public void GetBinaryForm ()
{
SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
byte[] buffer = new byte[ace.BinaryLength];
ace.GetBinaryForm (buffer, 0);
byte[] aceBinary = new byte[] {
0x00, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02,
0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00,
0x20, 0x02, 0x00, 0x00 };
Assert.AreEqual (aceBinary, buffer);
}
internal void AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
{
GenericAce ace;
if (sid == null)
{
throw new ArgumentNullException("sid");
}
this.ThrowIfNotCanonical();
bool flag = false;
if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
{
throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
}
if (accessMask == 0)
{
throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
}
if (!this.IsDS || (objectFlags == ObjectAceFlags.None))
{
ace = new CommonAce(flags, qualifier, accessMask, sid, false, null);
}
else
{
ace = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null);
}
if (this.InspectAce(ref ace, this is DiscretionaryAcl))
{
for (int i = 0; i < this.Count; i++)
{
QualifiedAce ace2 = this._acl[i] as QualifiedAce;
if ((ace2 != null) && this.MergeAces(ref ace2, ace as QualifiedAce))
{
flag = true;
break;
}
}
if (!flag)
{
this._acl.InsertAce(this._acl.Count, ace);
this._isDirty = true;
}
this.OnAclModificationTried();
}
}
private void BuildSecurityDescriptor()
{
NTAccount account;
SecurityIdentifier identifier;
CommonAce ace;
RawAcl rawAcl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (this.operationRoleMembers != null)
{
foreach (string str in this.operationRoleMembers)
{
account = new NTAccount(str);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.contractRoleMembers != null)
{
foreach (string str2 in this.contractRoleMembers)
{
account = new NTAccount(str2);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.serviceRoleMembers != null)
{
foreach (string str3 in this.serviceRoleMembers)
{
account = new NTAccount(str3);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl);
}
// Token: 0x06001FE4 RID: 8164 RVA: 0x0006F1AC File Offset: 0x0006D3AC
private bool AceNeedsTranslation(CommonAce ace, bool isAccessAce, bool includeExplicit, bool includeInherited)
{
if (ace == null)
{
return(false);
}
if (isAccessAce)
{
if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied)
{
return(false);
}
}
else if (ace.AceQualifier != AceQualifier.SystemAudit)
{
return(false);
}
return((includeExplicit && (ace.AceFlags & AceFlags.Inherited) == AceFlags.None) || (includeInherited && (ace.AceFlags & AceFlags.Inherited) != AceFlags.None));
}
public void IndexerMakesCopies ()
{
// This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload.
// Turns out it applies to more than just the constructor.
SecurityIdentifier worldSid = new SecurityIdentifier ("WD");
// RawAcl does not make copies.
RawAcl acl = new RawAcl (RawAcl.AclRevision, 1);
CommonAce ace = new CommonAce (AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null);
acl.InsertAce (0, ace);
Assert.AreSame (acl [0], acl [0]);
// CommonAcl does.
SystemAcl sacl = new SystemAcl (false, false, acl);
Assert.AreNotSame (sacl [0], sacl [0]);
// Make sure the copying occurs in the constructor as well as the indexer.
ace.AceFlags = AceFlags.FailedAccess;
Assert.AreEqual (AceFlags.SuccessfulAccess, sacl [0].AceFlags);
}
private bool AceNeedsTranslation(CommonAce ace, bool isAccessAce, bool includeExplicit, bool includeInherited)
{
if (ace == null)
{
return false;
}
if (isAccessAce)
{
if ((ace.AceQualifier != AceQualifier.AccessAllowed) && (ace.AceQualifier != AceQualifier.AccessDenied))
{
return false;
}
}
else if (ace.AceQualifier != AceQualifier.SystemAudit)
{
return false;
}
if ((!includeExplicit || (((byte) (ace.AceFlags & AceFlags.Inherited)) != 0)) && (!includeInherited || (((byte) (ace.AceFlags & AceFlags.Inherited)) == 0)))
{
return false;
}
return true;
}
private bool AceNeedsTranslation(CommonAce ace, bool isAccessAce, bool includeExplicit, bool includeInherited)
{
if (ace == null)
{
return(false);
}
if (isAccessAce)
{
if ((ace.AceQualifier != AceQualifier.AccessAllowed) && (ace.AceQualifier != AceQualifier.AccessDenied))
{
return(false);
}
}
else if (ace.AceQualifier != AceQualifier.SystemAudit)
{
return(false);
}
if ((!includeExplicit || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) && (!includeInherited || (((byte)(ace.AceFlags & AceFlags.Inherited)) == 0)))
{
return(false);
}
return(true);
}
private bool AceNeedsTranslation(CommonAce ace, bool isAccessAce, bool includeExplicit, bool includeInherited)
{
if (ace == null)
{
//
// Only consider common ACEs
//
return(false);
}
if (isAccessAce)
{
if (ace.AceQualifier != AceQualifier.AccessAllowed &&
ace.AceQualifier != AceQualifier.AccessDenied)
{
return(false);
}
}
else
{
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
return(false);
}
}
if ((includeExplicit &&
((ace.AceFlags & AceFlags.Inherited) == 0)) ||
(includeInherited &&
((ace.AceFlags & AceFlags.Inherited) != 0)))
{
return(true);
}
return(false);
}
public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
{
GenericAce ace;
VerifyHeader(binaryForm, offset);
System.Security.AccessControl.AceType type = (System.Security.AccessControl.AceType)binaryForm[offset];
switch (type)
{
case System.Security.AccessControl.AceType.AccessAllowed:
case System.Security.AccessControl.AceType.AccessDenied:
case System.Security.AccessControl.AceType.SystemAudit:
case System.Security.AccessControl.AceType.SystemAlarm:
case System.Security.AccessControl.AceType.AccessAllowedCallback:
case System.Security.AccessControl.AceType.AccessDeniedCallback:
case System.Security.AccessControl.AceType.SystemAuditCallback:
case System.Security.AccessControl.AceType.SystemAlarmCallback:
{
AceQualifier qualifier;
int num;
SecurityIdentifier identifier;
bool flag;
byte[] buffer;
if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out num, out identifier, out flag, out buffer))
{
goto Label_01A8;
}
System.Security.AccessControl.AceFlags flags = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
ace = new CommonAce(flags, qualifier, num, identifier, flag, buffer);
break;
}
case System.Security.AccessControl.AceType.AccessAllowedObject:
case System.Security.AccessControl.AceType.AccessDeniedObject:
case System.Security.AccessControl.AceType.SystemAuditObject:
case System.Security.AccessControl.AceType.SystemAlarmObject:
case System.Security.AccessControl.AceType.AccessAllowedCallbackObject:
case System.Security.AccessControl.AceType.AccessDeniedCallbackObject:
case System.Security.AccessControl.AceType.SystemAuditCallbackObject:
case System.Security.AccessControl.AceType.SystemAlarmCallbackObject:
{
AceQualifier qualifier2;
int num2;
SecurityIdentifier identifier2;
ObjectAceFlags flags2;
Guid guid;
Guid guid2;
bool flag2;
byte[] buffer2;
if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out num2, out identifier2, out flags2, out guid, out guid2, out flag2, out buffer2))
{
goto Label_01A8;
}
System.Security.AccessControl.AceFlags aceFlags = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
ace = new ObjectAce(aceFlags, qualifier2, num2, identifier2, flags2, guid, guid2, flag2, buffer2);
break;
}
case System.Security.AccessControl.AceType.AccessAllowedCompound:
{
int num3;
CompoundAceType type2;
SecurityIdentifier identifier3;
if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out num3, out type2, out identifier3))
{
goto Label_01A8;
}
System.Security.AccessControl.AceFlags flags4 = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
ace = new CompoundAce(flags4, num3, type2, identifier3);
break;
}
default:
{
System.Security.AccessControl.AceFlags flags5 = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
byte[] opaque = null;
int num4 = binaryForm[offset + 2] + (binaryForm[offset + 3] << 8);
if ((num4 % 4) != 0)
{
goto Label_01A8;
}
int num5 = num4 - 4;
if (num5 > 0)
{
opaque = new byte[num5];
for (int i = 0; i < num5; i++)
{
opaque[i] = binaryForm[((offset + num4) - num5) + i];
}
}
ace = new CustomAce(type, flags5, opaque);
break;
}
}
if (((ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) && ((!(ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) || (((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) - 0x20) == ace.BinaryLength)))
{
return(ace);
}
Label_01A8:
throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
}
private bool AceNeedsTranslation(CommonAce ace, bool isAccessAce, bool includeExplicit, bool includeInherited)
{
if ( ace == null )
{
//
// Only consider common ACEs
//
return false;
}
if ( isAccessAce )
{
if ( ace.AceQualifier != AceQualifier.AccessAllowed &&
ace.AceQualifier != AceQualifier.AccessDenied )
{
return false;
}
}
else
{
if ( ace.AceQualifier != AceQualifier.SystemAudit )
{
return false;
}
}
if (( includeExplicit &&
(( ace.AceFlags & AceFlags.Inherited ) == 0 )) ||
( includeInherited &&
(( ace.AceFlags & AceFlags.Inherited ) != 0 )))
{
return true;
}
return false;
}
/// <summary>从指定的二进制数据创建一个 <see cref="T:System.Security.AccessControl.GenericAce" /> 对象。</summary>
/// <returns>此方法创建的 <see cref="T:System.Security.AccessControl.GenericAce" /> 对象。</returns>
/// <param name="binaryForm">用于创建新 <see cref="T:System.Security.AccessControl.GenericAce" /> 对象的二进制数据。</param>
/// <param name="offset">开始取消封送的偏移量。</param>
public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
{
GenericAce.VerifyHeader(binaryForm, offset);
AceType type = (AceType)binaryForm[offset];
GenericAce genericAce;
switch (type)
{
case AceType.AccessAllowed:
case AceType.AccessDenied:
case AceType.SystemAudit:
case AceType.SystemAlarm:
case AceType.AccessAllowedCallback:
case AceType.AccessDeniedCallback:
case AceType.SystemAuditCallback:
case AceType.SystemAlarmCallback:
AceQualifier qualifier1;
int accessMask1;
SecurityIdentifier sid1;
bool isCallback1;
byte[] opaque1;
if (CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier1, out accessMask1, out sid1, out isCallback1, out opaque1))
{
genericAce = (GenericAce) new CommonAce((AceFlags)binaryForm[offset + 1], qualifier1, accessMask1, sid1, isCallback1, opaque1);
break;
}
goto label_15;
case AceType.AccessAllowedObject:
case AceType.AccessDeniedObject:
case AceType.SystemAuditObject:
case AceType.SystemAlarmObject:
case AceType.AccessAllowedCallbackObject:
case AceType.AccessDeniedCallbackObject:
case AceType.SystemAuditCallbackObject:
case AceType.SystemAlarmCallbackObject:
AceQualifier qualifier2;
int accessMask2;
SecurityIdentifier sid2;
ObjectAceFlags objectFlags;
Guid objectAceType;
Guid inheritedObjectAceType;
bool isCallback2;
byte[] opaque2;
if (ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out accessMask2, out sid2, out objectFlags, out objectAceType, out inheritedObjectAceType, out isCallback2, out opaque2))
{
genericAce = (GenericAce) new ObjectAce((AceFlags)binaryForm[offset + 1], qualifier2, accessMask2, sid2, objectFlags, objectAceType, inheritedObjectAceType, isCallback2, opaque2);
break;
}
goto label_15;
case AceType.AccessAllowedCompound:
int accessMask3;
CompoundAceType compoundAceType;
SecurityIdentifier sid3;
if (CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask3, out compoundAceType, out sid3))
{
genericAce = (GenericAce) new CompoundAce((AceFlags)binaryForm[offset + 1], accessMask3, compoundAceType, sid3);
break;
}
goto label_15;
default:
AceFlags flags = (AceFlags)binaryForm[offset + 1];
byte[] opaque3 = (byte[])null;
int num = (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8);
if (num % 4 == 0)
{
int length = num - 4;
if (length > 0)
{
opaque3 = new byte[length];
for (int index = 0; index < length; ++index)
{
opaque3[index] = binaryForm[offset + num - length + index];
}
}
genericAce = (GenericAce) new CustomAce(type, flags, opaque3);
break;
}
goto label_15;
}
if ((genericAce is ObjectAce || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength) && (!(genericAce is ObjectAce) || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) - 32 == genericAce.BinaryLength))
{
return(genericAce);
}
label_15:
throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
}
internal bool RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
{
if (accessMask == 0)
{
throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
}
if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
{
throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
}
if (sid == null)
{
throw new ArgumentNullException("sid");
}
this.ThrowIfNotCanonical();
bool flag = true;
bool flag2 = true;
int num = accessMask;
AceFlags flags2 = flags;
byte[] binaryForm = new byte[this.BinaryLength];
this.GetBinaryForm(binaryForm, 0);
Label_0075:
try
{
for (int i = 0; i < this.Count; i++)
{
QualifiedAce ace = this._acl[i] as QualifiedAce;
if (((ace == null) || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid)))
{
continue;
}
if (this.IsDS)
{
accessMask = num;
bool flag3 = !this.GetAccessMaskForRemoval(ace, objectFlags, objectType, ref accessMask);
if ((ace.AccessMask & accessMask) == 0)
{
continue;
}
flags = flags2;
bool flag4 = !this.GetInheritanceFlagsForRemoval(ace, objectFlags, inheritedObjectType, ref flags);
if (((((((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0) && (((byte)(flags & AceFlags.ContainerInherit)) != 0)) && (((byte)(flags & AceFlags.InheritOnly)) != 0)) || (((((byte)(flags & AceFlags.ContainerInherit)) == 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) != 0)) && (((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0))) || (((((byte)(flags2 & AceFlags.ContainerInherit)) != 0) && (((byte)(flags2 & AceFlags.InheritOnly)) != 0)) && (((byte)(flags & AceFlags.ContainerInherit)) == 0)))
{
continue;
}
if (!flag3 && !flag4)
{
goto Label_0184;
}
flag2 = false;
goto Label_0483;
}
if ((ace.AccessMask & accessMask) == 0)
{
continue;
}
Label_0184:
if (!saclSemantics || (((byte)(((byte)(ace.AceFlags & flags)) & 0xc0)) != 0))
{
AceFlags none = AceFlags.None;
int num3 = 0;
ObjectAceFlags flags4 = ObjectAceFlags.None;
Guid empty = Guid.Empty;
Guid guid2 = Guid.Empty;
AceFlags aceFlags = AceFlags.None;
int num4 = 0;
ObjectAceFlags flags6 = ObjectAceFlags.None;
Guid guid3 = Guid.Empty;
Guid guid4 = Guid.Empty;
AceFlags existing = AceFlags.None;
int num5 = 0;
ObjectAceFlags flags8 = ObjectAceFlags.None;
Guid guid5 = Guid.Empty;
Guid guid6 = Guid.Empty;
AceFlags result = AceFlags.None;
bool total = false;
none = ace.AceFlags;
num3 = ace.AccessMask & ~accessMask;
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num3, none, out flags4, out empty, out guid2);
}
if (saclSemantics)
{
aceFlags = (AceFlags)((byte)(ace.AceFlags & ~((byte)(flags & AceFlags.AuditFlags))));
num4 = ace.AccessMask & accessMask;
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num4, aceFlags, out flags6, out guid3, out guid4);
}
}
existing = (AceFlags)((byte)(((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) | ((byte)(((byte)(flags & ace.AceFlags)) & 0xc0))));
num5 = ace.AccessMask & accessMask;
if (!saclSemantics || (((byte)(existing & AceFlags.AuditFlags)) != 0))
{
if (!RemoveInheritanceBits(existing, flags, this.IsDS, out result, out total))
{
flag2 = false;
goto Label_0483;
}
if (!total)
{
result = (AceFlags)((byte)(result | ((byte)(existing & AceFlags.AuditFlags))));
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num5, result, out flags8, out guid5, out guid6);
}
}
}
if (!flag)
{
QualifiedAce ace2;
if (num3 != 0)
{
if (((ace is ObjectAce) && ((((ObjectAce)ace).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)) && ((flags4 & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
{
this._acl.RemoveAce(i);
ObjectAce ace3 = new ObjectAce(none, qualifier, num3, ace.SecurityIdentifier, flags4, empty, guid2, false, null);
this._acl.InsertAce(i, ace3);
}
else
{
ace.AceFlags = none;
ace.AccessMask = num3;
if (ace is ObjectAce)
{
ObjectAce ace4 = ace as ObjectAce;
ace4.ObjectAceFlags = flags4;
ace4.ObjectAceType = empty;
ace4.InheritedObjectAceType = guid2;
}
}
}
else
{
this._acl.RemoveAce(i);
i--;
}
if (saclSemantics && (((byte)(aceFlags & AceFlags.AuditFlags)) != 0))
{
if (ace is CommonAce)
{
ace2 = new CommonAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, false, null);
}
else
{
ace2 = new ObjectAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, flags6, guid3, guid4, false, null);
}
i++;
this._acl.InsertAce(i, ace2);
}
if (!total)
{
if (ace is CommonAce)
{
ace2 = new CommonAce(result, qualifier, num5, ace.SecurityIdentifier, false, null);
}
else
{
ace2 = new ObjectAce(result, qualifier, num5, ace.SecurityIdentifier, flags8, guid5, guid6, false, null);
}
i++;
this._acl.InsertAce(i, ace2);
}
}
}
}
}
catch (OverflowException)
{
this._acl.SetBinaryForm(binaryForm, 0);
return(false);
}
Label_0483:
if (flag && flag2)
{
flag = false;
goto Label_0075;
}
this.OnAclModificationTried();
return(flag2);
}
// Token: 0x06001FE3 RID: 8163 RVA: 0x0006EFBC File Offset: 0x0006D1BC
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
base.ReadLock();
AuthorizationRuleCollection result;
try
{
AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl commonAcl = null;
if (access)
{
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
commonAcl = this._securityDescriptor.DiscretionaryAcl;
}
}
else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
commonAcl = this._securityDescriptor.SystemAcl;
}
if (commonAcl == null)
{
result = authorizationRuleCollection;
}
else
{
IdentityReferenceCollection identityReferenceCollection = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection identityReferenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
for (int i = 0; i < commonAcl.Count; i++)
{
CommonAce commonAce = commonAcl[i] as CommonAce;
if (this.AceNeedsTranslation(commonAce, access, includeExplicit, includeInherited))
{
identityReferenceCollection2.Add(commonAce.SecurityIdentifier);
}
}
identityReferenceCollection = identityReferenceCollection2.Translate(targetType);
}
int num = 0;
for (int j = 0; j < commonAcl.Count; j++)
{
CommonAce commonAce2 = commonAcl[j] as CommonAce;
if (this.AceNeedsTranslation(commonAce2, access, includeExplicit, includeInherited))
{
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? commonAce2.SecurityIdentifier : identityReferenceCollection[num++];
if (access)
{
AccessControlType type;
if (commonAce2.AceQualifier == AceQualifier.AccessAllowed)
{
type = AccessControlType.Allow;
}
else
{
type = AccessControlType.Deny;
}
authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, commonAce2.AccessMask, commonAce2.IsInherited, commonAce2.InheritanceFlags, commonAce2.PropagationFlags, type));
}
else
{
authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, commonAce2.AccessMask, commonAce2.IsInherited, commonAce2.InheritanceFlags, commonAce2.PropagationFlags, commonAce2.AuditFlags));
}
}
}
result = authorizationRuleCollection;
}
}
finally
{
base.ReadUnlock();
}
return(result);
}
internal bool RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
{
if (accessMask == 0)
{
throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
}
if ((qualifier == AceQualifier.SystemAudit) && (((byte) (flags & AceFlags.AuditFlags)) == 0))
