private void CheckBinaryConstructor(string expectedSddl, byte[] binary)
{
RawSecurityDescriptor sd = new RawSecurityDescriptor(binary, 0);
Assert.AreEqual(sd.BinaryLength, binary.Length);
Assert.AreEqual(expectedSddl, sd.GetSddlForm(AccessControlSections.All));
}
public void Dump(TextWriter writer, string indent)
{
writer.WriteLine(indent + "SECURITY DESCRIPTORS");
using (Stream s = _file.OpenStream(AttributeType.Data, "$SDS", FileAccess.Read))
{
byte[] buffer = Utilities.ReadFully(s, (int)s.Length);
foreach (KeyValuePair <IdIndexKey, IdIndexData> entry in _idIndex.Entries)
{
int pos = (int)entry.Value.SdsOffset;
SecurityDescriptorRecord rec = new SecurityDescriptorRecord();
if (!rec.Read(buffer, pos))
{
break;
}
string secDescStr = "--unknown--";
if (rec.SecurityDescriptor[0] != 0)
{
RawSecurityDescriptor sd = new RawSecurityDescriptor(rec.SecurityDescriptor, 0);
secDescStr = sd.GetSddlForm(AccessControlSections.All);
}
writer.WriteLine(indent + " SECURITY DESCRIPTOR RECORD");
writer.WriteLine(indent + " Hash: " + rec.Hash);
writer.WriteLine(indent + " Id: " + rec.Id);
writer.WriteLine(indent + " File Offset: " + rec.OffsetInFile);
writer.WriteLine(indent + " Size: " + rec.EntrySize);
writer.WriteLine(indent + " Value: " + secDescStr);
}
}
}
public static FreeBusyPermissionLevel DetermineAllowedAccess(ClientContext clientContext, MailboxSession session, CalendarFolder calendarFolder, FreeBusyQuery freeBusyQuery, bool defaultFreeBusyOnly)
{
RawSecurityDescriptor rawSecurityDescriptor = calendarFolder.TryGetProperty(CalendarFolderSchema.FreeBusySecurityDescriptor) as RawSecurityDescriptor;
if (rawSecurityDescriptor == null)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, CalendarFolder>(0L, "{0}: Unable to retrieve FreeBusySecurityDescriptor from folder {1}. Using None as permission level.", TraceContext.Get(), calendarFolder);
return(FreeBusyPermissionLevel.None);
}
if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace))
{
string sddlForm = rawSecurityDescriptor.GetSddlForm(AccessControlSections.All);
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of calendar folder security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm);
}
if (defaultFreeBusyOnly)
{
FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Using DefaultClientSecurityContext because of defaultFreeBusyOnly is set.", new object[]
{
TraceContext.Get()
});
return(FreeBusyPermission.AccessCheck(rawSecurityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext));
}
InternalClientContext internalClientContext = clientContext as InternalClientContext;
if (internalClientContext != null)
{
return(FreeBusyPermission.FromInternalClient(internalClientContext, rawSecurityDescriptor, freeBusyQuery));
}
ExternalClientContext externalClientContext = clientContext as ExternalClientContext;
return(FreeBusyPermission.FromExternalClient(externalClientContext, session, rawSecurityDescriptor, freeBusyQuery));
}
private void CheckRoundTrip(string sddl)
{
RawSecurityDescriptor sd = new RawSecurityDescriptor(sddl);
byte[] buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm(buffer, 0);
sd = new RawSecurityDescriptor(buffer, 0);
Assert.AreEqual(sddl, sd.GetSddlForm(AccessControlSections.All));
}
public void AclInheritance()
{
NtfsFileSystem ntfs = FileSystemSource.NtfsFileSystem();
RawSecurityDescriptor sd = new RawSecurityDescriptor("O:BAG:BAD:(A;OICINP;GA;;;BA)");
ntfs.CreateDirectory("dir");
ntfs.SetSecurity("dir", sd);
ntfs.CreateDirectory(@"dir\subdir");
RawSecurityDescriptor inheritedSd = ntfs.GetSecurity(@"dir\subdir");
Assert.NotNull(inheritedSd);
