Change from Set/GetNamedSecurityInfo to Nt{Query,Set}SecurityInfo (#1589)

* Update ACL grabbing API

* Update ACL setting API

* Fix import

* Fix download case

* Persist otherwise merged ACEs

* Enable S2S and upload; add proper comparison

* Fix double-import

* Only sanity-check when necessary

* Address comments

Author: adreed-msft

e2etest/declarativeScenario.go

@@ -27,7 +27,6 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"strings"
 	"time"
 
 	"github.com/Azure/azure-storage-azcopy/v10/common"
@@ -393,7 +392,7 @@ func (s *scenario) validateSMBPermissionsByValue(expected, actual string, objNam
 	actualSDDL, err := sddl.ParseSDDL(actual)
 	s.a.AssertNoErr(err)
 
-	s.a.Assert(strings.TrimSuffix(actualSDDL.PortableString(), "S:NO_ACCESS_CONTROL"), equals(), strings.TrimSuffix(expectedSDDL.PortableString(), "S:NO_ACCESS_CONTROL"), "On object "+objName)
+	s.a.Assert(expectedSDDL.Compare(actualSDDL), equals(), true)
 }
 
 func (s *scenario) validateContent() {

e2etest/scenario_helpers.go

@@ -36,6 +36,7 @@ import (
 	"time"
 
 	"github.com/Azure/azure-storage-azcopy/v10/azbfs"
+	"github.com/Azure/azure-storage-azcopy/v10/sddl"
 	"github.com/minio/minio-go"
 
 	"github.com/Azure/azure-storage-azcopy/v10/common"
@@ -684,6 +685,19 @@ func (scenarioHelper) generateAzureFilesFromList(c asserter, options *generateAz
 			if f.creationProperties.smbPermissionsSddl != nil || f.creationProperties.smbAttributes != nil {
 				_, err := dir.SetProperties(ctx, ad.toHeaders(c, options.shareURL).SMBProperties)
 				c.AssertNoErr(err)
+
+				if f.creationProperties.smbPermissionsSddl != nil {
+					prop, err := dir.GetProperties(ctx)
+					c.AssertNoErr(err)
+
+					perm, err := options.shareURL.GetPermission(ctx, prop.FilePermissionKey())
+					c.AssertNoErr(err)
+
+					dest, _ := sddl.ParseSDDL(perm.Permission)
+					source, _ := sddl.ParseSDDL(*f.creationProperties.smbPermissionsSddl)
+
+					c.Assert(dest.Compare(source), equals(), true)
+				}
 			}
 
 			// set other properties
@@ -721,6 +735,36 @@ func (scenarioHelper) generateAzureFilesFromList(c asserter, options *generateAz
 			c.AssertNoErr(err)
 			c.Assert(cResp.StatusCode(), equals(), 201)
 
+			if f.creationProperties.smbPermissionsSddl != nil || f.creationProperties.smbAttributes != nil {
+				/*
+					via Jason Shay:
+					Providing securityKey/SDDL during 'PUT File' and 'PUT Properties' can and will provide different results/semantics.
+					This is true for the REST PUT commands, as well as locally when providing a SECURITY_DESCRIPTOR in the SECURITY_ATTRIBUTES structure in the CreateFile() call.
+					In both cases of file creation (CreateFile() and REST PUT File), the actual security descriptor applied to the file can undergo some changes as compared to the input.
+
+					SetProperties() (and NtSetSecurityObject) use update semantics, so it should store what you provide it (with a couple exceptions).
+					And on the cloud share, you would need 'Set Properties' to be called as a final step, to save the final ACLs with 'update' semantics.
+
+
+				*/
+
+				_, err := file.SetHTTPHeaders(ctx, headers)
+				c.AssertNoErr(err)
+
+				if f.creationProperties.smbPermissionsSddl != nil {
+					prop, err := file.GetProperties(ctx)
+					c.AssertNoErr(err)
+
+					perm, err := options.shareURL.GetPermission(ctx, prop.FilePermissionKey())
+					c.AssertNoErr(err)
+
+					dest, _ := sddl.ParseSDDL(perm.Permission)
+					source, _ := sddl.ParseSDDL(*f.creationProperties.smbPermissionsSddl)
+
+					c.Assert(dest.Compare(source), equals(), true)
+				}
+			}
+
 			_, err = file.UploadRange(context.Background(), 0, contentR, nil)
 			if err == nil {
 				c.Failed()

