private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (executionSecurityPermission == null)
{
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
PermissionSet other = null;
Exception exception = null;
PermissionSet set2 = optPset;
if (reqdPset == null)
{
other = set2;
}
else
{
other = (set2 == null) ? null : reqdPset.Union(set2);
}
if ((other != null) && !other.IsUnrestricted())
{
other.AddPermission(executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet target = polmgr.Resolve(evidence);
if (other != null)
{
target.InplaceIntersect(other);
}
if (checkExecutionPermission && (!target.Contains(executionSecurityPermission) || ((denyPset != null) && denyPset.Contains(executionSecurityPermission))))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if ((reqdPset != null) && !reqdPset.IsSubsetOf(target))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
target.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
target.IgnoreTypeLoadFailures = true;
return(target);
}
internal void UpdateGrant(PermissionSet in_g, out ZoneIdentityPermission z, out UrlIdentityPermission u)
{
z = null;
u = null;
if (in_g != null)
{
if (GrantSet == null)
{
GrantSet = in_g.Copy();
}
else
{
GrantSet.InplaceIntersect(in_g);
}
z = (ZoneIdentityPermission)in_g.GetPermission(ZoneToken);
u = (UrlIdentityPermission)in_g.GetPermission(UrlToken);
}
}
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (SecurityManager.executionSecurityPermission == null)
{
SecurityManager.executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
Exception exception = null;
PermissionSet permissionSet;
if (reqdPset == null)
{
permissionSet = optPset;
}
else
{
permissionSet = ((optPset == null) ? null : reqdPset.Union(optPset));
}
if (permissionSet != null && !permissionSet.IsUnrestricted())
{
permissionSet.AddPermission(SecurityManager.executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet permissionSet2 = SecurityManager.polmgr.Resolve(evidence);
if (permissionSet != null)
{
permissionSet2.InplaceIntersect(permissionSet);
}
if (checkExecutionPermission && (!permissionSet2.Contains(SecurityManager.executionSecurityPermission) || (denyPset != null && denyPset.Contains(SecurityManager.executionSecurityPermission))))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if (reqdPset != null && !reqdPset.IsSubsetOf(permissionSet2))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
permissionSet2.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
permissionSet2.IgnoreTypeLoadFailures = true;
return(permissionSet2);
}
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (SecurityManager.executionSecurityPermission == null)
{
SecurityManager.executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
Exception exception = (Exception)null;
PermissionSet other1 = optPset;
PermissionSet other2 = reqdPset != null ? (other1 == null ? (PermissionSet)null : reqdPset.Union(other1)) : other1;
if (other2 != null && !other2.IsUnrestricted())
{
other2.AddPermission((IPermission)SecurityManager.executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet target = SecurityManager.polmgr.Resolve(evidence);
if (other2 != null)
{
target.InplaceIntersect(other2);
}
if (checkExecutionPermission && (!target.Contains((IPermission)SecurityManager.executionSecurityPermission) || denyPset != null && denyPset.Contains((IPermission)SecurityManager.executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if (reqdPset != null && !reqdPset.IsSubsetOf(target))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
target.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = (PermissionSet)null;
}
}
else
{
denied = (PermissionSet)null;
}
target.IgnoreTypeLoadFailures = true;
return(target);
}
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
PermissionSet grant = null;
PolicyStatement policy;
PolicyLevel currentLevel = null;
IEnumerator levelEnumerator = PolicyLevels.GetEnumerator();
char[] serializedEvidence = MakeEvidenceArray(evidence, false);
int count = evidence.Count;
bool legacyIgnoreSystemPolicy = (AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null);
bool testApplicationLevels = false;
while (levelEnumerator.MoveNext())
{
currentLevel = (PolicyLevel)levelEnumerator.Current;
if (systemPolicy)
{
if (currentLevel.Type == PolicyLevelType.AppDomain)
{
continue;
}
}
else if (legacyIgnoreSystemPolicy && currentLevel.Type != PolicyLevelType.AppDomain)
{
continue;
}
policy = currentLevel.Resolve(evidence, count, serializedEvidence);
// If the grant is "AllPossible", the intersection is just the other permission set.
