Beispiel #1
0
        public static void BasicValidationTestCases()
        {
            RawAcl rawAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BA";

            //case 1, empty RawAcl
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            Assert.True(0 == rawAcl.Count);


            //case 2, RawAcl with one Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            Assert.True(1 == rawAcl.Count);

            //case 3, RawAcl with two Aces
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            Assert.True(2 == rawAcl.Count);
        }
Beispiel #2
0
        public static void AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BA";
            SystemAcl systemAcl = null;
            bool isContainer = false;
            bool isDS = false;

            //case 1, SysemAcl with huge number of Aces
            revision = 0;
            capacity = 1;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
            rawAcl = new RawAcl(revision, capacity);
            for (int i = 0; i < 1820; i++)
            {
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
                rawAcl.InsertAce(0, gAce);
            }
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(1820 == systemAcl.Count);
        }
        public static void AceCount_AdditionalTests()
        {
            RawAcl rawAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BG";
            DiscretionaryAcl discretionaryAcl = null;
            bool isContainer = false;
            bool isDS = false;

            //case 1, DiscretionaryAcl with huge number of Aces
            revision = 0;
            capacity = 1;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
            rawAcl = new RawAcl(revision, capacity);
            for (int i = 0; i < 1820; i++)
            {
                gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
                rawAcl.InsertAce(0, gAce);
            }
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(1820 == discretionaryAcl.Count);

        }
        public static void BinaryLength_AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
            int expectedLength = 0;

            //case 1, DiscretionaryAcl with huge number of Aces
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            expectedLength = 8;

            for (int i = 0; i < 1820; i++)
            {
                gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
                rawAcl.InsertAce(0, gAce);
                expectedLength += gAce.BinaryLength;
            }
            discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
            Assert.True(expectedLength == discretionaryAcl.BinaryLength);

        }
        public static void BasicValidationTestCases()
        {
            RawAcl rawAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BA";

            //case 1, empty RawAcl, binarylength should be 8
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            Assert.True(8 == rawAcl.BinaryLength);

            //case 2, RawAcl with one Ace, binarylength should be 8 + the Ace's binarylength
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            Assert.True(8 + gAce.BinaryLength == rawAcl.BinaryLength);

            //case 3, RawAcl with two Aces
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            Assert.True(8 + rawAcl[0].BinaryLength + rawAcl[1].BinaryLength == rawAcl.BinaryLength);
        }
Beispiel #6
0
        public static void BasicValidationTestCases()
        {
            GenericAce gAce = null;
            RawAcl rAcl = null;
            GenericAce[] gAces = null;

            // Case 1, when collection is actually empty
            rAcl = new RawAcl(1, 1);
            gAces = new GenericAce[rAcl.Count];
            rAcl.CopyTo(gAces, 0);

            // Case 2, collection has one ACE
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            gAces = new GenericAce[rAcl.Count];
            rAcl.CopyTo(gAces, 0);

            //Case 3, index = 3
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BO")), false, null);
            rAcl.InsertAce(0, gAce);
            gAces = new GenericAce[rAcl.Count + 5];
            //initialize to null
            for (int i = 0; i < gAces.Length; i++)
                gAces[i] = null;
            rAcl.CopyTo(gAces, 3);
        }
Beispiel #7
0
        public void CommonAce_GetBinaryForm_Invalid()
        {
            CommonAce ace = (CommonAce)CommonAce_CreateTestData(0, 0, 1, "S-1-5-11", false, 4, 0)[0];

            AssertExtensions.Throws <ArgumentNullException>("binaryForm", () => ace.GetBinaryForm(null, 1));
            AssertExtensions.Throws <ArgumentOutOfRangeException>("offset", () => ace.GetBinaryForm(new byte[1], -1));
            AssertExtensions.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength + 1], 2));
            AssertExtensions.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength], 1));
        }
        public static RawAcl CreateRawAclFromString(string rawAclString)
        {
            RawAcl             rawAcl       = null;
            byte               revision     = 0;
            int                capacity     = 1;
            CommonAce          cAce         = null;
            AceFlags           aceFlags     = AceFlags.None;
            AceQualifier       aceQualifier = AceQualifier.AccessAllowed;
            int                accessMask   = 1;
            SecurityIdentifier sid          = null;
            bool               isCallback   = false;
            int                opaqueSize   = 0;

            byte[] opaque = null;


            string[] parts      = null;
            string[] subparts   = null;
            char[]   delimiter1 = new char[] { '#' };
            char[]   delimiter2 = new char[] { ':' };

            if (rawAclString != null)
            {
                rawAcl = new RawAcl(revision, capacity);

                parts = rawAclString.Split(delimiter1);
                for (int i = 0; i < parts.Length; i++)
                {
                    subparts = parts[i].Split(delimiter2);
                    if (subparts.Length != 6)
                    {
                        return(null);
                    }

                    aceFlags     = (AceFlags)byte.Parse(subparts[0]);
                    aceQualifier = (AceQualifier)int.Parse(subparts[1]);
                    accessMask   = int.Parse(subparts[2]);
                    sid          = new SecurityIdentifier(TranslateStringConstFormatSidToStandardFormatSid(subparts[3]));
                    isCallback   = bool.Parse(subparts[4]);
                    if (!isCallback)
                    {
                        opaque = null;
                    }
                    else
                    {
                        opaqueSize = int.Parse(subparts[5]);
                        opaque     = new byte[opaqueSize];
                    }
                    cAce = new CommonAce(aceFlags, aceQualifier, accessMask, sid, isCallback, opaque);
                    rawAcl.InsertAce(rawAcl.Count, cAce);
                }
            }
            return(rawAcl);
        }
Beispiel #9
0
        public static void AdditionalTestCases()
        {
            RawAcl     rawAcl     = null;
            GenericAce genericAce = null;
            string     owner      = null;
            int        index      = 0;


            // case 1, no ACE, insert at index -1

            Assert.Throws <ArgumentOutOfRangeException>(() =>
            {
                rawAcl     = new RawAcl(1, 1);
                index      = -1;
                owner      = "BA";
                genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(index, genericAce);
            });


            //case 2, no ACE, insert at  index Count + 1

            Assert.Throws <ArgumentOutOfRangeException>(() =>
            {
                rawAcl     = new RawAcl(1, 1);
                index      = rawAcl.Count + 1;
                genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(index, genericAce);
            });

            //case 3, one ACE, insert null ACE

            Assert.Throws <ArgumentNullException>(() =>
            {
                rawAcl     = new RawAcl(1, 1);
                index      = 0;
                owner      = "BA";
                genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(index, genericAce);
                genericAce = null;
                rawAcl.InsertAce(index, genericAce);
            });
            //case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's  length
            // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
            // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace

            Assert.Throws <OverflowException>(() =>
            {
                rawAcl          = new RawAcl(1, 1);
                byte[] opaque   = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
                GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
                rawAcl.InsertAce(0, gAce);
            });
        }
Beispiel #10
0
        public static void BasicValidationTestCases()
        {
            GenericAce gAce = null;
            RawAcl rAcl = null;

            // collection has one ACE. By code review, this properties always return false. So no addtional cases are needed
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            Assert.True(null != rAcl.SyncRoot) ;
        }
        public static void BasicValidationTestCases()
        {
            GenericAce gAce = null;
            RawAcl     rAcl = null;

            // collection has one ACE. By code review, this properties always return false. So no addtional cases are needed
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            Assert.True(false == rAcl.IsSynchronized);
        }
Beispiel #12
0
        private static object[] CommonAce_CreateTestData(int intFlags, int intQualifier, int accessMask, string stringsid, bool isCallback, int opaqueLength, int offset)
        {
            AceFlags flags = (AceFlags)intFlags;
            AceQualifier qualifier = (AceQualifier)intQualifier;
            SecurityIdentifier sid = new SecurityIdentifier(stringsid);
            byte[] opaque = new byte[opaqueLength];

