Inheritance: QualifiedAce
Example #1
0
 /// <summary>初始化 <see cref="T:System.Security.AccessControl.ObjectAce" /> 类的新实例。</summary>
 /// <param name="aceFlags">新的访问控制项 (ACE) 的继承、继承传播和审核条件。</param>
 /// <param name="qualifier">使用新的 ACE。</param>
 /// <param name="accessMask">ACE 的访问掩码。</param>
 /// <param name="sid">与新的 ACE 关联的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param>
 /// <param name="flags">
 /// <paramref name="type" /> 和 <paramref name="inheritedType" /> 参数是否包含有效的对象 GUID。</param>
 /// <param name="type">一个 GUID,标识新的 ACE 所应用到的对象类型。</param>
 /// <param name="inheritedType">一个 GUID,标识能够继承新的 ACE 的对象类型。</param>
 /// <param name="isCallback">如果新的 ACE 是回调类型的 ACE,则为 true。</param>
 /// <param name="opaque">与新的 ACE 关联的不透明数据。只有回调 ACE 类型才允许不透明数据。此数组的长度一定不能大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</param>
 /// <exception cref="T:System.ArgumentOutOfRangeException">qualifier 参数包含无效的值,或者不透明参数的值的长度大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</exception>
 public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
     : base(ObjectAce.TypeFromQualifier(isCallback, qualifier), aceFlags, accessMask, sid, opaque)
 {
     this._objectFlags            = flags;
     this._objectAceType          = type;
     this._inheritedObjectAceType = inheritedType;
 }
Example #2
0
 static void GetObjectAceTypeGuids(ObjectAce ace, out Guid type, out Guid inheritedType)
 {
     type = Guid.Empty; inheritedType = Guid.Empty;
     if (0 != (ace.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent))
     {
         type = ace.ObjectAceType;
     }
     if (0 != (ace.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
     {
         inheritedType = ace.InheritedObjectAceType;
     }
 }
        internal override AuditRule InternalAuditRuleFactory(QualifiedAce ace, Type targetType)
        {
            ObjectAce oace = ace as ObjectAce;

            if (null == oace || ObjectAceFlags.None == oace.ObjectAceFlags)
            {
                return(base.InternalAuditRuleFactory(ace, targetType));
            }

            return(AuditRuleFactory(ace.SecurityIdentifier.Translate(targetType),
                                    ace.AccessMask, ace.IsInherited,
                                    ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags,
                                    oace.ObjectAceType, oace.InheritedObjectAceType));
        }
 private void GetObjectTypesForSplit(ObjectAce originalAce, int accessMask, AceFlags aceFlags, out ObjectAceFlags objectFlags, out Guid objectType, out Guid inheritedObjectType)
 {
     objectFlags         = ObjectAceFlags.None;
     objectType          = Guid.Empty;
     inheritedObjectType = Guid.Empty;
     if ((accessMask & ObjectAce.AccessMaskWithObjectType) != 0)
     {
         objectType   = originalAce.ObjectAceType;
         objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent;
     }
     if (((byte)(aceFlags & AceFlags.ContainerInherit)) != 0)
     {
         inheritedObjectType = originalAce.InheritedObjectAceType;
         objectFlags        |= originalAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent;
     }
 }
        internal void AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
        {
            GenericAce ace;

            if (sid == null)
            {
                throw new ArgumentNullException("sid");
            }
            this.ThrowIfNotCanonical();
            bool flag = false;

            if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
            {
                throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
            }
            if (accessMask == 0)
            {
                throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
            }
            if (!this.IsDS || (objectFlags == ObjectAceFlags.None))
            {
                ace = new CommonAce(flags, qualifier, accessMask, sid, false, null);
            }
            else
            {
                ace = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null);
            }
            if (this.InspectAce(ref ace, this is DiscretionaryAcl))
            {
                for (int i = 0; i < this.Count; i++)
                {
                    QualifiedAce ace2 = this._acl[i] as QualifiedAce;
                    if ((ace2 != null) && this.MergeAces(ref ace2, ace as QualifiedAce))
                    {
                        flag = true;
                        break;
                    }
                }
                if (!flag)
                {
                    this._acl.InsertAce(this._acl.Count, ace);
                    this._isDirty = true;
                }
                this.OnAclModificationTried();
            }
        }
        internal void RemoveQualifiedAcesSpecific(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
        {
            if (accessMask == 0)
            {
                throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
            }
            if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
            {
                throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
            }
            if (sid == null)
            {
                throw new ArgumentNullException("sid");
            }
            this.ThrowIfNotCanonical();
            for (int i = 0; i < this.Count; i++)
            {
                QualifiedAce ace = this._acl[i] as QualifiedAce;
                if ((((ace == null) || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid))) || ((ace.AceFlags != flags) || (ace.AccessMask != accessMask)))
                {
                    continue;
                }
                if (this.IsDS)
                {
                    if ((ace is ObjectAce) && (objectFlags != ObjectAceFlags.None))
                    {
                        ObjectAce ace2 = ace as ObjectAce;
                        if (ace2.ObjectTypesMatch(objectFlags, objectType) && ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType))
                        {
                            goto Label_00F2;
                        }
                        continue;
                    }
                    if ((ace is ObjectAce) || (objectFlags != ObjectAceFlags.None))
                    {
                        continue;
                    }
                }
Label_00F2:
                this._acl.RemoveAce(i);
                i--;
            }
            this.OnAclModificationTried();
        }
 private bool GetAccessMaskForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask)
 {
     if (((ace.AccessMask & accessMask) & ObjectAce.AccessMaskWithObjectType) != 0)
     {
         if (ace is ObjectAce)
         {
             ObjectAce ace2 = ace as ObjectAce;
             if (((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
             {
                 return(false);
             }
             if (!(((objectFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None) || ace2.ObjectTypesMatch(objectFlags, objectType)))
             {
                 accessMask &= ~ObjectAce.AccessMaskWithObjectType;
             }
         }
         else if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
         {
             return(false);
         }
     }
     return(true);
 }
 private bool GetInheritanceFlagsForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags)
 {
     if ((((byte)(ace.AceFlags & AceFlags.ContainerInherit)) != 0) && (((byte)(aceFlags & AceFlags.ContainerInherit)) != 0))
     {
         if (ace is ObjectAce)
         {
             ObjectAce ace2 = ace as ObjectAce;
             if (((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None))
             {
                 return(false);
             }
             if (!(((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None) || ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType)))
             {
                 aceFlags = (AceFlags)((byte)(((int)aceFlags) & 240));
             }
         }
         else if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
         {
             return(false);
         }
     }
     return(true);
 }
        /// <summary>Creates a <see cref="T:System.Security.AccessControl.GenericAce" /> object from the specified binary data.</summary>
        /// <param name="binaryForm">The binary data from which to create the new <see cref="T:System.Security.AccessControl.GenericAce" /> object.</param>
        /// <param name="offset">The offset at which to begin unmarshaling.</param>
        /// <returns>The <see cref="T:System.Security.AccessControl.GenericAce" /> object this method creates.</returns>
        // Token: 0x06001E46 RID: 7750 RVA: 0x00069C80 File Offset: 0x00067E80
        public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
        {
            GenericAce.VerifyHeader(binaryForm, offset);
            AceType    aceType = (AceType)binaryForm[offset];
            GenericAce genericAce;

            if (aceType == AceType.AccessAllowed || aceType == AceType.AccessDenied || aceType == AceType.SystemAudit || aceType == AceType.SystemAlarm || aceType == AceType.AccessAllowedCallback || aceType == AceType.AccessDeniedCallback || aceType == AceType.SystemAuditCallback || aceType == AceType.SystemAlarmCallback)
            {
                AceQualifier       qualifier;
                int                accessMask;
                SecurityIdentifier sid;
                bool               isCallback;
                byte[]             opaque;
                if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out isCallback, out opaque))
                {
                    goto IL_1A8;
                }
                AceFlags flags = (AceFlags)binaryForm[offset + 1];
                genericAce = new CommonAce(flags, qualifier, accessMask, sid, isCallback, opaque);
            }
            else if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessDeniedObject || aceType == AceType.SystemAuditObject || aceType == AceType.SystemAlarmObject || aceType == AceType.AccessAllowedCallbackObject || aceType == AceType.AccessDeniedCallbackObject || aceType == AceType.SystemAuditCallbackObject || aceType == AceType.SystemAlarmCallbackObject)
            {
                AceQualifier       qualifier2;
                int                accessMask2;
                SecurityIdentifier sid2;
                ObjectAceFlags     flags2;
                Guid               type;
                Guid               inheritedType;
                bool               isCallback2;
                byte[]             opaque2;
                if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out accessMask2, out sid2, out flags2, out type, out inheritedType, out isCallback2, out opaque2))
                {
                    goto IL_1A8;
                }
                AceFlags aceFlags = (AceFlags)binaryForm[offset + 1];
                genericAce = new ObjectAce(aceFlags, qualifier2, accessMask2, sid2, flags2, type, inheritedType, isCallback2, opaque2);
            }
            else if (aceType == AceType.AccessAllowedCompound)
            {
                int                accessMask3;
                CompoundAceType    compoundAceType;
                SecurityIdentifier sid3;
                if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask3, out compoundAceType, out sid3))
                {
                    goto IL_1A8;
                }
                AceFlags flags3 = (AceFlags)binaryForm[offset + 1];
                genericAce = new CompoundAce(flags3, accessMask3, compoundAceType, sid3);
            }
            else
            {
                AceFlags flags4 = (AceFlags)binaryForm[offset + 1];
                byte[]   array  = null;
                int      num    = (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8);
                if (num % 4 != 0)
                {
                    goto IL_1A8;
                }
                int num2 = num - 4;
                if (num2 > 0)
                {
                    array = new byte[num2];
                    for (int i = 0; i < num2; i++)
                    {
                        array[i] = binaryForm[offset + num - num2 + i];
                    }
                }
                genericAce = new CustomAce(aceType, flags4, array);
            }
            if ((genericAce is ObjectAce || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength) && (!(genericAce is ObjectAce) || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) - 32 == genericAce.BinaryLength))
            {
                return(genericAce);
            }
IL_1A8:
            throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
        }
Example #10
0
        public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
        {
            GenericAce ace;

