internal virtual AccessRule InternalAccessRuleFactory(QualifiedAce ace, Type targetType,
AccessControlType type)
{
return(AccessRuleFactory(ace.SecurityIdentifier.Translate(targetType),
ace.AccessMask, ace.IsInherited,
ace.InheritanceFlags, ace.PropagationFlags, type));
}
private bool ObjectTypesMatch(QualifiedAce ace, QualifiedAce newAce)
{
Guid guid = (ace is ObjectAce) ? ((ObjectAce)ace).ObjectAceType : Guid.Empty;
Guid g = (newAce is ObjectAce) ? ((ObjectAce)newAce).ObjectAceType : Guid.Empty;
return(guid.Equals(g));
}
void AddAce(QualifiedAce newAce)
{
RequireCanonicity();
int pos = GetAceInsertPosition(newAce.AceQualifier);
raw_acl.InsertAce(pos, CopyAce(newAce));
CanonicalizeAndClearAefa();
}
void AddAce(QualifiedAce newAce)
{
RequireCanonicity();
int pos = GetAceInsertPosition(newAce.AceQualifier);
raw_acl.InsertAce(pos, newAce);
CleanAndRetestCanonicity();
}
private bool AccessMasksAreMergeable(QualifiedAce ace, QualifiedAce newAce)
{
if (this.ObjectTypesMatch(ace, newAce))
{
return(true);
}
ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce)ace).ObjectAceFlags : ObjectAceFlags.None;
return((((ace.AccessMask & newAce.AccessMask) & ObjectAce.AccessMaskWithObjectType) == (newAce.AccessMask & ObjectAce.AccessMaskWithObjectType)) && ((flags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None));
}
private bool AceFlagsAreMergeable(QualifiedAce ace, QualifiedAce newAce)
{
if (this.InheritedObjectTypesMatch(ace, newAce))
{
return(true);
}
ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce)ace).ObjectAceFlags : ObjectAceFlags.None;
return((flags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None);
}
// DiscretionaryAcl/SystemAcl shared implementation below...
internal void AddAce(AceQualifier aceQualifier,
SecurityIdentifier sid, int accessMask,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags auditFlags)
{
QualifiedAce ace = AddAceGetQualifiedAce(aceQualifier, sid, accessMask,
inheritanceFlags, propagationFlags, auditFlags);
AddAce(ace);
}
internal override AuditRule InternalAuditRuleFactory (QualifiedAce ace, Type targetType)
{
ObjectAce oace = ace as ObjectAce;
if (null == oace || ObjectAceFlags.None == oace.ObjectAceFlags)
return base.InternalAuditRuleFactory (ace, targetType);
return AuditRuleFactory (ace.SecurityIdentifier.Translate (targetType),
ace.AccessMask, ace.IsInherited,
ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags,
oace.ObjectAceType, oace.InheritedObjectAceType);
}
private bool InspectAce(ref GenericAce ace, bool isDacl)
{
KnownAce ace2 = ace as KnownAce;
if ((ace2 != null) && (ace2.AccessMask == 0))
{
return(false);
}
if (!this.IsContainer)
{
if (((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0)
{
return(false);
}
if (((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) != 0)
{
ace.AceFlags = (AceFlags)((byte)(((int)ace.AceFlags) & 240));
}
}
else
{
if (((((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0)) && (((byte)(ace.AceFlags & (AceFlags.None | AceFlags.ObjectInherit))) == 0))
{
return(false);
}
if (((((byte)(ace.AceFlags & (AceFlags.None | AceFlags.NoPropagateInherit))) != 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0)) && (((byte)(ace.AceFlags & (AceFlags.None | AceFlags.ObjectInherit))) == 0))
{
ace.AceFlags = (AceFlags)((byte)(((int)ace.AceFlags) & 0xfb));
}
}
QualifiedAce ace3 = ace2 as QualifiedAce;
if (isDacl)
{
ace.AceFlags = (AceFlags)((byte)(((int)ace.AceFlags) & 0x3f));
if (((ace3 != null) && (ace3.AceQualifier != AceQualifier.AccessAllowed)) && (ace3.AceQualifier != AceQualifier.AccessDenied))
{
return(false);
}
}
else
{
if (((byte)(ace.AceFlags & AceFlags.AuditFlags)) == 0)
{
return(false);
}
if ((ace3 != null) && (ace3.AceQualifier != AceQualifier.SystemAudit))
{
return(false);
}
}
return(true);
}
void SetAce(QualifiedAce newAce)
{
RequireCanonicity();
RemoveAces <QualifiedAce> (oldAce =>
{
return(oldAce.AceQualifier == newAce.AceQualifier &&
oldAce.SecurityIdentifier == newAce.SecurityIdentifier);
});
CleanAndRetestCanonicity();
AddAce(newAce);
}
internal override AuditRule InternalAuditRuleFactory(QualifiedAce ace, Type targetType)
{
ObjectAce oace = ace as ObjectAce;
if (null == oace || ObjectAceFlags.None == oace.ObjectAceFlags)
{
return(base.InternalAuditRuleFactory(ace, targetType));
}
return(AuditRuleFactory(ace.SecurityIdentifier.Translate(targetType),
ace.AccessMask, ace.IsInherited,
ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags,
oace.ObjectAceType, oace.InheritedObjectAceType));
}
internal void AddAce(AceQualifier aceQualifier,
SecurityIdentifier sid, int accessMask,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags auditFlags,
ObjectAceFlags objectFlags,
Guid objectType,
Guid inheritedObjectType)
{
QualifiedAce ace = AddAceGetQualifiedAce(aceQualifier, sid, accessMask,
inheritanceFlags, propagationFlags, auditFlags,
objectFlags, objectType, inheritedObjectType);
AddAce(ace);
}
internal AuthorizationRuleCollection InternalGetAccessRules(bool includeExplicit,
bool includeInherited,
Type targetType)
{
List <AuthorizationRule> rules = new List <AuthorizationRule> ();
ReadLock();
try {
foreach (GenericAce genericAce in descriptor.DiscretionaryAcl)
{
QualifiedAce ace = genericAce as QualifiedAce;
if (null == ace)
{
continue;
}
if (ace.IsInherited && !includeInherited)
{
continue;
}
if (!ace.IsInherited && !includeExplicit)
{
continue;
}
AccessControlType type;
if (AceQualifier.AccessAllowed == ace.AceQualifier)
{
type = AccessControlType.Allow;
}
else if (AceQualifier.AccessDenied == ace.AceQualifier)
{
type = AccessControlType.Deny;
}
else
{
continue;
}
AccessRule rule = InternalAccessRuleFactory(ace, targetType, type);
rules.Add(rule);
}
} finally {
ReadUnlock();
}
return(new AuthorizationRuleCollection(rules.ToArray()));
}
