public void AddAuditObjectAceAndCommonAce() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, true, 0); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid(), Guid.Empty); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual(2, sacl.Count); CommonAce cace = (CommonAce)sacl [0]; Assert.AreEqual(1, cace.AccessMask); Assert.AreEqual("S-1-5-32-544", cace.SecurityIdentifier.Value); Assert.IsFalse(cace.IsCallback); Assert.IsFalse(cace.IsInherited); ObjectAce oace = (ObjectAce)sacl [1]; Assert.AreEqual(1, oace.AccessMask); Assert.AreEqual("S-1-5-32-544", oace.SecurityIdentifier.Value); Assert.IsFalse(oace.IsCallback); Assert.IsFalse(oace.IsInherited); sacl.AddAudit(AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual(2, sacl.Count); CommonAce cace2 = (CommonAce)sacl [0]; Assert.AreEqual(3, cace2.AccessMask); }
public void AddAuditMergesFlags() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, false, 0); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None); sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual(AuditFlags.Success | AuditFlags.Failure, ace.AuditFlags); }
private static bool TestAddAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; systemAcl.AddAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags); if (systemAcl.Count == rawAcl.Count && systemAcl.BinaryLength == rawAcl.BinaryLength) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) { result = false; } //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } return(result); }
private static bool TestAddAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; systemAcl.AddAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags); if (systemAcl.Count == rawAcl.Count && systemAcl.BinaryLength == rawAcl.BinaryLength) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else result = false; return result; }
public void AddAuditCommonAce() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, false, 0); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual(AuditFlags.Success, ace.AuditFlags); Assert.AreEqual(1, ace.AccessMask); Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value); Assert.IsFalse(ace.IsInherited); }
public void AddAuditCommonAceUsingDSOverload() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, true, 0); sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.NewGuid(), Guid.NewGuid()); Assert.AreEqual(1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual(AuditFlags.Failure, ace.AuditFlags); Assert.AreEqual(1, ace.AccessMask); Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value); Assert.IsFalse(ace.IsInherited); }
void RemoveSpecificBegin(SecurityIdentifier sid, SystemAcl sacl, InheritanceFlags inheritanceFlags) { SecurityIdentifier otherSid = new SecurityIdentifier("BU"); sacl.AddAudit(AuditFlags.Success, sid, 3, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); sacl.RemoveAuditSpecific(AuditFlags.Failure, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); sacl.RemoveAuditSpecific(AuditFlags.Success, otherSid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); Assert.AreEqual(3, ((CommonAce)sacl [0]).AccessMask); sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, inheritanceFlags ^ InheritanceFlags.ContainerInherit, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, non-Container, but InheritanceFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 5, non-Container, but PropagationFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 6, Container, but InheritanceFlags is None, but PropagationFlags is InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 7, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit); }); //Case 8, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit | InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly); }); //Case 9, add one audit ACE to the SystemAcl has no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 10, all the ACEs in the Sacl are non-qualified ACE, no merge Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 11, add Ace to exceed binary length boundary, throw exception Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException systemAcl.AddAudit((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, non-Container, but InheritanceFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 5, non-Container, but PropagationFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 6, Container, but InheritanceFlags is None, but PropagationFlags is InheritOnly Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 7, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit); }); //Case 8, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit | InheritOnly Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly); }); //Case 9, add one audit ACE to the SystemAcl has no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 10, all the ACEs in the Sacl are non-qualified ACE, no merge Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 11, add Ace to exceed binary length boundary, throw exception Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException systemAcl.AddAudit((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }