From: Douglas Bagnall
Date: Wed, 23 Aug 2023 00:04:29 +0000 (+1200)
Subject: security.idl: extend security token for claims
X-Git-Tag: tevent-0.16.0~701
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f893cf85cc387b66c496661e11073b1215270022;p=thirdparty%2Fsamba.git

security.idl: extend security token for claims

A security token contains the context needed to make access decisions for a particular client, which has until now been a number of SIDs and flags.

Claims are arbitrary attributes that can be tacked onto the security token. Typically they will arrive via a Kerberos PAC, but we don't need to worry about that now -- only that they are stored on the token.

The security token in [MS-DTYP] 2.5.2 is described in abstract terms (it is not transmitted on the wire) as behaving *as if* it held claims in three arrays of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures. We take that suggestion literally.

This is *almost* the same as storing the [MS-ADTS] 2.2.18 claims wire structures that the claims are presumably derived from, and doing that might seem like a small optimisation. But we don't do that because of subtle differences and we already need CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 in security.idl for resource attribute ACEs.

The three stored claim types are user claims, device claims, and local claims. Local claims relate to local Windows accounts and are unlikely to occur in Samba. Nevertheless we have the array there just in case.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Sep 7 05:50:24 UTC 2023 on atb-devel-224
---

diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index b3bc834a94c..20ff02f0074 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -758,6 +758,12 @@ interface security [size_is(num_sids)] dom_sid sids[*]; se_privilege privilege_mask; lsa_SystemAccessModeFlags rights_mask; + uint32 num_local_claims; + uint32 num_user_claims; + uint32 num_device_claims; + [size_is(num_local_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 local_claims[*]; + [size_is(num_user_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 user_claims[*]; + [size_is(num_device_claims)] CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 device_claims[*]; } security_token; typedef [public] struct {
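Review bot: the six new fields in security_token carry no IDL comment, and the hunk changes only the type, so anything that duplicates, compares or prints a security_token will still treat it as SIDs plus masks and silently drop or share the new arrays. Since the `[size_is(...)] ... [*]` members become a count plus a pointer in the generated C, a shallow copy of a token leaves two tokens pointing at the same claim storage; please make sure the token copy and comparison paths are updated alongside this IDL change. A short comment above `uint32 num_local_claims;` noting that the three arrays model the [MS-DTYP] 2.5.2 abstract token, and that `local_claims` is expected to stay empty in Samba (both stated in the commit message), would save the next reader a trip to the spec.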
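To make the "three arrays on the token" layout concrete, here is an added, stand-alone C example that is not Samba code and does not use Samba's generated structures. It mirrors the six fields the patch adds with a deliberately simplified stand-in for CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (name, value type, string or int64 values only), and shows how a consumer would look a claim up: the array (user, device or local) is part of the key, so a user claim never satisfies a device-claim test, and a missing or wrongly typed claim evaluates to "no match" rather than to an error. The struct names, the `token_find_claim`/`token_claim_has_string` helpers, exact-match name comparison and the sample claim values are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CLAIM_SECURITY_ATTRIBUTE_TYPE_* tags from [MS-DTYP]; only two are modelled. */
#define CLAIM_TYPE_INT64  0x0001
#define CLAIM_TYPE_STRING 0x0003

/* Simplified stand-in for CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (assumption:
 * the real structure also carries flags and further value types). */
struct claim {
    const char *name;
    uint16_t value_type;
    uint32_t value_count;
    const char *const *strings; /* used when value_type == CLAIM_TYPE_STRING */
    const int64_t *ints;        /* used when value_type == CLAIM_TYPE_INT64 */
};

/* Mirror of the fields the patch adds to security_token (SIDs and masks
 * omitted). Each [size_is] array is a count plus a pointer; an empty array
 * is count 0 with a NULL pointer. */
struct token {
    uint32_t num_local_claims;
    uint32_t num_user_claims;
    uint32_t num_device_claims;
    const struct claim *local_claims;
    const struct claim *user_claims;
    const struct claim *device_claims;
};

enum claim_source { CLAIM_LOCAL = 0, CLAIM_USER = 1, CLAIM_DEVICE = 2 };

/* Find a claim by name in exactly one of the three arrays. Names are
 * compared exactly (assumption for this example). */
static const struct claim *token_find_claim(const struct token *t,
                                            enum claim_source src,
                                            const char *name)
{
    const struct claim *arr = NULL;
    uint32_t n = 0, i;

    switch (src) {
    case CLAIM_LOCAL:  arr = t->local_claims;  n = t->num_local_claims;  break;
    case CLAIM_USER:   arr = t->user_claims;   n = t->num_user_claims;   break;
    case CLAIM_DEVICE: arr = t->device_claims; n = t->num_device_claims; break;
    }
    if (arr == NULL) {
        return NULL; /* empty array: never dereference, whatever the count */
    }
    for (i = 0; i < n; i++) {
        if (strcmp(arr[i].name, name) == 0) {
            return &arr[i];
        }
    }
    return NULL;
}

/* The shape of a conditional-ACE test such as @User.Department == "Finance".
 * A missing claim, or one of the wrong type, yields 0 (no match). */
static int token_claim_has_string(const struct token *t, enum claim_source src,
                                  const char *name, const char *want)
{
    const struct claim *c = token_find_claim(t, src, name);
    uint32_t i;

    if (c == NULL || c->value_type != CLAIM_TYPE_STRING) {
        return 0;
    }
    for (i = 0; i < c->value_count; i++) {
        if (strcmp(c->strings[i], want) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Constructed sample token: a Finance/Audit user with an int64 Clearance
 * claim, on a device carrying a Compliance claim; no local claims. */
static struct token sample_token(void)
{
    static const char *const dept[] = { "Finance", "Audit" };
    static const int64_t level[] = { 2 };
    static const char *const compliance[] = { "Managed" };
    static const struct claim user_claims[] = {
        { "Department", CLAIM_TYPE_STRING, 2, dept, NULL },
        { "Clearance",  CLAIM_TYPE_INT64,  1, NULL, level },
    };
    static const struct claim device_claims[] = {
        { "Compliance", CLAIM_TYPE_STRING, 1, compliance, NULL },
    };
    struct token t = { 0, 2, 1, NULL, user_claims, device_claims };
    return t;
}

/* Convenience wrapper: run one string test against the sample token. */
static int sample_check(enum claim_source src, const char *name, const char *want)
{
    struct token t = sample_token();
    return token_claim_has_string(&t, src, name, want);
}

int main(void)
{
    printf("user   Department == Finance: %d\n", sample_check(CLAIM_USER, "Department", "Finance"));
    printf("device Department == Finance: %d\n", sample_check(CLAIM_DEVICE, "Department", "Finance"));
    printf("local  Department == Finance: %d\n", sample_check(CLAIM_LOCAL, "Department", "Finance"));
    printf("user   Clearance == \"2\":     %d\n", sample_check(CLAIM_USER, "Clearance", "2"));
    return 0;
}
```

The second and third lookups are the ones worth noting: the same claim name asked of the device or local array does not match, and the local array is NULL with a zero count, which is exactly the state a Samba token would be in given the commit message's expectation that local claims do not occur.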