/// <summary>
/// Extracts the generic security namespace permissions.
/// </summary>
/// <param name="server">The server.</param>
/// <param name="permissionScope">The permission scope.</param>
/// <param name="userIdentity">The user identity.</param>
/// <param name="securityToken">The security token.</param>
/// <param name="identityManagementService">The identityManagementService.</param>
/// <param name="groups">The groups.</param>
/// <returns>List of Permissions</returns>
private static List <Permission> ExtractGenericSecurityNamespacePermissions(ISecurityService server, PermissionScope permissionScope, TeamFoundationIdentity userIdentity, string securityToken, IIdentityManagementService identityManagementService, IEnumerable <string> groups)
{
SecurityNamespace genericSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(permissionScope, server));
AccessControlList userAccessList =
genericSecurityNamespace.QueryAccessControlList(
securityToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
var result = new List <Permission>();
result.AddRange(Helpers.AccessControlEntryToPermission(genericSecurityNamespace, userAccessList.AccessControlEntries, false, string.Empty));
// handle group inheritance
foreach (string group in groups)
{
TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(IdentitySearchFactor.Identifier, group, MembershipQuery.None, ReadIdentityOptions.IncludeReadFromSource);
AccessControlList groupAccessList =
genericSecurityNamespace.QueryAccessControlList(
securityToken,
new List <IdentityDescriptor> {
groupIdentity.Descriptor
},
true);
result.AddRange(Helpers.AccessControlEntryToPermission(genericSecurityNamespace, groupAccessList.AccessControlEntries, true, groupIdentity.DisplayName));
}
var modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(result);
return(modifiedPermissions);
}
/////// <summary>
/////// Extracts work item permissions for a specific identity
/////// </summary>
/////// <param name="server">Server security service</param>
/////// <param name="projectSecurityToken">Project Security Token</param>
/////// <param name="userIdentity">User identity</param>
/////// <returns>The list of the permissions</returns>
////private static List<Permission> ExtractWorkItemsPermissions(
//// ISecurityService server,
//// string projectSecurityToken,
//// TeamFoundationIdentity userIdentity)
////{
//// var result = new List<Permission>();
//// SecurityNamespace workItemsSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.WorkItemAreas, server));
//// if (workItemsSecurityNamespace != null)
//// {
//// Console.WriteLine("== Extract WorkItems Permissions ==");
//// AccessControlList workItemsAccessList = workItemsSecurityNamespace.QueryAccessControlList(
//// projectSecurityToken,
//// new List<IdentityDescriptor> { userIdentity.Descriptor },
//// true);
//// string allowedWorkItemPermissions = string.Empty;
//// string denyWorkItemPermissions = string.Empty;
//// foreach (AccessControlEntry ace in workItemsAccessList.AccessControlEntries)
//// {
//// if (0 != ace.Allow)
//// {
//// allowedWorkItemPermissions = ((QueryItemPermissions)ace.Allow).ToString();
//// result.AddRange(
//// Helpers.GetActionDetailsByName(allowedWorkItemPermissions, "Allow", PermissionScope.WorkItemAreas));
//// }
//// if (0 != ace.Deny)
//// {
//// denyWorkItemPermissions = ((QueryItemPermissions)ace.Deny).ToString();
//// result.AddRange(
//// Helpers.GetActionDetailsByName(denyWorkItemPermissions, "Deny", PermissionScope.WorkItemAreas));
//// }
//// }
//// }
//// return result;
////}
/// <summary>
/// Extracts build permissions for a specific identity.
/// </summary>
/// <param name="server">Server security service</param>
/// <param name="projectSecurityToken">Project Security Token</param>
/// <param name="userIdentity">User identity</param>
/// <returns>The list of the permissions</returns>
private static List <Permission> ExtractBuildPermissions(ISecurityService server, string projectSecurityToken, TeamFoundationIdentity userIdentity)
{
var result = new List <Permission>();
SecurityNamespace buildSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.TeamBuild, server));
Console.WriteLine("== Extract Build Permissions ==");
AccessControlList buildAccessList = buildSecurityNamespace.QueryAccessControlList(
projectSecurityToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
foreach (AccessControlEntry ace in buildAccessList.AccessControlEntries)
{
foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, false))
{
if (aclAndName.Acl != 0)
{
var allowedBuildPermissions = ((EnumerationsList.BuildPermissions)ace.Allow).ToString();
result.AddRange(
Helpers.GetActionDetailsByName(allowedBuildPermissions, aclAndName.Name,
PermissionScope.TeamBuild));
}
}
}
return(result);
}
public IEnumerable <TeamFoundationIdentity> GetAdministrators(Microsoft.TeamFoundation.Client.TeamFoundationTeam teamFoundationTeam)
{
// Get security namespace for the project collection.
