/// <summary>
/// Checks which configured targets <see cref="AuthorizationInformationBuilder"/> reports as applying to PC1.
/// The expected set is the three nested container targets (OU=Computers, OU=LAPS Testing and the domain
/// root), the target scoped to PC1 itself and the target scoped to G-DL-PC1; the JIT Groups OU, PC2 and
/// G-DL-PC2 targets must be excluded. The result is compared without regard to order.
/// </summary>
/// <param name="targetDomain">NT4-style domain name used to resolve the fixture objects (user1, PC1, PC2, G-DL-PC1, G-DL-PC2).</param>
public void GetMatchingTargetsForComputer(string targetDomain)
{
    var allow = AccessMask.LocalAdminPassword;
    var deny = AccessMask.None;

    ISecurityPrincipal trustee = directory.GetPrincipal($"{targetDomain}\\user1");
    IComputer pc1 = directory.GetComputer($"{targetDomain}\\PC1");
    IComputer pc2 = directory.GetComputer($"{targetDomain}\\PC2");
    IGroup pc1Group = directory.GetGroup($"{targetDomain}\\G-DL-PC1");
    IGroup pc2Group = directory.GetGroup($"{targetDomain}\\G-DL-PC2");

    // Translate the NT4 domain name into its naming context so the OU targets can be expressed as absolute DNs.
    var domainDn = directory.TranslateName($"{targetDomain}\\", Interop.DsNameFormat.Nt4Name, Interop.DsNameFormat.DistinguishedName);
    var lapsTestingOu = $"OU=LAPS Testing,{domainDn}";
    var computersOu = $"OU=Computers,{lapsTestingOu}";
    var jitGroupsOu = $"OU=JIT Groups,{lapsTestingOu}";

    // Container-scoped targets, from most specific to the domain root.
    var computersOuTarget = CreateTarget(allow, deny, computersOu, trustee);
    var lapsTestingOuTarget = CreateTarget(allow, deny, lapsTestingOu, trustee);
    var domainTarget = CreateTarget(allow, deny, $"{domainDn}", trustee);
    var jitGroupsOuTarget = CreateTarget(allow, deny, jitGroupsOu, trustee);

    // Object-scoped targets: two computers and two groups, only one of each relating to PC1.
    var pc1Target = CreateTarget(allow, deny, pc1, trustee);
    var pc2Target = CreateTarget(allow, deny, pc2, trustee);
    var pc1GroupTarget = CreateTarget(allow, deny, pc1Group, trustee);
    var pc2GroupTarget = CreateTarget(allow, deny, pc2Group, trustee);

    var options = SetupOptions(
        computersOuTarget, lapsTestingOuTarget, domainTarget, jitGroupsOuTarget,
        pc1Target, pc2Target, pc1GroupTarget, pc2GroupTarget);

    builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

    var expected = new[] { computersOuTarget, lapsTestingOuTarget, domainTarget, pc1Target, pc1GroupTarget };
    CollectionAssert.AreEquivalent(expected, builder.GetMatchingTargetsForComputer(pc1));
}
/// <summary>
/// Verifies that a deny entry on a group-scoped target wins over allow entries elsewhere. Every container
/// and computer target grants LocalAdminPassword to the trustee, but the target scoped to G-DL-PC1 denies it;
/// the builder must report <c>EffectiveAccess == AccessMask.None</c> for PC1 while still listing the granting
/// targets (the three containers and the PC1 target) in <c>SuccessfulLapsTargets</c>.
/// </summary>
/// <param name="trusteeName">Principal the targets are granted to or denied for.</param>
/// <param name="requestorName">User whose access to PC1 is evaluated.</param>
/// <param name="targetDomain">NT4-style domain name used to resolve PC1, PC2, G-DL-PC1 and G-DL-PC2.</param>
public void DenyTrusteeOnGroupTarget(string trusteeName, string requestorName, string targetDomain)
{
    var allow = AccessMask.LocalAdminPassword;
    var deny = AccessMask.None;

    ISecurityPrincipal trustee = directory.GetPrincipal(trusteeName);
    IUser requestor = directory.GetUser(requestorName);
    IComputer pc1 = directory.GetComputer($"{targetDomain}\\PC1");
    IComputer pc2 = directory.GetComputer($"{targetDomain}\\PC2");
    IGroup pc1Group = directory.GetGroup($"{targetDomain}\\G-DL-PC1");
    IGroup pc2Group = directory.GetGroup($"{targetDomain}\\G-DL-PC2");

