private static bool TestAddAccess(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags) { bool result = true; byte[] dAclBinaryForm = null; byte[] rAclBinaryForm = null; discretionaryAcl.AddAccess(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags); if (discretionaryAcl.Count == rawAcl.Count && discretionaryAcl.BinaryLength == rawAcl.BinaryLength) { dAclBinaryForm = new byte[discretionaryAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < discretionaryAcl.Count; i++) { if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i])) { result = false; break; } } } else result = false; return result; }
public static void AdditionalTestCases() { RawAcl rawAcl = null; byte revision = 0; int capacity = 0; //case 1, capacity = -1 Assert.Throws<ArgumentOutOfRangeException>(() => { revision = 0; capacity = -1; rawAcl = new RawAcl(revision, capacity); }); //case 2, capacity = Int32.MaxValue/2 Assert.Throws<OutOfMemoryException>(() => { revision = 0; capacity = Int32.MaxValue / 2; TestConstructor(revision, capacity); }); //case 3, capacity = Int32.MaxValue Assert.Throws<OutOfMemoryException>(() => { revision = 0; capacity = Int32.MaxValue; TestConstructor(revision, capacity); }); }
public static void AceCount_AdditionalTests() { RawAcl rawAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; //case 1, DiscretionaryAcl with huge number of Aces revision = 0; capacity = 1; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); rawAcl = new RawAcl(revision, capacity); for (int i = 0; i < 1820; i++) { gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null); rawAcl.InsertAce(0, gAce); } isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(1820 == discretionaryAcl.Count); }
public static void BasicValidationTestCases() { GenericAce gAce = null; RawAcl rAcl = null; GenericAce[] gAces = null; // Case 1, when collection is actually empty rAcl = new RawAcl(1, 1); gAces = new GenericAce[rAcl.Count]; rAcl.CopyTo(gAces, 0); // Case 2, collection has one ACE rAcl = new RawAcl(0, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); gAces = new GenericAce[rAcl.Count]; rAcl.CopyTo(gAces, 0); //Case 3, index = 3 rAcl = new RawAcl(0, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BO")), false, null); rAcl.InsertAce(0, gAce); gAces = new GenericAce[rAcl.Count + 5]; //initialize to null for (int i = 0; i < gAces.Length; i++) gAces[i] = null; rAcl.CopyTo(gAces, 3); }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BA"; //case 1, empty RawAcl revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); Assert.True(0 == rawAcl.Count); //case 2, RawAcl with one Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); Assert.True(1 == rawAcl.Count); //case 3, RawAcl with two Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); Assert.True(2 == rawAcl.Count); }
private static bool TestRemoveAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, bool removePossible) { bool result = true; bool isRemoved = false; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; isRemoved = systemAcl.RemoveAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags); if ((isRemoved == removePossible) && (systemAcl.Count == rawAcl.Count) && (systemAcl.BinaryLength == rawAcl.BinaryLength)) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else result = false; return result; }
public static void BinaryLength_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); int expectedLength = 0; //case 1, DiscretionaryAcl with huge number of Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); expectedLength = 8; for (int i = 0; i < 1820; i++) { gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null); rawAcl.InsertAce(0, gAce); expectedLength += gAce.BinaryLength; } discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl); Assert.True(expectedLength == discretionaryAcl.BinaryLength); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BA"; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; //case 1, SysemAcl with huge number of Aces revision = 0; capacity = 1; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); rawAcl = new RawAcl(revision, capacity); for (int i = 0; i < 1820; i++) { gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null); rawAcl.InsertAce(0, gAce); } isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(1820 == systemAcl.Count); }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BA"; //case 1, empty RawAcl, binarylength should be 8 revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); Assert.True(8 == rawAcl.BinaryLength); //case 2, RawAcl with one Ace, binarylength should be 8 + the Ace's binarylength revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); Assert.True(8 + gAce.BinaryLength == rawAcl.BinaryLength); //case 3, RawAcl with two Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); Assert.True(8 + rawAcl[0].BinaryLength + rawAcl[1].BinaryLength == rawAcl.BinaryLength); }
public static void BasicValidationTestCases() { GenericAce gAce = null; RawAcl rAcl = null; // collection has one ACE. By code review, this properties always return false. So no addtional cases are needed rAcl = new RawAcl(0, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); Assert.True(null != rAcl.SyncRoot) ; }
public static void AceCount_BasicValidation() { RawAcl rawAcl = null; GenericAce gAce = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; byte revision = 0; int capacity = 0; string sid = "BG"; //case 1, empty DiscretionaryAcl revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(0 == discretionaryAcl.Count); //case 2, DiscretionaryAcl with one Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(1 == discretionaryAcl.Count); //case 3, DiscretionaryAcl with two Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //223 has all AceFlags gAce = new CommonAce((AceFlags)223, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(2 == discretionaryAcl.Count); }
public static void AdditionalTestCases() { GenericAce gAce = null; RawAcl rAcl = null; AceEnumerator aceEnumerator = null; //Case 1, RawAcl with huge number of Aces rAcl = new RawAcl(0, GenericAcl.MaxBinaryLength + 1); for (int i = 0; i < 1820; i++) { //this ace binary length is 36, 1820 * 36 = 65520 gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); } aceEnumerator = rAcl.GetEnumerator(); Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false)); }
public static void BasicValidationTestCases() { GenericAce gAce = null; RawAcl rAcl = null; AceEnumerator aceEnumerator = null; // Case 1, when collection is actually empty rAcl = new RawAcl(1, 1); aceEnumerator = rAcl.GetEnumerator(); //Case 2, collection has one ACE rAcl = new RawAcl(0, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); aceEnumerator = rAcl.GetEnumerator(); Assert.True(Utils.TestGetEnumerator(aceEnumerator, rAcl, false)); }
public static bool Constructor1(bool isContainer, bool isDS, int capacity) { bool result = true; byte[] dAclBinaryForm = null; byte[] rAclBinaryForm = null; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, capacity); rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, capacity); if (isContainer == discretionaryAcl.IsContainer && isDS == discretionaryAcl.IsDS && (isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision) == discretionaryAcl.Revision && 0 == discretionaryAcl.Count && 8 == discretionaryAcl.BinaryLength && true == discretionaryAcl.IsCanonical) { dAclBinaryForm = new byte[discretionaryAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < discretionaryAcl.Count; i++) { if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } Assert.True(result); return result; }
