Ejemplo n.º 1
        public void AddAuditObjectAceAndCommonAce()
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            SystemAcl          sacl = new SystemAcl(false, true, 0);

            sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
                          ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid(), Guid.Empty);
            sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
                          ObjectAceFlags.None, Guid.Empty, Guid.Empty);
            Assert.AreEqual(2, sacl.Count);

            CommonAce cace = (CommonAce)sacl [0];

            Assert.AreEqual(1, cace.AccessMask);
            Assert.AreEqual("S-1-5-32-544", cace.SecurityIdentifier.Value);

            ObjectAce oace = (ObjectAce)sacl [1];

            Assert.AreEqual(1, oace.AccessMask);
            Assert.AreEqual("S-1-5-32-544", oace.SecurityIdentifier.Value);

            sacl.AddAudit(AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None,
                          ObjectAceFlags.None, Guid.Empty, Guid.Empty);
            Assert.AreEqual(2, sacl.Count);

            CommonAce cace2 = (CommonAce)sacl [0];

            Assert.AreEqual(3, cace2.AccessMask);
 public void MaxOpaqueLength()
     Assert.AreEqual(65459, CommonAce.MaxOpaqueLength(true));
     Assert.AreEqual(65459, CommonAce.MaxOpaqueLength(false));
     Assert.AreEqual(65423, ObjectAce.MaxOpaqueLength(true));
     Assert.AreEqual(65423, ObjectAce.MaxOpaqueLength(false));
Ejemplo n.º 3
        private List <string> WalkACL(CommonAcl acl, bool translateSid = true)
            List <String> ret = new List <string> {

            foreach (Object oACE in acl)
                if (oACE.GetType().Name == "CommonAce")
                    CommonAce oReadAce = (CommonAce)oACE;

                    ret.AddFormatted("\t\t\tType: <{0}> Flags: <{1}>", oReadAce.AceType, oReadAce.AceFlags);
                    ret.AddFormatted("\t\t\tTrustee: <{0}>", DecodeSID(oReadAce.SecurityIdentifier, translateSid));
                    ret.AddFormatted("\t\t\t  AccessMask: <{0}> ({1})", DecodeAccessMask(oReadAce.AccessMask), oReadAce.IsInherited ? "inherited right" : "direct right");
                    ret.AddFormatted("\t\t\t  inheritance: <{0}> propagation: <{1}>", oReadAce.InheritanceFlags, oReadAce.PropagationFlags);

                else if (oACE.GetType().Name == "ObjectAce")
                    ObjectAce oReadAce = (ObjectAce)oACE;

                    ret.AddFormatted("\t\t\tType: <{0}> Flags: <{1}>", oReadAce.AceType, oReadAce.AceFlags);
                    ret.AddFormatted("\t\t\tTrustee: <{0}>", DecodeSID(oReadAce.SecurityIdentifier, translateSid));
                    ret.AddFormatted("\t\t\t  AccessMask: <{0}> ({1})", DecodeAccessMask(oReadAce.AccessMask), oReadAce.IsInherited ? "inherited right" : "direct right");


                    ret.AddFormatted("\t\t\t  inheritance: <{0}> propagation: <{1}>", oReadAce.InheritanceFlags, oReadAce.PropagationFlags);

                ret.AddFormatted("\t\t\t{0}", new string('-', 60));

Ejemplo n.º 4
        public List <string> DecodeOIDs(ObjectAce ace)
            List <string> ret = new List <string> {

            string valA = null;
            string valB = null;

            if (ace.ObjectAceFlags == ObjectAceFlags.None)

            if ((ace.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.ObjectAceTypePresent)
                valA = NameFromOID(ace.ObjectAceType);

            if ((ace.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.InheritedObjectAceTypePresent)
                valB = NameFromOID(ace.InheritedObjectAceType);

            if (valA != null)
                ret.AddFormatted("\t\t\t    Objecttype: <{0}>", valA);

            if (valB != null)
                ret.AddFormatted("\t\t\t    InheritedObjectType: <{0}>", valB);

Ejemplo n.º 5
        public void AddAccessObjectAceAndCommonAce()
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            DiscretionaryAcl   dacl = new DiscretionaryAcl(false, true, 0);

            dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
                           ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid(), Guid.Empty);
            dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None,
                           ObjectAceFlags.None, Guid.Empty, Guid.Empty);
            Assert.AreEqual(2, dacl.Count);

            CommonAce cace = (CommonAce)dacl [0];

            Assert.AreEqual(1, cace.AccessMask);
            Assert.AreEqual("S-1-5-32-544", cace.SecurityIdentifier.Value);

            ObjectAce oace = (ObjectAce)dacl [1];

            Assert.AreEqual(1, oace.AccessMask);
            Assert.AreEqual("S-1-5-32-544", oace.SecurityIdentifier.Value);

            dacl.AddAccess(AccessControlType.Allow, sid, 2, InheritanceFlags.None, PropagationFlags.None,
                           ObjectAceFlags.None, Guid.Empty, Guid.Empty);
            Assert.AreEqual(2, dacl.Count);

            CommonAce cace2 = (CommonAce)dacl [0];

