internal virtual AccessRule InternalAccessRuleFactory(QualifiedAce ace, Type targetType, AccessControlType type) { return(AccessRuleFactory(ace.SecurityIdentifier.Translate(targetType), ace.AccessMask, ace.IsInherited, ace.InheritanceFlags, ace.PropagationFlags, type)); }
private bool ObjectTypesMatch(QualifiedAce ace, QualifiedAce newAce) { Guid guid = (ace is ObjectAce) ? ((ObjectAce)ace).ObjectAceType : Guid.Empty; Guid g = (newAce is ObjectAce) ? ((ObjectAce)newAce).ObjectAceType : Guid.Empty; return(guid.Equals(g)); }
void AddAce(QualifiedAce newAce) { RequireCanonicity(); int pos = GetAceInsertPosition(newAce.AceQualifier); raw_acl.InsertAce(pos, CopyAce(newAce)); CanonicalizeAndClearAefa(); }
void AddAce(QualifiedAce newAce) { RequireCanonicity(); int pos = GetAceInsertPosition(newAce.AceQualifier); raw_acl.InsertAce(pos, newAce); CleanAndRetestCanonicity(); }
private bool AccessMasksAreMergeable(QualifiedAce ace, QualifiedAce newAce) { if (this.ObjectTypesMatch(ace, newAce)) { return(true); } ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce)ace).ObjectAceFlags : ObjectAceFlags.None; return((((ace.AccessMask & newAce.AccessMask) & ObjectAce.AccessMaskWithObjectType) == (newAce.AccessMask & ObjectAce.AccessMaskWithObjectType)) && ((flags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None)); }
private bool AceFlagsAreMergeable(QualifiedAce ace, QualifiedAce newAce) { if (this.InheritedObjectTypesMatch(ace, newAce)) { return(true); } ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce)ace).ObjectAceFlags : ObjectAceFlags.None; return((flags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None); }
// DiscretionaryAcl/SystemAcl shared implementation below... internal void AddAce(AceQualifier aceQualifier, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags auditFlags) { QualifiedAce ace = AddAceGetQualifiedAce(aceQualifier, sid, accessMask, inheritanceFlags, propagationFlags, auditFlags); AddAce(ace); }
internal override AuditRule InternalAuditRuleFactory (QualifiedAce ace, Type targetType) { ObjectAce oace = ace as ObjectAce; if (null == oace || ObjectAceFlags.None == oace.ObjectAceFlags) return base.InternalAuditRuleFactory (ace, targetType); return AuditRuleFactory (ace.SecurityIdentifier.Translate (targetType), ace.AccessMask, ace.IsInherited, ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags, oace.ObjectAceType, oace.InheritedObjectAceType); }
private bool InspectAce(ref GenericAce ace, bool isDacl) { KnownAce ace2 = ace as KnownAce; if ((ace2 != null) && (ace2.AccessMask == 0)) { return(false); } if (!this.IsContainer) { if (((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0) { return(false); } if (((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) != 0) { ace.AceFlags = (AceFlags)((byte)(((int)ace.AceFlags) & 240)); } } else { if (((((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0)) && (((byte)(ace.AceFlags & (AceFlags.None | AceFlags.ObjectInherit))) == 0)) { return(false); } if (((((byte)(ace.AceFlags & (AceFlags.None | AceFlags.NoPropagateInherit))) != 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0)) && (((byte)(ace.AceFlags & (AceFlags.None | AceFlags.ObjectInherit))) == 0)) { ace.AceFlags = (AceFlags)((byte)(((int)ace.AceFlags) & 0xfb)); } } QualifiedAce ace3 = ace2 as QualifiedAce; if (isDacl) { ace.AceFlags = (AceFlags)((byte)(((int)ace.AceFlags) & 0x3f)); if (((ace3 != null) && (ace3.AceQualifier != AceQualifier.AccessAllowed)) && (ace3.AceQualifier != AceQualifier.AccessDenied)) { return(false); } } else { if (((byte)(ace.AceFlags & AceFlags.AuditFlags)) == 0) { return(false); } if ((ace3 != null) && (ace3.AceQualifier != AceQualifier.SystemAudit)) { return(false); } } return(true); }
void SetAce(QualifiedAce newAce) { RequireCanonicity(); RemoveAces <QualifiedAce> (oldAce => { return(oldAce.AceQualifier == newAce.AceQualifier && oldAce.SecurityIdentifier == newAce.SecurityIdentifier); }); CleanAndRetestCanonicity(); AddAce(newAce); }
internal override AuditRule InternalAuditRuleFactory(QualifiedAce ace, Type targetType) { ObjectAce oace = ace as ObjectAce; if (null == oace || ObjectAceFlags.None == oace.ObjectAceFlags) { return(base.InternalAuditRuleFactory(ace, targetType)); } return(AuditRuleFactory(ace.SecurityIdentifier.Translate(targetType), ace.AccessMask, ace.IsInherited, ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags, oace.ObjectAceType, oace.InheritedObjectAceType)); }
internal void AddAce(AceQualifier aceQualifier, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags auditFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { QualifiedAce ace = AddAceGetQualifiedAce(aceQualifier, sid, accessMask, inheritanceFlags, propagationFlags, auditFlags, objectFlags, objectType, inheritedObjectType); AddAce(ace); }
internal AuthorizationRuleCollection InternalGetAccessRules(bool includeExplicit, bool includeInherited, Type targetType) { List <AuthorizationRule> rules = new List <AuthorizationRule> (); ReadLock(); try { foreach (GenericAce genericAce in descriptor.DiscretionaryAcl) { QualifiedAce ace = genericAce as QualifiedAce; if (null == ace) { continue; } if (ace.IsInherited && !includeInherited) { continue; } if (!ace.IsInherited && !includeExplicit) { continue; } AccessControlType type; if (AceQualifier.AccessAllowed == ace.AceQualifier) { type = AccessControlType.Allow; } else if (AceQualifier.AccessDenied == ace.AceQualifier) { type = AccessControlType.Deny; } else { continue; } AccessRule rule = InternalAccessRuleFactory(ace, targetType, type); rules.Add(rule); } } finally { ReadUnlock(); } return(new AuthorizationRuleCollection(rules.ToArray())); }
