/// <summary> /// Verify that the target securable item has the needed security settings /// </summary> /// <param name="context">Client context object</param> /// <param name="security">Security template model</param> /// <param name="item">Securable item</param> /// <returns></returns> public bool ValidateSecurityCSOM(ClientContext context, ObjectSecurity security, SecurableObject item) { int roleAssignmentCount = security.RoleAssignments.Count; int roleCount = 0; IEnumerable roles = context.LoadQuery(item.RoleAssignments.Include(roleAsg => roleAsg.Member, roleAsg => roleAsg.RoleDefinitionBindings.Include(roleDef => roleDef.Name))); context.ExecuteQueryRetry(); foreach (var s in security.RoleAssignments) { foreach (Microsoft.SharePoint.Client.RoleAssignment r in roles) { if (r.Member.LoginName.Contains(s.Principal)) { if (r.Member.LoginName.Equals("c:0(.s|true", StringComparison.InvariantCultureIgnoreCase)) { roleCount++; } else if (r.RoleDefinitionBindings.Where(i => i.Name == s.RoleDefinition).FirstOrDefault() != null) { roleCount++; } } } } if (roleAssignmentCount != roleCount) { return(false); } return(true); }
public static void SetSecurity(this SecurableObject securable, TokenParser parser, ObjectSecurity security) { //using (var scope = new PnPMonitoredScope("Set Security")) //{ var context = securable.Context as ClientContext; var groups = context.LoadQuery(context.Web.SiteGroups.Include(g => g.LoginName)); var webRoleDefinitions = context.LoadQuery(context.Web.RoleDefinitions); context.ExecuteQueryRetry(); securable.BreakRoleInheritance(security.CopyRoleAssignments, security.ClearSubscopes); foreach (var roleAssignment in security.RoleAssignments) { Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal)); if (principal == null) { principal = context.Web.EnsureUser(roleAssignment.Principal); } var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(context); var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignment.RoleDefinition); if (roleDefinition != null) { roleDefinitionBindingCollection.Add(roleDefinition); } securable.RoleAssignments.Add(principal, roleDefinitionBindingCollection); } context.ExecuteQueryRetry(); //} }
/// <summary> /// Sets the security descriptor on the specified item. /// </summary> /// <param name="path"> /// The path to the item to set the security descriptor on. /// </param> /// <param name="securityDescriptor"> /// The security descriptor to set on the item at the specified path. /// </param> /// <param name="context"> /// The context which the core command is running. /// </param> /// <returns> /// Nothing. The security descriptor that was set on the item at the specified path /// is written to the context. /// </returns> /// <exception cref="ItemNotFoundException"> /// If <paramref name="path"/> does not contain glob characters and /// could not be found. /// </exception> internal void SetSecurityDescriptor( string path, ObjectSecurity securityDescriptor, CmdletProviderContext context) { if (path == null) { throw PSTraceSource.NewArgumentNullException("path"); } if (securityDescriptor == null) { throw PSTraceSource.NewArgumentNullException("securityDescriptor"); } ProviderInfo provider = null; CmdletProvider providerInstance = null; Collection <string> providerPaths = Globber.GetGlobbedProviderPathsFromMonadPath( path, false, context, out provider, out providerInstance); foreach (string providerPath in providerPaths) { SetSecurityDescriptor( providerInstance, providerPath, securityDescriptor, context); } }
public SecurityAttributes(ObjectSecurity securityDescriptor) { var safeBuffer = ToUnmanagedSecurityAttributes(securityDescriptor); nLength = safeBuffer.Capacity; lpSecurityDescriptor = safeBuffer; }
/// <summary> /// Gets the security descriptor for the item specified by <paramref name="path"/>. /// </summary> /// /// <param name="path"> /// The path to the item. /// </param> /// /// <param name="sections"> /// Specifies the parts of a security descriptor to retrieve. /// </param> /// /// <returns> /// Nothing. An object that represents the security descriptor for the item /// specified by path is written to the WriteSecurityDescriptorObject method. /// </returns> public void GetSecurityDescriptor(string path, AccessControlSections sections) { ObjectSecurity sd = null; IRegistryWrapper key = null; // Validate input first. if (String.IsNullOrEmpty(path)) { throw PSTraceSource.NewArgumentNullException("path"); } if ((sections & ~AccessControlSections.All) != 0) { throw PSTraceSource.NewArgumentException("sections"); } path = NormalizePath(path); key = GetRegkeyForPathWriteIfError(path, false); if (key != null) { try { sd = key.GetAccessControl(sections); } catch (System.Security.SecurityException e) { WriteError(new ErrorRecord(e, e.GetType().FullName, ErrorCategory.PermissionDenied, path)); return; } WriteSecurityDescriptorObject(sd, path); } }
public void SetAccessControl(ObjectSecurity securityDescriptor) { using (_provider.CurrentPSTransaction) { _txRegKey.SetAccessControl((TransactedRegistrySecurity)securityDescriptor); } }
internal void SetSecurityDescriptor(string path, ObjectSecurity securityDescriptor, CmdletProviderContext context) { this.Context = context; ISecurityDescriptorCmdletProvider permissionProvider = this as ISecurityDescriptorCmdletProvider; CheckIfSecurityDescriptorInterfaceIsSupported(permissionProvider); permissionProvider.SetSecurityDescriptor(path, securityDescriptor); }