            Assert.AreEqual(3, cace2.AccessMask);
Ejemplo n.º 6
        public void ObjectAce_GetBinaryForm_Invalid()
            ObjectAce ace = (ObjectAce)ObjectAce_CreateTestData(0, 0, 1, "S-1-5-11", 1, "{73D03E18-5C03-422c-9EC7-C4C5B1CB1612}", "{3CFD5DF9-9146-43c8-BF99-78E7E2DE4BAF}", false, 8, 0)[0];

            AssertExtensions.Throws <ArgumentNullException>("binaryForm", () => ace.GetBinaryForm(null, 1));
            AssertExtensions.Throws <ArgumentOutOfRangeException>("offset", () => ace.GetBinaryForm(new byte[1], -1));
            AssertExtensions.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength + 1], 2));
            AssertExtensions.Throws <ArgumentOutOfRangeException>("binaryForm", () => ace.GetBinaryForm(new byte[ace.BinaryLength], 1));
Ejemplo n.º 7
 protected static void VerifyObjectAce(ObjectAce ace, AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
     Assert.Equal(aceFlags, ace.AceFlags);
     Assert.Equal(accessMask, ace.AccessMask);
     Assert.Equal(sid, ace.SecurityIdentifier);
     Assert.Equal(opaque, ace.GetOpaque());
     Assert.Equal(qualifier, ace.AceQualifier);
     Assert.Equal(isCallback, ace.IsCallback);
     Assert.Equal(flags, ace.ObjectAceFlags);
     Assert.Equal(type, ace.ObjectAceType);
     Assert.Equal(inheritedType, ace.InheritedObjectAceType);
Ejemplo n.º 8
 protected static void VerifyObjectAce(ObjectAce ace, AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
     Assert.Equal(aceFlags, ace.AceFlags);
     Assert.Equal(accessMask, ace.AccessMask);
     Assert.Equal(sid, ace.SecurityIdentifier);
     Assert.Equal(opaque, ace.GetOpaque());
     Assert.Equal(qualifier, ace.AceQualifier);
     Assert.Equal(isCallback, ace.IsCallback);
     Assert.Equal(flags, ace.ObjectAceFlags);
     Assert.Equal(type, ace.ObjectAceType);
     Assert.Equal(inheritedType, ace.InheritedObjectAceType);
Ejemplo n.º 9
        public static void SetAclOnAlternateProperty(ADObject obj, GenericAce[] aces, PropertyDefinition sdProperty, SecurityIdentifier owner, SecurityIdentifier group)
            DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, true, aces.Length);

            foreach (GenericAce genericAce in aces)
                AccessControlType accessType;
                if (genericAce.AceType == AceType.AccessAllowed || genericAce.AceType == AceType.AccessAllowedObject)
                    accessType = AccessControlType.Allow;
                    if (genericAce.AceType != AceType.AccessDenied && genericAce.AceType != AceType.AccessDeniedObject)
                        throw new AceTypeHasUnsupportedValueException(genericAce.AceType.ToString());
                    accessType = AccessControlType.Deny;
                if (genericAce is CommonAce)
                    CommonAce commonAce = genericAce as CommonAce;
                    discretionaryAcl.AddAccess(accessType, commonAce.SecurityIdentifier, commonAce.AccessMask, commonAce.InheritanceFlags, commonAce.PropagationFlags);
                    if (!(genericAce is ObjectAce))
                        throw new AceIsUnsupportedTypeException(genericAce.GetType().ToString());
                    ObjectAce objectAce = genericAce as ObjectAce;
                    discretionaryAcl.AddAccess(accessType, objectAce.SecurityIdentifier, objectAce.AccessMask, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.ObjectAceFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType);
            CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, owner, group, null, discretionaryAcl);

            byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
            commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
            RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(binaryForm, 0);

            obj.SetProperties(new PropertyDefinition[]
            }, new object[]
Ejemplo n.º 10
        [Test]         // ... stumbled upon this by choosing Guid.Empty when needing an arbitrary GUID ...
        public void GuidEmptyMergesRegardlessOfFlagsAndOpaqueDataIsNotConsidered()
            SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

            RawAcl acl = MakeRawAcl(new GenericAce[] {
                new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid, true, new byte[12]),
                new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 4, sid, false, new byte[8]),                  // gets merged
                new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid,
                              ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty, false, new byte[8]),
                new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 2, sid,
                              ObjectAceFlags.InheritedObjectAceTypePresent, Guid.Empty, Guid.Empty, true, new byte[16]),                  // gets merged
                new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
                              ObjectAceFlags.InheritedObjectAceTypePresent, Guid.Empty, Guid.NewGuid(), true, new byte[4])

            Assert.AreEqual(236, acl.BinaryLength);

            DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, acl);

            Assert.AreEqual(3, dacl.Count);

            CommonAce cace = (CommonAce)dacl [0];

            Assert.AreEqual(12, cace.OpaqueLength);
            Assert.AreEqual(5, cace.AccessMask);

            ObjectAce oace = (ObjectAce)dacl [1];

            Assert.AreEqual(8, oace.OpaqueLength);
            Assert.AreEqual(3, oace.AccessMask);
            Assert.AreEqual(ObjectAceFlags.ObjectAceTypePresent, oace.ObjectAceFlags);
            Assert.AreEqual(Guid.Empty, oace.ObjectAceType);
        public static void RemoveInheritedAces_BasicValidationTestCases()
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;

