// Constructor.
internal KnownAce(AceFlags aceFlags, AceType aceType,
int accessMask, SecurityIdentifier securityIdentifier)
: base(aceFlags, aceType)
{
this.accessMask = accessMask;
this.securityIdentifier = securityIdentifier;
}
internal GenericAce (AceType type)
{
if (type <= AceType.MaxDefinedAceType) {
throw new ArgumentOutOfRangeException ("type");
}
this.ace_type = type;
}
internal CommonAce (AceType type, AceFlags flags, int accessMask,
SecurityIdentifier sid, byte[] opaque)
: base(type, flags, opaque)
{
AccessMask = accessMask;
SecurityIdentifier = sid;
}
public KnownAce(AceType type, AceFlags flags, int mask, Sid sid)
{
if (
type != AceType.AccessAllowed &&
type != AceType.AccessDenied &&
type != AceType.SystemAlarm &&
type != AceType.SystemAudit
)
throw new ArgumentException("Invalid ACE type.");
this.MemoryRegion = new MemoryAlloc(
Marshal.SizeOf(typeof(KnownAceStruct)) -
sizeof(int) +
sid.Length
);
KnownAceStruct knownAce = new KnownAceStruct();
knownAce.Header.AceType = type;
knownAce.Header.AceFlags = flags;
knownAce.Header.AceSize = (ushort)this.MemoryRegion.Size;
knownAce.Mask = mask;
this.MemoryRegion.WriteStruct<KnownAceStruct>(knownAce);
this.MemoryRegion.WriteMemory(Win32.KnownAceSidStartOffset.ToInt32(), sid, 0, sid.Length);
this.Read();
}
internal AzRecord(Guid subjectId, Guid actionId, AceType reaction, string objectId)
{
SubjectId = subjectId;
ActionId = actionId;
Reaction = reaction;
ObjectId = objectId;
}
public KnownAce(AceType type, AceFlags flags, int mask, Sid sid)
{
if (
type != AceType.AccessAllowed &&
type != AceType.AccessDenied &&
type != AceType.SystemAlarm &&
type != AceType.SystemAudit
)
throw new ArgumentException("Invalid ACE type.");
this.MemoryRegion = new MemoryAlloc(
Marshal.SizeOf(typeof(KnownAceStruct)) - // known ace struct size
sizeof(int) + // minus SidStart field
sid.Length // plus SID length
);
KnownAceStruct knownAce = new KnownAceStruct();
// Initialize the ACE (minus the SID).
knownAce.Header.AceType = type;
knownAce.Header.AceFlags = flags;
knownAce.Header.AceSize = (ushort)this.MemoryRegion.Size;
knownAce.Mask = mask;
// Write the ACE to memory.
this.MemoryRegion.WriteStruct<KnownAceStruct>(knownAce);
// Write the SID.
this.MemoryRegion.WriteMemory(Win32.KnownAceSidStartOffset.ToInt32(), sid, 0, sid.Length);
// Update the cached info.
this.Read();
}
public CustomAce(AceType type, AceFlags flags, byte[] opaque) : base(type, flags)
{
if (type <= AceType.SystemAlarmCallbackObject)
{
throw new ArgumentOutOfRangeException("type", Environment.GetResourceString("ArgumentOutOfRange_InvalidUserDefinedAceType"));
}
this.SetOpaque(opaque);
}
public CustomAce (AceType type, AceFlags flags, byte[] opaque)
: base(type, flags)
{
/* FIXME: check length of opaque >
* MaxOpaqueLength or !multiple of 4
*/
SetOpaque (opaque);
}
internal GenericAce (AceType type, AceFlags flags)
{
if (type > AceType.MaxDefinedAceType) {
throw new ArgumentOutOfRangeException ("type");
}
this.ace_type = type;
this.ace_flags = flags;
}
internal KnownAce(AceType type, AceFlags flags, int accessMask, System.Security.Principal.SecurityIdentifier securityIdentifier) : base(type, flags)
{
if (securityIdentifier == null)
{
throw new ArgumentNullException("securityIdentifier");
}
this.AccessMask = accessMask;
this.SecurityIdentifier = securityIdentifier;
}
// Constructor.
internal QualifiedAce(AceFlags aceFlags, AceType aceType, int accessMask,
SecurityIdentifier securityIdentifier,
byte[] opaque, AceQualifier aceQualifier,
bool isCallback)
: base(aceFlags, aceType, accessMask, securityIdentifier)
{
this.opaque = opaque;
this.aceQualifier = aceQualifier;
this.isCallback = isCallback;
}
internal ObjectAce (AceType type, AceFlags flags, int accessMask,
SecurityIdentifier sid, ObjectAceFlags objFlags,
Guid objType, Guid inheritedType, byte[] opaque)
: base(type, flags, opaque)
{
AccessMask = accessMask;
SecurityIdentifier = sid;
ObjectAceFlags = objFlags;
ObjectAceType = objType;
InheritedObjectAceType = inheritedType;
}
internal GenericAce(byte[] binaryForm, int offset)
{
if (binaryForm == null)
throw new ArgumentNullException("binaryForm");
if (offset < 0 || offset > binaryForm.Length - 2)
throw new ArgumentOutOfRangeException("offset", offset, "Offset out of range");
ace_type = (AceType)binaryForm[offset];
ace_flags = (AceFlags)binaryForm[offset + 1];
}
// Constructor.