private static string GetOwnerName(ObjectSecurity systemSecurity) { var sid = systemSecurity.GetOwner(typeof(SecurityIdentifier)); var ntAccount = sid.Translate(typeof(NTAccount)); var owner = ntAccount.Value; return(owner); }
public SecurityAttributes(ObjectSecurity securityDescriptor) { SafeGlobalMemoryBufferHandle safeBuffer = ToUnmanagedSecurityAttributes(securityDescriptor); nLength = safeBuffer.Capacity; lpSecurityDescriptor = safeBuffer; bInheritHandle = false; }
public NativeSecurityAttributes(ObjectSecurity managedSecurityObject, bool inheritHandle) { length = Marshal.SizeOf(typeof(NativeSecurityAttributes)); byte[] binarySecurityDescriptor = managedSecurityObject.GetSecurityDescriptorBinaryForm(); securityDescriptor = Marshal.AllocHGlobal(binarySecurityDescriptor.Length); Marshal.Copy(binarySecurityDescriptor, 0, securityDescriptor, binarySecurityDescriptor.Length); this.inheritHandle = inheritHandle; }
/// <summary> /// Sets the SecurityDescriptor at the specified path, using the provided Context. /// </summary> /// <param name="path"> /// The path of the item to set. It may be a drive or provider-qualified path and may include /// glob characters. /// </param> /// <param name="sd"> /// The new security descriptor to set. /// </param> /// <param name="context"> /// The context under which the command is running. /// </param> /// <returns> /// Nothing. The object(s) set at the specified path are written to the context. /// </returns> internal void Set(string path, ObjectSecurity sd, CmdletProviderContext context) { Dbg.Diagnostics.Assert( _sessionState != null, "The only constructor for this class should always set the sessionState field"); // Parameter validation is done in the session state object _sessionState.SetSecurityDescriptor(path, sd, context); }
} // NewSecurityDescriptor private ObjectSecurity NewSecurityDescriptorFromPath( CmdletProvider providerInstance, string path, AccessControlSections sections) { ObjectSecurity sd = null; // All parameters should have been validated by caller Diagnostics.Assert( providerInstance != null, "Caller should validate providerInstance before calling this method"); Diagnostics.Assert( path != null, "Caller should validate path before calling this method"); Diagnostics.Assert( ExecutionContext != null, "Caller should validate context before calling this method"); // This just verifies that the provider supports the interface. ISecurityDescriptorCmdletProvider sdProvider = GetPermissionProviderInstance(providerInstance); try { sd = sdProvider.NewSecurityDescriptorFromPath(path, sections); } catch (LoopFlowException) { throw; } catch (PipelineStoppedException) { throw; } catch (ActionPreferenceStopException) { throw; } catch (Exception e) // Catch-all OK, 3rd party callout. { CommandProcessorBase.CheckForSevereException(e); throw NewProviderInvocationException( "NewSecurityDescriptorProviderException", SessionStateStrings.GetSecurityDescriptorProviderException, providerInstance.ProviderInfo, path, e); } return(sd); } // NewSecurityDescriptor
public static List <string> GetInheritedFrom(string path, ObjectSecurity sd, bool isContainer) { var inheritedFrom = new List <string>(); path = Path.GetLongPath(path); uint returnValue = 0; GENERIC_MAPPING genericMap = new GENERIC_MAPPING(); genericMap.GenericRead = (uint)MappedGenericRights.FILE_GENERIC_READ; genericMap.GenericWrite = (uint)MappedGenericRights.FILE_GENERIC_WRITE; genericMap.GenericExecute = (uint)MappedGenericRights.FILE_GENERIC_EXECUTE; genericMap.GenericAll = (uint)MappedGenericRights.FILE_GENERIC_ALL; var sdBytes = sd.GetSecurityDescriptorBinaryForm(); var commonSd = new CommonSecurityDescriptor(isContainer, false, sdBytes, 0); var aclBytes = new byte[commonSd.DiscretionaryAcl.BinaryLength]; commonSd.DiscretionaryAcl.GetBinaryForm(aclBytes, 0); var pInheritInfo = Marshal.AllocHGlobal(commonSd.DiscretionaryAcl.Count * Marshal.SizeOf(typeof(PINHERITED_FROM))); returnValue = GetInheritanceSource( path, ResourceType.FileObject, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, isContainer, IntPtr.Zero, 0, aclBytes, IntPtr.Zero, ref genericMap, pInheritInfo ); if (returnValue != 0) { throw new System.ComponentModel.Win32Exception((int)returnValue); } for (int i = 0; i < commonSd.DiscretionaryAcl.Count; i++) { var inheritInfo = pInheritInfo.ElementAt <PINHERITED_FROM>(i); inheritedFrom.Add( !string.IsNullOrEmpty(inheritInfo.AncestorName) && inheritInfo.AncestorName.StartsWith(@"\\?\") ? inheritInfo.AncestorName.Substring(4) : inheritInfo.AncestorName ); } FreeInheritedFromArray(pInheritInfo, (ushort)commonSd.DiscretionaryAcl.Count, IntPtr.Zero); Marshal.FreeHGlobal(pInheritInfo); return(inheritedFrom); }
