/// <summary> /// Gets the security entity value. /// </summary> /// <param name="securityEntity">The security entity.</param> private static string GetSecurityEntityValue(SecurityEntity securityEntity) { switch (securityEntity) { case SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME: return "SeAssignPrimaryTokenPrivilege"; case SecurityEntity.SE_AUDIT_NAME: return "SeAuditPrivilege"; case SecurityEntity.SE_BACKUP_NAME: return "SeBackupPrivilege"; case SecurityEntity.SE_CHANGE_NOTIFY_NAME: return "SeChangeNotifyPrivilege"; case SecurityEntity.SE_CREATE_GLOBAL_NAME: return "SeCreateGlobalPrivilege"; case SecurityEntity.SE_CREATE_PAGEFILE_NAME: return "SeCreatePagefilePrivilege"; case SecurityEntity.SE_CREATE_PERMANENT_NAME: return "SeCreatePermanentPrivilege"; case SecurityEntity.SE_CREATE_SYMBOLIC_LINK_NAME: return "SeCreateSymbolicLinkPrivilege"; case SecurityEntity.SE_CREATE_TOKEN_NAME: return "SeCreateTokenPrivilege"; case SecurityEntity.SE_DEBUG_NAME: return "SeDebugPrivilege"; case SecurityEntity.SE_ENABLE_DELEGATION_NAME: return "SeEnableDelegationPrivilege"; case SecurityEntity.SE_IMPERSONATE_NAME: return "SeImpersonatePrivilege"; case SecurityEntity.SE_INC_BASE_PRIORITY_NAME: return "SeIncreaseBasePriorityPrivilege"; case SecurityEntity.SE_INCREASE_QUOTA_NAME: return "SeIncreaseQuotaPrivilege"; case SecurityEntity.SE_INC_WORKING_SET_NAME: return "SeIncreaseWorkingSetPrivilege"; case SecurityEntity.SE_LOAD_DRIVER_NAME: return "SeLoadDriverPrivilege"; case SecurityEntity.SE_LOCK_MEMORY_NAME: return "SeLockMemoryPrivilege"; case SecurityEntity.SE_MACHINE_ACCOUNT_NAME: return "SeMachineAccountPrivilege"; case SecurityEntity.SE_MANAGE_VOLUME_NAME: return "SeManageVolumePrivilege"; case SecurityEntity.SE_PROF_SINGLE_PROCESS_NAME: return "SeProfileSingleProcessPrivilege"; case SecurityEntity.SE_RELABEL_NAME: return "SeRelabelPrivilege"; case SecurityEntity.SE_REMOTE_SHUTDOWN_NAME: return "SeRemoteShutdownPrivilege"; case SecurityEntity.SE_RESTORE_NAME: return "SeRestorePrivilege"; case SecurityEntity.SE_SECURITY_NAME: return "SeSecurityPrivilege"; case SecurityEntity.SE_SHUTDOWN_NAME: return "SeShutdownPrivilege"; case SecurityEntity.SE_SYNC_AGENT_NAME: return "SeSyncAgentPrivilege"; case SecurityEntity.SE_SYSTEM_ENVIRONMENT_NAME: return "SeSystemEnvironmentPrivilege"; case SecurityEntity.SE_SYSTEM_PROFILE_NAME: return "SeSystemProfilePrivilege"; case SecurityEntity.SE_SYSTEMTIME_NAME: return "SeSystemtimePrivilege"; case SecurityEntity.SE_TAKE_OWNERSHIP_NAME: return "SeTakeOwnershipPrivilege"; case SecurityEntity.SE_TCB_NAME: return "SeTcbPrivilege"; case SecurityEntity.SE_TIME_ZONE_NAME: return "SeTimeZonePrivilege"; case SecurityEntity.SE_TRUSTED_CREDMAN_ACCESS_NAME: return "SeTrustedCredManAccessPrivilege"; case SecurityEntity.SE_UNDOCK_NAME: return "SeUndockPrivilege"; default: throw new ArgumentOutOfRangeException(typeof(SecurityEntity).Name); } }
public static void EnablePrivilege(SecurityEntity securityEntity) { var securityEntityValue = GetSecurityEntityValue(securityEntity); try { var locallyUniqueIdentifier = new NativeMethods.LUID(); if (NativeMethods.LookupPrivilegeValue(null, securityEntityValue, ref locallyUniqueIdentifier)) { var TOKEN_PRIVILEGES = new NativeMethods.TOKEN_PRIVILEGES(); TOKEN_PRIVILEGES.PrivilegeCount = 1; TOKEN_PRIVILEGES.Attributes = NativeMethods.SE_PRIVILEGE_ENABLED; TOKEN_PRIVILEGES.Luid = locallyUniqueIdentifier; var tokenHandle = IntPtr.Zero; try { var currentProcess = NativeMethods.GetCurrentProcess(); if (NativeMethods.OpenProcessToken(currentProcess, NativeMethods.TOKEN_ADJUST_PRIVILEGES | NativeMethods.TOKEN_QUERY, out tokenHandle)) { if (NativeMethods.AdjustTokenPrivileges(tokenHandle, false, ref TOKEN_PRIVILEGES, 1024, IntPtr.Zero, IntPtr.Zero)) { var lastError = Marshal.GetLastWin32Error(); if (lastError == NativeMethods.ERROR_NOT_ALL_ASSIGNED) { var win32Exception = new Win32Exception(); throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception); } } else { var win32Exception = new Win32Exception(); throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception); } } else { var win32Exception = new Win32Exception(); var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "OpenProcessToken failed. CurrentProcess: {0}", currentProcess.ToInt32()); throw new InvalidOperationException(exceptionMessage, win32Exception); } } finally { if (tokenHandle != IntPtr.Zero) { NativeMethods.CloseHandle(tokenHandle); } } } else { var win32Exception = new Win32Exception(); var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "LookupPrivilegeValue failed. SecurityEntityValue: {0}", securityEntityValue); throw new InvalidOperationException(exceptionMessage, win32Exception); } } catch (Exception e) { var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "GrandPrivilege failed. SecurityEntity: {0}", securityEntity); throw new InvalidOperationException(exceptionMessage, e); } }
/// <summary> /// Save SecurityEntries based on entityID /// </summary> /// <param name="responseEntity"></param> private BusinessMessageResponse SaveSecurityPermissionList(SecurityEntity responseEntity) { var response = new BusinessMessageResponse(); if (responseEntity.PermissionList != null && responseEntity.PermissionList.Count > 0) { try { //delete all existing ones first response = this.DeleteEntitySecurityEntry(new IDRequest(responseEntity.ID)); SaveListRequest<SecurityEntry> request = new SaveListRequest<SecurityEntry>(); request.List = new List<SecurityEntry>(); foreach (SecurityPermission sp in responseEntity.PermissionList) { SecurityEntry entry = sp.AssignToEntry(); entry.EntityID = responseEntity.ID; request.List.Add(entry); } response = this.SaveSecurityEntryList(request); } catch (Exception ex) { return ErrorHandler.Handle<BusinessMessageResponse>(ex); } } return response; }
private int Authenticate(string username, string password, LoginMode loginMode, int entityType, out SecurityEntity entity) { var db = ImardaDatabase.CreateDatabase(Util.GetConnName<SecurityEntity>()); using (IDataReader dr = db.ExecuteDataReader("SPGetSecurityEntityByLoginUserName", username,entityType)) { if (dr.Read()) { entity = GetFromData<SecurityEntity>(dr); //handle loginEnabled if (!entity.LoginEnabled && loginMode != LoginMode.IAC) { _Log.InfoFormat("User {0} is not login enabled", username); return AuthenticationResult.LoginDisabled; } else { var req = new SaveRequest<SecurityEntity>(entity); if (entity.Salt != Guid.Empty) { // Check new style password hash string storedHash = entity.LoginPassword; string calculatedHash = Convert.ToBase64String(AuthenticationHelper.ComputePasswordHash(entity.Salt, password)); if (storedHash != calculatedHash) { return AuthenticationResult.WrongPassword; } //else success } else { // Check old style password hash and upgrade to new style string saltyPassword = AuthenticationHelper.ComputeHashOldStyle(username, password); if (entity.LoginPassword != saltyPassword) { return AuthenticationResult.WrongPassword; } else { // upgrade req.SetFlag("UpdatePassword", true); entity.LoginPassword = password; // tricky: plain text will be hashed in SaveUserSecurityEntity // success } } entity.LastLogonDate = DateTime.UtcNow; SaveUserSecurityEntity(req); return AuthenticationResult.Success; } } entity = null; return AuthenticationResult.SecurityEntityNotFound; } }
