public override void ExecuteCmdlet()
{
var currentAccount = DataLakeStoreClient.GetAccount(ResourceGroupName, Name);
var location = currentAccount.Location;
if (string.IsNullOrEmpty(DefaultGroup))
{
DefaultGroup = currentAccount.Properties.DefaultGroup;
}
if (Tags == null)
{
Tags = TagsConversionHelper.CreateTagHashtable(currentAccount.Tags);
}
// validation of encryption parameters
if (Encryption != null)
{
var identity = new EncryptionIdentity
{
Type = EncryptionIdentityType.SystemAssigned,
};
var config = new EncryptionConfig
{
Type = Encryption.Value,
};
if (Encryption.Value == EncryptionConfigType.UserManaged)
{
if (string.IsNullOrEmpty(KeyVaultId) ||
string.IsNullOrEmpty(KeyName) ||
string.IsNullOrEmpty(KeyVersion))
{
throw new PSArgumentException(Resources.MissingKeyVaultParams);
}
config.KeyVaultMetaInfo = new KeyVaultMetaInfo
{
KeyVaultResourceId = KeyVaultId,
EncryptionKeyName = KeyName,
EncryptionKeyVersion = KeyVersion
};
}
else
{
if (!string.IsNullOrEmpty(KeyVaultId) ||
!string.IsNullOrEmpty(KeyName) ||
!string.IsNullOrEmpty(KeyVersion))
{
WriteWarning(Resources.IgnoredKeyVaultParams);
}
}
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, location, Tags, identity, config));
}
else
{
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, location, Tags));
}
}
/// <summary>
/// Encrypt a new password.This will also include key derivation value, num bytes, iterations, salt,
/// </summary>
/// <returns>
/// Encrypted value of the password provided.
/// </returns>
public static string EncryptNewPassword(EncryptionConfig encrConfig, string password)
{
var randomSalt = new byte[16];
//populate new salt w/ random bytes
using (RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider())
{
rngCsp.GetBytes(randomSalt);
}
EncryptionLevelConfig encrLevel = encrConfig.Levels.Find(e => e.Id == encrConfig.CurrentLevel);
if (encrLevel == null)
{
throw new ArgumentNullException($"Encryption Config Level is missing. Check appSettings.json. Current Level: {encrConfig.CurrentLevel}");
}
// derive a 256-bit sub key (use HMACSHA256 with 20,000 iterations)
var hashed = Convert.ToBase64String(KeyDerivation.Pbkdf2(
password: password,
salt: randomSalt,
prf: encrLevel.PRF,
iterationCount: encrLevel.Iterations,
numBytesRequested: encrLevel.NumBytes));
//return
return($"{((int)encrLevel.Id).ToString()}{_delimiter}" +
$"{Convert.ToBase64String(randomSalt)}{_delimiter}" +
$"{hashed}");
}
/// <summary>
///
/// </summary>
/// <param name="config"></param>
/// <returns></returns>
public static RestSharpEncryptionInterceptor From(EncryptionConfig config)
{
if (config.Scheme.Equals(EncryptionConfig.EncryptionScheme.Jwe))
{
return(new RestSharpJweEncryptionInterceptor((JweConfig)config));
}
return(new RestSharpFieldLevelEncryptionInterceptor((FieldLevelEncryptionConfig)config));
}
public void EncryptionConfig_Render()
{
EncryptionConfig config;
config = EncryptionConfig.Parse("foo:10");
Assert.AreEqual("foo:10", config.ToString());
config = EncryptionConfig.Parse("foo:10,20");
Assert.AreEqual("foo:10,20", config.ToString());
}
public void TestFrom_ShouldReturnTheCorrectInterceptor()
{
// GIVEN
EncryptionConfig config = TestUtils.GetTestJweConfigBuilder().Build();
// WHEN
RestSharpEncryptionInterceptor interceptor = RestSharpEncryptionInterceptor.From(config);
// THEN
Assert.IsTrue(interceptor is RestSharpJweEncryptionInterceptor);
}
public EncryptionClient(ClientConfig clientConfig = null,
EncryptionConfig config = null) : base(clientConfig)
{
if (this.config == null)
{
this.config = EncryptionConfig.DEFAULT_CONFIG;
}
else
{
this.config = config;
}
}
public DataLakeStoreAccount CreateAccount(
string resourceGroupName,
string accountName,
string defaultGroup,
string location,
Hashtable customTags = null,
EncryptionIdentity identity = null,
EncryptionConfig config = null,
IList <TrustedIdProvider> trustedProviders = null,
IList <FirewallRule> firewallRules = null)
{
if (string.IsNullOrEmpty(resourceGroupName))
{
resourceGroupName = GetResourceGroupByAccount(accountName);
}
var tags = TagsConversionHelper.CreateTagDictionary(customTags, true);
var parameters = new DataLakeStoreAccount
{
Location = location,
DefaultGroup = defaultGroup,
Tags = tags ?? new Dictionary <string, string>()
};
if (identity != null)
{
parameters.EncryptionState = EncryptionState.Enabled;
parameters.Identity = identity;
parameters.EncryptionConfig = config ?? new EncryptionConfig
{
Type = EncryptionConfigType.ServiceManaged
};
}
if (trustedProviders != null && trustedProviders.Count > 0)
{
parameters.TrustedIdProviders = trustedProviders;
parameters.TrustedIdProviderState = TrustedIdProviderState.Enabled;
}
if (firewallRules != null && firewallRules.Count > 0)
{
parameters.FirewallRules = firewallRules;
parameters.FirewallState = FirewallState.Enabled;
}
return(_client.Account.Create(resourceGroupName, accountName, parameters));
}
public void EncryptionConfig_Parse()
{
EncryptionConfig config;
config = EncryptionConfig.Parse("foo:10");
Assert.AreEqual("foo", config.Algorithm);
Assert.AreEqual(1, config.KeySizes.Length);
Assert.AreEqual(10, config.KeySizes[0]);
config = EncryptionConfig.Parse("foo:10,20");
Assert.AreEqual("foo", config.Algorithm);
Assert.AreEqual(2, config.KeySizes.Length);
Assert.AreEqual(10, config.KeySizes[0]);
Assert.AreEqual(20, config.KeySizes[1]);
}
private void EncryptDecrypt(string algorithm, int keySize, byte[] input)
{
byte[] key;
byte[] IV;
EncryptionConfig.GenKeyIV(algorithm, keySize, out key, out IV);
BlockEncryptor encryptor = new BlockEncryptor(algorithm, key, IV);
BlockDecryptor decryptor = new BlockDecryptor(algorithm, key, IV);
byte[] encrypted;
byte[] decrypted;
bool equal;
encrypted = encryptor.Encrypt(input);
if (algorithm.ToUpper() == CryptoAlgorithm.PlainText)
{
// Make sure the input/output buffers are identical.