e2etest/scenario_os_helpers_for_windows.go

@@ -28,9 +28,11 @@ import (
 	"strings"
 	"syscall"
 	"time"
+	"unsafe"
 
 	"github.com/Azure/azure-storage-azcopy/v10/common"
 	"github.com/Azure/azure-storage-azcopy/v10/ste"
+	"github.com/hillu/go-ntdll"
 	"golang.org/x/sys/windows"
 )
 
@@ -86,8 +88,27 @@ func (osScenarioHelper) getFileAttrs(c asserter, filepath string) *uint32 {
 }
 
 func (osScenarioHelper) getFileSDDLString(c asserter, filepath string) *string {
-	sd, err := windows.GetNamedSecurityInfo(filepath, windows.SE_FILE_OBJECT, windows.OWNER_SECURITY_INFORMATION|windows.GROUP_SECURITY_INFORMATION|windows.DACL_SECURITY_INFORMATION)
+	srcPtr, err := syscall.UTF16PtrFromString(filepath)
 	c.AssertNoErr(err)
+	// custom open call, because must specify FILE_FLAG_BACKUP_SEMANTICS to make --backup mode work properly (i.e. our use of SeBackupPrivilege)
+	fd, err := windows.CreateFile(srcPtr,
+		windows.GENERIC_READ, windows.FILE_SHARE_READ, nil,
+		windows.OPEN_EXISTING, windows.FILE_FLAG_BACKUP_SEMANTICS, 0)
+	c.AssertNoErr(err)
+
+	buf := make([]byte, 512)
+	bufLen := uint32(len(buf))
+	status := ntdll.CallWithExpandingBuffer(func() ntdll.NtStatus {
+		return ntdll.NtQuerySecurityObject(
+			ntdll.Handle(fd),
+			windows.OWNER_SECURITY_INFORMATION|windows.GROUP_SECURITY_INFORMATION|windows.DACL_SECURITY_INFORMATION,
+			(*ntdll.SecurityDescriptor)(unsafe.Pointer(&buf[0])),
+			uint32(len(buf)),
+			&bufLen)
+	}, &buf, &bufLen)
+
+	c.Assert(status, equals(), ntdll.STATUS_SUCCESS)
+	sd := (*windows.SECURITY_DESCRIPTOR)(unsafe.Pointer(&buf[0])) // ntdll.SecurityDescriptor is equivalent
 	ret := sd.String()
 
 	return &ret

e2etest/zt_preserve_smb_properties_test.go

@@ -12,7 +12,7 @@ import (
 	"golang.org/x/sys/windows"
 )
 
-const SampleSDDL = "O:<placeholder>G:<placeholder>D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;<placeholder>)S:NO_ACCESS_CONTROL"
+const SampleSDDL = "O:<placeholder>G:<placeholder>D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;<placeholder>)(D;;FX;;;SY)S:NO_ACCESS_CONTROL"
 const RootSampleSDDL = "O:<placeholder>G:<placeholder>D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;<placeholder>)S:NO_ACCESS_CONTROL"
 const FolderSampleSDDL = "O:<placeholder>G:<placeholder>D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;<placeholder>)S:NO_ACCESS_CONTROL"
 const SampleSDDLPlaceHolder = "<placeholder>"
@@ -63,7 +63,8 @@ func TestProperties_SMBPermissionsSDDLPreserved(t *testing.T) {
 
