Пример #1
0
        public void RemoveSpecificUsingDSOverload()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            DiscretionaryAcl   dacl = new DiscretionaryAcl(false, true, 0);

            RemoveSpecificBegin(sid, dacl, InheritanceFlags.None);
            dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3, InheritanceFlags.None, PropagationFlags.None,
                                      ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty);
            Assert.AreEqual(1, dacl.Count);
            dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3, InheritanceFlags.None, PropagationFlags.None,
                                      ObjectAceFlags.None, Guid.Empty, Guid.Empty);
            Assert.AreEqual(0, dacl.Count);
        }
        private static bool TestRemoveAccessSpecific(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
        {
            bool result = true;

            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            discretionaryAcl.RemoveAccessSpecific(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
            if (discretionaryAcl.Count == rawAcl.Count &&
                discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
            {
                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                    result = false;

                //redundant index check					
                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {
                        result = false;
                        break;
                    }
                }
            }
            else
                result = false;

            return result;
        }
Пример #3
0
        public void PropagationFlagsDoNotRequireInheritanceFlagsForRemoveSpecific()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BU");
            DiscretionaryAcl   dacl = new DiscretionaryAcl(false, false, 0);

            dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3,
                                      InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly);
        }
Пример #4
0
        void RemoveSpecificBegin(SecurityIdentifier sid, DiscretionaryAcl dacl, InheritanceFlags inheritanceFlags)
        {
            SecurityIdentifier otherSid = new SecurityIdentifier("BU");

            dacl.AddAccess(AccessControlType.Allow, sid, 3, inheritanceFlags, PropagationFlags.None);
            Assert.AreEqual(1, dacl.Count);
            dacl.RemoveAccessSpecific(AccessControlType.Deny, sid, 1, inheritanceFlags, PropagationFlags.None);
            Assert.AreEqual(1, dacl.Count);
            dacl.RemoveAccessSpecific(AccessControlType.Allow, otherSid, 1, inheritanceFlags, PropagationFlags.None);
            Assert.AreEqual(1, dacl.Count);
            dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 1, inheritanceFlags, PropagationFlags.None);
            Assert.AreEqual(1, dacl.Count);
            Assert.AreEqual(3, ((CommonAce)dacl [0]).AccessMask);
            dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3,
                                      inheritanceFlags ^ InheritanceFlags.ContainerInherit,
                                      PropagationFlags.None);
            Assert.AreEqual(1, dacl.Count);
        }
Пример #5
0
        public void RemoveSpecificIsContainer()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            DiscretionaryAcl   dacl = new DiscretionaryAcl(true, false, 0);

            RemoveSpecificBegin(sid, dacl, InheritanceFlags.ObjectInherit);
            dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3, InheritanceFlags.ObjectInherit, PropagationFlags.None);
            Assert.AreEqual(0, dacl.Count);
        }
Пример #6
0
        public void RemoveSpecificIgnoresPropagationFlagsWhenMatchingInheritanceFlagsNone()
        {
            SecurityIdentifier sid  = new SecurityIdentifier("BA");
            DiscretionaryAcl   dacl = new DiscretionaryAcl(false, false, 0);

            RemoveSpecificBegin(sid, dacl, InheritanceFlags.None);
            dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3,
                                      InheritanceFlags.None, PropagationFlags.InheritOnly);
            Assert.AreEqual(0, dacl.Count);
        }
        private static bool TestRemoveAccessSpecific(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
        {
            bool result = true;

            byte[] dAclBinaryForm = null;
            byte[] rAclBinaryForm = null;

            discretionaryAcl.RemoveAccessSpecific(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
            if (discretionaryAcl.Count == rawAcl.Count &&
                discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
            {
                dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
                rAclBinaryForm = new byte[rawAcl.BinaryLength];
                discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
                rawAcl.GetBinaryForm(rAclBinaryForm, 0);
                if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
                {
                    result = false;
                }

                //redundant index check
                for (int i = 0; i < discretionaryAcl.Count; i++)
                {
                    if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
                    {
                        result = false;
                        break;
                    }
                }
            }
            else
            {
                result = false;
            }

            return(result);
        }
        public static void RemoveAccessSpecific_AdditionalTestCases()
        {
            RawAcl rawAcl = null;
            DiscretionaryAcl discretionaryAcl = null;
            bool isContainer = false;
            bool isDS = false;

            int accessControlType = 0;
            string sid = null;
            int accessMask = 1;
            int inheritanceFlags = 0;
            int propagationFlags = 0;
            GenericAce gAce = null;
            byte[] opaque = null;
            //Case 1, remove one ACE from the DiscretionaryAcl with no ACE
            isContainer = true;
            isDS = false;
            accessControlType = 1;
            sid = "BA";
            accessMask = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            rawAcl = new RawAcl(0, 1);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
            ;


