Exemplo n.º 1
	public void AddAudit(AuditFlags auditFlags, SecurityIdentifier sid,
						 int accessMask, InheritanceFlags inheritanceFlags,
						 PropagationFlags propagationFlags,
						 ObjectAceFlags objectFlags, Guid objectType,
						 Guid inheritedObjectType)
				// TODO
 public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
     if (!base.IsDS)
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     base.RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, (AceFlags) ((byte) (GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags))), objectFlags, objectType, inheritedObjectType);
	public void AddAccess(AccessControlType accessType, SecurityIdentifier sid,
						  int accessMask, InheritanceFlags inheritanceFlags,
						  PropagationFlags propagationFlags,
						  ObjectAceFlags objectFlags, Guid objectType,
						  Guid inheritedObjectType)
				// TODO
Exemplo n.º 4
	public bool RemoveAudit(AuditFlags auditFlags, SecurityIdentifier sid,
						    int accessMask, InheritanceFlags inheritanceFlags,
						    PropagationFlags propagationFlags,
						    ObjectAceFlags objectFlags, Guid objectType,
						    Guid inheritedObjectType)
				// TODO
				return false;
 public void RemoveAccessSpecific(AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
     if (!base.IsDS)
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     this.everyOneFullAccessForNullDacl = false;
     base.RemoveQualifiedAcesSpecific(sid, (accessType == AccessControlType.Allow) ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
Exemplo n.º 6
		public bool RemoveAccess (AccessControlType accessType,
					  SecurityIdentifier sid,
					  int accessMask,
					  InheritanceFlags inheritanceFlags,
					  PropagationFlags propagationFlags,
					  ObjectAceFlags objectFlags,
					  Guid objectType,
					  Guid inheritedObjectType)
			throw new NotImplementedException ();
Exemplo n.º 7
		internal ObjectAce (AceType type, AceFlags flags, int accessMask,
		                    SecurityIdentifier sid, ObjectAceFlags objFlags,
		                    Guid objType, Guid inheritedType, byte[] opaque)
			: base(type, flags, opaque)
			AccessMask = accessMask;
			SecurityIdentifier = sid;
			ObjectAceFlags = objFlags;
			ObjectAceType = objType;
			InheritedObjectAceType = inheritedType;
Exemplo n.º 8
		public void AddAudit (AuditFlags auditFlags,
				      SecurityIdentifier sid, int accessMask,
				      InheritanceFlags inheritanceFlags,
				      PropagationFlags propagationFlags,
				      ObjectAceFlags objectFlags,
				      Guid objectType,
				      Guid inheritedObjectType)
			// ObjectAce?
			throw new NotImplementedException ();
Exemplo n.º 9
		public void AddAccess (AccessControlType accessType,
				       SecurityIdentifier sid, int accessMask,
				       InheritanceFlags inheritanceFlags,
				       PropagationFlags propagationFlags,
				       ObjectAceFlags objectFlags,
				       Guid objectType,
				       Guid inheritedObjectType)
			AddAce (GetAceQualifier (accessType), sid, accessMask,
				inheritanceFlags, propagationFlags, AuditFlags.None,
				objectFlags, objectType, inheritedObjectType);
Exemplo n.º 10
 protected static void VerifyObjectAce(ObjectAce ace, AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
     Assert.Equal(aceFlags, ace.AceFlags);
     Assert.Equal(accessMask, ace.AccessMask);
     Assert.Equal(sid, ace.SecurityIdentifier);
     Assert.Equal(opaque, ace.GetOpaque());
     Assert.Equal(qualifier, ace.AceQualifier);
     Assert.Equal(isCallback, ace.IsCallback);
     Assert.Equal(flags, ace.ObjectAceFlags);
     Assert.Equal(type, ace.ObjectAceType);
     Assert.Equal(inheritedType, ace.InheritedObjectAceType);
Exemplo n.º 11
		public void AddAudit (AuditFlags auditFlags,
				      SecurityIdentifier sid, int accessMask,
				      InheritanceFlags inheritanceFlags,
				      PropagationFlags propagationFlags,
				      ObjectAceFlags objectFlags,
				      Guid objectType,
				      Guid inheritedObjectType)
			AddAce (AceQualifier.SystemAudit, sid, accessMask,
				inheritanceFlags, propagationFlags, auditFlags,
				objectFlags, objectType, inheritedObjectType);
Exemplo n.º 12
		public ObjectAce (AceFlags aceFlags, AceQualifier qualifier,
				  int accessMask, SecurityIdentifier sid,
				  ObjectAceFlags flags, Guid type,
				  Guid inheritedType, bool isCallback,
				  byte[] opaque)
			: base (InheritanceFlags.None, PropagationFlags.None, qualifier, isCallback, opaque)
			AceFlags = aceFlags;
			SecurityIdentifier = sid;
			object_ace_flags = flags;
			object_ace_type = type;
			inherited_object_type = inheritedType;
Exemplo n.º 13
		public ObjectAce (AceFlags aceFlags, AceQualifier qualifier,
				  int accessMask, SecurityIdentifier sid,
				  ObjectAceFlags flags, Guid type,
				  Guid inheritedType, bool isCallback,
				  byte[] opaque)
			: base (ConvertType(qualifier, isCallback), aceFlags, opaque)
			AccessMask = accessMask;
			SecurityIdentifier = sid;
			ObjectAceFlags = flags;
			ObjectAceType = type;
			InheritedObjectAceType = inheritedType;
 protected ObjectAccessRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AccessControlType type) : base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, type)
     if (!objectType.Equals(Guid.Empty) && ((accessMask & ObjectAce.AccessMaskWithObjectType) != 0))
         this._objectType = objectType;
         this._objectFlags |= ObjectAceFlags.ObjectAceTypePresent;
         this._objectType = Guid.Empty;
     if (!inheritedObjectType.Equals(Guid.Empty) && ((inheritanceFlags & InheritanceFlags.ContainerInherit) != InheritanceFlags.None))
         this._inheritedObjectType = inheritedObjectType;
         this._objectFlags |= ObjectAceFlags.InheritedObjectAceTypePresent;
         this._inheritedObjectType = Guid.Empty;
Exemplo n.º 15
        public bool RemoveAccess( AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
            // This is valid only for DS Acls 
            if ( !IsDS )
                throw new InvalidOperationException(
                    Environment.GetResourceString( "InvalidOperation_OnlyValidForDS" ));

            CheckAccessType( accessType );
            everyOneFullAccessForNullDacl = false;
            return RemoveQualifiedAces(sid, accessType == AccessControlType.Allow ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags( inheritanceFlags, propagationFlags ), false, objectFlags, objectType, inheritedObjectType );
Exemplo n.º 16
        private static object[] ObjectAce_CreateTestData(int intFlags, int intQualifier, int accessMask, string stringsid, int intObjectAceFlags, string stringType, string stringInheritedType, bool isCallback, int opaqueLength, int offset)
            AceFlags           aceFlags  = (AceFlags)intFlags;
            AceQualifier       qualifier = (AceQualifier)intQualifier;
            SecurityIdentifier sid       = new SecurityIdentifier(stringsid);
            ObjectAceFlags     flags     = (ObjectAceFlags)intObjectAceFlags;
            Guid type          = new Guid(stringType);
            Guid inheritedType = new Guid(stringInheritedType);

            byte[] opaque = new byte[opaqueLength];