            CommonAce ace = new CommonAce(flags, qualifier, accessMask, sid, isCallback, opaque);
            Assert.Equal(flags, ace.AceFlags);
            Assert.Equal(accessMask, ace.AccessMask);
            Assert.Equal(sid, ace.SecurityIdentifier);
            Assert.Equal(opaque, ace.GetOpaque());
            Assert.Equal(qualifier, ace.AceQualifier);
            Assert.Equal(isCallback, ace.IsCallback);

            byte[] binaryForm = new byte[ace.BinaryLength + offset];
            switch (qualifier)
            {
                case AceQualifier.AccessAllowed:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessAllowedCallback : (byte)AceType.AccessAllowed;
                    break;
                case AceQualifier.AccessDenied:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessDeniedCallback : (byte)AceType.AccessDenied;
                    break;
                case AceQualifier.SystemAudit:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAuditCallback : (byte)AceType.SystemAudit;
                    break;
                case AceQualifier.SystemAlarm:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAlarmCallback : (byte)AceType.SystemAlarm;
                    break;
                default:
                    return null;
            }
            binaryForm[offset + 1] = (byte)flags;
            binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0);
            binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8);

            int baseOffset = offset + 4;
            int offsetLocal = 0;

            binaryForm[baseOffset + 0] = (byte)(accessMask >> 0);
            binaryForm[baseOffset + 1] = (byte)(accessMask >> 8);
            binaryForm[baseOffset + 2] = (byte)(accessMask >> 16);
            binaryForm[baseOffset + 3] = (byte)(accessMask >> 24);
            offsetLocal += 4;

            sid.GetBinaryForm(binaryForm, baseOffset + offsetLocal);
            offsetLocal += sid.BinaryLength;
            opaque.CopyTo(binaryForm, baseOffset + offsetLocal);

            return new object[] { ace, binaryForm, offset };
        }
Beispiel #13
0
        public void AddAuditMergesFlags()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            SystemAcl          sacl = new SystemAcl(false, false, 0);

            sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
            sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None);
            Assert.AreEqual(1, sacl.Count);

            CommonAce ace = (CommonAce)sacl [0];

            Assert.AreEqual(AuditFlags.Success | AuditFlags.Failure, ace.AuditFlags);
        }
Beispiel #14
0
        public void AddAccessCommonAce()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            DiscretionaryAcl   dacl = new DiscretionaryAcl(false, false, 0);

            dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
            Assert.AreEqual(1, dacl.Count);

            CommonAce ace = (CommonAce)dacl[0];

            Assert.AreEqual(1, ace.AccessMask);
            Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
            Assert.IsFalse(ace.IsInherited);
        }
Beispiel #15
0
        public void GetBinaryForm()
        {
            SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            CommonAce          ace           = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);

            byte[] buffer = new byte[ace.BinaryLength];
            ace.GetBinaryForm(buffer, 0);
            byte[] aceBinary = new byte[] {
                0x00, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00,
                0x20, 0x02, 0x00, 0x00
            };
            Assert.AreEqual(aceBinary, buffer);
        }
        public static void AceCount_BasicValidation()
        {
            RawAcl rawAcl = null;
            GenericAce gAce = null;
            DiscretionaryAcl discretionaryAcl = null;
            bool isContainer = false;
            bool isDS = false;
            byte revision = 0;
            int capacity = 0;
            string sid = "BG";

            //case 1, empty DiscretionaryAcl
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(0 == discretionaryAcl.Count);

            //case 2, DiscretionaryAcl with one Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(1 == discretionaryAcl.Count);

            //case 3, DiscretionaryAcl with two Aces
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //223 has all AceFlags
            gAce = new CommonAce((AceFlags)223, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(2 == discretionaryAcl.Count);

        }
Beispiel #17
0
        public void AddAuditCommonAce()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            SystemAcl          sacl = new SystemAcl(false, false, 0);

            sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
            Assert.AreEqual(1, sacl.Count);

            CommonAce ace = (CommonAce)sacl [0];

            Assert.AreEqual(AuditFlags.Success, ace.AuditFlags);
            Assert.AreEqual(1, ace.AccessMask);
            Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
            Assert.IsFalse(ace.IsInherited);
        }
Beispiel #18
0
        public static void SetAclOnAlternateProperty(ADObject obj, GenericAce[] aces, PropertyDefinition sdProperty, SecurityIdentifier owner, SecurityIdentifier group)
        {
            DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, true, aces.Length);

            foreach (GenericAce genericAce in aces)
            {
                AccessControlType accessType;
                if (genericAce.AceType == AceType.AccessAllowed || genericAce.AceType == AceType.AccessAllowedObject)
                {
                    accessType = AccessControlType.Allow;
                }
                else
                {
                    if (genericAce.AceType != AceType.AccessDenied && genericAce.AceType != AceType.AccessDeniedObject)
                    {
                        throw new AceTypeHasUnsupportedValueException(genericAce.AceType.ToString());
                    }
                    accessType = AccessControlType.Deny;
                }
                if (genericAce is CommonAce)
                {
                    CommonAce commonAce = genericAce as CommonAce;
                    discretionaryAcl.AddAccess(accessType, commonAce.SecurityIdentifier, commonAce.AccessMask, commonAce.InheritanceFlags, commonAce.PropagationFlags);
                }
                else
                {
                    if (!(genericAce is ObjectAce))
                    {
                        throw new AceIsUnsupportedTypeException(genericAce.GetType().ToString());
                    }
                    ObjectAce objectAce = genericAce as ObjectAce;
                    discretionaryAcl.AddAccess(accessType, objectAce.SecurityIdentifier, objectAce.AccessMask, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.ObjectAceFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType);
                }
            }
            CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, owner, group, null, discretionaryAcl);

            byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
            commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
            RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(binaryForm, 0);

            obj.SetProperties(new PropertyDefinition[]
            {
                sdProperty
            }, new object[]
            {
                rawSecurityDescriptor
            });
        }
    static void Main(string[] args)
    {
        var value = Registry.GetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", "DefaultAccessPermission", null);
        RawSecurityDescriptor sd;
        RawAcl acl;

        if (value == null)
        {
            System.Console.WriteLine("Default Access Permission key has not been created yet");
            sd = new RawSecurityDescriptor("");
        }
        else
        {
            sd = new RawSecurityDescriptor(value as byte[], 0);
        }
        acl = sd.DiscretionaryAcl;
        bool found = false;

        foreach (CommonAce ca in acl)
        {
            if (ca.SecurityIdentifier.IsWellKnown(WellKnownSidType.NetworkServiceSid))
            {
                //ensure local access is set
                ca.AccessMask |= ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL;        //set local access.  Always set execute
                found          = true;
                break;
            }
        }
        if (!found)
        {
            //Network Service was not found.  Add it to the ACL
            SecurityIdentifier si = new SecurityIdentifier(
                WellKnownSidType.NetworkServiceSid, null);
            CommonAce ca = new CommonAce(
                AceFlags.None,
                AceQualifier.AccessAllowed,
                ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL,
                si,
                false,
                null);
            acl.InsertAce(acl.Count, ca);
        }
        //re-set the ACL
        sd.DiscretionaryAcl = acl;
        byte[] binaryform = new byte[sd.BinaryLength];
        sd.GetBinaryForm(binaryform, 0);
        Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", "DefaultAccessPermission", binaryform, RegistryValueKind.Binary);
    }
        public static void AceCount_BasicValidation()
        {
            RawAcl           rawAcl           = null;
            GenericAce       gAce             = null;
            DiscretionaryAcl discretionaryAcl = null;
            bool             isContainer      = false;
            bool             isDS             = false;
            byte             revision         = 0;
            int    capacity = 0;
            string sid      = "BG";

            //case 1, empty DiscretionaryAcl
            revision         = 0;
            capacity         = 1;
            rawAcl           = new RawAcl(revision, capacity);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(0 == discretionaryAcl.Count);

            //case 2, DiscretionaryAcl with one Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                                     new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(1 == discretionaryAcl.Count);

