From 2bf404eb5a999a174c1821402eb553da8576489d Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Fri, 21 Jul 2023 16:40:38 +1200
Subject: [PATCH] libcli/security: make sddl_encode_sid an external function

Mirroring the last commit for sddl_decode_sid, we want to be able to encode SIDs from sibling source files. The dom_sid functions are insufficient for this because they don't know the SDDL short aliases, like "WD".

sddl_transition_encode_sid() is used internally.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 libcli/security/sddl.c | 27 ++++++++++++++++++++++-----
 libcli/security/sddl.h | 3 +++
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 84d34b94c90..31c730c03f6 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -784,8 +784,8 @@ failed:
 /*
 encode a sid in SDDL format
 */
-static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
- struct sddl_transition_state *state)
+static char *sddl_transition_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ struct sddl_transition_state *state)
 {
 bool in_machine = dom_sid_in_domain(state->machine_sid, sid);
 bool in_domain = dom_sid_in_domain(state->domain_sid, sid);
@@ -830,6 +830,23 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 return talloc_strdup(mem_ctx, sidstr);
 }
 
+char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ const struct dom_sid *domain_sid)
+{
+ struct sddl_transition_state state = {
+ /*
+ * TODO: verify .machine_rid values really belong to
+ * to the machine_sid on a member, once
+ * we pass machine_sid from the caller...
+ */
+ .machine_sid = domain_sid,
+ .domain_sid = domain_sid,
+ .forest_sid = domain_sid,
+ };
+ return sddl_transition_encode_sid(mem_ctx, sid, &state);
+}
+
+
 /*
 encode an ACE in SDDL format
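Review bot: In the new sddl_encode_sid() wrapper the TODO only covers machine_sid, but forest_sid is aliased to the caller's domain_sid as well, so the in_machine/in_domain tests visible at the top of sddl_transition_encode_sid() can never disagree, and whatever the encoder does with forest_sid (its body lies outside this hunk) is also driven by the domain SID. Because the result is an authorization string, a SID that is machine-local or forest-root-relative on a member or in a multi-domain forest could presumably be emitted in a form that a decoder using a different domain SID resolves to a different principal, which is worth stating now that external callers are being invited to use this function. I would widen the comment to `/* TODO: machine_sid and forest_sid are both set to domain_sid; machine-local and forest-root SIDs are therefore encoded as if domain-relative until callers can pass them separately. */` and repeat the caveat at the prototype in sddl.h. Whether a NULL domain_sid is acceptable is decided by sddl_transition_encode_sid() and dom_sid_in_domain(), both outside this hunk, so that part of the contract should be stated explicitly rather than left to the callee.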
@@ -890,7 +907,7 @@ static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct securi
 }
 }
 
- sddl_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, state);
+ sddl_trustee = sddl_transition_encode_sid(tmp_ctx, &ace->trustee, state);
 if (sddl_trustee == NULL) {
 goto failed;
 }
@@ -976,14 +993,14 @@ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
 tmp_ctx = talloc_new(mem_ctx);
 
 if (sd->owner_sid != NULL) {
- char *sid = sddl_encode_sid(tmp_ctx, sd->owner_sid, &state);
+ char *sid = sddl_transition_encode_sid(tmp_ctx, sd->owner_sid, &state);
 if (sid == NULL) goto failed;
 sddl = talloc_asprintf_append_buffer(sddl, "O:%s", sid);
 if (sddl == NULL) goto failed;
 }
 
 if (sd->group_sid != NULL) {
- char *sid = sddl_encode_sid(tmp_ctx, sd->group_sid, &state);
+ char *sid = sddl_transition_encode_sid(tmp_ctx, sd->group_sid, &state);
 if (sid == NULL) goto failed;
 sddl = talloc_asprintf_append_buffer(sddl, "G:%s", sid);
 if (sddl == NULL) goto failed;
diff --git a/libcli/security/sddl.h b/libcli/security/sddl.h
index 810b072fec3..824b7032546 100644
--- a/libcli/security/sddl.h
+++ b/libcli/security/sddl.h
@@ -33,4 +33,7 @@ char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
 struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
 const struct dom_sid *domain_sid);
 
+char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ const struct dom_sid *domain_sid);
+
 #endif /* __SDDL_H__ */
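Review bot: The new prototype in sddl.h carries no documentation, so an external caller cannot tell from the header that domain_sid is also used as the machine and forest SID for alias resolution, that the returned string is allocated on mem_ctx, or that NULL signals failure (the callers in the preceding hunks check for NULL before use). I would add above the declaration a comment along the lines of `/* Encode sid as SDDL (short alias such as "WD", or S-1-... form); domain_sid also stands in for the machine and forest SIDs. Returns a string allocated on mem_ctx, or NULL on failure. */`. The existing declarations in this header are undocumented, so this may be local convention, but a function that is now part of the public interface is the place to start.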