public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
//case 1, SysemAcl with huge number of Aces
revision = 0;
capacity = 1;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
}
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(1820 == systemAcl.Count);
}
public static void AdditionalTestCases()
{
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
//case 1, capacity = -1
Assert.Throws <ArgumentOutOfRangeException>(() =>
{
capacity = -1;
systemAcl = new SystemAcl(isContainer, isDS, revision, capacity);
});
//case 2, capacity = Int32.MaxValue/2
Assert.Throws <OutOfMemoryException>(() =>
{
isContainer = true;
isDS = false;
revision = 0;
capacity = Int32.MaxValue / 2;
TestConstructor(isContainer, isDS, revision, capacity);
});
//case 3, capacity = Int32.MaxValue
Assert.Throws <OutOfMemoryException>(() =>
{
isContainer = true;
isDS = true;
revision = 255;
capacity = Int32.MaxValue;
TestConstructor(isContainer, isDS, revision, capacity);
});
}
public void SecurityDescriptor()
{
DiscretionaryAcl dacl = new DiscretionaryAcl
{
//new AccessControlEntry<FileSystemRight>() { Allowed = true, Right = FileSystemRight.FullControl },
//new AccessControlEntry<UIRight>() { Allowed = true, Right = UIRight.FullControl },
//new AccessControlEntry<UIRight>() { Allowed = false, Right = UIRight.Enabled },
//new AccessControlEntry<FileSystemRight>() { Allowed = false, Right = FileSystemRight.Execute }
};
SystemAcl sacl = new SystemAcl
{
//new AccessControlEntryAudit<FileSystemRight>() { Allowed = true, Denied = false, Right = FileSystemRight.FullControl },
//new AccessControlEntryAudit<UIRight>() { Allowed = true, Denied = true, Right = UIRight.FullControl },
//new AccessControlEntryAudit<UIRight>() { Allowed = false, Denied = false, Right = UIRight.Enabled },
//new AccessControlEntryAudit<FileSystemRight>() { Allowed = false, Denied = true, Right = FileSystemRight.Execute }
};
SecurityDescriptor sd = new SecurityDescriptor()
{
Dacl = dacl,
Sacl = sacl
};
//sd.Eval<UIRight>();
sd.Eval();
}
private static bool TestAddAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] sAclBinaryForm = null;
byte[] rAclBinaryForm = null;
systemAcl.AddAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags);
if (systemAcl.Count == rawAcl.Count &&
systemAcl.BinaryLength == rawAcl.BinaryLength)
{
sAclBinaryForm = new byte[systemAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
systemAcl.GetBinaryForm(sAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm))
{
result = false;
}
//redundant index check
for (int i = 0; i < systemAcl.Count; i++)
{
if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return(result);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
int expectedLength = 0;
//case 1, SystemAcl with huge number of Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
expectedLength = 8;
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
expectedLength += gAce.BinaryLength;
}
systemAcl = new SystemAcl(false, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
}
public void SaclPresent()
{
SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
SystemAcl sacl = new SystemAcl(false, false, 0);
CommonSecurityDescriptor csd;
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, null, null);
Assert.IsNull(csd.SystemAcl);
Assert.IsTrue(csd.IsSystemAclCanonical);
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.SystemAclPresent, userSid, groupSid, null, null);
Assert.IsNull(csd.SystemAcl);
Assert.IsTrue(csd.IsSystemAclCanonical);
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags);
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, sacl, null);
Assert.AreSame(sacl, csd.SystemAcl);
Assert.IsTrue(csd.IsSystemAclCanonical);
Assert.AreEqual(0, csd.SystemAcl.Count);
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.SystemAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
csd.SystemAcl = null;
Assert.AreEqual(ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
}
public static void TestConstructor(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr)
{
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
{
sacl = null;
}
else
{
sacl = new SystemAcl(isContainer, isDS, rawAcl);
}
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
{
dacl = null;
}
else
{
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
}
Assert.True(VerifyResult(isContainer, isDS, controlFlags, owner, group, sacl, dacl));
}
public void SetAudit()
{
SecurityIdentifier adminSid = new SecurityIdentifier("BA"); // S-1-5-32-544
SecurityIdentifier userSid = new SecurityIdentifier("BU"); // S-1-5-32-545
SystemAcl sacl = new SystemAcl(true, false, 0);
sacl.SetAudit(AuditFlags.Success, adminSid, 1, InheritanceFlags.ObjectInherit, PropagationFlags.None);
sacl.SetAudit(AuditFlags.Success, userSid, 2, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual(2, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual(adminSid, ace.SecurityIdentifier);
Assert.AreEqual(1, ace.AccessMask);
sacl.SetAudit(AuditFlags.Success, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
Assert.AreNotEqual(4, ace.AccessMask);
ace = (CommonAce)sacl [0];
Assert.AreEqual(4, ace.AccessMask);
sacl.SetAudit(AuditFlags.Failure, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
