// Constructor. internal KnownAce(AceFlags aceFlags, AceType aceType, int accessMask, SecurityIdentifier securityIdentifier) : base(aceFlags, aceType) { this.accessMask = accessMask; this.securityIdentifier = securityIdentifier; }
internal GenericAce (AceType type) { if (type <= AceType.MaxDefinedAceType) { throw new ArgumentOutOfRangeException ("type"); } this.ace_type = type; }
internal CommonAce (AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, byte[] opaque) : base(type, flags, opaque) { AccessMask = accessMask; SecurityIdentifier = sid; }
public KnownAce(AceType type, AceFlags flags, int mask, Sid sid) { if ( type != AceType.AccessAllowed && type != AceType.AccessDenied && type != AceType.SystemAlarm && type != AceType.SystemAudit ) throw new ArgumentException("Invalid ACE type."); this.MemoryRegion = new MemoryAlloc( Marshal.SizeOf(typeof(KnownAceStruct)) - sizeof(int) + sid.Length ); KnownAceStruct knownAce = new KnownAceStruct(); knownAce.Header.AceType = type; knownAce.Header.AceFlags = flags; knownAce.Header.AceSize = (ushort)this.MemoryRegion.Size; knownAce.Mask = mask; this.MemoryRegion.WriteStruct<KnownAceStruct>(knownAce); this.MemoryRegion.WriteMemory(Win32.KnownAceSidStartOffset.ToInt32(), sid, 0, sid.Length); this.Read(); }
internal AzRecord(Guid subjectId, Guid actionId, AceType reaction, string objectId) { SubjectId = subjectId; ActionId = actionId; Reaction = reaction; ObjectId = objectId; }
public KnownAce(AceType type, AceFlags flags, int mask, Sid sid) { if ( type != AceType.AccessAllowed && type != AceType.AccessDenied && type != AceType.SystemAlarm && type != AceType.SystemAudit ) throw new ArgumentException("Invalid ACE type."); this.MemoryRegion = new MemoryAlloc( Marshal.SizeOf(typeof(KnownAceStruct)) - // known ace struct size sizeof(int) + // minus SidStart field sid.Length // plus SID length ); KnownAceStruct knownAce = new KnownAceStruct(); // Initialize the ACE (minus the SID). knownAce.Header.AceType = type; knownAce.Header.AceFlags = flags; knownAce.Header.AceSize = (ushort)this.MemoryRegion.Size; knownAce.Mask = mask; // Write the ACE to memory. this.MemoryRegion.WriteStruct<KnownAceStruct>(knownAce); // Write the SID. this.MemoryRegion.WriteMemory(Win32.KnownAceSidStartOffset.ToInt32(), sid, 0, sid.Length); // Update the cached info. this.Read(); }
public CustomAce(AceType type, AceFlags flags, byte[] opaque) : base(type, flags) { if (type <= AceType.SystemAlarmCallbackObject) { throw new ArgumentOutOfRangeException("type", Environment.GetResourceString("ArgumentOutOfRange_InvalidUserDefinedAceType")); } this.SetOpaque(opaque); }
public CustomAce (AceType type, AceFlags flags, byte[] opaque) : base(type, flags) { /* FIXME: check length of opaque > * MaxOpaqueLength or !multiple of 4 */ SetOpaque (opaque); }
internal GenericAce (AceType type, AceFlags flags) { if (type > AceType.MaxDefinedAceType) { throw new ArgumentOutOfRangeException ("type"); } this.ace_type = type; this.ace_flags = flags; }
internal KnownAce(AceType type, AceFlags flags, int accessMask, System.Security.Principal.SecurityIdentifier securityIdentifier) : base(type, flags) { if (securityIdentifier == null) { throw new ArgumentNullException("securityIdentifier"); } this.AccessMask = accessMask; this.SecurityIdentifier = securityIdentifier; }
// Constructor. internal QualifiedAce(AceFlags aceFlags, AceType aceType, int accessMask, SecurityIdentifier securityIdentifier, byte[] opaque, AceQualifier aceQualifier, bool isCallback) : base(aceFlags, aceType, accessMask, securityIdentifier) { this.opaque = opaque; this.aceQualifier = aceQualifier; this.isCallback = isCallback; }
internal ObjectAce (AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, ObjectAceFlags objFlags, Guid objType, Guid inheritedType, byte[] opaque) : base(type, flags, opaque) { AccessMask = accessMask; SecurityIdentifier = sid; ObjectAceFlags = objFlags; ObjectAceType = objType; InheritedObjectAceType = inheritedType; }
internal GenericAce(byte[] binaryForm, int offset) { if (binaryForm == null) throw new ArgumentNullException("binaryForm"); if (offset < 0 || offset > binaryForm.Length - 2) throw new ArgumentOutOfRangeException("offset", offset, "Offset out of range"); ace_type = (AceType)binaryForm[offset]; ace_flags = (AceFlags)binaryForm[offset + 1]; }
// Constructor. public CustomAce(AceType aceType, AceFlags aceFlags, byte[] opaque) : base(aceFlags, aceType) { this.opaque = opaque; }
public AzRecord(Guid subjectId, Guid actionId, AceType reaction, ISecurityObjectId objectId) : this(subjectId, actionId, reaction, AzObjectIdHelper.GetFullObjectId(objectId)) { }
internal QualifiedAce (AceType type, AceFlags flags, byte[] opaque) : base (type, flags) { SetOpaque (opaque); }