internal void AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
{
GenericAce ace;
if (sid == null)
{
throw new ArgumentNullException("sid");
}
this.ThrowIfNotCanonical();
bool flag = false;
if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
{
throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
}
if (accessMask == 0)
{
throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
}
if (!this.IsDS || (objectFlags == ObjectAceFlags.None))
{
ace = new CommonAce(flags, qualifier, accessMask, sid, false, null);
}
else
{
ace = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null);
}
if (this.InspectAce(ref ace, this is DiscretionaryAcl))
{
for (int i = 0; i < this.Count; i++)
{
QualifiedAce ace2 = this._acl[i] as QualifiedAce;
if ((ace2 != null) && this.MergeAces(ref ace2, ace as QualifiedAce))
{
flag = true;
break;
}
}
if (!flag)
{
this._acl.InsertAce(this._acl.Count, ace);
this._isDirty = true;
}
this.OnAclModificationTried();
}
}
internal void RemoveQualifiedAcesSpecific(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
{
if (accessMask == 0)
{
throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
}
if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
{
throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
}
if (sid == null)
{
throw new ArgumentNullException("sid");
}
this.ThrowIfNotCanonical();
for (int i = 0; i < this.Count; i++)
{
QualifiedAce ace = this._acl[i] as QualifiedAce;
if ((((ace == null) || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid))) || ((ace.AceFlags != flags) || (ace.AccessMask != accessMask)))
{
continue;
}
if (this.IsDS)
{
if ((ace is ObjectAce) && (objectFlags != ObjectAceFlags.None))
{
ObjectAce ace2 = ace as ObjectAce;
if (ace2.ObjectTypesMatch(objectFlags, objectType) && ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType))
{
goto Label_00F2;
}
continue;
}
if ((ace is ObjectAce) || (objectFlags != ObjectAceFlags.None))
{
continue;
}
}
Label_00F2:
this._acl.RemoveAce(i);
i--;
}
this.OnAclModificationTried();
}
internal int GetCanonicalExplicitDenyAceCount()
{
int i;
for (i = 0; i < Count; i++)
{
if (this [i].IsInherited)
{
break;
}
QualifiedAce ace = this [i] as QualifiedAce;
if (ace == null || ace.AceQualifier != AceQualifier.AccessDenied)
{
break;
}
}
return(i);
}
internal AuthorizationRuleCollection InternalGetAuditRules(bool includeExplicit,
bool includeInherited,
Type targetType)
{
List <AuthorizationRule> rules = new List <AuthorizationRule> ();
ReadLock();
try {
if (null != descriptor.SystemAcl)
{
foreach (GenericAce genericAce in descriptor.SystemAcl)
{
QualifiedAce ace = genericAce as QualifiedAce;
if (null == ace)
{
continue;
}
if (ace.IsInherited && !includeInherited)
{
continue;
}
if (!ace.IsInherited && !includeExplicit)
{
continue;
}
if (AceQualifier.SystemAudit != ace.AceQualifier)
{
continue;
}
AuditRule rule = InternalAuditRuleFactory(ace, targetType);
rules.Add(rule);
}
}
} finally {
ReadUnlock();
}
return(new AuthorizationRuleCollection(rules.ToArray()));
}
private bool GetAccessMaskForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask)
{
if (((ace.AccessMask & accessMask) & ObjectAce.AccessMaskWithObjectType) != 0)
{
if (ace is ObjectAce)
{
ObjectAce ace2 = ace as ObjectAce;
if (((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
{
return(false);
}
if (!(((objectFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None) || ace2.ObjectTypesMatch(objectFlags, objectType)))
{
accessMask &= ~ObjectAce.AccessMaskWithObjectType;
}
}
else if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
{
return(false);
}
}
return(true);
}
private bool GetInheritanceFlagsForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags)
{
if ((((byte)(ace.AceFlags & AceFlags.ContainerInherit)) != 0) && (((byte)(aceFlags & AceFlags.ContainerInherit)) != 0))
{
if (ace is ObjectAce)
{
ObjectAce ace2 = ace as ObjectAce;
if (((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None))
{
return(false);
}
if (!(((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None) || ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType)))
{
aceFlags = (AceFlags)((byte)(((int)aceFlags) & 240));
}
}
else if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
{
return(false);
}
}
return(true);
}
private void Canonicalize(bool compact, bool isDacl)
{
for (ushort i = 0; i < this._acl.Count; i = (ushort)(i + 1))
{
this._acl[i]._indexInAcl = i;
}
this.QuickSort(0, this._acl.Count - 1, isDacl);
if (compact)
{
for (int j = 0; j < (this.Count - 1); j++)
{
QualifiedAce ace = this._acl[j] as QualifiedAce;
if (ace != null)
{
QualifiedAce newAce = this._acl[j + 1] as QualifiedAce;
if ((newAce != null) && this.MergeAces(ref ace, newAce))
{
this._acl.RemoveAce(j + 1);
}
}
}
}
}
internal override bool IsAceMeaningless(GenericAce ace)
{
if (base.IsAceMeaningless(ace))
{
return(true);
}
if (AuditFlags.None != ace.AuditFlags)
{
return(true);
}
QualifiedAce qace = ace as QualifiedAce;
if (null != qace)
{
if (!(AceQualifier.AccessAllowed == qace.AceQualifier ||
AceQualifier.AccessDenied == qace.AceQualifier))
{
return(true);
}
}
return(false);
}
internal override bool IsAceMeaningless(GenericAce ace)
{
if (base.IsAceMeaningless(ace))
{
return(true);
}
if (!IsValidAuditFlags(ace.AuditFlags))
{
return(true);
}
QualifiedAce qace = ace as QualifiedAce;
if (null != qace)
{
if (!(AceQualifier.SystemAudit == qace.AceQualifier ||
AceQualifier.SystemAlarm == qace.AceQualifier))
{
return(true);
}
}
return(false);
}
private bool AceFlagsAreMergeable( QualifiedAce ace, QualifiedAce newAce )
{
//
// The ace flags can be considered for merge in any of the following conditions
// 1. Inherited object types match
// 2. (Inherited object types do not match) The existing ace does not have an inherited object type and
