public static bool Matches(this WindowsGroupPermission permission, string resource)
{
if (permission.IsServer)
{
return(true);
}
Guid resourceId;
if (Guid.TryParse(resource, out resourceId))
{
return(permission.ResourceID == resourceId);
}
// ResourceName is in the format: {categoryName}\{resourceName}
if (resource != null)
{
resource = resource.Replace('/', '\\');
}
if (string.IsNullOrEmpty(resource))
{
return(true);
}
return(permission.ResourceName.Contains("\\" + resource));
}
int Compare(WindowsGroupPermission px, WindowsGroupPermission py)
{
switch (_sortMemberPath)
{
case "ResourceName":
return(String.Compare(px.ResourceName, py.ResourceName, StringComparison.InvariantCulture));
case "WindowsGroup":
return(String.Compare(px.WindowsGroup, py.WindowsGroup, StringComparison.InvariantCulture));
case "View":
return(px.View.CompareTo(py.View));
case "Execute":
return(px.Execute.CompareTo(py.Execute));
case "Contribute":
return(px.Contribute.CompareTo(py.Contribute));
case "DeployTo":
return(px.DeployTo.CompareTo(py.DeployTo));
case "DeployFrom":
return(px.DeployFrom.CompareTo(py.DeployFrom));
case "Administrator":
return(px.Administrator.CompareTo(py.Administrator));
default:
break;
}
return(0);
}
public void Remove(Guid resourceId)
{
LogStart();
_permissionsLock.EnterWriteLock();
try
{
var oldPermissions = new WindowsGroupPermission[_permissions.Count];
_permissions.CopyTo(oldPermissions);
var removedCount = _permissions.RemoveAll(p => !p.IsServer && p.ResourceID == resourceId);
if(removedCount > 0)
{
RaisePermissionsModified(oldPermissions, _permissions);
// This will trigger a FileSystemWatcher file changed event
// which in turn will cause the permissions to be re-read.
WritePermissions(_permissions);
}
}
finally
{
_permissionsLock.ExitWriteLock();
}
LogEnd();
}
public void Remove(Guid resourceId)
{
LogStart();
_permissionsLock.EnterWriteLock();
try
{
var oldPermissions = new WindowsGroupPermission[_permissions.Count];
_permissions.CopyTo(oldPermissions);
var removedCount = _permissions.RemoveAll(p => !p.IsServer && p.ResourceID == resourceId);
if (removedCount > 0)
{
RaisePermissionsModified(oldPermissions, _permissions);
// This will trigger a FileSystemWatcher file changed event
// which in turn will cause the permissions to be re-read.
WritePermissions(_permissions);
}
}
finally
{
_permissionsLock.ExitWriteLock();
}
LogEnd();
}
public void GivenItHasWith(string groupName, string groupRights)
{
var groupPermssions = new WindowsGroupPermission
{
WindowsGroup = groupName,
ResourceID = Guid.Empty,
IsServer = true
};
var permissionsStrings = groupRights.Split(new[] { ", " }, StringSplitOptions.RemoveEmptyEntries);
foreach(var permissionsString in permissionsStrings)
{
SecPermissions permission;
if(Enum.TryParse(permissionsString.Replace(" ", ""), true, out permission))
{
groupPermssions.Permissions |= permission;
}
}
Data.Settings.Settings settings = new Data.Settings.Settings
{
Security = new SecuritySettingsTO(new List<WindowsGroupPermission> { groupPermssions })
};
var environmentModel = ScenarioContext.Current.Get<IEnvironmentModel>("environment");
EnsureEnvironmentConnected(environmentModel);
environmentModel.ResourceRepository.WriteSettings(environmentModel, settings);
environmentModel.Disconnect();
}
public static bool Matches(this WindowsGroupPermission permission, Guid resourceId)
{
if (permission.IsServer)
{
return(true);
}
return(permission.ResourceID == resourceId);
}
static SecuritySettingsTO ProcessSettingsFile(IResourceNameProvider resourceNameProvider, string encryptedData)
{
var decryptData = SecurityEncryption.Decrypt(encryptedData);
Dev2Logger.Debug(decryptData, GlobalConstants.WarewolfDebug);
var currentSecuritySettingsTo = JsonConvert.DeserializeObject <SecuritySettingsTO>(decryptData);
if (currentSecuritySettingsTo.WindowsGroupPermissions.Any(a => a.ResourceID != Guid.Empty))
{
foreach (var perm in currentSecuritySettingsTo.WindowsGroupPermissions.Where(a => a.ResourceID != Guid.Empty))