internal PermissionChange(SecurityEntity entity, AceInfo entry) : this(entity, entry.IdentityId, entry.EntryType, entry.AllowBits, entry.DenyBits) { }
/// <summary> /// Get SecurityEntries based on entityID /// </summary> /// <param name="responseEntity"></param> private List<SecurityPermission> GetSecurityPermissionList(Guid applicationID, SecurityEntity entity) { List<SecurityPermission> permissions = new List<SecurityPermission>(); if (entity != null) { GetPermissions(applicationID, entity.ID, ref permissions); if (entity.ImmediateParentsIds != null) { foreach (Guid parentID in entity.ImmediateParentsIds) { GetPermissions(applicationID, parentID, ref permissions); } } } return permissions; }
/// <summary> /// Gets the security entity value. /// </summary> /// <param name="securityEntity">The security entity.</param> private static string GetSecurityEntityValue(SecurityEntity securityEntity) { switch (securityEntity) { case SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME: return("SeAssignPrimaryTokenPrivilege"); case SecurityEntity.SE_AUDIT_NAME: return("SeAuditPrivilege"); case SecurityEntity.SE_BACKUP_NAME: return("SeBackupPrivilege"); case SecurityEntity.SE_CHANGE_NOTIFY_NAME: return("SeChangeNotifyPrivilege"); case SecurityEntity.SE_CREATE_GLOBAL_NAME: return("SeCreateGlobalPrivilege"); case SecurityEntity.SE_CREATE_PAGEFILE_NAME: return("SeCreatePagefilePrivilege"); case SecurityEntity.SE_CREATE_PERMANENT_NAME: return("SeCreatePermanentPrivilege"); case SecurityEntity.SE_CREATE_SYMBOLIC_LINK_NAME: return("SeCreateSymbolicLinkPrivilege"); case SecurityEntity.SE_CREATE_TOKEN_NAME: return("SeCreateTokenPrivilege"); case SecurityEntity.SE_DEBUG_NAME: return("SeDebugPrivilege"); case SecurityEntity.SE_ENABLE_DELEGATION_NAME: return("SeEnableDelegationPrivilege"); case SecurityEntity.SE_IMPERSONATE_NAME: return("SeImpersonatePrivilege"); case SecurityEntity.SE_INC_BASE_PRIORITY_NAME: return("SeIncreaseBasePriorityPrivilege"); case SecurityEntity.SE_INCREASE_QUOTA_NAME: return("SeIncreaseQuotaPrivilege"); case SecurityEntity.SE_INC_WORKING_SET_NAME: return("SeIncreaseWorkingSetPrivilege"); case SecurityEntity.SE_LOAD_DRIVER_NAME: return("SeLoadDriverPrivilege"); case SecurityEntity.SE_LOCK_MEMORY_NAME: return("SeLockMemoryPrivilege"); case SecurityEntity.SE_MACHINE_ACCOUNT_NAME: return("SeMachineAccountPrivilege"); case SecurityEntity.SE_MANAGE_VOLUME_NAME: return("SeManageVolumePrivilege"); case SecurityEntity.SE_PROF_SINGLE_PROCESS_NAME: return("SeProfileSingleProcessPrivilege"); case SecurityEntity.SE_RELABEL_NAME: return("SeRelabelPrivilege"); case SecurityEntity.SE_REMOTE_SHUTDOWN_NAME: return("SeRemoteShutdownPrivilege"); case SecurityEntity.SE_RESTORE_NAME: return("SeRestorePrivilege"); case SecurityEntity.SE_SECURITY_NAME: return("SeSecurityPrivilege"); case SecurityEntity.SE_SHUTDOWN_NAME: return("SeShutdownPrivilege"); case SecurityEntity.SE_SYNC_AGENT_NAME: return("SeSyncAgentPrivilege"); case SecurityEntity.SE_SYSTEM_ENVIRONMENT_NAME: return("SeSystemEnvironmentPrivilege"); case SecurityEntity.SE_SYSTEM_PROFILE_NAME: return("SeSystemProfilePrivilege"); case SecurityEntity.SE_SYSTEMTIME_NAME: return("SeSystemtimePrivilege"); case SecurityEntity.SE_TAKE_OWNERSHIP_NAME: return("SeTakeOwnershipPrivilege"); case SecurityEntity.SE_TCB_NAME: return("SeTcbPrivilege"); case SecurityEntity.SE_TIME_ZONE_NAME: return("SeTimeZonePrivilege"); case SecurityEntity.SE_TRUSTED_CREDMAN_ACCESS_NAME: return("SeTrustedCredManAccessPrivilege"); case SecurityEntity.SE_UNDOCK_NAME: return("SeUndockPrivilege"); default: throw new ArgumentOutOfRangeException(typeof(SecurityEntity).Name); } }
