public static AuthorizationRuleCollection GetAccess(PSObject instance)
{
AuthorizationRuleCollection accessRules;
if (instance != null)
{
ObjectSecurity baseObject = instance.BaseObject as ObjectSecurity;
if (baseObject == null)
{
PSTraceSource.NewArgumentException("instance");
}
CommonObjectSecurity commonObjectSecurity = baseObject as CommonObjectSecurity;
if (commonObjectSecurity == null)
{
DirectoryObjectSecurity directoryObjectSecurity = baseObject as DirectoryObjectSecurity;
accessRules = directoryObjectSecurity.GetAccessRules(true, true, typeof(NTAccount));
}
else
{
accessRules = commonObjectSecurity.GetAccessRules(true, true, typeof(NTAccount));
}
return(accessRules);
}
else
{
throw PSTraceSource.NewArgumentNullException("instance");
}
}
private FileSystemRights GetFileSystemRights(CommonObjectSecurity objectSecurity)
{
AuthorizationRuleCollection accessRules = objectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
FileSystemRights fileSystemAllowRights = 0;
FileSystemRights fileSystemDenyRights = 0;
foreach (FileSystemAccessRule accessRule in accessRules)
{
IdentityReference identityReference = accessRule.IdentityReference;
if (identityReference != _currentUserIdentifier && _currentUserGroups.All(reference => reference != identityReference))
{
continue;
}
if (accessRule.AccessControlType == AccessControlType.Deny)
{
fileSystemDenyRights = fileSystemDenyRights | accessRule.FileSystemRights;
}
else
{
fileSystemAllowRights = fileSystemAllowRights | accessRule.FileSystemRights;
}
}
return(fileSystemAllowRights & (~fileSystemDenyRights));
}
public SecurityAttributes(CommonObjectSecurity objectSecurity)
{
_length = Marshal.SizeOf(typeof(SecurityAttributes));
byte[] src = objectSecurity.GetSecurityDescriptorBinaryForm();
_securityDescriptor = Marshal.AllocHGlobal(src.Length);
Marshal.Copy(src, 0, _securityDescriptor, src.Length);
_inheritHandle = false;
}
public SecuredObject(CommonObjectSecurity security, string objName, string displayName)
{
ObjectSecurity = security;
ObjectName = objName;
DisplayName = displayName;
IsContainer = IsContainerObject(ObjectSecurity);
MandatoryLabel = new SystemMandatoryLabel(ObjectSecurity);
}
private static string GetPermissions(CommonObjectSecurity fileSystemSecurity)
{
var accessRules = fileSystemSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
.Cast <FileSystemAccessRule>()
.Where(x => x.IdentityReference == WindowsIdentity.GetCurrent().User)
.ToArray();
return(GetEffectiveRights(accessRules).ToString());
}
private static bool FindMatch(CommonObjectSecurity security, FileSystemAccessRule rule)
=> security.GetAccessRules(true, false, typeof(SecurityIdentifier))
.OfType <FileSystemAccessRule>()
.Any(
ar =>
ar.IdentityReference.Equals(rule.IdentityReference) &&
ar.FileSystemRights.Equals(rule.FileSystemRights) &&
ar.InheritanceFlags.Equals(rule.InheritanceFlags) &&
ar.PropagationFlags.Equals(rule.PropagationFlags));
private static T GetEffectiveRights <T, R>(CommonObjectSecurity securityObject, WindowsIdentity windowsIdentity) where T : struct, IConvertible where R : AccessRule
{
if (!typeof(T).IsEnum)
{
throw new ArgumentException($"Type '{typeof(T).FullName}' is not an enum");
}
if (windowsIdentity == null)
{
throw new ArgumentNullException(nameof(windowsIdentity));
}
if (securityObject == null)
{
throw new ArgumentNullException(nameof(securityObject));
}
int denyRights = 0, allowRights = 0;
// get all access rules for the path - this works for a directory path as well as a file path
AuthorizationRuleCollection authorizationRules = securityObject.GetAccessRules(true, true, typeof(SecurityIdentifier));
// get the user's sids
List <string> sids = new List <string>(windowsIdentity.Groups.Select(g => g.Value));
sids.Insert(0, windowsIdentity.User.Value);
// get the access rules filtered by the user's sids