CollectionAssert.AreEqual(input, encrypted);
}
else
{
// Make sure the input/output buffers differ.
if (input.Length > 0 && input.Length == encrypted.Length)
{
equal = true;
for (int i = 0; i < input.Length; i++)
{
if (input[i] != encrypted[i])
{
equal = false;
break;
}
}
Assert.IsFalse(equal);
}
}
decrypted = decryptor.Decrypt(encrypted);
// Make sure we're back to the original bytes.
CollectionAssert.AreEqual(input, decrypted);
}
/// <summary>
/// Validate an existing password, Pass in the user's existing encoded password (a concatenated string separated by $
/// with <encryption config id>$<salt>$<hash>). Encrypt the incoming password using the same
/// settings in the encoded value and see if it matches on the hash
/// </summary>
/// <param name="encoded"></param>
/// <param name="password"></param>
/// <returns></returns>
public static bool ValidatePassword(EncryptionConfig encrConfig, string encoded, string password, out bool updatePasswordEncryption)
{
updatePasswordEncryption = false;
if (string.IsNullOrEmpty(encoded))
{
return(false);
}
if (string.IsNullOrEmpty(password))
{
return(false);
}
string[] passwordParts = encoded.Split(_delimiter);
if (passwordParts.Length != 3)
{
return(false);
}
//parse parts into their positions. Then take the plain password and excrypt to see if it matches the hash
int encrId = Convert.ToInt32(passwordParts[0]);
EncryptionLevelConfig encrLevel = encrConfig.Levels.Find(e => e.Id == encrId);
if (encrLevel == null)
{
throw new ArgumentNullException($"Encryption Config is missing. Check appSettings.json. Current Level: {encrConfig.CurrentLevel}");
}
KeyDerivationPrf prf = (KeyDerivationPrf)Convert.ToInt16(encrLevel.PRF);
int numBytes = Convert.ToInt32(encrLevel.NumBytes);
int iterations = Convert.ToInt32(encrLevel.Iterations);
var convertedSalt = Convert.FromBase64String(passwordParts[1]);
//perform hash
var hash = KeyDerivation.Pbkdf2(
password: password,
salt: convertedSalt,
prf: prf,
iterationCount: iterations,
numBytesRequested: numBytes);
var hashed = Convert.ToBase64String(hash);
//add support to update pw to latest level if current pw was a lower level.
//have to get UserDAL the new password and it has to save it.
updatePasswordEncryption = encrConfig.CurrentLevel > encrId;
//true if they match, existing hash in 3rd position
return(hashed == passwordParts[2]);
}
public static void ReadConfigReturn(EncryptionConfig c)
{
Condition.IsTrue(state == ModelState.Uninitialized);
Condition.IsNotNull(c);
negotiateDialect = DialectRevision.Smb2Unknown;
// Force SE to expand Config.MaxSmbVersionServerSupported
Condition.IsTrue(c.MaxSmbVersionSupported == ModelDialectRevision.Smb2002 ||
c.MaxSmbVersionSupported == ModelDialectRevision.Smb21 ||
c.MaxSmbVersionSupported == ModelDialectRevision.Smb30 ||
c.MaxSmbVersionSupported == ModelDialectRevision.Smb302);
config = c;
request = null;
state = ModelState.Initialized;
}
public void StartRouters(bool encrypt)
{
string encryption;
byte[] key;
byte[] IV;
if (encrypt)
{
encryption = CryptoAlgorithm.TripleDES;
EncryptionConfig.GenKeyIV(encryption, 128, out key, out IV);
}
else
{
encryption = CryptoAlgorithm.PlainText;
key = new byte[1];
IV = new byte[1];
}
Msg.ClearTypes();
Msg.LoadTypes(Assembly.GetExecutingAssembly());
g1r1 = new _SyncRouter("g1r1", group1, new IPEndPoint(IPAddress.Any, 5550), new IPEndPoint(IPAddress.Any, 5560),
encryption, key, IV);
g1r2 = new _SyncRouter("g1r2", group1, new IPEndPoint(IPAddress.Any, 5551), new IPEndPoint(IPAddress.Any, 5561),
encryption, key, IV);
g1r3 = new _SyncRouter("g1r3", group1, new IPEndPoint(IPAddress.Any, 5552), new IPEndPoint(IPAddress.Any, 5562),
encryption, key, IV);
g2r1 = new _SyncRouter("g2r1", group2, new IPEndPoint(IPAddress.Any, 5553), new IPEndPoint(IPAddress.Any, 5563),
encryption, key, IV);
g2r2 = new _SyncRouter("g2r2", group2, new IPEndPoint(IPAddress.Any, 5554), new IPEndPoint(IPAddress.Any, 5564),
encryption, key, IV);
g1r1.Start();
g1r2.Start();
g1r3.Start();
g2r1.Start();
g2r2.Start();
}
public EncryptionServer(IPAddress addres,
int port,
ServerConfig serverConfig = null,
EncryptionConfig config = null) :
base(addres, port, serverConfig)
{
if (config == null)
{
this.config = EncryptionConfig.DEFAULT_CONFIG;
}
else
{
this.config = config;
}
service = new EncyptionDataDAO(NHibernateUtil.Factory.GetCurrentSession());
onStart += () => Console.WriteLine("Starting server...");
onStart += DBInit;
onStop += () => Console.WriteLine("Finishing working...");
onStop += () => service.CloseSession();
onStop += () => Console.WriteLine("Finished.");
beforeDataManipulates += () => Console.WriteLine("Start " + (encrypt?"en":"de") + "crypting recieved message...");
afterDataManipulates += () => Console.WriteLine("Finished operation.");
}
private static bool VerifySession(ModelSmb2Status status, ModelRequestType modelRequestType, EncryptionConfig c)