{
var resourceName = resourceNameProvider.GetResourceNameById(perm.ResourceID);
if (string.IsNullOrWhiteSpace(resourceName))
{
resourceName = perm.ResourcePath ?? string.Empty;
}
perm.ResourceName = resourceName;
}
}
if (currentSecuritySettingsTo.AuthenticationOverrideWorkflow.Name.Length > 0 && currentSecuritySettingsTo.SecretKey == "")
{
var hmac = new HMACSHA256();
currentSecuritySettingsTo.SecretKey = Convert.ToBase64String(hmac.Key);
}
var permissionGroup = currentSecuritySettingsTo.WindowsGroupPermissions;
if (permissionGroup.Count > 0)
{
var adminGrp = permissionGroup[0].WindowsGroup;
if (adminGrp == "BuiltIn\\Administrators")
{
permissionGroup[0].WindowsGroup = WindowsGroupPermission.BuiltInAdministratorsText;
}
}
var hasGuestPermission = permissionGroup.Any(permission => permission.IsBuiltInGuests);
var hasAdminPermission = permissionGroup.Any(permission => permission.IsBuiltInAdministrators);
if (!hasAdminPermission)
{
permissionGroup.Add(WindowsGroupPermission.CreateAdministrators());
permissionGroup.Sort(QuickSortForPermissions);
}
if (!hasGuestPermission)
{
permissionGroup.Add(WindowsGroupPermission.CreateGuests());
permissionGroup.Sort(QuickSortForPermissions);
}
return(currentSecuritySettingsTo);
}
public void AuthorizationHelpers_Matches_SecurityPermissionIsServer_True()
{
//------------Setup for test--------------------------
var securityPermission = new WindowsGroupPermission { IsServer = true };
//------------Execute Test---------------------------
var authorized = securityPermission.Matches(null);
//------------Assert Results-------------------------
Assert.IsTrue(authorized);
}
static int QuickSortForPermissions(WindowsGroupPermission x, WindowsGroupPermission y)
{
var px = x;
var py = y;
if (px == null || py == null)
{
return(1);
}
// New items must be last
//
if (px.IsNew)
{
// px is greater than py
return(int.MaxValue);
}
if (py.IsNew)
{
// px is less than py
return(int.MinValue);
}
// BuiltInAdministrators must be first
if (px.IsBuiltInAdministrators)
{
// px is less than py
return(int.MinValue);
}
if (py.IsBuiltInAdministrators)
{
// px is greater than py
return(int.MaxValue);
}
// IsBuiltInGuests must be second
if (px.IsBuiltInGuests)
{
// px is less than py
return(int.MinValue + 1);
}
if (py.IsBuiltInGuests)
{
// px is greater than py
return(int.MaxValue - 1);
}
return(1);
}
public void WindowsGroupPermission_Permissions_SetExecute_CorrectlyApplied()
{
//------------Setup for test--------------------------
//------------Execute Test---------------------------
var p = new WindowsGroupPermission { Permissions = Permissions.Execute };
//------------Assert Results-------------------------
Assert.IsFalse(p.View);
Assert.IsTrue(p.Execute);
Assert.IsFalse(p.Contribute);
Assert.IsFalse(p.DeployTo);
Assert.IsFalse(p.DeployFrom);
Assert.IsFalse(p.Administrator);
}
public void SecurityWrite_Execute_SecuritySettingsValuePassedValidJSON_ShouldWriteFile()
{
//------------Setup for test--------------------------
var permission = new WindowsGroupPermission { Administrator = true, IsServer = true, WindowsGroup = Environment.UserName };
var windowsGroupPermissions = new List<WindowsGroupPermission> { permission };
var securitySettings = new SecuritySettingsTO(windowsGroupPermissions) { CacheTimeout = new TimeSpan(0, 2, 0) };
var securitySettingsValue = JsonConvert.SerializeObject(securitySettings);
var securityWrite = new SecurityWrite();
//------------Execute Test---------------------------
securityWrite.Execute(new Dictionary<string, StringBuilder> { { "SecuritySettings", new StringBuilder(securitySettingsValue) } }, null);
//------------Assert Results-------------------------
Assert.IsTrue(File.Exists("secure.config"));
var fileData = File.ReadAllText("secure.config");
Assert.IsFalse(fileData.StartsWith("{"));
Assert.IsFalse(fileData.EndsWith("}"));
Assert.IsFalse(fileData.Contains("IsServer"));
File.Delete("secure.config");
}
