#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

. $STF_SUITE/tests/functional/acl/acl_common.kshlib

#
# DESCRIPTION:
#	Verify chmod have correct behaviour to directory and file when
#	filesystem has the different aclinherit setting
#
# STRATEGY:
#	1. Loop super user and non-super user to run the test case.
#	2. Create basedir and a set of subdirectores and files within it.
#	3. Separately chmod basedir with different inherite options,
#		combine with the variable setting of aclinherit:
#		"discard", "noallow", "secure" or "passthrough".
#	4. Then create nested directories and files like the following.
#
#                     ofile
#                     odir
#          chmod -->  basedir -|
#                              |_ nfile1
#                              |_ ndir1 _
#                                        |_ nfile2
#                                        |_ ndir2 _
#                                                  |_ nfile3
#                                                  |_ ndir3
#
#	5. Verify each directories and files have the correct access control
#	   capability.
#

verify_runnable "both"

function cleanup
{
	typeset dir

	# Cleanup basedir, compared file and dir.

	if [[ -f $ofile ]]; then
		log_must $RM -f $ofile
	fi

	for dir in $odir $basedir ; do
		if [[ -d $dir ]]; then
			log_must $RM -rf $dir
		fi
	done
}

log_assert "Verify chmod have correct behaviour to directory and file when " \
    "filesystem has the different aclinherit setting."
log_onexit cleanup

# Define inherit flag
typeset aclinherit_flag=(discard noallow secure passthrough)
typeset object_flag=("f-" "-d" "fd")
typeset strategy_flag=("--" "i-" "-n" "in")

typeset ace_prefix1="owner@"
typeset ace_prefix2="group@"
typeset ace_prefix3="everyone@"
typeset ace_discard ace_noallow ace_secure ace_passthrough
typeset ace_secure_new

# Defile the based directory and file
basedir=$TESTDIR/basedir;  ofile=$TESTDIR/ofile; odir=$TESTDIR/odir

# Define the files and directories will be created after chmod
ndir1=$basedir/ndir1; ndir2=$ndir1/ndir2; ndir3=$ndir2/ndir3
nfile1=$basedir/nfile1; nfile2=$ndir1/nfile2; nfile3=$ndir2/nfile3

# Verify all the node have expected correct access control
allnodes="$ndir1 $ndir2 $ndir3 $nfile1 $nfile2 $nfile3"

#
# According to inherited flag, verify subdirectories and files within it has
# correct inherited access control.
#
function verify_inherit #<aclinherit> <object> [strategy]
{
	# Define the nodes which will be affected by inherit.
	typeset inherit_nodes
	typeset inherit=$1
	typeset obj=$2
	typeset str=$3

	# count: the ACE item to fetch
	# pass: to mark if the current ACE should apply to the target
	# maxnumber: predefine as 4
	# passcnt: counter, if it achieves to maxnumber,
	#	then no additional ACE should apply.
	# isinherit: indicate if the current target is in the inherit list.
	# step: indicate if the ACE be split during inherit.

	typeset -i count=0 pass=0 passcnt=0 isinherit=0 maxnumber=4 step=0

	log_must usr_exec $MKDIR -p $ndir3
	log_must usr_exec $TOUCH $nfile1 $nfile2 $nfile3

	# Get the files which inherited ACE.
	if [[ $(get_substr $obj 1 1) == f ]]; then
		inherit_nodes="$inherit_nodes $nfile1"

		if [[ $(get_substr $str 2 1) != n ]]; then
			inherit_nodes="$inherit_nodes $nfile2 $nfile3"
		fi
	fi
	# Get the directores which inherited ACE.
	if [[ $(get_substr $obj 2 1) == d ]]; then
		inherit_nodes="$inherit_nodes $ndir1"

		if [[ $(get_substr $str 2 1) != n ]]; then
			inherit_nodes="$inherit_nodes $ndir2 $ndir3"
		fi
	fi

	for node in $allnodes; do
		step=0
		if [[ " $inherit_nodes " == *" $node "* ]]; then
			isinherit=1
			if [[ -d $node ]] ; then
				step=1
			fi
		else
			isinherit=0
		fi

		i=0
		count=0
		passcnt=0
		while ((i < maxnumber)); do
			pass=0
			eval expect1=\$acl$i
			expect2=$expect1

		#
		# aclinherit=passthrough,
		# inherit all inheritable ACL entries without any
		# modifications made to the ACL entries when they
		# are inherited.
		#
		# aclinherit=secure,
		# any inheritable ACL entries will remove
		# write_acl and write_owner permissions when the ACL entry is
		# inherited.
		#
		# aclinherit=noallow,
		# only inherit inheritable ACE that specify "deny" permissions
		#
		# aclinherit=discard
		# will not inherit any ACL entries
		#

			case $inherit in
				passthrough)
					action=${expect1##*:}
					expect1=${expect1%:$action}
					expect1=${expect1%-}
					expect1=${expect1%I}
					expect1=${expect1}I:$action
					;;
				secure)
					eval expect2=\$acls$i
					;;
				noallow)
					if [[ $expect1 == *":allow" ]] ; then
						pass=1
						((passcnt = passcnt + 1))
					else
						eval expect2=\$acls$i
					fi
					;;
				discard)
					passcnt=maxnumber
					break
					;;
			esac

			if ((pass == 0)) ; then
				acltemp=${expect2%:*}
				acltemp=${acltemp%:*}
				aclaction=${expect2##*:}
				expect2=${acltemp}:------I:${aclaction}

				acltemp=${expect1%:*}
				inh=${acltemp##*:}

				if [[ -d $node ]]; then
					if [[ $(get_substr $inh 4 1) == n ]]; then

						#
						# if no_propagate is set,
						# then clear all inherit flags,
						# only one ACE should left.
						#

						step=0
						expect1=""

					elif [[ $(get_substr $inh 3 1) != i ]]; then

						#
						# directory should append
						# "inherit_only" if not have
						#
						acltemp=${acltemp%i*}
						expect1=${acltemp}i---I:${aclaction}
					else
						acltemp=${acltemp%-}
						acltemp=${acltemp%I}
						expect1=${acltemp}I:${aclaction}
					fi

