From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 2 Nov 2023 05:13:13 +0000 (+1300)
Subject: libcli/security: wire claim conversion uses claim_v1_check_and_sort()
X-Git-Tag: talloc-2.4.2~502
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8074257c3ae04f3a3c6a5e546d3c8267e1b2d05b;p=thirdparty%2Fsamba.git

libcli/security: wire claim conversion uses claim_v1_check_and_sort()

This roughly returns things to where they were a few commits ago, with
the claims being checked for uniqueness.

The difference is the claims will be sorted afterwards, and the
uniqueness check will be far more efficient on large claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index 17a4fe7d830..d6f7cde7dc5 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -897,6 +897,7 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 	uint32_t n_claims = 0;
 	uint32_t expected_n_claims = 0;
 	uint32_t i;
+	NTSTATUS status;
 
 	if (out_claims == NULL) {
 		return NT_STATUS_INVALID_PARAMETER;
@@ -1089,6 +1090,15 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 				.value_count = n_values,
 				.values = claim_values,
 			};
+
+			status = claim_v1_check_and_sort(claims, &claims[n_claims],
+							 false);
+			if (!NT_STATUS_IS_OK(status)) {
+				talloc_free(claims);
+				DBG_WARNING("claim sort and uniquess test failed with %s\n",
+					    nt_errstr(status));
+				return status;
+			}
 			n_claims++;
 		}
 	}
diff --git a/selftest/knownfail.d/krb5-conditional-aces b/selftest/knownfail.d/krb5-conditional-aces
deleted file mode 100644
index 29447379aa8..00000000000
--- a/selftest/knownfail.d/krb5-conditional-aces
+++ /dev/null
@@ -1,8 +0,0 @@
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42_42_42___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42_42___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_FOO_foo___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_foo___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_0___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_booleans_6_0_0___false_booleans_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_ints_1_0_0___zero_ints_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uints_2_0_0___zero_uints_\(ad_dc\)