public void DeserializeAccessControlList()
{
// Arrange
PathAccessControlItem accessControlEntry = new PathAccessControlItem(
AccessControlType.User,
_rolePermissions,
true,
_entityId);
// Act
IList <PathAccessControlItem> list = PathAccessControlExtensions.ParseAccessControlList("default:user:entityId:rwx");
// Assert
Assert.AreEqual(1, list.Count);
AssertPathAccessControlEntryEquality(accessControlEntry, list[0]);
// Act
list = PathAccessControlExtensions.ParseAccessControlList("default:user:entityId:rwx,default:mask::rwx");
// Assert
Assert.AreEqual(2, list.Count);
AssertPathAccessControlEntryEquality(accessControlEntry, list[0]);
AssertPathAccessControlEntryEquality(new PathAccessControlItem(
AccessControlType.Mask,
_rolePermissions,
true),
list[1]);
}
public PSPathAccessControlEntry(PathAccessControlItem acl)
{
this.DefaultScope = acl.DefaultScope;
this.AccessControlType = acl.AccessControlType;
this.EntityId = acl.EntityId;
this.Permissions = acl.Permissions;
}
// </Snippet_FileACL>
#endregion
#region Update ACL
// ---------------------------------------------------------
// Update directory-level ACLs
//----------------------------------------------------------
// <Snippet_UpdateACL>
public async Task UpdateDirectoryACLs(DataLakeFileSystemClient fileSystemClient)
{
DataLakeDirectoryClient directoryClient =
fileSystemClient.GetDirectoryClient("");
PathAccessControl directoryAccessControl =
await directoryClient.GetAccessControlAsync();
List <PathAccessControlItem> accessControlListUpdate
= (List <PathAccessControlItem>)directoryAccessControl.AccessControlList;
int index = -1;
foreach (var item in accessControlListUpdate)
{
if (item.AccessControlType == AccessControlType.Other)
{
index = accessControlListUpdate.IndexOf(item);
break;
}
}
if (index > -1)
{
accessControlListUpdate[index] = new PathAccessControlItem(AccessControlType.Other,
RolePermissions.Read |
RolePermissions.Execute);
directoryClient.SetAccessControlList(accessControlListUpdate);
}
}
public void SerializeAccessControlList()
{
// Arrange
PathAccessControlItem accessControlEntry = new PathAccessControlItem(
AccessControlType.User,
_rolePermissions,
true,
_entityId);
// Act
string result = PathAccessControlExtensions.ToAccessControlListString(new List <PathAccessControlItem>()
{
accessControlEntry
});
// Assert
Assert.AreEqual("default:user:entityId:rwx", result);
// Act
result = PathAccessControlExtensions.ToAccessControlListString(new List <PathAccessControlItem>()
{
accessControlEntry,
new PathAccessControlItem(
AccessControlType.Mask,
_rolePermissions,
true),
});
// Assert
Assert.AreEqual("default:user:entityId:rwx,default:mask::rwx", result);
}
// </Snippet_UpdateACLsRecursively>
#endregion
#region Remove ACL entry
// ---------------------------------------------------------
// Remove directory-level ACL entry
//----------------------------------------------------------
// <Snippet_RemoveACLEntry>
public async Task RemoveDirectoryACLEntry
(DataLakeFileSystemClient fileSystemClient)
{
DataLakeDirectoryClient directoryClient =
fileSystemClient.GetDirectoryClient("");
PathAccessControl directoryAccessControl =
await directoryClient.GetAccessControlAsync();
List <PathAccessControlItem> accessControlListUpdate
= (List <PathAccessControlItem>)directoryAccessControl.AccessControlList;
PathAccessControlItem entryToRemove = null;
foreach (var item in accessControlListUpdate)
{
if (item.EntityId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
{
entryToRemove = item;
break;
}
}
if (entryToRemove != null)
