/// <summary>
/// Gets the security entity value.
/// </summary>
/// <param name="securityEntity">The security entity.</param>
private static string GetSecurityEntityValue(SecurityEntity securityEntity)
{
switch (securityEntity)
{
case SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME:
return "SeAssignPrimaryTokenPrivilege";
case SecurityEntity.SE_AUDIT_NAME:
return "SeAuditPrivilege";
case SecurityEntity.SE_BACKUP_NAME:
return "SeBackupPrivilege";
case SecurityEntity.SE_CHANGE_NOTIFY_NAME:
return "SeChangeNotifyPrivilege";
case SecurityEntity.SE_CREATE_GLOBAL_NAME:
return "SeCreateGlobalPrivilege";
case SecurityEntity.SE_CREATE_PAGEFILE_NAME:
return "SeCreatePagefilePrivilege";
case SecurityEntity.SE_CREATE_PERMANENT_NAME:
return "SeCreatePermanentPrivilege";
case SecurityEntity.SE_CREATE_SYMBOLIC_LINK_NAME:
return "SeCreateSymbolicLinkPrivilege";
case SecurityEntity.SE_CREATE_TOKEN_NAME:
return "SeCreateTokenPrivilege";
case SecurityEntity.SE_DEBUG_NAME:
return "SeDebugPrivilege";
case SecurityEntity.SE_ENABLE_DELEGATION_NAME:
return "SeEnableDelegationPrivilege";
case SecurityEntity.SE_IMPERSONATE_NAME:
return "SeImpersonatePrivilege";
case SecurityEntity.SE_INC_BASE_PRIORITY_NAME:
return "SeIncreaseBasePriorityPrivilege";
case SecurityEntity.SE_INCREASE_QUOTA_NAME:
return "SeIncreaseQuotaPrivilege";
case SecurityEntity.SE_INC_WORKING_SET_NAME:
return "SeIncreaseWorkingSetPrivilege";
case SecurityEntity.SE_LOAD_DRIVER_NAME:
return "SeLoadDriverPrivilege";
case SecurityEntity.SE_LOCK_MEMORY_NAME:
return "SeLockMemoryPrivilege";
case SecurityEntity.SE_MACHINE_ACCOUNT_NAME:
return "SeMachineAccountPrivilege";
case SecurityEntity.SE_MANAGE_VOLUME_NAME:
return "SeManageVolumePrivilege";
case SecurityEntity.SE_PROF_SINGLE_PROCESS_NAME:
return "SeProfileSingleProcessPrivilege";
case SecurityEntity.SE_RELABEL_NAME:
return "SeRelabelPrivilege";
case SecurityEntity.SE_REMOTE_SHUTDOWN_NAME:
return "SeRemoteShutdownPrivilege";
case SecurityEntity.SE_RESTORE_NAME:
return "SeRestorePrivilege";
case SecurityEntity.SE_SECURITY_NAME:
return "SeSecurityPrivilege";
case SecurityEntity.SE_SHUTDOWN_NAME:
return "SeShutdownPrivilege";
case SecurityEntity.SE_SYNC_AGENT_NAME:
return "SeSyncAgentPrivilege";
case SecurityEntity.SE_SYSTEM_ENVIRONMENT_NAME:
return "SeSystemEnvironmentPrivilege";
case SecurityEntity.SE_SYSTEM_PROFILE_NAME:
return "SeSystemProfilePrivilege";
case SecurityEntity.SE_SYSTEMTIME_NAME:
return "SeSystemtimePrivilege";
case SecurityEntity.SE_TAKE_OWNERSHIP_NAME:
return "SeTakeOwnershipPrivilege";
case SecurityEntity.SE_TCB_NAME:
return "SeTcbPrivilege";
case SecurityEntity.SE_TIME_ZONE_NAME:
return "SeTimeZonePrivilege";
case SecurityEntity.SE_TRUSTED_CREDMAN_ACCESS_NAME:
return "SeTrustedCredManAccessPrivilege";
case SecurityEntity.SE_UNDOCK_NAME:
return "SeUndockPrivilege";
default:
throw new ArgumentOutOfRangeException(typeof(SecurityEntity).Name);
}
}
public static void EnablePrivilege(SecurityEntity securityEntity)
{
var securityEntityValue = GetSecurityEntityValue(securityEntity);
try
{
var locallyUniqueIdentifier = new NativeMethods.LUID();
if (NativeMethods.LookupPrivilegeValue(null, securityEntityValue, ref locallyUniqueIdentifier))
{
var TOKEN_PRIVILEGES = new NativeMethods.TOKEN_PRIVILEGES();
TOKEN_PRIVILEGES.PrivilegeCount = 1;
TOKEN_PRIVILEGES.Attributes = NativeMethods.SE_PRIVILEGE_ENABLED;
TOKEN_PRIVILEGES.Luid = locallyUniqueIdentifier;
var tokenHandle = IntPtr.Zero;
try
{
var currentProcess = NativeMethods.GetCurrentProcess();
if (NativeMethods.OpenProcessToken(currentProcess, NativeMethods.TOKEN_ADJUST_PRIVILEGES | NativeMethods.TOKEN_QUERY, out tokenHandle))
{
if (NativeMethods.AdjustTokenPrivileges(tokenHandle, false, ref TOKEN_PRIVILEGES, 1024, IntPtr.Zero, IntPtr.Zero))
{
var lastError = Marshal.GetLastWin32Error();
if (lastError == NativeMethods.ERROR_NOT_ALL_ASSIGNED)
{
var win32Exception = new Win32Exception();
throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception);
}
}
else
{
var win32Exception = new Win32Exception();
throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception);
}
}
else
{
var win32Exception = new Win32Exception();
var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "OpenProcessToken failed. CurrentProcess: {0}", currentProcess.ToInt32());
throw new InvalidOperationException(exceptionMessage, win32Exception);
}
}
finally
{
if (tokenHandle != IntPtr.Zero)
{
NativeMethods.CloseHandle(tokenHandle);
}
}
}
else
{
var win32Exception = new Win32Exception();
var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "LookupPrivilegeValue failed. SecurityEntityValue: {0}", securityEntityValue);
throw new InvalidOperationException(exceptionMessage, win32Exception);
}
}
catch (Exception e)
{
var exceptionMessage = string.Format(CultureInfo.InvariantCulture, "GrandPrivilege failed. SecurityEntity: {0}", securityEntity);
throw new InvalidOperationException(exceptionMessage, e);
}
}
/// <summary>
/// Save SecurityEntries based on entityID
/// </summary>
/// <param name="responseEntity"></param>
private BusinessMessageResponse SaveSecurityPermissionList(SecurityEntity responseEntity)
{
var response = new BusinessMessageResponse();
if (responseEntity.PermissionList != null && responseEntity.PermissionList.Count > 0)
{
try
{
//delete all existing ones first
response = this.DeleteEntitySecurityEntry(new IDRequest(responseEntity.ID));
SaveListRequest<SecurityEntry> request = new SaveListRequest<SecurityEntry>();
request.List = new List<SecurityEntry>();
foreach (SecurityPermission sp in responseEntity.PermissionList)
{
SecurityEntry entry = sp.AssignToEntry();
entry.EntityID = responseEntity.ID;
request.List.Add(entry);
}
response = this.SaveSecurityEntryList(request);
}
catch (Exception ex)
{
return ErrorHandler.Handle<BusinessMessageResponse>(ex);
}
}
return response;
}
private int Authenticate(string username, string password, LoginMode loginMode, int entityType, out SecurityEntity entity)
{
var db = ImardaDatabase.CreateDatabase(Util.GetConnName<SecurityEntity>());
using (IDataReader dr = db.ExecuteDataReader("SPGetSecurityEntityByLoginUserName", username,entityType))
{
if (dr.Read())
{
entity = GetFromData<SecurityEntity>(dr);
//handle loginEnabled
if (!entity.LoginEnabled && loginMode != LoginMode.IAC)
{
_Log.InfoFormat("User {0} is not login enabled", username);
return AuthenticationResult.LoginDisabled;
}
else
{
var req = new SaveRequest<SecurityEntity>(entity);
if (entity.Salt != Guid.Empty)
{
// Check new style password hash
string storedHash = entity.LoginPassword;
string calculatedHash = Convert.ToBase64String(AuthenticationHelper.ComputePasswordHash(entity.Salt, password));
if (storedHash != calculatedHash)
{
return AuthenticationResult.WrongPassword;
}
//else success
}
else
{
// Check old style password hash and upgrade to new style
string saltyPassword = AuthenticationHelper.ComputeHashOldStyle(username, password);
if (entity.LoginPassword != saltyPassword)
{
return AuthenticationResult.WrongPassword;
}
else
{
// upgrade
req.SetFlag("UpdatePassword", true);
entity.LoginPassword = password; // tricky: plain text will be hashed in SaveUserSecurityEntity
// success
}
}
entity.LastLogonDate = DateTime.UtcNow;
SaveUserSecurityEntity(req);
return AuthenticationResult.Success;
}
}
entity = null;
return AuthenticationResult.SecurityEntityNotFound;
}
}
internal PermissionChange(SecurityEntity entity, AceInfo entry) : this(entity, entry.IdentityId,
entry.EntryType,
entry.AllowBits, entry.DenyBits)
{
}
/// <summary>
/// Get SecurityEntries based on entityID
/// </summary>
/// <param name="responseEntity"></param>
private List<SecurityPermission> GetSecurityPermissionList(Guid applicationID, SecurityEntity entity)
{
List<SecurityPermission> permissions = new List<SecurityPermission>();
if (entity != null)
{
GetPermissions(applicationID, entity.ID, ref permissions);
if (entity.ImmediateParentsIds != null)
{
foreach (Guid parentID in entity.ImmediateParentsIds)
{
GetPermissions(applicationID, parentID, ref permissions);
}
}
}
return permissions;
}
/// <summary>
/// Gets the security entity value.
/// </summary>
/// <param name="securityEntity">The security entity.</param>
private static string GetSecurityEntityValue(SecurityEntity securityEntity)
{
switch (securityEntity)
{
case SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME:
return("SeAssignPrimaryTokenPrivilege");
case SecurityEntity.SE_AUDIT_NAME:
return("SeAuditPrivilege");
case SecurityEntity.SE_BACKUP_NAME:
return("SeBackupPrivilege");
case SecurityEntity.SE_CHANGE_NOTIFY_NAME:
return("SeChangeNotifyPrivilege");
case SecurityEntity.SE_CREATE_GLOBAL_NAME:
return("SeCreateGlobalPrivilege");
case SecurityEntity.SE_CREATE_PAGEFILE_NAME:
return("SeCreatePagefilePrivilege");
case SecurityEntity.SE_CREATE_PERMANENT_NAME:
return("SeCreatePermanentPrivilege");
case SecurityEntity.SE_CREATE_SYMBOLIC_LINK_NAME:
return("SeCreateSymbolicLinkPrivilege");
case SecurityEntity.SE_CREATE_TOKEN_NAME:
return("SeCreateTokenPrivilege");
case SecurityEntity.SE_DEBUG_NAME:
return("SeDebugPrivilege");
case SecurityEntity.SE_ENABLE_DELEGATION_NAME:
return("SeEnableDelegationPrivilege");
case SecurityEntity.SE_IMPERSONATE_NAME:
return("SeImpersonatePrivilege");
case SecurityEntity.SE_INC_BASE_PRIORITY_NAME:
return("SeIncreaseBasePriorityPrivilege");
case SecurityEntity.SE_INCREASE_QUOTA_NAME:
return("SeIncreaseQuotaPrivilege");
case SecurityEntity.SE_INC_WORKING_SET_NAME:
return("SeIncreaseWorkingSetPrivilege");
case SecurityEntity.SE_LOAD_DRIVER_NAME:
return("SeLoadDriverPrivilege");
case SecurityEntity.SE_LOCK_MEMORY_NAME:
return("SeLockMemoryPrivilege");
case SecurityEntity.SE_MACHINE_ACCOUNT_NAME:
return("SeMachineAccountPrivilege");
case SecurityEntity.SE_MANAGE_VOLUME_NAME:
return("SeManageVolumePrivilege");
case SecurityEntity.SE_PROF_SINGLE_PROCESS_NAME:
return("SeProfileSingleProcessPrivilege");
case SecurityEntity.SE_RELABEL_NAME:
return("SeRelabelPrivilege");
case SecurityEntity.SE_REMOTE_SHUTDOWN_NAME:
return("SeRemoteShutdownPrivilege");
case SecurityEntity.SE_RESTORE_NAME:
return("SeRestorePrivilege");
case SecurityEntity.SE_SECURITY_NAME:
return("SeSecurityPrivilege");
case SecurityEntity.SE_SHUTDOWN_NAME:
return("SeShutdownPrivilege");
case SecurityEntity.SE_SYNC_AGENT_NAME:
return("SeSyncAgentPrivilege");
case SecurityEntity.SE_SYSTEM_ENVIRONMENT_NAME:
return("SeSystemEnvironmentPrivilege");
case SecurityEntity.SE_SYSTEM_PROFILE_NAME:
return("SeSystemProfilePrivilege");
case SecurityEntity.SE_SYSTEMTIME_NAME:
return("SeSystemtimePrivilege");
case SecurityEntity.SE_TAKE_OWNERSHIP_NAME:
return("SeTakeOwnershipPrivilege");
case SecurityEntity.SE_TCB_NAME:
return("SeTcbPrivilege");
case SecurityEntity.SE_TIME_ZONE_NAME:
return("SeTimeZonePrivilege");
case SecurityEntity.SE_TRUSTED_CREDMAN_ACCESS_NAME:
return("SeTrustedCredManAccessPrivilege");
case SecurityEntity.SE_UNDOCK_NAME:
return("SeUndockPrivilege");
default:
throw new ArgumentOutOfRangeException(typeof(SecurityEntity).Name);
}
}
/// <summary>
/// Initializes a new instance of the <see cref="SecurityViewModel"/> class
/// with a specific <see cref="SecurityRoleInfo"/> instance.
/// </summary>
/// <param name="securityEntity">The <see cref="SecurityEntity"/> instance.</param>
/// <param name="roles">The <see cref="SecurityRoleInfo"/> list.</param>
protected SecurityViewModel(SecurityEntity securityEntity, IEnumerable <SecurityRoleInfo> roles) : this(securityEntity, roles.SelectMany(r => r.Policies))
{
}
public static void EnablePrivilege(SecurityEntity securityEntity)
{
if (!Enum.IsDefined(typeof(SecurityEntity), securityEntity))
{
throw new InvalidEnumArgumentException("securityEntity", (int)securityEntity, typeof(SecurityEntity));
}
var securityEntityValue = GetSecurityEntityValue(securityEntity);
try
{
var locallyUniqueIdentifier = new NativeMethods.LUID();
if (NativeMethods.LookupPrivilegeValue(null, securityEntityValue, ref locallyUniqueIdentifier))
{
var TOKEN_PRIVILEGES = new NativeMethods.TOKEN_PRIVILEGES();
TOKEN_PRIVILEGES.PrivilegeCount = 1;
TOKEN_PRIVILEGES.Attributes = NativeMethods.SE_PRIVILEGE_ENABLED;
TOKEN_PRIVILEGES.Luid = locallyUniqueIdentifier;
var tokenHandle = IntPtr.Zero;
try
{
var currentProcess = NativeMethods.GetCurrentProcess();
if (NativeMethods.OpenProcessToken(currentProcess, NativeMethods.TOKEN_ADJUST_PRIVILEGES | NativeMethods.TOKEN_QUERY, out tokenHandle))
{
if (NativeMethods.AdjustTokenPrivileges(tokenHandle, false,
ref TOKEN_PRIVILEGES,
1024, IntPtr.Zero, IntPtr.Zero))
{
var lastError = Marshal.GetLastWin32Error();
if (lastError == NativeMethods.ERROR_NOT_ALL_ASSIGNED)
{
var win32Exception = new Win32Exception();
throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception);
}
}
else
{
var win32Exception = new Win32Exception();
throw new InvalidOperationException("AdjustTokenPrivileges failed.", win32Exception);
}
}
else
{
var win32Exception = new Win32Exception();
var exceptionMessage = string.Format(CultureInfo.InvariantCulture,
"OpenProcessToken failed. CurrentProcess: {0}",
currentProcess.ToInt32());
throw new InvalidOperationException(exceptionMessage, win32Exception);
}
}
finally
{
if (tokenHandle != IntPtr.Zero)
{
NativeMethods.CloseHandle(tokenHandle);
}
}
}
else
{
var win32Exception = new Win32Exception();
var exceptionMessage = string.Format(CultureInfo.InvariantCulture,
"LookupPrivilegeValue failed. SecurityEntityValue: {0}",
securityEntityValue);
throw new InvalidOperationException(exceptionMessage, win32Exception);
}
}
catch (Exception e)
{
var exceptionMessage = string.Format(CultureInfo.InvariantCulture,
"GrandPrivilege failed. SecurityEntity: {0}",
securityEntityValue);
throw new InvalidOperationException(exceptionMessage, e);
}
}
internal static bool IsInTree(SecurityContext ctx, SecurityEntity descendant, int ancestorId)
{
return(ctx.IsEntityInTree(descendant, ancestorId));
}
internal static bool HasAncestorRelation(SecurityContext ctx, SecurityEntity entity1, SecurityEntity entity2)
{
if (entity1 == null || entity2 == null)
{
return(false);
}
return(ctx.IsEntityInTree(entity2, entity1.Id) ||
ctx.IsEntityInTree(entity1, entity2.Id));
}
internal static bool IsInTree(SecurityContext ctx, int descendantId, int ancestorId)
{
var entities = SecurityEntity.PeekEntities(ctx, descendantId);
return(IsInTree(ctx, entities[0], ancestorId));
}
internal static bool HasAncestorRelation(SecurityContext ctx, int entityId1, int entityId2)
{
var entities = SecurityEntity.PeekEntities(ctx, entityId1, entityId2);
return(HasAncestorRelation(ctx, entities[0], entities[1]));
}