{
ModelHelper.Log(LogType.Requirement, "3.3.5.2.9 Verifying the Session");
if (Smb2Utility.IsSmb3xFamily(negotiateDialect) &&
Session_EncryptData == SessionEncryptDataType.SessionEncryptDataSet &&
(modelRequestType == ModelRequestType.UnEncryptedRequest) &&
(config.MaxSmbVersionSupported == ModelDialectRevision.Smb311 ||
((config.MaxSmbVersionSupported == ModelDialectRevision.Smb30 || config.MaxSmbVersionSupported == ModelDialectRevision.Smb302) &&
config.IsGlobalRejectUnencryptedAccessEnabled)))
{
ModelHelper.Log(LogType.Requirement,
"If Connection.Dialect belongs to the SMB 3.x dialect family, and Session.EncryptData is TRUE, " +
"the server MUST do the following: \n" +
"\tIf the server supports the 3.1.1 dialect, locate the Request in Connection.RequestList for which " +
"Request.MessageId matches the MessageId value in the SMB2 header of the request." +
"\tOtherwise, if the server supports 3.0 or 3.0.2 dialect, and RejectUnencryptedAccess is TRUE, " +
"locate the Request in Connection.RequestList for which Request.MessageId matches the MessageId " +
"value in the SMB2 header of the request.\n" +
"If Request.IsEncrypted is FALSE, the server MUST fail the request with STATUS_ACCESS_DENIED");
ModelHelper.Log(LogType.TestInfo, "Server supports {0}, RejectUnencryptedAccess is {1}",
config.MaxSmbVersionSupported, config.IsGlobalRejectUnencryptedAccessEnabled ? "TRUE" : "FALSE");
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return(false);
}
return(true);
}
public static void TreeConnectResponse(
ModelSmb2Status status,
ShareEncryptDataType shareEncryptDataType,
ModelResponseType modelResponseType,
EncryptionConfig c)
{
Condition.IsTrue(state == ModelState.Connected);
Condition.IsTrue(config.IsGlobalRejectUnencryptedAccessEnabled == c.IsGlobalRejectUnencryptedAccessEnabled);
Condition.IsTrue(Session_IsExisted);
ModelTreeConnectRequest treeConnectRequest = ModelHelper.RetrieveOutstandingRequest <ModelTreeConnectRequest>(ref request);
if (!VerifySession(status, treeConnectRequest.modelRequestType, c))
{
return;
}
if (ModelUtility.IsSmb3xFamily(config.MaxSmbVersionSupported) &&
(config.IsGlobalEncryptDataEnabled ||
treeConnectRequest.connectToShareType == ConnectToShareType.ConnectToEncryptedShare) &&
config.IsGlobalRejectUnencryptedAccessEnabled &&
!Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION)
{
ModelHelper.Log(LogType.Requirement,
"3.3.5.7: If the server implements the SMB 3.x dialect family, EncryptData or Share.EncryptData is TRUE, " +
"RejectUnencryptedAccess is TRUE, and Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION, " +
"the server MUST fail the request with STATUS_ACCESS_DENIED.");
Condition.IsTrue(config.Platform == c.Platform);
ModelHelper.Log(LogType.TestInfo,
"The server implements {0}, EncryptData is {1}, Share.EncryptData is {2}, RejectUnencryptedAccess is TRUE, " +
"Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION.",
config.MaxSmbVersionSupported,
config.IsGlobalEncryptDataEnabled,
treeConnectRequest.connectToShareType == ConnectToShareType.ConnectToEncryptedShare ? "TRUE" : "FALSE");
ModelHelper.Log(LogType.TestInfo, "The SUT platform is {0}.", config.Platform);
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return;
}
if (Smb2Utility.IsSmb3xFamily(negotiateDialect) &&
treeConnectRequest.connectToShareType == ConnectToShareType.ConnectToEncryptedShare &&
config.IsGlobalRejectUnencryptedAccessEnabled &&
!Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION)
{
ModelHelper.Log(LogType.Requirement,
"3.3.5.7: If Connection.Dialect belongs to the SMB 3.x dialect family, " +
"Share.EncryptData is TRUE, RejectUnencryptedAccess is TRUE, " +
"and Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION, " +
"the server MUST fail the request with STATUS_ACCESS_DENIED.");
ModelHelper.Log(LogType.Requirement,
"\tSet the SMB2_SHAREFLAG_ENCRYPT_DATA bit.");
ModelHelper.Log(LogType.TestInfo, "Connection.Dialect is {0}, and Share.EncryptData is TRUE.", negotiateDialect);
Condition.IsTrue(shareEncryptDataType == ShareEncryptDataType.ShareEncryptDataSet);
}
//TODO: To be implemented after TRANSFORM_HEADER added into Smb2FunctionalClient
if (treeConnectRequest.modelRequestType == ModelRequestType.EncryptedRequest)
{
Condition.IsTrue(modelResponseType == ModelResponseType.EncryptedResponse);
}
else
{
Condition.IsTrue(modelResponseType == ModelResponseType.UnEncryptedResponse);
}
Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
Encryption_TreeId = (treeConnectRequest.connectToShareType == ConnectToShareType.ConnectToEncryptedShare) ? EncryptionTreeId.TreeIdToEncryptShare : EncryptionTreeId.TreeIdToUnEncryptShare;
}
public static void FileOperationVerifyEncryptionResponse(ModelSmb2Status status, ModelResponseType modelResponseType, EncryptionConfig c)
{
Condition.IsTrue(state == ModelState.Connected);