            VerifyHeader(binaryForm, offset);
            System.Security.AccessControl.AceType type = (System.Security.AccessControl.AceType)binaryForm[offset];
            switch (type)
            {
            case System.Security.AccessControl.AceType.AccessAllowed:
            case System.Security.AccessControl.AceType.AccessDenied:
            case System.Security.AccessControl.AceType.SystemAudit:
            case System.Security.AccessControl.AceType.SystemAlarm:
            case System.Security.AccessControl.AceType.AccessAllowedCallback:
            case System.Security.AccessControl.AceType.AccessDeniedCallback:
            case System.Security.AccessControl.AceType.SystemAuditCallback:
            case System.Security.AccessControl.AceType.SystemAlarmCallback:
            {
                AceQualifier       qualifier;
                int                num;
                SecurityIdentifier identifier;
                bool               flag;
                byte[]             buffer;
                if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out num, out identifier, out flag, out buffer))
                {
                    goto Label_01A8;
                }
                System.Security.AccessControl.AceFlags flags = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
                ace = new CommonAce(flags, qualifier, num, identifier, flag, buffer);
                break;
            }

            case System.Security.AccessControl.AceType.AccessAllowedObject:
            case System.Security.AccessControl.AceType.AccessDeniedObject:
            case System.Security.AccessControl.AceType.SystemAuditObject:
            case System.Security.AccessControl.AceType.SystemAlarmObject:
            case System.Security.AccessControl.AceType.AccessAllowedCallbackObject:
            case System.Security.AccessControl.AceType.AccessDeniedCallbackObject:
            case System.Security.AccessControl.AceType.SystemAuditCallbackObject:
            case System.Security.AccessControl.AceType.SystemAlarmCallbackObject:
            {
                AceQualifier       qualifier2;
                int                num2;
                SecurityIdentifier identifier2;
                ObjectAceFlags     flags2;
                Guid               guid;
                Guid               guid2;
                bool               flag2;
                byte[]             buffer2;
                if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out num2, out identifier2, out flags2, out guid, out guid2, out flag2, out buffer2))
                {
                    goto Label_01A8;
                }
                System.Security.AccessControl.AceFlags aceFlags = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
                ace = new ObjectAce(aceFlags, qualifier2, num2, identifier2, flags2, guid, guid2, flag2, buffer2);
                break;
            }

            case System.Security.AccessControl.AceType.AccessAllowedCompound:
            {
                int                num3;
                CompoundAceType    type2;
                SecurityIdentifier identifier3;
                if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out num3, out type2, out identifier3))
                {
                    goto Label_01A8;
                }
                System.Security.AccessControl.AceFlags flags4 = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
                ace = new CompoundAce(flags4, num3, type2, identifier3);
                break;
            }

            default:
            {
                System.Security.AccessControl.AceFlags flags5 = (System.Security.AccessControl.AceFlags)binaryForm[offset + 1];
                byte[] opaque = null;
                int    num4   = binaryForm[offset + 2] + (binaryForm[offset + 3] << 8);
                if ((num4 % 4) != 0)
                {
                    goto Label_01A8;
                }
                int num5 = num4 - 4;
                if (num5 > 0)
                {
                    opaque = new byte[num5];
                    for (int i = 0; i < num5; i++)
                    {
                        opaque[i] = binaryForm[((offset + num4) - num5) + i];
                    }
                }
                ace = new CustomAce(type, flags5, opaque);
                break;
            }
            }
            if (((ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) && ((!(ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) || (((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) - 0x20) == ace.BinaryLength)))
            {
                return(ace);
            }
Label_01A8:
            throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
        }
Example #11
0
        private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType)
        {
            ReadLock();

            try
            {
                AuthorizationRuleCollection result = new AuthorizationRuleCollection();

                if (!IsValidTargetTypeStatic(targetType))
                {
                    throw new ArgumentException(SR.Arg_MustBeIdentityReferenceType, nameof(targetType));
                }

                CommonAcl acl = null;

                if (access)
                {
                    if ((SecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
                    {
                        acl = SecurityDescriptor.DiscretionaryAcl;
                    }
                }
                else // !access == audit
                {
                    if ((SecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0)
                    {
                        acl = SecurityDescriptor.SystemAcl;
                    }
                }

                if (acl == null)
                {
                    //
                    // The required ACL was not present; return an empty collection.
                    //
                    return(result);
                }

                IdentityReferenceCollection irTarget = null;

                if (targetType != typeof(SecurityIdentifier))
                {
                    IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count);

                    for (int i = 0; i < acl.Count; i++)
                    {
                        //
                        // Calling the indexer on a common ACL results in cloning,
                        // (which would not be the case if we were to use the internal RawAcl property)
                        // but also ensures that the resulting order of ACEs is proper
                        // However, this is a big price to pay - cloning all the ACEs just so that
                        // the canonical order could be ascertained just once.
                        // A better way would be to have an internal method that would canonicalize the ACL
                        // and call it once, then use the RawAcl.
                        //
                        QualifiedAce ace = acl[i] as QualifiedAce;

                        if (ace == null)
                        {
                            //
                            // Only consider qualified ACEs
                            //
                            continue;
                        }

                        if (ace.IsCallback == true)
                        {
                            //
                            // Ignore callback ACEs
                            //
                            continue;
                        }

                        if (access)
                        {
                            if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied)
                            {
                                continue;
                            }
                        }
                        else
                        {
                            if (ace.AceQualifier != AceQualifier.SystemAudit)
                            {
                                continue;
                            }
                        }

                        irSource.Add(ace.SecurityIdentifier);
                    }

                    irTarget = irSource.Translate(targetType);
                }

                for (int i = 0; i < acl.Count; i++)
                {
                    //
                    // Calling the indexer on a common ACL results in cloning,
                    // (which would not be the case if we were to use the internal RawAcl property)
                    // but also ensures that the resulting order of ACEs is proper
                    // However, this is a big price to pay - cloning all the ACEs just so that
                    // the canonical order could be ascertained just once.
                    // A better way would be to have an internal method that would canonicalize the ACL
                    // and call it once, then use the RawAcl.
                    //
                    QualifiedAce ace = acl[i] as CommonAce;

                    if (ace == null)
                    {
                        ace = acl[i] as ObjectAce;
                        if (ace == null)
                        {
                            //
                            // Only consider common or object ACEs
                            //
                            continue;
                        }
                    }

                    if (ace.IsCallback == true)
                    {
                        //
                        // Ignore callback ACEs
                        //
                        continue;
                    }

                    if (access)
                    {
                        if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied)
                        {
                            continue;
                        }
                    }
                    else
                    {
                        if (ace.AceQualifier != AceQualifier.SystemAudit)
                        {
                            continue;
                        }
                    }

                    if ((includeExplicit && ((ace.AceFlags & AceFlags.Inherited) == 0)) || (includeInherited && ((ace.AceFlags & AceFlags.Inherited) != 0)))
                    {
                        IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget[i];

                        if (access)
                        {
                            AccessControlType type;

                            if (ace.AceQualifier == AceQualifier.AccessAllowed)
                            {
                                type = AccessControlType.Allow;
                            }
                            else
                            {
                                type = AccessControlType.Deny;
                            }

                            if (ace is ObjectAce)
                            {
                                ObjectAce objectAce = ace as ObjectAce;

                                result.AddRule(AccessRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
                            }
                            else
                            {
                                CommonAce commonAce = ace as CommonAce;

                                if (commonAce == null)
                                {
                                    continue;
                                }

                                result.AddRule(AccessRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
                            }
                        }
                        else
                        {
                            if (ace is ObjectAce)
                            {
                                ObjectAce objectAce = ace as ObjectAce;

                                result.AddRule(AuditRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
                            }
                            else
                            {
                                CommonAce commonAce = ace as CommonAce;

                                if (commonAce == null)
                                {
                                    continue;
                                }

                                result.AddRule(AuditRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags));
                            }
                        }
                    }
                }

