public void RemoveSpecificUsingDSOverload()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, true, 0);
RemoveSpecificBegin(sid, dacl, InheritanceFlags.None);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty);
Assert.AreEqual(1, dacl.Count);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(0, dacl.Count);
}
private static bool TestRemoveAccessSpecific(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
discretionaryAcl.RemoveAccessSpecific(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
if (discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
result = false;
return result;
}
public void PropagationFlagsDoNotRequireInheritanceFlagsForRemoveSpecific()
{
SecurityIdentifier sid = new SecurityIdentifier("BU");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 0);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3,
InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly);
}
void RemoveSpecificBegin(SecurityIdentifier sid, DiscretionaryAcl dacl, InheritanceFlags inheritanceFlags)
{
SecurityIdentifier otherSid = new SecurityIdentifier("BU");
dacl.AddAccess(AccessControlType.Allow, sid, 3, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
dacl.RemoveAccessSpecific(AccessControlType.Deny, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
dacl.RemoveAccessSpecific(AccessControlType.Allow, otherSid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
Assert.AreEqual(3, ((CommonAce)dacl [0]).AccessMask);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3,
inheritanceFlags ^ InheritanceFlags.ContainerInherit,
PropagationFlags.None);
Assert.AreEqual(1, dacl.Count);
}
public void RemoveSpecificIsContainer()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl(true, false, 0);
RemoveSpecificBegin(sid, dacl, InheritanceFlags.ObjectInherit);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3, InheritanceFlags.ObjectInherit, PropagationFlags.None);
Assert.AreEqual(0, dacl.Count);
}
public void RemoveSpecificIgnoresPropagationFlagsWhenMatchingInheritanceFlagsNone()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 0);
RemoveSpecificBegin(sid, dacl, InheritanceFlags.None);
dacl.RemoveAccessSpecific(AccessControlType.Allow, sid, 3,
InheritanceFlags.None, PropagationFlags.InheritOnly);
Assert.AreEqual(0, dacl.Count);
}
private static bool TestRemoveAccessSpecific(DiscretionaryAcl discretionaryAcl, RawAcl rawAcl, AccessControlType accessControlType, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] dAclBinaryForm = null;
byte[] rAclBinaryForm = null;
discretionaryAcl.RemoveAccessSpecific(accessControlType, sid, accessMask, inheritanceFlags, propagationFlags);
if (discretionaryAcl.Count == rawAcl.Count &&
discretionaryAcl.BinaryLength == rawAcl.BinaryLength)
{
dAclBinaryForm = new byte[discretionaryAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
discretionaryAcl.GetBinaryForm(dAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(dAclBinaryForm, rAclBinaryForm))
{
result = false;
}
//redundant index check
for (int i = 0; i < discretionaryAcl.Count; i++)
{
if (!Utils.IsAceEqual(discretionaryAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return(result);
}
public static void RemoveAccessSpecific_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, remove one ACE from the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 2, remove the last one ACE from the DiscretionaryAcl
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 3, accessMask = 0
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
sid = "BA";
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws<InvalidOperationException>(() =>
{
TestRemoveAccessSpecific
(discretionaryAcl, rawAcl,
(AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
public static void RemoveAccessSpecific_AdditionalTestCases()
{
RawAcl rawAcl = null;
DiscretionaryAcl discretionaryAcl = null;
bool isContainer = false;
bool isDS = false;
int accessControlType = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, remove one ACE from the DiscretionaryAcl with no ACE
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 2, remove the last one ACE from the DiscretionaryAcl
isContainer = true;
isDS = false;
accessControlType = 0;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
//15 = AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)15, AceQualifier.AccessAllowed, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAccessSpecific(discretionaryAcl, rawAcl, (AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags))
;
//Case 3, accessMask = 0
AssertExtensions.Throws <ArgumentException>("accessMask", () =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
sid = "BA";
accessMask = 0;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 4, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = true;
isDS = false;
accessControlType = 1;
accessMask = 1;
sid = "BA";
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType, null, accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 5, all the ACEs in the Dacl are non-qualified ACE, no remove
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 0;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags, opaque);;
rawAcl.InsertAce(0, gAce);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
Assert.Throws <InvalidOperationException>(() =>
{
TestRemoveAccessSpecific
(discretionaryAcl, rawAcl,
(AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
//Case 7, Remove Specific Ace of NOT(AccessControlType.Allow |AccessControlType.Denied) to the DiscretionaryAcl with no ACE,
// should throw appropriate exception for wrong parameter, bug#287188
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
accessControlType = 100;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
discretionaryAcl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
discretionaryAcl.RemoveAccessSpecific((AccessControlType)accessControlType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
accessMask,
(InheritanceFlags)inheritanceFlags,
(PropagationFlags)propagationFlags);
});
}
