8ecfe84540
Add the .NET 8 solution scaffolded against PLAN.md. Three projects share WebhookServer.Core (models, auth, execution, storage, IPC, callbacks) and WebhookServer.Service hosts an embedded Kestrel listener plus the named-pipe admin server. WebhookServer.Gui is a thin MVVM client over the pipe. Includes 25 unit tests covering HMAC verification, bearer auth, IP allowlist parsing, arg-template rendering, DPAPI round-trip, and the encrypt-on-save config store. Install/uninstall PowerShell scripts default to LocalSystem and accept a domain user or gMSA via -ServiceAccount. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
34 lines
1.1 KiB
C#
34 lines
1.1 KiB
C#
using System.IO.Pipes;
|
|
using System.Runtime.Versioning;
|
|
using System.Security.AccessControl;
|
|
using System.Security.Principal;
|
|
|
|
namespace WebhookServer.Core.Ipc;
|
|
|
|
/// <summary>
|
|
/// Builds a <see cref="PipeSecurity"/> that allows SYSTEM and the local Administrators
|
|
/// group full control, and denies everyone else. Required so non-admin users cannot
|
|
/// read or write the admin pipe even if they know the name.
|
|
/// </summary>
|
|
[SupportedOSPlatform("windows")]
|
|
public static class PipeSecurityFactory
|
|
{
|
|
public const string PipeName = "WebhookServerAdmin";
|
|
|
|
public static PipeSecurity Create()
|
|
{
|
|
var security = new PipeSecurity();
|
|
|
|
var system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
|
|
var administrators = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
|
|
|
|
security.AddAccessRule(new PipeAccessRule(
|
|
system, PipeAccessRights.FullControl, AccessControlType.Allow));
|
|
|
|
security.AddAccessRule(new PipeAccessRule(
|
|
administrators, PipeAccessRights.FullControl, AccessControlType.Allow));
|
|
|
|
return security;
|
|
}
|
|
}
|