From 1ee6873cc77c166e0594f741b9f01459a445f1a1 Mon Sep 17 00:00:00 2001 From: David Hall Date: Tue, 14 Aug 2018 11:02:20 -0600 Subject: [PATCH] Updated documentation --- PInvoke/Security/AdvApi32/NTLsa.cs | 3 + PInvoke/Security/AdvApi32/NTSecApi.cs | 15 + PInvoke/Security/AdvApi32/WinBase.cs | 104 +- PInvoke/Security/AdvApi32/WinCred.cs | 639 +++++++++-- PInvoke/Security/AdvApi32/WinNT.RegSvc.cs | 2 + PInvoke/Security/AdvApi32/WinNT.cs | 27 +- PInvoke/Security/AdvApi32/WinReg.cs | 2 +- PInvoke/Security/AdvApi32/WinSvc.cs | 33 + PInvoke/Security/Authz/Authz.cs | 1683 ++++++++++++++++++++--------- PInvoke/Security/Secur32/NTSecApi.cs | 1 + PInvoke/Shared/WinError/HRESULT.Values.cs | 9 + 11 files changed, 1873 insertions(+), 645 deletions(-) diff --git a/PInvoke/Security/AdvApi32/NTLsa.cs b/PInvoke/Security/AdvApi32/NTLsa.cs index d2893db3..77b7cace 100644 --- a/PInvoke/Security/AdvApi32/NTLsa.cs +++ b/PInvoke/Security/AdvApi32/NTLsa.cs @@ -8,6 +8,7 @@ namespace Vanara.PInvoke { public static partial class AdvApi32 { + /// Access mask for accounts. [Flags] [PInvokeData("ntlsa.h")] public enum LsaAccountAccessMask : uint @@ -48,6 +49,7 @@ namespace Vanara.PInvoke ACCOUNT_EXECUTE = ACCESS_MASK.STANDARD_RIGHTS_EXECUTE, } + /// Flags used by LsaLookupNames2. [Flags] [PInvokeData("ntlsa.h")] public enum LsaLookupNamesFlags : uint @@ -59,6 +61,7 @@ namespace Vanara.PInvoke LSA_LOOKUP_ISOLATED_AS_LOCAL = 0x80000000 } + /// Flags used by LsaLookupSids2. [Flags] [PInvokeData("ntlsa.h")] public enum LsaLookupSidsFlags : uint diff --git a/PInvoke/Security/AdvApi32/NTSecApi.cs b/PInvoke/Security/AdvApi32/NTSecApi.cs index ba37cab1..26927483 100644 --- a/PInvoke/Security/AdvApi32/NTSecApi.cs +++ b/PInvoke/Security/AdvApi32/NTSecApi.cs @@ -9,6 +9,7 @@ using Vanara.InteropServices; namespace Vanara.PInvoke { + /// Functions, enumerations and structures found in ADVAPI32.DLL. public static partial class AdvApi32 { /// The Policy object has the following object-specific access types: @@ -295,6 +296,12 @@ namespace Vanara.PInvoke return mem.DangerousGetHandle().ToIEnum(cnt).Select(u => PSID.CreateFromPtr(u.Sid)); } + /// Gets system access for an account. + /// The account handle. + /// The system access. + /// + /// If the function succeeds, the function returns one of the following NTSTATUS values. + /// [DllImport(Lib.AdvApi32, ExactSpelling = true)] public static extern uint LsaGetSystemAccessAccount(SafeLsaPolicyHandle AccountHandle, out int SystemAccess); @@ -641,6 +648,14 @@ namespace Vanara.PInvoke // public static extern uint LsaNtStatusToWinError(NTSTATUS Status); public static extern Win32Error LsaNtStatusToWinError(uint Status); + /// + /// Undocumented. Opens an account. + /// + /// The policy handle. + /// The account sid. + /// The desired access. + /// The account handle. + /// NTSTATUS [DllImport(Lib.AdvApi32, ExactSpelling = true)] public static extern uint LsaOpenAccount(SafeLsaPolicyHandle PolicyHandle, PSID AccountSid, LsaAccountAccessMask DesiredAccess, out SafeLsaPolicyHandle AccountHandle); diff --git a/PInvoke/Security/AdvApi32/WinBase.cs b/PInvoke/Security/AdvApi32/WinBase.cs index 100732ee..b12b78a3 100644 --- a/PInvoke/Security/AdvApi32/WinBase.cs +++ b/PInvoke/Security/AdvApi32/WinBase.cs @@ -192,63 +192,103 @@ namespace Vanara.PInvoke [In, MarshalAs(UnmanagedType.Bool)] bool DisableAllPrivileges, [In] SafeCoTaskMemHandle NewState, [In] uint BufferLength, [In, Out] SafeCoTaskMemHandle PreviousState, [In, Out] ref uint ReturnLength); - /// The AllocateLocallyUniqueId function allocates a locally unique identifier (LUID). - /// A pointer to a LUID structure that receives the allocated LUID. - /// If the function fails, the return value is zero. To get extended error information, call GetLastError. + /// The AllocateLocallyUniqueId function allocates a locally unique identifier (LUID). + /// A pointer to a LUID structure that receives the allocated LUID. + /// + /// If the function succeeds, the return value is nonzero. + /// If the function fails, the return value is zero. To get extended error information, call GetLastError. + /// + // BOOL WINAPI AllocateLocallyUniqueId( _Out_ PLUID Luid); https://msdn.microsoft.com/en-us/library/windows/desktop/aa375260(v=vs.85).aspx [DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)] + [PInvokeData("Winbase.h", MSDNShortId = "aa375260")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool AllocateLocallyUniqueId(out LUID Luid); - /// The DuplicateToken function creates a new access token that duplicates one already in existence. - /// A handle to an access token opened with TOKEN_DUPLICATE access. + /// The DuplicateToken function creates a new access token that duplicates one already in existence. + /// A handle to an access token opened with TOKEN_DUPLICATE access. /// - /// Specifies a SECURITY_IMPERSONATION_LEVEL enumerated type that supplies the impersonation level of the new token. + /// Specifies a SECURITY_IMPERSONATION_LEVEL enumerated type that supplies the impersonation level of the new token. /// - /// + /// + /// /// A pointer to a variable that receives a handle to the duplicate token. This handle has TOKEN_IMPERSONATE and TOKEN_QUERY access - /// to the new token. When you have finished using the new token, call the CloseHandle function to close the token handle. + /// to the new token. + /// + /// When you have finished using the new token, call the CloseHandle function to close the token handle. /// /// - /// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error - /// information, call GetLastError. + /// If the function succeeds, the return value is nonzero. + /// If the function fails, the return value is zero. To get extended error information, call GetLastError. /// - [DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)] + // BOOL WINAPI DuplicateToken( _In_ HANDLE ExistingTokenHandle, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _Out_ PHANDLE + // DuplicateTokenHandle); https://msdn.microsoft.com/en-us/library/windows/desktop/aa446616(v=vs.85).aspx + [DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)] + [PInvokeData("Winbase.h", MSDNShortId = "aa446616")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool DuplicateToken(SafeTokenHandle existingObjectHandle, - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, out SafeTokenHandle duplicateObjectHandle); + public static extern bool DuplicateToken(SafeTokenHandle ExistingTokenHandle, + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, out SafeTokenHandle DuplicateTokenHandle); /// - /// The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create either a - /// primary token or an impersonation token. + /// The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create + /// either a primary token or an impersonation token. /// /// A handle to an access token opened with TOKEN_DUPLICATE access. /// - /// Specifies the requested access rights for the new token. The DuplicateTokenEx function compares the requested access rights with - /// the existing token's discretionary access control list (DACL) to determine which rights are granted or denied. To request the - /// same access rights as the existing token, specify zero. To request all access rights that are valid for the caller, specify MAXIMUM_ALLOWED. + /// + /// Specifies the requested access rights for the new token. The DuplicateTokenEx function compares the requested access + /// rights with the existing token's discretionary access control list (DACL) to determine which rights are granted or denied. To + /// request the same access rights as the existing token, specify zero. To request all access rights that are valid for the caller, + /// specify MAXIMUM_ALLOWED. + /// + /// For a list of access rights for access tokens, see Access Rights for Access-Token Objects. /// /// - /// A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new token and determines whether child - /// processes can inherit the token. If lpTokenAttributes is NULL, the token gets a default security descriptor and the handle cannot - /// be inherited. If the security descriptor contains a system access control list (SACL), the token gets ACCESS_SYSTEM_SECURITY - /// access right, even if it was not requested in dwDesiredAccess. /// - /// To set the owner in the security descriptor for the new token, the caller's process token must have the SE_RESTORE_NAME privilege set. + /// A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new token and determines whether + /// child processes can inherit the token. If lpTokenAttributes is NULL, the token gets a default security descriptor and the + /// handle cannot be inherited. If the security descriptor contains a system access control list (SACL), the token gets + /// ACCESS_SYSTEM_SECURITY access right, even if it was not requested in dwDesiredAccess. + /// + /// + /// To set the owner in the security descriptor for the new token, the caller's process token must have the SE_RESTORE_NAME + /// privilege set. /// /// /// - /// Specifies a value from the SECURITY_IMPERSONATION_LEVEL enumeration that indicates the impersonation level of the new token. + /// Specifies a value from the SECURITY_IMPERSONATION_LEVEL enumeration that indicates the impersonation level of the new token. + /// + /// + /// Specifies one of the following values from the TOKEN_TYPE enumeration. + /// + /// + /// + /// Value + /// Meaning + /// + /// + /// TokenPrimary + /// The new token is a primary token that you can use in the CreateProcessAsUser function. + /// + /// + /// TokenImpersonation + /// The new token is an impersonation token. + /// + /// + /// /// - /// Specifies one of the values from the TOKEN_TYPE enumeration. /// - /// A pointer to a HANDLE variable that receives the new token. When you have finished using the new token, call the CloseHandle - /// function to close the token handle. + /// A pointer to a HANDLE variable that receives the new token. + /// When you have finished using the new token, call the CloseHandle function to close the token handle. /// /// - /// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error - /// information, call GetLastError. + /// If the function succeeds, the function returns a nonzero value. + /// If the function fails, it returns zero. To get extended error information, call GetLastError. /// - [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail), DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)] + // BOOL WINAPI DuplicateTokenEx( _In_ HANDLE hExistingToken, _In_ DWORD dwDesiredAccess, _In_opt_ LPSECURITY_ATTRIBUTES + // lpTokenAttributes, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE phNewToken); https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] + [DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)] + [PInvokeData("Winbase.h", MSDNShortId = "aa446617")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool DuplicateTokenEx(SafeTokenHandle hExistingToken, TokenAccess dwDesiredAccess, SECURITY_ATTRIBUTES lpTokenAttributes, SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType, out SafeTokenHandle phNewToken); @@ -800,8 +840,6 @@ namespace Vanara.PInvoke // lpSystemName, PLUID lpLuid, LPSTR lpName, LPDWORD cchName ); [DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false, ThrowOnUnmappableChar = true)] [PInvokeData("winbase.h", MSDNShortId = "580fb58f-1470-4389-9f07-8f37403e2bdf")] - // [return: MarshalAs(UnmanagedType.Bool)] public static extern bool LookupPrivilegeName( string lpSystemName, PLUID lpLuid, - // StringBuilder lpName, ref uint cchName); [return: MarshalAs(UnmanagedType.Bool)] public static extern bool LookupPrivilegeName(string lpSystemName, ref LUID lpLuid, StringBuilder lpName, ref int cchName); @@ -911,8 +949,6 @@ namespace Vanara.PInvoke // BOOL WINAPI OpenThreadToken( _In_ HANDLE ThreadHandle, _In_ DWORD DesiredAccess, _In_ BOOL OpenAsSelf, _Out_ PHANDLE TokenHandle); https://msdn.microsoft.com/en-us/library/windows/desktop/aa379296(v=vs.85).aspx [DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)] [PInvokeData("Winbase.h", MSDNShortId = "aa379296")] - // [return: MarshalAs(UnmanagedType.Bool)] public static extern bool WINAPI OpenThreadToken([In] IntPtr ThreadHandle, [In] uint - // DesiredAccess, [In] [MarshalAs(UnmanagedType.Bool)] bool OpenAsSelf, [Out] ref IntPtr TokenHandle); [return: MarshalAs(UnmanagedType.Bool)] public static extern bool OpenThreadToken([In] IntPtr ThreadHandle, TokenAccess DesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool OpenAsSelf, out SafeTokenHandle TokenHandle); diff --git a/PInvoke/Security/AdvApi32/WinCred.cs b/PInvoke/Security/AdvApi32/WinCred.cs index 24281e5f..d3346f57 100644 --- a/PInvoke/Security/AdvApi32/WinCred.cs +++ b/PInvoke/Security/AdvApi32/WinCred.cs @@ -8,181 +8,614 @@ namespace Vanara.PInvoke { public static partial class AdvApi32 { + /// Type of credential used by CREDENTIAL structure. public enum CredentialType { - /// The credential is a generic credential. The credential will not be used by any particular authentication package. The credential will be stored securely but has no other significant characteristics. + /// + /// The credential is a generic credential. The credential will not be used by any particular authentication package. The + /// credential will be stored securely but has no other significant characteristics. + /// CRED_TYPE_GENERIC = 1, - /// The credential is a password credential and is specific to Microsoft's authentication packages. The NTLM, Kerberos, and Negotiate authentication packages will automatically use this credential when connecting to the named target. + + /// + /// The credential is a password credential and is specific to Microsoft's authentication packages. The NTLM, Kerberos, and + /// Negotiate authentication packages will automatically use this credential when connecting to the named target. + /// CRED_TYPE_DOMAIN_PASSWORD = 2, - /// The credential is a certificate credential and is specific to Microsoft's authentication packages. The Kerberos, Negotiate, and Schannel authentication packages automatically use this credential when connecting to the named target. + + /// + /// The credential is a certificate credential and is specific to Microsoft's authentication packages. The Kerberos, Negotiate, + /// and Schannel authentication packages automatically use this credential when connecting to the named target. + /// CRED_TYPE_DOMAIN_CERTIFICATE = 3, - /// This value is no longer supported. - /// Windows Server 2003 and Windows XP: The credential is a password credential and is specific to authentication packages from Microsoft. The Passport authentication package will automatically use this credential when connecting to the named target. - /// Additional values will be defined in the future. Applications should be written to allow for credential types they do not understand. + + /// + /// This value is no longer supported. + /// + /// Windows Server 2003 and Windows XP: The credential is a password credential and is specific to authentication packages + /// from Microsoft. The Passport authentication package will automatically use this credential when connecting to the named target. + /// + /// + /// Additional values will be defined in the future. Applications should be written to allow for credential types they do not understand. + /// + /// CRED_TYPE_DOMAIN_VISIBLE_PASSWORD = 4, - /// The credential is a certificate credential that is a generic authentication package. - /// Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + + /// + /// The credential is a certificate credential that is a generic authentication package. + /// Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + /// CRED_TYPE_GENERIC_CERTIFICATE = 5, - /// The credential is supported by extended Negotiate packages. - /// Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + + /// + /// The credential is supported by extended Negotiate packages. + /// Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + /// CRED_TYPE_DOMAIN_EXTENDED = 6 } - /// The CredFree function frees a buffer returned by any of the credentials management functions. - /// Pointer to the buffer to be freed. - [DllImport(Lib.AdvApi32, ExactSpelling = true)] + /// + /// The CredFree function frees a buffer returned by any of the credentials management functions. + /// + /// + /// Pointer to the buffer to be freed. + /// + /// + /// This function does not return a value. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credfree void CredFree( PVOID Buffer ); + [DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)] + [PInvokeData("wincred.h", MSDNShortId = "bc33ab1b-dd3f-4e1b-96d2-e32ceff89ada")] public static extern void CredFree(IntPtr Buffer); - /// The CredGetTargetInfo function retrieves all known target name information for the named target computer. This executed locally and does not need any particular privilege. The information returned is expected to be passed to the CredReadDomainCredentials and CredWriteDomainCredentials functions. The information should not be used for any other purpose. - /// Authentication packages compute TargetInfo when attempting to authenticate to a TargetName. The authentication packages cache this target information to make it available to CredGetTargetInfo. Therefore, the target information will only be available from a recent attempt to authenticate a TargetName. - /// Authentication packages not in the LSA process can cache a TargetInfo for later retrieval by CredGetTargetInfo by calling CredReadDomainCredentials with the CRED_CACHE_TARGET_INFORMATION flag. - /// Pointer to a null-terminated string that contains the name of the target computer for which information is to be retrieved. - /// Flags controlling the operation of the function. The following flag can be used: - /// CRED_ALLOW_NAME_RESOLUTION = 0x1 - /// If no target information can be found for TargetName name resolution is done on TargetName to convert it to other forms. If target information exists for any of those other forms, it is returned. Currently only DNS name resolution is done. - /// This is useful if the application does not call an authentication package directly. The application can pass the TargetName to another layer of software to authenticate to the server, and that layer of software might resolve the name and pass the resolved name to the authentication package. As such, there will be no target information for the original TargetName. - /// Pointer to a single allocated block buffer to contain the target information. At least one of the returned members of TargetInfo will be non-NULL. Any pointers contained within the buffer are pointers to locations within this single allocated block. The single returned buffer must be freed by calling CredFree. - /// The function returns TRUE on success and FALSE on failure. The GetLastError function can be called to get a more specific status code. The following status code can be returned: + /// + /// + /// The CredGetTargetInfo function retrieves all known target name information for the named target computer. This executed + /// locally and does not need any particular privilege. The information returned is expected to be passed to the + /// CredReadDomainCredentials and CredWriteDomainCredentials functions. The information should not be used for any other purpose. + /// + /// + /// Authentication packages compute TargetInfo when attempting to authenticate to a TargetName. The authentication packages cache + /// this target information to make it available to CredGetTargetInfo. Therefore, the target information will only be + /// available from a recent attempt to authenticate a TargetName. + /// + /// + /// Authentication packages not in the LSA process can cache a TargetInfo for later retrieval by CredGetTargetInfo by calling + /// CredReadDomainCredentials with the CRED_CACHE_TARGET_INFORMATION flag. + /// + /// + /// + /// Pointer to a null-terminated string that contains the name of the target computer for which information is to be retrieved. + /// + /// + /// Flags controlling the operation of the function. The following flag can be used: + /// CRED_ALLOW_NAME_RESOLUTION + /// + /// If no target information can be found for TargetName name resolution is done on TargetName to convert it to other forms. If + /// target information exists for any of those other forms, it is returned. Currently only DNS name resolution is done. + /// + /// + /// This is useful if the application does not call an authentication package directly. The application can pass the TargetName to + /// another layer of software to authenticate to the server, and that layer of software might resolve the name and pass the resolved + /// name to the authentication package. As such, there will be no target information for the original TargetName. + /// + /// + /// + /// + /// Pointer to a single allocated block buffer to contain the target information. At least one of the returned members of TargetInfo + /// will be non-NULL. Any pointers contained within the buffer are pointers to locations within this single allocated block. The + /// single returned buffer must be freed by calling CredFree. + /// + /// + /// + /// + /// The function returns TRUE on success and FALSE on failure. The GetLastError function can be called to get a more + /// specific status code. The following status code can be returned: + /// /// - /// ERROR_NOT_FOUNDTarget information for the named server is not available. - /// - [DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true)] + /// + /// ERROR_NOT_FOUND + /// + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credgettargetinfoa BOOL CredGetTargetInfoA( LPCSTR + // TargetName, DWORD Flags, PCREDENTIAL_TARGET_INFORMATIONA *TargetInfo ); + [DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)] + [PInvokeData("wincred.h", MSDNShortId = "14dca0af-72d7-4ca8-84bb-c7040c5b5fb9")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CredGetTargetInfo(string TargetName, uint Flags, out SafeCredMemoryHandle TargetInfo); - /// The CredReadDomainCredentials function reads the domain credentials from the user's credential set. The credential set used is the one associated with the logon session of the current token. The token must not have the user's SID disabled. - /// Target information that identifies the target server. At least one of the naming members must not be NULL: NetbiosServerName, DnsServerName, NetbiosDomainName, DnsDomainName or DnsTreeName. - /// Flags controlling the operation of the function. + /// + /// + /// The CredReadDomainCredentials function reads the domain credentials from the user's credential set. The credential set + /// used is the one associated with the logon session of the current token. The token must not have the user's SID disabled. + /// + /// + /// + /// + /// Target information that identifies the target server. At least one of the naming members must not be NULL: + /// NetbiosServerName, DnsServerName, NetbiosDomainName, DnsDomainName or DnsTreeName. + /// + /// + /// + /// Flags controlling the operation of the function. /// The following flag is defined: + /// CRED_CACHE_TARGET_INFORMATION + /// Cache the TargetInfo for a subsequent read using CredGetTargetInfo. + /// + /// + /// Count of the credentials returned in the Credentials array. + /// + /// + /// + /// Pointer to an array of pointers to credentials. The most specific existing credential matching the TargetInfo is returned. If + /// credentials of various types (for example, CRED_TYPE_DOMAIN_PASSWORD and CRED_TYPE_DOMAIN_CERTIFICATE credentials) exist, one of + /// each type is returned. If a connection were to be made to the named target, this most-specific credential would be used. + /// + /// + /// Only those credential types specified by the TargetInfo.CredTypes array are returned. The returned Credentials array is sorted in + /// the same order as the TargetInfo.CredTypes array. That is, authentication packages specify a preferred credential type by + /// specifying it earlier in the TargetInfo.CredTypes array.If TargetInfo.CredTypeCount is zero, the Credentials array is returned in + /// the following sorted order: + /// /// - /// CRED_CACHE_TARGET_INFORMATION (0x1)Cache the TargetInfo for a subsequent read using CredGetTargetInfo. - /// - /// Count of the credentials returned in the Credentials array. - /// Pointer to an array of pointers to credentials. The most specific existing credential matching the TargetInfo is returned. If credentials of various types (for example, CRED_TYPE_DOMAIN_PASSWORD and CRED_TYPE_DOMAIN_CERTIFICATE credentials) exist, one of each type is returned. If a connection were to be made to the named target, this most-specific credential would be used. - /// Only those credential types specified by the TargetInfo.CredTypes array are returned. The returned Credentials array is sorted in the same order as the TargetInfo.CredTypes array. That is, authentication packages specify a preferred credential type by specifying it earlier in the TargetInfo.CredTypes array. - /// If TargetInfo.CredTypeCount is zero, the Credentials array is returned in the following sorted order: - /// - /// CRED_TYPE_DOMAIN_CERTIFICATE - /// CRED_TYPE_DOMAIN_PASSWORD + /// + /// CRED_TYPE_DOMAIN_CERTIFICATE + /// + /// + /// CRED_TYPE_DOMAIN_PASSWORD + /// /// - /// The returned buffer is a single allocated block. Any pointers contained within the buffer are pointers to locations within this single allocated block. The single returned buffer must be freed by calling CredFree. - /// The function returns TRUE on success and FALSE on failure. The GetLastError function can be called to get a more specific status code. The following status codes can be returned: + /// + /// The returned buffer is a single allocated block. Any pointers contained within the buffer are pointers to locations within this + /// single allocated block. The single returned buffer must be freed by calling CredFree. + /// + /// + /// + /// + /// The function returns TRUE on success and FALSE on failure. The GetLastError function can be called to get a more + /// specific status code. The following status codes can be returned: + /// /// - /// ERROR_INVALID_PARAMETERNone of the naming parameters were specified. - /// ERROR_NOT_FOUNDThere are no credentials matching the specified naming parameters. - /// ERROR_NO_SUCH_LOGON_SESSIONThe logon session does not exist or there is no credential set associated with this logon session. Network logon sessions do not have an associated credential set. - /// ERROR_INVALID_FLAGSA flag that is not valid was specified for the Flags parameter. + /// + /// ERROR_INVALID_PARAMETER + /// + /// + /// ERROR_NOT_FOUND + /// + /// + /// ERROR_NO_SUCH_LOGON_SESSION + /// + /// + /// ERROR_INVALID_FLAGS + /// /// /// - [DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true)] - [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool CredReadDomainCredentials(ref CREDENTIAL_TARGET_INFORMATION TargetInfo, uint Flags, out uint Count, out SafeCredMemoryHandle Credentials); - - /// The CredWriteDomainCredentials function writes domain credentials to the user's credential set. The credential set used is the one associated with the logon session of the current token. The token must not have the user's SID disabled. - /// Identifies the target server. At least one of the naming members must be non-NULL and can be NetbiosServerName, DnsServerName, NetbiosDomainName, DnsDomainName, or DnsTreeName. - /// Credential to be written. The credential must be one that matches TargetInfo For instance, if the TargetName is a wildcard DNS name, then the TargetName member of the credential must be a postfix of the DnsServerName member from the TargetInfo. - /// Flags to control the operation of the API. The following flag is defined. + /// + /// + /// This function returns the most specific credentials matching the naming parameters. For instance, if there is a credential that + /// matches the target server name and a credential that matches the target domain name, only the server specific credential is + /// returned. This is the credential that would be used. + /// + /// + /// The following list specifies the order (from most specific to least specific) of what credential is returned if more than one matches: + /// /// - /// CRED_PRESERVE_CREDENTIAL_BLOB (0x1)The credential BLOB should be preserved from the already existing credential with the same credential name and credential type. The CredentialBlobSize of the passed in Credential structure must be zero. - /// - /// If the function succeeds, the function returns TRUE. - /// If the function fails, it returns FALSE. Call the GetLastError function to get a more specific status code. The following status codes can be returned. - /// Other smart card errors can be returned when writing a CRED_TYPE_CERTIFICATE credential. - [DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true)] + /// + /// The credential target name is of the form <DfsRoot>\<DfsShare>, and it is an exact match on the TargetName. + /// + /// + /// An exact match on the DnsServerName. + /// + /// + /// An exact match on the NetBIOSServerName. + /// + /// + /// An exact match on TargetName. + /// + /// + /// + /// A match of the DnsServerName to a wildcard server credential. If more than one wildcard server credential matches, the credential + /// with the longer TargetName is used. That is, a credential for *.example.microsoft.com is used instead of a credential for *.microsoft.com. + /// + /// + /// + /// An exact match of the DnsDomainName to a wildcard domain credential of the form <DnsDomainName>\*. + /// + /// + /// An exact match of the NetBIOSDomainName to a wildcard domain credential of the form <NetBIOSDomainName>\* + /// + /// + /// The credential named CRED_SESSION_WILDCARD_NAME. + /// + /// + /// The credential named "*". + /// + /// + /// + /// CredReadDomainCredentials differs from CredRead in that it handles the idiosyncrasies of domain (CRED_TYPE_DOMAIN_PASSWORD + /// or CRED_TYPE_DOMAIN_CERTIFICATE) credentials. Domain credentials contain more than one target member. + /// + /// + /// If the value of the Type member of the CREDENTIAL structure specified by the Credentials parameter is + /// CRED_TYPE_DOMAIN_EXTENDED, a namespace must be specified in the target name. This function can return only one credential + /// of the specified type. + /// + /// + /// This function can return multiple credentials of this type, but CRED_TYPE_DOMAIN_EXTENDED cannot be mixed with other types + /// in the CredTypes member of the CREDENTIAL_TARGET_INFORMATION structure specified by the TargetInfo parameter. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credreaddomaincredentialsa BOOL + // CredReadDomainCredentialsA( PCREDENTIAL_TARGET_INFORMATIONA TargetInfo, DWORD Flags, DWORD *Count, PCREDENTIALA **Credential ); + [DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)] + [PInvokeData("wincred.h", MSDNShortId = "b62cb9c9-2a64-4ef4-97f0-e1ea85976d3e")] + [return: MarshalAs(UnmanagedType.Bool)] + public static extern bool CredReadDomainCredentials(ref CREDENTIAL_TARGET_INFORMATION TargetInfo, uint Flags, out uint Count, out SafeCredMemoryHandle Credential); + + /// + /// + /// The CredWriteDomainCredentials function writes domain credentials to the user's credential set. The credential set used is + /// the one associated with the logon session of the current token. The token must not have the user's SID disabled. + /// + /// + /// + /// + /// Identifies the target server. At least one of the naming members must be non- NULL and can be NetbiosServerName, + /// DnsServerName, NetbiosDomainName, DnsDomainName, or DnsTreeName. + /// + /// + /// + /// Credential to be written. + /// + /// The credential must be one that matches TargetInfo For instance, if the TargetName is a wildcard DNS name, then the + /// TargetName member of the credential must be a postfix of the DnsServerName member from the TargetInfo. + /// + /// + /// + /// Flags to control the operation of the API. The following flag is defined. + /// + /// + /// Value + /// Meaning + /// + /// + /// CRED_PRESERVE_CREDENTIAL_BLOB + /// + /// The credential BLOB should be preserved from the already existing credential with the same credential name and credential type. + /// The CredentialBlobSize of the passed in Credential structure must be zero. + /// + /// + /// + /// + /// + /// If the function succeeds, the function returns TRUE. + /// + /// If the function fails, it returns FALSE. Call the GetLastError function to get a more specific status code. The following + /// status codes can be returned. + /// + /// Other smart card errors can be returned when writing a CRED_TYPE_CERTIFICATE credential. + /// + /// + /// Return code + /// Description + /// + /// + /// ERROR_INVALID_PARAMETER + /// + /// One or more of the parameters are not valid. Either none of the naming parameters were specified, or the credential specified did + /// not have the Type member set to CRED_TYPE_DOMAIN_PASSWORD or CRED_TYPE_DOMAIN_CERTIFICATE, or the Credential does not match the TargetInfo. + /// + /// + /// + /// ERROR_NO_SUCH_LOGON_SESSION + /// + /// The logon session does not exist or there is no credential set associated with this logon session. Network logon sessions do not + /// have an associated credential set. + /// + /// + /// + /// ERROR_INVALID_FLAGS + /// A value that is not valid was specified for the Flags parameter. + /// + /// + /// ERROR_BAD_USERNAME + /// + /// The UserName member of the passed in Credential structure is not valid. For a description of valid syntaxes, see the definition + /// of that member. + /// + /// + /// + /// ERROR_NOT_FOUND + /// CRED_PRESERVE_CREDENTIAL_BLOB was specified and there is no existing credential by the same TargetName and Type. + /// + /// + /// SCARD_E_NO_READERS_AVAILABLE + /// The CRED_TYPE_CERTIFICATE credential being written requires the smart card reader to be available. + /// + /// + /// SCARD_E_NO_SMARTCARD or SCARD_W_REMOVED_CARD: The CRED_TYPE_CERTIFICATE + /// The credential being written requires the smart card to be inserted. + /// + /// + /// SCARD_W_WRONG_CHV + /// The wrong PIN was supplied for the CRED_TYPE_CERTIFICATE credential being written. + /// + /// + /// + /// + /// + /// When this function writes a CRED_TYPE_CERTIFICATE credential, the Credential-> CredentialBlob member specifies the PIN + /// that protects the private key of the certificate specified by the Credential-> UserName. The credential manager does + /// not maintain the PIN. Rather, the PIN is passed to the CSP of the certificate for later use by the CSP and authentication + /// packages. The CSP defines the lifetime of the PIN. For instance, most CSPs flush the PIN upon smart card removal. + /// + /// + /// CredWriteDomainCredentials differs from CredWrite in that it handles the idiosyncrasies of domain + /// (CRED_TYPE_DOMAIN_PASSWORD or CRED_TYPE_DOMAIN_CERTIFICATE) credentials. Domain credentials contain more than one target member. + /// + /// + /// If the value of the Type member of the CREDENTIAL structure specified by the Credential parameter is + /// CRED_TYPE_DOMAIN_EXTENDED, a namespace must be specified in the target name. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credwritedomaincredentialsa BOOL + // CredWriteDomainCredentialsA( PCREDENTIAL_TARGET_INFORMATIONA TargetInfo, PCREDENTIALA Credential, DWORD Flags ); + [DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)] + [PInvokeData("wincred.h", MSDNShortId = "6b54c14f-a736-4fb0-b4e4-97765a792a5e")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CredWriteDomainCredentials(ref CREDENTIAL_TARGET_INFORMATION TargetInfo, ref CREDENTIAL Credential, uint Flags); /// The CREDENTIAL structure contains an individual credential. [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] + [PInvokeData("wincred.h")] public struct CREDENTIAL { /// The flags public uint Flags; + /// The type of the credential. This member cannot be changed after the credential is created. public CredentialType Type; + /// - /// The name of the credential. The TargetName and Type members uniquely identify the credential. This member cannot be changed after the credential is created. Instead, the credential with the old name should be deleted and the credential with the new name created. - /// If Type is CRED_TYPE_DOMAIN_PASSWORD or CRED_TYPE_DOMAIN_CERTIFICATE, this member identifies the server or servers that the credential is to be used for. The member is either a NetBIOS or DNS server name, a DNS host name suffix that contains a wildcard character, a NetBIOS or DNS domain name that contains a wildcard character sequence, or an asterisk. + /// The name of the credential. The TargetName and Type members uniquely identify the credential. This member cannot be changed + /// after the credential is created. Instead, the credential with the old name should be deleted and the credential with the new + /// name created. + /// + /// If Type is CRED_TYPE_DOMAIN_PASSWORD or CRED_TYPE_DOMAIN_CERTIFICATE, this member identifies the server or servers that the + /// credential is to be used for. The member is either a NetBIOS or DNS server name, a DNS host name suffix that contains a + /// wildcard character, a NetBIOS or DNS domain name that contains a wildcard character sequence, or an asterisk. + /// /// If TargetName is a DNS host name, the TargetAlias member can be the NetBIOS name of the host. - /// If the TargetName is a DNS host name suffix that contains a wildcard character, the leftmost label of the DNS host name is an asterisk (*), which denotes that the target name is any server whose name ends in the specified name, for example, *.microsoft.com. - /// If the TargetName is a domain name that contains a wildcard character sequence, the syntax is the domain name followed by a backslash and asterisk (\*), which denotes that the target name is any server that is a member of the named domain (or realm). - /// If TargetName is a DNS domain name that contains a wildcard character sequence, the TargetAlias member can be a NetBIOS domain name that uses a wildcard sequence for the same domain. - /// If TargetName specifies a DFS share, for example, DfsRoot\DfsShare, then this credential matches the specific DFS share and any servers reached through that DFS share. + /// + /// If the TargetName is a DNS host name suffix that contains a wildcard character, the leftmost label of the DNS host name is an + /// asterisk (*), which denotes that the target name is any server whose name ends in the specified name, for example, *.microsoft.com. + /// + /// + /// If the TargetName is a domain name that contains a wildcard character sequence, the syntax is the domain name followed by a + /// backslash and asterisk (\*), which denotes that the target name is any server that is a member of the named domain (or realm). + /// + /// + /// If TargetName is a DNS domain name that contains a wildcard character sequence, the TargetAlias member can be a NetBIOS + /// domain name that uses a wildcard sequence for the same domain. + /// + /// + /// If TargetName specifies a DFS share, for example, DfsRoot\DfsShare, then this credential matches the specific DFS share and + /// any servers reached through that DFS share. + /// /// If TargetName is a single asterisk (*), this credential matches any server name. - /// If TargetName is CRED_SESSION_WILDCARD_NAME, this credential matches any server name. This credential matches before a single asterisk and is only valid if Persist is CRED_PERSIST_SESSION. The credential can be set by applications that want to temporarily override the default credential. + /// + /// If TargetName is CRED_SESSION_WILDCARD_NAME, this credential matches any server name. This credential matches before a single + /// asterisk and is only valid if Persist is CRED_PERSIST_SESSION. The credential can be set by applications that want to + /// temporarily override the default credential. + /// /// This member cannot be longer than CRED_MAX_DOMAIN_TARGET_NAME_LENGTH (337) characters. - /// If the Type is CRED_TYPE_GENERIC, this member should identify the service that uses the credential in addition to the actual target. Microsoft suggests the name be prefixed by the name of the company implementing the service. Microsoft will use the prefix "Microsoft". Services written by Microsoft should append their service name, for example Microsoft_RAS_TargetName. This member cannot be longer than CRED_MAX_GENERIC_TARGET_NAME_LENGTH (32767) characters. + /// + /// If the Type is CRED_TYPE_GENERIC, this member should identify the service that uses the credential in addition to the actual + /// target. Microsoft suggests the name be prefixed by the name of the company implementing the service. Microsoft will use the + /// prefix "Microsoft". Services written by Microsoft should append their service name, for example Microsoft_RAS_TargetName. + /// This member cannot be longer than CRED_MAX_GENERIC_TARGET_NAME_LENGTH (32767) characters. + /// /// This member is case-insensitive. /// public string TargetName; - /// A string comment from the user that describes this credential. This member cannot be longer than CRED_MAX_STRING_LENGTH (256) characters. + + /// + /// A string comment from the user that describes this credential. This member cannot be longer than CRED_MAX_STRING_LENGTH (256) characters. + /// public string Comment; - /// The time, in Coordinated Universal Time (Greenwich Mean Time), of the last modification of the credential. For write operations, the value of this member is ignored. + + /// + /// The time, in Coordinated Universal Time (Greenwich Mean Time), of the last modification of the credential. For write + /// operations, the value of this member is ignored. + /// public FILETIME LastWritten; - /// The size, in bytes, of the CredentialBlob member. This member cannot be larger than CRED_MAX_CREDENTIAL_BLOB_SIZE (512) bytes. + + /// + /// The size, in bytes, of the CredentialBlob member. This member cannot be larger than CRED_MAX_CREDENTIAL_BLOB_SIZE (512) bytes. + /// public uint CredentialBlobSize; - /// Secret data for the credential. The CredentialBlob member can be both read and written. - /// If the Type member is CRED_TYPE_DOMAIN_PASSWORD, this member contains the plaintext Unicode password for UserName. The CredentialBlob and CredentialBlobSize members do not include a trailing zero character. Also, for CRED_TYPE_DOMAIN_PASSWORD, this member can only be read by the authentication packages. - /// If the Type member is CRED_TYPE_DOMAIN_CERTIFICATE, this member contains the clear test Unicode PIN for UserName. The CredentialBlob and CredentialBlobSize members do not include a trailing zero character. Also, this member can only be read by the authentication packages. + + /// + /// Secret data for the credential. The CredentialBlob member can be both read and written. + /// + /// If the Type member is CRED_TYPE_DOMAIN_PASSWORD, this member contains the plaintext Unicode password for UserName. The + /// CredentialBlob and CredentialBlobSize members do not include a trailing zero character. Also, for CRED_TYPE_DOMAIN_PASSWORD, + /// this member can only be read by the authentication packages. + /// + /// + /// If the Type member is CRED_TYPE_DOMAIN_CERTIFICATE, this member contains the clear test Unicode PIN for UserName. The + /// CredentialBlob and CredentialBlobSize members do not include a trailing zero character. Also, this member can only be read by + /// the authentication packages. + /// /// If the Type member is CRED_TYPE_GENERIC, this member is defined by the application. - /// Credentials are expected to be portable. Applications should ensure that the data in CredentialBlob is portable. The application defines the byte-endian and alignment of the data in CredentialBlob. + /// + /// Credentials are expected to be portable. Applications should ensure that the data in CredentialBlob is portable. The + /// application defines the byte-endian and alignment of the data in CredentialBlob. + /// + /// public IntPtr CredentialBlob; - /// Defines the persistence of this credential. This member can be read and written. + + /// + /// Defines the persistence of this credential. This member can be read and written. /// - /// ValueMeaning - /// CRED_PERSIST_SESSION (0x1)The credential persists for the life of the logon session. It will not be visible to other logon sessions of this same user. It will not exist after this user logs off and back on. - /// CRED_PERSIST_LOCAL_MACHINE (0x2)The credential persists for all subsequent logon sessions on this same computer. It is visible to other logon sessions of this same user on this same computer and not visible to logon sessions for this user on other computers. - /// Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter and Windows XP Home Edition: This value is not supported. - /// CRED_PERSIST_ENTERPRISE (0x3)The credential persists for all subsequent logon sessions on this same computer. It is visible to other logon sessions of this same user on this same computer and to logon sessions for this user on other computers. - /// This option can be implemented as locally persisted credential if the administrator or user configures the user account to not have roam-able state. For instance, if the user has no roaming profile, the credential will only persist locally. - /// Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter and Windows XP Home Edition: This value is not supported. - /// + /// + /// Value + /// Meaning + /// + /// + /// CRED_PERSIST_SESSION (0x1) + /// + /// The credential persists for the life of the logon session. It will not be visible to other logon sessions of this same user. + /// It will not exist after this user logs off and back on. + /// + /// + /// + /// CRED_PERSIST_LOCAL_MACHINE (0x2) + /// + /// The credential persists for all subsequent logon sessions on this same computer. It is visible to other logon sessions of + /// this same user on this same computer and not visible to logon sessions for this user on other computers. + /// + /// Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter and Windows XP Home Edition: This value is + /// not supported. + /// + /// + /// + /// + /// CRED_PERSIST_ENTERPRISE (0x3) + /// + /// The credential persists for all subsequent logon sessions on this same computer. It is visible to other logon sessions of + /// this same user on this same computer and to logon sessions for this user on other computers. + /// + /// This option can be implemented as locally persisted credential if the administrator or user configures the user account to + /// not have roam-able state. For instance, if the user has no roaming profile, the credential will only persist locally. + /// + /// + /// Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter and Windows XP Home Edition: This value is + /// not supported. + /// + /// + /// + /// + /// public uint Persist; - /// The number of application-defined attributes to be associated with the credential. This member can be read and written. Its value cannot be greater than CRED_MAX_ATTRIBUTES (64). + + /// + /// The number of application-defined attributes to be associated with the credential. This member can be read and written. Its + /// value cannot be greater than CRED_MAX_ATTRIBUTES (64). + /// public uint AttributeCount; + /// Application-defined attributes that are associated with the credential. This member can be read and written. public IntPtr Attributes; - /// Alias for the TargetName member. This member can be read and written. It cannot be longer than CRED_MAX_STRING_LENGTH (256) characters. - /// If the credential Type is CRED_TYPE_GENERIC, this member can be non-NULL, but the credential manager ignores the member. - public string TargetAlias; - /// The user name of the account used to connect to TargetName. - /// If the credential Type is CRED_TYPE_DOMAIN_PASSWORD, this member can be either a DomainName\UserName or a UPN. - /// If the credential Type is CRED_TYPE_DOMAIN_CERTIFICATE, this member must be a marshaled certificate reference created by calling CredMarshalCredential with a CertCredential. + + /// + /// Alias for the TargetName member. This member can be read and written. It cannot be longer than CRED_MAX_STRING_LENGTH (256) characters. /// If the credential Type is CRED_TYPE_GENERIC, this member can be non-NULL, but the credential manager ignores the member. - /// This member cannot be longer than CRED_MAX_USERNAME_LENGTH (513) characters. + /// + public string TargetAlias; + + /// + /// The user name of the account used to connect to TargetName. + /// If the credential Type is CRED_TYPE_DOMAIN_PASSWORD, this member can be either a DomainName\UserName or a UPN. + /// + /// If the credential Type is CRED_TYPE_DOMAIN_CERTIFICATE, this member must be a marshaled certificate reference created by + /// calling CredMarshalCredential with a CertCredential. + /// + /// If the credential Type is CRED_TYPE_GENERIC, this member can be non-NULL, but the credential manager ignores the member. + /// This member cannot be longer than CRED_MAX_USERNAME_LENGTH (513) characters. + /// public string UserName; } - /// The CREDENTIAL_TARGET_INFORMATION structure contains the target computer's name, domain, and tree. + /// + /// The CREDENTIAL_TARGET_INFORMATION structure contains the target computer's name, domain, and tree. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credential_target_informationa typedef struct + // _CREDENTIAL_TARGET_INFORMATIONA { LPSTR TargetName; LPSTR NetbiosServerName; LPSTR DnsServerName; LPSTR NetbiosDomainName; LPSTR + // DnsDomainName; LPSTR DnsTreeName; LPSTR PackageName; ULONG Flags; DWORD CredTypeCount; LPDWORD CredTypes; } + // CREDENTIAL_TARGET_INFORMATIONA, *PCREDENTIAL_TARGET_INFORMATIONA; + [PInvokeData("wincred.h", MSDNShortId = "92180f2c-ef7c-4481-9b6f-19234c114afb")] [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] public struct CREDENTIAL_TARGET_INFORMATION { - /// Name of the target server as specified by the caller accessing the target. It is typically the NetBIOS or DNS name of the target server. + /// + /// Name of the target server as specified by the caller accessing the target. It is typically the NetBIOS or DNS name of the + /// target server. + /// public string TargetName; + /// NetBIOS name of the target server. If the name is not known, this member can be NULL. public string NetbiosServerName; + /// DNS name of the target server. If the name is not known, this member can be NULL. public string DnsServerName; - /// NetBIOS name of the target server's domain. If the name is not known, this member can be NULL. If the target server is a member of a workgroup, this member must be NULL. + + /// + /// NetBIOS name of the target server's domain. If the name is not known, this member can be NULL. If the target server is a + /// member of a workgroup, this member must be NULL. + /// public string NetbiosDomainName; - /// DNS name of the target server's domain. If the name is not known, this member can be NULL. If the target server is a member of a workgroup, this member must be NULL. + + /// + /// DNS name of the target server's domain. If the name is not known, this member can be NULL. If the target server is a member + /// of a workgroup, this member must be NULL. + /// public string DnsDomainName; - /// DNS name of the target server's tree. If the tree name is not known, this member can be NULL. If the target server is a member of a workgroup, this member must be NULL. + + /// + /// DNS name of the target server's tree. If the tree name is not known, this member can be NULL. If the target server is a + /// member of a workgroup, this member must be NULL. + /// public string DnsTreeName; - /// Name of the authentication package that determined the values NetbiosServerName, DnsServerName, NetbiosDomainName, DnsDomainName, and DnsTreeName as a function of TargetName. This member can be passed to AcquireCredentialsHandle as the package name. + + /// + /// Name of the authentication package that determined the values NetbiosServerName, DnsServerName, NetbiosDomainName, + /// DnsDomainName, and DnsTreeName as a function of TargetName. This member can be passed to AcquireCredentialsHandle as the + /// package name. + /// public string PackageName; - /// Attributes of the target. + + /// + /// Attributes of the target. /// - /// CRED_TI_SERVER_FORMAT_UNKNOWN (0x1)Set if the authentication package cannot determine whether the server name is a DNS name or a NetBIOS name. In that case, the NetbiosServerName member is set to NULL and the DnsServerName member is set to the server name of unknown format. - /// CRED_TI_DOMAIN_FORMAT_UNKNOWN (0x2)Set if the authentication package cannot determine whether the domain name is a DNS name or a NetBIOS name. In that case, the NetbiosDomainName member is set to NULL and the DnsDomainName member is set to the domain name of unknown format. - /// CRED_TI_ONLY_PASSWORD_REQUIRED (0x4)Set if the authentication package has determined that the server only needs a password to authenticate. The caller can use this flag to prompt only for a password and not a user name. + /// + /// CRED_TI_SERVER_FORMAT_UNKNOWN (0x1) + /// + /// Set if the authentication package cannot determine whether the server name is a DNS name or a NetBIOS name. In that case, the + /// NetbiosServerName member is set to NULL and the DnsServerName member is set to the server name of unknown format. + /// + /// + /// + /// CRED_TI_DOMAIN_FORMAT_UNKNOWN (0x2) + /// + /// Set if the authentication package cannot determine whether the domain name is a DNS name or a NetBIOS name. In that case, the + /// NetbiosDomainName member is set to NULL and the DnsDomainName member is set to the domain name of unknown format. + /// + /// + /// + /// CRED_TI_ONLY_PASSWORD_REQUIRED (0x4) + /// + /// Set if the authentication package has determined that the server only needs a password to authenticate. The caller can use + /// this flag to prompt only for a password and not a user name. + /// + /// /// - /// Stored credentials require a UserName member. A value of <DnsServerName>\Guest or <NetbiosServerName>\Guest should be used for these servers. + /// + /// Stored credentials require a UserName member. A value of <DnsServerName>\Guest or <NetbiosServerName>\Guest + /// should be used for these servers. + /// /// public uint Flags; + /// Number of elements in the CredTypes array. public uint CredTypeCount; - /// Array specifying the credential types acceptable by the authentication package used by the target server. Each element is one of the CRED_TYPE_* defines. The order of this array specifies the preference order of the authentication package. More