public void AddAudit(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { // TODO }
public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (!base.IsDS) { throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS")); } base.RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, (AceFlags) ((byte) (GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags))), objectFlags, objectType, inheritedObjectType); }
public void AddAccess(AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { // TODO }
public bool RemoveAudit(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { // TODO return false; }
public void RemoveAccessSpecific(AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (!base.IsDS) { throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS")); } base.CheckAccessType(accessType); this.everyOneFullAccessForNullDacl = false; base.RemoveQualifiedAcesSpecific(sid, (accessType == AccessControlType.Allow) ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType); }
public bool RemoveAccess (AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { throw new NotImplementedException (); }
internal ObjectAce (AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, ObjectAceFlags objFlags, Guid objType, Guid inheritedType, byte[] opaque) : base(type, flags, opaque) { AccessMask = accessMask; SecurityIdentifier = sid; ObjectAceFlags = objFlags; ObjectAceType = objType; InheritedObjectAceType = inheritedType; }
public void AddAudit (AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { // ObjectAce? throw new NotImplementedException (); }
public void AddAccess (AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { AddAce (GetAceQualifier (accessType), sid, accessMask, inheritanceFlags, propagationFlags, AuditFlags.None, objectFlags, objectType, inheritedObjectType); }
protected static void VerifyObjectAce(ObjectAce ace, AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque) { Assert.Equal(aceFlags, ace.AceFlags); Assert.Equal(accessMask, ace.AccessMask); Assert.Equal(sid, ace.SecurityIdentifier); Assert.Equal(opaque, ace.GetOpaque()); Assert.Equal(qualifier, ace.AceQualifier); Assert.Equal(isCallback, ace.IsCallback); Assert.Equal(flags, ace.ObjectAceFlags); Assert.Equal(type, ace.ObjectAceType); Assert.Equal(inheritedType, ace.InheritedObjectAceType); }
public void AddAudit (AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { AddAce (AceQualifier.SystemAudit, sid, accessMask, inheritanceFlags, propagationFlags, auditFlags, objectFlags, objectType, inheritedObjectType); }
public ObjectAce (AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque) : base (InheritanceFlags.None, PropagationFlags.None, qualifier, isCallback, opaque) { AceFlags = aceFlags; SecurityIdentifier = sid; object_ace_flags = flags; object_ace_type = type; inherited_object_type = inheritedType; }
public ObjectAce (AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque) : base (ConvertType(qualifier, isCallback), aceFlags, opaque) { AccessMask = accessMask; SecurityIdentifier = sid; ObjectAceFlags = flags; ObjectAceType = type; InheritedObjectAceType = inheritedType; }
protected ObjectAccessRule(IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AccessControlType type) : base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, type) { if (!objectType.Equals(Guid.Empty) && ((accessMask & ObjectAce.AccessMaskWithObjectType) != 0)) { this._objectType = objectType; this._objectFlags |= ObjectAceFlags.ObjectAceTypePresent; } else { this._objectType = Guid.Empty; } if (!inheritedObjectType.Equals(Guid.Empty) && ((inheritanceFlags & InheritanceFlags.ContainerInherit) != InheritanceFlags.None)) { this._inheritedObjectType = inheritedObjectType; this._objectFlags |= ObjectAceFlags.InheritedObjectAceTypePresent; } else { this._inheritedObjectType = Guid.Empty; } }
public bool RemoveAccess( AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType ) { // // This is valid only for DS Acls // if ( !IsDS ) { throw new InvalidOperationException( Environment.GetResourceString( "InvalidOperation_OnlyValidForDS" )); } Contract.EndContractBlock(); CheckAccessType( accessType ); everyOneFullAccessForNullDacl = false; return RemoveQualifiedAces(sid, accessType == AccessControlType.Allow ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags( inheritanceFlags, propagationFlags ), false, objectFlags, objectType, inheritedObjectType ); }
private static object[] ObjectAce_CreateTestData(int intFlags, int intQualifier, int accessMask, string stringsid, int intObjectAceFlags, string stringType, string stringInheritedType, bool isCallback, int opaqueLength, int offset) { AceFlags aceFlags = (AceFlags)intFlags; AceQualifier qualifier = (AceQualifier)intQualifier; SecurityIdentifier sid = new SecurityIdentifier(stringsid); ObjectAceFlags flags = (ObjectAceFlags)intObjectAceFlags; Guid type = new Guid(stringType); Guid inheritedType = new Guid(stringInheritedType); byte[] opaque = new byte[opaqueLength]; ObjectAce ace = new ObjectAce(aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque); VerifyObjectAce(ace, aceFlags, qualifier, accessMask, sid, flags, type, inheritedType, isCallback, opaque); byte[] binaryForm = new byte[ace.BinaryLength + offset]; switch (qualifier) { case AceQualifier.AccessAllowed: binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessAllowedCallbackObject : (byte)AceType.AccessAllowedObject; break; case AceQualifier.AccessDenied: binaryForm[offset + 0] = isCallback ? (byte)AceType.AccessDeniedCallbackObject : (byte)AceType.AccessDeniedObject; break; case AceQualifier.SystemAudit: binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAuditCallbackObject : (byte)AceType.SystemAuditObject; break; case AceQualifier.SystemAlarm: binaryForm[offset + 0] = isCallback ? (byte)AceType.SystemAlarmCallbackObject : (byte)AceType.SystemAlarmObject; break; default: return(null); } binaryForm[offset + 1] = (byte)aceFlags; binaryForm[offset + 2] = (byte)(ace.BinaryLength >> 0); binaryForm[offset + 3] = (byte)(ace.BinaryLength >> 8); int baseOffset = offset + 4; int offsetLocal = 0; unchecked { binaryForm[baseOffset + 0] = (byte)(accessMask >> 0); binaryForm[baseOffset + 1] = (byte)(accessMask >> 8); binaryForm[baseOffset + 2] = (byte)(accessMask >> 16); binaryForm[baseOffset + 3] = (byte)(accessMask >> 24); } offsetLocal += 4; binaryForm[baseOffset + offsetLocal + 0] = (byte)(((uint)flags) >> 0); binaryForm[baseOffset + offsetLocal + 1] = (byte)(((uint)flags) >> 8); binaryForm[baseOffset + offsetLocal + 2] = (byte)(((uint)flags) >> 16); binaryForm[baseOffset + offsetLocal + 3] = (byte)(((uint)flags) >> 24); offsetLocal += 4; if ((flags & ObjectAceFlags.ObjectAceTypePresent) != 0) { type.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal); offsetLocal += 16; } if ((flags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0) { inheritedType.ToByteArray().CopyTo(binaryForm, baseOffset + offsetLocal); offsetLocal += 16; } sid.GetBinaryForm(binaryForm, baseOffset + offsetLocal); offsetLocal += sid.BinaryLength; opaque.CopyTo(binaryForm, baseOffset + offsetLocal); return(new object[] { ace, binaryForm, offset }); }