                return(result);
            }
            finally
            {
                ReadUnlock();
            }
        }
 internal bool RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     if (accessMask == 0)
     {
         throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
     }
     if ((qualifier == AceQualifier.SystemAudit) && (((byte) (flags & AceFlags.AuditFlags)) == 0))
     {
         throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
     }
     if (sid == null)
     {
         throw new ArgumentNullException("sid");
     }
     this.ThrowIfNotCanonical();
     bool flag = true;
     bool flag2 = true;
     int num = accessMask;
     AceFlags flags2 = flags;
     byte[] binaryForm = new byte[this.BinaryLength];
     this.GetBinaryForm(binaryForm, 0);
 Label_0075:
     try
     {
         for (int i = 0; i < this.Count; i++)
         {
             QualifiedAce ace = this._acl[i] as QualifiedAce;
             if (((ace == null) || (((byte) (ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid)))
             {
                 continue;
             }
             if (this.IsDS)
             {
                 accessMask = num;
                 bool flag3 = !this.GetAccessMaskForRemoval(ace, objectFlags, objectType, ref accessMask);
                 if ((ace.AccessMask & accessMask) == 0)
                 {
                     continue;
                 }
                 flags = flags2;
                 bool flag4 = !this.GetInheritanceFlagsForRemoval(ace, objectFlags, inheritedObjectType, ref flags);
                 if (((((((byte) (ace.AceFlags & AceFlags.ContainerInherit)) == 0) && (((byte) (flags & AceFlags.ContainerInherit)) != 0)) && (((byte) (flags & AceFlags.InheritOnly)) != 0)) || (((((byte) (flags & AceFlags.ContainerInherit)) == 0) && (((byte) (ace.AceFlags & AceFlags.ContainerInherit)) != 0)) && (((byte) (ace.AceFlags & AceFlags.InheritOnly)) != 0))) || (((((byte) (flags2 & AceFlags.ContainerInherit)) != 0) && (((byte) (flags2 & AceFlags.InheritOnly)) != 0)) && (((byte) (flags & AceFlags.ContainerInherit)) == 0)))
                 {
                     continue;
                 }
                 if (!flag3 && !flag4)
                 {
                     goto Label_0184;
                 }
                 flag2 = false;
                 goto Label_0483;
             }
             if ((ace.AccessMask & accessMask) == 0)
             {
                 continue;
             }
         Label_0184:
             if (!saclSemantics || (((byte) (((byte) (ace.AceFlags & flags)) & 0xc0)) != 0))
             {
                 AceFlags none = AceFlags.None;
                 int num3 = 0;
                 ObjectAceFlags flags4 = ObjectAceFlags.None;
                 Guid empty = Guid.Empty;
                 Guid guid2 = Guid.Empty;
                 AceFlags aceFlags = AceFlags.None;
                 int num4 = 0;
                 ObjectAceFlags flags6 = ObjectAceFlags.None;
                 Guid guid3 = Guid.Empty;
                 Guid guid4 = Guid.Empty;
                 AceFlags existing = AceFlags.None;
                 int num5 = 0;
                 ObjectAceFlags flags8 = ObjectAceFlags.None;
                 Guid guid5 = Guid.Empty;
                 Guid guid6 = Guid.Empty;
                 AceFlags result = AceFlags.None;
                 bool total = false;
                 none = ace.AceFlags;
                 num3 = ace.AccessMask & ~accessMask;
                 if (ace is ObjectAce)
                 {
                     this.GetObjectTypesForSplit(ace as ObjectAce, num3, none, out flags4, out empty, out guid2);
                 }
                 if (saclSemantics)
                 {
                     aceFlags = (AceFlags) ((byte) (ace.AceFlags & ~((byte) (flags & AceFlags.AuditFlags))));
                     num4 = ace.AccessMask & accessMask;
                     if (ace is ObjectAce)
                     {
                         this.GetObjectTypesForSplit(ace as ObjectAce, num4, aceFlags, out flags6, out guid3, out guid4);
                     }
                 }
                 existing = (AceFlags) ((byte) (((byte) (ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) | ((byte) (((byte) (flags & ace.AceFlags)) & 0xc0))));
                 num5 = ace.AccessMask & accessMask;
                 if (!saclSemantics || (((byte) (existing & AceFlags.AuditFlags)) != 0))
                 {
                     if (!RemoveInheritanceBits(existing, flags, this.IsDS, out result, out total))
                     {
                         flag2 = false;
                         goto Label_0483;
                     }
                     if (!total)
                     {
                         result = (AceFlags) ((byte) (result | ((byte) (existing & AceFlags.AuditFlags))));
                         if (ace is ObjectAce)
                         {
                             this.GetObjectTypesForSplit(ace as ObjectAce, num5, result, out flags8, out guid5, out guid6);
                         }
                     }
                 }
                 if (!flag)
                 {
                     QualifiedAce ace2;
                     if (num3 != 0)
                     {
                         if (((ace is ObjectAce) && ((((ObjectAce) ace).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)) && ((flags4 & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
                         {
                             this._acl.RemoveAce(i);
                             ObjectAce ace3 = new ObjectAce(none, qualifier, num3, ace.SecurityIdentifier, flags4, empty, guid2, false, null);
                             this._acl.InsertAce(i, ace3);
                         }
                         else
                         {
                             ace.AceFlags = none;
                             ace.AccessMask = num3;
                             if (ace is ObjectAce)
                             {
                                 ObjectAce ace4 = ace as ObjectAce;
                                 ace4.ObjectAceFlags = flags4;
                                 ace4.ObjectAceType = empty;
                                 ace4.InheritedObjectAceType = guid2;
                             }
                         }
                     }
                     else
                     {
                         this._acl.RemoveAce(i);
                         i--;
                     }
                     if (saclSemantics && (((byte) (aceFlags & AceFlags.AuditFlags)) != 0))
                     {
                         if (ace is CommonAce)
                         {
                             ace2 = new CommonAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, false, null);
                         }
                         else
                         {
                             ace2 = new ObjectAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, flags6, guid3, guid4, false, null);
                         }
                         i++;
                         this._acl.InsertAce(i, ace2);
                     }
                     if (!total)
                     {
                         if (ace is CommonAce)
                         {
                             ace2 = new CommonAce(result, qualifier, num5, ace.SecurityIdentifier, false, null);
                         }
                         else
                         {
                             ace2 = new ObjectAce(result, qualifier, num5, ace.SecurityIdentifier, flags8, guid5, guid6, false, null);
                         }
                         i++;
                         this._acl.InsertAce(i, ace2);
                     }
                 }
             }
         }
     }
     catch (OverflowException)
     {
         this._acl.SetBinaryForm(binaryForm, 0);
         return false;
     }
 Label_0483:
     if (flag && flag2)
     {
         flag = false;
         goto Label_0075;
     }
     this.OnAclModificationTried();
     return flag2;
 }
        internal bool RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
        {
            if (accessMask == 0)
            {
                throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
            }
            if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0))
            {
                throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
            }
            if (sid == null)
            {
                throw new ArgumentNullException("sid");
            }
            this.ThrowIfNotCanonical();
            bool     flag   = true;
            bool     flag2  = true;
            int      num    = accessMask;
            AceFlags flags2 = flags;

            byte[] binaryForm = new byte[this.BinaryLength];
            this.GetBinaryForm(binaryForm, 0);
Label_0075:
            try
            {
                for (int i = 0; i < this.Count; i++)
                {
                    QualifiedAce ace = this._acl[i] as QualifiedAce;
                    if (((ace == null) || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid)))
                    {
                        continue;
                    }
                    if (this.IsDS)
                    {
                        accessMask = num;
                        bool flag3 = !this.GetAccessMaskForRemoval(ace, objectFlags, objectType, ref accessMask);
                        if ((ace.AccessMask & accessMask) == 0)
                        {
                            continue;
                        }
                        flags = flags2;
                        bool flag4 = !this.GetInheritanceFlagsForRemoval(ace, objectFlags, inheritedObjectType, ref flags);
                        if (((((((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0) && (((byte)(flags & AceFlags.ContainerInherit)) != 0)) && (((byte)(flags & AceFlags.InheritOnly)) != 0)) || (((((byte)(flags & AceFlags.ContainerInherit)) == 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) != 0)) && (((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0))) || (((((byte)(flags2 & AceFlags.ContainerInherit)) != 0) && (((byte)(flags2 & AceFlags.InheritOnly)) != 0)) && (((byte)(flags & AceFlags.ContainerInherit)) == 0)))
                        {
                            continue;
                        }
                        if (!flag3 && !flag4)
                        {
                            goto Label_0184;
                        }
                        flag2 = false;
                        goto Label_0483;
                    }
                    if ((ace.AccessMask & accessMask) == 0)
                    {
                        continue;
                    }
Label_0184:
                    if (!saclSemantics || (((byte)(((byte)(ace.AceFlags & flags)) & 0xc0)) != 0))
                    {
                        AceFlags       none     = AceFlags.None;
                        int            num3     = 0;
                        ObjectAceFlags flags4   = ObjectAceFlags.None;
                        Guid           empty    = Guid.Empty;
                        Guid           guid2    = Guid.Empty;
                        AceFlags       aceFlags = AceFlags.None;
                        int            num4     = 0;
                        ObjectAceFlags flags6   = ObjectAceFlags.None;
                        Guid           guid3    = Guid.Empty;
                        Guid           guid4    = Guid.Empty;
                        AceFlags       existing = AceFlags.None;
                        int            num5     = 0;
                        ObjectAceFlags flags8   = ObjectAceFlags.None;
                        Guid           guid5    = Guid.Empty;
                        Guid           guid6    = Guid.Empty;
                        AceFlags       result   = AceFlags.None;
                        bool           total    = false;
                        none = ace.AceFlags;
                        num3 = ace.AccessMask & ~accessMask;
                        if (ace is ObjectAce)
                        {
                            this.GetObjectTypesForSplit(ace as ObjectAce, num3, none, out flags4, out empty, out guid2);
                        }
                        if (saclSemantics)
                        {
                            aceFlags = (AceFlags)((byte)(ace.AceFlags & ~((byte)(flags & AceFlags.AuditFlags))));
                            num4     = ace.AccessMask & accessMask;
                            if (ace is ObjectAce)
                            {
                                this.GetObjectTypesForSplit(ace as ObjectAce, num4, aceFlags, out flags6, out guid3, out guid4);
                            }
                        }
                        existing = (AceFlags)((byte)(((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) | ((byte)(((byte)(flags & ace.AceFlags)) & 0xc0))));
                        num5     = ace.AccessMask & accessMask;
                        if (!saclSemantics || (((byte)(existing & AceFlags.AuditFlags)) != 0))
                        {
                            if (!RemoveInheritanceBits(existing, flags, this.IsDS, out result, out total))
                            {
                                flag2 = false;
                                goto Label_0483;
                            }
                            if (!total)
                            {
                                result = (AceFlags)((byte)(result | ((byte)(existing & AceFlags.AuditFlags))));
                                if (ace is ObjectAce)
                                {
                                    this.GetObjectTypesForSplit(ace as ObjectAce, num5, result, out flags8, out guid5, out guid6);
                                }
                            }
                        }
                        if (!flag)
                        {
                            QualifiedAce ace2;
                            if (num3 != 0)
                            {
                                if (((ace is ObjectAce) && ((((ObjectAce)ace).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)) && ((flags4 & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None))
                                {
                                    this._acl.RemoveAce(i);
                                    ObjectAce ace3 = new ObjectAce(none, qualifier, num3, ace.SecurityIdentifier, flags4, empty, guid2, false, null);
                                    this._acl.InsertAce(i, ace3);
                                }
                                else
                                {
                                    ace.AceFlags   = none;
                                    ace.AccessMask = num3;
                                    if (ace is ObjectAce)
                                    {
                                        ObjectAce ace4 = ace as ObjectAce;
                                        ace4.ObjectAceFlags         = flags4;
                                        ace4.ObjectAceType          = empty;
                                        ace4.InheritedObjectAceType = guid2;
                                    }
                                }
                            }
                            else
                            {
                                this._acl.RemoveAce(i);
                                i--;
                            }
                            if (saclSemantics && (((byte)(aceFlags & AceFlags.AuditFlags)) != 0))
                            {
                                if (ace is CommonAce)
                                {
                                    ace2 = new CommonAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, false, null);
                                }
                                else
                                {
                                    ace2 = new ObjectAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, flags6, guid3, guid4, false, null);
                                }
                                i++;
                                this._acl.InsertAce(i, ace2);
                            }
                            if (!total)
                            {
                                if (ace is CommonAce)
                                {
                                    ace2 = new CommonAce(result, qualifier, num5, ace.SecurityIdentifier, false, null);
                                }
                                else
                                {
                                    ace2 = new ObjectAce(result, qualifier, num5, ace.SecurityIdentifier, flags8, guid5, guid6, false, null);
                                }
                                i++;
                                this._acl.InsertAce(i, ace2);
                            }
                        }
                    }
                }
            }
            catch (OverflowException)
            {
                this._acl.SetBinaryForm(binaryForm, 0);
                return(false);
            }
Label_0483:
            if (flag && flag2)
            {
                flag = false;
                goto Label_0075;
            }
            this.OnAclModificationTried();
            return(flag2);
        }
Example #14
0
        private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
        {
            AuthorizationRuleCollection rules2;

