win32-file-security 1.0.0

data/CHANGES

@@ -0,0 +1,2 @@
+= 1.0.0 - 19-Dec-2012
+* Initial release as an independent library.

data/MANIFEST

@@ -0,0 +1,12 @@
+* CHANGES
+* MANIFEST
+* Rakefile
+* README
+* win32-file-security.gemspec
+* lib/win32/file/security.rb
+* lib/win32/file/windows/constants.rb
+* lib/win32/file/windows/functions.rb
+* lib/win32/file/windows/structs.rb
+* test/test_win32_file_security_encryption.rb
+* test/test_win32_file_security_permissions.rb
+* test/test_win32_file_security_version.rb

data/README

@@ -0,0 +1,45 @@
+== Description
+  Additional methods for the File class that relate to file security on
+  the Microsoft Windows operating system.
+
+== Prerequisites
+  * ffi
+
+== Installation
+  gem install win32-file-security
+
+== Synopsis
+
+  require 'win32/file/security
+
+  p File.get_permissions('file.txt')
+
+== Notes
+  If you have the win32-file gem already installed then you do not need this
+  gem. This library was split out from the win32-file gem in order to ease
+  testing and maintenance.
+
+  Otherwise, the only difference is that this library uses FFI instead
+  of win32-api. This also means that it works with JRuby.
+
+== Known issues or bugs
+  None that I'm aware of.
+
+  Please report any issues you find on the github page at:
+
+  https://github.com/djberg96/win32-file-security/issues
+  
+== License
+  Artistic 2.0
+
+== Copyright
+  (C) 2003-2012, Daniel J. Berger, All Rights Reserved
+
+== Warranty
+  This package is provided "as is" and without any express or
+  implied warranties, including, without limitation, the implied
+  warranties of merchantability and fitness for a particular purpose.
+
+== Authors
+  * Daniel J. Berger
+  * Park Heesob

data/Rakefile

@@ -0,0 +1,43 @@
+require 'rake'
+require 'rake/clean'
+require 'rake/testtask'
+
+CLEAN.include('**/*.gem', '**/*.rbc')
+
+namespace :gem do
+  desc 'Build the win32-file-security gem'
+  task :create => [:clean] do
+    spec = eval(IO.read('win32-file-security.gemspec'))
+    Gem::Builder.new(spec).build
+  end
+
+  desc "Install the win32-file-security gem"
+  task :install => [:create] do
+    file = Dir["*.gem"].first
+    sh "gem install #{file}"
+  end
+end
+
+namespace 'test' do
+  Rake::TestTask.new('all') do |t|
+    task :test => :clean
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new('encryption') do |t|
+    task :test => :clean
+    t.warning = true
+    t.verbose = true
+    t.test_files = FileList['test/test_win32_file_security_encryption']
+  end
+
+  Rake::TestTask.new('permissions') do |t|
+    task :test => :clean
+    t.warning = true
+    t.verbose = true
+    t.test_files = FileList['test/test_win32_file_security_permissions']
+  end
+end
+
+task :default => 'test:all'

