public void CreateSandboxedInstanceWithFullTrustListTest() { PermissionSet internet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet); RemoteDomainObject fullTrustListInternet = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(internet, new Assembly[] { typeof(object).Assembly, typeof(System.Diagnostics.Debug).Assembly }); // Ensure we got Internet permissions Assert.IsTrue(fullTrustListInternet.Demand(internet)); Assert.IsFalse(fullTrustListInternet.Demand(PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet))); // We should share with other objects having the same full trust list RemoteDomainObject fullTrustListInternet2 = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(internet, new Assembly[] { typeof(object).Assembly, typeof(System.Diagnostics.Debug).Assembly }); Assert.AreEqual(fullTrustListInternet.AppDomainId, fullTrustListInternet2.AppDomainId); // We shouldn't share with a non-full-trust-list bearing Internet object RemoteDomainObject noFullTrustListInternet = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(internet, null); Assert.AreNotEqual(fullTrustListInternet.AppDomainId, noFullTrustListInternet.AppDomainId); // Nor should we share with assemblies with a different full trust list RemoteDomainObject differentFullTrustListInternet = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(internet, new Assembly[] { typeof(object).Assembly }); Assert.AreNotEqual(fullTrustListInternet.AppDomainId, differentFullTrustListInternet.AppDomainId); }
public void GetStandardPermissionSetFullTrustPermissionSetTest() { PermissionSet fullTrust = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.FullTrust); // FullTrust should be, well, FullTrust Assert.IsTrue(fullTrust.IsUnrestricted()); }
public void GetStandardPermissionSetNothingPermissionSetTest() { PermissionSet nothing = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Nothing); // Nothing should not be unrestricted and should be empty Assert.IsFalse(nothing.IsUnrestricted()); Assert.IsTrue(nothing.IsEmpty()); Assert.AreEqual(0, nothing.Count); }
public void CreateSandboxSimpleTest() { PermissionSet sandboxSet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet, new Url(Path.GetTempPath())); AppDomain sandbox = SandboxFactory.CreateSandbox(Path.GetTempPath(), sandboxSet); Assert.IsTrue(sandbox.IsSandboxed()); Assert.IsTrue(sandbox.GetPermissionSet().IsSubsetOf(sandboxSet)); Assert.IsTrue(sandboxSet.IsSubsetOf(sandbox.GetPermissionSet())); Assert.AreEqual(Path.GetTempPath(), sandbox.BaseDirectory); }
public void CreateSandboxedInstanceDefaultTest() { RemoteDomainObject object1 = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(); // Ensure we got Execution permission Assert.IsTrue(object1.Demand(PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Execution))); Assert.IsFalse(object1.Demand(PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet))); // Ensure that we reuse the same domain for multiple objects RemoteDomainObject object2 = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(); Assert.AreEqual(object1.AppDomainId, object2.AppDomainId); }
public void CreateSandboxedInstanceInternetTest() { PermissionSet internet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet); RemoteDomainObject object1 = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(internet); // Ensure we got Internet permissions Assert.IsTrue(object1.Demand(internet)); Assert.IsFalse(object1.Demand(PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet))); // Ensure we reuse the same domain for multiple objects RemoteDomainObject object2 = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(internet); Assert.AreEqual(object1.AppDomainId, object2.AppDomainId); }
