}

    /**
     * Returns true if this ACE is an inherited ACE and false if it is a direct ACE.
     * <p>
     * Note: For reasons not fully understood, <code>FLAGS_INHERITED</code> may
     * not be set within all security descriptors even though the ACE was in
     * face inherited. If an inherited ACE is added to a parent the Windows
     * ACL editor will rebuild all children ACEs and set this flag accordingly.

     *
     * @return whether this is an inherited ACE
     */
    boolean isInherited();

    /**
     * Returns true if this ACE is an allow ACE and false if it is a deny ACE.
     *
     * @return whether this in an allow ACE
     */
    boolean isAllow();

 * available online).
 * <p>
 * Direct ACEs are evaluated first in order. The SID of the user performing
 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

          "type":       "stemmer_override",
          "rules": []
        },
        "romanian_stop": {
          "type":       "stop",

            int[] accessConstants = { ACE.FILE_READ_DATA, ACE.FILE_WRITE_DATA, ACE.FILE_APPEND_DATA, ACE.FILE_READ_EA, ACE.FILE_WRITE_EA,
                    ACE.FILE_EXECUTE, ACE.FILE_DELETE, ACE.FILE_READ_ATTRIBUTES, ACE.FILE_WRITE_ATTRIBUTES, ACE.DELETE, ACE.READ_CONTROL,
                    ACE.WRITE_DAC, ACE.WRITE_OWNER, ACE.SYNCHRONIZE, ACE.GENERIC_ALL, ACE.GENERIC_EXECUTE, ACE.GENERIC_WRITE,
                    ACE.GENERIC_READ };

                final Set<SID> sidDenySet = new HashSet<>();
                for (final ACE ace : aces) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("ACE:{}", ace);
                    }
                    processAllowedSIDs(file, ace.getSID(), ace.isAllow() ? sidAllowSet : sidDenySet);
                }

            // Then
            assertNotNull(security1, "Security ACEs should not be null");
            assertNotNull(security2, "Security ACEs with resolve should not be null");
            assertNotNull(shareSecurity, "Share security ACEs should not be null");
            assertEquals(1, security1.length, "Should return expected number of ACEs");

            }

            this.aces = new ACE[numAces];
            for (int i = 0; i < numAces; i++) {
                this.aces[i] = new ACE();
                bufferIndex += this.aces[i].decode(buffer, bufferIndex, len - bufferIndex);
            }
        } else {
            this.aces = null;
        }

        return bufferIndex - start;
    }

                throw new IOException("Invalid SecurityDescriptor");
            }

            aces = new ACE[numAces];
            for (int i = 0; i < numAces; i++) {
                aces[i] = new ACE();
                bufferIndex += aces[i].decode(buffer, bufferIndex);
            }
        } else {
            aces = null;
        }

        return bufferIndex - start;
    }

    @Override

    @DisplayName("Test getAces returns correct ACE array")
    void testGetAces() throws SMBProtocolDecodingException {
        prepareSecurityDescriptorBufferWithDACL(testBuffer, 0, 3);

        securityDescriptor.decode(testBuffer, 0, testBuffer.length);

        ACE[] aces = securityDescriptor.getAces();
        assertNotNull(aces);
        assertEquals(3, aces.length);
        for (ACE ace : aces) {
            assertNotNull(ace);