data/lib/win32/file/security.rb

@@ -0,0 +1,470 @@
+require File.join(File.dirname(__FILE__), 'windows', 'constants')
+require File.join(File.dirname(__FILE__), 'windows', 'structs')
+require File.join(File.dirname(__FILE__), 'windows', 'functions')
+
+class File
+  include Windows::File::Constants
+  include Windows::File::Functions
+  extend Windows::File::Constants
+  extend Windows::File::Structs
+  extend Windows::File::Functions
+
+  # The version of the win32-file library
+  WIN32_FILE_SECURITY_VERSION = '1.0.0'
+
+  class << self
+
+    # Returns the encryption status of a file as a string. Possible return
+    # values are:
+    #
+    # * encryptable
+    # * encrypted
+    # * readonly
+    # * root directory (i.e. not encryptable)
+    # * system fiel (i.e. not encryptable)
+    # * unsupported
+    # * unknown
+    #
+    def encryption_status(file)
+      wide_file  = file.wincode
+      status_ptr = FFI::MemoryPointer.new(:ulong)
+
+      unless FileEncryptionStatusW(wide_file, status_ptr)
+        raise SystemCallError.new("FileEncryptionStatus", FFI.errno)
+      end
+
+      status = status_ptr.read_ulong
+
+      rvalue = case status
+        when FILE_ENCRYPTABLE
+          "encryptable"
+        when FILE_IS_ENCRYPTED
+          "encrypted"
+        when FILE_READ_ONLY
+          "readonly"
+        when FILE_ROOT_DIR
+          "root directory"
+        when FILE_SYSTEM_ATTR
+          "system file"
+        when FILE_SYSTEM_NOT_SUPPORTED
+          "unsupported"
+        else
+          "unknown"
+      end
+
+      rvalue
+    end
+
+    # Returns whether or not the root path of the specified file is
+    # encryptable. If a relative path is specified, it will check against
+    # the root of the current directory.
+    #
+    # Be sure to include a trailing slash if specifying a root path.
+    #
+    # Examples:
+    #
+    #   p File.encryptable?
+    #   p File.encryptable?("D:\\")
+    #   p File.encryptable?("C:/foo/bar.txt") # Same as 'C:\'
+    #
+    def encryptable?(file = nil)
+      bool = false
+      flags_ptr = FFI::MemoryPointer.new(:ulong)
+
+      if file
+        file = File.expand_path(file)
+        wide_file = file.wincode
+
+        if !PathIsRootW(wide_file)
+          unless PathStripToRootW(wide_file)
+            raise SystemCallError.new("PathStripToRoot", FFI.errno)
+          end
+        end
+      else
+        wide_file = nil
+      end
+
+      unless GetVolumeInformationW(wide_file, nil, 0, nil, nil, flags_ptr, nil, 0)
+        raise SystemCallError.new("GetVolumeInformation", FFI.errno)
+      end
+
+      flags = flags_ptr.read_ulong
+
+      if flags & FILE_SUPPORTS_ENCRYPTION > 0
+        bool = true
+      end
+
+      bool
+    end
+
+    # Encrypts a file or directory. All data streams in a file are encrypted.
+    # All new files created in an encrypted directory are encrypted.
+    #
+    # The caller must have the FILE_READ_DATA, FILE_WRITE_DATA,
+    # FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, and SYNCHRONIZE access
+    # rights.
+    #
+    # Requires exclusive access to the file being encrypted, and will fail if
+    # another process is using the file or the file is marked read-only. If the
+    # file is compressed the file will be decompressed before encrypting it.
+    #
+    def encrypt(file)
+      unless EncryptFileW(file.wincode)
+        raise SystemCallError.new("EncryptFile", FFI.errno)
+      end
+      self
+    end
+
+    # Decrypts an encrypted file or directory.
+    #
+    # The caller must have the FILE_READ_DATA, FILE_WRITE_DATA,
+    # FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, and SYNCHRONIZE access
+    # rights.
+    #
+    # Requires exclusive access to the file being decrypted, and will fail if
+    # another process is using the file. If the file is not encrypted an error
+    # is NOT raised, it's simply a no-op.
+    #
+    def decrypt(file)
+      unless DecryptFileW(file.wincode, 0)
+        raise SystemCallError.new("DecryptFile", FFI.errno)
+      end
+      self
+    end
+
+    # Returns a hash describing the current file permissions for the given
+    # file.  The account name is the key, and the value is an integer mask
+    # that corresponds to the security permissions for that file.
+    #
+    # To get a human readable version of the permissions, pass the value to
+    # the +File.securities+ method.
+    #
+    # You may optionally specify a host as the second argument. If no host is
+    # specified then the current host is used.
+    #
