/// <summary cref="ICertificateStore.GetAccessRules()" />
public IList <ApplicationAccessRule> GetAccessRules()
{
lock (m_lock)
{
return(ApplicationAccessRule.GetAccessRules(m_certificateSubdir.FullName));
}
}
/// <summary cref="ICertificateStore.SetAccessRules(IList{ApplicationAccessRule},bool)" />
public void SetAccessRules(IList <ApplicationAccessRule> rules, bool replaceExisting)
{
lock (m_lock)
{
ApplicationAccessRule.SetAccessRules(m_certificateSubdir.FullName, rules, replaceExisting);
if (String.Compare(m_certificateSubdir.FullName, m_privateKeySubdir.FullName, StringComparison.OrdinalIgnoreCase) != 0)
{
ApplicationAccessRule.SetAccessRules(m_privateKeySubdir.FullName, rules, replaceExisting);
}
}
}
/// <summary cref="ICertificateStore.SetAccessRules(string, IList{ApplicationAccessRule},bool)" />
public void SetAccessRules(string thumbprint, IList <ApplicationAccessRule> rules, bool replaceExisting)
{
lock (m_lock) {
Entry entry = Find(thumbprint);
if (entry == null)
{
throw new ArgumentException("Certificate does not exist in store.");
}
if (entry.PrivateKeyFile != null && entry.PrivateKeyFile.Exists)
{
ApplicationAccessRule.SetAccessRules(entry.PrivateKeyFile.FullName, rules, replaceExisting);
}
}
}
/// <summary cref="ICertificateStore.GetAccessRules(string)" />
public IList <ApplicationAccessRule> GetAccessRules(string thumbprint)
{
lock (m_lock) {
Entry entry = Find(thumbprint);
if (entry == null)
{
throw new ArgumentException("Certificate does not exist in store.");
}
if (entry.PrivateKeyFile == null || !entry.PrivateKeyFile.Exists)
{
throw new ArgumentException("Certificate does not have a private key in the store.");
}
return(ApplicationAccessRule.GetAccessRules(entry.PrivateKeyFile.FullName));
}
}
/// <summary>
/// Gets the application access rules implied by the access rights to the file.
/// </summary>
public static IList <ApplicationAccessRule> GetAccessRules(String filePath)
{
// get the current permissions from the file or directory.
FileSystemSecurity security = null;
FileInfo fileInfo = new FileInfo(filePath);
DirectoryInfo directoryInfo = null;
if (!fileInfo.Exists)
{
directoryInfo = new DirectoryInfo(filePath);
if (!directoryInfo.Exists)
{
throw new FileNotFoundException("File or directory does not exist.", filePath);
}
security = directoryInfo.GetAccessControl(AccessControlSections.Access);
}
else
{
security = fileInfo.GetAccessControl(AccessControlSections.Access);
}
// combine the access rules into a set of abstract application rules.
List <ApplicationAccessRule> accessRules = new List <ApplicationAccessRule>();
AuthorizationRuleCollection authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
// only care about file system rules.
if (accessRule == null)
{
continue;
}
ApplicationAccessRule rule = new ApplicationAccessRule();
rule.RuleType = ApplicationAccessRule.Convert(accessRule.AccessControlType);
rule.IdentityName = accessRule.IdentityReference.Value;
rule.Right = ApplicationAccessRight.None;
// create an allow rule.
if (rule.RuleType == AccessControlType.Allow)
{
// check if all rights required for configuration access exist.
if (((int)accessRule.FileSystemRights & (int)Configure) == (int)Configure)
{
rule.Right = ApplicationAccessRight.Configure;
}
// check if all rights required for update access exist.
else if (((int)accessRule.FileSystemRights & (int)Update) == (int)Update)
{
rule.Right = ApplicationAccessRight.Update;
}
// check if all rights required for read access exist.
else if (((int)accessRule.FileSystemRights & (int)Read) == (int)Read)
{
rule.Right = ApplicationAccessRight.Run;
}
}
// create a deny rule.
else if (rule.RuleType == AccessControlType.Deny)
{
// check if any rights required for read access are denied.
if (((int)accessRule.FileSystemRights & (int)Read) != 0)
{
rule.Right = ApplicationAccessRight.Run;
}
// check if any rights required for update access are denied.
else if (((int)accessRule.FileSystemRights & (int)Update) != 0)
{
rule.Right = ApplicationAccessRight.Update;
}
// check if any rights required for configure access are denied.
else if (((int)accessRule.FileSystemRights & (int)Configure) != 0)
{
rule.Right = ApplicationAccessRight.Configure;
}
}
// add rule if not trivial.
if (rule.Right != ApplicationAccessRight.None)
{
accessRules.Add(rule);
}
}
return(accessRules);
}
/// <summary>
/// Gets the application access rules implied by the access rights to the file.
