internal static CommonSecurityDescriptor GetServerPipeSecurity()
{
#if UNIX
return(null);
#else
// Built-in Admin SID
SecurityIdentifier adminSID = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
adminSID,
_pipeAccessMaskFullControl,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor securityDesc = new CommonSecurityDescriptor(
false, false,
ControlFlags.DiscretionaryAclPresent | ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted,
null, null, null, dacl);
// Conditionally add User SID
bool isAdminElevated = new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator);
if (!isAdminElevated)
{
securityDesc.DiscretionaryAcl.AddAccess(
AccessControlType.Allow,
WindowsIdentity.GetCurrent().User,
_pipeAccessMaskFullControl,
InheritanceFlags.None,
PropagationFlags.None);
}
return(securityDesc);
#endif
}
public void CreateTask(ScheduledJobDefinition definition)
{
if (definition != null)
{
ITaskDefinition variable = this._taskScheduler.NewTask(0);
this.AddTaskOptions(variable, definition.Options);
foreach (ScheduledJobTrigger jobTrigger in definition.JobTriggers)
{
this.AddTaskTrigger(variable, jobTrigger);
}
this.AddTaskAction(variable, definition);
string str = "D:P(A;;GA;;;SY)(A;;GA;;;BA)";
SecurityIdentifier user = WindowsIdentity.GetCurrent().User;
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, str);
commonSecurityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, user, 0x10000000, InheritanceFlags.None, PropagationFlags.None);
string sddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
if (definition.Credential != null)
{
this._iRootFolder.RegisterTaskDefinition(definition.Name, variable, 2, definition.Credential.UserName, this.GetCredentialPassword(definition.Credential), _TASK_LOGON_TYPE.TASK_LOGON_PASSWORD, sddlForm);
return;
}
else
{
this._iRootFolder.RegisterTaskDefinition(definition.Name, variable, 2, null, null, _TASK_LOGON_TYPE.TASK_LOGON_S4U, sddlForm);
return;
}
}
else
{
throw new PSArgumentNullException("definition");
}
}
public static int ComputeBinaryLength(CommonSecurityDescriptor commonSecurityDescriptor, bool needCountDacl)
{
int verifierBinaryLength = 0;
if (commonSecurityDescriptor != null)
{
verifierBinaryLength = 20; //initialize the binary length to header length
if (commonSecurityDescriptor.Owner != null)
{
verifierBinaryLength += commonSecurityDescriptor.Owner.BinaryLength;
}
if (commonSecurityDescriptor.Group != null)
{
verifierBinaryLength += commonSecurityDescriptor.Group.BinaryLength;
}
if ((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0 && commonSecurityDescriptor.SystemAcl != null)
{
verifierBinaryLength += commonSecurityDescriptor.SystemAcl.BinaryLength;
}
if ((commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0 && commonSecurityDescriptor.DiscretionaryAcl != null && needCountDacl)
{
verifierBinaryLength += commonSecurityDescriptor.DiscretionaryAcl.BinaryLength;
}
}
return(verifierBinaryLength);
}
/// <summary>
/// Creates a new task in WTS with information from ScheduledJobDefinition.
/// </summary>
/// <param name="definition">ScheduledJobDefinition.</param>
public void CreateTask(
ScheduledJobDefinition definition)
{
if (definition == null)
{
throw new PSArgumentNullException("definition");
}
// Create task definition
ITaskDefinition iTaskDefinition = _taskScheduler.NewTask(0);
// Add task options.
AddTaskOptions(iTaskDefinition, definition.Options);
// Add task triggers.
foreach (ScheduledJobTrigger jobTrigger in definition.JobTriggers)
{
AddTaskTrigger(iTaskDefinition, jobTrigger);
}
// Add task action.
AddTaskAction(iTaskDefinition, definition);
// Create a security descriptor for the current user so that only the user
// (and Local System account) can see/access the registered task.
string startSddl = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"; // DACL Allow Generic Access to System and BUILTIN\Administrators.
System.Security.Principal.SecurityIdentifier userSid =
System.Security.Principal.WindowsIdentity.GetCurrent().User;
CommonSecurityDescriptor SDesc = new CommonSecurityDescriptor(false, false, startSddl);
SDesc.DiscretionaryAcl.AddAccess(AccessControlType.Allow, userSid, 0x10000000, InheritanceFlags.None, PropagationFlags.None);
string sddl = SDesc.GetSddlForm(AccessControlSections.All);
// Register this new task with the Task Scheduler.
if (definition.Credential == null)
{
// Register task to run as currently logged on user.
_iRootFolder.RegisterTaskDefinition(
definition.Name,
iTaskDefinition,
(int)_TASK_CREATION.TASK_CREATE,
null, // User name
null, // Password
_TASK_LOGON_TYPE.TASK_LOGON_S4U,
sddl);
}
else
{
// Register task to run under provided user account/credentials.
_iRootFolder.RegisterTaskDefinition(
definition.Name,
iTaskDefinition,
(int)_TASK_CREATION.TASK_CREATE,
definition.Credential.UserName,
GetCredentialPassword(definition.Credential),
_TASK_LOGON_TYPE.TASK_LOGON_PASSWORD,
sddl);
}
}
/// <summary>
/// ProcessRecord method.
/// </summary>
protected override void ProcessRecord()
{
CommonSecurityDescriptor rawSecurityDescriptor = null;
try
{
rawSecurityDescriptor = new CommonSecurityDescriptor(isContainer: false, isDS: false, Sddl);
}
catch (Exception e)
{
var ioe = PSTraceSource.NewInvalidOperationException(e, UtilityCommonStrings.InvalidSDDL, e.Message);
ThrowTerminatingError(new ErrorRecord(ioe, "InvalidSDDL", ErrorCategory.InvalidArgument, Sddl));
}
string owner = ConvertToNTAccount(rawSecurityDescriptor.Owner);
string group = ConvertToNTAccount(rawSecurityDescriptor.Group);
AccessRightTypeNames?typeToUse = _isTypeSet ? _type : (AccessRightTypeNames?)null;
string[] discretionaryAcl = ConvertAccessControlListToStrings(rawSecurityDescriptor.DiscretionaryAcl, typeToUse);
string[] systemAcl = ConvertAccessControlListToStrings(rawSecurityDescriptor.SystemAcl, typeToUse);
var outObj = new SecurityDescriptorInfo(owner, group, discretionaryAcl, systemAcl, rawSecurityDescriptor);
WriteObject(outObj);
}
public static void AdditionalTestCases()
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
// Case1, null binary form
Assert.Throws<ArgumentNullException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, null, 0);
// expect to throw exception but not
});
// case 2: offset < 0
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[24], -1);
// expect to throw exception but not
});
// case 3: binaryForm.Length - offset < HeaderLength
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[24], 5);
// expect to throw exception but not
});
// case 4: binaryForm[offset + 0] != Revision
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[24], 0);
// expect to throw exception but not
});
// case 5: ControlFlags.SelfRelative is not set
Assert.Throws<ArgumentException>(() =>
{
byte[] binaryForm = new byte[24];
for (int i = 0; i < binaryForm.Length; i++)
binaryForm[i] = 0;
//set correct Revision
binaryForm[0] = 1;
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, binaryForm, 0);
// expect to throw exception but not
});
// Case 6, parameter binaryForm is empty
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, new byte[0], 0);
// expect to throw exception but not
});
// Case 7, an array of garbage
Assert.Throws<ArgumentException>(() =>
{
byte[] binaryForm = { 1, 0, 0, 128, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, binaryForm, 0);
// expect to throw exception
});
}
public static void TestDiscretionaryAcl(bool isContainerSD, bool isDSSD, string sddl, bool isContainerDacl, bool isDSDacl, string newDaclStr)
{
bool result = false;
bool isContainer = false;
bool isDS = false;
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainerSD, isDSSD, sddl);
DiscretionaryAcl dacl = newDaclStr == null ? null : new DiscretionaryAcl(isContainerDacl, isDSDacl, Utils.CreateRawAclFromString(newDaclStr));
try
{
//save IsContainer, IsDS
isContainer = commonSecurityDescriptor.IsContainer;
isDS = commonSecurityDescriptor.IsDS;
commonSecurityDescriptor.DiscretionaryAcl = dacl;
//per shawn, the controlflag will show DaclPresent when dacl assigned is null
if ((commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
{
if (dacl == null)
{
//a dacl with Allow Everyone Everything Ace should be assigned
if (commonSecurityDescriptor.DiscretionaryAcl.Count == 1 &&
commonSecurityDescriptor.IsContainer == isContainer &&
commonSecurityDescriptor.IsDS == isDS &&
Utils.VerifyDaclWithCraftedAce(commonSecurityDescriptor.IsContainer, commonSecurityDescriptor.IsDS, commonSecurityDescriptor.DiscretionaryAcl))
{
result = true;
}
else
{
result = false;
}
}
else if (dacl == commonSecurityDescriptor.DiscretionaryAcl)
{
result = true;
}
else
{
result = false;
}
}
else
{
result = false;
}
}
catch (NullReferenceException)
{
Assert.Null(dacl);
result = true;
}
catch (ArgumentException)
{
Assert.True((dacl.IsContainer != commonSecurityDescriptor.IsContainer) || (dacl.IsDS != commonSecurityDescriptor.IsDS));
result = true;
}
Assert.True(result);
}
public static void TestDiscretionaryAcl(bool isContainerSD, bool isDSSD, string sddl, bool isContainerDacl, bool isDSDacl, string newDaclStr)
{
bool result = false;
bool isContainer = false;
bool isDS = false;
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainerSD, isDSSD, sddl);
DiscretionaryAcl dacl = newDaclStr == null ? null : new DiscretionaryAcl(isContainerDacl, isDSDacl, Utils.CreateRawAclFromString(newDaclStr));
try
{
//save IsContainer, IsDS
isContainer = commonSecurityDescriptor.IsContainer;
isDS = commonSecurityDescriptor.IsDS;
commonSecurityDescriptor.DiscretionaryAcl = dacl;
//per shawn, the controlflag will show DaclPresent when dacl assigned is null
if ((commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0)
{
if (dacl == null)
{
//a dacl with Allow Everyone Everything Ace should be assigned
if (commonSecurityDescriptor.DiscretionaryAcl.Count == 1 &&
commonSecurityDescriptor.IsContainer == isContainer &&
commonSecurityDescriptor.IsDS == isDS &&
Utils.VerifyDaclWithCraftedAce(commonSecurityDescriptor.IsContainer, commonSecurityDescriptor.IsDS, commonSecurityDescriptor.DiscretionaryAcl))
{
result = true;
}
else
{
result = false;
}
}
else if (dacl == commonSecurityDescriptor.DiscretionaryAcl)
{
result = true;
}
else
{
result = false;
}
}
else
{
result = false;
}
}
catch (NullReferenceException)
{
Assert.Null(dacl);
result = true;
}
catch (ArgumentException)
{
Assert.True((dacl.IsContainer != commonSecurityDescriptor.IsContainer) || (dacl.IsDS != commonSecurityDescriptor.IsDS));
result = true;
}
Assert.True(result);
}
/// <summary>
/// Helper method to create a PowerShell transport named pipe via native API, along
/// with a returned .Net NamedPipeServerStream object wrapping the named pipe.