public static void BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; int aceCount = 0; SecurityIdentifier sid = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sidStr = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 2, only have 1 explicit Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritedonly and inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 3, only have 1 explicit Ace of different sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all aceflags but inheritedonly and inherited sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 1; sidStr = "BA"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 4, only have 1 inherited Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 5, have one explicit Ace and one inherited Ace of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritedonly and inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 2, sid, false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 6, have two explicit Aces of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(systemAcl, sid, 0)); //case 7, 1 explicit CustomAce Assert.Throws <InvalidOperationException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //199 has all aceflags but inheritedonly and inherited aceFlag = (AceFlags)199; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); aceCount = 1; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestPurge(systemAcl, sid, aceCount); }); //case 8, 1 explicit CompoundAce Assert.Throws <InvalidOperationException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestPurge(systemAcl, sid, aceCount); }); //case 9, 1 explict ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(systemAcl, sid, aceCount)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; byte[] binaryForm = null; int offset = 0; //case 1, binaryForm is null Assert.Throws <ArgumentNullException>(() => { binaryForm = null; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 2, binaryForm is empty Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[0]; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 3, negative offset Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[100]; offset = -1; rawAcl = new RawAcl(binaryForm, offset); }); //case 4, binaryForm length less than GenericAcl.HeaderLength Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[4]; offset = 0; rawAcl = new RawAcl(binaryForm, offset); }); //case 5, a RawAcl of length 64K. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; //CustomAce constructor parameters AceType aceType = 0; AceFlags aceFlag = 0; byte[] opaque = null; revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = new byte[GenericAcl.MaxBinaryLength - 3 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4 gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 6, a RawAcl of length 64K + 1. RawAcl length = HeaderLength + all ACE's length // = HeaderLength + (HeaderLength + OpaqueLength) * num_of_custom_ace // = 8 + ( 4 + OpaqueLength) * num_of_custom_ace gAce = null; sid = "BA"; //CustomAce constructor parameters aceType = 0; aceFlag = 0; binaryForm = new byte[65536]; AssertExtensions.Throws <ArgumentException>("binaryForm", () => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); rawAcl.GetBinaryForm(binaryForm, 0); //change the length bytes to 65535 binaryForm[2] = 0xf; binaryForm[3] = 0xf; //change the aceCount to 1 binaryForm[4] = 1; aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4]; //GenericAcl.MaxBinaryLength = 65535, is not multiple of 4 gAce = new CustomAce(aceType, aceFlag, opaque); gAce.GetBinaryForm(binaryForm, 8); TestCreateFromBinaryForm(binaryForm, 0, revision, 1, binaryForm.Length); }); //case 7, a valid binary representation with revision 255, 256 Access //CommonAce to test the correctness of the process of the AceCount in the header revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); for (int i = 0; i < 256; i++) { gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); } binaryForm = new byte[rawAcl.BinaryLength + 1000]; rawAcl.GetBinaryForm(binaryForm, 1000); Assert.True(TestCreateFromBinaryForm(binaryForm, 1000, revision, 256, rawAcl.BinaryLength)); //case 8, array containing garbage Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); //case 9, array containing garbage Assert.Throws <ArgumentOutOfRangeException>(() => { //binary form shows the length will be 1, actual length is 12 binaryForm = new byte[] { 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); //case 10, array containing garbage Assert.Throws <ArgumentOutOfRangeException>(() => { binaryForm = new byte[] { 1, 1, 12, 0, 1, 1, 1, 1, 1, 1, 1, 1 }; TestCreateFromBinaryForm(binaryForm, offset, revision, 1, 12); }); }
private static bool IsObjectType(AceType type) { return type == AceType.AccessAllowedCallbackObject || type == AceType.AccessAllowedObject || type == AceType.AccessDeniedCallbackObject || type == AceType.AccessDeniedObject || type == AceType.SystemAlarmCallbackObject || type == AceType.SystemAlarmObject || type == AceType.SystemAuditCallbackObject || type == AceType.SystemAuditObject; }
private AceQualifier QualifierFromType( AceType type, out bool isCallback ) { // // Better performance might be achieved by using a hard-coded table // switch ( type ) { case AceType.AccessAllowed: isCallback = false; return AceQualifier.AccessAllowed; case AceType.AccessDenied: isCallback = false; return AceQualifier.AccessDenied; case AceType.SystemAudit: isCallback = false; return AceQualifier.SystemAudit; case AceType.SystemAlarm: isCallback = false; return AceQualifier.SystemAlarm; case AceType.AccessAllowedCallback: isCallback = true; return AceQualifier.AccessAllowed; case AceType.AccessDeniedCallback: isCallback = true; return AceQualifier.AccessDenied; case AceType.SystemAuditCallback: isCallback = true; return AceQualifier.SystemAudit; case AceType.SystemAlarmCallback: isCallback = true; return AceQualifier.SystemAlarm; case AceType.AccessAllowedObject: isCallback = false; return AceQualifier.AccessAllowed; case AceType.AccessDeniedObject: isCallback = false; return AceQualifier.AccessDenied; case AceType.SystemAuditObject: isCallback = false; return AceQualifier.SystemAudit; case AceType.SystemAlarmObject: isCallback = false; return AceQualifier.SystemAlarm; case AceType.AccessAllowedCallbackObject: isCallback = true; return AceQualifier.AccessAllowed; case AceType.AccessDeniedCallbackObject: isCallback = true; return AceQualifier.AccessDenied; case AceType.SystemAuditCallbackObject: isCallback = true; return AceQualifier.SystemAudit; case AceType.SystemAlarmCallbackObject: isCallback = true; return AceQualifier.SystemAlarm; default: // // Indicates a bug in the implementation, not in user's code // Contract.Assert( false, "Invalid ACE type" ); throw new SystemException(); } }
internal KnownAce(AceType type, AceFlags flags, int accessMask, SecurityIdentifier securityIdentifier) : base(type, flags) { if (securityIdentifier == null) { throw new ArgumentNullException(nameof(securityIdentifier)); } Contract.EndContractBlock(); // // The values are set by invoking the properties. // AccessMask = accessMask; SecurityIdentifier = securityIdentifier; }
internal QualifiedAce(AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, byte[] opaque) : base(type, flags, accessMask, sid) { this._qualifier = this.QualifierFromType(type, out this._isCallback); this.SetOpaque(opaque); }
private AceQualifier QualifierFromType(AceType type, out bool isCallback) { switch (type) { case AceType.AccessAllowed: isCallback = false; return(AceQualifier.AccessAllowed); case AceType.AccessDenied: isCallback = false; return(AceQualifier.AccessDenied); case AceType.SystemAudit: isCallback = false; return(AceQualifier.SystemAudit); case AceType.SystemAlarm: isCallback = false; return(AceQualifier.SystemAlarm); case AceType.AccessAllowedObject: isCallback = false; return(AceQualifier.AccessAllowed); case AceType.AccessDeniedObject: isCallback = false; return(AceQualifier.AccessDenied); case AceType.SystemAuditObject: isCallback = false; return(AceQualifier.SystemAudit); case AceType.SystemAlarmObject: isCallback = false; return(AceQualifier.SystemAlarm); case AceType.AccessAllowedCallback: isCallback = true; return(AceQualifier.AccessAllowed); case AceType.AccessDeniedCallback: isCallback = true; return(AceQualifier.AccessDenied); case AceType.AccessAllowedCallbackObject: isCallback = true; return(AceQualifier.AccessAllowed); case AceType.AccessDeniedCallbackObject: isCallback = true; return(AceQualifier.AccessDenied); case AceType.SystemAuditCallback: isCallback = true; return(AceQualifier.SystemAudit); case AceType.SystemAlarmCallback: isCallback = true; return(AceQualifier.SystemAlarm); case AceType.SystemAuditCallbackObject: isCallback = true; return(AceQualifier.SystemAudit); case AceType.SystemAlarmCallbackObject: isCallback = true; return(AceQualifier.SystemAlarm); default: throw new SystemException(); } }
public static void Constructor3_AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, an AccessAllowed ACE with a zero access mask is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //drop the Ace from rawAcl rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 2, an inherit-only AccessDenied ACE on an object ACL is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //15 has all inheritance AceFlags but Inherited gAce = new CommonAce((AceFlags)15, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 3, an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //8 has inheritOnly gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); //the only ACE is a meaningless ACE, will be removed Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 4, 1 CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.None; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); //case 5, 1 CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); // 2 has ContainerInherit aceFlag = (AceFlags)2; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); //case 6, 1 ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 7, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); //case 8, all Aces from case 1, and 3 to 6 revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); //0 access Mask gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //an inherit-only AccessAllowed ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed gAce = new CommonAce((AceFlags)8, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // ObjectAce aceFlag = (AceFlags)15; //all inheritance flags ored together but Inherited aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // CustomAce aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.None; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(rawAcl.Count, gAce); // CompoundAce aceFlag = (AceFlags)2; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString()))); rawAcl.InsertAce(rawAcl.Count, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl.RemoveAce(0); rawAcl.RemoveAce(0); //Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, false, rawAcl)); discretionaryAcl = null; isContainer = false; isDS = false; rawAcl = null; //case 1, rawAcl = null discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); rawAcl = new RawAcl(isDS ? GenericAcl.AclRevisionDS : GenericAcl.AclRevision, 1); Assert.True(VerifyACL(discretionaryAcl, isContainer, isDS, true, rawAcl)); }
