libcli/security: begin claim_v1_check_and_sort with Boolean checks

claim_v1_check_and_sort() is meant to sort the claim values and check
that there are no duplicates, as well as making some value checks.

In order to ease into the idea, we look first at the case where the claim
has Boolean values. There are only two values allowed, which limits the
length of a valid claim set and means we only really need to "sort" in
the {1, 0} case, which we rewrite in place as {0, 1}.

That's what will happen with other types: we'll sort in-place, make
some checks on values, set flags, and return an error if there are
duplicates or value errors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index e73771e0e12bf4ad650bc725b8d56791dc699b0b..009d614770428910c669c7984e7940986041d30a 100644 (file)
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -703,6 +703,58 @@ bool add_claim_to_token(TALLOC_CTX *mem_ctx,
        return true;
 }
 
+
+static NTSTATUS claim_v1_check_and_sort_boolean(
+       TALLOC_CTX *mem_ctx,
+       struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim)
+{
+       /*
+        * There are so few valid orders in a boolean claim that we can
+        * enumerate them all.
+        */
+       switch (claim->value_count) {
+       case 0:
+               return NT_STATUS_OK;
+       case 1:
+               if (*claim->values[0].uint_value == 0 ||
+                   *claim->values[0].uint_value == 1) {
+                       return NT_STATUS_OK;
+               }
+               break;
+       case 2:
+               if (*claim->values[0].uint_value == 1) {
+                       /* switch the order. */
+                       *claim->values[0].uint_value = *claim->values[1].uint_value;
+                       *claim->values[1].uint_value = 1;
+               }
+               if (*claim->values[0].uint_value == 0 &&
+                   *claim->values[1].uint_value == 1) {
+                       return NT_STATUS_OK;
+               }
+               break;
+       default:
+               /* 3 or more must have duplicates. */
+               break;
+       }
+       return NT_STATUS_INVALID_PARAMETER;
+}
+
+
+NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx,
+                                struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim,
+                                bool case_sensitive)
+{
+       if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) {
+               NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim);
+               if (NT_STATUS_IS_OK(status)) {
+                       claim->flags |= CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED;
+               }
+               return status;
+       }
+       return NT_STATUS_OK;
+}
+
+
 NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
                                   const struct CLAIMS_SET *claims_set,
                                   struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 **out_claims,

diff --git a/libcli/security/claims-conversions.h b/libcli/security/claims-conversions.h
index caf185f17e7f30a17584d99a9729055de8a432c1..7cddced2ec0e3a8ef65398274bed6d44b4b9abb2 100644 (file)
--- a/libcli/security/claims-conversions.h
+++ b/libcli/security/claims-conversions.h
@@ -48,4 +48,9 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
                                   struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 **out_claims,
                                   uint32_t *out_n_claims);
 
+NTSTATUS claim_v1_check_and_sort(
+       TALLOC_CTX *mem_ctx,
+       struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim,
+       bool case_sensitive);
+
 #endif /* LIBCLI_SECURITY_CLAIMS_CONVERSIONS_H */