protected ObjectSecurity( bool isContainer, bool isDS )
: this()
{
// we will create an empty DACL, denying anyone any access as the default. 5 is the capacity.
DiscretionaryAcl dacl = new DiscretionaryAcl(isContainer, isDS, 5);
_securityDescriptor = new CommonSecurityDescriptor( isContainer, isDS, ControlFlags.None, null, null, null, dacl );
}
public void RemoveAuditRule_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectType = Guid.NewGuid();
var customAuditRuleWrite = new CustomAuditRule(
Helpers.s_LocalSystemNTAccount, WriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectType, Guid.NewGuid(), AuditFlags.Success
);
var customAuditRuleReadWrite = new CustomAuditRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectType, Guid.NewGuid(), AuditFlags.Success
);
customObjectSecurity.AddAuditRule(customAuditRuleReadWrite);
customObjectSecurity.RemoveAuditRule(customAuditRuleWrite);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
List <CustomAuditRule> existingRules = ruleCollection.Cast <CustomAuditRule>().ToList();
Assert.True(existingRules.Count > 0);
Assert.True(
existingRules.Any(
x => x.AccessMaskValue == ReadAccessMask &&
x.AuditFlags == AuditFlags.Success &&
x.IdentityReference == Helpers.s_LocalSystemNTAccount
)
);
}
internal NativeObjectSecurity (CommonSecurityDescriptor securityDescriptor, ResourceType resourceType)
: base (securityDescriptor)
{
#if !MOBILE
resource_type = resourceType;
#endif
}
/// <summary>初始化 <see cref="T:System.Security.AccessControl.ObjectSecurity" /> 类的新实例。</summary>
/// <param name="isContainer">如果新 <see cref="T:System.Security.AccessControl.ObjectSecurity" /> 对象是一个容器对象,则为 true。</param>
/// <param name="isDS">如果新 <see cref="T:System.Security.AccessControl.ObjectSecurity" /> 对象是一个目录对象,则为 true。</param>
protected ObjectSecurity(bool isContainer, bool isDS)
: this()
{
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, 5);
this._securityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, ControlFlags.None, (SecurityIdentifier)null, (SecurityIdentifier)null, (SystemAcl)null, discretionaryAcl);
}
public void GetBinaryForm ()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.AreEqual (20, csd.BinaryLength);
byte[] binaryForm = new byte[csd.BinaryLength];
csd.GetBinaryForm (binaryForm, 0);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative,
csd.ControlFlags);
// The default 'Allow Everyone Full Access' serializes as NOT having a
// DiscretionaryAcl, as the above demonstrates (byte 3 is 0 not 4).
Assert.AreEqual (new byte[20] {
1, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
}, binaryForm);
// Changing SystemAcl protection does nothing special.
csd.SetSystemAclProtection (true, true);
Assert.AreEqual (20, csd.BinaryLength);
// Modifying the DiscretionaryAcl (even effective no-ops like this) causes serialization.
csd.SetDiscretionaryAclProtection (false, true);
Assert.AreEqual (48, csd.BinaryLength);
}
public void SetAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
customObjectSecurity.SetAccessRule(customAccessRuleRead);
var existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleRead, existingRules);
}
public void AddAccessRule_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var customAccessRuleAllow = new CustomAccessRule(
Helpers.s_NetworkServiceNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleDeny = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleAllow);
customObjectSecurity.AddAccessRule(customAccessRuleDeny);
AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
List <CustomAccessRule> addedRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.Contains(customAccessRuleAllow, addedRules);
Assert.Contains(customAccessRuleDeny, addedRules);
}
public void RemoveAccessRuleAll_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleSynchronize = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
customObjectSecurity.AddAccessRule(customAccessRuleSynchronize);
customObjectSecurity.RemoveAccessRuleAll(customAccessRuleSynchronize);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.False(existingRules.Contains(customAccessRuleReadWrite));
Assert.False(existingRules.Contains(customAccessRuleSynchronize));
}
public void RemoveAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask;
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadDataAndAttribute = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, readDataAndAttribute, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute);
customObjectSecurity.RemoveAccessRule(customAccessRuleRead);
AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
Assert.Contains(ruleCollection.Cast <CustomAccessRule>(), x =>
x.IdentityReference == Helpers.s_LocalSystemNTAccount &&
x.AccessControlType == AccessControlType.Deny &&
x.AccessMaskValue == ReadAttributeAccessMask
);
}
public void AddAuditRule_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var customAuditRuleRead = new CustomAuditRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AuditFlags.Success
);
var customAuditRuleReadAttribute = new CustomAuditRule(
new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAttributeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AuditFlags.Success
);
customObjectSecurity.AddAuditRule(customAuditRuleRead);
customObjectSecurity.AddAuditRule(customAuditRuleReadAttribute);
AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
List <CustomAuditRule> addedRules = ruleCollection.Cast <CustomAuditRule>().ToList();
Assert.Contains(customAuditRuleRead, addedRules);
Assert.Contains(customAuditRuleReadAttribute, addedRules);
}
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.ObjectSecurity" /> class.</summary>
/// <param name="securityDescriptor">The <see cref="T:System.Security.AccessControl.CommonSecurityDescriptor" />of the new <see cref="T:System.Security.AccessControl.CommonObjectSecurity" /> instance.</param>
// Token: 0x06001F8D RID: 8077 RVA: 0x0006E302 File Offset: 0x0006C502
protected ObjectSecurity(CommonSecurityDescriptor securityDescriptor) : this()
{
if (securityDescriptor == null)
{
throw new ArgumentNullException("securityDescriptor");
}
this._securityDescriptor = securityDescriptor;
}
public void ObjectInitialization_CommonSecurityDescriptor_Success()
{
var descriptor = new CommonSecurityDescriptor(false, false, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
Assert.False(customObjectSecurity.IsDS);
Assert.False(customObjectSecurity.IsContainer);
}
protected DirectoryObjectSecurity(CommonSecurityDescriptor securityDescriptor)
: base(securityDescriptor)
{
if (securityDescriptor == null)
{
throw new ArgumentNullException(nameof(securityDescriptor));
}
}
internal ObjectSecurity(CommonSecurityDescriptor securityDescriptor) : this()
{
if (securityDescriptor == null)
{
throw new ArgumentNullException("securityDescriptor");
}
this._securityDescriptor = securityDescriptor;
}
protected DirectoryObjectSecurity(CommonSecurityDescriptor securityDescriptor)
: base(securityDescriptor != null && securityDescriptor.IsContainer, true)
{
if (securityDescriptor == null)
{
throw new ArgumentNullException("securityDescriptor");
}
}
protected ObjectSecurity(bool isContainer, bool isDS)
: this()
{
// we will create an empty DACL, denying anyone any access as the default. 5 is the capacity.