public void CanRemoveCurrentUserAfterBreakingRoleInheritanceWithoutCopyRoleAssignment() { var template = new ProvisioningTemplate(); Page page = new Page { Layout = WikiPageLayout.TwoColumns, Overwrite = true, Url = "{site}/sitepages/pagetest.aspx" }; var security = new ObjectSecurity() { ClearSubscopes = false, CopyRoleAssignments = false, }; page.SetSecurity(security); template.Pages.Add(page); using (var ctx = TestCommon.CreateClientContext()) { var currentUser = ctx.Web.EnsureProperty(w => w.CurrentUser); var roleAssignment = new PnP.Framework.Provisioning.Model.RoleAssignment { Principal = currentUser.LoginName, Remove = true, RoleDefinition = "{roledefinition:Administrator}" }; page.Security.RoleAssignments.Add(roleAssignment); var parser = new TokenParser(ctx.Web, template); new ObjectPages().ProvisionObjects(ctx.Web, template, parser, new ProvisioningTemplateApplyingInformation()); ctx.Load(ctx.Web, w => w.ServerRelativeUrl); ctx.ExecuteQueryRetry(); var file = ctx.Web.GetFileByServerRelativeUrl(UrlUtility.Combine(ctx.Web.ServerRelativeUrl, "/SitePages/pagetest.aspx")); ctx.Load(file, f => f.Exists); ctx.ExecuteQueryRetry(); Assert.IsTrue(file.Exists); var listItem = file.ListItemAllFields; var roleAssignments = listItem.RoleAssignments; ctx.Load(roleAssignments); ctx.ExecuteQueryRetry(); Assert.AreEqual(0, roleAssignments.Count); } }
void ISecurityDescriptorCmdletProvider.SetSecurityDescriptor(string path, ObjectSecurity securityDescriptor) { if (securityDescriptor is GenericObjectSecurity obj_security) { string relative_path = GetRelativePath(PSPathToNT(path)); using (var dir = GetPathDirectory(relative_path, true).Result) { dir.SetSecurity(relative_path, obj_security); } } }
/// <summary> /// Sets the provided SecurityDescriptor at the specified path. /// </summary> /// <param name="path"> /// The path of the item to set. It may be a drive or provider-qualified path and may include /// glob characters. /// </param> /// <param name="sd"> /// The new security descriptor to set. /// </param> /// <returns> /// The SecurityDescriptor(s) set at the specified path. /// </returns> public Collection <PSObject> Set(string path, ObjectSecurity sd) { Dbg.Diagnostics.Assert( _sessionState != null, "The only constructor for this class should always set the sessionState field"); // Parameter validation is done in the session state object Collection <PSObject> result = _sessionState.SetSecurityDescriptor(path, sd); return(result); }
public DataRow(Dictionary<string, string> values, ObjectSecurity security) { if (values != null) { foreach (var key in values.Keys) { Values.Add(key, values[key]); } } this.Security = security; }
/// <summary> /// Gets the security descriptor from the specified item. /// </summary> /// /// <param name="type"> /// The type of the item which corresponds to the security /// descriptor that we want to create. /// </param> /// /// <param name="providerInstance"> /// The type of the item which corresponds to the security /// descriptor that we want to create. /// </param> /// /// <param name="sections"> /// Specifies the parts of a security descriptor to retrieve. /// </param> /// /// <returns> /// Nothing. The security descriptor for the item at the specified type is /// written to the context. /// </returns> /// internal ObjectSecurity NewSecurityDescriptorOfType( CmdletProvider providerInstance, string type, AccessControlSections sections) { ObjectSecurity sd = null; if (type == null) { throw PSTraceSource.NewArgumentNullException("type"); } if (providerInstance == null) { throw PSTraceSource.NewArgumentNullException("providerInstance"); } // This just verifies that the provider supports the interface. ISecurityDescriptorCmdletProvider sdProvider = GetPermissionProviderInstance(providerInstance); try { sd = sdProvider.NewSecurityDescriptorOfType(type, sections); } catch (LoopFlowException) { throw; } catch (PipelineStoppedException) { throw; } catch (ActionPreferenceStopException) { throw; } catch (Exception e) // Catch-all OK, 3rd party callout. { CommandProcessorBase.CheckForSevereException(e); throw NewProviderInvocationException( "NewSecurityDescriptorProviderException", SessionStateStrings.GetSecurityDescriptorProviderException, providerInstance.ProviderInfo, type, e); } return(sd); } // NewSecurityDescriptorOfType
internal void SetSecurityDescriptor( string path, ObjectSecurity securityDescriptor, CmdletProviderContext context) { using (CmdletProvider.providerBaseTracer.TraceMethod(path, new object[0])) { this.Context = context; ISecurityDescriptorCmdletProvider permissionProvider = this as ISecurityDescriptorCmdletProvider; CmdletProvider.CheckIfSecurityDescriptorInterfaceIsSupported(permissionProvider); permissionProvider.SetSecurityDescriptor(path, securityDescriptor); } }
public KernelTransaction(ObjectSecurity securityDescriptor, int timeout, string description) { if (!NativeMethods.IsAtLeastWindowsVista) { throw new PlatformNotSupportedException(Resources.Requires_Windows_Vista_Or_Higher); } using (var securityAttributes = new Security.NativeMethods.SecurityAttributes(securityDescriptor)) { _hTrans = NativeMethods.CreateTransaction(securityAttributes, IntPtr.Zero, 0, 0, 0, timeout, description); int lastError = Marshal.GetLastWin32Error(); NativeMethods.IsValidHandle(_hTrans, lastError); } }
public KernelTransaction(ObjectSecurity securityDescriptor, int timeout, string description) { if (!NativeMethods.IsAtLeastWindowsVista) { throw new PlatformNotSupportedException(new Win32Exception((int)Win32Errors.ERROR_OLD_WIN_VERSION).Message); } using (var securityAttributes = new Security.NativeMethods.SecurityAttributes(securityDescriptor)) { _hTrans = NativeMethods.CreateTransaction(securityAttributes, IntPtr.Zero, 0, 0, 0, timeout, description); int lastError = Marshal.GetLastWin32Error(); NativeMethods.IsValidHandle(_hTrans, lastError); } }
