/// <summary>Adds or replaces claims in the specified Authz Client Context.</summary> /// <remarks> /// This method invokes AuthzModifyClaims, modifying the claims using AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE. This ensures that the values of a /// claims that already exists are replaces and the ones not present are added. /// </remarks> /// <param name="handleClientContext">Handle to the Authz Client Context to be modified</param> /// <returns>Win32Error.ERROR_SUCCESS on success and Win32 error code otherwise.</returns> public int ApplyClaims(SafeAUTHZ_CLIENT_CONTEXT_HANDLE handleClientContext) { var claimInfo = new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(new AUTHZ_SECURITY_ATTRIBUTE_V1[Count]); var i = 0; foreach (var claim in this) { claimInfo.pAttributeV1[i] = claim.Value.attr; claimInfo.pAttributeV1[i].pName = claim.Key; i++; } AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] claimOps = null; if (claimInfo.AttributeCount != 0) { claimOps = new AUTHZ_SECURITY_ATTRIBUTE_OPERATION[claimInfo.AttributeCount]; for (var Idx = 0; Idx < claimInfo.AttributeCount; ++Idx) { claimOps[Idx] = AUTHZ_SECURITY_ATTRIBUTE_OPERATION.AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE; } } if (!AuthzModifyClaims(handleClientContext, claimDefnType == ClaimDefinitionType.User ? AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims : AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims, claimOps, claimInfo)) { return(Marshal.GetLastWin32Error()); } return(Win32Error.ERROR_SUCCESS); }
public void AuthzAddSidsToContextTest() { using SafePSID everyoneSid = ConvertStringSidToSid("S-1-1-0"); using SafePSID localSid = ConvertStringSidToSid("S-1-2-0"); SID_AND_ATTRIBUTES sids = new() { Sid = everyoneSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED }; SID_AND_ATTRIBUTES restrictedSids = new() { Sid = localSid, Attributes = (uint)GroupAttributes.SE_GROUP_ENABLED }; using SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM = GetAuthzInitializeResourceManager(); using SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx = GetCurrentUserAuthContext(hRM); Assert.That(AuthzAddSidsToContext(hCtx, sids, 1, restrictedSids, 1, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE hNewCtx), ResultIs.Successful); } [Test]
public void AuthzAccessCheckAndCachedTest() { using SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM = GetAuthzInitializeResourceManager(); using SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx = GetCurrentUserAuthContext(hRM); using SafeAUTHZ_AUDIT_EVENT_HANDLE hEvt = GetAuthzInitializeObjectAccessAuditEvent(); using SafePSECURITY_DESCRIPTOR psd = AdvApi32Tests.GetSD(TestCaseSources.SmallFile); using AUTHZ_ACCESS_REPLY reply = new(1); AUTHZ_ACCESS_REQUEST req = new(ACCESS_MASK.MAXIMUM_ALLOWED); Assert.That(AuthzAccessCheck(AuthzAccessCheckFlags.NONE, hCtx, req, hEvt, psd, null, 0, reply, out SafeAUTHZ_ACCESS_CHECK_RESULTS_HANDLE hRes), ResultIs.Successful); Assert.That(reply.GrantedAccessMask, Is.Not.EqualTo(IntPtr.Zero)); TestContext.WriteLine($"Access:{string.Join(",", reply.GrantedAccessMaskValues.Select(u => ((FileAccess)u).ToString()))}"); Assert.That(AuthzCachedAccessCheck(0, hRes, req, default, reply), Is.True);
public static SafeHGlobalHandle GetCtxInfo(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS type) { bool b = AuthzGetInformationFromContext(hCtx, type, 0, out uint szReq, IntPtr.Zero); if (!b && Win32Error.GetLastError() != Win32Error.ERROR_INSUFFICIENT_BUFFER) { TestContext.WriteLine($"AuthzGetInformationFromContext:{Win32Error.GetLastError()}"); } Assert.That(!b); if (szReq == 0) { return(SafeHGlobalHandle.Null); } SafeHGlobalHandle buf = new((int)szReq); Assert.That(AuthzGetInformationFromContext(hCtx, type, szReq, out _, buf), ResultIs.Successful); return(buf); }
