Example #1
0
        public void DenyTrusteeOnGroupTarget(string trusteeName, string requestorName, string targetDomain)
        {
            ISecurityPrincipal trustee = directory.GetPrincipal(trusteeName);
            IUser requestor            = directory.GetUser(requestorName);

            IComputer computer1 = directory.GetComputer($"{targetDomain}\\PC1");
            IComputer computer2 = directory.GetComputer($"{targetDomain}\\PC2");
            IGroup    group1    = directory.GetGroup($"{targetDomain}\\G-DL-PC1");
            IGroup    group2    = directory.GetGroup($"{targetDomain}\\G-DL-PC2");

            var namingContext = directory.TranslateName(targetDomain + "\\", Interop.DsNameFormat.Nt4Name, Interop.DsNameFormat.DistinguishedName);

            var t1 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, $"OU=Computers,OU=LAPS Testing,{namingContext}", trustee);
            var t2 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, $"OU=LAPS Testing,{namingContext}", trustee);
            var t3 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, $"{namingContext}", trustee);
            var t4 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, $"OU=JIT Groups,OU=LAPS Testing,{namingContext}", trustee);
            var t5 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, computer1, trustee);
            var t6 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, computer2, trustee);
            var t7 = CreateTarget(AccessMask.None, AccessMask.LocalAdminPassword, group1, trustee);
            var t8 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, group2, trustee);

            var options = SetupOptions(t1, t2, t3, t4, t5, t6, t7, t8);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);
            var result = builder.GetAuthorizationInformation(requestor, computer1);

            CollectionAssert.AreEquivalent(new[] { t1, t2, t5, t3 }, result.SuccessfulLapsTargets);
            Assert.AreEqual(AccessMask.None, result.EffectiveAccess);
        }
Example #2
0
        public void TestAclAuthorizationOnOUTarget(string username, string computerName, string targetOU, AccessMask allowed, AccessMask denied, AccessMask expected)
        {
            IUser     user     = directory.GetUser(username);
            IComputer computer = directory.GetComputer(computerName);

            var options = SetupOptionsForOUTarget(allowed, denied, targetOU, user);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);
            var result = builder.GetAuthorizationInformation(user, computer);

            Assert.AreEqual(expected, result.EffectiveAccess);
        }
Example #3
0
        public void GroupCanAccessComputer(string requestorName, string trusteeName, string computerName)
        {
            IUser requestor             = directory.GetUser(requestorName);
            ISecurityPrincipal trustee  = directory.GetPrincipal(trusteeName);
            IComputer          computer = directory.GetComputer(computerName);

            var t1 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, computer, trustee);

            var options = SetupOptions(t1);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);
            var result = builder.GetAuthorizationInformation(requestor, computer);

            CollectionAssert.AreEquivalent(new[] { t1 }, result.SuccessfulLapsTargets);
            Assert.AreEqual(AccessMask.LocalAdminPassword, result.EffectiveAccess);
        }