538 lines
17 KiB
C#
538 lines
17 KiB
C#
//
|
|
// System.Security.AccessControl.CommonAcl implementation
|
|
//
|
|
// Authors:
|
|
// Dick Porter <dick@ximian.com>
|
|
// Atsushi Enomoto <atsushi@ximian.com>
|
|
// James Bellinger <jfb@zer7.com>
|
|
//
|
|
// Copyright (C) 2006-2007 Novell, Inc (http://www.novell.com)
|
|
// Copyright (C) 2012 James Bellinger
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
// a copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
// the following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be
|
|
// included in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
|
|
using System.Collections.Generic;
|
|
using System.Security.Principal;
|
|
|
|
namespace System.Security.AccessControl
|
|
{
|
|
/* NB: Note the Remarks section in the CommonAcl class docs
|
|
* concerning ACE management
|
|
*/
|
|
public abstract class CommonAcl : GenericAcl
|
|
{
|
|
const int default_capacity = 10; // FIXME: not verified
|
|
|
|
internal delegate bool RemoveAcesCallback<T> (T ace);
|
|
|
|
internal CommonAcl (bool isContainer, bool isDS, RawAcl rawAcl)
|
|
{
|
|
if (rawAcl == null) {
|
|
rawAcl = new RawAcl (isDS ? AclRevisionDS : AclRevision, default_capacity);
|
|
} else {
|
|
// The RawAcl ACEs are cloned.
|
|
byte[] binaryForm = new byte [rawAcl.BinaryLength];
|
|
rawAcl.GetBinaryForm (binaryForm, 0);
|
|
rawAcl = new RawAcl (binaryForm, 0);
|
|
}
|
|
|
|
Init (isContainer, isDS, rawAcl);
|
|
}
|
|
|
|
internal CommonAcl (bool isContainer, bool isDS, byte revision, int capacity)
|
|
{
|
|
Init (isContainer, isDS, new RawAcl (revision, capacity));
|
|
}
|
|
|
|
internal CommonAcl (bool isContainer, bool isDS, int capacity)
|
|
: this (isContainer, isDS, isDS ? AclRevisionDS : AclRevision, capacity)
|
|
{
|
|
}
|
|
|
|
void Init (bool isContainer, bool isDS, RawAcl rawAcl)
|
|
{
|
|
is_container = isContainer;
|
|
is_ds = isDS;
|
|
raw_acl = rawAcl;
|
|
CanonicalizeAndClearAefa ();
|
|
}
|
|
|
|
bool is_aefa, is_canonical, is_container, is_ds;
|
|
internal RawAcl raw_acl;
|
|
|
|
public override sealed int BinaryLength {
|
|
get { return raw_acl.BinaryLength; }
|
|
}
|
|
|
|
public override sealed int Count {
|
|
get { return raw_acl.Count; }
|
|
}
|
|
|
|
public bool IsCanonical {
|
|
get { return is_canonical; }
|
|
}
|
|
|
|
public bool IsContainer {
|
|
get { return is_container; }
|
|
}
|
|
|
|
public bool IsDS {
|
|
get { return is_ds; }
|
|
}
|
|
|
|
// See CommonSecurityDescriptorTest's AefaModifiedFlagIsStoredOnDiscretionaryAcl unit test.
