/// <summary>
/// Verify that the target securable item has the needed security settings
/// </summary>
/// <param name="context">Client context object</param>
/// <param name="security">Security template model</param>
/// <param name="item">Securable item</param>
/// <returns></returns>
public bool ValidateSecurityCSOM(ClientContext context, ObjectSecurity security, SecurableObject item)
{
int roleAssignmentCount = security.RoleAssignments.Count;
int roleCount = 0;
IEnumerable roles = context.LoadQuery(item.RoleAssignments.Include(roleAsg => roleAsg.Member,
roleAsg => roleAsg.RoleDefinitionBindings.Include(roleDef => roleDef.Name)));
context.ExecuteQueryRetry();
foreach (var s in security.RoleAssignments)
{
foreach (Microsoft.SharePoint.Client.RoleAssignment r in roles)
{
if (r.Member.LoginName.Contains(s.Principal))
{
if (r.Member.LoginName.Equals("c:0(.s|true", StringComparison.InvariantCultureIgnoreCase))
{
roleCount++;
}
else if (r.RoleDefinitionBindings.Where(i => i.Name == s.RoleDefinition).FirstOrDefault() != null)
{
roleCount++;
}
}
}
}
if (roleAssignmentCount != roleCount)
{
return(false);
}
return(true);
}
public static void SetSecurity(this SecurableObject securable, TokenParser parser, ObjectSecurity security)
{
//using (var scope = new PnPMonitoredScope("Set Security"))
//{
var context = securable.Context as ClientContext;
var groups = context.LoadQuery(context.Web.SiteGroups.Include(g => g.LoginName));
var webRoleDefinitions = context.LoadQuery(context.Web.RoleDefinitions);
context.ExecuteQueryRetry();
securable.BreakRoleInheritance(security.CopyRoleAssignments, security.ClearSubscopes);
foreach (var roleAssignment in security.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = context.Web.EnsureUser(roleAssignment.Principal);
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignment.RoleDefinition);
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
securable.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
}
context.ExecuteQueryRetry();
//}
}
/// <summary>
/// Sets the security descriptor on the specified item.
/// </summary>
/// <param name="path">
/// The path to the item to set the security descriptor on.
/// </param>
/// <param name="securityDescriptor">
/// The security descriptor to set on the item at the specified path.
/// </param>
/// <param name="context">
/// The context which the core command is running.
/// </param>
/// <returns>
/// Nothing. The security descriptor that was set on the item at the specified path
/// is written to the context.
/// </returns>
/// <exception cref="ItemNotFoundException">
/// If <paramref name="path"/> does not contain glob characters and
/// could not be found.
/// </exception>
internal void SetSecurityDescriptor(
string path,
ObjectSecurity securityDescriptor,
CmdletProviderContext context)
{
if (path == null)
{
throw PSTraceSource.NewArgumentNullException("path");
}
if (securityDescriptor == null)
{
throw PSTraceSource.NewArgumentNullException("securityDescriptor");
}
ProviderInfo provider = null;
CmdletProvider providerInstance = null;
Collection <string> providerPaths =
Globber.GetGlobbedProviderPathsFromMonadPath(
path,
false,
context,
out provider,
out providerInstance);
foreach (string providerPath in providerPaths)
{
SetSecurityDescriptor(
providerInstance,
providerPath,
securityDescriptor,
context);
}
}
public SecurityAttributes(ObjectSecurity securityDescriptor)
{
var safeBuffer = ToUnmanagedSecurityAttributes(securityDescriptor);
nLength = safeBuffer.Capacity;
lpSecurityDescriptor = safeBuffer;
}
/// <summary>
/// Gets the security descriptor for the item specified by <paramref name="path"/>.
/// </summary>
///
/// <param name="path">
/// The path to the item.
/// </param>
///
/// <param name="sections">
/// Specifies the parts of a security descriptor to retrieve.
/// </param>
///
/// <returns>
/// Nothing. An object that represents the security descriptor for the item
/// specified by path is written to the WriteSecurityDescriptorObject method.
/// </returns>
public void GetSecurityDescriptor(string path,
AccessControlSections sections)
{
ObjectSecurity sd = null;
IRegistryWrapper key = null;
// Validate input first.
if (String.IsNullOrEmpty(path))
{
throw PSTraceSource.NewArgumentNullException("path");
}
if ((sections & ~AccessControlSections.All) != 0)
{
throw PSTraceSource.NewArgumentException("sections");
}
path = NormalizePath(path);
key = GetRegkeyForPathWriteIfError(path, false);
if (key != null)
{
try
{
sd = key.GetAccessControl(sections);
}
catch (System.Security.SecurityException e)
{
WriteError(new ErrorRecord(e, e.GetType().FullName, ErrorCategory.PermissionDenied, path));
return;
}
WriteSecurityDescriptorObject(sd, path);
}
}
public void SetAccessControl(ObjectSecurity securityDescriptor)
{
using (_provider.CurrentPSTransaction)
{
_txRegKey.SetAccessControl((TransactedRegistrySecurity)securityDescriptor);
}
}
internal void SetSecurityDescriptor(string path, ObjectSecurity securityDescriptor, CmdletProviderContext context)
{
this.Context = context;
ISecurityDescriptorCmdletProvider permissionProvider = this as ISecurityDescriptorCmdletProvider;
CheckIfSecurityDescriptorInterfaceIsSupported(permissionProvider);
permissionProvider.SetSecurityDescriptor(path, securityDescriptor);
}
private static string GetOwnerName(ObjectSecurity systemSecurity)
{
var sid = systemSecurity.GetOwner(typeof(SecurityIdentifier));
var ntAccount = sid.Translate(typeof(NTAccount));
var owner = ntAccount.Value;
return(owner);
}
public SecurityAttributes(ObjectSecurity securityDescriptor)
{
SafeGlobalMemoryBufferHandle safeBuffer = ToUnmanagedSecurityAttributes(securityDescriptor);
nLength = safeBuffer.Capacity;
lpSecurityDescriptor = safeBuffer;
bInheritHandle = false;
}
public NativeSecurityAttributes(ObjectSecurity managedSecurityObject, bool inheritHandle)
{
length = Marshal.SizeOf(typeof(NativeSecurityAttributes));
byte[] binarySecurityDescriptor = managedSecurityObject.GetSecurityDescriptorBinaryForm();
securityDescriptor = Marshal.AllocHGlobal(binarySecurityDescriptor.Length);
Marshal.Copy(binarySecurityDescriptor, 0, securityDescriptor, binarySecurityDescriptor.Length);
this.inheritHandle = inheritHandle;
}
/// <summary>
/// Sets the SecurityDescriptor at the specified path, using the provided Context.
