public SecurityNamespaceDescription GetGitSecurityNamespace()
{
VssConnection connection = this.Context.Connection;
SecurityHttpClient securityClient = connection.GetClient<SecurityHttpClient>();
IEnumerable<SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(this.GitSecurityNamespace).Result;
SecurityNamespaceDescription gitNamespace = namespaces.First();
Console.WriteLine("{0}", gitNamespace.DisplayName);
foreach (ActionDefinition actionDef in gitNamespace.Actions)
{
string knownBit = "";
if (actionDef.Bit == gitNamespace.ReadPermission)
{
knownBit += " [Read]";
}
if (actionDef.Bit == gitNamespace.WritePermission)
{
knownBit += " [Write]";
}
Console.WriteLine("\"{0}\" ({1}){2}", actionDef.DisplayName ?? actionDef.Name, actionDef.Bit, knownBit);
}
return gitNamespace;
}
internal IEnumerable <AccessControlList> ListAccessControl(Guid identify)
{
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
IEnumerable <SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(identify).Result;
IEnumerable <AccessControlList> acls = securityClient.QueryAccessControlListsAsync(
identify,
string.Empty,
descriptors: null,
includeExtendedInfo: false,
recurse: true).Result;
return(acls);
}
public IEnumerable<SecurityNamespaceDescription> ListLocalSecurityNamespaces()
{
VssConnection connection = this.Context.Connection;
SecurityHttpClient securityClient = connection.GetClient<SecurityHttpClient>();
IEnumerable<SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(Guid.Empty, localOnly: true).Result;
Console.WriteLine("Listing local security namespaces");
foreach (SecurityNamespaceDescription ns in namespaces)
{
Console.WriteLine("{0} ({1}) - {2} permissions", ns.DisplayName ?? ns.Name, ns.NamespaceId, ns.Actions.Count());
}
return namespaces;
}
internal Dictionary <int, string> GetGitPermissionNames()
{
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
IEnumerable <SecurityNamespaceDescription> namespaces;
namespaces = securityClient.QuerySecurityNamespacesAsync(GitId).Result;
SecurityNamespaceDescription gitNamespace = namespaces.First();
Dictionary <int, string> permission = new Dictionary <int, string>();
foreach (ActionDefinition actionDef in gitNamespace.Actions)
{
permission[actionDef.Bit] = actionDef.DisplayName;
}
return(permission);
}
private static Dictionary <int, string> GetGitPermissionNames()
{
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
IEnumerable <Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription> namespaces;
Guid g = Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87");
namespaces = securityClient.QuerySecurityNamespacesAsync(g).Result;
Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription gitNamespace = namespaces.First();
Dictionary <int, string> permission = new Dictionary <int, string>();
foreach (Microsoft.VisualStudio.Services.Security.ActionDefinition actionDef in gitNamespace.Actions)
{
permission[actionDef.Bit] = actionDef.DisplayName;
}
return(permission);
}
private Dictionary <int, string> GetGitPermissionNames()
{
VssConnection connection = this.Context.Connection;
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
IEnumerable <SecurityNamespaceDescription> namespaces;
using (new ClientSampleHttpLoggerOutputSuppression())
{
namespaces = securityClient.QuerySecurityNamespacesAsync(this.GitSecurityNamespace).Result;
}
SecurityNamespaceDescription gitNamespace = namespaces.First();
Dictionary <int, string> permission = new Dictionary <int, string>();
foreach (ActionDefinition actionDef in gitNamespace.Actions)
{
permission[actionDef.Bit] = actionDef.DisplayName;
}
return(permission);
}
public static void ListGitNamespacePermissions()
{
SecurityHttpClient securityClient = connection.GetClient <SecurityHttpClient>();
Guid g = Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"); //Git security namespace
IEnumerable <Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription> namespaces = securityClient.QuerySecurityNamespacesAsync(g).Result;
Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription gitNamespace = namespaces.First();
IEnumerable <Microsoft.VisualStudio.Services.Security.AccessControlList> acls = securityClient.QueryAccessControlListsAsync(
g,
string.Empty,
descriptors: null,
includeExtendedInfo: false,
recurse: true).Result;