// already contains all the bits of the new ace
//
if ( InheritedObjectTypesMatch( ace, newAce ))
{
// case 1
return true;
}
ObjectAceFlags objectFlags = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).ObjectAceFlags : ObjectAceFlags.None;
if (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 )
{
// case 2
//
// This method is called only when the access masks of the two aces are already confirmed to be exact matches
// therefore the second condition of case 2 is already verified
//
Contract.Assert(( ace.AccessMask & newAce.AccessMask) == newAce.AccessMask, "AceFlagsAreMergeable:: AccessMask of existing ace does not contain all access bits of new ace.");
return true;
}
return false;
}
GenericAce MergeExplicitAcePair(GenericAce ace1, GenericAce ace2)
{
QualifiedAce qace1 = ace1 as QualifiedAce;
QualifiedAce qace2 = ace2 as QualifiedAce;
if (!(null != qace1 && null != qace2))
{
return(null);
}
if (!(qace1.AceQualifier == qace2.AceQualifier))
{
return(null);
}
if (!(qace1.SecurityIdentifier == qace2.SecurityIdentifier))
{
return(null);
}
AceFlags aceFlags1 = qace1.AceFlags, aceFlags2 = qace2.AceFlags, aceFlagsNew;
int accessMask1 = qace1.AccessMask, accessMask2 = qace2.AccessMask, accessMaskNew;
if (!IsContainer)
{
aceFlags1 &= ~AceFlags.InheritanceFlags;
aceFlags2 &= ~AceFlags.InheritanceFlags;
}
if (aceFlags1 != aceFlags2)
{
if (accessMask1 != accessMask2)
{
return(null);
}
if ((aceFlags1 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit)) ==
(aceFlags2 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit)))
{
aceFlagsNew = aceFlags1 | aceFlags2; // merge InheritanceFlags
accessMaskNew = accessMask1;
}
else if ((aceFlags1 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess)) ==
(aceFlags2 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess)))
{
aceFlagsNew = aceFlags1 | aceFlags2; // merge AuditFlags
accessMaskNew = accessMask1;
}
else
{
return(null);
}
}
else
{
aceFlagsNew = aceFlags1;
accessMaskNew = accessMask1 | accessMask2;
}
CommonAce cace1 = ace1 as CommonAce;
CommonAce cace2 = ace2 as CommonAce;
if (null != cace1 && null != cace2)
{
return(new CommonAce(aceFlagsNew, cace1.AceQualifier, accessMaskNew,
cace1.SecurityIdentifier, cace1.IsCallback, cace1.GetOpaque()));
}
ObjectAce oace1 = ace1 as ObjectAce;
ObjectAce oace2 = ace2 as ObjectAce;
if (null != oace1 && null != oace2)
{
// See DiscretionaryAclTest.GuidEmptyMergesRegardlessOfFlagsAndOpaqueDataIsNotConsidered
Guid type1, inheritedType1; GetObjectAceTypeGuids(oace1, out type1, out inheritedType1);
Guid type2, inheritedType2; GetObjectAceTypeGuids(oace2, out type2, out inheritedType2);
if (type1 == type2 && inheritedType1 == inheritedType2)
{
return(new ObjectAce(aceFlagsNew, oace1.AceQualifier, accessMaskNew,
oace1.SecurityIdentifier,
oace1.ObjectAceFlags, oace1.ObjectAceType, oace1.InheritedObjectAceType,
oace1.IsCallback, oace1.GetOpaque()));
}
}
return(null);
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType)
{
ReadLock();
try
{
AuthorizationRuleCollection result = new AuthorizationRuleCollection();
if (!IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(SR.Arg_MustBeIdentityReferenceType, nameof(targetType));
}
CommonAcl acl = null;
if (access)
{
if ((SecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
{
acl = SecurityDescriptor.DiscretionaryAcl;
}
}
else // !access == audit
{
if ((SecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0)
{
acl = SecurityDescriptor.SystemAcl;
}
}
if (acl == null)
{
//
// The required ACL was not present; return an empty collection.
//
return(result);
}
IdentityReferenceCollection irTarget = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count);
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
QualifiedAce ace = acl[i] as QualifiedAce;
if (ace == null)
{
//
// Only consider qualified ACEs
//
continue;
}
if (ace.IsCallback == true)
{
//
// Ignore callback ACEs
//
continue;
}
if (access)
{
if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else
{
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
}
irSource.Add(ace.SecurityIdentifier);
}
irTarget = irSource.Translate(targetType);
}
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
QualifiedAce ace = acl[i] as CommonAce;
if (ace == null)
{
ace = acl[i] as ObjectAce;
if (ace == null)
{
//
// Only consider common or object ACEs
//
continue;
}
}
if (ace.IsCallback == true)
{
//
// Ignore callback ACEs
//
continue;
}
if (access)
{
if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else
{
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
}
if ((includeExplicit && ((ace.AceFlags & AceFlags.Inherited) == 0)) || (includeInherited && ((ace.AceFlags & AceFlags.Inherited) != 0)))
{
IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget[i];
if (access)
{
AccessControlType type;
if (ace.AceQualifier == AceQualifier.AccessAllowed)
{
type = AccessControlType.Allow;
}
else
{
type = AccessControlType.Deny;
}
if (ace is ObjectAce)
{
ObjectAce objectAce = ace as ObjectAce;
result.AddRule(AccessRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = ace as CommonAce;
if (commonAce == null)
{
continue;
}
result.AddRule(AccessRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
}
}
else
{
if (ace is ObjectAce)
{
ObjectAce objectAce = ace as ObjectAce;
result.AddRule(AuditRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = ace as CommonAce;
if (commonAce == null)
{
continue;
}
result.AddRule(AuditRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags));
}
}
}
}
return(result);
}
finally
{
ReadUnlock();
}
}
private bool GetAccessMaskForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask)
{
if (((ace.AccessMask & accessMask) & ObjectAce.AccessMaskWithObjectType) != 0)
{
if (ace is ObjectAce)
{
ObjectAce ace2 = ace as ObjectAce;
