2015-12-26 22:44:43 +00:00
|
|
|
|
namespace DSInternals.DataStore
|
|
|
|
|
{
|
2016-01-14 11:06:11 +00:00
|
|
|
|
using DSInternals.Common;
|
2016-02-28 14:21:22 +00:00
|
|
|
|
using DSInternals.Common.Exceptions;
|
|
|
|
|
using Microsoft.Database.Isam;
|
2015-12-26 22:44:43 +00:00
|
|
|
|
using System;
|
2016-02-28 14:21:22 +00:00
|
|
|
|
using System.Collections.Generic;
|
2015-12-26 22:44:43 +00:00
|
|
|
|
using System.Security.AccessControl;
|
2016-01-14 11:06:11 +00:00
|
|
|
|
using System.Security.Cryptography;
|
2015-12-26 22:44:43 +00:00
|
|
|
|
|
|
|
|
|
public class SecurityDescriptorRersolver : IDisposable
|
|
|
|
|
{
|
2016-02-28 14:21:22 +00:00
|
|
|
|
private const string SdIdCol = "sd_id";
|
2015-12-26 22:44:43 +00:00
|
|
|
|
private const string SdValueCol = "sd_value";
|
2016-01-14 11:06:11 +00:00
|
|
|
|
private const string SdHashCol = "sd_hash";
|
2016-02-28 14:21:22 +00:00
|
|
|
|
private const string SdRefCountCol = "sd_refcount";
|
2015-12-26 22:44:43 +00:00
|
|
|
|
private const string SdIndex = "sd_id_index";
|
2016-02-28 14:21:22 +00:00
|
|
|
|
private const string SdHashIndex = "sd_hash_index";
|
|
|
|
|
private const int RootSecurityDescriptorOffset = sizeof(int);
|
2015-12-26 22:44:43 +00:00
|
|
|
|
|
|
|
|
|
private Cursor cursor;
|
|
|
|
|
|
|
|
|
|
public SecurityDescriptorRersolver(IsamDatabase database)
|
|
|
|
|
{
|
|
|
|
|
this.cursor = database.OpenCursor(ADConstants.SecurityDescriptorTableName);
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-28 14:21:22 +00:00
|
|
|
|
public RawSecurityDescriptor GetDescriptor(long id)
|
2015-12-26 22:44:43 +00:00
|
|
|
|
{
|
2016-02-28 14:21:22 +00:00
|
|
|
|
this.cursor.CurrentIndex = SdIndex;
|
2015-12-26 22:44:43 +00:00
|
|
|
|
bool found = this.cursor.GotoKey(Key.Compose(id));
|
|
|
|
|
if (!found)
|
|
|
|
|
{
|
2016-02-28 14:21:22 +00:00
|
|
|
|
throw new DirectoryObjectNotFoundException(id);
|
|
|
|
|
}
|
|
|
|
|
var binaryForm = this.cursor.RetrieveColumnAsByteArray(SdValueCol);
|
|
|
|
|
// Strip the root SD prefix, which is 0x0F000000
|
|
|
|
|
int sdOffset = (id == ADConstants.RootSecurityDescriptorId) ? RootSecurityDescriptorOffset : 0;
|
|
|
|
|
return new RawSecurityDescriptor(binaryForm, sdOffset);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public IEnumerable<long> FindDescriptor(GenericSecurityDescriptor securityDescriptor)
|
|
|
|
|
{
|
|
|
|
|
byte[] sdHash = ComputeHash(securityDescriptor);
|
|
|
|
|
return this.FindDescriptorHash(sdHash);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public IEnumerable<long> FindDescriptor(string securityDescriptor)
|
|
|
|
|
{
|
|
|
|
|
byte[] sdHash = ComputeHash(securityDescriptor);
|
|
|
|
|
return this.FindDescriptorHash(sdHash);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public IEnumerable<long> FindDescriptorHash(byte[] sdHash)
|
|
|
|
|
{
|
|
|
|
|
Validator.AssertNotNull(sdHash, "sdHash");
|
|
|
|
|
this.cursor.CurrentIndex = SdHashIndex;
|
|
|
|
|
this.cursor.FindRecords(MatchCriteria.EqualTo, Key.Compose(sdHash));
|
|
|
|
|
while(cursor.MoveNext())
|
|
|
|
|
{
|
|
|
|
|
long id = this.cursor.RetrieveColumnAsLong(SdIdCol).Value;
|
|
|
|
|
yield return id;
|
2015-12-26 22:44:43 +00:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void Dispose()
|
|
|
|
|
{
|
|
|
|
|
this.Dispose(true);
|
|
|
|
|
GC.SuppressFinalize(this);
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-28 14:21:22 +00:00
|
|
|
|
public static byte[] ComputeHash(GenericSecurityDescriptor securityDescriptor)
|
2016-01-14 11:06:11 +00:00
|
|
|
|
{
|
2016-02-28 14:21:22 +00:00
|
|
|
|
Validator.AssertNotNull(securityDescriptor, "securityDescriptor");
|
|
|
|
|
|
|
|
|
|
// Convert to binary form. We have to use double conversion, because .NET returns the SD in different order than Win32 API used by AD.
|
|
|
|
|
string stringSecurityDescriptor = securityDescriptor.GetSddlForm(AccessControlSections.All);
|
|
|
|
|
return ComputeHash(stringSecurityDescriptor);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static byte[] ComputeHash(string securityDescriptor)
|
|
|
|
|
{
|
|
|
|
|
Validator.AssertNotNullOrWhiteSpace(securityDescriptor, "securityDescriptor");
|
|
|
|
|
|
|
|
|
|
return ComputeHash(securityDescriptor.SddlToBinary());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static byte[] ComputeHash(byte[] securityDescriptor)
|
|
|
|
|
{
|
|
|
|
|
Validator.AssertNotNull(securityDescriptor, "securityDescriptor");
|
|
|
|
|
|
|
|
|
|
using (var hashFunction = MD5.Create())
|
2016-01-14 11:06:11 +00:00
|
|
|
|
{
|
2016-02-28 14:21:22 +00:00
|
|
|
|
// TODO: Cache the hash function for performance reasons
|
|
|
|
|
return hashFunction.ComputeHash(securityDescriptor);
|
2016-01-14 11:06:11 +00:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-26 22:44:43 +00:00
|
|
|
|
protected virtual void Dispose(bool disposing)
|
|
|
|
|
{
|
|
|
|
|
if (disposing && this.cursor != null)
|
|
|
|
|
{
|
|
|
|
|
this.cursor.Dispose();
|
|
|
|
|
this.cursor = null;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|