public void ComputeEffectivePermissionWithSecondarySecurity(PSID pSid, PSID pDeviceSid, string pszServerName, SECURITY_OBJECT[] pSecurityObjects, uint dwSecurityObjectCount, ref TOKEN_GROUPS pUserGroups, AUTHZ_SID_OPERATION[] pAuthzUserGroupsOperations, ref TOKEN_GROUPS pDeviceGroups, AUTHZ_SID_OPERATION[] pAuthzDeviceGroupsOperations, ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzUserClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzUserClaimsOperations, ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzDeviceClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzDeviceClaimsOperations, EFFPERM_RESULT_LIST[] pEffpermResultLists) { System.Diagnostics.Debug.WriteLine($"ComputeEffectivePermissionWithSecondarySecurity({dwSecurityObjectCount}):{new SecurityIdentifier((IntPtr)pSid).Value};{new SecurityIdentifier((IntPtr)pDeviceSid).Value}"); if (dwSecurityObjectCount != 1) { ThrowException(HRESULT.E_FAIL, new ArgumentOutOfRangeException(nameof(dwSecurityObjectCount), @"Only a single object can be computed.")); } if (pSecurityObjects[0].Id != (uint)SECURITY_OBJECT_ID.SECURITY_OBJECT_ID_OBJECT_SD) { ThrowException(HRESULT.E_FAIL, new ArgumentException(@"Unexpected value.", nameof(pSecurityObjects))); } if (pSid == null || pSid.IsInvalid) { ThrowException(HRESULT.E_INVALIDARG, new ArgumentNullException(nameof(pSid))); } SafeAUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager; if (!AuthzInitializeResourceManager(AuthzResourceManagerFlags.AUTHZ_RM_FLAG_NO_AUDIT, null, null, null, prov.ToString(), out hAuthzResourceManager)) { return; } var identifier = new LUID(); SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzUserContext; SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzCompoundContext = null; if (!AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzUserContext)) { return; } if (pDeviceSid != null && !pDeviceSid.IsInvalid) { SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzDeviceContext; if (AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pDeviceSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzDeviceContext)) { if (AuthzInitializeCompoundContext(hAuthzUserContext, hAuthzDeviceContext, out hAuthzCompoundContext)) { if (pAuthzDeviceClaims.Version != 0) { AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims, pAuthzDeviceClaimsOperations, ref pAuthzDeviceClaims); } } } } else { hAuthzCompoundContext = hAuthzUserContext; } if (hAuthzCompoundContext == null) { return; } if (pAuthzUserClaims.Version != 0) { if (!AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims, pAuthzUserClaimsOperations, ref pAuthzUserClaims)) { return; } } if (pDeviceGroups.GroupCount != 0) { if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceSids, pAuthzDeviceGroupsOperations, ref pDeviceGroups)) { return; } } if (pUserGroups.GroupCount != 0 && pAuthzUserGroupsOperations != null) { if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, pAuthzUserGroupsOperations, ref pUserGroups)) { return; } } var request = new AUTHZ_ACCESS_REQUEST(AccessTypes.MAXIMUM_ALLOWED); var sd = pSecurityObjects[0].pData.ToStructure <SECURITY_DESCRIPTOR>(); var reply = new AUTHZ_ACCESS_REPLY(1); SafeAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults; if (!AuthzAccessCheck(AuthzAccessCheckFlags.NONE, hAuthzCompoundContext, ref request, null, ref sd, null, 0, reply, out phAccessCheckResults)) { return; } pEffpermResultLists[0].fEvaluated = true; pEffpermResultLists[0].pGrantedAccessList = reply.GrantedAccessMaskValues; pEffpermResultLists[0].pObjectTypeList = new[] { OBJECT_TYPE_LIST.Self }; pEffpermResultLists[0].cObjectTypeListLength = 1; }