if (((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
{
return false;
}
if (!(((objectFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None) || ace2.ObjectTypesMatch(objectFlags, objectType)))
{
accessMask &= ~ObjectAce.AccessMaskWithObjectType;
}
}
else if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
{
return false;
}
}
return true;
}
internal bool RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
{
if (accessMask == 0)
{
throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
}
if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
{
throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
}
if (sid == null)
{
throw new ArgumentNullException("sid");
}
this.ThrowIfNotCanonical();
bool flag = true;
bool flag2 = true;
int num = accessMask;
AceFlags flags2 = flags;
byte[] binaryForm = new byte[this.BinaryLength];
this.GetBinaryForm(binaryForm, 0);
Label_0075:
try
{
for (int i = 0; i < this.Count; i++)
{
QualifiedAce ace = this._acl[i] as QualifiedAce;
if (((ace == null) || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid)))
{
continue;
}
if (this.IsDS)
{
accessMask = num;
bool flag3 = !this.GetAccessMaskForRemoval(ace, objectFlags, objectType, ref accessMask);
if ((ace.AccessMask & accessMask) == 0)
{
continue;
}
flags = flags2;
bool flag4 = !this.GetInheritanceFlagsForRemoval(ace, objectFlags, inheritedObjectType, ref flags);
if (((((((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0) && (((byte)(flags & AceFlags.ContainerInherit)) != 0)) && (((byte)(flags & AceFlags.InheritOnly)) != 0)) || (((((byte)(flags & AceFlags.ContainerInherit)) == 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) != 0)) && (((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0))) || (((((byte)(flags2 & AceFlags.ContainerInherit)) != 0) && (((byte)(flags2 & AceFlags.InheritOnly)) != 0)) && (((byte)(flags & AceFlags.ContainerInherit)) == 0)))
{
continue;
}
if (!flag3 && !flag4)
{
goto Label_0184;
}
flag2 = false;
goto Label_0483;
}
if ((ace.AccessMask & accessMask) == 0)
{
continue;
}
Label_0184:
if (!saclSemantics || (((byte)(((byte)(ace.AceFlags & flags)) & 0xc0)) != 0))
{
AceFlags none = AceFlags.None;
int num3 = 0;
ObjectAceFlags flags4 = ObjectAceFlags.None;
Guid empty = Guid.Empty;
Guid guid2 = Guid.Empty;
AceFlags aceFlags = AceFlags.None;
int num4 = 0;
ObjectAceFlags flags6 = ObjectAceFlags.None;
Guid guid3 = Guid.Empty;
Guid guid4 = Guid.Empty;
AceFlags existing = AceFlags.None;
int num5 = 0;
ObjectAceFlags flags8 = ObjectAceFlags.None;
Guid guid5 = Guid.Empty;
Guid guid6 = Guid.Empty;
AceFlags result = AceFlags.None;
bool total = false;
none = ace.AceFlags;
num3 = ace.AccessMask & ~accessMask;
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num3, none, out flags4, out empty, out guid2);
}
if (saclSemantics)
{
aceFlags = (AceFlags)((byte)(ace.AceFlags & ~((byte)(flags & AceFlags.AuditFlags))));
num4 = ace.AccessMask & accessMask;
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num4, aceFlags, out flags6, out guid3, out guid4);
}
}
existing = (AceFlags)((byte)(((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) | ((byte)(((byte)(flags & ace.AceFlags)) & 0xc0))));
num5 = ace.AccessMask & accessMask;
if (!saclSemantics || (((byte)(existing & AceFlags.AuditFlags)) != 0))
{
if (!RemoveInheritanceBits(existing, flags, this.IsDS, out result, out total))
{
flag2 = false;
goto Label_0483;
}
if (!total)
{
result = (AceFlags)((byte)(result | ((byte)(existing & AceFlags.AuditFlags))));
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num5, result, out flags8, out guid5, out guid6);
}
}
}
if (!flag)
{
QualifiedAce ace2;
if (num3 != 0)
{
if (((ace is ObjectAce) && ((((ObjectAce)ace).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)) && ((flags4 & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
{
this._acl.RemoveAce(i);
ObjectAce ace3 = new ObjectAce(none, qualifier, num3, ace.SecurityIdentifier, flags4, empty, guid2, false, null);
this._acl.InsertAce(i, ace3);
}
else
{
ace.AceFlags = none;
ace.AccessMask = num3;
if (ace is ObjectAce)
{
ObjectAce ace4 = ace as ObjectAce;
ace4.ObjectAceFlags = flags4;
ace4.ObjectAceType = empty;
ace4.InheritedObjectAceType = guid2;
}
}
}
else
{
this._acl.RemoveAce(i);
i--;
}
if (saclSemantics && (((byte)(aceFlags & AceFlags.AuditFlags)) != 0))
{
if (ace is CommonAce)
{
ace2 = new CommonAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, false, null);
}
else
{
ace2 = new ObjectAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, flags6, guid3, guid4, false, null);
}
i++;
this._acl.InsertAce(i, ace2);
}
if (!total)
{
if (ace is CommonAce)
{
ace2 = new CommonAce(result, qualifier, num5, ace.SecurityIdentifier, false, null);
}
else
{
ace2 = new ObjectAce(result, qualifier, num5, ace.SecurityIdentifier, flags8, guid5, guid6, false, null);
}
i++;
this._acl.InsertAce(i, ace2);
}
}
}
}
}
catch (OverflowException)
{
this._acl.SetBinaryForm(binaryForm, 0);
return(false);
}
Label_0483:
if (flag && flag2)
{
flag = false;
goto Label_0075;
}
this.OnAclModificationTried();
return(flag2);
}
// Token: 0x06001FF6 RID: 8182 RVA: 0x0006FAEC File Offset: 0x0006DCEC
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
base.ReadLock();
AuthorizationRuleCollection result;
try
{
AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl commonAcl = null;
if (access)
{
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
commonAcl = this._securityDescriptor.DiscretionaryAcl;
}
}
else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
commonAcl = this._securityDescriptor.SystemAcl;
}
if (commonAcl == null)
{
result = authorizationRuleCollection;
}
else
{
IdentityReferenceCollection identityReferenceCollection = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection identityReferenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
