public void TestBlankACLValidAccount()
{
ACL acl = new ACL();
Account account = new Account();
acl.Add(new ACLAccount(account, DataOperation.All));
acl.Check(new ManagedSecurityContext(account), DataOperation.Create);
}
/// <exception cref="System.Exception"/>
private void VerifyACL(CuratorFramework curatorFramework, string path, ACL expectedACL
)
{
IList <ACL> acls = curatorFramework.GetACL().ForPath(path);
Assert.Equal(1, acls.Count);
Assert.Equal(expectedACL, acls[0]);
}
/// <summary>Add a new write access entry for all future write operations.</summary>
/// <param name="id">ID to use</param>
/// <param name="pass">password</param>
/// <exception cref="System.IO.IOException">on any failure to build the digest</exception>
public virtual bool AddWriteAccessor(string id, string pass)
{
RegistrySecurity security = GetRegistrySecurity();
ACL digestACL = new ACL(ZooDefs.Perms.All, security.ToDigestId(security.Digest(id
, pass)));
return(security.AddDigestACL(digestACL));
}
private S3CannedACL GetS3Acl(ACL acl)
{
return(acl switch
{
ACL.Read => S3CannedACL.PublicRead,
ACL.Private => S3CannedACL.Private,
_ => S3CannedACL.PublicRead,
});
public void TestBlankACLValidAccount()
{
ACL acl = new ACL();
Account account = new Account();
acl.Add(new ACLAccount(account, DataOperation.All));
acl.Check(new ManagedSecurityContext(account), DataOperation.Create);
}
protected void btnSave_Click(object sender, EventArgs e)
{
if (Page.IsValid)
{
try
{
var roles = this.CustomerService.GetAllCustomerRoles();
if (roles.Count == 0)
{
lblMessage.Text = GetLocaleResourceString("Admin.ACL.NoRolesDefined");
return;
}
this.ACLService.Enabled = cbACLEnabled.Checked;
foreach (GridViewRow row in gvACL.Rows)
{
foreach (CustomerRole cr in roles)
{
CheckBox cbAllow = row.FindControl(string.Format("cbAllow_{0}", cr.CustomerRoleId)) as CheckBox;
HiddenField hfCustomerActionId = row.FindControl(string.Format("hfCustomerActionId_{0}", cr.CustomerRoleId)) as HiddenField;
if (cbAllow == null || hfCustomerActionId == null || String.IsNullOrEmpty(hfCustomerActionId.Value))
{
return;
}
bool allow = cbAllow.Checked;
int customerActionId = int.Parse(hfCustomerActionId.Value);
var acls = this.ACLService.GetAllAcl(customerActionId, cr.CustomerRoleId, null);
if (acls.Count > 0)
{
ACL acl = acls[0];
acl.CustomerActionId = customerActionId;
acl.CustomerRoleId = cr.CustomerRoleId;
acl.Allow = allow;
this.ACLService.UpdateAcl(acl);
}
else
{
ACL acl = new ACL()
{
CustomerActionId = customerActionId,
CustomerRoleId = cr.CustomerRoleId,
Allow = allow
};
this.ACLService.InsertAcl(acl);
}
}
}
Response.Redirect("ACL.aspx");
}
catch (Exception exc)
{
ProcessException(exc);
}
}
}
public void ReadFromJson(JsonData in_jsonObj)
{
m_state = EntityState.Ready;
m_entityType = (string)in_jsonObj["entityType"];
m_entityId = (string)in_jsonObj["entityId"];
m_acl = ACL.CreateFromJson(in_jsonObj["acl"]);
UpdateTimeStamps(in_jsonObj);
m_data = JsonToDictionary(in_jsonObj["data"]);
}
public Uri Save(string domain, string path, Stream stream, string contentType,
string contentDisposition, ACL acl, string contentEncoding = null, int cacheDays = 5)
{
var buffered = stream.GetBuffered();
if (QuotaController != null)
{
QuotaController.QuotaUsedCheck(buffered.Length);
}
using (var client = GetClient())
using (var uploader = new TransferUtility(client))
{
var mime = string.IsNullOrEmpty(contentType)
? MimeMapping.GetMimeMapping(Path.GetFileName(path))
: contentType;
var request = new TransferUtilityUploadRequest
{
BucketName = _bucket,
Key = MakePath(domain, path),
CannedACL = acl == ACL.Auto ? GetDomainACL(domain) : GetS3Acl(acl),
ContentType = mime,
ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256,
InputStream = buffered,
AutoCloseStream = false,
Headers =
{
CacheControl = string.Format("public, maxage={0}", (int)TimeSpan.FromDays(cacheDays).TotalSeconds),
Expires = DateTime.UtcNow.Add(TimeSpan.FromDays(cacheDays))
}
};
if (!string.IsNullOrEmpty(contentDisposition))
{
request.Headers.ContentDisposition = contentDisposition;
}
else if (mime == "application/octet-stream")
{
request.Headers.ContentDisposition = "attachment";
}
if (!string.IsNullOrEmpty(contentEncoding))
{
request.Headers.ContentEncoding = contentEncoding;
}
uploader.Upload(request);
InvalidateCloudFront(MakePath(domain, path));
QuotaUsedAdd(domain, buffered.Length);
return(GetUri(domain, path));
}
}
private PredefinedObjectAcl GetGoogleCloudAcl(ACL acl)
{
return(PredefinedObjectAcl.PublicRead);
//return acl switch
//{
// ACL.Read => PredefinedObjectAcl.PublicRead,
// _ => PredefinedObjectAcl.PublicRead,
//};
}
protected unsafe static extern uint SetNamedSecurityInfoW(
[MarshalAs(UnmanagedType.LPTStr)]
string pObjectName,
int ObjectType,
uint SecurityInfo,
IntPtr ppsidOwner,
