Example #1
0
        public void RemoveGroupIfExists(CodeGroup parentGroup, String name)
        {
            CodeGroup childGroup;

            while ((childGroup = GetChildGroup(parentGroup, name)) != null)
            {
                parentGroup.RemoveChild(childGroup);
            }
        }
Example #2
0
        // -rg label|name
        // -remgroup label|name
        static bool RemoveCodeGroup(string name)
        {
            PolicyLevel pl     = null;
            CodeGroup   parent = null;
            CodeGroup   cg     = FindCodeGroup(name, ref parent, ref pl);

            if ((pl == null) || (parent == null) || (cg == null))
            {
                return(false);
            }

            if (!Confirm())
            {
                return(false);
            }

            parent.RemoveChild(cg);
            SecurityManager.SavePolicyLevel(pl);
            Console.WriteLine("CodeGroup '{0}' removed from {1} policy level.",
                              cg.Name, pl.Label);
            return(true);
        }
        private static void DeleteCustomChildCodeGroup(string codeGroupName)
        {
            // Delete the custom child group.
            // Delete the child group by creating a copy of the parent code group, deleting its children,
            // then adding the copy of the parent code group back to the root code group.
            IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();

            while (policyEnumerator.MoveNext())
            {
                PolicyLevel machineLevel = (PolicyLevel)policyEnumerator.Current;
                // IList returns copies of the code groups, not the code groups themselves,
                // so operations on the IList objects do not affect the actual code group.
                IList       childCodeGroups = machineLevel.RootCodeGroup.Children;
                IEnumerator childGroups     = childCodeGroups.GetEnumerator();
                while (childGroups.MoveNext())
                {
                    CodeGroup thisCodeGroup = (CodeGroup)childGroups.Current;
                    if (thisCodeGroup.Name == codeGroupName)
                    {
                        // Create a new code group from this one, but without it's children.
                        // Delete the original code group and add the new one just created.
                        CodeGroup   newCodeGroup   = thisCodeGroup;
                        IList       childCodeGroup = newCodeGroup.Children;
                        IEnumerator childGroup     = childCodeGroup.GetEnumerator();
                        while (childGroup.MoveNext())
                        {
                            // Remove all the children from the copy.
                            newCodeGroup.RemoveChild((CodeGroup)childGroup.Current);
                        }
                        // Should have a copy of the parent code group with children removed.
                        // Delete the original parent code group and replace with its childless clone.
                        machineLevel.RootCodeGroup.RemoveChild(thisCodeGroup);
                        machineLevel.RootCodeGroup.AddChild(newCodeGroup);
                        SecurityManager.SavePolicy();
                    }
                }
            }
        }
Example #4
0
    // Print the properties of the specified code group to the console.
    private static void PrintCodeGroup(CodeGroup codeGroup)
    {
        // Compare the type of the specified object with the FileCodeGroup
        // type.
        if (!codeGroup.GetType().Equals(typeof(FileCodeGroup)))
        {
            throw new ArgumentException("Expected the FileCodeGroup type.");
        }

        string codeGroupName       = codeGroup.Name;
        string membershipCondition = codeGroup.MembershipCondition.ToString();
        string permissionSetName   = codeGroup.PermissionSetName;

        int hashCode = codeGroup.GetHashCode();

        string mergeLogic = "";

        if (codeGroup.MergeLogic.Equals("Union"))
        {
            mergeLogic = " with Union merge logic";
        }

        // Retrieve the class path for FileCodeGroup.
        string fileGroupClass = codeGroup.ToString();

        // Write summary to the console window.
        Console.WriteLine("\n*** " + fileGroupClass + " summary ***");
        Console.Write("A FileCodeGroup named ");
        Console.Write(codeGroupName + mergeLogic);
        Console.Write(" has been created with hash code" + hashCode + ".");
        Console.Write("This code group contains a " + membershipCondition);
        Console.Write(" membership condition with the ");
        Console.Write(permissionSetName + " permission set. ");

        Console.Write("The code group has the following security policy: ");
        Console.WriteLine(ResolveEvidence(codeGroup));


        int childCount = codeGroup.Children.Count;

        if (childCount > 0)
        {
            Console.Write("There are " + childCount);
            Console.WriteLine(" child code groups in this code group.");

            // Iterate through the child code groups to display their names
            // and remove them from the specified code group.
            for (int i = 0; i < childCount; i++)
            {
                // Get child code group as type FileCodeGroup.
                FileCodeGroup childCodeGroup =
                    (FileCodeGroup)codeGroup.Children[i];

                Console.Write("Removing the " + childCodeGroup.Name + ".");
                // Remove child code group.
                codeGroup.RemoveChild(childCodeGroup);
            }

            Console.WriteLine();
        }
        else
        {
            Console.Write("There are no child code groups");
            Console.WriteLine(" in this code group.");
        }
    }
Example #5
0
    // Print the properties of the specified code group to the console.
    private static void PrintCodeGroup(CodeGroup codeGroup)
    {
        // Compare the type of the specified object with the
        // FirstMatchCodeGroup type.
        //<Snippet12>
        if (!codeGroup.GetType().Equals(typeof(FirstMatchCodeGroup)))
        //</Snippet12>
        {
            throw new ArgumentException(
                      "Expected the FirstMatchCodeGroup type.");
        }

        string codeGroupName       = codeGroup.Name;
        string membershipCondition = codeGroup.MembershipCondition.ToString();
        //<Snippet13>
        string permissionSetName = codeGroup.PermissionSetName;
        //</Snippet13>

        //<Snippet14>
        int hashCode = codeGroup.GetHashCode();
        //</Snippet14>

        string mergeLogic = "";

        //<Snippet15>
        if (codeGroup.MergeLogic.Equals("First Match"))
        //</Snippet15>
        {
            mergeLogic = "with first-match merge logic";
        }

        // Retrieve the class path for the FirstMatchCodeGroup.
        //<Snippet16>
        string firstMatchGroupClass = codeGroup.ToString();
        //</Snippet16>

        string attributeString = "";

        // Retrieve the string representation of the FirstMatchCodeGroup's
        // attributes.
        //<Snippet5>
        if (codeGroup.AttributeString != null)
        {
            attributeString = codeGroup.AttributeString;
        }
        //</Snippet5>

        // Write a summary to the console window.
        Console.WriteLine("\n*** " + firstMatchGroupClass + " summary ***");
        Console.Write("A FirstMatchCodeGroup named ");
        Console.Write(codeGroupName + mergeLogic);
        Console.Write(" has been created with hash code(" + hashCode + ").");
        Console.Write("\nThis code group contains a " + membershipCondition);
        Console.Write(" membership condition with the ");
        Console.WriteLine(permissionSetName + " permission set.");

        Console.Write("The code group contains the following policy: ");
        Console.Write(ResolveEvidence(codeGroup));
        Console.Write("\nIt also contains the following attributes: ");
        Console.WriteLine(attributeString);

        int childCount = codeGroup.Children.Count;

        if (childCount > 0)
        {
            Console.Write("There are " + childCount);
            Console.WriteLine(" child elements in the code group.");

            // Iterate through the child code groups to display their names
            // and then remove them from the specified code group.
            for (int i = 0; i < childCount; i++)
            {
                // Retrieve a child code group, which has been cast as a
                // FirstMatchCodeGroup type.
                //<Snippet21>
                FirstMatchCodeGroup childCodeGroup =
                    (FirstMatchCodeGroup)codeGroup.Children[i];
                //</Snippet21>

                Console.Write("Removing the " + childCodeGroup.Name + ".");
                // Remove the child code group.
                //<Snippet17>
                codeGroup.RemoveChild(childCodeGroup);
                //</Snippet17>
            }