/// </summary>
/// <param name="path">
/// The path of the item to set. It may be a drive or provider-qualified path and may include
/// glob characters.
/// </param>
/// <param name="sd">
/// The new security descriptor to set.
/// </param>
/// <param name="context">
/// The context under which the command is running.
/// </param>
/// <returns>
/// Nothing. The object(s) set at the specified path are written to the context.
/// </returns>
internal void Set(string path, ObjectSecurity sd, CmdletProviderContext context)
{
Dbg.Diagnostics.Assert(
_sessionState != null,
"The only constructor for this class should always set the sessionState field");
// Parameter validation is done in the session state object
_sessionState.SetSecurityDescriptor(path, sd, context);
}
} // NewSecurityDescriptor
private ObjectSecurity NewSecurityDescriptorFromPath(
CmdletProvider providerInstance,
string path,
AccessControlSections sections)
{
ObjectSecurity sd = null;
// All parameters should have been validated by caller
Diagnostics.Assert(
providerInstance != null,
"Caller should validate providerInstance before calling this method");
Diagnostics.Assert(
path != null,
"Caller should validate path before calling this method");
Diagnostics.Assert(
ExecutionContext != null,
"Caller should validate context before calling this method");
// This just verifies that the provider supports the interface.
ISecurityDescriptorCmdletProvider sdProvider =
GetPermissionProviderInstance(providerInstance);
try
{
sd = sdProvider.NewSecurityDescriptorFromPath(path,
sections);
}
catch (LoopFlowException)
{
throw;
}
catch (PipelineStoppedException)
{
throw;
}
catch (ActionPreferenceStopException)
{
throw;
}
catch (Exception e) // Catch-all OK, 3rd party callout.
{
CommandProcessorBase.CheckForSevereException(e);
throw NewProviderInvocationException(
"NewSecurityDescriptorProviderException",
SessionStateStrings.GetSecurityDescriptorProviderException,
providerInstance.ProviderInfo,
path,
e);
}
return(sd);
} // NewSecurityDescriptor
public static List <string> GetInheritedFrom(string path, ObjectSecurity sd, bool isContainer)
{
var inheritedFrom = new List <string>();
path = Path.GetLongPath(path);
uint returnValue = 0;
GENERIC_MAPPING genericMap = new GENERIC_MAPPING();
genericMap.GenericRead = (uint)MappedGenericRights.FILE_GENERIC_READ;
genericMap.GenericWrite = (uint)MappedGenericRights.FILE_GENERIC_WRITE;
genericMap.GenericExecute = (uint)MappedGenericRights.FILE_GENERIC_EXECUTE;
genericMap.GenericAll = (uint)MappedGenericRights.FILE_GENERIC_ALL;
var sdBytes = sd.GetSecurityDescriptorBinaryForm();
var commonSd = new CommonSecurityDescriptor(isContainer, false, sdBytes, 0);
var aclBytes = new byte[commonSd.DiscretionaryAcl.BinaryLength];
commonSd.DiscretionaryAcl.GetBinaryForm(aclBytes, 0);
var pInheritInfo = Marshal.AllocHGlobal(commonSd.DiscretionaryAcl.Count * Marshal.SizeOf(typeof(PINHERITED_FROM)));
returnValue = GetInheritanceSource(
path,
ResourceType.FileObject,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
isContainer,
IntPtr.Zero,
0,
aclBytes,
IntPtr.Zero,
ref genericMap,
pInheritInfo
);
if (returnValue != 0)
{
throw new System.ComponentModel.Win32Exception((int)returnValue);
}
for (int i = 0; i < commonSd.DiscretionaryAcl.Count; i++)
{
var inheritInfo = pInheritInfo.ElementAt <PINHERITED_FROM>(i);
inheritedFrom.Add(
!string.IsNullOrEmpty(inheritInfo.AncestorName) && inheritInfo.AncestorName.StartsWith(@"\\?\") ? inheritInfo.AncestorName.Substring(4) : inheritInfo.AncestorName
);
}
FreeInheritedFromArray(pInheritInfo, (ushort)commonSd.DiscretionaryAcl.Count, IntPtr.Zero);
Marshal.FreeHGlobal(pInheritInfo);
return(inheritedFrom);
}
public void CanRemoveCurrentUserAfterBreakingRoleInheritanceWithoutCopyRoleAssignment()
{
var template = new ProvisioningTemplate();
Page page = new Page
{
Layout = WikiPageLayout.TwoColumns,
Overwrite = true,
Url = "{site}/sitepages/pagetest.aspx"
};
var security = new ObjectSecurity()
{
ClearSubscopes = false,
CopyRoleAssignments = false,
};
page.SetSecurity(security);
template.Pages.Add(page);
using (var ctx = TestCommon.CreateClientContext())
{
var currentUser = ctx.Web.EnsureProperty(w => w.CurrentUser);
var roleAssignment = new PnP.Framework.Provisioning.Model.RoleAssignment
{
Principal = currentUser.LoginName,
Remove = true,
RoleDefinition = "{roledefinition:Administrator}"
};
page.Security.RoleAssignments.Add(roleAssignment);
var parser = new TokenParser(ctx.Web, template);
new ObjectPages().ProvisionObjects(ctx.Web, template, parser, new ProvisioningTemplateApplyingInformation());
ctx.Load(ctx.Web, w => w.ServerRelativeUrl);
ctx.ExecuteQueryRetry();
var file = ctx.Web.GetFileByServerRelativeUrl(UrlUtility.Combine(ctx.Web.ServerRelativeUrl, "/SitePages/pagetest.aspx"));
ctx.Load(file, f => f.Exists);
ctx.ExecuteQueryRetry();
Assert.IsTrue(file.Exists);
var listItem = file.ListItemAllFields;
var roleAssignments = listItem.RoleAssignments;
ctx.Load(roleAssignments);
ctx.ExecuteQueryRetry();
Assert.AreEqual(0, roleAssignments.Count);
}
}
void ISecurityDescriptorCmdletProvider.SetSecurityDescriptor(string path, ObjectSecurity securityDescriptor)
{
if (securityDescriptor is GenericObjectSecurity obj_security)
{
string relative_path = GetRelativePath(PSPathToNT(path));
using (var dir = GetPathDirectory(relative_path, true).Result)
{
dir.SetSecurity(relative_path, obj_security);
}
}
}
/// <summary>
/// Sets the provided SecurityDescriptor at the specified path.
