internal void InplaceUnion(PolicyStatement childPolicy) { if (((this.Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString("Policy_MultipleExclusive")); } if (childPolicy.HasDependentEvidence) { bool flag = this.m_permSet.IsSubsetOf(childPolicy.GetPermissionSetNoCopy()) && !childPolicy.GetPermissionSetNoCopy().IsSubsetOf(this.m_permSet); if (this.HasDependentEvidence || flag) { if (this.m_dependentEvidence == null) { this.m_dependentEvidence = new List <IDelayEvaluatedEvidence>(); } this.m_dependentEvidence.AddRange(childPolicy.DependentEvidence); } } if ((childPolicy.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { this.m_permSet = childPolicy.GetPermissionSetNoCopy(); this.Attributes = childPolicy.Attributes; } else { this.m_permSet.InplaceUnion(childPolicy.GetPermissionSetNoCopy()); this.Attributes |= childPolicy.Attributes; } }
/// <summary> /// Union a child policy statement into this policy statement /// </summary> internal void InplaceUnion(PolicyStatement childPolicy) { BCLDebug.Assert(childPolicy != null, "childPolicy != null"); if (((Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString("Policy_MultipleExclusive")); } // We need to merge together our grant set and attributes. The result of this merge is // dependent upon if we're merging a child marked exclusive or not. If the child is not // exclusive, we need to union in its grant set and or in its attributes. However, if the child // is exclusive then it is the only code group which should have an effect on the resulting // grant set and therefore our grant should be ignored. if ((childPolicy.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { m_permSet = childPolicy.GetPermissionSetNoCopy(); Attributes = childPolicy.Attributes; } else { m_permSet.InplaceUnion(childPolicy.GetPermissionSetNoCopy()); Attributes = Attributes | childPolicy.Attributes; } }
public override PolicyStatement Resolve(Evidence evidence) { if (evidence == null) { throw new ArgumentNullException("evidence"); } if (this.MembershipCondition.Check(evidence)) { PolicyStatement thisPolicy = CalculateAssemblyPolicy(evidence); IEnumerator enumerator = this.Children.GetEnumerator(); while (enumerator.MoveNext()) { PolicyStatement childPolicy = ((CodeGroup)enumerator.Current).Resolve(evidence); if (childPolicy != null) { if (((thisPolicy.Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString("Policy_MultipleExclusive")); } thisPolicy.GetPermissionSetNoCopy().InplaceUnion(childPolicy.GetPermissionSetNoCopy()); thisPolicy.Attributes = thisPolicy.Attributes | childPolicy.Attributes; } } return(thisPolicy); } else { return(null); } }
/// <summary> /// Union a child policy statement into this policy statement /// </summary> internal void InplaceUnion(PolicyStatement childPolicy) { BCLDebug.Assert(childPolicy != null, "childPolicy != null"); if (((Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString("Policy_MultipleExclusive")); } #if FEATURE_CAS_POLICY // If our code group generated a grant set based upon unverified evidence, or it generated a grant // set strictly less than that of a child group based upon unverified evidence, we need to keep // track of any unverified evidence our child group has. if (childPolicy.HasDependentEvidence) { bool childEvidenceNeedsVerification = m_permSet.IsSubsetOf(childPolicy.GetPermissionSetNoCopy()) && !childPolicy.GetPermissionSetNoCopy().IsSubsetOf(m_permSet); if (HasDependentEvidence || childEvidenceNeedsVerification) { if (m_dependentEvidence == null) { m_dependentEvidence = new List <IDelayEvaluatedEvidence>(); } m_dependentEvidence.AddRange(childPolicy.DependentEvidence); } } #endif // We need to merge together our grant set and attributes. The result of this merge is // dependent upon if we're merging a child marked exclusive or not. If the child is not // exclusive, we need to union in its grant set and or in its attributes. However, if the child // is exclusive then it is the only code group which should have an effect on the resulting // grant set and therefore our grant should be ignored. if ((childPolicy.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { m_permSet = childPolicy.GetPermissionSetNoCopy(); Attributes = childPolicy.Attributes; } else { m_permSet.InplaceUnion(childPolicy.GetPermissionSetNoCopy()); Attributes = Attributes | childPolicy.Attributes; } }
/// <include file='doc\FirstMatchCodeGroup.uex' path='docs/doc[@for="FirstMatchCodeGroup.Resolve"]/*' /> public override PolicyStatement Resolve(Evidence evidence) { if (evidence == null) { throw new ArgumentNullException("evidence"); } if (this.MembershipCondition.Check(evidence)) { PolicyStatement childPolicy = null; IEnumerator enumerator = this.Children.GetEnumerator(); while (enumerator.MoveNext()) { childPolicy = ((CodeGroup)enumerator.Current).Resolve(evidence); // If the child has a policy, we are done. if (childPolicy != null) { break; } } PolicyStatement thisPolicy = this.PolicyStatement; if (thisPolicy == null) { return(childPolicy); } else if (childPolicy != null) { // Combine the child and this policy and return it. PolicyStatement combined = new PolicyStatement(); combined.SetPermissionSetNoCopy(thisPolicy.GetPermissionSetNoCopy().Union(childPolicy.GetPermissionSetNoCopy())); // if both this group and matching child group are exclusive we need to throw an exception if (((thisPolicy.Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString("Policy_MultipleExclusive")); } combined.Attributes = thisPolicy.Attributes | childPolicy.Attributes; return(combined); } else { // Otherwise we just copy the this policy. return(this.PolicyStatement); } } else { return(null); } }
[System.Security.SecurityCritical] // auto-generated internal SecurityElement ToXml(PolicyLevel level, String policyClassName) { if (m_membershipCondition == null && m_element != null) { ParseMembershipCondition(); } if (m_children == null) { ParseChildren(); } if (m_policy == null && m_element != null) { ParsePolicy(); } SecurityElement e = new SecurityElement("CodeGroup"); System.Security.Util.XMLUtil.AddClassAttribute(e, this.GetType(), policyClassName); // If you hit this assert then most likely you are trying to change the name of this class. // This is ok as long as you change the hard coded string above and change the assert below. Contract.Assert(this.GetType().FullName.Equals(policyClassName), "Incorrect class name passed in! Was: " + policyClassName + " Should be " + this.GetType().FullName); e.AddAttribute("version", "1"); e.AddChild(m_membershipCondition.ToXml(level)); // Grab the inerts of the policy statement's xml and just stick it // into the code group xml directly. We do this to hide the policy statement from // users in the config file. if (m_policy != null) { PermissionSet permSet = m_policy.GetPermissionSetNoCopy(); NamedPermissionSet namedPermSet = permSet as NamedPermissionSet; if (namedPermSet != null && level != null && level.GetNamedPermissionSetInternal(namedPermSet.Name) != null) { e.AddAttribute("PermissionSetName", namedPermSet.Name); } else { if (!permSet.IsEmpty()) { e.AddChild(permSet.ToXml()); } } if (m_policy.Attributes != PolicyStatementAttribute.Nothing) { e.AddAttribute("Attributes", XMLUtil.BitFieldEnumToString(typeof(PolicyStatementAttribute), m_policy.Attributes)); } } if (m_children.Count > 0) { lock (this) { IEnumerator enumerator = m_children.GetEnumerator(); while (enumerator.MoveNext()) { e.AddChild(((CodeGroup)enumerator.Current).ToXml(level)); } } } if (m_name != null) { e.AddAttribute("Name", SecurityElement.Escape(m_name)); } if (m_description != null) { e.AddAttribute("Description", SecurityElement.Escape(m_description)); } CreateXml(e, level); return(e); }
[System.Security.SecurityCritical] // auto-generated internal PolicyStatement Resolve (Evidence evidence, int count, byte[] serializedEvidence) { if (evidence == null) throw new ArgumentNullException("evidence"); Contract.EndContractBlock(); PolicyStatement policy = null; if (serializedEvidence != null) policy = CheckCache(count, serializedEvidence); if (policy == null) { CheckLoaded(); bool allConst; bool isFullTrust = m_fullTrustAssemblies != null && IsFullTrustAssembly(m_fullTrustAssemblies, evidence); if (isFullTrust) { policy = new PolicyStatement(new PermissionSet(true), PolicyStatementAttribute.Nothing); allConst = true; } else { ArrayList list = GenericResolve(evidence, out allConst); policy = new PolicyStatement(); // This will set the permission set to the empty set. policy.PermissionSet = null; IEnumerator enumerator = list.GetEnumerator(); while (enumerator.MoveNext()) { PolicyStatement ps = ((CodeGroupStackFrame)enumerator.Current).policy; if (ps != null) { policy.GetPermissionSetNoCopy().InplaceUnion(ps.GetPermissionSetNoCopy()); policy.Attributes |= ps.Attributes; // If we find a policy statement that's dependent upon unverified evidence, we // need to mark that as used so that the VM can potentially force verification on // the evidence. if (ps.HasDependentEvidence) { foreach (IDelayEvaluatedEvidence delayEvidence in ps.DependentEvidence) { delayEvidence.MarkUsed(); } } } } } if (allConst) { // We want to store in the cache the evidence that was touched during policy evaluation // rather than the input serialized evidence, since that evidence is optimized for the // standard policy and is not all-inclusive. We need to make sure that any evidence // used to determine the grant set is added to the cache key. Cache(count, evidence.RawSerialize(), policy); } } return policy; }
internal void InplaceUnion(PolicyStatement childPolicy) { if (((this.Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString("Policy_MultipleExclusive")); } if (childPolicy.HasDependentEvidence) { bool flag = this.m_permSet.IsSubsetOf(childPolicy.GetPermissionSetNoCopy()) && !childPolicy.GetPermissionSetNoCopy().IsSubsetOf(this.m_permSet); if (this.HasDependentEvidence || flag) { if (this.m_dependentEvidence == null) { this.m_dependentEvidence = new List<IDelayEvaluatedEvidence>(); } this.m_dependentEvidence.AddRange(childPolicy.DependentEvidence); } } if ((childPolicy.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { this.m_permSet = childPolicy.GetPermissionSetNoCopy(); this.Attributes = childPolicy.Attributes; } else { this.m_permSet.InplaceUnion(childPolicy.GetPermissionSetNoCopy()); this.Attributes |= childPolicy.Attributes; } }
/// <summary> /// Union a child policy statement into this policy statement /// </summary> internal void InplaceUnion(PolicyStatement childPolicy) { BCLDebug.Assert(childPolicy != null, "childPolicy != null"); if (((Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString( "Policy_MultipleExclusive" )); } #if FEATURE_CAS_POLICY // If our code group generated a grant set based upon unverified evidence, or it generated a grant // set strictly less than that of a child group based upon unverified evidence, we need to keep // track of any unverified evidence our child group has. if (childPolicy.HasDependentEvidence) { bool childEvidenceNeedsVerification = m_permSet.IsSubsetOf(childPolicy.GetPermissionSetNoCopy()) && !childPolicy.GetPermissionSetNoCopy().IsSubsetOf(m_permSet); if (HasDependentEvidence || childEvidenceNeedsVerification) { if (m_dependentEvidence == null) { m_dependentEvidence = new List<IDelayEvaluatedEvidence>(); } m_dependentEvidence.AddRange(childPolicy.DependentEvidence); } } #endif // We need to merge together our grant set and attributes. The result of this merge is // dependent upon if we're merging a child marked exclusive or not. If the child is not // exclusive, we need to union in its grant set and or in its attributes. However, if the child // is exclusive then it is the only code group which should have an effect on the resulting // grant set and therefore our grant should be ignored. if ((childPolicy.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { m_permSet = childPolicy.GetPermissionSetNoCopy(); Attributes = childPolicy.Attributes; } else { m_permSet.InplaceUnion(childPolicy.GetPermissionSetNoCopy()); Attributes = Attributes | childPolicy.Attributes; } }
internal PolicyStatement Resolve(Evidence evidence, int count, byte[] serializedEvidence) { if (evidence == null) { throw new ArgumentNullException("evidence"); } PolicyStatement policy = null; if (serializedEvidence != null) { policy = this.CheckCache(count, serializedEvidence); } if (policy == null) { bool flag; this.CheckLoaded(); if ((this.m_fullTrustAssemblies != null) && IsFullTrustAssembly(this.m_fullTrustAssemblies, evidence)) { policy = new PolicyStatement(new PermissionSet(true), PolicyStatementAttribute.Nothing); flag = true; } else { ArrayList list = this.GenericResolve(evidence, out flag); policy = new PolicyStatement { PermissionSet = null }; IEnumerator enumerator = list.GetEnumerator(); while (enumerator.MoveNext()) { PolicyStatement statement2 = ((CodeGroupStackFrame) enumerator.Current).policy; if (statement2 != null) { policy.GetPermissionSetNoCopy().InplaceUnion(statement2.GetPermissionSetNoCopy()); policy.Attributes |= statement2.Attributes; if (statement2.HasDependentEvidence) { foreach (IDelayEvaluatedEvidence evidence2 in statement2.DependentEvidence) { evidence2.MarkUsed(); } } } } } if (flag) { this.Cache(count, evidence.RawSerialize(), policy); } } return policy; }
/// <include file='doc\CodeGroup.uex' path='docs/doc[@for="CodeGroup.ToXml1"]/*' /> public SecurityElement ToXml(PolicyLevel level) { if (m_membershipCondition == null && m_element != null) { ParseMembershipCondition(); } if (m_children == null) { ParseChildren(); } if (m_policy == null && m_element != null) { ParsePolicy(); } SecurityElement e = new SecurityElement("CodeGroup"); System.Security.Util.XMLUtil.AddClassAttribute(e, this.GetType()); e.AddAttribute("version", "1"); e.AddChild(m_membershipCondition.ToXml(level)); // Grab the inerts of the policy statement's xml and just stick it // into the code group xml directly. We do this to hide the policy statement from // users in the config file. if (m_policy != null) { PermissionSet permSet = m_policy.GetPermissionSetNoCopy(); NamedPermissionSet namedPermSet = permSet as NamedPermissionSet; if (namedPermSet != null && level != null && level.GetNamedPermissionSetInternal(namedPermSet.Name) != null) { e.AddAttribute("PermissionSetName", namedPermSet.Name); } else { if (!permSet.IsEmpty()) { e.AddChild(permSet.ToXml()); } } if (m_policy.Attributes != PolicyStatementAttribute.Nothing) { e.AddAttribute("Attributes", XMLUtil.BitFieldEnumToString(typeof(PolicyStatementAttribute), m_policy.Attributes)); } } if (m_children.Count > 0) { lock (this) { IEnumerator enumerator = m_children.GetEnumerator(); while (enumerator.MoveNext()) { e.AddChild(((CodeGroup)enumerator.Current).ToXml(level)); } } } if (m_name != null) { e.AddAttribute("Name", SecurityElement.Escape(m_name)); } if (m_description != null) { e.AddAttribute("Description", SecurityElement.Escape(m_description)); } CreateXml(e, level); return(e); }
