chore: add some comments and rename a variable for clarity
rvazarkar committed Oct 18, 2022
1 parent 865b477 commit 5ed5450
Showing 2 changed files with 33 additions and 11 deletions.
36 changes: 29 additions & 7 deletions src/CommonLib/Processors/LocalGroupProcessor.cs
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,10 @@ public LocalGroupProcessor(ILDAPUtils utils, ILogger log = null)

public event ComputerStatusDelegate ComputerStatusEvent;

public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, string computerDomainSid,
public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, string computerObjectId,
string computerDomain)
{
//Open a handle to the server
var openServerResult = SAMServer.OpenServer(computerName);
if (openServerResult.IsFailed)
{
Expand All @@ -49,23 +50,25 @@ public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, stri

var server = openServerResult.Value;
var typeCache = new ConcurrentDictionary<string, CachedLocalItem>();
var computerSid = new SecurityIdentifier(computerDomainSid);
var computerSid = new SecurityIdentifier(computerObjectId);

if (!Cache.GetMachineSid(computerDomainSid, out var machineSid))
//Try to get the machine sid for the computer if its not already cached
if (!Cache.GetMachineSid(computerObjectId, out var machineSid))
{
var getMachineSidResult = server.GetMachineSid();
if (getMachineSidResult.IsFailed)
{
_log.LogWarning("MachineSid for computer {ComputerName} is unknown", computerName);
machineSid = "UNKNOWN";
}
else
{
machineSid = getMachineSidResult.Value.Value;
Cache.AddMachineSid(computerDomainSid, machineSid);
Cache.AddMachineSid(computerObjectId, machineSid);
}
}


//Get all available domains in the server
var getDomainsResult = server.GetDomains();
if (getDomainsResult.IsFailed)
{
Expand All @@ -78,10 +81,16 @@ public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, stri
yield break;
}

//Check if the server is a domain controller by comparing the computer's domain sid against its machine sid
var isDc = server.IsDomainController(computerSid);

//Loop over each domain result and process its member groups
foreach (var domainResult in getDomainsResult.Value)
{
//Skip non-builtin domains on domain controllers
if (isDc && !domainResult.Name.Equals("builtin", StringComparison.OrdinalIgnoreCase))
continue;
//Open a handle to the domain
var openDomainResult = server.OpenDomain(domainResult.Name);
if (openDomainResult.IsFailed)
{
Expand All @@ -96,6 +105,7 @@ public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, stri

var domain = openDomainResult.Value;

//Open a handle to the available aliases
var getAliasesResult = domain.GetAliases();

if (getAliasesResult.IsFailed)
Expand All @@ -111,6 +121,7 @@ public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, stri

foreach (var alias in getAliasesResult.Value)
{
//Try and resolve the group name using several different criteria
var resolvedName = ResolveGroupName(alias.Name, computerName, machineSid, computerDomain, alias.Rid,
isDc,
domainResult.Name.Equals("builtin", StringComparison.OrdinalIgnoreCase));
Expand All @@ -119,6 +130,8 @@ public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, stri
Name = resolvedName.PrincipalName,
ObjectIdentifier = resolvedName.ObjectId
};

//Open a handle to the alias
var openAliasResult = domain.OpenAlias(alias.Rid);
if (openAliasResult.IsFailed)
{
Expand All @@ -138,6 +151,7 @@ public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, stri
var names = new List<NamedPrincipal>();

var localGroup = openAliasResult.Value;
//Call GetMembersInAlias to get raw group members
var getMembersResult = localGroup.GetMembers();
if (getMembersResult.IsFailed)
{
Expand All @@ -162,22 +176,27 @@ public IEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, stri

foreach (var securityIdentifier in getMembersResult.Value)
{
//Check if the sid is one of our filtered ones
if (IsSidFiltered(securityIdentifier))
continue;

var sidValue = securityIdentifier.Value;

if (server.IsDomainController(computerSid))
if (isDc)
{
//If the server is a domain controller and we have a well known group, use the domain value
if (_utils.GetWellKnownPrincipal(sidValue, computerDomain, out var wellKnown))
results.Add(wellKnown);
//Call ResolveIDAndType for non-well known principals
else
results.Add(_utils.ResolveIDAndType(sidValue, computerDomain));
}
else
{
//Use the non-utils call to ensure we dont cache this well known principal for later output
if (WellKnownPrincipal.GetWellKnownPrincipal(sidValue, out var wellKnown))
{
//If we dont know our machine sid, we cant do much else
if (machineSid == "UNKNOWN")
continue;
wellKnown.ObjectIdentifier = $"{machineSid}-{securityIdentifier.Rid()}";
Expand Down Expand Up @@ -263,6 +282,7 @@ private NamedPrincipal ResolveGroupName(string baseName, string computerName, st
{
if (isBuiltIn)
{
//If this is the builtin group on the DC, the groups correspond to the domain well known groups
_utils.GetWellKnownPrincipal($"S-1-5-32-{groupRid}".ToUpper(), domainName, out var principal);
return new NamedPrincipal
{
Expand All @@ -271,13 +291,15 @@ private NamedPrincipal ResolveGroupName(string baseName, string computerName, st
};
}

//We shouldn't hit this provided our isDC logic is correct since we're skipping non-builtin groups
return new NamedPrincipal
{
ObjectId = $"{machineSid}-{groupRid}".ToUpper(),
PrincipalName = "IGNOREME"
};
}

//Take the local machineSid, append the groupRid, and make a name from the group name + computername
return new NamedPrincipal
{
ObjectId = $"{machineSid}-{groupRid}",
Expand Down
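Review bot: The `if (machineSid == "UNKNOWN") continue;` guard in the member loop only protects members; the group record built just before it (`ObjectIdentifier = resolvedName.ObjectId`) still comes from `ResolveGroupName`, whose non-DC path returns `$"{machineSid}-{groupRid}"`, so when `server.GetMachineSid()` fails and the sentinel `"UNKNOWN"` is assigned the local group is emitted with an identifier like `UNKNOWN-544`. Every host whose machine SID cannot be read would then share that identifier for its Administrators group, so unrelated computers' local groups could be collapsed into one node downstream unless something later filters the `UNKNOWN-` prefix, which I cannot see from this diff. Since the DC path maps builtin groups to domain well-known principals and the new `continue` skips the other SAM domains on a DC, the machine SID only matters off a DC, so I would bail out right after the `var isDc = ...` line: `if (!isDc && machineSid == "UNKNOWN") { _log.LogWarning("Skipping local groups for {ComputerName}: machine SID unknown", computerName); yield break; }`. GetLocalGroups starts above the first hunk and is cut by the collapsed regions, so there may be handling in the hidden parts that I am not seeing.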
8 changes: 4 additions & 4 deletions src/CommonLib/Processors/UserRightsAssignmentProcessor.cs
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,9 @@ public UserRightsAssignmentProcessor(ILDAPUtils utils, ILogger log = null)
public event ComputerStatusDelegate ComputerStatusEvent;

public IEnumerable<UserRightsAssignmentAPIResult> GetUserRightsAssignments(string computerName,
string computerDomainSid, string computerDomain, string[] desiredPrivileges = null)
string computerObjectId, string computerDomain, string[] desiredPrivileges = null)
{
var computerSid = new SecurityIdentifier(computerDomainSid);
var computerSid = new SecurityIdentifier(computerObjectId);
var policyOpenResult = LSAPolicy.OpenPolicy(computerName);
if (policyOpenResult.IsFailed)
{
Expand Down Expand Up @@ -83,7 +83,7 @@ public IEnumerable<UserRightsAssignmentAPIResult> GetUserRightsAssignments(strin
Task = "LSAEnumerateAccountsWithUserRight"
});

if (!Cache.GetMachineSid(computerDomainSid, out var machineSid))
if (!Cache.GetMachineSid(computerObjectId, out var machineSid))
{
var getMachineSidResult = server.GetLocalDomainInformation();
if (getMachineSidResult.IsFailed)
Expand All @@ -93,7 +93,7 @@ public IEnumerable<UserRightsAssignmentAPIResult> GetUserRightsAssignments(strin
else
{
machineSid = getMachineSidResult.Value.Sid;
Cache.AddMachineSid(computerDomainSid, machineSid);
Cache.AddMachineSid(computerObjectId, machineSid);
}
}

Expand Down
