Exemple #1
0
		private void SetupWebDeployPublishingOnServer(List<string> messages)
		{
			if (IsWebDeployInstalled() == false
				|| String.IsNullOrEmpty(ProviderSettings[WDeployEnabled]))
				return;
			//
			var enableFeature = Convert.ToBoolean(ProviderSettings[WDeployEnabled]);
			var repairFeature = Convert.ToBoolean(ProviderSettings[WDeployRepair]);
			//
			var appHostConfigWriter = "WDeployConfigWriter";
			var appHostConfigWriterPassword = Guid.NewGuid().ToString();
			//
			var appPoolConfigEditor = "WDeployAdmin";
			var appPoolConfigEditorPassword = Guid.NewGuid().ToString();
			//
			var appHostConfigFilePath = FileUtils.EvaluateSystemVariables(@"%WINDIR%\system32\inetsrv\config\applicationHost.config");
			//
			#region Repair feature
			if (repairFeature == true && enableFeature == true)
			{
				// Cleanup NTFS permissions
				SecurityUtils.RemoveNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, ServerSettings, UsersOU, GroupsOU);
				// Remove applicationHost.config writer account
				SecurityUtils.DeleteUser(appHostConfigWriter, ServerSettings, UsersOU);
				// Remove local admin user to recycle app pools
				SecurityUtils.DeleteUser(appPoolConfigEditor, ServerSettings, UsersOU);
				// Remove delegation rules if any
				var moduleService = new DelegationRulesModuleService();
				//
				moduleService.RemoveDelegationRule("contentPath,iisApp", "{userScope}");
				moduleService.RemoveDelegationRule("dbFullSql", "Data Source=");
				moduleService.RemoveDelegationRule("dbMySql", "Server=");
				moduleService.RemoveDelegationRule("createApp", "{userScope}");
				moduleService.RemoveDelegationRule("setAcl", "{userScope}");
				moduleService.RemoveDelegationRule("recycleApp", "{userScope}");
				moduleService.RemoveDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}");
			} 
			#endregion

			// Create applicationHost.config writer account
			#region appHostConfigWriter account provisioning
			if (enableFeature == true)
			{
				//
				if (SecurityUtils.UserExists(appHostConfigWriter, ServerSettings, UsersOU) == false)
				{
					//
					try
					{
						SecurityUtils.CreateUser(new SystemUser
							{
								Name = appHostConfigWriter,
								FullName = appHostConfigWriter,
								Password = appHostConfigWriterPassword,
								PasswordCantChange = true,
								PasswordNeverExpires = true,
								MemberOf = new string[] { },
								Description = "Web Deploy applicationHost.config writer account",
							},
							ServerSettings,
							UsersOU,
							GroupsOU);
						// Grant appropriate NTFS permissions
						SecurityUtils.GrantNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, NTFSPermission.Modify, true, true, ServerSettings, UsersOU, GroupsOU);
					}
					catch (Exception ex)
					{
						var errorMessage = "Could not create applicationHost.config writer account";
						//
						Log.WriteError(errorMessage, ex);
						//
						messages.Add(errorMessage);
					}
				}
			}
			else
			{
				if (SecurityUtils.UserExists(appHostConfigWriter, ServerSettings, UsersOU) == true)
				{
					//
					try
					{
						// Remove NTFS permissions
						SecurityUtils.RemoveNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, ServerSettings, UsersOU, GroupsOU);
						// Remove writer account
						SecurityUtils.DeleteUser(appHostConfigWriter, ServerSettings, UsersOU);
					}
					catch (Exception ex)
					{
						var errorMessage = "Could not remove applicationHost.config writer user account";
						//
						Log.WriteError(errorMessage, ex);
						//
						messages.Add(errorMessage);
					}
				}
			} 
			#endregion

			// Create local admin user to recycle app pools
			#region appPoolConfigEditor account provisioning
			if (enableFeature)
			{
				//
				if (SecurityUtils.UserExists(appPoolConfigEditor, ServerSettings, UsersOU) == false)
				{
					//
					try
					{
						SecurityUtils.CreateUser(new SystemUser
						{
							Name = appPoolConfigEditor,
							FullName = appPoolConfigEditor,
							Password = appPoolConfigEditorPassword,
							PasswordCantChange = true,
							PasswordNeverExpires = true,
							MemberOf = new string[] { "Administrators" },
							Description = "Web Deploy AppPool configuration editor account",
						},
							ServerSettings,
							UsersOU,
							GroupsOU);
					}
					catch (Exception ex)
					{
						var errorMessage = "Could not create application pool configuration editor account";
						//
						Log.WriteError(errorMessage, ex);
						//
						messages.Add(errorMessage);
					}
				}
			}
			else
			{
				if (SecurityUtils.UserExists(appPoolConfigEditor, ServerSettings, UsersOU) == true)
				{
					//
					try
					{
						// Remove appPool config editor account
						SecurityUtils.DeleteUser(appPoolConfigEditor, ServerSettings, UsersOU);
					}
					catch (Exception ex)
					{
						var errorMessage = "Could not remove applicationHost.config writer user account";
						//
						Log.WriteError(errorMessage, ex);
						//
						messages.Add(errorMessage);
					}
				}
			} 
			#endregion

