class Puppet::Util::Windows::AccessControlList
Windows Access Control List
Represents a list of access control entries (ACEs).
@see msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
@api private
Constants
- ACCESS_ALLOWED_ACE_TYPE
- ACCESS_DENIED_ACE_TYPE
Public Class Methods
Construct an ACL.
@param acl [Enumerable] A list of aces to copy from.
# File lib/puppet/util/windows/access_control_list.rb
def initialize(acl = nil)
  if acl
    @aces = acl.map(&:dup)
  else
    @aces = []
  end
end
Public Instance Methods
# File lib/puppet/util/windows/access_control_list.rb
def ==(other)
  self.class == other.class &&
    self.to_a == other.to_a
end
Allow the sid to access a resource with the specified access mask.
@param sid [String] The SID that the ACE is granting access to
@param mask [int] The access mask granted to the SID
@param flags [int] The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE
# File lib/puppet/util/windows/access_control_list.rb
def allow(sid, mask, flags = 0)
  @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_ALLOWED_ACE_TYPE)
end
Deny the sid access to a resource with the specified access mask.
@param sid [String] The SID that the ACE is denying access to
@param mask [int] The access mask denied to the SID
@param flags [int] The flags assigned to the ACE, e.g. INHERIT_ONLY_ACE
# File lib/puppet/util/windows/access_control_list.rb
def deny(sid, mask, flags = 0)
  @aces << Puppet::Util::Windows::AccessControlEntry.new(sid, mask, flags, ACCESS_DENIED_ACE_TYPE)
end
Enumerate each ACE in the list.
@yieldparam ace [Hash] the ace
# File lib/puppet/util/windows/access_control_list.rb
def each
  @aces.each {|ace| yield ace}
end
# File lib/puppet/util/windows/access_control_list.rb
def inspect
  str = String.new
  @aces.each do |ace|
    str << " #{ace.inspect}\n"
  end
  str
end
Reassign all ACEs currently assigned to old_sid to new_sid instead. If an ACE is inherited or is not assigned to old_sid, then it will be copied as-is to the new ACL, preserving its order within the ACL.
@param old_sid [String] The old SID, e.g. 'S-1-5-18'
@param new_sid [String] The new SID
@return [AccessControlList] The copied ACL.
# File lib/puppet/util/windows/access_control_list.rb
def reassign!(old_sid, new_sid)
  new_aces = []
  prepend_needed = false
  aces_to_prepend = []

  @aces.each do |ace|
    new_ace = ace.dup

    if ace.sid == old_sid
      if ace.inherited?
        # create an explicit ACE granting or denying the
        # new_sid the rights that the inherited ACE
        # granted or denied the old_sid. We mask off all
        # flags except those affecting inheritance of the
        # ACE we're creating.
        inherit_mask = Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE |
          Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE |
          Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE
        explicit_ace = Puppet::Util::Windows::AccessControlEntry.new(new_sid, ace.mask, ace.flags & inherit_mask, ace.type)
        aces_to_prepend << explicit_ace
      else
        new_ace.sid = new_sid

        prepend_needed = old_sid == Puppet::Util::Windows::SID::LocalSystem
      end
    end
    new_aces << new_ace
  end

  @aces = []

  if prepend_needed
    mask = Puppet::Util::Windows::File::STANDARD_RIGHTS_ALL | Puppet::Util::Windows::File::SPECIFIC_RIGHTS_ALL
    ace = Puppet::Util::Windows::AccessControlEntry.new(
      Puppet::Util::Windows::SID::LocalSystem,
      mask)
    @aces << ace
  end

  @aces.concat(aces_to_prepend)
  @aces.concat(new_aces)
end
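
What the copy-as-is rule for inherited ACEs means for access after a reassignment, as an added Ruby example that is not Puppet's own code. `Ace`, `access_granted?`, `residual_aces`, `AFTER_REASSIGN` and both SIDs are constructed stand-ins, and the check is a simplified single-SID walk of the list in order.

```ruby
# Stand-ins constructed for this example; Puppet's own classes load only on Windows.
ACCESS_ALLOWED_ACE_TYPE = 0x0
ACCESS_DENIED_ACE_TYPE  = 0x1
INHERITED_ACE           = 0x10 # ACE flag set on entries inherited from a parent
FILE_READ_DATA          = 0x1
FILE_WRITE_DATA         = 0x2

Ace = Struct.new(:sid, :mask, :flags, :type) do
  def inherited?
    (flags & INHERITED_ACE) == INHERITED_ACE
  end
end

# Simplified ordered DACL check for one SID (no group membership, no
# INHERIT_ONLY handling): walk ACEs in list order, fail on a deny ACE covering
# a still-needed bit, succeed once allow ACEs have covered every bit.
def access_granted?(aces, sid, desired)
  remaining = desired
  aces.each do |ace|
    next unless ace.sid == sid
    if ace.type == ACCESS_DENIED_ACE_TYPE
      return false unless (ace.mask & remaining).zero?
    else
      remaining &= ~ace.mask
      return true if remaining.zero?
    end
  end
  false
end

# ACEs that still name old_sid after a reassignment.
def residual_aces(aces, old_sid)
  aces.select { |ace| ace.sid == old_sid }
end

OLD_SID = 'S-1-5-21-1111-2222-3333-1001' # constructed
NEW_SID = 'S-1-5-21-1111-2222-3333-1002' # constructed

# Hand-built result of reassign!(OLD_SID, NEW_SID) on an ACL that held an
# explicit read/write ACE and an inherited read ACE for OLD_SID, in the order
# the source above produces: prepended explicit copy, then the original list.
AFTER_REASSIGN = [
  Ace.new(NEW_SID, FILE_READ_DATA, 0, ACCESS_ALLOWED_ACE_TYPE),
  Ace.new(NEW_SID, FILE_READ_DATA | FILE_WRITE_DATA, 0, ACCESS_ALLOWED_ACE_TYPE),
  Ace.new(OLD_SID, FILE_READ_DATA, INHERITED_ACE, ACCESS_ALLOWED_ACE_TYPE)
].freeze

residual_aces(AFTER_REASSIGN, OLD_SID).each do |ace|
  puts format('%s still holds mask 0x%x (inherited: %s)', ace.sid, ace.mask, ace.inherited?)
end
```

The inherited ACE keeps granting the old SID read access, so removing that access means changing the parent's ACL or the object's inheritance settings, not only calling `reassign!`.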