def testSyntheticAcl(t, env): """ GETATTR of an ACL on a file with no ACL This should return a synthetic ACL, see RFC 5661, section 6.4.2 FLAGS: getattr file all DEPEND: LOOKFILE CODE: GATTACL """ c = env.c1 file_obj = c.homedir + [t.code] acl_attr_bitnum = get_attrbitnum_dict()['acl'] # These expected values come from the Isilon synthetic ACL; if that changes # or ACL policy is being applied, this test may need to change. group_rights = every_rights = ACE4_READ_DATA + ACE4_READ_NAMED_ATTRS + \ ACE4_READ_ATTRIBUTES + ACE4_READ_ACL + ACE4_SYNCHRONIZE owner_rights = group_rights + ACE4_WRITE_DATA + ACE4_APPEND_DATA + \ ACE4_WRITE_NAMED_ATTRS + ACE4_WRITE_ATTRIBUTES + ACE4_WRITE_ACL acl_expected = [ nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, owner_rights, "OWNER@"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, group_rights, "GROUP@"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, every_rights, "EVERYONE@") ] c.create_confirm(t.code) ops = c.use_obj(file_obj) + [c.getattr({acl_attr_bitnum: 'acl'})] res = c.compound(ops) check(res, msg="Asking for ACL attribute") acl_retrieved = res.resarray[-1].opgetattr.resok4.obj_attributes[ acl_attr_bitnum] if acl_retrieved == []: t.fail("ACL is empty!") if compare_acl(acl_retrieved, acl_expected) == False: t.fail("ACL does not match!")
def testACLTypes(t, env): """SETATTR all supported and unsupported ACL Types and verify correct response FLAGS: acls file all DEPEND: MKFILE CODE: SETACL3 """ c = env.c1 c.init_connection() file_obj = c.homedir + [t.code] # track ACL support types for comparison of aclsupport mask returned by server acl_support_types = [ACL4_SUPPORT_ALLOW_ACL, ACL4_SUPPORT_DENY_ACL, ACL4_SUPPORT_AUDIT_ACL, ACL4_SUPPORT_ALARM_ACL] # track all ACL types for test ace_types = [ ACE4_ACCESS_ALLOWED_ACE_TYPE, ACE4_ACCESS_DENIED_ACE_TYPE, ACE4_SYSTEM_AUDIT_ACE_TYPE, ACE4_SYSTEM_ALARM_ACE_TYPE, ] # track ACL names for printing in test results ace_type_names = [ "ACE4_ACCESS_ALLOWED_ACE_TYPE", "ACE4_ACCESS_DENIED_ACE_TYPE", "ACE4_SYSTEM_AUDIT_ACE_TYPE", "ACE4_SYSTEM_ALARM_ACE_TYPE", ] # get supported acl type mask from server supported = c.supportedACLTypes() fh, stateid = c.create_confirm(t.code) for index in range(0, len(acl_support_types)): if supported & acl_support_types[index]: print "Testing supported ACL type: %s" % (ace_type_names[index]) set_acl_round_trip( file_obj, c, [nfsace4(ace_types[index], 0, ACE4_READ_DATA, "OWNER@")], set_acl_exp=NFS4_OK ) else: print "Testing unsupported ACL type: %s" % (ace_type_names[index]) set_acl_round_trip( file_obj, c, [nfsace4(ace_types[index], 0, ACE4_READ_DATA, "OWNER@")], set_acl_exp=NFS4ERR_ATTRNOTSUPP, compare=False, )
def testACLTypes(t, env): """SETATTR all supported and unsupported ACL Types and verify correct response FLAGS: acls file all DEPEND: MKFILE CODE: SETACL3 """ c = env.c1 c.init_connection() file_obj = c.homedir + [t.code] # track ACL support types for comparison of aclsupport mask returned by server acl_support_types = [ ACL4_SUPPORT_ALLOW_ACL, ACL4_SUPPORT_DENY_ACL, ACL4_SUPPORT_AUDIT_ACL, ACL4_SUPPORT_ALARM_ACL ] # track all ACL types for test ace_types = [ ACE4_ACCESS_ALLOWED_ACE_TYPE, ACE4_ACCESS_DENIED_ACE_TYPE, ACE4_SYSTEM_AUDIT_ACE_TYPE, ACE4_SYSTEM_ALARM_ACE_TYPE ] # track ACL names for printing in test results ace_type_names = [ "ACE4_ACCESS_ALLOWED_ACE_TYPE", "ACE4_ACCESS_DENIED_ACE_TYPE", "ACE4_SYSTEM_AUDIT_ACE_TYPE", "ACE4_SYSTEM_ALARM_ACE_TYPE" ] # get supported acl type mask from server supported = c.supportedACLTypes() fh, stateid = c.create_confirm(t.code) for index in range(0, len(acl_support_types)): if supported & acl_support_types[index]: print "Testing supported ACL type: %s" % (ace_type_names[index]) set_acl_round_trip( file_obj, c, [nfsace4(ace_types[index], 0, ACE4_READ_DATA, "OWNER@")], set_acl_exp=NFS4_OK) else: print "Testing unsupported ACL type: %s" % (ace_type_names[index]) set_acl_round_trip( file_obj, c, [nfsace4(ace_types[index], 0, ACE4_READ_DATA, "OWNER@")], set_acl_exp=NFS4ERR_ATTRNOTSUPP, compare=False)
def testInvalidName(t, env): """ Test setting an ACL with an invalid name FLAGS: idmap setattr file acl all CODE: SETID1 """ c = env.c1 c.init_connection() c.create_confirm(t.code) path = c.homedir + [t.code] # First ace is for test, second for cleanup acl = [nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_WRITE_OWNER, "baduser@baddomain"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@")] _setacl(c, path, acl, NFS4ERR_BADOWNER)
def testChangeOwnerWithUid(t, env): """SETOWN using UID FLAGS: idmap setattr file all CODE: SOWNID """ c = env.c1 c.init_connection() c.create_confirm(t.code) path = c.homedir + [t.code] # First ace is for test, second for cleanup acl = [nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_WRITE_OWNER, "admin@localdomain"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@")] _setacl(c, path, acl) _admin_chownerorgrp(env, path, 'owner', '10')
def testInvalidName(t, env): """ Test setting an ACL with an invalid name FLAGS: idmap setattr file acl all CODE: SETID1 """ c = env.c1 c.init_connection() c.create_confirm(t.code) path = c.homedir + [t.code] # First ace is for test, second for cleanup acl = [ nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_WRITE_OWNER, "baduser@baddomain"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@") ] _setacl(c, path, acl, NFS4ERR_BADOWNER)
def testACLMultipleACE(t, env): """SETACL EVERYONE@ deny write FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1ma """ acl_test(t, env, "", [ nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_READ, "OWNER@") ], test_open_write=NFS4_OK, test_open_read=NFS4_OK, c2_test_open_write=NFS4_OK, c2_test_open_read=NFS4ERR_ACCESS)
def testChangeOwnerWithUid(t, env): """SETOWN using UID FLAGS: idmap setattr file all CODE: SOWNID """ c = env.c1 c.init_connection() c.create_confirm(t.code) path = c.homedir + [t.code] # First ace is for test, second for cleanup acl = [ nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_WRITE_OWNER, "admin@localdomain"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@") ] _setacl(c, path, acl) _admin_chownerorgrp(env, path, 'owner', '10')
def testACLMultipleACE(t, env): """SETACL EVERYONE@ deny write FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1ma """ acl_test( t, env, "", [ nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_READ, "OWNER@"), ], test_open_write=NFS4_OK, test_open_read=NFS4_OK, c2_test_open_write=NFS4_OK, c2_test_open_read=NFS4ERR_ACCESS, )
