public void AddAuditObjectAceAndCommonAce()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, true, 0);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.ObjectAceTypePresent, Guid.NewGuid(), Guid.Empty);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(2, sacl.Count);
CommonAce cace = (CommonAce)sacl [0];
Assert.AreEqual(1, cace.AccessMask);
Assert.AreEqual("S-1-5-32-544", cace.SecurityIdentifier.Value);
Assert.IsFalse(cace.IsCallback);
Assert.IsFalse(cace.IsInherited);
ObjectAce oace = (ObjectAce)sacl [1];
Assert.AreEqual(1, oace.AccessMask);
Assert.AreEqual("S-1-5-32-544", oace.SecurityIdentifier.Value);
Assert.IsFalse(oace.IsCallback);
Assert.IsFalse(oace.IsInherited);
sacl.AddAudit(AuditFlags.Success, sid, 2, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.Empty, Guid.Empty);
Assert.AreEqual(2, sacl.Count);
CommonAce cace2 = (CommonAce)sacl [0];
Assert.AreEqual(3, cace2.AccessMask);
}
public void AddAuditMergesFlags()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, false, 0);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual(AuditFlags.Success | AuditFlags.Failure, ace.AuditFlags);
}
private static bool TestAddAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] sAclBinaryForm = null;
byte[] rAclBinaryForm = null;
systemAcl.AddAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags);
if (systemAcl.Count == rawAcl.Count &&
systemAcl.BinaryLength == rawAcl.BinaryLength)
{
sAclBinaryForm = new byte[systemAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
systemAcl.GetBinaryForm(sAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm))
{
result = false;
}
//redundant index check
for (int i = 0; i < systemAcl.Count; i++)
{
if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
{
result = false;
}
return(result);
}
private static bool TestAddAudit(SystemAcl systemAcl, RawAcl rawAcl, AuditFlags auditFlag, SecurityIdentifier sid, int accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
{
bool result = true;
byte[] sAclBinaryForm = null;
byte[] rAclBinaryForm = null;
systemAcl.AddAudit(auditFlag, sid, accessMask, inheritanceFlags, propagationFlags);
if (systemAcl.Count == rawAcl.Count &&
systemAcl.BinaryLength == rawAcl.BinaryLength)
{
sAclBinaryForm = new byte[systemAcl.BinaryLength];
rAclBinaryForm = new byte[rawAcl.BinaryLength];
systemAcl.GetBinaryForm(sAclBinaryForm, 0);
rawAcl.GetBinaryForm(rAclBinaryForm, 0);
if (!Utils.IsBinaryFormEqual(sAclBinaryForm, rAclBinaryForm))
result = false;
//redundant index check
for (int i = 0; i < systemAcl.Count; i++)
{
if (!Utils.IsAceEqual(systemAcl[i], rawAcl[i]))
{
result = false;
break;
}
}
}
else
result = false;
return result;
}
public void AddAuditCommonAce()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, false, 0);
sacl.AddAudit(AuditFlags.Success, sid, 1, InheritanceFlags.None, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual(AuditFlags.Success, ace.AuditFlags);
Assert.AreEqual(1, ace.AccessMask);
Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse(ace.IsInherited);
}
public void AddAuditCommonAceUsingDSOverload()
{
SecurityIdentifier sid = new SecurityIdentifier("BA");
SystemAcl sacl = new SystemAcl(false, true, 0);
sacl.AddAudit(AuditFlags.Failure, sid, 1, InheritanceFlags.None, PropagationFlags.None,
ObjectAceFlags.None, Guid.NewGuid(), Guid.NewGuid());
Assert.AreEqual(1, sacl.Count);
CommonAce ace = (CommonAce)sacl [0];
Assert.AreEqual(AuditFlags.Failure, ace.AuditFlags);
Assert.AreEqual(1, ace.AccessMask);
Assert.AreEqual("S-1-5-32-544", ace.SecurityIdentifier.Value);
Assert.IsFalse(ace.IsInherited);
}
void RemoveSpecificBegin(SecurityIdentifier sid, SystemAcl sacl, InheritanceFlags inheritanceFlags)
{
SecurityIdentifier otherSid = new SecurityIdentifier("BU");
sacl.AddAudit(AuditFlags.Success, sid, 3, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
sacl.RemoveAuditSpecific(AuditFlags.Failure, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
sacl.RemoveAuditSpecific(AuditFlags.Success, otherSid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 1, inheritanceFlags, PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
Assert.AreEqual(3, ((CommonAce)sacl [0]).AccessMask);
sacl.RemoveAuditSpecific(AuditFlags.Success, sid, 3,
inheritanceFlags ^ InheritanceFlags.ContainerInherit,
PropagationFlags.None);
Assert.AreEqual(1, sacl.Count);
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws <ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, non-Container, but InheritanceFlags is not None
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 5, non-Container, but PropagationFlags is not None
Assert.Throws <ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 6, Container, but InheritanceFlags is None, but PropagationFlags is InheritOnly
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 7, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 8, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws <ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 9, add one audit ACE to the SystemAcl has no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
//Case 10, all the ACEs in the Sacl are non-qualified ACE, no merge
Assert.Throws <InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 11, add Ace to exceed binary length boundary, throw exception
Assert.Throws <InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1; //InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque);;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
systemAcl.AddAudit((AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
public static void AdditionalTestCases()
{
RawAcl rawAcl = null;
SystemAcl systemAcl = null;
bool isContainer = false;
bool isDS = false;
int auditFlags = 0;
string sid = null;
int accessMask = 1;
int inheritanceFlags = 0;
int propagationFlags = 0;
GenericAce gAce = null;
byte[] opaque = null;
//Case 1, null sid
Assert.Throws<ArgumentNullException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success, null, 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 2, SystemAudit Ace but non AuditFlags
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.None,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.None);
});
//Case 3, 0 accessMask
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 0, InheritanceFlags.None, PropagationFlags.None);
});
//Case 4, non-Container, but InheritanceFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.ContainerInherit, PropagationFlags.None);
});
//Case 5, non-Container, but PropagationFlags is not None
Assert.Throws<ArgumentException>(() =>
{
isContainer = false;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 6, Container, but InheritanceFlags is None, but PropagationFlags is InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.InheritOnly);
});
//Case 7, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit);
});
//Case 8, Container, but InheritanceFlags is None, but PropagationFlags is NoPropagateInherit | InheritOnly
Assert.Throws<ArgumentException>(() =>
{
isContainer = true;
isDS = false;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
systemAcl.AddAudit(AuditFlags.Success,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid("BA")), 1, InheritanceFlags.None, PropagationFlags.NoPropagateInherit | PropagationFlags.InheritOnly);
});
//Case 9, add one audit ACE to the SystemAcl has no ACE
isContainer = true;
isDS = false;
auditFlags = 1;
sid = "BA";
accessMask = 1;
inheritanceFlags = 3;
propagationFlags = 3;
rawAcl = new RawAcl(0, 1);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//79 = AceFlags.SuccessfulAccess | AceFlags.ObjectInherit |AceFlags.ContainerInherit | AceFlags.NoPropagateInherit | AceFlags.InheritOnly
gAce = new CommonAce((AceFlags)79, AceQualifier.SystemAudit, accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), false, null);
rawAcl.InsertAce(rawAcl.Count, gAce);
Assert.True(TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags));
//Case 10, all the ACEs in the Sacl are non-qualified ACE, no merge
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[4];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1, AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
gAce = new CommonAce(AceFlags.ContainerInherit | AceFlags.InheritOnly | AceFlags.AuditFlags,
AceQualifier.SystemAudit,
accessMask,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)),
false,
null);
rawAcl.InsertAce(0, gAce);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
TestAddAudit(systemAcl, rawAcl, (AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
//Case 11, add Ace to exceed binary length boundary, throw exception
Assert.Throws<InvalidOperationException>(() =>
{
isContainer = true;
isDS = false;
inheritanceFlags = 1;//InheritanceFlags.ContainerInherit
propagationFlags = 2; //PropagationFlags.InheritOnly
auditFlags = 3;
sid = "BA";
accessMask = 1;
rawAcl = new RawAcl(0, 1);
opaque = new byte[GenericAcl.MaxBinaryLength + 1 - 8 - 4 - 16];
gAce = new CustomAce(AceType.MaxDefinedAceType + 1,
AceFlags.InheritanceFlags | AceFlags.AuditFlags, opaque); ;
rawAcl.InsertAce(0, gAce);
systemAcl = new SystemAcl(isContainer, isDS, rawAcl);
//After Mark changes design to make ACL with any CustomAce, CompoundAce uncanonical and
//forbid the modification on uncanonical ACL, this case will throw InvalidOperationException
systemAcl.AddAudit((AuditFlags)auditFlags,
new SecurityIdentifier(Utils.TranslateStringConstFormatSidToStandardFormatSid(sid)), accessMask, (InheritanceFlags)inheritanceFlags, (PropagationFlags)propagationFlags);
});
}