            base.ReadLock();
            try
            {
                AuthorizationRuleCollection rules = new AuthorizationRuleCollection();
                if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
                {
                    throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
                }
                CommonAcl discretionaryAcl = null;
                if (access)
                {
                    if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
                    {
                        discretionaryAcl = base._securityDescriptor.DiscretionaryAcl;
                    }
                }
                else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
                {
                    discretionaryAcl = base._securityDescriptor.SystemAcl;
                }
                if (discretionaryAcl == null)
                {
                    return(rules);
                }
                IdentityReferenceCollection references = null;
                if (targetType != typeof(SecurityIdentifier))
                {
                    IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count);
                    for (int j = 0; j < discretionaryAcl.Count; j++)
                    {
                        QualifiedAce ace = discretionaryAcl[j] as QualifiedAce;
                        if ((ace == null) || ace.IsCallback)
                        {
                            continue;
                        }
                        if (access)
                        {
                            if ((ace.AceQualifier == AceQualifier.AccessAllowed) || (ace.AceQualifier == AceQualifier.AccessDenied))
                            {
                                goto Label_00DD;
                            }
                            continue;
                        }
                        if (ace.AceQualifier != AceQualifier.SystemAudit)
                        {
                            continue;
                        }
Label_00DD:
                        references2.Add(ace.SecurityIdentifier);
                    }
                    references = references2.Translate(targetType);
                }
                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    QualifiedAce ace2 = discretionaryAcl[i] as CommonAce;
                    if (ace2 == null)
                    {
                        ace2 = discretionaryAcl[i] as ObjectAce;
                        if (ace2 == null)
                        {
                            continue;
                        }
                    }
                    if (ace2.IsCallback)
                    {
                        continue;
                    }
                    if (access)
                    {
                        if ((ace2.AceQualifier == AceQualifier.AccessAllowed) || (ace2.AceQualifier == AceQualifier.AccessDenied))
                        {
                            goto Label_0174;
                        }
                        continue;
                    }
                    if (ace2.AceQualifier != AceQualifier.SystemAudit)
                    {
                        continue;
                    }
Label_0174:
                    if ((includeExplicit && (((byte)(ace2.AceFlags & AceFlags.Inherited)) == 0)) || (includeInherited && (((byte)(ace2.AceFlags & AceFlags.Inherited)) != 0)))
                    {
                        IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[i];
                        if (access)
                        {
                            AccessControlType allow;
                            if (ace2.AceQualifier == AceQualifier.AccessAllowed)
                            {
                                allow = AccessControlType.Allow;
                            }
                            else
                            {
                                allow = AccessControlType.Deny;
                            }
                            if (ace2 is ObjectAce)
                            {
                                ObjectAce ace3 = ace2 as ObjectAce;
                                rules.AddRule(this.AccessRuleFactory(identityReference, ace3.AccessMask, ace3.IsInherited, ace3.InheritanceFlags, ace3.PropagationFlags, allow, ace3.ObjectAceType, ace3.InheritedObjectAceType));
                            }
                            else
                            {
                                CommonAce ace4 = ace2 as CommonAce;
                                if (ace4 != null)
                                {
                                    rules.AddRule(this.AccessRuleFactory(identityReference, ace4.AccessMask, ace4.IsInherited, ace4.InheritanceFlags, ace4.PropagationFlags, allow));
                                }
                            }
                        }
                        else if (ace2 is ObjectAce)
                        {
                            ObjectAce ace5 = ace2 as ObjectAce;
                            rules.AddRule(this.AuditRuleFactory(identityReference, ace5.AccessMask, ace5.IsInherited, ace5.InheritanceFlags, ace5.PropagationFlags, ace5.AuditFlags, ace5.ObjectAceType, ace5.InheritedObjectAceType));
                        }
                        else
                        {
                            CommonAce ace6 = ace2 as CommonAce;
                            if (ace6 != null)
                            {
                                rules.AddRule(this.AuditRuleFactory(identityReference, ace6.AccessMask, ace6.IsInherited, ace6.InheritanceFlags, ace6.PropagationFlags, ace6.AuditFlags));
                            }
                        }
                    }
                }
                rules2 = rules;
            }
            finally
            {
                base.ReadUnlock();
            }
            return(rules2);
        }
Example #15
0
        //
        // This method determines whether the object type and inherited object type from the original ace
        // should be retained or not based on access mask and aceflags for a given split 
        //
        private void GetObjectTypesForSplit( ObjectAce originalAce, int accessMask, AceFlags aceFlags, out ObjectAceFlags objectFlags, out Guid objectType, out Guid inheritedObjectType ) 
        {

            objectFlags = 0;
            objectType = Guid.Empty;
            inheritedObjectType = Guid.Empty;

            //
            // We should retain the object type if the access mask for this split contains any bits that refer to object type
            //
            if (( accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) 
            {
                // keep the original ace's object flags and object type
                objectType = originalAce.ObjectAceType;
                objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent;
            }

            //
            // We should retain the inherited object type if the aceflags for this contains inheritance (ContainerInherit)
            //
            if (( aceFlags & AceFlags.ContainerInherit ) != 0 ) 
            {
                // keep the original ace's object flags and object type
                inheritedObjectType = originalAce.InheritedObjectAceType;
                objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent;
            }
        }
 private void GetObjectTypesForSplit(ObjectAce originalAce, int accessMask, AceFlags aceFlags, out ObjectAceFlags objectFlags, out Guid objectType, out Guid inheritedObjectType)
 {
     objectFlags = ObjectAceFlags.None;
     objectType = Guid.Empty;
     inheritedObjectType = Guid.Empty;
     if ((accessMask & ObjectAce.AccessMaskWithObjectType) != 0)
     {
         objectType = originalAce.ObjectAceType;
         objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent;
     }
     if (((byte) (aceFlags & AceFlags.ContainerInherit)) != 0)
     {
         inheritedObjectType = originalAce.InheritedObjectAceType;
         objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent;
     }
 }
Example #17
0
        //
        // Helper function behind all the SetXXX methods
        //

        internal void SetQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            if ( sid == null )
            {
                throw new ArgumentNullException( "sid" );
            }

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            }

            if ( accessMask == 0 )
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );
            }
            Contract.EndContractBlock();
            ThrowIfNotCanonical();

            GenericAce newAce;

            if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
            {
                newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
            }
            else
            {
                newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );
            }

            //
            // Make sure the new ACE wouldn't be meaningless before proceeding
            //

            if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))
            {
                return;
            }

            for ( int i = 0; i < Count; i++ )
            {
                QualifiedAce ace = _acl[i] as QualifiedAce;

                //
                // Not a qualified ACE - keep going
                //

                if ( ace == null )
                {
                    continue;
                }

                //
                // Only interested in explicit (non-inherited) ACEs
                //

                if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
                {
                    continue;
                }

                //
                // Only interested in ACEs with the specified qualifier
                //

                if ( ace.AceQualifier != qualifier )
                {
                    continue;
                }

                //
                // Only interested in ACEs with the specified SID
                //

                if ( ace.SecurityIdentifier != sid )
                {
                    continue;
                }

                //
                // This ACE corresponds to the SID and qualifier in question - remove it
                //

                _acl.RemoveAce( i );
                i--;
            }

            //
            // As a final step, add the ACE we want.
            // Add it at the end - we'll re-canonicalize later.
            //

            _acl.InsertAce( _acl.Count, newAce );

            //
            // To aid the efficiency of batch operations, recanonicalize this later
            //

