private static Tenant CreateOwningTenantEntry(AclProbe aclProbe, User user, AccessControlEntry ace) { Tenant owningTenant; switch (ace.TenantCondition) { case TenantCondition.OwningTenant: // Undecideable constraint: For ACE to match the SecurityToken.OwningTenant must be equal to the user's tenant. // Since this is undecideable, set the owning tenant so he will match, and record the constraint as an access condition, // keeping in mind the TenantHierarchyCondition. // Owning tenant will be set to the user's tenant, which should never be empty. Assertion.IsNotNull(user.Tenant); // TenantHierarchyCondition should always contain the flag for "this tenant"; // if this condition is violated, using owningTenant = user.Tenant will no longer work, since it will not match. Assertion.IsTrue((ace.TenantHierarchyCondition & TenantHierarchyCondition.This) != 0); owningTenant = user.Tenant; aclProbe.AccessConditions.OwningTenant = owningTenant; aclProbe.AccessConditions.TenantHierarchyCondition = ace.TenantHierarchyCondition; break; case TenantCondition.SpecificTenant: owningTenant = null; // Decideable constraint => no condition. Either Principal.Tenant matches or he does not. break; case TenantCondition.None: owningTenant = null; // No constraint => no condition (will always match). break; default: throw new ArgumentException(String.Format("ace.TenantSelection={0} is currently not supported by this method. Please extend method to handle the new TenantSelection state.", ace.TenantCondition)); } return(owningTenant); }
public void SetPermissions_Accesscontrollist() { // <snippet26> // Connect to a queue on the local computer. MessageQueue queue = new MessageQueue(".\\exampleQueue"); // Create an AccessControlList. AccessControlList list = new AccessControlList(); // Create a new trustee to represent the "Everyone" user group. Trustee tr = new Trustee("Everyone"); // Create an AccessControlEntry, granting the trustee read access to // the queue. AccessControlEntry entry = new AccessControlEntry( tr, GenericAccessRights.Read, StandardAccessRights.Read, AccessControlEntryType.Allow); // Add the AccessControlEntry to the AccessControlList. list.Add(entry); // Apply the AccessControlList to the queue. queue.SetPermissions(list); // </snippet26> }
private static User CreateOwningUserEntry(AclProbe aclProbe, User user, AccessControlEntry ace) { User owningUser; switch (ace.UserCondition) { case UserCondition.Owner: // Undecideable constraint: For ACE to match the SecurityToken.OwningUser must be equal to the user's user. // Since this is undeciadeable, set the owning user so he will match, and record the constraint as an access condition. owningUser = user; aclProbe.AccessConditions.IsOwningUserRequired = true; break; case UserCondition.SpecificUser: owningUser = null; // Decideable constraint => no condition. Either Principal matches or he does not. break; case UserCondition.SpecificPosition: owningUser = null; // Decideable constraint => no condition. Either Principal's position matches or it does not. break; case UserCondition.None: owningUser = null; // No constraint => no condition (will always match). break; default: throw new ArgumentException(String.Format("ace.UserSelection={0} is currently not supported by this method. Please extend method to handle the new UserSelection state.", ace.UserCondition)); } return(owningUser); }
public SecurityTokenMatcher(AccessControlEntry ace) { ArgumentUtility.CheckNotNull("ace", ace); _ace = ace; _clientTransaction = ace.RootTransaction; }