/// </summary>
/// <param name="pipeName">Named pipe core name.</param>
/// <param name="securityDesc"></param>
/// <returns>NamedPipeServerStream</returns>
internal static NamedPipeServerStream CreateNamedPipe(
string pipeName,
PipeSecurity pipeSecurity)
{
string fullPipeName = @"\\.\pipe\" + pipeName;
CommonSecurityDescriptor securityDesc = new CommonSecurityDescriptor(false, false, pipeSecurity.GetSecurityDescriptorBinaryForm(), 0);
// Create optional security attributes based on provided PipeSecurity.
NamedPipeNative.SECURITY_ATTRIBUTES securityAttributes = null;
GCHandle?securityDescHandle = null;
if (securityDesc != null)
{
byte[] securityDescBuffer = new byte[securityDesc.BinaryLength];
securityDesc.GetBinaryForm(securityDescBuffer, 0);
securityDescHandle = GCHandle.Alloc(securityDescBuffer, GCHandleType.Pinned);
securityAttributes = NamedPipeNative.GetSecurityAttributes(securityDescHandle.Value);
}
// Create named pipe.
SafePipeHandle pipeHandle = NamedPipeNative.CreateNamedPipe(
fullPipeName,
NamedPipeNative.PIPE_ACCESS_DUPLEX | NamedPipeNative.FILE_FLAG_FIRST_PIPE_INSTANCE | NamedPipeNative.FILE_FLAG_OVERLAPPED,
NamedPipeNative.PIPE_TYPE_BYTE | NamedPipeNative.PIPE_READMODE_BYTE,
1,
1024,
1024,
0,
securityAttributes);
int lastError = Marshal.GetLastWin32Error();
if (securityDescHandle != null)
{
securityDescHandle.Value.Free();
}
if (pipeHandle.IsInvalid)
{
throw new InvalidOperationException();
}
// Create the .Net NamedPipeServerStream wrapper.
try
{
return(new NamedPipeServerStream(
PipeDirection.InOut,
true, // IsAsync
false, // IsConnected
pipeHandle));
}
catch (Exception)
{
pipeHandle.Dispose();
throw;
}
}
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
AccessControlSections accControlSections = AccessControlSections.None;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
{
sacl = null;
}
else
{
sacl = new SystemAcl(isContainer, isDS, rawAcl);
}
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
{
dacl = null;
}
else
{
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
}
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
if (getOwner)
{
accControlSections |= AccessControlSections.Owner;
}
if (getGroup)
{
accControlSections |= AccessControlSections.Group;
}
if (getSacl)
{
accControlSections |= AccessControlSections.Audit;
}
if (getDacl)
{
accControlSections |= AccessControlSections.Access;
}
resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections);
Assert.True(string.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0);
}
public static void TestCreateFromSddlForm(bool isContainer, bool isDS, string sddl, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.True(string.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0);
}
static IpcStore()
{
var dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), -1, InheritanceFlags.None, PropagationFlags.None);
IpcAcl = new CommonSecurityDescriptor(false, false, ControlFlags.GroupDefaulted | ControlFlags.OwnerDefaulted | ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
}
} // StopListening
//
// end of IChannelReceiver implementation
//
// Thread for listening
void Listen()
{
InternalRemotingServices.RemotingTrace("Waiting to Accept a Connection on Port: " + _portName);
//
// Wait for an incoming client connection
//
IntPtr handle = IntPtr.Zero;
bool connected = false;
CommonSecurityDescriptor descriptor = _securityDescriptor;
// Connect with exlusive flag the first time
try{
// If the descriptor is not explicitly set through code use the _authorizedGroup config
if (descriptor == null && _authorizedGroup != null)
{
NTAccount ntAccount = new NTAccount(_authorizedGroup);
descriptor = IpcPort.CreateSecurityDescriptor((SecurityIdentifier)ntAccount.Translate(typeof(SecurityIdentifier)));
}
_port = IpcPort.Create(_portName, descriptor, _bExclusiveAddressUse);
}
catch (Exception e) {
_startListeningException = e;
}
finally {
_bListening = (_startListeningException == null);
_waitForStartListening.Set(); // allow main thread to continue now that we have tried to start the socket
}
if (_port != null)
{
connected = _port.WaitForConnect();
}
while (_bListening)
{
InternalRemotingServices.RemotingTrace("IpcChannel::Listen");
// For DevDiv#220882, we need to create new IpcPort before handling the current message
// to avoid race condition in case the message is handled and finished before
// the new IpcPort is created. The client will intermittently fail with Port not found.
