libcli/security: cmocka test for running conditional ACEs

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security/tests/test_run_conditional_ace.c

@@ -0,0 +1,674 @@
+/*
+ * Unit tests for conditional ACE SDDL.
+ *
+ *  Copyright (C) Catalyst.NET Ltd 2023
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include "cmocka.h"
+
+#include "lib/util/attr.h"
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "libcli/security/conditional_ace.h"
+#include "librpc/gen_ndr/conditional_ace.h"
+#include "libcli/security/claims-conversions.h"
+
+#define debug_message(...) print_message(__VA_ARGS__)
+
+#define debug_fail(x, ...) print_message("\033[1;31m" x "\033[0m", __VA_ARGS__)
+#define debug_ok(x, ...) print_message("\033[1;32m" x "\033[0m", __VA_ARGS__)
+
+#define assert_ntstatus_equal(got, expected, comment)	  \
+	do { NTSTATUS __got = got, __expected = expected;		\
+		if (!NT_STATUS_EQUAL(__got, __expected)) {		\
+			print_message(": "#got" was %s, expected %s: %s", \
+				      nt_errstr(__got),			\
+				      nt_errstr(__expected), comment);	\
+			fail();						\
+		}							\
+	} while(0)
+
+
+
+
+/*
+static void print_error_message(const char *sddl,
+				const char *message,
+				size_t message_offset)
+{
+	print_message("%s\n\033[1;33m %*c\033[0m\n", sddl,
+		      (int)message_offset, '^');
+	print_message("%s\n", message);
+}
+*/
+static bool fill_token_claims(TALLOC_CTX *mem_ctx,
+			      struct security_token *token,
+			   const char *claim_type,
+			   const char *name,
+			   ...)
+{
+	va_list args;
+	va_start(args, name);
+	while (true) {
+		struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
+		const char *str = va_arg(args, const char *);
+		if (str == NULL) {
+			break;
+		}
+		claim = parse_sddl_literal_as_claim(mem_ctx,
+						    name,
+						    str);
+		if (claim == NULL) {
+			debug_fail("bad claim: %s\n", str);
+			return false;
+		}
+		add_claim_to_token(mem_ctx, token, claim, claim_type);
+	}
+	va_end(args);
+	return true;
+}
+
+
+static bool fill_token_sids(TALLOC_CTX *mem_ctx,
+			    struct security_token *token,
+			    const char *owner,
+			 ...)
+{
+	uint32_t *n = &token->num_sids;
+	struct dom_sid **list = NULL;
+	va_list args;
+	if (strcmp(owner, "device") == 0) {
+		n = &token->num_device_sids;
+		list = &token->device_sids;
+	} else if (strcmp(owner, "user") == 0) {
+		n = &token->num_sids;
+		list = &token->sids;
+	} else {
+		return false;
+	}
+
+	*n = 0;
+	va_start(args, owner);
+	while (true) {
+		struct dom_sid *sid = NULL;
+		const char *str = va_arg(args, const char *);
+		if (str == NULL) {
+			break;
+		}
+
+		sid = sddl_decode_sid(mem_ctx, &str, NULL);
+		if (sid == NULL) {
+			debug_fail("bad SID: %s\n", str);
+			return false;
+		}
+		add_sid_to_array(mem_ctx, sid, list, n);
+	}
+	va_end(args);
+	return true;
+}
+
+
+static void test_device_claims_composite(void **state)
+{
+	TALLOC_CTX *mem_ctx = talloc_new(NULL);
+	struct security_token token = {};
+	bool ok;
+	NTSTATUS status;
+	uint32_t access_granted = 0;
+	struct security_descriptor *sd = NULL;
+	const char *sddl = \
+		"D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))";
+	ok = fill_token_sids(mem_ctx, &token,
+			     "user",
+			     "WD", "AA", NULL);
+	assert_true(ok);
+	ok = fill_token_claims(mem_ctx, &token,
+			       "device", "colour",
+			       "{\"orange\", \"blue\"}",
+			       NULL);
+	assert_true(ok);
+	sd = sddl_decode(mem_ctx, sddl, NULL);
+	assert_non_null(sd);
+	status = se_access_check(sd, &token, 0x10, &access_granted);
+	assert_ntstatus_equal(status, NT_STATUS_OK, "access check failed\n");
+}
+
+
+static bool fill_sd(TALLOC_CTX *mem_ctx,
+		    struct security_descriptor **sd,
+		    const char *sddl)
+{
+	*sd = sddl_decode(mem_ctx, sddl, NULL);
+	return *sd != NULL;
+}
+
+#define USER_SIDS(...) \
+	assert_true(fill_token_sids(mem_ctx, &token, "user", __VA_ARGS__, NULL))
+
+#define DEVICE_SIDS(...) \
+	assert_true(     \
+		fill_token_sids(mem_ctx, &token, "device", __VA_ARGS__, NULL))
+
+#define USER_CLAIMS(...) \
+	assert_true(     \
+		fill_token_claims(mem_ctx, &token, "user", __VA_ARGS__, NULL))
+
+#define LOCAL_CLAIMS(...)                          \
+	assert_true(fill_token_claims(mem_ctx,     \
