public void CustomAce_GetBinaryForm_Invalid() { GenericAce ace = new CustomAce((AceType)19, (AceFlags)0, new byte[4]); Assert.Throws<ArgumentNullException>("binaryForm", () => ace.GetBinaryForm(null, 1)); Assert.Throws<ArgumentOutOfRangeException>("offset", () => ace.GetBinaryForm(new byte[1], -1)); Assert.Throws<ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength + 1], 2)); Assert.Throws<ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength], 1)); }
public void CustomAce_GetBinaryForm_Invalid() { GenericAce ace = new CustomAce((AceType)19, (AceFlags)0, new byte[4]); Assert.Throws <ArgumentNullException>("binaryForm", () => ace.GetBinaryForm(null, 1)); Assert.Throws <ArgumentOutOfRangeException>("offset", () => ace.GetBinaryForm(new byte[1], -1)); Assert.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength + 1], 2)); Assert.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength], 1)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; GenericAce genericAce = null; string owner = null; int index = 0; // case 1, no ACE, insert at index -1 Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(index, genericAce); }); //case 2, no ACE, insert at index Count + 1 Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = rawAcl.Count + 1; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(index, genericAce); }); //case 3, one ACE, insert null ACE Assert.Throws <ArgumentNullException>(() => { rawAcl = new RawAcl(1, 1); index = 0; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(index, genericAce); genericAce = null; rawAcl.InsertAce(index, genericAce); }); //case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace Assert.Throws <OverflowException>(() => { rawAcl = new RawAcl(1, 1); byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque); rawAcl.InsertAce(0, gAce); }); }
private static object[] CustomAce_CreateTestData(int intType, int intFlags, int opaqueLength, int offset) { byte[] opaque = new byte[opaqueLength]; AceType type = (AceType)intType; AceFlags flags = (AceFlags)intFlags; CustomAce ace = new CustomAce(type, flags, opaque); Assert.Equal(type, ace.AceType); Assert.Equal(flags, ace.AceFlags); Assert.Equal(opaque, ace.GetOpaque()); byte[] binaryForm = new byte[ace.BinaryLength + offset]; binaryForm[offset + 0] = (byte)type; binaryForm[offset + 1] = (byte)flags; binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0); binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8); opaque.CopyTo(binaryForm, 4 + offset); return new object[] { ace, binaryForm, offset }; }
private static object[] CustomAce_CreateTestData(int intType, int intFlags, int opaqueLength, int offset) { byte[] opaque = new byte[opaqueLength]; AceType type = (AceType)intType; AceFlags flags = (AceFlags)intFlags; CustomAce ace = new CustomAce(type, flags, opaque); Assert.Equal(type, ace.AceType); Assert.Equal(flags, ace.AceFlags); Assert.Equal(opaque, ace.GetOpaque()); byte[] binaryForm = new byte[ace.BinaryLength + offset]; binaryForm[offset + 0] = (byte)type; binaryForm[offset + 1] = (byte)flags; binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0); binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8); opaque.CopyTo(binaryForm, 4 + offset); return(new object[] { ace, binaryForm, offset }); }
public static void AddAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, non-Container, but InheritanceFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 2, non-Container, but PropagationFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit); }); //Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly); }); //Case 6, accessMask = 0 Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, add one Access ACE to the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 0; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF //add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not //be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3 //call the same method to check the meaninglessness, only some sanitory cases are enough. //bug# 288116 Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; inheritanceFlags = 0; //InheritanceFlags.None propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws <ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 12, add Ace to exceed binary length boundary, throw exception isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; byte[] binaryForm = null; int offset = 0; //case 1, binaryForm is null Assert.Throws <ArgumentNullException>(() => { binaryForm = null; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 2, binaryForm is empty Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[0]; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 3, negative offset Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[100]; offset = -1; rawAcl = new RawAcl(binaryForm, offset); }); //case 4, binaryForm length less than GenericAcl.HeaderLength Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[4]; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; //CustomAce constructor parameters AceType aceType = 0; AceFlags aceFlag = 0; byte[] opaque = null; revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4 gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace gAce = null; sid = "BA"; //CustomAce constructor parameters aceType = 0; aceFlag = 0; binaryForm = new byte[65536]; AssertExtensions.Throws <ArgumentException>("binaryForm", () => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); rawAcl.GetBinaryForm(binaryForm, 0); //change the length bytes to 65535 binaryForm[2] = 0xf; binaryForm[3] = 0xf; //change the aceCount to 1 binaryForm[4] = 1; aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4 gAce = new CustomAce(aceType, aceFlag, opaque); gAce.GetBinaryForm(binaryForm, 8); TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length); }); //case 7, a valid binary representation with revision 255, 256 Access //CommonAce to test the correctness of the process of the AceCount in the header revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); for (int i = 0; i < 256; i++) { gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); } binaryForm = new byte[rawAcl.BinaryLength + 1000]; rawAcl.GetBinaryForm(binaryForm, 1000); Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength)); //case 8, array containing garbage Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); //case 9, array containing garbage Assert.Throws <ArgumentOutOfRangeException>(() => { //binary form shows the length will be 1, actual length is 12 binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); //case 10, array containing garbage Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); }
