/// <summary>
/// Releases the test account's token handle, then deletes the local test account.
/// </summary>
/// <remarks>
/// Returns immediately when the token handle field is already null, so a second call does not
/// attempt the account deletion again. The field is cleared before the account is deleted:
/// if the lookup or the delete fails, a later call will not retry, and the account named by
/// <c>TestAccountName</c> can remain on the machine.
/// </remarks>
/// <exception cref="Exception">No user principal was found for the test account.</exception>
public void Dispose()
        {
            if (_testAccountTokenHandle == null)
            {
                // Nothing to release: never created, or already disposed.
                return;
            }

            // Close the token first and clear the field so the cleanup below runs at most once.
            _testAccountTokenHandle.Dispose();
            _testAccountTokenHandle = null;

            // The account is looked up in the machine context (ContextType.Machine).
            using (var machineContext = new PrincipalContext(ContextType.Machine))
            {
                using (var testAccount = UserPrincipal.FindByIdentity(machineContext, TestAccountName))
                {
                    if (testAccount == null)
                    {
                        throw new Exception($"Failed to get user principal to delete test account {TestAccountName}");
                    }

                    try
                    {
                        testAccount.Delete();
                    }
                    catch (InvalidOperationException)
                    {
                        // Deliberately ignored. TODO (from the original author): investigate; Delete() is
                        // reported to always throw "Can't delete object already deleted" even though the
                        // account is removed.
                        // NOTE(review): this catch also hides a delete that really failed, which would
                        // leave a test account behind; confirm the account is gone.
                    }
                }
            }
        }
Ejemplo n.º 2
        /// <summary>
        /// Opens the access token of the current thread, choosing the <c>openAsSelf</c> flag passed
        /// to the underlying overload from <paramref name="openAs"/>.
        /// </summary>
        /// <param name="desiredAccess">Access rights requested on the token.</param>
        /// <param name="openAs">
        /// <c>Thread</c> makes a single attempt with <c>openAsSelf</c> false; any other value first
        /// tries with <c>openAsSelf</c> true, and <c>Both</c> retries once with it false.
        /// </param>
        /// <param name="tokenHandle">Handle produced by the last attempt that was made.</param>
        /// <returns><c>true</c> when one of the attempts succeeded; otherwise <c>false</c>.</returns>
        internal static bool OpenThreadToken(TokenAccessLevels desiredAccess, WinSecurityContext openAs, out SafeAccessTokenHandle tokenHandle)
        {
            // NOTE(review): presumably openAsSelf maps to the Win32 OpenAsSelf argument, i.e. whether the
            // access check uses the process context (true) or the thread's current context (false) - confirm
            // against the inner overload.
            bool openAsSelf = openAs != WinSecurityContext.Thread;

            if (OpenThreadToken(Kernel32.GetCurrentThread(), desiredAccess, openAsSelf, out tokenHandle))
            {
                return true;
            }

            if (openAs != WinSecurityContext.Both)
            {
                // No fallback was requested; the failed handle is returned to the caller as-is.
                return false;
            }

            // Release the handle from the failed first attempt before the out parameter is overwritten.
            tokenHandle.Dispose();
            return OpenThreadToken(Kernel32.GetCurrentThread(), desiredAccess, false, out tokenHandle);
        }
Ejemplo n.º 3
        /// <summary>
        /// Reports whether <paramref name="sid"/> is a member of this identity's token, as decided by
        /// the CheckTokenMembership family of native calls.
        /// </summary>
        /// <param name="sid">Security identifier to look for; its binary form is passed to the native call.</param>
        /// <returns>
        /// <c>false</c> for an invalid token handle (the anonymous identity); otherwise the membership
        /// flag written by the native call.
        /// </returns>
        /// <exception cref="SecurityException">Duplicating the token or the membership check failed.</exception>
        private bool CheckNtTokenForSid(SecurityIdentifier sid)
        {
            Contract.EndContractBlock();

            // The anonymous identity has an invalid handle and is never a member of anything.
            if (_safeTokenHandle.IsInvalid)
            {
                return false;
            }

            // CheckTokenMembership expects an impersonation token, so a token whose level is None is
            // duplicated as an Identification-level impersonation token first.
            SafeAccessTokenHandle duplicatedToken = SafeAccessTokenHandle.InvalidHandle;
            TokenImpersonationLevel level = ImpersonationLevel;
            bool isMember = false;

            try
            {
                if (level == TokenImpersonationLevel.None)
                {
                    bool duplicated = Interop.Advapi32.DuplicateTokenEx(
                        _safeTokenHandle,
                        (uint)TokenAccessLevels.Query,
                        IntPtr.Zero,
                        (uint)TokenImpersonationLevel.Identification,
                        (uint)TokenType.TokenImpersonation,
                        ref duplicatedToken);
                    if (!duplicated)
                    {
                        throw new SecurityException(new Win32Exception().Message);
                    }
                }

                // Use the original handle when it already carries an impersonation level, else the duplicate.
                var tokenToCheck = level != TokenImpersonationLevel.None ? _safeTokenHandle : duplicatedToken;

                // CheckTokenMembership will check if the SID is both present and enabled in the access token.
#if uap
                bool membershipChecked = Interop.Kernel32.CheckTokenMembershipEx(
                    tokenToCheck,
                    sid.BinaryForm,
                    Interop.Kernel32.CTMF_INCLUDE_APPCONTAINER,
                    ref isMember);
#else
                bool membershipChecked = Interop.Advapi32.CheckTokenMembership(
                    tokenToCheck,
                    sid.BinaryForm,
                    ref isMember);
#endif
                if (!membershipChecked)
                {
                    throw new SecurityException(new Win32Exception().Message);
                }
            }
            finally
            {
                // NOTE(review): this is a reference comparison; if InvalidHandle returns a new instance on
                // every read the test is always true and Dispose always runs - confirm.
                if (duplicatedToken != SafeAccessTokenHandle.InvalidHandle)
                {
                    duplicatedToken.Dispose();
                }
            }

            return isMember;
        }
 /// <summary>
 /// Stores the caller and impersonation token handles, disposing the caller token that is being
 /// replaced when it is non-null and valid.
 /// </summary>
 /// <param name="callerToken">New value for <c>m_callerToken</c>.</param>
 /// <param name="impToken">New value for <c>m_impToken</c>.</param>
 [System.Security.SecurityCritical]  // auto-generated
 internal void SetTokenHandles(SafeAccessTokenHandle callerToken, SafeAccessTokenHandle impToken)
 {
     bool mustReleaseOldCallerToken = m_callerToken != null && !m_callerToken.IsInvalid;
     if (mustReleaseOldCallerToken)
     {
         // NOTE(review): if callerToken is the same instance as the stored one, it is disposed here
         // and then stored again - confirm callers never pass the current handle back in.
         m_callerToken.Dispose();
     }

     // NOTE(review): the previous m_impToken is overwritten without being disposed; presumably it
     // is owned elsewhere - confirm.
     m_impToken    = impToken;
     m_callerToken = callerToken;
 }
Ejemplo n.º 5
 /// <summary>
 /// Disposes the token handle when called with <paramref name="disposing"/> set, and clears the
 /// cached name, owner and user fields in every case.
 /// </summary>
 /// <param name="disposing">
 /// When <c>true</c>, the token handle is disposed if it is non-null and not already closed.
 /// </param>
 protected virtual void Dispose(bool disposing)
 {
     // The handle is only touched when disposing is true; a closed handle is left alone.
     if (disposing && _safeTokenHandle != null && !_safeTokenHandle.IsClosed)
     {
         _safeTokenHandle.Dispose();
     }

     // Cached values are dropped regardless of the disposing flag.
     _user = null;
     _owner = null;
     _name = null;
 }
Ejemplo n.º 6
 /// <summary>
 /// On the disposing path, calls <c>Undo()</c> and then disposes the token handle, provided the
 /// handle is non-null and not already closed.
 /// </summary>
 /// <param name="disposing">When <c>false</c>, the method does nothing.</param>
 protected virtual void Dispose(bool disposing)
 {
     bool handleStillOpen = disposing && m_safeTokenHandle != null && !m_safeTokenHandle.IsClosed;
     if (!handleStillOpen)
     {
         return;
     }

     // Undo() runs before the handle is released.
     // NOTE(review): presumably Undo() reverts an active impersonation - confirm against its definition.
     Undo();
     m_safeTokenHandle.Dispose();
 }
Ejemplo n.º 7
        /// <summary>
        /// Disposes the account token handle, if any, and deletes the user account named by
        /// <c>_userName</c> through <c>NetUserDel</c>.
        /// </summary>
        /// <exception cref="Win32Exception">
        /// <c>NetUserDel</c> returned a status other than success (0) or user-not-found (2221).
        /// </exception>
        public void Dispose()
        {
            const uint Success = 0;
            const uint UserNotFound = 2221; // NERR_UserNotFound

            if (_accountTokenHandle != null)
            {
                _accountTokenHandle.Dispose();
            }

            // NOTE(review): a null first argument presumably targets the local machine - confirm
            // against the NetUserDel declaration.
            uint status = NetUserDel(null, _userName);

            // An account that is already gone counts as cleaned up; any other failure is reported.
            bool deletedOrAlreadyGone = status == Success || status == UserNotFound;
            if (!deletedOrAlreadyGone)
            {
                throw new Win32Exception((int)status);
            }
        }
Ejemplo n.º 8
        // This method (with a SID parameter) is more general than the 2 overloads that accept a WindowsBuiltInRole or
        // a rid (as an int). It is also better from a performance standpoint than the overload that accepts a string.
        // The aforementioned overloads remain in this class since we do not want to introduce a
        // breaking change. However, this method should be used in all new applications.

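        /// <summary>
        /// Reports whether the identity's access token contains <paramref name="sid"/>, as decided by
        /// the CheckTokenMembership family of native calls.
        /// </summary>
        /// <param name="sid">Security identifier to test; must not be null.</param>
        /// <returns>
        /// <c>false</c> when the identity's access token is invalid (the anonymous identity);
        /// otherwise the membership flag written by the native call.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="sid"/> is null.</exception>
        /// <exception cref="SecurityException">Duplicating the token or the membership check failed.</exception>
        public virtual bool IsInRole(SecurityIdentifier sid)
        {
            if (sid == null)
            {
                throw new ArgumentNullException(nameof(sid));
            }
            Contract.EndContractBlock();

            // special case the anonymous identity.
            if (_identity.AccessToken.IsInvalid)
            {
                return false;
            }

            // CheckTokenMembership expects an impersonation token
            SafeAccessTokenHandle token = SafeAccessTokenHandle.InvalidHandle;
            bool isMember = false;

            try
            {
                if (_identity.ImpersonationLevel == TokenImpersonationLevel.None)
                {
                    if (!Interop.Advapi32.DuplicateTokenEx(_identity.AccessToken,
                                                           (uint)TokenAccessLevels.Query,
                                                           IntPtr.Zero,
                                                           (uint)TokenImpersonationLevel.Identification,
                                                           (uint)TokenType.TokenImpersonation,
                                                           ref token))
                    {
                        throw new SecurityException(new Win32Exception().Message);
                    }
                }

                // CheckTokenMembership will check if the SID is both present and enabled in the access token.
#if uap
                if (!Interop.Kernel32.CheckTokenMembershipEx((_identity.ImpersonationLevel != TokenImpersonationLevel.None ? _identity.AccessToken : token),
                                                             sid.BinaryForm,
                                                             Interop.Kernel32.CTMF_INCLUDE_APPCONTAINER,
                                                             ref isMember))
                {
                    throw new SecurityException(new Win32Exception().Message);
                }
#else
                if (!Interop.Advapi32.CheckTokenMembership((_identity.ImpersonationLevel != TokenImpersonationLevel.None ? _identity.AccessToken : token),
                                                           sid.BinaryForm,
                                                           ref isMember))
                {
                    throw new SecurityException(new Win32Exception().Message);
                }
#endif
            }
            finally
            {
                // Release the local token on every path: previously a SecurityException thrown above
                // skipped the Dispose call and left the duplicated handle to the finalizer.
                token.Dispose();
            }

            return isMember;
        }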
Ejemplo n.º 9
        /// <summary>
        /// Reports whether <paramref name="sid"/> is a member of this identity's token, as decided by
        /// the native CheckTokenMembership call.
        /// </summary>
        /// <param name="sid">Security identifier to look for; its binary form is passed to the native call.</param>
        /// <returns>
        /// <c>false</c> for an invalid token handle (the anonymous identity); otherwise the membership
        /// flag written by the native call.
        /// </returns>
        /// <exception cref="SecurityException">Duplicating the token or the membership check failed.</exception>
        private bool CheckNtTokenForSid(SecurityIdentifier sid)
        {
            Contract.EndContractBlock();

            // The anonymous identity has an invalid handle and is never a member of anything.
            if (_safeTokenHandle.IsInvalid)
            {
                return false;
            }

            // CheckTokenMembership expects an impersonation token, so a token whose level is None is
            // duplicated as an Identification-level impersonation token first.
            SafeAccessTokenHandle duplicatedToken = SafeAccessTokenHandle.InvalidHandle;
            TokenImpersonationLevel level = ImpersonationLevel;
            bool isMember = false;

            try
            {
                if (level == TokenImpersonationLevel.None)
                {
                    bool duplicated = Interop.mincore.DuplicateTokenEx(
                        _safeTokenHandle,
                        (uint)TokenAccessLevels.Query,
                        IntPtr.Zero,
                        (uint)TokenImpersonationLevel.Identification,
                        (uint)TokenType.TokenImpersonation,
                        ref duplicatedToken);
                    if (!duplicated)
                    {
                        throw new SecurityException(Interop.mincore.GetMessage(Marshal.GetLastWin32Error()));
                    }
                }

                // Use the original handle when it already carries an impersonation level, else the duplicate.
                var tokenToCheck = level != TokenImpersonationLevel.None ? _safeTokenHandle : duplicatedToken;

                // CheckTokenMembership will check if the SID is both present and enabled in the access token.
                bool membershipChecked = Interop.mincore.CheckTokenMembership(
                    tokenToCheck,
                    sid.BinaryForm,
                    ref isMember);
                if (!membershipChecked)
                {
                    throw new SecurityException(Interop.mincore.GetMessage(Marshal.GetLastWin32Error()));
                }
            }
            finally
            {
                // NOTE(review): this is a reference comparison; if InvalidHandle returns a new instance on
                // every read the test is always true and Dispose always runs - confirm.
                if (duplicatedToken != SafeAccessTokenHandle.InvalidHandle)
                {
                    duplicatedToken.Dispose();
                }
            }

            return isMember;
        }
Ejemplo n.º 10
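        /// <summary>
        /// Reports whether the identity's access token contains <paramref name="sid"/>, as decided by
        /// the native CheckTokenMembership call.
        /// </summary>
        /// <param name="sid">Security identifier to test; must not be null.</param>
        /// <returns>
        /// <c>false</c> when the identity's access token is invalid (the anonymous identity);
        /// otherwise the membership flag written by the native call.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="sid"/> is null.</exception>
        /// <exception cref="SecurityException">Duplicating the token or the membership check failed.</exception>
        public virtual bool IsInRole(SecurityIdentifier sid)
        {
            if (sid == null)
            {
                throw new ArgumentNullException("sid");
            }
            Contract.EndContractBlock();

            // special case the anonymous identity.
            if (m_identity.AccessToken.IsInvalid)
            {
                return false;
            }

            // CheckTokenMembership expects an impersonation token
            SafeAccessTokenHandle token = SafeAccessTokenHandle.InvalidHandle;
            bool isMember = false;

            try
            {
                if (m_identity.ImpersonationLevel == TokenImpersonationLevel.None)
                {
                    if (!Win32Native.DuplicateTokenEx(m_identity.AccessToken,
                                                      (uint)TokenAccessLevels.Query,
                                                      IntPtr.Zero,
                                                      (uint)TokenImpersonationLevel.Identification,
                                                      (uint)TokenType.TokenImpersonation,
                                                      ref token))
                    {
                        throw new SecurityException(Win32Native.GetMessage(Marshal.GetLastWin32Error()));
                    }
                }

                // CheckTokenMembership will check if the SID is both present and enabled in the access token.
                if (!Win32Native.CheckTokenMembership((m_identity.ImpersonationLevel != TokenImpersonationLevel.None ? m_identity.AccessToken : token),
                                                      sid.BinaryForm,
                                                      ref isMember))
                {
                    throw new SecurityException(Win32Native.GetMessage(Marshal.GetLastWin32Error()));
                }
            }
            finally
            {
                // Release the local token on every path: previously a SecurityException thrown above
                // skipped the Dispose call and left the duplicated handle to the finalizer.
                token.Dispose();
            }

            return isMember;
        }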
Ejemplo n.º 11
 /// <summary>
 /// Disposes the held access token; does nothing when no token is held.
 /// </summary>
 public void Dispose() => _accessToken?.Dispose();
Ejemplo n.º 12
 ///-------------------------------------------------------------------------------------------------
 /// <summary>
 ///     Releases the user context.
 /// </summary>
 ///
 /// <seealso cref="IDisposable.Dispose()"/>
 ///-------------------------------------------------------------------------------------------------
 public void Dispose() =>
     // No null guard here: the field is assumed to be assigned before Dispose runs
     // (NOTE(review): confirm against the constructor, otherwise this throws NullReferenceException).
     _safeAccessTokenHandle.Dispose();