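/// <summary>
/// Reports whether <paramref name="rules"/> holds at least one explicit (non-inherited) access rule.
/// Inherited ACEs arrive from the parent container; explicit ones were set on the object itself,
/// which is what "local" means here.
/// </summary>
/// <param name="rules">Access rules of an object, typically from <c>GetAccessRules(true, true, ...)</c>.</param>
/// <returns><see langword="true"/> when any rule has <c>IsInherited == false</c>; otherwise <see langword="false"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="rules"/> is <see langword="null"/>.</exception>
/// <exception cref="InvalidCastException">An entry encountered before the first explicit ACE is not an <see cref="AccessRule"/> (for example an audit rule).</exception>
public static bool HasLocalAces(AuthorizationRuleCollection rules)
{
    if (rules is null)
    {
        throw new ArgumentNullException(nameof(rules));
    }

    // Any() stops at the first explicit ACE, exactly like the FirstOrDefault + null check it replaces.
    return rules.Cast<AccessRule>().Any(ace => !ace.IsInherited);
}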
/// <summary>
/// Adding one Allow and one Deny rule through <c>AddAccessRule</c> must make both of them
/// visible again through <c>GetAccessRules</c>.
/// </summary>
public void AddAccessRule_Succeeds()
{
    // Arrange: a container/DS descriptor with an empty SDDL string, wrapped by the custom security object.
    var security = new CustomDirectoryObjectSecurity(new CommonSecurityDescriptor(true, true, string.Empty));

    // Only identity and AccessControlType differ; every other argument is identical for both rules.
    CustomAccessRule NewReadRule(System.Security.Principal.IdentityReference identity, AccessControlType type) =>
        new CustomAccessRule(
            identity,
            ReadAccessMask,
            true,
            InheritanceFlags.None,
            PropagationFlags.None,
            Guid.NewGuid(),
            Guid.NewGuid(),
            type);

    var allowRule = NewReadRule(Helpers.s_NetworkServiceNTAccount, AccessControlType.Allow);
    var denyRule = NewReadRule(Helpers.s_LocalSystemNTAccount, AccessControlType.Deny);

    // Act
    security.AddAccessRule(allowRule);
    security.AddAccessRule(denyRule);
    AuthorizationRuleCollection reported = security.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));

    // Assert
    Assert.NotNull(reported);
    var reportedRules = reported.Cast<CustomAccessRule>().ToList();
    Assert.Contains(allowRule, reportedRules);
    Assert.Contains(denyRule, reportedRules);
}
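/// <summary>
/// The test expects <c>RemoveAccessRuleAll</c>, given the Synchronize Deny rule, to remove every Deny
/// rule for that identity and object type, so the ReadWrite rule must be gone as well.
/// </summary>
public void RemoveAccessRuleAll_AccessControlType_Deny_Succeeds()
{
    var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
    var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

    // Both rules share identity, object type GUID and AccessControlType; only the access mask differs.
    var objectTypeGuid = Guid.NewGuid();
    var customAccessRuleReadWrite = new CustomAccessRule(
        Helpers.s_LocalSystemNTAccount,
        ReadWriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Deny);
    var customAccessRuleSynchronize = new CustomAccessRule(
        Helpers.s_LocalSystemNTAccount,
        SynchronizeAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Deny);

    customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
    customObjectSecurity.AddAccessRule(customAccessRuleSynchronize);
    customObjectSecurity.RemoveAccessRuleAll(customAccessRuleSynchronize);

    AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
    List<CustomAccessRule> existingRules = ruleCollection.Cast<CustomAccessRule>().ToList();

    // DoesNotContain names the offending element on failure; Assert.False(list.Contains(...)) only reports "expected False".
    Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
    Assert.DoesNotContain(customAccessRuleSynchronize, existingRules);
}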
/// <summary>
/// Removing a Deny rule for Read from a Deny rule that covers Read and ReadAttribute must leave a
/// Deny rule carrying only the ReadAttribute bits for the same identity.
/// </summary>
public void RemoveAccessRule_AccessControlType_Deny_Succeeds()
{
    var security = new CustomDirectoryObjectSecurity(new CommonSecurityDescriptor(true, true, string.Empty));

    var sharedObjectType = Guid.NewGuid();
    int combinedMask = ReadAccessMask | ReadAttributeAccessMask;

    // Both rules target the same identity and object type so that the remove operates on the combined rule.
    CustomAccessRule DenyRule(int mask) => new CustomAccessRule(
        Helpers.s_LocalSystemNTAccount,
        mask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        sharedObjectType,
        Guid.NewGuid(),
        AccessControlType.Deny);

    var combinedDeny = DenyRule(combinedMask);
    var readDeny = DenyRule(ReadAccessMask);

    security.AddAccessRule(combinedDeny);
    security.RemoveAccessRule(readDeny);

    AuthorizationRuleCollection remaining = security.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
    Assert.NotNull(remaining);

    // The leftover rule is a new object (mask reduced), so match on its properties rather than by reference.
    Assert.Contains(
        remaining.Cast<CustomAccessRule>(),
        rule => rule.IdentityReference == Helpers.s_LocalSystemNTAccount
             && rule.AccessControlType == AccessControlType.Deny
             && rule.AccessMaskValue == ReadAttributeAccessMask);
}
/// <summary>
/// Two Success audit rules added through <c>AddAuditRule</c> must both be returned by <c>GetAuditRules</c>.
/// </summary>
public void AddAuditRule_Succeeds()
{
    var security = new CustomDirectoryObjectSecurity(new CommonSecurityDescriptor(true, true, string.Empty));

    // Resolve well-known SIDs to NTAccount so the rules carry the same identity type GetAuditRules is asked for.
    IdentityReference AsAccount(WellKnownSidType sid) =>
        new SecurityIdentifier(sid, null).Translate(typeof(NTAccount));

    CustomAuditRule SuccessRule(IdentityReference identity, int mask) => new CustomAuditRule(
        identity,
        mask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        Guid.NewGuid(),
        Guid.NewGuid(),
        AuditFlags.Success);

    var readAudit = SuccessRule(AsAccount(WellKnownSidType.NetworkServiceSid), ReadAccessMask);
    var readAttributeAudit = SuccessRule(AsAccount(WellKnownSidType.LocalSystemSid), ReadAttributeAccessMask);

    security.AddAuditRule(readAudit);
    security.AddAuditRule(readAttributeAudit);

    AuthorizationRuleCollection reported = security.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
    Assert.NotNull(reported);

    var reportedRules = reported.Cast<CustomAuditRule>().ToList();
    Assert.Contains(readAudit, reportedRules);
    Assert.Contains(readAttributeAudit, reportedRules);
}
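/// <summary>
/// Removing the Write audit rule from a ReadWrite audit rule must leave a Success audit rule for
/// Read on the same identity.
/// </summary>
public void RemoveAuditRule_Succeeds()
{
    var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
    var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

    // Same identity and object type GUID so that RemoveAuditRule matches the ReadWrite rule.
    var objectType = Guid.NewGuid();
    var customAuditRuleWrite = new CustomAuditRule(
        Helpers.s_LocalSystemNTAccount,
        WriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectType,
        Guid.NewGuid(),
        AuditFlags.Success);
    var customAuditRuleReadWrite = new CustomAuditRule(
        Helpers.s_LocalSystemNTAccount,
        ReadWriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectType,
        Guid.NewGuid(),
        AuditFlags.Success);

    customObjectSecurity.AddAuditRule(customAuditRuleReadWrite);
    customObjectSecurity.RemoveAuditRule(customAuditRuleWrite);

    AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
    Assert.NotNull(ruleCollection);

    List<CustomAuditRule> existingRules = ruleCollection.Cast<CustomAuditRule>().ToList();
    // NotEmpty / Contains-with-predicate print the actual collection on failure, which Assert.True(bool) cannot.
    Assert.NotEmpty(existingRules);
    Assert.Contains(
        existingRules,
        x => x.AccessMaskValue == ReadAccessMask
          && x.AuditFlags == AuditFlags.Success
          && x.IdentityReference == Helpers.s_LocalSystemNTAccount);
}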
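/// <summary>
/// <c>SetAccessRule</c> with a Read Deny rule must replace the existing ReadWrite Deny rule for the
/// same identity and object type rather than add a second one.
/// </summary>
public void SetAccessRule_AccessControlType_Deny_Succeeds()
{
    var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
    var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

    var objectTypeGuid = Guid.NewGuid();
    var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");

    // Both rules reuse the same identity instance; NTAccount equality is by name, so a second
    // identical NTAccount would match the same way but only obscures that the identity is shared.
    var customAccessRuleReadWrite = new CustomAccessRule(
        identityReference,
        ReadWriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Deny);
    var customAccessRuleRead = new CustomAccessRule(
        identityReference,
        ReadAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Deny);

    customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
    customObjectSecurity.SetAccessRule(customAccessRuleRead);

    AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
    List<CustomAccessRule> existingRules = ruleCollection.Cast<CustomAccessRule>().ToList();

    // Collection assertions report the element and the collection on failure; Assert.True/False(Contains) do not.
    Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
    Assert.Contains(customAccessRuleRead, existingRules);
}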
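/// <summary>
/// Removing a Read Deny rule from a Deny rule covering Read and ReadAttribute must leave a Deny
/// rule with only the ReadAttribute bits for the same identity.
/// </summary>
public void RemoveAccessRule_AccessControlType_Deny_Succeeds()
{
    var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
    var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

    int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask;
    var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");
    // Same identity and object type so that the remove operates on the combined rule.
    var objectTypeGuid = Guid.NewGuid();

    var customAccessRuleReadDataAndAttribute = new CustomAccessRule(
        identityReference,
        readDataAndAttribute,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Deny);
    var customAccessRuleRead = new CustomAccessRule(
        identityReference,
        ReadAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Deny);

    customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute);
    customObjectSecurity.RemoveAccessRule(customAccessRuleRead);

    AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
    Assert.NotNull(ruleCollection);

    List<CustomAccessRule> existingRules = ruleCollection.Cast<CustomAccessRule>().ToList();
    // The leftover rule is a new object (mask reduced), so match on its properties; Contains with a
    // predicate prints the collection on failure where Assert.True(Any(...)) only says "expected True".
    Assert.Contains(
        existingRules,
        x => x.IdentityReference == identityReference
          && x.AccessControlType == AccessControlType.Deny
          && x.AccessMaskValue == ReadAttributeAccessMask);
}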
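/// <summary>
/// Two Success audit rules added through <c>AddAuditRule</c> must both be returned by <c>GetAuditRules</c>.
/// </summary>
public void AddAuditRule_Succeeds()
{
    var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
    var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

    var customAuditRuleRead = new CustomAuditRule(
        new NTAccount(@"NT AUTHORITY\Network Service"),
        ReadAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        Guid.NewGuid(),
        Guid.NewGuid(),
        AuditFlags.Success);
    var customAuditRuleReadAttribute = new CustomAuditRule(
        new NTAccount(@"NT AUTHORITY\SYSTEM"),
        ReadAttributeAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        Guid.NewGuid(),
        Guid.NewGuid(),
        AuditFlags.Success);

    customObjectSecurity.AddAuditRule(customAuditRuleRead);
    customObjectSecurity.AddAuditRule(customAuditRuleReadAttribute);

    AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
    Assert.NotNull(ruleCollection);

    List<CustomAuditRule> addedRules = ruleCollection.Cast<CustomAuditRule>().ToList();
    // Assert.Contains reports the missing element and the collection; Assert.True(list.Contains(...)) does not.
    Assert.Contains(customAuditRuleRead, addedRules);
    Assert.Contains(customAuditRuleReadAttribute, addedRules);
}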
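/// <summary>
/// <c>RemoveAuditRuleSpecific</c> only removes an exactly matching rule: asking it to remove a
/// Write rule when only a ReadWrite rule exists must leave the ReadWrite rule untouched.
/// </summary>
public void RemoveAuditRuleSpecific_NoMatchableRuleFound()
{
    var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
    var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

    var objectTypeGuid = Guid.NewGuid();
    var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");

    // Same identity and object type; only the access mask differs, so no exact match exists for the Write rule.
    var customAuditRuleReadWrite = new CustomAuditRule(
        identityReference,
        ReadWriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AuditFlags.Success);
    var customAuditRuleWrite = new CustomAuditRule(
        identityReference,
        WriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AuditFlags.Success);

    customObjectSecurity.AddAuditRule(customAuditRuleReadWrite);
    customObjectSecurity.RemoveAuditRuleSpecific(customAuditRuleWrite);

    AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
    List<CustomAuditRule> existingRules = ruleCollection.Cast<CustomAuditRule>().ToList();

    // Assert.Contains reports the element and the collection on failure; Assert.True(list.Contains(...)) does not.
    Assert.Contains(customAuditRuleReadWrite, existingRules);
}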
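/// <summary>
/// Removing a Write Allow rule from a ReadWrite Allow rule must report success and leave an Allow
/// rule carrying only the Read bits for the same identity.
/// </summary>
public void RemoveRule_AccessControlType_Allow_Succeeds()
{
    var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
    var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

    var objectTypeGuid = Guid.NewGuid();
    var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));

    var customAccessRuleReadWrite = new CustomAccessRule(
        identityReference,
        ReadWriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Allow);
    var customAccessRuleWrite = new CustomAccessRule(
        identityReference,
        WriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        objectTypeGuid,
        Guid.NewGuid(),
        AccessControlType.Allow);

    customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
    bool result = customObjectSecurity.RemoveAccessRule(customAccessRuleWrite);
    // Assert.True is the xUnit idiom for a bool (xUnit2004 flags Assert.Equal(true, ...)).
    Assert.True(result);

    AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
    Assert.NotNull(ruleCollection);

    // The leftover rule is a new object (mask reduced), so match on its properties rather than by reference.
    Assert.Contains(
        ruleCollection.Cast<CustomAccessRule>(),
        x => x.IdentityReference == identityReference
          && x.AccessControlType == customAccessRuleReadWrite.AccessControlType
          && x.AccessMaskValue == ReadAccessMask);
}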
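/// <summary>
/// Captures the identity, its group SIDs and the file-system access rules that later permission
/// checks are evaluated against.
/// </summary>
/// <param name="current">The identity being checked; its <c>Groups</c> are snapshotted here.</param>
/// <param name="rules">Access rules of the target; every entry must be a <see cref="FileSystemAccessRule"/>.</param>
/// <param name="requiredCheck">Which rights the caller requires (project-defined).</param>
/// <exception cref="ArgumentNullException"><paramref name="current"/> or <paramref name="rules"/> is <see langword="null"/>.</exception>
/// <exception cref="InvalidCastException">An entry of <paramref name="rules"/> is not a <see cref="FileSystemAccessRule"/>.</exception>
public PermissionsChecker(WindowsIdentity current, AuthorizationRuleCollection rules, RequiredCheck requiredCheck)
{
    // Surface missing arguments as ArgumentNullException instead of a NullReferenceException from the field initialisers.
    _current = current ?? throw new ArgumentNullException(nameof(current));
    if (rules is null)
    {
        throw new ArgumentNullException(nameof(rules));
    }

    // WindowsIdentity.Groups is nullable; an identity without group information gets an empty set.
    _groups = _current.Groups?.ToHashSet() ?? Enumerable.Empty<IdentityReference>().ToHashSet();
    // NOTE(review): a Windows token can carry deny-only group SIDs; whatever consumes _groups should not
    // treat those as granting membership — confirm against the check logic.
    _rules = rules.Cast<FileSystemAccessRule>().ToHashSet();
    _requiredCheck = requiredCheck;
}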
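/// <summary>
/// Decides whether the ACEs in <paramref name="rules"/> grant <paramref name="right"/> to the user SID
/// of <paramref name="principal"/>.
/// </summary>
/// <remarks>
/// Only rules whose identity equals <c>principal.User</c> are consulted; rules granted to the principal's
/// groups are not considered, so a caller needing group-aware results must handle that separately.
/// Evaluation is deliberately conservative: a Deny rule that covers any bit of <paramref name="right"/>
/// wins outright, otherwise the masks of all matching Allow rules are combined and the right is granted
/// only if every requested bit is allowed. No matching rule means denied.
/// </remarks>
/// <param name="rules">Rules to evaluate; entries must be <see cref="FileSystemAccessRule"/> instances.</param>
/// <param name="right">The right (possibly several flags) being asked for.</param>
/// <param name="principal">The identity whose user SID is matched against the rules.</param>
/// <returns><see langword="true"/> only when the right is allowed and not denied.</returns>
/// <exception cref="ArgumentNullException"><paramref name="rules"/> or <paramref name="principal"/> is <see langword="null"/>.</exception>
/// <exception cref="InvalidCastException">An entry of <paramref name="rules"/> is not a <see cref="FileSystemAccessRule"/>.</exception>
static bool AccessControlAllowsRightForPrincipal(System.Security.AccessControl.AuthorizationRuleCollection rules, FileSystemRights right, WindowsIdentity principal)
{
    if (rules is null)
    {
        throw new ArgumentNullException(nameof(rules));
    }
    if (principal is null)
    {
        throw new ArgumentNullException(nameof(principal));
    }

    // WindowsIdentity.User can be null (e.g. an anonymous identity); nothing can match, so fail closed.
    if (principal.User is null)
    {
        return false;
    }
    var user = principal.User;

    // Enumerate once: the Cast may throw on foreign rule types and the list is consulted twice.
    var principalRules = rules
        .Cast<FileSystemAccessRule>()
        .Where(rule => user.Equals(rule.IdentityReference))
        .ToList();

    // A Deny covering any requested bit takes precedence over every Allow. The previous chain merely
    // filtered Deny rules out, so an explicit Deny next to an Allow for the same right was ignored.
    if (principalRules.Any(rule => rule.AccessControlType == AccessControlType.Deny
                                && (rule.FileSystemRights & right) != 0))
    {
        return false;
    }

    var allowRules = principalRules
        .Where(rule => rule.AccessControlType == AccessControlType.Allow)
        .ToList();
    if (allowRules.Count == 0)
    {
        return false;
    }

    // Allow bits accumulate across rules, as in a Windows access check; a single rule holding all bits still passes.
    FileSystemRights allowed = allowRules.Aggregate((FileSystemRights)0, (acc, rule) => acc | rule.FileSystemRights);
    return (allowed & right) == right;
}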
/// <summary>
/// <c>RemoveAuditRuleSpecific</c> given the exact rule that was added must remove it.
/// </summary>
public void RemoveAuditRuleSpecific_Succeeds()
{
    var security = new CustomDirectoryObjectSecurity(new CommonSecurityDescriptor(true, true, string.Empty));

    var readWriteAudit = new CustomAuditRule(
        Helpers.s_LocalSystemNTAccount,
        ReadWriteAccessMask,
        true,
        InheritanceFlags.None,
        PropagationFlags.None,
        Guid.NewGuid(),
        Guid.NewGuid(),
        AuditFlags.Success);

    // Add and then remove the very same rule instance.
    security.AddAuditRule(readWriteAudit);
    security.RemoveAuditRuleSpecific(readWriteAudit);

    AuthorizationRuleCollection remaining = security.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
    var remainingRules = remaining.Cast<CustomAuditRule>().ToList();
    Assert.DoesNotContain(readWriteAudit, remainingRules);
}