python: get rid of pointless empty overridden methods

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: Use constants from hresult.h for python constants

This encourages us to keep a single source for constants.

In the future this should be a generated python file like for ntstatus.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python: move HRES_SEC_* constants to samba module

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: tests: make HRES_SEC_E_* constant an int

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: PEP275: docstrings should always use double quotes

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: fix missing colon around param in docstring

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 30 01:03:29 UTC 2023 on atb-devel-224

lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key()

Our code won’t use this, but NIST’s test vectors are based on handing a
fixed buffer to the key derivation function.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output key lengths

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Clean up HMAC handle in one place

This is less error prone than having to ensure it’s cleaned up in every
error path.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Add missing call to gnutls_hmac_deinit()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Add common out path to samba_gnutls_sp800_108_derive_key()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Split out core of samba_gnutls_sp800_108_derive_key()

We are going to need to alter the structure of this function a little
bit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Add tests for samba_gnutls_sp800_108_derive_key()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Add samba_gnutls_sp800_108_derive_key()

Rename smb2_key_derivation() to samba_gnutls_sp800_108_derive_key() and
move it to GNUTLS_HELPERS.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Remove unused variable

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/smb: Add ‘algorithm’ parameter to smb2_key_derivation()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/auth: Return more consistent status code on gnutls HMAC failure

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/gensec: Return more consistent status codes on gnutls hashing failure

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:utils: Use correct enumeration constant

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:utils: Remove trailing whitespace

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli: Call correct function to get HMAC output length

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli: Remove trailing whitespace

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/smb: Call correct function to get HMAC output length

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/auth: Call correct function to get HMAC output length

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/auth: Use correct enumeration constant

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/smb: Include missing headers

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Remove knownfail entries for non‐existent tests

The corresponding tests were removed in commit
938afb8b28973b0065cc3509b70ebe3f6986de47.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc:ndr: Use correct libndr flags type

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc:ndr: Remove trailing whitespace

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml: Add missing closing parenthesis

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pidl: Make sure to cast whole expressions

$cvar could be an expression such as ‘1 << 10’. In such cases this cast
presumably was intended to apply to the entire expression, not just to
the ‘1’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

conditional_ace.idl: Fix undefined shift

If ‘int’ is a 32‐bit type, then 1 << 31 cannot be represented in an
‘int’, and this shift will invoke undefined behaviour.

We have got away with this so far because of a Pidl bug that changed the
expression to ‘(uint32_t)1 << 31’, which is valid. But that bug is about
to be fixed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pidl: Fix subscripts of dereferenced arrays

Pidl will generate code like the following:

py_out_2 = PyLong_FromLong((uint16_t)*r->out.out[out_cntr_2]);

As the array subscripting operator has a higher precedence than the
indirection (derference) operator, the argument will be evaluated as
(uint16_t)*(r->out.out[out_cntr_2]), which is wrong.

Fix Pidl to generate the following code instead:

py_out_2 = PyLong_FromLong((uint16_t)(*r->out.out)[out_cntr_2]);

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pidl: Remove unneeded casts

_pytalloc_get_ptr() returns ‘void *’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pidl: Fix grammar in warning message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pidl: Remove trailing whitespace

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pidl: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party: Update waf to version 2.0.26

https://gitlab.com/ita1024/waf/-/blob/waf-2.0.26/ChangeLog

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 29 10:47:00 UTC 2023 on atb-devel-224

tests: claims blackbox: add device and server silo restrictions test

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 29 04:15:27 UTC 2023 on atb-devel-224

python: tests: claims blackbox tests use ntstatus constants

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

tests: claims blackbox: use raw strings rather than escaping \

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

tests: claims: blackbox device tests

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: Run samba.tests.gensec in an enviroment build also with MIT Krb5

We would like confidence that the FAST hooks work with both implementations.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python/tests: Add test for creds.set_krb5_fast_credentials()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python/tests: Lock in key-word arguments as key-word only in samba.tests.gssapi

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python/tests: Import samba.gensec, not gensec

This allows this function to be used by gensec.py (a test) without collision.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

auth/credentials: Add Python bindings for association of a connection for FAST

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

auth/credentials: Add API to allow requesting a Kerberos ticket to be protected with FAST

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

build: Add build time detection for the MIT FAST ccache API

This will allow us to link against an older system Heimdal.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

third_party/heimdal: Provide krb5_init_creds_opt_set_fast_ccache() and krb5_init_creds_opt_set_fast_flags() (import lorikeet-heimdal-202311290114 (commit 4c8517e161396330c76240bf09609a0dd5f9ea20))

It is easier for external callers to manipulate the krb5_get_init_creds_opt
(via the helpers) as this is passed down from higher up than the krb5_init_creds_context.

And just as importantly, alignment with MIT makes end-user callers happier.

Finally, this resolves the ambiguity as to which layer owns the
krb5_ccache, because now we match the MIT behaviour the init_creds code
re-opens a private copy inside libkrb5, meaning the caller closes the
cache it opened, rather than handing it over to the library.