public static void TestConstructor(bool isContainer, bool isDS, byte revision, int capacity) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; SystemAcl systemAcl = null; RawAcl rawAcl = null; systemAcl = new SystemAcl(isContainer, isDS, revision, capacity); rawAcl = new RawAcl(revision, capacity); if (isContainer == systemAcl.IsContainer && isDS == systemAcl.IsDS && revision == systemAcl.Revision && 0 == systemAcl.Count && 8 == systemAcl.BinaryLength && true == systemAcl.IsCanonical) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } Assert.True(result); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")); //case 1, RawAcl with huge number of Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); for (int i = 0; i < 1820; i++) { //this ace binary length is 36, 1820 * 36 = 65520 gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, sid, false, null); rawAcl.InsertAce(0, gAce); } Assert.True(1820 == rawAcl.Count); }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; int expectedLength = 0; //case 1, empty systemAcl, binarylength should be 8 capacity = 1; systemAcl = new SystemAcl(false, false, capacity); expectedLength = 8; Assert.True(expectedLength == systemAcl.BinaryLength); //case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength expectedLength = 8; revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); expectedLength += gAce.BinaryLength; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(true, false, rawAcl); Assert.True(expectedLength == systemAcl.BinaryLength); //case 3, SystemAcl with two Aces expectedLength = 8; revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); expectedLength += gAce.BinaryLength; rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); expectedLength += gAce.BinaryLength; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); Assert.True(expectedLength == systemAcl.BinaryLength); }
public static void BinaryLength_BasicValidation() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; //case 1, empty discretionaryAcl, binarylength should be 8 capacity = 1; discretionaryAcl = new DiscretionaryAcl(false, false, capacity); Assert.True(8 == discretionaryAcl.BinaryLength); //case 2, discretionaryAcl with one Ace, binarylength should be 8 + the Ace's binarylength revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(true, false, rawAcl); Assert.True(8 + gAce.BinaryLength == discretionaryAcl.BinaryLength); //case 3, DiscretionaryAcl with two Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(false, false, rawAcl); Assert.True(8 + discretionaryAcl[0].BinaryLength + discretionaryAcl[1].BinaryLength == discretionaryAcl.BinaryLength); }
private static bool VerifyACL(DiscretionaryAcl discretionaryAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl) { bool result = true; byte[] dAclBinaryForm = null; byte[] rAclBinaryForm = null; if (discretionaryAcl.IsContainer == isContainer && discretionaryAcl.IsDS == isDS && discretionaryAcl.Revision == rawAcl.Revision && discretionaryAcl.Count == rawAcl.Count && discretionaryAcl.BinaryLength == rawAcl.BinaryLength && discretionaryAcl.IsCanonical == wasCanonicalInitially) { dAclBinaryForm = new byte[discretionaryAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < discretionaryAcl.Count; i++) { if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } return result; }
private static bool TestRemoveAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, bool removePossible) { bool result = true; bool isRemoved = false; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; isRemoved = systemAcl.RemoveAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags); if ((isRemoved == removePossible) && (systemAcl.Count == rawAcl.Count) && (systemAcl.BinaryLength == rawAcl.BinaryLength)) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) { result = false; } //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } return(result); }
private static bool TestConstructor(SystemAcl systemAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; if (systemAcl.IsContainer == isContainer && systemAcl.IsDS == isDS && systemAcl.Revision == rawAcl.Revision && systemAcl.Count == rawAcl.Count && systemAcl.BinaryLength == rawAcl.BinaryLength && systemAcl.IsCanonical == wasCanonicalInitially) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } return result; }
public void GetBinaryForm() { RawAcl acl = new RawAcl(1, 0); byte[] buffer = new byte[acl.BinaryLength]; acl.GetBinaryForm(buffer, 0); byte[] sdBinary = new byte[] { 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00 }; Assert.AreEqual(sdBinary, buffer); SecurityIdentifier builtInAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); CommonAce ace = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x7FFFFFFF, builtInAdmins, false, null); acl.InsertAce(0, ace); buffer = new byte[acl.BinaryLength]; acl.GetBinaryForm(buffer, 0); sdBinary = new byte[] { 0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; Assert.AreEqual(sdBinary, buffer); }
public void ContiguousRangeSorting() { SecurityIdentifier[] sids = new SecurityIdentifier[] { new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), // S-1-5-32-544 new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), // S-1-5-32-545 new SecurityIdentifier(WellKnownSidType.WorldSid, null), // S-1-1-0 new SecurityIdentifier("S-1-5-40"), new SecurityIdentifier("S-1-5-30-123"), new SecurityIdentifier("S-1-5-32-99"), new SecurityIdentifier("S-1-5-23-45-67"), new SecurityIdentifier("S-1-5-32-5432"), new SecurityIdentifier("S-1-0-2"), new SecurityIdentifier("S-1-6-0") }; GenericAce[] aces = new GenericAce[sids.Length]; for (int i = 0; i < aces.Length; i++) { aces [i] = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sids[i], false, null); } RawAcl acl = MakeRawAcl(aces); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, acl); Assert.IsTrue(dacl.IsCanonical); Assert.AreEqual(sids[8], ((CommonAce)dacl [0]).SecurityIdentifier); // S-1-0-2 Assert.AreEqual(sids[2], ((CommonAce)dacl [1]).SecurityIdentifier); // S-1-1-0 Assert.AreEqual(sids[3], ((CommonAce)dacl [2]).SecurityIdentifier); // S-1-5-40 Assert.AreEqual(sids[4], ((CommonAce)dacl [3]).SecurityIdentifier); // S-1-5-30-123 Assert.AreEqual(sids[5], ((CommonAce)dacl [4]).SecurityIdentifier); // S-1-5-32-99 Assert.AreEqual(sids[0], ((CommonAce)dacl [5]).SecurityIdentifier); // S-1-5-32-544 Assert.AreEqual(sids[1], ((CommonAce)dacl [6]).SecurityIdentifier); // S-1-5-32-545 Assert.AreEqual(sids[7], ((CommonAce)dacl [7]).SecurityIdentifier); // S-1-5-32-5432 Assert.AreEqual(sids[6], ((CommonAce)dacl [8]).SecurityIdentifier); // S-1-5-23-45-67 Assert.AreEqual(sids[9], ((CommonAce)dacl [9]).SecurityIdentifier); // S-1-6-0 }
[Test] // This blob produced by binaryForm1 from the BinaryRoundtrip test... public void BlobMatchesMSNet() { RawAcl acl = CreateRoundtripRawAcl(); byte[] binaryForm1 = new byte[acl.BinaryLength]; acl.GetBinaryForm(binaryForm1, 0); byte[] binaryForm2 = new byte[] { // 11 per line (byte)0x02, (byte)0x00, (byte)0x08, (byte)0x01, (byte)0x05, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x05, (byte)0x00, (byte)0x34, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x05, (byte)0x20, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x21, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x0B, (byte)0x00, (byte)0x3C, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x05, (byte)0x20, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x21, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x0B, (byte)0x00, (byte)0x30, (byte)0x00, (byte)0x04, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x90, (byte)0xFB, (byte)0x65, (byte)0x88, (byte)0xEB, (byte)0xA9, (byte)0x2F, (byte)0x42, (byte)0xA8, (byte)0xBA, (byte)0x07, (byte)0xEC, (byte)0xA6, (byte)0x11, (byte)0xD6, (byte)0x99, (byte)0x01, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x05, (byte)0x20, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x21, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x0B, (byte)0x00, (byte)0x40, (byte)0x00, (byte)0x04, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x03, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x7C, (byte)0x00, (byte)0x93, (byte)0xB8, (byte)0xD5, (byte)0x38, (byte)0x27, (byte)0x48, (byte)0xA6, (byte)0x98, (byte)0xBA, (byte)0x25, (byte)0xF1, (byte)0xE3, (byte)0x0B, (byte)0xAC, (byte)0x01, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x05, (byte)0x20, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x21, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x0B, (byte)0x00, (byte)0x20, (byte)0x00, (byte)0x04, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x05, (byte)0x20, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x21, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00 }; CompareBinaryForms(binaryForm2, binaryForm1); }
