public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
//case 1, empty RawAcl, binarylength should be 8
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
Assert.True(8 == rawAcl.BinaryLength);
//case 2, RawAcl with one Ace, binarylength should be 8 + the Ace's binarylength
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(8 + gAce.BinaryLength == rawAcl.BinaryLength);
//case 3, RawAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(8 + rawAcl[0].BinaryLength + rawAcl[1].BinaryLength == rawAcl.BinaryLength);
}
public static void BasicValidationTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
GenericAce[] gAces = null;
// Case 1, when collection is actually empty
rAcl = new RawAcl(1, 1);
gAces = new GenericAce[rAcl.Count];
rAcl.CopyTo(gAces, 0);
// Case 2, collection has one ACE
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
gAces = new GenericAce[rAcl.Count];
rAcl.CopyTo(gAces, 0);
//Case 3, index = 3
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BO")), false, null);
rAcl.InsertAce(0, gAce);
gAces = new GenericAce[rAcl.Count + 5];
//initialize to null
for (int i = 0; i < gAces.Length; i++)
{
gAces[i] = null;
}
rAcl.CopyTo(gAces, 3);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
//case 1, empty RawAcl, binarylength should be 8
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
Assert.True(8 == rawAcl.BinaryLength);
//case 2, RawAcl with one Ace, binarylength should be 8 + the Ace's binarylength
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(8 + gAce.BinaryLength == rawAcl.BinaryLength);
//case 3, RawAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(8 + rawAcl[0].BinaryLength + rawAcl[1].BinaryLength == rawAcl.BinaryLength);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
//case 1, empty RawAcl
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
Assert.True(0 == rawAcl.Count);
//case 2, RawAcl with one Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(1 == rawAcl.Count);
//case 3, RawAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(2 == rawAcl.Count);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
//case 1, empty RawAcl
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
Assert.True(0 == rawAcl.Count);
//case 2, RawAcl with one Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(1 == rawAcl.Count);
//case 3, RawAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
Assert.True(2 == rawAcl.Count);
}
private RawSecurityDescriptor ApplyAcesToTargetSecurityDescriptor(RawSecurityDescriptor targetSd, List <GenericAce> sourceAces)
{
List <GenericAce> list = new List <GenericAce>();
foreach (GenericAce genericAce in targetSd.DiscretionaryAcl)
{
SecurityIdentifier sidFromAce = TenantRelocationSecurityDescriptorHandler.GetSidFromAce(genericAce);
if (!(sidFromAce == null))
{
SecurityIdentifier accountDomainSid = sidFromAce.AccountDomainSid;
if (sidFromAce.IsAccountSid() && !accountDomainSid.Equals(this.targetDomainSid))
{
ExTraceGlobals.TenantRelocationTracer.TraceDebug <string>((long)this.GetHashCode(), "ApplyAcesToTargetSecurityDescriptor: customized SID found {0} on target object, removed.", sidFromAce.ToString());
}
else
{
list.Add(genericAce);
}
}
}
RawAcl rawAcl = new RawAcl(targetSd.DiscretionaryAcl.Revision, list.Count + sourceAces.Count);
int num = 0;
foreach (GenericAce ace in list)
{
rawAcl.InsertAce(num++, ace);
}
foreach (GenericAce ace2 in sourceAces)
{
rawAcl.InsertAce(num++, ace2);
}
targetSd.DiscretionaryAcl = rawAcl;
return(targetSd);
}
public static void BasicValidationTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
GenericAce[] gAces = null;
// Case 1, when collection is actually empty
rAcl = new RawAcl(1, 1);
gAces = new GenericAce[rAcl.Count];
rAcl.CopyTo(gAces, 0);
// Case 2, collection has one ACE
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
gAces = new GenericAce[rAcl.Count];
rAcl.CopyTo(gAces, 0);
//Case 3, index = 3
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BO")), false, null);
rAcl.InsertAce(0, gAce);
gAces = new GenericAce[rAcl.Count + 5];
//initialize to null
for (int i = 0; i < gAces.Length; i++)
gAces[i] = null;
rAcl.CopyTo(gAces, 3);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce genericAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, insert at index -1
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 2, no ACE, insert at index Count + 1
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count + 1;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 3, one ACE, insert null ACE
Assert.Throws <ArgumentNullException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = 0;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
genericAce = null;
rawAcl.InsertAce(index, genericAce);
});
//case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
Assert.Throws <OverflowException>(() =>
{
rawAcl = new RawAcl(1, 1);
byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
rawAcl.InsertAce(0, gAce);
});
}
public static void AceCount_BasicValidation()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//case 1, empty DiscretionaryAcl
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(0 == discretionaryAcl.Count);
//case 2, DiscretionaryAcl with one Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(1 == discretionaryAcl.Count);
//case 3, DiscretionaryAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//223 has all AceFlags
gAce = new CommonAce((AceFlags)223, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(2 == discretionaryAcl.Count);
}