            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 3,  non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision = 127;
            capacity = 5;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = AceFlags.InheritanceFlags;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
            new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(2, gAce);
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(3, gAce);
            aceQualifier = AceQualifier.AccessAllowed;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(2, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>


            //case 4,  all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision = 127;
            capacity = 5;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(0, gAce);
            aceQualifier = AceQualifier.AccessAllowed;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 5, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 6, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited					
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215  has all AceFlags except InheritOnly					
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 7, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215  has all AceFlags except InheritOnly					
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 8, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            //215 has all AceFlags except InheritOnly
            aceFlag = (AceFlags)215;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 9,  1 inherited CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 10, 1 inherited ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


Ejemplo n.º 12
        private static object[] ObjectAce_CreateTestData(int intFlags, int intQualifier, int accessMask, string stringsid, int intObjectAceFlags, string stringType, string stringInheritedType, bool isCallback, int opaqueLength, int offset)
            AceFlags           aceFlags  = (AceFlags)intFlags;
            AceQualifier       qualifier = (AceQualifier)intQualifier;
            SecurityIdentifier sid       = new SecurityIdentifier(stringsid);
            ObjectAceFlags     flags     = (ObjectAceFlags)intObjectAceFlags;
            Guid type          = new Guid(stringType);
            Guid inheritedType = new Guid(stringInheritedType);

            byte[] opaque = new byte[opaqueLength];

            ObjectAce ace = new ObjectAce(aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);

            VerifyObjectAce(ace, aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);

            byte[] binaryForm = new byte[ace.BinaryLength + offset];
            switch (qualifier)
            case AceQualifier.AccessAllowed:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessAllowedCallbackObject : (byte)AceType.AccessAllowedObject;

            case AceQualifier.AccessDenied:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessDeniedCallbackObject : (byte)AceType.AccessDeniedObject;

            case AceQualifier.SystemAudit:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAuditCallbackObject : (byte)AceType.SystemAuditObject;

            case AceQualifier.SystemAlarm:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAlarmCallbackObject : (byte)AceType.SystemAlarmObject;

            binaryForm[offset + 1] = (byte)aceFlags;
            binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0);
            binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8);

            int baseOffset  = offset + 4;
            int offsetLocal = 0;

                binaryForm[baseOffset + 0] = (byte)(accessMask >> 0);
                binaryForm[baseOffset + 1] = (byte)(accessMask >> 8);
                binaryForm[baseOffset + 2] = (byte)(accessMask >> 16);
                binaryForm[baseOffset + 3] = (byte)(accessMask >> 24);
            offsetLocal += 4;

            binaryForm[baseOffset + offsetLocal + 0] = (byte)(((uint)flags) >> 0);
            binaryForm[baseOffset + offsetLocal + 1] = (byte)(((uint)flags) >> 8);
            binaryForm[baseOffset + offsetLocal + 2] = (byte)(((uint)flags) >> 16);
            binaryForm[baseOffset + offsetLocal + 3] = (byte)(((uint)flags) >> 24);

            offsetLocal += 4;

            if ((flags & ObjectAceFlags.ObjectAceTypePresent) != 0)
                type.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;

            if ((flags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
                inheritedType.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;

            sid.GetBinaryForm(binaryForm, baseOffset + offsetLocal);
            offsetLocal += sid.BinaryLength;
            opaque.CopyTo(binaryForm, baseOffset + offsetLocal);

            return(new object[] { ace, binaryForm, offset });
Ejemplo n.º 13
        public void ObjectAce_CreateFromBinaryForm(GenericAce expectedAce, byte[] testBinaryForm, int testOffset)
            GenericAce resultAce = ObjectAce.CreateFromBinaryForm(testBinaryForm, testOffset);

            GenericAce_VerifyAces(expectedAce, resultAce);
        public static void BasicValidationTestCases()
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            SystemAcl systemAcl = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;
            //case 1, no Ace

            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

            //case 3, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

            //case 4, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited                    
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all AceFlags except InheritOnly                    
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

            //case 5, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly                    
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

            //case 6, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);


            //case 7,  1 inherited CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

            //case 8, 1 inherited ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.SystemAudit;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;
            systemAcl = new SystemAcl(isContainer, isDS, rawAcl);

Ejemplo n.º 15
        public static void AdditionalTestCases()

            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            SystemAcl sAcl = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;
            //case 1, an SystemAudit ACE with a zero access mask is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.AuditFlags,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //the only ACE is a meaningless ACE, will be removed
            //drop the ace from the rawAcl
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 2, an inherit-only SystemAudit ACE on an object ACL is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.InheritanceFlags | AceFlags.AuditFlags,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                    false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //the only ACE is a meaningless ACE, will be removed

            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 3, an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //200 has inheritOnly, SuccessfulAccess and FailedAccess
            gAce = new CommonAce((AceFlags)200,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //the only ACE is a meaningless ACE, will be removed
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 4, a SystemAudit ACE without Success or Failure Flags is meaningless, will be removed
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None,
        new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //audit ACE does not specify either Success or Failure Flags is removed
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 5, a CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = AceFlags.AuditFlags;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));