/// <summary>从当前 <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> 对象移除指定的审核规则。在指定对象类型或继承的对象类型时,为目录对象的访问控制列表 (ACL) 使用此方法。</summary> /// <param name="auditFlags">要移除的审核规则的类型。</param> /// <param name="sid">要为其移除审核规则的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param> /// <param name="accessMask">要移除的规则的访问掩码。</param> /// <param name="inheritanceFlags">指定要移除的规则的继承属性的标志。</param> /// <param name="propagationFlags">指定要移除的规则的继承传播属性的标志。</param> /// <param name="objectFlags">指定 <paramref name="objectType" /> 和 <paramref name="inheritedObjectType" /> 参数是否包含非 null 值的标志。</param> /// <param name="objectType">移除的审核控制规则所应用到的对象的类标识。</param> /// <param name="inheritedObjectType">可以继承移除的审核规则的子对象的类标识。</param> public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (!this.IsDS) { throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS")); } this.RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType); }
internal void RemoveQualifiedAcesSpecific( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType ) { if ( accessMask == 0 ) { throw new ArgumentException( Environment.GetResourceString( "Argument_ArgumentZero" ), "accessMask" ); } if ( qualifier == AceQualifier.SystemAudit && (( flags & AceFlags.AuditFlags ) == 0 )) { throw new ArgumentException( Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ), "flags" ); } if ( sid == null ) { throw new ArgumentNullException( "sid" ); } Contract.EndContractBlock(); ThrowIfNotCanonical(); for ( int i = 0; i < Count; i++ ) { QualifiedAce ace = _acl[i] as QualifiedAce; // // Not a qualified ACE - keep going // if ( ace == null ) { continue; } // // Only interested in explicit (non-inherited) ACEs // if (( ace.AceFlags & AceFlags.Inherited ) != 0 ) { continue; } // // Only interested in ACEs with the specified qualifier // if ( ace.AceQualifier != qualifier ) { continue; } // // Only interested in ACEs with the specified SID // if ( ace.SecurityIdentifier != sid ) { continue; } // // Only interested in exact ACE flag matches // if ( ace.AceFlags != flags ) { continue; } // // Only interested in exact access mask matches // if ( ace.AccessMask != accessMask ) { continue; } if ( IsDS ) { // // Incase of object aces, only interested in ACEs which match in their // objectType and inheritedObjectType // if (( ace is ObjectAce ) && ( objectFlags != ObjectAceFlags.None )) { // // both are object aces, so must match in object type and inherited object type // ObjectAce objectAce = ace as ObjectAce; if (( !objectAce.ObjectTypesMatch( objectFlags, objectType )) || ( !objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType ))) { continue; } } else if (( ace is ObjectAce ) || ( objectFlags != ObjectAceFlags.None )) { // one is object ace and the other is not, so no match continue; } } // // Got our exact match; now remove it // _acl.RemoveAce(i); i--; // keep the array index honest } OnAclModificationTried(); }
protected ObjectAuditRule( IdentityReference identity, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, Guid objectType, Guid inheritedObjectType, AuditFlags auditFlags ) : base( identity, accessMask, isInherited, inheritanceFlags, propagationFlags, auditFlags ) { if (( !objectType.Equals( Guid.Empty )) && (( accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 )) { _objectType = objectType; _objectFlags |= ObjectAceFlags.ObjectAceTypePresent; } else { _objectType = Guid.Empty; } if (( !inheritedObjectType.Equals( Guid.Empty )) && ((inheritanceFlags & InheritanceFlags.ContainerInherit ) != 0 )) { _inheritedObjectType = inheritedObjectType; _objectFlags |= ObjectAceFlags.InheritedObjectAceTypePresent; } else { _inheritedObjectType = Guid.Empty; } }
// // This method determines whether the object type and inherited object type from the original ace // should be retained or not based on access mask and aceflags for a given split // private void GetObjectTypesForSplit( ObjectAce originalAce, int accessMask, AceFlags aceFlags, out ObjectAceFlags objectFlags, out Guid objectType, out Guid inheritedObjectType ) { objectFlags = 0; objectType = Guid.Empty; inheritedObjectType = Guid.Empty; // // We should retain the object type if the access mask for this split contains any bits that refer to object type // if (( accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) { // keep the original ace's object flags and object type objectType = originalAce.ObjectAceType; objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent; } // // We should retain the inherited object type if the aceflags for this contains inheritance (ContainerInherit) // if (( aceFlags & AceFlags.ContainerInherit ) != 0 ) { // keep the original ace's object flags and object type inheritedObjectType = originalAce.InheritedObjectAceType; objectFlags |= originalAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent; } }
internal static bool ParseBinaryForm(byte[] binaryForm, int offset, out AceQualifier qualifier, out int accessMask, out SecurityIdentifier sid, out ObjectAceFlags objectFlags, out Guid objectAceType, out Guid inheritedObjectAceType, out bool isCallback, out byte[] opaque) { byte[] b = new byte[16]; GenericAce.VerifyHeader(binaryForm, offset); if (binaryForm.Length - offset >= 12 + SecurityIdentifier.MinBinaryLength) { AceType aceType = (AceType)binaryForm[offset]; switch (aceType) { case AceType.AccessAllowedObject: case AceType.AccessDeniedObject: case AceType.SystemAuditObject: case AceType.SystemAlarmObject: isCallback = false; break; case AceType.AccessAllowedCallbackObject: case AceType.AccessDeniedCallbackObject: case AceType.SystemAuditCallbackObject: case AceType.SystemAlarmCallbackObject: isCallback = true; break; default: goto label_38; } if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessAllowedCallbackObject) { qualifier = AceQualifier.AccessAllowed; } else if (aceType == AceType.AccessDeniedObject || aceType == AceType.AccessDeniedCallbackObject) { qualifier = AceQualifier.AccessDenied; } else if (aceType == AceType.SystemAuditObject || aceType == AceType.SystemAuditCallbackObject) { qualifier = AceQualifier.SystemAudit; } else if (aceType == AceType.SystemAlarmObject || aceType == AceType.SystemAlarmCallbackObject) { qualifier = AceQualifier.SystemAlarm; } else { goto label_38; } int num1 = offset + 4; int num2 = 0; accessMask = (int)binaryForm[num1 + 0] + ((int)binaryForm[num1 + 1] << 8) + ((int)binaryForm[num1 + 2] << 16) + ((int)binaryForm[num1 + 3] << 24); int num3 = num2 + 4; objectFlags = (ObjectAceFlags)((int)binaryForm[num1 + num3 + 0] + ((int)binaryForm[num1 + num3 + 1] << 8) + ((int)binaryForm[num1 + num3 + 2] << 16) + ((int)binaryForm[num1 + num3 + 3] << 24)); int num4 = num3 + 4; if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) { for (int index = 0; index < 16; ++index) { b[index] = binaryForm[num1 + num4 + index]; } num4 += 16; } else { for (int index = 0; index < 16; ++index) { b[index] = (byte)0; } } objectAceType = new Guid(b); if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) { for (int index = 0; index < 16; ++index) { b[index] = binaryForm[num1 + num4 + index]; } num4 += 16; } else { for (int index = 0; index < 16; ++index) { b[index] = (byte)0; } } inheritedObjectAceType = new Guid(b); sid = new SecurityIdentifier(binaryForm, num1 + num4); opaque = (byte[])null; int num5 = ((int)binaryForm[offset + 3] << 8) + (int)binaryForm[offset + 2]; if (num5 % 4 == 0) { int length = num5 - 4 - 4 - 4 - (int)(byte)sid.BinaryLength; if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) { length -= 16; } if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) { length -= 16; } if (length > 0) { opaque = new byte[length]; for (int index = 0; index < length; ++index) { opaque[index] = binaryForm[offset + num5 - length + index]; } } return(true); } } label_38: qualifier = AceQualifier.AccessAllowed; accessMask = 0; sid = (SecurityIdentifier)null; objectFlags = ObjectAceFlags.None; objectAceType = Guid.NewGuid(); inheritedObjectAceType = Guid.NewGuid(); isCallback = false; opaque = (byte[])null; return(false); }
public static void RemoveInheritedAces_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(2, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(3, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(2, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestRemoveInheritedAces(discretionaryAcl); }); //case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(0, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 5, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 6, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 7, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 8, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //215 has all AceFlags except InheritOnly aceFlag = (AceFlags)215; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 9, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 10, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); }
public bool RemoveAudit(AuditFlags auditFlags, System.Security.Principal.SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { return(default(bool)); }
/// <summary>初始化 <see cref="T:System.Security.AccessControl.ObjectAce" /> 类的新实例。</summary> /// <param name="aceFlags">新的访问控制项 (ACE) 的继承、继承传播和审核条件。</param> /// <param name="qualifier">使用新的 ACE。</param> /// <param name="accessMask">ACE 的访问掩码。</param> /// <param name="sid">与新的 ACE 关联的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param> /// <param name="flags"> /// <paramref name="type" /> 和 <paramref name="inheritedType" /> 参数是否包含有效的对象 GUID。</param> /// <param name="type">一个 GUID,标识新的 ACE 所应用到的对象类型。</param> /// <param name="inheritedType">一个 GUID,标识能够继承新的 ACE 的对象类型。</param> /// <param name="isCallback">如果新的 ACE 是回调类型的 ACE,则为 true。</param> /// <param name="opaque">与新的 ACE 关联的不透明数据。只有回调 ACE 类型才允许不透明数据。此数组的长度一定不能大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</param> /// <exception cref="T:System.ArgumentOutOfRangeException">qualifier 参数包含无效的值,或者不透明参数的值的长度大于 <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> 方法的返回值。</exception> public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque) : base(ObjectAce.TypeFromQualifier(isCallback, qualifier), aceFlags, accessMask, sid, opaque) { this._objectFlags = flags; this._objectAceType = type; this._inheritedObjectAceType = inheritedType; }
/// <summary>从当前 <see cref="T:System.Security.AccessControl.DiscretionaryAcl" /> 对象移除指定的访问控制项 (ACE)。在指定要移除的 ACE 的对象类型或继承的对象类型时,为目录对象的访问控制列表 (ACL) 使用此方法。</summary> /// <param name="accessType">要移除的访问控制类型(允许或拒绝)。</param> /// <param name="sid">要为其移除 ACE 的 <see cref="T:System.Security.Principal.SecurityIdentifier" />。</param> /// <param name="accessMask">要移除的 ACE 的访问掩码。</param> /// <param name="inheritanceFlags">指定要移除的 ACE 的继承属性的标志。</param> /// <param name="propagationFlags">指定要移除的 ACE 的继承传播属性的标志。</param> /// <param name="objectFlags">指定 <paramref name="objectType" /> 和 <paramref name="inheritedObjectType" /> 参数是否包含非 null 值的标志。</param> /// <param name="objectType">移除的 ACE 所应用到的对象的类标识。</param> /// <param name="inheritedObjectType">可以继承移除的 ACE 的子对象的类标识。</param> public void RemoveAccessSpecific(AccessControlType accessType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (!this.IsDS) { throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS")); } this.CheckAccessType(accessType); this.everyOneFullAccessForNullDacl = false; this.RemoveQualifiedAcesSpecific(sid, accessType == AccessControlType.Allow ? AceQualifier.AccessAllowed : AceQualifier.AccessDenied, accessMask, GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType); }
public void SetAudit(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (!base.IsDS) { throw new InvalidOperationException(Environment.GetResourceString("InvalidOperation_OnlyValidForDS")); } base.CheckFlags(inheritanceFlags, propagationFlags); base.SetQualifiedAce(sid, AceQualifier.SystemAudit, accessMask, (AceFlags)((byte)(GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags))), objectFlags, objectType, inheritedObjectType); }
public void SetAudit(AuditFlags auditFlags, System.Security.Principal.SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { }
// // This method checks if the inheritedObjectType matches with the specified inherited object type // (Either both do not have an inherited object type or they have the same inherited object type) // internal bool InheritedObjectTypesMatch(ObjectAceFlags objectFlags, Guid inheritedObjectType) { if ((ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent)) { return false; } if (((ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0) && (!InheritedObjectAceType.Equals(inheritedObjectType))) { return false; } return true; }
public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque);
// // Called by GenericAce.CreateFromBinaryForm to parse the binary form // of the object ACE and extract the useful pieces // internal static bool ParseBinaryForm( byte[] binaryForm, int offset, out AceQualifier qualifier, out int accessMask, out SecurityIdentifier sid, out ObjectAceFlags objectFlags, out Guid objectAceType, out Guid inheritedObjectAceType, out bool isCallback, out byte[] opaque) { byte[] guidArray = new byte[GuidLength]; // // Verify the ACE header // VerifyHeader(binaryForm, offset); // // Verify the length field // if (binaryForm.Length - offset < HeaderLength + AccessMaskLength + ObjectFlagsLength + SecurityIdentifier.MinBinaryLength) { goto InvalidParameter; } // // Identify callback ACE types // AceType type = (AceType)binaryForm[offset]; if (type == AceType.AccessAllowedObject || type == AceType.AccessDeniedObject || type == AceType.SystemAuditObject || type == AceType.SystemAlarmObject) { isCallback = false; } else if (type == AceType.AccessAllowedCallbackObject || type == AceType.AccessDeniedCallbackObject || type == AceType.SystemAuditCallbackObject || type == AceType.SystemAlarmCallbackObject) { isCallback = true; } else { goto InvalidParameter; } // // Compute the qualifier from the ACE type // if (type == AceType.AccessAllowedObject || type == AceType.AccessAllowedCallbackObject) { qualifier = AceQualifier.AccessAllowed; } else if (type == AceType.AccessDeniedObject || type == AceType.AccessDeniedCallbackObject) { qualifier = AceQualifier.AccessDenied; } else if (type == AceType.SystemAuditObject || type == AceType.SystemAuditCallbackObject) { qualifier = AceQualifier.SystemAudit; } else if (type == AceType.SystemAlarmObject || type == AceType.SystemAlarmCallbackObject) { qualifier = AceQualifier.SystemAlarm; } else { goto InvalidParameter; } int baseOffset = offset + HeaderLength; int offsetLocal = 0; accessMask = (int)( (((uint)binaryForm[baseOffset + 0]) << 0) + (((uint)binaryForm[baseOffset + 1]) << 8) + (((uint)binaryForm[baseOffset + 2]) << 16) + (((uint)binaryForm[baseOffset + 3]) << 24)); offsetLocal += AccessMaskLength; objectFlags = (ObjectAceFlags)( (((uint)binaryForm[baseOffset + offsetLocal + 0]) << 0) + (((uint)binaryForm[baseOffset + offsetLocal + 1]) << 8) + (((uint)binaryForm[baseOffset + offsetLocal + 2]) << 16) + (((uint)binaryForm[baseOffset + offsetLocal + 3]) << 24)); offsetLocal += ObjectFlagsLength; if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != 0) { for (int i = 0; i < GuidLength; i++) { guidArray[i] = binaryForm[baseOffset + offsetLocal + i]; } offsetLocal += GuidLength; } else { for (int i = 0; i < GuidLength; i++) { guidArray[i] = 0; } } objectAceType = new Guid(guidArray); if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0) { for (int i = 0; i < GuidLength; i++) { guidArray[i] = binaryForm[baseOffset + offsetLocal + i]; } offsetLocal += GuidLength; } else { for (int i = 0; i < GuidLength; i++) { guidArray[i] = 0; } } inheritedObjectAceType = new Guid(guidArray); sid = new SecurityIdentifier(binaryForm, baseOffset + offsetLocal); opaque = null; int aceLength = (binaryForm[offset + 3] << 8) + (binaryForm[offset + 2] << 0); if (aceLength % 4 != 0) { goto InvalidParameter; } int opaqueLength = (aceLength - HeaderLength - AccessMaskLength - ObjectFlagsLength - (byte)sid.BinaryLength); if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != 0) { opaqueLength -= GuidLength; } if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != 0) { opaqueLength -= GuidLength; } if (opaqueLength > 0) { opaque = new byte[opaqueLength]; for (int i = 0; i < opaqueLength; i++) { opaque[i] = binaryForm[offset + aceLength - opaqueLength + i]; } } return true; InvalidParameter: qualifier = 0; accessMask = 0; sid = null; objectFlags = 0; objectAceType = Guid.NewGuid(); inheritedObjectAceType = Guid.NewGuid(); isCallback = false; opaque = null; return false; }
public static void BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 3, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 4, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 5, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 6, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 7, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 8, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); }
private static bool ObjectTypeMatches(ObjectAceFlags flg1, Guid objType1, Guid inhObjType1, ObjectAceFlags flg2, Guid objType2, Guid inhObjType2) { return(((flg1 & flg2) != ObjectAceFlags.None || (flg1 == ObjectAceFlags.None && flg2 == ObjectAceFlags.None)) && (ObjectAceFlags.ObjectAceTypePresent != (ObjectAceFlags.ObjectAceTypePresent & flg1 & flg2) || !(objType1 != objType2)) && (ObjectAceFlags.InheritedObjectAceTypePresent != (ObjectAceFlags.InheritedObjectAceTypePresent & flg1 & flg2) || !(inhObjType1 != inhObjType2))); }
private bool GetInheritanceFlagsForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid inheritedObjectType, ref AceFlags aceFlags ) { if ((( ace.AceFlags & AceFlags.ContainerInherit ) != 0 ) && (( aceFlags & AceFlags.ContainerInherit ) != 0 )) { // // If the aces have inheritance bits in common // then we follow these rules: // // Remove No IOT IOT = A IOT = B // Existing // // No IOT Remove Invalid Invalid // // IOT = A Remove Remove Nothing Common // if ( ace is ObjectAce ) { bool commonInheritanceFlagsExist = true; ObjectAce objectAce = ace as ObjectAce; // // if what we are trying to remove has an inherited object type // but the existing ace does not then this is an invalid case // if ((( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) && (( objectAce.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 )) { return false; } // // if what we are trying to remove has no inherited object type or // if inherited object types match then we have common inheritance flags // commonInheritanceFlagsExist = (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) == 0 ) || objectAce.InheritedObjectTypesMatch( objectFlags, inheritedObjectType ); if ( !commonInheritanceFlagsExist ) { aceFlags &= ~AceFlags.InheritanceFlags; } } else if (( objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent ) != 0 ) { // the existing ace is a common ace and the one we're removing // refers to a specific child type so this is invalid return false; } } return true; }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; byte[] binaryForm = null; int offset = 0; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 3, a valid binary representation with revision 127, 1 CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 4, a valid binary representation with revision 1, 1 CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 5, a valid binary representation with revision 1, 1 ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 6, a valid binary representation with revision 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength)); //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5 revision = 127; capacity = 5; rawAcl = new RawAcl(revision, capacity); //SystemAudit CommonAce gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //Access Allowed CommonAce gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); //ObjectAce aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength)); }
// // Helper function behind all the SetXXX methods // internal void SetQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType ) { if ( sid == null ) { throw new ArgumentNullException( "sid" ); } if ( qualifier == AceQualifier.SystemAudit && (( flags & AceFlags.AuditFlags ) == 0 )) { throw new ArgumentException( Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ), "flags" ); } if ( accessMask == 0 ) { throw new ArgumentException( Environment.GetResourceString( "Argument_ArgumentZero" ), "accessMask" ); } Contract.EndContractBlock(); ThrowIfNotCanonical(); GenericAce newAce; if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None )) { newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null ); } else { newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null ); } // // Make sure the new ACE wouldn't be meaningless before proceeding // if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl ))) { return; } for ( int i = 0; i < Count; i++ ) { QualifiedAce ace = _acl[i] as QualifiedAce; // // Not a qualified ACE - keep going // if ( ace == null ) { continue; } // // Only interested in explicit (non-inherited) ACEs // if (( ace.AceFlags & AceFlags.Inherited ) != 0 ) { continue; } // // Only interested in ACEs with the specified qualifier // if ( ace.AceQualifier != qualifier ) { continue; } // // Only interested in ACEs with the specified SID // if ( ace.SecurityIdentifier != sid ) { continue; } // // This ACE corresponds to the SID and qualifier in question - remove it // _acl.RemoveAce( i ); i--; } // // As a final step, add the ACE we want. // Add it at the end - we'll re-canonicalize later. // _acl.InsertAce( _acl.Count, newAce ); // // To aid the efficiency of batch operations, recanonicalize this later // _isDirty = true; OnAclModificationTried(); }
private bool GetAccessMaskForRemoval( QualifiedAce ace, ObjectAceFlags objectFlags, Guid objectType, ref int accessMask ) { if (( ace.AccessMask & accessMask & ObjectAce.AccessMaskWithObjectType ) != 0 ) { // // If the aces have access bits in common which refer to object types // then we follow these rules: // // Remove No OT OT = A OT = B // Existing // // No OT Remove Invalid Invalid // // OT = A Remove Remove Nothing Common // if ( ace is ObjectAce ) { bool commonAccessBitsWithObjectTypeExist = true; ObjectAce objectAce = ace as ObjectAce; // // if what we are trying to remove has an object type // but the existing ace does not then this is an invalid case // if ((( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) && (( objectAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 )) { return false; } // // if what we are trying to remove has no object type or // if object types match (since at this point we have ensured that both have object types present) // then we have common access bits with object type // commonAccessBitsWithObjectTypeExist = (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 ) || objectAce.ObjectTypesMatch( objectFlags, objectType ); if ( !commonAccessBitsWithObjectTypeExist ) { accessMask &= ~ObjectAce.AccessMaskWithObjectType; } } else if (( objectFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) { // the existing ace is a common ace and the one we're removing // refers to a specific object type so this is invalid return false; } } return true; }
internal void RemoveAceSpecific(AceQualifier aceQualifier, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags auditFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType) { if (!IsDS) { throw new InvalidOperationException("For this overload, IsDS must be true."); } if (ObjectAceFlags.None == objectFlags) { RemoveAceSpecific(aceQualifier, sid, accessMask, inheritanceFlags, propagationFlags, auditFlags); return; } RequireCanonicity(); RemoveAces <ObjectAce> (ace => { if (ace.AccessMask != accessMask) { return(false); } if (ace.AceQualifier != aceQualifier) { return(false); } if (ace.SecurityIdentifier != sid) { return(false); } if (ace.InheritanceFlags != inheritanceFlags) { return(false); } if (InheritanceFlags.None != inheritanceFlags) { if (ace.PropagationFlags != propagationFlags) { return(false); } } if (ace.AuditFlags != auditFlags) { return(false); } if (ace.ObjectAceFlags != objectFlags) { return(false); } if (0 != (objectFlags & ObjectAceFlags.ObjectAceTypePresent)) { if (ace.ObjectAceType != objectType) { return(false); } } if (0 != (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent)) { if (ace.InheritedObjectAceType != objectType) { return(false); } } return(true); }); CanonicalizeAndClearAefa(); }