static CommonSecurityDescriptor ProtectionPreserveInheritanceIgnoredUnlessProtectedTrueDescriptor()
{
SecurityIdentifier sid = new SecurityIdentifier("WD");
RawAcl acl = new RawAcl(GenericAcl.AclRevision, 1);
acl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
acl.InsertAce(1, new CommonAce(AceFlags.Inherited, AceQualifier.AccessAllowed, 1, sid, false, null));
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
descriptor.DiscretionaryAcl = new DiscretionaryAcl(false, false, acl);
return(descriptor);
}
public static void AceCount_BasicValidation()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//case 1, empty DiscretionaryAcl
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(0 == discretionaryAcl.Count);
//case 2, DiscretionaryAcl with one Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(1 == discretionaryAcl.Count);
//case 3, DiscretionaryAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//223 has all AceFlags
gAce = new CommonAce((AceFlags)223, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(2 == discretionaryAcl.Count);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
int expectedLength = 0;
//case 1, SystemAcl with huge number of Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
expectedLength = 8;
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
expectedLength += gAce.BinaryLength;
}
systemAcl = new SystemAcl(false, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
}
public static void AceCount_AdditionalTests()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
//case 1, DiscretionaryAcl with huge number of Aces
revision = 0;
capacity = 1;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
}
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(1820 == discretionaryAcl.Count);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
//case 1, SysemAcl with huge number of Aces
revision = 0;
capacity = 1;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
}
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(1820 == systemAcl.Count);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
//case 1, SysemAcl with huge number of Aces
revision = 0;
capacity = 1;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
}
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(1820 == systemAcl.Count);
}
internal void Initialize()
{
try
{
if (!System.Workflow.Runtime.DebugEngine.NativeMethods.RevertToSelf())
{
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
}
RawAcl currentProcessTokenDacl = this.GetCurrentProcessTokenDacl();
CommonAce newAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 8, new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), false, null);
int index = this.FindIndexInDacl(newAce, currentProcessTokenDacl);
if (index != -1)
{
currentProcessTokenDacl.InsertAce(index, newAce);
}
this.SetCurrentProcessTokenDacl(currentProcessTokenDacl);
}
catch (Exception exception)
{
if (this.exceptionNotification != null)
{
this.exceptionNotification(exception);
}
}
}
private static RawAcl InheritAcl(RawAcl parentAcl, bool isContainer)
{
AceFlags inheritTest = isContainer ? AceFlags.ContainerInherit : AceFlags.ObjectInherit;
RawAcl newAcl = null;
if (parentAcl != null)
{
newAcl = new RawAcl(parentAcl.Revision, parentAcl.Count);
foreach (GenericAce ace in parentAcl)
{
if ((ace.AceFlags & inheritTest) != 0)
{
GenericAce newAce = ace.Copy();
AceFlags newFlags = ace.AceFlags;
if ((newFlags & AceFlags.NoPropagateInherit) != 0)
{
newFlags &= ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit | AceFlags.NoPropagateInherit);
}
newFlags &= ~AceFlags.InheritOnly;
newFlags |= AceFlags.Inherited;
newAce.AceFlags = newFlags;
newAcl.InsertAce(newAcl.Count, newAce);
}
}
}
return(newAcl);
}
// Token: 0x06000B6C RID: 2924 RVA: 0x00034E28 File Offset: 0x00033028
internal static RawSecurityDescriptor RemoveInheritedACEs(RawSecurityDescriptor sd)
{
if (sd == null)
{
return(null);
}
RawAcl discretionaryAcl = sd.DiscretionaryAcl;
bool flag = false;
foreach (GenericAce genericAce in discretionaryAcl)
{
if ((byte)(genericAce.AceFlags & AceFlags.Inherited) == 16)
{
flag = true;
break;
}
}
if (!flag)
{
return(sd);
}
RawAcl rawAcl = new RawAcl(discretionaryAcl.Revision, 0);
foreach (GenericAce genericAce2 in discretionaryAcl)
{
if ((byte)(genericAce2.AceFlags & AceFlags.Inherited) != 16)
{
rawAcl.InsertAce(rawAcl.Count, genericAce2);
}
}
return(new RawSecurityDescriptor(sd.ControlFlags, sd.Owner, sd.Group, sd.SystemAcl, rawAcl));
}
public void AddAccessFailsOnNonCanonical()
{
SecurityIdentifier sid = new SecurityIdentifier("BU");
RawAcl acl = new RawAcl(RawAcl.AclRevision, 0);
acl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null));
acl.InsertAce(1, new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, acl);
Assert.IsFalse(dacl.IsCanonical);
Assert.AreEqual(2, dacl.Count);
dacl.AddAccess(AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
}
public void GetBinaryForm()
{
RawAcl acl = new RawAcl(1, 0);
byte[] buffer = new byte[acl.BinaryLength];
acl.GetBinaryForm(buffer, 0);
byte[] sdBinary = new byte[] { 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 };
Assert.AreEqual(sdBinary, buffer);
SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
acl.InsertAce(0, ace);
buffer = new byte[acl.BinaryLength];
acl.GetBinaryForm(buffer, 0);
sdBinary = new byte[]
{
0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
0x00, 0x00
};
Assert.AreEqual(sdBinary, buffer);
}
public static void BinaryLength_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
int expectedLength = 0;