public void AuthorizationServiceBase_IsAuthorized_UserIsInResourceRoleAndResourceToBeVerifiedIsNull_False()
{
//------------Setup for test--------------------------
var securityPermission = new WindowsGroupPermission { IsServer = false, ResourceName = "Category\\Test1", ResourceID = Guid.NewGuid() };
var securityService = new Mock<ISecurityService>();
securityService.SetupGet(p => p.Permissions).Returns(new List<WindowsGroupPermission> { securityPermission });
var user = new Mock<IPrincipal>();
user.Setup(u => u.IsInRole(It.IsAny<string>())).Returns(true);
var authorizationService = new TestAuthorizationServiceBase(securityService.Object) { User = user.Object };
//------------Execute Test---------------------------
var authorized = authorizationService.IsAuthorized(AuthorizationContext.Contribute, null);
//------------Assert Results-------------------------
Assert.IsFalse(authorized);
}
public static bool Matches(this WindowsGroupPermission permission, string resource)
{
if (permission.IsServer)
{
return(true);
}
if (Guid.TryParse(resource, out Guid resourceId))
{
return(permission.ResourceID == resourceId);
}
resource = resource?.Replace('/', '\\');
if (string.IsNullOrEmpty(resource))
{
return(true);
}
return(permission.ResourceName.Contains("\\" + resource));
}
public static bool Matches(this WindowsGroupPermission permission, WebName resource)
{
if (permission.IsServer || resource is null)
{
return(true);
}
var resourceString = resource.Value <string>();
if (Guid.TryParse(resourceString, out var resourceId))
{
var matchingResourceID = permission.ResourceID == resourceId;
if (matchingResourceID)
{
return(true);
}
}
var resourcePath = resourceString?.Replace('/', '\\');
if (string.IsNullOrEmpty(resourcePath))
{
return(true);
}
var p1 = resourcePath;
if (p1.StartsWith(EnvironmentVariables.ResourcePath))
{
p1 = p1.Replace(EnvironmentVariables.ResourcePath, "");
}
var permissionResourcePath = permission.ResourcePath;
if (permissionResourcePath is null)
{
return(false);
}
var p2 = "\\" + permissionResourcePath;
var pathMatches = p1.StartsWith(p2);
return(pathMatches);
}
public static bool Matches(this WindowsGroupPermission permission, IWarewolfResource resource)
{
if (permission.IsServer)
{
return(true);
}
var matchingResourceID = permission.ResourceID == resource?.ResourceID;
if (matchingResourceID)
{
return(true);
}
var resourcePath = resource?.FilePath?.Replace('/', '\\');
if (string.IsNullOrEmpty(resourcePath))
{
return(true);
}
var p1 = resourcePath;
if (p1.StartsWith(EnvironmentVariables.ResourcePath))
{
p1 = p1.Replace(EnvironmentVariables.ResourcePath, "");
}
var permissionResourcePath = permission.ResourcePath;
if (permissionResourcePath is null)
{
return(false);
}
var p2 = "\\" + permissionResourcePath;
var pathMatches = p1.StartsWith(p2);
return(pathMatches);
}
int Compare(WindowsGroupPermission px, WindowsGroupPermission py)
{
switch(_sortMemberPath)
{
case "ResourceName":
return System.String.Compare(px.ResourceName, py.ResourceName, System.StringComparison.InvariantCulture);
case "WindowsGroup":
return System.String.Compare(px.WindowsGroup, py.WindowsGroup, System.StringComparison.InvariantCulture);
case "View":
return px.View.CompareTo(py.View);
case "Execute":
return px.Execute.CompareTo(py.Execute);
case "Contribute":
return px.Contribute.CompareTo(py.Contribute);
case "DeployTo":
return px.DeployTo.CompareTo(py.DeployTo);
case "DeployFrom":
return px.DeployFrom.CompareTo(py.DeployFrom);
case "Administrator":
return px.Administrator.CompareTo(py.Administrator);
}
return 0;
}
bool IsInRole(IPrincipal principal, WindowsGroupPermission p)
{
var isInRole = false;
if (principal == null)
{
return(p.IsBuiltInGuestsForExecution);
}
try
{
var windowsGroup = p.WindowsGroup;
if (windowsGroup == WindowsGroupPermission.BuiltInAdministratorsText)
{
var principleName = principal.Identity.Name;
if (!string.IsNullOrEmpty(principleName))
{
return(TryIsInRole(principal, windowsGroup));
}
}
else
{