internal void AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { GenericAce ace; if (sid == null) { throw new ArgumentNullException("sid"); } this.ThrowIfNotCanonical(); bool flag = false; if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0)) { throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags"); } if (accessMask == 0) { throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask"); } if (!this.IsDS || (objectFlags == ObjectAceFlags.None)) { ace = new CommonAce(flags, qualifier, accessMask, sid, false, null); } else { ace = new ObjectAce(flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null); } if (this.InspectAce(ref ace, this is DiscretionaryAcl)) { for (int i = 0; i < this.Count; i++) { QualifiedAce ace2 = this._acl[i] as QualifiedAce; if ((ace2 != null) && this.MergeAces(ref ace2, ace as QualifiedAce)) { flag = true; break; } } if (!flag) { this._acl.InsertAce(this._acl.Count, ace); this._isDirty = true; } this.OnAclModificationTried(); } }
internal void RemoveQualifiedAcesSpecific(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (accessMask == 0) { throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask"); } if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0)) { throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags"); } if (sid == null) { throw new ArgumentNullException("sid"); } this.ThrowIfNotCanonical(); for (int i = 0; i < this.Count; i++) { QualifiedAce ace = this._acl[i] as QualifiedAce; if ((((ace == null) || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid))) || ((ace.AceFlags != flags) || (ace.AccessMask != accessMask))) { continue; } if (this.IsDS) { if ((ace is ObjectAce) && (objectFlags != ObjectAceFlags.None)) { ObjectAce ace2 = ace as ObjectAce; if (ace2.ObjectTypesMatch(objectFlags, objectType) && ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType)) { goto Label_00F2; } continue; } if ((ace is ObjectAce) || (objectFlags != ObjectAceFlags.None)) { continue; } } Label_00F2: this._acl.RemoveAce(i); i--; } this.OnAclModificationTried(); }
internal int GetCanonicalExplicitDenyAceCount() { int i; for (i = 0; i < Count; i++) { if (this [i].IsInherited) { break; } QualifiedAce ace = this [i] as QualifiedAce; if (ace == null || ace.AceQualifier != AceQualifier.AccessDenied) { break; } } return(i); }
internal AuthorizationRuleCollection InternalGetAuditRules(bool includeExplicit, bool includeInherited, Type targetType) { List <AuthorizationRule> rules = new List <AuthorizationRule> (); ReadLock(); try { if (null != descriptor.SystemAcl) { foreach (GenericAce genericAce in descriptor.SystemAcl) { QualifiedAce ace = genericAce as QualifiedAce; if (null == ace) { continue; } if (ace.IsInherited && !includeInherited) { continue; } if (!ace.IsInherited && !includeExplicit) { continue; } if (AceQualifier.SystemAudit != ace.AceQualifier) { continue; } AuditRule rule = InternalAuditRuleFactory(ace, targetType); rules.Add(rule); } } } finally { ReadUnlock(); } return(new AuthorizationRuleCollection(rules.ToArray())); }
private bool GetAccessMaskForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask) { if (((ace.AccessMask & accessMask) & ObjectAce.AccessMaskWithObjectType) != 0) { if (ace is ObjectAce) { ObjectAce ace2 = ace as ObjectAce; if (((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None)) { return(false); } if (!(((objectFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None) || ace2.ObjectTypesMatch(objectFlags, objectType))) { accessMask &= ~ObjectAce.AccessMaskWithObjectType; } } else if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) { return(false); } } return(true); }
private bool GetInheritanceFlagsForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags) { if ((((byte)(ace.AceFlags & AceFlags.ContainerInherit)) != 0) && (((byte)(aceFlags & AceFlags.ContainerInherit)) != 0)) { if (ace is ObjectAce) { ObjectAce ace2 = ace as ObjectAce; if (((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None)) { return(false); } if (!(((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None) || ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType))) { aceFlags = (AceFlags)((byte)(((int)aceFlags) & 240)); } } else if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) { return(false); } } return(true); }
private void Canonicalize(bool compact, bool isDacl) { for (ushort i = 0; i < this._acl.Count; i = (ushort)(i + 1)) { this._acl[i]._indexInAcl = i; } this.QuickSort(0, this._acl.Count - 1, isDacl); if (compact) { for (int j = 0; j < (this.Count - 1); j++) { QualifiedAce ace = this._acl[j] as QualifiedAce; if (ace != null) { QualifiedAce newAce = this._acl[j + 1] as QualifiedAce; if ((newAce != null) && this.MergeAces(ref ace, newAce)) { this._acl.RemoveAce(j + 1); } } } } }
internal override bool IsAceMeaningless(GenericAce ace) { if (base.IsAceMeaningless(ace)) { return(true); } if (AuditFlags.None != ace.AuditFlags) { return(true); } QualifiedAce qace = ace as QualifiedAce; if (null != qace) { if (!(AceQualifier.AccessAllowed == qace.AceQualifier || AceQualifier.AccessDenied == qace.AceQualifier)) { return(true); } } return(false); }
internal override bool IsAceMeaningless(GenericAce ace) { if (base.IsAceMeaningless(ace)) { return(true); } if (!IsValidAuditFlags(ace.AuditFlags)) { return(true); } QualifiedAce qace = ace as QualifiedAce; if (null != qace) { if (!(AceQualifier.SystemAudit == qace.AceQualifier || AceQualifier.SystemAlarm == qace.AceQualifier)) { return(true); } } return(false); }
private bool AceFlagsAreMergeable( QualifiedAce ace, QualifiedAce newAce ) { // // The ace flags can be considered for merge in any of the following conditions // 1. Inherited object types match // 2. (Inherited object types do not match) The existing ace does not have an inherited object type and // already contains all the bits of the new ace // if ( InheritedObjectTypesMatch( ace, newAce )) { // case 1 return true; } ObjectAceFlags objectFlags = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).ObjectAceFlags : ObjectAceFlags.None; if (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ) { // case 2 // // This method is called only when the access masks of the two aces are already confirmed to be exact matches // therefore the second condition of case 2 is already verified // Contract.Assert(( ace.AccessMask & newAce.AccessMask) == newAce.AccessMask, "AceFlagsAreMergeable:: AccessMask of existing ace does not contain all access bits of new ace."); return true; } return false; }
