public static AuthorizationRuleCollection GetAccess(PSObject instance) { AuthorizationRuleCollection accessRules; if (instance != null) { ObjectSecurity baseObject = instance.BaseObject as ObjectSecurity; if (baseObject == null) { PSTraceSource.NewArgumentException("instance"); } CommonObjectSecurity commonObjectSecurity = baseObject as CommonObjectSecurity; if (commonObjectSecurity == null) { DirectoryObjectSecurity directoryObjectSecurity = baseObject as DirectoryObjectSecurity; accessRules = directoryObjectSecurity.GetAccessRules(true, true, typeof(NTAccount)); } else { accessRules = commonObjectSecurity.GetAccessRules(true, true, typeof(NTAccount)); } return(accessRules); } else { throw PSTraceSource.NewArgumentNullException("instance"); } }
private FileSystemRights GetFileSystemRights(CommonObjectSecurity objectSecurity) { AuthorizationRuleCollection accessRules = objectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); FileSystemRights fileSystemAllowRights = 0; FileSystemRights fileSystemDenyRights = 0; foreach (FileSystemAccessRule accessRule in accessRules) { IdentityReference identityReference = accessRule.IdentityReference; if (identityReference != _currentUserIdentifier && _currentUserGroups.All(reference => reference != identityReference)) { continue; } if (accessRule.AccessControlType == AccessControlType.Deny) { fileSystemDenyRights = fileSystemDenyRights | accessRule.FileSystemRights; } else { fileSystemAllowRights = fileSystemAllowRights | accessRule.FileSystemRights; } } return(fileSystemAllowRights & (~fileSystemDenyRights)); }
private static string GetPermissions(CommonObjectSecurity fileSystemSecurity) { var accessRules = fileSystemSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)) .Cast <FileSystemAccessRule>() .Where(x => x.IdentityReference == WindowsIdentity.GetCurrent().User) .ToArray(); return(GetEffectiveRights(accessRules).ToString()); }
private static bool FindMatch(CommonObjectSecurity security, FileSystemAccessRule rule) => security.GetAccessRules(true, false, typeof(SecurityIdentifier)) .OfType <FileSystemAccessRule>() .Any( ar => ar.IdentityReference.Equals(rule.IdentityReference) && ar.FileSystemRights.Equals(rule.FileSystemRights) && ar.InheritanceFlags.Equals(rule.InheritanceFlags) && ar.PropagationFlags.Equals(rule.PropagationFlags));
private static T GetEffectiveRights <T, R>(CommonObjectSecurity securityObject, WindowsIdentity windowsIdentity) where T : struct, IConvertible where R : AccessRule { if (!typeof(T).IsEnum) { throw new ArgumentException($"Type '{typeof(T).FullName}' is not an enum"); } if (windowsIdentity == null) { throw new ArgumentNullException(nameof(windowsIdentity)); } if (securityObject == null) { throw new ArgumentNullException(nameof(securityObject)); } int denyRights = 0, allowRights = 0; // get all access rules for the path - this works for a directory path as well as a file path AuthorizationRuleCollection authorizationRules = securityObject.GetAccessRules(true, true, typeof(SecurityIdentifier)); // get the user's sids List <string> sids = new List <string>(windowsIdentity.Groups.Select(g => g.Value)); sids.Insert(0, windowsIdentity.User.Value); // get the access rules filtered by the user's sids var rules = (from rule in authorizationRules.Cast <R>() where sids.Contains(rule.IdentityReference.Value) select rule); System.Reflection.PropertyInfo pi = null; foreach (var rule in rules) { if (pi == null) { pi = rule.GetType().GetProperty("AccessMask", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance, null, typeof(int), Type.EmptyTypes, null); } if (pi == null) { throw new InvalidOperationException("Unable to retrieve access mask."); } if (rule.AccessControlType == AccessControlType.Deny) { denyRights |= (int)pi.GetValue(rule, null); } else { allowRights |= (int)pi.GetValue(rule, null); } } return((T)Enum.ToObject(typeof(T), (allowRights | denyRights) ^ denyRights)); }
private static void ShowSecurity(CommonObjectSecurity security) { AuthorizationRuleCollection coll = security.GetAccessRules(true, true, typeof(NTAccount)); foreach (FileSystemAccessRule rule in coll) { Console.WriteLine("IdentityReference: {0}", rule.IdentityReference); Console.WriteLine("Access control type: {0}", rule.AccessControlType); Console.WriteLine("Rights: {0}", rule.FileSystemRights); Console.WriteLine("Inherited? {0}", rule.IsInherited); Console.WriteLine(); } }
/// <summary> /// Identities the has accces. /// </summary> /// <param name="identity">The identity.</param> /// <param name="security">The security.</param> /// <param name="fileSystemRights">The file system rights.</param> /// <returns> /// <c>true</c> if [has identity accces] [the specified identity]; otherwise, <c>false</c>. /// </returns> private static bool HasIdentityAccces(WindowsIdentity identity, CommonObjectSecurity security, FileSystemRights fileSystemRights) { var allReference = GetAllReference(identity); var authorizationRuleCollection = security.GetAccessRules(true, true, domain); foreach (FileSystemAccessRule fileSystemAccessRule in authorizationRuleCollection) { if (AccessControlType.Allow == fileSystemAccessRule.AccessControlType && fileSystemRights == (fileSystemAccessRule.FileSystemRights & fileSystemRights) && allReference.Contains(fileSystemAccessRule.IdentityReference) ) { return(true); } } return(false); }
private void VerifyAccessSecurity(CommonObjectSecurity expectedSecurity, CommonObjectSecurity actualSecurity) { Assert.Equal(typeof(FileSystemRights), expectedSecurity.AccessRightType); Assert.Equal(typeof(FileSystemRights), actualSecurity.AccessRightType); List <FileSystemAccessRule> expectedAccessRules = expectedSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier)) .Cast <FileSystemAccessRule>().ToList(); List <FileSystemAccessRule> actualAccessRules = actualSecurity.GetAccessRules(includeExplicit: true, includeInherited: false, typeof(SecurityIdentifier)) .Cast <FileSystemAccessRule>().ToList(); Assert.Equal(expectedAccessRules.Count, actualAccessRules.Count); if (expectedAccessRules.Count > 0) { Assert.All(expectedAccessRules, actualAccessRule => { int count = expectedAccessRules.Count(expectedAccessRule => AreAccessRulesEqual(expectedAccessRule, actualAccessRule)); Assert.True(count > 0); }); } }
private static bool IsFileSystemAccessRuleSet(FileSystemRights rights, CommonObjectSecurity commonObjectSecurity, AccessControlType accessControlType) { AuthorizationRuleCollection rules = commonObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); return(rules.OfType <FileSystemAccessRule>().Any(fs => fs.FileSystemRights.HasFlag(rights) && fs.AccessControlType == accessControlType)); }