/// <summary> /// Check to ensure that the named pipe server we connected to is owned by the same /// user. /// </summary> /// <remarks> /// The type is embedded in assemblies that need to run cross platform. While this particular /// code will never be hit when running on non-Windows platforms it does need to work when /// on Windows. To facilitate that we use reflection to make the check here to enable it to /// compile into our cross plat assemblies. /// </remarks> private static bool CheckPipeConnectionOwnership(NamedPipeClientStream pipeStream) { try { var currentIdentity = WindowsIdentity.GetCurrent(); var currentOwner = currentIdentity.Owner; ObjectSecurity remotePipeSecurity = GetPipeSecurity(pipeStream); var remoteOwner = remotePipeSecurity.GetOwner(typeof(SecurityIdentifier)); return(currentOwner.Equals(remoteOwner)); } catch (Exception ex) { Log("Exception checking pipe connection: {0}", ex.Message); return(false); } }
private bool disposedValue = false; // To detect redundant calls protected virtual void Dispose(bool disposing) { if (!disposedValue) { if (disposing) { // TODO: dispose managed state (managed objects). } // TODO: free unmanaged resources (unmanaged objects) and override a finalizer below. // TODO: set large fields to null. objectSecurity = null; QuestionarioDAO = null; disposedValue = true; } }
/// <summary> /// Initializes the SecurityAttributes structure from an instance of <see cref="ObjectSecurity"/>. /// </summary> /// <param name="memoryHandle">A handle that will refer to the memory allocated by this object for storage of the /// security descriptor. As long as this object is used, the memory handle should be kept alive, and afterwards it /// should be disposed as soon as possible.</param> /// <param name="securityDescriptor">The security descriptor to assign to this object. This parameter may be <see langword="null"/>.</param> public void Initialize(out SafeGlobalMemoryBufferHandle memoryHandle, ObjectSecurity securityDescriptor) { nLength = (uint)Marshal.SizeOf(this); if (securityDescriptor == null) { memoryHandle = new SafeGlobalMemoryBufferHandle(); } else { byte[] src = securityDescriptor.GetSecurityDescriptorBinaryForm(); memoryHandle = new SafeGlobalMemoryBufferHandle(src.Length); memoryHandle.CopyFrom(src, 0, src.Length); } bInheritHandle = 0; }
public static void TestAccessRules(ObjectSecurity sysIO, ObjectSecurity alphaFS) { Console.WriteLine(); Console.WriteLine("\tSystem.IO .AccessRightType: [{0}]", sysIO.AccessRightType); Console.WriteLine("\tAlphaFS .AccessRightType: [{0}]", alphaFS.AccessRightType); Console.WriteLine(); Assert.AreEqual(sysIO.AccessRightType, alphaFS.AccessRightType); Console.WriteLine("\tSystem.IO .AccessRuleType: [{0}]", sysIO.AccessRuleType); Console.WriteLine("\tAlphaFS .AccessRuleType: [{0}]", alphaFS.AccessRuleType); Console.WriteLine(); Assert.AreEqual(sysIO.AccessRuleType, alphaFS.AccessRuleType); Console.WriteLine("\tSystem.IO .AuditRuleType: [{0}]", sysIO.AuditRuleType); Console.WriteLine("\tAlphaFS .AuditRuleType: [{0}]", alphaFS.AuditRuleType); Console.WriteLine(); Assert.AreEqual(sysIO.AuditRuleType, alphaFS.AuditRuleType); Console.WriteLine("\tSystem.IO .AreAccessRulesProtected: [{0}]", sysIO.AreAccessRulesProtected); Console.WriteLine("\tAlphaFS .AreAccessRulesProtected: [{0}]", alphaFS.AreAccessRulesProtected); Console.WriteLine(); Assert.AreEqual(sysIO.AreAccessRulesProtected, alphaFS.AreAccessRulesProtected); Console.WriteLine("\tSystem.IO .AreAuditRulesProtected: [{0}]", sysIO.AreAuditRulesProtected); Console.WriteLine("\tAlphaFS .AreAuditRulesProtected: [{0}]", alphaFS.AreAuditRulesProtected); Console.WriteLine(); Assert.AreEqual(sysIO.AreAuditRulesProtected, alphaFS.AreAuditRulesProtected); Console.WriteLine("\tSystem.IO .AreAccessRulesCanonical: [{0}]", sysIO.AreAccessRulesCanonical); Console.WriteLine("\tAlphaFS .AreAccessRulesCanonical: [{0}]", alphaFS.AreAccessRulesCanonical); Console.WriteLine(); Assert.AreEqual(sysIO.AreAccessRulesCanonical, alphaFS.AreAccessRulesCanonical); Console.WriteLine("\tSystem.IO .AreAuditRulesCanonical: [{0}]", sysIO.AreAuditRulesCanonical); Console.WriteLine("\tAlphaFS .AreAuditRulesCanonical: [{0}]", alphaFS.AreAuditRulesCanonical); Console.WriteLine(); Assert.AreEqual(sysIO.AreAuditRulesCanonical, alphaFS.AreAuditRulesCanonical); }
public KernelTransaction(ObjectSecurity securityDescriptor, uint timeout, string description) { NativeMethods.SecurityAttributes secAttr = new NativeMethods.SecurityAttributes(); SafeGlobalMemoryBufferHandle handle; //NativeMethods.InitializeSecurityAttributes(ref secAttr, out handle, securityDescriptor); secAttr.Initialize(out handle, securityDescriptor); hTrans = NativeMethods.CreateTransaction(secAttr, IntPtr.Zero, 0, 0, 0, timeout, description); handle.Dispose(); if (hTrans.IsInvalid) { Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); } }
