public void AddResourceAttributeAceTest()
{
using (var pNewSacl = new SafePACL(256))
{
using (var capId = new SafePSID("S-1-17-22"))
Assert.That(AddScopedPolicyIDAce(pNewSacl, ACL_REVISION, 0, 0, capId), ResultIs.Successful);
var attrValues = new[] { 12L, 32L };
using (var pattrValues = SafeHGlobalHandle.CreateFromList(attrValues))
{
var csattr = new CLAIM_SECURITY_ATTRIBUTE_V1
{
Name = "Int",
ValueType = CLAIM_SECURITY_ATTRIBUTE_TYPE.CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64,
ValueCount = (uint)attrValues.Length,
Values = new CLAIM_SECURITY_ATTRIBUTE_V1.VALUESUNION {
pInt64 = (IntPtr)pattrValues
}
};
var attr = new[] { csattr };
using (var pattr = SafeHGlobalHandle.CreateFromList(attr))
{
var csi = CLAIM_SECURITY_ATTRIBUTES_INFORMATION.Default;
csi.AttributeCount = (uint)attr.Length;
csi.Attribute.pAttributeV1 = (IntPtr)pattr;
var len = 0U;
Assert.That(AddResourceAttributeAce(pNewSacl, ACL_REVISION, 0, 0, SafePSID.Everyone, csi, ref len), ResultIs.Successful);
}
}
}
}
public void PSIDTest()
{
var sid = GetCurrentSid();
Assert.That(!sid.IsInvalid);
Assert.That(sid.IsValidSid);
Assert.That(sid.ToString(), Does.StartWith("S-1-5"));
var sid2 = new SafePSID(sid);
Assert.That(!sid2.IsInvalid);
Assert.That(sid2.ToString(), Is.EqualTo(sid.ToString()));
var sid3 = new SafePSID("S-1-1-0");
var id2 = new SecurityIdentifier((IntPtr)sid3);
Assert.That(id2.IsWellKnown(WellKnownSidType.WorldSid));
var sid4 = new SafePSID(100);
Assert.That(!sid4.IsClosed);
Assert.That(!sid4.IsValidSid);
Assert.That((int)sid4.Size, Is.EqualTo(100));
sid4.Dispose();
Assert.That(sid4.IsClosed);
Assert.That((int)sid4.Size, Is.EqualTo(0));
Assert.That(sid.Equals("X"), Is.False);
Assert.That(sid.Equals(sid3), Is.False);
}
/// <summary>Copies the specified SID from a memory pointer to a <see cref="SafePSID"/> instance.</summary>
/// <param name="psid">The SID pointer. This value remains the responsibility of the caller to release.</param>
/// <returns>A <see cref="SafePSID"/> instance.</returns>
public static SafePSID CreateFromPtr(IntPtr psid)
{
var newSid = new SafePSID(GetLengthSid(psid));
CopySid(newSid.Size, newSid.handle, psid);
return(newSid);
}
public void AllocateAndInitializeSidTest()
{
var b = AllocateAndInitializeSid(KnownSIDAuthority.SECURITY_WORLD_SID_AUTHORITY, 1, KnownSIDRelativeID.SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, out var pSid);
Assert.That(b);
var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
var esid = new byte[everyone.BinaryLength];
everyone.GetBinaryForm(esid, 0);
var peSid = new SafeByteArray(esid);
Assert.That(EqualSid(pSid, (IntPtr)peSid));
ConvertStringSidToSid("S-1-2-0", out var lsid);
Assert.That(EqualSid(pSid, (IntPtr)lsid), Is.False);
string s = null;
Assert.That(IsValidSid(pSid), Is.True);
Assert.That(() => s = ConvertSidToStringSid(pSid), Throws.Nothing);
Assert.That(s, Is.EqualTo("S-1-1-0"));
Assert.That(GetSidSubAuthority(pSid, 0), Is.EqualTo(0));
var len = GetLengthSid(pSid);
var p2 = new SafePSID(len);
b = CopySid(len, (IntPtr)p2, pSid);
Assert.That(EqualSid(p2, pSid));
Assert.That(b);
}
public static bool LookupAccountName(string systemName, string accountName, out SafePSID sid, out string domainName, out SID_NAME_USE snu)
{
var sb = new StringBuilder(1024);
sid = new SafePSID(256);
var sidSz = sid.Size;
var sbSz = sb.Capacity;
var ret = LookupAccountName(systemName, accountName, sid, ref sidSz, sb, ref sbSz, out snu);
domainName = sb.ToString();
return(ret);
}
public static bool GetWindowsAccountDomainSid(PSID pSid, out SafePSID pDomainSid)
{
uint sz = 0;
if (!GetWindowsAccountDomainSid(pSid, SafePSID.Null, ref sz) && sz == 0)
{
pDomainSid = SafePSID.Null;
return(false);
}
pDomainSid = new SafePSID(sz);
return(GetWindowsAccountDomainSid(pSid, pDomainSid, ref sz));
}
public void AuthzAddSidsToContextTest()