			// Add delegation rules
			#region Delegation rules provisioning
			if (enableFeature)
			{
				var moduleService = new DelegationRulesModuleService();
				//
				if (moduleService.DelegationRuleExists("contentPath,iisApp", "{userScope}") == false)
				{
					moduleService.AddDelegationRule("contentPath,iisApp", "{userScope}", "PathPrefix", "CurrentUser", String.Empty, String.Empty);
				}
				//
				if (moduleService.DelegationRuleExists("dbFullSql", "Data Source=") == false)
				{
					moduleService.AddDelegationRule("dbFullSql", "Data Source=", "ConnectionString", "CurrentUser", String.Empty, String.Empty);
				}
				//
				if (moduleService.DelegationRuleExists("dbMySql", "Server=") == false)
				{
					moduleService.AddDelegationRule("dbMySql", "Server=", "ConnectionString", "CurrentUser", String.Empty, String.Empty);
				}
				//
				if (moduleService.DelegationRuleExists("createApp", "{userScope}") == false)
				{
					moduleService.AddDelegationRule("createApp", "{userScope}", "PathPrefix", "SpecificUser", appHostConfigWriter, appHostConfigWriterPassword);
				}
				//
				if (moduleService.DelegationRuleExists("setAcl", "{userScope}") == false)
				{
					moduleService.AddDelegationRule("setAcl", "{userScope}", "PathPrefix", "CurrentUser", String.Empty, String.Empty);
				}
				//
				if (moduleService.DelegationRuleExists("recycleApp", "{userScope}") == false)
				{
					moduleService.AddDelegationRule("recycleApp", "{userScope}", "PathPrefix", "SpecificUser", appPoolConfigEditor, appPoolConfigEditorPassword);
				}
				//
				if (moduleService.DelegationRuleExists("appPoolPipeline,appPoolNetFx", "{userScope}") == false)
				{
					moduleService.AddDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}", "PathPrefix", "SpecificUser", appHostConfigWriter, appHostConfigWriterPassword);
				}
			}
			else
			{
				var moduleService = new DelegationRulesModuleService();
				//
				moduleService.RemoveDelegationRule("contentPath,iisApp", "{userScope}");
				moduleService.RemoveDelegationRule("dbFullSql", "Data Source=");
				moduleService.RemoveDelegationRule("dbMySql", "Server=");
				moduleService.RemoveDelegationRule("createApp", "{userScope}");
				moduleService.RemoveDelegationRule("setAcl", "{userScope}");
				moduleService.RemoveDelegationRule("recycleApp", "{userScope}");
				moduleService.RemoveDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}");
			} 
			#endregion
		}
Exemple #2
0
		public void EnforceDelegationRulesRestrictions(string siteName, string accountName)
		{
			var moduleService = new DelegationRulesModuleService();
			// Adjust web publishing permissions to the user accordingly to deny some rules for shared app pools
			var webSite = webObjectsSvc.GetWebSiteFromIIS(siteName);
			//
			var fqUsername = GetFullQualifiedAccountName(accountName);
			// Instantiate application pool helper to retrieve the app pool mode web site is running in
			WebAppPoolHelper aphl = new WebAppPoolHelper(ProviderSettings);
			// Shared app pool is a subject restrictions to change ASP.NET version and recycle the pool
			if (aphl.is_shared_pool(webSite.ApplicationPool) == true)
			{
				//
				moduleService.RestrictRuleToUser("recycleApp", "{userScope}", fqUsername);
				moduleService.RestrictRuleToUser("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername);
			}
			// Dedicated app pool is not a subject for any restrictions
			else
			{
				//
				moduleService.AllowRuleToUser("recycleApp", "{userScope}", fqUsername);
				moduleService.AllowRuleToUser("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername);
			}
		}
Exemple #3
0
        private void RemoveDelegationRulesRestrictions(string siteName, string accountName)
        {
            WebSite webSite = null;
            using (ServerManager srvman = webObjectsSvc.GetServerManager())
            {
                webSite = webObjectsSvc.GetWebSiteFromIIS(srvman, siteName);
            }
            var moduleService = new DelegationRulesModuleService();
            // Adjust web publishing permissions to the user accordingly to deny some rules for shared app pools

            var fqUsername = GetFullQualifiedAccountName(accountName);
            // Instantiate application pool helper to retrieve the app pool mode web site is running in
            WebAppPoolHelper aphl = new WebAppPoolHelper(ProviderSettings);
            //
            // Shared app pool is a subject restrictions to change ASP.NET version and recycle the pool,
            // so we need to remove these restrictions
            if (aphl.is_shared_pool(webSite.ApplicationPool) == true)
            {
                //
                moduleService.RemoveUserFromRule("recycleApp", "{userScope}", fqUsername);
                moduleService.RemoveUserFromRule("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername);
            }
        }