public void CustomAce_GetBinaryForm_Invalid()
{
GenericAce ace = new CustomAce((AceType)19, (AceFlags)0, new byte[4]);
Assert.Throws<ArgumentNullException>("binaryForm", () => ace.GetBinaryForm(null, 1));
Assert.Throws<ArgumentOutOfRangeException>("offset", () => ace.GetBinaryForm(new byte[1], -1));
Assert.Throws<ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength + 1], 2));
Assert.Throws<ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength], 1));
}
public void CustomAce_GetBinaryForm_Invalid()
{
GenericAce ace = new CustomAce((AceType)19, (AceFlags)0, new byte[4]);
Assert.Throws <ArgumentNullException>("binaryForm", () => ace.GetBinaryForm(null, 1));
Assert.Throws <ArgumentOutOfRangeException>("offset", () => ace.GetBinaryForm(new byte[1], -1));
Assert.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength + 1], 2));
Assert.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength], 1));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce genericAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, insert at index -1
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 2, no ACE, insert at index Count + 1
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count + 1;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 3, one ACE, insert null ACE
Assert.Throws <ArgumentNullException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = 0;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
genericAce = null;
rawAcl.InsertAce(index, genericAce);
});
//case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
Assert.Throws <OverflowException>(() =>
{
rawAcl = new RawAcl(1, 1);
byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
rawAcl.InsertAce(0, gAce);
});
}
private static object[] CustomAce_CreateTestData(int intType, int intFlags, int opaqueLength, int offset)
{
byte[] opaque = new byte[opaqueLength];
AceType type = (AceType)intType;
AceFlags flags = (AceFlags)intFlags;
CustomAce ace = new CustomAce(type, flags, opaque);
Assert.Equal(type, ace.AceType);
Assert.Equal(flags, ace.AceFlags);
Assert.Equal(opaque, ace.GetOpaque());
byte[] binaryForm = new byte[ace.BinaryLength + offset];
binaryForm[offset + 0] = (byte)type;
binaryForm[offset + 1] = (byte)flags;
binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0);
binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8);
opaque.CopyTo(binaryForm, 4 + offset);
return new object[] { ace, binaryForm, offset };
}
private static object[] CustomAce_CreateTestData(int intType, int intFlags, int opaqueLength, int offset)
{
byte[] opaque = new byte[opaqueLength];
AceType type = (AceType)intType;
AceFlags flags = (AceFlags)intFlags;
CustomAce ace = new CustomAce(type, flags, opaque);
Assert.Equal(type, ace.AceType);
Assert.Equal(flags, ace.AceFlags);
Assert.Equal(opaque, ace.GetOpaque());
byte[] binaryForm = new byte[ace.BinaryLength + offset];
binaryForm[offset + 0] = (byte)type;
binaryForm[offset + 1] = (byte)flags;
binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0);
binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8);
opaque.CopyTo(binaryForm, 4 + offset);
return(new object[] { ace, binaryForm, offset });
}
public static void AddAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 6, accessMask = 0
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, add one Access ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF
//add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not
//be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3
//call the same method to check the meaninglessness, only some sanitory cases are enough.
//bug# 288116
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 0; //InheritanceFlags.None
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge
Assert.Throws <InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 12, add Ace to exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque);;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
//case 1, binaryForm is null
Assert.Throws <ArgumentNullException>(() =>
{
binaryForm = null;
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 2, binaryForm is empty
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[0];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 3, negative offset
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[100];
offset = -1;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 4, binaryForm length less than GenericAcl.HeaderLength
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[4];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//CustomAce constructor parameters
AceType aceType = 0;
AceFlags aceFlag = 0;
byte[] opaque = null;
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
gAce = null;
sid = "BA";
//CustomAce constructor parameters
aceType = 0;
aceFlag = 0;
binaryForm = new byte[65536];
AssertExtensions.Throws <ArgumentException>("binaryForm", () =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
rawAcl.GetBinaryForm(binaryForm, 0);
//change the length bytes to 65535
binaryForm[2] = 0xf;
binaryForm[3] = 0xf;
//change the aceCount to 1
binaryForm[4] = 1;
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
gAce.GetBinaryForm(binaryForm, 8);
TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length);
});
//case 7, a valid binary representation with revision 255, 256 Access
//CommonAce to test the correctness of the process of the AceCount in the header
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 256; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
}
binaryForm = new byte[rawAcl.BinaryLength + 1000];
rawAcl.GetBinaryForm(binaryForm, 1000);
Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength));
//case 8, array containing garbage
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 9, array containing garbage
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
//binary form shows the length will be 1, actual length is 12
binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 10, array containing garbage
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
}
public static void AddAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 6, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, add one Access ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF
//add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not
//be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3
//call the same method to check the meaninglessness, only some sanitory cases are enough.