preferable types are specified earlier in the list. + + /// + /// Array specifying the credential types acceptable by the authentication package used by the target server. Each element is one + /// of the CRED_TYPE_* defines. The order of this array specifies the preference order of the authentication package. More + /// preferable types are specified earlier in the list. + /// public IntPtr CredTypes; /// Extracts array of values from . @@ -201,4 +634,4 @@ namespace Vanara.PInvoke public SafeCredMemoryHandle(IntPtr ptr, bool own = true) : base(ptr, h => { CredFree(h); return true; }, own) { } } } -} +} \ No newline at end of file diff --git a/PInvoke/Security/AdvApi32/WinNT.RegSvc.cs b/PInvoke/Security/AdvApi32/WinNT.RegSvc.cs index 91324146..c38bc1d3 100644 --- a/PInvoke/Security/AdvApi32/WinNT.RegSvc.cs +++ b/PInvoke/Security/AdvApi32/WinNT.RegSvc.cs @@ -11,6 +11,7 @@ namespace Vanara.PInvoke { public static partial class AdvApi32 { + /// Access mask values for the registry. [PInvokeData("winnt.h")] public enum RegAccessTypes { @@ -77,6 +78,7 @@ namespace Vanara.PInvoke [PInvokeData("winnt.h")] public enum RegOpenOptions { + /// Reserved. REG_OPTION_RESERVED = 0x00000000, /// /// This key is not volatile; this is the default. The information is stored in a file and is preserved when the system is restarted. The RegSaveKey diff --git a/PInvoke/Security/AdvApi32/WinNT.cs b/PInvoke/Security/AdvApi32/WinNT.cs index 5e16a930..cb3b101c 100644 --- a/PInvoke/Security/AdvApi32/WinNT.cs +++ b/PInvoke/Security/AdvApi32/WinNT.cs @@ -14,19 +14,30 @@ namespace Vanara.PInvoke { public static partial class AdvApi32 { + /// Known RIDs public static class KnownSIDRelativeID { + /// The security creator group rid public const int SECURITY_CREATOR_GROUP_RID = 0x00000001; + /// The security creator group server rid public const int SECURITY_CREATOR_GROUP_SERVER_RID = 0x00000003; + /// The security creator owner rid public const int SECURITY_CREATOR_OWNER_RID = 0x00000000; + /// The security creator owner rights rid public const int SECURITY_CREATOR_OWNER_RIGHTS_RID = 0x00000004; + /// The security creator owner server rid public const int SECURITY_CREATOR_OWNER_SERVER_RID = 0x00000002; + /// The security local logon rid public const int SECURITY_LOCAL_LOGON_RID = 0x00000001; + /// The security local rid public const int SECURITY_LOCAL_RID = 0x00000000; + /// The security null rid public const int SECURITY_NULL_RID = 0x00000000; + /// The security world rid public const int SECURITY_WORLD_RID = 0x00000000; } + /// Known SID authorities. public static class KnownSIDAuthority { /// The application package authority @@ -65,6 +76,7 @@ namespace Vanara.PInvoke AclSizeInformation } + /// Group attributes. [Flags] [PInvokeData("winnt.h")] public enum GroupAttributes : uint @@ -89,6 +101,7 @@ namespace Vanara.PInvoke SE_GROUP_RESOURCE = 0x20000000 } + /// Privilege attributes. [Flags] [PInvokeData("winnt.h")] public enum PrivilegeAttributes : uint @@ -112,6 +125,7 @@ namespace Vanara.PInvoke SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000 } + /// Flags used by PRIVILEGE_SET. [PInvokeData("winnt.h")] public enum PrivilegeSetControl { @@ -1163,7 +1177,7 @@ namespace Vanara.PInvoke /// A that represents this instance. public override string ToString() => $"Count:{PrivilegeCount}"; - public class Marshaler : ICustomMarshaler + internal class Marshaler : ICustomMarshaler { public static ICustomMarshaler GetInstance(string cookie) => new Marshaler(); @@ -1203,8 +1217,11 @@ namespace Vanara.PInvoke } } + /// The SID_IDENTIFIER_AUTHORITY structure represents the top-level authority of a security identifier (SID).The identifier authority value identifies the agency that issued the SID. The following identifier authorities are predefined.Identifier authorityValueSECURITY_NULL_SID_AUTHORITY0SECURITY_WORLD_SID_AUTHORITY1SECURITY_LOCAL_SID_AUTHORITY2SECURITY_CREATOR_SID_AUTHORITY3SECURITY_NON_UNIQUE_AUTHORITY4SECURITY_NT_AUTHORITY5SECURITY_RESOURCE_MANAGER_AUTHORITY9A SID must contain a top-level authority and at least one relative identifier (RID) value. + // https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_sid_identifier_authority + // typedef struct _SID_IDENTIFIER_AUTHORITY { BYTE Value[6]; } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; + [PInvokeData("winnt.h", MSDNShortId = "450a6d2d-d2e4-4098-90af-a8024ddcfcb5")] [StructLayout(LayoutKind.Sequential, Pack = 1)] - [PInvokeData("Winnt.h", MSDNShortId = "aa379598")] public class PSID_IDENTIFIER_AUTHORITY { /// An array of 6 bytes specifying a SID's top-level authority. @@ -1252,8 +1269,14 @@ namespace Vanara.PInvoke } } + /// Performs an implicit conversion from byte[] to . + /// The bytes. + /// The result of the conversion. public static implicit operator PSID_IDENTIFIER_AUTHORITY(byte[] bytes) => new PSID_IDENTIFIER_AUTHORITY(bytes); + /// Performs an implicit conversion from to . + /// The sia. + /// The result of the conversion. public static implicit operator PSID_IDENTIFIER_AUTHORITY(SID_IDENTIFIER_AUTHORITY sia) => new PSID_IDENTIFIER_AUTHORITY(sia.Value); } diff --git a/PInvoke/Security/AdvApi32/WinReg.cs b/PInvoke/Security/AdvApi32/WinReg.cs index 63376cb8..423a9209 100644 --- a/PInvoke/Security/AdvApi32/WinReg.cs +++ b/PInvoke/Security/AdvApi32/WinReg.cs @@ -694,7 +694,7 @@ namespace Vanara.PInvoke /// [DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)] [PInvokeData("winreg.h", MSDNShortId = "ms724837")] - public static extern Win32Error RegCloseKey(SafeRegistryHandle hKey); + public static extern Win32Error RegCloseKey(IntPtr hKey); /// /// Establishes a connection to a predefined registry key on another computer. diff --git a/PInvoke/Security/AdvApi32/WinSvc.cs b/PInvoke/Security/AdvApi32/WinSvc.cs index 73051074..35054b2a 100644 --- a/PInvoke/Security/AdvApi32/WinSvc.cs +++ b/PInvoke/Security/AdvApi32/WinSvc.cs @@ -308,18 +308,51 @@ namespace Vanara.PInvoke [PInvokeData("winsvc.h", MSDNShortId = "23eea346-9899-4214-88f4-9b7eb7ce1332")] public static extern IntPtr RegisterServiceCtrlHandlerEx(string lpServiceName, LphandlerFunction lpHandlerProc, IntPtr lpContext); + /// Contains configuration information for an installed service. It is used by the QueryServiceConfig function. [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] [PInvokeData("Winsvc.h", MSDNShortId = "ms684950")] public struct QUERY_SERVICE_CONFIG { + /// + /// The type of service. + /// public ServiceTypes dwServiceType; + /// + /// When to start the service. + /// public ServiceStartType dwStartType; + /// + /// The severity of the error, and action taken, if this service fails to start. + /// public ServiceErrorControlType dwErrorControl; + /// + /// The fully qualified path to the service binary file. + /// The path can also include arguments for an auto-start service.These arguments are passed to the service entry point (typically the main function). public string lpBinaryPathName; + /// + /// The name of the load ordering group to which this service belongs. If the member is NULL or an empty string, the service does not belong to a load ordering group. + /// The startup program uses load ordering groups to load groups of services in a specified order with respect to the other groups.The list of load ordering groups is contained in the following registry value: + /// HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder public string lpLoadOrderGroup; + /// + /// A unique tag value for this service in the group specified by the lpLoadOrderGroup parameter. A value of zero indicates that the service has not been assigned a tag. You can use a tag for ordering service startup within a load order group by specifying a tag order vector in the registry located at: + /// HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList + /// Tags are only evaluated for SERVICE_KERNEL_DRIVER and SERVICE_FILE_SYSTEM_DRIVER type services that have SERVICE_BOOT_START or SERVICE_SYSTEM_START start types. public uint dwTagID; + /// + /// A pointer to an array of null-separated names of services or load ordering groups that must start before this service. The array is doubly null-terminated. If the pointer is NULL or if it points to an empty string, the service has no dependencies. If a group name is specified, it must be prefixed by the SC_GROUP_IDENTIFIER (defined in WinSvc.h) character to differentiate it from a service name, because services and service groups share the same name space. Dependency on a service means that this service can only run if the service it depends on is running. Dependency on a group means that this service can run if at least one member of the group is running after an attempt to start all members of the group. + /// public IntPtr lpDependencies; + /// + /// If the service type is SERVICE_WIN32_OWN_PROCESS or SERVICE_WIN32_SHARE_PROCESS, this member is the name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\UserName. If the account belongs to the built-in domain, the name can be of the form .\UserName. The name can also be "LocalSystem" if the process is running under the LocalSystem account. + /// If the service type is SERVICE_KERNEL_DRIVER or SERVICE_FILE_SYSTEM_DRIVER, this member is the driver object name(that is, \FileSystem\Rdr or \Driver\Xns) which the input and output(I/O) system uses to load the device driver.If this member is NULL, the driver is to be run with a default object name created by the I/O system, based on the service name. public string lpServiceStartName; + /// + /// The display name to be used by service control programs to identify the service. This string has a maximum length of 256 characters. The name is case-preserved in the service control manager. Display name comparisons are always case-insensitive. + /// This parameter can specify a localized string using the following format: + /// @[Path] DLLName,-StrID + /// The string with identifier StrID is loaded from DLLName; the Path is optional.For more information, see RegLoadMUIString. + /// Windows Server 2003 and Windows XP: Localized strings are not supported until Windows Vista. public string lpDisplayName; } diff --git a/PInvoke/Security/Authz/Authz.cs b/PInvoke/Security/Authz/Authz.cs index e6a4a51a..6e87eb48 100644 --- a/PInvoke/Security/Authz/Authz.cs +++ b/PInvoke/Security/Authz/Authz.cs @@ -5,11 +5,12 @@ using System.Runtime.InteropServices; using System.Security; using Vanara.Extensions; using Vanara.InteropServices; -using AUTHZ_RESOURCE_MANAGER_HANDLE = System.IntPtr; -using AUTHZ_CLIENT_CONTEXT_HANDLE = System.IntPtr; -using AUTHZ_AUDIT_EVENT_HANDLE = System.IntPtr; -using AUTHZ_ACCESS_CHECK_RESULTS_HANDLE = System.IntPtr; using static Vanara.PInvoke.AdvApi32; +using AUTHZ_ACCESS_CHECK_RESULTS_HANDLE = System.IntPtr; + +using AUTHZ_AUDIT_EVENT_HANDLE = System.IntPtr; +using AUTHZ_CLIENT_CONTEXT_HANDLE = System.IntPtr; +using AUTHZ_RESOURCE_MANAGER_HANDLE = System.IntPtr; // ReSharper disable FieldCanBeMadeReadOnly.Global // ReSharper disable InconsistentNaming @@ -20,17 +21,25 @@ namespace Vanara.PInvoke public static partial class Authz { /// - /// The AuthzAccessCheckCallback function is an application-defined function that handles callback access control entries (ACEs) during an access check. - /// AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application registers this callback by calling AuthzInitializeResourceManager. + /// The AuthzAccessCheckCallback function is an application-defined function that handles callback access control entries (ACEs) + /// during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application + /// registers this callback by calling AuthzInitializeResourceManager. /// /// A handle to a client context. /// A pointer to the ACE to evaluate for inclusion in the call to the AuthzAccessCheck function. /// Data passed in the DynamicGroupArgs parameter of the call to AuthzAccessCheck or AuthzCachedAccessCheck. - /// A pointer to a Boolean variable that receives the results of the evaluation of the logic defined by the application. - /// The results are TRUE if the logic determines that the ACE is applicable and will be included in the call to AuthzAccessCheck; otherwise, the results are FALSE. + /// + /// A pointer to a Boolean variable that receives the results of the evaluation of the logic defined by the application. + /// + /// The results are TRUE if the logic determines that the ACE is applicable and will be included in the call to AuthzAccessCheck; + /// otherwise, the results are FALSE. + /// + /// /// /// If the function succeeds, the function returns TRUE. - /// If the function is unable to perform the evaluation, it returns FALSE. Use SetLastError to return an error to the access check function. + /// + /// If the function is unable to perform the evaluation, it returns FALSE. Use SetLastError to return an error to the access check function. + /// /// [UnmanagedFunctionPointer(CallingConvention.Winapi, SetLastError = true, CharSet = CharSet.Unicode)] [SuppressUnmanagedCodeSecurity] @@ -38,23 +47,36 @@ namespace Vanara.PInvoke public delegate bool AuthzAccessCheckCallback(AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, ref ACE_HEADER pAce, IntPtr pArgs, [MarshalAs(UnmanagedType.Bool)] ref bool pbAceApplicable); /// - /// The AuthzComputeGroupsCallback function is an application-defined function that creates a list of security identifiers (SIDs) that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name. + /// The AuthzComputeGroupsCallback function is an application-defined function that creates a list of security identifiers (SIDs) + /// that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name. /// /// A handle to a client context. - /// Data passed in the DynamicGroupArgs parameter of a call to the AuthzInitializeContextFromAuthzContext, AuthzInitializeContextFromSid, or AuthzInitializeContextFromToken function. - /// A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures. These structures represent the groups to which the client belongs. + /// + /// Data passed in the DynamicGroupArgs parameter of a call to the AuthzInitializeContextFromAuthzContext, + /// AuthzInitializeContextFromSid, or AuthzInitializeContextFromToken function. + /// + /// + /// A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures. These structures + /// represent the groups to which the client belongs. + /// /// The number of structures in pSidAttrArray. - /// A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures. These structures represent the groups from which the client is restricted. + /// + /// A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures. These structures + /// represent the groups from which the client is restricted. + /// /// The number of structures in pSidRestrictedAttrArray. - /// If the function successfully returns a list of SIDs, the return value is TRUE. - /// If the function fails, the return value is FALSE. + /// + /// If the function successfully returns a list of SIDs, the return value is TRUE. + /// If the function fails, the return value is FALSE. + /// [UnmanagedFunctionPointer(CallingConvention.Winapi, SetLastError = true, CharSet = CharSet.Unicode)] [SuppressUnmanagedCodeSecurity] [return: MarshalAs(UnmanagedType.Bool)] public delegate bool AuthzComputeGroupsCallback(AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IntPtr Args, ref SID_AND_ATTRIBUTES pSidAttrArray, out uint pSidCount, out SID_AND_ATTRIBUTES pRestrictedSidAttrArray, out uint pRestrictedSidCount); /// - /// The AuthzFreeGroupsCallback function is an application-defined function that frees memory allocated by the AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name. + /// The AuthzFreeGroupsCallback function is an application-defined function that frees memory allocated by the + /// AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name. /// /// A pointer to memory allocated by AuthzComputeGroupsCallback. [UnmanagedFunctionPointer(CallingConvention.Winapi, SetLastError = true, CharSet = CharSet.Unicode)] @@ -62,131 +84,207 @@ namespace Vanara.PInvoke public delegate void AuthzFreeGroupsCallback(ref SID_AND_ATTRIBUTES pSidAttrArray); /// - /// The AUTHZ_CONTEXT_INFORMATION_CLASS enumeration specifies the type of information to be retrieved from an existing AuthzClientContext. This - /// enumeration is used by the AuthzGetInformationFromContext function. + /// + /// The AUTHZ_CONTEXT_INFORMATION_CLASS enumeration specifies the type of information to be retrieved from an existing + /// AuthzClientContext. This enumeration is used by the AuthzGetInformationFromContext function. + /// /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ne-authz-_authz_context_information_class typedef enum + // _AUTHZ_CONTEXT_INFORMATION_CLASS { AuthzContextInfoUserSid , AuthzContextInfoGroupsSids , AuthzContextInfoRestrictedSids , + // AuthzContextInfoPrivileges , AuthzContextInfoExpirationTime , AuthzContextInfoServerContext , AuthzContextInfoIdentifier , + // AuthzContextInfoSource , AuthzContextInfoAll , AuthzContextInfoAuthenticationId , AuthzContextInfoSecurityAttributes , + // AuthzContextInfoDeviceSids , AuthzContextInfoUserClaims , AuthzContextInfoDeviceClaims , AuthzContextInfoAppContainerSid , + // AuthzContextInfoCapabilitySids } AUTHZ_CONTEXT_INFORMATION_CLASS; + [PInvokeData("authz.h", MSDNShortId = "5eb752dc-17f7-4510-8aef-d18280322e76")] public enum AUTHZ_CONTEXT_INFORMATION_CLASS { /// Retrieves a TOKEN_USER structure that contains a user security identifier (SID) and its attribute. AuthzContextInfoUserSid = 1, + /// Retrieves a TOKEN_GROUPS structure that contains the group SIDs to which the user belongs and their attributes. AuthzContextInfoGroupsSids, + /// Retrieves a TOKEN_GROUPS structure that contains the restricted group SIDs in the context and their attributes. AuthzContextInfoRestrictedSids, + /// Retrieves a TOKEN_PRIVILEGES structure that contains the privileges held by the user. AuthzContextInfoPrivileges, + /// Retrieves the expiration time set on the context. AuthzContextInfoExpirationTime, + /// This constant is reserved. Do not use it. AuthzContextInfoServerContext, + /// Retrieves an LUID structures used by the resource manager to identify the context. AuthzContextInfoIdentifier, + /// This constant is reserved. Do not use