Assert.Equal("O:BAG:BAD:(A;ID;GA;;;BA)", inheritedSd.GetSddlForm(AccessControlSections.All));
using (ntfs.OpenFile(@"dir\subdir\file", FileMode.Create, FileAccess.ReadWrite)) { }
inheritedSd = ntfs.GetSecurity(@"dir\subdir\file");
Assert.NotNull(inheritedSd);
Assert.Equal("O:BAG:BAD:", inheritedSd.GetSddlForm(AccessControlSections.All));
}
/// <summary>
/// Parse an ldap object from byte array to string
/// </summary>
/// <param name="ldapSyntax">The ldap syntax.</param>
/// <param name="buffer">The byte array object.</param>
/// <returns>Result in string format.</returns>
/// <exception cref="System.NotSupportedException">Thrown when the ldapSyntax is not supported.</exception>
public static string Parse(AdtsLdapSyntax ldapSyntax, byte[] buffer)
{
string result;
switch (ldapSyntax)
{
case AdtsLdapSyntax.Boolean:
case AdtsLdapSyntax.Enumeration:
case AdtsLdapSyntax.Integer:
case AdtsLdapSyntax.LargeInteger:
case AdtsLdapSyntax.ObjectForAccessPoint:
case AdtsLdapSyntax.ObjectForDNString:
case AdtsLdapSyntax.ObjectForORName:
case AdtsLdapSyntax.ObjectForDNBinary:
case AdtsLdapSyntax.ObjectForDSDN:
case AdtsLdapSyntax.ObjectForPresentationAddress:
case AdtsLdapSyntax.StringForCase:
case AdtsLdapSyntax.StringForIA5:
case AdtsLdapSyntax.StringForObjectIdentifier:
case AdtsLdapSyntax.StringForPrintable:
case AdtsLdapSyntax.ObjectForReplicaLink:
case AdtsLdapSyntax.StringForOctet:
case AdtsLdapSyntax.StringForNumeric:
case AdtsLdapSyntax.StringForTeletex:
case AdtsLdapSyntax.StringForUnicode:
case AdtsLdapSyntax.StringForUTCTime:
case AdtsLdapSyntax.StringForGeneralizedTime:
result = Encoding.UTF8.GetString(buffer);
break;
case AdtsLdapSyntax.StringForNTSecDesc:
RawSecurityDescriptor ntSecurityDescriptor = new RawSecurityDescriptor(buffer, 0);
result = ntSecurityDescriptor.GetSddlForm(AccessControlSections.All);
break;
case AdtsLdapSyntax.StringForSid:
_SID sid = TypeMarshal.ToStruct <_SID>(buffer);
result = DtypUtility.ToSddlString(sid);
break;
default:
throw new NotSupportedException("The specified syntax is not supported.");
}
return(result);
}
private static void CanonicalizeAcl(ActiveDirectorySecurity ads)
{
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
foreach (object obj in ads.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
ActiveDirectoryAccessRule rule = (ActiveDirectoryAccessRule)obj;
activeDirectorySecurity.AddAccessRule(rule);
}
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
RawSecurityDescriptor rawSecurityDescriptor2 = new RawSecurityDescriptor(ads.GetSecurityDescriptorSddlForm(AccessControlSections.Access))
{
DiscretionaryAcl = rawSecurityDescriptor.DiscretionaryAcl
};
ads.SetSecurityDescriptorSddlForm(rawSecurityDescriptor2.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
}
private static bool CallerHasFullPermission(ClientSecurityContext clientSecurityContext, FreeBusyQuery freeBusyQuery)
{
SecurityIdentifier sid = freeBusyQuery.RecipientData.Sid;
SecurityIdentifier masterAccountSid = freeBusyQuery.RecipientData.MasterAccountSid;
bool flag = (sid != null && sid.Equals(clientSecurityContext.UserSid)) || (masterAccountSid != null && masterAccountSid.Equals(clientSecurityContext.UserSid));
if (flag)
{
FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Caller {1} is owner of mailbox {2}, mailbox user SID {3}, master account SID {4}.", new object[]
{
TraceContext.Get(),
clientSecurityContext,
freeBusyQuery.Email,
sid,
masterAccountSid
});
return(true);
}
RawSecurityDescriptor exchangeSecurityDescriptor = freeBusyQuery.RecipientData.ExchangeSecurityDescriptor;
if (exchangeSecurityDescriptor != null)
{