GenericAce MergeExplicitAcePair(GenericAce ace1, GenericAce ace2) { QualifiedAce qace1 = ace1 as QualifiedAce; QualifiedAce qace2 = ace2 as QualifiedAce; if (!(null != qace1 && null != qace2)) { return(null); } if (!(qace1.AceQualifier == qace2.AceQualifier)) { return(null); } if (!(qace1.SecurityIdentifier == qace2.SecurityIdentifier)) { return(null); } AceFlags aceFlags1 = qace1.AceFlags, aceFlags2 = qace2.AceFlags, aceFlagsNew; int accessMask1 = qace1.AccessMask, accessMask2 = qace2.AccessMask, accessMaskNew; if (!IsContainer) { aceFlags1 &= ~AceFlags.InheritanceFlags; aceFlags2 &= ~AceFlags.InheritanceFlags; } if (aceFlags1 != aceFlags2) { if (accessMask1 != accessMask2) { return(null); } if ((aceFlags1 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit)) == (aceFlags2 & ~(AceFlags.ContainerInherit | AceFlags.ObjectInherit))) { aceFlagsNew = aceFlags1 | aceFlags2; // merge InheritanceFlags accessMaskNew = accessMask1; } else if ((aceFlags1 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess)) == (aceFlags2 & ~(AceFlags.SuccessfulAccess | AceFlags.FailedAccess))) { aceFlagsNew = aceFlags1 | aceFlags2; // merge AuditFlags accessMaskNew = accessMask1; } else { return(null); } } else { aceFlagsNew = aceFlags1; accessMaskNew = accessMask1 | accessMask2; } CommonAce cace1 = ace1 as CommonAce; CommonAce cace2 = ace2 as CommonAce; if (null != cace1 && null != cace2) { return(new CommonAce(aceFlagsNew, cace1.AceQualifier, accessMaskNew, cace1.SecurityIdentifier, cace1.IsCallback, cace1.GetOpaque())); } ObjectAce oace1 = ace1 as ObjectAce; ObjectAce oace2 = ace2 as ObjectAce; if (null != oace1 && null != oace2) { // See DiscretionaryAclTest.GuidEmptyMergesRegardlessOfFlagsAndOpaqueDataIsNotConsidered Guid type1, inheritedType1; GetObjectAceTypeGuids(oace1, out type1, out inheritedType1); Guid type2, inheritedType2; GetObjectAceTypeGuids(oace2, out type2, out inheritedType2); if (type1 == type2 && inheritedType1 == inheritedType2) { return(new ObjectAce(aceFlagsNew, oace1.AceQualifier, accessMaskNew, oace1.SecurityIdentifier, oace1.ObjectAceFlags, oace1.ObjectAceType, oace1.InheritedObjectAceType, oace1.IsCallback, oace1.GetOpaque())); } } return(null); }
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType) { ReadLock(); try { AuthorizationRuleCollection result = new AuthorizationRuleCollection(); if (!IsValidTargetTypeStatic(targetType)) { throw new ArgumentException(SR.Arg_MustBeIdentityReferenceType, nameof(targetType)); } CommonAcl acl = null; if (access) { if ((SecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0) { acl = SecurityDescriptor.DiscretionaryAcl; } } else // !access == audit { if ((SecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0) { acl = SecurityDescriptor.SystemAcl; } } if (acl == null) { // // The required ACL was not present; return an empty collection. // return(result); } IdentityReferenceCollection irTarget = null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count); for (int i = 0; i < acl.Count; i++) { // // Calling the indexer on a common ACL results in cloning, // (which would not be the case if we were to use the internal RawAcl property) // but also ensures that the resulting order of ACEs is proper // However, this is a big price to pay - cloning all the ACEs just so that // the canonical order could be ascertained just once. // A better way would be to have an internal method that would canonicalize the ACL // and call it once, then use the RawAcl. // QualifiedAce ace = acl[i] as QualifiedAce; if (ace == null) { // // Only consider qualified ACEs // continue; } if (ace.IsCallback == true) { // // Ignore callback ACEs // continue; } if (access) { if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied) { continue; } } else { if (ace.AceQualifier != AceQualifier.SystemAudit) { continue; } } irSource.Add(ace.SecurityIdentifier); } irTarget = irSource.Translate(targetType); } for (int i = 0; i < acl.Count; i++) { // // Calling the indexer on a common ACL results in cloning, // (which would not be the case if we were to use the internal RawAcl property) // but also ensures that the resulting order of ACEs is proper // However, this is a big price to pay - cloning all the ACEs just so that // the canonical order could be ascertained just once. // A better way would be to have an internal method that would canonicalize the ACL // and call it once, then use the RawAcl. // QualifiedAce ace = acl[i] as CommonAce; if (ace == null) { ace = acl[i] as ObjectAce; if (ace == null) { // // Only consider common or object ACEs // continue; } } if (ace.IsCallback == true) { // // Ignore callback ACEs // continue; } if (access) { if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied) { continue; } } else { if (ace.AceQualifier != AceQualifier.SystemAudit) { continue; } } if ((includeExplicit && ((ace.AceFlags & AceFlags.Inherited) == 0)) || (includeInherited && ((ace.AceFlags & AceFlags.Inherited) != 0))) { IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget[i]; if (access) { AccessControlType type; if (ace.AceQualifier == AceQualifier.AccessAllowed) { type = AccessControlType.Allow; } else { type = AccessControlType.Deny; } if (ace is ObjectAce) { ObjectAce objectAce = ace as ObjectAce; result.AddRule(AccessRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType)); } else { CommonAce commonAce = ace as CommonAce; if (commonAce == null) { continue; } result.AddRule(AccessRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type)); } } else { if (ace is ObjectAce) { ObjectAce objectAce = ace as ObjectAce; result.AddRule(AuditRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType)); } else { CommonAce commonAce = ace as CommonAce; if (commonAce == null) { continue; } result.AddRule(AuditRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags)); } } } } return(result); } finally { ReadUnlock(); } }
