public void RemoveRole(string principal, string role, string adObject)
{
String id = null;
String domain = DirectoryServices.GetDomain(principal, out id);
Principal p = DirectoryServices.GetPrincipal(id, domain);
DirectoryEntry target = DirectoryServices.GetDirectoryEntry(adObject);
if (p == null)
{
throw new AdException($"Principal [{principal}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
else if (target == null)
{
throw new AdException($"Target [{adObject}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
if (Roles.ContainsKey(role))
{
DirectoryServices.DeleteAccessRule(target, p, Roles[role].AdRights, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.All);
}
else
{
throw new AdException($"Role [{role}] Does Not Exist.", AdStatusType.DoesNotExist);
}
}
public static void DeleteWorkspace(string workspaceName)
{
Console.WriteLine($"Deleting Workspace : [{workspaceName}]");
DirectoryServices.DeleteDirectoryEntry("OrganizationalUnit", workspaceName);
DirectoryEntry de = DirectoryServices.GetDirectoryEntry(workspaceName, "OrganizationalUnit");
Assert.That(de, Is.Null);
}
public void Core_OrgUnitNotFound()
{
// Get OrgUnit That Does Not Exist
String ouName = $"testou_{Utility.GenerateToken( 8 )}";
String ouDistinguishedName = $"OU={ouName},{workspaceName}";
Console.WriteLine($"Getting OrgUnit [{ouName}] Which Should Not Exist.");
DirectoryEntryObject badOrgUnit = DirectoryServices.GetOrganizationalUnit(ouName, true, true, false);
Assert.That(badOrgUnit, Is.Null);
Console.WriteLine($"Getting OrgUnit Principal [{ouName}] Which Should Not Exist.");
DirectoryEntry de = DirectoryServices.GetDirectoryEntry(ouDistinguishedName);
Assert.That(de, Is.Null);
}
// Get A Principal's Cumulitive AD Rights On An Object
private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject)
{
ActiveDirectoryRights myRights = 0;
ActiveDirectoryRights myDenyRights = 0;
Principal p = DirectoryServices.GetPrincipal(principal);
if (p == null)
{
throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist);
}
List <DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true);
DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject);
if (de == null)
{
throw new AdException($"Object [{adObject}] Does Not Exist.", AdStatusType.DoesNotExist);
}
List <AccessRuleObject> rules = DirectoryServices.GetAccessRules(de);
Dictionary <string, ActiveDirectoryRights> rights = new Dictionary <string, ActiveDirectoryRights>();
Dictionary <string, ActiveDirectoryRights> denyRights = new Dictionary <string, ActiveDirectoryRights>();
// Accumulate Allow and Deny Rights By Identity Reference
foreach (AccessRuleObject rule in rules)
{
if (rule.ControlType == System.Security.AccessControl.AccessControlType.Allow)
{
if (rights.Keys.Contains(rule.IdentityReference))
{
rights[rule.IdentityReference] |= rule.Rights;
}
else
{
rights.Add(rule.IdentityReference, rule.Rights);
}
}
else
{
if (rights.Keys.Contains(rule.IdentityReference))
{
denyRights[rule.IdentityReference] |= rule.Rights;
}
else
{
denyRights.Add(rule.IdentityReference, rule.Rights);
}
}
}
foreach (DirectoryEntry entry in groups)
{
if (entry.Properties.Contains("objectSid"))
{
string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value);
if (rights.ContainsKey(sid))
{
myRights |= rights[sid];
}
if (denyRights.ContainsKey(sid))
{
myDenyRights |= denyRights[sid];
}
}
}
// Apply Deny Rights
myDenyRights = myRights & myDenyRights;
myRights = myRights ^ myDenyRights;
return(myRights);
}
public void Core_OrgUnitTestSuccess()
{
// Setup Test
String name = $"testou_{Utility.GenerateToken( 8 )}";
String distinguishedName = $"OU={name},{workspaceName}";
Dictionary <string, List <string> > properties = new Dictionary <string, List <string> >();
DirectoryServices.AddProperty(properties, "description", "Test OU");
// Create OrgUnit
Console.WriteLine($"Creating OrgUnit : [{distinguishedName}]");
DirectoryServices.CreateOrganizationUnit(distinguishedName, properties);
// Get OrgUnit By DistinguishedName
Console.WriteLine($"Getting OrgUnit By DisginguishedName : [{distinguishedName}]");
DirectoryEntryObject ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, true, true, false);
Assert.That(ouo, Is.Not.Null);
String guid = ouo.Guid.ToString();
// Get OrgUnit By Name
Console.WriteLine($"Getting OrgUnit By Name : [{name}]");
ouo = DirectoryServices.GetOrganizationalUnit(name, false, false, false);
Assert.That(ouo, Is.Not.Null);
// Get OrgUnit By Name
Console.WriteLine($"Getting OrgUnit By Guid : [{guid}]");
ouo = DirectoryServices.GetOrganizationalUnit(guid, false, true, false);