isInRole = principal.IsInRole(windowsGroup);
}
}
catch (ObjectDisposedException e)
{
Dev2Logger.Warn(e.Message, "Warewolf Warn");
throw;
}
catch (Exception e)
{
Dev2Logger.Warn(e.Message, "Warewolf Warn");
}
return(isInRole || p.IsBuiltInGuestsForExecution);
}
public void WindowsGroupPermissions_CanRemove_Server_True()
{
//------------Setup for test--------------------------
var p = new WindowsGroupPermission { IsServer = true, WindowsGroup = "xxx" };
//------------Execute Test---------------------------
var canRemove = p.CanRemove;
//------------Assert Results-------------------------
Assert.IsTrue(canRemove);
}
void Verify_IsAuthorized(Permissions configPermissions, TestAuthorizationRequest authorizationRequest, bool isServer)
{
var configPermission = new WindowsGroupPermission { WindowsGroup = TestAuthorizationRequest.UserRole, IsServer = isServer, Permissions = configPermissions };
if(!isServer && !string.IsNullOrEmpty(authorizationRequest.Resource))
{
Guid resourceID;
if(Guid.TryParse(authorizationRequest.Resource, out resourceID))
{
configPermission.ResourceID = resourceID;
configPermission.ResourceName = "TestCategory\\";
}
else
{
configPermission.ResourceID = Guid.NewGuid();
configPermission.ResourceName = string.Format("TestCategory\\{0}", authorizationRequest.Resource);
}
}
authorizationRequest.UserIsInRole = false;
Verify_IsAuthorized(configPermission, authorizationRequest);
authorizationRequest.UserIsInRole = true;
Verify_IsAuthorized(configPermission, authorizationRequest);
}
void Verify_IsAuthorized(WindowsGroupPermission configPermissions, TestAuthorizationRequest authorizationRequest)
{
//------------Setup for test--------------------------
var allowedPermissions = AuthorizationHelpers.ToPermissions(authorizationRequest.AuthorizationContext);
var expected = authorizationRequest.UserIsInRole && (configPermissions.Permissions & allowedPermissions) != 0;
var securityService = new Mock<ISecurityService>();
securityService.SetupGet(p => p.Permissions).Returns(new[] { configPermissions });
var authorizationService = new TestServerAuthorizationService(securityService.Object);
//------------Execute Test---------------------------
var authorized = authorizationService.IsAuthorized(authorizationRequest);
//------------Assert Results-------------------------
Assert.AreEqual(expected, authorized, string.Format("\nUserIsInRole: {0}\nAllowed: {1}\nConfig: {2}\nIsServer: {3}\nURL: {4}",
authorizationRequest.UserIsInRole, allowedPermissions, configPermissions.Permissions, configPermissions.IsServer, authorizationRequest.Url));
}
IResourceModel PickResource(WindowsGroupPermission permission)
{
if(permission != null && permission.ResourceID != Guid.Empty)
{
if(_environment.ResourceRepository != null)
{
var foundResourceModel = _environment.ResourceRepository.FindSingle(model => model.ID == permission.ResourceID);
if(foundResourceModel != null)
{
_resourcePicker.SelectedResource = foundResourceModel;
}
}
}
var hasResult = _resourcePicker.ShowDialog(_environment);
return hasResult ? _resourcePicker.SelectedResource : null;
}
protected virtual bool IsInRole(IPrincipal principal, WindowsGroupPermission p)
{
var isInRole = false;
if(principal == null)
{
return p.IsBuiltInGuestsForExecution;
}
try
{
// If its our admin group ( Warewolf ), we need to check membership differently
// Prefixing with computer name does not work with Warewolf and IsInRole
// Plain does not work with IsInRole
// Hence this conditional check and divert
var windowsGroup = p.WindowsGroup;
if(windowsGroup == WindowsGroupPermission.BuiltInAdministratorsText)
{
// We need to get the group as it is local then look for principle's membership
var principleName = principal.Identity.Name;
if(!string.IsNullOrEmpty(principleName))
{
// Examine if BuiltIn\Administrators is still present as a Member
// Then inspect BuiltIn\Administrators
// Examine group for this member ;)
isInRole = principal.IsInRole(windowsGroup);
if (!isInRole)
{
