Class EbicsFileSpoolerAccessControlList

Namespace: Subsembly.EBICS
Assembly: Subsembly.EBICS.Core.dll

public class EbicsFileSpoolerAccessControlList : EbicsElement, IEnumerable<EbicsFileSpoolerAccessControlEntry>, IEnumerable
Inheritance
EbicsFileSpoolerAccessControlList

Remarks

All files stored in the EbicsFileSpooler folder and all its sub-folders may be optionally encrypted and protected by individual user passwords. Either the entire folder tree with all its files is protected, or none of it is. It is not possible to protect only some folders.

If the storage folders are protected, then a ".access" (Access Control List) file exists at the root folder, and optionally at one or more sub-folders. A ".access" file contains entries for all users that have access to this folder, and implicitly also to all sub-folders of this folder. Hence, all users listed in the root ".access" file have access to the complete file spooler folder tree.

The root ".access" file must contain at least one entry for the "root" user. The "root" user always has access to the entire folder tree and is responsible for managing the other users' access control list entries. The name of the root user is hard-coded as "root" and cannot be changed. The access control list entry of the root user holds the root master key for encryption.

When file protection is set up for the file spooler, the initial password of the "root" user is set and a master encryption key is created. Then all files that already exist in the folder tree are encrypted with this master key. After that setup process is completed, it is no longer possible to access any files contained in the spooler folders without presenting valid user credentials.

IMPLEMENTATION NOTES

The root master key is used to derive individual folder encryption keys, based on the individual folder path and name. A folder key is computed from the parent folder key and the folder name using a one-way hash function:

folder_key = hash(parent_folder_key, folder_name)

That way, every folder has its own individual encryption key. Still, all folder keys can be derived from the root master key. As a one-way hash function is employed, it is not possible to derive a parent folder key from a folder key.

For each user in the user access control list, the following tuple is stored:

{user_name, hash(user_password), enc(folder_key, user_password)}

So the actual folder key is stored separately for every user, encrypted with the user's password. Only when the correct user name and corresponding password are presented can the folder key be decrypted and used to decrypt the files in this folder. Note that the folder key may also be used to derive any sub-folder keys. Hence, a user implicitly has access to all sub-folders, too.
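
The key derivation and per-user tuple described in these implementation notes, as an added C# example that is not Subsembly's own code. The page does not name the hash or the cipher, so HMAC-SHA256, salted PBKDF2 and AES-256-GCM are assumptions, as are the folder names, the password and all helper names; the code targets .NET 8 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class FolderKeyDemo
{
    // Assumption: hash(parent_folder_key, folder_name) is modelled as HMAC-SHA256 keyed with the parent key.
    static byte[] DeriveFolderKey(byte[] parentKey, string folderName) =>
        HMACSHA256.HashData(parentKey, Encoding.UTF8.GetBytes(folderName));

    // Assumption: one salted PBKDF2 run yields the stored verifier (hash(user_password)) and a separate wrapping key.
    static (byte[] Verifier, byte[] Kek) FromPassword(string password, byte[] salt)
    {
        byte[] okm = Rfc2898DeriveBytes.Pbkdf2(password, salt, 600_000, HashAlgorithmName.SHA256, 64);
        return (okm[..32], okm[32..]);
    }

    // Assumption: enc(folder_key, user_password) is modelled as AES-256-GCM; the blob is nonce || tag || ciphertext.
    static byte[] Wrap(byte[] folderKey, byte[] kek)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12), tag = new byte[16], ct = new byte[folderKey.Length];
        using var aes = new AesGcm(kek, 16);
        aes.Encrypt(nonce, folderKey, ct, tag);
        return nonce.Concat(tag).Concat(ct).ToArray();
    }
    static byte[] Unwrap(byte[] blob, byte[] kek)
    {
        byte[] folderKey = new byte[blob.Length - 28];
        using var aes = new AesGcm(kek, 16);
        aes.Decrypt(blob[..12], blob[28..], blob[12..28], folderKey); // throws CryptographicException on a wrong key
        return folderKey;
    }

    static void Main()
    {
        byte[] master = RandomNumberGenerator.GetBytes(32);        // root master key
        byte[] partnerKey = DeriveFolderKey(master, "PARTNER01");  // constructed folder names
        byte[] inboxKey = DeriveFolderKey(partnerKey, "inbox");
        // Entry for a non-root user listed in the ".access" file of the PARTNER01 folder.
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        var (verifier, kek) = FromPassword("constructed-password", salt);
        byte[] wrapped = Wrap(partnerKey, kek);
        // Later: the user presents the password, recovers the folder key and derives the keys below it.
        var (check, kek2) = FromPassword("constructed-password", salt);
        bool passwordOk = CryptographicOperations.FixedTimeEquals(verifier, check);
        byte[] recovered = Unwrap(wrapped, kek2);
        Console.WriteLine(passwordOk && DeriveFolderKey(recovered, "inbox").SequenceEqual(inboxKey));
    }
}
```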

ISSUES

Technically, a user could create other users with the same privileges. It would be better if only the "root" user could create and manage other users.

Currently there are no sub-folders below the Partner-ID folder. Maybe it would be better to have additional sub-folders per account IBAN.

Maybe there should be a separate ".root" file that solely holds the root user's credentials.

Properties

Count

public int Count { get; }

Property Value

int

Methods

AddAccessControlEntry(EbicsFileSpoolerAccessControlEntry)

public void AddAccessControlEntry(EbicsFileSpoolerAccessControlEntry aACE)

Parameters

aACE EbicsFileSpoolerAccessControlEntry

BuildXml(XmlDocument, EbicsVersion)

public override XmlElement BuildXml(XmlDocument xmlDocument, EbicsVersion nVersion)

Parameters

xmlDocument XmlDocument
nVersion EbicsVersion

Returns

XmlElement

DeleteUser(string)

public bool DeleteUser(string sUserName)

Parameters

sUserName string

Returns

bool

FindUser(string)

public EbicsFileSpoolerAccessControlEntry FindUser(string sUserName)

Parameters

sUserName string

Returns

EbicsFileSpoolerAccessControlEntry

GetEnumerator()

public IEnumerator<EbicsFileSpoolerAccessControlEntry> GetEnumerator()

Returns

IEnumerator<EbicsFileSpoolerAccessControlEntry>

ParseXml(XmlElement, EbicsVersion)

public override void ParseXml(XmlElement xmlElement, EbicsVersion nVersion)

Parameters

xmlElement XmlElement
nVersion EbicsVersion