/// <summary>
/// Run a MaximumAllowed access check against a directory service object, splitting the
/// object type tree into bounded chunks when the context is remote.
/// </summary>
/// <param name="context">The AuthZ context to check against.</param>
/// <param name="sd">The security descriptor of the object being checked.</param>
/// <param name="object_sid">The object SID passed through to the access check.</param>
/// <param name="tree">The object type tree, or null when no object types apply.</param>
/// <returns>The access check results; when the tree is split, the results of every chunk concatenated in order.</returns>
private AuthZAccessCheckResult[] AccessCheck(AuthZContext context, SecurityDescriptor sd, Sid object_sid, ObjectTypeTree tree)
{
    // A remote context is only given up to kMaxRemoteObjectTypes object types per call
    // (presumably a limit of the remote interface); a larger tree is split and each
    // chunk checked recursively.
    bool needs_split = context.Remote && tree?.Count > kMaxRemoteObjectTypes;
    if (!needs_split)
    {
        return context.AccessCheck(sd, null, DirectoryServiceAccessRights.MaximumAllowed,
            object_sid, tree?.ToArray(), sd.NtType);
    }

    var results = new List<AuthZAccessCheckResult>();
    foreach (ObjectTypeTree chunk in tree.Split(kMaxRemoteObjectTypes))
    {
        results.AddRange(AccessCheck(context, sd, object_sid, chunk));
    }
    return results.ToArray();
}
/// <summary>
/// Build token information from an AuthZ context.
/// </summary>
/// <param name="context">The context whose user SID and groups are recorded.</param>
internal TokenInformation(AuthZContext context)
{
    // Fields with no counterpart in an AuthZ context are given fixed values.
    TokenType = TokenType.Impersonation;
    ImpersonationLevel = SecurityImpersonationLevel.Impersonation;
    IntegrityLevel = TokenIntegrityLevel.Medium;
    SourceData = new Dictionary<string, object>();

    // The user and groups come straight from the context; the groups are copied so the
    // read-only list is independent of the context's own collection.
    User = context.User.Sid;
    Groups = context.Groups.ToList().AsReadOnly();
}
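/// <summary>
/// Constructor. Initializes the per-invocation state and the defaults for the public parameters.
/// </summary>
public GetAccessibleDsObject()
{
    _context = new DisposableList<AuthZContext>();
    _token_info = new List<TokenInformation>();
    // Paths are compared case-insensitively when deciding whether one was already visited.
    _checked_paths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    // Empty arrays mean "no filter"; Array.Empty avoids allocating a fresh zero-length array (CA1825).
    ObjectClass = Array.Empty<string>();
    Exclude = Array.Empty<string>();
    Include = Array.Empty<string>();
    Context = Array.Empty<AuthZContext>();
    // Unbounded recursion depth unless the caller restricts it.
    Depth = int.MaxValue;
}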
/// <summary>
/// Check whether a firewall filter's user ID condition is satisfied by an AuthZ context.
/// </summary>
/// <param name="filter">The firewall filter to inspect.</param>
/// <param name="condition_guid">The GUID identifying the user ID condition.</param>
/// <param name="context">The AuthZ context representing the caller being evaluated.</param>
/// <returns>
/// True if the filter has no such condition or the condition matches the context;
/// false when the condition is missing a security descriptor value, uses an unsupported match type,
/// or does not match.
/// </returns>
private bool CheckUserId(FirewallFilter filter, Guid condition_guid, AuthZContext context)
{
    // A filter without this condition places no restriction on the user.
    if (!filter.HasCondition(condition_guid))
    {
        return true;
    }

    FirewallFilterCondition condition = filter.GetCondition(condition_guid);

    // Only a security descriptor value with an Equal/NotEqual match type is understood;
    // anything else is treated as a non-match rather than an error.
    if (!(condition.Value.Value is SecurityDescriptor sd))
    {
        return false;
    }
    bool is_equal_match = condition.MatchType == FirewallMatchType.Equal;
    bool is_not_equal_match = condition.MatchType == FirewallMatchType.NotEqual;
    if (!is_equal_match && !is_not_equal_match)
    {
        return false;
    }

    // A missing owner or group is filled in with LocalSystem on a copy, leaving the
    // filter's own descriptor untouched (NOTE: presumably because the access check
    // requires both to be present — confirm against AccessCheck).
    if (sd.Owner is null || sd.Group is null)
    {
        sd = sd.Clone();
        if (sd.Owner is null)
        {
            sd.Owner = new SecurityDescriptorSid(KnownSids.LocalSystem, true);
        }
        if (sd.Group is null)
        {
            sd.Group = new SecurityDescriptorSid(KnownSids.LocalSystem, true);
        }
    }

    // The condition "matches" when the context is granted the Match right on the descriptor.
    var match_result = context.AccessCheck(sd, null, FirewallFilterAccessRights.Match,
        null, null, FirewallUtils.FirewallFilterType).First();
    bool matched = match_result.IsSuccess;

    // A NotEqual condition is satisfied precisely when the descriptor does not grant Match.
    if (is_equal_match)
    {
        return matched;
    }
    return !matched;
}
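/// <summary>
/// Add a set of user groups to an AuthZ context.
/// </summary>
/// <param name="context">The context to modify.</param>
/// <param name="type">The kind of group SIDs being added.</param>
/// <param name="groups">The groups to add; they are filtered by FilterGroup and mapped by MapGroupAttributes first.</param>
private static void AddGroups(AuthZContext context, AuthZGroupSidType type, IEnumerable<UserGroup> groups)
{
    // Materialize once. The previous deferred query was enumerated twice (once for the groups,
    // once to build the operations list), which re-ran the filter/map and would have produced
    // mismatched sequences for a source that can only be enumerated once.
    List<UserGroup> filtered = groups.Where(FilterGroup).Select(MapGroupAttributes).ToList();
    // ModifyGroups takes one operation per group; every group here is an Add.
    context.ModifyGroups(type, filtered, Enumerable.Repeat(AuthZSidOperation.Add, filtered.Count));
}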
/// <summary>
/// Run a single MaximumAllowed access check against a directory service object and
/// return the access it grants.
/// </summary>
/// <param name="context">The AuthZ context to check against.</param>
/// <param name="sd">The security descriptor of the object being checked.</param>
/// <param name="object_sid">The object SID passed through to the access check.</param>
/// <param name="tree">The directory service object tree, or null when no object types apply.</param>
/// <returns>The granted access mask from the first access check result.</returns>
private AccessMask AccessCheckSingle(AuthZContext context, SecurityDescriptor sd, Sid object_sid, IDirectoryServiceObjectTree tree)
{
    // Either the tree or its converted form may be null; in both cases no object types are passed.
    var object_types = tree?.ToObjectTypeTree()?.ToArray();
    var results = context.AccessCheck(sd, null, DirectoryServiceAccessRights.MaximumAllowed,
        object_sid, object_types, sd.NtType);
    return results.First().GrantedAccess;
}