// Copyright (c) Microsoft. All rights reserved. // // Licensed under the MIT license. using System; using System.IO; using System.Runtime.InteropServices; using System.Security.AccessControl; using System.Security.Cryptography; using System.Security.Principal; using Microsoft.Identity.Client.Extensions.Msal; using Microsoft.Win32.SafeHandles; namespace NuGetCredentialProvider.Util { public class EncryptedFileWithPermissions { #region Unix specific /// <summary> /// Equivalent to calling open() with flags O_CREAT|O_WRONLY|O_TRUNC. O_TRUNC will truncate the file. /// See https://man7.org/linux/man-pages/man2/open.2.html /// </summary> [DllImport("libc", EntryPoint = "creat", SetLastError = true)] private static extern int PosixCreate([MarshalAs(UnmanagedType.LPStr)] string pathname, int mode); [DllImport("libc", EntryPoint = "chmod", SetLastError = true)] private static extern int PosixChmod([MarshalAs(UnmanagedType.LPStr)] string pathname, int mode); #endregion public static byte[] ReadFileBytes(string filePath, bool readUnencrypted = false) { try { return File.Exists(filePath) ? ProtectedData.Unprotect(File.ReadAllBytes(filePath), null, DataProtectionScope.CurrentUser) : null; } catch (NotSupportedException) { if (readUnencrypted) { return File.Exists(filePath) ? File.ReadAllBytes(filePath) : null; } throw; } } public static void WriteFileBytes(string filePath, byte[] bytes, bool writeUnencrypted = false) { try { EnsureDirectoryExists(filePath); WriteToNewFileWithOwnerRWPermissions(filePath, ProtectedData.Protect(bytes, null, DataProtectionScope.CurrentUser)); } catch (NotSupportedException) { if (writeUnencrypted) { WriteToNewFileWithOwnerRWPermissions(filePath, bytes); return; } throw; } } private static void EnsureDirectoryExists(string filePath) { var directory = Path.GetDirectoryName(filePath); if (!string.IsNullOrWhiteSpace(directory) && !Directory.Exists(directory)) { Directory.CreateDirectory(directory); } } /// <summary> /// Based on https://stackoverflow.com/questions/45132081/file-permissions-on-linux-unix-with-net-core and on /// https://github.com/NuGet/NuGet.Client/commit/d62db666c710bf95121fe8f5c6a6cbe01985456f and /// https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/b299b2581da87af50fde751e689f1bd4114516ce/src/client/Microsoft.Identity.Client.Extensions.Msal/Accessors/FileWithPermissions.cs /// </summary> private static void WriteToNewFileWithOwnerRWPermissions(string path, byte[] bytes) { if (SharedUtilities.IsWindowsPlatform()) { WriteToNewFileWithOwnerRWPermissionsWindows(path, bytes); } else if (SharedUtilities.IsMacPlatform() || SharedUtilities.IsLinuxPlatform()) { WriteToNewFileWithOwnerRWPermissionsUnix(path, bytes); } else { throw new PlatformNotSupportedException(); } } private static void WriteToNewFileWithOwnerRWPermissionsUnix(string path, byte[] bytes) { int _0600 = Convert.ToInt32("600", 8); int fileDescriptor = PosixCreate(path, _0600); // if creat() fails, then try to use File.Create because it will throw a meaningful exception. if (fileDescriptor == -1) { int posixCreateError = Marshal.GetLastWin32Error(); using (File.Create(path)) { // File.Create() should have thrown an exception with an appropriate error message } File.Delete(path); throw new InvalidOperationException($"libc creat() failed with last error code {posixCreateError}, but File.Create did not"); } var safeFileHandle = new SafeFileHandle((IntPtr)fileDescriptor, ownsHandle: true); using var fileStream = new FileStream(safeFileHandle, FileAccess.ReadWrite); fileStream.Write(bytes, 0, bytes.Length); } #pragma warning disable CA1416 // Validate platform compatibility private static void WriteToNewFileWithOwnerRWPermissionsWindows(string filePath, byte[] bytes) { FileSecurity security = new(); var rights = FileSystemRights.Read | FileSystemRights.Write; security.AddAccessRule( new FileSystemAccessRule( WindowsIdentity.GetCurrent().Name, rights, InheritanceFlags.None, PropagationFlags.NoPropagateInherit, AccessControlType.Allow)); security.SetAccessRuleProtection(isProtected: true, preserveInheritance: false); FileStream fs = null; try { #if NET45_OR_GREATER if (File.Exists(filePath)) { File.Delete(filePath); } fs = File.Create(filePath, bytes.Length, FileOptions.None, security); #else FileInfo info = new FileInfo(filePath); fs = info.Create(FileMode.Create, rights, FileShare.Read, bytes.Length, FileOptions.None, security); #endif fs.Write(bytes, 0, bytes.Length); } finally { fs?.Dispose(); } } #pragma warning restore CA1416 // Validate platform compatibility } }