public static void Constructor2_AdditionalTestCases()
{
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
//case 1, capacity = -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
capacity = -1;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, revision, capacity);
});
//case 2, capacity = Int32.MaxValue/2
Assert.Throws<OutOfMemoryException>(() =>
{
isContainer = true;
isDS = false;
revision = 0;
capacity = Int32.MaxValue / 2;
Assert.True(Constructor2(isContainer, isDS, revision, capacity));
});
//case 3, capacity = Int32.MaxValue
Assert.Throws<OutOfMemoryException>(() =>
{
isContainer = true;
isDS = true;
revision = 255;
capacity = Int32.MaxValue;
Assert.True(Constructor2(isContainer, isDS, revision, capacity));
});
}
public static void BinaryLength_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
int expectedLength = 0;
//case 1, DiscretionaryAcl with huge number of Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
expectedLength = 8;
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
expectedLength += gAce.BinaryLength;
}
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
Assert.True(expectedLength == discretionaryAcl.BinaryLength);
}
private static bool TestAddAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
discretionaryAcl.AddAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
if (discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
result = false;
return result;
}
public static void AddAccess(bool isContainer, bool isDS, int accessControlType, string sid, int accessMask, int inheritanceFlags, int propagationFlags, string initialRawAclStr, string verifierRawAclStr)
{
RawAcl rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
}
private static bool TestRemoveInheritedAces(DiscretionaryAcl discretionaryAcl)
{
GenericAce ace = null;
discretionaryAcl.RemoveInheritedAces();
for (int i = 0; i < discretionaryAcl.Count; i++)
{
ace = discretionaryAcl[i];
if ((ace.AceFlags & AceFlags.Inherited) != 0)
return false;
}
return true;
}
public static void AceCount_BasicValidation()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//case 1, empty DiscretionaryAcl
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(0 == discretionaryAcl.Count);
//case 2, DiscretionaryAcl with one Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(1 == discretionaryAcl.Count);
//case 3, DiscretionaryAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//223 has all AceFlags
gAce = new CommonAce((AceFlags)223, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(2 == discretionaryAcl.Count);
}
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
AccessControlSections accControlSections = AccessControlSections.None;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
sacl = null;
else
sacl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
dacl = null;
else
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
if (getOwner)
accControlSections |= AccessControlSections.Owner;
if (getGroup)
accControlSections |= AccessControlSections.Group;
if (getSacl)
accControlSections |= AccessControlSections.Audit;
if (getDacl)
accControlSections |= AccessControlSections.Access;
resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections);
if (expectedSddl == null || resultSddl == null)
Assert.True(expectedSddl == null && resultSddl == null);
else
Assert.True(String.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0);
}
public static bool Constructor1(bool isContainer, bool isDS, int capacity)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, capacity);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, capacity);
if (isContainer == discretionaryAcl.IsContainer &&
isDS == discretionaryAcl.IsDS &&
(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision) == discretionaryAcl.Revision &&
0 == discretionaryAcl.Count &&
8 == discretionaryAcl.BinaryLength &&
true == discretionaryAcl.IsCanonical)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
Assert.True(result);
return result;
}
private static bool TestPurge(DiscretionaryAcl discretionaryAcl, SecurityIdentifier sid, int aceCount)
{
KnownAce ace = null;
discretionaryAcl.Purge(sid);
if (aceCount != discretionaryAcl.Count)
return false;
for (int i = 0; i < discretionaryAcl.Count; i++)
{
ace = discretionaryAcl[i] as KnownAce;
if (ace != null && ((ace.AceFlags & AceFlags.Inherited) == 0))
{
if (ace.SecurityIdentifier == sid)
return false;
}
}
return true;
}
public static void BinaryLength_BasicValidation()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//case 1, empty discretionaryAcl, binarylength should be 8
capacity = 1;
discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
Assert.True(8 == discretionaryAcl.BinaryLength);
//case 2, discretionaryAcl with one Ace, binarylength should be 8 + the Ace's binarylength
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
Assert.True(8 + gAce.BinaryLength == discretionaryAcl.BinaryLength);
//case 3, DiscretionaryAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
Assert.True(8 + discretionaryAcl[0].BinaryLength + discretionaryAcl[1].BinaryLength == discretionaryAcl.BinaryLength);
}
private static bool VerifyACL(DiscretionaryAcl discretionaryAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
if (discretionaryAcl.IsContainer == isContainer &&
discretionaryAcl.IsDS == isDS &&
discretionaryAcl.Revision == rawAcl.Revision &&
discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength &&
discretionaryAcl.IsCanonical == wasCanonicalInitially)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return result;
}
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
AccessControlSections accControlSections = AccessControlSections.None;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
{
sacl = null;
}
else
{
sacl = new SystemAcl(isContainer, isDS, rawAcl);
}
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
{
dacl = null;
}
else
{
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
}
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
if (getOwner)
{
accControlSections |= AccessControlSections.Owner;
}
if (getGroup)
{
accControlSections |= AccessControlSections.Group;
}
if (getSacl)
{
accControlSections |= AccessControlSections.Audit;
}
if (getDacl)
{
accControlSections |= AccessControlSections.Access;
}
resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections);
if (expectedSddl == null || resultSddl == null)
{
