r3830: unified the query/set security descriptor code with the rest of the

[jelmer/samba4-debian.git] / source / torture / raw / acls.c

/* 
   Unix SMB/CIFS implementation.

   test security descriptor operations

   Copyright (C) Andrew Tridgell 2004
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

#include "includes.h"
#include "libcli/raw/libcliraw.h"
#include "librpc/gen_ndr/ndr_security.h"

#define BASEDIR "\\testsd"

#define CHECK_STATUS(status, correct) do { \
        if (!NT_STATUS_EQUAL(status, correct)) { \
                printf("(%s) Incorrect status %s - should be %s\n", \
                       __location__, nt_errstr(status), nt_errstr(correct)); \
                ret = False; \
                goto done; \
        }} while (0)


static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
        NTSTATUS status;
        union smb_open io;
        const char *fname = BASEDIR "\\sd.txt";
        BOOL ret = True;
        int fnum;
        union smb_fileinfo q;
        union smb_setfileinfo set;
        struct security_ace ace;
        struct security_descriptor *sd;
        struct dom_sid *test_sid;

        printf("TESTING SETFILEINFO EA_SET\n");

        io.generic.level = RAW_OPEN_NTCREATEX;
        io.ntcreatex.in.root_fid = 0;
        io.ntcreatex.in.flags = 0;
        io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED;
        io.ntcreatex.in.create_options = 0;
        io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
        io.ntcreatex.in.share_access = 
                NTCREATEX_SHARE_ACCESS_READ | 
                NTCREATEX_SHARE_ACCESS_WRITE;
        io.ntcreatex.in.alloc_size = 0;
        io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
        io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
        io.ntcreatex.in.security_flags = 0;
        io.ntcreatex.in.fname = fname;
        status = smb_raw_open(cli->tree, mem_ctx, &io);
        CHECK_STATUS(status, NT_STATUS_OK);
        fnum = io.ntcreatex.out.fnum;
        
        q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
        q.query_secdesc.in.fnum = fnum;
        q.query_secdesc.in.secinfo_flags = 
                OWNER_SECURITY_INFORMATION | 
                GROUP_SECURITY_INFORMATION | 
                DACL_SECURITY_INFORMATION;
        status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
        CHECK_STATUS(status, NT_STATUS_OK);
        sd = q.query_secdesc.out.sd;

        printf("add a new ACE to the DACL\n");

        test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");

        ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
        ace.flags = 0;
        ace.access_mask = STD_RIGHT_ALL_ACCESS;
        ace.trustee = *test_sid;

        status = security_descriptor_dacl_add(sd, &ace);
        CHECK_STATUS(status, NT_STATUS_OK);

        set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
        set.set_secdesc.file.fnum = fnum;
        set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
        set.set_secdesc.in.sd = sd;

        status = smb_raw_setfileinfo(cli->tree, &set);
        CHECK_STATUS(status, NT_STATUS_OK);

        status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
        CHECK_STATUS(status, NT_STATUS_OK);

        if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
                printf("security descriptors don't match!\n");
                printf("got:\n");
                NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
                printf("expected:\n");
                NDR_PRINT_DEBUG(security_descriptor, sd);
        }

        printf("remove it again\n");

        status = security_descriptor_dacl_del(sd, test_sid);
        CHECK_STATUS(status, NT_STATUS_OK);

        status = smb_raw_setfileinfo(cli->tree, &set);
        CHECK_STATUS(status, NT_STATUS_OK);

        status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
        CHECK_STATUS(status, NT_STATUS_OK);

        if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
                printf("security descriptors don't match!\n");
                printf("got:\n");
                NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
                printf("expected:\n");
                NDR_PRINT_DEBUG(security_descriptor, sd);
        }

done:
        smbcli_close(cli->tree, fnum);
        return ret;
}


/* 
   basic testing of security descriptor calls
*/
BOOL torture_raw_acls(void)
{
        struct smbcli_state *cli;
        BOOL ret = True;
        TALLOC_CTX *mem_ctx;

        if (!torture_open_connection(&cli)) {
                return False;
        }

        mem_ctx = talloc_init("torture_raw_acls");

        if (!torture_setup_dir(cli, BASEDIR)) {
                return False;
        }

        ret &= test_sd(cli, mem_ctx);

        smb_raw_exit(cli->session);
        smbcli_deltree(cli->tree, BASEDIR);

        torture_close_connection(cli);
        talloc_destroy(mem_ctx);
        return ret;
}