Class: Puppet::Util::Windows::AccessControlList Private

Inherits: Object
Includes: Enumerable
Defined in: lib/puppet/util/windows/access_control_list.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Windows Access Control List

Represents a list of access control entries (ACEs).

Constant Summary

ACCESS_ALLOWED_ACE_TYPE = 0x0

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

API:

  • private

ACCESS_DENIED_ACE_TYPE = 0x1

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

API:

  • private

Constructor Details

#initialize(acl = nil) ⇒ AccessControlList

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Construct an ACL.

Parameters:

  • acl (defaults to: nil)

    A list of ACEs to copy from.

API:

  • private



# File 'lib/puppet/util/windows/access_control_list.rb', line 18

def initialize(acl = nil)
  if acl
    @aces = acl.map(&:dup)
  else
    @aces = []
  end
end

Instance Method Details

#==(other) ⇒ Object Also known as: eql?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

API:

  • private



# File 'lib/puppet/util/windows/access_control_list.rb', line 110

def ==(other)
  self.class == other.class &&
    to_a == other.to_a
end

#allow(sid, mask, flags = 0) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Allow the sid to access a resource with the specified access mask.

Parameters:

  • sid

    The SID that the ACE is granting access to

  • mask

    The access mask granted to the SID

  • flags (defaults to: 0)

    The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE

API:

  • private



# File 'lib/puppet/util/windows/access_control_list.rb', line 38

def allow(sid, mask, flags = 0)
  @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_ALLOWED_ACE_TYPE)
end

#deny(sid, mask, flags = 0) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Deny the sid access to a resource with the specified access mask.

Parameters:

  • sid

    The SID that the ACE is denying access to

  • mask

    The access mask denied to the SID

  • flags (defaults to: 0)

    The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE

API:

  • private



# File 'lib/puppet/util/windows/access_control_list.rb', line 47

def deny(sid, mask, flags = 0)
  @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_DENIED_ACE_TYPE)
end

#each {|ace| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Enumerate each ACE in the list.

Yield Parameters:

  • ace (Hash)

    the ace

API:

  • private



# File 'lib/puppet/util/windows/access_control_list.rb', line 29

def each
  @aces.each { |ace| yield ace }
end

#inspect ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

API:

  • private



# File 'lib/puppet/util/windows/access_control_list.rb', line 102

def inspect
  str = ''.dup
  @aces.each do |ace|
    str << "  #{ace.inspect}\n"
  end
  str
end

#reassign!(old_sid, new_sid) ⇒ AccessControlList

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

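Reassign all ACEs currently assigned to old_sid to new_sid instead. If an ACE is inherited or is not assigned to old_sid, then it will be copied as-is to the new ACL, preserving its order within the ACL. For each inherited ACE assigned to old_sid, an explicit ACE for new_sid with the same mask and type, keeping only the CONTAINER_INHERIT_ACE, OBJECT_INHERIT_ACE and INHERIT_ONLY_ACE flags, is also placed ahead of the copied ACEs. When old_sid is LocalSystem and an explicit ACE was reassigned, an ACE for LocalSystem with STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL is placed first.

Parameters:

  • old_sid

    The old SID, e.g. 'S-1-5-18'

  • new_sid

    The new SID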

Returns:

  • The copied ACL.

API:

  • private



# File 'lib/puppet/util/windows/access_control_list.rb', line 58

def reassign!(old_sid, new_sid)
  new_aces = []
  prepend_needed = false
  aces_to_prepend = []

  @aces.each do |ace|
    new_ace = ace.dup

    if ace.sid == old_sid
      if ace.inherited?
        # create an explicit ACE granting or denying the
        # new_sid the rights that the inherited ACE
        # granted or denied the old_sid. We mask off all
        # flags except those affecting inheritance of the
        # ACE we're creating.
        inherit_mask = Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE |
                       Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE |
                       Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE
        explicit_ace = Puppet::Util::Windows::AccessControlEntry.new(new_sid, ace.mask, ace.flags & inherit_mask, ace.type)
        aces_to_prepend << explicit_ace
      else
        new_ace.sid = new_sid

        prepend_needed = old_sid == Puppet::Util::Windows::SID::LocalSystem
      end
    end
    new_aces << new_ace
  end

  @aces = []

  if prepend_needed
    mask = Puppet::Util::Windows::File::STANDARD_RIGHTS_ALL | Puppet::Util::Windows::File::SPECIFIC_RIGHTS_ALL
    ace = Puppet::Util::Windows::AccessControlEntry.new(
      Puppet::Util::Windows::SID::LocalSystem,
      mask
    )
    @aces << ace
  end

  @aces.concat(aces_to_prepend)
  @aces.concat(new_aces)
end
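
An added example (not Puppet's code) for auditing the ACE order that `reassign!` produces: Windows canonical order puts explicit deny ACEs before explicit allow ACEs and inherited ACEs last, so ACEs placed ahead of an existing explicit deny leave the list out of order. `Ace`, `canonical_rank`, `order_violations`, the `INHERITED_ACE` value (Windows SDK, not shown on this page) and the sample SIDs and masks are assumptions made for illustration.

```ruby
# Added example: stand-in types, not Puppet's AccessControlEntry.
ACCESS_ALLOWED_ACE_TYPE = 0x0   # value from this page
ACCESS_DENIED_ACE_TYPE  = 0x1   # value from this page
INHERITED_ACE           = 0x10  # Windows SDK flag value (assumption: not on this page)

Ace = Struct.new(:sid, :mask, :flags, :type) do
  def inherited?
    (flags & INHERITED_ACE) != 0
  end
end

# Canonical order: explicit deny (0), explicit allow (1), inherited (2).
# Inherited ACEs share one rank; their internal order depends on the ancestor.
def canonical_rank(ace)
  return 2 if ace.inherited?
  ace.type == ACCESS_DENIED_ACE_TYPE ? 0 : 1
end

# Returns [index, ace] for every ACE that follows an ACE of a later rank.
def order_violations(aces)
  highest = -1
  violations = []
  aces.each_with_index do |ace, i|
    rank = canonical_rank(ace)
    violations << [i, ace] if rank < highest
    highest = [highest, rank].max
  end
  violations
end

# Constructed sample SIDs and mask.
SYSTEM = 'S-1-5-18'
ADMINS = 'S-1-5-32-544'
GUESTS = 'S-1-5-32-546'
FULL   = 0x1FFFFF

BEFORE = [
  Ace.new(GUESTS, FULL, 0, ACCESS_DENIED_ACE_TYPE),
  Ace.new(SYSTEM, FULL, 0, ACCESS_ALLOWED_ACE_TYPE),
  Ace.new(SYSTEM, FULL, INHERITED_ACE, ACCESS_ALLOWED_ACE_TYPE)
].freeze

# Order built for reassign!(SYSTEM, ADMINS): LocalSystem ACE, aces_to_prepend, new_aces.
AFTER = [
  Ace.new(SYSTEM, FULL, 0, ACCESS_ALLOWED_ACE_TYPE),             # prepended LocalSystem ACE
  Ace.new(ADMINS, FULL, 0, ACCESS_ALLOWED_ACE_TYPE),             # explicit copy of inherited ACE
  Ace.new(GUESTS, FULL, 0, ACCESS_DENIED_ACE_TYPE),              # copied as-is
  Ace.new(ADMINS, FULL, 0, ACCESS_ALLOWED_ACE_TYPE),             # explicit ACE, SID reassigned
  Ace.new(SYSTEM, FULL, INHERITED_ACE, ACCESS_ALLOWED_ACE_TYPE)  # inherited, copied as-is
].freeze
```

`order_violations(AFTER)` flags the Guests deny ACE at index 2, which now sits behind two explicit allow ACEs; `order_violations(BEFORE)` is empty.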