public static bool HasLocalAces(AuthorizationRuleCollection rules) { bool res = false; AccessRule locaACE = rules.Cast<AccessRule>().FirstOrDefault(a => a.IsInherited == false); res = (locaACE == null ? false : true); return res; }
static bool AccessControlAllowsRightForPrincipal(System.Security.AccessControl.AuthorizationRuleCollection rules, FileSystemRights right, WindowsIdentity principal) { return(rules .Cast <FileSystemAccessRule>() .Where(rule => principal.User.Equals(rule.IdentityReference)) // Find the rules for the given principal .Where(rule => rule.FileSystemRights.HasFlag(right)) // Find the rules for the given right .Where(rule => !AccessControlType.Deny.Equals(rule.AccessControlType)) // If the right is explicitly denied, we don't check the rule futher .Where(rule => AccessControlType.Allow.Equals(rule.AccessControlType)) // If the right is explicitly allowed, then we mark it as allowed .Any()); // If the right is neither allowed or denied, we treat is as denied }
public PermissionsChecker(WindowsIdentity current, AuthorizationRuleCollection rules, RequiredCheck requiredCheck) { _current = current; _groups = _current.Groups.ToHashSet(); _rules = rules.Cast<FileSystemAccessRule>() .ToHashSet(); _requiredCheck = requiredCheck; }
/// <summary> /// Converts ACL into UNIX-like file mode /// </summary> private static FileModeFlags GetFileMode(System.Security.AccessControl.AuthorizationRuleCollection rules) { WindowsIdentity user = System.Security.Principal.WindowsIdentity.GetCurrent(); WindowsPrincipal principal = new WindowsPrincipal(user); FileModeFlags result; // These are set to true if either the allow read or deny read access rights are set bool allowRead = false; bool denyRead = false; bool allowWrite = false; bool denyWrite = false; bool allowExecute = false; bool denyExecute = false; foreach (FileSystemAccessRule currentRule in rules) { // If the current rule applies to the current user if (user.User.Equals(currentRule.IdentityReference) || principal.IsInRole((SecurityIdentifier)currentRule.IdentityReference)) { switch (currentRule.AccessControlType) { case AccessControlType.Deny: denyRead |= (currentRule.FileSystemRights & FileSystemRights.ListDirectory | FileSystemRights.Read) != 0; denyWrite |= (currentRule.FileSystemRights & FileSystemRights.Write) != 0; denyExecute |= (currentRule.FileSystemRights & FileSystemRights.ExecuteFile) != 0; break; case AccessControlType.Allow: allowRead |= (currentRule.FileSystemRights & FileSystemRights.ListDirectory | FileSystemRights.Read) != 0; allowWrite |= (currentRule.FileSystemRights & FileSystemRights.Write) != 0; allowExecute |= (currentRule.FileSystemRights & FileSystemRights.ExecuteFile) != 0; break; } } } result = (allowRead & !denyRead) ? FileModeFlags.Read : 0; result |= (allowWrite & !denyWrite) ? FileModeFlags.Write : 0; result |= (allowExecute & !denyExecute) ? FileModeFlags.Execute : 0; return(result); }
/// <summary> /// /// </summary> /// <param name="directory"></param> /// <param name="user"></param> /// <returns></returns> public static bool CanWrite(string directory, WindowsIdentity user) { bool bAllowed = false; try { //Get the directory security DirectorySecurity sec = Directory.GetAccessControl(directory, AccessControlSections.Access); System.Security.AccessControl.AuthorizationRuleCollection dacls = sec.GetAccessRules(true, true, typeof(SecurityIdentifier)); //Enumerate each access rule foreach (FileSystemAccessRule dacl in dacls) { SecurityIdentifier sid = (SecurityIdentifier)dacl.IdentityReference; //If the right is either create files or write access if (((dacl.FileSystemRights & FileSystemRights.CreateFiles) == FileSystemRights.CreateFiles) || ((dacl.FileSystemRights & FileSystemRights.Write) == FileSystemRights.Write)) { //If the sid matches the user or a group the user is in if ((sid.IsAccountSid() && user.User == sid) || (!sid.IsAccountSid() && user.Groups.Contains(sid))) { //If this is a deny right then the user has no access if (dacl.AccessControlType == AccessControlType.Deny) { return(false); } //Allowed, for now bAllowed = true; } } } return(bAllowed); } catch (SecurityException) { throw; } }