private bool GetAccessMaskForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask) { if (((ace.AccessMask & accessMask) & ObjectAce.AccessMaskWithObjectType) != 0) { if (ace is ObjectAce) { ObjectAce ace2 = ace as ObjectAce; if (((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None)) { return false; } if (!(((objectFlags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None) || ace2.ObjectTypesMatch(objectFlags, objectType))) { accessMask &= ~ObjectAce.AccessMaskWithObjectType; } } else if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) { return false; } } return true; }
internal bool RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (accessMask == 0) { throw new ArgumentException(Environment.GetResourceString("Argument_ArgumentZero"), "accessMask"); } if ((qualifier == AceQualifier.SystemAudit) && (((byte)(flags & AceFlags.AuditFlags)) == 0)) { throw new ArgumentException(Environment.GetResourceString("Arg_EnumAtLeastOneFlag"), "flags"); } if (sid == null) { throw new ArgumentNullException("sid"); } this.ThrowIfNotCanonical(); bool flag = true; bool flag2 = true; int num = accessMask; AceFlags flags2 = flags; byte[] binaryForm = new byte[this.BinaryLength]; this.GetBinaryForm(binaryForm, 0); Label_0075: try { for (int i = 0; i < this.Count; i++) { QualifiedAce ace = this._acl[i] as QualifiedAce; if (((ace == null) || (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0)) || ((ace.AceQualifier != qualifier) || (ace.SecurityIdentifier != sid))) { continue; } if (this.IsDS) { accessMask = num; bool flag3 = !this.GetAccessMaskForRemoval(ace, objectFlags, objectType, ref accessMask); if ((ace.AccessMask & accessMask) == 0) { continue; } flags = flags2; bool flag4 = !this.GetInheritanceFlagsForRemoval(ace, objectFlags, inheritedObjectType, ref flags); if (((((((byte)(ace.AceFlags & AceFlags.ContainerInherit)) == 0) && (((byte)(flags & AceFlags.ContainerInherit)) != 0)) && (((byte)(flags & AceFlags.InheritOnly)) != 0)) || (((((byte)(flags & AceFlags.ContainerInherit)) == 0) && (((byte)(ace.AceFlags & AceFlags.ContainerInherit)) != 0)) && (((byte)(ace.AceFlags & AceFlags.InheritOnly)) != 0))) || (((((byte)(flags2 & AceFlags.ContainerInherit)) != 0) && (((byte)(flags2 & AceFlags.InheritOnly)) != 0)) && (((byte)(flags & AceFlags.ContainerInherit)) == 0))) { continue; } if (!flag3 && !flag4) { goto Label_0184; } flag2 = false; goto Label_0483; } if ((ace.AccessMask & accessMask) == 0) { continue; } Label_0184: if (!saclSemantics || (((byte)(((byte)(ace.AceFlags & flags)) & 0xc0)) != 0)) { AceFlags none = AceFlags.None; int num3 = 0; ObjectAceFlags flags4 = ObjectAceFlags.None; Guid empty = Guid.Empty; Guid guid2 = Guid.Empty; AceFlags aceFlags = AceFlags.None; int num4 = 0; ObjectAceFlags flags6 = ObjectAceFlags.None; Guid guid3 = Guid.Empty; Guid guid4 = Guid.Empty; AceFlags existing = AceFlags.None; int num5 = 0; ObjectAceFlags flags8 = ObjectAceFlags.None; Guid guid5 = Guid.Empty; Guid guid6 = Guid.Empty; AceFlags result = AceFlags.None; bool total = false; none = ace.AceFlags; num3 = ace.AccessMask & ~accessMask; if (ace is ObjectAce) { this.GetObjectTypesForSplit(ace as ObjectAce, num3, none, out flags4, out empty, out guid2); } if (saclSemantics) { aceFlags = (AceFlags)((byte)(ace.AceFlags & ~((byte)(flags & AceFlags.AuditFlags)))); num4 = ace.AccessMask & accessMask; if (ace is ObjectAce) { this.GetObjectTypesForSplit(ace as ObjectAce, num4, aceFlags, out flags6, out guid3, out guid4); } } existing = (AceFlags)((byte)(((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) | ((byte)(((byte)(flags & ace.AceFlags)) & 0xc0)))); num5 = ace.AccessMask & accessMask; if (!saclSemantics || (((byte)(existing & AceFlags.AuditFlags)) != 0)) { if (!RemoveInheritanceBits(existing, flags, this.IsDS, out result, out total)) { flag2 = false; goto Label_0483; } if (!total) { result = (AceFlags)((byte)(result | ((byte)(existing & AceFlags.AuditFlags)))); if (ace is ObjectAce) { this.GetObjectTypesForSplit(ace as ObjectAce, num5, result, out flags8, out guid5, out guid6); } } } if (!flag) { QualifiedAce ace2; if (num3 != 0) { if (((ace is ObjectAce) && ((((ObjectAce)ace).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)) && ((flags4 & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None)) { this._acl.RemoveAce(i); ObjectAce ace3 = new ObjectAce(none, qualifier, num3, ace.SecurityIdentifier, flags4, empty, guid2, false, null); this._acl.InsertAce(i, ace3); } else { ace.AceFlags = none; ace.AccessMask = num3; if (ace is ObjectAce) { ObjectAce ace4 = ace as ObjectAce; ace4.ObjectAceFlags = flags4; ace4.ObjectAceType = empty; ace4.InheritedObjectAceType = guid2; } } } else { this._acl.RemoveAce(i); i--; } if (saclSemantics && (((byte)(aceFlags & AceFlags.AuditFlags)) != 0)) { if (ace is CommonAce) { ace2 = new CommonAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, false, null); } else { ace2 = new ObjectAce(aceFlags, qualifier, num4, ace.SecurityIdentifier, flags6, guid3, guid4, false, null); } i++; this._acl.InsertAce(i, ace2); } if (!total) { if (ace is CommonAce) { ace2 = new CommonAce(result, qualifier, num5, ace.SecurityIdentifier, false, null); } else { ace2 = new ObjectAce(result, qualifier, num5, ace.SecurityIdentifier, flags8, guid5, guid6, false, null); } i++; this._acl.InsertAce(i, ace2); } } } } } catch (OverflowException) { this._acl.SetBinaryForm(binaryForm, 0); return(false); } Label_0483: if (flag && flag2) { flag = false; goto Label_0075; } this.OnAclModificationTried(); return(flag2); }