            _isDirty = true;
            OnAclModificationTried();
        }
Example #18
0
        /// <summary>从指定的二进制数据创建一个 <see cref="T:System.Security.AccessControl.GenericAce" /> 对象。</summary>
        /// <returns>此方法创建的 <see cref="T:System.Security.AccessControl.GenericAce" /> 对象。</returns>
        /// <param name="binaryForm">用于创建新 <see cref="T:System.Security.AccessControl.GenericAce" /> 对象的二进制数据。</param>
        /// <param name="offset">开始取消封送的偏移量。</param>
        public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
        {
            GenericAce.VerifyHeader(binaryForm, offset);
            AceType    type = (AceType)binaryForm[offset];
            GenericAce genericAce;

            switch (type)
            {
            case AceType.AccessAllowed:
            case AceType.AccessDenied:
            case AceType.SystemAudit:
            case AceType.SystemAlarm:
            case AceType.AccessAllowedCallback:
            case AceType.AccessDeniedCallback:
            case AceType.SystemAuditCallback:
            case AceType.SystemAlarmCallback:
                AceQualifier       qualifier1;
                int                accessMask1;
                SecurityIdentifier sid1;
                bool               isCallback1;
                byte[]             opaque1;
                if (CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier1, out accessMask1, out sid1, out isCallback1, out opaque1))
                {
                    genericAce = (GenericAce) new CommonAce((AceFlags)binaryForm[offset + 1], qualifier1, accessMask1, sid1, isCallback1, opaque1);
                    break;
                }
                goto label_15;

            case AceType.AccessAllowedObject:
            case AceType.AccessDeniedObject:
            case AceType.SystemAuditObject:
            case AceType.SystemAlarmObject:
            case AceType.AccessAllowedCallbackObject:
            case AceType.AccessDeniedCallbackObject:
            case AceType.SystemAuditCallbackObject:
            case AceType.SystemAlarmCallbackObject:
                AceQualifier       qualifier2;
                int                accessMask2;
                SecurityIdentifier sid2;
                ObjectAceFlags     objectFlags;
                Guid               objectAceType;
                Guid               inheritedObjectAceType;
                bool               isCallback2;
                byte[]             opaque2;
                if (ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out accessMask2, out sid2, out objectFlags, out objectAceType, out inheritedObjectAceType, out isCallback2, out opaque2))
                {
                    genericAce = (GenericAce) new ObjectAce((AceFlags)binaryForm[offset + 1], qualifier2, accessMask2, sid2, objectFlags, objectAceType, inheritedObjectAceType, isCallback2, opaque2);
                    break;
                }
                goto label_15;

            case AceType.AccessAllowedCompound:
                int                accessMask3;
                CompoundAceType    compoundAceType;
                SecurityIdentifier sid3;
                if (CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask3, out compoundAceType, out sid3))
                {
                    genericAce = (GenericAce) new CompoundAce((AceFlags)binaryForm[offset + 1], accessMask3, compoundAceType, sid3);
                    break;
                }
                goto label_15;

            default:
                AceFlags flags   = (AceFlags)binaryForm[offset + 1];
                byte[]   opaque3 = (byte[])null;
                int      num     = (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8);
                if (num % 4 == 0)
                {
                    int length = num - 4;
                    if (length > 0)
                    {
                        opaque3 = new byte[length];
                        for (int index = 0; index < length; ++index)
                        {
                            opaque3[index] = binaryForm[offset + num - length + index];
                        }
                    }
                    genericAce = (GenericAce) new CustomAce(type, flags, opaque3);
                    break;
                }
                goto label_15;
            }
            if ((genericAce is ObjectAce || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength) && (!(genericAce is ObjectAce) || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) - 32 == genericAce.BinaryLength))
            {
                return(genericAce);
            }
label_15:
            throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
        }
Example #19
0
		static void GetObjectAceTypeGuids(ObjectAce ace, out Guid type, out Guid inheritedType)
		{
			type = Guid.Empty; inheritedType = Guid.Empty;
			if (0 != (ace.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent))
				type = ace.ObjectAceType;
			if (0 != (ace.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
				inheritedType = ace.InheritedObjectAceType;
		}
Example #20
0
        GenericAce MergeExplicitAcePair(GenericAce ace1, GenericAce ace2)
        {
            QualifiedAce qace1 = ace1 as QualifiedAce;
            QualifiedAce qace2 = ace2 as QualifiedAce;

            if (!(null != qace1 && null != qace2))
            {
                return(null);
            }
            if (!(qace1.AceQualifier == qace2.AceQualifier))
            {
                return(null);
            }
            if (!(qace1.SecurityIdentifier == qace2.SecurityIdentifier))
            {
                return(null);
            }

            AceFlags aceFlags1 = qace1.AceFlags, aceFlags2 = qace2.AceFlags, aceFlagsNew;
            int      accessMask1 = qace1.AccessMask, accessMask2 = qace2.AccessMask, accessMaskNew;

            if (!IsContainer)
            {
                aceFlags1 &= ~AceFlags.InheritanceFlags;
                aceFlags2 &= ~AceFlags.InheritanceFlags;
            }

            if (aceFlags1 != aceFlags2)
            {
                if (accessMask1 != accessMask2)
                {
                    return(null);
                }
                if ((aceFlags1 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit)) ==
                    (aceFlags2 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit)))
                {
                    aceFlagsNew   = aceFlags1 | aceFlags2;                 // merge InheritanceFlags
                    accessMaskNew = accessMask1;
                }
                else if ((aceFlags1 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess)) ==
                         (aceFlags2 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess)))
                {
                    aceFlagsNew   = aceFlags1 | aceFlags2;                 // merge AuditFlags
                    accessMaskNew = accessMask1;
                }
                else
                {
                    return(null);
                }
            }
            else
            {
                aceFlagsNew   = aceFlags1;
                accessMaskNew = accessMask1 | accessMask2;
            }

            CommonAce cace1 = ace1 as CommonAce;
            CommonAce cace2 = ace2 as CommonAce;

            if (null != cace1 && null != cace2)
            {
                return(new CommonAce(aceFlagsNew, cace1.AceQualifier, accessMaskNew,
                                     cace1.SecurityIdentifier, cace1.IsCallback, cace1.GetOpaque()));
            }

            ObjectAce oace1 = ace1 as ObjectAce;
            ObjectAce oace2 = ace2 as ObjectAce;

            if (null != oace1 && null != oace2)
            {
                // See DiscretionaryAclTest.GuidEmptyMergesRegardlessOfFlagsAndOpaqueDataIsNotConsidered
                Guid type1, inheritedType1; GetObjectAceTypeGuids(oace1, out type1, out inheritedType1);
                Guid type2, inheritedType2; GetObjectAceTypeGuids(oace2, out type2, out inheritedType2);

                if (type1 == type2 && inheritedType1 == inheritedType2)
                {
                    return(new ObjectAce(aceFlagsNew, oace1.AceQualifier, accessMaskNew,
                                         oace1.SecurityIdentifier,
                                         oace1.ObjectAceFlags, oace1.ObjectAceType, oace1.InheritedObjectAceType,
                                         oace1.IsCallback, oace1.GetOpaque()));
                }
            }

            return(null);
        }
 private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
 {
     this.ReadLock();
     try
     {
         AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
         if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
         {
             throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
         }
         CommonAcl commonAcl = (CommonAcl)null;
         if (access)
         {
             if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
             {
                 commonAcl = (CommonAcl)this._securityDescriptor.DiscretionaryAcl;
             }
         }
         else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
         {
             commonAcl = (CommonAcl)this._securityDescriptor.SystemAcl;
         }
         if (commonAcl == null)
         {
             return(authorizationRuleCollection);
         }
         IdentityReferenceCollection referenceCollection1 = (IdentityReferenceCollection)null;
         if (targetType != typeof(SecurityIdentifier))
         {
             IdentityReferenceCollection referenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
             for (int index = 0; index < commonAcl.Count; ++index)
             {
                 QualifiedAce qualifiedAce = commonAcl[index] as QualifiedAce;
                 if (!((GenericAce)qualifiedAce == (GenericAce)null) && !qualifiedAce.IsCallback)
                 {
                     if (access)
                     {
                         if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
                         {
                             continue;
                         }
                     }
                     else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
                     {
                         continue;
                     }
                     referenceCollection2.Add((IdentityReference)qualifiedAce.SecurityIdentifier);
                 }
             }
             referenceCollection1 = referenceCollection2.Translate(targetType);
         }
         for (int index = 0; index < commonAcl.Count; ++index)
         {
             QualifiedAce qualifiedAce = (QualifiedAce)(commonAcl[index] as CommonAce);
             if ((GenericAce)qualifiedAce == (GenericAce)null)
             {
                 qualifiedAce = (QualifiedAce)(commonAcl[index] as ObjectAce);
                 if ((GenericAce)qualifiedAce == (GenericAce)null)
                 {
                     continue;
                 }
             }
             if (!qualifiedAce.IsCallback)
             {
                 if (access)
                 {
                     if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
                     {
                         continue;
                     }
                 }
                 else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
                 {
                     continue;
                 }
                 if (includeExplicit && (qualifiedAce.AceFlags & AceFlags.Inherited) == AceFlags.None || includeInherited && (qualifiedAce.AceFlags & AceFlags.Inherited) != AceFlags.None)
                 {
                     IdentityReference identityReference = targetType == typeof(SecurityIdentifier) ? (IdentityReference)qualifiedAce.SecurityIdentifier : referenceCollection1[index];
                     if (access)
                     {
                         AccessControlType type = qualifiedAce.AceQualifier != AceQualifier.AccessAllowed ? AccessControlType.Deny : AccessControlType.Allow;
                         if (qualifiedAce is ObjectAce)
                         {
                             ObjectAce objectAce = qualifiedAce as ObjectAce;
                             authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
                         }
                         else
                         {
                             CommonAce commonAce = qualifiedAce as CommonAce;
                             if (!((GenericAce)commonAce == (GenericAce)null))
                             {
                                 authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
                             }
                         }
                     }
                     else if (qualifiedAce is ObjectAce)
                     {
                         ObjectAce objectAce = qualifiedAce as ObjectAce;
                         authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
                     }
                     else
                     {
                         CommonAce commonAce = qualifiedAce as CommonAce;
                         if (!((GenericAce)commonAce == (GenericAce)null))
                         {
                             authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags));
                         }
                     }
                 }
             }
         }
         return(authorizationRuleCollection);
     }
     finally
     {
         this.ReadUnlock();
     }
 }
Example #22
0
        //
        // Instantiates the most-derived ACE type based on the binary
        // representation of an ACE
        //

        public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
        {
            GenericAce result;
            AceType type;