DiscretionaryAcl dacl = new DiscretionaryAcl(isContainer, isDS, 5);
_securityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, ControlFlags.None, null, null, null, dacl);
}
internal ObjectSecurity (CommonSecurityDescriptor securityDescriptor)
{
if (securityDescriptor == null)
throw new ArgumentNullException ("securityDescriptor");
descriptor = securityDescriptor;
rw_lock = new ReaderWriterLock ();
}
static IpcStore()
{
var dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
IpcAcl = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
}
public void SecurityDescriptorResolver_ComputeHash_W2016_Vector1()
{
byte[] binarySecurityDescriptor = "01001480e802000004030000140000009400000004008000040000000240140020000c0001010000000000010000000002401800000100000102000000000005200000002002000002402400000100000105000000000005150000004dfc5019daac02ace33e5bc6010200000740280000010000010000005651ec457edbbb47b53fdbeb2d03c40f010100000000000100000000040054020f000000050028000001000001000000aaf63111079cd111f79f00c04fc2dcd2010100000000000509000000050028000001000001000000abf63111079cd111f79f00c04fc2dcd2010100000000000509000000050028000001000001000000acf63111079cd111f79f00c04fc2dcd201010000000000050900000005002c000001000001000000aaf63111079cd111f79f00c04fc2dcd20102000000000005200000002002000005002c000001000001000000abf63111079cd111f79f00c04fc2dcd20102000000000005200000002002000005002c000001000001000000acf63111079cd111f79f00c04fc2dcd201020000000000052000000020020000000014009400020001010000000000050b00000000022400ff010f000105000000000005150000004dfc5019daac02ace33e5bc60702000000001400ff010f00010100000000000512000000000a2400bd010f000105000000000005150000004dfc5019daac02ae33e5bc600020000050028000001000001000000adf63111079cd111f79f00c04fc2dcd2010100000000000509000000050028000001000001000000765be9894d44624c991a0facbeda640c01010000000000050900000005002c000001000001000000adf63111079cd111f79f00c04fc2dcd20102000000000005200000002002000005002c000001000001000000765be9894d44624c991a0facbeda640c01020000000000052000000020020000050038000001000001000000aaf63111079cd111f79f00c04fc2dcd20105000000000005150000004dfc5019daac02ace33e5bc6f20100000105000000000005150000004dfc5019daac02ace33e5bc6070200000105000000000005150000004dfc5019daac02ace33e5bc607020000".HexToBinary();
byte[] expectedHash = "1d5459903a7daca3926c0c4e09b26fe8".HexToBinary();
var securityDescriptor = new CommonSecurityDescriptor(true, false, binarySecurityDescriptor, 0);
byte[] hash = SecurityDescriptorRersolver.ComputeHash(securityDescriptor);
Assert.AreEqual(true, expectedHash.SequenceEqual(hash));
}
public void DefaultOwnerAndGroup ()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.IsNull (csd.Owner);
Assert.IsNull (csd.Group);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
}
public void ConstructorLetsFalseDSThrough ()
{
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
TestSecurity security = new TestSecurity (descriptor);
Assert.IsFalse (security.IsContainerTest);
Assert.IsFalse (security.IsDSTest);
}
public void SecurityDescriptorResolver_ComputeHash_W2016_Vector2()
{
byte[] binarySecurityDescriptor = "0f00000001000480300000003c000000000000001400000002001c000100000000031400ffffffff010100000000000100000000010100000000000100000000010100000000000100000000".HexToBinary();
byte[] expectedHash = "5763e6665429964b143bb464463bf068".HexToBinary();
var securityDescriptor = new CommonSecurityDescriptor(true, true, binarySecurityDescriptor, 0);
byte[] hash = SecurityDescriptorRersolver.ComputeHash(securityDescriptor);
Assert.AreEqual(true, expectedHash.SequenceEqual(hash));
}
internal NativeObjectSecurity(ResourceType resourceType, CommonSecurityDescriptor securityDescriptor, ExceptionFromErrorCode exceptionFromErrorCode) : base(securityDescriptor)
{
this.ProtectedDiscretionaryAcl = 0x80000000;
this.ProtectedSystemAcl = 0x40000000;
this.UnprotectedDiscretionaryAcl = 0x20000000;
this.UnprotectedSystemAcl = 0x10000000;
this._resourceType = resourceType;
this._exceptionFromErrorCode = exceptionFromErrorCode;
}
internal NativeObjectSecurity(ResourceType resourceType, CommonSecurityDescriptor securityDescriptor, ExceptionFromErrorCode exceptionFromErrorCode) : base(securityDescriptor)
{
this.ProtectedDiscretionaryAcl = 0x80000000;
this.ProtectedSystemAcl = 0x40000000;
this.UnprotectedDiscretionaryAcl = 0x20000000;
this.UnprotectedSystemAcl = 0x10000000;
this._resourceType = resourceType;
this._exceptionFromErrorCode = exceptionFromErrorCode;
}
protected ObjectSecurity(CommonSecurityDescriptor securityDescriptor)
{
if (securityDescriptor == null)
{
throw new ArgumentNullException("securityDescriptor");
}
descriptor = securityDescriptor;
rw_lock = new ReaderWriterLock();
}
public IpcServerChannel(IDictionary properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor)
{
this._channelPriority = 20;
this._channelName = "ipc server";
this._bExclusiveAddressUse = true;
this._waitForStartListening = new AutoResetEvent(false);
if (properties != null)
{
foreach (DictionaryEntry entry in properties)
{
switch (((string) entry.Key))
{
case "name":
this._channelName = (string) entry.Value;
break;
case "portName":
this._portName = (string) entry.Value;
break;
case "priority":
this._channelPriority = Convert.ToInt32(entry.Value, CultureInfo.InvariantCulture);
break;
case "secure":
this._secure = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
break;
case "impersonate":
this._impersonate = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
this.authSet = true;
break;
case "suppressChannelData":
this._bSuppressChannelData = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
break;
case "authorizedGroup":
this._authorizedGroup = (string) entry.Value;
break;
case "exclusiveAddressUse":
this._bExclusiveAddressUse = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
break;
}
}
}
if (this._portName == null)
{
throw new RemotingException(CoreChannel.GetResourceString("Remoting_Ipc_NoPortNameSpecified"));
}
this._sinkProvider = sinkProvider;
this._securityDescriptor = securityDescriptor;
this.SetupChannel();
}
protected DirectoryObjectSecurity(CommonSecurityDescriptor securityDescriptor)
: base(securityDescriptor)
{
if (securityDescriptor == null)
{
throw new ArgumentNullException("securityDescriptor");
}
Contract.EndContractBlock();
_securityDescriptor = securityDescriptor;
}
protected ObjectSecurity(CommonSecurityDescriptor securityDescriptor)
: this()
{
if ( securityDescriptor == null )
{
throw new ArgumentNullException( nameof(securityDescriptor));
}
Contract.EndContractBlock();
_securityDescriptor = securityDescriptor;
}
protected DirectoryObjectSecurity(CommonSecurityDescriptor securityDescriptor)
: base(securityDescriptor)
{
if (securityDescriptor == null)
{
throw new ArgumentNullException(nameof(securityDescriptor));
}
Contract.EndContractBlock();
_securityDescriptor = securityDescriptor;
}
protected ObjectSecurity(CommonSecurityDescriptor securityDescriptor)
: this()
{
if (securityDescriptor == null)
{
throw new ArgumentNullException("securityDescriptor");
}
Contract.EndContractBlock();
_securityDescriptor = securityDescriptor;
}
public void GetAuditRules_ReturnsValidObject()
{
var descriptor = new CommonSecurityDescriptor(false, false, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAuditRules(true, false, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
}
internal ObjectSecurity( CommonSecurityDescriptor securityDescriptor )
: this()
{
if ( securityDescriptor == null )
{
throw new ArgumentNullException( "securityDescriptor" );
}
Contract.EndContractBlock();
_securityDescriptor = securityDescriptor;
}
public void GetAccessRules_TargetType_SecurityIdentifier_ReturnsValidObject()
{
var descriptor = new CommonSecurityDescriptor(false, false, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAccessRules(false, false, typeof(System.Security.Principal.SecurityIdentifier));
Assert.NotNull(ruleCollection);
Assert.Empty(ruleCollection);
}
public override byte[] GetAllowAllNodeAcl(string repositoryName, Guid domainId, Guid rootMapId)
{
// Return an empty Windows node ACL.