Condition.IsTrue(config.IsGlobalRejectUnencryptedAccessEnabled == c.IsGlobalRejectUnencryptedAccessEnabled);
Condition.IsTrue(Session_IsExisted);
ModelFileOperationVerifyEncryptionRequest createFileRequest = ModelHelper.RetrieveOutstandingRequest <ModelFileOperationVerifyEncryptionRequest>(ref request);
if (!VerifySession(status, createFileRequest.modelRequestType, c))
{
return;
}
if (!VerifyTreeConnect(status, createFileRequest.modelRequestType, c))
{
return;
}
ModelHelper.Log(LogType.TestInfo,
"The server implements {0}, Request.IsEncrypted is {1}, Connection.ServerCapabilities {2}include SMB2_GLOBAL_CAP_ENCRYPTION, " +
"TreeConnect.Share.EncryptData is {3}, " +
"EncryptData is {4}, RejectUnencryptedAccess is {5}",
config.MaxSmbVersionSupported,
createFileRequest.modelRequestType == ModelRequestType.UnEncryptedRequest ? "FALSE" : "TRUE",
Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION ? "" : "does not ",
Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare ? "TRUE" : "FALSE",
config.IsGlobalEncryptDataEnabled ? "TRUE" : "FALSE",
config.IsGlobalRejectUnencryptedAccessEnabled ? "TRUE" : "FALSE");
if (((createFileRequest.modelRequestType == ModelRequestType.UnEncryptedRequest &&
(config.IsGlobalEncryptDataEnabled ||
Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare)) ||
(createFileRequest.modelRequestType == ModelRequestType.EncryptedRequest && !Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION)) &&
config.IsGlobalRejectUnencryptedAccessEnabled)
{
ModelHelper.Log(LogType.Requirement,
"3.3.1.5: RejectUnencryptedAccess: A Boolean that, if set, " +
"indicates that the server will reject any unencrypted messages. " +
"This flag is applicable only if EncryptData is TRUE or if " +
"Share.EncryptData (as defined in section 3.3.1.6) is TRUE.");
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return;
}
//TODO: To be implemented after TRANSFORM_HEADER added into Smb2FunctionalClient
if (createFileRequest.modelRequestType == ModelRequestType.EncryptedRequest)
{
Condition.IsTrue(modelResponseType == ModelResponseType.EncryptedResponse);
}
else
{
Condition.IsTrue(modelResponseType == ModelResponseType.UnEncryptedResponse);
}
Condition.IsTrue(status == Smb2Status.STATUS_SUCCESS);
}
public override void ExecuteCmdlet()
{
try
{
if (DataLakeStoreClient.GetAccount(ResourceGroupName, Name) != null)
{
throw new CloudException(string.Format(Resources.DataLakeStoreAccountExists, Name));
}
}
catch (CloudException ex)
{
if (ex.Body != null && !string.IsNullOrEmpty(ex.Body.Code) && ex.Body.Code == "ResourceNotFound" ||
ex.Message.Contains("ResourceNotFound"))
{
// account does not exists so go ahead and create one
}
else if (ex.Body != null && !string.IsNullOrEmpty(ex.Body.Code) &&
ex.Body.Code == "ResourceGroupNotFound" || ex.Message.Contains("ResourceGroupNotFound"))
{
// resource group not found, let create throw error don't throw from here
}
else
{
// all other exceptions should be thrown
throw;
}
}
// validation of encryption parameters
if (Encryption != null)
{
var identity = new EncryptionIdentity
{
Type = EncryptionIdentityType.SystemAssigned,
};
var config = new EncryptionConfig
{
Type = Encryption.Value,
};
if (Encryption.Value == EncryptionConfigType.UserManaged)
{
if (string.IsNullOrEmpty(KeyVaultId) ||
string.IsNullOrEmpty(KeyName) ||
string.IsNullOrEmpty(KeyVersion))
{
throw new PSArgumentException(Resources.MissingKeyVaultParams);
}
config.KeyVaultMetaInfo = new KeyVaultMetaInfo
{
KeyVaultResourceId = KeyVaultId,
EncryptionKeyName = KeyName,
EncryptionKeyVersion = KeyVersion
};
}
else
{
if (!string.IsNullOrEmpty(KeyVaultId) ||
!string.IsNullOrEmpty(KeyName) ||
!string.IsNullOrEmpty(KeyVersion))
{
WriteWarning(Resources.IgnoredKeyVaultParams);
}
}
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, Location, Tags, identity, config));
}
else
{
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, Location, Tags));
}
}
public static void SessionSetupResponse(ModelSmb2Status status, SessionEncryptDataType sessionEncryptDataType, EncryptionConfig c)
{
Condition.IsTrue(state == ModelState.Connected);
Condition.IsTrue(config.IsGlobalEncryptDataEnabled == c.IsGlobalEncryptDataEnabled);
Condition.IsTrue(config.IsGlobalRejectUnencryptedAccessEnabled == c.IsGlobalRejectUnencryptedAccessEnabled);
if (ModelUtility.IsSmb3xFamily(config.MaxSmbVersionSupported) &&
!Smb2Utility.IsSmb3xFamily(negotiateDialect) &&
config.IsGlobalEncryptDataEnabled &&
config.IsGlobalRejectUnencryptedAccessEnabled)
{
ModelHelper.Log(LogType.Requirement,
"3.3.5.5: 1. If the server implements the SMB 3.x dialect family, " +
"Connection.Dialect does not belong to the SMB 3.x dialect family, EncryptData is TRUE, " +
"and RejectUnencryptedAccess is TRUE, the server MUST fail the request with STATUS_ACCESS_DENIED.");
ModelHelper.Log(LogType.TestInfo,
"The server implements {0}, Connection.Dialect is {1}, EncryptData is TRUE and RejectUnencryptedAccess is TRUE",