{
throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
}
if (sid == null)
{
throw new ArgumentNullException("sid");
}
this.ThrowIfNotCanonical();
bool flag = true;
bool flag2 = true;
int num = accessMask;
AceFlags flags2 = flags;
byte[] binaryForm = new byte[this.BinaryLength];
this.GetBinaryForm(binaryForm, 0);
Label_0075:
try
{
for (int i = 0; i < this.Count; i++)
{
QualifiedAce ace = this._acl[i] as QualifiedAce;
if (((ace == null) || (((byte) (ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid)))
{
continue;
}
if (this.IsDS)
{
accessMask = num;
bool flag3 = !this.GetAccessMaskForRemoval(ace, objectFlags, objectType, ref accessMask);
if ((ace.AccessMask & accessMask) == 0)
{
continue;
}
flags = flags2;
bool flag4 = !this.GetInheritanceFlagsForRemoval(ace, objectFlags, inheritedObjectType, ref flags);
if (((((((byte) (ace.AceFlags & AceFlags.ContainerInherit)) == 0) && (((byte) (flags & AceFlags.ContainerInherit)) != 0)) && (((byte) (flags & AceFlags.InheritOnly)) != 0)) || (((((byte) (flags & AceFlags.ContainerInherit)) == 0) && (((byte) (ace.AceFlags & AceFlags.ContainerInherit)) != 0)) && (((byte) (ace.AceFlags & AceFlags.InheritOnly)) != 0))) || (((((byte) (flags2 & AceFlags.ContainerInherit)) != 0) && (((byte) (flags2 & AceFlags.InheritOnly)) != 0)) && (((byte) (flags & AceFlags.ContainerInherit)) == 0)))
{
continue;
}
if (!flag3 && !flag4)
{
goto Label_0184;
}
flag2 = false;
goto Label_0483;
}
if ((ace.AccessMask & accessMask) == 0)
{
continue;
}
Label_0184:
if (!saclSemantics || (((byte) (((byte) (ace.AceFlags & flags)) & 0xc0)) != 0))
{
AceFlags none = AceFlags.None;
int num3 = 0;
ObjectAceFlags flags4 = ObjectAceFlags.None;
Guid empty = Guid.Empty;
Guid guid2 = Guid.Empty;
AceFlags aceFlags = AceFlags.None;
int num4 = 0;
ObjectAceFlags flags6 = ObjectAceFlags.None;
Guid guid3 = Guid.Empty;
Guid guid4 = Guid.Empty;
AceFlags existing = AceFlags.None;
int num5 = 0;
ObjectAceFlags flags8 = ObjectAceFlags.None;
Guid guid5 = Guid.Empty;
Guid guid6 = Guid.Empty;
AceFlags result = AceFlags.None;
bool total = false;
none = ace.AceFlags;
num3 = ace.AccessMask & ~accessMask;
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num3, none, out flags4, out empty, out guid2);
}
if (saclSemantics)
{
aceFlags = (AceFlags) ((byte) (ace.AceFlags & ~((byte) (flags & AceFlags.AuditFlags))));
num4 = ace.AccessMask & accessMask;
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num4, aceFlags, out flags6, out guid3, out guid4);
}
}
existing = (AceFlags) ((byte) (((byte) (ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) | ((byte) (((byte) (flags & ace.AceFlags)) & 0xc0))));
num5 = ace.AccessMask & accessMask;
if (!saclSemantics || (((byte) (existing & AceFlags.AuditFlags)) != 0))
{
if (!RemoveInheritanceBits(existing, flags, this.IsDS, out result, out total))
{
flag2 = false;
goto Label_0483;
}
if (!total)
{
result = (AceFlags) ((byte) (result | ((byte) (existing & AceFlags.AuditFlags))));
if (ace is ObjectAce)
{
this.GetObjectTypesForSplit(ace as ObjectAce, num5, result, out flags8, out guid5, out guid6);
}
}
}
if (!flag)
{
QualifiedAce ace2;
if (num3 != 0)
{
if (((ace is ObjectAce) && ((((ObjectAce) ace).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)) && ((flags4 & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
{
this._acl.RemoveAce(i);
ObjectAce ace3 = new ObjectAce(none, qualifier, num3, ace.SecurityIdentifier, flags4, empty, guid2, false, null);
this._acl.InsertAce(i, ace3);
}
else
{
ace.AceFlags = none;
ace.AccessMask = num3;
if (ace is ObjectAce)
{
ObjectAce ace4 = ace as ObjectAce;
ace4.ObjectAceFlags = flags4;
ace4.ObjectAceType = empty;
ace4.InheritedObjectAceType = guid2;
}
}
}
else
{
this._acl.RemoveAce(i);
i--;
}
if (saclSemantics && (((byte) (aceFlags & AceFlags.AuditFlags)) != 0))
{
if (ace is CommonAce)
{
ace2 = new CommonAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, false, null);
}
else
{
ace2 = new ObjectAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, flags6, guid3, guid4, false, null);
}
i++;
this._acl.InsertAce(i, ace2);
}
if (!total)
{
if (ace is CommonAce)
{
ace2 = new CommonAce(result, qualifier, num5, ace.SecurityIdentifier, false, null);
}
else
{
ace2 = new ObjectAce(result, qualifier, num5, ace.SecurityIdentifier, flags8, guid5, guid6, false, null);
}
i++;
this._acl.InsertAce(i, ace2);
}
}
}
}
}
catch (OverflowException)
{
this._acl.SetBinaryForm(binaryForm, 0);
return false;
}
Label_0483:
if (flag && flag2)
{
flag = false;
goto Label_0075;
}
this.OnAclModificationTried();
return flag2;
}
internal void Initialize()
{
try
{
// This is needed if the thread calling the method is impersonating
// a client call (ASP.net hosting scenarios).
if (!NativeMethods.RevertToSelf())
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
// Get the DACL for process token. Add TOKEN_QUERY permissions for the Administrators group.
// Set the updated DACL for process token.
RawAcl tokenDacl = GetCurrentProcessTokenDacl();
CommonAce adminsGroupAceForToken = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, NativeMethods.TOKEN_QUERY, new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), false, null);
int i = FindIndexInDacl(adminsGroupAceForToken, tokenDacl);
if (i != -1)
tokenDacl.InsertAce(i, adminsGroupAceForToken);
SetCurrentProcessTokenDacl(tokenDacl);
}
catch (Exception e)
{
// Communicate any exceptions from this thread back to the thread
// that spawned it.
if (exceptionNotification != null)
exceptionNotification(e);
}
}
//
// Instantiates the most-derived ACE type based on the binary
// representation of an ACE
//
public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
{
GenericAce result;
AceType type;
//
// Sanity check the header
//
VerifyHeader(binaryForm, offset);
type = (AceType)binaryForm[offset];
if (type == AceType.AccessAllowed ||
type == AceType.AccessDenied ||
type == AceType.SystemAudit ||
type == AceType.SystemAlarm ||
type == AceType.AccessAllowedCallback ||
type == AceType.AccessDeniedCallback ||
type == AceType.SystemAuditCallback ||
type == AceType.SystemAlarmCallback)
{
AceQualifier qualifier;
int accessMask;
SecurityIdentifier sid;
bool isCallback;
byte[] opaque;
if (true == CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out isCallback, out opaque))
{
AceFlags flags = (AceFlags)binaryForm[offset + 1];
result = new CommonAce(flags, qualifier, accessMask, sid, isCallback, opaque);
}
else
{
goto InvalidParameter;
}
}
else if (type == AceType.AccessAllowedObject ||
type == AceType.AccessDeniedObject ||
type == AceType.SystemAuditObject ||
type == AceType.SystemAlarmObject ||
type == AceType.AccessAllowedCallbackObject ||
type == AceType.AccessDeniedCallbackObject ||
type == AceType.SystemAuditCallbackObject ||
type == AceType.SystemAlarmCallbackObject)
{
AceQualifier qualifier;
int accessMask;
SecurityIdentifier sid;
ObjectAceFlags objectFlags;
Guid objectAceType;
Guid inheritedObjectAceType;
bool isCallback;
byte[] opaque;
if (true == ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out objectFlags, out objectAceType, out inheritedObjectAceType, out isCallback, out opaque))
{
AceFlags flags = (AceFlags)binaryForm[offset + 1];
result = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectAceType, inheritedObjectAceType, isCallback, opaque);
}
else
{
goto InvalidParameter;
}
}
else if (type == AceType.AccessAllowedCompound)
{
int accessMask;
CompoundAceType compoundAceType;
SecurityIdentifier sid;
if (true == CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask, out compoundAceType, out sid))
{
AceFlags flags = (AceFlags)binaryForm[offset + 1];
result = new CompoundAce(flags, accessMask, compoundAceType, sid);
}
else
{
goto InvalidParameter;
}
}
else
{
AceFlags flags = (AceFlags)binaryForm[offset + 1];
byte[] opaque = null;
int aceLength = (binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8);
if (aceLength % 4 != 0)
{
goto InvalidParameter;
}
int opaqueLength = aceLength - HeaderLength;
if (opaqueLength > 0)
{
opaque = new byte[opaqueLength];
for (int i = 0; i < opaqueLength; i++)
{
opaque[i] = binaryForm[offset + aceLength - opaqueLength + i];
}
}
result = new CustomAce(type, flags, opaque);
}
//
// As a final check, confirm that the advertised ACE header length
// was the actual parsed length
//
if (((!(result is ObjectAce)) && ((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8) != result.BinaryLength))
//
// This is needed because object aces created through ADSI have the advertised ACE length
// greater than the actual length by 32 (bug in ADSI).
//
|| ((result is ObjectAce) && ((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8) != result.BinaryLength) && (((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8) - 32) != result.BinaryLength)))
{
goto InvalidParameter;
}
return result;
InvalidParameter:
throw new ArgumentException(
SR.ArgumentException_InvalidAceBinaryForm,
nameof(binaryForm));
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType)
{
ReadLock();
try
{
AuthorizationRuleCollection result = new AuthorizationRuleCollection();
if (!IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(
SR.Arg_MustBeIdentityReferenceType,
"targetType");
}
CommonAcl acl = null;
if (access)
{
if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
{
acl = _securityDescriptor.DiscretionaryAcl;
}
}
else // !access == audit
{
if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0)
{
acl = _securityDescriptor.SystemAcl;
}
}
if (acl == null)
{
//
// The required ACL was not present; return an empty collection.