            ObjectAce ace = new ObjectAce(aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);

            VerifyObjectAce(ace, aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque);

            byte[] binaryForm = new byte[ace.BinaryLength + offset];
            switch (qualifier)
            case AceQualifier.AccessAllowed:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessAllowedCallbackObject : (byte)AceType.AccessAllowedObject;

            case AceQualifier.AccessDenied:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessDeniedCallbackObject : (byte)AceType.AccessDeniedObject;

            case AceQualifier.SystemAudit:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAuditCallbackObject : (byte)AceType.SystemAuditObject;

            case AceQualifier.SystemAlarm:
                binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAlarmCallbackObject : (byte)AceType.SystemAlarmObject;

            binaryForm[offset + 1] = (byte)aceFlags;
            binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0);
            binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8);

            int baseOffset  = offset + 4;
            int offsetLocal = 0;

                binaryForm[baseOffset + 0] = (byte)(accessMask >> 0);
                binaryForm[baseOffset + 1] = (byte)(accessMask >> 8);
                binaryForm[baseOffset + 2] = (byte)(accessMask >> 16);
                binaryForm[baseOffset + 3] = (byte)(accessMask >> 24);
            offsetLocal += 4;

            binaryForm[baseOffset + offsetLocal + 0] = (byte)(((uint)flags) >> 0);
            binaryForm[baseOffset + offsetLocal + 1] = (byte)(((uint)flags) >> 8);
            binaryForm[baseOffset + offsetLocal + 2] = (byte)(((uint)flags) >> 16);
            binaryForm[baseOffset + offsetLocal + 3] = (byte)(((uint)flags) >> 24);

            offsetLocal += 4;

            if ((flags & ObjectAceFlags.ObjectAceTypePresent) != 0)
                type.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;

            if ((flags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
                inheritedType.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal);
                offsetLocal += 16;

            sid.GetBinaryForm(binaryForm, baseOffset + offsetLocal);
            offsetLocal += sid.BinaryLength;
            opaque.CopyTo(binaryForm, baseOffset + offsetLocal);

            return(new object[] { ace, binaryForm, offset });
Exemplo n.º 17
 /// <summary>从当前 <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> 对象移除指定的审核规则。在指定对象类型或继承的对象类型时,为目录对象的访问控制列表 (ACL) 使用此方法。</summary>
 /// <param name="auditFlags">要移除的审核规则的类型。</param>
 /// <param name="sid">要为其移除审核规则的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param>
 /// <param name="accessMask">要移除的规则的访问掩码。</param>
 /// <param name="inheritanceFlags">指定要移除的规则的继承属性的标志。</param>
 /// <param name="propagationFlags">指定要移除的规则的继承传播属性的标志。</param>
 /// <param name="objectFlags">指定 <paramref name="objectType" /> 和 <paramref name="inheritedObjectType" /> 参数是否包含非 null 值的标志。</param>
 /// <param name="objectType">移除的审核控制规则所应用到的对象的类标识。</param>
 /// <param name="inheritedObjectType">可以继承移除的审核规则的子对象的类标识。</param>
 public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
     if (!this.IsDS)
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     this.RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
Exemplo n.º 18
        internal void RemoveQualifiedAcesSpecific( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
            if ( accessMask == 0 )
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );
            if ( sid == null )
                throw new ArgumentNullException( "sid" );

            for ( int i = 0; i < Count; i++ )
                QualifiedAce ace = _acl[i] as QualifiedAce;

                // Not a qualified ACE - keep going

                if ( ace == null )

                // Only interested in explicit (non-inherited) ACEs

                if (( ace.AceFlags & AceFlags.Inherited ) != 0 )

                // Only interested in ACEs with the specified qualifier

                if ( ace.AceQualifier != qualifier )

                // Only interested in ACEs with the specified SID

                if ( ace.SecurityIdentifier != sid )

                // Only interested in exact ACE flag matches

                if ( ace.AceFlags != flags )

                // Only interested in exact access mask matches

                if ( ace.AccessMask != accessMask )

                if ( IsDS ) 
                    // Incase of object aces, only interested in ACEs which match in their 
                    // objectType and inheritedObjectType

                    if (( ace is ObjectAce ) && ( objectFlags != ObjectAceFlags.None ))
                        // both are object aces, so must match in object type and inherited object type
                        ObjectAce objectAce = ace as ObjectAce;
                        if (( !objectAce.ObjectTypesMatch( objectFlags, objectType ))
                            || ( !objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType ))) 
                    else if (( ace is ObjectAce ) || ( objectFlags != ObjectAceFlags.None ))
                        // one is object ace and the other is not, so no match

                // Got our exact match; now remove it

                i--; // keep the array index honest
Exemplo n.º 19
        protected ObjectAuditRule( IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AuditFlags auditFlags )
            : base( identity, accessMask, isInherited, inheritanceFlags, propagationFlags, auditFlags )
            if (( !objectType.Equals( Guid.Empty )) && (( accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ))
                _objectType = objectType;
                _objectFlags |= ObjectAceFlags.ObjectAceTypePresent;
                _objectType = Guid.Empty;

            if (( !inheritedObjectType.Equals( Guid.Empty )) && ((inheritanceFlags & InheritanceFlags.ContainerInherit ) != 0 ))
                _inheritedObjectType = inheritedObjectType;
                _objectFlags |= ObjectAceFlags.InheritedObjectAceTypePresent;
                _inheritedObjectType = Guid.Empty;
Exemplo n.º 20
        // This method determines whether the object type and inherited object type from the original ace
        // should be retained or not based on access mask and aceflags for a given split 
        private void GetObjectTypesForSplit( ObjectAce originalAce, int accessMask, AceFlags aceFlags, out ObjectAceFlags objectFlags, out Guid objectType, out Guid inheritedObjectType ) 

            objectFlags = 0;
            objectType = Guid.Empty;
            inheritedObjectType = Guid.Empty;

            // We should retain the object type if the access mask for this split contains any bits that refer to object type
            if (( accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) 
                // keep the original ace's object flags and object type
                objectType = originalAce.ObjectAceType;
                objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent;

            // We should retain the inherited object type if the aceflags for this contains inheritance (ContainerInherit)
            if (( aceFlags & AceFlags.ContainerInherit ) != 0 ) 
                // keep the original ace's object flags and object type
                inheritedObjectType = originalAce.InheritedObjectAceType;
                objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent;
Exemplo n.º 21
        internal static bool ParseBinaryForm(byte[] binaryForm, int offset, out AceQualifier qualifier, out int accessMask, out SecurityIdentifier sid, out ObjectAceFlags objectFlags, out Guid objectAceType, out Guid inheritedObjectAceType, out bool isCallback, out byte[] opaque)
            byte[] b = new byte[16];
            GenericAce.VerifyHeader(binaryForm, offset);
            if (binaryForm.Length - offset >= 12 + SecurityIdentifier.MinBinaryLength)
                AceType aceType = (AceType)binaryForm[offset];
                switch (aceType)
                case AceType.AccessAllowedObject:
                case AceType.AccessDeniedObject:
                case AceType.SystemAuditObject:
                case AceType.SystemAlarmObject:
                    isCallback = false;

                case AceType.AccessAllowedCallbackObject:
                case AceType.AccessDeniedCallbackObject:
                case AceType.SystemAuditCallbackObject:
                case AceType.SystemAlarmCallbackObject:
                    isCallback = true;

                    goto label_38;
                if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessAllowedCallbackObject)
                    qualifier = AceQualifier.AccessAllowed;
                else if (aceType == AceType.AccessDeniedObject || aceType == AceType.AccessDeniedCallbackObject)
                    qualifier = AceQualifier.AccessDenied;
                else if (aceType == AceType.SystemAuditObject || aceType == AceType.SystemAuditCallbackObject)
                    qualifier = AceQualifier.SystemAudit;
                else if (aceType == AceType.SystemAlarmObject || aceType == AceType.SystemAlarmCallbackObject)
                    qualifier = AceQualifier.SystemAlarm;
                    goto label_38;
                int num1 = offset + 4;
                int num2 = 0;
                accessMask = (int)binaryForm[num1 + 0] + ((int)binaryForm[num1 + 1] << 8) + ((int)binaryForm[num1 + 2] << 16) + ((int)binaryForm[num1 + 3] << 24);
                int num3 = num2 + 4;
                objectFlags = (ObjectAceFlags)((int)binaryForm[num1 + num3 + 0] + ((int)binaryForm[num1 + num3 + 1] << 8) + ((int)binaryForm[num1 + num3 + 2] << 16) + ((int)binaryForm[num1 + num3 + 3] << 24));
                int num4 = num3 + 4;
                if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
                    for (int index = 0; index < 16; ++index)
                        b[index] = binaryForm[num1 + num4 + index];
                    num4 += 16;
                    for (int index = 0; index < 16; ++index)
                        b[index] = (byte)0;
                objectAceType = new Guid(b);
                if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
                    for (int index = 0; index < 16; ++index)
                        b[index] = binaryForm[num1 + num4 + index];
                    num4 += 16;
                    for (int index = 0; index < 16; ++index)
                        b[index] = (byte)0;
                inheritedObjectAceType = new Guid(b);
                sid    = new SecurityIdentifier(binaryForm, num1 + num4);
                opaque = (byte[])null;
                int num5 = ((int)binaryForm[offset + 3] << 8) + (int)binaryForm[offset + 2];
                if (num5 % 4 == 0)
                    int length = num5 - 4 - 4 - 4 - (int)(byte)sid.BinaryLength;
                    if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None)
                        length -= 16;
                    if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None)
                        length -= 16;
                    if (length > 0)
                        opaque = new byte[length];
                        for (int index = 0; index < length; ++index)
                            opaque[index] = binaryForm[offset + num5 - length + index];
            qualifier              = AceQualifier.AccessAllowed;
            accessMask             = 0;
            sid                    = (SecurityIdentifier)null;
            objectFlags            = ObjectAceFlags.None;
            objectAceType          = Guid.NewGuid();
            inheritedObjectAceType = Guid.NewGuid();
            isCallback             = false;
            opaque                 = (byte[])null;
        public static void RemoveInheritedAces_BasicValidationTestCases()
            bool isContainer = false;
            bool isDS        = false;

            RawAcl           rawAcl           = null;
            DiscretionaryAcl discretionaryAcl = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;

            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;

            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BG";

            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;

            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, no Ace
            revision         = 127;
            capacity         = 1;
            rawAcl           = new RawAcl(revision, capacity);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 3,  non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision   = 127;
            capacity   = 5;
            sid        = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl     = new RawAcl(revision, capacity);
            aceFlag    = AceFlags.InheritanceFlags;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(2, gAce);
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(3, gAce);
            aceQualifier           = AceQualifier.AccessAllowed;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(2, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws <InvalidOperationException>(() =>

            //case 4,  all inherited CommonAce, ObjectAce, CompoundAce, CustomAce
            revision   = 127;
            capacity   = 5;
            sid        = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString();
            rawAcl     = new RawAcl(revision, capacity);
            aceFlag    = AceFlags.InheritanceFlags | AceFlags.Inherited;
            accessMask = 1;

            //Access Allowed CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Dennied CommonAce
            gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())));
            rawAcl.InsertAce(0, gAce);
            aceQualifier           = AceQualifier.AccessAllowed;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 5, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 6, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199  has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215  has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 7, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215  has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 8, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            //215 has all AceFlags except InheritOnly
            aceFlag = (AceFlags)215;
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer      = false;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 9,  1 inherited CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = false;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);


            //case 10, 1 inherited ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer      = true;
            isDS             = true;
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

Exemplo n.º 23
 public bool RemoveAudit(AuditFlags auditFlags, System.Security.Principal.SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
Exemplo n.º 24
 /// <summary>初始化 <see cref="T:System.Security.AccessControl.ObjectAce" /> 类的新实例。</summary>
 /// <param name="aceFlags">新的访问控制项 (ACE) 的继承、继承传播和审核条件。</param>
 /// <param name="qualifier">使用新的 ACE。</param>
 /// <param name="accessMask">ACE 的访问掩码。</param>
 /// <param name="sid">与新的 ACE 关联的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param>
 /// <param name="flags">
 /// <paramref name="type" /> 和 <paramref name="inheritedType" /> 参数是否包含有效的对象 GUID。</param>
 /// <param name="type">一个 GUID,标识新的 ACE 所应用到的对象类型。</param>
 /// <param name="inheritedType">一个 GUID,标识能够继承新的 ACE 的对象类型。</param>
 /// <param name="isCallback">如果新的 ACE 是回调类型的 ACE,则为 true。</param>
 /// <param name="opaque">与新的 ACE 关联的不透明数据。只有回调 ACE 类型才允许不透明数据。此数组的长度一定不能大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</param>
 /// <exception cref="T:System.ArgumentOutOfRangeException">qualifier 参数包含无效的值,或者不透明参数的值的长度大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</exception>
 public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
     : base(ObjectAce.TypeFromQualifier(isCallback, qualifier), aceFlags, accessMask, sid, opaque)
     this._objectFlags            = flags;
     this._objectAceType          = type;
     this._inheritedObjectAceType = inheritedType;
Exemplo n.º 25
 /// <summary>从当前 <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> 对象移除指定的访问控制项 (ACE)。在指定要移除的 ACE 的对象类型或继承的对象类型时,为目录对象的访问控制列表 (ACL) 使用此方法。</summary>
 /// <param name="accessType">要移除的访问控制类型(允许或拒绝)。</param>
 /// <param name="sid">要为其移除 ACE 的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param>
 /// <param name="accessMask">要移除的 ACE 的访问掩码。</param>
 /// <param name="inheritanceFlags">指定要移除的 ACE 的继承属性的标志。</param>
 /// <param name="propagationFlags">指定要移除的 ACE 的继承传播属性的标志。</param>
 /// <param name="objectFlags">指定 <paramref name="objectType" /> 和 <paramref name="inheritedObjectType" /> 参数是否包含非 null 值的标志。</param>
 /// <param name="objectType">移除的 ACE 所应用到的对象的类标识。</param>
 /// <param name="inheritedObjectType">可以继承移除的 ACE 的子对象的类标识。</param>
 public void RemoveAccessSpecific(AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
     if (!this.IsDS)
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     this.everyOneFullAccessForNullDacl = false;
     this.RemoveQualifiedAcesSpecific(sid, accessType == AccessControlType.Allow ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
Exemplo n.º 26
 public void SetAudit(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
     if (!base.IsDS)
         throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS"));
     base.CheckFlags(inheritanceFlags, propagationFlags);
     base.SetQualifiedAce(sid, AceQualifier.SystemAudit, accessMask, (AceFlags)((byte)(GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags))), objectFlags, objectType, inheritedObjectType);
Exemplo n.º 27
 public void SetAudit(AuditFlags auditFlags, System.Security.Principal.SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
Exemplo n.º 28
        // This method checks if the inheritedObjectType matches with the specified inherited object type
        // (Either both do not have an inherited object type or they have the same inherited object type)
        internal bool InheritedObjectTypesMatch(ObjectAceFlags objectFlags, Guid inheritedObjectType)
            if ((ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
                return false;

            if (((ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0) &&
                return false;

            return true;
 public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque);
Exemplo n.º 30
        // Called by GenericAce.CreateFromBinaryForm to parse the binary form
        // of the object ACE and extract the useful pieces

        internal static bool ParseBinaryForm(
            byte[] binaryForm,
            int offset,
            out AceQualifier qualifier,
            out int accessMask,
            out SecurityIdentifier sid,
            out ObjectAceFlags objectFlags,
            out Guid objectAceType,
            out Guid inheritedObjectAceType,
            out bool isCallback,
            out byte[] opaque)
            byte[] guidArray = new byte[GuidLength];

            // Verify the ACE header

            VerifyHeader(binaryForm, offset);

            // Verify the length field

            if (binaryForm.Length - offset < HeaderLength + AccessMaskLength + ObjectFlagsLength + SecurityIdentifier.MinBinaryLength)
                goto InvalidParameter;

            // Identify callback ACE types

            AceType type = (AceType)binaryForm[offset];

            if (type == AceType.AccessAllowedObject ||
                type == AceType.AccessDeniedObject ||
                type == AceType.SystemAuditObject ||
                type == AceType.SystemAlarmObject)
                isCallback = false;
            else if (type == AceType.AccessAllowedCallbackObject ||
                type == AceType.AccessDeniedCallbackObject ||
                type == AceType.SystemAuditCallbackObject ||
                type == AceType.SystemAlarmCallbackObject)
                isCallback = true;
                goto InvalidParameter;

            // Compute the qualifier from the ACE type

            if (type == AceType.AccessAllowedObject ||
                type == AceType.AccessAllowedCallbackObject)
                qualifier = AceQualifier.AccessAllowed;
            else if (type == AceType.AccessDeniedObject ||
                type == AceType.AccessDeniedCallbackObject)
                qualifier = AceQualifier.AccessDenied;
            else if (type == AceType.SystemAuditObject ||
                type == AceType.SystemAuditCallbackObject)
                qualifier = AceQualifier.SystemAudit;
            else if (type == AceType.SystemAlarmObject ||
                type == AceType.SystemAlarmCallbackObject)
                qualifier = AceQualifier.SystemAlarm;
                goto InvalidParameter;

            int baseOffset = offset + HeaderLength;
            int offsetLocal = 0;

            accessMask =
                (((uint)binaryForm[baseOffset + 0]) << 0) +
                (((uint)binaryForm[baseOffset + 1]) << 8) +
                (((uint)binaryForm[baseOffset + 2]) << 16) +
                (((uint)binaryForm[baseOffset + 3]) << 24));

            offsetLocal += AccessMaskLength;

            objectFlags =
                (((uint)binaryForm[baseOffset + offsetLocal + 0]) << 0) +
                (((uint)binaryForm[baseOffset + offsetLocal + 1]) << 8) +
                (((uint)binaryForm[baseOffset + offsetLocal + 2]) << 16) +
                (((uint)binaryForm[baseOffset + offsetLocal + 3]) << 24));

            offsetLocal += ObjectFlagsLength;

            if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != 0)
                for (int i = 0; i < GuidLength; i++)
                    guidArray[i] = binaryForm[baseOffset + offsetLocal + i];

                offsetLocal += GuidLength;
                for (int i = 0; i < GuidLength; i++)
                    guidArray[i] = 0;

            objectAceType = new Guid(guidArray);

            if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
                for (int i = 0; i < GuidLength; i++)
                    guidArray[i] = binaryForm[baseOffset + offsetLocal + i];

                offsetLocal += GuidLength;
                for (int i = 0; i < GuidLength; i++)
                    guidArray[i] = 0;

            inheritedObjectAceType = new Guid(guidArray);

            sid = new SecurityIdentifier(binaryForm, baseOffset + offsetLocal);

            opaque = null;

            int aceLength = (binaryForm[offset + 3] << 8) + (binaryForm[offset + 2] << 0);

            if (aceLength % 4 != 0)
                goto InvalidParameter;

            int opaqueLength = (aceLength - HeaderLength - AccessMaskLength - ObjectFlagsLength - (byte)sid.BinaryLength);

            if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != 0)
                opaqueLength -= GuidLength;

            if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0)
                opaqueLength -= GuidLength;

            if (opaqueLength > 0)
                opaque = new byte[opaqueLength];

                for (int i = 0; i < opaqueLength; i++)
                    opaque[i] = binaryForm[offset + aceLength - opaqueLength + i];

            return true;


            qualifier = 0;
            accessMask = 0;
            sid = null;
            objectFlags = 0;
            objectAceType = Guid.NewGuid();
            inheritedObjectAceType = Guid.NewGuid();
            isCallback = false;
            opaque = null;

            return false;
        public static void BasicValidationTestCases()
            bool isContainer = false;
            bool isDS        = false;

            RawAcl    rawAcl    = null;
            SystemAcl systemAcl = null;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;
            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, no Ace

            revision    = 127;
            capacity    = 1;
            rawAcl      = new RawAcl(revision, capacity);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 2, only have explicit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 3, only have one inherit Ace
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 4, have one explicit Ace and one inherited Ace
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //199 has all AceFlags except InheritOnly and Inherited
            gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(1, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 5, have two inherited Aces
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            //215 has all AceFlags except InheritOnly
            gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
            rawAcl.InsertAce(0, gAce);
            sid = "BA";
            //16 has Inherited
            gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 6, 1 inherited CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            isContainer = false;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);


            //case 7,  1 inherited CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType,
                                              new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = false;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);

            //case 8, 1 inherited ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.SystemAudit;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            isContainer = true;
            isDS        = true;
            systemAcl   = new SystemAcl(isContainer, isDS, rawAcl);
Exemplo n.º 32
 private static bool ObjectTypeMatches(ObjectAceFlags flg1, Guid objType1, Guid inhObjType1, ObjectAceFlags flg2, Guid objType2, Guid inhObjType2)
     return(((flg1 & flg2) != ObjectAceFlags.None || (flg1 == ObjectAceFlags.None && flg2 == ObjectAceFlags.None)) && (ObjectAceFlags.ObjectAceTypePresent != (ObjectAceFlags.ObjectAceTypePresent & flg1 & flg2) || !(objType1 != objType2)) && (ObjectAceFlags.InheritedObjectAceTypePresent != (ObjectAceFlags.InheritedObjectAceTypePresent & flg1 & flg2) || !(inhObjType1 != inhObjType2)));
Exemplo n.º 33
        private bool GetInheritanceFlagsForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags )
            if ((( ace.AceFlags & AceFlags.ContainerInherit ) != 0 )  && (( aceFlags & AceFlags.ContainerInherit ) != 0 ))

                // If the aces have inheritance bits in common 
                // then we follow these rules:
                //       Remove    No IOT    IOT = A        IOT = B
                // Existing
                //   No IOT          Remove   Invalid        Invalid
                //   IOT = A        Remove   Remove      Nothing Common
                if ( ace is ObjectAce )
                    bool commonInheritanceFlagsExist = true;
                    ObjectAce objectAce = ace as ObjectAce;

                    // if what we are trying to remove has an inherited object type 
                    // but the existing ace does not then this is an invalid case
                    if ((( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) && 
                        (( objectAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ))
                        return false;

                    // if what we are trying to remove has no inherited object type or
                    // if inherited object types match then we have common inheritance flags                     
                    commonInheritanceFlagsExist = (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ) ||
                                                                       objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType );
                    if ( !commonInheritanceFlagsExist ) 
                        aceFlags &= ~AceFlags.InheritanceFlags;
                else if (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) 
                    // the existing ace is a common ace and the one we're removing 
                    // refers to a specific child type so this is invalid
                    return false;

            return true;

        public static void BasicValidationTestCases()
            RawAcl rawAcl = null;

            byte[] binaryForm = null;
            int    offset     = 0;

            GenericAce gAce     = null;
            byte       revision = 0;
            int        capacity = 0;
            //CustomAce constructor parameters
            AceType  aceType = AceType.AccessAllowed;
            AceFlags aceFlag = AceFlags.None;

            byte[] opaque = null;
            //CompoundAce constructor additional parameters
            int             accessMask      = 0;
            CompoundAceType compoundAceType = CompoundAceType.Impersonation;
            string          sid             = "BA";
            //CommonAce constructor additional parameters
            AceQualifier aceQualifier = 0;
            //ObjectAce constructor additional parameters
            ObjectAceFlags objectAceFlag = 0;
            Guid           objectAceType;
            Guid           inheritedObjectAceType;

            //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce
            revision = 0;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce
            revision = 255;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            gAce     = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 3, a valid binary representation with revision 127, 1 CustomAce
            revision = 127;
            capacity = 1;
            rawAcl   = new RawAcl(revision, capacity);
            aceType  = AceType.MaxDefinedAceType + 1;
            aceFlag  = (AceFlags)223; //all flags ored together
            opaque   = null;
            gAce     = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 4, a valid binary representation with revision 1, 1 CompoundAce
            revision        = 127;
            capacity        = 1;
            rawAcl          = new RawAcl(revision, capacity);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 5, a valid binary representation with revision 1, 1 ObjectAce
            revision               = 127;
            capacity               = 1;
            rawAcl                 = new RawAcl(revision, capacity);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength));

            //case 6, a valid binary representation with revision 1, no Ace
            revision   = 127;
            capacity   = 1;
            rawAcl     = new RawAcl(revision, capacity);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength));

            //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5
            revision = 127;
            capacity = 5;
            rawAcl   = new RawAcl(revision, capacity);
            //SystemAudit CommonAce
            gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            //Access Allowed CommonAce
            gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(0, gAce);
            aceType = AceType.MaxDefinedAceType + 1;
            aceFlag = (AceFlags)223; //all flags ored together
            opaque  = null;
            gAce    = new CustomAce(aceType, aceFlag, opaque);
            rawAcl.InsertAce(0, gAce);
            aceFlag         = (AceFlags)223; //all flags ored together
            accessMask      = 1;
            compoundAceType = CompoundAceType.Impersonation;
            gAce            = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
            rawAcl.InsertAce(0, gAce);
            aceFlag                = (AceFlags)223; //all flags ored together
            aceQualifier           = AceQualifier.AccessAllowed;
            accessMask             = 1;
            objectAceFlag          = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
            objectAceType          = new Guid("11111111-1111-1111-1111-111111111111");
            inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
            gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
            rawAcl.InsertAce(0, gAce);
            binaryForm = new byte[rawAcl.BinaryLength];
            rawAcl.GetBinaryForm(binaryForm, 0);
            Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength));
Exemplo n.º 35
        // Helper function behind all the SetXXX methods

        internal void SetQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
            if ( sid == null )
                throw new ArgumentNullException( "sid" );

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );

            if ( accessMask == 0 )
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );

            GenericAce newAce;

            if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
                newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
                newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );

            // Make sure the new ACE wouldn't be meaningless before proceeding

            if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))

            for ( int i = 0; i < Count; i++ )
                QualifiedAce ace = _acl[i] as QualifiedAce;

                // Not a qualified ACE - keep going

                if ( ace == null )

                // Only interested in explicit (non-inherited) ACEs

                if (( ace.AceFlags & AceFlags.Inherited ) != 0 )

                // Only interested in ACEs with the specified qualifier

                if ( ace.AceQualifier != qualifier )

                // Only interested in ACEs with the specified SID

                if ( ace.SecurityIdentifier != sid )

                // This ACE corresponds to the SID and qualifier in question - remove it

                _acl.RemoveAce( i );

            // As a final step, add the ACE we want.
            // Add it at the end - we'll re-canonicalize later.

            _acl.InsertAce( _acl.Count, newAce );

            // To aid the efficiency of batch operations, recanonicalize this later

            _isDirty = true;
Exemplo n.º 36
        private bool GetAccessMaskForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask )
            if (( ace.AccessMask & accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) 

                // If the aces have access bits in common which refer to object types
                // then we follow these rules:
                //       Remove    No OT    OT = A        OT = B
                // Existing
                //   No OT          Remove   Invalid        Invalid
                //   OT = A        Remove   Remove      Nothing Common
                if ( ace is ObjectAce )
                    bool commonAccessBitsWithObjectTypeExist = true;
                    ObjectAce objectAce = ace as ObjectAce;

                    // if what we are trying to remove has an object type 
                    // but the existing ace does not then this is an invalid case
                    if ((( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) && 
                        (( objectAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
                        return false;

                    // if what we are trying to remove has no object type or
                    // if object types match (since at this point we have ensured that both have object types present) 
                    // then we have common access bits with object type
                    commonAccessBitsWithObjectTypeExist = (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ) ||
                                                                                    objectAce.ObjectTypesMatch( objectFlags, objectType );
                    if ( !commonAccessBitsWithObjectTypeExist ) 
                        accessMask &= ~ObjectAce.AccessMaskWithObjectType;
                else if (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) 
                    // the existing ace is a common ace and the one we're removing 
                    // refers to a specific object type so this is invalid
                    return false;

            return true;

Exemplo n.º 37
        internal void RemoveAceSpecific(AceQualifier aceQualifier,
                                        SecurityIdentifier sid,
                                        int accessMask,
                                        InheritanceFlags inheritanceFlags,
                                        PropagationFlags propagationFlags,
                                        AuditFlags auditFlags,
                                        ObjectAceFlags objectFlags,
                                        Guid objectType,
                                        Guid inheritedObjectType)
            if (!IsDS)
                throw new InvalidOperationException("For this overload, IsDS must be true.");

            if (ObjectAceFlags.None == objectFlags)
                RemoveAceSpecific(aceQualifier, sid, accessMask, inheritanceFlags, propagationFlags, auditFlags);

            RemoveAces <ObjectAce> (ace =>
                if (ace.AccessMask != accessMask)
                if (ace.AceQualifier != aceQualifier)
                if (ace.SecurityIdentifier != sid)
                if (ace.InheritanceFlags != inheritanceFlags)
                if (InheritanceFlags.None != inheritanceFlags)
                    if (ace.PropagationFlags != propagationFlags)
                if (ace.AuditFlags != auditFlags)
                if (ace.ObjectAceFlags != objectFlags)
                if (0 != (objectFlags & ObjectAceFlags.ObjectAceTypePresent))
                    if (ace.ObjectAceType != objectType)
                if (0 != (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
                    if (ace.InheritedObjectAceType != objectType)
Exemplo n.º 38
        // Helper function behind all the AddXXX methods for qualified aces

        internal void AddQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
            if ( sid == null )
                throw new ArgumentNullException( "sid" );


            bool aceMerged = false; // if still false after all attempts to merge, create new entry

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );

            if ( accessMask == 0 )
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );

            GenericAce newAce;

            if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None ))
                newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null );
                newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null );

            // Make sure the new ACE wouldn't be meaningless before proceeding

            if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl )))

            // See if the new ACE can be merged with any of the existing ones

            for ( int i = 0; i < Count; i++ )
                QualifiedAce ace = _acl[i] as QualifiedAce;

                if ( ace == null )

                if ( true == MergeAces( ref ace, newAce as QualifiedAce ))
                    aceMerged = true;

            // Couldn't modify any existing entry, so add a new one

            if ( !aceMerged )
                _acl.InsertAce( _acl.Count, newAce );

                _isDirty = true;
Exemplo n.º 39
 internal bool InheritedObjectTypesMatch(ObjectAceFlags objectFlags, Guid inheritedObjectType)
     return((this.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) && ((this.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None || this.InheritedObjectAceType.Equals(inheritedObjectType)));
Exemplo n.º 40
        // Helper function behind all the RemoveXXX methods

        internal bool RemoveQualifiedAces( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
            if ( accessMask == 0 )
                throw new ArgumentException(
                    Environment.GetResourceString( "Argument_ArgumentZero" ),
                    "accessMask" );

            if ( qualifier == AceQualifier.SystemAudit &&
                (( flags & AceFlags.AuditFlags ) == 0 ))
                throw new ArgumentException(
                    Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ),
                    "flags" );

            if ( sid == null )
                throw new ArgumentNullException( "sid" );

            // Two passes are made.
            // During the first pass, no changes are made to the ACL,
            // the ACEs are simply evaluated to ascertain that the operation
            // can succeed.
            // If everything is kosher, the second pass is the one that makes changes.

            bool evaluationPass = true;
            bool removePossible = true; // unless proven otherwise
            // Needed for DS acls to keep track of the original access mask specified for removal
            int originalAccessMask = accessMask;
            AceFlags originalFlags = flags;

            // It is possible that the removal will result in an overflow exception
            // because more ACEs get inserted.
            // Save the current state of the object and revert to it later if
            // and exception is thrown.

            byte[] recovery = new byte[BinaryLength];
            GetBinaryForm( recovery, 0 );


                for ( int i = 0; i < Count; i++ )
                    QualifiedAce ace = _acl[i] as QualifiedAce;

                    // Not a qualified ACE - keep going

                    if ( ace == null )

                    // Only interested in explicit (non-inherited) ACEs

                    if (( ace.AceFlags & AceFlags.Inherited ) != 0 )

                    // Only interested in ACEs with the specified qualifier

                    if ( ace.AceQualifier != qualifier )

                    // Only interested in ACEs with the specified SID

                    if ( ace.SecurityIdentifier != sid )

                    // If access masks have nothing in common, skip the whole exercise

                    if ( IsDS ) 
                        // incase of directory aces, if the access mask of the 
                        // existing and new ace have any bits in common that need 
                        // an object type, then we need to perform some checks on the
                        // object types in the two aces. Since certain bits are further qualified
                        // by the object type they cannot be determined to be common without 
                        // inspecting the object type. It is possible that the same bits may be set but
                        // the object types are different in which case they are really not common bits.
                        accessMask = originalAccessMask;
                        bool objectTypesConflict = !GetAccessMaskForRemoval( ace, objectFlags, objectType, ref accessMask );

                        // if the access masks have nothing in common, skip
                        if (( ace.AccessMask & accessMask ) == 0 )

                        // incase of directory aces, if the existing and new ace are being inherited, 
                        // then we need to perform some checks on the
                        // inherited object types in the two aces. Since inheritance is further qualified
                        // by the inherited object type the inheritance flags cannot be determined to be common without 
                        // inspecting the inherited object type. It is possible that both aces may be further inherited but if
                        // the inherited object types are different the inheritance may not be common.
                        flags = originalFlags;
                        bool inheritedObjectTypesConflict = !GetInheritanceFlagsForRemoval( ace, objectFlags, inheritedObjectType, ref flags );  

                        if (((( ace.AceFlags & AceFlags.ContainerInherit ) == 0 ) && (( flags & AceFlags.ContainerInherit ) != 0 )  && (( flags & AceFlags.InheritOnly ) != 0 )) ||
                             ((( flags & AceFlags.ContainerInherit ) == 0 ) && (( ace.AceFlags & AceFlags.ContainerInherit ) != 0 )  && (( ace.AceFlags & AceFlags.InheritOnly ) != 0)))
                            // if one ace applies only to self and the other only to children/descendents we have nothing in common
                        // if the ace being removed referred only to child types and child types among existing ace and
                        // ace being removed are not common then there is nothing in common between these aces (skip)
                        if ((( originalFlags & AceFlags.ContainerInherit ) != 0 ) && (( originalFlags & AceFlags.InheritOnly ) != 0 ) && (( flags & AceFlags.ContainerInherit ) == 0 )) 

                        if ( objectTypesConflict || inheritedObjectTypesConflict )
                            // if we reached this stage, then we've found something common between the two aces.
                            // But since there is a conflict between the object types (or inherited object types), the remove is not possible
                            removePossible = false;
                        if (( ace.AccessMask & accessMask ) == 0 )

                    // If audit flags on a SACL have nothing in common,
                    // skip the whole exercise

                    if ( saclSemantics &&
                        (( ace.AceFlags & flags & AceFlags.AuditFlags ) == 0 ))

                    // See if the ACE needs to be split into several
                    // To illustrate with an example, consider this equation:
                    //            From: CI OI    NP SA FA R W
                    //          Remove:    OI IO NP SA    R
                    // PermissionSplit: CI OI    NP SA FA   W   // remove R
                    //   AuditingSplit: CI OI    NP    FA R     // remove SA
                    //      MergeSplit: CI OI    NP SA    R     // ready for merge
                    //          Remove:    OI IO NP SA    R     // same audit and perm flags as merge split
                    //          Result: CI OI    NP SA FA   W   // PermissionSplit
                    //                  CI OI    NP    FA R     // AuditingSplit
                    //                  CI       NP SA    R     // Result of perm removal

                    // Example for DS acls (when removal is possible)
                    // From: CI(Guid) LC CC(Guid)
                    // Remove: CI IO LC
                    // PermissionSplit: CI(Guid) CC(Guid) // Remove GR
                    //        MergeSplit: CI(Guid) LC // Ready for merge
                    //           Remove: CI IO LC // Removal is possible since we are trying to remove inheritance for
                    //                                            all child types when it exists for one specific child type
                    //              Result: CI(Guid) CC(Guid) // PermissionSplit
                    //                         LC // Result of perm removal
                    // Example for DS acls (when removal is NOT possible)
                    // From: CI GR CC(Guid)
                    // Remove: CI(Guid) IO LC
                    // PermissionSplit: CI CC(Guid) // Remove GR
                    //        MergeSplit: CI LC // Ready for merge
                    //           Remove: CI(Guid) IO CC // Removal is not possible since we are trying to remove 
                    //                                                     inheritance for a specific child type when it exists for all child types

                    // Permission split settings
                    AceFlags ps_AceFlags = 0;
                    int ps_AccessMask = 0;
                    ObjectAceFlags ps_ObjectAceFlags = 0;
                    Guid ps_ObjectAceType = Guid.Empty;
                    Guid ps_InheritedObjectAceType = Guid.Empty;

                    // Auditing split makes sense if this is a SACL
                    AceFlags as_AceFlags = 0;
                    int as_AccessMask = 0;
                    ObjectAceFlags as_ObjectAceFlags = 0;
                    Guid as_ObjectAceType = Guid.Empty;
                    Guid as_InheritedObjectAceType = Guid.Empty;

                    // Merge split settings
                    AceFlags ms_AceFlags = 0;
                    int ms_AccessMask = 0;
                    ObjectAceFlags ms_ObjectAceFlags = 0;
                    Guid ms_ObjectAceType = Guid.Empty;
                    Guid ms_InheritedObjectAceType = Guid.Empty;

                    // Merge result settings
                    AceFlags mergeResultFlags = 0;
                    bool mergeRemoveTotal = false;

                    // First compute the permission split

                    ps_AceFlags = ace.AceFlags;
                    unchecked { ps_AccessMask = ace.AccessMask & ~accessMask; }

                    if ( ace is ObjectAce ) 
                        // determine what should be the object/inherited object types on the permission split
                        GetObjectTypesForSplit( ace as ObjectAce, ps_AccessMask /* access mask for this split */, ps_AceFlags /* flags remain the same */, out ps_ObjectAceFlags, out ps_ObjectAceType, out ps_InheritedObjectAceType );
                    // Next, for SACLs only, compute the auditing split

                    if ( saclSemantics )
                        // This operation can set the audit bits region
                        // of ACE flags to zero;
                        // This case will be handled later

                        unchecked { as_AceFlags = ace.AceFlags & ~( flags & AceFlags.AuditFlags ); }

                        // The result of this evaluation is guaranteed
                        // not to be zero by now

                        as_AccessMask = ( ace.AccessMask & accessMask );

                        if ( ace is ObjectAce ) 
                            // determine what should be the object/inherited object types on the audit split
                            GetObjectTypesForSplit( ace as ObjectAce, as_AccessMask /* access mask for this split */, as_AceFlags /* flags remain the same for inheritance */, out as_ObjectAceFlags, out as_ObjectAceType, out as_InheritedObjectAceType );

                    // Finally, compute the merge split

                    ms_AceFlags = ( ace.AceFlags & AceFlags.InheritanceFlags ) | ( flags & ace.AceFlags & AceFlags.AuditFlags );
                    ms_AccessMask = ( ace.AccessMask & accessMask );

                    // Now is the time to obtain the result of applying the remove
                    // operation to the merge split
                    // Skipping this step for SACLs where the merge split step
                    // produced no auditing flags

                    if ( !saclSemantics ||
                        (( ms_AceFlags & AceFlags.AuditFlags ) != 0 ))
                        if ( false == RemoveInheritanceBits( ms_AceFlags, flags, IsDS, out mergeResultFlags, out mergeRemoveTotal ))
                            removePossible = false;

                        if ( !mergeRemoveTotal )
                            mergeResultFlags |= ( ms_AceFlags & AceFlags.AuditFlags );
                            if ( ace is ObjectAce ) 
                                // determine what should be the object/inherited object types on the merge split
                                GetObjectTypesForSplit( ace as ObjectAce, ms_AccessMask /* access mask for this split */, mergeResultFlags /* flags for this split */, out ms_ObjectAceFlags, out ms_ObjectAceType, out ms_InheritedObjectAceType );

                    // If this is no longer an evaluation, go ahead and make the changes

                    if ( !evaluationPass )
                        QualifiedAce newAce;

                        // Modify the existing ACE in-place if it has any access
                        // mask bits left, otherwise simply remove it
                        // However, if for an object ace we are removing the object type 
                        // then we should really remove this ace and add a new one since
                        // we would be changing the size of this ace

                        if ( ps_AccessMask != 0 )
                            if (( ace is ObjectAce ) &&
                                (((( ObjectAce) ace ).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) &&
                                     (( ps_ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ))
                                ObjectAce newObjectAce;

                                newObjectAce = new ObjectAce( ps_AceFlags, qualifier, ps_AccessMask, ace.SecurityIdentifier, ps_ObjectAceFlags, ps_ObjectAceType, ps_InheritedObjectAceType, false, null );
                                _acl.InsertAce( i, newObjectAce );
                                ace.AceFlags = ps_AceFlags;
                                ace.AccessMask = ps_AccessMask;

                                if ( ace is ObjectAce ) 
                                    ObjectAce objectAce = ace as ObjectAce;
                                    objectAce.ObjectAceFlags = ps_ObjectAceFlags;
                                    objectAce.ObjectAceType = ps_ObjectAceType;
                                    objectAce.InheritedObjectAceType = ps_InheritedObjectAceType;
                            i--; // keep the array index honest

                        // On a SACL, the result of the auditing split must be recorded

                        if ( saclSemantics && (( as_AceFlags & AceFlags.AuditFlags ) != 0 ))
                            if ( ace is CommonAce )
                                newAce = new CommonAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, false, null );
                                // object ace
                                newAce = new ObjectAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, as_ObjectAceFlags, as_ObjectAceType, as_InheritedObjectAceType, false, null );

                            i++; // so it's not considered again
                            _acl.InsertAce( i, newAce );

                        // If there are interesting bits left over from a remove, store them
                        // as a separate ACE

                        if ( !mergeRemoveTotal )
                            if ( ace is CommonAce )
                                newAce = new CommonAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, false, null );
                                // object ace
                                newAce = new ObjectAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, ms_ObjectAceFlags, ms_ObjectAceType, ms_InheritedObjectAceType, false, null );

                            i++; // so it's not considered again
                            _acl.InsertAce( i, newAce );
            catch( OverflowException )
                // Oops, overflow means that the ACL became too big.
                // Inform the caller that the remove was not possible.

                _acl.SetBinaryForm( recovery, 0 );
                return false;

            // Finished evaluating the possibility of a remove.
            // If it looks like it's doable, go ahead and do it.

            if ( evaluationPass && removePossible )
                evaluationPass = false;
                goto MakeAnotherPass;


            return removePossible;
        internal void Serialize(BinaryWriter writer)
            byte[] sid_data = Sid.ToArray();
            if (Type == AceType.AllowedCompound)
                MemoryStream stm       = new MemoryStream();
                BinaryWriter sidwriter = new BinaryWriter(stm);
                sid_data = stm.ToArray();

            int total_length = 4 + 4 + sid_data.Length;

            if (ApplicationData != null)
                total_length += ApplicationData.Length;

            // Add a round up to 4 byte alignment.
            int padding = 4 - (total_length % 4);

            if (padding == 4)
                padding = 0;

            total_length += padding;

            ObjectAceFlags flags = ObjectAceFlags.None;

            if (IsObjectAce)
                // For Flags
                total_length += 4;
                if (ObjectType.HasValue)
                    total_length += 16;
                    flags        |= ObjectAceFlags.ObjectTypePresent;
                if (InheritedObjectType.HasValue)
                    total_length += 16;
                    flags        |= ObjectAceFlags.InheritedObjectTypePresent;
            if (total_length > ushort.MaxValue)
                throw new ArgumentOutOfRangeException("Total ACE length greater than maximum");

            writer.Write(MapFromFlags(Type, Flags));
            if (IsObjectAce)
                if (ObjectType.HasValue)
                if (InheritedObjectType.HasValue)
            writer.Write(ApplicationData ?? new byte[0]);
            if (padding != 0)
                writer.Write(new byte[padding]);
Exemplo n.º 42
        public void RemoveAuditSpecific( AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType )
            // This is valid only for DS Acls 
            if ( !IsDS )
                throw new InvalidOperationException(
                    Environment.GetResourceString( "InvalidOperation_OnlyValidForDS" ));

            RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType);
Exemplo n.º 43
        // This method checks if the objectType matches with the specified object type
        // (Either both do not have an object type or they have the same object type)
        internal bool ObjectTypesMatch(ObjectAceFlags objectFlags, Guid objectType)
            if ((ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != (objectFlags & ObjectAceFlags.ObjectAceTypePresent))
                return false;

            if (((ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != 0) &&
                return false;

            return true;
	// Constructors
	public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, System.Security.Principal.SecurityIdentifier sid, ObjectAceFlags flags, System.Guid type, System.Guid inheritedType, bool isCallback, byte[] opaque) {}
Exemplo n.º 45
 protected static void VerifyObjectAce(ObjectAce ace, AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque)
     Assert.Equal(aceFlags, ace.AceFlags);
     Assert.Equal(accessMask, ace.AccessMask);
     Assert.Equal(sid, ace.SecurityIdentifier);
     Assert.Equal(opaque, ace.GetOpaque());
     Assert.Equal(qualifier, ace.AceQualifier);
     Assert.Equal(isCallback, ace.IsCallback);
     Assert.Equal(flags, ace.ObjectAceFlags);
     Assert.Equal(type, ace.ObjectAceType);
     Assert.Equal(inheritedType, ace.InheritedObjectAceType);
 public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType);
Exemplo n.º 47
 /// <summary>Initiates a new instance of the <see cref="T:System.Security.AccessControl.ObjectAce" /> class.</summary>
 /// <param name="aceFlags">The inheritance, inheritance propagation, and auditing conditions for the new Access Control Entry (ACE).</param>
 /// <param name="qualifier">The use of the new ACE.</param>
 /// <param name="accessMask">The access mask for the ACE.</param>
 /// <param name="sid">The <see cref="T:System.Security.Principal.SecurityIdentifier" /> associated with the new ACE.</param>
 /// <param name="flags">Whether the <paramref name="type" /> and <paramref name="inheritedType" /> parameters contain valid object GUIDs.</param>
 /// <param name="type">A GUID that identifies the object type to which the new ACE applies.</param>
 /// <param name="inheritedType">A GUID that identifies the object type that can inherit the new ACE.</param>
 /// <param name="isCallback">true if the new ACE is a callback type ACE.</param>
 /// <param name="opaque">Opaque data associated with the new ACE. This is allowed only for callback ACE types. The length of this array must not be greater than the return value of the <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> method.</param>
 /// <exception cref="T:System.ArgumentOutOfRangeException">The qualifier parameter contains an invalid value or the length of the value of the opaque parameter is greater than the return value of the <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> method.</exception>
 public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque) : base(InheritanceFlags.None, PropagationFlags.None, qualifier, isCallback, opaque)
     base.AceFlags              = aceFlags;
     base.SecurityIdentifier    = sid;
     this.object_ace_flags      = flags;
     this.object_ace_type       = type;
     this.inherited_object_type = inheritedType;