public static void Purge_AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; byte revision = 0; int capacity = 0; //case 1, null Sid Assert.Throws <ArgumentNullException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.Purge(null); }); }
private static void DecodeAclEntries(List <ACE> DecodedACL, RawAcl acl, Dictionary <uint, string> rights) { foreach (var ace in acl) { var DecodedACE = new ACE(); var knownAce = ace as KnownAce; if (knownAce != null) { DecodedACE.Trustee = knownAce.SecurityIdentifier.Value; DecodedACE.AccessType = knownAce.AceType > AceType.MaxDefinedAceType ? "Custom Access" : knownAce.AceType.ToString(); if (knownAce.AceFlags != AceFlags.None) { DecodedACE.AuditRights = knownAce.AceFlags.ToString(); } var mask = unchecked ((uint)knownAce.AccessMask); foreach (var r in rights.Keys) { if ((mask & r) == r) { DecodedACE.Permissions.Add(rights[r]); } } } else { throw new Exception("Not a known ACE Structure"); } DecodedACL.Add(DecodedACE); } }
[Test] // ... stumbled upon this by choosing Guid.Empty when needing an arbitrary GUID ... public void GuidEmptyMergesRegardlessOfFlagsAndOpaqueDataIsNotConsidered() { SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null); RawAcl acl = MakeRawAcl(new GenericAce[] { new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid, true, new byte[12]), new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 4, sid, false, new byte[8]), // gets merged new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid, ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty, false, new byte[8]), new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 2, sid, ObjectAceFlags.InheritedObjectAceTypePresent, Guid.Empty, Guid.Empty, true, new byte[16]), // gets merged new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 4, sid, ObjectAceFlags.InheritedObjectAceTypePresent, Guid.Empty, Guid.NewGuid(), true, new byte[4]) }); Assert.AreEqual(236, acl.BinaryLength); DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, acl); Assert.IsTrue(dacl.IsCanonical); Assert.AreEqual(3, dacl.Count); CommonAce cace = (CommonAce)dacl [0]; Assert.AreEqual(12, cace.OpaqueLength); Assert.AreEqual(5, cace.AccessMask); Assert.IsTrue(cace.IsCallback); ObjectAce oace = (ObjectAce)dacl [1]; Assert.AreEqual(8, oace.OpaqueLength); Assert.AreEqual(3, oace.AccessMask); Assert.AreEqual(ObjectAceFlags.ObjectAceTypePresent, oace.ObjectAceFlags); Assert.AreEqual(Guid.Empty, oace.ObjectAceType); Assert.IsFalse(oace.IsCallback); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, remove one audit ACE from the SystemAcl with no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 2, remove the last one audit ACE from the SystemAcl isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 3, accessMask = 0 AssertExtensions.Throws <ArgumentException>("accessMask", () => { isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 4, Audit Qualifier None AssertExtensions.Throws <ArgumentException>("auditFlags", () => { isContainer = true; isDS = false; auditFlags = 0; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = true; isDS = false; auditFlags = 1; accessMask = 1; sid = "BA"; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAuditSpecific((AuditFlags)auditFlags, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestRemoveAuditSpecific(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void TestRemoveAce(string sddl) { RawSecurityDescriptor rawSecurityDescriptor = null; RawAcl rawAcl = null; RawAcl rawAclVerifier = null; GenericAce ace = null; rawSecurityDescriptor = new RawSecurityDescriptor(sddl); rawAclVerifier = rawSecurityDescriptor.DiscretionaryAcl; rawAcl = Utils.CopyRawACL(rawAclVerifier); Assert.True(null != rawAcl && null != rawAclVerifier); int index = 0; int count = 0; //save current count count = rawAcl.Count; //test remove at -1 AssertExtensions.Throws <ArgumentOutOfRangeException>( "index", () => { index = -1; rawAcl.RemoveAce(index); }); //test remove at value too large AssertExtensions.Throws <ArgumentOutOfRangeException>( "index", () => { index = int.MaxValue; rawAcl.RemoveAce(index); }); //test remove at 0, only need to catch ArgumentOutOfRangeException if Count = 0 index = 0; try { //save a copy of the ace ace = rawAcl[index]; rawAcl.RemoveAce(index); Assert.False(0 == count); //verify the count number decrease one Assert.False(rawAcl.Count != count - 1); //verify the rawAcl.BinaryLength is updated correctly Assert.False(rawAcl.BinaryLength != rawAclVerifier.BinaryLength - ace.BinaryLength); //verify the removed ace is equal to the originial ace Assert.False(!Utils.IsAceEqual(ace, rawAclVerifier[index])); //verify right side aces are equal Assert.False(!Utils.AclPartialEqual(rawAcl, rawAclVerifier, index, rawAcl.Count - 1, index + 1, count - 1)); } catch (ArgumentOutOfRangeException) { Assert.True(0 == count); //it is expected, do nothing } //now insert that ace back if (ace != null) { rawAcl.InsertAce(index, ace); } //test remove at Count/2, do not need to catch ArgumentOutOfRangeException index = count / 2; //when count/2 = 0 it is reduandent if (0 != index) { //save a copy of the ace ace = rawAcl[index]; rawAcl.RemoveAce(index); //verify the count number decrease one Assert.False(rawAcl.Count != count - 1); //verify the rawAcl.BinaryLength is updated correctly Assert.False(rawAcl.BinaryLength != rawAclVerifier.BinaryLength - ace.BinaryLength); //verify the removed ace is equal to the originial ace Assert.False(!Utils.IsAceEqual(ace, rawAclVerifier[index])); //verify the left and right side aces are equal Assert.False(!Utils.AclPartialEqual(rawAcl, rawAclVerifier, 0, index - 1, 0, index - 1) || !Utils.AclPartialEqual(rawAcl, rawAclVerifier, index, rawAcl.Count - 1, index + 1, count - 1)); //now insert that removed ace rawAcl.InsertAce(index, ace); } //test remove at Count - 1, do not need to catch ArgumentOutOfRangeException index = count - 1; //when count -1 = -1, 0, or count/2, it is reduandent if (-1 != index && 0 != index && count / 2 != index) { //save a copy of the ace ace = rawAcl[index]; rawAcl.RemoveAce(index); //verify the count number decrease one Assert.False(rawAcl.Count != count - 1); //verify the rawAcl.BinaryLength is updated correctly Assert.False(rawAcl.BinaryLength != rawAclVerifier.BinaryLength - ace.BinaryLength); //verify the removed ace is equal to the originial ace Assert.False(!Utils.IsAceEqual(ace, rawAclVerifier[index])); //verify the left and right side aces are equal Assert.False(!Utils.AclPartialEqual(rawAcl, rawAclVerifier, 0, index - 1, 0, index - 1) || !Utils.AclPartialEqual(rawAcl, rawAclVerifier, index, rawAcl.Count - 1, index + 1, count - 1)); //now insert that inserted ace rawAcl.InsertAce(index, ace); } //test remove at Count index = count; //when count = 0, or count/2, it is reduandent if (0 != index && count / 2 != index) { Assert.Throws <ArgumentOutOfRangeException>(() => { ace = rawAcl[index]; rawAcl.RemoveAce(index); }); } }
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl) { }
public static void RemoveInheritedAces_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(2, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(3, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(2, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestRemoveInheritedAces(discretionaryAcl); }); //case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(0, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 5, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 6, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 7, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 8, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //215 has all AceFlags except InheritOnly aceFlag = (AceFlags)215; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 9, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 10, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); }
private void UpdateTokenData() { UserGroup user = _token.GetUser(); txtUsername.Text = user.GetName(); txtUserSid.Text = user.Sid.ToString(); TokenType tokentype = _token.GetTokenType(); txtTokenType.Text = _token.GetTokenType().ToString(); TokenLibrary.TokenImpersonationLevel implevel = _token.GetImpersonationLevel(); txtImpLevel.Text = implevel.ToString(); txtTokenId.Text = FormatLuid(_token.GetTokenId()); txtModifiedId.Text = FormatLuid(_token.GetModifiedId()); txtAuthId.Text = FormatLuid(_token.GetAuthenticationId()); if (Enum.IsDefined(typeof(TokenLibrary.TokenIntegrityLevel), _token.GetTokenIntegrityLevel())) { comboBoxIL.SelectedItem = _token.GetTokenIntegrityLevel(); comboBoxILForDup.SelectedItem = _token.GetTokenIntegrityLevel(); } else { comboBoxIL.Text = _token.GetTokenIntegrityLevel().ToString(); comboBoxILForDup.Text = _token.GetTokenIntegrityLevel().ToString(); } txtSessionId.Text = _token.GetSessionId().ToString(); txtSourceName.Text = _token.GetSourceName(); txtSourceId.Text = FormatLuid(_token.GetSourceId()); TokenElevationType evtype = _token.GetElevationType(); txtElevationType.Text = evtype.ToString(); txtIsElevated.Text = _token.IsElevated().ToString(); txtOriginLoginId.Text = FormatLuid(_token.GetTokenOriginId()); btnLinkedToken.Enabled = evtype != TokenElevationType.Default; UpdateGroupList(); txtPrimaryGroup.Text = _token.GetPrimaryGroup().GetName(); txtOwner.Text = _token.GetDefaultOwner().GetName(); RawAcl defdacl = _token.GetDefaultDacl(); if (defdacl != null) { foreach (GenericAce ace in defdacl) { KnownAce kace = ace as KnownAce; if (kace != null) { UserGroup group = new UserGroup(kace.SecurityIdentifier, GroupFlags.None); ListViewItem item = new ListViewItem(group.GetName()); uint mask = (uint)(GenericAccessRights.GenericAll | GenericAccessRights.GenericExecute | GenericAccessRights.GenericRead | GenericAccessRights.GenericWrite); string maskstr; if (((uint)kace.AccessMask & ~mask) != 0) { maskstr = String.Format("0x{0:X08}", kace.AccessMask); } else { GenericAccessRights generic = (GenericAccessRights)kace.AccessMask; maskstr = generic.ToString(); } item.SubItems.Add(maskstr); item.SubItems.Add(kace.AceFlags.ToString()); item.SubItems.Add(kace.AceType.ToString()); listViewDefDacl.Items.Add(item); } } } else { listViewDefDacl.Items.Add("No Default DACL"); } listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent); listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize); if (_token.IsRestricted()) { PopulateGroupList(listViewRestrictedSids, _token.GetRestrictedSids()); } else { tabControlMain.TabPages.Remove(tabPageRestricted); } if (_token.IsAppContainer()) { PopulateGroupList(listViewCapabilities, _token.GetCapabilities()); txtACNumber.Text = _token.GetAppContainerNumber().ToString(); txtPackageSid.Text = _token.GetPackageSid().GetName(); } else { tabControlMain.TabPages.Remove(tabPageAppContainer); } txtUIAccess.Text = _token.IsUIAccess().ToString(); txtSandboxInert.Text = _token.IsSandboxInert().ToString(); bool virtAllowed = _token.IsVirtualizationAllowed(); txtVirtualizationAllowed.Text = virtAllowed.ToString(); if (virtAllowed) { txtVirtualizationEnabled.Text = _token.IsVirtualizationEnabled().ToString(); } else { txtVirtualizationEnabled.Text = "N/A"; } txtMandatoryILPolicy.Text = _token.GetIntegrityLevelPolicy().ToString(); UpdatePrivileges(); }
public static RawAcl CreateRawAclFromString(string rawAclString) { RawAcl rawAcl = null; byte revision = 0; int capacity = 1; CommonAce cAce = null; AceFlags aceFlags = AceFlags.None; AceQualifier aceQualifier = AceQualifier.AccessAllowed; int accessMask = 1; SecurityIdentifier sid = null; bool isCallback = false; int opaqueSize = 0; byte[] opaque = null; string[] parts = null; string[] subparts = null; char[] delimiter1 = new char[] { '#' }; char[] delimiter2 = new char[] { ':' }; if (rawAclString != null) { rawAcl = new RawAcl(revision, capacity); parts = rawAclString.Split(delimiter1); for (int i = 0; i < parts.Length; i++) { subparts = parts[i].Split(delimiter2); if (subparts.Length != 6) { return null; } aceFlags = (AceFlags)byte.Parse(subparts[0]); aceQualifier = (AceQualifier)int.Parse(subparts[1]); accessMask = int.Parse(subparts[2]); sid = new SecurityIdentifier(TranslateStringConstFormatSidToStandardFormatSid(subparts[3])); isCallback = bool.Parse(subparts[4]); if (!isCallback) opaque = null; else { opaqueSize = int.Parse(subparts[5]); opaque = new byte[opaqueSize]; } cAce = new CommonAce(aceFlags, aceQualifier, accessMask, sid, isCallback, opaque); rawAcl.InsertAce(rawAcl.Count, cAce); } } return rawAcl; }
public static void SetAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, non-Container, but InheritanceFlags is not None AssertExtensions.Throws <ArgumentException>("inheritanceFlags", () => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 2, non-Container, but PropagationFlags is not None AssertExtensions.Throws <ArgumentException>("propagationFlags", () => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 3, set one allowed ACE to the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 4, accessMask = 0 AssertExtensions.Throws <ArgumentException>("accessMask", () => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case6, all the ACEs in the Dacl are non-qualified ACE, no replacement isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, set without replacement, exceed binary length boundary, throw exception isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, set without replacement, not exceed binary length boundary isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 28]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestSetAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask + 1, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 9, set Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws <ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.SetAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public RawSecurityDescriptor(ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, RawAcl systemAcl, RawAcl discretionaryAcl);
public static void BasicValidationTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; GenericAce verifierGAce = null; string owner1 = "BO"; string owner2 = "BA"; string owner3 = "BG"; int index = 0; // case 1, only one ACE, get at index 0 rawAcl = new RawAcl(1, 1); index = 0; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); //case 2, two ACEs, index at Count -1 rawAcl = new RawAcl(1, 2); //208 has SuccessfulAccess, FailedAccess and Inherited gAce = new CommonAce((AceFlags)208, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(0, gAce); //gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(owner2), false, null); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(1, gAce); systemAcl = new SystemAcl(false, false, rawAcl); gAce = rawAcl[1]; index = systemAcl.Count - 1; verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); //case 3, only three ACEs, index at Count/2 rawAcl = new RawAcl(1, 3); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null); rawAcl.InsertAce(0, gAce); //208 has SuccessfulAccess, FailedAccess and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(1, gAce); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null); rawAcl.InsertAce(2, gAce); systemAcl = new SystemAcl(false, false, rawAcl); gAce = rawAcl[1]; index = systemAcl.Count / 2; verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); //case 4, 3 ACEs, test merge, index at Count -1 rawAcl = new RawAcl(1, 2); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(1, gAce); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(2, gAce); systemAcl = new SystemAcl(false, false, rawAcl); gAce = rawAcl[1]; gAce.AceFlags = AceFlags.SuccessfulAccess | AceFlags.FailedAccess; index = systemAcl.Count - 1; verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); }