for (int i = 0; i < commonAcl.Count; i++)
{
QualifiedAce qualifiedAce = commonAcl[i] as QualifiedAce;
if (!(qualifiedAce == null) && !qualifiedAce.IsCallback)
{
if (access)
{
if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
{
goto IL_EB;
}
}
else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
{
goto IL_EB;
}
identityReferenceCollection2.Add(qualifiedAce.SecurityIdentifier);
}
IL_EB :;
}
identityReferenceCollection = identityReferenceCollection2.Translate(targetType);
}
int j = 0;
while (j < commonAcl.Count)
{
QualifiedAce qualifiedAce2 = commonAcl[j] as CommonAce;
if (!(qualifiedAce2 == null))
{
goto IL_142;
}
qualifiedAce2 = (commonAcl[j] as ObjectAce);
if (!(qualifiedAce2 == null))
{
goto IL_142;
}
IL_306:
j++;
continue;
IL_142:
if (qualifiedAce2.IsCallback)
{
goto IL_306;
}
if (access)
{
if (qualifiedAce2.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce2.AceQualifier != AceQualifier.AccessDenied)
{
goto IL_306;
}
}
else if (qualifiedAce2.AceQualifier != AceQualifier.SystemAudit)
{
goto IL_306;
}
if ((!includeExplicit || (qualifiedAce2.AceFlags & AceFlags.Inherited) != AceFlags.None) && (!includeInherited || (qualifiedAce2.AceFlags & AceFlags.Inherited) == AceFlags.None))
{
goto IL_306;
}
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? qualifiedAce2.SecurityIdentifier : identityReferenceCollection[j];
if (access)
{
AccessControlType type;
if (qualifiedAce2.AceQualifier == AceQualifier.AccessAllowed)
{
type = AccessControlType.Allow;
}
else
{
type = AccessControlType.Deny;
}
if (qualifiedAce2 is ObjectAce)
{
ObjectAce objectAce = qualifiedAce2 as ObjectAce;
authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
goto IL_306;
}
CommonAce commonAce = qualifiedAce2 as CommonAce;
if (!(commonAce == null))
{
authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
goto IL_306;
}
goto IL_306;
}
else
{
if (qualifiedAce2 is ObjectAce)
{
ObjectAce objectAce2 = qualifiedAce2 as ObjectAce;
authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, objectAce2.AccessMask, objectAce2.IsInherited, objectAce2.InheritanceFlags, objectAce2.PropagationFlags, objectAce2.AuditFlags, objectAce2.ObjectAceType, objectAce2.InheritedObjectAceType));
goto IL_306;
}
CommonAce commonAce2 = qualifiedAce2 as CommonAce;
if (!(commonAce2 == null))
{
authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, commonAce2.AccessMask, commonAce2.IsInherited, commonAce2.InheritanceFlags, commonAce2.PropagationFlags, commonAce2.AuditFlags));
goto IL_306;
}
goto IL_306;
}
}
result = authorizationRuleCollection;
}
}
finally
{
base.ReadUnlock();
}
return(result);
}
private bool MergeAces(ref QualifiedAce ace, QualifiedAce newAce)
{
if (((byte)(ace.AceFlags & AceFlags.Inherited)) == 0)
{
if (((byte)(newAce.AceFlags & AceFlags.Inherited)) != 0)
{
return(false);
}
if (ace.AceQualifier != newAce.AceQualifier)
{
return(false);
}
if (ace.SecurityIdentifier != newAce.SecurityIdentifier)
{
return(false);
}
if (ace.AceFlags == newAce.AceFlags)
{
if (!(ace is ObjectAce) && !(newAce is ObjectAce))
{
ace.AccessMask |= newAce.AccessMask;
return(true);
}
if (this.InheritedObjectTypesMatch(ace, newAce) && this.AccessMasksAreMergeable(ace, newAce))
{
ace.AccessMask |= newAce.AccessMask;
return(true);
}
}
if ((((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) == ((byte)(newAce.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit)))) && (ace.AccessMask == newAce.AccessMask))
{
if (!(ace is ObjectAce) && !(newAce is ObjectAce))
{
ace.AceFlags = (AceFlags)((byte)(ace.AceFlags | ((byte)(newAce.AceFlags & AceFlags.AuditFlags))));
return(true);
}
if (this.InheritedObjectTypesMatch(ace, newAce) && this.ObjectTypesMatch(ace, newAce))
{
ace.AceFlags = (AceFlags)((byte)(ace.AceFlags | ((byte)(newAce.AceFlags & AceFlags.AuditFlags))));
return(true);
}
}
if ((((byte)(ace.AceFlags & AceFlags.AuditFlags)) == ((byte)(newAce.AceFlags & AceFlags.AuditFlags))) && (ace.AccessMask == newAce.AccessMask))
{
AceFlags flags;
if ((ace is ObjectAce) || (newAce is ObjectAce))
{
if ((this.ObjectTypesMatch(ace, newAce) && this.AceFlagsAreMergeable(ace, newAce)) && MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags))
{
ace.AceFlags = (AceFlags)((byte)(flags | ((byte)(ace.AceFlags & AceFlags.AuditFlags))));
return(true);
}
}
else if (MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags))
{
ace.AceFlags = (AceFlags)((byte)(flags | ((byte)(ace.AceFlags & AceFlags.AuditFlags))));
return(true);
}
}
}
return(false);
}
internal virtual AuditRule InternalAuditRuleFactory (QualifiedAce ace, Type targetType)
{
return AuditRuleFactory (ace.SecurityIdentifier.Translate (targetType),
ace.AccessMask, ace.IsInherited,
ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags);
}
private bool InheritedObjectTypesMatch( QualifiedAce ace, QualifiedAce newAce )
{
Guid inheritedObjectType = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).InheritedObjectAceType : Guid.Empty;
Guid newInheritedObjectType = ( newAce is ObjectAce ) ? (( ObjectAce ) newAce ).InheritedObjectAceType : Guid.Empty;
return inheritedObjectType.Equals( newInheritedObjectType );
}
private bool MergeAces(ref QualifiedAce ace, QualifiedAce newAce)
{
if (((byte) (ace.AceFlags & AceFlags.Inherited)) == 0)
{
if (((byte) (newAce.AceFlags & AceFlags.Inherited)) != 0)
{
return false;
}
if (ace.AceQualifier != newAce.AceQualifier)
{
return false;
}
if (ace.SecurityIdentifier != newAce.SecurityIdentifier)
{
return false;
}
if (ace.AceFlags == newAce.AceFlags)
{
if (!(ace is ObjectAce) && !(newAce is ObjectAce))
{
ace.AccessMask |= newAce.AccessMask;
return true;
}
if (this.InheritedObjectTypesMatch(ace, newAce) && this.AccessMasksAreMergeable(ace, newAce))
{
ace.AccessMask |= newAce.AccessMask;
return true;
}
}
if ((((byte) (ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) == ((byte) (newAce.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit)))) && (ace.AccessMask == newAce.AccessMask))
{
if (!(ace is ObjectAce) && !(newAce is ObjectAce))
{
ace.AceFlags = (AceFlags) ((byte) (ace.AceFlags | ((byte) (newAce.AceFlags & AceFlags.AuditFlags))));
return true;
}
if (this.InheritedObjectTypesMatch(ace, newAce) && this.ObjectTypesMatch(ace, newAce))
{
ace.AceFlags = (AceFlags) ((byte) (ace.AceFlags | ((byte) (newAce.AceFlags & AceFlags.AuditFlags))));
return true;
}
}
if ((((byte) (ace.AceFlags & AceFlags.AuditFlags)) == ((byte) (newAce.AceFlags & AceFlags.AuditFlags))) && (ace.AccessMask == newAce.AccessMask))
{
AceFlags flags;
if ((ace is ObjectAce) || (newAce is ObjectAce))
{
if ((this.ObjectTypesMatch(ace, newAce) && this.AceFlagsAreMergeable(ace, newAce)) && MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags))
{
ace.AceFlags = (AceFlags) ((byte) (flags | ((byte) (ace.AceFlags & AceFlags.AuditFlags))));
return true;
}
}
else if (MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags))
{
ace.AceFlags = (AceFlags) ((byte) (flags | ((byte) (ace.AceFlags & AceFlags.AuditFlags))));
return true;
}
}
}
return false;
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
AuthorizationRuleCollection rules2;
base.ReadLock();
try
{
AuthorizationRuleCollection rules = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl discretionaryAcl = null;
if (access)
{
if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.DiscretionaryAcl;
}
}
else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.SystemAcl;
}
if (discretionaryAcl == null)
{
return(rules);
}
IdentityReferenceCollection references = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count);
for (int j = 0; j < discretionaryAcl.Count; j++)
{
QualifiedAce ace = discretionaryAcl[j] as QualifiedAce;
if ((ace == null) || ace.IsCallback)
{
continue;
}
if (access)
{
if ((ace.AceQualifier == AceQualifier.AccessAllowed) || (ace.AceQualifier == AceQualifier.AccessDenied))
{
goto Label_00DD;
}
continue;
}
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
Label_00DD:
references2.Add(ace.SecurityIdentifier);
}
references = references2.Translate(targetType);
}
for (int i = 0; i < discretionaryAcl.Count; i++)
{
QualifiedAce ace2 = discretionaryAcl[i] as CommonAce;
if (ace2 == null)
{
ace2 = discretionaryAcl[i] as ObjectAce;
if (ace2 == null)
{
continue;
}
}
if (ace2.IsCallback)
{
continue;
}
if (access)
{
if ((ace2.AceQualifier == AceQualifier.AccessAllowed) || (ace2.AceQualifier == AceQualifier.AccessDenied))
{
goto Label_0174;
}
continue;
}
if (ace2.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
Label_0174:
if ((includeExplicit && (((byte)(ace2.AceFlags & AceFlags.Inherited)) == 0)) || (includeInherited && (((byte)(ace2.AceFlags & AceFlags.Inherited)) != 0)))
{
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[i];
if (access)
{
AccessControlType allow;
if (ace2.AceQualifier == AceQualifier.AccessAllowed)
{
allow = AccessControlType.Allow;
}
else
{
allow = AccessControlType.Deny;
}
if (ace2 is ObjectAce)
{
ObjectAce ace3 = ace2 as ObjectAce;
rules.AddRule(this.AccessRuleFactory(identityReference, ace3.AccessMask, ace3.IsInherited, ace3.InheritanceFlags, ace3.PropagationFlags, allow, ace3.ObjectAceType, ace3.InheritedObjectAceType));
}
else
{
CommonAce ace4 = ace2 as CommonAce;
if (ace4 != null)
{
rules.AddRule(this.AccessRuleFactory(identityReference, ace4.AccessMask, ace4.IsInherited, ace4.InheritanceFlags, ace4.PropagationFlags, allow));
}
}
}
else if (ace2 is ObjectAce)
{
ObjectAce ace5 = ace2 as ObjectAce;
rules.AddRule(this.AuditRuleFactory(identityReference, ace5.AccessMask, ace5.IsInherited, ace5.InheritanceFlags, ace5.PropagationFlags, ace5.AuditFlags, ace5.ObjectAceType, ace5.InheritedObjectAceType));
}
else
{
CommonAce ace6 = ace2 as CommonAce;
if (ace6 != null)
{
rules.AddRule(this.AuditRuleFactory(identityReference, ace6.AccessMask, ace6.IsInherited, ace6.InheritanceFlags, ace6.PropagationFlags, ace6.AuditFlags));
}
}
}
}
rules2 = rules;
}
finally
{
base.ReadUnlock();
}
return(rules2);
}
private bool GetInheritanceFlagsForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags )
{
if ((( ace.AceFlags & AceFlags.ContainerInherit ) != 0 ) && (( aceFlags & AceFlags.ContainerInherit ) != 0 ))
{
//
// If the aces have inheritance bits in common
// then we follow these rules:
//
// Remove No IOT IOT = A IOT = B
// Existing
//
// No IOT Remove Invalid Invalid
//
// IOT = A Remove Remove Nothing Common
//
if ( ace is ObjectAce )
{
bool commonInheritanceFlagsExist = true;
ObjectAce objectAce = ace as ObjectAce;
//
// if what we are trying to remove has an inherited object type
// but the existing ace does not then this is an invalid case
//
if ((( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) &&
(( objectAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ))
{
return false;
}
//
// if what we are trying to remove has no inherited object type or
// if inherited object types match then we have common inheritance flags
//
commonInheritanceFlagsExist = (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ) ||
objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType );
if ( !commonInheritanceFlagsExist )
{
aceFlags &= ~AceFlags.InheritanceFlags;
}
}
else if (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 )
{
// the existing ace is a common ace and the one we're removing
// refers to a specific child type so this is invalid
return false;
}
}
return true;
}
private bool AceFlagsAreMergeable(QualifiedAce ace, QualifiedAce newAce)
{
if (this.InheritedObjectTypesMatch(ace, newAce))
{
return true;
}
ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce) ace).ObjectAceFlags : ObjectAceFlags.None;