public static bool CheckAccessRight(WindowsIdentity user, WindowsPrincipal principal, AuthorizationRuleCollection acl, FileSystemRights right) { // Get the collection of authorization rules that apply to the current directory //AuthorizationRuleCollection acl = //directory.GetAccessControl().GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier)); // These are set to true if either the allow or deny access rights are set bool allow = false; bool deny = false; for (int x = 0; x < acl.Count; x++) { FileSystemAccessRule currentRule = (FileSystemAccessRule)acl[x]; // If the current rule applies to the current user if (user.User.Equals(currentRule.IdentityReference) || principal.IsInRole((SecurityIdentifier)currentRule.IdentityReference)) { if (currentRule.AccessControlType.Equals(AccessControlType.Deny)) { if ((currentRule.FileSystemRights & right) == right) { deny = true; } } else if (currentRule.AccessControlType.Equals(AccessControlType.Allow)) { if ((currentRule.FileSystemRights & right) == right) { allow = true; } } } } if (allow & !deny) return true; else return false; }
private bool CheckPermissions(string path, bool checkRead, bool checkWrite, bool checkModify, bool checkDelete) { bool flag = false; bool flag2 = false; bool flag3 = false; bool flag4 = false; bool flag5 = false; bool flag6 = false; bool flag7 = false; bool flag8 = false; WindowsIdentity current = WindowsIdentity.GetCurrent(); System.Security.AccessControl.AuthorizationRuleCollection rules = null; try { rules = Directory.GetAccessControl(path).GetAccessRules(true, true, typeof(SecurityIdentifier)); } catch { return(true); } try { foreach (FileSystemAccessRule rule in rules) { if (!current.User.Equals(rule.IdentityReference)) { continue; } if (AccessControlType.Deny.Equals(rule.AccessControlType)) { if ((FileSystemRights.Delete & rule.FileSystemRights) == FileSystemRights.Delete) { flag4 = true; } if ((FileSystemRights.Modify & rule.FileSystemRights) == FileSystemRights.Modify) { flag3 = true; } if ((FileSystemRights.Read & rule.FileSystemRights) == FileSystemRights.Read) { flag = true; } if ((FileSystemRights.Write & rule.FileSystemRights) == FileSystemRights.Write) { flag2 = true; } continue; } if (AccessControlType.Allow.Equals(rule.AccessControlType)) { if ((FileSystemRights.Delete & rule.FileSystemRights) == FileSystemRights.Delete) { flag8 = true; } if ((FileSystemRights.Modify & rule.FileSystemRights) == FileSystemRights.Modify) { flag7 = true; } if ((FileSystemRights.Read & rule.FileSystemRights) == FileSystemRights.Read) { flag5 = true; } if ((FileSystemRights.Write & rule.FileSystemRights) == FileSystemRights.Write) { flag6 = true; } } } foreach (IdentityReference reference in current.Groups) { foreach (FileSystemAccessRule rule2 in rules) { if (!reference.Equals(rule2.IdentityReference)) { continue; } if (AccessControlType.Deny.Equals(rule2.AccessControlType)) { if ((FileSystemRights.Delete & rule2.FileSystemRights) == FileSystemRights.Delete) { flag4 = true; } if ((FileSystemRights.Modify & rule2.FileSystemRights) == FileSystemRights.Modify) { flag3 = true; } if ((FileSystemRights.Read & rule2.FileSystemRights) == FileSystemRights.Read) { flag = true; } if ((FileSystemRights.Write & rule2.FileSystemRights) == FileSystemRights.Write) { flag2 = true; } continue; } if (AccessControlType.Allow.Equals(rule2.AccessControlType)) { if ((FileSystemRights.Delete & rule2.FileSystemRights) == FileSystemRights.Delete) { flag8 = true; } if ((FileSystemRights.Modify & rule2.FileSystemRights) == FileSystemRights.Modify) { flag7 = true; } if ((FileSystemRights.Read & rule2.FileSystemRights) == FileSystemRights.Read) { flag5 = true; } if ((FileSystemRights.Write & rule2.FileSystemRights) == FileSystemRights.Write) { flag6 = true; } } } } bool flag9 = !flag4 && flag8; bool flag10 = !flag3 && flag7; bool flag11 = !flag && flag5; bool flag12 = !flag2 && flag6; bool flag13 = true; if (checkRead) { flag13 = flag13 && flag11; } if (checkWrite) { flag13 = flag13 && flag12; } if (checkModify) { flag13 = flag13 && flag10; } if (checkDelete) { flag13 = flag13 && flag9; } return(flag13); } catch (IOException) { } return(false); }