//
return(result);
}
IdentityReferenceCollection irTarget = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count);
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
CommonAce ace = acl[i] as CommonAce;
if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
irSource.Add(ace.SecurityIdentifier);
}
}
irTarget = irSource.Translate(targetType);
}
int targetIndex = 0;
for (int i = 0; i < acl.Count; i++)
{
//
// Calling the indexer on a common ACL results in cloning,
// (which would not be the case if we were to use the internal RawAcl property)
// but also ensures that the resulting order of ACEs is proper
// However, this is a big price to pay - cloning all the ACEs just so that
// the canonical order could be ascertained just once.
// A better way would be to have an internal method that would canonicalize the ACL
// and call it once, then use the RawAcl.
//
CommonAce ace = acl[i] as CommonAce;
if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget[targetIndex++];
if (access)
{
AccessControlType type;
if (ace.AceQualifier == AceQualifier.AccessAllowed)
{
type = AccessControlType.Allow;
}
else
{
type = AccessControlType.Deny;
}
result.AddRule(
AccessRuleFactory(
iref,
ace.AccessMask,
ace.IsInherited,
ace.InheritanceFlags,
ace.PropagationFlags,
type));
}
else
{
result.AddRule(
AuditRuleFactory(
iref,
ace.AccessMask,
ace.IsInherited,
ace.InheritanceFlags,
ace.PropagationFlags,
ace.AuditFlags));
}
}
}
return(result);
}
finally
{
ReadUnlock();
}
}
private int FindIndexInDacl(CommonAce newAce, RawAcl dacl)
{
int num = 0;
num = 0;
while (num < dacl.Count)
{
if (((dacl[num] is CommonAce) && (((CommonAce) dacl[num]).SecurityIdentifier.Value == newAce.SecurityIdentifier.Value)) && (dacl[num].AceType == newAce.AceType))
{
return -1;
}
if (((newAce.AceType != AceType.AccessDenied) || (dacl[num].AceType != AceType.AccessDenied)) || (newAce.IsInherited || dacl[num].IsInherited))
{
if ((newAce.AceType == AceType.AccessDenied) && !newAce.IsInherited)
{
return num;
}
if ((((newAce.AceType != AceType.AccessAllowed) || (dacl[num].AceType != AceType.AccessAllowed)) || (newAce.IsInherited || dacl[num].IsInherited)) && ((newAce.AceType == AceType.AccessAllowed) && !newAce.IsInherited))
{
return num;
}
}
num++;
}
return num;
}
internal void Initialize()
{
try
{
if (!System.Workflow.Runtime.DebugEngine.NativeMethods.RevertToSelf())
{
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
}
RawAcl currentProcessTokenDacl = this.GetCurrentProcessTokenDacl();
CommonAce newAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 8, new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), false, null);
int index = this.FindIndexInDacl(newAce, currentProcessTokenDacl);
if (index != -1)
{
currentProcessTokenDacl.InsertAce(index, newAce);
}
this.SetCurrentProcessTokenDacl(currentProcessTokenDacl);
}
catch (Exception exception)
{
if (this.exceptionNotification != null)
{
this.exceptionNotification(exception);
}
}
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
AuthorizationRuleCollection rules2;
base.ReadLock();
try
{
AuthorizationRuleCollection rules = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl discretionaryAcl = null;
if (access)
{
if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.DiscretionaryAcl;
}
}
else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.SystemAcl;
}
if (discretionaryAcl == null)
{
return(rules);
}
IdentityReferenceCollection references = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count);
for (int j = 0; j < discretionaryAcl.Count; j++)
{
QualifiedAce ace = discretionaryAcl[j] as QualifiedAce;
if ((ace == null) || ace.IsCallback)
{
continue;
}
if (access)
{
if ((ace.AceQualifier == AceQualifier.AccessAllowed) || (ace.AceQualifier == AceQualifier.AccessDenied))
{
goto Label_00DD;
}
continue;
}
if (ace.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
Label_00DD:
references2.Add(ace.SecurityIdentifier);
}
references = references2.Translate(targetType);
}
for (int i = 0; i < discretionaryAcl.Count; i++)
{
QualifiedAce ace2 = discretionaryAcl[i] as CommonAce;
if (ace2 == null)
{
ace2 = discretionaryAcl[i] as ObjectAce;
if (ace2 == null)
{
continue;
}
}
if (ace2.IsCallback)
{
continue;
}
if (access)
{
if ((ace2.AceQualifier == AceQualifier.AccessAllowed) || (ace2.AceQualifier == AceQualifier.AccessDenied))
{
goto Label_0174;
}
continue;
}
if (ace2.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
Label_0174:
if ((includeExplicit && (((byte)(ace2.AceFlags & AceFlags.Inherited)) == 0)) || (includeInherited && (((byte)(ace2.AceFlags & AceFlags.Inherited)) != 0)))
{
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[i];
if (access)
{
AccessControlType allow;
if (ace2.AceQualifier == AceQualifier.AccessAllowed)
{
allow = AccessControlType.Allow;
}
else
{
allow = AccessControlType.Deny;
}
if (ace2 is ObjectAce)
{
ObjectAce ace3 = ace2 as ObjectAce;
rules.AddRule(this.AccessRuleFactory(identityReference, ace3.AccessMask, ace3.IsInherited, ace3.InheritanceFlags, ace3.PropagationFlags, allow, ace3.ObjectAceType, ace3.InheritedObjectAceType));
}
else
{
CommonAce ace4 = ace2 as CommonAce;
if (ace4 != null)
{
rules.AddRule(this.AccessRuleFactory(identityReference, ace4.AccessMask, ace4.IsInherited, ace4.InheritanceFlags, ace4.PropagationFlags, allow));
}
}
}
else if (ace2 is ObjectAce)
{
ObjectAce ace5 = ace2 as ObjectAce;
rules.AddRule(this.AuditRuleFactory(identityReference, ace5.AccessMask, ace5.IsInherited, ace5.InheritanceFlags, ace5.PropagationFlags, ace5.AuditFlags, ace5.ObjectAceType, ace5.InheritedObjectAceType));
}
else
{
CommonAce ace6 = ace2 as CommonAce;
if (ace6 != null)
{
rules.AddRule(this.AuditRuleFactory(identityReference, ace6.AccessMask, ace6.IsInherited, ace6.InheritanceFlags, ace6.PropagationFlags, ace6.AuditFlags));
}
}
}
}
rules2 = rules;
}
finally
{
base.ReadUnlock();
}
return(rules2);
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
this.ReadLock();
try
{
AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl commonAcl = (CommonAcl)null;
if (access)
{
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
commonAcl = (CommonAcl)this._securityDescriptor.DiscretionaryAcl;
}
}
else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
commonAcl = (CommonAcl)this._securityDescriptor.SystemAcl;
}
if (commonAcl == null)
{
return(authorizationRuleCollection);
}
IdentityReferenceCollection referenceCollection1 = (IdentityReferenceCollection)null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection referenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
for (int index = 0; index < commonAcl.Count; ++index)
{
CommonAce ace = commonAcl[index] as CommonAce;
if (this.AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
referenceCollection2.Add((IdentityReference)ace.SecurityIdentifier);
}
}
referenceCollection1 = referenceCollection2.Translate(targetType);
}
int num = 0;
for (int index = 0; index < commonAcl.Count; ++index)
{
CommonAce ace = commonAcl[index] as CommonAce;
if (this.AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
IdentityReference identityReference = targetType == typeof(SecurityIdentifier) ? (IdentityReference)ace.SecurityIdentifier : referenceCollection1[num++];
if (access)
{
AccessControlType type = ace.AceQualifier != AceQualifier.AccessAllowed ? AccessControlType.Deny : AccessControlType.Allow;
authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, ace.AccessMask, ace.IsInherited, ace.InheritanceFlags, ace.PropagationFlags, type));
}
else
{
authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, ace.AccessMask, ace.IsInherited, ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags));
}
}
}
return(authorizationRuleCollection);
}
finally
{
this.ReadUnlock();
}
}
/// <summary>Creates a <see cref="T:System.Security.AccessControl.GenericAce" /> object from the specified binary data.</summary>
/// <param name="binaryForm">The binary data from which to create the new <see cref="T:System.Security.AccessControl.GenericAce" /> object.</param>
/// <param name="offset">The offset at which to begin unmarshaling.</param>
/// <returns>The <see cref="T:System.Security.AccessControl.GenericAce" /> object this method creates.</returns>
// Token: 0x06001E46 RID: 7750 RVA: 0x00069C80 File Offset: 0x00067E80
public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
{
GenericAce.VerifyHeader(binaryForm, offset);
AceType aceType = (AceType)binaryForm[offset];
GenericAce genericAce;
if (aceType == AceType.AccessAllowed || aceType == AceType.AccessDenied || aceType == AceType.SystemAudit || aceType == AceType.SystemAlarm || aceType == AceType.AccessAllowedCallback || aceType == AceType.AccessDeniedCallback || aceType == AceType.SystemAuditCallback || aceType == AceType.SystemAlarmCallback)
{
AceQualifier qualifier;
int accessMask;
SecurityIdentifier sid;
bool isCallback;
byte[] opaque;
if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out isCallback, out opaque))
{
goto IL_1A8;
}