def testSyntheticAcl(t, env): """ GETATTR of an ACL on a file with no ACL This should return a synthetic ACL, see RFC 5661, section 6.4.2 FLAGS: getattr file all DEPEND: LOOKFILE CODE: GATTACL """ c = env.c1 file_obj = c.homedir + [t.code] acl_attr_bitnum = get_attrbitnum_dict()["acl"] # These expected values come from the Isilon synthetic ACL; if that changes # or ACL policy is being applied, this test may need to change. group_rights = every_rights = ( ACE4_READ_DATA + ACE4_READ_NAMED_ATTRS + ACE4_READ_ATTRIBUTES + ACE4_READ_ACL + ACE4_SYNCHRONIZE ) owner_rights = ( group_rights + ACE4_WRITE_DATA + ACE4_APPEND_DATA + ACE4_WRITE_NAMED_ATTRS + ACE4_WRITE_ATTRIBUTES + ACE4_WRITE_ACL ) acl_expected = [ nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, owner_rights, "OWNER@"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, group_rights, "GROUP@"), nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, every_rights, "EVERYONE@"), ] c.create_confirm(t.code) ops = c.use_obj(file_obj) + [c.getattr({acl_attr_bitnum: "acl"})] res = c.compound(ops) check(res, msg="Asking for ACL attribute") acl_retrieved = res.resarray[-1].opgetattr.resok4.obj_attributes[acl_attr_bitnum] if acl_retrieved == []: t.fail("ACL is empty!") if compare_acl(acl_retrieved, acl_expected) == False: t.fail("ACL does not match!")
def testACLOwnerDenyRead(t, env): """SETACL OWNER@ deny read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1odr """ acl_test(t, env, "owner_deny_read", nfsace4(ACE4_ACCESS_DENIED_ACE_TYPE, 0, ACE4_GENERIC_READ, "OWNER@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS)
def testACLOwnerAllowRead(t, env): """SETACL OWNER@ allow read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1oar """ acl_test(t, env, "owner_allow_read", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_READ, "OWNER@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4_OK, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS)
def testACLOwnerAllowWrite(t, env): """SETACL OWNER@ deny write FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1oaw """ acl_test(t, env, "owner_allow_write", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "OWNER@"), test_open_write=NFS4_OK, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS)
def testACLEveryoneAllowWrite(t, env): """SETACL EVERYONE@ deny write FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1eaw """ acl_test(t, env, "everyone_allow_write", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@"), test_open_write=NFS4_OK, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4_OK, c2_test_open_read=NFS4ERR_ACCESS)
def testACLEveryoneAllowRead(t, env): """SETACL EVERYONE@ allow read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1ear """ acl_test(t, env, "everyone_allow_read", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_READ, "EVERYONE@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4_OK, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4_OK)
def testACLEveryoneDenyRead(t, env): """SETACL EVERYONE@ deny read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1edr """ acl_test(t, env, "everyone_deny_read", nfsace4(ACE4_ACCESS_DENIED_ACE_TYPE, 0, ACE4_GENERIC_READ, "EVERYONE@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS)
def testACLOwnerDenyRead(t, env): """SETACL OWNER@ deny read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1odr """ acl_test( t, env, "owner_deny_read", nfsace4(ACE4_ACCESS_DENIED_ACE_TYPE, 0, ACE4_GENERIC_READ, "OWNER@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS, )