IntPtr ppsidGroup,
[In] ref ACL pDacl,
IntPtr ppSacl
);
private static S3CannedACL GetS3Acl(ACL acl)
{
switch (acl)
{
case ACL.Read:
return(S3CannedACL.PublicRead);
default:
return(S3CannedACL.PublicRead);
}
}
public void ReadFromJson(object jsonObj)
{
Dictionary <string, object> jsonDict = (Dictionary <string, object>)jsonObj;
m_state = EntityState.Ready;
m_entityType = (string)jsonDict["entityType"];
m_entityId = (string)jsonDict["entityId"];
m_acl = ACL.CreateFromJson((Dictionary <string, object>)jsonDict["acl"]);
UpdateTimeStamps(jsonDict);
m_data = JsonToDictionary(jsonDict["data"]);
}
private PredefinedObjectAcl GetGoogleCloudAcl(ACL acl)
{
switch (acl)
{
case ACL.Read:
return(PredefinedObjectAcl.PublicRead);
default:
return(PredefinedObjectAcl.PublicRead);
}
}
public void Test()
{
ACL acl = new ACL(ACL.Access.ReadWrite);
Dictionary <string, object> jsonObj = new Dictionary <string, object> {
{ "other", 1 }
};
acl = ACL.CreateFromJson(jsonObj);
Assert.AreEqual(ACL.Access.ReadOnly, acl.Other);
}
public RackspaceCloudStorage(string tenant)
{
_tenant = tenant;
_modulename = string.Empty;
_dataList = null;
_domainsExpires = new Dictionary <string, TimeSpan> {
{ string.Empty, TimeSpan.Zero }
};
_domainsAcl = new Dictionary <string, ACL>();
_moduleAcl = ACL.Auto;
}
public override Uri UploadWithoutQuota(string domain, string path, Stream stream, string contentType, string contentDisposition)
{
ACL acl = ACL.Auto;
using (AmazonS3 client = GetClient())
{
var util = new Amazon.S3.Transfer.TransferUtility(client);
var request = new Amazon.S3.Transfer.TransferUtilityUploadRequest();
string mime = string.IsNullOrEmpty(contentType)
? MimeMapping.GetMimeMapping(Path.GetFileName(path))
: contentType;
const int uploadTimeout = 10 * 60 * 1000;
request.BucketName = _bucket;
request.Key = MakePath(domain, path);
request.CannedACL = acl == ACL.Auto ? GetDomainACL(domain) : GetS3Acl(acl);
request.ContentType = mime;
request.Timeout = uploadTimeout;
var headers = new NameValueCollection();
headers.Add("Cache-Control", string.Format("public, maxage={0}", (int)TimeSpan.FromDays(5).TotalSeconds));
headers.Add("Etag", (DateTime.UtcNow.Ticks).ToString(CultureInfo.InvariantCulture));
headers.Add("Last-Modified", DateTime.UtcNow.ToString("R"));
headers.Add("Expires", DateTime.UtcNow.Add(TimeSpan.FromDays(5)).ToString("R"));
if (!string.IsNullOrEmpty(contentDisposition))
{
headers.Add("Content-Disposition", Uri.EscapeDataString(contentDisposition));
}
else if (mime == "application/octet-stream")
{
headers.Add("Content-Disposition", "attachment");
}
request.AddHeaders(headers);
//Send body
var buffered = stream.GetBuffered();
request.AutoCloseStream = false;
request.InputStream = buffered;
util.Upload(request);
InvalidateCloudFront(MakePath(domain, path));
return(GetUri(domain, path));
}
}
public Uri Save(string domain, string path, Stream stream, string contentType,
string contentDisposition, ACL acl, string contentEncoding = null, int cacheDays = 5)
{
var buffered = stream.GetBuffered();
if (QuotaController != null)
{
QuotaController.QuotaUsedCheck(buffered.Length);
}
var mime = string.IsNullOrEmpty(contentType)
? MimeMapping.GetMimeMapping(Path.GetFileName(path))
: contentType;
var storage = GetStorage();
UploadObjectOptions uploadObjectOptions = new UploadObjectOptions
{
PredefinedAcl = acl == ACL.Auto ? GetDomainACL(domain) : GetGoogleCloudAcl(acl)
};
buffered.Position = 0;
var uploaded = storage.UploadObject(_bucket, MakePath(domain, path), mime, buffered, uploadObjectOptions, null);
uploaded.ContentEncoding = contentEncoding;
uploaded.CacheControl = String.Format("public, maxage={0}", (int)TimeSpan.FromDays(cacheDays).TotalSeconds);
if (uploaded.Metadata == null)
{
uploaded.Metadata = new Dictionary <String, String>();
}
uploaded.Metadata["Expires"] = DateTime.UtcNow.Add(TimeSpan.FromDays(cacheDays)).ToString("R");
if (!string.IsNullOrEmpty(contentDisposition))
{
uploaded.ContentDisposition = contentDisposition;
}
else if (mime == "application/octet-stream")
{
uploaded.ContentDisposition = "attachment";
}
storage.UpdateObject(uploaded);
// InvalidateCloudFront(MakePath(domain, path));
QuotaUsedAdd(domain, buffered.Length);
return(GetUri(domain, path));
}
/// <summary>Init operation sets up the system ACLs.</summary>
/// <param name="conf">configuration of the service</param>
/// <exception cref="System.Exception"/>
protected override void ServiceInit(Configuration conf)
{
base.ServiceInit(conf);
RegistrySecurity registrySecurity = GetRegistrySecurity();
if (registrySecurity.IsSecureRegistry())
{
ACL sasl = registrySecurity.CreateSaslACLFromCurrentUser(ZooDefs.Perms.All);
registrySecurity.AddSystemACL(sasl);
Log.Info("Registry System ACLs:", RegistrySecurity.AclsToString(registrySecurity.
