public void RemoveRole(string principal, string role, string adObject) { String id = null; String domain = DirectoryServices.GetDomain(principal, out id); Principal p = DirectoryServices.GetPrincipal(id, domain); DirectoryEntry target = DirectoryServices.GetDirectoryEntry(adObject); if (p == null) { throw new AdException($"Principal [{principal}] Can Not Be Found.", AdStatusType.DoesNotExist); } else if (target == null) { throw new AdException($"Target [{adObject}] Can Not Be Found.", AdStatusType.DoesNotExist); } if (Roles.ContainsKey(role)) { DirectoryServices.DeleteAccessRule(target, p, Roles[role].AdRights, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.All); } else { throw new AdException($"Role [{role}] Does Not Exist.", AdStatusType.DoesNotExist); } }
public static void DeleteWorkspace(string workspaceName) { Console.WriteLine($"Deleting Workspace : [{workspaceName}]"); DirectoryServices.DeleteDirectoryEntry("OrganizationalUnit", workspaceName); DirectoryEntry de = DirectoryServices.GetDirectoryEntry(workspaceName, "OrganizationalUnit"); Assert.That(de, Is.Null); }
public void Core_OrgUnitNotFound() { // Get OrgUnit That Does Not Exist String ouName = $"testou_{Utility.GenerateToken( 8 )}"; String ouDistinguishedName = $"OU={ouName},{workspaceName}"; Console.WriteLine($"Getting OrgUnit [{ouName}] Which Should Not Exist."); DirectoryEntryObject badOrgUnit = DirectoryServices.GetOrganizationalUnit(ouName, true, true, false); Assert.That(badOrgUnit, Is.Null); Console.WriteLine($"Getting OrgUnit Principal [{ouName}] Which Should Not Exist."); DirectoryEntry de = DirectoryServices.GetDirectoryEntry(ouDistinguishedName); Assert.That(de, Is.Null); }
// Get A Principal's Cumulitive AD Rights On An Object private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject) { ActiveDirectoryRights myRights = 0; ActiveDirectoryRights myDenyRights = 0; Principal p = DirectoryServices.GetPrincipal(principal); if (p == null) { throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist); } List <DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true); DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject); if (de == null) { throw new AdException($"Object [{adObject}] Does Not Exist.", AdStatusType.DoesNotExist); } List <AccessRuleObject> rules = DirectoryServices.GetAccessRules(de); Dictionary <string, ActiveDirectoryRights> rights = new Dictionary <string, ActiveDirectoryRights>(); Dictionary <string, ActiveDirectoryRights> denyRights = new Dictionary <string, ActiveDirectoryRights>(); // Accumulate Allow and Deny Rights By Identity Reference foreach (AccessRuleObject rule in rules) { if (rule.ControlType == System.Security.AccessControl.AccessControlType.Allow) { if (rights.Keys.Contains(rule.IdentityReference)) { rights[rule.IdentityReference] |= rule.Rights; } else { rights.Add(rule.IdentityReference, rule.Rights); } } else { if (rights.Keys.Contains(rule.IdentityReference)) { denyRights[rule.IdentityReference] |= rule.Rights; } else { denyRights.Add(rule.IdentityReference, rule.Rights); } } } foreach (DirectoryEntry entry in groups) { if (entry.Properties.Contains("objectSid")) { string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value); if (rights.ContainsKey(sid)) { myRights |= rights[sid]; } if (denyRights.ContainsKey(sid)) { myDenyRights |= denyRights[sid]; } } } // Apply Deny Rights myDenyRights = myRights & myDenyRights; myRights = myRights ^ myDenyRights; return(myRights); }
public void Core_OrgUnitTestSuccess() { // Setup Test String name = $"testou_{Utility.GenerateToken( 8 )}"; String distinguishedName = $"OU={name},{workspaceName}"; Dictionary <string, List <string> > properties = new Dictionary <string, List <string> >(); DirectoryServices.AddProperty(properties, "description", "Test OU"); // Create OrgUnit Console.WriteLine($"Creating OrgUnit : [{distinguishedName}]"); DirectoryServices.CreateOrganizationUnit(distinguishedName, properties); // Get OrgUnit By DistinguishedName Console.WriteLine($"Getting OrgUnit By DisginguishedName : [{distinguishedName}]"); DirectoryEntryObject ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, true, true, false); Assert.That(ouo, Is.Not.Null); String guid = ouo.Guid.ToString(); // Get OrgUnit By Name Console.WriteLine($"Getting OrgUnit By Name : [{name}]"); ouo = DirectoryServices.GetOrganizationalUnit(name, false, false, false); Assert.That(ouo, Is.Not.Null); // Get OrgUnit By Name Console.WriteLine($"Getting OrgUnit By Guid : [{guid}]"); ouo = DirectoryServices.GetOrganizationalUnit(guid, false, true, false); Assert.That(ouo, Is.Not.Null); Assert.That(ouo.Properties.ContainsKey("description"), Is.True); // Modify