ISecurityService securityService = this.tfsTeamProjectCollection.GetService <ISecurityService>();
SecurityNamespace securityNamespace = securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
// Use reflection to retrieve a security token for the team.
MethodInfo mi = typeof(IdentityHelper).GetMethod("CreateSecurityToken");
string token = mi.Invoke(null, new object[] { teamFoundationTeam.Identity }) as string;
// Retrieve an ACL object for all the team members.
var allMembers = teamFoundationTeam.GetMembers(this.tfsTeamProjectCollection, MembershipQuery.Expanded).Where(m => !m.IsContainer);
AccessControlList acl = securityNamespace.QueryAccessControlList(token, allMembers.Select(m => m.Descriptor), true);
// Retrieve the team administrator SIDs by querying the ACL entries.
var entries = acl.AccessControlEntries;
var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier);
// Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs.
return(allMembers.Where(m => admins.Contains(m.Descriptor.Identifier)));
}
public List <string> ListTeamAdministrators(string team, out string message)
{
// Retrieve the default team.
TeamFoundationTeam t = this.teamService.ReadTeam(this.projectInfo.Uri, team, null);
List <string> lst = null;
message = "";
if (t == null)
{
message = "Team [" + team + "] not found";
}
else
{
// Get security namespace for the project collection.
ISecurityService securityService = this.teamProjectCollection.GetService <ISecurityService>();
SecurityNamespace securityNamespace =
securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
// Use reflection to retrieve a security token for the team.
var token = GetTeamAdminstratorsToken(t);
// Retrieve an ACL object for all the team members.
var allMembers = t.GetMembers(this.teamProjectCollection, MembershipQuery.Expanded)
.ToArray();
AccessControlList acl =
securityNamespace.QueryAccessControlList(token, allMembers.Select(m => m.Descriptor), true);
// Retrieve the team administrator SIDs by querying the ACL entries.
var entries = acl.AccessControlEntries;
var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier);
// Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs.
var adminIdentities = allMembers.Where(m => admins.Contains(m.Descriptor.Identifier));
lst = adminIdentities.Select(i => i.DisplayName).ToList();
}
return(lst);
}
/// <summary>
/// Sample method on how to extracts the git version control permissions.
/// </summary>
/// <param name="server">The server.</param>
/// <param name="groups">The groups.</param>
/// <param name="userIdentity">The user identity.</param>
/// <param name="projectSecurityToken">The project security token.</param>
/// <param name="identityManagementService">The identityManagementService.</param>
/// <param name="vcs">The VCS.</param>
/// <param name="gitService">The git service.</param>
/// <returns>List of Permissions</returns>
private static List <GitPermission> ExtractGitVersionControlPermissions(
ISecurityService server,
List <string> groups,
TeamFoundationIdentity userIdentity,
string projectSecurityToken,
IIdentityManagementService identityManagementService,
VersionControlServer vcs,
GitRepositoryService gitService)
{
Console.WriteLine("== Extract Git Version Control Permissions ==");
SecurityNamespace gitVersionControlSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.GitSourceControl, server));
IList <GitRepository> gitProjectRepoService = gitService.QueryRepositories(projectSecurityToken);
var groupsIdentities = new List <TeamFoundationIdentity>(groups.Count);
foreach (string group in groups)
{
TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(
IdentitySearchFactor.Identifier, group, MembershipQuery.None,
ReadIdentityOptions.IncludeReadFromSource);
groupsIdentities.Add(groupIdentity);
}
var results = new List <GitPermission>();
foreach (GitRepository repo in gitProjectRepoService)
{
string primaryBranch = (repo.DefaultBranch ?? "(no default branch)").StartsWith("refs/heads/") ?