return ((flags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None);
}
static private bool AcesAreMergeable( QualifiedAce ace, QualifiedAce newAce )
{
//
// Only interested in ACEs with the specified type
//
if ( ace.AceType != newAce.AceType )
{
return false;
}
//
// Only interested in explicit (non-inherited) ACEs
//
if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
{
return false;
}
if (( newAce.AceFlags & AceFlags.Inherited ) != 0 )
{
return false;
}
//
// Only interested in ACEs with the specified qualifier
//
if ( ace.AceQualifier != newAce.AceQualifier )
{
return false;
}
//
// Only interested in ACEs with the specified SID
//
if ( ace.SecurityIdentifier != newAce.SecurityIdentifier )
{
return false;
}
//
// Only interested in ACEs with the specified callback data
//
if ( !AceOpaquesMatch( ace, newAce ))
{
return false;
}
return true;
}
private bool ObjectTypesMatch( QualifiedAce ace, QualifiedAce newAce )
{
Guid objectType = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).ObjectAceType : Guid.Empty;
Guid newObjectType = ( newAce is ObjectAce ) ? (( ObjectAce ) newAce ).ObjectAceType : Guid.Empty;
return objectType.Equals( newObjectType );
}
private bool ObjectTypesMatch(QualifiedAce ace, QualifiedAce newAce)
{
Guid guid = (ace is ObjectAce) ? ((ObjectAce) ace).ObjectAceType : Guid.Empty;
Guid g = (newAce is ObjectAce) ? ((ObjectAce) newAce).ObjectAceType : Guid.Empty;
return guid.Equals(g);
}
private bool AccessMasksAreMergeable( QualifiedAce ace, QualifiedAce newAce )
{
//
// The access masks are mergeable in any of the following conditions
// 1. Object types match
// 2. (Object types do not match) The existing ace does not have an object type and
// already contains all the bits of the new ace which refer to the object type
//
if ( ObjectTypesMatch( ace, newAce ))
{
// case 1
return true;
}
ObjectAceFlags objectFlags = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).ObjectAceFlags : ObjectAceFlags.None;
if ((( ace.AccessMask & newAce.AccessMask & ObjectAce.AccessMaskWithObjectType ) == ( newAce.AccessMask & ObjectAce.AccessMaskWithObjectType )) &&
(( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
{
// case 2
return true;
}
return false;
}
private bool GetInheritanceFlagsForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags)
{
if ((((byte) (ace.AceFlags & AceFlags.ContainerInherit)) != 0) && (((byte) (aceFlags & AceFlags.ContainerInherit)) != 0))
{
if (ace is ObjectAce)
{
ObjectAce ace2 = ace as ObjectAce;
if (((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None))
{
return false;
}
if (!(((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None) || ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType)))
{
aceFlags = (AceFlags) ((byte) (((int) aceFlags) & 240));
}
}
else if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
{
return false;
}
}
return true;
}
private bool GetAccessMaskForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask )
{
if (( ace.AccessMask & accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 )
{
//
// If the aces have access bits in common which refer to object types
// then we follow these rules:
//
// Remove No OT OT = A OT = B
// Existing
//
// No OT Remove Invalid Invalid
//
// OT = A Remove Remove Nothing Common
//
if ( ace is ObjectAce )
{
bool commonAccessBitsWithObjectTypeExist = true;
ObjectAce objectAce = ace as ObjectAce;
//
// if what we are trying to remove has an object type
// but the existing ace does not then this is an invalid case
//
if ((( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) &&
(( objectAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
{
return false;
}
//
// if what we are trying to remove has no object type or
// if object types match (since at this point we have ensured that both have object types present)
// then we have common access bits with object type
//
commonAccessBitsWithObjectTypeExist = (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ) ||
objectAce.ObjectTypesMatch( objectFlags, objectType );
if ( !commonAccessBitsWithObjectTypeExist )
{
accessMask &= ~ObjectAce.AccessMaskWithObjectType;
}
}
else if (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 )
{
// the existing ace is a common ace and the one we're removing
// refers to a specific object type so this is invalid
return false;
}
}
return true;
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
this.ReadLock();
try
{
AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl commonAcl = (CommonAcl)null;
if (access)
{
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
commonAcl = (CommonAcl)this._securityDescriptor.DiscretionaryAcl;
}
}
else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
commonAcl = (CommonAcl)this._securityDescriptor.SystemAcl;
}
if (commonAcl == null)
{
return(authorizationRuleCollection);
}
IdentityReferenceCollection referenceCollection1 = (IdentityReferenceCollection)null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection referenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
for (int index = 0; index < commonAcl.Count; ++index)
{
QualifiedAce qualifiedAce = commonAcl[index] as QualifiedAce;
if (!((GenericAce)qualifiedAce == (GenericAce)null) && !qualifiedAce.IsCallback)
{
if (access)
{
if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
referenceCollection2.Add((IdentityReference)qualifiedAce.SecurityIdentifier);
}
}
referenceCollection1 = referenceCollection2.Translate(targetType);
}
for (int index = 0; index < commonAcl.Count; ++index)
{
QualifiedAce qualifiedAce = (QualifiedAce)(commonAcl[index] as CommonAce);
if ((GenericAce)qualifiedAce == (GenericAce)null)
{
qualifiedAce = (QualifiedAce)(commonAcl[index] as ObjectAce);
if ((GenericAce)qualifiedAce == (GenericAce)null)
{
continue;
}
}
