feat: ensure missing NTFS permission groups

2026-03-10 08:51:59 +01:00
parent 58d7529329
commit 812deeaa74
6 changed files with 1049 additions and 375 deletions
--- a/LiamNtfs/C4IT.LIAM.Ntfs.cs
+++ b/LiamNtfs/C4IT.LIAM.Ntfs.cs
@@ -311,7 +311,7 @@ namespace C4IT.LIAM
            return null;
        }

-        public async Task<ResultToken> CreateDataAreaAsync(
+        public Task<ResultToken> CreateDataAreaAsync(
    string newFolderPath,
    string newFolderParent,
    IDictionary<string, string> customTags,
@@ -320,27 +320,157 @@ namespace C4IT.LIAM
    IEnumerable<string> writerSids
 )
        {
-            // 1) Instanziere DataArea_FileSystem und fülle Konfiguration:
+            var engine = CreateFilesystemEngine(
+                newFolderPath,
+                newFolderParent,
+                customTags,
+                ownerSids,
+                readerSids,
+                writerSids);
+            var result = engine.createDataArea();
+            return Task.FromResult(result);
+        }
+
+        public Task<ResultToken> EnsureMissingPermissionGroupsAsync(
+            string folderPath,
+            IDictionary<string, string> customTags,
+            IEnumerable<string> ownerSids,
+            IEnumerable<string> readerSids,
+            IEnumerable<string> writerSids,
+            bool ensureTraverseGroups = false)
+        {
+            var parentPath = Directory.GetParent(folderPath)?.FullName;
+            var engine = CreateFilesystemEngine(
+                folderPath,
+                parentPath,
+                customTags,
+                ownerSids,
+                readerSids,
+                writerSids);
+
+            return Task.FromResult(engine.ensureDataAreaPermissions(ensureTraverseGroups));
+        }
+
+        private DataArea_FileSystem CreateFilesystemEngine(
+            string folderPath,
+            string parentFolderPath,
+            IDictionary<string, string> customTags,
+            IEnumerable<string> ownerSids,
+            IEnumerable<string> readerSids,
+            IEnumerable<string> writerSids)
+        {
+            var mergedCustomTags = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+            foreach (var tag in CustomTags)
+                mergedCustomTags[tag.Key] = tag.Value;
+            if (customTags != null)
+            {
+                foreach (var tag in customTags)
+                    mergedCustomTags[tag.Key] = tag.Value;
+            }
+
            var engine = new DataArea_FileSystem
            {
+                ConfigID = "manual",
                domainName = this.Domain,
                username = this.Credential.Identification,
                password = new NetworkCredential("", this.Credential.Secret).SecurePassword,
                baseFolder = this.RootPath,
-                newFolderPath = newFolderPath,
-                newFolderParent = newFolderParent,
-                groupPrefix = CustomTags["Filesystem_GroupPrefixTag"],
+                newFolderPath = folderPath,
+                newFolderParent = parentFolderPath,
+                groupPrefix = GetRequiredCustomTag("Filesystem_GroupPrefixTag"),
                groupOUPath = this.GroupPath,
                groupPermissionStrategy = (C4IT_IAM_GET.PermissionGroupStrategy)this.GroupStrategy,
-                groupCustomTags = customTags,
-                ownerUserSids = ownerSids?.ToList(),
-                readerUserSids = readerSids?.ToList(),
-                writerUserSids = writerSids?.ToList(),
-                // Templates aus NamingConventions übernehmen…
+                groupCustomTags = mergedCustomTags,
+                ownerUserSids = ownerSids?.Where(i => !string.IsNullOrWhiteSpace(i)).Distinct(StringComparer.OrdinalIgnoreCase).ToList() ?? new List<string>(),
+                readerUserSids = readerSids?.Where(i => !string.IsNullOrWhiteSpace(i)).Distinct(StringComparer.OrdinalIgnoreCase).ToList() ?? new List<string>(),
+                writerUserSids = writerSids?.Where(i => !string.IsNullOrWhiteSpace(i)).Distinct(StringComparer.OrdinalIgnoreCase).ToList() ?? new List<string>(),
+                groupOwnerTag = GetRequiredCustomTag("Filesystem_GroupOwnerTag"),
+                groupWriteTag = GetRequiredCustomTag("Filesystem_GroupWriteTag"),
+                groupReadTag = GetRequiredCustomTag("Filesystem_GroupReadTag"),
+                groupTraverseTag = GetRequiredCustomTag("Filesystem_GroupTraverseTag"),
+                groupDLTag = GetRequiredCustomTag("Filesystem_GroupDomainLocalTag"),
+                groupGTag = GetRequiredCustomTag("Filesystem_GroupGlobalTag")
            };
-            // 2) Engine starten
-            var result = engine.createDataArea();
-            return result;
+
+            foreach (var template in BuildSecurityGroupTemplates())
+                engine.templates.Add(template);
+
+            return engine;
+        }
+
+        private IEnumerable<IAM_SecurityGroupTemplate> BuildSecurityGroupTemplates()
+        {
+            var templates = new List<IAM_SecurityGroupTemplate>();
+            foreach (var namingConvention in NamingConventions ?? Enumerable.Empty<cLiamNamingConvention>())
+            {
+                if (!TryMapSecurityGroupType(namingConvention.AccessRole, out var securityGroupType))
+                    continue;
+
+                if (!TryMapGroupScope(namingConvention.Scope, securityGroupType, out var groupScope))
+                    continue;
+
+                templates.Add(new IAM_SecurityGroupTemplate(
+                    namingConvention.NamingTemplate,
+                    namingConvention.DescriptionTemplate,
+                    namingConvention.Wildcard,
+                    securityGroupType,
+                    groupScope));
+            }
+
+            return templates;
+        }
+
+        private bool TryMapSecurityGroupType(eLiamAccessRoles accessRole, out SecurityGroupType securityGroupType)
+        {
+            securityGroupType = SecurityGroupType.Read;
+            switch (accessRole)
+            {
+                case eLiamAccessRoles.Owner:
+                    securityGroupType = SecurityGroupType.Owner;
+                    return true;
+                case eLiamAccessRoles.Write:
+                    securityGroupType = SecurityGroupType.Write;
+                    return true;
+                case eLiamAccessRoles.Read:
+                    securityGroupType = SecurityGroupType.Read;
+                    return true;
+                case eLiamAccessRoles.Traverse:
+                    securityGroupType = SecurityGroupType.Traverse;
+                    return true;
+                default:
+                    return false;
+            }
+        }
+
+        private bool TryMapGroupScope(eLiamAccessRoleScopes scope, SecurityGroupType type, out GroupScope groupScope)
+        {
+            groupScope = GroupScope.Global;
+            switch (scope)
+            {
+                case eLiamAccessRoleScopes.Global:
+                    groupScope = GroupScope.Global;
+                    return true;
+                case eLiamAccessRoleScopes.DomainLocal:
+                    groupScope = GroupScope.Local;
+                    return true;
+                case eLiamAccessRoleScopes.Unknown:
+                    if (type == SecurityGroupType.Traverse)
+                    {
+                        groupScope = this.GroupStrategy == eLiamGroupStrategies.Ntfs_AGDLP ? GroupScope.Local : GroupScope.Global;
+                        return true;
+                    }
+                    return false;
+                default:
+                    return false;
+            }
+        }
+
+        private string GetRequiredCustomTag(string key)
+        {
+            if (!CustomTags.TryGetValue(key, out var value))
+                throw new InvalidOperationException($"Missing NTFS custom tag '{key}'.");
+
+            return value;
        }