/// <summary>
/// Generate the LocalIntranet permission set, optionally extending it with same site permissions
/// </summary>
private static PermissionSet GetLocalIntranetPermissionSet(Url sourceUrl)
{
PermissionSet localIntranet = MachinePolicyLevel.GetNamedPermissionSet("LocalIntranet");
// If we have a source URL, try to generate same-site web and file permissions to add to the
// local intranet set
if (sourceUrl != null)
{
Evidence evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Intranet));
evidence.AddHostEvidence(sourceUrl);
PolicyStatement webPolicy =
new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
if (webPolicy != null)
{
localIntranet = localIntranet.Union(webPolicy.PermissionSet);
}
PolicyStatement filePolicy =
new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery).Resolve(evidence);
if (filePolicy != null)
{
localIntranet = localIntranet.Union(filePolicy.PermissionSet);
}
}
// If WPF is available on the machine, then extend the permission set with some additional WPF
// permissions as well.
localIntranet = localIntranet.Union(WpfPermissionSet);
return(localIntranet);
}
// Construct a new FileCodeGroup with Read, Write, Append
// and PathDiscovery access.
private static FileCodeGroup constructDefaultGroup()
{
// Construct a new file code group that has complete access to
// files in the specified path.
FileCodeGroup fileCodeGroup =
new FileCodeGroup(
new AllMembershipCondition(),
FileIOPermissionAccess.AllAccess);
// Set the name of the file code group.
fileCodeGroup.Name = "TempCodeGroup";
// Set the description of the file code group.
fileCodeGroup.Description = "Temp folder permissions group";
// Retrieve the string representation of the fileCodeGroup�s
// attributes. FileCodeGroup does not use AttributeString, so the
// value should be null.
if (fileCodeGroup.AttributeString != null)
{
throw new NullReferenceException(
"The AttributeString property should be null.");
}
return(fileCodeGroup);
}
static void Main(string[] args)
{
FileCodeGroup fileCodeGroup = constructDefaultGroup();
// Create a deep copy of the FileCodeGroup.
FileCodeGroup copyCodeGroup = (FileCodeGroup)fileCodeGroup.Copy();
CompareTwoCodeGroups(fileCodeGroup, copyCodeGroup);
addPolicy(ref fileCodeGroup);
addXmlMember(ref fileCodeGroup);
updateMembershipCondition(ref fileCodeGroup);
addChildCodeGroup(ref fileCodeGroup);
Console.Write("Comparing the resolved code group ");
Console.WriteLine("with the initial code group.");
FileCodeGroup resolvedCodeGroup =
ResolveGroupToEvidence(fileCodeGroup);
if (CompareTwoCodeGroups(fileCodeGroup, resolvedCodeGroup))
{
PrintCodeGroup(resolvedCodeGroup);
}
else
{
PrintCodeGroup(fileCodeGroup);
}
Console.WriteLine("This sample completed successfully; " +
"press Enter to exit.");
Console.ReadLine();
}
// If a domain attribute is not found in the specified FileCodeGroup,
// add a child XML element identifying a custom membership condition.
private static void addXmlMember(ref FileCodeGroup fileCodeGroup)
{
//<Snippet10>
SecurityElement xmlElement = fileCodeGroup.ToXml();
//</Snippet10>
SecurityElement rootElement = new SecurityElement("CodeGroup");
if (xmlElement.Attribute("domain") == null)
{
//<Snippet11>
SecurityElement newElement =
new SecurityElement("CustomMembershipCondition");
newElement.AddAttribute("class", "CustomMembershipCondition");
newElement.AddAttribute("version", "1");
newElement.AddAttribute("domain", "contoso.com");
rootElement.AddChild(newElement);
fileCodeGroup.FromXml(rootElement);
//</Snippet11>
}
Console.WriteLine("Added a custom membership condition:");
Console.WriteLine(rootElement.ToString());
}
public void ToXml()
{
FileIOPermissionAccess access = FileIOPermissionAccess.Read | FileIOPermissionAccess.Write;
FileCodeGroup cg = new FileCodeGroup(new AllMembershipCondition(), access);
string s = cg.ToXml().ToString();
Assert.IsTrue(s.IndexOf("Access=\"Read, Write\"") > 0, "Access='Read, Write'");
}
// Set the membership condition of the specified FileCodeGroup
// to the Intranet zone.
