| public InsertAce ( int index, System ace ) : void | ||
| index | int | |
| ace | System | |
| return | void | |
public void AddAccessFailsOnNonCanonical ()
{
SecurityIdentifier sid = new SecurityIdentifier ("BU");
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
acl.InsertAce (0, new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null));
acl.InsertAce (1, new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
DiscretionaryAcl dacl = new DiscretionaryAcl (false, false, acl);
Assert.IsFalse (dacl.IsCanonical);
Assert.AreEqual (2, dacl.Count);
dacl.AddAccess (AccessControlType.Allow, sid, 1, InheritanceFlags.None, PropagationFlags.None);
}
void AddAce(QualifiedAce newAce)
{
RequireCanonicity();
int pos = GetAceInsertPosition(newAce.AceQualifier);
raw_acl.InsertAce(pos, newAce);
CleanAndRetestCanonicity();
}
void AddAce(QualifiedAce newAce)
{
RequireCanonicity();
int pos = GetAceInsertPosition(newAce.AceQualifier);
raw_acl.InsertAce(pos, CopyAce(newAce));
CanonicalizeAndClearAefa();
}
private void BuildSecurityDescriptor()
{
NTAccount account;
SecurityIdentifier identifier;
CommonAce ace;
RawAcl rawAcl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (this.operationRoleMembers != null)
{
foreach (string str in this.operationRoleMembers)
{
account = new NTAccount(str);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.contractRoleMembers != null)
{
foreach (string str2 in this.contractRoleMembers)
{
account = new NTAccount(str2);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
if (this.serviceRoleMembers != null)
{
foreach (string str3 in this.serviceRoleMembers)
{
account = new NTAccount(str3);
identifier = (SecurityIdentifier) account.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, identifier, false, null);
rawAcl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl);
this.securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, discretionaryAcl);
}
public void IndexerMakesCopies ()
{
// This behavior is mentioned in the DiscretionaryAcl RawAcl constructor overload.
// Turns out it applies to more than just the constructor.
SecurityIdentifier worldSid = new SecurityIdentifier ("WD");
// RawAcl does not make copies.
RawAcl acl = new RawAcl (RawAcl.AclRevision, 1);
CommonAce ace = new CommonAce (AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, worldSid, false, null);
acl.InsertAce (0, ace);
Assert.AreSame (acl [0], acl [0]);
// CommonAcl does.
SystemAcl sacl = new SystemAcl (false, false, acl);
Assert.AreNotSame (sacl [0], sacl [0]);
// Make sure the copying occurs in the constructor as well as the indexer.
ace.AceFlags = AceFlags.FailedAccess;
Assert.AreEqual (AceFlags.SuccessfulAccess, sacl [0].AceFlags);
}
static RawAcl CreateRoundtripRawAcl ()
{
SecurityIdentifier sid = new SecurityIdentifier (WellKnownSidType.BuiltinUsersSid, null);
Assert.AreEqual (16, sid.BinaryLength);
GenericAce[] aces = new GenericAce[] {
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 1, sid,
ObjectAceFlags.ObjectAceTypePresent,
Guid.Empty, Guid.Empty, false, new byte[8]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 2, sid,
ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, Guid.Empty, true, new byte[16]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, new Guid ("{8865FB90-A9EB-422F-A8BA-07ECA611D699}"), true, new byte[4]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.ObjectAceTypePresent|ObjectAceFlags.InheritedObjectAceTypePresent,
Guid.Empty, new Guid ("{B893007C-38D5-4827-A698-BA25F1E30BAC}"), true, new byte[4]),
new ObjectAce (AceFlags.None, AceQualifier.AccessAllowed, 4, sid,
ObjectAceFlags.None,
Guid.Empty, new Guid ("{C0F9DF22-C320-4400-B41F-754F69668640}"), true, new byte[4])
};
// Make sure this created right, first of all.