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType) { ReadLock(); try { AuthorizationRuleCollection result = new AuthorizationRuleCollection(); if (!IsValidTargetTypeStatic(targetType)) { throw new ArgumentException(SR.Arg_MustBeIdentityReferenceType, "targetType"); } CommonAcl acl = null; if (access) { if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0) { acl = _securityDescriptor.DiscretionaryAcl; } } else // !access == audit { if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0) { acl = _securityDescriptor.SystemAcl; } } if (acl == null) { // // The required ACL was not present; return an empty collection. // return result; } IdentityReferenceCollection irTarget = null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count); for (int i = 0; i < acl.Count; i++) { // // Calling the indexer on a common ACL results in cloning, // (which would not be the case if we were to use the internal RawAcl property) // but also ensures that the resulting order of ACEs is proper // However, this is a big price to pay - cloning all the ACEs just so that // the canonical order could be ascertained just once. // A better way would be to have an internal method that would canonicalize the ACL // and call it once, then use the RawAcl. // QualifiedAce ace = acl[i] as QualifiedAce; if (ace == null) { // // Only consider qualified ACEs // continue; } if (ace.IsCallback == true) { // // Ignore callback ACEs // continue; } if (access) { if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied) { continue; } } else { if (ace.AceQualifier != AceQualifier.SystemAudit) { continue; } } irSource.Add(ace.SecurityIdentifier); } irTarget = irSource.Translate(targetType); } for (int i = 0; i < acl.Count; i++) { // // Calling the indexer on a common ACL results in cloning, // (which would not be the case if we were to use the internal RawAcl property) // but also ensures that the resulting order of ACEs is proper // However, this is a big price to pay - cloning all the ACEs just so that // the canonical order could be ascertained just once. // A better way would be to have an internal method that would canonicalize the ACL // and call it once, then use the RawAcl. // QualifiedAce ace = acl[i] as CommonAce; if (ace == null) { ace = acl[i] as ObjectAce; if (ace == null) { // // Only consider common or object ACEs // continue; } } if (ace.IsCallback == true) { // // Ignore callback ACEs // continue; } if (access) { if (ace.AceQualifier != AceQualifier.AccessAllowed && ace.AceQualifier != AceQualifier.AccessDenied) { continue; } } else { if (ace.AceQualifier != AceQualifier.SystemAudit) { continue; } } if ((includeExplicit && ((ace.AceFlags & AceFlags.Inherited) == 0)) || (includeInherited && ((ace.AceFlags & AceFlags.Inherited) != 0))) { IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget[i]; if (access) { AccessControlType type; if (ace.AceQualifier == AceQualifier.AccessAllowed) { type = AccessControlType.Allow; } else { type = AccessControlType.Deny; } if (ace is ObjectAce) { ObjectAce objectAce = ace as ObjectAce; result.AddRule(AccessRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, type, objectAce.ObjectAceType, objectAce.InheritedObjectAceType)); } else { CommonAce commonAce = ace as CommonAce; if (commonAce == null) { continue; } result.AddRule(AccessRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, type)); } } else { if (ace is ObjectAce) { ObjectAce objectAce = ace as ObjectAce; result.AddRule(AuditRuleFactory(iref, objectAce.AccessMask, objectAce.IsInherited, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.AuditFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType)); } else { CommonAce commonAce = ace as CommonAce; if (commonAce == null) { continue; } result.AddRule(AuditRuleFactory(iref, commonAce.AccessMask, commonAce.IsInherited, commonAce.InheritanceFlags, commonAce.PropagationFlags, commonAce.AuditFlags)); } } } } return result; } finally { ReadUnlock(); } }
/// <summary> /// Processes the authentication data of a Windows user /// </summary> /// <param name="acl"><see cref="AuthorizationRuleCollection"/></param> private void ReceiveUserIdentityRules(AuthorizationRuleCollection acl) { if (WindowsIdentity.User == null) { return; } for (var i = 0; i < acl.Count; i++) { var rule = (FileSystemAccessRule)acl[i]; HandleFileSystemAccessRule(rule, WindowsIdentity.User); } }
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, System.Type targetType) { ReadLock(); try { AuthorizationRuleCollection result = new AuthorizationRuleCollection(); if (!IsValidTargetTypeStatic(targetType)) { throw new ArgumentException( SR.Arg_MustBeIdentityReferenceType, nameof(targetType)); } CommonAcl?acl = null; if (access) { if ((_securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != 0) { acl = _securityDescriptor.DiscretionaryAcl; } } else // !access == audit { if ((_securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != 0) { acl = _securityDescriptor.SystemAcl; } } if (acl == null) { // // The required ACL was not present; return an empty collection. // return(result); } IdentityReferenceCollection?irTarget = null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection irSource = new IdentityReferenceCollection(acl.Count); for (int i = 0; i < acl.Count; i++) { // // Calling the indexer on a common ACL results in cloning, // (which would not be the case if we were to use the internal RawAcl property) // but also ensures that the resulting order of ACEs is proper // However, this is a big price to pay - cloning all the ACEs just so that // the canonical order could be ascertained just once. // A better way would be to have an internal method that would canonicalize the ACL // and call it once, then use the RawAcl. // CommonAce?ace = acl[i] as CommonAce; if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited)) { irSource.Add(ace.SecurityIdentifier); } } irTarget = irSource.Translate(targetType); } int targetIndex = 0; for (int i = 0; i < acl.Count; i++) { // // Calling the indexer on a common ACL results in cloning, // (which would not be the case if we were to use the internal RawAcl property) // but also ensures that the resulting order of ACEs is proper // However, this is a big price to pay - cloning all the ACEs just so that // the canonical order could be ascertained just once. // A better way would be to have an internal method that would canonicalize the ACL // and call it once, then use the RawAcl. // CommonAce?ace = acl[i] as CommonAce; if (AceNeedsTranslation(ace, access, includeExplicit, includeInherited)) { IdentityReference iref = (targetType == typeof(SecurityIdentifier)) ? ace.SecurityIdentifier : irTarget ![targetIndex++];
/// <summary> /// Checks if the rule already exists in the collection. /// </summary> /// <param name="allRules">collection of existing rules</param> /// <param name="checkRule">rule to check for</param> /// <returns>true if existing</returns> private static bool ContainsRule(AuthorizationRuleCollection allRules, RegistryAccessRule checkRule) { foreach (RegistryAccessRule existingRule in allRules) { if (IsEqualRule(existingRule, checkRule)) return true; } return false; }
/// <summary> /// Processes the authentication data of a Windows Group /// </summary> /// <param name="acl"><see cref="AuthorizationRuleCollection"/></param> private void ReceivGroupIdentityRules(AuthorizationRuleCollection acl) { // Only Handle Groups if (WindowsIdentity.Groups == null) { return; } foreach (var identity in WindowsIdentity.Groups) { for (var i = 0; i < acl.Count; i++) { var rule = (FileSystemAccessRule)acl[i]; HandleFileSystemAccessRule(rule, identity); } } }
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType) { AuthorizationRuleCollection rules2; base.ReadLock(); try { AuthorizationRuleCollection rules = new AuthorizationRuleCollection(); if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType)) { throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType"); } CommonAcl discretionaryAcl = null; if (access) { if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None) { discretionaryAcl = base._securityDescriptor.DiscretionaryAcl; } } else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None) { discretionaryAcl = base._securityDescriptor.SystemAcl; } if (discretionaryAcl == null) { return rules; } IdentityReferenceCollection references = null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count); for (int j = 0; j < discretionaryAcl.Count; j++) { QualifiedAce ace = discretionaryAcl[j] as QualifiedAce; if ((ace == null) || ace.IsCallback) { continue; } if (access) { if ((ace.AceQualifier == AceQualifier.AccessAllowed) || (ace.AceQualifier == AceQualifier.AccessDenied)) { goto Label_00DD; } continue; } if (ace.AceQualifier != AceQualifier.SystemAudit) { continue; } Label_00DD: references2.Add(ace.SecurityIdentifier); } references = references2.Translate(targetType); } for (int i = 0; i < discretionaryAcl.Count; i++) { QualifiedAce ace2 = discretionaryAcl[i] as CommonAce; if (ace2 == null) { ace2 = discretionaryAcl[i] as ObjectAce; if (ace2 == null) { continue; } } if (ace2.IsCallback) { continue; } if (access) { if ((ace2.AceQualifier == AceQualifier.AccessAllowed) || (ace2.AceQualifier == AceQualifier.AccessDenied)) { goto Label_0174; } continue; } if (ace2.AceQualifier != AceQualifier.SystemAudit) { continue; } Label_0174: if ((includeExplicit && (((byte) (ace2.AceFlags & AceFlags.Inherited)) == 0)) || (includeInherited && (((byte) (ace2.AceFlags & AceFlags.Inherited)) != 0))) { IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[i]; if (access) { AccessControlType allow; if (ace2.AceQualifier == AceQualifier.AccessAllowed) { allow = AccessControlType.Allow; } else { allow = AccessControlType.Deny; } if (ace2 is ObjectAce) { ObjectAce ace3 = ace2 as ObjectAce; rules.AddRule(this.AccessRuleFactory(identityReference, ace3.AccessMask, ace3.IsInherited, ace3.InheritanceFlags, ace3.PropagationFlags, allow, ace3.ObjectAceType, ace3.InheritedObjectAceType)); } else { CommonAce ace4 = ace2 as CommonAce; if (ace4 != null) { rules.AddRule(this.AccessRuleFactory(identityReference, ace4.AccessMask, ace4.IsInherited, ace4.InheritanceFlags, ace4.PropagationFlags, allow)); } } } else if (ace2 is ObjectAce) { ObjectAce ace5 = ace2 as ObjectAce; rules.AddRule(this.AuditRuleFactory(identityReference, ace5.AccessMask, ace5.IsInherited, ace5.InheritanceFlags, ace5.PropagationFlags, ace5.AuditFlags, ace5.ObjectAceType, ace5.InheritedObjectAceType)); } else { CommonAce ace6 = ace2 as CommonAce; if (ace6 != null) { rules.AddRule(this.AuditRuleFactory(identityReference, ace6.AccessMask, ace6.IsInherited, ace6.InheritanceFlags, ace6.PropagationFlags, ace6.AuditFlags)); } } } } rules2 = rules; } finally { base.ReadUnlock(); } return rules2; }
private uint GetUserDACLfromAllRegistryKeyDACLs(AuthorizationRuleCollection DACLs, string userSID) { foreach (RegistryAccessRule dacl in DACLs) if (dacl.IdentityReference.Value.Equals(userSID)) return (uint)dacl.RegistryRights; return 0; }
private void CheckAccessControl(AuthorizationRuleCollection authorizationRules, out Boolean canRead, out Boolean canWrite) { var rules = authorizationRules .OfType<FileSystemAccessRule>() .Where(x => User.IsInRole(x.IdentityReference as SecurityIdentifier) || x.IdentityReference == ((WindowsIdentity)User.Identity).User) .ToList(); canRead = true; canWrite = true; canRead &= rules.Any(x => x.AccessControlType == AccessControlType.Allow && x.FileSystemRights.HasFlag(FileSystemRights.Read)); canWrite &= rules.Any(x => x.AccessControlType == AccessControlType.Allow && x.FileSystemRights.HasFlag(FileSystemRights.Write)); canRead &= !rules.Any(x => x.AccessControlType == AccessControlType.Deny && x.FileSystemRights.HasFlag(FileSystemRights.Read)); canWrite &= !rules.Any(x => x.AccessControlType == AccessControlType.Deny && x.FileSystemRights.HasFlag(FileSystemRights.Write)); }