            //case 3, DiscretionaryAcl with two Aces
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //223 has all AceFlags
            gAce = new CommonAce((AceFlags)223, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(2 == discretionaryAcl.Count);
        }
Beispiel #21
0
        public void AddAuditCommonAceUsingDSOverload()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            SystemAcl          sacl = new SystemAcl(false, true, 0);

            sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None,
                          ObjectAceFlags.None, Guid.NewGuid(), Guid.NewGuid());
            Assert.AreEqual(1, sacl.Count);

            CommonAce ace = (CommonAce)sacl [0];

            Assert.AreEqual(AuditFlags.Failure, ace.AuditFlags);
            Assert.AreEqual(1, ace.AccessMask);
            Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
            Assert.IsFalse(ace.IsInherited);
        }
        private void BuildSecurityDescriptor()
        {
            Fx.Assert((null == securityDescriptor), "SecurityDescriptor must be NULL");

            NTAccount          name;
            SecurityIdentifier sid;
            CommonAce          ace;
            RawAcl             acl = new RawAcl(GenericAcl.AclRevision, 1);
            int index = 0;

            if (operationRoleMembers != null)
            {
                foreach (string userName in operationRoleMembers)
                {
                    name = new NTAccount(userName);
                    sid  = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
                    ace  = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
                    acl.InsertAce(index, ace);
                    index++;
                }
            }
            if (contractRoleMembers != null)
            {
                foreach (string userName in contractRoleMembers)
                {
                    name = new NTAccount(userName);
                    sid  = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
                    ace  = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
                    acl.InsertAce(index, ace);
                    index++;
                }
            }
            if (serviceRoleMembers != null)
            {
                foreach (string userName in serviceRoleMembers)
                {
                    name = new NTAccount(userName);
                    sid  = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
                    ace  = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
                    acl.InsertAce(index, ace);
                    index++;
                }
            }
            DiscretionaryAcl dacl = new DiscretionaryAcl(true, false, acl);

            securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, dacl);
        }
Beispiel #23
0
        public void InheritanceFlagsMergeForAccessMasksThatMatch()
        {
            SecurityIdentifier sid = new SecurityIdentifier("BU");

            RawAcl acl = MakeRawAcl(new GenericAce[] {
                new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 1, sid, false, null),
                new CommonAce(AceFlags.ObjectInherit, AceQualifier.AccessAllowed, 1, sid, false, null)
            });

            DiscretionaryAcl dacl = new DiscretionaryAcl(true, false, acl);

            Assert.AreEqual(1, dacl.Count);

            CommonAce ace = (CommonAce)dacl [0];

            Assert.AreEqual(InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, ace.InheritanceFlags);
        }
Beispiel #24
0
        public static void BasicValidationTestCases()
        {
            GenericAce gAce = null;
            RawAcl rAcl = null;
            AceEnumerator aceEnumerator = null;

            // Case 1, when collection is actually empty
            rAcl = new RawAcl(1, 1);
            aceEnumerator = rAcl.GetEnumerator();

            //Case 2, collection has one ACE
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            aceEnumerator = rAcl.GetEnumerator();
            Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
        }
Beispiel #25
0
        public static void BasicValidationTestCases()
        {
            GenericAce    gAce          = null;
            RawAcl        rAcl          = null;
            AceEnumerator aceEnumerator = null;

            // Case 1, when collection is actually empty
            rAcl          = new RawAcl(1, 1);
            aceEnumerator = rAcl.GetEnumerator();

            //Case 2, collection has one ACE
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            aceEnumerator = rAcl.GetEnumerator();
            Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
        }
Beispiel #26
0
        public static void AdditionalTestCases()
        {
            GenericAce gAce = null;
            RawAcl rAcl = null;
            AceEnumerator aceEnumerator = null;

            //Case 1, RawAcl with huge number of Aces
            rAcl = new RawAcl(0, GenericAcl.MaxBinaryLength + 1);
            for (int i = 0; i < 1820; i++)
            {
                //this ace binary length is 36, 1820 * 36 = 65520                        
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
            }
            aceEnumerator = rAcl.GetEnumerator();
            Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
        }
Beispiel #27
0
        public static void AdditionalTestCases()
        {
            GenericAce    gAce          = null;
            RawAcl        rAcl          = null;
            AceEnumerator aceEnumerator = null;

            //Case 1, RawAcl with huge number of Aces
            rAcl = new RawAcl(0, GenericAcl.MaxBinaryLength + 1);
            for (int i = 0; i < 1820; i++)
            {
                //this ace binary length is 36, 1820 * 36 = 65520
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
            }
            aceEnumerator = rAcl.GetEnumerator();
            Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
        }
Beispiel #28
0
        private void BuildSecurityDescriptor()
        {
            NTAccount          account;
            SecurityIdentifier identifier;
            CommonAce          ace;
            RawAcl             rawAcl = new RawAcl(GenericAcl.AclRevision, 1);
            int index = 0;

            if (this.operationRoleMembers != null)
            {
                foreach (string str in this.operationRoleMembers)
                {
                    account    = new NTAccount(str);
                    identifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
                    ace        = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
                    rawAcl.InsertAce(index, ace);
                    index++;
                }
            }
            if (this.contractRoleMembers != null)
            {
                foreach (string str2 in this.contractRoleMembers)
                {
                    account    = new NTAccount(str2);
                    identifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
                    ace        = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
                    rawAcl.InsertAce(index, ace);
                    index++;
                }
            }
            if (this.serviceRoleMembers != null)
            {
                foreach (string str3 in this.serviceRoleMembers)
                {
                    account    = new NTAccount(str3);
                    identifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
                    ace        = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
                    rawAcl.InsertAce(index, ace);
                    index++;
                }
            }
            DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);

            this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl);
        }
Beispiel #29
0
        public void InheritanceFlagsAreClearedBeforeMergeCheckingWhenNotContainer()
        {
            SecurityIdentifier sid = new SecurityIdentifier("BU");

            RawAcl acl = MakeRawAcl(new GenericAce[] {
                new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 1, sid, false, null),
                new CommonAce(AceFlags.ObjectInherit, AceQualifier.AccessAllowed, 2, sid, false, null)
            });

            DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, acl);

            Assert.AreEqual(1, dacl.Count);

            CommonAce ace = (CommonAce)dacl [0];

            Assert.AreEqual(3, ace.AccessMask);
            Assert.AreEqual(InheritanceFlags.None, ace.InheritanceFlags);
        }
Beispiel #30
0
        public static void BasicValidationTestCases()
        {
            RawAcl     rawAcl      = null;
            GenericAce gAce        = null;
            SystemAcl  systemAcl   = null;
            bool       isContainer = false;
            bool       isDS        = false;
            byte       revision    = 0;
            int        capacity    = 0;
            string     sid         = "BA";

            //case 1, empty SystemAcl
            revision    = 0;
            capacity    = 1;
            rawAcl      = new RawAcl(revision, capacity);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(0 == systemAcl.Count);

            //case 2, SystemAcl with one Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(1 == systemAcl.Count);

            //case 3, SystemAcl with two Aces
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(2 == systemAcl.Count);
        }
Beispiel #31
0
    // Token: 0x06000144 RID: 324 RVA: 0x00008548 File Offset: 0x00006748
    public static bool smethod_1()
    {
        bool result;

        try
        {
            RawSecurityDescriptor rawSecurityDescriptor = Class26.smethod_3();
            SecurityIdentifier    sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
            CommonAce             ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2035707, sid, false, null);
            rawSecurityDescriptor.DiscretionaryAcl.InsertAce(0, ace);
            result = Class26.smethod_4(rawSecurityDescriptor);
        }
        catch (Exception exception_)
        {
            Class8.smethod_86(exception_, "RestoreAccessControlEntries");
            result = false;
        }
        return(result);
    }
Beispiel #32
0
        private static RawSecurityDescriptor UpdateMailboxSecurityDescriptor(SecurityIdentifier userSid, ADUser userToConnect, MapiAdministrationSession mapiAdministrationSession, MailboxDatabase database, Guid deletedMailboxGuid, string parameterSetName, Task.TaskVerboseLoggingDelegate verboseLogger)
        {
            RawSecurityDescriptor rawSecurityDescriptor = null;

