conditional_aces: Avoid manual parsing for ace_condition_sid
authorAndrew Bartlett <abartlet@samba.org>
Tue, 19 Sep 2023 21:31:31 +0000 (09:31 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 26 Sep 2023 23:45:36 +0000 (23:45 +0000)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/security/claims-conversions.c
libcli/security/conditional_ace.c
libcli/security/sddl_conditional_ace.c
libcli/security/wscript_build
librpc/idl/conditional_ace.idl
librpc/wscript_build

index 655f07fb94a61a2463f7d3b3d82e36114ef70d93..176d23567d6dbed3c3531b47058af1fc61ce6fd4 100644 (file)
@@ -152,7 +152,7 @@ static bool claim_v1_sid_to_ace_sid(
        }
 
        result->type = CONDITIONAL_ACE_TOKEN_SID;
-       result->data.sid.sid = sid;
+       result->data.sid.sid = *sid;
        return true;
 }
 
@@ -370,7 +370,7 @@ static bool ace_sid_to_claim_v1_sid(TALLOC_CTX *mem_ctx,
 {
        /* claim_v1 sid is an "S-1-*" string data blob, not struct dom_sid. */
        DATA_BLOB *blob = NULL;
-       char *s = dom_sid_string(mem_ctx, tok->data.sid.sid);
+       char *s = dom_sid_string(mem_ctx, &tok->data.sid.sid);
        if (s == NULL) {
                return false;
        }
index 169e024605f80aeb9cd745702e0d3a21a5c3d360..569bdd82696dbd4d6c2508f26369f011f7285b9e 100644 (file)
@@ -18,6 +18,7 @@
 
 #include "replace.h"
 #include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/ndr_conditional_ace.h"
 #include "librpc/gen_ndr/conditional_ace.h"
 #include "libcli/security/security.h"
 #include "libcli/security/conditional_ace.h"
@@ -264,25 +265,21 @@ static ssize_t pull_sid(TALLOC_CTX *mem_ctx,
                        uint8_t *data, size_t length,
                        struct ace_condition_sid *tok)
 {
-       uint32_t tok_length;
-       ssize_t sidlen;
-       if (length < 4) {
-               return -1;
-       }
-       tok_length = PULL_LE_U32(data, 0);
-       if (tok_length > length - 4) {
-               return -1;
-       }
-       tok->sid = talloc(mem_ctx, struct dom_sid);
-       if (tok->sid == NULL) {
+       ssize_t bytes_used;
+       enum ndr_err_code ndr_err;
+       DATA_BLOB v = data_blob_const(data, length);
+       struct ndr_pull *ndr = ndr_pull_init_blob(&v, mem_ctx);
+       if (ndr == NULL) {
                return -1;
        }
-       sidlen = sid_parse(data + 4, tok_length, tok->sid);
-       if (sidlen == -1) {
-               talloc_free(tok->sid);
+       ndr_err = ndr_pull_ace_condition_sid(ndr, NDR_SCALARS|NDR_BUFFERS, tok);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               TALLOC_FREE(ndr);
                return -1;
        }
-       return tok_length + 4;
+       bytes_used = ndr->offset;
+       TALLOC_FREE(ndr);
+       return bytes_used;
 }
 
 static ssize_t push_sid(uint8_t *data, size_t available,
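Review bot: The bounds checks pull_sid used to perform by hand (`length < 4`, `tok_length > length - 4`) are now delegated to the generated pull of the `[subcontext(4)]` field, and nothing in the new body says so, so a reader will not see where the 4-byte length prefix and its validation went. I would add, above the `ndr_pull_ace_condition_sid` call, `/* The IDL's [subcontext(4)] pulls and bounds-checks the 4-byte length prefix against the blob; ndr->offset afterwards is prefix + SID. */` and document `bytes_used` as the total number of bytes consumed from `data`. The same remark applies to the push_sid hunk below, where the explicit `PUSH_LE_U32(data, 0, v.length)` prefix disappears into `ndr_push_ace_condition_sid` and the returned `v.length` now already includes it. Since the pull now fills a `struct dom_sid` held by value in `tok` (per the IDL hunk), nothing allocated under the freed ndr context should be left referenced from `tok`, but that is inferred from the IDL rather than visible here and is worth confirming against the generated code.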
@@ -290,22 +287,19 @@ static ssize_t push_sid(uint8_t *data, size_t available,
 {
        enum ndr_err_code ndr_err;
        DATA_BLOB v;
-       ssize_t total_length;
        ndr_err = ndr_push_struct_blob(&v, NULL,
-                                      tok->sid,
-                                      (ndr_push_flags_fn_t)ndr_push_dom_sid);
+                                      tok,
+                                      (ndr_push_flags_fn_t)ndr_push_ace_condition_sid);
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                return -1;
        }
-       total_length = v.length + 4;
-       if (available < total_length) {
+       if (available < v.length) {
                talloc_free(v.data);
                return -1;
        }
-       PUSH_LE_U32(data, 0, v.length);
-       memcpy(data + 4, v.data, v.length);
+       memcpy(data, v.data, v.length);
        talloc_free(v.data);
-       return total_length;
+       return v.length;
 }
 
 
@@ -904,7 +898,7 @@ static bool member_lookup(
        bool arg_is_a_single_sid;
        struct dom_sid *sid_array = NULL;
        size_t num_sids, i, j;
-       struct dom_sid *sid = NULL;
+       const struct dom_sid *sid = NULL;
 
        result->type = CONDITIONAL_ACE_SAMBA_RESULT_BOOL;
        result->data.result.value = ACE_CONDITION_UNKNOWN;
@@ -973,7 +967,7 @@ static bool member_lookup(
                 * In this case the any and all operations are the
                 * same.
                 */
-               sid = arg->data.sid.sid;
+               sid = &arg->data.sid.sid;
                match = false;
                for (i = 0; i < num_sids; i++) {
                        match = dom_sid_equal(sid, &sid_array[i]);
@@ -1007,7 +1001,7 @@ static bool member_lookup(
                                    j, member->type);
                        return false;
                }
-               sid = member->data.sid.sid;
+               sid = &member->data.sid.sid;
                match = false;
                for (i = 0; i < num_sids; i++) {
                        match = dom_sid_equal(sid, &sid_array[i]);
@@ -1397,8 +1391,8 @@ static bool compare_sids(const struct ace_condition_token *op,
                         const struct ace_condition_token *rhs,
                         int *cmp)
 {
-       *cmp = dom_sid_compare(lhs->data.sid.sid,
-                              rhs->data.sid.sid);
+       *cmp = dom_sid_compare(&lhs->data.sid.sid,
+                              &rhs->data.sid.sid);
        return true;
 }
 
index 9844039e9d2d3d9b239fa528ee627d3a54867182..1349a7fbf3b1f5849b7452908a1b2413f548997f 100644 (file)
@@ -560,7 +560,7 @@ char *debug_conditional_ace(TALLOC_CTX *mem_ctx,
                        break;
                case CONDITIONAL_ACE_TOKEN_SID:
                        utf8 = sddl_encode_sid(mem_ctx,
-                                              tok->data.sid.sid,
+                                              &tok->data.sid.sid,
                                               NULL);
                        snprintf(line, sizeof(line),
                                 "%s (%s)\n",
@@ -883,7 +883,7 @@ static bool sddl_write_sid(struct sddl_write_context *ctx,
        bool ok;
        char *sddl = NULL;
        char *sid = sddl_encode_sid(ctx->mem_ctx,
-                                   tok->data.sid.sid,
+                                   &tok->data.sid.sid,
                                    NULL);
        if (sid == NULL) {
                return false;
@@ -2019,7 +2019,7 @@ static bool parse_sid(struct ace_condition_sddl_compiler_context *comp)
                comp->offset++;
        }
        token.type = CONDITIONAL_ACE_TOKEN_SID;
-       token.data.sid.sid = sid;
+       token.data.sid.sid = *sid;
        return write_sddl_token(comp, token);
 }
 
@@ -3167,7 +3167,7 @@ static bool write_resource_attr_from_token(struct sddl_write_context *ctx,
 
        case CONDITIONAL_ACE_TOKEN_SID:
                /* unlike conditional ACE, SID does not had "SID()" wrapper. */
-               sid = sddl_encode_sid(ctx->mem_ctx, tok->data.sid.sid, NULL);
+               sid = sddl_encode_sid(ctx->mem_ctx, &tok->data.sid.sid, NULL);
                if (sid == NULL) {
                        return false;
                }
index d02c1e44ab504690fed4d98e238c93bd4a8f1f7f..34e79f1d09ec719681b58c7b7ff4b27ac7f4230a 100644 (file)
@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-security',
                           'util_sid.c', 'session.c', 'secdesc.c',
                           'conditional_ace.c', 'sddl_conditional_ace.c',
                           'claims-conversions.c'],
-                  private_library=True, deps='talloc ndr NDR_SECURITY')
+                  private_library=True, deps='talloc ndr NDR_SECURITY NDR_CONDITIONAL_ACE')
 
 pytalloc_util = bld.pyembed_libname('pytalloc-util')
 bld.SAMBA_PYTHON('pysecurity',
index 84d51a0c4c42a5d2916866c646ab91ff54a18c74..fc97d75189a66fd51d6e92fd32f664a1664ee18f 100644 (file)
@@ -264,8 +264,6 @@ interface conditional_ace
        /*
         * Sub-structures for struct ace_condition_token -> data,
         * which vary according to the token->type.
-        *
-        * These are not used on the wire.
         */
        typedef [flag(NDR_NOALIGN)] struct {
                int64 value;
@@ -287,8 +285,8 @@ interface conditional_ace
                uint32 length;
        } ace_condition_bytes;
 
-       typedef struct {
-               dom_sid *sid;
+       typedef [public] struct {
+               [subcontext(4)] dom_sid sid;
        } ace_condition_sid;
 
        /*
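Review bot: `ace_condition_sid` is declared without `flag(NDR_NOALIGN)`, while the sibling token sub-structure at the top of the previous hunk carries it, and with this commit the struct is actually pushed and pulled. pull_sid/push_sid encode it in a blob of its own starting at offset 0, so the 4-byte alignment a plain uint32 length prefix would otherwise attract has no effect today, but if the struct is ever pulled inline from a larger stream the generated code could pad before the prefix and diverge from the old hand-written `PULL_LE_U32(data, 0)` layout. Consider `typedef [public,flag(NDR_NOALIGN)] struct {` for consistency with the other sub-structures, assuming the generated subcontext header honours that flag (inferred from the sibling declarations, not verified here).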
index 3cbb5ff78e62733a8fbb2c55a75eb36086cedb5b..3ba7ce23082814fc1386b7e495f80b7ca4f2f15a 100644 (file)
@@ -448,6 +448,11 @@ bld.SAMBA_SUBSYSTEM('NDR_WINSTATION',
        public_deps='ndr'
        )
 
+bld.SAMBA_SUBSYSTEM('NDR_CONDITIONAL_ACE',
+       source='gen_ndr/ndr_conditional_ace.c',
+       public_deps='ndr'
+       )
+
 bld.SAMBA_SUBSYSTEM('RPC_NDR_ATSVC',
     source='gen_ndr/ndr_atsvc_c.c',
     public_deps='dcerpc-binding NDR_ATSVC'