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return itemAcl;
}
public void AefaModifiedFlagIsStoredOnDiscretionaryAcl ()
{
CommonSecurityDescriptor csd1, csd2;
// Incidentally this shows the DiscretionaryAcl is NOT cloned.
csd1 = new CommonSecurityDescriptor (false, false, ControlFlags.None, null, null, null, null);
csd2 = new CommonSecurityDescriptor (false, false, ControlFlags.None, null, null, null, csd1.DiscretionaryAcl);
Assert.AreSame (csd1.DiscretionaryAcl, csd2.DiscretionaryAcl);
Assert.AreEqual ("", csd1.GetSddlForm (AccessControlSections.Access));
csd2.SetDiscretionaryAclProtection (false, true);
Assert.AreEqual ("D:(A;;0xffffffff;;;WD)", csd1.GetSddlForm (AccessControlSections.Access));
Assert.AreEqual ("D:(A;;0xffffffff;;;WD)", csd2.GetSddlForm (AccessControlSections.Access));
}
public static byte[] ComputeHash(CommonSecurityDescriptor securityDescriptor)
{
if(securityDescriptor == null)
{
return null;
}
// Convert to binary form
byte[] binaryForm = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(binaryForm, 0);
using(var md5 = MD5CryptoServiceProvider.Create())
{
return md5.ComputeHash(binaryForm);
}
}
public void RemoveAccessRuleAll_AccessControlType_Deny_ThrowException()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
AssertExtensions.Throws <InvalidOperationException, SystemException>(() => customObjectSecurity.RemoveAccessRuleAll(customAccessRuleReadWrite));
}
public IpcChannel(IDictionary properties, IClientChannelSinkProvider clientSinkProvider, IServerChannelSinkProvider serverSinkProvider, CommonSecurityDescriptor securityDescriptor)
{
this._channelPriority = 20;
this._channelName = "ipc";
Hashtable hashtable = new Hashtable();
Hashtable hashtable2 = new Hashtable();
bool flag = false;
if (properties != null)
{
foreach (DictionaryEntry entry in properties)
{
string key = (string) entry.Key;
if (key == null)
{
goto Label_00CC;
}
if (!(key == "name"))
{
if (key == "priority")
{
goto Label_0098;
}
if (key == "portName")
{
goto Label_00B6;
}
goto Label_00CC;
}
this._channelName = (string) entry.Value;
continue;
Label_0098:
this._channelPriority = Convert.ToInt32((string) entry.Value, CultureInfo.InvariantCulture);
continue;
Label_00B6:
hashtable2["portName"] = entry.Value;
flag = true;
continue;
Label_00CC:
hashtable[entry.Key] = entry.Value;
hashtable2[entry.Key] = entry.Value;
}
}
this._clientChannel = new IpcClientChannel(hashtable, clientSinkProvider);
if (flag)
{
this._serverChannel = new IpcServerChannel(hashtable2, serverSinkProvider, securityDescriptor);
}
}
public void ObjectSecurityJustWrapsCommonSecurityDescriptor ()
{
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
TestSecurity security = new TestSecurity (descriptor);
Assert.IsNull (security.GetOwner (typeof(SecurityIdentifier)));
SecurityIdentifier sid = new SecurityIdentifier ("WD");
descriptor.Owner = sid; // Not virtual, so the conclusion in the test's title.
Assert.IsFalse (security.OwnerModifiedTest);
Assert.AreSame (sid, security.GetOwner (typeof(SecurityIdentifier)));
security.SetOwner (sid);
Assert.IsTrue (security.OwnerModifiedTest);
Assert.AreSame (sid, security.GetOwner (typeof(SecurityIdentifier)));
}
internal static IpcPort Create(String portName, CommonSecurityDescriptor securityDescriptor, bool exclusive)
{
if (Environment.OSVersion.Platform != PlatformID.Win32NT) {
throw new NotSupportedException(CoreChannel.GetResourceString("Remoting_Ipc_Win9x"));
}
PipeHandle handle = null;
// Add the prefix to the portName
string pipeName = prefix + portName;
SECURITY_ATTRIBUTES attr = new SECURITY_ATTRIBUTES();
attr.nLength = (int)Marshal.SizeOf(attr);
byte[] sd = null;
// If no securityDescriptor was set by the user use the default
if (securityDescriptor == null)
{
securityDescriptor = s_securityDescriptor;
}
sd = new byte[securityDescriptor.BinaryLength];
// Get the binary form of the descriptor
securityDescriptor.GetBinaryForm(sd, 0);
GCHandle pinningHandle = GCHandle.Alloc(sd, GCHandleType.Pinned);
// get the address of the security descriptor
attr.lpSecurityDescriptor = Marshal.UnsafeAddrOfPinnedArrayElement(sd, 0);
// Create the named pipe with the appropriate name
handle = NativePipe.CreateNamedPipe(pipeName,
NativePipe.PIPE_ACCESS_DUPLEX | NativePipe.FILE_FLAG_OVERLAPPED
| (exclusive ? NativePipe.FILE_FLAG_FIRST_PIPE_INSTANCE : 0x0), // Or exclusive flag
NativePipe.PIPE_TYPE_BYTE | NativePipe.PIPE_READMODE_BYTE | NativePipe.PIPE_WAIT,
NativePipe.PIPE_UNLIMITED_INSTANCES,
8192,
8192,
NativePipe.NMPWAIT_WAIT_FOREVER,
attr);
pinningHandle.Free();
if (handle.Handle.ToInt32() == NativePipe.INVALID_HANDLE_VALUE){
int error = Marshal.GetLastWin32Error();
throw new RemotingException(String.Format(CultureInfo.CurrentCulture, CoreChannel.GetResourceString("Remoting_Ipc_CreateIpcFailed"), GetMessage(error)));
}
return new IpcPort(portName, handle);
}
private void BuildSecurityDescriptor()
{
NTAccount account;
SecurityIdentifier identifier;
CommonAce ace;
RawAcl rawAcl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (this.operationRoleMembers != null)
{
foreach (string str in this.operationRoleMembers)
{
