public IEnumerable <AccessControlList> ListAllGitAcls() { VssConnection connection = this.Context.Connection; SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>(); IEnumerable <AccessControlList> acls = securityClient.QueryAccessControlListsAsync( // in a real app, you should get this value via securityClient.QuerySecurityNamespacesAsync GitSecurityNamespace, string.Empty, descriptors: null, includeExtendedInfo: false, recurse: true).Result; // we'll store one interesting ACE to expand in a later method bool storedAcl = false; Console.WriteLine("token | inherit? | count of ACEs"); Console.WriteLine("------+----------+--------------"); foreach (AccessControlList acl in acls) { Console.WriteLine("{0} | {1} | {2} ACEs", acl.Token, acl.InheritPermissions, acl.AcesDictionary.Count()); if (!storedAcl && acl.Token.Length > "repoV2/".Length) { this.Context.SetValue(this.StoredAclKey, acl); storedAcl = true; } } return(acls); }
internal IEnumerable <AccessControlList> ListAccessControl(Guid identify) { SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>(); IEnumerable <SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(identify).Result; IEnumerable <AccessControlList> acls = securityClient.QueryAccessControlListsAsync( identify, string.Empty, descriptors: null, includeExtendedInfo: false, recurse: true).Result; return(acls); }
static IEnumerable <AccessControlList> GetReleaseDefinitionAccessControlList(VssConnection connection, Guid projectId, int releaseDefinitionId) { // We need the security client to talk to RM service instead of the default TFS to get us the ACLs for release definition SecurityHttpClient securityHttpClient = connection.GetClient <SecurityHttpClient>(Guid.Parse(ReleaseManagementApiConstants.InstanceType)); var acls = securityHttpClient.QueryAccessControlListsAsync( SecurityConstants.ReleaseManagementSecurityNamespaceId, CreateToken(projectId, releaseDefinitionId), null, // all desciptors true, true).Result; return(acls); }
public void GetReleaseDefinitionAccessControlLists() { VssConnection connection = Context.Connection; var project = ClientSampleHelpers.FindAnyProject(this.Context); // We need the security client to talk to RM service instead of the default TFS to get us the ACLs for release definition SecurityHttpClient securityHttpClient = connection.GetClient <SecurityHttpClient>(Guid.Parse(ReleaseManagementApiConstants.InstanceType)); var acls = securityHttpClient.QueryAccessControlListsAsync( SecurityConstants.ReleaseManagementSecurityNamespaceId, CreateToken(project.Id, newlyCreatedReleaseDefinitionId), null, // all desciptors true, true).Result; }
internal List <Permission> GitPermissionsDetails(AccessControlList acessControlList, IEnumerable <GraphUser> users, IEnumerable <GraphGroup> groups, List <GitRepository> repositories) { List <Permission> permissions = new List <Permission>(); Regex extractEmail = new Regex(@"\\(.*$)"); Regex extractGuid = new Regex(@".{8}-.{9}-.{4}-.{12}"); GitHttpClient gitClient = connection.GetClient <GitHttpClient>(); SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>(); GraphHttpClient graphClient = connection.GetClient <GraphHttpClient>(); // Guid guid = Guid.Parse(acessControlList.Token.Remove(0, 7)); IEnumerable <AccessControlList> acls = securityClient.QueryAccessControlListsAsync( Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"), acessControlList.Token, descriptors: null, includeExtendedInfo: false, recurse: true).Result; // get the details for Git permissions Dictionary <int, string> permission = GetGitPermissionNames(); var tokenGuids = extractGuid.Matches(acessControlList.Token); var lastGuidFromToken = Guid.Parse(tokenGuids[tokenGuids.Count - 1].Value); var repository = repositories.FirstOrDefault(r => r.Id.Equals(lastGuidFromToken)); var repositoryName = repository != null ? repository.Name : "<none>"; // use the Git permissions data to expand the ACL Console.WriteLine("Expanding ACL for {0} ({1} ACEs)", repositoryName, acessControlList.AcesDictionary.Count()); foreach (var kvp in acessControlList.AcesDictionary) { // in the key-value pair, Key is an identity and Value is an ACE (access control entry) // allow and deny are bit flags indicating which permissions are allowed/denied //PagedGraphUsers group = graphClient.GetGroupAsync(kvp.Key); //var user = users.First(u => u.Descriptor.ToString().Equals(kvp.Key.ToString())); var group = groups.FirstOrDefault(g => g.Descriptor.Identifier.Equals(kvp.Key.Identifier)); if (group != null) { AddByGroup(permissions, graphClient, permission, repositoryName, kvp, group); } else { AddByUser(users, permissions, extractEmail, permission, repositoryName, kvp); } } return(permissions); }
public static void ListGitNamespacePermissions() { SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>(); Guid g = Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"); //Git security namespace IEnumerable <Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(g).Result; Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription gitNamespace = namespaces.First(); IEnumerable <Microsoft.VisualStudio.Services.Security.AccessControlList> acls = securityClient.QueryAccessControlListsAsync( g, string.Empty, descriptors: null, includeExtendedInfo: false, recurse: true).Result; using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"c:\TFSAdminAutomationData\out_GitAccessControlLists.txt")) { int counter = 0; file.WriteLine("token | inherit? | count of ACEs"); file.WriteLine("------+----------+--------------"); foreach (Microsoft.VisualStudio.Services.Security.AccessControlList acl in acls) { counter++; string[] tokenParser = acl.Token.Split('/'); if (tokenParser.Length != 2) //we are interested in team project level git security { continue; } file.WriteLine(); file.WriteLine(); file.WriteLine("{0} | {1} | {2} ACEs", acl.Token, acl.InheritPermissions, acl.AcesDictionary.Count()); file.WriteLine("Project Name: " + GetProjectName(tokenParser[1])); file.WriteLine("Expanding ACL for {0} ({1} ACEs)", acl.Token, acl.AcesDictionary.Count()); // get the details for Git permissions Dictionary <int, string> permission = GetGitPermissionNames(); // use the Git permissions data to expand the ACL foreach (var kvp in acl.AcesDictionary) { // in the key-value pair, Key is an identity and Value is an ACE (access control entry) // allow and deny are bit flags indicating which permissions are allowed/denied string identity = kvp.Key.Identifier.ToString(); file.WriteLine("Identity {0}", identity); string identityName = GetNameFromIdentity(identity); file.WriteLine("Identity Name {0}", identityName); if (!identityName.EndsWith("Project Administrators")) { continue; } string allowed = GetPermissionString(kvp.Value.Allow, permission); string denied = GetPermissionString(kvp.Value.Deny, permission); file.WriteLine(" Allowed: {0} (value={1})", allowed, kvp.Value.Allow); file.WriteLine(" Denied: {0} (value={1})", denied, kvp.Value.Deny); } } } }