Cache risk-rating SID lookups

[SamErde]

Summary

Eliminates repeated Active Directory LDAP queries for the same SID during a Locksmith scan run by introducing a session-scoped lookup cache in Private/Set-RiskRating.ps1.

Problem

Set-RiskRating is called once per issue during a scan. Seven call sites within that function all perform an identical query:

Get-ADObject -Filter { objectSid -eq $SID } | Select-Object objectClass

Common principals — Domain Users (S-1-5-21-...-513), Authenticated Users (S-1-5-11), Domain Computers (S-1-5-21-...-515), etc. — appear in the ACL of many templates and are re-queried on every issue that references them.

Solution

New helper: Get-SidObjectClass

Added at the top of Set-RiskRating.ps1 (before Set-RiskRating), automatically dot-sourced by Locksmith.psm1 with the rest of Private/*.ps1:

function Get-SidObjectClass {
    param ([Parameter(Mandatory)][string]$Sid)

    if ($null -eq $script:SidObjectClassCache) {
        $script:SidObjectClassCache = @{}
    }
    if (-not $script:SidObjectClassCache.ContainsKey($Sid)) {
        $script:SidObjectClassCache[$Sid] = Get-ADObject -Filter { objectSid -eq $Sid } |
            Select-Object objectClass
    }
    return $script:SidObjectClassCache[$Sid]
}

The $script: scope means the cache persists across all calls to Set-RiskRating within a single module session, hitting AD at most once per unique SID per scan run.

Call-site replacements (7 total)

All seven Get-ADObject | Select-Object objectClass calls replaced with Get-SidObjectClass:

Location	Pattern	Variable
ESC7 section	A — returns PSCustomObject	$IdentityReferenceObjectClass
Template section	A — returns PSCustomObject	$IdentityReferenceObjectClass
ESC3C2 loop	A — returns PSCustomObject	$escIdentityReferenceObjectClass
ESC15 loop	A — returns PSCustomObject	$escIdentityReferenceObjectClass
ESC2 loop	A — returns PSCustomObject	$escIdentityReferenceObjectClass
ESC3C1 loop	A — returns PSCustomObject	$escIdentityReferenceObjectClass
ESC5 loop	B — extracts .objectClass	$OtherIssueIdentityReferenceObjectClass

Pattern A preserves the PSCustomObject return type. Pattern B (ESC5) appends .objectClass to extract the raw array, preserving exact existing semantics.

Scope

• ✅ Caches repeated SID lookups in Set-RiskRating.ps1
• ✅ Preserves all risk score semantics exactly
• ✅ Invoke-Locksmith.ps1 not edited — it is auto-generated by Build/Build-Module.ps1
• ❌ No Pester tests added
• ❌ No remediation or TLS changes
• ❌ No broad refactoring

Static analysis

PSScriptAnalyzer (Warning+Error): no new warnings introduced. The pre-existing PSUseShouldProcessForStateChangingFunctions on Set-RiskRating is unchanged.

[Copilot]

Pull request overview

This PR reduces repeated Active Directory lookups during a Locksmith scan by introducing a script-scoped SID→objectClass cache and routing existing Get-ADObject calls through a new helper in Set-RiskRating.

Changes:

• Added Get-SidObjectClass helper that caches Get-ADObject SID lookups in a script-scoped hashtable.
• Replaced 7 repeated Get-ADObject ... | Select-Object objectClass call sites with Get-SidObjectClass to reuse cached results.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.