AceFlags flags = (AceFlags)binaryForm[offset + 1];
genericAce = new CommonAce(flags, qualifier, accessMask, sid, isCallback, opaque);
}
else if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessDeniedObject || aceType == AceType.SystemAuditObject || aceType == AceType.SystemAlarmObject || aceType == AceType.AccessAllowedCallbackObject || aceType == AceType.AccessDeniedCallbackObject || aceType == AceType.SystemAuditCallbackObject || aceType == AceType.SystemAlarmCallbackObject)
{
AceQualifier qualifier2;
int accessMask2;
SecurityIdentifier sid2;
ObjectAceFlags flags2;
Guid type;
Guid inheritedType;
bool isCallback2;
byte[] opaque2;
if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out accessMask2, out sid2, out flags2, out type, out inheritedType, out isCallback2, out opaque2))
{
goto IL_1A8;
}
AceFlags aceFlags = (AceFlags)binaryForm[offset + 1];
genericAce = new ObjectAce(aceFlags, qualifier2, accessMask2, sid2, flags2, type, inheritedType, isCallback2, opaque2);
}
else if (aceType == AceType.AccessAllowedCompound)
{
int accessMask3;
CompoundAceType compoundAceType;
SecurityIdentifier sid3;
if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask3, out compoundAceType, out sid3))
{
goto IL_1A8;
}
AceFlags flags3 = (AceFlags)binaryForm[offset + 1];
genericAce = new CompoundAce(flags3, accessMask3, compoundAceType, sid3);
}
else
{
AceFlags flags4 = (AceFlags)binaryForm[offset + 1];
byte[] array = null;
int num = (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8);
if (num % 4 != 0)
{
goto IL_1A8;
}
int num2 = num - 4;
if (num2 > 0)
{
array = new byte[num2];
for (int i = 0; i < num2; i++)
{
array[i] = binaryForm[offset + num - num2 + i];
}
}
genericAce = new CustomAce(aceType, flags4, array);
}
if ((genericAce is ObjectAce || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength) && (!(genericAce is ObjectAce) || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) - 32 == genericAce.BinaryLength))
{
return(genericAce);
}
IL_1A8:
throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
}
public void GetSddlForm ()
{
RawSecurityDescriptor sd = new RawSecurityDescriptor ("");
Assert.AreEqual ("", sd.GetSddlForm (AccessControlSections.All));
// Ask for part of SD that isn't represented
sd.Owner = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null);
sd.Group = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
Assert.AreEqual ("", sd.GetSddlForm (AccessControlSections.Access));
// Empty ACL form
sd.DiscretionaryAcl = new RawAcl (2, 0);
sd.SystemAcl = new RawAcl (1, 0);
sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);
Assert.AreEqual ("O:BUG:BAD:S:", sd.GetSddlForm (AccessControlSections.All));
// Add an ACE to the DACL
SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
sd.DiscretionaryAcl.InsertAce (0, ace);
Assert.AreEqual ("O:BUG:BAD:(A;;0x7fffffff;;;BA)S:", sd.GetSddlForm (AccessControlSections.All));
// Add second ACE to the DACL
SecurityIdentifier randomUser = new SecurityIdentifier ("S-1-5-21-324-23423-234-334");
ace = new CommonAce (AceFlags.Inherited | AceFlags.ContainerInherit, AceQualifier.AccessDenied, 0x12345678, randomUser, true, null);
sd.DiscretionaryAcl.InsertAce (0, ace);
Assert.AreEqual ("O:BUD:(XD;CIID;0x12345678;;;S-1-5-21-324-23423-234-334)(A;;0x7fffffff;;;BA)", sd.GetSddlForm (AccessControlSections.Owner | AccessControlSections.Access));
// DACL & SACL flags
sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclProtected | ControlFlags.DiscretionaryAclAutoInherited | ControlFlags.DiscretionaryAclAutoInheritRequired | ControlFlags.SystemAclAutoInherited);
sd.DiscretionaryAcl = new RawAcl (1, 0);
ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
sd.DiscretionaryAcl.InsertAce (0, ace);
Assert.AreEqual ("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm (AccessControlSections.All));
sd.SetFlags (sd.ControlFlags | ControlFlags.ServerSecurity | ControlFlags.DiscretionaryAclDefaulted);
Assert.AreEqual ("O:BUG:BAD:PARAI(A;;0x7fffffff;;;BA)S:AI", sd.GetSddlForm (AccessControlSections.All));
}
public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
{
GenericAce ace;
VerifyHeader(binaryForm, offset);
System.Security.AccessControl.AceType type = (System.Security.AccessControl.AceType) binaryForm[offset];
switch (type)
{
case System.Security.AccessControl.AceType.AccessAllowed:
case System.Security.AccessControl.AceType.AccessDenied:
case System.Security.AccessControl.AceType.SystemAudit:
case System.Security.AccessControl.AceType.SystemAlarm:
case System.Security.AccessControl.AceType.AccessAllowedCallback:
case System.Security.AccessControl.AceType.AccessDeniedCallback:
case System.Security.AccessControl.AceType.SystemAuditCallback:
case System.Security.AccessControl.AceType.SystemAlarmCallback:
{
AceQualifier qualifier;
int num;
SecurityIdentifier identifier;
bool flag;
byte[] buffer;
if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out num, out identifier, out flag, out buffer))
{
goto Label_01A8;
}
System.Security.AccessControl.AceFlags flags = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
ace = new CommonAce(flags, qualifier, num, identifier, flag, buffer);
break;
}
case System.Security.AccessControl.AceType.AccessAllowedObject:
case System.Security.AccessControl.AceType.AccessDeniedObject:
case System.Security.AccessControl.AceType.SystemAuditObject:
case System.Security.AccessControl.AceType.SystemAlarmObject:
case System.Security.AccessControl.AceType.AccessAllowedCallbackObject:
case System.Security.AccessControl.AceType.AccessDeniedCallbackObject:
case System.Security.AccessControl.AceType.SystemAuditCallbackObject:
case System.Security.AccessControl.AceType.SystemAlarmCallbackObject:
{
AceQualifier qualifier2;
int num2;
SecurityIdentifier identifier2;
ObjectAceFlags flags2;
Guid guid;
Guid guid2;
bool flag2;
byte[] buffer2;
if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out num2, out identifier2, out flags2, out guid, out guid2, out flag2, out buffer2))
{
goto Label_01A8;
}
System.Security.AccessControl.AceFlags aceFlags = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
ace = new ObjectAce(aceFlags, qualifier2, num2, identifier2, flags2, guid, guid2, flag2, buffer2);
break;
}
case System.Security.AccessControl.AceType.AccessAllowedCompound:
{
int num3;
CompoundAceType type2;
SecurityIdentifier identifier3;
if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out num3, out type2, out identifier3))
{
goto Label_01A8;
}
System.Security.AccessControl.AceFlags flags4 = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
ace = new CompoundAce(flags4, num3, type2, identifier3);
break;
}
default:
{
System.Security.AccessControl.AceFlags flags5 = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
byte[] opaque = null;
int num4 = binaryForm[offset + 2] + (binaryForm[offset + 3] << 8);
if ((num4 % 4) != 0)
{
goto Label_01A8;
}
int num5 = num4 - 4;
if (num5 > 0)
{
opaque = new byte[num5];
for (int i = 0; i < num5; i++)
{
opaque[i] = binaryForm[((offset + num4) - num5) + i];
}
}
ace = new CustomAce(type, flags5, opaque);
break;
}
}
if (((ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) && ((!(ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) || (((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) - 0x20) == ace.BinaryLength)))
{
return ace;
}
Label_01A8:
throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
}
//
// Helper function behind all the SetXXX methods
//
internal void SetQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
{
if ( sid == null )
{
throw new ArgumentNullException( "sid" );
}
if ( qualifier == AceQualifier.SystemAudit &&
(( flags & AceFlags.AuditFlags ) == 0 ))
{
throw new ArgumentException(
Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
"flags" );
}
if ( accessMask == 0 )
{
throw new ArgumentException(
Environment.GetResourceString( "Argument_ArgumentZero" ),
"accessMask" );
}
Contract.EndContractBlock();
ThrowIfNotCanonical();
GenericAce newAce;
if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
{
newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
}
else
{
newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );
}
//
// Make sure the new ACE wouldn't be meaningless before proceeding
//
if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))
{
return;
}
for ( int i = 0; i < Count; i++ )
{
QualifiedAce ace = _acl[i] as QualifiedAce;
//
// Not a qualified ACE - keep going
//
if ( ace == null )
{
continue;
}
//
// Only interested in explicit (non-inherited) ACEs
//
if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
{
continue;
}
//
// Only interested in ACEs with the specified qualifier
//
if ( ace.AceQualifier != qualifier )
{
continue;
}
//
// Only interested in ACEs with the specified SID
//
if ( ace.SecurityIdentifier != sid )
{
continue;
}
//
// This ACE corresponds to the SID and qualifier in question - remove it
//
_acl.RemoveAce( i );
i--;
}
//
// As a final step, add the ACE we want.
// Add it at the end - we'll re-canonicalize later.