 	RunScenarios(t, eOperation.Copy(), eTestFromTo.Other(
 		common.EFromTo.LocalFile(),
-		// common.EFromTo.FileFile(), // TODO: finish inquiring with Jason Shay about this wonkiness. Context: Auto-inherit bit is getting flipped on S2S unrelated to azcopy
+		common.EFromTo.FileLocal(),
+		common.EFromTo.FileFile(),
 	), eValidate.Auto(), params{
 		recursive:              true,
 		preserveSMBInfo:        true,

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 	github.com/google/uuid v1.3.0
-	github.com/hillu/go-ntdll v0.0.0-20211217090901-0dd7663bb804
+	github.com/hillu/go-ntdll v0.0.0-20211013113251-9d1dd10a143d
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/mattn/go-ieproxy v0.0.1
 	github.com/minio/minio-go v6.0.14+incompatible

go.sum

@@ -80,12 +80,12 @@ github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3
 github.com/JeffreyRichter/enum v0.0.0-20180725232043-2567042f9cda h1:NOo6+gM9NNPJ3W56nxOKb4164LEw094U0C8zYQM8mQU=
 github.com/JeffreyRichter/enum v0.0.0-20180725232043-2567042f9cda/go.mod h1:2CaSFTh2ph9ymS6goiOKIBdfhwWUVsX4nQ5QjIYFHHs=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/PuerkitoBio/goquery v1.7.1/go.mod h1:XY0pP4kfraEmmV1O7Uf6XyjoslwsneBbgeDjLYuN8xY=
+github.com/PuerkitoBio/goquery v1.6.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/andybalholm/cascadia v1.2.0/go.mod h1:YCyR8vOZT9aZ1CHEd8ap0gMVm2aFgxBp0T0eFw1RUQY=
+github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -271,8 +271,8 @@ github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOn
 github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
 github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
 github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
-github.com/hillu/go-ntdll v0.0.0-20211217090901-0dd7663bb804 h1:OndflF5d6GVByvvo/NKqPtS71SAREkxzE1eYGa2QZ98=
-github.com/hillu/go-ntdll v0.0.0-20211217090901-0dd7663bb804/go.mod h1:cHjYsnAnSckPDx8/H01Y+owD1hf2adLA6VRiw4guEbA=
+github.com/hillu/go-ntdll v0.0.0-20211013113251-9d1dd10a143d h1:GS2pWoXQIkKRhQqfy9QKy/aa928aUNEOIQkGxPivCAE=
+github.com/hillu/go-ntdll v0.0.0-20211013113251-9d1dd10a143d/go.mod h1:jsDwCq+VLI6qnVqFRAlfOC14FULjT1lt99vnszAZ6/Q=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -508,7 +508,6 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98 h1:+6WJMRLHlD7X7frgp7TUZ36RnQzSf9wVVTNakEp+nqY=
@@ -588,6 +587,7 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