/// <summary> /// Canonicalize the Dacl /// </summary> /// <param name="objectSecurity"></param> public static void CanonicalizeDacl(NativeObjectSecurity objectSecurity) { if (objectSecurity.AreAccessRulesCanonical) { return; } // A canonical ACL must have ACES sorted according to the following order: // 1. Access-denied on the object // 2. Access-denied on a child or property // 3. Access-allowed on the object // 4. Access-allowed on a child or property // 5. All inherited ACEs RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access)); var explicitDenyDacl = new List <CommonAce>(); var explicitDenyObjectDacl = new List <CommonAce>(); var inheritedDacl = new List <CommonAce>(); var explicitAllowDacl = new List <CommonAce>(); var explicitAllowObjectDacl = new List <CommonAce>(); foreach (CommonAce ace in descriptor.DiscretionaryAcl) { if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); } else { switch (ace.AceType) { case AceType.AccessAllowed: explicitAllowDacl.Add(ace); break; case AceType.AccessDenied: explicitDenyDacl.Add(ace); break; case AceType.AccessAllowedObject: explicitAllowObjectDacl.Add(ace); break; case AceType.AccessDeniedObject: explicitDenyObjectDacl.Add(ace); break; } } } int aceIndex = 0; var newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count); explicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); explicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x)); if (aceIndex != descriptor.DiscretionaryAcl.Count) { throw new InvalidOperationException("The Dacl cannot be canonicalized since it would potentially result in a loss of information"); } descriptor.DiscretionaryAcl = newDacl; objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access); }
public static void RemoveAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; bool removePossible = false; byte[] opaque = null; //Case 1, remove one ACE from the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)) ; //Case 2, remove the last ACE from the DiscretionaryAcl isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)) ; //Case 3, accessMask = 0 Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 4, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; removePossible = true; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestRemoveAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible); }); //Case 7, Remove Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.Throws <ArgumentOutOfRangeException>(() => { discretionaryAcl.RemoveAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static bool TestGetEnumerator(IEnumerator enumerator, RawAcl rAcl, bool isExplicit) { bool result = false;//assume failure GenericAce gAce = null; if (!(isExplicit ? enumerator.MoveNext() : ((AceEnumerator)enumerator).MoveNext())) {//enumerator is created from empty RawAcl if (0 != rAcl.Count) { return(false); } else { return(true); } } else if (0 == rAcl.Count) {//rawAcl is empty but enumerator is still enumerable return(false); } else//non-empty rAcl, non-empty enumerator { //check all aces enumerated are in the RawAcl if (isExplicit) { enumerator.Reset(); } else { ((AceEnumerator)enumerator).Reset(); } while (isExplicit ? enumerator.MoveNext() : ((AceEnumerator)enumerator).MoveNext()) { gAce = (GenericAce)(isExplicit ? enumerator.Current : ((AceEnumerator)enumerator).Current); //check this gAce exists in the RawAcl for (int i = 0; i < rAcl.Count; i++) { if (GenericAce.ReferenceEquals(gAce, rAcl[i])) {//found result = true; break; } } if (!result) {//not exists in the RawAcl, failed return(false); } //enumerate to next one } //check all aces of rAcl are enumerable by the enumerator result = false; //assume failure for (int i = 0; i < rAcl.Count; i++) { gAce = rAcl[i]; //check this gAce is enumerable if (isExplicit) { enumerator.Reset(); } else { ((AceEnumerator)enumerator).Reset(); } while (isExplicit ? enumerator.MoveNext() : ((AceEnumerator)enumerator).MoveNext()) { if (GenericAce.ReferenceEquals((GenericAce)(isExplicit ? enumerator.Current : ((AceEnumerator)enumerator).Current), gAce)) { result = true; break; } } if (!result) {//not enumerable return(false); } //check next ace in the rAcl } //now all passed return(true); } }
public static bool TestGetEnumerator(IEnumerator enumerator, RawAcl rAcl, bool isExplicit) { bool result = false;//assume failure GenericAce gAce = null; if (!(isExplicit ? enumerator.MoveNext() : ((AceEnumerator)enumerator).MoveNext())) {//enumerator is created from empty RawAcl if (0 != rAcl.Count) return false; else return true; } else if (0 == rAcl.Count) {//rawAcl is empty but enumerator is still enumerable return false; } else//non-empty rAcl, non-empty enumerator { //check all aces enumerated are in the RawAcl if (isExplicit) { enumerator.Reset(); } else { ((AceEnumerator)enumerator).Reset(); } while (isExplicit ? enumerator.MoveNext() : ((AceEnumerator)enumerator).MoveNext()) { gAce = (GenericAce)(isExplicit ? enumerator.Current : ((AceEnumerator)enumerator).Current); //check this gAce exists in the RawAcl for (int i = 0; i < rAcl.Count; i++) { if (GenericAce.ReferenceEquals(gAce, rAcl[i])) {//found result = true; break; } } if (!result) {//not exists in the RawAcl, failed return false; } //enumerate to next one } //check all aces of rAcl are enumerable by the enumerator result = false; //assume failure for (int i = 0; i < rAcl.Count; i++) { gAce = rAcl[i]; //check this gAce is enumerable if (isExplicit) { enumerator.Reset(); } else { ((AceEnumerator)enumerator).Reset(); } while (isExplicit ? enumerator.MoveNext() : ((AceEnumerator)enumerator).MoveNext()) { if (GenericAce.ReferenceEquals((GenericAce)(isExplicit ? enumerator.Current : ((AceEnumerator)enumerator).Current), gAce)) { result = true; break; } } if (!result) {//not enumerable return false; } //check next ace in the rAcl } //now all passed return true; } }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; bool removePossible = false; byte[] opaque = null; //Case 1, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, remove one audit ACE from the SystemAcl with no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)); //Case 5, remove the last one ACE from the SystemAcl isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)); //Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, true); }); //Case 7, remove split cause overflow // Test case no longer relevant in CoreCLR // Non-canonical ACLs cannot be modified }
public static void TestConstructor(byte revision, int capacity) { RawAcl rawAcl = new RawAcl(revision, capacity); Assert.True(revision == rawAcl.Revision && 0 == rawAcl.Count && 8 == rawAcl.BinaryLength); }
public static void GetModifiableServices() { // finds any services that the current can modify (or modify the parent folder) // modified from https://stackoverflow.com/questions/15771998/how-to-give-a-user-permission-to-start-and-stop-a-particular-service-using-c-sha/15796352#15796352 ServiceController[] scServices; scServices = ServiceController.GetServices(); var GetServiceHandle = typeof(System.ServiceProcess.ServiceController).GetMethod("GetServiceHandle", BindingFlags.Instance | BindingFlags.NonPublic); object[] readRights = { 0x00020000 }; ServiceAccessRights[] ModifyRights = { ServiceAccessRights.ChangeConfig, ServiceAccessRights.WriteDac, ServiceAccessRights.WriteOwner, ServiceAccessRights.GenericAll, ServiceAccessRights.GenericWrite, ServiceAccessRights.AllAccess }; Console.WriteLine("\r\n\r\n=== Modifiable Services ===\r\n"); foreach (ServiceController sc in scServices) { try { IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights); ServiceControllerStatus status = sc.Status; byte[] psd = new byte[0]; uint bufSizeNeeded; bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded); if (!ok) { int err = Marshal.GetLastWin32Error(); if (err == 122 || err == 0) { // ERROR_INSUFFICIENT_BUFFER // expected; now we know bufsize psd = new byte[bufSizeNeeded]; ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded); } else { //throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + _name + ": error code=" + err); continue; } } if (!ok) { //throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + _name + ": error code=" + Marshal.GetLastWin32Error()); continue; } // get security descriptor via raw into DACL form so ACE ordering checks are done for us. RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0); RawAcl racl = rsd.DiscretionaryAcl; DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl); WindowsIdentity identity = WindowsIdentity.GetCurrent(); foreach (System.Security.AccessControl.CommonAce ace in dacl) { if (identity.Groups.Contains(ace.SecurityIdentifier)) { ServiceAccessRights serviceRights = (ServiceAccessRights)ace.AccessMask; foreach (ServiceAccessRights ModifyRight in ModifyRights) { if ((ModifyRight & serviceRights) == ModifyRight) { ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", String.Format("SELECT * FROM win32_service WHERE Name LIKE '{0}'", sc.ServiceName)); ManagementObjectCollection data = wmiData.Get(); foreach (ManagementObject result in data) { Console.WriteLine(" Name : {0}", result["Name"]); Console.WriteLine(" DisplayName : {0}", result["DisplayName"]); Console.WriteLine(" Description : {0}", result["Description"]); Console.WriteLine(" State : {0}", result["State"]); Console.WriteLine(" StartMode : {0}", result["StartMode"]); Console.WriteLine(" PathName : {0}", result["PathName"]); } break; } } } } } catch (Exception ex) { // Console.WriteLine("Exception: " + ex); } } }
public static RawAcl CopyRawACL(RawAcl rawAcl) { byte[] binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); return(new RawAcl(binaryForm, 0)); }
public static void RemoveAccessSpecific_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, remove one ACE from the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 2, remove the last one ACE from the DiscretionaryAcl isContainer = true; isDS = false; accessControlType = 0; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 3, accessMask = 0 Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 4, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; sid = "BA"; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { TestRemoveAccessSpecific (discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws<ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; RawAcl rawAclVerifier = null; GenericAce ace = null; GenericAce aceVerifier = null; int count = 0; int index = 0; byte revision = 0; int capacity = 1; int flags = 1; int qualifier = 0; int accessMask = 1; string sid = "BA"; bool isCallback = false; int opaqueSize = 8; //test insert at 0 rawAcl = new RawAcl(revision, capacity); rawAclVerifier = new RawAcl(revision, capacity); ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]); index = 0; //save current count count = rawAcl.Count; rawAcl.InsertAce(index, ace); //verify the count number increase one Assert.True(rawAcl.Count == count + 1); //verify the inserted ace is equal to the originial ace aceVerifier = rawAcl[index]; Assert.True(ace == aceVerifier); //verify right side aces are equal Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1)); //insert the same ACE to rawAclVerifier for next test rawAclVerifier.InsertAce(index, ace); //test insert at Count sid = "BA"; ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]); count = rawAcl.Count; index = count; rawAcl.InsertAce(index, ace); //verify the count number increase one Assert.True(rawAcl.Count == count + 1); //verify the inserted ace is equal to the originial ace aceVerifier = rawAcl[index]; Assert.True(ace == aceVerifier); //verify right side aces are equal Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1)); //insert the same ACE to rawAclVerifier for next test rawAclVerifier.InsertAce(index, ace); //test insert at Count - 1 sid = "BG"; ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]); count = rawAcl.Count; index = count - 1; rawAcl.InsertAce(index, ace); //verify the count number increase one Assert.True(rawAcl.Count == count + 1); //verify the inserted ace is equal to the originial ace aceVerifier = rawAcl[index]; Assert.True(ace == aceVerifier); //verify right side aces are equal Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1)); //insert the same ACE to rawAclVerifier for next test rawAclVerifier.InsertAce(index, ace); //test insert at Count /2 sid = "BO"; ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]); rawAcl.InsertAce(0, ace); rawAclVerifier.InsertAce(0, ace); count = rawAcl.Count; index = count / 2; sid = "SO"; ace = new CommonAce((AceFlags)flags, (AceQualifier)qualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), isCallback, new byte[opaqueSize]); rawAcl.InsertAce(index, ace); //verify the count number increase one Assert.True(rawAcl.Count == count + 1); //verify the inserted ace is equal to the originial ace aceVerifier = rawAcl[index]; Assert.True(ace == aceVerifier); //verify right side aces are equal Assert.True(Utils.AclPartialEqual(rawAcl, rawAclVerifier, index + 1, rawAcl.Count - 1, index, count - 1)); }
public static void BasicValidationTestCases() { RawAcl rAcl = null; GenericAce gAce = null; byte[] binaryForm = null; //Case 1, a RawAcl with one AccessAllowed Ace SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")); byte[] verifierBinaryForm = null; byte[] sidBinaryForm = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBinaryForm, 0); rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, sid, false, null); rAcl.InsertAce(0, gAce); binaryForm = new byte[rAcl.BinaryLength]; verifierBinaryForm = new byte[rAcl.BinaryLength]; rAcl.GetBinaryForm(binaryForm, 0); int errorCode; if (0 == Utils.Win32AclLayer.InitializeAclNative (verifierBinaryForm, (uint)rAcl.BinaryLength, (uint)GenericAcl.AclRevision)) { errorCode = Marshal.GetLastPInvokeError(); } else if (0 == Utils.Win32AclLayer.AddAccessAllowedAceExNative (verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)AceFlags.None, (uint)1, sidBinaryForm)) { errorCode = Marshal.GetLastPInvokeError(); } else { Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm)); } //Case 2, a RawAcl with one AccessDenied Ace sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")); verifierBinaryForm = null; sidBinaryForm = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBinaryForm, 0); rAcl = new RawAcl(GenericAcl.AclRevision, 1); //31 include ObjectInherit, ContainerInherit, NoPropagateInherit, InheritOnly and Inherited gAce = new CommonAce((AceFlags)31, AceQualifier.AccessDenied, 1, sid, false, null); rAcl.InsertAce(0, gAce); binaryForm = new byte[rAcl.BinaryLength]; verifierBinaryForm = new byte[rAcl.BinaryLength]; rAcl.GetBinaryForm(binaryForm, 0); if (0 == Utils.Win32AclLayer.InitializeAclNative (verifierBinaryForm, (uint)rAcl.BinaryLength, (uint)GenericAcl.AclRevision)) { errorCode = Marshal.GetLastPInvokeError(); } else if (0 == Utils.Win32AclLayer.AddAccessDeniedAceExNative (verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)31, (uint)1, sidBinaryForm)) { errorCode = Marshal.GetLastPInvokeError(); } else { Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm)); } //Case 3, a RawAcl with one Audit Ace sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")); verifierBinaryForm = null; sidBinaryForm = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBinaryForm, 0); rAcl = new RawAcl(GenericAcl.AclRevision, 1); //223 include ObjectInherit, ContainerInherit, NoPropagateInherit, InheritOnly, Inherited, SuccessfulAccess and FailedAccess gAce = new CommonAce((AceFlags)223, AceQualifier.SystemAudit, 1, sid, false, null); rAcl.InsertAce(0, gAce); binaryForm = new byte[rAcl.BinaryLength]; verifierBinaryForm = new byte[rAcl.BinaryLength]; rAcl.GetBinaryForm(binaryForm, 0); if (0 == Utils.Win32AclLayer.InitializeAclNative (verifierBinaryForm, (uint)rAcl.BinaryLength, (uint)GenericAcl.AclRevision)) { errorCode = Marshal.GetLastPInvokeError(); } else if (0 == Utils.Win32AclLayer.AddAuditAccessAceExNative (verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)223, (uint)1, sidBinaryForm, 1, 1)) { errorCode = Marshal.GetLastPInvokeError(); } else { Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm)); } }
