Exemplo n.º 1
0
        /// <summary>Adds or replaces claims in the specified Authz Client Context.</summary>
        /// <remarks>
        /// This method invokes AuthzModifyClaims, modifying the claims using AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE. This ensures that the values of a
        /// claims that already exists are replaces and the ones not present are added.
        /// </remarks>
        /// <param name="handleClientContext">Handle to the Authz Client Context to be modified</param>
        /// <returns>Win32Error.ERROR_SUCCESS on success and Win32 error code otherwise.</returns>
        public int ApplyClaims(SafeAUTHZ_CLIENT_CONTEXT_HANDLE handleClientContext)
        {
            var claimInfo = new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(new AUTHZ_SECURITY_ATTRIBUTE_V1[Count]);
            var i         = 0;

            foreach (var claim in this)
            {
                claimInfo.pAttributeV1[i]       = claim.Value.attr;
                claimInfo.pAttributeV1[i].pName = claim.Key;
                i++;
            }

            AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] claimOps = null;
            if (claimInfo.AttributeCount != 0)
            {
                claimOps = new AUTHZ_SECURITY_ATTRIBUTE_OPERATION[claimInfo.AttributeCount];
                for (var Idx = 0; Idx < claimInfo.AttributeCount; ++Idx)
                {
                    claimOps[Idx] = AUTHZ_SECURITY_ATTRIBUTE_OPERATION.AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE;
                }
            }

            if (!AuthzModifyClaims(handleClientContext,
                                   claimDefnType == ClaimDefinitionType.User ? AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims : AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims,
                                   claimOps, claimInfo))
            {
                return(Marshal.GetLastWin32Error());
            }

            return(Win32Error.ERROR_SUCCESS);
        }
Exemplo n.º 2
0
        public void AuthzAddSidsToContextTest()
        {
            using SafePSID everyoneSid = ConvertStringSidToSid("S-1-1-0");
            using SafePSID localSid    = ConvertStringSidToSid("S-1-2-0");
            SID_AND_ATTRIBUTES sids           = new() { Sid = everyoneSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED };
            SID_AND_ATTRIBUTES restrictedSids = new() { Sid = localSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED };

            using SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM = GetAuthzInitializeResourceManager();
            using SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx  = GetCurrentUserAuthContext(hRM);
            Assert.That(AuthzAddSidsToContext(hCtx, sids, 1, restrictedSids, 1, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE hNewCtx), ResultIs.Successful);
        }

        [Test]
Exemplo n.º 3
0
        public void AuthzAccessCheckAndCachedTest()
        {
            using SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM = GetAuthzInitializeResourceManager();
            using SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx  = GetCurrentUserAuthContext(hRM);
            using SafeAUTHZ_AUDIT_EVENT_HANDLE hEvt     = GetAuthzInitializeObjectAccessAuditEvent();
            using SafePSECURITY_DESCRIPTOR psd          = AdvApi32Tests.GetSD(TestCaseSources.SmallFile);
            using AUTHZ_ACCESS_REPLY reply = new(1);
            AUTHZ_ACCESS_REQUEST req = new(ACCESS_MASK.MAXIMUM_ALLOWED);

            Assert.That(AuthzAccessCheck(AuthzAccessCheckFlags.NONE, hCtx, req, hEvt, psd, null, 0, reply, out SafeAUTHZ_ACCESS_CHECK_RESULTS_HANDLE hRes), ResultIs.Successful);
            Assert.That(reply.GrantedAccessMask, Is.Not.EqualTo(IntPtr.Zero));
            TestContext.WriteLine($"Access:{string.Join(",", reply.GrantedAccessMaskValues.Select(u => ((FileAccess)u).ToString()))}");

            Assert.That(AuthzCachedAccessCheck(0, hRes, req, default, reply), Is.True);
Exemplo n.º 4
0
        public static SafeHGlobalHandle GetCtxInfo(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS type)
        {
            bool b = AuthzGetInformationFromContext(hCtx, type, 0, out uint szReq, IntPtr.Zero);

            if (!b && Win32Error.GetLastError() != Win32Error.ERROR_INSUFFICIENT_BUFFER)
            {
                TestContext.WriteLine($"AuthzGetInformationFromContext:{Win32Error.GetLastError()}");
            }

            Assert.That(!b);
            if (szReq == 0)
            {
                return(SafeHGlobalHandle.Null);
            }

            SafeHGlobalHandle buf = new((int)szReq);