/// <summary> /// Initializes a new instance of the <see cref="SecurityViewModel"/> class /// with a specific <see cref="SecurityRoleInfo"/> instance. /// </summary> /// <param name="securityEntity">The <see cref="SecurityEntity"/> instance.</param> /// <param name="roles">The <see cref="SecurityRoleInfo"/> list.</param> protected SecurityViewModel(SecurityEntity securityEntity, IEnumerable <SecurityRoleInfo> roles) : this(securityEntity, roles.SelectMany(r => r.Policies)) { }
public static void EnablePrivilege(SecurityEntity securityEntity) { if (!Enum.IsDefined(typeof(SecurityEntity), securityEntity)) { throw new InvalidEnumArgumentException("securityEntity", (int)securityEntity, typeof(SecurityEntity)); } var securityEntityValue = GetSecurityEntityValue(securityEntity); try { var locallyUniqueIdentifier = new NativeMethods.LUID(); if (NativeMethods.LookupPrivilegeValue(null, securityEntityValue, ref locallyUniqueIdentifier)) { var TOKEN_PRIVILEGES = new NativeMethods.TOKEN_PRIVILEGES(); TOKEN_PRIVILEGES.PrivilegeCount = 1; TOKEN_PRIVILEGES.Attributes = NativeMethods.SE_PRIVILEGE_ENABLED; TOKEN_PRIVILEGES.Luid = locallyUniqueIdentifier; var tokenHandle = IntPtr.Zero; try { var currentProcess = NativeMethods.GetCurrentProcess(); if (NativeMethods.OpenProcessToken(currentProcess, NativeMethods.TOKEN_ADJUST_PRIVILEGES | NativeMethods.TOKEN_QUERY, out tokenHandle)) { if (NativeMethods.AdjustTokenPrivileges(tokenHandle, false, ref TOKEN_PRIVILEGES, 1024, IntPtr.Zero, IntPtr.Zero)) { var lastError = Marshal.GetLastWin32Error(); if (lastError == NativeMethods.ERROR_NOT_ALL_ASSIGNED) { var win32Exception = new Win32Exception(); throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception); } } else { var win32Exception = new Win32Exception(); throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception); } } else { var win32Exception = new Win32Exception(); var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "OpenProcessToken failed. CurrentProcess: {0}", currentProcess.ToInt32()); throw new InvalidOperationException(exceptionMessage, win32Exception); } } finally { if (tokenHandle != IntPtr.Zero) { NativeMethods.CloseHandle(tokenHandle); } } } else { var win32Exception = new Win32Exception(); var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "LookupPrivilegeValue failed. SecurityEntityValue: {0}", securityEntityValue); throw new InvalidOperationException(exceptionMessage, win32Exception); } } catch (Exception e) { var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "GrandPrivilege failed. SecurityEntity: {0}", securityEntityValue); throw new InvalidOperationException(exceptionMessage, e); } }
internal static bool IsInTree(SecurityContext ctx, SecurityEntity descendant, int ancestorId) { return(ctx.IsEntityInTree(descendant, ancestorId)); }
internal static bool HasAncestorRelation(SecurityContext ctx, SecurityEntity entity1, SecurityEntity entity2) { if (entity1 == null || entity2 == null) { return(false); } return(ctx.IsEntityInTree(entity2, entity1.Id) || ctx.IsEntityInTree(entity1, entity2.Id)); }
internal static bool IsInTree(SecurityContext ctx, int descendantId, int ancestorId) { var entities = SecurityEntity.PeekEntities(ctx, descendantId); return(IsInTree(ctx, entities[0], ancestorId)); }
internal static bool HasAncestorRelation(SecurityContext ctx, int entityId1, int entityId2) { var entities = SecurityEntity.PeekEntities(ctx, entityId1, entityId2); return(HasAncestorRelation(ctx, entities[0], entities[1])); }