public void RemoveGroupIfExists(CodeGroup parentGroup, String name)
{
CodeGroup childGroup;
while ((childGroup = GetChildGroup(parentGroup, name)) != null)
{
parentGroup.RemoveChild(childGroup);
}
}
// -rg label|name
// -remgroup label|name
static bool RemoveCodeGroup(string name)
{
PolicyLevel pl = null;
CodeGroup parent = null;
CodeGroup cg = FindCodeGroup(name, ref parent, ref pl);
if ((pl == null) || (parent == null) || (cg == null))
{
return(false);
}
if (!Confirm())
{
return(false);
}
parent.RemoveChild(cg);
SecurityManager.SavePolicyLevel(pl);
Console.WriteLine("CodeGroup '{0}' removed from {1} policy level.",
cg.Name, pl.Label);
return(true);
}
private static void DeleteCustomChildCodeGroup(string codeGroupName)
{
// Delete the custom child group.
// Delete the child group by creating a copy of the parent code group, deleting its children,
// then adding the copy of the parent code group back to the root code group.
IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
while (policyEnumerator.MoveNext())
{
PolicyLevel machineLevel = (PolicyLevel)policyEnumerator.Current;
// IList returns copies of the code groups, not the code groups themselves,
// so operations on the IList objects do not affect the actual code group.
IList childCodeGroups = machineLevel.RootCodeGroup.Children;
IEnumerator childGroups = childCodeGroups.GetEnumerator();
while (childGroups.MoveNext())
{
CodeGroup thisCodeGroup = (CodeGroup)childGroups.Current;
if (thisCodeGroup.Name == codeGroupName)
{
// Create a new code group from this one, but without it's children.
// Delete the original code group and add the new one just created.
CodeGroup newCodeGroup = thisCodeGroup;
IList childCodeGroup = newCodeGroup.Children;
IEnumerator childGroup = childCodeGroup.GetEnumerator();
while (childGroup.MoveNext())
{
// Remove all the children from the copy.
newCodeGroup.RemoveChild((CodeGroup)childGroup.Current);
}
// Should have a copy of the parent code group with children removed.
// Delete the original parent code group and replace with its childless clone.
machineLevel.RootCodeGroup.RemoveChild(thisCodeGroup);
machineLevel.RootCodeGroup.AddChild(newCodeGroup);
SecurityManager.SavePolicy();
}
}
}
}
// Print the properties of the specified code group to the console.
private static void PrintCodeGroup(CodeGroup codeGroup)
{
// Compare the type of the specified object with the FileCodeGroup
// type.
if (!codeGroup.GetType().Equals(typeof(FileCodeGroup)))
{
throw new ArgumentException("Expected the FileCodeGroup type.");
}
string codeGroupName = codeGroup.Name;
string membershipCondition = codeGroup.MembershipCondition.ToString();
string permissionSetName = codeGroup.PermissionSetName;
int hashCode = codeGroup.GetHashCode();
string mergeLogic = "";
if (codeGroup.MergeLogic.Equals("Union"))
{
mergeLogic = " with Union merge logic";
}
// Retrieve the class path for FileCodeGroup.
string fileGroupClass = codeGroup.ToString();
// Write summary to the console window.
Console.WriteLine("\n*** " + fileGroupClass + " summary ***");
Console.Write("A FileCodeGroup named ");
Console.Write(codeGroupName + mergeLogic);
Console.Write(" has been created with hash code" + hashCode + ".");
Console.Write("This code group contains a " + membershipCondition);
Console.Write(" membership condition with the ");
Console.Write(permissionSetName + " permission set. ");
Console.Write("The code group has the following security policy: ");
Console.WriteLine(ResolveEvidence(codeGroup));
int childCount = codeGroup.Children.Count;
if (childCount > 0)
{
Console.Write("There are " + childCount);
Console.WriteLine(" child code groups in this code group.");
// Iterate through the child code groups to display their names
// and remove them from the specified code group.
for (int i = 0; i < childCount; i++)
{
// Get child code group as type FileCodeGroup.
FileCodeGroup childCodeGroup =
(FileCodeGroup)codeGroup.Children[i];
Console.Write("Removing the " + childCodeGroup.Name + ".");
// Remove child code group.
codeGroup.RemoveChild(childCodeGroup);
}
Console.WriteLine();
}
else
{
Console.Write("There are no child code groups");
Console.WriteLine(" in this code group.");
}
}
// Print the properties of the specified code group to the console.
private static void PrintCodeGroup(CodeGroup codeGroup)
{
// Compare the type of the specified object with the
// FirstMatchCodeGroup type.