config.MaxSmbVersionSupported, negotiateDialect);
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return;
}
if (Smb2Utility.IsSmb3xFamily(negotiateDialect) &&
config.IsGlobalEncryptDataEnabled &&
config.IsGlobalRejectUnencryptedAccessEnabled &&
!Connection_ClientCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION)
{
ModelHelper.Log(LogType.Requirement,
"3.3.5.5: 2. If Connection.Dialect belongs to the SMB 3.x dialect family, " +
"EncryptData is TRUE, RejectUnencryptedAccess is TRUE, " +
"and Connection.ClientCapabilities does not include the SMB2_GLOBAL_CAP_ENCRYPTION bit, " +
"the server MUST fail the request with STATUS_ACCESS_DENIED.");
ModelHelper.Log(LogType.TestInfo,
"Connection.Dialect is {0}, EncryptData is TRUE, RejectUnencryptedAccess is TRUE, " +
"and Connection.ClientCapabilities does not include the SMB2_GLOBAL_CAP_ENCRYPTION bit.", negotiateDialect);
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return;
}
if (Smb2Utility.IsSmb3xFamily(negotiateDialect) &&
config.IsGlobalEncryptDataEnabled &&
(Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION ||
config.IsGlobalRejectUnencryptedAccessEnabled))
{
ModelHelper.Log(LogType.Requirement,
"3.3.5.5.3: 10. If global EncryptData is TRUE, the server MUST do the following: " +
"If Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_ENCRYPTION or RejectUnencryptedAccess is TRUE,");
Condition.IsTrue(sessionEncryptDataType == SessionEncryptDataType.SessionEncryptDataSet);
Session_EncryptData = SessionEncryptDataType.SessionEncryptDataSet;
}
Condition.IsTrue(status == Smb2Status.STATUS_SUCCESS);
Session_IsExisted = true;
}
public void TestBuild_ShouldComputeCertificateKeyFingerprint_WhenFingerprintNotSet()
{
EncryptionConfig config = TestUtils.GetTestJweConfigBuilder().Build();
Assert.AreEqual("761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79", config.EncryptionKeyFingerprint);
}
public override void ExecuteCmdlet()
{
var currentAccount = DataLakeStoreClient.GetAccount(ResourceGroupName, Name);
var location = currentAccount.Location;
if (string.IsNullOrEmpty(DefaultGroup))
{
DefaultGroup = currentAccount.Properties.DefaultGroup;
}
if (Tags == null)
{
Tags = TagsConversionHelper.CreateTagHashtable(currentAccount.Tags);
}
// validation of encryption parameters
if (Encryption != null)
{
var identity = new EncryptionIdentity
{
Type = EncryptionIdentityType.SystemAssigned,
};
var config = new EncryptionConfig
{
Type = Encryption.Value,
};
if (Encryption.Value == EncryptionConfigType.UserManaged)
{
if (string.IsNullOrEmpty(KeyVaultId) ||
string.IsNullOrEmpty(KeyName) ||
string.IsNullOrEmpty(KeyVersion))
{
throw new PSArgumentException(Resources.MissingKeyVaultParams);
}
config.KeyVaultMetaInfo = new KeyVaultMetaInfo
{
KeyVaultResourceId = KeyVaultId,
EncryptionKeyName = KeyName,
EncryptionKeyVersion = KeyVersion
};
}
else
{
if (!string.IsNullOrEmpty(KeyVaultId) ||
!string.IsNullOrEmpty(KeyName) ||
!string.IsNullOrEmpty(KeyVersion))
{
WriteWarning(Resources.IgnoredKeyVaultParams);
}
}
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, location, Tags, identity, config));
}
else
{
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, location, Tags));
}
}
public DataLakeStoreAccount CreateOrUpdateAccount(
string resourceGroupName,
string accountName,
string defaultGroup,
string location,
Hashtable customTags = null,
EncryptionIdentity identity = null,
EncryptionConfig config = null,
IList <TrustedIdProvider> trustedProviders = null,
IList <FirewallRule> firewallRules = null)
{
if (string.IsNullOrEmpty(resourceGroupName))
{
resourceGroupName = GetResourceGroupByAccount(accountName);
}
var tags = TagsConversionHelper.CreateTagDictionary(customTags, true);
var parameters = new DataLakeStoreAccount
{
Name = accountName,
Location = location,
Properties = new DataLakeStoreAccountProperties
{
DefaultGroup = defaultGroup,
},
Tags = tags ?? new Dictionary <string, string>()
};
if (identity != null)
{
parameters.Properties.EncryptionState = EncryptionState.Enabled;
parameters.Identity = identity;
parameters.Properties.EncryptionConfig = config ?? new EncryptionConfig
{
Type = EncryptionConfigType.ServiceManaged
};
}
if (trustedProviders != null && trustedProviders.Count > 0)
{
parameters.Properties.TrustedIdProviders = trustedProviders;
parameters.Properties.TrustedIdProviderState = TrustedIdProviderState.Enabled;
}
if (firewallRules != null && firewallRules.Count > 0)
{
parameters.Properties.FirewallRules = firewallRules;
parameters.Properties.FirewallState = FirewallState.Enabled;
}
var accountExists = false;
try
{
if (GetAccount(resourceGroupName, accountName) != null)
{
accountExists = true;
}
}
catch
{
// intentionally empty since if there is any exception attempting to
// get the account we know it doesn't exist and we will attempt to create it fresh.
