public void AddAudit(AuditFlags auditFlags, SecurityIdentifier sid,
						 int accessMask, InheritanceFlags inheritanceFlags,
						 PropagationFlags propagationFlags,
						 ObjectAceFlags objectFlags, Guid objectType,
						 Guid inheritedObjectType)
			{
				// TODO
			}
 public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     if (!base.IsDS)
     {
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     }
     base.RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, (AceFlags) ((byte) (GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags))), objectFlags, objectType, inheritedObjectType);
 }
	public void AddAccess(AccessControlType accessType, SecurityIdentifier sid,
						  int accessMask, InheritanceFlags inheritanceFlags,
						  PropagationFlags propagationFlags,
						  ObjectAceFlags objectFlags, Guid objectType,
						  Guid inheritedObjectType)
			{
				// TODO
			}
	public bool RemoveAudit(AuditFlags auditFlags, SecurityIdentifier sid,
						    int accessMask, InheritanceFlags inheritanceFlags,
						    PropagationFlags propagationFlags,
						    ObjectAceFlags objectFlags, Guid objectType,
						    Guid inheritedObjectType)
			{
				// TODO
				return false;
			}
 public void RemoveAccessSpecific(AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     if (!base.IsDS)
     {
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     }
     base.CheckAccessType(accessType);
     this.everyOneFullAccessForNullDacl = false;
     base.RemoveQualifiedAcesSpecific(sid, (accessType == AccessControlType.Allow) ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
 }
Beispiel #6
0
		public bool RemoveAccess (AccessControlType accessType,
					  SecurityIdentifier sid,
					  int accessMask,
					  InheritanceFlags inheritanceFlags,
					  PropagationFlags propagationFlags,
					  ObjectAceFlags objectFlags,
					  Guid objectType,
					  Guid inheritedObjectType)
		{
			throw new NotImplementedException ();
		}
Beispiel #7
0
		internal ObjectAce (AceType type, AceFlags flags, int accessMask,
		                    SecurityIdentifier sid, ObjectAceFlags objFlags,
		                    Guid objType, Guid inheritedType, byte[] opaque)
			: base(type, flags, opaque)
		{
			AccessMask = accessMask;
			SecurityIdentifier = sid;
			ObjectAceFlags = objFlags;
			ObjectAceType = objType;
			InheritedObjectAceType = inheritedType;
		}
		public void AddAudit (AuditFlags auditFlags,
				      SecurityIdentifier sid, int accessMask,
				      InheritanceFlags inheritanceFlags,
				      PropagationFlags propagationFlags,
				      ObjectAceFlags objectFlags,
				      Guid objectType,
				      Guid inheritedObjectType)
		{
			// ObjectAce?
			throw new NotImplementedException ();
		}
Beispiel #9
0
		public void AddAccess (AccessControlType accessType,
				       SecurityIdentifier sid, int accessMask,
				       InheritanceFlags inheritanceFlags,
				       PropagationFlags propagationFlags,
				       ObjectAceFlags objectFlags,
				       Guid objectType,
				       Guid inheritedObjectType)
		{
			AddAce (GetAceQualifier (accessType), sid, accessMask,
				inheritanceFlags, propagationFlags, AuditFlags.None,
				objectFlags, objectType, inheritedObjectType);
		}
Beispiel #10
0
 protected static void VerifyObjectAce(ObjectAce ace, AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
 {
     Assert.Equal(aceFlags, ace.AceFlags);
     Assert.Equal(accessMask, ace.AccessMask);
     Assert.Equal(sid, ace.SecurityIdentifier);
     Assert.Equal(opaque, ace.GetOpaque());
     Assert.Equal(qualifier, ace.AceQualifier);
     Assert.Equal(isCallback, ace.IsCallback);
     Assert.Equal(flags, ace.ObjectAceFlags);
     Assert.Equal(type, ace.ObjectAceType);
     Assert.Equal(inheritedType, ace.InheritedObjectAceType);
 }
Beispiel #11
0
		public void AddAudit (AuditFlags auditFlags,
				      SecurityIdentifier sid, int accessMask,
				      InheritanceFlags inheritanceFlags,
				      PropagationFlags propagationFlags,
				      ObjectAceFlags objectFlags,
				      Guid objectType,
				      Guid inheritedObjectType)
		{
			AddAce (AceQualifier.SystemAudit, sid, accessMask,
				inheritanceFlags, propagationFlags, auditFlags,
				objectFlags, objectType, inheritedObjectType);
		}
		public ObjectAce (AceFlags aceFlags, AceQualifier qualifier,
				  int accessMask, SecurityIdentifier sid,
				  ObjectAceFlags flags, Guid type,
				  Guid inheritedType, bool isCallback,
				  byte[] opaque)
			: base (InheritanceFlags.None, PropagationFlags.None, qualifier, isCallback, opaque)
		{
			AceFlags = aceFlags;
			SecurityIdentifier = sid;
			object_ace_flags = flags;
			object_ace_type = type;
			inherited_object_type = inheritedType;
		}
Beispiel #13
0
		public ObjectAce (AceFlags aceFlags, AceQualifier qualifier,
				  int accessMask, SecurityIdentifier sid,
				  ObjectAceFlags flags, Guid type,
				  Guid inheritedType, bool isCallback,
				  byte[] opaque)
			: base (ConvertType(qualifier, isCallback), aceFlags, opaque)
		{
			AccessMask = accessMask;
			SecurityIdentifier = sid;
			ObjectAceFlags = flags;
			ObjectAceType = type;
			InheritedObjectAceType = inheritedType;
		}
 protected ObjectAccessRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AccessControlType type) : base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, type)
 {
     if (!objectType.Equals(Guid.Empty) && ((accessMask & ObjectAce.AccessMaskWithObjectType) != 0))
     {
         this._objectType = objectType;
         this._objectFlags |= ObjectAceFlags.ObjectAceTypePresent;
     }
     else
     {
         this._objectType = Guid.Empty;
     }
     if (!inheritedObjectType.Equals(Guid.Empty) && ((inheritanceFlags & InheritanceFlags.ContainerInherit) != InheritanceFlags.None))
     {
         this._inheritedObjectType = inheritedObjectType;
         this._objectFlags |= ObjectAceFlags.InheritedObjectAceTypePresent;
     }
     else
     {
         this._inheritedObjectType = Guid.Empty;
     }
 }
Beispiel #15
0
        public bool RemoveAccess( AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            //
            // This is valid only for DS Acls 
            //
            if ( !IsDS )
            {
                throw new InvalidOperationException(
                    Environment.GetResourceString( "InvalidOperation_OnlyValidForDS" ));
            }
            Contract.EndContractBlock();

            CheckAccessType( accessType );
            everyOneFullAccessForNullDacl = false;
            return RemoveQualifiedAces(sid, accessType == AccessControlType.Allow ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags( inheritanceFlags, propagationFlags ), false, objectFlags, objectType, inheritedObjectType );
        }
Beispiel #16
0
        private static object[] ObjectAce_CreateTestData(int intFlags, int intQualifier, int accessMask, string stringsid, int intObjectAceFlags, string stringType, string stringInheritedType, bool isCallback, int opaqueLength, int offset)
        {
            AceFlags           aceFlags  = (AceFlags)intFlags;
            AceQualifier       qualifier = (AceQualifier)intQualifier;
            SecurityIdentifier sid       = new SecurityIdentifier(stringsid);
            ObjectAceFlags     flags     = (ObjectAceFlags)intObjectAceFlags;
            Guid type          = new Guid(stringType);
            Guid inheritedType = new Guid(stringInheritedType);

            byte[] opaque = new byte[opaqueLength];