// Token: 0x06001FF6 RID: 8182 RVA: 0x0006FAEC File Offset: 0x0006DCEC private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType) { base.ReadLock(); AuthorizationRuleCollection result; try { AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection(); if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType)) { throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType"); } CommonAcl commonAcl = null; if (access) { if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None) { commonAcl = this._securityDescriptor.DiscretionaryAcl; } } else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None) { commonAcl = this._securityDescriptor.SystemAcl; } if (commonAcl == null) { result = authorizationRuleCollection; } else { IdentityReferenceCollection identityReferenceCollection = null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection identityReferenceCollection2 = new IdentityReferenceCollection(commonAcl.Count); for (int i = 0; i < commonAcl.Count; i++) { QualifiedAce qualifiedAce = commonAcl[i] as QualifiedAce; if (!(qualifiedAce == null) && !qualifiedAce.IsCallback) { if (access) { if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied) { goto IL_EB; } } else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit) { goto IL_EB; } identityReferenceCollection2.Add(qualifiedAce.SecurityIdentifier); } IL_EB :; } identityReferenceCollection = identityReferenceCollection2.Translate(targetType); } int j = 0; while (j < commonAcl.Count) { QualifiedAce qualifiedAce2 = commonAcl[j] as CommonAce; if (!(qualifiedAce2 == null)) { goto IL_142; } qualifiedAce2 = (commonAcl[j] as ObjectAce); if (!(qualifiedAce2 == null)) { goto IL_142; } IL_306: j++; continue; IL_142: if (qualifiedAce2.IsCallback) { goto IL_306; } if (access) { if (qualifiedAce2.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce2.AceQualifier != AceQualifier.AccessDenied) { goto IL_306; } } else if (qualifiedAce2.AceQualifier != AceQualifier.SystemAudit) { goto IL_306; } if ((!includeExplicit || (qualifiedAce2.AceFlags & AceFlags.Inherited) != AceFlags.None) && (!includeInherited || (qualifiedAce2.AceFlags & AceFlags.Inherited) == AceFlags.None)) { goto IL_306; } IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? qualifiedAce2.SecurityIdentifier : identityReferenceCollection[j]; if (access) { AccessControlType type; if (qualifiedAce2.AceQualifier == AceQualifier.AccessAllowed) { type = AccessControlType.Allow; } else { type = AccessControlType.Deny; } if (qualifiedAce2 is ObjectAce) { ObjectAce objectAce = qualifiedAce2 as ObjectAce; authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType)); goto IL_306; } CommonAce commonAce = qualifiedAce2 as CommonAce; if (!(commonAce == null)) { authorizationRuleCollection.AddRule(this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type)); goto IL_306; } goto IL_306; } else { if (qualifiedAce2 is ObjectAce) { ObjectAce objectAce2 = qualifiedAce2 as ObjectAce; authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, objectAce2.AccessMask, objectAce2.IsInherited, objectAce2.InheritanceFlags, objectAce2.PropagationFlags, objectAce2.AuditFlags, objectAce2.ObjectAceType, objectAce2.InheritedObjectAceType)); goto IL_306; } CommonAce commonAce2 = qualifiedAce2 as CommonAce; if (!(commonAce2 == null)) { authorizationRuleCollection.AddRule(this.AuditRuleFactory(identityReference, commonAce2.AccessMask, commonAce2.IsInherited, commonAce2.InheritanceFlags, commonAce2.PropagationFlags, commonAce2.AuditFlags)); goto IL_306; } goto IL_306; } } result = authorizationRuleCollection; } } finally { base.ReadUnlock(); } return(result); }
private bool MergeAces(ref QualifiedAce ace, QualifiedAce newAce) { if (((byte)(ace.AceFlags & AceFlags.Inherited)) == 0) { if (((byte)(newAce.AceFlags & AceFlags.Inherited)) != 0) { return(false); } if (ace.AceQualifier != newAce.AceQualifier) { return(false); } if (ace.SecurityIdentifier != newAce.SecurityIdentifier) { return(false); } if (ace.AceFlags == newAce.AceFlags) { if (!(ace is ObjectAce) && !(newAce is ObjectAce)) { ace.AccessMask |= newAce.AccessMask; return(true); } if (this.InheritedObjectTypesMatch(ace, newAce) && this.AccessMasksAreMergeable(ace, newAce)) { ace.AccessMask |= newAce.AccessMask; return(true); } } if ((((byte)(ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) == ((byte)(newAce.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit)))) && (ace.AccessMask == newAce.AccessMask)) { if (!(ace is ObjectAce) && !(newAce is ObjectAce)) { ace.AceFlags = (AceFlags)((byte)(ace.AceFlags | ((byte)(newAce.AceFlags & AceFlags.AuditFlags)))); return(true); } if (this.InheritedObjectTypesMatch(ace, newAce) && this.ObjectTypesMatch(ace, newAce)) { ace.AceFlags = (AceFlags)((byte)(ace.AceFlags | ((byte)(newAce.AceFlags & AceFlags.AuditFlags)))); return(true); } } if ((((byte)(ace.AceFlags & AceFlags.AuditFlags)) == ((byte)(newAce.AceFlags & AceFlags.AuditFlags))) && (ace.AccessMask == newAce.AccessMask)) { AceFlags flags; if ((ace is ObjectAce) || (newAce is ObjectAce)) { if ((this.ObjectTypesMatch(ace, newAce) && this.AceFlagsAreMergeable(ace, newAce)) && MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags)) { ace.AceFlags = (AceFlags)((byte)(flags | ((byte)(ace.AceFlags & AceFlags.AuditFlags)))); return(true); } } else if (MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags)) { ace.AceFlags = (AceFlags)((byte)(flags | ((byte)(ace.AceFlags & AceFlags.AuditFlags)))); return(true); } } } return(false); }
internal virtual AuditRule InternalAuditRuleFactory (QualifiedAce ace, Type targetType) { return AuditRuleFactory (ace.SecurityIdentifier.Translate (targetType), ace.AccessMask, ace.IsInherited, ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags); }
private bool InheritedObjectTypesMatch( QualifiedAce ace, QualifiedAce newAce ) { Guid inheritedObjectType = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).InheritedObjectAceType : Guid.Empty; Guid newInheritedObjectType = ( newAce is ObjectAce ) ? (( ObjectAce ) newAce ).InheritedObjectAceType : Guid.Empty; return inheritedObjectType.Equals( newInheritedObjectType ); }
