From: Joseph Sutton Date: Thu, 1 Dec 2022 23:43:21 +0000 (+1300) Subject: libcli/security: make sddl_decode_sid an external function X-Git-Tag: tevent-0.16.0~710 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d012757a076063bcd123966f697fc8b0d1b2736;p=thirdparty%2Fsamba.git libcli/security: make sddl_decode_sid an external function We are going to need it in for parsing SDDL for conditional ACEs and resource ACEs, which will go in a separate file because it's huge. This means changing the interface for `sddl_decode_sid` to that from before 7d466a913f2c0038b30424403a7355db849fee7a which introduced sddl_transition_state to deal ease the shift to disambiguated machine/ domain/forest SIDs. Internal callers use `sddl_transition_decode_sid()` which is the old function; external callers use the same shim pattern as the other externally available functions. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 5e85836ad57..84d34b94c90 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -24,6 +24,7 @@
 #include "libcli/security/security.h"
 #include "librpc/gen_ndr/ndr_misc.h"
 #include "lib/util/smb_strtox.h"
+#include "libcli/security/sddl.h"
 #include "system/locale.h"
 #include "lib/util/util_str_hex.h"
@@ -199,8 +200,8 @@ static const struct {
 decode a SID
 It can either be a special 2 letter code, or in S-* format
 */
-static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
- struct sddl_transition_state *state)
+static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
+ struct sddl_transition_state *state)
 {
 const char *sddl = (*sddlp);
 size_t i;
@@ -281,6 +282,23 @@ static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
 return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
 }
+struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
+ const struct dom_sid *domain_sid)
+{
+ struct sddl_transition_state state = {
+ /*
+ * TODO: verify .machine_rid values really belong to
+ * to the machine_sid on a member, once
+ * we pass machine_sid from the caller...
+ */
+ .machine_sid = domain_sid,
+ .domain_sid = domain_sid,
+ .forest_sid = domain_sid,
+ };
+ return sddl_transition_decode_sid(mem_ctx, sddlp, &state);
+}
+
+
 static const struct flag_map ace_types[] = {
 { "AU", SEC_ACE_TYPE_SYSTEM_AUDIT },
 { "AL", SEC_ACE_TYPE_SYSTEM_ALARM },
@@ -561,7 +579,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 /* trustee */
 s = tok[5];
- sid = sddl_decode_sid(mem_ctx, &s, state);
+ sid = sddl_transition_decode_sid(mem_ctx, &s, state);
 if (sid == NULL) {
 return false;
 }
@@ -704,12 +722,12 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
 break;
 case 'O':
 if (sd->owner_sid != NULL) goto failed;
- sd->owner_sid = sddl_decode_sid(sd, &sddl, &state);
+ sd->owner_sid = sddl_transition_decode_sid(sd, &sddl, &state);
 if (sd->owner_sid == NULL) goto failed;
 break;
 case 'G':
 if (sd->group_sid != NULL) goto failed;
- sd->group_sid = sddl_decode_sid(sd, &sddl, &state);
+ sd->group_sid = sddl_transition_decode_sid(sd, &sddl, &state);
 if (sd->group_sid == NULL) goto failed;
 break;
 default:
diff --git a/libcli/security/sddl.h b/libcli/security/sddl.h
index 6720ec6453e..810b072fec3 100644
--- a/libcli/security/sddl.h
+++ b/libcli/security/sddl.h
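Review bot: The new exported `sddl_decode_sid` fills `.machine_sid`, `.domain_sid` and `.forest_sid` of `sddl_transition_state` with the single `domain_sid` the caller passes, so any two-letter SID code the decoder resolves relative to the machine or forest SID (the `.machine_rid` case the TODO in the initializer refers to) is expanded under the domain SID instead; on a domain member that presumably yields a different principal than the SDDL author intended, and the TODO only names the machine half of that. Until callers can supply the distinct SIDs, that limitation belongs in the function's contract, e.g. above the definition: `/* External shim: domain_sid also stands in for the machine and forest SIDs, so machine- or forest-relative short codes resolve against the domain. */`. The TODO text also reads `belong to` / `to the machine_sid` — one `to` too many. The two call-site renames in the following hunks (`sddl_decode_ace`, `sddl_decode`) keep passing the caller's own state and are not affected by this.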
@@ -30,4 +30,7 @@ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
 char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
 const struct dom_sid *domain_sid);
+struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
+ const struct dom_sid *domain_sid);
+
 #endif /* __SDDL_H__ */
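Review bot: The newly exported prototype carries no documentation, and this header is now the contract that out-of-tree-style callers (the conditional-ACE parser the commit message announces) will read. A short Doxygen block above the declaration should state that the result is talloc'd under `mem_ctx` (one visible return path in sddl.c is `dom_sid_parse_talloc(mem_ctx, ...)`), that NULL means the SID could not be decoded (the in-tree callers test `sid == NULL` and fail), that `*sddlp` is an in/out cursor — presumably advanced past the consumed SID, to be confirmed against `sddl_transition_decode_sid` — and that `domain_sid` is also used in place of the machine and forest SIDs. Spelling out the NULL-on-failure rule matters most, since a caller that treats the return as always valid would dereference NULL on malformed SDDL.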