Assert.True(expectedSddl == null && resultSddl == null);
}
else
{
Assert.True(String.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0);
}
}
public CommonSecurityDescriptor GenerateSecurityDescriptor(SecurityIdentifier sid, PowerShellAuthorizationResponse result)
{
AccessMask allowedAccess = 0;
AccessMask deniedAccess = 0;
if (result.IsLocalAdminPasswordAllowed)
{
allowedAccess |= AccessMask.LocalAdminPassword;
}
if (result.IsLocalAdminPasswordHistoryAllowed)
{
allowedAccess |= AccessMask.LocalAdminPasswordHistory;
}
if (result.IsJitAllowed)
{
allowedAccess |= AccessMask.Jit;
}
if (result.IsBitLockerAllowed)
{
allowedAccess |= AccessMask.BitLocker;
}
if (result.IsLocalAdminPasswordDenied)
{
deniedAccess |= AccessMask.LocalAdminPassword;
}
if (result.IsLocalAdminPasswordHistoryDenied)
{
deniedAccess |= AccessMask.LocalAdminPasswordHistory;
}
if (result.IsJitDenied)
{
deniedAccess |= AccessMask.Jit;
}
if (result.IsBitLockerDenied)
{
deniedAccess |= AccessMask.BitLocker;
}
DiscretionaryAcl dacl;
if (allowedAccess > 0 && deniedAccess > 0)
{
dacl = new DiscretionaryAcl(false, false, 2);
}
else if (allowedAccess > 0 || deniedAccess > 0)
{
dacl = new DiscretionaryAcl(false, false, 1);
}
else
{
dacl = new DiscretionaryAcl(false, false, 0);
}
if (allowedAccess > 0)
{
dacl.AddAccess(AccessControlType.Allow, sid, (int)allowedAccess, InheritanceFlags.None, PropagationFlags.None);
}
if (deniedAccess > 0)
{
dacl.AddAccess(AccessControlType.Deny, sid, (int)deniedAccess, InheritanceFlags.None, PropagationFlags.None);
}
return(new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl));
}
//verify the dacl is crafted with one Allow Everyone Everything ACE
public static bool VerifyDaclWithCraftedAce(bool isContainer, bool isDS, DiscretionaryAcl dacl)
{
byte[] craftedBForm;
byte[] binaryForm;
DiscretionaryAcl craftedDacl = new DiscretionaryAcl(isContainer, isDS, 1);
craftedDacl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier("S-1-1-0"),
-1,
isContainer ? InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit : InheritanceFlags.None,
PropagationFlags.None);
craftedBForm = new byte[craftedDacl.BinaryLength];
binaryForm = new byte[dacl.BinaryLength];
Assert.False(craftedBForm == null || binaryForm == null);
craftedDacl.GetBinaryForm(craftedBForm, 0);
dacl.GetBinaryForm(binaryForm, 0);
return Utils.IsBinaryFormEqual(craftedBForm, binaryForm);
}
public static void Index_AdditionalTests()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
GenericAce verifierGAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, get index at -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
verifierGAce = discretionaryAcl[index];
});
//case 2, get index at Count
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = discretionaryAcl.Count;
verifierGAce = discretionaryAcl[index];
});
//case 3, set index at -1
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = -1;
owner = "BG";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
discretionaryAcl[index] = gAce;
});
//case 4, set index at Count
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
index = discretionaryAcl.Count;
owner = "BG";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
discretionaryAcl[index] = gAce;
});
//case 5, set null Ace
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = 0;
gAce = null;
discretionaryAcl[index] = gAce;
});
//case 6, set index at 0
//case 5, set null Ace
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
owner = "BG";
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = 0;
owner = "BA";
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
discretionaryAcl[index] = gAce;
});
}
public static void Purge_AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
byte revision = 0;
int capacity = 0;
//case 1, null Sid
Assert.Throws<ArgumentNullException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.Purge(null);
});
}
private static bool VerifyResult(bool isContainer, bool isDS, ControlFlags controlFlags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl sacl, DiscretionaryAcl dacl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
bool result = false;
try
{
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
// verify the result
if ((isContainer == commonSecurityDescriptor.IsContainer) &&
(isDS == commonSecurityDescriptor.IsDS) &&
((((sacl != null) ? (controlFlags | ControlFlags.SystemAclPresent) : (controlFlags & (~ControlFlags.SystemAclPresent)))
| ControlFlags.SelfRelative | ControlFlags.DiscretionaryAclPresent) == commonSecurityDescriptor.ControlFlags) &&
(owner == commonSecurityDescriptor.Owner) &&
(group == commonSecurityDescriptor.Group) &&
(sacl == commonSecurityDescriptor.SystemAcl) &&
(Utils.ComputeBinaryLength(commonSecurityDescriptor, dacl != null) == commonSecurityDescriptor.BinaryLength))
{
if (dacl == null)
{
//check the contructor created an empty Dacl with correct IsContainer and isDS info
if (isContainer == commonSecurityDescriptor.DiscretionaryAcl.IsContainer &&
isDS == commonSecurityDescriptor.DiscretionaryAcl.IsDS &&
commonSecurityDescriptor.DiscretionaryAcl.Count == 1 &&
Utils.VerifyDaclWithCraftedAce(isContainer, isDS, commonSecurityDescriptor.DiscretionaryAcl))
{
result = true;
}
else
{
result = false;
}
}
else if (dacl == commonSecurityDescriptor.DiscretionaryAcl)
{
result = true;
}
else
{
result = false;
}
}
else
{
result = false;
}
}
catch (ArgumentException)
{
if ((sacl != null && sacl.IsContainer != isContainer) ||
(sacl != null && sacl.IsDS != isDS) ||
(dacl != null && dacl.IsContainer != isContainer) ||
(dacl != null && dacl.IsDS != isDS))
result = true;
else
{
// unexpected exception
result = false;
}
}
return result;
}
public void RevisionDSOK()
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, true, 0);
Assert.AreEqual(4, dacl.Revision);
}
public void EmptyBinaryLengthOK()
{
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 0);
Assert.AreEqual(8, dacl.BinaryLength);
}
private AuthorizationInformation BuildAuthorizationInformation(IUser user, IComputer computer)
{
AuthorizationInformation info = new AuthorizationInformation
{
MatchedComputerTargets = this.GetMatchingTargetsForComputer(computer),
EffectiveAccess = 0,
Computer = computer,
User = user
};
if (info.MatchedComputerTargets.Count == 0)
{
return(info);
}
using AuthorizationContext c = authorizationContextProvider.GetAuthorizationContext(user, computer.Sid);