//bug# 288116
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 0;//InheritanceFlags.None
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 12, add Ace to exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 5, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 6, set one audit ACE to the SystemAcl with no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
//Case 7, all the ACEs in the Sacl are non-qualified ACE, no merge
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, Set Ace to exceed binary length boundary, throw exception
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
systemAcl.SetAudit((AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 3, a valid binary representation with revision 127, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 4, a valid binary representation with revision 1, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 5, a valid binary representation with revision 1, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a valid binary representation with revision 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));
//case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
revision = 127;
capacity = 5;
rawAcl = new RawAcl(revision, capacity);
//SystemAudit CommonAce
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//Access Allowed CommonAce
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, remove one audit ACE from the SystemAcl with no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
//Case 2, remove the last one audit ACE from the SystemAcl
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
//Case 3, accessMask = 0
AssertExtensions.Throws <ArgumentException>("accessMask", () =>
{
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, Audit Qualifier None
AssertExtensions.Throws <ArgumentException>("auditFlags", () =>
{
isContainer = true;
isDS = false;
auditFlags = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
auditFlags = 1;
accessMask = 1;
sid = "BA";
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove
Assert.Throws <InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestRemoveAuditSpecific(systemAcl,
rawAcl,
(AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public static void Constructor3_AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//drop the Ace from rawAcl
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//15 has all inheritance AceFlags but Inherited
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//8 has inheritOnly
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 4, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 5, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
// 2 has ContainerInherit
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 6, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 7, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 8, all Aces from case 1, and 3 to 6
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
//0 access Mask
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// ObjectAce
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CompoundAce
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
discretionaryAcl = null;
isContainer = false;
isDS = false;
rawAcl = null;
//case 1, rawAcl = null
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce genericAce = null;
GenericAce verifierGenericAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, get index at -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
verifierGenericAce = rawAcl[index];
});
//case 2, get index at Count
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count;
verifierGenericAce = rawAcl[index];
});
//case 3, set index at -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl[index] = genericAce;
});
//case 4, set index at Count
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl[index] = genericAce;
});
//case 5, set null Ace
Assert.Throws<ArgumentNullException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = 0;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, genericAce);
genericAce = null;
rawAcl[index] = genericAce;
});
//case 6, set Ace causing binarylength overflow
Assert.Throws<OverflowException>(() =>
{
byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
rawAcl = new RawAcl(1, 1);
index = 0;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, genericAce);
genericAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
rawAcl[index] = genericAce;
});
}
public static void RemoveAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
bool removePossible = false;
byte[] opaque = null;
//Case 1, remove one ACE from the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible))
;
//Case 2, remove the last ACE from the DiscretionaryAcl
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible))
;
//Case 3, accessMask = 0
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
removePossible = true;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestRemoveAccess(discretionaryAcl, rawAcl,
(AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags, removePossible);
});
//Case 7, Remove Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
discretionaryAcl.RemoveAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public static void AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl sAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an SystemAudit ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.AuditFlags,
AceQualifier.SystemAudit,
0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
//drop the ace from the rawAcl
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only SystemAudit ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.InheritanceFlags | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//200 has inheritOnly, SuccessfulAccess and FailedAccess
gAce = new CommonAce((AceFlags)200,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 4, a SystemAudit ACE without Success or Failure Flags is meaningless, will be removed
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//audit ACE does not specify either Success or Failure Flags is removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 5, a CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.AuditFlags;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
//case 6, a CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.AuditFlags;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag,
accessMask,
compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
//case 7, a ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag,
aceQualifier,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
objectAceFlag, objectAceType,
inheritedObjectAceType,
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 8, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 9, Aces from case 1 to 7
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
//an SystemAudit ACE with a zero access mask
//is meaningless, will be removed
gAce = new CommonAce(AceFlags.AuditFlags,
AceQualifier.SystemAudit,
0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 1.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object
//is meaningless, will be removed
//200 has inheritOnly, SuccessfulAccess and FailedAccess
gAce = new CommonAce((AceFlags)200,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 2.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a SystemAudit ACE without Success or Failure Flags
//is meaningless, will be removed
gAce = new CommonAce(AceFlags.None,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 3.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a ObjectAce
aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag,
aceQualifier,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 4.ToString()),
objectAceFlag, objectAceType,
inheritedObjectAceType,
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// a CustomAce
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.AuditFlags,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a CompoundAce
gAce = new CompoundAce(AceFlags.AuditFlags,
1,
CompoundAceType.Impersonation,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 5.ToString()));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the first 3 Aces will be removed by SystemAcl constructor
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
}
public static void Purge_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
int aceCount = 0;
SecurityIdentifier sid = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sidStr = "LA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 2, only have 1 explicit Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 3, only have 1 explicit Ace of different sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all aceflags but inheritedonly and inherited
