IsSubsetOf() public method

public IsSubsetOf ( IPermission target ) : bool
target IPermission
return bool
        static private PermissionSet ResolvePolicy(Evidence evidence,
                                                   PermissionSet reqdPset,
                                                   PermissionSet optPset,
                                                   PermissionSet denyPset,
                                                   out PermissionSet denied,
                                                   bool checkExecutionPermission)
        {
            PermissionSet requested;
            PermissionSet optional;
            PermissionSet allowed;

            Exception savedException = null;

            // We don't want to recurse back into here as a result of a
            // stackwalk during resolution. So simply assert full trust (this
            // implies that custom permissions cannot use any permissions that
            // don't implement IUnrestrictedPermission.
            // PermissionSet.s_fullTrust.Assert();

            // The requested set is the union of the minimal request and the
            // optional request. Minimal request defaults to empty, optional
            // is "AllPossible" (includes any permission that can be defined)
            // which is symbolized by null.
            optional = optPset;

            if (reqdPset == null)
            {
                requested = optional;
            }
            else
            {
                // If optional is null, the requested set becomes null/"AllPossible".
                requested = optional == null ? null : reqdPset.Union(optional);
            }

            // Make sure that the right to execute is requested (if this feature is
            // enabled).

            if (requested != null && !requested.IsUnrestricted() && CheckExecution())
            {
                requested.AddPermission(executionSecurityPermission);
            }

            if (InitPolicy())
            {
                // If we aren't passed any evidence, just make an empty object
                // If we are passed evidence, copy it before passing it
                // to the policy manager.
                // Note: this is not a deep copy, the pieces of evidence within the
                // Evidence object can still be altered and affect the originals.

                if (evidence == null)
                {
                    evidence = new Evidence();
                }
                else
                {
                    evidence = evidence.ShallowCopy();
                }

                evidence.AddHost(new PermissionRequestEvidence(reqdPset, optPset, denyPset));

                // We need to make sure that no stray exceptions come out of Resolve so
                // we wrap it in a try block.

                try
                {
                    allowed = polmgr.Resolve(evidence, requested);
                }
                catch (Exception e)
                {
#if _DEBUG
                    if (debug)
                    {
                        DEBUG_OUT("Exception during resolve");
                        DEBUG_OUT(e.GetType().FullName);
                        DEBUG_OUT(e.Message);
                        DEBUG_OUT(e.StackTrace);
                    }
#endif

                    // If we get a policy exception, we are done are we are going to fail to
                    // load no matter what.

                    if (e is PolicyException)
                    {
                        throw e;
                    }

                    // If we get any other kid of exception, we set the allowed set to the
                    // empty set and continue processing as normal.  This allows assemblies
                    // that make no request to be loaded but blocks any assembly that
                    // makes a request from being loaded.  This seems like a valid design to
                    // me -- gregfee 6/19/2000

                    savedException = e;
                    allowed        = new PermissionSet();
                }
            }
            else
            {
                denied = null;
                return(null);
            }


#if _DEBUG
            if (debug)
            {
                DEBUG_OUT("ResolvePolicy:");
                IEnumerator enumerator = evidence.GetEnumerator();
                DEBUG_OUT("Evidence:");
                while (enumerator.MoveNext())
                {
                    Object obj = enumerator.Current;
                    if (obj is Site)
                    {
                        DEBUG_OUT(((Site)obj).ToXml().ToString());
                    }
                    else if (obj is Zone)
                    {
                        DEBUG_OUT(((Zone)obj).ToXml().ToString());
                    }
                    else if (obj is Url)
                    {
                        DEBUG_OUT(((Url)obj).ToXml().ToString());
                    }
                    else if (obj is Publisher)
                    {
                        DEBUG_OUT(((Publisher)obj).ToXml().ToString());
                    }
                    else if (obj is StrongName)
                    {
                        DEBUG_OUT(((StrongName)obj).ToXml().ToString());
                    }
                    else if (obj is PermissionRequestEvidence)
                    {
                        DEBUG_OUT(((PermissionRequestEvidence)obj).ToXml().ToString());
                    }
                }
                DEBUG_OUT("Required permissions:");
                DEBUG_OUT(reqdPset != null ? reqdPset.ToString() : "<null>");
                DEBUG_OUT("Optional permissions:");
                DEBUG_OUT(optPset != null ? optPset.ToString() : "<null>");
                DEBUG_OUT("Denied permissions:");
                DEBUG_OUT(denyPset != null ? denyPset.ToString() : "<null>");
                DEBUG_OUT("Requested permissions:");
                DEBUG_OUT(requested != null ? requested.ToString() : "<null>");
                DEBUG_OUT("Granted permissions:");
                DEBUG_OUT(allowed != null ? allowed.ToString() : "<null>");
            }
#endif

