def acl_calc_mp(inqueue, outqueue, construct):
    """Worker loop that turns stored security descriptors into privilege edges.

    Reads rows from ``inqueue`` until it receives ``None``; each row must carry
    the descriptor as base64 text in ``sd`` plus ``ad_id``, ``object_type``,
    ``guid`` and ``sid`` (presumably a JackDawSD row; the type is not visible
    here).  For every ACE in the DACL a ``JackDawADDACL`` is built and, where
    the ACE grants a right that matters for AD privilege auditing, a
    ``(holder_sid, object_sid, edge_label)`` tuple is put on ``outqueue``.
    The ``None`` sentinel is echoed to ``outqueue`` before returning so the
    consumer can count finished workers.

    Args:
        inqueue: queue of descriptor rows; ``None`` stops the loop.
        outqueue: queue receiving edge tuples and the final ``None``.
        construct: object whose ``ignoresids`` collection lists SIDs whose
            ACEs and ownership are not reported.

    Returns:
        None.  Errors from decoding or parsing a descriptor propagate; there
        is no handler in this loop.
    """
    while True:
        adsd = inqueue.get()
        if adsd is None:
            # Echo the stop sentinel so the consumer can count finished workers.
            outqueue.put(None)
            return
        sd = SECURITY_DESCRIPTOR.from_bytes(base64.b64decode(adsd.sd))
        order_ctr = 0
        for ace in sd.Dacl.aces:
            acl = JackDawADDACL()
            acl.ad_id = adsd.ad_id
            acl.object_type = adsd.object_type
            acl.object_type_guid = OBJECTTYPE_GUID_MAP.get(adsd.object_type)
            acl.owner_sid = str(sd.Owner)
            acl.group_sid = str(sd.Group)
            # Position inside the DACL is kept because ACE order is significant.
            acl.ace_order = order_ctr
            order_ctr += 1
            acl.guid = str(adsd.guid)
            if adsd.sid:
                acl.sid = str(adsd.sid)
            #if sd.cn:
            #    acl.cn = sd.cn
            #if sd.distinguishedName:
            #    acl.dn = str(sd.distinguishedName)
            acl.sd_control = sd.Control
            acl.ace_type = ace.AceType.name
            acl.ace_mask = ace.Mask
            # Only object ACEs carry these GUIDs; for plain ACEs the columns stay
            # at whatever JackDawADDACL initialises them to (presumably None --
            # the `is None` checks below rely on that).
            t = getattr(ace, 'ObjectType', None)
            if t:
                acl.ace_objecttype = str(t)
            t = getattr(ace, 'InheritedObjectType', None)
            if t:
                acl.ace_inheritedobjecttype = str(t)
            # Expand the access mask and the ACE header flags into the model's
            # boolean columns (ace_mask_* and ace_hdr_flag_* used below).
            true_attr, false_attr = JackDawADDACL.mask2attr(ace.Mask)
            for attr in true_attr:
                setattr(acl, attr, True)
            for attr in false_attr:
                setattr(acl, attr, False)
            true_attr, false_attr = JackDawADDACL.hdrflag2attr(ace.AceFlags)
            for attr in true_attr:
                setattr(acl, attr, True)
            for attr in false_attr:
                setattr(acl, attr, False)
            acl.ace_sid = str(ace.Sid)

            # NOTE(review): this runs once per ACE, so the same Owner edge is
            # emitted len(sd.Dacl.aces) times per descriptor and never for an
            # empty DACL. Hoisting it above the loop would fix both, unless the
            # consumer already deduplicates edges -- confirm before changing.
            if acl.owner_sid not in construct.ignoresids:
                outqueue.put((acl.owner_sid, acl.sid, 'Owner'))
            if acl.ace_sid in construct.ignoresids:
                continue
            # Only allow-ACEs yield edges; deny, audit and alarm ACEs are skipped.
            if acl.ace_type not in [ 'ACCESS_ALLOWED_ACE_TYPE', 'ACCESS_ALLOWED_OBJECT_ACE_TYPE' ]:
                continue
            if acl.ace_type == 'ACCESS_ALLOWED_ACE_TYPE':
                # Plain ACE: no object-type GUID, so the mask applies to the whole object.
                if acl.ace_mask_generic_all == True:
                    outqueue.put((acl.ace_sid, acl.sid, 'GenericALL'))
                if acl.ace_mask_generic_write == True:
                    outqueue.put((acl.ace_sid, acl.sid, 'GenericWrite'))
                if acl.ace_mask_write_owner == True:
                    outqueue.put((acl.ace_sid, acl.sid, 'WriteOwner'))
                if acl.ace_mask_write_dacl == True:
                    outqueue.put((acl.ace_sid, acl.sid, 'WriteDacl'))
                # NOTE(review): this label ('ExtendedRightALL', for user/domain)
                # differs from the object-ACE branch below ('ExtendedAll', for
                # user/group); confirm the consumer expects both spellings.
                if acl.object_type in [ 'user', 'domain' ] and acl.ace_mask_control_access == True:
                    outqueue.put((acl.ace_sid, acl.sid, 'ExtendedRightALL'))
            if acl.ace_type == 'ACCESS_ALLOWED_OBJECT_ACE_TYPE':
                # An inherited, inherit-only ACE does not apply to this object itself.
                if acl.ace_hdr_flag_inherited == True and acl.ace_hdr_flag_inherit_only == True:
                    continue
                # An inherited ACE scoped to another object class does not apply here.
                if acl.ace_hdr_flag_inherited == True and acl.ace_inheritedobjecttype is not None:
                    if not ace_applies(acl.ace_inheritedobjecttype, acl.object_type):
                        continue
                if any([ acl.ace_mask_generic_all, acl.ace_mask_write_dacl, acl.ace_mask_write_owner, acl.ace_mask_generic_write ]):
                    # A broad right scoped to a different object class is not an edge.
                    if acl.ace_objecttype is not None and not ace_applies( acl.ace_objecttype, acl.object_type):
                        continue
                    if acl.ace_mask_generic_all == True:
                        outqueue.put((acl.ace_sid, acl.sid, 'GenericALL'))
                        continue
                    if acl.ace_mask_generic_write == True:
                        outqueue.put((acl.ace_sid, acl.sid, 'GenericWrite'))
                        # NOTE(review): nesting reconstructed from a flattened
                        # source; read as "only the domain object also reports
                        # WriteDacl/WriteOwner next to GenericWrite" -- verify.
                        if acl.object_type != 'domain':
                            continue
                    if acl.ace_mask_write_dacl == True:
                        outqueue.put((acl.ace_sid, acl.sid, 'WriteDacl'))
                    if acl.ace_mask_write_owner == True:
                        outqueue.put((acl.ace_sid, acl.sid, 'WriteOwner'))
                if acl.ace_mask_write_prop == True:
                    # WriteProperty without an object GUID covers every attribute.
                    if acl.object_type in ['user', 'group' ] and acl.ace_objecttype is None:
                        outqueue.put((acl.ace_sid, acl.sid, 'GenericWrite'))
                    # bf9679c0-... is the schema GUID of the 'member' attribute.
                    if acl.object_type == 'group' and acl.ace_objecttype == 'bf9679c0-0de6-11d0-a285-00aa003049e2':
                        outqueue.put((acl.ace_sid, acl.sid, 'AddMember'))
                if acl.ace_mask_control_access == True:
                    # ControlAccess without an object GUID grants every extended right.
                    if acl.object_type in ['user', 'group' ] and acl.ace_objecttype is None:
                        outqueue.put((acl.ace_sid, acl.sid, 'ExtendedAll'))
                    if acl.object_type == 'domain' and acl.ace_objecttype == '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2': # 'Replicating Directory Changes All'
                        outqueue.put((acl.ace_sid, acl.sid, 'GetChangesALL'))
                    if acl.object_type == 'domain' and acl.ace_objecttype == '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2': # 'Replicating Directory Changes'
                        outqueue.put((acl.ace_sid, acl.sid, 'GetChanges'))
                    # 00299570-... is the 'User-Force-Change-Password' extended
                    # right (the source comment wrongly repeated 'Replicating
                    # Directory Changes', which is the 1131f6aa GUID above).
                    if acl.object_type == 'user' and acl.ace_objecttype == '00299570-246d-11d0-a768-00aa006e0529':
                        outqueue.put((acl.ace_sid, acl.sid, 'User-Force-Change-Password'))
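def store_sd(session, ad_id, obj_type, objectGUID, objectSid, sd):
    """Store every DACL ACE of one security descriptor as JackDawADDACL rows.

    Args:
        session: database session providing ``add`` and ``commit``.
        ad_id: identifier of the domain scan the object belongs to.
        obj_type: object-class label ('user', 'group', ...); also used to look
            up the class GUID in OBJECTTYPE_GUID_MAP (None when unmapped).
        objectGUID: GUID of the object; stored via ``str()``.
        objectSid: SID of the object; stored as given.
        sd: parsed security descriptor exposing ``Owner``, ``Group``,
            ``Control`` and ``Dacl.aces``.

    Returns:
        None.

    All rows of a descriptor are built first and committed together, so the
    DACL lands in the database atomically instead of one commit per ACE, and
    a failure while building leaves nothing pending in the session.  The
    original's no-op ``obj_type = obj_type`` is dropped.
    """
    rows = []
    for order_ctr, ace in enumerate(sd.Dacl.aces):
        acl = JackDawADDACL()
        acl.ad_id = ad_id
        acl.object_type = obj_type
        acl.object_type_guid = OBJECTTYPE_GUID_MAP.get(obj_type)
        acl.owner_sid = str(sd.Owner)
        acl.group_sid = str(sd.Group)
        # Position inside the DACL is kept because ACE order is significant.
        acl.ace_order = order_ctr
        acl.guid = str(objectGUID)
        acl.sd_control = sd.Control
        acl.sid = objectSid
        acl.ace_type = ace.AceType.name
        acl.ace_mask = ace.Mask
        # Only object ACEs carry these GUIDs; plain ACEs leave the columns unset.
        object_guid = getattr(ace, 'ObjectType', None)
        if object_guid:
            acl.ace_objecttype = str(object_guid)
        inherited_guid = getattr(ace, 'InheritedObjectType', None)
        if inherited_guid:
            acl.ace_inheritedobjecttype = str(inherited_guid)
        # Expand the access mask and the header flags into boolean columns.
        for true_attr, false_attr in (
            JackDawADDACL.mask2attr(ace.Mask),
            JackDawADDACL.hdrflag2attr(ace.AceFlags),
        ):
            for attr in true_attr:
                setattr(acl, attr, True)
            for attr in false_attr:
                setattr(acl, attr, False)
        acl.ace_sid = str(ace.Sid)
        rows.append(acl)
    for acl in rows:
        session.add(acl)
    session.commit()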
def ace_to_dbo(self, obj, sd):
    """Yield one JackDawADDACL per DACL ACE of the directory object *obj*.

    Args:
        obj: the directory object; its class (JackDawADUser, JackDawADMachine,
            JackDawADGroup or JackDawADOU) decides the stored object_type
            label.
        sd: LDAP entry exposing ``nTSecurityDescriptor``, ``objectGUID`` and
            optionally ``objectSid``, ``cn`` and ``distinguishedName``.

    Yields:
        JackDawADDACL rows in DACL order.  ``ad_id`` is not set here.

    Raises:
        Exception: when *obj* is none of the known object classes.
    """
    type_labels = (
        (JackDawADUser, 'user'),
        (JackDawADMachine, 'machine'),
        (JackDawADGroup, 'group'),
        (JackDawADOU, 'ou'),
    )
    for cls, label in type_labels:
        if isinstance(obj, cls):
            obj_type = label
            break
    else:
        raise Exception('Unknown object type %s' % type(obj))

    descriptor = sd.nTSecurityDescriptor
    owner = str(descriptor.Owner)
    group = str(descriptor.Group)
    object_guid = str(sd.objectGUID)
    class_guid = OBJECTTYPE_GUID_MAP.get(obj_type)

    for position, ace in enumerate(descriptor.Dacl.aces):
        acl = JackDawADDACL()
        acl.object_type = obj_type
        acl.object_type_guid = class_guid
        acl.owner_sid = owner
        acl.group_sid = group
        # Position inside the DACL is kept because ACE order is significant.
        acl.ace_order = position
        acl.guid = object_guid
        if sd.objectSid:
            acl.sid = str(sd.objectSid)
        if sd.cn:
            acl.cn = sd.cn
        if sd.distinguishedName:
            acl.dn = str(sd.distinguishedName)
        acl.sd_control = descriptor.Control
        acl.ace_type = ace.Header.AceType.name
        acl.ace_mask = ace.Mask
        # Only object ACEs carry these GUIDs; plain ACEs leave the columns unset.
        ace_object_guid = getattr(ace, 'ObjectType', None)
        if ace_object_guid:
            acl.ace_objecttype = str(ace_object_guid)
        inherited_guid = getattr(ace, 'InheritedObjectType', None)
        if inherited_guid:
            acl.ace_inheritedobjecttype = str(inherited_guid)
        # Expand the access mask and the header flags into boolean columns.
        for true_attr, false_attr in (
            JackDawADDACL.mask2attr(ace.Mask),
            JackDawADDACL.hdrflag2attr(ace.Header.AceFlags),
        ):
            for attr in true_attr:
                setattr(acl, attr, True)
            for attr in false_attr:
                setattr(acl, attr, False)
        acl.ace_sid = str(ace.Sid)
        yield acl
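def store_sd(self, data):
    """Store every DACL ACE of one LDAP entry as JackDawADDACL rows.

    Args:
        data: dict with ``'sd'`` (an entry exposing ``nTSecurityDescriptor``,
            ``objectGUID`` and optionally ``objectSid``, ``cn`` and
            ``distinguishedName``) and ``'obj_type'`` (object-class label used
            for the object_type column and the OBJECTTYPE_GUID_MAP lookup).

    Returns:
        None.  Rows are written through ``self.session`` and tagged with
        ``self.ad_id``.

    All rows of a descriptor are built first and committed together, so the
    DACL lands in the database atomically instead of one commit per ACE, and
    a failure while building leaves nothing pending in the session.
    """
    sd = data['sd']
    obj_type = data['obj_type']
    descriptor = sd.nTSecurityDescriptor
    rows = []
    for order_ctr, ace in enumerate(descriptor.Dacl.aces):
        acl = JackDawADDACL()
        acl.ad_id = self.ad_id
        acl.object_type = obj_type
        acl.object_type_guid = OBJECTTYPE_GUID_MAP.get(obj_type)
        acl.owner_sid = str(descriptor.Owner)
        acl.group_sid = str(descriptor.Group)
        # Position inside the DACL is kept because ACE order is significant.
        acl.ace_order = order_ctr
        acl.guid = str(sd.objectGUID)
        if sd.objectSid:
            acl.sid = str(sd.objectSid)
        if sd.cn:
            acl.cn = sd.cn
        if sd.distinguishedName:
            acl.dn = str(sd.distinguishedName)
        acl.sd_control = descriptor.Control
        acl.ace_type = ace.AceType.name
        acl.ace_mask = ace.Mask
        # Only object ACEs carry these GUIDs; plain ACEs leave the columns unset.
        object_guid = getattr(ace, 'ObjectType', None)
        if object_guid:
            acl.ace_objecttype = str(object_guid)
        inherited_guid = getattr(ace, 'InheritedObjectType', None)
        if inherited_guid:
            acl.ace_inheritedobjecttype = str(inherited_guid)
        # Expand the access mask and the header flags into boolean columns.
        for true_attr, false_attr in (
            JackDawADDACL.mask2attr(ace.Mask),
            JackDawADDACL.hdrflag2attr(ace.AceFlags),
        ):
            for attr in true_attr:
                setattr(acl, attr, True)
            for attr in false_attr:
                setattr(acl, attr, False)
        acl.ace_sid = str(ace.Sid)
        rows.append(acl)
    for acl in rows:
        self.session.add(acl)
    self.session.commit()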
def acl_calc_gen(session, adid, inqueue, procno):
    """Producer side of the ACL calculation: expand stored descriptors into the work queue.

    Walks every JackDawSD row of domain *adid* in windows of 1000 (with a tqdm
    progress bar sized by a COUNT query), decodes the base64 descriptor,
    builds one JackDawADDACL per DACL ACE and puts it on *inqueue*.  Finally
    *procno* ``None`` sentinels are enqueued, one per worker process.

    Args:
        session: database session used for the count and the windowed query.
        adid: ad_id of the domain whose descriptors are processed.
        inqueue: queue consumed by the worker processes.
        procno: number of workers, i.e. number of stop sentinels to send.

    Returns:
        None.

    NOTE(review): acl_calc_mp on this page reads ``adsd.sd`` from the rows it
    dequeues (i.e. expects the raw descriptor rows), while this producer
    enqueues already-expanded JackDawADDACL rows; if the two are meant to be
    paired, confirm which payload the consumer expects.
    """
    total = session.query(func.count(JackDawSD.id)).filter_by(ad_id=adid).scalar()
    sd_rows = session.query(JackDawSD).filter_by(ad_id=adid)
    progress = tqdm(windowed_query(sd_rows, JackDawSD.id, 1000), total=total)
    for adsd in progress:
        sd = SECURITY_DESCRIPTOR.from_bytes(base64.b64decode(adsd.sd))
        owner = str(sd.Owner)
        group = str(sd.Group)
        class_guid = OBJECTTYPE_GUID_MAP.get(adsd.object_type)
        for position, ace in enumerate(sd.Dacl.aces):
            acl = JackDawADDACL()
            acl.ad_id = adsd.ad_id
            acl.object_type = adsd.object_type
            acl.object_type_guid = class_guid
            acl.owner_sid = owner
            acl.group_sid = group
            # Position inside the DACL is kept because ACE order is significant.
            acl.ace_order = position
            acl.guid = str(adsd.guid)
            if adsd.sid:
                acl.sid = str(adsd.sid)
            acl.sd_control = sd.Control
            acl.ace_type = ace.AceType.name
            acl.ace_mask = ace.Mask
            # Only object ACEs carry these GUIDs; plain ACEs leave the columns unset.
            object_guid = getattr(ace, 'ObjectType', None)
            if object_guid:
                acl.ace_objecttype = str(object_guid)
            inherited_guid = getattr(ace, 'InheritedObjectType', None)
            if inherited_guid:
                acl.ace_inheritedobjecttype = str(inherited_guid)
            # Expand the access mask and the header flags into boolean columns.
            for true_attr, false_attr in (
                JackDawADDACL.mask2attr(ace.Mask),
                JackDawADDACL.hdrflag2attr(ace.AceFlags),
            ):
                for attr in true_attr:
                    setattr(acl, attr, True)
                for attr in false_attr:
                    setattr(acl, attr, False)
            acl.ace_sid = str(ace.Sid)
            inqueue.put(acl)
    # One stop sentinel per worker so every process terminates.
    for _ in range(procno):
        inqueue.put(None)