it. AuthzContextInfoSource, + /// This constant is reserved. Do not use it. AuthzContextInfoAll, + /// This constant is reserved. Do not use it. AuthzContextInfoAuthenticationId, + /// /// Retrieves an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that contains security attributes. /// Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. /// AuthzContextInfoSecurityAttributes, + /// /// Retrieves a TOKEN_GROUPS structure that contains device SIDs and their attributes. - /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + /// + /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value + /// is not supported. + /// /// AuthzContextInfoDeviceSids, + /// /// Retrieves a AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that contains user claims. - /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + /// + /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value + /// is not supported. + /// /// AuthzContextInfoUserClaims, + /// /// Retrieves a AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that contains device claims. - /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + /// + /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value + /// is not supported. + /// /// AuthzContextInfoDeviceClaims, + /// /// Retrieves a TOKEN_APPCONTAINER_INFORMATION structure that contains the app container SID. - /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + /// + /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value + /// is not supported. + /// /// AuthzContextInfoAppContainerSid, + /// /// Retrieves a TOKEN_GROUPS structure that contains capability SIDs. - /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. + /// + /// Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value + /// is not supported. + /// /// AuthzContextInfoCapabilitySids, } /// Used by the structure. + [PInvokeData("authz.h")] public enum AUTHZ_SECURITY_ATTRIBUTE_DATATYPE : ushort { /// Invalid value. AUTHZ_SECURITY_ATTRIBUTE_TYPE_INVALID = 0x00, + /// The Values member refers to a security attribute that is of INT64 type. AUTHZ_SECURITY_ATTRIBUTE_TYPE_INT64 = 0x01, + /// The Values member refers to a security attribute that is of UINT64 type. AUTHZ_SECURITY_ATTRIBUTE_TYPE_UINT64 = 0x02, + /// The Values member refers to a security attribute that is of STRING type. AUTHZ_SECURITY_ATTRIBUTE_TYPE_STRING = 0x03, + /// The Values member refers to a security attribute that is of AUTHZ_SECURITY_ATTRIBUTE_TYPE_FQBN type. AUTHZ_SECURITY_ATTRIBUTE_TYPE_FQBN = 0x04, + /// /// The Values member refers to a security attribute that is of AUTHZ_SECURITY_ATTRIBUTE_TYPE_SID type. /// Windows Server 2008 R2 and Windows 7: This value type is not available. /// AUTHZ_SECURITY_ATTRIBUTE_TYPE_SID = 0x05, + /// /// The Values member refers to a security attribute that is of AUTHZ_SECURITY_ATTRIBUTE_TYPE_BOOLEAN type. /// Windows Server 2008 R2 and Windows 7: This value type is not available. /// AUTHZ_SECURITY_ATTRIBUTE_TYPE_BOOLEAN = 0x06, + /// The Values member refers to a security attribute that is of AUTHZ_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING type. AUTHZ_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING = 0x10 } - /// Used by the structure. + /// Used by the structure. + [PInvokeData("authz.h")] public enum AUTHZ_SECURITY_ATTRIBUTE_FLAGS { /// No flags specified. NONE = 0, + /// This security attribute is not inherited across processes. AUTHZ_SECURITY_ATTRIBUTE_NON_INHERITABLE = 1, + /// The value of the attribute is case sensitive. This flag is valid for values that contain string types. AUTHZ_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE = 2 } /// - /// The AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration indicates the type of modification to be made to security attributes by a call to the AuthzModifySecurityAttributes function. + /// The AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration indicates the type of modification to be made to security attributes by a call + /// to the AuthzModifySecurityAttributes function. /// + /// + /// + /// The AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration indicates the type of modification to be made to security attributes by + /// a call to the AuthzModifySecurityAttributes function. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ne-authz-authz_security_attribute_operation typedef enum + // AUTHZ_SECURITY_ATTRIBUTE_OPERATION { AUTHZ_SECURITY_ATTRIBUTE_OPERATION_NONE , AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL , + // AUTHZ_SECURITY_ATTRIBUTE_OPERATION_ADD , AUTHZ_SECURITY_ATTRIBUTE_OPERATION_DELETE , AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE } *PAUTHZ_SECURITY_ATTRIBUTE_OPERATION; + [PInvokeData("authz.h", MSDNShortId = "c1716cdb-87f9-47d6-bfc3-ae6cc043e917")] public enum AUTHZ_SECURITY_ATTRIBUTE_OPERATION { - /// - /// Do not perform any modification. - /// + /// Do not perform any modification. AUTHZ_SECURITY_ATTRIBUTE_OPERATION_NONE = 0, + /// /// Delete all existing security attributes and their values in the token and replace them with the specified attributes and values. /// If no new attributes are specified, all existing attributes and values are deleted. - /// This operation must be the only operation specified and can be specified only once in a single call to AuthzModifySecurityAttributes. If the operation is not specified as the first in the list of operations, the call to AuthzModifySecurityAttributes fails. If the operation is specified as the first in the array of operations performed, the rest of the operations are ignored. + /// + /// This operation must be the only operation specified and can be specified only once in a single call to + /// AuthzModifySecurityAttributes. If the operation is not specified as the first in the list of operations, the call to + /// AuthzModifySecurityAttributes fails. If the operation is specified as the first in the array of operations performed, the + /// rest of the operations are ignored. + /// /// AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL, + /// /// Add a new attribute or a new value to an existing attribute. - /// If the value specified for any attribute already exists for that attribute, the call to AuthzModifySecurityAttributes fails. + /// + /// If the value specified for any attribute already exists for that attribute, the call to AuthzModifySecurityAttributes fails. + /// /// AUTHZ_SECURITY_ATTRIBUTE_OPERATION_ADD, + /// /// Delete the specified values of the specified attributes. If an attribute is specified without a value, that attribute is deleted. /// If this operation results in an attribute that does not contain any values, that attribute is deleted. - /// If a value is specified that does not match an existing attribute, no modifications are performed and the call to AuthzModifySecurityAttributes fails. + /// + /// If a value is specified that does not match an existing attribute, no modifications are performed and the call to + /// AuthzModifySecurityAttributes fails. + /// /// AUTHZ_SECURITY_ATTRIBUTE_OPERATION_DELETE, + /// /// The existing values of the specified security attributes are replaced by the specified new values. /// If any of the specified attributes does not already exist, they are added. - /// When no value is specified for an attribute, that attribute is deleted. Otherwise, the operation is simply ignored and no failure is reported. + /// + /// When no value is specified for an attribute, that attribute is deleted. Otherwise, the operation is simply ignored and no + /// failure is reported. + /// /// AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE } @@ -194,385 +292,812 @@ namespace Vanara.PInvoke /// /// The AUTHZ_SID_OPERATION enumeration indicates the type of SID operations that can be made by a call to the AuthzModifySids function. /// + /// + /// + /// The AUTHZ_SID_OPERATION enumeration indicates the type of SID operations that can be made by a call to the AuthzModifySids function. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ne-authz-authz_sid_operation typedef enum AUTHZ_SID_OPERATION { + // AUTHZ_SID_OPERATION_NONE , AUTHZ_SID_OPERATION_REPLACE_ALL , AUTHZ_SID_OPERATION_ADD , AUTHZ_SID_OPERATION_DELETE , + // AUTHZ_SID_OPERATION_REPLACE } *PAUTHZ_SID_OPERATION; + [PInvokeData("authz.h", MSDNShortId = "C312BE7D-DA1B-47FE-80BA-7506B9A26E9E")] public enum AUTHZ_SID_OPERATION { - /// - /// Do not modify anything. - /// + /// Do not modify anything. AUTHZ_SID_OPERATION_NONE = 0, + /// - /// Deletes all existing SIDs and replaces them with the specified SIDs. If the replacement SIDs are not specified, all existing SIDs are deleted. This operation can be specified only once and must be the only operation specified. + /// Deletes all existing SIDs and replaces them with the specified SIDs. If the replacement SIDs are not specified, all existing + /// SIDs are deleted. This operation can be specified only once and must be the only operation specified. /// AUTHZ_SID_OPERATION_REPLACE_ALL = 1, - /// - /// Adds a new SID. If the SID already exists, the call fails. - /// + + /// Adds a new SID. If the SID already exists, the call fails. AUTHZ_SID_OPERATION_ADD = 2, - /// - /// Deletes the specified SID. If no matching SID is found, no modifications are done and the call fails. - /// + + /// Deletes the specified SID. If no matching SID is found, no modifications are done and the call fails. AUTHZ_SID_OPERATION_DELETE = 3, - /// - /// Replaces the existing SID with the specified SID. If the SID does not already exist, then adds the SID. - /// + + /// Replaces the existing SID with the specified SID. If the SID does not already exist, then adds the SID. AUTHZ_SID_OPERATION_REPLACE = 4 } - /// Flags used in the method. + /// + /// Flags used in the method. + /// + [PInvokeData("authz.h")] [Flags] public enum AuthzAccessCheckFlags { - /// If phAccessCheckResults is not NULL, a deep copy of the security descriptor is copied to the handle referenced by phAccessCheckResults. - NONE = 0, /// - /// A deep copy of the security descriptor is not performed. The calling application must pass the address of an AUTHZ_ACCESS_CHECK_RESULTS_HANDLE - /// handle in phAccessCheckResults. The AuthzAccessCheck function sets this handle to a security descriptor that must remain valid during subsequent - /// calls to AuthzCachedAccessCheck. + /// If phAccessCheckResults is not NULL, a deep copy of the security descriptor is copied to the handle referenced by phAccessCheckResults. + /// + NONE = 0, + + /// + /// A deep copy of the security descriptor is not performed. The calling application must pass the address of an + /// AUTHZ_ACCESS_CHECK_RESULTS_HANDLE handle in phAccessCheckResults. The AuthzAccessCheck function sets this handle to a + /// security descriptor that must remain valid during subsequent calls to AuthzCachedAccessCheck. /// AUTHZ_ACCESS_CHECK_NO_DEEP_COPY_SD = 0x00000001, } - /// - /// Flags for the method. - /// + /// Flags for the method. + [PInvokeData("authz.h")] [Flags] public enum AuthzAuditEventFlags { - /// - /// No flags set. - /// + /// No flags set. NONE = 0, - /// - /// Disable generation of success audits. - /// + + /// Disable generation of success audits. AUTHZ_NO_SUCCESS_AUDIT = 0x00000001, - /// - /// Disable generation of failure audits. - /// + + /// Disable generation of failure audits. AUTHZ_NO_FAILURE_AUDIT = 0x00000002, + /// - /// Use pointers to the passed strings instead of allocating memory and copying the strings. The calling application must ensure that the passed memory stays valid during access checks. + /// Use pointers to the passed strings instead of allocating memory and copying the strings. The calling application must ensure + /// that the passed memory stays valid during access checks. /// AUTHZ_NO_ALLOC_STRINGS = 0x00000004, - /// - /// Undocumented. - /// + + /// Undocumented. AUTHZ_WPD_CATEGORY_FLAG = 0x00000010, } - /// - /// Flags for the method. - /// + /// Flags for the method. + [PInvokeData("authz.h")] [Flags] public enum AuthzContextFlags { /// /// Default value. /// AuthzInitializeContextFromSid attempts to retrieve the user's token group information by performing an S4U logon. - /// If S4U logon is not supported by the user's domain or the calling computer, AuthzInitializeContextFromSid queries the user's account object for group information. When an account is queried directly, some groups that represent logon characteristics, such as Network, Interactive, Anonymous, Network Service, or Local Service, are omitted. Applications can explicitly add such group SIDs by implementing the AuthzComputeGroupsCallback function or calling the AuthzAddSidsToContext function. + /// + /// If S4U logon is not supported by the user's domain or the calling computer, AuthzInitializeContextFromSid queries the user's + /// account object for group information. When an account is queried directly, some groups that represent logon characteristics, + /// such as Network, Interactive, Anonymous, Network Service, or Local Service, are omitted. Applications can explicitly add such + /// group SIDs by implementing the AuthzComputeGroupsCallback function or calling the AuthzAddSidsToContext function. + /// /// DEFAULT = 0, + /// - /// Causes AuthzInitializeContextFromSid to skip all group evaluations. When this flag is used, the context returned contains only the SID specified by the UserSid parameter. The specified SID can be an arbitrary or application-specific SID. Other SIDs can be added to this context by implementing the AuthzComputeGroupsCallback function or by calling the AuthzAddSidsToContext function. + /// Causes AuthzInitializeContextFromSid to skip all group evaluations. When this flag is used, the context returned contains + /// only the SID specified by the UserSid parameter. The specified SID can be an arbitrary or application-specific SID. Other + /// SIDs can be added to this context by implementing the AuthzComputeGroupsCallback function or by calling the + /// AuthzAddSidsToContext function. /// AUTHZ_SKIP_TOKEN_GROUPS = 0x2, + /// /// Causes AuthzInitializeContextFromSid to fail if Windows Services For User is not available to retrieve token group information. /// Windows XP: This flag is not supported. /// AUTHZ_REQUIRE_S4U_LOGON = 0x4, + /// - /// Causes AuthzInitializeContextFromSid to retrieve privileges for the new context. If this function performs an S4U logon, it retrieves privileges from the token. Otherwise, the function retrieves privileges from all SIDs in the context. + /// Causes AuthzInitializeContextFromSid to retrieve privileges for the new context. If this function performs an S4U logon, it + /// retrieves privileges from the token. Otherwise, the function retrieves privileges from all SIDs in the context. /// AUTHZ_COMPUTE_PRIVILEGES = 0x8 } /// Flags for the method. + [PInvokeData("authz.h")] [Flags] public enum AuthzResourceManagerFlags { /// - /// Default call to the function. The resource manager is initialized as the principal identified in the process token, and auditing is in effect. - /// Note that unless the AUTHZ_RM_FLAG_NO_AUDIT flag is set, SeAuditPrivilege must be enabled for the function to succeed. + /// Default call to the function. The resource manager is initialized as the principal identified in the process token, and + /// auditing is in effect. Note that unless the AUTHZ_RM_FLAG_NO_AUDIT flag is set, SeAuditPrivilege must be enabled for the + /// function to succeed. /// DEFAULT = 0, - /// Auditing is not in effect. If this flag is set, the caller does not need to have SeAuditPrivilege enabled to call this function. + + /// + /// Auditing is not in effect. If this flag is set, the caller does not need to have SeAuditPrivilege enabled to call this function. + /// AUTHZ_RM_FLAG_NO_AUDIT = 0x1, + /// The resource manager is initialized as the identity of the thread token. AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION = 0x2, + /// The resource manager ignores CAP IDs and does not evaluate centralized access policies. AUTHZ_RM_FLAG_NO_CENTRALIZED_ACCESS_POLICIES = 0x4 } /// - /// The AuthzAccessCheck function determines which access bits can be granted to a client for a given set of security descriptors. The AUTHZ_ACCESS_REPLY - /// structure returns an array of granted access masks and error status. Optionally, access masks that will always be granted can be cached, and a handle - /// to cached values is returned. + /// + /// The AuthzAccessCheck function determines which access bits can be granted to a client for a given set of security + /// descriptors. The AUTHZ_ACCESS_REPLY structure returns an array of granted access masks and error status. Optionally, access masks + /// that will always be granted can be cached, and a handle to cached values is returned. + /// /// - /// - /// A DWORD value that specifies how the security descriptor is copied. This parameter can be one of the following values. - /// Starting with Windows 8 and Windows Server 2012, when you call this function on a remote context handle, the upper 16 bits must be zero. + /// + /// + /// A DWORD value that specifies how the security descriptor is copied. This parameter can be one of the following values. + /// + /// + /// Starting with Windows 8 and Windows Server 2012, when you call this function on a remote context handle, the upper 16 bits must + /// be zero. + /// + /// + /// + /// Value + /// Meaning + /// + /// + /// 0 + /// If phAccessCheckResults is not NULL, a deep copy of the security descriptor is copied to the handle referenced by phAccessCheckResults. + /// + /// + /// AUTHZ_ACCESS_CHECK_NO_DEEP_COPY_SD 1 + /// + /// A deep copy of the security descriptor is not performed. The calling application must pass the address of an + /// AUTHZ_ACCESS_CHECK_RESULTS_HANDLE handle in phAccessCheckResults. The AuthzAccessCheck function sets this handle to a security + /// descriptor that must remain valid during subsequent calls to AuthzCachedAccessCheck. + /// + /// + /// /// /// - /// A handle to a structure that represents the client. + /// A handle to a structure that represents the client. /// Starting with Windows 8 and Windows Server 2012, the client context can be local or remote. /// /// - /// A pointer to an AUTHZ_ACCESS_REQUEST structure that specifies the desired access