Exemplo n.º 1
0
        private bool IsMatch(string trustee, string requestor, string domainName, AccessControlType aceType = AccessControlType.Allow)
        {
            var user = directory.GetUser(requestor);
            var p    = directory.GetPrincipal(trustee);

            DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);

            dacl.AddAccess(aceType, p.Sid, (int)AccessMask.Jit, InheritanceFlags.None, PropagationFlags.None);
            CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl);

            string serverName;

            if (domainName == null)
            {
                serverName = discoveryServices.GetDomainController(discoveryServices.GetDomainNameDns(p.Sid));
            }
            else
            {
                serverName = discoveryServices.GetDomainController(domainName);
            }

            using AuthorizationContext c = new AuthorizationContext(user.Sid, serverName);

            return(c.AccessCheck(sd, (int)AccessMask.Jit));
        }
Exemplo n.º 2
0
        private bool CheckForSidInToken(SecurityIdentifier principalSid, SecurityIdentifier sidToCheck, SecurityIdentifier requestContext = null)
        {
            if (principalSid == null)
            {
                throw new ArgumentNullException(nameof(principalSid));
            }

            if (sidToCheck == null)
            {
                throw new ArgumentNullException(nameof(sidToCheck));
            }

            if (principalSid == sidToCheck)
            {
                return(true);
            }

            if (requestContext == null || requestContext.IsEqualDomainSid(CurrentDomainSid))
            {
                using (AuthorizationContext context = new AuthorizationContext(principalSid))
                {
                    return(context.ContainsSid(sidToCheck));
                }
            }
            else
            {
                string dnsDomain = discoveryServices.GetDomainNameDns(requestContext.AccountDomainSid);

                return(this.discoveryServices.Find2012DcAndExecuteWithRetry(dnsDomain, dc =>
                {
                    using (AuthorizationContext context = new AuthorizationContext(principalSid, dc))
                    {
                        return context.ContainsSid(sidToCheck);
                    }
                }));
            }
        }