public void GetBinaryForm()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.AreEqual(20, csd.BinaryLength);
byte[] binaryForm = new byte[csd.BinaryLength];
csd.GetBinaryForm(binaryForm, 0);
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative,
csd.ControlFlags);
// The default 'Allow Everyone Full Access' serializes as NOT having a
// DiscretionaryAcl, as the above demonstrates (byte 3 is 0 not 4).
Assert.AreEqual(new byte[20] {
1, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
}, binaryForm);
// Changing SystemAcl protection does nothing special.
csd.SetSystemAclProtection(true, true);
Assert.AreEqual(20, csd.BinaryLength);
// Modifying the DiscretionaryAcl (even effective no-ops like this) causes serialization.
csd.SetDiscretionaryAclProtection(false, true);
Assert.AreEqual(48, csd.BinaryLength);
}
public override byte[] GetAllowAllNodeAcl(string repositoryName, Guid domainId, Guid rootMapId)
{
// Return an empty Windows node ACL.
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return(itemAcl);
}
public void GetSddlFormAefaRemovesDacl()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.AreEqual(1, csd.DiscretionaryAcl.Count);
Assert.AreEqual("", csd.GetSddlForm(AccessControlSections.Access));
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative,
csd.ControlFlags);
Assert.AreSame(csd.DiscretionaryAcl, csd.DiscretionaryAcl);
Assert.AreNotSame(csd.DiscretionaryAcl[0], csd.DiscretionaryAcl[0]);
Assert.AreEqual("", csd.GetSddlForm(AccessControlSections.Access));
csd.SetDiscretionaryAclProtection(false, true);
Assert.AreEqual("D:(A;;0xffffffff;;;WD)", csd.GetSddlForm(AccessControlSections.Access));
Assert.AreSame(csd.DiscretionaryAcl, csd.DiscretionaryAcl);
Assert.AreNotSame(csd.DiscretionaryAcl[0], csd.DiscretionaryAcl[0]);
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative,
csd.ControlFlags);
csd.SetDiscretionaryAclProtection(true, true);
Assert.AreEqual(1, csd.DiscretionaryAcl.Count);
Assert.AreEqual("D:P(A;;0xffffffff;;;WD)", csd.GetSddlForm(AccessControlSections.Access));
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.DiscretionaryAclProtected
| ControlFlags.SelfRelative,
csd.ControlFlags);
csd.SetDiscretionaryAclProtection(false, false);
Assert.AreEqual(1, csd.DiscretionaryAcl.Count);
Assert.AreEqual("D:(A;;0xffffffff;;;WD)", csd.GetSddlForm(AccessControlSections.Access));
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative,
csd.ControlFlags);
}
public void AefaModifiedFlagIsStoredOnDiscretionaryAcl()
{
CommonSecurityDescriptor csd1, csd2;
// Incidentally this shows the DiscretionaryAcl is NOT cloned.
csd1 = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, null);
csd2 = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, csd1.DiscretionaryAcl);
Assert.AreSame(csd1.DiscretionaryAcl, csd2.DiscretionaryAcl);
Assert.AreEqual("", csd1.GetSddlForm(AccessControlSections.Access));
csd2.SetDiscretionaryAclProtection(false, true);
Assert.AreEqual("D:(A;;0xffffffff;;;WD)", csd1.GetSddlForm(AccessControlSections.Access));
Assert.AreEqual("D:(A;;0xffffffff;;;WD)", csd2.GetSddlForm(AccessControlSections.Access));
}
public static void TestSetDiscretionaryAclProtection(bool isContainer, bool isDS, string sddl, bool isProtected, bool preserveInheritance, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
commonSecurityDescriptor.SetDiscretionaryAclProtection(isProtected, preserveInheritance);
resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
if (!isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == 0)
{
Assert.False(resultSddl != verifierSddl);
}
else if (isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != 0)
{
Assert.False(resultSddl != verifierSddl);
}
}
public static void TestSetDiscretionaryAclProtection(bool isContainer, bool isDS, string sddl, bool isProtected, bool preserveInheritance, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
commonSecurityDescriptor.SetDiscretionaryAclProtection(isProtected, preserveInheritance);
resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
if (!isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == 0)
{
Assert.False(resultSddl != verifierSddl);
}
else if (isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) != 0)
{
Assert.False(resultSddl != verifierSddl);
}
}
protected byte[] GetNodeAclWorker(string mapDatabaseName, string repositoryName, Guid domainId, Guid rootMapId, bool isCacheEnabled)
{
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
// Deny access to all users.
SecurityIdentifier everyoneSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
securityDescriptor.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, everyoneSid, unchecked ((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
// Grant access to specified users.
securityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, farmAccountSid, unchecked ((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
List <SpUserDetail> allowedUsers = GetAllowedUsers(mapDatabaseName, repositoryName, domainId, rootMapId);
List <string> addedSids = new List <string>();
foreach (SpUserDetail user in allowedUsers)
{
SecurityIdentifier userSid = null;
if (!string.IsNullOrEmpty(user.Sid))
{
userSid = new SecurityIdentifier(user.Sid);
}
else
{
userSid = GetSidFromClaim(user.LoginName);
}
if (userSid != null && !addedSids.Contains(userSid.Value))
{
securityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, userSid, unchecked ((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
addedSids.Add(userSid.Value);
}
}
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return(itemAcl);
}
public void ProtectionChangesFlags()
{
SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
CommonSecurityDescriptor csd;
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, null, null);
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
csd.SetDiscretionaryAclProtection(true, false);
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.DiscretionaryAclProtected
| ControlFlags.SelfRelative, csd.ControlFlags);
csd.SetSystemAclProtection(true, false); // despite not being *present*
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.DiscretionaryAclProtected
| ControlFlags.SystemAclProtected
| ControlFlags.SelfRelative, csd.ControlFlags);
}
