Exemplo n.º 1
0
     // Returns true if OK to return from check, or false if
     // permission-specific information must be checked.
     internal static bool CheckUnrestricted(IUnrestrictedPermission grant, CodeAccessPermission demand)
     {
         // We return true here because we're defining a demand of null to
         // automatically pass.
         if (demand == null)
             return true;
 
         if (demand.GetType() != grant.GetType())
             return false;
         if (grant.IsUnrestricted())
             return true;
         if (((IUnrestrictedPermission)demand).IsUnrestricted())
             throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().FullName), demand.GetType(), demand.ToXml().ToString());
         return false;
     } 
        internal bool CheckDeny(CodeAccessPermission denied)
        {
            BCLDebug.Assert(denied == null || denied.GetType().Equals(this.GetType()), "CheckDeny not defined for permissions of different type");
            IPermission intersectPerm = Intersect(denied);

            return(intersectPerm == null || intersectPerm.IsSubsetOf(null));
        }
Exemplo n.º 3
0
		internal bool CheckAssert (CodeAccessPermission asserted)
		{
			if (asserted == null)
				return false;
			if (asserted.GetType () != this.GetType ())
				return false;
			return IsSubsetOf (asserted);
		}
Exemplo n.º 4
0
		internal bool CheckDemand (CodeAccessPermission target)
		{
			if (target == null)
				return false;
			if (target.GetType () != this.GetType ())
				return false;
			return IsSubsetOf (target);
		}
        internal bool CheckDeny(CodeAccessPermission denied)
        {
            if (denied == null)
            {
                return(true);
            }
            Type type = denied.GetType();

            return(type != base.GetType() || this.Intersect(denied) == null || denied.IsSubsetOf(PermissionBuilder.Create(type)));
        }
 internal bool CheckDemand(CodeAccessPermission target)
 {
     if (target == null)
     {
         return(false);
     }
     if (target.GetType() != this.GetType())
     {
         return(false);
     }
     return(IsSubsetOf(target));
 }
Exemplo n.º 7
0
        //
        // Check callback
        //

        /// <include file='doc\CodeAccessPermission.uex' path='docs/doc[@for="CodeAccessPermission.CheckDemand"]/*' />
        internal void CheckDemand(CodeAccessPermission demand)
        {
            if (demand == null)
            {
                return;
            }

        #if _DEBUG
            if (debug)
            {
                DEBUG_OUT("demand = " + demand.GetType().ToString() + " this = " + this.GetType().ToString());
            }
        #endif

            BCLDebug.Assert(demand.GetType().Equals(this.GetType()), "CheckDemand not defined for permissions of different type");

            if (!demand.IsSubsetOf(this))
            {
                throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
            }
        }
 internal bool CheckAssert(CodeAccessPermission asserted)
 {
     if (asserted == null)
     {
         return(false);
     }
     if (asserted.GetType() != this.GetType())
     {
         return(false);
     }
     return(IsSubsetOf(asserted));
 }
Exemplo n.º 9
0
		internal bool CheckDeny (CodeAccessPermission denied)
		{
			if (denied == null)
				return true;
			Type t = denied.GetType ();
			if (t != this.GetType ())
				return true;
			IPermission inter = Intersect (denied);
			if (inter == null)
				return true;
			// sadly that's not enough :( at this stage we must also check
			// if an empty (PermissionState.None) is a subset of the denied
			// (which is like a empty intersection looks like for flag based
			// permissions, e.g. AspNetHostingPermission).
			return denied.IsSubsetOf (PermissionBuilder.Create (t));
		}
        internal bool CheckDeny(CodeAccessPermission denied)
        {
            if (denied == null)
            {
                return(true);
            }
            Type t = denied.GetType();

            if (t != this.GetType())
            {
                return(true);
            }
            IPermission inter = Intersect(denied);

            if (inter == null)
            {
                return(true);
            }
            // sadly that's not enough :( at this stage we must also check
            // if an empty (PermissionState.None) is a subset of the denied
            // (which is like a empty intersection looks like for flag based
            // permissions, e.g. AspNetHostingPermission).
            return(denied.IsSubsetOf(PermissionBuilder.Create(t)));
        }
 internal bool CheckPermitOnly(CodeAccessPermission target)
 {
     return(target != null && target.GetType() == base.GetType() && this.IsSubsetOf(target));
 }
 internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
 {
     if (this.GetPermitOnly(fDeclarative) != null)
     {
         this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
     }
     if (this.GetDenials(fDeclarative) != null)
     {
         this.GetDenials(fDeclarative).CheckDecoded(demand, permToken);
     }
     if (this.GetAssertions(fDeclarative) != null)
     {
         this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
     }
     bool flag = SecurityManager._SetThreadSecurity(false);
     try
     {
         PermissionSet permitOnly = this.GetPermitOnly(fDeclarative);
         if (permitOnly != null)
         {
             CodeAccessPermission permitted = (CodeAccessPermission) permitOnly.GetPermission(demand);
             if (permitted == null)
             {
                 if (!permitOnly.IsUnrestricted())
                 {
                     throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                 }
             }
             else
             {
                 bool flag2 = true;
                 try
                 {
                     flag2 = !demand.CheckPermitOnly(permitted);
                 }
                 catch (ArgumentException)
                 {
                 }
                 if (flag2)
                 {
                     throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                 }
             }
         }
         permitOnly = this.GetDenials(fDeclarative);
         if (permitOnly != null)
         {
             CodeAccessPermission permission = (CodeAccessPermission) permitOnly.GetPermission(demand);
             if (permitOnly.IsUnrestricted())
             {
                 throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
             }
             bool flag3 = true;
             try
             {
                 flag3 = !demand.CheckDeny(permission);
             }
             catch (ArgumentException)
             {
             }
             if (flag3)
             {
                 throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
             }
         }
         if (this.GetAssertAllPossible())
         {
             return false;
         }
         permitOnly = this.GetAssertions(fDeclarative);
         if (permitOnly != null)
         {
             CodeAccessPermission asserted = (CodeAccessPermission) permitOnly.GetPermission(demand);
             try
             {
                 if (permitOnly.IsUnrestricted() || demand.CheckAssert(asserted))
                 {
                     return false;
                 }
             }
             catch (ArgumentException)
             {
             }
         }
     }
     finally
     {
         if (flag)
         {
             SecurityManager._SetThreadSecurity(true);
         }
     }
     return true;
 }
Exemplo n.º 13
0
        internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
        {
            if (this.GetPermitOnly(fDeclarative) != null)
            {
                this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
            }
            if (this.GetDenials(fDeclarative) != null)
            {
                this.GetDenials(fDeclarative).CheckDecoded(demand, permToken);
            }
            if (this.GetAssertions(fDeclarative) != null)
            {
                this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
            }
            bool flag1 = SecurityManager._SetThreadSecurity(false);

            try
            {
                PermissionSet permitOnly = this.GetPermitOnly(fDeclarative);
                if (permitOnly != null)
                {
                    CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission((IPermission)demand);
                    if (permitted == null)
                    {
                        if (!permitOnly.IsUnrestricted())
                        {
                            throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
                        }
                    }
                    else
                    {
                        bool flag2 = true;
                        try
                        {
                            flag2 = !demand.CheckPermitOnly(permitted);
                        }
                        catch (ArgumentException ex)
                        {
                        }
                        if (flag2)
                        {
                            throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
                        }
                    }
                }
                PermissionSet denials = this.GetDenials(fDeclarative);
                if (denials != null)
                {
                    CodeAccessPermission denied = (CodeAccessPermission)denials.GetPermission((IPermission)demand);
                    if (denials.IsUnrestricted())
                    {
                        throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
                    }
                    bool flag2 = true;
                    try
                    {
                        flag2 = !demand.CheckDeny(denied);
                    }
                    catch (ArgumentException ex)
                    {
                    }
                    if (flag2)
                    {
                        throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
                    }
                }
                if (this.GetAssertAllPossible())
                {
                    return(false);
                }
                PermissionSet assertions = this.GetAssertions(fDeclarative);
                if (assertions != null)
                {
                    CodeAccessPermission asserted = (CodeAccessPermission)assertions.GetPermission((IPermission)demand);
                    try
                    {
                        if (!assertions.IsUnrestricted())
                        {
                            if (!demand.CheckAssert(asserted))
                            {
                                goto label_35;
                            }
                        }
                        return(false);
                    }
                    catch (ArgumentException ex)
                    {
                    }
                }
            }
            finally
            {
                if (flag1)
                {
                    SecurityManager._SetThreadSecurity(true);
                }
            }
label_35:
            return(true);
        }
Exemplo n.º 14
0
        internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, out Exception exception)
        {
            BCLDebug.Assert(demand != null, "demand != null");
            BCLDebug.Assert(permToken != null, "permToken != null");
            
            // First, find if there is a permission list of this type.

            PermissionList permList = FindPermissionList(permToken);
                
            if (permList != null)
            {
                // If so, check against it to determine our action.

                bool cont = permList.CheckDemandInternal(demand, out exception);

                // We don't record modifiers for the unrestricted permission set in the
                // individual lists.  Therefore, permList.CheckDemandInternal may say
                // that we have to continue the stackwalk, but we know better.

                if (cont && permToken.m_isUnrestricted)
                {
                    if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0)
                    {
                        exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
                        return false;
                    }
                    else
                    {
                        cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
                    }
                }

                return cont;
            }
#if _DEBUG
            // Let's check to make sure we always pass demands for empty permissions.

            else if (demand.IsSubsetOf( null ))
            {
                BCLDebug.Assert( false, "We should pick of empty demands before this point" );
                exception = null;
                return true;
            }
#endif
            // If the permission is not unrestricted, the lack of a permission list
            // denotes that no frame on the stack granted this permission, and therefore
            // we pass back the failure condition.

            else if (!permToken.m_isUnrestricted)
            {
                exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
                return false;
            }

            // If this permission list set is not unrestricted and there is no unrestricted assert
            // then the lack of a permission list denotes that no frame on the stack granted
            // this permission, and therefore we pass back the failure condition.  If there is
            // an unrestricted assert, then we pass back success and terminate the stack walk.

            else if (!this.IsUnrestricted())
            {
                exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
                return false;
            }
            
            // If we made it all the way through, that means that we are in the unrestricted
            // state and that this permission is encompassed in that.  If we have an unrestricted
            // assert, we are done with the state walk (return false), otherwise keep going.

            exception = null;
            return (m_state & PermissionListSetState.UnrestrictedAssert) == 0;
        }
 internal bool CheckAssert(CodeAccessPermission asserted)
 {
     Contract.Assert( asserted == null || asserted.GetType().Equals( this.GetType() ), "CheckPermitOnly not defined for permissions of different type" );
     return IsSubsetOf( asserted );
 }
 internal bool CheckDemand(CodeAccessPermission grant)
 {
     Contract.Assert( grant == null || grant.GetType().Equals( this.GetType() ), "CheckDemand not defined for permissions of different type" );
     return IsSubsetOf( grant );
 }
 internal bool CheckPermitOnly(CodeAccessPermission permitted)
 {
     BCLDebug.Assert( permitted == null || permitted.GetType().Equals( this.GetType() ), "CheckPermitOnly not defined for permissions of different type" );
     return IsSubsetOf( permitted );
 }
Exemplo n.º 18
0
        //
        // Check callback
        //
    
        /// <include file='doc\CodeAccessPermission.uex' path='docs/doc[@for="CodeAccessPermission.CheckDemand"]/*' />
        internal void CheckDemand(CodeAccessPermission demand)
        {
            if (demand == null)
                return;
    
	#if _DEBUG	     
			if (debug)
			{
				DEBUG_OUT( "demand = " + demand.GetType().ToString() + " this = " + this.GetType().ToString() );
			}
	#endif

            BCLDebug.Assert( demand.GetType().Equals( this.GetType() ), "CheckDemand not defined for permissions of different type" );
		        
            if (!demand.IsSubsetOf( this ))
                throw new SecurityException( String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ), demand.GetType(), demand.ToXml().ToString() );
        }
Exemplo n.º 19
0
 static private void writePermissionState(CodeAccessPermission p)
 {
     // Write True or False depending on whether the user has the permission
     Console.WriteLine(p.GetType().ToString() + ": " + SecurityManager.IsGranted(p));
 }
Exemplo n.º 20
0
        internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
        {
            if (this.GetPermitOnly(fDeclarative) != null)
            {
                this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
            }
            if (this.GetDenials(fDeclarative) != null)
            {
                this.GetDenials(fDeclarative).CheckDecoded(demand, permToken);
            }
            if (this.GetAssertions(fDeclarative) != null)
            {
                this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
            }
            bool flag = SecurityManager._SetThreadSecurity(false);

            try
            {
                PermissionSet permitOnly = this.GetPermitOnly(fDeclarative);
                if (permitOnly != null)
                {
                    CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission(demand);
                    if (permitted == null)
                    {
                        if (!permitOnly.IsUnrestricted())
                        {
                            throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                        }
                    }
                    else
                    {
                        bool flag2 = true;
                        try
                        {
                            flag2 = !demand.CheckPermitOnly(permitted);
                        }
                        catch (ArgumentException)
                        {
                        }
                        if (flag2)
                        {
                            throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                        }
                    }
                }
                permitOnly = this.GetDenials(fDeclarative);
                if (permitOnly != null)
                {
                    CodeAccessPermission permission = (CodeAccessPermission)permitOnly.GetPermission(demand);
                    if (permitOnly.IsUnrestricted())
                    {
                        throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                    bool flag3 = true;
                    try
                    {
                        flag3 = !demand.CheckDeny(permission);
                    }
                    catch (ArgumentException)
                    {
                    }
                    if (flag3)
                    {
                        throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                }
                if (this.GetAssertAllPossible())
                {
                    return(false);
                }
                permitOnly = this.GetAssertions(fDeclarative);
                if (permitOnly != null)
                {
                    CodeAccessPermission asserted = (CodeAccessPermission)permitOnly.GetPermission(demand);
                    try
                    {
                        if (permitOnly.IsUnrestricted() || demand.CheckAssert(asserted))
                        {
                            return(false);
                        }
                    }
                    catch (ArgumentException)
                    {
                    }
                }
            }
            finally
            {
                if (flag)
                {
                    SecurityManager._SetThreadSecurity(true);
                }
            }
            return(true);
        }
        private static void CheckHelper(PermissionSet grantedSet,
                                        PermissionSet deniedSet,
                                        CodeAccessPermission demand,
                                        PermissionToken permToken)
        {
    #if _DEBUG
            if (debug)
            {
                DEBUG_OUT("Granted: ");
                DEBUG_OUT(grantedSet.ToXml().ToString());
                DEBUG_OUT("Denied: ");
                DEBUG_OUT(deniedSet != null ? deniedSet.ToXml().ToString() : "<null>");
                DEBUG_OUT("Demanded: ");
                DEBUG_OUT(demand.ToString());
            }
    #endif

            if (permToken == null)
            {
                permToken = PermissionToken.GetToken(demand);
            }

            // If PermissionSet is null, then module does not have Permissions... Fail check.

            try
            {
                if (grantedSet == null)
                {
                    throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
                }
                else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission))
                {
                    // If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted
                    // variety, we need to do the proper callback.

                    BCLDebug.Assert(demand != null, "demand != null");

                    // Find the permission of matching type in the permission set.

                    CodeAccessPermission grantedPerm =
                        (CodeAccessPermission)grantedSet.GetPermission(permToken);

                    // If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty)
                    // then throw an exception.

                    if (grantedPerm == null)
                    {
                        if (!demand.IsSubsetOf(null))
                        {
                            throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                        }
                        else
                        {
                            return;
                        }
                    }

                    // Call the check demand for our permission.

                    grantedPerm.CheckDemand(demand);
                }


                // Make the sure the permission is not denied.

                if (deniedSet != null)
                {
                    CodeAccessPermission deniedPerm =
                        (CodeAccessPermission)deniedSet.GetPermission(permToken);
                    if (deniedPerm != null)
                    {
                        if (deniedPerm.Intersect(demand) != null)
                        {
        #if _DEBUG
                            if (debug)
                            {
                                DEBUG_OUT("Permission found in denied set");
                            }
        #endif
                            throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                        }
                    }

                    if (deniedSet.IsUnrestricted() && (demand is IUnrestrictedPermission))
                    {
                        throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                    }
                }
            }
            catch (Exception e)
            {
                // Any exception besides a security exception in this code means that
                // a permission was unable to properly handle what we asked of it.
                // We will define this to mean that the demand failed.

                if (e is SecurityException)
                {
                    throw e;
                }
                else
                {
                    throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                }
            }


            DEBUG_OUT("Check passed");
        }
        private static void CheckTokenBasedSetHelper(bool ignoreGrants,
                                                     TokenBasedSet grants,
                                                     TokenBasedSet denied,
                                                     TokenBasedSet demands)
        {
            if (demands == null)
            {
                return;
            }

            TokenBasedSetEnumerator enumerator = (TokenBasedSetEnumerator)demands.GetEnum();

            while (enumerator.MoveNext())
            {
                CodeAccessPermission demand = (CodeAccessPermission)enumerator.Current;
                int index = enumerator.GetCurrentIndex();

                if (demand != null)
                {
                    try
                    {
                        // Check to make sure the permission was granted, unless we are supposed
                        // to ignore grants.

                        if (!ignoreGrants)
                        {
                            CodeAccessPermission grant
                                = grants != null ? (CodeAccessPermission)grants.GetItem(index) : null;
                            if (grant != null)
                            {
                                grant.CheckDemand(demand);
                            }
                            else
                            {
                                if (!demand.IsSubsetOf(null))
                                {
                                    throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                                }
                            }
                        }

                        // Check to make sure our permission was not denied.

                        if (denied != null)
                        {
                            CodeAccessPermission deny
                                = (CodeAccessPermission)denied.GetItem(index);
                            if (deny != null && deny.Intersect(demand) != null)
                            {
                                throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                            }
                        }
                    }
                    catch (Exception e)
                    {
                        // Any exception besides a security exception in this code means that
                        // a permission was unable to properly handle what we asked of it.
                        // We will define this to mean that the demand failed.

                        if (e is SecurityException)
                        {
                            throw e;
                        }
                        else
                        {
                            throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                        }
                    }
                }
            }
        }
Exemplo n.º 23
0
        private static void CheckHelper(PermissionSet grantedSet,
                                        PermissionSet deniedSet,
                                        CodeAccessPermission demand, 
                                        PermissionToken permToken)
        {
    #if _DEBUG
            if (debug)
            {
                DEBUG_OUT("Granted: ");
                DEBUG_OUT(grantedSet.ToXml().ToString());
                DEBUG_OUT("Denied: ");
                DEBUG_OUT(deniedSet!=null ? deniedSet.ToXml().ToString() : "<null>");
                DEBUG_OUT("Demanded: ");
                DEBUG_OUT(demand.ToString());
            }
    #endif
            
            if (permToken == null)
                permToken = PermissionToken.GetToken(demand);

            // If PermissionSet is null, then module does not have Permissions... Fail check.
            
            try
            {
                if (grantedSet == null)
                {
                    throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
                } 
                else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission))
                {
                    // If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted
                    // variety, we need to do the proper callback.
                
                    BCLDebug.Assert(demand != null,"demand != null");
                    
                    // Find the permission of matching type in the permission set.
                    
                    CodeAccessPermission grantedPerm = 
                                (CodeAccessPermission)grantedSet.GetPermission(permToken);
                                
                    // If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty)
                    // then throw an exception.
                                
                    if (grantedPerm == null)
                    {
                        if (!demand.IsSubsetOf( null ))
                            throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                        else
                            return;
                    }
                    
                    // Call the check demand for our permission.
                    
                    grantedPerm.CheckDemand(demand);
                }
                
                
                // Make the sure the permission is not denied.
    
                if (deniedSet != null)
                {
                    CodeAccessPermission deniedPerm = 
                        (CodeAccessPermission)deniedSet.GetPermission(permToken);
                    if (deniedPerm != null)
                    {
                        if (deniedPerm.Intersect(demand) != null)
                        {
        #if _DEBUG
                            if (debug)
                                DEBUG_OUT( "Permission found in denied set" );
        #endif
                            throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                        }
                    }
                }
            }
            catch (Exception e)
            {
                // Any exception besides a security exception in this code means that
                // a permission was unable to properly handle what we asked of it.
                // We will define this to mean that the demand failed.
                        
                if (e is SecurityException)
                    throw e;
                else
                    throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
            }

            
            DEBUG_OUT( "Check passed" );

        }
Exemplo n.º 24
0
        internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, bool createException, out Exception exception)
        {
            BCLDebug.Assert(demand != null, "demand != null");
            BCLDebug.Assert(permToken != null, "permToken != null");

            // First, find if there is a permission list of this type.

            PermissionList permList = FindPermissionList(permToken);

            if (permList != null)
            {
                // If so, check against it to determine our action.

                bool cont = permList.CheckDemandInternal(demand, createException, out exception);

                // We don't record modifiers for the unrestricted permission set in the
                // individual lists.  Therefore, permList.CheckDemandInternal may say
                // that we have to continue the stackwalk, but we know better.

                if (cont && permToken.m_isUnrestricted)
                {
                    if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0)
                    {
                        if (createException)
                        {
                            exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        }
                        else
                        {
                            exception = GetStaticException();
                        }
                        return(false);
                    }
                    else
                    {
                        cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
                    }
                }

                return(cont);
            }
#if _DEBUG
            // Let's check to make sure we always pass demands for empty permissions.

            else if (demand.IsSubsetOf(null))
            {
                BCLDebug.Assert(false, "We should pick of empty demands before this point");
                exception = null;
                return(true);
            }
#endif
            // If the permission is not unrestricted, the lack of a permission list
            // denotes that no frame on the stack granted this permission, and therefore
            // we pass back the failure condition.

            else if (!permToken.m_isUnrestricted)
            {
                if (createException)
                {
                    exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                }
                else
                {
                    exception = GetStaticException();
                }
                return(false);
            }

            // If this permission list set is not unrestricted and there is no unrestricted assert
            // then the lack of a permission list denotes that no frame on the stack granted
            // this permission, and therefore we pass back the failure condition.  If there is
            // an unrestricted assert, then we pass back success and terminate the stack walk.

            else if (!this.IsUnrestricted())
            {
                if (createException)
                {
                    exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                }
                else
                {
                    exception = GetStaticException();
                }
                return(false);
            }

            // If we made it all the way through, that means that we are in the unrestricted
            // state and that this permission is encompassed in that.  If we have an unrestricted
            // assert, we are done with the state walk (return false), otherwise keep going.

            exception = null;
            return((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
        }
 internal bool CheckDemand(CodeAccessPermission grant)
 {
     BCLDebug.Assert(grant == null || grant.GetType().Equals(this.GetType()), "CheckDemand not defined for permissions of different type");
     return(IsSubsetOf(grant));
 }
Exemplo n.º 26
0
        private static bool CheckTokenBasedSets(TokenBasedSet thisSet, TokenBasedSet permSet, bool unrestricted, PermissionListSetState state, bool createException, out Exception exception, bool bNeedAlteredSet, out TokenBasedSet alteredSet)
        {
            alteredSet = null;

            // If the set is empty, there is no reason to walk the
            // stack.

            if (permSet == null || permSet.FastIsEmpty())
            {
                if (bNeedAlteredSet)
                {
                    alteredSet = new TokenBasedSet(1, 4);
                }
                exception = null;
                return(false);
            }

            int permMaxIndex = permSet.GetMaxUsedIndex();

            // Make a quick check to see if permSet definitely contains permissions that this set doesn't

            if (permMaxIndex > thisSet.GetMaxUsedIndex())
            {
                // The only way we don't want to throw an exception is
                // if we are unrestricted.  Then, if we don't want to throw
                // an exception we may want to terminate the stack walk
                // based on an unrestricted assert.

                if (unrestricted)
                {
                    if (((state & PermissionListSetState.UnrestrictedAssert) != 0))
                    {
                        if (bNeedAlteredSet)
                        {
                            alteredSet = new TokenBasedSet(1, 4);
                        }
                        exception = null;
                        return(false);
                    }
                    else
                    {
                        exception = null;
                        return(true);
                    }
                }
                else
                {
                    if (createException)
                    {
                        exception = new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
                    }
                    else
                    {
                        exception = GetStaticException();
                    }
                    return(false);
                }
            }


            bool continueStackWalk = false;

            // We know that checking to <permMaxIndex> is sufficient because of above check
            for (int i = 0; i <= permMaxIndex; i++)
            {
                Object obj = permSet.GetItem(i);

                if (obj != null)
                {
                    CodeAccessPermission cap = (CodeAccessPermission)obj;

                    PermissionList permList = (PermissionList)thisSet.GetItem(i);

                    if (permList != null)
                    {
                        bool tempContinue = permList.CheckDemandInternal(cap, createException, out exception);

                        if (exception != null)
                        {
                            return(false);
                        }

                        if (tempContinue)
                        {
                            // If we are supposed to continue the stack walk but there is an unrestricted
                            // deny, then we should fail.

                            if (((state & PermissionListSetState.UnrestrictedDeny) != 0) && (cap is IUnrestrictedPermission))
                            {
                                if (createException)
                                {
                                    exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), cap.GetType().AssemblyQualifiedName));
                                }
                                else
                                {
                                    exception = GetStaticException();
                                }
                                return(false);
                            }

                            continueStackWalk = true;
                        }
                        else if (((state & PermissionListSetState.UnrestrictedAssert) == 0) && (cap is IUnrestrictedPermission))
                        {
                            // We only want to build the altered set if we don't have an
                            // unrestricted assert because we know if we have an unrestricted
                            // assert and we don't throw an exception that the stackwalk should
                            // include no unrestricted permissions.

                            if (bNeedAlteredSet)
                            {
                                if (alteredSet == null)
                                {
                                    alteredSet = CopyTokenBasedSet(permSet);
                                }

                                alteredSet.SetItem(i, null);
                            }
                        }
                    }
                    else
                    {
                        if (!unrestricted)
                        {
                            if (createException)
                            {
                                exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), cap.GetType().AssemblyQualifiedName));
                            }
                            else
                            {
                                exception = GetStaticException();
                            }
                            return(false);
                        }
                    }
                }
            }

            exception = null;
            return(continueStackWalk);
        }
 internal bool CheckAssert(CodeAccessPermission asserted)
 {
     BCLDebug.Assert(asserted == null || asserted.GetType().Equals(this.GetType()), "CheckPermitOnly not defined for permissions of different type");
     return(IsSubsetOf(asserted));
 }
Exemplo n.º 28
0
        internal bool CheckDemandInternal(CodeAccessPermission demand, out Exception exception)
        {
            BCLDebug.Assert(m_head != null,"m_head != null");
            for (PListNode pnext = m_head; pnext != null; pnext = pnext.next)
            {
                if (pnext.perm == null)
                {
                    // If this is a grant set or a permit only, then we should fail since null indicates the empty permission.
                    if (pnext.type == MatchChecked || pnext.type == MatchPermitOnly)
                    {
                        BCLDebug.Assert( !demand.IsSubsetOf( null ), "By the time we get here, demands that are subsets of null should have been terminated" );
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return false;
                    }
                    
                    // If this is a deny, then we should fail since null indicates the unrestricted permission.
                    if (pnext.type == MatchDeny)
                    {
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return false;
                    }

                    // If this is an assert, then we should return success and terminate the stack walk since
                    // null indicates the unrestricted permission.
                    if (pnext.type == MatchAssert)
                    {
                        exception = null;
                        return false;
                    }

                    // If this is anything else, then we should act confused.
                    // This case is unexpected.
                    BCLDebug.Assert( false, "This case should never happen" );
                    exception = new InvalidOperationException( Environment.GetResourceString( "InvalidOperation_InvalidState" ) );
                    return false;
                }
                
                CodeAccessPermission cap = pnext.perm;
                switch (pnext.type)
                {
                case MatchChecked:
                case MatchPermitOnly:
                    if (!demand.IsSubsetOf(cap))
                    {
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return false;
                    }
                    break;
                case MatchAssert:
                    if (demand.IsSubsetOf(cap))
                    {
                        exception = null;
                        return false;
                    }
                    break;
                case MatchDeny:
                    if (demand.Intersect(cap) != null)
                    {
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return false;
                    }
                    break;
                default:
                    // Illegal entry
                    exception = new InvalidOperationException( Environment.GetResourceString( "InvalidOperation_InvalidState" ) );
                    return false;
                }
            }

            exception = null;
            return true;
        }
 internal bool CheckDeny(CodeAccessPermission denied)
 {
     Contract.Assert( denied == null || denied.GetType().Equals( this.GetType() ), "CheckDeny not defined for permissions of different type" );
     IPermission intersectPerm = Intersect(denied);
     return (intersectPerm == null || intersectPerm.IsSubsetOf(null));
 }
Exemplo n.º 30
0
 internal bool CheckPermitOnly(CodeAccessPermission permitted)
 {
     Contract.Assert(permitted == null || permitted.GetType().Equals(this.GetType()), "CheckPermitOnly not defined for permissions of different type");
     return(IsSubsetOf(permitted));
 }
Exemplo n.º 31
0
        [System.Security.SecurityCritical]  // auto-generated
        internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
        {
            PermissionSet permSet;
            
            // If the demand is null, there is no need to continue
            Contract.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point");

            // decode imperative
            if (GetPermitOnly(fDeclarative) != null)
                GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
    
            if (GetDenials(fDeclarative) != null)
                GetDenials(fDeclarative).CheckDecoded(demand, permToken);
    
            if (GetAssertions(fDeclarative) != null)
                GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
            
            // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper 
    
            bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);
    
            // Check Reduction
            
            try
            {
                permSet = GetPermitOnly(fDeclarative);
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
            
                    // If the permit only set does not contain the demanded permission, throw a security exception
                    if (perm == null)
                    {
                        if (!permSet.IsUnrestricted())
                            throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                    else
                    {
                        bool bNeedToThrow = true;
    
                        try
                        {
                            bNeedToThrow = !demand.CheckPermitOnly(perm);
                        }
                        catch (ArgumentException)
                        {
                        }
    
                        if (bNeedToThrow)
                            throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                }
            
                // Check Denials
            
                permSet = GetDenials(fDeclarative);
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
                    
                    // If an unrestricted set was denied and the demand implements IUnrestricted
                    if (permSet.IsUnrestricted())
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
    
                    // If the deny set does contain the demanded permission, throw a security exception
                    bool bNeedToThrow = true;
                    try
                    {
                        bNeedToThrow = !demand.CheckDeny(perm);
                    }
                    catch (ArgumentException)
                    {
                    }
                    if (bNeedToThrow)
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                }
    
                if (GetAssertAllPossible())
                {
                    return SecurityRuntime.StackHalt;
                }        
    
                permSet = GetAssertions(fDeclarative);
                // Check Assertions
                if (permSet != null)
                {
            
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
                
                    // If the assert set does contain the demanded permission, halt the stackwalk
            
                    try
                    {
                        if (permSet.IsUnrestricted() || demand.CheckAssert(perm))
                        {
                            return SecurityRuntime.StackHalt;
                        }
                    }
                    catch (ArgumentException)
                    {
                    }
                }
                
            }
            finally
            {
                if (bThreadSecurity)
                    SecurityManager._SetThreadSecurity(true);
            }
            
            return SecurityRuntime.StackContinue;
        }
Exemplo n.º 32
0
        internal bool CheckDemandInternal(CodeAccessPermission demand, out Exception exception)
        {
            BCLDebug.Assert(m_head != null, "m_head != null");
            for (PListNode pnext = m_head; pnext != null; pnext = pnext.next)
            {
                if (pnext.perm == null)
                {
                    // If this is a grant set or a permit only, then we should fail since null indicates the empty permission.
                    if (pnext.type == MatchChecked || pnext.type == MatchPermitOnly)
                    {
                        BCLDebug.Assert(!demand.IsSubsetOf(null), "By the time we get here, demands that are subsets of null should have been terminated");
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return(false);
                    }

                    // If this is a deny, then we should fail since null indicates the unrestricted permission.
                    if (pnext.type == MatchDeny)
                    {
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return(false);
                    }

                    // If this is an assert, then we should return success and terminate the stack walk since
                    // null indicates the unrestricted permission.
                    if (pnext.type == MatchAssert)
                    {
                        exception = null;
                        return(false);
                    }

                    // If this is anything else, then we should act confused.
                    // This case is unexpected.
                    BCLDebug.Assert(false, "This case should never happen");
                    exception = new InvalidOperationException(Environment.GetResourceString("InvalidOperation_InvalidState"));
                    return(false);
                }

                CodeAccessPermission cap = pnext.perm;
                switch (pnext.type)
                {
                case MatchChecked:
                case MatchPermitOnly:
                    if (!demand.IsSubsetOf(cap))
                    {
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return(false);
                    }
                    break;

                case MatchAssert:
                    if (demand.IsSubsetOf(cap))
                    {
                        exception = null;
                        return(false);
                    }
                    break;

                case MatchDeny:
                    if (demand.Intersect(cap) != null)
                    {
                        exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
                        return(false);
                    }
                    break;

                default:
                    // Illegal entry
                    exception = new InvalidOperationException(Environment.GetResourceString("InvalidOperation_InvalidState"));
                    return(false);
                }
            }

            exception = null;
            return(true);
        }
        [System.Security.SecurityCritical]  // auto-generated
        internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
        {
            PermissionSet permSet;

            // If the demand is null, there is no need to continue
            Contract.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point");

            // decode imperative
            if (GetPermitOnly(fDeclarative) != null)
            {
                GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
            }

            if (GetDenials(fDeclarative) != null)
            {
                GetDenials(fDeclarative).CheckDecoded(demand, permToken);
            }

            if (GetAssertions(fDeclarative) != null)
            {
                GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
            }

            // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper

            bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);

            // Check Reduction

            try
            {
                permSet = GetPermitOnly(fDeclarative);
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);

                    // If the permit only set does not contain the demanded permission, throw a security exception
                    if (perm == null)
                    {
                        if (!permSet.IsUnrestricted())
                        {
                            throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                        }
                    }
                    else
                    {
                        bool bNeedToThrow = true;

                        try
                        {
                            bNeedToThrow = !demand.CheckPermitOnly(perm);
                        }
                        catch (ArgumentException)
                        {
                        }

                        if (bNeedToThrow)
                        {
                            throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                        }
                    }
                }

                // Check Denials

                permSet = GetDenials(fDeclarative);
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);

                    // If an unrestricted set was denied and the demand implements IUnrestricted
                    if (permSet.IsUnrestricted())
                    {
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }

                    // If the deny set does contain the demanded permission, throw a security exception
                    bool bNeedToThrow = true;
                    try
                    {
                        bNeedToThrow = !demand.CheckDeny(perm);
                    }
                    catch (ArgumentException)
                    {
                    }
                    if (bNeedToThrow)
                    {
                        throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
                    }
                }

                if (GetAssertAllPossible())
                {
                    return(SecurityRuntime.StackHalt);
                }

                permSet = GetAssertions(fDeclarative);
                // Check Assertions
                if (permSet != null)
                {
                    CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);

                    // If the assert set does contain the demanded permission, halt the stackwalk

                    try
                    {
                        if (permSet.IsUnrestricted() || demand.CheckAssert(perm))
                        {
                            return(SecurityRuntime.StackHalt);
                        }
                    }
                    catch (ArgumentException)
                    {
                    }
                }
            }
            finally
            {
                if (bThreadSecurity)
                {
                    SecurityManager._SetThreadSecurity(true);
                }
            }

            return(SecurityRuntime.StackContinue);
        }
 internal bool CheckAssert(CodeAccessPermission asserted)
 {
     return(asserted != null && asserted.GetType() == base.GetType() && this.IsSubsetOf(asserted));
 }