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
sidStr = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 4, only have 1 inherited Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 5, have one explicit Ace and one inherited Ace of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 6, have two explicit Aces of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//207 has all AceFlags but inherited
gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, 0));
//case 7, 1 explicit CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//199 has all AceFlags except InheritOnly and Inherited
aceFlag = (AceFlags)199;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
aceCount = 1;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 8, 1 explicit CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 9, 1 explict ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce genericAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, insert at index -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 2, no ACE, insert at index Count + 1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count + 1;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 3, one ACE, insert null ACE
Assert.Throws<ArgumentNullException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = 0;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
genericAce = null;
rawAcl.InsertAce(index, genericAce);
});
//case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
Assert.Throws<OverflowException>(() =>
{
rawAcl = new RawAcl(1, 1);
byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
rawAcl.InsertAce(0, gAce);
});
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
//case 1, binaryForm is null
Assert.Throws<ArgumentNullException>(() =>
{
binaryForm = null;
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 2, binaryForm is empty
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[0];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 3, negative offset
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[100];
offset = -1;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 4, binaryForm length less than GenericAcl.HeaderLength
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[4];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//CustomAce constructor parameters
AceType aceType = 0;
AceFlags aceFlag = 0;
byte[] opaque = null;
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
gAce = null;
sid = "BA";
//CustomAce constructor parameters
aceType = 0;
aceFlag = 0;
binaryForm = new byte[65536];
Assert.Throws<ArgumentException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
rawAcl.GetBinaryForm(binaryForm, 0);
//change the length bytes to 65535
binaryForm[2] = 0xf;
binaryForm[3] = 0xf;
//change the aceCount to 1
binaryForm[4] = 1;
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
gAce.GetBinaryForm(binaryForm, 8);
TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length);
});
//case 7, a valid binary representation with revision 255, 256 Access
//CommonAce to test the correctness of the process of the AceCount in the header
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 256; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
}
binaryForm = new byte[rawAcl.BinaryLength + 1000];
rawAcl.GetBinaryForm(binaryForm, 1000);
Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength));
//case 8, array containing garbage
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 9, array containing garbage
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
//binary form shows the length will be 1, actual length is 12
binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 10, array containing garbage
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 3, a valid binary representation with revision 127, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 4, a valid binary representation with revision 1, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 5, a valid binary representation with revision 1, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a valid binary representation with revision 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));
//case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
revision = 127;
capacity = 5;
rawAcl = new RawAcl(revision, capacity);
//SystemAudit CommonAce
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//Access Allowed CommonAce
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));
}
public static void RemoveInheritedAces_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(2, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(3, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(2, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestRemoveInheritedAces(discretionaryAcl);
});
//case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 5, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 6, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 7, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 8, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//215 has all AceFlags except InheritOnly
aceFlag = (AceFlags)215;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 9, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 10, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
}
public static void SetAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
AssertExtensions.Throws <ArgumentException>("inheritanceFlags", () =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
AssertExtensions.Throws <ArgumentException>("propagationFlags", () =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, set one allowed ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 4, accessMask = 0
AssertExtensions.Throws <ArgumentException>("accessMask", () =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case6, all the ACEs in the Dacl are non-qualified ACE, no replacement
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, set without replacement, exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, set without replacement, not exceed binary length boundary
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 28];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask + 1, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 9, set Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public static void BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 3, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 4, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 5, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 6, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 7, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 8, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
}
public static void Constructor3_AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//drop the Ace from rawAcl
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//15 has all inheritance AceFlags but Inherited
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//8 has inheritOnly
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 4, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 5, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
// 2 has ContainerInherit
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 6, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 7, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 8, all Aces from case 1, and 3 to 6
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
//0 access Mask
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// ObjectAce
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CompoundAce
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
discretionaryAcl = null;
isContainer = false;
isDS = false;
rawAcl = null;
//case 1, rawAcl = null
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
bool removePossible = false;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, remove one audit ACE from the SystemAcl with no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));
//Case 5, remove the last one ACE from the SystemAcl
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));
//Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, true);
});
//Case 7, remove split cause overflow
// Test case no longer relevant in CoreCLR
// Non-canonical ACLs cannot be modified
}
public static void AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl sAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an SystemAudit ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.AuditFlags,
AceQualifier.SystemAudit,
0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
//drop the ace from the rawAcl
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only SystemAudit ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.InheritanceFlags | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//200 has inheritOnly, SuccessfulAccess and FailedAccess
