public void SecurityNamespaceTests_Constructor()
{
// Arrange
var obj = BaseTests.LoadJson("Get-VSTeamSecurityNamespace.json");
// Act
var target = new SecurityNamespace(obj[0]);
// Assert
Assert.AreEqual("Analytics", target.Name, "Name");
Assert.IsNull(target.ExtensionType, "ExtensionType");
Assert.AreEqual(false, target.IsRemotable, "IsRemotable");
Assert.AreEqual(30, target.SystemBitMask, "SystemBitMask");
Assert.AreEqual(-1, target.ElementLength, "ElementLength");
Assert.AreEqual(1, target.ReadPermission, "ReadPermission");
Assert.AreEqual("/", target.SeparatorValue, "SeparatorValue");
Assert.AreEqual("1", target.StructureValue, "StructureValue");
Assert.AreEqual(2, target.WritePermission, "WritePermission");
Assert.AreEqual("Analytics", target.DisplayName, "DisplayName");
Assert.AreEqual(false, target.UseTokenTranslator, "UseTokenTranslator");
Assert.AreEqual("Default", target.DataspaceCategory, "DataspaceCategory");
Assert.AreEqual("Analytics", target.ToString(), "ToString()");
Assert.IsNotNull(target.Actions, "Actions");
Assert.AreEqual(5, target.Actions.Count, "Actions.Count");
Assert.AreEqual(1, target.Actions[0].Bit, "Actions[0].Bit");
Assert.AreEqual("Read", target.Actions[0].Name, "Actions[0].Name");
Assert.AreEqual(Guid.Empty, target.Actions[0].NamespaceId, "Actions[0].NamespaceId");
Assert.AreEqual("View analytics", target.Actions[0].DisplayName, "Actions[0].DisplayName");
}
/////// <summary>
/////// Extracts work item permissions for a specific identity
/////// </summary>
/////// <param name="server">Server security service</param>
/////// <param name="projectSecurityToken">Project Security Token</param>
/////// <param name="userIdentity">User identity</param>
/////// <returns>The list of the permissions</returns>
////private static List<Permission> ExtractWorkItemsPermissions(
//// ISecurityService server,
//// string projectSecurityToken,
//// TeamFoundationIdentity userIdentity)
////{
//// var result = new List<Permission>();
//// SecurityNamespace workItemsSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.WorkItemAreas, server));
//// if (workItemsSecurityNamespace != null)
//// {
//// Console.WriteLine("== Extract WorkItems Permissions ==");
//// AccessControlList workItemsAccessList = workItemsSecurityNamespace.QueryAccessControlList(
//// projectSecurityToken,
//// new List<IdentityDescriptor> { userIdentity.Descriptor },
//// true);
//// string allowedWorkItemPermissions = string.Empty;
//// string denyWorkItemPermissions = string.Empty;
//// foreach (AccessControlEntry ace in workItemsAccessList.AccessControlEntries)
//// {
//// if (0 != ace.Allow)
//// {
//// allowedWorkItemPermissions = ((QueryItemPermissions)ace.Allow).ToString();
//// result.AddRange(
//// Helpers.GetActionDetailsByName(allowedWorkItemPermissions, "Allow", PermissionScope.WorkItemAreas));
//// }
//// if (0 != ace.Deny)
//// {
//// denyWorkItemPermissions = ((QueryItemPermissions)ace.Deny).ToString();
//// result.AddRange(
//// Helpers.GetActionDetailsByName(denyWorkItemPermissions, "Deny", PermissionScope.WorkItemAreas));
//// }
//// }
//// }
//// return result;
////}
/// <summary>
/// Extracts build permissions for a specific identity.
/// </summary>
/// <param name="server">Server security service</param>
/// <param name="projectSecurityToken">Project Security Token</param>
/// <param name="userIdentity">User identity</param>
/// <returns>The list of the permissions</returns>
private static List <Permission> ExtractBuildPermissions(ISecurityService server, string projectSecurityToken, TeamFoundationIdentity userIdentity)
{
var result = new List <Permission>();
SecurityNamespace buildSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.TeamBuild, server));
Console.WriteLine("== Extract Build Permissions ==");
AccessControlList buildAccessList = buildSecurityNamespace.QueryAccessControlList(
projectSecurityToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
foreach (AccessControlEntry ace in buildAccessList.AccessControlEntries)
{
foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, false))
{
if (aclAndName.Acl != 0)
{
var allowedBuildPermissions = ((EnumerationsList.BuildPermissions)ace.Allow).ToString();
result.AddRange(
Helpers.GetActionDetailsByName(allowedBuildPermissions, aclAndName.Name,
PermissionScope.TeamBuild));
}
}
}
return(result);
}
/// <summary>
/// Extracts the generic security namespace permissions.