def testACLOwnerAllowWrite(t, env): """SETACL OWNER@ deny write FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1oaw """ acl_test( t, env, "owner_allow_write", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "OWNER@"), test_open_write=NFS4_OK, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS, )
def testACLEveryoneDenyRead(t, env): """SETACL EVERYONE@ deny read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1edr """ acl_test( t, env, "everyone_deny_read", nfsace4(ACE4_ACCESS_DENIED_ACE_TYPE, 0, ACE4_GENERIC_READ, "EVERYONE@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS, )
def testACLEveryoneAllowRead(t, env): """SETACL EVERYONE@ allow read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1ear """ acl_test( t, env, "everyone_allow_read", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_READ, "EVERYONE@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4_OK, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4_OK, )
def testACLEveryoneAllowWrite(t, env): """SETACL EVERYONE@ deny write FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1eaw """ acl_test( t, env, "everyone_allow_write", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_WRITE, "EVERYONE@"), test_open_write=NFS4_OK, test_open_read=NFS4ERR_ACCESS, c2_test_open_write=NFS4_OK, c2_test_open_read=NFS4ERR_ACCESS, )
def testACLOwnerAllowRead(t, env): """SETACL OWNER@ allow read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL1oar """ acl_test( t, env, "owner_allow_read", nfsace4(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, ACE4_GENERIC_READ, "OWNER@"), test_open_write=NFS4ERR_ACCESS, test_open_read=NFS4_OK, c2_test_open_write=NFS4ERR_ACCESS, c2_test_open_read=NFS4ERR_ACCESS, )
def testACLDirectAccess(t, env): """SETATTR OWNER@ and verify prevention of direct write/read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL2 """ c = env.c1 c.init_connection() filename = c.homedir + ["acl_direct_access"] # we initially create the file 666 to make sure it's the ACL that is # restricting access fh1, stateid1 = c.create_confirm( "owner1", filename, attrs={FATTR4_MODE: 0666}, access=OPEN4_SHARE_ACCESS_BOTH, deny=OPEN4_SHARE_DENY_NONE, mode=GUARDED4, ) # create a new connection to do the access as someone else # to make sure we're not hitting the owner_override case c2 = env.c2 c2.init_connection() res = c2.write_file(filename, "1" * 1000) check(res, NFS4_OK, "NFS4 Direct Write Op without ACL") res = c2.read_file(filename) check(res, NFS4_OK, "NFS4 Direct Read Op without ACL") set_acl_round_trip( filename, c, nfsace4(ACE4_ACCESS_DENIED_ACE_TYPE, 0, ACE4_READ_DATA | ACE4_WRITE_DATA, "EVERYONE@") ) res = c2.write_file(filename, "1" * 1000) check(res, NFS4ERR_ACCESS, "NFS4 Direct Write Op with ACL") res = c2.read_file(filename) check(res, NFS4ERR_ACCESS, "NFS4 Direct Read Op with ACL")
def testACLDirectAccess(t, env): """SETATTR OWNER@ and verify prevention of direct write/read FLAGS: acls file all DEPEND: MKFILE CODE: SETACL2 """ c = env.c1 c.init_connection() filename = c.homedir + ["acl_direct_access"] # we initially create the file 666 to make sure it's the ACL that is # restricting access fh1, stateid1 = c.create_confirm('owner1', filename, attrs={FATTR4_MODE: 0666}, access=OPEN4_SHARE_ACCESS_BOTH, deny=OPEN4_SHARE_DENY_NONE, mode=GUARDED4) # create a new connection to do the access as someone else # to make sure we're not hitting the owner_override case c2 = env.c2 c2.init_connection() res = c2.write_file(filename, "1" * 1000) check(res, NFS4_OK, "NFS4 Direct Write Op without ACL") res = c2.read_file(filename) check(res, NFS4_OK, "NFS4 Direct Read Op without ACL") set_acl_round_trip( filename, c, nfsace4(ACE4_ACCESS_DENIED_ACE_TYPE, 0, ACE4_READ_DATA | ACE4_WRITE_DATA, "EVERYONE@")) res = c2.write_file(filename, "1" * 1000) check(res, NFS4ERR_ACCESS, "NFS4 Direct Write Op with ACL") res = c2.read_file(filename) check(res, NFS4ERR_ACCESS, "NFS4 Direct Read Op with ACL")