isInRole = DoFallBackCheck(principal);
}
// if that fails, check Administrators group membership in the Warewolf Administrators group
if(!isInRole)
{
var sid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
var windowsPrincipal = principal as WindowsPrincipal;
var windowsIdentity = principal.Identity as WindowsIdentity;
if(windowsPrincipal != null)
{
isInRole = windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator) || windowsPrincipal.IsInRole("BUILTIN\\Administrators") || windowsPrincipal.IsInRole(sid);
if(windowsIdentity != null && !isInRole)
{
if(windowsIdentity.Groups != null)
{
isInRole = windowsIdentity.Groups.Any(reference =>
{
if(reference.Value == sid.Value)
{
return true;
}
try
{
var identityReference = reference.Translate(typeof(NTAccount));
if(identityReference != null)
{
return identityReference.Value == windowsGroup;
}
}
catch(Exception)
{
return false;
//Complete failure
}
return false;
});
}
}
}
else
{
if(AreAdministratorsMembersOfWarewolfAdministrators.Invoke())
{
// Check user's administrator membership
isInRole = principal.IsInRole(sid.Value);
}
//Check regardless. Not installing the software can create a situation where the "Administrators" group is not part of Warewolf
isInRole = principal.IsInRole(sid.Value);
}
}
if (!isInRole)
{
isInRole = DoFallBackCheck(principal);
}
return isInRole;
}
}
else
{
// THIS TRY-CATCH IS HERE TO AVOID THE EXPLORER NOT LOADING ANYTHING WHEN THE DOMAIN CANNOT BE CONTACTED!
isInRole = principal.IsInRole(windowsGroup);
}
}
// ReSharper disable EmptyGeneralCatchClause
catch { }
// ReSharper restore EmptyGeneralCatchClause
return isInRole || p.IsBuiltInGuestsForExecution;
}
public void WindowsGroupPermission_IsValid_IsServerAndWindowsGroupIsEmpty_False()
{
//------------Setup for test--------------------------
//------------Execute Test---------------------------
var p = new WindowsGroupPermission { IsServer = true, WindowsGroup = string.Empty };
//------------Assert Results-------------------------
Assert.IsFalse(p.IsValid);
}
public void SecurityRead_Execute_WhenSecureConfigDoesExistWithNoGuestPermission_ShouldHaveExistingPermissionsAndGuest()
{
//------------Setup for test--------------------------
if(File.Exists("secure.config"))
{
File.Delete("secure.config");
}
var permission = new WindowsGroupPermission { Administrator = true, IsServer = true, WindowsGroup = Environment.UserName };
var permission2 = new WindowsGroupPermission { Administrator = false, DeployFrom = false, IsServer = true, WindowsGroup = "NETWORK SERVICE" };
var windowsGroupPermissions = new List<WindowsGroupPermission> { permission, permission2 };
var securitySettings = new SecuritySettingsTO(windowsGroupPermissions) { CacheTimeout = new TimeSpan(0, 10, 0) };
var serializeObject = JsonConvert.SerializeObject(securitySettings);
var securityWrite = new SecurityWrite();
var securityRead = new SecurityRead();
securityWrite.Execute(new Dictionary<string, StringBuilder> { { "SecuritySettings", new StringBuilder(serializeObject) } }, null);
//------------Assert Preconditions-------------------------
Assert.IsTrue(File.Exists("secure.config"));
//------------Execute Test---------------------------
var jsonPermissions = securityRead.Execute(null, null);
File.Delete("secure.config");
var readSecuritySettings = JsonConvert.DeserializeObject<SecuritySettingsTO>(jsonPermissions.ToString());
//------------Assert Results-------------------------
Assert.AreEqual(4, readSecuritySettings.WindowsGroupPermissions.Count);
var guestPermission = readSecuritySettings.WindowsGroupPermissions.FirstOrDefault(p => p.WindowsGroup == WindowsGroupPermission.BuiltInGuestsText);
Assert.IsNotNull(guestPermission);
Assert.AreEqual(true, guestPermission.IsServer);
Assert.AreEqual(false, guestPermission.View);
Assert.AreEqual(false, guestPermission.Execute);
Assert.AreEqual(false, guestPermission.Contribute);
Assert.AreEqual(false, guestPermission.DeployTo);
Assert.AreEqual(false, guestPermission.DeployFrom);