            ObjectAce ace = new ObjectAce(aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);

            VerifyObjectAce(ace, aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);

            byte[] binaryForm = new byte[ace.BinaryLength + offset];
            switch (qualifier)
            {
            case AceQualifier.AccessAllowed:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessAllowedCallbackObject : (byte)AceType.AccessAllowedObject;
                break;

            case AceQualifier.AccessDenied:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessDeniedCallbackObject : (byte)AceType.AccessDeniedObject;
                break;

            case AceQualifier.SystemAudit:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAuditCallbackObject : (byte)AceType.SystemAuditObject;
                break;

            case AceQualifier.SystemAlarm:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAlarmCallbackObject : (byte)AceType.SystemAlarmObject;
                break;

            default:
                return(null);
            }
            binaryForm[offset + 1] = (byte)aceFlags;
            binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0);
            binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8);

            int baseOffset  = offset + 4;
            int offsetLocal = 0;

            unchecked
            {
                binaryForm[baseOffset + 0] = (byte)(accessMask >> 0);
                binaryForm[baseOffset + 1] = (byte)(accessMask >> 8);
                binaryForm[baseOffset + 2] = (byte)(accessMask >> 16);
                binaryForm[baseOffset + 3] = (byte)(accessMask >> 24);
            }
            offsetLocal += 4;

            binaryForm[baseOffset + offsetLocal + 0] = (byte)(((uint)flags) >> 0);
            binaryForm[baseOffset + offsetLocal + 1] = (byte)(((uint)flags) >> 8);
            binaryForm[baseOffset + offsetLocal + 2] = (byte)(((uint)flags) >> 16);
            binaryForm[baseOffset + offsetLocal + 3] = (byte)(((uint)flags) >> 24);

            offsetLocal += 4;

            if ((flags & ObjectAceFlags.ObjectAceTypePresent) != 0)
            {
                type.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;
            }

            if ((flags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
            {
                inheritedType.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;
            }

            sid.GetBinaryForm(binaryForm, baseOffset + offsetLocal);
            offsetLocal += sid.BinaryLength;
            opaque.CopyTo(binaryForm, baseOffset + offsetLocal);

            return(new object[] { ace, binaryForm, offset });
        }
Beispiel #17
0
 /// <summary>从当前 <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> 对象移除指定的审核规则。在指定对象类型或继承的对象类型时,为目录对象的访问控制列表 (ACL) 使用此方法。</summary>
 /// <param name="auditFlags">要移除的审核规则的类型。</param>
 /// <param name="sid">要为其移除审核规则的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param>
 /// <param name="accessMask">要移除的规则的访问掩码。</param>
 /// <param name="inheritanceFlags">指定要移除的规则的继承属性的标志。</param>
 /// <param name="propagationFlags">指定要移除的规则的继承传播属性的标志。</param>
 /// <param name="objectFlags">指定 <paramref name="objectType" /> 和 <paramref name="inheritedObjectType" /> 参数是否包含非 null 值的标志。</param>
 /// <param name="objectType">移除的审核控制规则所应用到的对象的类标识。</param>
 /// <param name="inheritedObjectType">可以继承移除的审核规则的子对象的类标识。</param>
 public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     if (!this.IsDS)
     {
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     }
     this.RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
 }
Beispiel #18
0
        internal void RemoveQualifiedAcesSpecific( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            if ( accessMask == 0 )
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );
            }

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            }
        
            if ( sid == null )
            {
                throw new ArgumentNullException( "sid" );
            }
            Contract.EndContractBlock();
            ThrowIfNotCanonical();

            for ( int i = 0; i < Count; i++ )
            {
                QualifiedAce ace = _acl[i] as QualifiedAce;

                //
                // Not a qualified ACE - keep going
                //

                if ( ace == null )
                {
                    continue;
                }

                //
                // Only interested in explicit (non-inherited) ACEs
                //

                if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
                {
                    continue;
                }

                //
                // Only interested in ACEs with the specified qualifier
                //

                if ( ace.AceQualifier != qualifier )
                {
                    continue;
                }

                //
                // Only interested in ACEs with the specified SID
                //

                if ( ace.SecurityIdentifier != sid )
                {
                    continue;
                }

                //
                // Only interested in exact ACE flag matches
                //

                if ( ace.AceFlags != flags )
                {
                    continue;
                }

                //
                // Only interested in exact access mask matches
                //

                if ( ace.AccessMask != accessMask )
                {
                    continue;
                }

                if ( IsDS ) 
                {
                    //
                    // Incase of object aces, only interested in ACEs which match in their 
                    // objectType and inheritedObjectType
                    //

                    if (( ace is ObjectAce ) && ( objectFlags != ObjectAceFlags.None ))
                    {                 
                        //
                        // both are object aces, so must match in object type and inherited object type
                        //
                        ObjectAce objectAce = ace as ObjectAce;
                        
                        if (( !objectAce.ObjectTypesMatch( objectFlags, objectType ))
                            || ( !objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType ))) 
                        {
                            continue;
                        }
                    }
                    else if (( ace is ObjectAce ) || ( objectFlags != ObjectAceFlags.None ))
                    {
                        // one is object ace and the other is not, so no match
                        continue;
                    }
                }

                //
                // Got our exact match; now remove it
                //

                _acl.RemoveAce(i);
                i--; // keep the array index honest
            }
            OnAclModificationTried();
        }
Beispiel #19
0
        protected ObjectAuditRule( IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AuditFlags auditFlags )
            : base( identity, accessMask, isInherited, inheritanceFlags, propagationFlags, auditFlags )
        {
            
            if (( !objectType.Equals( Guid.Empty )) && (( accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ))
            {
                _objectType = objectType;
                _objectFlags |= ObjectAceFlags.ObjectAceTypePresent;
            }
            else
            {
                _objectType = Guid.Empty;
            }

            if (( !inheritedObjectType.Equals( Guid.Empty )) && ((inheritanceFlags & InheritanceFlags.ContainerInherit ) != 0 ))
            {
                _inheritedObjectType = inheritedObjectType;
                _objectFlags |= ObjectAceFlags.InheritedObjectAceTypePresent;
            }
            else
            {
                _inheritedObjectType = Guid.Empty;
            }
        }
Beispiel #20
0
        //
        // This method determines whether the object type and inherited object type from the original ace
        // should be retained or not based on access mask and aceflags for a given split 
        //
        private void GetObjectTypesForSplit( ObjectAce originalAce, int accessMask, AceFlags aceFlags, out ObjectAceFlags objectFlags, out Guid objectType, out Guid inheritedObjectType ) 
        {

            objectFlags = 0;
            objectType = Guid.Empty;
            inheritedObjectType = Guid.Empty;

            //
            // We should retain the object type if the access mask for this split contains any bits that refer to object type
            //
            if (( accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) 
            {
                // keep the original ace's object flags and object type
                objectType = originalAce.ObjectAceType;
                objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent;
            }