}
return(accountExists
? _client.Account.Update(resourceGroupName, accountName, parameters)
: _client.Account.Create(resourceGroupName, accountName, parameters));
}
private static bool VerifySession(ModelSmb2Status status, ModelRequestType modelRequestType, EncryptionConfig c)
{
ModelHelper.Log(LogType.Requirement, "3.3.5.2.9 Verifying the Session");
Condition.IsTrue(config.Platform == c.Platform);
if (Smb2Utility.IsSmb3xFamily(negotiateDialect) &&
Session_EncryptData == SessionEncryptDataType.SessionEncryptDataSet &&
(modelRequestType == ModelRequestType.UnEncryptedRequest &&
(c.Platform != Platform.WindowsServer2012 || config.IsGlobalRejectUnencryptedAccessEnabled))) // 2012 allow unencrypt request when RejectUnencryptedAccessEnabled is FALSE
{
ModelHelper.Log(LogType.Requirement,
"If Connection.Dialect belongs to the SMB 3.x dialect family, and Session.EncryptData is TRUE, " +
"the server MUST locate the Request in Connection.RequestList " +
"for which Request.MessageId matches the MessageId value in the SMB2 header of the request. " +
"If Request.IsEncrypted is FALSE, the server MUST fail the request with STATUS_ACCESS_DENIED.");
ModelHelper.Log(LogType.TestInfo, "All the above conditions are met.");
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return(false);
}
return(true);
}
public void TestBuild_ResultShouldBeAssignableToGenericEncryptionConfig()
{
EncryptionConfig config = TestUtils.GetTestFieldLevelEncryptionConfigBuilder().Build();
Assert.IsNotNull(config);
}
public void TestBuild_ResultShouldHaveLegacySchemeSet()
{
EncryptionConfig config = TestUtils.GetTestFieldLevelEncryptionConfigBuilder().Build();
Assert.AreEqual(EncryptionConfig.EncryptionScheme.Legacy, config.Scheme);
}
public ApplicationAuthService(AppSettings appSettings, IAuthHttpClient authClient, EncryptionConfig encryptionSettings, ILogger <ApplicationAuthService> logger)
{
_appSettings = appSettings;
_logger = logger;
_authorizationHttpClient = authClient;
_encryptionService = new EncryptionService(encryptionSettings);
}
public override void ExecuteCmdlet()
{
try
{
if (DataLakeStoreClient.GetAccount(ResourceGroupName, Name) != null)
{
throw new CloudException(string.Format(Resources.DataLakeStoreAccountExists, Name));
}
}
catch (CloudException ex)
{
if (ex.Body != null && !string.IsNullOrEmpty(ex.Body.Code) && ex.Body.Code == "ResourceNotFound" ||
ex.Message.Contains("ResourceNotFound"))
{
// account does not exists so go ahead and create one
}
else if (ex.Body != null && !string.IsNullOrEmpty(ex.Body.Code) &&
ex.Body.Code == "ResourceGroupNotFound" || ex.Message.Contains("ResourceGroupNotFound"))
{
// resource group not found, let create throw error don't throw from here
}
else
{
// all other exceptions should be thrown
throw;
}
}
// validation of encryption parameters
if (Encryption != null)
{
var identity = new EncryptionIdentity
{
Type = EncryptionIdentityType.SystemAssigned,
};
var config = new EncryptionConfig
{
Type = Encryption.Value,
};
if (Encryption.Value == EncryptionConfigType.UserManaged)
{
if (string.IsNullOrEmpty(KeyVaultId) ||
string.IsNullOrEmpty(KeyName) ||
string.IsNullOrEmpty(KeyVersion))
{
throw new PSArgumentException(Resources.MissingKeyVaultParams);
}
config.KeyVaultMetaInfo = new KeyVaultMetaInfo
{
KeyVaultResourceId = KeyVaultId,
EncryptionKeyName = KeyName,
EncryptionKeyVersion = KeyVersion
};
}
else
{
if (!string.IsNullOrEmpty(KeyVaultId) ||
!string.IsNullOrEmpty(KeyName) ||
!string.IsNullOrEmpty(KeyVersion))
{
WriteWarning(Resources.IgnoredKeyVaultParams);
}
}
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, Location, Tags, identity, config));
}
else
{
WriteObject(DataLakeStoreClient.CreateOrUpdateAccount(ResourceGroupName, Name, DefaultGroup, Location, Tags));
}
}
public DataLakeStoreAccount CreateAccount(
string resourceGroupName,
string accountName,
string defaultGroup,
string location,
Hashtable customTags = null,
EncryptionIdentity identity = null,
EncryptionConfig config = null,
IList <TrustedIdProvider> trustedProviders = null,
IList <FirewallRule> firewallRules = null,
EncryptionConfigType?encryptionType = null,
TierType?tier = null)
{
if (string.IsNullOrEmpty(resourceGroupName))
{
resourceGroupName = GetResourceGroupByAccount(accountName);
}
var tags = TagsConversionHelper.CreateTagDictionary(customTags, true);
var parameters = new DataLakeStoreAccount
{
Location = location,
DefaultGroup = defaultGroup,
Tags = tags ?? new Dictionary <string, string>()
};
if (identity != null)
{
parameters.EncryptionState = EncryptionState.Enabled;
parameters.Identity = identity;
parameters.EncryptionConfig = config ?? new EncryptionConfig
{
Type = EncryptionConfigType.ServiceManaged
};
}
if (trustedProviders != null && trustedProviders.Count > 0)
{
parameters.TrustedIdProviders = trustedProviders;
parameters.TrustedIdProviderState = TrustedIdProviderState.Enabled;
}
if (firewallRules != null && firewallRules.Count > 0)
{
parameters.FirewallRules = firewallRules;
parameters.FirewallState = FirewallState.Enabled;
}
// if there is no encryption value, then it was not set by the cmdlet which means encryption was explicitly disabled.
