/// <summary>
/// Return the token handle of a thread given its id.
/// If the thread is not impersonating, return "null".
/// </summary>
/// <param name="threadId">The system-wide thread id</param>
/// <param name="desiredAccess">The desired access to the token</param>
/// <returns>The token handle or null if the thread is not impersonating</returns>
private static IntPtr TryOpenThreadToken(int threadId, TokenAccessType desiredAccess)
{
IntPtr threadHandle = Win32.OpenThread(
ThreadAccessType.THREAD_QUERY_INFORMATION,
Win32.FALSE,
(uint)threadId);
if (threadHandle == IntPtr.Zero)
{
return(IntPtr.Zero);
}
Win32.CheckCall(threadHandle);
try
{
IntPtr handle;
BOOL rc = Win32.OpenThreadToken(threadHandle, (uint)desiredAccess, Win32.FALSE, out handle);
if (rc == Win32.FALSE)
{
return(IntPtr.Zero);
}
return(handle);
}
finally
{
Win32.CloseHandle(threadHandle);
}
}
private static IntPtr TryOpenProcessToken(int pid, TokenAccessType desiredAccess)
{
var processHandle = Win32.OpenProcess(
ProcessAccessType.PROCESS_QUERY_INFORMATION,
Win32.FALSE,
(uint)pid);
if (processHandle == IntPtr.Zero)
{
return(IntPtr.Zero);
}
Win32.CheckCall(processHandle);
try
{
IntPtr handle;
var rc = Win32.OpenProcessToken(processHandle, desiredAccess, out handle);
if (rc == Win32.FALSE)
{
return(IntPtr.Zero);
}
return(handle);
}
finally
{
Win32.CloseHandle(processHandle);
}
}
private static IntPtr OpenProcessToken(int pid, TokenAccessType desiredAccess)
{
var handle = TryOpenProcessToken(pid, desiredAccess);
if (handle == IntPtr.Zero)
Win32.ThrowLastError();
return handle;
}
private static IntPtr OpenProcessToken(int pid, TokenAccessType desiredAccess)
{
var handle = TryOpenProcessToken(pid, desiredAccess);
if (handle == IntPtr.Zero)
{
Win32.ThrowLastError();
}
return(handle);
}
private static IntPtr OpenThreadToken(int threadId, TokenAccessType desiredAccess)
{
IntPtr hToken = TryOpenThreadToken(threadId, desiredAccess);
if (hToken == IntPtr.Zero)
{
throw new NoThreadTokenException("No token on thread " + threadId);
}
return(hToken);
}
public static AccessTokenThread TryOpenToken(int pid, TokenAccessType desiredAccess)
{
IntPtr handle = TryOpenThreadToken(pid, desiredAccess);
if (handle != IntPtr.Zero)
{
return(new AccessTokenThread(handle));
}
return(null);
}
private static IntPtr TryOpenProcessToken(int pid, TokenAccessType desiredAccess)
{
var processHandle = Win32.OpenProcess(
ProcessAccessType.PROCESS_QUERY_INFORMATION,
Win32.FALSE,
(uint)pid);
if (processHandle == IntPtr.Zero)
return IntPtr.Zero;
Win32.CheckCall(processHandle);
try
{
IntPtr handle;
var rc = Win32.OpenProcessToken(processHandle, desiredAccess, out handle);
return rc == Win32.FALSE ? IntPtr.Zero : handle;
}
finally
{
Win32.CloseHandle(processHandle);
}
}
public AccessTokenThread(int threadId, TokenAccessType desiredAccess)
: base(OpenThreadToken(threadId, desiredAccess))
{
}
public AccessTokenProcess(int pid, TokenAccessType desiredAccess)
: base(OpenProcessToken(pid, desiredAccess))
{
}
public AccessTokenThread(int threadId, TokenAccessType desiredAccess)
: base(OpenThreadToken(threadId, desiredAccess))
{
}
/// <summary>
/// Gets the URI used to start the OAuth2.0 authorization flow. Passes in codeChallenge generated in this class
/// </summary>
/// <param name="oauthResponseType">The grant type requested, either <c>Token</c> or <c>Code</c>.</param>
/// <param name="clientId">The apps key, found in the
/// <a href="https://www.dropbox.com/developers/apps">App Console</a>.</param>
/// <param name="redirectUri">Where to redirect the user after authorization has completed. This must be the exact URI
/// registered in the <a href="https://www.dropbox.com/developers/apps">App Console</a>; even <c>localhost</c>
/// must be listed if it is used for testing. A redirect URI is required for a token flow, but optional for code.