//case 1, DiscretionaryAcl with huge number of Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
expectedLength = 8;
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
expectedLength += gAce.BinaryLength;
}
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
Assert.True(expectedLength == discretionaryAcl.BinaryLength);
}
public static void AceCount_AdditionalTests()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
//case 1, DiscretionaryAcl with huge number of Aces
revision = 0;
capacity = 1;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
}
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(1820 == discretionaryAcl.Count);
}
private void BuildSecurityDescriptor()
{
Fx.Assert((null == securityDescriptor), "SecurityDescriptor must be NULL");
NTAccount name;
SecurityIdentifier sid;
CommonAce ace;
RawAcl acl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (operationRoleMembers != null)
{
foreach (string userName in operationRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
if (contractRoleMembers != null)
{
foreach (string userName in contractRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
if (serviceRoleMembers != null)
{
foreach (string userName in serviceRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl dacl = new DiscretionaryAcl(true, false, acl);
securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, dacl);
}
private void BuildSecurityDescriptor()
{
NTAccount account;
SecurityIdentifier identifier;
CommonAce ace;
RawAcl rawAcl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (this.operationRoleMembers != null)
{
foreach (string str in this.operationRoleMembers)
{
account = new NTAccount(str);
identifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.contractRoleMembers != null)
{
foreach (string str2 in this.contractRoleMembers)
{
account = new NTAccount(str2);
identifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.serviceRoleMembers != null)
{
foreach (string str3 in this.serviceRoleMembers)
{
account = new NTAccount(str3);
identifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl);
}
static RawAcl MakeRawAcl(GenericAce[] aces)
{
RawAcl acl = new RawAcl(RawAcl.AclRevision, 0);
for (int i = 0; i < aces.Length; i++)
{
acl.InsertAce(i, aces [i]);
}
return(acl);
}
public static void BasicValidationTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
// collection has one ACE. By code review, this properties always return false. So no addtional cases are needed
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
Assert.True(false == rAcl.IsSynchronized);
}
public static void BasicValidationTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
// collection has one ACE. By code review, this properties always return false. So no addtional cases are needed
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
Assert.True(null != rAcl.SyncRoot) ;
}
public static RawAcl CreateRawAclFromString(string rawAclString)
{
RawAcl rawAcl = null;
byte revision = 0;
int capacity = 1;
CommonAce cAce = null;
AceFlags aceFlags = AceFlags.None;
AceQualifier aceQualifier = AceQualifier.AccessAllowed;
int accessMask = 1;
SecurityIdentifier sid = null;
bool isCallback = false;
int opaqueSize = 0;
byte[] opaque = null;
string[] parts = null;
string[] subparts = null;
char[] delimiter1 = new char[] { '#' };
char[] delimiter2 = new char[] { ':' };
if (rawAclString != null)
{
rawAcl = new RawAcl(revision, capacity);
parts = rawAclString.Split(delimiter1);
for (int i = 0; i < parts.Length; i++)
{
subparts = parts[i].Split(delimiter2);
if (subparts.Length != 6)
{
return(null);
}
aceFlags = (AceFlags)byte.Parse(subparts[0]);
aceQualifier = (AceQualifier)int.Parse(subparts[1]);
accessMask = int.Parse(subparts[2]);
sid = new SecurityIdentifier(TranslateStringConstFormatSidToStandardFormatSid(subparts[3]));
isCallback = bool.Parse(subparts[4]);
if (!isCallback)
{
opaque = null;
}
else
{
opaqueSize = int.Parse(subparts[5]);
opaque = new byte[opaqueSize];
}
cAce = new CommonAce(aceFlags, aceQualifier, accessMask, sid, isCallback, opaque);
rawAcl.InsertAce(rawAcl.Count, cAce);
}
}
return(rawAcl);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
int expectedLength = 0;
//case 1, empty systemAcl, binarylength should be 8
capacity = 1;
systemAcl = new SystemAcl(false, false, capacity);
expectedLength = 8;
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(true, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 3, SystemAcl with two Aces
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
int expectedLength = 0;
//case 1, empty systemAcl, binarylength should be 8
capacity = 1;
systemAcl = new SystemAcl(false, false, capacity);
expectedLength = 8;
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(true, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 3, SystemAcl with two Aces
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
}
public static void BinaryLength_BasicValidation()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//case 1, empty discretionaryAcl, binarylength should be 8
capacity = 1;
discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
Assert.True(8 == discretionaryAcl.BinaryLength);
//case 2, discretionaryAcl with one Ace, binarylength should be 8 + the Ace's binarylength
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
Assert.True(8 + gAce.BinaryLength == discretionaryAcl.BinaryLength);
//case 3, DiscretionaryAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
Assert.True(8 + discretionaryAcl[0].BinaryLength + discretionaryAcl[1].BinaryLength == discretionaryAcl.BinaryLength);
}