repo.DefaultBranch.Substring(11) :
repo.DefaultBranch;
Console.WriteLine(" -- Repo: {0} branch {1}", repo.Name, primaryBranch);
// Repository Security Token is repoV2/TeamProjectId/RepositoryId
string repoIdToken = string.Format("repoV2{0}{1}{2}{3}",
gitVersionControlSecurityNamespace.Description.SeparatorValue,
repo.ProjectReference.Id,
gitVersionControlSecurityNamespace.Description.SeparatorValue,
repo.Id);
AccessControlList versionControlAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
var gitVersionControlPermissions = new List <Permission>();
foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries)
{
foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, false))
{
if (aclAndName.Acl != 0)
{
string versionControlPermissions = ((EnumerationsList.GitPermissions)aclAndName.Acl).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(versionControlPermissions, aclAndName.Name,
PermissionScope.GitSourceControl));
}
}
}
foreach (TeamFoundationIdentity groupIdentity in groupsIdentities)
{
AccessControlList groupAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
groupIdentity.Descriptor
},
true);
foreach (AccessControlEntry ace in groupAccessList.AccessControlEntries)
{
foreach (AclAndName aclAndName in Helpers.EnumerateAcls(ace, true))
{
if (aclAndName.Acl != 0)
{
string versionControlPermissions = ((EnumerationsList.GitPermissions)aclAndName.Acl).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(versionControlPermissions, aclAndName.Name,
PermissionScope.GitSourceControl));
}
}
}
}
List <Permission> modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(gitVersionControlPermissions);
results.AddRange(modifiedPermissions.Select(perm => new GitPermission(perm, repo.Name, primaryBranch)));
}
return(results);
}
/// <summary>
/// Sample method on how to extracts the git version control permissions.
/// </summary>
/// <param name="server">The server.</param>
/// <param name="groups">The groups.</param>
/// <param name="userIdentity">The user identity.</param>
/// <param name="projectSecurityToken">The project security token.</param>
/// <param name="identityManagementService">The identityManagementService.</param>
/// <param name="vcs">The VCS.</param>
/// <param name="gitService">The git service.</param>
/// <returns>List of Permissions</returns>
private static List <Permission> ExtractGitVersionControlPermissions(ISecurityService server, IEnumerable <string> groups, TeamFoundationIdentity userIdentity, string projectSecurityToken, IIdentityManagementService identityManagementService, VersionControlServer vcs, TeamFoundation.Git.Client.GitRepositoryService gitService)
{
Console.WriteLine("== Extract Git Version Control Permissions ==");
SecurityNamespace gitVersionControlSecurityNamespace = server.GetSecurityNamespace(Helpers.GetSecurityNamespaceId(PermissionScope.GitSourceControl, server));
var gitProjectRepoService = gitService.QueryRepositories(projectSecurityToken);
// This sample handle only the default repository, you can iterate through all repositories same way
var defaultGitRepo = gitProjectRepoService.SingleOrDefault(gr => gr.Name.Equals(projectSecurityToken));
vcs.TryGetTeamProject(projectSecurityToken);
if (defaultGitRepo == null)
{
return(new List <Permission>());
}
// Repository Security Token is repoV2/TeamProjectId/RepositoryId
var repoIdToken = string.Format("repoV2{0}{1}{2}{3}", gitVersionControlSecurityNamespace.Description.SeparatorValue, defaultGitRepo.ProjectReference.Id, gitVersionControlSecurityNamespace.Description.SeparatorValue, defaultGitRepo.Id);
// vcs.GetTeamProject(projectSecurityToken);
AccessControlList versionControlAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
userIdentity.Descriptor
},
true);
var gitVersionControlPermissions = new List <Permission>();
foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries)
{
if (0 != ace.Allow)
{
var allowedVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.Allow).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(allowedVersionControlPermissions, "Allow", PermissionScope.GitSourceControl));
}
if (0 != ace.Deny)
{
var denyVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.Deny).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(denyVersionControlPermissions, "Deny", PermissionScope.GitSourceControl));
}
}
if (gitVersionControlPermissions.Count == 0)
{
foreach (AccessControlEntry ace in versionControlAccessList.AccessControlEntries)
{
if (0 != ace.ExtendedInfo.EffectiveAllow)
{
var allowedVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.ExtendedInfo.EffectiveAllow).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(allowedVersionControlPermissions, "Allow", PermissionScope.GitSourceControl));
