From a745c581c9c8258f0c46cec98cdc198b996111f0 Mon Sep 17 00:00:00 2001 From: Chris Jacobsen Date: Thu, 8 Aug 2024 18:58:35 -0400 Subject: [PATCH 1/2] Fix for possible privilege escalation in Blazam --- BLAZAM/BLAZAM.csproj | 2 +- BLAZAM/Pages/Recycle Bin/RecycleBin.razor | 2 +- BLAZAM/Pages/Search.razor | 6 ++--- BLAZAM/Pages/View.razor | 6 ++--- .../ActiveDirectoryContext.cs | 11 +++++----- BLAZAMActiveDirectory/Adapters/ADGroup.cs | 4 ++-- .../Adapters/DirectoryEntryAdapter.cs | 2 +- BLAZAMActiveDirectory/GlobalSuppressions.cs | 14 ++---------- .../Helpers/ActiveDirectoryHelpers.cs | 13 +++++------ .../Searchers/ADBitLockerSearcher.cs | 12 ++-------- .../Searchers/ADComputerSearcher.cs | 4 ++-- .../Searchers/ADGroupSearcher.cs | 12 +++++----- .../Searchers/ADOUSearcher.cs | 4 ++-- .../Searchers/ADPrinterSearcher.cs | 8 +++---- BLAZAMActiveDirectory/Searchers/ADSearch.cs | 22 ++++++++++++++++--- BLAZAMActiveDirectory/Searchers/ADSearcher.cs | 2 +- .../Searchers/ADUserSearcher.cs | 12 +++++----- .../Widgets/ChangedEntriesWidget.razor | 2 +- .../Widgets/DeletedEntriesWidget.razor | 2 +- BLAZAMGui/UI/DirectorySearchPage.razor | 4 ++-- BLAZAMGui/UI/Inputs/ADAutoComplete.razor | 2 +- BLAZAMGui/UI/Search/SearchPageHeader.razor | 4 ++-- BLAZAMServices/LoginPermissionApplicator.cs | 14 +++--------- 23 files changed, 76 insertions(+), 88 deletions(-) diff --git a/BLAZAM/BLAZAM.csproj b/BLAZAM/BLAZAM.csproj index 96b35f29..ad70ff6e 100644 --- a/BLAZAM/BLAZAM.csproj +++ b/BLAZAM/BLAZAM.csproj @@ -6,7 +6,7 @@ enable false 1.0.0 - 2024.08.07.2325 + 2024.08.08.2253 false BLAZAM False diff --git a/BLAZAM/Pages/Recycle Bin/RecycleBin.razor b/BLAZAM/Pages/Recycle Bin/RecycleBin.razor index c095ce93..6dddc0a1 100644 --- a/BLAZAM/Pages/Recycle Bin/RecycleBin.razor +++ b/BLAZAM/Pages/Recycle Bin/RecycleBin.razor 
@@ -73,7 +73,7 @@ { - var search = new ADSearch() { SearchRoot = Directory.GetDeleteObjectsEntry() }; + var search = new ADSearch(Directory) { SearchRoot = Directory.GetDeleteObjectsEntry() }; search.SearchDeleted = true; deletedObjects = await search.SearchAsync(); LoadingData = false; diff --git a/BLAZAM/Pages/Search.razor b/BLAZAM/Pages/Search.razor index 3e9cfd6b..2826247f 100644 --- a/BLAZAM/Pages/Search.razor +++ b/BLAZAM/Pages/Search.razor @@ -110,7 +110,7 @@ } - public ADSearch Searcher { get; set; } = new ADSearch(); + public ADSearch Searcher { get; set; } [CascadingParameter] @@ -130,7 +130,7 @@ protected override async Task OnInitializedAsync() { await base.OnInitializedAsync(); - Searcher = new ADSearch(); + Searcher = new ADSearch(Directory); SearchService.SearchTerm = SearchTermParameter; Searcher.GeneralSearchTerm = SearchTermParameter; @@ -212,7 +212,7 @@ protected async Task InvokeSearch() { if (Searcher == null) - Searcher = new ADSearch(); + Searcher = new ADSearch(Directory); else Searcher.Cancel(); SearchService.SearchTerm = SearchTermParameter; diff --git a/BLAZAM/Pages/View.razor b/BLAZAM/Pages/View.razor index 8b255b32..869d92b5 100644 --- a/BLAZAM/Pages/View.razor +++ b/BLAZAM/Pages/View.razor @@ -110,7 +110,7 @@ } - public ADSearch Searcher { get; set; } = new ADSearch(); + public ADSearch Searcher { get; set; } [CascadingParameter] @@ -130,7 +130,7 @@ protected override async Task OnInitializedAsync() { await base.OnInitializedAsync(); - Searcher = new ADSearch(); + Searcher = new ADSearch(Directory); SearchService.SearchTerm = SearchTermParameter; Searcher.GeneralSearchTerm = SearchTermParameter; @@ -196,7 +196,7 @@ protected async Task InvokeSearch() { if (Searcher == null) - Searcher = new ADSearch(); + Searcher = new ADSearch(Directory); else Searcher.Cancel(); SearchService.SearchTerm = SearchTermParameter; 
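Review bot: In Search.razor and View.razor the `Searcher` property drops its initializer but keeps the non-nullable type `ADSearch`, so it is null from component construction until `OnInitializedAsync` assigns it, and the `if (Searcher == null)` test in `InvokeSearch` shows the code expects exactly that. If nullable reference types are enabled for the project (the csproj hunk appears to show `enable`, though its tags are stripped here), this yields an uninitialized-property warning while any markup that dereferences `Searcher` before initialization gets no compiler help. Declaring it `public ADSearch? Searcher { get; set; }` makes the existing null check meaningful and forces other uses to handle the pre-initialization state explicitly. The same change is made to `Searcher` in BLAZAMGui/UI/DirectorySearchPage.razor and applies there too.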
diff --git a/BLAZAMActiveDirectory/ActiveDirectoryContext.cs b/BLAZAMActiveDirectory/ActiveDirectoryContext.cs index b2671ad7..20a5d956 100644 --- a/BLAZAMActiveDirectory/ActiveDirectoryContext.cs +++ b/BLAZAMActiveDirectory/ActiveDirectoryContext.cs @@ -38,7 +38,7 @@ public IApplicationUserState? CurrentUser private WmiFactory _wmiFactory; IEncryptionService _encryption; private INotificationPublisher _notificationPublisher; - public static ActiveDirectoryContext Instance; + public static ActiveDirectoryContext SystemInstance; public int FailedConnectionAttempts { get; set; } = 0; @@ -220,7 +220,6 @@ INotificationPublisher notificationPublisher _wmiFactory = new(this); _encryption = encryptionService; _notificationPublisher = notificationPublisher; - Instance = this; Factory = factory; UserStateService = userStateService; //UserStateService.UserStateAdded += PopulateUserStateDirectoryUser; @@ -241,7 +240,7 @@ public ActiveDirectoryContext(ActiveDirectoryContext activeDirectoryContextSeed) { _encryption = activeDirectoryContextSeed._encryption; _notificationPublisher = activeDirectoryContextSeed._notificationPublisher; - Instance = this; + SystemInstance = this; Factory = activeDirectoryContextSeed.Factory; UserStateService = activeDirectoryContextSeed.UserStateService; ConnectionSettings = activeDirectoryContextSeed.ConnectionSettings; @@ -376,7 +375,7 @@ public void Connect() //Perform Auth check Loggers.ActiveDirectryLogger.Information("Performing Active Directory connection test"); - var search = new ADSearch() + var search = new ADSearch(this) { ObjectTypeFilter = ActiveDirectoryObjectType.User, SearchRoot = RootDirectoryEntry, 
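Review bot: `SystemInstance` is now assigned only in the seed constructor (`ActiveDirectoryContext(ActiveDirectoryContext activeDirectoryContextSeed)`), since the `Instance = this;` in the injected constructor is removed, while ADSearch.cs still falls back to `ActiveDirectoryContext.SystemInstance` for the default `SearchRoot` and for result encapsulation. If the seed constructor is the one used to build per-user contexts — which cannot be confirmed from these hunks — every new per-user context would overwrite the static and later fallback searches would run under whichever user's context was created last, the same cross-user confusion this patch is meant to close. A public mutable static field also lets any code reassign it; prefer `public static ActiveDirectoryContext SystemInstance { get; private set; }`, assign it exactly once where the application-level context is created, and mark the declaration with `// The application's own context; must never be set from a per-user context`. Both constructors start outside the hunks.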
@@ -856,7 +855,7 @@ public bool RestoreTombstone(IDirectoryEntryAdapter model, IADOrganizationalUnit public IDirectoryEntryAdapter? FindEntryBySID(byte[] sid) => GetDirectoryEntryBySid(sid.ToSidString()); public IDirectoryEntryAdapter? GetDirectoryEntryBySid(string sid) { - var searcher = new ADSearch(); + var searcher = new ADSearch(this); searcher.SearchRoot = RootDirectoryEntry; searcher.Fields.SID = sid; var result = searcher.Search().FirstOrDefault(); @@ -865,7 +864,7 @@ public bool RestoreTombstone(IDirectoryEntryAdapter model, IADOrganizationalUnit public IDirectoryEntryAdapter? GetDirectoryEntryByDN(string dn) { - var searcher = new ADSearch(); + var searcher = new ADSearch(this); searcher.SearchRoot = RootDirectoryEntry; searcher.Fields.DN = dn; var result = searcher.Search().FirstOrDefault(); diff --git a/BLAZAMActiveDirectory/Adapters/ADGroup.cs b/BLAZAMActiveDirectory/Adapters/ADGroup.cs index 4ee6a728..38bd08b9 100644 --- a/BLAZAMActiveDirectory/Adapters/ADGroup.cs +++ b/BLAZAMActiveDirectory/Adapters/ADGroup.cs @@ -178,7 +178,7 @@ public IEnumerable NestedMembers { get { - ADSearch search = new ADSearch(); + ADSearch search = new ADSearch(Directory); search.Fields.NestedMemberOf = this; var result = search.Search(); return result; @@ -193,7 +193,7 @@ public List Members get { var temp = MembersAsStrings; - ADSearch search = new ADSearch(); + ADSearch search = new ADSearch(Directory); List members = new List(); temp?.ForEach(t => diff --git a/BLAZAMActiveDirectory/Adapters/DirectoryEntryAdapter.cs b/BLAZAMActiveDirectory/Adapters/DirectoryEntryAdapter.cs index dd0d77ef..71d15e5c 100644 --- a/BLAZAMActiveDirectory/Adapters/DirectoryEntryAdapter.cs +++ b/BLAZAMActiveDirectory/Adapters/DirectoryEntryAdapter.cs 
@@ -443,7 +443,7 @@ public virtual void MoveTo(IADOrganizationalUnit parentOUToMoveTo) { if (DirectoryEntry == null || DirectoryEntry.Parent == null) return null; - var parent = DirectoryEntry.Parent.Encapsulate(); + var parent = DirectoryEntry.Parent.Encapsulate(Directory); return parent; diff --git a/BLAZAMActiveDirectory/GlobalSuppressions.cs b/BLAZAMActiveDirectory/GlobalSuppressions.cs index 367c8a0e..2871db69 100644 --- a/BLAZAMActiveDirectory/GlobalSuppressions.cs +++ b/BLAZAMActiveDirectory/GlobalSuppressions.cs @@ -6,7 +6,6 @@ using System.Diagnostics.CodeAnalysis; [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.Common.Data.Services.WmiFactory.CreateWmiConnection(System.String)~System.Management.ManagementScope")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.CommitChanges~BLAZAM.ActiveDirectory.DirectoryChangeResult")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.SetNewProperty(System.String,System.Object)")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.ActiveDirectoryContext.Connect")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.ActiveDirectoryContext.GetDeleteObjectsEntry~System.DirectoryServices.DirectoryEntry")] 
@@ -23,19 +22,14 @@ [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.FetchDirectoryEntry")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.DiscardChanges")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.Delete")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.Parse(System.DirectoryServices.DirectoryEntry,System.DirectoryServices.SearchResult,BLAZAM.ActiveDirectory.Interfaces.IActiveDirectoryContext)~System.Threading.Tasks.Task")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.GetParent~System.Threading.Tasks.Task{BLAZAM.ActiveDirectory.Interfaces.IADOrganizationalUnit}")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.MoveTo(BLAZAM.ActiveDirectory.Interfaces.IADOrganizationalUnit)~System.Boolean")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.Classes")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = 
"~P:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.ADSPath")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.Invoke(System.String,System.Object[])~System.Boolean")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.Changes")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.ADUser.SetHomeDirectoryPermissions")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.ADUser.SetPassword(System.Security.SecureString,System.Boolean)~System.Boolean")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Searchers.ADSearch.Search``2(System.Nullable{System.Threading.CancellationToken})~System.Collections.Generic.List{``1}")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Searchers.ADSearch.PerformSearch``2(System.DateTime,System.DirectoryServices.DirectorySearcher,System.Int32)")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Searchers.ADSearch.PrepareSearcher(System.DirectoryServices.DirectorySearcher)")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = 
"~M:BLAZAM.ActiveDirectory.Searchers.ADSearch.Encapsulate(System.DirectoryServices.SearchResultCollection)~System.Collections.Generic.List{BLAZAM.ActiveDirectory.Interfaces.IDirectoryEntryAdapter}")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.Searchers.ADSearch.SearchScope")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~F:BLAZAM.ActiveDirectory.Searchers.ADSearch._searchResults")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.ADOrganizationalUnit.CreateGroup(System.String)~BLAZAM.ActiveDirectory.Interfaces.IADGroup")] 
@@ -48,19 +42,15 @@ [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.ActiveDirectoryContext.TryGetDomainControllers")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.commitStep")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.CommitChanges(BLAZAM.Jobs.IJob)~BLAZAM.Jobs.IJob")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Searchers.ADSearcher.SearchObjects(System.String,System.String,System.Nullable{BLAZAM.Common.Data.ActiveDirectoryObjectType},System.Int32,System.Nullable{System.Boolean},System.DirectoryServices.SearchScope)~System.DirectoryServices.SearchResultCollection")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.Adapters.ADOrganizationalUnit.Children")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.Children")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.ActiveDirectoryContext.AuthType")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~P:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.HasChildren")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate 
platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.MoveTo(BLAZAM.ActiveDirectory.Interfaces.IADOrganizationalUnit)")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.GetParent~BLAZAM.ActiveDirectory.Interfaces.IADOrganizationalUnit")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.ActiveDirectoryContext.Authenticate_Alt(BLAZAM.Common.Data.LoginRequest)~BLAZAM.ActiveDirectory.Interfaces.IADUser")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.ADOrganizationalUnit.CreateOU(System.String)~BLAZAM.ActiveDirectory.Interfaces.IADOrganizationalUnit")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.ADOrganizationalUnit.CreatePrinter(System.String,System.String,System.String)~BLAZAM.ActiveDirectory.Interfaces.IADPrinter")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.ADOrganizationalUnit.CreatePrinter(BLAZAM.ActiveDirectory.Adapters.SharedPrinter)~BLAZAM.ActiveDirectory.Interfaces.IADPrinter")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.Helpers.ActiveDirectoryHelpers.Encapsulate(System.DirectoryServices.SearchResultCollection)~System.Collections.Generic.List{BLAZAM.ActiveDirectory.Interfaces.IDirectoryEntryAdapter}")] -[assembly: SuppressMessage("Interoperability", 
"CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.Helpers.ActiveDirectoryHelpers.Encapsulate(System.DirectoryServices.DirectoryEntries)~System.Collections.Generic.List{BLAZAM.ActiveDirectory.Interfaces.IDirectoryEntryAdapter}")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.ActiveDirectoryContext.KeepAlive(System.Object)")] -[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.Helpers.ActiveDirectoryHelpers.Encapsulate(System.DirectoryServices.DirectoryEntry)~BLAZAM.ActiveDirectory.Interfaces.IDirectoryEntryAdapter")] [assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.ActiveDirectory.Adapters.DirectoryEntryAdapter.GetParent~BLAZAM.ActiveDirectory.Interfaces.IDirectoryEntryAdapter")] +[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.Helpers.ActiveDirectoryHelpers.Encapsulate(System.DirectoryServices.SearchResultCollection,BLAZAM.ActiveDirectory.Interfaces.IActiveDirectoryContext)~System.Collections.Generic.List{BLAZAM.ActiveDirectory.Interfaces.IDirectoryEntryAdapter}")] +[assembly: SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "", Scope = "member", Target = "~M:BLAZAM.Helpers.ActiveDirectoryHelpers.Encapsulate(System.DirectoryServices.DirectoryEntry,BLAZAM.ActiveDirectory.Interfaces.IActiveDirectoryContext)~BLAZAM.ActiveDirectory.Interfaces.IDirectoryEntryAdapter")] diff --git a/BLAZAMActiveDirectory/Helpers/ActiveDirectoryHelpers.cs b/BLAZAMActiveDirectory/Helpers/ActiveDirectoryHelpers.cs index 6a5df47b..430909ef 100644 
--- a/BLAZAMActiveDirectory/Helpers/ActiveDirectoryHelpers.cs +++ b/BLAZAMActiveDirectory/Helpers/ActiveDirectoryHelpers.cs @@ -60,7 +60,6 @@ public static IEnumerable MoveToTop(this IEnumerablex.CanonicalName)); } return list.AsEnumerable(); - return default; } @@ -124,7 +123,7 @@ public static string FqdnToDn(string fqdn) /// /// /// A list of whose types correspond the directory object type they encapsulate - public static List Encapsulate(this SearchResultCollection r) + public static List Encapsulate(this SearchResultCollection r,IActiveDirectoryContext context) { List objects = new(); @@ -163,7 +162,7 @@ public static List Encapsulate(this SearchResultCollecti } if (thisObject != null) { - thisObject.Parse(directory: ActiveDirectoryContext.Instance, searchResult: sr); + thisObject.Parse(directory: context, searchResult: sr); objects.Add(thisObject); @@ -182,7 +181,7 @@ public static List Encapsulate(this SearchResultCollecti /// /// A whose types correspond the directory object type they encapsulate - public static IDirectoryEntryAdapter? Encapsulate(this DirectoryEntry sr) + public static IDirectoryEntryAdapter? Encapsulate(this DirectoryEntry sr, IActiveDirectoryContext context) { IDirectoryEntryAdapter? thisObject = null; @@ -214,7 +213,7 @@ public static List Encapsulate(this SearchResultCollecti } if (thisObject != null) { - thisObject.Parse(directory: ActiveDirectoryContext.Instance, directoryEntry: sr); + thisObject.Parse(directory: context, directoryEntry: sr); return thisObject; @@ -235,7 +234,7 @@ public static List Encapsulate(this SearchResultCollecti /// /// /// A list of whose types correspond the directory object type they encapsulate - public static List Encapsulate(this DirectoryEntries r) + public static List Encapsulate(this DirectoryEntries r, IActiveDirectoryContext context) { List objects = new(); 
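Review bot: The three `Encapsulate` overloads now take an `IActiveDirectoryContext context` that is handed straight to `thisObject.Parse(directory: context, ...)` with no guard, and the XML doc comments above each signature were not updated for the new parameter. Since this context decides which user the returned adapters are evaluated for, a null reaching it (via `!` or a caller compiled without nullable checks) would fail somewhere inside `Parse` — what `Parse` does with a null directory is not visible here — so add `if (context is null) throw new ArgumentNullException(nameof(context));` as the first statement of each overload, plus a `<param name="context">` entry stating that it is the context of the user the results are being encapsulated for. The `DirectoryEntries` overload's `Encapsulate(sr,context)` call also needs a space after the comma to match the surrounding formatting. The bodies of all three overloads extend beyond the hunks.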
@@ -245,7 +244,7 @@ public static List Encapsulate(this DirectoryEntries r) foreach (DirectoryEntry sr in r) { - var encapsulated = Encapsulate(sr); + var encapsulated = Encapsulate(sr,context); if(encapsulated != null) objects.Add(encapsulated); diff --git a/BLAZAMActiveDirectory/Searchers/ADBitLockerSearcher.cs b/BLAZAMActiveDirectory/Searchers/ADBitLockerSearcher.cs index 90f3a72d..caccb93b 100644 --- a/BLAZAMActiveDirectory/Searchers/ADBitLockerSearcher.cs +++ b/BLAZAMActiveDirectory/Searchers/ADBitLockerSearcher.cs @@ -18,7 +18,7 @@ public List FindByRecoveryId(string searchTerm) { var searchFields = new ADSearchFields(); searchFields.BitLockerRecoveryId = searchTerm; - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.BitLocker, EnabledOnly = false, @@ -39,15 +39,7 @@ public List FindByComputer(IADComputer computer) { var children = computer.Children; return children.Where(c => c is IADBitLockerRecovery).Cast().ToList(); - var searchFields = new ADSearchFields(); - searchFields.CN = "*"+computer.DN; - return new ADSearch() - { - ObjectTypeFilter = ActiveDirectoryObjectType.BitLocker, - EnabledOnly = false, - Fields = searchFields - - }.Search(); + } public async Task> FindByComputerAsync(IADComputer computer) diff --git a/BLAZAMActiveDirectory/Searchers/ADComputerSearcher.cs b/BLAZAMActiveDirectory/Searchers/ADComputerSearcher.cs index 1c935ebb..1afc91c6 100644 --- a/BLAZAMActiveDirectory/Searchers/ADComputerSearcher.cs +++ b/BLAZAMActiveDirectory/Searchers/ADComputerSearcher.cs @@ -23,7 +23,7 @@ public async Task> FindByStringAsync(string searchTerm, bool i } public List FindByString(string searchTerm, bool ignoreDisabled = true) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Computer, EnabledOnly = ignoreDisabled, 
@@ -45,7 +45,7 @@ public List FindNewComputers(int maxAgeInDays = 14, bool ignoreDisa { var threeMonthsAgo = DateTime.Today - TimeSpan.FromDays(maxAgeInDays); - var results = new ADSearch() + var results = new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Computer, EnabledOnly = ignoreDisabledComputers, diff --git a/BLAZAMActiveDirectory/Searchers/ADGroupSearcher.cs b/BLAZAMActiveDirectory/Searchers/ADGroupSearcher.cs index d102d24d..7917995f 100644 --- a/BLAZAMActiveDirectory/Searchers/ADGroupSearcher.cs +++ b/BLAZAMActiveDirectory/Searchers/ADGroupSearcher.cs @@ -38,7 +38,7 @@ public async Task> FindGroupByStringAsync(string searchTerm, bool /// All groups with the distinguished name fragment in their own distinguished name public List FindGroupByDN(string dn) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Group, EnabledOnly = false, @@ -54,7 +54,7 @@ public List FindGroupByDN(string dn) public List FindGroupByString(string searchTerm, bool exactMatch = false) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Group, GeneralSearchTerm = searchTerm, @@ -78,7 +78,7 @@ public async Task> FindNewGroupsAsync(int maxAgeInDays = 14) { var threeMonthsAgo = DateTime.Today - TimeSpan.FromDays(maxAgeInDays); - var results = new ADSearch() + var results = new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Group, Fields = new() @@ -104,7 +104,7 @@ public async Task> FindNewGroupsAsync(int maxAgeInDays = 14) public IADGroup? FindGroupBySID(string groupSID) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Group, Fields = new() @@ -133,7 +133,7 @@ public List FindGroupsByDN(List? list) foreach (string groupDN in list) { - var group = new ADSearch() + var group = new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Group, Fields = new() 
@@ -195,7 +195,7 @@ public List GetGroupMembers(IADGroup group) public bool IsAMemberOf(IADGroup group, IGroupableDirectoryAdapter? userOrGroup, bool v, bool ignoreDisabledUsers = true) { - return new ADSearch() + return new ADSearch(Directory) { Fields = new() { diff --git a/BLAZAMActiveDirectory/Searchers/ADOUSearcher.cs b/BLAZAMActiveDirectory/Searchers/ADOUSearcher.cs index f845eaec..2e432136 100644 --- a/BLAZAMActiveDirectory/Searchers/ADOUSearcher.cs +++ b/BLAZAMActiveDirectory/Searchers/ADOUSearcher.cs @@ -9,7 +9,7 @@ namespace BLAZAM.ActiveDirectory.Searchers public class ADOUSearcher : ADSearcher, IADOUSearcher { - protected ADSearch NewSearch { get { return new ADSearch() { ObjectTypeFilter = ActiveDirectoryObjectType.OU }; } } + protected ADSearch NewSearch { get { return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.OU }; } } public IADOrganizationalUnit GetApplicationRootOU() { @@ -77,7 +77,7 @@ public List FindNewOUs(int maxAgeInDays = 14) { var threeMonthsAgo = DateTime.Today - TimeSpan.FromDays(maxAgeInDays); - var results = new ADSearch() + var results = new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.OU, Fields = new() diff --git a/BLAZAMActiveDirectory/Searchers/ADPrinterSearcher.cs b/BLAZAMActiveDirectory/Searchers/ADPrinterSearcher.cs index be2fb59f..52b2926d 100644 --- a/BLAZAMActiveDirectory/Searchers/ADPrinterSearcher.cs +++ b/BLAZAMActiveDirectory/Searchers/ADPrinterSearcher.cs @@ -22,7 +22,7 @@ public async Task> FindPrintersByStringAsync(string? searchTerm public List FindPrintersByString(string? searchTerm, bool? ignoreDisabledPrinters = true, bool exactMatch = false) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Printer, EnabledOnly = ignoreDisabledPrinters, 
@@ -33,7 +33,7 @@ public List FindPrintersByString(string? searchTerm, bool? ignoreDis } public IADPrinter? FindPrinterByName(string? searchTerm, bool? ignoreDisabledPrinters = true) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Printer, EnabledOnly = ignoreDisabledPrinters, @@ -62,7 +62,7 @@ public List FindNewPrinters(int maxAgeInDays = 14, bool? ignoreDisab { var threeMonthsAgo = DateTime.Today - TimeSpan.FromDays(maxAgeInDays); - var results = new ADSearch() + var results = new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Printer, EnabledOnly = ignoreDisabledPrinters, @@ -99,7 +99,7 @@ public List FindChangedPrinters(bool? ignoreDisabledPrinters = true, public IADPrinter? FindPrintersByContainerName(string? searchTerm, bool? ignoreDisabledPrinters = true, bool exactMatch = false) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.Printer, EnabledOnly = ignoreDisabledPrinters, diff --git a/BLAZAMActiveDirectory/Searchers/ADSearch.cs b/BLAZAMActiveDirectory/Searchers/ADSearch.cs index 19477354..17cc507b 100644 --- a/BLAZAMActiveDirectory/Searchers/ADSearch.cs +++ b/BLAZAMActiveDirectory/Searchers/ADSearch.cs @@ -81,6 +81,12 @@ public class ADSearch : SearchBase public List Results { get; set; } = new(); public string LdapQuery { get; private set; } public bool SearchDeleted { get; set; } = false; + private IActiveDirectoryContext? _currentUserActiveDirectoryContext; + + public ADSearch(IActiveDirectoryContext? currentUserActiveDirectoryContext) + { + _currentUserActiveDirectoryContext = currentUserActiveDirectoryContext; + } public async Task> SearchAsync(CancellationToken? token = null) where T : I, IDirectoryEntryAdapter, new() { 
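Review bot: The new `ADSearch` constructor accepts `IActiveDirectoryContext?` and stores it unvalidated, and the `AddResults` hunk that follows falls back to `ActiveDirectoryContext.SystemInstance` whenever the field is null, so any caller passing null still gets its results encapsulated under the application's own context — the path this commit is labelled as closing. Making the context required removes that door: `private readonly IActiveDirectoryContext _currentUserActiveDirectoryContext;` with `_currentUserActiveDirectoryContext = currentUserActiveDirectoryContext ?? throw new ArgumentNullException(nameof(currentUserActiveDirectoryContext));`, after which `AddResults` reduces to `var last = lastResults.Encapsulate(_currentUserActiveDirectoryContext);`. Every call site in this patch already passes a context (`Directory` or `this`), so only callers outside the diff could be affected. The constructor should also carry a doc comment such as `/// <param name="currentUserActiveDirectoryContext">Context of the user on whose behalf the search runs; results are encapsulated with this user's permissions.</param>`.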
@@ -119,7 +125,7 @@ public async Task> SearchAsync() DirectorySearcher searcher; try { - SearchRoot ??= ActiveDirectoryContext.Instance.GetDirectoryEntry(DatabaseCache.ActiveDirectorySettings?.ApplicationBaseDN); + SearchRoot ??= ActiveDirectoryContext.SystemInstance.GetDirectoryEntry(DatabaseCache.ActiveDirectorySettings?.ApplicationBaseDN); var pageOffset = 1; searcher = new DirectorySearcher(SearchRoot) @@ -369,11 +375,21 @@ public void Cancel() cancellationToken = new CancellationToken(true); } + + + private void AddResults(SearchResultCollection lastResults) where T : I, IDirectoryEntryAdapter, new() { + List last = new(); + if (_currentUserActiveDirectoryContext != null) + { + last = lastResults.Encapsulate(_currentUserActiveDirectoryContext); - - var last = lastResults.Encapsulate(); + } + else + { + last = lastResults.Encapsulate(ActiveDirectoryContext.SystemInstance); + } Results.AddRange(last); ResultsCollected?.Invoke(last); diff --git a/BLAZAMActiveDirectory/Searchers/ADSearcher.cs b/BLAZAMActiveDirectory/Searchers/ADSearcher.cs index 48b3802c..6ae9c5f4 100644 --- a/BLAZAMActiveDirectory/Searchers/ADSearcher.cs +++ b/BLAZAMActiveDirectory/Searchers/ADSearcher.cs @@ -50,7 +50,7 @@ public ADSearcher(IActiveDirectoryContext directory) - ADSearch search = new ADSearch(); + ADSearch search = new ADSearch(Directory); search.ObjectTypeFilter = searchType; search.SearchRoot = Directory.GetDirectoryEntry(searchBaseDN); diff --git a/BLAZAMActiveDirectory/Searchers/ADUserSearcher.cs b/BLAZAMActiveDirectory/Searchers/ADUserSearcher.cs index 9a2a01ea..4687f4b1 100644 --- a/BLAZAMActiveDirectory/Searchers/ADUserSearcher.cs +++ b/BLAZAMActiveDirectory/Searchers/ADUserSearcher.cs 
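Review bot: `SearchRoot ??= ActiveDirectoryContext.SystemInstance.GetDirectoryEntry(...)` still resolves the default search root through the application's static context rather than through `_currentUserActiveDirectoryContext`, so only the encapsulation of results is user-scoped while the root entry comes from the application context. Whether that matters depends on permission enforcement living in `Parse` and the adapters rather than at search time — not visible here — but since `IActiveDirectoryContext` exposes `GetDirectoryEntry` (ADSearcher.cs calls `Directory.GetDirectoryEntry(searchBaseDN)`), `SearchRoot ??= (_currentUserActiveDirectoryContext ?? ActiveDirectoryContext.SystemInstance).GetDirectoryEntry(DatabaseCache.ActiveDirectorySettings?.ApplicationBaseDN);` would keep both halves on the same context. In `AddResults`, `List last = new();` followed by assignment in both branches is a stray default; `var last = lastResults.Encapsulate(_currentUserActiveDirectoryContext ?? ActiveDirectoryContext.SystemInstance);` expresses the same logic in one line. `SearchAsync` continues outside the hunk.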
@@ -23,7 +23,7 @@ public async Task> FindUsersByStringAsync(string? searchTerm, bool public List FindUsersByString(string? searchTerm, bool? ignoreDisabledUsers = true, bool exactMatch = false) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.User, EnabledOnly = ignoreDisabledUsers, @@ -34,7 +34,7 @@ public List FindUsersByString(string? searchTerm, bool? ignoreDisabledU } public IADUser? FindUserByUsername(string? searchTerm, bool? ignoreDisabledUsers = true) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.User, EnabledOnly = ignoreDisabledUsers, @@ -58,7 +58,7 @@ public async Task> FindLockedOutUsersAsync(bool? ignoreDisabledUse public List FindLockedOutUsers(bool? ignoreDisabledUsers = true) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.User, EnabledOnly = ignoreDisabledUsers, @@ -85,7 +85,7 @@ public List FindNewUsers(int maxAgeInDays = 14, bool? ignoreDisabledUse { var threeMonthsAgo = DateTime.Today - TimeSpan.FromDays(maxAgeInDays); - var results = new ADSearch() + var results = new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.User, EnabledOnly = ignoreDisabledUsers, @@ -139,7 +139,7 @@ public List FindChangedUsers(bool? ignoreDisabledUsers = true, int days public IADUser? FindUserBySID(string? sid) { if (sid == null) return null; - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.User, EnabledOnly = false, @@ -152,7 +152,7 @@ public List FindChangedUsers(bool? ignoreDisabledUsers = true, int days public IADUser? FindUsersByContainerName(string? searchTerm, bool? ignoreDisabledUsers = true, bool exactMatch = false) { - return new ADSearch() + return new ADSearch(Directory) { ObjectTypeFilter = ActiveDirectoryObjectType.User, EnabledOnly = ignoreDisabledUsers, 
diff --git a/BLAZAMGui/UI/Dashboard/Widgets/ChangedEntriesWidget.razor b/BLAZAMGui/UI/Dashboard/Widgets/ChangedEntriesWidget.razor index 019aa729..bcc87f2b 100644 --- a/BLAZAMGui/UI/Dashboard/Widgets/ChangedEntriesWidget.razor +++ b/BLAZAMGui/UI/Dashboard/Widgets/ChangedEntriesWidget.razor @@ -56,7 +56,7 @@ Task.Run(async () => { - var search = new ADSearch(); + var search = new ADSearch(Directory); search.Fields.Changed = DateTime.Now.AddDays(-1); changdEntries = (await search.SearchAsync()).Where(x => x.CanRead).ToList(); LoadingData = false; diff --git a/BLAZAMGui/UI/Dashboard/Widgets/DeletedEntriesWidget.razor b/BLAZAMGui/UI/Dashboard/Widgets/DeletedEntriesWidget.razor index 8bb5a0d7..8486b658 100644 --- a/BLAZAMGui/UI/Dashboard/Widgets/DeletedEntriesWidget.razor +++ b/BLAZAMGui/UI/Dashboard/Widgets/DeletedEntriesWidget.razor @@ -47,7 +47,7 @@ { await base.OnInitializedAsync(); - var search = new ADSearch() { SearchRoot = Directory.GetDeleteObjectsEntry() }; + var search = new ADSearch(Directory) { SearchRoot = Directory.GetDeleteObjectsEntry() }; search.SearchDeleted = true; search.Fields.Changed = DateTime.Now.AddDays(-14); deletedObjects = await search.SearchAsync(); diff --git a/BLAZAMGui/UI/DirectorySearchPage.razor b/BLAZAMGui/UI/DirectorySearchPage.razor index 5d0a05c7..77867685 100644 --- a/BLAZAMGui/UI/DirectorySearchPage.razor +++ b/BLAZAMGui/UI/DirectorySearchPage.razor @@ -31,7 +31,7 @@ } - public ADSearch Searcher { get; set; } = new(); + public ADSearch Searcher { get; set; } @@ -64,7 +64,7 @@ protected override async Task OnInitializedAsync() { - Searcher = new ADSearch(); + Searcher = new ADSearch(Directory); Searcher.GeneralSearchTerm = SearchTermParameter; await base.OnInitializedAsync(); SearchDisabledObjects = UserStateService?.CurrentUserState?.Preferences?.SearchDisabledUsers == true; diff --git a/BLAZAMGui/UI/Inputs/ADAutoComplete.razor b/BLAZAMGui/UI/Inputs/ADAutoComplete.razor index c1c82cec..66ec431d 100644 
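Review bot: The search in `ChangedEntriesWidget` is now built on `Directory` inside an un-awaited `Task.Run`, and if that context is per-user and scoped to the component's circuit (inferred, not visible here) it can be disposed while the search is still running. `SearchAsync` accepts an optional `CancellationToken`, so passing one tied to the component's lifetime — say `(await search.SearchAsync(_cts.Token))` with the token source cancelled in `Dispose` — would stop a late result from touching a context that has gone away. `DeletedEntriesWidget` awaits its search directly and is not affected.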
--- a/BLAZAMGui/UI/Inputs/ADAutoComplete.razor +++ b/BLAZAMGui/UI/Inputs/ADAutoComplete.razor @@ -217,7 +217,7 @@ { SearchResults = new List(); - var search = new ADSearch(); + var search = new ADSearch(Directory); search.ObjectTypeFilter = SearchObjectType; search.GeneralSearchTerm = searchText.Replace(" ", "*"); diff --git a/BLAZAMGui/UI/Search/SearchPageHeader.razor b/BLAZAMGui/UI/Search/SearchPageHeader.razor index 5fa63ba6..0a455da7 100644 --- a/BLAZAMGui/UI/Search/SearchPageHeader.razor +++ b/BLAZAMGui/UI/Search/SearchPageHeader.razor @@ -43,7 +43,7 @@ }; - public ADSearch Searcher { get; set; } = new ADSearch(); + public ADSearch Searcher { get; set; } @@ -57,7 +57,7 @@ protected override async Task OnInitializedAsync() { await base.OnInitializedAsync(); - + Searcher = new(Directory); Searcher.ResultsCollected += ((batch) => { InvokeAsync(StateHasChanged); }); Searcher.OnSearchCompleted += (() => { diff --git a/BLAZAMServices/LoginPermissionApplicator.cs b/BLAZAMServices/LoginPermissionApplicator.cs index fe182ddd..275e932e 100644 --- a/BLAZAMServices/LoginPermissionApplicator.cs +++ b/BLAZAMServices/LoginPermissionApplicator.cs @@ -20,22 +20,14 @@ public PermissionApplicator(IApplicationUserStateService userStateService, IAppD _userStateService = userStateService; _factory = factory; _directory = directory; - //directory.OnNewLoginUser += LoadPermissionsForNewLoginUser; - //ProgramEvents.PermissionsChanged += PermissionsChanged; } - // For every user that logs in, load their permissions - //private async void LoadPermissionsForNewLoginUser(IApplicationUserState value) - //{ - // if (value.DirectoryUser != null) - // await LoadPermissions(value.DirectoryUser); - - //} + /// - /// Reads the current database settings and applys the assign permissions for the + /// Reads the current database settings and applies the assign permissions for the /// provided directory user /// /// 
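Review bot: `Searcher` in `SearchPageHeader` loses its initializer in the `-43` hunk but is only assigned after `await base.OnInitializedAsync()` in the `-57` hunk, so if that base call does not complete synchronously Blazor renders the component once with `Searcher` null — a window the old `= new ADSearch()` did not have. Move `Searcher = new(Directory);` above the `await`, or into a synchronous `OnInitialized()` override, so the property is populated before first render; `DirectorySearchPage` in the previous file assigns before its first await and does not have this problem. If nullable annotations are enabled, the uninitialised non-nullable property will also warn (CS8618), which the earlier assignment or a `required`/`?` annotation resolves.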
@@ -47,7 +39,7 @@ public async Task LoadPermissions(IApplicationUserState webUser, IADUser directo
 var cursor = await Context.PermissionDelegate.Include(pl => pl.PermissionsMaps).ToListAsync();
 foreach (var l in cursor)
 {
- var permissiondelegate = ActiveDirectoryContext.Instance.FindEntryBySID(l.DelegateSid);
+ var permissiondelegate = ActiveDirectoryContext.SystemInstance.FindEntryBySID(l.DelegateSid);
 if (permissiondelegate != null)
 {
 if (permissiondelegate is IADGroup && directoryUser.IsAMemberOf(permissiondelegate as IADGroup)
From 3ccd3a66b9495c61dc75212172125434161e076d Mon Sep 17 00:00:00 2001
From: Chris Jacobsen
Date: Thu, 8 Aug 2024 19:46:49 -0400
Subject: [PATCH 2/2] Add security updates to release notes

---
 .github/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/release.yml b/.github/release.yml
index 61e0b57b..53b51fe5 100644
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -16,6 +16,9 @@ changelog:
 - title: Exciting New Features 🎉
 labels:
 - enhancement
+ - title: Security Updates 🔐
+ labels:
+ - security
 - title: Fixes 🏗
 labels:
 - bug
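Review bot: The switch to `ActiveDirectoryContext.SystemInstance` on the changed line is appropriate for resolving permission delegates, but it is now the one deliberate system-context lookup left in a commit that removes the others, and nothing says why, so a later sweep could "fix" it to the user context. A why-comment would protect it, e.g. `// Intentional: delegates are resolved with the system context because the user's own permissions are (presumably) not applied yet at this point and the delegate objects are not user-visible data.`. The enclosing LoadPermissions body continues outside the hunk.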