+				      &token,      \
+				      "local",     \
+				      __VA_ARGS__, \
+				      NULL))
+
+#define DEVICE_CLAIMS(...)                         \
+	assert_true(fill_token_claims(mem_ctx,     \
+				      &token,      \
+				      "device",    \
+				      __VA_ARGS__, \
+				      NULL))
+
+
+#define SD(sddl) assert_true(fill_sd(mem_ctx, &sd, sddl))
+#define SD_FAIL(sddl) assert_false(fill_sd(mem_ctx, &sd, sddl))
+
+#define ALLOW_CHECK(requested)                                 \
+	do {                                                   \
+		NTSTATUS status;                               \
+		uint32_t access_granted = 0;                   \
+		status = se_access_check(sd,                   \
+					 &token,               \
+					 requested,            \
+					 &access_granted);     \
+		assert_ntstatus_equal(status,                  \
+				      NT_STATUS_OK,            \
+				      "access not granted\n"); \
+	} while (0)
+
+
+#define DENY_CHECK(requested)                                  \
+	do {                                                   \
+		NTSTATUS status;                               \
+		uint32_t access_granted = 0;                   \
+		status = se_access_check(sd,                   \
+					 &token,               \
+					 requested,            \
+					 &access_granted);     \
+		assert_ntstatus_equal(status,                  \
+				      NT_STATUS_ACCESS_DENIED, \
+				      "not denied\n");         \
+	} while (0)
+
+
+#define INIT()					\
+	TALLOC_CTX *mem_ctx = talloc_new(NULL);	\
+	struct security_token token = {};	\
+	struct security_descriptor *sd = NULL;
+
+
+
+static void test_composite_different_order(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"blue\", \"orange\"}");
+	/*
+	 * Claim arrays are sets, so we assume conditional ACE ones are too.
+	 */
+	ALLOW_CHECK(0x10);
+}
+
+static void test_composite_different_order_with_dupes(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\", \"orange\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"blue\", \"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_composite_different_order_with_SID_dupes(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == {SID(WD), SID(AA), SID(WD)}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_composite_mixed_types(void **state)
+{
+	/*
+	 * If the conditional ACE composite hasa mixed types, it can
+	 * never equal a claim, which only has one type.
+	 */
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == {2, SID(WD), SID(AA), SID(WD)}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{SID(AA), SID(AA), SID(WD)}");
+	DENY_CHECK(0x10);
+}
+
+static void test_different_case(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_different_case_with_case_sensitive_flag(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"OraNgE\", \"BLuE\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	/* set the flag bit */
+	token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
+	DENY_CHECK(0x10);
+}
+
+
+static void test_claim_name_different_case(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_claim_name_different_case_case_flag(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.Colour == {\"orange\", \"blue\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	/*
+	 * The CASE_SENSITIVE flag is for the values, not the names.
+	 */
+	token.device_claims[0].flags = CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE;
+	ALLOW_CHECK(0x10);
+}
+
+static void test_more_values_not_equal(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour != {\"orange\", \"blue\", \"green\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_contains(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_contains_incomplete(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains {\"orange\", \"blue\", \"red\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	DENY_CHECK(0x10);
+}
+
