| public abstract IsSubsetOf ( IPermission target ) : bool | ||
| target | IPermission | |
| 리턴 | bool | |
internal bool CheckDeny(CodeAccessPermission denied)
{
if (denied == null)
{
return(true);
}
Type type = denied.GetType();
return(type != base.GetType() || this.Intersect(denied) == null || denied.IsSubsetOf(PermissionBuilder.Create(type)));
}
public virtual void AppendPermissionAndCompress(CodeAccessPermission perm, int type)
{
if (m_head == null)
{
BCLDebug.Assert(false, "You should not try to append and compress until there is atleast one other entry");
throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_InvalidState"));
}
if (type == MatchChecked)
{
PListNode current = m_last;
while (current != null)
{
if (current.type == MatchChecked)
{
if (current.perm == null)
{
return;
}
if (perm == null)
{
current.perm = null;
return;
}
try
{
if (perm.IsSubsetOf(current.perm) &&
current.perm.IsSubsetOf(perm))
{
return;
}
}
catch (Exception)
{
// It is ok to catch and ignore exceptions here because
// it only means that we'll continue to iterate and worst-
// case add a new PListNode for the parameter perm instance.
}
}
current = current.prev;
}
}
// If we get here, then add normally.
m_last.next = new PListNode(perm, type, null, m_last);
m_last = m_last.next;
m_cElt++;
}
public override bool Equals(object obj)
{
if (obj == null)
{
return(false);
}
if (obj.GetType() != this.GetType())
{
return(false);
}
CodeAccessPermission cap = (obj as CodeAccessPermission);
return(IsSubsetOf(cap) && cap.IsSubsetOf(this));
}
public override bool Equals(object obj)
{
if (obj == null)
{
return(false);
}
if (obj.GetType() != base.GetType())
{
return(false);
}
CodeAccessPermission codeAccessPermission = obj as CodeAccessPermission;
return(this.IsSubsetOf(codeAccessPermission) && codeAccessPermission.IsSubsetOf(this));
}
//
// Check callback
//
/// <include file='doc\CodeAccessPermission.uex' path='docs/doc[@for="CodeAccessPermission.CheckDemand"]/*' />
internal void CheckDemand(CodeAccessPermission demand)
{
if (demand == null)
{
return;
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("demand = " + demand.GetType().ToString() + " this = " + this.GetType().ToString());
}
#endif
BCLDebug.Assert(demand.GetType().Equals(this.GetType()), "CheckDemand not defined for permissions of different type");
if (!demand.IsSubsetOf(this))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
internal bool CheckDeny(CodeAccessPermission denied)
{
if (denied == null)
{
return(true);
}
Type t = denied.GetType();
if (t != this.GetType())
{
return(true);
}
IPermission inter = Intersect(denied);
if (inter == null)
{
return(true);
}
// sadly that's not enough :( at this stage we must also check
// if an empty (PermissionState.None) is a subset of the denied
// (which is like a empty intersection looks like for flag based
// permissions, e.g. AspNetHostingPermission).
return(denied.IsSubsetOf(PermissionBuilder.Create(t)));
}
internal bool CheckDemandInternal(CodeAccessPermission demand, out Exception exception)
{
BCLDebug.Assert(m_head != null, "m_head != null");
for (PListNode pnext = m_head; pnext != null; pnext = pnext.next)
{
if (pnext.perm == null)
{
// If this is a grant set or a permit only, then we should fail since null indicates the empty permission.
if (pnext.type == MatchChecked || pnext.type == MatchPermitOnly)
{
BCLDebug.Assert(!demand.IsSubsetOf(null), "By the time we get here, demands that are subsets of null should have been terminated");
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return(false);
}
// If this is a deny, then we should fail since null indicates the unrestricted permission.
if (pnext.type == MatchDeny)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return(false);
}
// If this is an assert, then we should return success and terminate the stack walk since
// null indicates the unrestricted permission.
if (pnext.type == MatchAssert)
{
exception = null;
return(false);
}
// If this is anything else, then we should act confused.
// This case is unexpected.
