예제 #1
        /// <summary>
        /// Verifies which of the configured targets the builder considers applicable to a single computer.
        /// Eight targets are registered for the same trustee, covering OU-scoped, computer-scoped and
        /// group-scoped entries in <paramref name="targetDomain"/>. The assertion only admits the three OUs
        /// on PC1's DN path (t1, t2, t3), the PC1 computer target (t5) and the G-DL-PC1 group target (t7).
        /// The JIT Groups OU (t4), the PC2 computer target (t6) and the G-DL-PC2 group target (t8) must be
        /// absent; an over-broad match here would expose a LAPS password to a trustee never scoped to that
        /// machine, so the exclusions are the security-relevant half of this test.
        /// </summary>
        /// <param name="targetDomain">NT4-style domain name without a trailing backslash; used to build the
        /// principal names and to resolve the domain's distinguished-name naming context.</param>
        public void GetMatchingTargetsForComputer(string targetDomain)
        {
            string domainPrefix = targetDomain + "\\";

            ISecurityPrincipal grantee = directory.GetPrincipal(domainPrefix + "user1");

            IComputer pc1 = directory.GetComputer(domainPrefix + "PC1");
            IComputer pc2 = directory.GetComputer(domainPrefix + "PC2");
            IGroup pc1Group = directory.GetGroup(domainPrefix + "G-DL-PC1");
            IGroup pc2Group = directory.GetGroup(domainPrefix + "G-DL-PC2");

            // Resolve the domain DN once; every OU-scoped target below hangs off it.
            var namingContext = directory.TranslateName(domainPrefix, Interop.DsNameFormat.Nt4Name, Interop.DsNameFormat.DistinguishedName);

            string lapsTestingOu = "OU=LAPS Testing," + namingContext;
            string computersOu = "OU=Computers," + lapsTestingOu;
            string jitGroupsOu = "OU=JIT Groups," + lapsTestingOu;

            // OU-scoped targets, from most to least specific, plus one OU that PC1 is presumably not under.
            var t1 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, computersOu, grantee);
            var t2 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, lapsTestingOu, grantee);
            var t3 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, namingContext.ToString(), grantee);
            var t4 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, jitGroupsOu, grantee);

            // Computer- and group-scoped targets; only the PC1 / G-DL-PC1 pair should apply to PC1.
            var t5 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, pc1, grantee);
            var t6 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, pc2, grantee);
            var t7 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, pc1Group, grantee);
            var t8 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, pc2Group, grantee);

            var options = SetupOptions(t1, t2, t3, t4, t5, t6, t7, t8);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

            // Order is not asserted here (AreEquivalent); ValidateTargetSortOrder covers ordering.
            var expectedMatches = new[] { t1, t2, t3, t5, t7 };
            var actualMatches = builder.GetMatchingTargetsForComputer(pc1);

            CollectionAssert.AreEquivalent(expectedMatches, actualMatches);
        }
예제 #2
        /// <summary>
        /// Verifies that an explicit deny on a group-scoped target wins over every allow that also applies to
        /// the computer. Seven targets grant LocalAdminPassword to the trustee; the G-DL-PC1 group target (t7)
        /// instead denies it. For PC1 the builder must still report the four matching allow targets
        /// (t1, t2, t3, t5) as successful LAPS targets, but the computed <c>EffectiveAccess</c> must collapse to
        /// <c>AccessMask.None</c> - a deny that could be overridden by a broader allow would be a privilege
        /// escalation path. t7 itself does not appear in <c>SuccessfulLapsTargets</c>.
        /// </summary>
        /// <param name="trusteeName">Principal the targets are written for.</param>
        /// <param name="requestorName">User whose access is evaluated; presumably matches or is a member of
        /// <paramref name="trusteeName"/> and of G-DL-PC1 - supplied by the test case data, not visible here.</param>
        /// <param name="targetDomain">NT4-style domain name without a trailing backslash.</param>
        public void DenyTrusteeOnGroupTarget(string trusteeName, string requestorName, string targetDomain)
        {
            ISecurityPrincipal grantee = directory.GetPrincipal(trusteeName);
            IUser caller = directory.GetUser(requestorName);

            string domainPrefix = targetDomain + "\\";