{
using SafePSID everyoneSid = ConvertStringSidToSid("S-1-1-0");
using SafePSID localSid = ConvertStringSidToSid("S-1-2-0");
SID_AND_ATTRIBUTES sids = new() { Sid = everyoneSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED };
SID_AND_ATTRIBUTES restrictedSids = new() { Sid = localSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED };
using SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM = GetAuthzInitializeResourceManager();
using SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx = GetCurrentUserAuthContext(hRM);
Assert.That(AuthzAddSidsToContext(hCtx, sids, 1, restrictedSids, 1, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE hNewCtx), ResultIs.Successful);
}
[Test]
/****************************************************************************++
*
* Description :
*
* This function creates a well known sid using User domain. CreateWellKnownSid requires
* domain sid to be provided to generate such sids. This function first gets the domain sid
* out of the user information in the token and then generate a well known sid.
*
* Arguments:
*
* hToken - [supplies] The token for which sid has to be generated
* sidType - [supplies] The type of well known sid
* pSid - [receives] The newly create sid
* pdwSidSize - [Supplies/Receives] The size of the memory allocated for ppSid
*
* Returns:
*
* Errors returned by GetTokenInformation
* Errors returned by CreateWellKnownSid
* E_OUTOFMEMORY In case there is not enough memory
* Errors returned by GetWindowsAccountDomainSid
* --***************************************************************************/
static SafePSID CreateWellKnownSidForAccount(HTOKEN hToken, WELL_KNOWN_SID_TYPE sidType)
{
var hTok = new SafeHTOKEN((IntPtr)hToken, false);
using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);
//
// Now get the domain sid from the TokenUser
//
Win32Error.ThrowLastErrorIfFalse(GetWindowsAccountDomainSid(pUserToken.ToStructure <TOKEN_USER>().User.Sid, out var pDomainSid));
return(SafePSID.CreateWellKnown(sidType, pDomainSid));
}
/// <summary>Gets the SID for an ACE.</summary>
/// <param name="pAce">A pointer to an ACE.</param>
/// <returns>The SID value.</returns>
/// <exception cref="ArgumentNullException">pAce</exception>
public static SafePSID GetSid(this PACE pAce)
{
if (pAce.IsNull)
{
throw new ArgumentNullException(nameof(pAce));
}
var offset = Marshal.SizeOf(typeof(ACE_HEADER)) + sizeof(uint);
if (pAce.IsObjectAce())
{
offset += sizeof(uint) + Marshal.SizeOf(typeof(Guid)) * 2;
}
return(SafePSID.CreateFromPtr(pAce.DangerousGetHandle().Offset(offset)));
}
private PSID GetSid(string accountName)
{
int sidSize = 0, nameSize = 0;
LookupAccountName(svr, accountName, SafePSID.Null, ref sidSize, null, ref nameSize, out var accountType);
var domainName = new System.Text.StringBuilder(nameSize);
var sid = new SafePSID(sidSize);
if (!LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, out accountType))
{
throw new System.ComponentModel.Win32Exception();
}
return(sid);
}
public void InitTest()
{
var sid = GetCurrentSid();
var sidStr = sid.ToString();
Assert.That(sidStr, Does.StartWith("S-1-5-"));
var ssid = sid.ToString().Substring(6).Split('-').Select(int.Parse).ToArray();
var i = ssid[0];
var dest = new int[ssid.Length - 1];
Array.Copy(ssid, 1, dest, 0, ssid.Length - 1);
var sid2 = SafePSID.Init(KnownSIDAuthority.SECURITY_NT_AUTHORITY, i, dest);
Assert.That(sid2.IsValidSid);
Assert.That(sid, Is.EqualTo(sid2));
}
/// <summary>Creates a SID for predefined aliases.</summary>
/// <param name="WellKnownSidType">Member of the WELL_KNOWN_SID_TYPE enumeration that specifies what the SID will identify.</param>
/// <param name="DomainSid">
/// A pointer to a SID that identifies the domain to use when creating the SID. Pass <c>PSID.NULL</c> to use the local computer.
