#! /usr/bin/ksh
#
#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source.  A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#

# Copyright 2015, Richard Lowe.

# Verify that zones can be configured with security-flags
LC_ALL=C                        # Collation is important

expect_success() {
    name=$1

    (echo "create -b";
     echo "set zonepath=/$name.$$";
     cat /dev/stdin;
     echo "verify";
     echo "commit";
     echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1

    r=$?

    zonecfg -z $name.$$ delete -F

    if (($r != 0)); then
        printf "%s: FAIL\n" $name
        cat out.$$
        rm out.$$
        return 1 
    else
        rm out.$$
        printf  "%s: PASS\n" $name
        return 0
    fi
}

expect_fail() {
    name=$1
    expect=$2

    (echo "create -b";
     echo "set zonepath=/$name.$$";
     cat /dev/stdin;
     echo "verify";
     echo "commit";
     echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1

    r=$?

    # Ideally will fail, since we don't want the create to have succeeded.
    zonecfg -z $name.$$ delete -F >/dev/null 2>&1


    if (($r == 0)); then
        printf "%s: FAIL (succeeded)\n" $name
        rm out.$$
        return 1
    else
        grep -q "$expect" out.$$
        if (( $? != 0 )); then
            printf "%s: FAIL (error didn't match)\n" $name
            echo "Wanted:"
            echo "  $expect"
            echo "Got:"
            sed -e 's/^/  /' out.$$
            rm out.$$
            return 1;
        else
            rm out.$$
            printf  "%s: PASS\n" $name
            return 0
        fi
    fi
}

ret=0

expect_success valid-no-config <<EOF
EOF
(( $? != 0 )) && ret=1

expect_success valid-full-config <<EOF
add security-flags
set lower=none
set default=aslr
set upper=all
end
EOF
(( $? != 0 )) && ret=1

expect_success valid-partial-config <<EOF
add security-flags
set default=aslr
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF
add security-flags
set lower=aslr
set default=none
set upper=all
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF
add security-flags
set lower=aslr
set default=none
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
add security-flags
set lower=none
set default=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF
add security-flags
set default=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
add security-flags
set lower=none
set default=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF
add security-flags
set lower=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF
add security-flags
set default=fail
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF
add security-flags
set lower=fail
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF
add security-flags
set upper=fail
end
EOF
(( $? != 0 )) && ret=1

exit $ret