Exemple #1
0
        public void ResolveMatchingCodeGroups_ThreeLevel()
        {
            UnionCodeGroup level1 = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
            CodeGroup      level2 = level1.Copy();

            level1.AddChild(level2);
            UnionCodeGroup level3 = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Untrusted), new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));

            level2.AddChild(level3);

            CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());

            Assert.IsNotNull(match, "Match");
            Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
            // Equals (true) isn't a deep compare (just one level)
            Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
        }
Exemple #2
0
        public void ResolveMatchingCodeGroups_ThreeLevel()
        {
            FileCodeGroup level1 = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
            CodeGroup     level2 = level1.Copy();

            level1.AddChild(level2);
            FileCodeGroup level3 = new FileCodeGroup(new ZoneMembershipCondition(SecurityZone.Untrusted), FileIOPermissionAccess.AllAccess);

            level2.AddChild(level3);

            CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());

            Assert.IsNotNull(match, "Match");
            Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
            // Equals (true) isn't a deep compare (just one level)
            Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
        }
        }// didMachinePolicyChange

        protected override int WizFinish()
        {
            // This is the main things that the wizard needs to do.
            // If mucking with the machine level
            //
            // 1. Apply appropriate settings to the security zone codegroups.
            //
            // If mucking with the user level
            //
            // 1. Change the user policylevel's root codegroup's permission set to Nothing
            // 2. Apply appropriate settings to the security zone codegroups
            // 3. Copy the entire machine policy into a child codegroup in the user policy
            // 4. Skip the top level of the copied policy looking for zone codegroups. Set
            //    their permission set to nothing, and remove child file and net codegroups.
            // 5. Walk through the entire copied policy and remove any exclusive codegroups


            // We have some different behavior depending on what type of policy we're after
            String sPolicyLevel = IsHomeUser?"Machine":"User";

            PolicyLevel pl = Security.GetPolicyLevelFromLabel(sPolicyLevel);

            SecurityZone[] sz = new SecurityZone[] {
                SecurityZone.MyComputer,
                SecurityZone.Intranet,
                SecurityZone.Internet,
                SecurityZone.Trusted,
                SecurityZone.Untrusted
            };
            m_alNewCodeGroups.Clear();

            for (int i = 0; i < 5; i++)
            {
                // Only do this if we know how to assign a permission set
                if (Page2.SecurityLevels[i] != PermissionSetType.UNKNOWN)
                {
                    // Find the Codegroup with the appropriate Membership Condition
                    CodeGroup cgParent = null;
                    CodeGroup cg       = GetCGWithMembershipCondition(pl.RootCodeGroup, sz[i], out cgParent);

                    // Remove this codegroup from the heirarchy
                    if (cg != null)
                    {
                        if (cgParent == null)
                        {
                            throw new Exception("I should have a parent");
                        }
                        cgParent.RemoveChild(cg);
                    }

                    // We have to create this Codegroup
                    if (cg == null)
                    {
                        ZoneMembershipCondition zmc = new ZoneMembershipCondition(sz[i]);
                        cg = new UnionCodeGroup(zmc, new PolicyStatement(new PermissionSet(PermissionState.None)));
                        // Add a name and description
                        cg.Name = GetCodegroupName(sz[i]);

                        m_alNewCodeGroups.Add(cg);
                        m_pl     = pl;
                        cgParent = pl.RootCodeGroup;
                    }
                    // If was an internet or intranet codegroup, we'll need to remove child codegroups of type
                    // NetCodeGroup or FileCodeGroup
                    if (cg.PermissionSetName != null && (cg.PermissionSetName.Equals("Internet") || cg.PermissionSetName.Equals("LocalIntranet")))
                    {
                        IEnumerator enumCodeGroups = cg.Children.GetEnumerator();
                        while (enumCodeGroups.MoveNext())
                        {
                            CodeGroup group = (CodeGroup)enumCodeGroups.Current;
                            if (group is NetCodeGroup || group is FileCodeGroup)
                            {
                                cg.RemoveChild(group);
                            }
                        }
                    }

                    // Now give this codegroup the appropriate permission set
                    PolicyStatement ps = cg.PolicyStatement;
                    ps.PermissionSet = GetPermissionSetNameFromSecurityLevel(pl, Page2.SecurityLevels[i]);

                    // Put in the helper codegroups if necessary
                    if (Page2.SecurityLevels[i] == PermissionSetType.INTRANET)
                    {
                        if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
                        {
                            CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
                            cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
                            cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                            cg.AddChild(cgChild);
                        }
                        if (!DoesCGHaveCodegroup(cg, typeof(FileCodeGroup)))
                        {
                            CodeGroup cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
                            cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
                            cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                            cg.AddChild(cgChild);
                        }
                    }
                    else if (Page2.SecurityLevels[i] == PermissionSetType.INTERNET)
                    {
                        if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
                        {
                            CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
                            cgChild.Name        = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
                            cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");