/// </summary>
/// <param name="server">The server.</param>
/// <param name="permissionScope">The permission scope.</param>
/// <param name="userIdentity">The user identity.</param>
/// <param name="securityToken">The security token.</param>
/// <param name="identityManagementService">The identityManagementService.</param>
/// <param name="groups">The groups.</param>
/// <returns>List of Permissions</returns>
private static List <Permission> ExtractGenericSecurityNamespacePermissions(ISecurityService server, PermissionScope permissionScope, TeamFoundationIdentity userIdentity, string securityToken, IIdentityManagementService identityManagementService, IEnumerable <string> groups)
{
SecurityNamespace genericSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(permissionScope, server));
AccessControlList userAccessList =
genericSecurityNamespace.QueryAccessControlList(
securityToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
var result = new List <Permission>();
result.AddRange(Helpers.AccessControlEntryToPermission(genericSecurityNamespace, userAccessList.AccessControlEntries, false, string.Empty));
// handle group inheritance
foreach (string group in groups)
{
TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(IdentitySearchFactor.Identifier, group, MembershipQuery.None, ReadIdentityOptions.IncludeReadFromSource);
AccessControlList groupAccessList =
genericSecurityNamespace.QueryAccessControlList(
securityToken,
new List <IdentityDescriptor> {
groupIdentity.Descriptor
},
true);
result.AddRange(Helpers.AccessControlEntryToPermission(genericSecurityNamespace, groupAccessList.AccessControlEntries, true, groupIdentity.DisplayName));
}
var modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(result);
return(modifiedPermissions);
}
public PermissionGroup GetPermissionGroup(SecurityNamespace securityNamespace)
{
var permissions = new List <Permission>();
foreach (var action in securityNamespace.Description.Actions.OrderBy(a => a.DisplayName))
{
if (!this.excludedActions.Any(p => p == action.Name))
{
permissions.Add(new Permission(this.scope, action.DisplayName, action.Name, action.Bit));
}
}
return(new PermissionGroup(this.scope, this.displayName, permissions));
}
public async Task QueryPermissionsGroupRepositorySetReturnsPermissions()
{
var namespaceId = _client.Get(SecurityNamespace.SecurityNamespaces())
.First(ns => ns.DisplayName == "Git Repositories").NamespaceId;
var applicationGroupId = (await _client.GetAsync(Requests.ApplicationGroup.ApplicationGroups(_config.Project))).Identities
.First(gi => gi.DisplayName == $"[{_config.Project}]\\Project Administrators").TeamFoundationId;
var projectId = (await _client.GetAsync(Project.Properties(_config.Project))).Id;
var permissionsGitRepositorySet = await _client.GetAsync(Requests.Permissions.PermissionsGroupRepositorySet(
projectId, namespaceId, applicationGroupId));
permissionsGitRepositorySet.ShouldNotBeNull();
permissionsGitRepositorySet.Permissions.First().ShouldNotBeNull();
}
public async Task QueryPermissionsGroupSetIdDefinitionReturnsPermissionsForSetId()
{
var permissionSetId = _client.Get(SecurityNamespace.SecurityNamespaces())
.First(ns => ns.Name == "Build").NamespaceId;
var applicationGroupId = (await _client.GetAsync(Requests.ApplicationGroup.ApplicationGroups(_config.Project))).Identities
.First(gi => gi.DisplayName == $"[{_config.Project}]\\Project Administrators").TeamFoundationId;
var projectId = (await _client.GetAsync(Project.Properties(_config.Project))).Id;
var buildDefinitions = _client.Get(Requests.Builds.BuildDefinitions(projectId));
foreach (var buildDefinition in buildDefinitions)
{
var permissionsGroupSetId = (await _client.GetAsync(Requests.Permissions.PermissionsGroupSetIdDefinition(
projectId, permissionSetId, applicationGroupId, $"{projectId}/{buildDefinition.Id}")));
permissionsGroupSetId.ShouldNotBeNull();
permissionsGroupSetId.Permissions.First().PermissionId.ShouldNotBeNull();
}
}
public IEnumerable <TeamFoundationIdentity> GetAdministrators(Microsoft.TeamFoundation.Client.TeamFoundationTeam teamFoundationTeam)
{
// Get security namespace for the project collection.