/// </summary>
public static void SetAccessRules(String filePath, IList <ApplicationAccessRule> accessRules, bool replaceExisting)
{
// get the current permissions from the file or directory.
FileSystemSecurity security = null;
FileInfo fileInfo = new FileInfo(filePath);
DirectoryInfo directoryInfo = null;
if (!fileInfo.Exists)
{
directoryInfo = new DirectoryInfo(filePath);
if (!directoryInfo.Exists)
{
throw new FileNotFoundException("File or directory does not exist.", filePath);
}
security = directoryInfo.GetAccessControl(AccessControlSections.Access);
}
else
{
security = fileInfo.GetAccessControl(AccessControlSections.Access);
}
if (replaceExisting)
{
// can't use inhieritance when setting permissions
security.SetAccessRuleProtection(true, false);
// remove all existing access rules.
AuthorizationRuleCollection authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
// only care about file system rules.
if (accessRule == null)
{
continue;
}
security.RemoveAccessRule(accessRule);
}
}
// allow children to inherit rules for directories.
InheritanceFlags flags = InheritanceFlags.None;
if (directoryInfo != null)
{
flags = InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit;
}
// add the new rules.
for (int ii = 0; ii < accessRules.Count; ii++)
{
ApplicationAccessRule applicationRule = accessRules[ii];
IdentityReference identityReference = applicationRule.IdentityReference;
if (identityReference == null)
{
if (applicationRule.IdentityName.StartsWith("S-"))
{
SecurityIdentifier sid = new SecurityIdentifier(applicationRule.IdentityName);
if (!sid.IsValidTargetType(typeof(NTAccount)))
{
continue;
}
identityReference = sid.Translate(typeof(NTAccount));
}
else
{
identityReference = new NTAccount(applicationRule.IdentityName);
}
}
FileSystemAccessRule fileRule = null;
switch (applicationRule.Right)
{
case ApplicationAccessRight.Run:
{
fileRule = new FileSystemAccessRule(
identityReference,
(applicationRule.RuleType == AccessControlType.Allow) ? Read : Configure,
flags,
PropagationFlags.None,
ApplicationAccessRule.Convert(applicationRule.RuleType));
break;
}
case ApplicationAccessRight.Update:
{
fileRule = new FileSystemAccessRule(
identityReference,
(applicationRule.RuleType == AccessControlType.Allow) ? Update : ConfigureOnly | UpdateOnly,
flags,
PropagationFlags.None,
ApplicationAccessRule.Convert(applicationRule.RuleType));
security.SetAccessRule(fileRule);
break;
}
case ApplicationAccessRight.Configure:
{
fileRule = new FileSystemAccessRule(
identityReference,
(applicationRule.RuleType == AccessControlType.Allow) ? Configure : ConfigureOnly,
flags,
PropagationFlags.None,
ApplicationAccessRule.Convert(applicationRule.RuleType));
break;
}
}
try
{
security.SetAccessRule(fileRule);
}
catch (Exception e)
{
Utils.Trace(
"Could not set access rule for account '{0}' on file '{1}'. Error={2}",
applicationRule.IdentityName,
filePath,
e.Message);
}
}
if (directoryInfo != null)
{
directoryInfo.SetAccessControl((DirectorySecurity)security);
return;
}
fileInfo.SetAccessControl((FileSecurity)security);
}
/// <summary>
/// Gets the access rules to use for the application.
/// </summary>
private List<ApplicationAccessRule> GetAccessRules()
{
List<ApplicationAccessRule> rules = new List<ApplicationAccessRule>();
// check for rules specified in the installer configuration.
bool hasAdmin = false;
if (InstallConfig.AccessRules != null)
{
for (int ii = 0; ii < InstallConfig.AccessRules.Count; ii++)
{
ApplicationAccessRule rule = InstallConfig.AccessRules[ii];
if (rule.Right == ApplicationAccessRight.Configure && rule.RuleType == AccessControlType.Allow)
{
hasAdmin = true;
break;
}
}
rules = InstallConfig.AccessRules;
}
// provide some default rules.
if (rules.Count == 0)
{
// give user run access.
