public void AddRole(string principal, string role, string adObject)
{
String id = null;
String domain = DirectoryServices.GetDomain(principal, out id);
Principal p = DirectoryServices.GetPrincipal(id, domain);
DirectoryEntry target = DirectoryServices.GetDirectoryEntry(adObject);
if (p == null)
{
throw new AdException($"Principal [{principal}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
else if (target == null)
{
throw new AdException($"Target [{adObject}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
if (Roles.ContainsKey(role))
{
DirectoryServices.AddAccessRule(target, p, Roles[role].AdRights, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.All);
}
else
{
throw new AdException($"Role [{role}] Does Not Exist.", AdStatusType.DoesNotExist);
}
}
public void Core_AddRuleBadUser()
{
// Get User That Does Not Exist
String userName = $"testuser_{Utility.GenerateToken( 8 )}";
String userDistinguishedName = $"CN={userName},{workspaceName}";
Console.WriteLine($"Adding AccessRule For User [{userName}] Which Should Not Exist To User [{user.Name}].");
AdException ex = Assert.Throws <AdException>(() => DirectoryServices.AddAccessRule(user.Name, userName, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None));
Console.WriteLine($"Exception Message : {ex.Message}");
Assert.That(ex.Message, Contains.Substring("Can Not Be Found"));
}
public void Core_AddRuleBadTarget()
{
// Get OrgUnit That Does Not Exist
String ouName = $"testou_{Utility.GenerateToken( 8 )}";
String ouDistinguishedName = $"GW={ouName},{workspaceName}";
GroupPrincipal group = Utility.CreateGroup(workspaceName);
Console.WriteLine($"Adding AccessRule For Group [{group.Name}] To OrgUnit [{ouName}] Which Should Not Exist.");
AdException ex = Assert.Throws <AdException>(() => DirectoryServices.AddAccessRule(ouName, group.Name, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None));
Console.WriteLine($"Exception Message : {ex.Message}");
Assert.That(ex.Message, Contains.Substring("Can Not Be Found"));
}
public void Core_AddRuleBadUser()
{
// Get Group That Does Not Exist
String groupName = $"testgroup_{Utility.GenerateToken( 8 )}";
String groupDistinguishedName = $"CN={groupName},{workspaceName}";
String testOuName = $"ou=TestOrgUnit001,{workspaceName}";
DirectoryServices.CreateOrganizationUnit(testOuName, null);
DirectoryEntryObject ouo = DirectoryServices.GetOrganizationalUnit(testOuName, false, true, false);
Console.WriteLine($"Adding AccessRule For Group [{groupName}] Which Should Not Exist To OrgUnit [{ouo.DistinguishedName}].");
AdException ex = Assert.Throws <AdException>(() => DirectoryServices.AddAccessRule(ouo.DistinguishedName, groupName, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None));
Console.WriteLine($"Exception Message : {ex.Message}");
Assert.That(ex.Message, Contains.Substring("Can Not Be Found"));
DirectoryServices.DeleteOrganizationUnit(ouo.DistinguishedName);
}
public void Core_OrgUnitTestSuccess()
{
// Setup Test
String name = $"testou_{Utility.GenerateToken( 8 )}";
String distinguishedName = $"OU={name},{workspaceName}";
Dictionary <string, List <string> > properties = new Dictionary <string, List <string> >();
DirectoryServices.AddProperty(properties, "description", "Test OU");
// Create OrgUnit
Console.WriteLine($"Creating OrgUnit : [{distinguishedName}]");
DirectoryServices.CreateOrganizationUnit(distinguishedName, properties);
// Get OrgUnit By DistinguishedName
Console.WriteLine($"Getting OrgUnit By DisginguishedName : [{distinguishedName}]");
DirectoryEntryObject ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, true, true, false);
Assert.That(ouo, Is.Not.Null);
String guid = ouo.Guid.ToString();
// Get OrgUnit By Name
Console.WriteLine($"Getting OrgUnit By Name : [{name}]");
ouo = DirectoryServices.GetOrganizationalUnit(name, false, false, false);
Assert.That(ouo, Is.Not.Null);
// Get OrgUnit By Name
Console.WriteLine($"Getting OrgUnit By Guid : [{guid}]");
ouo = DirectoryServices.GetOrganizationalUnit(guid, false, true, false);
Assert.That(ouo, Is.Not.Null);
Assert.That(ouo.Properties.ContainsKey("description"), Is.True);
// Modify OrgUnit
DirectoryServices.AddProperty(properties, "description", "~null~", true);
DirectoryServices.ModifyOrganizationUnit(distinguishedName, properties);
ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, true, false);
Assert.That(ouo.Properties.ContainsKey("description"), Is.False);
// Create AccessUser For AccessRule Tests (Below)
DirectoryEntry orgUnit = DirectoryServices.GetDirectoryEntry(distinguishedName);
UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName);
int ruleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
// Add Access Rule To OrgUnit
Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To OrgUnit [{orgUnit.Name}].");
DirectoryServices.AddAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
int newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Removing Access Rule From OrgUnit
Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}].");
DirectoryServices.DeleteAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Seting Access Rule From OrgUnit
Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On OrgUnit [{orgUnit.Name}].");
DirectoryServices.SetAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Purge Access Rule From OrgUnit
Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}].");
DirectoryServices.PurgeAccessRules(orgUnit, accessRuleUser);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Delete AccessRule User
Utility.DeleteUser(accessRuleUser.DistinguishedName);
// Delete OrgUnit
Console.WriteLine($"Deleting OrgUnit : [{distinguishedName}]");
DirectoryServices.DeleteOrganizationUnit(distinguishedName);
ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, false, false);
Assert.That(ouo, Is.Null);
}
public void Core_UserTestSuccess()
{
// Get User By Distinguished Name
Console.WriteLine($"Getting User By DisginguishedName : [{user.DistinguishedName}]");
UserPrincipalObject upo = DirectoryServices.GetUser(user.DistinguishedName, true, true, true);
Assert.That(upo.DistinguishedName, Is.EqualTo(user.DistinguishedName));
String userName = upo.Name;
String userPrincipalName = upo.UserPrincipalName;
String userSamAccountName = upo.SamAccountName;
Guid? userGuid = upo.Guid;
String userSid = upo.Sid;
// Get User By Name
Console.WriteLine($"Getting User By Name: [{userName}]");
upo = DirectoryServices.GetUser(userName, true, true, true);
Assert.That(upo.Name, Is.EqualTo(userName));
// Get User By UserPrincipalName
Console.WriteLine($"Getting User By UserPrincipalName: [{userPrincipalName}]");
upo = DirectoryServices.GetUser(userPrincipalName, true, true, true);
Assert.That(upo.UserPrincipalName, Is.EqualTo(userPrincipalName));
// Get User By SamAccountName
Console.WriteLine($"Getting User By SamAccountName : [{userSamAccountName}]");
upo = DirectoryServices.GetUser(userSamAccountName, true, true, true);
Assert.That(upo.SamAccountName, Is.EqualTo(userSamAccountName));
// Get User By Guid
Console.WriteLine($"Getting User By Guid : [{userGuid}]");
upo = DirectoryServices.GetUser(userGuid.ToString(), true, true, true);
Assert.That(upo.Guid, Is.EqualTo(userGuid));
// Get User By Sid
Console.WriteLine($"Getting User By Sid : [{userSid}]");
upo = DirectoryServices.GetUser(userSid, true, true, true);
Assert.That(upo.Sid, Is.EqualTo(userSid));
// Modify User
Console.WriteLine($"Modifying User : [{userName}]");
UserPrincipal up = DirectoryServices.GetUserPrincipal(userName);
up.DisplayName = "Guy Michael Waguespack";
up.GivenName = "Guy";
up.MiddleName = "Michael";
up.Surname = "Waguespack";
DirectoryServices.SaveUser(up);
upo = DirectoryServices.GetUser(userName, false, false, false);
Assert.That(upo.DisplayName, Is.EqualTo("Guy Michael Waguespack"));
Assert.That(upo.GivenName, Is.EqualTo("Guy"));
Assert.That(upo.MiddleName, Is.EqualTo("Michael"));
Assert.That(upo.Surname, Is.EqualTo("Waguespack"));
// Create AccessUser For AccessRule Tests (Below)
UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName);
int ruleCount = DirectoryServices.GetAccessRules(user).Count;
// Add Access Rule To User
Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To User [{user.Name}].");
DirectoryServices.AddAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
int newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Removing Access Rule From User
Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From User [{user.Name}].");
DirectoryServices.DeleteAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Seting Access Rule From User
Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On User [{user.Name}].");
DirectoryServices.SetAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Purge Access Rule From User
Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From User [{user.Name}].");
DirectoryServices.PurgeAccessRules(user, accessRuleUser);
newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Delete AccessRule User
Utility.DeleteUser(accessRuleUser.DistinguishedName);
}
private void ProcessAccessRules(AdObject obj, bool returnObject = false)
{
ActiveDirectoryObjectResult result = new ActiveDirectoryObjectResult()
{
Type = obj.Type,
Identity = obj.Identity
};
ActiveDirectoryStatus status = new ActiveDirectoryStatus()
{
Action = config.Action,
Status = AdStatusType.Success,
Message = "Success",
};
try
{
roleManager.CanPerformActionOrException(requestUser, config.Action, obj.Identity);
// Get Target DirectoryEntry For Rules
DirectoryEntry de = null;
if (obj.Type == AdObjectType.User || obj.Type == AdObjectType.Group)
{
Principal principal = DirectoryServices.GetPrincipal(obj.Identity);
if (principal == null)
{
throw new AdException($"Principal [{obj.Identity}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