private static void updateMembershipCondition(
ref FileCodeGroup fileCodeGroup)
{
ZoneMembershipCondition zoneCondition =
new ZoneMembershipCondition(SecurityZone.Intranet);
fileCodeGroup.MembershipCondition = zoneCondition;
}
public void ResolveMatchingCodeGroups_OneLevel()
{
FileCodeGroup level1 = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match, "Match");
Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
}
public void Constructor_Read()
{
FileCodeGroup cg = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read);
Assert.IsNotNull(cg.MembershipCondition, "MembershipCondition");
Assert.IsNull(cg.PolicyStatement, "PolicyStatement");
// documented as always null
Assert.IsNull(cg.AttributeString, "AttributeString");
Assert.IsNotNull(cg.PermissionSetName, "PermissionSetName");
}
public static void FileCodeGroupCallMethods()
{
FileCodeGroup fcg = new FileCodeGroup(new GacMembershipCondition(), new FileIOPermissionAccess());
CodeGroup cg = fcg.Copy();
bool equals = fcg.Equals(new object());
int hash = fcg.GetHashCode();
PolicyStatement ps = fcg.Resolve(new Evidence());
cg = fcg.ResolveMatchingCodeGroups(new Evidence());
}
public void Resolve_AllMembershipCondition_AllAccess()
{
FileCodeGroup cg = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
PolicyStatement result = cg.Resolve(new Evidence());
Assert.AreEqual(PolicyStatementAttribute.Nothing, result.Attributes, "Attributes");
Assert.AreEqual(String.Empty, result.AttributeString, "AttributeString");
Assert.IsFalse(result.PermissionSet.IsUnrestricted(), "IsUnrestricted");
Assert.AreEqual(0, result.PermissionSet.Count, "Count");
}
public void CopyWithChildren()
{
FileCodeGroup cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
FileCodeGroup cg = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
cg.AddChild(cgChild);
FileCodeGroup cg2 = (FileCodeGroup)cg.Copy();
Assert.AreEqual(cg.Children.Count, cg2.Children.Count, "Children");
Assert.AreEqual(cg.ToXml().ToString(), cg2.ToXml().ToString(), "ToXml");
}
// Retrieve the resolved code group based on the Evidence from
// the executing assembly found in the specified code group.
private static FileCodeGroup ResolveGroupToEvidence(
FileCodeGroup fileCodeGroup)
{
// Resolve matching code groups to the executing assembly.
Assembly assembly = typeof(Members).Assembly;
Evidence evidence = assembly.Evidence;
CodeGroup codeGroup =
fileCodeGroup.ResolveMatchingCodeGroups(evidence);
return((FileCodeGroup)codeGroup);
}
// Add a child group with read-access file permission to the specified
// code group.
private static void addChildCodeGroup(ref FileCodeGroup fileCodeGroup)
{
// Create a file code group with read-access permission.
FileCodeGroup tempFolderCodeGroup = new FileCodeGroup(
new AllMembershipCondition(),
FileIOPermissionAccess.Read);
// Set the name of the child code group and add it to
// the specified code group.
tempFolderCodeGroup.Name = "Read-only group";
fileCodeGroup.AddChild(tempFolderCodeGroup);
}
public void Copy()
{
FileCodeGroup cg = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
FileCodeGroup cg2 = (FileCodeGroup)cg.Copy();
Assert.AreEqual(cg.AttributeString, cg2.AttributeString, "AttributeString");
Assert.AreEqual(cg.Children.Count, cg2.Children.Count, "Children");
Assert.AreEqual(cg.Description, cg2.Description, "Description");
Assert.AreEqual(cg.MergeLogic, cg2.MergeLogic, "MergeLogic");
Assert.AreEqual(cg.Name, cg2.Name, "Name");
Assert.AreEqual(cg.PermissionSetName, cg2.PermissionSetName, "PermissionSetName");
Assert.AreEqual(cg.ToXml().ToString(), cg2.ToXml().ToString(), "ToXml");
}
// Compare the two specified file code groups for equality.
private static bool CompareTwoCodeGroups(
FileCodeGroup firstCodeGroup, FileCodeGroup secondCodeGroup)
{
if (firstCodeGroup.Equals(secondCodeGroup))
{
Console.WriteLine("The two code groups are equal.");
return(true);
}
else
{
Console.WriteLine("The two code groups are not equal.");
return(false);
}
}
public void ResolveMatchingCodeGroups_ThreeLevel()
{
FileCodeGroup level1 = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
CodeGroup level2 = level1.Copy();
level1.AddChild(level2);
FileCodeGroup level3 = new FileCodeGroup(new ZoneMembershipCondition(SecurityZone.Untrusted), FileIOPermissionAccess.AllAccess);
level2.AddChild(level3);
CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match, "Match");
Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
// Equals (true) isn't a deep compare (just one level)
Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
}
// Add file permission to restrict write access to all files on the
// local machine.
private static void addPolicy(ref FileCodeGroup fileCodeGroup)
{
// Set the PolicyStatement property to a policy with read access to
// the root directory of drive C.
FileIOPermission rootFilePermissions =
new FileIOPermission(PermissionState.None);
rootFilePermissions.AllLocalFiles = FileIOPermissionAccess.Read;
rootFilePermissions.SetPathList(FileIOPermissionAccess.Read, "C:\\");
NamedPermissionSet namedPermissions =
new NamedPermissionSet("RootPermissions");
namedPermissions.AddPermission(rootFilePermissions);
fileCodeGroup.PolicyStatement =
new PolicyStatement(namedPermissions);
}
public void ToFromXmlRoundtrip()
{
FileCodeGroup cg = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
cg.Name = "SomeName";
cg.Description = "Some Description";
Assert.IsTrue(cg.Equals(cg), "Equals (itself)");
SecurityElement se = cg.ToXml();
FileCodeGroup cg2 = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.NoAccess);
cg2.Name = "SomeOtherName";
cg2.Description = "Some Other Description";
Assert.IsFalse(cg.Equals(cg2), "Equals (another)");
cg2.FromXml(se);
Assert.IsTrue(cg.Equals(cg2), "Equals (FromXml)");
}
public static PermissionSet GetStandardSandbox(Evidence evidence)
{
if (evidence == null)
{
throw new ArgumentNullException("evidence");
}
Zone hostEvidence = evidence.GetHostEvidence <Zone>();
if (hostEvidence == null)
{
return(new PermissionSet(PermissionState.None));
}
if (hostEvidence.SecurityZone == SecurityZone.MyComputer)
{
return(new PermissionSet(PermissionState.Unrestricted));
}
if (hostEvidence.SecurityZone == SecurityZone.Intranet)
{
PermissionSet localIntranet = BuiltInPermissionSets.LocalIntranet;
PolicyStatement statement = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
PolicyStatement statement2 = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read).Resolve(evidence);
if (statement != null)
{
localIntranet.InplaceUnion(statement.PermissionSet);
}
if (statement2 != null)
{
localIntranet.InplaceUnion(statement2.PermissionSet);
}
return(localIntranet);
}
if ((hostEvidence.SecurityZone != SecurityZone.Internet) && (hostEvidence.SecurityZone != SecurityZone.Trusted))
{
return(new PermissionSet(PermissionState.None));
}
PermissionSet internet = BuiltInPermissionSets.Internet;
PolicyStatement statement3 = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
if (statement3 != null)
{
internet.InplaceUnion(statement3.PermissionSet);
}
return(internet);
}
public void ResolveMatchingCodeGroups_TwoLevel()
{
FileCodeGroup level1 = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
CodeGroup level2 = level1.Copy();
level1.AddChild(level2);
CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match, "Match");
Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
FileCodeGroup level2b = new FileCodeGroup(new ZoneMembershipCondition(SecurityZone.Untrusted), FileIOPermissionAccess.AllAccess);
level1.AddChild(level2b);
CodeGroup match2 = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match2, "Match2");
Assert.IsTrue(match2.Equals(level1, false), "Equals(false)");
Assert.IsTrue(!match2.Equals(level1, true), "Equals(true)");
}
public void Resolve_ZoneMembershipCondition_Untrusted()
{
IMembershipCondition mc = new ZoneMembershipCondition(SecurityZone.Untrusted);
PermissionSet pset = new PermissionSet(PermissionState.None);
FileCodeGroup cg = new FileCodeGroup(mc, FileIOPermissionAccess.AllAccess);
Evidence e = new Evidence();
e.AddHost(new Zone(SecurityZone.Untrusted));
PolicyStatement result = cg.Resolve(e);
Assert.AreEqual(PolicyStatementAttribute.Nothing, result.Attributes, "Untrusted-Attributes");
Assert.AreEqual(String.Empty, result.AttributeString, "Untrusted-AttributeString");
Assert.IsFalse(result.PermissionSet.IsUnrestricted(), "Untrusted-IsUnrestricted");
Assert.AreEqual(0, result.PermissionSet.Count, "Untrusted-Count");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Internet));
Assert.IsNull(cg.Resolve(e), "Internet");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Intranet));
Assert.IsNull(cg.Resolve(e), "Intranet");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.MyComputer));
Assert.IsNull(cg.Resolve(e), "MyComputer");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.NoZone));
Assert.IsNull(cg.Resolve(e), "NoZone");
e = new Evidence();
e.AddHost(new Zone(SecurityZone.Trusted));
Assert.IsNull(cg.Resolve(e), "Trusted");
}
// Here is the managed portion of the QuickCache code. It
// is mainly concerned with detecting whether it is valid
// for us to use the quick cache, and then calculating the
// proper mapping of partial evidence to partial mapping.