            IComputer pc1 = directory.GetComputer(domainPrefix + "PC1");
            IComputer pc2 = directory.GetComputer(domainPrefix + "PC2");
            IGroup pc1Group = directory.GetGroup(domainPrefix + "G-DL-PC1");
            IGroup pc2Group = directory.GetGroup(domainPrefix + "G-DL-PC2");

            var namingContext = directory.TranslateName(domainPrefix, Interop.DsNameFormat.Nt4Name, Interop.DsNameFormat.DistinguishedName);

            string lapsTestingOu = "OU=LAPS Testing," + namingContext;
            string computersOu = "OU=Computers," + lapsTestingOu;
            string jitGroupsOu = "OU=JIT Groups," + lapsTestingOu;

            // Allow targets on PC1's OU chain, an unrelated OU, and both computers.
            var t1 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, computersOu, grantee);
            var t2 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, lapsTestingOu, grantee);
            var t3 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, namingContext.ToString(), grantee);
            var t4 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, jitGroupsOu, grantee);
            var t5 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, pc1, grantee);
            var t6 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, pc2, grantee);

            // The only deny in the set: allowed=None, denied=LocalAdminPassword on the PC1 group.
            var t7 = CreateTarget(AccessMask.None, AccessMask.LocalAdminPassword, pc1Group, grantee);
            var t8 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, pc2Group, grantee);

            var options = SetupOptions(t1, t2, t3, t4, t5, t6, t7, t8);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

            var result = builder.GetAuthorizationInformation(caller, pc1);

            var expectedAllowTargets = new[] { t1, t2, t5, t3 };
            CollectionAssert.AreEquivalent(expectedAllowTargets, result.SuccessfulLapsTargets);

            // Deny must override the four matching allows.
            Assert.AreEqual(AccessMask.None, result.EffectiveAccess);
        }
예제 #3
        /// <summary>
        /// Data-driven check of the effective access computed for a single OU-scoped target.
        /// The target is configured with the given allow and deny masks for <paramref name="username"/>,
        /// and the access computed for <paramref name="computerName"/> must equal <paramref name="expected"/>.
        /// The allow/deny/expected triples come from the test-case data and are what actually pin the
        /// precedence rules; this method only wires them up.
        /// </summary>
        /// <param name="username">User whose access is evaluated; also the trustee on the target.</param>
        /// <param name="computerName">Computer the request is made for.</param>
        /// <param name="targetOU">Distinguished name of the OU the target is scoped to.</param>
        /// <param name="allowed">Access mask granted by the target.</param>
        /// <param name="denied">Access mask denied by the target.</param>
        /// <param name="expected">Effective access the builder is expected to compute.</param>
        public void TestAclAuthorizationOnOUTarget(string username, string computerName, string targetOU, AccessMask allowed, AccessMask denied, AccessMask expected)
        {
            IUser caller = directory.GetUser(username);
            IComputer machine = directory.GetComputer(computerName);

            var options = SetupOptionsForOUTarget(allowed, denied, targetOU, caller);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

            var result = builder.GetAuthorizationInformation(caller, machine);
            AccessMask effective = result.EffectiveAccess;

            Assert.AreEqual(expected, effective);
        }
예제 #4
        /// <summary>
        /// Verifies that a requestor obtains LocalAdminPassword access through a target written for a
        /// different principal (expected to be a group the requestor belongs to - the relationship is
        /// supplied by the test-case data, not visible here). A single computer-scoped target is configured
        /// for <paramref name="trusteeName"/>; it must be the one successful LAPS target and the effective
        /// access must be exactly <c>AccessMask.LocalAdminPassword</c>.
        /// </summary>
        /// <param name="requestorName">User whose access is evaluated.</param>
        /// <param name="trusteeName">Principal the target is written for.</param>
        /// <param name="computerName">Computer the target is scoped to and the request is made for.</param>
        public void GroupCanAccessComputer(string requestorName, string trusteeName, string computerName)
        {
            IUser caller = directory.GetUser(requestorName);
            ISecurityPrincipal grantee = directory.GetPrincipal(trusteeName);
            IComputer machine = directory.GetComputer(computerName);

