Add DirectoryService SID lookup functionality with configurable option

src/Sddl.Parser/Ace.cs

@@ -16,7 +16,11 @@ public class Ace : Acm
         public string InheritObjectGuid { get; }
         public Sid AceSid { get; }
 
-        public Ace(string ace, SecurableObjectType type = SecurableObjectType.Unknown)
+        public Ace(string ace, SecurableObjectType type = SecurableObjectType.Unknown) : this(ace, type, null)
+        {
+        }
+
+        public Ace(string ace, SecurableObjectType type, SidResolverOptions sidResolverOptions)
         {
             Raw = ace;
 
@@ -90,7 +94,7 @@ public Ace(string ace, SecurableObjectType type = SecurableObjectType.Unknown)
             // account_sid
             if (parts.Length > 5 && parts[5].Length > 0)
             {
-                AceSid = new Sid(parts[5]);
+                AceSid = new Sid(parts[5], sidResolverOptions);
             }
 
             // resource_attribute

src/Sddl.Parser/Acl.cs

@@ -11,7 +11,11 @@ public class Acl : Acm
         public string[] Flags { get; }
         public Ace[] Aces { get; }
 
-        public Acl(string acl, SecurableObjectType type = SecurableObjectType.Unknown)
+        public Acl(string acl, SecurableObjectType type = SecurableObjectType.Unknown) : this(acl, type, null)
+        {
+        }
+
+        public Acl(string acl, SecurableObjectType type, SidResolverOptions sidResolverOptions)
         {
             Raw = acl;
 
@@ -55,7 +59,7 @@ public Acl(string acl, SecurableObjectType type = SecurableObjectType.Unknown)
                         }
 
                         if (balance == 0)
-                            aces.AddLast(new Ace(acl.Substring(begin + 1, length), type));
+                            aces.AddLast(new Ace(acl.Substring(begin + 1, length), type, sidResolverOptions));
                     }
                     else if (balance <= 0)
                     {

src/Sddl.Parser/DirectoryServiceSidResolver.cs

@@ -0,0 +1,54 @@
+using System;
+using System.Security.Principal;
+
+namespace Sddl.Parser
+{
+    /// <summary>
+    /// Resolves SID strings using SecurityIdentifier.Translate (DirectoryService lookup)
+    /// </summary>
+    public class DirectoryServiceSidResolver : ISidResolver
+    {
+        /// <summary>
+        /// Attempts to resolve a SID string to a meaningful name using DirectoryService lookup
+        /// </summary>
+        /// <param name="sidString">The SID string to resolve</param>
+        /// <returns>The resolved name, or null if resolution fails</returns>
+        public string ResolveSid(string sidString)
+        {
+            if (string.IsNullOrEmpty(sidString))
+                return null;
+
+            try
+            {
+                // Try to parse as a SecurityIdentifier
+                SecurityIdentifier sid;
+                try
+                {
+                    sid = new SecurityIdentifier(sidString);
+                }
+                catch
+                {
+                    // Not a valid SID format
+                    return null;
+                }
+
+                // Attempt to translate to NTAccount using DirectoryService lookup
+                try
+                {
+                    var account = (NTAccount)sid.Translate(typeof(NTAccount));
+                    return account.Value;
+                }
+                catch
+                {
+                    // Translation failed - SID may not exist or may not be translatable
+                    return null;
+                }
+            }
+            catch
+            {
+                // Any other error during resolution
+                return null;
+            }
+        }
+    }
+}

src/Sddl.Parser/ISidResolver.cs

@@ -0,0 +1,15 @@
+namespace Sddl.Parser
+{
+    /// <summary>
+    /// Interface for resolving SID strings to meaningful names
+    /// </summary>
+    public interface ISidResolver
+    {
+        /// <summary>
+        /// Attempts to resolve a SID string to a meaningful name
+        /// </summary>
+        /// <param name="sidString">The SID string to resolve</param>
+        /// <returns>The resolved name, or null if resolution fails</returns>
+        string ResolveSid(string sidString);
+    }
+}

src/Sddl.Parser/Sddl.Parser.csproj

@@ -8,4 +8,8 @@
     <PackageId>Sddl.Parser</PackageId>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="System.Security.Principal.Windows" Version="5.0.0" />
+  </ItemGroup>
+
 </Project>

src/Sddl.Parser/Sddl.cs

@@ -13,7 +13,11 @@ public class Sddl : Acm
         public Acl Dacl { get; }
         public Acl Sacl { get; }
 
-        public Sddl(string sddl, SecurableObjectType type = SecurableObjectType.Unknown)
+        public Sddl(string sddl, SecurableObjectType type = SecurableObjectType.Unknown) : this(sddl, type, null)
+        {
+        }
+
+        public Sddl(string sddl, SecurableObjectType type, SidResolverOptions sidResolverOptions)
         {
             Raw = sddl;
 
@@ -40,25 +44,25 @@ public Sddl(string sddl, SecurableObjectType type = SecurableObjectType.Unknown)
 
             if (components.TryGetValue(OwnerToken, out var owner))
             {
-                Owner = new Sid(owner);
+                Owner = new Sid(owner, sidResolverOptions);
                 components.Remove(OwnerToken);
             }
 
             if (components.TryGetValue(GroupToken, out var group))
             {
-                Group = new Sid(group);
+                Group = new Sid(group, sidResolverOptions);
                 components.Remove(GroupToken);
             }
 
             if (components.TryGetValue(DaclToken, out var dacl))
             {
-                Dacl = new Acl(dacl, type);
+                Dacl = new Acl(dacl, type, sidResolverOptions);
                 components.Remove(DaclToken);
             }
 
             if (components.TryGetValue(SaclToken, out var sacl))
             {
-                Sacl = new Acl(sacl, type);
+                Sacl = new Acl(sacl, type, sidResolverOptions);
                 components.Remove(SaclToken);
             }
 

src/Sddl.Parser/Sid.cs

@@ -8,17 +8,30 @@ public class Sid : Acm
 
         public string Alias { get; }
 
-        public Sid(string sid)
+        public Sid(string sid) : this(sid, null)
+        {
+        }
+
+        public Sid(string sid, SidResolverOptions options)
         {
             Raw = sid;
 
             string alias = Match.OneByRegexOrPrefix(sid, KnownAliasesList);
 
             if (alias == null)
             {
-                Report(Error.SDP001.Format(sid));
-
-                alias = Format.Unknown(sid);
+                // Try DirectoryService lookup if enabled
+                if (options?.EnableDirectoryServiceLookup == true)
+                {
+                    var resolver = options.SidResolver ?? new DirectoryServiceSidResolver();
+                    alias = resolver.ResolveSid(sid);
+                }
+
+                if (alias == null)
+                {
+                    Report(Error.SDP001.Format(sid));
+                    alias = Format.Unknown(sid);
+                }
             }
 
             Alias = alias;

src/Sddl.Parser/SidResolverOptions.cs

@@ -0,0 +1,19 @@
+namespace Sddl.Parser
+{
+    /// <summary>
+    /// Configuration options for SID resolution
+    /// </summary>
+    public class SidResolverOptions
+    {
+        /// <summary>
+        /// Gets or sets whether to enable DirectoryService lookup for unknown SIDs
+        /// </summary>
+        public bool EnableDirectoryServiceLookup { get; set; } = false;
+
+        /// <summary>
+        /// Gets or sets the SID resolver to use for DirectoryService lookups.
+        /// If null and EnableDirectoryServiceLookup is true, a default DirectoryServiceSidResolver will be used.
+        /// </summary>
+        public ISidResolver SidResolver { get; set; }
+    }
+}