+    # Examples:
+    #
+    #   hash = File.get_permissions('test.txt')
+    #
+    #   p hash # => {"NT AUTHORITY\\SYSTEM"=>2032127, "BUILTIN\\Administrators"=>2032127, ...}
+    #
+    #   hash.each{ |name, mask|
+    #     p name
+    #     p File.securities(mask)
+    #   }
+    #
+    def get_permissions(file, host=nil)
+      size_needed_ptr = FFI::MemoryPointer.new(:ulong)
+      security_ptr    = FFI::MemoryPointer.new(:ulong)
+
+      wide_file = file.wincode
+      wide_host = host ? host.wincode : nil
+
+      # First pass, get the size needed
+      bool = GetFileSecurityW(
+        wide_file,
+        DACL_SECURITY_INFORMATION,
+        security_ptr,
+        security_ptr.size,
+        size_needed_ptr
+      )
+
+      errno = FFI.errno
+
+      if !bool && errno != ERROR_INSUFFICIENT_BUFFER
+        raise SystemCallError.new("GetFileSecurity", errno)
+      end
+
+      size_needed = size_needed_ptr.read_ulong
+
+      security_ptr = FFI::MemoryPointer.new(size_needed)
+
+      # Second pass, this time with the appropriately sized security pointer
+      bool = GetFileSecurityW(
+        wide_file,
+        DACL_SECURITY_INFORMATION,
+        security_ptr,
+        security_ptr.size,
+        size_needed_ptr
+      )
+
+      unless bool
+        raise SystemCallError.new("GetFileSecurity", FFI.errno)
+      end
+
+      control_ptr  = FFI::MemoryPointer.new(:ulong)
+      revision_ptr = FFI::MemoryPointer.new(:ulong)
+
+      unless GetSecurityDescriptorControl(security_ptr, control_ptr, revision_ptr)
+        raise SystemCallError.new("GetSecurityDescriptorControl", FFI.errno)
+      end
+
+      control = control_ptr.read_ulong
+
+      if control & SE_DACL_PRESENT == 0
+        raise ArgumentError, "No DACL present: explicit deny all"
+      end
+
+      dacl_pptr          = FFI::MemoryPointer.new(:pointer)
+      dacl_present_ptr   = FFI::MemoryPointer.new(:bool)
+      dacl_defaulted_ptr = FFI::MemoryPointer.new(:ulong)
+
+      val = GetSecurityDescriptorDacl(
+        security_ptr,
+        dacl_present_ptr,
+        dacl_pptr,
+        dacl_defaulted_ptr
+      )
+
+      if val == 0
+        raise SystemCallError.new("GetSecurityDescriptorDacl", FFI.errno)
+      end
+
+      acl = ACL.new(dacl_pptr.read_pointer)
+
+      if acl[:AclRevision] == 0
+        raise ArgumentError, "DACL is NULL: implicit access grant"
+      end
+
+      ace_count  = acl[:AceCount]
+      perms_hash = {}
+
+      0.upto(ace_count - 1){ |i|
+        ace_pptr = FFI::MemoryPointer.new(:pointer)
+        next unless GetAce(acl, i, ace_pptr)
+
+        access = ACCESS_ALLOWED_ACE.new(ace_pptr.read_pointer)
+
+        if access[:Header][:AceType] == ACCESS_ALLOWED_ACE_TYPE
+          name = FFI::MemoryPointer.new(:uchar, 260)
+          name_size = FFI::MemoryPointer.new(:ulong)
+          name_size.write_ulong(name.size)
+
+          domain = FFI::MemoryPointer.new(:uchar, 260)
+          domain_size = FFI::MemoryPointer.new(:ulong)
+          domain_size.write_ulong(domain.size)
+
+          use_ptr = FFI::MemoryPointer.new(:pointer)
+
+          val = LookupAccountSidW(
+            wide_host,
+            ace_pptr.read_pointer + 8,
+            name,
+            name_size,
+            domain,
+            domain_size,
+            use_ptr
+          )
+
+          if val == 0
+            raise SystemCallError.new("LookupAccountSid", FFI.errno)
+          end
+
+          # The x2 multiplier is necessary due to wide char strings.
+          name = name.read_string(name_size.read_ulong * 2).delete(0.chr)
+          domain = domain.read_string(domain_size.read_ulong * 2).delete(0.chr)
+
+          unless domain.empty?
+            name = domain + '\\' + name
+          end
+
+          perms_hash[name] = access[:Mask]
+        end
+      }
+
+      perms_hash
+    end
+
+    # Sets the file permissions for the given file name.  The 'permissions'
+    # argument is a hash with an account name as the key, and the various
+    # permission constants as possible values. The possible constant values
+    # are:
+    #
+    # * FILE_READ_DATA
+    # * FILE_WRITE_DATA
+    # * FILE_APPEND_DATA
+    # * FILE_READ_EA
+    # * FILE_WRITE_EA
+    # * FILE_EXECUTE
+    # * FILE_DELETE_CHILD
+    # * FILE_READ_ATTRIBUTES
+    # * FILE_WRITE_ATTRIBUTES
+    # * STANDARD_RIGHTS_ALL
+    # * FULL
+    # * READ
+    # * ADD
+    # * CHANGE
+    # * DELETE
+    # * READ_CONTROL
+    # * WRITE_DAC
+    # * WRITE_OWNER
+    # * SYNCHRONIZE
+    # * STANDARD_RIGHTS_REQUIRED
+    # * STANDARD_RIGHTS_READ