IpcPort port = IpcPort.Create(_portName, descriptor, false);
if (connected)
{
// Initialize the server handler and perform an async read
IpcServerHandler serverHandler = new IpcServerHandler(_port, CoreChannel.RequestQueue, new PipeStream(_port));
serverHandler.DataArrivedCallback = new WaitCallback(_transportSink.ServiceRequest);
serverHandler.BeginReadMessage();
}
_port = port;
connected = _port.WaitForConnect();
}
}
public static void TestPurgeAudit(bool isContainer, bool isDS, string sddl, string sidString, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
var sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidString));
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
commonSecurityDescriptor.PurgeAudit(sid);
resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.False(resultSddl != verifierSddl);
}
public void ConstructorLetsFalseDSThrough()
{
CommonSecurityDescriptor descriptor = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
TestSecurity security = new TestSecurity(descriptor);
Assert.IsFalse(security.IsContainerTest);
Assert.IsFalse(security.IsDSTest);
}
public void DefaultOwnerAndGroup()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.IsNull(csd.Owner);
Assert.IsNull(csd.Group);
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
}
public void ContainerAndDSConsistencyEnforcedInSetter()
{
SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(true, false, ControlFlags.None, userSid, groupSid, null, null);
csd.DiscretionaryAcl = new DiscretionaryAcl(true, true, 0);
}
public static List <string> GetInheritedFrom(string path, ObjectSecurity sd, bool isContainer)
{
var inheritedFrom = new List <string>();
path = Path.GetLongPath(path);
uint returnValue = 0;
GENERIC_MAPPING genericMap = new GENERIC_MAPPING();
genericMap.GenericRead = (uint)MappedGenericRights.FILE_GENERIC_READ;
genericMap.GenericWrite = (uint)MappedGenericRights.FILE_GENERIC_WRITE;
genericMap.GenericExecute = (uint)MappedGenericRights.FILE_GENERIC_EXECUTE;
genericMap.GenericAll = (uint)MappedGenericRights.FILE_GENERIC_ALL;
var sdBytes = sd.GetSecurityDescriptorBinaryForm();
var commonSd = new CommonSecurityDescriptor(isContainer, false, sdBytes, 0);
var aclBytes = new byte[commonSd.DiscretionaryAcl.BinaryLength];
commonSd.DiscretionaryAcl.GetBinaryForm(aclBytes, 0);
var pInheritInfo = Marshal.AllocHGlobal(commonSd.DiscretionaryAcl.Count * Marshal.SizeOf(typeof(PINHERITED_FROM)));
returnValue = GetInheritanceSource(
path,
ResourceType.FileObject,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
isContainer,
IntPtr.Zero,
0,
aclBytes,
IntPtr.Zero,
ref genericMap,
pInheritInfo
);
if (returnValue != 0)
{
throw new System.ComponentModel.Win32Exception((int)returnValue);
}
for (int i = 0; i < commonSd.DiscretionaryAcl.Count; i++)
{
var inheritInfo = pInheritInfo.ElementAt <PINHERITED_FROM>(i);
inheritedFrom.Add(
!string.IsNullOrEmpty(inheritInfo.AncestorName) && inheritInfo.AncestorName.StartsWith(@"\\?\") ? inheritInfo.AncestorName.Substring(4) : inheritInfo.AncestorName
);
}
FreeInheritedFromArray(pInheritInfo, (ushort)commonSd.DiscretionaryAcl.Count, IntPtr.Zero);
Marshal.FreeHGlobal(pInheritInfo);
return(inheritedFrom);
}
public static IChannel PublishLocalProxy(ExecutionServiceProxy proxy)
{
//We want the object to be available for as long as possible so we choose one year
LifetimeServices.LeaseTime = TimeSpan.FromDays(365);
RemotingConfiguration.CustomErrorsMode = CustomErrorsModes.Off;
BinaryServerFormatterSinkProvider provider = new BinaryServerFormatterSinkProvider();
provider.TypeFilterLevel = TypeFilterLevel.Full; //need full deserialization
//create a server channel and make the object available remotely
Hashtable channelSettings = new Hashtable();
channelSettings["portName"] = ExecutionService.LocalPortName;
//Grant access to everyone (need to get the name from the well known SID to support localized builds)
SecurityIdentifier everyoneSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
NTAccount everyoneAccount = (NTAccount)everyoneSid.Translate(typeof(NTAccount));
channelSettings["authorizedGroup"] = everyoneAccount.Value;
//Because use use ExecutionService to update itself we have to disallow exclusive access
//to the port, otherwise updating ExecutionService fails.
channelSettings["exclusiveAddressUse"] = false;
// Workaround for Remoting breaking change. This custom security descriptor is needed
// to allow Medium IL processes to use IPC to talk to elevated UAC processes.
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// This is the well-known sid for network security ID
string networkSidSddlForm = @"S-1-5-2";
// This is the well-known sid for all users on this machine
string everyoneSidSddlForm = @"S-1-1-0";
// Deny all access to NetworkSid
dacl.AddAccess(AccessControlType.Deny, new SecurityIdentifier(networkSidSddlForm), -1, InheritanceFlags.None, PropagationFlags.None);
// Add access to the current user creating the pipe
dacl.AddAccess(AccessControlType.Allow, WindowsIdentity.GetCurrent().User, -1, InheritanceFlags.None, PropagationFlags.None);
// Add access to the all users on the machine
dacl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(everyoneSidSddlForm), -1, InheritanceFlags.None, PropagationFlags.None);
// Initialize and return the CommonSecurityDescriptor
CommonSecurityDescriptor allowMediumILSecurityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.OwnerDefaulted | ControlFlags.GroupDefaulted | ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent, null, null, null, dacl);
IpcServerChannel publishedChannel = new IpcServerChannel(channelSettings, provider, allowMediumILSecurityDescriptor);
ChannelServices.RegisterChannel(publishedChannel, false);
RemotingServices.Marshal(proxy, ExecutionService.ProxyName, typeof(IExecutionService));
return(publishedChannel);
}
public IpcServerChannel(IDictionary properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor)
{
this._channelPriority = 20;
this._channelName = "ipc server";
this._bExclusiveAddressUse = true;
this._waitForStartListening = new AutoResetEvent(false);
if (properties != null)
{
foreach (DictionaryEntry entry in properties)
{
switch (((string)entry.Key))
{
case "name":
this._channelName = (string)entry.Value;
break;
case "portName":
this._portName = (string)entry.Value;
break;
case "priority":
this._channelPriority = Convert.ToInt32(entry.Value, CultureInfo.InvariantCulture);
break;
case "secure":
this._secure = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
break;
case "impersonate":
this._impersonate = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
this.authSet = true;
break;
case "suppressChannelData":
this._bSuppressChannelData = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
break;
case "authorizedGroup":
this._authorizedGroup = (string)entry.Value;
break;
case "exclusiveAddressUse":
this._bExclusiveAddressUse = Convert.ToBoolean(entry.Value, CultureInfo.InvariantCulture);
break;
}
}
}
if (this._portName == null)
{
throw new RemotingException(CoreChannel.GetResourceString("Remoting_Ipc_NoPortNameSpecified"));
}
this._sinkProvider = sinkProvider;
this._securityDescriptor = securityDescriptor;
this.SetupChannel();
}
private static CommonSecurityDescriptor GetSecurityDescriptor(List <SecurityIdentifier> securityIdentifiers)
{
var discretionaryAcl = GetDiscretionaryAcl(securityIdentifiers);
var securityDescriptor = new CommonSecurityDescriptor(false, false,
ControlFlags.GroupDefaulted |
ControlFlags.OwnerDefaulted |
ControlFlags.DiscretionaryAclPresent,
null, null, null, discretionaryAcl);
return(securityDescriptor);
}
internal static NamedPipeServerStream CreateNamedServerPipe(
string serverName,
string namespaceName,
string pipeName,
PipeSecurity pipeSecurity)
{
string fullPipeName = $@"\\{serverName}\{namespaceName}\{pipeName}";
var securityDescriptor = new CommonSecurityDescriptor(
false,
false,
pipeSecurity.GetSecurityDescriptorBinaryForm(),
0);
byte[] securityDescriptorBuffer = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(securityDescriptorBuffer, 0);
GCHandle?securityDescriptorHandle = GCHandle.Alloc(securityDescriptorBuffer, GCHandleType.Pinned);
var securityAttributes = GetSecurityAttributes(securityDescriptorHandle.Value);
if (Interop.Kernel32.WaitNamedPipe(fullPipeName, System.Threading.Timeout.Infinite))
{
if (Marshal.GetLastWin32Error() != Interop.Errors.ERROR_FILE_NOT_FOUND)
{
throw new InvalidOperationException();
}
}
SafePipeHandle pipeHandle = Interop.Kernel32.CreateNamedPipe(
fullPipeName,
Interop.Kernel32.PipeOptions.PIPE_ACCESS_DUPLEX | Interop.Kernel32.FileOperations.FILE_FLAG_OVERLAPPED,
Interop.Kernel32.PipeOptions.PIPE_TYPE_BYTE | Interop.Kernel32.PipeOptions.PIPE_READMODE_BYTE,
1,
65536,
65536,
0,
ref securityAttributes);
securityDescriptorHandle.Value.Free();
if (pipeHandle.IsInvalid)
{
throw new InvalidOperationException();
}
try
{
return(new NamedPipeServerStream(PipeDirection.InOut, true, true, pipeHandle));
}
catch (Exception)
{
pipeHandle.Dispose();
throw;
}
}
public void OwnerAndGroupAreReferences()
{
SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
CommonSecurityDescriptor csd;
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, null, null);
Assert.AreSame(groupSid, csd.Group);
Assert.AreSame(userSid, csd.Owner);
}
public void PurgeNullSaclWithoutError()
{
SecurityIdentifier userSid = new SecurityIdentifier("SY");
SecurityIdentifier groupSid = new SecurityIdentifier("BA");
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, null, null);
csd.PurgeAudit(userSid);
Assert.IsNull(csd.SystemAcl);
}
public static void AdditionalTestCases()
{
//test cases include the exceptions from the constructor
CommonSecurityDescriptor sd = null;
// test case 1: rawSecurityDescriptor is null
Assert.Throws<ArgumentNullException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, (RawSecurityDescriptor)null);
});
}
public static void TestPurgeAccessControl(bool isContainer, bool isDS, string sddl, string sidString, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidString));
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
commonSecurityDescriptor.PurgeAccessControl(sid);
resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.False(resultSddl != verifierSddl);
}
public static void AdditionalTestCases()
{
//test cases include the exceptions from the constructor
CommonSecurityDescriptor sd = null;
// test case 1: rawSecurityDescriptor is null
Assert.Throws <ArgumentNullException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, (RawSecurityDescriptor)null);
});
}
public static void TestCreateFromRawSecurityDescriptor(bool isContainer, bool isDS, string rawSecurityDescriptorSddl, string verifierSddl)
{
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(rawSecurityDescriptorSddl);
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, rawSecurityDescriptor);
// verify the result
Assert.True((isContainer == commonSecurityDescriptor.IsContainer) && (isDS == commonSecurityDescriptor.IsDS));
string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.True(String.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0);
}
/// <summary>
/// The main entry point for the application.
/// </summary>
static void Main()
{
RemotingConfiguration.Configure("Server.exe.config", false /*ensureSecurity*/);
IDictionary props = new Hashtable();
props["portName"] = "test";
// This is the wellknown sid for network sid
string networkSidSddlForm = @"S-1-5-2";
// Local administrators sid
SecurityIdentifier localAdminSid = new SecurityIdentifier(
WellKnownSidType.BuiltinAdministratorsSid, null);
// Local Power users sid
SecurityIdentifier powerUsersSid = new SecurityIdentifier(
WellKnownSidType.BuiltinPowerUsersSid, null);
// Network sid
SecurityIdentifier networkSid = new SecurityIdentifier(networkSidSddlForm);
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
// Disallow access from off machine
dacl.AddAccess(AccessControlType.Deny, networkSid, -1,
InheritanceFlags.None, PropagationFlags.None);
// Allow acces only from local administrators and power users
dacl.AddAccess(AccessControlType.Allow, localAdminSid, -1,
InheritanceFlags.None, PropagationFlags.None);
dacl.AddAccess(AccessControlType.Allow, powerUsersSid, -1,
InheritanceFlags.None, PropagationFlags.None);
CommonSecurityDescriptor securityDescriptor =
new CommonSecurityDescriptor(false, false,
ControlFlags.GroupDefaulted |
ControlFlags.OwnerDefaulted |
ControlFlags.DiscretionaryAclPresent,
null, null, null, dacl);
IpcServerChannel channel = new IpcServerChannel(
props,
null,
securityDescriptor);
ChannelServices.RegisterChannel(channel, false /*ensureSecurity*/);
foreach (IChannel chan in ChannelServices.RegisteredChannels)
{
Console.WriteLine(chan.ChannelName);
}
Console.WriteLine("Waiting for connections...");
Console.WriteLine("Press enter to exit.");
Console.ReadLine();
}
public static IpcServerChannel CreateIpcServer <IService, TService>(
TService service,
string channelName = null,
string portName = null,
WellKnownSidType aclSid = WellKnownSidType.WorldSid)
where IService : class
where TService : MarshalByRefObject, IService
{
if (channelName == null)
{
channelName = GenerateIpcServerChannelName();
}
System.Collections.IDictionary properties = new System.Collections.Hashtable
{
{ "name", channelName },
{ "portName", portName ?? channelName }
};
// Setup ACL : allow access from all users. Channel is protected by a random name.
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 1);
dacl.AddAccess(
AccessControlType.Allow,
new SecurityIdentifier(
aclSid,
null),
-1,
InheritanceFlags.None,
PropagationFlags.None);
CommonSecurityDescriptor secDescr = new CommonSecurityDescriptor(false, false,
ControlFlags.GroupDefaulted |
ControlFlags.OwnerDefaulted |
ControlFlags.DiscretionaryAclPresent,
null, null, null,
dacl);
// Formatter sink
// TODO: Custom sink
BinaryServerFormatterSinkProvider binaryProv = new BinaryServerFormatterSinkProvider {
TypeFilterLevel = TypeFilterLevel.Full
};
// Create server
var ipcServer = new IpcServerChannel(properties, binaryProv, secDescr);
ChannelServices.RegisterChannel(ipcServer, false);
// Initialize with SMA interface
RemotingServices.Marshal(service, channelName, typeof(IService));
return(ipcServer);
}
public static void AdditionalTestCases()
{
CommonSecurityDescriptor sd = null;
// test case 1: sid is null
Assert.Throws <ArgumentNullException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null);
sd.PurgeAccessControl(null);
// expect to throw exception but not
});
}
public static void AdditionalTestCases()
{
CommonSecurityDescriptor sd = null;
// test case 1: sid is null
Assert.Throws<ArgumentNullException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null);
sd.PurgeAudit(null);
// expect to throw exception but not
});
}
public static void TestCreateFromRawSecurityDescriptor(bool isContainer, bool isDS, string rawSecurityDescriptorSddl, string verifierSddl)
{
RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(rawSecurityDescriptorSddl);
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, rawSecurityDescriptor);
// verify the result
Assert.True((isContainer == commonSecurityDescriptor.IsContainer) && (isDS == commonSecurityDescriptor.IsDS));
string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.True(String.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0);
}
private static void RegisterRemoting()
{
Hashtable hashtable = new Hashtable();
hashtable["name"] = "ipc";
hashtable["priority"] = "20";
hashtable["portName"] = MyConst.ChannelPortName;
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, string.Empty);
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
commonSecurityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, sid, -1, InheritanceFlags.None, PropagationFlags.None);
IpcServerChannel chnl = new IpcServerChannel(hashtable, null, commonSecurityDescriptor);
ChannelServices.RegisterChannel(chnl, false);
RemotingConfiguration.RegisterWellKnownServiceType(typeof(ProfilerService), MyConst.ObjectURI, WellKnownObjectMode.Singleton);
}
public override byte[] GetAllowAllNodeAcl(string repositoryName, Guid domainId, Guid rootMapId)
{
// Return an empty Windows node ACL.