            // Check that we were granted the right to execute.
            if (!allowed.IsUnrestricted() && checkExecutionPermission && CheckExecution())
            {
                SecurityPermission secPerm = (SecurityPermission)allowed.GetPermission(securityPermissionType);

                if (secPerm == null || !executionSecurityPermission.IsSubsetOf(secPerm))
                {
#if _DEBUG
                    DEBUG_OUT("No execute permission");
#endif
                    throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
                                              System.__HResults.CORSEC_E_NO_EXEC_PERM,
                                              savedException);
                }
            }

            // Check that we were granted at least the minimal set we asked for. Do
            // this before pruning away any overlap with the refused set so that
            // users have the flexability of defining minimal permissions that are
            // only expressable as set differences (e.g. allow access to "C:\" but
            // disallow "C:\Windows").
            if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
            {
#if _DEBUG
                DEBUG_OUT("Didn't get required permissions");
#endif
                throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"),
                                          System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
                                          savedException);
            }

            // Remove any granted permissions that are safe subsets of some denied
            // permission. The remaining denied permissions (if any) are returned
            // along with the modified grant set for use in checks.
            if (denyPset != null)
            {
                denied = denyPset.Copy();
                allowed.MergeDeniedSet(denied);
                if (denied.IsEmpty())
                {
                    denied = null;
                }
            }
            else
            {
                denied = null;
            }


#if _DEBUG
            if (debug)
            {
                DEBUG_OUT("Final denied permissions:");
                DEBUG_OUT(denied != null ? denied.ToString() : "<null>");
            }
#endif

            return(allowed);
        }
		public void IsSubset_Self ()
		{
			SecurityPermission sp = new SecurityPermission (PermissionState.None);
			foreach (SecurityPermissionFlag spf in AllFlags) {
				sp.Flags = spf;
				SecurityPermission result = (SecurityPermission)sp.Intersect (sp);
				Assert.IsTrue (sp.IsSubsetOf (sp), spf.ToString ());
			}
		}
		public void IsSubset_Unrestricted () 
		{
			// IsSubset with unrestricted
			// a. source (this) is unrestricted -> target is never a subset
			SecurityPermission sp1 = new SecurityPermission (PermissionState.Unrestricted);
			SecurityPermission sp2 = new SecurityPermission (PermissionState.None);
			foreach (SecurityPermissionFlag spf in AllFlagsExceptAllFlags) {
				sp2.Flags = spf;
				Assert.IsFalse (sp1.IsSubsetOf (sp2), "target " + spf.ToString ());
			}
			// exception of AllFlags
			sp2.Flags = SecurityPermissionFlag.AllFlags;
			Assert.IsTrue (sp1.IsSubsetOf (sp2), "target AllFlags");
			// b. destination (target) is unrestricted -> target is always a subset
			foreach (SecurityPermissionFlag spf in AllFlags) {
				sp2.Flags = spf;
				Assert.IsTrue (sp2.IsSubsetOf (sp1), "source " + spf.ToString ());
			}
		}
		public void IsSubset_Null () 
		{
			SecurityPermission sp = new SecurityPermission (PermissionState.None);
			Assert.IsTrue (sp.IsSubsetOf (null), "NoFlags");
			foreach (SecurityPermissionFlag spf in AllFlagsExceptNoFlags) {
				sp.Flags = spf;
				Assert.IsFalse (sp.IsSubsetOf (null), spf.ToString ());
			}
		}