public void TestDomainJoinRolePositive()
{
// This should test positively because while the userSID is only granted one of the permissions (create computer),
// the group SID ending with "-1440" has all of them, and the assertor will search groups.
Acl dacl = this.sdd.GetDacl();
DaclAssertor assertor = new DaclAssertor(dacl, true);
List <SID> groupSiDs = this.groupSIDList.Select(s => SID.Parse(GetSidAsByteBuffer(s))).ToList();
DomainJoinRoleAssertion djAssertion = new DomainJoinRoleAssertion(this.userSID, false, groupSiDs);
bool result = assertor.DoAssert(djAssertion);
Assert.True(result);
}
public void testDomainJoinRoleNegative_Denials()
{
// This should test negatively because the userSID is denied one of the permissions (create computer),
// within the OU the Sddl was pulled from (not inherited).
Acl dacl = this.sddlDenials.GetDacl();
DaclAssertor assertor = new DaclAssertor(dacl, true);
List <SID> groupSiDs = this.groupSIDList.Select(s => SID.Parse(GetSidAsByteBuffer(s))).ToList();
DomainJoinRoleAssertion djAssertion = new DomainJoinRoleAssertion(this.userSID, false, groupSiDs);
bool result = assertor.DoAssert(djAssertion);
Assert.False(result);
// should be 1 of them
Assert.Single(assertor.GetUnsatisfiedAssertions());
}
public void TestDomainJoinRoleNegative()
{
// This should test negatively because the userSID is only granted one of the permissions (create computer)
// and this test tells the assertor to NOT search groups.
Acl dacl = this.sdd.GetDacl();
DaclAssertor assertor = new DaclAssertor(dacl, false);
DomainJoinRoleAssertion djAssertion = new DomainJoinRoleAssertion(this.userSID, false, null);
bool result = assertor.DoAssert(djAssertion);
Assert.False(result);
// should be 6 of them
List <AceAssertion> unsatisfiedAssertions = assertor.GetUnsatisfiedAssertions();
Assert.Equal(6, unsatisfiedAssertions.Count);
}