+static void test_any_of(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"orange\", \"blue\", \"red\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_any_of_match_last(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of {\"a\", \"b\", \"blue\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_any_of_1(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of\"blue\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_contains_1(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"blue\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_contains_1_fail(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains \"pink\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	DENY_CHECK(0x10);
+}
+
+static void test_any_of_1_fail(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of \"pink\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	DENY_CHECK(0x10);
+}
+
+
+static void test_not_any_of_1_fail(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of\"blue\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	DENY_CHECK(0x10);
+}
+
+static void test_not_any_of_composite_1(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of{\"blue\"}))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	DENY_CHECK(0x10);
+}
+
+static void test_not_contains_1_fail(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"blue\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	DENY_CHECK(0x10);
+}
+
+static void test_not_contains_1(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Contains \"pink\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_not_any_of_1(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Not_Any_of \"pink\"))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_not_Not_Any_of_1(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(!(@Device.colour Not_Any_of \"pink\")))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	DENY_CHECK(0x10);
+}
+
+static void test_not_Not_Contains_1(void **state)
+{
+	INIT()
+	SD("D:(XA;;0x1f;;;AA;(! (@Device.colour Not_Contains \"blue\")))");
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	ALLOW_CHECK(0x10);
+}
+
+
+static void test_not_not_Not_Member_of(void **state)
+{
+	INIT();
+	SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(BA)}))))");
+	USER_SIDS("WD", "AA");
+	DEVICE_SIDS("BA", "BG");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_not_not_Not_Member_of_fail(void **state)
+{
+	INIT();
+	SD("D:(XA;;0x1f;;;AA;(!(!(Not_Member_of{SID(AA)}))))");
+	USER_SIDS("WD", "AA");
+	DEVICE_SIDS("BA", "BG");
+	DENY_CHECK(0x10);
+}
+
+static void test_not_not_not_not_not_not_not_not_not_not_Not_Member_of(void **state)
+{
+	INIT();
+	SD("D:(XA;;0x1f;;;AA;(!(!(!( !(!(!(  !(!(!( "
+	   "Not_Member_of{SID(AA)})))))))))))");
+	USER_SIDS("WD", "AA");
+	DEVICE_SIDS("BA", "BG");
+	ALLOW_CHECK(0x10);
+}
+
+
+static void test_Device_Member_of_and_Member_of(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	DEVICE_SIDS("BA", "BG");
+	SD("D:(XA;;0x1f;;;AA;"
+	   "(Device_Member_of{SID(BA)} && Member_of{SID(WD)}))");
+	ALLOW_CHECK(0x10);
+}
+
+
+static void test_Device_claim_contains_Resource_claim(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "\"blue\"");
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+	   "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+	ALLOW_CHECK(0x10);
+}
+
+
+static void test_device_claim_comtains_resource_claim(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "\"blue\"");
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+	   "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_device_claim_eq_resource_claim(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "\"blue\"");
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == @Resource.colour))"
+	   "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_user_claim_eq_device_claim(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	USER_CLAIMS("colour", "\"blue\"");
+	DEVICE_CLAIMS("colour", "\"blue\"");
+	SD("D:(XA;;0x1f;;;AA;(@User.colour == @Device.colour))");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_device_claim_eq_resource_claim_2(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"orange\", \"blue\"}");
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour == {\"orange\", \"blue\"}))");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_resource_ace_multi(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "{\"blue\", \"red\"}");
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+	   "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\", \"red\"))");
