public static async Task <JsonDocument> SetACEforRepoAsync(Url organization, string token, string groupSecDescriptor, long allowMask, long denyMask, string pat)
{
var ace = new ACE()
{
token = token,
merge = true,
accessControlEntries = new Accesscontrolentry[] {
new Accesscontrolentry()
{
allow = allowMask, deny = denyMask, descriptor = groupSecDescriptor, extendedInfo = new Extendedinfo()
{
effectiveAllow = allowMask,
effectiveDeny = denyMask,
inheritedAllow = allowMask,
inheritedDeny = denyMask
}
}
}
};
// https://{{coreServer}}/{{organization}}/_apis/AccessControlEntries/{{securityNamespaceId}}api-version={{api-version}}
var queryResponse = await $"{organization}"
.AppendPathSegment($"_apis/AccessControlEntries")
.AppendPathSegment(Constants.SecurityNamespaceGitRepo)
.SetQueryParam("api-version", Constants.APIVERSION)
.WithBasicAuth(string.Empty, pat)
.PostJsonAsync(ace);
return(JsonDocument.Parse(await queryResponse.ResponseMessage.Content.ReadAsStringAsync()));
}
public static void SelectionChangedRightsCombobox()
{
var selected = ((ComboBoxItem)MW.CmbxRightsType.SelectedItem).Content as string;
MW.RightsList.Clear();
foreach (var r in new List <string> {
"GA", "GX", "GW", "GR", "SD", "RC", "WD", "WO"
})
{
MW.RightsList.Add(new BoolStringClass(ACE.RigthToLong(r), r));
}
switch (selected)
{
case "Service Access Rights":
foreach (var r in new List <string> {
"CC", "DC", "LC", "DW", "RP", "WP", "DT", "LO", "CR"
})
{
MW.RightsList.Add(new BoolStringClass(ACE.RigthToLong(r, 0), r));
}
break;
case "Directory Access Rights":
foreach (var r in new List <string> {
"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR"
})
{
MW.RightsList.Add(new BoolStringClass(ACE.RigthToLong(r, 1), r));
}
break;
case "File Access Rights":
foreach (var r in new List <string> {
"CC", "DC", "LC", "SW", "RP", "WP", "LO", "CR", "FA", "FR", "FW", "FX"
})
{
MW.RightsList.Add(new BoolStringClass(ACE.RigthToLong(r, 2), r));
}
break;
case "File and Directory Access Rights":
foreach (var r in new List <string> {
"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "FA", "FR", "FW", "FX"
})
{
MW.RightsList.Add(new BoolStringClass(ACE.RigthToLong(r, 3), r));
}
break;
case "Registry Key Access Rights":
foreach (var r in new List <string> {
"CC", "DC", "LC", "SW", "RP", "WP", "KA", "KR", "KW", "KX"
})
{
MW.RightsList.Add(new BoolStringClass(ACE.RigthToLong(r, 4), r));
}
break;
}
TextChangedContentEdit();
}
internal void SetFileSecurityReadWriteGroups(string[] writeACLGroups, long masterID, out string missingACLGroup)
{
missingACLGroup = string.Empty;
try
{
AccessPermis readAccessPermission = new AccessPermis();
readAccessPermission.Id = 1;
readAccessPermission.Val = true;
AccessPermis writeAccessPermission = new AccessPermis();
writeAccessPermission.Id = 2;
writeAccessPermission.Val = true;
foreach (var aclGroup in writeACLGroups)
{
Group group = _webServiceManager.AdminService.GetGroupByName(aclGroup);
if (group != null)
{
ACE ace = new ACE();
ace.UserGrpId = group.Id;
ace.PermisArray = new AccessPermis[] { readAccessPermission, writeAccessPermission };
ACE[] aces = new ACE[1];
