Class: Puppet::Util::Windows::AccessControlList Private

Inherits:
Object
  • Object
show all
Includes:
Enumerable
Defined in:
lib/puppet/util/windows/access_control_list.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Windows Access Control List

Represents a list of access control entries (ACEs).

Constant Summary collapse

ACCESS_ALLOWED_ACE_TYPE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x0
ACCESS_DENIED_ACE_TYPE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

0x1

Instance Method Summary collapse

Methods included from Enumerable

#uniq

Constructor Details

#initialize(acl = nil) ⇒ AccessControlList

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Construct an ACL.

Parameters:

  • acl (Enumerable) (defaults to: nil)

    A list of aces to copy from.


16
17
18
19
20
21
22
# File 'lib/puppet/util/windows/access_control_list.rb', line 16

def initialize(acl = nil)
  if acl
    @aces = acl.map(&:dup)
  else
    @aces = []
  end
end

Instance Method Details

#==(other) ⇒ Object Also known as: eql?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


107
108
109
110
# File 'lib/puppet/util/windows/access_control_list.rb', line 107

def ==(other)
  self.class == other.class &&
    self.to_a == other.to_a
end

#allow(sid, mask, flags = 0) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Allow the sid to access a resource with the specified access mask.

Parameters:

  • sid (String)

    The SID that the ACE is granting access to

  • mask (int)

    The access mask granted to the SID

  • flags (int) (defaults to: 0)

    The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE


36
37
38
# File 'lib/puppet/util/windows/access_control_list.rb', line 36

def allow(sid, mask, flags = 0)
  @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_ALLOWED_ACE_TYPE)
end

#deny(sid, mask, flags = 0) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Deny the sid access to a resource with the specified access mask.

Parameters:

  • sid (String)

    The SID that the ACE is denying access to

  • mask (int)

    The access mask denied to the SID

  • flags (int) (defaults to: 0)

    The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE


45
46
47
# File 'lib/puppet/util/windows/access_control_list.rb', line 45

def deny(sid, mask, flags = 0)
  @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_DENIED_ACE_TYPE)
end

#each {|ace| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Enumerate each ACE in the list.

Yield Parameters:

  • ace (Hash)

    the ace


27
28
29
# File 'lib/puppet/util/windows/access_control_list.rb', line 27

def each
  @aces.each {|ace| yield ace}
end

#inspectObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


99
100
101
102
103
104
105
# File 'lib/puppet/util/windows/access_control_list.rb', line 99

def inspect
  str = ""
  @aces.each do |ace|
    str << "  #{ace.inspect}\n"
  end
  str
end

#reassign!(old_sid, new_sid) ⇒ AccessControlList

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Reassign all ACEs currently assigned to old_sid to new_sid instead. If an ACE is inherited or is not assigned to old_sid, then it will be copied as-is to the new ACL, preserving its order within the ACL.

Parameters:

  • old_sid (String)

    The old SID, e.g. 'S-1-5-18'

  • new_sid (String)

    The new SID

Returns:


56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# File 'lib/puppet/util/windows/access_control_list.rb', line 56

def reassign!(old_sid, new_sid)
  new_aces = []
  prepend_needed = false
  aces_to_prepend = []

  @aces.each do |ace|
    new_ace = ace.dup

    if ace.sid == old_sid
      if ace.inherited?
        # create an explicit ACE granting or denying the
        # new_sid the rights that the inherited ACE
        # granted or denied the old_sid. We mask off all
        # flags except those affecting inheritance of the
        # ACE we're creating.
        inherit_mask = Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE |
          Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE |
          Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE
        explicit_ace = Puppet::Util::Windows::AccessControlEntry.new(new_sid, ace.mask, ace.flags & inherit_mask, ace.type)
        aces_to_prepend << explicit_ace
      else
        new_ace.sid = new_sid

        prepend_needed = old_sid == Puppet::Util::Windows::SID::LocalSystem
      end
    end
    new_aces << new_ace
  end

  @aces = []

  if prepend_needed
    mask = Puppet::Util::Windows::File::STANDARD_RIGHTS_ALL | Puppet::Util::Windows::File::SPECIFIC_RIGHTS_ALL
    ace = Puppet::Util::Windows::AccessControlEntry.new(
            Puppet::Util::Windows::SID::LocalSystem,
            mask)
    @aces << ace
  end

  @aces.concat(aces_to_prepend)
  @aces.concat(new_aces)
end