+    # * STANDARD_RIGHTS_WRITE
+    # * STANDARD_RIGHTS_EXECUTE
+    # * STANDARD_RIGHTS_ALL
+    # * SPECIFIC_RIGHTS_ALL
+    # * ACCESS_SYSTEM_SECURITY
+    # * MAXIMUM_ALLOWED
+    # * GENERIC_READ
+    # * GENERIC_WRITE
+    # * GENERIC_EXECUTE
+    # * GENERIC_ALL
+    #
+    # Example:
+    #
+    #   # Set locally
+    #   File.set_permissions(file, "userid" => File::GENERIC_ALL)
+    #
+    #   # Set a remote system
+    #   File.set_permissions(file, "host\\userid" => File::GENERIC_ALL)
+    #
+    def set_permissions(file, perms)
+      raise TypeError unless file.is_a?(String)
+      raise TypeError unless perms.kind_of?(Hash)
+
+      wide_file = file.wincode
+
+      account_rights = 0
+      sec_desc = FFI::MemoryPointer.new(:pointer, SECURITY_DESCRIPTOR_MIN_LENGTH)
+
+      unless InitializeSecurityDescriptor(sec_desc, 1)
+        raise SystemCallError.new("InitializeSecurityDescriptor", FFI.errno)
+      end
+
+      acl_new = FFI::MemoryPointer.new(ACL, 100)
+
+      unless InitializeAcl(acl_new, acl_new.size, ACL_REVISION2)
+        raise SystemCallError.new("InitializeAcl", FFI.errno)
+      end
+
+      perms.each{ |account, mask|
+        next if mask.nil?
+
+        server, account = account.split("\\")
+
+        if ['BUILTIN', 'NT AUTHORITY'].include?(server.upcase)
+          wide_server = nil
+        else
+          wide_server = server.wincode
+        end
+
+        wide_account = account.wincode
+
+        sid = FFI::MemoryPointer.new(:uchar, 1024)
+        sid_size = FFI::MemoryPointer.new(:ulong)
+        sid_size.write_ulong(sid.size)
+
+        domain = FFI::MemoryPointer.new(:uchar, 260)
+        domain_size = FFI::MemoryPointer.new(:ulong)
+        domain_size.write_ulong(domain.size)
+
+        use_ptr = FFI::MemoryPointer.new(:ulong)
+
+        val = LookupAccountNameW(
+           wide_server,
+           wide_account,
+           sid,
+           sid_size,
+           domain,
+           domain_size,
+           use_ptr
+        )
+
+        raise SystemCallError.new("LookupAccountName", FFI.errno) unless val
+
+        all_ace = ACCESS_ALLOWED_ACE2.new
+
+        val = CopySid(
+          ALLOW_ACE_LENGTH - ACCESS_ALLOWED_ACE.size,
+          all_ace.to_ptr+8,
+          sid
+        )
+
+        raise SystemCallError.new("CopySid", FFI.errno) unless val
+
+        if (GENERIC_ALL & mask).nonzero?
+          account_rights = GENERIC_ALL & mask
+        elsif (GENERIC_RIGHTS_CHK & mask).nonzero?
+          account_rights = GENERIC_RIGHTS_MASK & mask
+        else
+          # Do nothing, leave it set to zero.
+        end
+
+        all_ace[:Header][:AceFlags] = INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE
+
+        2.times{
+          if account_rights != 0
+            all_ace[:Header][:AceSize] = 8 + GetLengthSid(sid)
+            all_ace[:Mask] = account_rights
+
+            val = AddAce(
+              acl_new,
+              ACL_REVISION2,
+              MAXDWORD,
+              all_ace,
+              all_ace[:Header][:AceSize]
+            )
+
+            raise SystemCallError.new("AddAce", FFI.errno) unless val
+
+            all_ace[:Header][:AceFlags] = CONTAINER_INHERIT_ACE
+          else
+            all_ace[:Header][:AceFlags] = 0
+          end
+
+          account_rights = REST_RIGHTS_MASK & mask
+        }
+      }
+
+      unless SetSecurityDescriptorDacl(sec_desc, true, acl_new, false)
+        raise SystemCallError.new("SetSecurityDescriptorDacl", FFI.errno)
+      end
+
+      unless SetFileSecurityW(wide_file, DACL_SECURITY_INFORMATION, sec_desc)
+        raise SystemCallError.new("SetFileSecurity", FFI.errno)
+      end
+
+      self
+    end
+
+    # Returns an array of human-readable strings that correspond to the
+    # permission flags.
+    #
+    # Example:
+    #
+    #   File.get_permissions('test.txt').each{ |name, mask|
+    #     puts name
+    #     p File.securities(mask)
+    #   }
+    #
+    def securities(mask)
+      sec_array = []
+
+      security_rights = {
+        'FULL'    => FULL,
+        'DELETE'  => DELETE,
+        'READ'    => READ,
+        'CHANGE'  => CHANGE,
+        'ADD'     => ADD
+      }
+
+      if mask == 0
+        sec_array.push('NONE')
+      else
+        if (mask & FULL) ^ FULL == 0
+          sec_array.push('FULL')
+        else
+          security_rights.each{ |string, numeric|
+            if (numeric & mask) ^ numeric == 0
+              sec_array.push(string)
+            end
+          }
+        end
+      end
+
+      sec_array
+    end
+  end
+end