public static void AddAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, non-Container, but InheritanceFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 2, non-Container, but PropagationFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit); }); //Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly); }); //Case 6, accessMask = 0 Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, add one Access ACE to the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 0; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF //add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not //be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3 //call the same method to check the meaninglessness, only some sanitory cases are enough. //bug# 288116 Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; inheritanceFlags = 0;//InheritanceFlags.None propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws<ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 12, add Ace to exceed binary length boundary, throw exception isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, non-Container, but InheritanceFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 5, non-Container, but PropagationFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 6, set one audit ACE to the SystemAcl with no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 7, all the ACEs in the Sacl are non-qualified ACE, no merge Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, Set Ace to exceed binary length boundary, throw exception Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException systemAcl.SetAudit((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; byte[] binaryForm = null; int offset = 0; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 3, a valid binary representation with revision 127, 1 CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 4, a valid binary representation with revision 1, 1 CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 5, a valid binary representation with revision 1, 1 ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 6, a valid binary representation with revision 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength)); //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5 revision = 127; capacity = 5; rawAcl = new RawAcl(revision, capacity); //SystemAudit CommonAce gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //Access Allowed CommonAce gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); //ObjectAce aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, remove one audit ACE from the SystemAcl with no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 2, remove the last one audit ACE from the SystemAcl isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 3, accessMask = 0 AssertExtensions.Throws <ArgumentException>("accessMask", () => { isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 4, Audit Qualifier None AssertExtensions.Throws <ArgumentException>("auditFlags", () => { isContainer = true; isDS = false; auditFlags = 0; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = true; isDS = false; auditFlags = 1; accessMask = 1; sid = "BA"; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void Constructor3_AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //drop the Ace from rawAcl rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //15 has all inheritance AceFlags but Inherited gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //8 has inheritOnly gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 4, 1 CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.None; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); //case 5, 1 CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); // 2 has ContainerInherit aceFlag = (AceFlags)2; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); //case 6, 1 ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 7, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 8, all Aces from case 1, and 3 to 6 revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); //0 access Mask gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // ObjectAce aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // CustomAce aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.None; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(rawAcl.Count, gAce); // CompoundAce aceFlag = (AceFlags)2; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString()))); rawAcl.InsertAce(rawAcl.Count, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); rawAcl.RemoveAce(0); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); discretionaryAcl = null; isContainer = false; isDS = false; rawAcl = null; //case 1, rawAcl = null discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; GenericAce genericAce = null; GenericAce verifierGenericAce = null; string owner = null; int index = 0; // case 1, no ACE, get index at -1 Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; verifierGenericAce = rawAcl[index]; }); //case 2, get index at Count Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = rawAcl.Count; verifierGenericAce = rawAcl[index]; }); //case 3, set index at -1 Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl[index] = genericAce; }); //case 4, set index at Count Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = rawAcl.Count; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl[index] = genericAce; }); //case 5, set null Ace Assert.Throws<ArgumentNullException>(() => { rawAcl = new RawAcl(1, 1); index = 0; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, genericAce); genericAce = null; rawAcl[index] = genericAce; }); //case 6, set Ace causing binarylength overflow Assert.Throws<OverflowException>(() => { byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; rawAcl = new RawAcl(1, 1); index = 0; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, genericAce); genericAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque); rawAcl[index] = genericAce; }); }
public static void RemoveAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; bool removePossible = false; byte[] opaque = null; //Case 1, remove one ACE from the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)) ; //Case 2, remove the last ACE from the DiscretionaryAcl isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)) ; //Case 3, accessMask = 0 Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 4, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; removePossible = true; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible); }); //Case 7, Remove Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.Throws <ArgumentOutOfRangeException>(() => { discretionaryAcl.RemoveAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl sAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, an SystemAudit ACE with a zero access mask is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.AuditFlags, AceQualifier.SystemAudit, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the only ACE is a meaningless ACE, will be removed //drop the ace from the rawAcl rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 2, an inherit-only SystemAudit ACE on an object ACL is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.InheritanceFlags | AceFlags.AuditFlags, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the only ACE is a meaningless ACE, will be removed rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 3, an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //200 has inheritOnly, SuccessfulAccess and FailedAccess gAce = new CommonAce((AceFlags)200, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the only ACE is a meaningless ACE, will be removed rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 4, a SystemAudit ACE without Success or Failure Flags is meaningless, will be removed revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //audit ACE does not specify either Success or Failure Flags is removed rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 5, a CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.AuditFlags; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl)); //case 6, a CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.AuditFlags; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl)); //case 7, a ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags; aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; sAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 8, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 9, Aces from case 1 to 7 revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); rawAcl = new RawAcl(revision, capacity); //an SystemAudit ACE with a zero access mask //is meaningless, will be removed gAce = new CommonAce(AceFlags.AuditFlags, AceQualifier.SystemAudit, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 1.ToString()), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object //is meaningless, will be removed //200 has inheritOnly, SuccessfulAccess and FailedAccess gAce = new CommonAce((AceFlags)200, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 2.ToString()), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //a SystemAudit ACE without Success or Failure Flags //is meaningless, will be removed gAce = new CommonAce(AceFlags.None, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 3.ToString()), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //a ObjectAce aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags; aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 4.ToString()), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // a CustomAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.AuditFlags, null); rawAcl.InsertAce(rawAcl.Count, gAce); //a CompoundAce gAce = new CompoundAce(AceFlags.AuditFlags, 1, CompoundAceType.Impersonation, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 5.ToString())); rawAcl.InsertAce(rawAcl.Count, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the first 3 Aces will be removed by SystemAcl constructor rawAcl.RemoveAce(0); rawAcl.RemoveAce(0); rawAcl.RemoveAce(0); //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl)); }
