From a757a51a26f664591ab776db99bf48acfa698591 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Sat, 25 Nov 2023 12:55:09 +1300
Subject: [PATCH] libcli/security: note suboptimality of conditional ACE
 Contains operators
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Contains and Any_of operators could use a sorted comparison like
compare_composites_via_sort(), rather than O(n²) nested loops. But
that would involve an amount of quite fiddly work that I am not starting
on now.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224
---
 libcli/security/conditional_ace.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 319b3ed4217..1876b52c141 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -1960,6 +1960,10 @@ static bool contains_operator(const struct ace_condition_token *lhs,
 	 *
 	 * Both the lhs or rhs can be solitary objects or composites.
 	 * This makes it a bit fiddlier.
+	 *
+	 * NOTE: this operator does not take advantage of the
+	 * CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED flag. It could, but it
+	 * doesn't.
 	 */
 	if (lhs->type == CONDITIONAL_ACE_TOKEN_COMPOSITE) {
 		struct ace_condition_composite candidates = lhs->data.composite;
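Review bot: the added NOTE in the comment block above the `lhs->type == CONDITIONAL_ACE_TOKEN_COMPOSITE` check says the operator "could" use CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED "but it doesn't", without recording what is lost or what the fix would look like. The commit message has both pieces (O(n²) nested loops versus a sorted comparison like compare_composites_via_sort()), and a reader of the source will not see it there, so consider moving that into the comment, e.g. "the comparison is O(n²); a sorted comparison like compare_composites_via_sort() could be used when both sides carry the flag". The commit message also names Any_of, yet the diffstat shows a single 4-line insertion in contains_operator; either state in this comment that the remark covers Any_of as well, or add a matching note where Any_of is handled.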