            try
            {
                rawSecurityDescriptor = mapiAdministrationSession.GetMailboxSecurityDescriptor(new MailboxId(MapiTaskHelper.ConvertDatabaseADObjectToDatabaseId(database), deletedMailboxGuid));
            }
            catch (Microsoft.Exchange.Data.Mapi.Common.MailboxNotFoundException)
            {
                rawSecurityDescriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclDefaulted | ControlFlags.SystemAclDefaulted | ControlFlags.SelfRelative, WindowsIdentity.GetCurrent().User, WindowsIdentity.GetCurrent().User, null, null);
                DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, true, 0);
                byte[]           binaryForm       = new byte[discretionaryAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(binaryForm, 0);
                rawSecurityDescriptor.DiscretionaryAcl = new RawAcl(binaryForm, 0);
            }
            bool flag = false;

            foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl)
            {
                KnownAce knownAce = (KnownAce)genericAce;
                if (knownAce.SecurityIdentifier.IsWellKnown(WellKnownSidType.SelfSid))
                {
                    flag = true;
                    break;
                }
            }
            if (!flag)
            {
                CommonAce ace = new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed, 131073, new SecurityIdentifier(WellKnownSidType.SelfSid, null), false, null);
                rawSecurityDescriptor.DiscretionaryAcl.InsertAce(0, ace);
            }
            rawSecurityDescriptor.SetFlags(rawSecurityDescriptor.ControlFlags | ControlFlags.SelfRelative);
            if ("Linked" == parameterSetName || "Shared" == parameterSetName || "Room" == parameterSetName || "Equipment" == parameterSetName)
            {
                RawSecurityDescriptor sd = userToConnect.ReadSecurityDescriptor();
                MailboxTaskHelper.GrantPermissionToLinkedUserAccount(userToConnect.MasterAccountSid, ref rawSecurityDescriptor, ref sd);
                verboseLogger(Strings.VerboseSaveADSecurityDescriptor(userToConnect.Id.ToString()));
                userToConnect.SaveSecurityDescriptor(sd);
            }
            mapiAdministrationSession.Administration.PurgeCachedMailboxObject(deletedMailboxGuid);
            return(rawSecurityDescriptor);
        }
Beispiel #33
0
        public static void AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA"));

            //case 1, RawAcl with huge number of Aces
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            for (int i = 0; i < 1820; i++)
            {
                //this ace binary length is 36, 1820 * 36 = 65520                        
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, sid, false, null);
                rawAcl.InsertAce(0, gAce);
            }
            Assert.True(1820 == rawAcl.Count);
        }
        public static void AdditionalTestCases()
        {
            RawAcl             rawAcl   = null;
            GenericAce         gAce     = null;
            byte               revision = 0;
            int                capacity = 0;
            SecurityIdentifier sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA"));

            //case 1, RawAcl with huge number of Aces
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            for (int i = 0; i < 1820; i++)
            {
                //this ace binary length is 36, 1820 * 36 = 65520
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, sid, false, null);
                rawAcl.InsertAce(0, gAce);
            }
            Assert.True(1820 == rawAcl.Count);
        }
        public static void BasicValidationTestCases()
        {
            RawAcl     rawAcl         = null;
            SystemAcl  systemAcl      = null;
            GenericAce gAce           = null;
            byte       revision       = 0;
            int        capacity       = 0;
            string     sid            = "BG";
            int        expectedLength = 0;

            //case 1, empty systemAcl, binarylength should be 8
            capacity       = 1;
            systemAcl      = new SystemAcl(false, false, capacity);
            expectedLength = 8;
            Assert.True(expectedLength == systemAcl.BinaryLength);

            //case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength
            expectedLength  = 8;
            revision        = 0;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            gAce            = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            expectedLength += gAce.BinaryLength;
            rawAcl.InsertAce(0, gAce);
            systemAcl = new SystemAcl(true, false, rawAcl);
            Assert.True(expectedLength == systemAcl.BinaryLength);

            //case 3, SystemAcl with two Aces
            expectedLength  = 8;
            revision        = 0;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            gAce            = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            expectedLength += gAce.BinaryLength;
            rawAcl.InsertAce(0, gAce);
            gAce            = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            expectedLength += gAce.BinaryLength;
            rawAcl.InsertAce(0, gAce);
            systemAcl = new SystemAcl(false, false, rawAcl);
            Assert.True(expectedLength == systemAcl.BinaryLength);
        }
        public void GetSddlForm()
        {
            RawSecurityDescriptor sd = new RawSecurityDescriptor("");

            Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.All));

            // Ask for part of SD that isn't represented
            sd.Owner = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            sd.Group = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.Access));

            // Empty ACL form
            sd.DiscretionaryAcl = new RawAcl(2, 0);
            sd.SystemAcl        = new RawAcl(1, 0);
            sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);
            Assert.AreEqual("O:BUG:BAD:S:", sd.GetSddlForm(AccessControlSections.All));

            // Add an ACE to the DACL
            SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            CommonAce          ace           = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);

            sd.DiscretionaryAcl.InsertAce(0, ace);
            Assert.AreEqual("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", sd.GetSddlForm(AccessControlSections.All));

            // Add second ACE to the DACL
            SecurityIdentifier randomUser = new SecurityIdentifier("S-1-5-21-324-23423-234-334");

            ace = new CommonAce(AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null);
            sd.DiscretionaryAcl.InsertAce(0, ace);
            Assert.AreEqual("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", sd.GetSddlForm(AccessControlSections.Owner | AccessControlSections.Access));

            // DACL & SACL flags
            sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited);
            sd.DiscretionaryAcl = new RawAcl(1, 0);
            ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
            sd.DiscretionaryAcl.InsertAce(0, ace);
            Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All));

            sd.SetFlags(sd.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted);
            Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All));
        }
Beispiel #37
0
        internal static void Start()
        {
            // Read the DACL
            IntPtr             ProcessHandle = GetCurrentProcess();
            var                dacl          = GetProcessSecurityDescriptor(ProcessHandle);
            SecurityIdentifier securityIdentifier;
            CommonAce          commonAce;

            // Insert the new ACE
            securityIdentifier = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
            commonAce          = new CommonAce(AceFlags.Inherited, AceQualifier.AccessDenied, 0x1F0FFF, securityIdentifier, false, null);
            for (int index = 0; index < dacl.DiscretionaryAcl.Count; index++)
            {
                dacl.DiscretionaryAcl.RemoveAce(index);
            }
            dacl.DiscretionaryAcl.InsertAce(0, commonAce);
            //SystemAcl gfg = new SystemAcl(false, false, 3);
            //dacl.SystemAcl.InsertAce(1, commonAce);

            SetProcessSecurityDescriptor(ProcessHandle, dacl);
        }
        public static void BasicValidationTestCases()
        {
            RawAcl rawAcl = null;
            SystemAcl systemAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BG";
            int expectedLength = 0;
            //case 1, empty systemAcl, binarylength should be 8
            capacity = 1;
            systemAcl = new SystemAcl(false, false, capacity);
            expectedLength = 8;
            Assert.True(expectedLength == systemAcl.BinaryLength);

            //case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength
            expectedLength = 8;
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            expectedLength += gAce.BinaryLength;
            rawAcl.InsertAce(0, gAce);
            systemAcl = new SystemAcl(true, false, rawAcl);
            Assert.True(expectedLength == systemAcl.BinaryLength);

            //case 3, SystemAcl with two Aces
            expectedLength = 8;
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            expectedLength += gAce.BinaryLength;
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            expectedLength += gAce.BinaryLength;
            rawAcl.InsertAce(0, gAce);
            systemAcl = new SystemAcl(false, false, rawAcl);
            Assert.True(expectedLength == systemAcl.BinaryLength);
        }
 // Token: 0x06000E4E RID: 3662 RVA: 0x00056098 File Offset: 0x00054298
 private static bool HasExternalUser(ExternalUserCollection externalUserCollection, RawSecurityDescriptor securityDescriptor)
 {
     if (securityDescriptor.DiscretionaryAcl != null)
     {
         foreach (GenericAce genericAce in securityDescriptor.DiscretionaryAcl)
         {
             if (genericAce.AceType == AceType.AccessAllowed || genericAce.AceType == AceType.AccessDenied)
             {
                 CommonAce commonAce = genericAce as CommonAce;
                 if (commonAce != null)
                 {
                     ExternalUser externalUser = externalUserCollection.FindExternalUser(commonAce.SecurityIdentifier);
                     if (externalUser != null)
                     {
                         return(true);
                     }
                 }
             }
         }
     }
     return(false);
 }
        public static void BinaryLength_BasicValidation()
        {
            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BG";