					#
					# cleanup the first ACE if the directory
					# not in inherit list
					#

					if ((isinherit == 0)); then
						expect1=""
					fi
				elif [[ -f $node ]] ; then
					expect1=""
				fi

				# Get the first ACE to do comparison

				aclcur=$(get_ACE $node $count compact)
				aclcur=${aclcur#$count:}
				if [[ -n $expect1 && $expect1 != $aclcur ]]; then
					$LS -Vd $basedir
					$LS -Vd $node
					log_fail "$inherit $i #$count " \
					    "ACE: $aclcur, expect to be " \
					    "$expect1"
				fi

				#
				# Get the second ACE (if should have) to do
				# comparison
				#
				if ((step > 0)); then
					((count = count + step))

					aclcur=$(get_ACE $node $count compact)
					aclcur=${aclcur#$count:}
					if [[ -n $expect2 && \
					    $expect2 != $aclcur ]]; then

						$LS -Vd $basedir
						$LS -Vd $node
						log_fail "$inherit $i " \
						    "#$count ACE: $aclcur, " \
						    "expect to be $expect2"
					fi
				fi
				((count = count + 1))
			fi
			((i = i + 1))
		done

		#
		# If there's no any ACE be checked, it should be identify as
		# an normal file/dir, verify it.
		#

		if ((passcnt == maxnumber)); then
			if [[ -d $node ]]; then
				compare_acls $node $odir
			elif [[	-f $node ]]; then
				compare_acls $node $ofile
			fi

			if [[ $? -ne 0 ]]; then
				$LS -Vd $basedir
				$LS -Vd $node
				log_fail "Unexpect acl: $node, $inherit ($str)"
			fi
		fi
	done
}

typeset -i i=0
typeset acl0 acl1 acl2 acl3
typeset acls0 acls1 acls2 acls3

#
# Set aclmode=passthrough to make sure
# the acl will not change during chmod.
# A general testing should verify the combination of
# aclmode/aclinherit works well,
# here we just simple test them separately.
#

log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS

for inherit in "${aclinherit_flag[@]}"; do

	#
	# Set different value of aclinherit
	#

	log_must $ZFS set aclinherit=$inherit $TESTPOOL/$TESTFS

	for user in root $ZFS_ACL_STAFF1; do
		log_must set_cur_usr $user

		for obj in "${object_flag[@]}"; do
			for str in "${strategy_flag[@]}"; do
				typeset inh_opt=$obj
				((${#str} != 0)) && inh_opt=${inh_opt}${str}--

				inh_a=${inh_opt}-
				inh_b=${inh_opt}I

				#
				# Prepare 4 ACES, which should include :
				# deny -> to verify "noallow"
				# write_acl/write_owner -> to verify "secure"
				#

				acl0="$ace_prefix1:rwxp---A-W-Co-:${inh_a}:allow"
				acl1="$ace_prefix2:rwxp---A-W-Co-:${inh_a}:deny"
				acl2="$ace_prefix3:rwxp---A-W-Co-:${inh_a}:allow"
				acl3="$ace_prefix1:-------A-W----:${inh_a}:deny"
				acl4="$ace_prefix2:-------A-W----:${inh_a}:allow"
				acl5="$ace_prefix3:-------A-W----:${inh_a}:deny"


				#
				# The ACE filtered by write_acl/write_owner
				#

				if [[ $inheri == "passthrough" ]]; then
					acls0="$ace_prefix1:rwxp---A-W----:${inh_b}:allow"
					acls1="$ace_prefix2:rwxp---A-W----:${inh_b}:deny"
					acls2="$ace_prefix3:rwxp---A-W----:${inh_b}:allow"
					acls3="$ace_prefix1:rwxp---A-W----:${inh_b}:deny"
					acls4="$ace_prefix2:rwxp---A-W----:${inh_b}:allow"
					acls5="$ace_prefix3:rwxp---A-W----:${inh_b}:deny"
				else
					acls0="$ace_prefix1:-------A-W----:${inh_b}:allow"
					acls1="$ace_prefix2:-------A-W-Co-:${inh_b}:deny"
					acls2="$ace_prefix3:-------A-W----:${inh_b}:allow"
					acls3="$ace_prefix1:-------A-W----:${inh_b}:deny"
					acls4="$ace_prefix2:-------A-W----:${inh_b}:allow"
					acls5="$ace_prefix3:-------A-W----:${inh_b}:deny"
				fi

				#
				# Create basedir and tmp dir/file
				# for comparison.
				#

				log_note "$user: $CHMOD $acl $basedir"
				log_must usr_exec $MKDIR $basedir
				log_must usr_exec $MKDIR $odir
				log_must usr_exec $TOUCH $ofile

				i=5
				while ((i >= 0)); do
					eval acl=\$acl$i

				#
				# Place on a directory should succeed.
				#
					log_must usr_exec $CHMOD A+$acl $basedir

					((i = i - 1))
				done

				verify_inherit $inherit $obj $str

				log_must usr_exec $RM -rf $ofile $odir $basedir
			done
		done
	done
done

log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed."