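        /// <summary>
        /// Reads every Central Access Rule (CAR) and Central Access Policy (CAP) published under the domain's
        /// "CN=Claims Configuration,CN=Services,CN=Configuration" container and returns the policies keyed by
        /// their <c>cn</c>, with each policy's member rules resolved from the rule search.
        /// </summary>
        /// <param name="domainName">DNS name of the domain (e.g. "contoso.com"); also used as the LDAP host.</param>
        /// <param name="userName">Bind account, sent as "NETBIOS\user" where the NetBIOS name is taken from the first DNS label.</param>
        /// <param name="password">Password for <paramref name="userName"/>.</param>
        /// <returns>Policies keyed by CAP name (<c>cn</c>).</returns>
        /// <exception cref="KeyNotFoundException">A CAP references a rule DN that the rule search did not return.</exception>
        /// <exception cref="ArgumentException">Two rules share a DN, or two policies share a <c>cn</c>.</exception>
        protected Dictionary <string, CentralAccessPolicy> QueryCaps(string domainName, string userName, string password)
        {
            Dictionary <string, CentralAccessRule>   rules    = new Dictionary <string, CentralAccessRule>();
            Dictionary <string, CentralAccessPolicy> policies = new Dictionary <string, CentralAccessPolicy>();

            string[] domainNameTokens = domainName.Split('.');
            // Down-level logon name "NETBIOS\user". ToUpperInvariant keeps the casing culture-independent
            // (ToUpper() would mangle e.g. 'i' under a Turkish UI culture).
            string        admin      = $"{domainNameTokens[0].ToUpperInvariant()}\\{userName}";
            StringBuilder bindString = new StringBuilder("CN=Claims Configuration,CN=Services,CN=Configuration");

            foreach (string domainNameToken in domainNameTokens)
            {
                bindString.Append(",DC=");
                bindString.Append(domainNameToken);
            }
            string searchBase = bindString.ToString();

            using (LdapConnection conn = new LdapConnection())
            {
                // NOTE(review): plain port-389 connection followed by a simple bind. Unless this LdapConnection
                // negotiates StartTLS or signing, the bind password crosses the wire unprotected — confirm against
                // the library in use.
                conn.Connect(domainName, 389);
                conn.Bind(admin, password);

                // Pass 1: rules, keyed by DN, because policies reference their members by DN.
                var results   = conn.Search(searchBase, LdapConnection.ScopeSub, "(objectClass=msAuthz-CentralAccessRule)", new string[] { "cn", "distinguishedName", "msAuthz-EffectiveSecurityPolicy", "msAuthz-ResourceCondition" }, false);
                var entryList = results.GetAllLdapEntries();
                foreach (KeyValuePair <string, IList <LdapAttribute> > kvp in entryList)
                {
                    string dn                = kvp.Value.GetStringValueFromAttributes("distinguishedName");
                    string carName           = kvp.Value.GetStringValueFromAttributes("cn");
                    string sddl              = kvp.Value.GetStringValueFromAttributes("msAuthz-EffectiveSecurityPolicy");
                    string resourceCondition = kvp.Value.GetStringValueFromAttributes("msAuthz-ResourceCondition");

                    CentralAccessRule rule = new CentralAccessRule {
                        Name = carName, Sddl = sddl, ResourceCondition = resourceCondition
                    };
                    rules.Add(dn, rule);
                }

                // Pass 2: policies; msAuthz-MemberRulesInCentralAccessPolicy lists the DNs of the member rules.
                results = conn.Search(searchBase, LdapConnection.ScopeSub, "(objectClass=msAuthz-CentralAccessPolicy)", new string[] { "cn", "msAuthz-CentralAccessPolicyID", "msAuthz-MemberRulesInCentralAccessPolicy" }, false);
                var policyEntryList = results.GetAllLdapEntries();
                foreach (KeyValuePair <string, IList <LdapAttribute> > kvp in policyEntryList)
                {
                    CentralAccessPolicy policy = new CentralAccessPolicy();
                    string capName             = kvp.Value.GetStringValueFromAttributes("cn");
                    policy.Name = capName;
                    // The CAP identifier is a binary SID.
                    byte[] sidInBinary = (byte[])kvp.Value.GetBytesValueFromAttributes("msAuthz-CentralAccessPolicyID")[0];
                    _SID   capId       = TypeMarshal.ToStruct <_SID>(sidInBinary);
                    policy.Id = capId;
                    IList <string> rulesPath = kvp.Value.GetStringListValueFromAttributes("msAuthz-MemberRulesInCentralAccessPolicy");
                    foreach (string ruleDN in rulesPath)
                    {
                        CentralAccessRule memberRule;
                        if (!rules.TryGetValue(ruleDN, out memberRule))
                        {
                            // Same exception type the indexer would throw, but name the dangling reference so a
                            // misconfigured CAP can be located without a debugger.
                            throw new KeyNotFoundException($"CAP '{capName}' references rule '{ruleDN}', which was not found under '{searchBase}'.");
                        }
                        policy.MemberRules.Add(memberRule);
                    }

                    policies.Add(capName, policy);
                }

                conn.Disconnect();
            }

            return policies;
        }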
        /// <summary>
        /// Looks up the CAP named <paramref name="capName"/> in <c>caps</c> and applies its SID to the CBAC share.
        /// </summary>
        /// <param name="capName">Key into <c>caps</c>; an unknown name surfaces as the indexer's KeyNotFoundException.</param>
        private void SetCentralAccessPolicy(string capName)
        {
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Central Access Policy: {0} to the share: {1}", capName, CBACShareUncPath);

            var policy = caps[capName];
            BaseTestSite.Log.Add(LogEntryKind.Debug, "Policy info: {0}", policy);

            base.SetCap(CBACShareUncPath, policy.Id);
        }
        /// <summary>
        /// Negative case: the file's security descriptor holds no ACE for the user's SID, so the read must be refused.
        /// </summary>
        public void FilePermission_AccessDeny_SidNoInclude()
        {
            _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

            bool   canRead = TryReadFile();
            string sddl    = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsFalse(canRead, "User SID ({0}) is not in file Security Descriptor. User should not be able to read the file.", sddl);
        }
        /// <summary>
        /// Negative case on the share folder: no ACE for the user's SID is present, so AccessShare() must fail.
        /// </summary>
        public void FolderPermission_AccessDeny_SidNoInclude()
        {
            _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);

            bool   accessible = AccessShare();
            string sddl       = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsFalse(accessible, "User SID ({0}) is not in folder Security Descriptor. User should not be able to access the share.", sddl);
        }
        /// <summary>
        /// Negative case: the file's security descriptor holds no ACE for the user's SID (resolved through the
        /// SUT control adapter), so the read must be refused.
        /// </summary>
        public void FilePermission_AccessDeny_SidNoInclude()
        {
            _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

            bool   canRead = TryReadFile();
            string sddl    = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsFalse(canRead, "User SID ({0}) is not in file Security Descriptor. User should not be able to read the file.", sddl);
        }
        /// <summary>
        /// Positive case: an ACCESS_ALLOWED_ACE granting GENERIC_READ to the user's SID is written to the file,
        /// after which the read must succeed.
        /// </summary>
        public void BVT_FilePermission_AccessAllow_UserSid()
        {
            _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

            object allowAce = DtypUtility.CreateAccessAllowedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
            SetSecurityDescriptorOnFile(allowAce);

            bool   canRead = TryReadFile();
            string sddl    = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsTrue(canRead, "ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.", sddl);
        }
        /// <summary>
        /// Negative case: an ACCESS_DENIED_ACE for GENERIC_READ on the user's SID is written to the share folder,
        /// after which access must be refused.
        /// </summary>
        public void FolderPermission_AccessDeny_UserSid()
        {
            _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);

            object denyAce = DtypUtility.CreateAccessDeniedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
            SetSecurityDescriptorOnShare(denyAce);

            bool   accessible = AccessShare();
            string sddl       = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsFalse(accessible, "ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.", sddl);
        }
        /// <summary>
        /// Positive case: an ACCESS_ALLOWED_ACE granting GENERIC_READ to the user's SID (resolved with the
        /// configured user credentials) is written to the file, after which the read must succeed.
        /// </summary>
        public void BVT_FilePermission_AccessAllow_UserSid()
        {
            _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);

            object allowAce = DtypUtility.CreateAccessAllowedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
            SetSecurityDescriptorOnFile(allowAce);

            bool   canRead = TryReadFile();
            string sddl    = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsTrue(canRead, "ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.", sddl);
        }
        /// <summary>
        /// Negative case: an ACCESS_DENIED_ACE for GENERIC_READ on the user's SID (resolved through the SUT control
        /// adapter) is written to the share folder, after which access must be refused.
        /// </summary>
        public void FolderPermission_AccessDeny_UserSid()
        {
            _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

            object denyAce = DtypUtility.CreateAccessDeniedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
            SetSecurityDescriptorOnShare(denyAce);

            bool   accessible = AccessShare();
            string sddl       = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsFalse(accessible, "ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.", sddl);
        }
        /// <summary>
        /// Negative case: an ACCESS_ALLOWED_ACE with an empty access mask (no READ right) is written for the user's
        /// SID on the share folder; because nothing is granted, access must still be refused.
        /// </summary>
        public void FolderPermission_AccessDeny_UserSidWithoutReadPermission()
        {
            _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name, testConfig.UserName, testConfig.UserPassword);

            // Mask 0: an allow ACE that grants no right at all.
            object emptyAllowAce = DtypUtility.CreateAccessAllowedAce(userSid, 0, ACE_FLAGS.None);
            SetSecurityDescriptorOnShare(emptyAllowAce);

            bool   accessible = AccessShare();
            string sddl       = DtypUtility.ToSddlString(userSid);
            BaseTestSite.Assert.IsFalse(accessible, "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.", sddl);
        }
        /// <summary>
        /// Positive case: an ACCESS_ALLOWED_ACE granting GENERIC_READ to the group's SID is written to the share
        /// folder; a user who is a member of that group must then be able to access the share.
        /// </summary>
        public void FolderPermission_AccessAllow_GroupSid()
        {
            _SID groupSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azGroup01Name, testConfig.UserName, testConfig.UserPassword);

            object allowAce = DtypUtility.CreateAccessAllowedAce(groupSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
            SetSecurityDescriptorOnShare(allowAce);

            bool   accessible = AccessShare();
            string sddl       = DtypUtility.ToSddlString(groupSid);
            BaseTestSite.Assert.IsTrue(accessible, "ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.", sddl);
        }
        /// <summary>
        /// Negative case: an ACCESS_DENIED_ACE for GENERIC_READ on the group's SID is written to the file; a user
        /// who is a member of that group must then be unable to read it.
        /// </summary>
        public void FilePermission_AccessDeny_GroupSid()
        {
            _SID groupSid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);

            object denyAce = DtypUtility.CreateAccessDeniedAce(groupSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
            SetSecurityDescriptorOnFile(denyAce);

            bool   canRead = TryReadFile();
            string sddl    = DtypUtility.ToSddlString(groupSid);
            BaseTestSite.Assert.IsFalse(canRead, "ACCESS_DENIED_ACE with user's group SID ({0}) exists in file Security Descriptor. User should be not able to read the file.", sddl);
        }
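        /// <summary>
        /// Negative case: an ACCESS_ALLOWED_ACE with an empty access mask (no READ right) is written for the user's
        /// SID on the file; because nothing is granted, the read must still be refused.
        /// </summary>
        public void FilePermission_AccessDeny_UserSidWithoutReadPermission()
        {
            _SID sid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
            // Mask 0: an allow ACE that grants no right at all.
            object ace = DtypUtility.CreateAccessAllowedAce(sid, 0, ACE_FLAGS.None);

            SetSecurityDescriptorOnFile(ace);

            // The assertion message used to say "folder"; this test writes the ACE to the file's descriptor.
            BaseTestSite.Assert.IsFalse(
                TryReadFile(),
                "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in file Security Descriptor. User should not be able to read the file.",
                DtypUtility.ToSddlString(sid));
        }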
        /// <summary>
        /// Enumerates the user objects under the domain's "CN=Users" container through ADSI
        /// (System.DirectoryServices) and returns them keyed by <c>cn</c>.
        /// The bind uses <see cref="AuthenticationTypes.Secure"/>, i.e. Windows authentication rather than an
        /// LDAP simple bind.
        /// </summary>
        /// <param name="domainName">DNS domain name; its labels become the DC= components of the LDAP path.</param>
        /// <param name="userName">Account used to bind.</param>
        /// <param name="password">Password for <paramref name="userName"/>.</param>
        /// <returns>Users keyed by <c>cn</c>.</returns>
        /// <exception cref="ArgumentException">Two returned entries share the same <c>cn</c>.</exception>
        protected Dictionary <string, User> QueryUserInfo(string domainName, string userName, string password)
        {
            Dictionary <string, User> users = new Dictionary <string, User>();

            string[] domainNameTokens = domainName.Split('.');
            Debug.Assert(domainNameTokens.Length >= 2, "Domain name has at least 2 parts.");

            // ADSI path: LDAP://CN=Users,DC=<label>,DC=<label>,...
            StringBuilder path = new StringBuilder("LDAP://CN=Users");
            foreach (string label in domainNameTokens)
            {
                path.Append(",DC=").Append(label);
            }

            using (DirectoryEntry root = new DirectoryEntry(path.ToString()))
            {
                root.AuthenticationType = AuthenticationTypes.Secure;
                root.Username           = userName;
                root.Password           = password;

                string[] attributes = { "cn", "countryCode", "department", "objectSid" };
                using (DirectorySearcher searcher = new DirectorySearcher(root, "(objectClass=user)", attributes, SearchScope.Subtree))
                using (SearchResultCollection found = searcher.FindAll())
                {
                    foreach (SearchResult entry in found)
                    {
                        ResultPropertyCollection props = entry.Properties;
                        string name = (string)props["cn"][0];

                        User user = new User { Name = name };
                        // countryCode and department are copied only when the entry actually carries them.
                        if (props["countryCode"].Count > 0)
                        {
                            user.CountryCode = (int)props["countryCode"][0];
                        }
                        if (props["department"].Count > 0)
                        {
                            user.Department = (string)props["department"][0];
                        }
                        // objectSid is stored as a binary SID.
                        user.Sid = TypeMarshal.ToStruct <_SID>((byte[])props["objectSid"][0]);

                        users.Add(name, user);
                    }
                }
            }

            return users;
        }
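        /// <summary>
        /// Enumerates user objects under "CN=Users,DC=..." through an LDAP simple bind and returns them keyed by <c>cn</c>.
        /// </summary>
        /// <param name="domainName">DNS domain name; used both as the LDAP host and to build the search base.</param>
        /// <param name="userName">Bind account, sent as "NETBIOS\user" where the NetBIOS name is taken from the first DNS label.</param>
        /// <param name="password">Password for <paramref name="userName"/>.</param>
        /// <returns>Users keyed by <c>cn</c>.</returns>
        /// <exception cref="ArgumentException">Two returned entries share the same <c>cn</c>.</exception>
        protected Dictionary <string, User> QueryUserInfo(string domainName, string userName, string password)
        {
            Dictionary <string, User> users = new Dictionary <string, User>();

            string[] domainNameTokens = domainName.Split('.');
            // ToUpperInvariant: culture-independent casing for the NetBIOS-style logon name.
            string        admin      = $"{domainNameTokens[0].ToUpperInvariant()}\\{userName}";
            StringBuilder bindString = new StringBuilder("CN=Users");

            foreach (string domainNameToken in domainNameTokens)
            {
                bindString.Append(",DC=");
                bindString.Append(domainNameToken);
            }

            string searchBase = bindString.ToString();

            using (LdapConnection conn = new LdapConnection())
            {
                // NOTE(review): plain port-389 connection followed by a simple bind. Unless this LdapConnection
                // negotiates StartTLS or signing, the bind password crosses the wire unprotected — confirm against
                // the library in use.
                conn.Connect(domainName, 389);
                conn.Bind(admin, password);

                var results   = conn.Search(searchBase, LdapConnection.ScopeSub, "(objectClass=user)", new string[] { "cn", "countryCode", "department", "objectSid" }, false);
                var entryList = results.GetAllLdapEntries();
                foreach (KeyValuePair <string, IList <LdapAttribute> > kvp in entryList)
                {
                    User   user = new User();
                    string name = kvp.Value.GetStringValueFromAttributes("cn");
                    user.Name = name;

                    // Bug fix: the condition used to be inverted (it attempted the parse only when the string was
                    // null or empty), so CountryCode was never populated. Parse only when the attribute is present.
                    string countryCodeStr = kvp.Value.GetStringValueFromAttributes("countryCode");
                    int    countryCode;
                    if (!string.IsNullOrEmpty(countryCodeStr) && int.TryParse(countryCodeStr, out countryCode))
                    {
                        user.CountryCode = countryCode;
                    }
                    user.Department = kvp.Value.GetStringValueFromAttributes("department");

                    // objectSid is stored as a binary SID.
                    byte[] sidInBinary = (byte[])kvp.Value.GetBytesValueFromAttributes("objectSid")[0];
                    user.Sid = TypeMarshal.ToStruct <_SID>(sidInBinary);
                    users.Add(name, user);
                }
            }

            return users;
        }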
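        /// <summary>
        /// Parse an ldap object from byte array to string
        /// </summary>
        /// <param name="ldapSyntax">The ldap syntax.</param>
        /// <param name="buffer">The byte array object.</param>
        /// <returns>Result in string format.</returns>
        /// <exception cref="System.ArgumentNullException">Thrown when <paramref name="buffer"/> is null.</exception>
        /// <exception cref="System.NotSupportedException">Thrown when the ldapSyntax is not supported.</exception>
        /// <remarks>
        /// Text-like syntaxes are decoded as UTF-8; NT security descriptors are rendered as SDDL; SIDs are rendered
        /// in their SDDL string form.
        /// </remarks>
        public static string Parse(AdtsLdapSyntax ldapSyntax, byte[] buffer)
        {
            // Fail early with the parameter name instead of an ArgumentNullException raised from inside the decoder.
            if (buffer == null)
            {
                throw new ArgumentNullException(nameof(buffer));
            }

            string result;

            switch (ldapSyntax)
            {
            // Everything in this group is treated as UTF-8 text. NOTE(review): StringForOctet and
            // ObjectForReplicaLink may carry non-text bytes, in which case the decode yields replacement
            // characters rather than the raw value — confirm that is the intended rendering.
            case AdtsLdapSyntax.Boolean:
            case AdtsLdapSyntax.Enumeration:
            case AdtsLdapSyntax.Integer:
            case AdtsLdapSyntax.LargeInteger:
            case AdtsLdapSyntax.ObjectForAccessPoint:
            case AdtsLdapSyntax.ObjectForDNString:
            case AdtsLdapSyntax.ObjectForORName:
            case AdtsLdapSyntax.ObjectForDNBinary:
            case AdtsLdapSyntax.ObjectForDSDN:
            case AdtsLdapSyntax.ObjectForPresentationAddress:
            case AdtsLdapSyntax.StringForCase:
            case AdtsLdapSyntax.StringForIA5:
            case AdtsLdapSyntax.StringForObjectIdentifier:
            case AdtsLdapSyntax.StringForPrintable:
            case AdtsLdapSyntax.ObjectForReplicaLink:
            case AdtsLdapSyntax.StringForOctet:
            case AdtsLdapSyntax.StringForNumeric:
            case AdtsLdapSyntax.StringForTeletex:
            case AdtsLdapSyntax.StringForUnicode:
            case AdtsLdapSyntax.StringForUTCTime:
            case AdtsLdapSyntax.StringForGeneralizedTime:
                result = Encoding.UTF8.GetString(buffer);
                break;

            // Self-relative security descriptor -> SDDL covering owner, group, DACL and SACL.
            case AdtsLdapSyntax.StringForNTSecDesc:
                RawSecurityDescriptor ntSecurityDescriptor = new RawSecurityDescriptor(buffer, 0);
                result = ntSecurityDescriptor.GetSddlForm(AccessControlSections.All);
                break;

            // Binary SID -> SDDL string form.
            case AdtsLdapSyntax.StringForSid:
                _SID sid = TypeMarshal.ToStruct <_SID>(buffer);
                result = DtypUtility.ToSddlString(sid);
                break;

            default:
                throw new NotSupportedException("The specified syntax is not supported.");
            }

            return result;
        }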
        /// <summary>
        /// Lists the groups <paramref name="userName"/> belongs to as a JSON array of <see cref="Group"/> objects
        /// (Name and Sid), querying the domain with the adapter's admin credentials.
        /// </summary>
        /// <param name="userName">Account whose group memberships are resolved.</param>
        /// <returns>JSON produced with <c>serializerOptions</c>.</returns>
        public string GetUserMemberships(string userName)
        {
            List <Group> groups = new List <Group>();

            foreach (LdapEntry entry in DtypUtility.GetUserMemberships(domainName, userName, adminName, adminPassword))
            {
                string name     = entry.GetAttribute("name").StringValue;
                byte[] sidBytes = entry.GetAttribute("objectSid").ByteValue;

                groups.Add(new Group
                {
                    Name = name,
                    Sid  = TypeMarshal.ToStruct <_SID>(sidBytes)
                });
            }

            return JsonSerializer.Serialize(groups, serializerOptions);
        }
        /// <summary>
        /// Lists the domain's users as a JSON array of <see cref="User"/> objects (Name and Sid), querying the
        /// domain with the adapter's admin credentials.
        /// </summary>
        /// <returns>JSON produced with <c>serializerOptions</c>.</returns>
        public string GetUsers()
        {
            List <User> users = new List <User>();

            foreach (LdapEntry entry in DtypUtility.GetUsers(domainName, adminName, adminPassword))
            {
                string name     = entry.GetAttribute("name").StringValue;
                byte[] sidBytes = entry.GetAttribute("objectSid").ByteValue;

                users.Add(new User
                {
                    Name = name,
                    Sid  = TypeMarshal.ToStruct <_SID>(sidBytes)
                });
            }

            return JsonSerializer.Serialize(users, serializerOptions);
        }
        /// <summary>
        /// Negative case: the share's security descriptor holds no ACE for the user's SID, so access must be refused.
        /// Uses the dynamically configurable share when it exists, otherwise the pre-provisioned "AzShare05".
        /// </summary>
        public void SharePermission_AccessDeny_SidNoInclude()
        {
            _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

            string shareName  = dynamicallyConfigurableShareExist ? dynamicallyConfigurableShareName : "AzShare05";
            bool   accessible = AccessShare(shareName);
            string sddl       = DtypUtility.ToSddlString(userSid);

            BaseTestSite.Assert.IsFalse(accessible, "User SID ({0}) is not in share Security Descriptor. User should not be able to access the share.", sddl);
        }
        /// <summary>
        /// Negative case: an ACCESS_DENIED_ACE covering all standard and specific rights is written for the user's
        /// SID on the dynamically configurable share (or the pre-provisioned "AzShare03" is used), after which
        /// access must be refused.
        /// </summary>
        public void SharePermission_AccessDeny_UserSid()
        {
            _SID   userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);
            string shareName;

            if (!dynamicallyConfigurableShareExist)
            {
                shareName = "AzShare03";
            }
            else
            {
                uint   allRights = DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL;
                object denyAce   = DtypUtility.CreateAccessDeniedAce(userSid, allRights, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(denyAce);
                shareName = dynamicallyConfigurableShareName;
            }

            bool accessible = AccessShare(shareName);

            BaseTestSite.Assert.IsFalse(
                accessible,
                "ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.",
                DtypUtility.ToSddlString(userSid));
        }
        /// <summary>
        /// Positive case: an ACCESS_ALLOWED_ACE covering all standard and specific rights is written for the user's
        /// SID on the dynamically configurable share (or the pre-provisioned "AzShare01" is used), after which
        /// access must succeed.
        /// </summary>
        public void BVT_SharePermission_AccessAllow_UserSid()
        {
            _SID   userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
            string shareName;

            if (!dynamicallyConfigurableShareExist)
            {
                shareName = "AzShare01";
            }
            else
            {
                uint   allRights = DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL;
                object allowAce  = DtypUtility.CreateAccessAllowedAce(userSid, allRights, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(allowAce);
                shareName = dynamicallyConfigurableShareName;
            }

            bool accessible = AccessShare(shareName);

            BaseTestSite.Assert.IsTrue(
                accessible,
                "ACCESS_ALLOWED_ACE with user SID ({0}) exists in folder Security Descriptor. User should be able to access the share.",
                DtypUtility.ToSddlString(userSid));
        }
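        /// <summary>
        /// Negative case: an ACCESS_DENIED_ACE covering all standard and specific rights is written for the group's
        /// SID on the dynamically configurable share (or the pre-provisioned "AzShare04" is used); a user who is a
        /// member of that group must then be unable to access the share.
        /// </summary>
        public void SharePermission_AccessDeny_GroupSid()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azGroup01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                object ace = DtypUtility.CreateAccessDeniedAce(sid, DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                shareName = "AzShare04";
            }

            // The assertion message used to say "file Security Descriptor"; this test targets the share.
            BaseTestSite.Assert.IsFalse(
                AccessShare(shareName),
                "ACCESS_DENIED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should not be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }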
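        /// <summary>
        /// Negative case: an ACCESS_ALLOWED_ACE with an empty access mask (no READ right) is written for the user's
        /// SID on the dynamically configurable share (or the pre-provisioned "AzShare06" is used); because nothing
        /// is granted, access must still be refused. Mirrors the file and folder variants of this scenario.
        /// </summary>
        public void SharePermission_AccessDeny_UserSidWithoutReadPermission()
        {
            _SID   sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
            string shareName;

            if (dynamicallyConfigurableShareExist)
            {
                // Mask 0: an allow ACE that grants no right at all. The previous code built a DENY ACE here, which
                // contradicted the assertion message below and the folder/file variants of this test.
                object ace = DtypUtility.CreateAccessAllowedAce(sid, 0, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
                shareName = dynamicallyConfigurableShareName;
            }
            else
            {
                // Pre-provisioned fallback share (assumed to carry the equivalent descriptor).
                shareName = "AzShare06";
            }

            BaseTestSite.Assert.IsFalse(
                AccessShare(shareName),
                "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.",
                DtypUtility.ToSddlString(sid));
        }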
        /// <summary>
        /// Positive case: an ACCESS_ALLOWED_ACE covering all standard and specific rights is written for the group's
        /// SID on the dynamically configurable share (or the pre-provisioned "AzShare02" is used); a user who is a
        /// member of that group must then be able to access the share.
        /// </summary>
        public void SharePermission_AccessAllow_GroupSid()
        {
            _SID   groupSid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);
            string shareName;

            if (!dynamicallyConfigurableShareExist)
            {
                shareName = "AzShare02";
            }
            else
            {
                uint   allRights = DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL;
                object allowAce  = DtypUtility.CreateAccessAllowedAce(groupSid, allRights, ACE_FLAGS.None);
                SetSecurityDescriptorOnDynamicallyConfigurableShare(allowAce);
                shareName = dynamicallyConfigurableShareName;
            }

            bool   accessible = AccessShare(shareName);
            string sddl       = DtypUtility.ToSddlString(groupSid);
            BaseTestSite.Assert.IsTrue(accessible, "ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.", sddl);
        }
        /// <summary>
        /// Lists the members of <paramref name="groupName"/> as a JSON array of <see cref="GroupMember"/> objects
        /// (Name, Sid, ObjectClass, PrincipalSource). PrincipalSource is always "ActiveDirectory" because every
        /// member here comes from the domain LDAP query made with the adapter's admin credentials.
        /// </summary>
        /// <param name="groupName">Group whose members are resolved.</param>
        /// <returns>JSON produced with <c>serializerOptions</c>.</returns>
        public string GetGroupMembers(string groupName)
        {
            const string principalSource = "ActiveDirectory";
            List <GroupMember> members = new List <GroupMember>();

            foreach (LdapEntry entry in DtypUtility.GetGroupMembers(domainName, groupName, adminName, adminPassword))
            {
                string name        = entry.GetAttribute("name").StringValue;
                byte[] sidBytes    = entry.GetAttribute("objectSid").ByteValue;
                string objectClass = entry.GetAttribute("objectClass").StringValue;

                members.Add(new GroupMember
                {
                    Name            = name,
                    Sid             = TypeMarshal.ToStruct <_SID>(sidBytes),
                    ObjectClass     = objectClass,
                    PrincipalSource = principalSource
                });
            }

            return JsonSerializer.Serialize(members, serializerOptions);
        }
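        /// <summary>
        /// Verifies server behaviour when the share's maximal access excludes DELETE and GENERIC_ALL: a plain CREATE
        /// of a new file succeeds, but a subsequent CREATE with FILE_DELETE_ON_CLOSE is rejected
        /// (STATUS_ACCESS_DENIED on Windows; any non-success status on other platforms).
        /// </summary>
        public void SharePermission_CreateClose_DeleteFile_MaximalAccessNotIncludeDeleteOrGenericAll()
        {
            _SID sid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

            // This scenario needs a share whose descriptor the test can rewrite; there is no static fallback.
            if (!dynamicallyConfigurableShareExist)
            {
                BaseTestSite.Assert.Inconclusive("Required share: {0} does not exist!", dynamicallyConfigurableShareName);
            }
            // Grant the user every standard and specific right except DELETE, so the TreeConnect maximal access
            // lacks DELETE and GENERIC_ALL.
            object ace = DtypUtility.CreateAccessAllowedAce(sid, (DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL) & ~DtypUtility.ACCESS_MASK_DELETE, ACE_FLAGS.None);

            SetSecurityDescriptorOnDynamicallyConfigurableShare(ace);
            string shareName    = dynamicallyConfigurableShareName;
            string shareUncPath = Smb2Utility.GetUncPath(TestConfig.SutComputerName, shareName);

            Smb2FunctionalClient client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);

            client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
            AccountCredential user = new AccountCredential(TestConfig.DomainName, azUser01Name, TestConfig.UserPassword);

            try
            {
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends NEGOTIATE message.");
                client.Negotiate(TestConfig.RequestDialects, TestConfig.IsSMB1NegotiateEnabled);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends SESSION_SETUP message using account: {0}@{1}.", user.AccountName, user.DomainName);
                client.SessionSetup(TestConfig.DefaultSecurityPackage, TestConfig.SutComputerName, user, false);

                uint treeId;
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends TREE_CONNECT message to access share: {0}.", shareUncPath);
                client.TreeConnect(shareUncPath, out treeId, checker: (header, response) =>
                {
                    // Precondition for the rest of the test: the ACE above must have removed DELETE/GENERIC_ALL.
                    BaseTestSite.Assert.IsTrue((response.MaximalAccess.ACCESS_MASK & (DtypUtility.ACCESS_MASK_DELETE | DtypUtility.ACCESS_MASK_GENERIC_ALL)) == 0,
                                               "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL.");
                });

                string fileName = GetTestFileName(shareUncPath);
                FILEID fileId;
                Smb2CreateContextResponse[] createContextResponse;
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create the file: {0}", fileName);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request.");
                // The returned status was never read; the client's response checking applies as before.
                client.Create(
                    treeId,
                    fileName,
                    CreateOptions_Values.FILE_NON_DIRECTORY_FILE,
                    out fileId,
                    out createContextResponse,
                    accessMask: AccessMask.FILE_READ_DATA | AccessMask.FILE_WRITE_DATA | AccessMask.FILE_APPEND_DATA |
                    AccessMask.FILE_READ_ATTRIBUTES | AccessMask.FILE_READ_EA | AccessMask.FILE_WRITE_ATTRIBUTES |
                    AccessMask.FILE_WRITE_EA | AccessMask.READ_CONTROL | AccessMask.WRITE_DAC | AccessMask.SYNCHRONIZE, // Windows client behavior
                    shareAccess: ShareAccess_Values.NONE,
                    createDisposition: CreateDisposition_Values.FILE_CREATE);
                client.Close(treeId, fileId);

                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Delete the file: {0}", fileName);
                BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request with FILE_DELETE_ON_CLOSE flag set in CreateOptions .");
                client.Create(
                    treeId,
                    fileName,
                    CreateOptions_Values.FILE_NON_DIRECTORY_FILE | CreateOptions_Values.FILE_DELETE_ON_CLOSE,
                    out fileId,
                    out createContextResponse,
                    accessMask: AccessMask.DELETE | AccessMask.FILE_READ_ATTRIBUTES | AccessMask.SYNCHRONIZE, // Windows client behavior
                    shareAccess: ShareAccess_Values.FILE_SHARE_DELETE,
                    createDisposition: CreateDisposition_Values.FILE_OPEN,
                    checker: (header, response) =>
                {
                    // The spec says SHOULD, so non-Windows servers are only required to fail the request;
                    // Windows is expected to return STATUS_ACCESS_DENIED specifically.
                    if (TestConfig.Platform == Platform.NonWindows)
                    {
                        BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, header.Status,
                                                        "If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions and " +
                                                        "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL, " +
                                                        "the server SHOULD fail the request with STATUS_ACCESS_DENIED");
                    }
                    else
                    {
                        BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_ACCESS_DENIED, header.Status,
                                                     "If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions and " +
                                                     "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL, " +
                                                     "the server SHOULD fail the request with STATUS_ACCESS_DENIED");
                    }
                });

                client.TreeDisconnect(treeId);
                client.LogOff();
            }
            catch (Exception e)
            {
                // Report the whole exception (type, message and stack trace) rather than only the message, so a
                // failure raised inside one of the checker lambdas can be located.
                BaseTestSite.Assert.Fail("Case failed due to: {0}", e);
            }
            finally
            {
                client.Disconnect();
            }
        }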
        /// <summary>
        /// Applies a Central Access Policy to a share by writing a SACL that carries a single
        /// SYSTEM_SCOPED_POLICY_ID_ACE, using SCOPE_SECURITY_INFORMATION so that only the scoped-policy part of the
        /// descriptor is replaced.
        /// </summary>
        /// <param name="sharePath">UNC path of the share.</param>
        /// <param name="capId">SID of the CAP to apply; <c>null</c> writes a SACL with no scoped-policy ACE.</param>
        protected void SetCap(string sharePath, _SID? capId)
        {
            // Either an empty SACL, or one holding exactly the scoped-policy ACE for the CAP.
            _ACL sacl = capId.HasValue
                ? DtypUtility.CreateAcl(false, DtypUtility.CreateSystemScopedPolicyIdAce(capId.Value))
                : DtypUtility.CreateAcl(false);

            SECURITY_DESCRIPTOR_Control control =
                SECURITY_DESCRIPTOR_Control.SACLAutoInherited |
                SECURITY_DESCRIPTOR_Control.SACLInheritanceRequired |
                SECURITY_DESCRIPTOR_Control.SACLPresent |
                SECURITY_DESCRIPTOR_Control.SelfRelative;

            _SECURITY_DESCRIPTOR sd = DtypUtility.CreateSecurityDescriptor(control, null, null, sacl, null);
            SetSecurityDescriptor(sharePath, null, sd, SET_INFO_Request_AdditionalInformation_Values.SCOPE_SECURITY_INFORMATION);
        }
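        /// <summary>
        /// Reads the Central Access Rules and Central Access Policies from the domain's
        /// "Claims Configuration" container and returns the policies keyed by their CN.
        /// </summary>
        /// <param name="domainName">DNS domain name; each dot-separated label becomes one DC= component of the LDAP path.</param>
        /// <param name="userName">Account used to bind to the directory.</param>
        /// <param name="password">Password for <paramref name="userName"/>.</param>
        /// <returns>
        /// Policies keyed by CN. Each policy's <c>MemberRules</c> is filled with the
        /// <see cref="CentralAccessRule"/> objects whose DN the policy lists.
        /// </returns>
        /// <exception cref="KeyNotFoundException">
        /// A policy lists a rule DN that the rule query did not return (the message names the policy and the DN).
        /// </exception>
        protected Dictionary<string, CentralAccessPolicy> QueryCaps(string domainName, string userName, string password)
        {
            Dictionary<string, CentralAccessRule> rules = new Dictionary<string, CentralAccessRule>();
            Dictionary<string, CentralAccessPolicy> policies = new Dictionary<string, CentralAccessPolicy>();

            string[] domainNameTokens = domainName.Split('.');
            // Only checked in Debug builds; a release build silently builds a single DC= component.
            Debug.Assert(domainNameTokens.Length >= 2, "Domain name has at least 2 parts.");

            // The path names no server, so ADSI performs a serverless bind (presumably to a DC of the
            // caller's domain rather than of domainName — confirm in a multi-domain setup).
            StringBuilder bindString = new StringBuilder("LDAP://CN=Claims Configuration,CN=Services,CN=Configuration");
            foreach (string domainNameToken in domainNameTokens)
            {
                bindString.Append(",DC=").Append(domainNameToken);
            }

            using (DirectoryEntry ldapConnection = new DirectoryEntry(bindString.ToString()))
            {
                // Secure selects Windows (Negotiate) authentication instead of a simple bind, so the password
                // is not sent in the clear; it does not by itself request Signing/Sealing of the session.
                ldapConnection.AuthenticationType = AuthenticationTypes.Secure;
                ldapConnection.Username = userName;
                ldapConnection.Password = password;

                // Rules are collected first because policies reference them by DN.
                using (DirectorySearcher ruleSearcher = new DirectorySearcher(ldapConnection, "(objectClass=msAuthz-CentralAccessRule)",
                                                                              new string[] { "cn", "distinguishedName", "msAuthz-EffectiveSecurityPolicy", "msAuthz-ResourceCondition" },
                                                                              SearchScope.Subtree))
                using (SearchResultCollection ruleResults = ruleSearcher.FindAll())
                {
                    foreach (SearchResult result in ruleResults)
                    {
                        string dn = (string)result.Properties["distinguishedName"][0];
                        // msAuthz-ResourceCondition is optional on a rule; cn and the policy SDDL are treated as required.
                        ResultPropertyValueCollection condition = result.Properties["msAuthz-ResourceCondition"];
                        CentralAccessRule rule = new CentralAccessRule
                        {
                            Name = (string)result.Properties["cn"][0],
                            Sddl = (string)result.Properties["msAuthz-EffectiveSecurityPolicy"][0],
                            ResourceCondition = condition.Count > 0 ? (string)condition[0] : null
                        };
                        rules.Add(dn, rule);
                    }
                }

                using (DirectorySearcher policySearcher = new DirectorySearcher(ldapConnection, "(objectClass=msAuthz-CentralAccessPolicy)",
                                                                                new string[] { "cn", "msAuthz-CentralAccessPolicyID", "msAuthz-MemberRulesInCentralAccessPolicy" },
                                                                                SearchScope.Subtree))
                using (SearchResultCollection policyResults = policySearcher.FindAll())
                {
                    foreach (SearchResult result in policyResults)
                    {
                        string capName = (string)result.Properties["cn"][0];
                        // The CAP id is stored as a binary SID; it is what SetCap stamps into the SACL.
                        byte[] sidInBinary = (byte[])result.Properties["msAuthz-CentralAccessPolicyID"][0];

                        CentralAccessPolicy policy = new CentralAccessPolicy();
                        policy.Name = capName;
                        policy.Id = TypeMarshal.ToStruct<_SID>(sidInBinary);

                        foreach (string ruleDN in result.Properties["msAuthz-MemberRulesInCentralAccessPolicy"])
                        {
                            CentralAccessRule memberRule;
                            if (!rules.TryGetValue(ruleDN, out memberRule))
                            {
                                // Same exception type as the former indexer lookup, but the message now says
                                // which policy points at which missing rule instead of a bare "key not found".
                                throw new KeyNotFoundException(
                                    $"Central Access Policy '{capName}' references rule '{ruleDN}', which the rule query did not return.");
                            }
                            policy.MemberRules.Add(memberRule);
                        }

                        policies.Add(capName, policy);
                    }
                }
            }

            return policies;
        }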
        /// <summary>
        /// Resolves <paramref name="groupName"/> in the test domain and returns its SID in SDDL string form.
        /// </summary>
        /// <param name="groupName">Name of the group to look up.</param>
        /// <returns>The group's SID as an SDDL string.</returns>
        /// <remarks>The lookup is done with the admin credentials held by this class (adminName/adminPassword).</remarks>
        public string GetGroupSid(string groupName)
            => DtypUtility.GetSidFromGroupName(domainName, groupName, adminName, adminPassword).GetSddlForm();
        /// <summary>
        /// Resolves the account <paramref name="userName"/> in the test domain and returns its SID in SDDL string form.
        /// </summary>
        /// <param name="userName">Name of the account to look up.</param>
        /// <returns>The account's SID as an SDDL string.</returns>
        /// <remarks>The lookup is done with the admin credentials held by this class (adminName/adminPassword).</remarks>
        public string GetUserSid(string userName)
            => DtypUtility.GetSidFromAccount(domainName, userName, adminName, adminPassword).GetSddlForm();
 /// <summary>
 /// P/Invoke declaration converting a SID structure to its string (SDDL) form.
 /// Its [DllImport] attribute is not shown here; presumably this binds advapi32's ConvertSidToStringSid —
 /// if so, the native side allocates <paramref name="sidString"/> and the caller must release it with
 /// LocalFree after marshalling it, or the buffer leaks. Confirm against the DllImport line.
 /// </summary>
 /// <param name="sid">SID to convert (project-defined struct; marshalling layout not visible here).</param>
 /// <param name="sidString">Receives a pointer to the native string on success.</param>
 /// <returns><c>true</c> on success; on failure, presumably Marshal.GetLastWin32Error() holds the reason — confirm SetLastError on the DllImport.</returns>
 public static extern bool ConvertSidToStringSid(
     _SID sid,
     out IntPtr sidString
     );