DiscretionaryAcl masterDacl = new DiscretionaryAcl(false, false, info.MatchedComputerTargets.Count);
int matchedTargetCount = 0;
foreach (var target in info.MatchedComputerTargets)
{
CommonSecurityDescriptor sd;
if (target.AuthorizationMode == AuthorizationMode.PowershellScript)
{
sd = this.powershell.GenerateSecurityDescriptor(user, computer, target.Script, 30);
}
else
{
if (string.IsNullOrWhiteSpace(target.SecurityDescriptor))
{
this.logger.LogTrace($"Ignoring target {target.Id} with empty security descriptor");
continue;
}
sd = new CommonSecurityDescriptor(false, false, new RawSecurityDescriptor(target.SecurityDescriptor));
}
if (sd == null)
{
this.logger.LogTrace($"Ignoring target {target.Id} with null security descriptor");
continue;
}
foreach (var ace in sd.DiscretionaryAcl.OfType <CommonAce>())
{
masterDacl.AddAccess(
(AccessControlType)ace.AceType,
ace.SecurityIdentifier,
ace.AccessMask,
ace.InheritanceFlags,
ace.PropagationFlags);
}
int i = matchedTargetCount;
if (c.AccessCheck(sd, (int)AccessMask.Laps))
{
info.SuccessfulLapsTargets.Add(target);
matchedTargetCount++;
}
if (c.AccessCheck(sd, (int)AccessMask.LapsHistory))
{
info.SuccessfulLapsHistoryTargets.Add(target);
matchedTargetCount++;
}
if (c.AccessCheck(sd, (int)AccessMask.Jit))
{
info.SuccessfulJitTargets.Add(target);
matchedTargetCount++;
}
// If the ACE did not grant any permissions to the user, consider it a failure response
if (i == matchedTargetCount)
{
info.FailedTargets.Add(target);
}
}
if (matchedTargetCount > 0)
{
info.SecurityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, masterDacl);
this.logger.LogTrace($"Resultant security descriptor for computer {computer.MsDsPrincipalName}: {info.SecurityDescriptor.GetSddlForm(AccessControlSections.All)}");
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Laps) ? AccessMask.Laps : 0;
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Jit) ? AccessMask.Jit : 0;
info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.LapsHistory) ? AccessMask.LapsHistory : 0;
}
this.logger.LogTrace($"User {user.MsDsPrincipalName} has effective access of {info.EffectiveAccess} on computer {computer.MsDsPrincipalName}");
return(info);
}
public static void SetAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
AssertExtensions.Throws <ArgumentException>("inheritanceFlags", () =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
AssertExtensions.Throws <ArgumentException>("propagationFlags", () =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, set one allowed ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 4, accessMask = 0
AssertExtensions.Throws <ArgumentException>("accessMask", () =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case6, all the ACEs in the Dacl are non-qualified ACE, no replacement
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, set without replacement, exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque);;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, set without replacement, not exceed binary length boundary
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 28];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque);;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask + 1, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 9, set Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public void SecureObject()
{
SecureObject top = new SecureObject()
{
UniqueName = "top"
};
SecureObject ch00 = new SecureObject()
{
UniqueName = "ch00"
};
SecureObject ch01 = new SecureObject()
{
UniqueName = "ch01"
};
SecureObject ch02 = new SecureObject()
{
UniqueName = "ch02"
};
SecureObject ch10 = new SecureObject()
{
UniqueName = "ch10"
};
DiscretionaryAcl topdacl = new DiscretionaryAcl
{
new AccessControlEntry <FileSystemRight>()
{
Allowed = true, Right = FileSystemRight.FullControl
},
new AccessControlEntry <FileSystemRight>()
{
Allowed = false, Right = FileSystemRight.Execute, Inheritable = false
}
};
DiscretionaryAcl ch00dacl = new DiscretionaryAcl
{
new AccessControlEntry <UIRight>()
{
Allowed = true, Right = UIRight.FullControl
},
new AccessControlEntry <UIRight>()
{
Allowed = false, Right = UIRight.Enabled
}
};
top.Security.Dacl = topdacl;
ch00.Security.Dacl = ch00dacl;
ch01.Security.Dacl.AllowInherit = false;
ch00.Children.Add(ch01);
ch00.Children.Add(ch02);
top.Children.Add(ch00);
top.Children.Add(ch10);
top.Security.DaclAllowInherit = false;
////MemoryDal dal = new MemoryDal();
////SecureObject foo = (SecureObject)dal.GetSecureObjectByUniqueName( "top", true );
////top.EvalSecurity();
////myMvvm.Prop = top.Security.Results["FileSystem"][(int)FileSystemRight.Execute].AccessAllowed;
////class MyFormRights
////{
////bool ShowForm;
////bool ShowOkBtn;
////}
////SecureObject xx = new SecureObject
////{
//// UniqueName = "xx",
//// Security = new SecurityDescriptor
//// {
//// Dacl = new DiscretionaryAcl
//// {
//// new AccessControlEntry<FileSystemRight>() { Allowed = true, Right = FileSystemRight.FullControl }
//// }
//// }
////};
////FileStore store = new FileStore()
////{
//// SecureObjects = new List<SecureObject>() { top }
////};
////ISecureObject found = store.Dal.GetSecureObjectByUId( ch02.UId.Value );
////string x = store.ToYaml( serializeAsJson: false );
////FileStore f = FileStore.FromYaml( x );
}
public static void AddAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
AssertExtensions.Throws <ArgumentException>("inheritanceFlags", () =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
AssertExtensions.Throws <ArgumentException>("propagationFlags", () =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly
AssertExtensions.Throws <ArgumentException>("propagationFlags", () =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit
AssertExtensions.Throws <ArgumentException>("propagationFlags", () =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly
AssertExtensions.Throws <ArgumentException>("propagationFlags", () =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 6, accessMask = 0
AssertExtensions.Throws <ArgumentException>("accessMask", () =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, add one Access ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF
//add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not
//be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3
//call the same method to check the meaninglessness, only some sanitory cases are enough.