public static void BinaryLength_BasicValidation()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//case 1, empty discretionaryAcl, binarylength should be 8
capacity = 1;
discretionaryAcl = new DiscretionaryAcl(false, false, capacity);
Assert.True(8 == discretionaryAcl.BinaryLength);
//case 2, discretionaryAcl with one Ace, binarylength should be 8 + the Ace's binarylength
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
Assert.True(8 + gAce.BinaryLength == discretionaryAcl.BinaryLength);
//case 3, DiscretionaryAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
Assert.True(8 + discretionaryAcl[0].BinaryLength + discretionaryAcl[1].BinaryLength == discretionaryAcl.BinaryLength);
}
private bool IsPublicToGroupSidInUserToken()
{
bool flag = false;
Exception ex = null;
int num = this.groupMailboxToLogon.PublicToGroupSids.Count <SecurityIdentifier>();
if (num > 0)
{
try
{
int num2 = 0;
RawAcl rawAcl = new RawAcl(0, num);
foreach (SecurityIdentifier sid in this.groupMailboxToLogon.PublicToGroupSids)
{
rawAcl.InsertAce(num2++, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 131072, sid, false, null));
}
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, GroupMailboxAuthorizationHandler.LocalSystemSid, GroupMailboxAuthorizationHandler.LocalSystemSid, null, rawAcl);
int grantedAccess = this.clientSecurityContext.GetGrantedAccess(rawSecurityDescriptor, (AccessMask)131072);
flag = (grantedAccess == 131072);
}
catch (ArgumentException ex2)
{
ex = ex2;
}
catch (AuthzException ex3)
{
ex = ex3;
}
catch (OutOfMemoryException ex4)
{
ex = ex4;
}
}
if (ex != null)
{
GroupMailboxAuthorizationHandler.Tracer.TraceError <Exception>((long)this.GetHashCode(), "Unable to verify that the user's token contain publicToGroupSid: {0}", ex);
}
if (flag)
{
GroupMailboxAuthorizationHandler.Tracer.TraceDebug <string>((long)this.GetHashCode(), "Found that the user {0} is part of a security group present in PublicToGroupSids", this.accessingUserInfo.Identity);
}
else
{
GroupMailboxAuthorizationHandler.Tracer.TraceDebug <string>((long)this.GetHashCode(), "Found that the user {0} is not part of any security group present in PublicToGroupSids", this.accessingUserInfo.Identity);
}
return(flag);
}
public static void AdditionalTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
AceEnumerator aceEnumerator = null;
//Case 1, RawAcl with huge number of Aces
rAcl = new RawAcl(0, GenericAcl.MaxBinaryLength + 1);
for (int i = 0; i < 1820; i++)
{
//this ace binary length is 36, 1820 * 36 = 65520
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
}
aceEnumerator = rAcl.GetEnumerator();
Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
}
public static void BasicValidationTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
AceEnumerator aceEnumerator = null;
// Case 1, when collection is actually empty
rAcl = new RawAcl(1, 1);
aceEnumerator = rAcl.GetEnumerator();
//Case 2, collection has one ACE
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
aceEnumerator = rAcl.GetEnumerator();
Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
}
public static void AdditionalTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
AceEnumerator aceEnumerator = null;
//Case 1, RawAcl with huge number of Aces
rAcl = new RawAcl(0, GenericAcl.MaxBinaryLength + 1);
for (int i = 0; i < 1820; i++)
{
//this ace binary length is 36, 1820 * 36 = 65520
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
}
aceEnumerator = rAcl.GetEnumerator();
Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
}
public static void BasicValidationTestCases()
{
GenericAce gAce = null;
RawAcl rAcl = null;
AceEnumerator aceEnumerator = null;
// Case 1, when collection is actually empty
rAcl = new RawAcl(1, 1);
aceEnumerator = rAcl.GetEnumerator();
//Case 2, collection has one ACE
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
aceEnumerator = rAcl.GetEnumerator();
Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false));
}
[Category("NotWorking")] // Mono does not have a working CustomAce implementation yet.
public void ObjectSecurityRemovesWhatItCannotCreate()
{
RawAcl acl = new RawAcl(GenericAcl.AclRevision, 1);
acl.InsertAce(0, new CustomAce((AceType)255, AceFlags.None, new byte[4]));
DiscretionaryAcl dacl = new DiscretionaryAcl(true, true, acl);
Assert.AreEqual(1, dacl.Count);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(true, true, ControlFlags.None, null, null, null, dacl);
TestSecurity security = new TestSecurity(descriptor);
AuthorizationRuleCollection rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
Assert.AreEqual(0, rules.Count);
}
static RawAcl CreateRoundtripRawAcl()
{
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
Assert.AreEqual(16, sid.BinaryLength);
GenericAce[] aces = new GenericAce[] {
new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid,
ObjectAceFlags.ObjectAceTypePresent,
Guid.Empty, Guid.Empty, false, new byte[8]),
new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 2, sid,
ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, Guid.Empty, true, new byte[16]),
new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, new Guid("{8865FB90-A9EB-422F-A8BA-07ECA611D699}"), true, new byte[4]),
new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, new Guid("{B893007C-38D5-4827-A698-BA25F1E30BAC}"), true, new byte[4]),
new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.None,
Guid.Empty, new Guid("{C0F9DF22-C320-4400-B41F-754F69668640}"), true, new byte[4])
};
// Make sure this created right, first of all.