/// </summary>
/// <param name="path">
/// The path of the item to set. It may be a drive or provider-qualified path and may include
/// glob characters.
/// </param>
/// <param name="sd">
/// The new security descriptor to set.
/// </param>
/// <returns>
/// The SecurityDescriptor(s) set at the specified path.
/// </returns>
public Collection <PSObject> Set(string path, ObjectSecurity sd)
{
Dbg.Diagnostics.Assert(
_sessionState != null,
"The only constructor for this class should always set the sessionState field");
// Parameter validation is done in the session state object
Collection <PSObject> result = _sessionState.SetSecurityDescriptor(path, sd);
return(result);
}
public DataRow(Dictionary<string, string> values, ObjectSecurity security)
{
if (values != null)
{
foreach (var key in values.Keys)
{
Values.Add(key, values[key]);
}
}
this.Security = security;
}
/// <summary>
/// Gets the security descriptor from the specified item.
/// </summary>
///
/// <param name="type">
/// The type of the item which corresponds to the security
/// descriptor that we want to create.
/// </param>
///
/// <param name="providerInstance">
/// The type of the item which corresponds to the security
/// descriptor that we want to create.
/// </param>
///
/// <param name="sections">
/// Specifies the parts of a security descriptor to retrieve.
/// </param>
///
/// <returns>
/// Nothing. The security descriptor for the item at the specified type is
/// written to the context.
/// </returns>
///
internal ObjectSecurity NewSecurityDescriptorOfType(
CmdletProvider providerInstance,
string type,
AccessControlSections sections)
{
ObjectSecurity sd = null;
if (type == null)
{
throw PSTraceSource.NewArgumentNullException("type");
}
if (providerInstance == null)
{
throw PSTraceSource.NewArgumentNullException("providerInstance");
}
// This just verifies that the provider supports the interface.
ISecurityDescriptorCmdletProvider sdProvider =
GetPermissionProviderInstance(providerInstance);
try
{
sd = sdProvider.NewSecurityDescriptorOfType(type,
sections);
}
catch (LoopFlowException)
{
throw;
}
catch (PipelineStoppedException)
{
throw;
}
catch (ActionPreferenceStopException)
{
throw;
}
catch (Exception e) // Catch-all OK, 3rd party callout.
{
CommandProcessorBase.CheckForSevereException(e);
throw NewProviderInvocationException(
"NewSecurityDescriptorProviderException",
SessionStateStrings.GetSecurityDescriptorProviderException,
providerInstance.ProviderInfo,
type,
e);
}
return(sd);
} // NewSecurityDescriptorOfType
internal void SetSecurityDescriptor(
string path,
ObjectSecurity securityDescriptor,
CmdletProviderContext context)
{
using (CmdletProvider.providerBaseTracer.TraceMethod(path, new object[0]))
{
this.Context = context;
ISecurityDescriptorCmdletProvider permissionProvider = this as ISecurityDescriptorCmdletProvider;
CmdletProvider.CheckIfSecurityDescriptorInterfaceIsSupported(permissionProvider);
permissionProvider.SetSecurityDescriptor(path, securityDescriptor);
}
}
public KernelTransaction(ObjectSecurity securityDescriptor, int timeout, string description)
{
if (!NativeMethods.IsAtLeastWindowsVista)
{
throw new PlatformNotSupportedException(Resources.Requires_Windows_Vista_Or_Higher);
}
using (var securityAttributes = new Security.NativeMethods.SecurityAttributes(securityDescriptor))
{
_hTrans = NativeMethods.CreateTransaction(securityAttributes, IntPtr.Zero, 0, 0, 0, timeout, description);
int lastError = Marshal.GetLastWin32Error();
NativeMethods.IsValidHandle(_hTrans, lastError);
}
}
public KernelTransaction(ObjectSecurity securityDescriptor, int timeout, string description)
{
if (!NativeMethods.IsAtLeastWindowsVista)
{
throw new PlatformNotSupportedException(new Win32Exception((int)Win32Errors.ERROR_OLD_WIN_VERSION).Message);
}
using (var securityAttributes = new Security.NativeMethods.SecurityAttributes(securityDescriptor))
{
_hTrans = NativeMethods.CreateTransaction(securityAttributes, IntPtr.Zero, 0, 0, 0, timeout, description);
int lastError = Marshal.GetLastWin32Error();
NativeMethods.IsValidHandle(_hTrans, lastError);
}
}
/// <summary>
/// Check to ensure that the named pipe server we connected to is owned by the same
/// user.
