Gitiles
Code Review Sign In
gerrit.opencord.org / voltha-go / daa6bb293ba6cd2eee66d4ad5e42316a4d5d7e8d / . / vendor / golang.org / x / sys / windows / security_windows.go
blob: da06406c44e1efe2221a5612e86b4b343ab723e6 [file] [log] [blame]
sslobodrd046be82019-01-16 10:02:22 -0500[diff] [blame]1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package windows
6
7import (
8 "syscall"
9 "unsafe"
10)
11
12const (
13 STANDARD_RIGHTS_REQUIRED = 0xf0000
14 STANDARD_RIGHTS_READ = 0x20000
15 STANDARD_RIGHTS_WRITE = 0x20000
16 STANDARD_RIGHTS_EXECUTE = 0x20000
17 STANDARD_RIGHTS_ALL = 0x1F0000
18)
19
20const (
21 NameUnknown = 0
22 NameFullyQualifiedDN = 1
23 NameSamCompatible = 2
24 NameDisplay = 3
25 NameUniqueId = 6
26 NameCanonical = 7
27 NameUserPrincipal = 8
28 NameCanonicalEx = 9
29 NameServicePrincipal = 10
30 NameDnsDomain = 12
31)
32
33// This function returns 1 byte BOOLEAN rather than the 4 byte BOOL.
34// http://blogs.msdn.com/b/drnick/archive/2007/12/19/windows-and-upn-format-credentials.aspx
35//sys TranslateName(accName *uint16, accNameFormat uint32, desiredNameFormat uint32, translatedName *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.TranslateNameW
36//sys GetUserNameEx(nameFormat uint32, nameBuffre *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.GetUserNameExW
37
38// TranslateAccountName converts a directory service
39// object name from one format to another.
40func TranslateAccountName(username string, from, to uint32, initSize int) (string, error) {
41 u, e := UTF16PtrFromString(username)
42 if e != nil {
43 return "", e
44 }
45 n := uint32(50)
46 for {
47 b := make([]uint16, n)
48 e = TranslateName(u, from, to, &b[0], &n)
49 if e == nil {
50 return UTF16ToString(b[:n]), nil
51 }
52 if e != ERROR_INSUFFICIENT_BUFFER {
53 return "", e
54 }
55 if n <= uint32(len(b)) {
56 return "", e
57 }
58 }
59}
60
61const (
62 // do not reorder
63 NetSetupUnknownStatus = iota
64 NetSetupUnjoined
65 NetSetupWorkgroupName
66 NetSetupDomainName
67)
68
69type UserInfo10 struct {
70 Name *uint16
71 Comment *uint16
72 UsrComment *uint16
73 FullName *uint16
74}
75
76//sys NetUserGetInfo(serverName *uint16, userName *uint16, level uint32, buf **byte) (neterr error) = netapi32.NetUserGetInfo
77//sys NetGetJoinInformation(server *uint16, name **uint16, bufType *uint32) (neterr error) = netapi32.NetGetJoinInformation
78//sys NetApiBufferFree(buf *byte) (neterr error) = netapi32.NetApiBufferFree
79
80const (
81 // do not reorder
82 SidTypeUser = 1 + iota
83 SidTypeGroup
84 SidTypeDomain
85 SidTypeAlias
86 SidTypeWellKnownGroup
87 SidTypeDeletedAccount
88 SidTypeInvalid
89 SidTypeUnknown
90 SidTypeComputer
91 SidTypeLabel
92)
93
94type SidIdentifierAuthority struct {
95 Value [6]byte
96}
97
98var (
99 SECURITY_NULL_SID_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 0}}
100 SECURITY_WORLD_SID_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 1}}
101 SECURITY_LOCAL_SID_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 2}}
102 SECURITY_CREATOR_SID_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 3}}
103 SECURITY_NON_UNIQUE_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 4}}
104 SECURITY_NT_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 5}}
105 SECURITY_MANDATORY_LABEL_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 16}}
106)
107
108const (
109 SECURITY_NULL_RID = 0
110 SECURITY_WORLD_RID = 0
111 SECURITY_LOCAL_RID = 0
112 SECURITY_CREATOR_OWNER_RID = 0
113 SECURITY_CREATOR_GROUP_RID = 1
114 SECURITY_DIALUP_RID = 1
115 SECURITY_NETWORK_RID = 2
116 SECURITY_BATCH_RID = 3
117 SECURITY_INTERACTIVE_RID = 4