            //
            // Sanity check the header
            //

            VerifyHeader(binaryForm, offset);

            type = (AceType)binaryForm[offset];

            if (type == AceType.AccessAllowed ||
                type == AceType.AccessDenied ||
                type == AceType.SystemAudit ||
                type == AceType.SystemAlarm ||
                type == AceType.AccessAllowedCallback ||
                type == AceType.AccessDeniedCallback ||
                type == AceType.SystemAuditCallback ||
                type == AceType.SystemAlarmCallback)
            {
                AceQualifier qualifier;
                int accessMask;
                SecurityIdentifier sid;
                bool isCallback;
                byte[] opaque;

                if (true == CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out isCallback, out opaque))
                {
                    AceFlags flags = (AceFlags)binaryForm[offset + 1];
                    result = new CommonAce(flags, qualifier, accessMask, sid, isCallback, opaque);
                }
                else
                {
                    goto InvalidParameter;
                }
            }
            else if (type == AceType.AccessAllowedObject ||
                type == AceType.AccessDeniedObject ||
                type == AceType.SystemAuditObject ||
                type == AceType.SystemAlarmObject ||
                type == AceType.AccessAllowedCallbackObject ||
                type == AceType.AccessDeniedCallbackObject ||
                type == AceType.SystemAuditCallbackObject ||
                type == AceType.SystemAlarmCallbackObject)
            {
                AceQualifier qualifier;
                int accessMask;
                SecurityIdentifier sid;
                ObjectAceFlags objectFlags;
                Guid objectAceType;
                Guid inheritedObjectAceType;
                bool isCallback;
                byte[] opaque;

                if (true == ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out objectFlags, out objectAceType, out inheritedObjectAceType, out isCallback, out opaque))
                {
                    AceFlags flags = (AceFlags)binaryForm[offset + 1];
                    result = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectAceType, inheritedObjectAceType, isCallback, opaque);
                }
                else
                {
                    goto InvalidParameter;
                }
            }
            else if (type == AceType.AccessAllowedCompound)
            {
                int accessMask;
                CompoundAceType compoundAceType;
                SecurityIdentifier sid;

                if (true == CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask, out compoundAceType, out sid))
                {
                    AceFlags flags = (AceFlags)binaryForm[offset + 1];
                    result = new CompoundAce(flags, accessMask, compoundAceType, sid);
                }
                else
                {
                    goto InvalidParameter;
                }
            }
            else
            {
                AceFlags flags = (AceFlags)binaryForm[offset + 1];
                byte[] opaque = null;
                int aceLength = (binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8);

                if (aceLength % 4 != 0)
                {
                    goto InvalidParameter;
                }

                int opaqueLength = aceLength - HeaderLength;

                if (opaqueLength > 0)
                {
                    opaque = new byte[opaqueLength];

                    for (int i = 0; i < opaqueLength; i++)
                    {
                        opaque[i] = binaryForm[offset + aceLength - opaqueLength + i];
                    }
                }

                result = new CustomAce(type, flags, opaque);
            }

            //
            // As a final check, confirm that the advertised ACE header length
            // was the actual parsed length
            //

            if (((!(result is ObjectAce)) && ((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8) != result.BinaryLength))
                //
                // This is needed because object aces created through ADSI have the advertised ACE length
                // greater than the actual length by 32 (bug in ADSI).
                //
                || ((result is ObjectAce) && ((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8) != result.BinaryLength) && (((binaryForm[offset + 2] << 0) + (binaryForm[offset + 3] << 8) - 32) != result.BinaryLength)))
            {
                goto InvalidParameter;
            }

            return result;

        InvalidParameter:

            throw new ArgumentException(
                 SR.ArgumentException_InvalidAceBinaryForm,
nameof(binaryForm));
        }
		public void GetBinaryForm ()
		{
			RawSecurityDescriptor sd = new RawSecurityDescriptor ("");
			sd.Owner = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null);
			sd.Group = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
			sd.DiscretionaryAcl = new RawAcl (1, 0);
			sd.SystemAcl = new RawAcl (1, 0);
			sd.SetFlags (sd.ControlFlags | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent);
			
			// Empty ACL form
			byte[] buffer = new byte[sd.BinaryLength];
			sd.GetBinaryForm (buffer, 0);
			byte[] sdBinary = new byte[] {
				0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
				0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
				0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
				0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
				0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 };
			Assert.AreEqual (sdBinary, buffer);
			
			// Add an ACE to the DACL
			SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
			CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
			sd.DiscretionaryAcl.InsertAce (0, ace);
			buffer = new byte[sd.BinaryLength];
			sd.GetBinaryForm (buffer, 0);
			sdBinary = new byte[] {
				0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
				0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
				0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
				0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
				0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
				0x00, 0x00 };
			Assert.AreEqual (sdBinary, buffer);
			
			// This time with an Object ACE
			ObjectAce objectAce = new ObjectAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 0x12345678, builtInAdmins, ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent, new Guid ("189c0dc7-b849-4dea-93a5-6d4cb8857a5c"), new Guid ("53b4a3d4-fe39-468b-bc60-b4fcba772fa5"), false, null);
			sd.DiscretionaryAcl = new RawAcl (2, 0);
			sd.DiscretionaryAcl.InsertAce (0, objectAce);
			buffer = new byte[sd.BinaryLength];
			sd.GetBinaryForm (buffer, 0);
			sdBinary = new byte[] {
				0x01, 0x00, 0x14, 0x80, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00,
				0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
				0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00,
				0x00, 0x00, 0x21, 0x02, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
				0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x02, 0x00, 0x44, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x10,
				0x3C, 0x00, 0x78, 0x56, 0x34, 0x12, 0x03, 0x00, 0x00, 0x00,
				0xC7, 0x0D, 0x9C, 0x18, 0x49, 0xB8, 0xEA, 0x4D, 0x93, 0xA5,
				0x6D, 0x4C, 0xB8, 0x85, 0x7A, 0x5C, 0xD4, 0xA3, 0xB4, 0x53,
				0x39, 0xFE, 0x8B, 0x46, 0xBC, 0x60, 0xB4, 0xFC, 0xBA, 0x77,
				0x2F, 0xA5, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
				0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 };
			Assert.AreEqual (sdBinary, buffer);
		}
 public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset)
 {
     GenericAce ace;
     VerifyHeader(binaryForm, offset);
     System.Security.AccessControl.AceType type = (System.Security.AccessControl.AceType) binaryForm[offset];
     switch (type)
     {
         case System.Security.AccessControl.AceType.AccessAllowed:
         case System.Security.AccessControl.AceType.AccessDenied:
         case System.Security.AccessControl.AceType.SystemAudit:
         case System.Security.AccessControl.AceType.SystemAlarm:
         case System.Security.AccessControl.AceType.AccessAllowedCallback:
         case System.Security.AccessControl.AceType.AccessDeniedCallback:
         case System.Security.AccessControl.AceType.SystemAuditCallback:
         case System.Security.AccessControl.AceType.SystemAlarmCallback:
         {
             AceQualifier qualifier;
             int num;
             SecurityIdentifier identifier;
             bool flag;
             byte[] buffer;
             if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out num, out identifier, out flag, out buffer))
             {
                 goto Label_01A8;
             }
             System.Security.AccessControl.AceFlags flags = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
             ace = new CommonAce(flags, qualifier, num, identifier, flag, buffer);
             break;
         }
         case System.Security.AccessControl.AceType.AccessAllowedObject:
         case System.Security.AccessControl.AceType.AccessDeniedObject:
         case System.Security.AccessControl.AceType.SystemAuditObject:
         case System.Security.AccessControl.AceType.SystemAlarmObject:
         case System.Security.AccessControl.AceType.AccessAllowedCallbackObject:
         case System.Security.AccessControl.AceType.AccessDeniedCallbackObject:
         case System.Security.AccessControl.AceType.SystemAuditCallbackObject:
         case System.Security.AccessControl.AceType.SystemAlarmCallbackObject:
         {
             AceQualifier qualifier2;
             int num2;
             SecurityIdentifier identifier2;
             ObjectAceFlags flags2;
             Guid guid;
             Guid guid2;
             bool flag2;
             byte[] buffer2;
             if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out num2, out identifier2, out flags2, out guid, out guid2, out flag2, out buffer2))
             {
                 goto Label_01A8;
             }
             System.Security.AccessControl.AceFlags aceFlags = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
             ace = new ObjectAce(aceFlags, qualifier2, num2, identifier2, flags2, guid, guid2, flag2, buffer2);
             break;
         }
         case System.Security.AccessControl.AceType.AccessAllowedCompound:
         {
             int num3;
             CompoundAceType type2;
             SecurityIdentifier identifier3;
             if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out num3, out type2, out identifier3))
             {
                 goto Label_01A8;
             }
             System.Security.AccessControl.AceFlags flags4 = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
             ace = new CompoundAce(flags4, num3, type2, identifier3);
             break;
         }
         default:
         {
             System.Security.AccessControl.AceFlags flags5 = (System.Security.AccessControl.AceFlags) binaryForm[offset + 1];
             byte[] opaque = null;
             int num4 = binaryForm[offset + 2] + (binaryForm[offset + 3] << 8);
             if ((num4 % 4) != 0)
             {
                 goto Label_01A8;
             }
             int num5 = num4 - 4;
             if (num5 > 0)
             {
                 opaque = new byte[num5];
                 for (int i = 0; i < num5; i++)
                 {
                     opaque[i] = binaryForm[((offset + num4) - num5) + i];
                 }
             }
             ace = new CustomAce(type, flags5, opaque);
             break;
         }
     }
     if (((ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) && ((!(ace is ObjectAce) || ((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) == ace.BinaryLength)) || (((binaryForm[offset + 2] + (binaryForm[offset + 3] << 8)) - 0x20) == ace.BinaryLength)))
     {
         return ace;
     }
 Label_01A8:
     throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm");
 }
Example #25
0
        //
        // Helper function behind all the AddXXX methods for qualified aces
        //

        internal void AddQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            if ( sid == null )
            {
                throw new ArgumentNullException( "sid" );
            }
            Contract.EndContractBlock();

            ThrowIfNotCanonical();

            bool aceMerged = false; // if still false after all attempts to merge, create new entry

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            }

            if ( accessMask == 0 )
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );
            }

            GenericAce newAce;

            if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
            {
                newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
            }
            else
            {
                newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );
            }

            //
            // Make sure the new ACE wouldn't be meaningless before proceeding
            //

            if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))
            {
                return;
            }