Assert.AreEqual(false, guestPermission.Administrator);
var networkServicePermission = readSecuritySettings.WindowsGroupPermissions.FirstOrDefault(p => p.WindowsGroup == "NETWORK SERVICE");
Assert.IsNotNull(networkServicePermission);
Assert.AreEqual(true, networkServicePermission.IsServer);
Assert.AreEqual(false, networkServicePermission.View);
Assert.AreEqual(false, networkServicePermission.Execute);
Assert.AreEqual(false, networkServicePermission.Contribute);
Assert.AreEqual(false, networkServicePermission.DeployTo);
Assert.AreEqual(false, networkServicePermission.DeployFrom);
Assert.AreEqual(false, networkServicePermission.Administrator);
var userPermission = readSecuritySettings.WindowsGroupPermissions.FirstOrDefault(p => p.WindowsGroup == Environment.UserName);
Assert.IsNotNull(userPermission);
Assert.AreEqual(true, userPermission.IsServer);
Assert.AreEqual(false, userPermission.View);
Assert.AreEqual(false, userPermission.Execute);
Assert.AreEqual(false, userPermission.Contribute);
Assert.AreEqual(false, userPermission.DeployTo);
Assert.AreEqual(false, userPermission.DeployFrom);
Assert.AreEqual(true, userPermission.Administrator);
Assert.AreEqual(new TimeSpan(0, 10, 0), readSecuritySettings.CacheTimeout);
}
static void UpdateForAdministratorPermissions(WindowsGroupPermission windowsGroupPermission)
{
windowsGroupPermission.DeployFrom = true;
windowsGroupPermission.DeployTo = true;
windowsGroupPermission.Contribute = true;
}
WindowsGroupPermission CreateNewPermission(bool isServer)
{
var permission = new WindowsGroupPermission { IsNew = true, IsServer = isServer };
RegisterPropertyChanged(permission);
return permission;
}
static void SwitchAdminPermissionsOff(WindowsGroupPermission windowsGroupPermission, string propertyName)
{
if(!windowsGroupPermission.DeployTo && propertyName == "DeployTo"
|| !windowsGroupPermission.DeployFrom && propertyName == "DeployFrom"
|| !windowsGroupPermission.Contribute && propertyName == "Contribute")
{
windowsGroupPermission.Administrator = false;
}
}
static void UpdateForContributePermissions(WindowsGroupPermission windowsGroupPermission)
{
windowsGroupPermission.View = true;
windowsGroupPermission.Execute = true;
}
static void SwitchContributePermissionsOff(WindowsGroupPermission windowsGroupPermission, string propertyName)
{
if(!windowsGroupPermission.View && propertyName == "View"
|| !windowsGroupPermission.Execute && propertyName == "Execute")
{
windowsGroupPermission.Contribute = false;
}
}
public void WindowsGroup_RemoveRow_DeleteTrue_DeletefalseEnableCellEditingTrue()
{
//------------Setup for test--------------------------
var p = new WindowsGroupPermission { IsDeleted = true };
//------------Execute Test---------------------------
p.RemoveRow.Execute(null);
//------------Assert Results-------------------------
Assert.IsFalse(p.IsDeleted);
Assert.IsTrue(p.EnableCellEditing);
}
public void SettingsWrite_Execute_SettingsWriteValuePassedValidJSON_ShouldDoSecurityWrite()
{
//------------Setup for test--------------------------
var permission = new WindowsGroupPermission { Administrator = true, IsServer = true, WindowsGroup = Environment.UserName };
var windowsGroupPermissions = new List<WindowsGroupPermission> { permission };
var settings = new Settings { Security = new SecuritySettingsTO(windowsGroupPermissions) };
var serializeObject = JsonConvert.SerializeObject(settings);
var settingsWrite = new SettingsWrite();
//------------Execute Test---------------------------
StringBuilder execute = settingsWrite.Execute(new Dictionary<string, StringBuilder> { { "Settings", new StringBuilder(serializeObject) } }, null);
//------------Assert Results-------------------------
Assert.IsTrue(File.Exists("secure.config"));
File.Delete("secure.config");
var msg = ToMsg(execute);
StringAssert.Contains(msg.Message.ToString(), "Success");
}
public void WindowsGroupPermission_IsValid_IsNotServerAndWindowsGroupAndResourceNameAreNotEmpty_True()
{