private void setManagedBy(string managerLDAPPath, bool managerUpdateMembershipList, DirectoryEntry group) { DirectoryEntry managedBy = new DirectoryEntry(managerLDAPPath, credentials.UserName + "@" + credentials.Domain, credentials.Password); string managedBymanagerDistinguishedName = managedBy.Properties["distinguishedName"].Value.ToString(); string userPrincipalName = managedBy.Properties["userPrincipalName"].Value.ToString(); string managedBysAMAccountName = userPrincipalName.Split('@')[0]; string managedByDomainName = userPrincipalName.Split('@')[1].Replace(".com", ""); setSinglePropertyValue(group, "managedBy", managedBymanagerDistinguishedName); if (managerUpdateMembershipList) { IADsSecurityDescriptor sd = (IADsSecurityDescriptor)group.Properties["ntSecurityDescriptor"].Value; IADsAccessControlList dacl = (IADsAccessControlList)sd.DiscretionaryAcl; IADsAccessControlEntry ace = new AccessControlEntry(); ace.Trustee = string.Format("{0}\\{1}", managedByDomainName, managedBysAMAccountName); ace.AccessMask = (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DS_WRITE_PROP; ace.AceFlags = (int)ADS_ACEFLAG_ENUM.ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE; ace.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT; ace.Flags = (int)ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT; ace.ObjectType = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"; dacl.AddAce(ace); sd.DiscretionaryAcl = dacl; ((IADsGroup)group.NativeObject).Put("ntSecurityDescriptor", sd); ((IADsGroup)group.NativeObject).SetInfo(); } }
private void ButtonAdd_Click(object sender, EventArgs e) { if (InputBox.Show("Add User or Group", "Enter the User or Group Name:", out var accountName) == DialogResult.OK) { try { var sid = SecurityIdentity.SecurityIdentityFromName(accountName); if (MessageBox.Show(string.Format("Add user or group: {0}?", sid.Name), "User or Group Found", MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.Yes) { if (!userList.Contains(sid)) { var ace = new AccessControlEntry(sid) { AceType = AceType.AccessAllowed }; acl.Add(ace); userList.Add(sid); ListUsersAndGroups.Items.Add(sid); ListUsersAndGroups.SelectedItem = sid; } else { MessageBox.Show("The selected user or group already exists.", "Duplicate User or Group", MessageBoxButtons.OK, MessageBoxIcon.Warning); } } } catch (Exception ex) { MessageBox.Show("User or group name was not found. " + ex.Message, "User or Group Not Found", MessageBoxButtons.OK, MessageBoxIcon.Warning); } } }
public void TestExplicitDenyGroup() { User user_a = new User("User_A"); User user_b = new User("User_B"); Group group_root = new Group("Group_root"); group_root.AddDescendant(user_b); Group group_a = new Group("Group_A"); group_a.AddDescendant(user_a); group_root.AddDescendant(group_a); InMemoryAccessManager accessManager = new InMemoryAccessManager(); SampleResource sampleResource = new SampleResource() { Identifier = "Key1" }; accessManager.CreateAccessControlContainer(sampleResource, user_a); AccessControlEntry accessControlEntry = new AccessControlEntry(Permission.Allow, Operation.Read, sampleResource, group_root); accessManager.AddEntry(sampleResource, accessControlEntry, user_a); AccessControlEntry denyEntry = new AccessControlEntry(Permission.Deny, Operation.Read, sampleResource, group_a); accessManager.AddEntry(sampleResource, denyEntry, user_a); Assert.True(accessManager.ValidateAccess(sampleResource, Operation.Read, group_root)); Assert.True(accessManager.ValidateAccess(sampleResource, Operation.Read, user_b)); Assert.False(accessManager.ValidateAccess(sampleResource, Operation.Read, group_a)); Assert.False(accessManager.ValidateAccess(sampleResource, Operation.Read, user_a)); }