//
// The choice of the partial evidence sets is fairly arbitrary
// and in this case is tailored to give us meaningful
// results from default policy.
//
// The choice of whether or not we can use the quick cache
// is far from arbitrary. There are a couple conditions that must
// be true for the QuickCache to produce valid result. These
// are:
//
// * equivalent evidence objects must produce the same
// grant set (i.e. it must be independent of time of day,
// space on the harddisk, other "external" factors, and
// cannot be random).
//
// * evidence must be used positively (i.e. if evidence A grants
// permission X, then evidence A+B must grant at least permission
// X).
//
// In particular for our implementation, this means that we
// limit the classes that can be used by policy to just
// the ones defined within mscorlib and that there are
// no Exclusive bits set on any code groups.
internal static bool CanUseQuickCache(CodeGroup group)
{
ArrayList list = new ArrayList();
list.Add(group);
for (int i = 0; i < list.Count; ++i)
{
group = (CodeGroup)list[i];
NetCodeGroup netGroup = group as NetCodeGroup;
UnionCodeGroup unionGroup = group as UnionCodeGroup;
FirstMatchCodeGroup firstGroup = group as FirstMatchCodeGroup;
FileCodeGroup fileGroup = group as FileCodeGroup;
if (netGroup != null)
{
if (!TestPolicyStatement(netGroup.PolicyStatement))
{
return(false);
}
}
else if (unionGroup != null)
{
if (!TestPolicyStatement(unionGroup.PolicyStatement))
{
return(false);
}
}
else if (firstGroup != null)
{
if (!TestPolicyStatement(firstGroup.PolicyStatement))
{
return(false);
}
}
else if (fileGroup != null)
{
if (!TestPolicyStatement(fileGroup.PolicyStatement))
{
return(false);
}
}
else
{
return(false);
}
IMembershipCondition cond = group.MembershipCondition;
if (cond != null && !(cond is IConstantMembershipCondition))
{
return(false);
}
IList children = group.Children;
if (children != null && children.Count > 0)
{
IEnumerator enumerator = children.GetEnumerator();
while (enumerator.MoveNext())
{
list.Add(enumerator.Current);
}
}
}
return(true);
}
public void ResolveMatchingCodeGroups_Null()
{
FileCodeGroup cg = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.AllAccess);
cg.ResolveMatchingCodeGroups(null);
}
// Print the properties of the specified code group to the console.
private static void PrintCodeGroup(CodeGroup codeGroup)
{
// Compare the type of the specified object with the FileCodeGroup
// type.
if (!codeGroup.GetType().Equals(typeof(FileCodeGroup)))
{
throw new ArgumentException("Expected the FileCodeGroup type.");
}
string codeGroupName = codeGroup.Name;
string membershipCondition = codeGroup.MembershipCondition.ToString();
string permissionSetName = codeGroup.PermissionSetName;
int hashCode = codeGroup.GetHashCode();
string mergeLogic = "";
if (codeGroup.MergeLogic.Equals("Union"))
{
mergeLogic = " with Union merge logic";
}
// Retrieve the class path for FileCodeGroup.
string fileGroupClass = codeGroup.ToString();
// Write summary to the console window.
Console.WriteLine("\n*** " + fileGroupClass + " summary ***");
Console.Write("A FileCodeGroup named ");
Console.Write(codeGroupName + mergeLogic);
Console.Write(" has been created with hash code" + hashCode + ".");
Console.Write("This code group contains a " + membershipCondition);
Console.Write(" membership condition with the ");
Console.Write(permissionSetName + " permission set. ");
Console.Write("The code group has the following security policy: ");
Console.WriteLine(ResolveEvidence(codeGroup));
int childCount = codeGroup.Children.Count;
if (childCount > 0)
{
Console.Write("There are " + childCount);
Console.WriteLine(" child code groups in this code group.");
// Iterate through the child code groups to display their names
// and remove them from the specified code group.
for (int i = 0; i < childCount; i++)
{
// Get child code group as type FileCodeGroup.
FileCodeGroup childCodeGroup =
(FileCodeGroup)codeGroup.Children[i];
Console.Write("Removing the " + childCodeGroup.Name + ".");
// Remove child code group.
codeGroup.RemoveChild(childCodeGroup);
}
Console.WriteLine();
}
else
{
Console.Write("There are no child code groups");
Console.WriteLine(" in this code group.");
}
}
public void ResolveMatchingCodeGroups_NoMatch()
{
FileCodeGroup cg = new FileCodeGroup(new ZoneMembershipCondition(SecurityZone.Untrusted), FileIOPermissionAccess.AllAccess);
Assert.IsNull(cg.ResolveMatchingCodeGroups(new Evidence()));
}
public void Constructor_MembershipConditionNullFileIOPermissionAccess()
{
FileCodeGroup cg = new FileCodeGroup(null, FileIOPermissionAccess.AllAccess);
}
// Get a sandbox permission set that the CLR considers safe to grant an application with the given
// evidence. Note that this API is not a policy API, but rather a host helper API so that a host can
// determine if an application's requested permission set is reasonable. This is esentially just a
// hard coded mapping of Zone -> Sandbox and is not configurable in any way.
public static PermissionSet GetStandardSandbox(Evidence evidence)
{
if (evidence == null)
{
throw new ArgumentNullException("evidence");
}
Contract.EndContractBlock();
//
// The top-level switch for grant set is based upon Zone
// MyComputer -> FullTrust
// Intranet -> LocalIntranet
// Trusted -> Internet
// Internet -> Internet
// All else -> Nothing
//
// Both the Internet and LocalIntranet zones can have permission set extensions applied to them
// if there is Activation.
//
Zone zone = evidence.GetHostEvidence <Zone>();
if (zone == null)
{
return(new PermissionSet(PermissionState.None));
}
#if FEATURE_CAS_POLICY
else if (zone.SecurityZone == SecurityZone.MyComputer)
{
return(new PermissionSet(PermissionState.Unrestricted));
}
else if (zone.SecurityZone == SecurityZone.Intranet)
{
PermissionSet intranetGrantSet = BuiltInPermissionSets.LocalIntranet;
// We also need to add in same site web and file IO permission
PolicyStatement webPolicy =
new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
PolicyStatement filePolicy =
new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery).Resolve(evidence);
if (webPolicy != null)
{
intranetGrantSet.InplaceUnion(webPolicy.PermissionSet);
}
if (filePolicy != null)
{
intranetGrantSet.InplaceUnion(filePolicy.PermissionSet);
}
return(intranetGrantSet);
}
else if (zone.SecurityZone == SecurityZone.Internet ||
zone.SecurityZone == SecurityZone.Trusted)
{
PermissionSet internetGrantSet = BuiltInPermissionSets.Internet;
// We also need to add in same site web permission
PolicyStatement webPolicy =
new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
if (webPolicy != null)
{
internetGrantSet.InplaceUnion(webPolicy.PermissionSet);
}
return(internetGrantSet);
}
#endif // FEATURE_CAS_POLICY
else
{
return(new PermissionSet(PermissionState.None));
}
}
}// FindCurrentPermissionSet
internal static int FindCurrentPermissionSet(Evidence ev, PermissionSet pSet)
{
// Ok, now let's see if the permission set that is currently granted matches
// either Full Trust, Internet, Intranet, or none.
if (pSet.IsEmpty())
{
return(PermissionSetType.NONE);
}
if (pSet.IsUnrestricted())
{
return(PermissionSetType.FULLTRUST);
}
// Let's grab the internet and intranet permission sets....
PolicyLevel pl = GetPolicyLevelFromType(PolicyLevelType.Enterprise);
PermissionSet psInternet = pl.GetNamedPermissionSet("Internet");
PermissionSet psIntranet = pl.GetNamedPermissionSet("LocalIntranet");
// In addition, the internet and intranet permission sets get additional
// permissions that are normally provided by custom codegroups. We'll
// create those codegroups and get the permissions of of those
// Mess with the custom codegroups
FileCodeGroup fcg = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
NetCodeGroup ncg = new NetCodeGroup(new AllMembershipCondition());
// The intranet permission set gets unioned with each of these...
PermissionSet psss = fcg.Resolve(ev).PermissionSet;
psIntranet = psIntranet.Union(psss);
psIntranet = psIntranet.Union(ncg.Resolve(ev).PermissionSet);
// The internet permission set just gets the net codegroup
psInternet = psInternet.Union(ncg.Resolve(ev).PermissionSet);
int nPermissionSet = PermissionSetType.UNKNOWN;
// These 'IsSubsetOf' will throw exceptions if there are non-identical
// regular expressions.
try
{
if (psIntranet != null && pSet.IsSubsetOf(psIntranet) && psIntranet.IsSubsetOf(pSet))
{
nPermissionSet = PermissionSetType.INTRANET;
}
}
catch (Exception)
{
}
// See if we should keep looking
if (nPermissionSet == PermissionSetType.UNKNOWN)
{
try
{
// See if this is a Internet policy level
if (psInternet != null && pSet.IsSubsetOf(psInternet) && psInternet.IsSubsetOf(pSet))
{
nPermissionSet = PermissionSetType.INTERNET;
}
}
catch (Exception)
{
}
}
return(nPermissionSet);
}// FindCurrentPermissionSet
}// TryToCreateFullTrust
private CodeGroup CreateCodegroup(PermissionSet pSet, bool fHighjackExisting)
{
// Now create our codegroup
// Figure out what membership condition to use
IMembershipCondition mc = null;
// If the assembly didn't have a publisher certificate or a strong name,
// then we must trust it by hash
int nTrustBy = m_fHasCertOrSName?Page3.HowToTrust:TrustBy.HASH;
if ((nTrustBy & TrustBy.SNAME) > 0)
{
// Let's get the strong name stuff together
StrongName sn = GetStrongName();
StrongNamePublicKeyBlob snpkb = sn.PublicKey;
Version v = null;
String sName = null;
if ((nTrustBy & TrustBy.SNAMEVER) > 0)
{
v = sn.Version;
}
if ((nTrustBy & TrustBy.SNAMENAME) > 0)
{
sName = sn.Name;
}
mc = new StrongNameMembershipCondition(snpkb, sName, v);
}
else if ((nTrustBy & TrustBy.PUBCERT) > 0)
{
// We're using the publisher certificate stuff
mc = new PublisherMembershipCondition(GetCertificate());
}
else // We'll trust by hash
{
Hash h = GetHash();
mc = new HashMembershipCondition(SHA1.Create(), h.SHA1);
}
// Figure out the policy level that we should put this in....
String sPolicyLevel = Page1.isForHomeUser?"Machine":"User";
PolicyLevel pl = Security.GetPolicyLevelFromLabel(sPolicyLevel);
// See if a codegroup for this already exists... and if it does, we'll just
// modify that.
CSingleCodeGroup scg = null;
CodeGroup cg = null;
if (fHighjackExisting)
{
scg = FindExistingCodegroup(pl, mc);
if (scg != null)
{
cg = scg.MyCodeGroup;
// Cool. We were able to find a codegroup to use. We'll
// need to strip off all the File and Net child codegroups
IEnumerator enumChildCodeGroups = cg.Children.GetEnumerator();
while (enumChildCodeGroups.MoveNext())
{
CodeGroup cgChild = (CodeGroup)enumChildCodeGroups.Current;
if (cgChild is NetCodeGroup || cgChild is FileCodeGroup)
{
// Ok to use CodeGroup.RemoveChild here we want to toast all
// File and Net codegroups... we don't care if the security system
// gets confused about which are which (if they don't have names)
cg.RemoveChild(cgChild);
}
}
}
}
// Create the codegroup... we're going to make this a level final
// codegroup, so if policy gets changes such that a lower-level policy
// level tries to deny permissions to this codegroup it will be unsuccessful.
PolicyStatement policystatement = new PolicyStatement(pSet, PolicyStatementAttribute.LevelFinal);
if (cg == null)
{
cg = new UnionCodeGroup(mc, policystatement);
String sCGName = Security.FindAGoodCodeGroupName(pl, "Wizard_");
cg.Name = sCGName;
cg.Description = CResourceStore.GetString("GeneratedCodegroup");
}
else
{
cg.PolicyStatement = policystatement;
}
// If this is a internet or intranet permission set, we also need to add some codegroups
if (pSet is NamedPermissionSet)
{
NamedPermissionSet nps = (NamedPermissionSet)pSet;
if (nps.Name.Equals("LocalIntranet"))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
else if (nps.Name.Equals("Internet"))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
// Add this codegroup to the root codegroup of the policy
// If there was already an existing one, just replace that...
if (scg != null)
{
Security.UpdateCodegroup(pl, scg);
}
else
{
pl.RootCodeGroup.AddChild(cg);
}
return(cg);
}// CreateCodegroup
}// didMachinePolicyChange
protected override int WizFinish()
{
// This is the main things that the wizard needs to do.
// If mucking with the machine level
//
// 1. Apply appropriate settings to the security zone codegroups.
//
// If mucking with the user level
//
// 1. Change the user policylevel's root codegroup's permission set to Nothing
// 2. Apply appropriate settings to the security zone codegroups
// 3. Copy the entire machine policy into a child codegroup in the user policy
// 4. Skip the top level of the copied policy looking for zone codegroups. Set
// their permission set to nothing, and remove child file and net codegroups.
// 5. Walk through the entire copied policy and remove any exclusive codegroups
// We have some different behavior depending on what type of policy we're after
String sPolicyLevel = IsHomeUser?"Machine":"User";
PolicyLevel pl = Security.GetPolicyLevelFromLabel(sPolicyLevel);
SecurityZone[] sz = new SecurityZone[] {
SecurityZone.MyComputer,
SecurityZone.Intranet,
SecurityZone.Internet,
SecurityZone.Trusted,
SecurityZone.Untrusted
};
m_alNewCodeGroups.Clear();
for (int i = 0; i < 5; i++)
{
// Only do this if we know how to assign a permission set
if (Page2.SecurityLevels[i] != PermissionSetType.UNKNOWN)
{
// Find the Codegroup with the appropriate Membership Condition
CodeGroup cgParent = null;
CodeGroup cg = GetCGWithMembershipCondition(pl.RootCodeGroup, sz[i], out cgParent);
// Remove this codegroup from the heirarchy
if (cg != null)
{
if (cgParent == null)
{
throw new Exception("I should have a parent");
}
cgParent.RemoveChild(cg);
}
// We have to create this Codegroup
if (cg == null)
{
ZoneMembershipCondition zmc = new ZoneMembershipCondition(sz[i]);
cg = new UnionCodeGroup(zmc, new PolicyStatement(new PermissionSet(PermissionState.None)));
// Add a name and description
cg.Name = GetCodegroupName(sz[i]);
m_alNewCodeGroups.Add(cg);
m_pl = pl;
cgParent = pl.RootCodeGroup;
}
// If was an internet or intranet codegroup, we'll need to remove child codegroups of type
// NetCodeGroup or FileCodeGroup
if (cg.PermissionSetName != null && (cg.PermissionSetName.Equals("Internet") || cg.PermissionSetName.Equals("LocalIntranet")))
{
IEnumerator enumCodeGroups = cg.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup group = (CodeGroup)enumCodeGroups.Current;
if (group is NetCodeGroup || group is FileCodeGroup)
{
cg.RemoveChild(group);
}
}
}
// Now give this codegroup the appropriate permission set
PolicyStatement ps = cg.PolicyStatement;
ps.PermissionSet = GetPermissionSetNameFromSecurityLevel(pl, Page2.SecurityLevels[i]);
// Put in the helper codegroups if necessary
if (Page2.SecurityLevels[i] == PermissionSetType.INTRANET)
{
if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
if (!DoesCGHaveCodegroup(cg, typeof(FileCodeGroup)))
{
CodeGroup cgChild = new FileCodeGroup(new AllMembershipCondition(), FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery);
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "FileCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
else if (Page2.SecurityLevels[i] == PermissionSetType.INTERNET)
{
if (!DoesCGHaveCodegroup(cg, typeof(NetCodeGroup)))
{
CodeGroup cgChild = new NetCodeGroup(new AllMembershipCondition());
cgChild.Name = Security.FindAGoodCodeGroupName(pl, "NetCodeGroup_");
cgChild.Description = CResourceStore.GetString("GeneratedCodegroup");
cg.AddChild(cgChild);
}
}
cg.PolicyStatement = ps;
// Now let's build the code group description
String sPermissionSetDes = "";
if (ps.PermissionSet is NamedPermissionSet)
{
sPermissionSetDes += ((NamedPermissionSet)ps.PermissionSet).Description;
}
cg.Description = String.Format(CResourceStore.GetString("CSecurityAdjustmentWizard:CodeGroupDescription"),
cg.PermissionSetName,
GetCodegroupName(sz[i]),
sPermissionSetDes);
// Now add this child back in
cgParent.AddChild(cg);
}
}
// Check to see if this is for the user.
