From: Stefan Metzmacher
Date: Fri, 17 Jan 2025 12:24:28 +0000 (+0100)
Subject: libcli/security: add py_claims_tf_policy_{parse_rules,wrap_xml}()
X-Git-Tag: tevent-0.17.0~792
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8f92e716979843dfc05ffc912c649028ffef9eb;p=thirdparty%2Fsamba.git

libcli/security: add py_claims_tf_policy_{parse_rules,wrap_xml}()

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/libcli/security/pysecurity.c b/libcli/security/pysecurity.c
index 037d43c62f0..dd3b4b92a9d 100644
--- a/libcli/security/pysecurity.c
+++ b/libcli/security/pysecurity.c
@@ -23,6 +23,8 @@
 #include "python/modules.h"
 #include "libcli/util/pyerrors.h"
 #include "libcli/security/security.h"
+#include "libcli/security/claims_transformation.h"
+#include "source4/librpc/rpc/pyrpc_util.h"
 #include "pytalloc.h"
 
 static PyObject *py_se_access_check(PyObject *module, PyObject *args, PyObject *kwargs)
@@ -68,11 +70,133 @@ static PyObject *py_se_access_check(PyObject *module, PyObject *args, PyObject *
 	return PyLong_FromLong(access_granted);
 }
 
+static PyObject *py_claims_tf_policy_parse_rules(PyObject *self,
+						  PyObject *args,
+						  PyObject *kwargs)
+{
+	TALLOC_CTX *frame = NULL;
+	PyObject *py_rules = NULL;
+	const char * const kwnames[] = {
+		"rules",
+		"strip_xml",
+		NULL
+	};
+	PyObject *py_ret = NULL;
+	int strip_xml = 0;
+	const char *rules_str = NULL;
+	DATA_BLOB rules_blob = { .length = 0, };
+	struct claims_tf_rule_set *rule_set = NULL;
+	char *err_str = NULL;
+	bool ok;
+
+	ok = PyArg_ParseTupleAndKeywords(args, kwargs, "O|$p",
+					 discard_const_p(char *, kwnames),
+					 &py_rules,
+					 &strip_xml);
+	if (!ok) {
+		return NULL;
+	}
+
+	rules_str = PyUnicode_AsUTF8(py_rules);
+	if (rules_str == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
+	rules_blob = data_blob_string_const(rules_str);
+
+	if (strip_xml != 0) {
+		DATA_BLOB xml_blob = rules_blob;
+
+		ok = claims_tf_policy_unwrap_xml(&xml_blob,
+						 &rules_blob);
+		if (!ok) {
+			PyErr_SetString(PyExc_ValueError,
+					"Invalid XML formatting");
+			return NULL;
+		}
+	}
+
+	frame = talloc_stackframe();
+
+	ok = claims_tf_rule_set_parse_blob(&rules_blob, frame, &rule_set, &err_str);
+	if (!ok) {
+		PyErr_Format(PyExc_RuntimeError,
+			     "Invalid Rules: %s",
+			     err_str != NULL ?
+			     err_str :
+			     "");
+		TALLOC_FREE(frame);
+		return NULL;
+	}
+
+	py_ret = py_return_ndr_struct("samba.dcerpc.claims",
+				      "tf_rule_set",
+				      rule_set,
+				      rule_set);
+	TALLOC_FREE(frame);
+	return py_ret;
+}
+
+static PyObject *py_claims_tf_policy_wrap_xml(PyObject *self,
+					      PyObject *args,
+					      PyObject *kwargs)
+{
+	PyObject *py_rules = NULL;
+	const char * const kwnames[] = {
+		"rules",
+		NULL
+	};
+	PyObject *py_ret = NULL;
+	const char *rules_str = NULL;
+	char *xml_str = NULL;
+	bool ok;
+
+	ok = PyArg_ParseTupleAndKeywords(args, kwargs, "O",
+					 discard_const_p(char *, kwnames),
+					 &py_rules);
+	if (!ok) {
+		return NULL;
+	}
+
+	rules_str = PyUnicode_AsUTF8(py_rules);
+	if (rules_str == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
+	xml_str = claims_tf_policy_wrap_xml(NULL, rules_str);
+	if (xml_str == NULL) {
+		if (errno == EINVAL) {
+			PyErr_SetString(PyExc_ValueError,
+					"Invalid Rules String");
+			return NULL;
+		}
+
+		PyErr_NoMemory();
+		return NULL;
+	}
+
+	py_ret = PyUnicode_FromString(xml_str);
+	TALLOC_FREE(xml_str);
+	return py_ret;
+}
+
 static PyMethodDef py_security_methods[] = {
 	{ "access_check", PY_DISCARD_FUNC_SIG(PyCFunction, py_se_access_check), METH_VARARGS|METH_KEYWORDS, "access_check(security_descriptor, token, access_desired) -> access_granted. Raises NT_STATUS on error, including on access check failure, returns access granted bitmask"},
+	{ "claims_tf_policy_parse_rules",
+	  (PyCFunction)py_claims_tf_policy_parse_rules,
+	  METH_VARARGS | METH_KEYWORDS,
+	  PyDoc_STR("claims_tf_policy_parse_rules(rules_string [, strip_xml])"
+		    " -> samba.dcerpc.claims.tf_rule_set") },
+	{ "claims_tf_policy_wrap_xml",
+	  (PyCFunction)py_claims_tf_policy_wrap_xml,
+	  METH_VARARGS | METH_KEYWORDS,
+	  PyDoc_STR("claims_tf_policy_wrap_xml(rules_string)"
+		    " -> xml_str") },
 	{0},
 };
diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index d23d3a1268d..d6b133d1a87 100644
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
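Review bot: In both py_claims_tf_policy_parse_rules and py_claims_tf_policy_wrap_xml the `rules_str == NULL` branch calls PyErr_NoMemory() after PyUnicode_AsUTF8() has already set the real exception, so a non-str argument (the "O" format accepts any object) or a string with lone surrogates is reported as MemoryError instead of TypeError/UnicodeEncodeError, and the UTF-8 buffer is then passed to data_blob_string_const(), which stops at the first NUL, so a rules string with an embedded NUL is silently truncated before it reaches the parser. Parsing with `"s|$p"` (and `"s"` in wrap_xml) directly into `&rules_str` and dropping the PyUnicode_AsUTF8 block gives the type check for free and raises ValueError on embedded NULs; the pointer stays valid because the argument object is owned by the caller. Separately, wrap_xml tests `errno == EINVAL` without clearing errno first; unless claims_tf_policy_wrap_xml() is guaranteed to set errno on every failure (not visible in this hunk), an `errno = 0;` immediately before the call avoids turning a stale EINVAL into a misleading ValueError.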
@@ -17,9 +17,10 @@ bld.SAMBA_LIBRARY('samba-security',
                   deps='stable_sort talloc ndr NDR_SECURITY NDR_CONDITIONAL_ACE')
 
 pytalloc_util = bld.pyembed_libname('pytalloc-util')
+pyrpc_util = bld.pyembed_libname('pyrpc_util')
 
 bld.SAMBA_PYTHON('pysecurity',
                  source='pysecurity.c',
-                 deps='samba-security %s' % pytalloc_util,
+                 deps='samba-security %s %s' % (pytalloc_util, pyrpc_util),
                  realname='samba/security.so'
                  )