                            cg.AddChild(cgChild);
                        }
                    }

                    cg.PolicyStatement = ps;
                    // Now let's build the code group description
                    String sPermissionSetDes = "";
                    if (ps.PermissionSet is NamedPermissionSet)
                    {
                        sPermissionSetDes += ((NamedPermissionSet)ps.PermissionSet).Description;
                    }


                    cg.Description = String.Format(CResourceStore.GetString("CSecurityAdjustmentWizard:CodeGroupDescription"),
                                                   cg.PermissionSetName,
                                                   GetCodegroupName(sz[i]),
                                                   sPermissionSetDes);
                    // Now add this child back in
                    cgParent.AddChild(cg);
                }
            }

            // Check to see if this is for the user.
            if (!IsHomeUser)
            {
                // Let's start on our list....
                PolicyLevel plUser = Security.GetPolicyLevelFromLabel("User");
                // Change the root codegroup's permission set to nothing
                CodeGroup       cgRoot = plUser.RootCodeGroup;
                PolicyStatement ps     = cgRoot.PolicyStatement;
                ps.PermissionSet       = plUser.GetNamedPermissionSet("Nothing");
                cgRoot.PolicyStatement = ps;

                // Now copy the entire machine level's policy into a child codegroup
                // of the user policy
                PolicyLevel plMachine = Security.GetPolicyLevelFromLabel("Machine");
                CodeGroup   cgMachine = plMachine.RootCodeGroup.Copy();
                // Change the codegroup's name to something more interesting...
                cgMachine.Name        = "Wizard_Machine_Policy";
                cgMachine.Description = CResourceStore.GetString("CSecurityAdjustmentWizard:CopiedMachinePolicyDes");
                // Now skim through the top level looking for Zone codegroups, set
                // their permission sets to nothing, and delete any child net and file
                // codegroups
                IEnumerator enumCodeGroups = cgMachine.Children.GetEnumerator();
                while (enumCodeGroups.MoveNext())
                {
                    CodeGroup zoneGroup = (CodeGroup)enumCodeGroups.Current;

                    if (zoneGroup.MembershipCondition is ZoneMembershipCondition)
                    {
                        // Ok, we need to change this codegroup
                        cgMachine.RemoveChild(zoneGroup);
                        PolicyStatement zoneps = zoneGroup.PolicyStatement;
                        zoneps.PermissionSet      = plUser.GetNamedPermissionSet("Nothing");
                        zoneGroup.PolicyStatement = zoneps;
                        // Now run through its children looking for a file or net codegroup
                        IEnumerator enumChildCodeGroups = zoneGroup.Children.GetEnumerator();
                        while (enumChildCodeGroups.MoveNext())
                        {
                            CodeGroup zoneChildGroup = (CodeGroup)enumChildCodeGroups.Current;
                            if (zoneChildGroup is NetCodeGroup || zoneChildGroup is FileCodeGroup)
                            {
                                zoneGroup.RemoveChild(zoneChildGroup);
                            }
                        }
                        cgMachine.AddChild(zoneGroup);
                    }
                }

                // Now run through the tree and remove any exclusive code groups
                // We're best to do this recursively....
                if ((cgMachine.PolicyStatement.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive)
                {
                    // Remove the exclusive bit
                    PolicyStatement psMachine = cgMachine.PolicyStatement;
                    psMachine.Attributes      = psMachine.Attributes & ~PolicyStatementAttribute.Exclusive;
                    cgMachine.PolicyStatement = psMachine;
                }
                Security.RemoveExclusiveCodeGroups(cgMachine);


                // Now run through the user policy looking for codegroups named
                // "Wizard_Machine_Policy" and delete those as well.
                enumCodeGroups = cgRoot.Children.GetEnumerator();
                while (enumCodeGroups.MoveNext())
                {
                    CodeGroup group = (CodeGroup)enumCodeGroups.Current;
                    if (group.Name.Equals("Wizard_Machine_Policy"))
                    {
                        cgRoot.RemoveChild(group);
                    }
                }

                // Add finally this to the root codegroup of the user policy

                Security.PrepCodeGroupTree(cgMachine, plMachine, plUser);
                cgRoot.AddChild(cgMachine);
                plUser.RootCodeGroup = cgRoot;
            }

            m_fWizardFinished = true;

            return(0);
        }// WizFinish