRY_ACL_USER, 125, "user125" },
86	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_WRITE_ACL,
87	  ARCHIVE_ENTRY_ACL_USER, 126, "user126" },
88	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_WRITE_OWNER,
89	  ARCHIVE_ENTRY_ACL_USER, 127, "user127" },
90	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_SYNCHRONIZE,
91	  ARCHIVE_ENTRY_ACL_USER, 128, "user128" },
92
93	/* One entry with each inheritance value. */
94	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW,
95	  ARCHIVE_ENTRY_ACL_READ_DATA | ARCHIVE_ENTRY_ACL_ENTRY_FILE_INHERIT,
96	  ARCHIVE_ENTRY_ACL_USER, 129, "user129" },
97	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW,
98	  ARCHIVE_ENTRY_ACL_READ_DATA | ARCHIVE_ENTRY_ACL_ENTRY_DIRECTORY_INHERIT,
99	  ARCHIVE_ENTRY_ACL_USER, 130, "user130" },
100	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW,
101	  ARCHIVE_ENTRY_ACL_READ_DATA | ARCHIVE_ENTRY_ACL_ENTRY_NO_PROPAGATE_INHERIT,
102	  ARCHIVE_ENTRY_ACL_USER, 131, "user131" },
103	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW,
104	  ARCHIVE_ENTRY_ACL_READ_DATA | ARCHIVE_ENTRY_ACL_ENTRY_INHERIT_ONLY,
105	  ARCHIVE_ENTRY_ACL_USER, 132, "user132" },
106	{ ARCHIVE_ENTRY_ACL_TYPE_AUDIT,
107	  ARCHIVE_ENTRY_ACL_READ_DATA | ARCHIVE_ENTRY_ACL_ENTRY_SUCCESSFUL_ACCESS,
108	  ARCHIVE_ENTRY_ACL_USER, 133, "user133" },
109	{ ARCHIVE_ENTRY_ACL_TYPE_AUDIT,
110	  ARCHIVE_ENTRY_ACL_READ_DATA | ARCHIVE_ENTRY_ACL_ENTRY_FAILED_ACCESS,
111	  ARCHIVE_ENTRY_ACL_USER, 134, "user134" },
112
113	/* One entry for each qualifier. */
114	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
115	  ARCHIVE_ENTRY_ACL_USER, 135, "user135" },
116	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
117	  ARCHIVE_ENTRY_ACL_USER_OBJ, -1, "" },
118	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
119	  ARCHIVE_ENTRY_ACL_GROUP, 136, "group136" },
120	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
121	  ARCHIVE_ENTRY_ACL_GROUP_OBJ, -1, "" },
122	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
123	  ARCHIVE_ENTRY_ACL_EVERYONE, -1, "" },
124};
125
126/*
127 * Entries that should be rejected when we attempt to set them
128 * on an ACL that already has NFS4 entries.
129 */
130static struct archive_test_acl_t acls_bad[] = {
131	/* POSIX.1e ACL types */
132	{ ARCHIVE_ENTRY_ACL_TYPE_ACCESS, ARCHIVE_ENTRY_ACL_EXECUTE,
133	  ARCHIVE_ENTRY_ACL_USER, 78, "" },
134	{ ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, ARCHIVE_ENTRY_ACL_EXECUTE,
135	  ARCHIVE_ENTRY_ACL_USER, 78, "" },
136
137	/* POSIX.1e tags */
138	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
139	  ARCHIVE_ENTRY_ACL_OTHER, -1, "" },
140	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_EXECUTE,
141	  ARCHIVE_ENTRY_ACL_MASK, -1, "" },
142
143	/* POSIX.1e permissions */
144	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_READ,
145	  ARCHIVE_ENTRY_ACL_EVERYONE, -1, "" },
146	{ ARCHIVE_ENTRY_ACL_TYPE_ALLOW, ARCHIVE_ENTRY_ACL_WRITE,
147	  ARCHIVE_ENTRY_ACL_EVERYONE, -1, "" },
148};
149
150DEFINE_TEST(test_acl_nfs4)
151{
152	struct archive_entry *ae;
153	int i;
154
155	/* Create a simple archive_entry. */
156	assert((ae = archive_entry_new()) != NULL);
157	archive_entry_set_pathname(ae, "file");
158        archive_entry_set_mode(ae, S_IFREG | 0777);
159
160	/* Store and read back some basic ACL entries. */
161	assertEntrySetAcls(ae, acls1, sizeof(acls1)/sizeof(acls1[0]));
162
163	/* Check that entry contains only NFSv4 types */
164	assert((archive_entry_acl_types(ae) &
165	    ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) == 0);
166	assert((archive_entry_acl_types(ae) &
167	    ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0);
168
169	assertEqualInt(4,
170	    archive_entry_acl_reset(ae, ARCHIVE_ENTRY_ACL_TYPE_NFS4));
171	assertEntryCompareAcls(ae, acls1, sizeof(acls1)/sizeof(acls1[0]),
172	    ARCHIVE_ENTRY_ACL_TYPE_NFS4, 0);
173
174	/* A more extensive set of ACLs. */
175	assertEntrySetAcls(ae, acls2, sizeof(acls2)/sizeof(acls2[0]));
176	assertEqualInt(32,
177	    archive_entry_acl_reset(ae, ARCHIVE_ENTRY_ACL_TYPE_NFS4));
178	assertEntryCompareAcls(ae, acls2, sizeof(acls2)/sizeof(acls2[0]),
179	    ARCHIVE_ENTRY_ACL_TYPE_NFS4, 0);
180
181	/*
182	 * Check that clearing ACLs gets rid of them all by repeating
183	 * the first test.
184	 */
185	assertEntrySetAcls(ae, acls1, sizeof(acls1)/sizeof(acls1[0]));
186	failure("Basic ACLs shouldn't be stored as extended ACLs");
187	assertEqualInt(4,
188	    archive_entry_acl_reset(ae, ARCHIVE_ENTRY_ACL_TYPE_NFS4));
189
190	/*
191	 * Different types of malformed ACL entries that should
192	 * fail when added to existing NFS4 ACLs.
193	 */
194	assertEntrySetAcls(ae, acls2, sizeof(acls2)/sizeof(acls2[0]));
195	for (i = 0; i < (int)(sizeof(acls_bad)/sizeof(acls_bad[0])); ++i) {
196		struct archive_test_acl_t *p = &acls_bad[i];
197		failure("Malformed ACL test #%d", i);
198		assertEqualInt(ARCHIVE_FAILED,
199		    archive_entry_acl_add_entry(ae,
200			p->type, p->permset, p->tag, p->qual, p->name));
201		failure("Malformed ACL test #%d", i);
202		assertEqualInt(32,
203		    archive_entry_acl_reset(ae,
204			ARCHIVE_ENTRY_ACL_TYPE_NFS4));
205	}
206	archive_entry_free(ae);
207}
208