public CustomAce(AceType aceType, AceFlags aceFlags, byte[] opaque)
: base(aceFlags, aceType)
{
this.opaque = opaque;
}
public AzRecord(Guid subjectId, Guid actionId, AceType reaction, ISecurityObjectId objectId)
: this(subjectId, actionId, reaction, AzObjectIdHelper.GetFullObjectId(objectId))
{
}
internal QualifiedAce (AceType type, AceFlags flags,
byte[] opaque)
: base (type, flags)
{
SetOpaque (opaque);
}
public static void BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
int aceCount = 0;
SecurityIdentifier sid = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sidStr = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 2, only have 1 explicit Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 3, only have 1 explicit Ace of different sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all aceflags but inheritedonly and inherited
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 1;
sidStr = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 4, only have 1 inherited Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 5, have one explicit Ace and one inherited Ace of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 2, sid, false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 6, have two explicit Aces of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(systemAcl, sid, 0));
//case 7, 1 explicit CustomAce
Assert.Throws <InvalidOperationException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//199 has all aceflags but inheritedonly and inherited
aceFlag = (AceFlags)199;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
aceCount = 1;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestPurge(systemAcl, sid, aceCount);
});
//case 8, 1 explicit CompoundAce
Assert.Throws <InvalidOperationException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestPurge(systemAcl, sid, aceCount);
});
//case 9, 1 explict ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(systemAcl, sid, aceCount));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
//case 1, binaryForm is null
Assert.Throws <ArgumentNullException>(() =>
{
binaryForm = null;
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 2, binaryForm is empty
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[0];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 3, negative offset
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[100];
offset = -1;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 4, binaryForm length less than GenericAcl.HeaderLength
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[4];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//CustomAce constructor parameters
AceType aceType = 0;
AceFlags aceFlag = 0;
byte[] opaque = null;
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
gAce = null;
sid = "BA";
//CustomAce constructor parameters
aceType = 0;
aceFlag = 0;
binaryForm = new byte[65536];
AssertExtensions.Throws <ArgumentException>("binaryForm", () =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
rawAcl.GetBinaryForm(binaryForm, 0);
//change the length bytes to 65535
binaryForm[2] = 0xf;
binaryForm[3] = 0xf;
//change the aceCount to 1
binaryForm[4] = 1;
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
gAce.GetBinaryForm(binaryForm, 8);
TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length);
});
//case 7, a valid binary representation with revision 255, 256 Access
//CommonAce to test the correctness of the process of the AceCount in the header
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 256; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
}
binaryForm = new byte[rawAcl.BinaryLength + 1000];
rawAcl.GetBinaryForm(binaryForm, 1000);
Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength));
//case 8, array containing garbage
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 9, array containing garbage
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
//binary form shows the length will be 1, actual length is 12
binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 10, array containing garbage
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
}
private static bool IsObjectType(AceType type)
{
return type == AceType.AccessAllowedCallbackObject
|| type == AceType.AccessAllowedObject
|| type == AceType.AccessDeniedCallbackObject
|| type == AceType.AccessDeniedObject
|| type == AceType.SystemAlarmCallbackObject
|| type == AceType.SystemAlarmObject
|| type == AceType.SystemAuditCallbackObject
|| type == AceType.SystemAuditObject;
}
private AceQualifier QualifierFromType( AceType type, out bool isCallback )
{
//
// Better performance might be achieved by using a hard-coded table
//
switch ( type )
{
case AceType.AccessAllowed:
isCallback = false;
return AceQualifier.AccessAllowed;
case AceType.AccessDenied:
isCallback = false;
return AceQualifier.AccessDenied;
case AceType.SystemAudit:
isCallback = false;
return AceQualifier.SystemAudit;
case AceType.SystemAlarm:
isCallback = false;
return AceQualifier.SystemAlarm;
case AceType.AccessAllowedCallback:
isCallback = true;
return AceQualifier.AccessAllowed;
case AceType.AccessDeniedCallback:
isCallback = true;
return AceQualifier.AccessDenied;
case AceType.SystemAuditCallback:
isCallback = true;
return AceQualifier.SystemAudit;
case AceType.SystemAlarmCallback:
isCallback = true;
return AceQualifier.SystemAlarm;
case AceType.AccessAllowedObject:
isCallback = false;
return AceQualifier.AccessAllowed;
case AceType.AccessDeniedObject:
isCallback = false;
return AceQualifier.AccessDenied;
case AceType.SystemAuditObject:
isCallback = false;
return AceQualifier.SystemAudit;
case AceType.SystemAlarmObject:
isCallback = false;
return AceQualifier.SystemAlarm;
case AceType.AccessAllowedCallbackObject:
isCallback = true;
return AceQualifier.AccessAllowed;
case AceType.AccessDeniedCallbackObject:
isCallback = true;
return AceQualifier.AccessDenied;
case AceType.SystemAuditCallbackObject:
isCallback = true;
return AceQualifier.SystemAudit;
case AceType.SystemAlarmCallbackObject:
isCallback = true;
return AceQualifier.SystemAlarm;
default:
//
// Indicates a bug in the implementation, not in user's code
//
Contract.Assert( false, "Invalid ACE type" );
throw new SystemException();
}
}
internal KnownAce(AceType type, AceFlags flags, int accessMask, SecurityIdentifier securityIdentifier)
: base(type, flags)
{
if (securityIdentifier == null)
{
throw new ArgumentNullException(nameof(securityIdentifier));
}
Contract.EndContractBlock();
//
// The values are set by invoking the properties.
//
AccessMask = accessMask;
SecurityIdentifier = securityIdentifier;
}
internal QualifiedAce(AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, byte[] opaque)
: base(type, flags, accessMask, sid)
{
this._qualifier = this.QualifierFromType(type, out this._isCallback);
this.SetOpaque(opaque);
}
private AceQualifier QualifierFromType(AceType type, out bool isCallback)
{
switch (type)
{
case AceType.AccessAllowed:
isCallback = false;
return(AceQualifier.AccessAllowed);
case AceType.AccessDenied:
isCallback = false;
return(AceQualifier.AccessDenied);
case AceType.SystemAudit:
isCallback = false;
return(AceQualifier.SystemAudit);
case AceType.SystemAlarm:
isCallback = false;
return(AceQualifier.SystemAlarm);
case AceType.AccessAllowedObject:
isCallback = false;
return(AceQualifier.AccessAllowed);
case AceType.AccessDeniedObject:
isCallback = false;
return(AceQualifier.AccessDenied);
case AceType.SystemAuditObject:
isCallback = false;
return(AceQualifier.SystemAudit);
case AceType.SystemAlarmObject:
isCallback = false;
return(AceQualifier.SystemAlarm);
case AceType.AccessAllowedCallback:
isCallback = true;
return(AceQualifier.AccessAllowed);
case AceType.AccessDeniedCallback:
isCallback = true;
return(AceQualifier.AccessDenied);
case AceType.AccessAllowedCallbackObject:
isCallback = true;
return(AceQualifier.AccessAllowed);
case AceType.AccessDeniedCallbackObject:
isCallback = true;
return(AceQualifier.AccessDenied);
case AceType.SystemAuditCallback:
isCallback = true;
return(AceQualifier.SystemAudit);
case AceType.SystemAlarmCallback:
isCallback = true;
return(AceQualifier.SystemAlarm);
case AceType.SystemAuditCallbackObject:
isCallback = true;
return(AceQualifier.SystemAudit);
case AceType.SystemAlarmCallbackObject:
isCallback = true;
return(AceQualifier.SystemAlarm);
default:
throw new SystemException();
}
}
public static void Constructor3_AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//drop the Ace from rawAcl
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//15 has all inheritance AceFlags but Inherited
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//8 has inheritOnly
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 4, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 5, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
// 2 has ContainerInherit
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 6, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 7, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 8, all Aces from case 1, and 3 to 6
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
//0 access Mask
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// ObjectAce
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CompoundAce
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
discretionaryAcl = null;
isContainer = false;
isDS = false;
rawAcl = null;
//case 1, rawAcl = null
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CustomAce" /> class.</summary>
/// <param name="type">Type of the new Access Control Entry (ACE). This value must be greater than <see cref="F:System.Security.AccessControl.AceType.MaxDefinedAceType" />.</param>
/// <param name="flags">Flags that specify information about the inheritance, inheritance propagation, and auditing conditions for the new ACE.</param>
/// <param name="opaque">An array of byte values that contains the data for the new ACE. This value can be null. The length of this array must not be greater than the value of the <see cref="F:System.Security.AccessControl.CustomAce.MaxOpaqueLength" /> field, and must be a multiple of four.</param>
/// <exception cref="T:System.ArgumentOutOfRangeException">The value of the <paramref name="type" /> parameter is not greater than <see cref="F:System.Security.AccessControl.AceType.MaxDefinedAceType" /> or the length of the <paramref name="opaque" /> array is either greater than the value of the <see cref="F:System.Security.AccessControl.CustomAce.MaxOpaqueLength" /> field or not a multiple of four.</exception>
public CustomAce(AceType type, AceFlags flags, byte[] opaque) : base(type)
{
base.AceFlags = flags;
this.SetOpaque(opaque);
}
// Constructor.