public static void Purge_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; int aceCount = 0; SecurityIdentifier sid = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sidStr = "LA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 2, only have 1 explicit Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritonly and inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 3, only have 1 explicit Ace of different sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all aceflags but inheritedonly and inherited sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; sidStr = "BA"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 4, only have 1 inherited Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 5, have one explicit Ace and one inherited Ace of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritedonly and inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null); rawAcl.InsertAce(0, gAce); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 6, have two explicit Aces of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //207 has all AceFlags but inherited gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, 0)); //case 7, 1 explicit CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //199 has all AceFlags except InheritOnly and Inherited aceFlag = (AceFlags)199; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); aceCount = 1; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestPurge(discretionaryAcl, sid, aceCount); }); //case 8, 1 explicit CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestPurge(discretionaryAcl, sid, aceCount); }); //case 9, 1 explict ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; GenericAce genericAce = null; string owner = null; int index = 0; // case 1, no ACE, insert at index -1 Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(index, genericAce); }); //case 2, no ACE, insert at index Count + 1 Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = rawAcl.Count + 1; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(index, genericAce); }); //case 3, one ACE, insert null ACE Assert.Throws<ArgumentNullException>(() => { rawAcl = new RawAcl(1, 1); index = 0; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(index, genericAce); genericAce = null; rawAcl.InsertAce(index, genericAce); }); //case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace Assert.Throws<OverflowException>(() => { rawAcl = new RawAcl(1, 1); byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque); rawAcl.InsertAce(0, gAce); }); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; byte[] binaryForm = null; int offset = 0; //case 1, binaryForm is null Assert.Throws<ArgumentNullException>(() => { binaryForm = null; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 2, binaryForm is empty Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[0]; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 3, negative offset Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[100]; offset = -1; rawAcl = new RawAcl(binaryForm, offset); }); //case 4, binaryForm length less than GenericAcl.HeaderLength Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[4]; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; //CustomAce constructor parameters AceType aceType = 0; AceFlags aceFlag = 0; byte[] opaque = null; revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4 gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace gAce = null; sid = "BA"; //CustomAce constructor parameters aceType = 0; aceFlag = 0; binaryForm = new byte[65536]; Assert.Throws<ArgumentException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); rawAcl.GetBinaryForm(binaryForm, 0); //change the length bytes to 65535 binaryForm[2] = 0xf; binaryForm[3] = 0xf; //change the aceCount to 1 binaryForm[4] = 1; aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4 gAce = new CustomAce(aceType, aceFlag, opaque); gAce.GetBinaryForm(binaryForm, 8); TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length); }); //case 7, a valid binary representation with revision 255, 256 Access //CommonAce to test the correctness of the process of the AceCount in the header revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); for (int i = 0; i < 256; i++) { gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); } binaryForm = new byte[rawAcl.BinaryLength + 1000]; rawAcl.GetBinaryForm(binaryForm, 1000); Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength)); //case 8, array containing garbage Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); //case 9, array containing garbage Assert.Throws<ArgumentOutOfRangeException>(() => { //binary form shows the length will be 1, actual length is 12 binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); //case 10, array containing garbage Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); }
public static void RemoveInheritedAces_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(2, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(3, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(2, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestRemoveInheritedAces(discretionaryAcl); }); //case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(0, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 5, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 6, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 7, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 8, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //215 has all AceFlags except InheritOnly aceFlag = (AceFlags)215; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 9, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 10, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); }
