示例#1
0
        public void AddAccessRule_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

            var customAccessRuleAllow = new CustomAccessRule(
                Helpers.s_NetworkServiceNTAccount, ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Allow
                );

            var customAccessRuleDeny = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleAllow);
            customObjectSecurity.AddAccessRule(customAccessRuleDeny);
            AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));

            Assert.NotNull(ruleCollection);
            List <CustomAccessRule> addedRules = ruleCollection.Cast <CustomAccessRule>().ToList();

            Assert.Contains(customAccessRuleAllow, addedRules);
            Assert.Contains(customAccessRuleDeny, addedRules);
        }
示例#2
0
        public void SetAccessRule_AccessControlType_Deny_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

            var objectTypeGuid            = Guid.NewGuid();
            var identityReference         = new NTAccount(@"NT AUTHORITY\SYSTEM");
            var customAccessRuleReadWrite = new CustomAccessRule(
                identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleRead = new CustomAccessRule(
                new NTAccount(@"NT AUTHORITY\SYSTEM"), ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            customObjectSecurity.SetAccessRule(customAccessRuleRead);

            AuthorizationRuleCollection ruleCollection =
                customObjectSecurity
                .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));

            List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();

            Assert.False(existingRules.Contains(customAccessRuleReadWrite));
            Assert.True(existingRules.Contains(customAccessRuleRead));
        }
示例#3
0
        public void SetAccessRule_AccessControlType_Deny_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
            var objectTypeGuid       = Guid.NewGuid();

            var customAccessRuleReadWrite = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleRead = new CustomAccessRule(
                new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());

            customObjectSecurity.SetAccessRule(customAccessRuleRead);
            var existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();

            Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
            Assert.Contains(customAccessRuleRead, existingRules);
        }
示例#4
0
        public void RemoveAccessRuleAll_AccessControlType_Deny_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
            var objectTypeGuid       = Guid.NewGuid();

            var customAccessRuleReadWrite = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleSynchronize = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            customObjectSecurity.AddAccessRule(customAccessRuleSynchronize);
            customObjectSecurity.RemoveAccessRuleAll(customAccessRuleSynchronize);

            AuthorizationRuleCollection ruleCollection =
                customObjectSecurity
                .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));

            List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();

            Assert.False(existingRules.Contains(customAccessRuleReadWrite));
            Assert.False(existingRules.Contains(customAccessRuleSynchronize));
        }
示例#5
0
        public void RemoveAccessRule_AccessControlType_Deny_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

            int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask;
            var objectTypeGuid       = Guid.NewGuid();

            var customAccessRuleReadDataAndAttribute = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, readDataAndAttribute, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleRead = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute);
            customObjectSecurity.RemoveAccessRule(customAccessRuleRead);

            AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));

            Assert.NotNull(ruleCollection);

            Assert.Contains(ruleCollection.Cast <CustomAccessRule>(), x =>
                            x.IdentityReference == Helpers.s_LocalSystemNTAccount &&
                            x.AccessControlType == AccessControlType.Deny &&
                            x.AccessMaskValue == ReadAttributeAccessMask
                            );
        }
示例#6
0
        public void RemoveAccessRule_AccessControlType_Deny_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

            int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask;
            var identityReference    = new NTAccount(@"NT AUTHORITY\SYSTEM");
            var objectTypeGuid       = Guid.NewGuid();
            var customAccessRuleReadDataAndAttribute = new CustomAccessRule(
                identityReference, readDataAndAttribute, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleRead = new CustomAccessRule(
                identityReference, ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute);
            customObjectSecurity.RemoveAccessRule(customAccessRuleRead);

            AuthorizationRuleCollection ruleCollection =
                customObjectSecurity
                .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));

            Assert.NotNull(ruleCollection);
            List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList();

            Assert.True(
                existingRules.Any(
                    x => x.IdentityReference == identityReference &&
                    x.AccessControlType == AccessControlType.Deny &&
                    x.AccessMaskValue == ReadAttributeAccessMask
                    ));
        }
        public void RemoveRule_AccessControlType_Allow_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

            var objectTypeGuid    = Guid.NewGuid();
            var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));

            var customAccessRuleReadWrite = new CustomAccessRule(
                identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
                );

            var customAccessRuleWrite = new CustomAccessRule(
                identityReference, WriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            bool result = customObjectSecurity.RemoveAccessRule(customAccessRuleWrite);

            Assert.Equal(true, result);
            AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));

            Assert.NotNull(ruleCollection);

