public static void AdditionalTestCases() { RawAcl rawAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BA"; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; //case 1, SysemAcl with huge number of Aces revision = 0; capacity = 1; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); rawAcl = new RawAcl(revision, capacity); for (int i = 0; i < 1820; i++) { gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null); rawAcl.InsertAce(0, gAce); } isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(1820 == systemAcl.Count); }
public static void AdditionalTestCases() { SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; byte revision = 0; int capacity = 0; //case 1, capacity = -1 Assert.Throws <ArgumentOutOfRangeException>(() => { capacity = -1; systemAcl = new SystemAcl(isContainer, isDS, revision, capacity); }); //case 2, capacity = Int32.MaxValue/2 Assert.Throws <OutOfMemoryException>(() => { isContainer = true; isDS = false; revision = 0; capacity = Int32.MaxValue / 2; TestConstructor(isContainer, isDS, revision, capacity); }); //case 3, capacity = Int32.MaxValue Assert.Throws <OutOfMemoryException>(() => { isContainer = true; isDS = true; revision = 255; capacity = Int32.MaxValue; TestConstructor(isContainer, isDS, revision, capacity); }); }
public void SecurityDescriptor() { DiscretionaryAcl dacl = new DiscretionaryAcl { //new AccessControlEntry<FileSystemRight>() { Allowed = true, Right = FileSystemRight.FullControl }, //new AccessControlEntry<UIRight>() { Allowed = true, Right = UIRight.FullControl }, //new AccessControlEntry<UIRight>() { Allowed = false, Right = UIRight.Enabled }, //new AccessControlEntry<FileSystemRight>() { Allowed = false, Right = FileSystemRight.Execute } }; SystemAcl sacl = new SystemAcl { //new AccessControlEntryAudit<FileSystemRight>() { Allowed = true, Denied = false, Right = FileSystemRight.FullControl }, //new AccessControlEntryAudit<UIRight>() { Allowed = true, Denied = true, Right = UIRight.FullControl }, //new AccessControlEntryAudit<UIRight>() { Allowed = false, Denied = false, Right = UIRight.Enabled }, //new AccessControlEntryAudit<FileSystemRight>() { Allowed = false, Denied = true, Right = FileSystemRight.Execute } }; SecurityDescriptor sd = new SecurityDescriptor() { Dacl = dacl, Sacl = sacl }; //sd.Eval<UIRight>(); sd.Eval(); }
private static bool TestAddAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; systemAcl.AddAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags); if (systemAcl.Count == rawAcl.Count && systemAcl.BinaryLength == rawAcl.BinaryLength) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) { result = false; } //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } return(result); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BA"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); int expectedLength = 0; //case 1, SystemAcl with huge number of Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); expectedLength = 8; for (int i = 0; i < 1820; i++) { gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, i + 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid + i.ToString())), false, null); rawAcl.InsertAce(0, gAce); expectedLength += gAce.BinaryLength; } systemAcl = new SystemAcl(false, false, rawAcl); Assert.True(expectedLength == systemAcl.BinaryLength); }
public void SaclPresent() { SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null); SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); SystemAcl sacl = new SystemAcl(false, false, 0); CommonSecurityDescriptor csd; csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, userSid, groupSid, null, null); Assert.IsNull(csd.SystemAcl); Assert.IsTrue(csd.IsSystemAclCanonical); csd = new CommonSecurityDescriptor (false, false, ControlFlags.SystemAclPresent, userSid, groupSid, null, null); Assert.IsNull(csd.SystemAcl); Assert.IsTrue(csd.IsSystemAclCanonical); Assert.AreEqual(ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags); csd = new CommonSecurityDescriptor (false, false, ControlFlags.None, userSid, groupSid, sacl, null); Assert.AreSame(sacl, csd.SystemAcl); Assert.IsTrue(csd.IsSystemAclCanonical); Assert.AreEqual(0, csd.SystemAcl.Count); Assert.AreEqual(ControlFlags.DiscretionaryAclPresent | ControlFlags.SystemAclPresent | ControlFlags.SelfRelative, csd.ControlFlags); csd.SystemAcl = null; Assert.AreEqual(ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative, csd.ControlFlags); }
public static void TestConstructor(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr) { ControlFlags controlFlags = ControlFlags.OwnerDefaulted; SecurityIdentifier owner = null; SecurityIdentifier group = null; RawAcl rawAcl = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; controlFlags = (ControlFlags)flags; owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null; group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null; rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null; if (rawAcl == null) { sacl = null; } else { sacl = new SystemAcl(isContainer, isDS, rawAcl); } rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null; if (rawAcl == null) { dacl = null; } else { dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl); } Assert.True(VerifyResult(isContainer, isDS, controlFlags, owner, group, sacl, dacl)); }
public void SetAudit() { SecurityIdentifier adminSid = new SecurityIdentifier("BA"); // S-1-5-32-544 SecurityIdentifier userSid = new SecurityIdentifier("BU"); // S-1-5-32-545 SystemAcl sacl = new SystemAcl(true, false, 0); sacl.SetAudit(AuditFlags.Success, adminSid, 1, InheritanceFlags.ObjectInherit, PropagationFlags.None); sacl.SetAudit(AuditFlags.Success, userSid, 2, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual(2, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual(adminSid, ace.SecurityIdentifier); Assert.AreEqual(1, ace.AccessMask); sacl.SetAudit(AuditFlags.Success, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None); Assert.AreNotEqual(4, ace.AccessMask); ace = (CommonAce)sacl [0]; Assert.AreEqual(4, ace.AccessMask); sacl.SetAudit(AuditFlags.Failure, adminSid, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None); Assert.AreEqual(2, sacl.Count); ace = (CommonAce)sacl [0]; Assert.AreEqual(AuditFlags.Failure, ace.AuditFlags); Assert.AreEqual(adminSid, ace.SecurityIdentifier); ace = (CommonAce)sacl [1]; Assert.AreEqual(AuditFlags.Success, ace.AuditFlags); Assert.AreEqual(userSid, ace.SecurityIdentifier); }
private static bool TestRemoveAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, bool removePossible) { bool result = true; bool isRemoved = false; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; isRemoved = systemAcl.RemoveAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags); if ((isRemoved == removePossible) && (systemAcl.Count == rawAcl.Count) && (systemAcl.BinaryLength == rawAcl.BinaryLength)) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else result = false; return result; }
public static void AdditionalTestCases() { SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; byte revision = 0; int capacity = 0; //case 1, capacity = -1 Assert.Throws<ArgumentOutOfRangeException>(() => { capacity = -1; systemAcl = new SystemAcl(isContainer, isDS, revision, capacity); }); //case 2, capacity = Int32.MaxValue/2 Assert.Throws<OutOfMemoryException>(() => { isContainer = true; isDS = false; revision = 0; capacity = Int32.MaxValue / 2; TestConstructor(isContainer, isDS, revision, capacity); }); //case 3, capacity = Int32.MaxValue Assert.Throws<OutOfMemoryException>(() => { isContainer = true; isDS = true; revision = 255; capacity = Int32.MaxValue; TestConstructor(isContainer, isDS, revision, capacity); }); }
public void AddAuditObjectAceAndCommonAce() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, true, 0); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid(), Guid.Empty); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual(2, sacl.Count); CommonAce cace = (CommonAce)sacl [0]; Assert.AreEqual(1, cace.AccessMask); Assert.AreEqual("S-1-5-32-544", cace.SecurityIdentifier.Value); Assert.IsFalse(cace.IsCallback); Assert.IsFalse(cace.IsInherited); ObjectAce oace = (ObjectAce)sacl [1]; Assert.AreEqual(1, oace.AccessMask); Assert.AreEqual("S-1-5-32-544", oace.SecurityIdentifier.Value); Assert.IsFalse(oace.IsCallback); Assert.IsFalse(oace.IsInherited); sacl.AddAudit(AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual(2, sacl.Count); CommonAce cace2 = (CommonAce)sacl [0]; Assert.AreEqual(3, cace2.AccessMask); }
public static void AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; byte revision = 0; int capacity = 0; //case 1, null Sid Assert.Throws <ArgumentNullException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.Purge(null); }); }
public static void TestSystemAcl(bool isContainerSD, bool isDSSD, string sddl, bool isContainerSacl, bool isDSSacl, string newSaclStr) { CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(isContainerSD, isDSSD, sddl); SystemAcl sacl = newSaclStr == null ? null : new SystemAcl(isContainerSacl, isDSSacl, Utils.CreateRawAclFromString(newSaclStr)); try { commonSecurityDescriptor.SystemAcl = sacl; Assert.True(sacl == commonSecurityDescriptor.SystemAcl); if (sacl != null) { Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0); } else { Assert.True((commonSecurityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) == 0); } } catch (NullReferenceException) { Assert.Null(sacl); } catch (ArgumentException) { Assert.True((sacl.IsContainer != commonSecurityDescriptor.IsContainer) || (sacl.IsDS != commonSecurityDescriptor.IsDS)); } }
public byte[] ToSaclBytes() { SystemAcl sacl = new SystemAcl(false, false, 0); byte[] bytes = new byte[sacl.BinaryLength]; sacl.GetBinaryForm(bytes, 0); return(bytes); }
public byte[] ToSystemAclBytes() { var systemAcl = new SystemAcl(false, false, 0); var bytes = new byte[systemAcl.BinaryLength]; systemAcl.GetBinaryForm(bytes, 0); return(bytes); }
internal byte[] ToSaclBytes() { var sacl = new SystemAcl(false, false, 0); var bytes = new byte[sacl.BinaryLength]; sacl.GetBinaryForm(bytes, 0); return(bytes); }
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; string resultSddl = null; ControlFlags controlFlags = ControlFlags.OwnerDefaulted; SecurityIdentifier owner = null; SecurityIdentifier group = null; RawAcl rawAcl = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; AccessControlSections accControlSections = AccessControlSections.None; controlFlags = (ControlFlags)flags; owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null; group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null; rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null; if (rawAcl == null) { sacl = null; } else { sacl = new SystemAcl(isContainer, isDS, rawAcl); } rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null; if (rawAcl == null) { dacl = null; } else { dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl); } commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl); if (getOwner) { accControlSections |= AccessControlSections.Owner; } if (getGroup) { accControlSections |= AccessControlSections.Group; } if (getSacl) { accControlSections |= AccessControlSections.Audit; } if (getDacl) { accControlSections |= AccessControlSections.Access; } resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections); Assert.True(string.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0); }
public void RemoveSpecific() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, false, 0); RemoveSpecificBegin(sid, sacl, InheritanceFlags.None); sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual(0, sacl.Count); }
public void ContainerAndDSConsistencyEnforcedB() { SecurityIdentifier userSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null); SecurityIdentifier groupSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); SystemAcl sacl = new SystemAcl(false, false, 0); new CommonSecurityDescriptor(true, false, ControlFlags.None, userSid, groupSid, sacl, null); }
public static void BasicValidationTestCases(bool isContainer, bool isDS, int auditFlags, string sid, int accessMask, int inheritanceFlags, int propagationFlags, string initialRawAclStr, string verifierRawAclStr) { //create a systemAcl RawAcl rawAcl = Utils.CreateRawAclFromString(initialRawAclStr); SystemAcl systemAcl = new SystemAcl(isContainer, isDS, rawAcl); rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr); Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); }
public static void BasicValidationTestCases(bool isContainer, bool isDS, string initialRawAclStr, string verifierRawAclStr, bool wasCanonicalInitially) { RawAcl rawAcl = null; SystemAcl systemAcl = null; //create a systemAcl rawAcl = Utils.CreateRawAclFromString(initialRawAclStr); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); rawAcl = Utils.CreateRawAclFromString(verifierRawAclStr); Assert.True(TestConstructor(systemAcl, isContainer, isDS, wasCanonicalInitially, rawAcl)); }
public void RemoveSpecificUsingDSOverload() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, true, 0); RemoveSpecificBegin(sid, sacl, InheritanceFlags.None); sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.ObjectAceTypePresent, Guid.Empty, Guid.Empty); Assert.AreEqual(1, sacl.Count); sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.Empty, Guid.Empty); Assert.AreEqual(0, sacl.Count); }
public void AddAuditMergesFlags() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, false, 0); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None); sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual(AuditFlags.Success | AuditFlags.Failure, ace.AuditFlags); }
public static void Additional2TestCases() { SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; //case 1, rawAcl = null Assert.Throws <ArgumentNullException>(() => { systemAcl = new SystemAcl(isContainer, isDS, rawAcl); }); }
private static bool TestRemoveInheritedAces(SystemAcl systemAcl) { GenericAce ace = null; systemAcl.RemoveInheritedAces(); for (int i = 0; i < systemAcl.Count; i++) { ace = systemAcl[i]; if ((ace.AceFlags & AceFlags.Inherited) != 0) { return(false); } } return(true); }
public void AddAuditCommonAce() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, false, 0); sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual(AuditFlags.Success, ace.AuditFlags); Assert.AreEqual(1, ace.AccessMask); Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value); Assert.IsFalse(ace.IsInherited); }
public void AddAuditCommonAceUsingDSOverload() { SecurityIdentifier sid = new SecurityIdentifier("BA"); SystemAcl sacl = new SystemAcl(false, true, 0); sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.None, Guid.NewGuid(), Guid.NewGuid()); Assert.AreEqual(1, sacl.Count); CommonAce ace = (CommonAce)sacl [0]; Assert.AreEqual(AuditFlags.Failure, ace.AuditFlags); Assert.AreEqual(1, ace.AccessMask); Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value); Assert.IsFalse(ace.IsInherited); }
public static void TestConstructor(bool isContainer, bool isDS, byte revision, int capacity) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; SystemAcl systemAcl = null; RawAcl rawAcl = null; systemAcl = new SystemAcl(isContainer, isDS, revision, capacity); rawAcl = new RawAcl(revision, capacity); if (isContainer == systemAcl.IsContainer && isDS == systemAcl.IsDS && revision == systemAcl.Revision && 0 == systemAcl.Count && 8 == systemAcl.BinaryLength && true == systemAcl.IsCanonical) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) { result = false; } //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } Assert.True(result); }
public static void TestGetSddlForm(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr, bool getOwner, bool getGroup, bool getSacl, bool getDacl, string expectedSddl) { CommonSecurityDescriptor commonSecurityDescriptor = null; string resultSddl = null; ControlFlags controlFlags = ControlFlags.OwnerDefaulted; SecurityIdentifier owner = null; SecurityIdentifier group = null; RawAcl rawAcl = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; AccessControlSections accControlSections = AccessControlSections.None; controlFlags = (ControlFlags)flags; owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null; group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null; rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null; if (rawAcl == null) sacl = null; else sacl = new SystemAcl(isContainer, isDS, rawAcl); rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null; if (rawAcl == null) dacl = null; else dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl); commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl); if (getOwner) accControlSections |= AccessControlSections.Owner; if (getGroup) accControlSections |= AccessControlSections.Group; if (getSacl) accControlSections |= AccessControlSections.Audit; if (getDacl) accControlSections |= AccessControlSections.Access; resultSddl = commonSecurityDescriptor.GetSddlForm(accControlSections); if (expectedSddl == null || resultSddl == null) Assert.True(expectedSddl == null && resultSddl == null); else Assert.True(String.Compare(expectedSddl, resultSddl, StringComparison.CurrentCultureIgnoreCase) == 0); }
void RemoveSpecificBegin(SecurityIdentifier sid, SystemAcl sacl, InheritanceFlags inheritanceFlags) { SecurityIdentifier otherSid = new SecurityIdentifier("BU"); sacl.AddAudit(AuditFlags.Success, sid, 3, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); sacl.RemoveAuditSpecific(AuditFlags.Failure, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); sacl.RemoveAuditSpecific(AuditFlags.Success, otherSid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 1, inheritanceFlags, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); Assert.AreEqual(3, ((CommonAce)sacl [0]).AccessMask); sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3, inheritanceFlags ^ InheritanceFlags.ContainerInherit, PropagationFlags.None); Assert.AreEqual(1, sacl.Count); }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; GenericAce gAce = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; byte revision = 0; int capacity = 0; string sid = "BA"; //case 1, empty SystemAcl revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(0 == systemAcl.Count); //case 2, SystemAcl with one Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(1 == systemAcl.Count); //case 3, SystemAcl with two Aces revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(2 == systemAcl.Count); }
public static void TestConstructor(bool isContainer, bool isDS, byte revision, int capacity) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; SystemAcl systemAcl = null; RawAcl rawAcl = null; systemAcl = new SystemAcl(isContainer, isDS, revision, capacity); rawAcl = new RawAcl(revision, capacity); if (isContainer == systemAcl.IsContainer && isDS == systemAcl.IsDS && revision == systemAcl.Revision && 0 == systemAcl.Count && 8 == systemAcl.BinaryLength && true == systemAcl.IsCanonical) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } Assert.True(result); }
public static void TestOwner(string newOwnerStr) { bool isContainer = false; bool isDS = false; int controlFlags = 1; string ownerStr = "BA"; string groupStr = "BG"; CommonSecurityDescriptor commonSecurityDescriptor = null; SecurityIdentifier owner = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)); SecurityIdentifier newOwner = (newOwnerStr != null ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(newOwnerStr)) : null); SecurityIdentifier group = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)); SystemAcl sacl = null; DiscretionaryAcl dacl = null; commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, (ControlFlags)controlFlags, owner, group, sacl, dacl); commonSecurityDescriptor.Owner = newOwner; // verify the result, we can use == here as SecurityIdentifier overrides the comparsison Assert.True(newOwner == commonSecurityDescriptor.Owner); }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; string sid = "BG"; int expectedLength = 0; //case 1, empty systemAcl, binarylength should be 8 capacity = 1; systemAcl = new SystemAcl(false, false, capacity); expectedLength = 8; Assert.True(expectedLength == systemAcl.BinaryLength); //case 2, SystemAcl with one Ace, binarylength should be 8 + the Ace's binarylength expectedLength = 8; revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); expectedLength += gAce.BinaryLength; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(true, false, rawAcl); Assert.True(expectedLength == systemAcl.BinaryLength); //case 3, SystemAcl with two Aces expectedLength = 8; revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); expectedLength += gAce.BinaryLength; rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); expectedLength += gAce.BinaryLength; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); Assert.True(expectedLength == systemAcl.BinaryLength); }
private static bool TestConstructor(SystemAcl systemAcl, bool isContainer, bool isDS, bool wasCanonicalInitially, RawAcl rawAcl) { bool result = true; byte[] sAclBinaryForm = null; byte[] rAclBinaryForm = null; if (systemAcl.IsContainer == isContainer && systemAcl.IsDS == isDS && systemAcl.Revision == rawAcl.Revision && systemAcl.Count == rawAcl.Count && systemAcl.BinaryLength == rawAcl.BinaryLength && systemAcl.IsCanonical == wasCanonicalInitially) { sAclBinaryForm = new byte[systemAcl.BinaryLength]; rAclBinaryForm = new byte[rawAcl.BinaryLength]; systemAcl.GetBinaryForm(sAclBinaryForm, 0); rawAcl.GetBinaryForm(rAclBinaryForm, 0); if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm)) result = false; //redundant index check for (int i = 0; i < systemAcl.Count; i++) { if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i])) { result = false; break; } } } else { result = false; } return result; }
public static void BasicValidationTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; GenericAce verifierGAce = null; string owner1 = "BO"; string owner2 = "BA"; string owner3 = "BG"; int index = 0; // case 1, only one ACE, get at index 0 rawAcl = new RawAcl(1, 1); index = 0; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); //case 2, two ACEs, index at Count -1 rawAcl = new RawAcl(1, 2); //208 has SuccessfulAccess, FailedAccess and Inherited gAce = new CommonAce((AceFlags)208, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(0, gAce); //gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(owner2), false, null); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(1, gAce); systemAcl = new SystemAcl(false, false, rawAcl); gAce = rawAcl[1]; index = systemAcl.Count - 1; verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); //case 3, only three ACEs, index at Count/2 rawAcl = new RawAcl(1, 3); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.OI | FlagsForAce.CI | FlagsForAce.NP | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner2)), false, null); rawAcl.InsertAce(0, gAce); //208 has SuccessfulAccess, FailedAccess and Inherited gAce = new CommonAce((AceFlags)(FlagsForAce.AuditFlags | FlagsForAce.IH), AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner1)), false, null); rawAcl.InsertAce(1, gAce); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner3)), false, null); rawAcl.InsertAce(2, gAce); systemAcl = new SystemAcl(false, false, rawAcl); gAce = rawAcl[1]; index = systemAcl.Count / 2; verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); //case 4, 3 ACEs, test merge, index at Count -1 rawAcl = new RawAcl(1, 2); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(1, gAce); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(2, gAce); systemAcl = new SystemAcl(false, false, rawAcl); gAce = rawAcl[1]; gAce.AceFlags = AceFlags.SuccessfulAccess | AceFlags.FailedAccess; index = systemAcl.Count - 1; verifierGAce = systemAcl[index]; Assert.True(TestIndex(gAce, verifierGAce)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; GenericAce verifierGAce = null; string owner = null; int index = 0; // case 1, no ACE, get index at -1 Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); index = -1; systemAcl = new SystemAcl(false, false, rawAcl); verifierGAce = systemAcl[index]; }); //case 2, no ACE, get index at Count Assert.Throws<ArgumentOutOfRangeException>(() => { rawAcl = new RawAcl(1, 1); systemAcl = new SystemAcl(false, false, rawAcl); index = systemAcl.Count; verifierGAce = systemAcl[index]; }); //case 3, no ACE, set index at -1 Assert.Throws<NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); systemAcl = new SystemAcl(false, false, rawAcl); index = -1; owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); systemAcl[index] = gAce; }); //case 4, no ACE, set index at Count Assert.Throws<NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); systemAcl = new SystemAcl(true, false, rawAcl); index = systemAcl.Count; owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); systemAcl[index] = gAce; }); //case 5, set null Ace Assert.Throws<NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); gAce = new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); index = 0; gAce = null; systemAcl[index] = gAce; }); //case 6, set index at 0 Assert.Throws<NotSupportedException>(() => { rawAcl = new RawAcl(1, 1); owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(false, false, rawAcl); index = 0; owner = "BA"; gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(owner)), false, null); systemAcl[index] = gAce; }); }
private static bool TestPurge(SystemAcl systemAcl, SecurityIdentifier sid, int aceCount) { KnownAce ace = null; systemAcl.Purge(sid); if (aceCount != systemAcl.Count) return false; for (int i = 0; i < systemAcl.Count; i++) { ace = systemAcl[i] as KnownAce; if (ace != null && ((ace.AceFlags & AceFlags.Inherited) == 0)) { if (ace.SecurityIdentifier == sid) return false; } } return true; }
public static void TestConstructor(bool isContainer, bool isDS, int flags, string ownerStr, string groupStr, string saclStr, string daclStr) { ControlFlags controlFlags = ControlFlags.OwnerDefaulted; SecurityIdentifier owner = null; SecurityIdentifier group = null; RawAcl rawAcl = null; SystemAcl sacl = null; DiscretionaryAcl dacl = null; controlFlags = (ControlFlags)flags; owner = (ownerStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(ownerStr)) : null; group = (groupStr != null) ? new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(groupStr)) : null; rawAcl = (saclStr != null) ? Utils.CreateRawAclFromString(saclStr) : null; if (rawAcl == null) sacl = null; else sacl = new SystemAcl(isContainer, isDS, rawAcl); rawAcl = (daclStr != null) ? Utils.CreateRawAclFromString(daclStr) : null; if (rawAcl == null) dacl = null; else dacl = new DiscretionaryAcl(isContainer, isDS, rawAcl); Assert.True(VerifyResult(isContainer, isDS, controlFlags, owner, group, sacl, dacl)); }
public static void AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl sAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, an SystemAudit ACE with a zero access mask is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.AuditFlags, AceQualifier.SystemAudit, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the only ACE is a meaningless ACE, will be removed //drop the ace from the rawAcl rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 2, an inherit-only SystemAudit ACE on an object ACL is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.InheritanceFlags | AceFlags.AuditFlags, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the only ACE is a meaningless ACE, will be removed rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 3, an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object is meaningless, will be removed revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //200 has inheritOnly, SuccessfulAccess and FailedAccess gAce = new CommonAce((AceFlags)200, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the only ACE is a meaningless ACE, will be removed rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 4, a SystemAudit ACE without Success or Failure Flags is meaningless, will be removed revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); gAce = new CommonAce(AceFlags.None, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //audit ACE does not specify either Success or Failure Flags is removed rawAcl.RemoveAce(0); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 5, a CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = AceFlags.AuditFlags; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl)); //case 6, a CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.AuditFlags; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl)); //case 7, a ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags; aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; sAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 8, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestConstructor(sAcl, isContainer, isDS, true, rawAcl)); //case 9, Aces from case 1 to 7 revision = 127; capacity = 5; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)).ToString(); rawAcl = new RawAcl(revision, capacity); //an SystemAudit ACE with a zero access mask //is meaningless, will be removed gAce = new CommonAce(AceFlags.AuditFlags, AceQualifier.SystemAudit, 0, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 1.ToString()), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //an inherit-only SystemAudit ACE without ContainerInherit or ObjectInherit flags on a container object //is meaningless, will be removed //200 has inheritOnly, SuccessfulAccess and FailedAccess gAce = new CommonAce((AceFlags)200, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 2.ToString()), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //a SystemAudit ACE without Success or Failure Flags //is meaningless, will be removed gAce = new CommonAce(AceFlags.None, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 3.ToString()), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); //a ObjectAce aceFlag = AceFlags.InheritanceFlags | AceFlags.AuditFlags; aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 4.ToString()), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(rawAcl.Count, gAce); // a CustomAce gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.AuditFlags, null); rawAcl.InsertAce(rawAcl.Count, gAce); //a CompoundAce gAce = new CompoundAce(AceFlags.AuditFlags, 1, CompoundAceType.Impersonation, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid) + 5.ToString())); rawAcl.InsertAce(rawAcl.Count, gAce); isContainer = true; isDS = false; sAcl = new SystemAcl(isContainer, isDS, rawAcl); //the first 3 Aces will be removed by SystemAcl constructor rawAcl.RemoveAce(0); rawAcl.RemoveAce(0); rawAcl.RemoveAce(0); //Mark changed design to make ACL with any CustomAce, CompoundAce uncanonical Assert.True(TestConstructor(sAcl, isContainer, isDS, false, rawAcl)); }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; bool removePossible = false; byte[] opaque = null; //Case 1, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.RemoveAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, remove one audit ACE from the SystemAcl with no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)); //Case 5, remove the last one ACE from the SystemAcl isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; removePossible = true; rawAcl = new RawAcl(0, 1); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //remove the ace to create the validation rawAcl rawAcl.RemoveAce(rawAcl.Count - 1); Assert.True(TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, removePossible)); //Case 6, all the ACEs in the Sacl are non-qualified ACE, no remove Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestRemoveAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags, true); }); //Case 7, remove split cause overflow // Test case no longer relevant in CoreCLR // Non-canonical ACLs cannot be modified }
public static void BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; int aceCount = 0; SecurityIdentifier sid = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sidStr = "BG"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 2, only have 1 explicit Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritedonly and inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 3, only have 1 explicit Ace of different sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all aceflags but inheritedonly and inherited sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 1; sidStr = "BA"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 4, only have 1 inherited Ace of the sid revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 5, have one explicit Ace and one inherited Ace of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); //199 has all aceflags but inheritedonly and inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); //215 has all aceflags but inheritedonly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 2, sid, false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 1; Assert.True(TestPurge(systemAcl, sid, aceCount)); //case 6, have two explicit Aces of the sid revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); sidStr = "BG"; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sidStr)); gAce = new CommonAce(AceFlags.FailedAccess, AceQualifier.SystemAudit, 1, sid, false, null); rawAcl.InsertAce(0, gAce); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 2, sid, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(systemAcl, sid, 0)); //case 7, 1 explicit CustomAce Assert.Throws<InvalidOperationException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; //199 has all aceflags but inheritedonly and inherited aceFlag = (AceFlags)199; opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); aceCount = 1; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestPurge(systemAcl, sid, aceCount); }); //case 8, 1 explicit CompoundAce Assert.Throws<InvalidOperationException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; accessMask = 1; compoundAceType = CompoundAceType.Impersonation; sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, sid); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestPurge(systemAcl, sid, aceCount); }); //case 9, 1 explict ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); sid = new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")); //207 has all AceFlags but inherited aceFlag = (AceFlags)207; aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, sid, objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); aceCount = 0; Assert.True(TestPurge(systemAcl, sid, aceCount)); }
public static void AdditionalTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; byte revision = 0; int capacity = 0; //case 1, null Sid Assert.Throws<ArgumentNullException>(() => { revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.Purge(null); }); }
public static void AdditionalTestCases() { //test cases include the exceptions from the constructor SystemAcl sacl = null; DiscretionaryAcl dacl = null; CommonSecurityDescriptor sd = null; // test case 1: SACL is not null, SACL.IsContainer is true, but isContainer parameter is false sacl = new SystemAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(false, true, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 2: SACL is not null, SACL.IsContainer is false, but isContainer parameter is true sacl = new SystemAcl(false, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 3: DACL is not null, DACL.IsContainer is true, but isContainer parameter is false dacl = new DiscretionaryAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); // test case 4: DACL is not null, DACL.IsContainer is false, but isContainer parameter is true dacl = new DiscretionaryAcl(false, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); // test case 5: SACL is not null, SACL.IsDS is true, but isDS parameter is false sacl = new SystemAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, false, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 6: SACL is not null, SACL.IsDS is false, but isDS parameter is true sacl = new SystemAcl(true, false, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.SystemAclPresent, null, null, sacl, null); }); // test case 7: DACL is not null, DACL.IsDS is true, but isDS parameter is false dacl = new DiscretionaryAcl(true, true, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, false, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); // test case 8: DACL is not null, DACL.IsDS is false, but isDS parameter is true dacl = new DiscretionaryAcl(true, false, 10); Assert.Throws<ArgumentException>(() => { sd = new CommonSecurityDescriptor(true, true, ControlFlags.DiscretionaryAclPresent, null, null, null, dacl); }); }
private static bool VerifyResult(bool isContainer, bool isDS, ControlFlags controlFlags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl sacl, DiscretionaryAcl dacl) { CommonSecurityDescriptor commonSecurityDescriptor = null; bool result = false; try { commonSecurityDescriptor = new CommonSecurityDescriptor(isContainer, isDS, controlFlags, owner, group, sacl, dacl); // verify the result if ((isContainer == commonSecurityDescriptor.IsContainer) && (isDS == commonSecurityDescriptor.IsDS) && ((((sacl != null) ? (controlFlags | ControlFlags.SystemAclPresent) : (controlFlags & (~ControlFlags.SystemAclPresent))) | ControlFlags.SelfRelative | ControlFlags.DiscretionaryAclPresent) == commonSecurityDescriptor.ControlFlags) && (owner == commonSecurityDescriptor.Owner) && (group == commonSecurityDescriptor.Group) && (sacl == commonSecurityDescriptor.SystemAcl) && (Utils.ComputeBinaryLength(commonSecurityDescriptor, dacl != null) == commonSecurityDescriptor.BinaryLength)) { if (dacl == null) { //check the contructor created an empty Dacl with correct IsContainer and isDS info if (isContainer == commonSecurityDescriptor.DiscretionaryAcl.IsContainer && isDS == commonSecurityDescriptor.DiscretionaryAcl.IsDS && commonSecurityDescriptor.DiscretionaryAcl.Count == 1 && Utils.VerifyDaclWithCraftedAce(isContainer, isDS, commonSecurityDescriptor.DiscretionaryAcl)) { result = true; } else { result = false; } } else if (dacl == commonSecurityDescriptor.DiscretionaryAcl) { result = true; } else { result = false; } } else { result = false; } } catch (ArgumentException) { if ((sacl != null && sacl.IsContainer != isContainer) || (sacl != null && sacl.IsDS != isDS) || (dacl != null && dacl.IsContainer != isContainer) || (dacl != null && dacl.IsDS != isDS)) result = true; else { // unexpected exception result = false; } } return result; }
public static void AdditionalTestCases() { RawAcl rawAcl = null; SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; int auditFlags = 0; string sid = null; int accessMask = 1; int inheritanceFlags = 0; int propagationFlags = 0; GenericAce gAce = null; byte[] opaque = null; //Case 1, null sid Assert.Throws<ArgumentNullException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 2, SystemAudit Ace but non AuditFlags Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.None, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None); }); //Case 3, 0 accessMask Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None); }); //Case 4, non-Container, but InheritanceFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None); }); //Case 5, non-Container, but PropagationFlags is not None Assert.Throws<ArgumentException>(() => { isContainer = false; isDS = false; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); systemAcl.SetAudit(AuditFlags.Success, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly); }); //Case 6, set one audit ACE to the SystemAcl with no ACE isContainer = true; isDS = false; auditFlags = 1; sid = "BA"; accessMask = 1; inheritanceFlags = 3; propagationFlags = 3; rawAcl = new RawAcl(0, 1); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(rawAcl.Count, gAce); Assert.True(TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags)); //Case 7, all the ACEs in the Sacl are non-qualified ACE, no merge Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[4]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags, AceQualifier.SystemAudit, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException TestSetAudit(systemAcl, rawAcl, (AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); //Case 8, Set Ace to exceed binary length boundary, throw exception Assert.Throws<InvalidOperationException>(() => { isContainer = true; isDS = false; inheritanceFlags = 1;//InheritanceFlags.ContainerInherit propagationFlags = 2; //PropagationFlags.InheritOnly auditFlags = 3; sid = "BA"; accessMask = 1; rawAcl = new RawAcl(0, 1); opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16]; gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ; rawAcl.InsertAce(0, gAce); systemAcl = new SystemAcl(isContainer, isDS, rawAcl); //After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and //forbid the modification on uncanonical ACL, this case will throw InvalidOperationException systemAcl.SetAudit((AuditFlags)auditFlags, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags); }); }