Assert.AreEqual(AceType.AccessAllowedObject, aces [0].AceType);
Assert.AreEqual(AceType.AccessAllowedCallbackObject, aces [1].AceType);
Assert.AreEqual(AceType.AccessAllowedCallbackObject, aces [2].AceType);
Assert.AreEqual(AceType.AccessAllowedCallbackObject, aces [3].AceType);
Assert.AreEqual(AceType.AccessAllowedCallbackObject, aces [4].AceType);
Assert.AreEqual(52, aces [0].BinaryLength);
Assert.AreEqual(60, aces [1].BinaryLength);
Assert.AreEqual(48, aces [2].BinaryLength);
Assert.AreEqual(64, aces [3].BinaryLength);
Assert.AreEqual(32, aces [4].BinaryLength);
RawAcl acl = new RawAcl(RawAcl.AclRevision, 0);
for (int i = 0; i < aces.Length; i++)
{
acl.InsertAce(i, aces[i]);
}
return(acl);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA"));
//case 1, RawAcl with huge number of Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
//this ace binary length is 36, 1820 * 36 = 65520
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
}
Assert.True(1820 == rawAcl.Count);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA"));
//case 1, RawAcl with huge number of Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
//this ace binary length is 36, 1820 * 36 = 65520
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
}
Assert.True(1820 == rawAcl.Count);
}
/// <summary>Canonicalizes the specified Access Control List.</summary>
/// <param name="acl">The Access Control List.</param>
public static void Canonicalize(this RawAcl acl)
{
if (acl == null)
{
throw new ArgumentNullException(nameof(acl));
}
// Extract aces to list
var aces = new System.Collections.Generic.List <GenericAce>(acl.Cast <GenericAce>());
// Sort aces based on canonical order
aces.Sort((a, b) => System.Collections.Generic.Comparer <byte> .Default.Compare(GetComparisonValue(a), GetComparisonValue(b)));
// Add sorted aces back to ACL
while (acl.Count > 0)
{
acl.RemoveAce(0);
}
var aceIndex = 0;
aces.ForEach(ace => acl.InsertAce(aceIndex++, ace));
}
public void IndexerMakesCopies()
{
// This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload.
// Turns out it applies to more than just the constructor.
SecurityIdentifier worldSid = new SecurityIdentifier("WD");
// RawAcl does not make copies.
RawAcl acl = new RawAcl(RawAcl.AclRevision, 1);
CommonAce ace = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null);
acl.InsertAce(0, ace);
Assert.AreSame(acl [0], acl [0]);
// CommonAcl does.
SystemAcl sacl = new SystemAcl(false, false, acl);
Assert.AreNotSame(sacl [0], sacl [0]);
// Make sure the copying occurs in the constructor as well as the indexer.
ace.AceFlags = AceFlags.FailedAccess;
Assert.AreEqual(AceFlags.SuccessfulAccess, sacl [0].AceFlags);
}
public static void Purge_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
int aceCount = 0;
SecurityIdentifier sid = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sidStr = "LA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 2, only have 1 explicit Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 3, only have 1 explicit Ace of different sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all aceflags but inheritedonly and inherited
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
sidStr = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 4, only have 1 inherited Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 5, have one explicit Ace and one inherited Ace of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
//case 6, have two explicit Aces of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//207 has all AceFlags but inherited
gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, 0));
//case 7, 1 explicit CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//199 has all AceFlags except InheritOnly and Inherited
aceFlag = (AceFlags)199;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
aceCount = 1;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 8, 1 explicit CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestPurge(discretionaryAcl, sid, aceCount);
});
//case 9, 1 explict ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(discretionaryAcl, sid, aceCount));
}
public static void BasicValidationTestCases()
{
RawAcl rAcl = null;
GenericAce gAce = null;
byte[] binaryForm = null;
//Case 1, a RawAcl with one AccessAllowed Ace
SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA"));
byte[] verifierBinaryForm = null;
byte[] sidBinaryForm = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBinaryForm, 0);
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null);
rAcl.InsertAce(0, gAce);
binaryForm = new byte[rAcl.BinaryLength];
verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(binaryForm, 0);
int errorCode;
if (0 == Utils.Win32AclLayer.InitializeAclNative
(verifierBinaryForm, (uint)rAcl.BinaryLength, (uint)GenericAcl.AclRevision))
{
errorCode = Marshal.GetLastWin32Error();
}
else if (0 == Utils.Win32AclLayer.AddAccessAllowedAceExNative
(verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)AceFlags.None, (uint)1, sidBinaryForm))
{
errorCode = Marshal.GetLastWin32Error();
}
else
Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm));
//Case 2, a RawAcl with one AccessDenied Ace
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA"));
verifierBinaryForm = null;
sidBinaryForm = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBinaryForm, 0);
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
//31 include ObjectInherit, ContainerInherit, NoPropagateInherit, InheritOnly and Inherited
gAce = new CommonAce((AceFlags)31, AceQualifier.AccessDenied, 1, sid, false, null);
rAcl.InsertAce(0, gAce);
binaryForm = new byte[rAcl.BinaryLength];
verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(binaryForm, 0);
if (0 == Utils.Win32AclLayer.InitializeAclNative
(verifierBinaryForm, (uint)rAcl.BinaryLength, (uint)GenericAcl.AclRevision))
{
errorCode = Marshal.GetLastWin32Error();
}
else if (0 == Utils.Win32AclLayer.AddAccessDeniedAceExNative
(verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)31, (uint)1, sidBinaryForm))
{
errorCode = Marshal.GetLastWin32Error();
}
else
Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm));
//Case 3, a RawAcl with one Audit Ace
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA"));
verifierBinaryForm = null;
sidBinaryForm = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBinaryForm, 0);
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
//223 include ObjectInherit, ContainerInherit, NoPropagateInherit, InheritOnly, Inherited, SuccessfulAccess and FailedAccess