/// <summary>Initializes a new instance of the <see cref="T:System.Security.AccessControl.CustomAce" /> class.</summary> /// <param name="type">Type of the new Access Control Entry (ACE). This value must be greater than <see cref="F:System.Security.AccessControl.AceType.MaxDefinedAceType" />.</param> /// <param name="flags">Flags that specify information about the inheritance, inheritance propagation, and auditing conditions for the new ACE.</param> /// <param name="opaque">An array of byte values that contains the data for the new ACE. This value can be null. The length of this array must not be greater than the value of the <see cref="F:System.Security.AccessControl.CustomAce.MaxOpaqueLength" /> field, and must be a multiple of four.</param> /// <exception cref="T:System.ArgumentOutOfRangeException">The value of the <paramref name="type" /> parameter is not greater than <see cref="F:System.Security.AccessControl.AceType.MaxDefinedAceType" /> or the length of the <paramref name="opaque" /> array is either greater than the value of the <see cref="F:System.Security.AccessControl.CustomAce.MaxOpaqueLength" /> field or not a multiple of four.</exception> public CustomAce(AceType type, AceFlags flags, byte[] opaque) : base(type) { base.AceFlags = flags; this.SetOpaque(opaque); }
// Constructor. internal GenericAce(AceFlags aceFlags, AceType aceType) { this.aceFlags = aceFlags; this.aceType = aceType; }
static internal GenericAce CreateFromSddlForm(string sddlForm, ref int pos) { if (sddlForm[pos] != '(') { throw new ArgumentException("Invalid SDDL string.", "sddlForm"); } int endPos = sddlForm.IndexOf(')', pos); if (endPos < 0) { throw new ArgumentException("Invalid SDDL string.", "sddlForm"); } int count = endPos - (pos + 1); string elementsStr = sddlForm.Substring(pos + 1, count); elementsStr = elementsStr.ToUpperInvariant(); string[] elements = elementsStr.Split(';'); if (elements.Length != 6) { throw new ArgumentException("Invalid SDDL string.", "sddlForm"); } ObjectAceFlags objFlags = ObjectAceFlags.None; AceType type = ParseSddlAceType(elements[0]); AceFlags flags = ParseSddlAceFlags(elements[1]); int accessMask = ParseSddlAccessRights(elements[2]); Guid objectType = Guid.Empty; if (!string.IsNullOrEmpty(elements[3])) { objectType = new Guid(elements[3]); objFlags |= ObjectAceFlags.ObjectAceTypePresent; } Guid inhObjectType = Guid.Empty; if (!string.IsNullOrEmpty(elements[4])) { inhObjectType = new Guid(elements[4]); objFlags |= ObjectAceFlags.InheritedObjectAceTypePresent; } SecurityIdentifier sid = new SecurityIdentifier(elements[5]); if (type == AceType.AccessAllowedCallback || type == AceType.AccessDeniedCallback) { throw new NotImplementedException("Conditional ACEs not supported"); } pos = endPos + 1; if (IsObjectType(type)) { return(new ObjectAce(type, flags, accessMask, sid, objFlags, objectType, inhObjectType, null)); } else { if (objFlags != ObjectAceFlags.None) { throw new ArgumentException("Invalid SDDL string.", "sddlForm"); } return(new CommonAce(type, flags, accessMask, sid, null)); } }
public CustomAce( AceType type, AceFlags flags, byte[] opaque ) : base( type, flags ) { if ( type <= AceType.MaxDefinedAceType ) { throw new ArgumentOutOfRangeException( "type", Environment.GetResourceString( "ArgumentOutOfRange_InvalidUserDefinedAceType" )); } Contract.EndContractBlock(); SetOpaque( opaque ); }
internal QualifiedAce(AceType type, AceFlags flags, int accessMask, SecurityIdentifier sid, byte[] opaque) : base(type, flags, accessMask, sid) { _qualifier = QualifierFromType(type, out _isCallback); SetOpaque(opaque); }
private void AddAce(AceType type, AccessMask mask, AceFlags flags, Sid sid) { AddAce(new Ace(type, flags, mask, sid)); }
public Ace(Guid actionId, AceType reaction) { ActionId = actionId; Reaction = reaction; }
protected void BaseInit(AceType type, int size, AceFlags flags, Sid sid, AccessType accessType) { if (size >= ushort.MaxValue) throw new ArgumentException("Ace size is limited to an 16-bit integer", "size"); if (size <= ACE_HEADER.SizeOf) throw new ArgumentException("Ace size must be at least the size of an ACE_HEADER", "size"); _header.AceType = type; _header.AceSize = (ushort)size; _header.AceFlags = flags; _accessType = accessType; _sid = sid; }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; byte[] binaryForm = null; int offset = 0; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, a valid binary representation with revision 0, 1 SystemAudit CommonAce revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 2, a valid binary representation with revision 255, 1 AccessAllowed CommonAce revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 3, a valid binary representation with revision 127, 1 CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 4, a valid binary representation with revision 1, 1 CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 5, a valid binary representation with revision 1, 1 ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 1, rawAcl.BinaryLength)); //case 6, a valid binary representation with revision 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 0, rawAcl.BinaryLength)); //case 7, a valid binary representation with revision 1, and all Aces from case 1 to 5 revision = 127; capacity = 5; rawAcl = new RawAcl(revision, capacity); //SystemAudit CommonAce gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //Access Allowed CommonAce gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)223; //all flags ored together opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); //ObjectAce aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); binaryForm = new byte[rawAcl.BinaryLength]; rawAcl.GetBinaryForm(binaryForm, 0); Assert.True(TestCreateFromBinaryForm(binaryForm, offset, revision, 5, rawAcl.BinaryLength)); }
