The Windows Access Control Model Part 3

oshah

Rate me:

4.80/5 (28 votes)

1 Jul 200525 min read

232.5K

5.2K

126

In the third part of this series, we will take a tour of the new access control classes coming in .NET v2.0.

accesscontrolnet.zip
- NetAccessControl.txt
- NetAccessControl
  - AboutBox1.cs
  - AboutBox1.Designer.cs
  - AboutBox1.resx
  - AccCheckFrm.cs
  - AccCheckFrm.Designer.cs
  - AccCheckFrm.resx
  - AccessCheck.cs
  - app.config
  - bin
    - Release
      - AccessToken.dll
      - NetAccessControl.exe
      - NetAccessControl.exe.config
  - DACLForm.cs
  - DACLForm.Designer.cs
  - DACLForm.resx
  - Inheritance.cs
  - Inheritance.Designer.cs
  - Inheritance.resx
  - LowerRights.cs
  - LowerRights.Designer.cs
  - LowerRights.resx
  - MainMenu.cs
  - MainMenu.Designer.cs
  - MainMenu.resx
  - NetAccessControl.csproj
  - NetAccessControl.sln
  - NetAccessControl.txt
  - Program.cs
  - Properties
    - AssemblyInfo.cs
    - Resources.Designer.cs
    - Resources.resx
    - Settings.Designer.cs
    - Settings.settings
  - ReadSD.cs
  - ReadSD.Designer.cs
  - ReadSD.resx
  - ReadToken.cs
  - ReadToken.Designer.cs
  - ReadToken.resx
  - SACLForm.cs
  - Safer.cs
  - ViewSids.cs
  - ViewSids.Designer.cs
  - ViewSids.resx
accesstoken.zip
- AccessToken.txt
- AccessToken
  - AccessToken.cpp
  - AccessToken.h
  - AccessToken.rc
  - AccessToken.sln
  - AccessToken.vcproj
  - AssemblyInfo.cpp
  - mykey.snk
  - Release
    - AccessToken.dll
    - TokenTest.exe
  - resource.h
- TokenTest
  - app.ico
  - AssemblyInfo.cpp
  - TokenTest.cpp
  - TokenTest.vcproj

using System;
using System.Security.AccessControl;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;

namespace NetAccessControl
{
	public partial class DACLForm : Form
	{

		protected RegistrySecurity ppSD;
		string ObjectName;

		/// <summary>
		/// Creates the DACL Form.
		/// </summary>
		/// <param name="ppSDIn">The Security descriptor that DACLForm will display.</param>
		/// <param name="ObjectNameIn">The display name of the registry key to be shown to the user.</param>
		public DACLForm(RegistrySecurity ppSDIn, string ObjectNameIn)
		{
			InitializeComponent();
			this.ppSD = ppSDIn;
			this.ObjectName = ObjectNameIn;
		}


		protected void DACLForm_Load(object sender, EventArgs e)
		{
			/* Fill up the list view with information from the security descriptor */
			try
			{
				this.regKeyLbl.Text = this.ObjectName;

				RefreshDataGrid();
				CheckAutoInheritBox();
			}
			catch (System.Exception ex)
			{
				this.errorLbl.Visible = true;
				this.errorLbl.Text = ex.Message;
				this.viewInheritButton.Enabled = false;
				this.daclLView.Enabled = false;
				this.applyButton.Enabled = false;
			}
		}

		protected virtual void CheckAutoInheritBox()
		{
			this.autoinheritBox.Checked = !ppSD.AreAccessRulesProtected;
			this.viewInheritButton.Enabled = this.autoinheritBox.Checked;
		}

		protected void RefreshDataGrid()
		{
			int i = 0;
			/* clear the old view */
			this.daclLView.Rows.Clear();
			foreach (AuthorizationRule Entry in GetAuthzRules(false))
			{
				this.daclLView.Rows.Add();

				/* Username */
				this.daclLView["userLViewCol", i].Value = Entry.IdentityReference.ToString();

				/* Allow/deny */
				this.daclLView["typeLViewCol", i].Value = GetAccessType(Entry);

				/* Access mask */
				uint accessMask = GetAccessRightsFromEntry(Entry);
				this.daclLView["permsLViewCol", i].Value = Convert.ToString(accessMask, 16);

				/* inheritance */
				this.daclLView["inheritLViewCol", i].Tag = Entry;
				i++;
			}
		}

		protected virtual AuthorizationRuleCollection GetAuthzRules(bool inheritedOrExplicit)
		{
			/* true: inherited, false: explicit */
			return ppSD.GetAccessRules(!inheritedOrExplicit, inheritedOrExplicit,
				typeof(System.Security.Principal.NTAccount));
		}

		protected virtual uint GetAccessRightsFromEntry(AuthorizationRule Entry)
		{
			/* This is DACL specific, so virtualize it. */
			return (uint)((RegistryAccessRule)(Entry)).RegistryRights;
		}

		protected virtual string GetAccessType(AuthorizationRule Entry)
		{
			/* DACL specific again. */
			return ((RegistryAccessRule)(Entry)).AccessControlType.ToString();
		}

		private void cancelButton_Click(object sender, EventArgs e)
		{
			this.Close();
		}


		protected virtual void HandleUpdatedData(object sender, DataGridViewCellEventArgs e) 
		{
			if (e.ColumnIndex == 3)
			{
				/** The user wanted to see the ACE Flags. However, only Form Inheritace &lt;&gt; is
				*	capable of seeing the ACE Flags, so we must create the Inheritance form passing to it
				*	the selected access control entry.
				**/
				RegistryAccessRule inheritFlags = (RegistryAccessRule)
					(this.daclLView[e.ColumnIndex, e.RowIndex].Tag);
				Inheritance<RegistryAccessRule> childFrm = new Inheritance<RegistryAccessRule>(
					inheritFlags);

				if (childFrm.ShowDialog(this) == DialogResult.OK)
				{
					/* Okay, the ACE flag was updated. Reflect the update in this ACE. */
					RegistryAccessRule Entry = new RegistryAccessRule((string)(this.daclLView["userLViewCol", e.RowIndex].Value),
						(RegistryRights)Convert.ToUInt32((string)
						(this.daclLView["permsLViewCol", e.RowIndex].Value), 16),
						childFrm.Entryinhers, childFrm.Entryprops, GetAccessFlags(e.RowIndex));
					this.daclLView[e.ColumnIndex, e.RowIndex].Tag = Entry;
					this.applyButton.Enabled = true;
				}
			}
			else
			{
				this.applyButton.Enabled = true;
			}
		}

		private AccessControlType GetAccessFlags(int i)
		{
			/** Since this int.ToAccessControlType converter is used by more than one
			*	function, I've extracted the method to here.
			**/
			AccessControlType alloworDeny = AccessControlType.Allow;
			switch ((string)(this.daclLView["typeLViewCol", i].Value))
			{
				default:
				case "Allow":
				{
					alloworDeny = AccessControlType.Allow;
					break;
				}
				case "Deny":
				{
					alloworDeny = AccessControlType.Deny;
					break;
				}
			}
			return alloworDeny;
		}


		private void remapGenericSelect_CheckedChanged(object sender, EventArgs e)
		{
			if (this.remapGenericSelect.CheckState == CheckState.Checked)
			{
				try
				{
					for (int i = 0; i < this.daclLView.Rows.Count; i++)
					{
						/* Get the cached access mask */
						uint accessMask = Convert.ToUInt32((string)(this.daclLView["permsLViewCol", i].Value), 16);
						AccessToken.AccessCheckWrap.GENERIC_MAPPING regGenericMapping = AccessToken.AccessCheckWrap.RegGeneric();
						AccessToken.AccessCheckWrap.MapGenericMask(ref accessMask, ref regGenericMapping);
						this.daclLView["permsLViewCol", i].Value = Convert.ToString(accessMask, 16);
					}
				}
				catch (System.Exception ex)
				{
					this.errorLbl.Text = "Error Occurred: " + ex.Message;
					this.applyButton.Enabled = false;
				}
			}
			else
			{
				/* we have no choice but to refill the entire Datagridview with the original data. */
				this.RefreshDataGrid();
			}
		}

		protected virtual void applyButton_Click(object sender, EventArgs e)
		{
			/* Get the contents of the DatagridView */
			for (int i = 0; i < this.daclLView.Rows.Count; i++)
			{
				try
				{
					string identity = (string)(this.daclLView["userLViewCol", i].Value);

					/* Access mask */
					RegistryRights accessMask = (RegistryRights)(Convert.ToUInt32
						((string)(this.daclLView["permsLViewCol", i].Value), 16));

					/* Inheritance flags */
					AuthorizationRule inheritEntries =
						(AuthorizationRule)(this.daclLView["inheritLViewCol", i].Tag);