internal GenericAce(AceFlags aceFlags, AceType aceType)
{
this.aceFlags = aceFlags;
this.aceType = aceType;
}
static internal GenericAce CreateFromSddlForm(string sddlForm, ref int pos)
{
if (sddlForm[pos] != '(')
{
throw new ArgumentException("Invalid SDDL string.", "sddlForm");
}
int endPos = sddlForm.IndexOf(')', pos);
if (endPos < 0)
{
throw new ArgumentException("Invalid SDDL string.", "sddlForm");
}
int count = endPos - (pos + 1);
string elementsStr = sddlForm.Substring(pos + 1,
count);
elementsStr = elementsStr.ToUpperInvariant();
string[] elements = elementsStr.Split(';');
if (elements.Length != 6)
{
throw new ArgumentException("Invalid SDDL string.", "sddlForm");
}
ObjectAceFlags objFlags = ObjectAceFlags.None;
AceType type = ParseSddlAceType(elements[0]);
AceFlags flags = ParseSddlAceFlags(elements[1]);
int accessMask = ParseSddlAccessRights(elements[2]);
Guid objectType = Guid.Empty;
if (!string.IsNullOrEmpty(elements[3]))
{
objectType = new Guid(elements[3]);
objFlags |= ObjectAceFlags.ObjectAceTypePresent;
}
Guid inhObjectType = Guid.Empty;
if (!string.IsNullOrEmpty(elements[4]))
{
inhObjectType = new Guid(elements[4]);
objFlags |= ObjectAceFlags.InheritedObjectAceTypePresent;
}
SecurityIdentifier sid
= new SecurityIdentifier(elements[5]);
if (type == AceType.AccessAllowedCallback ||
type == AceType.AccessDeniedCallback)
{
throw new NotImplementedException("Conditional ACEs not supported");
}
pos = endPos + 1;
if (IsObjectType(type))
{
return(new ObjectAce(type, flags, accessMask, sid, objFlags, objectType, inhObjectType, null));
}
else
{
if (objFlags != ObjectAceFlags.None)
{
throw new ArgumentException("Invalid SDDL string.", "sddlForm");
}
return(new CommonAce(type, flags, accessMask, sid, null));
}
}
public CustomAce( AceType type, AceFlags flags, byte[] opaque )
: base( type, flags )
{
if ( type <= AceType.MaxDefinedAceType )
{
throw new ArgumentOutOfRangeException(
"type",
Environment.GetResourceString( "ArgumentOutOfRange_InvalidUserDefinedAceType" ));
}
Contract.EndContractBlock();
SetOpaque( opaque );
}
internal QualifiedAce(AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, byte[] opaque)
: base(type, flags, accessMask, sid)
{
_qualifier = QualifierFromType(type, out _isCallback);
SetOpaque(opaque);
}
private void AddAce(AceType type, AccessMask mask, AceFlags flags, Sid sid)
{
AddAce(new Ace(type, flags, mask, sid));
}
public Ace(Guid actionId, AceType reaction)
{
ActionId = actionId;
Reaction = reaction;
}
protected void BaseInit(AceType type, int size, AceFlags flags, Sid sid, AccessType accessType)
{
if (size >= ushort.MaxValue)
throw new ArgumentException("Ace size is limited to an 16-bit integer", "size");
if (size <= ACE_HEADER.SizeOf)
throw new ArgumentException("Ace size must be at least the size of an ACE_HEADER", "size");
_header.AceType = type;
_header.AceSize = (ushort)size;
_header.AceFlags = flags;
_accessType = accessType;
_sid = sid;
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 3, a valid binary representation with revision 127, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 4, a valid binary representation with revision 1, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 5, a valid binary representation with revision 1, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a valid binary representation with revision 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));
//case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
revision = 127;
capacity = 5;
rawAcl = new RawAcl(revision, capacity);
//SystemAudit CommonAce
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//Access Allowed CommonAce
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));
}
public void AddAce(ISubject subject, IAction action, AceType reaction)
{
AddAce(subject, action, null, reaction);
}
protected static string GetSddlAceType (AceType type)
{
switch (type) {
case AceType.AccessAllowed:
return "A";
case AceType.AccessDenied:
return "D";
case AceType.AccessAllowedObject:
return "OA";
case AceType.AccessDeniedObject:
return "OD";
case AceType.SystemAudit:
return "AU";
case AceType.SystemAlarm:
return "AL";
case AceType.SystemAuditObject:
return "OU";
case AceType.SystemAlarmObject:
return "OL";
case AceType.AccessAllowedCallback:
return "XA";
case AceType.AccessDeniedCallback:
return "XD";
default:
throw new ArgumentException ("Unable to convert to SDDL ACE type: " + type, "type");
}
}
// Token: 0x06001E7A RID: 7802 RVA: 0x0006A800 File Offset: 0x00068A00
internal static bool ParseBinaryForm(byte[] binaryForm, int offset, out AceQualifier qualifier, out int accessMask, out SecurityIdentifier sid, out ObjectAceFlags objectFlags, out Guid objectAceType, out Guid inheritedObjectAceType, out bool isCallback, out byte[] opaque)
{
byte[] array = new byte[16];
GenericAce.VerifyHeader(binaryForm, offset);
if (binaryForm.Length - offset >= 12 + SecurityIdentifier.MinBinaryLength)
{
AceType aceType = (AceType)binaryForm[offset];