//------------Setup for test--------------------------
//------------Execute Test---------------------------
var p = new WindowsGroupPermission { IsServer = false, WindowsGroup = "xxx", ResourceName = "xxx" };
//------------Assert Results-------------------------
Assert.IsTrue(p.IsValid);
}
void Verify_Compare(int expected, ListSortDirection direction, string sortMemberPath, WindowsGroupPermission px, WindowsGroupPermission py)
{
//------------Setup for test-------------------------
var comparer = new WindowsGroupPermissionComparer(direction, sortMemberPath);
//------------Execute Test---------------------------
var result = comparer.Compare(px, py);
//------------Assert Results-------------------------
Assert.AreEqual(expected, result);
}
public void WindowsGroupPermission_IsValid_IsNotServerAndResourceNameIsEmpty_False()
{
//------------Setup for test--------------------------
//------------Execute Test---------------------------
var p = new WindowsGroupPermission { IsServer = false, WindowsGroup = "xxx", ResourceName = string.Empty };
//------------Assert Results-------------------------
Assert.IsFalse(p.IsValid);
}
public void WindowsGroupPermissions_CanRemoveRow_WindowsGroupChanges_CanExecuteChangedFires()
{
//------------Setup for test--------------------------
var p = new WindowsGroupPermission { IsDeleted = false };
var hitCount=0;
p.RemoveRow.CanExecuteChanged += (sender, args) =>
{
hitCount++;
};
//------------Execute Test---------------------------
p.WindowsGroup = "TestGroup";
//------------Assert Results-------------------------
Assert.AreEqual(1,hitCount);
}
protected virtual bool IsInRole(IPrincipal principal, WindowsGroupPermission p)
{
var isInRole = false;
if (principal == null)
{
return(p.IsBuiltInGuestsForExecution);
}
try
{
// If its our admin group ( Warewolf ), we need to check membership differently
// Prefixing with computer name does not work with Warewolf and IsInRole
// Plain does not work with IsInRole
// Hence this conditional check and divert
var windowsGroup = p.WindowsGroup;
if (windowsGroup == WindowsGroupPermission.BuiltInAdministratorsText)
{
// We need to get the group as it is local then look for principle's membership
var principleName = principal.Identity.Name;
if (!string.IsNullOrEmpty(principleName))
{
// Examine if BuiltIn\Administrators is still present as a Member
// Then inspect BuiltIn\Administrators
// Examine group for this member ;)
isInRole = principal.IsInRole(windowsGroup);
if (!isInRole)
{
isInRole = DoFallBackCheck(principal);
}
// if that fails, check Administrators group membership in the Warewolf Administrators group
if (!isInRole)
{
var sid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
var windowsPrincipal = principal as WindowsPrincipal;
var windowsIdentity = principal.Identity as WindowsIdentity;
if (windowsPrincipal != null)
{
isInRole = windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator) || windowsPrincipal.IsInRole("BUILTIN\\Administrators") || windowsPrincipal.IsInRole(sid);
if (windowsIdentity != null && !isInRole)
{
if (windowsIdentity.Groups != null)
{
isInRole = windowsIdentity.Groups.Any(reference =>
{
if (reference.Value == sid.Value)
{
return(true);
}
try
{
var identityReference = reference.Translate(typeof(NTAccount));
if (identityReference != null)
{
return(identityReference.Value == windowsGroup);
}
}
catch (Exception)
{
return(false);
//Complete failure
}
return(false);
});
}
}
}
else
{
if (AreAdministratorsMembersOfWarewolfAdministrators.Invoke())
{
// Check user's administrator membership
isInRole = principal.IsInRole(sid.Value);
}
//Check regardless. Not installing the software can create a situation where the "Administrators" group is not part of Warewolf
isInRole = principal.IsInRole(sid.Value);
}
}
if (!isInRole)
{
isInRole = DoFallBackCheck(principal);
}
return(isInRole);
}
}
else
{
// THIS TRY-CATCH IS HERE TO AVOID THE EXPLORER NOT LOADING ANYTHING WHEN THE DOMAIN CANNOT BE CONTACTED!
