/// <summary>Adds or replaces claims in the specified Authz Client Context.</summary> /// <remarks> /// This method invokes AuthzModifyClaims, modifying the claims using AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE. This ensures that the values of a /// claims that already exists are replaces and the ones not present are added. /// </remarks> /// <param name="handleClientContext">Handle to the Authz Client Context to be modified</param> /// <returns>Win32Error.ERROR_SUCCESS on success and Win32 error code otherwise.</returns> public int ApplyClaims(SafeAUTHZ_CLIENT_CONTEXT_HANDLE handleClientContext) { var claimInfo = new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(new AUTHZ_SECURITY_ATTRIBUTE_V1[Count]); var i = 0; foreach (var claim in this) { claimInfo.pAttributeV1[i] = claim.Value.attr; claimInfo.pAttributeV1[i].pName = claim.Key; i++; } AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] claimOps = null; if (claimInfo.AttributeCount != 0) { claimOps = new AUTHZ_SECURITY_ATTRIBUTE_OPERATION[claimInfo.AttributeCount]; for (var Idx = 0; Idx < claimInfo.AttributeCount; ++Idx) { claimOps[Idx] = AUTHZ_SECURITY_ATTRIBUTE_OPERATION.AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE; } } if (!AuthzModifyClaims(handleClientContext, claimDefnType == ClaimDefinitionType.User ? AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims : AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims, claimOps, claimInfo)) { return(Marshal.GetLastWin32Error()); } return(Win32Error.ERROR_SUCCESS); }
public void AuthzModifySecurityAttributesTest() { using (var hRM = GetAuthzInitializeResourceManager()) using (var hCtx = GetCurrentUserAuthContext(hRM)) { var attrs = new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(new[] { new AUTHZ_SECURITY_ATTRIBUTE_V1("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Environment.UserName) }); var b = AuthzModifySecurityAttributes(hCtx, new[] { AUTHZ_SECURITY_ATTRIBUTE_OPERATION.AUTHZ_SECURITY_ATTRIBUTE_OPERATION_ADD }, attrs); if (!b) { TestContext.WriteLine($"AuthzModifySecurityAttributes:{Win32Error.GetLastError()}"); } Assert.That(b); } }
public void AuthzGetInformationFromContextTest() { using (var hRM = GetAuthzInitializeResourceManager()) using (var hCtx = GetCurrentUserAuthContext(hRM)) { var buf = GetCtxInfo(hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids); var tg = buf.ToStructure <TOKEN_GROUPS>(); Assert.That(tg.GroupCount, Is.GreaterThan(0)); buf = GetCtxInfo(hCtx, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims); var ai = AUTHZ_SECURITY_ATTRIBUTES_INFORMATION.FromPtr((IntPtr)buf); if (ai == null) { return; } Assert.That(ai.Version, Is.EqualTo(1)); TestContext.WriteLine($"AuthzGetInformationFromContext(AuthzContextInfoUserClaims)={ai.AttributeCount}"); } }
public static extern bool AuthzModifyClaims( AUTHZ_CLIENT_CONTEXT_HANDLE handleClientContext, AuthzContextInformationClass infoClass, AuthzSecurityAttributeOperation[] claimOperation, ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION claims);
public void ComputeEffectivePermissionWithSecondarySecurity(PSID pSid, PSID pDeviceSid, string pszServerName, SECURITY_OBJECT[] pSecurityObjects, uint dwSecurityObjectCount, ref TOKEN_GROUPS pUserGroups, AUTHZ_SID_OPERATION[] pAuthzUserGroupsOperations, ref TOKEN_GROUPS pDeviceGroups, AUTHZ_SID_OPERATION[] pAuthzDeviceGroupsOperations, ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzUserClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzUserClaimsOperations, ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzDeviceClaims, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pAuthzDeviceClaimsOperations, EFFPERM_RESULT_LIST[] pEffpermResultLists) { System.Diagnostics.Debug.WriteLine($"ComputeEffectivePermissionWithSecondarySecurity({dwSecurityObjectCount}):{new SecurityIdentifier((IntPtr)pSid).Value};{new SecurityIdentifier((IntPtr)pDeviceSid).Value}"); if (dwSecurityObjectCount != 1) { ThrowException(HRESULT.E_FAIL, new ArgumentOutOfRangeException(nameof(dwSecurityObjectCount), @"Only a single object can be computed.")); } if (pSecurityObjects[0].Id != (uint)SECURITY_OBJECT_ID.SECURITY_OBJECT_ID_OBJECT_SD) { ThrowException(HRESULT.E_FAIL, new ArgumentException(@"Unexpected value.", nameof(pSecurityObjects))); } if (pSid == null || pSid.IsInvalid) { ThrowException(HRESULT.E_INVALIDARG, new ArgumentNullException(nameof(pSid))); } SafeAUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager; if (!AuthzInitializeResourceManager(AuthzResourceManagerFlags.AUTHZ_RM_FLAG_NO_AUDIT, null, null, null, prov.ToString(), out hAuthzResourceManager)) { return; } var identifier = new LUID(); SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzUserContext; SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzCompoundContext = null; if (!AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzUserContext)) { return; } if (pDeviceSid != null && !pDeviceSid.IsInvalid) { SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzDeviceContext; if (AuthzInitializeContextFromSid(AuthzContextFlags.NONE, pDeviceSid, hAuthzResourceManager, IntPtr.Zero, identifier, IntPtr.Zero, out hAuthzDeviceContext)) { if (AuthzInitializeCompoundContext(hAuthzUserContext, hAuthzDeviceContext, out hAuthzCompoundContext)) { if (pAuthzDeviceClaims.Version != 0) { AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceClaims, pAuthzDeviceClaimsOperations, ref pAuthzDeviceClaims); } } } } else { hAuthzCompoundContext = hAuthzUserContext; } if (hAuthzCompoundContext == null) { return; } if (pAuthzUserClaims.Version != 0) { if (!AuthzModifyClaims(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoUserClaims, pAuthzUserClaimsOperations, ref pAuthzUserClaims)) { return; } } if (pDeviceGroups.GroupCount != 0) { if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoDeviceSids, pAuthzDeviceGroupsOperations, ref pDeviceGroups)) { return; } } if (pUserGroups.GroupCount != 0 && pAuthzUserGroupsOperations != null) { if (!AuthzModifySids(hAuthzCompoundContext, AUTHZ_CONTEXT_INFORMATION_CLASS.AuthzContextInfoGroupsSids, pAuthzUserGroupsOperations, ref pUserGroups)) { return; } } var request = new AUTHZ_ACCESS_REQUEST(AccessTypes.MAXIMUM_ALLOWED); var sd = pSecurityObjects[0].pData.ToStructure <SECURITY_DESCRIPTOR>(); var reply = new AUTHZ_ACCESS_REPLY(1); SafeAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults; if (!AuthzAccessCheck(AuthzAccessCheckFlags.NONE, hAuthzCompoundContext, ref request, null, ref sd, null, 0, reply, out phAccessCheckResults)) { return; } pEffpermResultLists[0].fEvaluated = true; pEffpermResultLists[0].pGrantedAccessList = reply.GrantedAccessMaskValues; pEffpermResultLists[0].pObjectTypeList = new[] { OBJECT_TYPE_LIST.Self }; pEffpermResultLists[0].cObjectTypeListLength = 1; }
public static extern bool AuthzModifyClaims( [In] IntPtr handleClientContext, [In] AuthzContextInformationClass infoClass, [In] AuthzSecurityAttributeOperation[] claimOperation, [In, Optional] ref AUTHZ_SECURITY_ATTRIBUTES_INFORMATION claims);