class Environment(testmod.Environment): # STUB attr_info = [ \ AttrInfo('supported_attrs', 'rm', []), AttrInfo('type', 'rm', 1), AttrInfo('fh_expire_type', 'rm', 0), AttrInfo('change', 'rm', 0), AttrInfo('size', 'rwm', 0), AttrInfo('link_support', 'rm', False), AttrInfo('symlink_support', 'rm', False), AttrInfo('named_attr', 'rm', False), AttrInfo('fsid', 'rm', fsid4(0, 0)), AttrInfo('unique_handles', 'rm', False), AttrInfo('lease_time', 'rm', 0), AttrInfo('rdattr_error', 'rm', 0), AttrInfo('filehandle', 'rm', 'nonsense'), AttrInfo('acl', 'rw', [nfsace4(0,0,0,'EVERYONE@')]), AttrInfo('aclsupport', 'r', 0), AttrInfo('archive', 'rw', False), AttrInfo('cansettime', 'r', False), AttrInfo('case_insensitive', 'r', False), AttrInfo('case_preserving', 'r', False), AttrInfo('chown_restricted', 'r', False), AttrInfo('fileid', 'r', 0), AttrInfo('files_avail', 'r', 0), AttrInfo('files_free', 'r', 0), AttrInfo('files_total', 'r', 0), # FRED - packer did not complain about missing [] about server AttrInfo('fs_locations', 'r', fs_locations4('root',[fs_location4(['server'],'path')])), AttrInfo('hidden', 'rw', False), AttrInfo('homogeneous', 'r', False), AttrInfo('maxfilesize', 'r', 0), AttrInfo('maxlink', 'r', 0), AttrInfo('maxname', 'r', 0), AttrInfo('maxread', 'r', 0), AttrInfo('maxwrite', 'r', 0), AttrInfo('mimetype', 'rw', 'nonsense'), AttrInfo('mode', 'rw', 0), AttrInfo('no_trunc', 'r', False), AttrInfo('numlinks', 'r', 0), AttrInfo('owner', 'rw', 'nonsense'), AttrInfo('owner_group', 'rw', 'nonsense'), AttrInfo('quota_avail_hard', 'r', 0), AttrInfo('quota_avail_soft', 'r', 0), AttrInfo('quota_used', 'r', 0), AttrInfo('rawdev', 'r', specdata4(0, 0)), AttrInfo('space_avail', 'r', 0), AttrInfo('space_free', 'r', 0), AttrInfo('space_total', 'r', 0), AttrInfo('space_used', 'r', 0), AttrInfo('system', 'rw', False), AttrInfo('time_access', 'r', nfstime4(0, 0)), AttrInfo('time_access_set', 'w', settime4(0)), AttrInfo('time_backup', 'rw', nfstime4(0, 0)), AttrInfo('time_create', 'rw', nfstime4(0, 0)), AttrInfo('time_delta', 'r', nfstime4(0, 0)), AttrInfo('time_metadata', 'r', nfstime4(0, 0)), AttrInfo('time_modify', 'r', nfstime4(0, 0)), AttrInfo('time_modify_set', 'w', settime4(0)), AttrInfo('mounted_on_fileid', 'r', 0), ] def __init__(self, opts): sec1, sec2 = self._get_security(opts) # authsys1 = rpc.SecAuthSys(0, opts.machinename, opts.uid, opts.gid, []) authsys2 = rpc.SecAuthSys(0, opts.machinename, opts.uid+1, opts.gid+1, []) self.c1 = NFS4Client('client1_pid%i' % os.getpid(), opts.server, opts.port, opts.path, sec_list=[sec1], opts=opts) self.c2 = NFS4Client('client2_pid%i' % os.getpid(), opts.server, opts.port, opts.path, sec_list=[authsys2], opts=opts) self.longname = "a"*512 self.uid = 0 self.gid = 0 self.opts = opts self.filedata = "This is the file test data." self.linkdata = "/etc/X11" self.stateid0 = stateid4(0, '') self.stateid1 = stateid4(0xffffffffL, '\xff'*12) def _get_security(self, opts): if opts.security == 'none': return [opts.flavor(), opts.flavor()] elif opts.security == 'sys': sec1 = opts.flavor(0, opts.machinename, opts.uid, opts.gid, []) sec2 = opts.flavor(0, opts.machinename, opts.uid+1, opts.gid+1, []) return [sec1, sec2] elif opts.security.startswith('krb5'): sec1 = opts.flavor(opts.service) sec2 = opts.flavor(opts.service) return [sec1, sec2] else: raise 'Bad security %s' % opts.security def init(self): """Run once before any test is run""" c = self.c1 if self.opts.maketree: self._maketree() if self.opts.noinit: return # Make sure opts.path exists res = c.compound(c.use_obj(self.opts.path)) check(res, msg="Could not LOOKUP /%s," % '/'.join(self.opts.path)) # Make sure it is empty c.clean_dir(self.opts.path) c.null() def _maketree(self): """Make testtree""" c = self.c1 # make /tmp (and path leading up to it if necesary) path = [] for comp in self.opts.path: path.append(comp) res = c.compound(c.use_obj(path)) checklist(res, [NFS4_OK, NFS4ERR_NOENT], "Could not LOOKUP /%s," % '/'.join(path)) if res.status == NFS4ERR_NOENT: res = c.create_obj(path) check(res, msg="Trying to create /%s," % '/'.join(path)) # remove /tree/* tree = self.opts.path[:-1] + ['tree'] res = c.compound(c.use_obj(tree)) checklist(res, [NFS4_OK, NFS4ERR_NOENT]) if res.status == NFS4ERR_NOENT: res = c.create_obj(tree) check(res, msg="Trying to create /%s," % '/'.join(tree)) else: c.clean_dir(tree) # make objects in /tree name = {NF4DIR: 'dir', NF4SOCK: 'socket', NF4FIFO: 'fifo', NF4LNK: 'link', NF4BLK: 'block', NF4CHR: 'char'} for type in name: path = tree + [name[type]] res = c.create_obj(path, type) if res.status != NFS4_OK: print "WARNING - could not create /%s" % '/'.join(path) c.init_connection() fh, stateid = c.create_confirm('maketree', tree + ['file'], deny=OPEN4_SHARE_DENY_NONE) ops = [c.putfh_op(fh), c.write_op(stateid, 0, FILE_SYNC4, self.filedata)] res = c.compound(ops) check(res, msg="Writing data to /%s/file" % '/'.join(tree)) res = c.close_file('maketree', fh, stateid ) check(res) def finish(self): """Run once after all tests are run""" if self.opts.nocleanup: return c = self.c1 c.null() c.null() c.clean_dir(self.opts.path) def startUp(self): """Run before each test""" self.c1.null() def sleep(self, sec, msg=''): """Sleep for given seconds""" print "Sleeping for %i seconds:" % sec, msg time.sleep(sec) print "Woke up" def serverhelper(self, args): """Perform a special operation on the server side (such as rebooting the server)""" if self.opts.serverhelper is None: print "Manual operation required on server:" print args + " and hit ENTER when done" sys.stdin.readline() print "Continuing with test" else: cmd = self.opts.serverhelper if self.opts.serverhelperarg: cmd += ' ' + self.opts.serverhelperarg cmd += ' ' + args os.system(cmd);
def testACLEnumRountTrip(t, env): """SETATTR all supported ACL Types FLAGS: acls file all DEPEND: MKFILE CODE: SETACL4 """ c = env.c1 c.init_connection() rtfail = 0 # track ACL support types for comparison of aclsupport mask returned by server acl_support_types = [ ACL4_SUPPORT_ALLOW_ACL, ACL4_SUPPORT_DENY_ACL, ACL4_SUPPORT_AUDIT_ACL, ACL4_SUPPORT_ALARM_ACL ] # track all ACL types for test ace_types = [ ACE4_ACCESS_ALLOWED_ACE_TYPE, ACE4_ACCESS_DENIED_ACE_TYPE, ACE4_SYSTEM_AUDIT_ACE_TYPE, ACE4_SYSTEM_ALARM_ACE_TYPE ] # track all ACL flags for test ace_flags = {} # for ALLOWED and DENIED, SUCCESSFUL_ACCESS and FAILED_ACCESS mean nothing # for all types, IDENTIFIER_GROUP is omitted; we only test FOO@ whos ace_flags[ACE4_ACCESS_ALLOWED_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE ] ace_flags[ACE4_ACCESS_DENIED_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE ] # AUDIT and ALARM currently omit nothing because they're not even # supported and are therefore dead code; if we add support then # we'll need to review which values to include ace_flags[ACE4_SYSTEM_AUDIT_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE, ACE4_SUCCESSFUL_ACCESS_ACE_FLAG, ACE4_FAILED_ACCESS_ACE_FLAG ] ace_flags[ACE4_SYSTEM_ALARM_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE, ACE4_SUCCESSFUL_ACCESS_ACE_FLAG, ACE4_FAILED_ACCESS_ACE_FLAG ] # track all ACL access modes for test ace_access_modes = {} # for file we omit DELETE_CHILD since files can't have children ace_access_modes["file"] = [ ACE4_READ_DATA, ACE4_WRITE_DATA, ACE4_APPEND_DATA, ACE4_READ_NAMED_ATTRS, ACE4_WRITE_NAMED_ATTRS, ACE4_EXECUTE, ACE4_READ_ATTRIBUTES, ACE4_WRITE_ATTRIBUTES, ACE4_DELETE, ACE4_READ_ACL, ACE4_WRITE_ACL, ACE4_WRITE_OWNER, ACE4_SYNCHRONIZE, ACE4_GENERIC_READ, ACE4_GENERIC_WRITE, ACE4_GENERIC_EXECUTE ] # for dir we omit SYNCHRONIZE, GENERIC_READ, GENERIC_WRITE and # GENERIC_EXECUTE since these are inapplicable to directories ace_access_modes["dir"] = [ ACE4_READ_DATA, ACE4_WRITE_DATA, ACE4_APPEND_DATA, ACE4_READ_NAMED_ATTRS, ACE4_WRITE_NAMED_ATTRS, ACE4_EXECUTE, ACE4_DELETE_CHILD, ACE4_READ_ATTRIBUTES, ACE4_WRITE_ATTRIBUTES, ACE4_DELETE, ACE4_READ_ACL, ACE4_WRITE_ACL, ACE4_WRITE_OWNER ] # track interesting who types for test ace_identities = ["OWNER@", "GROUP@", "EVERYONE@"] # ace_identities = ["OWNER@", "GROUP@", "EVERYONE@", "INTERACTIVE@", "NETWORK@", "DIALUP@", "BATCH@", "ANONYMOUS@", # "AUTHENTICATED@", "SERVICE@"] # get supported acl type mask from server supported = c.supportedACLTypes() for file_type in ("file", "dir"): # iterate over all acl support types for index in range(0, len(acl_support_types)): # only run tests on supported acl types (unsupported will surely fail) if supported & acl_support_types[index]: # iterate over all possible ace flags for ace_flag in ace_flags[ace_types[index]]: # skip any flag tests for files since they don't apply if ace_flag != 0 and file_type == "file": continue # iterate over all access modes for access_mode in ace_access_modes[file_type]: # iterate over all identities for identity in ace_identities: # generate a test name for presentation testname = "%s_%s_%s_%s_%s" % ( file_type, ace_type_to_str(ace_types[index]), ace_flag_to_str(ace_flag), ace_mode_to_str(file_type, access_mode), identity) print "Round Tripping nfsace4(%s, %s, %s, %s) on a %s" % ( ace_type_to_str(ace_types[index]), ace_flag_to_str(ace_flag), ace_mode_to_str(file_type, access_mode), identity, file_type) try: acl_test( t, env, testname, [ nfsace4(ace_types[index], ace_flag, access_mode, identity) ], file_type=file_type, verbose=1) except Exception, e: rtfail += 1 print "--> ACLTest Exception: ", e