/// </summary>
/// <remarks>
/// The type is embedded in assemblies that need to run cross platform. While this particular
/// code will never be hit when running on non-Windows platforms it does need to work when
/// on Windows. To facilitate that we use reflection to make the check here to enable it to
/// compile into our cross plat assemblies.
/// </remarks>
private static bool CheckPipeConnectionOwnership(NamedPipeClientStream pipeStream)
{
try
{
var currentIdentity = WindowsIdentity.GetCurrent();
var currentOwner = currentIdentity.Owner;
ObjectSecurity remotePipeSecurity = GetPipeSecurity(pipeStream);
var remoteOwner = remotePipeSecurity.GetOwner(typeof(SecurityIdentifier));
return(currentOwner.Equals(remoteOwner));
}
catch (Exception ex)
{
Log("Exception checking pipe connection: {0}", ex.Message);
return(false);
}
}
private bool disposedValue = false; // To detect redundant calls
protected virtual void Dispose(bool disposing)
{
if (!disposedValue)
{
if (disposing)
{
// TODO: dispose managed state (managed objects).
}
// TODO: free unmanaged resources (unmanaged objects) and override a finalizer below.
// TODO: set large fields to null.
objectSecurity = null;
QuestionarioDAO = null;
disposedValue = true;
}
}
/// <summary>
/// Initializes the SecurityAttributes structure from an instance of <see cref="ObjectSecurity"/>.
/// </summary>
/// <param name="memoryHandle">A handle that will refer to the memory allocated by this object for storage of the
/// security descriptor. As long as this object is used, the memory handle should be kept alive, and afterwards it
/// should be disposed as soon as possible.</param>
/// <param name="securityDescriptor">The security descriptor to assign to this object. This parameter may be <see langword="null"/>.</param>
public void Initialize(out SafeGlobalMemoryBufferHandle memoryHandle, ObjectSecurity securityDescriptor)
{
nLength = (uint)Marshal.SizeOf(this);
if (securityDescriptor == null)
{
memoryHandle = new SafeGlobalMemoryBufferHandle();
}
else
{
byte[] src = securityDescriptor.GetSecurityDescriptorBinaryForm();
memoryHandle = new SafeGlobalMemoryBufferHandle(src.Length);
memoryHandle.CopyFrom(src, 0, src.Length);
}
bInheritHandle = 0;
}
public static void TestAccessRules(ObjectSecurity sysIO, ObjectSecurity alphaFS)
{
Console.WriteLine();
Console.WriteLine("\tSystem.IO .AccessRightType: [{0}]", sysIO.AccessRightType);
Console.WriteLine("\tAlphaFS .AccessRightType: [{0}]", alphaFS.AccessRightType);
Console.WriteLine();
Assert.AreEqual(sysIO.AccessRightType, alphaFS.AccessRightType);
Console.WriteLine("\tSystem.IO .AccessRuleType: [{0}]", sysIO.AccessRuleType);
Console.WriteLine("\tAlphaFS .AccessRuleType: [{0}]", alphaFS.AccessRuleType);
Console.WriteLine();
Assert.AreEqual(sysIO.AccessRuleType, alphaFS.AccessRuleType);
Console.WriteLine("\tSystem.IO .AuditRuleType: [{0}]", sysIO.AuditRuleType);
Console.WriteLine("\tAlphaFS .AuditRuleType: [{0}]", alphaFS.AuditRuleType);
Console.WriteLine();
Assert.AreEqual(sysIO.AuditRuleType, alphaFS.AuditRuleType);
Console.WriteLine("\tSystem.IO .AreAccessRulesProtected: [{0}]", sysIO.AreAccessRulesProtected);
Console.WriteLine("\tAlphaFS .AreAccessRulesProtected: [{0}]", alphaFS.AreAccessRulesProtected);
Console.WriteLine();
Assert.AreEqual(sysIO.AreAccessRulesProtected, alphaFS.AreAccessRulesProtected);
Console.WriteLine("\tSystem.IO .AreAuditRulesProtected: [{0}]", sysIO.AreAuditRulesProtected);
Console.WriteLine("\tAlphaFS .AreAuditRulesProtected: [{0}]", alphaFS.AreAuditRulesProtected);
Console.WriteLine();
Assert.AreEqual(sysIO.AreAuditRulesProtected, alphaFS.AreAuditRulesProtected);
Console.WriteLine("\tSystem.IO .AreAccessRulesCanonical: [{0}]", sysIO.AreAccessRulesCanonical);
Console.WriteLine("\tAlphaFS .AreAccessRulesCanonical: [{0}]", alphaFS.AreAccessRulesCanonical);
Console.WriteLine();
Assert.AreEqual(sysIO.AreAccessRulesCanonical, alphaFS.AreAccessRulesCanonical);
Console.WriteLine("\tSystem.IO .AreAuditRulesCanonical: [{0}]", sysIO.AreAuditRulesCanonical);
Console.WriteLine("\tAlphaFS .AreAuditRulesCanonical: [{0}]", alphaFS.AreAuditRulesCanonical);
Console.WriteLine();
Assert.AreEqual(sysIO.AreAuditRulesCanonical, alphaFS.AreAuditRulesCanonical);
}
public KernelTransaction(ObjectSecurity securityDescriptor, uint timeout, string description)
{
NativeMethods.SecurityAttributes secAttr = new NativeMethods.SecurityAttributes();
SafeGlobalMemoryBufferHandle handle;
//NativeMethods.InitializeSecurityAttributes(ref secAttr, out handle, securityDescriptor);
secAttr.Initialize(out handle, securityDescriptor);
hTrans = NativeMethods.CreateTransaction(secAttr, IntPtr.Zero, 0, 0, 0, timeout, description);
handle.Dispose();
if (hTrans.IsInvalid)
{
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());
}
}
private static void SetSecurity(ObjectSecurity security)
{
if (null == security)
{
throw new ArgumentNullException("security");
}
// Set the DACL.
security.SetSecurityDescriptorSddlForm("D:(A;;GA;;;WD)", AccessControlSections.Access);
// Can only set integrity levels in the SACL for Vista and newer.