Assert.AreEqual(2, sacl.Count);
ace = (CommonAce)sacl [0];
Assert.AreEqual(AuditFlags.Failure, ace.AuditFlags);
Assert.AreEqual(adminSid, ace.SecurityIdentifier);
ace = (CommonAce)sacl [1];
Assert.AreEqual(AuditFlags.Success, ace.AuditFlags);
Assert.AreEqual(userSid, ace.SecurityIdentifier);
}
private static bool TestRemoveAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, bool removePossible)
{
bool result = true;
bool isRemoved = false;
byte[] sAclBinaryForm = null;
byte[] rAclBinaryForm = null;
isRemoved = systemAcl.RemoveAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags);
if ((isRemoved == removePossible) &&
(systemAcl.Count == rawAcl.Count) &&
(systemAcl.BinaryLength == rawAcl.BinaryLength))
{
sAclBinaryForm = new byte[systemAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
systemAcl.GetBinaryForm(sAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < systemAcl.Count; i++)
{
if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
result = false;
return result;
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
//case 1, SysemAcl with huge number of Aces
revision = 0;
capacity = 1;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
}
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(1820 == systemAcl.Count);
}
public static void AdditionalTestCases()
{
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
//case 1, capacity = -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
capacity = -1;
systemAcl = new SystemAcl(isContainer, isDS, revision, capacity);
});
//case 2, capacity = Int32.MaxValue/2
Assert.Throws<OutOfMemoryException>(() =>
{
isContainer = true;
isDS = false;
revision = 0;
capacity = Int32.MaxValue / 2;
TestConstructor(isContainer, isDS, revision, capacity);
});
//case 3, capacity = Int32.MaxValue
Assert.Throws<OutOfMemoryException>(() =>
{
isContainer = true;
isDS = true;
revision = 255;
capacity = Int32.MaxValue;
TestConstructor(isContainer, isDS, revision, capacity);
});
}
public void AddAuditObjectAceAndCommonAce()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, true, 0);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid(), Guid.Empty);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(2, sacl.Count);
CommonAce cace = (CommonAce)sacl [0];
Assert.AreEqual(1, cace.AccessMask);
Assert.AreEqual("S-1-5-32-544", cace.SecurityIdentifier.Value);
Assert.IsFalse(cace.IsCallback);
Assert.IsFalse(cace.IsInherited);
ObjectAce oace = (ObjectAce)sacl [1];
Assert.AreEqual(1, oace.AccessMask);
Assert.AreEqual("S-1-5-32-544", oace.SecurityIdentifier.Value);
Assert.IsFalse(oace.IsCallback);
Assert.IsFalse(oace.IsInherited);
sacl.AddAudit(AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(2, sacl.Count);
CommonAce cace2 = (CommonAce)sacl [0];
Assert.AreEqual(3, cace2.AccessMask);
}
public static void AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
byte revision = 0;
int capacity = 0;
//case 1, null Sid
Assert.Throws <ArgumentNullException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.Purge(null);
});
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
int expectedLength = 0;
//case 1, SystemAcl with huge number of Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
expectedLength = 8;
for (int i = 0; i < 1820; i++)
{
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null);
rawAcl.InsertAce(0, gAce);
expectedLength += gAce.BinaryLength;
}
systemAcl = new SystemAcl(false, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
}
public static void TestSystemAcl(bool isContainerSD, bool isDSSD, string sddl, bool isContainerSacl, bool isDSSacl, string newSaclStr)
{
CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainerSD, isDSSD, sddl);
SystemAcl sacl = newSaclStr == null ? null : new SystemAcl(isContainerSacl, isDSSacl, Utils.CreateRawAclFromString(newSaclStr));
try
{
commonSecurityDescriptor.SystemAcl = sacl;
Assert.True(sacl == commonSecurityDescriptor.SystemAcl);
if (sacl != null)
{
Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0);
}
else
{
Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) == 0);
}
}
catch (NullReferenceException)
{
Assert.Null(sacl);
}
catch (ArgumentException)
{
Assert.True((sacl.IsContainer != commonSecurityDescriptor.IsContainer) || (sacl.IsDS != commonSecurityDescriptor.IsDS));
}
}
public byte[] ToSaclBytes()
{
SystemAcl sacl = new SystemAcl(false, false, 0);
byte[] bytes = new byte[sacl.BinaryLength];
sacl.GetBinaryForm(bytes, 0);
return(bytes);
}
public byte[] ToSystemAclBytes()
{
var systemAcl = new SystemAcl(false, false, 0);
var bytes = new byte[systemAcl.BinaryLength];
systemAcl.GetBinaryForm(bytes, 0);
return(bytes);
}
internal byte[] ToSaclBytes()
{
var sacl = new SystemAcl(false, false, 0);
var bytes = new byte[sacl.BinaryLength];
sacl.GetBinaryForm(bytes, 0);
return(bytes);
}
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
AccessControlSections accControlSections = AccessControlSections.None;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
{
sacl = null;
}
else
{
sacl = new SystemAcl(isContainer, isDS, rawAcl);
}
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
{
dacl = null;
}
else
{
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
}
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
if (getOwner)
{
accControlSections |= AccessControlSections.Owner;
}
if (getGroup)
{
accControlSections |= AccessControlSections.Group;
}
if (getSacl)
{
accControlSections |= AccessControlSections.Audit;
}
if (getDacl)
{
accControlSections |= AccessControlSections.Access;
}
resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections);
Assert.True(string.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0);
}
public void RemoveSpecific()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, false, 0);
RemoveSpecificBegin(sid, sacl, InheritanceFlags.None);
sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual(0, sacl.Count);
}
public void ContainerAndDSConsistencyEnforcedB()
{
SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
SystemAcl sacl = new SystemAcl(false, false, 0);
new CommonSecurityDescriptor(true, false, ControlFlags.None, userSid, groupSid, sacl, null);
}
public static void BasicValidationTestCases(bool isContainer, bool isDS, int auditFlags, string sid, int accessMask, int inheritanceFlags, int propagationFlags, string initialRawAclStr, string verifierRawAclStr)
{
//create a systemAcl
RawAcl rawAcl = Utils.CreateRawAclFromString(initialRawAclStr);
SystemAcl systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
}
public static void BasicValidationTestCases(bool isContainer, bool isDS, int auditFlags, string sid, int accessMask, int inheritanceFlags, int propagationFlags, string initialRawAclStr, string verifierRawAclStr)
{
//create a systemAcl
RawAcl rawAcl = Utils.CreateRawAclFromString(initialRawAclStr);
SystemAcl systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
}
public static void BasicValidationTestCases(bool isContainer, bool isDS, string initialRawAclStr, string verifierRawAclStr, bool wasCanonicalInitially)
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
//create a systemAcl
rawAcl = Utils.CreateRawAclFromString(initialRawAclStr);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
Assert.True(TestConstructor(systemAcl, isContainer, isDS, wasCanonicalInitially, rawAcl));
}
public void RemoveSpecificUsingDSOverload()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, true, 0);
RemoveSpecificBegin(sid, sacl, InheritanceFlags.None);
sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty);
Assert.AreEqual(1, sacl.Count);
sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(0, sacl.Count);
}
public void AddAuditMergesFlags()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, false, 0);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual(AuditFlags.Success | AuditFlags.Failure, ace.AuditFlags);
}
public static void Additional2TestCases()
{
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
//case 1, rawAcl = null
Assert.Throws <ArgumentNullException>(() =>
{
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
});
}
private static bool TestRemoveInheritedAces(SystemAcl systemAcl)
{
GenericAce ace = null;
systemAcl.RemoveInheritedAces();
for (int i = 0; i < systemAcl.Count; i++)
{
ace = systemAcl[i];
if ((ace.AceFlags & AceFlags.Inherited) != 0)
{
return(false);
}
}
return(true);
}
public void AddAuditCommonAce()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, false, 0);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual(AuditFlags.Success, ace.AuditFlags);
Assert.AreEqual(1, ace.AccessMask);
Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse(ace.IsInherited);
}
public void AddAuditCommonAceUsingDSOverload()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, true, 0);
sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.NewGuid(), Guid.NewGuid());
Assert.AreEqual(1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual(AuditFlags.Failure, ace.AuditFlags);
Assert.AreEqual(1, ace.AccessMask);
Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse(ace.IsInherited);
}
public static void TestConstructor(bool isContainer, bool isDS, byte revision, int capacity)
{
bool result = true;
byte[] sAclBinaryForm = null;
byte[] rAclBinaryForm = null;
SystemAcl systemAcl = null;
RawAcl rawAcl = null;
systemAcl = new SystemAcl(isContainer, isDS, revision, capacity);
rawAcl = new RawAcl(revision, capacity);
if (isContainer == systemAcl.IsContainer &&
isDS == systemAcl.IsDS &&
revision == systemAcl.Revision &&
0 == systemAcl.Count &&
8 == systemAcl.BinaryLength &&
true == systemAcl.IsCanonical)
{
sAclBinaryForm = new byte[systemAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
systemAcl.GetBinaryForm(sAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm))
{
result = false;
}
//redundant index check
for (int i = 0; i < systemAcl.Count; i++)
{
if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
Assert.True(result);
}
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
string resultSddl = null;
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
AccessControlSections accControlSections = AccessControlSections.None;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
sacl = null;
else
sacl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
dacl = null;
else
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
if (getOwner)
accControlSections |= AccessControlSections.Owner;
if (getGroup)
accControlSections |= AccessControlSections.Group;
