예제 #1
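        /// <summary>
        /// Dumps the project-level access control lists of the Git security namespace to a
        /// text report and, for identities whose display name ends with
        /// "Project Administrators", removes the "remove others' locks" permission (bit 4096)
        /// when it is currently allowed.
        /// </summary>
        /// <remarks>
        /// This method changes permissions on the server. The report it writes lists identities
        /// and their effective allow/deny masks, so the output directory should be readable only
        /// by administrators. Calls block synchronously on the client tasks, matching the rest
        /// of this file.
        /// </remarks>
        /// <exception cref="InvalidOperationException">
        /// The Git security namespace could not be found on the server.
        /// </exception>
        public static void ListAndRemoveGitNamespacePermissions()
        {
            // Bit flag for "remove others' locks" in the Git security namespace.
            const int RemoveOthersLocksBit = 4096;

            SecurityHttpClient securityClient = connection.GetClient<SecurityHttpClient>();

            Guid gitNamespaceId = Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"); //Git security namespace

            // Fail early if the namespace is unknown to the server (the original did this implicitly via First()).
            IEnumerable<Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription> namespaces =
                securityClient.QuerySecurityNamespacesAsync(gitNamespaceId).Result;
            if (!namespaces.Any())
            {
                throw new InvalidOperationException("Git security namespace was not returned by the server.");
            }

            IEnumerable<Microsoft.VisualStudio.Services.Security.AccessControlList> acls = securityClient.QueryAccessControlListsAsync(
                gitNamespaceId,
                string.Empty,
                descriptors: null,
                includeExtendedInfo: false,
                recurse: true).Result;

            // Permission bit -> name map; fetched once, on first use, instead of once per ACL.
            Dictionary<int, string> permission = null;

            using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"c:\TFSAdminAutomationData\out_GitAccessControlLists.txt"))
            {
                file.WriteLine("token | inherit? | count of ACEs");
                file.WriteLine("------+----------+--------------");
                foreach (Microsoft.VisualStudio.Services.Security.AccessControlList acl in acls)
                {
                    string[] tokenParser = acl.Token.Split('/');
                    if (tokenParser.Length != 2) //we are interested in team project level git security
                    {
                        continue;
                    }
                    file.WriteLine();
                    file.WriteLine();
                    file.WriteLine("{0} | {1} | {2} ACEs", acl.Token, acl.InheritPermissions, acl.AcesDictionary.Count());
                    file.WriteLine("Project Name: " + GetProjectName(tokenParser[1]));
                    file.WriteLine("Expanding ACL for {0} ({1} ACEs)", acl.Token, acl.AcesDictionary.Count());

                    // get the details for Git permissions
                    if (permission == null)
                    {
                        permission = GetGitPermissionNames();
                    }

                    // use the Git permissions data to expand the ACL
                    foreach (var kvp in acl.AcesDictionary)
                    {
                        // in the key-value pair, Key is an identity and Value is an ACE (access control entry)
                        // allow and deny are bit flags indicating which permissions are allowed/denied
                        string identity = kvp.Key.Identifier.ToString();
                        file.WriteLine("Identity {0}", identity);
                        string identityName = GetNameFromIdentity(identity);
                        file.WriteLine("Identity Name {0}", identityName);

                        // NOTE(review): the group is selected by display-name suffix, so any group whose
                        // name happens to end with "Project Administrators" is treated the same way.
                        // Matching on a well-known descriptor/SID would be stricter — confirm intent.
                        if (identityName == null || !identityName.EndsWith("Project Administrators", StringComparison.Ordinal))
                        {
                            continue;
                        }
                        string allowed = GetPermissionString(kvp.Value.Allow, permission);
                        string denied  = GetPermissionString(kvp.Value.Deny, permission);

                        file.WriteLine("  Allowed: {0} (value={1})", allowed, kvp.Value.Allow);
                        file.WriteLine("  Denied: {0} (value={1})", denied, kvp.Value.Deny);

                        // Test the allow mask itself rather than searching the rendered text for "4096":
                        // the decision must not depend on how GetPermissionString formats its output.
                        if ((kvp.Value.Allow & RemoveOthersLocksBit) != 0)
                        {
                            //Remove "remove others' locks permission from project administrators"
                            try
                            {
                                // Block until the server answers so that a failure reaches the catch
                                // below and "Removed permission" is only logged for a completed call.
                                securityClient.RemovePermissionAsync(gitNamespaceId, acl.Token, kvp.Key, RemoveOthersLocksBit)
                                    .GetAwaiter()
                                    .GetResult();
                                file.WriteLine("Removed permission");
                            }
                            catch (Exception ex)
                            {
                                // Best effort: keep processing the remaining entries, but record why this one failed.
                                file.WriteLine("Could not remove permission");
                                file.WriteLine("  Reason: {0}", ex.Message);
                            }
                        }
                    }
                }
            }
        }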