

Serializing identites
zentron committed Sep 8, 2024
1 parent 3470942 commit 6d062dc
Showing 5 changed files with 59 additions and 26 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -11,26 +11,34 @@ public class PrivateKeyAccessRule
{
[JsonConstructor]
public PrivateKeyAccessRule(string identity, PrivateKeyAccess access)
:this(new NTAccount(identity), access)
{
}

public PrivateKeyAccessRule(IdentityReference identity, PrivateKeyAccess access)
{
Identity = identity;
Access = access;
}

public IdentityReference Identity { get; }

public PrivateKeyAccess Access { get; }


private static JsonSerializerSettings JsonSerializerSettings => new JsonSerializerSettings
public string Identity { get; }


public IdentityReference GetIdentityReference()
{
Converters = new List<JsonConverter>
return TryParse(Identity, out var temp) ? temp! : new NTAccount(Identity);
}


public static bool TryParse(string value, out SecurityIdentifier? result)
{
try
{
new StringEnumConverter(),
result = new SecurityIdentifier(value);
return true;
}
};
catch (ArgumentException)
{
result = null;
return false;
}
}

}
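Review bot: The null-forgiving `temp!` in GetIdentityReference is only needed because TryParse does not tell the compiler that the out value is non-null on success; declaring it as `public static bool TryParse(string value, [NotNullWhen(true)] out SecurityIdentifier? result)` removes the need for `!`, assuming System.Diagnostics.CodeAnalysis is available on this target framework. GetIdentityReference also deserves a summary stating the resolution order, e.g. `/// Returns the identity as a SecurityIdentifier when the stored string is valid SDDL (such as "S-1-5-19"), otherwise as an NTAccount; no check is made here that the account actually exists.` TryParse catches ArgumentException, which is what the SecurityIdentifier(string) constructor throws for malformed SDDL (ArgumentNullException derives from it), so the catch is adequate, but a `<summary>` should make clear that a false return means "not an SDDL string", not "unknown principal".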
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ public void ImportCertificateToStore(byte[] pfxBytes, string password, string us
if (certificate.HasPrivateKey())
{
// Because we have to store the private-key in the machine key-store, we must grant the user access to it
var keySecurity = new[] {new PrivateKeyAccessRule(account, PrivateKeyAccess.FullControl)};
var keySecurity = new[] {new PrivateKeyAccessRule(account.Value, PrivateKeyAccess.FullControl)};
AddPrivateKeyAccessRules(keySecurity, certificate);
}
}
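Review bot: This copy of ImportCertificateToStore passes `account.Value` to PrivateKeyAccessRule, while the same method in the fourth file of this commit passes `userName`; if `account` was derived from `userName` (resolved or normalized somewhere above the hunk), the two implementations now grant the private-key ACL to differently-spelled principals. Only the `.Value` form is guaranteed to round-trip through PrivateKeyAccessRule.TryParse when `account` is a SecurityIdentifier, so the other copy should probably use `new PrivateKeyAccessRule(account.Value, PrivateKeyAccess.FullControl)` as well. The rest of ImportCertificateToStore, including where `account` is built, is outside the hunk.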
Original file line number Diff line number Diff line change
Expand Up @@ -10,17 +10,42 @@ public class PrivateKeyAccessRule
{
[JsonConstructor]
public PrivateKeyAccessRule(string identity, PrivateKeyAccess access)
:this(new NTAccount(identity), access)

{
Identity = identity;
Access = access;
}

public PrivateKeyAccessRule(IdentityReference identity, PrivateKeyAccess access)
/*public PrivateKeyAccessRule(IdentityReference identity, PrivateKeyAccess access)
{
Identity = identity;
Access = access;
}
}*/

public IdentityReference Identity { get; }
/*public IdentityReference Identity { get; }*/
public string Identity { get; }

public IdentityReference GetIdentityReference()
{
return TryParse(Identity, out var temp) ? (IdentityReference)temp : new NTAccount(Identity);
}


public static bool TryParse(string value, out SecurityIdentifier result)
{
try
{
result = new SecurityIdentifier(value);
return true;
}
catch (ArgumentException)
{
result = null;
return false;
}
}


public PrivateKeyAccess Access { get; }

public static ICollection<PrivateKeyAccessRule> FromJson(string json)
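Review bot: The commented-out constructor and property left in this class (`/*public PrivateKeyAccessRule(IdentityReference identity, PrivateKeyAccess access)` … `}*/` and `/*public IdentityReference Identity { get; }*/`) should be deleted rather than kept; source control already holds the old version. This copy of TryParse declares `out SecurityIdentifier result` and assigns `result = null`, whereas the other PrivateKeyAccessRule in this commit uses `out SecurityIdentifier? result` and `temp!`; the two files should agree, and if nullable reference types are enabled for this project the non-nullable form produces a CS8625 warning, so `out SecurityIdentifier? result` with a `[NotNullWhen(true)]` annotation is the cleaner shape for both. FromJson begins on the hunk's last line and continues outside it.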
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ public void ImportCertificateToStore(byte[] pfxBytes, string password, string us
if (certificate.HasPrivateKey())
{
// Because we have to store the private-key in the machine key-store, we must grant the user access to it
var keySecurity = new[] {new PrivateKeyAccessRule(account, PrivateKeyAccess.FullControl)};
var keySecurity = new[] {new PrivateKeyAccessRule(userName, PrivateKeyAccess.FullControl)};
AddPrivateKeyAccessRules(keySecurity, certificate);
}
}
Expand Down Expand Up @@ -439,11 +439,11 @@ static CryptoKeyAccessRule ToCryptoKeyAccessRule(PrivateKeyAccessRule rule)
switch (rule.Access)
{
case PrivateKeyAccess.ReadOnly:
return new CryptoKeyAccessRule(rule.Identity, CryptoKeyRights.GenericRead, AccessControlType.Allow);
return new CryptoKeyAccessRule(rule.GetIdentityReference(), CryptoKeyRights.GenericRead, AccessControlType.Allow);

case PrivateKeyAccess.FullControl:
// We use 'GenericAll' here rather than 'FullControl' as 'FullControl' doesn't correctly set the access for CNG keys
return new CryptoKeyAccessRule(rule.Identity, CryptoKeyRights.GenericAll, AccessControlType.Allow);
return new CryptoKeyAccessRule(rule.GetIdentityReference(), CryptoKeyRights.GenericAll, AccessControlType.Allow);

default:
throw new ArgumentOutOfRangeException(nameof(rule.Access));
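Review bot: In ToCryptoKeyAccessRule, `rule.GetIdentityReference()` yields an NTAccount for any identity string that is not SDDL, and CryptoKeyAccessRule accepts it without validation; presumably the name is only translated to a SID when the ACL is applied, so a misspelled or nonexistent account now fails at AddPrivateKeyAccessRules time rather than when the rule was constructed. A comment above the switch would save the next reader a surprise: `// NTAccount identities are translated to SIDs when the ACL is applied; an unresolvable name fails there, not here.` The first hunk's `userName` argument is covered by the note on the earlier copy of ImportCertificateToStore.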
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ static PrivateKeyAccessRule CreatePrivateKeyAccessForApplicationPoolAccount(IVar
PrivateKeyAccess.FullControl);
}

static IdentityReference GetIdentityForApplicationPoolIdentity(ApplicationPoolIdentityType applicationPoolIdentityType,
static string GetIdentityForApplicationPoolIdentity(ApplicationPoolIdentityType applicationPoolIdentityType,
IVariables variables)
{
//TODO: Once this only runs netcore we can remove this check (or potentially externalize the whole check)
Expand All @@ -79,19 +79,19 @@ static IdentityReference GetIdentityForApplicationPoolIdentity(ApplicationPoolId
switch (applicationPoolIdentityType)
{
case ApplicationPoolIdentityType.ApplicationPoolIdentity:
return new NTAccount("IIS AppPool\\" + variables.Get(SpecialVariables.Action.IisWebSite.ApplicationPoolName));
return new NTAccount("IIS AppPool\\" + variables.Get(SpecialVariables.Action.IisWebSite.ApplicationPoolName)).Value;

case ApplicationPoolIdentityType.LocalService:
return new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null);
return new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null).Value;

case ApplicationPoolIdentityType.LocalSystem:
return new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null);
return new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null).Value;

case ApplicationPoolIdentityType.NetworkService:
return new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
return new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null).Value;

case ApplicationPoolIdentityType.SpecificUser:
return new NTAccount(StripLocalAccountIdentifierFromUsername(variables.Get(SpecialVariables.Action.IisWebSite.ApplicationPoolUserName)));
return new NTAccount(StripLocalAccountIdentifierFromUsername(variables.Get(SpecialVariables.Action.IisWebSite.ApplicationPoolUserName))).Value;

default:
throw new ArgumentOutOfRangeException(nameof(applicationPoolIdentityType), applicationPoolIdentityType, null);
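Review bot: The `ApplicationPoolIdentityType.LocalSystem` case still returns `WellKnownSidType.LocalServiceSid`, so an application pool running as LocalSystem has its private-key ACL granted to the Local Service principal instead of its own; this predates the commit, but the line is rewritten here and should read `return new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Value;`. The `.Value` round-trip itself is sound: a SecurityIdentifier's Value is its SDDL form, which PrivateKeyAccessRule.TryParse accepts, and an NTAccount's Value is the account name exactly as constructed. GetIdentityForApplicationPoolIdentity starts before the second hunk and ends after it.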
