public ETypeNegotiationRestriction(KrbAuthorizationData authz)
: base(authz?.Type ?? 0, AuthorizationDataType.AdETypeNegotiation)
{
var etypes = KrbETypeList.Decode(authz.Data);
this.ETypes = new List <EncryptionType>(etypes.List);
}
private void ShowAuthorizationData(string title, KrbAuthorizationData auth)
{
if (auth != null)
{
AADKerberosLogger.Save($" {title}.Type: {auth.Type}");
AADKerberosLogger.Save($" {title}.Data.Length: {auth.Data.Length}");
AADKerberosLogger.Save($" {title}.Data.Value:");
AADKerberosLogger.PrintBinaryData(auth.Data.ToArray());
}
}
public KerbAuthDataTokenRestriction(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.KerbAuthDataTokenRestrictions)
{
var restriction = KrbAuthorizationDataSequence.Decode(authz.Data);
foreach (var data in restriction.AuthorizationData)
{
RestrictionType = (int)data.Type;
Restriction = new LsapTokenInfoIntegrity(data.Data.ToArray());
break;
}
}
private void DecodePac(DecryptedKrbApReq krbApReq, List <Claim> claims, KrbAuthorizationData authz)
{
var pac = new PrivilegedAttributeCertificate(authz.Data.ToArray());
if (!pac.HasRequiredFields)
{
return;
}
if (validator.ValidateAfterDecrypt.HasFlag(ValidationActions.Pac))
{
ValidatePacSignature(pac, krbApReq.SName);
}
MergeAttributes(krbApReq.Ticket, pac, claims);
}
private void DecodeAdIfRelevant(
DecryptedKrbApReq krbApReq,
List <Claim> claims,
KrbAuthorizationData authData,
List <Restriction> restrictions
)
{
var adif = authData.DecodeAdIfRelevant();
foreach (var authz in adif)
{
switch (authz.Type)
{
case AuthorizationDataType.AdIfRelevant:
DecodeAdIfRelevant(krbApReq, claims, authz, restrictions);
break;
case AuthorizationDataType.AdWin2kPac:
DecodePac(krbApReq, claims, authz, restrictions);
break;
case AuthorizationDataType.AdETypeNegotiation:
restrictions.Add(new ETypeNegotiationRestriction(authz));
break;
case AuthorizationDataType.KerbAuthDataTokenRestrictions:
restrictions.Add(new KerbAuthDataTokenRestriction(authz));
break;
case AuthorizationDataType.KerbApOptions:
restrictions.Add(new KerbApOptionsRestriction(authz));
break;
case AuthorizationDataType.KerbLocal:
restrictions.Add(new KerbLocalRestriction(authz));
break;
case AuthorizationDataType.KerbServiceTarget:
restrictions.Add(new KerbServiceTargetRestriction(authz));
break;
default:
Debug.WriteLine($"Unknown authorization-data type {authData.Type} \r\n{authData.Data.DumpHex()}");
break;
}
}
}
private void DecodePac(DecryptedKrbApReq krbApReq, List <Claim> claims, KrbAuthorizationData authz, List <Restriction> restrictions)
{
var pac = new PrivilegedAttributeCertificate(authz, SignatureMode.Server);
if (!pac.HasRequiredFields)
{
return;
}
if (this.validator.ValidateAfterDecrypt.HasFlag(ValidationActions.Pac))
{
this.ValidatePacSignature(pac, krbApReq.SName);
}
this.MergeAttributes(krbApReq.Ticket, pac, claims);
restrictions.Add(pac);
}
public KerbApOptionsRestriction(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.KerbApOptions)
{
Options = (ApOptions)authz.Data.AsLong(littleEndian: true);
}
public KerbLocalRestriction(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.KerbLocal)
{
Value = authz.Data.ToArray();
}
public KerbServiceTargetRestriction(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.KerbServiceTarget)
{
ServiceName = Encoding.Unicode.GetString(authz.Data.ToArray());
}
public KerbLocalRestriction(KrbAuthorizationData authz)
: base(authz?.Type ?? 0, AuthorizationDataType.KerbLocal)
{
this.Value = new ReadOnlySequence <byte>(authz.Data);
}
public KerbApOptionsRestriction(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.KerbApOptions)
{
Options = (ApOptions)BinaryPrimitives.ReadInt32LittleEndian(authz.Data.Span);
}
public KerbServiceTargetRestriction(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.KerbServiceTarget)
{
ServiceName = MemoryMarshal.Cast <byte, char>(authz.Data.Span).ToString();
}