//
_acl.InsertAce( _acl.Count, newAce );
//
// To aid the efficiency of batch operations, recanonicalize this later
//
_isDirty = true;
OnAclModificationTried();
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
this.ReadLock();
try
{
AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl commonAcl = (CommonAcl)null;
if (access)
{
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
commonAcl = (CommonAcl)this._securityDescriptor.DiscretionaryAcl;
}
}
else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
commonAcl = (CommonAcl)this._securityDescriptor.SystemAcl;
}
if (commonAcl == null)
{
return(authorizationRuleCollection);
}
IdentityReferenceCollection referenceCollection1 = (IdentityReferenceCollection)null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection referenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
for (int index = 0; index < commonAcl.Count; ++index)
{
QualifiedAce qualifiedAce = commonAcl[index] as QualifiedAce;
if (!((GenericAce)qualifiedAce == (GenericAce)null) && !qualifiedAce.IsCallback)
{
if (access)
{
if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
referenceCollection2.Add((IdentityReference)qualifiedAce.SecurityIdentifier);
}
}
referenceCollection1 = referenceCollection2.Translate(targetType);
}
for (int index = 0; index < commonAcl.Count; ++index)
{
QualifiedAce qualifiedAce = (QualifiedAce)(commonAcl[index] as CommonAce);
if ((GenericAce)qualifiedAce == (GenericAce)null)
{
qualifiedAce = (QualifiedAce)(commonAcl[index] as ObjectAce);
if ((GenericAce)qualifiedAce == (GenericAce)null)
{
continue;
}
}
if (!qualifiedAce.IsCallback)
{
if (access)
{
if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
{
continue;
}
}
else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
{
continue;
}
if (includeExplicit && (qualifiedAce.AceFlags & AceFlags.Inherited) == AceFlags.None || includeInherited && (qualifiedAce.AceFlags & AceFlags.Inherited) != AceFlags.None)
{
IdentityReference identityReference = targetType == typeof(SecurityIdentifier) ? (IdentityReference)qualifiedAce.SecurityIdentifier : referenceCollection1[index];
if (access)
{
AccessControlType type = qualifiedAce.AceQualifier != AceQualifier.AccessAllowed ? AccessControlType.Deny : AccessControlType.Allow;
if (qualifiedAce is ObjectAce)
{
ObjectAce objectAce = qualifiedAce as ObjectAce;
authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = qualifiedAce as CommonAce;
if (!((GenericAce)commonAce == (GenericAce)null))
{
authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
}
}
}
else if (qualifiedAce is ObjectAce)
{
ObjectAce objectAce = qualifiedAce as ObjectAce;
authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
}
else
{
CommonAce commonAce = qualifiedAce as CommonAce;
if (!((GenericAce)commonAce == (GenericAce)null))
{
authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags));
}
}
}
}
}
return(authorizationRuleCollection);
}
finally
{
this.ReadUnlock();
}
}
// Token: 0x06001FF6 RID: 8182 RVA: 0x0006FAEC File Offset: 0x0006DCEC
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
base.ReadLock();
AuthorizationRuleCollection result;
try
{
AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl commonAcl = null;
if (access)
{
if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
commonAcl = this._securityDescriptor.DiscretionaryAcl;
}
}
else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
commonAcl = this._securityDescriptor.SystemAcl;
}
if (commonAcl == null)
{
result = authorizationRuleCollection;
}
else
{
IdentityReferenceCollection identityReferenceCollection = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection identityReferenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
for (int i = 0; i < commonAcl.Count; i++)
{
QualifiedAce qualifiedAce = commonAcl[i] as QualifiedAce;
if (!(qualifiedAce == null) && !qualifiedAce.IsCallback)
{
if (access)
{
if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
{
goto IL_EB;
}
}
else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
{
goto IL_EB;
}
identityReferenceCollection2.Add(qualifiedAce.SecurityIdentifier);
}
IL_EB :;
}
identityReferenceCollection = identityReferenceCollection2.Translate(targetType);
}
int j = 0;
while (j < commonAcl.Count)
{
QualifiedAce qualifiedAce2 = commonAcl[j] as CommonAce;
if (!(qualifiedAce2 == null))
{
goto IL_142;
}
qualifiedAce2 = (commonAcl[j] as ObjectAce);
if (!(qualifiedAce2 == null))
{
goto IL_142;
}
IL_306:
j++;
continue;
IL_142:
if (qualifiedAce2.IsCallback)
{
goto IL_306;
}
if (access)
{
if (qualifiedAce2.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce2.AceQualifier != AceQualifier.AccessDenied)
{
goto IL_306;
}
}
else if (qualifiedAce2.AceQualifier != AceQualifier.SystemAudit)
{
goto IL_306;
}
if ((!includeExplicit || (qualifiedAce2.AceFlags & AceFlags.Inherited) != AceFlags.None) && (!includeInherited || (qualifiedAce2.AceFlags & AceFlags.Inherited) == AceFlags.None))
{
goto IL_306;
}
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? qualifiedAce2.SecurityIdentifier : identityReferenceCollection[j];
if (access)
{
AccessControlType type;
if (qualifiedAce2.AceQualifier == AceQualifier.AccessAllowed)
{
type = AccessControlType.Allow;
}
else
{
type = AccessControlType.Deny;
}
if (qualifiedAce2 is ObjectAce)
{
ObjectAce objectAce = qualifiedAce2 as ObjectAce;
authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
goto IL_306;
}
CommonAce commonAce = qualifiedAce2 as CommonAce;
if (!(commonAce == null))
{
authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
goto IL_306;
}
goto IL_306;
}
else
{
if (qualifiedAce2 is ObjectAce)
{
ObjectAce objectAce2 = qualifiedAce2 as ObjectAce;
authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, objectAce2.AccessMask, objectAce2.IsInherited, objectAce2.InheritanceFlags, objectAce2.PropagationFlags, objectAce2.AuditFlags, objectAce2.ObjectAceType, objectAce2.InheritedObjectAceType));
goto IL_306;
}
CommonAce commonAce2 = qualifiedAce2 as CommonAce;
if (!(commonAce2 == null))
{
authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, commonAce2.AccessMask, commonAce2.IsInherited, commonAce2.InheritanceFlags, commonAce2.PropagationFlags, commonAce2.AuditFlags));
goto IL_306;
}
goto IL_306;
}
}
result = authorizationRuleCollection;
}
}
finally
{
base.ReadUnlock();
}
return(result);
}
public void ContiguousRangeSorting ()
{
SecurityIdentifier[] sids = new SecurityIdentifier[] {
new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null), // S-1-5-32-544
new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null), // S-1-5-32-545
new SecurityIdentifier (WellKnownSidType.WorldSid, null), // S-1-1-0
new SecurityIdentifier ("S-1-5-40"),
new SecurityIdentifier ("S-1-5-30-123"),
new SecurityIdentifier ("S-1-5-32-99"),
new SecurityIdentifier ("S-1-5-23-45-67"),
new SecurityIdentifier ("S-1-5-32-5432"),
new SecurityIdentifier ("S-1-0-2"),
new SecurityIdentifier ("S-1-6-0")
};
GenericAce[] aces = new GenericAce[sids.Length];
for (int i = 0; i < aces.Length; i ++)
aces [i] = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sids[i], false, null);
RawAcl acl = MakeRawAcl (aces);
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsTrue (dacl.IsCanonical);
Assert.AreEqual (sids[8], ((CommonAce)dacl [0]).SecurityIdentifier); // S-1-0-2
Assert.AreEqual (sids[2], ((CommonAce)dacl [1]).SecurityIdentifier); // S-1-1-0
Assert.AreEqual (sids[3], ((CommonAce)dacl [2]).SecurityIdentifier); // S-1-5-40
Assert.AreEqual (sids[4], ((CommonAce)dacl [3]).SecurityIdentifier); // S-1-5-30-123
Assert.AreEqual (sids[5], ((CommonAce)dacl [4]).SecurityIdentifier); // S-1-5-32-99
Assert.AreEqual (sids[0], ((CommonAce)dacl [5]).SecurityIdentifier); // S-1-5-32-544
Assert.AreEqual (sids[1], ((CommonAce)dacl [6]).SecurityIdentifier); // S-1-5-32-545
Assert.AreEqual (sids[7], ((CommonAce)dacl [7]).SecurityIdentifier); // S-1-5-32-5432
Assert.AreEqual (sids[6], ((CommonAce)dacl [8]).SecurityIdentifier); // S-1-5-23-45-67
Assert.AreEqual (sids[9], ((CommonAce)dacl [9]).SecurityIdentifier); // S-1-6-0
}
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
{
AuthorizationRuleCollection rules2;
base.ReadLock();
try
{
AuthorizationRuleCollection rules = new AuthorizationRuleCollection();
if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
{
throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
}
CommonAcl discretionaryAcl = null;
if (access)
{
if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.DiscretionaryAcl;
}
}
else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
{
discretionaryAcl = base._securityDescriptor.SystemAcl;
}
if (discretionaryAcl == null)
{
return(rules);
}
IdentityReferenceCollection references = null;
if (targetType != typeof(SecurityIdentifier))
{
IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count);
for (int j = 0; j < discretionaryAcl.Count; j++)
{
CommonAce ace = discretionaryAcl[j] as CommonAce;
if (this.AceNeedsTranslation(ace, access, includeExplicit, includeInherited))
{
references2.Add(ace.SecurityIdentifier);
}
}
references = references2.Translate(targetType);
}
int num2 = 0;
for (int i = 0; i < discretionaryAcl.Count; i++)
{
CommonAce ace2 = discretionaryAcl[i] as CommonAce;
if (this.AceNeedsTranslation(ace2, access, includeExplicit, includeInherited))
{
IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[num2++];
if (access)
{
AccessControlType allow;
if (ace2.AceQualifier == AceQualifier.AccessAllowed)
{
allow = AccessControlType.Allow;
}
else
{
allow = AccessControlType.Deny;
}
rules.AddRule(this.AccessRuleFactory(identityReference, ace2.AccessMask, ace2.IsInherited, ace2.InheritanceFlags, ace2.PropagationFlags, allow));
}
else
{
rules.AddRule(this.AuditRuleFactory(identityReference, ace2.AccessMask, ace2.IsInherited, ace2.InheritanceFlags, ace2.PropagationFlags, ace2.AuditFlags));
}
}
}
rules2 = rules;
}
finally
{
base.ReadUnlock();
}
return(rules2);
}
// The preferred order in which ACEs are added to DACLs is
// documented here: http://search.msdn.microsoft.com/search/results.aspx?qu=Order+of+ACEs+in+a+DACL&View=msdn&st=b.
// This routine follows that logic to determine the position of an ACE in the DACL.
