private void SetupWebDeployPublishingOnServer(List<string> messages)
{
if (IsWebDeployInstalled() == false
|| String.IsNullOrEmpty(ProviderSettings[WDeployEnabled]))
return;
//
var enableFeature = Convert.ToBoolean(ProviderSettings[WDeployEnabled]);
var repairFeature = Convert.ToBoolean(ProviderSettings[WDeployRepair]);
//
var appHostConfigWriter = "WDeployConfigWriter";
var appHostConfigWriterPassword = Guid.NewGuid().ToString();
//
var appPoolConfigEditor = "WDeployAdmin";
var appPoolConfigEditorPassword = Guid.NewGuid().ToString();
//
var appHostConfigFilePath = FileUtils.EvaluateSystemVariables(@"%WINDIR%\system32\inetsrv\config\applicationHost.config");
//
#region Repair feature
if (repairFeature == true && enableFeature == true)
{
// Cleanup NTFS permissions
SecurityUtils.RemoveNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, ServerSettings, UsersOU, GroupsOU);
// Remove applicationHost.config writer account
SecurityUtils.DeleteUser(appHostConfigWriter, ServerSettings, UsersOU);
// Remove local admin user to recycle app pools
SecurityUtils.DeleteUser(appPoolConfigEditor, ServerSettings, UsersOU);
// Remove delegation rules if any
var moduleService = new DelegationRulesModuleService();
//
moduleService.RemoveDelegationRule("contentPath,iisApp", "{userScope}");
moduleService.RemoveDelegationRule("dbFullSql", "Data Source=");
moduleService.RemoveDelegationRule("dbMySql", "Server=");
moduleService.RemoveDelegationRule("createApp", "{userScope}");
moduleService.RemoveDelegationRule("setAcl", "{userScope}");
moduleService.RemoveDelegationRule("recycleApp", "{userScope}");
moduleService.RemoveDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}");
}
#endregion
// Create applicationHost.config writer account
#region appHostConfigWriter account provisioning
if (enableFeature == true)
{
//
if (SecurityUtils.UserExists(appHostConfigWriter, ServerSettings, UsersOU) == false)
{
//
try
{
SecurityUtils.CreateUser(new SystemUser
{
Name = appHostConfigWriter,
FullName = appHostConfigWriter,
Password = appHostConfigWriterPassword,
PasswordCantChange = true,
PasswordNeverExpires = true,
MemberOf = new string[] { },
Description = "Web Deploy applicationHost.config writer account",
},
ServerSettings,
UsersOU,
GroupsOU);
// Grant appropriate NTFS permissions
SecurityUtils.GrantNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, NTFSPermission.Modify, true, true, ServerSettings, UsersOU, GroupsOU);
}
catch (Exception ex)
{
var errorMessage = "Could not create applicationHost.config writer account";
//
Log.WriteError(errorMessage, ex);
//
messages.Add(errorMessage);
}
}
}
else
{
if (SecurityUtils.UserExists(appHostConfigWriter, ServerSettings, UsersOU) == true)
{
//
try
{
// Remove NTFS permissions
SecurityUtils.RemoveNtfsPermissions(appHostConfigFilePath, appHostConfigWriter, ServerSettings, UsersOU, GroupsOU);
// Remove writer account
SecurityUtils.DeleteUser(appHostConfigWriter, ServerSettings, UsersOU);
}
catch (Exception ex)
{
var errorMessage = "Could not remove applicationHost.config writer user account";
//
Log.WriteError(errorMessage, ex);
//
messages.Add(errorMessage);
}
}
}
#endregion
// Create local admin user to recycle app pools
#region appPoolConfigEditor account provisioning
if (enableFeature)
{
//
if (SecurityUtils.UserExists(appPoolConfigEditor, ServerSettings, UsersOU) == false)
{
//
try
{
SecurityUtils.CreateUser(new SystemUser
{
Name = appPoolConfigEditor,
FullName = appPoolConfigEditor,
Password = appPoolConfigEditorPassword,
PasswordCantChange = true,
PasswordNeverExpires = true,
MemberOf = new string[] { "Administrators" },
Description = "Web Deploy AppPool configuration editor account",
},
ServerSettings,
UsersOU,
GroupsOU);
}
catch (Exception ex)
{
var errorMessage = "Could not create application pool configuration editor account";
//
Log.WriteError(errorMessage, ex);
//
messages.Add(errorMessage);
}
}
}
else
{
if (SecurityUtils.UserExists(appPoolConfigEditor, ServerSettings, UsersOU) == true)
{
//
try
{
// Remove appPool config editor account
SecurityUtils.DeleteUser(appPoolConfigEditor, ServerSettings, UsersOU);
}
catch (Exception ex)
{
var errorMessage = "Could not remove applicationHost.config writer user account";
//
Log.WriteError(errorMessage, ex);
//
messages.Add(errorMessage);
}
}
}
#endregion
// Add delegation rules
#region Delegation rules provisioning
if (enableFeature)
{
var moduleService = new DelegationRulesModuleService();
//
if (moduleService.DelegationRuleExists("contentPath,iisApp", "{userScope}") == false)
{
moduleService.AddDelegationRule("contentPath,iisApp", "{userScope}", "PathPrefix", "CurrentUser", String.Empty, String.Empty);
}
//
if (moduleService.DelegationRuleExists("dbFullSql", "Data Source=") == false)
{
moduleService.AddDelegationRule("dbFullSql", "Data Source=", "ConnectionString", "CurrentUser", String.Empty, String.Empty);
}
//
if (moduleService.DelegationRuleExists("dbMySql", "Server=") == false)
{
moduleService.AddDelegationRule("dbMySql", "Server=", "ConnectionString", "CurrentUser", String.Empty, String.Empty);
}
//
if (moduleService.DelegationRuleExists("createApp", "{userScope}") == false)
{
moduleService.AddDelegationRule("createApp", "{userScope}", "PathPrefix", "SpecificUser", appHostConfigWriter, appHostConfigWriterPassword);
}
//
if (moduleService.DelegationRuleExists("setAcl", "{userScope}") == false)
{
moduleService.AddDelegationRule("setAcl", "{userScope}", "PathPrefix", "CurrentUser", String.Empty, String.Empty);
}
//
if (moduleService.DelegationRuleExists("recycleApp", "{userScope}") == false)
{
moduleService.AddDelegationRule("recycleApp", "{userScope}", "PathPrefix", "SpecificUser", appPoolConfigEditor, appPoolConfigEditorPassword);
}
//
if (moduleService.DelegationRuleExists("appPoolPipeline,appPoolNetFx", "{userScope}") == false)
{
moduleService.AddDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}", "PathPrefix", "SpecificUser", appHostConfigWriter, appHostConfigWriterPassword);
}
}
else
{
var moduleService = new DelegationRulesModuleService();
//
moduleService.RemoveDelegationRule("contentPath,iisApp", "{userScope}");
moduleService.RemoveDelegationRule("dbFullSql", "Data Source=");
moduleService.RemoveDelegationRule("dbMySql", "Server=");
moduleService.RemoveDelegationRule("createApp", "{userScope}");
moduleService.RemoveDelegationRule("setAcl", "{userScope}");
moduleService.RemoveDelegationRule("recycleApp", "{userScope}");
moduleService.RemoveDelegationRule("appPoolPipeline,appPoolNetFx", "{userScope}");
}
#endregion
}
public void EnforceDelegationRulesRestrictions(string siteName, string accountName)
{
var moduleService = new DelegationRulesModuleService();
// Adjust web publishing permissions to the user accordingly to deny some rules for shared app pools
var webSite = webObjectsSvc.GetWebSiteFromIIS(siteName);
//
var fqUsername = GetFullQualifiedAccountName(accountName);
// Instantiate application pool helper to retrieve the app pool mode web site is running in
WebAppPoolHelper aphl = new WebAppPoolHelper(ProviderSettings);
// Shared app pool is a subject restrictions to change ASP.NET version and recycle the pool
if (aphl.is_shared_pool(webSite.ApplicationPool) == true)
{
//
moduleService.RestrictRuleToUser("recycleApp", "{userScope}", fqUsername);
moduleService.RestrictRuleToUser("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername);
}
// Dedicated app pool is not a subject for any restrictions
else
{
//
moduleService.AllowRuleToUser("recycleApp", "{userScope}", fqUsername);
moduleService.AllowRuleToUser("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername);
}
}
private void RemoveDelegationRulesRestrictions(string siteName, string accountName)
{
WebSite webSite = null;
using (ServerManager srvman = webObjectsSvc.GetServerManager())
{
webSite = webObjectsSvc.GetWebSiteFromIIS(srvman, siteName);
}
var moduleService = new DelegationRulesModuleService();
// Adjust web publishing permissions to the user accordingly to deny some rules for shared app pools
var fqUsername = GetFullQualifiedAccountName(accountName);
// Instantiate application pool helper to retrieve the app pool mode web site is running in
WebAppPoolHelper aphl = new WebAppPoolHelper(ProviderSettings);
//
// Shared app pool is a subject restrictions to change ASP.NET version and recycle the pool,
// so we need to remove these restrictions
if (aphl.is_shared_pool(webSite.ApplicationPool) == true)
{
//
moduleService.RemoveUserFromRule("recycleApp", "{userScope}", fqUsername);
moduleService.RemoveUserFromRule("appPoolPipeline,appPoolNetFx", "{userScope}", fqUsername);
}
}