using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"c:\TFSAdminAutomationData\out_GitAccessControlLists.txt"))
{
int counter = 0;
file.WriteLine("token | inherit? | count of ACEs");
file.WriteLine("------+----------+--------------");
foreach (Microsoft.VisualStudio.Services.Security.AccessControlList acl in acls)
{
counter++;
string[] tokenParser = acl.Token.Split('/');
if (tokenParser.Length != 2) //we are interested in team project level git security
{
continue;
}
file.WriteLine();
file.WriteLine();
file.WriteLine("{0} | {1} | {2} ACEs", acl.Token, acl.InheritPermissions, acl.AcesDictionary.Count());
file.WriteLine("Project Name: " + GetProjectName(tokenParser[1]));
file.WriteLine("Expanding ACL for {0} ({1} ACEs)", acl.Token, acl.AcesDictionary.Count());
// get the details for Git permissions
Dictionary <int, string> permission = GetGitPermissionNames();
// use the Git permissions data to expand the ACL
foreach (var kvp in acl.AcesDictionary)
{
// in the key-value pair, Key is an identity and Value is an ACE (access control entry)
// allow and deny are bit flags indicating which permissions are allowed/denied
string identity = kvp.Key.Identifier.ToString();
file.WriteLine("Identity {0}", identity);
string identityName = GetNameFromIdentity(identity);
file.WriteLine("Identity Name {0}", identityName);
if (!identityName.EndsWith("Project Administrators"))
{
continue;
}
string allowed = GetPermissionString(kvp.Value.Allow, permission);
string denied = GetPermissionString(kvp.Value.Deny, permission);
file.WriteLine(" Allowed: {0} (value={1})", allowed, kvp.Value.Allow);
file.WriteLine(" Denied: {0} (value={1})", denied, kvp.Value.Deny);
}
}
}
}
public async Task <List <string> > GetPermissions(string organization, string projectName)
{
if (string.IsNullOrWhiteSpace(organization))
{
throw new ArgumentException($"'{nameof(organization)}' cannot be null or whitespace.", nameof(organization));
}
if (string.IsNullOrWhiteSpace(projectName))
{
throw new ArgumentException($"'{nameof(projectName)}' cannot be null or whitespace.", nameof(projectName));
}
VssConnection connection = null;
GraphHttpClient graphHttpClient = null;
TeamHttpClient teamClient = null;
Guid GitSecurityNamespace = Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87");
try
{
string url = $"https://dev.azure.com/{organization}";
if (_adoConfig.UsePta)
{
connection = new VssConnection(new Uri(url), new VssBasicCredential(string.Empty, _adoConfig.AdoPersonalAccessToken));
}
else
{
//connection = new VssConnection(new Uri(url), new VssCredentials(true));
connection = new VssConnection(new Uri(url), new VssClientCredentials(true));
}
//projectName = "First-Ado";
//teamClient = connection.GetClient<TeamHttpClient>();
//var allteams = await teamClient.GetTeamsAsync(projectName, null, null, null, true);
//var defTeamGroupName = $"{projectName} Team";
//var defTeam = allteams?.FirstOrDefault(a => a.Name.Contains(defTeamGroupName));
//if (defTeam != null)
//{
// var members = await teamClient.GetTeamMembersWithExtendedPropertiesAsync(projectName, defTeam.Id.ToString());
// graphHttpClient = connection.GetClient<GraphHttpClient>();
// List<SubjectDescriptor> groupSubjectDescriptors = new();
// groupSubjectDescriptors.Add(SubjectDescriptor.FromString(defTeam.Identity.Descriptor.Identifier));
// var contextCreate = new GraphUserPrincipalNameCreationContext { PrincipalName = "*****@*****.**"};
// var added = await graphHttpClient.CreateUserAsync(contextCreate, groupSubjectDescriptors);
// var membersAfter = await teamClient.GetTeamMembersWithExtendedPropertiesAsync(projectName, defTeam.Id.ToString());
//}
// Get a client
SecurityHttpClient httpClient = connection.GetClient <SecurityHttpClient>();
IEnumerable <SecurityNamespaceDescription> namespaces = await httpClient.QuerySecurityNamespacesAsync(GitSecurityNamespace);
SecurityNamespaceDescription gitNamespace = namespaces.FirstOrDefault();
Dictionary <int, string> permission = new Dictionary <int, string>();
foreach (ActionDefinition actionDef in gitNamespace.Actions)
{
permission[actionDef.Bit] = actionDef.DisplayName;
}
return(permission.Values?.ToList());
}
catch (Exception ex)
{
//Console.WriteLine("Exception during create project: ", ex.Message);
throw;
}
finally
{
connection?.Dispose();
graphHttpClient?.Dispose();
teamClient?.Dispose();
}
}