118 SECURITY_LOGON_IDS_RID = 5
119 SECURITY_SERVICE_RID = 6
120 SECURITY_LOCAL_SYSTEM_RID = 18
121 SECURITY_BUILTIN_DOMAIN_RID = 32
122 SECURITY_PRINCIPAL_SELF_RID = 10
123 SECURITY_CREATOR_OWNER_SERVER_RID = 0x2
124 SECURITY_CREATOR_GROUP_SERVER_RID = 0x3
125 SECURITY_LOGON_IDS_RID_COUNT = 0x3
126 SECURITY_ANONYMOUS_LOGON_RID = 0x7
127 SECURITY_PROXY_RID = 0x8
128 SECURITY_ENTERPRISE_CONTROLLERS_RID = 0x9
129 SECURITY_SERVER_LOGON_RID = SECURITY_ENTERPRISE_CONTROLLERS_RID
130 SECURITY_AUTHENTICATED_USER_RID = 0xb
131 SECURITY_RESTRICTED_CODE_RID = 0xc
132 SECURITY_NT_NON_UNIQUE_RID = 0x15
133)
134
135// Predefined domain-relative RIDs for local groups.
136// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
137const (
138 DOMAIN_ALIAS_RID_ADMINS = 0x220
139 DOMAIN_ALIAS_RID_USERS = 0x221
140 DOMAIN_ALIAS_RID_GUESTS = 0x222
141 DOMAIN_ALIAS_RID_POWER_USERS = 0x223
142 DOMAIN_ALIAS_RID_ACCOUNT_OPS = 0x224
143 DOMAIN_ALIAS_RID_SYSTEM_OPS = 0x225
144 DOMAIN_ALIAS_RID_PRINT_OPS = 0x226
145 DOMAIN_ALIAS_RID_BACKUP_OPS = 0x227
146 DOMAIN_ALIAS_RID_REPLICATOR = 0x228
147 DOMAIN_ALIAS_RID_RAS_SERVERS = 0x229
148 DOMAIN_ALIAS_RID_PREW2KCOMPACCESS = 0x22a
149 DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS = 0x22b
150 DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS = 0x22c
151 DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS = 0x22d
Stephane Barbarie260a5632019-02-26 16:12:49 -0500[diff] [blame]152 DOMAIN_ALIAS_RID_MONITORING_USERS = 0x22e
sslobodrd046be82019-01-16 10:02:22 -0500[diff] [blame]153 DOMAIN_ALIAS_RID_LOGGING_USERS = 0x22f
154 DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS = 0x230
155 DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS = 0x231
156 DOMAIN_ALIAS_RID_DCOM_USERS = 0x232
157 DOMAIN_ALIAS_RID_IUSERS = 0x238
158 DOMAIN_ALIAS_RID_CRYPTO_OPERATORS = 0x239
159 DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP = 0x23b
160 DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP = 0x23c
161 DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP = 0x23d
162 DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP = 0x23e
163)
164
165//sys LookupAccountSid(systemName *uint16, sid *SID, name *uint16, nameLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountSidW
166//sys LookupAccountName(systemName *uint16, accountName *uint16, sid *SID, sidLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountNameW
167//sys ConvertSidToStringSid(sid *SID, stringSid **uint16) (err error) = advapi32.ConvertSidToStringSidW
168//sys ConvertStringSidToSid(stringSid *uint16, sid **SID) (err error) = advapi32.ConvertStringSidToSidW
169//sys GetLengthSid(sid *SID) (len uint32) = advapi32.GetLengthSid
170//sys CopySid(destSidLen uint32, destSid *SID, srcSid *SID) (err error) = advapi32.CopySid
171//sys AllocateAndInitializeSid(identAuth *SidIdentifierAuthority, subAuth byte, subAuth0 uint32, subAuth1 uint32, subAuth2 uint32, subAuth3 uint32, subAuth4 uint32, subAuth5 uint32, subAuth6 uint32, subAuth7 uint32, sid **SID) (err error) = advapi32.AllocateAndInitializeSid
William Kurkiandaa6bb22019-03-07 12:26:28 -0500[diff] [blame^]172//sys createWellKnownSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID, sid *SID, sizeSid *uint32) (err error) = advapi32.CreateWellKnownSid
sslobodrd046be82019-01-16 10:02:22 -0500[diff] [blame]173//sys FreeSid(sid *SID) (err error) [failretval!=0] = advapi32.FreeSid
174//sys EqualSid(sid1 *SID, sid2 *SID) (isEqual bool) = advapi32.EqualSid
175
176// The security identifier (SID) structure is a variable-length
177// structure used to uniquely identify users or groups.
178type SID struct{}
179
180// StringToSid converts a string-format security identifier
181// sid into a valid, functional sid.
182func StringToSid(s string) (*SID, error) {
183 var sid *SID
184 p, e := UTF16PtrFromString(s)
185 if e != nil {
186 return nil, e
187 }
188 e = ConvertStringSidToSid(p, &sid)
189 if e != nil {
190 return nil, e
191 }
192 defer LocalFree((Handle)(unsafe.Pointer(sid)))
193 return sid.Copy()
194}
195
196// LookupSID retrieves a security identifier sid for the account
197// and the name of the domain on which the account was found.
198// System specify target computer to search.
199func LookupSID(system, account string) (sid *SID, domain string, accType uint32, err error) {
200 if len(account) == 0 {
201 return nil, "", 0, syscall.EINVAL
202 }
203 acc, e := UTF16PtrFromString(account)
204 if e != nil {
205 return nil, "", 0, e
206 }
207 var sys *uint16
208 if len(system) > 0 {
209 sys, e = UTF16PtrFromString(system)
210 if e != nil {
211 return nil, "", 0, e
212 }
213 }
214 n := uint32(50)
215 dn := uint32(50)
216 for {
217 b := make([]byte, n)
218 db := make([]uint16, dn)
219 sid = (*SID)(unsafe.Pointer(&b[0]))
220 e = LookupAccountName(sys, acc, sid, &n, &db[0], &dn, &accType)
221 if e == nil {
222 return sid, UTF16ToString(db), accType, nil
223 }
224 if e != ERROR_INSUFFICIENT_BUFFER {
225 return nil, "", 0, e
226 }
227 if n <= uint32(len(b)) {
228 return nil, "", 0, e
229 }
230 }
231}
232
233// String converts sid to a string format
234// suitable for display, storage, or transmission.
235func (sid *SID) String() (string, error) {
236 var s *uint16
237 e := ConvertSidToStringSid(sid, &s)
238 if e != nil {
239 return "", e
240 }
241 defer LocalFree((Handle)(unsafe.Pointer(s)))
242 return UTF16ToString((*[256]uint16)(unsafe.Pointer(s))[:]), nil
243}
244
245// Len returns the length, in bytes, of a valid security identifier sid.
246func (sid *SID) Len() int {
247 return int(GetLengthSid(sid))
248}
249
250// Copy creates a duplicate of security identifier sid.
251func (sid *SID) Copy() (*SID, error) {
252 b := make([]byte, sid.Len())
253 sid2 := (*SID)(unsafe.Pointer(&b[0]))
254 e := CopySid(uint32(len(b)), sid2, sid)
255 if e != nil {
256 return nil, e
257 }
258 return sid2, nil
259}
260
261// LookupAccount retrieves the name of the account for this sid
262// and the name of the first domain on which this sid is found.
263// System specify target computer to search for.
264func (sid *SID) LookupAccount(system string) (account, domain string, accType uint32, err error) {
265 var sys *uint16
266 if len(system) > 0 {
267 sys, err = UTF16PtrFromString(system)
268 if err != nil {
269 return "", "", 0, err
270 }
271 }
272 n := uint32(50)
273 dn := uint32(50)
274 for {
275 b := make([]uint16, n)
276 db := make([]uint16, dn)
277 e := LookupAccountSid(sys, sid, &b[0], &n, &db[0], &dn, &accType)
278 if e == nil {
279 return UTF16ToString(b), UTF16ToString(db), accType, nil
280 }
281 if e != ERROR_INSUFFICIENT_BUFFER {
282 return "", "", 0, e
283 }
284 if n <= uint32(len(b)) {
285 return "", "", 0, e
286 }
287 }
288}
289
William Kurkiandaa6bb22019-03-07 12:26:28 -0500[diff] [blame^]290// Various types of pre-specified sids that can be synthesized at runtime.
291type WELL_KNOWN_SID_TYPE uint32
292
293const (
294 WinNullSid = 0
295 WinWorldSid = 1
296 WinLocalSid = 2
297 WinCreatorOwnerSid = 3
298 WinCreatorGroupSid = 4
299 WinCreatorOwnerServerSid = 5
300 WinCreatorGroupServerSid = 6
301 WinNtAuthoritySid = 7
302 WinDialupSid = 8
303 WinNetworkSid = 9
304 WinBatchSid = 10
305 WinInteractiveSid = 11
306 WinServiceSid = 12
307 WinAnonymousSid = 13
308 WinProxySid = 14
309 WinEnterpriseControllersSid = 15
310 WinSelfSid = 16
311 WinAuthenticatedUserSid = 17
312 WinRestrictedCodeSid = 18
313 WinTerminalServerSid = 19
314 WinRemoteLogonIdSid = 20
315 WinLogonIdsSid = 21
316 WinLocalSystemSid = 22
317 WinLocalServiceSid = 23
318 WinNetworkServiceSid = 24
319 WinBuiltinDomainSid = 25
320 WinBuiltinAdministratorsSid = 26
321 WinBuiltinUsersSid = 27
322 WinBuiltinGuestsSid = 28
323 WinBuiltinPowerUsersSid = 29
324 WinBuiltinAccountOperatorsSid = 30
325 WinBuiltinSystemOperatorsSid = 31
326 WinBuiltinPrintOperatorsSid = 32
327 WinBuiltinBackupOperatorsSid = 33
328 WinBuiltinReplicatorSid = 34
329 WinBuiltinPreWindows2000CompatibleAccessSid = 35
330 WinBuiltinRemoteDesktopUsersSid = 36
331 WinBuiltinNetworkConfigurationOperatorsSid = 37
332 WinAccountAdministratorSid = 38
333 WinAccountGuestSid = 39
334 WinAccountKrbtgtSid = 40
335 WinAccountDomainAdminsSid = 41
336 WinAccountDomainUsersSid = 42
337 WinAccountDomainGuestsSid = 43
338 WinAccountComputersSid = 44
339 WinAccountControllersSid = 45
340 WinAccountCertAdminsSid = 46
341 WinAccountSchemaAdminsSid = 47
342 WinAccountEnterpriseAdminsSid = 48
343 WinAccountPolicyAdminsSid = 49
344 WinAccountRasAndIasServersSid = 50
345 WinNTLMAuthenticationSid = 51
346 WinDigestAuthenticationSid = 52
347 WinSChannelAuthenticationSid = 53
348 WinThisOrganizationSid = 54
349 WinOtherOrganizationSid = 55
350 WinBuiltinIncomingForestTrustBuildersSid = 56
351 WinBuiltinPerfMonitoringUsersSid = 57
352 WinBuiltinPerfLoggingUsersSid = 58
353 WinBuiltinAuthorizationAccessSid = 59
