public void AddAccessRule_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var customAccessRuleAllow = new CustomAccessRule( Helpers.s_NetworkServiceNTAccount, ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Allow ); var customAccessRuleDeny = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, Guid.NewGuid(), Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleAllow); customObjectSecurity.AddAccessRule(customAccessRuleDeny); AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); Assert.NotNull(ruleCollection); List <CustomAccessRule> addedRules = ruleCollection.Cast <CustomAccessRule>().ToList(); Assert.Contains(customAccessRuleAllow, addedRules); Assert.Contains(customAccessRuleDeny, addedRules); }
public void SetAccessRule_AccessControlType_Deny_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM"); var customAccessRuleReadWrite = new CustomAccessRule( identityReference, ReadWriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleRead = new CustomAccessRule( new NTAccount(@"NT AUTHORITY\SYSTEM"), ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); customObjectSecurity.SetAccessRule(customAccessRuleRead); AuthorizationRuleCollection ruleCollection = customObjectSecurity .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList(); Assert.False(existingRules.Contains(customAccessRuleReadWrite)); Assert.True(existingRules.Contains(customAccessRuleRead)); }
public void SetAccessRule_AccessControlType_Deny_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var customAccessRuleReadWrite = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleRead = new CustomAccessRule( new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>()); customObjectSecurity.SetAccessRule(customAccessRuleRead); var existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList(); Assert.DoesNotContain(customAccessRuleReadWrite, existingRules); Assert.Contains(customAccessRuleRead, existingRules); }
public void RemoveAccessRuleAll_AccessControlType_Deny_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var customAccessRuleReadWrite = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleSynchronize = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); customObjectSecurity.AddAccessRule(customAccessRuleSynchronize); customObjectSecurity.RemoveAccessRuleAll(customAccessRuleSynchronize); AuthorizationRuleCollection ruleCollection = customObjectSecurity .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList(); Assert.False(existingRules.Contains(customAccessRuleReadWrite)); Assert.False(existingRules.Contains(customAccessRuleSynchronize)); }
public void RemoveAccessRule_AccessControlType_Deny_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask; var objectTypeGuid = Guid.NewGuid(); var customAccessRuleReadDataAndAttribute = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, readDataAndAttribute, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleRead = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute); customObjectSecurity.RemoveAccessRule(customAccessRuleRead); AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); Assert.NotNull(ruleCollection); Assert.Contains(ruleCollection.Cast <CustomAccessRule>(), x => x.IdentityReference == Helpers.s_LocalSystemNTAccount && x.AccessControlType == AccessControlType.Deny && x.AccessMaskValue == ReadAttributeAccessMask ); }
public void RemoveAccessRule_AccessControlType_Deny_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); int readDataAndAttribute = ReadAccessMask | ReadAttributeAccessMask; var identityReference = new NTAccount(@"NT AUTHORITY\SYSTEM"); var objectTypeGuid = Guid.NewGuid(); var customAccessRuleReadDataAndAttribute = new CustomAccessRule( identityReference, readDataAndAttribute, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleRead = new CustomAccessRule( identityReference, ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadDataAndAttribute); customObjectSecurity.RemoveAccessRule(customAccessRuleRead); AuthorizationRuleCollection ruleCollection = customObjectSecurity .GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); Assert.NotNull(ruleCollection); List <CustomAccessRule> existingRules = ruleCollection.Cast <CustomAccessRule>().ToList(); Assert.True( existingRules.Any( x => x.IdentityReference == identityReference && x.AccessControlType == AccessControlType.Deny && x.AccessMaskValue == ReadAttributeAccessMask )); }
public void RemoveRule_AccessControlType_Allow_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)); var customAccessRuleReadWrite = new CustomAccessRule( identityReference, ReadWriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow ); var customAccessRuleWrite = new CustomAccessRule( identityReference, WriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); bool result = customObjectSecurity.RemoveAccessRule(customAccessRuleWrite); Assert.Equal(true, result); AuthorizationRuleCollection ruleCollection = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); Assert.NotNull(ruleCollection); Assert.Contains(ruleCollection.Cast <CustomAccessRule>(), x => x.IdentityReference == identityReference && x.AccessControlType == customAccessRuleReadWrite.AccessControlType && x.AccessMaskValue == ReadAccessMask ); }
private bool IsEqual(CustomAccessRule accessRule) { return(IdentityReference.Equals(accessRule.IdentityReference) && AccessMask.Equals(accessRule.AccessMask) && AccessControlType.Equals(accessRule.AccessControlType) && InheritanceFlags.Equals(accessRule.InheritanceFlags) && PropagationFlags.Equals(accessRule.PropagationFlags)); }
public void RemoveAccessRuleAll_AccessControlType_Deny_ThrowException() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var customAccessRuleReadWrite = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); AssertExtensions.Throws <InvalidOperationException, SystemException>(() => customObjectSecurity.RemoveAccessRuleAll(customAccessRuleReadWrite)); }
public void SetCustomDescriptor_Success() { // We didn't allow setting the security descriptor in core due to assembly refactoring. // GetAccessRules() would throw a null ref after setting the descriptor. We now expose // the descriptor as a protected property (instead of internal). // https://github.com/dotnet/corefx/issues/34151 var customObjectSecurity = new CustomDirectoryObjectSecurity(); // DACL:SDDL_PROTECTED SDDL_AUTO_INHERITED // (SDDL_ACCESS_ALLOWED;SDDL_OBJECT_INHERIT SDDL_CONTAINER_INHERIT;access mask;;;SDDL_BUILTIN_USERS) customObjectSecurity.SetSecurityDescriptorSddlForm("D:PAI(A;OICI;0x1200a9;;;BU)"); var rules = customObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); Assert.Equal(1, rules.Count); CustomAccessRule rule = (CustomAccessRule)rules[0]; // Should be users group Assert.Equal(rule.IdentityReference.Value, "S-1-5-32-545"); Assert.Equal(AccessControlType.Allow, rule.AccessControlType); Assert.Equal(InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, rule.InheritanceFlags); Assert.Equal(0x1200a9, rule.AccessMaskValue); }
public void RemoveAccessRuleSpecific_AccessControlType_Deny_NoMatchableRules_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)); var customAccessRuleReadWrite = new CustomAccessRule( identityReference, ReadWriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleRead = new CustomAccessRule( new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); customObjectSecurity.RemoveAccessRuleSpecific(customAccessRuleRead); Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>()); }
public void ResetAccessRule_AccessControlType_Deny_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var identityReference = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)); var customAccessRuleReadWrite = new CustomAccessRule( identityReference, ReadWriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleNetworkService = new CustomAccessRule( new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null).Translate(typeof(NTAccount)), SynchronizeAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow ); var customAccessRuleWrite = new CustomAccessRule( new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), WriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>()); customObjectSecurity.AddAccessRule(customAccessRuleNetworkService); List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList(); Assert.Contains(customAccessRuleReadWrite, existingRules); Assert.Contains(customAccessRuleNetworkService, existingRules); customObjectSecurity.ResetAccessRule(customAccessRuleWrite); existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList(); Assert.DoesNotContain(customAccessRuleReadWrite, existingRules); Assert.Contains(customAccessRuleNetworkService, existingRules); Assert.Contains(customAccessRuleWrite, existingRules); }
public void ResetAccessRule_AccessControlType_Allow_Succeeds() { var descriptor = new CommonSecurityDescriptor(true, true, string.Empty); var customObjectSecurity = new CustomDirectoryObjectSecurity(descriptor); var objectTypeGuid = Guid.NewGuid(); var customAccessRuleReadWrite = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, ReadWriteAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Deny ); var customAccessRuleNetworkService = new CustomAccessRule( Helpers.s_NetworkServiceNTAccount, SynchronizeAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow ); var customAccessRuleRead = new CustomAccessRule( Helpers.s_LocalSystemNTAccount, ReadAccessMask, true, InheritanceFlags.None, PropagationFlags.None, objectTypeGuid, Guid.NewGuid(), AccessControlType.Allow ); customObjectSecurity.AddAccessRule(customAccessRuleReadWrite); Assert.Contains(customAccessRuleReadWrite, customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>()); customObjectSecurity.AddAccessRule(customAccessRuleNetworkService); List <CustomAccessRule> existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList(); Assert.Contains(customAccessRuleReadWrite, existingRules); Assert.Contains(customAccessRuleNetworkService, existingRules); customObjectSecurity.ResetAccessRule(customAccessRuleRead); existingRules = customObjectSecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)).Cast <CustomAccessRule>().ToList(); Assert.DoesNotContain(customAccessRuleReadWrite, existingRules); Assert.Contains(customAccessRuleNetworkService, existingRules); Assert.Contains(customAccessRuleRead, existingRules); }