/// <summary>
/// Evaluates whether the DACL fulfills the given AdRoleAssertion and returns the list of unsatisfied AceAssertions
/// (if any).
/// If the assertor was constructed with {@code searchGroups = true} and the roleAssertion specifies a user,
/// then
/// all group SIDs contained in the roleAssertion will be tested for potential matches in the DACL if any
/// rights are
/// not directly granted to the user. Also, the 'Everyone' AD group will also be scanned.
/// Denied rights are now detected and included in the resulting list.
/// @param roleAssertion
/// the AdRoleAssertion to test
/// @return List of unsatisfied AceAssertions (if any). Empty if none.
/// </summary>
private List <AceAssertion> FindUnsatisfiedAssertions(AdRoleAssertion roleAssertion)
{
var acesBySIDMap = new Dictionary <string, List <Ace> >();
for (var i = 0; i < this.dacl.GetAceCount(); i++)
{
Ace ace = this.dacl.GetAce(i);
if (ace.GetSid() != null)
{
if (!acesBySIDMap.ContainsKey(ace.GetSid().ToString()))
{
acesBySIDMap.Add(ace.GetSid().ToString(), new List <Ace>());
}
acesBySIDMap[ace.GetSid().ToString()].Add(ace);
}
}
// Find any roleAssertion ACEs not matched in the DACL.
// Not using Java 8 or other libs for this to keep dependencies of ADSDDL as is.
// ------------------------------
var unsatisfiedAssertions = new List <AceAssertion>(roleAssertion.GetAssertions());
var deniedAssertions = new List <AceAssertion>();
SID principal = roleAssertion.GetPrincipal();
if (acesBySIDMap.ContainsKey(principal.ToString()))
{
this.FindUnmatchedAssertions(acesBySIDMap[principal.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
}
// There may be denials on groups even if we resolved all assertions - search groups if specified
if (this.searchGroups)
{
if (roleAssertion.IsGroup())
{
this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
this.MergeDenials(unsatisfiedAssertions, deniedAssertions);
return(unsatisfiedAssertions);
}
List <SID> tokenGroupSiDs = roleAssertion.GetTokenGroups();
if (tokenGroupSiDs == null)
{
this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
this.MergeDenials(unsatisfiedAssertions, deniedAssertions);
return(unsatisfiedAssertions);
}
foreach (SID grpSID in tokenGroupSiDs.Where(grpSID => acesBySIDMap.ContainsKey(grpSID.ToString())))
{
this.FindUnmatchedAssertions(acesBySIDMap[grpSID.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
}
this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions());
}
this.MergeDenials(unsatisfiedAssertions, deniedAssertions);
return(unsatisfiedAssertions);
}
/// <summary>
/// Compares the object DACL located by the searchFilter against the specified AdRoleAssertion, and
/// determines whether
/// that assertion's principal is granted all the rights which the assertion contains.
/// When comparing ACEs of the DACL, only those of AceType.ACCESS_ALLOWED_ACE_TYPE or
/// AceType.ACCESS_ALLOWED_OBJECT_ACE_TYPE will be considered for satisfying an AceAssertion of
/// the roleAssertion.
/// Once completed, any unsatisfied assertions can be obtained by calling getUnsatisfiedAssertions}.
/// Denied rights are now detected and included in the result, if they are determined to override
/// satisfied rights.
/// @param roleAssertion
/// the AdRoleAssertion
/// @return true if the DACL fulfills the claims of the roleAssertion, false otherwise.
/// @throws CommunicationException
/// if the context for searching the DACL is invalid or the domain cannot be reached
/// @throws NameNotFoundException
/// if the DACL search fails
/// @throws NamingException
/// if extracting the DACL fails or another JNDI issue occurs
/// @throws SizeLimitExceededException
/// if more than one AD object found during DACL search
/// </summary>
public bool DoAssert(AdRoleAssertion roleAssertion)
{
if (roleAssertion.GetPrincipal() == null)
{
return(false);
}
if (this.dacl == null)
{
if (this.ldapContext == null)
{
return(false);
}
this.GetDacl();
}
this.unsatisfiedAssertions = this.FindUnsatisfiedAssertions(roleAssertion);
return(this.unsatisfiedAssertions.Count == 0);
}