/// If the redirect URI is omitted, the code will be presented directly to the user and they will be invited to enter
/// the information in your app.</param>
/// <param name="state">Up to 500 bytes of arbitrary data that will be passed back to <paramref name="redirectUri"/>.
/// This parameter should be used to protect against cross-site request forgery (CSRF).</param>
/// <param name="forceReapprove">Whether or not to force the user to approve the app again if they've already done so.
/// If <c>false</c> (default), a user who has already approved the application may be automatically redirected to
/// <paramref name="redirectUri"/>If <c>true</c>, the user will not be automatically redirected and will have to approve
/// the app again.</param>
/// <param name="disableSignup">When <c>true</c> (default is <c>false</c>) users will not be able to sign up for a
/// Dropbox account via the authorization page. Instead, the authorization page will show a link to the Dropbox
/// iOS app in the App Store. This is only intended for use when necessary for compliance with App Store policies.</param>
/// <param name="requireRole">If this parameter is specified, the user will be asked to authorize with a particular
/// type of Dropbox account, either work for a team account or personal for a personal account. Your app should still
/// verify the type of Dropbox account after authorization since the user could modify or remove the require_role
/// parameter.</param>
/// <param name="forceReauthentication"> If <c>true</c>, users will be signed out if they are currently signed in.
/// This will make sure the user is brought to a page where they can create a new account or sign in to another account.
/// This should only be used when there is a definite reason to believe that the user needs to sign in to a new or
/// different account.</param>
/// <param name="tokenAccessType">Determines the type of token to request. See <see cref="TokenAccessType" />
/// for information on specific types available. If none is specified, this will use the legacy type.</param>
/// <param name="scopeList">list of scopes to request in base oauth flow. If left blank, will default to all scopes for app</param>
/// <param name="includeGrantedScopes">which scopes to include from previous grants. Note: if this user has never linked the app, include_granted_scopes must be None</param>
/// <returns>The uri of a web page which must be displayed to the user in order to authorize the app.</returns>
public Uri GetAuthorizeUri(OAuthResponseType oauthResponseType, string clientId, string redirectUri = null, string state = null, bool forceReapprove = false, bool disableSignup = false, string requireRole = null, bool forceReauthentication = false, TokenAccessType tokenAccessType = TokenAccessType.Legacy, string[] scopeList = null, IncludeGrantedScopes includeGrantedScopes = IncludeGrantedScopes.None)
{
return(DropboxOAuth2Helper.GetAuthorizeUri(oauthResponseType, clientId, redirectUri, state, forceReapprove, disableSignup, requireRole, forceReauthentication, tokenAccessType, scopeList, includeGrantedScopes, this.CodeChallenge));
}
public static AccessTokenThread TryOpenToken(int pid, TokenAccessType desiredAccess)
{
IntPtr handle = TryOpenThreadToken (pid, desiredAccess);
if (handle != IntPtr.Zero)
return new AccessTokenThread(handle);
return null;
}
public AccessTokenProcess(int pid, TokenAccessType desiredAccess)
: base(OpenProcessToken(pid, desiredAccess))
{
}
/// <summary>
/// Gets the URI used to start the OAuth2.0 authorization flow.
/// </summary>
/// <param name="oauthResponseType">The grant type requested, either <c>Token</c> or <c>Code</c>.</param>
/// <param name="clientId">The apps key, found in the
/// <a href="https://www.dropbox.com/developers/apps">App Console</a>.</param>
/// <param name="redirectUri">Where to redirect the user after authorization has completed. This must be the exact URI
/// registered in the <a href="https://www.dropbox.com/developers/apps">App Console</a>; even <c>localhost</c>
/// must be listed if it is used for testing. A redirect URI is required for a token flow, but optional for code.
/// If the redirect URI is omitted, the code will be presented directly to the user and they will be invited to enter
/// the information in your app.</param>
/// <param name="state">Up to 500 bytes of arbitrary data that will be passed back to <paramref name="redirectUri"/>.
/// This parameter should be used to protect against cross-site request forgery (CSRF).</param>
/// <param name="forceReapprove">Whether or not to force the user to approve the app again if they've already done so.