            //case 6, a CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = AceFlags.AuditFlags;
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));

            //case 7, a ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
            aceQualifier = AceQualifier.SystemAudit;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                objectAceFlag, objectAceType,
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 8, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 9, Aces from case 1 to 7 
            revision = 127;
            capacity = 5;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
            rawAcl = new RawAcl(revision, capacity);
            //an SystemAudit ACE with a zero access mask
            //is meaningless, will be removed                    
            gAce = new CommonAce(AceFlags.AuditFlags,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 1.ToString()),
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object
            //is meaningless, will be removed
            //200 has inheritOnly, SuccessfulAccess and FailedAccess
            gAce = new CommonAce((AceFlags)200,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 2.ToString()),
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //a SystemAudit ACE without Success or Failure Flags
            //is meaningless, will be removed                    
            gAce = new CommonAce(AceFlags.None,
        new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 3.ToString()),
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //a ObjectAce
            aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
            aceQualifier = AceQualifier.SystemAudit;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 4.ToString()),
                objectAceFlag, objectAceType,
            rawAcl.InsertAce(rawAcl.Count, gAce);
            // a CustomAce
            gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //a CompoundAce
            gAce = new CompoundAce(AceFlags.AuditFlags,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 5.ToString()));
            rawAcl.InsertAce(rawAcl.Count, gAce);

            isContainer = true;
            isDS = false;
            sAcl = new SystemAcl(isContainer, isDS, rawAcl);
            //the first 3 Aces will be removed by SystemAcl constructor
            //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));

Ejemplo n.º 16
        public static void Constructor3_AdditionalTestCases()
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;

            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //drop the Ace from rawAcl

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //15 has all inheritance AceFlags but Inherited
            gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //8 has inheritOnly
            gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 4, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = AceFlags.None;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));

            //case 5, 1 CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            // 2 has ContainerInherit
            aceFlag = (AceFlags)2;
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));

            //case 6, 1 ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 7, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 8, all Aces from case 1, and 3 to 6 
            revision = 127;
            capacity = 5;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl = new RawAcl(revision, capacity);
            //0 access Mask
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            //an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed

            gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
            new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // ObjectAce
            aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = AceFlags.None;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // CompoundAce					
            aceFlag = (AceFlags)2;
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
            rawAcl.InsertAce(rawAcl.Count, gAce);

            isContainer = true;
            isDS = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));

            discretionaryAcl = null;
            isContainer = false;
            isDS = false;
            rawAcl = null;
            //case 1, rawAcl = null
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

Ejemplo n.º 17
        public static void RemoveInheritedAces_BasicValidationTestCases()
            bool isContainer = false;
            bool isDS        = false;

            RawAcl           rawAcl           = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;

            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, no Ace
            revision         = 127;
            capacity         = 1;
            rawAcl           = new RawAcl(revision, capacity);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 3,  non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision   = 127;
            capacity   = 5;
            sid        = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl     = new RawAcl(revision, capacity);
            aceFlag    = AceFlags.InheritanceFlags;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(2, gAce);
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(3, gAce);
            aceQualifier           = AceQualifier.AccessAllowed;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(2, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws <InvalidOperationException>(() =>

            //case 4,  all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision   = 127;
            capacity   = 5;
            sid        = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl     = new RawAcl(revision, capacity);
            aceFlag    = AceFlags.InheritanceFlags | AceFlags.Inherited;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(0, gAce);
            aceQualifier           = AceQualifier.AccessAllowed;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 5, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 6, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215  has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 7, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215  has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 8, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            //215 has all AceFlags except InheritOnly
            aceFlag = (AceFlags)215;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 9,  1 inherited CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 10, 1 inherited ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

        public static void BasicValidationTestCases()

            RawAcl rawAcl = null;
            byte[] binaryForm = null;
            int offset = 0;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;
            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sid = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 3, a valid binary representation with revision 127, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 4, a valid binary representation with revision 1, 1 CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 5, a valid binary representation with revision 1, 1 ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 6, a valid binary representation with revision 1, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));

            //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
            revision = 127;
            capacity = 5;
            rawAcl = new RawAcl(revision, capacity);
            //SystemAudit CommonAce
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Allowed CommonAce
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            aceFlag = (AceFlags)223; //all flags ored together
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            aceFlag = (AceFlags)223; //all flags ored together
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));

Ejemplo n.º 19
        private static object[] ObjectAce_CreateTestData(int intFlags, int intQualifier, int accessMask, string stringsid, int intObjectAceFlags, string stringType, string stringInheritedType, bool isCallback, int opaqueLength, int offset)
            AceFlags aceFlags = (AceFlags)intFlags;
            AceQualifier qualifier = (AceQualifier)intQualifier;
            SecurityIdentifier sid = new SecurityIdentifier(stringsid);
            ObjectAceFlags flags = (ObjectAceFlags)intObjectAceFlags;
            Guid type = new Guid(stringType);
            Guid inheritedType = new Guid(stringInheritedType);
            byte[] opaque = new byte[opaqueLength];