+	ALLOW_CHECK(0x10);
+}
+
+static void test_resource_ace_multi_any_of(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA");
+	DEVICE_CLAIMS("colour", "\"blue\"");
+	SD("D:(XA;;0x1f;;;AA;(@Device.colour Any_of @Resource.colour))"
+	   "S:(RA;;;;;WD;(\"colour\",TS,0,\"grue\", \"blue\", \"red\"))");
+	ALLOW_CHECK(0x10);
+}
+
+
+static void test_horrible_fuzz_derived_test_3(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA", "IS");
+	SD("S:PPPPPPD:(XD;OI;0x1;;;IS;())(OL;;GR;;;S-1-5-75-552)");
+	DENY_CHECK(0x1);
+}
+
+static void test_horrible_fuzz_derived_test_4(void **state)
+{
+	INIT();
+	USER_SIDS("WD", "AA", "IS");
+	SD_FAIL("S:PPD:(XA;OI;0x1;;;IS;(q>))");
+}
+
+static void test_resource_ace_single(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        DEVICE_CLAIMS("colour", "\"blue\"");
+        SD("D:(XA;;0x1f;;;AA;(@Device.colour Contains @Resource.colour))"
+	   "S:(RA;;;;;WD;(\"colour\",TS,0,\"blue\"))");
+        ALLOW_CHECK(0x10);
+}
+
+
+static void test_user_attr_any_of_missing_resource_and_user_attr(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        DEVICE_CLAIMS("colour", "\"blue\"");
+        SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
+        DENY_CHECK(0x10);
+}
+
+static void test_user_attr_any_of_missing_resource_attr(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        USER_CLAIMS("Project", "3");
+        SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))");
+        DENY_CHECK(0x10);
+}
+
+static void test_user_attr_any_of_missing_user_attr(void **state)
+{
+        INIT();
+        USER_SIDS("WD", "AA");
+        SD("D:(XD;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))"
+	   "S:(RA;;;;;WD;(\"Project\",TX,0,#1234))");
+        DENY_CHECK(0x10);
+}
+
+
+int main(_UNUSED_ int argc, _UNUSED_ const char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(test_user_attr_any_of_missing_resource_and_user_attr),
+		cmocka_unit_test(test_user_attr_any_of_missing_resource_attr),
+		cmocka_unit_test(test_user_attr_any_of_missing_user_attr),
+		cmocka_unit_test(test_composite_mixed_types),
+		cmocka_unit_test(test_composite_different_order_with_SID_dupes),
+		cmocka_unit_test(test_device_claim_eq_resource_claim_2),
+		cmocka_unit_test(test_not_Not_Any_of_1),		
+		cmocka_unit_test(test_not_any_of_composite_1),		
+		cmocka_unit_test(test_resource_ace_single),
+		cmocka_unit_test(test_horrible_fuzz_derived_test_4),
+		cmocka_unit_test(test_horrible_fuzz_derived_test_3),
+		cmocka_unit_test(test_Device_Member_of_and_Member_of),
+		cmocka_unit_test(test_resource_ace_multi),
+		cmocka_unit_test(test_resource_ace_multi_any_of),
+		cmocka_unit_test(test_user_claim_eq_device_claim),
+		cmocka_unit_test(test_device_claim_comtains_resource_claim),
+		cmocka_unit_test(test_device_claim_eq_resource_claim),
+		cmocka_unit_test(test_Device_claim_contains_Resource_claim),
+		cmocka_unit_test(test_not_Not_Contains_1),
+		cmocka_unit_test(test_not_not_Not_Member_of_fail),
+		cmocka_unit_test(test_not_not_Not_Member_of),
+		cmocka_unit_test(test_not_not_not_not_not_not_not_not_not_not_Not_Member_of),
+		cmocka_unit_test(test_not_any_of_1_fail),
+		cmocka_unit_test(test_not_any_of_1),
+		cmocka_unit_test(test_not_contains_1),
+		cmocka_unit_test(test_not_contains_1_fail),
+		cmocka_unit_test(test_any_of_1_fail),
+		cmocka_unit_test(test_any_of_1),
+		cmocka_unit_test(test_any_of),
+		cmocka_unit_test(test_any_of_match_last),
+		cmocka_unit_test(test_contains_incomplete),
+		cmocka_unit_test(test_contains),
+		cmocka_unit_test(test_contains_1),
+		cmocka_unit_test(test_contains_1_fail),
+		cmocka_unit_test(test_device_claims_composite),
+		cmocka_unit_test(test_claim_name_different_case),
+		cmocka_unit_test(test_claim_name_different_case_case_flag),
+		cmocka_unit_test(test_different_case_with_case_sensitive_flag),
+		cmocka_unit_test(test_composite_different_order),
+		cmocka_unit_test(test_different_case),
+		cmocka_unit_test(test_composite_different_order_with_dupes),
+		cmocka_unit_test(test_more_values_not_equal),
+};
+	if (!isatty(1)) {
+		cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+	}
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}