            //Case 2, remove the last one ACE from the DiscretionaryAcl
            isContainer = true;
            isDS = false;
            accessControlType = 0;
            sid = "BA";
            accessMask = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            rawAcl = new RawAcl(0, 1);
            //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
            gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
                new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //remove the ace to create the validation rawAcl
            rawAcl.RemoveAce(rawAcl.Count - 1);
            Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
               ;


            //Case 3, accessMask = 0
            Assert.Throws<ArgumentException>(() =>
            {
                isContainer = true;
                isDS = false;
                accessControlType = 1;
                sid = "BA";
                accessMask = 0;
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);



            });

            //Case 4, null sid
            Assert.Throws<ArgumentNullException>(() =>
            {
                isContainer = true;
                isDS = false;
                accessControlType = 1;
                accessMask = 1;
                sid = "BA";
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);



            });

            //Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove

            isContainer = true;
            isDS = false;

            inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
            propagationFlags = 2; //PropagationFlags.InheritOnly

            accessControlType = 0;
            sid = "BA";
            accessMask = 1;

            rawAcl = new RawAcl(0, 1);
            opaque = new byte[4];
            gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws<InvalidOperationException>(() =>
            {
                TestRemoveAccessSpecific
                        (discretionaryAcl, rawAcl,
                        (AccessControlType)accessControlType,
                        new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                        accessMask,
                        (InheritanceFlags)inheritanceFlags,
                        (PropagationFlags)propagationFlags);

            });

            //Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, 
            // should throw appropriate exception for wrong parameter, bug#287188

            Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                isContainer = true;
                isDS = false;

                inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
                propagationFlags = 2; //PropagationFlags.InheritOnly

                accessControlType = 100;
                sid = "BA";
                accessMask = 1;

                rawAcl = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                    accessMask,
                    (InheritanceFlags)inheritanceFlags,
                    (PropagationFlags)propagationFlags);


            });
        }
        public static void RemoveAccessSpecific_AdditionalTestCases()
        {
            RawAcl           rawAcl           = null;
            DiscretionaryAcl discretionaryAcl = null;
            bool             isContainer      = false;
            bool             isDS             = false;

            int        accessControlType = 0;
            string     sid              = null;
            int        accessMask       = 1;
            int        inheritanceFlags = 0;
            int        propagationFlags = 0;
            GenericAce gAce             = null;

            byte[] opaque = null;
            //Case 1, remove one ACE from the DiscretionaryAcl with no ACE
            isContainer       = true;
            isDS              = false;
            accessControlType = 1;
            sid              = "BA";
            accessMask       = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            rawAcl           = new RawAcl(0, 1);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
            ;


            //Case 2, remove the last one ACE from the DiscretionaryAcl
            isContainer       = true;
            isDS              = false;
            accessControlType = 0;
            sid              = "BA";
            accessMask       = 1;
            inheritanceFlags = 3;
            propagationFlags = 3;
            rawAcl           = new RawAcl(0, 1);
            //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
            gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
            rawAcl.InsertAce(rawAcl.Count, gAce);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
            //remove the ace to create the validation rawAcl
            rawAcl.RemoveAce(rawAcl.Count - 1);
            Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
                                                 new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
            ;


            //Case 3, accessMask = 0
            AssertExtensions.Throws <ArgumentException>("accessMask", () =>
            {
                isContainer       = true;
                isDS              = false;
                accessControlType = 1;
                sid              = "BA";
                accessMask       = 0;
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl           = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
                                                      new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
            });

            //Case 4, null sid
            Assert.Throws <ArgumentNullException>(() =>
            {
                isContainer       = true;
                isDS              = false;
                accessControlType = 1;
                accessMask        = 1;
                sid = "BA";
                inheritanceFlags = 3;
                propagationFlags = 3;
                rawAcl           = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
            });

            //Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove

            isContainer = true;
            isDS        = false;

            inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
            propagationFlags = 2; //PropagationFlags.InheritOnly

            accessControlType = 0;
            sid        = "BA";
            accessMask = 1;

            rawAcl = new RawAcl(0, 1);
            opaque = new byte[4];
            gAce   = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);;
            rawAcl.InsertAce(0, gAce);
            discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

            //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
            //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
            Assert.Throws <InvalidOperationException>(() =>
            {
                TestRemoveAccessSpecific
                    (discretionaryAcl, rawAcl,
                    (AccessControlType)accessControlType,
                    new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                    accessMask,
                    (InheritanceFlags)inheritanceFlags,
                    (PropagationFlags)propagationFlags);
            });

            //Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
            // should throw appropriate exception for wrong parameter, bug#287188

            Assert.Throws <ArgumentOutOfRangeException>(() =>
            {
                isContainer = true;
                isDS        = false;

                inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
                propagationFlags = 2; //PropagationFlags.InheritOnly

                accessControlType = 100;
                sid        = "BA";
                accessMask = 1;

                rawAcl           = new RawAcl(0, 1);
                discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);

                discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
                                                      new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
                                                      accessMask,
                                                      (InheritanceFlags)inheritanceFlags,
                                                      (PropagationFlags)propagationFlags);
            });
        }