            // One allow-only target scoped directly to the computer.
            var computerTarget = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, machine, grantee);

            var options = SetupOptions(computerTarget);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

            var result = builder.GetAuthorizationInformation(caller, machine);

            var expectedTargets = new[] { computerTarget };
            CollectionAssert.AreEquivalent(expectedTargets, result.SuccessfulLapsTargets);
            Assert.AreEqual(AccessMask.LocalAdminPassword, result.EffectiveAccess);
        }
예제 #5
        /// <summary>
        /// Verifies the order in which matching OU-scoped targets are returned for a computer.
        /// Three nested OUs on PC1's DN path are registered out of order; the builder must return them
        /// most-specific first (OU=Computers, then OU=LAPS Testing, then the domain root), and the unrelated
        /// JIT Groups OU must not be returned at all. Ordering matters because the first matching target is
        /// presumably what later evaluation keys off - an unstable order would make access decisions
        /// depend on configuration order rather than scope.
        /// NOTE(review): this variant hard-codes the IDMDEV1.LOCAL test domain; a later revision of this
        /// test reads the same values from a constants class instead.
        /// </summary>
        public void ValidateTargetSortOrder()
        {
            const string domainDn = "DC=IDMDEV1,DC=LOCAL";
            const string lapsTestingOu = "OU=LAPS Testing," + domainDn;
            const string computersOu = "OU=Computers," + lapsTestingOu;
            const string jitGroupsOu = "OU=JIT Groups," + lapsTestingOu;

            ISecurityPrincipal grantee = directory.GetPrincipal("IDMDEV1\\user1");
            IComputer pc1 = directory.GetComputer("IDMDEV1\\PC1");

            // Deliberately registered out of scope order: middle, root, deepest, unrelated.
            var t1 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, lapsTestingOu, grantee);
            var t2 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, domainDn, grantee);
            var t3 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, computersOu, grantee);
            var t4 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, jitGroupsOu, grantee);

            var options = SetupOptions(t1, t2, t3, t4);

            builder = new AuthorizationInformationBuilder(options, directory, logger, powershell, cache, targetDataProvider, authorizationContextProvider);

            // AreEqual (not AreEquivalent): the sequence order itself is the contract under test.
            var expectedOrder = new[] { t3, t1, t2 };
            var actualOrder = builder.GetMatchingTargetsForComputer(pc1);

            CollectionAssert.AreEqual(expectedOrder, actualOrder);
        }
예제 #6
        /// <summary>
        /// Verifies the order in which matching OU-scoped targets are returned for a computer, using the
        /// shared test constants for the dev domain. Three nested OUs on PC1's DN path are registered out
        /// of order and must come back most-specific first (Computers, then AmsTesting, then the domain
        /// root); the unrelated JIT Groups OU must be excluded.
        /// NOTE(review): the builder is constructed and stored in the fixture field but the assertion goes
        /// through <c>targetDataProvider</c> directly, so the builder plays no part in what is checked here.
        /// </summary>
        public void ValidateTargetSortOrder()
        {
            ISecurityPrincipal grantee = directory.GetPrincipal(C.DEV_User1);
            IComputer pc1 = directory.GetComputer(C.DEV_PC1);

            // Deliberately registered out of scope order: middle, root, deepest, unrelated.
            var t1 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, C.AmsTesting_DevDN, grantee);
            var t2 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, C.DevDN, grantee);
            var t3 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, C.Computers_AmsTesting_DevDN, grantee);
            var t4 = CreateTarget(AccessMask.LocalAdminPassword, AccessMask.None, C.JitGroups_AmsTesting_DevDN, grantee);

            var options = SetupOptions(t1, t2, t3, t4);

            builder = new AuthorizationInformationBuilder(options, logger, powershell, cache, targetDataProvider, authorizationContextProvider, licenseManager);

            var computerTargets = options.Value.ComputerTargets;
            var actualOrder = targetDataProvider.GetMatchingTargetsForComputer(pc1, computerTargets);

            // AreEqual (not AreEquivalent): the sequence order itself is the contract under test.
            var expectedOrder = new[] { t3, t1, t2 };
            CollectionAssert.AreEqual(expectedOrder, actualOrder);
        }