public int SetSecurity(SecurityInfos requestInformation, IntPtr securityDescriptor)
{
string s = NativeMethods.GetSecurityDescriptor(securityDescriptor, requestInformation);
this.SecurityDescriptor = new RawSecurityDescriptor(s);
return(S_OK);
}
public static byte[] ComputeHash(GenericSecurityDescriptor securityDescriptor)
{
Validator.AssertNotNull(securityDescriptor, "securityDescriptor");
// Convert to binary form. We have to use double conversion, because .NET returns the SD in different order than Win32 API used by AD.
string stringSecurityDescriptor = securityDescriptor.GetSddlForm(AccessControlSections.All);
return(ComputeHash(stringSecurityDescriptor));
}
/// <summary>Returns an array of byte values that represents the information contained in this <see cref="GenericSecurityDescriptor"/> object.</summary>
/// <param name="sd">The <see cref="GenericSecurityDescriptor"/> object.</param>
/// <returns>The byte array into which the contents of the <see cref="GenericSecurityDescriptor"/> is marshaled.</returns>
public static byte[] GetBinaryForm(this GenericSecurityDescriptor sd)
{
if (sd == null)
{
throw new ArgumentNullException(nameof(sd));
}
var bin = new byte[sd.BinaryLength];
sd.GetBinaryForm(bin, 0);
return(bin);
}
public BasicSecurityInformation(SiObjectInfoFlags flags, string objectName,
List <SiAccess> accessRights, GenericSecurityDescriptor intitalSd, GenericMapping mapping,
string serverName = null, string pageTitle = null)
{
this.flags = flags;
this.objectName = objectName;
this.serverName = serverName;
this.pageTitle = pageTitle;
this.accessRights = accessRights.ToArray();
this.SecurityDescriptor = intitalSd;
this.mapping = mapping;
}
public SafeSecurityDescriptor(GenericSecurityDescriptor sd) : base(SdToArray(sd))
{
}
private static byte[] SdToArray(GenericSecurityDescriptor sd)
{
byte[] ret = new byte[sd.BinaryLength];
sd.GetBinaryForm(ret, 0);
return(ret);
}
public void SetSecurityDescriptor([NotNull] GenericSecurityDescriptor sd, SecurityInfos includeSections = Task.defaultSecurityInfosSections)
{
SetSecurityDescriptorSddlForm(sd.GetSddlForm((AccessControlSections)includeSections));
}
public TaskFolder CreateFolder([NotNull] string subFolderName, GenericSecurityDescriptor sd) => CreateFolder(subFolderName, sd == null ? null : sd.GetSddlForm(Task.defaultAccessControlSections));
/// <summary>
/// Sets the security descriptor for the folder. Not available to Task Scheduler 1.0.
/// </summary>
/// <param name="sd"> The security descriptor for the folder. </param>
/// <param name="includeSections"> Section(s) of the security descriptor to set. </param>
public void SetSecurityDescriptor(GenericSecurityDescriptor sd, AccessControlSections includeSections)
{
SetSecurityDescriptorSddlForm(sd.GetSddlForm(includeSections), includeSections);
}
/// <summary>
/// Creates a folder for related tasks. Not available to Task Scheduler 1.0.
/// </summary>
/// <param name="subFolderName">
/// The name used to identify the folder. If "FolderName\SubFolder1\SubFolder2" is specified, the entire folder tree will be created if the folders do not exist. This parameter can be a relative path to the current
/// <see
/// cref="TaskFolder" />
/// instance. The root task folder is specified with a backslash (\). An example of a task folder path, under the root task folder, is \MyTaskFolder. The '.' character cannot be used to specify the current task folder and the '..' characters cannot be used to specify the parent task folder in the path.
/// </param>
/// <param name="sd"> The security descriptor associated with the folder. </param>
/// <returns>
/// A <see cref="TaskFolder" /> instance that represents the new subfolder.
