MCPcopy Index your code
hub / github.com/Synzack/ldapper / ParseSD

Function ParseSD

SecurityDescriptor/SecurityDescriptorFuncs.go:194–293  ·  view source on GitHub ↗
(SD string, baseDN string, conn *ldap.Conn)

Source from the content-addressed store, hash-verified

192}
193
194func ParseSD(SD string, baseDN string, conn *ldap.Conn) (abusableAcesResult []CHECK_ABUSABLE_ACES) {
195 header := getHeader(SD)
196 ACLHeader := getACLHeader(SD)
197 DACL := getDACL(header, SD)
198 rawACES := DACL[16:]
199 aceCount, _ := strconv.Atoi(hexToDecimalString(ACLHeader.ACECount))
200 rawACESList := make([]string, aceCount)
201
202 for i := 0; i < aceCount; i++ {
203 rawACESList[i] = getACE(rawACES)
204 rawACES = rawACES[len(rawACESList[i]):]
205 }
206
207 abusableAces := []CHECK_ABUSABLE_ACES{}
208 for ace, _ := range rawACESList {
209 entry := CHECK_ABUSABLE_ACES{SamAccountName: "", GENERIC_ALL: false, GENERIC_WRITE: false, WRITE_OWNER: false, WRITE_DACL: false, FORCE_CHANGE_PASSWORD: false, ADD_MEMBER: false}
210
211 aceHeader := getACEHeader(rawACESList[ace])
212 aceType, _ := strconv.Atoi(aceHeader.ACEType)
213
214 var resolvedACEType string
215 for entry, _ := range aceTypeMap {
216 if entry == aceType {
217 resolvedACEType = aceTypeMap[entry]
218 }
219
220 }
221
222 switch resolvedACEType {
223 case "ACCESS_ALLOWED_ACE_TYPE":
224 ACE := new(ACCESS_ALLOWED_ACE)
225 ACE.parse(rawACESList[ace], baseDN, conn)
226 entry.SamAccountName = ACE.samAccountName
227
228 permissions, err := strconv.ParseInt(ACE.mask, 16, 64)
229 if err != nil {
230 fmt.Printf("ACE Mask Conversion Error, %s\n", err)
231 }
232
233 if permissions&int64(accessRightsMap["RIGHT_DS_CREATE_CHILD"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_DELETE_CHILD"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_LIST_CONTENTS"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY_EXTENDED"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_READ_PROPERTY"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_DELETE_TREE"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_LIST_OBJECT"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_CONTROL_ACCESS"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DELETE"]) > 0 && permissions&int64(accessRightsMap["RIGHT_READ_CONTROL"]) > 0 && permissions&int64(accessRightsMap["RIGHT_WRITE_DACL"]) > 0 && permissions&int64(accessRightsMap["RIGHT_WRITE_OWNER"]) > 0 {
234 entry.GENERIC_ALL = true
235 }
236
237 if permissions&int64(accessRightsMap["RIGHT_WRITE_DACL"]) > 0 {
238 entry.WRITE_DACL = true
239 }
240
241 if permissions&int64(accessRightsMap["RIGHT_WRITE_OWNER"]) > 0 {
242 entry.WRITE_OWNER = true
243 }
244
245 if permissions&int64(accessRightsMap["RIGHT_READ_CONTROL"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY_EXTENDED"]) > 0 {
246 entry.GENERIC_WRITE = true
247 }
248
249 inArray := false
250 for index := range abusableAces {
251 if entry.SamAccountName == abusableAces[index].SamAccountName {

Callers

nothing calls this directly

Calls 7

getHeaderFunction · 0.85
getACLHeaderFunction · 0.85
getDACLFunction · 0.85
hexToDecimalStringFunction · 0.85
getACEFunction · 0.85
getACEHeaderFunction · 0.85
parseMethod · 0.45

Tested by

no test coverage detected