    // Resolve the domain naming context so container targets can be written as absolute DNs.
    var domainDn = directory.TranslateName($"{targetDomain}\\", Interop.DsNameFormat.Nt4Name, Interop.DsNameFormat.DistinguishedName);
    var lapsTestingOu = $"OU=LAPS Testing,{domainDn}";
    var computersOu = $"OU=Computers,{lapsTestingOu}";
    var jitGroupsOu = $"OU=JIT Groups,{lapsTestingOu}";

    var computersOuTarget = CreateTarget(allow, deny, computersOu, trustee);
    var lapsTestingOuTarget = CreateTarget(allow, deny, lapsTestingOu, trustee);
    var domainTarget = CreateTarget(allow, deny, $"{domainDn}", trustee);
    var jitGroupsOuTarget = CreateTarget(allow, deny, jitGroupsOu, trustee);
    var pc1Target = CreateTarget(allow, deny, pc1, trustee);
    var pc2Target = CreateTarget(allow, deny, pc2, trustee);

    // The only deny in the set: allowed mask None, denied mask LocalAdminPassword, scoped to G-DL-PC1.
    var pc1GroupDenyTarget = CreateTarget(AccessMask.None, AccessMask.LocalAdminPassword, pc1Group, trustee);
    var pc2GroupTarget = CreateTarget(allow, deny, pc2Group, trustee);

    var options = SetupOptions(
        computersOuTarget, lapsTestingOuTarget, domainTarget, jitGroupsOuTarget,
        pc1Target, pc2Target, pc1GroupDenyTarget, pc2GroupTarget);

    builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);
    var result = builder.GetAuthorizationInformation(requestor, pc1);

    // Granting targets are still reported, but the deny on the group leaves no effective access.
    var expectedSuccessful = new[] { computersOuTarget, lapsTestingOuTarget, pc1Target, domainTarget };
    CollectionAssert.AreEquivalent(expectedSuccessful, result.SuccessfulLapsTargets);
    Assert.AreEqual(AccessMask.None, result.EffectiveAccess);
}
/// <summary>
/// Parametrised check of the effective access computed for a single OU-scoped target: the target grants
/// <paramref name="allowed"/> and denies <paramref name="denied"/> to <paramref name="username"/>, and the
/// builder's <c>EffectiveAccess</c> for <paramref name="computerName"/> must equal <paramref name="expected"/>.
/// </summary>
/// <param name="username">User that is both the trustee on the target and the requestor.</param>
/// <param name="computerName">Computer whose access is evaluated.</param>
/// <param name="targetOU">Distinguished name of the OU the target is scoped to.</param>
/// <param name="allowed">Access mask granted by the target.</param>
/// <param name="denied">Access mask denied by the target.</param>
/// <param name="expected">Effective access the builder is expected to report.</param>
public void TestAclAuthorizationOnOUTarget(string username, string computerName, string targetOU, AccessMask allowed, AccessMask denied, AccessMask expected)
{
    IUser requestor = directory.GetUser(username);
    IComputer subject = directory.GetComputer(computerName);

    // The requesting user is also the trustee on the OU target.
    var options = SetupOptionsForOUTarget(allowed, denied, targetOU, requestor);
    builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

    var actual = builder.GetAuthorizationInformation(requestor, subject).EffectiveAccess;
    Assert.AreEqual(expected, actual);
}
/// <summary>
/// Verifies that a single computer-scoped target granting LocalAdminPassword to <paramref name="trusteeName"/>
/// yields LocalAdminPassword as the effective access for <paramref name="requestorName"/>, and that this one
/// target is the only entry in <c>SuccessfulLapsTargets</c>. The test-case data presumably supplies a trustee
/// group that the requestor belongs to (hence the name); membership itself is not set up here.
/// </summary>
/// <param name="requestorName">User whose access is evaluated.</param>
/// <param name="trusteeName">Principal (expected to be a group) the target grants access to.</param>
/// <param name="computerName">Computer the target is scoped to and that access is evaluated for.</param>
public void GroupCanAccessComputer(string requestorName, string trusteeName, string computerName)
{
    IUser requestor = directory.GetUser(requestorName);
    ISecurityPrincipal trustee = directory.GetPrincipal(trusteeName);
    IComputer subject = directory.GetComputer(computerName);

    var computerTarget = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, subject, trustee);
    var options = SetupOptions(computerTarget);
    builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

    var result = builder.GetAuthorizationInformation(requestor, subject);

