public void Resolve_ZoneMembershipCondition_MyComputer()
{
IMembershipCondition mc = new ZoneMembershipCondition(SecurityZone.MyComputer);
PermissionSet pset = new PermissionSet(PermissionState.Unrestricted);
UnionCodeGroup cg = new UnionCodeGroup(mc, new PolicyStatement(pset, PolicyStatementAttribute.LevelFinal));
Evidence e = new Evidence();
e.AddHost(new Zone(SecurityZone.MyComputer));
PolicyStatement result = cg.Resolve(e);
Assert.AreEqual(PolicyStatementAttribute.LevelFinal, result.Attributes, "MyComputer-Attributes");
Assert.AreEqual("LevelFinal", result.AttributeString, "MyComputer-AttributeString");
Assert.IsTrue(result.PermissionSet.IsUnrestricted(), "MyComputer-IsUnrestricted");
Assert.AreEqual(0, result.PermissionSet.Count, "MyComputer-Count");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Internet));
Assert.IsNull(cg.Resolve(e), "Internet");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Intranet));
Assert.IsNull(cg.Resolve(e), "Intranet");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.NoZone));
Assert.IsNull(cg.Resolve(e), "NoZone");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Trusted));
Assert.IsNull(cg.Resolve(e), "Trusted");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Untrusted));
Assert.IsNull(cg.Resolve(e), "Untrusted");
}
public void Resolve_ZoneMembershipCondition_Untrusted()
{
IMembershipCondition mc = new ZoneMembershipCondition(SecurityZone.Untrusted);
PermissionSet pset = new PermissionSet(PermissionState.None);
FileCodeGroup cg = new FileCodeGroup(mc, FileIOPermissionAccess.AllAccess);
Evidence e = new Evidence();
e.AddHost(new Zone(SecurityZone.Untrusted));
PolicyStatement result = cg.Resolve(e);
Assert.AreEqual(PolicyStatementAttribute.Nothing, result.Attributes, "Untrusted-Attributes");
Assert.AreEqual(String.Empty, result.AttributeString, "Untrusted-AttributeString");
Assert.IsFalse(result.PermissionSet.IsUnrestricted(), "Untrusted-IsUnrestricted");
Assert.AreEqual(0, result.PermissionSet.Count, "Untrusted-Count");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Internet));
Assert.IsNull(cg.Resolve(e), "Internet");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Intranet));
Assert.IsNull(cg.Resolve(e), "Intranet");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.MyComputer));
Assert.IsNull(cg.Resolve(e), "MyComputer");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.NoZone));
Assert.IsNull(cg.Resolve(e), "NoZone");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Trusted));
Assert.IsNull(cg.Resolve(e), "Trusted");
}
public void FromXml_Null()
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition(SecurityZone.MyComputer);
zmc.FromXml(null);
}
public void SecurityZone_Invalid()
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition(SecurityZone.MyComputer);
zmc.SecurityZone = (SecurityZone)128;
}
public void SecurityZone_NoZone()
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition(SecurityZone.MyComputer);
zmc.SecurityZone = SecurityZone.NoZone;
}
public void ZoneMembershipCondition_NoZone()
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition(SecurityZone.NoZone);
}
public void ZoneMembershipCondition_Invalid()
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition((SecurityZone)128);
}
public void Resolve_ZoneMembershipCondition_NoZone()
{
IMembershipCondition mc = new ZoneMembershipCondition(SecurityZone.NoZone);
}
}// didMachinePolicyChange
protected override int WizFinish()
{
// This is the main things that the wizard needs to do.
// If mucking with the machine level
//
// 1. Apply appropriate settings to the security zone codegroups.
//
// If mucking with the user level
//
// 1. Change the user policylevel's root codegroup's permission set to Nothing
// 2. Apply appropriate settings to the security zone codegroups
// 3. Copy the entire machine policy into a child codegroup in the user policy
// 4. Skip the top level of the copied policy looking for zone codegroups. Set
// their permission set to nothing, and remove child file and net codegroups.
// 5. Walk through the entire copied policy and remove any exclusive codegroups
// We have some different behavior depending on what type of policy we're after
String sPolicyLevel = IsHomeUser?"Machine":"User";
PolicyLevel pl = Security.GetPolicyLevelFromLabel(sPolicyLevel);
SecurityZone[] sz = new SecurityZone[] {
SecurityZone.MyComputer,
SecurityZone.Intranet,
SecurityZone.Internet,
SecurityZone.Trusted,
SecurityZone.Untrusted
};
m_alNewCodeGroups.Clear();
for (int i = 0; i < 5; i++)
{
// Only do this if we know how to assign a permission set
if (Page2.SecurityLevels[i] != PermissionSetType.UNKNOWN)
{
// Find the Codegroup with the appropriate Membership Condition
CodeGroup cgParent = null;
CodeGroup cg = GetCGWithMembershipCondition(pl.RootCodeGroup, sz[i], out cgParent);
// Remove this codegroup from the heirarchy
if (cg != null)
{
if (cgParent == null)
{
throw new Exception("I should have a parent");
}
cgParent.RemoveChild(cg);
}
// We have to create this Codegroup
if (cg == null)
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition(sz[i]);
cg = new UnionCodeGroup(zmc, new PolicyStatement(new PermissionSet(PermissionState.None)));
// Add a name and description
cg.Name = GetCodegroupName(sz[i]);
m_alNewCodeGroups.Add(cg);
m_pl = pl;
cgParent = pl.RootCodeGroup;
}
// If was an internet or intranet codegroup, we'll need to remove child codegroups of type
// NetCodeGroup or FileCodeGroup
if (cg.PermissionSetName != null && (cg.PermissionSetName.Equals("Internet") || cg.PermissionSetName.Equals("LocalIntranet")))
{
IEnumerator enumCodeGroups = cg.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup group = (CodeGroup)enumCodeGroups.Current;
if (group is NetCodeGroup || group is FileCodeGroup)
{
cg.RemoveChild(group);
}
}
}
// Now give this codegroup the appropriate permission set
PolicyStatement ps = cg.PolicyStatement;
ps.PermissionSet = GetPermissionSetNameFromSecurityLevel(pl, Page2.SecurityLevels[i]);
// Put in the helper codegroups if necessary
if (Page2.SecurityLevels[i] == PermissionSetType.INTRANET)
{
if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
if (!DoesCGHaveCodegroup(cg, typeof(FileCodeGroup)))
{
CodeGroup cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
else if (Page2.SecurityLevels[i] == PermissionSetType.INTERNET)
{
if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
cg.PolicyStatement = ps;
// Now let's build the code group description
String sPermissionSetDes = "";
if (ps.PermissionSet is NamedPermissionSet)
{
sPermissionSetDes += ((NamedPermissionSet)ps.PermissionSet).Description;
}
cg.Description = String.Format(CResourceStore.GetString("CSecurityAdjustmentWizard:CodeGroupDescription"),
cg.PermissionSetName,
GetCodegroupName(sz[i]),
sPermissionSetDes);
// Now add this child back in
cgParent.AddChild(cg);
}
}
// Check to see if this is for the user.
if (!IsHomeUser)
{
// Let's start on our list....
PolicyLevel plUser = Security.GetPolicyLevelFromLabel("User");
// Change the root codegroup's permission set to nothing
CodeGroup cgRoot = plUser.RootCodeGroup;
PolicyStatement ps = cgRoot.PolicyStatement;
ps.PermissionSet = plUser.GetNamedPermissionSet("Nothing");
cgRoot.PolicyStatement = ps;
// Now copy the entire machine level's policy into a child codegroup
// of the user policy
PolicyLevel plMachine = Security.GetPolicyLevelFromLabel("Machine");
CodeGroup cgMachine = plMachine.RootCodeGroup.Copy();
// Change the codegroup's name to something more interesting...
cgMachine.Name = "Wizard_Machine_Policy";
cgMachine.Description = CResourceStore.GetString("CSecurityAdjustmentWizard:CopiedMachinePolicyDes");
// Now skim through the top level looking for Zone codegroups, set
// their permission sets to nothing, and delete any child net and file
// codegroups
IEnumerator enumCodeGroups = cgMachine.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup zoneGroup = (CodeGroup)enumCodeGroups.Current;
if (zoneGroup.MembershipCondition is ZoneMembershipCondition)
{
// Ok, we need to change this codegroup
cgMachine.RemoveChild(zoneGroup);
PolicyStatement zoneps = zoneGroup.PolicyStatement;
zoneps.PermissionSet = plUser.GetNamedPermissionSet("Nothing");
zoneGroup.PolicyStatement = zoneps;
// Now run through its children looking for a file or net codegroup
IEnumerator enumChildCodeGroups = zoneGroup.Children.GetEnumerator();
while (enumChildCodeGroups.MoveNext())
{
CodeGroup zoneChildGroup = (CodeGroup)enumChildCodeGroups.Current;
if (zoneChildGroup is NetCodeGroup || zoneChildGroup is FileCodeGroup)
{
zoneGroup.RemoveChild(zoneChildGroup);
}
}
cgMachine.AddChild(zoneGroup);
}
}
// Now run through the tree and remove any exclusive code groups
// We're best to do this recursively....
if ((cgMachine.PolicyStatement.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive)
{
// Remove the exclusive bit
PolicyStatement psMachine = cgMachine.PolicyStatement;
psMachine.Attributes = psMachine.Attributes & ~PolicyStatementAttribute.Exclusive;
cgMachine.PolicyStatement = psMachine;
}
Security.RemoveExclusiveCodeGroups(cgMachine);
// Now run through the user policy looking for codegroups named
// "Wizard_Machine_Policy" and delete those as well.
enumCodeGroups = cgRoot.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup group = (CodeGroup)enumCodeGroups.Current;
if (group.Name.Equals("Wizard_Machine_Policy"))
{
cgRoot.RemoveChild(group);
}
}
// Add finally this to the root codegroup of the user policy
Security.PrepCodeGroupTree(cgMachine, plMachine, plUser);
cgRoot.AddChild(cgMachine);
plUser.RootCodeGroup = cgRoot;
}
m_fWizardFinished = true;
return(0);
}// WizFinish