def testACLEnumRountTrip(t, env): """SETATTR all supported ACL Types FLAGS: acls file all DEPEND: MKFILE CODE: SETACL4 """ c = env.c1 c.init_connection() rtfail = 0 # track ACL support types for comparison of aclsupport mask returned by server acl_support_types = [ACL4_SUPPORT_ALLOW_ACL, ACL4_SUPPORT_DENY_ACL, ACL4_SUPPORT_AUDIT_ACL, ACL4_SUPPORT_ALARM_ACL] # track all ACL types for test ace_types = [ ACE4_ACCESS_ALLOWED_ACE_TYPE, ACE4_ACCESS_DENIED_ACE_TYPE, ACE4_SYSTEM_AUDIT_ACE_TYPE, ACE4_SYSTEM_ALARM_ACE_TYPE, ] # track all ACL flags for test ace_flags = {} # for ALLOWED and DENIED, SUCCESSFUL_ACCESS and FAILED_ACCESS mean nothing # for all types, IDENTIFIER_GROUP is omitted; we only test FOO@ whos ace_flags[ACE4_ACCESS_ALLOWED_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE, ] ace_flags[ACE4_ACCESS_DENIED_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE, ] # AUDIT and ALARM currently omit nothing because they're not even # supported and are therefore dead code; if we add support then # we'll need to review which values to include ace_flags[ACE4_SYSTEM_AUDIT_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE, ACE4_SUCCESSFUL_ACCESS_ACE_FLAG, ACE4_FAILED_ACCESS_ACE_FLAG, ] ace_flags[ACE4_SYSTEM_ALARM_ACE_TYPE] = [ 0, ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE, ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE, ACE4_SUCCESSFUL_ACCESS_ACE_FLAG, ACE4_FAILED_ACCESS_ACE_FLAG, ] # track all ACL access modes for test ace_access_modes = {} # for file we omit DELETE_CHILD since files can't have children ace_access_modes["file"] = [ ACE4_READ_DATA, ACE4_WRITE_DATA, ACE4_APPEND_DATA, ACE4_READ_NAMED_ATTRS, ACE4_WRITE_NAMED_ATTRS, ACE4_EXECUTE, ACE4_READ_ATTRIBUTES, ACE4_WRITE_ATTRIBUTES, ACE4_DELETE, ACE4_READ_ACL, ACE4_WRITE_ACL, ACE4_WRITE_OWNER, ACE4_SYNCHRONIZE, ACE4_GENERIC_READ, ACE4_GENERIC_WRITE, ACE4_GENERIC_EXECUTE, ] # for dir we omit SYNCHRONIZE, GENERIC_READ, GENERIC_WRITE and # GENERIC_EXECUTE since these are inapplicable to directories ace_access_modes["dir"] = [ ACE4_READ_DATA, ACE4_WRITE_DATA, ACE4_APPEND_DATA, ACE4_READ_NAMED_ATTRS, ACE4_WRITE_NAMED_ATTRS, ACE4_EXECUTE, ACE4_DELETE_CHILD, ACE4_READ_ATTRIBUTES, ACE4_WRITE_ATTRIBUTES, ACE4_DELETE, ACE4_READ_ACL, ACE4_WRITE_ACL, ACE4_WRITE_OWNER, ] # track interesting who types for test ace_identities = ["OWNER@", "GROUP@", "EVERYONE@"] # ace_identities = ["OWNER@", "GROUP@", "EVERYONE@", "INTERACTIVE@", "NETWORK@", "DIALUP@", "BATCH@", "ANONYMOUS@", # "AUTHENTICATED@", "SERVICE@"] # get supported acl type mask from server supported = c.supportedACLTypes() for file_type in ("file", "dir"): # iterate over all acl support types for index in range(0, len(acl_support_types)): # only run tests on supported acl types (unsupported will surely fail) if supported & acl_support_types[index]: # iterate over all possible ace flags for ace_flag in ace_flags[ace_types[index]]: # skip any flag tests for files since they don't apply if ace_flag != 0 and file_type == "file": continue # iterate over all access modes for access_mode in ace_access_modes[file_type]: # iterate over all identities for identity in ace_identities: # generate a test name for presentation testname = "%s_%s_%s_%s_%s" % ( file_type, ace_type_to_str(ace_types[index]), ace_flag_to_str(ace_flag), ace_mode_to_str(file_type, access_mode), identity, ) print "Round Tripping nfsace4(%s, %s, %s, %s) on a %s" % ( ace_type_to_str(ace_types[index]), ace_flag_to_str(ace_flag), ace_mode_to_str(file_type, access_mode), identity, file_type, ) try: acl_test( t, env, testname, [nfsace4(ace_types[index], ace_flag, access_mode, identity)], file_type=file_type, verbose=1, ) except Exception, e: rtfail += 1 print "--> ACLTest Exception: ", e