private static void SetSecurity(ObjectSecurity security) { if (null == security) { throw new ArgumentNullException("security"); } // Set the DACL. security.SetSecurityDescriptorSddlForm("D:(A;;GA;;;WD)", AccessControlSections.Access); // Can only set integrity levels in the SACL for Vista and newer. Version vista = new Version(6, 0); if (vista <= Environment.OSVersion.Version) { security.SetSecurityDescriptorSddlForm("S:(ML;;NW;;;ME)", AccessControlSections.Audit); } }
private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections) { var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE(); byte[] securityDescriptorBinary = null; try { // Get the binary form of the descriptor. PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState); securityDescriptorBinary = sd.GetSecurityDescriptorBinaryForm(); } finally { PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState); } try { PlatformInvokes.EnableTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState); // Transfer it to the new file / directory. // We keep these two code branches so that we can have more // granular information when we ouput the object type via // WriteSecurityDescriptorObject. if (Directory.Exists(path)) { DirectorySecurity newDescriptor = new DirectorySecurity(); newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections); new DirectoryInfo(path).SetAccessControl(newDescriptor); WriteSecurityDescriptorObject(newDescriptor, path); } else { FileSecurity newDescriptor = new FileSecurity(); newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections); new FileInfo(path).SetAccessControl(newDescriptor); WriteSecurityDescriptorObject(newDescriptor, path); } } finally { PlatformInvokes.RestoreTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState); } }
private static ObjectSecurity NewSecurityDescriptor( ItemType itemType) { ObjectSecurity sd = null; switch (itemType) { case ItemType.File: sd = new FileSecurity(); break; case ItemType.Directory: sd = new DirectorySecurity(); break; } return(sd); }
} // GetSecurityDescriptor /// <summary> /// Internal wrapper for the SetSecurityDescriptor protected method. This method will /// only be called if the provider implements the ISecurityDescriptorCmdletProvider interface. /// </summary> /// /// <param name="path"> /// The path to the item to set the new security descriptor on. /// </param> /// /// <param name="securityDescriptor"> /// The new security descriptor for the item. /// </param> /// /// <param name="context"> /// The context under which this method is being called. /// </param> /// /// <returns> /// Nothing. The security descriptor object that was set should be written /// to the context. /// </returns> /// internal void SetSecurityDescriptor( string path, ObjectSecurity securityDescriptor, CmdletProviderContext context) { Context = context; ISecurityDescriptorCmdletProvider permissionProvider = this as ISecurityDescriptorCmdletProvider; // // if this is not supported, the fn will throw // CheckIfSecurityDescriptorInterfaceIsSupported(permissionProvider); // Call interface method permissionProvider.SetSecurityDescriptor(path, securityDescriptor); } // SetSecurityDescriptor
/// <summary> /// Gets the SecurityDescriptor at the specified path, including only the specified /// AccessControlSections. /// </summary> /// <param name="path"> /// The path of the item to retrieve. It may be a drive or provider-qualified path and may include. /// glob characters. /// </param> /// <param name="sections"> /// The sections of the security descriptor to include. /// </param> /// <returns> /// Nothing. An object that represents the security descriptor for the item /// specified by path is written to the context's pipeline. /// </returns> /// <exception cref="System.ArgumentException"> /// path is null or empty. /// path doesn't exist /// sections is not valid. /// </exception> public void GetSecurityDescriptor(string path, AccessControlSections sections) { ObjectSecurity sd = null; path = NormalizePath(path); if (string.IsNullOrEmpty(path)) { throw PSTraceSource.NewArgumentNullException("path"); } if ((sections & ~AccessControlSections.All) != 0) { throw PSTraceSource.NewArgumentException("sections"); } var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE(); try { PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState); if (Directory.Exists(path)) { sd = new DirectorySecurity(path, sections); } else { sd = new FileSecurity(path, sections); } } catch (System.Security.SecurityException e) { WriteError(new ErrorRecord(e, e.GetType().FullName, ErrorCategory.PermissionDenied, path)); } finally { PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState); } WriteSecurityDescriptorObject(sd, path); }
public static ObjectSecurity GetSecurity(this SecurableObject securable) { ObjectSecurity security = null; using (var scope = new PnPMonitoredScope("Get Security")) { var context = securable.Context as ClientContext; context.Load(securable, sec => sec.HasUniqueRoleAssignments); context.Load(context.Web, w => w.AssociatedMemberGroup.Title, w => w.AssociatedOwnerGroup.Title, w => w.AssociatedVisitorGroup.Title); var roleAssignments = context.LoadQuery(securable.RoleAssignments.Include( r => r.Member.LoginName, r => r.RoleDefinitionBindings.Include( rdb => rdb.Name, rdb => rdb.RoleTypeKind ))); context.ExecuteQueryRetry(); if (securable.HasUniqueRoleAssignments) { security = new ObjectSecurity(); foreach (var roleAssignment in roleAssignments) { if (roleAssignment.Member.LoginName != "Excel Services Viewers") { foreach (var roleDefinition in roleAssignment.RoleDefinitionBindings) { if (roleDefinition.RoleTypeKind != RoleType.Guest) { security.RoleAssignments.Add(new Model.RoleAssignment() { Principal = ReplaceGroupTokens(context.Web, roleAssignment.Member.LoginName), RoleDefinition = roleDefinition.Name }); } } } } } } return(security); }