if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace))
{
string sddlForm = exchangeSecurityDescriptor.GetSddlForm(AccessControlSections.All);
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of mailbox security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm);
}
if (clientSecurityContext.GetGrantedAccess(exchangeSecurityDescriptor, AccessMask.CreateChild) == 1 || clientSecurityContext.GetGrantedAccess(exchangeSecurityDescriptor, AccessMask.List) == 4)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: Caller does have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email);
return(true);
}
}
else
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: User does not have an ExchangeSecurityDescriptor.", TraceContext.Get(), freeBusyQuery.Email);
}
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: Caller does NOT have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email);
return(false);
}
public void GetSddlForm()
{
RawSecurityDescriptor sd = new RawSecurityDescriptor("");
Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.All));
// Ask for part of SD that isn't represented
sd.Owner = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
sd.Group = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
Assert.AreEqual("", sd.GetSddlForm(AccessControlSections.Access));
// Empty ACL form
sd.DiscretionaryAcl = new RawAcl(2, 0);
sd.SystemAcl = new RawAcl(1, 0);
sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);
Assert.AreEqual("O:BUG:BAD:S:", sd.GetSddlForm(AccessControlSections.All));
// Add an ACE to the DACL
SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
sd.DiscretionaryAcl.InsertAce(0, ace);
Assert.AreEqual("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", sd.GetSddlForm(AccessControlSections.All));
// Add second ACE to the DACL
SecurityIdentifier randomUser = new SecurityIdentifier("S-1-5-21-324-23423-234-334");
ace = new CommonAce(AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null);
sd.DiscretionaryAcl.InsertAce(0, ace);
Assert.AreEqual("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", sd.GetSddlForm(AccessControlSections.Owner | AccessControlSections.Access));
// DACL & SACL flags
sd.SetFlags(sd.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited);
sd.DiscretionaryAcl = new RawAcl(1, 0);
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
sd.DiscretionaryAcl.InsertAce(0, ace);
Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All));
sd.SetFlags(sd.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted);
Assert.AreEqual("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm(AccessControlSections.All));
}
public void Dump(TextWriter writer, string indent)
{
writer.WriteLine(indent + "Descriptor: " + _securityDescriptor.GetSddlForm(AccessControlSections.All));
}
/// <summary>
/// Canonicalize the Dacl
/// </summary>
/// <param name="objectSecurity"></param>
public static void CanonicalizeDacl(NativeObjectSecurity objectSecurity)
{
if (objectSecurity.AreAccessRulesCanonical)
{
return;
}
// A canonical ACL must have ACES sorted according to the following order:
// 1. Access-denied on the object
// 2. Access-denied on a child or property
// 3. Access-allowed on the object
// 4. Access-allowed on a child or property
// 5. All inherited ACEs
RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
var explicitDenyDacl = new List <CommonAce>();
var explicitDenyObjectDacl = new List <CommonAce>();
var inheritedDacl = new List <CommonAce>();
var explicitAllowDacl = new List <CommonAce>();
var explicitAllowObjectDacl = new List <CommonAce>();
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited)