data/lib/win32/file/windows/constants.rb

@@ -0,0 +1,125 @@
+module Windows
+  module File
+    module Constants
+      SE_DACL_PRESENT           = 4
+      DACL_SECURITY_INFORMATION = 4
+      ACCESS_ALLOWED_ACE_TYPE   = 0
+      ERROR_INSUFFICIENT_BUFFER = 122
+      ACL_REVISION2             = 2
+      ALLOW_ACE_LENGTH          = 62
+      OBJECT_INHERIT_ACE        = 0x1
+      CONTAINER_INHERIT_ACE     = 0x2
+      INHERIT_ONLY_ACE          = 0x8
+      MAXDWORD                  = 0xFFFFFFFF
+      SECURITY_DESCRIPTOR_MIN_LENGTH = 20
+
+      ## Security Rights
+
+      SYNCHRONIZE                  = 0x100000
+      STANDARD_RIGHTS_REQUIRED     = 0xf0000
+      STANDARD_RIGHTS_READ         = 0x20000
+      STANDARD_RIGHTS_WRITE        = 0x20000
+      STANDARD_RIGHTS_EXECUTE      = 0x20000
+      STANDARD_RIGHTS_ALL          = 0x1F0000
+      SPECIFIC_RIGHTS_ALL          = 0xFFFF
+      ACCESS_SYSTEM_SECURITY       = 0x1000000
+      MAXIMUM_ALLOWED              = 0x2000000
+      GENERIC_READ                 = 0x80000000
+      GENERIC_WRITE                = 0x40000000
+      GENERIC_EXECUTE              = 0x20000000
+      GENERIC_ALL                  = 0x10000000
+      GENERIC_RIGHTS_CHK           = 0xF0000000
+      REST_RIGHTS_MASK             = 0x001FFFFF
+
+      FILE_READ_DATA               = 1
+      FILE_LIST_DIRECTORY          = 1
+      FILE_WRITE_DATA              = 2
+      FILE_ADD_FILE                = 2
+      FILE_APPEND_DATA             = 4
+      FILE_ADD_SUBDIRECTORY        = 4
+      FILE_CREATE_PIPE_INSTANCE    = 4
+      FILE_READ_EA                 = 8
+      FILE_READ_PROPERTIES         = 8
+      FILE_WRITE_EA                = 16
+      FILE_WRITE_PROPERTIES        = 16
+      FILE_EXECUTE                 = 32
+      FILE_TRAVERSE                = 32
+      FILE_DELETE_CHILD            = 64
+      FILE_READ_ATTRIBUTES         = 128
+      FILE_WRITE_ATTRIBUTES        = 256
+
+      FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF
+
+      FILE_GENERIC_READ =
+         STANDARD_RIGHTS_READ |
+         FILE_READ_DATA |
+         FILE_READ_ATTRIBUTES |
+         FILE_READ_EA |
+         SYNCHRONIZE
+
+      FILE_GENERIC_WRITE =
+         STANDARD_RIGHTS_WRITE |
+         FILE_WRITE_DATA |
+         FILE_WRITE_ATTRIBUTES |
+         FILE_WRITE_EA |
+         FILE_APPEND_DATA |
+         SYNCHRONIZE
+
+      FILE_GENERIC_EXECUTE =
+         STANDARD_RIGHTS_EXECUTE |
+         FILE_READ_ATTRIBUTES |
+         FILE_EXECUTE |
+         SYNCHRONIZE
+
+      FILE_SHARE_READ                = 1
+      FILE_SHARE_WRITE               = 2
+      FILE_SHARE_DELETE              = 4
+      FILE_NOTIFY_CHANGE_FILE_NAME   = 1
+      FILE_NOTIFY_CHANGE_DIR_NAME    = 2
+      FILE_NOTIFY_CHANGE_ATTRIBUTES  = 4
+      FILE_NOTIFY_CHANGE_SIZE        = 8
+      FILE_NOTIFY_CHANGE_LAST_WRITE  = 16
+      FILE_NOTIFY_CHANGE_LAST_ACCESS = 32
+      FILE_NOTIFY_CHANGE_CREATION    = 64
+      FILE_NOTIFY_CHANGE_SECURITY    = 256
+      FILE_CASE_SENSITIVE_SEARCH     = 1
+      FILE_CASE_PRESERVED_NAMES      = 2
+      FILE_UNICODE_ON_DISK           = 4
+      FILE_PERSISTENT_ACLS           = 8
+      FILE_FILE_COMPRESSION          = 16
+      FILE_VOLUME_QUOTAS             = 32
+      FILE_SUPPORTS_SPARSE_FILES     = 64
+      FILE_SUPPORTS_REPARSE_POINTS   = 128
+      FILE_SUPPORTS_REMOTE_STORAGE   = 256
+      FILE_VOLUME_IS_COMPRESSED      = 0x8000
+      FILE_SUPPORTS_OBJECT_IDS       = 0x10000
+      FILE_SUPPORTS_ENCRYPTION       = 0x20000
+
+      FILE_ENCRYPTABLE  = 0
+      FILE_IS_ENCRYPTED = 1
+      FILE_ROOT_DIR     = 3
+      FILE_SYSTEM_ATTR  = 2
+      FILE_SYSTEM_DIR   = 4
+      FILE_UNKNOWN      = 5
+      FILE_SYSTEM_NOT_SUPPORT = 6
+      FILE_READ_ONLY    = 8
+
+      # Read and execute privileges
+      READ = FILE_GENERIC_READ | FILE_EXECUTE
+
+      # Add privileges
+      ADD = 0x001201bf
+
+      # Delete privileges
+      DELETE = 0x00010000
+
+      # Generic write, generic read, execute and delete privileges
+      CHANGE = FILE_GENERIC_WRITE | FILE_GENERIC_READ | FILE_EXECUTE | DELETE
+
+      # Full security rights - read, write, append, execute, and delete.
+      FULL = STANDARD_RIGHTS_ALL | FILE_READ_DATA | FILE_WRITE_DATA |
+        FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | FILE_EXECUTE |
+        FILE_DELETE_CHILD | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES
+    end
+  end
+end