public void AddAce(ISubject subject, IAction action, AceType reaction) { AddAce(subject, action, null, reaction); }
protected static string GetSddlAceType (AceType type) { switch (type) { case AceType.AccessAllowed: return "A"; case AceType.AccessDenied: return "D"; case AceType.AccessAllowedObject: return "OA"; case AceType.AccessDeniedObject: return "OD"; case AceType.SystemAudit: return "AU"; case AceType.SystemAlarm: return "AL"; case AceType.SystemAuditObject: return "OU"; case AceType.SystemAlarmObject: return "OL"; case AceType.AccessAllowedCallback: return "XA"; case AceType.AccessDeniedCallback: return "XD"; default: throw new ArgumentException ("Unable to convert to SDDL ACE type: " + type, "type"); } }
// Token: 0x06001E7A RID: 7802 RVA: 0x0006A800 File Offset: 0x00068A00 internal static bool ParseBinaryForm(byte[] binaryForm, int offset, out AceQualifier qualifier, out int accessMask, out SecurityIdentifier sid, out ObjectAceFlags objectFlags, out Guid objectAceType, out Guid inheritedObjectAceType, out bool isCallback, out byte[] opaque) { byte[] array = new byte[16]; GenericAce.VerifyHeader(binaryForm, offset); if (binaryForm.Length - offset >= 12 + SecurityIdentifier.MinBinaryLength) { AceType aceType = (AceType)binaryForm[offset]; if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessDeniedObject || aceType == AceType.SystemAuditObject || aceType == AceType.SystemAlarmObject) { isCallback = false; } else { if (aceType != AceType.AccessAllowedCallbackObject && aceType != AceType.AccessDeniedCallbackObject && aceType != AceType.SystemAuditCallbackObject && aceType != AceType.SystemAlarmCallbackObject) { goto IL_209; } isCallback = true; } if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessAllowedCallbackObject) { qualifier = AceQualifier.AccessAllowed; } else if (aceType == AceType.AccessDeniedObject || aceType == AceType.AccessDeniedCallbackObject) { qualifier = AceQualifier.AccessDenied; } else if (aceType == AceType.SystemAuditObject || aceType == AceType.SystemAuditCallbackObject) { qualifier = AceQualifier.SystemAudit; } else { if (aceType != AceType.SystemAlarmObject && aceType != AceType.SystemAlarmCallbackObject) { goto IL_209; } qualifier = AceQualifier.SystemAlarm; } int num = offset + 4; int num2 = 0; accessMask = (int)binaryForm[num] + ((int)binaryForm[num + 1] << 8) + ((int)binaryForm[num + 2] << 16) + ((int)binaryForm[num + 3] << 24); num2 += 4; objectFlags = (ObjectAceFlags)((int)binaryForm[num + num2] + ((int)binaryForm[num + num2 + 1] << 8) + ((int)binaryForm[num + num2 + 2] << 16) + ((int)binaryForm[num + num2 + 3] << 24)); num2 += 4; if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) { for (int i = 0; i < 16; i++) { array[i] = binaryForm[num + num2 + i]; } num2 += 16; } else { for (int j = 0; j < 16; j++) { array[j] = 0; } } objectAceType = new Guid(array); if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) { for (int k = 0; k < 16; k++) { array[k] = binaryForm[num + num2 + k]; } num2 += 16; } else { for (int l = 0; l < 16; l++) { array[l] = 0; } } inheritedObjectAceType = new Guid(array); sid = new SecurityIdentifier(binaryForm, num + num2); opaque = null; int num3 = ((int)binaryForm[offset + 3] << 8) + (int)binaryForm[offset + 2]; if (num3 % 4 == 0) { int num4 = num3 - 4 - 4 - 4 - (int)((byte)sid.BinaryLength); if ((objectFlags & ObjectAceFlags.ObjectAceTypePresent) != ObjectAceFlags.None) { num4 -= 16; } if ((objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent) != ObjectAceFlags.None) { num4 -= 16; } if (num4 > 0) { opaque = new byte[num4]; for (int m = 0; m < num4; m++) { opaque[m] = binaryForm[offset + num3 - num4 + m]; } } return(true); } } IL_209: qualifier = AceQualifier.AccessAllowed; accessMask = 0; sid = null; objectFlags = ObjectAceFlags.None; objectAceType = Guid.NewGuid(); inheritedObjectAceType = Guid.NewGuid(); isCallback = false; opaque = null; return(false); }
public void HasAccessOrException(string securityContext, string planUniqueName, AceType aceType, object right) { _splxDal?.TrySecurityOrException(securityContext, planUniqueName, aceType, right, "Plan"); }
public CustomAce(AceType type, AceFlags flags, byte[] opaque);
protected Ace(AceType aceType, PrincipalIdentifier principal) : this(aceType, principal, AccessMask.None) { }
public void RemoveAce <T>(ISubject subject, IAction action, ISecurityObjectId objectId, AceType reaction) { if (subject == null) { throw new ArgumentNullException("subject"); } if (action == null) { throw new ArgumentNullException("action"); } var r = new PermissionRecord(subject.ID, action.ID, AzObjectIdHelper.GetFullObjectId(objectId), reaction); if (permRecords.ContainsKey(r.Id)) { permRecords.Remove(r.Id); } }