account = new NTAccount(str);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.contractRoleMembers != null)
{
foreach (string str2 in this.contractRoleMembers)
{
account = new NTAccount(str2);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.serviceRoleMembers != null)
{
foreach (string str3 in this.serviceRoleMembers)
{
account = new NTAccount(str3);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl);
}
public IpcChannel(IDictionary properties,
IClientChannelSinkProvider clientSinkProvider,
IServerChannelSinkProvider serverSinkProvider,
CommonSecurityDescriptor securityDescriptor)
{
Hashtable clientData = new Hashtable();
Hashtable serverData = new Hashtable();
bool portFound = false;
// divide properties up for respective channels
if (properties != null)
{
foreach (DictionaryEntry entry in properties)
{
switch ((String)entry.Key)
{
// general channel properties
case "name": _channelName = (String)entry.Value; break;
case "priority": _channelPriority = Convert.ToInt32((String)entry.Value, CultureInfo.InvariantCulture); break;
case "portName":
{
serverData["portName"] = entry.Value;
portFound = true;
break;
}
default:
clientData[entry.Key] = entry.Value;
serverData[entry.Key] = entry.Value;
break;
}
}
}
_clientChannel = new IpcClientChannel(clientData, clientSinkProvider);
if (portFound)
_serverChannel = new IpcServerChannel(serverData, serverSinkProvider, securityDescriptor);
} // IpcChannel
public void RemoveAuditRuleSpecific_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAuditRuleReadWrite = new CustomAuditRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AuditFlags.Success
);
customObjectSecurity.AddAuditRule(customAuditRuleReadWrite);
customObjectSecurity.RemoveAuditRuleSpecific(customAuditRuleReadWrite);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
List <CustomAuditRule> existingRules = ruleCollection.Cast <CustomAuditRule>().ToList();
Assert.DoesNotContain(customAuditRuleReadWrite, existingRules);
}
public void RemoveAuditRuleSpecific_NoMatchableRuleFound()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAuditRuleReadWrite = new CustomAuditRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AuditFlags.Success
);
var customAuditRuleWrite = new CustomAuditRule(
Helpers.s_LocalSystemNTAccount, WriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AuditFlags.Success
);
customObjectSecurity.AddAuditRule(customAuditRuleReadWrite);
Assert.Contains(customAuditRuleReadWrite, customObjectSecurity.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAuditRule>());
customObjectSecurity.RemoveAuditRuleSpecific(customAuditRuleWrite);
Assert.Contains(customAuditRuleReadWrite, customObjectSecurity.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAuditRule>());
}
public void RemoveAccessRuleSpecific_AccessControlType_Deny_NoMatchableRules_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleRead = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
customObjectSecurity.RemoveAccessRuleSpecific(customAccessRuleRead);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
}
public void RemoveAuditRuleSpecific_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");
var customAuditRuleReadWrite = new CustomAuditRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AuditFlags.Success
);
customObjectSecurity.AddAuditRule(customAuditRuleReadWrite);
customObjectSecurity.RemoveAuditRuleSpecific(customAuditRuleReadWrite);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAuditRules(true, true, typeof(System.Security.Principal.NTAccount));
List <CustomAuditRule> existingRules = ruleCollection.Cast <CustomAuditRule>().ToList();
Assert.False(existingRules.Contains(customAuditRuleReadWrite));
}
public void ResetAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleNetworkService = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null).Translate(typeof(NTAccount)), SynchronizeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleWrite = new CustomAccessRule(
new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), WriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
customObjectSecurity.AddAccessRule(customAccessRuleNetworkService);
List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.Contains(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
customObjectSecurity.ResetAccessRule(customAccessRuleWrite);
existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
Assert.Contains(customAccessRuleWrite, existingRules);
}
public void ResetAccessRule_AccessControlType_Allow_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var customAccessRuleReadWrite = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleNetworkService = new CustomAccessRule(
Helpers.s_NetworkServiceNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleRead = new CustomAccessRule(
Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
customObjectSecurity.AddAccessRule(customAccessRuleNetworkService);
List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.Contains(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
customObjectSecurity.ResetAccessRule(customAccessRuleRead);
existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
