internal static extern bool AuthzInitializeResourceManager(
AuthzResourceManagerFlags flags,
IntPtr pfnAccessCheck,
IntPtr pfnComputeDynamicGroups,
IntPtr pfnFreeDynamicGroups,
string szResourceManagerName,
out SafeAuthzRMHandle phAuthzResourceManager);
internal static extern bool AuthzInitializeContextFromSid(
AuthzInitFlags flags,
byte[] rawUserSid,
SafeAuthzRMHandle authzRM,
PLARGE_INTEGER expirationTime,
Win32.LUID Identifier,
LPVOID DynamicGroupArgs,
out AUTHZ_CLIENT_CONTEXT_HANDLE authzClientContext);
public static extern bool AuthzInitializeContextFromSid(
AuthzInitFlags flags,
byte[] rawUserSid,
SafeAuthzRMHandle authzRM,
IntPtr expirationTime,
Luid Identifier,
IntPtr DynamicGroupArgs,
out IntPtr authzClientContext);
internal static extern bool AuthzInitializeContextFromSid(
AuthzInitFlags flags,
byte[] rawUserSid,
SafeAuthzRMHandle authzRm,
IntPtr expirationTime,
Win32.Luid identifier,
IntPtr dynamicGroupArgs,
out IntPtr authzClientContext);
public ACCESS_MASK ComputeAccess(RawSecurityDescriptor descriptor, IdentityReference identity)
{
var accessGranted = ACCESS_MASK.NONE;
// Create the Resource Manager
using (SafeAuthzRMHandle authzRM = InitializeResourceManager())
using (SafeAuthzContextHandle userClientCtxt = InitializeContextFromSid(authzRM, identity))
{
accessGranted = AccessCheck(userClientCtxt, descriptor);
}
return(accessGranted);
}
private SafeAuthzContextHandle InitializeContextFromSid(SafeAuthzRMHandle authzRM, IdentityReference identity)
{
// Create the context for the user
var securityIdentifier = (SecurityIdentifier)identity.Translate(typeof(SecurityIdentifier));
var rawSid = new byte[securityIdentifier.BinaryLength];
securityIdentifier.GetBinaryForm(rawSid, 0);
SafeAuthzContextHandle userClientCtxt;
if (!NativeMethods.AuthzInitializeContextFromSid(
NativeMethods.AuthzInitFlags.Default,
rawSid,
authzRM,
IntPtr.Zero,
NativeMethods.LUID.NullLuid,
IntPtr.Zero,
out userClientCtxt))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
return(userClientCtxt);
}
private int GetGrantedAccessMask()
{
var userSid = Helper.GetSidForObject(Username);
var handle = NativeMethods.CreateFile(Path,
NativeMethods.FileAccess.GenericRead,
NativeMethods.FileShare.Read
| NativeMethods.FileShare.Write
| NativeMethods.FileShare.Delete,
IntPtr.Zero,
NativeMethods.FileMode.OpenExisting,
NativeMethods.FileFlagAttrib.BackupSemantics,
IntPtr.Zero);
if (handle.IsInvalid)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
RawSecurityDescriptor fileSd;
var tempSd = PSECURITY_DESCRIPTOR.Zero;
try
{
var error = NativeMethods.GetSecurityInfo(handle,
NativeMethods.ObjectType.File,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Dacl
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute,
IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
out tempSd);
if (error != Win32Error.ErrorSuccess)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
fileSd = new RawSecurityDescriptor(Helper.ConvertSecurityDescriptorToByteArray(tempSd), 0);
}
finally
{
Marshal.FreeHGlobal(tempSd);
}
var fso = new FileSecurityObject(fileSd);
SafeAuthzRMHandle authzRm = null;
var userClientCtxt = AUTHZ_CLIENT_CONTEXT_HANDLE.Zero;
try
{
if (!NativeMethods.AuthzInitializeResourceManager(
NativeMethods.AuthzResourceManagerFlags.NoAudit,
IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, null,
out authzRm))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
var rawSid = new byte[userSid.BinaryLength];
userSid.GetBinaryForm(rawSid, 0);
if (!NativeMethods.AuthzInitializeContextFromSid(NativeMethods.AuthzInitFlags.Default,
rawSid,
authzRm,
PLARGE_INTEGER.Zero,
Win32.Luid.NullLuid,
LPVOID.Zero,
out userClientCtxt))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
var grantedAccess = new PACCESS_MASK[1];
var errorSecObj = new PACCESS_MASK[1];
var request = new NativeMethods.AuthzAccessRequest
{
DesiredAccess = NativeMethods.StdAccess.MaximumAllowed,
PrincipalSelfSid = null,
ObjectTypeList = POBJECT_TYPE_LIST.Zero,
ObjectTypeListLength = 0,
OptionalArguments = LPVOID.Zero
};
var reply = new NativeMethods.AuthzAccessReply
{
ResultListLength = 1,
SaclEvaluationResults = PDWORD.Zero,
GrantedAccessMask = grantedAccess[0] = Marshal.AllocHGlobal(sizeof(uint)),
Error = errorSecObj[0] = Marshal.AllocHGlobal(sizeof(uint))
};
var rawSd = new byte[fso.SecurityDescriptor.BinaryLength];
fso.SecurityDescriptor.GetBinaryForm(rawSd, 0);
if (!NativeMethods.AuthzAccessCheck(NativeMethods.AuthzAcFlags.None,
userClientCtxt,
ref request,
AUTHZ_AUDIT_EVENT_HANDLE.Zero,
rawSd,
null,
0,
ref reply,
AUTHZ_ACCESS_CHECK_RESULTS_HANDLE.Zero))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
return(Marshal.ReadInt32(reply.GrantedAccessMask));
}
finally
{
if (userClientCtxt != AUTHZ_CLIENT_CONTEXT_HANDLE.Zero)
{
NativeMethods.AuthzFreeContext(userClientCtxt);
}
authzRm?.Dispose();
}
}
internal static extern bool AuthzInitializeRemoteResourceManager(
PAUTHZ_RPC_INIT_INFO_CLIENT rpcInitInfo,
out SafeAuthzRMHandle authRM);
public static extern bool AuthzInitializeRemoteResourceManager(
IntPtr rpcInitInfo,
out SafeAuthzRMHandle authRM);
internal static extern bool AuthzInitializeResourceManager(
AuthzResourceManagerFlags flags,
IntPtr pfnAccessCheck,
IntPtr pfnComputeDynamicGroups,
IntPtr pfnFreeDynamicGroups,
string szResourceManagerName,
out SafeAuthzRMHandle phAuthzResourceManager);
internal static extern bool AuthzInitializeContextFromSid(
AuthzInitFlags flags,
byte[] rawUserSid,
SafeAuthzRMHandle authzRM,
PLARGE_INTEGER expirationTime,
Win32.LUID Identifier,
LPVOID DynamicGroupArgs,
out AUTHZ_CLIENT_CONTEXT_HANDLE authzClientContext);
internal static extern bool AuthzInitializeRemoteResourceManager(
PAUTHZ_RPC_INIT_INFO_CLIENT rpcInitInfo,
out SafeAuthzRMHandle authRM);