// // Helper function behind all the AddXXX methods for qualified aces // internal void AddQualifiedAce( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType ) { if ( sid == null ) { throw new ArgumentNullException( "sid" ); } Contract.EndContractBlock(); ThrowIfNotCanonical(); bool aceMerged = false; // if still false after all attempts to merge, create new entry if ( qualifier == AceQualifier.SystemAudit && (( flags & AceFlags.AuditFlags ) == 0 )) { throw new ArgumentException( Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ), "flags" ); } if ( accessMask == 0 ) { throw new ArgumentException( Environment.GetResourceString( "Argument_ArgumentZero" ), "accessMask" ); } GenericAce newAce; if (( !IsDS ) || ( objectFlags == ObjectAceFlags.None )) { newAce = new CommonAce( flags, qualifier, accessMask, sid, false, null ); } else { newAce = new ObjectAce( flags, qualifier, accessMask, sid, objectFlags, objectType, inheritedObjectType, false, null ); } // // Make sure the new ACE wouldn't be meaningless before proceeding // if ( false == InspectAce( ref newAce, ( this is DiscretionaryAcl ))) { return; } // // See if the new ACE can be merged with any of the existing ones // for ( int i = 0; i < Count; i++ ) { QualifiedAce ace = _acl[i] as QualifiedAce; if ( ace == null ) { continue; } if ( true == MergeAces( ref ace, newAce as QualifiedAce )) { aceMerged = true; break; } } // // Couldn't modify any existing entry, so add a new one // if ( !aceMerged ) { _acl.InsertAce( _acl.Count, newAce ); _isDirty = true; } OnAclModificationTried(); }
internal bool InheritedObjectTypesMatch(ObjectAceFlags objectFlags, Guid inheritedObjectType) { return((this.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) && ((this.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent) == ObjectAceFlags.None || this.InheritedObjectAceType.Equals(inheritedObjectType))); }
// // Helper function behind all the RemoveXXX methods // internal bool RemoveQualifiedAces( SecurityIdentifier sid, AceQualifier qualifier, int accessMask, AceFlags flags, bool saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType ) { if ( accessMask == 0 ) { throw new ArgumentException( Environment.GetResourceString( "Argument_ArgumentZero" ), "accessMask" ); } if ( qualifier == AceQualifier.SystemAudit && (( flags & AceFlags.AuditFlags ) == 0 )) { throw new ArgumentException( Environment.GetResourceString( "Arg_EnumAtLeastOneFlag" ), "flags" ); } if ( sid == null ) { throw new ArgumentNullException( "sid" ); } Contract.EndContractBlock(); ThrowIfNotCanonical(); // // Two passes are made. // During the first pass, no changes are made to the ACL, // the ACEs are simply evaluated to ascertain that the operation // can succeed. // If everything is kosher, the second pass is the one that makes changes. // bool evaluationPass = true; bool removePossible = true; // unless proven otherwise // // Needed for DS acls to keep track of the original access mask specified for removal // int originalAccessMask = accessMask; AceFlags originalFlags = flags; // // It is possible that the removal will result in an overflow exception // because more ACEs get inserted. // Save the current state of the object and revert to it later if // and exception is thrown. // byte[] recovery = new byte[BinaryLength]; GetBinaryForm( recovery, 0 ); MakeAnotherPass: try { for ( int i = 0; i < Count; i++ ) { QualifiedAce ace = _acl[i] as QualifiedAce; // // Not a qualified ACE - keep going // if ( ace == null ) { continue; } // // Only interested in explicit (non-inherited) ACEs // if (( ace.AceFlags & AceFlags.Inherited ) != 0 ) { continue; } // // Only interested in ACEs with the specified qualifier // if ( ace.AceQualifier != qualifier ) { continue; } // // Only interested in ACEs with the specified SID // if ( ace.SecurityIdentifier != sid ) { continue; } // // If access masks have nothing in common, skip the whole exercise // if ( IsDS ) { // // incase of directory aces, if the access mask of the // existing and new ace have any bits in common that need // an object type, then we need to perform some checks on the // object types in the two aces. Since certain bits are further qualified // by the object type they cannot be determined to be common without // inspecting the object type. It is possible that the same bits may be set but // the object types are different in which case they are really not common bits. // accessMask = originalAccessMask; bool objectTypesConflict = !GetAccessMaskForRemoval( ace, objectFlags, objectType, ref accessMask ); // if the access masks have nothing in common, skip if (( ace.AccessMask & accessMask ) == 0 ) { continue; } // // incase of directory aces, if the existing and new ace are being inherited, // then we need to perform some checks on the // inherited object types in the two aces. Since inheritance is further qualified // by the inherited object type the inheritance flags cannot be determined to be common without // inspecting the inherited object type. It is possible that both aces may be further inherited but if // the inherited object types are different the inheritance may not be common. // flags = originalFlags; bool inheritedObjectTypesConflict = !GetInheritanceFlagsForRemoval( ace, objectFlags, inheritedObjectType, ref flags ); if (((( ace.AceFlags & AceFlags.ContainerInherit ) == 0 ) && (( flags & AceFlags.ContainerInherit ) != 0 ) && (( flags & AceFlags.InheritOnly ) != 0 )) || ((( flags & AceFlags.ContainerInherit ) == 0 ) && (( ace.AceFlags & AceFlags.ContainerInherit ) != 0 ) && (( ace.AceFlags & AceFlags.InheritOnly ) != 0))) { // if one ace applies only to self and the other only to children/descendents we have nothing in common continue; } // // if the ace being removed referred only to child types and child types among existing ace and // ace being removed are not common then there is nothing in common between these aces (skip) // if ((( originalFlags & AceFlags.ContainerInherit ) != 0 ) && (( originalFlags & AceFlags.InheritOnly ) != 0 ) && (( flags & AceFlags.ContainerInherit ) == 0 )) { continue; } if ( objectTypesConflict || inheritedObjectTypesConflict ) { // // if we reached this stage, then we've found something common between the two aces. // But since there is a conflict between the object types (or inherited object types), the remove is not possible // removePossible = false; break; } } else { if (( ace.AccessMask & accessMask ) == 0 ) { continue; } } // // If audit flags on a SACL have nothing in common, // skip the whole exercise // if ( saclSemantics && (( ace.AceFlags & flags & AceFlags.AuditFlags ) == 0 )) { continue; } // // See if the ACE needs to be split into several // To illustrate with an example, consider this equation: // From: CI OI NP SA FA R W // Remove: OI IO NP SA R // // PermissionSplit: CI OI NP SA FA W // remove R // AuditingSplit: CI OI NP FA R // remove SA // MergeSplit: CI OI NP SA R // ready for merge // Remove: OI IO NP SA R // same audit and perm flags as merge split // // Result: CI OI NP SA FA W // PermissionSplit // CI OI NP FA R // AuditingSplit // CI NP SA R // Result of perm removal // // // Example for DS acls (when removal is possible) // // From: CI(Guid) LC CC(Guid) // Remove: CI IO LC // // PermissionSplit: CI(Guid) CC(Guid) // Remove GR // MergeSplit: CI(Guid) LC // Ready for merge // Remove: CI IO LC // Removal is possible since we are trying to remove inheritance for // all child types when it exists for one specific child type // // Result: CI(Guid) CC(Guid) // PermissionSplit // LC // Result of perm removal // // // Example for DS acls (when removal is NOT possible) // // From: CI GR CC(Guid) // Remove: CI(Guid) IO LC // // PermissionSplit: CI CC(Guid) // Remove GR // MergeSplit: CI LC // Ready for merge // Remove: CI(Guid) IO CC // Removal is not possible since we are trying to remove // inheritance for a specific child type when it exists for all child types // // Permission split settings AceFlags ps_AceFlags = 0; int ps_AccessMask = 0; ObjectAceFlags ps_ObjectAceFlags = 0; Guid ps_ObjectAceType = Guid.Empty; Guid ps_InheritedObjectAceType = Guid.Empty; // Auditing split makes sense if this is a SACL AceFlags as_AceFlags = 0; int as_AccessMask = 0; ObjectAceFlags as_ObjectAceFlags = 0; Guid as_ObjectAceType = Guid.Empty; Guid as_InheritedObjectAceType = Guid.Empty; // Merge split settings AceFlags ms_AceFlags = 0; int ms_AccessMask = 0; ObjectAceFlags ms_ObjectAceFlags = 0; Guid ms_ObjectAceType = Guid.Empty; Guid ms_InheritedObjectAceType = Guid.Empty; // Merge result settings AceFlags mergeResultFlags = 0; bool mergeRemoveTotal = false; // // First compute the permission split // ps_AceFlags = ace.AceFlags; unchecked { ps_AccessMask = ace.AccessMask & ~accessMask; } if ( ace is ObjectAce ) { // // determine what should be the object/inherited object types on the permission split // GetObjectTypesForSplit( ace as ObjectAce, ps_AccessMask /* access mask for this split */, ps_AceFlags /* flags remain the same */, out ps_ObjectAceFlags, out ps_ObjectAceType, out ps_InheritedObjectAceType ); } // // Next, for SACLs only, compute the auditing split // if ( saclSemantics ) { // // This operation can set the audit bits region // of ACE flags to zero; // This case will be handled later // unchecked { as_AceFlags = ace.AceFlags & ~( flags & AceFlags.AuditFlags ); } // // The result of this evaluation is guaranteed // not to be zero by now // as_AccessMask = ( ace.AccessMask & accessMask ); if ( ace is ObjectAce ) { // // determine what should be the object/inherited object types on the audit split // GetObjectTypesForSplit( ace as ObjectAce, as_AccessMask /* access mask for this split */, as_AceFlags /* flags remain the same for inheritance */, out as_ObjectAceFlags, out as_ObjectAceType, out as_InheritedObjectAceType ); } } // // Finally, compute the merge split // ms_AceFlags = ( ace.AceFlags & AceFlags.InheritanceFlags ) | ( flags & ace.AceFlags & AceFlags.AuditFlags ); ms_AccessMask = ( ace.AccessMask & accessMask ); // // Now is the time to obtain the result of applying the remove // operation to the merge split // Skipping this step for SACLs where the merge split step // produced no auditing flags // if ( !saclSemantics || (( ms_AceFlags & AceFlags.AuditFlags ) != 0 )) { if ( false == RemoveInheritanceBits( ms_AceFlags, flags, IsDS, out mergeResultFlags, out mergeRemoveTotal )) { removePossible = false; break; } if ( !mergeRemoveTotal ) { mergeResultFlags |= ( ms_AceFlags & AceFlags.AuditFlags ); if ( ace is ObjectAce ) { // // determine what should be the object/inherited object types on the merge split // GetObjectTypesForSplit( ace as ObjectAce, ms_AccessMask /* access mask for this split */, mergeResultFlags /* flags for this split */, out ms_ObjectAceFlags, out ms_ObjectAceType, out ms_InheritedObjectAceType ); } } } // // If this is no longer an evaluation, go ahead and make the changes // if ( !evaluationPass ) { QualifiedAce newAce; // // Modify the existing ACE in-place if it has any access // mask bits left, otherwise simply remove it // However, if for an object ace we are removing the object type // then we should really remove this ace and add a new one since // we would be changing the size of this ace // if ( ps_AccessMask != 0 ) { if (( ace is ObjectAce ) && (((( ObjectAce) ace ).ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) != 0 ) && (( ps_ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent ) == 0 )) { ObjectAce newObjectAce; _acl.RemoveAce(i); newObjectAce = new ObjectAce( ps_AceFlags, qualifier, ps_AccessMask, ace.SecurityIdentifier, ps_ObjectAceFlags, ps_ObjectAceType, ps_InheritedObjectAceType, false, null ); _acl.InsertAce( i, newObjectAce ); } else { ace.AceFlags = ps_AceFlags; ace.AccessMask = ps_AccessMask; if ( ace is ObjectAce ) { ObjectAce objectAce = ace as ObjectAce; objectAce.ObjectAceFlags = ps_ObjectAceFlags; objectAce.ObjectAceType = ps_ObjectAceType; objectAce.InheritedObjectAceType = ps_InheritedObjectAceType; } } } else { _acl.RemoveAce(i); i--; // keep the array index honest } // // On a SACL, the result of the auditing split must be recorded // if ( saclSemantics && (( as_AceFlags & AceFlags.AuditFlags ) != 0 )) { if ( ace is CommonAce ) { newAce = new CommonAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, false, null ); } else { // object ace newAce = new ObjectAce( as_AceFlags, qualifier, as_AccessMask, ace.SecurityIdentifier, as_ObjectAceFlags, as_ObjectAceType, as_InheritedObjectAceType, false, null ); } i++; // so it's not considered again _acl.InsertAce( i, newAce ); } // // If there are interesting bits left over from a remove, store them // as a separate ACE // if ( !mergeRemoveTotal ) { if ( ace is CommonAce ) { newAce = new CommonAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, false, null ); } else { // object ace newAce = new ObjectAce( mergeResultFlags, qualifier, ms_AccessMask, ace.SecurityIdentifier, ms_ObjectAceFlags, ms_ObjectAceType, ms_InheritedObjectAceType, false, null ); } i++; // so it's not considered again _acl.InsertAce( i, newAce ); } } } } catch( OverflowException ) { // // Oops, overflow means that the ACL became too big. // Inform the caller that the remove was not possible. // _acl.SetBinaryForm( recovery, 0 ); return false; } // // Finished evaluating the possibility of a remove. // If it looks like it's doable, go ahead and do it. // if ( evaluationPass && removePossible ) { evaluationPass = false; goto MakeAnotherPass; } OnAclModificationTried(); return removePossible; }
internal void Serialize(BinaryWriter writer) { byte[] sid_data = Sid.ToArray(); if (Type == AceType.AllowedCompound) { MemoryStream stm = new MemoryStream(); BinaryWriter sidwriter = new BinaryWriter(stm); sidwriter.Write((int)CompoundAceType.Impersonation); sidwriter.Write(ServerSid.ToArray()); sidwriter.Write(sid_data); sid_data = stm.ToArray(); } int total_length = 4 + 4 + sid_data.Length; if (ApplicationData != null) { total_length += ApplicationData.Length; } // Add a round up to 4 byte alignment. int padding = 4 - (total_length % 4); if (padding == 4) { padding = 0; } total_length += padding; ObjectAceFlags flags = ObjectAceFlags.None; if (IsObjectAce) { // For Flags total_length += 4; if (ObjectType.HasValue) { total_length += 16; flags |= ObjectAceFlags.ObjectTypePresent; } if (InheritedObjectType.HasValue) { total_length += 16; flags |= ObjectAceFlags.InheritedObjectTypePresent; } } if (total_length > ushort.MaxValue) { throw new ArgumentOutOfRangeException("Total ACE length greater than maximum"); } writer.Write((byte)Type); writer.Write(MapFromFlags(Type, Flags)); writer.Write((ushort)total_length); writer.Write(Mask.Access); if (IsObjectAce) { writer.Write((uint)flags); if (ObjectType.HasValue) { writer.Write(ObjectType.Value.ToByteArray()); } if (InheritedObjectType.HasValue) { writer.Write(InheritedObjectType.Value.ToByteArray()); } } writer.Write(sid_data); writer.Write(ApplicationData ?? new byte[0]); if (padding != 0) { writer.Write(new byte[padding]); } }
public void RemoveAuditSpecific( AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType ) { // // This is valid only for DS Acls // if ( !IsDS ) { throw new InvalidOperationException( Environment.GetResourceString( "InvalidOperation_OnlyValidForDS" )); } Contract.EndContractBlock(); RemoveQualifiedAcesSpecific(sid, AceQualifier.SystemAudit, accessMask, GenericAce.AceFlagsFromAuditFlags(auditFlags) | GenericAce.AceFlagsFromInheritanceFlags(inheritanceFlags, propagationFlags), objectFlags, objectType, inheritedObjectType); }
// // This method checks if the objectType matches with the specified object type // (Either both do not have an object type or they have the same object type) // internal bool ObjectTypesMatch(ObjectAceFlags objectFlags, Guid objectType) { if ((ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != (objectFlags & ObjectAceFlags.ObjectAceTypePresent)) { return false; } if (((ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != 0) && (!ObjectAceType.Equals(objectType))) { return false; } return true; }
// Constructors public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, System.Security.Principal.SecurityIdentifier sid, ObjectAceFlags flags, System.Guid type, System.Guid inheritedType, bool isCallback, byte[] opaque) {}
public void RemoveAuditSpecific(AuditFlags auditFlags, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType);
/// <summary>Initiates a new instance of the <see cref="T:System.Security.AccessControl.ObjectAce" /> class.</summary> /// <param name="aceFlags">The inheritance, inheritance propagation, and auditing conditions for the new Access Control Entry (ACE).</param> /// <param name="qualifier">The use of the new ACE.</param> /// <param name="accessMask">The access mask for the ACE.</param> /// <param name="sid">The <see cref="T:System.Security.Principal.SecurityIdentifier" /> associated with the new ACE.</param> /// <param name="flags">Whether the <paramref name="type" /> and <paramref name="inheritedType" /> parameters contain valid object GUIDs.</param> /// <param name="type">A GUID that identifies the object type to which the new ACE applies.</param> /// <param name="inheritedType">A GUID that identifies the object type that can inherit the new ACE.</param> /// <param name="isCallback">true if the new ACE is a callback type ACE.</param> /// <param name="opaque">Opaque data associated with the new ACE. This is allowed only for callback ACE types. The length of this array must not be greater than the return value of the <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> method.</param> /// <exception cref="T:System.ArgumentOutOfRangeException">The qualifier parameter contains an invalid value or the length of the value of the opaque parameter is greater than the return value of the <see cref="M:System.Security.AccessControl.ObjectAceMaxOpaqueLength" /> method.</exception> public ObjectAce(AceFlags aceFlags, AceQualifier qualifier, int accessMask, SecurityIdentifier sid, ObjectAceFlags flags, Guid type, Guid inheritedType, bool isCallback, byte[] opaque) : base(InheritanceFlags.None, PropagationFlags.None, qualifier, isCallback, opaque) { base.AceFlags = aceFlags; base.SecurityIdentifier = sid; this.object_ace_flags = flags; this.object_ace_type = type; this.inherited_object_type = inheritedType; }