libcli/security: begin claim_v1_check_and_sort with Boolean checks

claim_v1_check_and_sort() is meant to sort the claim values and check
that there are no duplicates, as well as making some value checks.

In order to ease into the idea, we look first at the case where the claim
has Boolean values. There are only two values allowed, which limits the
length of a valid claim set and means we only really need to "sort" in
the {1, 0} case, which we rewrite in place as {0, 1}.

That's what will happen with other types: we'll sort in-place, make
some checks on values, set flags, and return an error if there are
duplicates or value errors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security/claims-conversions.c

@@ -703,6 +703,58 @@ bool add_claim_to_token(TALLOC_CTX *mem_ctx,
 	return true;
 }
 
+
+static NTSTATUS claim_v1_check_and_sort_boolean(
+	TALLOC_CTX *mem_ctx,
+	struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim)
+{
+	/*
+	 * There are so few valid orders in a boolean claim that we can
+	 * enumerate them all.
+	 */
+	switch (claim->value_count) {
+	case 0:
+		return NT_STATUS_OK;
+	case 1:
+		if (*claim->values[0].uint_value == 0 ||
+		    *claim->values[0].uint_value == 1) {
+			return NT_STATUS_OK;
+		}
+		break;
+	case 2:
+		if (*claim->values[0].uint_value == 1) {
+			/* switch the order. */
+			*claim->values[0].uint_value = *claim->values[1].uint_value;
+			*claim->values[1].uint_value = 1;
+		}
+		if (*claim->values[0].uint_value == 0 &&
+		    *claim->values[1].uint_value == 1) {
+			return NT_STATUS_OK;
+		}
+		break;
+	default:
+		/* 3 or more must have duplicates. */
+		break;
+	}
+	return NT_STATUS_INVALID_PARAMETER;
+}
+
+
+NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
+				 struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim,
+				 bool case_sensitive)
+{
+	if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
+		NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim);
+		if (NT_STATUS_IS_OK(status)) {
+			claim->flags |= CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED;
+		}
+		return status;
+	}
+	return NT_STATUS_OK;
+}
+
+
 NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 				   const struct CLAIMS_SET *claims_set,
 				   struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 **out_claims,

libcli/security/claims-conversions.h

@@ -48,4 +48,9 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 				   struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 **out_claims,
 				   uint32_t *out_n_claims);
 
+NTSTATUS claim_v1_check_and_sort(
+	TALLOC_CTX *mem_ctx,
+	struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim,
+	bool case_sensitive);
+
 #endif /* LIBCLI_SECURITY_CLAIMS_CONVERSIONS_H */