From: Douglas Bagnall Date: Fri, 24 Nov 2023 23:55:09 +0000 (+1300) Subject: libcli/security: note suboptimality of conditional ACE Contains operators X-Git-Tag: talloc-2.4.2~492 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a757a51a26f664591ab776db99bf48acfa698591;p=thirdparty%2Fsamba.git libcli/security: note suboptimality of conditional ACE Contains operators The Contains and Any_of operators could use a sorted comparison like compare_composites_via_sort(), rather than O(n²) nested loops. But that would involve an amount of quite fiddly work that I am not starting on now. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224 --- diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c index 319b3ed4217..1876b52c141 100644 --- a/libcli/security/conditional_ace.c +++ b/libcli/security/conditional_ace.c @@ -1960,6 +1960,10 @@ static bool contains_operator(const struct ace_condition_token *lhs, * * Both the lhs or rhs can be solitary objects or composites. * This makes it a bit fiddlier. + * + * NOTE: this operator does not take advantage of the + * CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED flag. It could, but it + * doesn't. */ if (lhs->type == CONDITIONAL_ACE_TOKEN_COMPOSITE) { struct ace_condition_composite candidates = lhs->data.composite;
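Review bot: The added NOTE in the comment above `if (lhs->type == CONDITIONAL_ACE_TOKEN_COMPOSITE)` says the operator ignores CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED, but it leaves out the two facts that make the note useful and that currently live only in the commit message: the comparison is done with O(n²) nested loops, and a sorted comparison like compare_composites_via_sort() is the suggested alternative. "It could, but it doesn't." gives a later reader nothing to act on; consider stating the cost and naming compare_composites_via_sort() in the comment itself. The commit message also names Any_of, while this hunk annotates only the comment in contains_operator; if Any_of is handled in a different function, the same note belongs there too.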