else if (principal.GetUnderlyingObjectType() == typeof(DirectoryEntry))
{
de = (DirectoryEntry)principal.GetUnderlyingObject();
}
else
{
throw new AdException($"AddAccessRule Not Available For Object Type [{principal.GetUnderlyingObjectType()}]", AdStatusType.NotSupported);
}
}
else
{
de = DirectoryServices.GetDirectoryEntry(obj.Identity);
if (de == null)
{
throw new AdException($"DirectoryEntry [{obj.Identity}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
}
// Add Rules To Target DirectoryEntry
foreach (AdAccessRule rule in obj.AccessRules)
{
String message = String.Empty;
switch (config.Action)
{
case ActionType.AddAccessRule:
DirectoryServices.AddAccessRule(de, rule.Identity, rule.Rights, rule.Type);
message = $"{rule.Type} [{rule.Rights}] Rule Added To {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
case ActionType.RemoveAccessRule:
DirectoryServices.DeleteAccessRule(de, rule.Identity, rule.Rights, rule.Type);
message = $"{rule.Type} [{rule.Rights}] Rule Deleted From {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
case ActionType.SetAccessRule:
DirectoryServices.SetAccessRule(de, rule.Identity, rule.Rights, rule.Type);
message = $"{rule.Type} [{rule.Rights}] Rule Set On {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
case ActionType.PurgeAccessRules:
DirectoryServices.PurgeAccessRules(de, rule.Identity);
message = $"All Rules Purged On {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
default:
throw new AdException("Action [" + config.Action + "] Not Implemented For Type [" + obj.Type + "]", AdStatusType.NotSupported);
}
result.Statuses.Add(status);
OnLogMessage("ProcessAccessRules", message);
}
if (returnObject)
{
result.Object = GetActiveDirectoryObject(obj);
}
}
catch (AdException ex)
{
ProcessActiveDirectoryException(result, ex, status.Action);
}
catch (Exception e)
{
OnLogMessage("ProcessDelete", e.Message);
OnLogMessage("ProcessDelete", e.StackTrace);
AdException le = new AdException(e);
ProcessActiveDirectoryException(result, le, status.Action);
}
results.Add(result);
}
public void Core_GroupTestSuccess()
{
// Get Group By Distinguished Name
Console.WriteLine($"Getting Group By DisginguishedName : [{group.DistinguishedName}]");
GroupPrincipalObject gpo = DirectoryServices.GetGroup(group.DistinguishedName, true, true, true);
Assert.That(gpo.DistinguishedName, Is.EqualTo(group.DistinguishedName));
String groupName = gpo.Name;
String groupSamAccountName = gpo.SamAccountName;
Guid? groupGuid = gpo.Guid;
String groupSid = gpo.Sid;
// Get Group By Name
Console.WriteLine($"Getting Group By Name: [{groupName}]");
gpo = DirectoryServices.GetGroup(groupName, true, true, true);
Assert.That(gpo.Name, Is.EqualTo(groupName));
// Get Group By SamAccountName
Console.WriteLine($"Getting Group By SamAccountName : [{groupSamAccountName}]");
gpo = DirectoryServices.GetGroup(groupSamAccountName, true, true, true);
Assert.That(gpo.SamAccountName, Is.EqualTo(groupSamAccountName));
// Get Group By Guid
Console.WriteLine($"Getting Group By Guid : [{groupGuid}]");
gpo = DirectoryServices.GetGroup(groupGuid.ToString(), true, true, true);
Assert.That(gpo.Guid, Is.EqualTo(groupGuid));
// Get Group By Sid
Console.WriteLine($"Getting Group By Sid : [{groupSid}]");
gpo = DirectoryServices.GetGroup(groupSid, true, true, true);
Assert.That(gpo.Sid, Is.EqualTo(groupSid));
// Modify Group
Console.WriteLine($"Modifying Group : [{groupName}]");
GroupPrincipal gp = DirectoryServices.GetGroupPrincipal(groupName);
gp.DisplayName = "Unit Test Group";
gp.Description = "Unit Test Description";
DirectoryServices.SaveGroup(gp);
gpo = DirectoryServices.GetGroup(groupName, false, false, false);
Assert.That(gpo.DisplayName, Is.EqualTo("Unit Test Group"));
Assert.That(gpo.Description, Is.EqualTo("Unit Test Description"));
// Create AccessUser For AccessRule Tests (Below)
UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName);
int ruleCount = DirectoryServices.GetAccessRules(group).Count;
// Add Access Rule To Group
Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To Group [{group.Name}].");
DirectoryServices.AddAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
int newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Removing Access Rule From Group
Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From Group [{group.Name}].");
DirectoryServices.DeleteAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Seting Access Rule From Group
Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On Group [{group.Name}].");
DirectoryServices.SetAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Purge Access Rule From Group
Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From Group [{group.Name}].");
DirectoryServices.PurgeAccessRules(group, accessRuleUser);
newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Delete AccessRule User
Utility.DeleteUser(accessRuleUser.DistinguishedName);
}