public void GetStandardPermissionSetEverythingPermissionSetTest() { PermissionSet everything = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Everything); // Everything should neither be empty nor full trust Assert.IsFalse(everything.IsUnrestricted()); Assert.IsFalse(everything.IsEmpty()); // Each permission in Everything should be unrestricted, except for SecurityPermission foreach (IPermission permission in everything) { IUnrestrictedPermission unrestricted = permission as IUnrestrictedPermission; SecurityPermission securityPermission = permission as SecurityPermission; if (securityPermission != null) { SecurityPermissionFlag everythingFlags = SecurityPermissionFlag.Assertion | SecurityPermissionFlag.BindingRedirects | SecurityPermissionFlag.ControlAppDomain | SecurityPermissionFlag.ControlDomainPolicy | SecurityPermissionFlag.ControlEvidence | SecurityPermissionFlag.ControlPolicy | SecurityPermissionFlag.ControlPrincipal | SecurityPermissionFlag.ControlThread | SecurityPermissionFlag.Execution | SecurityPermissionFlag.Infrastructure | SecurityPermissionFlag.RemotingConfiguration | SecurityPermissionFlag.SerializationFormatter | SecurityPermissionFlag.UnmanagedCode; Assert.AreEqual(everythingFlags, securityPermission.Flags); } else if (unrestricted != null) { Assert.IsTrue(unrestricted.IsUnrestricted()); } } // Everything should be a superset of Internet and LocalIntranet PermissionSet internet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet); Assert.IsTrue(internet.IsSubsetOf(everything)); Assert.IsFalse(everything.IsSubsetOf(internet)); PermissionSet localIntranet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet); Assert.IsTrue(localIntranet.IsSubsetOf(everything)); Assert.IsFalse(everything.IsSubsetOf(localIntranet)); }
public void GetStandardPermissionSetExecutionPermissionSetTest() { PermissionSet execution = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Execution); // Execution should neither be empty nor full trust Assert.IsFalse(execution.IsUnrestricted()); Assert.IsFalse(execution.IsEmpty()); // The Execution set should have a single permission in it Assert.AreEqual(1, execution.Count); // We should have a security permission granting only Execution SecurityPermission securityPermission = execution.GetPermission(typeof(SecurityPermission)) as SecurityPermission; Assert.IsNotNull(securityPermission); Assert.AreEqual(SecurityPermissionFlag.Execution, securityPermission.Flags); }
public void GetStandardSandboxTest() { Url fileUrl = new Url(@"\\server\share\app"); Url webUrl = new Url("http://www.microsoft.com"); PermissionSet nothing = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Nothing); PermissionSet internet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet, webUrl); PermissionSet localIntranet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet, fileUrl); // No zone -> nothing Evidence noZone = new Evidence(); PermissionSet noZoneSandbox = PermissionSetFactory.GetStandardSandbox(noZone); Assert.IsTrue(nothing.IsSubsetOf(noZoneSandbox) && noZoneSandbox.IsSubsetOf(nothing)); // Untrusted -> Nothing Evidence untrustedZone = new Evidence(new object[] { new Zone(SecurityZone.Untrusted), webUrl }, null); PermissionSet untrustedSandbox = PermissionSetFactory.GetStandardSandbox(untrustedZone); Assert.IsTrue(nothing.IsSubsetOf(untrustedSandbox) && untrustedSandbox.IsSubsetOf(nothing)); // Internet -> Internet Evidence internetZone = new Evidence(new object[] { new Zone(SecurityZone.Internet), webUrl }, null); PermissionSet internetSandbox = PermissionSetFactory.GetStandardSandbox(internetZone); Assert.IsTrue(internet.IsSubsetOf(internetSandbox) && internetSandbox.IsSubsetOf(internet)); // Trusted -> Internet Evidence trustedZone = new Evidence(new object[] { new Zone(SecurityZone.Trusted), webUrl }, null); PermissionSet trustedSandbox = PermissionSetFactory.GetStandardSandbox(trustedZone); Assert.IsTrue(internet.IsSubsetOf(trustedSandbox) && trustedSandbox.IsSubsetOf(internet)); // Intranet -> LocalIntranet Evidence intranetZone = new Evidence(new object[] { new Zone(SecurityZone.Intranet), fileUrl }, null); PermissionSet intranetSandbox = PermissionSetFactory.GetStandardSandbox(intranetZone); Assert.IsTrue(localIntranet.IsSubsetOf(intranetSandbox) && intranetSandbox.IsSubsetOf(localIntranet)); // MyComputer -> FullTrust Evidence myComputerZone = new Evidence(new object[] { new Zone(SecurityZone.MyComputer), fileUrl }, null); PermissionSet myComputerSandbox = PermissionSetFactory.GetStandardSandbox(myComputerZone); Assert.IsTrue(myComputerSandbox.IsUnrestricted()); }
internal static PermissionSet GetStandardPermissionSet(StandardPermissionSet permissionSet, Url sourceUrl) { switch (permissionSet) { // We need to handle Internet, LocalIntranet, and Everything ourselves, since // PermissionSetFactory will use deprecated CAS policy to calculate those case StandardPermissionSet.Internet: return(GetInternetPermissionSet(sourceUrl)); case StandardPermissionSet.LocalIntranet: return(GetLocalIntranetPermissionSet(sourceUrl)); case StandardPermissionSet.Everything: return(GetEverythingPermissionSet()); // Everything else can be obtained through PermissionSetFactory default: return(PermissionSetFactory.GetStandardPermissionSet(permissionSet, sourceUrl)); } }
public void CreateSandboxFullTrustListTest() { PermissionSet sandboxSet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet, new Url(Path.GetTempPath())); // Yes, both mscorlib and System.dll are in the GAC and would therefore be fully trusted anyway, // without needing this list. However, by adding them here we can ensure that the strong names // are flowing properly. AppDomain sandbox = SandboxFactory.CreateSandbox(Path.GetTempPath(), sandboxSet, typeof(object).Assembly, typeof(System.Diagnostics.Debug).Assembly); Assert.IsTrue(sandbox.IsSandboxed()); Assert.IsTrue(sandbox.GetPermissionSet().IsSubsetOf(sandboxSet)); Assert.IsTrue(sandboxSet.IsSubsetOf(sandbox.GetPermissionSet())); Assert.AreEqual(Path.GetTempPath(), sandbox.BaseDirectory); IList <StrongName> fullTrustList = sandbox.ApplicationTrust.GetFullTrustAssemblies(); Assert.AreEqual(2, fullTrustList.Count); Assert.IsTrue(fullTrustList.Contains(typeof(object).Assembly.GetStrongName())); Assert.IsTrue(fullTrustList.Contains(typeof(System.Diagnostics.Debug).Assembly.GetStrongName())); }
public void CreateSandboxedInstanceMultipleSandboxesTest() { PermissionSet execution = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Execution); RemoteDomainObject executionObject = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(execution); Assert.IsTrue(executionObject.Demand(execution)); Assert.IsFalse(executionObject.Demand(new PermissionSet(PermissionState.Unrestricted))); PermissionSet internet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet); RemoteDomainObject internetObject = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(internet); Assert.IsTrue(internetObject.Demand(internet)); Assert.IsFalse(internetObject.Demand(new PermissionSet(PermissionState.Unrestricted))); PermissionSet intranet = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet); RemoteDomainObject intranetObject = SandboxActivator.CreateSandboxedInstance <RemoteDomainObject>(intranet); Assert.IsTrue(intranetObject.Demand(intranet)); Assert.IsFalse(intranetObject.Demand(new PermissionSet(PermissionState.Unrestricted))); Assert.AreNotEqual(executionObject.AppDomainId, internetObject.AppDomainId); Assert.AreNotEqual(executionObject.AppDomainId, intranetObject.AppDomainId); Assert.AreNotEqual(internetObject.AppDomainId, intranetObject.AppDomainId); }
public void GetStandardPermissionSetInvalidSetTest() { PermissionSetFactory.GetStandardPermissionSet((StandardPermissionSet)21); }
public void CreateSandboxNullAppBaseTest() { SandboxFactory.CreateSandbox(null, PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet)); }
public void GetStandardPermissionSetLocalIntranetPermissionSetTest() { // Get a copy of LocalIntranet which is not extended with any same-site permission PermissionSet intranetBase = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet, null); // It shouldn't be fully trusted, and should contain a set of well known permissions Assert.IsFalse(intranetBase.IsUnrestricted()); Assert.IsTrue(intranetBase.Count == 8 || intranetBase.Count == 10); // We should have SecurityPermission/Execution,Assertion,BindingRedirects SecurityPermission baseSecurityPermission = intranetBase.GetPermission(typeof(SecurityPermission)) as SecurityPermission; Assert.IsNotNull(baseSecurityPermission); Assert.AreEqual(SecurityPermissionFlag.Execution | SecurityPermissionFlag.Assertion | SecurityPermissionFlag.BindingRedirects, baseSecurityPermission.Flags); // Unrestricted FileDialogPermission FileDialogPermission baseFileDialogPermission = intranetBase.GetPermission(typeof(FileDialogPermission)) as FileDialogPermission; Assert.IsNotNull(baseFileDialogPermission); Assert.IsTrue(baseFileDialogPermission.IsUnrestricted()); // IsolatedStorageFilePermission/AssemblyIsolationByUser IsolatedStorageFilePermission baseIsostorePermission = intranetBase.GetPermission(typeof(IsolatedStorageFilePermission)) as IsolatedStorageFilePermission; Assert.IsNotNull(baseIsostorePermission); Assert.AreEqual(IsolatedStorageContainment.AssemblyIsolationByUser, baseIsostorePermission.UsageAllowed); // Unrestricted UIPermission UIPermission baseUIPermission = intranetBase.GetPermission(typeof(UIPermission)) as UIPermission; Assert.IsNotNull(baseUIPermission); Assert.IsTrue(baseUIPermission.IsUnrestricted()); // PrintingPermission/DefaultPrinting PrintingPermission basePrintingPermission = intranetBase.GetPermission(typeof(PrintingPermission)) as PrintingPermission; Assert.IsNotNull(basePrintingPermission); Assert.AreEqual(PrintingPermissionLevel.DefaultPrinting, basePrintingPermission.Level); // EnvironmentPermission/Read USERNAME EnvironmentPermission baseEnvironmentPermission = intranetBase.GetPermission(typeof(EnvironmentPermission)) as EnvironmentPermission; Assert.IsNotNull(baseEnvironmentPermission); Assert.AreEqual("USERNAME", baseEnvironmentPermission.GetPathList(EnvironmentPermissionAccess.Read)); // ReflectionPermission/ReflectionEmit ReflectionPermission baseReflectionPermission = intranetBase.GetPermission(typeof(ReflectionPermission)) as ReflectionPermission; Assert.IsNotNull(baseReflectionPermission); Assert.AreEqual(ReflectionPermissionFlag.ReflectionEmit, baseReflectionPermission.Flags); // Unrestricted DNS permission DnsPermission baseDnsPermission = intranetBase.GetPermission(typeof(DnsPermission)) as DnsPermission; Assert.IsNotNull(baseDnsPermission); Assert.IsTrue(baseDnsPermission.IsUnrestricted()); // Also check for WPF extensions MediaPermission baseMediaPermission = intranetBase.GetPermission(typeof(MediaPermission)) as MediaPermission; if (baseMediaPermission != null) { Assert.AreEqual(MediaPermissionAudio.SafeAudio, baseMediaPermission.Audio); Assert.AreEqual(MediaPermissionImage.SafeImage, baseMediaPermission.Image); Assert.AreEqual(MediaPermissionVideo.SafeVideo, baseMediaPermission.Video); } WebBrowserPermission baseWebPermission = intranetBase.GetPermission(typeof(WebBrowserPermission)) as WebBrowserPermission; if (baseWebPermission != null) { Assert.AreEqual(WebBrowserPermissionLevel.Safe, baseWebPermission.Level); } // Now try to extend with a local URL - we should get FileIOPermission Url localUrl = new Url(@"file://c:\windows"); PermissionSet intranetLocalExtended = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet, localUrl); Assert.IsTrue(intranetBase.IsSubsetOf(intranetLocalExtended)); Assert.IsFalse(intranetLocalExtended.IsUnrestricted()); Assert.AreEqual(intranetBase.Count + 1, intranetLocalExtended.Count); FileIOPermission filePermission = intranetLocalExtended.GetPermission(typeof(FileIOPermission)) as FileIOPermission; Assert.IsNotNull(filePermission); Assert.IsFalse(filePermission.IsUnrestricted()); // Finally, try to extend with a Web URL, which should provide same site web access Url webUrl = new Url("htt://www.microsoft.com/"); PermissionSet intranetWebExtended = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.LocalIntranet, webUrl); Assert.IsTrue(intranetBase.IsSubsetOf(intranetWebExtended)); Assert.IsFalse(intranetWebExtended.IsUnrestricted()); Assert.AreEqual(intranetBase.Count + 1, intranetWebExtended.Count); WebPermission webPermission = intranetWebExtended.GetPermission(typeof(WebPermission)) as WebPermission; Assert.IsNotNull(webPermission); Assert.IsFalse(webPermission.IsUnrestricted()); }