Assert.AreEqual (AceType.AccessAllowedObject, aces [0].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [1].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [2].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [3].AceType);
Assert.AreEqual (AceType.AccessAllowedCallbackObject, aces [4].AceType);
Assert.AreEqual (52, aces [0].BinaryLength);
Assert.AreEqual (60, aces [1].BinaryLength);
Assert.AreEqual (48, aces [2].BinaryLength);
Assert.AreEqual (64, aces [3].BinaryLength);
Assert.AreEqual (32, aces [4].BinaryLength);
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
for (int i = 0; i < aces.Length; i ++)
acl.InsertAce (i, aces[i]);
return acl;
}
public void GetBinaryForm ()
{
RawAcl acl = new RawAcl (1, 0);
byte[] buffer = new byte[acl.BinaryLength];
acl.GetBinaryForm (buffer, 0);
byte[] sdBinary = new byte[] { 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 };
Assert.AreEqual (sdBinary, buffer);
SecurityIdentifier builtInAdmins = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
CommonAce ace = new CommonAce (AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null);
acl.InsertAce (0, ace);
buffer = new byte[acl.BinaryLength];
acl.GetBinaryForm (buffer, 0);
sdBinary = new byte[] {
0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02,
0x00, 0x00 };
Assert.AreEqual (sdBinary, buffer);
}
/// <summary>Canonicalizes the specified Access Control List.</summary>
/// <param name="acl">The Access Control List.</param>
public static void Canonicalize(this RawAcl acl)
{
if (acl == null)
{
throw new ArgumentNullException(nameof(acl));
}
// Extract aces to list
var aces = new Collections.Generic.List <GenericAce>(acl.Cast <GenericAce>());
// Sort aces based on canonical order
aces.Sort((a, b) => Collections.Generic.Comparer <byte> .Default.Compare(GetComparisonValue(a), GetComparisonValue(b)));
// Add sorted aces back to ACL
while (acl.Count > 0)
{
acl.RemoveAce(0);
}
var aceIndex = 0;
aces.ForEach(ace => acl.InsertAce(aceIndex++, ace));
}
//
// Creates an ACL from a raw ACL
// - 'trusted' (internal) callers get to pass the raw ACL
// that this object will take ownership of
// - 'untrusted' callers are handled by creating a local
// copy of the ACL passed in
//
internal CommonAcl( bool isContainer, bool isDS, RawAcl rawAcl, bool trusted, bool isDacl )
: base()
{
if ( rawAcl == null )
{
throw new ArgumentNullException( "rawAcl" );
}
Contract.EndContractBlock();
_isContainer = isContainer;
_isDS = isDS;
if (trusted)
{
//
// In the trusted case, we take over ownership of the ACL passed in
//
_acl = rawAcl;
RemoveMeaninglessAcesAndFlags( isDacl );
}
else
{
//
// In the untrusted case, we create our own raw ACL to keep the ACEs in
//
_acl = new RawAcl( rawAcl.Revision, rawAcl.Count );
for ( int i = 0; i < rawAcl.Count; i++ )
{
//
// Clone each ACE prior to putting it in
//
GenericAce ace = rawAcl[i].Copy();
//
// Avoid inserting meaningless ACEs
//
if ( true == InspectAce( ref ace, isDacl ))
{
_acl.InsertAce( _acl.Count, ace );
}
}
}
//
// See whether the ACL is canonical to begin with
//
if ( true == CanonicalCheck( isDacl ))
{
//
// Sort and compact the array
//
Canonicalize( true, isDacl );
_isCanonical = true;
}
else
{
_isCanonical = false;
}
}
private static void CanonicalizeDacl(NativeObjectSecurity objectSecurity)
{
if (objectSecurity == null) { throw new ArgumentNullException("objectSecurity"); }
if (objectSecurity.AreAccessRulesCanonical) { return; }
// A canonical ACL must have ACES sorted according to the following order:
// 1. Access-denied on the object
// 2. Access-denied on a child or property
// 3. Access-allowed on the object
// 4. Access-allowed on a child or property
// 5. All inherited ACEs
RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
List<CommonAce> implicitDenyDacl = new List<CommonAce>();
List<CommonAce> implicitDenyObjectDacl = new List<CommonAce>();
List<CommonAce> inheritedDacl = new List<CommonAce>();
List<CommonAce> implicitAllowDacl = new List<CommonAce>();
