From 7f8eba4fbfdb683aea3bb1efaed236b2aa4b8f9b Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Sun, 27 Aug 2023 02:47:46 +0200
Subject: [PATCH 1/3] freebsd: add some ACL tests, fixes #7745

enable ACL support in freebsd vagrant machine's filesystem
---
 Vagrantfile                            |  2 +
 src/borg/testsuite/platform_freebsd.py | 88 ++++++++++++++++++++++----
 2 files changed, 77 insertions(+), 13 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index 1a58cd1a1..65e784427 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -66,6 +66,8 @@ def packages_freebsd
     pkg update
     yes | pkg upgrade
     echo 'export BORG_OPENSSL_PREFIX=/usr' >> ~vagrant/.bash_profile
+    # (re)mount / with acls
+    mount -o acls /
   EOF
 end
 
diff --git a/src/borg/testsuite/platform_freebsd.py b/src/borg/testsuite/platform_freebsd.py
index 9d898a76b..b2cc77704 100644
--- a/src/borg/testsuite/platform_freebsd.py
+++ b/src/borg/testsuite/platform_freebsd.py
@@ -1,30 +1,92 @@
-"""Dummy file for now, will eventually contain FreeBSD ACL tests."""
-import pytest
+import os
+import tempfile
 
+from ..platform import acl_get, acl_set
 from .platform import skipif_not_freebsd
 
 # set module-level skips
 pytestmark = [skipif_not_freebsd]
 
 
-def get_acl():
-    return
+ACCESS_ACL = """\
+user::rw-
+user:root:rw-
+user:9999:r--
+group::r--
+group:wheel:r--
+group:9999:r--
+mask::rw-
+other::r--
+""".encode(
+    "ascii"
+)
+
+DEFAULT_ACL = """\
+user::rw-
+user:root:r--
+user:8888:r--
+group::r--
+group:wheel:r--
+group:8888:r--
+mask::rw-
+other::r--
+""".encode(
+    "ascii"
+)
 
 
-def get_set_acl():
-    return
+def get_acl(path, numeric_ids=False):
+    item = {}
+    acl_get(path, item, os.stat(path), numeric_ids=numeric_ids)
+    return item
+
+
+def set_acl(path, access=None, default=None, nfs4=None, numeric_ids=False):
+    item = {"acl_access": access, "acl_default": default, "acl_nfs4": nfs4}
+    acl_set(path, item, numeric_ids=numeric_ids)
 
 
-@pytest.mark.skip(reason="not yet implemented")
 def test_access_acl():
-    pass
+    file1 = tempfile.NamedTemporaryFile()
+    set_acl(
+        file1.name,
+        access=b"user::rw-\ngroup::r--\nmask::rw-\nother::---\nuser:root:rw-\ngroup:wheel:rw-\n",
+        numeric_ids=False,
+    )
+    acl_access_names = get_acl(file1.name, numeric_ids=False)["acl_access"]
+    assert b"user:root:rw-" in acl_access_names
+    assert b"group:wheel:rw-" in acl_access_names
+    acl_access_ids = get_acl(file1.name, numeric_ids=True)["acl_access"]
+    assert b"user:0:rw-" in acl_access_ids
+    assert b"group:0:rw-" in acl_access_ids
+
+    file2 = tempfile.NamedTemporaryFile()
+    set_acl(
+        file2.name, access=b"user::rw-\ngroup::r--\nmask::rw-\nother::---\nuser:0:rw-\ngroup:0:rw-\n", numeric_ids=True
+    )
+    acl_access_names = get_acl(file2.name, numeric_ids=False)["acl_access"]
+    assert b"user:root:rw-" in acl_access_names
+    assert b"group:wheel:rw-" in acl_access_names
+    acl_access_ids = get_acl(file2.name, numeric_ids=True)["acl_access"]
+    assert b"user:0:rw-" in acl_access_ids
+    assert b"group:0:rw-" in acl_access_ids
+
+    file3 = tempfile.NamedTemporaryFile()
+    set_acl(
+        file3.name,
+        access=b"user::rw-\ngroup::r--\nmask::rw-\nother::---\nuser:root:rw-:9999\ngroup:wheel:rw-:9999\n",
+        numeric_ids=True,
+    )
+    acl_access_ids = get_acl(file3.name, numeric_ids=True)["acl_access"]
+    assert b"user:9999:rw-" in acl_access_ids
+    assert b"group:9999:rw-" in acl_access_ids
 
 
-@pytest.mark.skip(reason="not yet implemented")
 def test_default_acl():
-    pass
+    tmpdir = tempfile.mkdtemp()
+    set_acl(tmpdir, access=ACCESS_ACL, default=DEFAULT_ACL)
+    assert get_acl(tmpdir)["acl_access"] == ACCESS_ACL
+    assert get_acl(tmpdir)["acl_default"] == DEFAULT_ACL
 
 
-@pytest.mark.skip(reason="not yet implemented")
-def test_nfs4_acl():
-    pass
+# nfs4 acls testing not implemented.

