(SD string, baseDN string, conn *ldap.Conn)
| 192 | } |
| 193 | |
| 194 | func ParseSD(SD string, baseDN string, conn *ldap.Conn) (abusableAcesResult []CHECK_ABUSABLE_ACES) { |
| 195 | header := getHeader(SD) |
| 196 | ACLHeader := getACLHeader(SD) |
| 197 | DACL := getDACL(header, SD) |
| 198 | rawACES := DACL[16:] |
| 199 | aceCount, _ := strconv.Atoi(hexToDecimalString(ACLHeader.ACECount)) |
| 200 | rawACESList := make([]string, aceCount) |
| 201 | |
| 202 | for i := 0; i < aceCount; i++ { |
| 203 | rawACESList[i] = getACE(rawACES) |
| 204 | rawACES = rawACES[len(rawACESList[i]):] |
| 205 | } |
| 206 | |
| 207 | abusableAces := []CHECK_ABUSABLE_ACES{} |
| 208 | for ace, _ := range rawACESList { |
| 209 | entry := CHECK_ABUSABLE_ACES{SamAccountName: "", GENERIC_ALL: false, GENERIC_WRITE: false, WRITE_OWNER: false, WRITE_DACL: false, FORCE_CHANGE_PASSWORD: false, ADD_MEMBER: false} |
| 210 | |
| 211 | aceHeader := getACEHeader(rawACESList[ace]) |
| 212 | aceType, _ := strconv.Atoi(aceHeader.ACEType) |
| 213 | |
| 214 | var resolvedACEType string |
| 215 | for entry, _ := range aceTypeMap { |
| 216 | if entry == aceType { |
| 217 | resolvedACEType = aceTypeMap[entry] |
| 218 | } |
| 219 | |
| 220 | } |
| 221 | |
| 222 | switch resolvedACEType { |
| 223 | case "ACCESS_ALLOWED_ACE_TYPE": |
| 224 | ACE := new(ACCESS_ALLOWED_ACE) |
| 225 | ACE.parse(rawACESList[ace], baseDN, conn) |
| 226 | entry.SamAccountName = ACE.samAccountName |
| 227 | |
| 228 | permissions, err := strconv.ParseInt(ACE.mask, 16, 64) |
| 229 | if err != nil { |
| 230 | fmt.Printf("ACE Mask Conversion Error, %s\n", err) |
| 231 | } |
| 232 | |
| 233 | if permissions&int64(accessRightsMap["RIGHT_DS_CREATE_CHILD"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_DELETE_CHILD"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_LIST_CONTENTS"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY_EXTENDED"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_READ_PROPERTY"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_DELETE_TREE"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_LIST_OBJECT"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_CONTROL_ACCESS"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DELETE"]) > 0 && permissions&int64(accessRightsMap["RIGHT_READ_CONTROL"]) > 0 && permissions&int64(accessRightsMap["RIGHT_WRITE_DACL"]) > 0 && permissions&int64(accessRightsMap["RIGHT_WRITE_OWNER"]) > 0 { |
| 234 | entry.GENERIC_ALL = true |
| 235 | } |
| 236 | |
| 237 | if permissions&int64(accessRightsMap["RIGHT_WRITE_DACL"]) > 0 { |
| 238 | entry.WRITE_DACL = true |
| 239 | } |
| 240 | |
| 241 | if permissions&int64(accessRightsMap["RIGHT_WRITE_OWNER"]) > 0 { |
| 242 | entry.WRITE_OWNER = true |
| 243 | } |
| 244 | |
| 245 | if permissions&int64(accessRightsMap["RIGHT_READ_CONTROL"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY"]) > 0 && permissions&int64(accessRightsMap["RIGHT_DS_WRITE_PROPERTY_EXTENDED"]) > 0 { |
| 246 | entry.GENERIC_WRITE = true |
| 247 | } |
| 248 | |
| 249 | inArray := false |
| 250 | for index := range abusableAces { |
| 251 | if entry.SamAccountName == abusableAces[index].SamAccountName { |
nothing calls this directly
no test coverage detected