/// If <c>false</c> (default), a user who has already approved the application may be automatically redirected to
/// <paramref name="redirectUri"/>If <c>true</c>, the user will not be automatically redirected and will have to approve
/// the app again.</param>
/// <param name="disableSignup">When <c>true</c> (default is <c>false</c>) users will not be able to sign up for a
/// Dropbox account via the authorization page. Instead, the authorization page will show a link to the Dropbox
/// iOS app in the App Store. This is only intended for use when necessary for compliance with App Store policies.</param>
/// <param name="requireRole">If this parameter is specified, the user will be asked to authorize with a particular
/// type of Dropbox account, either work for a team account or personal for a personal account. Your app should still
/// verify the type of Dropbox account after authorization since the user could modify or remove the require_role
/// parameter.</param>
/// <param name="forceReauthentication"> If <c>true</c>, users will be signed out if they are currently signed in.
/// This will make sure the user is brought to a page where they can create a new account or sign in to another account.
/// This should only be used when there is a definite reason to believe that the user needs to sign in to a new or
/// different account.</param>
/// <param name="tokenAccessType">Determines the type of token to request. See <see cref="TokenAccessType" />
/// for information on specific types available. If none is specified, this will use the legacy type.</param>
/// <param name="scopeList">list of scopes to request in base oauth flow. If left blank, will default to all scopes for app</param>
/// <param name="includeGrantedScopes">which scopes to include from previous grants. Note: if this user has never linked the app, include_granted_scopes must be None</param>
/// <returns>The uri of a web page which must be displayed to the user in order to authorize the app.</returns>
public static Uri GetAuthorizeUri(OAuthResponseType oauthResponseType, string clientId, Uri redirectUri = null, string state = null, bool forceReapprove = false, bool disableSignup = false, string requireRole = null, bool forceReauthentication = false, TokenAccessType tokenAccessType = TokenAccessType.Legacy, string[] scopeList = null, IncludeGrantedScopes includeGrantedScopes = IncludeGrantedScopes.None
)
{
if (string.IsNullOrWhiteSpace(clientId))
{
throw new ArgumentNullException("clientId");
}
if (redirectUri == null && oauthResponseType != OAuthResponseType.Code)
{
throw new ArgumentNullException("redirectUri");
}
var queryBuilder = new StringBuilder();
queryBuilder.Append("response_type=");
switch (oauthResponseType)
{
case OAuthResponseType.Token:
queryBuilder.Append("token");
break;
case OAuthResponseType.Code:
queryBuilder.Append("code");
break;
default:
throw new ArgumentOutOfRangeException("oauthResponseType");
}
queryBuilder.Append("&client_id=").Append(Uri.EscapeDataString(clientId));
if (redirectUri != null)
{
queryBuilder.Append("&redirect_uri=").Append(Uri.EscapeDataString(redirectUri.ToString()));
}
if (!string.IsNullOrWhiteSpace(state))
{
queryBuilder.Append("&state=").Append(Uri.EscapeDataString(state));
}
if (forceReapprove)
{
queryBuilder.Append("&force_reapprove=true");
}
if (disableSignup)
{
queryBuilder.Append("&disable_signup=true");
}
if (!string.IsNullOrWhiteSpace(requireRole))
{
queryBuilder.Append("&require_role=").Append(requireRole);
}
if (forceReauthentication)
{
queryBuilder.Append("&force_reauthentication=true");
}
if (tokenAccessType != TokenAccessType.Legacy)
{
queryBuilder.Append("&token_access_type=").Append(tokenAccessType.ToString().ToLower());
}
if (scopeList != null)
{
queryBuilder.Append("&scope=").Append(String.Join(" ", scopeList));
}
if (includeGrantedScopes != IncludeGrantedScopes.None)
{
queryBuilder.Append("&include_granted_scopes=").Append(includeGrantedScopes.ToString().ToLower());
}
var uriBuilder = new UriBuilder("https://www.dropbox.com/oauth2/authorize")
{
Query = queryBuilder.ToString()
};
return(uriBuilder.Uri);
}
/// <summary>
/// Gets the URI used to start the OAuth2.0 authorization flow.
/// </summary>
/// <param name="oauthResponseType">The grant type requested, either <c>Token</c> or <c>Code</c>.</param>
/// <param name="clientId">The apps key, found in the
/// <a href="https://www.dropbox.com/developers/apps">App Console</a>.</param>
/// <param name="redirectUri">Where to redirect the user after authorization has completed. This must be the exact URI
/// registered in the <a href="https://www.dropbox.com/developers/apps">App Console</a>; even <c>localhost</c>
/// must be listed if it is used for testing. A redirect URI is required for a token flow, but optional for code.
