Meik/LIAM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prefer folder ACL groups during NTFS ensure

Browse Source
This commit is contained in:
Meik
2026-03-13 16:37:36 +01:00
parent c12978ff5d
commit b5981487d7
2 changed files with 74 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
LiamNtfs/C4IT_IAM_SET/DataArea_FileSystem.cs
View File

@@ -912,7 +912,7 @@ namespace C4IT_IAM_SET
else else
users = null; users = null;
newSecurityGroups.EnsureADGroup(groupOUPath, newSecurityGroups.IAM_SecurityGroups[i], users); newSecurityGroups.EnsureADGroup(groupOUPath, newSecurityGroups.IAM_SecurityGroups[i], users, newDataArea.IAM_Folders[0].technicalName);
if (newSecurityGroups.IAM_SecurityGroups[i].CreatedNewEntry) if (newSecurityGroups.IAM_SecurityGroups[i].CreatedNewEntry)
resultToken.createdGroups.Add(newSecurityGroups.IAM_SecurityGroups[i].Name); resultToken.createdGroups.Add(newSecurityGroups.IAM_SecurityGroups[i].Name);
else else

75
LiamNtfs/C4IT_IAM_SET/SecurityGroup.cs
View File

@@ -480,6 +480,71 @@ namespace C4IT_IAM_Engine
return new DirectoryEntry("LDAP://" + domainName + "/" + matchedDistinguishedName, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing); return new DirectoryEntry("LDAP://" + domainName + "/" + matchedDistinguishedName, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
} }
private DirectoryEntry FindGroupEntryFromFolderAcl(string folderPath, string wildcardPattern)
{
if (string.IsNullOrWhiteSpace(folderPath) || string.IsNullOrWhiteSpace(wildcardPattern) || !Directory.Exists(folderPath))
return null;
Regex wildcardRegex;
try
{
wildcardRegex = new Regex(wildcardPattern, RegexOptions.IgnoreCase);
}
catch (Exception E)
{
cLogManager.DefaultLogger.LogException(E);
return null;
}
try
{
var directory = new DirectoryInfo(folderPath);
var rules = directory.GetAccessControl(AccessControlSections.Access)
.GetAccessRules(true, false, typeof(SecurityIdentifier))
.Cast<FileSystemAccessRule>();
var matchedNames = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
using (var domainContext = new PrincipalContext(ContextType.Domain, domainName, username, new NetworkCredential("", password).Password))
{
foreach (var rule in rules)
{
if (rule.AccessControlType != AccessControlType.Allow)
continue;
var sid = rule.IdentityReference?.Value;
if (string.IsNullOrWhiteSpace(sid) || sid == "S-1-1-0")
continue;
using (var group = GroupPrincipal.FindByIdentity(domainContext, IdentityType.Sid, sid))
{
var samAccountName = group?.SamAccountName;
if (string.IsNullOrWhiteSpace(samAccountName) || !wildcardRegex.IsMatch(samAccountName))
continue;
matchedNames.Add(samAccountName);
if (matchedNames.Count > 1)
{
DefaultLogger.LogEntry(LogLevels.Warning, $"Multiple ACL groups on folder '{folderPath}' matched wildcard '{wildcardPattern}'. ACL-based reuse is skipped.");
return null;
}
}
}
}
if (matchedNames.Count == 0)
return null;
var matchedName = matchedNames.First();
DefaultLogger.LogEntry(LogLevels.Debug, $"Reusing ACL-linked AD group '{matchedName}' via wildcard '{wildcardPattern}' on folder '{folderPath}'.");
return FindGroupEntry(matchedName);
}
catch (Exception E)
{
cLogManager.DefaultLogger.LogException(E);
return null;
}
}
private void ApplyExistingGroup(IAM_SecurityGroup secGroup, DirectoryEntry existingGroup) private void ApplyExistingGroup(IAM_SecurityGroup secGroup, DirectoryEntry existingGroup)
{ {
secGroup.CreatedNewEntry = false; secGroup.CreatedNewEntry = false;
@@ -539,13 +604,19 @@ namespace C4IT_IAM_Engine
group.CommitChanges(); group.CommitChanges();
} }
public DirectoryEntry EnsureADGroup(string ouPath, IAM_SecurityGroup secGroup, List<UserPrincipal> users) public DirectoryEntry EnsureADGroup(string ouPath, IAM_SecurityGroup secGroup, List<UserPrincipal> users, string folderPath = null)
{ {
LogMethodBegin(MethodBase.GetCurrentMethod()); LogMethodBegin(MethodBase.GetCurrentMethod());
try try
{ {
secGroup.CreatedNewEntry = false; secGroup.CreatedNewEntry = false;
var existingGroup = FindGroupEntry(secGroup.Name); DirectoryEntry existingGroup = null;
if (!ForceStrictAdGroupNames)
existingGroup = FindGroupEntryFromFolderAcl(folderPath, secGroup.WildcardPattern);
if (existingGroup == null)
existingGroup = FindGroupEntry(secGroup.Name);
if (existingGroup == null && !ForceStrictAdGroupNames) if (existingGroup == null && !ForceStrictAdGroupNames)
existingGroup = FindGroupEntryByWildcard(ouPath, secGroup.WildcardPattern); existingGroup = FindGroupEntryByWildcard(ouPath, secGroup.WildcardPattern);