            Assert.Contains(ruleCollection.Cast <CustomAccessRule>(), x =>
                            x.IdentityReference == identityReference &&
                            x.AccessControlType == customAccessRuleReadWrite.AccessControlType &&
                            x.AccessMaskValue == ReadAccessMask
                            );
        }
示例#8
0
 private bool IsEqual(CustomAccessRule accessRule)
 {
     return(IdentityReference.Equals(accessRule.IdentityReference) &&
            AccessMask.Equals(accessRule.AccessMask) &&
            AccessControlType.Equals(accessRule.AccessControlType) &&
            InheritanceFlags.Equals(accessRule.InheritanceFlags) &&
            PropagationFlags.Equals(accessRule.PropagationFlags));
 }
示例#9
0
        public void RemoveAccessRuleAll_AccessControlType_Deny_ThrowException()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
            var objectTypeGuid       = Guid.NewGuid();

            var customAccessRuleReadWrite = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.ObjectInherit,
                PropagationFlags.InheritOnly, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            AssertExtensions.Throws <InvalidOperationException, SystemException>(() => customObjectSecurity.RemoveAccessRuleAll(customAccessRuleReadWrite));
        }
示例#10
0
        public void SetCustomDescriptor_Success()
        {
            // We didn't allow setting the security descriptor in core due to assembly refactoring.
            // GetAccessRules() would throw a null ref after setting the descriptor. We now expose
            // the descriptor as a protected property (instead of internal).
            // https://github.com/dotnet/corefx/issues/34151

            var customObjectSecurity = new CustomDirectoryObjectSecurity();

            // DACL:SDDL_PROTECTED SDDL_AUTO_INHERITED
            //  (SDDL_ACCESS_ALLOWED;SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT;access mask;;;SDDL_BUILTIN_USERS)
            customObjectSecurity.SetSecurityDescriptorSddlForm("D:PAI(A;OICI;0x1200a9;;;BU)");
            var rules = customObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));

            Assert.Equal(1, rules.Count);
            CustomAccessRule rule = (CustomAccessRule)rules[0];

            // Should be users group
            Assert.Equal(rule.IdentityReference.Value, "S-1-5-32-545");
            Assert.Equal(AccessControlType.Allow, rule.AccessControlType);
            Assert.Equal(InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, rule.InheritanceFlags);
            Assert.Equal(0x1200a9, rule.AccessMaskValue);
        }
        public void RemoveAccessRuleSpecific_AccessControlType_Deny_NoMatchableRules_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

            var objectTypeGuid    = Guid.NewGuid();
            var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));

            var customAccessRuleReadWrite = new CustomAccessRule(
                identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleRead = new CustomAccessRule(
                new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            customObjectSecurity.RemoveAccessRuleSpecific(customAccessRuleRead);

            Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());
        }
        public void ResetAccessRule_AccessControlType_Deny_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);

            var objectTypeGuid            = Guid.NewGuid();
            var identityReference         = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount));
            var customAccessRuleReadWrite = new CustomAccessRule(
                identityReference, ReadWriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleNetworkService = new CustomAccessRule(
                new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null).Translate(typeof(NTAccount)), SynchronizeAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
                );

            var customAccessRuleWrite = new CustomAccessRule(
                new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), WriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());

            customObjectSecurity.AddAccessRule(customAccessRuleNetworkService);
            List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();

            Assert.Contains(customAccessRuleReadWrite, existingRules);
            Assert.Contains(customAccessRuleNetworkService, existingRules);

            customObjectSecurity.ResetAccessRule(customAccessRuleWrite);
            existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
            Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
            Assert.Contains(customAccessRuleNetworkService, existingRules);
            Assert.Contains(customAccessRuleWrite, existingRules);
        }
示例#13
0
        public void ResetAccessRule_AccessControlType_Allow_Succeeds()
        {
            var descriptor           = new CommonSecurityDescriptor(true, true, string.Empty);
            var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor);
            var objectTypeGuid       = Guid.NewGuid();

            var customAccessRuleReadWrite = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny
                );

            var customAccessRuleNetworkService = new CustomAccessRule(
                Helpers.s_NetworkServiceNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
                );

            var customAccessRuleRead = new CustomAccessRule(
                Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None,
                PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow
                );

            customObjectSecurity.AddAccessRule(customAccessRuleReadWrite);
            Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>());

            customObjectSecurity.AddAccessRule(customAccessRuleNetworkService);
            List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();

            Assert.Contains(customAccessRuleReadWrite, existingRules);
            Assert.Contains(customAccessRuleNetworkService, existingRules);

            customObjectSecurity.ResetAccessRule(customAccessRuleRead);
            existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList();
            Assert.DoesNotContain(customAccessRuleReadWrite, existingRules);
            Assert.Contains(customAccessRuleNetworkService, existingRules);
            Assert.Contains(customAccessRuleRead, existingRules);
        }