// Returns a permission set containing only CAS-permissions. If possible
// this is just the input set, otherwise a new set is allocated.
private PermissionSet GetCasOnlySet()
{
if (!m_ContainsNonCas)
return this;
if (IsUnrestricted())
return this;
PermissionSet pset = new PermissionSet(false);
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(this);
while (enumerator.MoveNext())
{
IPermission perm = (IPermission)enumerator.Current;
if (perm is CodeAccessPermission)
pset.AddPermission(perm);
}
pset.m_CheckedForNonCas = true;
pset.m_ContainsCas = !pset.IsEmpty();
pset.m_ContainsNonCas = false;
return pset;
}
[System.Security.SecurityCritical] // auto-generated
#endif
private static byte[] CreateSerialized(Object[] attrs,
bool serialize,
ref byte[] nonCasBlob,
out PermissionSet casPset,
HostProtectionResource fullTrustOnlyResources,
bool allowEmptyPermissionSets)
{
// Create two new (empty) sets.
casPset = null;
PermissionSet nonCasPset = null;
// Most security attributes generate a single permission. The
// PermissionSetAttribute class generates an entire permission set we
// need to merge, however.
for (int i = 0; i < attrs.Length; i++)
{
#pragma warning disable 618
Contract.Assert(i == 0 || ((SecurityAttribute)attrs[i]).m_action == ((SecurityAttribute)attrs[i - 1]).m_action, "Mixed SecurityActions");
#pragma warning restore 618
if (attrs[i] is PermissionSetAttribute)
{
PermissionSet pset = ((PermissionSetAttribute)attrs[i]).CreatePermissionSet();
if (pset == null)
throw new ArgumentException( Environment.GetResourceString( "Argument_UnableToGeneratePermissionSet" ) );
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(pset);
while (enumerator.MoveNext())
{
IPermission perm = (IPermission)enumerator.Current;
MergePermission(perm, serialize, ref casPset, ref nonCasPset);
}
if(casPset == null)
casPset = new PermissionSet(false);
if (pset.IsUnrestricted())
casPset.SetUnrestricted(true);
}
else
{
#pragma warning disable 618
IPermission perm = ((SecurityAttribute)attrs[i]).CreatePermission();
#pragma warning restore 618
MergePermission(perm, serialize, ref casPset, ref nonCasPset);
}
}
Contract.Assert(serialize || nonCasPset == null, "We shouldn't separate nonCAS permissions unless fSerialize is true");
//
// Filter HostProtection permission. In the VM, some optimizations are done based upon these
// declarative permission sets being NULL if they do not exist. When filtering the permission
// set if we end up with an empty set, we can the permission set NULL rather than returning the
// empty set in order to enable those optimizations.
//
if(casPset != null)
{
casPset.FilterHostProtectionPermissions(fullTrustOnlyResources, HostProtectionResource.None);
casPset.ContainsNonCodeAccessPermissions(); // make sure all declarative PermissionSets are checked for non-CAS so we can just check the flag from native code
if (allowEmptyPermissionSets && casPset.IsEmpty())
casPset = null;
}
if(nonCasPset != null)
{
nonCasPset.FilterHostProtectionPermissions(fullTrustOnlyResources, HostProtectionResource.None);
nonCasPset.ContainsNonCodeAccessPermissions(); // make sure all declarative PermissionSets are checked for non-CAS so we can just check the flag from native code
if (allowEmptyPermissionSets && nonCasPset.IsEmpty())
nonCasPset = null;
}
// Serialize the set(s).
byte[] casBlob = null;
nonCasBlob = null;
#if FEATURE_CAS_POLICY
if(serialize)
{
if(casPset != null)
casBlob = casPset.EncodeXml();
if(nonCasPset != null)
nonCasBlob = nonCasPset.EncodeXml();
}
#else // FEATURE_CAS_POLICY
Contract.Assert(!serialize, "Cannot serialize permission sets on CoreCLR");
#endif // FEATURE_CAS_POLICY
return casBlob;
}
public bool IsEmpty()
{
if (this.m_Unrestricted)
{
return false;
}
if ((this.m_permSet != null) && !this.m_permSet.FastIsEmpty())
{
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(this);
while (internal2.MoveNext())
{
IPermission current = (IPermission) internal2.Current;
if (!current.IsSubsetOf(null))
{
return false;
}
}
}
return true;
}
[System.Security.SecurityCritical] // auto-generated
#endif
public bool ContainsNonCodeAccessPermissions()
{
if (m_CheckedForNonCas)
return m_ContainsNonCas;
lock (this)
{
if (m_CheckedForNonCas)
return m_ContainsNonCas;
m_ContainsCas = false;
m_ContainsNonCas = false;
if (IsUnrestricted())
m_ContainsCas = true;
if (this.m_permSet != null)
{
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(this);
while (enumerator.MoveNext() && (!m_ContainsCas || !m_ContainsNonCas))
{
IPermission perm = enumerator.Current as IPermission;
if (perm != null)
{
if (perm is CodeAccessPermission)
m_ContainsCas = true;
else
m_ContainsNonCas = true;
}
}
}
m_CheckedForNonCas = true;
}
return m_ContainsNonCas;
}
public bool IsEmpty()
{
if (m_Unrestricted)
return false;
if (m_permSet == null || m_permSet.FastIsEmpty())
return true;
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(this);
while (enumerator.MoveNext())
{
IPermission perm = (IPermission)enumerator.Current;
if (!perm.IsSubsetOf( null ))
{
return false;
}
}
return true;
}
internal PermissionSetEnumerator(PermissionSet permSet)
{
this.enm = new PermissionSetEnumeratorInternal(permSet);
}
public bool ContainsNonCodeAccessPermissions()
{
if (!this.m_CheckedForNonCas)
{
lock (this)
{
if (this.m_CheckedForNonCas)
{
return this.m_ContainsNonCas;
}
this.m_ContainsCas = false;
this.m_ContainsNonCas = false;
if (this.IsUnrestricted())
{
this.m_ContainsCas = true;
}
if (this.m_permSet != null)
{
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(this);
while (internal2.MoveNext() && (!this.m_ContainsCas || !this.m_ContainsNonCas))
{
IPermission current = internal2.Current as IPermission;
if (current != null)
{
if (current is CodeAccessPermission)
{
this.m_ContainsCas = true;
}
else
{
this.m_ContainsNonCas = true;
}
}
}
}
this.m_CheckedForNonCas = true;
}
}
return this.m_ContainsNonCas;
}
internal static void RemoveAssertedPermissionSet(PermissionSet demandSet, PermissionSet assertSet, out PermissionSet alteredDemandSet)
{
Contract.Assert(!assertSet.IsUnrestricted(), "Cannot call this function if assertSet is unrestricted");
alteredDemandSet = null;
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(demandSet);
while (enumerator.MoveNext())
{
CodeAccessPermission demandDerm = (CodeAccessPermission)enumerator.Current;
int i = enumerator.GetCurrentIndex();
if (demandDerm != null)
{
CodeAccessPermission assertPerm
= (CodeAccessPermission)assertSet.GetPermission(i);
try
{
if (demandDerm.CheckAssert(assertPerm))
{
if (alteredDemandSet == null)
alteredDemandSet = demandSet.Copy();
alteredDemandSet.RemovePermission(i);
}
}
catch (ArgumentException)
{
}
}
}
return;
}
internal bool CheckDeny(PermissionSet deniedSet, out IPermission firstPermThatFailed)
{
firstPermThatFailed = null;
if (((deniedSet != null) && !deniedSet.FastIsEmpty()) && !this.FastIsEmpty())
{
if (this.m_Unrestricted && deniedSet.m_Unrestricted)
{
return false;
}
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(this);
while (internal2.MoveNext())
{
CodeAccessPermission current = internal2.Current as CodeAccessPermission;
if ((current != null) && !current.IsSubsetOf(null))
{
if (deniedSet.m_Unrestricted)
{
firstPermThatFailed = current;
return false;
}
CodeAccessPermission permission = (CodeAccessPermission) deniedSet.GetPermission(internal2.GetCurrentIndex());
if (!current.CheckDeny(permission))
{
firstPermThatFailed = current;
return false;
}
}
}
if (this.m_Unrestricted)
{
PermissionSetEnumeratorInternal internal3 = new PermissionSetEnumeratorInternal(deniedSet);
while (internal3.MoveNext())
{
if (internal3.Current is IPermission)
{
return false;
}
}
}
}
return true;
}
internal SecurityElement ToXml(string permName)
{
SecurityElement element = new SecurityElement("PermissionSet");
element.AddAttribute("class", permName);
element.AddAttribute("version", "1");
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(this);
if (this.m_Unrestricted)
{
element.AddAttribute("Unrestricted", "true");
}
while (internal2.MoveNext())
{
IPermission current = (IPermission) internal2.Current;
if (!this.m_Unrestricted)
{
element.AddChild(current.ToXml());
}
}
return element;
}
internal static PermissionSet RemoveRefusedPermissionSet(PermissionSet assertSet, PermissionSet refusedSet, out bool bFailedToCompress)
{
PermissionSet set = null;
bFailedToCompress = false;
if (assertSet == null)
{
return null;
}
if (refusedSet != null)
{
if (refusedSet.IsUnrestricted())
{
return null;
}
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(refusedSet);
while (internal2.MoveNext())
{
CodeAccessPermission current = (CodeAccessPermission) internal2.Current;
int currentIndex = internal2.GetCurrentIndex();
if (current != null)
{
CodeAccessPermission permission = (CodeAccessPermission) assertSet.GetPermission(currentIndex);
try
{
if (current.Intersect(permission) == null)
{
continue;
}
if (current.Equals(permission))
{
if (set == null)
{
set = assertSet.Copy();
}
set.RemovePermission(currentIndex);
continue;
}
bFailedToCompress = true;
return assertSet;
}
catch (ArgumentException)
{
if (set == null)
{
set = assertSet.Copy();
}
set.RemovePermission(currentIndex);
continue;
}
}
}
}
if (set != null)
{
return set;
}
return assertSet;
}
internal static void RemoveAssertedPermissionSet(PermissionSet demandSet, PermissionSet assertSet, out PermissionSet alteredDemandSet)
{
alteredDemandSet = null;
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(demandSet);
while (internal2.MoveNext())
{
CodeAccessPermission current = (CodeAccessPermission) internal2.Current;
int currentIndex = internal2.GetCurrentIndex();
if (current != null)
{
CodeAccessPermission permission = (CodeAccessPermission) assertSet.GetPermission(currentIndex);
try
{
if (current.CheckAssert(permission))
{
if (alteredDemandSet == null)
{
alteredDemandSet = demandSet.Copy();
}
alteredDemandSet.RemovePermission(currentIndex);
}
continue;
}
catch (ArgumentException)
{
continue;
}
}
}
}
internal static bool IsIntersectingAssertedPermissions(PermissionSet assertSet1, PermissionSet assertSet2)
{
bool flag = false;
if ((assertSet1 != null) && (assertSet2 != null))
{
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(assertSet2);
while (internal2.MoveNext())
{
CodeAccessPermission current = (CodeAccessPermission) internal2.Current;
int currentIndex = internal2.GetCurrentIndex();
if (current != null)
{
CodeAccessPermission permission = (CodeAccessPermission) assertSet1.GetPermission(currentIndex);
try
{
if ((permission != null) && !permission.Equals(current))
{
flag = true;
}
continue;
}
catch (ArgumentException)
{
flag = true;
continue;
}
}
}
}
return flag;
}
public virtual void CopyTo(Array array, int index)
{
if (array == null)
throw new ArgumentNullException( "array" );
Contract.EndContractBlock();
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(this);
while (enumerator.MoveNext())
{
array.SetValue(enumerator.Current , index++ );
}
}
public virtual void CopyTo(Array array, int index)
{
if (array == null)
{
throw new ArgumentNullException("array");
}
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(this);
while (internal2.MoveNext())
{
array.SetValue(internal2.Current, index++);
}
}
internal static PermissionSet RemoveRefusedPermissionSet(PermissionSet assertSet, PermissionSet refusedSet, out bool bFailedToCompress)
{
Contract.Assert((assertSet == null || !assertSet.IsUnrestricted()), "Cannot be unrestricted here");
PermissionSet retPs = null;
bFailedToCompress = false;
if (assertSet == null)
return null;
if (refusedSet != null)
{
if (refusedSet.IsUnrestricted())
return null; // we're refusing everything...cannot assert anything now.
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(refusedSet);
while (enumerator.MoveNext())
{
CodeAccessPermission refusedPerm = (CodeAccessPermission)enumerator.Current;
int i = enumerator.GetCurrentIndex();
if (refusedPerm != null)
{
CodeAccessPermission perm
= (CodeAccessPermission)assertSet.GetPermission(i);
try
{
if (refusedPerm.Intersect(perm) != null)
{
if (refusedPerm.Equals(perm))
{
if (retPs == null)
retPs = assertSet.Copy();
retPs.RemovePermission(i);
}
else
{
// Asserting a permission, part of which is already denied/refused
// cannot compress this assert
bFailedToCompress = true;
return assertSet;
}
}
}
catch (ArgumentException)
{
// Any exception during removing a refused set from assert set => we play it safe and not assert that perm
if (retPs == null)
retPs = assertSet.Copy();
retPs.RemovePermission(i);
}
}
}
}
if (retPs != null)
return retPs;
return assertSet;
}
private static byte[] CreateSerialized(object[] attrs, bool serialize, ref byte[] nonCasBlob, out PermissionSet casPset, HostProtectionResource fullTrustOnlyResources, bool allowEmptyPermissionSets)
{
casPset = null;
PermissionSet nonCasPset = null;
for (int i = 0; i < attrs.Length; i++)
{
if (attrs[i] is PermissionSetAttribute)
{
PermissionSet permSet = ((PermissionSetAttribute) attrs[i]).CreatePermissionSet();
if (permSet == null)
{
throw new ArgumentException(Environment.GetResourceString("Argument_UnableToGeneratePermissionSet"));
}
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(permSet);
while (internal2.MoveNext())
{
IPermission current = (IPermission) internal2.Current;
MergePermission(current, serialize, ref casPset, ref nonCasPset);
}
if (casPset == null)
{
casPset = new PermissionSet(false);
}
if (permSet.IsUnrestricted())
{
casPset.SetUnrestricted(true);
}
}
else
{
MergePermission(((SecurityAttribute) attrs[i]).CreatePermission(), serialize, ref casPset, ref nonCasPset);
}
}
if (casPset != null)
{
casPset.FilterHostProtectionPermissions(fullTrustOnlyResources, HostProtectionResource.None);
casPset.ContainsNonCodeAccessPermissions();
if (allowEmptyPermissionSets && casPset.IsEmpty())
{
casPset = null;
}
}
if (nonCasPset != null)
{
nonCasPset.FilterHostProtectionPermissions(fullTrustOnlyResources, HostProtectionResource.None);
nonCasPset.ContainsNonCodeAccessPermissions();
if (allowEmptyPermissionSets && nonCasPset.IsEmpty())
{
nonCasPset = null;
}
}
byte[] buffer = null;
nonCasBlob = null;
if (serialize)
{
if (casPset != null)
{
buffer = casPset.EncodeXml();
}
if (nonCasPset != null)
{
nonCasBlob = nonCasPset.EncodeXml();
}
}
return buffer;
}
internal static bool IsIntersectingAssertedPermissions(PermissionSet assertSet1, PermissionSet assertSet2)
{
bool isIntersecting = false;
if (assertSet1 != null && assertSet2 != null)
{
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(assertSet2);
while (enumerator.MoveNext())
{
CodeAccessPermission perm2 = (CodeAccessPermission)enumerator.Current;
int i = enumerator.GetCurrentIndex();
if (perm2 != null)
{
CodeAccessPermission perm1
= (CodeAccessPermission)assertSet1.GetPermission(i);
try
{
if (perm1 != null && !perm1.Equals(perm2))
{
isIntersecting = true; // Same type of permission, but with different flags or something - cannot union them
}
}
catch (ArgumentException)
{
isIntersecting = true; //assume worst case
}
}
}
}
return isIntersecting;
}
private PermissionSet GetCasOnlySet()
{
if (!this.m_ContainsNonCas)
{
return this;
}
if (this.IsUnrestricted())
{
return this;
}
PermissionSet set = new PermissionSet(false);
PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(this);
while (internal2.MoveNext())
{
IPermission current = (IPermission) internal2.Current;
if (current is CodeAccessPermission)
{
set.AddPermission(current);
}
}
set.m_CheckedForNonCas = true;
set.m_ContainsCas = !set.IsEmpty();
set.m_ContainsNonCas = false;
return set;
}
internal bool CheckDeny(PermissionSet deniedSet, out IPermission firstPermThatFailed)
{
firstPermThatFailed = null;
if (deniedSet == null || deniedSet.FastIsEmpty() || this.FastIsEmpty())
return true;
if(this.m_Unrestricted && deniedSet.m_Unrestricted)
return false;
CodeAccessPermission permThis, permThat;
PermissionSetEnumeratorInternal enumThis = new PermissionSetEnumeratorInternal(this);
while (enumThis.MoveNext())
{
permThis = enumThis.Current as CodeAccessPermission;
if(permThis == null || permThis.IsSubsetOf(null))
continue; // ignore non-CAS permissions in the grant set.