            Console.WriteLine();
        }
        else
        {
            Console.WriteLine(" No child code groups were found in this" +
                              " code group.");
        }
    }
Example #6
0
        }// TryToCreateFullTrust

        private CodeGroup CreateCodegroup(PermissionSet pSet, bool fHighjackExisting)
        {
            // Now create our codegroup
            // Figure out what membership condition to use
            IMembershipCondition mc = null;
            // If the assembly didn't have a publisher certificate or a strong name,
            // then we must trust it by hash
            int nTrustBy = m_fHasCertOrSName?Page3.HowToTrust:TrustBy.HASH;

            if ((nTrustBy & TrustBy.SNAME) > 0)
            {
                // Let's get the strong name stuff together
                StrongName sn = GetStrongName();
                StrongNamePublicKeyBlob snpkb = sn.PublicKey;
                Version v     = null;
                String  sName = null;
                if ((nTrustBy & TrustBy.SNAMEVER) > 0)
                {
                    v = sn.Version;
                }

                if ((nTrustBy & TrustBy.SNAMENAME) > 0)
                {
                    sName = sn.Name;
                }

                mc = new StrongNameMembershipCondition(snpkb, sName, v);
            }
            else if ((nTrustBy & TrustBy.PUBCERT) > 0)
            {
                // We're using the publisher certificate stuff
                mc = new PublisherMembershipCondition(GetCertificate());
            }
            else // We'll trust by hash
            {
                Hash h = GetHash();
                mc = new HashMembershipCondition(SHA1.Create(), h.SHA1);
            }

            // Figure out the policy level that we should put this in....
            String      sPolicyLevel = Page1.isForHomeUser?"Machine":"User";
            PolicyLevel pl           = Security.GetPolicyLevelFromLabel(sPolicyLevel);

            // See if a codegroup for this already exists... and if it does, we'll just
            // modify that.
            CSingleCodeGroup scg = null;
            CodeGroup        cg  = null;

            if (fHighjackExisting)
            {
                scg = FindExistingCodegroup(pl, mc);

                if (scg != null)
                {
                    cg = scg.MyCodeGroup;

                    // Cool. We were able to find a codegroup to use. We'll
                    // need to strip off all the File and Net child codegroups
                    IEnumerator enumChildCodeGroups = cg.Children.GetEnumerator();
                    while (enumChildCodeGroups.MoveNext())
                    {
                        CodeGroup cgChild = (CodeGroup)enumChildCodeGroups.Current;
                        if (cgChild is NetCodeGroup || cgChild is FileCodeGroup)
                        {
                            // Ok to use CodeGroup.RemoveChild here we want to toast all
                            // File and Net codegroups... we don't care if the security system
                            // gets confused about which are which (if they don't have names)
                            cg.RemoveChild(cgChild);
                        }
                    }
                }
            }

            // Create the codegroup... we're going to make this a level final
            // codegroup, so if policy gets changes such that a lower-level policy
            // level tries to deny permissions to this codegroup it will be unsuccessful.
            PolicyStatement policystatement = new PolicyStatement(pSet, PolicyStatementAttribute.LevelFinal);

            if (cg == null)
            {
                cg = new UnionCodeGroup(mc, policystatement);
                String sCGName = Security.FindAGoodCodeGroupName(pl, "Wizard_");
                cg.Name        = sCGName;
                cg.Description = CResourceStore.GetString("GeneratedCodegroup");
            }
            else
            {
                cg.PolicyStatement = policystatement;
            }


            // If this is a internet or intranet permission set, we also need to add some codegroups
            if (pSet is NamedPermissionSet)
            {
                NamedPermissionSet nps = (NamedPermissionSet)pSet;

                if (nps.Name.Equals("LocalIntranet"))
                {
                    CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
                    cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
                    cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                    cg.AddChild(cgChild);
                    cgChild             = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
                    cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
                    cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                    cg.AddChild(cgChild);
                }
                else if (nps.Name.Equals("Internet"))
                {
                    CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
                    cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
                    cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                    cg.AddChild(cgChild);
                }
            }


