public IEnumerable <AccessControlList> ListAllGitAcls()
{
VssConnection connection = this.Context.Connection;
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
IEnumerable <AccessControlList> acls = securityClient.QueryAccessControlListsAsync(
// in a real app, you should get this value via securityClient.QuerySecurityNamespacesAsync
GitSecurityNamespace,
string.Empty,
descriptors: null,
includeExtendedInfo: false,
recurse: true).Result;
// we'll store one interesting ACE to expand in a later method
bool storedAcl = false;
Console.WriteLine("token | inherit? | count of ACEs");
Console.WriteLine("------+----------+--------------");
foreach (AccessControlList acl in acls)
{
Console.WriteLine("{0} | {1} | {2} ACEs", acl.Token, acl.InheritPermissions, acl.AcesDictionary.Count());
if (!storedAcl && acl.Token.Length > "repoV2/".Length)
{
this.Context.SetValue(this.StoredAclKey, acl);
storedAcl = true;
}
}
return(acls);
}
internal IEnumerable <AccessControlList> ListAccessControl(Guid identify)
{
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
IEnumerable <SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(identify).Result;
IEnumerable <AccessControlList> acls = securityClient.QueryAccessControlListsAsync(
identify,
string.Empty,
descriptors: null,
includeExtendedInfo: false,
recurse: true).Result;
return(acls);
}
static IEnumerable <AccessControlList> GetReleaseDefinitionAccessControlList(VssConnection connection, Guid projectId, int releaseDefinitionId)
{
// We need the security client to talk to RM service instead of the default TFS to get us the ACLs for release definition
SecurityHttpClient securityHttpClient = connection.GetClient <SecurityHttpClient>(Guid.Parse(ReleaseManagementApiConstants.InstanceType));
var acls = securityHttpClient.QueryAccessControlListsAsync(
SecurityConstants.ReleaseManagementSecurityNamespaceId,
CreateToken(projectId, releaseDefinitionId),
null, // all desciptors
true,
true).Result;
return(acls);
}
public void GetReleaseDefinitionAccessControlLists()
{
VssConnection connection = Context.Connection;
var project = ClientSampleHelpers.FindAnyProject(this.Context);
// We need the security client to talk to RM service instead of the default TFS to get us the ACLs for release definition
SecurityHttpClient securityHttpClient = connection.GetClient <SecurityHttpClient>(Guid.Parse(ReleaseManagementApiConstants.InstanceType));
var acls = securityHttpClient.QueryAccessControlListsAsync(
SecurityConstants.ReleaseManagementSecurityNamespaceId,
CreateToken(project.Id, newlyCreatedReleaseDefinitionId),
null, // all desciptors
true,
true).Result;
}
internal List <Permission> GitPermissionsDetails(AccessControlList acessControlList,
IEnumerable <GraphUser> users,
IEnumerable <GraphGroup> groups,
List <GitRepository> repositories)
{
List <Permission> permissions = new List <Permission>();
Regex extractEmail = new Regex(@"\\(.*$)");
Regex extractGuid = new Regex(@".{8}-.{9}-.{4}-.{12}");
GitHttpClient gitClient = connection.GetClient <GitHttpClient>();
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
GraphHttpClient graphClient = connection.GetClient <GraphHttpClient>();
// Guid guid = Guid.Parse(acessControlList.Token.Remove(0, 7));
IEnumerable <AccessControlList> acls = securityClient.QueryAccessControlListsAsync(
Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"),
acessControlList.Token,
descriptors: null,
includeExtendedInfo: false,
recurse: true).Result;
// get the details for Git permissions
Dictionary <int, string> permission = GetGitPermissionNames();
var tokenGuids = extractGuid.Matches(acessControlList.Token);
var lastGuidFromToken = Guid.Parse(tokenGuids[tokenGuids.Count - 1].Value);
var repository = repositories.FirstOrDefault(r => r.Id.Equals(lastGuidFromToken));
var repositoryName = repository != null ? repository.Name : "<none>";
// use the Git permissions data to expand the ACL
Console.WriteLine("Expanding ACL for {0} ({1} ACEs)", repositoryName, acessControlList.AcesDictionary.Count());
foreach (var kvp in acessControlList.AcesDictionary)
{
// in the key-value pair, Key is an identity and Value is an ACE (access control entry)
// allow and deny are bit flags indicating which permissions are allowed/denied
//PagedGraphUsers group = graphClient.GetGroupAsync(kvp.Key);
//var user = users.First(u => u.Descriptor.ToString().Equals(kvp.Key.ToString()));
var group = groups.FirstOrDefault(g => g.Descriptor.Identifier.Equals(kvp.Key.Identifier));
if (group != null)
{
AddByGroup(permissions, graphClient, permission, repositoryName, kvp, group);
}
else
{
AddByUser(users, permissions, extractEmail, permission, repositoryName, kvp);
}
}
return(permissions);
}
public static void ListGitNamespacePermissions()
{
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
Guid g = Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"); //Git security namespace
IEnumerable <Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(g).Result;
Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription gitNamespace = namespaces.First();
IEnumerable <Microsoft.VisualStudio.Services.Security.AccessControlList> acls = securityClient.QueryAccessControlListsAsync(
g,
string.Empty,
descriptors: null,
includeExtendedInfo: false,
recurse: true).Result;
using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"c:\TFSAdminAutomationData\out_GitAccessControlLists.txt"))
{
int counter = 0;
file.WriteLine("token | inherit? | count of ACEs");
file.WriteLine("------+----------+--------------");
foreach (Microsoft.VisualStudio.Services.Security.AccessControlList acl in acls)
{
counter++;
string[] tokenParser = acl.Token.Split('/');
if (tokenParser.Length != 2) //we are interested in team project level git security
{
continue;
}
file.WriteLine();
file.WriteLine();
file.WriteLine("{0} | {1} | {2} ACEs", acl.Token, acl.InheritPermissions, acl.AcesDictionary.Count());
file.WriteLine("Project Name: " + GetProjectName(tokenParser[1]));
file.WriteLine("Expanding ACL for {0} ({1} ACEs)", acl.Token, acl.AcesDictionary.Count());
// get the details for Git permissions
Dictionary <int, string> permission = GetGitPermissionNames();
// use the Git permissions data to expand the ACL
foreach (var kvp in acl.AcesDictionary)
{
// in the key-value pair, Key is an identity and Value is an ACE (access control entry)
// allow and deny are bit flags indicating which permissions are allowed/denied
string identity = kvp.Key.Identifier.ToString();
file.WriteLine("Identity {0}", identity);
string identityName = GetNameFromIdentity(identity);
file.WriteLine("Identity Name {0}", identityName);
if (!identityName.EndsWith("Project Administrators"))
{
continue;
}
string allowed = GetPermissionString(kvp.Value.Allow, permission);
string denied = GetPermissionString(kvp.Value.Deny, permission);
file.WriteLine(" Allowed: {0} (value={1})", allowed, kvp.Value.Allow);
file.WriteLine(" Denied: {0} (value={1})", denied, kvp.Value.Deny);
}
}
}
}