//bug# 288116
AssertExtensions.Throws <ArgumentException>("propagationFlags", () =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 0; //InheritanceFlags.None
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge
Assert.Throws <InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 12, add Ace to exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void GetBinaryForm_BasicValidationTestCases()
{
DiscretionaryAcl dAcl = null;
RawAcl rAcl = null;
GenericAce gAce = null;
byte[] binaryForm = null;
//Case 1, array binaryForm is null
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentNullException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
//Case 2, offset is negative
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, -1);
});
//Case 3, offset is equal to binaryForm length
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, binaryForm.Length);
});
//Case 4, offset is a big possitive number
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
binaryForm = new byte[dAcl.BinaryLength + 10000];
dAcl.GetBinaryForm(binaryForm, 10000);
//get the binaryForm of the original RawAcl
byte[] verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(verifierBinaryForm, 0);
Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm));
//Case 5, binaryForm array's size is insufficient
binaryForm = new byte[4];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
}
public static void AdditionalTestCases()
{
//test cases include the exceptions from the constructor
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
CommonSecurityDescriptor sd = null;
// test case 1: SACL is not null, SACL.IsContainer is true, but isContainer parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 2: SACL is not null, SACL.IsContainer is false, but isContainer parameter is true
sacl = new SystemAcl(false, true, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 3: DACL is not null, DACL.IsContainer is true, but isContainer parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 4: DACL is not null, DACL.IsContainer is false, but isContainer parameter is true
dacl = new DiscretionaryAcl(false, true, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 5: SACL is not null, SACL.IsDS is true, but isDS parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 6: SACL is not null, SACL.IsDS is false, but isDS parameter is true
sacl = new SystemAcl(true, false, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 7: DACL is not null, DACL.IsDS is true, but isDS parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 8: DACL is not null, DACL.IsDS is false, but isDS parameter is true
dacl = new DiscretionaryAcl(true, false, 10);
Assert.Throws <ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
}
/// <summary>
/// Creates a globally reachable, managed IPC-Port.
/// </summary>
/// <remarks>
/// Because it is something tricky to get a port working for any constellation of
/// target processes, I decided to write a proper wrapper method. Just keep the returned
/// <see cref="IpcChannel"/> alive, by adding it to a global list or static variable,
/// as long as you want to have the IPC port open.
/// </remarks>
/// <typeparam name="TRemoteObject">
/// A class derived from <see cref="MarshalByRefObject"/> which provides the
/// method implementations this server should expose.
/// </typeparam>
/// <param name="InObjectMode">
/// <see cref="WellKnownObjectMode.SingleCall"/> if you want to handle each call in an new
/// object instance, <see cref="WellKnownObjectMode.Singleton"/> otherwise. The latter will implicitly
/// allow you to use "static" remote variables.
/// </param>
/// <param name="RefChannelName">
/// Either <c>null</c> to let the method generate a random channel name to be passed to
/// <see cref="IpcConnectClient"/> or a predefined one. If you pass a value unequal to
/// <c>null</c>, you shall also specify all SIDs that are allowed to connect to your channel!
/// </param>
/// <param name="InAllowedClientSIDs">
/// If no SID is specified, all authenticated users will be allowed to access the server
/// channel by default. You must specify an SID if <paramref name="RefChannelName"/> is unequal to <c>null</c>.
/// </param>
/// <returns>
/// An <see cref="IpcChannel"/> that shall be keept alive until the server is not needed anymore.
/// </returns>
/// <exception cref="System.Security.HostProtectionException">
/// If a predefined channel name is being used, you are required to specify a list of well known SIDs
/// which are allowed to access the newly created server.
/// </exception>
/// <exception cref="RemotingException">
/// The given channel name is already in use.
/// </exception>
public static IpcServerChannel IpcCreateServer <TRemoteObject>(
ref String RefChannelName,
WellKnownObjectMode InObjectMode,
params WellKnownSidType[] InAllowedClientSIDs) where TRemoteObject : MarshalByRefObject
{
String ChannelName = RefChannelName;
if (ChannelName == null)
{
ChannelName = GenerateName();
}
///////////////////////////////////////////////////////////////////
// create security descriptor for IpcChannel...
System.Collections.IDictionary Properties = new System.Collections.Hashtable();
Properties["name"] = ChannelName;
Properties["portName"] = ChannelName;
DiscretionaryAcl DACL = new DiscretionaryAcl(false, false, 1);
if (InAllowedClientSIDs.Length == 0)
{
if (RefChannelName != null)
{
throw new System.Security.HostProtectionException("If no random channel name is being used, you shall specify all allowed SIDs.");
}
// allow access from all users... Channel is protected by random path name!
