//
// Internal constructor to be called by public constructors
// and the access rights factory methods
//
internal PipeAccessRule(IdentityReference identity, int accessMask, bool isInherited, AccessControlType type)
: base(identity, accessMask, isInherited, InheritanceFlags.None, PropagationFlags.None, type)
{
}
public abstract AccessRule AccessRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type);
public void SetGroup(IdentityReference identity);
public MutexAccessRule(IdentityReference identity, MutexRights eventRights, AccessControlType type);
public SemaphoreAuditRule(IdentityReference identity, SemaphoreRights eventRights, AuditFlags flags);
public ListChildrenAccessRule (IdentityReference identity, AccessControlType type, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : base(identity, 4, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
{
}
public DeleteTreeAccessRule(IdentityReference identity, AccessControlType type) : base(identity, 0x40, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
{
}
private FileSystemAccessRule CreateFileSystemAccessRule(IdentityReference identity, FileSystemRights rights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType accessControlType)
{
return(new FileSystemAccessRule(identity, rights, inheritanceFlags, propagationFlags, accessControlType));
}
/// <summary>用指定的值初始化 <see cref="T:System.Security.AccessControl.AccessRule" /> 类的新实例。</summary> /// <returns>此方法所创建的 <see cref="T:System.Security.AccessControl.AccessRule" /> 对象。</returns> /// <param name="identityReference">应用访问规则的标识。它必须是可强制转换为 <see cref="T:System.Security.Principal.SecurityIdentifier" /> 的对象。</param> /// <param name="accessMask">此规则的访问掩码。访问掩码是一个 32 位的匿名位集合,其含义是由每个集成器定义的。</param> /// <param name="isInherited">如果此规则继承自父容器,则为 true。</param> /// <param name="inheritanceFlags">指定访问规则的继承属性。</param> /// <param name="propagationFlags">指定继承的访问规则是否自动传播。如果 <paramref name="inheritanceFlags" /> 设置为 <see cref="F:System.Security.AccessControl.InheritanceFlags.None" />,则将忽略传播标志。</param> /// <param name="type">指定有效的访问控制类型。</param> public abstract AccessRule AccessRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type);
public CustomAccessRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags
, PropagationFlags propagationFlags, AccessControlType type)
: base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, Guid.NewGuid(), Guid.NewGuid(), type)
{
}
private RegistryAccessRule CreateRegistryAccessRule(IdentityReference identity, RegistryRights rights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType accessControlType)
{
return(new RegistryAccessRule(identity, rights, inheritanceFlags, propagationFlags, accessControlType));
}
public CustomAuditRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags
, PropagationFlags propagationFlags, AuditFlags auditFlags)
: base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, Guid.NewGuid(), Guid.NewGuid(), auditFlags)
{
}
public CustomAuditRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AuditFlags auditFlags)
: base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, objectType, inheritedObjectType, auditFlags)
{
}
public override AuditRule AuditRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited,
InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags)
{
return(new CustomAuditRule(identityReference, accessMask, isInherited, inheritanceFlags, propagationFlags, flags));
}
public void RemoveAudit(IdentityReference identity)
{
if (this.SaclRetrieved())
{
ActiveDirectoryAuditRule activeDirectoryAuditRule = new ActiveDirectoryAuditRule(identity, ActiveDirectoryRights.GenericRead, AuditFlags.Success | AuditFlags.Failure, ActiveDirectorySecurityInheritance.None);
base.RemoveAuditRuleAll(activeDirectoryAuditRule);
return;
}
else
{
throw new InvalidOperationException("CannotModifySacl");
}
}
public static bool op_Inequality(IdentityReference left, IdentityReference right)
{
}
public override AuditRule AuditRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags, Guid objectGuid, Guid inheritedObjectGuid)
{
return new ActiveDirectoryAuditRule(identityReference, accessMask, flags, objectGuid, isInherited, inheritanceFlags, propagationFlags, inheritedObjectGuid);
}
public override AccessRule AccessRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type)
{
throw new NotImplementedException();
}
public ExtendedRightAccessRule (IdentityReference identity, AccessControlType type, Guid extendedRightType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : base(identity, 256, type, extendedRightType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
{
}
public static bool CompareTo(this IdentityReference left, IdentityReference right)
{
return(left != null && right != null
? left.Translate(SecurityIdentifier).ToString().EqualsIgnoreCase(right.Translate(SecurityIdentifier).ToString())
: left == right);
}
public PropertyAccessRule(IdentityReference identity, AccessControlType type, PropertyAccess access) : base(identity, PropertyAccessTranslator.AccessMaskFromPropertyAccess(access), type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
{
}
protected virtual bool HasPermissions([NotNull] AuthorizationRuleCollection rules, [NotNull] IdentityReference identity, FileSystemRights permissions)
{
Assert.ArgumentNotNull(rules, nameof(rules));
Assert.ArgumentNotNull(identity, nameof(identity));
try
{
return
(GetRules(rules, identity).Any(
rule => (((FileSystemAccessRule)rule).FileSystemRights & permissions) > 0));
}
catch (Exception ex)
{
Log.Warn(ex, "Cannot get permissions for rules collection");
return(false);
}
}
public EventWaitHandleAuditRule(IdentityReference identity, EventWaitHandleRights eventRights, AuditFlags flags);
/// <summary>
/// Sets the owner
/// </summary>
public void SetOwner(IdentityReference newOwersIdentityReference)
{
PathInfo.SetOwner(newOwersIdentityReference);
}
protected ObjectAccessRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AccessControlType type);
/// <summary>使用指定的值初始化 AuditRule’1 类的一个新实例。</summary>
/// <param name="identity">审核规则应用到的标识。</param>
/// <param name="rights">审核规则的权限。</param>
/// <param name="flags">审核规则的条件。</param>
public AuditRule(IdentityReference identity, T rights, AuditFlags flags)
: this(identity, rights, InheritanceFlags.None, PropagationFlags.None, flags)
{
}
public virtual void PurgeAccessRules(IdentityReference identity);
/// <summary>使用指定的值初始化 AuditRule’1 类的一个新实例。</summary>
/// <param name="identity">审核规则应用到的标识。</param>
/// <param name="rights">审核规则的权限。</param>
/// <param name="inheritanceFlags">审核规则的继承属性。</param>
/// <param name="propagationFlags">继承的审核规则是否自动传播。</param>
/// <param name="flags">审核规则的条件。</param>
public AuditRule(IdentityReference identity, T rights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags)
: this(identity, (int)(ValueType)rights, false, inheritanceFlags, propagationFlags, flags)
{
}
protected AuditRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags auditFlags);
internal AuditRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags)
: base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, flags)
{
}
public void RemoveAccess(IdentityReference identity, AccessControlType type)
{
if (this.DaclRetrieved())
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.GenericRead, type, ActiveDirectorySecurityInheritance.None);
base.RemoveAccessRuleAll(activeDirectoryAccessRule);
return;
}
else
{
throw new InvalidOperationException("CannotModifyDacl");
}
}
public void AddReadPermission(X509Certificate2 certificate, IdentityReference identity)
{
this.AddReadPermission(certificate, identity, out _);
}
public override AccessRule AccessRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type, Guid objectGuid, Guid inheritedObjectGuid)
{
return new ActiveDirectoryAccessRule(identityReference, accessMask, type, objectGuid, isInherited, inheritanceFlags, propagationFlags, inheritedObjectGuid);
}
public void AddReadPermission(X509Store store, IdentityReference identity)
{
this.AddReadPermission(store, identity, null);
}
public ListChildrenAccessRule (IdentityReference identity, AccessControlType type) : base(identity, 4, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
{
}
public void AddReadPermissionToServiceStore(IdentityReference identity)
{
this.AddReadPermissionToServiceStore(identity, null);
}
public ExtendedRightAccessRule (IdentityReference identity, AccessControlType type, Guid extendedRightType) : base(identity, 256, type, extendedRightType, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
{
}
public void AddReadPermissionToServiceStore(IdentityReference identity, List <Action> rollbackActions)
{
X509Store store = X509ServiceStoreHelper.Open(Constants.ServiceName, OpenFlags.ReadOnly);
this.AddReadPermission(store, identity, rollbackActions);
}
public DeleteTreeAccessRule(IdentityReference identity, AccessControlType type, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : base(identity, 0x40, type, Guid.Empty, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType)
{
}
// рекурсивный перебор директорий
void AddDirectories(TreeNode node)
{
dirSize = 0;
string strPath = node.FullPath;
DirectoryInfo dir = new DirectoryInfo(strPath);
// Объявляем ссылку на массив подкаталогов текущего каталога
DirectoryInfo[] arrayDirInfo;
node.Nodes.Clear();
arrayDirInfo = dir.GetDirectories();
// Добавляем прочитанные подкаталоги как узлы в дерево
// и записываем инфо о них в список
foreach (DirectoryInfo dirInfo in arrayDirInfo)
{
// Создаем новый узел с именем подкаталога
TreeNode nodeDir = new TreeNode(dirInfo.Name);
// Добавляем его как дочерний к текущему узлу
node.Nodes.Add(nodeDir);
AddDirectories(nodeDir);
}
string dirfsar = "";
DirectorySecurity dirSecurity = dir.GetAccessControl();
IdentityReference dirIdentityRef = dirSecurity.GetOwner(typeof(NTAccount));
foreach (FileSystemAccessRule permission in dirSecurity.GetAccessRules(true, true, typeof(NTAccount)))
{
dirfsar += permission.FileSystemRights.ToString(); // AccessControlType ?
}
// записываем информацию о файлах в директории
foreach (FileInfo file in dir.GetFiles())
{
FileSecurity fileSecurity = file.GetAccessControl();
IdentityReference identityRef = fileSecurity.GetOwner(typeof(NTAccount));
string fsar = "";
foreach (FileSystemAccessRule permission in fileSecurity.GetAccessRules(true, true, typeof(NTAccount)))
{
fsar += permission.FileSystemRights.ToString();
}
dirSize += file.Length;
Elements.Add(new Items()
{
Name = file.Name,
CreationTime = file.CreationTime.ToString(),
LastWriteTime = file.LastWriteTime.ToString(),
LastAccessTime = file.LastAccessTime.ToString(),
Attributes = file.Attributes.ToString(),
Size = file.Length.ToString(),
Owner = identityRef.ToString(),
Permission = fsar,
});
}
// добавляем инфо о директории
Elements.Add(new Items()
{
Name = dir.Name,
CreationTime = dir.CreationTime.ToString(),
LastWriteTime = dir.LastWriteTime.ToString(),
LastAccessTime = dir.LastAccessTime.ToString(),
Attributes = dir.Attributes.ToString(),
Size = dirSize.ToString(),
Owner = dirIdentityRef.ToString(),
Permission = dirfsar,
});
}
public PropertyAccessRule(IdentityReference identity, AccessControlType type, PropertyAccess access, Guid propertyType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : base(identity, PropertyAccessTranslator.AccessMaskFromPropertyAccess(access), type, propertyType, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType)
{
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType)
{
ReadLock();
try
{
AuthorizationRuleCollection result = new AuthorizationRuleCollection();
if (!IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(
SR.Arg_MustBeIdentityReferenceType,
nameof(targetType));
}
CommonAcl?acl = null;
if (access)
{
if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
{
acl = _securityDescriptor.DiscretionaryAcl;
}
}
else // !access == audit
{
if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0)
{
acl = _securityDescriptor.SystemAcl;
}
}
if (acl == null)
{
//
// The required ACL was not present; return an empty collection.
//
return(result);
}
IdentityReferenceCollection?irTarget = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count);
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
CommonAce?ace = acl[i] as CommonAce;
if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
irSource.Add(ace.SecurityIdentifier);
}
}
irTarget = irSource.Translate(targetType);
}
int targetIndex = 0;
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
CommonAce?ace = acl[i] as CommonAce;
if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget ![targetIndex++];
public EventWaitHandleAccessRule(IdentityReference identity, EventWaitHandleRights eventRights, AccessControlType type);
public GrantAccessRule(IdentityReference identity, int accessMask, AccessControlType type) :
base(identity, accessMask, false, InheritanceFlags.None,
PropagationFlags.None, type)
{
}
public MutexAuditRule(IdentityReference identity, MutexRights eventRights, AuditFlags flags);
public override AccessRule AccessRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited,
InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type)
{
return(new HttpUrlAccessRule(identityReference, (HttpUrlAccessRights)accessMask));
}
public SemaphoreAccessRule(IdentityReference identity, SemaphoreRights eventRights, AccessControlType type);
public override AuditRule AuditRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited,
InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags)
{
throw new NotImplementedException(AuditingNotSupportedMessage);
}
byte[] IAgentProtocol.SignData(IdentityReference identity, byte[] data)
{
var hWnd = NativeMethods.FindWindow("Pageant", "Pageant");
if (hWnd == IntPtr.Zero)
{
return new byte[0];
}
string mmFileName = Path.GetRandomFileName();
using (var mmFile = MemoryMappedFile.CreateNew(mmFileName, AGENT_MAX_MSGLEN))
{
using (var accessor = mmFile.CreateViewAccessor())
{
var security = mmFile.GetAccessControl();
security.SetOwner(System.Security.Principal.WindowsIdentity.GetCurrent().User);
mmFile.SetAccessControl(security);
accessor.Write(0, IPAddress.NetworkToHostOrder(AGENT_MAX_MSGLEN - 4));
accessor.Write(4, SSH2_AGENTC_SIGN_REQUEST);
accessor.Write(5, IPAddress.NetworkToHostOrder(identity.Blob.Length));
accessor.WriteArray(9, identity.Blob, 0, identity.Blob.Length);
accessor.Write(9 + identity.Blob.Length, IPAddress.NetworkToHostOrder(data.Length));
accessor.WriteArray(13 + identity.Blob.Length, data, 0, data.Length);
var copy = new COPYDATASTRUCT(AGENT_COPYDATA_ID, mmFileName);
if (NativeMethods.SendMessage(hWnd, WM_COPYDATA, IntPtr.Zero, ref copy) == IntPtr.Zero)
{
return new byte[0];
}
if (accessor.ReadByte(4) != SSH2_AGENT_SIGN_RESPONSE)
{
return new byte[0];
}
int size = IPAddress.HostToNetworkOrder(accessor.ReadInt32(5));
var ret = new byte[size];
accessor.ReadArray(9, ret, 0, size);
return ret;
}
}
}
public static HttpUrlSecurity[] GetHttpUrlSecurity()
{
InitializeHttp();
try
{
var urls = new List <HttpUrlSecurity>();
uint recordNum = 0;
while (true)
{
var inputConfigInfoQuery = new HTTP_SERVICE_CONFIG_URLACL_QUERY
{
QueryDesc = HTTP_SERVICE_CONFIG_QUERY_TYPE.HttpServiceConfigQueryNext,
dwToken = recordNum++
};
var size = Marshal.SizeOf(typeof(HTTP_SERVICE_CONFIG_URLACL_QUERY));
var pInputConfigInfo = Marshal.AllocCoTaskMem(size);
Marshal.StructureToPtr(inputConfigInfoQuery, pInputConfigInfo, false);
var pOutputConfigInfo = Marshal.AllocCoTaskMem(0);
var returnLength = 0;
var retVal = HttpQueryServiceConfiguration(IntPtr.Zero,
HTTP_SERVICE_CONFIG_ID.HttpServiceConfigUrlAclInfo,
pInputConfigInfo,
Marshal.SizeOf(inputConfigInfoQuery),
pOutputConfigInfo,
returnLength,
out returnLength,
IntPtr.Zero);
if (Win32ErrorCodes.InsufficientBuffer == retVal)
{
Marshal.FreeCoTaskMem(pOutputConfigInfo);
pOutputConfigInfo = Marshal.AllocCoTaskMem(Convert.ToInt32(returnLength));
retVal = HttpQueryServiceConfiguration(IntPtr.Zero,
HTTP_SERVICE_CONFIG_ID.HttpServiceConfigUrlAclInfo,
pInputConfigInfo,
Marshal.SizeOf(inputConfigInfoQuery),
pOutputConfigInfo,
returnLength,
out returnLength,
IntPtr.Zero);
}
else if (Win32ErrorCodes.NoMoreItems == retVal)
{
break;
}
if (Win32ErrorCodes.Ok == retVal)
{
var outputConfigInfo = (HTTP_SERVICE_CONFIG_URLACL_SET)
Marshal.PtrToStructure(pOutputConfigInfo, typeof(HTTP_SERVICE_CONFIG_URLACL_SET));
var sd = new CommonSecurityDescriptor(false, false, outputConfigInfo.ParamDesc.pStringSecurityDescriptor);
var urlAcl = new HttpUrlSecurity(outputConfigInfo.KeyDesc.pUrlPrefix);
foreach (var genericAce in sd.DiscretionaryAcl)
{
var rule = (CommonAce)genericAce;
IdentityReference id = rule.SecurityIdentifier;
if (id.IsValidTargetType(typeof(NTAccount)))
{
id = id.Translate(typeof(NTAccount));
}
urlAcl.AddAccessRule(new HttpUrlAccessRule(id, (HttpUrlAccessRights)rule.AccessMask));
}
urls.Add(urlAcl);
}
else
{
throw new Win32Exception();
}
}
return(urls.ToArray());
}
finally
{
TerminateHttp();
}
}
protected ObjectAuditRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AuditFlags auditFlags);
public abstract AuditRule Constructor(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags AuditFlags);
public abstract AuditRule AuditRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags);
public override AuditRule Constructor(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags AuditFlags)
{
return(new FileSystemAuditRule(identityReference, FileSystemRights.Read, inheritanceFlags, propagationFlags, AuditFlags));
}
public virtual void PurgeAuditRules(IdentityReference identity);
public sealed override AccessRule AccessRuleFactory(IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type)
{
return(new FileSystemAccessRule(identityReference, accessMask, isInherited, inheritanceFlags, propagationFlags, type));
}
public void SetOwner(IdentityReference identity);
public void PurgeAuditRules(IdentityReference identity)
{
if (this.SaclRetrieved())
{
base.PurgeAuditRules(identity);
return;
}
else
{
throw new InvalidOperationException("CannotModifySacl");
}
}
protected internal AuthorizationRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags);
public PipeAccessRule(IdentityReference identity, PipeAccessRights rights, AccessControlType type)
: this(identity, AccessMaskFromRights(rights, type), false, type)
{
}
