Add NamedPipeServerStream method that takes an ACL (#317)

Add NamedPipeServerStream method that takes an ACL

Approved API proposal: dotnet/corefx#41657

We don't currently have a way to create a pipe with a given ACL in .NET Core. We can modify the ACL, but it would be more secure to have the proper ACL on the pipe from the start.

This PR adds a new static class and method that can create an NamedPipeServerStream taking a PipeSecurity object, reusing code that can already perform this task.

Author: carlossanlop

src/libraries/System.IO.Pipes.AccessControl/ref/System.IO.Pipes.AccessControl.cs

@@ -71,4 +71,9 @@ public static class AnonymousPipeServerStreamAcl
     {
         public static System.IO.Pipes.AnonymousPipeServerStream Create(System.IO.Pipes.PipeDirection direction, System.IO.HandleInheritability inheritability, int bufferSize, System.IO.Pipes.PipeSecurity pipeSecurity) { throw null; }
     }
+
+    public static class NamedPipeServerStreamAcl
+    {
+        public static System.IO.Pipes.NamedPipeServerStream Create(string pipeName, System.IO.Pipes.PipeDirection direction, int maxNumberOfServerInstances, System.IO.Pipes.PipeTransmissionMode transmissionMode, System.IO.Pipes.PipeOptions options, int inBufferSize, int outBufferSize, System.IO.Pipes.PipeSecurity pipeSecurity, System.IO.HandleInheritability inheritability = System.IO.HandleInheritability.None, System.IO.Pipes.PipeAccessRights additionalAccessRights = default) { throw null; }
+    }
 }

src/libraries/System.IO.Pipes.AccessControl/tests/AnonymousPipeTests/AnonymousPipeServerStreamAclTests.cs

@@ -8,10 +8,6 @@ namespace System.IO.Pipes.Tests
 {
     public class AnonymousPipeServerStreamAclTests : PipeServerStreamAclTestBase
     {
-        private const PipeDirection DefaultPipeDirection = PipeDirection.In;
-        private const HandleInheritability DefaultInheritability = HandleInheritability.None;
-        private const int DefaultBufferSize = 1;
-
         [Fact]
         public void Create_NullSecurity()
         {
@@ -28,10 +24,7 @@ public void Create_NotSupportedPipeDirection()
         }
 
         [Theory]
-        [InlineData((PipeDirection)(int.MinValue))]
-        [InlineData((PipeDirection)0)]
-        [InlineData((PipeDirection)4)]
-        [InlineData((PipeDirection)(int.MaxValue))]
+        [MemberData(nameof(Create_InvalidPipeDirection_MemberData))]
         public void Create_InvalidPipeDirection(PipeDirection direction)
         {
             Assert.Throws<ArgumentOutOfRangeException>(() =>
@@ -41,10 +34,7 @@ public void Create_InvalidPipeDirection(PipeDirection direction)
         }
 
         [Theory]
-        [InlineData((HandleInheritability)(int.MinValue))]
-        [InlineData((HandleInheritability)(-1))]
-        [InlineData((HandleInheritability)2)]
-        [InlineData((HandleInheritability)(int.MaxValue))]
+        [MemberData(nameof(Create_InvalidInheritability_MemberData))]
         public void Create_InvalidInheritability(HandleInheritability inheritability)
         {
             Assert.Throws<ArgumentOutOfRangeException>(() =>
@@ -54,8 +44,7 @@ public void Create_InvalidInheritability(HandleInheritability inheritability)
         }
 
         [Theory]
-        [InlineData(int.MinValue)]
-        [InlineData(-1)]
+        [MemberData(nameof(Create_InvalidBufferSize_MemberData))]
         public void Create_InvalidBufferSize(int bufferSize)
         {
             Assert.Throws<ArgumentOutOfRangeException>(() =>
@@ -66,7 +55,7 @@ public void Create_InvalidBufferSize(int bufferSize)
 
         public static IEnumerable<object[]> Create_ValidParameters_MemberData() =>
             from direction in new[] { PipeDirection.In, PipeDirection.Out }
-            from inheritability in Enum.GetValues(typeof(HandleInheritability)).Cast<HandleInheritability>()
+            from inheritability in new[] { HandleInheritability.None, HandleInheritability.Inheritable }
             from bufferSize in new[] { 0, 1 }
             select new object[] { direction, inheritability, bufferSize };
 
@@ -78,7 +67,7 @@ public void Create_ValidParameters(PipeDirection direction, HandleInheritability
         }
 
         public static IEnumerable<object[]> Create_CombineRightsAndAccessControl_MemberData() =>
-            from rights in Enum.GetValues(typeof(PipeAccessRights)).Cast<PipeAccessRights>()
+            from rights in s_combinedPipeAccessRights
             from accessControl in new[] { AccessControlType.Allow, AccessControlType.Deny }
             select new object[] { rights, accessControl };
 
@@ -87,22 +76,13 @@ from rights in Enum.GetValues(typeof(PipeAccessRights)).Cast<PipeAccessRights>()
         [MemberData(nameof(Create_CombineRightsAndAccessControl_MemberData))]
         public void Create_CombineRightsAndAccessControl(PipeAccessRights rights, AccessControlType accessControl)
         {
-            // These are the two cases that create a valid pipe when using Allow
-            if ((rights == PipeAccessRights.FullControl || rights == PipeAccessRights.ReadWrite) &&
-                accessControl == AccessControlType.Allow)
+            // These are the only two rights that allow creating a pipe when using Allow
+            if (accessControl == AccessControlType.Allow &&
+                (rights == PipeAccessRights.FullControl || rights == PipeAccessRights.ReadWrite))
             {
                 VerifyValidSecurity(rights, accessControl);
             }
-            // When creating the PipeAccessRule for the PipeSecurity, the PipeAccessRule constructor calls AccessMaskFromRights, which explicilty removes the Synchronize bit from rights when AccessControlType is Deny
-            // and rights is not FullControl, so using Synchronize with Deny is not allowed
-            else  if (rights == PipeAccessRights.Synchronize && accessControl == AccessControlType.Deny)
-            {
-                Assert.Throws<ArgumentException>("accessMask", () =>
-                {
-                    PipeSecurity security = GetPipeSecurity(WellKnownSidType.BuiltinUsersSid, PipeAccessRights.Synchronize, AccessControlType.Deny);
-                });
-            }
-            // Any other case is not authorized
+            // Any other combination is not authorized
             else
             {
                 PipeSecurity security = GetPipeSecurity(WellKnownSidType.BuiltinUsersSid, rights, accessControl);
@@ -113,11 +93,12 @@ public void Create_CombineRightsAndAccessControl(PipeAccessRights rights, Access
             }
         }
 
-        [Theory]
-        [InlineData(PipeAccessRights.ReadWrite | PipeAccessRights.Synchronize, AccessControlType.Allow)]
-        public void Create_ValidBitwiseRightsSecurity(PipeAccessRights rights, AccessControlType accessControl)
+        [Fact]
+        public void Create_ValidBitwiseRightsSecurity()
         {
-            VerifyValidSecurity(rights, accessControl);
+            // Synchronize gets removed from the bitwise combination,
+            // but ReadWrite (an allowed right) should remain untouched
+            VerifyValidSecurity(PipeAccessRights.ReadWrite | PipeAccessRights.Synchronize, AccessControlType.Allow);
         }
 
         private void VerifyValidSecurity(PipeAccessRights rights, AccessControlType accessControl)