libcli/security: note suboptimality of conditional ACE Contains operators

The Contains and Any_of operators could use a sorted comparison like
compare_composites_via_sort(), rather than O(n²) nested loops. But
that would involve amount of quite fiddly work that I am not starting
on now.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 319b3ed421717573f33aef2c98c6903c632b0d88..1876b52c141380a2dd00b513ba6e568285852098 100644 (file)
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -1960,6 +1960,10 @@ static bool contains_operator(const struct ace_condition_token *lhs,
         *
         * Both the lhs or rhs can be solitary objects or composites.
         * This makes it a bit fiddlier.
+        *
+        * NOTE: this operator does not take advantage of the
+        * CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED flag. It could, but it
+        * doesn't.
         */
        if (lhs->type == CONDITIONAL_ACE_TOKEN_COMPOSITE) {
                struct ace_condition_composite candidates = lhs->data.composite;