public void Commit_DeletedStateCombination() { SecurableClassDefinition orderClass = _testHelper.CreateOrderClassDefinition(); using (_testHelper.Transaction.CreateSubTransaction().EnterDiscardingScope()) { orderClass.EnsureDataAvailable(); Assert.That(orderClass.State, Is.EqualTo(StateType.Unchanged)); using (ClientTransaction.Current.CreateSubTransaction().EnterDiscardingScope()) { StateCombination combination = _testHelper.CreateStateCombination(orderClass, ClientTransaction.Current); combination.AccessControlList.AccessControlEntries.Add(AccessControlEntry.NewObject()); using (ClientTransaction.Current.CreateSubTransaction().EnterDiscardingScope()) { orderClass.EnsureDataAvailable(); Assert.That(orderClass.State, Is.EqualTo(StateType.Unchanged)); combination.AccessControlList.Delete(); Assert.That(combination.Class, Is.Null); Assert.That(orderClass.State, Is.EqualTo(StateType.Changed)); ClientTransaction.Current.Commit(); } ClientTransaction.Current.Commit(); } Assert.That(orderClass.State, Is.EqualTo(StateType.Changed)); } }
private IBusinessObjectEnumerationProperty GetPropertyDefinition(AccessControlEntry ace, string propertyName) { var property = (IBusinessObjectEnumerationProperty)((IBusinessObject)ace).BusinessObjectClass.GetPropertyDefinition(propertyName); Assert.That(property, Is.Not.Null, propertyName); return(property); }
public ActionResult Unshare(int Id, int trainingId) { Training training = db.Trainings .Where(t => t.Id == trainingId) .Include(t => t.SharedWith) .FirstOrDefault(); if (training != null) { if (training.CreatedBy == (System.Security.Claims.ClaimsPrincipal.Current). FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value) { AccessControlEntry ace = db.AccessControlEntries.Find(Id); db.AccessControlEntries.Remove(ace); db.SaveChanges(); training.SharedWith.Remove(ace); } } else { return(new ViewResult { ViewName = "Error", ViewBag = { message = "Unauthorized - only creator can unshare training." } }); } return(View("Details", training)); }
private void HandleCheckBoxClick(CheckBox source, AceType aceType, AceRights aceRight) { foreach (var ace in acl) { if (ace.AceType == aceType && ace.AccountSID == selectedUser) { if (source.Checked) { ace.Add(aceRight); } else { ace.Remove(aceRight); } return; } } // The ace type doesn't exist var newAce = new AccessControlEntry(selectedUser) { AceType = aceType }; newAce.Add(aceRight); acl.Add(newAce); }
/// <summary> /// Factory method to create an <see cref="AclProbe"/> from the passed <see cref="User"/>, <see cref="Role"/> and <see cref="AccessControlEntry"/>. /// </summary> /// <returns></returns> public static AclProbe CreateAclProbe(User user, Role role, AccessControlEntry ace) { ArgumentUtility.CheckNotNull("user", user); ArgumentUtility.CheckNotNull("role", role); ArgumentUtility.CheckNotNull("ace", ace); var aclProbe = new AclProbe(); var owningUser = CreateOwningUserEntry(aclProbe, user, ace); var owningGroup = CreateOwningGroupEntry(aclProbe, role, ace); var owningTenant = CreateOwningTenantEntry(aclProbe, user, ace); var abstractRoles = CreateAbstractRolesEntry(aclProbe, ace); // Create a new Principal which has only the one role we are currently probing for. // If we don't do that and set all the user's roles for the principal, // another role of the user could match the ACE.SpecificPosition // for case GroupSelection.All or GroupSelection.OwningGroup, giving access rights // which the user does not have due to the currently tested role. // (Note that the user is in fact always in all roles at the same time, so he will, in fact, // always have the access rights returned; this is just not the information we want to present in the // ACL-expansion, where we distinguish which role gives rise to which access rights). var principal = new Principal( user.Tenant.GetHandle(), user.GetSafeHandle(), EnumerableUtility.Singleton(new PrincipalRole(role.Position.GetHandle(), role.Group.GetHandle()))); aclProbe._securityToken = SecurityToken.Create(principal, owningTenant, owningGroup, owningUser, abstractRoles); return(aclProbe); }
