libcl/security: conditional ACE sddl >= ops take literal parens only

You can't do things like '(a == b) == (c < d)'.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index c6da72003e639ba2a9ed4d3e871ccc7a4efc648f..1bd074eb4283cc2b0e2144676be880510176d5ad 100644 (file)
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -64,7 +64,7 @@
                              SDDL_FLAG_IS_UNARY_OP)
 
 #define SDDL_FLAGS_RELATIONAL_OP (SDDL_FLAG_EXPECTING_LITERAL | \
-                                 SDDL_FLAG_EXPECTING_PAREN |   \
+                                 SDDL_FLAG_EXPECTING_PAREN_LITERAL |  \
                                  SDDL_FLAG_EXPECTING_NON_LOCAL_ATTR | \
                                  SDDL_FLAG_IS_BINARY_OP)
 
@@ -2532,10 +2532,10 @@ static bool parse_expression(struct ace_condition_sddl_compiler_context *comp)
 
        if (comp->state & SDDL_FLAG_EXPECTING_PAREN_LITERAL) {
                /*
-                * Syntctically we allow parentheses to wrap a literal
-                * value after a Member_of op, but we want to remember
-                * that it just wants a single literal, not a general
-                * expression.
+                * Syntactically we allow parentheses to wrap a
+                * literal value after a Member_of or >= op, but we
+                * want to remember that it just wants a single
+                * literal, not a general expression.
                 */
                return parse_paren_literal(comp);
        }

diff --git a/libcli/security/tests/test_sddl_conditional_ace.c b/libcli/security/tests/test_sddl_conditional_ace.c
index 529a8d59a9280501275322b085f303ee88d8216f..df93bcda3be398e826f42fb40ec89f216d927934 100644 (file)
--- a/libcli/security/tests/test_sddl_conditional_ace.c
+++ b/libcli/security/tests/test_sddl_conditional_ace.c
@@ -778,6 +778,10 @@ static void test_a_number_of_invalid_strings(void **state)
                "(\"x\" == \"x\")",
                /* odd number of digits following '#' */
                "(OctetStringType==#1#2#3##))",
+               /* empty expression */
+               "()",
+               /* relational op with with complex RHS */
+               "(@Device.bb == (@USER.x < 62))",
        };
        size_t i, length;
        TALLOC_CTX *mem_ctx = talloc_new(NULL);