|
|
internal bool IsAefa {
|
|
get { return is_aefa; }
|
|
set { is_aefa = value; }
|
|
}
|
|
|
|
public override sealed byte Revision {
|
|
get { return raw_acl.Revision; }
|
|
}
|
|
|
|
public override sealed GenericAce this[int index] {
|
|
get { return CopyAce (raw_acl [index]); }
|
|
set { throw new NotSupportedException (); }
|
|
}
|
|
|
|
public override sealed void GetBinaryForm (byte[] binaryForm, int offset)
|
|
{
|
|
raw_acl.GetBinaryForm (binaryForm, offset);
|
|
}
|
|
|
|
public void Purge (SecurityIdentifier sid)
|
|
{
|
|
RequireCanonicity ();
|
|
RemoveAces<KnownAce> (ace => ace.SecurityIdentifier == sid);
|
|
}
|
|
|
|
public void RemoveInheritedAces ()
|
|
{
|
|
RequireCanonicity ();
|
|
RemoveAces<GenericAce> (ace => ace.IsInherited);
|
|
}
|
|
|
|
internal void RequireCanonicity ()
|
|
{
|
|
if (!IsCanonical)
|
|
throw new InvalidOperationException("ACL is not canonical.");
|
|
}
|
|
|
|
internal void CanonicalizeAndClearAefa ()
|
|
{
|
|
RemoveAces<GenericAce> (IsAceMeaningless);
|
|
|
|
is_canonical = TestCanonicity ();
|
|
|
|
if (IsCanonical) {
|
|
ApplyCanonicalSortToExplicitAces ();
|
|
MergeExplicitAces ();
|
|
}
|
|
|
|
IsAefa = false;
|
|
}
|
|
|
|
internal virtual bool IsAceMeaningless (GenericAce ace)
|
|
{
|
|
AceFlags flags = ace.AceFlags;
|
|
|
|
KnownAce knownAce = ace as KnownAce;
|
|
if (knownAce != null) {
|
|
if (0 == knownAce.AccessMask) return true;
|
|
if (0 != (flags & AceFlags.InheritOnly)) {
|
|
if (knownAce is ObjectAce) return true;
|
|
if (!IsContainer) return true;
|
|
if (0 == (flags & (AceFlags.ContainerInherit|AceFlags.ObjectInherit))) return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
bool TestCanonicity ()
|
|
{
|
|
foreach (GenericAce ace in this) {
|
|
if (!(ace is QualifiedAce)) return false;
|
|
}
|
|
|
|
bool gotInheritedAce = false;
|
|
foreach (QualifiedAce ace in this) {
|
|
if (ace.IsInherited) {
|
|
gotInheritedAce = true;
|
|
} else {
|
|
if (gotInheritedAce) return false;
|
|
}
|
|
}
|
|
|
|
bool gotExplicitAllow = false;
|
|
foreach (QualifiedAce ace in this) {
|
|
if (ace.IsInherited) break;
|
|
if (AceQualifier.AccessAllowed == ace.AceQualifier) {
|
|
gotExplicitAllow = true;
|
|
} else if (AceQualifier.AccessDenied == ace.AceQualifier) {
|
|
if (gotExplicitAllow) return false;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
internal int GetCanonicalExplicitDenyAceCount ()
|
|
{
|
|
int i;
|
|
for (i = 0; i < Count; i ++) {
|
|
if (raw_acl [i].IsInherited) break;
|
|
|
|
QualifiedAce ace = raw_acl [i] as QualifiedAce;
|
|
if (ace == null || ace.AceQualifier != AceQualifier.AccessDenied) break;
|
|
}
|
|
return i;
|
|
}
|
|
|
|
internal int GetCanonicalExplicitAceCount ()
|
|
{
|
|
int i;
|
|
for (i = 0; i < Count; i ++)
|
|
if (raw_acl [i].IsInherited) break;
|
|
return i;
|
|
}
|
|
|
|
void MergeExplicitAces ()
|
|
{
|
|
int explicitCount = GetCanonicalExplicitAceCount ();
|
|
|
|
for (int i = 0; i < explicitCount - 1; ) {
|
|
GenericAce mergedAce = MergeExplicitAcePair (raw_acl [i], raw_acl [i + 1]);
|
|
if (null != mergedAce) {
|
|
raw_acl [i] = mergedAce;
|
|
raw_acl.RemoveAce (i + 1);
|
|
explicitCount --;
|
|
} else {
|
|
i ++;
|
|
}
|
|
}
|
|
}
|
|
|
|
GenericAce MergeExplicitAcePair (GenericAce ace1, GenericAce ace2)
|
|
{
|
|
QualifiedAce qace1 = ace1 as QualifiedAce;
|
|
QualifiedAce qace2 = ace2 as QualifiedAce;
|
|
if (!(null != qace1 && null != qace2)) return null;
|
|
if (!(qace1.AceQualifier == qace2.AceQualifier)) return null;
|
|
if (!(qace1.SecurityIdentifier == qace2.SecurityIdentifier)) return null;
|
|
|
|
AceFlags aceFlags1 = qace1.AceFlags, aceFlags2 = qace2.AceFlags, aceFlagsNew;
|
|
int accessMask1 = qace1.AccessMask, accessMask2 = qace2.AccessMask, accessMaskNew;
|
|
|
|
if (!IsContainer) {
|
|
aceFlags1 &= ~AceFlags.InheritanceFlags;
|
|
aceFlags2 &= ~AceFlags.InheritanceFlags;
|
|
}
|
|
|
|
if (aceFlags1 != aceFlags2) {
|
|
if (accessMask1 != accessMask2) return null;
|
|
if ((aceFlags1 & ~(AceFlags.ContainerInherit|AceFlags.ObjectInherit)) ==
|
|
(aceFlags2 & ~(AceFlags.ContainerInherit|AceFlags.ObjectInherit))) {
|
|
aceFlagsNew = aceFlags1|aceFlags2; // merge InheritanceFlags
|
|
accessMaskNew = accessMask1;
|
|
} else if ((aceFlags1 & ~(AceFlags.SuccessfulAccess|AceFlags.FailedAccess)) ==
|
|
(aceFlags2 & ~(AceFlags.SuccessfulAccess|AceFlags.FailedAccess))) {
|
|
aceFlagsNew = aceFlags1|aceFlags2; // merge AuditFlags
|
|
accessMaskNew = accessMask1;
|
|
} else {
|
|
return null;
|
|
}
|
|
} else {
|
|
aceFlagsNew = aceFlags1;
|
|
accessMaskNew = accessMask1|accessMask2;
|
|
}
|
|
|
|
CommonAce cace1 = ace1 as CommonAce;
|
|
CommonAce cace2 = ace2 as CommonAce;
|
|
if (null != cace1 && null != cace2) {
|
|
return new CommonAce (aceFlagsNew, cace1.AceQualifier, accessMaskNew,
|
|
cace1.SecurityIdentifier, cace1.IsCallback, cace1.GetOpaque());
|
|
}
|
|
|
|
ObjectAce oace1 = ace1 as ObjectAce;
|
|
ObjectAce oace2 = ace2 as ObjectAce;
|
|
if (null != oace1 && null != oace2) {
|
|
// See DiscretionaryAclTest.GuidEmptyMergesRegardlessOfFlagsAndOpaqueDataIsNotConsidered
|
|
Guid type1, inheritedType1; GetObjectAceTypeGuids(oace1, out type1, out inheritedType1);
|
|
Guid type2, inheritedType2; GetObjectAceTypeGuids(oace2, out type2, out inheritedType2);
|
|
|
|
if (type1 == type2 && inheritedType1 == inheritedType2) {
|
|
return new ObjectAce (aceFlagsNew, oace1.AceQualifier, accessMaskNew,
|
|
oace1.SecurityIdentifier,
|
|
oace1.ObjectAceFlags, oace1.ObjectAceType, oace1.InheritedObjectAceType,
|
|
oace1.IsCallback, oace1.GetOpaque());
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
static void GetObjectAceTypeGuids(ObjectAce ace, out Guid type, out Guid inheritedType)
|
|
{
|
|
type = Guid.Empty; inheritedType = Guid.Empty;
|
|
if (0 != (ace.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent))
|
|
type = ace.ObjectAceType;
|
|
if (0 != (ace.ObjectAceFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
|
|
inheritedType = ace.InheritedObjectAceType;
|
|
}
|
|
|
|
internal abstract void ApplyCanonicalSortToExplicitAces ();
|
|
|
|
internal void ApplyCanonicalSortToExplicitAces (int start, int count)
|
|
{
|
|
int i, j;
|
|
for (i = start + 1; i < start + count; i ++)
|
|
{
|
|
KnownAce ace = (KnownAce)raw_acl [i];
|
|
SecurityIdentifier sid = ace.SecurityIdentifier;
|
|
for (j = i; j > start && ((KnownAce)raw_acl [j - 1]).SecurityIdentifier.CompareTo (sid) > 0; j --)
|
|
raw_acl [j] = raw_acl [j - 1];
|
|
raw_acl [j] = ace;
|
|
}
|
|
}
|
|
|
|
internal override string GetSddlForm (ControlFlags sdFlags, bool isDacl)
|
|
{
|
|
return raw_acl.GetSddlForm (sdFlags, isDacl);
|
|
}
|
|
|
|
internal void RemoveAces<T> (RemoveAcesCallback<T> callback)
|
|
where T : GenericAce
|
|
{
|
|
for (int i = 0; i < raw_acl.Count; ) {
|
|
if (raw_acl [i] is T && callback ((T)raw_acl [i])) {
|
|
raw_acl.RemoveAce (i);
|
|
} else {
|
|
i ++;
|
|
}
|
|
}
|
|
}
|
|
|
|
// DiscretionaryAcl/SystemAcl shared implementation below...
