authz.h

TH-NETII Windows API.sln

@@ -80,7 +80,9 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "THNETII.WinApi.Headers.Proc
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "THNETII.WinApi.Headers.FileApi", "src\THNETII.WinApi.Headers.FileApi\THNETII.WinApi.Headers.FileApi.csproj", "{DC49BB25-34E5-4B07-A527-F341D2EF833B}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "THNETII.WinApi.Headers.SysInfoApi", "src\THNETII.WinApi.Headers.SysInfoApi\THNETII.WinApi.Headers.SysInfoApi.csproj", "{75FD2E4B-27C9-49D0-8869-99C934DAACCF}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "THNETII.WinApi.Headers.SysInfoApi", "src\THNETII.WinApi.Headers.SysInfoApi\THNETII.WinApi.Headers.SysInfoApi.csproj", "{75FD2E4B-27C9-49D0-8869-99C934DAACCF}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "THNETII.WinApi.Headers.AuthZ", "src\THNETII.WinApi.Headers.AuthZ\THNETII.WinApi.Headers.AuthZ.csproj", "{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -416,6 +418,18 @@ Global
 		{75FD2E4B-27C9-49D0-8869-99C934DAACCF}.Release|x64.Build.0 = Release|Any CPU
 		{75FD2E4B-27C9-49D0-8869-99C934DAACCF}.Release|x86.ActiveCfg = Release|Any CPU
 		{75FD2E4B-27C9-49D0-8869-99C934DAACCF}.Release|x86.Build.0 = Release|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Debug|x64.Build.0 = Debug|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Debug|x86.Build.0 = Debug|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Release|x64.ActiveCfg = Release|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Release|x64.Build.0 = Release|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Release|x86.ActiveCfg = Release|Any CPU
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -449,6 +463,7 @@ Global
 		{3B25A551-FBEC-4515-9D98-226C51A6E74F} = {9689DB3E-1ED7-478C-AC14-C734B0397619}
 		{DC49BB25-34E5-4B07-A527-F341D2EF833B} = {9689DB3E-1ED7-478C-AC14-C734B0397619}
 		{75FD2E4B-27C9-49D0-8869-99C934DAACCF} = {9689DB3E-1ED7-478C-AC14-C734B0397619}
+		{6AD87FE7-9FC9-44FB-A22C-FCAD41CB7C3C} = {9689DB3E-1ED7-478C-AC14-C734B0397619}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {6EF7C9CF-E403-4B60-AB44-5F9FFEB668B7}

src-native-c/THNETII.WinApi.Sample.Native/main.c

@@ -1,9 +1,11 @@
 #include <Windows.h>
 #include <WinBase.h>
 
+#include <AuthZ.h>
+
 int main(int argc, char* argv[])
 {
-    OSVERSIONINFOW instance;
+    PAUTHZ_SECURITY_ATTRIBUTE_V1 instance;
     const int size = sizeof(instance);
     const int value = VER_PLATFORM_WIN32_NT;
 

src/THNETII.WinApi.Headers.AuthZ/AUTHZ_ACCESS_REPLY.cs

@@ -0,0 +1,91 @@
+using System;
+using System.Runtime.InteropServices;
+
+using THNETII.WinApi.Native.WinError;
+using THNETII.WinApi.Native.WinNT;
+
+namespace THNETII.WinApi.Native.AuthZ
+{
+    using static WinNTConstants;
+    using static WinErrorConstants;
+
+    // C:\Program Files (x86)\Windows Kits\10\Include\10.0.17134.0\um\AuthZ.h, line 118
+    //
+    // Structure to return the results of the access check call.
+    //
+
+    /// <summary>
+    /// The <see cref="AUTHZ_ACCESS_REPLY"/> structure defines an access check reply.
+    /// </summary>
+    /// <remarks>
+    /// <para>Microsoft Docs page: <a href="https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-winnt-authz_access_reply">AUTHZ_ACCESS_REPLY structure</a></para>
+    /// </remarks>
+    /// <seealso cref="AccessCheck"/>
+    [StructLayout(LayoutKind.Sequential)]
+    public unsafe struct AUTHZ_ACCESS_REPLY
+    {
+        //
+        // The length of the array representing the object type list structure. If
+        // no object type is used to represent the object, then the length must be
+        // set to 1.
+        //
+        // Note: This parameter must be filled!
+        //
+
+        /// <summary>
+        /// The number of elements in the <see cref="GrantedAccessMask"/>, <see cref="SaclEvaluationResults"/>, and <see cref="Error"/> arrays. This number matches the number of entries in the object type list structure used in the access check. If no object type is used to represent the object, then set <see cref="ResultListLength"/> to one.
+        /// </summary>
+        public int ResultListLength;
+
+        #region public Span<ACESS_MASK> GrantedAccessMask;
+        //
+        // Array of granted access masks. This memory is allocated by the RM. Access
+        // check routines just fill in the values.
+        //
+
+        public ACCESS_MASK* GrantedAccessMaskPtr;
+        /// <summary>
+        /// An span of granted access masks. Memory for this array is allocated by the application before calling <see cref="AccessCheck"/>.
+        /// </summary>
+        public Span<ACCESS_MASK> GrantedAccessMask =>
+            new Span<ACCESS_MASK>(GrantedAccessMaskPtr, ResultListLength);
+        #endregion
+
+        #region public Span<int> SaclEvaluationResults;
+        //
+        // Array of SACL evaluation results.  This memory is allocated by the RM, if SACL
+        // evaluation results are desired. Access check routines just fill in the values.
+        // Sacl evaluation will only be performed if auditing is requested.
+        //
+
+        public AUTHZ_GENERATE_RESULT* SaclEvaluationResultsPtr;
+        /// <summary>
+        /// A span of <a href="https://docs.microsoft.com/windows/desktop/SecGloss/s-gly">system access control list</a> (SACL) evaluation results. Memory for this array is allocated by the application before calling <see cref="AccessCheck"/>. SACL evaluation will only be performed if auditing is requested.
+        /// </summary>
+        public Span<AUTHZ_GENERATE_RESULT> SaclEvaluationResults =>
+            new Span<AUTHZ_GENERATE_RESULT>(SaclEvaluationResultsPtr, ResultListLength);
+        #endregion
+
+        #region public Span<int> Error;
+        //
+        // Array of results for each element of the array. This memory is allocated
+        // by the RM. Access check routines just fill in the values.
+        //
+
+        public int* ErrorPtr;
+        /// <summary>
+        /// A span of results for each element of the array. Memory for this array is allocated by the application before calling <see cref="AccessCheck"/>.
+        /// <para>
+        /// The following table lists the possible error values.
+        /// <list type="table">
+        /// <listheader><term>Value</term><description>Meaning</description></listheader>
+        /// <item><term><see cref="ERROR_SUCCESS"/></term><description>All the access bits, not including <see cref="MAXIMUM_ALLOWED"/>, are granted and the <see cref="GrantedAccessMask"/> member is not zero.</description></item>
+        /// <item><term><see cref="ERROR_PRIVILEGE_NOT_HELD"/></term><description>DesiredAccess includes <see cref="ACCESS_SYSTEM_SECURITY"/> and the client does not have <see cref="SeSecurityPrivilege"/>.</description></item>
+        /// <item><term><see cref="ERROR_ACCESS_DENIED"/></term><description>Includes each of the following: <list type="bullet"><item>The requested bits are not granted.</item><item>MaximumAllowed bit is on and granted access is zero.</item><item>DesiredAccess is zero.</item></list></description></item>
+        /// </list>
+        /// </para>
+        /// </summary>
+        public Span<int> Error => new Span<int>(ErrorPtr, ResultListLength);
+        #endregion
+    }
+}

src/THNETII.WinApi.Headers.AuthZ/AUTHZ_ACCESS_REQUEST.cs

@@ -0,0 +1,68 @@
+using System;
+using System.Runtime.InteropServices;
+using THNETII.WinApi.Native.WinNT;
+
+namespace THNETII.WinApi.Native.AuthZ
+{
+    // C:\Program Files (x86)\Windows Kits\10\Include\10.0.17134.0\um\AuthZ.h, line 83
+    //
+    // Structure defining the access check request.
+    //
+
+    /// <summary>
+    /// The <see cref="AUTHZ_ACCESS_REQUEST"/> structure defines an access check request.
+    /// </summary>
+    /// <remarks>
+    /// <para>Microsoft Docs page: <a href="https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-winnt-authz_access_request">AUTHZ_ACCESS_REQUEST structure</a></para>
+    /// </remarks>
+    /// <seealso cref="AuthzAccessCheckCallback"/>
+    [StructLayout(LayoutKind.Sequential)]
+    public unsafe struct AUTHZ_ACCESS_REQUEST
+    {
+        /// <summary>
+        /// The type of access to test for.
+        /// </summary>
+        public ACCESS_MASK DesiredAccess;
+
+        //
+        // To replace the principal self sid in the acl.
+        //
+
+        /// <summary>
+        /// The <a href="https://docs.microsoft.com/windows/desktop/SecGloss/s-gly">security identifier</a> (SID) to use for the principal self SID in the <a href="https://docs.microsoft.com/windows/desktop/SecGloss/a-gly">access control list</a> (ACL).
+        /// </summary>
+        public SID* PrincipalSelfSid;
+
+        //
+        // Object type list represented by an array of (level, guid) pair and the
+        // number of elements in the array. This is a post-fix representation of the
+        // object tree.
+        // These fields should be set to NULL and 0 respectively except when per
+        // property access is desired.
+        //
+
+        #region public Span<OBJECT_TYPE_LIST> ObjectTypeList;
+        public OBJECT_TYPE_LIST* pObjectTypeList;
+        /// <summary>
+        /// A span of <see cref="OBJECT_TYPE_LIST"/> structures in the object tree for the object. Set to an empty span unless the application checks access at the property level.
+        /// </summary>
+        public Span<OBJECT_TYPE_LIST> ObjectTypeList =>
+            new Span<OBJECT_TYPE_LIST>(pObjectTypeList, ObjectTypeListLength);
+        #endregion
+        /// <summary>
+        /// The number of elements in the <see cref="ObjectTypeList"/> array. This member is necessary only if the application checks access at the property level.
+        /// </summary>
+        public int ObjectTypeListLength;
+
+        //
+        // To support completely business rules based access. This will be passed as
+        // input to the callback access check function. Access check algorithm does
+        // not interpret these.
+        //
+
+        /// <summary>
+        /// A pointer to memory to pass to <see cref="AuthzAccessCheckCallback"/> when checking callback <a href="https://docs.microsoft.com/windows/desktop/SecGloss/a-gly">access control entries</a> (ACEs).
+        /// </summary>
+        public IntPtr OptionalArguments;
+    }
+}