List<CommonAce> implicitAllowObjectDacl = new List<CommonAce>();
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); }
else
{
switch (ace.AceType)
{
case AceType.AccessAllowed:
implicitAllowDacl.Add(ace);
break;
case AceType.AccessDenied:
implicitDenyDacl.Add(ace);
break;
case AceType.AccessAllowedObject:
implicitAllowObjectDacl.Add(ace);
break;
case AceType.AccessDeniedObject:
implicitDenyObjectDacl.Add(ace);
break;
}
}
}
Int32 aceIndex = 0;
RawAcl newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count);
implicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
if (aceIndex != descriptor.DiscretionaryAcl.Count)
{
System.Diagnostics.Debug.Fail("The DACL cannot be canonicalized since it would potentially result in a loss of information");
return;
}
descriptor.DiscretionaryAcl = newDacl;
objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
}
static RawAcl MakeRawAcl (GenericAce[] aces)
{
RawAcl acl = new RawAcl (RawAcl.AclRevision, 0);
for (int i = 0; i < aces.Length; i ++) { acl.InsertAce (i, aces [i]); }
return acl;
}
private static RawAcl InheritAcl(RawAcl parentAcl, bool isContainer)
{
AceFlags inheritTest = isContainer ? AceFlags.ContainerInherit : AceFlags.ObjectInherit;
RawAcl newAcl = null;
if (parentAcl != null)
{
newAcl = new RawAcl(parentAcl.Revision, parentAcl.Count);
foreach (GenericAce ace in parentAcl)
{
if ((ace.AceFlags & inheritTest) != 0)
{
GenericAce newAce = ace.Copy();
AceFlags newFlags = ace.AceFlags;
if ((newFlags & AceFlags.NoPropagateInherit) != 0)
{
newFlags &= ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit | AceFlags.NoPropagateInherit);
}
newFlags &= ~AceFlags.InheritOnly;
newFlags |= AceFlags.Inherited;
newAce.AceFlags = newFlags;
newAcl.InsertAce(newAcl.Count, newAce);
}
}
}
return newAcl;
}
static CommonSecurityDescriptor ProtectionPreserveInheritanceIgnoredUnlessProtectedTrueDescriptor()
{
SecurityIdentifier sid = new SecurityIdentifier ("WD");
RawAcl acl = new RawAcl (GenericAcl.AclRevision, 1);
acl.InsertAce (0, new CommonAce (AceFlags.None, AceQualifier.AccessDenied, 1, sid, false, null));
acl.InsertAce (1, new CommonAce (AceFlags.Inherited, AceQualifier.AccessAllowed, 1, sid, false, null));
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
descriptor.DiscretionaryAcl = new DiscretionaryAcl (false, false, acl);
return descriptor;
}
private void BuildSecurityDescriptor()
{
Fx.Assert((null == securityDescriptor), "SecurityDescriptor must be NULL");
NTAccount name;
SecurityIdentifier sid;
CommonAce ace;
RawAcl acl = new RawAcl(GenericAcl.AclRevision, 1);
int index = 0;
if (operationRoleMembers != null)
{
foreach (string userName in operationRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
if (contractRoleMembers != null)
{
foreach (string userName in contractRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
if (serviceRoleMembers != null)
{
foreach (string userName in serviceRoleMembers)
{
name = new NTAccount(userName);
sid = (SecurityIdentifier)name.Translate(typeof(SecurityIdentifier));
ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, (int)ComRights.EXECUTE, sid, false, null);
acl.InsertAce(index, ace);
index++;
}
}
DiscretionaryAcl dacl = new DiscretionaryAcl(true, false, acl);
securityDescriptor = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, sidAdministrators, sidAdministrators, null, dacl);
}
[Category ("NotWorking")] // Mono does not have a working CustomAce implementation yet.
public void ObjectSecurityRemovesWhatItCannotCreate ()
{
RawAcl acl = new RawAcl (GenericAcl.AclRevision, 1);
acl.InsertAce (0, new CustomAce ((AceType)255, AceFlags.None, new byte[4]));
DiscretionaryAcl dacl = new DiscretionaryAcl (true, true, acl);
Assert.AreEqual (1, dacl.Count);
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(true, true, ControlFlags.None, null, null, null, dacl);
TestSecurity security = new TestSecurity (descriptor);
AuthorizationRuleCollection rules = security.GetAccessRules (true, true, typeof (SecurityIdentifier));
Assert.AreEqual (0, rules.Count);
}