protected virtual void AddGroups(PrivilegedAttributeCertificate pac, ICollection <Claim> claims)
{
var logonInfo = pac.LogonInfo;
if (logonInfo == null)
{
return;
}
var domainSid = logonInfo.DomainSid.Value;
foreach (var g in logonInfo.GroupSids)
{
var sid = g.Value;
claims.Add(new Claim(ClaimTypes.GroupSid, sid));
if (sid.StartsWith(domainSid))
{
var friendly = SecurityIdentifierNames.GetFriendlyName(sid, domainSid);
if (!sid.Equals(friendly, StringComparison.OrdinalIgnoreCase))
{
claims.Add(new Claim(ClaimTypes.Role, friendly));
}
}
}
}
private static void AddSids(ICollection <Claim> claims, string domainSid, IEnumerable <SecurityIdentifier> sids)
{
foreach (var g in sids)
{
var sid = g.Value;
claims.Add(new Claim(ClaimTypes.GroupSid, sid));
if (sid.StartsWith(domainSid, StringComparison.OrdinalIgnoreCase))
{
var friendly = SecurityIdentifierNames.GetFriendlyName(sid, domainSid);
if (!string.IsNullOrWhiteSpace(friendly))
{
claims.Add(new Claim(ClaimTypes.Role, friendly));
}
}
}
}
internal void DescribeTicket(KerberosIdentity identity)
{
this.WriteLine();
var adpac = identity.Restrictions.FirstOrDefault(r => r.Key == AuthorizationDataType.AdWin2kPac);
var pac = (PrivilegedAttributeCertificate)adpac.Value?.FirstOrDefault();
var properties = new List <(string, object)>()
{
(SR.Resource("CommandLine_WhoAmI_UserName"), $"{identity.Name}"),
};
if (this.All || this.Logon)
{
var objects = new object[]
{
pac.LogonInfo,
pac.ClientInformation,
pac.DelegationInformation,
pac.UpnDomainInformation,
pac.CredentialType
};
GetObjectProperties(objects, properties);
}
if (this.All || this.Claims)
{
var others = new List <Claim>();
foreach (var claim in identity.Claims)
{
if (claim.Type == ClaimTypes.Role || claim.Type == ClaimTypes.GroupSid)
{
continue;
}
else
{
others.Add(claim);
}
}
properties.Add(("", SR.Resource("CommandLine_WhoAmI_Claims")));
foreach (var claim in others)
{
properties.Add((CollapseSchemaUrl(claim.Type), claim.Value));
}
}
this.WriteProperties(properties);
if (this.All || this.Groups)
{
this.WriteLine();
this.WriteHeader(SR.Resource("CommandLine_WhoAmI_Groups"));
this.WriteLine();
var certSids = new List <SecurityIdentifier>();
if (pac.CredentialType != null)
{
certSids.Add(SecurityIdentifier.WellKnown.ThisOrganizationCertificate);
}
var sids = certSids.Union(pac.LogonInfo.ExtraSids).Union(pac.LogonInfo.GroupSids).Union(pac.LogonInfo.ResourceGroups).Select(s => new
{
Sid = s,
Name = SecurityIdentifierNames.GetFriendlyName(s.Value, pac.LogonInfo.DomainSid.Value)
});
var max = sids.Max(s => s.Sid.Value.Length);
var maxName = sids.Max(s => s.Name?.Length ?? 0);
foreach (var group in sids.OrderBy(c => c.Sid.Value))
{
this.WriteLine(1, string.Format("{0} {1} {{Attr}}", (group.Name ?? "").PadRight(maxName), group.Sid.Value.PadRight(max)), group.Sid.Attributes);
}
}
}