354 WinBuiltinTerminalServerLicenseServersSid = 60
355 WinBuiltinDCOMUsersSid = 61
356 WinBuiltinIUsersSid = 62
357 WinIUserSid = 63
358 WinBuiltinCryptoOperatorsSid = 64
359 WinUntrustedLabelSid = 65
360 WinLowLabelSid = 66
361 WinMediumLabelSid = 67
362 WinHighLabelSid = 68
363 WinSystemLabelSid = 69
364 WinWriteRestrictedCodeSid = 70
365 WinCreatorOwnerRightsSid = 71
366 WinCacheablePrincipalsGroupSid = 72
367 WinNonCacheablePrincipalsGroupSid = 73
368 WinEnterpriseReadonlyControllersSid = 74
369 WinAccountReadonlyControllersSid = 75
370 WinBuiltinEventLogReadersGroup = 76
371 WinNewEnterpriseReadonlyControllersSid = 77
372 WinBuiltinCertSvcDComAccessGroup = 78
373 WinMediumPlusLabelSid = 79
374 WinLocalLogonSid = 80
375 WinConsoleLogonSid = 81
376 WinThisOrganizationCertificateSid = 82
377 WinApplicationPackageAuthoritySid = 83
378 WinBuiltinAnyPackageSid = 84
379 WinCapabilityInternetClientSid = 85
380 WinCapabilityInternetClientServerSid = 86
381 WinCapabilityPrivateNetworkClientServerSid = 87
382 WinCapabilityPicturesLibrarySid = 88
383 WinCapabilityVideosLibrarySid = 89
384 WinCapabilityMusicLibrarySid = 90
385 WinCapabilityDocumentsLibrarySid = 91
386 WinCapabilitySharedUserCertificatesSid = 92
387 WinCapabilityEnterpriseAuthenticationSid = 93
388 WinCapabilityRemovableStorageSid = 94
389 WinBuiltinRDSRemoteAccessServersSid = 95
390 WinBuiltinRDSEndpointServersSid = 96
391 WinBuiltinRDSManagementServersSid = 97
392 WinUserModeDriversSid = 98
393 WinBuiltinHyperVAdminsSid = 99
394 WinAccountCloneableControllersSid = 100
395 WinBuiltinAccessControlAssistanceOperatorsSid = 101
396 WinBuiltinRemoteManagementUsersSid = 102
397 WinAuthenticationAuthorityAssertedSid = 103
398 WinAuthenticationServiceAssertedSid = 104
399 WinLocalAccountSid = 105
400 WinLocalAccountAndAdministratorSid = 106
401 WinAccountProtectedUsersSid = 107
402 WinCapabilityAppointmentsSid = 108
403 WinCapabilityContactsSid = 109
404 WinAccountDefaultSystemManagedSid = 110
405 WinBuiltinDefaultSystemManagedGroupSid = 111
406 WinBuiltinStorageReplicaAdminsSid = 112
407 WinAccountKeyAdminsSid = 113
408 WinAccountEnterpriseKeyAdminsSid = 114
409 WinAuthenticationKeyTrustSid = 115
410 WinAuthenticationKeyPropertyMFASid = 116
411 WinAuthenticationKeyPropertyAttestationSid = 117
412 WinAuthenticationFreshKeyAuthSid = 118
413 WinBuiltinDeviceOwnersSid = 119
414)
415
416// Creates a sid for a well-known predefined alias, generally using the constants of the form
417// Win*Sid, for the local machine.
418func CreateWellKnownSid(sidType WELL_KNOWN_SID_TYPE) (*SID, error) {
419 return CreateWellKnownDomainSid(sidType, nil)
420}
421
422// Creates a sid for a well-known predefined alias, generally using the constants of the form
423// Win*Sid, for the domain specified by the domainSid parameter.