{
inheritedDacl.Add(ace);
}
else
{
switch (ace.AceType)
{
case AceType.AccessAllowed:
explicitAllowDacl.Add(ace);
break;
case AceType.AccessDenied:
explicitDenyDacl.Add(ace);
break;
case AceType.AccessAllowedObject:
explicitAllowObjectDacl.Add(ace);
break;
case AceType.AccessDeniedObject:
explicitDenyObjectDacl.Add(ace);
break;
}
}
}
int aceIndex = 0;
var newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count);
explicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
explicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
explicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
explicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
if (aceIndex != descriptor.DiscretionaryAcl.Count)
{
throw new InvalidOperationException("The Dacl cannot be canonicalized since it would potentially result in a loss of information");
}
descriptor.DiscretionaryAcl = newDacl;
objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
}
public override PropertyConstraintViolationError Validate(object value, PropertyDefinition propertyDefinition, IPropertyBag propertyBag)
{
RawSecurityDescriptor rawSecurityDescriptor = (RawSecurityDescriptor)value;
if (rawSecurityDescriptor == null)
{
return(null);
}
foreach (GenericAce genericAce in rawSecurityDescriptor.DiscretionaryAcl)
{
if ((byte)(genericAce.AceFlags & AceFlags.Inherited) == 16)
{
return(new PropertyConstraintViolationError(DataStrings.ConstraintViolationSecurityDescriptorContainsInheritedACEs(rawSecurityDescriptor.GetSddlForm(AccessControlSections.All)), propertyDefinition, value, this));
}
}
return(null);
}
private static List <AclTableEntry> BuildAclTableFromSecurityDescriptor(RawSecurityDescriptor securityDescriptor, RawSecurityDescriptor freeBusySecurityDescriptor, LazilyInitialized <ExternalUserCollection> lazilyInitializedExternalUserCollection, IRecipientSession recipientSession, AclTableIdMap aclTableIdMap, out bool isCanonical, out string canonicalErrorInformation)
{
FolderSecurity.AnnotatedAceList annotatedAceList = new FolderSecurity.AnnotatedAceList(securityDescriptor, freeBusySecurityDescriptor, (SecurityIdentifier securityIdentifier) => AclModifyTable.GetSecurityIdentifierType(recipientSession, securityIdentifier));
isCanonical = annotatedAceList.IsCanonical(out canonicalErrorInformation);
IList <FolderSecurity.SecurityIdentifierAndFolderRights> list;
if (isCanonical)
{
list = annotatedAceList.GetSecurityIdentifierAndRightsList();
}
else
{
ExTraceGlobals.StorageTracer.TraceWarning <string, string>(0L, "Got non canonical SD: {0}, ErrorInfo: ", securityDescriptor.GetSddlForm(AccessControlSections.All), canonicalErrorInformation);
list = Array <FolderSecurity.SecurityIdentifierAndFolderRights> .Empty;
}
List <AclTableEntry> list2 = new List <AclTableEntry>(list.Count + 1);
foreach (FolderSecurity.SecurityIdentifierAndFolderRights securityIdentifierAndFolderRights in list)
{
MemberRights memberRights = (MemberRights)(securityIdentifierAndFolderRights.AllowRights & ~(MemberRights)securityIdentifierAndFolderRights.DenyRights);
bool flag = false;
bool flag2 = false;
byte[] entryId;
string text;
List <SecurityIdentifier> list3;
SecurityIdentifier securityIdentifier;
if (securityIdentifierAndFolderRights.SecurityIdentifier.IsWellKnown(WellKnownSidType.WorldSid))
{
entryId = Array <byte> .Empty;
text = string.Empty;
string legacyDN = string.Empty;
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
flag2 = true;
}
else if (securityIdentifierAndFolderRights.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
{
entryId = Array <byte> .Empty;
text = "Anonymous";
