diff options
Diffstat (limited to 'glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh')
-rw-r--r-- | glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh | 212 |
1 files changed, 212 insertions, 0 deletions
diff --git a/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh b/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh new file mode 100644 index 000000000..74e662432 --- /dev/null +++ b/glustolibs-io/shared_files/scripts/nfs_ganesha/nfsv4_acl_test.sh @@ -0,0 +1,212 @@ +#!/bin/sh +# Copyright (C) 2016-2017 Red Hat, Inc. <http://www.redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Author: Jiffin Tony Thottan + +# set ONLY_CREATE_USERS_AND_GROUPS to a non-empty string to exit before testing +#ONLY_CREATE_USERS_AND_GROUPS=yes + +# if anything goes wrong, exit +set -e + +TESTDIR=${1} +if [ -z "${TESTDIR}" -o ! -d "${TESTDIR}" ] +then + echo "Usage: ${0} <testdir>" + echo "" + echo " <testdir> existing directory to use for testing" + echo "" + exit 1 +fi + +# get the domain for this system, maybe get it from /etc/idmapd.conf instead? + +error() +{ + echo "ERROR: ${@}" > /dev/stderr +} + +clean_mkdir() +{ + local dir=${1} + + [ -d ${dir} ] && rm -rf ${dir} + mkdir ${dir} +} + +OK() +{ + local user=${1} + shift + local cmd="${@}" + + if ! su ${user} sh -c "${cmd}" > /dev/null + then + error "FAILED as ${user}: ${cmd}" + return 1 + else + echo "OK as ${user}: ${cmd}" + fi + + return 0 +} + +FAIL() +{ + local user=${1} + shift + local cmd="${@}" + + if su ${user} sh -c "${cmd}" > /dev/null 2>&1 + then + error "OK but should have FAILED as ${user}: ${cmd}" + return 1 + else + echo "OK(=FAILED) as ${user}: ${cmd}" + fi + + return 0 +} + +# test for existing user, create if missing +# there is no need for home directories +# each used should have its own group +add_user() +{ + local username=${1} + shift + local userid=${1} + getent passwd ${username} >/dev/null \ + || useradd --no-create-home --shell /bin/sh --user-group ${username} -u ${userid} +} + + +add_user testuser1 5600 +add_user testuser2 5601 +add_user testuser3 5602 +add_user testuser4 5603 +add_user testuser5 5604 +add_user testuser6 5605 + +# test for existing group, create if missing, add the additional +add_group() +{ + local groupname=${1} + shift + local groupid=${1} + shift + local users=${@} + local username='' + + # create the group, if missing + getent group ${groupname} > /dev/null \ + || groupadd ${groupname} -g ${groupid} + + # add each user to the group + for username in ${users} + do + usermod -a -G ${groupname} ${username} + done +} + +add_group devgrp 6600 testuser2 testuser3 +add_group qegrp 6601 testuser4 +add_group managergrp 6602 testuser6 testuser5 + +# only create users/groups, exit here +if [ -n "${ONLY_CREATE_USERS_AND_GROUPS}" ] +then + echo "Users and groups created, exiting..." + exit 0 +fi + +cd ${TESTDIR} + +# create an STATUS file where all users/groups can write progress +[ -e STATUS ] && rm -f STATUS +OK root "/bin/echo 'Status of this test:' > STATUS" +OK root nfs4_setfacl -a A:g:devgrp:RW STATUS +OK root nfs4_setfacl -a A:g:qegrp:RW STATUS +OK root nfs4_setfacl -a A:g:managergrp:RW STATUS + +for USER in testuser2 testuser3 testuser4 testuser5 testuser6 +do + OK ${USER} "/bin/echo '- ${USER} can write' > STATUS" +done + +OK testuser1 "cat STATUS" +FAIL testuser1 "/bin/echo '- testuser1 should not be able to write' > STATUS" + +# some notes that testuser2 owns, only testuser3 may read them +[ -e NOTES.testuser2 ] && rm -f NOTES.testuser2 +# create the file and hand it over to testuser2 +OK root touch NOTES.testuser2 +OK root chown testuser2:testuser2 NOTES.testuser2 +# these notes are secret +OK testuser2 chmod 0600 NOTES.testuser2 +sleep 2 +OK testuser2 nfs4_setfacl -a A::testuser3:R NOTES.testuser2 +# testuser2 should be able to write his own notes +OK testuser2 "/bin/echo 'This is my secret with testuser3' > NOTES.testuser2" +OK testuser3 cat NOTES.testuser2 +FAIL testuser4 cat NOTES.testuser2 +FAIL testuser5 cat NOTES.testuser2 +# actually, also allow qegrp people to read the notes after previous failure +OK testuser2 nfs4_setfacl -a A:g:qegrp:R NOTES.testuser2 +OK testuser4 cat NOTES.testuser2 +FAIL testuser5 cat NOTES.testuser2 + +# any developer should be able to create filed/dirs under the src directory +clean_mkdir src +OK root nfs4_setfacl -a A:gdf:devgrp:RWX src +OK root nfs4_setfacl -a A:gdf:OWNER@:RWX src +OK testuser2 "/bin/echo 'Please send patches' > src/CONTRIBUTING" +OK testuser3 "/bin/echo 'Thanks to all contributors:' > src/THANKS" +OK testuser3 "/bin/echo 'Jiffin' >> src/THANKS" + +# the testuser1 user should not be able to read our propriatary source code +OK root nfs4_setfacl -a D::testuser1:RWX -R src +FAIL testuser1 "cat src/THANKS" + +# qegrp members may read the source code, but not modify it +OK root nfs4_setfacl -a A:g:qegrp:RX -R src +OK testuser4 "cat src/THANKS" +FAIL testuser4 "/bin/echo 'Saurabh' >> src/THANKS" +FAIL testuser4 "rm src/THANKS" + +# newly added files should inherit the permissions, qegrp can read them +OK testuser3 "/bin/echo 'ACLs' > src/TODO" + +# managergrp should create a compass for their reporting employees +clean_mkdir compass +OK root nfs4_setfacl -a "A:g:managergrp:RWX" compass +# devgrp and qegrp should be able to list contents of the compass directory +OK root nfs4_setfacl -a "A:g:devgrp:X" compass +OK root nfs4_setfacl -a "A:g:qegrp:X" compass +OK root nfs4_setfacl -a "D:dfi:EVERYONE@:RWX" compass +OK root nfs4_setfacl -a "A:dfi:OWNER@:RWX" compass +OK root nfs4_setfacl -a "A:dgfi:managergrp:RX" compass +OK testuser6 "/bin/echo 'You should have started compass yesterday' > compass/testuser3" +OK testuser6 nfs4_setfacl -a "A::testuser3:RW" compass/testuser3 +# testuser5 should also be able to read testuser3' compass +OK testuser5 "cat compass/testuser3" +# testuser2 should not be able to read testuser3' compass +FAIL testuser2 "cat compass/testuser3" + +# each employee may only read/edit their own compass +OK testuser3 "/bin/echo 'I will start really soon now...' > compass/testuser3" +OK testuser3 "cat compass/testuser3" |