private AuthorizationInformation BuildAuthorizationInformation(IUser user, IComputer computer)
{
AuthorizationInformation info = new AuthorizationInformation
{
MatchedComputerTargets = this.GetMatchingTargetsForComputer(computer),
EffectiveAccess = 0,
Computer = computer,
User = user
};
if (info.MatchedComputerTargets.Count == 0)
{
return(info);
}
using AuthorizationContext c = authorizationContextProvider.GetAuthorizationContext(user, computer.Sid);
DiscretionaryAcl masterDacl = new DiscretionaryAcl(false, false, info.MatchedComputerTargets.Count);
int matchedTargetCount = 0;
foreach (var target in info.MatchedComputerTargets)
{
CommonSecurityDescriptor sd;
if (target.AuthorizationMode == AuthorizationMode.PowershellScript)
{
sd = this.powershell.GenerateSecurityDescriptor(user, computer, target.Script, 30);
}
else
{
if (string.IsNullOrWhiteSpace(target.SecurityDescriptor))
{
this.logger.LogTrace($"Ignoring target {target.Id} with empty security descriptor");
continue;
}
sd = new CommonSecurityDescriptor(false, false, new RawSecurityDescriptor(target.SecurityDescriptor));
}
if (sd == null)
{
this.logger.LogTrace($"Ignoring target {target.Id} with null security descriptor");
continue;
}
foreach (var ace in sd.DiscretionaryAcl.OfType <CommonAce>())
{
masterDacl.AddAccess(
(AccessControlType)ace.AceType,
ace.SecurityIdentifier,
ace.AccessMask,
ace.InheritanceFlags,
ace.PropagationFlags);
}
int i = matchedTargetCount;
if (c.AccessCheck(sd, (int)AccessMask.Laps))
{
info.SuccessfulLapsTargets.Add(target);
matchedTargetCount++;
}
if (c.AccessCheck(sd, (int)AccessMask.LapsHistory))
{
info.SuccessfulLapsHistoryTargets.Add(target);
matchedTargetCount++;
}
if (c.AccessCheck(sd, (int)AccessMask.Jit))
{
info.SuccessfulJitTargets.Add(target);
matchedTargetCount++;
}
// If the ACE did not grant any permissions to the user, consider it a failure response
if (i == matchedTargetCount)
{
info.FailedTargets.Add(target);
}
}
if (matchedTargetCount > 0)
{
info.SecurityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, masterDacl);
this.logger.LogTrace($"Resultant security descriptor for computer {computer.MsDsPrincipalName}: {info.SecurityDescriptor.GetSddlForm(AccessControlSections.All)}");
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Laps) ? AccessMask.Laps : 0;
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Jit) ? AccessMask.Jit : 0;
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.LapsHistory) ? AccessMask.LapsHistory : 0;
}
this.logger.LogTrace($"User {user.MsDsPrincipalName} has effective access of {info.EffectiveAccess} on computer {computer.MsDsPrincipalName}");
return(info);
}