Version vista = new Version(6, 0);
if (vista <= Environment.OSVersion.Version)
{
security.SetSecurityDescriptorSddlForm("S:(ML;;NW;;;ME)", AccessControlSections.Audit);
}
}
private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections)
{
var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE();
byte[] securityDescriptorBinary = null;
try
{
// Get the binary form of the descriptor.
PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
securityDescriptorBinary = sd.GetSecurityDescriptorBinaryForm();
}
finally
{
PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
}
try
{
PlatformInvokes.EnableTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);
// Transfer it to the new file / directory.
// We keep these two code branches so that we can have more
// granular information when we ouput the object type via
// WriteSecurityDescriptorObject.
if (Directory.Exists(path))
{
DirectorySecurity newDescriptor = new DirectorySecurity();
newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
new DirectoryInfo(path).SetAccessControl(newDescriptor);
WriteSecurityDescriptorObject(newDescriptor, path);
}
else
{
FileSecurity newDescriptor = new FileSecurity();
newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
new FileInfo(path).SetAccessControl(newDescriptor);
WriteSecurityDescriptorObject(newDescriptor, path);
}
}
finally
{
PlatformInvokes.RestoreTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);
}
}
private static ObjectSecurity NewSecurityDescriptor(
ItemType itemType)
{
ObjectSecurity sd = null;
switch (itemType)
{
case ItemType.File:
sd = new FileSecurity();
break;
case ItemType.Directory:
sd = new DirectorySecurity();
break;
}
return(sd);
}
} // GetSecurityDescriptor
/// <summary>
/// Internal wrapper for the SetSecurityDescriptor protected method. This method will
/// only be called if the provider implements the ISecurityDescriptorCmdletProvider interface.
/// </summary>
///
/// <param name="path">
/// The path to the item to set the new security descriptor on.
/// </param>
///
/// <param name="securityDescriptor">
/// The new security descriptor for the item.
/// </param>
///
/// <param name="context">
/// The context under which this method is being called.
/// </param>
///
/// <returns>
/// Nothing. The security descriptor object that was set should be written
/// to the context.
/// </returns>
///
internal void SetSecurityDescriptor(
string path,
ObjectSecurity securityDescriptor,
CmdletProviderContext context)
{
Context = context;
ISecurityDescriptorCmdletProvider permissionProvider = this as ISecurityDescriptorCmdletProvider;
//
// if this is not supported, the fn will throw
//
CheckIfSecurityDescriptorInterfaceIsSupported(permissionProvider);
// Call interface method
permissionProvider.SetSecurityDescriptor(path, securityDescriptor);
} // SetSecurityDescriptor
/// <summary>
/// Gets the SecurityDescriptor at the specified path, including only the specified
/// AccessControlSections.
/// </summary>
/// <param name="path">
/// The path of the item to retrieve. It may be a drive or provider-qualified path and may include.
/// glob characters.
/// </param>
/// <param name="sections">
/// The sections of the security descriptor to include.
/// </param>
/// <returns>
/// Nothing. An object that represents the security descriptor for the item
/// specified by path is written to the context's pipeline.
/// </returns>
/// <exception cref="System.ArgumentException">
/// path is null or empty.
/// path doesn't exist
/// sections is not valid.
/// </exception>
public void GetSecurityDescriptor(string path,
AccessControlSections sections)
{
ObjectSecurity sd = null;
path = NormalizePath(path);
if (string.IsNullOrEmpty(path))
{
throw PSTraceSource.NewArgumentNullException("path");
}
if ((sections & ~AccessControlSections.All) != 0)
{
throw PSTraceSource.NewArgumentException("sections");
}
var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE();
try
{
PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
if (Directory.Exists(path))
{
sd = new DirectorySecurity(path, sections);
}
else
{
sd = new FileSecurity(path, sections);
}
}
catch (System.Security.SecurityException e)
{
WriteError(new ErrorRecord(e, e.GetType().FullName, ErrorCategory.PermissionDenied, path));
}
finally
{
PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
}
WriteSecurityDescriptorObject(sd, path);
}
public static ObjectSecurity GetSecurity(this SecurableObject securable)
{
ObjectSecurity security = null;
using (var scope = new PnPMonitoredScope("Get Security"))
{
var context = securable.Context as ClientContext;
context.Load(securable, sec => sec.HasUniqueRoleAssignments);
context.Load(context.Web, w => w.AssociatedMemberGroup.Title, w => w.AssociatedOwnerGroup.Title, w => w.AssociatedVisitorGroup.Title);
var roleAssignments = context.LoadQuery(securable.RoleAssignments.Include(
r => r.Member.LoginName,
r => r.RoleDefinitionBindings.Include(
rdb => rdb.Name,
rdb => rdb.RoleTypeKind
)));
context.ExecuteQueryRetry();
if (securable.HasUniqueRoleAssignments)
{
security = new ObjectSecurity();
foreach (var roleAssignment in roleAssignments)
{
if (roleAssignment.Member.LoginName != "Excel Services Viewers")
{
foreach (var roleDefinition in roleAssignment.RoleDefinitionBindings)
{