if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessDeniedObject || aceType == AceType.SystemAuditObject || aceType == AceType.SystemAlarmObject)
{
isCallback = false;
}
else
{
if (aceType != AceType.AccessAllowedCallbackObject && aceType != AceType.AccessDeniedCallbackObject && aceType != AceType.SystemAuditCallbackObject && aceType != AceType.SystemAlarmCallbackObject)
{
goto IL_209;
}
isCallback = true;
}
if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessAllowedCallbackObject)
{
qualifier = AceQualifier.AccessAllowed;
}
else if (aceType == AceType.AccessDeniedObject || aceType == AceType.AccessDeniedCallbackObject)
{
qualifier = AceQualifier.AccessDenied;
}
else if (aceType == AceType.SystemAuditObject || aceType == AceType.SystemAuditCallbackObject)
{
qualifier = AceQualifier.SystemAudit;
}
else
{
if (aceType != AceType.SystemAlarmObject && aceType != AceType.SystemAlarmCallbackObject)
{
goto IL_209;
}
qualifier = AceQualifier.SystemAlarm;
}
int num = offset + 4;
int num2 = 0;
accessMask = (int)binaryForm[num] + ((int)binaryForm[num + 1] << 8) + ((int)binaryForm[num + 2] << 16) + ((int)binaryForm[num + 3] << 24);
num2 += 4;
objectFlags = (ObjectAceFlags)((int)binaryForm[num + num2] + ((int)binaryForm[num + num2 + 1] << 8) + ((int)binaryForm[num + num2 + 2] << 16) + ((int)binaryForm[num + num2 + 3] << 24));
num2 += 4;
if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
{
for (int i = 0; i < 16; i++)
{
array[i] = binaryForm[num + num2 + i];
}
num2 += 16;
}
else
{
for (int j = 0; j < 16; j++)
{
array[j] = 0;
}
}
objectAceType = new Guid(array);
if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
{
for (int k = 0; k < 16; k++)
{
array[k] = binaryForm[num + num2 + k];
}
num2 += 16;
}
else
{
for (int l = 0; l < 16; l++)
{
array[l] = 0;
}
}
inheritedObjectAceType = new Guid(array);
sid = new SecurityIdentifier(binaryForm, num + num2);
opaque = null;
int num3 = ((int)binaryForm[offset + 3] << 8) + (int)binaryForm[offset + 2];
if (num3 % 4 == 0)
{
int num4 = num3 - 4 - 4 - 4 - (int)((byte)sid.BinaryLength);
if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
{
num4 -= 16;
}
if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
{
num4 -= 16;
}
if (num4 > 0)
{
opaque = new byte[num4];
for (int m = 0; m < num4; m++)
{
opaque[m] = binaryForm[offset + num3 - num4 + m];
}
}
return(true);
}
}
IL_209:
qualifier = AceQualifier.AccessAllowed;
accessMask = 0;
sid = null;
objectFlags = ObjectAceFlags.None;
objectAceType = Guid.NewGuid();
inheritedObjectAceType = Guid.NewGuid();
isCallback = false;
opaque = null;
return(false);
}
public void HasAccessOrException(string securityContext, string planUniqueName, AceType aceType, object right)
{
_splxDal?.TrySecurityOrException(securityContext, planUniqueName, aceType, right, "Plan");
}
public CustomAce(AceType type, AceFlags flags, byte[] opaque);
protected Ace(AceType aceType, PrincipalIdentifier principal)
: this(aceType, principal, AccessMask.None)
{
}
public AzRecord(Guid subjectId, Guid actionId, AceType reaction, ISecurityObjectId objectId)
: this(subjectId, actionId, reaction, AzObjectIdHelper.GetFullObjectId(objectId))
{
}
public void RemoveAce <T>(ISubject subject, IAction action, ISecurityObjectId objectId, AceType reaction)
{
if (subject == null)
{
throw new ArgumentNullException("subject");
}
if (action == null)
{
throw new ArgumentNullException("action");
}
var r = new PermissionRecord(subject.ID, action.ID, AzObjectIdHelper.GetFullObjectId(objectId), reaction);
if (permRecords.ContainsKey(r.Id))
{
permRecords.Remove(r.Id);
}
}
/// <summary>
/// Selects and loads security for the given UniqueName into a SplxRecordManager
/// </summary>
/// <param name="uniqueName"></param>
/// <returns>A loaded and resolved SplxRecordManager</returns>
SplxSecureManagerBase GetSecureManagerSecurityRecurseUp(string userName, AceType aceType, string uniqueName, SecurityLoadParameters slp)
{
string rootUniqueName = ContainerRootUniqueName;
SecureContainer root = new SecureContainer()
{
UniqueName = rootUniqueName
};
#region setup SecurityLoadParameters, load ExternalGroupInfo
if (slp == null)
{
slp = new SecurityLoadParameters()
{
ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
User = this.GetSuplexUser(userName)
}
}
;
ExternalGroupInfo egi =
new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv);
egi.BuildGroupsList(slp.User.Name);
#endregion
SecureContainer ctrl = root;
SplxSecureManagerBase context = null;
#region IsFileStore = true
if (IsFileStore)
{
context = new SplxRecordManager()
{
UniqueName = uniqueName
};
if (aceType == AceType.FileSystem)
{
context = new SplxFileSystemManager()
{
UniqueName = uniqueName
}
}
;
splxApi.UIElement uie = _splxStore.UIElements.GetByUniqueNameRecursiveIgnoreCase(uniqueName);
if (uie == null)
{
throw new SecurityException($"Could not find security element [{uniqueName}] in the permissione configuration.");
}
ISecureControl curr = context;
IObjectModel parentObj = uie.ParentObject;
while (parentObj != null)
