Initial WebhookServer implementation
Add the .NET 8 solution scaffolded against PLAN.md. Three projects share WebhookServer.Core (models, auth, execution, storage, IPC, callbacks) and WebhookServer.Service hosts an embedded Kestrel listener plus the named-pipe admin server. WebhookServer.Gui is a thin MVVM client over the pipe. Includes 25 unit tests covering HMAC verification, bearer auth, IP allowlist parsing, arg-template rendering, DPAPI round-trip, and the encrypt-on-save config store. Install/uninstall PowerShell scripts default to LocalSystem and accept a domain user or gMSA via -ServiceAccount. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
using System.IO.Pipes;
|
||||
using System.Runtime.Versioning;
|
||||
using System.Security.AccessControl;
|
||||
using System.Security.Principal;
|
||||
|
||||
namespace WebhookServer.Core.Ipc;
|
||||
|
||||
/// <summary>
|
||||
/// Builds a <see cref="PipeSecurity"/> that allows SYSTEM and the local Administrators
|
||||
/// group full control, and denies everyone else. Required so non-admin users cannot
|
||||
/// read or write the admin pipe even if they know the name.
|
||||
/// </summary>
|
||||
[SupportedOSPlatform("windows")]
|
||||
public static class PipeSecurityFactory
|
||||
{
|
||||
public const string PipeName = "WebhookServerAdmin";
|
||||
|
||||
public static PipeSecurity Create()
|
||||
{
|
||||
var security = new PipeSecurity();
|
||||
|
||||
var system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
|
||||
var administrators = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
|
||||
|
||||
security.AddAccessRule(new PipeAccessRule(
|
||||
system, PipeAccessRights.FullControl, AccessControlType.Allow));
|
||||
|
||||
security.AddAccessRule(new PipeAccessRule(
|
||||
administrators, PipeAccessRights.FullControl, AccessControlType.Allow));
|
||||
|
||||
return security;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user