/// <summary>
/// Runs a MaximumAllowed AuthZ access check for a directory-service object, returning one
/// result per node of the supplied object-type tree.
/// </summary>
/// <param name="context">AuthZ client context the check is evaluated against.</param>
/// <param name="sd">Security descriptor of the object being checked; its NtType is passed along.</param>
/// <param name="object_sid">SID forwarded to the context's AccessCheck (presumably the principal-self SID — confirm against AuthZContext.AccessCheck).</param>
/// <param name="tree">Object-type tree describing the object and its property sets/properties; may be null.</param>
/// <returns>The results of the context's AccessCheck, concatenated in sub-tree order when the tree had to be split.</returns>
/// <remarks>
/// When the context is remote and the tree holds more than kMaxRemoteObjectTypes entries, the tree is split
/// into sub-trees of at most that size and each is checked separately (presumably because the remote
/// AuthZ transport caps the number of object types per call — TODO confirm). Note that the granted-access
/// value for a sub-tree's root then reflects only that sub-tree.
/// </remarks>
private AuthZAccessCheckResult[] AccessCheck(AuthZContext context, SecurityDescriptor sd, Sid object_sid, ObjectTypeTree tree)
{
    // A null tree compares as "not greater", so only a real, oversized tree on a remote context is split.
    bool needs_split = context.Remote && tree?.Count > kMaxRemoteObjectTypes;
    if (!needs_split)
    {
        return context.AccessCheck(sd, null, DirectoryServiceAccessRights.MaximumAllowed,
            object_sid, tree?.ToArray(), sd.NtType);
    }

    // Check each sub-tree on its own and flatten the per-sub-tree results, preserving split order.
    var sub_trees = tree.Split(kMaxRemoteObjectTypes);
    var per_sub_tree = sub_trees.Select(sub_tree => AccessCheck(context, sd, object_sid, sub_tree));
    return per_sub_tree.SelectMany(results => results).ToArray();
}
/// <summary>
/// Evaluates a firewall filter's identity condition (a security-descriptor valued condition)
/// against an AuthZ context.
/// </summary>
/// <param name="filter">Filter whose condition is inspected.</param>
/// <param name="condition_guid">Key of the condition to evaluate on the filter.</param>
/// <param name="context">AuthZ context representing the identity being tested.</param>
/// <returns>
/// true when the filter has no such condition (no identity restriction applies); otherwise whether the
/// context's Match access check against the condition's security descriptor satisfies the match type
/// (Equal: check succeeded; NotEqual: check failed).
/// </returns>
/// <remarks>
/// Only Equal and NotEqual match types are supported. Any other match type, or a condition whose value is
/// not a SecurityDescriptor, yields false — i.e. the filter is treated as NOT matching rather than
/// matching, which is the conservative choice for an "is this filter applicable to me" query. A descriptor
/// missing an owner and/or group is cloned and the missing fields are set to LocalSystem so the AuthZ
/// check can run; the condition's own descriptor object is left untouched.
/// </remarks>
private bool CheckUserId(FirewallFilter filter, Guid condition_guid, AuthZContext context)
{
    // No condition of this kind means the filter does not restrict on identity.
    if (!filter.HasCondition(condition_guid))
    {
        return true;
    }

    FirewallFilterCondition condition = filter.GetCondition(condition_guid);
    if (!(condition.Value.Value is SecurityDescriptor condition_sd))
    {
        return false;
    }

    // Decide up front whether the access-check verdict is to be inverted.
    bool negate;
    switch (condition.MatchType)
    {
        case FirewallMatchType.Equal:
            negate = false;
            break;
        case FirewallMatchType.NotEqual:
            negate = true;
            break;
        default:
            return false;
    }

    // AuthZ needs an owner and group; fill in LocalSystem on a clone so the filter's condition is not mutated.
    SecurityDescriptor check_sd = condition_sd;
    bool missing_owner = check_sd.Owner == null;
    bool missing_group = check_sd.Group == null;
    if (missing_owner || missing_group)
    {
        check_sd = check_sd.Clone();
        if (missing_owner)
        {
            check_sd.Owner = new SecurityDescriptorSid(KnownSids.LocalSystem, true);
        }
        if (missing_group)
        {
            check_sd.Group = new SecurityDescriptorSid(KnownSids.LocalSystem, true);
        }
    }

    var verdict = context.AccessCheck(check_sd, null, FirewallFilterAccessRights.Match,
        null, null, FirewallUtils.FirewallFilterType).First();
    bool matched = verdict.IsSuccess;
    return negate ? !matched : matched;
}
/// <summary>
/// Runs a single MaximumAllowed AuthZ access check for a directory-service object and returns the
/// granted access from the first result.
/// </summary>
/// <param name="context">AuthZ client context the check is evaluated against.</param>
/// <param name="sd">Security descriptor of the object being checked; its NtType is passed along.</param>
/// <param name="object_sid">SID forwarded to the context's AccessCheck (presumably the principal-self SID — confirm).</param>
/// <param name="tree">Optional directory-service object tree; converted to an object-type tree when non-null.</param>
/// <returns>GrantedAccess of the first result (presumably the tree's root entry — confirm against AuthZContext.AccessCheck).</returns>
/// <remarks>
/// NOTE(review): unlike the ObjectTypeTree overload of AccessCheck in this class, this path never splits an
/// oversized tree for a remote context; presumably callers only pass small trees here — confirm.
/// </remarks>
private AccessMask AccessCheckSingle(AuthZContext context, SecurityDescriptor sd, Sid object_sid, IDirectoryServiceObjectTree tree)
{
    var object_types = tree?.ToObjectTypeTree()?.ToArray();
    var results = context.AccessCheck(sd, null, DirectoryServiceAccessRights.MaximumAllowed,
        object_sid, object_types, sd.NtType);
    return results.First().GrantedAccess;
}