/*
* Flags for ace_condition_token.flags field.
*
- * The following two flags from security claims are used:
+ * The following flags from security claims are used:
+ *
+ * CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE = 1
+ * CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 2
+ *
+ * CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED = 1 << 30
+ *
+ * The first two of these are used on the wire in
+ * CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures, while the
+ * latter is in an application specific range that is not
+ * seen on the wire. It is used to indicate that a composite
+ * token contains no duplicate values, which is supposed to
+ * be true for composite values from claims (including from
+ * resource attribute ACEs), but not literal composites. It's
+ * expensive to check, so this flag helps us avoid extra work
+ * can avoid doing it over and over if we remember.
*
- * const uint8 CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE = 1;
- * const uint8 CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 2;
*
* CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR is set when a token
* value on the stack is set from an attribute lookup.
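Review bot: the closing sentence of the new paragraph ("It's expensive to check, so this flag helps us avoid extra work / can avoid doing it over and over if we remember.") reads as two drafts merged together and does not parse. Suggest "It's expensive to check, so remembering the result in this flag lets us avoid doing it over and over." While here, the sentence about the application-specific range should say which side is responsible for keeping CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED off the wire (masked on push, cleared on pull of a CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1), since "not seen on the wire" is a property the code has to enforce rather than one the spec gives for free.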
CLAIM_SECURITY_ATTRIBUTE_MANUAL = 1 << 16,
CLAIM_SECURITY_ATTRIBUTE_POLICY_DERIVED = 1 << 17,
+ /*
+ * As the quote from [MS-DTYP] 2.4.10.1 above says,
+ * the upper 14 bits are for application-specific
+ * data. In Samba's case, we have one application
+ * specific flag to help us remember when we have
+ * sorted a claim and checked that it contains no
+ * duplicate values. We need to check this, and the
+ * check can be expensive, so it helps to remember.
+ * Having the values sorted is useful for comparisons
+ * in conditional ACEs.
+ *
+ * We can't just sort every claim_v1 we see, because
+ * resource attribute ACEs in SACLs contain them and
+ * are not meant to be evaluated prematurely (i.e. you
+ * can parse and reserialise a SACL even if it
+ * contains an ACE that would cause an error when used
+ * as a claim).
+ *
+ * In the case of string claims, evaluating uniqueness
+ * depends on the _CASE_SENSITIVE flag.
+ */
+ CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED = 1 << 30,
/*
* Conditional ACEs use some of the above flags in
* combination with an internal one defined in
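Review bot: the comment states that this bit is never seen on the wire, but nothing next to the definition shows where that is enforced. Two things need to hold: a token whose flags were copied from a parsed CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 must have bit 30 masked off before it is pushed back out, and a parsed blob that arrives with bit 30 already set must have it cleared on pull, otherwise an attacker-supplied claim would be trusted as sorted and duplicate-free without the expensive check ever running. Please name the function(s) that do the masking in this comment, or add a mask constant for the wire-visible bits beside this value so readers of the IDL can verify it. Also, since the last paragraph says uniqueness of string claims depends on _VALUE_CASE_SENSITIVE, it is worth stating that the flag is only valid for the case-sensitivity setting in effect when the sort was done and must be dropped if that flag is changed afterwards.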