//<Snippet12>
if (!codeGroup.GetType().Equals(typeof(FirstMatchCodeGroup)))
//</Snippet12>
{
throw new ArgumentException(
"Expected the FirstMatchCodeGroup type.");
}
string codeGroupName = codeGroup.Name;
string membershipCondition = codeGroup.MembershipCondition.ToString();
//<Snippet13>
string permissionSetName = codeGroup.PermissionSetName;
//</Snippet13>
//<Snippet14>
int hashCode = codeGroup.GetHashCode();
//</Snippet14>
string mergeLogic = "";
//<Snippet15>
if (codeGroup.MergeLogic.Equals("First Match"))
//</Snippet15>
{
mergeLogic = "with first-match merge logic";
}
// Retrieve the class path for the FirstMatchCodeGroup.
//<Snippet16>
string firstMatchGroupClass = codeGroup.ToString();
//</Snippet16>
string attributeString = "";
// Retrieve the string representation of the FirstMatchCodeGroup's
// attributes.
//<Snippet5>
if (codeGroup.AttributeString != null)
{
attributeString = codeGroup.AttributeString;
}
//</Snippet5>
// Write a summary to the console window.
Console.WriteLine("\n*** " + firstMatchGroupClass + " summary ***");
Console.Write("A FirstMatchCodeGroup named ");
Console.Write(codeGroupName + mergeLogic);
Console.Write(" has been created with hash code(" + hashCode + ").");
Console.Write("\nThis code group contains a " + membershipCondition);
Console.Write(" membership condition with the ");
Console.WriteLine(permissionSetName + " permission set.");
Console.Write("The code group contains the following policy: ");
Console.Write(ResolveEvidence(codeGroup));
Console.Write("\nIt also contains the following attributes: ");
Console.WriteLine(attributeString);
int childCount = codeGroup.Children.Count;
if (childCount > 0)
{
Console.Write("There are " + childCount);
Console.WriteLine(" child elements in the code group.");
// Iterate through the child code groups to display their names
// and then remove them from the specified code group.
for (int i = 0; i < childCount; i++)
{
// Retrieve a child code group, which has been cast as a
// FirstMatchCodeGroup type.
//<Snippet21>
FirstMatchCodeGroup childCodeGroup =
(FirstMatchCodeGroup)codeGroup.Children[i];
//</Snippet21>
Console.Write("Removing the " + childCodeGroup.Name + ".");
// Remove the child code group.
//<Snippet17>
codeGroup.RemoveChild(childCodeGroup);
//</Snippet17>
}
Console.WriteLine();
}
else
{
Console.WriteLine(" No child code groups were found in this" +
" code group.");
}
}
}// TryToCreateFullTrust
private CodeGroup CreateCodegroup(PermissionSet pSet, bool fHighjackExisting)
{
// Now create our codegroup
// Figure out what membership condition to use
IMembershipCondition mc = null;
// If the assembly didn't have a publisher certificate or a strong name,
// then we must trust it by hash
int nTrustBy = m_fHasCertOrSName?Page3.HowToTrust:TrustBy.HASH;
if ((nTrustBy & TrustBy.SNAME) > 0)
{
// Let's get the strong name stuff together
StrongName sn = GetStrongName();
StrongNamePublicKeyBlob snpkb = sn.PublicKey;
Version v = null;
String sName = null;
if ((nTrustBy & TrustBy.SNAMEVER) > 0)
{
v = sn.Version;
}
if ((nTrustBy & TrustBy.SNAMENAME) > 0)
{
sName = sn.Name;
}
mc = new StrongNameMembershipCondition(snpkb, sName, v);
}
else if ((nTrustBy & TrustBy.PUBCERT) > 0)
{
// We're using the publisher certificate stuff
mc = new PublisherMembershipCondition(GetCertificate());
}
else // We'll trust by hash
{
Hash h = GetHash();
mc = new HashMembershipCondition(SHA1.Create(), h.SHA1);
}
// Figure out the policy level that we should put this in....
String sPolicyLevel = Page1.isForHomeUser?"Machine":"User";
PolicyLevel pl = Security.GetPolicyLevelFromLabel(sPolicyLevel);
// See if a codegroup for this already exists... and if it does, we'll just
// modify that.
CSingleCodeGroup scg = null;
CodeGroup cg = null;
if (fHighjackExisting)
{
scg = FindExistingCodegroup(pl, mc);
if (scg != null)
{
cg = scg.MyCodeGroup;
// Cool. We were able to find a codegroup to use. We'll
// need to strip off all the File and Net child codegroups
IEnumerator enumChildCodeGroups = cg.Children.GetEnumerator();
while (enumChildCodeGroups.MoveNext())
{
CodeGroup cgChild = (CodeGroup)enumChildCodeGroups.Current;
if (cgChild is NetCodeGroup || cgChild is FileCodeGroup)
{
// Ok to use CodeGroup.RemoveChild here we want to toast all
// File and Net codegroups... we don't care if the security system
// gets confused about which are which (if they don't have names)
cg.RemoveChild(cgChild);
}
}
}
}
// Create the codegroup... we're going to make this a level final
// codegroup, so if policy gets changes such that a lower-level policy
// level tries to deny permissions to this codegroup it will be unsuccessful.
PolicyStatement policystatement = new PolicyStatement(pSet, PolicyStatementAttribute.LevelFinal);
if (cg == null)
{
cg = new UnionCodeGroup(mc, policystatement);
String sCGName = Security.FindAGoodCodeGroupName(pl, "Wizard_");
cg.Name = sCGName;
cg.Description = CResourceStore.GetString("GeneratedCodegroup");
}
else
{
cg.PolicyStatement = policystatement;
}
// If this is a internet or intranet permission set, we also need to add some codegroups
if (pSet is NamedPermissionSet)
{
NamedPermissionSet nps = (NamedPermissionSet)pSet;
if (nps.Name.Equals("LocalIntranet"))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
else if (nps.Name.Equals("Internet"))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
// Add this codegroup to the root codegroup of the policy
// If there was already an existing one, just replace that...
if (scg != null)
{
Security.UpdateCodegroup(pl, scg);
}
else
{
pl.RootCodeGroup.AddChild(cg);
}
return(cg);
}// CreateCodegroup
}// didMachinePolicyChange
protected override int WizFinish()
{
// This is the main things that the wizard needs to do.
// If mucking with the machine level
//
// 1. Apply appropriate settings to the security zone codegroups.
//
// If mucking with the user level
//
// 1. Change the user policylevel's root codegroup's permission set to Nothing
// 2. Apply appropriate settings to the security zone codegroups
// 3. Copy the entire machine policy into a child codegroup in the user policy
// 4. Skip the top level of the copied policy looking for zone codegroups. Set
// their permission set to nothing, and remove child file and net codegroups.
// 5. Walk through the entire copied policy and remove any exclusive codegroups
// We have some different behavior depending on what type of policy we're after
String sPolicyLevel = IsHomeUser?"Machine":"User";
PolicyLevel pl = Security.GetPolicyLevelFromLabel(sPolicyLevel);
SecurityZone[] sz = new SecurityZone[] {
SecurityZone.MyComputer,
SecurityZone.Intranet,
SecurityZone.Internet,
SecurityZone.Trusted,
SecurityZone.Untrusted
};
m_alNewCodeGroups.Clear();
for (int i = 0; i < 5; i++)
{
// Only do this if we know how to assign a permission set
if (Page2.SecurityLevels[i] != PermissionSetType.UNKNOWN)
{
// Find the Codegroup with the appropriate Membership Condition
CodeGroup cgParent = null;
CodeGroup cg = GetCGWithMembershipCondition(pl.RootCodeGroup, sz[i], out cgParent);
// Remove this codegroup from the heirarchy
if (cg != null)
{
if (cgParent == null)
{
throw new Exception("I should have a parent");
}
cgParent.RemoveChild(cg);
}
// We have to create this Codegroup
if (cg == null)
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition(sz[i]);
cg = new UnionCodeGroup(zmc, new PolicyStatement(new PermissionSet(PermissionState.None)));
// Add a name and description
cg.Name = GetCodegroupName(sz[i]);
m_alNewCodeGroups.Add(cg);
m_pl = pl;
cgParent = pl.RootCodeGroup;
}
// If was an internet or intranet codegroup, we'll need to remove child codegroups of type
// NetCodeGroup or FileCodeGroup
if (cg.PermissionSetName != null && (cg.PermissionSetName.Equals("Internet") || cg.PermissionSetName.Equals("LocalIntranet")))
{
IEnumerator enumCodeGroups = cg.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup group = (CodeGroup)enumCodeGroups.Current;
if (group is NetCodeGroup || group is FileCodeGroup)
{
cg.RemoveChild(group);
}
}
}
// Now give this codegroup the appropriate permission set
PolicyStatement ps = cg.PolicyStatement;
ps.PermissionSet = GetPermissionSetNameFromSecurityLevel(pl, Page2.SecurityLevels[i]);
// Put in the helper codegroups if necessary
if (Page2.SecurityLevels[i] == PermissionSetType.INTRANET)
{
if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
if (!DoesCGHaveCodegroup(cg, typeof(FileCodeGroup)))
{
CodeGroup cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
else if (Page2.SecurityLevels[i] == PermissionSetType.INTERNET)
{
if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
cg.PolicyStatement = ps;
// Now let's build the code group description
String sPermissionSetDes = "";
if (ps.PermissionSet is NamedPermissionSet)
{
sPermissionSetDes += ((NamedPermissionSet)ps.PermissionSet).Description;
}
cg.Description = String.Format(CResourceStore.GetString("CSecurityAdjustmentWizard:CodeGroupDescription"),
cg.PermissionSetName,
GetCodegroupName(sz[i]),
sPermissionSetDes);
// Now add this child back in
cgParent.AddChild(cg);
}
}
// Check to see if this is for the user.