GetSystemACLs()));
}
}
public void TestAdminACL()
{
// make sure that the administrative ACL is a cloned fresh copy
// (so that more ACLs can be added)
ACL acl = ACL.GetAdministrativeACL(Session);
int count1 = acl.Count;
acl.Add(new ACLAuthenticatedAllowCreate());
ACL acl2 = ACL.GetAdministrativeACL(Session);
Assert.AreNotEqual(acl, acl2);
Assert.AreEqual(count1, acl2.Count);
}
public SelectelStorage(String tenant, HandlerConfigurationElement handlerConfig, ModuleConfigurationElement moduleConfig)
{
_tenant = tenant;
_modulename = moduleConfig.Name;
_dataList = new DataList(moduleConfig);
_domainsExpires = moduleConfig.Domains.Cast <DomainConfigurationElement>()
.Where(x => x.Expires != TimeSpan.Zero)
.ToDictionary(x => x.Name, y => y.Expires);
_domainsExpires.Add(String.Empty, moduleConfig.Expires);
_domainsAcl = moduleConfig.Domains.Cast <DomainConfigurationElement>().ToDictionary(x => x.Name, y => y.Acl);
_moduleAcl = moduleConfig.Acl;
}
public bool DataCreate(string Path, string data)
{
CreateMode cm = CreateMode.Persistent;
ACL auth = new ACL();
List <ACL> authList = new List <ACL>();
byte[] utf8Bytes = System.Text.Encoding.UTF8.GetBytes(data);
zk.Create(Path, utf8Bytes, authList, cm);
return(true);
}
public IChannelACLEntry CreateACLEntry(IChannelGroup targetGroup)
{
var x = new ChanACL
{
ApplyOnSubchannels = true,
ApplyOnThisChannel = true,
Allow = (ChannelPermissions)0,
Deny = (ChannelPermissions)0,
TargetGroup = targetGroup,
};
ACL.Add(x);
return(x);
}
public virtual Library.Library CreateLibrary(HttpContext context)
{
YZRequest request = new YZRequest(context);
string libType = request.GetString("libType");
string FolderID = request.GetString("FolderID", null);
string DocumentFolderID = request.GetString("DocumentFolderID", null);
JObject jPost = request.GetPostData <JObject>();
Library.Library libPost = jPost["data"].ToObject <Library.Library>();
ACL acl = jPost["acl"].ToObject <ACL>();
using (IYZDbProvider provider = YZDbProviderManager.DefaultProvider)
{
using (IDbConnection cn = provider.OpenConnection())
{
Library.Library lib = new Library.Library();
lib.LibType = libType;
lib.Name = libPost.Name;
lib.Desc = libPost.Desc;
if (!String.IsNullOrEmpty(FolderID))
{
Folder folder = this.CreateLibFolder(provider, cn, libPost.Name, FolderID);
lib.FolderID = folder.FolderID;
}
if (!String.IsNullOrEmpty(DocumentFolderID))
{
Folder folder = this.CreateLibFolder(provider, cn, libPost.Name, DocumentFolderID);
lib.DocumentFolderID = folder.FolderID;
}
lib.Owner = YZAuthHelper.LoginUserAccount;
lib.CreateAt = DateTime.Now;
lib.ImageFileID = libPost.ImageFileID;
lib.OrderIndex = LibraryManager.GetLibraryNextOrderIndex(provider, cn, libType);
lib.Deleted = false;
LibraryManager.Insert(provider, cn, lib);
using (BPMConnection bpmcn = new BPMConnection())
{
bpmcn.WebOpen();
SecurityManager.SaveACL(bpmcn, SecurityResType.Library, lib.LibID.ToString(), null, acl);
}
return(lib);
}
}
}
public virtual void SaveFolder(HttpContext context)
{
YZRequest request = new YZRequest(context);
SecurityResType securityResType = request.GetEnum <SecurityResType>("securityResType");
string path = request.GetString("path", "");
JObject post = request.GetPostData <JObject>();
ACL acl = post["acl"].ToObject <ACL>();
using (BPMConnection cn = new BPMConnection())
{
cn.WebOpen();
SecurityManager.SaveACL(cn, securityResType, path, null, acl);
}
}
/// <summary>Parse the IDs, adding a realm if needed, setting the permissions</summary>
/// <param name="principalList">id string</param>
/// <param name="realm">realm to add</param>
/// <param name="perms">permissions</param>
/// <returns>the relevant ACLs</returns>
/// <exception cref="System.IO.IOException"/>
public virtual IList <ACL> BuildACLs(string principalList, string realm, int perms
)
{
IList <string> aclPairs = SplitAclPairs(principalList, realm);
IList <ACL> ids = new AList <ACL>(aclPairs.Count);
foreach (string aclPair in aclPairs)
{
ACL newAcl = new ACL();
newAcl.SetId(Parse(aclPair, realm));
newAcl.SetPerms(perms);
ids.AddItem(newAcl);
}
return(ids);
}
public string[] DumpToStringArray()
{
var list = new List <string>();
list.Add($"AccountName={AccountName}");
list.Add($"AccountKey={AccountKey}");
list.Add($"FileSystem={FileSystem}");
list.Add($"StartingPath={StartingPath}");
list.Add($"ExitAfter={ExitAfter}");
list.Add($"Parallelism={Parallelism}");
list.Add($"ACL:");
ACL?.ToList().ForEach(x => list.Add($" - {x}"));
list.Add($"RemoveList:");
RemoveList?.ToList().ForEach(x => list.Add($" - {x}"));
return(list.ToArray());
}
