/// <summary> /// Extracts the generic security namespace permissions. /// </summary> /// <param name="server">The server.</param> /// <param name="permissionScope">The permission scope.</param> /// <param name="userIdentity">The user identity.</param> /// <param name="securityToken">The security token.</param> /// <param name="identityManagementService">The identityManagementService.</param> /// <param name="groups">The groups.</param> /// <returns>List of Permissions</returns> private static List <Permission> ExtractGenericSecurityNamespacePermissions(ISecurityService server, PermissionScope permissionScope, TeamFoundationIdentity userIdentity, string securityToken, IIdentityManagementService identityManagementService, IEnumerable <string> groups) { SecurityNamespace genericSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(permissionScope, server)); AccessControlList userAccessList = genericSecurityNamespace.QueryAccessControlList( securityToken, new List <IdentityDescriptor> { userIdentity.Descriptor }, true); var result = new List <Permission>(); result.AddRange(Helpers.AccessControlEntryToPermission(genericSecurityNamespace, userAccessList.AccessControlEntries, false, string.Empty)); // handle group inheritance foreach (string group in groups) { TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(IdentitySearchFactor.Identifier, group, MembershipQuery.None, ReadIdentityOptions.IncludeReadFromSource); AccessControlList groupAccessList = genericSecurityNamespace.QueryAccessControlList( securityToken, new List <IdentityDescriptor> { groupIdentity.Descriptor }, true); result.AddRange(Helpers.AccessControlEntryToPermission(genericSecurityNamespace, groupAccessList.AccessControlEntries, true, groupIdentity.DisplayName)); } var modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(result); return(modifiedPermissions); }
/////// <summary> /////// Extracts work item permissions for a specific identity /////// </summary> /////// <param name="server">Server security service</param> /////// <param name="projectSecurityToken">Project Security Token</param> /////// <param name="userIdentity">User identity</param> /////// <returns>The list of the permissions</returns> ////private static List<Permission> ExtractWorkItemsPermissions( //// ISecurityService server, //// string projectSecurityToken, //// TeamFoundationIdentity userIdentity) ////{ //// var result = new List<Permission>(); //// SecurityNamespace workItemsSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.WorkItemAreas, server)); //// if (workItemsSecurityNamespace != null) //// { //// Console.WriteLine("== Extract WorkItems Permissions =="); //// AccessControlList workItemsAccessList = workItemsSecurityNamespace.QueryAccessControlList( //// projectSecurityToken, //// new List<IdentityDescriptor> { userIdentity.Descriptor }, //// true); //// string allowedWorkItemPermissions = string.Empty; //// string denyWorkItemPermissions = string.Empty; //// foreach (AccessControlEntry ace in workItemsAccessList.AccessControlEntries) //// { //// if (0 != ace.Allow) //// { //// allowedWorkItemPermissions = ((QueryItemPermissions)ace.Allow).ToString(); //// result.AddRange( //// Helpers.GetActionDetailsByName(allowedWorkItemPermissions, "Allow", PermissionScope.WorkItemAreas)); //// } //// if (0 != ace.Deny) //// { //// denyWorkItemPermissions = ((QueryItemPermissions)ace.Deny).ToString(); //// result.AddRange( //// Helpers.GetActionDetailsByName(denyWorkItemPermissions, "Deny", PermissionScope.WorkItemAreas)); //// } //// } //// } //// return result; ////} /// <summary> /// Extracts build permissions for a specific identity. /// </summary> /// <param name="server">Server security service</param> /// <param name="projectSecurityToken">Project Security Token</param> /// <param name="userIdentity">User identity</param> /// <returns>The list of the permissions</returns> private static List <Permission> ExtractBuildPermissions(ISecurityService server, string projectSecurityToken, TeamFoundationIdentity userIdentity) { var result = new List <Permission>(); SecurityNamespace buildSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.TeamBuild, server)); Console.WriteLine("== Extract Build Permissions =="); AccessControlList buildAccessList = buildSecurityNamespace.QueryAccessControlList( projectSecurityToken, new List <IdentityDescriptor> { userIdentity.Descriptor }, true); foreach (AccessControlEntry ace in buildAccessList.AccessControlEntries) { foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, false)) { if (aclAndName.Acl != 0) { var allowedBuildPermissions = ((EnumerationsList.BuildPermissions)ace.Allow).ToString(); result.AddRange( Helpers.GetActionDetailsByName(allowedBuildPermissions, aclAndName.Name, PermissionScope.TeamBuild)); } } } return(result); }
