Add ability to configure URL ACLs
User stories
- As a Setup Developer I can configure URL reservations such that I don’t have to use run netsh.exe in my own custom actions.
Proposal
Create new WixHttpExtension with UrlReservation elements. These provide wrappers around netsh.exe http add/delete urlacl
and their API equivalents HTTPSetServiceConfiguration and HTTPDeleteServiceConfiguration.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xse="http://wixtoolset.org/schemas/XmlSchemaExtension" xmlns:html="http://www.w3.org/1999/xhtml" targetNamespace="http://wixtoolset.org/schemas/v4/wxs/http" xmlns="http://wixtoolset.org/schemas/v4/wxs/http"> <xs:annotation> <xs:documentation> The source code schema for the WiX Toolset Http Extension. </xs:documentation> </xs:annotation>
<xs:import namespace="http://wixtoolset.org/schemas/v4/wxs" />
<xs:element name="UrlReservation"> <xs:annotation> <xs:documentation> Makes a reservation record for the HTTP Server API configuration store on Windows XP SP2, Windows Server 2003, and later. For more information about the HTTP Server API, see <html:a href="http://msdn.microsoft.com/library/windows/desktop/aa364510.aspx"> HTTP Server API </html:a>. </xs:documentation> <xs:appinfo> <xse:parent namespace="http://wixtoolset.org/schemas/v4/wxs" ref="Component" /> <xse:parent namespace="http://wixtoolset.org/schemas/v4/wxs" ref="ServiceInstall" /> </xs:appinfo> </xs:annotation>
<xs:complexType> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:annotation> <xs:documentation> The access control entries for the access control list. </xs:documentation> </xs:annotation> <xs:element ref="UrlAce" /> </xs:choice>
<xs:attribute name="HandleExisting"> <xs:annotation> <xs:documentation> Specifies the behavior when trying to install a URL reservation and it already exists. </xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="replace"> <xs:annotation> <xs:documentation> Replaces the existing URL reservation (the default). </xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ignore"> <xs:annotation> <xs:documentation> Keeps the existing URL reservation. </xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="fail"> <xs:annotation> <xs:documentation> The installation fails. </xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:attribute>
<xs:attribute name="Id" type="xs:string"> <xs:annotation> <xs:documentation> Unique ID of this URL reservation. If this attribute is not specified, an identifier will be generated automatically. </xs:documentation> </xs:annotation> </xs:attribute>
<xs:attribute name="Sddl" type="xs:string"> <xs:annotation> <xs:documentation> Security descriptor to apply to the URL reservation. Can't be specified when using children UrlAce elements. </xs:documentation> </xs:annotation> </xs:attribute>
<xs:attribute name="Url" type="xs:string" use="required"> <xs:annotation> <xs:documentation> The <html:a href="http://msdn.microsoft.com/library/windows/desktop/aa364698.aspx">UrlPrefix</html:a> string that defines the portion of the URL namespace to which this reservation pertains. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> </xs:element>
<xs:element name="UrlAce"> <xs:annotation> <xs:documentation> The security principal and which rights to assign to them for the URL reservation. </xs:documentation> </xs:annotation> <xs:complexType> <xs:attribute name="Id" type="xs:string"> <xs:annotation> <xs:documentation> Unique ID of this URL ACE. If this attribute is not specified, an identifier will be generated automatically. </xs:documentation> </xs:annotation> </xs:attribute>
<xs:attribute name="SecurityPrincipal" type="xs:string"> <xs:annotation> <xs:documentation> The security principal for this ACE. When the UrlReservation is under a ServiceInstall element, this defaults to "NT SERVICE\ServiceInstallName". This may be either a SID or an account name in a format that <html:a href="http://msdn.microsoft.com/library/windows/desktop/aa379159.aspx">LookupAccountName</html:a> supports. When using a SID, an asterisk must be prepended. For example, "*S-1-5-18". </xs:documentation> </xs:annotation> </xs:attribute>
<xs:attribute name="Rights"> <xs:annotation> <xs:documentation> Rights for this ACE. Default is "all". </xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="register" /> <xs:enumeration value="delegate" /> <xs:enumeration value="all" /> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element></xs:schema>Considerations
This could have been added to the Util extension, but was put into the new Http extension instead.
The original proposal included support for the util:Group and util:User elements, but they had to be dropped because the custom action looks up the SID before the group or user is created.