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
}
else if (ExternalUser.IsExternalUserSid(securityIdentifierAndFolderRights.SecurityIdentifier))
{
ExternalUser externalUser = AclHelper.TryGetExternalUser(securityIdentifierAndFolderRights.SecurityIdentifier, lazilyInitializedExternalUserCollection);
if (externalUser == null)
{
ExTraceGlobals.StorageTracer.TraceWarning <SecurityIdentifier>(0L, "Cannot find external user with SID {0}, build entry from information we have", securityIdentifierAndFolderRights.SecurityIdentifier);
string text2 = AclHelper.CreateLocalUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier);
text = text2;
}
else
{
text = externalUser.Name;
string legacyDN = externalUser.LegacyDn;
}
entryId = AddressBookEntryId.MakeAddressBookEntryIDFromLocalDirectorySid(securityIdentifierAndFolderRights.SecurityIdentifier);
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
}
else
{
MiniRecipient miniRecipient = recipientSession.FindMiniRecipientBySid <MiniRecipient>(securityIdentifierAndFolderRights.SecurityIdentifier, Array <PropertyDefinition> .Empty);
string legacyDN;
if (miniRecipient == null)
{
ExTraceGlobals.StorageTracer.TraceWarning <SecurityIdentifier>(0L, "Cannot find recipient with SID {0}, build entry from the information we have", securityIdentifierAndFolderRights.SecurityIdentifier);
flag = (securityIdentifierAndFolderRights.SecurityIdentifierType == FolderSecurity.SecurityIdentifierType.Group);
string text3 = AclHelper.CreateNTUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier);
text = text3;
legacyDN = text3;
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
}
else
{
flag = AclHelper.IsGroupRecipientType(miniRecipient.RecipientType);
if (string.IsNullOrEmpty(miniRecipient.DisplayName))
{
text = AclHelper.CreateNTUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier);
}
else
{
text = miniRecipient.DisplayName;
}
if (string.IsNullOrEmpty(miniRecipient.LegacyExchangeDN))
{
legacyDN = text;
}
else
{
legacyDN = miniRecipient.LegacyExchangeDN;
}
SecurityIdentifier masterAccountSid = miniRecipient.MasterAccountSid;
if (masterAccountSid != null && !masterAccountSid.IsWellKnown(WellKnownSidType.SelfSid))
{
securityIdentifier = masterAccountSid;
list3 = null;
}
else
{
securityIdentifier = miniRecipient.Sid;
MultiValuedProperty <SecurityIdentifier> sidHistory = miniRecipient.SidHistory;
if (sidHistory != null && sidHistory.Count != 0)
{
list3 = new List <SecurityIdentifier>(sidHistory);
}
else
{
list3 = null;
}
}
}
entryId = AddressBookEntryId.MakeAddressBookEntryID(legacyDN, flag);
}
AclTableEntry aclTableEntry = list2.Find((AclTableEntry entry) => entry.SecurityIdentifier == securityIdentifier);
if (aclTableEntry == null && list3 != null)
{
using (List <SecurityIdentifier> .Enumerator enumerator2 = list3.GetEnumerator())
{
while (enumerator2.MoveNext())
{
SecurityIdentifier sid = enumerator2.Current;
aclTableEntry = list2.Find((AclTableEntry entry) => entry.SecurityIdentifier == sid);
if (aclTableEntry != null)
{
break;
}
}
}
}
if (aclTableEntry == null)
{
aclTableEntry = new AclTableEntry(AclModifyTable.GetIdForSecurityIdentifier(securityIdentifier, list3, aclTableIdMap), entryId, text, memberRights);
aclTableEntry.SetSecurityIdentifier(securityIdentifier, flag);
if (flag2)
{
list2.Insert(0, aclTableEntry);
}
else
{
list2.Add(aclTableEntry);
}
}
else
{
aclTableEntry.MemberRights &= memberRights;
if (aclTableEntry.IsGroup != flag)
{
throw new NonCanonicalACLException(annotatedAceList.CreateErrorInformation((LID)35788U, new int[0]));
}
aclTableEntry.SetSecurityIdentifier(securityIdentifier, flag);
}
}
return(list2);
}