DACL.AddAccess(
AccessControlType.Allow,
new SecurityIdentifier(
WellKnownSidType.WorldSid,
null),
-1,
InheritanceFlags.None,
PropagationFlags.None);
}
else
{
for (int i = 0; i < InAllowedClientSIDs.Length; i++)
{
DACL.AddAccess(
AccessControlType.Allow,
new SecurityIdentifier(
InAllowedClientSIDs[i],
null),
-1,
InheritanceFlags.None,
PropagationFlags.None);
}
}
CommonSecurityDescriptor SecDescr = new CommonSecurityDescriptor(false, false,
ControlFlags.GroupDefaulted |
ControlFlags.OwnerDefaulted |
ControlFlags.DiscretionaryAclPresent,
null, null, null,
DACL);
//////////////////////////////////////////////////////////
// create IpcChannel...
BinaryServerFormatterSinkProvider BinaryProv = new BinaryServerFormatterSinkProvider();
BinaryProv.TypeFilterLevel = TypeFilterLevel.Full;
IpcServerChannel Result = new IpcServerChannel(Properties, BinaryProv, SecDescr);
ChannelServices.RegisterChannel(Result, false);
RemotingConfiguration.RegisterWellKnownServiceType(
typeof(TRemoteObject),
ChannelName,
InObjectMode);
RefChannelName = ChannelName;
return(Result);
}
public static void Constructor3_AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//drop the Ace from rawAcl
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//15 has all inheritance AceFlags but Inherited
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//8 has inheritOnly
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 4, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 5, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
// 2 has ContainerInherit
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 6, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 7, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 8, all Aces from case 1, and 3 to 6
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
//0 access Mask
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// ObjectAce
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CompoundAce
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
discretionaryAcl = null;
isContainer = false;
isDS = false;
rawAcl = null;
//case 1, rawAcl = null
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
}
public static void RemoveInheritedAces_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(2, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(3, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(2, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestRemoveInheritedAces(discretionaryAcl);
});
//case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 5, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 6, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 7, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 8, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//215 has all AceFlags except InheritOnly
aceFlag = (AceFlags)215;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 9, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 10, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
}
public static void Constructor3(bool isContainer, bool isDS, string initialRaqAclStr, string verifierRawAclStr, bool wasCanonicalInitially)
{
RawAcl rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, wasCanonicalInitially, rawAcl));
}
public static void AddAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 6, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, add one Access ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF
//add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not
//be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3
//call the same method to check the meaninglessness, only some sanitory cases are enough.
//bug# 288116
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 0;//InheritanceFlags.None
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 12, add Ace to exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void TestConstructor(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr)
{
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
sacl = null;
else
sacl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
dacl = null;
else
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyResult(isContainer, isDS, controlFlags, owner, group, sacl, dacl));
}
public static void GetModifiableServices()
{
// finds any services that the current can modify (or modify the parent folder)
// modified from https://stackoverflow.com/questions/15771998/how-to-give-a-user-permission-to-start-and-stop-a-particular-service-using-c-sha/15796352#15796352
ServiceController[] scServices;
scServices = ServiceController.GetServices();
var GetServiceHandle = typeof(System.ServiceProcess.ServiceController).GetMethod("GetServiceHandle", BindingFlags.Instance | BindingFlags.NonPublic);
object[] readRights = { 0x00020000 };
ServiceAccessRights[] ModifyRights =
{
ServiceAccessRights.ChangeConfig,
ServiceAccessRights.WriteDac,
ServiceAccessRights.WriteOwner,
ServiceAccessRights.GenericAll,
ServiceAccessRights.GenericWrite,
ServiceAccessRights.AllAccess
};
Console.WriteLine("\r\n\r\n=== Modifiable Services ===\r\n");
foreach (ServiceController sc in scServices)
{
try
{
IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights);
ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0];
uint bufSizeNeeded;
bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122 || err == 0)
{ // ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + _name + ": error code=" + err);
continue;
}
}
if (!ok)
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + _name + ": error code=" + Marshal.GetLastWin32Error());
continue;
}
// get security descriptor via raw into DACL form so ACE ordering checks are done for us.
RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
WindowsIdentity identity = WindowsIdentity.GetCurrent();
foreach (System.Security.AccessControl.CommonAce ace in dacl)
{
if (identity.Groups.Contains(ace.SecurityIdentifier))
{
ServiceAccessRights serviceRights = (ServiceAccessRights)ace.AccessMask;
foreach (ServiceAccessRights ModifyRight in ModifyRights)
{
if ((ModifyRight & serviceRights) == ModifyRight)
{
ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", String.Format("SELECT * FROM win32_service WHERE Name LIKE '{0}'", sc.ServiceName));
ManagementObjectCollection data = wmiData.Get();
foreach (ManagementObject result in data)
{
Console.WriteLine(" Name : {0}", result["Name"]);
Console.WriteLine(" DisplayName : {0}", result["DisplayName"]);
Console.WriteLine(" Description : {0}", result["Description"]);
Console.WriteLine(" State : {0}", result["State"]);
Console.WriteLine(" StartMode : {0}", result["StartMode"]);
Console.WriteLine(" PathName : {0}", result["PathName"]);
}
break;
}
}
}
}
}
catch (Exception ex)
{
// Console.WriteLine("Exception: " + ex);
}
}
}
public static void Purge_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
int aceCount = 0;
SecurityIdentifier sid = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sidStr = "LA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 2, only have 1 explicit Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 3, only have 1 explicit Ace of different sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all aceflags but inheritedonly and inherited