if (!qualifiedAce.IsCallback)
{
if (access)
{
if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
if (includeExplicit && (qualifiedAce.AceFlags & AceFlags.Inherited) == AceFlags.None || includeInherited && (qualifiedAce.AceFlags & AceFlags.Inherited) != AceFlags.None)
{
IdentityReference identityReference = targetType == typeof(SecurityIdentifier) ? (IdentityReference)qualifiedAce.SecurityIdentifier : referenceCollection1[index];
if (access)
{
AccessControlType type = qualifiedAce.AceQualifier != AceQualifier.AccessAllowed ? AccessControlType.Deny : AccessControlType.Allow;
if (qualifiedAce is ObjectAce)
{
ObjectAce objectAce = qualifiedAce as ObjectAce;
authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = qualifiedAce as CommonAce;
if (!((GenericAce)commonAce == (GenericAce)null))
{
authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
}
}
}
else if (qualifiedAce is ObjectAce)
{
ObjectAce objectAce = qualifiedAce as ObjectAce;
authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = qualifiedAce as CommonAce;
if (!((GenericAce)commonAce == (GenericAce)null))
{
authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags));
}
}
}
}
}
return(authorizationRuleCollection);
}
finally
{
this.ReadUnlock();
}
}
static private bool AceOpaquesMatch( QualifiedAce ace, QualifiedAce newAce )
{
byte[] aceOpaque = ace.GetOpaque();
byte[] newAceOpaque = newAce.GetOpaque();
if ( aceOpaque == null || newAceOpaque == null )
{
return aceOpaque == newAceOpaque;
}
if ( aceOpaque.Length != newAceOpaque.Length )
{
return false;
}
for ( int i = 0; i < aceOpaque.Length; ++i )
{
if ( aceOpaque[i] != newAceOpaque[i] )
{
return false;
}
}
return true;
}
private bool CanonicalCheck(bool isDacl)
{
if (isDacl)
{
int num = 0;
for (int i = 0; i < this._acl.Count; i++)
{
int num3 = 3;
GenericAce ace = this._acl[i];
if (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)
{
num3 = 2;
}
else
{
QualifiedAce ace2 = ace as QualifiedAce;
if (ace2 != null)
{
if (ace2.AceQualifier == AceQualifier.AccessAllowed)
{
num3 = 1;
goto Label_0059;
}
if (ace2.AceQualifier == AceQualifier.AccessDenied)
{
num3 = 0;
goto Label_0059;
}
}
return(false);
}
Label_0059:
if (num3 != 3)
{
if (num3 > num)
{
num = num3;
}
else if (num3 < num)
{
return(false);
}
}
}
}
else
{
int num4 = 0;
for (int j = 0; j < this._acl.Count; j++)
{
int num6 = 2;
GenericAce ace3 = this._acl[j];
if (ace3 != null)
{
if (((byte)(ace3.AceFlags & AceFlags.Inherited)) != 0)
{
num6 = 1;
}
else
{
QualifiedAce ace4 = ace3 as QualifiedAce;
if (ace4 == null)
{
return(false);
}
if ((ace4.AceQualifier != AceQualifier.SystemAudit) && (ace4.AceQualifier != AceQualifier.SystemAlarm))
{
return(false);
}
num6 = 0;
}
if (num6 > num4)
{
num4 = num6;
}
else if (num6 < num4)
{
return(false);
}
}
}
}
return(true);
}
//
// Merge routine for qualified ACEs
//
private bool MergeAces( ref QualifiedAce ace, QualifiedAce newAce )
{
//
// Check whether the ACEs are potentially mergeable
//
if ( !AcesAreMergeable( ace, newAce ))
{
return false;
}
//
// The modification algorithm proceeds in stages
//
// Stage 1: if flags match, add to the access mask
//
if ( ace.AceFlags == newAce.AceFlags )
{
if ( ace is ObjectAce || newAce is ObjectAce )
{
// for object aces we need to match the inherited object types (for ace flags equality)
if ( InheritedObjectTypesMatch( ace, newAce ))
{
// also since access mask bits are further qualified by object type, they cannot always be added on
if ( AccessMasksAreMergeable( ace, newAce ))
{
ace.AccessMask |= newAce.AccessMask;
return true;
}
}
}
else
{
ace.AccessMask |= newAce.AccessMask;
return true;
}
}
//
// Stage 2: Audit flags can be combined if the rest of the
// flags (both access mask and inheritance) match
//
if ((( ace.AceFlags & AceFlags.InheritanceFlags ) == ( newAce.AceFlags & AceFlags.InheritanceFlags )) &&
( ace.AccessMask == newAce.AccessMask ))
{
if (( ace is ObjectAce ) || ( newAce is ObjectAce ))
{
// for object aces we need to match the inherited object types (for inheritance flags equality) and object type (for access mask equality) as well
if ( InheritedObjectTypesMatch( ace, newAce ) &&
( ObjectTypesMatch( ace, newAce )))
{
ace.AceFlags |= ( newAce.AceFlags & AceFlags.AuditFlags );
return true;
}
}
else
{
ace.AceFlags |= ( newAce.AceFlags & AceFlags.AuditFlags );
return true;
}
}
//
// Stage 3: Inheritance flags can be combined in some cases
// provided access mask and audit bits are the same
//
if ((( ace.AceFlags & AceFlags.AuditFlags ) == ( newAce.AceFlags & AceFlags.AuditFlags )) &&
( ace.AccessMask == newAce.AccessMask ))
{
AceFlags merged;
//
// See whether the inheritance bits can be merged
//
if (( ace is ObjectAce ) || ( newAce is ObjectAce ))
{
// object types need to match (for access mask equality) and inheritance flags need additional DS specific logic
// to check whether they can be merged
if (( ObjectTypesMatch( ace, newAce )) &&
( AceFlagsAreMergeable( ace, newAce )))
{
if ( true == MergeInheritanceBits( ace.AceFlags, newAce.AceFlags, IsDS, out merged ))
{
ace.AceFlags = ( merged | ( ace.AceFlags & AceFlags.AuditFlags ));
return true;
}
}
}
else
{
if ( true == MergeInheritanceBits( ace.AceFlags, newAce.AceFlags, IsDS, out merged ))
{
ace.AceFlags = ( merged | ( ace.AceFlags & AceFlags.AuditFlags ));
return true;
}
}
}
return false;
}
private bool AccessMasksAreMergeable(QualifiedAce ace, QualifiedAce newAce)
{
if (this.ObjectTypesMatch(ace, newAce))
{
return true;
}
ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce) ace).ObjectAceFlags : ObjectAceFlags.None;
return ((((ace.AccessMask & newAce.AccessMask) & ObjectAce.AccessMaskWithObjectType) == (newAce.AccessMask & ObjectAce.AccessMaskWithObjectType)) && ((flags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None));
}
