nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL

The previous patch introduced merging of duplicates on the mapping path
from NFS4 ACL entries to DACL entries. Add a testcase to verify the
expected behavior of this codepath.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/source3/modules/test_nfs4_acls.c b/source3/modules/test_nfs4_acls.c
index 170a397579a2c4ffb843054bf2ae249b94d9ec29..0b23bd1d02e88704bd7438555e21acc6b686a24d 100644 (file)
--- a/source3/modules/test_nfs4_acls.c
+++ b/source3/modules/test_nfs4_acls.c
@@ -1776,6 +1776,84 @@ static void test_dacl_to_nfs4_idmap_type_both(void **state)
        TALLOC_FREE(frame);
 }
 
+static void test_nfs4_to_dacl_remove_duplicate(void **state)
+{
+
+       struct dom_sid *sids = *state;
+       TALLOC_CTX *frame = talloc_stackframe();
+       struct SMB4ACL_T *nfs4_acl;
+       SMB_ACE4PROP_T nfs4_ace;
+       struct security_ace *dacl_aces;
+       int good_aces;
+       struct smbacl4_vfs_params params = {
+               .mode = e_simple,
+               .do_chown = true,
+               .acedup = e_dontcare,
+               .map_full_control = true,
+       };
+
+       nfs4_acl = smb_create_smb4acl(frame);
+       assert_non_null(nfs4_acl);
+
+       nfs4_ace = (SMB_ACE4PROP_T) {
+               .flags          = 0,
+               .who.uid        = 1002,
+               .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+               .aceFlags       = SMB_ACE4_INHERITED_ACE,
+               .aceMask        = SMB_ACE4_WRITE_DATA,
+       };
+       assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+       nfs4_ace = (SMB_ACE4PROP_T) {
+               .flags          = 0,
+               .who.gid        = 1002,
+               .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+               .aceFlags       = SMB_ACE4_IDENTIFIER_GROUP|
+                                 SMB_ACE4_INHERITED_ACE,
+               .aceMask        = SMB_ACE4_WRITE_DATA,
+       };
+       assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+       nfs4_ace = (SMB_ACE4PROP_T) {
+               .flags          = 0,
+               .who.gid        = 1002,
+               .aceType        = SMB_ACE4_ACCESS_DENIED_ACE_TYPE,
+               .aceFlags       = SMB_ACE4_IDENTIFIER_GROUP|
+                                 SMB_ACE4_INHERITED_ACE,
+               .aceMask        = SMB_ACE4_WRITE_DATA,
+       };
+       assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+       nfs4_ace = (SMB_ACE4PROP_T) {
+               .flags          = 0,
+               .who.gid        = 1002,
+               .aceType        = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE,
+               .aceFlags       = SMB_ACE4_IDENTIFIER_GROUP|
+                                 SMB_ACE4_INHERITED_ACE,
+               .aceMask        = SMB_ACE4_WRITE_DATA,
+       };
+       assert_non_null(smb_add_ace4(nfs4_acl, &nfs4_ace));
+
+       assert_true(smbacl4_nfs42win(frame, &params, nfs4_acl,
+                                    &sids[0], &sids[1], true,
+                                    &dacl_aces, &good_aces));
+
+       assert_int_equal(good_aces, 2);
+       assert_non_null(dacl_aces);
+
+       assert_int_equal(dacl_aces[0].type, SEC_ACE_TYPE_ACCESS_ALLOWED);
+       assert_int_equal(dacl_aces[0].flags, SEC_ACE_FLAG_INHERITED_ACE);
+       assert_int_equal(dacl_aces[0].access_mask, SEC_FILE_WRITE_DATA);
+       assert_true(dom_sid_equal(&dacl_aces[0].trustee, &sids[2]));
+
+       assert_int_equal(dacl_aces[1].type, SEC_ACE_TYPE_ACCESS_DENIED);
+       assert_int_equal(dacl_aces[1].flags, SEC_ACE_FLAG_INHERITED_ACE);
+       assert_int_equal(dacl_aces[1].access_mask, SEC_FILE_WRITE_DATA);
+       assert_true(dom_sid_equal(&dacl_aces[1].trustee, &sids[2]));
+
+       TALLOC_FREE(frame);
+}
+
 int main(int argc, char **argv)
 {
        const struct CMUnitTest tests[] = {
@@ -1799,6 +1877,7 @@ int main(int argc, char **argv)
                cmocka_unit_test(test_nfs4_to_dacl_config_special),
                cmocka_unit_test(test_nfs4_to_dacl_idmap_type_both),
                cmocka_unit_test(test_dacl_to_nfs4_idmap_type_both),
+               cmocka_unit_test(test_nfs4_to_dacl_remove_duplicate),
        };
 
        cmocka_set_message_output(CM_OUTPUT_SUBUNIT);