gAce = new CommonAce((AceFlags)223, AceQualifier.SystemAudit, 1, sid, false, null);
rAcl.InsertAce(0, gAce);
binaryForm = new byte[rAcl.BinaryLength];
verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(binaryForm, 0);
if (0 == Utils.Win32AclLayer.InitializeAclNative
(verifierBinaryForm, (uint)rAcl.BinaryLength, (uint)GenericAcl.AclRevision))
{
errorCode = Marshal.GetLastWin32Error();
}
else if (0 == Utils.Win32AclLayer.AddAuditAccessAceExNative
(verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)223, (uint)1, sidBinaryForm, 1, 1))
{
errorCode = Marshal.GetLastWin32Error();
}
else
Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm));
}
public static void Index_AdditionalTests()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
GenericAce verifierGAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, get index at -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
verifierGAce = discretionaryAcl[index];
});
//case 2, get index at Count
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = discretionaryAcl.Count;
verifierGAce = discretionaryAcl[index];
});
//case 3, set index at -1
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = -1;
owner = "BG";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
discretionaryAcl[index] = gAce;
});
//case 4, set index at Count
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
index = discretionaryAcl.Count;
owner = "BG";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
discretionaryAcl[index] = gAce;
});
//case 5, set null Ace
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = 0;
gAce = null;
discretionaryAcl[index] = gAce;
});
//case 6, set index at 0
//case 5, set null Ace
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
owner = "BG";
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
index = 0;
owner = "BA";
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
discretionaryAcl[index] = gAce;
});
}
public static void Index_BasicValidation()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
GenericAce verifierGAce = null;
string owner1 = "BO";
string owner2 = "BA";
string owner3 = "BG";
int index = 0;
// case 1, only one ACE, get at index 0
rawAcl = new RawAcl(1, 1);
index = 0;
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
verifierGAce = discretionaryAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
{
}
//case 2, two ACEs, index at Count -1
rawAcl = new RawAcl(1, 2);
//215 has all AceFlags but InheriteOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
//199 has all AceFlags but InheritedOnly, Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
rawAcl.InsertAce(1, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
gAce = rawAcl[1];
//the discretionaryAcl is non-container, all AceFlags except Inherited will be stripped
gAce.AceFlags = (AceFlags)FlagsForAce.None;
index = discretionaryAcl.Count - 1;
verifierGAce = discretionaryAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
{
}
//case 3, only three ACEs, index at Count/2
rawAcl = new RawAcl(1, 3);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
rawAcl.InsertAce(1, gAce);
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null);
rawAcl.InsertAce(2, gAce);
discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl);
gAce = rawAcl[1];
//the systemAcl is non-container, all AceFlags will be stripped
gAce.AceFlags = AceFlags.None;
index = discretionaryAcl.Count / 2;
verifierGAce = discretionaryAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
{
}
}
public static RawAcl CreateRawAclFromString(string rawAclString)
{
RawAcl rawAcl = null;
byte revision = 0;
int capacity = 1;
CommonAce cAce = null;
AceFlags aceFlags = AceFlags.None;
AceQualifier aceQualifier = AceQualifier.AccessAllowed;
int accessMask = 1;
SecurityIdentifier sid = null;
bool isCallback = false;
int opaqueSize = 0;
byte[] opaque = null;
string[] parts = null;
string[] subparts = null;
char[] delimiter1 = new char[] { '#' };
char[] delimiter2 = new char[] { ':' };
if (rawAclString != null)
{
rawAcl = new RawAcl(revision, capacity);
parts = rawAclString.Split(delimiter1);
for (int i = 0; i < parts.Length; i++)
{
subparts = parts[i].Split(delimiter2);
if (subparts.Length != 6)
{
return null;
}
aceFlags = (AceFlags)byte.Parse(subparts[0]);
aceQualifier = (AceQualifier)int.Parse(subparts[1]);
accessMask = int.Parse(subparts[2]);
sid = new SecurityIdentifier(TranslateStringConstFormatSidToStandardFormatSid(subparts[3]));
isCallback = bool.Parse(subparts[4]);
if (!isCallback)
opaque = null;
else
{
opaqueSize = int.Parse(subparts[5]);
opaque = new byte[opaqueSize];
}
cAce = new CommonAce(aceFlags, aceQualifier, accessMask, sid, isCallback, opaque);
rawAcl.InsertAce(rawAcl.Count, cAce);
}
}
return rawAcl;
}
public static void RemoveInheritedAces_BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(2, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(3, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(2, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestRemoveInheritedAces(discretionaryAcl);
});
//case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited;
accessMask = 1;
//Access Allowed CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//Access Dennied CommonAce
gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceQualifier = AceQualifier.AccessAllowed;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 5, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 6, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 7, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 8, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//215 has all AceFlags except InheritOnly
aceFlag = (AceFlags)215;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 9, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
//case 10, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(discretionaryAcl));
}
public static void AddAccess_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 2, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess(AccessControlType.Allow,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 6, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 7, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, add one Access ACE to the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF
//add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not
//be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3
//call the same method to check the meaninglessness, only some sanitory cases are enough.