data/lib/win32/file/windows/functions.rb

@@ -0,0 +1,46 @@
+require 'ffi'
+
+module Windows
+  module File
+    module Functions
+      extend FFI::Library
+      ffi_lib :advapi32
+
+      attach_function :AddAce, [:pointer, :ulong, :ulong, :pointer, :ulong], :bool
+      attach_function :CopySid, [:ulong, :pointer, :pointer], :bool
+      attach_function :EncryptFileW, [:buffer_in], :bool
+      attach_function :DecryptFileW, [:buffer_in, :ulong], :bool
+      attach_function :FileEncryptionStatusW, [:buffer_in, :pointer], :bool
+      attach_function :GetAce, [:pointer, :ulong, :pointer], :bool
+      attach_function :GetFileSecurityW, [:buffer_in, :ulong, :pointer, :ulong, :pointer], :bool
+      attach_function :GetLengthSid, [:pointer], :ulong
+      attach_function :GetSecurityDescriptorControl, [:pointer, :pointer, :pointer], :bool
+      attach_function :GetSecurityDescriptorDacl, [:pointer, :pointer, :pointer, :pointer], :ulong
+      attach_function :InitializeAcl, [:pointer, :ulong, :ulong], :bool
+      attach_function :InitializeSecurityDescriptor, [:pointer, :ulong], :bool
+      attach_function :LookupAccountNameW, [:buffer_in, :buffer_in, :pointer, :pointer, :pointer, :pointer, :pointer], :bool
+      attach_function :LookupAccountSidW, [:buffer_in, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :bool
+      attach_function :SetFileSecurityW, [:buffer_in, :ulong, :pointer], :bool
+      attach_function :SetSecurityDescriptorDacl, [:pointer, :bool, :pointer, :bool], :bool
+
+      ffi_lib :kernel32
+
+      attach_function :GetVolumeInformationW,
+        [:buffer_in, :buffer_out, :ulong, :pointer, :pointer, :pointer, :buffer_out, :ulong],
+        :bool
+
+      ffi_lib :shlwapi
+
+      attach_function :PathStripToRootW, [:buffer_in], :bool
+      attach_function :PathIsRootW, [:buffer_in], :bool
+    end
+  end
+end
+
+class String
+  # Convenience method for converting strings to UTF-16LE for wide character
+  # functions that require it.
+  def wincode
+    (self.tr(File::SEPARATOR, File::ALT_SEPARATOR) + 0.chr).encode('UTF-16LE')
+  end
+end

data/lib/win32/file/windows/structs.rb

@@ -0,0 +1,42 @@
+require 'ffi'
+
+module Windows
+  module File
+    module Structs
+      class ACE_HEADER < FFI::Struct
+        layout(
+          :AceType, :uchar,
+          :AceFlags, :uchar,
+          :AceSize, :ushort
+        )
+      end
+
+      class ACCESS_ALLOWED_ACE < FFI::Struct
+        layout(
+          :Header, ACE_HEADER,
+          :Mask, :ulong,
+          :SidStart, :ulong
+        )
+      end
+
+      class ACCESS_ALLOWED_ACE2 < FFI::Struct
+        layout(
+          :Header, ACE_HEADER,
+          :Mask, :ulong,
+          :SidStart, :ulong,
+	  :dummy, [:uchar, 40]
+        )
+      end
+
+      class ACL < FFI::Struct
+        layout(
+          :AclRevision, :uchar,
+          :Sbz1, :uchar,
+          :AclSize, :ushort,
+          :AceCount, :ushort,
+          :Sbz2, :ushort
+        )
+      end
+    end
+  end
+end