/// </param>
/// <returns>A <see cref="SafePSID"/> instance.</returns>
public static SafePSID CreateWellKnown(WELL_KNOWN_SID_TYPE sidType, PSID domainSid = default)
{
var sz = 0U;
CreateWellKnownSid(sidType, domainSid, Null, ref sz);
if (sz == 0)
{
Win32Error.ThrowLastError();
}
var newSid = new SafePSID((int)sz);
if (!CreateWellKnownSid(sidType, domainSid, newSid, ref sz))
{
Win32Error.ThrowLastError();
}
return(newSid);
}
public void EqualsTest()
{
var ssid = new SafePSID("S-1-1-0");
var esid = SafePSID.Everyone;
var mesid = SafePSID.Current;
Assert.That(ssid == esid, Is.True);
Assert.That(ssid != mesid, Is.True);
Assert.That(ssid.Equals(null), Is.False);
Assert.That(ssid == null, Is.False);
Assert.That(ssid.Equals((PSID)esid), Is.True);
Assert.That(ssid.Equals((IntPtr)esid), Is.True);
Assert.That(ssid.Equals((object)esid), Is.True);
Assert.That(ssid.Equals((object)(PSID)esid), Is.True);
Assert.That(ssid.Equals((object)(IntPtr)esid), Is.True);
Assert.That(ssid.Equals((object)54), Is.False);
}
public void AuditQuerySetGlobalSaclTest()
{
Assert.That(AuditQueryGlobalSacl("Key", out var orig), Is.True);
var psid = SafePSID.CreateWellKnown(WELL_KNOWN_SID_TYPE.WinWorldSid);
var explAcc = new EXPLICIT_ACCESS
{
grfAccessMode = ACCESS_MODE.SET_AUDIT_SUCCESS,
grfAccessPermissions = 0x20006 /* KEY_WRITE */,
grfInheritance = INHERIT_FLAGS.NO_INHERITANCE,
Trustee = new TRUSTEE(psid, TRUSTEE_TYPE.TRUSTEE_IS_WELL_KNOWN_GROUP)
};
SetEntriesInAcl(1, new[] { explAcc }, PACL.NULL, out var newAcl).ThrowIfFailed();
Assert.That(AuditSetGlobalSacl("Key", newAcl), Is.True);
Assert.That(AuditSetGlobalSacl("Key", orig), Is.True);
}
public void AuthzModifySidsTest()
{
using (var hRM = GetAuthzInitializeResourceManager())
using (var hCtx = GetCurrentUserAuthContext(hRM))
{
var tg = new TOKEN_GROUPS(1);
var psid = new SafePSID("S-1-5-32-551");
tg.Groups[0] = new SID_AND_ATTRIBUTES {
Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED, Sid = (IntPtr)psid
};
var b = AuthzModifySids(hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, new[] { AUTHZ_SID_OPERATION.AUTHZ_SID_OPERATION_ADD }, in tg);
if (!b)
{
TestContext.WriteLine($"AuthzModifySids:{Win32Error.GetLastError()}");
}
Assert.That(b);
}
}
public void SetNamedSecurityInfoTest()
{
using (var pSD = GetSD(fn))
{
Assert.That(GetSecurityDescriptorOwner(pSD, out var owner, out var def));
Assert.That((IntPtr)owner, Is.Not.EqualTo(IntPtr.Zero));
var admins = new SafePSID("S-1-5-32-544");
var err = SetNamedSecurityInfo(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION, admins, PSID.NULL, IntPtr.Zero, IntPtr.Zero);
if (err.Failed)
{
TestContext.WriteLine($"SetNamedSecurityInfo failed: {err}");
}
Assert.That(err.Succeeded);
err = SetNamedSecurityInfo(fn, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION, owner, PSID.NULL, IntPtr.Zero, IntPtr.Zero);
if (err.Failed)
{
TestContext.WriteLine($"SetNamedSecurityInfo failed: {err}");
}
Assert.That(err.Succeeded);
}
}
private static bool GetAccountSid(string SystemName, string AccountName, out SafePSID Sid)
{
var cbSid = 128; // initial allocation attempt
var cchReferencedDomain = 16; // initial allocation size
//
// initial memory allocations
//
Sid = new SafePSID(cbSid);
var ReferencedDomain = new StringBuilder(cchReferencedDomain);
//
// Obtain the SID of the specified account on the specified system.
