1#!/usr/local/bin/ksh93 -p
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22
23#
24# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
25# Use is subject to license terms.
26
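# Shared ACL test helpers.  The names used below (usr_exec, chgusr_exec,
# count_ACE, set_cur_usr, cleanup, $testfile/$testdir, ZFS_ACL_*) are not
# defined in this file and are expected to come from this library.
. "$STF_SUITE/tests/acl/acl_common.kshlib"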
28
29#################################################################################
30#
31# __stc_assertion_start
32#
33# ID: zfs_acl_chmod_rwacl_001_pos
34#
35# DESCRIPTION:
#	Verify read_acl/write_acl assigned to owner@/group@/everyone@, a
#	specified user and a specified group. The file has the correct access
#	permissions.
38#
39# STRATEGY:
#	1. Separately verify that a file and a directory are assigned
#	   read_acl/write_acl by root and by a non-root user.
#	2. Verify the owner can always read and write the ACL, even when denied.
#	3. Verify group access permission when the group is assigned
#	   read_acl/write_acl.
#	4. Verify access permission after everyone is assigned read_acl/write_acl.
#	5. Verify that when everyone@ is denied except a specified user, that
#	   user can read and write the ACL.
#	6. Verify that when the group is denied except a specified user, that
#	   user can read and write the ACL.
50#
51# TESTABILITY: explicit
52#
53# TEST_AUTOMATION_LEVEL: automated
54#
55# CODING_STATUS: COMPLETED (2005-10-19)
56#
57# __stc_assertion_end
58#
59################################################################################
60
# Let the suite decide whether this test may run here ("both" = global
# and local zone in the ZFS test suite).
verify_runnable "both"

# Register the cleanup hook before anything that can fail, then announce
# the assertion under test.
log_onexit cleanup
log_assert "Verify chmod A[number]{+|-|=} read_acl/write_acl have correct " \
	"behaviour to access permission."
66
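#
# read_ACL <node> <user1> [<user2> ...]
#
# Try to read the ACL of <node> (ls -vd) as each listed user in turn.
# Returns 0 only when every listed user could read it, otherwise the
# status of the first user that failed.
#
# NOTE: because it stops at the first failure, a caller that wraps this in
# log_mustnot only proves that *some* listed user is denied, not all of them.
#
function read_ACL #<node> <user1> <user2> ...
{
	typeset node=$1
	typeset user
	typeset -i ret

	shift
	for user in "$@"; do
		# Only the exit status is of interest; the listing is discarded.
		chgusr_exec "$user" $LS -vd "$node" > /dev/null 2>&1
		ret=$?
		(( ret != 0 )) && return $ret
	done

	return 0
}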
84
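#
# write_ACL <node> <user1> [<user2> ...]
#
# Try to modify the ACL of <node> as each listed user: prepend a probe
# owner@:read_data:allow entry at A0, check that the ACE count grew by
# exactly one, then remove the probe again.  Returns 0 only when every
# listed user succeeded; otherwise the first failing status, or 1 when the
# ACE count did not change by exactly one.
#
# NOTE: like read_ACL this stops at the first failure, so under log_mustnot
# it only shows that some listed user was denied.
#
function write_ACL #<node> <user1> <user2> ...
{
	typeset node=$1
	typeset user
	typeset -i ret before_cnt after_cnt

	shift
	for user in "$@"; do
		before_cnt=$(count_ACE "$node")
		ret=$?
		(( ret != 0 )) && return $ret

		# The probe ACE only grants the owner read_data and is
		# removed again below, so it does not disturb the scenario.
		chgusr_exec "$user" $CHMOD A0+owner@:read_data:allow "$node"
		ret=$?
		(( ret != 0 )) && return $ret

		after_cnt=$(count_ACE "$node")
		ret=$?
		if (( ret != 0 )); then
			# Best effort: do not leave the probe ACE behind.
			chgusr_exec "$user" $CHMOD A0- "$node"
			return $ret
		fi

		chgusr_exec "$user" $CHMOD A0- "$node"
		ret=$?
		(( ret != 0 )) && return $ret

		# A0+ must have added exactly one entry.
		(( after_cnt - before_cnt == 1 )) || return 1
	done

	return 0
}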
118
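#
# check_owner <node>
#
# Strategy step 2: the owner must be able to read and write the ACL of
# <node> whether owner@ is explicitly allowed *or denied* read_acl/write_acl.
# ZFS_ACL_CUR_USER is taken to be the owner here (the main loop creates
# the node via usr_exec after set_cur_usr) — TODO confirm against
# acl_common.kshlib.
#
function check_owner #<node>
{
	typeset node=$1
	typeset acc

	for acc in allow deny; do
		log_must usr_exec \
			$CHMOD "A0+owner@:read_acl/write_acl:$acc" "$node"
		# Even an explicit deny must not lock the owner out of its ACL.
		log_must read_ACL "$node" "$ZFS_ACL_CUR_USER"
		log_must write_ACL "$node" "$ZFS_ACL_CUR_USER"
		log_must usr_exec $CHMOD A0- "$node"
	done
}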
131
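#
# check_group <node>
#
# Strategy step 3: with group@ allowed read_acl/write_acl a non-owner
# member of the group must be able to read and write the ACL; with group@
# denied it must not.  The probe user is ZFS_ACL_ADMIN when running as root
# and ZFS_ACL_STAFF2 when running as ZFS_ACL_STAFF1 (both presumably share
# the node's group — verify against the suite configuration).
#
function check_group #<node>
{
	typeset node=$1
	typeset grp_usr=""

	if [[ $ZFS_ACL_CUR_USER == root ]]; then
		grp_usr=$ZFS_ACL_ADMIN
	elif [[ $ZFS_ACL_CUR_USER == "$ZFS_ACL_STAFF1" ]]; then
		grp_usr=$ZFS_ACL_STAFF2
	fi
	# With an unexpected current user there is no probe user and the
	# read_ACL/write_ACL calls below would loop over nothing and pass
	# vacuously; fail loudly instead.
	[[ -n $grp_usr ]] || \
		log_fail "check_group: no group user for '$ZFS_ACL_CUR_USER'"

	log_must usr_exec $CHMOD A0+group@:read_acl/write_acl:allow "$node"
	log_must read_ACL "$node" "$grp_usr"
	log_must write_ACL "$node" "$grp_usr"
	log_must usr_exec $CHMOD A0- "$node"

	log_must usr_exec $CHMOD A0+group@:read_acl/write_acl:deny "$node"
	log_mustnot read_ACL "$node" "$grp_usr"
	log_mustnot write_ACL "$node" "$grp_usr"
	log_must usr_exec $CHMOD A0- "$node"
}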
153
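#
# check_everyone <node>
#
# Strategy step 4: with everyone@ allowed read_acl/write_acl the "other"
# users must be able to read and write the ACL; with everyone@ denied they
# must not.  Note that read_ACL/write_ACL stop at the first denied user, so
# the deny half only shows that at least one of the two is denied.
#
function check_everyone #<node>
{
	typeset node=$1
	typeset flag log

	for flag in allow deny; do
		# allow -> the checks must succeed; deny -> they must fail.
		if [[ $flag == allow ]]; then
			log=log_must
		else
			log=log_mustnot
		fi

		log_must usr_exec \
			$CHMOD "A0+everyone@:read_acl/write_acl:$flag" "$node"

		$log read_ACL "$node" "$ZFS_ACL_OTHER1" "$ZFS_ACL_OTHER2"
		$log write_ACL "$node" "$ZFS_ACL_OTHER1" "$ZFS_ACL_OTHER2"

		log_must usr_exec $CHMOD A0- "$node"
	done
}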
175
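#
# check_spec_user <node>
#
# Strategy step 5: deny everyone@ read_acl/write_acl, then allow it for a
# single user (ZFS_ACL_OTHER1).  That user must be able to read and write
# the ACL; the others must not.  Both added ACEs are removed at the end.
#
function check_spec_user #<node>
{
	typeset node=$1

	# Resulting order: A0 user:OTHER1 allow, A1 everyone@ deny.
	log_must usr_exec $CHMOD A0+everyone@:read_acl/write_acl:deny "$node"
	log_must usr_exec \
		$CHMOD "A0+user:$ZFS_ACL_OTHER1:read_acl/write_acl:allow" "$node"

	# The specified user can read and write the ACL.
	log_must read_ACL "$node" "$ZFS_ACL_OTHER1"
	log_must write_ACL "$node" "$ZFS_ACL_OTHER1"

	# The other users can't.  read_ACL/write_ACL return at the first
	# denied user, so this proves at least one of them is denied.
	log_mustnot \
		read_ACL "$node" "$ZFS_ACL_ADMIN" "$ZFS_ACL_STAFF2" "$ZFS_ACL_OTHER2"
	log_mustnot \
		write_ACL "$node" "$ZFS_ACL_ADMIN" "$ZFS_ACL_STAFF2" "$ZFS_ACL_OTHER2"

	# Remove both ACEs added above (each A0- drops the current first entry).
	log_must usr_exec $CHMOD A0- "$node"
	log_must usr_exec $CHMOD A0- "$node"
}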
197
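#
# check_spec_group <node>
#
# Deny everyone@ read_acl/write_acl, then allow it for group
# ZFS_ACL_OTHER_GROUP.  ZFS_ACL_OTHER1/OTHER2 must then be able to read and
# write the ACL (which implies they are members of that group), while
# ZFS_ACL_ADMIN/STAFF2 must not.
#
# Both ACEs are removed at the end, as the sibling scenarios do.  Leaving the
# everyone@ deny behind would carry into check_user_in_group (next in
# func_name) and mask its group-deny check, because everyone@ would already
# be denied regardless of the group entry.
#
function check_spec_group #<node>
{
	typeset node=$1

	# Resulting order: A0 group:OTHER_GROUP allow, A1 everyone@ deny.
	log_must usr_exec $CHMOD A0+everyone@:read_acl/write_acl:deny "$node"
	log_must usr_exec $CHMOD \
		"A0+group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:allow" "$node"

	# The specified group can read and write the ACL.
	log_must read_ACL "$node" "$ZFS_ACL_OTHER1" "$ZFS_ACL_OTHER2"
	log_must write_ACL "$node" "$ZFS_ACL_OTHER1" "$ZFS_ACL_OTHER2"

	# The other users can't (read_ACL/write_ACL stop at the first denial).
	log_mustnot read_ACL "$node" "$ZFS_ACL_ADMIN" "$ZFS_ACL_STAFF2"
	log_mustnot write_ACL "$node" "$ZFS_ACL_ADMIN" "$ZFS_ACL_STAFF2"

	# Remove both ACEs added above.
	log_must usr_exec $CHMOD A0- "$node"
	log_must usr_exec $CHMOD A0- "$node"
}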
214
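#
# check_user_in_group <node>
#
# Strategy step 6: deny group ZFS_ACL_OTHER_GROUP read_acl/write_acl, then
# allow it for the single user ZFS_ACL_OTHER1.  OTHER1 must be able to read
# and write the ACL while OTHER2 must not.  This assumes both OTHER1 and
# OTHER2 belong to ZFS_ACL_OTHER_GROUP — verify against the suite
# configuration.  Both added ACEs are removed at the end.
#
function check_user_in_group #<node>
{
	typeset node=$1

	# Resulting order: A0 user:OTHER1 allow, A1 group:OTHER_GROUP deny.
	log_must usr_exec $CHMOD \
		"A0+group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:deny" "$node"
	log_must usr_exec $CHMOD \
		"A0+user:$ZFS_ACL_OTHER1:read_acl/write_acl:allow" "$node"

	# The user entry precedes the group deny, so OTHER1 is allowed ...
	log_must read_ACL "$node" "$ZFS_ACL_OTHER1"
	log_must write_ACL "$node" "$ZFS_ACL_OTHER1"
	# ... while OTHER2 only matches the group deny.
	log_mustnot read_ACL "$node" "$ZFS_ACL_OTHER2"
	log_mustnot write_ACL "$node" "$ZFS_ACL_OTHER2"

	# Remove both ACEs added above.
	log_must usr_exec $CHMOD A0- "$node"
	log_must usr_exec $CHMOD A0- "$node"
}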
231
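# Scenario functions; each takes a single <node> argument and does its own
# log_must/log_mustnot reporting.
set -A func_name check_owner \
		check_group \
		check_everyone \
		check_spec_user \
		check_spec_group \
		check_user_in_group

test_requires ZFS_ACL

# Strategy step 1: run every scenario on both a file and a directory,
# first as root and then as the non-root ZFS_ACL_STAFF1.
typeset user func node
for user in root "$ZFS_ACL_STAFF1"; do
	log_must set_cur_usr "$user"

	log_must usr_exec $TOUCH "$testfile"
	log_must usr_exec $MKDIR "$testdir"

	for func in "${func_name[@]}"; do
		for node in "$testfile" "$testdir"; do
			# func_name holds plain function names, so a direct
			# call suffices; no eval needed.
			"$func" "$node"
		done
	done

	log_must usr_exec $RM -rf "$testfile" "$testdir"
done

log_pass "Verify chmod A[number]{+|-|=} read_acl/write_acl passed."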
258