public virtual void TestDigestAccess()
{
RMRegistryOperationsService registryAdmin = StartRMRegistryOperations();
string id = "username";
string pass = "******";
registryAdmin.AddWriteAccessor(id, pass);
IList <ACL> clientAcls = registryAdmin.GetClientAcls();
Log.Info("Client ACLS=\n{}", RegistrySecurity.AclsToString(clientAcls));
string @base = "/digested";
registryAdmin.Mknode(@base, false);
IList <ACL> baseACLs = registryAdmin.ZkGetACLS(@base);
string aclset = RegistrySecurity.AclsToString(baseACLs);
Log.Info("Base ACLs=\n{}", aclset);
ACL found = null;
foreach (ACL acl in baseACLs)
{
if (ZookeeperConfigOptions.SchemeDigest.Equals(acl.GetId().GetScheme()))
{
found = acl;
break;
}
}
NUnit.Framework.Assert.IsNotNull("Did not find digest entry in ACLs " + aclset, found
);
zkClientConf.Set(KeyRegistryUserAccounts, "sasl:[email protected], sasl:other"
);
RegistryOperations operations = RegistryOperationsFactory.CreateAuthenticatedInstance
(zkClientConf, id, pass);
AddToTeardown(operations);
operations.Start();
RegistryOperationsClient operationsClient = (RegistryOperationsClient)operations;
IList <ACL> digestClientACLs = operationsClient.GetClientAcls();
Log.Info("digest client ACLs=\n{}", RegistrySecurity.AclsToString(digestClientACLs
));
operations.Stat(@base);
operations.Mknode(@base + "/subdir", false);
ZKPathDumper pathDumper = registryAdmin.DumpPath(true);
Log.Info(pathDumper.ToString());
}
public virtual JObject GenInheriACL(HttpContext context)
{
YZRequest request = new YZRequest(context);
string rsid = request.GetString("rsid");
JObject rv = new JObject();
using (BPMConnection cn = new BPMConnection())
{
cn.WebOpen();
ACL acl = SecurityManager.GenInheriACL(cn, rsid);
rv["acl"] = this.Serialize(cn, acl);
}
return(rv);
}
public virtual void TestGoodACLs()
{
IList <ACL> result = ZKUtil.ParseACLs("sasl:hdfs/[email protected]:cdrwa, sasl:hdfs/[email protected]:ca"
);
ACL acl0 = result[0];
Assert.Equal(ZooDefs.Perms.Create | ZooDefs.Perms.Delete | ZooDefs.Perms
.Read | ZooDefs.Perms.Write | ZooDefs.Perms.Admin, acl0.GetPerms());
Assert.Equal("sasl", acl0.GetId().GetScheme());
Assert.Equal("hdfs/[email protected]", acl0.GetId().GetId());
ACL acl1 = result[1];
Assert.Equal(ZooDefs.Perms.Create | ZooDefs.Perms.Admin, acl1.
GetPerms());
Assert.Equal("sasl", acl1.GetId().GetScheme());
Assert.Equal("hdfs/[email protected]", acl1.GetId().GetId());
}
public virtual JObject GetStoreObjectPerms(HttpContext context)
{
YZRequest request = new YZRequest(context);
StoreZoneType zone = request.GetEnum <StoreZoneType>("zone");
string path = request.GetString("path", null);
string strPerms = request.GetString("perms", null);
BPMObjectNameCollection ids = BPMObjectNameCollection.FromStringList(request.GetString("ids", ""), ',');;
BPMPermision[] bpmPerms = YZSecurityHelper.ParsePermisions(strPerms);
JObject rv = new JObject();
JObject perms = new JObject();
rv["perms"] = perms;
using (BPMConnection cn = new BPMConnection())
{
cn.WebOpen();
foreach (string id in ids)
{
string fullName;
if (String.IsNullOrEmpty(path))
{
fullName = id;
}
else
{
fullName = path + "/" + id;
}
ACL acl = SecurityManager.GetACL(cn, zone.ToString() + "://" + fullName);
JObject jPerm = new JObject();
perms[id] = jPerm;
foreach (BPMPermision perm in bpmPerms)
{
jPerm[perm.ToString()] = acl.HasPermision(cn.Token, perm);
}
}
}
rv[YZJsonProperty.success] = true;
return(rv);
}
private S3CannedACL GetS3Acl(ACL acl)
{
switch (acl)
{
case ACL.Read:
return(S3CannedACL.PublicRead);
case ACL.Write:
return(S3CannedACL.PublicReadWrite);
case ACL.Private:
return(S3CannedACL.AuthenticatedRead);
default:
return(S3CannedACL.PublicRead);
}
}
public void ACLTest01()
{
ACL acl = new ACL();
Role Guests = new Role("Guests");
acl.AddRole(Guests);
Role[] parents = new Role[1];
parents[0] = Guests;
Role JoeGuest = new Role("JoeGuest", parents);
acl.AddRole(JoeGuest);
Resource CanBuild = new Resource("CanBuild");
acl.AddResource(CanBuild);
acl.GrantPermission("Guests", "CanBuild");
Permission perm = acl.HasPermission("JoeGuest", "CanBuild");
Assert.That(perm == Permission.Allow, "JoeGuest should have permission to build");
perm = Permission.None;
try
{
perm = acl.HasPermission("unknownGuest", "CanBuild");
}
catch (KeyNotFoundException)
{
}
catch (Exception)
{
Assert.That(false,"Exception thrown should have been KeyNotFoundException");
}
Assert.That(perm == Permission.None,"Permission None should be set because exception should have been thrown");
}
private static S3CannedACL GetS3Acl(ACL acl)
{
switch (acl)
{
case ACL.Read:
return S3CannedACL.PublicRead;
default:
return S3CannedACL.PublicRead;
}
}
public void Deserialize(IInputArchive a_, String tag)
{
a_.StartRecord(tag);
Path=a_.ReadString("path");
{
IIndex vidx1 = a_.StartVector("acl");
if (vidx1!= null) { var tmpLst=new System.Collections.Generic.List<ACL>();
for (; !vidx1.Done(); vidx1.Incr()) {
ACL e1;
e1= new ACL();
a_.ReadRecord(e1,"e1");
tmpLst.Add(e1);
}
Acl=tmpLst;
}
a_.EndVector("acl");
}
Version=a_.ReadInt("version");
a_.EndRecord(tag);
}
private S3CannedACL GetS3Acl(ACL acl)
{
switch (acl)
{
case ACL.Read:
return S3CannedACL.PublicRead;
case ACL.Write:
return S3CannedACL.PublicReadWrite;
case ACL.Private:
return S3CannedACL.AuthenticatedRead;
default:
return S3CannedACL.PublicRead;
}
}
public Uri Save(string domain, string path, Stream stream, string contentType,
string contentDisposition, ACL acl, string contentEncoding = null, int cacheDays = 5)
{
bool postWriteCheck = false;
if (QuotaController != null)
{
try
{
QuotaController.QuotaUsedAdd(_modulename, domain, _dataList.GetData(domain), stream.Length);
}
catch (TenantQuotaException)
{
//this exception occurs only if tenant has no free space
//or if file size larger than allowed by quota
//so we can exit this function without stream buffering etc
throw;
}
catch (Exception)
{
postWriteCheck = true;
}
}
using (AmazonS3 client = GetClient())
{
var request = new PutObjectRequest();
string mime = string.IsNullOrEmpty(contentType)
? MimeMapping.GetMimeMapping(Path.GetFileName(path))
: contentType;
request.BucketName = _bucket;
request.Key = MakePath(domain, path);
request.CannedACL = acl == ACL.Auto ? GetDomainACL(domain) : GetS3Acl(acl);
request.ContentType = mime;
request.ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256;
var requestHeaders = new NameValueCollection();
requestHeaders.Add("Cache-Control", string.Format("public, maxage={0}", (int)TimeSpan.FromDays(cacheDays).TotalSeconds));
requestHeaders.Add("Etag", (DateTime.UtcNow.Ticks).ToString(CultureInfo.InvariantCulture));
requestHeaders.Add("Last-Modified", DateTime.UtcNow.ToString("R"));
requestHeaders.Add("Expires", DateTime.UtcNow.Add(TimeSpan.FromDays(cacheDays)).ToString("R"));
if (!string.IsNullOrEmpty(contentDisposition))
{
requestHeaders.Add("Content-Disposition", contentDisposition);
}
else if (mime == "application/octet-stream")
{
requestHeaders.Add("Content-Disposition", "attachment");
}
if (!string.IsNullOrEmpty(contentEncoding))
{
requestHeaders.Add("Content-Encoding", contentEncoding);
}
request.AddHeaders(requestHeaders);
//Send body
var buffered = stream.GetBuffered();
if (postWriteCheck)
{
QuotaController.QuotaUsedAdd(_modulename, domain, _dataList.GetData(domain), buffered.Length);
}
request.AutoCloseStream = false;
request.InputStream = buffered;
PutObjectResponse response = client.PutObject(request);
var destinationObjectEncryptionStatus = response.ServerSideEncryptionMethod;
//..ServerSideEncryptionMethod;
InvalidateCloudFront(MakePath(domain, path));
return GetUri(domain, path);
}
}
public override Uri Save(string domain, string path, Stream stream, ACL acl)
{
return Save(domain, path, stream);
}
bool CreateKeyDescriptor(IntPtr pOldSD, ACCOUNT_PERM Account, ref MEM_DATA MemData)
{
// reconstruct security descriptor
bool bDefault = false;
bool bPresent = false;
int iControlBits = 0;
int iControlSet = 0;
int iDomain = 0;
int iFlag = 0;
int iLength = 0;
int iRevision = 0;
int iSidLen = 0;
int iTotal = 0;
int iUse = 0;
StringBuilder sDomain = new StringBuilder(256);
IntPtr pNewACL = IntPtr.Zero;
IntPtr pAcl = IntPtr.Zero;
IntPtr pSid = IntPtr.Zero;
IntPtr pPnt = IntPtr.Zero;
ACL_SIZE_INFORMATION tAclSize = new ACL_SIZE_INFORMATION();
ACL tTempACL = new ACL();
ACE tTempAce = new ACE();
try
{
MemData.pAcl = IntPtr.Zero;
MemData.pSd = IntPtr.Zero;
// get size
pSid = LocalAlloc(LMEM_INITIALIZED, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (pSid == IntPtr.Zero)
{
return false;
}
// store pointer
MemData.pSd = pSid;
// init descriptor
if (InitializeSecurityDescriptor(pSid, SECURITY_DESCRIPTOR_REVISION) == 0)
{
return false;
}
// check for existing sd
if (pOldSD != IntPtr.Zero)
{
if (GetSecurityDescriptorDacl(pOldSD, out bPresent, ref pAcl, out bDefault) == true)
{
// extract dacl
if ((bPresent == true) && (pAcl != IntPtr.Zero))
{
if (GetAclInformation(pAcl, ref tAclSize, Marshal.SizeOf(tAclSize), ACL_INFORMATION_CLASS.AclSizeInformation) == false)
{
return false;
}
else
{
iTotal = tAclSize.AclBytesInUse;
}
}
else
{
iTotal = Marshal.SizeOf(tTempACL);
}
}
else
{
return false;
}
}
// allocate sid //