Assert.Contains(customAccessRuleNetworkService, existingRules);
Assert.Contains(customAccessRuleRead, existingRules);
}
public void RemoveRule_AccessControlType_Allow_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleWrite = new CustomAccessRule(
identityReference, WriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
bool result = customObjectSecurity.RemoveAccessRule(customAccessRuleWrite);
Assert.Equal(true, result);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
Assert.NotNull(ruleCollection);
List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.True(
existingRules.Any(
x => x.IdentityReference == identityReference &&
x.AccessControlType == customAccessRuleReadWrite.AccessControlType &&
x.AccessMaskValue == ReadAccessMask
));
}
public void ResetAccessRule_AccessControlType_Deny_Succeeds()
{
var descriptor = new CommonSecurityDescriptor(true, true, string.Empty);
var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
var objectTypeGuid = Guid.NewGuid();
var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM");
var customAccessRuleReadWrite = new CustomAccessRule(
identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
var customAccessRuleNetworkService = new CustomAccessRule(
new NTAccount(@"NT AUTHORITY\NetworkService"), SynchronizeAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
);
var customAccessRuleWrite = new CustomAccessRule(
new NTAccount(@"NT AUTHORITY\SYSTEM"), WriteAccessMask, true, InheritanceFlags.None,
PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
);
customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
customObjectSecurity.AddAccessRule(customAccessRuleNetworkService);
customObjectSecurity.ResetAccessRule(customAccessRuleWrite);
AuthorizationRuleCollection ruleCollection =
customObjectSecurity
.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();
Assert.False(existingRules.Contains(customAccessRuleReadWrite));
Assert.False(existingRules.Contains(customAccessRuleNetworkService));
Assert.True(existingRules.Contains(customAccessRuleWrite));
}
private static byte[] FromSecurityIdentifiersFull(List<SecurityIdentifier> allowedSids, int accessRights)
{
int capacity = (allowedSids == null) ? 3 : (2 + allowedSids.Count);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
discretionaryAcl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(WellKnownSidType.NetworkSid, null), 0x10000000, InheritanceFlags.None, PropagationFlags.None);
int accessMask = GenerateClientAccessRights(accessRights);
if (allowedSids == null)
{
discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.WorldSid, null), accessMask, InheritanceFlags.None, PropagationFlags.None);
}
else
{
for (int i = 0; i < allowedSids.Count; i++)
{
SecurityIdentifier sid = allowedSids[i];
discretionaryAcl.AddAccess(AccessControlType.Allow, sid, accessMask, InheritanceFlags.None, PropagationFlags.None);
}
}
discretionaryAcl.AddAccess(AccessControlType.Allow, GetProcessLogonSid(), accessRights, InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, null, null, null, discretionaryAcl);
byte[] binaryForm = new byte[descriptor.BinaryLength];
descriptor.GetBinaryForm(binaryForm, 0);
return binaryForm;
}
internal NativeObjectSecurity (CommonSecurityDescriptor securityDescriptor, ResourceType resourceType)
: base (securityDescriptor)
{
resource_type = resourceType;
}
public IpcServerChannel(IDictionary properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor)
{
if (properties != null)
{
foreach (DictionaryEntry entry in properties)
{
switch ((String)entry.Key)
{
case "name": _channelName = (String)entry.Value; break;
case "portName": _portName = (String)entry.Value; break;
case "priority": _channelPriority = Convert.ToInt32(entry.Value, CultureInfo.InvariantCulture); break;
case "secure": _secure = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); break;
case "impersonate": _impersonate = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); authSet = true; break;
case "suppressChannelData": _bSuppressChannelData = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); break;
case "authorizedGroup": _authorizedGroup = (String)entry.Value; break;
case "exclusiveAddressUse": _bExclusiveAddressUse = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture); break;
default:
break;
}
}
}
if (_portName == null)
throw new RemotingException(CoreChannel.GetResourceString(
"Remoting_Ipc_NoPortNameSpecified"));
_sinkProvider = sinkProvider;
_securityDescriptor = securityDescriptor;
SetupChannel();
} // IpcServerChannel
internal NativeObjectSecurity(ResourceType resourceType, CommonSecurityDescriptor securityDescriptor, ExceptionFromErrorCode exceptionFromErrorCode)
: base(securityDescriptor)
{
_resourceType = resourceType;
_exceptionFromErrorCode = exceptionFromErrorCode;
}
public CustomDirectoryObjectSecurity(CommonSecurityDescriptor securityDescriptor)
: base(securityDescriptor)
{
}
/// <summary>
///
/// </summary>
/// <exception cref="InvalidOperationException">
/// 1. Either both "AssemblyName" and "ConfigurationTypeName" must be specified
/// or both must not be specified.