            ObjectAce ace = new ObjectAce(aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);
            VerifyObjectAce(ace, aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);

            byte[] binaryForm = new byte[ace.BinaryLength + offset];
            switch (qualifier)
                case AceQualifier.AccessAllowed:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessAllowedCallbackObject : (byte)AceType.AccessAllowedObject;
                case AceQualifier.AccessDenied:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessDeniedCallbackObject : (byte)AceType.AccessDeniedObject;
                case AceQualifier.SystemAudit:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAuditCallbackObject : (byte)AceType.SystemAuditObject;
                case AceQualifier.SystemAlarm:
                    binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAlarmCallbackObject : (byte)AceType.SystemAlarmObject;
                    return null;
            binaryForm[offset + 1] = (byte)aceFlags;
            binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0);
            binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8);

            int baseOffset = offset + 4;
            int offsetLocal = 0;

            binaryForm[baseOffset + 0] = (byte)(accessMask >> 0);
            binaryForm[baseOffset + 1] = (byte)(accessMask >> 8);
            binaryForm[baseOffset + 2] = (byte)(accessMask >> 16);
            binaryForm[baseOffset + 3] = (byte)(accessMask >> 24);
            offsetLocal += 4;

            binaryForm[baseOffset + offsetLocal + 0] = (byte)(((uint)flags) >> 0);
            binaryForm[baseOffset + offsetLocal + 1] = (byte)(((uint)flags) >> 8);
            binaryForm[baseOffset + offsetLocal + 2] = (byte)(((uint)flags) >> 16);
            binaryForm[baseOffset + offsetLocal + 3] = (byte)(((uint)flags) >> 24);

            offsetLocal += 4;

            if ((flags & ObjectAceFlags.ObjectAceTypePresent) != 0)
                type.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;

            if ((flags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
                inheritedType.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;

            sid.GetBinaryForm(binaryForm, baseOffset + offsetLocal);
            offsetLocal += sid.BinaryLength;
            opaque.CopyTo(binaryForm, baseOffset + offsetLocal);

            return new object[] { ace, binaryForm, offset };
        public static void BasicValidationTestCases()
            RawAcl rawAcl = null;

            byte[] binaryForm = null;
            int    offset     = 0;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;
            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 3, a valid binary representation with revision 127, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = (AceFlags)223; //all flags ored together
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 4, a valid binary representation with revision 1, 1 CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 5, a valid binary representation with revision 1, 1 ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 6, a valid binary representation with revision 1, no Ace
            revision   = 127;
            capacity   = 1;
            rawAcl     = new RawAcl(revision, capacity);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));

            //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
            revision = 127;
            capacity = 5;
            rawAcl   = new RawAcl(revision, capacity);
            //SystemAudit CommonAce
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Allowed CommonAce
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));
Ejemplo n.º 21
 public void CreatePublicFolderTree()
     this.pfTree = new PublicFolderTree();
         QueryFilter filter;
         ADObjectId  adobjectId;
         if (Datacenter.GetExchangeSku() != Datacenter.ExchangeSku.ExchangeDatacenter)
             filter = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Name, PublicFolderTreeContainer.DefaultName);
             PublicFolderTreeContainer[] array = this.taskInstance.GlobalConfigSession.Find <PublicFolderTreeContainer>(null, QueryScope.SubTree, filter, null, 1);
             PublicFolderTreeContainer   publicFolderTreeContainer;
             if (array == null || array.Length == 0)
                 filter = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Name, AdministrativeGroup.DefaultName);
                 AdministrativeGroup[] array2 = this.taskInstance.GlobalConfigSession.Find <AdministrativeGroup>(null, QueryScope.SubTree, filter, null, 1);
                 if (array2 == null || array2.Length < 1)
                     throw new AdminGroupNotFoundException(AdministrativeGroup.DefaultName);
                 publicFolderTreeContainer = new PublicFolderTreeContainer();
                 publicFolderTreeContainer = array[0];
             adobjectId = publicFolderTreeContainer.Id;
             adobjectId = this.OrganizationId.ConfigurationUnit;
             this.pfTree.OrganizationId = this.OrganizationId;
         this.pfTree.SetId(adobjectId.GetChildId("Public Folders"));
         this.pfTree.PublicFolderTreeType = PublicFolderTreeType.Mapi;
         filter = new ComparisonFilter(ComparisonOperator.Equal, ExtendedRightSchema.DisplayName, "Create public folder");
         this.taskInstance.WriteVerbose(TaskVerboseStringHelper.GetFindDataObjectsVerboseString(this.taskInstance.GlobalConfigSession, typeof(ExtendedRight), filter, this.taskInstance.GlobalConfigSession.ConfigurationNamingContext, true));
         ExtendedRight[] array3 = this.taskInstance.GlobalConfigSession.Find <ExtendedRight>(this.taskInstance.GlobalConfigSession.ConfigurationNamingContext, QueryScope.SubTree, filter, null, 1);
         if (0 < array3.Length)
             ObjectAce        objectAce        = new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 256, new SecurityIdentifier("AU"), ObjectAceFlags.ObjectAceTypePresent, array3[0].RightsGuid, Guid.Empty, false, null);
             DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, true, 11);
             discretionaryAcl.AddAccess(AccessControlType.Allow, objectAce.SecurityIdentifier, objectAce.AccessMask, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.ObjectAceFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType);
             using (WindowsIdentity current = WindowsIdentity.GetCurrent())
                 SecurityIdentifier       user = current.User;
                 CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, user, user, null, discretionaryAcl);
                 byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
                 commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
                 this.pfTree.SetPublicFolderDefaultAdminAcl(new RawSecurityDescriptor(binaryForm, 0));
         this.taskInstance.WriteVerbose(TaskVerboseStringHelper.GetSaveObjectVerboseString(this.pfTree, this.TenantSession, typeof(PublicFolderTree)));
         if (Datacenter.GetExchangeSku() == Datacenter.ExchangeSku.ExchangeDatacenter)
        public static void AdditionalTestCases()
            bool isContainer = false;
            bool isDS        = false;