if (!IsHomeUser)
{
// Let's start on our list....
PolicyLevel plUser = Security.GetPolicyLevelFromLabel("User");
// Change the root codegroup's permission set to nothing
CodeGroup cgRoot = plUser.RootCodeGroup;
PolicyStatement ps = cgRoot.PolicyStatement;
ps.PermissionSet = plUser.GetNamedPermissionSet("Nothing");
cgRoot.PolicyStatement = ps;
// Now copy the entire machine level's policy into a child codegroup
// of the user policy
PolicyLevel plMachine = Security.GetPolicyLevelFromLabel("Machine");
CodeGroup cgMachine = plMachine.RootCodeGroup.Copy();
// Change the codegroup's name to something more interesting...
cgMachine.Name = "Wizard_Machine_Policy";
cgMachine.Description = CResourceStore.GetString("CSecurityAdjustmentWizard:CopiedMachinePolicyDes");
// Now skim through the top level looking for Zone codegroups, set
// their permission sets to nothing, and delete any child net and file
// codegroups
IEnumerator enumCodeGroups = cgMachine.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup zoneGroup = (CodeGroup)enumCodeGroups.Current;
if (zoneGroup.MembershipCondition is ZoneMembershipCondition)
{
// Ok, we need to change this codegroup
cgMachine.RemoveChild(zoneGroup);
PolicyStatement zoneps = zoneGroup.PolicyStatement;
zoneps.PermissionSet = plUser.GetNamedPermissionSet("Nothing");
zoneGroup.PolicyStatement = zoneps;
// Now run through its children looking for a file or net codegroup
IEnumerator enumChildCodeGroups = zoneGroup.Children.GetEnumerator();
while (enumChildCodeGroups.MoveNext())
{
CodeGroup zoneChildGroup = (CodeGroup)enumChildCodeGroups.Current;
if (zoneChildGroup is NetCodeGroup || zoneChildGroup is FileCodeGroup)
{
zoneGroup.RemoveChild(zoneChildGroup);
}
}
cgMachine.AddChild(zoneGroup);
}
}
// Now run through the tree and remove any exclusive code groups
// We're best to do this recursively....
if ((cgMachine.PolicyStatement.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive)
{
// Remove the exclusive bit
PolicyStatement psMachine = cgMachine.PolicyStatement;
psMachine.Attributes = psMachine.Attributes & ~PolicyStatementAttribute.Exclusive;
cgMachine.PolicyStatement = psMachine;
}
Security.RemoveExclusiveCodeGroups(cgMachine);
// Now run through the user policy looking for codegroups named
// "Wizard_Machine_Policy" and delete those as well.
enumCodeGroups = cgRoot.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup group = (CodeGroup)enumCodeGroups.Current;
if (group.Name.Equals("Wizard_Machine_Policy"))
{
cgRoot.RemoveChild(group);
}
}
// Add finally this to the root codegroup of the user policy
Security.PrepCodeGroupTree(cgMachine, plMachine, plUser);
cgRoot.AddChild(cgMachine);
plUser.RootCodeGroup = cgRoot;
}
m_fWizardFinished = true;
return(0);
}// WizFinish