libcli/security: comparability check: claim members are of one type

We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 883eaf94027e3c02d1b8eae44dee00046a9e2f11..319b3ed421717573f33aef2c98c6903c632b0d88 100644 (file)
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -1717,7 +1717,18 @@ static bool composite_is_comparable(const struct ace_condition_token *tok,
         */
        size_t i;
        const struct ace_condition_composite *rc = &comp->data.composite;
-       for (i = 0; i < rc->n_members; i++) {
+       size_t n = rc->n_members;
+
+       if ((comp->flags & CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED) &&
+           n > 1) {
+               /*
+                * all members are known to be the same type, so we
+                * can just check one.
+                */
+               n = 1;
+       }
+
+       for (i = 0; i < n; i++) {
                if (! tokens_are_comparable(NULL,
                                            tok,
                                            &rc->tokens[i])) {