if (roleDefinition.RoleTypeKind != RoleType.Guest)
{
security.RoleAssignments.Add(new Model.RoleAssignment()
{
Principal = ReplaceGroupTokens(context.Web, roleAssignment.Member.LoginName),
RoleDefinition = roleDefinition.Name
});
}
}
}
}
}
}
return(security);
}
public static ObjectSecurity GetSecurity(this SecurableObject securable)
{
ObjectSecurity security = null;
using (var scope = new PnPMonitoredScope("Get Security"))
{
var context = securable.Context as ClientContext;
context.Load(securable, sec => sec.HasUniqueRoleAssignments);
context.Load(context.Web, w => w.AssociatedMemberGroup.Title, w => w.AssociatedOwnerGroup.Title, w => w.AssociatedVisitorGroup.Title);
var roleAssignments = context.LoadQuery(securable.RoleAssignments.Include(
r => r.Member.LoginName,
r => r.RoleDefinitionBindings.Include(
rdb => rdb.Name,
rdb => rdb.RoleTypeKind
)));
context.ExecuteQueryRetry();
if (securable.HasUniqueRoleAssignments)
{
security = new ObjectSecurity();
foreach (var roleAssignment in roleAssignments)
{
if (roleAssignment.Member.LoginName != "Excel Services Viewers")
{
foreach (var roleDefinition in roleAssignment.RoleDefinitionBindings)
{
if (roleDefinition.RoleTypeKind != RoleType.Guest)
{
security.RoleAssignments.Add(new Model.RoleAssignment()
{
Principal = ReplaceGroupTokens(context.Web, roleAssignment.Member.LoginName),
RoleDefinition = roleDefinition.Name
});
}
}
}
}
}
}
return security;
}
public ContentPage(string url, string html, bool overwrite, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null, Dictionary<string, string> fields = null)
: base(url, overwrite, WikiPageLayout.OneColumn, webParts, welcomePage, security, fields)
{
Html = html;
}
internal override void OverrideXmlData(XElement sourceObject, XElement targetObject)
{
XNamespace ns = SchemaVersion;
#region Property handling
// Base property handling
// Drop list properties if they're not provided in the source XML
string[] ListProperties = new string[] { "Description", "DocumentTemplate", "MinorVersionLimit", "MaxVersionLimit", "DraftVersionVisibility", "TemplateFeatureID", "EnableAttachments" };
foreach (string listProperty in ListProperties)
{
if (sourceObject.Attribute(listProperty) == null)
{
DropAttribute(targetObject, listProperty);
}
}
// Drop list elements if they're not provided in the source XML
string[] ListElements = new string[] { "ContentTypeBindings", "Views", "FieldRefs", "Fields" };
foreach (var listElement in ListElements)
{
var sourceListElementXML = sourceObject.Descendants(ns + listElement);
var targetListElementXML = targetObject.Descendants(ns + listElement);
if (sourceListElementXML.Any() == false && targetListElementXML.Any() == true)
{
targetListElementXML.Remove();
}
}
#if ONPREMISES
// MaxVersionLimit cannot be set in on-premises, so remove it before comparing before and after
if (sourceObject.Attribute("MaxVersionLimit") != null)
{
DropAttribute(targetObject, "MaxVersionLimit");
DropAttribute(sourceObject, "MaxVersionLimit");
}
#endif
#endregion
#region Contenttype handling
// If RemoveExistingContentTypes is set then remove the attribute from source since on target we don't add this.
var contentTypeBindings = targetObject.Descendants(ns + "ContentTypeBinding");
bool removeExistingContentTypes = false;
if (sourceObject.Attribute("RemoveExistingContentTypes") != null)
{
removeExistingContentTypes = sourceObject.Attribute("RemoveExistingContentTypes").Value.ToBoolean();
DropAttribute(sourceObject, "RemoveExistingContentTypes");
}
if (contentTypeBindings != null && contentTypeBindings.Any())
{
// One can add ContentTypeBindings without specifying ContentTypesEnabled. The engine will turn on ContentTypesEnabled automatically in that case
if (sourceObject.Attribute("ContentTypesEnabled") == null)
{
DropAttribute(targetObject, "ContentTypesEnabled");
}
if (removeExistingContentTypes)
{
foreach (var contentTypeBinding in contentTypeBindings.ToList())
{
// Remove the folder content type if present because we're not removing that one via RemoveExistingContentTypes
if (contentTypeBinding.Attribute("ContentTypeID").Value == "0x0120")
{
contentTypeBinding.Remove();
}
}
}
else // We did not remove existing content types
{
var sourceContentTypeBindings = sourceObject.Descendants(ns + "ContentTypeBinding");
foreach (var contentTypeBinding in contentTypeBindings.ToList())
{
string value = contentTypeBinding.Attribute("ContentTypeID").Value;
// drop all content types which are not mentioned in the source
if (sourceContentTypeBindings.Where(p => p.Attribute("ContentTypeID").Value == value).Any() == false)
{
contentTypeBinding.Remove();
}
}
}
}
#endregion
#region FieldRef handling
var fieldRefs = sourceObject.Descendants(ns + "FieldRef");
if (fieldRefs != null && fieldRefs.Any())
{
foreach (var fieldRef in fieldRefs.ToList())
{
// Drop the name attribute from the source fieldrefs since this is just an informational attribute
if (fieldRef.Attribute("Name") != null)
{
DropAttribute(fieldRef, "Name");
}
// Drop hidden fieldrefs since they're not retreived by the engine again
if (fieldRef.Attribute("Hidden") != null && fieldRef.Attribute("Hidden").Value.ToBoolean() == true)
{
fieldRef.Remove();
}
}
}
var targetFieldRefs = targetObject.Descendants(ns + "FieldRef");
