cmd/go: add TestACL

Add test that verifies that go command produces executable
that have security attributes of the target directory.

Update #22343

Change-Id: Ieab02381927a2b09bee21c49c043b3298bd088e6
Reviewed-on: https://go-review.googlesource.com/78215
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/cmd/go/go_windows_test.go b/src/cmd/go/go_windows_test.go
index d8d04aaf497e210bbdde93df4a5a356c87bc3eff..aa68a195802aea70108138fcad1a97aafe4ec299 100644 (file)
--- a/src/cmd/go/go_windows_test.go
+++ b/src/cmd/go/go_windows_test.go
@@ -5,12 +5,14 @@
 package main
 
 import (
+       "fmt"
        "internal/testenv"
        "io/ioutil"
        "os"
        "os/exec"
        "path/filepath"
        "strings"
+       "syscall"
        "testing"
 )
 
@@ -54,3 +56,82 @@ func TestAbsolutePath(t *testing.T) {
                t.Fatalf("wrong output found: %v %v", err, string(output))
        }
 }
+
+func isWindowsXP(t *testing.T) bool {
+       v, err := syscall.GetVersion()
+       if err != nil {
+               t.Fatalf("GetVersion failed: %v", err)
+       }
+       major := byte(v)
+       return major < 6
+}
+
+func runIcacls(t *testing.T, args ...string) string {
+       t.Helper()
+       out, err := exec.Command("icacls", args...).CombinedOutput()
+       if err != nil {
+               t.Fatalf("icacls failed: %v\n%v", err, string(out))
+       }
+       return string(out)
+}
+
+func runGetACL(t *testing.T, path string) string {
+       t.Helper()
+       cmd := fmt.Sprintf(`Get-Acl "%s" | Select -expand AccessToString`, path)
+       out, err := exec.Command("powershell", "-Command", cmd).CombinedOutput()
+       if err != nil {
+               t.Fatalf("Get-Acl failed: %v\n%v", err, string(out))
+       }
+       return string(out)
+}
+
+// For issue 22343: verify that executable file created by "go build" command
+// has discretionary access control list (DACL) set as if the file
+// was created in the destination directory.
+func TestACL(t *testing.T) {
+       if isWindowsXP(t) {
+               t.Skip("Windows XP does not have powershell command")
+       }
+
+       tmpdir, err := ioutil.TempDir("", "TestACL")
+       if err != nil {
+               t.Fatal(err)
+       }
+       defer os.RemoveAll(tmpdir)
+
+       newtmpdir := filepath.Join(tmpdir, "tmp")
+       err = os.Mkdir(newtmpdir, 0777)
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       // When TestACL/tmp directory is created, it will have
+       // the same security attributes as TestACL.
+       // Add Guest account full access to TestACL/tmp - this
+       // will make all files created in TestACL/tmp have different
+       // security attributes to the files created in TestACL.
+       runIcacls(t, newtmpdir,
+               "/grant", "guest:(oi)(ci)f", // add Guest user to have full access
+       )
+
+       src := filepath.Join(tmpdir, "main.go")
+       err = ioutil.WriteFile(src, []byte("package main; func main() { }\n"), 0644)
+       if err != nil {
+               t.Fatal(err)
+       }
+       exe := filepath.Join(tmpdir, "main.exe")
+       cmd := exec.Command(testenv.GoToolPath(t), "build", "-o", exe, src)
+       cmd.Env = append(os.Environ(),
+               "TMP="+newtmpdir,
+               "TEMP="+newtmpdir,
+       )
+       out, err := cmd.CombinedOutput()
+       if err != nil {
+               t.Fatalf("go command failed: %v\n%v", err, string(out))
+       }
+
+       // exe file is expected to have the same security attributes as the src.
+       if got, expected := runGetACL(t, exe), runGetACL(t, src); got != expected {
+               t.Fatalf("expected Get-Acl output of \n%v\n, got \n%v\n", expected, got)
+       }
+}