            //
            // We should retain the inherited object type if the aceflags for this contains inheritance (ContainerInherit)
            //
            if (( aceFlags & AceFlags.ContainerInherit ) != 0 ) 
            {
                // keep the original ace's object flags and object type
                inheritedObjectType = originalAce.InheritedObjectAceType;
                objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent;
            }
        }
Beispiel #21
0
        internal static bool ParseBinaryForm(byte[] binaryForm, int offset, out AceQualifier qualifier, out int accessMask, out SecurityIdentifier sid, out ObjectAceFlags objectFlags, out Guid objectAceType, out Guid inheritedObjectAceType, out bool isCallback, out byte[] opaque)
        {
            byte[] b = new byte[16];
            GenericAce.VerifyHeader(binaryForm, offset);
            if (binaryForm.Length - offset >= 12 + SecurityIdentifier.MinBinaryLength)
            {
                AceType aceType = (AceType)binaryForm[offset];
                switch (aceType)
                {
                case AceType.AccessAllowedObject:
                case AceType.AccessDeniedObject:
                case AceType.SystemAuditObject:
                case AceType.SystemAlarmObject:
                    isCallback = false;
                    break;

                case AceType.AccessAllowedCallbackObject:
                case AceType.AccessDeniedCallbackObject:
                case AceType.SystemAuditCallbackObject:
                case AceType.SystemAlarmCallbackObject:
                    isCallback = true;
                    break;

                default:
                    goto label_38;
                }
                if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessAllowedCallbackObject)
                {
                    qualifier = AceQualifier.AccessAllowed;
                }
                else if (aceType == AceType.AccessDeniedObject || aceType == AceType.AccessDeniedCallbackObject)
                {
                    qualifier = AceQualifier.AccessDenied;
                }
                else if (aceType == AceType.SystemAuditObject || aceType == AceType.SystemAuditCallbackObject)
                {
                    qualifier = AceQualifier.SystemAudit;
                }
                else if (aceType == AceType.SystemAlarmObject || aceType == AceType.SystemAlarmCallbackObject)
                {
                    qualifier = AceQualifier.SystemAlarm;
                }
                else
                {
                    goto label_38;
                }
                int num1 = offset + 4;
                int num2 = 0;
                accessMask = (int)binaryForm[num1 + 0] + ((int)binaryForm[num1 + 1] << 8) + ((int)binaryForm[num1 + 2] << 16) + ((int)binaryForm[num1 + 3] << 24);
                int num3 = num2 + 4;
                objectFlags = (ObjectAceFlags)((int)binaryForm[num1 + num3 + 0] + ((int)binaryForm[num1 + num3 + 1] << 8) + ((int)binaryForm[num1 + num3 + 2] << 16) + ((int)binaryForm[num1 + num3 + 3] << 24));
                int num4 = num3 + 4;
                if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
                {
                    for (int index = 0; index < 16; ++index)
                    {
                        b[index] = binaryForm[num1 + num4 + index];
                    }
                    num4 += 16;
                }
                else
                {
                    for (int index = 0; index < 16; ++index)
                    {
                        b[index] = (byte)0;
                    }
                }
                objectAceType = new Guid(b);
                if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
                {
                    for (int index = 0; index < 16; ++index)
                    {
                        b[index] = binaryForm[num1 + num4 + index];
                    }
                    num4 += 16;
                }
                else
                {
                    for (int index = 0; index < 16; ++index)
                    {
                        b[index] = (byte)0;
                    }
                }
                inheritedObjectAceType = new Guid(b);
                sid    = new SecurityIdentifier(binaryForm, num1 + num4);
                opaque = (byte[])null;
                int num5 = ((int)binaryForm[offset + 3] << 8) + (int)binaryForm[offset + 2];
                if (num5 % 4 == 0)
                {
                    int length = num5 - 4 - 4 - 4 - (int)(byte)sid.BinaryLength;
                    if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
                    {
                        length -= 16;
                    }
                    if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
                    {
                        length -= 16;
                    }
                    if (length > 0)
                    {
                        opaque = new byte[length];
                        for (int index = 0; index < length; ++index)
                        {
                            opaque[index] = binaryForm[offset + num5 - length + index];
                        }
                    }
                    return(true);
                }
            }
label_38:
            qualifier              = AceQualifier.AccessAllowed;
            accessMask             = 0;
            sid                    = (SecurityIdentifier)null;
            objectFlags            = ObjectAceFlags.None;
            objectAceType          = Guid.NewGuid();
            inheritedObjectAceType = Guid.NewGuid();
            isCallback             = false;
            opaque                 = (byte[])null;
            return(false);
        }
        public static void RemoveInheritedAces_BasicValidationTestCases()
        {
            bool isContainer = false;
            bool isDS        = false;

            RawAcl           rawAcl           = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;

            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, no Ace
            revision         = 127;
            capacity         = 1;
            rawAcl           = new RawAcl(revision, capacity);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 3,  non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision   = 127;
            capacity   = 5;
            sid        = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl     = new RawAcl(revision, capacity);
            aceFlag    = AceFlags.InheritanceFlags;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(2, gAce);
            //CompoundAce
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(3, gAce);
            //ObjectAce
            aceQualifier           = AceQualifier.AccessAllowed;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(2, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws <InvalidOperationException>(() =>
            {
                TestRemoveInheritedAces(discretionaryAcl);
            });

            //case 4,  all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision   = 127;
            capacity   = 5;
            sid        = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl     = new RawAcl(revision, capacity);
            aceFlag    = AceFlags.InheritanceFlags | AceFlags.Inherited;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            //CompoundAce
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(0, gAce);
            //ObjectAce
            aceQualifier           = AceQualifier.AccessAllowed;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 5, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 6, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215  has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 7, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215  has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 8, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            //215 has all AceFlags except InheritOnly
            aceFlag = (AceFlags)215;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 9,  1 inherited CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));

            //case 10, 1 inherited ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(discretionaryAcl));
        }
Beispiel #23
0
 public bool RemoveAudit(AuditFlags auditFlags, System.Security.Principal.SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     return(default(bool));
 }
Beispiel #24
0
 /// <summary>初始化 <see cref="T:System.Security.AccessControl.ObjectAce" /> 类的新实例。</summary>
 /// <param name="aceFlags">新的访问控制项 (ACE) 的继承、继承传播和审核条件。</param>
 /// <param name="qualifier">使用新的 ACE。</param>
 /// <param name="accessMask">ACE 的访问掩码。</param>
 /// <param name="sid">与新的 ACE 关联的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param>
 /// <param name="flags">
 /// <paramref name="type" /> 和 <paramref name="inheritedType" /> 参数是否包含有效的对象 GUID。</param>
 /// <param name="type">一个 GUID,标识新的 ACE 所应用到的对象类型。</param>
 /// <param name="inheritedType">一个 GUID,标识能够继承新的 ACE 的对象类型。</param>
 /// <param name="isCallback">如果新的 ACE 是回调类型的 ACE,则为 true。</param>
 /// <param name="opaque">与新的 ACE 关联的不透明数据。只有回调 ACE 类型才允许不透明数据。此数组的长度一定不能大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</param>
 /// <exception cref="T:System.ArgumentOutOfRangeException">qualifier 参数包含无效的值,或者不透明参数的值的长度大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</exception>
 public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
     : base(ObjectAce.TypeFromQualifier(isCallback, qualifier), aceFlags, accessMask, sid, opaque)
 {
     this._objectFlags            = flags;
     this._objectAceType          = type;
     this._inheritedObjectAceType = inheritedType;
 }
Beispiel #25
0
 /// <summary>从当前 <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> 对象移除指定的访问控制项 (ACE)。在指定要移除的 ACE 的对象类型或继承的对象类型时,为目录对象的访问控制列表 (ACL) 使用此方法。</summary>
 /// <param name="accessType">要移除的访问控制类型(允许或拒绝)。</param>
 /// <param name="sid">要为其移除 ACE 的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param>
 /// <param name="accessMask">要移除的 ACE 的访问掩码。</param>
 /// <param name="inheritanceFlags">指定要移除的 ACE 的继承属性的标志。</param>
 /// <param name="propagationFlags">指定要移除的 ACE 的继承传播属性的标志。</param>
 /// <param name="objectFlags">指定 <paramref name="objectType" /> 和 <paramref name="inheritedObjectType" /> 参数是否包含非 null 值的标志。</param>
 /// <param name="objectType">移除的 ACE 所应用到的对象的类标识。</param>
 /// <param name="inheritedObjectType">可以继承移除的 ACE 的子对象的类标识。</param>
 public void RemoveAccessSpecific(AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     if (!this.IsDS)
     {
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     }
     this.CheckAccessType(accessType);
     this.everyOneFullAccessForNullDacl = false;
     this.RemoveQualifiedAcesSpecific(sid, accessType == AccessControlType.Allow ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
 }
Beispiel #26
0
 public void SetAudit(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     if (!base.IsDS)
     {
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     }
     base.CheckFlags(inheritanceFlags, propagationFlags);
     base.SetQualifiedAce(sid, AceQualifier.SystemAudit, accessMask, (AceFlags)((byte)(GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags))), objectFlags, objectType, inheritedObjectType);
 }
Beispiel #27
0
 public void SetAudit(AuditFlags auditFlags, System.Security.Principal.SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
 }
Beispiel #28
0
        //
        // This method checks if the inheritedObjectType matches with the specified inherited object type
        // (Either both do not have an inherited object type or they have the same inherited object type)
        //
        internal bool InheritedObjectTypesMatch(ObjectAceFlags objectFlags, Guid inheritedObjectType)
        {
            if ((ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
            {
                return false;
            }

            if (((ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0) &&
                (!InheritedObjectAceType.Equals(inheritedObjectType)))
            {
                return false;
            }

            return true;
        }
 public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque);
Beispiel #30
0
        //
        // Called by GenericAce.CreateFromBinaryForm to parse the binary form
        // of the object ACE and extract the useful pieces
        //

        internal static bool ParseBinaryForm(
            byte[] binaryForm,
            int offset,
            out AceQualifier qualifier,
            out int accessMask,
            out SecurityIdentifier sid,
            out ObjectAceFlags objectFlags,
            out Guid objectAceType,
            out Guid inheritedObjectAceType,
            out bool isCallback,
            out byte[] opaque)
        {
            byte[] guidArray = new byte[GuidLength];

            //
            // Verify the ACE header
            //

            VerifyHeader(binaryForm, offset);

            //
            // Verify the length field
            //

            if (binaryForm.Length - offset < HeaderLength + AccessMaskLength + ObjectFlagsLength + SecurityIdentifier.MinBinaryLength)
            {
                goto InvalidParameter;
            }

            //
            // Identify callback ACE types
            //

            AceType type = (AceType)binaryForm[offset];

            if (type == AceType.AccessAllowedObject ||
                type == AceType.AccessDeniedObject ||
                type == AceType.SystemAuditObject ||
                type == AceType.SystemAlarmObject)
            {
                isCallback = false;
            }
            else if (type == AceType.AccessAllowedCallbackObject ||
                type == AceType.AccessDeniedCallbackObject ||
                type == AceType.SystemAuditCallbackObject ||
                type == AceType.SystemAlarmCallbackObject)
            {
                isCallback = true;
            }
            else
            {
                goto InvalidParameter;
            }

            //
            // Compute the qualifier from the ACE type
            //

            if (type == AceType.AccessAllowedObject ||
                type == AceType.AccessAllowedCallbackObject)
            {
                qualifier = AceQualifier.AccessAllowed;
            }
            else if (type == AceType.AccessDeniedObject ||
                type == AceType.AccessDeniedCallbackObject)
            {
                qualifier = AceQualifier.AccessDenied;
            }
            else if (type == AceType.SystemAuditObject ||
                type == AceType.SystemAuditCallbackObject)
            {
                qualifier = AceQualifier.SystemAudit;
            }
            else if (type == AceType.SystemAlarmObject ||
                type == AceType.SystemAlarmCallbackObject)
            {
                qualifier = AceQualifier.SystemAlarm;
            }
            else
            {
                goto InvalidParameter;
            }

            int baseOffset = offset + HeaderLength;
            int offsetLocal = 0;

            accessMask =
                (int)(
                (((uint)binaryForm[baseOffset + 0]) << 0) +
                (((uint)binaryForm[baseOffset + 1]) << 8) +
                (((uint)binaryForm[baseOffset + 2]) << 16) +
                (((uint)binaryForm[baseOffset + 3]) << 24));

            offsetLocal += AccessMaskLength;

            objectFlags =
                (ObjectAceFlags)(
                (((uint)binaryForm[baseOffset + offsetLocal + 0]) << 0) +
                (((uint)binaryForm[baseOffset + offsetLocal + 1]) << 8) +
                (((uint)binaryForm[baseOffset + offsetLocal + 2]) << 16) +
                (((uint)binaryForm[baseOffset + offsetLocal + 3]) << 24));

            offsetLocal += ObjectFlagsLength;

            if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != 0)
            {
                for (int i = 0; i < GuidLength; i++)
                {
                    guidArray[i] = binaryForm[baseOffset + offsetLocal + i];
                }

                offsetLocal += GuidLength;
            }
            else
            {
                for (int i = 0; i < GuidLength; i++)
                {
                    guidArray[i] = 0;
                }
            }

            objectAceType = new Guid(guidArray);

            if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
            {
                for (int i = 0; i < GuidLength; i++)
                {
                    guidArray[i] = binaryForm[baseOffset + offsetLocal + i];
                }

                offsetLocal += GuidLength;
            }
            else
            {
                for (int i = 0; i < GuidLength; i++)
                {
                    guidArray[i] = 0;
                }
            }

            inheritedObjectAceType = new Guid(guidArray);

            sid = new SecurityIdentifier(binaryForm, baseOffset + offsetLocal);

            opaque = null;

            int aceLength = (binaryForm[offset + 3] << 8) + (binaryForm[offset + 2] << 0);

            if (aceLength % 4 != 0)
            {
                goto InvalidParameter;
            }

            int opaqueLength = (aceLength - HeaderLength - AccessMaskLength - ObjectFlagsLength - (byte)sid.BinaryLength);

            if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != 0)
            {
                opaqueLength -= GuidLength;
            }

            if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
            {
                opaqueLength -= GuidLength;
            }

            if (opaqueLength > 0)
            {
                opaque = new byte[opaqueLength];

                for (int i = 0; i < opaqueLength; i++)
                {
                    opaque[i] = binaryForm[offset + aceLength - opaqueLength + i];
                }
            }

            return true;

        InvalidParameter:

            qualifier = 0;
            accessMask = 0;
            sid = null;
            objectFlags = 0;
            objectAceType = Guid.NewGuid();
            inheritedObjectAceType = Guid.NewGuid();
            isCallback = false;
            opaque = null;

            return false;
        }
        public static void BasicValidationTestCases()
        {
            bool isContainer = false;
            bool isDS        = false;

            RawAcl    rawAcl    = null;
            SystemAcl systemAcl = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;
            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, no Ace


            revision    = 127;
            capacity    = 1;
            rawAcl      = new RawAcl(revision, capacity);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));


            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 3, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));


            //case 4, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 5, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 6, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 7,  1 inherited CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));

            //case 8, 1 inherited ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.SystemAudit;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = true;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveInheritedAces(systemAcl));
        }
Beispiel #32
0
 private static bool ObjectTypeMatches(ObjectAceFlags flg1, Guid objType1, Guid inhObjType1, ObjectAceFlags flg2, Guid objType2, Guid inhObjType2)
 {
     return(((flg1 & flg2) != ObjectAceFlags.None || (flg1 == ObjectAceFlags.None && flg2 == ObjectAceFlags.None)) && (ObjectAceFlags.ObjectAceTypePresent != (ObjectAceFlags.ObjectAceTypePresent & flg1 & flg2) || !(objType1 != objType2)) && (ObjectAceFlags.InheritedObjectAceTypePresent != (ObjectAceFlags.InheritedObjectAceTypePresent & flg1 & flg2) || !(inhObjType1 != inhObjType2)));
 }
Beispiel #33
0
        private bool GetInheritanceFlagsForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags )
        {
            if ((( ace.AceFlags & AceFlags.ContainerInherit ) != 0 )  && (( aceFlags & AceFlags.ContainerInherit ) != 0 ))
            {

                // 
                // If the aces have inheritance bits in common 
                // then we follow these rules:
                //
                //       Remove    No IOT    IOT = A        IOT = B
                // Existing
                // 
                //   No IOT          Remove   Invalid        Invalid
                //
                //   IOT = A        Remove   Remove      Nothing Common
                //
            
                
                if ( ace is ObjectAce )
                {
                    bool commonInheritanceFlagsExist = true;
                    ObjectAce objectAce = ace as ObjectAce;

                    //
                    // if what we are trying to remove has an inherited object type 
                    // but the existing ace does not then this is an invalid case
                    //
                    if ((( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) && 
                        (( objectAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ))
                    {
                        return false;
                    }

                    //
                    // if what we are trying to remove has no inherited object type or
                    // if inherited object types match then we have common inheritance flags                     
                    //
                    commonInheritanceFlagsExist = (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ) ||
                                                                       objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType );
                    if ( !commonInheritanceFlagsExist ) 
                    {
                        aceFlags &= ~AceFlags.InheritanceFlags;
                    }
                }
                else if (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) 
                {
                    // the existing ace is a common ace and the one we're removing 
                    // refers to a specific child type so this is invalid
                    return false;
                }               
            }

            return true;

        }
        public static void BasicValidationTestCases()
        {
            RawAcl rawAcl = null;

            byte[] binaryForm = null;
            int    offset     = 0;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;
            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));


            //case 3, a valid binary representation with revision 127, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = (AceFlags)223; //all flags ored together
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 4, a valid binary representation with revision 1, 1 CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));


            //case 5, a valid binary representation with revision 1, 1 ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 6, a valid binary representation with revision 1, no Ace
            revision   = 127;
            capacity   = 1;
            rawAcl     = new RawAcl(revision, capacity);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));

            //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
            revision = 127;
            capacity = 5;
            rawAcl   = new RawAcl(revision, capacity);
            //SystemAudit CommonAce
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Allowed CommonAce
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            //CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            //CompoundAce
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            //ObjectAce
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));
        }
Beispiel #35
0
        //
        // Helper function behind all the SetXXX methods
        //

        internal void SetQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            if ( sid == null )
            {
                throw new ArgumentNullException( "sid" );
            }

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            }

            if ( accessMask == 0 )
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );
            }
            Contract.EndContractBlock();
            ThrowIfNotCanonical();

            GenericAce newAce;

            if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
            {
                newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
            }
            else
            {
                newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );
            }

            //
            // Make sure the new ACE wouldn't be meaningless before proceeding
            //

            if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))
            {
                return;
            }

            for ( int i = 0; i < Count; i++ )
            {
                QualifiedAce ace = _acl[i] as QualifiedAce;

                //
                // Not a qualified ACE - keep going
                //

                if ( ace == null )
                {
                    continue;
                }

                //
                // Only interested in explicit (non-inherited) ACEs
                //

                if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
                {
                    continue;
                }

                //
                // Only interested in ACEs with the specified qualifier
                //

                if ( ace.AceQualifier != qualifier )
                {
                    continue;
                }

                //
                // Only interested in ACEs with the specified SID
                //

                if ( ace.SecurityIdentifier != sid )
                {
                    continue;
                }

                //
                // This ACE corresponds to the SID and qualifier in question - remove it
                //

                _acl.RemoveAce( i );
                i--;
            }

            //
            // As a final step, add the ACE we want.
            // Add it at the end - we'll re-canonicalize later.
            //

            _acl.InsertAce( _acl.Count, newAce );

            //
            // To aid the efficiency of batch operations, recanonicalize this later
            //

            _isDirty = true;
            OnAclModificationTried();
        }
Beispiel #36
0
        private bool GetAccessMaskForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask )
        {
            if (( ace.AccessMask & accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) 
            {

                // 
                // If the aces have access bits in common which refer to object types
                // then we follow these rules:
                //
                //       Remove    No OT    OT = A        OT = B
                // Existing
                // 
                //   No OT          Remove   Invalid        Invalid
                //
                //   OT = A        Remove   Remove      Nothing Common
                //
            
                
                if ( ace is ObjectAce )
                {
                    bool commonAccessBitsWithObjectTypeExist = true;
                    ObjectAce objectAce = ace as ObjectAce;

                    //
                    // if what we are trying to remove has an object type 
                    // but the existing ace does not then this is an invalid case
                    //
                    if ((( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) && 
                        (( objectAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
                    {
                        return false;
                    }

                    //
                    // if what we are trying to remove has no object type or
                    // if object types match (since at this point we have ensured that both have object types present) 
                    // then we have common access bits with object type
                    //
                    commonAccessBitsWithObjectTypeExist = (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ) ||
                                                                                    objectAce.ObjectTypesMatch( objectFlags, objectType );
                    if ( !commonAccessBitsWithObjectTypeExist ) 
                    {
                        accessMask &= ~ObjectAce.AccessMaskWithObjectType;
                    }
                }
                else if (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) 
                {
                    // the existing ace is a common ace and the one we're removing 
                    // refers to a specific object type so this is invalid
                    return false;
                }               
            }

            return true;

        }
Beispiel #37
0
        internal void RemoveAceSpecific(AceQualifier aceQualifier,
                                        SecurityIdentifier sid,
                                        int accessMask,
                                        InheritanceFlags inheritanceFlags,
                                        PropagationFlags propagationFlags,
                                        AuditFlags auditFlags,
                                        ObjectAceFlags objectFlags,
                                        Guid objectType,
                                        Guid inheritedObjectType)
        {
            if (!IsDS)
            {
                throw new InvalidOperationException("For this overload, IsDS must be true.");
            }

            if (ObjectAceFlags.None == objectFlags)
            {
                RemoveAceSpecific(aceQualifier, sid, accessMask, inheritanceFlags, propagationFlags, auditFlags);
                return;
            }

            RequireCanonicity();
            RemoveAces <ObjectAce> (ace =>
            {
                if (ace.AccessMask != accessMask)
                {
                    return(false);
                }
                if (ace.AceQualifier != aceQualifier)
                {
                    return(false);
                }
                if (ace.SecurityIdentifier != sid)
                {
                    return(false);
                }
                if (ace.InheritanceFlags != inheritanceFlags)
                {
                    return(false);
                }
                if (InheritanceFlags.None != inheritanceFlags)
                {
                    if (ace.PropagationFlags != propagationFlags)
                    {
                        return(false);
                    }
                }
                if (ace.AuditFlags != auditFlags)
                {
                    return(false);
                }
                if (ace.ObjectAceFlags != objectFlags)
                {
                    return(false);
                }
                if (0 != (objectFlags & ObjectAceFlags.ObjectAceTypePresent))
                {
                    if (ace.ObjectAceType != objectType)
                    {
                        return(false);
                    }
                }
                if (0 != (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
                {
                    if (ace.InheritedObjectAceType != objectType)
                    {
                        return(false);
                    }
                }
                return(true);
            });
            CanonicalizeAndClearAefa();
        }
Beispiel #38
0
        //
        // Helper function behind all the AddXXX methods for qualified aces
        //

        internal void AddQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            if ( sid == null )
            {
                throw new ArgumentNullException( "sid" );
            }
            Contract.EndContractBlock();

            ThrowIfNotCanonical();

            bool aceMerged = false; // if still false after all attempts to merge, create new entry

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            }

            if ( accessMask == 0 )
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );
            }

            GenericAce newAce;

            if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
            {
                newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
            }
            else
            {
                newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );
            }

            //
            // Make sure the new ACE wouldn't be meaningless before proceeding
            //

            if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))
            {
                return;
            }

            //
            // See if the new ACE can be merged with any of the existing ones
            //

            for ( int i = 0; i < Count; i++ )
            {
                QualifiedAce ace = _acl[i] as QualifiedAce;

                if ( ace == null )
                {
                    continue;
                }

                if ( true == MergeAces( ref ace, newAce as QualifiedAce ))
                {
                    aceMerged = true;
                    break;
                }
            }

            //
            // Couldn't modify any existing entry, so add a new one
            //

            if ( !aceMerged )
            {
                _acl.InsertAce( _acl.Count, newAce );

                _isDirty = true;
            }
            OnAclModificationTried();
        }
Beispiel #39
0
 internal bool InheritedObjectTypesMatch(ObjectAceFlags objectFlags, Guid inheritedObjectType)
 {
     return((this.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) && ((this.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None || this.InheritedObjectAceType.Equals(inheritedObjectType)));
 }
Beispiel #40
0
        //
        // Helper function behind all the RemoveXXX methods
        //

        internal bool RemoveQualifiedAces( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            if ( accessMask == 0 )
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );
            }

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            }

            if ( sid == null )
            {
                throw new ArgumentNullException( "sid" );
            }
            Contract.EndContractBlock();
            ThrowIfNotCanonical();


            //
            // Two passes are made.
            // During the first pass, no changes are made to the ACL,
            // the ACEs are simply evaluated to ascertain that the operation
            // can succeed.
            // If everything is kosher, the second pass is the one that makes changes.
            //

            bool evaluationPass = true;
            bool removePossible = true; // unless proven otherwise
            
            //
            // Needed for DS acls to keep track of the original access mask specified for removal
            //
            int originalAccessMask = accessMask;
            AceFlags originalFlags = flags;

            //
            // It is possible that the removal will result in an overflow exception
            // because more ACEs get inserted.
            // Save the current state of the object and revert to it later if
            // and exception is thrown.
            //

            byte[] recovery = new byte[BinaryLength];
            GetBinaryForm( recovery, 0 );

        MakeAnotherPass:

            try
            {
                for ( int i = 0; i < Count; i++ )
                {
                    QualifiedAce ace = _acl[i] as QualifiedAce;

                    //
                    // Not a qualified ACE - keep going
                    //

                    if ( ace == null )
                    {
                        continue;
                    }

                    //
                    // Only interested in explicit (non-inherited) ACEs
                    //

                    if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
                    {
                        continue;
                    }

                    //
                    // Only interested in ACEs with the specified qualifier
                    //

                    if ( ace.AceQualifier != qualifier )
                    {
                        continue;
                    }

                    //
                    // Only interested in ACEs with the specified SID
                    //

                    if ( ace.SecurityIdentifier != sid )
                    {
                        continue;
                    }               

                    //
                    // If access masks have nothing in common, skip the whole exercise
                    //

                    if ( IsDS ) 
                    {
                        //
                        // incase of directory aces, if the access mask of the 
                        // existing and new ace have any bits in common that need 
                        // an object type, then we need to perform some checks on the
                        // object types in the two aces. Since certain bits are further qualified
                        // by the object type they cannot be determined to be common without 
                        // inspecting the object type. It is possible that the same bits may be set but
                        // the object types are different in which case they are really not common bits.
                        //
                        accessMask = originalAccessMask;
                        bool objectTypesConflict = !GetAccessMaskForRemoval( ace, objectFlags, objectType, ref accessMask );

                        // if the access masks have nothing in common, skip
                        if (( ace.AccessMask & accessMask ) == 0 )
                        {
                            continue;
                        }

                        //
                        // incase of directory aces, if the existing and new ace are being inherited, 
                        // then we need to perform some checks on the
                        // inherited object types in the two aces. Since inheritance is further qualified
                        // by the inherited object type the inheritance flags cannot be determined to be common without 
                        // inspecting the inherited object type. It is possible that both aces may be further inherited but if
                        // the inherited object types are different the inheritance may not be common.
                        //
                        flags = originalFlags;
                        bool inheritedObjectTypesConflict = !GetInheritanceFlagsForRemoval( ace, objectFlags, inheritedObjectType, ref flags );  

                        if (((( ace.AceFlags & AceFlags.ContainerInherit ) == 0 ) && (( flags & AceFlags.ContainerInherit ) != 0 )  && (( flags & AceFlags.InheritOnly ) != 0 )) ||
                             ((( flags & AceFlags.ContainerInherit ) == 0 ) && (( ace.AceFlags & AceFlags.ContainerInherit ) != 0 )  && (( ace.AceFlags & AceFlags.InheritOnly ) != 0)))
                        {
                            // if one ace applies only to self and the other only to children/descendents we have nothing in common
                            continue;
                        }
                        
                        //
                        // if the ace being removed referred only to child types and child types among existing ace and
                        // ace being removed are not common then there is nothing in common between these aces (skip)
                        //
                        if ((( originalFlags & AceFlags.ContainerInherit ) != 0 ) && (( originalFlags & AceFlags.InheritOnly ) != 0 ) && (( flags & AceFlags.ContainerInherit ) == 0 )) 
                        {
                            continue;
                        }

                        if ( objectTypesConflict || inheritedObjectTypesConflict )
                        {
                            //
                            // if we reached this stage, then we've found something common between the two aces.
                            // But since there is a conflict between the object types (or inherited object types), the remove is not possible
                            //
                            removePossible = false;
                            break;
                        }
                    }
                    else 
                    {
                        if (( ace.AccessMask & accessMask ) == 0 )
                        {
                            continue;
                        }
                    }