isInRole = principal.IsInRole(windowsGroup);
}
}
// ReSharper disable EmptyGeneralCatchClause
catch { }
// ReSharper restore EmptyGeneralCatchClause
return(isInRole || p.IsBuiltInGuestsForExecution);
}
public void WindowsGroupPermissions_CanRemove_Resource_True()
{
//------------Setup for test--------------------------
var p = new WindowsGroupPermission { IsServer = false, ResourceID = Guid.NewGuid(), WindowsGroup = "xxx" };
//------------Execute Test---------------------------
var canRemove = p.CanRemove;
//------------Assert Results-------------------------
Assert.IsTrue(canRemove);
}
void RegisterPropertyChanged(WindowsGroupPermission permission)
{
permission.PropertyChanged += OnPermissionPropertyChanged;
}
public void GivenResourceHasRights(string resourceName, string resourceRights, string groupName)
{
var environmentModel = ScenarioContext.Current.Get<IEnvironmentModel>("environment");
EnsureEnvironmentConnected(environmentModel);
var resourceRepository = environmentModel.ResourceRepository;
var settings = resourceRepository.ReadSettings(environmentModel);
environmentModel.ForceLoadResources();
var resourceModel = resourceRepository.FindSingle(model => model.Category.Equals(resourceName, StringComparison.InvariantCultureIgnoreCase));
Assert.IsNotNull(resourceModel, "Did not find: " + resourceName);
SecPermissions resourcePermissions = SecPermissions.None;
var permissionsStrings = resourceRights.Split(new[] { ", " }, StringSplitOptions.RemoveEmptyEntries);
foreach(var permissionsString in permissionsStrings)
{
SecPermissions permission;
if(Enum.TryParse(permissionsString.Replace(" ", ""), true, out permission))
{
resourcePermissions |= permission;
}
}
settings.Security.WindowsGroupPermissions.RemoveAll(permission => permission.ResourceID == resourceModel.ID);
var windowsGroupPermission = new WindowsGroupPermission { WindowsGroup = groupName, ResourceID = resourceModel.ID, ResourceName = resourceName, IsServer = false, Permissions = resourcePermissions };
settings.Security.WindowsGroupPermissions.Add(windowsGroupPermission);
resourceRepository.WriteSettings(environmentModel, settings);
}
int QuickSortForPermissions(WindowsGroupPermission x, WindowsGroupPermission y)
{
var px = x;
var py = y;
if(px == null || py == null)
{
return 1;
}
// New items must be last
//
if(px.IsNew)
{
// px is greater than py
return int.MaxValue;
}
if(py.IsNew)
{
// px is less than py
return int.MinValue;
}
// BuiltInAdministrators must be first
if(px.IsBuiltInAdministrators)
{
// px is less than py
return int.MinValue;
}
if(py.IsBuiltInAdministrators)
{
// px is greater than py
return int.MaxValue;
}
// IsBuiltInGuests must be second
if(px.IsBuiltInGuests)
{
// px is less than py
return int.MinValue + 1;
}
if(py.IsBuiltInGuests)
{
// px is greater than py
return int.MaxValue - 1;
}
return 1;
}
void UpdateOverridingPermission(WindowsGroupPermission windowsGroupPermission, string propertyName)
{
if(windowsGroupPermission == null)
{
return;
}
SwitchAdminPermissionsOff(windowsGroupPermission, propertyName);
SwitchContributePermissionsOff(windowsGroupPermission, propertyName);
if(windowsGroupPermission.Administrator && propertyName == "Administrator")
{
UpdateForAdministratorPermissions(windowsGroupPermission);
}
if(windowsGroupPermission.Contribute && propertyName == "Contribute")
{
UpdateForContributePermissions(windowsGroupPermission);
}
}