data/test/test_win32_file_security_encryption.rb

@@ -0,0 +1,90 @@
+#############################################################################
+# test_win32_file_encryption.rb
+#
+# Test case for the encryption related methods of win32-file. You should
+# run this test via the 'rake test' or 'rake test_encryption' task.
+#
+# Note: These tests may fail based on the security setup of your system.
+#############################################################################
+require 'test-unit'
+require 'win32/security'
+require 'win32/file/security'
+require 'socket'
+
+class TC_Win32_File_Security_Encryption < Test::Unit::TestCase
+  def self.startup
+    Dir.chdir(File.dirname(File.expand_path(File.basename(__FILE__))))
+    @@file = File.join(Dir.pwd, 'encryption_test.txt')
+    File.open(@@file, 'w'){ |fh| fh.puts "This is an encryption test." }
+    @@host = Socket.gethostname
+  end
+
+  def setup
+    @msg = '=> Ignore. May not work due to security setup of your system.'
+    @elevated = Win32::Security.elevated_security?
+    @statuses = ['encrypted', 'encryptable', 'unknown']
+  end
+
+  test "encrypt method basic functionality" do
+    omit_unless(@elevated)
+    assert_respond_to(File, :encrypt)
+    assert_nothing_raised(@msg){ File.encrypt(@@file) }
+  end
+
+  test "encrypt requires one argument" do
+    omit_unless(@elevated)
+    assert_raise(ArgumentError){ File.encrypt }
+    assert_raise(ArgumentError){ File.encrypt(@@file, @@file) }
+  end
+
+  test "encrypt requires a string argument" do
+    omit_unless(@elevated)
+    assert_raise(TypeError, NoMethodError){ File.encrypt(1) }
+  end
+
+  test "decrypt method basic functionality" do
+    omit_unless(@elevated)
+    assert_respond_to(File, :decrypt)
+    assert_nothing_raised(@msg){ File.decrypt(@@file) }
+  end
+
+  test "decrypt accepts a single argument only" do
+    omit_unless(@elevated)
+    assert_raise(ArgumentError){ File.decrypt }
+  end
+
+  test "decrypt requires a string argument" do
+    omit_unless(@elevated)
+    assert_raise(TypeError, NoMethodError){ File.decrypt(1) }
+  end
+
+  test "encryptable? basic functionality" do
+    assert_respond_to(File, :encryptable?)
+  end
+
+  test "encryptable? returns a boolean value" do
+    assert_boolean(File.encryptable?("C:\\"))
+  end
+
+  test "encryption_status basic functionality" do
+    assert_respond_to(File, :encryption_status)
+  end
+
+  test "encryption_status returns the expected result" do
+    status = File.encryption_status(@@file)
+    assert_kind_of(String, status)
+    assert_true(@statuses.include?(status))
+  end
+
+  def teardown
+    @msg = nil
+    @statuses = nil
+    @elevated = nil
+  end
+
+  def self.shutdown
+    File.delete(@@file) if File.exists?(@@file)
+    @@file = nil
+    @@host = nil
+  end
+end