public static ObjectSecurity GetSecurity(this SecurableObject securable) { ObjectSecurity security = null; using (var scope = new PnPMonitoredScope("Get Security")) { var context = securable.Context as ClientContext; context.Load(securable, sec => sec.HasUniqueRoleAssignments); context.Load(context.Web, w => w.AssociatedMemberGroup.Title, w => w.AssociatedOwnerGroup.Title, w => w.AssociatedVisitorGroup.Title); var roleAssignments = context.LoadQuery(securable.RoleAssignments.Include( r => r.Member.LoginName, r => r.RoleDefinitionBindings.Include( rdb => rdb.Name, rdb => rdb.RoleTypeKind ))); context.ExecuteQueryRetry(); if (securable.HasUniqueRoleAssignments) { security = new ObjectSecurity(); foreach (var roleAssignment in roleAssignments) { if (roleAssignment.Member.LoginName != "Excel Services Viewers") { foreach (var roleDefinition in roleAssignment.RoleDefinitionBindings) { if (roleDefinition.RoleTypeKind != RoleType.Guest) { security.RoleAssignments.Add(new Model.RoleAssignment() { Principal = ReplaceGroupTokens(context.Web, roleAssignment.Member.LoginName), RoleDefinition = roleDefinition.Name }); } } } } } } return security; }
public ContentPage(string url, string html, bool overwrite, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null, Dictionary<string, string> fields = null) : base(url, overwrite, WikiPageLayout.OneColumn, webParts, welcomePage, security, fields) { Html = html; }
internal override void OverrideXmlData(XElement sourceObject, XElement targetObject) { XNamespace ns = SchemaVersion; #region Property handling // Base property handling // Drop list properties if they're not provided in the source XML string[] ListProperties = new string[] { "Description", "DocumentTemplate", "MinorVersionLimit", "MaxVersionLimit", "DraftVersionVisibility", "TemplateFeatureID", "EnableAttachments" }; foreach (string listProperty in ListProperties) { if (sourceObject.Attribute(listProperty) == null) { DropAttribute(targetObject, listProperty); } } // Drop list elements if they're not provided in the source XML string[] ListElements = new string[] { "ContentTypeBindings", "Views", "FieldRefs", "Fields" }; foreach (var listElement in ListElements) { var sourceListElementXML = sourceObject.Descendants(ns + listElement); var targetListElementXML = targetObject.Descendants(ns + listElement); if (sourceListElementXML.Any() == false && targetListElementXML.Any() == true) { targetListElementXML.Remove(); } } #if ONPREMISES // MaxVersionLimit cannot be set in on-premises, so remove it before comparing before and after if (sourceObject.Attribute("MaxVersionLimit") != null) { DropAttribute(targetObject, "MaxVersionLimit"); DropAttribute(sourceObject, "MaxVersionLimit"); } #endif #endregion #region Contenttype handling // If RemoveExistingContentTypes is set then remove the attribute from source since on target we don't add this. var contentTypeBindings = targetObject.Descendants(ns + "ContentTypeBinding"); bool removeExistingContentTypes = false; if (sourceObject.Attribute("RemoveExistingContentTypes") != null) { removeExistingContentTypes = sourceObject.Attribute("RemoveExistingContentTypes").Value.ToBoolean(); DropAttribute(sourceObject, "RemoveExistingContentTypes"); } if (contentTypeBindings != null && contentTypeBindings.Any()) { // One can add ContentTypeBindings without specifying ContentTypesEnabled. The engine will turn on ContentTypesEnabled automatically in that case if (sourceObject.Attribute("ContentTypesEnabled") == null) { DropAttribute(targetObject, "ContentTypesEnabled"); } if (removeExistingContentTypes) { foreach (var contentTypeBinding in contentTypeBindings.ToList()) { // Remove the folder content type if present because we're not removing that one via RemoveExistingContentTypes if (contentTypeBinding.Attribute("ContentTypeID").Value == "0x0120") { contentTypeBinding.Remove(); } } } else // We did not remove existing content types { var sourceContentTypeBindings = sourceObject.Descendants(ns + "ContentTypeBinding"); foreach (var contentTypeBinding in contentTypeBindings.ToList()) { string value = contentTypeBinding.Attribute("ContentTypeID").Value; // drop all content types which are not mentioned in the source if (sourceContentTypeBindings.Where(p => p.Attribute("ContentTypeID").Value == value).Any() == false) { contentTypeBinding.Remove(); } } } } #endregion #region FieldRef handling var fieldRefs = sourceObject.Descendants(ns + "FieldRef"); if (fieldRefs != null && fieldRefs.Any()) { foreach (var fieldRef in fieldRefs.ToList()) { // Drop the name attribute from the source fieldrefs since this is just an informational attribute if (fieldRef.Attribute("Name") != null) { DropAttribute(fieldRef, "Name"); } // Drop hidden fieldrefs since they're not retreived by the engine again if (fieldRef.Attribute("Hidden") != null && fieldRef.Attribute("Hidden").Value.ToBoolean() == true) { fieldRef.Remove(); } } } var targetFieldRefs = targetObject.Descendants(ns + "FieldRef"); if (targetFieldRefs != null && targetFieldRefs.Any()) { foreach (var targetFieldRef in targetFieldRefs.ToList()) { // Drop the name attribute from the source fieldrefs since this is just an informational attribute if (targetFieldRef.Attribute("Name") != null) { DropAttribute(targetFieldRef, "Name"); } // Drop the fields which were not present in source (there's always some OOB fieldrefs) if (!fieldRefs.Where(p => p.Attribute("ID").Value == targetFieldRef.Attribute("ID").Value).Any()) { targetFieldRef.Remove(); } else { // If the source object does not have a DisplayName attribute then also remove it from the target if (!