                    //
                    // If audit flags on a SACL have nothing in common,
                    // skip the whole exercise
                    //

                    if ( saclSemantics &&
                        (( ace.AceFlags & flags & AceFlags.AuditFlags ) == 0 ))
                    {
                        continue;
                    }

                    //
                    // See if the ACE needs to be split into several
                    // To illustrate with an example, consider this equation:
                    //            From: CI OI    NP SA FA R W
                    //          Remove:    OI IO NP SA    R
                    //
                    // PermissionSplit: CI OI    NP SA FA   W   // remove R
                    //   AuditingSplit: CI OI    NP    FA R     // remove SA
                    //      MergeSplit: CI OI    NP SA    R     // ready for merge
                    //          Remove:    OI IO NP SA    R     // same audit and perm flags as merge split
                    //
                    //          Result: CI OI    NP SA FA   W   // PermissionSplit
                    //                  CI OI    NP    FA R     // AuditingSplit
                    //                  CI       NP SA    R     // Result of perm removal
                    //

                    //
                    // Example for DS acls (when removal is possible)
                    //
                    // From: CI(Guid) LC CC(Guid)
                    // Remove: CI IO LC
                    //
                    // PermissionSplit: CI(Guid) CC(Guid) // Remove GR
                    //        MergeSplit: CI(Guid) LC // Ready for merge
                    //           Remove: CI IO LC // Removal is possible since we are trying to remove inheritance for
                    //                                            all child types when it exists for one specific child type
                    //
                    //              Result: CI(Guid) CC(Guid) // PermissionSplit
                    //                         LC // Result of perm removal
                    //
                    //
                    // Example for DS acls (when removal is NOT possible)
                    //
                    // From: CI GR CC(Guid)
                    // Remove: CI(Guid) IO LC
                    //
                    // PermissionSplit: CI CC(Guid) // Remove GR
                    //        MergeSplit: CI LC // Ready for merge
                    //           Remove: CI(Guid) IO CC // Removal is not possible since we are trying to remove 
                    //                                                     inheritance for a specific child type when it exists for all child types
                    //

                    // Permission split settings
                    AceFlags ps_AceFlags = 0;
                    int ps_AccessMask = 0;
                    ObjectAceFlags ps_ObjectAceFlags = 0;
                    Guid ps_ObjectAceType = Guid.Empty;
                    Guid ps_InheritedObjectAceType = Guid.Empty;

                    // Auditing split makes sense if this is a SACL
                    AceFlags as_AceFlags = 0;
                    int as_AccessMask = 0;
                    ObjectAceFlags as_ObjectAceFlags = 0;
                    Guid as_ObjectAceType = Guid.Empty;
                    Guid as_InheritedObjectAceType = Guid.Empty;

                    // Merge split settings
                    AceFlags ms_AceFlags = 0;
                    int ms_AccessMask = 0;
                    ObjectAceFlags ms_ObjectAceFlags = 0;
                    Guid ms_ObjectAceType = Guid.Empty;
                    Guid ms_InheritedObjectAceType = Guid.Empty;

                    // Merge result settings
                    AceFlags mergeResultFlags = 0;
                    bool mergeRemoveTotal = false;

                    //
                    // First compute the permission split
                    //

                    ps_AceFlags = ace.AceFlags;
                    unchecked { ps_AccessMask = ace.AccessMask & ~accessMask; }

                    if ( ace is ObjectAce ) 
                    {
                        //
                        // determine what should be the object/inherited object types on the permission split
                        //
                        GetObjectTypesForSplit( ace as ObjectAce, ps_AccessMask /* access mask for this split */, ps_AceFlags /* flags remain the same */, out ps_ObjectAceFlags, out ps_ObjectAceType, out ps_InheritedObjectAceType );
                    }
                    
                    //
                    // Next, for SACLs only, compute the auditing split
                    //

                    if ( saclSemantics )
                    {
                        //
                        // This operation can set the audit bits region
                        // of ACE flags to zero;
                        // This case will be handled later
                        //

                        unchecked { as_AceFlags = ace.AceFlags & ~( flags & AceFlags.AuditFlags ); }

                        //
                        // The result of this evaluation is guaranteed
                        // not to be zero by now
                        //

                        as_AccessMask = ( ace.AccessMask & accessMask );

                        if ( ace is ObjectAce ) 
                        {
                            //
                            // determine what should be the object/inherited object types on the audit split
                            //
                            GetObjectTypesForSplit( ace as ObjectAce, as_AccessMask /* access mask for this split */, as_AceFlags /* flags remain the same for inheritance */, out as_ObjectAceFlags, out as_ObjectAceType, out as_InheritedObjectAceType );
                        }
                    }

                    //
                    // Finally, compute the merge split
                    //

                    ms_AceFlags = ( ace.AceFlags & AceFlags.InheritanceFlags ) | ( flags & ace.AceFlags & AceFlags.AuditFlags );
                    ms_AccessMask = ( ace.AccessMask & accessMask );

                   
                    //
                    // Now is the time to obtain the result of applying the remove
                    // operation to the merge split
                    // Skipping this step for SACLs where the merge split step
                    // produced no auditing flags
                    //

                    if ( !saclSemantics ||
                        (( ms_AceFlags & AceFlags.AuditFlags ) != 0 ))
                    {         
                        if ( false == RemoveInheritanceBits( ms_AceFlags, flags, IsDS, out mergeResultFlags, out mergeRemoveTotal ))
                        {
                            removePossible = false;
                            break;
                        }

                        if ( !mergeRemoveTotal )
                        {
                            mergeResultFlags |= ( ms_AceFlags & AceFlags.AuditFlags );
                            
                            if ( ace is ObjectAce ) 
                            {
                                //
                                // determine what should be the object/inherited object types on the merge split
                                //
                                GetObjectTypesForSplit( ace as ObjectAce, ms_AccessMask /* access mask for this split */, mergeResultFlags /* flags for this split */, out ms_ObjectAceFlags, out ms_ObjectAceType, out ms_InheritedObjectAceType );
                            }    
                        }
                    }

                    //
                    // If this is no longer an evaluation, go ahead and make the changes
                    //

                    if ( !evaluationPass )
                    {
                        QualifiedAce newAce;

                        //
                        // Modify the existing ACE in-place if it has any access
                        // mask bits left, otherwise simply remove it
                        // However, if for an object ace we are removing the object type 
                        // then we should really remove this ace and add a new one since
                        // we would be changing the size of this ace
                        //

                        if ( ps_AccessMask != 0 )
                        {
                            if (( ace is ObjectAce ) &&
                                (((( ObjectAce) ace ).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) &&
                                     (( ps_ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
                            {
                                ObjectAce newObjectAce;

                                _acl.RemoveAce(i);
                                newObjectAce = new ObjectAce( ps_AceFlags, qualifier, ps_AccessMask, ace.SecurityIdentifier, ps_ObjectAceFlags, ps_ObjectAceType, ps_InheritedObjectAceType, false, null );
                                _acl.InsertAce( i, newObjectAce );
                            }
                            else 
                            {
                                ace.AceFlags = ps_AceFlags;
                                ace.AccessMask = ps_AccessMask;

                                if ( ace is ObjectAce ) 
                                {
                                    ObjectAce objectAce = ace as ObjectAce;
                                    