var rules = (from rule in authorizationRules.Cast <R>()
where sids.Contains(rule.IdentityReference.Value)
select rule);
System.Reflection.PropertyInfo pi = null;
foreach (var rule in rules)
{
if (pi == null)
{
pi = rule.GetType().GetProperty("AccessMask", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance, null, typeof(int), Type.EmptyTypes, null);
}
if (pi == null)
{
throw new InvalidOperationException("Unable to retrieve access mask.");
}
if (rule.AccessControlType == AccessControlType.Deny)
{
denyRights |= (int)pi.GetValue(rule, null);
}
else
{
allowRights |= (int)pi.GetValue(rule, null);
}
}
return((T)Enum.ToObject(typeof(T), (allowRights | denyRights) ^ denyRights));
}
private static bool ModifyACL(string user, FileSystemRights rights, CommonObjectSecurity security)
{
var rule = GetAccessRule(user, rights);
if (FindMatch(security, rule))
{
return(false);
}
bool modified;
security.ModifyAccessRule(AccessControlModification.Add, rule, out modified);
return(modified);
}
public List <SecurityIdentifier> SearchObjectSecurity(CommonObjectSecurity security)
{
List <SecurityIdentifier> retval = new List <SecurityIdentifier>();
string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
foreach (SecurityIdentifier sid in SearchList)
{
if (sddl.Contains(sid.ToString()))
{
retval.Add(sid);
}
}
return(retval);
}
private static void ShowSecurity(CommonObjectSecurity security)
{
AuthorizationRuleCollection coll = security.GetAccessRules(true, true, typeof(NTAccount));
foreach (FileSystemAccessRule rule in coll)
{
Console.WriteLine("IdentityReference: {0}", rule.IdentityReference);
Console.WriteLine("Access control type: {0}", rule.AccessControlType);
Console.WriteLine("Rights: {0}", rule.FileSystemRights);
Console.WriteLine("Inherited? {0}", rule.IsInherited);
Console.WriteLine();
}
}
public static object GetAccessMask(CommonObjectSecurity acl, AuthorizationRule rule)
{
if (rule.GetType() == acl.AccessRuleType || rule.GetType() == acl.AuditRuleType)
{
Type accRightType = acl.AccessRightType;
foreach (var pi in rule.GetType().GetProperties())
{
if (pi.PropertyType == accRightType)
{
return(Enum.ToObject(accRightType, pi.GetValue(rule, null)));
}
}
}
throw new ArgumentException();
}
/// <summary>
/// Identities the has accces.
/// </summary>
/// <param name="identity">The identity.</param>
/// <param name="security">The security.</param>
/// <param name="fileSystemRights">The file system rights.</param>
/// <returns>
/// <c>true</c> if [has identity accces] [the specified identity]; otherwise, <c>false</c>.
/// </returns>
private static bool HasIdentityAccces(WindowsIdentity identity, CommonObjectSecurity security, FileSystemRights fileSystemRights)
{
var allReference = GetAllReference(identity);
var authorizationRuleCollection = security.GetAccessRules(true, true, domain);
foreach (FileSystemAccessRule fileSystemAccessRule in authorizationRuleCollection)
{
if (AccessControlType.Allow == fileSystemAccessRule.AccessControlType &&
fileSystemRights == (fileSystemAccessRule.FileSystemRights & fileSystemRights) &&
allReference.Contains(fileSystemAccessRule.IdentityReference)
)
{
return(true);
}
}
return(false);
}
public SystemMandatoryLabel(CommonObjectSecurity sec)
{
Policy = SystemMandatoryLabelPolicy.None;
Level = SystemMandatoryLabelLevel.None;
try
{
var sd = new RawSecurityDescriptor(sec.GetSecurityDescriptorBinaryForm(), 0);
if (sd.SystemAcl != null)
{
foreach (var ace in sd.SystemAcl)
{
if ((int)ace.AceType == 0x11)
{
byte[] aceBytes = new byte[ace.BinaryLength];
ace.GetBinaryForm(aceBytes, 0);
//_policy = new IntegrityPolicy(aceBytes, 4);
//_level = new IntegrityLevel(aceBytes, 8);
}
}
}
}
catch { }
/*byte[] saclBinaryForm = new byte[sd.SystemAcl.BinaryLength];
* sd.SystemAcl.GetBinaryForm(saclBinaryForm, 0);
