public void AddAccessRule_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var customAccessRuleAllow = new CustomAccessRule(
Helpers.s_NetworkServiceNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleDeny = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleAllow);
customObjectSecurity.AddAccessRule(customAccessRuleDeny);
AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
List <CustomAccessRule> addedRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.Contains(customAccessRuleAllow, addedRules);
Assert.Contains(customAccessRuleDeny, addedRules);
}
public void SetAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
new NTAccount(@"NT AUTHORITY\SYSTEM"), ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
customObjectSecurity.SetAccessRule(customAccessRuleRead);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.False(existingRules.Contains(customAccessRuleReadWrite));
Assert.True(existingRules.Contains(customAccessRuleRead));
}
public void SetAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
customObjectSecurity.SetAccessRule(customAccessRuleRead);
var existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleRead, existingRules);
}
public void RemoveAccessRuleAll_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleSynchronize = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
customObjectSecurity.AddAccessRule(customAccessRuleSynchronize);
customObjectSecurity.RemoveAccessRuleAll(customAccessRuleSynchronize);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.False(existingRules.Contains(customAccessRuleReadWrite));
Assert.False(existingRules.Contains(customAccessRuleSynchronize));
}
public void RemoveAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask;
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadDataAndAttribute = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, readDataAndAttribute, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute);
customObjectSecurity.RemoveAccessRule(customAccessRuleRead);
AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
Assert.Contains(ruleCollection.Cast <CustomAccessRule>(), x =>
x.IdentityReference == Helpers.s_LocalSystemNTAccount &&
x.AccessControlType == AccessControlType.Deny &&
x.AccessMaskValue == ReadAttributeAccessMask
);
}
public void RemoveAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask;
var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadDataAndAttribute = new CustomAccessRule(
identityReference, readDataAndAttribute, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
identityReference, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute);
customObjectSecurity.RemoveAccessRule(customAccessRuleRead);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.True(
existingRules.Any(
x => x.IdentityReference == identityReference &&
x.AccessControlType == AccessControlType.Deny &&
x.AccessMaskValue == ReadAttributeAccessMask
));
}
public void RemoveRule_AccessControlType_Allow_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleWrite = new CustomAccessRule(
identityReference, WriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
bool result = customObjectSecurity.RemoveAccessRule(customAccessRuleWrite);
Assert.Equal(true, result);
AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
Assert.Contains(ruleCollection.Cast <CustomAccessRule>(), x =>
x.IdentityReference == identityReference &&
x.AccessControlType == customAccessRuleReadWrite.AccessControlType &&
x.AccessMaskValue == ReadAccessMask
);
}
private bool IsEqual(CustomAccessRule accessRule)
{
return(IdentityReference.Equals(accessRule.IdentityReference) &&
AccessMask.Equals(accessRule.AccessMask) &&
AccessControlType.Equals(accessRule.AccessControlType) &&
InheritanceFlags.Equals(accessRule.InheritanceFlags) &&
PropagationFlags.Equals(accessRule.PropagationFlags));
}
public void RemoveAccessRuleAll_AccessControlType_Deny_ThrowException()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
AssertExtensions.Throws <InvalidOperationException, SystemException>(() => customObjectSecurity.RemoveAccessRuleAll(customAccessRuleReadWrite));
}
public void SetCustomDescriptor_Success()
{
// We didn't allow setting the security descriptor in core due to assembly refactoring.
// GetAccessRules() would throw a null ref after setting the descriptor. We now expose
// the descriptor as a protected property (instead of internal).
// https://github.com/dotnet/corefx/issues/34151
var customObjectSecurity = new CustomDirectoryObjectSecurity();
// DACL:SDDL_PROTECTED SDDL_AUTO_INHERITED
// (SDDL_ACCESS_ALLOWED;SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT;access mask;;;SDDL_BUILTIN_USERS)
customObjectSecurity.SetSecurityDescriptorSddlForm("D:PAI(A;OICI;0x1200a9;;;BU)");
var rules = customObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
Assert.Equal(1, rules.Count);
CustomAccessRule rule = (CustomAccessRule)rules[0];
// Should be users group
Assert.Equal(rule.IdentityReference.Value, "S-1-5-32-545");
Assert.Equal(AccessControlType.Allow, rule.AccessControlType);
Assert.Equal(InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, rule.InheritanceFlags);
Assert.Equal(0x1200a9, rule.AccessMaskValue);
}
public void RemoveAccessRuleSpecific_AccessControlType_Deny_NoMatchableRules_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
customObjectSecurity.RemoveAccessRuleSpecific(customAccessRuleRead);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
}
public void ResetAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleNetworkService = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null).Translate(typeof(NTAccount)), SynchronizeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleWrite = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), WriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
customObjectSecurity.AddAccessRule(customAccessRuleNetworkService);
List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.Contains(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
customObjectSecurity.ResetAccessRule(customAccessRuleWrite);
existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
Assert.Contains(customAccessRuleWrite, existingRules);
}
public void ResetAccessRule_AccessControlType_Allow_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleNetworkService = new CustomAccessRule(
Helpers.s_NetworkServiceNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleRead = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
customObjectSecurity.AddAccessRule(customAccessRuleNetworkService);
List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.Contains(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
customObjectSecurity.ResetAccessRule(customAccessRuleRead);
existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
Assert.Contains(customAccessRuleRead, existingRules);
}
