/// <summary>Extracts the user account SID associated with a security token.</summary>
/// <param name="hToken">The security token handle.</param>
/// <returns>A <see cref="SafePSID"/> instance of the user account SID associated with a security token.</returns>
public static SafePSID FromToken(HTOKEN hToken)
{
var hTok = new SafeHTOKEN((IntPtr)hToken, false);
using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);
return(new SafePSID(pUserToken.ToStructure <TOKEN_USER>().User.Sid));
}
/****************************************************************************++
*
* Description :
*
* This function creates a well known sid using User domain. CreateWellKnownSid requires
* domain sid to be provided to generate such sids. This function first gets the domain sid
* out of the user information in the token and then generate a well known sid.
*
* Arguments:
*
* hToken - [supplies] The token for which sid has to be generated
* sidType - [supplies] The type of well known sid
* pSid - [receives] The newly create sid
* pdwSidSize - [Supplies/Receives] The size of the memory allocated for ppSid
*
* Returns:
*
* Errors returned by GetTokenInformation
* Errors returned by CreateWellKnownSid
* E_OUTOFMEMORY In case there is not enough memory
* Errors returned by GetWindowsAccountDomainSid
* --***************************************************************************/
static SafePSID CreateWellKnownSidForAccount(HTOKEN hToken, WELL_KNOWN_SID_TYPE sidType)
{
var hTok = new SafeHTOKEN((IntPtr)hToken, false);
using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);
//
// Now get the domain sid from the TokenUser
//
Win32Error.ThrowLastErrorIfFalse(GetWindowsAccountDomainSid(pUserToken.ToStructure <TOKEN_USER>().User.Sid, out var pDomainSid));
return(SafePSID.CreateWellKnown(sidType, pDomainSid));
}
public static IEnumerable <LUID_AND_ATTRIBUTES> GetPrivileges(this SafeHTOKEN hObj) => hObj.GetInfo <PTOKEN_PRIVILEGES>(TOKEN_INFORMATION_CLASS.TokenPrivileges).Privileges;
/// <summary>Extracts the user account SID associated with a security token.</summary>
/// <param name="hToken">The security token handle.</param>
/// <returns>A <see cref="SafePSID"/> instance of the user account SID associated with a security token.</returns>
public static SafePSID FromToken(HTOKEN hToken)
{
using var hTok = new SafeHTOKEN((IntPtr)hToken, false);
return(hTok.GetInfo <TOKEN_USER>(TOKEN_INFORMATION_CLASS.TokenUser).User.Sid);
}
/****************************************************************************++
*
* Routine Description:
*
* Verifies whether specified well-known SID is in the current user token
*
* Arguments:
*
* sid - one of the WELL_KNOWN_SID_TYPE consts
* hToken - Optional the token for which we want to test membership
* pfMember - [Receives] TRUE if specified sid is a member of the user token, false otherwise
*
* Notes:
*
* -
*
* Return Value:
*
* Errors returned by CreateWellKnownSid
* Errors returned by CheckTokenMembership
* --*****************************************************************************/
static HRESULT IsMemberOf(WELL_KNOWN_SID_TYPE sid, HTOKEN hToken, out bool pfMember)
{
pfMember = false;
try
{
var hTok = new SafeHTOKEN((IntPtr)hToken, false);
using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser);
SafePSID pSID = null;
try
{
//
// create SID for the authenticated users
//
pSID = SafePSID.CreateWellKnown(sid);
}
catch
{
//
// In case of invalid-arg we might need to provide the domain, so create well known sid for domain
//
pSID = CreateWellKnownSidForAccount(hToken, sid);
}
//
// check whether token has this sid
//
if (!CheckTokenMembership(hToken, pSID, out pfMember))
{
var hr = Win32Error.GetLastError().ToHRESULT();
// just to be on the safe side (as we don't know that CheckTokenMembership
// does not modify fAuthenticated in case of error)
pfMember = false;
if (hr == HRESULT.E_ACCESSDENIED && hToken.IsNull)
{
// unable to query the thread token. Open as self and try again
using var ttok = SafeHTOKEN.FromThread(GetCurrentThread(), TokenAccess.TOKEN_QUERY);
{
if (CheckTokenMembership(ttok, pSID, out pfMember))
{
return(HRESULT.S_OK);
}
else
{
// stick with the original error code, but ensure that fMember is correct
pfMember = false;
}
}
}
}
return(HRESULT.S_OK);
}
catch (Exception ex)
{
var hr = HRESULT.FromException(ex);
if (hr == (HRESULT)Win32Error.ERROR_NON_ACCOUNT_SID)
{
return(HRESULT.S_OK);
}
return(hr);
}
}