            //case 1, empty discretionaryAcl, binarylength should be 8
            capacity = 1;
            discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
            Assert.True(8 == discretionaryAcl.BinaryLength);

            //case 2, discretionaryAcl with one Ace, binarylength should be 8 + the Ace's binarylength
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
            Assert.True(8 + gAce.BinaryLength == discretionaryAcl.BinaryLength);

            //case 3, DiscretionaryAcl with two Aces
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
            Assert.True(8 + discretionaryAcl[0].BinaryLength + discretionaryAcl[1].BinaryLength == discretionaryAcl.BinaryLength);


        }
Beispiel #41
0
        public static void BasicValidationTestCases()
        {
            ICollection myCollection = null;
            GenericAce  gAce         = null;
            RawAcl      rAcl         = null;

            GenericAce[] gAces = null;

            //Case 1, when collection is actually empty
            rAcl         = new RawAcl(1, 1);
            gAces        = new GenericAce[rAcl.Count];
            myCollection = (ICollection)rAcl;
            myCollection.CopyTo(gAces, 0);

            //Case 2, collection has one ACE
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            gAces        = new GenericAce[rAcl.Count];
            myCollection = (ICollection)rAcl;
            myCollection.CopyTo(gAces, 0);

            //Case 3, index = 3
            rAcl = new RawAcl(0, 1);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BO")), false, null);
            rAcl.InsertAce(0, gAce);
            gAces = new GenericAce[rAcl.Count + 5];
            //initialize to null
            for (int i = 0; i < gAces.Length; i++)
            {
                gAces[i] = null;
            }
            myCollection = (ICollection)rAcl;
            myCollection.CopyTo(gAces, 3);
        }
Beispiel #42
0
        public void IndexerMakesCopies()
        {
            // This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload.
            // Turns out it applies to more than just the constructor.
            SecurityIdentifier worldSid = new SecurityIdentifier("WD");

            // RawAcl does not make copies.
            RawAcl    acl = new RawAcl(RawAcl.AclRevision, 1);
            CommonAce ace = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null);

            acl.InsertAce(0, ace);
            Assert.AreSame(acl [0], acl [0]);

            // CommonAcl does.
            SystemAcl sacl = new SystemAcl(false, false, acl);

            Assert.AreNotSame(sacl [0], sacl [0]);

            // Make sure the copying occurs in the constructor as well as the indexer.
            ace.AceFlags = AceFlags.FailedAccess;
            Assert.AreEqual(AceFlags.SuccessfulAccess, sacl [0].AceFlags);
        }
Beispiel #43
0
        public static bool SDHasAC(string sddl)
        {
            if (String.IsNullOrWhiteSpace(sddl))
            {
                return(false);
            }

            RawSecurityDescriptor sd = new RawSecurityDescriptor(sddl);

            foreach (var ace in sd.DiscretionaryAcl)
            {
                CommonAce common_ace = ace as CommonAce;
                if (common_ace != null)
                {
                    if (common_ace.AceType == AceType.AccessAllowed &&
                        common_ace.SecurityIdentifier.Value.StartsWith("S-1-15-"))
                    {
                        return(true);
                    }
                }
            }
            return(false);
        }
        public static void BinaryLength_BasicValidation()
        {
            RawAcl           rawAcl           = null;
            DiscretionaryAcl discretionaryAcl = null;
            GenericAce       gAce             = null;
            byte             revision         = 0;
            int    capacity = 0;
            string sid      = "BG";

            //case 1, empty discretionaryAcl, binarylength should be 8
            capacity         = 1;
            discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
            Assert.True(8 == discretionaryAcl.BinaryLength);

            //case 2, discretionaryAcl with one Ace, binarylength should be 8 + the Ace's binarylength
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                                     new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
            Assert.True(8 + gAce.BinaryLength == discretionaryAcl.BinaryLength);

            //case 3, DiscretionaryAcl with two Aces
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1,
                                     new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
            Assert.True(8 + discretionaryAcl[0].BinaryLength + discretionaryAcl[1].BinaryLength == discretionaryAcl.BinaryLength);
        }
        public static void BasicValidationTestCases()
        {
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            SystemAcl systemAcl = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;
            //case 1, no Ace


            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));


            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 3, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));


            //case 4, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited                    
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all AceFlags except InheritOnly                    
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 5, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly                    
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 6, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 7,  1 inherited CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 8, 1 inherited ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.SystemAudit;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

        }
        public static void BasicValidationTestCases()
        {

            RawAcl rawAcl = null;
            byte[] binaryForm = null;
            int offset = 0;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));


            //case 3, a valid binary representation with revision 127, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 4, a valid binary representation with revision 1, 1 CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));


            //case 5, a valid binary representation with revision 1, 1 ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 6, a valid binary representation with revision 1, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));

            //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
            revision = 127;
            capacity = 5;
            rawAcl = new RawAcl(revision, capacity);
            //SystemAudit CommonAce
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Allowed CommonAce
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            //CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            //CompoundAce
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            //ObjectAce
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));

        }
        public static void Constructor3_AdditionalTestCases()
        {
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;

            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //drop the Ace from rawAcl
            rawAcl.RemoveAce(0);

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //15 has all inheritance AceFlags but Inherited
            gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl.RemoveAce(0);

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //8 has inheritOnly
            gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl.RemoveAce(0);

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 4, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = AceFlags.None;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));

            //case 5, 1 CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            // 2 has ContainerInherit
            aceFlag = (AceFlags)2;
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));


            //case 6, 1 ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));


            //case 7, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));


            //case 8, all Aces from case 1, and 3 to 6 
            revision = 127;
            capacity = 5;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl = new RawAcl(revision, capacity);
            //0 access Mask
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            //an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed

            gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
            new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // ObjectAce
            aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = AceFlags.None;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // CompoundAce					
            aceFlag = (AceFlags)2;
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
            rawAcl.InsertAce(rawAcl.Count, gAce);

            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl.RemoveAce(0);
            rawAcl.RemoveAce(0);

            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));



            discretionaryAcl = null;
            isContainer = false;
            isDS = false;
            rawAcl = null;
            //case 1, rawAcl = null
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));



            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));


        }
        public static void AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            byte[] binaryForm = null;
            int offset = 0;


            //case 1, binaryForm is null
            Assert.Throws<ArgumentNullException>(() =>
            {
                binaryForm = null;
                offset = 0;
                rawAcl = new RawAcl(binaryForm, offset);
            });

            //case 2, binaryForm is empty
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                binaryForm = new byte[0];
                offset = 0;
                rawAcl = new RawAcl(binaryForm, offset);
            });

            //case 3, negative offset                 
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                binaryForm = new byte[100];
                offset = -1;
                rawAcl = new RawAcl(binaryForm, offset);
            });

            //case 4, binaryForm length less than GenericAcl.HeaderLength
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                binaryForm = new byte[4];
                offset = 0;
                rawAcl = new RawAcl(binaryForm, offset);
            });

            //case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's  length
            // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
            // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            string sid = "BG";
            //CustomAce constructor parameters
            AceType aceType = 0;
            AceFlags aceFlag = 0;
            byte[] opaque = null;
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's  length
            // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
            // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace

            gAce = null;
            sid = "BA";
            //CustomAce constructor parameters
            aceType = 0;
            aceFlag = 0;
            binaryForm = new byte[65536];

