static void ProcessSecurityProvider (ISecurityDeclarationProvider provider)
{
if (!provider.HasSecurityDeclarations)
return;
provider.SecurityDeclarations.Clear ();
}
public static void CopySecurityDeclarations(ISecurityDeclarationProvider source, ISecurityDeclarationProvider target, ReferenceResolver resolver)
{
if (!source.HasSecurityDeclarations)
return;
foreach (var declaration in source.SecurityDeclarations)
target.InjectSecurityDeclaration(declaration, resolver);
}
void ProcessSecurityProvider(ISecurityDeclarationProvider provider)
{
if (!provider.HasSecurityDeclarations)
return;
// for non-linked code we still need to remove the security declarations,
// if any are present, are save back the assembly. Otherwise it might become
// impossible to decode what we save #28918.
switch (Action) {
case AssemblyAction.Link:
case AssemblyAction.Save:
break;
default:
Annotations.SetAction (Current, AssemblyAction.Save);
Action = AssemblyAction.Save;
break;
}
provider.SecurityDeclarations.Clear ();
}
private bool RuleDoesAppliesToType (ISecurityDeclarationProvider type)
{
assert = null;
deny = null;
permitonly = null;
demand = null;
// #1 - this rules apply if type has security permissions
if (!type.HasSecurityDeclarations)
return false;
bool apply = false;
// #2 - this rules doesn't apply to LinkDemand (both are executed)
// and to InheritanceDemand (both are executed at different time).
foreach (SecurityDeclaration declsec in type.SecurityDeclarations) {
switch (declsec.Action) {
case Mono.Cecil.SecurityAction.Assert:
assert = declsec.ToPermissionSet ();
apply = true;
break;
case Mono.Cecil.SecurityAction.Deny:
deny = declsec.ToPermissionSet ();
apply = true;
break;
case Mono.Cecil.SecurityAction.PermitOnly:
permitonly = declsec.ToPermissionSet ();
apply = true;
break;
case Mono.Cecil.SecurityAction.Demand:
demand = declsec.ToPermissionSet ();
apply = true;
break;
}
}
return apply;
}
internal bool TryGetSecurityDeclarationRanges(ISecurityDeclarationProvider owner, out Range[] ranges)
{
return SecurityDeclarations.TryGetValue (owner.MetadataToken, out ranges);
}
static bool RemoveSecurityDeclarations (ISecurityDeclarationProvider provider)
{
// also remove already existing CAS security declarations
if (provider == null)
return false;
if (!provider.HasSecurityDeclarations)
return false;
provider.SecurityDeclarations.Clear ();
return true;
}
public void RemoveSecurityDeclarationRange(ISecurityDeclarationProvider owner)
{
SecurityDeclarations.Remove(owner.MetadataToken);
}
public bool TryGetSecurityDeclarationRanges(ISecurityDeclarationProvider owner, out Range[] ranges)
{
return(this.SecurityDeclarations.TryGetValue(owner.MetadataToken, out ranges));
}
public void RemoveSecurityDeclarationRange (ISecurityDeclarationProvider owner)
{
SecurityDeclarations.Remove (owner.MetadataToken);
}
protected void MarkSecurityDeclarations (ISecurityDeclarationProvider provider)
{
// most security declarations are removed (if linked) but user code might still have some
// and if the attribtues references types then they need to be marked too
if ((provider == null) || !provider.HasSecurityDeclarations)
return;
foreach (var sd in provider.SecurityDeclarations)
MarkSecurityDeclaration (sd);
}
private static bool Check (ISecurityDeclarationProvider caller, ISecurityDeclarationProvider callee)
{
// 1 - look if the callee has a LinkDemand
PermissionSet calleeLinkDemand = GetLinkDemand (callee);
if (calleeLinkDemand.Count == 0)
return true;
// 2 - Ensure the caller requires a superset (or the same) permissions
return calleeLinkDemand.IsSubsetOf (GetLinkDemand (caller));
}
public static bool GetHasSecurityDeclarations(
this ISecurityDeclarationProvider self,
ModuleDefinition module)
{
return(module.HasImage() && module.Read(self, (provider, reader) => reader.HasSecurityDeclarations(provider)));