/// </exception>
protected override void BeginProcessing()
{
if (isSddlSpecified && showUISpecified)
{
string message = StringUtil.Format(RemotingErrorIdStrings.ShowUIAndSDDLCannotExist,
"SecurityDescriptorSddl",
"ShowSecurityDescriptorUI");
throw new PSInvalidOperationException(message);
}
if (isRunAsCredentialSpecified)
{
WriteWarning(RemotingErrorIdStrings.RunAsSessionConfigurationSecurityWarning);
}
if (isSddlSpecified)
{
// Constructor call should succeed. The sddl is check in the property setter
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, sddl);
SecurityIdentifier networkSidIdentifier = new SecurityIdentifier(WellKnownSidType.NetworkSid, null);
bool networkDenyAllExists = false;
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
if (ace.AceQualifier.Equals(AceQualifier.AccessDenied) && ace.SecurityIdentifier.Equals(networkSidIdentifier) && ace.AccessMask == 268435456)
{
networkDenyAllExists = true;
break;
}
}
switch (AccessMode)
{
case PSSessionConfigurationAccessMode.Local:
if (!networkDenyAllExists)
{
descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Deny, networkSidIdentifier, 268435456, InheritanceFlags.None, PropagationFlags.None);
sddl = descriptor.GetSddlForm(AccessControlSections.All);
}
break;
case PSSessionConfigurationAccessMode.Remote:
if (networkDenyAllExists)
{
// Remove the specific ACE
descriptor.DiscretionaryAcl.RemoveAccessSpecific(AccessControlType.Deny, networkSidIdentifier, 268435456, InheritanceFlags.None, PropagationFlags.None);
// If the discretionaryAcl becomes empty, add the BA and RM which is the default WinRM behavior
if (descriptor.DiscretionaryAcl.Count == 0)
{
// BA
SecurityIdentifier baSidIdentifier = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, baSidIdentifier, 268435456, InheritanceFlags.None, PropagationFlags.None);
// Only for Win8+
if (Environment.OSVersion.Version >= new Version(6, 2))
{
// Remote Management Users
SecurityIdentifier rmSidIdentifier = new SecurityIdentifier(RemoteManagementUsersSID);
descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, rmSidIdentifier, 268435456, InheritanceFlags.None, PropagationFlags.None);
}
// Interactive Users
SecurityIdentifier iaSidIdentifier = new SecurityIdentifier(InteractiveUsersSID);
descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, iaSidIdentifier, 268435456, InheritanceFlags.None, PropagationFlags.None);
}
sddl = descriptor.GetSddlForm(AccessControlSections.All);
}
break;
case PSSessionConfigurationAccessMode.Disabled:
break;
}
}
if (!isSddlSpecified && !showUISpecified)
{
if (AccessMode.Equals(PSSessionConfigurationAccessMode.Local))
{
// If AccessMode is Local or Disabled and no SDDL specified, use the default local SDDL
sddl = GetLocalSddl();
}
else if (AccessMode.Equals(PSSessionConfigurationAccessMode.Remote))
{
// If AccessMode is Remote and no SDDL specified then use the default remote SDDL
sddl = GetRemoteSddl();
}
}
// check if we have compatible WSMan
RemotingCommandUtil.CheckRemotingCmdletPrerequisites();
PSSessionConfigurationCommandUtilities.ThrowIfNotAdministrator();
WSManConfigurationOption wsmanOption = transportOption as WSManConfigurationOption;
if (wsmanOption != null)
{
if (wsmanOption.ProcessIdleTimeoutSec != null && !isUseSharedProcessSpecified)
{
PSInvalidOperationException ioe = new PSInvalidOperationException(
StringUtil.Format(RemotingErrorIdStrings.InvalidConfigurationXMLAttribute, "ProcessIdleTimeoutSec",
"UseSharedProcess"));
ThrowTerminatingError(ioe.ErrorRecord);
}
}
}
/// <summary>
///
/// </summary>
/// <exception cref="InvalidOperationException">
/// 1. Either both "AssemblyName" and "ConfigurationTypeName" must be specified
/// or both must not be specified.
/// </exception>
protected override void BeginProcessing()
{
if (isSddlSpecified && showUISpecified)
{
string message = StringUtil.Format(RemotingErrorIdStrings.ShowUIAndSDDLCannotExist,
"SecurityDescriptorSddl",
"ShowSecurityDescriptorUI");
throw new PSInvalidOperationException(message);
}
if (isRunAsCredentialSpecified)
{
WriteWarning(RemotingErrorIdStrings.RunAsSessionConfigurationSecurityWarning);
}
// Populate the configTable hash, and get its SDDL if needed
if (Path != null)
{
ProviderInfo provider = null;
PSDriveInfo drive;
_configFilePath = SessionState.Path.GetUnresolvedProviderPathFromPSPath(Path, out provider, out drive);
string scriptName;
ExternalScriptInfo scriptInfo = DISCUtils.GetScriptInfoForFile(this.Context, _configFilePath, out scriptName);
_configTable = DISCUtils.LoadConfigFile(this.Context, scriptInfo);
if (!isSddlSpecified)
{
ErrorRecord error;
_configSddl = PSSessionConfigurationCommandUtilities.ComputeSDDLFromConfiguration(
_configTable,
AccessMode,
out error);
if (error != null)
{
WriteError(error);
}
if (!string.IsNullOrEmpty(_configSddl))
{
// Use Sddl from configuration.