/// <summary> /// Selects and loads security for the given UniqueName into a SplxRecordManager /// </summary> /// <param name="uniqueName"></param> /// <returns>A loaded and resolved SplxRecordManager</returns> SplxSecureManagerBase GetSecureManagerSecurityRecurseUp(string userName, AceType aceType, string uniqueName, SecurityLoadParameters slp) { string rootUniqueName = ContainerRootUniqueName; SecureContainer root = new SecureContainer() { UniqueName = rootUniqueName }; #region setup SecurityLoadParameters, load ExternalGroupInfo if (slp == null) { slp = new SecurityLoadParameters() { ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv), User = this.GetSuplexUser(userName) } } ; ExternalGroupInfo egi = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv); egi.BuildGroupsList(slp.User.Name); #endregion SecureContainer ctrl = root; SplxSecureManagerBase context = null; #region IsFileStore = true if (IsFileStore) { context = new SplxRecordManager() { UniqueName = uniqueName }; if (aceType == AceType.FileSystem) { context = new SplxFileSystemManager() { UniqueName = uniqueName } } ; splxApi.UIElement uie = _splxStore.UIElements.GetByUniqueNameRecursiveIgnoreCase(uniqueName); if (uie == null) { throw new SecurityException($"Could not find security element [{uniqueName}] in the permissione configuration."); } ISecureControl curr = context; IObjectModel parentObj = uie.ParentObject; while (parentObj != null) { SecureContainer par = new SecureContainer() { UniqueName = ((splxApi.UIElement)parentObj).UniqueName }; par.Children.Add(curr); curr = par; parentObj = parentObj.ParentObject; } curr.Security.Load(_splxStore, slp); } #endregion #region IsFileStore = false else { DataSet ds = _da.GetDataSet("splx.splx_dal_sel_security_byuserbyuie_up", new System.Collections.sSortedList( "@UIE_UNIQUE_NAME", uniqueName, "@SPLX_USER_ID", slp.User.Id, "@EXTERNAL_GROUP_LIST", egi.GroupsList)); _da.NameTablesFromCompositeSelect(ref ds); //todo, when suplex is ready //DataSet ds = _splxApi.GetSecurity( rootUniqueName, slp.User, slp.ExternalGroupInfo, future:recurseUp ); DataTable acl = ds.Tables["AclInfo"]; DataRow[] rows = acl.Select(string.Format("UIE_UNIQUE_NAME = '{0}'", rootUniqueName)); if (rows.Length > 0) { rows = acl.Select(string.Format("UIE_PARENT_ID = '{0}'", rows[0]["SPLX_UI_ELEMENT_ID"])); } while (rows.Length > 0) { string un = rows[0]["UIE_UNIQUE_NAME"].ToString(); if (un.StartsWith(ContainerUniqueNamePrefix)) { context = new SplxRecordManager() { UniqueName = un }; if (aceType == AceType.FileSystem) { context = new SplxFileSystemManager() { UniqueName = un } } ; ctrl.Children.Add(context); } else { SecureContainer child = new SecureContainer() { UniqueName = un }; ctrl.Children.Add(child); ctrl = child; } rows = acl.Select(string.Format("UIE_PARENT_ID = '{0}'", rows[0]["SPLX_UI_ELEMENT_ID"])); } root.Security.Load(ds, slp); } #endregion return(context); }
internal Ace(AceType type) { Type = type; }
/// <summary> /// Tests security /and/ RlsOwner for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed /// </summary> /// <param name="uniqueName">The UniqueName for which to select security.</param> /// <param name="right">The RecordRight to test (used in error message).</param> /// <param name="assetType">The associated AssetType (used in error message).</param> /// <param name="rowOwnerId">The rlsOwner from the row.</param> public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, Guid rowOwnerId, bool recurseUp = true) { return(this.TrySecurityOrException(userName, uniqueName, aceType, right, assetType, rowOwnerId, null, true, recurseUp)); }
/// <summary> /// Tests security /and/ RlsMask for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed /// </summary> /// <param name="uniqueName">The UniqueName for which to select security.</param> /// <param name="right">The RecordRight to test (used in error message).</param> /// <param name="assetType">The associated AssetType (used in error message).</param> /// <param name="rowRlsMask">The rlsMask from the row.</param> public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, byte[] rowRlsMask, bool recurseUp = true) { return(this.TrySecurityOrException(userName, uniqueName, aceType, right, assetType, Guid.Empty, rowRlsMask, false, recurseUp)); }
/// <summary> /// Set "User Cannot Change Password ACL". /// @param sddl SDDL. /// @param cannot <tt>true</tt> to set the ACL; <tt>false</tt> to unset. /// @return updated SDDL. /// </summary> public static Sddl UserCannotChangePassword(Sddl sddl, bool cannot) { AceType type = cannot ? AceType.AccessDeniedObjectAceType : AceType.AccessAllowedObjectAceType; Ace self = null; Ace all = null; List <Ace> aces = sddl.GetDacl().GetAces(); for (var i = 0; (all == null || self == null) && i < aces.Count; i++) { Ace ace = aces[i]; if ((ace.GetAceType() == AceType.AccessAllowedObjectAceType || ace.GetAceType() == AceType.AccessDeniedObjectAceType) && ace.GetObjectFlags().GetFlags().Contains(AceObjectFlags.Flag.AceObjectTypePresent)) { if (ace.GetObjectType() == ucpObjectGuid) { SID sid = ace.GetSid(); if (sid.GetSubAuthorities().Count == 1) { if (self == null && sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }) && sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00 })) { self = ace; self.SetType(type); } else if (all == null && sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 }) && sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x0a })) { all = ace; all.SetType(type); } } } } } if (self == null) { // prepare aces self = Ace.NewInstance(type); self.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent)); self.SetObjectType(ucpObjectGuid); self.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr)); SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000001, 6)); sid.AddSubAuthority(NumberFacility.GetBytes(0)); self.SetSid(sid); sddl.GetDacl().GetAces().Add(self); } if (all == null) { all = Ace.NewInstance(type); all.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent)); all.SetObjectType(ucpObjectGuid); all.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr)); SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000005, 6)); sid.AddSubAuthority(NumberFacility.GetBytes(0x0A)); all.SetSid(sid); sddl.GetDacl().GetAces().Add(all); } return(sddl); }
