libcli/security: Hook in ability to disable conditional ACE evaluation

Signed-off-by: Andrew Bartlett <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>

libcli/security/access_check.c

@@ -220,6 +220,22 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 	bool am_owner = false;
 	bool have_owner_rights_ace = false;
 
+	switch (token->evaluate_claims) {
+	case CLAIMS_EVALUATION_INVALID_STATE:
+		if (token->num_local_claims > 0 ||
+		    token->num_user_claims > 0 ||
+		    token->num_device_claims > 0 ||
+		    token->num_device_sids > 0) {
+			DBG_WARNING("Refusing to evaluate token with claims or device SIDs but also "
+				    "with CLAIMS_EVALUATION_INVALID_STATE\n");
+			return NT_STATUS_INVALID_TOKEN;
+		}
+		break;
+	case CLAIMS_EVALUATION_ALWAYS:
+	case CLAIMS_EVALUATION_NEVER:
+		break;
+	}
+
 	*access_granted = access_desired;
 	bits_remaining = access_desired;
 
@@ -314,6 +330,30 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 			break;
 
 		case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
+		{
+			bool evaluate_claims = true;
+			switch (token->evaluate_claims) {
+			case CLAIMS_EVALUATION_INVALID_STATE:
+				DBG_WARNING("Refusing to evaluate ACL with "
+					    "conditional ACE against security "
+					    "token with CLAIMS_EVALUATION_INVALID_STATE\n");
+				return NT_STATUS_INVALID_ACE_CONDITION;
+			case CLAIMS_EVALUATION_NEVER:
+				evaluate_claims = false;
+				break;
+			case CLAIMS_EVALUATION_ALWAYS:
+				evaluate_claims = true;
+				break;
+			}
+
+			if (!evaluate_claims) {
+				/*
+				 * We are asked to pretend we never
+				 * understood this ACE type
+				 */
+				break;
+			}
+
 			status = check_callback_ace_access(ace, token, sd,
 							   &callback_ok);
 
@@ -324,7 +364,33 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 				bits_remaining &= ~ace->access_mask;
 			}
 			break;
+		}
+
 		case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
+		{
+			bool evaluate_claims = true;
+			switch (token->evaluate_claims) {
+			case CLAIMS_EVALUATION_INVALID_STATE:
+				DBG_WARNING("Refusing to evaluate ACL with "
+					    "conditional ACE against security "
+					    "token with CLAIMS_EVALUATION_INVALID_STATE\n");
+				return NT_STATUS_INVALID_ACE_CONDITION;
+			case CLAIMS_EVALUATION_NEVER:
+				evaluate_claims = false;
+				break;
+			case CLAIMS_EVALUATION_ALWAYS:
+				evaluate_claims = true;
+				break;
+			}
+
+			if (!evaluate_claims) {
+				/*
+				 * We are asked to pretend we never
+				 * understood this ACE type
+				 */
+				break;
+			}
+
 			status = check_callback_ace_access(ace, token, sd,
 							   &callback_ok);
 
@@ -335,6 +401,7 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 				explicitly_denied_bits |= (bits_remaining & ace->access_mask);
 			}
 			break;
+		}
 
 		case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
 			explicitly_denied_bits |= (bits_remaining & ace->access_mask);

selftest/knownfail.d/conditional-ace-token

@@ -0,0 +1,41 @@
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_resource_and_user_attr
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_resource_attr
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_user_attr
+^samba.unittests.run_conditional_ace.test_composite_mixed_types
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim_2
+^samba.unittests.run_conditional_ace.test_not_Not_Any_of_1
+^samba.unittests.run_conditional_ace.test_not_any_of_composite_1
+^samba.unittests.run_conditional_ace.test_resource_ace_single
+^samba.unittests.run_conditional_ace.test_horrible_fuzz_derived_test_3
+^samba.unittests.run_conditional_ace.test_Device_Member_of_and_Member_of
+^samba.unittests.run_conditional_ace.test_resource_ace_multi
+^samba.unittests.run_conditional_ace.test_resource_ace_multi_any_of
+^samba.unittests.run_conditional_ace.test_user_claim_eq_device_claim
+^samba.unittests.run_conditional_ace.test_device_claim_comtains_resource_claim
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim
+^samba.unittests.run_conditional_ace.test_Device_claim_contains_Resource_claim
+^samba.unittests.run_conditional_ace.test_not_Not_Contains_1
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of_fail
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of
+^samba.unittests.run_conditional_ace.test_not_not_not_not_not_not_not_not_not_not_Not_Member_of
+^samba.unittests.run_conditional_ace.test_not_any_of_1_fail
+^samba.unittests.run_conditional_ace.test_not_any_of_1
+^samba.unittests.run_conditional_ace.test_not_contains_1
+^samba.unittests.run_conditional_ace.test_not_contains_1_fail
+^samba.unittests.run_conditional_ace.test_any_of_1_fail
+^samba.unittests.run_conditional_ace.test_any_of_1
+^samba.unittests.run_conditional_ace.test_any_of
+^samba.unittests.run_conditional_ace.test_any_of_match_last
+^samba.unittests.run_conditional_ace.test_contains_incomplete
+^samba.unittests.run_conditional_ace.test_contains
+^samba.unittests.run_conditional_ace.test_contains_1
+^samba.unittests.run_conditional_ace.test_contains_1_fail
+^samba.unittests.run_conditional_ace.test_device_claims_composite
+^samba.unittests.run_conditional_ace.test_claim_name_different_case
+^samba.unittests.run_conditional_ace.test_claim_name_different_case_case_flag
+^samba.unittests.run_conditional_ace.test_different_case_with_case_sensitive_flag
+^samba.unittests.run_conditional_ace.test_composite_different_order
+^samba.unittests.run_conditional_ace.test_different_case
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes
+^samba.unittests.run_conditional_ace.test_more_values_not_equal