if (!encryptionType.HasValue)
{
parameters.EncryptionState = EncryptionState.Disabled;
parameters.Identity = null;
parameters.EncryptionConfig = null;
}
if (tier.HasValue)
{
parameters.NewTier = tier;
}
var toReturn = _client.Account.Create(resourceGroupName, accountName, parameters);
return(toReturn);
}
private static bool VerifyTreeConnect(ModelSmb2Status status, ModelRequestType modelRequestType, EncryptionConfig c)
{
ModelHelper.Log(LogType.Requirement, "3.3.5.2.11 Verifying the Tree Connect");
if (Encryption_TreeId == EncryptionTreeId.NoTreeId)
{
ModelHelper.Log(LogType.Requirement,
"The server MUST look up the TreeConnect in Session.TreeConnectTable by using the TreeId in the SMB2 header of the request. " +
"If no tree connect is found, the request MUST be failed with STATUS_NETWORK_NAME_DELETED.");
ModelHelper.Log(LogType.TestInfo, "No tree connect is found.");
ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier);
Condition.IsTrue(status == ModelSmb2Status.STATUS_NETWORK_NAME_DELETED);
return(false);
}
if (Smb2Utility.IsSmb3xFamily(negotiateDialect))
{
ModelHelper.Log(LogType.Requirement,
"If the Connection.Dialect belongs to the SMB 3.x dialect family, the server MUST fail the request with STATUS_ACCESS_DENIED in the following cases");
ModelHelper.Log(LogType.TestInfo, "The Connection.Dialect is {0}.", negotiateDialect);
// Actually the "EncryptData is true" is redundant since it would failed in verify session step
if (Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION &&
((config.MaxSmbVersionSupported == ModelDialectRevision.Smb311 && Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare) ||
((config.MaxSmbVersionSupported == ModelDialectRevision.Smb30 || config.MaxSmbVersionSupported == ModelDialectRevision.Smb302) &&
(Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare || config.IsGlobalEncryptDataEnabled) && config.IsGlobalRejectUnencryptedAccessEnabled)) &&
modelRequestType == ModelRequestType.UnEncryptedRequest)
{
ModelHelper.Log(LogType.Requirement,
"\tServer supports the 3.1.1 dialect, TreeConnect.Share.EncryptData is TRUE, " +
"Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_ENCRYPTION, and Request.IsEncrypted is FALSE\n" +
"\tServer supports the 3.0 or 3.0.2 dialect, EncryptData or TreeConnect.Share.EncryptData is TRUE, " +
"Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_ENCRYPTION, RejectUnencryptedAccess is TRUE, " +
"and Request.IsEncrypted is FALSE");
ModelHelper.Log(LogType.TestInfo, "Server supports {0}, RejectUnencryptedAccess is {1}",
config.MaxSmbVersionSupported, config.IsGlobalRejectUnencryptedAccessEnabled ? "TRUE" : "FALSE");
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return(false);
}
if ((config.IsGlobalEncryptDataEnabled ||
Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare ||
modelRequestType == ModelRequestType.EncryptedRequest) &&
config.IsGlobalRejectUnencryptedAccessEnabled &&
!Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION)
{
ModelHelper.Log(LogType.Requirement,
"\tEncryptData or TreeConnect.Share.EncryptData or Request.IsEncrypted is TRUE, RejectUnencryptedAccess is TRUE, " +
"and Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION.");
ModelHelper.Log(LogType.TestInfo,
"The server implements {0}, EncryptData is {1}, TreeConnect.Share.EncryptData is {2}, " +
"Request.IsEncrypted is {3}, RejectUnencryptedAccess is TRUE, " +
"and Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION.",
config.MaxSmbVersionSupported,
config.IsGlobalEncryptDataEnabled,
Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare ? "TRUE" : "FALSE",
modelRequestType == ModelRequestType.EncryptedRequest ? "TRUE" : "FALSE");
ModelHelper.Log(LogType.TestInfo, "The SUT platform is {0}.", config.Platform);
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return(false);
}
}
return(true);
}
public AppSettingsRnCore()
{
// TODO: [TESTS] (AppSettingsRnCore) Add tests
Encryption = new EncryptionConfig();
}
public static void FileOperationVerifyEncryptionResponse(ModelSmb2Status status, ModelResponseType modelResponseType, EncryptionConfig c)
{
Condition.IsTrue(state == ModelState.Connected);
Condition.IsTrue(config.IsGlobalRejectUnencryptedAccessEnabled == c.IsGlobalRejectUnencryptedAccessEnabled);
Condition.IsTrue(Session_IsExisted);
ModelFileOperationVerifyEncryptionRequest createFileRequest = ModelHelper.RetrieveOutstandingRequest <ModelFileOperationVerifyEncryptionRequest>(ref request);
if (!VerifySession(status, createFileRequest.modelRequestType))
{
return;
}
if (!VerifyTreeConnect(status, createFileRequest.modelRequestType, c))
{
return;
}
//TODO: To be implemented after TRANSFORM_HEADER added into Smb2FunctionalClient
if (createFileRequest.modelRequestType == ModelRequestType.EncryptedRequest)
{
Condition.IsTrue(modelResponseType == ModelResponseType.EncryptedResponse);
}
else
{
Condition.IsTrue(modelResponseType == ModelResponseType.UnEncryptedResponse);
}
Condition.IsTrue(status == Smb2Status.STATUS_SUCCESS);
}
public abstract int EnableEncryption(bool enabled, EncryptionConfig config);
public DataLakeStoreAccount CreateOrUpdateAccount(
string resourceGroupName,
string accountName,
string defaultGroup,
string location,
Hashtable customTags = null,
EncryptionIdentity identity = null,
EncryptionConfig config = null,
IList<TrustedIdProvider> trustedProviders = null,
IList<FirewallRule> firewallRules = null)
{
if (string.IsNullOrEmpty(resourceGroupName))
{
resourceGroupName = GetResourceGroupByAccount(accountName);
}
var tags = TagsConversionHelper.CreateTagDictionary(customTags, true);
var parameters = new DataLakeStoreAccount
{
Name = accountName,
Location = location,
Properties = new DataLakeStoreAccountProperties
{
DefaultGroup = defaultGroup,
},
Tags = tags ?? new Dictionary<string, string>()
};
if (identity != null)
{
parameters.Properties.EncryptionState = EncryptionState.Enabled;
parameters.Identity = identity;
parameters.Properties.EncryptionConfig = config ?? new EncryptionConfig
{
Type = EncryptionConfigType.ServiceManaged
};
}
if (trustedProviders != null && trustedProviders.Count > 0)
{
parameters.Properties.TrustedIdProviders = trustedProviders;
parameters.Properties.TrustedIdProviderState = TrustedIdProviderState.Enabled;
}
if (firewallRules != null && firewallRules.Count > 0)
{
parameters.Properties.FirewallRules = firewallRules;
parameters.Properties.FirewallState = FirewallState.Enabled;
}
var accountExists = false;
try
{
if (GetAccount(resourceGroupName, accountName) != null)
{
accountExists = true;
}
}
catch
{
// intentionally empty since if there is any exception attempting to
// get the account we know it doesn't exist and we will attempt to create it fresh.
