コード例 #1
        /// <summary>
        /// Decides whether an assert set satisfies a demand and therefore ends the stack walk.
        /// </summary>
        /// <param name="pSet">Assert set to test; when null nothing is asserted.</param>
        /// <param name="demand">Permission being demanded.</param>
        /// <param name="permToken">Token passed through to <c>pSet.CheckDecoded</c>.</param>
        /// <returns>
        /// <c>SecurityRuntime.StackHalt</c> when the set asserts the demand,
        /// otherwise <c>SecurityRuntime.StackContinue</c>.
        /// </returns>
        static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken)
        {
            // Without an assert set there is nothing that could stop the walk here.
            if (pSet == null)
            {
                return SecurityRuntime.StackContinue;
            }

            pSet.CheckDecoded(demand, permToken);
            CodeAccessPermission asserted = (CodeAccessPermission)pSet.GetPermission(demand);

            try
            {
                // Either the whole set is unrestricted and the demand accepts that,
                // or the matching permission in the set covers the demand.
                bool unrestrictedAssert = pSet.IsUnrestricted() && demand.CanUnrestrictedOverride();
                if (unrestrictedAssert || demand.CheckAssert(asserted))
                {
                    return SecurityRuntime.StackHalt;
                }
            }
            catch (ArgumentException)
            {
                // Deliberately swallowed: a comparison that fails with ArgumentException
                // is treated as "not asserted", so the walk continues to the callers.
                // The failure therefore never grants anything.
            }

            return SecurityRuntime.StackContinue;
        }
コード例 #2
        /// <summary>
        /// Returns the <c>PermissionToken</c> registered for a permission type, creating and
        /// registering a new token the first time the type is seen.
        /// </summary>
        /// <param name="cls">Permission type to look up. Only checked by a BCLDebug assert.</param>
        /// <param name="perm">
        /// Optional permission instance. When non-null it is used to classify the token
        /// (IUnrestricted vs. Normal); when null the classification is done by looking for
        /// the unrestricted-permission interface on <paramref name="cls"/>.
        /// </param>
        /// <returns>The existing or newly created token for the type.</returns>
        internal PermissionToken GetToken(Type cls, IPermission perm)
        {
            // NOTE(review): this is an assert only; presumably it is compiled out of release
            // builds, in which case a null cls fails on cls.TypeHandle below — confirm.
            BCLDebug.Assert(cls != null, "Must pass in valid type");

            // Fast path: lookup keyed by the type handle, performed without taking the lock.
            IntPtr typePtr = cls.TypeHandle.Value;
            object tok     = m_handleTable[typePtr];

            if (tok == null)
            {
                // Second lookup, keyed by assembly-qualified name, also without the lock.
                String typeStr = cls.AssemblyQualifiedName;
                tok = m_tokenTable != null ? m_tokenTable[typeStr] : null; // Assumes asynchronous lookups are safe
                if (tok == null)
                {
                    // NOTE(review): lock (this) lets any code holding a reference to this
                    // object contend on the same monitor; a private lock object would avoid
                    // that, but it needs a field outside this method.
                    lock (this)
                    {
                        if (m_tokenTable != null)
                        {
                            tok = m_tokenTable[typeStr]; // Make sure it wasn't just added
                        }
                        else
                        {
                            // The name table is created lazily, under the lock.
                            m_tokenTable = new Hashtable(m_size, 1.0f, new PermissionTokenKeyComparer(CultureInfo.InvariantCulture));
                        }

                        if (tok == null)
                        {
                            // Still unknown: allocate the next index and classify the token.
                            if (perm != null)
                            {
                                if (CodeAccessPermission.CanUnrestrictedOverride(perm))
                                {
                                    tok = new PermissionToken(m_index++, PermissionTokenType.IUnrestricted, typeStr);
                                }
                                else
                                {
                                    tok = new PermissionToken(m_index++, PermissionTokenType.Normal, typeStr);
                                }
                            }
                            else
                            {
                                // No instance available: classify from the type's interfaces.
                                if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null)
                                {
                                    tok = new PermissionToken(m_index++, PermissionTokenType.IUnrestricted, typeStr);
                                }
                                else
                                {
                                    tok = new PermissionToken(m_index++, PermissionTokenType.Normal, typeStr);
                                }
                            }
                            // Register by name, by index (m_index was already incremented,
                            // hence m_index - 1) and in the static token set.
                            m_tokenTable.Add(typeStr, tok);
                            m_indexTable.Add(m_index - 1, tok);
                            PermissionToken.s_tokenSet.SetItem(((PermissionToken)tok).m_index, tok);
                        }

                        // Cache by type handle; Contains guards against another thread
                        // having added the same handle first (Add would otherwise throw).
                        if (!m_handleTable.Contains(typePtr))
                        {
                            m_handleTable.Add(typePtr, tok);
                        }
                    }
                }
                else
                {
                    // Found by name only: add the handle-keyed entry under the lock.
                    lock (this)
                    {
                        if (!m_handleTable.Contains(typePtr))
                        {
                            m_handleTable.Add(typePtr, tok);
                        }
                    }
                }
            }

            // A token still flagged DontKnow is classified now.
            // NOTE(review): m_type and m_strTypeName are written here without holding the
            // lock taken above; confirm that concurrent callers cannot observe a
            // half-updated token or disagree on the classification.
            if ((((PermissionToken)tok).m_type & PermissionTokenType.DontKnow) != 0)
            {
                if (perm != null)
                {
                    BCLDebug.Assert(!(perm is IBuiltInPermission), "This should not be called for built-ins");
                    if (CodeAccessPermission.CanUnrestrictedOverride(perm))
                    {
                        ((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted;
                    }
                    else
                    {
                        ((PermissionToken)tok).m_type = PermissionTokenType.Normal;
                    }
                    // The stored name comes from the instance's runtime type, not from cls.
                    ((PermissionToken)tok).m_strTypeName = perm.GetType().AssemblyQualifiedName;
                }
                else
                {
                    BCLDebug.Assert(cls.GetInterface("System.Security.Permissions.IBuiltInPermission") == null, "This shoudl not be called for built-ins");
                    if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null)
                    {
                        ((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted;
                    }
                    else
                    {
                        ((PermissionToken)tok).m_type = PermissionTokenType.Normal;
                    }
                    ((PermissionToken)tok).m_strTypeName = cls.AssemblyQualifiedName;
                }
            }

            return((PermissionToken)tok);
        }
コード例 #3
        /// <summary>
        /// Tests a demand against an assert set and reports whether the stack walk should stop.
        /// </summary>
        /// <param name="pSet">Assert set, or null when none is present.</param>
        /// <param name="demand">Permission being demanded.</param>
        /// <param name="permToken">Token handed to <c>pSet.CheckDecoded</c>.</param>
        /// <returns>
        /// <c>SecurityRuntime.StackHalt</c> if the set asserts the demand;
        /// <c>SecurityRuntime.StackContinue</c> in every other case, including when the
        /// comparison throws <see cref="ArgumentException"/>.
        /// </returns>
        static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken)
        {
            bool assertCoversDemand = false;

            if (pSet != null)
            {
                pSet.CheckDecoded(demand, permToken);

                CodeAccessPermission assertedPerm = (CodeAccessPermission)pSet.GetPermission(demand);

                try
                {
                    // An unrestricted assert covers any demand that allows unrestricted
                    // override; otherwise the permission itself decides.
                    assertCoversDemand =
                        (pSet.IsUnrestricted() && demand.CanUnrestrictedOverride()) || demand.CheckAssert(assertedPerm);
                }
                catch (ArgumentException)
                {
                    // Left empty on purpose: the flag stays false, so a failed comparison
                    // never halts the walk and the callers are still checked.
                }
            }

            if (assertCoversDemand)
            {
                return SecurityRuntime.StackHalt;
            }

            return SecurityRuntime.StackContinue;
        }
コード例 #4
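        /// <summary>
        /// Checks one demand against a granted set and an optional refused set.
        /// </summary>
        /// <param name="grantedSet">Permissions granted; null fails the check.</param>
        /// <param name="refusedSet">Permissions refused, or null when there are none.</param>
        /// <param name="demand">Permission being demanded; must not be null.</param>
        /// <param name="permToken">Token for the demand; looked up from <paramref name="demand"/> when null.</param>
        /// <param name="rmh">Method handle forwarded to <c>ThrowSecurityException</c>.</param>
        /// <param name="assemblyOrString">Context object forwarded to <c>ThrowSecurityException</c>.</param>
        /// <param name="action">Security action forwarded to <c>ThrowSecurityException</c>.</param>
        /// <param name="throwException">
        /// When true a failed check is reported through <c>ThrowSecurityException</c>;
        /// when false the method returns false instead.
        /// </param>
        /// <returns>True when the demand is granted and not refused; false on failure when not throwing.</returns>
        internal static bool CheckHelper(PermissionSet grantedSet,
                                        PermissionSet refusedSet,
                                        CodeAccessPermission demand, 
                                        PermissionToken permToken,
                                        RuntimeMethodHandle rmh,
                                        Object assemblyOrString,
                                        SecurityAction action,
                                        bool throwException)
        {
            // We should never get here with a null demand
            BCLDebug.Assert(demand != null, "Should not reach here with a null demand");

    #if _DEBUG
            if (debug)
            {
                // grantedSet may legitimately be null (handled below), so guard the
                // dump the same way refusedSet is guarded instead of dereferencing it.
                DEBUG_OUT("Granted: ");
                DEBUG_OUT(grantedSet != null ? grantedSet.ToXml().ToString() : "<null>");
                DEBUG_OUT("Refused: ");
                DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>");
                DEBUG_OUT("Demanded: ");
                DEBUG_OUT(demand.ToString());
            }
    #endif

            if (permToken == null)
            {
                permToken = PermissionToken.GetToken(demand);
            }

            if (grantedSet != null)
            {
                grantedSet.CheckDecoded(permToken.m_index);
            }
            if (refusedSet != null)
            {
                refusedSet.CheckDecoded(permToken.m_index);
            }

            // The previous thread-security state is restored in the finally block.
            bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);

            try
            {
                // If PermissionSet is null, then module does not have Permissions... Fail check.
                if (grantedSet == null)
                {
                    if (throwException)
                    {
                        ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                    }
                    else
                    {
                        return false;
                    }
                }
                else if (!grantedSet.IsUnrestricted() || !demand.CanUnrestrictedOverride())
                {
                    // If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted
                    // variety, we need to do the proper callback.

                    BCLDebug.Assert(demand != null,"demand != null");

                    // Find the permission of matching type in the permission set.
                    CodeAccessPermission grantedPerm = 
                                (CodeAccessPermission)grantedSet.GetPermission(permToken);

                    // Make sure the demand has been granted
                    if (!demand.CheckDemand( grantedPerm ))
                    {
                        if (throwException)
                        {
                            ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                        }
                        else
                        {
                            return false;
                        }
                    }
                }

                // Make sure the permission is not refused.
                if (refusedSet != null)
                {
                    CodeAccessPermission refusedPerm = 
                        (CodeAccessPermission)refusedSet.GetPermission(permToken);
                    if (refusedPerm != null)
                    {
                        if (!refusedPerm.CheckDeny(demand))
                        {
        #if _DEBUG
                            if (debug)
                            {
                                DEBUG_OUT( "Permission found in refused set" );
                            }
        #endif
                            if (throwException)
                            {
                                ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                            }
                            else
                            {
                                return false;
                            }
                        }
                    }

                    // An unrestricted refused set refuses every demand that allows
                    // unrestricted override, even without a matching entry.
                    if (refusedSet.IsUnrestricted() && demand.CanUnrestrictedOverride())
                    {
                        if (throwException)
                        {
                            ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                        }
                        else
                        {
                            return false;
                        }
                    }
                }
            }
            catch (SecurityException)
            {
                // Security failures propagate unchanged.
                throw;
            }
            catch (Exception)
            {
                // Any exception besides a security exception in this code means that
                // a permission was unable to properly handle what we asked of it.
                // We will define this to mean that the demand failed.
                if (throwException)
                {
                    ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                }
                else
                {
                    return false;
                }
            }
            catch
            {
                // NOTE(review): this path returns false even when throwException is true.
                // The demand still fails, but only for callers that inspect the return
                // value; confirm every throwException=true caller does.
                return false;
            }
            finally
            {
                if (bThreadSecurity)
                {
                    SecurityManager._SetThreadSecurity(true);
                }
            }

            DEBUG_OUT( "Check passed" );
            return true;
        }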
コード例 #5
        /// <summary>
        /// Evaluates this frame's permit-only, deny and assert sets against a demand,
        /// in that order.
        /// </summary>
        /// <param name="demand">Permission being demanded; expected to be non-null and non-empty.</param>
        /// <param name="permToken">Token passed to the sets' <c>CheckDecoded</c> calls.</param>
        /// <param name="rmh">Method handle used to fill in the SecurityException.</param>
        /// <param name="fDeclarative">Selects which permit-only / deny / assert sets are read.</param>
        /// <returns>
        /// <c>SecurityRuntime.StackHalt</c> when <c>GetAssertAllPossible()</c> is true or the
        /// assert set covers the demand; otherwise <c>SecurityRuntime.StackContinue</c>.
        /// </returns>
        /// <exception cref="SecurityException">
        /// The permit-only set does not allow the demand, or the deny set denies it.
        /// </exception>
        internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandle rmh, bool fDeclarative)
        {
            PermissionSet permSet;

            // Assert only: a null or empty demand is expected to have been filtered out earlier.
            BCLDebug.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point");

            // Call CheckDecoded on each set selected by fDeclarative before it is queried.
            if (GetPermitOnly(fDeclarative) != null)
            {
                GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
            }

            if (GetDenials(fDeclarative) != null)
            {
                GetDenials(fDeclarative).CheckDecoded(demand, permToken);
            }

            if (GetAssertions(fDeclarative) != null)
            {
                GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
            }

            // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper

            // The previous state is restored in the finally block, including when a
            // SecurityException leaves this method.
            bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);

            // Check Reduction

            try
            {
                permSet = GetPermitOnly(fDeclarative);
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);

                    // If the permit only set does not contain the demanded permission, throw a security exception
                    if (perm == null)
                    {
                        // No matching entry is acceptable only when the set is unrestricted
                        // and the demand allows unrestricted override.
                        if (!(permSet.IsUnrestricted() && demand.CanUnrestrictedOverride()))
                        {
                            throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                        }
                    }
                    else
                    {
                        // Starts as true so that an ArgumentException from the comparison
                        // leaves it set: a failed comparison rejects the demand.
                        bool bNeedToThrow = true;

                        try
                        {
                            bNeedToThrow = !demand.CheckPermitOnly(perm);
                        }
                        catch (ArgumentException)
                        {
                        }

                        if (bNeedToThrow)
                        {
                            throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                        }
                    }
                }

                // Check Denials

                permSet = GetDenials(fDeclarative);
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);

                    // If an unrestricted set was denied and the demand implements IUnrestricted
                    if (permSet.IsUnrestricted() && demand.CanUnrestrictedOverride())
                    {
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }

                    // If the deny set does contain the demanded permission, throw a security exception.
                    // As above, the flag defaults to true so a comparison that throws
                    // ArgumentException is treated as a denial.
                    bool bNeedToThrow = true;
                    try
                    {
                        bNeedToThrow = !demand.CheckDeny(perm);
                    }
                    catch (ArgumentException)
                    {
                    }
                    if (bNeedToThrow)
                    {
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                }

                // Asserts are only considered after permit-only and deny have passed,
                // so a frame cannot assert its way past its own restrictions.
                if (GetAssertAllPossible())
                {
                    return(SecurityRuntime.StackHalt);
                }

                permSet = GetAssertions(fDeclarative);
                // Check Assertions
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);

                    // If the assert set does contain the demanded permission, halt the stackwalk

                    try
                    {
                        if ((permSet.IsUnrestricted() && demand.CanUnrestrictedOverride()) || (demand.CheckAssert(perm)))
                        {
                            return(SecurityRuntime.StackHalt);
                        }
                    }
                    catch (ArgumentException)
                    {
                        // Swallowed: the assert is not honored and the walk continues.
                    }
                }
            }
            finally
            {
                if (bThreadSecurity)
                {
                    SecurityManager._SetThreadSecurity(true);
                }
            }

            return(SecurityRuntime.StackContinue);
        }
コード例 #6
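        /// <summary>
        /// Verifies that a demand is covered by the granted set and not blocked by the refused set.
        /// </summary>
        /// <param name="grantedSet">Granted permissions; a null set fails the check.</param>
        /// <param name="refusedSet">Refused permissions, or null.</param>
        /// <param name="demand">Demanded permission; must not be null.</param>
        /// <param name="permToken">Token for the demand; resolved from <paramref name="demand"/> when null.</param>
        /// <param name="rmh">Passed to <c>ThrowSecurityException</c>.</param>
        /// <param name="assemblyOrString">Passed to <c>ThrowSecurityException</c>.</param>
        /// <param name="action">Passed to <c>ThrowSecurityException</c>.</param>
        /// <param name="throwException">
        /// True to report failure through <c>ThrowSecurityException</c>, false to return false.
        /// </param>
        /// <returns>True if the check passes; false if it fails and no exception is raised.</returns>
        internal static bool CheckHelper(PermissionSet grantedSet,
                                         PermissionSet refusedSet,
                                         CodeAccessPermission demand,
                                         PermissionToken permToken,
                                         RuntimeMethodHandle rmh,
                                         Object assemblyOrString,
                                         SecurityAction action,
                                         bool throwException)
        {
            // We should never get here with a null demand
            BCLDebug.Assert(demand != null, "Should not reach here with a null demand");

    #if _DEBUG
            if (debug)
            {
                // A null grantedSet is a valid input (it fails the check below), so the
                // debug dump must not dereference it unconditionally.
                DEBUG_OUT("Granted: ");
                DEBUG_OUT(grantedSet != null ? grantedSet.ToXml().ToString() : "<null>");
                DEBUG_OUT("Refused: ");
                DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>");
                DEBUG_OUT("Demanded: ");
                DEBUG_OUT(demand.ToString());
            }
    #endif

            if (permToken == null)
            {
                permToken = PermissionToken.GetToken(demand);
            }

            if (grantedSet != null)
            {
                grantedSet.CheckDecoded(permToken.m_index);
            }
            if (refusedSet != null)
            {
                refusedSet.CheckDecoded(permToken.m_index);
            }

            // If PermissionSet is null, then module does not have Permissions... Fail check.

            // The value returned here is used in the finally block to restore the state.
            bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);

            try
            {
                if (grantedSet == null)
                {
                    if (throwException)
                    {
                        ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                    }
                    else
                    {
                        return(false);
                    }
                }

                else if (!grantedSet.IsUnrestricted() || !demand.CanUnrestrictedOverride())
                {
                    // If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted
                    // variety, we need to do the proper callback.

                    BCLDebug.Assert(demand != null, "demand != null");

                    // Find the permission of matching type in the permission set.

                    CodeAccessPermission grantedPerm =
                        (CodeAccessPermission)grantedSet.GetPermission(permToken);

                    // Make sure the demand has been granted
                    if (!demand.CheckDemand(grantedPerm))
                    {
                        if (throwException)
                        {
                            ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                        }
                        else
                        {
                            return(false);
                        }
                    }
                }

                // Make sure the permission is not refused.

                if (refusedSet != null)
                {
                    CodeAccessPermission refusedPerm =
                        (CodeAccessPermission)refusedSet.GetPermission(permToken);
                    if (refusedPerm != null)
                    {
                        if (!refusedPerm.CheckDeny(demand))
                        {
        #if _DEBUG
                            if (debug)
                            {
                                DEBUG_OUT("Permission found in refused set");
                            }
        #endif
                            if (throwException)
                            {
                                ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                            }
                            else
                            {
                                return(false);
                            }
                        }
                    }

                    // An unrestricted refused set blocks any demand that allows
                    // unrestricted override, with or without a matching entry.
                    if (refusedSet.IsUnrestricted() && demand.CanUnrestrictedOverride())
                    {
                        if (throwException)
                        {
                            ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                        }
                        else
                        {
                            return(false);
                        }
                    }
                }
            }
            catch (SecurityException)
            {
                // Already a security failure: let it propagate as is.
                throw;
            }
            catch (Exception)
            {
                // Any exception besides a security exception in this code means that
                // a permission was unable to properly handle what we asked of it.
                // We will define this to mean that the demand failed.
                if (throwException)
                {
                    ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
                }
                else
                {
                    return(false);
                }
            }
            catch
            {
                // NOTE(review): unlike the handler above, this one ignores throwException
                // and always returns false. That is only a failed demand for callers that
                // check the return value; confirm throwException=true callers do.
                return(false);
            }
            finally
            {
                if (bThreadSecurity)
                {
                    SecurityManager._SetThreadSecurity(true);
                }
            }

            DEBUG_OUT("Check passed");
            return(true);
        }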
コード例 #7
        /// <summary>
        /// Runs a demand through this frame's permit-only, deny and assert sets, in that order.
        /// </summary>
        /// <param name="demand">Demanded permission; expected to be non-null and non-empty.</param>
        /// <param name="permToken">Token handed to each set's <c>CheckDecoded</c>.</param>
        /// <param name="rmh">Method handle used when building the SecurityException.</param>
        /// <param name="fDeclarative">Selects which permit-only / deny / assert sets are read.</param>
        /// <returns>
        /// <c>SecurityRuntime.StackHalt</c> if the frame asserts the demand,
        /// otherwise <c>SecurityRuntime.StackContinue</c>.
        /// </returns>
        /// <exception cref="SecurityException">The demand is outside the permit-only set or is denied.</exception>
        internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandle rmh, bool fDeclarative)
        {
            PermissionSet frameSet;

            // If the demand is null, there is no need to continue
            BCLDebug.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point");

            // Call CheckDecoded on every set that exists before querying it.
            if (GetPermitOnly(fDeclarative) != null)
            {
                GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
            }

            if (GetDenials(fDeclarative) != null)
            {
                GetDenials(fDeclarative).CheckDecoded(demand, permToken);
            }

            if (GetAssertions(fDeclarative) != null)
            {
                GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
            }

            // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper

            // Remember the previous state so the finally block can put it back.
            bool restoreThreadSecurity = SecurityManager._SetThreadSecurity(false);

            try
            {
                // Step 1: permit-only (reduction).
                frameSet = GetPermitOnly(fDeclarative);
                if (frameSet != null)
                {
                    CodeAccessPermission permitted = (CodeAccessPermission)frameSet.GetPermission(demand);

                    if (permitted != null)
                    {
                        // Defaults to true: a comparison that throws ArgumentException
                        // leaves the flag set and the demand is rejected.
                        bool mustThrow = true;

                        try
                        {
                            mustThrow = !demand.CheckPermitOnly(permitted);
                        }
                        catch (ArgumentException)
                        {
                        }

                        if (mustThrow)
                        {
                            throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, frameSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                        }
                    }
                    else if (!frameSet.IsUnrestricted() || !demand.CanUnrestrictedOverride())
                    {
                        // The permit-only set has no entry for the demand and is not an
                        // unrestricted set the demand can ride on.
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, frameSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                }

                // Step 2: denials.
                frameSet = GetDenials(fDeclarative);
                if (frameSet != null)
                {
                    CodeAccessPermission denied = (CodeAccessPermission)frameSet.GetPermission(demand);

                    // If an unrestricted set was denied and the demand implements IUnrestricted
                    if (frameSet.IsUnrestricted() && demand.CanUnrestrictedOverride())
                    {
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), frameSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }

                    // Same default as above: a failing comparison counts as a denial.
                    bool mustThrow = true;
                    try
                    {
                        mustThrow = !demand.CheckDeny(denied);
                    }
                    catch (ArgumentException)
                    {
                    }

                    if (mustThrow)
                    {
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), frameSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                }

                // Step 3: assertions, reached only when neither check above threw.
                if (GetAssertAllPossible())
                {
                    return SecurityRuntime.StackHalt;
                }

                frameSet = GetAssertions(fDeclarative);
                if (frameSet != null)
                {
                    CodeAccessPermission asserted = (CodeAccessPermission)frameSet.GetPermission(demand);

                    // If the assert set does contain the demanded permission, halt the stackwalk
                    try
                    {
                        if ((frameSet.IsUnrestricted() && demand.CanUnrestrictedOverride()) || (demand.CheckAssert(asserted)))
                        {
                            return SecurityRuntime.StackHalt;
                        }
                    }
                    catch (ArgumentException)
                    {
                        // Swallowed: the assert is not honored and the walk goes on.
                    }
                }
            }
            finally
            {
                if (restoreThreadSecurity)
                {
                    SecurityManager._SetThreadSecurity(true);
                }
            }

            return SecurityRuntime.StackContinue;
        }