            RawAcl    rawAcl = null;
            SystemAcl sAcl   = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;
            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, an SystemAudit ACE with a zero access mask is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.AuditFlags,
                                     new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            //the only ACE is a meaningless ACE, will be removed
            //drop the ace from the rawAcl
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 2, an inherit-only SystemAudit ACE on an object ACL is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.InheritanceFlags | AceFlags.AuditFlags,
                                     new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                                     false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            //the only ACE is a meaningless ACE, will be removed

            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 3, an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //200 has inheritOnly, SuccessfulAccess and FailedAccess
            gAce = new CommonAce((AceFlags)200,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            //the only ACE is a meaningless ACE, will be removed
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 4, a SystemAudit ACE without Success or Failure Flags is meaningless, will be removed
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None,
                                     new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            //audit ACE does not specify either Success or Failure Flags is removed
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 5, a CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = AceFlags.AuditFlags;
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));

            //case 6, a CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = AceFlags.AuditFlags;
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));

            //case 7, a ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
            aceQualifier           = AceQualifier.SystemAudit;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                                 objectAceFlag, objectAceType,
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = true;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 8, no Ace
            revision    = 127;
            capacity    = 1;
            rawAcl      = new RawAcl(revision, capacity);
            isContainer = true;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));

            //case 9, Aces from case 1 to 7
            revision = 127;
            capacity = 5;
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
            rawAcl   = new RawAcl(revision, capacity);
            //an SystemAudit ACE with a zero access mask
            //is meaningless, will be removed
            gAce = new CommonAce(AceFlags.AuditFlags,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 1.ToString()),
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object
            //is meaningless, will be removed
            //200 has inheritOnly, SuccessfulAccess and FailedAccess
            gAce = new CommonAce((AceFlags)200,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 2.ToString()),
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //a SystemAudit ACE without Success or Failure Flags
            //is meaningless, will be removed
            gAce = new CommonAce(AceFlags.None,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 3.ToString()),
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //a ObjectAce
            aceFlag                = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
            aceQualifier           = AceQualifier.SystemAudit;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 4.ToString()),
                                 objectAceFlag, objectAceType,
            rawAcl.InsertAce(rawAcl.Count, gAce);
            // a CustomAce
            gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
            rawAcl.InsertAce(rawAcl.Count, gAce);
            //a CompoundAce
            gAce = new CompoundAce(AceFlags.AuditFlags,
                                   new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 5.ToString()));
            rawAcl.InsertAce(rawAcl.Count, gAce);

            isContainer = true;
            isDS        = false;
            sAcl        = new SystemAcl(isContainer, isDS, rawAcl);
            //the first 3 Aces will be removed by SystemAcl constructor
            //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
Ejemplo n.º 23
        public static void Purge_BasicValidationTestCases()
            bool isContainer = false;
            bool isDS        = false;

            RawAcl           rawAcl           = null;
            DiscretionaryAcl discretionaryAcl = null;
            int aceCount           = 0;
            SecurityIdentifier sid = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;

            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sidStr          = "LA";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, no Ace
            revision         = 127;
            capacity         = 1;
            rawAcl           = new RawAcl(revision, capacity);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 0;
            sidStr           = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 2, only have 1 explicit Ace of the sid
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            sidStr   = "BG";
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //199 has all aceflags but inheritonly and inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 3, only have 1 explicit Ace of different sid
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199 has all aceflags but inheritedonly and inherited
            sidStr = "BG";
            sid    = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            gAce   = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 1;
            sidStr           = "BA";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 4, only have 1 inherited Ace of the sid
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            sidStr   = "BG";
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //215 has all aceflags but inheritedonly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 1;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 5, have one explicit Ace and one inherited Ace of the sid
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            sidStr   = "BG";
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //199 has all aceflags but inheritedonly and inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all aceflags but inheritedonly
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 1;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 6, have two explicit Aces of the sid
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            sidStr   = "BG";
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //207 has all AceFlags but inherited
            gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, 0));

            //case 7, 1 explicit CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            //199 has all AceFlags except InheritOnly and Inherited
            aceFlag = (AceFlags)199;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            aceCount = 1;

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws <InvalidOperationException>(() =>
                TestPurge(discretionaryAcl, sid, aceCount);

            //case 8,  1 explicit CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //207 has all AceFlags but inherited
            aceFlag         = (AceFlags)207;
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            sid             = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 0;

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws <InvalidOperationException>(() =>
                TestPurge(discretionaryAcl, sid, aceCount);