/// <summary> /// Union a child policy statement into this policy statement /// </summary> internal void InplaceUnion(PolicyStatement childPolicy) { BCLDebug.Assert(childPolicy != null, "childPolicy != null"); if (((Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString( "Policy_MultipleExclusive" )); } // We need to merge together our grant set and attributes. The result of this merge is // dependent upon if we're merging a child marked exclusive or not. If the child is not // exclusive, we need to union in its grant set and or in its attributes. However, if the child // is exclusive then it is the only code group which should have an effect on the resulting // grant set and therefore our grant should be ignored. if ((childPolicy.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { m_permSet = childPolicy.GetPermissionSetNoCopy(); Attributes = childPolicy.Attributes; } else { m_permSet.InplaceUnion(childPolicy.GetPermissionSetNoCopy()); Attributes = Attributes | childPolicy.Attributes; } }
internal PolicyStatement Resolve (Evidence evidence, int count, char[] serializedEvidence) { if (evidence == null) throw new ArgumentNullException("evidence"); PolicyStatement policy = null; if (serializedEvidence != null) policy = CheckCache(count, serializedEvidence); if (policy == null) { CheckLoaded(); bool allConst; bool isFullTrust = m_fullTrustAssemblies != null && IsFullTrustAssembly(m_fullTrustAssemblies, evidence); if (isFullTrust) { policy = new PolicyStatement(new PermissionSet(true), PolicyStatementAttribute.Nothing); allConst = true; } else { ArrayList list = GenericResolve(evidence, out allConst); policy = new PolicyStatement(); // This will set the permission set to the empty set. policy.PermissionSet = null; IEnumerator enumerator = list.GetEnumerator(); while (enumerator.MoveNext()) { PolicyStatement ps = ((CodeGroupStackFrame)enumerator.Current).policy; if (ps != null) { policy.GetPermissionSetNoCopy().InplaceUnion(ps.GetPermissionSetNoCopy()); policy.Attributes |= ps.Attributes; } } } if (allConst && serializedEvidence != null) Cache(count, serializedEvidence, policy); } return policy; }
private void CombinePolicy( PolicyStatement left, PolicyStatement right ) { #if _DEBUG if (debug) { DEBUG_OUT( "left = \n" + (left == null ? "<null>" : left.ToXml().ToString() ) ); DEBUG_OUT( "right = \n" + (right == null ? "<null>" : right.ToXml().ToString() ) ); } #endif if (right == null) { return; } else { // An exception somewhere in here means that a permission // failed some operation. This simply means that it will be // dropped from the grant set which is safe operation that // can be ignored. try { left.GetPermissionSetNoCopy().InplaceUnion( right.GetPermissionSetNoCopy() ); } catch (Exception) { } left.Attributes = left.Attributes | right.Attributes; } #if _DEBUG if (debug) DEBUG_OUT( "outcome =\n" + left.ToXml().ToString() ); #endif }
/// <include file='doc\NetCodeGroup.uex' path='docs/doc[@for="NetCodeGroup.Resolve"]/*' /> public override PolicyStatement Resolve(Evidence evidence) { if (evidence == null) { throw new ArgumentNullException("evidence"); } if (this.MembershipCondition.Check(evidence)) { PolicyStatement thisPolicy = null; IEnumerator evidenceEnumerator = evidence.GetHostEnumerator(); Site site = null; while (evidenceEnumerator.MoveNext()) { Url url = evidenceEnumerator.Current as Url; if (url != null) { thisPolicy = CalculatePolicy(url.GetURLString().Host, url.GetURLString().Scheme); } else { if (site == null) { site = evidenceEnumerator.Current as Site; } } } if (thisPolicy == null && site != null) { thisPolicy = CalculatePolicy(site.Name, null); } if (thisPolicy == null) { thisPolicy = new PolicyStatement(new PermissionSet(false), PolicyStatementAttribute.Nothing); } IEnumerator enumerator = this.Children.GetEnumerator(); while (enumerator.MoveNext()) { PolicyStatement childPolicy = ((CodeGroup)enumerator.Current).Resolve(evidence); if (childPolicy != null) { if (((thisPolicy.Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive) { throw new PolicyException(Environment.GetResourceString("Policy_MultipleExclusive")); } thisPolicy.GetPermissionSetNoCopy().InplaceUnion(childPolicy.GetPermissionSetNoCopy()); thisPolicy.Attributes = thisPolicy.Attributes | childPolicy.Attributes; } } return(thisPolicy); } else { return(null); } }