/// </returns>
public TaskFolder CreateFolder(string subFolderName, GenericSecurityDescriptor sd)
{
return(CreateFolder(subFolderName, sd.GetSddlForm(AccessControlSections.All)));
}
internal static byte[] ToBytes(this GenericSecurityDescriptor s)
{
byte[] b = new byte[s.BinaryLength];
s.GetBinaryForm(b, 0);
return(b);
}
public ObjectAttributes(string object_name, AttributeFlags attributes, SafeKernelObjectHandle root, SecurityQualityOfService sqos, GenericSecurityDescriptor security_descriptor)
{
Length = Marshal.SizeOf(this);
if (object_name != null)
{
ObjectName = AllocStruct(new UnicodeString(object_name));
}
Attributes = attributes;
if (sqos != null)
{
SecurityQualityOfService = AllocStruct(sqos);
}
if (root != null)
{
RootDirectory = root.DangerousGetHandle();
}
if (security_descriptor != null)
{
byte[] sd_binary = new byte[security_descriptor.BinaryLength];
security_descriptor.GetBinaryForm(sd_binary, 0);
SecurityDescriptor = Marshal.AllocHGlobal(sd_binary.Length);
Marshal.Copy(sd_binary, 0, SecurityDescriptor, sd_binary.Length);
}
}
/// <summary>
/// Returns a value indicating if the principal is authorized for the requested access in any given security descriptor. The access evaluated is the logical concatination of all the supplied security descriptors
/// </summary>
/// <param name="securityDescriptors">The security descriptors to check</param>
/// <param name="requestedAccessMask">The access mask desired</param>
/// <param name="selfSid">The SID to use when the security descriptor contains the 'SELF' principal</param>
/// <returns>True if the request is allowed, false if it is denied.</returns>
public bool AccessCheck(IList <GenericSecurityDescriptor> securityDescriptors, int requestedAccessMask, SecurityIdentifier selfSid)
{
if (securityDescriptors == null)
{
throw new ArgumentNullException(nameof(securityDescriptors));
}
if (securityDescriptors.Count == 0)
{
return(false);
}
GenericSecurityDescriptor primarySecurityDescriptor = securityDescriptors[0];
List <GenericSecurityDescriptor> otherSecurityDescriptors = securityDescriptors.ToList();
otherSecurityDescriptors.RemoveAt(0);
byte[] primarySecurityDescriptorBytes = primarySecurityDescriptor.ToBytes();
if (primarySecurityDescriptor.Owner == null)
{
throw new Win32Exception(87, "The security descriptor must include an owner");
}
AuthzAccessRequest request = new AuthzAccessRequest();
request.PrincipalSelfSid = selfSid?.ToBytes();
request.DesiredAccess = requestedAccessMask;
AuthzAccessReply reply = new AuthzAccessReply();
SafeAllocHGlobalHandle accessMaskReply = new SafeAllocHGlobalHandle(Marshal.SizeOf <uint>());
SafeAllocHGlobalHandle errorReply = new SafeAllocHGlobalHandle(Marshal.SizeOf <uint>());
SafeAllocHGlobalHandle saclReply = new SafeAllocHGlobalHandle(Marshal.SizeOf <uint>());
reply.ResultListLength = 1;
reply.GrantedAccessMask = accessMaskReply.DangerousGetHandle();
reply.SaclEvaluationResults = saclReply.DangerousGetHandle();
reply.Error = errorReply.DangerousGetHandle();
IntPtr pOthers = IntPtr.Zero;
int othersCount = otherSecurityDescriptors?.Count ?? 0;
if (othersCount > 0)
{
LpArrayOfByteArrayConverter r = new LpArrayOfByteArrayConverter(otherSecurityDescriptors.Select(t => t.ToBytes()).ToList());
pOthers = r.Ptr;
}
if (!NativeMethods.AuthzAccessCheck(AuthzAccessCheckFlags.None, this.authzContext, ref request, IntPtr.Zero, primarySecurityDescriptorBytes, pOthers, othersCount, ref reply, IntPtr.Zero))
{
throw new AuthorizationContextException("AuthzAccessCheck failed", new Win32Exception(Marshal.GetLastWin32Error()));
}
int maskResult = Marshal.ReadInt32(reply.GrantedAccessMask);
int error = Marshal.ReadInt32(reply.Error);
if (error == 0)
{
return((requestedAccessMask & maskResult) == requestedAccessMask);
}
return(false);
}
/// <summary>
/// Returns a value indicating if the principal is authorized for the requested access in a given security descriptor
/// </summary>
/// <param name="securityDescriptor">The security descriptor to check</param>
/// <param name="requestedAccessMask">The access mask desired</param>
/// <param name="selfSid">The SID to use when the security descriptor contains the 'SELF' principal</param>
/// <returns>True if the request is allowed, false if it is denied.</returns>
public bool AccessCheck(GenericSecurityDescriptor securityDescriptor, int requestedAccessMask, SecurityIdentifier selfSid)
{
return(AccessCheck(new List <GenericSecurityDescriptor> {
securityDescriptor
}, requestedAccessMask, selfSid));
}
/// <summary>
/// Returns a value indicating if the principal is authorized for the requested access in a given security descriptor
/// </summary>
/// <param name="securityDescriptor">The security descriptor to check</param>
/// <param name="requestedAccessMask">The access mask desired</param>
/// <returns>True if the request is allowed, false if it is denied.</returns>
public bool AccessCheck(GenericSecurityDescriptor securityDescriptor, int requestedAccessMask)
{
return(AccessCheck(securityDescriptor, requestedAccessMask, null));
}
public IEnumerable <long> FindDescriptor(GenericSecurityDescriptor securityDescriptor)
{
byte[] sdHash = ComputeHash(securityDescriptor);
return(this.FindDescriptorHash(sdHash));
}
