Example #1
0
        /// <summary>
        ///     Evaluates whether the DACL fulfills the given AdRoleAssertion and returns the list of unsatisfied AceAssertions
        ///     (if any).
        ///     If the assertor was constructed with {@code searchGroups = true} and the roleAssertion specifies a user,
        ///     then
        ///     all group SIDs contained in the roleAssertion will be tested for potential matches in the DACL if any
        ///     rights are
        ///     not directly granted to the user. Also, the 'Everyone' AD group will also be scanned.
        ///     Denied rights are now detected and included in the resulting list.
        ///     @param roleAssertion
        ///     the AdRoleAssertion to test
        ///     @return List of unsatisfied AceAssertions (if any). Empty if none.
        /// </summary>
        private List <AceAssertion> FindUnsatisfiedAssertions(AdRoleAssertion roleAssertion)
        {
            var acesBySIDMap = new Dictionary <string, List <Ace> >();

            for (var i = 0; i < this.dacl.GetAceCount(); i++)
            {
                Ace ace = this.dacl.GetAce(i);
                if (ace.GetSid() != null)
                {
                    if (!acesBySIDMap.ContainsKey(ace.GetSid().ToString()))
                    {
                        acesBySIDMap.Add(ace.GetSid().ToString(), new List <Ace>());
                    }

                    acesBySIDMap[ace.GetSid().ToString()].Add(ace);
                }
            }

            // Find any roleAssertion ACEs not matched in the DACL.
            // Not using Java 8 or other libs for this to keep dependencies of ADSDDL as is.
            // ------------------------------
            var unsatisfiedAssertions = new List <AceAssertion>(roleAssertion.GetAssertions());
            var deniedAssertions      = new List <AceAssertion>();
            SID principal             = roleAssertion.GetPrincipal();

            if (acesBySIDMap.ContainsKey(principal.ToString()))
            {
                this.FindUnmatchedAssertions(acesBySIDMap[principal.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
            }

            // There may be denials on groups even if we resolved all assertions - search groups if specified
            if (this.searchGroups)
            {
                if (roleAssertion.IsGroup())
                {
                    this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
                    this.MergeDenials(unsatisfiedAssertions, deniedAssertions);
                    return(unsatisfiedAssertions);
                }

                List <SID> tokenGroupSiDs = roleAssertion.GetTokenGroups();
                if (tokenGroupSiDs == null)
                {
                    this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
                    this.MergeDenials(unsatisfiedAssertions, deniedAssertions);
                    return(unsatisfiedAssertions);
                }

                foreach (SID grpSID in tokenGroupSiDs.Where(grpSID => acesBySIDMap.ContainsKey(grpSID.ToString())))
                {
                    this.FindUnmatchedAssertions(acesBySIDMap[grpSID.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
                }

                this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
            }

            this.MergeDenials(unsatisfiedAssertions, deniedAssertions);

            return(unsatisfiedAssertions);
        }
Example #2
0
        /// <summary>
        ///     Check if user canot change password.
        ///     @param sddl SSDL.
        ///     @return <tt>true</tt> if user cannot change password: <tt>false</tt> otherwise.
        /// </summary>
        public static bool IsUserCannotChangePassword(Sddl sddl)
        {
            var res = false;

            List <Ace> aces = sddl.GetDacl().GetAces();

            for (var i = 0; !res && i < aces.Count; i++)
            {
                Ace ace = aces[i];

                if (ace.GetAceType() == AceType.AccessDeniedObjectAceType &&
                    ace.GetObjectFlags().GetFlags().Contains(AceObjectFlags.Flag.AceObjectTypePresent))
                {
                    if (ace.GetObjectType() == ucpObjectGuid)
                    {
                        SID sid = ace.GetSid();
                        if (sid.GetSubAuthorities().Count == 1)
                        {
                            if (sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }) &&
                                sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00 }) ||
                                sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 }) &&
                                sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x0a }))
                            {
                                res = true;
                            }
                        }
                    }
                }
            }

            return(res);
        }
Example #3
0
        /// <summary>
        ///     Set "User Cannot Change Password ACL".
        ///     @param sddl SDDL.
        ///     @param cannot <tt>true</tt> to set the ACL; <tt>false</tt> to unset.
        ///     @return updated SDDL.
        /// </summary>
        public static Sddl UserCannotChangePassword(Sddl sddl, bool cannot)
        {
            AceType type = cannot ? AceType.AccessDeniedObjectAceType : AceType.AccessAllowedObjectAceType;

            Ace self = null;
            Ace all  = null;

            List <Ace> aces = sddl.GetDacl().GetAces();

            for (var i = 0; (all == null || self == null) && i < aces.Count; i++)
            {
                Ace ace = aces[i];

                if ((ace.GetAceType() == AceType.AccessAllowedObjectAceType ||
                     ace.GetAceType() == AceType.AccessDeniedObjectAceType) &&
                    ace.GetObjectFlags().GetFlags().Contains(AceObjectFlags.Flag.AceObjectTypePresent))
                {
                    if (ace.GetObjectType() == ucpObjectGuid)
                    {
                        SID sid = ace.GetSid();
                        if (sid.GetSubAuthorities().Count == 1)
                        {
                            if (self == null &&
                                sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }) &&
                                sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00 }))
                            {
                                self = ace;
                                self.SetType(type);
                            }
                            else if (all == null &&
                                     sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 }) &&
                                     sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x0a }))
                            {
                                all = ace;
                                all.SetType(type);
                            }
                        }
                    }
                }
            }

            if (self == null)
            {
                // prepare aces
                self = Ace.NewInstance(type);
                self.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent));
                self.SetObjectType(ucpObjectGuid);
                self.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr));
                SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000001, 6));
                sid.AddSubAuthority(NumberFacility.GetBytes(0));
                self.SetSid(sid);
                sddl.GetDacl().GetAces().Add(self);
            }

            if (all == null)
            {
                all = Ace.NewInstance(type);
                all.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent));
                all.SetObjectType(ucpObjectGuid);
                all.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr));
                SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000005, 6));
                sid.AddSubAuthority(NumberFacility.GetBytes(0x0A));
                all.SetSid(sid);
                sddl.GetDacl().GetAces().Add(all);
            }

            return(sddl);
        }