1#!/bin/ksh -p
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22
23#
24# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
25# Use is subject to license terms.
26#
27
28#
29# Copyright (c) 2016 by Delphix. All rights reserved.
30#
31
32. $STF_SUITE/tests/functional/acl/acl_common.kshlib
33
34#
35# DESCRIPTION:
#	Verify that read_acl/write_acl assigned to owner@/group@/everyone@, a
#	specified user and a specified group give the file the correct access permission.
38#
39# STRATEGY:
#	1. Separately verify that a file and a directory are assigned read_acl/write_acl
#	   by root and by a non-root user.
#	2. Verify the owner can always read and write the ACL, even when the entry is a deny.
#	3. Verify group access permission when the group is assigned
#	   read_acl/write_acl.
#	4. Verify access permission after everyone@ is assigned read_acl/write_acl.
#	5. Verify that when everyone@ is denied but a specified user is allowed, that
#	   user can read and write the ACL.
#	6. Verify that when the group is denied but a specified member is allowed, that
#	   user can read and write the ACL.
50#
51
# The checks run both as root and as a non-root user (see the loop at the
# bottom, which switches users with set_cur_usr).
verify_runnable "both"

log_assert "Verify chmod A[number]{+|-|=} read_acl/write_acl have correct " \
	"behaviour to access permission."
# cleanup comes from acl_common.kshlib, sourced above.
log_onexit cleanup
57
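#
# Check that every listed user can read the ACL of <node>: each user runs
# "ls -vd" (which lists the ACL) on the node.  Stops at the first user
# that fails and returns that command's exit status; returns 0 when all
# listed users succeed.  Called with no users it loops zero times and
# returns 0, so callers must pass at least one user.
#
function read_ACL #<node> <user1> <user2> ...
{
	typeset node=$1
	typeset user
	typeset -i ret

	shift
	# "$@" is expanded once before the loop runs, so no per-iteration
	# shift is needed; quoting keeps user names intact as single words.
	for user in "$@"; do
		chgusr_exec "$user" ls -vd "$node" > /dev/null 2>&1
		ret=$?
		(( ret != 0 )) && return $ret
	done

	return 0
}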
75
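#
# Check that every listed user can modify the ACL of <node>: each user
# inserts an owner@:read_data:allow entry at position 0, which must grow
# the ACE count by exactly one, and then removes it again.  Returns the
# first non-zero status from count_ACE or chmod, 1 when the count did not
# grow by one, and 0 when all listed users succeed.  Called with no users
# it loops zero times and returns 0.
#
function write_ACL #<node> <user1> <user2> ...
{
	typeset node=$1
	typeset user
	typeset -i ret before_cnt after_cnt

	shift
	for user in "$@"; do
		before_cnt=$(count_ACE "$node")
		ret=$?
		(( ret != 0 )) && return $ret

		chgusr_exec "$user" chmod A0+owner@:read_data:allow "$node"
		ret=$?
		(( ret != 0 )) && return $ret

		after_cnt=$(count_ACE "$node")
		ret=$?
		(( ret != 0 )) && return $ret

		# Remove the probe entry before judging the count so the node
		# is left as found even when the check below fails.
		chgusr_exec "$user" chmod A0- "$node"
		ret=$?
		(( ret != 0 )) && return $ret

		if (( after_cnt - before_cnt != 1 )); then
			return 1
		fi
	done

	return 0
}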
109
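#
# Exercise read_acl/write_acl on owner@: the owner must be able to read
# and write the ACL of <node> whether the entry is allow or deny.
#
function check_owner #<node>
{
	typeset node=$1
	# Loop variable kept local; the original leaked it into the global scope.
	typeset acc

	for acc in allow deny; do
		log_must usr_exec \
			chmod A0+owner@:read_acl/write_acl:$acc "$node"
		# Expectation is the same for both entry types.
		log_must read_ACL "$node" "$ZFS_ACL_CUR_USER"
		log_must write_ACL "$node" "$ZFS_ACL_CUR_USER"
		log_must usr_exec chmod A0- "$node"
	done
}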
122
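#
# Exercise read_acl/write_acl on group@: a user other than the owner must
# be able to read and write the ACL of <node> with an allow entry and must
# not with a deny entry.
#
function check_group #<node>
{
	typeset node=$1

	# User whose access is governed by the group@ entry — presumably a
	# fellow member of the current user's group (see acl_common.kshlib);
	# confirm if the user set changes.
	typeset grp_usr=""
	if [[ $ZFS_ACL_CUR_USER == root ]]; then
		grp_usr=$ZFS_ACL_ADMIN
	elif [[ $ZFS_ACL_CUR_USER == $ZFS_ACL_STAFF1 ]]; then
		grp_usr=$ZFS_ACL_STAFF2
	fi
	# With no user selected, read_ACL/write_ACL loop zero times and
	# return 0, so the log_must calls below would pass vacuously.
	[[ -n $grp_usr ]] || log_fail "no group user for $ZFS_ACL_CUR_USER"

	log_must usr_exec chmod A0+group@:read_acl/write_acl:allow "$node"
	log_must read_ACL "$node" "$grp_usr"
	log_must write_ACL "$node" "$grp_usr"
	log_must usr_exec chmod A0- "$node"

	log_must usr_exec chmod A0+group@:read_acl/write_acl:deny "$node"
	log_mustnot read_ACL "$node" "$grp_usr"
	log_mustnot write_ACL "$node" "$grp_usr"
	log_must usr_exec chmod A0- "$node"
}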
144
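#
# Exercise read_acl/write_acl on everyone@: with an allow entry two
# unrelated users can read and write the ACL of <node>; with a deny
# entry they cannot.
#
function check_everyone #<node>
{
	typeset node=$1
	# Both kept local; the original leaked "log" into the global scope.
	typeset flag log

	for flag in allow deny; do
		# The expectation flips with the entry type.
		if [[ $flag == allow ]]; then
			log=log_must
		else
			log=log_mustnot
		fi

		log_must usr_exec \
			chmod A0+everyone@:read_acl/write_acl:$flag "$node"

		$log read_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
		$log write_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2

		log_must usr_exec chmod A0- "$node"
	done
}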
166
#
# Deny everyone@ but allow one specific user: that user can read and
# write the ACL of <node>, every other user cannot.
#
function check_spec_user #<node>
{
	typeset node=$1
	typeset spec_usr=$ZFS_ACL_OTHER1

	# Deny first, then insert the allow at A0 so it is evaluated first.
	log_must usr_exec chmod A0+everyone@:read_acl/write_acl:deny $node
	log_must usr_exec \
		chmod A0+user:$spec_usr:read_acl/write_acl:allow $node

	# The specified user can read and write acl
	log_must read_ACL $node $spec_usr
	log_must write_ACL $node $spec_usr

	# All the other user can't read and write acl
	log_mustnot \
		read_ACL $node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2 $ZFS_ACL_OTHER2
	log_mustnot \
		write_ACL $node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2 $ZFS_ACL_OTHER2

	# Remove the two entries added above (allow at 0, deny at 1).
	typeset -i i
	for i in 1 2; do
		log_must usr_exec chmod A0- $node
	done
}
188
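#
# Deny everyone@ but allow one specific group: members of that group can
# read and write the ACL of <node>, other users cannot.  Both entries are
# removed before returning so the node is left as found.
#
function check_spec_group #<node>
{
	typeset node=$1

	log_must usr_exec chmod A0+everyone@:read_acl/write_acl:deny "$node"
	log_must usr_exec chmod \
		A0+group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:allow "$node"

	# The specified group can read and write acl
	log_must read_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
	log_must write_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2

	# All the other user can't read and write acl
	log_mustnot read_ACL "$node" $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2
	log_mustnot write_ACL "$node" $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2

	# Remove the two entries added above, as the other checks do, so they
	# do not linger on the node for the checks that follow.
	log_must usr_exec chmod A0- "$node"
	log_must usr_exec chmod A0- "$node"
}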
205
#
# Deny a group but allow one of its members explicitly: that member can
# read and write the ACL of <node>, another member cannot.
#
function check_user_in_group #<node>
{
	typeset node=$1
	typeset grp_ace=group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:deny
	typeset usr_ace=user:$ZFS_ACL_OTHER1:read_acl/write_acl:allow

	# Deny the group as a whole, then insert the user allow ahead of it.
	log_must usr_exec chmod A0+$grp_ace $node
	log_must usr_exec chmod A0+$usr_ace $node

	# The allowed member gets through ...
	log_must read_ACL $node $ZFS_ACL_OTHER1
	log_must write_ACL $node $ZFS_ACL_OTHER1
	# ... while the other user (a group member in check_spec_group) is denied.
	log_mustnot read_ACL $node $ZFS_ACL_OTHER2
	log_mustnot write_ACL $node $ZFS_ACL_OTHER2

	# Drop both entries added above.
	typeset -i i
	for i in 1 2; do
		log_must usr_exec chmod A0- $node
	done
}
222
# The checks, in the order they run for each user and each node below.
# set -A is the ksh88-compatible array assignment.
set -A func_name check_owner \
		check_group \
		check_everyone \
		check_spec_user \
		check_spec_group \
		check_user_in_group
229
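#
# Run every check as root and as a non-root user, against a freshly
# created file and directory, then remove both.
#
for user in root $ZFS_ACL_STAFF1; do
	log_must set_cur_usr $user

	log_must usr_exec touch $testfile
	log_must usr_exec mkdir $testdir

	typeset func node
	for func in "${func_name[@]}"; do
		for node in $testfile $testdir; do
			# A function name held in a variable can be invoked
			# directly; eval is not needed (and avoids re-parsing).
			$func "$node"
		done
	done

	log_must usr_exec rm -rf $testfile $testdir
done

log_pass "Verify chmod A[number]{+|-|=} read_acl/write_acl passed."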
247