isSddlSpecified = true;
SecurityDescriptorSddl = _configSddl;
}
}
if (_configTable.ContainsKey(ConfigFileConstants.RunAsVirtualAccount))
{
this.RunAsVirtualAccount = LanguagePrimitives.ConvertTo<bool>(_configTable[ConfigFileConstants.RunAsVirtualAccount]);
this.RunAsVirtualAccountSpecified = true;
}
if (_configTable.ContainsKey(ConfigFileConstants.RunAsVirtualAccountGroups))
{
this.RunAsVirtualAccountGroups = PSSessionConfigurationCommandUtilities.GetRunAsVirtualAccountGroupsString(
DISCPowerShellConfiguration.TryGetStringArray(_configTable[ConfigFileConstants.RunAsVirtualAccountGroups]));
}
}
if (isSddlSpecified && accessModeSpecified)
{
// Constructor call should succeed. The sddl is check in the property setter
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, sddl);
SecurityIdentifier networkSidIdentifier = new SecurityIdentifier(WellKnownSidType.NetworkSid, null);
bool networkDenyAllExists = false;
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
if (ace.AceQualifier.Equals(AceQualifier.AccessDenied) && ace.SecurityIdentifier.Equals(networkSidIdentifier) && ace.AccessMask == 268435456)
{
networkDenyAllExists = true;
break;
}
}
switch (AccessMode)
{
case PSSessionConfigurationAccessMode.Local:
if (!networkDenyAllExists)
{
descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Deny, networkSidIdentifier, 268435456, InheritanceFlags.None, PropagationFlags.None);
sddl = descriptor.GetSddlForm(AccessControlSections.All);
}
break;
case PSSessionConfigurationAccessMode.Remote:
if (networkDenyAllExists)
{
// Remove the specific ACE
descriptor.DiscretionaryAcl.RemoveAccessSpecific(AccessControlType.Deny, networkSidIdentifier, 268435456, InheritanceFlags.None, PropagationFlags.None);
// If the discretionaryAcl becomes empty, add the BA and RM which is the default WinRM behavior
if (descriptor.DiscretionaryAcl.Count == 0)
{
sddl = GetRemoteSddl();
}
else
{
sddl = descriptor.GetSddlForm(AccessControlSections.All);
}
}
break;
case PSSessionConfigurationAccessMode.Disabled:
break;
}
}
// check if we have compatible WSMan
RemotingCommandUtil.CheckRemotingCmdletPrerequisites();
PSSessionConfigurationCommandUtilities.ThrowIfNotAdministrator();
}
/// <summary>
/// Builds a session SDDL based on the provided configuration hashtable.
/// Retrieves RequiredGroups information to add conditional group membership restrictions to SDDL.
/// Retrieves RoleDefinitions information to include role user accounts.
/// </summary>
/// <param name="configTable"></param>
/// <param name="accessMode"></param>
/// <param name="error"></param>
/// <returns>SDDL</returns>
internal static string ComputeSDDLFromConfiguration(
Hashtable configTable,
PSSessionConfigurationAccessMode accessMode,
out ErrorRecord error)
{
Dbg.Assert(configTable != null, "configTable input parameter cannot be null.");
string sddl = string.Empty;
error = null;
// RoleDefinitions
if (configTable.ContainsKey(ConfigFileConstants.RoleDefinitions))
{
// Start with known good security descriptor.
if (accessMode == PSSessionConfigurationAccessMode.Local)
{
sddl = PSSessionConfigurationCommandBase.GetLocalSddl();
}
else if (accessMode == PSSessionConfigurationAccessMode.Remote)
{
sddl = PSSessionConfigurationCommandBase.GetRemoteSddl();
}
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor(false, false, sddl);
// Purge all existing access rules so that only role definition principals are granted access.
List<SecurityIdentifier> sidsToRemove = new List<SecurityIdentifier>();
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
sidsToRemove.Add(ace.SecurityIdentifier);
}
foreach (var sidToRemove in sidsToRemove)
{
descriptor.PurgeAccessControl(sidToRemove);
}
Hashtable roleNamesHash = configTable[ConfigFileConstants.RoleDefinitions] as Hashtable;
foreach (object roleName in roleNamesHash.Keys)
{
string roleNameValue = roleName.ToString();
try
{
NTAccount ntAccount = new NTAccount(roleNameValue);
SecurityIdentifier accountSid = (SecurityIdentifier)ntAccount.Translate(typeof(SecurityIdentifier));
// AccessMask = 268435456 == 0x10000000 == GR == Generic Read
descriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, accountSid, 268435456, InheritanceFlags.None, PropagationFlags.None);
}
catch (IdentityNotMappedException e)
{
string message = StringUtil.Format(RemotingErrorIdStrings.CouldNotResolveRoleDefinitionPrincipal, roleNameValue, e.Message);
InvalidOperationException ioe = new InvalidOperationException(message, e);
error = new ErrorRecord(ioe, "CouldNotResolveRoleDefinitionPrincipal", ErrorCategory.ObjectNotFound, roleNameValue);
}
}
if (descriptor.DiscretionaryAcl.Count > 0)
{
sddl = descriptor.GetSddlForm(AccessControlSections.All);
// RequiredGroups
string conditionalGroupACE = CreateConditionalACEFromConfig(configTable);
if (conditionalGroupACE != null)
{
sddl = UpdateSDDLUsersWithGroupConditional(sddl, conditionalGroupACE);
}
}
}
return sddl;
}
internal NativeObjectSecurity(ResourceType resourceType, CommonSecurityDescriptor securityDescriptor)
: this(resourceType, securityDescriptor, null)
{
}
// These two are based on similar utility methods in EasyHook:
private static IpcServerChannel CreateServerChannel(string channelName)
{
Dictionary<string, string> properties = new Dictionary<string, string>();
properties["name"] = channelName;
properties["portName"] = channelName;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
new SecurityIdentifier(WellKnownSidType.WorldSid, null),
-1,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor secDesc = new CommonSecurityDescriptor(
false,
false,
ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent,
null,
null,
null,
dacl);
BinaryServerFormatterSinkProvider sinkProv = new BinaryServerFormatterSinkProvider();
sinkProv.TypeFilterLevel = TypeFilterLevel.Full;
return new IpcServerChannel(properties, sinkProv, secDesc);
}