ISecurityService securityService = this.tfsTeamProjectCollection.GetService <ISecurityService>();
SecurityNamespace securityNamespace = securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
// Use reflection to retrieve a security token for the team.
MethodInfo mi = typeof(IdentityHelper).GetMethod("CreateSecurityToken");
string token = mi.Invoke(null, new object[] { teamFoundationTeam.Identity }) as string;
// Retrieve an ACL object for all the team members.
var allMembers = teamFoundationTeam.GetMembers(this.tfsTeamProjectCollection, MembershipQuery.Expanded).Where(m => !m.IsContainer);
AccessControlList acl = securityNamespace.QueryAccessControlList(token, allMembers.Select(m => m.Descriptor), true);
// Retrieve the team administrator SIDs by querying the ACL entries.
var entries = acl.AccessControlEntries;
var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier);
// Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs.
return(allMembers.Where(m => admins.Contains(m.Descriptor.Identifier)));
}
/// <summary>
/// Accesses the control entry to permission.
/// </summary>
/// <param name="securityNamespace">The security namespace.</param>
/// <param name="accessControlEntries">The access control entries.</param>
/// <param name="appendGroupInheritance">if set to <c>true</c> [append group inheritance].</param>
/// <param name="groupName">Name of the group.</param>
/// <returns>List of Permissions</returns>
public static List <Permission> AccessControlEntryToPermission(SecurityNamespace securityNamespace, IEnumerable <Microsoft.TeamFoundation.Framework.Client.AccessControlEntry> accessControlEntries, bool appendGroupInheritance, string groupName)
{
var permissionsList = new List <Permission>();
foreach (Microsoft.TeamFoundation.Framework.Client.AccessControlEntry ace in accessControlEntries)
{
if (0 != ace.Allow)
{
foreach (var action in securityNamespace.Description.Actions)
{
if ((ace.Allow & action.Bit) == action.Bit)
{
permissionsList.Add(new Permission {
DisplayName = action.DisplayName, InternalName = action.Name, Scope = PermissionScope.TeamProject, PermissionConstant = action.Name, PermissionId = 0, Value = "Allow"
});
}
}
}
if (0 != ace.Deny)
{
foreach (var action in securityNamespace.Description.Actions)
{
if ((ace.Deny & action.Bit) == action.Bit)
{
permissionsList.Add(new Permission {
DisplayName = action.DisplayName, InternalName = action.Name, Scope = PermissionScope.TeamProject, PermissionConstant = action.Name, PermissionId = 0, Value = "Deny"
});
}
}
}
}
if (appendGroupInheritance)
{
AppendGroupInheritanceInformation(permissionsList, groupName);
}
return(permissionsList);
}
public List <string> ListTeamAdministrators(string team, out string message)
{
// Retrieve the default team.
TeamFoundationTeam t = this.teamService.ReadTeam(this.projectInfo.Uri, team, null);
List <string> lst = null;
message = "";
if (t == null)
{
message = "Team [" + team + "] not found";
}
else
{
// Get security namespace for the project collection.
ISecurityService securityService = this.teamProjectCollection.GetService <ISecurityService>();
SecurityNamespace securityNamespace =
securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
// Use reflection to retrieve a security token for the team.
var token = GetTeamAdminstratorsToken(t);
// Retrieve an ACL object for all the team members.
var allMembers = t.GetMembers(this.teamProjectCollection, MembershipQuery.Expanded)
.ToArray();
AccessControlList acl =
securityNamespace.QueryAccessControlList(token, allMembers.Select(m => m.Descriptor), true);
// Retrieve the team administrator SIDs by querying the ACL entries.
var entries = acl.AccessControlEntries;
var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier);
// Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs.
var adminIdentities = allMembers.Where(m => admins.Contains(m.Descriptor.Identifier));
lst = adminIdentities.Select(i => i.DisplayName).ToList();
}
return(lst);
}
public bool RemoveTeamAdministrator(string team, string user, out string message)
{
message = string.Empty;
bool ret = true;
TeamFoundationTeam t = this.teamService.ReadTeam(this.projectInfo.Uri, team, null);
TeamFoundationIdentity i = this.identityManagementService.ReadIdentity(IdentitySearchFactor.AccountName, user, MembershipQuery.Direct, ReadIdentityOptions.None);
if (t == null)
{
message = "Team [" + team + "] not found";
ret = false;
}
if (i == null)
{
message = "User [" + user + "] not found";
ret = false;
}
if (ret)
{
this.identityManagementService.AddMemberToApplicationGroup(t.Identity.Descriptor, i.Descriptor);
message = "User removed ";
IdentityDescriptor descriptor = i.Descriptor;
string token = GetTeamAdminstratorsToken(t);
ISecurityService securityService = this.teamProjectCollection.GetService <ISecurityService>();
SecurityNamespace securityNamespace =
securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
securityNamespace.RemovePermissions(token, descriptor, 15);
}
return(ret);
}
private static IEnumerable <PermissionAssignment> GetResourcePermissions(
IReadOnlyList <Resource> resources,
SecurityNamespace @namespace,
TeamFoundationIdentity identity)
{
foreach (var descriptionAction in @namespace.Description.Actions)
{
var tokens = resources.Select(e => e.Token).ToArray();
if (!tokens.Any())
{
yield break;
}
var hasPermissions = @namespace.HasPermission(
tokens,
identity.Descriptor,
descriptionAction.Bit,
true);
for (var i = 0; i < resources.Count; i++)
{
var resource = resources[i];
var hasPermission = hasPermissions[i];
if (hasPermission)
{
yield return(new PermissionAssignment
{
Action = descriptionAction.DisplayName,
Resource = resource.Name,
Namespace = @namespace.Description.DisplayName,
Identity = identity.UniqueName
});
}
}
}
}
private static void ApplySecurityNamespacePermissions(string token, IdentityDescriptor identity, SecurityNamespace securityNamespace, IEnumerable <PermissionChange> permissions)
{
if (permissions.Where(p => p.Action != PermissionChangeAction.None).Any())
{
var allows = permissions.Where(p => p.Action == PermissionChangeAction.Allow).Aggregate(0, (sum, p) => sum += p.Permission.PermissionBit);
var denies = permissions.Where(p => p.Action == PermissionChangeAction.Deny).Aggregate(0, (sum, p) => sum += p.Permission.PermissionBit);
var inherits = permissions.Where(p => p.Action == PermissionChangeAction.Inherit).Aggregate(0, (sum, p) => sum += p.Permission.PermissionBit);
if (allows > 0 || denies > 0 || inherits > 0)
{
if (securityNamespace == null)
{
throw new InvalidOperationException("Permissions are being modified but the security namespace is not available in the current Team Project Collection.");
}
if (inherits > 0)
{
securityNamespace.RemovePermissions(token, identity, inherits);
}
if (allows > 0 || denies > 0)
{
securityNamespace.SetPermissions(token, identity, allows, denies, true);
}
}
}
}
/// <summary>
/// Sample method on how to extracts the git version control permissions.
/// </summary>
/// <param name="server">The server.</param>
/// <param name="groups">The groups.</param>
/// <param name="userIdentity">The user identity.</param>
/// <param name="projectSecurityToken">The project security token.</param>
/// <param name="identityManagementService">The identityManagementService.</param>
/// <param name="vcs">The VCS.</param>
/// <param name="gitService">The git service.</param>
/// <returns>List of Permissions</returns>
private static List <GitPermission> ExtractGitVersionControlPermissions(
ISecurityService server,
List <string> groups,
TeamFoundationIdentity userIdentity,
string projectSecurityToken,
IIdentityManagementService identityManagementService,
VersionControlServer vcs,
GitRepositoryService gitService)
{
Console.WriteLine("== Extract Git Version Control Permissions ==");
SecurityNamespace gitVersionControlSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.GitSourceControl, server));
IList <GitRepository> gitProjectRepoService = gitService.QueryRepositories(projectSecurityToken);
var groupsIdentities = new List <TeamFoundationIdentity>(groups.Count);
foreach (string group in groups)
{
TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(
IdentitySearchFactor.Identifier, group, MembershipQuery.None,
ReadIdentityOptions.IncludeReadFromSource);
groupsIdentities.Add(groupIdentity);
}
var results = new List <GitPermission>();
foreach (GitRepository repo in gitProjectRepoService)
{
string primaryBranch = (repo.DefaultBranch ?? "(no default branch)").StartsWith("refs/heads/") ?
