public void TestDomainJoinRolePositive()
{
    // Expected outcome: the domain-join role assertion is satisfied.
    // The user SID on its own is granted only one of the permissions (create computer),
    // but the group SID ending with "-1440" holds all of them. The assertor is built with
    // group searching switched on (second constructor argument = true), so rights that
    // reach the user through group membership count.
    // NOTE(review): no test attribute (e.g. [Fact]) is visible on this method in this
    // excerpt; confirm it is present so the test is actually discovered and run.
    var checker = new DaclAssertor(this.sdd.GetDacl(), true);

    // Convert every configured group SID into a parsed SID object.
    var memberOfSids = new List<SID>();
    foreach (var rawSid in this.groupSIDList)
    {
        memberOfSids.Add(SID.Parse(GetSidAsByteBuffer(rawSid)));
    }

    // NOTE(review): the meaning of the second argument (false) is not visible here;
    // confirm against DomainJoinRoleAssertion.
    var roleAssertion = new DomainJoinRoleAssertion(this.userSID, false, memberOfSids);

    Assert.True(checker.DoAssert(roleAssertion));
}
public void testDomainJoinRoleNegative_Denials()
{
    // Expected outcome: the domain-join role assertion is NOT satisfied.
    // In this DACL the user SID is explicitly denied one of the permissions (create computer),
    // and the denial sits on the OU the SDDL was pulled from (it is not inherited).
    // Group searching is switched on (second constructor argument = true) and the same group
    // SIDs are supplied, so this test pins down that the deny still leaves the role unsatisfied.
    // NOTE(review): no test attribute (e.g. [Fact]) is visible on this method in this
    // excerpt; confirm it is present so the test is actually discovered and run.
    var checker = new DaclAssertor(this.sddlDenials.GetDacl(), true);

    // Convert every configured group SID into a parsed SID object.
    var memberOfSids = new List<SID>();
    foreach (var rawSid in this.groupSIDList)
    {
        memberOfSids.Add(SID.Parse(GetSidAsByteBuffer(rawSid)));
    }

    // NOTE(review): the meaning of the second argument (false) is not visible here;
    // confirm against DomainJoinRoleAssertion.
    var roleAssertion = new DomainJoinRoleAssertion(this.userSID, false, memberOfSids);

    bool satisfied = checker.DoAssert(roleAssertion);
    Assert.False(satisfied);

    // Exactly one assertion should be reported as unsatisfied: the denied permission.
    var unmet = checker.GetUnsatisfiedAssertions();
    Assert.Single(unmet);
}
public void TestDomainJoinRoleNegative()
{
    // Expected outcome: the domain-join role assertion is NOT satisfied.
    // The user SID is directly granted only one of the permissions (create computer), and
    // here the assertor is told not to search groups (second constructor argument = false);
    // no group SIDs are passed either (null). Rights held only through group membership
    // must therefore not count towards the role.
    // NOTE(review): no test attribute (e.g. [Fact]) is visible on this method in this
    // excerpt; confirm it is present so the test is actually discovered and run.
    var checker = new DaclAssertor(this.sdd.GetDacl(), false);

    // NOTE(review): the meaning of the second argument (false) is not visible here;
    // confirm against DomainJoinRoleAssertion.
    var roleAssertion = new DomainJoinRoleAssertion(this.userSID, false, null);

    bool satisfied = checker.DoAssert(roleAssertion);
    Assert.False(satisfied);

    // Six assertions are expected to remain unsatisfied.
    // NOTE(review): presumably the role is made up of seven ACE assertions of which only
    // "create computer" is met; confirm the count against DomainJoinRoleAssertion.
    Assert.Equal(6, checker.GetUnsatisfiedAssertions().Count);
}