            Assert.Throws<ArgumentException>(() =>
            {
                revision = 127;
                capacity = 1;
                rawAcl = new RawAcl(revision, capacity);
                rawAcl.GetBinaryForm(binaryForm, 0);
                //change the length bytes to 65535
                binaryForm[2] = 0xf;
                binaryForm[3] = 0xf;
                //change the aceCount to 1
                binaryForm[4] = 1;
                aceType = AceType.MaxDefinedAceType + 1;
                aceFlag = (AceFlags)223; //all flags ored together
                opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
                gAce = new CustomAce(aceType, aceFlag, opaque);
                gAce.GetBinaryForm(binaryForm, 8);
                TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length);
            });


            //case 7, a valid binary representation with revision 255, 256 Access
            //CommonAce to test the correctness of  the process of the AceCount in the header
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            for (int i = 0; i < 256; i++)
            {
                gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
                rawAcl.InsertAce(0, gAce);
            }
            binaryForm = new byte[rawAcl.BinaryLength + 1000];
            rawAcl.GetBinaryForm(binaryForm, 1000);
            Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength));

            //case 8, array containing garbage
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
                TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
            });

            //case 9, array containing garbage
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                //binary form shows the length will be 1, actual length is 12
                binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
                TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
            });

            //case 10, array containing garbage
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 };
                TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
            });
        }
Beispiel #49
0
        public static void AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            SystemAcl systemAcl = null;
            bool isContainer = false;
            bool isDS = false;

            int auditFlags = 0;
            string sid = null;
            int accessMask = 1;
            int inheritanceFlags = 0;
            int propagationFlags = 0;
            GenericAce gAce = null;
            bool removePossible = false;
            byte[] opaque = null;

            //Case 1, null sid
            Assert.Throws<ArgumentNullException>(() =>
            {
                isContainer = false;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
                systemAcl.RemoveAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
            });

            //Case 2, SystemAudit Ace but non AuditFlags
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = false;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
                systemAcl.RemoveAudit(AuditFlags.None,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.None);

            });

            //Case 3, 0 accessMask
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = false;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
                systemAcl.RemoveAudit(AuditFlags.Success,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 0, InheritanceFlags.None, PropagationFlags.None);

            });

            //Case 4, remove one audit ACE from the SystemAcl with no ACE
            isContainer = true;
            isDS = false;
            auditFlags = 1;
            sid = "BA";
            accessMask = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            removePossible = true;
            rawAcl = new RawAcl(0, 1);
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));

            //Case 5, remove the last one ACE from the SystemAcl
            isContainer = true;
            isDS = false;
            auditFlags = 1;
            sid = "BA";
            accessMask = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            removePossible = true;
            rawAcl = new RawAcl(0, 1);
            //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
            gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //remove the ace to create the validation rawAcl
            rawAcl.RemoveAce(rawAcl.Count - 1);
            Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));

            //Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove
            Assert.Throws<InvalidOperationException>(() =>
            {
                isContainer = true;
                isDS = false;
                inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
                propagationFlags = 2; //PropagationFlags.InheritOnly

                auditFlags = 3;
                sid = "BA";
                accessMask = 1;
                rawAcl = new RawAcl(0, 1);
                opaque = new byte[4];
                gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
                rawAcl.InsertAce(0, gAce);
                systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
                //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
                //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
                TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, true);
            });
            //Case 7, remove split cause overflow
            // Test case no longer relevant in CoreCLR
            // Non-canonical ACLs cannot be modified
        }
Beispiel #50
0
        public static void BasicValidationTestCases()
        {
            RawAcl rawAcl = null;
            RawAcl rawAclVerifier = null;
            GenericAce ace = null;
            GenericAce aceVerifier = null;
            int count = 0;
            int index = 0;
            byte revision = 0;
            int capacity = 1;
            int flags = 1;
            int qualifier = 0;
            int accessMask = 1;
            string sid = "BA";
            bool isCallback = false;
            int opaqueSize = 8;
            //test insert at 0
            rawAcl = new RawAcl(revision, capacity);
            rawAclVerifier = new RawAcl(revision, capacity);
            ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
            index = 0;
            //save current count
            count = rawAcl.Count;
            rawAcl.InsertAce(index, ace);
            //verify the count number increase one
            Assert.True(rawAcl.Count == count + 1);
            //verify the inserted ace is equal to the originial ace
            aceVerifier = rawAcl[index];
            Assert.True(ace == aceVerifier);

            //verify right side aces are equal
            Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));

            //insert the same ACE to rawAclVerifier for next test
            rawAclVerifier.InsertAce(index, ace);

            //test insert at Count
            sid = "BA";
            ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
            count = rawAcl.Count;
            index = count;
            rawAcl.InsertAce(index, ace);
            //verify the count number increase one
            Assert.True(rawAcl.Count == count + 1);
            //verify the inserted ace is equal to the originial ace
            aceVerifier = rawAcl[index];
            Assert.True(ace == aceVerifier);

            //verify right side aces are equal
            Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));

            //insert the same ACE to rawAclVerifier for next test
            rawAclVerifier.InsertAce(index, ace);

            //test insert at Count - 1
            sid = "BG";
            ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
            count = rawAcl.Count;
            index = count - 1;
            rawAcl.InsertAce(index, ace);

            //verify the count number increase one
            Assert.True(rawAcl.Count == count + 1);
            //verify the inserted ace is equal to the originial ace
            aceVerifier = rawAcl[index];
            Assert.True(ace == aceVerifier);

            //verify right side aces are equal
            Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));

            //insert the same ACE to rawAclVerifier for next test
            rawAclVerifier.InsertAce(index, ace);

            //test insert at Count /2
            sid = "BO";
            ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
            rawAcl.InsertAce(0, ace);
            rawAclVerifier.InsertAce(0, ace);
            count = rawAcl.Count;
            index = count / 2;
            sid = "SO";
            ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
            rawAcl.InsertAce(index, ace);
            //verify the count number increase one
            Assert.True(rawAcl.Count == count + 1);
            //verify the inserted ace is equal to the originial ace
            aceVerifier = rawAcl[index];
            Assert.True(ace == aceVerifier);

            //verify right side aces are equal
            Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));
        }
Beispiel #51
0
        public static void AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            GenericAce genericAce = null;
            string owner = null;
            int index = 0;


            // case 1, no ACE, insert at index -1

            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                index = -1;
                owner = "BA";
                genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(index, genericAce);
            });


            //case 2, no ACE, insert at  index Count + 1

            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                index = rawAcl.Count + 1;
                genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(index, genericAce);
            });

            //case 3, one ACE, insert null ACE

            Assert.Throws<ArgumentNullException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                index = 0;
                owner = "BA";
                genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(index, genericAce);
                genericAce = null;
                rawAcl.InsertAce(index, genericAce);
            });
            //case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's  length
            // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
            // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace

            Assert.Throws<OverflowException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
                GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
                rawAcl.InsertAce(0, gAce);
            });
        }
        public static void RemoveAccessSpecific_AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            bool isContainer = false;
            bool isDS = false;

            int accessControlType = 0;
            string sid = null;
            int accessMask = 1;
            int inheritanceFlags = 0;
            int propagationFlags = 0;
            GenericAce gAce = null;
            byte[] opaque = null;
            //Case 1, remove one ACE from the DiscretionaryAcl with no ACE
            isContainer = true;
            isDS = false;
            accessControlType = 1;
            sid = "BA";
            accessMask = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            rawAcl = new RawAcl(0, 1);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
            ;


            //Case 2, remove the last one ACE from the DiscretionaryAcl
            isContainer = true;
            isDS = false;
            accessControlType = 0;
            sid = "BA";
            accessMask = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            rawAcl = new RawAcl(0, 1);
            //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
            gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //remove the ace to create the validation rawAcl
            rawAcl.RemoveAce(rawAcl.Count - 1);
            Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
               ;


            //Case 3, accessMask = 0
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = true;
                isDS = false;
                accessControlType = 1;
                sid = "BA";
                accessMask = 0;
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);



            });

            //Case 4, null sid
            Assert.Throws<ArgumentNullException>(() =>
            {
                isContainer = true;
                isDS = false;
                accessControlType = 1;
                accessMask = 1;
                sid = "BA";
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);



            });