libcli/security/wscript_build

@@ -32,3 +32,17 @@ bld.SAMBA_BINARY(
     ''',
     for_selftest=True
 )
+
+bld.SAMBA_BINARY(
+    'test_run_conditional_ace',
+    source='tests/test_run_conditional_ace.c',
+    deps='''
+        cmocka
+        talloc
+        samba-util
+        asn1util
+        NDR_SECURITY
+        samba-security
+    ''',
+    for_selftest=True
+)

selftest/knownfail.d/run_conditional_ace

@@ -0,0 +1,28 @@
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes\b
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim_2\b
+^samba.unittests.run_conditional_ace.test_resource_ace_single\b
+^samba.unittests.run_conditional_ace.test_Device_Member_of_and_Member_of\b
+^samba.unittests.run_conditional_ace.test_resource_ace_multi\b
+^samba.unittests.run_conditional_ace.test_resource_ace_multi_any_of\b
+^samba.unittests.run_conditional_ace.test_user_claim_eq_device_claim\b
+^samba.unittests.run_conditional_ace.test_device_claim_comtains_resource_claim\b
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim\b
+^samba.unittests.run_conditional_ace.test_Device_claim_contains_Resource_claim\b
+^samba.unittests.run_conditional_ace.test_not_Not_Contains_1\b
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of\b
+^samba.unittests.run_conditional_ace.test_not_not_not_not_not_not_not_not_not_not_Not_Member_of\b
+^samba.unittests.run_conditional_ace.test_not_any_of_1\b
+^samba.unittests.run_conditional_ace.test_not_contains_1\b
+^samba.unittests.run_conditional_ace.test_any_of_1\b
+^samba.unittests.run_conditional_ace.test_any_of\b
+^samba.unittests.run_conditional_ace.test_any_of_match_last\b
+^samba.unittests.run_conditional_ace.test_contains\b
+^samba.unittests.run_conditional_ace.test_contains_1\b
+^samba.unittests.run_conditional_ace.test_device_claims_composite\b
+^samba.unittests.run_conditional_ace.test_claim_name_different_case\b
+^samba.unittests.run_conditional_ace.test_claim_name_different_case_case_flag\b
+^samba.unittests.run_conditional_ace.test_composite_different_order\b
+^samba.unittests.run_conditional_ace.test_different_case\b
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes\b
+^samba.unittests.run_conditional_ace.test_more_values_not_equal\b
+

selftest/tests.py

@@ -488,3 +488,5 @@ plantestsuite("samba.unittests.compression.lzxpress_plain", "none",
 
 plantestsuite("samba.unittests.sddl_conditional_ace", "none",
               [os.path.join(bindir(), "test_sddl_conditional_ace")])
+plantestsuite("samba.unittests.run_conditional_ace", "none",
+              [os.path.join(bindir(), "test_run_conditional_ace")])