(fieldRefs.Where(p => p.Attribute("ID").Value == targetFieldRef.Attribute("ID").Value).FirstOrDefault().Attribute("DisplayName") != null)) { DropAttribute(targetFieldRef, "DisplayName"); } } } } #endregion #region Field handling var targetFields = targetObject.Descendants("Field"); var sourceFields = sourceObject.Descendants("Field"); if (sourceFields != null && sourceFields.Any()) { foreach (var sourceField in sourceFields.ToList()) { // Ensure both target and source using the same casing UpperCaseAttribute(sourceField, "ID"); } } if (targetFields != null && targetFields.Any()) { foreach (var targetField in targetFields.ToList()) { // Ensure both target and source using the same casing UpperCaseAttribute(targetField, "ID"); // Drop attributes before comparison DropAttribute(targetField, "SourceID"); DropAttribute(targetField, "StaticName"); DropAttribute(targetField, "ColName"); DropAttribute(targetField, "RowOrdinal"); DropAttribute(targetField, "Version"); // If target field does not exist in source then drop it (SPO can add additional fields e.g. _IsRecord field refering the _ComplianceFlags field) if (sourceFields != null && sourceFields.Any()) { if (!sourceFields.Where(p => p.Attribute("ID").Value.Equals(targetField.Attribute("ID").Value)).Any()) { targetField.Remove(); } } } } #endregion #region View handling var sourceViews = sourceObject.Descendants("View"); var targetViews = targetObject.Descendants("View"); if (sourceViews != null && sourceViews.Any()) { int sourceViewCount = 0; int targetViewCount = 0; foreach (var sourceView in sourceViews) { sourceViewCount++; string sourceViewName = sourceView.Attribute("DisplayName").Value; if (targetViews.Where(v => v.Attribute("DisplayName").Value.Equals(sourceViewName, StringComparison.InvariantCultureIgnoreCase)).First() != null) { targetViewCount++; } } if (sourceViewCount == targetViewCount) { // if RemoveExistingViews was checked then we should have the same count of source and target views if (sourceObject.Descendants(ns + "Views").First().Attribute("RemoveExistingViews") != null && sourceObject.Descendants(ns + "Views").First().Attribute("RemoveExistingViews").Value.ToBoolean() == true) { if (sourceViews.Count() == targetViews.Count()) { // we've found the source views in the target + the original views were dropped, so we're good. Drop the view element to ensure valid XML comparison sourceObject.Descendants(ns + "Views").Remove(); targetObject.Descendants(ns + "Views").Remove(); } } else { // we've found the source views in the target so we're good. Drop the view element to ensure valid XML comparison sourceObject.Descendants(ns + "Views").Remove(); targetObject.Descendants(ns + "Views").Remove(); } } } #endregion #region FieldDefaults handling var sourceFieldDefaults = sourceObject.Descendants(ns + "FieldDefault"); if (sourceFieldDefaults != null && sourceFieldDefaults.Any()) { bool validFieldDefaults = true; foreach(var sourceFieldDefault in sourceFieldDefaults) { string fieldDefaultValue = sourceFieldDefault.Value; string fieldDefaultName = sourceFieldDefault.Attribute("FieldName").Value; if (fieldDefaultValue != null && fieldDefaultName != null) { var targetField = targetFields.Where(p => p.Attribute("Name").Value.Equals(fieldDefaultName, StringComparison.InvariantCultureIgnoreCase)).First(); if (targetField.Descendants("Default").Any()) { string targetFieldDefaultValue = targetField.Descendants("Default").First().Value; if (!targetFieldDefaultValue.Equals(fieldDefaultValue, StringComparison.InvariantCultureIgnoreCase)) { validFieldDefaults = false; } else { // remove the Default node targetField.Descendants("Default").First().Remove(); } } else { validFieldDefaults = false; } } } if (validFieldDefaults) { sourceObject.Descendants(ns + "FieldDefaults").Remove(); } } // Drop any remaining Default node foreach (var targetField in targetFields) { if (targetField.Descendants("Default").Any()) { targetField.Descendants("Default").First().Remove(); } } #endregion #region Folder handling // Folders are not extracted, so manual validation needed var sourceFolders = sourceObject.Descendants(ns + "Folders"); if (sourceFolders != null && sourceFolders.Any()) { // use CSOM to verify the folders are listed in target and only remove the source folder from the XML when this is the case if (this.cc != null) { var foldersValid = true; var list = this.cc.Web.GetListByUrl(sourceObject.Attribute("Url").Value); if (list != null) { list.EnsureProperty(w => w.RootFolder); foreach(var folder in sourceFolders.Descendants(ns + "Folder")) { // only verify first