From 2eb00c0bba5ed1abaa15c1511c6012da56a78604 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 23 Nov 2023 13:03:15 +1300
Subject: [PATCH] libcli/security: comparability check: claim members are of
 one type

We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 libcli/security/conditional_ace.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 883eaf94027..319b3ed4217 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -1717,7 +1717,18 @@ static bool composite_is_comparable(const struct ace_condition_token *tok,
 	 */
 	size_t i;
 	const struct ace_condition_composite *rc = &comp->data.composite;
-	for (i = 0; i < rc->n_members; i++) {
+	size_t n = rc->n_members;
+
+	if ((comp->flags & CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED) &&
+	    n > 1) {
+		/*
+		 * all members are known to be the same type, so we
+		 * can just check one.
+		 */
+		n = 1;
+	}
+
+	for (i = 0; i < n; i++) {
 		if (! tokens_are_comparable(NULL,
 					    tok,
 					    &rc->tokens[i])) {
-- 
2.47.3