sddl/parseSddl.go

@@ -0,0 +1,163 @@
+// Copyright © Microsoft <wastore@microsoft.com>
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+package sddl
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+var translateSID = OSTranslateSID // this layer of indirection is to support unit testing. TODO: it's ugly to set a global to test. Do something better one day
+
+func IffInt(condition bool, tVal, fVal int) int {
+	if condition {
+		return tVal
+	}
+	return fVal
+}
+
+func ParseSDDL(input string) (sddl SDDLString, err error) {
+	scope := 0                     // if scope is 1, we're in an ACE string, if scope is 2, we're in a resource attribute.
+	inString := false              // If a quotation mark was found, we've entered a string and should ignore all characters except another quotation mark.
+	elementStart := make([]int, 0) // This is the start of the element we're currently analyzing. If the array has more than one element, we're probably under a lower scope.
+	awaitingACLFlags := false      // If this is true, a ACL section was just entered, and we're awaiting our first ACE string
+	var elementType rune           // We need to keep track of which section of the SDDL string we're in.
+	for k, v := range input {
+		switch {
+		case inString: // ignore characters within a string-- except for the end of a string, and escaped quotes
+			if v == '"' && input[k-1] != '\\' {
+				inString = false
+			}
+		case v == '"':
+			inString = true
+		case v == '(': // this comes before scope == 1 because ACE strings can be multi-leveled. We only care about the bottom level.
+			scope++
+			if scope == 1 { // only do this if we're in the base of an ACE string-- We don't care about the metadata as much.
+				if awaitingACLFlags {
+					err := sddl.setACLFlags(input[elementStart[0]:k], elementType)
+
+					if err != nil {
+						return sddl, err
+					}
+
+					awaitingACLFlags = false
+				}
+				elementStart = append(elementStart, k+1) // raise the element start scope
+				err := sddl.startACL(elementType)
+
+				if err != nil {
+					return sddl, err
+				}
+			}
+		case v == ')':
+			// (...,...,...,(...))
+			scope--
+			if scope == 0 {
+				err := sddl.putACLElement(input[elementStart[1]:k], elementType)
+
+				if err != nil {
+					return sddl, err
+				}
+
+				elementStart = elementStart[:1] // lower the element start scope
+			}
+		case scope == 1: // We're at the top level of an ACE string
+			switch v {
+			case ';':
+				// moving to the next element
+				err := sddl.putACLElement(input[elementStart[1]:k], elementType)
+
+				if err != nil {
+					return sddl, err
+				}
+
+				elementStart[1] = k + 1 // move onto the next bit of the element scope
+			}
+		case scope == 0: // We're at the top level of a SDDL string
+			if k == len(input)-1 || v == ':' { // If we end the string OR start a new section
+				if elementType != 0x00 {
+					switch elementType {
+					case 'O':
+						// you are here:
+						//       V
+						// O:...G:
+						//      ^
+						//      k-1
+						// string separations in go happen [x:y).
+						sddl.OwnerSID = strings.TrimSpace(input[elementStart[0]:IffInt(k == len(input)-1, len(input), k-1)])
+					case 'G':
+						sddl.GroupSID = strings.TrimSpace(input[elementStart[0]:IffInt(k == len(input)-1, len(input), k-1)])
+					case 'D', 'S': // These are both parsed WHILE they happen, UNLESS we're awaiting flags.
+						if awaitingACLFlags {
+							err := sddl.setACLFlags(strings.TrimSpace(input[elementStart[0]:IffInt(k == len(input)-1, len(input), k-1)]), elementType)
+
+							if err != nil {
+								return sddl, err
+							}
+						}
+					default:
+						return sddl, fmt.Errorf("%s is an invalid SDDL section", string(elementType))
+					}
+				}
+
+				if v == ':' {
+					// set element type to last character
+					elementType = rune(input[k-1])
+
+					// await ACL flags
+					if elementType == 'D' || elementType == 'S' {
+						awaitingACLFlags = true
+					}
+
+					// set element start to next character
+					if len(elementStart) == 0 { // start the list if it's empty
+						elementStart = append(elementStart, k+1)
+					} else if len(elementStart) > 1 {
+						return sddl, errors.New("elementStart too long for starting a new part of a SDDL")
+					} else { // assign the new element start
+						elementStart[0] = k + 1
+					}
+				}
+			}
+		}
+	}
+
+	if scope > 0 || inString {
+		return sddl, errors.New("string or scope not fully exited")
+	}
+
+	if err == nil {
+		if !sanityCheckSDDLParse(input, sddl) {
+			return sddl, errors.New("SDDL parsing sanity check failed")
+		}
+	}
+
+	return
+}
+
+var sddlWhitespaceRegex = regexp.MustCompile(`[\x09-\x0D ]`)
+
+func sanityCheckSDDLParse(original string, parsed SDDLString) bool {
+	return sddlWhitespaceRegex.ReplaceAllString(original, "") ==
+		sddlWhitespaceRegex.ReplaceAllString(parsed.String(), "")
+}