repo.DefaultBranch.Substring(11) :
repo.DefaultBranch;
Console.WriteLine(" -- Repo: {0} branch {1}", repo.Name, primaryBranch);
// Repository Security Token is repoV2/TeamProjectId/RepositoryId
string repoIdToken = string.Format("repoV2{0}{1}{2}{3}",
gitVersionControlSecurityNamespace.Description.SeparatorValue,
repo.ProjectReference.Id,
gitVersionControlSecurityNamespace.Description.SeparatorValue,
repo.Id);
AccessControlList versionControlAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
var gitVersionControlPermissions = new List <Permission>();
foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries)
{
foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, false))
{
if (aclAndName.Acl != 0)
{
string versionControlPermissions = ((EnumerationsList.GitPermissions)aclAndName.Acl).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(versionControlPermissions, aclAndName.Name,
PermissionScope.GitSourceControl));
}
}
}
foreach (TeamFoundationIdentity groupIdentity in groupsIdentities)
{
AccessControlList groupAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
groupIdentity.Descriptor
},
true);
foreach (AccessControlEntry ace in groupAccessList.AccessControlEntries)
{
foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, true))
{
if (aclAndName.Acl != 0)
{
string versionControlPermissions = ((EnumerationsList.GitPermissions)aclAndName.Acl).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(versionControlPermissions, aclAndName.Name,
PermissionScope.GitSourceControl));
}
}
}
}
List <Permission> modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(gitVersionControlPermissions);
results.AddRange(modifiedPermissions.Select(perm => new GitPermission(perm, repo.Name, primaryBranch)));
}
return(results);
}
protected static void ProcessCollection(TfsTeamProjectCollection collection)
{
Console.WriteLine(String.Format("Processing collection {0}", collection.DisplayName));
Console.WriteLine(String.Empty);
// Get Core, security, and identity services
ISecurityService securityService = collection.GetService <ISecurityService>();
SecurityNamespace hooksSecurity = securityService.GetSecurityNamespace(ServiceHooksSecurityNamespaceId);
IIdentityManagementService2 identityService = collection.GetService <IIdentityManagementService2>();
ProjectHttpClient projectClient = collection.GetClient <ProjectHttpClient>();
IEnumerable <TeamProjectReference> projects = projectClient.GetProjects(stateFilter: Microsoft.TeamFoundation.Common.ProjectState.WellFormed).Result;
// Iterate over each project, check SH permissions, and grant if needed
foreach (var project in projects)
{
Console.WriteLine(String.Format("Project {0} ({1})", project.Name, project.Id));
var groups = identityService.ListApplicationGroups(project.Id.ToString(), ReadIdentityOptions.None, null, Microsoft.TeamFoundation.Framework.Common.IdentityPropertyScope.Both);
String adminGroupName = String.Format("vstfs:///Classification/TeamProject/{0}\\Project Administrators", project.Id);
try
{
TeamFoundationIdentity adminGroup = groups.First(g => String.Equals(g.UniqueName, adminGroupName, StringComparison.InvariantCultureIgnoreCase));
Console.WriteLine(" - Checking Project Administrators group permissions");
AccessControlEntry ace = new AccessControlEntry(adminGroup.Descriptor, 7, 0); // 7 = view, create, delete
String securityToken = "PublisherSecurity/" + project.Id;
bool hasPermission = hooksSecurity.HasPermission(securityToken, adminGroup.Descriptor, 7, false);
if (!hasPermission)
{
Console.WriteLine(" - Missing. Granting...");
hooksSecurity.SetAccessControlEntry(securityToken, ace, true);
// check permission again after granting
hasPermission = hooksSecurity.HasPermission(securityToken, adminGroup.Descriptor, 7, false);
if (hasPermission)
{
Console.WriteLine(" - Granted");
}
else
{
Console.WriteLine(" - Still does not have permission. Check to make sure it has not been explicitly denied.");
}
}
else
{
Console.WriteLine(" - Already has permission");
}
}
catch (Exception ex)
{
Console.WriteLine(String.Format("Admin group: Not found! ({0})", ex.Message));