            //Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove

            isContainer = true;
            isDS = false;

            inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
            propagationFlags = 2; //PropagationFlags.InheritOnly

            accessControlType = 0;
            sid = "BA";
            accessMask = 1;

            rawAcl = new RawAcl(0, 1);
            opaque = new byte[4];
            gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>
            {
                TestRemoveAccessSpecific
                        (discretionaryAcl, rawAcl,
                        (AccessControlType)accessControlType,
                        new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                        accessMask,
                        (InheritanceFlags)inheritanceFlags,
                        (PropagationFlags)propagationFlags);

            });

            //Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, 
            // should throw appropriate exception for wrong parameter, bug#287188

            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                isContainer = true;
                isDS = false;

                inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
                propagationFlags = 2; //PropagationFlags.InheritOnly

                accessControlType = 100;
                sid = "BA";
                accessMask = 1;

                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                    accessMask,
                    (InheritanceFlags)inheritanceFlags,
                    (PropagationFlags)propagationFlags);


            });
        }
        public static void RemoveInheritedAces_BasicValidationTestCases()
        {
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;

            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 3,  non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision = 127;
            capacity = 5;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = AceFlags.InheritanceFlags;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
            new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(2, gAce);
            //CompoundAce
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(3, gAce);
            //ObjectAce
            aceQualifier = AceQualifier.AccessAllowed;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(2, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>
            {

                TestRemoveInheritedAces(discretionaryAcl);
            });

            //case 4,  all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision = 127;
            capacity = 5;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            //CompoundAce
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(0, gAce);
            //ObjectAce
            aceQualifier = AceQualifier.AccessAllowed;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 5, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 6, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited					
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215  has all AceFlags except InheritOnly					
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 7, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215  has all AceFlags except InheritOnly					
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 8, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            //215 has all AceFlags except InheritOnly
            aceFlag = (AceFlags)215;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 9,  1 inherited CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 10, 1 inherited ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

        }
        public static void Index_BasicValidation()
        {
            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce = null;
            GenericAce verifierGAce = null;
            string owner1 = "BO";
            string owner2 = "BA";
            string owner3 = "BG";
            int index = 0;

            // case 1, only one ACE, get at index 0
            rawAcl = new RawAcl(1, 1);
            index = 0;
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
            verifierGAce = discretionaryAcl[index];

            Assert.True(TestIndex(gAce, verifierGAce));
            {
            }

            //case 2, two ACEs, index at Count -1
            rawAcl = new RawAcl(1, 2);
            //215 has all AceFlags but InheriteOnly
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
            rawAcl.InsertAce(0, gAce);
            //199 has all AceFlags but InheritedOnly, Inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
            rawAcl.InsertAce(1, gAce);
            discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
            gAce = rawAcl[1];
            //the discretionaryAcl is non-container, all AceFlags except Inherited will be stripped
            gAce.AceFlags = (AceFlags)FlagsForAce.None;
            index = discretionaryAcl.Count - 1;

            verifierGAce = discretionaryAcl[index];

            Assert.True(TestIndex(gAce, verifierGAce));
            {
            }

            //case 3, only three ACEs, index at Count/2
            rawAcl = new RawAcl(1, 3);

            //215 has all AceFlags except InheritOnly					
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
            rawAcl.InsertAce(0, gAce);

            //199 has all AceFlags except InheritOnly and Inherited				
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
            rawAcl.InsertAce(1, gAce);
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null);
            rawAcl.InsertAce(2, gAce);
            discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
            gAce = rawAcl[1];
            //the systemAcl is non-container, all AceFlags will be stripped
            gAce.AceFlags = AceFlags.None;
            index = discretionaryAcl.Count / 2;
            verifierGAce = discretionaryAcl[index];

            Assert.True(TestIndex(gAce, verifierGAce));
            {
            }

        }
        public static void Index_AdditionalTests()
        {
            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            GenericAce gAce = null;
            GenericAce verifierGAce = null;
            string owner = null;
            int index = 0;

            // case 1, no ACE, get index at -1
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                index = -1;
                discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
                verifierGAce = discretionaryAcl[index];
            });

            //case 2, get index at Count
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
                index = discretionaryAcl.Count;
                verifierGAce = discretionaryAcl[index];
            });

            //case 3, set index at -1
            Assert.Throws<NotSupportedException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
                index = -1;
                owner = "BG";
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                discretionaryAcl[index] = gAce;

            });

            //case 4, set index at Count
            Assert.Throws<NotSupportedException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
                index = discretionaryAcl.Count;
                owner = "BG";
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                discretionaryAcl[index] = gAce;

            });

            //case 5, set null Ace
            Assert.Throws<NotSupportedException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(0, gAce);
                discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
                index = 0;
                gAce = null;
                discretionaryAcl[index] = gAce;

            });

            //case 6, set index at 0
            //case 5, set null Ace
            Assert.Throws<NotSupportedException>(() =>
            {
                rawAcl = new RawAcl(1, 1);
                owner = "BG";
                gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                rawAcl.InsertAce(0, gAce);

                discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
                index = 0;
                owner = "BA";
                gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
                discretionaryAcl[index] = gAce;
            });
        }
        public static void AddAccess_AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            bool isContainer = false;
            bool isDS = false;

            int accessControlType = 0;
            string sid = null;
            int accessMask = 1;
            int inheritanceFlags = 0;
            int propagationFlags = 0;
            GenericAce gAce = null;
            byte[] opaque = null;

            //Case 1, non-Container, but InheritanceFlags is not None
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = false;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.AddAccess(AccessControlType.Allow,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);

            });

            //Case 2, non-Container, but PropagationFlags is not None
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = false;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.AddAccess(AccessControlType.Allow,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);


            });

            //Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = true;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.AddAccess(AccessControlType.Allow,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);


            });

            //Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = true;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.AddAccess(AccessControlType.Allow,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);


            });

            //Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = true;
                isDS = false;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.AddAccess(AccessControlType.Allow,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);


            });

            //Case 6, accessMask = 0
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = true;
                isDS = false;
                accessControlType = 1;
                sid = "BA";
                accessMask = 0;
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.AddAccess((AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);



            });

            //Case 7, null sid
            Assert.Throws<ArgumentNullException>(() =>
            {
                isContainer = true;
                isDS = false;
                accessControlType = 1;
                accessMask = 1;
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);



            });

            //Case 8, add one Access ACE to the DiscretionaryAcl with no ACE
            isContainer = true;
            isDS = false;
            accessControlType = 0;
            sid = "BA";
            accessMask = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            rawAcl = new RawAcl(0, 1);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
            gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);
            Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
            ;


            //Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF
            //add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not
            //be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3
            //call the same method to check the meaninglessness, only some sanitory cases are enough.
            //bug# 288116


            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = true;
                isDS = false;

                inheritanceFlags = 0;//InheritanceFlags.None
                propagationFlags = 2; //PropagationFlags.InheritOnly

                accessControlType = 0;
                sid = "BA";
                accessMask = 1;

                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
            });


            //Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, 
            // should throw appropriate exception for wrong parameter, bug#287188

            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                isContainer = true;
                isDS = false;

                inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
                propagationFlags = 2; //PropagationFlags.InheritOnly

                accessControlType = 100;
                sid = "BA";
                accessMask = 1;

                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.AddAccess((AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                    accessMask,
                    (InheritanceFlags)inheritanceFlags,
                    (PropagationFlags)propagationFlags);

            });


            //Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge

            Assert.Throws<InvalidOperationException>(() =>
            {
                isContainer = true;
                isDS = false;

                inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
                propagationFlags = 2; //PropagationFlags.InheritOnly

                accessControlType = 0;
                sid = "BA";
                accessMask = 1;

                rawAcl = new RawAcl(0, 1);
                opaque = new byte[4];
                gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
                rawAcl.InsertAce(0, gAce);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
                                        AceQualifier.AccessAllowed,
                                        accessMask,
                                        new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                                        false,
                                        null);
                rawAcl.InsertAce(0, gAce);

                //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
                //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException

                TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);

            });

            //Case 12, add Ace to exceed binary length boundary, throw exception
            isContainer = true;
            isDS = false;

            inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
            propagationFlags = 2; //PropagationFlags.InheritOnly

            accessControlType = 0;
            sid = "BA";
            accessMask = 1;

            rawAcl = new RawAcl(0, 1);
            opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
            gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
                AceFlags.InheritanceFlags, opaque); ;
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>
            {

                discretionaryAcl.AddAccess((AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);

            });

        }
Beispiel #57
0
        public static void BasicValidationTestCases()
        {
            RawAcl rawAcl = null;
            SystemAcl systemAcl = null;

            GenericAce gAce = null;
            GenericAce verifierGAce = null;
            string owner1 = "BO";
            string owner2 = "BA";
            string owner3 = "BG";
            int index = 0;

            // case 1, only one ACE, get at index 0
            rawAcl = new RawAcl(1, 1);
            index = 0;
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
            rawAcl.InsertAce(0, gAce);
            systemAcl = new SystemAcl(false, false, rawAcl);
            verifierGAce = systemAcl[index];
            Assert.True(TestIndex(gAce, verifierGAce));

            //case 2, two ACEs, index at Count -1
            rawAcl = new RawAcl(1, 2);
            //208 has SuccessfulAccess, FailedAccess and Inherited
            gAce = new CommonAce((AceFlags)208, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
            rawAcl.InsertAce(0, gAce);
            //gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(owner2), false, null);                    
            gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
            rawAcl.InsertAce(1, gAce);
            systemAcl = new SystemAcl(false, false, rawAcl);
            gAce = rawAcl[1];
            index = systemAcl.Count - 1;

            verifierGAce = systemAcl[index];
            Assert.True(TestIndex(gAce, verifierGAce));

            //case 3, only three ACEs, index at Count/2
            rawAcl = new RawAcl(1, 3);
            //215 has all AceFlags except InheritOnly                    
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
            rawAcl.InsertAce(0, gAce);
            //208 has SuccessfulAccess, FailedAccess and Inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
            rawAcl.InsertAce(1, gAce);

            gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null);
            rawAcl.InsertAce(2, gAce);
            systemAcl = new SystemAcl(false, false, rawAcl);
            gAce = rawAcl[1];
            index = systemAcl.Count / 2;
            verifierGAce = systemAcl[index];
            Assert.True(TestIndex(gAce, verifierGAce));
            //case 4, 3 ACEs, test merge, index at Count -1
            rawAcl = new RawAcl(1, 2);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(1, gAce);
            gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(2, gAce);
            systemAcl = new SystemAcl(false, false, rawAcl);
            gAce = rawAcl[1];
            gAce.AceFlags = AceFlags.SuccessfulAccess | AceFlags.FailedAccess;
            index = systemAcl.Count - 1;

            verifierGAce = systemAcl[index];
            Assert.True(TestIndex(gAce, verifierGAce));
        }
        public static void AdditionalTestCases()
        {
            ICollection myCollection = null;
            GenericAce gAce = null;
            RawAcl rAcl = null;
            GenericAce[] gAces = null;


            // Case 1, null array
            Assert.Throws<ArgumentNullException>(() =>
            {
                rAcl = new RawAcl(0, 1);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
                myCollection = (ICollection)rAcl;
                myCollection.CopyTo(gAces, 0);
            });

            // Case 2, negative index
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                rAcl = new RawAcl(0, 1);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
                gAces = new GenericAce[rAcl.Count];
                myCollection = (ICollection)rAcl;
                myCollection.CopyTo(gAces, -1);
            });

            // Case 3, 0 size array
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                rAcl = new RawAcl(0, 1);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
                gAces = new GenericAce[0];
                myCollection = (ICollection)rAcl;
                myCollection.CopyTo(gAces, 0);
            });

            // Case 4, insufficient size array
            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                rAcl = new RawAcl(0, 1);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
                rAcl.InsertAce(0, gAce);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BO")), false, null);
                rAcl.InsertAce(0, gAce);

                gAces = new GenericAce[rAcl.Count - 1];
                myCollection = (ICollection)rAcl;
                myCollection.CopyTo(gAces, 0);
            });
            
            //Case 5, RawAcl with huge number of Aces
            rAcl = new RawAcl(0, GenericAcl.MaxBinaryLength);
            for (int i = 0; i < 1820; i++)
            {
                //this ace binary length is 36, 1820 * 36 = 65520
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
            }
            gAces = new GenericAce[rAcl.Count];
            myCollection = (ICollection)rAcl;
            myCollection.CopyTo(gAces, 0);

            // Case 6, test ICollection.CopyTo, array rank is not one. all the other cases are tested by type-friendly version CopyTo
            //on my machine, a BCL assert as resource Rank_MutiDimNotSupported not found
            Assert.Throws<RankException>(() =>
            {
                rAcl = new RawAcl(0, 1);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
                rAcl.InsertAce(0, gAce);
                gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
                rAcl.InsertAce(0, gAce);
                GenericAce[,] gAces2 = new GenericAce[1, 2];
                myCollection = (ICollection)rAcl;
                myCollection.CopyTo(gAces2, 0);
            });
        }
        public static void Purge_BasicValidationTestCases()
        {
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            int aceCount = 0;
            SecurityIdentifier sid = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;

            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sidStr = "LA";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 2, only have 1 explicit Ace of the sid
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //199 has all aceflags but inheritonly and inherited					
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 3, only have 1 explicit Ace of different sid
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199 has all aceflags but inheritedonly and inherited
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 1;
            sidStr = "BA";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 4, only have 1 inherited Ace of the sid
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //215 has all aceflags but inheritedonly				
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 1;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 5, have one explicit Ace and one inherited Ace of the sid
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //199 has all aceflags but inheritedonly and inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all aceflags but inheritedonly
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 1;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 6, have two explicit Aces of the sid
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //207 has all AceFlags but inherited				
            gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, 0));

            //case 7, 1 explicit CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            //199 has all AceFlags except InheritOnly and Inherited
            aceFlag = (AceFlags)199;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            aceCount = 1;

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>
            {

                TestPurge(discretionaryAcl, sid, aceCount);

            });


            //case 8,  1 explicit CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //207 has all AceFlags but inherited				
            aceFlag = (AceFlags)207;
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>
            {

                TestPurge(discretionaryAcl, sid, aceCount);

            });

            //case 9, 1 explict ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            //207 has all AceFlags but inherited						
            aceFlag = (AceFlags)207;
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

        }
Beispiel #60
0
        public static RawAcl CreateRawAclFromString(string rawAclString)
        {
            RawAcl rawAcl = null;
            byte revision = 0;
            int capacity = 1;
            CommonAce cAce = null;
            AceFlags aceFlags = AceFlags.None;
            AceQualifier aceQualifier = AceQualifier.AccessAllowed;
            int accessMask = 1;
            SecurityIdentifier sid = null;
            bool isCallback = false;
            int opaqueSize = 0;
            byte[] opaque = null;


            string[] parts = null;
            string[] subparts = null;
            char[] delimiter1 = new char[] { '#' };
            char[] delimiter2 = new char[] { ':' };

            if (rawAclString != null)
            {
                rawAcl = new RawAcl(revision, capacity);

                parts = rawAclString.Split(delimiter1);
                for (int i = 0; i < parts.Length; i++)
                {
                    subparts = parts[i].Split(delimiter2);
                    if (subparts.Length != 6)
                    {
                        return null;
                    }

                    aceFlags = (AceFlags)byte.Parse(subparts[0]);
                    aceQualifier = (AceQualifier)int.Parse(subparts[1]);
                    accessMask = int.Parse(subparts[2]);
                    sid = new SecurityIdentifier(TranslateStringConstFormatSidToStandardFormatSid(subparts[3]));
                    isCallback = bool.Parse(subparts[4]);
                    if (!isCallback)
                        opaque = null;
                    else
                    {
                        opaqueSize = int.Parse(subparts[5]);
                        opaque = new byte[opaqueSize];
                    }
                    cAce = new CommonAce(aceFlags, aceQualifier, accessMask, sid, isCallback, opaque);
                    rawAcl.InsertAce(rawAcl.Count, cAce);
                }
            }
            return rawAcl;
        }