BCLDebug.Assert(false, "This case should never happen");
exception = new InvalidOperationException(Environment.GetResourceString("InvalidOperation_InvalidState"));
return(false);
}
CodeAccessPermission cap = pnext.perm;
switch (pnext.type)
{
case MatchChecked:
case MatchPermitOnly:
if (!demand.IsSubsetOf(cap))
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return(false);
}
break;
case MatchAssert:
if (demand.IsSubsetOf(cap))
{
exception = null;
return(false);
}
break;
case MatchDeny:
if (demand.Intersect(cap) != null)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return(false);
}
break;
default:
// Illegal entry
exception = new InvalidOperationException(Environment.GetResourceString("InvalidOperation_InvalidState"));
return(false);
}
}
exception = null;
return(true);
}
// Token: 0x06001E28 RID: 7720 RVA: 0x0006948C File Offset: 0x0006768C
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet)
{
if (grantSet != null && grantSet.IsUnrestricted() && (deniedSet == null || deniedSet.IsEmpty()))
{
return(-1);
}
SecurityPermissionFlag securityPermissionFlag = SecurityPermissionFlag.NoFlags;
ReflectionPermissionFlag reflectionPermissionFlag = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] array = new CodeAccessPermission[6];
if (grantSet != null)
{
if (grantSet.IsUnrestricted())
{
securityPermissionFlag = SecurityPermissionFlag.AllFlags;
reflectionPermissionFlag = (ReflectionPermissionFlag.TypeInformation | ReflectionPermissionFlag.MemberAccess | ReflectionPermissionFlag.ReflectionEmit | ReflectionPermissionFlag.RestrictedMemberAccess);
for (int i = 0; i < array.Length; i++)
{
array[i] = SecurityManager.s_UnrestrictedSpecialPermissionMap[i];
}
}
else
{
SecurityPermission securityPermission = grantSet.GetPermission(6) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlag = securityPermission.Flags;
}
ReflectionPermission reflectionPermission = grantSet.GetPermission(4) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlag = reflectionPermission.Flags;
}
for (int j = 0; j < array.Length; j++)
{
array[j] = (grantSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[j][0]) as CodeAccessPermission);
}
}
}
if (deniedSet != null)
{
if (deniedSet.IsUnrestricted())
{
securityPermissionFlag = SecurityPermissionFlag.NoFlags;
reflectionPermissionFlag = ReflectionPermissionFlag.NoFlags;
for (int k = 0; k < SecurityManager.s_BuiltInPermissionIndexMap.Length; k++)
{
array[k] = null;
}
}
else
{
SecurityPermission securityPermission = deniedSet.GetPermission(6) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlag &= ~securityPermission.Flags;
}
ReflectionPermission reflectionPermission = deniedSet.GetPermission(4) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlag &= ~reflectionPermission.Flags;
}
for (int l = 0; l < SecurityManager.s_BuiltInPermissionIndexMap.Length; l++)
{
CodeAccessPermission codeAccessPermission = deniedSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[l][0]) as CodeAccessPermission;
if (codeAccessPermission != null && !codeAccessPermission.IsSubsetOf(null))
{
array[l] = null;
}
}
}
}
int num = SecurityManager.MapToSpecialFlags(securityPermissionFlag, reflectionPermissionFlag);
if (num != -1)
{
for (int m = 0; m < array.Length; m++)
{
if (array[m] != null && ((IUnrestrictedPermission)array[m]).IsUnrestricted())
{
num |= 1 << SecurityManager.s_BuiltInPermissionIndexMap[m][1];
}
}
}
return(num);
}
internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, out Exception exception)
{
BCLDebug.Assert(demand != null, "demand != null");
BCLDebug.Assert(permToken != null, "permToken != null");
// First, find if there is a permission list of this type.
PermissionList permList = FindPermissionList(permToken);
if (permList != null)
{
// If so, check against it to determine our action.
bool cont = permList.CheckDemandInternal(demand, out exception);
// We don't record modifiers for the unrestricted permission set in the
// individual lists. Therefore, permList.CheckDemandInternal may say
// that we have to continue the stackwalk, but we know better.
if (cont && permToken.m_isUnrestricted)
{
if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0)
{
exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
return false;
}
else
{
cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
}
}
return cont;
}
#if _DEBUG
// Let's check to make sure we always pass demands for empty permissions.
else if (demand.IsSubsetOf( null ))
{
BCLDebug.Assert( false, "We should pick of empty demands before this point" );
exception = null;
return true;
}
#endif
// If the permission is not unrestricted, the lack of a permission list
// denotes that no frame on the stack granted this permission, and therefore
// we pass back the failure condition.
