/// <summary>
/// Adds to <paramref name="ps"/> the identity permission produced by each host
/// evidence object that implements <see cref="IIdentityPermissionFactory"/>.
/// Nothing is added when <paramref name="ps"/> is already unrestricted.
/// </summary>
/// <param name="ps">Grant set to extend in place.</param>
/// <param name="evidence">Evidence whose host entries are consulted.</param>
internal static void ResolveIdentityPermissions(PermissionSet ps, Evidence evidence)
{
    if (ps.IsUnrestricted())
    {
        return;
    }

    // Only host evidence is consulted (GetHostEnumerator), never assembly evidence.
    IEnumerator hosts = evidence.GetHostEnumerator();
    while (hosts.MoveNext())
    {
        IIdentityPermissionFactory factory = hosts.Current as IIdentityPermissionFactory;
        if (factory == null)
        {
            continue;
        }

        // The factory decides which identity permission fits this evidence.
        ps.AddPermission(factory.CreateIdentityPermission(evidence));
    }
}
/// <summary>
/// Extends <paramref name="ps"/> with the identity permission of every host
/// evidence object that is an <see cref="IIdentityPermissionFactory"/>.
/// </summary>
/// <param name="ps">Grant set modified in place; left untouched when unrestricted.</param>
/// <param name="evidence">Evidence whose host entries are consulted.</param>
internal static void ResolveIdentityPermissions(PermissionSet ps, Evidence evidence)
{
    // Since 2.0 a set carrying identity permissions may itself be unrestricted;
    // such a set gets nothing added here.
    if (ps.IsUnrestricted())
    {
        return;
    }

    // Only host evidence is used for policy resolution.
    for (IEnumerator host = evidence.GetHostEnumerator(); host.MoveNext(); )
    {
        IIdentityPermissionFactory factory = host.Current as IIdentityPermissionFactory;
        if (factory != null)
        {
            ps.AddPermission(factory.CreateIdentityPermission(evidence));
        }
    }
}
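// -rsp assemblyname
// -resolveperm assemblyname
//
// Resolves the permission set that CAS policy grants to the named assembly,
// prints each level as it is resolved and finally the grant as XML.
// Returns false when no evidence can be obtained for the assembly or when the
// resolved grant is empty (nothing is printed in that case), true otherwise.
static bool ResolvePermissions(string assemblyname)
{
    Evidence ev = GetAssemblyEvidences(assemblyname);
    if (ev == null)
    {
        return false;
    }

    Console.WriteLine();

    // Either the full policy hierarchy ("default" here means every level) or
    // the levels the user selected explicitly.
    PermissionSet ps = policyLevelDefault
        ? IntersectPolicyLevels(SecurityManager.PolicyHierarchy(), ev)
        : IntersectPolicyLevels(Levels.GetEnumerator(), ev);
    if (ps == null)
    {
        return false;
    }

    AddHostIdentityPermissions(ps, ev);

    Console.WriteLine("{0}Grant:{0}{1}", Environment.NewLine, ps.ToXml().ToString());
    return true;
}

// Resolves every level in `levels` (in enumeration order) against `ev` and
// intersects the resulting permission sets. Returns null when no level was
// enumerated or when the intersection became empty.
static PermissionSet IntersectPolicyLevels(IEnumerator levels, Evidence ev)
{
    PermissionSet ps = null;
    bool firstLevel = true;

    while (levels.MoveNext())
    {
        PolicyLevel pl = (PolicyLevel)levels.Current;
        Console.WriteLine("Resolving {0} level", pl.Label);

        PermissionSet levelGrant = pl.Resolve(ev).PermissionSet;
        if (firstLevel)
        {
            ps = levelGrant;
            firstLevel = false;
        }
        else if (ps != null)
        {
            // PermissionSet.Intersect yields null for an empty result. Tracking
            // "first level" separately from "ps == null" keeps an empty
            // intersection empty instead of restarting from the next level's
            // grant, which would report a wider grant than policy allows.
            ps = ps.Intersect(levelGrant);
        }
    }

    return ps;
}

// Adds the identity permission created by each host evidence object that
// implements IIdentityPermissionFactory to `ps`. Factories that return null
// contribute nothing.
static void AddHostIdentityPermissions(PermissionSet ps, Evidence ev)
{
    IEnumerator hosts = ev.GetHostEnumerator();
    while (hosts.MoveNext())
    {
        IIdentityPermissionFactory ipf = hosts.Current as IIdentityPermissionFactory;
        if (ipf == null)
        {
            continue;
        }

        IPermission p = ipf.CreateIdentityPermission(ev);
        if (p != null)
        {
            ps.AddPermission(p);
        }
    }
}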
/// <summary>
/// Resolves <paramref name="evidence"/> against the configured policy levels
/// and returns the intersected grant, extended with identity permissions from
/// host evidence.
/// </summary>
/// <param name="evidence">Evidence to resolve.</param>
/// <param name="systemPolicy">
/// When true the AppDomain level is excluded from the walk; when false the
/// "IgnoreSystemPolicy" AppDomain data slot (if set) restricts the walk to the
/// AppDomain level only.
/// </param>
/// <returns>The resolved grant; an empty set when no level contributed.</returns>
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
    // Serialized once here and reused by every level's Resolve call.
    char[] serializedEvidence = MakeEvidenceArray(evidence, false);
    int evidenceCount = evidence.Count;
    bool ignoreSystemLevels = AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null;

    // null stands for "all possible" until the first level contributes a set.
    PermissionSet grant = null;
    bool appDomainLevelPending = false;

    IEnumerator levels = PolicyLevels.GetEnumerator();
    while (levels.MoveNext())
    {
        PolicyLevel level = (PolicyLevel)levels.Current;
        bool isAppDomainLevel = level.Type == PolicyLevelType.AppDomain;

        bool excluded = systemPolicy
            ? isAppDomainLevel
            : (ignoreSystemLevels && !isAppDomainLevel);
        if (excluded)
        {
            continue;
        }

        PolicyStatement statement = level.Resolve(evidence, evidenceCount, serializedEvidence);
        if (grant == null)
        {
            // The first statement's PermissionSet is a copy, so later
            // in-place intersections cannot disturb the policy statement.
            grant = statement.PermissionSet;
        }
        else
        {
            grant.InplaceIntersect(statement.GetPermissionSetNoCopy());
        }

        if (grant == null || grant.FastIsEmpty())
        {
            break;
        }

        bool levelFinal =
            (statement.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal;
        if (levelFinal)
        {
            // A LevelFinal statement below the AppDomain level still leaves
            // the AppDomain level to be applied afterwards.
            appDomainLevelPending = !isAppDomainLevel;
            break;
        }
    }

    if (grant != null && appDomainLevelPending)
    {
        // Search from the end for the AppDomain level and apply it once.
        for (int i = PolicyLevels.Count - 1; i >= 0; --i)
        {
            PolicyLevel candidate = (PolicyLevel)PolicyLevels[i];
            if (candidate.Type != PolicyLevelType.AppDomain)
            {
                continue;
            }

            PolicyStatement appDomainStatement = candidate.Resolve(evidence, evidenceCount, serializedEvidence);
            grant.InplaceIntersect(appDomainStatement.GetPermissionSetNoCopy());
            break;
        }
    }

    if (grant == null)
    {
        grant = new PermissionSet(PermissionState.None);
    }

    // Host evidence implementing IIdentityPermissionFactory contributes an
    // identity permission, unless the grant is unrestricted and full trust is
    // treated as genuinely unrestricted.
    if (!CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || !grant.IsUnrestricted())
    {
        IEnumerator hosts = evidence.GetHostEnumerator();
        while (hosts.MoveNext())
        {
            IIdentityPermissionFactory factory = hosts.Current as IIdentityPermissionFactory;
            if (factory == null)
            {
                continue;
            }

            IPermission identity = factory.CreateIdentityPermission(evidence);
            if (identity != null)
            {
                grant.AddPermission(identity);
            }
        }
    }

    grant.IgnoreTypeLoadFailures = true;
    return grant;
}
/// <summary>
/// Resolves <paramref name="evidence"/> against the policy levels (legacy CAS
/// policy only) and returns the intersected grant plus identity permissions
/// from host evidence.
/// </summary>
/// <param name="evidence">Evidence to resolve.</param>
/// <param name="systemPolicy">
/// True excludes the AppDomain level; false honours the "IgnoreSystemPolicy"
/// AppDomain data slot, which restricts the walk to the AppDomain level.
/// </param>
/// <returns>The resolved grant; an empty set when no level contributed.</returns>
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
    Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled);

    // Standard policy mostly evaluates Zone, StrongName and Url. Forcing them
    // to be generated first makes the serialized evidence usable as a cache key.
    evidence.GetHostEvidence<Zone>();
    evidence.GetHostEvidence<StrongName>();
    evidence.GetHostEvidence<Url>();
    byte[] serializedEvidence = evidence.RawSerialize();
    int rawCount = evidence.RawCount;

    bool onlyAppDomainLevel = AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null;

    // null stands for "all possible" until the first level contributes.
    PermissionSet grant = null;
    bool pendingAppDomainLevel = false;

    foreach (PolicyLevel level in PolicyLevels)
    {
        if (ShouldSkipPolicyLevel(level, systemPolicy, onlyAppDomainLevel))
        {
            continue;
        }

        PolicyStatement statement = level.Resolve(evidence, rawCount, serializedEvidence);
        if (grant == null)
        {
            // PermissionSet hands out a copy, so in-place intersection below is safe.
            grant = statement.PermissionSet;
        }
        else
        {
            grant.InplaceIntersect(statement.GetPermissionSetNoCopy());
        }

        if (grant == null || grant.FastIsEmpty())
        {
            break;
        }

        if ((statement.Attributes & PolicyStatementAttribute.LevelFinal) != PolicyStatementAttribute.LevelFinal)
        {
            continue;
        }

        // LevelFinal ends the walk; the AppDomain level is still applied
        // afterwards unless this final level was the AppDomain level itself.
        pendingAppDomainLevel = level.Type != PolicyLevelType.AppDomain;
        break;
    }

    if (grant != null && pendingAppDomainLevel)
    {
        PolicyLevel appDomainLevel = null;
        for (int i = PolicyLevels.Count - 1; i >= 0 && appDomainLevel == null; --i)
        {
            PolicyLevel candidate = (PolicyLevel)PolicyLevels[i];
            if (candidate.Type == PolicyLevelType.AppDomain)
            {
                appDomainLevel = candidate;
            }
        }

        if (appDomainLevel != null)
        {
            PolicyStatement appDomainStatement = appDomainLevel.Resolve(evidence, rawCount, serializedEvidence);
            grant.InplaceIntersect(appDomainStatement.GetPermissionSetNoCopy());
        }
    }

    if (grant == null)
    {
        grant = new PermissionSet(PermissionState.None);
    }

    // Host evidence that is an IIdentityPermissionFactory adds its identity
    // permission; an unrestricted grant gets nothing added.
    if (!grant.IsUnrestricted())
    {
        AddHostIdentityPermissions(grant, evidence);
    }

    grant.IgnoreTypeLoadFailures = true;
    return grant;
}

// True when `level` must be left out of the policy walk: system policy skips
// the AppDomain level; the "IgnoreSystemPolicy" switch skips everything else.
private static bool ShouldSkipPolicyLevel(PolicyLevel level, bool systemPolicy, bool onlyAppDomainLevel)
{
    bool isAppDomainLevel = level.Type == PolicyLevelType.AppDomain;
    if (systemPolicy)
    {
        return isAppDomainLevel;
    }

    return onlyAppDomainLevel && !isAppDomainLevel;
}

// Adds the non-null identity permission produced by each host evidence
// object implementing IIdentityPermissionFactory to `grant`.
private static void AddHostIdentityPermissions(PermissionSet grant, Evidence evidence)
{
    IEnumerator hosts = evidence.GetHostEnumerator();
    while (hosts.MoveNext())
    {
        IIdentityPermissionFactory factory = hosts.Current as IIdentityPermissionFactory;
        if (factory == null)
        {
            continue;
        }

        IPermission identity = factory.CreateIdentityPermission(evidence);
        if (identity != null)
        {
            grant.AddPermission(identity);
        }
    }
}
/// <summary>
/// Resolves <paramref name="evidence"/> against this manager's policy levels
/// and returns the intersected grant, extended with identity permissions
/// derived from host evidence.
/// </summary>
/// <param name="evidence">Evidence to resolve.</param>
/// <param name="systemPolicy">
/// True leaves out the AppDomain level; false lets the "IgnoreSystemPolicy"
/// AppDomain data slot restrict the walk to the AppDomain level.
/// </param>
/// <returns>The resolved grant; an empty set when no level contributed.</returns>
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
    // Materialize the commonly evaluated host evidence before serializing.
    evidence.GetHostEvidence<Zone>();
    evidence.GetHostEvidence<StrongName>();
    evidence.GetHostEvidence<Url>();
    byte[] evidenceBytes = evidence.RawSerialize();
    int evidenceCount = evidence.RawCount;

    bool ignoreSystemLevels = AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null;
    bool applyAppDomainLevelLast = false;

    // null means "all possible" until the first resolved level replaces it.
    PermissionSet grant = null;

    IEnumerator levelEnumerator = this.PolicyLevels.GetEnumerator();
    while (levelEnumerator.MoveNext())
    {
        PolicyLevel level = (PolicyLevel)levelEnumerator.Current;
        bool isAppDomain = level.Type == PolicyLevelType.AppDomain;

        // System policy excludes the AppDomain level; the legacy switch keeps
        // only the AppDomain level. (Replaces the decompiler's goto.)
        if (systemPolicy ? isAppDomain : (ignoreSystemLevels && !isAppDomain))
        {
            continue;
        }

        PolicyStatement statement = level.Resolve(evidence, evidenceCount, evidenceBytes);
        if (grant == null)
        {
            grant = statement.PermissionSet;
        }
        else
        {
            grant.InplaceIntersect(statement.GetPermissionSetNoCopy());
        }

        if (grant == null || grant.FastIsEmpty())
        {
            break;
        }

        bool levelFinal =
            (statement.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal;
        if (levelFinal)
        {
            // A final non-AppDomain level still gets narrowed by the AppDomain level.
            applyAppDomainLevelLast = !isAppDomain;
            break;
        }
    }

    if (grant != null && applyAppDomainLevelLast)
    {
        // Locate the AppDomain level searching from the end of the list.
        for (int i = this.PolicyLevels.Count - 1; i >= 0; i--)
        {
            PolicyLevel candidate = (PolicyLevel)this.PolicyLevels[i];
            if (candidate.Type == PolicyLevelType.AppDomain)
            {
                grant.InplaceIntersect(
                    candidate.Resolve(evidence, evidenceCount, evidenceBytes).GetPermissionSetNoCopy());
                break;
            }
        }
    }

    if (grant == null)
    {
        grant = new PermissionSet(PermissionState.None);
    }

    // Identity permissions from host evidence; skipped for an unrestricted grant.
    if (!grant.IsUnrestricted())
    {
        IEnumerator hosts = evidence.GetHostEnumerator();
        while (hosts.MoveNext())
        {
            IIdentityPermissionFactory factory = hosts.Current as IIdentityPermissionFactory;
            if (factory == null)
            {
                continue;
            }

            IPermission identity = factory.CreateIdentityPermission(evidence);
            if (identity != null)
            {
                grant.AddPermission(identity);
            }
        }
    }

    grant.IgnoreTypeLoadFailures = true;
    return grant;
}
/// <summary>
/// Resolves the grant for <paramref name="evidence"/> by intersecting the
/// permission set of every level in <c>m_levels</c>, then narrowing by
/// <paramref name="request"/> when one is given, and finally adding the
/// identity permissions produced by host evidence.
/// </summary>
/// <param name="evidence">Evidence the policy levels are resolved against.</param>
/// <param name="request">Optional requested set; when non-null the grant is intersected with it.</param>
/// <returns>The resolved grant set.</returns>
public PermissionSet Resolve(Evidence evidence, PermissionSet request)
{
#if _DEBUG
    // Debug-only dump of every evidence object whose type has a ToXml() we know about.
    if (debug)
    {
        DEBUG_OUT("PolicyManager::Resolve");
        IEnumerator evidenceEnumerator = evidence.GetEnumerator();
        DEBUG_OUT("Evidence:");
        while (evidenceEnumerator.MoveNext())
        {
            Object obj = evidenceEnumerator.Current;
            if (obj is Site)
            {
                DEBUG_OUT(((Site)obj).ToXml().ToString());
            }
            else if (obj is Zone)
            {
                DEBUG_OUT(((Zone)obj).ToXml().ToString());
            }
            else if (obj is Url)
            {
                DEBUG_OUT(((Url)obj).ToXml().ToString());
            }
            else if (obj is StrongName)
            {
                DEBUG_OUT(((StrongName)obj).ToXml().ToString());
            }
            else if (obj is PermissionRequestEvidence)
            {
                DEBUG_OUT(((PermissionRequestEvidence)obj).ToXml().ToString());
            }
        }
    }
#endif
    // We set grant to null to represent "AllPossible"
    PermissionSet grant = null;
    PolicyStatement policy;
    PolicyLevel currentLevel = null;
    IEnumerator levelEnumerator = m_levels.GetEnumerator();
    // Evidence is serialized once and reused by each level's Resolve call.
    char[] serializedEvidence = MakeEvidenceArray(evidence, false);
    int count = evidence.Count;
    bool testApplicationLevels = false;
    while (levelEnumerator.MoveNext())
    {
        currentLevel = (PolicyLevel)levelEnumerator.Current;
        policy = currentLevel.Resolve(evidence, count, serializedEvidence);
        // If the grant is "AllPossible", the intersection is just the other permission set.
        // Otherwise, do an inplace intersection (since we know we can alter the grant set since
        // it is a copy of the first policy statement's permission set).
        if (grant == null)
        {
            grant = policy.PermissionSet;
        }
        else
        {
            // An exception somewhere in here means that a permission
            // failed some operation. This simply means that it will be
            // dropped from the grant set which is safe operation that
            // can be ignored.
            // NOTE(review): the catch-all also hides every other failure inside
            // InplaceIntersect; how much of this level's narrowing is applied to
            // `grant` when that happens depends on how far the call got -- confirm.
            try
            {
                grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
            }
            catch (Exception)
            {
            }
        }
#if _DEBUG
        if (debug)
        {
            DEBUG_OUT("Level = " + currentLevel.Label);
            DEBUG_OUT("policy =\n" + policy.ToXml().ToString());
            DEBUG_OUT("grant so far =\n" + grant.ToXml().ToString());
        }
#endif
        // NOTE(review): relies on policy.PermissionSet having been non-null above -- confirm.
        if (grant.IsEmpty())
        {
            break;
        }
        else if ((policy.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal)
        {
            // LevelFinal stops the walk. Unless this final level is the
            // AppDomain level (matched by label here), the AppDomain level is
            // still applied below.
            if (!currentLevel.Label.Equals("AppDomain"))
            {
                testApplicationLevels = true;
            }
            break;
        }
    }
    if (testApplicationLevels)
    {
        // Search from the end for the level labelled "AppDomain".
        PolicyLevel appDomainLevel = null;
        for (int i = m_levels.Count - 1; i >= 0; --i)
        {
            currentLevel = (PolicyLevel)m_levels[i];
            if (currentLevel.Label.Equals("AppDomain"))
            {
                appDomainLevel = currentLevel;
                break;
            }
        }
        if (appDomainLevel != null)
        {
            // Unlike the per-level loop, this intersection is not wrapped in a try.
            policy = appDomainLevel.Resolve(evidence, count, serializedEvidence);
            grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
        }
    }
#if _DEBUG
    if (debug)
    {
        DEBUG_OUT("granted =\n" + grant.ToString());
        DEBUG_OUT("request =\n" + (request != null ? request.ToString() : "<null>"));
        DEBUG_OUT("awarded =\n" + (request != null ? grant.Intersect(request).ToString() : grant.ToString()));
    }
#endif
    // NOTE(review): a failure here is swallowed, which leaves `grant` not (or
    // only partly) narrowed by the request -- confirm that is intended.
    try
    {
        if (request != null)
        {
            grant.InplaceIntersect(request);
        }
    }
    catch (Exception)
    {
    }
#if _DEBUG
    if (debug)
    {
        DEBUG_OUT("granted after intersect w/ request =\n" + grant.ToString());
    }
#endif
    // Each piece of evidence can possibly create an identity permission that we
    // need to add to our grant set. Therefore, for all pieces of evidence that
    // implement the IIdentityPermissionFactory interface, ask it for its
    // adjoining identity permission and add it to the grant.
    IEnumerator enumerator = evidence.GetHostEnumerator();
    while (enumerator.MoveNext())
    {
        // A factory that throws is skipped, so its identity permission is
        // simply absent from the grant.
        try
        {
            Object obj = enumerator.Current;
            IIdentityPermissionFactory factory = obj as IIdentityPermissionFactory;
            if (factory != null)
            {
                IPermission perm = factory.CreateIdentityPermission(evidence);
                if (perm != null)
                {
                    grant.AddPermission(perm);
                }
            }
        }
        catch (Exception)
        {
        }
    }
#if _DEBUG
    if (debug)
    {
        DEBUG_OUT("awarded with identity =\n" + grant.ToString());
    }
#endif
    return(grant);
}
/// <summary>
/// Resolves <paramref name="evidence"/> against this manager's policy levels:
/// the per-level grants are intersected, the AppDomain level is applied after a
/// LevelFinal statement when needed, and host evidence identity permissions are
/// added to any grant that is not unrestricted.
/// </summary>
/// <param name="evidence">Evidence to resolve.</param>
/// <param name="systemPolicy">
/// True excludes the AppDomain level; false honours the "IgnoreSystemPolicy"
/// AppDomain data slot, which restricts the walk to the AppDomain level.
/// </param>
/// <returns>The resolved grant; an empty set when no level contributed.</returns>
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
    // Generate the usual host evidence before it is serialized for the levels.
    evidence.GetHostEvidence<Zone>();
    evidence.GetHostEvidence<StrongName>();
    evidence.GetHostEvidence<Url>();
    byte[] rawEvidence = evidence.RawSerialize();
    int rawEvidenceCount = evidence.RawCount;

    bool appDomainLevelOnly = AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null;
    bool appDomainLevelAfterFinal = false;

    // null represents "all possible" until a level contributes a set.
    PermissionSet grant = null;
    bool walkFinished = false;

    IEnumerator levels = this.PolicyLevels.GetEnumerator();
    while (!walkFinished && levels.MoveNext())
    {
        PolicyLevel level = (PolicyLevel)levels.Current;
        bool isAppDomainLevel = level.Type == PolicyLevelType.AppDomain;

        bool skip = systemPolicy
            ? isAppDomainLevel
            : (appDomainLevelOnly && !isAppDomainLevel);
        if (skip)
        {
            continue;
        }

        PolicyStatement statement = level.Resolve(evidence, rawEvidenceCount, rawEvidence);
        if (grant == null)
        {
            grant = statement.PermissionSet;
        }
        else
        {
            grant.InplaceIntersect(statement.GetPermissionSetNoCopy());
        }

        // An empty (or missing) grant cannot get any narrower.
        if (grant == null || grant.FastIsEmpty())
        {
            walkFinished = true;
            continue;
        }

        bool levelFinal =
            (statement.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal;
        if (levelFinal)
        {
            // The AppDomain level is still applied after a final non-AppDomain level.
            appDomainLevelAfterFinal = !isAppDomainLevel;
            walkFinished = true;
        }
    }

    if (grant != null && appDomainLevelAfterFinal)
    {
        PolicyLevel appDomainLevel = null;
        for (int index = this.PolicyLevels.Count - 1; index >= 0; --index)
        {
            PolicyLevel candidate = (PolicyLevel)this.PolicyLevels[index];
            if (candidate.Type == PolicyLevelType.AppDomain)
            {
                appDomainLevel = candidate;
                break;
            }
        }

        if (appDomainLevel != null)
        {
            PolicyStatement appDomainStatement = appDomainLevel.Resolve(evidence, rawEvidenceCount, rawEvidence);
            grant.InplaceIntersect(appDomainStatement.GetPermissionSetNoCopy());
        }
    }

    if (grant == null)
    {
        grant = new PermissionSet(PermissionState.None);
    }

    if (!grant.IsUnrestricted())
    {
        // Each host evidence object that is an IIdentityPermissionFactory may
        // contribute an identity permission.
        IEnumerator hosts = evidence.GetHostEnumerator();
        while (hosts.MoveNext())
        {
            IIdentityPermissionFactory factory = hosts.Current as IIdentityPermissionFactory;
            if (factory == null)
            {
                continue;
            }

            IPermission identity = factory.CreateIdentityPermission(evidence);
            if (identity != null)
            {
                grant.AddPermission(identity);
            }
        }
    }

    grant.IgnoreTypeLoadFailures = true;
    return grant;
}