{
SecureContainer par = new SecureContainer()
{
UniqueName = ((splxApi.UIElement)parentObj).UniqueName
};
par.Children.Add(curr);
curr = par;
parentObj = parentObj.ParentObject;
}
curr.Security.Load(_splxStore, slp);
}
#endregion
#region IsFileStore = false
else
{
DataSet ds = _da.GetDataSet("splx.splx_dal_sel_security_byuserbyuie_up",
new System.Collections.sSortedList(
"@UIE_UNIQUE_NAME", uniqueName,
"@SPLX_USER_ID", slp.User.Id,
"@EXTERNAL_GROUP_LIST", egi.GroupsList));
_da.NameTablesFromCompositeSelect(ref ds);
//todo, when suplex is ready
//DataSet ds = _splxApi.GetSecurity( rootUniqueName, slp.User, slp.ExternalGroupInfo, future:recurseUp );
DataTable acl = ds.Tables["AclInfo"];
DataRow[] rows = acl.Select(string.Format("UIE_UNIQUE_NAME = '{0}'", rootUniqueName));
if (rows.Length > 0)
{
rows = acl.Select(string.Format("UIE_PARENT_ID = '{0}'", rows[0]["SPLX_UI_ELEMENT_ID"]));
}
while (rows.Length > 0)
{
string un = rows[0]["UIE_UNIQUE_NAME"].ToString();
if (un.StartsWith(ContainerUniqueNamePrefix))
{
context = new SplxRecordManager()
{
UniqueName = un
};
if (aceType == AceType.FileSystem)
{
context = new SplxFileSystemManager()
{
UniqueName = un
}
}
;
ctrl.Children.Add(context);
}
else
{
SecureContainer child = new SecureContainer()
{
UniqueName = un
};
ctrl.Children.Add(child);
ctrl = child;
}
rows = acl.Select(string.Format("UIE_PARENT_ID = '{0}'", rows[0]["SPLX_UI_ELEMENT_ID"]));
}
root.Security.Load(ds, slp);
}
#endregion
return(context);
}
internal Ace(AceType type)
{
Type = type;
}
/// <summary>
/// Tests security /and/ RlsOwner for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed
/// </summary>
/// <param name="uniqueName">The UniqueName for which to select security.</param>
/// <param name="right">The RecordRight to test (used in error message).</param>
/// <param name="assetType">The associated AssetType (used in error message).</param>
/// <param name="rowOwnerId">The rlsOwner from the row.</param>
public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, Guid rowOwnerId, bool recurseUp = true)
{
return(this.TrySecurityOrException(userName, uniqueName, aceType, right, assetType, rowOwnerId, null, true, recurseUp));
}
public Ace(Guid actionId, AceType reaction)
{
ActionId = actionId;
Reaction = reaction;
}
/// <summary>
/// Tests security /and/ RlsMask for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed
/// </summary>
/// <param name="uniqueName">The UniqueName for which to select security.</param>
/// <param name="right">The RecordRight to test (used in error message).</param>
/// <param name="assetType">The associated AssetType (used in error message).</param>
/// <param name="rowRlsMask">The rlsMask from the row.</param>
public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, byte[] rowRlsMask, bool recurseUp = true)
{
return(this.TrySecurityOrException(userName, uniqueName, aceType, right, assetType, Guid.Empty, rowRlsMask, false, recurseUp));
}
/// <summary>
/// Set "User Cannot Change Password ACL".
/// @param sddl SDDL.
/// @param cannot <tt>true</tt> to set the ACL; <tt>false</tt> to unset.
/// @return updated SDDL.
/// </summary>
public static Sddl UserCannotChangePassword(Sddl sddl, bool cannot)
{
AceType type = cannot ? AceType.AccessDeniedObjectAceType : AceType.AccessAllowedObjectAceType;
Ace self = null;
Ace all = null;
List <Ace> aces = sddl.GetDacl().GetAces();
for (var i = 0; (all == null || self == null) && i < aces.Count; i++)
{
Ace ace = aces[i];
if ((ace.GetAceType() == AceType.AccessAllowedObjectAceType ||
ace.GetAceType() == AceType.AccessDeniedObjectAceType) &&
ace.GetObjectFlags().GetFlags().Contains(AceObjectFlags.Flag.AceObjectTypePresent))
{
if (ace.GetObjectType() == ucpObjectGuid)
{
SID sid = ace.GetSid();
if (sid.GetSubAuthorities().Count == 1)
{
if (self == null &&
sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }) &&
sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00 }))
{
self = ace;
self.SetType(type);
}
else if (all == null &&
sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 }) &&
sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x0a }))
{
all = ace;
all.SetType(type);
}
}
}
}
}
if (self == null)
{
// prepare aces
self = Ace.NewInstance(type);
self.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent));
self.SetObjectType(ucpObjectGuid);
self.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr));
SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000001, 6));
sid.AddSubAuthority(NumberFacility.GetBytes(0));
self.SetSid(sid);
sddl.GetDacl().GetAces().Add(self);
}
if (all == null)
{
all = Ace.NewInstance(type);
all.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent));
all.SetObjectType(ucpObjectGuid);
all.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr));
SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000005, 6));
sid.AddSubAuthority(NumberFacility.GetBytes(0x0A));
all.SetSid(sid);
sddl.GetDacl().GetAces().Add(all);
}
return(sddl);
}
// Constructor.
