DSInternals/Src/DSInternals.Replication/DirectoryReplicationClient.cs

228 lines
9.0 KiB
C#
Raw Normal View History

2015-12-26 22:44:43 +00:00
namespace DSInternals.Replication
{
using DSInternals.Common.Data;
using DSInternals.Replication.Model;
using DSInternals.Replication.Interop;
using NDceRpc;
using NDceRpc.Microsoft.Interop;
using NDceRpc.Native;
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;
using DSInternals.Common.Interop;
using DSInternals.Common.Cryptography;
2016-02-21 09:05:09 +00:00
using DSInternals.Common;
2015-12-26 22:44:43 +00:00
public class DirectoryReplicationClient : IDisposable
{
/// <summary>
/// Service principal name (SPN) of the destination server.
/// </summary>
private const string ServicePrincipalNameFormat = "ldap/{0}";
private const string DrsNamedPipeName = @"\pipe\lsass";
2015-12-26 22:44:43 +00:00
/// <summary>
/// This magic guid is needed to fetch the whole tree from a Win 2000 Server DC with DsGetNCChanges() as Administrator.
/// </summary>
static readonly Guid DcPromoGuid2k = new Guid("6abec3d1-3054-41c8-a362-5a0c5b7d5d71");
/// <summary>
/// This magic guid is needed to fetch the whole tree from a Win 2003+ Server DC with DsGetNCChanges() as Administrator.
/// </summary>
static readonly Guid DcPromoGuid2k3 = new Guid("6afab99c-6e26-464a-975f-f58f105218bc");
private NativeClient rpcConnection;
private DrsConnection drsConnection;
private NamedPipeConnection npConnection;
public DirectoryReplicationClient(string server, RpcProtocol protocol, NetworkCredential credential = null)
{
Validator.AssertNotNullOrWhiteSpace(server, "server");
2015-12-26 22:44:43 +00:00
this.CreateRpcConnection(server, protocol, credential);
this.drsConnection = new DrsConnection(this.rpcConnection.Binding, DcPromoGuid2k3);
}
public ReplicationCursor[] GetReplicationCursors(string namingContext)
{
Validator.AssertNotNullOrWhiteSpace(namingContext, "namingContext");
return this.drsConnection.GetReplicationCursors(namingContext);
}
public IEnumerable<DSAccount> GetAccounts(string domainNamingContext, ReplicationProgressHandler progressReporter = null)
2015-12-26 22:44:43 +00:00
{
2016-02-21 09:05:09 +00:00
Validator.AssertNotNullOrWhiteSpace(domainNamingContext, "domainNamingContext");
2015-12-26 22:44:43 +00:00
ReplicationCookie cookie = new ReplicationCookie(domainNamingContext);
return GetAccounts(cookie, progressReporter);
2016-02-21 09:05:09 +00:00
}
public IEnumerable<DSAccount> GetAccounts(ReplicationCookie initialCookie, ReplicationProgressHandler progressReporter = null)
2016-02-21 09:05:09 +00:00
{
Validator.AssertNotNull(initialCookie, "initialCookie");
// Create AD schema
2015-12-26 22:44:43 +00:00
var schema = BasicSchemaFactory.CreateSchema();
var currentCookie = initialCookie;
2016-02-21 09:05:09 +00:00
ReplicationResult result;
int processedObjectCount = 0;
2015-12-26 22:44:43 +00:00
do
{
// Perform one replication cycle
result = this.drsConnection.ReplicateAllObjects(currentCookie);
// Report replication progress
if(progressReporter != null)
{
processedObjectCount += result.Objects.Count;
progressReporter(result.Cookie, processedObjectCount, result.TotalObjectCount);
}
// Process the returned objects
2015-12-26 22:44:43 +00:00
foreach (var obj in result.Objects)
{
obj.Schema = schema;
2016-02-21 09:05:09 +00:00
if (!obj.IsAccount)
2015-12-26 22:44:43 +00:00
{
continue;
}
var account = new DSAccount(obj, this.SecretDecryptor);
yield return account;
}
// Update the position of the replication cursor
currentCookie = result.Cookie;
2015-12-26 22:44:43 +00:00
} while (result.HasMoreData);
}
public DSAccount GetAccount(Guid objectGuid)
{
var obj = this.drsConnection.ReplicateSingleObject(objectGuid);
var schema = BasicSchemaFactory.CreateSchema();
obj.Schema = schema;
return new DSAccount(obj, this.SecretDecryptor);
}
public IEnumerable<DPAPIBackupKey> GetDPAPIBackupKeys(string domainNamingContext)
{
// TODO: Move schema from constructor to property?
2015-12-26 22:44:43 +00:00
// TODO: Split this function into RSA and Legacy Part so that exception in one of them does not crash the whole process
var schema = BasicSchemaFactory.CreateSchema();
2016-02-02 23:40:40 +00:00
// Fetch the legacy pointer first, because there is a higher chance that it is present than the RSA one.
2015-12-26 22:44:43 +00:00
string legacyPointerDN = DPAPIBackupKey.GetPreferredLegacyKeyPointerDN(domainNamingContext);
var legacyPointer = this.GetLSASecret(legacyPointerDN, schema);
yield return legacyPointer;
string legacyKeyDN = DPAPIBackupKey.GetKeyDN(legacyPointer.KeyId, domainNamingContext);
var legacyKey = this.GetLSASecret(legacyKeyDN, schema);
yield return legacyKey;
2016-02-02 23:40:40 +00:00
string rsaPointerDN = DPAPIBackupKey.GetPreferredRSAKeyPointerDN(domainNamingContext);
var rsaPointer = this.GetLSASecret(rsaPointerDN, schema);
yield return rsaPointer;
string rsaKeyDN = DPAPIBackupKey.GetKeyDN(rsaPointer.KeyId, domainNamingContext);
var rsaKey = this.GetLSASecret(rsaKeyDN, schema);
yield return rsaKey;
2015-12-26 22:44:43 +00:00
}
private DPAPIBackupKey GetLSASecret(string distinguishedName, BasicSchema schema)
{
var secretObj = this.drsConnection.ReplicateSingleObject(distinguishedName);
secretObj.Schema = schema;
return new DPAPIBackupKey(secretObj, this.SecretDecryptor);
}
public DSAccount GetAccount(string distinguishedName)
{
var obj = this.drsConnection.ReplicateSingleObject(distinguishedName);
// TODO: Extract?
var schema = BasicSchemaFactory.CreateSchema();
obj.Schema = schema;
return new DSAccount(obj, this.SecretDecryptor);
}
public DSAccount GetAccount(NTAccount accountName)
{
Guid objectGuid = this.drsConnection.ResolveGuid(accountName);
return this.GetAccount(objectGuid);
}
public DSAccount GetAccount(SecurityIdentifier sid)
{
Guid objectGuid = this.drsConnection.ResolveGuid(sid);
return this.GetAccount(objectGuid);
}
2016-06-21 07:27:40 +00:00
public DSAccount GetAccountByUPN(string userPrincipalName)
{
// TODO: Redesign the GetAccount overloads, for GetAccountByUPN to follow the same convention.
Guid objectGuid = this.drsConnection.ResolveGuid(userPrincipalName);
return this.GetAccount(objectGuid);
}
2015-12-26 22:44:43 +00:00
private DirectorySecretDecryptor SecretDecryptor
{
get
{
return new ReplicationSecretDecryptor(this.drsConnection.SessionKey);
}
}
private void CreateRpcConnection(string server, RpcProtocol protocol, NetworkCredential credential = null)
{
EndpointBindingInfo binding;
switch(protocol)
{
case RpcProtocol.TCP:
binding = new EndpointBindingInfo(RpcProtseq.ncacn_ip_tcp, server, null);
break;
case RpcProtocol.SMB:
binding = new EndpointBindingInfo(RpcProtseq.ncacn_np, server, DrsNamedPipeName);
if(credential != null)
{
// Connect named pipe
this.npConnection = new NamedPipeConnection(server, credential);
}
break;
default:
// TODO: Custom exception type
// TODO: Extract as string
throw new Exception("Unsupported RPC protocol");
}
this.rpcConnection = new NativeClient(binding);
NetworkCredential rpcCredential = credential ?? Client.Self;
string spn = String.Format(ServicePrincipalNameFormat, server);
this.rpcConnection.AuthenticateAs(spn, rpcCredential, RPC_C_AUTHN_LEVEL.RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN.RPC_C_AUTHN_GSS_NEGOTIATE);
2015-12-26 22:44:43 +00:00
}
public void Dispose()
{
this.Dispose(true);
GC.SuppressFinalize(this);
}
protected virtual void Dispose(bool disposing)
{
if (!disposing)
{
return;
}
if (this.drsConnection != null)
{
this.drsConnection.Dispose();
this.drsConnection = null;
}
if (this.rpcConnection != null)
{
this.rpcConnection.Dispose();
this.rpcConnection = null;
}
if(this.npConnection != null)
{
this.npConnection.Dispose();
this.npConnection = null;
}
}
}
}