src/THNETII.WinApi.Headers.AuthZ/AUTHZ_CLIENT_CONTEXT_HANDLE.cs

@@ -0,0 +1,11 @@
+using System;
+
+using THNETII.InteropServices.Memory;
+
+namespace THNETII.WinApi.Native.AuthZ
+{
+    public struct AUTHZ_CLIENT_CONTEXT_HANDLE : IPointer
+    {
+        public IntPtr Pointer { get; }
+    }
+}

src/THNETII.WinApi.Headers.AuthZ/AUTHZ_COMPUTE_DYNAMIC_GROUPS.cs

@@ -0,0 +1,65 @@
+using System;
+using System.Runtime.InteropServices;
+
+using THNETII.WinApi.Native.WinNT;
+
+namespace THNETII.WinApi.Native.AuthZ
+{
+    //
+    // Callback compute dynamic groups function takes in
+    //     AuthzClientContext - a client context
+    //     pArgs - Optional arguments that supplied to AuthzInitializeClientContext*
+    //         thru DynamicGroupArgs are passed back here..
+    //     pSidAttrArray - To allocate and return an array of (sids, attribute)
+    //         pairs to be added to the normal part of the client context.
+    //     pSidCount - Number of elements in pSidAttrArray
+    //     pRestrictedSidAttrArray - To allocate and return an array of (sids, attribute)
+    //         pairs to be added to the restricted part of the client context.
+    //     pRestrictedSidCount - Number of elements in pRestrictedSidAttrArray
+    //
+    // Note:
+    //    Memory returned thru both these array will be freed by the callback
+    //    free function defined by the resource manager.
+    //
+    // Returns
+    //     TRUE if the API succeeded.
+    //     FALSE on any intermediate errors (like failed memory allocation)
+    //         In case of failure, the caller must use SetLastError(ErrorValue).
+    //
+
+    /// <summary>
+    /// Callback compute dynamic groups function
+    /// </summary>
+    /// <param name="hAuthzClientContext">a client context</param>
+    /// <param name="Args">
+    /// Optional arguments that supplied to AuthzInitializeClientContext*
+    /// thru DynamicGroupArgs are passed back here..
+    /// </param>
+    /// <param name="pSidAttrArray">
+    /// To allocate and return an array of (sids, attribute)
+    /// pairs to be added to the normal part of the client context.
+    /// </param>
+    /// <param name="pSidCount">Number of elements in <paramref name="pSidAttrArray"/></param>
+    /// <param name="pRestrictedSidAttrArray">
+    /// To allocate and return an array of (sids, attribute)
+    /// pairs to be added to the restricted part of the client context.
+    /// </param>
+    /// <param name="pRestrictedSidCount">Number of elements in <paramref name="pRestrictedSidAttrArray"/></param>
+    /// <returns>
+    /// <para><see langword="true"/> if the API succeeded.</para>
+    /// <para>
+    /// <see langword="false"/> on any intermediate errors (like failed memory allocation)
+    /// In case of failure, the caller must use <see cref="SetLastError"/>.
+    /// </para>
+    /// </returns>
+    [UnmanagedFunctionPointer(CallingConvention.Winapi, SetLastError = true)]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    public unsafe delegate bool AUTHZ_COMPUTE_DYNAMIC_GROUPS(
+        [In] AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
+        [In] IntPtr Args,
+        out SID_AND_ATTRIBUTES* pSidAttrArray,
+        out int pSidCount,
+        out SID_AND_ATTRIBUTES* pRestrictedSidAttrArray,
+        out int pRestrictedSidCount
+        );
+}

