//
// System.Security.AccessControl.ObjectSecurity implementation
//
-// Author:
+// Authors:
// Dick Porter <dick@ximian.com>
+// Atsushi Enomoto <atsushi@ximian.com>
+// James Bellinger <jfb@zer7.com>
//
-// Copyright (C) 2005, 2006 Novell, Inc (http://www.novell.com)
+// Copyright (C) 2005-2007 Novell, Inc (http://www.novell.com)
+// Copyright (C) 2012 James Bellinger
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
-#if NET_2_0
-
+using System.Collections.Generic;
using System.Security.Principal;
using System.Runtime.InteropServices;
+using System.Threading;
+#if NET_4_0
+using System.Runtime.ExceptionServices;
+#endif
-namespace System.Security.AccessControl {
- public abstract class ObjectSecurity {
- protected ObjectSecurity ()
+namespace System.Security.AccessControl
+{
+ public abstract class ObjectSecurity
+ {
+ internal ObjectSecurity (CommonSecurityDescriptor securityDescriptor)
{
- /* Give it a 0-param constructor */
+ if (securityDescriptor == null)
+ throw new ArgumentNullException ("securityDescriptor");
+
+ descriptor = securityDescriptor;
+ rw_lock = new ReaderWriterLock ();
}
protected ObjectSecurity (bool isContainer, bool isDS)
+ : this (new CommonSecurityDescriptor
+ (isContainer, isDS, ControlFlags.None, null, null, null,
+ new DiscretionaryAcl (isContainer, isDS, 0)))
{
}
+
+ internal CommonSecurityDescriptor descriptor;
+ AccessControlSections sections_modified;
+ ReaderWriterLock rw_lock;
- public abstract Type AccessRightType
- {
- get;
- }
+ public abstract Type AccessRightType { get; }
- public abstract Type AccessRuleType
- {
- get;
- }
+ public abstract Type AccessRuleType { get; }
- public bool AreAccessRulesCanonical
- {
+ public abstract Type AuditRuleType { get; }
+
+ public bool AreAccessRulesCanonical {
get {
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ return descriptor.IsDiscretionaryAclCanonical;
+ } finally {
+ ReadUnlock ();
+ }
}
}
- public bool AreAccessRulesProtected
- {
+ public bool AreAccessRulesProtected {
get {
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ return 0 != (descriptor.ControlFlags & ControlFlags.DiscretionaryAclProtected);
+ } finally {
+ ReadUnlock ();
+ }
}
}
- public bool AreAuditRulesCanonical
- {
+ public bool AreAuditRulesCanonical {
get {
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ return descriptor.IsSystemAclCanonical;
+ } finally {
+ ReadUnlock ();
+ }
}
}
- public bool AreAuditRulesProtected
- {
+ public bool AreAuditRulesProtected {
get {
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ return 0 != (descriptor.ControlFlags & ControlFlags.SystemAclProtected);
+ } finally {
+ ReadUnlock ();
+ }
}
}
- public abstract Type AuditRuleType
- {
- get;
+ internal AccessControlSections AccessControlSectionsModified {
+ get { Reading (); return sections_modified; }
+ set { Writing (); sections_modified = value; }
}
-
- protected bool AccessRulesModified
- {
- get {
- throw new NotImplementedException ();
- }
- set {
- throw new NotImplementedException ();
- }
+
+ protected bool AccessRulesModified {
+ get { return AreAccessControlSectionsModified (AccessControlSections.Access); }
+ set { SetAccessControlSectionsModified (AccessControlSections.Access, value); }
}
- protected bool AuditRulesModified
- {
- get {
- throw new NotImplementedException ();
- }
- set {
- throw new NotImplementedException ();
- }
+ protected bool AuditRulesModified {
+ get { return AreAccessControlSectionsModified (AccessControlSections.Audit); }
+ set { SetAccessControlSectionsModified (AccessControlSections.Audit, value); }
}
- protected bool GroupModified
- {
- get {
- throw new NotImplementedException ();
- }
- set {
- throw new NotImplementedException ();
- }
+ protected bool GroupModified {
+ get { return AreAccessControlSectionsModified (AccessControlSections.Group); }
+ set { SetAccessControlSectionsModified (AccessControlSections.Group, value); }
}
- protected bool IsContainer
- {
- get {
- throw new NotImplementedException ();
- }
+ protected bool IsContainer {
+ get { return descriptor.IsContainer; }
}
- protected bool IsDS
- {
- get {
- throw new NotImplementedException ();
- }
+ protected bool IsDS {
+ get { return descriptor.IsDS; }
}
- protected bool OwnerModified
- {
- get {
- throw new NotImplementedException ();
- }
- set {
- throw new NotImplementedException ();
- }
+ protected bool OwnerModified {
+ get { return AreAccessControlSectionsModified (AccessControlSections.Owner); }
+ set { SetAccessControlSectionsModified (AccessControlSections.Owner, value); }
}
-
- public abstract AccessRule AccessRuleFactory (IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type);
- public abstract AuditRule AuditRuleFactory (IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags);
+ public abstract AccessRule AccessRuleFactory (IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type);
+ public abstract AuditRule AuditRuleFactory (IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags);
+
public IdentityReference GetGroup (Type targetType)
{
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ if (descriptor.Group == null)
+ return null;
+
+ return descriptor.Group.Translate (targetType);
+ } finally {
+ ReadUnlock ();
+ }
}
public IdentityReference GetOwner (Type targetType)
{
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ if (descriptor.Owner == null)
+ return null;
+
+ return descriptor.Owner.Translate (targetType);
+ } finally {
+ ReadUnlock ();
+ }
}
public byte[] GetSecurityDescriptorBinaryForm ()
{
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ byte[] binaryForm = new byte[descriptor.BinaryLength];
+ descriptor.GetBinaryForm (binaryForm, 0);
+ return binaryForm;
+ } finally {
+ ReadUnlock ();
+ }
}
public string GetSecurityDescriptorSddlForm (AccessControlSections includeSections)
{
- throw new NotImplementedException ();
+ ReadLock ();
+ try {
+ return descriptor.GetSddlForm (includeSections);
+ } finally {
+ ReadUnlock ();
+ }
}
-
+
public static bool IsSddlConversionSupported ()
{
- throw new NotImplementedException ();
+ return GenericSecurityDescriptor.IsSddlConversionSupported ();
}
public virtual bool ModifyAccessRule (AccessControlModification modification, AccessRule rule, out bool modified)
{
- throw new NotImplementedException ();
+ if (rule == null)
+ throw new ArgumentNullException ("rule");
+
+ if (!AccessRuleType.IsAssignableFrom (rule.GetType()))
+ throw new ArgumentException ("rule");
+
+ return ModifyAccess (modification, rule, out modified);
}
public virtual bool ModifyAuditRule (AccessControlModification modification, AuditRule rule, out bool modified)
{
- throw new NotImplementedException ();
+ if (rule == null)
+ throw new ArgumentNullException ("rule");
+
+ if (!AuditRuleType.IsAssignableFrom (rule.GetType()))
+ throw new ArgumentException ("rule");
+