            // Add this codegroup to the root codegroup of the policy
            // If there was already an existing one, just replace that...
            if (scg != null)
            {
                Security.UpdateCodegroup(pl, scg);
            }
            else
            {
                pl.RootCodeGroup.AddChild(cg);
            }

            return(cg);
        }// CreateCodegroup
        }// didMachinePolicyChange

        protected override int WizFinish()
        {
            // This is the main things that the wizard needs to do.
            // If mucking with the machine level
            //
            // 1. Apply appropriate settings to the security zone codegroups.
            //
            // If mucking with the user level
            //
            // 1. Change the user policylevel's root codegroup's permission set to Nothing
            // 2. Apply appropriate settings to the security zone codegroups
            // 3. Copy the entire machine policy into a child codegroup in the user policy
            // 4. Skip the top level of the copied policy looking for zone codegroups. Set
            //    their permission set to nothing, and remove child file and net codegroups.
            // 5. Walk through the entire copied policy and remove any exclusive codegroups


            // We have some different behavior depending on what type of policy we're after
            String sPolicyLevel = IsHomeUser?"Machine":"User";

            PolicyLevel pl = Security.GetPolicyLevelFromLabel(sPolicyLevel);

            SecurityZone[] sz = new SecurityZone[] {
                SecurityZone.MyComputer,
                SecurityZone.Intranet,
                SecurityZone.Internet,
                SecurityZone.Trusted,
                SecurityZone.Untrusted
            };
            m_alNewCodeGroups.Clear();

            for (int i = 0; i < 5; i++)
            {
                // Only do this if we know how to assign a permission set
                if (Page2.SecurityLevels[i] != PermissionSetType.UNKNOWN)
                {
                    // Find the Codegroup with the appropriate Membership Condition
                    CodeGroup cgParent = null;
                    CodeGroup cg       = GetCGWithMembershipCondition(pl.RootCodeGroup, sz[i], out cgParent);

                    // Remove this codegroup from the heirarchy
                    if (cg != null)
                    {
                        if (cgParent == null)
                        {
                            throw new Exception("I should have a parent");
                        }
                        cgParent.RemoveChild(cg);
                    }

                    // We have to create this Codegroup
                    if (cg == null)
                    {
                        ZoneMembershipCondition zmc = new ZoneMembershipCondition(sz[i]);
                        cg = new UnionCodeGroup(zmc, new PolicyStatement(new PermissionSet(PermissionState.None)));
                        // Add a name and description
                        cg.Name = GetCodegroupName(sz[i]);

                        m_alNewCodeGroups.Add(cg);
                        m_pl     = pl;
                        cgParent = pl.RootCodeGroup;
                    }
                    // If was an internet or intranet codegroup, we'll need to remove child codegroups of type
                    // NetCodeGroup or FileCodeGroup
                    if (cg.PermissionSetName != null && (cg.PermissionSetName.Equals("Internet") || cg.PermissionSetName.Equals("LocalIntranet")))
                    {
                        IEnumerator enumCodeGroups = cg.Children.GetEnumerator();
                        while (enumCodeGroups.MoveNext())
                        {
                            CodeGroup group = (CodeGroup)enumCodeGroups.Current;
                            if (group is NetCodeGroup || group is FileCodeGroup)
                            {
                                cg.RemoveChild(group);
                            }
                        }
                    }

                    // Now give this codegroup the appropriate permission set
                    PolicyStatement ps = cg.PolicyStatement;
                    ps.PermissionSet = GetPermissionSetNameFromSecurityLevel(pl, Page2.SecurityLevels[i]);

                    // Put in the helper codegroups if necessary
                    if (Page2.SecurityLevels[i] == PermissionSetType.INTRANET)
                    {
                        if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
                        {
                            CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
                            cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
                            cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                            cg.AddChild(cgChild);
                        }
                        if (!DoesCGHaveCodegroup(cg, typeof(FileCodeGroup)))
                        {
                            CodeGroup cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
                            cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
                            cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                            cg.AddChild(cgChild);
                        }
                    }
                    else if (Page2.SecurityLevels[i] == PermissionSetType.INTERNET)
                    {
                        if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
                        {
                            CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
                            cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
                            cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                            cg.AddChild(cgChild);
                        }
                    }

                    cg.PolicyStatement = ps;
                    // Now let's build the code group description
                    String sPermissionSetDes = "";
                    if (ps.PermissionSet is NamedPermissionSet)
                    {
                        sPermissionSetDes += ((NamedPermissionSet)ps.PermissionSet).Description;
                    }


                    cg.Description = String.Format(CResourceStore.GetString("CSecurityAdjustmentWizard:CodeGroupDescription"),
                                                   cg.PermissionSetName,
                                                   GetCodegroupName(sz[i]),
                                                   sPermissionSetDes);
                    // Now add this child back in
                    cgParent.AddChild(cg);
                }
            }