private int FindIndexInDacl(CommonAce newAce, RawAcl dacl)
{
int i = 0;
for (i = 0; i < dacl.Count; i++)
{
if (dacl[i] is CommonAce && ((CommonAce)dacl[i]).SecurityIdentifier.Value == newAce.SecurityIdentifier.Value && dacl[i].AceType == newAce.AceType)
{
i = -1;
break;
}
if (newAce.AceType == AceType.AccessDenied && dacl[i].AceType == AceType.AccessDenied && !newAce.IsInherited && !dacl[i].IsInherited)
continue;
if (newAce.AceType == AceType.AccessDenied && !newAce.IsInherited)
break;
if (newAce.AceType == AceType.AccessAllowed && dacl[i].AceType == AceType.AccessAllowed && !newAce.IsInherited && !dacl[i].IsInherited)
continue;
if (newAce.AceType == AceType.AccessAllowed && !newAce.IsInherited)
break;
}
return i;
}
private void BuildSecurityDescriptor()
{
Fx.Assert((null == securityDescriptor), "SecurityDescriptor must be NULL");
NTAccount name;
SecurityIdentifier sid;
CommonAce ace;
RawAcl acl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (operationRoleMembers != null)
{
foreach (string userName in operationRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
if (contractRoleMembers != null)
{
foreach (string userName in contractRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
if (serviceRoleMembers != null)
{
foreach (string userName in serviceRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl dacl = new DiscretionaryAcl(true, false, acl);
securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, dacl);
}
public void GetBinaryForm ()
{
RawSecurityDescriptor sd = new RawSecurityDescriptor ("");
sd.Owner = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null);
sd.Group = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
sd.DiscretionaryAcl = new RawAcl (1, 0);
sd.SystemAcl = new RawAcl (1, 0);
sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);
// Empty ACL form
byte[] buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm (buffer, 0);
byte[] sdBinary = new byte[] {
0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 };
Assert.AreEqual (sdBinary, buffer);
// Add an ACE to the DACL
SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
sd.DiscretionaryAcl.InsertAce (0, ace);
buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm (buffer, 0);
sdBinary = new byte[] {
0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
0x00, 0x00 };
Assert.AreEqual (sdBinary, buffer);
// This time with an Object ACE
ObjectAce objectAce = new ObjectAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 0x12345678, builtInAdmins, ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent, new Guid ("189c0dc7-b849-4dea-93a5-6d4cb8857a5c"), new Guid ("53b4a3d4-fe39-468b-bc60-b4fcba772fa5"), false, null);
sd.DiscretionaryAcl = new RawAcl (2, 0);
sd.DiscretionaryAcl.InsertAce (0, objectAce);
buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm (buffer, 0);
sdBinary = new byte[] {
0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x44, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x10,
0x3C, 0x00, 0x78, 0x56, 0x34, 0x12, 0x03, 0x00, 0x00, 0x00,
0xC7, 0x0D, 0x9C, 0x18, 0x49, 0xB8, 0xEA, 0x4D, 0x93, 0xA5,
0x6D, 0x4C, 0xB8, 0x85, 0x7A, 0x5C, 0xD4, 0xA3, 0xB4, 0x53,
0x39, 0xFE, 0x8B, 0x46, 0xBC, 0x60, 0xB4, 0xFC, 0xBA, 0x77,
0x2F, 0xA5, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 };
Assert.AreEqual (sdBinary, buffer);
}
GenericAce MergeExplicitAcePair(GenericAce ace1, GenericAce ace2)
{
QualifiedAce qace1 = ace1 as QualifiedAce;
QualifiedAce qace2 = ace2 as QualifiedAce;
if (!(null != qace1 && null != qace2))
{
return(null);
}
if (!(qace1.AceQualifier == qace2.AceQualifier))
{
return(null);
}
if (!(qace1.SecurityIdentifier == qace2.SecurityIdentifier))
{
return(null);
}
AceFlags aceFlags1 = qace1.AceFlags, aceFlags2 = qace2.AceFlags, aceFlagsNew;
int accessMask1 = qace1.AccessMask, accessMask2 = qace2.AccessMask, accessMaskNew;
if (!IsContainer)
{
aceFlags1 &= ~AceFlags.InheritanceFlags;
aceFlags2 &= ~AceFlags.InheritanceFlags;
}
if (aceFlags1 != aceFlags2)
{
if (accessMask1 != accessMask2)
{
return(null);
}
if ((aceFlags1 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit)) ==
(aceFlags2 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit)))
{
aceFlagsNew = aceFlags1 | aceFlags2; // merge InheritanceFlags
accessMaskNew = accessMask1;
}
else if ((aceFlags1 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess)) ==
(aceFlags2 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess)))
{
aceFlagsNew = aceFlags1 | aceFlags2; // merge AuditFlags
accessMaskNew = accessMask1;
}
else
{
return(null);
}
}
else
{
aceFlagsNew = aceFlags1;
accessMaskNew = accessMask1 | accessMask2;
}
CommonAce cace1 = ace1 as CommonAce;
CommonAce cace2 = ace2 as CommonAce;
if (null != cace1 && null != cace2)
{
return(new CommonAce(aceFlagsNew, cace1.AceQualifier, accessMaskNew,
cace1.SecurityIdentifier, cace1.IsCallback, cace1.GetOpaque()));
}
ObjectAce oace1 = ace1 as ObjectAce;
ObjectAce oace2 = ace2 as ObjectAce;
if (null != oace1 && null != oace2)
{
// See DiscretionaryAclTest.GuidEmptyMergesRegardlessOfFlagsAndOpaqueDataIsNotConsidered
Guid type1, inheritedType1; GetObjectAceTypeGuids(oace1, out type1, out inheritedType1);
Guid type2, inheritedType2; GetObjectAceTypeGuids(oace2, out type2, out inheritedType2);
if (type1 == type2 && inheritedType1 == inheritedType2)
{
return(new ObjectAce(aceFlagsNew, oace1.AceQualifier, accessMaskNew,
oace1.SecurityIdentifier,
oace1.ObjectAceFlags, oace1.ObjectAceType, oace1.InheritedObjectAceType,
oace1.IsCallback, oace1.GetOpaque()));
}
}
return(null);
}
//
// Helper function behind all the AddXXX methods for qualified aces
//
internal void AddQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
{
if ( sid == null )
{
throw new ArgumentNullException( "sid" );
}
Contract.EndContractBlock();
ThrowIfNotCanonical();
bool aceMerged = false; // if still false after all attempts to merge, create new entry
if ( qualifier == AceQualifier.SystemAudit &&
(( flags & AceFlags.AuditFlags ) == 0 ))
{
throw new ArgumentException(
Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
"flags" );
}
if ( accessMask == 0 )
{
throw new ArgumentException(
Environment.GetResourceString( "Argument_ArgumentZero" ),
"accessMask" );
}
GenericAce newAce;
if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
{
newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
}
else
{
newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );
}
//
// Make sure the new ACE wouldn't be meaningless before proceeding
//
if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))
{
return;
}
//
// See if the new ACE can be merged with any of the existing ones
//
for ( int i = 0; i < Count; i++ )
{
QualifiedAce ace = _acl[i] as QualifiedAce;
if ( ace == null )
{
continue;
}
if ( true == MergeAces( ref ace, newAce as QualifiedAce ))
{
aceMerged = true;
break;
}
}
//
// Couldn't modify any existing entry, so add a new one
//
if ( !aceMerged )
{
_acl.InsertAce( _acl.Count, newAce );
_isDirty = true;
}
OnAclModificationTried();
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CommonAce" /> class.</summary>
/// <param name="flags">Flags that specify information about the inheritance, inheritance propagation, and auditing conditions for the new access control entry (ACE).</param>
/// <param name="qualifier">The use of the new ACE.</param>
/// <param name="accessMask">The access mask for the ACE.</param>
/// <param name="sid">The <see cref="T:System.Security.Principal.SecurityIdentifier" /> associated with the new ACE.</param>
/// <param name="isCallback">
/// <see langword="true" /> to specify that the new ACE is a callback type ACE.</param>
/// <param name="opaque">Opaque data associated with the new ACE. Opaque data is allowed only for callback ACE types. The length of this array must not be greater than the return value of the <see cref="M:System.Security.AccessControl.CommonAce.MaxOpaqueLength(System.Boolean)" /> method.</param>
// Token: 0x06001E6F RID: 7791 RVA: 0x0006A48A File Offset: 0x0006868A
public CommonAce(AceFlags flags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, bool isCallback, byte[] opaque) : base(CommonAce.TypeFromQualifier(isCallback, qualifier), flags, accessMask, sid, opaque)
{
}
//
// Helper function behind all the RemoveXXX methods
//
internal bool RemoveQualifiedAces( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
{
if ( accessMask == 0 )
{
throw new ArgumentException(
Environment.GetResourceString( "Argument_ArgumentZero" ),
"accessMask" );
}
if ( qualifier == AceQualifier.SystemAudit &&
(( flags & AceFlags.AuditFlags ) == 0 ))
{
throw new ArgumentException(
Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
"flags" );
}
if ( sid == null )
{
throw new ArgumentNullException( "sid" );
}
Contract.EndContractBlock();
ThrowIfNotCanonical();
//
// Two passes are made.
// During the first pass, no changes are made to the ACL,
// the ACEs are simply evaluated to ascertain that the operation
// can succeed.
// If everything is kosher, the second pass is the one that makes changes.
//
bool evaluationPass = true;
bool removePossible = true; // unless proven otherwise
//
// Needed for DS acls to keep track of the original access mask specified for removal
//
int originalAccessMask = accessMask;
AceFlags originalFlags = flags;
//
// It is possible that the removal will result in an overflow exception
// because more ACEs get inserted.
// Save the current state of the object and revert to it later if
// and exception is thrown.
//
byte[] recovery = new byte[BinaryLength];
GetBinaryForm( recovery, 0 );
MakeAnotherPass:
try
{
for ( int i = 0; i < Count; i++ )
{
QualifiedAce ace = _acl[i] as QualifiedAce;
//
// Not a qualified ACE - keep going
//
if ( ace == null )
{
continue;
}
//
// Only interested in explicit (non-inherited) ACEs
//
if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
{
continue;
}
//
// Only interested in ACEs with the specified qualifier
//
if ( ace.AceQualifier != qualifier )
{
continue;
}
//
// Only interested in ACEs with the specified SID
//
if ( ace.SecurityIdentifier != sid )
{
continue;
}
//
// If access masks have nothing in common, skip the whole exercise
//
if ( IsDS )
{
//
// incase of directory aces, if the access mask of the
// existing and new ace have any bits in common that need
// an object type, then we need to perform some checks on the
// object types in the two aces. Since certain bits are further qualified
// by the object type they cannot be determined to be common without
// inspecting the object type. It is possible that the same bits may be set but
// the object types are different in which case they are really not common bits.
//
accessMask = originalAccessMask;
bool objectTypesConflict = !GetAccessMaskForRemoval( ace, objectFlags, objectType, ref accessMask );
// if the access masks have nothing in common, skip
if (( ace.AccessMask & accessMask ) == 0 )
{
continue;
}
//
// incase of directory aces, if the existing and new ace are being inherited,
// then we need to perform some checks on the
// inherited object types in the two aces. Since inheritance is further qualified
// by the inherited object type the inheritance flags cannot be determined to be common without
// inspecting the inherited object type. It is possible that both aces may be further inherited but if
// the inherited object types are different the inheritance may not be common.