//
while (!LookupAccountName(SystemName, AccountName, Sid, ref cbSid, ReferencedDomain, ref cchReferencedDomain, out _))
{
if (Win32Error.GetLastError() == Win32Error.ERROR_INSUFFICIENT_BUFFER)
{
//
// reallocate memory
//
Sid.Size = cbSid;
ReferencedDomain.Capacity = cchReferencedDomain;
}
else
{
return(false);
}
}
//
// Indicate success.
//
return(true);
}
/// <summary>Indicates whether the current object is equal to another object of the same type.</summary> /// <param name="other">An object to compare with this object.</param> /// <returns>true if the current object is equal to the <paramref name="other"/> parameter; otherwise, false.</returns> public bool Equals(SafePSID other) => EqualSid(this, other);
public void ToStringTest()
{
var sid = SafePSID.Init(KnownSIDAuthority.SECURITY_WORLD_SID_AUTHORITY, KnownSIDRelativeID.SECURITY_WORLD_RID);
Assert.That(sid.ToString(), Is.EqualTo("S-1-1-0"));
}
/****************************************************************************++
*
* Routine Description:
*
* Verifies whether specified well-known SID is in the current user token
*
* Arguments:
*
* sid - one of the WELL_KNOWN_SID_TYPE consts
* hToken - Optional the token for which we want to test membership
* pfMember - [Receives] TRUE if specified sid is a member of the user token, false otherwise
*
* Notes:
*
* -
*
* Return Value:
*
* Errors returned by CreateWellKnownSid
* Errors returned by CheckTokenMembership
* --*****************************************************************************/
static HRESULT IsMemberOf(WELL_KNOWN_SID_TYPE sid, HTOKEN hToken, out bool pfMember)
{
pfMember = false;
try
{
var hTok = new SafeHTOKEN((IntPtr)hToken, false);
using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);
SafePSID pSID = null;
try
{
//
// create SID for the authenticated users
//
pSID = SafePSID.CreateWellKnown(sid);
}
catch
{
//
// In case of invalid-arg we might need to provide the domain, so create well known sid for domain
//
pSID = CreateWellKnownSidForAccount(hToken, sid);
}
//
// check whether token has this sid
//
if (!CheckTokenMembership(hToken, pSID, out pfMember))
{
var hr = Win32Error.GetLastError().ToHRESULT();
// just to be on the safe side (as we don't know that CheckTokenMembership
// does not modify fAuthenticated in case of error)
pfMember = false;
if (hr == HRESULT.E_ACCESSDENIED && hToken.IsNull)
{
// unable to query the thread token. Open as self and try again
using var ttok = SafeHTOKEN.FromThread(GetCurrentThread(), TokenAccess.TOKEN_QUERY);
{
if (CheckTokenMembership(ttok, pSID, out pfMember))
{
return(HRESULT.S_OK);
}
else
{
// stick with the original error code, but ensure that fMember is correct
pfMember = false;
}
}
}
}
return(HRESULT.S_OK);
}
catch (Exception ex)
{
var hr = HRESULT.FromException(ex);
if (hr == (HRESULT)Win32Error.ERROR_NON_ACCOUNT_SID)
{
return(HRESULT.S_OK);
}
return(hr);
}
}
static void Main(string[] args)
{
if (args.Length < 1)
{
Console.WriteLine("Please specify a SID.");
}
var sidString = args[0];
var success = Authz.AuthzInitializeResourceManager(Authz.AuthzResourceManagerFlags.AUTHZ_RM_FLAG_NO_AUDIT, null, null, null, "", out var rm);
if (!success)
{
ReportLastError("AuthzInitializeResourceManager");