else if (!permToken.m_isUnrestricted)
{
exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
return false;
}
// If this permission list set is not unrestricted and there is no unrestricted assert
// then the lack of a permission list denotes that no frame on the stack granted
// this permission, and therefore we pass back the failure condition. If there is
// an unrestricted assert, then we pass back success and terminate the stack walk.
else if (!this.IsUnrestricted())
{
exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
return false;
}
// If we made it all the way through, that means that we are in the unrestricted
// state and that this permission is encompassed in that. If we have an unrestricted
// assert, we are done with the state walk (return false), otherwise keep going.
exception = null;
return (m_state & PermissionListSetState.UnrestrictedAssert) == 0;
}
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet)
{
if (((grantSet != null) && grantSet.IsUnrestricted()) && ((deniedSet == null) || deniedSet.IsEmpty()))
{
return(-1);
}
SecurityPermission permission = null;
SecurityPermissionFlag noFlags = SecurityPermissionFlag.NoFlags;
ReflectionPermission permission2 = null;
ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] permissionArray = new CodeAccessPermission[6];
if (grantSet != null)
{
if (grantSet.IsUnrestricted())
{
noFlags = SecurityPermissionFlag.AllFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.RestrictedMemberAccess | ReflectionPermissionFlag.AllFlags;
for (int i = 0; i < permissionArray.Length; i++)
{
permissionArray[i] = s_UnrestrictedSpecialPermissionMap[i];
}
}
else
{
permission = grantSet.GetPermission(6) as SecurityPermission;
if (permission != null)
{
noFlags = permission.Flags;
}
permission2 = grantSet.GetPermission(4) as ReflectionPermission;
if (permission2 != null)
{
reflectionPermissionFlags = permission2.Flags;
}
for (int j = 0; j < permissionArray.Length; j++)
{
permissionArray[j] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[j][0]) as CodeAccessPermission;
}
}
}
if (deniedSet != null)
{
if (deniedSet.IsUnrestricted())
{
noFlags = SecurityPermissionFlag.NoFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
for (int k = 0; k < s_BuiltInPermissionIndexMap.Length; k++)
{
permissionArray[k] = null;
}
}
else
{
permission = deniedSet.GetPermission(6) as SecurityPermission;
if (permission != null)
{
noFlags &= ~permission.Flags;
}
permission2 = deniedSet.GetPermission(4) as ReflectionPermission;
if (permission2 != null)
{
reflectionPermissionFlags &= ~permission2.Flags;
}
for (int m = 0; m < s_BuiltInPermissionIndexMap.Length; m++)
{
CodeAccessPermission permission3 = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[m][0]) as CodeAccessPermission;
if ((permission3 != null) && !permission3.IsSubsetOf(null))
{
permissionArray[m] = null;
}
}
}
}
int num5 = MapToSpecialFlags(noFlags, reflectionPermissionFlags);
if (num5 != -1)
{
for (int n = 0; n < permissionArray.Length; n++)
{
if ((permissionArray[n] != null) && ((IUnrestrictedPermission)permissionArray[n]).IsUnrestricted())
{
num5 |= ((int)1) << s_BuiltInPermissionIndexMap[n][1];
}
}
}
return(num5);
}
internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, bool createException, out Exception exception)
{
BCLDebug.Assert(demand != null, "demand != null");
BCLDebug.Assert(permToken != null, "permToken != null");
// First, find if there is a permission list of this type.
PermissionList permList = FindPermissionList(permToken);
if (permList != null)
{
// If so, check against it to determine our action.
bool cont = permList.CheckDemandInternal(demand, createException, out exception);
// We don't record modifiers for the unrestricted permission set in the
// individual lists. Therefore, permList.CheckDemandInternal may say
// that we have to continue the stackwalk, but we know better.
if (cont && permToken.m_isUnrestricted)
{
if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0)
{
if (createException)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
}
else
{
exception = GetStaticException();
}
return(false);
}
else
{
cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
}
}
return(cont);
}
#if _DEBUG
// Let's check to make sure we always pass demands for empty permissions.
else if (demand.IsSubsetOf(null))
{
BCLDebug.Assert(false, "We should pick of empty demands before this point");
exception = null;
return(true);
}
#endif
// If the permission is not unrestricted, the lack of a permission list
// denotes that no frame on the stack granted this permission, and therefore
// we pass back the failure condition.
else if (!permToken.m_isUnrestricted)
{
if (createException)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
}
else
{
exception = GetStaticException();
}
return(false);
}
// If this permission list set is not unrestricted and there is no unrestricted assert
// then the lack of a permission list denotes that no frame on the stack granted
// this permission, and therefore we pass back the failure condition. If there is
// an unrestricted assert, then we pass back success and terminate the stack walk.
else if (!this.IsUnrestricted())
{
if (createException)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
}
else
{
exception = GetStaticException();
}
return(false);
}
// If we made it all the way through, that means that we are in the unrestricted
// state and that this permission is encompassed in that. If we have an unrestricted
// assert, we are done with the state walk (return false), otherwise keep going.
exception = null;
return((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
}
internal bool CheckDeny (CodeAccessPermission denied)
{
if (denied == null)
return true;
Type t = denied.GetType ();
if (t != this.GetType ())
return true;
IPermission inter = Intersect (denied);
if (inter == null)
return true;
// sadly that's not enough :( at this stage we must also check
// if an empty (PermissionState.None) is a subset of the denied
// (which is like a empty intersection looks like for flag based
// permissions, e.g. AspNetHostingPermission).
return denied.IsSubsetOf (PermissionBuilder.Create (t));
}
private static void CheckHelper(PermissionSet grantedSet,
PermissionSet deniedSet,
CodeAccessPermission demand,
PermissionToken permToken)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grantedSet.ToXml().ToString());
DEBUG_OUT("Denied: ");
DEBUG_OUT(deniedSet != null ? deniedSet.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demand.ToString());
}
#endif
if (permToken == null)
{
permToken = PermissionToken.GetToken(demand);
}
// If PermissionSet is null, then module does not have Permissions... Fail check.
try
{
if (grantedSet == null)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission))
{
// If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted
// variety, we need to do the proper callback.
BCLDebug.Assert(demand != null, "demand != null");
// Find the permission of matching type in the permission set.
CodeAccessPermission grantedPerm =
(CodeAccessPermission)grantedSet.GetPermission(permToken);
// If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty)
// then throw an exception.
if (grantedPerm == null)
{
if (!demand.IsSubsetOf(null))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
else
{
return;
}
}
// Call the check demand for our permission.
grantedPerm.CheckDemand(demand);
}
// Make the sure the permission is not denied.
if (deniedSet != null)
{
CodeAccessPermission deniedPerm =
(CodeAccessPermission)deniedSet.GetPermission(permToken);
if (deniedPerm != null)
{
if (deniedPerm.Intersect(demand) != null)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Permission found in denied set");
}
#endif
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
if (deniedSet.IsUnrestricted() && (demand is IUnrestrictedPermission))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
catch (Exception e)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (e is SecurityException)
{
throw e;
}
else
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
DEBUG_OUT("Check passed");
}
private static void CheckTokenBasedSetHelper(bool ignoreGrants,
TokenBasedSet grants,
TokenBasedSet denied,
TokenBasedSet demands)
{
if (demands == null)
{
return;
}
TokenBasedSetEnumerator enumerator = (TokenBasedSetEnumerator)demands.GetEnum();
while (enumerator.MoveNext())
{
CodeAccessPermission demand = (CodeAccessPermission)enumerator.Current;
int index = enumerator.GetCurrentIndex();
if (demand != null)
{
try
{
// Check to make sure the permission was granted, unless we are supposed
// to ignore grants.
if (!ignoreGrants)
{
CodeAccessPermission grant
= grants != null ? (CodeAccessPermission)grants.GetItem(index) : null;
if (grant != null)
{
grant.CheckDemand(demand);
}
else
{
if (!demand.IsSubsetOf(null))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
// Check to make sure our permission was not denied.
if (denied != null)
{
CodeAccessPermission deny
= (CodeAccessPermission)denied.GetItem(index);
if (deny != null && deny.Intersect(demand) != null)
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
catch (Exception e)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (e is SecurityException)
{
throw e;
}
else
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
}
}
private static void CheckHelper(PermissionSet grantedSet,
PermissionSet deniedSet,
CodeAccessPermission demand,
PermissionToken permToken)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grantedSet.ToXml().ToString());
DEBUG_OUT("Denied: ");
DEBUG_OUT(deniedSet!=null ? deniedSet.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demand.ToString());
}
#endif
if (permToken == null)
permToken = PermissionToken.GetToken(demand);
// If PermissionSet is null, then module does not have Permissions... Fail check.
try
{
if (grantedSet == null)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission))
{
// If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted
// variety, we need to do the proper callback.
BCLDebug.Assert(demand != null,"demand != null");
// Find the permission of matching type in the permission set.
CodeAccessPermission grantedPerm =
(CodeAccessPermission)grantedSet.GetPermission(permToken);
// If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty)
// then throw an exception.
if (grantedPerm == null)
{
if (!demand.IsSubsetOf( null ))
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
else
return;
}
// Call the check demand for our permission.
grantedPerm.CheckDemand(demand);
}
// Make the sure the permission is not denied.
if (deniedSet != null)
{
CodeAccessPermission deniedPerm =
(CodeAccessPermission)deniedSet.GetPermission(permToken);
if (deniedPerm != null)
{
if (deniedPerm.Intersect(demand) != null)
{
#if _DEBUG
if (debug)
DEBUG_OUT( "Permission found in denied set" );
#endif
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
}
catch (Exception e)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (e is SecurityException)
throw e;
else
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
DEBUG_OUT( "Check passed" );
}
//
// Check callback
//
/// <include file='doc\CodeAccessPermission.uex' path='docs/doc[@for="CodeAccessPermission.CheckDemand"]/*' />
internal void CheckDemand(CodeAccessPermission demand)
{
if (demand == null)
return;
#if _DEBUG
if (debug)
{
DEBUG_OUT( "demand = " + demand.GetType().ToString() + " this = " + this.GetType().ToString() );
}
#endif
BCLDebug.Assert( demand.GetType().Equals( this.GetType() ), "CheckDemand not defined for permissions of different type" );
if (!demand.IsSubsetOf( this ))
throw new SecurityException( String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ), demand.GetType(), demand.ToXml().ToString() );
}
internal bool CheckDemandInternal(CodeAccessPermission demand, out Exception exception)
{
BCLDebug.Assert(m_head != null,"m_head != null");
for (PListNode pnext = m_head; pnext != null; pnext = pnext.next)
{
if (pnext.perm == null)
{
// If this is a grant set or a permit only, then we should fail since null indicates the empty permission.
if (pnext.type == MatchChecked || pnext.type == MatchPermitOnly)
{
BCLDebug.Assert( !demand.IsSubsetOf( null ), "By the time we get here, demands that are subsets of null should have been terminated" );
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return false;
}
// If this is a deny, then we should fail since null indicates the unrestricted permission.
if (pnext.type == MatchDeny)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return false;
}
// If this is an assert, then we should return success and terminate the stack walk since
// null indicates the unrestricted permission.
if (pnext.type == MatchAssert)
{
exception = null;
return false;
}
// If this is anything else, then we should act confused.
// This case is unexpected.
BCLDebug.Assert( false, "This case should never happen" );
exception = new InvalidOperationException( Environment.GetResourceString( "InvalidOperation_InvalidState" ) );
return false;
}
CodeAccessPermission cap = pnext.perm;
switch (pnext.type)
{
case MatchChecked:
case MatchPermitOnly:
if (!demand.IsSubsetOf(cap))
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return false;
}
break;
case MatchAssert:
if (demand.IsSubsetOf(cap))
{
exception = null;
return false;
}
break;
case MatchDeny:
if (demand.Intersect(cap) != null)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
return false;
}
break;
default:
// Illegal entry
exception = new InvalidOperationException( Environment.GetResourceString( "InvalidOperation_InvalidState" ) );
return false;
}
}
exception = null;
return true;
}
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet)
{
if ((grantSet != null && grantSet.IsUnrestricted()) && (deniedSet == null || deniedSet.IsEmpty()))
{
return(-1);
}
else
{
SecurityPermission securityPermission = null;
#pragma warning disable 618
SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags;
#pragma warning restore 618
ReflectionPermission reflectionPermission = null;
ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] specialPermissions = new CodeAccessPermission[6];
if (grantSet != null)
{
if (grantSet.IsUnrestricted())
{
#pragma warning disable 618
securityPermissionFlags = SecurityPermissionFlag.AllFlags;
#pragma warning restore 618
reflectionPermissionFlags = ReflectionPermission.AllFlagsAndMore;
for (int i = 0; i < specialPermissions.Length; i++)
{
specialPermissions[i] = s_UnrestrictedSpecialPermissionMap[i];
}
}
else
{
securityPermission = grantSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags = securityPermission.Flags;
}
reflectionPermission = grantSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags = reflectionPermission.Flags;
}
for (int i = 0; i < specialPermissions.Length; i++)
{
specialPermissions[i] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
}
}
}
if (deniedSet != null)
{
if (deniedSet.IsUnrestricted())
{
#pragma warning disable 618
securityPermissionFlags = SecurityPermissionFlag.NoFlags;
#pragma warning restore 618
reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++)
{
specialPermissions[i] = null;
}
}
else
{
securityPermission = deniedSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags &= ~securityPermission.Flags;
}
reflectionPermission = deniedSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags &= ~reflectionPermission.Flags;
}
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++)
{
CodeAccessPermission deniedSpecialPermission = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
if (deniedSpecialPermission != null && !deniedSpecialPermission.IsSubsetOf(null))
{
specialPermissions[i] = null; // we don't care about the exact value here.
}
}
}
}
int flags = MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags);
if (flags != -1)
{
for (int i = 0; i < specialPermissions.Length; i++)
{
if (specialPermissions[i] != null && ((IUnrestrictedPermission)specialPermissions[i]).IsUnrestricted())
{
flags |= (1 << (int)s_BuiltInPermissionIndexMap[i][1]);
}
}
}
return(flags);
}
}
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet)
{
if (grantSet != null && grantSet.IsUnrestricted() && (deniedSet == null || deniedSet.IsEmpty()))
{
return(-1);
}
SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags;
ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] accessPermissionArray = new CodeAccessPermission[6];
if (grantSet != null)
{
if (grantSet.IsUnrestricted())
{
securityPermissionFlags = SecurityPermissionFlag.AllFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.AllFlags | ReflectionPermissionFlag.RestrictedMemberAccess;
for (int index = 0; index < accessPermissionArray.Length; ++index)
{
accessPermissionArray[index] = SecurityManager.s_UnrestrictedSpecialPermissionMap[index];
}
}
else
{
SecurityPermission securityPermission = grantSet.GetPermission(6) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags = securityPermission.Flags;
}
ReflectionPermission reflectionPermission = grantSet.GetPermission(4) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags = reflectionPermission.Flags;
}
for (int index = 0; index < accessPermissionArray.Length; ++index)
{
accessPermissionArray[index] = grantSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[index][0]) as CodeAccessPermission;
}
}
}
if (deniedSet != null)
{
if (deniedSet.IsUnrestricted())
{
securityPermissionFlags = SecurityPermissionFlag.NoFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
for (int index = 0; index < SecurityManager.s_BuiltInPermissionIndexMap.Length; ++index)
{
accessPermissionArray[index] = (CodeAccessPermission)null;
}
}
else
{
SecurityPermission securityPermission = deniedSet.GetPermission(6) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags &= ~securityPermission.Flags;
}
ReflectionPermission reflectionPermission = deniedSet.GetPermission(4) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags &= ~reflectionPermission.Flags;
}
for (int index = 0; index < SecurityManager.s_BuiltInPermissionIndexMap.Length; ++index)
{
CodeAccessPermission accessPermission = deniedSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[index][0]) as CodeAccessPermission;
if (accessPermission != null && !accessPermission.IsSubsetOf((IPermission)null))
{
accessPermissionArray[index] = (CodeAccessPermission)null;
}
}
}
}
int specialFlags = SecurityManager.MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags);
if (specialFlags != -1)
{
for (int index = 0; index < accessPermissionArray.Length; ++index)
{
if (accessPermissionArray[index] != null && ((IUnrestrictedPermission)accessPermissionArray[index]).IsUnrestricted())
{
specialFlags |= 1 << SecurityManager.s_BuiltInPermissionIndexMap[index][1];
}
}
}
return(specialFlags);
}