internal GenericAce(AceFlags aceFlags, AceType aceType)
{
this.aceFlags = aceFlags;
this.aceType = aceType;
}
private AceQualifier QualifierFromType(AceType type, out bool isCallback)
{
//
// Better performance might be achieved by using a hard-coded table
//
switch (type)
{
case AceType.AccessAllowed:
isCallback = false;
return AceQualifier.AccessAllowed;
case AceType.AccessDenied:
isCallback = false;
return AceQualifier.AccessDenied;
case AceType.SystemAudit:
isCallback = false;
return AceQualifier.SystemAudit;
case AceType.SystemAlarm:
isCallback = false;
return AceQualifier.SystemAlarm;
case AceType.AccessAllowedCallback:
isCallback = true;
return AceQualifier.AccessAllowed;
case AceType.AccessDeniedCallback:
isCallback = true;
return AceQualifier.AccessDenied;
case AceType.SystemAuditCallback:
isCallback = true;
return AceQualifier.SystemAudit;
case AceType.SystemAlarmCallback:
isCallback = true;
return AceQualifier.SystemAlarm;
case AceType.AccessAllowedObject:
isCallback = false;
return AceQualifier.AccessAllowed;
case AceType.AccessDeniedObject:
isCallback = false;
return AceQualifier.AccessDenied;
case AceType.SystemAuditObject:
isCallback = false;
return AceQualifier.SystemAudit;
case AceType.SystemAlarmObject:
isCallback = false;
return AceQualifier.SystemAlarm;
case AceType.AccessAllowedCallbackObject:
isCallback = true;
return AceQualifier.AccessAllowed;
case AceType.AccessDeniedCallbackObject:
isCallback = true;
return AceQualifier.AccessDenied;
case AceType.SystemAuditCallbackObject:
isCallback = true;
return AceQualifier.SystemAudit;
case AceType.SystemAlarmCallbackObject:
isCallback = true;
return AceQualifier.SystemAlarm;
default:
//
// Indicates a bug in the implementation, not in user's code
//
Debug.Assert(false, "Invalid ACE type");
// Replacing SystemException with InvalidOperationException. It's not a perfect fit,
// but it's the best exception type available to indicate a failure because
// of a bug in the ACE itself.
throw new InvalidOperationException();
}
}
public AzRecord(Guid subjectId, Guid actionId, AceType reaction)
: this(subjectId, actionId, reaction, default(string))
{
}
internal GenericAce(AceType type, AceFlags flags)
{
//
// Store the values passed in;
// do not make any checks - anything is valid here
//
_type = type;
_flags = flags;
}
public static void RemoveInheritedAces_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(2, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(3, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(2, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestRemoveInheritedAces(discretionaryAcl);
});
//case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 5, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 6, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 7, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 8, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//215 has all AceFlags except InheritOnly
aceFlag = (AceFlags)215;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 9, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 10, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
}
public CustomAce(AceType type, AceFlags flags, byte[] opaque)
: base(type, flags)
{
if (type <= AceType.MaxDefinedAceType)
{
throw new ArgumentOutOfRangeException(
nameof(type),
SR.ArgumentOutOfRange_InvalidUserDefinedAceType);
}
Contract.EndContractBlock();
SetOpaque(opaque);
}
/// <summary>Creates a <see cref="T:System.Security.AccessControl.GenericAce" /> object from the specified binary data.</summary>
/// <param name="binaryForm">The binary data from which to create the new <see cref="T:System.Security.AccessControl.GenericAce" /> object.</param>
/// <param name="offset">The offset at which to begin unmarshaling.</param>
/// <returns>The <see cref="T:System.Security.AccessControl.GenericAce" /> object this method creates.</returns>
// Token: 0x06001E46 RID: 7750 RVA: 0x00069C80 File Offset: 0x00067E80
public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
{
GenericAce.VerifyHeader(binaryForm, offset);
AceType aceType = (AceType)binaryForm[offset];
GenericAce genericAce;
if (aceType == AceType.AccessAllowed || aceType == AceType.AccessDenied || aceType == AceType.SystemAudit || aceType == AceType.SystemAlarm || aceType == AceType.AccessAllowedCallback || aceType == AceType.AccessDeniedCallback || aceType == AceType.SystemAuditCallback || aceType == AceType.SystemAlarmCallback)
{
AceQualifier qualifier;
int accessMask;
SecurityIdentifier sid;
bool isCallback;
byte[] opaque;
if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out isCallback, out opaque))
