.NET File Access Control & TDD

A skill for building a .NET Standard 2.0 application that determines user principal permissions for file and directory operations (create, read, update, delete) on Windows 10/11 machines, following strict test-driven development practices.

What This Skill Does

This skill guides the development of a security-focused file system access control application using:

.NET Standard 2.0 targeting Windows 10/11

User principal permission validation before file operations

Red-light/green-light test-driven development methodology

Comprehensive logging of access denial events

First principles procedural development approach

Instructions

Development Philosophy

1. **First Principles Approach**

- Break down all tasks into atomic units

- Complete tasks procedurally in order

- Confirm completion before proceeding to next task

- Never skip steps or assume functionality

2. **Test-Driven Development (TDD)**

- Write failing unit tests first (red light)

- Implement minimum code to pass tests (green light)

- Refactor while keeping tests green

- No feature is complete without passing unit tests

3. **Requirements Tracking**

- Maintain requirements.md with task statuses: `[Pending]`, `[In Process]`, `[Completed]`

- Update status before and after each task

- All stakeholders must confirm completion before marking `[Completed]`

Core Requirements

#### 1. User Permission Validation

**Priority 1: Directory Access Rights**

Determine current user's access rights on target directories

Validate before any file operation

Check permissions: Read, Write, Modify, Delete, Execute

Use Windows ACL (Access Control Lists) APIs

Handle inherited vs. explicit permissions

**Priority 2: File-Level Access Rights**

Validate user permissions on individual files before operations

Check specific rights: Create, Read, Update, Delete

Differentiate between directory and file permissions

Respect NTFS permission inheritance

**Priority 3: Event Logging**

Log all permission denial events with:

- Timestamp

- User principal name

- Attempted operation (Create/Read/Update/Delete)

- Target path (file or directory)

- Denial reason

Use structured logging (consider Windows Event Log or file-based)

Include success operations for audit trail

**Priority 4: Safe Operation Execution**

Only proceed with file/directory operations after permission confirmation

Implement operations: Create, Read, Update, Delete

Handle edge cases (locked files, network paths, etc.)

Provide clear error messages on failure

#### 2. Enhancement Features

**User Principal Lookup**

Query permissions by specific user principal name (not just current user)

Support domain\username format

Validate user principal exists before lookup

Handle local vs. domain accounts

Implementation Guidelines

1. **Project Structure**

```

/src

/Core # Permission checking logic

/FileOps # CRUD operations

/Logging # Event logging

/tests

/Core.Tests

/FileOps.Tests

/Logging.Tests

requirements.md

```

2. **Key .NET APIs to Use**

- `System.Security.AccessControl.FileSecurity`

- `System.Security.AccessControl.DirectorySecurity`

- `System.Security.Principal.WindowsIdentity`

- `System.Security.Principal.WindowsPrincipal`

- `FileSystemAccessRule` and `FileSystemRights`

3. **TDD Workflow for Each Feature**

- Write unit test that fails (expected behavior)

- Run test, confirm failure (red light)

- Write minimum code to pass test

- Run test, confirm pass (green light)

- Refactor if needed, keep tests green

- Commit with descriptive message

4. **Commit Strategy**

- Commit before starting each modification (document intent)

- Commit after user confirms completion (document outcome)

- Use clear commit messages: "Add failing test for directory read permission check" or "Implement directory read permission validation"

5. **Testing Requirements**

- Unit tests for all permission check methods

- Unit tests for all CRUD operations

- Unit tests for logging functionality

- Mock file system and security APIs where appropriate

- Aim for >80% code coverage

Development Process

**For Each Task:**

1. Mark task as `[In Process]` in requirements.md

2. Write failing unit test(s) for the feature

3. Commit: "Add failing test for [feature]"

4. Implement minimum code to pass test

5. Run tests until green

6. Commit: "Implement [feature] with passing tests"

7. Request user confirmation of completion

8. Update requirements.md to `[Completed]`

9. Proceed to next task

Security Considerations

Never cache permission results (permissions can change)

Always re-validate before operations

Handle permission changes between check and operation (TOCTOU)

Sanitize all file paths to prevent path traversal attacks

Validate user principal names to prevent injection

Use `SecurityCritical` attributes where appropriate

Error Handling

Catch and log specific exceptions:

- `UnauthorizedAccessException`

- `SecurityException`

- `IOException`

- `ArgumentException` (invalid paths/principals)

Provide user-friendly error messages

Never expose internal exception details to end users

All exceptions must be covered by unit tests

Example Usage

Checking Directory Permissions

```csharp

// Test first

[Test]

public void CheckDirectoryAccess_CurrentUser_HasReadPermission_ReturnsTrue()

{

// Arrange

var checker = new PermissionChecker();

var testPath = @"C:\TestDirectory";

// Act

var hasAccess = checker.HasDirectoryAccess(testPath, FileSystemRights.Read);

// Assert

Assert.IsTrue(hasAccess);

}

// Then implement

public class PermissionChecker

{

public bool HasDirectoryAccess(string path, FileSystemRights rights)

{

// Implementation after test fails

}

```

Logging Access Denial

```csharp

[Test]

public void LogAccessDenial_ValidParameters_CreatesLogEntry()

{

// Arrange

var logger = new AccessLogger();

var testPath = @"C:\SecureFile.txt";

// Act

logger.LogDenial(testPath, FileOperation.Read, "Insufficient permissions");

// Assert

var lastEntry = logger.GetLastEntry();

Assert.AreEqual(testPath, lastEntry.Path);

Assert.AreEqual(FileOperation.Read, lastEntry.Operation);

}

```

Constraints

Must target .NET Standard 2.0 (no higher)

Windows 10/11 only (use Windows-specific APIs freely)

All code must have corresponding passing unit tests

Follow TDD red-light/green-light strictly

User confirmation required before marking tasks complete

Commit before and after each task modification

Notes

Performance: Permission checks can be expensive; consider caching strategies carefully (with invalidation)

Testing: Use test directories with known permissions for integration tests

Documentation: Inline XML comments for all public APIs

Consider using dependency injection for testability

Plan for async/await patterns if dealing with network paths

.NET File Access Control & TDD

.NET File Access Control & TDD

What This Skill Does

Instructions

Development Philosophy

Core Requirements

Implementation Guidelines

Development Process

Security Considerations

Error Handling

Example Usage

Checking Directory Permissions

Logging Access Denial

Constraints

Notes

Reviews (0)