            // Check to see if this is for the user.
            if (!IsHomeUser)
            {
                // Let's start on our list....
                PolicyLevel plUser = Security.GetPolicyLevelFromLabel("User");
                // Change the root codegroup's permission set to nothing
                CodeGroup       cgRoot = plUser.RootCodeGroup;
                PolicyStatement ps     = cgRoot.PolicyStatement;
                ps.PermissionSet       = plUser.GetNamedPermissionSet("Nothing");
                cgRoot.PolicyStatement = ps;

                // Now copy the entire machine level's policy into a child codegroup
                // of the user policy
                PolicyLevel plMachine = Security.GetPolicyLevelFromLabel("Machine");
                CodeGroup   cgMachine = plMachine.RootCodeGroup.Copy();
                // Change the codegroup's name to something more interesting...
                cgMachine.Name        = "Wizard_Machine_Policy";
                cgMachine.Description = CResourceStore.GetString("CSecurityAdjustmentWizard:CopiedMachinePolicyDes");
                // Now skim through the top level looking for Zone codegroups, set
                // their permission sets to nothing, and delete any child net and file
                // codegroups
                IEnumerator enumCodeGroups = cgMachine.Children.GetEnumerator();
                while (enumCodeGroups.MoveNext())
                {
                    CodeGroup zoneGroup = (CodeGroup)enumCodeGroups.Current;

                    if (zoneGroup.MembershipCondition is ZoneMembershipCondition)
                    {
                        // Ok, we need to change this codegroup
                        cgMachine.RemoveChild(zoneGroup);
                        PolicyStatement zoneps = zoneGroup.PolicyStatement;
                        zoneps.PermissionSet      = plUser.GetNamedPermissionSet("Nothing");
                        zoneGroup.PolicyStatement = zoneps;
                        // Now run through its children looking for a file or net codegroup
                        IEnumerator enumChildCodeGroups = zoneGroup.Children.GetEnumerator();
                        while (enumChildCodeGroups.MoveNext())
                        {
                            CodeGroup zoneChildGroup = (CodeGroup)enumChildCodeGroups.Current;
                            if (zoneChildGroup is NetCodeGroup || zoneChildGroup is FileCodeGroup)
                            {
                                zoneGroup.RemoveChild(zoneChildGroup);
                            }
                        }
                        cgMachine.AddChild(zoneGroup);
                    }
                }

                // Now run through the tree and remove any exclusive code groups
                // We're best to do this recursively....
                if ((cgMachine.PolicyStatement.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive)
                {
                    // Remove the exclusive bit
                    PolicyStatement psMachine = cgMachine.PolicyStatement;
                    psMachine.Attributes      = psMachine.Attributes & ~PolicyStatementAttribute.Exclusive;
                    cgMachine.PolicyStatement = psMachine;
                }
                Security.RemoveExclusiveCodeGroups(cgMachine);


                // Now run through the user policy looking for codegroups named
                // "Wizard_Machine_Policy" and delete those as well.
                enumCodeGroups = cgRoot.Children.GetEnumerator();
                while (enumCodeGroups.MoveNext())
                {
                    CodeGroup group = (CodeGroup)enumCodeGroups.Current;
                    if (group.Name.Equals("Wizard_Machine_Policy"))
                    {
                        cgRoot.RemoveChild(group);
                    }
                }

                // Add finally this to the root codegroup of the user policy

                Security.PrepCodeGroupTree(cgMachine, plMachine, plUser);
                cgRoot.AddChild(cgMachine);
                plUser.RootCodeGroup = cgRoot;
            }

            m_fWizardFinished = true;

            return(0);
        }// WizFinish