{
accessControlListUpdate.Remove(entryToRemove);
directoryClient.SetAccessControlList(accessControlListUpdate);
}
}
public void AssertPathAccessControlItemEquality(PathAccessControlItem expected, PathAccessControlItem actual)
{
Assert.AreEqual(expected.DefaultScope, actual.DefaultScope);
Assert.AreEqual(expected.AccessControlType, actual.AccessControlType);
Assert.AreEqual(expected.EntityId, actual.EntityId);
Assert.AreEqual(expected.Permissions, actual.Permissions);
}
public void AssertAccessControlListEquality(
IList <PathAccessControlItem> expected,
IList <PathAccessControlItem> actual)
{
Assert.AreEqual(expected.Count, actual.Count);
foreach (PathAccessControlItem expectedItem in expected)
{
PathAccessControlItem actualItem = actual.Where(
r => r.AccessControlType == expectedItem.AccessControlType).FirstOrDefault();
if (actualItem == null)
{
Assert.Fail("AccessControlItem not found");
}
AssertPathAccessControlItemEquality(expectedItem, actualItem);
}
}
public void Parse_Invalid()
{
Assert.AreEqual(null, PathAccessControlItem.Parse(null));
TestHelper.AssertExpectedException(
() => PathAccessControlItem.Parse("a:b"),
new ArgumentException("s should have 3 or 4 parts delimited by colons. Value is \"a:b\""));
TestHelper.AssertExpectedException(
() => PathAccessControlItem.Parse("a:b:c:d:e"),
new ArgumentException("s should have 3 or 4 parts delimited by colons. Value is \"a:b:c:d:e\""));
TestHelper.AssertExpectedException(
() => PathAccessControlItem.Parse("a:b:c:d"),
new ArgumentException("If s is 4 parts, the first must be \"default\". Value is \"a:b:c:d\""));
}
public PermsApply(Config cfg, Action <string> log = null)
{
_cfg = cfg;
Log = log;
if (_cfg.ACL == null)
{
_cfg.ACL = new string[0];
}
if (_cfg.RemoveList == null)
{
_cfg.RemoveList = new string[0];
}
if (_cfg.ExitAfter == -1)
{
_cfg.ExitAfter = null;
}
_newACL = _cfg.ACL.Select(x => PathAccessControlItem.Parse(x)).ToList();
}
public void Parse()
{
AssertPathAccessControlEntryEquality(
new PathAccessControlItem(
AccessControlType.Mask,
_rolePermissions),
PathAccessControlItem.Parse("mask::rwx"));
AssertPathAccessControlEntryEquality(
new PathAccessControlItem(
AccessControlType.Mask,
_rolePermissions,
true),
PathAccessControlItem.Parse("default:mask::rwx"));
AssertPathAccessControlEntryEquality(
new PathAccessControlItem(
AccessControlType.User,
_rolePermissions,
true,
_entityId),
PathAccessControlItem.Parse("default:user:entityId:rwx"));
}
static List <PathAccessControlItem> UpdateACLs(IEnumerable <PathAccessControlItem> existingACLs, RolePermissions newPermissionsForManagedIdentity, AppSettings settings)
{
// Either add an ACL for the search identity if it doesn't exist,
// or update it if it exists
// To learn more please visit https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-acl-dotnet#update-acls
List <PathAccessControlItem> accessControlList = existingACLs.ToList();
PathAccessControlItem managedIdentityAcl = accessControlList.FirstOrDefault(
accessControlItem => accessControlItem.AccessControlType == AccessControlType.User && accessControlItem.EntityId == settings.SearchManagedIdentityID);
if (managedIdentityAcl == null)
{
managedIdentityAcl = new PathAccessControlItem(
accessControlType: AccessControlType.User,
permissions: RolePermissions.Execute | RolePermissions.Read,
entityId: settings.SearchManagedIdentityID);
accessControlList.Add(managedIdentityAcl);
}
else
{
managedIdentityAcl.Permissions = RolePermissions.Execute | RolePermissions.Read;
}
return(accessControlList);
}
