class Puppet::Util::Windows::AccessControlList
Windows Access Control List
Represents a list of access control entries (ACEs).
@see msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
@api private
Constants
- ACCESS_ALLOWED_ACE_TYPE
- ACCESS_DENIED_ACE_TYPE
Public Class Methods
Construct an ACL.
@param acl [Enumerable] A list of aces to copy from.
    # File lib/puppet/util/windows/access_control_list.rb
    def initialize(acl = nil)
      if acl
        @aces = acl.map(&:dup)
      else
        @aces = []
      end
    end
Public Instance Methods
    # File lib/puppet/util/windows/access_control_list.rb
    def ==(other)
      self.class == other.class &&
        self.to_a == other.to_a
    end
Allow the sid to access a resource with the specified access mask.
@param sid [String] The SID that the ACE is granting access to
@param mask [int] The access mask granted to the SID
@param flags [int] The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE
    # File lib/puppet/util/windows/access_control_list.rb
    def allow(sid, mask, flags = 0)
      @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_ALLOWED_ACE_TYPE)
    end
Deny the sid access to a resource with the specified access mask.
@param sid [String] The SID that the ACE is denying access to
@param mask [int] The access mask denied to the SID
@param flags [int] The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE
    # File lib/puppet/util/windows/access_control_list.rb
    def deny(sid, mask, flags = 0)
      @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_DENIED_ACE_TYPE)
    end
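allow and deny in this class append ACEs in call order, and Windows evaluates a DACL in list order, so a deny appended after an allow for the same rights does not take effect. The following is an added example, not Puppet code: Ace, canonical_rank, canonical?, canonicalize and access_granted? are hypothetical stand-ins and the SID is constructed. It checks a list for canonical order and shows the effect with a simplified access check.

```ruby
# Values from winnt.h; the FILE_* rights are standard file access bits.
ACCESS_ALLOWED_ACE_TYPE = 0x0
ACCESS_DENIED_ACE_TYPE  = 0x1
INHERITED_ACE           = 0x10
FILE_READ_DATA          = 0x1
FILE_WRITE_DATA         = 0x2

# Stand-in ACE (assumption): not Puppet's AccessControlEntry, only the fields used here.
Ace = Struct.new(:sid, :mask, :flags, :type) do
  def inherited?
    (flags & INHERITED_ACE) != 0
  end
end

# Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow.
def canonical_rank(ace)
  (ace.inherited? ? 2 : 0) + (ace.type == ACCESS_DENIED_ACE_TYPE ? 0 : 1)
end

# True when no ACE is followed by one of a lower rank.
def canonical?(aces)
  aces.each_cons(2).all? { |a, b| canonical_rank(a) <= canonical_rank(b) }
end

# Stable reorder into canonical order (ties keep their original position).
def canonicalize(aces)
  aces.each_with_index.sort_by { |ace, i| [canonical_rank(ace), i] }.map(&:first)
end

# Simplified in-order check for one SID (no groups, no inherit-only handling):
# a deny of a still-needed bit fails the request, allows clear granted bits.
def access_granted?(aces, sid, desired)
  remaining = desired
  aces.each do |ace|
    next unless ace.sid == sid
    if ace.type == ACCESS_DENIED_ACE_TYPE
      return false if (ace.mask & remaining) != 0
    else
      remaining &= ~ace.mask
    end
    return true if remaining.zero?
  end
  false
end

# Constructed sample: the entries acl.allow(...) then acl.deny(...) would append.
USER = 'S-1-5-21-1111-2222-3333-1001' # constructed SID
CALL_ORDER = [
  Ace.new(USER, FILE_READ_DATA | FILE_WRITE_DATA, 0, ACCESS_ALLOWED_ACE_TYPE),
  Ace.new(USER, FILE_WRITE_DATA, 0, ACCESS_DENIED_ACE_TYPE)
].freeze
```

With CALL_ORDER the write request is granted despite the deny entry; after canonicalize the deny is evaluated first and the write is refused while read is still allowed.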
Enumerate each ACE in the list.
@yieldparam ace [Hash] the ace
    # File lib/puppet/util/windows/access_control_list.rb
    def each
      @aces.each {|ace| yield ace}
    end
    # File lib/puppet/util/windows/access_control_list.rb
    def inspect
      str = ""
      @aces.each do |ace|
        str << " #{ace.inspect}\n"
      end
      str
    end
Reassign all ACEs currently assigned to old_sid to new_sid instead. If an ACE is inherited or is not assigned to old_sid, then it will be copied as-is to the new ACL, preserving its order within the ACL.
@param old_sid [String] The old SID, e.g. 'S-1-5-18'
@param new_sid [String] The new SID
@return [AccessControlList] The copied ACL.
    # File lib/puppet/util/windows/access_control_list.rb
    def reassign!(old_sid, new_sid)
      new_aces = []
      prepend_needed = false
      aces_to_prepend = []

      @aces.each do |ace|
        new_ace = ace.dup

        if ace.sid == old_sid
          if ace.inherited?
            # create an explicit ACE granting or denying the
            # new_sid the rights that the inherited ACE
            # granted or denied the old_sid. We mask off all
            # flags except those affecting inheritance of the
            # ACE we're creating.
            inherit_mask = Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE |
              Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE |
              Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE
            explicit_ace = Puppet::Util::Windows::AccessControlEntry.new(new_sid, ace.mask, ace.flags & inherit_mask, ace.type)
            aces_to_prepend << explicit_ace
          else
            new_ace.sid = new_sid

            prepend_needed = old_sid == Puppet::Util::Windows::SID::LocalSystem
          end
        end
        new_aces << new_ace
      end

      @aces = []

      if prepend_needed
        mask = Puppet::Util::Windows::File::STANDARD_RIGHTS_ALL | Puppet::Util::Windows::File::SPECIFIC_RIGHTS_ALL
        ace = Puppet::Util::Windows::AccessControlEntry.new(
          Puppet::Util::Windows::SID::LocalSystem,
          mask)
        @aces << ace
      end

      @aces.concat(aces_to_prepend)
      @aces.concat(new_aces)
    end