}
Console.WriteLine("");
}
}
private static readonly string SpecialGroupName = "Service Hooks Administrators"; // assumed to be a collection-level group containing people that will have management permissions for SH in each project
public void Run(Uri collectionUri)
{
Console.WriteLine("Utility to remove Service Hooks management permissions from the Project Administrators groups.");
Console.WriteLine("");
Console.WriteLine(" All projects in account/collection: " + collectionUri);
Console.WriteLine("");
Console.WriteLine("WARNING! This operation will remove the permissions.\n\n Are you sure you want to continue (Y/N)?");
int confirmChar = Console.In.Read();
if (confirmChar != 'y' || confirmChar != 'Y')
{
return;
}
if (collectionUri != null)
{
TfsTeamProjectCollection connection = new TfsTeamProjectCollection(collectionUri);
// Get Core, security, and identity services
ISecurityService securityService = connection.GetService <ISecurityService>();
SecurityNamespace hooksSecurity = securityService.GetSecurityNamespace(ServiceHooksSecurityNamespaceId);
IIdentityManagementService2 identityService = connection.GetService <IIdentityManagementService2>();
ProjectHttpClient projectClient = connection.GetClient <ProjectHttpClient>();
IEnumerable <TeamProjectReference> projects = projectClient.GetProjects(stateFilter: Microsoft.TeamFoundation.Common.ProjectState.WellFormed).Result;
// Iterate over each project, check SH permissions, and remove if the project administrators group has access
foreach (var project in projects)
{
// Remove manage permissions from the project's administrators group (but leave it "view" access)
Console.WriteLine(String.Format("Project {0} ({1})", project.Name, project.Id));
var groups = identityService.ListApplicationGroups(project.Id.ToString(), ReadIdentityOptions.None, null, Microsoft.TeamFoundation.Framework.Common.IdentityPropertyScope.Both);
String adminGroupName = String.Format("vstfs:///Classification/TeamProject/{0}\\Project Administrators", project.Id);
try
{
TeamFoundationIdentity adminGroup = groups.First(g => String.Equals(g.UniqueName, adminGroupName, StringComparison.InvariantCultureIgnoreCase));
Console.WriteLine(" - Checking Project Administrators group permissions");
String securityToken = "PublisherSecurity/" + project.Id;
bool hasPermission = hooksSecurity.HasPermission(securityToken, adminGroup.Descriptor, ManagePermissions, false);
// Project admin group has "manage" permissions for SH in the project
if (hasPermission)
{
// Remove manage permissions from the project's administrators group (but leave it "view" access)
Console.WriteLine(" - Has permissions. Removing...");
// Give the admin group only view permissions
hooksSecurity.SetPermissions(securityToken, adminGroup.Descriptor, ViewPermissions, 0, false);
// check permission again after granting
hasPermission = hooksSecurity.HasPermission(securityToken, adminGroup.Descriptor, ManagePermissions, false);
if (!hasPermission)
{
Console.WriteLine(" - Verified permissions correctly removed.");
}
else
{
Console.WriteLine(" - Project Administrators Group still has manage permissions.");
}
}
else
{
Console.WriteLine(" - Does not have permissions to manage service hook subscriptions.");
}
}
catch (Exception ex)
{
Console.WriteLine(String.Format("Admin group: Not found! ({0})", ex.Message));
}
Console.WriteLine("");
}
// Grant the group manage permissions across the entire collection
TeamFoundationIdentity specialGroup = identityService.ReadIdentity(IdentitySearchFactor.DisplayName, SpecialGroupName, MembershipQuery.None, ReadIdentityOptions.None);
if (specialGroup != null)
{
Console.WriteLine("Granting full manage permissions to: {0}", specialGroup.UniqueName);
String rootSecurityToken = "PublisherSecurity/";
hooksSecurity.SetPermissions(rootSecurityToken, specialGroup.Descriptor, ManagePermissions, 0, false);
}
else
{
Console.WriteLine("Could not find this group.");
}
}
}
/// <summary>
/// Sample method on how to extracts the git version control permissions.