// get callers sid
if (Account.pSid == IntPtr.Zero)
{
iDomain = 256;
// get size
LookupAccountName(null, Account.AccountName, IntPtr.Zero, ref iSidLen, sDomain, ref iDomain, out iUse);
Account.pSid = LocalAlloc(LMEM_INITIALIZED, iSidLen);
if (Account.pSid == IntPtr.Zero)
{
return false;
}
// get the sid
if (LookupAccountName(null, Account.AccountName, Account.pSid, ref iSidLen, sDomain, ref iDomain, out iUse) == false)
{
return false;
}
}
// ace buffer
iLength = (Marshal.SizeOf(tTempAce) + GetLengthSid(Account.pSid)) - 4;
iTotal += iLength;
pNewACL = LocalAlloc(LMEM_INITIALIZED, iTotal);
if (pNewACL == IntPtr.Zero)
{
return false;
}
// store pointer
MemData.pAcl = pNewACL;
// init acl
if (InitializeAcl(pNewACL, iTotal, ACL_REVISION) == false)
{
return false;
}
// build dacl in sequence
if (Account.AceType == ACCESS_DENIED_ACE_TYPE)
{
if (BuildACE(pNewACL, Account.AceType, Account.AceFlags, Account.AccessMask, Account.pSid) == false)
{
return false;
}
}
// copy non-inherited ace
if ((bPresent == true) && (pAcl != IntPtr.Zero) && (tAclSize.AceCount > 0))
{
// combine old and new ACE entries
for (int count = 0; count < tAclSize.AceCount; count++)
{
// next ace
GetAce(pAcl, count, out pPnt);
if (pPnt == IntPtr.Zero)
{
return false;
}
RtlMoveMemory(ref tTempAce, pPnt, Marshal.SizeOf(tTempAce));
// exit on inherited ace
if (((int)tTempAce.Header.AceFlags & INHERITED_ACE) == INHERITED_ACE)
{
break;
}
int x = (int)pPnt + 8;
IntPtr pPt = new IntPtr(x);
// check ace value
if (!SidIsEqual(Account.pSid, pPt))
{
// add ace
AddAce(pNewACL, ACL_REVISION, MAXDWORD, pPnt, tTempAce.Header.AceSize);
}
}
}
// add explicit permit
if (Account.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
BuildACE(pNewACL, Account.AceType, Account.AceFlags, Account.AccessMask, Account.pSid);
}
// enties with inheritence flag
if ((bPresent == true) && (pAcl != IntPtr.Zero) && (tAclSize.AceCount > 0))
{
for (int count = 0; count < tAclSize.AceCount; count++)
{
GetAce(pAcl, count, out pPnt);
RtlMoveMemory(ref tTempAce, pPnt, Marshal.SizeOf(tTempAce));
AddAce(pNewACL, ACL_REVISION, MAXDWORD, pPnt, tTempAce.Header.AceSize);
}
}
// descriptor flags
if (pOldSD != IntPtr.Zero)
{
if (GetSecurityDescriptorControl(pOldSD, out iFlag, out iRevision) != 0)
{
if ((iFlag & SE_DACL_AUTO_INHERITED) == SE_DACL_AUTO_INHERITED)
{
iControlBits = SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED;
iControlSet = iControlBits;
}
else if ((iFlag & SE_DACL_PROTECTED) == SE_DACL_PROTECTED)
{
iControlBits = SE_DACL_PROTECTED;
iControlSet = iControlBits;
}
if (iControlSet != 0)
{
SetSecurityDescriptorControl(pSid, iControlBits, iControlSet);
}
}
}
// add dacl
return SetSecurityDescriptorDacl(pSid, 1, pNewACL, 0);
}
finally
{
if (Account.pSid != IntPtr.Zero)
{
LocalFree(Account.pSid);
Account.pSid = IntPtr.Zero;
}
}
}
public Uri Save(string domain, string path, Stream stream, string contentType,
string contentDisposition, ACL acl)
{
bool postWriteCheck = false;
if (QuotaController != null)
{
try
{
QuotaController.QuotaUsedAdd(_modulename, domain, _dataList.GetData(domain), stream.Length);
}
catch (Exception)
{
postWriteCheck = true;
}
}
using (AmazonS3 client = GetClient())
{
var request = new PutObjectRequest();
string mime = string.IsNullOrEmpty(contentType)
? MimeMapping.GetMimeMapping(Path.GetFileName(path))
: contentType;
request.WithBucketName(_bucket)
.WithKey(MakePath(domain, path))
.WithCannedACL(acl == ACL.Auto ? GetDomainACL(domain) : GetS3Acl(acl))
.WithContentType(mime);
var headers = new NameValueCollection();
headers.Add("Cache-Control", string.Format("public, maxage={0}", (int)TimeSpan.FromDays(5).TotalSeconds));
headers.Add("Etag", (DateTime.UtcNow.Ticks).ToString());
headers.Add("Last-Modified", DateTime.UtcNow.ToString("R"));
headers.Add("Expires", DateTime.UtcNow.Add(TimeSpan.FromDays(5)).ToString("R"));
if (!string.IsNullOrEmpty(contentDisposition))
{
headers.Add("Content-Disposition", contentDisposition);
}
else if (mime == "application/octet-stream")
{
headers.Add("Content-Disposition", "attachment");
}
request.AddHeaders(headers);
//Send body
var buffered = stream.GetBuffered();
if (postWriteCheck)
{
QuotaController.QuotaUsedAdd(_modulename, domain, _dataList.GetData(domain), buffered.Length);
}
request.AutoCloseStream = false;
request.WithInputStream(buffered);
client.PutObject(request);
InvalidateCloudFront(MakePath(domain, path));
return GetUri(domain, path);
}
}
public void KnownButPermissionDenyAndPermissionNoneUserTest()
{
ACL acl = new ACL();
Role Guests = new Role("Guests");