}
return accountExists
? _client.Account.Update(resourceGroupName, accountName, parameters)
: _client.Account.Create(resourceGroupName, accountName, parameters);
}
private static bool VerifyTreeConnect(ModelSmb2Status status, ModelRequestType modelRequestType, EncryptionConfig c)
{
ModelHelper.Log(LogType.Requirement, "3.3.5.2.11 Verifying the Tree Connect");
if (Encryption_TreeId == EncryptionTreeId.NoTreeId)
{
ModelHelper.Log(LogType.Requirement,
"The server MUST look up the TreeConnect in Session.TreeConnectTable by using the TreeId in the SMB2 header of the request. " +
"If no tree connect is found, the request MUST be failed with STATUS_NETWORK_NAME_DELETED.");
ModelHelper.Log(LogType.TestInfo, "No tree connect is found.");
ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier);
Condition.IsTrue(status == ModelSmb2Status.STATUS_NETWORK_NAME_DELETED);
return(false);
}
if (ModelUtility.IsSmb3xFamily(config.MaxSmbVersionSupported))
{
ModelHelper.Log(LogType.Requirement,
"If the server implements the SMB 3.x dialect family, it MUST return STATUS_ACCESS_DENIED for the following cases:");
ModelHelper.Log(LogType.TestInfo, "The server implements {0}.", config.MaxSmbVersionSupported);
if (Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare &&
config.IsGlobalRejectUnencryptedAccessEnabled &&
modelRequestType == ModelRequestType.UnEncryptedRequest)
{
ModelHelper.Log(LogType.Requirement,
"\tIf TreeConnect.Share.EncryptData is TRUE, RejectUnencryptedAccess is TRUE, and Request.IsEncrypted is FALSE.");
ModelHelper.Log(LogType.TestInfo, "The above conditions are met.");
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return(false);
}
else if (config.IsGlobalEncryptDataEnabled &&
config.IsGlobalRejectUnencryptedAccessEnabled &&
modelRequestType == ModelRequestType.UnEncryptedRequest)
{
ModelHelper.Log(LogType.Requirement,
"\tIf EncryptData is TRUE, RejectUnencryptedAccess is TRUE, and Request.IsEncrypted is FALSE.");
ModelHelper.Log(LogType.TestInfo, "The above conditions are met.");
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
return(false);
}
}
if (ModelUtility.IsSmb3xFamily(config.MaxSmbVersionSupported) &&
(config.IsGlobalEncryptDataEnabled ||
Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare ||
modelRequestType == ModelRequestType.EncryptedRequest) &&
config.IsGlobalRejectUnencryptedAccessEnabled &&
!Connection_ServerCapabilities_SMB2_GLOBAL_CAP_ENCRYPTION)
{
ModelHelper.Log(LogType.Requirement,
"If the server implements the SMB 3.x dialect family, EncryptData or TreeConnect.Share.EncryptData or Request.IsEncrypted is TRUE, " +
"RejectUnencryptedAccess is TRUE, and Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION, " +
"the server SHOULD fail the request with STATUS_ACCESS_DENIED.");
Condition.IsTrue(config.Platform == c.Platform);
ModelHelper.Log(LogType.TestInfo,
"The server implements {0}, EncryptData is {1}, TreeConnect.Share.EncryptData is {2}, " +
"Request.IsEncrypted is {3}, RejectUnencryptedAccess is TRUE, " +
"and Connection.ServerCapabilities does not include SMB2_GLOBAL_CAP_ENCRYPTION.",
config.MaxSmbVersionSupported,
config.IsGlobalEncryptDataEnabled,
Encryption_TreeId == EncryptionTreeId.TreeIdToEncryptShare ? "TRUE" : "FALSE",
modelRequestType == ModelRequestType.EncryptedRequest ? "TRUE" : "FALSE");
ModelHelper.Log(LogType.TestInfo, "The SUT platform is {0}.", config.Platform);
ModelHelper.Log(LogType.TestTag, TestTag.Compatibility);
if (config.Platform == Platform.NonWindows)
{
Condition.IsTrue(status != ModelSmb2Status.STATUS_SUCCESS);
}
else
{
Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
}
return(false);
}
return(true);
}