* GenericAce ace = null;
* if (null != saclBinaryForm)
* {
* RawAcl aclRaw = new RawAcl(saclBinaryForm, 0);
* if (0 >= aclRaw.Count) throw new ArgumentException("No ACEs in ACL", "saclBinaryForm");
* ace = aclRaw[0];
* if (Win32.SYSTEM_MANDATORY_LABEL_ACE_TYPE != (int)ace.AceType)
* throw new ArgumentException("No Mandatory Integrity Label in ACL", "saclBinaryForm");
* byte[] aceBytes = new byte[ace.BinaryLength];
* ace.GetBinaryForm(aceBytes, 0);
* _policy = new IntegrityPolicy(aceBytes, 4);
* _level = new IntegrityLevel(aceBytes, 8);
* return;
* }
* throw new ArgumentNullException("saclBinaryForm");*/
}
private void VerifyAccessSecurity(CommonObjectSecurity expectedSecurity, CommonObjectSecurity actualSecurity)
{
Assert.Equal(typeof(FileSystemRights), expectedSecurity.AccessRightType);
Assert.Equal(typeof(FileSystemRights), actualSecurity.AccessRightType);
List <FileSystemAccessRule> expectedAccessRules = expectedSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier))
.Cast <FileSystemAccessRule>().ToList();
List <FileSystemAccessRule> actualAccessRules = actualSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier))
.Cast <FileSystemAccessRule>().ToList();
Assert.Equal(expectedAccessRules.Count, actualAccessRules.Count);
if (expectedAccessRules.Count > 0)
{
Assert.All(expectedAccessRules, actualAccessRule =>
{
int count = expectedAccessRules.Count(expectedAccessRule => AreAccessRulesEqual(expectedAccessRule, actualAccessRule));
Assert.True(count > 0);
});
}
}
public static ResourceType GetResourceType(CommonObjectSecurity sec)
{
switch (sec.GetType().Name)
{
case "FileSecurity":
case "DirectorySecurity":
case "CryptoKeySecurity":
return(ResourceType.FileObject);
case "PipeSecurity":
case "EventWaitHandleSecurity":
case "MutexSecurity":
case "MemoryMappedFileSecurity":
case "SemaphoreSecurity":
return(ResourceType.KernelObject);
case "RegistrySecurity":
return(ResourceType.RegistryKey);
case "TaskSecurity":
return(Community.Windows.Forms.AccessControlEditorDialog.TaskResourceType);
}
return(ResourceType.Unknown);
}
/// <summary>Initializes the dialog with the specified <see cref="CommonObjectSecurity"/> value and names.</summary>
/// <param name="objSecurity">The object security.</param>
/// <param name="objName">Name of the object.</param>
/// <param name="displayName">The display name.</param>
public void Initialize(CommonObjectSecurity objSecurity, string objName, string displayName)
{
Initialize(new SecuredObject(objSecurity, objName, displayName));
}
private FileSystemObjectProperties GetFileSystemObjectProperties(FileSystemInfo info, CommonObjectSecurity objectSecurity)
{
IdentityReference owner = objectSecurity.GetOwner(typeof(NTAccount));
string objectOwner = owner != null ? owner.Value : "Unknown";
return(new FileSystemObjectProperties
{
Name = info.Name,
CreationTime = info.CreationTime,
LastWriteTime = info.LastWriteTime,
LastAccessTime = info.LastAccessTime,
Attributes = info.Attributes,
FileSystemRights = GetFileSystemRights(objectSecurity),
Owner = objectOwner
});
}
public static bool IsContainerObject(CommonObjectSecurity sec)
{
var secTypeName = sec.GetType().Name;
return(!Array.Exists(nonContainerTypes, s => secTypeName == s));
}
private static bool IsFileSystemAccessRuleSet(FileSystemRights rights, CommonObjectSecurity commonObjectSecurity, AccessControlType accessControlType)
{
AuthorizationRuleCollection rules = commonObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
return(rules.OfType <FileSystemAccessRule>().Any(fs => fs.FileSystemRights.HasFlag(rights) && fs.AccessControlType == accessControlType));
}
public static bool IsContainerObject(CommonObjectSecurity sec)
{
string secTypeName = sec.GetType().Name;
return(!Array.Exists <string>(nonContainerTypes, delegate(string s) { return secTypeName == s; }));
}