//bug# 288116
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 0;//InheritanceFlags.None
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly,
AceQualifier.AccessAllowed,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 12, add Ace to exceed binary length boundary, throw exception
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
discretionaryAcl.AddAccess((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void Constructor3_AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//drop the Ace from rawAcl
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//15 has all inheritance AceFlags but Inherited
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//8 has inheritOnly
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
//the only ACE is a meaningless ACE, will be removed
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 4, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 5, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
// 2 has ContainerInherit
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
//case 6, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 7, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
//case 8, all Aces from case 1, and 3 to 6
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
rawAcl = new RawAcl(revision, capacity);
//0 access Mask
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// ObjectAce
aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.None;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(rawAcl.Count, gAce);
// CompoundAce
aceFlag = (AceFlags)2;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl));
discretionaryAcl = null;
isContainer = false;
isDS = false;
rawAcl = null;
//case 1, rawAcl = null
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1);
Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce genericAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, insert at index -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 2, no ACE, insert at index Count + 1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = rawAcl.Count + 1;
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
});
//case 3, one ACE, insert null ACE
Assert.Throws<ArgumentNullException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = 0;
owner = "BA";
genericAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(index, genericAce);
genericAce = null;
rawAcl.InsertAce(index, genericAce);
});
//case 4, insert a big Ace to make RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
Assert.Throws<OverflowException>(() =>
{
rawAcl = new RawAcl(1, 1);
byte[] opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];
GenericAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, (AceFlags)223, opaque);
rawAcl.InsertAce(0, gAce);
});
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
bool removePossible = false;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, remove one audit ACE from the SystemAcl with no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));
//Case 5, remove the last one ACE from the SystemAcl
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));
//Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, true);
});
//Case 7, remove split cause overflow
// Test case no longer relevant in CoreCLR
// Non-canonical ACLs cannot be modified
}
public static void AdditionalTestCases()
{
ICollection myCollection = null;
GenericAce gAce = null;
RawAcl rAcl = null;
GenericAce[] gAces = null;
// Case 1, null array
Assert.Throws<ArgumentNullException>(() =>
{
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
myCollection = (ICollection)rAcl;
myCollection.CopyTo(gAces, 0);
});
// Case 2, negative index
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
gAces = new GenericAce[rAcl.Count];
myCollection = (ICollection)rAcl;
myCollection.CopyTo(gAces, -1);
});
// Case 3, 0 size array
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
gAces = new GenericAce[0];
myCollection = (ICollection)rAcl;
myCollection.CopyTo(gAces, 0);
});
// Case 4, insufficient size array
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BO")), false, null);
rAcl.InsertAce(0, gAce);
gAces = new GenericAce[rAcl.Count - 1];
myCollection = (ICollection)rAcl;
myCollection.CopyTo(gAces, 0);
});
//Case 5, RawAcl with huge number of Aces
rAcl = new RawAcl(0, GenericAcl.MaxBinaryLength);
for (int i = 0; i < 1820; i++)
{
//this ace binary length is 36, 1820 * 36 = 65520
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
}
gAces = new GenericAce[rAcl.Count];
myCollection = (ICollection)rAcl;
myCollection.CopyTo(gAces, 0);
// Case 6, test ICollection.CopyTo, array rank is not one. all the other cases are tested by type-friendly version CopyTo
//on my machine, a BCL assert as resource Rank_MutiDimNotSupported not found
Assert.Throws<RankException>(() =>
{
rAcl = new RawAcl(0, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
GenericAce[,] gAces2 = new GenericAce[1, 2];
myCollection = (ICollection)rAcl;
myCollection.CopyTo(gAces2, 0);
});
}
public static void BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 3, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 4, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 5, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 6, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 7, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 8, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
RawAcl rawAclVerifier = null;
GenericAce ace = null;
GenericAce aceVerifier = null;
int count = 0;
int index = 0;
byte revision = 0;
int capacity = 1;
int flags = 1;
int qualifier = 0;
int accessMask = 1;
string sid = "BA";
bool isCallback = false;
int opaqueSize = 8;
//test insert at 0
rawAcl = new RawAcl(revision, capacity);
rawAclVerifier = new RawAcl(revision, capacity);
ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
index = 0;
//save current count
count = rawAcl.Count;
rawAcl.InsertAce(index, ace);
//verify the count number increase one
Assert.True(rawAcl.Count == count + 1);
//verify the inserted ace is equal to the originial ace
aceVerifier = rawAcl[index];
Assert.True(ace == aceVerifier);
//verify right side aces are equal
Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));
//insert the same ACE to rawAclVerifier for next test
rawAclVerifier.InsertAce(index, ace);
//test insert at Count
sid = "BA";
ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
count = rawAcl.Count;
index = count;
rawAcl.InsertAce(index, ace);
//verify the count number increase one
Assert.True(rawAcl.Count == count + 1);
//verify the inserted ace is equal to the originial ace
aceVerifier = rawAcl[index];
Assert.True(ace == aceVerifier);
//verify right side aces are equal
Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));
//insert the same ACE to rawAclVerifier for next test
rawAclVerifier.InsertAce(index, ace);
//test insert at Count - 1
sid = "BG";
ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
count = rawAcl.Count;
index = count - 1;
rawAcl.InsertAce(index, ace);
//verify the count number increase one
Assert.True(rawAcl.Count == count + 1);
//verify the inserted ace is equal to the originial ace
aceVerifier = rawAcl[index];
Assert.True(ace == aceVerifier);
//verify right side aces are equal
Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));
//insert the same ACE to rawAclVerifier for next test
rawAclVerifier.InsertAce(index, ace);
//test insert at Count /2
sid = "BO";
ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
rawAcl.InsertAce(0, ace);
rawAclVerifier.InsertAce(0, ace);
count = rawAcl.Count;
index = count / 2;
sid = "SO";
ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]);
rawAcl.InsertAce(index, ace);
//verify the count number increase one
Assert.True(rawAcl.Count == count + 1);
//verify the inserted ace is equal to the originial ace
aceVerifier = rawAcl[index];
Assert.True(ace == aceVerifier);
//verify right side aces are equal
Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
//case 1, binaryForm is null
Assert.Throws<ArgumentNullException>(() =>
{
binaryForm = null;
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 2, binaryForm is empty
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[0];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 3, negative offset
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[100];
offset = -1;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 4, binaryForm length less than GenericAcl.HeaderLength
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[4];
offset = 0;
rawAcl = new RawAcl(binaryForm, offset);
});
//case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
//CustomAce constructor parameters
AceType aceType = 0;
AceFlags aceFlag = 0;
byte[] opaque = null;
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length
// = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace
// = 8 + ( 4 + OpaqueLength) * num_of_custom_ace
gAce = null;
sid = "BA";
//CustomAce constructor parameters
aceType = 0;
aceFlag = 0;
binaryForm = new byte[65536];
Assert.Throws<ArgumentException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
rawAcl.GetBinaryForm(binaryForm, 0);
//change the length bytes to 65535
binaryForm[2] = 0xf;
binaryForm[3] = 0xf;
//change the aceCount to 1
binaryForm[4] = 1;
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4];//GenericAcl.MaxBinaryLength = 65535, is not multiple of 4
gAce = new CustomAce(aceType, aceFlag, opaque);
gAce.GetBinaryForm(binaryForm, 8);
TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length);
});
//case 7, a valid binary representation with revision 255, 256 Access
//CommonAce to test the correctness of the process of the AceCount in the header
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 256; i++)
{
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
}
binaryForm = new byte[rawAcl.BinaryLength + 1000];
rawAcl.GetBinaryForm(binaryForm, 1000);
Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength));
//case 8, array containing garbage
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 9, array containing garbage
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
//binary form shows the length will be 1, actual length is 12
binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
//case 10, array containing garbage
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 };
TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12);
});
}
public static void RemoveAccessSpecific_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, remove one ACE from the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 2, remove the last one ACE from the DiscretionaryAcl
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 3, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
sid = "BA";
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestRemoveAccessSpecific
(discretionaryAcl, rawAcl,
(AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
byte[] binaryForm = null;
int offset = 0;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 3, a valid binary representation with revision 127, 1 CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 4, a valid binary representation with revision 1, 1 CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 5, a valid binary representation with revision 1, 1 ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));
//case 6, a valid binary representation with revision 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));
//case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
revision = 127;
capacity = 5;
rawAcl = new RawAcl(revision, capacity);
//SystemAudit CommonAce
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//Access Allowed CommonAce
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
//CustomAce
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)223; //all flags ored together
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
//CompoundAce
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
//ObjectAce
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.AccessAllowed;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
binaryForm = new byte[rawAcl.BinaryLength];
rawAcl.GetBinaryForm(binaryForm, 0);
Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
GenericAce verifierGAce = null;
string owner1 = "BO";
string owner2 = "BA";
string owner3 = "BG";
int index = 0;
// case 1, only one ACE, get at index 0
rawAcl = new RawAcl(1, 1);
index = 0;
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
//case 2, two ACEs, index at Count -1
rawAcl = new RawAcl(1, 2);
//208 has SuccessfulAccess, FailedAccess and Inherited
gAce = new CommonAce((AceFlags)208, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
//gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(owner2), false, null);
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(1, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
gAce = rawAcl[1];
index = systemAcl.Count - 1;
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
//case 3, only three ACEs, index at Count/2
rawAcl = new RawAcl(1, 3);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
rawAcl.InsertAce(0, gAce);
//208 has SuccessfulAccess, FailedAccess and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(1, gAce);
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null);
rawAcl.InsertAce(2, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
gAce = rawAcl[1];
index = systemAcl.Count / 2;
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
//case 4, 3 ACEs, test merge, index at Count -1
rawAcl = new RawAcl(1, 2);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(1, gAce);
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(2, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
gAce = rawAcl[1];
gAce.AceFlags = AceFlags.SuccessfulAccess | AceFlags.FailedAccess;
index = systemAcl.Count - 1;
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
}