/// </summary>
/// <param name="server">The server.</param>
/// <param name="groups">The groups.</param>
/// <param name="userIdentity">The user identity.</param>
/// <param name="projectSecurityToken">The project security token.</param>
/// <param name="identityManagementService">The identityManagementService.</param>
/// <param name="vcs">The VCS.</param>
/// <param name="gitService">The git service.</param>
/// <returns>List of Permissions</returns>
private static List <Permission> ExtractGitVersionControlPermissions(ISecurityService server, IEnumerable <string> groups, TeamFoundationIdentity userIdentity, string projectSecurityToken, IIdentityManagementService identityManagementService, VersionControlServer vcs, TeamFoundation.Git.Client.GitRepositoryService gitService)
{
Console.WriteLine("== Extract Git Version Control Permissions ==");
SecurityNamespace gitVersionControlSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.GitSourceControl, server));
var gitProjectRepoService = gitService.QueryRepositories(projectSecurityToken);
// This sample handle only the default repository, you can iterate through all repositories same way
var defaultGitRepo = gitProjectRepoService.SingleOrDefault(gr => gr.Name.Equals(projectSecurityToken));
vcs.TryGetTeamProject(projectSecurityToken);
if (defaultGitRepo == null)
{
return(new List <Permission>());
}
// Repository Security Token is repoV2/TeamProjectId/RepositoryId
var repoIdToken = string.Format("repoV2{0}{1}{2}{3}", gitVersionControlSecurityNamespace.Description.SeparatorValue, defaultGitRepo.ProjectReference.Id, gitVersionControlSecurityNamespace.Description.SeparatorValue, defaultGitRepo.Id);
// vcs.GetTeamProject(projectSecurityToken);
AccessControlList versionControlAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
var gitVersionControlPermissions = new List <Permission>();
foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries)
{
if (0 != ace.Allow)
{
var allowedVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.Allow).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(allowedVersionControlPermissions, "Allow", PermissionScope.GitSourceControl));
}
if (0 != ace.Deny)
{
var denyVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.Deny).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(denyVersionControlPermissions, "Deny", PermissionScope.GitSourceControl));
}
}
if (gitVersionControlPermissions.Count == 0)
{
foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries)
{
if (0 != ace.ExtendedInfo.EffectiveAllow)
{
var allowedVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.ExtendedInfo.EffectiveAllow).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(allowedVersionControlPermissions, "Allow", PermissionScope.GitSourceControl));
}
if (0 != ace.ExtendedInfo.EffectiveDeny)
{
var denyVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.ExtendedInfo.EffectiveDeny).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(denyVersionControlPermissions, "Deny", PermissionScope.GitSourceControl));
}
}
}
foreach (string group in groups)
{
TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(IdentitySearchFactor.Identifier, group, MembershipQuery.None, ReadIdentityOptions.IncludeReadFromSource);
AccessControlList groupAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
groupIdentity.Descriptor
},
true);
foreach (AccessControlEntry ace in groupAccessList.AccessControlEntries)
{
if (0 != ace.Allow)
{
var allowedPermissions = ((EnumrationsList.GitPermissions)ace.Allow).ToString();
var permissionsList = Helpers.GetActionDetailsByName(allowedPermissions, "Inherited Allow", PermissionScope.GitSourceControl);
Helpers.AppendGroupInheritanceInformation(permissionsList, groupIdentity.DisplayName);
gitVersionControlPermissions.AddRange(permissionsList);
}
if (0 != ace.Deny)
{
var denyPermissions = ((EnumrationsList.GitPermissions)ace.Deny).ToString();
var permissionsList = Helpers.GetActionDetailsByName(denyPermissions, "Inherited Deny", PermissionScope.GitSourceControl);
Helpers.AppendGroupInheritanceInformation(permissionsList, groupIdentity.DisplayName);
gitVersionControlPermissions.AddRange(permissionsList);
}
}
}
var modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(gitVersionControlPermissions);
return(modifiedPermissions);
}
/// <summary>
/// Accesses the control entry to permission.