    CollectionAssert.AreEquivalent(new[] { computerTarget }, result.SuccessfulLapsTargets);
    Assert.AreEqual(AccessMask.LocalAdminPassword, result.EffectiveAccess);
}
/// <summary>
/// Verifies the order in which matching container targets are returned for PC1: the deepest container
/// (OU=Computers,OU=LAPS Testing) first, then its parent OU, then the domain root. The JIT Groups OU target
/// does not apply to PC1 and must be absent. Unlike the other tests this uses an order-sensitive comparison.
/// Fixture names are hard-coded to the IDMDEV1 lab domain.
/// </summary>
/// <remarks>
/// NOTE(review): this file also contains a second <c>ValidateTargetSortOrder()</c> with the same signature
/// (constant-based fixtures and a different builder constructor); two such methods cannot coexist in one
/// class, so these presumably come from different revisions — confirm which one is current.
/// </remarks>
public void ValidateTargetSortOrder()
{
    var allow = AccessMask.LocalAdminPassword;
    var deny = AccessMask.None;

    ISecurityPrincipal trustee = directory.GetPrincipal("IDMDEV1\\user1");
    IComputer pc1 = directory.GetComputer("IDMDEV1\\PC1");

    // Targets are created deliberately out of depth order so the sort is exercised.
    var lapsTestingOuTarget = CreateTarget(allow, deny, "OU=LAPS Testing,DC=IDMDEV1,DC=LOCAL", trustee);
    var domainTarget = CreateTarget(allow, deny, "DC=IDMDEV1,DC=LOCAL", trustee);
    var computersOuTarget = CreateTarget(allow, deny, "OU=Computers,OU=LAPS Testing,DC=IDMDEV1,DC=LOCAL", trustee);
    var jitGroupsOuTarget = CreateTarget(allow, deny, "OU=JIT Groups,OU=LAPS Testing,DC=IDMDEV1,DC=LOCAL", trustee);

    var options = SetupOptions(lapsTestingOuTarget, domainTarget, computersOuTarget, jitGroupsOuTarget);
    builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

    // Most specific container first, domain root last; the non-matching JIT Groups OU is excluded.
    var expectedOrder = new[] { computersOuTarget, lapsTestingOuTarget, domainTarget };
    CollectionAssert.AreEqual(expectedOrder, builder.GetMatchingTargetsForComputer(pc1));
}
/// <summary>
/// Verifies the order in which matching container targets are returned for the DEV PC1 fixture by
/// <c>targetDataProvider.GetMatchingTargetsForComputer</c>: the Computers OU target first, then the
/// AMS Testing OU target, then the domain-root target. The JIT Groups OU target must not appear.
/// The comparison is order-sensitive. Fixture names come from the <c>C</c> constants class.
/// </summary>
/// <remarks>
/// NOTE(review): this file also contains an earlier <c>ValidateTargetSortOrder()</c> with hard-coded IDMDEV1
/// DNs and a different builder constructor; the two cannot coexist in one class, so they presumably belong
/// to different revisions — confirm which one is current.
/// </remarks>
public void ValidateTargetSortOrder()
{
    var allow = AccessMask.LocalAdminPassword;
    var deny = AccessMask.None;

    ISecurityPrincipal trustee = directory.GetPrincipal(C.DEV_User1);
    IComputer pc1 = directory.GetComputer(C.DEV_PC1);

    // Created out of depth order on purpose so the provider's sorting is what is being checked.
    var amsTestingOuTarget = CreateTarget(allow, deny, C.AmsTesting_DevDN, trustee);
    var domainTarget = CreateTarget(allow, deny, C.DevDN, trustee);
    var computersOuTarget = CreateTarget(allow, deny, C.Computers_AmsTesting_DevDN, trustee);
    var jitGroupsOuTarget = CreateTarget(allow, deny, C.JitGroups_AmsTesting_DevDN, trustee);

    var options = SetupOptions(amsTestingOuTarget, domainTarget, computersOuTarget, jitGroupsOuTarget);

    // The builder is constructed for parity with the other tests; the assertion goes through targetDataProvider directly.
    builder = new AuthorizationInformationBuilder(options, logger, powershell, cache, targetDataProvider, authorizationContextProvider, licenseManager);

    var expectedOrder = new[] { computersOuTarget, amsTestingOuTarget, domainTarget };
    var actualOrder = targetDataProvider.GetMatchingTargetsForComputer(pc1, options.Value.ComputerTargets);
    CollectionAssert.AreEqual(expectedOrder, actualOrder);
}