            //case 9, 1 explicit ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            //207 has all AceFlags but inherited
            aceFlag                = (AceFlags)207;
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount         = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
Ejemplo n.º 24
        public static void BasicValidationTestCases()
            bool isContainer = false;
            bool isDS        = false;

            RawAcl    rawAcl    = null;
            SystemAcl systemAcl = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;
            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, no Ace

            revision    = 127;
            capacity    = 1;
            rawAcl      = new RawAcl(revision, capacity);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 3, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 4, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 5, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 6, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);


            //case 7,  1 inherited CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 8, 1 inherited ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.SystemAudit;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = true;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
Ejemplo n.º 25
        protected override void MigrateSecurityDescriptors()
            MrsTracer.Service.Function("RemoteMoveJob.MigrateSecurityDescriptors", new object[0]);
            Dictionary <Guid, RawSecurityDescriptor> mailboxSDs = new Dictionary <Guid, RawSecurityDescriptor>();

            base.ForeachMailboxContext(delegate(MailboxMover mbxCtx)
                RawSecurityDescriptor mailboxSecurityDescriptor = mbxCtx.SourceMailbox.GetMailboxSecurityDescriptor();
                MrsTracer.Service.Debug("Loaded MailboxSD: {0}", new object[]
                if (this.CleanupMailboxSD)
                    this.RemoveExchangeServersDenyACE(mailboxSecurityDescriptor, mbxCtx);
                mailboxSDs[mbxCtx.SourceMailboxGuid] = mailboxSecurityDescriptor;
            RawSecurityDescriptor rawSecurityDescriptor = base.GetRootMailboxContext().SourceMailbox.GetUserSecurityDescriptor();

            MrsTracer.Service.Debug("Loaded source UserSD: {0}", new object[]
            foreach (RawSecurityDescriptor sd in mailboxSDs.Values)
            base.ForeachMailboxContext(delegate(MailboxMover mbxCtx)
                RawSecurityDescriptor mailboxSecurityDescriptor = this.principalTranslator.TranslateSecurityDescriptor(mailboxSDs[mbxCtx.SourceMailboxGuid], TranslateSecurityDescriptorFlags.None);
            RawSecurityDescriptor userSecurityDescriptor = base.GetRootMailboxContext().DestMailbox.GetUserSecurityDescriptor();

            MrsTracer.Service.Debug("Loaded target UserSD: {0}", new object[]
            if (rawSecurityDescriptor == null || rawSecurityDescriptor.DiscretionaryAcl == null)
            if (userSecurityDescriptor == null || userSecurityDescriptor.DiscretionaryAcl == null)
            rawSecurityDescriptor = this.principalTranslator.TranslateSecurityDescriptor(rawSecurityDescriptor, TranslateSecurityDescriptorFlags.ExcludeUnmappedACEs);
            CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(true, true, userSecurityDescriptor);
            bool flag = false;

            foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl)
                if (!genericAce.IsInherited)
                    switch (genericAce.AceType)
                    case AceType.AccessAllowedObject:
                    case AceType.AccessDeniedObject:
                        ObjectAce objectAce = genericAce as ObjectAce;
                        if (objectAce.AccessMask == 256 && (objectAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None && (!(objectAce.ObjectAceType != WellKnownGuid.SendAsExtendedRightGuid) || !(objectAce.ObjectAceType != WellKnownGuid.ReceiveAsExtendedRightGuid)))
                            commonSecurityDescriptor.DiscretionaryAcl.AddAccess((objectAce.AceType == AceType.AccessAllowedObject) ? AccessControlType.Allow : AccessControlType.Deny, objectAce.SecurityIdentifier, objectAce.AccessMask, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.ObjectAceFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType);
                            flag = true;
            if (flag)
                byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
                commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
                RawSecurityDescriptor userSecurityDescriptor2 = new RawSecurityDescriptor(binaryForm, 0);
                catch (LocalizedException ex)
                    if (CommonUtils.ExceptionIs(ex, new WellKnownException[]
                    LocalizedString localizedString = MrsStrings.ReportFailedToUpdateUserSD2(CommonUtils.GetFailureType(ex));
                    base.Report.Append(localizedString, ex, ReportEntryFlags.Target);
Ejemplo n.º 26
        public static void Purge_BasicValidationTestCases()
            bool isContainer = false;
            bool isDS = false;

            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            int aceCount = 0;
            SecurityIdentifier sid = null;

            GenericAce gAce = null;
            byte revision = 0;
            int capacity = 0;

            //CustomAce constructor parameters
            AceType aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;
            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int accessMask = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string sidStr = "LA";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid objectAceType;
            Guid inheritedObjectAceType;

            //case 1, no Ace
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 2, only have 1 explicit Ace of the sid
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //199 has all aceflags but inheritonly and inherited					
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 3, only have 1 explicit Ace of different sid
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //199 has all aceflags but inheritedonly and inherited
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 1;
            sidStr = "BA";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 4, only have 1 inherited Ace of the sid
            revision = 0;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //215 has all aceflags but inheritedonly				
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 1;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 5, have one explicit Ace and one inherited Ace of the sid
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //199 has all aceflags but inheritedonly and inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all aceflags but inheritedonly
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 1;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