if (targetFieldRefs != null && targetFieldRefs.Any())
{
foreach (var targetFieldRef in targetFieldRefs.ToList())
{
// Drop the name attribute from the source fieldrefs since this is just an informational attribute
if (targetFieldRef.Attribute("Name") != null)
{
DropAttribute(targetFieldRef, "Name");
}
// Drop the fields which were not present in source (there's always some OOB fieldrefs)
if (!fieldRefs.Where(p => p.Attribute("ID").Value == targetFieldRef.Attribute("ID").Value).Any())
{
targetFieldRef.Remove();
}
else
{
// If the source object does not have a DisplayName attribute then also remove it from the target
if (!(fieldRefs.Where(p => p.Attribute("ID").Value == targetFieldRef.Attribute("ID").Value).FirstOrDefault().Attribute("DisplayName") != null))
{
DropAttribute(targetFieldRef, "DisplayName");
}
}
}
}
#endregion
#region Field handling
var targetFields = targetObject.Descendants("Field");
var sourceFields = sourceObject.Descendants("Field");
if (sourceFields != null && sourceFields.Any())
{
foreach (var sourceField in sourceFields.ToList())
{
// Ensure both target and source using the same casing
UpperCaseAttribute(sourceField, "ID");
}
}
if (targetFields != null && targetFields.Any())
{
foreach (var targetField in targetFields.ToList())
{
// Ensure both target and source using the same casing
UpperCaseAttribute(targetField, "ID");
// Drop attributes before comparison
DropAttribute(targetField, "SourceID");
DropAttribute(targetField, "StaticName");
DropAttribute(targetField, "ColName");
DropAttribute(targetField, "RowOrdinal");
DropAttribute(targetField, "Version");
// If target field does not exist in source then drop it (SPO can add additional fields e.g. _IsRecord field refering the _ComplianceFlags field)
if (sourceFields != null && sourceFields.Any())
{
if (!sourceFields.Where(p => p.Attribute("ID").Value.Equals(targetField.Attribute("ID").Value)).Any())
{
targetField.Remove();
}
}
}
}
#endregion
#region View handling
var sourceViews = sourceObject.Descendants("View");
var targetViews = targetObject.Descendants("View");
if (sourceViews != null && sourceViews.Any())
{
int sourceViewCount = 0;
int targetViewCount = 0;
foreach (var sourceView in sourceViews)
{
sourceViewCount++;
string sourceViewName = sourceView.Attribute("DisplayName").Value;
if (targetViews.Where(v => v.Attribute("DisplayName").Value.Equals(sourceViewName, StringComparison.InvariantCultureIgnoreCase)).First() != null)
{
targetViewCount++;
}
}
if (sourceViewCount == targetViewCount)
{
// if RemoveExistingViews was checked then we should have the same count of source and target views
if (sourceObject.Descendants(ns + "Views").First().Attribute("RemoveExistingViews") != null && sourceObject.Descendants(ns + "Views").First().Attribute("RemoveExistingViews").Value.ToBoolean() == true)
{
if (sourceViews.Count() == targetViews.Count())
{
// we've found the source views in the target + the original views were dropped, so we're good. Drop the view element to ensure valid XML comparison
sourceObject.Descendants(ns + "Views").Remove();
targetObject.Descendants(ns + "Views").Remove();
}
}
else
{
// we've found the source views in the target so we're good. Drop the view element to ensure valid XML comparison
sourceObject.Descendants(ns + "Views").Remove();
targetObject.Descendants(ns + "Views").Remove();
}
}
}
#endregion
#region FieldDefaults handling
var sourceFieldDefaults = sourceObject.Descendants(ns + "FieldDefault");
if (sourceFieldDefaults != null && sourceFieldDefaults.Any())
{
bool validFieldDefaults = true;
foreach(var sourceFieldDefault in sourceFieldDefaults)
{
string fieldDefaultValue = sourceFieldDefault.Value;
string fieldDefaultName = sourceFieldDefault.Attribute("FieldName").Value;
if (fieldDefaultValue != null && fieldDefaultName != null)
{
var targetField = targetFields.Where(p => p.Attribute("Name").Value.Equals(fieldDefaultName, StringComparison.InvariantCultureIgnoreCase)).First();
if (targetField.Descendants("Default").Any())
{
string targetFieldDefaultValue = targetField.Descendants("Default").First().Value;
if (!targetFieldDefaultValue.Equals(fieldDefaultValue, StringComparison.InvariantCultureIgnoreCase))
{
validFieldDefaults = false;
}
else
{
// remove the Default node
targetField.Descendants("Default").First().Remove();
}
}
else
{
validFieldDefaults = false;
}
}
}
if (validFieldDefaults)
{
sourceObject.Descendants(ns + "FieldDefaults").Remove();
}
}
// Drop any remaining Default node
foreach (var targetField in targetFields)
{
if (targetField.Descendants("Default").Any())
{
targetField.Descendants("Default").First().Remove();
}
}
#endregion
#region Folder handling
// Folders are not extracted, so manual validation needed
var sourceFolders = sourceObject.Descendants(ns + "Folders");
if (sourceFolders != null && sourceFolders.Any())
{
// use CSOM to verify the folders are listed in target and only remove the source folder from the XML when this is the case
if (this.cc != null)
{
var foldersValid = true;
var list = this.cc.Web.GetListByUrl(sourceObject.Attribute("Url").Value);
if (list != null)
{
list.EnsureProperty(w => w.RootFolder);
foreach(var folder in sourceFolders.Descendants(ns + "Folder"))
{
// only verify first level folders
if (folder.Parent.Equals(sourceFolders.First()))
{