public void EmptyToken_DoesNotMatch() { AccessControlEntry entry = TestHelper.CreateAceWithAbstractRole(); SecurityTokenMatcher matcher = new SecurityTokenMatcher(entry); SecurityToken token = TestHelper.CreateTokenWithoutUser(); Assert.That(matcher.MatchesToken(token), Is.False); }
public void TokenWithAbstractRole_Matches() { AccessControlEntry entry = TestHelper.CreateAceWithAbstractRole(); SecurityTokenMatcher matcher = new SecurityTokenMatcher(entry); SecurityToken token = TestHelper.CreateTokenWithAbstractRole(entry.SpecificAbstractRole); Assert.That(matcher.MatchesToken(token), Is.True); }
public AccessControlEntry CreateAceWithNoMatchingRestrictions() { using (_transaction.EnterNonDiscardingScope()) { AccessControlEntry entry = AccessControlEntry.NewObject(); return(entry); } }
public void Validate_IsValid() { AccessControlEntry ace = AccessControlEntry.NewObject(); AccessControlEntryValidationResult result = ace.Validate(); Assert.That(result.IsValid, Is.True); }
public void ValidateGroupHierarchyCondition_IsValid_IfOwningGroup() { AccessControlEntry ace = _testHelper.CreateAceWithOwningGroup(); AccessControlEntryValidationResult result = ace.Validate(); Assert.That(result.IsValid, Is.True); }
protected AccessControlEntry CreateAceForStateless() { var ace = AccessControlEntry.NewObject(); ace.AccessControlList = StatelessAccessControlList.NewObject(); return(ace); }
public void AddAccessTypesContributingAce(AccessControlEntry ace) { ArgumentUtility.CheckNotNull("ace", ace); if (!IsInAccessTypesContributingAces(ace)) { AccessTypesSupplyingAces.Add(ace); } }
private AccessControlEntry CreateAceForStateful() { var ace = AccessControlEntry.NewObject(); ace.AccessControlList = StatefulAccessControlList.NewObject(); return(ace); }
public void AddMatchingAce(AccessControlEntry ace) { ArgumentUtility.CheckNotNull("ace", ace); if (!IsInMatchingAces(ace)) { _matchingAces.Add(ace); } }
public void TokenWithAbstractRole_Matches() { AccessControlEntry entry = AccessControlEntry.NewObject(); SecurityTokenMatcher matcher = new SecurityTokenMatcher(entry); SecurityToken token = TestHelper.CreateTokenWithAbstractRole(TestHelper.CreateTestAbstractRole()); Assert.That(matcher.MatchesToken(token), Is.True); }
public void EmptyAce_Matches() { AccessControlEntry entry = AccessControlEntry.NewObject(); SecurityTokenMatcher matcher = new SecurityTokenMatcher(entry); SecurityToken token = TestHelper.CreateTokenWithoutUser(); Assert.That(matcher.MatchesToken(token), Is.True); }
public void TokenWithNullPrincipal_NotMatches() { AccessControlEntry entry = AccessControlEntry.NewObject(); SecurityTokenMatcher matcher = new SecurityTokenMatcher(entry); SecurityToken token = TestHelper.CreateTokenWithNullPrincipal(); Assert.That(matcher.MatchesToken(token), Is.False); }
public void CreateAclProbe_Tenant_Test() { AccessControlEntry ace = TestHelper.CreateAceWithAbstractRole(); FleshOutAccessControlEntryForTest(ace); AclProbe aclProbe = AclProbe.CreateAclProbe(User, Role, ace); Assert.That(aclProbe.SecurityToken.Principal.Tenant.ObjectID, Is.EqualTo(User.Tenant.ID)); }
public void Commit_OneError() { Tenant tenant = _testHelper.CreateTenant("TestTenant"); AccessControlEntry ace = _testHelper.CreateAceWithSpecificTenant(tenant); ace.SpecificTenant = null; ClientTransactionScope.CurrentTransaction.Commit(); }
public void ValidateTenantHierarchyCondition_IsValid_IfSpecificTenant() { Tenant tenant = _testHelper.CreateTenant("TestTenant"); AccessControlEntry ace = _testHelper.CreateAceWithSpecificTenant(tenant); AccessControlEntryValidationResult result = ace.Validate(); Assert.That(result.IsValid, Is.True); }
public static ACE ConvertFrom(AccessControlEntry ace) { return(new ACE { Name = ace.Name, Access = ace.Access, EntityType = ace.EntityType }); }