{
goto IL_1A8;
}
AceFlags flags = (AceFlags)binaryForm[offset + 1];
genericAce = new CommonAce(flags, qualifier, accessMask, sid, isCallback, opaque);
}
else if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessDeniedObject || aceType == AceType.SystemAuditObject || aceType == AceType.SystemAlarmObject || aceType == AceType.AccessAllowedCallbackObject || aceType == AceType.AccessDeniedCallbackObject || aceType == AceType.SystemAuditCallbackObject || aceType == AceType.SystemAlarmCallbackObject)
{
AceQualifier qualifier2;
int accessMask2;
SecurityIdentifier sid2;
ObjectAceFlags flags2;
Guid type;
Guid inheritedType;
bool isCallback2;
byte[] opaque2;
if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out accessMask2, out sid2, out flags2, out type, out inheritedType, out isCallback2, out opaque2))
{
goto IL_1A8;
}
AceFlags aceFlags = (AceFlags)binaryForm[offset + 1];
genericAce = new ObjectAce(aceFlags, qualifier2, accessMask2, sid2, flags2, type, inheritedType, isCallback2, opaque2);
}
else if (aceType == AceType.AccessAllowedCompound)
{
int accessMask3;
CompoundAceType compoundAceType;
SecurityIdentifier sid3;
if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask3, out compoundAceType, out sid3))
{
goto IL_1A8;
}
AceFlags flags3 = (AceFlags)binaryForm[offset + 1];
genericAce = new CompoundAce(flags3, accessMask3, compoundAceType, sid3);
}
else
{
AceFlags flags4 = (AceFlags)binaryForm[offset + 1];
byte[] array = null;
int num = (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8);
if (num % 4 != 0)
{
goto IL_1A8;
}
int num2 = num - 4;
if (num2 > 0)
{
array = new byte[num2];
for (int i = 0; i < num2; i++)
{
array[i] = binaryForm[offset + num - num2 + i];
}
}
genericAce = new CustomAce(aceType, flags4, array);
}
if ((genericAce is ObjectAce || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength) && (!(genericAce is ObjectAce) || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) - 32 == genericAce.BinaryLength))
{
return(genericAce);
}
IL_1A8:
throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
}
public AzRecord(Guid subjectId, Guid actionId, AceType reaction)
: this(subjectId, actionId, reaction, default(string))
{
}
// Token: 0x06001E42 RID: 7746 RVA: 0x00069B73 File Offset: 0x00067D73
internal GenericAce(AceType type, AceFlags flags)
{
this._type = type;
this._flags = flags;
}
/// <summary>
/// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed
/// </summary>
/// <param name="uniqueName">The UniqueName for which to select security.</param>
/// <param name="right">The RecordRight to test (used in error message).</param>
/// <param name="assetType">The associated AssetType (used in error message).</param>
/// <param name="rowOwnerId">The rlsOwner from the row.</param>
/// <param name="rowRlsMask">The rlsMask from the row.</param>
public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, Guid rowOwnerId, byte[] rowRlsMask, bool allowOwnerOverride, bool recurseUp = true)
{
string exceptionMsg = this.GetNoRightsErrorMessage(right, assetType);
SecurityLoadParameters slp = new SecurityLoadParameters()
{
ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
User = this.GetSuplexUser(userName, resolve: true)
};
SplxSecureManagerBase perms = recurseUp ?
GetSecureManagerSecurityRecurseUp(userName, aceType, uniqueName, slp) :
GetSecureManagerSecurity(userName, aceType, uniqueName, slp);
#region eval rls
RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
if (rowOwnerId != Guid.Empty)
{
option |= RowLevelSecurityHelper.EvalOption.Owner;
}
if (rowRlsMask != null)
{
option |= RowLevelSecurityHelper.EvalOption.Mask;
}
RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
{
RowOwnerId = rowOwnerId,
RowRlsMask = rowRlsMask,
SecurityPrincipalId = slp.User.IdToGuid(),
SecurityPrincipalRlsMask = slp.User.RlsMask,
Option = option
};
perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride);
if (option != RowLevelSecurityHelper.EvalOption.None &&
!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
exceptionMsg = "You do not have rights to this record.";
}
#endregion
if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
throw new SecurityException(exceptionMsg);
}
return(new SuplexSecurityInfo(slp.User, perms));
}
protected virtual void Read()
{
var aceHeader = _memory.ReadStruct<AceHeader>();
_flags = aceHeader.AceFlags;
_size = aceHeader.AceSize;
_type = aceHeader.AceType;
}
public CustomAce(AceType type, AceFlags flags, byte[] opaque);
public SecureContainer(AceType aceType = AceType.FileSystem)
{
_sa = new SecurityAccessor(this, aceType);
_sr = _sa.Descriptor.SecurityResults;
}
