public static AuthorizationRuleCollection GetAccess(PSObject instance)
{
AuthorizationRuleCollection accessRules;
if (instance != null)
{
ObjectSecurity baseObject = instance.BaseObject as ObjectSecurity;
if (baseObject == null)
{
PSTraceSource.NewArgumentException("instance");
}
CommonObjectSecurity commonObjectSecurity = baseObject as CommonObjectSecurity;
if (commonObjectSecurity == null)
{
DirectoryObjectSecurity directoryObjectSecurity = baseObject as DirectoryObjectSecurity;
accessRules = directoryObjectSecurity.GetAccessRules(true, true, typeof(NTAccount));
}
else
{
accessRules = commonObjectSecurity.GetAccessRules(true, true, typeof(NTAccount));
}
return(accessRules);
}
else
{
throw PSTraceSource.NewArgumentNullException("instance");
}
}
private FileSystemRights GetFileSystemRights(CommonObjectSecurity objectSecurity)
{
AuthorizationRuleCollection accessRules = objectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
FileSystemRights fileSystemAllowRights = 0;
FileSystemRights fileSystemDenyRights = 0;
foreach (FileSystemAccessRule accessRule in accessRules)
{
IdentityReference identityReference = accessRule.IdentityReference;
if (identityReference != _currentUserIdentifier && _currentUserGroups.All(reference => reference != identityReference))
{
continue;
}
if (accessRule.AccessControlType == AccessControlType.Deny)
{
fileSystemDenyRights = fileSystemDenyRights | accessRule.FileSystemRights;
}
else
{
fileSystemAllowRights = fileSystemAllowRights | accessRule.FileSystemRights;
}
}
return(fileSystemAllowRights & (~fileSystemDenyRights));
}
private static string GetPermissions(CommonObjectSecurity fileSystemSecurity)
{
var accessRules = fileSystemSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
.Cast <FileSystemAccessRule>()
.Where(x => x.IdentityReference == WindowsIdentity.GetCurrent().User)
.ToArray();
return(GetEffectiveRights(accessRules).ToString());
}
private static bool FindMatch(CommonObjectSecurity security, FileSystemAccessRule rule)
=> security.GetAccessRules(true, false, typeof(SecurityIdentifier))
.OfType <FileSystemAccessRule>()
.Any(
ar =>
ar.IdentityReference.Equals(rule.IdentityReference) &&
ar.FileSystemRights.Equals(rule.FileSystemRights) &&
ar.InheritanceFlags.Equals(rule.InheritanceFlags) &&
ar.PropagationFlags.Equals(rule.PropagationFlags));
private static T GetEffectiveRights <T, R>(CommonObjectSecurity securityObject, WindowsIdentity windowsIdentity) where T : struct, IConvertible where R : AccessRule
{
if (!typeof(T).IsEnum)
{
throw new ArgumentException($"Type '{typeof(T).FullName}' is not an enum");
}
if (windowsIdentity == null)
{
throw new ArgumentNullException(nameof(windowsIdentity));
}
if (securityObject == null)
{
throw new ArgumentNullException(nameof(securityObject));
}
int denyRights = 0, allowRights = 0;
// get all access rules for the path - this works for a directory path as well as a file path
AuthorizationRuleCollection authorizationRules = securityObject.GetAccessRules(true, true, typeof(SecurityIdentifier));
// get the user's sids
List <string> sids = new List <string>(windowsIdentity.Groups.Select(g => g.Value));
sids.Insert(0, windowsIdentity.User.Value);
// get the access rules filtered by the user's sids
var rules = (from rule in authorizationRules.Cast <R>()
where sids.Contains(rule.IdentityReference.Value)
select rule);
System.Reflection.PropertyInfo pi = null;
foreach (var rule in rules)
{
if (pi == null)
{
pi = rule.GetType().GetProperty("AccessMask", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance, null, typeof(int), Type.EmptyTypes, null);
}
if (pi == null)
{
throw new InvalidOperationException("Unable to retrieve access mask.");
}
if (rule.AccessControlType == AccessControlType.Deny)
{
denyRights |= (int)pi.GetValue(rule, null);
}
else
{
allowRights |= (int)pi.GetValue(rule, null);
}
}
return((T)Enum.ToObject(typeof(T), (allowRights | denyRights) ^ denyRights));
}
private static void ShowSecurity(CommonObjectSecurity security)
{
AuthorizationRuleCollection coll = security.GetAccessRules(true, true, typeof(NTAccount));
foreach (FileSystemAccessRule rule in coll)
{
Console.WriteLine("IdentityReference: {0}", rule.IdentityReference);
Console.WriteLine("Access control type: {0}", rule.AccessControlType);
Console.WriteLine("Rights: {0}", rule.FileSystemRights);
Console.WriteLine("Inherited? {0}", rule.IsInherited);
Console.WriteLine();
}
}
/// <summary>
/// Identities the has accces.
/// </summary>
/// <param name="identity">The identity.</param>
/// <param name="security">The security.</param>
/// <param name="fileSystemRights">The file system rights.</param>
/// <returns>
/// <c>true</c> if [has identity accces] [the specified identity]; otherwise, <c>false</c>.
/// </returns>
private static bool HasIdentityAccces(WindowsIdentity identity, CommonObjectSecurity security, FileSystemRights fileSystemRights)
{
var allReference = GetAllReference(identity);
var authorizationRuleCollection = security.GetAccessRules(true, true, domain);
foreach (FileSystemAccessRule fileSystemAccessRule in authorizationRuleCollection)
{
if (AccessControlType.Allow == fileSystemAccessRule.AccessControlType &&
fileSystemRights == (fileSystemAccessRule.FileSystemRights & fileSystemRights) &&
allReference.Contains(fileSystemAccessRule.IdentityReference)
)
{
return(true);
}
}
return(false);
}
private void VerifyAccessSecurity(CommonObjectSecurity expectedSecurity, CommonObjectSecurity actualSecurity)
{
Assert.Equal(typeof(FileSystemRights), expectedSecurity.AccessRightType);
Assert.Equal(typeof(FileSystemRights), actualSecurity.AccessRightType);
List <FileSystemAccessRule> expectedAccessRules = expectedSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier))
.Cast <FileSystemAccessRule>().ToList();
List <FileSystemAccessRule> actualAccessRules = actualSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier))
.Cast <FileSystemAccessRule>().ToList();
Assert.Equal(expectedAccessRules.Count, actualAccessRules.Count);
if (expectedAccessRules.Count > 0)
{
Assert.All(expectedAccessRules, actualAccessRule =>
{
int count = expectedAccessRules.Count(expectedAccessRule => AreAccessRulesEqual(expectedAccessRule, actualAccessRule));
Assert.True(count > 0);
});
}
}
private static bool IsFileSystemAccessRuleSet(FileSystemRights rights, CommonObjectSecurity commonObjectSecurity, AccessControlType accessControlType)
{
AuthorizationRuleCollection rules = commonObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
return(rules.OfType <FileSystemAccessRule>().Any(fs => fs.FileSystemRights.HasFlag(rights) && fs.AccessControlType == accessControlType));
}