public void CreateAclProbe_Role_Test() { AccessControlEntry ace = TestHelper.CreateAceWithAbstractRole(); FleshOutAccessControlEntryForTest(ace); AclProbe aclProbe = AclProbe.CreateAclProbe(User, Role, ace); Assert.That(aclProbe.SecurityToken.Principal.Roles, Is.EquivalentTo(new[] { Role }).Using(PrincipalRoleComparer.Instance)); }
public void GetAccessTypes_WithMultipleMatchingAces() { AbstractRoleDefinition role1 = AbstractRoleDefinition.NewObject(Guid.NewGuid(), "QualityManager", 0); AccessControlEntry ace1 = AccessControlEntry.NewObject(); ace1.SpecificAbstractRole = role1; AccessTypeDefinition readAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Read", 0); AccessTypeDefinition copyAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Copy", 1); AccessTypeDefinition indexAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Index", 2); AccessTypeDefinition moveAccessType = _testHelper.CreateAccessTypeForAce(ace1, false, Guid.NewGuid(), "Move", 3); AccessTypeDefinition appendAccessType = _testHelper.CreateAccessTypeForAce(ace1, false, Guid.NewGuid(), "Append", 4); AccessTypeDefinition renameAccessType = _testHelper.CreateAccessTypeForAce(ace1, false, Guid.NewGuid(), "Rename", 5); AccessTypeDefinition writeAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Write", 6); AccessTypeDefinition deleteAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Delete", 7); AccessTypeDefinition findAccessType = _testHelper.CreateAccessTypeForAce(ace1, null, Guid.NewGuid(), "Find", 8); AbstractRoleDefinition role2 = AbstractRoleDefinition.NewObject(Guid.NewGuid(), "SoftwareDeveloper", 1); AccessControlEntry ace2 = AccessControlEntry.NewObject(); ace2.SpecificAbstractRole = role2; _testHelper.AttachAccessType(ace2, readAccessType, true); _testHelper.AttachAccessType(ace2, copyAccessType, false); _testHelper.AttachAccessType(ace2, indexAccessType, null); _testHelper.AttachAccessType(ace2, moveAccessType, true); _testHelper.AttachAccessType(ace2, appendAccessType, false); _testHelper.AttachAccessType(ace2, renameAccessType, null); _testHelper.AttachAccessType(ace2, writeAccessType, true); _testHelper.AttachAccessType(ace2, deleteAccessType, false); _testHelper.AttachAccessType(ace2, findAccessType, null); AccessControlList acl = _testHelper.CreateStatefulAcl(ace1, ace2); SecurityToken token = _testHelper.CreateTokenWithAbstractRole(role1, role2); AccessInformation accessInformation = acl.GetAccessTypes(token); //read y y y //copy y n n //index y - y //move n y n //append n n n //rename n - n //write - y y //delete - n n //find - - - Assert.That( accessInformation.AllowedAccessTypes, Is.EquivalentTo(new[] { readAccessType, indexAccessType, writeAccessType })); Assert.That( accessInformation.DeniedAccessTypes, Is.EquivalentTo(new[] { copyAccessType, moveAccessType, appendAccessType, renameAccessType, deleteAccessType })); }
private AccessControlEntry GetOperations(string resource) { var key = Sanitize(resource); AccessControlEntry value; if (!_operations.ContainsKey(key)) { value = new AccessControlEntry(); _operations.Add(key, value); } else { value = _operations[key]; } return value; }
public int IndexOf(AccessControlEntry entry) {}
public static ActionResult AddNamespace(Session session) { session.Log("Begin AddNamespace"); HttpApi nsManager = null; try { nsManager = new HttpApi(); List<SecurityIdentity> userList = new List<SecurityIdentity>(); Dictionary<string, SecurityDescriptor> nsTable = nsManager.QueryHttpNamespaceAcls(); string url = "http://+:8888/"; SecurityDescriptor newSd = new SecurityDescriptor(); newSd.DACL = new AccessControlList(); foreach (AccessControlEntry ace in newSd.DACL) { if (!userList.Contains(ace.AccountSID)) { userList.Add(ace.AccountSID); } } try { SecurityIdentity sid = SecurityIdentity.SecurityIdentityFromWellKnownSid(WELL_KNOWN_SID_TYPE.WinWorldSid); if (!userList.Contains(sid)) { AccessControlEntry ace = new AccessControlEntry(sid); ace.AceType = AceType.AccessAllowed; ace.Add(AceRights.GenericAll); ace.Add(AceRights.GenericExecute); ace.Add(AceRights.GenericRead); ace.Add(AceRights.GenericWrite); newSd.DACL.Add(ace); userList.Add(sid); } } catch (Exception ex) { session.Log("User or group name was not found. " + ex.Message); return ActionResult.Failure; } // If entry already exists, rebuild it // as security settings could be wrong if (nsTable.ContainsKey(url)) { AccessControlList original = nsTable[url].DACL; bool removed = false; try { nsManager.RemoveHttpHamespaceAcl(url); removed = true; nsTable[url].DACL = newSd.DACL; nsManager.SetHttpNamespaceAcl(url, nsTable[url]); } catch (Exception ex) { session.Log("Error Setting ACL. " + ex.Message); if (removed) { try { nsTable[url].DACL = original; nsManager.SetHttpNamespaceAcl(url, nsTable[url]); } catch (Exception ex2) { session.Log("Unable to Restore Original ACL, ACL may be corrupt. " + ex2.Message); return ActionResult.Failure; } } session.Log("Original ACL restored."); return ActionResult.Failure; } } else { try { nsManager.SetHttpNamespaceAcl(url, newSd); nsTable.Add(url, newSd); } catch (Exception ex) { session.Log("Error Adding ACL. " + ex.Message); return ActionResult.Failure; } } return ActionResult.Success; } finally { if (nsManager != null) { nsManager.Dispose(); } } }
public bool Contains(AccessControlEntry entry) {}
public void Remove(AccessControlEntry entry) {}
private void HandleCheckBoxClick(CheckBox source, AceType aceType, AceRights aceRight) { foreach (AccessControlEntry ace in this.acl) { if (ace.AceType == aceType && ace.AccountSID == this.selectedUser) { if (source.Checked) { ace.Add(aceRight); } else { ace.Remove(aceRight); } return; } } // The ace type doesn't exist AccessControlEntry newAce = new AccessControlEntry(this.selectedUser); newAce.AceType = aceType; newAce.Add(aceRight); this.acl.Add(newAce); }
public void CopyTo(AccessControlEntry[] array, int index) {}
public void Insert(int index, AccessControlEntry entry) {}
// Methods public int Add(AccessControlEntry entry) {}
private void buttonAdd_Click(object sender, EventArgs e) { string accountName; if (InputBox.Show("Add User or Group", "Enter the User or Group Name:", out accountName) == DialogResult.OK) { try { SecurityIdentity sid = SecurityIdentity.SecurityIdentityFromName(accountName); if (MessageBox.Show(String.Format("Add user or group: {0}?", sid.Name), "User or Group Found", MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.Yes) { if (!this.userList.Contains(sid)) { AccessControlEntry ace = new AccessControlEntry(sid); ace.AceType = AceType.AccessAllowed; this.acl.Add(ace); this.userList.Add(sid); this.listUsersAndGroups.Items.Add(sid); } else { MessageBox.Show("The selected user or group already exists.", "Duplicate User or Group", MessageBoxButtons.OK, MessageBoxIcon.Warning); } } } catch (Exception ex) { MessageBox.Show("User or group name was not found. " + ex.Message, "User or Group Not Found", MessageBoxButtons.OK, MessageBoxIcon.Warning); } } }
public void SetBit( Permission mask, AccessControlEntry accessControl ) { switch( accessControl ) { case AccessControlEntry.Allow: allowMask |= (Permission)((long)mask & (long)-1); denyMask &= ~(Permission)((long)mask & (long)-1); break; case AccessControlEntry.NotSet: allowMask &= ~(Permission)((long)mask & (long)-1); denyMask &= ~(Permission)((long)mask & (long)-1); break; default: allowMask &= ~(Permission)((long)mask & (long)-1); denyMask |= (Permission)((long)mask & (long)-1); break; } }