change iscsi to detect and modify security descriptor to allow users …

…to change root folder
microsoft · Jun 7, 2019 · e683bce · e683bce
1 parent bc49ed2
commit e683bce
Showing 1 changed file with 84 additions and 0 deletions.
diff --git a/flexvolume/windows/plugins/microsoft.com~iscsi.cmd/iscsi.ps1 b/flexvolume/windows/plugins/microsoft.com~iscsi.cmd/iscsi.ps1
@@ -204,6 +204,88 @@ Function CreateVolumeIfNecessary($disk, $fsType)
     }
 }
 
+function HasNonHiddenFileOrFolder($path)
+{
+    #using .net instead of powershell due to bugs loading volume guid paths (\\?\Volume{b01c74e7-9047-465f-af5d-28fc67c6726a}\)    
+    $dirInfo = New-Object -TypeName System.IO.DirectoryInfo -ArgumentList @($path)
+
+    $hasVisibleFolder = $false
+    foreach( $folder in $dirInfo.GetDirectories())
+    {
+        if(-not $folder.Attributes.HasFlag([System.IO.FileAttributes]::Hidden))
+        {
+            return $true
+        }
+    }
+
+    $hasVisibleFile = $false
+    foreach( $file in $dirInfo.GetFiles())
+    {
+        if(-not $file.Attributes.HasFlag([System.IO.FileAttributes]::Hidden))
+        {
+            return $true
+        }
+    }
+    return $false
+}
+
+# We should SetRootWriteableAll only if it is unmodified
+Function SetRootWriteableAll($disk, $fsType)
+{    
+    Log "checking if update is needed"
+    $volumes = GetVolumesForDisk $disk
+    $volume = ($volumes | ? {$_.FileSystemType -eq $fsType})| GetFirst "Could not find volume of type $fsType in volume $volume"
+
+    #volume paths come with prerequisite trailing '\'
+    $volumePath = $volume.path
+
+    $hasVisibleFileOrFolder = HasNonHiddenFileOrFolder $volumePath
+
+    if($hasVisibleFileOrFolder -eq $false )
+    {
+        Log "Need to update permissions has non hidden folder"
+        $acl = [System.IO.Directory]::GetAccessControl($volumePath)
+        $rules = $acl.Access
+        foreach($rule in $rules)
+        {
+            $empty = $acl.RemoveAccessRule($rule)
+        }
+        foreach($accessRule in $rules)
+        {
+            if($accessRule.PropagationFlags -eq [System.Security.AccessControl.PropagationFlags]::InheritOnly)
+            {
+                try
+                {
+                    $newRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
+                        $accessRule.IdentityReference,
+                        $accessRule.FileSystemRights,
+                        $accessRule.InheritanceFlags,
+                        [System.Security.AccessControl.PropagationFlags]::None,
+                        $accessRule.AccessControlType
+                    )
+                    $acl.AddAccessRule($newRule)
+                }
+                #apparently I cannot set  rule FileSystemRights  : 268435456
+                # so catch and set the old one
+                catch
+                {
+                    $acl.AddAccessRule($accessRule)
+                }
+            }
+            else
+            {
+                $acl.AddAccessRule($accessRule)
+            }            
+        }
+
+        [System.IO.Directory]::SetAccessControl($volumePath, $acl)
+    }
+    else
+    {        
+        Log "Did not Need to update permissions has visible file or folder"
+    }
+}
+
 Function CountCharInString($str, $char)
 {
     ($str.ToCharArray() | ? {$_ -eq $char} | Measure-Object).count
@@ -395,6 +477,7 @@ function mount_command_with_options(
 
             $disk = GetDiskByNumber $diskNumber
             CreateVolumeIfNecessary $disk $fsType
+            SetRootWriteableAll $disk $fsType
             RegisterDisk $diskNumber $prWrite
         }
         elseif(($reservation.key -eq $prFmt))
@@ -413,6 +496,7 @@ function mount_command_with_options(
             }
             $disk = GetDiskByNumber $diskNumber
             CreateVolumeIfNecessary $disk $fsType
+            SetRootWriteableAll $disk $fsType
             RegisterDisk $diskNumber $prWrite
         }
         else