            //case 6, have two explicit Aces of the sid
            revision = 255;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sidStr = "BG";
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
            //207 has all AceFlags but inherited				
            gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, 0));

            //case 7, 1 explicit CustomAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            aceType = AceType.MaxDefinedAceType + 1;
            //199 has all AceFlags except InheritOnly and Inherited
            aceFlag = (AceFlags)199;
            opaque = null;
            gAce = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            aceCount = 1;

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>

                TestPurge(discretionaryAcl, sid, aceCount);


            //case 8,  1 explicit CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            //207 has all AceFlags but inherited				
            aceFlag = (AceFlags)207;
            accessMask = 1;
            compoundAceType = CompoundAceType.Impersonation;
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>

                TestPurge(discretionaryAcl, sid, aceCount);


            //case 9, 1 explict ObjectAce
            revision = 127;
            capacity = 1;
            rawAcl = new RawAcl(revision, capacity);
            sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
            //207 has all AceFlags but inherited						
            aceFlag = (AceFlags)207;
            aceQualifier = AceQualifier.AccessAllowed;
            accessMask = 1;
            objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            aceCount = 0;

            Assert.True(TestPurge(discretionaryAcl, sid, aceCount));

Ejemplo n.º 27
        public static void Constructor3_AdditionalTestCases()
            bool isContainer = false;
            bool isDS        = false;

            RawAcl           rawAcl           = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;

            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
                                     new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //drop the Ace from rawAcl

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //15 has all inheritance AceFlags but Inherited
            gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //8 has inheritOnly
            gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //the only ACE is a meaningless ACE, will be removed
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 4, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = AceFlags.None;
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));

            //case 5, 1 CompoundAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            // 2 has ContainerInherit
            aceFlag         = (AceFlags)2;
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));

            //case 6, 1 ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)15; //all inheritance flags ored together but Inherited
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = true;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 7, no Ace
            revision    = 127;
            capacity    = 1;
            rawAcl      = new RawAcl(revision, capacity);
            isContainer = true;
            isDS        = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            //case 8, all Aces from case 1, and 3 to 6
            revision = 127;
            capacity = 5;
            sid      = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl   = new RawAcl(revision, capacity);
            //0 access Mask
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            //an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed

            gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // ObjectAce
            aceFlag                = (AceFlags)15; //all inheritance flags ored together but Inherited
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // CustomAce
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = AceFlags.None;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(rawAcl.Count, gAce);

            // CompoundAce
            aceFlag         = (AceFlags)2;
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
            rawAcl.InsertAce(rawAcl.Count, gAce);

            isContainer = true;
            isDS        = false;

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical

            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));

            discretionaryAcl = null;
            isContainer      = false;
            isDS             = false;
            rawAcl           = null;
            //case 1, rawAcl = null
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl           = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));

            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            rawAcl           = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
            Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
        public void GetBinaryForm()
            RawSecurityDescriptor sd = new RawSecurityDescriptor("");

            sd.Owner            = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            sd.Group            = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            sd.DiscretionaryAcl = new RawAcl(1, 0);
            sd.SystemAcl        = new RawAcl(1, 0);
            sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);

            // Empty ACL form
            byte[] buffer = new byte[sd.BinaryLength];
            sd.GetBinaryForm(buffer, 0);
            byte[] sdBinary = new byte[] {
                0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
                0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
                0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
                0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00
            Assert.AreEqual(sdBinary, buffer);

            // Add an ACE to the DACL
            SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            CommonAce          ace           = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);

            sd.DiscretionaryAcl.InsertAce(0, ace);
            buffer = new byte[sd.BinaryLength];
            sd.GetBinaryForm(buffer, 0);
            sdBinary = new byte[] {
                0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
                0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
                0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
                0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00
            Assert.AreEqual(sdBinary, buffer);

            // This time with an Object ACE
            ObjectAce objectAce = new ObjectAce(AceFlags.Inherited, AceQualifier.AccessAllowed, 0x12345678, builtInAdmins, ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent, new Guid("189c0dc7-b849-4dea-93a5-6d4cb8857a5c"), new Guid("53b4a3d4-fe39-468b-bc60-b4fcba772fa5"), false, null);

            sd.DiscretionaryAcl = new RawAcl(2, 0);
            sd.DiscretionaryAcl.InsertAce(0, objectAce);
            buffer = new byte[sd.BinaryLength];
            sd.GetBinaryForm(buffer, 0);
            sdBinary = new byte[] {
                0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
                0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
                0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
                0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
                0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x02, 0x00, 0x44, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x10,
                0x3C, 0x00, 0x78, 0x56, 0x34, 0x12, 0x03, 0x00, 0x00, 0x00,
                0xC7, 0x0D, 0x9C, 0x18, 0x49, 0xB8, 0xEA, 0x4D, 0x93, 0xA5,
                0x6D, 0x4C, 0xB8, 0x85, 0x7A, 0x5C, 0xD4, 0xA3, 0xB4, 0x53,
                0x39, 0xFE, 0x8B, 0x46, 0xBC, 0x60, 0xB4, 0xFC, 0xBA, 0x77,
                0x2F, 0xA5, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
                0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00
            Assert.AreEqual(sdBinary, buffer);