internal static extern bool AuthzInitializeResourceManager( AuthzResourceManagerFlags flags, IntPtr pfnAccessCheck, IntPtr pfnComputeDynamicGroups, IntPtr pfnFreeDynamicGroups, string szResourceManagerName, out SafeAuthzRMHandle phAuthzResourceManager);
internal static extern bool AuthzInitializeContextFromSid( AuthzInitFlags flags, byte[] rawUserSid, SafeAuthzRMHandle authzRM, PLARGE_INTEGER expirationTime, Win32.LUID Identifier, LPVOID DynamicGroupArgs, out AUTHZ_CLIENT_CONTEXT_HANDLE authzClientContext);
public static extern bool AuthzInitializeContextFromSid( AuthzInitFlags flags, byte[] rawUserSid, SafeAuthzRMHandle authzRM, IntPtr expirationTime, Luid Identifier, IntPtr DynamicGroupArgs, out IntPtr authzClientContext);
internal static extern bool AuthzInitializeContextFromSid( AuthzInitFlags flags, byte[] rawUserSid, SafeAuthzRMHandle authzRm, IntPtr expirationTime, Win32.Luid identifier, IntPtr dynamicGroupArgs, out IntPtr authzClientContext);
public ACCESS_MASK ComputeAccess(RawSecurityDescriptor descriptor, IdentityReference identity) { var accessGranted = ACCESS_MASK.NONE; // Create the Resource Manager using (SafeAuthzRMHandle authzRM = InitializeResourceManager()) using (SafeAuthzContextHandle userClientCtxt = InitializeContextFromSid(authzRM, identity)) { accessGranted = AccessCheck(userClientCtxt, descriptor); } return(accessGranted); }
private SafeAuthzContextHandle InitializeContextFromSid(SafeAuthzRMHandle authzRM, IdentityReference identity) { // Create the context for the user var securityIdentifier = (SecurityIdentifier)identity.Translate(typeof(SecurityIdentifier)); var rawSid = new byte[securityIdentifier.BinaryLength]; securityIdentifier.GetBinaryForm(rawSid, 0); SafeAuthzContextHandle userClientCtxt; if (!NativeMethods.AuthzInitializeContextFromSid( NativeMethods.AuthzInitFlags.Default, rawSid, authzRM, IntPtr.Zero, NativeMethods.LUID.NullLuid, IntPtr.Zero, out userClientCtxt)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } return(userClientCtxt); }
private int GetGrantedAccessMask() { var userSid = Helper.GetSidForObject(Username); var handle = NativeMethods.CreateFile(Path, NativeMethods.FileAccess.GenericRead, NativeMethods.FileShare.Read | NativeMethods.FileShare.Write | NativeMethods.FileShare.Delete, IntPtr.Zero, NativeMethods.FileMode.OpenExisting, NativeMethods.FileFlagAttrib.BackupSemantics, IntPtr.Zero); if (handle.IsInvalid) { throw new Win32Exception(Marshal.GetLastWin32Error()); } RawSecurityDescriptor fileSd; var tempSd = PSECURITY_DESCRIPTOR.Zero; try { var error = NativeMethods.GetSecurityInfo(handle, NativeMethods.ObjectType.File, NativeMethods.SecurityInformationClass.Owner | NativeMethods.SecurityInformationClass.Group | NativeMethods.SecurityInformationClass.Dacl | NativeMethods.SecurityInformationClass.Label | NativeMethods.SecurityInformationClass.Attribute, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out tempSd); if (error != Win32Error.ErrorSuccess) { throw new Win32Exception(Marshal.GetLastWin32Error()); } fileSd = new RawSecurityDescriptor(Helper.ConvertSecurityDescriptorToByteArray(tempSd), 0); } finally { Marshal.FreeHGlobal(tempSd); } var fso = new FileSecurityObject(fileSd); SafeAuthzRMHandle authzRm = null; var userClientCtxt = AUTHZ_CLIENT_CONTEXT_HANDLE.Zero; try { if (!NativeMethods.AuthzInitializeResourceManager( NativeMethods.AuthzResourceManagerFlags.NoAudit, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, null, out authzRm)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } var rawSid = new byte[userSid.BinaryLength]; userSid.GetBinaryForm(rawSid, 0); if (!NativeMethods.AuthzInitializeContextFromSid(NativeMethods.AuthzInitFlags.Default, rawSid, authzRm, PLARGE_INTEGER.Zero, Win32.Luid.NullLuid, LPVOID.Zero, out userClientCtxt)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } var grantedAccess = new PACCESS_MASK[1]; var errorSecObj = new PACCESS_MASK[1]; var request = new NativeMethods.AuthzAccessRequest { DesiredAccess = NativeMethods.StdAccess.MaximumAllowed, PrincipalSelfSid = null, ObjectTypeList = POBJECT_TYPE_LIST.Zero, ObjectTypeListLength = 0, OptionalArguments = LPVOID.Zero }; var reply = new NativeMethods.AuthzAccessReply { ResultListLength = 1, SaclEvaluationResults = PDWORD.Zero, GrantedAccessMask = grantedAccess[0] = Marshal.AllocHGlobal(sizeof(uint)), Error = errorSecObj[0] = Marshal.AllocHGlobal(sizeof(uint)) }; var rawSd = new byte[fso.SecurityDescriptor.BinaryLength]; fso.SecurityDescriptor.GetBinaryForm(rawSd, 0); if (!NativeMethods.AuthzAccessCheck(NativeMethods.AuthzAcFlags.None, userClientCtxt, ref request, AUTHZ_AUDIT_EVENT_HANDLE.Zero, rawSd, null, 0, ref reply, AUTHZ_ACCESS_CHECK_RESULTS_HANDLE.Zero)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } return(Marshal.ReadInt32(reply.GrantedAccessMask)); } finally { if (userClientCtxt != AUTHZ_CLIENT_CONTEXT_HANDLE.Zero) { NativeMethods.AuthzFreeContext(userClientCtxt); } authzRm?.Dispose(); } }
internal static extern bool AuthzInitializeRemoteResourceManager( PAUTHZ_RPC_INIT_INFO_CLIENT rpcInitInfo, out SafeAuthzRMHandle authRM);
public static extern bool AuthzInitializeRemoteResourceManager( IntPtr rpcInitInfo, out SafeAuthzRMHandle authRM);