1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

7 Commits

Author SHA1 Message Date
Douglas Bagnall
6a07d2fe44 libcli/security: separate out claim_v1_to_ace_composite_unchecked()
For SDDL Resource ACE conversions we don't want to check too much
claim validity so that a semi-invalid ACE can round-trip through
deserialisation and serialisation. This is because Windows allows it,
but also because if the check puts the values in a sorted order that
makes the round-trip less round (that is, the return string is
semantically the same but possibly different in byte order).

The validity we're talking about is mostly uniqueness. For example
`S:(RA;;;;;WD;("foo",TU,0,7,5,7))` has two 7s, and that would be
invalid as a claim, but this is not checked while in ACE form.

On the other hand `S:(RA;;;;;WD;("foo",TU,0,3,2))` is valid, but the
return string will have 3 and 2 reversed when the check is made. We
prefer the ACE to stay the same while it is just being an ACE.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
a19f914fb9 libcli/security: begin claim_v1_check_and_sort with Boolean checks
claim_v1_check_and_sort() is meant to sort the claim values and check
that there are no duplicates, as well as making some value checks.

In order to ease into the idea, we look first at the case where the claim
has Boolean values. There are only two values allowed, which limits the
length of a valid claim set and means we only really need to "sort" in
the {1, 0} case, which we rewrite in place as {0, 1}.

That's what will happen with other types: we'll sort in-place, make
some checks on values, set flags, and return an error if there are
duplicates or value errors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Joseph Sutton
f035985dbd libcli/security: Add function to convert token claims to security attribute claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
a4010c9b65 libcli/security: Add some missing declarations
so that users of this header file don’t have to declare them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
48606c8aed libcli/security: Const‐qualify function parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
c9aab312b7 libcli/security: Add header guard
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Douglas Bagnall
6f588a1fc5 libcli:security: helpers for converting claim types
There are three different forms for claims, and we need to convert
between them.

For now, we are only going to be converting between conditional ACE
type and the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 type used by
resource ACEs and in the security token, and later we will add the PAC
claim types.

It doesn't help that these all have incompatible definitions, but we
do our best.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00