return;
}
var sid = new SecurityIdentifier(sidString);
var sidBytes = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidBytes, 0);
var psid = new SafePSID(sidBytes);
success = Authz.AuthzInitializeContextFromSid(Authz.AuthzContextFlags.DEFAULT, psid, rm, IntPtr.Zero, new LUID(), IntPtr.Zero, out var context);
if (!success)
{
ReportLastError("AuthzInitializeContextFromSid");
Authz.AuthzFreeResourceManager(rm);
return;
}
success = Authz.AuthzGetInformationFromContext(context, Authz.AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, 0, out var sizeRequired, IntPtr.Zero);
if (!success && Win32Error.GetLastError() != Win32Error.ERROR_INSUFFICIENT_BUFFER)
{
ReportLastError("AuthzGetInformationFromContext part 1");
Authz.AuthzFreeContext(context);
Authz.AuthzFreeResourceManager(rm);
return;
}
if (sizeRequired == 0)
{
Console.WriteLine("No context information available?");
Authz.AuthzFreeContext(context);
Authz.AuthzFreeResourceManager(rm);
return;
}
uint size = sizeRequired;
var buffer = new SafeHGlobalHandle(size);
success = Authz.AuthzGetInformationFromContext(context, Authz.AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, size, out sizeRequired, buffer);
if (!success)
{
ReportLastError("AuthzGetInformationFromContext part 2");
Authz.AuthzFreeContext(context);
Authz.AuthzFreeResourceManager(rm);
return;
}
var tokenGroups = buffer.ToArray <TOKEN_GROUPS>(1);
for (var i = 0; i < tokenGroups[0].GroupCount; i++)
{
var tokenGroup = tokenGroups[0].Groups[i];
var thisSid = new SecurityIdentifier(tokenGroup.Sid.GetBinaryForm(), 0);
string accountName = null;
try
{
accountName = thisSid.Translate(typeof(NTAccount)).Value;
}
catch
{ }
Console.WriteLine($"{thisSid} {accountName ?? tokenGroup.ToString()}");
}
}
public void GetBinaryForm()
{
var sid = new SafePSID("S-1-1-0");
Assert.That(sid.GetBinaryForm(), Is.EquivalentTo(new SecurityIdentifier(WellKnownSidType.WorldSid, null).GetBytes()));
}
public static extern bool CreateWellKnownSid(WELL_KNOWN_SID_TYPE WellKnownSidType, PSID DomainSid, SafePSID pSid, ref uint cbSid);
/// <summary>Indicates whether the current object is equal to another object of the same type.</summary> /// <param name="other">An object to compare with this object.</param> /// <returns>true if the current object is equal to the <paramref name="other"/> parameter; otherwise, false.</returns> public bool Equals(SafePSID other) => other != null && (ReferenceEquals(this, other) || EqualSid(this, other));
public void _Setup()
{
hPol = LsaOpenPolicy(LsaPolicyRights.POLICY_ALL_ACCESS);
pSid = SafePSID.Current;
}
public static extern bool GetWindowsAccountDomainSid(PSID pSid, SafePSID pDomainSid, ref uint cbDomainSid);
public void _SetupTests()
{
pCurSid = SafePSID.Current;
secPriv = new ElevPriv(new[] { "SeSecurityPrivilege", "SeAuditPrivilege" });
}
public static extern bool LookupAccountName(string lpSystemName, string lpAccountName, SafePSID Sid, ref int cbSid,
StringBuilder ReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse);
public void InitializeSidTest()
{
using (var pSid = new SafePSID(32))
Assert.That(InitializeSid(pSid, KnownSIDAuthority.SECURITY_LOCAL_SID_AUTHORITY, 2), ResultIs.Successful);
}