// Otherwise, do an inplace intersection (since we know we can alter the grant set since
// it is a copy of the first policy statement's permission set).
if (grant == null)
{
grant = policy.PermissionSet;
}
else
{
grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
}
if (grant == null || grant.FastIsEmpty())
{
break;
}
else if ((policy.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal)
{
if (currentLevel.Type != PolicyLevelType.AppDomain)
{
testApplicationLevels = true;
}
break;
}
}
if (grant != null && testApplicationLevels)
{
PolicyLevel appDomainLevel = null;
for (int i = PolicyLevels.Count - 1; i >= 0; --i)
{
currentLevel = (PolicyLevel)PolicyLevels[i];
if (currentLevel.Type == PolicyLevelType.AppDomain)
{
appDomainLevel = currentLevel;
break;
}
}
if (appDomainLevel != null)
{
policy = appDomainLevel.Resolve(evidence, count, serializedEvidence);
grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
}
}
if (grant == null)
{
grant = new PermissionSet(PermissionState.None);
}
// Each piece of evidence can possibly create an identity permission that we
// need to add to our grant set. Therefore, for all pieces of evidence that
// implement the IIdentityPermissionFactory interface, ask it for its
// adjoining identity permission and add it to the grant.
if (!CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || !grant.IsUnrestricted())
{
IEnumerator enumerator = evidence.GetHostEnumerator();
while (enumerator.MoveNext())
{
Object obj = enumerator.Current;
IIdentityPermissionFactory factory = obj as IIdentityPermissionFactory;
if (factory != null)
{
IPermission perm = factory.CreateIdentityPermission(evidence);
if (perm != null)
{
grant.AddPermission(perm);
}
}
}
}
grant.IgnoreTypeLoadFailures = true;
return(grant);
}
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled);
PermissionSet grant = null;
PolicyStatement policy;
PolicyLevel currentLevel = null;
IEnumerator levelEnumerator = PolicyLevels.GetEnumerator();
// We're optimized for standard policy, where the only evidence that is generally evaluated are
// Zone, StrongName and Url. Since all of these are relatively inexpensive, we'll force them to
// generate, then use that as a key into the cache.
evidence.GetHostEvidence <Zone>();
evidence.GetHostEvidence <StrongName>();
evidence.GetHostEvidence <Url>();
byte[] serializedEvidence = evidence.RawSerialize();
int count = evidence.RawCount;
bool legacyIgnoreSystemPolicy = (AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null);
bool testApplicationLevels = false;
while (levelEnumerator.MoveNext())
{
currentLevel = (PolicyLevel)levelEnumerator.Current;
if (systemPolicy)
{
if (currentLevel.Type == PolicyLevelType.AppDomain)
{
continue;
}
}
else if (legacyIgnoreSystemPolicy && currentLevel.Type != PolicyLevelType.AppDomain)
{
continue;
}
policy = currentLevel.Resolve(evidence, count, serializedEvidence);
// If the grant is "AllPossible", the intersection is just the other permission set.
// Otherwise, do an inplace intersection (since we know we can alter the grant set since
// it is a copy of the first policy statement's permission set).
if (grant == null)
{
grant = policy.PermissionSet;
}
else
{
grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
}
if (grant == null || grant.FastIsEmpty())
{
break;
}
else if ((policy.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal)
{
if (currentLevel.Type != PolicyLevelType.AppDomain)
{
testApplicationLevels = true;
}
break;
}
}
if (grant != null && testApplicationLevels)
{
PolicyLevel appDomainLevel = null;
for (int i = PolicyLevels.Count - 1; i >= 0; --i)
{
currentLevel = (PolicyLevel)PolicyLevels[i];
if (currentLevel.Type == PolicyLevelType.AppDomain)
{
appDomainLevel = currentLevel;
break;
}
}
if (appDomainLevel != null)
{
policy = appDomainLevel.Resolve(evidence, count, serializedEvidence);
grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
}
}
if (grant == null)
{
grant = new PermissionSet(PermissionState.None);
}
// Each piece of evidence can possibly create an identity permission that we
// need to add to our grant set. Therefore, for all pieces of evidence that
// implement the IIdentityPermissionFactory interface, ask it for its
// adjoining identity permission and add it to the grant.
if (!grant.IsUnrestricted())
{
IEnumerator enumerator = evidence.GetHostEnumerator();
while (enumerator.MoveNext())
{
Object obj = enumerator.Current;
IIdentityPermissionFactory factory = obj as IIdentityPermissionFactory;
if (factory != null)
{
IPermission perm = factory.CreateIdentityPermission(evidence);
if (perm != null)
{
grant.AddPermission(perm);
}
}
}
}
grant.IgnoreTypeLoadFailures = true;
return(grant);
}
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
PermissionSet permissionSet = null;
PolicyLevel current = null;
IEnumerator enumerator = this.PolicyLevels.GetEnumerator();
evidence.GetHostEvidence <Zone>();
evidence.GetHostEvidence <StrongName>();
evidence.GetHostEvidence <Url>();
byte[] serializedEvidence = evidence.RawSerialize();
int rawCount = evidence.RawCount;
bool flag = AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null;
bool flag2 = false;
while (enumerator.MoveNext())
{
PolicyStatement statement;
current = (PolicyLevel)enumerator.Current;
if (systemPolicy)
{
if (current.Type != PolicyLevelType.AppDomain)
{
goto Label_0078;
}
continue;
}
if (flag && (current.Type != PolicyLevelType.AppDomain))
{
continue;
}
Label_0078:
statement = current.Resolve(evidence, rawCount, serializedEvidence);
if (permissionSet == null)
{
permissionSet = statement.PermissionSet;
}
else
{
permissionSet.InplaceIntersect(statement.GetPermissionSetNoCopy());
}
if ((permissionSet == null) || permissionSet.FastIsEmpty())
{
break;
}
if ((statement.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal)
{
if (current.Type != PolicyLevelType.AppDomain)
{
flag2 = true;
}
break;
}
}
if ((permissionSet != null) && flag2)
{
PolicyLevel level2 = null;
for (int i = this.PolicyLevels.Count - 1; i >= 0; i--)
{
current = (PolicyLevel)this.PolicyLevels[i];
if (current.Type == PolicyLevelType.AppDomain)
{
level2 = current;
break;
}
}
if (level2 != null)
{
permissionSet.InplaceIntersect(level2.Resolve(evidence, rawCount, serializedEvidence).GetPermissionSetNoCopy());
}
}
if (permissionSet == null)
{
permissionSet = new PermissionSet(PermissionState.None);
}
if (!permissionSet.IsUnrestricted())
{
IEnumerator hostEnumerator = evidence.GetHostEnumerator();
while (hostEnumerator.MoveNext())
{
object obj2 = hostEnumerator.Current;
IIdentityPermissionFactory factory = obj2 as IIdentityPermissionFactory;
if (factory != null)
{
IPermission perm = factory.CreateIdentityPermission(evidence);
if (perm != null)
{
permissionSet.AddPermission(perm);
}
}
}
}
permissionSet.IgnoreTypeLoadFailures = true;
return(permissionSet);
}
public PermissionSet Resolve(Evidence evidence, PermissionSet request)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("PolicyManager::Resolve");
IEnumerator evidenceEnumerator = evidence.GetEnumerator();
DEBUG_OUT("Evidence:");
while (evidenceEnumerator.MoveNext())
{
Object obj = evidenceEnumerator.Current;
if (obj is Site)
{
DEBUG_OUT(((Site)obj).ToXml().ToString());
}
else if (obj is Zone)
{
DEBUG_OUT(((Zone)obj).ToXml().ToString());
}
else if (obj is Url)
{
DEBUG_OUT(((Url)obj).ToXml().ToString());
}
else if (obj is StrongName)
{
DEBUG_OUT(((StrongName)obj).ToXml().ToString());
}
else if (obj is PermissionRequestEvidence)
{
DEBUG_OUT(((PermissionRequestEvidence)obj).ToXml().ToString());
}
}
}
#endif
// We set grant to null to represent "AllPossible"
PermissionSet grant = null;
PolicyStatement policy;
PolicyLevel currentLevel = null;
IEnumerator levelEnumerator = m_levels.GetEnumerator();
char[] serializedEvidence = MakeEvidenceArray(evidence, false);
int count = evidence.Count;
bool testApplicationLevels = false;
while (levelEnumerator.MoveNext())
{
currentLevel = (PolicyLevel)levelEnumerator.Current;
policy = currentLevel.Resolve(evidence, count, serializedEvidence);
// If the grant is "AllPossible", the intersection is just the other permission set.
// Otherwise, do an inplace intersection (since we know we can alter the grant set since
// it is a copy of the first policy statement's permission set).
if (grant == null)
{
grant = policy.PermissionSet;
}
else
{
// An exception somewhere in here means that a permission
// failed some operation. This simply means that it will be
// dropped from the grant set which is safe operation that
// can be ignored.
try
{
grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
}
catch (Exception)
{
}
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("Level = " + currentLevel.Label);
DEBUG_OUT("policy =\n" + policy.ToXml().ToString());
DEBUG_OUT("grant so far =\n" + grant.ToXml().ToString());
}
#endif
if (grant.IsEmpty())
{
break;
}
else if ((policy.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal)
{
if (!currentLevel.Label.Equals("AppDomain"))
{
testApplicationLevels = true;
}
break;
}
}
if (testApplicationLevels)
{
PolicyLevel appDomainLevel = null;
for (int i = m_levels.Count - 1; i >= 0; --i)
{
currentLevel = (PolicyLevel)m_levels[i];
if (currentLevel.Label.Equals("AppDomain"))
{
appDomainLevel = currentLevel;
break;
}
}
if (appDomainLevel != null)
{
policy = appDomainLevel.Resolve(evidence, count, serializedEvidence);
grant.InplaceIntersect(policy.GetPermissionSetNoCopy());
}
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("granted =\n" + grant.ToString());
DEBUG_OUT("request =\n" + (request != null ? request.ToString() : "<null>"));
DEBUG_OUT("awarded =\n" + (request != null ? grant.Intersect(request).ToString() : grant.ToString()));
}
#endif
try
{
if (request != null)
{
grant.InplaceIntersect(request);
}
}
catch (Exception)
{
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("granted after intersect w/ request =\n" + grant.ToString());
}
#endif
// Each piece of evidence can possibly create an identity permission that we
// need to add to our grant set. Therefore, for all pieces of evidence that
// implement the IIdentityPermissionFactory interface, ask it for its
// adjoining identity permission and add it to the grant.
IEnumerator enumerator = evidence.GetHostEnumerator();
while (enumerator.MoveNext())
{
try
{
Object obj = enumerator.Current;
IIdentityPermissionFactory factory = obj as IIdentityPermissionFactory;
if (factory != null)
{
IPermission perm = factory.CreateIdentityPermission(evidence);
if (perm != null)
{
grant.AddPermission(perm);
}
}
}
catch (Exception)
{
}
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("awarded with identity =\n" + grant.ToString());
}
#endif
return(grant);
}
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy)
{
PermissionSet permissionSet = (PermissionSet)null;
IEnumerator enumerator = this.PolicyLevels.GetEnumerator();
evidence.GetHostEvidence <Zone>();
evidence.GetHostEvidence <StrongName>();
evidence.GetHostEvidence <Url>();
byte[] serializedEvidence = evidence.RawSerialize();
int rawCount = evidence.RawCount;
bool flag1 = AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null;
bool flag2 = false;
while (enumerator.MoveNext())
{
PolicyLevel policyLevel = (PolicyLevel)enumerator.Current;
if (systemPolicy)
{
if (policyLevel.Type == PolicyLevelType.AppDomain)
{
continue;
}
}
else if (flag1 && policyLevel.Type != PolicyLevelType.AppDomain)
{
continue;
}
PolicyStatement policyStatement = policyLevel.Resolve(evidence, rawCount, serializedEvidence);
if (permissionSet == null)
{
permissionSet = policyStatement.PermissionSet;
}
else
{
permissionSet.InplaceIntersect(policyStatement.GetPermissionSetNoCopy());
}
if (permissionSet != null && !permissionSet.FastIsEmpty())
{
if ((policyStatement.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal)
{
if (policyLevel.Type != PolicyLevelType.AppDomain)
{
flag2 = true;
break;
}
break;
}
}
else
{
break;
}
}
if (permissionSet != null & flag2)
{
PolicyLevel policyLevel1 = (PolicyLevel)null;
for (int index = this.PolicyLevels.Count - 1; index >= 0; --index)
{
PolicyLevel policyLevel2 = (PolicyLevel)this.PolicyLevels[index];
if (policyLevel2.Type == PolicyLevelType.AppDomain)
{
policyLevel1 = policyLevel2;
break;
}
}
if (policyLevel1 != null)
{
PolicyStatement policyStatement = policyLevel1.Resolve(evidence, rawCount, serializedEvidence);
permissionSet.InplaceIntersect(policyStatement.GetPermissionSetNoCopy());
}
}
if (permissionSet == null)
{
permissionSet = new PermissionSet(PermissionState.None);
}
if (!permissionSet.IsUnrestricted())
{
IEnumerator hostEnumerator = evidence.GetHostEnumerator();
while (hostEnumerator.MoveNext())
{
IIdentityPermissionFactory permissionFactory = hostEnumerator.Current as IIdentityPermissionFactory;
if (permissionFactory != null)
{
IPermission identityPermission = permissionFactory.CreateIdentityPermission(evidence);
if (identityPermission != null)
{
permissionSet.AddPermission(identityPermission);
}
}
}
}
permissionSet.IgnoreTypeLoadFailures = true;
return(permissionSet);
}