From 9c1088c95c35955670617fa6e1083e3e01c87a4f Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Sun, 27 Aug 2023 02:55:52 +0200
Subject: [PATCH 2/3] linux: move ACL definitions to platform_linux test module

they are only used from there.
---
 src/borg/testsuite/platform.py       | 26 --------------------
 src/borg/testsuite/platform_linux.py | 36 +++++++++++++++++++++-------
 2 files changed, 28 insertions(+), 34 deletions(-)

diff --git a/src/borg/testsuite/platform.py b/src/borg/testsuite/platform.py
index 3dae11b98..4ba033e54 100644
--- a/src/borg/testsuite/platform.py
+++ b/src/borg/testsuite/platform.py
@@ -9,32 +9,6 @@ from ..platform import get_process_id, process_alive
 from . import unopened_tempfile
 from .locking import free_pid  # NOQA
 
-ACCESS_ACL = """
-user::rw-
-user:root:rw-:0
-user:9999:r--:9999
-group::r--
-group:root:r--:0
-group:9999:r--:9999
-mask::rw-
-other::r--
-""".strip().encode(
-    "ascii"
-)
-
-DEFAULT_ACL = """
-user::rw-
-user:root:r--:0
-user:8888:r--:8888
-group::r--
-group:root:r--:0
-group:8888:r--:8888
-mask::rw-
-other::r--
-""".strip().encode(
-    "ascii"
-)
-
 
 def fakeroot_detected():
     return "FAKEROOTKEY" in os.environ
diff --git a/src/borg/testsuite/platform_linux.py b/src/borg/testsuite/platform_linux.py
index a71020a55..e41f39187 100644
--- a/src/borg/testsuite/platform_linux.py
+++ b/src/borg/testsuite/platform_linux.py
@@ -2,19 +2,39 @@ import os
 import tempfile
 
 from ..platform import acl_get, acl_set
-from .platform import (
-    DEFAULT_ACL,
-    ACCESS_ACL,
-    skipif_not_linux,
-    skipif_fakeroot_detected,
-    skipif_acls_not_working,
-    skipif_no_ubel_user,
-)
+from .platform import skipif_not_linux, skipif_fakeroot_detected, skipif_acls_not_working, skipif_no_ubel_user
 
 # set module-level skips
 pytestmark = [skipif_not_linux, skipif_fakeroot_detected]
 
 
+ACCESS_ACL = """\
+user::rw-
+user:root:rw-:0
+user:9999:r--:9999
+group::r--
+group:root:r--:0
+group:9999:r--:9999
+mask::rw-
+other::r--\
+""".encode(
+    "ascii"
+)
+
+DEFAULT_ACL = """\
+user::rw-
+user:root:r--:0
+user:8888:r--:8888
+group::r--
+group:root:r--:0
+group:8888:r--:8888
+mask::rw-
+other::r--\
+""".encode(
+    "ascii"
+)
+
+
 def get_acl(path, numeric_ids=False):
     item = {}
     acl_get(path, item, os.stat(path), numeric_ids=numeric_ids)

From aa5168a21e23cee4461eb84d192dcebdbbc4a71d Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Sun, 27 Aug 2023 03:04:44 +0200
Subject: [PATCH 3/3] use skipif_acls_not_working decorator for freebsd also

use platform-specific ACLs to check.
for unsupported platform, just return False.
---
 src/borg/testsuite/platform.py         | 13 +++++++++++--
 src/borg/testsuite/platform_freebsd.py |  4 +++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/borg/testsuite/platform.py b/src/borg/testsuite/platform.py
index 4ba033e54..a8a859b09 100644
--- a/src/borg/testsuite/platform.py
+++ b/src/borg/testsuite/platform.py
@@ -31,13 +31,22 @@ def are_acls_working():
     with unopened_tempfile() as filepath:
         open(filepath, "w").close()
         try:
-            access = b"user::rw-\ngroup::r--\nmask::rw-\nother::---\nuser:root:rw-:9999\ngroup:root:rw-:9999\n"
+            if is_freebsd:
+                access = b"user::rw-\ngroup::r--\nmask::rw-\nother::---\nuser:root:rw-\n"
+                contained = b"user:root:rw-"
+            elif is_linux:
+                access = b"user::rw-\ngroup::r--\nmask::rw-\nother::---\nuser:root:rw-:0\n"
+                contained = b"user:root:rw-:0"
+            elif is_darwin:
+                return True  # improve?
+            else:
+                return False  # unsupported platform
             acl = {"acl_access": access}
             acl_set(filepath, acl)
             read_acl = {}
             acl_get(filepath, read_acl, os.stat(filepath))
             read_acl_access = read_acl.get("acl_access", None)
-            if read_acl_access and b"user::rw-" in read_acl_access:
+            if read_acl_access and contained in read_acl_access:
                 return True
         except PermissionError:
             pass
diff --git a/src/borg/testsuite/platform_freebsd.py b/src/borg/testsuite/platform_freebsd.py
index b2cc77704..54fb29d6a 100644
--- a/src/borg/testsuite/platform_freebsd.py
+++ b/src/borg/testsuite/platform_freebsd.py
@@ -2,7 +2,7 @@ import os
 import tempfile
 
 from ..platform import acl_get, acl_set
-from .platform import skipif_not_freebsd
+from .platform import skipif_not_freebsd, skipif_acls_not_working
 
 # set module-level skips
 pytestmark = [skipif_not_freebsd]
@@ -46,6 +46,7 @@ def set_acl(path, access=None, default=None, nfs4=None, numeric_ids=False):
     acl_set(path, item, numeric_ids=numeric_ids)
 
 
+@skipif_acls_not_working
 def test_access_acl():
     file1 = tempfile.NamedTemporaryFile()
     set_acl(
@@ -82,6 +83,7 @@ def test_access_acl():
     assert b"group:9999:rw-" in acl_access_ids
 
 
+@skipif_acls_not_working
 def test_default_acl():
     tmpdir = tempfile.mkdtemp()
     set_acl(tmpdir, access=ACCESS_ACL, default=DEFAULT_ACL)