private AceQualifier QualifierFromType(AceType type, out bool isCallback) { // // Better performance might be achieved by using a hard-coded table // switch (type) { case AceType.AccessAllowed: isCallback = false; return AceQualifier.AccessAllowed; case AceType.AccessDenied: isCallback = false; return AceQualifier.AccessDenied; case AceType.SystemAudit: isCallback = false; return AceQualifier.SystemAudit; case AceType.SystemAlarm: isCallback = false; return AceQualifier.SystemAlarm; case AceType.AccessAllowedCallback: isCallback = true; return AceQualifier.AccessAllowed; case AceType.AccessDeniedCallback: isCallback = true; return AceQualifier.AccessDenied; case AceType.SystemAuditCallback: isCallback = true; return AceQualifier.SystemAudit; case AceType.SystemAlarmCallback: isCallback = true; return AceQualifier.SystemAlarm; case AceType.AccessAllowedObject: isCallback = false; return AceQualifier.AccessAllowed; case AceType.AccessDeniedObject: isCallback = false; return AceQualifier.AccessDenied; case AceType.SystemAuditObject: isCallback = false; return AceQualifier.SystemAudit; case AceType.SystemAlarmObject: isCallback = false; return AceQualifier.SystemAlarm; case AceType.AccessAllowedCallbackObject: isCallback = true; return AceQualifier.AccessAllowed; case AceType.AccessDeniedCallbackObject: isCallback = true; return AceQualifier.AccessDenied; case AceType.SystemAuditCallbackObject: isCallback = true; return AceQualifier.SystemAudit; case AceType.SystemAlarmCallbackObject: isCallback = true; return AceQualifier.SystemAlarm; default: // // Indicates a bug in the implementation, not in user's code // Debug.Assert(false, "Invalid ACE type"); // Replacing SystemException with InvalidOperationException. It's not a perfect fit, // but it's the best exception type available to indicate a failure because // of a bug in the ACE itself. throw new InvalidOperationException(); } }
public AzRecord(Guid subjectId, Guid actionId, AceType reaction) : this(subjectId, actionId, reaction, default(string)) { }
internal GenericAce(AceType type, AceFlags flags) { // // Store the values passed in; // do not make any checks - anything is valid here // _type = type; _flags = flags; }
public static void RemoveInheritedAces_BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; DiscretionaryAcl discretionaryAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 3, non-inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(2, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(3, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(2, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException Assert.Throws <InvalidOperationException>(() => { TestRemoveInheritedAces(discretionaryAcl); }); //case 4, all inherited CommonAce, ObjectAce, CompoundAce, CustomAce revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")).ToString(); rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.Inherited; accessMask = 1; //Access Allowed CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessAllowed, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 1.ToString())), false, null); rawAcl.InsertAce(0, gAce); //Access Dennied CommonAce gAce = new CommonAce(aceFlag, AceQualifier.AccessDenied, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 2.ToString())), false, null); rawAcl.InsertAce(0, gAce); //CustomAce aceType = AceType.MaxDefinedAceType + 1; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); //CompoundAce compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 3.ToString()))); rawAcl.InsertAce(0, gAce); //ObjectAce aceQualifier = AceQualifier.AccessAllowed; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + 4.ToString())), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 5, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 6, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP), AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 7, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.AccessDenied, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 8, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //215 has all AceFlags except InheritOnly aceFlag = (AceFlags)215; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 9, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); //case 10, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.AccessAllowed; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(discretionaryAcl)); }
public CustomAce(AceType type, AceFlags flags, byte[] opaque) : base(type, flags) { if (type <= AceType.MaxDefinedAceType) { throw new ArgumentOutOfRangeException( nameof(type), SR.ArgumentOutOfRange_InvalidUserDefinedAceType); } Contract.EndContractBlock(); SetOpaque(opaque); }