}
private void WriteSecurityDeclarations(ISecurityDeclarationProvider secDeclProvider)
{
if (!secDeclProvider.HasSecurityDeclarations)
{
return;
}
foreach (var secdecl in secDeclProvider.SecurityDeclarations)
{
_output.Write(".permissionset ");
switch (secdecl.Action)
{
case SecurityAction.Request:
_output.Write("request");
break;
case SecurityAction.Demand:
_output.Write("demand");
break;
case SecurityAction.Assert:
_output.Write("assert");
break;
case SecurityAction.Deny:
_output.Write("deny");
break;
case SecurityAction.PermitOnly:
_output.Write("permitonly");
break;
case SecurityAction.LinkDemand:
_output.Write("linkcheck");
break;
case SecurityAction.InheritDemand:
_output.Write("inheritcheck");
break;
case SecurityAction.RequestMinimum:
_output.Write("reqmin");
break;
case SecurityAction.RequestOptional:
_output.Write("reqopt");
break;
case SecurityAction.RequestRefuse:
_output.Write("reqrefuse");
break;
case SecurityAction.PreJitGrant:
_output.Write("prejitgrant");
break;
case SecurityAction.PreJitDeny:
_output.Write("prejitdeny");
break;
case SecurityAction.NonCasDemand:
_output.Write("noncasdemand");
break;
case SecurityAction.NonCasLinkDemand:
_output.Write("noncaslinkdemand");
break;
case SecurityAction.NonCasInheritance:
_output.Write("noncasinheritance");
break;
default:
_output.Write(secdecl.Action.ToString());
break;
}
_output.WriteLine(" = {");
_output.Indent();
for (var i = 0; i < secdecl.SecurityAttributes.Count; i++)
{
var sa = secdecl.SecurityAttributes[i];
if (sa.AttributeType.Scope == sa.AttributeType.Module)
{
_output.Write("class ");
_output.Write(DisassemblerHelpers.Escape(GetAssemblyQualifiedName(sa.AttributeType)));
}
else
{
sa.AttributeType.WriteTo(_output, ILNameSyntax.TypeName);
}
_output.Write(" = {");
if (sa.HasFields || sa.HasProperties)
{
_output.WriteLine();
_output.Indent();
foreach (var na in sa.Fields)
{
_output.Write("field ");
WriteSecurityDeclarationArgument(na);
_output.WriteLine();
}
foreach (var na in sa.Properties)
{
_output.Write("property ");
WriteSecurityDeclarationArgument(na);
_output.WriteLine();
}
_output.Unindent();
}
_output.Write('}');
if (i + 1 < secdecl.SecurityAttributes.Count)
{
_output.Write(',');
}
_output.WriteLine();
}
_output.Unindent();
_output.WriteLine("}");
}
}
static void RemoveSecurityDeclarations (ISecurityDeclarationProvider provider)
{
// also remove already existing CAS security declarations
if (provider == null)
return;
if (!provider.HasSecurityDeclarations)
return;
provider.SecurityDeclarations.Clear ();
}
private void WriteSecurityDeclarations(ISecurityDeclarationProvider secDeclProvider)
{
if (!secDeclProvider.HasSecurityDeclarations)
return;
foreach (var secdecl in secDeclProvider.SecurityDeclarations)
{
WriteKeyWordPostSpace(".permissionset");
switch (secdecl.Action)
{
case SecurityAction.Request:
WriteKeyword("request");
break;
case SecurityAction.Demand:
WriteKeyword("demand");
break;
case SecurityAction.Assert:
WriteKeyword("assert");
break;
case SecurityAction.Deny:
WriteKeyword("deny");
break;
case SecurityAction.PermitOnly:
WriteKeyword("permitonly");
break;
case SecurityAction.LinkDemand:
WriteKeyword("linkcheck");
break;
case SecurityAction.InheritDemand:
WriteKeyword("inheritcheck");
break;
case SecurityAction.RequestMinimum:
WriteKeyword("reqmin");
break;
case SecurityAction.RequestOptional:
WriteKeyword("reqopt");
break;
case SecurityAction.RequestRefuse:
WriteKeyword("reqrefuse");
break;
case SecurityAction.PreJitGrant:
WriteKeyword("prejitgrant");
break;
case SecurityAction.PreJitDeny:
WriteKeyword("prejitdeny");
break;
case SecurityAction.NonCasDemand:
WriteKeyword("noncasdemand");
break;
case SecurityAction.NonCasLinkDemand:
WriteKeyword("noncaslinkdemand");
break;
case SecurityAction.NonCasInheritance:
WriteKeyword("noncasinheritance");
break;
default:
WriteKeyword(secdecl.Action.ToString());
break;
}
WriteTokenPreSpace("=");
WriteTokenPreSpace("{");
WriteLine();
Indent();
for (int i = 0; i < secdecl.SecurityAttributes.Count; i++)
{
SecurityAttribute sa = secdecl.SecurityAttributes[i];
if (sa.AttributeType.Scope == sa.AttributeType.Module)
{
WriteKeyWordPostSpace("class");
WriteEscaped(GetAssemblyQualifiedName(sa.AttributeType));
}
else
{
WriteTypeReference(sa.AttributeType, ILNameSyntax.TypeName);
}
WriteTokenPreSpace("=");
WriteTokenPreSpace("{");
if (sa.HasFields || sa.HasProperties)
{
WriteLine();
Indent();
foreach (CustomAttributeNamedArgument na in sa.Fields)
{
WriteKeyWordPostSpace("field");
WriteSecurityDeclarationArgument(na);
WriteLine();
}
foreach (CustomAttributeNamedArgument na in sa.Properties)
{
WriteKeyWordPostSpace("property");
WriteSecurityDeclarationArgument(na);
WriteLine();
}
Outdent();
}
WriteToken("}");
if (i + 1 < secdecl.SecurityAttributes.Count)
WriteToken(",");
WriteLine();
}
Outdent();
WriteToken("}");
WriteLine();
}
}
public static bool GetHasSecurityDeclarations(
ISecurityDeclarationProvider self,
ModuleDefinition module)
{
return Mixin.HasImage(module) && module.Read(self, (provider, reader) => reader.HasSecurityDeclarations(provider));
}
public static Collection<SecurityDeclaration> GetSecurityDeclarations(
ISecurityDeclarationProvider self,
ref Collection<SecurityDeclaration> variable,
ModuleDefinition module)
{
return Mixin.HasImage(module)
? module.Read(ref variable, self, (provider, reader) => reader.ReadSecurityDeclarations(provider))
: variable = new Collection<SecurityDeclaration>();
}
protected virtual void VerifySecurityAttributes(ICustomAttributeProvider src, ISecurityDeclarationProvider linked)
{
var expectedAttrs = GetCustomAttributeCtorValues <object> (src, nameof(KeptSecurityAttribute))
.Select(attr => attr.ToString())
.ToList();
var linkedAttrs = FilterLinkedSecurityAttributes(linked).ToList();
Assert.That(linkedAttrs, Is.EquivalentTo(expectedAttrs), $"Security attributes on `{src}' are not matching");
}
private static PermissionSet GetLinkDemand (ISecurityDeclarationProvider method)
{
foreach (SecurityDeclaration declsec in method.SecurityDeclarations) {
switch (declsec.Action) {
case Mono.Cecil.SecurityAction.LinkDemand:
case Mono.Cecil.SecurityAction.NonCasLinkDemand:
return declsec.ToPermissionSet ();
}
}
return Empty;
}
protected virtual IEnumerable <string> FilterLinkedSecurityAttributes(ISecurityDeclarationProvider linked)
{
return(linked.SecurityDeclarations
.SelectMany(d => d.SecurityAttributes)
.Select(attr => attr.AttributeType.ToString()));
}
public bool TryGetSecurityDeclarationRange (ISecurityDeclarationProvider owner, out Range range)
{
return SecurityDeclarations.TryGetValue (owner.MetadataToken, out range);
}
public bool TryGetSecurityDeclarationRange(ISecurityDeclarationProvider owner, out Range range)
{
return(SecurityDeclarations.TryGetValue(owner.MetadataToken, out range));
}
static bool CompareSecurityDeclarations (ISecurityDeclarationProvider a, ISecurityDeclarationProvider b)
{
bool ha = a.HasSecurityDeclarations;
bool hb = b.HasSecurityDeclarations;
// if only one of them has custom attributes
if (ha != hb)
return false;
// if both do not have custom attributes
if (!ha && !hb)
return true;
// compare attributes
foreach (SecurityDeclaration sd in a.SecurityDeclarations) {
if (!b.SecurityDeclarations.Contains (sd))
return false;
}
return true;
}
void EmitSecDeclarations (ISecurityDeclarationProvider prov) {
foreach (var sec in prov.SecurityDeclarations) {
string act_str = null;
if (!sec_action_to_string.TryGetValue (sec.Action, out act_str))
throw new NotImplementedException (sec.Action.ToString ());
WriteLine (".permissionset " + act_str + " = (");
WriteBlob (sec.GetBlob ());
}
}