acl.AddRole(Guests);
Role Administrators = new Role("Administrators");
acl.AddRole(Administrators);
Role[] Guestparents = new Role[1];
Role[] Adminparents = new Role[1];
Guestparents[0] = Guests;
Adminparents[0] = Administrators;
Role JoeGuest = new Role("JoeGuest", Guestparents);
acl.AddRole(JoeGuest);
Resource CanBuild = new Resource("CanBuild");
acl.AddResource(CanBuild);
Resource CanScript = new Resource("CanScript");
acl.AddResource(CanScript);
Resource CanRestart = new Resource("CanRestart");
acl.AddResource(CanRestart);
acl.GrantPermission("Guests", "CanBuild");
acl.DenyPermission("Guests", "CanRestart");
acl.GrantPermission("Administrators", "CanScript");
acl.GrantPermission("Administrators", "CanRestart");
Permission setPermission = acl.HasPermission("JoeGuest", "CanRestart");
Assert.That(setPermission == Permission.Deny, "Guests Should not be able to restart");
Assert.That(acl.HasPermission("JoeGuest", "CanScript") == Permission.None,
"No Explicit Permissions set so should be Permission.None");
}
/// <summary>
/// Sets the mandatory label on the given file or directory object.
/// </summary>
/// <param name="target">target file or directory path</param>
/// <param name="flags">flags to control inheritance</param>
/// <param name="policy">access policy</param>
/// <param name="mlrid">mandatory integrity level</param>
public static void SetFileMandatoryLabel(string target, AceFlags flags, MandatoryPolicy policy,
MandatoryLabel mlrid)
{
SID_IDENTIFIER_AUTHORITY mlauth = new SID_IDENTIFIER_AUTHORITY() {
Value = MANDATORY_LABEL_AUTHORITY
};
SYSTEM_MANDATORY_LABEL_ACE mlace = new SYSTEM_MANDATORY_LABEL_ACE();
ACL acl = new ACL();
IntPtr sdptr = new IntPtr(0);
IntPtr saclptr;
IntPtr mlauthptr;
IntPtr sidptr;
IntPtr newsdptr = new IntPtr(0);
int szneeded = 0;
int size = 0;
bool present = false;
bool defaulted = false;
int errno = 0;
if (!File.Exists(target) && !Directory.Exists(target))
throw new FileNotFoundException("The path '" + target + "' was not found.");
Security.GetFileSecurity(target, LABEL_SECURITY_INFORMATION, sdptr, size, ref szneeded);
sdptr = Marshal.AllocHGlobal(szneeded);
size = szneeded;
if (!Security.GetFileSecurity(target, LABEL_SECURITY_INFORMATION, sdptr, size, ref szneeded)) {
errno = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(sdptr);
throw new IOException("Failed to read file security information. (" + errno + ")");
}
if (!Security.GetSecurityDescriptorSacl(sdptr, ref present, out saclptr, ref defaulted)) {
errno = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(sdptr);
throw new IOException("Failed to read security descriptor SACL. (" + errno + ")");
}
if (!Security.ConvertSecurityDescriptor(sdptr, out newsdptr, out errno)) {
Marshal.FreeHGlobal(sdptr);
throw new IOException("Failed to convert security descriptor. (" + errno + ")");
}
Marshal.FreeHGlobal(sdptr);
mlauthptr = Marshal.AllocHGlobal(Marshal.SizeOf(mlauth));
Marshal.StructureToPtr(mlauth, mlauthptr, false);
if (!Security.AllocateAndInitializeSid(mlauthptr, 1, (int)mlrid, 0, 0, 0, 0, 0, 0, 0, out sidptr)) {
errno = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(newsdptr);
Marshal.FreeHGlobal(mlauthptr);
throw new IOException("Failed to allocate new SID. (" + errno + ")");
}
Marshal.FreeHGlobal(mlauthptr);
int cbAcl = Marshal.SizeOf(acl) + Marshal.SizeOf(mlace) + (Security.GetLengthSid(sidptr) - sizeof(int));
cbAcl = (cbAcl + (sizeof(int) - 1)) & 0xfffc; /* align cbAcl to an int */
saclptr = Marshal.AllocHGlobal(cbAcl);
if (!InitializeAcl(saclptr, cbAcl, ACL_REVISION)) {
errno = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(newsdptr);
Marshal.FreeHGlobal(sidptr);
Marshal.FreeHGlobal(saclptr);
throw new IOException("Failed to initialise new ACL. (" + errno + ")");
}
if (!Security.AddMandatoryAce(saclptr, ACL_REVISION, (int)flags, (int)policy, sidptr)) {
errno = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(newsdptr);
Marshal.FreeHGlobal(sidptr);
Marshal.FreeHGlobal(saclptr);
throw new IOException("Failed to add new mandatory ACE. (" + errno + ")");
}
Marshal.FreeHGlobal(sidptr);
if (!Security.SetSecurityDescriptorSacl(newsdptr, true, saclptr, false)) {
errno = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(newsdptr);
Marshal.FreeHGlobal(saclptr);
throw new IOException("Failed to set security descriptor SACL. (" + errno + ")");
}
if (!Security.SetFileSecurity(target, LABEL_SECURITY_INFORMATION, newsdptr)) {
errno = Marshal.GetLastWin32Error();
Marshal.FreeHGlobal(newsdptr);
Marshal.FreeHGlobal(saclptr);