/// </summary>
/// <param name="securityNamespace">The security namespace.</param>
/// <param name="accessControlEntries">The access control entries.</param>
/// <param name="appendGroupInheritance">if set to <c>true</c> [append group inheritance].</param>
/// <param name="groupName">Name of the group.</param>
/// <returns>List of Permissions</returns>
public static List<Permission> AccessControlEntryToPermission(SecurityNamespace securityNamespace, IEnumerable<Microsoft.TeamFoundation.Framework.Client.AccessControlEntry> accessControlEntries, bool appendGroupInheritance, string groupName)
{
var permissionsList = new List<Permission>();
foreach (Microsoft.TeamFoundation.Framework.Client.AccessControlEntry ace in accessControlEntries)
{
if (0 != ace.Allow)
{
foreach (var action in securityNamespace.Description.Actions)
{
if ((ace.Allow & action.Bit) == action.Bit)
{
permissionsList.Add(new Permission { DisplayName = action.DisplayName, InternalName = action.Name, Scope = PermissionScope.TeamProject, PermissionConstant = action.Name, PermissionId = 0, Value = "Allow" });
}
}
}
if (0 != ace.Deny)
{
foreach (var action in securityNamespace.Description.Actions)
{
if ((ace.Deny & action.Bit) == action.Bit)
{
permissionsList.Add(new Permission { DisplayName = action.DisplayName, InternalName = action.Name, Scope = PermissionScope.TeamProject, PermissionConstant = action.Name, PermissionId = 0, Value = "Deny" });
}
}
}
}
if (appendGroupInheritance)
{
AppendGroupInheritanceInformation(permissionsList, groupName);
}
return permissionsList;
}
private static async Task Main(string[] args)
{
Console.WriteLine("Please enter the following details to list all of the team members in all of the projects in the collection/instance");
Console.WriteLine();
Console.Write("Azure DevOps Instance/Collection URL: ");
var url = Console.ReadLine();
Console.Write("Personal Access Token (PAT): ");
var pat = Console.ReadLine();
VssBasicCredential vssBasicCredential = new VssBasicCredential(pat, pat);
using (TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(new Uri(url), vssBasicCredential))
{
tpc.Authenticate();
Console.WriteLine();
Console.Write("Instance/Collection Display Name: ");
Console.WriteLine(tpc.DisplayName);
Console.Write("Instance/Collection ID: ");
Console.WriteLine(tpc.InstanceId);
Console.WriteLine();
var data = new List <ProjectTeamMember>();
var log = new StringBuilder();
var workItemStore = tpc.GetService <WorkItemStore>();
var teamService = tpc.GetService <TfsTeamService>();
// Get security namespace for the project collection.
ISecurityService securityService = tpc.GetService <ISecurityService>();
SecurityNamespace securityNamespace = securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
var projects = workItemStore.Projects;
foreach (Project project in projects)
{
log.AppendLine($"PROJECT: {project.Name}");
Console.WriteLine($"PROJECT: {project.Name}");
var teams = teamService.QueryTeams(project.Uri.ToString());
foreach (var team in teams)
{
log.AppendLine($"\tTEAM: {team.Name}");
Console.WriteLine($"\tTEAM: {team.Name}");
var members = team.GetMembers(tpc, MembershipQuery.Expanded);
string token = IdentityHelper.CreateSecurityToken(team.Identity);
// Retrieve an ACL object for all the team members.
AccessControlList acl = securityNamespace.QueryAccessControlList(token, members.Select(m => m.Descriptor), true);
// Retrieve the team administrator SIDs by querying the ACL entries.
var entries = acl.AccessControlEntries;
var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier);
// Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs.
var adminIdentities = members.Where(m => admins.Contains(m.Descriptor.Identifier));
foreach (var member in members)
{
var isAdmin = adminIdentities.Any(i => i == member);
var isAdminText = isAdmin ? " [ADMIN]" : string.Empty;
log.AppendLine($"\t\tACCOUNT: {member.DisplayName} {isAdminText}");
Console.WriteLine($"\t\tACCOUNT: {member.DisplayName} {isAdminText}");
var projectTeamMember = new ProjectTeamMember
{
ProjectId = project.Id,
ProjectName = project.Name,
TeamId = team.Identity.TeamFoundationId,
TeamName = team.Name,
MemberId = member.TeamFoundationId,
MemberName = member.DisplayName,
IsTeamAdmin = isAdmin
};
data.Add(projectTeamMember);
}
}
Console.WriteLine();
}
File.AppendAllText($"{tpc.InstanceId}.{DateTime.Now.ToString("yyyyMMddhhmmss")}.txt", log.ToString());
using (var writer = new StreamWriter($"{tpc.InstanceId}.{DateTime.Now.ToString("yyyyMMddhhmmss")}.csv"))
using (var csv = new CsvWriter(writer))
{
csv.WriteRecords(data);
}
}
Console.ReadLine();
}