+ return ModifyAudit (modification, rule, out modified);
}
public virtual void PurgeAccessRules (IdentityReference identity)
{
- throw new NotImplementedException ();
+ if (null == identity)
+ throw new ArgumentNullException ("identity");
+
+ WriteLock ();
+ try {
+ descriptor.PurgeAccessControl (SidFromIR (identity));
+ } finally {
+ WriteUnlock ();
+ }
}
public virtual void PurgeAuditRules (IdentityReference identity)
{
- throw new NotImplementedException ();
+ if (null == identity)
+ throw new ArgumentNullException ("identity");
+
+ WriteLock ();
+ try {
+ descriptor.PurgeAudit (SidFromIR (identity));
+ } finally {
+ WriteUnlock ();
+ }
}
public void SetAccessRuleProtection (bool isProtected,
bool preserveInheritance)
{
- throw new NotImplementedException ();
+ WriteLock ();
+ try {
+ descriptor.SetDiscretionaryAclProtection (isProtected, preserveInheritance);
+ } finally {
+ WriteUnlock();
+ }
}
public void SetAuditRuleProtection (bool isProtected,
bool preserveInheritance)
{
- throw new NotImplementedException ();
+ WriteLock ();
+ try {
+ descriptor.SetSystemAclProtection (isProtected, preserveInheritance);
+ } finally {
+ WriteUnlock ();
+ }
}
public void SetGroup (IdentityReference identity)
{
- throw new NotImplementedException ();
+ WriteLock ();
+ try {
+ descriptor.Group = SidFromIR (identity);
+ GroupModified = true;
+ } finally {
+ WriteUnlock ();
+ }
}
public void SetOwner (IdentityReference identity)
{
- throw new NotImplementedException ();
+ WriteLock ();
+ try {
+ descriptor.Owner = SidFromIR (identity);
+ OwnerModified = true;
+ } finally {
+ WriteUnlock ();
+ }
}
public void SetSecurityDescriptorBinaryForm (byte[] binaryForm)
{
- throw new NotImplementedException ();
+ SetSecurityDescriptorBinaryForm (binaryForm, AccessControlSections.All);
}
public void SetSecurityDescriptorBinaryForm (byte[] binaryForm, AccessControlSections includeSections)
{
- throw new NotImplementedException ();
+ CopySddlForm (new CommonSecurityDescriptor (IsContainer, IsDS, binaryForm, 0), includeSections);
}
public void SetSecurityDescriptorSddlForm (string sddlForm)
{
- throw new NotImplementedException ();
+ SetSecurityDescriptorSddlForm (sddlForm, AccessControlSections.All);
}
public void SetSecurityDescriptorSddlForm (string sddlForm, AccessControlSections includeSections)
{
- throw new NotImplementedException ();
+ CopySddlForm (new CommonSecurityDescriptor (IsContainer, IsDS, sddlForm), includeSections);
+ }
+
+ void CopySddlForm (CommonSecurityDescriptor sourceDescriptor, AccessControlSections includeSections)
+ {
+ WriteLock ();
+ try {
+ AccessControlSectionsModified |= includeSections;
+ if (0 != (includeSections & AccessControlSections.Audit))
+ descriptor.SystemAcl = sourceDescriptor.SystemAcl;
+ if (0 != (includeSections & AccessControlSections.Access))
+ descriptor.DiscretionaryAcl = sourceDescriptor.DiscretionaryAcl;
+ if (0 != (includeSections & AccessControlSections.Owner))
+ descriptor.Owner = sourceDescriptor.Owner;
+ if (0 != (includeSections & AccessControlSections.Group))
+ descriptor.Group = sourceDescriptor.Group;
+ } finally {
+ WriteUnlock ();
+ }
}
protected abstract bool ModifyAccess (AccessControlModification modification, AccessRule rule, out bool modified);
protected abstract bool ModifyAudit (AccessControlModification modification, AuditRule rule, out bool modified);
+ // For MoMA. NotImplementedException is correct for this base class.
+ Exception GetNotImplementedException ()
+ {
+ return new NotImplementedException ();
+ }
+
protected virtual void Persist (SafeHandle handle, AccessControlSections includeSections)
{
- throw new NotImplementedException ();
+ throw GetNotImplementedException ();
}
protected virtual void Persist (string name, AccessControlSections includeSections)
{
- throw new NotImplementedException ();
+ throw GetNotImplementedException ();
}
-
+
+ [MonoTODO]
+#if NET_4_0
+ [HandleProcessCorruptedStateExceptions]
+#endif
protected virtual void Persist (bool enableOwnershipPrivilege, string name, AccessControlSections includeSections)
{
throw new NotImplementedException ();
}
+ void Reading ()
+ {
+ if (!rw_lock.IsReaderLockHeld && !rw_lock.IsWriterLockHeld)
+ throw new InvalidOperationException ("Either a read or a write lock must be held.");
+ }
+
protected void ReadLock ()
{
- throw new NotImplementedException ();
+ rw_lock.AcquireReaderLock (Timeout.Infinite);
}
protected void ReadUnlock ()
{
- throw new NotImplementedException ();
+ rw_lock.ReleaseReaderLock ();
+ }
+
+ void Writing ()
+ {
+ if (!rw_lock.IsWriterLockHeld)
+ throw new InvalidOperationException ("Write lock must be held.");
}
protected void WriteLock ()
{
- throw new NotImplementedException ();
+ rw_lock.AcquireWriterLock (Timeout.Infinite);
}
protected void WriteUnlock ()
{
- throw new NotImplementedException ();
+ rw_lock.ReleaseWriterLock ();
+ }
+
+ internal AuthorizationRuleCollection InternalGetAccessRules (bool includeExplicit,
+ bool includeInherited,
+ Type targetType)
+ {
+ List<AuthorizationRule> rules = new List<AuthorizationRule> ();
+
+ ReadLock ();
+ try {
+ foreach (GenericAce genericAce in descriptor.DiscretionaryAcl) {
+ QualifiedAce ace = genericAce as QualifiedAce;
+ if (null == ace) continue;
+ if (ace.IsInherited && !includeInherited) continue;
+ if (!ace.IsInherited && !includeExplicit) continue;
+
+ AccessControlType type;
+ if (AceQualifier.AccessAllowed == ace.AceQualifier)
+ type = AccessControlType.Allow;
+ else if (AceQualifier.AccessDenied == ace.AceQualifier)
+ type = AccessControlType.Deny;
+ else
+ continue;
+
+ AccessRule rule = InternalAccessRuleFactory (ace, targetType, type);
+ rules.Add (rule);
+ }
+ } finally {
+ ReadUnlock ();
+ }
+
+ return new AuthorizationRuleCollection (rules.ToArray ());
+ }
+
+ internal virtual AccessRule InternalAccessRuleFactory (QualifiedAce ace, Type targetType,
+ AccessControlType type)
+ {
+ return AccessRuleFactory (ace.SecurityIdentifier.Translate (targetType),
+ ace.AccessMask, ace.IsInherited,
+ ace.InheritanceFlags, ace.PropagationFlags, type);
+ }
+
+ internal AuthorizationRuleCollection InternalGetAuditRules (bool includeExplicit,
+ bool includeInherited,
+ Type targetType)
+ {
+ List<AuthorizationRule> rules = new List<AuthorizationRule> ();
+
+ ReadLock ();
+ try {
+ if (null != descriptor.SystemAcl) {
+ foreach (GenericAce genericAce in descriptor.SystemAcl) {
+ QualifiedAce ace = genericAce as QualifiedAce;
+ if (null == ace) continue;
+ if (ace.IsInherited && !includeInherited) continue;
+ if (!ace.IsInherited && !includeExplicit) continue;
+
+ if (AceQualifier.SystemAudit != ace.AceQualifier) continue;
+
+ AuditRule rule = InternalAuditRuleFactory (ace, targetType);
+ rules.Add (rule);
+ }
+ }
+ } finally {
+ ReadUnlock ();
+ }
+
+ return new AuthorizationRuleCollection (rules.ToArray ());
+ }
+
+ internal virtual AuditRule InternalAuditRuleFactory (QualifiedAce ace, Type targetType)
+ {
+ return AuditRuleFactory (ace.SecurityIdentifier.Translate (targetType),
+ ace.AccessMask, ace.IsInherited,
+ ace.InheritanceFlags, ace.PropagationFlags, ace.AuditFlags);
+ }
+
+ internal static SecurityIdentifier SidFromIR (IdentityReference identity)
+ {
+ if (null == identity)
+ throw new ArgumentNullException ("identity");
+
+ return (SecurityIdentifier)identity.Translate (typeof (SecurityIdentifier));
+ }
+
+ bool AreAccessControlSectionsModified (AccessControlSections mask)
+ {
+ return 0 != (AccessControlSectionsModified & mask);
+ }
+
+ void SetAccessControlSectionsModified(AccessControlSections mask, bool modified)
+ {
+ if (modified)
+ AccessControlSectionsModified |= mask;
+ else
+ AccessControlSectionsModified &= ~mask;
}
}
}
-#endif