/// If the redirect URI is omitted, the code will be presented directly to the user and they will be invited to enter
/// the information in your app.</param>
/// <param name="state">Up to 500 bytes of arbitrary data that will be passed back to <paramref name="redirectUri"/>.
/// This parameter should be used to protect against cross-site request forgery (CSRF).</param>
/// <param name="forceReapprove">Whether or not to force the user to approve the app again if they've already done so.
/// If <c>false</c> (default), a user who has already approved the application may be automatically redirected to
/// <paramref name="redirectUri"/>If <c>true</c>, the user will not be automatically redirected and will have to approve
/// the app again.</param>
/// <param name="disableSignup">When <c>true</c> (default is <c>false</c>) users will not be able to sign up for a
/// Dropbox account via the authorization page. Instead, the authorization page will show a link to the Dropbox
/// iOS app in the App Store. This is only intended for use when necessary for compliance with App Store policies.</param>
/// <param name="requireRole">If this parameter is specified, the user will be asked to authorize with a particular
/// type of Dropbox account, either work for a team account or personal for a personal account. Your app should still
/// verify the type of Dropbox account after authorization since the user could modify or remove the require_role
/// parameter.</param>
/// <param name="forceReauthentication"> If <c>true</c>, users will be signed out if they are currently signed in.
/// This will make sure the user is brought to a page where they can create a new account or sign in to another account.
/// This should only be used when there is a definite reason to believe that the user needs to sign in to a new or
/// different account.</param>
/// <param name="tokenAccessType">Determines the type of token to request. See <see cref="TokenAccessType" />
/// for information on specific types available. If none is specified, this will use the legacy type.</param>
/// <param name="scopeList">list of scopes to request in base oauth flow. If left blank, will default to all scopes for app</param>
/// <param name="includeGrantedScopes">which scopes to include from previous grants. Note: if this user has never linked the app, include_granted_scopes must be None</param>
/// <returns>The uri of a web page which must be displayed to the user in order to authorize the app.</returns>
public static Uri GetAuthorizeUri(OAuthResponseType oauthResponseType, string clientId, string redirectUri = null, string state = null, bool forceReapprove = false, bool disableSignup = false, string requireRole = null, bool forceReauthentication = false, TokenAccessType tokenAccessType = TokenAccessType.Legacy, string[] scopeList = null, IncludeGrantedScopes includeGrantedScopes = IncludeGrantedScopes.None)
{
var uri = string.IsNullOrEmpty(redirectUri) ? null : new Uri(redirectUri);
return(GetAuthorizeUri(oauthResponseType, clientId, uri, state, forceReapprove, disableSignup, requireRole, forceReauthentication, tokenAccessType, scopeList, includeGrantedScopes));
}
/// <summary>
/// Return the token handle of a thread given its id.
/// If the thread is not impersonating, return "null".
/// </summary>
/// <param name="threadId">The system-wide thread id</param>
/// <param name="desiredAccess">The desired access to the token</param>
/// <returns>The token handle or null if the thread is not impersonating</returns>
private static IntPtr TryOpenThreadToken(int threadId, TokenAccessType desiredAccess)
{
IntPtr threadHandle = Win32.OpenThread(
ThreadAccessType.THREAD_QUERY_INFORMATION,
Win32.FALSE,
(uint)threadId);
if (threadHandle == IntPtr.Zero)
return IntPtr.Zero;
Win32.CheckCall(threadHandle);
try
{
IntPtr handle;
BOOL rc = Win32.OpenThreadToken(threadHandle, (uint)desiredAccess, Win32.FALSE, out handle);
if (rc == Win32.FALSE)
return IntPtr.Zero;
return handle;
}
finally
{
Win32.CloseHandle(threadHandle);
}
}
private static IntPtr OpenThreadToken(int threadId, TokenAccessType desiredAccess)
{
IntPtr hToken = TryOpenThreadToken(threadId, desiredAccess);
if (hToken == IntPtr.Zero)
throw new NoThreadTokenException("No token on thread " + threadId);
return hToken;
}
public static extern BOOL OpenProcessToken(HANDLE hProcess, TokenAccessType dwDesiredAccess, out HANDLE hToken);
public static extern BOOL OpenProcessToken(HANDLE hProcess, TokenAccessType dwDesiredAccess, out HANDLE hToken);
