/// <summary cref="ICertificateStore.GetAccessRules()" />
/// <remarks>
/// Reads the rules from the certificate directory only; the private key directory is not consulted here.
/// </remarks>
public IList<ApplicationAccessRule> GetAccessRules()
{
    lock (m_lock)
    {
        var certificateDirectory = m_certificateSubdir.FullName;
        return ApplicationAccessRule.GetAccessRules(certificateDirectory);
    }
}
/// <summary cref="ICertificateStore.SetAccessRules(IList{ApplicationAccessRule},bool)" />
/// <remarks>
/// Applies the rules to the certificate directory and, when it is a different directory
/// (ordinal, case-insensitive path comparison), to the private key directory as well.
/// </remarks>
public void SetAccessRules(IList<ApplicationAccessRule> rules, bool replaceExisting)
{
    lock (m_lock)
    {
        var certificateDirectory = m_certificateSubdir.FullName;
        var privateKeyDirectory = m_privateKeySubdir.FullName;

        ApplicationAccessRule.SetAccessRules(certificateDirectory, rules, replaceExisting);

        // Both kinds of file may live in the same folder; don't apply the rules twice.
        var sameDirectory = string.Equals(certificateDirectory, privateKeyDirectory, StringComparison.OrdinalIgnoreCase);

        if (!sameDirectory)
        {
            ApplicationAccessRule.SetAccessRules(privateKeyDirectory, rules, replaceExisting);
        }
    }
}
/// <summary cref="ICertificateStore.SetAccessRules(string, IList{ApplicationAccessRule},bool)" />
/// <remarks>
/// Only the private key file of the certificate is touched. A missing certificate is reported,
/// but an entry whose private key file is absent from disk is silently left unchanged.
/// </remarks>
public void SetAccessRules(string thumbprint, IList<ApplicationAccessRule> rules, bool replaceExisting)
{
    lock (m_lock)
    {
        var entry = Find(thumbprint);

        if (entry == null)
        {
            throw new ArgumentException("Certificate does not exist in store.");
        }

        var privateKeyFile = entry.PrivateKeyFile;
        var hasPrivateKey = privateKeyFile != null && privateKeyFile.Exists;

        if (hasPrivateKey)
        {
            ApplicationAccessRule.SetAccessRules(privateKeyFile.FullName, rules, replaceExisting);
        }
    }
}
/// <summary cref="ICertificateStore.GetAccessRules(string)" />
/// <remarks>
/// Rules are read from the private key file only, so a certificate without a private key
/// file in the store is rejected rather than reported as having no rules.
/// </remarks>
public IList<ApplicationAccessRule> GetAccessRules(string thumbprint)
{
    lock (m_lock)
    {
        var entry = Find(thumbprint);

        if (entry == null)
        {
            throw new ArgumentException("Certificate does not exist in store.");
        }

        var privateKeyFile = entry.PrivateKeyFile;
        var hasPrivateKey = privateKeyFile != null && privateKeyFile.Exists;

        if (!hasPrivateKey)
        {
            throw new ArgumentException("Certificate does not have a private key in the store.");
        }

        return ApplicationAccessRule.GetAccessRules(privateKeyFile.FullName);
    }
}
/// <summary>
/// Gets the application access rules implied by the access rights to the file.
/// </summary>
/// <param name="filePath">Path of a file or directory whose access control list is inspected.</param>
/// <returns>
/// One abstract rule per file-system access rule (explicit or inherited) that maps to a
/// non-trivial application right; entries that map to <c>ApplicationAccessRight.None</c> are dropped.
/// </returns>
/// <exception cref="FileNotFoundException">Neither a file nor a directory exists at <paramref name="filePath"/>.</exception>
public static IList<ApplicationAccessRule> GetAccessRules(String filePath)
{
    // Read the access section of whichever object exists at the path; a file wins over a directory.
    FileSystemSecurity security;
    var fileInfo = new FileInfo(filePath);

    if (fileInfo.Exists)
    {
        security = fileInfo.GetAccessControl(AccessControlSections.Access);
    }
    else
    {
        var directoryInfo = new DirectoryInfo(filePath);

        if (!directoryInfo.Exists)
        {
            throw new FileNotFoundException("File or directory does not exist.", filePath);
        }

        security = directoryInfo.GetAccessControl(AccessControlSections.Access);
    }

    var result = new List<ApplicationAccessRule>();

    // Explicit and inherited rules, with identities resolved to NT account names.
    foreach (object item in security.GetAccessRules(true, true, typeof(NTAccount)))
    {
        var fileRule = item as FileSystemAccessRule;

        if (fileRule == null)
        {
            continue;
        }

        int rightsMask = (int)fileRule.FileSystemRights;
        Func<int, bool> hasAll = mask => (rightsMask & mask) == mask;
        Func<int, bool> hasAny = mask => (rightsMask & mask) != 0;

        var ruleType = ApplicationAccessRule.Convert(fileRule.AccessControlType);
        var identityName = fileRule.IdentityReference.Value;
        var right = ApplicationAccessRight.None;

        if (ruleType == AccessControlType.Allow)
        {
            // An allow maps to the strongest level whose complete rights mask is granted.
            if (hasAll((int)Configure))
            {
                right = ApplicationAccessRight.Configure;
            }
            else if (hasAll((int)Update))
            {
                right = ApplicationAccessRight.Update;
            }
            else if (hasAll((int)Read))
            {
                right = ApplicationAccessRight.Run;
            }
        }
        else if (ruleType == AccessControlType.Deny)
        {
            // A deny maps to the weakest level of which any single right is withheld.
            if (hasAny((int)Read))
            {
                right = ApplicationAccessRight.Run;
            }
            else if (hasAny((int)Update))
            {
                right = ApplicationAccessRight.Update;
            }
            else if (hasAny((int)Configure))
            {
                right = ApplicationAccessRight.Configure;
            }
        }

        if (right == ApplicationAccessRight.None)
        {
            continue;
        }

        result.Add(new ApplicationAccessRule
        {
            RuleType = ruleType,
            IdentityName = identityName,
            Right = right
        });
    }

    return result;
}
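/// <summary>
/// Applies a set of abstract application access rules to a file or directory as file-system access rules.
/// </summary>
/// <param name="filePath">Path of an existing file or directory.</param>
/// <param name="accessRules">
/// The rules to apply. A rule is skipped when it is null, when its identity cannot be resolved to an
/// NT account, or when its <c>Right</c> is not Run, Update or Configure.
/// </param>
/// <param name="replaceExisting">
/// When true, inheritance from the parent is switched off and every existing access rule is removed
/// before the new rules are added, so afterwards the object carries only the rules given here.
/// </param>
/// <exception cref="ArgumentNullException"><paramref name="accessRules"/> is null.</exception>
/// <exception cref="FileNotFoundException">Neither a file nor a directory exists at <paramref name="filePath"/>.</exception>
/// <remarks>
/// A failure to set an individual rule is traced and does not abort the call. Together with
/// <paramref name="replaceExisting"/> this means a rule set that fails to apply in full can leave
/// the object with fewer rules than intended, possibly none; callers should include at least one
/// rule that keeps an account able to manage the object.
/// Rules on a directory are created with object and container inheritance so children pick them up.
/// </remarks>
public static void SetAccessRules(String filePath, IList<ApplicationAccessRule> accessRules, bool replaceExisting)
{
    if (accessRules == null)
    {
        throw new ArgumentNullException("accessRules");
    }

    // Locate the target and read its current access rules; a file wins over a directory of the same name.
    FileSystemSecurity security;
    FileInfo fileInfo = new FileInfo(filePath);
    DirectoryInfo directoryInfo = null;

    if (fileInfo.Exists)
    {
        security = fileInfo.GetAccessControl(AccessControlSections.Access);
    }
    else
    {
        directoryInfo = new DirectoryInfo(filePath);

        if (!directoryInfo.Exists)
        {
            throw new FileNotFoundException("File or directory does not exist.", filePath);
        }

        security = directoryInfo.GetAccessControl(AccessControlSections.Access);
    }

    if (replaceExisting)
    {
        // Inherited rules cannot be removed one by one, so cut inheritance first (without
        // copying the inherited rules) and then drop every remaining explicit rule.
        security.SetAccessRuleProtection(true, false);

        AuthorizationRuleCollection existingRules = security.GetAccessRules(true, true, typeof(NTAccount));

        for (int ii = 0; ii < existingRules.Count; ii++)
        {
            FileSystemAccessRule existingRule = existingRules[ii] as FileSystemAccessRule;

            if (existingRule != null)
            {
                security.RemoveAccessRule(existingRule);
            }
        }
    }

    // Rules on a directory should flow down to the files and subdirectories it contains.
    InheritanceFlags flags = InheritanceFlags.None;

    if (directoryInfo != null)
    {
        flags = InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit;
    }

    for (int ii = 0; ii < accessRules.Count; ii++)
    {
        ApplicationAccessRule applicationRule = accessRules[ii];

        if (applicationRule == null)
        {
            continue;
        }

        IdentityReference identityReference = ResolveIdentityReference(applicationRule);

        if (identityReference == null)
        {
            continue;
        }

        FileSystemAccessRule fileRule = CreateFileSystemAccessRule(applicationRule, identityReference, flags);

        if (fileRule == null)
        {
            // Right is None or an unknown value: there is nothing to express as a file-system rule.
            continue;
        }

        try
        {
            security.SetAccessRule(fileRule);
        }
        catch (Exception e)
        {
            // Best effort: one unusable rule must not prevent the remaining rules from being applied.
            Utils.Trace(
                "Could not set access rule for account '{0}' on file '{1}'. Error={2}",
                applicationRule.IdentityName,
                filePath,
                e.Message);
        }
    }

    // Persist the modified access rules on the object they were read from.
    if (directoryInfo != null)
    {
        directoryInfo.SetAccessControl((DirectorySecurity)security);
        return;
    }

    fileInfo.SetAccessControl((FileSecurity)security);
}

// Resolves the principal an application rule refers to; null when it cannot be expressed as an NT account.
private static IdentityReference ResolveIdentityReference(ApplicationAccessRule applicationRule)
{
    if (applicationRule.IdentityReference != null)
    {
        return applicationRule.IdentityReference;
    }

    string identityName = applicationRule.IdentityName;

    if (String.IsNullOrEmpty(identityName))
    {
        return null;
    }

    // An SDDL string ("S-...") is translated to an account name; anything else is taken as a name.
    if (identityName.StartsWith("S-", StringComparison.Ordinal))
    {
        SecurityIdentifier sid = new SecurityIdentifier(identityName);

        if (!sid.IsValidTargetType(typeof(NTAccount)))
        {
            return null;
        }

        return sid.Translate(typeof(NTAccount));
    }

    return new NTAccount(identityName);
}

// Maps an application right to the file-system rights mask for its rule type; null for rights with no mapping.
private static FileSystemAccessRule CreateFileSystemAccessRule(ApplicationAccessRule applicationRule, IdentityReference identityReference, InheritanceFlags flags)
{
    bool allow = applicationRule.RuleType == AccessControlType.Allow;
    FileSystemRights rights;

    // An allow grants the mask its level needs. A deny uses the wider mask, presumably so that
    // denying a level also denies the levels above it - confirm against the mask constants.
    switch (applicationRule.Right)
    {
        case ApplicationAccessRight.Run:
            rights = allow ? Read : Configure;
            break;

        case ApplicationAccessRight.Update:
            rights = allow ? Update : (ConfigureOnly | UpdateOnly);
            break;

        case ApplicationAccessRight.Configure:
            rights = allow ? Configure : ConfigureOnly;
            break;

        default:
            return null;
    }

    return new FileSystemAccessRule(
        identityReference,
        rights,
        flags,
        PropagationFlags.None,
        ApplicationAccessRule.Convert(applicationRule.RuleType));
}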
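/// <summary>
/// Gets the access rules to use for the application.
/// </summary>
/// <returns>
/// A new list holding the rules from <c>InstallConfig.AccessRules</c> when any are configured;
/// otherwise a default set that allows Run for Users and, when installing as a service, for
/// NetworkService and LocalService. An allow/Configure rule for Administrators is appended unless
/// a configured rule already allows Configure.
/// </returns>
/// <remarks>
/// The configured collection is copied rather than returned, so the defaults added here never
/// leak back into <c>InstallConfig.AccessRules</c>.
/// </remarks>
private List<ApplicationAccessRule> GetAccessRules()
{
    List<ApplicationAccessRule> rules = new List<ApplicationAccessRule>();
    bool hasAdmin = false;

    // Start from the rules in the installer configuration, if any.
    var configured = InstallConfig.AccessRules;

    if (configured != null)
    {
        for (int ii = 0; ii < configured.Count; ii++)
        {
            ApplicationAccessRule rule = configured[ii];

            if (rule == null)
            {
                continue;
            }

            if (rule.Right == ApplicationAccessRight.Configure && rule.RuleType == AccessControlType.Allow)
            {
                hasAdmin = true;
            }

            rules.Add(rule);
        }
    }

    if (rules.Count == 0)
    {
        // Nothing configured: let ordinary users run the application.
        rules.Add(new ApplicationAccessRule
        {
            RuleType = AccessControlType.Allow,
            Right = ApplicationAccessRight.Run,
            IdentityName = WellKnownSids.Users
        });

        // The service accounts must be able to run it too when installed as a service.
        if (InstallConfig.InstallAsService)
        {
            rules.Add(new ApplicationAccessRule
            {
                RuleType = AccessControlType.Allow,
                Right = ApplicationAccessRight.Run,
                IdentityName = WellKnownSids.NetworkService
            });

            rules.Add(new ApplicationAccessRule
            {
                RuleType = AccessControlType.Allow,
                Right = ApplicationAccessRight.Run,
                IdentityName = WellKnownSids.LocalService
            });
        }
    }

    // Somebody must remain able to change the configuration later.
    if (!hasAdmin)
    {
        rules.Add(new ApplicationAccessRule
        {
            RuleType = AccessControlType.Allow,
            Right = ApplicationAccessRight.Configure,
            IdentityName = WellKnownSids.Administrators
        });
    }

    return rules;
}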
/// <summary>
/// Gets the application access rules implied by the access rights to the file.
/// </summary>
/// <param name="filePath">Path of a file or directory whose access control list is inspected.</param>
/// <returns>
/// One abstract rule per file-system access rule (explicit or inherited) that maps to a
/// non-trivial application right; entries that map to <c>ApplicationAccessRight.None</c> are dropped.
/// </returns>
/// <exception cref="FileNotFoundException">Neither a file nor a directory exists at <paramref name="filePath"/>.</exception>
public static IList<ApplicationAccessRule> GetAccessRules(String filePath)
{
    FileInfo fileInfo = new FileInfo(filePath);
    DirectoryInfo directoryInfo = fileInfo.Exists ? null : new DirectoryInfo(filePath);

    if (directoryInfo != null && !directoryInfo.Exists)
    {
        throw new FileNotFoundException("File or directory does not exist.", filePath);
    }

    // The access rules come from whichever kind of object is present at the path.
    FileSystemSecurity security = directoryInfo != null
        ? (FileSystemSecurity)directoryInfo.GetAccessControl(AccessControlSections.Access)
        : fileInfo.GetAccessControl(AccessControlSections.Access);

    AuthorizationRuleCollection authorizationRules = security.GetAccessRules(true, true, typeof(NTAccount));
    List<ApplicationAccessRule> result = new List<ApplicationAccessRule>(authorizationRules.Count);

    for (int index = 0; index < authorizationRules.Count; index++)
    {
        FileSystemAccessRule fileRule = authorizationRules[index] as FileSystemAccessRule;

        // Only file-system rules carry a rights mask we can interpret.
        if (fileRule == null)
        {
            continue;
        }

        int rightsMask = (int)fileRule.FileSystemRights;

        ApplicationAccessRule rule = new ApplicationAccessRule();
        rule.RuleType = ApplicationAccessRule.Convert(fileRule.AccessControlType);
        rule.IdentityName = fileRule.IdentityReference.Value;
        rule.Right = ApplicationAccessRight.None;

        switch (rule.RuleType)
        {
            case AccessControlType.Allow:
                // Strongest level whose complete rights mask is granted.
                if ((rightsMask & (int)Configure) == (int)Configure)
                {
                    rule.Right = ApplicationAccessRight.Configure;
                }
                else if ((rightsMask & (int)Update) == (int)Update)
                {
                    rule.Right = ApplicationAccessRight.Update;
                }
                else if ((rightsMask & (int)Read) == (int)Read)
                {
                    rule.Right = ApplicationAccessRight.Run;
                }
                break;

            case AccessControlType.Deny:
                // Weakest level of which any single right is withheld.
                if ((rightsMask & (int)Read) != 0)
                {
                    rule.Right = ApplicationAccessRight.Run;
                }
                else if ((rightsMask & (int)Update) != 0)
                {
                    rule.Right = ApplicationAccessRight.Update;
                }
                else if ((rightsMask & (int)Configure) != 0)
                {
                    rule.Right = ApplicationAccessRight.Configure;
                }
                break;
        }

        if (rule.Right != ApplicationAccessRight.None)
        {
            result.Add(rule);
        }
    }

    return result;
}