public IEnumerable <TeamFoundationIdentity> GetAdministrators(Microsoft.TeamFoundation.Client.TeamFoundationTeam teamFoundationTeam) { // Get security namespace for the project collection. ISecurityService securityService = this.tfsTeamProjectCollection.GetService <ISecurityService>(); SecurityNamespace securityNamespace = securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId); // Use reflection to retrieve a security token for the team. MethodInfo mi = typeof(IdentityHelper).GetMethod("CreateSecurityToken"); string token = mi.Invoke(null, new object[] { teamFoundationTeam.Identity }) as string; // Retrieve an ACL object for all the team members. var allMembers = teamFoundationTeam.GetMembers(this.tfsTeamProjectCollection, MembershipQuery.Expanded).Where(m => !m.IsContainer); AccessControlList acl = securityNamespace.QueryAccessControlList(token, allMembers.Select(m => m.Descriptor), true); // Retrieve the team administrator SIDs by querying the ACL entries. var entries = acl.AccessControlEntries; var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier); // Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs. return(allMembers.Where(m => admins.Contains(m.Descriptor.Identifier))); }
public List <string> ListTeamAdministrators(string team, out string message) { // Retrieve the default team. TeamFoundationTeam t = this.teamService.ReadTeam(this.projectInfo.Uri, team, null); List <string> lst = null; message = ""; if (t == null) { message = "Team [" + team + "] not found"; } else { // Get security namespace for the project collection. ISecurityService securityService = this.teamProjectCollection.GetService <ISecurityService>(); SecurityNamespace securityNamespace = securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId); // Use reflection to retrieve a security token for the team. var token = GetTeamAdminstratorsToken(t); // Retrieve an ACL object for all the team members. var allMembers = t.GetMembers(this.teamProjectCollection, MembershipQuery.Expanded) .ToArray(); AccessControlList acl = securityNamespace.QueryAccessControlList(token, allMembers.Select(m => m.Descriptor), true); // Retrieve the team administrator SIDs by querying the ACL entries. var entries = acl.AccessControlEntries; var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier); // Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs. var adminIdentities = allMembers.Where(m => admins.Contains(m.Descriptor.Identifier)); lst = adminIdentities.Select(i => i.DisplayName).ToList(); } return(lst); }
/// <summary> /// Sample method on how to extracts the git version control permissions. /// </summary> /// <param name="server">The server.</param> /// <param name="groups">The groups.</param> /// <param name="userIdentity">The user identity.</param> /// <param name="projectSecurityToken">The project security token.</param> /// <param name="identityManagementService">The identityManagementService.</param> /// <param name="vcs">The VCS.</param> /// <param name="gitService">The git service.</param> /// <returns>List of Permissions</returns> private static List <GitPermission> ExtractGitVersionControlPermissions( ISecurityService server, List <string> groups, TeamFoundationIdentity userIdentity, string projectSecurityToken, IIdentityManagementService identityManagementService, VersionControlServer vcs, GitRepositoryService gitService) { Console.WriteLine("== Extract Git Version Control Permissions =="); SecurityNamespace gitVersionControlSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.GitSourceControl, server)); IList <GitRepository> gitProjectRepoService = gitService.QueryRepositories(projectSecurityToken); var groupsIdentities = new List <TeamFoundationIdentity>(groups.Count); foreach (string group in groups) { TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity( IdentitySearchFactor.Identifier, group, MembershipQuery.None, ReadIdentityOptions.IncludeReadFromSource); groupsIdentities.Add(groupIdentity); } var results = new List <GitPermission>(); foreach (GitRepository repo in gitProjectRepoService) { string primaryBranch = (repo.DefaultBranch ?? "(no default branch)").StartsWith("refs/heads/") ? repo.DefaultBranch.Substring(11) : repo.DefaultBranch; Console.WriteLine(" -- Repo: {0} branch {1}", repo.Name, primaryBranch); // Repository Security Token is repoV2/TeamProjectId/RepositoryId string repoIdToken = string.Format("repoV2{0}{1}{2}{3}", gitVersionControlSecurityNamespace.Description.SeparatorValue, repo.ProjectReference.Id, gitVersionControlSecurityNamespace.Description.SeparatorValue, repo.Id); AccessControlList