src/THNETII.WinApi.Headers.AuthZ/AUTHZ_DYNAMIC_ACCESS_CHECK.cs

@@ -0,0 +1,56 @@
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace THNETII.WinApi.Native.AuthZ
+{
+    // C:\Program Files (x86)\Windows Kits\10\Include\10.0.17134.0\um\AuthZ.h, line 161
+    //
+    // Typedefs for callback functions to be provided by the resource manager.
+    //
+
+    //
+    // Callback access check function takes in
+    //     AuthzClientContext - a client context
+    //     pAce - pointer to a callback ace
+    //     pArgs - Optional arguments that were passed to AuthzAccessCheck thru
+    //             AuthzAccessRequest->OptionalArguments are passed back here.
+    //     pbAceApplicable - The resource manager must supply whether the ace should
+    //         be used in the computation of access evaluation
+    //
+    // Returns
+    //     TRUE if the API succeeded.
+    //     FALSE on any intermediate errors (like failed memory allocation)
+    //         In case of failure, the caller must use SetLastError(ErrorValue).
+    //
+
+    /// <summary>
+    /// Callback access check function
+    /// </summary>
+    /// <param name="hAuthzClientContext">a client context</param>
+    /// <param name="pAce">pointer to a callback ace</param>
+    /// <param name="pArgs">
+    /// Optional arguments that were passed to AuthzAccessCheck thru
+    /// AuthzAccessRequest->OptionalArguments are passed back here.
+    /// </param>
+    /// <param name="pbAceApplicable">
+    /// The resource manager must supply whether the ace should
+    /// be used in the computation of access evaluation
+    /// </param>
+    /// <returns>
+    /// <para><see langword="true"/> if the API succeeded.</para>
+    /// <para>
+    /// <see langword="false"/> on any intermediate errors (like failed memory allocation)
+    /// In case of failure, the caller must use <see cref="SetLastError"/>.
+    /// </para>
+    /// </returns>
+    [UnmanagedFunctionPointer(CallingConvention.Winapi, SetLastError = true)]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    public unsafe delegate bool AUTHZ_DYNAMIC_ACCESS_CHECK(
+        [In] AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
+        [In] IntPtr pAce,
+        [In, Optional] IntPtr pArgs,
+        [MarshalAs(UnmanagedType.Bool)] ref bool pbAceApplicable
+        );
+}

src/THNETII.WinApi.Headers.AuthZ/AUTHZ_FREE_CENTRAL_ACCESS_POLICY.cs

@@ -0,0 +1,24 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace THNETII.WinApi.Native.AuthZ
+{
+    // C:\Program Files (x86)\Windows Kits\10\Include\10.0.17134.0\um\AuthZ.h, line 254
+    //
+    // Callback central access policy free function takes in
+    //     pCentralAccessPolicy - To be freed. This memory has been allocated by 
+    //     the central access policy retrieval callback function.
+    //
+
+    /// <summary>
+    /// Callback central access policy free function
+    /// </summary>
+    /// <param name="pCentralAccessPolicy">
+    /// To be freed. This memory has been allocated by
+    /// the central access policy retrieval callback function.
+    /// </param>
+    [UnmanagedFunctionPointer(CallingConvention.Winapi)]
+    public delegate void AUTHZ_FREE_CENTRAL_ACCESS_POLICY(
+        [In] IntPtr pCentralAccessPolicy
+        );
+}

src/THNETII.WinApi.Headers.AuthZ/AUTHZ_FREE_DYNAMIC_GROUPS.cs

@@ -0,0 +1,24 @@
+using System.Runtime.InteropServices;
+
+using THNETII.WinApi.Native.WinNT;
+
+namespace THNETII.WinApi.Native.AuthZ
+{
+    //
+    // Callback free function takes in
+    //     pSidAttrArray - To be freed. This has been allocated by the compute
+    //     dynamic groups function.
+    //
+
+    /// <summary>
+    /// Callback free function
+    /// </summary>
+    /// <param name="pSidAttrArray">
+    /// To be freed. This has been allocated by the compute
+    /// dynamic groups function.
+    /// </param>
+    [UnmanagedFunctionPointer(CallingConvention.Winapi)]
+    public unsafe delegate void AUTHZ_FREE_DYNAMIC_GROUPS(
+        [In] SID_AND_ATTRIBUTES* pSidAttrArray
+        );
+}