if (getSacl)
accControlSections |= AccessControlSections.Audit;
if (getDacl)
accControlSections |= AccessControlSections.Access;
resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections);
if (expectedSddl == null || resultSddl == null)
Assert.True(expectedSddl == null && resultSddl == null);
else
Assert.True(String.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0);
}
void RemoveSpecificBegin(SecurityIdentifier sid, SystemAcl sacl, InheritanceFlags inheritanceFlags)
{
SecurityIdentifier otherSid = new SecurityIdentifier("BU");
sacl.AddAudit(AuditFlags.Success, sid, 3, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
sacl.RemoveAuditSpecific(AuditFlags.Failure, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
sacl.RemoveAuditSpecific(AuditFlags.Success, otherSid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
Assert.AreEqual(3, ((CommonAce)sacl [0]).AccessMask);
sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3,
inheritanceFlags ^ InheritanceFlags.ContainerInherit,
PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
string sid = "BA";
//case 1, empty SystemAcl
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(0 == systemAcl.Count);
//case 2, SystemAcl with one Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(1 == systemAcl.Count);
//case 3, SystemAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(2 == systemAcl.Count);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
GenericAce gAce = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
byte revision = 0;
int capacity = 0;
string sid = "BA";
//case 1, empty SystemAcl
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(0 == systemAcl.Count);
//case 2, SystemAcl with one Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(1 == systemAcl.Count);
//case 3, SystemAcl with two Aces
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(2 == systemAcl.Count);
}
public static void TestConstructor(bool isContainer, bool isDS, byte revision, int capacity)
{
bool result = true;
byte[] sAclBinaryForm = null;
byte[] rAclBinaryForm = null;
SystemAcl systemAcl = null;
RawAcl rawAcl = null;
systemAcl = new SystemAcl(isContainer, isDS, revision, capacity);
rawAcl = new RawAcl(revision, capacity);
if (isContainer == systemAcl.IsContainer &&
isDS == systemAcl.IsDS &&
revision == systemAcl.Revision &&
0 == systemAcl.Count &&
8 == systemAcl.BinaryLength &&
true == systemAcl.IsCanonical)
{
sAclBinaryForm = new byte[systemAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
systemAcl.GetBinaryForm(sAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < systemAcl.Count; i++)
{
if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
Assert.True(result);
}
public static void TestOwner(string newOwnerStr)
{
bool isContainer = false;
bool isDS = false;
int controlFlags = 1;
string ownerStr = "BA";
string groupStr = "BG";
CommonSecurityDescriptor commonSecurityDescriptor = null;
SecurityIdentifier owner = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr));
SecurityIdentifier newOwner = (newOwnerStr != null ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(newOwnerStr)) : null);
SecurityIdentifier group = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr));
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, (ControlFlags)controlFlags, owner, group, sacl, dacl);
commonSecurityDescriptor.Owner = newOwner;
// verify the result, we can use == here as SecurityIdentifier overrides the comparsison
Assert.True(newOwner == commonSecurityDescriptor.Owner);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
int expectedLength = 0;
//case 1, empty systemAcl, binarylength should be 8
capacity = 1;
systemAcl = new SystemAcl(false, false, capacity);
expectedLength = 8;
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(true, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 3, SystemAcl with two Aces
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
string sid = "BG";
int expectedLength = 0;
//case 1, empty systemAcl, binarylength should be 8
capacity = 1;
systemAcl = new SystemAcl(false, false, capacity);
expectedLength = 8;
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(true, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
//case 3, SystemAcl with two Aces
expectedLength = 8;
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
expectedLength += gAce.BinaryLength;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
Assert.True(expectedLength == systemAcl.BinaryLength);
}
private static bool TestConstructor(SystemAcl systemAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl)
{
bool result = true;
byte[] sAclBinaryForm = null;
byte[] rAclBinaryForm = null;
if (systemAcl.IsContainer == isContainer &&
systemAcl.IsDS == isDS &&
systemAcl.Revision == rawAcl.Revision &&
systemAcl.Count == rawAcl.Count &&
systemAcl.BinaryLength == rawAcl.BinaryLength &&
systemAcl.IsCanonical == wasCanonicalInitially)
{
sAclBinaryForm = new byte[systemAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
systemAcl.GetBinaryForm(sAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < systemAcl.Count; i++)
{
if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return result;
}
public static void BasicValidationTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
GenericAce verifierGAce = null;
string owner1 = "BO";
string owner2 = "BA";
string owner3 = "BG";
int index = 0;
// case 1, only one ACE, get at index 0
rawAcl = new RawAcl(1, 1);
index = 0;
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
//case 2, two ACEs, index at Count -1
rawAcl = new RawAcl(1, 2);
//208 has SuccessfulAccess, FailedAccess and Inherited
gAce = new CommonAce((AceFlags)208, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(0, gAce);
//gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(owner2), false, null);
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(1, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
gAce = rawAcl[1];
index = systemAcl.Count - 1;
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
//case 3, only three ACEs, index at Count/2
rawAcl = new RawAcl(1, 3);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null);
rawAcl.InsertAce(0, gAce);
//208 has SuccessfulAccess, FailedAccess and Inherited
gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null);
rawAcl.InsertAce(1, gAce);
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null);
rawAcl.InsertAce(2, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
gAce = rawAcl[1];
index = systemAcl.Count / 2;
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
//case 4, 3 ACEs, test merge, index at Count -1
rawAcl = new RawAcl(1, 2);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(1, gAce);
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(2, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
gAce = rawAcl[1];
gAce.AceFlags = AceFlags.SuccessfulAccess | AceFlags.FailedAccess;
index = systemAcl.Count - 1;
verifierGAce = systemAcl[index];
Assert.True(TestIndex(gAce, verifierGAce));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
GenericAce verifierGAce = null;
string owner = null;
int index = 0;
// case 1, no ACE, get index at -1
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
index = -1;
systemAcl = new SystemAcl(false, false, rawAcl);
verifierGAce = systemAcl[index];
});
//case 2, no ACE, get index at Count
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
rawAcl = new RawAcl(1, 1);
systemAcl = new SystemAcl(false, false, rawAcl);
index = systemAcl.Count;
verifierGAce = systemAcl[index];
});
//case 3, no ACE, set index at -1
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
systemAcl = new SystemAcl(false, false, rawAcl);
index = -1;
owner = "BA";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
systemAcl[index] = gAce;
});
//case 4, no ACE, set index at Count
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
systemAcl = new SystemAcl(true, false, rawAcl);
index = systemAcl.Count;
owner = "BA";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
systemAcl[index] = gAce;
});
//case 5, set null Ace
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
index = 0;
gAce = null;
systemAcl[index] = gAce;
});
//case 6, set index at 0
Assert.Throws<NotSupportedException>(() =>
{
rawAcl = new RawAcl(1, 1);
owner = "BA";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(false, false, rawAcl);
index = 0;
owner = "BA";
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null);
systemAcl[index] = gAce;
});
}
private static bool TestPurge(SystemAcl systemAcl, SecurityIdentifier sid, int aceCount)
{
KnownAce ace = null;
systemAcl.Purge(sid);
if (aceCount != systemAcl.Count)
return false;
for (int i = 0; i < systemAcl.Count; i++)
{
ace = systemAcl[i] as KnownAce;
if (ace != null && ((ace.AceFlags & AceFlags.Inherited) == 0))
{
if (ace.SecurityIdentifier == sid)
return false;
}
}
return true;
}
public static void TestConstructor(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr)
{
ControlFlags controlFlags = ControlFlags.OwnerDefaulted;
SecurityIdentifier owner = null;
SecurityIdentifier group = null;
RawAcl rawAcl = null;
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
controlFlags = (ControlFlags)flags;
owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null;
group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null;
rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null;
if (rawAcl == null)
sacl = null;
else
sacl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null;
if (rawAcl == null)
dacl = null;
else
dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl);
Assert.True(VerifyResult(isContainer, isDS, controlFlags, owner, group, sacl, dacl));
}
public static void AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl sAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, an SystemAudit ACE with a zero access mask is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.AuditFlags,
AceQualifier.SystemAudit,
0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
//drop the ace from the rawAcl
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 2, an inherit-only SystemAudit ACE on an object ACL is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.InheritanceFlags | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 3, an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//200 has inheritOnly, SuccessfulAccess and FailedAccess
gAce = new CommonAce((AceFlags)200,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the only ACE is a meaningless ACE, will be removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 4, a SystemAudit ACE without Success or Failure Flags is meaningless, will be removed
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
gAce = new CommonAce(AceFlags.None,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//audit ACE does not specify either Success or Failure Flags is removed
rawAcl.RemoveAce(0);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 5, a CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = AceFlags.AuditFlags;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
//case 6, a CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.AuditFlags;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag,
accessMask,
compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
//case 7, a ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag,
aceQualifier,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
objectAceFlag, objectAceType,
inheritedObjectAceType,
false,
null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 8, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl));
//case 9, Aces from case 1 to 7
revision = 127;
capacity = 5;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString();
rawAcl = new RawAcl(revision, capacity);
//an SystemAudit ACE with a zero access mask
//is meaningless, will be removed
gAce = new CommonAce(AceFlags.AuditFlags,
AceQualifier.SystemAudit,
0,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 1.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object
//is meaningless, will be removed
//200 has inheritOnly, SuccessfulAccess and FailedAccess
gAce = new CommonAce((AceFlags)200,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 2.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a SystemAudit ACE without Success or Failure Flags
//is meaningless, will be removed
gAce = new CommonAce(AceFlags.None,
AceQualifier.SystemAudit,
1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 3.ToString()),
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a ObjectAce
aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag,
aceQualifier,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 4.ToString()),
objectAceFlag, objectAceType,
inheritedObjectAceType,
false,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
// a CustomAce
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.AuditFlags,
null);
rawAcl.InsertAce(rawAcl.Count, gAce);
//a CompoundAce
gAce = new CompoundAce(AceFlags.AuditFlags,
1,
CompoundAceType.Impersonation,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 5.ToString()));
rawAcl.InsertAce(rawAcl.Count, gAce);
isContainer = true;
isDS = false;
sAcl = new SystemAcl(isContainer, isDS, rawAcl);
//the first 3 Aces will be removed by SystemAcl constructor
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
rawAcl.RemoveAce(0);
//Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical
Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl));
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
bool removePossible = false;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.RemoveAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, remove one audit ACE from the SystemAcl with no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));
//Case 5, remove the last one ACE from the SystemAcl
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
removePossible = true;
rawAcl = new RawAcl(0, 1);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//remove the ace to create the validation rawAcl
rawAcl.RemoveAce(rawAcl.Count - 1);
Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible));
//Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, true);
});
//Case 7, remove split cause overflow
// Test case no longer relevant in CoreCLR
// Non-canonical ACLs cannot be modified
}
public static void BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
int aceCount = 0;
SecurityIdentifier sid = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sidStr = "BG";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 2, only have 1 explicit Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 3, only have 1 explicit Ace of different sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all aceflags but inheritedonly and inherited
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 1;
sidStr = "BA";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 4, only have 1 inherited Ace of the sid
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 5, have one explicit Ace and one inherited Ace of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
//199 has all aceflags but inheritedonly and inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
//215 has all aceflags but inheritedonly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 2, sid, false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 1;
Assert.True(TestPurge(systemAcl, sid, aceCount));
//case 6, have two explicit Aces of the sid
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sidStr = "BG";
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr));
gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, sid, false, null);
rawAcl.InsertAce(0, gAce);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, sid, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(systemAcl, sid, 0));
//case 7, 1 explicit CustomAce
Assert.Throws<InvalidOperationException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
//199 has all aceflags but inheritedonly and inherited
aceFlag = (AceFlags)199;
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
aceCount = 1;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestPurge(systemAcl, sid, aceCount);
});
//case 8, 1 explicit CompoundAce
Assert.Throws<InvalidOperationException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestPurge(systemAcl, sid, aceCount);
});
//case 9, 1 explict ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG"));
//207 has all AceFlags but inherited
aceFlag = (AceFlags)207;
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
aceCount = 0;
Assert.True(TestPurge(systemAcl, sid, aceCount));
}
public static void AdditionalTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
byte revision = 0;
int capacity = 0;
//case 1, null Sid
Assert.Throws<ArgumentNullException>(() =>
{
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.Purge(null);
});
}
public static void AdditionalTestCases()
{
//test cases include the exceptions from the constructor
SystemAcl sacl = null;
DiscretionaryAcl dacl = null;
CommonSecurityDescriptor sd = null;
// test case 1: SACL is not null, SACL.IsContainer is true, but isContainer parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 2: SACL is not null, SACL.IsContainer is false, but isContainer parameter is true
sacl = new SystemAcl(false, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 3: DACL is not null, DACL.IsContainer is true, but isContainer parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 4: DACL is not null, DACL.IsContainer is false, but isContainer parameter is true
dacl = new DiscretionaryAcl(false, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 5: SACL is not null, SACL.IsDS is true, but isDS parameter is false
sacl = new SystemAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 6: SACL is not null, SACL.IsDS is false, but isDS parameter is true
sacl = new SystemAcl(true, false, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null);
});
// test case 7: DACL is not null, DACL.IsDS is true, but isDS parameter is false
dacl = new DiscretionaryAcl(true, true, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
// test case 8: DACL is not null, DACL.IsDS is false, but isDS parameter is true
dacl = new DiscretionaryAcl(true, false, 10);
Assert.Throws<ArgumentException>(() =>
{
sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl);
});
}
private static bool VerifyResult(bool isContainer, bool isDS, ControlFlags controlFlags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl sacl, DiscretionaryAcl dacl)
{
CommonSecurityDescriptor commonSecurityDescriptor = null;
bool result = false;
try
{
commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl);
// verify the result
if ((isContainer == commonSecurityDescriptor.IsContainer) &&
(isDS == commonSecurityDescriptor.IsDS) &&
((((sacl != null) ? (controlFlags | ControlFlags.SystemAclPresent) : (controlFlags & (~ControlFlags.SystemAclPresent)))
| ControlFlags.SelfRelative | ControlFlags.DiscretionaryAclPresent) == commonSecurityDescriptor.ControlFlags) &&
(owner == commonSecurityDescriptor.Owner) &&
(group == commonSecurityDescriptor.Group) &&
(sacl == commonSecurityDescriptor.SystemAcl) &&
(Utils.ComputeBinaryLength(commonSecurityDescriptor, dacl != null) == commonSecurityDescriptor.BinaryLength))
{
if (dacl == null)
{
//check the contructor created an empty Dacl with correct IsContainer and isDS info
if (isContainer == commonSecurityDescriptor.DiscretionaryAcl.IsContainer &&
isDS == commonSecurityDescriptor.DiscretionaryAcl.IsDS &&
commonSecurityDescriptor.DiscretionaryAcl.Count == 1 &&
Utils.VerifyDaclWithCraftedAce(isContainer, isDS, commonSecurityDescriptor.DiscretionaryAcl))
{
result = true;
}
else
{
result = false;
}
}
else if (dacl == commonSecurityDescriptor.DiscretionaryAcl)
{
result = true;
}
else
{
result = false;
}
}
else
{
result = false;
}
}
catch (ArgumentException)
{
if ((sacl != null && sacl.IsContainer != isContainer) ||
(sacl != null && sacl.IsDS != isDS) ||
(dacl != null && dacl.IsContainer != isContainer) ||
(dacl != null && dacl.IsDS != isDS))
result = true;
else
{
// unexpected exception
result = false;
}
}
return result;
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 5, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.SetAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 6, set one audit ACE to the SystemAcl with no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
//Case 7, all the ACEs in the Sacl are non-qualified ACE, no merge
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 8, Set Ace to exceed binary length boundary, throw exception
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
systemAcl.SetAudit((AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void BasicValidationTestCases()
{
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
GenericAce gAce = null;
byte revision = 0;
int capacity = 0;
//CustomAce constructor parameters