gAce = new CommonAce((AceFlags)200,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 4, a SystemAudit ACE without Success or Failure Flags is meaningless, will be removed
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//audit ACE does not specify either Success or Failure Flags is removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 5, a CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.AuditFlags;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
//case 6, a CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.AuditFlags;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag,
accessMask,
compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
//case 7, a ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag,
aceQualifier,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
objectAceFlag, objectAceType,
inheritedObjectAceType,
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 8, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 9, Aces from case 1 to 7
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
//an SystemAudit ACE with a zero access mask
//is meaningless, will be removed
gAce = new CommonAce(AceFlags.AuditFlags,
AceQualifier.SystemAudit,
0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 1.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object
//is meaningless, will be removed
//200 has inheritOnly, SuccessfulAccess and FailedAccess
gAce = new CommonAce((AceFlags)200,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 2.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a SystemAudit ACE without Success or Failure Flags
//is meaningless, will be removed
gAce = new CommonAce(AceFlags.None,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 3.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a ObjectAce
aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag,
aceQualifier,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 4.ToString()),
objectAceFlag, objectAceType,
inheritedObjectAceType,
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// a CustomAce
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.AuditFlags,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a CompoundAce
gAce = new CompoundAce(AceFlags.AuditFlags,
1,
CompoundAceType.Impersonation,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 5.ToString()));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the first 3 Aces will be removed by SystemAcl constructor
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
}
public void CustomAce_CreateFromBinaryForm(GenericAce expectedAce, byte[] testBinaryForm, int testOffset)
{
GenericAce resultAce = CustomAce.CreateFromBinaryForm(testBinaryForm, testOffset);
GenericAce_VerifyAces(expectedAce, resultAce);
}
public static void RemoveAccessSpecific_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, remove one ACE from the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 2, remove the last one ACE from the DiscretionaryAcl
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 3, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
sid = "BA";
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestRemoveAccessSpecific
(discretionaryAcl, rawAcl,
(AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public static void BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 3, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 4, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 5, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 6, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 7, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 8, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
}
public static void RemoveInheritedAces_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(2, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(3, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(2, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestRemoveInheritedAces(discretionaryAcl);
});
//case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 5, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 6, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 7, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 8, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//215 has all AceFlags except InheritOnly
aceFlag = (AceFlags)215;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 9, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 10, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
}
public static void Purge_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
int aceCount = 0;
SecurityIdentifier sid = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sidStr = "LA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 2, only have 1 explicit Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 3, only have 1 explicit Ace of different sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all aceflags but inheritedonly and inherited
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
sidStr = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 4, only have 1 inherited Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 5, have one explicit Ace and one inherited Ace of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 6, have two explicit Aces of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//207 has all AceFlags but inherited
gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, 0));
//case 7, 1 explicit CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//199 has all AceFlags except InheritOnly and Inherited
aceFlag = (AceFlags)199;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
aceCount = 1;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 8, 1 explicit CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 9, 1 explicit ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce genericAce = null;
GenericAce verifierGenericAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, get index at -1
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
verifierGenericAce = rawAcl[index];
});
//case 2, get index at Count
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count;
verifierGenericAce = rawAcl[index];
});
//case 3, set index at -1
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl[index] = genericAce;
});
//case 4, set index at Count
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl[index] = genericAce;
});
//case 5, set null Ace
Assert.Throws <ArgumentNullException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = 0;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, genericAce);
genericAce = null;
rawAcl[index] = genericAce;
});
//case 6, set Ace causing binarylength overflow
Assert.Throws <OverflowException>(() =>
{
byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
rawAcl = new RawAcl(1, 1);
index = 0;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, genericAce);
genericAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
rawAcl[index] = genericAce;
});
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, non-Container, but InheritanceFlags is not None
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 5, non-Container, but PropagationFlags is not None
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 6, Container, but InheritanceFlags is None, but PropagationFlags is InheritOnly
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 7, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 8, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 9, add one audit ACE to the SystemAcl has no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
//Case 10, all the ACEs in the Sacl are non-qualified ACE, no merge
Assert.Throws <InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 11, add Ace to exceed binary length boundary, throw exception
Assert.Throws <InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
systemAcl.AddAudit((AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void SetAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, set one allowed ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 4, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case6, all the ACEs in the Dacl are non-qualified ACE, no replacement
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, set without replacement, exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, set without replacement, not exceed binary length boundary
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 28];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask + 1, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 9, set Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