                                    objectAce.ObjectAceFlags = ps_ObjectAceFlags;
                                    objectAce.ObjectAceType = ps_ObjectAceType;
                                    objectAce.InheritedObjectAceType = ps_InheritedObjectAceType;
                                }
                            }
                        }
                        else
                        {
                            _acl.RemoveAce(i);
                            i--; // keep the array index honest
                        }

                        //
                        // On a SACL, the result of the auditing split must be recorded
                        //

                        if ( saclSemantics && (( as_AceFlags & AceFlags.AuditFlags ) != 0 ))
                        {
                            if ( ace is CommonAce )
                            {
                                newAce = new CommonAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, false, null );
                            }
                            else
                            {
                                // object ace
                                newAce = new ObjectAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, as_ObjectAceFlags, as_ObjectAceType, as_InheritedObjectAceType, false, null );
                            }

                            i++; // so it's not considered again
                            _acl.InsertAce( i, newAce );
                        }

                        //
                        // If there are interesting bits left over from a remove, store them
                        // as a separate ACE
                        //

                        if ( !mergeRemoveTotal )
                        {
                            if ( ace is CommonAce )
                            {
                                newAce = new CommonAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, false, null );
                            }
                            else
                            {
                                // object ace
                                newAce = new ObjectAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, ms_ObjectAceFlags, ms_ObjectAceType, ms_InheritedObjectAceType, false, null );
                            }

                            i++; // so it's not considered again
                            _acl.InsertAce( i, newAce );
                        }
                    }
                }
            }
            catch( OverflowException )
            {
                //
                // Oops, overflow means that the ACL became too big.
                // Inform the caller that the remove was not possible.
                //

                _acl.SetBinaryForm( recovery, 0 );
                return false;
            }

            //
            // Finished evaluating the possibility of a remove.
            // If it looks like it's doable, go ahead and do it.
            //

            if ( evaluationPass && removePossible )
            {
                evaluationPass = false;
                goto MakeAnotherPass;
            }

            OnAclModificationTried();

            return removePossible;
        }
        internal void Serialize(BinaryWriter writer)
        {
            byte[] sid_data = Sid.ToArray();
            if (Type == AceType.AllowedCompound)
            {
                MemoryStream stm       = new MemoryStream();
                BinaryWriter sidwriter = new BinaryWriter(stm);
                sidwriter.Write((int)CompoundAceType.Impersonation);
                sidwriter.Write(ServerSid.ToArray());
                sidwriter.Write(sid_data);
                sid_data = stm.ToArray();
            }

            int total_length = 4 + 4 + sid_data.Length;

            if (ApplicationData != null)
            {
                total_length += ApplicationData.Length;
            }

            // Add a round up to 4 byte alignment.
            int padding = 4 - (total_length % 4);

            if (padding == 4)
            {
                padding = 0;
            }

            total_length += padding;

            ObjectAceFlags flags = ObjectAceFlags.None;

            if (IsObjectAce)
            {
                // For Flags
                total_length += 4;
                if (ObjectType.HasValue)
                {
                    total_length += 16;
                    flags        |= ObjectAceFlags.ObjectTypePresent;
                }
                if (InheritedObjectType.HasValue)
                {
                    total_length += 16;
                    flags        |= ObjectAceFlags.InheritedObjectTypePresent;
                }
            }
            if (total_length > ushort.MaxValue)
            {
                throw new ArgumentOutOfRangeException("Total ACE length greater than maximum");
            }

            writer.Write((byte)Type);
            writer.Write(MapFromFlags(Type, Flags));
            writer.Write((ushort)total_length);
            writer.Write(Mask.Access);
            if (IsObjectAce)
            {
                writer.Write((uint)flags);
                if (ObjectType.HasValue)
                {
                    writer.Write(ObjectType.Value.ToByteArray());
                }
                if (InheritedObjectType.HasValue)
                {
                    writer.Write(InheritedObjectType.Value.ToByteArray());
                }
            }
            writer.Write(sid_data);
            writer.Write(ApplicationData ?? new byte[0]);
            if (padding != 0)
            {
                writer.Write(new byte[padding]);
            }
        }
Beispiel #42
0
        public void RemoveAuditSpecific( AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            //
            // This is valid only for DS Acls 
            //
            if ( !IsDS )
            {
                throw new InvalidOperationException(
                    Environment.GetResourceString( "InvalidOperation_OnlyValidForDS" ));
            }
            Contract.EndContractBlock();

            RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
        }
Beispiel #43
0
        //
        // This method checks if the objectType matches with the specified object type
        // (Either both do not have an object type or they have the same object type)
        //
        internal bool ObjectTypesMatch(ObjectAceFlags objectFlags, Guid objectType)
        {
            if ((ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != (objectFlags & ObjectAceFlags.ObjectAceTypePresent))
            {
                return false;
            }

            if (((ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != 0) &&
                (!ObjectAceType.Equals(objectType)))
            {
                return false;
            }

            return true;
        }
	// Constructors
	public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, System.Security.Principal.SecurityIdentifier sid, ObjectAceFlags flags, System.Guid type, System.Guid inheritedType, bool isCallback, byte[] opaque) {}
Beispiel #45
0
 protected static void VerifyObjectAce(ObjectAce ace, AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
 {
     Assert.Equal(aceFlags, ace.AceFlags);
     Assert.Equal(accessMask, ace.AccessMask);
     Assert.Equal(sid, ace.SecurityIdentifier);
     Assert.Equal(opaque, ace.GetOpaque());
     Assert.Equal(qualifier, ace.AceQualifier);
     Assert.Equal(isCallback, ace.IsCallback);
     Assert.Equal(flags, ace.ObjectAceFlags);
     Assert.Equal(type, ace.ObjectAceType);
     Assert.Equal(inheritedType, ace.InheritedObjectAceType);
 }
 public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType);
 /// <summary>Initiates a new instance of the <see cref="T:System.Security.AccessControl.ObjectAce" /> class.</summary>
 /// <param name="aceFlags">The inheritance, inheritance propagation, and auditing conditions for the new Access Control Entry (ACE).</param>
 /// <param name="qualifier">The use of the new ACE.</param>
 /// <param name="accessMask">The access mask for the ACE.</param>
 /// <param name="sid">The <see cref="T:System.Security.Principal.SecurityIdentifier" /> associated with the new ACE.</param>
 /// <param name="flags">Whether the <paramref name="type" /> and <paramref name="inheritedType" /> parameters contain valid object GUIDs.</param>
 /// <param name="type">A GUID that identifies the object type to which the new ACE applies.</param>
 /// <param name="inheritedType">A GUID that identifies the object type that can inherit the new ACE.</param>
 /// <param name="isCallback">true if the new ACE is a callback type ACE.</param>
 /// <param name="opaque">Opaque data associated with the new ACE. This is allowed only for callback ACE types. The length of this array must not be greater than the return value of the <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> method.</param>
 /// <exception cref="T:System.ArgumentOutOfRangeException">The qualifier parameter contains an invalid value or the length of the value of the opaque parameter is greater than the return value of the <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> method.</exception>
 public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque) : base(InheritanceFlags.None, PropagationFlags.None, qualifier, isCallback, opaque)
 {
     base.AceFlags              = aceFlags;
     base.SecurityIdentifier    = sid;
     this.object_ace_flags      = flags;
     this.object_ace_type       = type;
     this.inherited_object_type = inheritedType;
 }