ApplicationAccessRule rule = new ApplicationAccessRule();
rule.RuleType = AccessControlType.Allow;
rule.Right = ApplicationAccessRight.Run;
rule.IdentityName = WellKnownSids.Users;
rules.Add(rule);
// ensure service can access.
if (InstallConfig.InstallAsService)
{
rule = new ApplicationAccessRule();
rule.RuleType = AccessControlType.Allow;
rule.Right = ApplicationAccessRight.Run;
rule.IdentityName = WellKnownSids.NetworkService;
rules.Add(rule);
rule = new ApplicationAccessRule();
rule.RuleType = AccessControlType.Allow;
rule.Right = ApplicationAccessRight.Run;
rule.IdentityName = WellKnownSids.LocalService;
rules.Add(rule);
}
}
// ensure someone can change the configuration later.
if (!hasAdmin)
{
ApplicationAccessRule rule = new ApplicationAccessRule();
rule.RuleType = AccessControlType.Allow;
rule.Right = ApplicationAccessRight.Configure;
rule.IdentityName = WellKnownSids.Administrators;
rules.Add(rule);
}
return rules;
}
/// <summary>
/// Gets the application access rules implied by the access rights to the file.
/// </summary>
public static IList<ApplicationAccessRule> GetAccessRules(String filePath)
{
// get the current permissions from the file or directory.
FileSystemSecurity security = null;
FileInfo fileInfo = new FileInfo(filePath);
DirectoryInfo directoryInfo = null;
if (!fileInfo.Exists)
{
directoryInfo = new DirectoryInfo(filePath);
if (!directoryInfo.Exists)
{
throw new FileNotFoundException("File or directory does not exist.", filePath);
}
security = directoryInfo.GetAccessControl(AccessControlSections.Access);
}
else
{
security = fileInfo.GetAccessControl(AccessControlSections.Access);
}
// combine the access rules into a set of abstract application rules.
List<ApplicationAccessRule> accessRules = new List<ApplicationAccessRule>();
AuthorizationRuleCollection authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
for (int ii = 0; ii < authorizationRules.Count; ii++)
{
FileSystemAccessRule accessRule = authorizationRules[ii] as FileSystemAccessRule;
// only care about file system rules.
if (accessRule == null)
{
continue;
}
ApplicationAccessRule rule = new ApplicationAccessRule();
rule.RuleType = ApplicationAccessRule.Convert(accessRule.AccessControlType);
rule.IdentityName = accessRule.IdentityReference.Value;
rule.Right = ApplicationAccessRight.None;
// create an allow rule.
if (rule.RuleType == AccessControlType.Allow)
{
// check if all rights required for configuration access exist.
if (((int)accessRule.FileSystemRights & (int)Configure) == (int)Configure)
{
rule.Right = ApplicationAccessRight.Configure;
}
// check if all rights required for update access exist.
else if (((int)accessRule.FileSystemRights & (int)Update) == (int)Update)
{
rule.Right = ApplicationAccessRight.Update;
}
// check if all rights required for read access exist.
else if (((int)accessRule.FileSystemRights & (int)Read) == (int)Read)
{
rule.Right = ApplicationAccessRight.Run;
}
}
// create a deny rule.
else if (rule.RuleType == AccessControlType.Deny)
{
// check if any rights required for read access are denied.
if (((int)accessRule.FileSystemRights & (int)Read) != 0)
{
rule.Right = ApplicationAccessRight.Run;
}
// check if any rights required for update access are denied.
else if (((int)accessRule.FileSystemRights & (int)Update) != 0)
{
rule.Right = ApplicationAccessRight.Update;
}
// check if any rights required for configure access are denied.
else if (((int)accessRule.FileSystemRights & (int)Configure) != 0)
{
rule.Right = ApplicationAccessRight.Configure;
}
}
// add rule if not trivial.
if (rule.Right != ApplicationAccessRight.None)
{
accessRules.Add(rule);
}
}
return accessRules;
}