public static Dictionary <string, string> GetModifiableServices(Dictionary <string, string> SIDs) { Dictionary <string, string> results = new Dictionary <string, string>(); ServiceController[] scServices; scServices = ServiceController.GetServices(); var GetServiceHandle = typeof(System.ServiceProcess.ServiceController).GetMethod("GetServiceHandle", BindingFlags.Instance | BindingFlags.NonPublic); object[] readRights = { 0x00020000 }; foreach (ServiceController sc in scServices) { try { IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights); ServiceControllerStatus status = sc.Status; byte[] psd = new byte[0]; bool ok = Advapi32.QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out uint bufSizeNeeded); if (!ok) { int err = Marshal.GetLastWin32Error(); if (err == 122 || err == 0) { // ERROR_INSUFFICIENT_BUFFER // expected; now we know bufsize psd = new byte[bufSizeNeeded]; ok = Advapi32.QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, bufSizeNeeded, out bufSizeNeeded); } else { //throw new ApplicationException("error calling QueryServiceObjectSecurity() to get DACL for " + _name + ": error code=" + err); continue; } } if (!ok) { //throw new ApplicationException("error calling QueryServiceObjectSecurity(2) to get DACL for " + _name + ": error code=" + Marshal.GetLastWin32Error()); continue; } // get security descriptor via raw into DACL form so ACE ordering checks are done for us. RawSecurityDescriptor rsd = new RawSecurityDescriptor(psd, 0); RawAcl racl = rsd.DiscretionaryAcl; DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl); List <string> permissions = new List <string>(); foreach (System.Security.AccessControl.CommonAce ace in dacl) { if (SIDs.ContainsKey(ace.SecurityIdentifier.ToString())) { int serviceRights = ace.AccessMask; string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, PermissionType.WRITEABLE_OR_EQUIVALENT_SVC); if (!string.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str)) { permissions.Add(current_perm_str); } } } if (permissions.Count > 0) { string perms = String.Join(", ", permissions); if (perms.Replace("Start", "").Replace("Stop", "").Length > 3) //Check if any other permissions appart from Start and Stop { results.Add(sc.ServiceName, perms); } } } catch (Exception) { //Beaprint.PrintException(ex.Message) } } return(results); }
public static void AdditionalTestCases() { RawAcl rAcl = null; GenericAce gAce = null; byte[] binaryForm = null; //Case 1, array binaryForm is null Assert.Throws <ArgumentNullException>(() => { rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); rAcl.GetBinaryForm(binaryForm, 0); }); //Case 2, offset is negative Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[100]; rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); rAcl.GetBinaryForm(binaryForm, -1); }); //Case 3, offset is equal to binaryForm length Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[100]; rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); rAcl.GetBinaryForm(binaryForm, binaryForm.Length); }); //Case , offset is a big positive number rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); binaryForm = new byte[rAcl.BinaryLength + 10000]; rAcl.GetBinaryForm(binaryForm, 10000); //recreate the RawAcl from BinaryForm rAcl = new RawAcl(binaryForm, 10000); byte[] verifierBinaryForm = new byte[rAcl.BinaryLength]; rAcl.GetBinaryForm(verifierBinaryForm, 0); Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm)); //Case 4, binaryForm array's size is insufficient Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[4]; rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); rAcl.GetBinaryForm(binaryForm, 0); }); //Case 5, an empty RawAcl binaryForm = new byte[16]; verifierBinaryForm = new byte[16]; for (int i = 0; i < binaryForm.Length; i++) { binaryForm[i] = (byte)0; verifierBinaryForm[i] = (byte)0; } rAcl = new RawAcl(GenericAcl.AclRevision, 1); rAcl.GetBinaryForm(binaryForm, 0); int errorCode; if (0 == Utils.Win32AclLayer.InitializeAclNative (verifierBinaryForm, (uint)8, (uint)GenericAcl.AclRevision)) { errorCode = Marshal.GetLastPInvokeError(); } else { Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm)); } //Case 6, a RawAcl with huge number of AccessAllowed, AccessDenied, and AuditAce SecurityIdentifier sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")); verifierBinaryForm = null; byte[] sidBinaryForm = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBinaryForm, 0); rAcl = new RawAcl(GenericAcl.AclRevision, GenericAcl.MaxBinaryLength + 1); for (int i = 0; i < 780; i++) { //three aces binary length together is 24 + 36 + 24 = 84, 780 * 84 = 65520 gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i, sid, false, null); rAcl.InsertAce(rAcl.Count, gAce); gAce = new CommonAce((AceFlags)223, AceQualifier.SystemAudit, i + 1, sid, false, null); rAcl.InsertAce(rAcl.Count, gAce); gAce = new CommonAce((AceFlags)31, AceQualifier.AccessDenied, i + 2, sid, false, null); rAcl.InsertAce(rAcl.Count, gAce); } binaryForm = new byte[rAcl.BinaryLength]; verifierBinaryForm = new byte[rAcl.BinaryLength]; rAcl.GetBinaryForm(binaryForm, 0); if (0 == Utils.Win32AclLayer.InitializeAclNative (verifierBinaryForm, (uint)rAcl.BinaryLength, (uint)GenericAcl.AclRevision)) { errorCode = Marshal.GetLastPInvokeError(); } else { int i = 0; for (i = 0; i < 780; i++) { if (0 == Utils.Win32AclLayer.AddAccessAllowedAceExNative (verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)AceFlags.None, (uint)i, sidBinaryForm)) { errorCode = Marshal.GetLastPInvokeError(); break; } if (0 == Utils.Win32AclLayer.AddAuditAccessAceExNative (verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)223, (uint)(i + 1), sidBinaryForm, 1, 1)) { errorCode = Marshal.GetLastPInvokeError(); break; } if (0 == Utils.Win32AclLayer.AddAccessDeniedAceExNative (verifierBinaryForm, (uint)GenericAcl.AclRevision, (uint)31, (uint)(i + 2), sidBinaryForm)) { errorCode = Marshal.GetLastPInvokeError(); break; } } if (i == 780) { //the loop finishes Assert.True(Utils.IsBinaryFormEqual(binaryForm, verifierBinaryForm)); } else { Utils.PrintBinaryForm(binaryForm); Utils.PrintBinaryForm(verifierBinaryForm); } } }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; GenericAce verifierGAce = null; string owner = null; int index = 0; // case 1, no ACE, get index at -1 Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; systemAcl = new SystemAcl(false, false, rawAcl); verifierGAce = systemAcl[index]; }); //case 2, no ACE, get index at Count Assert.Throws <ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); systemAcl = new SystemAcl(false, false, rawAcl); index = systemAcl.Count; verifierGAce = systemAcl[index]; }); //case 3, no ACE, set index at -1 Assert.Throws <NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); systemAcl = new SystemAcl(false, false, rawAcl); index = -1; owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); systemAcl[index] = gAce; }); //case 4, no ACE, set index at Count Assert.Throws <NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); systemAcl = new SystemAcl(true, false, rawAcl); index = systemAcl.Count; owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); systemAcl[index] = gAce; }); //case 5, set null Ace Assert.Throws <NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); index = 0; gAce = null; systemAcl[index] = gAce; }); //case 6, set index at 0 Assert.Throws <NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); index = 0; owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); systemAcl[index] = gAce; }); }
public static void Constructor3_AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //drop the Ace from rawAcl rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //15 has all inheritance AceFlags but Inherited gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //8 has inheritOnly gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 4, 1 CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.None; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); //case 5, 1 CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); // 2 has ContainerInherit aceFlag = (AceFlags)2; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); //case 6, 1 ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 7, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 8, all Aces from case 1, and 3 to 6 revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); //0 access Mask gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // ObjectAce aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // CustomAce aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.None; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(rawAcl.Count, gAce); // CompoundAce aceFlag = (AceFlags)2; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString()))); rawAcl.InsertAce(rawAcl.Count, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); rawAcl.RemoveAce(0); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); discretionaryAcl = null; isContainer = false; isDS = false; rawAcl = null; //case 1, rawAcl = null discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); }
public static void Purge_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; int aceCount = 0; SecurityIdentifier sid = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sidStr = "LA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 2, only have 1 explicit Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritonly and inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 3, only have 1 explicit Ace of different sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all aceflags but inheritedonly and inherited sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); gAce = new CommonAce((AceFlags)199, AceQualifier.AccessDenied, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; sidStr = "BA"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 4, only have 1 inherited Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 5, have one explicit Ace and one inherited Ace of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritedonly and inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, sid, false, null); rawAcl.InsertAce(0, gAce); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 2, sid, false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); //case 6, have two explicit Aces of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //207 has all AceFlags but inherited gAce = new CommonAce((AceFlags)207, AceQualifier.AccessAllowed, 1, sid, false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessDenied, 2, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, 0)); //case 7, 1 explicit CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //199 has all AceFlags except InheritOnly and Inherited aceFlag = (AceFlags)199; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); aceCount = 1; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestPurge(discretionaryAcl, sid, aceCount); }); //case 8, 1 explicit CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestPurge(discretionaryAcl, sid, aceCount); }); //case 9, 1 explicit ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(discretionaryAcl, sid, aceCount)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, null sid Assert.Throws <ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, non-Container, but InheritanceFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 5, non-Container, but PropagationFlags is not None Assert.Throws <ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 6, Container, but InheritanceFlags is None, but PropagationFlags is InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 7, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit); }); //Case 8, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit | InheritOnly Assert.Throws <ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.AddAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly); }); //Case 9, add one audit ACE to the SystemAcl has no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 10, all the ACEs in the Sacl are non-qualified ACE, no merge Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 11, add Ace to exceed binary length boundary, throw exception Assert.Throws <InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1; //InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException systemAcl.AddAudit((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
private static bool VerifyACL(DiscretionaryAcl discretionaryAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl) { bool result = true; byte[] dAclBinaryForm = null; byte[] rAclBinaryForm = null; if (discretionaryAcl.IsContainer == isContainer && discretionaryAcl.IsDS == isDS && discretionaryAcl.Revision == rawAcl.Revision && discretionaryAcl.Count == rawAcl.Count && discretionaryAcl.BinaryLength == rawAcl.BinaryLength && discretionaryAcl.IsCanonical == wasCanonicalInitially) { dAclBinaryForm = new byte[discretionaryAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm)) { result = false; } //redundant index check for (int i = 0; i < discretionaryAcl.Count; i++) { if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } return(result); }
public static void AddAccess_AdditionalTestCases() { RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; bool isContainer = false; bool isDS = false; int accessControlType = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, non-Container, but InheritanceFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 2, non-Container, but PropagationFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 3, Container, InheritanceFlags is None, PropagationFlags is InheritOnly Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 4, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit); }); //Case 5, Container, InheritanceFlags is None, PropagationFlags is NoPropagateInherit | InheritOnly Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess(AccessControlType.Allow, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly); }); //Case 6, accessMask = 0 Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; accessControlType = 1; sid = "BA"; accessMask = 0; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 7, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = true; isDS = false; accessControlType = 1; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, add one Access ACE to the DiscretionaryAcl with no ACE isContainer = true; isDS = false; accessControlType = 0; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)) ; //Case 9, Container, InheritOnly ON, but ContainerInherit and ObjectInherit are both OFF //add meaningless Access ACE to the DiscretionaryAcl with no ACE, ace should not //be added. There are mutiple type of meaningless Ace, but as both AddAccess and Constructor3 //call the same method to check the meaninglessness, only some sanitory cases are enough. //bug# 288116 Assert.Throws<ArgumentException>(() => { isContainer = true; isDS = false; inheritanceFlags = 0;//InheritanceFlags.None propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 10, add Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE, // should throw appropriate exception for wrong parameter, bug#287188 Assert.Throws<ArgumentOutOfRangeException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 100; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 11, all the ACEs in the Dacl are non-qualified ACE, no merge Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestAddAccess(discretionaryAcl, rawAcl, (AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 12, add Ace to exceed binary length boundary, throw exception isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly accessControlType = 0; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ; rawAcl.InsertAce(0, gAce); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws<InvalidOperationException>(() => { discretionaryAcl.AddAccess((AccessControlType)accessControlType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public DiscretionaryAcl(bool isContainer, bool isDS, RawAcl rawAcl);
public static void RemoveInheritedAces_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(2, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(3, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(2, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestRemoveInheritedAces(discretionaryAcl); }); //case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(0, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 5, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 6, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 7, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 8, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //215 has all AceFlags except InheritOnly aceFlag = (AceFlags)215; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 9, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 10, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); }
public SystemAcl(bool isContainer, bool isDS, RawAcl rawAcl);
public static void BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 3, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 4, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 5, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 6, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 7, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 8, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); }