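/// <summary>
/// Enumerates the Central Access Rules (CARs) and Central Access Policies (CAPs) published under
/// CN=Claims Configuration,CN=Services,CN=Configuration of the given domain and returns the CAPs keyed by
/// their cn, each with its member rules resolved from the CAR distinguished names it references.
/// </summary>
/// <param name="domainName">DNS domain name (e.g. contoso.com). Its dot-separated labels become the DC= components of the search base.</param>
/// <param name="userName">Account used for the LDAP bind; it is prefixed with the first DNS label, upper-cased, as the NetBIOS domain.</param>
/// <param name="password">Password for <paramref name="userName"/>.</param>
/// <returns>Dictionary from CAP name (cn) to <see cref="CentralAccessPolicy"/>.</returns>
/// <exception cref="ArgumentException">Thrown when an argument is null/empty or the domain name has fewer than two labels.</exception>
/// <exception cref="KeyNotFoundException">Thrown when a CAP references a CAR that was not found under the search base.</exception>
protected Dictionary<string, CentralAccessPolicy> QueryCaps(string domainName, string userName, string password)
{
    if (string.IsNullOrEmpty(domainName))
    {
        throw new ArgumentException("Domain name must not be null or empty.", nameof(domainName));
    }
    if (string.IsNullOrEmpty(userName))
    {
        throw new ArgumentException("User name must not be null or empty.", nameof(userName));
    }
    if (password == null)
    {
        throw new ArgumentNullException(nameof(password));
    }

    var rules = new Dictionary<string, CentralAccessRule>();
    var policies = new Dictionary<string, CentralAccessPolicy>();

    string[] domainNameTokens = domainName.Split('.');
    // A single-label name would yield a search base with one DC= component, which is never a valid
    // configuration-partition DN; fail early with a clear message instead of an opaque LDAP error.
    if (domainNameTokens.Length < 2)
    {
        throw new ArgumentException("Domain name must have at least 2 dot-separated parts.", nameof(domainName));
    }

    // NOTE(review): assumes the NetBIOS domain name equals the first DNS label upper-cased. That is the common
    // case but is not guaranteed (the NetBIOS name is chosen independently at forest creation) — confirm for the test domain.
    string bindUser = $"{domainNameTokens[0].ToUpper()}\\{userName}";

    var searchBaseBuilder = new StringBuilder("CN=Claims Configuration,CN=Services,CN=Configuration");
    foreach (string token in domainNameTokens)
    {
        searchBaseBuilder.Append(",DC=").Append(token);
    }
    string searchBase = searchBaseBuilder.ToString();

    using (var conn = new LdapConnection())
    {
        // NOTE(review): this is a simple bind over plain LDAP (port 389) with no StartTls and no SSL flag set,
        // so the password crosses the network in cleartext unless the transport is protected by other means.
        // Prefer LDAPS (636 with SecureSocketLayer) or StartTls() before Bind() in anything but a lab network.
        conn.Connect(domainName, 389);
        conn.Bind(bindUser, password);

        // Pass 1: every CAR under the search base, keyed by its DN so CAP member references can be resolved.
        var ruleResults = conn.Search(
            searchBase,
            LdapConnection.ScopeSub,
            "(objectClass=msAuthz-CentralAccessRule)",
            new string[] { "cn", "distinguishedName", "msAuthz-EffectiveSecurityPolicy", "msAuthz-ResourceCondition" },
            false);

        foreach (KeyValuePair<string, IList<LdapAttribute>> entry in ruleResults.GetAllLdapEntries())
        {
            IList<LdapAttribute> attributes = entry.Value;
            var rule = new CentralAccessRule
            {
                Name = attributes.GetStringValueFromAttributes("cn"),
                // SDDL of the rule's effective (currently applied) permissions.
                Sddl = attributes.GetStringValueFromAttributes("msAuthz-EffectiveSecurityPolicy"),
                // Optional targeting expression; the helper is expected to return null/empty when the attribute is absent.
                ResourceCondition = attributes.GetStringValueFromAttributes("msAuthz-ResourceCondition")
            };
            rules.Add(attributes.GetStringValueFromAttributes("distinguishedName"), rule);
        }

        // Pass 2: every CAP, with its binary policy ID and the DNs of its member CARs.
        var policyResults = conn.Search(
            searchBase,
            LdapConnection.ScopeSub,
            "(objectClass=msAuthz-CentralAccessPolicy)",
            new string[] { "cn", "msAuthz-CentralAccessPolicyID", "msAuthz-MemberRulesInCentralAccessPolicy" },
            false);

        foreach (KeyValuePair<string, IList<LdapAttribute>> entry in policyResults.GetAllLdapEntries())
        {
            IList<LdapAttribute> attributes = entry.Value;
            string capName = attributes.GetStringValueFromAttributes("cn");

            // The CAP ID is stored as a binary SID; it is the value later stamped into a resource's SACL.
            byte[] capIdBytes = (byte[])attributes.GetBytesValueFromAttributes("msAuthz-CentralAccessPolicyID")[0];

            var policy = new CentralAccessPolicy();
            policy.Name = capName;
            policy.Id = TypeMarshal.ToStruct<_SID>(capIdBytes);

            IList<string> memberRuleDns = attributes.GetStringListValueFromAttributes("msAuthz-MemberRulesInCentralAccessPolicy");
            foreach (string ruleDn in memberRuleDns)
            {
                CentralAccessRule rule;
                if (!rules.TryGetValue(ruleDn, out rule))
                {
                    // Same exception type as the original indexer lookup, but it names the dangling reference.
                    throw new KeyNotFoundException(
                        $"Central Access Policy '{capName}' references rule '{ruleDn}', which was not found under '{searchBase}'.");
                }
                policy.MemberRules.Add(rule);
            }

            policies.Add(capName, policy);
        }

        conn.Disconnect();
    }

    return policies;
}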
/// <summary>
/// Applies the named Central Access Policy to the CBAC test share by writing its CAP ID into the
/// share's SACL through <c>SetCap</c>.
/// </summary>
/// <param name="capName">Key into <c>caps</c>. A name the CAP query did not return throws <see cref="KeyNotFoundException"/> before anything is written.</param>
private void SetCentralAccessPolicy(string capName)
{
    BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Central Access Policy: {0} to the share: {1}", capName, CBACShareUncPath);

    // Look the policy up once; the missing-key exception surfaces here, ahead of the share write.
    var policy = caps[capName];
    BaseTestSite.Log.Add(LogEntryKind.Debug, "Policy info: {0}", policy);

    base.SetCap(CBACShareUncPath, policy.Id);
}
/// <summary>
/// Negative case: the user's SID does not appear in the file's security descriptor at all, so a read
/// attempt must be refused. The SID is resolved only to make the failure message self-describing.
/// </summary>
public void FilePermission_AccessDeny_SidNoInclude()
{
    _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

    bool readSucceeded = TryReadFile();
    string sidText = DtypUtility.ToSddlString(userSid);

    BaseTestSite.Assert.IsFalse(
        readSucceeded,
        "User SID ({0}) is not in file Security Descriptor. User should not be able to read the file.",
        sidText);
}
/// <summary>
/// Negative case: the user's SID is absent from the folder's security descriptor, so connecting to the
/// share must fail. The SID lookup uses the configured (privileged) account and is only needed for the message.
/// </summary>
public void FolderPermission_AccessDeny_SidNoInclude()
{
    _SID userSid = DtypUtility.GetSidFromAccount(
        TestConfig.DomainName,
        azUser01Name,
        testConfig.UserName,
        testConfig.UserPassword);

    bool shareAccessible = AccessShare();

    BaseTestSite.Assert.IsFalse(
        shareAccessible,
        "User SID ({0}) is not in folder Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Negative case (SUT-adapter variant): the user's SID is not present in the file's security descriptor,
/// so the read must be denied. The SID comes from the SUT control adapter and is used for the message only.
/// </summary>
public void FilePermission_AccessDeny_SidNoInclude()
{
    _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

    bool readSucceeded = TryReadFile();

    BaseTestSite.Assert.IsFalse(
        readSucceeded,
        "User SID ({0}) is not in file Security Descriptor. User should not be able to read the file.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Positive case: an ACCESS_ALLOWED_ACE granting GENERIC_READ to the user's own SID is placed in the
/// file's security descriptor, after which the user must be able to read the file.
/// </summary>
public void BVT_FilePermission_AccessAllow_UserSid()
{
    _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

    object allowRead = DtypUtility.CreateAccessAllowedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
    SetSecurityDescriptorOnFile(allowRead);

    bool readSucceeded = TryReadFile();

    BaseTestSite.Assert.IsTrue(
        readSucceeded,
        "ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Negative case: an ACCESS_DENIED_ACE for GENERIC_READ on the user's SID is written to the share folder's
/// security descriptor, after which connecting to the share must fail.
/// </summary>
public void FolderPermission_AccessDeny_UserSid()
{
    _SID userSid = DtypUtility.GetSidFromAccount(
        TestConfig.DomainName,
        azUser01Name,
        testConfig.UserName,
        testConfig.UserPassword);

    object denyRead = DtypUtility.CreateAccessDeniedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
    SetSecurityDescriptorOnShare(denyRead);

    bool shareAccessible = AccessShare();

    BaseTestSite.Assert.IsFalse(
        shareAccessible,
        "ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Positive case: the user's SID is resolved through the configured account, an ACCESS_ALLOWED_ACE for
/// GENERIC_READ is written to the file's security descriptor, and the user must then be able to read it.
/// </summary>
public void BVT_FilePermission_AccessAllow_UserSid()
{
    _SID userSid = DtypUtility.GetSidFromAccount(
        TestConfig.DomainName,
        azUser01Name,
        testConfig.UserName,
        testConfig.UserPassword);

    object allowRead = DtypUtility.CreateAccessAllowedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
    SetSecurityDescriptorOnFile(allowRead);

    bool readSucceeded = TryReadFile();

    BaseTestSite.Assert.IsTrue(
        readSucceeded,
        "ACCESS_ALLOWED_ACE with user SID ({0}) exists in file Security Descriptor. User should be able to read the file.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Negative case (SUT-adapter variant): an ACCESS_DENIED_ACE for GENERIC_READ on the user's SID is placed
/// in the share folder's security descriptor; connecting to the share must then fail.
/// </summary>
public void FolderPermission_AccessDeny_UserSid()
{
    _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

    object denyRead = DtypUtility.CreateAccessDeniedAce(userSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
    SetSecurityDescriptorOnShare(denyRead);

    bool shareAccessible = AccessShare();

    BaseTestSite.Assert.IsFalse(
        shareAccessible,
        "ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Negative case: the user's SID is present in the folder DACL, but only in an ACCESS_ALLOWED_ACE whose
/// access mask is empty (0), so no right is granted and the share must remain inaccessible.
/// </summary>
public void FolderPermission_AccessDeny_UserSidWithoutReadPermission()
{
    _SID userSid = DtypUtility.GetSidFromAccount(
        TestConfig.DomainName,
        azUser01Name,
        testConfig.UserName,
        testConfig.UserPassword);

    // Allow ACE with an empty mask: the principal is named but receives no access rights.
    object allowNothing = DtypUtility.CreateAccessAllowedAce(userSid, 0, ACE_FLAGS.None);
    SetSecurityDescriptorOnShare(allowNothing);

    bool shareAccessible = AccessShare();

    BaseTestSite.Assert.IsFalse(
        shareAccessible,
        "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Positive case: GENERIC_READ is granted to a group the user belongs to (not to the user directly) via
/// an ACCESS_ALLOWED_ACE on the share folder; group membership must then make the share accessible.
/// </summary>
public void FolderPermission_AccessAllow_GroupSid()
{
    _SID groupSid = DtypUtility.GetSidFromAccount(
        TestConfig.DomainName,
        azGroup01Name,
        testConfig.UserName,
        testConfig.UserPassword);

    object allowRead = DtypUtility.CreateAccessAllowedAce(groupSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
    SetSecurityDescriptorOnShare(allowRead);

    bool shareAccessible = AccessShare();

    BaseTestSite.Assert.IsTrue(
        shareAccessible,
        "ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.",
        DtypUtility.ToSddlString(groupSid));
}
/// <summary>
/// Negative case: an ACCESS_DENIED_ACE for GENERIC_READ on a group SID the user belongs to is written to
/// the file's security descriptor; the deny must propagate through group membership and block the read.
/// </summary>
public void FilePermission_AccessDeny_GroupSid()
{
    _SID groupSid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);

    object denyRead = DtypUtility.CreateAccessDeniedAce(groupSid, DtypUtility.ACCESS_MASK_GENERIC_READ, ACE_FLAGS.None);
    SetSecurityDescriptorOnFile(denyRead);

    bool readSucceeded = TryReadFile();

    BaseTestSite.Assert.IsFalse(
        readSucceeded,
        "ACCESS_DENIED_ACE with user's group SID ({0}) exists in file Security Descriptor. User should be not able to read the file.",
        DtypUtility.ToSddlString(groupSid));
}
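/// <summary>
/// Negative case: the user's SID is present in the file DACL, but only in an ACCESS_ALLOWED_ACE whose
/// access mask is empty (0). No right — in particular no READ — is granted, so the read must be denied.
/// </summary>
public void FilePermission_AccessDeny_UserSidWithoutReadPermission()
{
    _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

    // Allow ACE with an empty access mask: the principal is named in the DACL but receives no rights.
    object allowNothing = DtypUtility.CreateAccessAllowedAce(userSid, 0, ACE_FLAGS.None);
    SetSecurityDescriptorOnFile(allowNothing);

    bool readSucceeded = TryReadFile();

    // The ACE was written to the file's descriptor; the message previously said "folder", which misled triage.
    BaseTestSite.Assert.IsFalse(
        readSucceeded,
        "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in file Security Descriptor. User should not be able to read the file.",
        DtypUtility.ToSddlString(userSid));
}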
/// <summary>
/// Reads every object of class <c>user</c> beneath CN=Users of the given domain through ADSI and returns
/// them keyed by cn, with country code, department and the binary objectSid unmarshalled to <see cref="_SID"/>.
/// </summary>
/// <param name="domainName">DNS domain name; its labels become the DC= components of the LDAP:// path.</param>
/// <param name="userName">Account used to bind. The bind uses AuthenticationTypes.Secure, i.e. Windows-integrated
/// authentication rather than a cleartext simple bind.</param>
/// <param name="password">Password for <paramref name="userName"/>.</param>
/// <returns>Dictionary from user cn to <see cref="User"/>. Two entries with the same cn would throw on insert.</returns>
protected Dictionary<string, User> QueryUserInfo(string domainName, string userName, string password)
{
    var users = new Dictionary<string, User>();

    string[] labels = domainName.Split('.');
    Debug.Assert(labels.Length >= 2, "Domain name has at least 2 parts.");

    var path = new StringBuilder("LDAP://CN=Users");
    foreach (string label in labels)
    {
        path.Append(",DC=").Append(label);
    }

    using (var root = new DirectoryEntry(path.ToString()))
    {
        root.AuthenticationType = AuthenticationTypes.Secure;
        root.Username = userName;
        root.Password = password;

        string[] wanted = new string[] { "cn", "countryCode", "department", "objectSid" };
        using (var searcher = new DirectorySearcher(root, "(objectClass=user)", wanted, SearchScope.Subtree))
        using (SearchResultCollection found = searcher.FindAll())
        {
            foreach (SearchResult hit in found)
            {
                string cn = (string)hit.Properties["cn"][0];

                var user = new User();
                user.Name = cn;

                // countryCode and department are optional in AD; only copy them when present.
                ResultPropertyValueCollection countryCodes = hit.Properties["countryCode"];
                if (countryCodes.Count > 0)
                {
                    user.CountryCode = (int)countryCodes[0];
                }

                ResultPropertyValueCollection departments = hit.Properties["department"];
                if (departments.Count > 0)
                {
                    user.Department = (string)departments[0];
                }

                // objectSid is always present and is returned as the binary SID layout.
                byte[] sidBytes = (byte[])hit.Properties["objectSid"][0];
                user.Sid = TypeMarshal.ToStruct<_SID>(sidBytes);

                users.Add(cn, user);
            }
        }
    }

    return users;
}
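/// <summary>
/// Reads every object of class <c>user</c> beneath CN=Users of the given domain over LDAP and returns them
/// keyed by cn, with country code, department and the binary objectSid unmarshalled to <see cref="_SID"/>.
/// </summary>
/// <param name="domainName">DNS domain name; its labels become the DC= components of the search base.</param>
/// <param name="userName">Account used for the LDAP bind; prefixed with the first DNS label, upper-cased, as the NetBIOS domain.</param>
/// <param name="password">Password for <paramref name="userName"/>.</param>
/// <returns>Dictionary from user cn to <see cref="User"/>. Two entries with the same cn would throw on insert.</returns>
/// <exception cref="ArgumentException">Thrown when an argument is null/empty or the domain name has fewer than two labels.</exception>
protected Dictionary<string, User> QueryUserInfo(string domainName, string userName, string password)
{
    if (string.IsNullOrEmpty(domainName))
    {
        throw new ArgumentException("Domain name must not be null or empty.", nameof(domainName));
    }
    if (string.IsNullOrEmpty(userName))
    {
        throw new ArgumentException("User name must not be null or empty.", nameof(userName));
    }
    if (password == null)
    {
        throw new ArgumentNullException(nameof(password));
    }

    var users = new Dictionary<string, User>();

    string[] domainNameTokens = domainName.Split('.');
    // A single-label name cannot produce a valid domain DN; fail early instead of with an opaque LDAP error.
    if (domainNameTokens.Length < 2)
    {
        throw new ArgumentException("Domain name must have at least 2 dot-separated parts.", nameof(domainName));
    }

    // NOTE(review): assumes the NetBIOS domain name equals the first DNS label upper-cased; confirm for the test domain.
    string bindUser = $"{domainNameTokens[0].ToUpper()}\\{userName}";

    var searchBaseBuilder = new StringBuilder("CN=Users");
    foreach (string token in domainNameTokens)
    {
        searchBaseBuilder.Append(",DC=").Append(token);
    }
    string searchBase = searchBaseBuilder.ToString();

    using (var conn = new LdapConnection())
    {
        // NOTE(review): simple bind over plain LDAP (389) with no StartTls/SSL, so the password is sent in
        // cleartext unless the transport is otherwise protected. Prefer LDAPS or StartTls() before Bind().
        conn.Connect(domainName, 389);
        conn.Bind(bindUser, password);

        var results = conn.Search(
            searchBase,
            LdapConnection.ScopeSub,
            "(objectClass=user)",
            new string[] { "cn", "countryCode", "department", "objectSid" },
            false);

        foreach (KeyValuePair<string, IList<LdapAttribute>> entry in results.GetAllLdapEntries())
        {
            IList<LdapAttribute> attributes = entry.Value;

            var user = new User();
            string name = attributes.GetStringValueFromAttributes("cn");
            user.Name = name;

            // Fix: the original tested IsNullOrEmpty without negation, so a present countryCode was never parsed
            // and CountryCode stayed at its default for every user.
            string countryCodeText = attributes.GetStringValueFromAttributes("countryCode");
            int countryCode;
            if (!string.IsNullOrEmpty(countryCodeText) && int.TryParse(countryCodeText, out countryCode))
            {
                user.CountryCode = countryCode;
            }

            // department is optional; the helper's null/empty result is stored as-is.
            user.Department = attributes.GetStringValueFromAttributes("department");

            // objectSid is returned in the binary SID layout.
            byte[] sidBytes = (byte[])attributes.GetBytesValueFromAttributes("objectSid")[0];
            user.Sid = TypeMarshal.ToStruct<_SID>(sidBytes);

            users.Add(name, user);
        }
    }

    return users;
}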
/// <summary>
/// Renders an LDAP attribute value, received as raw bytes, as text according to its Active Directory syntax.
/// </summary>
/// <param name="ldapSyntax">The attribute's LDAP syntax, which selects the decoding.</param>
/// <param name="buffer">The raw attribute value as returned by the directory.</param>
/// <returns>
/// For <c>StringForNTSecDesc</c> the descriptor's SDDL form; for <c>StringForSid</c> the SID string produced by
/// <c>DtypUtility.ToSddlString</c>; for all other supported syntaxes the buffer decoded as UTF-8.
/// </returns>
/// <exception cref="System.NotSupportedException">Thrown when <paramref name="ldapSyntax"/> is not one of the handled syntaxes.</exception>
public static string Parse(AdtsLdapSyntax ldapSyntax, byte[] buffer)
{
    switch (ldapSyntax)
    {
        case AdtsLdapSyntax.StringForNTSecDesc:
            // A malformed descriptor surfaces as an ArgumentException from RawSecurityDescriptor; it is not masked here.
            RawSecurityDescriptor descriptor = new RawSecurityDescriptor(buffer, 0);
            return descriptor.GetSddlForm(AccessControlSections.All);

        case AdtsLdapSyntax.StringForSid:
            _SID sid = TypeMarshal.ToStruct<_SID>(buffer);
            return DtypUtility.ToSddlString(sid);

        // Everything below is treated as UTF-8 text.
        // NOTE(review): StringForOctet and ObjectForReplicaLink are binary syntaxes; decoding them as UTF-8 is
        // lossy (invalid sequences become U+FFFD). Kept as-is because callers expect a string result.
        case AdtsLdapSyntax.Boolean:
        case AdtsLdapSyntax.Enumeration:
        case AdtsLdapSyntax.Integer:
        case AdtsLdapSyntax.LargeInteger:
        case AdtsLdapSyntax.ObjectForAccessPoint:
        case AdtsLdapSyntax.ObjectForDNString:
        case AdtsLdapSyntax.ObjectForORName:
        case AdtsLdapSyntax.ObjectForDNBinary:
        case AdtsLdapSyntax.ObjectForDSDN:
        case AdtsLdapSyntax.ObjectForPresentationAddress:
        case AdtsLdapSyntax.StringForCase:
        case AdtsLdapSyntax.StringForIA5:
        case AdtsLdapSyntax.StringForObjectIdentifier:
        case AdtsLdapSyntax.StringForPrintable:
        case AdtsLdapSyntax.ObjectForReplicaLink:
        case AdtsLdapSyntax.StringForOctet:
        case AdtsLdapSyntax.StringForNumeric:
        case AdtsLdapSyntax.StringForTeletex:
        case AdtsLdapSyntax.StringForUnicode:
        case AdtsLdapSyntax.StringForUTCTime:
        case AdtsLdapSyntax.StringForGeneralizedTime:
            return Encoding.UTF8.GetString(buffer);

        default:
            throw new NotSupportedException("The specified syntax is not supported.");
    }
}
/// <summary>
/// Looks up the groups the given user is a member of (using the adapter's stored admin credentials) and
/// returns them as a JSON array of <see cref="Group"/> objects carrying name and SID.
/// </summary>
/// <param name="userName">sAMAccountName-style user name in the adapter's domain.</param>
/// <returns>JSON produced with <c>serializerOptions</c>.</returns>
public string GetUserMemberships(string userName)
{
    List<LdapEntry> memberOf = DtypUtility.GetUserMemberships(domainName, userName, adminName, adminPassword);

    var groups = new List<Group>();
    foreach (LdapEntry entry in memberOf)
    {
        // objectSid is delivered in the binary SID layout and unmarshalled to the test-suite _SID struct.
        byte[] sidBytes = entry.GetAttribute("objectSid").ByteValue;

        groups.Add(new Group
        {
            Name = entry.GetAttribute("name").StringValue,
            Sid = TypeMarshal.ToStruct<_SID>(sidBytes)
        });
    }

    return JsonSerializer.Serialize(groups, serializerOptions);
}
/// <summary>
/// Enumerates the users of the adapter's domain (using its stored admin credentials) and returns them as
/// a JSON array of <see cref="User"/> objects carrying name and SID.
/// </summary>
/// <returns>JSON produced with <c>serializerOptions</c>.</returns>
public string GetUsers()
{
    List<LdapEntry> entries = DtypUtility.GetUsers(domainName, adminName, adminPassword);

    var users = new List<User>();
    foreach (LdapEntry entry in entries)
    {
        // objectSid is delivered in the binary SID layout and unmarshalled to the test-suite _SID struct.
        byte[] sidBytes = entry.GetAttribute("objectSid").ByteValue;

        users.Add(new User
        {
            Name = entry.GetAttribute("name").StringValue,
            Sid = TypeMarshal.ToStruct<_SID>(sidBytes)
        });
    }

    return JsonSerializer.Serialize(users, serializerOptions);
}
/// <summary>
/// Negative case: the user's SID does not appear in the share's security descriptor, so connecting must
/// fail. Uses the dynamically configurable share when present, otherwise the pre-provisioned "AzShare05".
/// </summary>
public void SharePermission_AccessDeny_SidNoInclude()
{
    _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

    string shareName = dynamicallyConfigurableShareExist
        ? dynamicallyConfigurableShareName
        : "AzShare05";

    bool shareAccessible = AccessShare(shareName);

    BaseTestSite.Assert.IsFalse(
        shareAccessible,
        "User SID ({0}) is not in share Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Negative case: an ACCESS_DENIED_ACE covering all standard and specific rights for the user's SID is
/// written to the dynamically configurable share (when present); connecting must then fail. Without that
/// share the pre-provisioned "AzShare03" is used as-is.
/// </summary>
public void SharePermission_AccessDeny_UserSid()
{
    _SID userSid = sutCommonControlAdapterAccessor.GetUserSid(azUser01Name);

    string shareName = "AzShare03";
    if (dynamicallyConfigurableShareExist)
    {
        var allRights = DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL;
        object denyAll = DtypUtility.CreateAccessDeniedAce(userSid, allRights, ACE_FLAGS.None);
        SetSecurityDescriptorOnDynamicallyConfigurableShare(denyAll);
        shareName = dynamicallyConfigurableShareName;
    }

    bool shareAccessible = AccessShare(shareName);

    BaseTestSite.Assert.IsFalse(
        shareAccessible,
        "ACCESS_DENIED_ACE with user SID ({0}) exists in folder Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}
/// <summary>
/// Positive case: an ACCESS_ALLOWED_ACE covering all standard and specific rights for the user's SID is
/// written to the dynamically configurable share (when present); connecting must then succeed. Without
/// that share the pre-provisioned "AzShare01" is used as-is.
/// </summary>
public void BVT_SharePermission_AccessAllow_UserSid()
{
    _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

    string shareName = "AzShare01";
    if (dynamicallyConfigurableShareExist)
    {
        var allRights = DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL;
        object allowAll = DtypUtility.CreateAccessAllowedAce(userSid, allRights, ACE_FLAGS.None);
        SetSecurityDescriptorOnDynamicallyConfigurableShare(allowAll);
        shareName = dynamicallyConfigurableShareName;
    }

    bool shareAccessible = AccessShare(shareName);

    BaseTestSite.Assert.IsTrue(
        shareAccessible,
        "ACCESS_ALLOWED_ACE with user SID ({0}) exists in folder Security Descriptor. User should be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}
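/// <summary>
/// Negative case: an ACCESS_DENIED_ACE covering all standard and specific rights for a group the user
/// belongs to is written to the dynamically configurable share (when present); the deny must propagate
/// through group membership and block the connection. Without that share "AzShare04" is used as-is.
/// </summary>
public void SharePermission_AccessDeny_GroupSid()
{
    _SID groupSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azGroup01Name);

    string shareName;
    if (dynamicallyConfigurableShareExist)
    {
        var allRights = DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL;
        object denyAll = DtypUtility.CreateAccessDeniedAce(groupSid, allRights, ACE_FLAGS.None);
        SetSecurityDescriptorOnDynamicallyConfigurableShare(denyAll);
        shareName = dynamicallyConfigurableShareName;
    }
    else
    {
        shareName = "AzShare04";
    }

    // The ACE lives in the share's descriptor (the message previously said "file"), and the wording now
    // matches the sibling share-permission cases.
    BaseTestSite.Assert.IsFalse(
        AccessShare(shareName),
        "ACCESS_DENIED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(groupSid));
}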
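/// <summary>
/// Negative case: the user's SID is present in the share DACL only in an ACCESS_ALLOWED_ACE whose access
/// mask is empty (0), so no right — in particular no READ — is granted and the share must not be
/// accessible. Without the dynamically configurable share the pre-provisioned "AzShare06" is used as-is.
/// </summary>
public void SharePermission_AccessDeny_UserSidWithoutReadPermission()
{
    _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);

    string shareName;
    if (dynamicallyConfigurableShareExist)
    {
        // ALLOW ACE with an empty mask, consistent with the folder/file variants of this case and with the
        // assertion message below. The previous DENY ACE with mask 0 denies no right at all, so it did not
        // exercise "SID present but without READ".
        object allowNothing = DtypUtility.CreateAccessAllowedAce(userSid, 0, ACE_FLAGS.None);
        SetSecurityDescriptorOnDynamicallyConfigurableShare(allowNothing);
        shareName = dynamicallyConfigurableShareName;
    }
    else
    {
        shareName = "AzShare06";
    }

    BaseTestSite.Assert.IsFalse(
        AccessShare(shareName),
        "ACCESS_ALLOWED_ACE with user SID ({0}) without READ permission in folder Security Descriptor. User should not be able to access the share.",
        DtypUtility.ToSddlString(userSid));
}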
/// <summary>
/// Positive case: an ACCESS_ALLOWED_ACE covering all standard and specific rights for a group the user
/// belongs to is written to the dynamically configurable share (when present); group membership must then
/// make the share accessible. Without that share the pre-provisioned "AzShare02" is used as-is.
/// </summary>
public void SharePermission_AccessAllow_GroupSid()
{
    _SID groupSid = sutCommonControlAdapterAccessor.GetGroupSid(azGroup01Name);

    string shareName = "AzShare02";
    if (dynamicallyConfigurableShareExist)
    {
        var allRights = DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL;
        object allowAll = DtypUtility.CreateAccessAllowedAce(groupSid, allRights, ACE_FLAGS.None);
        SetSecurityDescriptorOnDynamicallyConfigurableShare(allowAll);
        shareName = dynamicallyConfigurableShareName;
    }

    bool shareAccessible = AccessShare(shareName);

    BaseTestSite.Assert.IsTrue(
        shareAccessible,
        "ACCESS_ALLOWED_ACE with user's group SID ({0}) exists in share Security Descriptor. User should be able to access the share.",
        DtypUtility.ToSddlString(groupSid));
}
/// <summary>
/// Lists the direct members of the given group (using the adapter's stored admin credentials) and returns
/// them as a JSON array of <see cref="GroupMember"/> objects with name, SID, object class and principal source.
/// </summary>
/// <param name="groupName">Name of the group in the adapter's domain.</param>
/// <returns>JSON produced with <c>serializerOptions</c>.</returns>
public string GetGroupMembers(string groupName)
{
    List<LdapEntry> entries = DtypUtility.GetGroupMembers(domainName, groupName, adminName, adminPassword);

    var members = new List<GroupMember>();
    foreach (LdapEntry entry in entries)
    {
        byte[] sidBytes = entry.GetAttribute("objectSid").ByteValue;

        // NOTE(review): objectClass is multi-valued in AD (e.g. top/person/organizationalPerson/user);
        // StringValue yields a single value — presumably the first — so confirm this is the class callers expect.
        string objectClass = entry.GetAttribute("objectClass").StringValue;

        members.Add(new GroupMember
        {
            Name = entry.GetAttribute("name").StringValue,
            Sid = TypeMarshal.ToStruct<_SID>(sidBytes),
            ObjectClass = objectClass,
            // Every member returned by this LDAP query is by construction a domain principal.
            PrincipalSource = "ActiveDirectory"
        });
    }

    return JsonSerializer.Serialize(members, serializerOptions);
}
/// <summary>
/// [MS-SMB2] CREATE with FILE_DELETE_ON_CLOSE when TreeConnect.MaximalAccess includes neither DELETE nor
/// GENERIC_ALL. The share DACL grants the user every standard and specific right except DELETE; the test
/// checks that the TREE_CONNECT response reports no DELETE/GENERIC_ALL, creates a file, closes it, then
/// re-opens it with FILE_DELETE_ON_CLOSE and expects the server to refuse (STATUS_ACCESS_DENIED on Windows,
/// any non-success status on other platforms). Requires the dynamically configurable share, otherwise the
/// case is reported inconclusive.
/// </summary>
public void SharePermission_CreateClose_DeleteFile_MaximalAccessNotIncludeDeleteOrGenericAll()
{
    _SID userSid = DtypUtility.GetSidFromAccount(TestConfig.DomainName, azUser01Name);
    if (!dynamicallyConfigurableShareExist)
    {
        BaseTestSite.Assert.Inconclusive("Required share: {0} does not exist!", dynamicallyConfigurableShareName);
    }

    // All standard + specific rights with DELETE removed; GENERIC_ALL is not part of either group.
    var allButDelete = (DtypUtility.ACCESS_MASK_STANDARD_RIGHTS_ALL | DtypUtility.ACCESS_MASK_SPECIFIC_RIGHTS_ALL) & ~DtypUtility.ACCESS_MASK_DELETE;
    object allowAllButDelete = DtypUtility.CreateAccessAllowedAce(userSid, allButDelete, ACE_FLAGS.None);
    SetSecurityDescriptorOnDynamicallyConfigurableShare(allowAllButDelete);

    string shareName = dynamicallyConfigurableShareName;
    string shareUncPath = Smb2Utility.GetUncPath(TestConfig.SutComputerName, shareName);

    var smbClient = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);
    smbClient.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
    var credential = new AccountCredential(TestConfig.DomainName, azUser01Name, TestConfig.UserPassword);

    try
    {
        BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends NEGOTIATE message.");
        smbClient.Negotiate(TestConfig.RequestDialects, TestConfig.IsSMB1NegotiateEnabled);

        BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends SESSION_SETUP message using account: {0}@{1}.", credential.AccountName, credential.DomainName);
        smbClient.SessionSetup(TestConfig.DefaultSecurityPackage, TestConfig.SutComputerName, credential, false);

        uint treeId;
        BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends TREE_CONNECT message to access share: {0}.", shareUncPath);
        smbClient.TreeConnect(shareUncPath, out treeId, checker: (header, response) =>
        {
            // Precondition for the rest of the case: the server must not advertise DELETE or GENERIC_ALL.
            var deleteOrGenericAll = DtypUtility.ACCESS_MASK_DELETE | DtypUtility.ACCESS_MASK_GENERIC_ALL;
            BaseTestSite.Assert.IsTrue(
                (response.MaximalAccess.ACCESS_MASK & deleteOrGenericAll) == 0,
                "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL.");
        });

        string fileName = GetTestFileName(shareUncPath);
        FILEID fileId;
        Smb2CreateContextResponse[] createContexts;

        BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create the file: {0}", fileName);
        BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request.");
        // Access mask a Windows client requests when creating a new file; note it does not include DELETE.
        AccessMask createMask =
            AccessMask.FILE_READ_DATA | AccessMask.FILE_WRITE_DATA | AccessMask.FILE_APPEND_DATA |
            AccessMask.FILE_READ_ATTRIBUTES | AccessMask.FILE_READ_EA |
            AccessMask.FILE_WRITE_ATTRIBUTES | AccessMask.FILE_WRITE_EA |
            AccessMask.READ_CONTROL | AccessMask.WRITE_DAC | AccessMask.SYNCHRONIZE;
        uint status = smbClient.Create(
            treeId,
            fileName,
            CreateOptions_Values.FILE_NON_DIRECTORY_FILE,
            out fileId,
            out createContexts,
            accessMask: createMask,
            shareAccess: ShareAccess_Values.NONE,
            createDisposition: CreateDisposition_Values.FILE_CREATE);
        smbClient.Close(treeId, fileId);

        BaseTestSite.Log.Add(LogEntryKind.TestStep, "Delete the file: {0}", fileName);
        BaseTestSite.Log.Add(LogEntryKind.Debug, "Client sends CREATE request with FILE_DELETE_ON_CLOSE flag set in CreateOptions .");
        // Access mask a Windows client requests for a delete-on-close open.
        AccessMask deleteMask = AccessMask.DELETE | AccessMask.FILE_READ_ATTRIBUTES | AccessMask.SYNCHRONIZE;
        status = smbClient.Create(
            treeId,
            fileName,
            CreateOptions_Values.FILE_NON_DIRECTORY_FILE | CreateOptions_Values.FILE_DELETE_ON_CLOSE,
            out fileId,
            out createContexts,
            accessMask: deleteMask,
            shareAccess: ShareAccess_Values.FILE_SHARE_DELETE,
            createDisposition: CreateDisposition_Values.FILE_OPEN,
            checker: (header, response) =>
            {
                string expectation =
                    "If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions and " +
                    "Treeconnect.MaximalAccess does not include DELETE or GENERIC_ALL, " +
                    "the server SHOULD fail the request with STATUS_ACCESS_DENIED";

                // The spec says SHOULD, so a non-Windows server only has to refuse; Windows is held to the exact status.
                if (TestConfig.Platform == Platform.NonWindows)
                {
                    BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, header.Status, expectation);
                }
                else
                {
                    BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_ACCESS_DENIED, header.Status, expectation);
                }
            });

        smbClient.TreeDisconnect(treeId);
        smbClient.LogOff();
    }
    catch (Exception e)
    {
        // Any failure (including assertion exceptions from the checkers) is re-reported with its message only;
        // the original stack trace is not logged here.
        BaseTestSite.Assert.Fail("Case failed due to: {0}", e.Message);
    }
    finally
    {
        smbClient.Disconnect();
    }
}
/// <summary>
/// Sets or clears the Central Access Policy on a share by writing only the scoped-policy portion of its
/// SACL (SCOPE_SECURITY_INFORMATION). With a CAP ID the SACL holds a single SYSTEM_SCOPED_POLICY_ID_ACE
/// carrying that ID; with <c>null</c> an empty SACL is written, which presumably removes any existing CAP.
/// </summary>
/// <param name="sharePath">UNC path of the share whose security descriptor is updated.</param>
/// <param name="capId">CAP ID (a SID) to apply, or <c>null</c> to write an empty scoped-policy SACL.</param>
protected void SetCap(string sharePath, _SID? capId)
{
    _ACL sacl;
    if (capId.HasValue)
    {
        _SYSTEM_SCOPED_POLICY_ID_ACE scopedPolicyAce = DtypUtility.CreateSystemScopedPolicyIdAce(capId.Value);
        sacl = DtypUtility.CreateAcl(false, scopedPolicyAce);
    }
    else
    {
        sacl = DtypUtility.CreateAcl(false);
    }

    // Only the SACL is supplied (owner, group and DACL are null); the control flags mark it present,
    // self-relative and auto-inherited.
    SECURITY_DESCRIPTOR_Control control =
        SECURITY_DESCRIPTOR_Control.SACLAutoInherited |
        SECURITY_DESCRIPTOR_Control.SACLInheritanceRequired |
        SECURITY_DESCRIPTOR_Control.SACLPresent |
        SECURITY_DESCRIPTOR_Control.SelfRelative;
    _SECURITY_DESCRIPTOR descriptor = DtypUtility.CreateSecurityDescriptor(control, null, null, sacl, null);

    SetSecurityDescriptor(
        sharePath,
        null,
        descriptor,
        SET_INFO_Request_AdditionalInformation_Values.SCOPE_SECURITY_INFORMATION);
}
/// <summary>
/// Enumerates the Central Access Rules (CARs) and Central Access Policies (CAPs) published under
/// CN=Claims Configuration,CN=Services,CN=Configuration of the given domain through ADSI and returns the
/// CAPs keyed by cn, each with its member rules resolved from the CAR distinguished names it references.
/// </summary>
/// <param name="domainName">DNS domain name; its labels become the DC= components of the LDAP:// path.</param>
/// <param name="userName">Account used to bind. AuthenticationTypes.Secure selects Windows-integrated
/// authentication rather than a cleartext simple bind.</param>
/// <param name="password">Password for <paramref name="userName"/>.</param>
/// <returns>Dictionary from CAP name (cn) to <see cref="CentralAccessPolicy"/>.</returns>
/// <exception cref="KeyNotFoundException">Thrown when a CAP references a CAR that was not found under the search base.</exception>
protected Dictionary<string, CentralAccessPolicy> QueryCaps(string domainName, string userName, string password)
{
    var rulesByDn = new Dictionary<string, CentralAccessRule>();
    var policies = new Dictionary<string, CentralAccessPolicy>();

    string[] labels = domainName.Split('.');
    Debug.Assert(labels.Length >= 2, "Domain name has at least 2 parts.");

    var path = new StringBuilder("LDAP://CN=Claims Configuration,CN=Services,CN=Configuration");
    foreach (string label in labels)
    {
        path.Append(",DC=").Append(label);
    }

    using (var root = new DirectoryEntry(path.ToString()))
    {
        root.AuthenticationType = AuthenticationTypes.Secure;
        root.Username = userName;
        root.Password = password;

        // Pass 1: every CAR, keyed by DN so CAP member references can be resolved.
        string[] ruleAttributes = new string[] { "cn", "distinguishedName", "msAuthz-EffectiveSecurityPolicy", "msAuthz-ResourceCondition" };
        using (var ruleSearcher = new DirectorySearcher(root, "(objectClass=msAuthz-CentralAccessRule)", ruleAttributes, SearchScope.Subtree))
        using (SearchResultCollection ruleHits = ruleSearcher.FindAll())
        {
            foreach (SearchResult hit in ruleHits)
            {
                // msAuthz-ResourceCondition is optional; the other three are read unconditionally.
                ResultPropertyValueCollection conditions = hit.Properties["msAuthz-ResourceCondition"];
                string condition = conditions.Count > 0 ? (string)conditions[0] : null;

                var rule = new CentralAccessRule
                {
                    Name = (string)hit.Properties["cn"][0],
                    Sddl = (string)hit.Properties["msAuthz-EffectiveSecurityPolicy"][0],
                    ResourceCondition = condition
                };
                rulesByDn.Add((string)hit.Properties["distinguishedName"][0], rule);
            }
        }

        // Pass 2: every CAP, with its binary policy ID and member-rule DNs.
        string[] policyAttributes = new string[] { "cn", "msAuthz-CentralAccessPolicyID", "msAuthz-MemberRulesInCentralAccessPolicy" };
        using (var policySearcher = new DirectorySearcher(root, "(objectClass=msAuthz-CentralAccessPolicy)", policyAttributes, SearchScope.Subtree))
        using (SearchResultCollection policyHits = policySearcher.FindAll())
        {
            foreach (SearchResult hit in policyHits)
            {
                string capName = (string)hit.Properties["cn"][0];

                // The CAP ID is stored as a binary SID; it is the value later stamped into a resource's SACL.
                byte[] capIdBytes = (byte[])hit.Properties["msAuthz-CentralAccessPolicyID"][0];

                var policy = new CentralAccessPolicy();
                policy.Name = capName;
                policy.Id = TypeMarshal.ToStruct<_SID>(capIdBytes);

                // A reference to a CAR outside the search base throws KeyNotFoundException here.
                foreach (string ruleDn in hit.Properties["msAuthz-MemberRulesInCentralAccessPolicy"])
                {
                    policy.MemberRules.Add(rulesByDn[ruleDn]);
                }

                policies.Add(capName, policy);
            }
        }
    }

    return policies;
}
/// <summary>
/// Resolves a domain group to its SID (using the adapter's stored admin credentials) and returns it in
/// SDDL string form.
/// </summary>
/// <param name="groupName">Name of the group in the adapter's domain.</param>
/// <returns>The group SID as an SDDL string.</returns>
public string GetGroupSid(string groupName)
    => DtypUtility.GetSidFromGroupName(domainName, groupName, adminName, adminPassword).GetSddlForm();
/// <summary>
/// Resolves a domain user account to its SID (using the adapter's stored admin credentials) and returns it
/// in SDDL string form.
/// </summary>
/// <param name="userName">Name of the account in the adapter's domain.</param>
/// <returns>The user SID as an SDDL string.</returns>
public string GetUserSid(string userName)
    => DtypUtility.GetSidFromAccount(domainName, userName, adminName, adminPassword).GetSddlForm();
/// <summary>
/// P/Invoke declaration for the Win32 ConvertSidToStringSid function (the DllImport attribute is expected on the preceding line, outside this view).
/// </summary>
/// <param name="sid">The SID to convert. NOTE(review): it is passed as the managed <c>_SID</c> struct by value; confirm its marshaling layout matches the native PSID the function expects, in particular for SIDs with more than one sub-authority.</param>
/// <param name="sidString">Receives a pointer to the string form of the SID. Per the Win32 documentation this buffer is allocated by the OS and the caller must release it with LocalFree, then read it before freeing (e.g. Marshal.PtrToStringAuto); callers of this declaration should be checked for that.</param>
/// <returns>true on success; on failure the reason is available via Marshal.GetLastWin32Error only if the DllImport sets SetLastError = true.</returns>
public static extern bool ConvertSidToStringSid( _SID sid, out IntPtr sidString );