level folders if (folder.Parent.Equals(sourceFolders.First())) { if (!list.RootFolder.FolderExists(folder.Attribute("Name").Value)) { foldersValid = false; } // if the folder has a security element then verify this as well var sourceFolderSecurity = folder.Descendants(ns + "Security"); if (sourceFolderSecurity != null && sourceFolderSecurity.Any()) { // convert XML in ObjectSecurity object ObjectSecurity sourceFolderSecurityElement = new ObjectSecurity(); sourceFolderSecurityElement.ClearSubscopes = sourceFolderSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("ClearSubscopes").Value.ToBoolean(); sourceFolderSecurityElement.CopyRoleAssignments = sourceFolderSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("CopyRoleAssignments").Value.ToBoolean(); var sourceRoleAssignments = folder.Descendants(ns + "RoleAssignment"); foreach (var sourceRoleAssignment in sourceRoleAssignments) { sourceFolderSecurityElement.RoleAssignments.Add(new Core.Framework.Provisioning.Model.RoleAssignment() { Principal = sourceRoleAssignment.Attribute("Principal").Value, RoleDefinition = sourceRoleAssignment.Attribute("RoleDefinition").Value }); } // grab the "Securable" for the folder var currentFolderItem = list.RootFolder.EnsureFolder(folder.Attribute("Name").Value).ListItemAllFields; cc.Load(currentFolderItem); cc.ExecuteQueryRetry(); // use CSOM to verify security settings if (ValidateSecurityCSOM(this.cc, sourceFolderSecurityElement, currentFolderItem)) { sourceFolderSecurity.Remove(); } } } } } if (foldersValid) { sourceFolders.Remove(); } } } #endregion #region DataRows handling var sourceDataRows = sourceObject.Descendants(ns + "DataRow"); if (sourceDataRows != null && sourceDataRows.Any()) { bool dataRowsValidated = true; var list = this.cc.Web.GetListByUrl(sourceObject.Attribute("Url").Value); if (list != null) { int dataRowCount = 0; foreach (var sourceDataRow in sourceDataRows) { // Convert XML in DataRow object DataRow sourceDataRowElement = null; Dictionary<string, string> values = new Dictionary<string, string>(); foreach (var dataValue in sourceDataRow.Descendants(ns + "DataValue")) { values.Add(dataValue.Attribute("FieldName").Value, dataValue.Value); } ObjectSecurity sourceDataRowSecurityElement = null; var sourceDataRowSecurity = sourceDataRow.Descendants(ns + "Security"); if (sourceDataRowSecurity != null && sourceDataRowSecurity.Any()) { // convert XML in ObjectSecurity object sourceDataRowSecurityElement = new ObjectSecurity(); sourceDataRowSecurityElement.ClearSubscopes = sourceDataRowSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("ClearSubscopes").Value.ToBoolean(); sourceDataRowSecurityElement.CopyRoleAssignments = sourceDataRowSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("CopyRoleAssignments").Value.ToBoolean(); var sourceRoleAssignments = sourceDataRowSecurity.Descendants(ns + "RoleAssignment"); foreach (var sourceRoleAssignment in sourceRoleAssignments) { sourceDataRowSecurityElement.RoleAssignments.Add(new Core.Framework.Provisioning.Model.RoleAssignment() { Principal = sourceRoleAssignment.Attribute("Principal").Value, RoleDefinition = sourceRoleAssignment.Attribute("RoleDefinition").Value }); } } if (sourceDataRowSecurityElement != null) { sourceDataRowElement = new DataRow(values, sourceDataRowSecurityElement); } else { sourceDataRowElement = new DataRow(values); } dataRowCount++; ListItem itemToValidate = null; try { itemToValidate = list.GetItemById(dataRowCount); } catch { } if (itemToValidate == null || !ValidateDataRowsCSOM(cc, sourceDataRowElement, itemToValidate)) { dataRowsValidated = false; } } } // If all datarows are validated then we can drop if (dataRowsValidated) { sourceObject.Descendants(ns + "DataRows").First().Remove(); } } #endregion #region Security handling var sourceSecurity = sourceObject.Descendants(ns + "Security"); if (sourceSecurity != null && sourceSecurity.Any()) { var targetSecurity = targetObject.Descendants(ns + "Security"); if (ValidateSecurityXml(sourceSecurity.First(), targetSecurity.First())) { sourceSecurity.Remove(); targetSecurity.Remove(); } } #endregion #region CustomAction handling var sourceCustomActions = sourceObject.Descendants(ns + "UserCustomActions"); if (sourceCustomActions != null && sourceCustomActions.Any()) { // delete custom actions since we validate these latter on var targetCustomActions = targetObject.Descendants(ns + "UserCustomActions"); sourceCustomActions.Remove(); if (targetCustomActions != null && targetCustomActions.Any()) { targetCustomActions.Remove(); } } #endregion }
public PublishingPage(string url, string title, string html, string layoutUrl, bool overwrite, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null, Dictionary<string, string> fields = null) : base(url, html, overwrite, webParts, welcomePage, security, fields) { PageTitle = title; PageLayoutUrl = layoutUrl; }
public Page(string url, bool overwrite, WikiPageLayout layout, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null) : this(url, overwrite, layout, webParts, welcomePage, security, null) { }
public Page(string url, bool overwrite, WikiPageLayout layout, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null, Dictionary<String, String> fields = null) : this(url, overwrite, layout, webParts, security, fields) { }