/// <summary>Creates a <see cref="T:System.Security.AccessControl.GenericAce" /> object from the specified binary data.</summary> /// <param name="binaryForm">The binary data from which to create the new <see cref="T:System.Security.AccessControl.GenericAce" /> object.</param> /// <param name="offset">The offset at which to begin unmarshaling.</param> /// <returns>The <see cref="T:System.Security.AccessControl.GenericAce" /> object this method creates.</returns> // Token: 0x06001E46 RID: 7750 RVA: 0x00069C80 File Offset: 0x00067E80 public static GenericAce CreateFromBinaryForm(byte[] binaryForm, int offset) { GenericAce.VerifyHeader(binaryForm, offset); AceType aceType = (AceType)binaryForm[offset]; GenericAce genericAce; if (aceType == AceType.AccessAllowed || aceType == AceType.AccessDenied || aceType == AceType.SystemAudit || aceType == AceType.SystemAlarm || aceType == AceType.AccessAllowedCallback || aceType == AceType.AccessDeniedCallback || aceType == AceType.SystemAuditCallback || aceType == AceType.SystemAlarmCallback) { AceQualifier qualifier; int accessMask; SecurityIdentifier sid; bool isCallback; byte[] opaque; if (!CommonAce.ParseBinaryForm(binaryForm, offset, out qualifier, out accessMask, out sid, out isCallback, out opaque)) { goto IL_1A8; } AceFlags flags = (AceFlags)binaryForm[offset + 1]; genericAce = new CommonAce(flags, qualifier, accessMask, sid, isCallback, opaque); } else if (aceType == AceType.AccessAllowedObject || aceType == AceType.AccessDeniedObject || aceType == AceType.SystemAuditObject || aceType == AceType.SystemAlarmObject || aceType == AceType.AccessAllowedCallbackObject || aceType == AceType.AccessDeniedCallbackObject || aceType == AceType.SystemAuditCallbackObject || aceType == AceType.SystemAlarmCallbackObject) { AceQualifier qualifier2; int accessMask2; SecurityIdentifier sid2; ObjectAceFlags flags2; Guid type; Guid inheritedType; bool isCallback2; byte[] opaque2; if (!ObjectAce.ParseBinaryForm(binaryForm, offset, out qualifier2, out accessMask2, out sid2, out flags2, out type, out inheritedType, out isCallback2, out opaque2)) { goto IL_1A8; } AceFlags aceFlags = (AceFlags)binaryForm[offset + 1]; genericAce = new ObjectAce(aceFlags, qualifier2, accessMask2, sid2, flags2, type, inheritedType, isCallback2, opaque2); } else if (aceType == AceType.AccessAllowedCompound) { int accessMask3; CompoundAceType compoundAceType; SecurityIdentifier sid3; if (!CompoundAce.ParseBinaryForm(binaryForm, offset, out accessMask3, out compoundAceType, out sid3)) { goto IL_1A8; } AceFlags flags3 = (AceFlags)binaryForm[offset + 1]; genericAce = new CompoundAce(flags3, accessMask3, compoundAceType, sid3); } else { AceFlags flags4 = (AceFlags)binaryForm[offset + 1]; byte[] array = null; int num = (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8); if (num % 4 != 0) { goto IL_1A8; } int num2 = num - 4; if (num2 > 0) { array = new byte[num2]; for (int i = 0; i < num2; i++) { array[i] = binaryForm[offset + num - num2 + i]; } } genericAce = new CustomAce(aceType, flags4, array); } if ((genericAce is ObjectAce || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength) && (!(genericAce is ObjectAce) || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) == genericAce.BinaryLength || (int)binaryForm[offset + 2] + ((int)binaryForm[offset + 3] << 8) - 32 == genericAce.BinaryLength)) { return(genericAce); } IL_1A8: throw new ArgumentException(Environment.GetResourceString("ArgumentException_InvalidAceBinaryForm"), "binaryForm"); }
// Token: 0x06001E42 RID: 7746 RVA: 0x00069B73 File Offset: 0x00067D73 internal GenericAce(AceType type, AceFlags flags) { this._type = type; this._flags = flags; }
/// <summary> /// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed /// </summary> /// <param name="uniqueName">The UniqueName for which to select security.</param> /// <param name="right">The RecordRight to test (used in error message).</param> /// <param name="assetType">The associated AssetType (used in error message).</param> /// <param name="rowOwnerId">The rlsOwner from the row.</param> /// <param name="rowRlsMask">The rlsMask from the row.</param> public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, Guid rowOwnerId, byte[] rowRlsMask, bool allowOwnerOverride, bool recurseUp = true) { string exceptionMsg = this.GetNoRightsErrorMessage(right, assetType); SecurityLoadParameters slp = new SecurityLoadParameters() { ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv), User = this.GetSuplexUser(userName, resolve: true) }; SplxSecureManagerBase perms = recurseUp ? GetSecureManagerSecurityRecurseUp(userName, aceType, uniqueName, slp) : GetSecureManagerSecurity(userName, aceType, uniqueName, slp); #region eval rls RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None; if (rowOwnerId != Guid.Empty) { option |= RowLevelSecurityHelper.EvalOption.Owner; } if (rowRlsMask != null) { option |= RowLevelSecurityHelper.EvalOption.Mask; } RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper() { RowOwnerId = rowOwnerId, RowRlsMask = rowRlsMask, SecurityPrincipalId = slp.User.IdToGuid(), SecurityPrincipalRlsMask = slp.User.RlsMask, Option = option }; perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride); if (option != RowLevelSecurityHelper.EvalOption.None && !perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed) { exceptionMsg = "You do not have rights to this record."; } #endregion if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed) { throw new SecurityException(exceptionMsg); } return(new SuplexSecurityInfo(slp.User, perms)); }
protected virtual void Read() { var aceHeader = _memory.ReadStruct<AceHeader>(); _flags = aceHeader.AceFlags; _size = aceHeader.AceSize; _type = aceHeader.AceType; }
public SecureContainer(AceType aceType = AceType.FileSystem) { _sa = new SecurityAccessor(this, aceType); _sr = _sa.Descriptor.SecurityResults; }