Assert.That(ouo, Is.Not.Null);
Assert.That(ouo.Properties.ContainsKey("description"), Is.True);
// Modify OrgUnit
DirectoryServices.AddProperty(properties, "description", "~null~", true);
DirectoryServices.ModifyOrganizationUnit(distinguishedName, properties);
ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, true, false);
Assert.That(ouo.Properties.ContainsKey("description"), Is.False);
// Create AccessUser For AccessRule Tests (Below)
DirectoryEntry orgUnit = DirectoryServices.GetDirectoryEntry(distinguishedName);
UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName);
int ruleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
// Add Access Rule To OrgUnit
Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To OrgUnit [{orgUnit.Name}].");
DirectoryServices.AddAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
int newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Removing Access Rule From OrgUnit
Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}].");
DirectoryServices.DeleteAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Seting Access Rule From OrgUnit
Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On OrgUnit [{orgUnit.Name}].");
DirectoryServices.SetAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Purge Access Rule From OrgUnit
Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}].");
DirectoryServices.PurgeAccessRules(orgUnit, accessRuleUser);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Delete AccessRule User
Utility.DeleteUser(accessRuleUser.DistinguishedName);
// Delete OrgUnit
Console.WriteLine($"Deleting OrgUnit : [{distinguishedName}]");
DirectoryServices.DeleteOrganizationUnit(distinguishedName);
ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, false, false);
Assert.That(ouo, Is.Null);
}
private void ProcessAccessRules(AdObject obj, bool returnObject = false)
{
ActiveDirectoryObjectResult result = new ActiveDirectoryObjectResult()
{
Type = obj.Type,
Identity = obj.Identity
};
ActiveDirectoryStatus status = new ActiveDirectoryStatus()
{
Action = config.Action,
Status = AdStatusType.Success,
Message = "Success",
};
try
{
roleManager.CanPerformActionOrException(requestUser, config.Action, obj.Identity);
// Get Target DirectoryEntry For Rules
DirectoryEntry de = null;
if (obj.Type == AdObjectType.User || obj.Type == AdObjectType.Group)
{
Principal principal = DirectoryServices.GetPrincipal(obj.Identity);
if (principal == null)
{
throw new AdException($"Principal [{obj.Identity}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
else if (principal.GetUnderlyingObjectType() == typeof(DirectoryEntry))
{
de = (DirectoryEntry)principal.GetUnderlyingObject();
}
else
{
throw new AdException($"AddAccessRule Not Available For Object Type [{principal.GetUnderlyingObjectType()}]", AdStatusType.NotSupported);
}
}
else
{
de = DirectoryServices.GetDirectoryEntry(obj.Identity);
if (de == null)
{
throw new AdException($"DirectoryEntry [{obj.Identity}] Can Not Be Found.", AdStatusType.DoesNotExist);
}
}
// Add Rules To Target DirectoryEntry
foreach (AdAccessRule rule in obj.AccessRules)
{
String message = String.Empty;
switch (config.Action)
{
case ActionType.AddAccessRule:
DirectoryServices.AddAccessRule(de, rule.Identity, rule.Rights, rule.Type);
message = $"{rule.Type} [{rule.Rights}] Rule Added To {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
case ActionType.RemoveAccessRule:
DirectoryServices.DeleteAccessRule(de, rule.Identity, rule.Rights, rule.Type);
message = $"{rule.Type} [{rule.Rights}] Rule Deleted From {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
case ActionType.SetAccessRule:
DirectoryServices.SetAccessRule(de, rule.Identity, rule.Rights, rule.Type);
message = $"{rule.Type} [{rule.Rights}] Rule Set On {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
case ActionType.PurgeAccessRules:
DirectoryServices.PurgeAccessRules(de, rule.Identity);
message = $"All Rules Purged On {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}].";
break;
default:
throw new AdException("Action [" + config.Action + "] Not Implemented For Type [" + obj.Type + "]", AdStatusType.NotSupported);
}
result.Statuses.Add(status);
OnLogMessage("ProcessAccessRules", message);
}
if (returnObject)
{
result.Object = GetActiveDirectoryObject(obj);
}
}
catch (AdException ex)
{
ProcessActiveDirectoryException(result, ex, status.Action);
}
catch (Exception e)
{
OnLogMessage("ProcessDelete", e.Message);
OnLogMessage("ProcessDelete", e.StackTrace);
AdException le = new AdException(e);
ProcessActiveDirectoryException(result, le, status.Action);
}
results.Add(result);
}