OrgUnit DirectoryServices.AddProperty(properties, "description", "~null~", true); DirectoryServices.ModifyOrganizationUnit(distinguishedName, properties); ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, true, false); Assert.That(ouo.Properties.ContainsKey("description"), Is.False); // Create AccessUser For AccessRule Tests (Below) DirectoryEntry orgUnit = DirectoryServices.GetDirectoryEntry(distinguishedName); UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName); int ruleCount = DirectoryServices.GetAccessRules(orgUnit).Count; // Add Access Rule To OrgUnit Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To OrgUnit [{orgUnit.Name}]."); DirectoryServices.AddAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); int newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Removing Access Rule From OrgUnit Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}]."); DirectoryServices.DeleteAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Seting Access Rule From OrgUnit Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On OrgUnit [{orgUnit.Name}]."); DirectoryServices.SetAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Purge Access Rule From OrgUnit Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}]."); DirectoryServices.PurgeAccessRules(orgUnit, accessRuleUser); newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Delete AccessRule User Utility.DeleteUser(accessRuleUser.DistinguishedName); // Delete OrgUnit Console.WriteLine($"Deleting OrgUnit : [{distinguishedName}]"); DirectoryServices.DeleteOrganizationUnit(distinguishedName); ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, false, false); Assert.That(ouo, Is.Null); }
private void ProcessAccessRules(AdObject obj, bool returnObject = false) { ActiveDirectoryObjectResult result = new ActiveDirectoryObjectResult() { Type = obj.Type, Identity = obj.Identity }; ActiveDirectoryStatus status = new ActiveDirectoryStatus() { Action = config.Action, Status = AdStatusType.Success, Message = "Success", }; try { roleManager.CanPerformActionOrException(requestUser, config.Action, obj.Identity); // Get Target DirectoryEntry For Rules DirectoryEntry de = null; if (obj.Type == AdObjectType.User || obj.Type == AdObjectType.Group) { Principal principal = DirectoryServices.GetPrincipal(obj.Identity); if (principal == null) { throw new AdException($"Principal [{obj.Identity}] Can Not Be Found.", AdStatusType.DoesNotExist); } else if (principal.GetUnderlyingObjectType() == typeof(DirectoryEntry)) { de = (DirectoryEntry)principal.GetUnderlyingObject(); } else { throw new AdException($"AddAccessRule Not Available For Object Type [{principal.GetUnderlyingObjectType()}]", AdStatusType.NotSupported); } } else { de = DirectoryServices.GetDirectoryEntry(obj.Identity); if (de == null) { throw new AdException($"DirectoryEntry [{obj.Identity}] Can Not Be Found.", AdStatusType.DoesNotExist); } } // Add Rules To Target DirectoryEntry foreach (AdAccessRule rule in obj.AccessRules) { String message = String.Empty; switch (config.Action) { case ActionType.AddAccessRule: DirectoryServices.AddAccessRule(de, rule.Identity, rule.Rights, rule.Type); message = $"{rule.Type} [{rule.Rights}] Rule Added To {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}]."; break; case ActionType.RemoveAccessRule: DirectoryServices.DeleteAccessRule(de, rule.Identity, rule.Rights, rule.Type); message = $"{rule.Type} [{rule.Rights}] Rule Deleted From {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}]."; break; case ActionType.SetAccessRule: DirectoryServices.SetAccessRule(de, rule.Identity, rule.Rights, rule.Type); message = $"{rule.Type} [{rule.Rights}] Rule Set On {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}]."; break; case ActionType.PurgeAccessRules: DirectoryServices.PurgeAccessRules(de, rule.Identity); message = $"All Rules Purged On {obj.Type} [{obj.Identity}] For Identity [{rule.Identity}]."; break; default: throw new AdException("Action [" + config.Action + "] Not Implemented For Type [" + obj.Type + "]", AdStatusType.NotSupported); } result.Statuses.Add(status); OnLogMessage("ProcessAccessRules", message); } if (returnObject) { result.Object = GetActiveDirectoryObject(obj); } } catch (AdException ex) { ProcessActiveDirectoryException(result, ex, status.Action); } catch (Exception e) { OnLogMessage("ProcessDelete", e.Message); OnLogMessage("ProcessDelete", e.StackTrace); AdException le = new AdException(e); ProcessActiveDirectoryException(result, le, status.Action); } results.Add(result); }