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
sidStr = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 4, only have 1 inherited Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 5, have one explicit Ace and one inherited Ace of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 6, have two explicit Aces of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//207 has all AceFlags but inherited
gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, 0));
//case 7, 1 explicit CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//199 has all AceFlags except InheritOnly and Inherited
aceFlag = (AceFlags)199;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
aceCount = 1;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 8, 1 explicit CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 9, 1 explict ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
}
private SecurityDescriptorTarget ConvertToSecurityDescriptorTarget(XmlElement node, out List <DiscoveryError> discoveryErrors)
{
discoveryErrors = new List <DiscoveryError>();
SecurityDescriptorTarget target = new SecurityDescriptorTarget();
string name = node.SelectSingleNode("@name")?.Value;
string type = node.SelectSingleNode("@type")?.Value;
string expireAfter = node.SelectSingleNode("@expire-after")?.Value;
List <string> readers = node.SelectNodes("readers/reader/@principal")?.OfType <XmlAttribute>().Select(t => t.Value).ToList();
string targetFriendlyName;
if (string.IsNullOrWhiteSpace(name))
{
this.logger.LogWarning("XmlElement had a null name");
return(null);
}
if (string.Equals(type, "container", StringComparison.OrdinalIgnoreCase))
{
target.Type = TargetType.Container;
target.Target = name;
targetFriendlyName = name;
}
else if (string.Equals(type, "computer", StringComparison.OrdinalIgnoreCase))
{
target.Type = TargetType.Computer;
if (this.directory.TryGetComputer(name, out IComputer computer))
{
target.Target = computer.Sid.ToString();
targetFriendlyName = computer.MsDsPrincipalName;
}
else
{
discoveryErrors.Add(new DiscoveryError {
Target = name, Type = DiscoveryErrorType.Error, Message = $"The computer was not found in the directory"
});
return(null);
}
}
else if (string.Equals(type, "group", StringComparison.OrdinalIgnoreCase))
{
target.Type = TargetType.Group;
if (this.directory.TryGetGroup(name, out IGroup group))
{
target.Target = group.Sid.ToString();
targetFriendlyName = group.MsDsPrincipalName;
}
else
{
discoveryErrors.Add(new DiscoveryError {
Target = name, Type = DiscoveryErrorType.Error, Message = $"The group was not found in the directory"
});
return(null);
}
}
else
{
discoveryErrors.Add(new DiscoveryError {
Target = name, Type = DiscoveryErrorType.Error, Message = $"Target was of an unknown type: {type}"
});
return(null);
}
if (readers == null || readers.Count == 0)
{
discoveryErrors.Add(new DiscoveryError {
Target = name, Type = DiscoveryErrorType.Warning, Message = $"Target had not authorized readers"
});
return(null);
}
if (!string.IsNullOrWhiteSpace(expireAfter))
{
if (TimeSpan.TryParse(expireAfter, out TimeSpan timespan))
{
if (timespan.TotalMinutes > 0)
{
target.Laps.ExpireAfter = timespan;
}
}
}
target.AuthorizationMode = AuthorizationMode.SecurityDescriptor;
target.Description = settings.RuleDescription.Replace("{targetName}", targetFriendlyName, StringComparison.OrdinalIgnoreCase);
foreach (string onSuccess in settings.Notifications.OnSuccess)
{
target.Notifications.OnSuccess.Add(onSuccess);
}
foreach (string onFailure in settings.Notifications.OnFailure)
{
target.Notifications.OnFailure.Add(onFailure);
}
AccessMask mask = AccessMask.LocalAdminPassword;
mask |= settings.AllowLapsHistory ? AccessMask.LocalAdminPasswordHistory : 0;
mask |= settings.AllowJit ? AccessMask.Jit : 0;
mask |= settings.AllowBitLocker ? AccessMask.BitLocker : 0;
DiscretionaryAcl acl = new DiscretionaryAcl(false, false, readers.Count);
foreach (string reader in readers)
{
if (directory.TryGetPrincipal(reader, out ISecurityPrincipal principal))
{
acl.AddAccess(AccessControlType.Allow, principal.Sid, (int)mask, InheritanceFlags.None, PropagationFlags.None);
}
else
{
discoveryErrors.Add(new DiscoveryError {
Target = name, Type = DiscoveryErrorType.Warning, Principal = reader, Message = $"The principal could not be found in the directory"
});
}
}
if (acl.Count == 0)
{
discoveryErrors.Add(new DiscoveryError {
Target = name, Type = DiscoveryErrorType.Warning, Message = $"Target had no authorized readers"
});
return(null);
}
CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, acl);
target.SecurityDescriptor = sd.GetSddlForm(AccessControlSections.All);
target.Jit.AuthorizingGroup = settings.JitAuthorizingGroup;
target.Jit.ExpireAfter = settings.JitExpireAfter;
return(target);
}
public static void Index_BasicValidation()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
GenericAce verifierGAce = null;
string owner1 = "BO";
string owner2 = "BA";
string owner3 = "BG";
int index = 0;
// case 1, only one ACE, get at index 0
rawAcl = new RawAcl(1, 1);
index = 0;
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
verifierGAce = discretionaryAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
{
}
//case 2, two ACEs, index at Count -1
rawAcl = new RawAcl(1, 2);
//215 has all AceFlags but InheriteOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
//199 has all AceFlags but InheritedOnly, Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
rawAcl.InsertAce(1, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
gAce = rawAcl[1];
//the discretionaryAcl is non-container, all AceFlags except Inherited will be stripped
gAce.AceFlags = (AceFlags)FlagsForAce.None;
index = discretionaryAcl.Count - 1;
verifierGAce = discretionaryAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
{
}
//case 3, only three ACEs, index at Count/2
rawAcl = new RawAcl(1, 3);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
rawAcl.InsertAce(1, gAce);
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null);
rawAcl.InsertAce(2, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
gAce = rawAcl[1];
//the systemAcl is non-container, all AceFlags will be stripped
gAce.AceFlags = AceFlags.None;
index = discretionaryAcl.Count / 2;
verifierGAce = discretionaryAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
{
}
}
internal static void SetAccessControlExtracted(FileSystemSecurity security, string name)
{
//security.WriteLock();
AccessControlSections includeSections = AccessControlSections.Audit | AccessControlSections.Owner | AccessControlSections.Group;
SecurityInfos securityInfo = (SecurityInfos)0;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
if ((includeSections & AccessControlSections.Owner) != AccessControlSections.None)
{
owner = (SecurityIdentifier)security.GetOwner(typeof(SecurityIdentifier));
if (owner != null)
{
securityInfo = securityInfo | SecurityInfos.Owner;
}
}
if ((includeSections & AccessControlSections.Group) != AccessControlSections.None)
{
@group = (SecurityIdentifier)security.GetGroup(typeof(SecurityIdentifier));
if (@group != null)
{
securityInfo = securityInfo | SecurityInfos.Group;
}
}