ACL myAcl = _webServiceManager.SecurityService.AddSystemACL(aces);
_webServiceManager.SecurityService.SetSystemACLs(new long[] { masterID }, myAcl.Id);
}
else
{
missingACLGroup = aclGroup;
return;
}
}
}
catch (Exception ex)
{
throw (ex);
}
}
public virtual List <object> GetACEDisplayName(HttpContext context)
{
YZRequest request = new YZRequest(context);
List <object> rv = new List <object>();
JsonSerializer serializer = new JsonSerializer();
StreamReader reader = new StreamReader(context.Request.InputStream);
using (JsonTextReader streamReader = new JsonTextReader(reader))
{
JArray @params = serializer.Deserialize(streamReader) as JArray;
using (BPMConnection cn = new BPMConnection())
{
cn.WebOpen();
foreach (JObject jAce in @params)
{
ACE ace = jAce.ToObject <ACE>(serializer);
rv.Add(new {
DisplayName = ace.GetSIDDisplayName(cn)
});
}
}
}
return(rv);
}
private static TreeViewItem ACEToTreeViewItem(ACE ace, int rightsType, bool translateSID)
{
var rv = new TreeViewItem {
Header = SecurityDescriptor.SIDToLong(ace.GetSID(), translateSID)
};
rv.Items.Clear();
foreach (var right in ace.GetAllRights())
{
rv.Items.Add(ACE.RigthToLong(right, rightsType));
}
return(rv);
}
private static void PrintACE(string indent, ACE ace)
{
AwesomeConsole.Write(indent + SingleIndent + "SID: ");
PrintSID(ace.SID);
AwesomeConsole.WriteLine();
AwesomeConsole.Write(indent + SingleIndent + SingleIndent + "Access: ");
PrintEnums(ace.AccessMask);
AwesomeConsole.WriteLine();
AwesomeConsole.WriteLine(indent + SingleIndent + SingleIndent + "Type : " + ace.Type);
AwesomeConsole.Write(indent + SingleIndent + SingleIndent + "Flags : ");
PrintEnums(ace.Flags);
AwesomeConsole.WriteLine();
}
public static string GetHelperText(string line, int rightsType, out Tuple <string, string, TreeViewItem[]> details, bool translateSID)
{
var sd = new SecurityDescriptor(line);
if (sd.IsOk)
{
var lSIDs = sd.GetAllSIDs();
var lRights = sd.GetAllRights();
var sb = new StringBuilder();
if (lSIDs.Count != 0)
{
sb.AppendLine();
sb.AppendLine("SIDs:");
sb.AppendLine("-----");
foreach (var lSID in lSIDs)
{
sb.AppendLine(SecurityDescriptor.SIDToLong(lSID, translateSID));
}
sb.AppendLine("-----");
}
if (lRights.Count != 0)
{
sb.AppendLine();
sb.AppendLine("Rights (" + ACE.RightType(rightsType) + "):");
sb.AppendLine("-----");
foreach (var lRight in lRights)
{
sb.AppendLine(ACE.RigthToLong(lRight, rightsType));
}
sb.AppendLine("-----");
}
var aces = sd.GetACEs();
var treeElements = new TreeViewItem[aces.Count];
for (var i = 0; i < aces.Count; i++)
{
treeElements[i] = ACEToTreeViewItem(aces[i], rightsType, translateSID);
}
details = new Tuple <string, string, TreeViewItem[]>(sd.GetOwner(), sd.GetGroup(), treeElements);
return(sb.ToString());
}
details = new Tuple <string, string, TreeViewItem[]>("", "", new TreeViewItem[0]);
return(string.Empty);
}
public virtual object GetLoginUserACEInfo(HttpContext context)
{
YZRequest request = new YZRequest(context);
string uid = YZAuthHelper.LoginUserAccount;
using (BPMConnection cn = new BPMConnection())
{
cn.WebOpen();
User user = User.FromAccount(cn, uid);
ACE ace = new ACE();
ace.SIDType = SIDType.UserSID;
ace.SID = user.SID;
return(new {
SID = user.SID,
DisplayName = ace.GetSIDDisplayName(cn)
});
}
}
private static void DecodeAclEntries(List <ACE> DecodedACL, RawAcl acl, Dictionary <uint, string> rights)
{
foreach (var ace in acl)
{
var DecodedACE = new ACE();
var knownAce = ace as KnownAce;
if (knownAce != null)
{
DecodedACE.Trustee = knownAce.SecurityIdentifier.Value;
DecodedACE.AccessType = knownAce.AceType > AceType.MaxDefinedAceType
? "Custom Access"
: knownAce.AceType.ToString();
if (knownAce.AceFlags != AceFlags.None)
{
DecodedACE.AuditRights = knownAce.AceFlags.ToString();
}
var mask = unchecked ((uint)knownAce.AccessMask);
foreach (var r in rights.Keys)
{
if ((mask & r) == r)
{
DecodedACE.Permissions.Add(rights[r]);
}
}
}
else
{
throw new Exception("Not a known ACE Structure");
}
DecodedACL.Add(DecodedACE);
}
}
bool CreateKeyDescriptor(IntPtr pOldSD, ACCOUNT_PERM Account, ref MEM_DATA MemData)
{
// reconstruct security descriptor
bool bDefault = false;
bool bPresent = false;
int iControlBits = 0;
int iControlSet = 0;
int iDomain = 0;
int iFlag = 0;
int iLength = 0;
int iRevision = 0;
int iSidLen = 0;
int iTotal = 0;
int iUse = 0;
StringBuilder sDomain = new StringBuilder(256);
IntPtr pNewACL = IntPtr.Zero;
IntPtr pAcl = IntPtr.Zero;
IntPtr pSid = IntPtr.Zero;
IntPtr pPnt = IntPtr.Zero;
ACL_SIZE_INFORMATION tAclSize = new ACL_SIZE_INFORMATION();
ACL tTempACL = new ACL();
ACE tTempAce = new ACE();
try
{
MemData.pAcl = IntPtr.Zero;
MemData.pSd = IntPtr.Zero;
// get size
pSid = LocalAlloc(LMEM_INITIALIZED, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (pSid == IntPtr.Zero)
{
return false;
}
// store pointer
MemData.pSd = pSid;
// init descriptor
if (InitializeSecurityDescriptor(pSid, SECURITY_DESCRIPTOR_REVISION) == 0)
{
return false;
}
// check for existing sd
if (pOldSD != IntPtr.Zero)
{
if (GetSecurityDescriptorDacl(pOldSD, out bPresent, ref pAcl, out bDefault) == true)
{
// extract dacl
if ((bPresent == true) && (pAcl != IntPtr.Zero))
{
if (GetAclInformation(pAcl, ref tAclSize, Marshal.SizeOf(tAclSize), ACL_INFORMATION_CLASS.AclSizeInformation) == false)
{
return false;
}
else
{
iTotal = tAclSize.AclBytesInUse;
}
}
else
{
iTotal = Marshal.SizeOf(tTempACL);
}
}
else
{
return false;
}
}
// allocate sid //
// get callers sid
if (Account.pSid == IntPtr.Zero)
{
iDomain = 256;
// get size
LookupAccountName(null, Account.AccountName, IntPtr.Zero, ref iSidLen, sDomain, ref iDomain, out iUse);
Account.pSid = LocalAlloc(LMEM_INITIALIZED, iSidLen);
if (Account.pSid == IntPtr.Zero)
{
return false;
}
// get the sid
if (LookupAccountName(null, Account.AccountName, Account.pSid, ref iSidLen, sDomain, ref iDomain, out iUse) == false)
{
return false;
}
}
// ace buffer
iLength = (Marshal.SizeOf(tTempAce) + GetLengthSid(Account.pSid)) - 4;
iTotal += iLength;
pNewACL = LocalAlloc(LMEM_INITIALIZED, iTotal);
if (pNewACL == IntPtr.Zero)
{
return false;
}
// store pointer
MemData.pAcl = pNewACL;
// init acl
if (InitializeAcl(pNewACL, iTotal, ACL_REVISION) == false)
{
return false;
}
// build dacl in sequence
if (Account.AceType == ACCESS_DENIED_ACE_TYPE)