            Assert.That(AuthzGetInformationFromContext(hCtx, type, szReq, out _, buf), ResultIs.Successful);
            return(buf);
        }
Exemplo n.º 5
0
        public void ComputeEffectivePermissionWithSecondarySecurity(PSID pSid, PSID pDeviceSid, string pszServerName, SECURITY_OBJECT[] pSecurityObjects,
                                                                    uint dwSecurityObjectCount, ref TOKEN_GROUPS pUserGroups, AUTHZ_SID_OPERATION[] pAuthzUserGroupsOperations, ref TOKEN_GROUPS pDeviceGroups,
                                                                    AUTHZ_SID_OPERATION[] pAuthzDeviceGroupsOperations, ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzUserClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzUserClaimsOperations,
                                                                    ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzDeviceClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzDeviceClaimsOperations, EFFPERM_RESULT_LIST[] pEffpermResultLists)
        {
            System.Diagnostics.Debug.WriteLine($"ComputeEffectivePermissionWithSecondarySecurity({dwSecurityObjectCount}):{new SecurityIdentifier((IntPtr)pSid).Value};{new SecurityIdentifier((IntPtr)pDeviceSid).Value}");
            if (dwSecurityObjectCount != 1)
            {
                ThrowException(HRESULT.E_FAIL, new ArgumentOutOfRangeException(nameof(dwSecurityObjectCount), @"Only a single object can be computed."));
            }
            if (pSecurityObjects[0].Id != (uint)SECURITY_OBJECT_ID.SECURITY_OBJECT_ID_OBJECT_SD)
            {
                ThrowException(HRESULT.E_FAIL, new ArgumentException(@"Unexpected value.", nameof(pSecurityObjects)));
            }
            if (pSid == null || pSid.IsInvalid)
            {
                ThrowException(HRESULT.E_INVALIDARG, new ArgumentNullException(nameof(pSid)));
            }

            SafeAUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager;

            if (!AuthzInitializeResourceManager(AuthzResourceManagerFlags.AUTHZ_RM_FLAG_NO_AUDIT, null, null, null, prov.ToString(), out hAuthzResourceManager))
            {
                return;
            }

            var identifier = new LUID();
            SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzUserContext;
            SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzCompoundContext = null;

            if (!AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzUserContext))
            {
                return;
            }

            if (pDeviceSid != null && !pDeviceSid.IsInvalid)
            {
                SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzDeviceContext;
                if (AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pDeviceSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzDeviceContext))
                {
                    if (AuthzInitializeCompoundContext(hAuthzUserContext, hAuthzDeviceContext, out hAuthzCompoundContext))
                    {
                        if (pAuthzDeviceClaims.Version != 0)
                        {
                            AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims, pAuthzDeviceClaimsOperations, ref pAuthzDeviceClaims);
                        }
                    }
                }
            }
            else
            {
                hAuthzCompoundContext = hAuthzUserContext;
            }

            if (hAuthzCompoundContext == null)
            {
                return;
            }

            if (pAuthzUserClaims.Version != 0)
            {
                if (!AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims, pAuthzUserClaimsOperations, ref pAuthzUserClaims))
                {
                    return;
                }
            }

            if (pDeviceGroups.GroupCount != 0)
            {
                if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceSids, pAuthzDeviceGroupsOperations, ref pDeviceGroups))
                {
                    return;
                }
            }

            if (pUserGroups.GroupCount != 0 && pAuthzUserGroupsOperations != null)
            {
                if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, pAuthzUserGroupsOperations, ref pUserGroups))
                {
                    return;
                }
            }

            var request = new AUTHZ_ACCESS_REQUEST(AccessTypes.MAXIMUM_ALLOWED);
            var sd      = pSecurityObjects[0].pData.ToStructure <SECURITY_DESCRIPTOR>();
            var reply   = new AUTHZ_ACCESS_REPLY(1);
            SafeAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults;

            if (!AuthzAccessCheck(AuthzAccessCheckFlags.NONE, hAuthzCompoundContext, ref request, null, ref sd, null, 0, reply, out phAccessCheckResults))
            {
                return;
            }

            pEffpermResultLists[0].fEvaluated            = true;
            pEffpermResultLists[0].pGrantedAccessList    = reply.GrantedAccessMaskValues;
            pEffpermResultLists[0].pObjectTypeList       = new[] { OBJECT_TYPE_LIST.Self };
            pEffpermResultLists[0].cObjectTypeListLength = 1;
        }