424func CreateWellKnownDomainSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID) (*SID, error) {
425 n := uint32(50)
426 for {
427 b := make([]byte, n)
428 sid := (*SID)(unsafe.Pointer(&b[0]))
429 err := createWellKnownSid(sidType, domainSid, sid, &n)
430 if err == nil {
431 return sid, nil
432 }
433 if err != ERROR_INSUFFICIENT_BUFFER {
434 return nil, err
435 }
436 if n <= uint32(len(b)) {
437 return nil, err
438 }
439 }
440}
441
sslobodrd046be82019-01-16 10:02:22 -0500[diff] [blame]442const (
443 // do not reorder
444 TOKEN_ASSIGN_PRIMARY = 1 << iota
445 TOKEN_DUPLICATE
446 TOKEN_IMPERSONATE
447 TOKEN_QUERY
448 TOKEN_QUERY_SOURCE
449 TOKEN_ADJUST_PRIVILEGES
450 TOKEN_ADJUST_GROUPS
451 TOKEN_ADJUST_DEFAULT
452 TOKEN_ADJUST_SESSIONID
453
454 TOKEN_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
455 TOKEN_ASSIGN_PRIMARY |
456 TOKEN_DUPLICATE |
457 TOKEN_IMPERSONATE |
458 TOKEN_QUERY |
459 TOKEN_QUERY_SOURCE |
460 TOKEN_ADJUST_PRIVILEGES |
461 TOKEN_ADJUST_GROUPS |
462 TOKEN_ADJUST_DEFAULT |
463 TOKEN_ADJUST_SESSIONID
464 TOKEN_READ = STANDARD_RIGHTS_READ | TOKEN_QUERY
465 TOKEN_WRITE = STANDARD_RIGHTS_WRITE |
466 TOKEN_ADJUST_PRIVILEGES |
467 TOKEN_ADJUST_GROUPS |
468 TOKEN_ADJUST_DEFAULT
469 TOKEN_EXECUTE = STANDARD_RIGHTS_EXECUTE
470)
471
472const (
473 // do not reorder
474 TokenUser = 1 + iota
475 TokenGroups
476 TokenPrivileges
477 TokenOwner
478 TokenPrimaryGroup
479 TokenDefaultDacl
480 TokenSource
481 TokenType
482 TokenImpersonationLevel
483 TokenStatistics
484 TokenRestrictedSids
485 TokenSessionId
486 TokenGroupsAndPrivileges
487 TokenSessionReference
488 TokenSandBoxInert
489 TokenAuditPolicy
490 TokenOrigin
491 TokenElevationType
492 TokenLinkedToken
493 TokenElevation
494 TokenHasRestrictions
495 TokenAccessInformation
496 TokenVirtualizationAllowed
497 TokenVirtualizationEnabled
498 TokenIntegrityLevel
499 TokenUIAccess
500 TokenMandatoryPolicy
501 TokenLogonSid
502 MaxTokenInfoClass
503)
504
505type SIDAndAttributes struct {
506 Sid *SID
507 Attributes uint32
508}
509
510type Tokenuser struct {
511 User SIDAndAttributes
512}
513
514type Tokenprimarygroup struct {
515 PrimaryGroup *SID
516}
517
518type Tokengroups struct {
519 GroupCount uint32
520 Groups [1]SIDAndAttributes
521}
522
523// Authorization Functions
524//sys checkTokenMembership(tokenHandle Token, sidToCheck *SID, isMember *int32) (err error) = advapi32.CheckTokenMembership
525//sys OpenProcessToken(h Handle, access uint32, token *Token) (err error) = advapi32.OpenProcessToken
526//sys GetTokenInformation(t Token, infoClass uint32, info *byte, infoLen uint32, returnedLen *uint32) (err error) = advapi32.GetTokenInformation
527//sys GetUserProfileDirectory(t Token, dir *uint16, dirLen *uint32) (err error) = userenv.GetUserProfileDirectoryW
William Kurkiandaa6bb22019-03-07 12:26:28 -0500[diff] [blame^]528//sys getSystemDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetSystemDirectoryW
sslobodrd046be82019-01-16 10:02:22 -0500[diff] [blame]529
530// An access token contains the security information for a logon session.