data/test/test_win32_file_security_permissions.rb

@@ -0,0 +1,88 @@
+##############################################################################
+# test_win32_file_permissions.rb
+#
+# Test case for permission related methods of win32-file-security. You should
+# use the 'rake test' or 'rake test:perms' task to run this.
+##############################################################################
+require 'test-unit'
+require 'test/unit'
+require 'win32/file/security'
+require 'socket'
+require 'etc'
+
+class TC_Win32_File_Security_Permissions < Test::Unit::TestCase
+  def self.startup
+    @@user = Etc.getlogin
+    @@host = Socket.gethostname
+    @@file = File.join(Dir.pwd, 'security_test.txt')
+
+    Dir.chdir(File.dirname(File.expand_path(File.basename(__FILE__))))
+    File.open(@@file, 'w'){ |fh| fh.puts "This is a security test." }
+  end
+
+  def setup
+    @perms = nil
+  end
+
+  test "get_permissions basic functionality" do
+    assert_respond_to(File, :get_permissions)
+    assert_nothing_raised{ File.get_permissions(@@file) }
+  end
+
+  test "get_permissions returns a hash" do
+    assert_kind_of(Hash, File.get_permissions(@@file))
+  end
+
+  test "get_permissions accepts an optional hostname argument" do
+    assert_nothing_raised{ File.get_permissions(@@file, @@host) }
+  end
+
+  test "get_permissions requires at least one argument" do
+    assert_raise(ArgumentError){ File.get_permissions }
+  end
+
+  test "set_permissions basic functionality" do
+    assert_respond_to(File, :set_permissions)
+  end
+
+  test "set_permissions works as expected" do
+    assert_nothing_raised{ @perms = File.get_permissions(@@file) }
+    assert_nothing_raised{ File.set_permissions(@@file, @perms) }
+    assert_equal(@perms, File.get_permissions(@@file))
+  end
+
+  test "set_permissions works if host is specified" do
+    @perms = {"#{@@host}\\#{@@user}" => File::GENERIC_ALL}
+    assert_nothing_raised{ File.set_permissions(@@file, @perms) }
+    assert_equal(@perms, File.get_permissions(@@file))
+  end
+
+  test "securities method basic functionality" do
+    assert_respond_to(File, :securities)
+  end
+
+  test "securities method works as expected" do
+    @perms = File.get_permissions(@@file)
+
+    @perms.each{ |acct, mask|
+      assert_nothing_raised{ File.securities(mask) }
+      assert_kind_of(Array, File.securities(mask))
+    }
+  end
+
+  test "securities method accepts a single argument only" do
+    assert_raise(ArgumentError){ File.securities }
+    assert_raise(ArgumentError){ File.securities({}, {}) }
+  end
+
+  def teardown
+    @perms = nil
+  end
+
+  def self.shutdown
+    File.delete(@@file) if File.exists?(@@file)
+    @@file = nil
+    @@host = nil
+    @@user = nil
+  end
+end

data/test/test_win32_file_security_version.rb

@@ -0,0 +1,13 @@
+#############################################################################
+# test_win32_file_security_version.rb
+#
+# Just a test for the version of the library.
+#############################################################################
+require 'test-unit'
+require 'win32/file/security'
+
+class TC_Win32_File_Security_Version < Test::Unit::TestCase
+  test "version is set to expected value" do
+    assert_equal('1.0.0', File::WIN32_FILE_SECURITY_VERSION)
+  end
+end

data/win32-file-security.gemspec

@@ -0,0 +1,26 @@
+require 'rubygems'
+
+Gem::Specification.new do |spec|
+  spec.name       = 'win32-file-security'
+  spec.version    = '1.0.0'
+  spec.authors    = ['Daniel J. Berger', 'Park Heesob']
+  spec.license    = 'Artistic 2.0'
+  spec.email      = 'djberg96@gmail.com'
+  spec.homepage   = 'http://github.com/djberg96/win32-file-security'
+  spec.summary    = 'File security methods for the File class on MS Windows'
+  spec.test_files = Dir['test/test*']
+  spec.files      = Dir['**/*'].reject{ |f| f.include?('git') }
+
+  spec.rubyforge_project = 'win32utils'
+  spec.extra_rdoc_files  = ['README', 'CHANGES', 'MANIFEST']
+
+  spec.add_dependency('ffi')
+  spec.add_development_dependency('test-unit')
+  spec.add_development_dependency('win32-security')
+
+  spec.description = <<-EOF
+    The win32-file-security library adds security related methods to the
+    core File class for MS Windows. This includes the ability to get or
+    set permissions, as well as encrypt or decrypt files.
+  EOF
+end

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: win32-file-security
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Daniel J. Berger
+- Park Heesob
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-12-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: win32-security
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ! "    The win32-file-security library adds security related methods
+  to the\n    core File class for MS Windows. This includes the ability to get or\n
+  \   set permissions, as well as encrypt or decrypt files.\n"
+email: djberg96@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README
+- CHANGES
+- MANIFEST
+files:
+- CHANGES
+- lib/win32/file/security.rb
+- lib/win32/file/windows/constants.rb
+- lib/win32/file/windows/functions.rb
+- lib/win32/file/windows/structs.rb
+- MANIFEST
+- Rakefile
+- README
+- test/test_win32_file_security_encryption.rb
+- test/test_win32_file_security_permissions.rb
+- test/test_win32_file_security_version.rb
+- win32-file-security.gemspec
+homepage: http://github.com/djberg96/win32-file-security
+licenses:
+- Artistic 2.0
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: win32utils
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: File security methods for the File class on MS Windows
+test_files:
+- test/test_win32_file_security_encryption.rb
+- test/test_win32_file_security_permissions.rb
+- test/test_win32_file_security_version.rb