|
|
internal void AddAce (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid, int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags)
|
|
{
|
|
QualifiedAce ace = AddAceGetQualifiedAce (aceQualifier, sid, accessMask,
|
|
inheritanceFlags, propagationFlags, auditFlags);
|
|
AddAce (ace);
|
|
}
|
|
|
|
internal void AddAce (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid, int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags,
|
|
ObjectAceFlags objectFlags,
|
|
Guid objectType,
|
|
Guid inheritedObjectType)
|
|
{
|
|
QualifiedAce ace = AddAceGetQualifiedAce (aceQualifier, sid, accessMask,
|
|
inheritanceFlags, propagationFlags, auditFlags,
|
|
objectFlags, objectType, inheritedObjectType);
|
|
AddAce (ace);
|
|
}
|
|
|
|
QualifiedAce AddAceGetQualifiedAce (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid, int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags,
|
|
ObjectAceFlags objectFlags,
|
|
Guid objectType,
|
|
Guid inheritedObjectType)
|
|
{
|
|
if (!IsDS)
|
|
throw new InvalidOperationException ("For this overload, IsDS must be true.");
|
|
|
|
if (ObjectAceFlags.None == objectFlags)
|
|
return AddAceGetQualifiedAce (aceQualifier, sid, accessMask,
|
|
inheritanceFlags, propagationFlags, auditFlags);
|
|
|
|
AceFlags flags = GetAceFlags (inheritanceFlags, propagationFlags, auditFlags);
|
|
return new ObjectAce (flags, aceQualifier, accessMask, sid,
|
|
objectFlags, objectType, inheritedObjectType, false, null);
|
|
}
|
|
|
|
QualifiedAce AddAceGetQualifiedAce (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid, int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags)
|
|
{
|
|
AceFlags flags = GetAceFlags (inheritanceFlags, propagationFlags, auditFlags);
|
|
return new CommonAce (flags, aceQualifier, accessMask, sid, false, null);
|
|
}
|
|
|
|
void AddAce (QualifiedAce newAce)
|
|
{
|
|
RequireCanonicity ();
|
|
|
|
int pos = GetAceInsertPosition (newAce.AceQualifier);
|
|
raw_acl.InsertAce (pos, CopyAce (newAce));
|
|
CanonicalizeAndClearAefa ();
|
|
}
|
|
|
|
static GenericAce CopyAce (GenericAce ace)
|
|
{
|
|
byte[] binaryForm = new byte[ace.BinaryLength];
|
|
ace.GetBinaryForm (binaryForm, 0);
|
|
return GenericAce.CreateFromBinaryForm (binaryForm, 0);
|
|
}
|
|
|
|
internal abstract int GetAceInsertPosition (AceQualifier aceQualifier);
|
|
|
|
AceFlags GetAceFlags (InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags auditFlags)
|
|
{
|
|
if (InheritanceFlags.None != inheritanceFlags && !IsContainer)
|
|
throw new ArgumentException ("Flags only work with containers.", "inheritanceFlags");
|
|
|
|
if (InheritanceFlags.None == inheritanceFlags && PropagationFlags.None != propagationFlags)
|
|
throw new ArgumentException ("Propagation flags need inheritance flags.", "propagationFlags");
|
|
|
|
AceFlags flags = AceFlags.None;
|
|
if (0 != (InheritanceFlags.ContainerInherit & inheritanceFlags))
|
|
flags |= AceFlags.ContainerInherit;
|
|
if (0 != (InheritanceFlags.ObjectInherit & inheritanceFlags))
|
|
flags |= AceFlags.ObjectInherit;
|
|
if (0 != (PropagationFlags.InheritOnly & propagationFlags))
|
|
flags |= AceFlags.InheritOnly;
|
|
if (0 != (PropagationFlags.NoPropagateInherit & propagationFlags))
|
|
flags |= AceFlags.NoPropagateInherit;
|
|
if (0 != (AuditFlags.Success & auditFlags))
|
|
flags |= AceFlags.SuccessfulAccess;
|
|
if (0 != (AuditFlags.Failure & auditFlags))
|
|
flags |= AceFlags.FailedAccess;
|
|
return flags;
|
|
}
|
|
|
|
internal void RemoveAceSpecific (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid,
|
|
int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags)
|
|
{
|
|
RequireCanonicity ();
|
|
RemoveAces<CommonAce> (ace =>
|
|
{
|
|
if (ace.AccessMask != accessMask) return false;
|
|
if (ace.AceQualifier != aceQualifier) return false;
|
|
if (ace.SecurityIdentifier != sid) return false;
|
|
if (ace.InheritanceFlags != inheritanceFlags) return false;
|
|
if (InheritanceFlags.None != inheritanceFlags)
|
|
if (ace.PropagationFlags != propagationFlags) return false;
|
|
if (ace.AuditFlags != auditFlags) return false;
|
|
return true;
|
|
});
|
|
CanonicalizeAndClearAefa ();
|
|
}
|
|
|
|
internal void RemoveAceSpecific (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid,
|
|
int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags,
|
|
ObjectAceFlags objectFlags,
|
|
Guid objectType,
|
|
Guid inheritedObjectType)
|
|
{
|
|
if (!IsDS)
|
|
throw new InvalidOperationException ("For this overload, IsDS must be true.");
|
|
|
|
if (ObjectAceFlags.None == objectFlags) {
|
|
RemoveAceSpecific (aceQualifier, sid, accessMask, inheritanceFlags, propagationFlags, auditFlags);
|
|
return;
|
|
}
|
|
|
|
RequireCanonicity ();
|
|
RemoveAces<ObjectAce> (ace =>
|
|
{
|
|
if (ace.AccessMask != accessMask) return false;
|
|
if (ace.AceQualifier != aceQualifier) return false;
|
|
if (ace.SecurityIdentifier != sid) return false;
|
|
if (ace.InheritanceFlags != inheritanceFlags) return false;
|
|
if (InheritanceFlags.None != inheritanceFlags)
|
|
if (ace.PropagationFlags != propagationFlags) return false;
|
|
if (ace.AuditFlags != auditFlags) return false;
|
|
if (ace.ObjectAceFlags != objectFlags) return false;
|
|
if (0 != (objectFlags & ObjectAceFlags.ObjectAceTypePresent))
|
|
if (ace.ObjectAceType != objectType) return false;
|
|
if (0 != (objectFlags & ObjectAceFlags.InheritedObjectAceTypePresent))
|
|
if (ace.InheritedObjectAceType != objectType) return false;
|
|
return true;
|
|
});
|
|
CanonicalizeAndClearAefa ();
|
|
}
|
|
|
|
internal void SetAce (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid,
|
|
int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags)
|
|
{
|
|
QualifiedAce ace = AddAceGetQualifiedAce (aceQualifier, sid, accessMask,
|
|
inheritanceFlags, propagationFlags, auditFlags);
|
|
SetAce (ace);
|
|
}
|
|
|
|
internal void SetAce (AceQualifier aceQualifier,
|
|
SecurityIdentifier sid,
|
|
int accessMask,
|
|
InheritanceFlags inheritanceFlags,
|
|
PropagationFlags propagationFlags,
|
|
AuditFlags auditFlags,
|
|
ObjectAceFlags objectFlags,
|
|
Guid objectType,
|
|
Guid inheritedObjectType)
|
|
{
|
|
QualifiedAce ace = AddAceGetQualifiedAce (aceQualifier, sid, accessMask,
|
|
inheritanceFlags, propagationFlags, auditFlags,
|
|
objectFlags, objectType, inheritedObjectType);
|
|
SetAce (ace);
|
|
}
|
|
|
|
void SetAce (QualifiedAce newAce)
|
|
{
|
|
RequireCanonicity ();
|
|
|
|
RemoveAces<QualifiedAce> (oldAce =>
|
|
{
|
|
return oldAce.AceQualifier == newAce.AceQualifier &&
|
|
oldAce.SecurityIdentifier == newAce.SecurityIdentifier;
|
|
});
|
|
CanonicalizeAndClearAefa ();
|
|
|
|
AddAce (newAce);
|
|
}
|
|
}
|
|
}
|
|
|