throw new IOException("Failed to write file security information. (" + errno + ")");
}
Marshal.FreeHGlobal(newsdptr);
Marshal.FreeHGlobal(saclptr);
}
public void TestBlankACLNonAdminAccount()
{
ACL acl = new ACL();
acl.Check(new ManagedSecurityContext(new Account()), DataOperation.Create);
}
/// <summary>
/// new
/// </summary>
/// <param name="path"></param>
/// <param name="acl"></param>
/// <param name="version"></param>
public SetACLRequest(string path, ACL[] acl, int version)
{
this.Path = path;
this.Acl = acl;
this.Version = version;
}
public void TestBlankACLAdminAccount()
{
ACL acl = new ACL();
acl.Check(new ManagedSecurityContext(ManagedAccount.GetAdminAccount(Session)), DataOperation.Create);
}
public void TestBlankACLInvalidAccount()
{
ACL acl = new ACL();
acl.Add(new ACLAccount(new Account(), DataOperation.All));
acl.Check(new ManagedSecurityContext((Account) null), DataOperation.Create);
}
public Uri Save(string domain, string path, Stream stream, string contentType,
string contentDisposition, ACL acl, string contentEncoding = null, int cacheDays = 5)
{
bool postWriteCheck = false;
if (QuotaController != null)
{
try
{
QuotaController.QuotaUsedAdd(_modulename, domain, _dataList.GetData(domain), stream.Length);
}
catch (TenantQuotaException)
{
//this exception occurs only if tenant has no free space
//or if file size larger than allowed by quota
//so we can exit this function without stream buffering etc
throw;
}
catch (Exception)
{
postWriteCheck = true;
}
}
using (var client = GetClient())
{
var mime = string.IsNullOrEmpty(contentType)
? MimeMapping.GetMimeMapping(Path.GetFileName(path))
: contentType;
var buffered = stream.GetBuffered();
var request = new PutObjectRequest
{
BucketName = _bucket,
Key = MakePath(domain, path),
CannedACL = acl == ACL.Auto ? GetDomainACL(domain) : GetS3Acl(acl),
ContentType = mime,
ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256,
InputStream = buffered,
AutoCloseStream = false,
Headers =
{
CacheControl = string.Format("public, maxage={0}", (int)TimeSpan.FromDays(cacheDays).TotalSeconds),
ContentMD5 = Hasher.Base64Hash(buffered.GetCorrectBuffer(), HashAlg.MD5),
Expires = DateTime.UtcNow.Add(TimeSpan.FromDays(cacheDays))
}
};
if (!string.IsNullOrEmpty(contentDisposition))
{
request.Headers.ContentDisposition = contentDisposition;
}
else if (mime == "application/octet-stream")
{
request.Headers.ContentDisposition = "attachment";
}
if (!string.IsNullOrEmpty(contentEncoding))
{
request.Headers.ContentEncoding = contentEncoding;
}
//Send body
if (postWriteCheck)
{
QuotaController.QuotaUsedAdd(_modulename, domain, _dataList.GetData(domain), buffered.Length);
}
var response = client.PutObject(request);
var destinationObjectEncryptionStatus = response.ServerSideEncryptionMethod;
//..ServerSideEncryptionMethod;
InvalidateCloudFront(MakePath(domain, path));
return GetUri(domain, path);
}
}
public void TestACLEveryoneRetreive()
{
ACL acl = new ACL();
acl.Add(new ACLEveryoneAllowRetrieve());
acl.Check(new ManagedSecurityContext(new Account()), DataOperation.Retreive);
}
public abstract Uri Save(string domain, string path, Stream stream, ACL acl);
public void DoCreateRightsViewUnmaterialized(ObjectClass objClass)
{
var tblName = db.GetTableName(objClass.Module.SchemaName, objClass.TableName);
var tblRightsName = db.GetTableName(objClass.Module.SchemaName, Construct.SecurityRulesTableName(objClass));
var rightsViewUnmaterializedName = db.GetTableName(objClass.Module.SchemaName, Construct.SecurityRulesRightsViewUnmaterializedName(objClass));
if (objClass.AccessControlList.Count == 0)
{
Log.ErrorFormat("Unable to create RightsViewUnmaterialized: ObjectClass '{0}' has an empty AccessControlList", objClass.Name);
db.CreateEmptyRightsViewUnmaterialized(rightsViewUnmaterializedName);
return;
}
List<ACL> viewAcls = new List<ACL>();
foreach (var ac in objClass.AccessControlList.OfType<RoleMembership>())
{
if (ac.Relations.Count == 0)
{
Log.ErrorFormat("Unable to create RightsViewUnmaterialized: RoleMembership '{0}' has no relations", ac.Name);
db.CreateEmptyRightsViewUnmaterialized(rightsViewUnmaterializedName);
return;
}
var viewAcl = new ACL();
viewAcls.Add(viewAcl);
viewAcl.Right = (Zetbox.API.AccessRights)ac.Rights;
try
{
viewAcl.Relations.AddRange(SchemaManager.CreateJoinList(db, objClass, ac.Relations));
}
catch (SchemaManager.JoinListException ex)
{
Log.ErrorFormat(ex.Message);
db.CreateEmptyRightsViewUnmaterialized(rightsViewUnmaterializedName);
return;
}
}
db.CreateRightsViewUnmaterialized(rightsViewUnmaterializedName, tblName, tblRightsName, viewAcls);
}