public static void SetAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, non-Container, but InheritanceFlags is not None AssertExtensions.Throws <ArgumentException>("inheritanceFlags", () => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 2, non-Container, but PropagationFlags is not None AssertExtensions.Throws <ArgumentException>("propagationFlags", () => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 3, set one allowed ACE to the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 4, accessMask = 0 AssertExtensions.Throws <ArgumentException>("accessMask", () => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case6, all the ACEs in the Dacl are non-qualified ACE, no replacement isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, set without replacement, exceed binary length boundary, throw exception isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, set without replacement, not exceed binary length boundary isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 28]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask + 1, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 9, set Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws <ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 3, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 4, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 5, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 6, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 7, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 8, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; bool removePossible = false; byte[] opaque = null; //Case 1, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, remove one audit ACE from the SystemAcl with no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)); //Case 5, remove the last one ACE from the SystemAcl isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)); //Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, true); }); //Case 7, remove split cause overflow // Test case no longer relevant in CoreCLR // Non-canonical ACLs cannot be modified }
public void CustomAce_CreateFromBinaryForm(GenericAce expectedAce, byte[] testBinaryForm, int testOffset) { GenericAce resultAce = CustomAce.CreateFromBinaryForm(testBinaryForm, testOffset); GenericAce_VerifyAces(expectedAce, resultAce); }
public static void RemoveAccessSpecific_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, remove one ACE from the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 2, remove the last one ACE from the DiscretionaryAcl isContainer = true; isDS = false; accessControlType = 0; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 3, accessMask = 0 Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 4, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; sid = "BA"; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestRemoveAccessSpecific (discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws<ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void RemoveInheritedAces_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(2, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(3, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(2, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestRemoveInheritedAces(discretionaryAcl); }); //case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(0, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 5, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 6, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 7, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 8, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //215 has all AceFlags except InheritOnly aceFlag = (AceFlags)215; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 9, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 10, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); }
public static void Purge_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; int aceCount = 0; SecurityIdentifier sid = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sidStr = "LA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 2, only have 1 explicit Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritonly and inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 3, only have 1 explicit Ace of different sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all aceflags but inheritedonly and inherited sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; sidStr = "BA"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 4, only have 1 inherited Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 5, have one explicit Ace and one inherited Ace of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritedonly and inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null); rawAcl.InsertAce(0, gAce); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 6, have two explicit Aces of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //207 has all AceFlags but inherited gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, 0)); //case 7, 1 explicit CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //199 has all AceFlags except InheritOnly and Inherited aceFlag = (AceFlags)199; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); aceCount = 1; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestPurge(discretionaryAcl, sid, aceCount); }); //case 8, 1 explicit CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestPurge(discretionaryAcl, sid, aceCount); }); //case 9, 1 explicit ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; GenericAce genericAce = null; GenericAce verifierGenericAce = null; string owner = null; int index = 0; // case 1, no ACE, get index at -1 Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; verifierGenericAce = rawAcl[index]; }); //case 2, get index at Count Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = rawAcl.Count; verifierGenericAce = rawAcl[index]; }); //case 3, set index at -1 Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl[index] = genericAce; }); //case 4, set index at Count Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = rawAcl.Count; owner = "BA"; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl[index] = genericAce; }); //case 5, set null Ace Assert.Throws <ArgumentNullException>(() => { rawAcl = new RawAcl(1, 1); index = 0; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, genericAce); genericAce = null; rawAcl[index] = genericAce; }); //case 6, set Ace causing binarylength overflow Assert.Throws <OverflowException>(() => { byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; rawAcl = new RawAcl(1, 1); index = 0; genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, genericAce); genericAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque); rawAcl[index] = genericAce; }); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, non-Container, but InheritanceFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 5, non-Container, but PropagationFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 6, Container, but InheritanceFlags is None, but PropagationFlags is InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 7, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit); }); //Case 8, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit | InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly); }); //Case 9, add one audit ACE to the SystemAcl has no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 10, all the ACEs in the Sacl are non-qualified ACE, no merge Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 11, add Ace to exceed binary length boundary, throw exception Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException systemAcl.AddAudit((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void SetAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, non-Container, but InheritanceFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 2, non-Container, but PropagationFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 3, set one allowed ACE to the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 4, accessMask = 0 Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case6, all the ACEs in the Dacl are non-qualified ACE, no replacement isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, set without replacement, exceed binary length boundary, throw exception isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, set without replacement, not exceed binary length boundary isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 28]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask + 1, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 9, set Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws<ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }