librpc/idl:security: add claims flag indicating orderly and unique members

The same flag will be used in conditional ACE composites, and on
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures derived from wire
claims and resource attribute ACEs, when we know we have checked the
claim has no duplicate values.

Resource Attribute ACEs contain CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1
at rest, but we are not going to set the flag there on the off chance
that the ACE could fly off to another application and have another
application specific meaning there. We will only check for uniqueness
and set the flag on ephemeral copies of resource claims during access
check operations.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/librpc/idl/conditional_ace.idl b/librpc/idl/conditional_ace.idl
index 55ec367144482d7255b4dab5ff44cd90721e5f1d..60b8966055abebf5bee5e98476a59f042af7e7e9 100644 (file)
--- a/librpc/idl/conditional_ace.idl
+++ b/librpc/idl/conditional_ace.idl
@@ -401,10 +401,23 @@ interface conditional_ace
        /*
         * Flags for ace_condition_token.flags field.
         *
-        * The following two flags from security claims are used:
+        * The following flags from security claims are used:
+        *
+        * CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE        = 1
+        * CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE   = 2
+        *
+        * CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED      = 1 << 30
+        *
+        * The first two of these are used on the wire in
+        * CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures, while the
+        * latter is in an application specific range that is not
+        * seen on the wire. It is used to indicate that a composite
+        * token contains no duplicate values, which is supposed to
+        * be true for composite values from claims (including from
+        * resource attribute ACEs), but not literal composites. It's
+        * expensive to check, so this flag helps us avoid extra work
+        * can avoid doing it over and over if we remember.
         *
-        * const uint8 CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE      = 1;
-        * const uint8 CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 2;
         *
         * CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR is set when a token
         * value on the stack is set from an attribute lookup.

diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 6a7f54fcb0780d53377ad9e365d8da907b34569e..d572c8bfbfdd6dfba69b81a701e84d10f95c51ce 100644 (file)
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -636,6 +636,28 @@ interface security
                CLAIM_SECURITY_ATTRIBUTE_MANUAL                 =    1 << 16,
                CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED         =    1 << 17,
 
+               /*
+                * As the quote from [MS-DTYP] 2.4.10.1 above says,
+                * the upper 14 bits are for application-specific
+                * data. In Samba's case, we have one application
+                * specific flag to help us remember when we have
+                * sorted a claim and checked that it contains no
+                * duplicate values. We need to check this, and the
+                * check can be expensive, so it helps to remember.
+                * Having the values sorted is useful for comparisons
+                * in conditional ACEs.
+                *
+                * We can't just sort every claim_v1 we see, because
+                * resource attribute ACEs in SACLs contain them and
+                * are not meant to be evaluated prematurely (i.e. you
+                * can parse and reserialise a SACL even if it
+                * contains an ACE that would cause an error when used
+                * as a claim).
+                *
+                * In the case of string claims, evaluating uniqueness
+                * depends on the _CASE_SENSITIVE flag.
+                */
+               CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED     =    1 << 30,
                /*
                 * Conditional ACEs use some of the above flags in
                 * combination with an internal one defined in