From: Stefan Metzmacher
Date: Mon, 3 Feb 2025 13:31:23 +0000 (+0100)
Subject: libcli/security: add claims_tf_policy_[un]wrap_xml() for msDS-TransformationRules
X-Git-Tag: tevent-0.17.0~793
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c33a441c8e5c532d571cc661593ef0b3a6edcb1b;p=thirdparty%2Fsamba.git
libcli/security: add claims_tf_policy_[un]wrap_xml() for msDS-TransformationRules
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/libcli/security/claims_transformation.h b/libcli/security/claims_transformation.h
index 8027d850ec0..e61922a26a8 100644
--- a/libcli/security/claims_transformation.h
+++ b/libcli/security/claims_transformation.h
@@ -38,6 +38,12 @@ bool claims_tf_rule_set_parse_blob(const DATA_BLOB *blob,
 struct claims_tf_rule_set **__rule_set,
 char **_error_string);
+char *claims_tf_policy_wrap_xml(TALLOC_CTX *mem_ctx,
+ const char *rules_string);
+
+bool claims_tf_policy_unwrap_xml(const DATA_BLOB *attr_val,
+ DATA_BLOB *rules);
+
 #ifdef CLAIMS_TRANSFORMATION_INTERNALS
 struct claims_tf_parser_state {
diff --git a/libcli/security/claims_transformation.l b/libcli/security/claims_transformation.l
index 4594adbea7e..ff6c0478f7e 100644
--- a/libcli/security/claims_transformation.l
+++ b/libcli/security/claims_transformation.l
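Review bot: The two new prototypes carry no contract comment, and the header is all most callers will read, so the ownership and failure semantics implemented in the .l hunk are invisible here. A Doxygen block above claims_tf_policy_wrap_xml along the lines of `/** Wrap rules_string in the msDS-TransformationRules XML envelope. Returns a string allocated on mem_ctx, or NULL with errno set to EINVAL when rules_string is NULL or contains "]]>", which cannot appear inside the CDATA section. */` would cover it. For claims_tf_policy_unwrap_xml the comment should say that on success `rules` is a view into `attr_val->data`, not a copy, so the caller must not free it and must keep attr_val alive while using it, and that false means the value does not carry the expected envelope.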
@@ -460,3 +460,75 @@ _PUBLIC_ bool claims_tf_rule_set_parse_blob(const DATA_BLOB *blob,
 return true;
 }
+
+/*
+ * This is a bit strange regarding whitespacing,
+ * but it's what the New-ADClaimTransformPolicy
+ * powershell command from Windows 2025 adds
+ * to the msDS-TransformationRules attribute.
+ */
+static const char * const claims_tf_xml_prefix_string =
+ " "
+ ""
+ " "
+ ""
+ " "
+ ""
+ " "
+ ""
+ "";
+
+_PUBLIC_ char *claims_tf_policy_wrap_xml(TALLOC_CTX *mem_ctx,
+ const char *rules_string)
+{
+ if (rules_string == NULL) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (strstr(rules_string, "]]>") != NULL) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ return talloc_asprintf(mem_ctx, "%s%s%s",
+ claims_tf_xml_prefix_string,
+ rules_string,
+ claims_tf_xml_suffix_string);
+}
+
+_PUBLIC_ bool claims_tf_policy_unwrap_xml(const DATA_BLOB *attr_val,
+ DATA_BLOB *rules)
+{
+ DATA_BLOB prefix = data_blob_string_const(claims_tf_xml_prefix_string);
+ DATA_BLOB suffix = data_blob_string_const(claims_tf_xml_suffix_string);
+ size_t rules_ofs;
+ size_t suffix_ofs;
+ int cmp;
+
+ if (attr_val->length < (prefix.length + suffix.length)) {
+ return false;
+ }
+ rules_ofs = prefix.length;
+ suffix_ofs = attr_val->length - suffix.length;
+
+ cmp = memcmp(attr_val->data,
+ prefix.data,
+ prefix.length);
+ if (cmp != 0) {
+ return false;
+ }
+
+ cmp = memcmp(attr_val->data + suffix_ofs,
+ suffix.data,
+ suffix.length);
+ if (cmp != 0) {
+ return false;
+ }
+
+ rules->data = attr_val->data + rules_ofs;
+ rules->length = suffix_ofs - rules_ofs;
+ return true;
+}
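Review bot: claims_tf_policy_unwrap_xml does not reject a `]]>` inside the body it hands back, although claims_tf_policy_wrap_xml refuses to produce one; an XML reader ends the CDATA section at that sequence, while this code returns everything up to the fixed suffix as rules, so two readers of the same attribute value can disagree on what the rules are. Mirroring the wrap-side check before the final assignments, e.g. `if (memmem(attr_val->data + rules_ofs, suffix_ofs - rules_ofs, "]]>", 3) != NULL) { return false; }`, keeps unwrap an exact inverse of wrap (memmem is supplied by libreplace where libc lacks it; confirm it is in scope in this file). The prefix and suffix are matched byte-exactly, so a policy written with any whitespace other than what the Windows 2025 cmdlet emits is rejected, which deserves a sentence in the comment above claims_tf_xml_prefix_string, or a whitespace-tolerant match. unwrap also dereferences attr_val and rules without the NULL check that wrap applies to rules_string. The string tables look garbled in this rendering and the claims_tf_xml_suffix_string definition is missing from it, so the exact envelope bytes could not be reviewed here.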