if (deniedSet.m_Unrestricted)
{
firstPermThatFailed = permThis;
return false;
}
permThat = (CodeAccessPermission)deniedSet.GetPermission(enumThis.GetCurrentIndex());
if (!permThis.CheckDeny(permThat))
{
firstPermThatFailed = permThis;
return false;
}
}
if(this.m_Unrestricted)
{
PermissionSetEnumeratorInternal enumThat = new PermissionSetEnumeratorInternal(deniedSet);
while (enumThat.MoveNext())
{
if(enumThat.Current is IPermission)
return false;
}
}
return true;
}
// internal helper which takes in the hardcoded permission name to avoid lookup at runtime
// can be called from classes that derive from PermissionSet
internal SecurityElement ToXml(String permName)
{
SecurityElement elTrunk = new SecurityElement("PermissionSet");
elTrunk.AddAttribute( "class", permName );
elTrunk.AddAttribute( "version", "1" );
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(this);
if (m_Unrestricted)
{
elTrunk.AddAttribute(s_str_Unrestricted, "true" );
}
while (enumerator.MoveNext())
{
IPermission perm = (IPermission)enumerator.Current;
if (!m_Unrestricted)
elTrunk.AddChild( perm.ToXml() );
}
return elTrunk;
}
internal PermissionSetEnumerator(PermissionSet permSet)
{
this.enm = new PermissionSetEnumeratorInternal(permSet);
}
private static byte[] CreateSerialized(Object[] attrs, bool serialize, ref byte[] nonCasBlob, out PermissionSet casPset, HostProtectionResource fullTrustOnlyResources)
{
// Create two new (empty) sets.
casPset = null;
PermissionSet nonCasPset = null;
// Most security attributes generate a single permission. The
// PermissionSetAttribute class generates an entire permission set we
// need to merge, however.
for (int i = 0; i < attrs.Length; i++)
{
BCLDebug.Assert(i == 0 || ((SecurityAttribute)attrs[i]).m_action == ((SecurityAttribute)attrs[i - 1]).m_action, "Mixed SecurityActions");
if (attrs[i] is PermissionSetAttribute)
{
PermissionSet pset = ((PermissionSetAttribute)attrs[i]).CreatePermissionSet();
if (pset == null)
throw new ArgumentException( Environment.GetResourceString( "Argument_UnableToGeneratePermissionSet" ) );
PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(pset);
while (enumerator.MoveNext())
{
IPermission perm = (IPermission)enumerator.Current;
MergePermission(perm, serialize, ref casPset, ref nonCasPset);
}
if(casPset == null)
casPset = new PermissionSet(false);
if (pset.IsUnrestricted())
casPset.SetUnrestricted(true);
}
else
{
IPermission perm = ((SecurityAttribute)attrs[i]).CreatePermission();
MergePermission(perm, serialize, ref casPset, ref nonCasPset);
}
}
BCLDebug.Assert(serialize || nonCasPset == null, "We shouldn't separate nonCAS permissions unless fSerialize is true");
// Filter HostProtection permission
if(casPset != null)
{
casPset.FilterHostProtectionPermissions(fullTrustOnlyResources, HostProtectionResource.None);
casPset.ContainsNonCodeAccessPermissions(); // make sure all declarative PermissionSets are checked for non-CAS so we can just check the flag from native code
}
if(nonCasPset != null)
{
nonCasPset.FilterHostProtectionPermissions(fullTrustOnlyResources, HostProtectionResource.None);
nonCasPset.ContainsNonCodeAccessPermissions(); // make sure all declarative PermissionSets are checked for non-CAS so we can just check the flag from native code
}
// Serialize the set(s).
byte[] casBlob = null;
nonCasBlob = null;
if(serialize)
{
if(casPset != null)
casBlob = casPset.EncodeXml();
if(nonCasPset != null)
nonCasBlob = nonCasPset.EncodeXml();
}
return casBlob;
}