/// <summary>
/// Build the predicate applied to each <see cref="FirewallFilter"/> during enumeration,
/// driven by the user-ID conditions of this template.
/// </summary>
/// <param name="list">Disposable list that takes ownership of the resource manager and every AuthZ context created here.</param>
/// <returns>A predicate that accepts every filter when there are no user-ID conditions, otherwise one that defers to <c>FilterFunc</c> with the prepared contexts.</returns>
Func<FirewallFilter, bool> IFirewallEnumTemplate<FirewallFilter>.GetFilterFunc(DisposableList list)
{
    var user_id_conditions = Conditions.Where(c => FirewallConditionGuids.IsUserId(c.FieldKey));
    if (!user_id_conditions.Any())
    {
        // Nothing to evaluate against a user: every filter passes.
        return _ => true;
    }

    var resource_manager = list.AddResource(AuthZResourceManager.Create());
    var contexts_by_field = new Dictionary<Guid, AuthZContext>();
    foreach (var condition in user_id_conditions)
    {
        // First condition seen for a given field key wins; later duplicates are ignored.
        if (contexts_by_field.ContainsKey(condition.FieldKey))
        {
            continue;
        }
        if (!(condition.Value.ContextValue is FirewallTokenInformation token))
        {
            continue;
        }
        if (token.UserSid == null)
        {
            // No user SID to build a context from; the condition is skipped rather than treated as a failure.
            // NOTE(review): how FilterFunc treats a field key that is absent from the map is defined outside this block.
            continue;
        }
        contexts_by_field[condition.FieldKey] = token.CreateContext(resource_manager, list);
    }

    return f => FilterFunc(contexts_by_field, f);
}
/// <summary>
/// Process record: create a local AuthZ resource manager with the configured name and flags
/// and write it to the pipeline.
/// </summary>
protected override void ProcessRecord()
{
    // A callback-ACE handler is only registered when the caller supplied a script block;
    // it is invoked with the ACE as its single argument.
    AuthZHandleCallbackAce callback = CallbackAceScriptBlock == null
        ? null
        : (AuthZHandleCallbackAce)(a => PSUtils.InvokeWithArg(CallbackAceScriptBlock, false, a));
    WriteObject(AuthZResourceManager.Create(Name, Flags, callback));
}
/// <summary>
/// Create an AuthZ client context for this token information and register it with
/// <paramref name="list"/> for disposal.
/// </summary>
/// <param name="resource_manager">Resource manager used to create the context.</param>
/// <param name="list">Disposable list that takes ownership of the returned context.</param>
/// <returns>The populated context.</returns>
internal AuthZContext CreateContext(AuthZResourceManager resource_manager, DisposableList list)
{
    // Token groups are skipped at creation; group membership is then supplied explicitly from
    // Sids / RestrictedSids below (presumably so the context reflects this object's lists rather than a live token).
    var context = list.AddResource(
        resource_manager.CreateContext(UserSid, AuthZContextInitializeSidFlags.SkipTokenGroups));

    AddGroups(context, AuthZGroupSidType.Normal, Sids);

    bool has_restricted_sids = RestrictedSids.Count > 0;
    if (has_restricted_sids)
    {
        AddGroups(context, AuthZGroupSidType.Restricted, RestrictedSids);
    }

    bool is_app_container = AppContainerSid != null;
    if (is_app_container)
    {
        context.SetAppContainer(AppContainerSid, Capabilities);
    }

    return context;
}
/// <summary>
/// Process record: create either a local AuthZ resource manager (parameter set "LocalRM")
/// or a remote one, and write it to the pipeline.
/// </summary>
protected override void ProcessRecord()
{
    if (ParameterSetName != "LocalRM")
    {
        // Remote resource manager: the callback-ACE script block is not applied on this path.
        WriteObject(AuthZResourceManager.Create(Server, ServerSpn, ServiceType));
        return;
    }

    WriteObject(AuthZResourceManager.Create(Name, Flags, CreateCallback()));

    // Wrap the script block only when one was supplied; otherwise no callback-ACE handler is registered.
    AuthZHandleCallbackAce CreateCallback()
    {
        if (CallbackAceScriptBlock == null)
        {
            return null;
        }
        return a => PSUtils.InvokeWithArg(CallbackAceScriptBlock, false, a);
    }
}
/// <summary>
/// Build the AuthZ resource manager and one client context per requested user (by SID, by
/// account name, from explicitly supplied contexts, or the current user when none is given),
/// then snapshot token information for every context into <c>_token_info</c>.
/// </summary>
private void BuildAuthZContext()
{
    _resource_manager = CreateResourceManager();

    // Requested users are de-duplicated by Sid equality before any context is created.
    var user_sids = new HashSet<Sid>();
    if (UserSid != null)
    {
        user_sids.UnionWith(UserSid);
    }
    if (UserName != null)
    {
        user_sids.UnionWith(UserName.Select(name => NtSecurity.LookupAccountName(name)));
    }
    if (user_sids.Count == 0)
    {
        // No user specified: the check runs as the caller's own user.
        user_sids.Add(NtToken.CurrentUser.Sid);
    }

    if (_resource_manager.Remote || UseLocalGroup)
    {
        // Group membership is left to the resource manager (remote RM, or local groups requested).
        _context.AddRange(user_sids.Select(s => _resource_manager.CreateContext(s, AuthZContextInitializeSidFlags.None)));
    }
    else
    {
        foreach (var sid in user_sids)
        {
            AddContextForSid(sid);
        }
    }

    // Explicitly supplied contexts are re-created under our resource manager from their user SID
    // and group list; a user already covered above is not added twice.
    foreach (var context in Context)
    {
        if (!user_sids.Add(context.User.Sid))
        {
            continue;
        }
        var cloned_context = _context.AddResource(
            _resource_manager.CreateContext(context.User.Sid, AuthZContextInitializeSidFlags.SkipTokenGroups));
        foreach (var group in context.Groups)
        {
            cloned_context.AddSid(group.Sid);
        }
    }

    _token_info = _context.Select(c => new TokenInformation(c)).ToList();

    // Local RM when no server is given (audit and central access policies disabled), remote RM otherwise.
    AuthZResourceManager CreateResourceManager()
    {
        if (string.IsNullOrWhiteSpace(Server))
        {
            return AuthZResourceManager.Create(GetType().Name,
                AuthZResourceManagerInitializeFlags.NoAudit | AuthZResourceManagerInitializeFlags.NoCentralAccessPolicies,
                null);
        }
        return AuthZResourceManager.Create(Server, null, AuthZResourceManagerRemoteServiceType.Default);
    }

    // Non-domain and local-domain SIDs get a plain context; other domain SIDs get their group
    // SIDs resolved via GetUserDomainSids (looked up through _cached_user_groups, presumably a shared cache keyed by (Domain, sid)).
    void AddContextForSid(Sid sid)
    {
        if (!NtSecurity.IsDomainSid(sid) || NtSecurity.IsLocalDomainSid(sid))
        {
            _context.AddResource(_resource_manager.CreateContext(sid, AuthZContextInitializeSidFlags.None));
            return;
        }
        WriteProgress($"Building security context for {sid.Name}");
        var domain_context = _context.AddResource(
            _resource_manager.CreateContext(sid, AuthZContextInitializeSidFlags.SkipTokenGroups));
        domain_context.AddSids(_cached_user_groups.GetOrAdd(Tuple.Create(Domain, sid), _ => GetUserDomainSids(Domain, sid)));
    }
}