libcli/security: Hook in ability to disable conditional ACE evaluation
authorAndrew Bartlett <abartlet@samba.org>
Fri, 15 Sep 2023 00:36:56 +0000 (12:36 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 26 Sep 2023 23:45:36 +0000 (23:45 +0000)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/security/access_check.c
selftest/knownfail.d/conditional-ace-token [new file with mode: 0644]

index e919e7091f8195259fc63ad1bddbdea2b9bad56f..76c1d1d93d08ba4d882633fcf5868089f68f03c6 100644 (file)
@@ -220,6 +220,22 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
        bool am_owner = false;
        bool have_owner_rights_ace = false;
 
+       switch (token->evaluate_claims) {
+       case CLAIMS_EVALUATION_INVALID_STATE:
+               if (token->num_local_claims > 0 ||
+                   token->num_user_claims > 0 ||
+                   token->num_device_claims > 0 ||
+                   token->num_device_sids > 0) {
+                       DBG_WARNING("Refusing to evaluate token with claims or device SIDs but also "
+                                   "with CLAIMS_EVALUATION_INVALID_STATE\n");
+                       return NT_STATUS_INVALID_TOKEN;
+               }
+               break;
+       case CLAIMS_EVALUATION_ALWAYS:
+       case CLAIMS_EVALUATION_NEVER:
+               break;
+       }
+
        *access_granted = access_desired;
        bits_remaining = access_desired;
 
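Review bot: The switch at the top of the hunk has no `default:` arm, so a `token->evaluate_claims` value outside the three named constants is neither rejected nor logged and the access check proceeds as if the token were fully valid; a `default: return NT_STATUS_INVALID_TOKEN;` arm would fail closed (the declaration of `evaluate_claims` is not visible here, so whether such a value can arise depends on how tokens are filled in). On the refusal path that returns `NT_STATUS_INVALID_TOKEN`, `*access_granted` has not yet been written (that assignment is just below), so a caller that reads it without first checking the status sees whatever was in the variable before; setting `*access_granted = 0;` before that return costs nothing and keeps the failure side on the safe value. se_access_check_implicit_owner starts and ends outside this hunk.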
@@ -314,6 +330,30 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
                        break;
 
                case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
+               {
+                       bool evaluate_claims = true;
+                       switch (token->evaluate_claims) {
+                       case CLAIMS_EVALUATION_INVALID_STATE:
+                               DBG_WARNING("Refusing to evaluate ACL with "
+                                           "conditional ACE against security "
+                                           "token with CLAIMS_EVALUATION_INVALID_STATE\n");
+                               return NT_STATUS_INVALID_ACE_CONDITION;
+                       case CLAIMS_EVALUATION_NEVER:
+                               evaluate_claims = false;
+                               break;
+                       case CLAIMS_EVALUATION_ALWAYS:
+                               evaluate_claims = true;
+                               break;
+                       }
+
+                       if (!evaluate_claims) {
+                               /*
+                                * We are asked to pretend we never
+                                * understood this ACE type
+                                */
+                               break;
+                       }
+
                        status = check_callback_ace_access(ace, token, sd,
                                                           &callback_ok);
 
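Review bot: `bool evaluate_claims = true;` picks the permissive value as the fallback, and because the inner switch has no `default:` arm an unrecognised `token->evaluate_claims` value silently falls through to `check_callback_ace_access()` rather than being refused; initialising with `bool evaluate_claims = false;` or adding `default: return NT_STATUS_INVALID_TOKEN;` makes the unknown case fail closed instead of open. The same switch is repeated verbatim in the `SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK` arm of the next hunk; a small static helper that returns the decision and the error status would keep the allow and deny paths from drifting apart. The enclosing function and its ACE-type switch begin before and end after this hunk.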
@@ -324,7 +364,33 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
                                bits_remaining &= ~ace->access_mask;
                        }
                        break;
+               }
+
                case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
+               {
+                       bool evaluate_claims = true;
+                       switch (token->evaluate_claims) {
+                       case CLAIMS_EVALUATION_INVALID_STATE:
+                               DBG_WARNING("Refusing to evaluate ACL with "
+                                           "conditional ACE against security "
+                                           "token with CLAIMS_EVALUATION_INVALID_STATE\n");
+                               return NT_STATUS_INVALID_ACE_CONDITION;
+                       case CLAIMS_EVALUATION_NEVER:
+                               evaluate_claims = false;
+                               break;
+                       case CLAIMS_EVALUATION_ALWAYS:
+                               evaluate_claims = true;
+                               break;
+                       }
+
+                       if (!evaluate_claims) {
+                               /*
+                                * We are asked to pretend we never
+                                * understood this ACE type
+                                */
+                               break;
+                       }
+
                        status = check_callback_ace_access(ace, token, sd,
                                                           &callback_ok);
 
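Review bot: Under `CLAIMS_EVALUATION_NEVER` the `break` in this arm skips a conditional *deny* ACE entirely, so a deny the ACL author wrote is never applied, whereas `SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT` (visible in the following hunk) still denies unconditionally; that asymmetry is presumably deliberate, mirroring an implementation that does not understand the ACE type at all, but the comment should state the consequence rather than only the intent. Suggested wording in place of the existing comment: `/* CLAIMS_EVALUATION_NEVER: treat this conditional deny ACE as an unknown ACE type and skip it, so it denies nothing; contrast the _OBJECT variants below, which deny regardless. */`. The enclosing function continues outside the hunk.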
@@ -335,6 +401,7 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
                                explicitly_denied_bits |= (bits_remaining & ace->access_mask);
                        }
                        break;
+               }
 
                case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
                        explicitly_denied_bits |= (bits_remaining & ace->access_mask);
diff --git a/selftest/knownfail.d/conditional-ace-token b/selftest/knownfail.d/conditional-ace-token
new file mode 100644 (file)
index 0000000..fbd38be
--- /dev/null
@@ -0,0 +1,41 @@
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_resource_and_user_attr
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_resource_attr
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_user_attr
+^samba.unittests.run_conditional_ace.test_composite_mixed_types
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim_2
+^samba.unittests.run_conditional_ace.test_not_Not_Any_of_1
+^samba.unittests.run_conditional_ace.test_not_any_of_composite_1
+^samba.unittests.run_conditional_ace.test_resource_ace_single
+^samba.unittests.run_conditional_ace.test_horrible_fuzz_derived_test_3
+^samba.unittests.run_conditional_ace.test_Device_Member_of_and_Member_of
+^samba.unittests.run_conditional_ace.test_resource_ace_multi
+^samba.unittests.run_conditional_ace.test_resource_ace_multi_any_of
+^samba.unittests.run_conditional_ace.test_user_claim_eq_device_claim
+^samba.unittests.run_conditional_ace.test_device_claim_comtains_resource_claim
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim
+^samba.unittests.run_conditional_ace.test_Device_claim_contains_Resource_claim
+^samba.unittests.run_conditional_ace.test_not_Not_Contains_1
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of_fail
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of
+^samba.unittests.run_conditional_ace.test_not_not_not_not_not_not_not_not_not_not_Not_Member_of
+^samba.unittests.run_conditional_ace.test_not_any_of_1_fail
+^samba.unittests.run_conditional_ace.test_not_any_of_1
+^samba.unittests.run_conditional_ace.test_not_contains_1
+^samba.unittests.run_conditional_ace.test_not_contains_1_fail
+^samba.unittests.run_conditional_ace.test_any_of_1_fail
+^samba.unittests.run_conditional_ace.test_any_of_1
+^samba.unittests.run_conditional_ace.test_any_of
+^samba.unittests.run_conditional_ace.test_any_of_match_last
+^samba.unittests.run_conditional_ace.test_contains_incomplete
+^samba.unittests.run_conditional_ace.test_contains
+^samba.unittests.run_conditional_ace.test_contains_1
+^samba.unittests.run_conditional_ace.test_contains_1_fail
+^samba.unittests.run_conditional_ace.test_device_claims_composite
+^samba.unittests.run_conditional_ace.test_claim_name_different_case
+^samba.unittests.run_conditional_ace.test_claim_name_different_case_case_flag
+^samba.unittests.run_conditional_ace.test_different_case_with_case_sensitive_flag
+^samba.unittests.run_conditional_ace.test_composite_different_order
+^samba.unittests.run_conditional_ace.test_different_case
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes
+^samba.unittests.run_conditional_ace.test_more_values_not_equal