/// <summary>Adds or replaces claims in the specified Authz Client Context.</summary>
/// <remarks>
/// This method invokes AuthzModifyClaims, modifying the claims using AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE. This ensures that the values of a
/// claims that already exists are replaces and the ones not present are added.
/// </remarks>
/// <param name="handleClientContext">Handle to the Authz Client Context to be modified</param>
/// <returns>Win32Error.ERROR_SUCCESS on success and Win32 error code otherwise.</returns>
public int ApplyClaims(SafeAUTHZ_CLIENT_CONTEXT_HANDLE handleClientContext)
{
var claimInfo = new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(new AUTHZ_SECURITY_ATTRIBUTE_V1[Count]);
var i = 0;
foreach (var claim in this)
{
claimInfo.pAttributeV1[i] = claim.Value.attr;
claimInfo.pAttributeV1[i].pName = claim.Key;
i++;
}
AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] claimOps = null;
if (claimInfo.AttributeCount != 0)
{
claimOps = new AUTHZ_SECURITY_ATTRIBUTE_OPERATION[claimInfo.AttributeCount];
for (var Idx = 0; Idx < claimInfo.AttributeCount; ++Idx)
{
claimOps[Idx] = AUTHZ_SECURITY_ATTRIBUTE_OPERATION.AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE;
}
}
if (!AuthzModifyClaims(handleClientContext,
claimDefnType == ClaimDefinitionType.User ? AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims : AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims,
claimOps, claimInfo))
{
return(Marshal.GetLastWin32Error());
}
return(Win32Error.ERROR_SUCCESS);
}
public void AuthzModifySecurityAttributesTest()
{
using (var hRM = GetAuthzInitializeResourceManager())
using (var hCtx = GetCurrentUserAuthContext(hRM))
{
var attrs = new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(new[] { new AUTHZ_SECURITY_ATTRIBUTE_V1("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Environment.UserName) });
var b = AuthzModifySecurityAttributes(hCtx, new[] { AUTHZ_SECURITY_ATTRIBUTE_OPERATION.AUTHZ_SECURITY_ATTRIBUTE_OPERATION_ADD }, attrs);
if (!b)
{
TestContext.WriteLine($"AuthzModifySecurityAttributes:{Win32Error.GetLastError()}");
}
Assert.That(b);
}
}
public void AuthzGetInformationFromContextTest()
{
using (var hRM = GetAuthzInitializeResourceManager())
using (var hCtx = GetCurrentUserAuthContext(hRM))
{
var buf = GetCtxInfo(hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids);
var tg = buf.ToStructure <TOKEN_GROUPS>();
Assert.That(tg.GroupCount, Is.GreaterThan(0));
buf = GetCtxInfo(hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims);
var ai = AUTHZ_SECURITY_ATTRIBUTES_INFORMATION.FromPtr((IntPtr)buf);
if (ai == null)
{
return;
}
Assert.That(ai.Version, Is.EqualTo(1));
TestContext.WriteLine($"AuthzGetInformationFromContext(AuthzContextInfoUserClaims)={ai.AttributeCount}");
}
}
public static extern bool AuthzModifyClaims(
AUTHZ_CLIENT_CONTEXT_HANDLE handleClientContext,
AuthzContextInformationClass infoClass,
AuthzSecurityAttributeOperation[] claimOperation,
ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION claims);
public void ComputeEffectivePermissionWithSecondarySecurity(PSID pSid, PSID pDeviceSid, string pszServerName, SECURITY_OBJECT[] pSecurityObjects,
uint dwSecurityObjectCount, ref TOKEN_GROUPS pUserGroups, AUTHZ_SID_OPERATION[] pAuthzUserGroupsOperations, ref TOKEN_GROUPS pDeviceGroups,
AUTHZ_SID_OPERATION[] pAuthzDeviceGroupsOperations, ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzUserClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzUserClaimsOperations,
ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzDeviceClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzDeviceClaimsOperations, EFFPERM_RESULT_LIST[] pEffpermResultLists)
{
System.Diagnostics.Debug.WriteLine($"ComputeEffectivePermissionWithSecondarySecurity({dwSecurityObjectCount}):{new SecurityIdentifier((IntPtr)pSid).Value};{new SecurityIdentifier((IntPtr)pDeviceSid).Value}");
if (dwSecurityObjectCount != 1)
{
ThrowException(HRESULT.E_FAIL, new ArgumentOutOfRangeException(nameof(dwSecurityObjectCount), @"Only a single object can be computed."));
}
if (pSecurityObjects[0].Id != (uint)SECURITY_OBJECT_ID.SECURITY_OBJECT_ID_OBJECT_SD)
{
ThrowException(HRESULT.E_FAIL, new ArgumentException(@"Unexpected value.", nameof(pSecurityObjects)));
}
if (pSid == null || pSid.IsInvalid)
{
ThrowException(HRESULT.E_INVALIDARG, new ArgumentNullException(nameof(pSid)));
}
SafeAUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager;
if (!AuthzInitializeResourceManager(AuthzResourceManagerFlags.AUTHZ_RM_FLAG_NO_AUDIT, null, null, null, prov.ToString(), out hAuthzResourceManager))
{
return;
}
var identifier = new LUID();
SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzUserContext;
SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzCompoundContext = null;
if (!AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzUserContext))
{
return;
}
if (pDeviceSid != null && !pDeviceSid.IsInvalid)
{
SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzDeviceContext;
if (AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pDeviceSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzDeviceContext))
{
if (AuthzInitializeCompoundContext(hAuthzUserContext, hAuthzDeviceContext, out hAuthzCompoundContext))
{
if (pAuthzDeviceClaims.Version != 0)
{
AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims, pAuthzDeviceClaimsOperations, ref pAuthzDeviceClaims);
}
}
}
}
else
{
hAuthzCompoundContext = hAuthzUserContext;
}
if (hAuthzCompoundContext == null)
{
return;
}
if (pAuthzUserClaims.Version != 0)
{
if (!AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims, pAuthzUserClaimsOperations, ref pAuthzUserClaims))
{
return;
}
}
if (pDeviceGroups.GroupCount != 0)
{
if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceSids, pAuthzDeviceGroupsOperations, ref pDeviceGroups))
{
return;
}
}
if (pUserGroups.GroupCount != 0 && pAuthzUserGroupsOperations != null)
{
if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, pAuthzUserGroupsOperations, ref pUserGroups))
{
return;
}
}
var request = new AUTHZ_ACCESS_REQUEST(AccessTypes.MAXIMUM_ALLOWED);
var sd = pSecurityObjects[0].pData.ToStructure <SECURITY_DESCRIPTOR>();
var reply = new AUTHZ_ACCESS_REPLY(1);
SafeAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults;
if (!AuthzAccessCheck(AuthzAccessCheckFlags.NONE, hAuthzCompoundContext, ref request, null, ref sd, null, 0, reply, out phAccessCheckResults))
{
return;
}
pEffpermResultLists[0].fEvaluated = true;
pEffpermResultLists[0].pGrantedAccessList = reply.GrantedAccessMaskValues;
pEffpermResultLists[0].pObjectTypeList = new[] { OBJECT_TYPE_LIST.Self };
pEffpermResultLists[0].cObjectTypeListLength = 1;
}
public static extern bool AuthzModifyClaims(
[In] IntPtr handleClientContext,
[In] AuthzContextInformationClass infoClass,
[In] AuthzSecurityAttributeOperation[] claimOperation,
[In, Optional] ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION claims);