}
if (0 != ace.ExtendedInfo.EffectiveDeny)
{
var denyVersionControlPermissions = ((EnumrationsList.GitPermissions)ace.ExtendedInfo.EffectiveDeny).ToString();
gitVersionControlPermissions.AddRange(
Helpers.GetActionDetailsByName(denyVersionControlPermissions, "Deny", PermissionScope.GitSourceControl));
}
}
}
foreach (string group in groups)
{
TeamFoundationIdentity groupIdentity = identityManagementService.ReadIdentity(IdentitySearchFactor.Identifier, group, MembershipQuery.None, ReadIdentityOptions.IncludeReadFromSource);
AccessControlList groupAccessList =
gitVersionControlSecurityNamespace.QueryAccessControlList(
repoIdToken,
new List <IdentityDescriptor> {
groupIdentity.Descriptor
},
true);
foreach (AccessControlEntry ace in groupAccessList.AccessControlEntries)
{
if (0 != ace.Allow)
{
var allowedPermissions = ((EnumrationsList.GitPermissions)ace.Allow).ToString();
var permissionsList = Helpers.GetActionDetailsByName(allowedPermissions, "Inherited Allow", PermissionScope.GitSourceControl);
Helpers.AppendGroupInheritanceInformation(permissionsList, groupIdentity.DisplayName);
gitVersionControlPermissions.AddRange(permissionsList);
}
if (0 != ace.Deny)
{
var denyPermissions = ((EnumrationsList.GitPermissions)ace.Deny).ToString();
var permissionsList = Helpers.GetActionDetailsByName(denyPermissions, "Inherited Deny", PermissionScope.GitSourceControl);
Helpers.AppendGroupInheritanceInformation(permissionsList, groupIdentity.DisplayName);
gitVersionControlPermissions.AddRange(permissionsList);
}
}
}
var modifiedPermissions = Helpers.RemoveDuplicatePermissionsAndCombineGroups(gitVersionControlPermissions);
return(modifiedPermissions);
}
private static async Task Main(string[] args)
{
Console.WriteLine("Please enter the following details to list all of the team members in all of the projects in the collection/instance");
Console.WriteLine();
Console.Write("Azure DevOps Instance/Collection URL: ");
var url = Console.ReadLine();
Console.Write("Personal Access Token (PAT): ");
var pat = Console.ReadLine();
VssBasicCredential vssBasicCredential = new VssBasicCredential(pat, pat);
using (TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(new Uri(url), vssBasicCredential))
{
tpc.Authenticate();
Console.WriteLine();
Console.Write("Instance/Collection Display Name: ");
Console.WriteLine(tpc.DisplayName);
Console.Write("Instance/Collection ID: ");
Console.WriteLine(tpc.InstanceId);
Console.WriteLine();
var data = new List <ProjectTeamMember>();
var log = new StringBuilder();
var workItemStore = tpc.GetService <WorkItemStore>();
var teamService = tpc.GetService <TfsTeamService>();
// Get security namespace for the project collection.
ISecurityService securityService = tpc.GetService <ISecurityService>();
SecurityNamespace securityNamespace = securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
var projects = workItemStore.Projects;
foreach (Project project in projects)
{
log.AppendLine($"PROJECT: {project.Name}");
Console.WriteLine($"PROJECT: {project.Name}");
var teams = teamService.QueryTeams(project.Uri.ToString());
foreach (var team in teams)
{
log.AppendLine($"\tTEAM: {team.Name}");
Console.WriteLine($"\tTEAM: {team.Name}");
var members = team.GetMembers(tpc, MembershipQuery.Expanded);
string token = IdentityHelper.CreateSecurityToken(team.Identity);
// Retrieve an ACL object for all the team members.
AccessControlList acl = securityNamespace.QueryAccessControlList(token, members.Select(m => m.Descriptor), true);
// Retrieve the team administrator SIDs by querying the ACL entries.
var entries = acl.AccessControlEntries;
var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier);
// Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs.
var adminIdentities = members.Where(m => admins.Contains(m.Descriptor.Identifier));
foreach (var member in members)
{
var isAdmin = adminIdentities.Any(i => i == member);
var isAdminText = isAdmin ? " [ADMIN]" : string.Empty;
log.AppendLine($"\t\tACCOUNT: {member.DisplayName} {isAdminText}");
Console.WriteLine($"\t\tACCOUNT: {member.DisplayName} {isAdminText}");
var projectTeamMember = new ProjectTeamMember
{
ProjectId = project.Id,
ProjectName = project.Name,
TeamId = team.Identity.TeamFoundationId,
TeamName = team.Name,
MemberId = member.TeamFoundationId,
MemberName = member.DisplayName,
IsTeamAdmin = isAdmin
};
data.Add(projectTeamMember);
}
}
Console.WriteLine();
}
File.AppendAllText($"{tpc.InstanceId}.{DateTime.Now.ToString("yyyyMMddhhmmss")}.txt", log.ToString());
using (var writer = new StreamWriter($"{tpc.InstanceId}.{DateTime.Now.ToString("yyyyMMddhhmmss")}.csv"))
using (var csv = new CsvWriter(writer))
{
csv.WriteRecords(data);
}
}
Console.ReadLine();
}