var securityDescriptorBinaryForm = security.GetSecurityDescriptorBinaryForm();
RawSecurityDescriptor rawSecurityDescriptor = null;
bool isDiscretionaryAclPresent = false;
if (securityDescriptorBinaryForm != null)
{
rawSecurityDescriptor = new RawSecurityDescriptor(securityDescriptorBinaryForm, 0);
isDiscretionaryAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None;
}
if ((includeSections & AccessControlSections.Audit) != AccessControlSections.None)
{
securityInfo = securityInfo | SecurityInfos.SystemAcl;
sacl = null;
if (rawSecurityDescriptor != null)
{
var isSystemAclPresent = (rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None;
if (isSystemAclPresent && rawSecurityDescriptor.SystemAcl != null && rawSecurityDescriptor.SystemAcl.Count > 0)
{
// are all system acls on a file not a container?
const bool notAContainer = false;
const bool notADirectoryObjectACL = false;
sacl = new SystemAcl(notAContainer, notADirectoryObjectACL,
rawSecurityDescriptor.SystemAcl);
}
securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == ControlFlags.None ?
(uint)securityInfo | UnprotectedSystemAcl : (uint)securityInfo | ProtectedSystemAcl));
}
}
if ((includeSections & AccessControlSections.Access) != AccessControlSections.None && isDiscretionaryAclPresent)
{
securityInfo = securityInfo | SecurityInfos.DiscretionaryAcl;
dacl = null;
if (rawSecurityDescriptor != null)
{
//if (!this._securityDescriptor.DiscretionaryAcl.EveryOneFullAccessForNullDacl)
{
dacl = new DiscretionaryAcl(false, false, rawSecurityDescriptor.DiscretionaryAcl);
}
securityInfo = (SecurityInfos)(((rawSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected) == ControlFlags.None ?
(uint)securityInfo | UnprotectedDiscretionaryAcl : (uint)securityInfo | ProtectedDiscretionaryAcl));
}
}
if (securityInfo == 0)
{
return;
}
int errorNum = SetSecurityInfo(ResourceType.FileObject, name, null, securityInfo, owner, @group, sacl, dacl);
if (errorNum != 0)
{
Exception exception = GetExceptionFromWin32Error(errorNum, name);
if (exception == null)
{
if (errorNum == NativeMethods.ERROR_ACCESS_DENIED)
{
exception = new UnauthorizedAccessException();
}
else if (errorNum == NativeMethods.ERROR_INVALID_OWNER)
{
exception = new InvalidOperationException("Invalid owner");
}
else if (errorNum == NativeMethods.ERROR_INVALID_PRIMARY_GROUP)
{
exception = new InvalidOperationException("Invalid group");
}
else if (errorNum == NativeMethods.ERROR_INVALID_NAME)
{
exception = new ArgumentException("Invalid name", "name");
}
else if (errorNum == NativeMethods.ERROR_INVALID_HANDLE)
{
exception = new NotSupportedException("Invalid Handle");
}
else if (errorNum == NativeMethods.ERROR_FILE_NOT_FOUND)
{
exception = new FileNotFoundException();
}
else if (errorNum != NativeMethods.ERROR_NO_SECURITY_ON_OBJECT)
{
exception = new InvalidOperationException("Unexpected error");
}
else
{
exception = new NotSupportedException("No associated security");
}
}
throw exception;
}
//finally
//{
//security.WriteLUnlck();
//}
}
public static void RemoveAccessSpecific_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, remove one ACE from the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 2, remove the last one ACE from the DiscretionaryAcl
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 3, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
sid = "BA";
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestRemoveAccessSpecific
(discretionaryAcl, rawAcl,
(AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public static void AdditionalTestCases()
{
//test cases include the exceptions from the constructor
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
CommonSecurityDescriptor sd = null;
// test case 1: SACL is not null, SACL.IsContainer is true, but isContainer parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 2: SACL is not null, SACL.IsContainer is false, but isContainer parameter is true
sacl = new SystemAcl(false, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 3: DACL is not null, DACL.IsContainer is true, but isContainer parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 4: DACL is not null, DACL.IsContainer is false, but isContainer parameter is true
dacl = new DiscretionaryAcl(false, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 5: SACL is not null, SACL.IsDS is true, but isDS parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 6: SACL is not null, SACL.IsDS is false, but isDS parameter is true
sacl = new SystemAcl(true, false, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 7: DACL is not null, DACL.IsDS is true, but isDS parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 8: DACL is not null, DACL.IsDS is false, but isDS parameter is true
dacl = new DiscretionaryAcl(true, false, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
}
public static void RemoveInheritedAces_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(2, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(3, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(2, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestRemoveInheritedAces(discretionaryAcl);
});
//case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 5, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 6, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 7, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 8, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//215 has all AceFlags except InheritOnly
aceFlag = (AceFlags)215;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 9, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 10, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
}
public static void AceCount_AdditionalTests()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
//case 1, DiscretionaryAcl with huge number of Aces
revision = 0;
capacity = 1;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
}
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(1820 == discretionaryAcl.Count);
}
public static Dictionary <string, string> GetModifiableServices(Dictionary <string, string> SIDs)
{
Dictionary <string, string> results = new Dictionary <string, string>();
ServiceController[] scServices;
scServices = ServiceController.GetServices();
var GetServiceHandle = typeof(System.ServiceProcess.ServiceController).GetMethod("GetServiceHandle", BindingFlags.Instance | BindingFlags.NonPublic);
object[] readRights = { 0x00020000 };
foreach (ServiceController sc in scServices)
{
try
{
IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights);
ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0];
uint bufSizeNeeded;
bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok)
{
int err = Marshal.GetLastWin32Error();
if (err == 122 || err == 0)
{ // ERROR_INSUFFICIENT_BUFFER
// expected; now we know bufsize
psd = new byte[bufSizeNeeded];
ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded);
}
else
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + _name + ": error code=" + err);
continue;
}
}
if (!ok)
{
//throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + _name + ": error code=" + Marshal.GetLastWin32Error());
continue;
}
// get security descriptor via raw into DACL form so ACE ordering checks are done for us.
RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0);
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
List <string> permissions = new List <string>();
foreach (System.Security.AccessControl.CommonAce ace in dacl)
{
if (SIDs.ContainsKey(ace.SecurityIdentifier.ToString()))
{
int serviceRights = ace.AccessMask;
string current_perm_str = MyUtils.PermInt2Str(serviceRights, true, true);
if (!String.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str))
{
permissions.Add(current_perm_str);
}
}
}
if (permissions.Count > 0)
{
string perms = String.Join(", ", permissions);
if (perms.Replace("Start", "").Replace("Stop", "").Length > 3) //Check if any other permissions appart from Start and Stop
{
results.Add(sc.ServiceName, perms);
}
}
}
catch (Exception ex)
{
//Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
}
return(results);
}
private static bool VerifyResult(bool isContainer, bool isDS, ControlFlags controlFlags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl sacl, DiscretionaryAcl dacl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
bool result = false;
try
{
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
// verify the result
if ((isContainer == commonSecurityDescriptor.IsContainer) &&
(isDS == commonSecurityDescriptor.IsDS) &&
((((sacl != null) ? (controlFlags | ControlFlags.SystemAclPresent) : (controlFlags & (~ControlFlags.SystemAclPresent)))
| ControlFlags.SelfRelative | ControlFlags.DiscretionaryAclPresent) == commonSecurityDescriptor.ControlFlags) &&
(owner == commonSecurityDescriptor.Owner) &&
(group == commonSecurityDescriptor.Group) &&
(sacl == commonSecurityDescriptor.SystemAcl) &&
(Utils.ComputeBinaryLength(commonSecurityDescriptor, dacl != null) == commonSecurityDescriptor.BinaryLength))
{
if (dacl == null)
{
//check the contructor created an empty Dacl with correct IsContainer and isDS info
if (isContainer == commonSecurityDescriptor.DiscretionaryAcl.IsContainer &&
isDS == commonSecurityDescriptor.DiscretionaryAcl.IsDS &&
commonSecurityDescriptor.DiscretionaryAcl.Count == 1 &&
Utils.VerifyDaclWithCraftedAce(isContainer, isDS, commonSecurityDescriptor.DiscretionaryAcl))
{
result = true;
}
else
{
result = false;
}
}
else if (dacl == commonSecurityDescriptor.DiscretionaryAcl)
{
result = true;
}
else
{
result = false;
}
}
else
{
result = false;
}
}
catch (ArgumentException)
{
if ((sacl != null && sacl.IsContainer != isContainer) ||
(sacl != null && sacl.IsDS != isDS) ||
(dacl != null && dacl.IsContainer != isContainer) ||
(dacl != null && dacl.IsDS != isDS))
{
result = true;
}
else
{
// unexpected exception
result = false;
}
}
return(result);
}
public static void GetBinaryForm_BasicValidationTestCases()
{
DiscretionaryAcl dAcl = null;
RawAcl rAcl = null;
GenericAce gAce = null;
byte[] binaryForm = null;
//Case 1, array binaryForm is null
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentNullException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
//Case 2, offset is negative
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, -1);
});
//Case 3, offset is equal to binaryForm length
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, binaryForm.Length);
});
//Case 4, offset is a big possitive number
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
binaryForm = new byte[dAcl.BinaryLength + 10000];
dAcl.GetBinaryForm(binaryForm, 10000);
//get the binaryForm of the original RawAcl
byte[] verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(verifierBinaryForm, 0);
Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm));
//Case 5, binaryForm array's size is insufficient
binaryForm = new byte[4];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
dAcl = new DiscretionaryAcl(true, false, rAcl);
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
dAcl.GetBinaryForm(binaryForm, 0);
});
}
public static void RemoveAccessSpecific_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, remove one ACE from the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 2, remove the last one ACE from the DiscretionaryAcl
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 3, accessMask = 0
AssertExtensions.Throws <ArgumentException>("accessMask", () =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
sid = "BA";
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestRemoveAccessSpecific
(discretionaryAcl, rawAcl,
(AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl);
public static void SetAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, set one allowed ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 4, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case6, all the ACEs in the Dacl are non-qualified ACE, no replacement
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, set without replacement, exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, set without replacement, not exceed binary length boundary
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 28];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask + 1, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 9, set Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.SetAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}