public static void BasicValidationTestCases() { bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; SystemAcl systemAcl = null; GenericAce gAce = null; byte revision = 0; int capacity = 0; //CustomAce constructor parameters AceType aceType = AceType.AccessAllowed; AceFlags aceFlag = AceFlags.None; byte[] opaque = null; //CompoundAce constructor additional parameters int accessMask = 0; CompoundAceType compoundAceType = CompoundAceType.Impersonation; string sid = "BA"; //CommonAce constructor additional parameters AceQualifier aceQualifier = 0; //ObjectAce constructor additional parameters ObjectAceFlags objectAceFlag = 0; Guid objectAceType; Guid inheritedObjectAceType; //case 1, no Ace revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 2, only have explicit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 3, only have one inherit Ace revision = 0; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 4, have one explicit Ace and one inherited Ace revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //199 has all AceFlags except InheritOnly and Inherited gAce = new CommonAce((AceFlags)199, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(1, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 5, have two inherited Aces revision = 255; capacity = 1; rawAcl = new RawAcl(revision, capacity); //215 has all AceFlags except InheritOnly gAce = new CommonAce((AceFlags)215, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BG")), false, null); rawAcl.InsertAce(0, gAce); sid = "BA"; //16 has Inherited gAce = new CommonAce((AceFlags)16, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 6, 1 inherited CustomAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceType = AceType.MaxDefinedAceType + 1; aceFlag = (AceFlags)208; //SuccessfulAccess | FailedAccess | Inherited opaque = null; gAce = new CustomAce(aceType, aceFlag, opaque); rawAcl.InsertAce(0, gAce); isContainer = false; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 7, 1 inherited CompoundAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together accessMask = 1; compoundAceType = CompoundAceType.Impersonation; gAce = new CompoundAce(aceFlag, accessMask, compoundAceType, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid))); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = false; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); //case 8, 1 inherited ObjectAce revision = 127; capacity = 1; rawAcl = new RawAcl(revision, capacity); aceFlag = (AceFlags)223; //all flags ored together aceQualifier = AceQualifier.SystemAudit; accessMask = 1; objectAceFlag = ObjectAceFlags.ObjectAceTypePresent | ObjectAceFlags.InheritedObjectAceTypePresent; objectAceType = new Guid("11111111-1111-1111-1111-111111111111"); inheritedObjectAceType = new Guid("22222222-2222-2222-2222-222222222222"); gAce = new ObjectAce(aceFlag, aceQualifier, accessMask, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), objectAceFlag, objectAceType, inheritedObjectAceType, false, null); rawAcl.InsertAce(0, gAce); isContainer = true; isDS = true; systemAcl = new SystemAcl(isContainer, isDS, rawAcl); Assert.True(TestRemoveInheritedAces(systemAcl)); }
public static void Additional2TestCases() { SystemAcl systemAcl = null; bool isContainer = false; bool isDS = false; RawAcl rawAcl = null; //case 1, rawAcl = null Assert.Throws<ArgumentNullException>(() => { systemAcl = new SystemAcl(isContainer, isDS, rawAcl); }); }
private static bool TestRemoveInheritedAces(SystemAcl systemAcl) { GenericAce ace = null; systemAcl.RemoveInheritedAces(); for (int i = 0; i < systemAcl.Count; i++) { ace = systemAcl[i]; if ((ace.AceFlags & AceFlags.Inherited) != 0) return false; } return true; }
public CommonSecurityDescriptor(bool isContainer, bool isDS, ControlFlags flags, SecurityIdentifier owner, SecurityIdentifier group, SystemAcl systemAcl, DiscretionaryAcl discretionaryAcl);
public static void BasicValidationTestCases() { SystemAcl sAcl = null; RawAcl rAcl = null; GenericAce gAce = null; byte[] binaryForm = null; //Case 1, array binaryForm is null Assert.Throws<ArgumentNullException>(() => { rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); sAcl = new SystemAcl(false, false, rAcl); sAcl.GetBinaryForm(binaryForm, 0); }); //Case 2, offset is negative Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[100]; rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); sAcl = new SystemAcl(false, false, rAcl); sAcl.GetBinaryForm(binaryForm, -1); }); //Case 3, offset is equal to binaryForm length Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[100]; rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); sAcl = new SystemAcl(false, false, rAcl); sAcl.GetBinaryForm(binaryForm, binaryForm.Length); }); //Case 4, offset is a big possitive number rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); sAcl = new SystemAcl(false, false, rAcl); binaryForm = new byte[sAcl.BinaryLength + 10000]; sAcl.GetBinaryForm(binaryForm, 10000); //get the binaryForm of the original RawAcl byte[] verifierBinaryForm = new byte[rAcl.BinaryLength]; rAcl.GetBinaryForm(verifierBinaryForm, 0); Assert.True(Utils.IsBinaryFormEqual(binaryForm, 10000, verifierBinaryForm)); //Case 5, binaryForm array's size is insufficient Assert.Throws<ArgumentOutOfRangeException>(() => { binaryForm = new byte[4]; rAcl = new RawAcl(GenericAcl.AclRevision, 1); gAce = new CommonAce(AceFlags.SuccessfulAccess, AceQualifier.SystemAudit, 1, new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), false, null); rAcl.InsertAce(0, gAce); sAcl = new SystemAcl(false, false, rAcl); sAcl.GetBinaryForm(binaryForm, 0); }); }