if (!IsHomeUser)
{
// Let's start on our list....
PolicyLevel plUser = Security.GetPolicyLevelFromLabel("User");
// Change the root codegroup's permission set to nothing
CodeGroup cgRoot = plUser.RootCodeGroup;
PolicyStatement ps = cgRoot.PolicyStatement;
ps.PermissionSet = plUser.GetNamedPermissionSet("Nothing");
cgRoot.PolicyStatement = ps;
// Now copy the entire machine level's policy into a child codegroup
// of the user policy
PolicyLevel plMachine = Security.GetPolicyLevelFromLabel("Machine");
CodeGroup cgMachine = plMachine.RootCodeGroup.Copy();
// Change the codegroup's name to something more interesting...
cgMachine.Name = "Wizard_Machine_Policy";
cgMachine.Description = CResourceStore.GetString("CSecurityAdjustmentWizard:CopiedMachinePolicyDes");
// Now skim through the top level looking for Zone codegroups, set
// their permission sets to nothing, and delete any child net and file
// codegroups
IEnumerator enumCodeGroups = cgMachine.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup zoneGroup = (CodeGroup)enumCodeGroups.Current;
if (zoneGroup.MembershipCondition is ZoneMembershipCondition)
{
// Ok, we need to change this codegroup
cgMachine.RemoveChild(zoneGroup);
PolicyStatement zoneps = zoneGroup.PolicyStatement;
zoneps.PermissionSet = plUser.GetNamedPermissionSet("Nothing");
zoneGroup.PolicyStatement = zoneps;
// Now run through its children looking for a file or net codegroup
IEnumerator enumChildCodeGroups = zoneGroup.Children.GetEnumerator();
while (enumChildCodeGroups.MoveNext())
{
CodeGroup zoneChildGroup = (CodeGroup)enumChildCodeGroups.Current;
if (zoneChildGroup is NetCodeGroup || zoneChildGroup is FileCodeGroup)
{
zoneGroup.RemoveChild(zoneChildGroup);
}
}
cgMachine.AddChild(zoneGroup);
}
}
// Now run through the tree and remove any exclusive code groups
// We're best to do this recursively....
if ((cgMachine.PolicyStatement.Attributes & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive)
{
// Remove the exclusive bit
PolicyStatement psMachine = cgMachine.PolicyStatement;
psMachine.Attributes = psMachine.Attributes & ~PolicyStatementAttribute.Exclusive;
cgMachine.PolicyStatement = psMachine;
}
Security.RemoveExclusiveCodeGroups(cgMachine);
// Now run through the user policy looking for codegroups named
// "Wizard_Machine_Policy" and delete those as well.
enumCodeGroups = cgRoot.Children.GetEnumerator();
while (enumCodeGroups.MoveNext())
{
CodeGroup group = (CodeGroup)enumCodeGroups.Current;
if (group.Name.Equals("Wizard_Machine_Policy"))
{
cgRoot.RemoveChild(group);
}
}
// Add finally this to the root codegroup of the user policy
Security.PrepCodeGroupTree(cgMachine, plMachine, plUser);
cgRoot.AddChild(cgMachine);
plUser.RootCodeGroup = cgRoot;
}
m_fWizardFinished = true;
return(0);
}// WizFinish
