/// <summary> /// Evaluates whether the DACL fulfills the given AdRoleAssertion and returns the list of unsatisfied AceAssertions /// (if any). /// If the assertor was constructed with {@code searchGroups = true} and the roleAssertion specifies a user, /// then /// all group SIDs contained in the roleAssertion will be tested for potential matches in the DACL if any /// rights are /// not directly granted to the user. Also, the 'Everyone' AD group will also be scanned. /// Denied rights are now detected and included in the resulting list. /// @param roleAssertion /// the AdRoleAssertion to test /// @return List of unsatisfied AceAssertions (if any). Empty if none. /// </summary> private List <AceAssertion> FindUnsatisfiedAssertions(AdRoleAssertion roleAssertion) { var acesBySIDMap = new Dictionary <string, List <Ace> >(); for (var i = 0; i < this.dacl.GetAceCount(); i++) { Ace ace = this.dacl.GetAce(i); if (ace.GetSid() != null) { if (!acesBySIDMap.ContainsKey(ace.GetSid().ToString())) { acesBySIDMap.Add(ace.GetSid().ToString(), new List <Ace>()); } acesBySIDMap[ace.GetSid().ToString()].Add(ace); } } // Find any roleAssertion ACEs not matched in the DACL. // Not using Java 8 or other libs for this to keep dependencies of ADSDDL as is. // ------------------------------ var unsatisfiedAssertions = new List <AceAssertion>(roleAssertion.GetAssertions()); var deniedAssertions = new List <AceAssertion>(); SID principal = roleAssertion.GetPrincipal(); if (acesBySIDMap.ContainsKey(principal.ToString())) { this.FindUnmatchedAssertions(acesBySIDMap[principal.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions()); } // There may be denials on groups even if we resolved all assertions - search groups if specified if (this.searchGroups) { if (roleAssertion.IsGroup()) { this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions()); this.MergeDenials(unsatisfiedAssertions, deniedAssertions); return(unsatisfiedAssertions); } List <SID> tokenGroupSiDs = roleAssertion.GetTokenGroups(); if (tokenGroupSiDs == null) { this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions()); this.MergeDenials(unsatisfiedAssertions, deniedAssertions); return(unsatisfiedAssertions); } foreach (SID grpSID in tokenGroupSiDs.Where(grpSID => acesBySIDMap.ContainsKey(grpSID.ToString()))) { this.FindUnmatchedAssertions(acesBySIDMap[grpSID.ToString()], unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions()); } this.DoEveryoneGroupScan(acesBySIDMap, unsatisfiedAssertions, deniedAssertions, roleAssertion.GetAssertions()); } this.MergeDenials(unsatisfiedAssertions, deniedAssertions); return(unsatisfiedAssertions); }
/// <summary> /// Compares the object DACL located by the searchFilter against the specified AdRoleAssertion, and /// determines whether /// that assertion's principal is granted all the rights which the assertion contains. /// When comparing ACEs of the DACL, only those of AceType.ACCESS_ALLOWED_ACE_TYPE or /// AceType.ACCESS_ALLOWED_OBJECT_ACE_TYPE will be considered for satisfying an AceAssertion of /// the roleAssertion. /// Once completed, any unsatisfied assertions can be obtained by calling getUnsatisfiedAssertions}. /// Denied rights are now detected and included in the result, if they are determined to override /// satisfied rights. /// @param roleAssertion /// the AdRoleAssertion /// @return true if the DACL fulfills the claims of the roleAssertion, false otherwise. /// @throws CommunicationException /// if the context for searching the DACL is invalid or the domain cannot be reached /// @throws NameNotFoundException /// if the DACL search fails /// @throws NamingException /// if extracting the DACL fails or another JNDI issue occurs /// @throws SizeLimitExceededException /// if more than one AD object found during DACL search /// </summary> public bool DoAssert(AdRoleAssertion roleAssertion) { if (roleAssertion.GetPrincipal() == null) { return(false); } if (this.dacl == null) { if (this.ldapContext == null) { return(false); } this.GetDacl(); } this.unsatisfiedAssertions = this.FindUnsatisfiedAssertions(roleAssertion); return(this.unsatisfiedAssertions.Count == 0); }