{
if (BuildACE(pNewACL, Account.AceType, Account.AceFlags, Account.AccessMask, Account.pSid) == false)
{
return false;
}
}
// copy non-inherited ace
if ((bPresent == true) && (pAcl != IntPtr.Zero) && (tAclSize.AceCount > 0))
{
// combine old and new ACE entries
for (int count = 0; count < tAclSize.AceCount; count++)
{
// next ace
GetAce(pAcl, count, out pPnt);
if (pPnt == IntPtr.Zero)
{
return false;
}
RtlMoveMemory(ref tTempAce, pPnt, Marshal.SizeOf(tTempAce));
// exit on inherited ace
if (((int)tTempAce.Header.AceFlags & INHERITED_ACE) == INHERITED_ACE)
{
break;
}
int x = (int)pPnt + 8;
IntPtr pPt = new IntPtr(x);
// check ace value
if (!SidIsEqual(Account.pSid, pPt))
{
// add ace
AddAce(pNewACL, ACL_REVISION, MAXDWORD, pPnt, tTempAce.Header.AceSize);
}
}
}
// add explicit permit
if (Account.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
BuildACE(pNewACL, Account.AceType, Account.AceFlags, Account.AccessMask, Account.pSid);
}
// enties with inheritence flag
if ((bPresent == true) && (pAcl != IntPtr.Zero) && (tAclSize.AceCount > 0))
{
for (int count = 0; count < tAclSize.AceCount; count++)
{
GetAce(pAcl, count, out pPnt);
RtlMoveMemory(ref tTempAce, pPnt, Marshal.SizeOf(tTempAce));
AddAce(pNewACL, ACL_REVISION, MAXDWORD, pPnt, tTempAce.Header.AceSize);
}
}
// descriptor flags
if (pOldSD != IntPtr.Zero)
{
if (GetSecurityDescriptorControl(pOldSD, out iFlag, out iRevision) != 0)
{
if ((iFlag & SE_DACL_AUTO_INHERITED) == SE_DACL_AUTO_INHERITED)
{
iControlBits = SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED;
iControlSet = iControlBits;
}
else if ((iFlag & SE_DACL_PROTECTED) == SE_DACL_PROTECTED)
{
iControlBits = SE_DACL_PROTECTED;
iControlSet = iControlBits;
}
if (iControlSet != 0)
{
SetSecurityDescriptorControl(pSid, iControlBits, iControlSet);
}
}
}
// add dacl
return SetSecurityDescriptorDacl(pSid, 1, pNewACL, 0);
}
finally
{
if (Account.pSid != IntPtr.Zero)
{
LocalFree(Account.pSid);
Account.pSid = IntPtr.Zero;
}
}
}
bool BuildACE(IntPtr lAclId, byte bType, byte bFlags, uint lMask, IntPtr lPointer)
{
// build an ace entry
int iAceLen = 0;
int iSidLen = 0;
IntPtr pAce = IntPtr.Zero;
ACE tTempAce = new ACE();
try
{
// get len
iSidLen = GetLengthSid(lPointer);
iAceLen = Marshal.SizeOf(tTempAce) + iSidLen - 4;
// allocate space
pAce = LocalAlloc(LMEM_INITIALIZED, iAceLen);
if (pAce != IntPtr.Zero)
{
// ace struct
tTempAce.Header = new ACE_HEADER();
tTempAce.Header.AceType = bType;
tTempAce.Header.AceFlags = bFlags;
tTempAce.Header.AceSize = (short)iAceLen;
tTempAce.Mask = (int)lMask;
// copy to buffer
int dDt = (int)pAce + 8;
IntPtr pDt = new IntPtr(dDt);
RtlMoveMemory(pAce, ref tTempAce, Marshal.SizeOf(tTempAce));
RtlMoveMemory(pDt, lPointer, iSidLen);
// add to acl
return AddAce(lAclId, ACL_REVISION, MAXDWORD, pAce, iAceLen);
}
return false;
}
finally
{
if (pAce != IntPtr.Zero)
{
LocalFree(pAce);
}
}
}
static extern void RtlMoveMemory(IntPtr dest, ref ACE src, int size);
static extern void RtlMoveMemory(ref ACE dest, IntPtr src, int size);
/// <summary>
/// Конструктор по умолчанию.
/// </summary>
public ACEitem()
{
ACE = new ACE();
}