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return(itemAcl);
}
internal SecurityDescriptorInfo(
string owner,
string group,
string[] discretionaryAcl,
string[] systemAcl,
CommonSecurityDescriptor rawDescriptor)
{
Owner = owner;
Group = group;
DiscretionaryAcl = discretionaryAcl;
SystemAcl = systemAcl;
RawDescriptor = rawDescriptor;
}
private static List <SecurityIdentifier> securityIdentifiersFromSDDL(string securityDescriptor)
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor(false, false, securityDescriptor);
DiscretionaryAcl dacl = csd.DiscretionaryAcl;
List <SecurityIdentifier> securityIdentifiers = new List <SecurityIdentifier>(dacl.Count);
foreach (CommonAce ace in dacl)
{
securityIdentifiers.Add(ace.SecurityIdentifier);
}
return(securityIdentifiers);
}
public static void AdditionalTestCases()
{
// test case will be passing in binaryForm array that is null, length is invalid and offset is invalid
CommonSecurityDescriptor commonSecurityDescriptor = null;
string sddl = null;
byte[] binaryForm = null;
//Case 1, null byte array
Assert.Throws<ArgumentNullException>(() =>
{
sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)";
commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl);
binaryForm = null;
commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
});
//case 2, empty byte array
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)";
commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl);
binaryForm = new byte[0];
commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
});
//case 3, negative offset
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)";
commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl);
binaryForm = new byte[100];
commonSecurityDescriptor.GetBinaryForm(binaryForm, -1);
});
//case 4, binaryForm.Length - offset < BinaryLength
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
sddl = "O:LAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;BG)(A;ID;FA;;;SY)";
commonSecurityDescriptor = new CommonSecurityDescriptor(true, false, sddl);
binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
commonSecurityDescriptor.GetBinaryForm(binaryForm, 8);
});
}
public static void TestSetSystemAclProtection(bool isContainer, bool isDS, string sddl, bool isProtected, bool preserveInheritance, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
commonSecurityDescriptor.SetSystemAclProtection(isProtected, preserveInheritance);
resultSddl = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
if (!isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) == 0)
{
Assert.False(resultSddl != verifierSddl);
}
else if (isProtected && (commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclProtected) != 0)
{
Assert.False(resultSddl != verifierSddl);
}
}
public static void AdditionalTestCases()
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
// Case1, null sddl string
Assert.Throws<ArgumentNullException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, (string)null);
// expect to throw exception but not
});
// Case 3, sddl form owner symbol exists but no content
Assert.Throws<ArgumentException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:G:SYD:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)");
// expect to throw exception but not
});
// Case 4, sddl form group symbol exists but no content
Assert.Throws<ArgumentException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:LAG:D:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)");
// expect to throw exception but not
});
// Case 5, garbage string sddl
Assert.Throws<ArgumentException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "ABCDEFGHIJKLMNOPQ");
// expect to throw exception but not
});
// Case 7, sddl form with invalid owner sid
Assert.Throws<ArgumentException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:XXG:D:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)");
// expect to throw exception but not
});
// Case 8, sddl form with invalid group sid
Assert.Throws<ArgumentException>(() =>
{
commonSecurityDescriptor = new CommonSecurityDescriptor(false, false, "O:LAG:YYD:AI(A;ID;FR;;;BA)S:AI(AU;IDFA;FR;;;BA)");
// expect to throw exception but not
});
}
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
AccessControlSections accControlSections = AccessControlSections.None;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
sacl = null;
else
sacl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
dacl = null;
else
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
if (getOwner)
accControlSections |= AccessControlSections.Owner;
if (getGroup)
accControlSections |= AccessControlSections.Group;
if (getSacl)
accControlSections |= AccessControlSections.Audit;
if (getDacl)
accControlSections |= AccessControlSections.Access;
resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections);
if (expectedSddl == null || resultSddl == null)
Assert.True(expectedSddl == null && resultSddl == null);
else
Assert.True(String.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0);
}
public static void TestGroup(string newGroupStr)
{
bool isContainer = false;
bool isDS = false;
int controlFlags = 1;
string ownerStr = "BA";
string groupStr = "BG";
CommonSecurityDescriptor commonSecurityDescriptor = null;
SecurityIdentifier owner = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr));
SecurityIdentifier newGroup = (newGroupStr != null ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(newGroupStr)) : null);
SecurityIdentifier group = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr));
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, (ControlFlags)controlFlags, owner, group, sacl, dacl);
commonSecurityDescriptor.Group = newGroup;
// verify the result, we can use == here as SecurityIdentifier overrides the comparsison
Assert.True(newGroup == commonSecurityDescriptor.Group);
}
public static void TestSystemAcl(bool isContainerSD, bool isDSSD, string sddl, bool isContainerSacl, bool isDSSacl, string newSaclStr)
{
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainerSD, isDSSD, sddl);
SystemAcl sacl = newSaclStr == null ? null : new SystemAcl(isContainerSacl, isDSSacl, Utils.CreateRawAclFromString(newSaclStr));
try
{
commonSecurityDescriptor.SystemAcl = sacl;
Assert.True(sacl == commonSecurityDescriptor.SystemAcl);
if (sacl != null)
Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0);
else
Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) == 0);
}
catch (NullReferenceException)
{
Assert.Null(sacl);
}
catch (ArgumentException)
{
Assert.True((sacl.IsContainer != commonSecurityDescriptor.IsContainer) || (sacl.IsDS != commonSecurityDescriptor.IsDS));
}
}
public static void AdditionalTestCases()
{
CommonSecurityDescriptor sd = null;
// test case 1: SACL is null, isProtected is true, preserveInheritance is true
sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null);
sd.SetSystemAclProtection(true, true);
Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) != 0);
// test case 2: SACL is null, isProtected is true, preserveInheritance is false
sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null);
sd.SetSystemAclProtection(true, false);
Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) != 0);
// test case 3: SACL is null, isProtected is false, preserveInheritance is true
sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null);
sd.SetSystemAclProtection(false, true);
Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) == 0);
// test case 4: SACL is null, isProtected is false, preserveInheritance is false
sd = new CommonSecurityDescriptor(true, false, (ControlFlags)0, null, null, null, null);
sd.SetSystemAclProtection(false, false);
Assert.True((sd.ControlFlags & ControlFlags.SystemAclProtected) == 0);
}
public static int ComputeBinaryLength(CommonSecurityDescriptor commonSecurityDescriptor, bool needCountDacl)
{
int verifierBinaryLength = 0;
if (commonSecurityDescriptor != null)
{
verifierBinaryLength = 20; //intialize the binary length to header length
if (commonSecurityDescriptor.Owner != null)
verifierBinaryLength += commonSecurityDescriptor.Owner.BinaryLength;
if (commonSecurityDescriptor.Group != null)
verifierBinaryLength += commonSecurityDescriptor.Group.BinaryLength;
if ((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0 && commonSecurityDescriptor.SystemAcl != null)
verifierBinaryLength += commonSecurityDescriptor.SystemAcl.BinaryLength;
if ((commonSecurityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0 && commonSecurityDescriptor.DiscretionaryAcl != null && needCountDacl)
verifierBinaryLength += commonSecurityDescriptor.DiscretionaryAcl.BinaryLength;
}
return verifierBinaryLength;
}
public CryptoKeySecurity(CommonSecurityDescriptor securityDescriptor) {}
public static void TestWasSystemAclCanonicalInitially(bool isContainer, bool isDS, string sddl, bool verifierWasCanonicalInitially)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
Assert.False(verifierWasCanonicalInitially != commonSecurityDescriptor.IsSystemAclCanonical);
}
private static bool VerifyResult(bool isContainer, bool isDS, ControlFlags controlFlags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl sacl, DiscretionaryAcl dacl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
bool result = false;
try
{
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
// verify the result
if ((isContainer == commonSecurityDescriptor.IsContainer) &&
(isDS == commonSecurityDescriptor.IsDS) &&
((((sacl != null) ? (controlFlags | ControlFlags.SystemAclPresent) : (controlFlags & (~ControlFlags.SystemAclPresent)))
| ControlFlags.SelfRelative | ControlFlags.DiscretionaryAclPresent) == commonSecurityDescriptor.ControlFlags) &&
(owner == commonSecurityDescriptor.Owner) &&
(group == commonSecurityDescriptor.Group) &&
(sacl == commonSecurityDescriptor.SystemAcl) &&
(Utils.ComputeBinaryLength(commonSecurityDescriptor, dacl != null) == commonSecurityDescriptor.BinaryLength))
{
if (dacl == null)
{
//check the contructor created an empty Dacl with correct IsContainer and isDS info
if (isContainer == commonSecurityDescriptor.DiscretionaryAcl.IsContainer &&
isDS == commonSecurityDescriptor.DiscretionaryAcl.IsDS &&
commonSecurityDescriptor.DiscretionaryAcl.Count == 1 &&
Utils.VerifyDaclWithCraftedAce(isContainer, isDS, commonSecurityDescriptor.DiscretionaryAcl))
{
result = true;
}
else
{
result = false;
}
}
else if (dacl == commonSecurityDescriptor.DiscretionaryAcl)
{
result = true;
}
else
{
result = false;
}
}
else
{
result = false;
}
}
catch (ArgumentException)
{
if ((sacl != null && sacl.IsContainer != isContainer) ||
(sacl != null && sacl.IsDS != isDS) ||
(dacl != null && dacl.IsContainer != isContainer) ||
(dacl != null && dacl.IsDS != isDS))
result = true;
else
{
// unexpected exception
result = false;
}
}
return result;
}
private static void TestCreateFromSddlForm(bool isContainer, bool isDS, string sddl, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.True(string.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0);
}
public static void TestGetBinaryForm(bool isContainer, bool isDS, string sddl, string verifierSddl, int offset)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
CommonSecurityDescriptor verifierCommonSecurityDescriptor = null;
string resultSddl = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength + offset];
commonSecurityDescriptor.GetBinaryForm(binaryForm, offset);
verifierCommonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, binaryForm, offset);
resultSddl = verifierCommonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
if (resultSddl == null || verifierSddl == null)
Assert.True(resultSddl == null && verifierSddl == null);
else
Assert.True(String.Compare(resultSddl, verifierSddl, StringComparison.CurrentCultureIgnoreCase) == 0);
}
public static void TestWasDiscretionaryAclCanonicalInitially(bool isContainer, bool isDS, string sddl, bool verifierWasCanonicalInitially)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, sddl);
Assert.True(verifierWasCanonicalInitially == commonSecurityDescriptor.IsDiscretionaryAclCanonical);
}
private static void TestCreateFromBinaryForm(bool isContainer, bool isDS, string sddl, int offset, string verifierSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
byte[] binaryForm;
Assert.Equal(0, Utils.CreateBinaryArrayFromSddl(sddl, out binaryForm));
byte[] tempBForm = null;
if (offset > 0)
{
//copy the binaryform to a new array, start at offset
tempBForm = new byte[binaryForm.Length + offset];
for (int i = 0; i < binaryForm.Length; i++)
{
tempBForm[i + offset] = binaryForm[i];
}
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, tempBForm, offset);
}
else
{
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, binaryForm, offset);
}
string resultSddlForm = commonSecurityDescriptor.GetSddlForm(AccessControlSections.All);
Assert.True(String.Compare(verifierSddl, resultSddlForm, StringComparison.CurrentCultureIgnoreCase) == 0);
}
protected DirectoryObjectSecurity(CommonSecurityDescriptor securityDescriptor);
protected ObjectSecurity(CommonSecurityDescriptor securityDescriptor);
public static void AdditionalTestCases()
{
//test cases include the exceptions from the constructor
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
CommonSecurityDescriptor sd = null;
// test case 1: SACL is not null, SACL.IsContainer is true, but isContainer parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 2: SACL is not null, SACL.IsContainer is false, but isContainer parameter is true
sacl = new SystemAcl(false, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 3: DACL is not null, DACL.IsContainer is true, but isContainer parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 4: DACL is not null, DACL.IsContainer is false, but isContainer parameter is true
dacl = new DiscretionaryAcl(false, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 5: SACL is not null, SACL.IsDS is true, but isDS parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 6: SACL is not null, SACL.IsDS is false, but isDS parameter is true
sacl = new SystemAcl(true, false, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 7: DACL is not null, DACL.IsDS is true, but isDS parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 8: DACL is not null, DACL.IsDS is false, but isDS parameter is true
dacl = new DiscretionaryAcl(true, false, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
}