            //
            // See if the new ACE can be merged with any of the existing ones
            //

            for ( int i = 0; i < Count; i++ )
            {
                QualifiedAce ace = _acl[i] as QualifiedAce;

                if ( ace == null )
                {
                    continue;
                }

                if ( true == MergeAces( ref ace, newAce as QualifiedAce ))
                {
                    aceMerged = true;
                    break;
                }
            }

            //
            // Couldn't modify any existing entry, so add a new one
            //

            if ( !aceMerged )
            {
                _acl.InsertAce( _acl.Count, newAce );

                _isDirty = true;
            }
            OnAclModificationTried();
        }
Example #26
0
        // Token: 0x06001FF6 RID: 8182 RVA: 0x0006FAEC File Offset: 0x0006DCEC
        private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType)
        {
            base.ReadLock();
            AuthorizationRuleCollection result;

            try
            {
                AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection();
                if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType))
                {
                    throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType");
                }
                CommonAcl commonAcl = null;
                if (access)
                {
                    if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None)
                    {
                        commonAcl = this._securityDescriptor.DiscretionaryAcl;
                    }
                }
                else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None)
                {
                    commonAcl = this._securityDescriptor.SystemAcl;
                }
                if (commonAcl == null)
                {
                    result = authorizationRuleCollection;
                }
                else
                {
                    IdentityReferenceCollection identityReferenceCollection = null;
                    if (targetType != typeof(SecurityIdentifier))
                    {
                        IdentityReferenceCollection identityReferenceCollection2 = new IdentityReferenceCollection(commonAcl.Count);
                        for (int i = 0; i < commonAcl.Count; i++)
                        {
                            QualifiedAce qualifiedAce = commonAcl[i] as QualifiedAce;
                            if (!(qualifiedAce == null) && !qualifiedAce.IsCallback)
                            {
                                if (access)
                                {
                                    if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied)
                                    {
                                        goto IL_EB;
                                    }
                                }
                                else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit)
                                {
                                    goto IL_EB;
                                }
                                identityReferenceCollection2.Add(qualifiedAce.SecurityIdentifier);
                            }
                            IL_EB :;
                        }
                        identityReferenceCollection = identityReferenceCollection2.Translate(targetType);
                    }
                    int j = 0;
                    while (j < commonAcl.Count)
                    {
                        QualifiedAce qualifiedAce2 = commonAcl[j] as CommonAce;
                        if (!(qualifiedAce2 == null))
                        {
                            goto IL_142;
                        }
                        qualifiedAce2 = (commonAcl[j] as ObjectAce);
                        if (!(qualifiedAce2 == null))
                        {
                            goto IL_142;
                        }
IL_306:
                        j++;
                        continue;
IL_142:
                        if (qualifiedAce2.IsCallback)
                        {
                            goto IL_306;
                        }
                        if (access)
                        {
                            if (qualifiedAce2.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce2.AceQualifier != AceQualifier.AccessDenied)
                            {
                                goto IL_306;
                            }
                        }
                        else if (qualifiedAce2.AceQualifier != AceQualifier.SystemAudit)
                        {
                            goto IL_306;
                        }
                        if ((!includeExplicit || (qualifiedAce2.AceFlags & AceFlags.Inherited) != AceFlags.None) && (!includeInherited || (qualifiedAce2.AceFlags & AceFlags.Inherited) == AceFlags.None))
                        {
                            goto IL_306;
                        }
                        IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? qualifiedAce2.SecurityIdentifier : identityReferenceCollection[j];
                        if (access)
                        {
                            AccessControlType type;
                            if (qualifiedAce2.AceQualifier == AceQualifier.AccessAllowed)
                            {
                                type = AccessControlType.Allow;
                            }
                            else
                            {
                                type = AccessControlType.Deny;
                            }
                            if (qualifiedAce2 is ObjectAce)
                            {
                                ObjectAce objectAce = qualifiedAce2 as ObjectAce;
                                authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType));
                                goto IL_306;
                            }
                            CommonAce commonAce = qualifiedAce2 as CommonAce;
                            if (!(commonAce == null))
                            {
                                authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type));
                                goto IL_306;
                            }
                            goto IL_306;
                        }
                        else
                        {
                            if (qualifiedAce2 is ObjectAce)
                            {
                                ObjectAce objectAce2 = qualifiedAce2 as ObjectAce;
                                authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, objectAce2.AccessMask, objectAce2.IsInherited, objectAce2.InheritanceFlags, objectAce2.PropagationFlags, objectAce2.AuditFlags, objectAce2.ObjectAceType, objectAce2.InheritedObjectAceType));
                                goto IL_306;
                            }
                            CommonAce commonAce2 = qualifiedAce2 as CommonAce;
                            if (!(commonAce2 == null))
                            {
                                authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, commonAce2.AccessMask, commonAce2.IsInherited, commonAce2.InheritanceFlags, commonAce2.PropagationFlags, commonAce2.AuditFlags));
                                goto IL_306;
                            }
                            goto IL_306;
                        }
                    }
                    result = authorizationRuleCollection;
                }
            }
            finally
            {
                base.ReadUnlock();
            }
            return(result);
        }
Example #27
0
        //
        // Helper function behind all the RemoveXXX methods
        //

        internal bool RemoveQualifiedAces( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
        {
            if ( accessMask == 0 )
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );
            }

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
            {
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            }

            if ( sid == null )
            {
                throw new ArgumentNullException( "sid" );
            }
            Contract.EndContractBlock();
            ThrowIfNotCanonical();


            //
            // Two passes are made.
            // During the first pass, no changes are made to the ACL,
            // the ACEs are simply evaluated to ascertain that the operation
            // can succeed.
            // If everything is kosher, the second pass is the one that makes changes.
            //

            bool evaluationPass = true;
            bool removePossible = true; // unless proven otherwise
            
            //
            // Needed for DS acls to keep track of the original access mask specified for removal
            //
            int originalAccessMask = accessMask;
            AceFlags originalFlags = flags;

            //
            // It is possible that the removal will result in an overflow exception
            // because more ACEs get inserted.
            // Save the current state of the object and revert to it later if
            // and exception is thrown.
            //

            byte[] recovery = new byte[BinaryLength];
            GetBinaryForm( recovery, 0 );

        MakeAnotherPass:

            try
            {
                for ( int i = 0; i < Count; i++ )
                {
                    QualifiedAce ace = _acl[i] as QualifiedAce;

                    //
                    // Not a qualified ACE - keep going
                    //

                    if ( ace == null )
                    {
                        continue;
                    }

                    //
                    // Only interested in explicit (non-inherited) ACEs
                    //

                    if (( ace.AceFlags & AceFlags.Inherited ) != 0 )
                    {
                        continue;
                    }

                    //
                    // Only interested in ACEs with the specified qualifier
                    //

                    if ( ace.AceQualifier != qualifier )
                    {
                        continue;
                    }

                    //
                    // Only interested in ACEs with the specified SID
                    //

                    if ( ace.SecurityIdentifier != sid )
                    {
                        continue;
                    }               

                    //
                    // If access masks have nothing in common, skip the whole exercise
                    //

                    if ( IsDS ) 
                    {
                        //
                        // incase of directory aces, if the access mask of the 
                        // existing and new ace have any bits in common that need 
                        // an object type, then we need to perform some checks on the
                        // object types in the two aces. Since certain bits are further qualified
                        // by the object type they cannot be determined to be common without 
                        // inspecting the object type. It is possible that the same bits may be set but
                        // the object types are different in which case they are really not common bits.
                        //
                        accessMask = originalAccessMask;
                        bool objectTypesConflict = !GetAccessMaskForRemoval( ace, objectFlags, objectType, ref accessMask );

                        // if the access masks have nothing in common, skip
                        if (( ace.AccessMask & accessMask ) == 0 )
                        {
                            continue;
                        }

                        //
                        // incase of directory aces, if the existing and new ace are being inherited, 
                        // then we need to perform some checks on the
                        // inherited object types in the two aces. Since inheritance is further qualified
                        // by the inherited object type the inheritance flags cannot be determined to be common without 
                        // inspecting the inherited object type. It is possible that both aces may be further inherited but if
                        // the inherited object types are different the inheritance may not be common.
                        //
                        flags = originalFlags;
                        bool inheritedObjectTypesConflict = !GetInheritanceFlagsForRemoval( ace, objectFlags, inheritedObjectType, ref flags );  

                        if (((( ace.AceFlags & AceFlags.ContainerInherit ) == 0 ) && (( flags & AceFlags.ContainerInherit ) != 0 )  && (( flags & AceFlags.InheritOnly ) != 0 )) ||
                             ((( flags & AceFlags.ContainerInherit ) == 0 ) && (( ace.AceFlags & AceFlags.ContainerInherit ) != 0 )  && (( ace.AceFlags & AceFlags.InheritOnly ) != 0)))
                        {
                            // if one ace applies only to self and the other only to children/descendents we have nothing in common
                            continue;
                        }
                        
                        //
                        // if the ace being removed referred only to child types and child types among existing ace and
                        // ace being removed are not common then there is nothing in common between these aces (skip)
                        //
                        if ((( originalFlags & AceFlags.ContainerInherit ) != 0 ) && (( originalFlags & AceFlags.InheritOnly ) != 0 ) && (( flags & AceFlags.ContainerInherit ) == 0 )) 
                        {
                            continue;
                        }

                        if ( objectTypesConflict || inheritedObjectTypesConflict )
                        {
                            //
                            // if we reached this stage, then we've found something common between the two aces.
                            // But since there is a conflict between the object types (or inherited object types), the remove is not possible
                            //
                            removePossible = false;
                            break;
                        }
                    }
                    else 
                    {
                        if (( ace.AccessMask & accessMask ) == 0 )
                        {
                            continue;
                        }
                    }

                    //
                    // If audit flags on a SACL have nothing in common,
                    // skip the whole exercise
                    //

                    if ( saclSemantics &&
                        (( ace.AceFlags & flags & AceFlags.AuditFlags ) == 0 ))
                    {
                        continue;
                    }

                    //
                    // See if the ACE needs to be split into several
                    // To illustrate with an example, consider this equation:
                    //            From: CI OI    NP SA FA R W
                    //          Remove:    OI IO NP SA    R
                    //
                    // PermissionSplit: CI OI    NP SA FA   W   // remove R
                    //   AuditingSplit: CI OI    NP    FA R     // remove SA
                    //      MergeSplit: CI OI    NP SA    R     // ready for merge
                    //          Remove:    OI IO NP SA    R     // same audit and perm flags as merge split
                    //
                    //          Result: CI OI    NP SA FA   W   // PermissionSplit
                    //                  CI OI    NP    FA R     // AuditingSplit
                    //                  CI       NP SA    R     // Result of perm removal
                    //

                    //
                    // Example for DS acls (when removal is possible)
                    //
                    // From: CI(Guid) LC CC(Guid)
                    // Remove: CI IO LC
                    //
                    // PermissionSplit: CI(Guid) CC(Guid) // Remove GR
                    //        MergeSplit: CI(Guid) LC // Ready for merge
                    //           Remove: CI IO LC // Removal is possible since we are trying to remove inheritance for
                    //                                            all child types when it exists for one specific child type
                    //
                    //              Result: CI(Guid) CC(Guid) // PermissionSplit
                    //                         LC // Result of perm removal
                    //
                    //
                    // Example for DS acls (when removal is NOT possible)
                    //
                    // From: CI GR CC(Guid)
                    // Remove: CI(Guid) IO LC
                    //
                    // PermissionSplit: CI CC(Guid) // Remove GR
                    //        MergeSplit: CI LC // Ready for merge
                    //           Remove: CI(Guid) IO CC // Removal is not possible since we are trying to remove 
                    //                                                     inheritance for a specific child type when it exists for all child types
                    //

                    // Permission split settings
                    AceFlags ps_AceFlags = 0;
                    int ps_AccessMask = 0;
                    ObjectAceFlags ps_ObjectAceFlags = 0;
                    Guid ps_ObjectAceType = Guid.Empty;
                    Guid ps_InheritedObjectAceType = Guid.Empty;

                    // Auditing split makes sense if this is a SACL
                    AceFlags as_AceFlags = 0;
                    int as_AccessMask = 0;
                    ObjectAceFlags as_ObjectAceFlags = 0;
                    Guid as_ObjectAceType = Guid.Empty;
                    Guid as_InheritedObjectAceType = Guid.Empty;

                    // Merge split settings
                    AceFlags ms_AceFlags = 0;
                    int ms_AccessMask = 0;
                    ObjectAceFlags ms_ObjectAceFlags = 0;
                    Guid ms_ObjectAceType = Guid.Empty;
                    Guid ms_InheritedObjectAceType = Guid.Empty;

                    // Merge result settings
                    AceFlags mergeResultFlags = 0;
                    bool mergeRemoveTotal = false;

                    //
                    // First compute the permission split
                    //

                    ps_AceFlags = ace.AceFlags;
                    unchecked { ps_AccessMask = ace.AccessMask & ~accessMask; }

                    if ( ace is ObjectAce ) 
                    {
                        //
                        // determine what should be the object/inherited object types on the permission split
                        //
                        GetObjectTypesForSplit( ace as ObjectAce, ps_AccessMask /* access mask for this split */, ps_AceFlags /* flags remain the same */, out ps_ObjectAceFlags, out ps_ObjectAceType, out ps_InheritedObjectAceType );
                    }
                    
                    //
                    // Next, for SACLs only, compute the auditing split
                    //

                    if ( saclSemantics )
                    {
                        //
                        // This operation can set the audit bits region
                        // of ACE flags to zero;
                        // This case will be handled later
                        //

                        unchecked { as_AceFlags = ace.AceFlags & ~( flags & AceFlags.AuditFlags ); }

                        //
                        // The result of this evaluation is guaranteed
                        // not to be zero by now
                        //

                        as_AccessMask = ( ace.AccessMask & accessMask );

                        if ( ace is ObjectAce ) 
                        {
                            //
                            // determine what should be the object/inherited object types on the audit split
                            //
                            GetObjectTypesForSplit( ace as ObjectAce, as_AccessMask /* access mask for this split */, as_AceFlags /* flags remain the same for inheritance */, out as_ObjectAceFlags, out as_ObjectAceType, out as_InheritedObjectAceType );
                        }
                    }

                    //
                    // Finally, compute the merge split
                    //

                    ms_AceFlags = ( ace.AceFlags & AceFlags.InheritanceFlags ) | ( flags & ace.AceFlags & AceFlags.AuditFlags );
                    ms_AccessMask = ( ace.AccessMask & accessMask );

                   
                    //
                    // Now is the time to obtain the result of applying the remove
                    // operation to the merge split
                    // Skipping this step for SACLs where the merge split step
                    // produced no auditing flags
                    //

                    if ( !saclSemantics ||
                        (( ms_AceFlags & AceFlags.AuditFlags ) != 0 ))
                    {         
                        if ( false == RemoveInheritanceBits( ms_AceFlags, flags, IsDS, out mergeResultFlags, out mergeRemoveTotal ))
                        {
                            removePossible = false;
                            break;
                        }

                        if ( !mergeRemoveTotal )
                        {
                            mergeResultFlags |= ( ms_AceFlags & AceFlags.AuditFlags );
                            
                            if ( ace is ObjectAce ) 
                            {
                                //
                                // determine what should be the object/inherited object types on the merge split
                                //
                                GetObjectTypesForSplit( ace as ObjectAce, ms_AccessMask /* access mask for this split */, mergeResultFlags /* flags for this split */, out ms_ObjectAceFlags, out ms_ObjectAceType, out ms_InheritedObjectAceType );
                            }    
                        }
                    }

                    //
                    // If this is no longer an evaluation, go ahead and make the changes
                    //

                    if ( !evaluationPass )
                    {
                        QualifiedAce newAce;

                        //
                        // Modify the existing ACE in-place if it has any access
                        // mask bits left, otherwise simply remove it
                        // However, if for an object ace we are removing the object type 
                        // then we should really remove this ace and add a new one since
                        // we would be changing the size of this ace
                        //

                        if ( ps_AccessMask != 0 )
                        {
                            if (( ace is ObjectAce ) &&
                                (((( ObjectAce) ace ).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) &&
                                     (( ps_ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
                            {
                                ObjectAce newObjectAce;

                                _acl.RemoveAce(i);
                                newObjectAce = new ObjectAce( ps_AceFlags, qualifier, ps_AccessMask, ace.SecurityIdentifier, ps_ObjectAceFlags, ps_ObjectAceType, ps_InheritedObjectAceType, false, null );
                                _acl.InsertAce( i, newObjectAce );
                            }
                            else 
                            {
                                ace.AceFlags = ps_AceFlags;
                                ace.AccessMask = ps_AccessMask;

                                if ( ace is ObjectAce ) 
                                {
                                    ObjectAce objectAce = ace as ObjectAce;
                                    
                                    objectAce.ObjectAceFlags = ps_ObjectAceFlags;
                                    objectAce.ObjectAceType = ps_ObjectAceType;
                                    objectAce.InheritedObjectAceType = ps_InheritedObjectAceType;
                                }
                            }
                        }
                        else
                        {
                            _acl.RemoveAce(i);
                            i--; // keep the array index honest
                        }

                        //
                        // On a SACL, the result of the auditing split must be recorded
                        //

                        if ( saclSemantics && (( as_AceFlags & AceFlags.AuditFlags ) != 0 ))
                        {
                            if ( ace is CommonAce )
                            {
                                newAce = new CommonAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, false, null );
                            }
                            else
                            {
                                // object ace
                                newAce = new ObjectAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, as_ObjectAceFlags, as_ObjectAceType, as_InheritedObjectAceType, false, null );
                            }

                            i++; // so it's not considered again
                            _acl.InsertAce( i, newAce );
                        }

                        //
                        // If there are interesting bits left over from a remove, store them
                        // as a separate ACE
                        //

                        if ( !mergeRemoveTotal )
                        {
                            if ( ace is CommonAce )
                            {
                                newAce = new CommonAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, false, null );
                            }
                            else
                            {
                                // object ace
                                newAce = new ObjectAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, ms_ObjectAceFlags, ms_ObjectAceType, ms_InheritedObjectAceType, false, null );
                            }

                            i++; // so it's not considered again
                            _acl.InsertAce( i, newAce );
                        }
                    }
                }
            }
            catch( OverflowException )
            {
                //
                // Oops, overflow means that the ACL became too big.
                // Inform the caller that the remove was not possible.
                //

                _acl.SetBinaryForm( recovery, 0 );
                return false;
            }

            //
            // Finished evaluating the possibility of a remove.
            // If it looks like it's doable, go ahead and do it.
            //

            if ( evaluationPass && removePossible )
            {
                evaluationPass = false;
                goto MakeAnotherPass;
            }

            OnAclModificationTried();

            return removePossible;
        }
 internal void AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
 {
     GenericAce ace;
     if (sid == null)
     {
         throw new ArgumentNullException("sid");
     }
     this.ThrowIfNotCanonical();
     bool flag = false;
     if ((qualifier == AceQualifier.SystemAudit) && (((byte) (flags & AceFlags.AuditFlags)) == 0))
     {
         throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags");
     }
     if (accessMask == 0)
     {
         throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask");
     }
     if (!this.IsDS || (objectFlags == ObjectAceFlags.None))
     {
         ace = new CommonAce(flags, qualifier, accessMask, sid, false, null);
     }
     else
     {
         ace = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null);
     }
     if (this.InspectAce(ref ace, this is DiscretionaryAcl))
     {
         for (int i = 0; i < this.Count; i++)
         {
             QualifiedAce ace2 = this._acl[i] as QualifiedAce;
             if ((ace2 != null) && this.MergeAces(ref ace2, ace as QualifiedAce))
             {
                 flag = true;
                 break;
             }
         }
         if (!flag)
         {
             this._acl.InsertAce(this._acl.Count, ace);
             this._isDirty = true;
         }
         this.OnAclModificationTried();
     }
 }