					/* Now build up an AccessRule from the data. */
					RegistryAccessRule newEntry = new RegistryAccessRule(identity, accessMask,
						inheritEntries.InheritanceFlags, inheritEntries.PropagationFlags,
						this.GetAccessFlags(i));

					//AuthorizationRule newEntry2 = new RegistryAuditRule(identity, accessMask,
					//	inheritEntries.InheritanceFlags, inheritEntries.PropagationFlags,
					//	(RegistryAuditRule)(this.daclLView["typeLViewCol", i].Value));

					/* And apply it. */
					this.ppSD.SetAccessRule(newEntry);
				}
				catch (System.NullReferenceException)
				{
					/* skip over all empty entries */
				}
			}
			/* Don't forget the auto-inheritance. */
			this.ppSD.SetAccessRuleProtection(!this.autoinheritBox.Checked, (bool)(this.autoinheritBox.Tag));
			this.Close();
		}

		protected virtual void viewInheritButton_Click(object sender, EventArgs e)
		{
			AuthorizationRuleCollection entriesCollection = GetAuthzRules(true);
			System.Text.StringBuilder finalString = new System.Text.StringBuilder("", 20 * entriesCollection.Count);
			foreach(AuthorizationRule Entry in entriesCollection)
			{
				uint accessMask = GetAccessRightsFromEntry(Entry);
				if(this.remapGenericSelect.CheckState == CheckState.Checked)
				{
					AccessToken.AccessCheckWrap.GENERIC_MAPPING regGenericMapping = AccessToken.AccessCheckWrap.RegGeneric();
					AccessToken.AccessCheckWrap.MapGenericMask(ref accessMask, ref regGenericMapping);
				}

				finalString.Append(GetAccessType(Entry) + " " + Entry.IdentityReference.ToString() + " to " +
					Convert.ToString(accessMask, 16) + ". Propagate: " + Entry.PropagationFlags + ", " +
					Entry.InheritanceFlags + "\r\n");
			}

			MessageBox.Show(finalString.ToString(), "Inherited ACLs", MessageBoxButtons.OK, MessageBoxIcon.None,
				MessageBoxDefaultButton.Button1);
		}

		private void daclLView_CellClick(object sender, DataGridViewCellEventArgs e)
		{
			this.HandleUpdatedData(sender, e);
		}

		private void autoinheritBox_CheckedChanged(object sender, EventArgs e)
		{
			if (this.autoinheritBox.Checked)
			{/* Reenable the propagation */
				this.viewInheritButton.Enabled = true;
				this.autoinheritBox.Tag = true;
			}
			else
			{/* Ask the user how if they want to keep inherited entries (ACLUI style). */
				this.viewInheritButton.Enabled = false;
				if (this.Visible)
				{
					switch (MessageBox.Show(this, "Do you want to keep the inherited ACEs? If you choose no, " +
						"inherited ACEs will be removed. Cancel will undo the operation.", "Copy Inherited ACEs?",
						MessageBoxButtons.YesNoCancel, MessageBoxIcon.Question, MessageBoxDefaultButton.Button1))
					{
						case DialogResult.Yes:
						{/* Flag the Tag about the user's choice. applyButton will act on this tag. */
							this.autoinheritBox.Tag = false;
							break;
						}
						case DialogResult.No:
						{
							this.autoinheritBox.Tag = false;
							break;
						}
						default:
						case DialogResult.Cancel:
						{
							this.autoinheritBox.Checked = true;
							this.viewInheritButton.Enabled = true;
							break;
						}
					}
				}
			}
		}
	}
}

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Written By

oshah

Web Developer

United States

Mr. Shah is a reclusive C++/C# developer lurking somewhere in the depths of the city of London. He learnt physics at Kings' College London and obtained a Master in Science there. Having earned an MCAD, he teeters on the brink of transitioning from C++ to C#, unsure of which language to jump to. Fortunately, he also knows how to use .NET interop to merge code between the two languages (which means he won't have to make the choice anytime soon).

His interests (apart from programming) are walking, football (the real one!), philosophy, history, retro-gaming, strategy gaming, and any good game in general.

He maintains a website / blog / FAQ / junk at shexec32.serveftp.net, where he places the best answers he's written to the questions you've asked. If you can find him, maybe you can hire Mr. Shah to help you with anything C++[/CLI]/C#/.NET related Smile | :)

The Windows Access Control Model Part 3

License

Comments and Discussions