//
flags = originalFlags;
bool inheritedObjectTypesConflict = !GetInheritanceFlagsForRemoval( ace, objectFlags, inheritedObjectType, ref flags );
if (((( ace.AceFlags & AceFlags.ContainerInherit ) == 0 ) && (( flags & AceFlags.ContainerInherit ) != 0 ) && (( flags & AceFlags.InheritOnly ) != 0 )) ||
((( flags & AceFlags.ContainerInherit ) == 0 ) && (( ace.AceFlags & AceFlags.ContainerInherit ) != 0 ) && (( ace.AceFlags & AceFlags.InheritOnly ) != 0)))
{
// if one ace applies only to self and the other only to children/descendents we have nothing in common
continue;
}
//
// if the ace being removed referred only to child types and child types among existing ace and
// ace being removed are not common then there is nothing in common between these aces (skip)
//
if ((( originalFlags & AceFlags.ContainerInherit ) != 0 ) && (( originalFlags & AceFlags.InheritOnly ) != 0 ) && (( flags & AceFlags.ContainerInherit ) == 0 ))
{
continue;
}
if ( objectTypesConflict || inheritedObjectTypesConflict )
{
//
// if we reached this stage, then we've found something common between the two aces.
// But since there is a conflict between the object types (or inherited object types), the remove is not possible
//
removePossible = false;
break;
}
}
else
{
if (( ace.AccessMask & accessMask ) == 0 )
{
continue;
}
}
//
// If audit flags on a SACL have nothing in common,
// skip the whole exercise
//
if ( saclSemantics &&
(( ace.AceFlags & flags & AceFlags.AuditFlags ) == 0 ))
{
continue;
}
//
// See if the ACE needs to be split into several
// To illustrate with an example, consider this equation:
// From: CI OI NP SA FA R W
// Remove: OI IO NP SA R
//
// PermissionSplit: CI OI NP SA FA W // remove R
// AuditingSplit: CI OI NP FA R // remove SA
// MergeSplit: CI OI NP SA R // ready for merge
// Remove: OI IO NP SA R // same audit and perm flags as merge split
//
// Result: CI OI NP SA FA W // PermissionSplit
// CI OI NP FA R // AuditingSplit
// CI NP SA R // Result of perm removal
//
//
// Example for DS acls (when removal is possible)
//
// From: CI(Guid) LC CC(Guid)
// Remove: CI IO LC
//
// PermissionSplit: CI(Guid) CC(Guid) // Remove GR
// MergeSplit: CI(Guid) LC // Ready for merge
// Remove: CI IO LC // Removal is possible since we are trying to remove inheritance for
// all child types when it exists for one specific child type
//
// Result: CI(Guid) CC(Guid) // PermissionSplit
// LC // Result of perm removal
//
//
// Example for DS acls (when removal is NOT possible)
//
// From: CI GR CC(Guid)
// Remove: CI(Guid) IO LC
//
// PermissionSplit: CI CC(Guid) // Remove GR
// MergeSplit: CI LC // Ready for merge
// Remove: CI(Guid) IO CC // Removal is not possible since we are trying to remove
// inheritance for a specific child type when it exists for all child types
//
// Permission split settings
AceFlags ps_AceFlags = 0;
int ps_AccessMask = 0;
ObjectAceFlags ps_ObjectAceFlags = 0;
Guid ps_ObjectAceType = Guid.Empty;
Guid ps_InheritedObjectAceType = Guid.Empty;
// Auditing split makes sense if this is a SACL
AceFlags as_AceFlags = 0;
int as_AccessMask = 0;
ObjectAceFlags as_ObjectAceFlags = 0;
Guid as_ObjectAceType = Guid.Empty;
Guid as_InheritedObjectAceType = Guid.Empty;
// Merge split settings
AceFlags ms_AceFlags = 0;
int ms_AccessMask = 0;
ObjectAceFlags ms_ObjectAceFlags = 0;
Guid ms_ObjectAceType = Guid.Empty;
Guid ms_InheritedObjectAceType = Guid.Empty;
// Merge result settings
AceFlags mergeResultFlags = 0;
bool mergeRemoveTotal = false;
//
// First compute the permission split
//
ps_AceFlags = ace.AceFlags;
unchecked { ps_AccessMask = ace.AccessMask & ~accessMask; }
if ( ace is ObjectAce )
{
//
// determine what should be the object/inherited object types on the permission split
//
GetObjectTypesForSplit( ace as ObjectAce, ps_AccessMask /* access mask for this split */, ps_AceFlags /* flags remain the same */, out ps_ObjectAceFlags, out ps_ObjectAceType, out ps_InheritedObjectAceType );
}
//
// Next, for SACLs only, compute the auditing split
//
if ( saclSemantics )
{
//
// This operation can set the audit bits region
// of ACE flags to zero;
// This case will be handled later
//
unchecked { as_AceFlags = ace.AceFlags & ~( flags & AceFlags.AuditFlags ); }
//
// The result of this evaluation is guaranteed
// not to be zero by now
//
as_AccessMask = ( ace.AccessMask & accessMask );
if ( ace is ObjectAce )
{
//
// determine what should be the object/inherited object types on the audit split
//
GetObjectTypesForSplit( ace as ObjectAce, as_AccessMask /* access mask for this split */, as_AceFlags /* flags remain the same for inheritance */, out as_ObjectAceFlags, out as_ObjectAceType, out as_InheritedObjectAceType );
}
}
//
// Finally, compute the merge split
//
ms_AceFlags = ( ace.AceFlags & AceFlags.InheritanceFlags ) | ( flags & ace.AceFlags & AceFlags.AuditFlags );
ms_AccessMask = ( ace.AccessMask & accessMask );
//
// Now is the time to obtain the result of applying the remove
// operation to the merge split
// Skipping this step for SACLs where the merge split step
// produced no auditing flags
//
if ( !saclSemantics ||
(( ms_AceFlags & AceFlags.AuditFlags ) != 0 ))
{
if ( false == RemoveInheritanceBits( ms_AceFlags, flags, IsDS, out mergeResultFlags, out mergeRemoveTotal ))
{
removePossible = false;
break;
}
if ( !mergeRemoveTotal )
{
mergeResultFlags |= ( ms_AceFlags & AceFlags.AuditFlags );
if ( ace is ObjectAce )
{
//
// determine what should be the object/inherited object types on the merge split
//
GetObjectTypesForSplit( ace as ObjectAce, ms_AccessMask /* access mask for this split */, mergeResultFlags /* flags for this split */, out ms_ObjectAceFlags, out ms_ObjectAceType, out ms_InheritedObjectAceType );
}
}
}
//
// If this is no longer an evaluation, go ahead and make the changes
//
if ( !evaluationPass )
{
QualifiedAce newAce;
//
// Modify the existing ACE in-place if it has any access
// mask bits left, otherwise simply remove it
// However, if for an object ace we are removing the object type
// then we should really remove this ace and add a new one since
// we would be changing the size of this ace
//
if ( ps_AccessMask != 0 )
{
if (( ace is ObjectAce ) &&
(((( ObjectAce) ace ).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) &&
(( ps_ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
{
ObjectAce newObjectAce;
_acl.RemoveAce(i);
newObjectAce = new ObjectAce( ps_AceFlags, qualifier, ps_AccessMask, ace.SecurityIdentifier, ps_ObjectAceFlags, ps_ObjectAceType, ps_InheritedObjectAceType, false, null );
_acl.InsertAce( i, newObjectAce );
}
else
{
ace.AceFlags = ps_AceFlags;
ace.AccessMask = ps_AccessMask;
if ( ace is ObjectAce )
{
ObjectAce objectAce = ace as ObjectAce;
objectAce.ObjectAceFlags = ps_ObjectAceFlags;
objectAce.ObjectAceType = ps_ObjectAceType;
objectAce.InheritedObjectAceType = ps_InheritedObjectAceType;
}
}
}
else
{
_acl.RemoveAce(i);
i--; // keep the array index honest
}
//
// On a SACL, the result of the auditing split must be recorded
//
if ( saclSemantics && (( as_AceFlags & AceFlags.AuditFlags ) != 0 ))
{
if ( ace is CommonAce )
{
newAce = new CommonAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, false, null );
}
else
{
// object ace
newAce = new ObjectAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, as_ObjectAceFlags, as_ObjectAceType, as_InheritedObjectAceType, false, null );
}
i++; // so it's not considered again
_acl.InsertAce( i, newAce );
}
//
// If there are interesting bits left over from a remove, store them
// as a separate ACE
//
if ( !mergeRemoveTotal )
{
if ( ace is CommonAce )
{
newAce = new CommonAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, false, null );
}
else
{
// object ace
newAce = new ObjectAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, ms_ObjectAceFlags, ms_ObjectAceType, ms_InheritedObjectAceType, false, null );
}
i++; // so it's not considered again
_acl.InsertAce( i, newAce );
}
}
}
}
catch( OverflowException )
{
//
// Oops, overflow means that the ACL became too big.
// Inform the caller that the remove was not possible.
//
_acl.SetBinaryForm( recovery, 0 );
return false;
}
//
// Finished evaluating the possibility of a remove.
// If it looks like it's doable, go ahead and do it.
//
if ( evaluationPass && removePossible )
{
evaluationPass = false;
goto MakeAnotherPass;
}
OnAclModificationTried();
return removePossible;
}
internal void AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
{
GenericAce ace;
if (sid == null)
{
throw new ArgumentNullException("sid");
}
this.ThrowIfNotCanonical();
bool flag = false;
if ((qualifier == AceQualifier.SystemAudit) && (((byte) (flags & AceFlags.AuditFlags)) == 0))
{
throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
}
if (accessMask == 0)
{
throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
}
if (!this.IsDS || (objectFlags == ObjectAceFlags.None))
{
ace = new CommonAce(flags, qualifier, accessMask, sid, false, null);
}
else
{
ace = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null);
}
if (this.InspectAce(ref ace, this is DiscretionaryAcl))
{
for (int i = 0; i < this.Count; i++)
{
QualifiedAce ace2 = this._acl[i] as QualifiedAce;
if ((ace2 != null) && this.MergeAces(ref ace2, ace as QualifiedAce))
{
flag = true;
break;
}
}
if (!flag)
{
this._acl.InsertAce(this._acl.Count, ace);
this._isDirty = true;
}
this.OnAclModificationTried();
}
}
