From a757a51a26f664591ab776db99bf48acfa698591 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Date: Sat, 25 Nov 2023 12:55:09 +1300 Subject: [PATCH] libcli/security: note suboptimality of conditional ACE Contains operators MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Contains and Any_of operators could use a sorted comparison like compare_composites_via_sort(), rather than O(n²) nested loops. But that would involve amount of quite fiddly work that I am not starting on now. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224 --- libcli/security/conditional_ace.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c index 319b3ed4217..1876b52c141 100644 --- a/libcli/security/conditional_ace.c +++ b/libcli/security/conditional_ace.c @@ -1960,6 +1960,10 @@ static bool contains_operator(const struct ace_condition_token *lhs, * * Both the lhs or rhs can be solitary objects or composites. * This makes it a bit fiddlier. + * + * NOTE: this operator does not take advantage of the + * CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED flag. It could, but it + * doesn't. */ if (lhs->type == CONDITIONAL_ACE_TOKEN_COMPOSITE) { struct ace_condition_composite candidates = lhs->data.composite;