public void GetStandardPermissionSetInternetPermissionSetTest() { // Get a copy of Internet which is not extended with any same-site permission PermissionSet internetBase = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet, null); // It shouldn't be fully trusted, and should contain a set of well known permissions Assert.IsFalse(internetBase.IsUnrestricted()); Assert.IsTrue(internetBase.Count == 5 || internetBase.Count == 7); // We should have SecurityPermission/Execution SecurityPermission baseSecurityPermission = internetBase.GetPermission(typeof(SecurityPermission)) as SecurityPermission; Assert.IsNotNull(baseSecurityPermission); Assert.AreEqual(SecurityPermissionFlag.Execution, baseSecurityPermission.Flags); // FileDialogPermission/Open FileDialogPermission baseFileDialogPermission = internetBase.GetPermission(typeof(FileDialogPermission)) as FileDialogPermission; Assert.IsNotNull(baseFileDialogPermission); Assert.AreEqual(FileDialogPermissionAccess.Open, baseFileDialogPermission.Access); // IsolatedStorageFilePermission/ApplicationIsolationByUser IsolatedStorageFilePermission baseIsostorePermission = internetBase.GetPermission(typeof(IsolatedStorageFilePermission)) as IsolatedStorageFilePermission; Assert.IsNotNull(baseIsostorePermission); Assert.AreEqual(IsolatedStorageContainment.ApplicationIsolationByUser, baseIsostorePermission.UsageAllowed); // UIPermission/SafeTopLevelWindows and UIPermission/OwnClipboard UIPermission baseUIPermission = internetBase.GetPermission(typeof(UIPermission)) as UIPermission; Assert.IsNotNull(baseUIPermission); Assert.AreEqual(UIPermissionWindow.SafeTopLevelWindows, baseUIPermission.Window); Assert.AreEqual(UIPermissionClipboard.OwnClipboard, baseUIPermission.Clipboard); // PrintingPermission/SafePrinting PrintingPermission basePrintingPermission = internetBase.GetPermission(typeof(PrintingPermission)) as PrintingPermission; Assert.IsNotNull(basePrintingPermission); Assert.AreEqual(PrintingPermissionLevel.SafePrinting, basePrintingPermission.Level); // Also check for WPF extensions MediaPermission baseMediaPermission = internetBase.GetPermission(typeof(MediaPermission)) as MediaPermission; if (baseMediaPermission != null) { Assert.AreEqual(MediaPermissionAudio.SafeAudio, baseMediaPermission.Audio); Assert.AreEqual(MediaPermissionImage.SafeImage, baseMediaPermission.Image); Assert.AreEqual(MediaPermissionVideo.SafeVideo, baseMediaPermission.Video); } WebBrowserPermission baseWebPermission = internetBase.GetPermission(typeof(WebBrowserPermission)) as WebBrowserPermission; if (baseWebPermission != null) { Assert.AreEqual(WebBrowserPermissionLevel.Safe, baseWebPermission.Level); } // Now try to extend with a local URL - we should get no extensions Url localUrl = new Url(@"file://c:\windows"); PermissionSet internetLocalExtended = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet, localUrl); Assert.IsTrue(internetLocalExtended.IsSubsetOf(internetBase)); Assert.IsTrue(internetBase.IsSubsetOf(internetLocalExtended)); // Finally, try to extend with a Web URL, which should provide same site web access Url webUrl = new Url("htt://www.microsoft.com/"); PermissionSet internetWebExtended = PermissionSetFactory.GetStandardPermissionSet(StandardPermissionSet.Internet, webUrl); Assert.IsTrue(internetBase.IsSubsetOf(internetWebExtended)); Assert.IsFalse(internetWebExtended.IsUnrestricted()); Assert.AreEqual(internetBase.Count + 1, internetWebExtended.Count); WebPermission webPermission = internetWebExtended.GetPermission(typeof(WebPermission)) as WebPermission; Assert.IsNotNull(webPermission); Assert.IsFalse(webPermission.IsUnrestricted()); }
public void GetStandardSandboxNullEvidenceTest() { PermissionSetFactory.GetStandardSandbox(null); }