(The unrelated changes are fixes to the test_pac test, also included in this import,
but in distinct lorikeet-heimdal commits, to allow it to compile)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

libcli/security: note suboptimality of conditional ACE Contains operators

The Contains and Any_of operators could use a sorted comparison like
compare_composites_via_sort(), rather than O(n²) nested loops. But
that would involve amount of quite fiddly work that I am not starting
on now.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224

libcli/security: comparability check: claim members are of one type

We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: shift comparability check to shortcut exits

The ordinary comparison path, using the sorted arrays, already implicitly
checks for comparability. We only need this when we're leaving early.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: add shortcuts for conditional ACE compare

If the number of members does not match in certain ways we can
say the sets are not equal without comparing the members.

We first need to check for comparability, though, so that we can return
an error if things aren't comparable.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: improve conditional ACE composite comparison

We had the comparison method wrong. Composites are compared as sets or
flabby sets, depending on their origin. Until now we compared them as
something a bit like sets, but not quite, in a maximally inefficient way.

Claims are always sets, and the left hand side is always a claim, but
literal composites on the right hand side can be multi-sets
(containing duplicate values). When it comes to comparison, composites
are reduced down to sets. To do the comparison we sort each side and
compare in order.

The fact that either side might ask for case-sensitive comparison (if
it is a claim) is an interesting complication.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: separate out claim_v1_to_ace_composite_unchecked()

For SDDL Resource ACE conversions we don't want to check too much
claim validity so that a semi-invalid ACE can round-trip through
deserialisation and serialisation. This is because Windows allows it,
but also because if the check puts the values in a sorted order that
makes the round-trip less round (that is, the return string is
semantically the same but possibly different in byte order).

The validity we're talking about is mostly uniqueness. For example
`S:(RA;;;;;WD;("foo",TU,0,7,5,7))` has two 7s, and that would be
invalid as a claim, but this is not checked while in ACE form.

On the other hand `S:(RA;;;;;WD;("foo",TU,0,3,2))` is valid, but the
return string will have 3 and 2 reversed when the check is made. We
prefer the ACE to stay the same while it is just being an ACE.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: avoid leak on SDDL encode failure

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: claim_v1_to_ace_token(): avoid unnecessary re-sort

If it is a wire claim (which is probably most common), the checking
and sorting has already happened. We don't need to make a copy to
sort and check.

In either case, there is still a copy step to make the conditional ACE
token.

This shuffles around some knownfails because the claim_v1_copy()
function we were using is checking for duplicates, which we don't
always want. That will be fixed soon.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: add_claim_to_token() re-sorts/checks claims

This function is used in tests and fuzzing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: resource attribute claims use claim_v1_check_and_sort()

Because RA ACEs live a double life, sometimes being ACEs and sometimes
being claims, we make a copy of the claim strucutre for sorting and
further use in conditional ACEs.

We don't need to do that for wire claims, because they are not
persistent or forwarded on to somewhere else.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: wire claim conversion uses claim_v1_check_and_sort()

This roughly returns things to where they were a few commits ago, with
the claims being checked for uniqueness.

The difference is the claims will be sorted afterwards, and the
uniqueness check will be far more efficient on large claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: claim_v1_check_and_sort(): add all types

To manage this sort we need a qsort_r-like sort context which holds:

a) the value type,
b) a case sensitive flag for the string compare, and
c) a return flag indicating a failure. Failures are not picked up until
   after the sort finishes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: begin claim_v1_check_and_sort with Boolean checks

claim_v1_check_and_sort() is meant to sort the claim values and check
that there are no duplicates, as well as making some value checks.

In order to ease into the idea, we look first at the case where the claim
has Boolean values. There are only two values allowed, which limits the
length of a valid claim set and means we only really need to "sort" in
the {1, 0} case, which we rewrite in place as {0, 1}.

That's what will happen with other types: we'll sort in-place, make
some checks on values, set flags, and return an error if there are
duplicates or value errors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: don't allow two NULL string claims

This restores the behaviour with regard to duplicate NULL strings that
existed before the last commit. I'm putting it separately, because it
seems so strange, and I not entirely certain the behaviour is
intentional.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: wire claims conversion: remove strings uniqueness check

This changes the behaviour when one of the strings is NULL. Previously
a single NULL string would be ignored, and two would cause an error.
That will be restored in the next commit.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: int wire claims drop uniqueness check

And we allocate all the values together as an array, because
we might as well.

This and the next couple of commits might look like steps backwards,
and they are, but they allow us to get a run-up to leap over a big
fence.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: simplify wire claim conversion mem, 3/3: rm tmp_ctx

The interstitial tmp_ctx now does nothing but be interstitial, so
let's get rid of it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: simplify wire claim conversion mem, 2/3: one tree

These values would have leaked in the event of failure (but only onto
the caller mem_ctx, which might be fleeting -- especially as its
security token is now failing).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: simplify wire claim conversion mem, 1/3: avoid NULL parent

The reason for this, apart from weighing up possible over-allocations
vs realloc costs, is in the first iteration of the loop,

       claim_values = talloc_array(claims,

would allocate onto NULL, which leaks.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: conditional_ace_claims tests large composite comparisons

Our composite comparisons are currently all wrong.