AceType aceType = AceType.AccessAllowed;
AceFlags aceFlag = AceFlags.None;
byte[] opaque = null;
//CompoundAce constructor additional parameters
int accessMask = 0;
CompoundAceType compoundAceType = CompoundAceType.Impersonation;
string sid = "BA";
//CommonAce constructor additional parameters
AceQualifier aceQualifier = 0;
//ObjectAce constructor additional parameters
ObjectAceFlags objectAceFlag = 0;
Guid objectAceType;
Guid inheritedObjectAceType;
//case 1, no Ace
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 2, only have explicit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 3, only have one inherit Ace
revision = 0;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 4, have one explicit Ace and one inherited Ace
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//199 has all AceFlags except InheritOnly and Inherited
gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(1, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 5, have two inherited Aces
revision = 255;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
//215 has all AceFlags except InheritOnly
gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null);
rawAcl.InsertAce(0, gAce);
sid = "BA";
//16 has Inherited
gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 6, 1 inherited CustomAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceType = AceType.MaxDefinedAceType + 1;
aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited
opaque = null;
gAce = new CustomAce(aceType, aceFlag, opaque);
rawAcl.InsertAce(0, gAce);
isContainer = false;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 7, 1 inherited CompoundAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
accessMask = 1;
compoundAceType = CompoundAceType.Impersonation;
gAce = new CompoundAce(aceFlag, accessMask, compoundAceType,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)));
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = false;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
//case 8, 1 inherited ObjectAce
revision = 127;
capacity = 1;
rawAcl = new RawAcl(revision, capacity);
aceFlag = (AceFlags)223; //all flags ored together
aceQualifier = AceQualifier.SystemAudit;
accessMask = 1;
objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent;
objectAceType = new Guid("11111111-1111-1111-1111-111111111111");
inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222");
gAce = new ObjectAce(aceFlag, aceQualifier, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null);
rawAcl.InsertAce(0, gAce);
isContainer = true;
isDS = true;
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
Assert.True(TestRemoveInheritedAces(systemAcl));
}
public static void Additional2TestCases()
{
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
RawAcl rawAcl = null;
//case 1, rawAcl = null
Assert.Throws<ArgumentNullException>(() =>
{
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
});
}
public static void BasicValidationTestCases(bool isContainer, bool isDS, string initialRawAclStr, string verifierRawAclStr, bool wasCanonicalInitially)
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
//create a systemAcl
rawAcl = Utils.CreateRawAclFromString(initialRawAclStr);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr);
Assert.True(TestConstructor(systemAcl, isContainer, isDS, wasCanonicalInitially, rawAcl));
}
private static bool TestRemoveInheritedAces(SystemAcl systemAcl)
{
GenericAce ace = null;
systemAcl.RemoveInheritedAces();
for (int i = 0; i < systemAcl.Count; i++)
{
ace = systemAcl[i];
if ((ace.AceFlags & AceFlags.Inherited) != 0)
return false;
}
return true;
}
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl);
public static void BasicValidationTestCases()
{
SystemAcl sAcl = null;
RawAcl rAcl = null;
GenericAce gAce = null;
byte[] binaryForm = null;
//Case 1, array binaryForm is null
Assert.Throws<ArgumentNullException>(() =>
{
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
sAcl = new SystemAcl(false, false, rAcl);
sAcl.GetBinaryForm(binaryForm, 0);
});
//Case 2, offset is negative
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
sAcl = new SystemAcl(false, false, rAcl);
sAcl.GetBinaryForm(binaryForm, -1);
});
//Case 3, offset is equal to binaryForm length
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[100];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
sAcl = new SystemAcl(false, false, rAcl);
sAcl.GetBinaryForm(binaryForm, binaryForm.Length);
});
//Case 4, offset is a big possitive number
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
sAcl = new SystemAcl(false, false, rAcl);
binaryForm = new byte[sAcl.BinaryLength + 10000];
sAcl.GetBinaryForm(binaryForm, 10000);
//get the binaryForm of the original RawAcl
byte[] verifierBinaryForm = new byte[rAcl.BinaryLength];
rAcl.GetBinaryForm(verifierBinaryForm, 0);
Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm));
//Case 5, binaryForm array's size is insufficient
Assert.Throws<ArgumentOutOfRangeException>(() =>
{
binaryForm = new byte[4];
rAcl = new RawAcl(GenericAcl.AclRevision, 1);
gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null);
rAcl.InsertAce(0, gAce);
sAcl = new SystemAcl(false, false, rAcl);
sAcl.GetBinaryForm(binaryForm, 0);
});
}