if (!list.RootFolder.FolderExists(folder.Attribute("Name").Value))
{
foldersValid = false;
}
// if the folder has a security element then verify this as well
var sourceFolderSecurity = folder.Descendants(ns + "Security");
if (sourceFolderSecurity != null && sourceFolderSecurity.Any())
{
// convert XML in ObjectSecurity object
ObjectSecurity sourceFolderSecurityElement = new ObjectSecurity();
sourceFolderSecurityElement.ClearSubscopes = sourceFolderSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("ClearSubscopes").Value.ToBoolean();
sourceFolderSecurityElement.CopyRoleAssignments = sourceFolderSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("CopyRoleAssignments").Value.ToBoolean();
var sourceRoleAssignments = folder.Descendants(ns + "RoleAssignment");
foreach (var sourceRoleAssignment in sourceRoleAssignments)
{
sourceFolderSecurityElement.RoleAssignments.Add(new Core.Framework.Provisioning.Model.RoleAssignment()
{ Principal = sourceRoleAssignment.Attribute("Principal").Value,
RoleDefinition = sourceRoleAssignment.Attribute("RoleDefinition").Value
});
}
// grab the "Securable" for the folder
var currentFolderItem = list.RootFolder.EnsureFolder(folder.Attribute("Name").Value).ListItemAllFields;
cc.Load(currentFolderItem);
cc.ExecuteQueryRetry();
// use CSOM to verify security settings
if (ValidateSecurityCSOM(this.cc, sourceFolderSecurityElement, currentFolderItem))
{
sourceFolderSecurity.Remove();
}
}
}
}
}
if (foldersValid)
{
sourceFolders.Remove();
}
}
}
#endregion
#region DataRows handling
var sourceDataRows = sourceObject.Descendants(ns + "DataRow");
if (sourceDataRows != null && sourceDataRows.Any())
{
bool dataRowsValidated = true;
var list = this.cc.Web.GetListByUrl(sourceObject.Attribute("Url").Value);
if (list != null)
{
int dataRowCount = 0;
foreach (var sourceDataRow in sourceDataRows)
{
// Convert XML in DataRow object
DataRow sourceDataRowElement = null;
Dictionary<string, string> values = new Dictionary<string, string>();
foreach (var dataValue in sourceDataRow.Descendants(ns + "DataValue"))
{
values.Add(dataValue.Attribute("FieldName").Value, dataValue.Value);
}
ObjectSecurity sourceDataRowSecurityElement = null;
var sourceDataRowSecurity = sourceDataRow.Descendants(ns + "Security");
if (sourceDataRowSecurity != null && sourceDataRowSecurity.Any())
{
// convert XML in ObjectSecurity object
sourceDataRowSecurityElement = new ObjectSecurity();
sourceDataRowSecurityElement.ClearSubscopes = sourceDataRowSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("ClearSubscopes").Value.ToBoolean();
sourceDataRowSecurityElement.CopyRoleAssignments = sourceDataRowSecurity.Descendants(ns + "BreakRoleInheritance").First().Attribute("CopyRoleAssignments").Value.ToBoolean();
var sourceRoleAssignments = sourceDataRowSecurity.Descendants(ns + "RoleAssignment");
foreach (var sourceRoleAssignment in sourceRoleAssignments)
{
sourceDataRowSecurityElement.RoleAssignments.Add(new Core.Framework.Provisioning.Model.RoleAssignment()
{
Principal = sourceRoleAssignment.Attribute("Principal").Value,
RoleDefinition = sourceRoleAssignment.Attribute("RoleDefinition").Value
});
}
}
if (sourceDataRowSecurityElement != null)
{
sourceDataRowElement = new DataRow(values, sourceDataRowSecurityElement);
}
else
{
sourceDataRowElement = new DataRow(values);
}
dataRowCount++;
ListItem itemToValidate = null;
try
{
itemToValidate = list.GetItemById(dataRowCount);
}
catch
{ }
if (itemToValidate == null || !ValidateDataRowsCSOM(cc, sourceDataRowElement, itemToValidate))
{
dataRowsValidated = false;
}
}
}
// If all datarows are validated then we can drop
if (dataRowsValidated)
{
sourceObject.Descendants(ns + "DataRows").First().Remove();
}
}
#endregion
#region Security handling
var sourceSecurity = sourceObject.Descendants(ns + "Security");
if (sourceSecurity != null && sourceSecurity.Any())
{
var targetSecurity = targetObject.Descendants(ns + "Security");
if (ValidateSecurityXml(sourceSecurity.First(), targetSecurity.First()))
{
sourceSecurity.Remove();
targetSecurity.Remove();
}
}
#endregion
#region CustomAction handling
var sourceCustomActions = sourceObject.Descendants(ns + "UserCustomActions");
if (sourceCustomActions != null && sourceCustomActions.Any())
{
// delete custom actions since we validate these latter on
var targetCustomActions = targetObject.Descendants(ns + "UserCustomActions");
sourceCustomActions.Remove();
if (targetCustomActions != null && targetCustomActions.Any())
{
targetCustomActions.Remove();
}
}
#endregion
}
public PublishingPage(string url, string title, string html, string layoutUrl, bool overwrite, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null, Dictionary<string, string> fields = null)
: base(url, html, overwrite, webParts, welcomePage, security, fields)
{
PageTitle = title;
PageLayoutUrl = layoutUrl;
}
public Page(string url, bool overwrite, WikiPageLayout layout, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null) :
this(url, overwrite, layout, webParts, welcomePage, security, null)
{
}
public Page(string url, bool overwrite, WikiPageLayout layout, IEnumerable<WebPart> webParts, bool welcomePage = false, ObjectSecurity security = null, Dictionary<String, String> fields = null) :
this(url, overwrite, layout, webParts, security, fields)
{
}