531// The system creates an access token when a user logs on, and every
532// process executed on behalf of the user has a copy of the token.
533// The token identifies the user, the user's groups, and the user's
534// privileges. The system uses the token to control access to securable
535// objects and to control the ability of the user to perform various
536// system-related operations on the local computer.
537type Token Handle
538
539// OpenCurrentProcessToken opens the access token
540// associated with current process.
541func OpenCurrentProcessToken() (Token, error) {
542 p, e := GetCurrentProcess()
543 if e != nil {
544 return 0, e
545 }
546 var t Token
547 e = OpenProcessToken(p, TOKEN_QUERY, &t)
548 if e != nil {
549 return 0, e
550 }
551 return t, nil
552}
553
554// Close releases access to access token.
555func (t Token) Close() error {
556 return CloseHandle(Handle(t))
557}
558
559// getInfo retrieves a specified type of information about an access token.
560func (t Token) getInfo(class uint32, initSize int) (unsafe.Pointer, error) {
561 n := uint32(initSize)
562 for {
563 b := make([]byte, n)
564 e := GetTokenInformation(t, class, &b[0], uint32(len(b)), &n)
565 if e == nil {
566 return unsafe.Pointer(&b[0]), nil
567 }
568 if e != ERROR_INSUFFICIENT_BUFFER {
569 return nil, e
570 }
571 if n <= uint32(len(b)) {
572 return nil, e
573 }
574 }
575}
576
577// GetTokenUser retrieves access token t user account information.
578func (t Token) GetTokenUser() (*Tokenuser, error) {
579 i, e := t.getInfo(TokenUser, 50)
580 if e != nil {
581 return nil, e
582 }
583 return (*Tokenuser)(i), nil
584}
585
586// GetTokenGroups retrieves group accounts associated with access token t.
587func (t Token) GetTokenGroups() (*Tokengroups, error) {
588 i, e := t.getInfo(TokenGroups, 50)
589 if e != nil {
590 return nil, e
591 }
592 return (*Tokengroups)(i), nil
593}
594
595// GetTokenPrimaryGroup retrieves access token t primary group information.
596// A pointer to a SID structure representing a group that will become
597// the primary group of any objects created by a process using this access token.
598func (t Token) GetTokenPrimaryGroup() (*Tokenprimarygroup, error) {
599 i, e := t.getInfo(TokenPrimaryGroup, 50)
600 if e != nil {
601 return nil, e
602 }
603 return (*Tokenprimarygroup)(i), nil
604}
605
606// GetUserProfileDirectory retrieves path to the
607// root directory of the access token t user's profile.
608func (t Token) GetUserProfileDirectory() (string, error) {
609 n := uint32(100)
610 for {
611 b := make([]uint16, n)
612 e := GetUserProfileDirectory(t, &b[0], &n)
613 if e == nil {
614 return UTF16ToString(b), nil
615 }
616 if e != ERROR_INSUFFICIENT_BUFFER {
617 return "", e
618 }
619 if n <= uint32(len(b)) {
620 return "", e
621 }
622 }
623}
624
William Kurkiandaa6bb22019-03-07 12:26:28 -0500[diff] [blame^]625// GetSystemDirectory retrieves path to current location of the system
626// directory, which is typically, though not always, C:\Windows\System32.
627func GetSystemDirectory() (string, error) {
628 n := uint32(MAX_PATH)
629 for {
630 b := make([]uint16, n)
631 l, e := getSystemDirectory(&b[0], n)
632 if e != nil {
633 return "", e
634 }
635 if l <= n {
636 return UTF16ToString(b[:l]), nil
637 }
638 n = l
639 }
640}
641
sslobodrd046be82019-01-16 10:02:22 -0500[diff] [blame]642// IsMember reports whether the access token t is a member of the provided SID.
643func (t Token) IsMember(sid *SID) (bool, error) {
644 var b int32
645 if e := checkTokenMembership(t, sid, &b); e != nil {
646 return false, e
647 }
648 return b != 0, nil
649}