samba.git/libcli/security/conditional_ace.c, branch master Unnamed repository; edit this file 'description' to name the repository. libcli: Align an integer type 2024-12-17T12:30:30+00:00 Volker Lendecke vl@samba.org 2024-12-03T12:33:48+00:00 d6ec1f42c6222601665217fb71934983674997e0 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
libcli: Remove the "mem_ctx" argument from pull_integer() 2024-12-17T12:30:30+00:00 Volker Lendecke vl@samba.org 2024-11-28T17:01:21+00:00 391962e26208ee722dca3367e8a9f793bfa7b079 Not needed anymore Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
Not needed anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
libcli: Simplify pull_integer() 2024-12-17T12:30:30+00:00 Volker Lendecke vl@samba.org 2024-11-28T16:58:59+00:00 dddbab8e36ca47fb1799cfc38087d5bfcd694a03 Use ndr_pull_struct_blob_noalloc, we don't need talloc here. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
Use ndr_pull_struct_blob_noalloc, we don't need talloc here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
libsecurity: Simplify struct ace_condition_script 2024-09-06T14:23:58+00:00 Volker Lendecke vl@samba.org 2024-09-04T15:13:44+00:00 5ad8536ec766b1d0867acfe2c34677400fb29526 We only need the stack temporarily, no reason to put it in the struct Signed-off-by: Volker Lendecke <vl@samba.org> Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Sep 6 14:23:58 UTC 2024 on atb-devel-224 
We only need the stack temporarily, no reason to put it in the struct

Signed-off-by: Volker Lendecke <vl@samba.org>
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Sep  6 14:23:58 UTC 2024 on atb-devel-224
libcli/security: don't allow conditional ACE SIDs to have trailing bytes 2023-12-14T03:31:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-12-13T02:39:33+00:00 a016ce70684e5237764b2432fa182ba8b0af6b0b They should be tightly packed, allowing conditional ACEs to round-trip. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64197 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
They should be tightly packed, allowing conditional ACEs to
round-trip.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64197

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: note suboptimality of conditional ACE Contains operators 2023-11-27T23:38:13+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-11-24T23:55:09+00:00 a757a51a26f664591ab776db99bf48acfa698591 The Contains and Any_of operators could use a sorted comparison like compare_composites_via_sort(), rather than O(n²) nested loops. But that would involve amount of quite fiddly work that I am not starting on now. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224 
The Contains and Any_of operators could use a sorted comparison like
compare_composites_via_sort(), rather than O(n²) nested loops. But
that would involve amount of quite fiddly work that I am not starting
on now.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224
libcli/security: comparability check: claim members are of one type 2023-11-27T22:37:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-11-23T00:03:15+00:00 2eb00c0bba5ed1abaa15c1511c6012da56a78604 We know from the way claims are defined, and from the code that checks sortedness and sets the flag. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: shift comparability check to shortcut exits 2023-11-27T22:37:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-11-23T00:01:49+00:00 55999b7b7b2b423eea3c26425c09130059bb4fd9 The ordinary comparison path, using the sorted arrays, already implicitly checks for comparability. We only need this when we're leaving early. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The ordinary comparison path, using the sorted arrays, already implicitly
checks for comparability. We only need this when we're leaving early.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: add shortcuts for conditional ACE compare 2023-11-27T22:37:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-11-22T23:47:45+00:00 6c6f25904ee34fc34ce760311197ead6fa64d8ab If the number of members does not match in certain ways we can say the sets are not equal without comparing the members. We first need to check for comparability, though, so that we can return an error if things aren't comparable. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
If the number of members does not match in certain ways we can
say the sets are not equal without comparing the members.

We first need to check for comparability, though, so that we can return
an error if things aren't comparable.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: improve conditional ACE composite comparison 2023-11-27T22:37:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2023-11-10T03:27:45+00:00 8bad19c42e14f0f7d459db41577a950f97306bcc We had the comparison method wrong. Composites are compared as sets or flabby sets, depending on their origin. Until now we compared them as something a bit like sets, but not quite, in a maximally inefficient way. Claims are always sets, and the left hand side is always a claim, but literal composites on the right hand side can be multi-sets (containing duplicate values). When it comes to comparison, composites are reduced down to sets. To do the comparison we sort each side and compare in order. The fact that either side might ask for case-sensitive comparison (if it is a claim) is an interesting complication. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We had the comparison method wrong. Composites are compared as sets or
flabby sets, depending on their origin. Until now we compared them as
something a bit like sets, but not quite, in a maximally inefficient way.

Claims are always sets, and the left hand side is always a claim, but
literal composites on the right hand side can be multi-sets
(containing duplicate values). When it comes to comparison, composites
are reduced down to sets. To do the comparison we sort each side and
compare in order.

The fact that either side might ask for case-sensitive comparison (if
it is a claim) is an interesting complication.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>