private bool MergeAces(ref QualifiedAce ace, QualifiedAce newAce) { if (((byte) (ace.AceFlags & AceFlags.Inherited)) == 0) { if (((byte) (newAce.AceFlags & AceFlags.Inherited)) != 0) { return false; } if (ace.AceQualifier != newAce.AceQualifier) { return false; } if (ace.SecurityIdentifier != newAce.SecurityIdentifier) { return false; } if (ace.AceFlags == newAce.AceFlags) { if (!(ace is ObjectAce) && !(newAce is ObjectAce)) { ace.AccessMask |= newAce.AccessMask; return true; } if (this.InheritedObjectTypesMatch(ace, newAce) && this.AccessMasksAreMergeable(ace, newAce)) { ace.AccessMask |= newAce.AccessMask; return true; } } if ((((byte) (ace.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit))) == ((byte) (newAce.AceFlags & (AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.NoPropagateInherit | AceFlags.ObjectInherit)))) && (ace.AccessMask == newAce.AccessMask)) { if (!(ace is ObjectAce) && !(newAce is ObjectAce)) { ace.AceFlags = (AceFlags) ((byte) (ace.AceFlags | ((byte) (newAce.AceFlags & AceFlags.AuditFlags)))); return true; } if (this.InheritedObjectTypesMatch(ace, newAce) && this.ObjectTypesMatch(ace, newAce)) { ace.AceFlags = (AceFlags) ((byte) (ace.AceFlags | ((byte) (newAce.AceFlags & AceFlags.AuditFlags)))); return true; } } if ((((byte) (ace.AceFlags & AceFlags.AuditFlags)) == ((byte) (newAce.AceFlags & AceFlags.AuditFlags))) && (ace.AccessMask == newAce.AccessMask)) { AceFlags flags; if ((ace is ObjectAce) || (newAce is ObjectAce)) { if ((this.ObjectTypesMatch(ace, newAce) && this.AceFlagsAreMergeable(ace, newAce)) && MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags)) { ace.AceFlags = (AceFlags) ((byte) (flags | ((byte) (ace.AceFlags & AceFlags.AuditFlags)))); return true; } } else if (MergeInheritanceBits(ace.AceFlags, newAce.AceFlags, this.IsDS, out flags)) { ace.AceFlags = (AceFlags) ((byte) (flags | ((byte) (ace.AceFlags & AceFlags.AuditFlags)))); return true; } } } return false; }
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType) { AuthorizationRuleCollection rules2; base.ReadLock(); try { AuthorizationRuleCollection rules = new AuthorizationRuleCollection(); if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType)) { throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType"); } CommonAcl discretionaryAcl = null; if (access) { if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None) { discretionaryAcl = base._securityDescriptor.DiscretionaryAcl; } } else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None) { discretionaryAcl = base._securityDescriptor.SystemAcl; } if (discretionaryAcl == null) { return(rules); } IdentityReferenceCollection references = null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count); for (int j = 0; j < discretionaryAcl.Count; j++) { QualifiedAce ace = discretionaryAcl[j] as QualifiedAce; if ((ace == null) || ace.IsCallback) { continue; } if (access) { if ((ace.AceQualifier == AceQualifier.AccessAllowed) || (ace.AceQualifier == AceQualifier.AccessDenied)) { goto Label_00DD; } continue; } if (ace.AceQualifier != AceQualifier.SystemAudit) { continue; } Label_00DD: references2.Add(ace.SecurityIdentifier); } references = references2.Translate(targetType); } for (int i = 0; i < discretionaryAcl.Count; i++) { QualifiedAce ace2 = discretionaryAcl[i] as CommonAce; if (ace2 == null) { ace2 = discretionaryAcl[i] as ObjectAce; if (ace2 == null) { continue; } } if (ace2.IsCallback) { continue; } if (access) { if ((ace2.AceQualifier == AceQualifier.AccessAllowed) || (ace2.AceQualifier == AceQualifier.AccessDenied)) { goto Label_0174; } continue; } if (ace2.AceQualifier != AceQualifier.SystemAudit) { continue; } Label_0174: if ((includeExplicit && (((byte)(ace2.AceFlags & AceFlags.Inherited)) == 0)) || (includeInherited && (((byte)(ace2.AceFlags & AceFlags.Inherited)) != 0))) { IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[i]; if (access) { AccessControlType allow; if (ace2.AceQualifier == AceQualifier.AccessAllowed) { allow = AccessControlType.Allow; } else { allow = AccessControlType.Deny; } if (ace2 is ObjectAce) { ObjectAce ace3 = ace2 as ObjectAce; rules.AddRule(this.AccessRuleFactory(identityReference, ace3.AccessMask, ace3.IsInherited, ace3.InheritanceFlags, ace3.PropagationFlags, allow, ace3.ObjectAceType, ace3.InheritedObjectAceType)); } else { CommonAce ace4 = ace2 as CommonAce; if (ace4 != null) { rules.AddRule(this.AccessRuleFactory(identityReference, ace4.AccessMask, ace4.IsInherited, ace4.InheritanceFlags, ace4.PropagationFlags, allow)); } } } else if (ace2 is ObjectAce) { ObjectAce ace5 = ace2 as ObjectAce; rules.AddRule(this.AuditRuleFactory(identityReference, ace5.AccessMask, ace5.IsInherited, ace5.InheritanceFlags, ace5.PropagationFlags, ace5.AuditFlags, ace5.ObjectAceType, ace5.InheritedObjectAceType)); } else { CommonAce ace6 = ace2 as CommonAce; if (ace6 != null) { rules.AddRule(this.AuditRuleFactory(identityReference, ace6.AccessMask, ace6.IsInherited, ace6.InheritanceFlags, ace6.PropagationFlags, ace6.AuditFlags)); } } } } rules2 = rules; } finally { base.ReadUnlock(); } return(rules2); }
private bool GetInheritanceFlagsForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags ) { if ((( ace.AceFlags & AceFlags.ContainerInherit ) != 0 ) && (( aceFlags & AceFlags.ContainerInherit ) != 0 )) { // // If the aces have inheritance bits in common // then we follow these rules: // // Remove No IOT IOT = A IOT = B // Existing // // No IOT Remove Invalid Invalid // // IOT = A Remove Remove Nothing Common // if ( ace is ObjectAce ) { bool commonInheritanceFlagsExist = true; ObjectAce objectAce = ace as ObjectAce; // // if what we are trying to remove has an inherited object type // but the existing ace does not then this is an invalid case // if ((( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) && (( objectAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 )) { return false; } // // if what we are trying to remove has no inherited object type or // if inherited object types match then we have common inheritance flags // commonInheritanceFlagsExist = (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ) || objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType ); if ( !commonInheritanceFlagsExist ) { aceFlags &= ~AceFlags.InheritanceFlags; } } else if (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) { // the existing ace is a common ace and the one we're removing // refers to a specific child type so this is invalid return false; } } return true; }
private bool AceFlagsAreMergeable(QualifiedAce ace, QualifiedAce newAce) { if (this.InheritedObjectTypesMatch(ace, newAce)) { return true; } ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce) ace).ObjectAceFlags : ObjectAceFlags.None; return ((flags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None); }
static private bool AcesAreMergeable( QualifiedAce ace, QualifiedAce newAce ) { // // Only interested in ACEs with the specified type // if ( ace.AceType != newAce.AceType ) { return false; } // // Only interested in explicit (non-inherited) ACEs // if (( ace.AceFlags & AceFlags.Inherited ) != 0 ) { return false; } if (( newAce.AceFlags & AceFlags.Inherited ) != 0 ) { return false; } // // Only interested in ACEs with the specified qualifier // if ( ace.AceQualifier != newAce.AceQualifier ) { return false; } // // Only interested in ACEs with the specified SID // if ( ace.SecurityIdentifier != newAce.SecurityIdentifier ) { return false; } // // Only interested in ACEs with the specified callback data // if ( !AceOpaquesMatch( ace, newAce )) { return false; } return true; }
private bool ObjectTypesMatch( QualifiedAce ace, QualifiedAce newAce ) { Guid objectType = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).ObjectAceType : Guid.Empty; Guid newObjectType = ( newAce is ObjectAce ) ? (( ObjectAce ) newAce ).ObjectAceType : Guid.Empty; return objectType.Equals( newObjectType ); }
private bool ObjectTypesMatch(QualifiedAce ace, QualifiedAce newAce) { Guid guid = (ace is ObjectAce) ? ((ObjectAce) ace).ObjectAceType : Guid.Empty; Guid g = (newAce is ObjectAce) ? ((ObjectAce) newAce).ObjectAceType : Guid.Empty; return guid.Equals(g); }
private bool AccessMasksAreMergeable( QualifiedAce ace, QualifiedAce newAce ) { // // The access masks are mergeable in any of the following conditions // 1. Object types match // 2. (Object types do not match) The existing ace does not have an object type and // already contains all the bits of the new ace which refer to the object type // if ( ObjectTypesMatch( ace, newAce )) { // case 1 return true; } ObjectAceFlags objectFlags = ( ace is ObjectAce ) ? (( ObjectAce ) ace ).ObjectAceFlags : ObjectAceFlags.None; if ((( ace.AccessMask & newAce.AccessMask & ObjectAce.AccessMaskWithObjectType ) == ( newAce.AccessMask & ObjectAce.AccessMaskWithObjectType )) && (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 )) { // case 2 return true; } return false; }
private bool GetInheritanceFlagsForRemoval(QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags) { if ((((byte) (ace.AceFlags & AceFlags.ContainerInherit)) != 0) && (((byte) (aceFlags & AceFlags.ContainerInherit)) != 0)) { if (ace is ObjectAce) { ObjectAce ace2 = ace as ObjectAce; if (((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) && ((ace2.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None)) { return false; } if (!(((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None) || ace2.InheritedObjectTypesMatch(objectFlags, inheritedObjectType))) { aceFlags = (AceFlags) ((byte) (((int) aceFlags) & 240)); } } else if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) { return false; } } return true; }
private bool GetAccessMaskForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask ) { if (( ace.AccessMask & accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) { // // If the aces have access bits in common which refer to object types // then we follow these rules: // // Remove No OT OT = A OT = B // Existing // // No OT Remove Invalid Invalid // // OT = A Remove Remove Nothing Common // if ( ace is ObjectAce ) { bool commonAccessBitsWithObjectTypeExist = true; ObjectAce objectAce = ace as ObjectAce; // // if what we are trying to remove has an object type // but the existing ace does not then this is an invalid case // if ((( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) && (( objectAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 )) { return false; } // // if what we are trying to remove has no object type or // if object types match (since at this point we have ensured that both have object types present) // then we have common access bits with object type // commonAccessBitsWithObjectTypeExist = (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ) || objectAce.ObjectTypesMatch( objectFlags, objectType ); if ( !commonAccessBitsWithObjectTypeExist ) { accessMask &= ~ObjectAce.AccessMaskWithObjectType; } } else if (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) { // the existing ace is a common ace and the one we're removing // refers to a specific object type so this is invalid return false; } } return true; }
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType) { this.ReadLock(); try { AuthorizationRuleCollection authorizationRuleCollection = new AuthorizationRuleCollection(); if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType)) { throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType"); } CommonAcl commonAcl = (CommonAcl)null; if (access) { if ((this._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None) { commonAcl = (CommonAcl)this._securityDescriptor.DiscretionaryAcl; } } else if ((this._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None) { commonAcl = (CommonAcl)this._securityDescriptor.SystemAcl; } if (commonAcl == null) { return(authorizationRuleCollection); } IdentityReferenceCollection referenceCollection1 = (IdentityReferenceCollection)null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection referenceCollection2 = new IdentityReferenceCollection(commonAcl.Count); for (int index = 0; index < commonAcl.Count; ++index) { QualifiedAce qualifiedAce = commonAcl[index] as QualifiedAce; if (!((GenericAce)qualifiedAce == (GenericAce)null) && !qualifiedAce.IsCallback) { if (access) { if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied) { continue; } } else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit) { continue; } referenceCollection2.Add((IdentityReference)qualifiedAce.SecurityIdentifier); } } referenceCollection1 = referenceCollection2.Translate(targetType); } for (int index = 0; index < commonAcl.Count; ++index) { QualifiedAce qualifiedAce = (QualifiedAce)(commonAcl[index] as CommonAce); if ((GenericAce)qualifiedAce == (GenericAce)null) { qualifiedAce = (QualifiedAce)(commonAcl[index] as ObjectAce); if ((GenericAce)qualifiedAce == (GenericAce)null) { continue; } } if (!qualifiedAce.IsCallback) { if (access) { if (qualifiedAce.AceQualifier != AceQualifier.AccessAllowed && qualifiedAce.AceQualifier != AceQualifier.AccessDenied) { continue; } } else if (qualifiedAce.AceQualifier != AceQualifier.SystemAudit) { continue; } if (includeExplicit && (qualifiedAce.AceFlags & AceFlags.Inherited) == AceFlags.None || includeInherited && (qualifiedAce.AceFlags & AceFlags.Inherited) != AceFlags.None) { IdentityReference identityReference = targetType == typeof(SecurityIdentifier) ? (IdentityReference)qualifiedAce.SecurityIdentifier : referenceCollection1[index]; if (access) { AccessControlType type = qualifiedAce.AceQualifier != AceQualifier.AccessAllowed ? AccessControlType.Deny : AccessControlType.Allow; if (qualifiedAce is ObjectAce) { ObjectAce objectAce = qualifiedAce as ObjectAce; authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType)); } else { CommonAce commonAce = qualifiedAce as CommonAce; if (!((GenericAce)commonAce == (GenericAce)null)) { authorizationRuleCollection.AddRule((AuthorizationRule)this.AccessRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type)); } } } else if (qualifiedAce is ObjectAce) { ObjectAce objectAce = qualifiedAce as ObjectAce; authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType)); } else { CommonAce commonAce = qualifiedAce as CommonAce; if (!((GenericAce)commonAce == (GenericAce)null)) { authorizationRuleCollection.AddRule((AuthorizationRule)this.AuditRuleFactory(identityReference, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags)); } } } } } return(authorizationRuleCollection); } finally { this.ReadUnlock(); } }
static private bool AceOpaquesMatch( QualifiedAce ace, QualifiedAce newAce ) { byte[] aceOpaque = ace.GetOpaque(); byte[] newAceOpaque = newAce.GetOpaque(); if ( aceOpaque == null || newAceOpaque == null ) { return aceOpaque == newAceOpaque; } if ( aceOpaque.Length != newAceOpaque.Length ) { return false; } for ( int i = 0; i < aceOpaque.Length; ++i ) { if ( aceOpaque[i] != newAceOpaque[i] ) { return false; } } return true; }
private bool CanonicalCheck(bool isDacl) { if (isDacl) { int num = 0; for (int i = 0; i < this._acl.Count; i++) { int num3 = 3; GenericAce ace = this._acl[i]; if (((byte)(ace.AceFlags & AceFlags.Inherited)) != 0) { num3 = 2; } else { QualifiedAce ace2 = ace as QualifiedAce; if (ace2 != null) { if (ace2.AceQualifier == AceQualifier.AccessAllowed) { num3 = 1; goto Label_0059; } if (ace2.AceQualifier == AceQualifier.AccessDenied) { num3 = 0; goto Label_0059; } } return(false); } Label_0059: if (num3 != 3) { if (num3 > num) { num = num3; } else if (num3 < num) { return(false); } } } } else { int num4 = 0; for (int j = 0; j < this._acl.Count; j++) { int num6 = 2; GenericAce ace3 = this._acl[j]; if (ace3 != null) { if (((byte)(ace3.AceFlags & AceFlags.Inherited)) != 0) { num6 = 1; } else { QualifiedAce ace4 = ace3 as QualifiedAce; if (ace4 == null) { return(false); } if ((ace4.AceQualifier != AceQualifier.SystemAudit) && (ace4.AceQualifier != AceQualifier.SystemAlarm)) { return(false); } num6 = 0; } if (num6 > num4) { num4 = num6; } else if (num6 < num4) { return(false); } } } } return(true); }
// // Merge routine for qualified ACEs // private bool MergeAces( ref QualifiedAce ace, QualifiedAce newAce ) { // // Check whether the ACEs are potentially mergeable // if ( !AcesAreMergeable( ace, newAce )) { return false; } // // The modification algorithm proceeds in stages // // Stage 1: if flags match, add to the access mask // if ( ace.AceFlags == newAce.AceFlags ) { if ( ace is ObjectAce || newAce is ObjectAce ) { // for object aces we need to match the inherited object types (for ace flags equality) if ( InheritedObjectTypesMatch( ace, newAce )) { // also since access mask bits are further qualified by object type, they cannot always be added on if ( AccessMasksAreMergeable( ace, newAce )) { ace.AccessMask |= newAce.AccessMask; return true; } } } else { ace.AccessMask |= newAce.AccessMask; return true; } } // // Stage 2: Audit flags can be combined if the rest of the // flags (both access mask and inheritance) match // if ((( ace.AceFlags & AceFlags.InheritanceFlags ) == ( newAce.AceFlags & AceFlags.InheritanceFlags )) && ( ace.AccessMask == newAce.AccessMask )) { if (( ace is ObjectAce ) || ( newAce is ObjectAce )) { // for object aces we need to match the inherited object types (for inheritance flags equality) and object type (for access mask equality) as well if ( InheritedObjectTypesMatch( ace, newAce ) && ( ObjectTypesMatch( ace, newAce ))) { ace.AceFlags |= ( newAce.AceFlags & AceFlags.AuditFlags ); return true; } } else { ace.AceFlags |= ( newAce.AceFlags & AceFlags.AuditFlags ); return true; } } // // Stage 3: Inheritance flags can be combined in some cases // provided access mask and audit bits are the same // if ((( ace.AceFlags & AceFlags.AuditFlags ) == ( newAce.AceFlags & AceFlags.AuditFlags )) && ( ace.AccessMask == newAce.AccessMask )) { AceFlags merged; // // See whether the inheritance bits can be merged // if (( ace is ObjectAce ) || ( newAce is ObjectAce )) { // object types need to match (for access mask equality) and inheritance flags need additional DS specific logic // to check whether they can be merged if (( ObjectTypesMatch( ace, newAce )) && ( AceFlagsAreMergeable( ace, newAce ))) { if ( true == MergeInheritanceBits( ace.AceFlags, newAce.AceFlags, IsDS, out merged )) { ace.AceFlags = ( merged | ( ace.AceFlags & AceFlags.AuditFlags )); return true; } } } else { if ( true == MergeInheritanceBits( ace.AceFlags, newAce.AceFlags, IsDS, out merged )) { ace.AceFlags = ( merged | ( ace.AceFlags & AceFlags.AuditFlags )); return true; } } } return false; }
private bool AccessMasksAreMergeable(QualifiedAce ace, QualifiedAce newAce) { if (this.ObjectTypesMatch(ace, newAce)) { return true; } ObjectAceFlags flags = (ace is ObjectAce) ? ((ObjectAce) ace).ObjectAceFlags : ObjectAceFlags.None; return ((((ace.AccessMask & newAce.AccessMask) & ObjectAce.AccessMaskWithObjectType) == (newAce.AccessMask & ObjectAce.AccessMaskWithObjectType)) && ((flags & ObjectAceFlags.ObjectAceTypePresent) == ObjectAceFlags.None)); }