/// <summary> /// Check an Access Control List. /// </summary> /// <para> /// No ordinary user should able to modify the corresponding file. /// </para> /// <param name="acl">An ACL</param> private void checkAcl(AuthorizationRuleCollection acl) { Dictionary<IdentityReference, FileSystemRights> userAllowRights = new Dictionary<IdentityReference, FileSystemRights>(); Dictionary<IdentityReference, FileSystemRights> userDenyRights = new Dictionary<IdentityReference, FileSystemRights>(); for (int i = 0; i < acl.Count; i++) { log.Debug("Authorization rule type: " + acl[i].GetType()); FileSystemAccessRule ace = acl[i] as FileSystemAccessRule; if (ace != null) { log.Debug("Access type: " + ace.AccessControlType); log.Debug("Access mask: " + ace.FileSystemRights); log.Debug("Identity: " + ace.IdentityReference); } // If rule is not a FileSystemSecurityRule then it is ignored. if (ace == null) continue; // Computes allowance of the identity: if (ace.AccessControlType == AccessControlType.Allow) { if (!userAllowRights.ContainsKey(ace.IdentityReference)) userAllowRights.Add(ace.IdentityReference, 0); userAllowRights[ace.IdentityReference] |= ace.FileSystemRights; } if (ace.AccessControlType == AccessControlType.Deny) { if (!userDenyRights.ContainsKey(ace.IdentityReference)) userDenyRights.Add(ace.IdentityReference, 0); userDenyRights[ace.IdentityReference] |= ace.FileSystemRights; } } foreach (KeyValuePair<IdentityReference, FileSystemRights> keyval in userAllowRights) { // Authorized users can do whatever they want: try { checkUser(keyval.Key); continue; } catch (UnauthorizedAccessException) { } // Computes real user rights: FileSystemRights rights = keyval.Value; if (userDenyRights.ContainsKey(keyval.Key)) rights &= (~userDenyRights[keyval.Key]); // Check user rights if (((rights & FileSystemRights.WriteData) != 0) || ((rights & FileSystemRights.AppendData) != 0) || ((rights & FileSystemRights.WriteAttributes) != 0) || ((rights & FileSystemRights.WriteExtendedAttributes) != 0) || ((rights & FileSystemRights.ChangePermissions) != 0) || ((rights & FileSystemRights.Delete) != 0) || ((rights & FileSystemRights.TakeOwnership) != 0)) throw new UnauthorizedAccessException("Users should not be able to modify the config file."); } }
private AuthorizationRuleCollection GetRules(bool access, bool includeExplicit, bool includeInherited, Type targetType) { AuthorizationRuleCollection rules2; base.ReadLock(); try { AuthorizationRuleCollection rules = new AuthorizationRuleCollection(); if (!SecurityIdentifier.IsValidTargetTypeStatic(targetType)) { throw new ArgumentException(Environment.GetResourceString("Arg_MustBeIdentityReferenceType"), "targetType"); } CommonAcl discretionaryAcl = null; if (access) { if ((base._securityDescriptor.ControlFlags & ControlFlags.DiscretionaryAclPresent) != ControlFlags.None) { discretionaryAcl = base._securityDescriptor.DiscretionaryAcl; } } else if ((base._securityDescriptor.ControlFlags & ControlFlags.SystemAclPresent) != ControlFlags.None) { discretionaryAcl = base._securityDescriptor.SystemAcl; } if (discretionaryAcl == null) { return rules; } IdentityReferenceCollection references = null; if (targetType != typeof(SecurityIdentifier)) { IdentityReferenceCollection references2 = new IdentityReferenceCollection(discretionaryAcl.Count); for (int j = 0; j < discretionaryAcl.Count; j++) { CommonAce ace = discretionaryAcl[j] as CommonAce; if (this.AceNeedsTranslation(ace, access, includeExplicit, includeInherited)) { references2.Add(ace.SecurityIdentifier); } } references = references2.Translate(targetType); } int num2 = 0; for (int i = 0; i < discretionaryAcl.Count; i++) { CommonAce ace2 = discretionaryAcl[i] as CommonAce; if (this.AceNeedsTranslation(ace2, access, includeExplicit, includeInherited)) { IdentityReference identityReference = (targetType == typeof(SecurityIdentifier)) ? ace2.SecurityIdentifier : references[num2++]; if (access) { AccessControlType allow; if (ace2.AceQualifier == AceQualifier.AccessAllowed) { allow = AccessControlType.Allow; } else { allow = AccessControlType.Deny; } rules.AddRule(this.AccessRuleFactory(identityReference, ace2.AccessMask, ace2.IsInherited, ace2.InheritanceFlags, ace2.PropagationFlags, allow)); } else { rules.AddRule(this.AuditRuleFactory(identityReference, ace2.AccessMask, ace2.IsInherited, ace2.InheritanceFlags, ace2.PropagationFlags, ace2.AuditFlags)); } } } rules2 = rules; } finally { base.ReadUnlock(); } return rules2; }