versionControlAccessList = gitVersionControlSecurityNamespace.QueryAccessControlList( repoIdToken, new List <IdentityDescriptor> { userIdentity.Descriptor }, true); var gitVersionControlPermissions = new List <Permission>(); foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries) { foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, false)) { if (aclAndName.Acl != 0) { string versionControlPermissions = ((EnumerationsList.GitPermissions)aclAndName.Acl).ToString(); gitVersionControlPermissions.AddRange( Helpers.GetActionDetailsByName(versionControlPermissions, aclAndName.Name, PermissionScope.GitSourceControl)); } } } foreach (TeamFoundationIdentity groupIdentity in groupsIdentities) { AccessControlList groupAccessList = gitVersionControlSecurityNamespace.QueryAccessControlList( repoIdToken, new List <IdentityDescriptor> { groupIdentity.Descriptor }, true); foreach (AccessControlEntry ace in groupAccessList.AccessControlEntries) { foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, true)) { if (aclAndName.Acl != 0) { string versionControlPermissions = ((EnumerationsList.GitPermissions)aclAndName.Acl).ToString(); gitVersionControlPermissions.AddRange( Helpers.GetActionDetailsByName(versionControlPermissions, aclAndName.Name, PermissionScope.GitSourceControl)); } } } } List <Permission> modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(gitVersionControlPermissions); results.AddRange(modifiedPermissions.Select(perm => new GitPermission(perm, repo.Name, primaryBranch))); } return(results); }
/// <summary> /// Sample method on how to extracts the git version control permissions. /// </summary> /// <param name="server">The server.</param> /// <param name="groups">The groups.</param> /// <param name="userIdentity">The user identity.</param> /// <param name="projectSecurityToken">The project security token.</param> /// <param name="identityManagementService">The identityManagementService.</param> /// <param name="vcs">The VCS.</param> /// <param name="gitService">The git service.</param> /// <returns>List of Permissions</returns> private static List <Permission> ExtractGitVersionControlPermissions(ISecurityService server, IEnumerable <string> groups, TeamFoundationIdentity userIdentity, string projectSecurityToken, IIdentityManagementService identityManagementService, VersionControlServer vcs, TeamFoundation.Git.Client.GitRepositoryService gitService) { Console.WriteLine("== Extract Git Version Control Permissions =="); SecurityNamespace gitVersionControlSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.GitSourceControl, server)); var gitProjectRepoService = gitService.QueryRepositories(projectSecurityToken); // This sample handle only the default repository, you can iterate through all repositories same way var defaultGitRepo = gitProjectRepoService.SingleOrDefault(gr => gr.Name.Equals(projectSecurityToken)); vcs.TryGetTeamProject(projectSecurityToken); if (defaultGitRepo == null) { return(new List <Permission>()); } // Repository Security Token is repoV2/TeamProjectId/RepositoryId var repoIdToken = string.Format("repoV2{0}{1}{2}{3}", gitVersionControlSecurityNamespace.Description.SeparatorValue, defaultGitRepo.ProjectReference.Id, gitVersionControlSecurityNamespace.Description.SeparatorValue, defaultGitRepo.Id); // vcs.GetTeamProject(projectSecurityToken); AccessControlList versionControlAccessList = gitVersionControlSecurityNamespace.QueryAccessControlList( repoIdToken, new List <IdentityDescriptor> { userIdentity.Descriptor }, true); var gitVersionControlPermissions = new List <Permission>(); foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries) { if (0 != ace.Allow) { var allowedVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.Allow).ToString(); gitVersionControlPermissions.AddRange( Helpers.GetActionDetailsByName(allowedVersionControlPermissions, "Allow", PermissionScope.GitSourceControl)); } if (0 != ace.Deny) { var denyVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.Deny).ToString(); gitVersionControlPermissions.AddRange( Helpers.GetActionDetailsByName(denyVersionControlPermissions, "Deny", PermissionScope.GitSourceControl)); } } if (gitVersionControlPermissions.Count == 0) { foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries) { if (0 != ace.ExtendedInfo.EffectiveAllow) { var allowedVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.ExtendedInfo.EffectiveAllow).ToString(); gitVersionControlPermissions.AddRange( Helpers.GetActionDetailsByName(allowedVersionControlPermissions, "Allow", PermissionScope.GitSourceControl)); } if (0 != ace.ExtendedInfo.EffectiveDeny) { var denyVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.ExtendedInfo.EffectiveDeny).ToString(); gitVersionControlPermissions.AddRange( Helpers.GetActionDetailsByName(denyVersionControlPermissions, "Deny", PermissionScope.GitSourceControl)); } } } foreach (string group in groups) { TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(IdentitySearchFactor.Identifier, group, MembershipQuery.None, ReadIdentityOptions.IncludeReadFromSource); AccessControlList groupAccessList = gitVersionControlSecurityNamespace.QueryAccessControlList( repoIdToken, new List <IdentityDescriptor> { groupIdentity.Descriptor }, true); foreach (AccessControlEntry ace in groupAccessList.AccessControlEntries) { if (0 != ace.Allow) { var allowedPermissions = ((EnumrationsList.GitPermissions)ace.Allow).ToString(); var permissionsList = Helpers.GetActionDetailsByName(allowedPermissions, "Inherited Allow", PermissionScope.GitSourceControl); Helpers.AppendGroupInheritanceInformation(permissionsList, groupIdentity.DisplayName); gitVersionControlPermissions.AddRange(permissionsList); } if (0 != ace.Deny) { var denyPermissions = ((EnumrationsList.GitPermissions)ace.Deny).ToString(); var permissionsList = Helpers.GetActionDetailsByName(denyPermissions, "Inherited Deny", PermissionScope.GitSourceControl); Helpers.AppendGroupInheritanceInformation(permissionsList, groupIdentity.DisplayName); gitVersionControlPermissions.AddRange(permissionsList); } } } var modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(gitVersionControlPermissions); return(modifiedPermissions); }
private static async Task Main(string[] args) { Console.WriteLine("Please enter the following details to list all of the team members in all of the projects in the collection/instance"); Console.WriteLine(); Console.Write("Azure DevOps Instance/Collection URL: "); var url = Console.ReadLine(); Console.Write("Personal Access Token (PAT): "); var pat = Console.ReadLine(); VssBasicCredential vssBasicCredential = new VssBasicCredential(pat, pat); using (TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(new Uri(url), vssBasicCredential)) { tpc.Authenticate(); Console.WriteLine(); Console.Write("Instance/Collection Display Name: "); Console.WriteLine(tpc.DisplayName); Console.Write("Instance/Collection ID: "); Console.WriteLine(tpc.InstanceId); Console.WriteLine(); var data = new List <ProjectTeamMember>(); var log = new StringBuilder(); var workItemStore = tpc.GetService <WorkItemStore>(); var teamService = tpc.GetService <TfsTeamService>(); // Get security namespace for the project collection. ISecurityService securityService = tpc.GetService <ISecurityService>(); SecurityNamespace securityNamespace = securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId); var projects = workItemStore.Projects; foreach (Project project in projects) { log.AppendLine($"PROJECT: {project.Name}"); Console.WriteLine($"PROJECT: {project.Name}"); var teams = teamService.QueryTeams(project.Uri.ToString()); foreach (var team in teams) { log.AppendLine($"\tTEAM: {team.Name}"); Console.WriteLine($"\tTEAM: {team.Name}"); var members = team.GetMembers(tpc, MembershipQuery.Expanded); string token = IdentityHelper.CreateSecurityToken(team.Identity); // Retrieve an ACL object for all the team members. AccessControlList acl = securityNamespace.QueryAccessControlList(token, members.Select(m => m.Descriptor), true); // Retrieve the team administrator SIDs by querying the ACL entries. var entries = acl.AccessControlEntries; var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier); // Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs. var adminIdentities = members.Where(m => admins.Contains(m.Descriptor.Identifier)); foreach (var member in members) { var isAdmin = adminIdentities.Any(i => i == member); var isAdminText = isAdmin ? " [ADMIN]" : string.Empty; log.AppendLine($"\t\tACCOUNT: {member.DisplayName} {isAdminText}"); Console.WriteLine($"\t\tACCOUNT: {member.DisplayName} {isAdminText}"); var projectTeamMember = new ProjectTeamMember { ProjectId = project.Id, ProjectName = project.Name, TeamId = team.Identity.TeamFoundationId, TeamName = team.Name, MemberId = member.TeamFoundationId, MemberName = member.DisplayName, IsTeamAdmin = isAdmin }; data.Add(projectTeamMember); } } Console.WriteLine(); } File.AppendAllText($"{tpc.InstanceId}.{DateTime.Now.ToString("yyyyMMddhhmmss")}.txt", log.ToString()); using (var writer = new StreamWriter($"{tpc.InstanceId}.{DateTime.Now.ToString("yyyyMMddhhmmss")}.csv")) using (var csv = new CsvWriter(writer)) { csv.WriteRecords(data); } } Console.ReadLine(); }