Exemple #1
0
        /// <summary>
        ///     Evaluates whether the DACL fulfills the given AdRoleAssertion and returns the list of unsatisfied AceAssertions
        ///     (if any).
        ///     If the assertor was constructed with {@code searchGroups = true} and the roleAssertion specifies a user,
        ///     then
        ///     all group SIDs contained in the roleAssertion will be tested for potential matches in the DACL if any
        ///     rights are
        ///     not directly granted to the user. Also, the 'Everyone' AD group will also be scanned.
        ///     Denied rights are now detected and included in the resulting list.
        ///     @param roleAssertion
        ///     the AdRoleAssertion to test
        ///     @return List of unsatisfied AceAssertions (if any). Empty if none.
        /// </summary>
        private List <AceAssertion> FindUnsatisfiedAssertions(AdRoleAssertion roleAssertion)
        {
            var acesBySIDMap = new Dictionary <string, List <Ace> >();

            for (var i = 0; i < this.dacl.GetAceCount(); i++)
            {
                Ace ace = this.dacl.GetAce(i);
                if (ace.GetSid() != null)
                {
                    if (!acesBySIDMap.ContainsKey(ace.GetSid().ToString()))
                    {
                        acesBySIDMap.Add(ace.GetSid().ToString(), new List <Ace>());
                    }

                    acesBySIDMap[ace.GetSid().ToString()].Add(ace);
                }
            }

            // Find any roleAssertion ACEs not matched in the DACL.
            // Not using Java 8 or other libs for this to keep dependencies of ADSDDL as is.
            // ------------------------------
            var unsatisfiedAssertions = new List <AceAssertion>(roleAssertion.GetAssertions());
            var deniedAssertions      = new List <AceAssertion>();
            SID principal             = roleAssertion.GetPrincipal();

            if (acesBySIDMap.ContainsKey(principal.ToString()))
            {
                this.FindUnmatchedAssertions(acesBySIDMap[principal.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
            }

            // There may be denials on groups even if we resolved all assertions - search groups if specified
            if (this.searchGroups)
            {
                if (roleAssertion.IsGroup())
                {
                    this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
                    this.MergeDenials(unsatisfiedAssertions, deniedAssertions);
                    return(unsatisfiedAssertions);
                }

                List <SID> tokenGroupSiDs = roleAssertion.GetTokenGroups();
                if (tokenGroupSiDs == null)
                {
                    this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
                    this.MergeDenials(unsatisfiedAssertions, deniedAssertions);
                    return(unsatisfiedAssertions);
                }

                foreach (SID grpSID in tokenGroupSiDs.Where(grpSID => acesBySIDMap.ContainsKey(grpSID.ToString())))
                {
                    this.FindUnmatchedAssertions(acesBySIDMap[grpSID.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
                }

                this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
            }

            this.MergeDenials(unsatisfiedAssertions, deniedAssertions);

            return(unsatisfiedAssertions);
        }
Exemple #2
0
        /// <summary>
        ///     Compares the object DACL located by the searchFilter against the specified AdRoleAssertion, and
        ///     determines whether
        ///     that assertion's principal is granted all the rights which the assertion contains.
        ///     When comparing ACEs of the DACL, only those of AceType.ACCESS_ALLOWED_ACE_TYPE or
        ///     AceType.ACCESS_ALLOWED_OBJECT_ACE_TYPE will be considered for satisfying an AceAssertion of
        ///     the roleAssertion.
        ///     Once completed, any unsatisfied assertions can be obtained by calling getUnsatisfiedAssertions}.
        ///     Denied rights are now detected and included in the result, if they are determined to override
        ///     satisfied rights.
        ///     @param roleAssertion
        ///     the AdRoleAssertion
        ///     @return true if the DACL fulfills the claims of the roleAssertion, false otherwise.
        ///     @throws CommunicationException
        ///     if the context for searching the DACL is invalid or the domain cannot be reached
        ///     @throws NameNotFoundException
        ///     if the DACL search fails
        ///     @throws NamingException
        ///     if extracting the DACL fails or another JNDI issue occurs
        ///     @throws SizeLimitExceededException
        ///     if more than one AD object found during DACL search
        /// </summary>
        public bool DoAssert(AdRoleAssertion roleAssertion)
        {
            if (roleAssertion.GetPrincipal() == null)
            {
                return(false);
            }

            if (this.dacl == null)
            {
                if (this.ldapContext == null)
                {
                    return(false);
                }
                this.GetDacl();
            }

            this.unsatisfiedAssertions = this.FindUnsatisfiedAssertions(roleAssertion);
            return(this.unsatisfiedAssertions.Count == 0);
        }