Soon they will be fixed, but we are going to have an inflection point
where we switch from the naive compare-everything approach to a sort
based comparison, and we want to test both sides. Also, we use these
tests for a little bit of timing, which reveals it is all fast enough.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security/sddl: improve some SDDL error messages

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: conditional_ace_claims: write_c_test_on_failure() copes with claims

*copes badly, but better than crashing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: token_factory note that a flag is not set

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: token_factory copes with empty claims

We don't have a good story yet with regard to empty claims, but we at
least want to be able to create them in tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: token_factory claims can have case_sensitive flag

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: token_factory separate out list_to_claim() helper

This is so conditional_ace_claims test can create claim objects which
can e.g. have the case sensitive flag set.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: sddl_conditional_ace: check a talloc_new()

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: conditional ACE sddl writers take const tokens

We don't change these when writing the SDDL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/security:CA: tokens_are_comparable() accepts NULL operator

In some circumstances we are going to know general comparability
without having an operator around to use.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: CA: tokens_are_comparable() considers the obvious

Existing callers already make this check, but we are soon going to use
it in contexts that don't.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: add test_claims_conversion

These are unit tests for converting wire claims into sorted claims v1
structures.

These are based from packets derived from the krb5.conditional_ace
tests, and currently don't test more than they do, but they work about
a hundred thousand times quicker.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: test_run_conditional_ace tests more comparisons

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: test_run_conditional_ace can set debug levels

No -d, just `bin/test_run_conditional_ace 3`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/idl:security: add claims flag indicating orderly and unique members

The same flag will be used in conditional ACE composites, and on
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures derived from wire
claims and resource attribute ACEs, when we know we have checked the
claim has no duplicate values.

Resource Attribute ACEs contain CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1
at rest, but we are not going to set the flag there on the off chance
that the ACE could fly off to another application and have another
application specific meaning there. We will only check for uniqueness
and set the flag on ephemeral copies of resource claims during access
check operations.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/idl:security: add a couple of claims flags

We don't use these.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/idl:condtional_ace: shift CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR to last bit

This region is "available for application-specific data" in the
CLAIM_SECURITY_ATTRIBUTE_ space, according to [MS-DTYP] 2.4.10.1,
so it nicer to use that, even though we are not actually setting the
flag on the V1 claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/idl:conditional_ace: make a flags field 32 bit

This allows it to align with
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1.flags, with which it shares
values and will soon share more.

It was 16 bit because we needed few flags, and at one point .type was
8 bit, so 16 bits packed nicely into a smaller struct.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: remove redundant claim SID size check

blob_string_sid_to_sid() immediately checks the size is within 5-191, so the 1-10000
just gives you a different message in chircumstances you'll never see.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: avoid leak when converting SID claims

Apart from the leak fix, this is faster and stricter, not accepting
SID string buffers with trailing garbage ("S-1-2-3qwerty" would have
been accepted, but not now).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3: smbd: Allow fchmod from the NFS-style mode ACL in set_nt_acl() for a SMB2 POSIX handle.

To set a mode, send a one-element ACL.

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 27 19:31:01 UTC 2023 on atb-devel-224

smbd: bring back "smb3 unix extensions" option

This basically reverts commit b3cae8dcf192f65031f143e5bb9135c895611d98
with a few important differences:

* SMB3 UNIX extensions are always built, but disabled by default at runtime.

* They are globally enabled in the fileserver test environment.

* It's now a per-share option, so admins can selectively disable them
  on a per-share basis. This allows clients to detect early that a share
  doesn't support user mount requested POSIX and fail appropiately, passing
  the failure to the requesting application (mount command).

Signed-off-by: Ralph Boehme <slow@samba.org>

smbd: factor out smb2_negotiate_context_process_posix()

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: tweak POSIX check in smbd_do_qfilepathinfo()

This check is only needed for SMB2, so check for that, and in the SMB2 codepath
we'll always have a valid fsp, so we can drop that check.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: check is POSIX is enabled on the fsp in fsinfo_unix_valid_level()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: pass fsp to fsinfo_unix_valid_level()

We need the fsp down in fsinfo_unix_valid_level(), pass it down.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: pass fsp to smbd_do_qfsinfo()

We need the fsp down in fsinfo_unix_valid_level(), start passing it down.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: leave comment on broken SMB1 POSIX open handling of SMB_O_DIRECT

Since e0814dc5082dd4ecca8a155e0ce24b073158fd92 the passed in attributes get
replaced by the mode in create_file_default().

As FILE_FLAG_NO_BUFFERING is never checked when doing the final IO, it doesn't
really matter.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>