/*
   Unix SMB/CIFS implementation.
   Samba utility functions

   Copyright © Catalyst

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef _CONDITIONAL_ACE_H_
#define _CONDITIONAL_ACE_H_

#include <talloc.h>
#include "lib/util/data_blob.h"

#include "librpc/gen_ndr/conditional_ace.h"


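/*
 * Forward declarations for the security types used in the prototypes
 * below.  Without a prior file-scope declaration, a struct tag that first
 * appears inside a parameter list has prototype scope only, and a caller's
 * `struct security_token *` would be a different (incompatible) type.
 * Declaring the tags here keeps this header correct regardless of what the
 * includer, or librpc/gen_ndr/conditional_ace.h, has already pulled in; it
 * is harmless if the full definitions are already visible.
 */
struct security_token;
struct security_descriptor;
struct security_ace;

/*
 * Parse the binary (wire) form of a conditional ACE's condition into an
 * ace_condition_script that run_conditional_ace() can evaluate.
 *
 * mem_ctx: talloc context the returned script is presumably allocated on.
 * data:    the raw condition bytes.  A security descriptor can be supplied
 *          by a remote client, so this blob must be treated as untrusted:
 *          every read of it is expected to be bounds-checked in the
 *          parser (confirm in conditional_ace.c).
 *
 * Presumably returns NULL on failure; callers should check.
 */
struct ace_condition_script *parse_conditional_ace(TALLOC_CTX *mem_ctx,
						   DATA_BLOB data);

/*
 * Evaluate a parsed condition for the requester's security token within
 * the security descriptor the ACE belongs to.
 *
 * The int return is the evaluation outcome; how it encodes true / false /
 * unknown / error is defined in conditional_ace.c, not here — do not
 * assume 0 means "denied" or "error" without checking.
 */
int run_conditional_ace(TALLOC_CTX *mem_ctx,
			const struct security_token *token,
			struct ace_condition_script *program,
			const struct security_descriptor *sd);

/*
 * Evaluate the condition attached to `ace` for `token` within `sd`,
 * storing the outcome in *result.
 *
 * NOTE(review): the bool return and *result are two distinct values;
 * the bool presumably reports whether evaluation itself succeeded and
 * *result the condition's outcome.  Confirm against the definition —
 * conflating the two would turn a parse/evaluation failure into an
 * access decision.
 */
bool access_check_conditional_ace(const struct security_ace *ace,
				  const struct security_token *token,
				  const struct security_descriptor *sd,
				  int *result);

/*
 * Serialise a condition script back into its binary form, filling *dest
 * (presumably allocated on mem_ctx).  Returns false on failure, if the
 * usual convention holds.
 */
bool conditional_ace_encode_binary(TALLOC_CTX *mem_ctx,
				   struct ace_condition_script *program,
				   DATA_BLOB *dest);

/*
 * Compile the SDDL text of a conditional expression into a script.
 *
 * ace_condition_flags: compile options (enum ace_condition_flags is
 *                      declared in the generated header included above).
 * sddl:                the SDDL conditional expression text.
 * message,
 * message_offset:      out-parameters, apparently a diagnostic string and
 *                      the offset into `sddl` it refers to.  Whether they
 *                      are set on success as well as failure is defined in
 *                      the .c file.
 * consumed_length:     out-parameter, apparently how much of `sddl` was
 *                      consumed, so a caller can keep parsing a larger SDDL
 *                      string after the condition.
 *
 * Presumably returns NULL on failure.
 */
struct ace_condition_script * ace_conditions_compile_sddl(TALLOC_CTX *mem_ctx,
							  const enum ace_condition_flags ace_condition_flags,
							  const char *sddl,
							  const char **message,
							  size_t *message_offset,
							  size_t *consumed_length);

/*
 * Render a script as a human-readable debugging dump, as a string
 * allocated on mem_ctx.  The format is for humans and logs, not for
 * parsing.
 */
char *debug_conditional_ace(TALLOC_CTX *mem_ctx,
			    struct ace_condition_script *program);

/*
 * Render a script back to SDDL text, as a string allocated on mem_ctx.
 * This is the inverse of ace_conditions_compile_sddl(); this header makes
 * no promise that a compile/render round trip is byte-exact.
 */
char *sddl_from_conditional_ace(TALLOC_CTX *mem_ctx,
				struct ace_condition_script *program);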

/*
 * Token classification helpers.
 *
 * These are macros, and each reads x->type and/or x->flags more than once,
 * so `x` must be a side-effect-free expression yielding a pointer to a
 * token (the token struct is presumably declared in the generated header
 * included above).  None of them tolerates a NULL pointer.
 */

/*
 * True for any of the four integer token widths.  INT64 is the expected
 * common case; the narrower widths carry an unlikely() branch hint only —
 * the result does not depend on it.
 */
#define IS_INT_TOKEN(x)							\
	((x)->type == CONDITIONAL_ACE_TOKEN_INT64 ||			\
	 unlikely((x)->type == CONDITIONAL_ACE_TOKEN_INT32) ||		\
	 unlikely((x)->type == CONDITIONAL_ACE_TOKEN_INT16) ||		\
	 unlikely((x)->type == CONDITIONAL_ACE_TOKEN_INT8))

/* True for the Samba-internal boolean result token. */
#define IS_BOOL_TOKEN(x)						\
	((x)->type == CONDITIONAL_ACE_SAMBA_RESULT_BOOL)

/*
 * True when the TOKEN_FROM_ATTR flag is *clear*.
 *
 * NOTE(review): read literally, "derived" here means "not flagged as
 * coming from an attribute", which is the opposite of what the flag's
 * name might suggest.  Confirm against where conditional_ace.c sets the
 * flag before relying on the name rather than the expression.
 */
#define IS_DERIVED_TOKEN(x)						\
	(!((x)->flags & CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR))

/*
 * True for a token that is not derived (TOKEN_FROM_ATTR set) and whose
 * type can hold a literal value: an integer, a unicode string, an octet
 * string, a SID or a composite.  The flag is tested first so the type
 * comparisons are skipped for derived tokens.
 */
#define IS_LITERAL_TOKEN(x)						\
	(!IS_DERIVED_TOKEN(x) &&					\
	 (IS_INT_TOKEN(x) ||						\
	  (x)->type == CONDITIONAL_ACE_TOKEN_UNICODE ||			\
	  (x)->type == CONDITIONAL_ACE_TOKEN_OCTET_STRING ||		\
	  (x)->type == CONDITIONAL_ACE_TOKEN_SID ||			\
	  (x)->type == CONDITIONAL_ACE_TOKEN_COMPOSITE))

/*
 * Parse an SDDL literal (as used inside a conditional ACE) into a claim
 * named `name`, allocated on mem_ctx.  `str` is text that may originate
 * from an administrator or a client-supplied SDDL string, so it should be
 * treated as untrusted input.  Presumably returns NULL on failure.
 */
struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *parse_sddl_literal_as_claim(
	TALLOC_CTX *mem_ctx,
	const char *name,
	const char *str);

/*
 * Decode the SDDL body of a resource-attribute ACE into a claim allocated
 * on mem_ctx.  *length apparently receives how much of `str` was
 * consumed, so the caller can continue parsing the rest of a larger SDDL
 * string — confirm whether it is written on failure as well.  Presumably
 * returns NULL on failure.
 */
struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *sddl_decode_resource_attr (
	TALLOC_CTX *mem_ctx,
	const char *str,
	size_t *length);

/*
 * Render a claim back into its SDDL resource-attribute form, as a string
 * allocated on mem_ctx.  Inverse of sddl_decode_resource_attr().
 */
char *sddl_resource_attr_from_claim(
	TALLOC_CTX *mem_ctx,
	const struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim);


#endif /*_CONDITIONAL_ACE_H_*/