public CommonSecurityDescriptor GenerateSecurityDescriptor(SecurityIdentifier sid, PowerShellAuthorizationResponse result)
{
AccessMask allowedAccess = 0;
AccessMask deniedAccess = 0;
if (result.IsLocalAdminPasswordAllowed)
{
allowedAccess |= AccessMask.LocalAdminPassword;
}
if (result.IsLocalAdminPasswordHistoryAllowed)
{
allowedAccess |= AccessMask.LocalAdminPasswordHistory;
}
if (result.IsJitAllowed)
{
allowedAccess |= AccessMask.Jit;
}
if (result.IsLocalAdminPasswordDenied)
{
deniedAccess |= AccessMask.LocalAdminPassword;
}
if (result.IsLocalAdminPasswordHistoryDenied)
{
deniedAccess |= AccessMask.LocalAdminPasswordHistory;
}
if (result.IsJitDenied)
{
deniedAccess |= AccessMask.Jit;
}
DiscretionaryAcl dacl;
if (allowedAccess > 0 && deniedAccess > 0)
{
dacl = new DiscretionaryAcl(false, false, 2);
}
else if (allowedAccess > 0 || deniedAccess > 0)
{
dacl = new DiscretionaryAcl(false, false, 1);
}
else
{
dacl = new DiscretionaryAcl(false, false, 0);
}
if (allowedAccess > 0)
{
dacl.AddAccess(AccessControlType.Allow, sid, (int)allowedAccess, InheritanceFlags.None, PropagationFlags.None);
}
if (deniedAccess > 0)
{
dacl.AddAccess(AccessControlType.Deny, sid, (int)deniedAccess, InheritanceFlags.None, PropagationFlags.None);
}
return(new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl));
}
private PowerShellAuthorizationResponse GetAuthorizationResponse(string script, IUser user, IComputer computer, int timeout)
{
PowerShell powershell = this.sessionProvider.GetSession(script, "Get-AuthorizationResponse");
powershell.AddCommand("Get-AuthorizationResponse")
.AddParameter("user", this.ToPSObject(user))
.AddParameter("computer", this.ToPSObject(computer));
Task <PowerShellAuthorizationResponse> task = new Task <PowerShellAuthorizationResponse>(() =>
{
var results = powershell.Invoke();
powershell.ThrowOnPipelineError();
foreach (PSObject result in results)
{
if (result.BaseObject is PowerShellAuthorizationResponse res)
{
return(res);
}
if (result.Properties[nameof(res.IsLocalAdminPasswordAllowed)] == null &&
result.Properties[nameof(res.IsLocalAdminPasswordDenied)] == null &&
result.Properties[nameof(res.IsLocalAdminPasswordHistoryAllowed)] == null &&
result.Properties[nameof(res.IsLocalAdminPasswordHistoryDenied)] == null &&
result.Properties[nameof(res.IsJitAllowed)] == null &&
result.Properties[nameof(res.IsJitDenied)] == null)
{
continue;
}
res = new PowerShellAuthorizationResponse();
res.IsLocalAdminPasswordAllowed = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordAllowed)]?.Value ?? false);
res.IsLocalAdminPasswordDenied = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordDenied)]?.Value ?? false);
res.IsLocalAdminPasswordHistoryAllowed = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordHistoryAllowed)]?.Value ?? false);
res.IsLocalAdminPasswordHistoryDenied = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordHistoryDenied)]?.Value ?? false);
res.IsJitAllowed = Convert.ToBoolean(result.Properties[nameof(res.IsJitAllowed)]?.Value ?? false);
res.IsJitDenied = Convert.ToBoolean(result.Properties[nameof(res.IsJitDenied)]?.Value ?? false);
return(res);
}
return(null);
});
task.Start();
if (!task.Wait(TimeSpan.FromSeconds(timeout)))
{
throw new TimeoutException("The PowerShell script did not complete within the configured time");
}
if (task.IsFaulted)
{
if (task.Exception != null)
{
throw task.Exception;
}
throw new AccessManagerException("The task failed");
}
if (task.Result != null)
{
this.logger.LogTrace($"PowerShell script returned the following AuthorizationResponse: {JsonConvert.SerializeObject(task.Result)}");
return(task.Result);
}
this.logger.LogWarning(EventIDs.PowerShellSDGeneratorInvalidResponse, $"The PowerShell script did not return an AuthorizationResponse");
return(new PowerShellAuthorizationResponse());
}
public CommonSecurityDescriptor GenerateSecurityDescriptor(IUser user, IComputer computer, string script, int timeout)
{
PowerShellAuthorizationResponse result = this.GetAuthorizationResponse(script, user, computer, timeout);
return(GenerateSecurityDescriptor(user.Sid, result));
}