mask, principal self security identifier (SID), and the object type - /// list structure, if it exists. - /// - /// - /// A structure that contains object-specific audit information. When the value of this parameter is not null, an audit is automatically requested. - /// Static audit information is read from the resource manager structure. /// - /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the parameter must be NULL. + /// A pointer to an AUTHZ_ACCESS_REQUEST structure that specifies the desired access mask, principal self security identifier (SID), + /// and the object type list structure, if it exists. + /// + /// + /// + /// + /// A structure that contains object-specific audit information. When the value of this parameter is not null, an audit is + /// automatically requested. Static audit information is read from the resource manager structure. + /// + /// + /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the + /// parameter must be NULL. /// /// /// - /// A pointer to a SECURITY_DESCRIPTOR structure to be used for access checks. The owner SID for the object is picked from this security descriptor. A - /// NULL discretionary access control list (DACL) in this security descriptor represents a NULL DACL for the entire object. Make sure the security - /// descriptor contains OWNER and DACL information, or an error code 87 or "invalid parameter" message will be generated. Important NULL DACLs permit all types of access to all users; therefore, do not use NULL DACLs. For information about - /// creating a DACL, see Creating a DACL. - /// A NULL system access control list (SACL) in this security descriptor is treated the same way as an empty SACL. + /// + /// A pointer to a SECURITY_DESCRIPTOR structure to be used for access checks. The owner SID for the object is picked from this + /// security descriptor. A NULL discretionary access control list (DACL) in this security descriptor represents a NULL + /// DACL for the entire object. Make sure the security descriptor contains OWNER and DACL information, or an error code 87 or + /// "invalid parameter" message will be generated. + /// + /// + /// ImportantNULL DACLs permit all types of access to all users; therefore, do not use NULL DACLs. For + /// information about creating a DACL, see Creating a DACL. + /// + /// A + /// NULL + /// system access control list + /// (SACL) in this security descriptor is treated the same way as an empty SACL. /// /// - /// An array of SECURITY_DESCRIPTOR structures. NULL access control lists (ACLs) in these security descriptors are treated as empty ACLs. The ACL for the - /// entire object is the logical concatenation of all of the ACLs. + /// + /// An array of SECURITY_DESCRIPTOR structures. NULL access control lists (ACLs) in these security descriptors are treated as + /// empty ACLs. The ACL for the entire object is the logical concatenation of all of the ACLs. + /// + /// + /// + /// The number of security descriptors not including the primary security descriptor. /// - /// The number of security descriptors not including the primary security descriptor. /// - /// A pointer to an AUTHZ_ACCESS_REPLY structure that contains the results of the access check. Before calling the AuthzAccessCheck function, an - /// application must allocate memory for the GrantedAccessMask and SaclEvaluationResults members of the AUTHZ_ACCESS_REPLY structure referenced by pReply. + /// + /// A pointer to an AUTHZ_ACCESS_REPLY structure that contains the results of the access check. Before calling the + /// AuthzAccessCheck function, an application must allocate memory for the GrantedAccessMask and + /// SaclEvaluationResults members of the AUTHZ_ACCESS_REPLY structure referenced by pReply. + /// /// /// - /// A pointer to return a handle to the cached results of the access check. When this parameter value is not null, the results of this access check call - /// will be cached. This results in a MAXIMUM_ALLOWED check. /// - /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the parameter must be NULL. + /// A pointer to return a handle to the cached results of the access check. When this parameter value is not null, the results + /// of this access check call will be cached. This results in a MAXIMUM_ALLOWED check. + /// + /// + /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the + /// parameter must be NULL. /// /// /// - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// If the function succeeds, the function returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. /// - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + /// + /// + /// The AuthzAccessCheckCallback callback function will be called if the DACL of the SECURITY_DESCRIPTOR structure pointed to by the + /// pSecurityDescriptor parameter contains a callback access control entry (ACE). + /// + /// + /// Security attribute variables must be present in the client context if referred to in a conditional expression, otherwise the + /// conditional expression term referencing them will evaluate to unknown. For more information, see the Security Descriptor + /// Definition Language for Conditional ACEs topic. + /// + /// For more information, see the How AccessCheck Works and Centralized Authorization Policy overviews. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzaccesscheck AUTHZAPI BOOL AuthzAccessCheck( DWORD Flags, + // AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, PAUTHZ_ACCESS_REQUEST pRequest, AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent, + // PSECURITY_DESCRIPTOR pSecurityDescriptor, PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray, DWORD + // OptionalSecurityDescriptorCount, PAUTHZ_ACCESS_REPLY pReply, PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "633c2a73-169c-4e0c-abb6-96c360bd63cf")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzAccessCheck(AuthzAccessCheckFlags flags, SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, ref AUTHZ_ACCESS_REQUEST pRequest, - [Optional] SafeAUTHZ_AUDIT_EVENT_HANDLE AuditEvent, SafeSecurityDescriptor pSecurityDescriptor, + public static extern bool AuthzAccessCheck(AuthzAccessCheckFlags Flags, SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, ref AUTHZ_ACCESS_REQUEST pRequest, + [Optional] SafeAUTHZ_AUDIT_EVENT_HANDLE hAuditEvent, SafeSecurityDescriptor pSecurityDescriptor, [Optional, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 6)] SECURITY_DESCRIPTOR[] OptionalSecurityDescriptorArray, uint OptionalSecurityDescriptorCount, [In, Out] AUTHZ_ACCESS_REPLY pReply, out SafeAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults); /// - /// The AuthzAccessCheck function determines which access bits can be granted to a client for a given set of security descriptors. The AUTHZ_ACCESS_REPLY - /// structure returns an array of granted access masks and error status. Optionally, access masks that will always be granted can be cached, and a handle - /// to cached values is returned. + /// + /// The AuthzAccessCheck function determines which access bits can be granted to a client for a given set of security + /// descriptors. The AUTHZ_ACCESS_REPLY structure returns an array of granted access masks and error status. Optionally, access masks + /// that will always be granted can be cached, and a handle to cached values is returned. + /// /// - /// - /// A DWORD value that specifies how the security descriptor is copied. This parameter can be one of the following values. - /// Starting with Windows 8 and Windows Server 2012, when you call this function on a remote context handle, the upper 16 bits must be zero. + /// + /// + /// A DWORD value that specifies how the security descriptor is copied. This parameter can be one of the following values. + /// + /// + /// Starting with Windows 8 and Windows Server 2012, when you call this function on a remote context handle, the upper 16 bits must + /// be zero. + /// + /// + /// + /// Value + /// Meaning + /// + /// + /// 0 + /// If phAccessCheckResults is not NULL, a deep copy of the security descriptor is copied to the handle referenced by phAccessCheckResults. + /// + /// + /// AUTHZ_ACCESS_CHECK_NO_DEEP_COPY_SD 1 + /// + /// A deep copy of the security descriptor is not performed. The calling application must pass the address of an + /// AUTHZ_ACCESS_CHECK_RESULTS_HANDLE handle in phAccessCheckResults. The AuthzAccessCheck function sets this handle to a security + /// descriptor that must remain valid during subsequent calls to AuthzCachedAccessCheck. + /// + /// + /// /// /// - /// A handle to a structure that represents the client. + /// A handle to a structure that represents the client. /// Starting with Windows 8 and Windows Server 2012, the client context can be local or remote. /// /// - /// A pointer to an AUTHZ_ACCESS_REQUEST structure that specifies the desired access mask, principal self security identifier (SID), and the object type - /// list structure, if it exists. - /// - /// - /// A structure that contains object-specific audit information. When the value of this parameter is not null, an audit is automatically requested. - /// Static audit information is read from the resource manager structure. /// - /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the parameter must be NULL. + /// A pointer to an AUTHZ_ACCESS_REQUEST structure that specifies the desired access mask, principal self security identifier (SID), + /// and the object type list structure, if it exists. + /// + /// + /// + /// + /// A structure that contains object-specific audit information. When the value of this parameter is not null, an audit is + /// automatically requested. Static audit information is read from the resource manager structure. + /// + /// + /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the + /// parameter must be NULL. /// /// /// - /// A pointer to a SECURITY_DESCRIPTOR structure to be used for access checks. The owner SID for the object is picked from this security descriptor. A - /// NULL discretionary access control list (DACL) in this security descriptor represents a NULL DACL for the entire object. Make sure the security - /// descriptor contains OWNER and DACL information, or an error code 87 or "invalid parameter" message will be generated. Important NULL DACLs permit all types of access to all users; therefore, do not use NULL DACLs. For information about - /// creating a DACL, see Creating a DACL. - /// A NULL system access control list (SACL) in this security descriptor is treated the same way as an empty SACL. + /// + /// A pointer to a SECURITY_DESCRIPTOR structure to be used for access checks. The owner SID for the object is picked from this + /// security descriptor. A NULL discretionary access control list (DACL) in this security descriptor represents a NULL + /// DACL for the entire object. Make sure the security descriptor contains OWNER and DACL information, or an error code 87 or + /// "invalid parameter" message will be generated. + /// + /// + /// ImportantNULL DACLs permit all types of access to all users; therefore, do not use NULL DACLs. For + /// information about creating a DACL, see Creating a DACL. + /// + /// A + /// NULL + /// system access control list + /// (SACL) in this security descriptor is treated the same way as an empty SACL. /// /// - /// An array of SECURITY_DESCRIPTOR structures. NULL access control lists (ACLs) in these security descriptors are treated as empty ACLs. The ACL for the - /// entire object is the logical concatenation of all of the ACLs. + /// + /// An array of SECURITY_DESCRIPTOR structures. NULL access control lists (ACLs) in these security descriptors are treated as + /// empty ACLs. The ACL for the entire object is the logical concatenation of all of the ACLs. + /// + /// + /// + /// The number of security descriptors not including the primary security descriptor. /// - /// The number of security descriptors not including the primary security descriptor. /// - /// A pointer to an AUTHZ_ACCESS_REPLY structure that contains the results of the access check. Before calling the AuthzAccessCheck function, an - /// application must allocate memory for the GrantedAccessMask and SaclEvaluationResults members of the AUTHZ_ACCESS_REPLY structure referenced by pReply. + /// + /// A pointer to an AUTHZ_ACCESS_REPLY structure that contains the results of the access check. Before calling the + /// AuthzAccessCheck function, an application must allocate memory for the GrantedAccessMask and + /// SaclEvaluationResults members of the AUTHZ_ACCESS_REPLY structure referenced by pReply. + /// /// /// - /// A pointer to return a handle to the cached results of the access check. When this parameter value is not null, the results of this access check call - /// will be cached. This results in a MAXIMUM_ALLOWED check. /// - /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the parameter must be NULL. + /// A pointer to return a handle to the cached results of the access check. When this parameter value is not null, the results + /// of this access check call will be cached. This results in a MAXIMUM_ALLOWED check. + /// + /// + /// Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the + /// parameter must be NULL. /// /// /// - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// If the function succeeds, the function returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. /// - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + /// + /// + /// The AuthzAccessCheckCallback callback function will be called if the DACL of the SECURITY_DESCRIPTOR structure pointed to by the + /// pSecurityDescriptor parameter contains a callback access control entry (ACE). + /// + /// + /// Security attribute variables must be present in the client context if referred to in a conditional expression, otherwise the + /// conditional expression term referencing them will evaluate to unknown. For more information, see the Security Descriptor + /// Definition Language for Conditional ACEs topic. + /// + /// For more information, see the How AccessCheck Works and Centralized Authorization Policy overviews. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzaccesscheck AUTHZAPI BOOL AuthzAccessCheck( DWORD Flags, + // AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, PAUTHZ_ACCESS_REQUEST pRequest, AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent, + // PSECURITY_DESCRIPTOR pSecurityDescriptor, PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray, DWORD + // OptionalSecurityDescriptorCount, PAUTHZ_ACCESS_REPLY pReply, PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "633c2a73-169c-4e0c-abb6-96c360bd63cf")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzAccessCheck(AuthzAccessCheckFlags flags, SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, ref AUTHZ_ACCESS_REQUEST pRequest, - [Optional] SafeAUTHZ_AUDIT_EVENT_HANDLE AuditEvent, SafeSecurityDescriptor pSecurityDescriptor, + public static extern bool AuthzAccessCheck(AuthzAccessCheckFlags Flags, SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, ref AUTHZ_ACCESS_REQUEST pRequest, + [Optional] SafeAUTHZ_AUDIT_EVENT_HANDLE hAuditEvent, SafeSecurityDescriptor pSecurityDescriptor, [Optional, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 6)] SECURITY_DESCRIPTOR[] OptionalSecurityDescriptorArray, uint OptionalSecurityDescriptorCount, [In, Out] AUTHZ_ACCESS_REPLY pReply, [Optional] IntPtr phAccessCheckResults); - /// The AuthzFreeAuditEvent function frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function. - /// A pointer to the AUTHZ_AUDIT_EVENT_HANDLE structure to be freed. + /// + /// The AuthzFreeAuditEvent function frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function. + /// + /// + /// A pointer to the AUTHZ_AUDIT_EVENT_HANDLE structure to be freed. + /// /// - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// If the function succeeds, the function returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. /// - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzfreeauditevent AUTHZAPI BOOL AuthzFreeAuditEvent( + // AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "e2980ef7-45dd-47c7-ba4d-f36b52bbd7dc")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzFreeAuditEvent(AUTHZ_AUDIT_EVENT_HANDLE pAuditEventInfo); + public static extern bool AuthzFreeAuditEvent(AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent); /// - /// The AuthzFreeContext function frees all structures and memory associated with the client context. The list of handles for a client is freed in this call. /// - /// Starting with Windows Server 2012 and Windows 8, this function also frees the memory associated with device groups, user claims, and device claims. + /// The AuthzFreeContext function frees all structures and memory associated with the client context. The list of handles for + /// a client is freed in this call. + /// + /// + /// Starting with Windows Server 2012 and Windows 8, this function also frees the memory associated with device groups, user claims, + /// and device claims. /// /// - /// The AUTHZ_CLIENT_CONTEXT_HANDLE structure to be freed. + /// + /// The AUTHZ_CLIENT_CONTEXT_HANDLE structure to be freed. + /// /// - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. /// - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzfreecontext + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "cad9fff0-9aa6-4cb2-a34f-94cf72f66bca")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzFreeContext(AUTHZ_CLIENT_CONTEXT_HANDLE AuthzClientContext); - - /// The AuthzFreeHandle function finds and deletes a handle from the handle list. - /// A handle to be freed. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] - [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzFreeHandle(AUTHZ_ACCESS_CHECK_RESULTS_HANDLE AuthzHandle); + public static extern bool AuthzFreeContext(AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext); /// - /// The AuthzFreeResourceManager function frees a resource manager object. + /// The AuthzFreeHandle function finds and deletes a handle from the handle list. /// - /// The AUTHZ_RESOURCE_MANAGER_HANDLE to be freed. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + /// + /// A handle to be freed. + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzfreehandle AUTHZAPI BOOL AuthzFreeHandle( + // AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "8d2e2ae9-b515-4a02-b366-5b107b4f7ffa")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzFreeResourceManager(AUTHZ_RESOURCE_MANAGER_HANDLE AuthzResourceManager); + public static extern bool AuthzFreeHandle(AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults); /// - /// The AuthzGetInformationFromContext function returns information about an Authz context. - /// Starting with Windows Server 2012 and Windows 8, device groups are returned as a TOKEN_GROUPS structure. User and device claims are returned as an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure. - /// A handle to the context. - /// A value of the AUTHZ_CONTEXT_INFORMATION_CLASS enumeration that indicates the type of information to be returned. - /// Size of the buffer passed. - /// A pointer to a DWORD of the buffer size required for returning the structure. - /// A pointer to memory that can receive the information. The structure returned depends on the information requested in the InfoClass parameter - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] - [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzGetInformationFromContext( - SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, - AUTHZ_CONTEXT_INFORMATION_CLASS InfoClass, - uint BufferSize, - out uint pSizeRequired, - IntPtr Buffer); - - /// - /// The AuthzInitializeCompoundContext function creates a user-mode context from the given user and device security contexts. + /// The AuthzFreeResourceManager function frees a resource manager object. /// - /// User context to create the compound context from. - /// Device context to create the compound context from. This must not be the same as the user context. - /// Used to return the resultant compound context. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + /// + /// The AUTHZ_RESOURCE_MANAGER_HANDLE to be freed. + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzfreeresourcemanager AUTHZAPI BOOL + // AuthzFreeResourceManager( AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "8b716368-8d81-4c62-9086-0976b39bbcf8")] + [return: MarshalAs(UnmanagedType.Bool)] + public static extern bool AuthzFreeResourceManager(AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager); + + /// + /// The AuthzGetInformationFromContext function returns information about an Authz context. + /// + /// Starting with Windows Server 2012 and Windows 8, device groups are returned as a TOKEN_GROUPS structure. User and device claims + /// are returned as an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure. + /// + /// + /// + /// A handle to the context. + /// + /// + /// A value of the AUTHZ_CONTEXT_INFORMATION_CLASS enumeration that indicates the type of information to be returned. + /// + /// + /// Size of the buffer passed. + /// + /// + /// A pointer to a DWORD of the buffer size required for returning the structure. + /// + /// + /// + /// A pointer to memory that can receive the information. The structure returned depends on the information requested in the + /// InfoClass parameter. + /// + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzgetinformationfromcontext AUTHZAPI BOOL + // AuthzGetInformationFromContext( AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_CONTEXT_INFORMATION_CLASS InfoClass, DWORD + // BufferSize, PDWORD pSizeRequired, PVOID Buffer ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "c365029a-3ff3-49c1-9dfc-b52948e466f3")] + [return: MarshalAs(UnmanagedType.Bool)] + public static extern bool AuthzGetInformationFromContext(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, + AUTHZ_CONTEXT_INFORMATION_CLASS InfoClass, uint BufferSize, out uint pSizeRequired, IntPtr Buffer); + + /// + /// + /// The AuthzInitializeCompoundContext function creates a user-mode context from the given user and device security contexts. + /// + /// + /// + /// User context to create the compound context from. + /// + /// + /// Device context to create the compound context from. This must not be the same as the user context. + /// + /// + /// Used to return the resultant compound context. + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzinitializecompoundcontext AUTHZAPI BOOL + // AuthzInitializeCompoundContext( AUTHZ_CLIENT_CONTEXT_HANDLE UserContext, AUTHZ_CLIENT_CONTEXT_HANDLE DeviceContext, + // PAUTHZ_CLIENT_CONTEXT_HANDLE phCompoundContext ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "2EC9EE76-9A92-40DF-9884-547D96FF3E09")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool AuthzInitializeCompoundContext(SafeAUTHZ_CLIENT_CONTEXT_HANDLE UserContext, SafeAUTHZ_CLIENT_CONTEXT_HANDLE DeviceContext, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE phCompoundContext); /// - /// The AuthzInitializeContextFromSid function creates a user-mode client context from a user security identifier (SID). Domain SIDs retrieve token group attributes from the Active Directory. - /// Note If possible, call the AuthzInitializeContextFromToken function instead of AuthzInitializeContextFromSid. For more information, see Remarks. + /// + /// The AuthzInitializeContextFromSid function creates a user-mode client context from a user security identifier (SID). + /// Domain SIDs retrieve token group attributes from the Active Directory. + /// /// - /// The following flags are defined. - /// Starting with Windows 8 and Windows Server 2012, when you call this function on a remote context handle, the upper 16 bits must be zero. - /// The SID of the user for whom a client context will be created. This must be a valid user or computer account unless the AUTHZ_SKIP_TOKEN_GROUPS flag is used. - /// A handle to the resource manager creating this client context. This handle is stored in the client context structure. - /// Starting with Windows 8 and Windows Server 2012, the resource manager can be local or remote and is obtained by calling the AuthzInitializeRemoteResourceManager function. - /// Pointer to a 64-bit integer for expiration date and time of the token. If no value is passed, the token never expires. Expiration time is not currently enforced. - /// Specific identifier of the resource manager. This parameter is not currently used. - /// A pointer to parameters to be passed to the callback function that computes dynamic groups. This parameter can be NULL if no dynamic parameters are passed to the callback function. - /// Starting with Windows 8 and Windows Server 2012, this parameter must be NULL if the resource manager is remote. Otherwise, ERROR_NOT_SUPPORTED will be set. - /// A pointer to the handle to the client context that the AuthzInitializeContextFromSid function creates. When you have finished using the handle, free it by calling the AuthzFreeContext function. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + /// + /// The following flags are defined. + /// + /// Starting with Windows 8 and Windows Server 2012, when you call this function on a remote context handle, the upper 16 bits must + /// be zero. + /// + /// + /// + /// Value + /// Meaning + /// + /// + /// 0 (0x0) + /// + /// Default value. AuthzInitializeContextFromSid attempts to retrieve the user's token group information by performing an S4U logon. + /// If S4U logon is not supported by the user's domain or the calling computer, AuthzInitializeContextFromSid queries the user's + /// account object for group information. When an account is queried directly, some groups that represent logon characteristics, such + /// as Network, Interactive, Anonymous, Network Service, or Local Service, are omitted. Applications can explicitly add such group + /// SIDs by implementing the AuthzComputeGroupsCallback function or calling the AuthzAddSidsToContext function. + /// + /// + /// + /// AUTHZ_SKIP_TOKEN_GROUPS 2 (0x2) + /// + /// Causes AuthzInitializeContextFromSid to skip all group evaluations. When this flag is used, the context returned contains only + /// the SID specified by the UserSid parameter. The specified SID can be an arbitrary or application-specific SID. Other SIDs can be + /// added to this context by implementing the AuthzComputeGroupsCallback function or by calling the AuthzAddSidsToContext function. + /// + /// + /// + /// AUTHZ_REQUIRE_S4U_LOGON 4 (0x4) + /// + /// Causes AuthzInitializeContextFromSid to fail if Windows Services For User is not available to retrieve token group information. + /// Windows XP: This flag is not supported. + /// + /// + /// + /// AUTHZ_COMPUTE_PRIVILEGES 8 (0x8) + /// + /// Causes AuthzInitializeContextFromSid to retrieve privileges for the new context. If this function performs an S4U logon, it + /// retrieves privileges from the token. Otherwise, the function retrieves privileges from all SIDs in the context. + /// + /// + /// + /// + /// + /// + /// The SID of the user for whom a client context will be created. This must be a valid user or computer account unless the + /// AUTHZ_SKIP_TOKEN_GROUPS flag is used. + /// + /// + /// + /// A handle to the resource manager creating this client context. This handle is stored in the client context structure. + /// + /// Starting with Windows 8 and Windows Server 2012, the resource manager can be local or remote and is obtained by calling the + /// AuthzInitializeRemoteResourceManager function. + /// + /// + /// + /// + /// Expiration date and time of the token. If no value is passed, the token never expires. Expiration time is not currently enforced. + /// + /// + /// + /// Specific identifier of the resource manager. This parameter is not currently used. + /// + /// + /// + /// A pointer to parameters to be passed to the callback function that computes dynamic groups. This parameter can be NULL if + /// no dynamic parameters are passed to the callback function. + /// + /// + /// Starting with Windows 8 and Windows Server 2012, this parameter must be NULL if the resource manager is remote. Otherwise, + /// ERROR_NOT_SUPPORTED will be set. + /// + /// + /// + /// + /// A pointer to the handle to the client context that the AuthzInitializeContextFromSid function creates. When you have + /// finished using the handle, free it by calling the AuthzFreeContext function. + /// + /// + /// + /// If the function succeeds, the function returns nonzero. + /// If the function fails, it returns zero. To get extended error information, call GetLastError. + /// + /// + /// + /// If possible, call the AuthzInitializeContextFromToken function instead of AuthzInitializeContextFromSid. + /// AuthzInitializeContextFromSid attempts to retrieve the information available in a logon token had the client actually + /// logged on. An actual logon token provides more information, such as logon type and logon properties, and reflects the behavior of + /// the authentication package used for the logon. The client context created by AuthzInitializeContextFromToken uses a logon + /// token, and the resulting client context is more complete and accurate than a client context created by AuthzInitializeContextFromSid. + /// + /// This function resolves valid user SIDs only. + /// + /// Windows XP: This function resolves group memberships for valid user and group SIDs (unless the AUTHZ_SKIP_TOKEN_GROUPS + /// flag is used). Support for resolving memberships of group SIDs may be altered or unavailable in subsequent versions. + /// + /// This function calls the AuthzComputeGroupsCallback callback function to add SIDs to the newly created context. + /// + /// Important Applications should not assume that the calling context has permission to use this function. The + /// AuthzInitializeContextFromSid function reads the tokenGroupsGlobalAndUniversal attribute of the SID specified in the call + /// to determine the current user's group memberships. If the user's object is in Active Directory, the calling context must have + /// read access to the tokenGroupsGlobalAndUniversal attribute on the user object. When a new domain is created, the default access + /// compatibility selection is Permissions compatible with Windows 2000 and Windows Server 2003 operating systems. When this + /// option is set, the Pre-Windows 2000 Compatible Access group includes only the Authenticated Users built-in security + /// identifiers. Therefore, applications may not have access to the tokenGroupsGlobalAndUniversal attribute; in this case, the + /// AuthzInitializeContextFromSid function fails with ACCESS_DENIED. Applications that use this function should correctly + /// handle this error and provide supporting documentation. To simplify granting accounts permission to query a user's group + /// information, add accounts that need the ability to look up group information to the Windows Authorization Access Group. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzinitializecontextfromsid AUTHZAPI BOOL + // AuthzInitializeContextFromSid( DWORD Flags, PSID UserSid, AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager, PLARGE_INTEGER + // pExpirationTime, LUID Identifier, PVOID DynamicGroupArgs, PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "402a8641-5644-45c1-80e9-c60321c1ac38")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool AuthzInitializeContextFromSid( AuthzContextFlags Flags, - PSID userSid, - [Optional] SafeAUTHZ_RESOURCE_MANAGER_HANDLE AuthzResourceManager, + PSID UserSid, + [Optional] SafeAUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager, [Optional] IntPtr pExpirationTime, - LUID Identitifier, - [Optional] IntPtr DynamicGroupArgs, - out SafeAUTHZ_CLIENT_CONTEXT_HANDLE pAuthzClientContext); - - /// The AuthzInitializeContextFromToken function initializes a client authorization context from a kernel token. The kernel token must have been opened for TOKEN_QUERY. - /// Starting with Windows Server 2012 and Windows 8, this function can also copy device groups, user claims, and device claims. - /// Reserved for future use. - /// A handle to the client token used to initialize the pAuthzClientContext parameter. The token must have been opened with TOKEN_QUERY access. - /// A handle to the resource manager that created this client context. This handle is stored in the client context structure. - /// Expiration date and time of the token. If no value is passed, the token never expires. Expiration time is not currently enforced. - /// Identifier that is specific to the resource manager. This parameter is not currently used. - /// A pointer to parameters to be passed to the callback function that computes dynamic groups. - /// A pointer to the AuthzClientContext handle returned. Call AuthzFreeContext when done with the client context. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] - [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzInitializeContextFromToken( - uint Flags, - SafeTokenHandle TokenHandle, - SafeAUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager, - [Optional] IntPtr pExpirationTime, - LUID Identitifier, + LUID Identifier, [Optional] IntPtr DynamicGroupArgs, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext); /// - /// The AuthzInitializeObjectAccessAuditEvent function initializes auditing for an object. + /// + /// The AuthzInitializeContextFromToken function initializes a client authorization context from a kernel token. The kernel + /// token must have been opened for TOKEN_QUERY. + /// + /// Starting with Windows Server 2012 and Windows 8, this function can also copy device groups, user claims, and device claims. /// - /// Modifies the audit. - /// Reserved. This parameter should be set to NULL. - /// String that indicates the operation that is to be audited. - /// String that indicates the type of object being accessed. - /// String the indicates the name of the object being accessed. - /// String, defined by the Resource Manager, for additional audit information. - /// Pointer that receives an AUTHZ_AUDIT_EVENT_HANDLE structure. - /// Must be set to zero. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true)] + /// + /// Reserved for future use. + /// + /// + /// + /// A handle to the client token used to initialize the pAuthzClientContext parameter. The token must have been opened with + /// TOKEN_QUERY access. + /// + /// + /// + /// A handle to the resource manager that created this client context. This handle is stored in the client context structure. + /// + /// + /// + /// Expiration date and time of the token. If no value is passed, the token never expires. Expiration time is not currently enforced. + /// + /// + /// + /// Identifier that is specific to the resource manager. This parameter is not currently used. + /// + /// + /// A pointer to parameters to be passed to the callback function that computes dynamic groups. + /// + /// + /// A pointer to the AuthzClientContext handle returned. Call AuthzFreeContext when done with the client context. + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + /// + /// + /// This function calls the AuthzComputeGroupsCallback callback function to add security identifiers to the newly created context. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzinitializecontextfromtoken AUTHZAPI BOOL + // AuthzInitializeContextFromToken( DWORD Flags, HANDLE TokenHandle, AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager, + // PLARGE_INTEGER pExpirationTime, LUID Identifier, PVOID DynamicGroupArgs, PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "75a7fb3f-6b3a-42ca-b467-f57baf6c60c6")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzInitializeObjectAccessAuditEvent( - AuthzAuditEventFlags Flags, - IntPtr hAuditEventType, - [MarshalAs(UnmanagedType.LPWStr)] string szOperationType, - [MarshalAs(UnmanagedType.LPWStr)] string szObjectType, - [MarshalAs(UnmanagedType.LPWStr)] string szObjectName, - [MarshalAs(UnmanagedType.LPWStr)] string szAdditionalInfo, - out SafeAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent, - uint dwAdditionalParamCount); + public static extern bool AuthzInitializeContextFromToken(uint Flags, SafeTokenHandle TokenHandle, SafeAUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager, + [Optional] IntPtr pExpirationTime, LUID Identifier, [Optional] IntPtr DynamicGroupArgs, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext); /// - /// The AuthzInitializeResourceManager function uses Authz to verify that clients have access to various resources. + /// The AuthzInitializeObjectAccessAuditEvent function initializes auditing for an object. /// - /// A DWORD value that defines how the resource manager is initialized. - /// AUTHZ_RM_FLAG_NO_AUDIT and AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION can be bitwise-combined. - /// A pointer to the AuthzAccessCheckCallback callback function that the resource manager calls each time it encounters a callback access control entry (ACE) during access control list (ACL) evaluation in AuthzAccessCheck or AuthzCachedAccessCheck. This parameter can be NULL if no access check callback function is used. - /// A pointer to the AuthzComputeGroupsCallback callback function called by the resource manager during initialization of an AuthzClientContext handle. This parameter can be NULL if no callback function is used to compute dynamic groups. - /// A pointer to the AuthzFreeGroupsCallback callback function called by the resource manager to free security identifier (SID) attribute arrays allocated by the compute dynamic groups callback. This parameter can be NULL if no callback function is used to compute dynamic groups. - /// A string that identifies the resource manager. This parameter can be NULL if the resource manager does not need a name. - /// A pointer to the returned resource manager handle. When you have finished using the handle, free it by calling the AuthzFreeResourceManager function. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. - [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true, CharSet = CharSet.Unicode)] + /// + /// Modifies the audit. This parameter can be one of the following values. + /// + /// + /// Value + /// Meaning + /// + /// + /// AUTHZ_NO_SUCCESS_AUDIT + /// Disable generation of success audits. + /// + /// + /// AUTHZ_NO_FAILURE_AUDIT + /// Disable generation of failure audits. + /// + /// + /// AUTHZ_NO_ALLOC_STRINGS + /// + /// Use pointers to the passed strings instead of allocating memory and copying the strings. The calling application must ensure that + /// the passed memory stays valid during access checks. + /// + /// + /// + /// + /// + /// Reserved. This parameter should be set to NULL. + /// + /// + /// String that indicates the operation that is to be audited. + /// + /// + /// String that indicates the type of object being accessed. + /// + /// + /// String the indicates the name of the object being accessed. + /// + /// + /// String, defined by the Resource Manager, for additional audit information. + /// + /// + /// Pointer that receives an AUTHZ_AUDIT_EVENT_HANDLE structure. + /// + /// + /// Must be set to zero. + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. For extended error information, call GetLastError. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzinitializeobjectaccessauditevent AUTHZAPI BOOL + // AuthzInitializeObjectAccessAuditEvent( DWORD Flags, AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType, PWSTR szOperationType, PWSTR + // szObjectType, PWSTR szObjectName, PWSTR szAdditionalInfo, PAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent, DWORD + // dwAdditionalParameterCount, ... ); + [DllImport(Lib.Authz, SetLastError = true, ExactSpelling = true)] + [PInvokeData("authz.h", MSDNShortId = "cf79a92f-31e0-47cf-8990-4dbd46056a90")] [return: MarshalAs(UnmanagedType.Bool)] + public static extern bool AuthzInitializeObjectAccessAuditEvent(AuthzAuditEventFlags Flags, IntPtr hAuditEventType, + [MarshalAs(UnmanagedType.LPWStr)] string szOperationType, [MarshalAs(UnmanagedType.LPWStr)] string szObjectType, + [MarshalAs(UnmanagedType.LPWStr)] string szObjectName, [MarshalAs(UnmanagedType.LPWStr)] string szAdditionalInfo, + out SafeAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent, uint dwAdditionalParameterCount); + + /// The AuthzInitializeResourceManager function uses Authz to verify that clients have access to various resources. + /// + /// A DWORD value that defines how the resource manager is initialized. + /// AUTHZ_RM_FLAG_NO_AUDIT and AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION can be bitwise-combined. + /// + /// + /// A pointer to the AuthzAccessCheckCallback callback function that the resource manager calls each time it encounters a callback + /// access control entry (ACE) during access control list (ACL) evaluation in AuthzAccessCheck or AuthzCachedAccessCheck. This + /// parameter can be NULL if no access check callback function is used. + /// + /// + /// A pointer to the AuthzComputeGroupsCallback callback function called by the resource manager during initialization of an + /// AuthzClientContext handle. This parameter can be NULL if no callback function is used to compute dynamic groups. + /// + /// + /// A pointer to the AuthzFreeGroupsCallback callback function called by the resource manager to free security identifier (SID) + /// attribute arrays allocated by the compute dynamic groups callback. This parameter can be NULL if no callback function is used to + /// compute dynamic groups. + /// + /// + /// A string that identifies the resource manager. This parameter can be NULL if the resource manager does not need a name. + /// + /// + /// A pointer to the returned resource manager handle. When you have finished using the handle, free it by calling the + /// AuthzFreeResourceManager function. + /// + /// + /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, + /// call GetLastError. + /// + [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true, CharSet = CharSet.Unicode)] [PInvokeData("authz.h", MSDNShortId = "aa376313")] + [return: MarshalAs(UnmanagedType.Bool)] public static extern bool AuthzInitializeResourceManager( AuthzResourceManagerFlags flags, [Optional] AuthzAccessCheckCallback pfnAccessCheck, @@ -582,82 +1107,347 @@ namespace Vanara.PInvoke out SafeAUTHZ_RESOURCE_MANAGER_HANDLE rm); /// - /// The AuthzModifyClaims function adds, deletes, or modifies user and device claims in the Authz client context. + /// The AuthzModifyClaims function adds, deletes, or modifies user and device claims in the Authz client context. /// - /// A handle to the client context to be modified. - /// Type of information to be modified. The caller can specify AuthzContextInfoUserClaims or AuthzContextInfoDeviceClaims. - /// A pointer to an array of AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration values that specify the type of claim modification to make. - /// A pointer to an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that specifies the claims to modify. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + /// A handle to the client context to be modified. + /// + /// + /// Type of information to be modified. The caller can specify AuthzContextInfoUserClaims or AuthzContextInfoDeviceClaims. + /// + /// + /// + /// A pointer to an array of AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration values that specify the type of claim modification to make. + /// + /// + /// + /// A pointer to an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that specifies the claims to modify. + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + /// + /// + /// The AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration must have only one element if the value of that element is + /// AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL. Otherwise, the array has the same number of elements as the corresponding PAUTHZ_SECURITY_ATTRIBUTES_INFORMATION. + /// + /// + /// If the AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE and the function fails, call + /// GetLastError. If the error code is ERROR_ALREADY_EXISTS, the claim's values have duplicate entries. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzmodifyclaims AUTHZAPI BOOL AuthzModifyClaims( + // AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_CONTEXT_INFORMATION_CLASS ClaimClass, PAUTHZ_SECURITY_ATTRIBUTE_OPERATION + // pClaimOperations, PAUTHZ_SECURITY_ATTRIBUTES_INFORMATION pClaims ); + [PInvokeData("authz.h", MSDNShortId = "A93CD1DD-4E87-4C6A-928A-F90AD7F1085E")] [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true, CharSet = CharSet.Unicode)] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzModifyClaims(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_CONTEXT_INFORMATION_CLASS ClaimClass, - AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pClaimOperations, + public static extern bool AuthzModifyClaims(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_CONTEXT_INFORMATION_CLASS ClaimClass, + AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pClaimOperations, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(AUTHZ_SECURITY_ATTRIBUTES_INFORMATION_Marshaler))] AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pClaims); /// - /// The AuthzModifySids function adds, deletes, or modifies user and device groups in the Authz client context. + /// + /// The AuthzModifySecurityAttributes function modifies the security attribute information in the specified client context. + /// /// - /// A handle to the client context to be modified. - /// A pointer to an array of AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration values that specify the types of modifications to make. - /// This array must have only one element if the value of that element is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL. Otherwise, the array has the same number of elements as the pAttributes array. - /// A pointer to an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that specifies the attributes to modify. + /// + /// A handle to the client context to be modified. + /// + /// + /// + /// A pointer to an array of AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration values that specify the types of modifications to make. + /// + /// + /// This array must have only one element if the value of that element is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL. + /// Otherwise, the array has the same number of elements as the pAttributes array. + /// + /// + /// + /// A pointer to an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that specifies the attributes to modify. + /// /// - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzmodifysecurityattributes AUTHZAPI BOOL + // AuthzModifySecurityAttributes( AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, PAUTHZ_SECURITY_ATTRIBUTE_OPERATION pOperations, + // PAUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAttributes ); [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true, CharSet = CharSet.Unicode)] + [PInvokeData("authz.h", MSDNShortId = "d84873e2-ecfe-45cf-9048-7ed173117efa")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool AuthzModifySecurityAttributes(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_SECURITY_ATTRIBUTE_OPERATION[] pOperations, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(AUTHZ_SECURITY_ATTRIBUTES_INFORMATION_Marshaler))] AUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAttributes); /// - /// The AuthzModifySids function adds, deletes, or modifies user and device groups in the Authz client context. + /// The AuthzModifySids function adds, deletes, or modifies user and device groups in the Authz client context. /// - /// A handle to the client context to be modified. - /// Type of information to be modified. The caller can specify AuthzContextInfoGroupsSids, AuthzContextInfoRestrictedSids, or AuthzContextInfoDeviceSids. - /// A pointer to an array of AUTHZ_SID_OPERATION enumeration values that specify the group modifications to make. - /// A pointer to a TOKEN_GROUPS structure that specifies the groups to modify. - /// If the function succeeds, the function returns TRUE. If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + /// A handle to the client context to be modified. + /// + /// + /// + /// Type of information to be modified. The caller can specify AuthzContextInfoGroupsSids, AuthzContextInfoRestrictedSids, or AuthzContextInfoDeviceSids. + /// + /// + /// + /// A pointer to an array of AUTHZ_SID_OPERATION enumeration values that specify the group modifications to make. + /// + /// + /// A pointer to a TOKEN_GROUPS structure that specifies the groups to modify. + /// + /// + /// If the function succeeds, it returns TRUE. + /// If the function fails, it returns FALSE. To get extended error information, call GetLastError. + /// + /// + /// + /// The AUTHZ_SID_OPERATION enumeration must have only one element if the value of that element is AUTHZ_SID_OPERATION_REPLACE_ALL. + /// Otherwise, the array has the same number of elements as the corresponding PTOKEN_GROUPS. + /// + /// + /// When you want to use AuthzModifySids to delete, the SIDs are matched but not the SID flags. If no matching SID is found, + /// no modifications are done and the call fails. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzmodifysids AUTHZAPI BOOL AuthzModifySids( + // AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_CONTEXT_INFORMATION_CLASS SidClass, PAUTHZ_SID_OPERATION pSidOperations, + // PTOKEN_GROUPS pSids ); [DllImport(Lib.Authz, ExactSpelling = true, SetLastError = true, CharSet = CharSet.Unicode)] + [PInvokeData("authz.h", MSDNShortId = "740569A5-6159-409B-B8CB-B3A8BAE4F398")] [return: MarshalAs(UnmanagedType.Bool)] - public static extern bool AuthzModifySids(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_CONTEXT_INFORMATION_CLASS SidClass, + public static extern bool AuthzModifySids(SafeAUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, AUTHZ_CONTEXT_INFORMATION_CLASS SidClass, AUTHZ_SID_OPERATION[] pSidOperations, ref TOKEN_GROUPS pSids); - /// The AUTHZ_ACCESS_REPLY structure defines an access check reply. + /// + /// The AUTHZ_ACCESS_REQUEST structure defines an access check request. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-authz-_authz_access_request typedef struct _AUTHZ_ACCESS_REQUEST { + // ACCESS_MASK DesiredAccess; PSID PrincipalSelfSid; POBJECT_TYPE_LIST ObjectTypeList; DWORD ObjectTypeListLength; PVOID + // OptionalArguments; } AUTHZ_ACCESS_REQUEST, *PAUTHZ_ACCESS_REQUEST; + [PInvokeData("authz.h", MSDNShortId = "3748075c-b31a-4669-b8a6-1a540449d8fa")] + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public struct AUTHZ_ACCESS_REQUEST + { + /// The type of access to test for. + public uint DesiredAccess; + + /// The security identifier (SID) to use for the principal self SID in the access control list (ACL). + public byte[] PrincipalSelfSid; + + /// + /// An array of OBJECT_TYPE_LIST structures in the object tree for the object. Set to NULL unless the application checks access + /// at the property level. + /// + public IntPtr ObjectTypeList; + + /// + /// The number of elements in the ObjectTypeList array. This member is necessary only if the application checks access at the + /// property level. + /// + public uint ObjectTypeListLength; + + /// A pointer to memory to pass to AuthzAccessCheckCallback when checking callback access control entries (ACEs). + public IntPtr OptionalArguments; + + /// Initializes a new instance of the struct. + /// The access. + public AUTHZ_ACCESS_REQUEST(uint access) : this() { DesiredAccess = access; } + + /// Gets or sets the object types. + /// The object types. + public OBJECT_TYPE_LIST[] ObjectTypes => ObjectTypeList.ToIEnum((int)ObjectTypeListLength).Select(p => p.ToStructure()).ToArray(); + } + + /// + /// + /// The AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE structure specifies a fully qualified binary name value associated with a security attribute. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-authz-_authz_security_attribute_fqbn_value typedef struct + // _AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE { ULONG64 Version; PWSTR pName; } AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE, *PAUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE; + [PInvokeData("authz.h", MSDNShortId = "05b4bf7d-a0d9-473c-b215-9cf566b2a996")] + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public struct AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE + { + /// The version number of the structure. + public ulong Version; + + /// + /// A pointer to strings that specify the names of the publisher, the product, and the original binary file of the value. + /// + public string pName; + } + + /// + /// The AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE structure specifies an octet string value for a security attribute. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-authz-_authz_security_attribute_octet_string_value typedef struct + // _AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE { PVOID pValue; ULONG ValueLength; } AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PAUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + [PInvokeData("authz.h", MSDNShortId = "aebe20d5-280f-45d3-a11d-279a08a1a165")] + [StructLayout(LayoutKind.Sequential)] + public struct AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE + { + /// A pointer to the value. + public byte[] pValue; + + /// The length, in bytes, of the pValue member. + public uint ValueLength; + } + + /// + /// + /// The AUTHZ_SECURITY_ATTRIBUTE_V1 structure defines a security attribute that can be associated with an authorization context. + /// + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-authz-_authz_security_attribute_v1 typedef struct + // _AUTHZ_SECURITY_ATTRIBUTE_V1 { PWSTR pName; USHORT ValueType; USHORT Reserved; ULONG Flags; ULONG ValueCount; union { PLONG64 + // pInt64; PULONG64 pUint64; PWSTR *ppString; PAUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; + // PAUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; } Values; } AUTHZ_SECURITY_ATTRIBUTE_V1, *PAUTHZ_SECURITY_ATTRIBUTE_V1; + [PInvokeData("authz.h", MSDNShortId = "0c4778bb-1b5d-4422-b066-d2a6aaa1f351")] + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public struct AUTHZ_SECURITY_ATTRIBUTE_V1 + { + /// A pointer to a name of a security attribute. + public string pName; + + /// The data type of the values pointed to by the Values member. + public AUTHZ_SECURITY_ATTRIBUTE_DATATYPE ValueType; + + /// Reserved for future use. + public ushort Reserved; + + /// A combination of one or more of the following values. + public AUTHZ_SECURITY_ATTRIBUTE_FLAGS Flags; + + /// The number of values specified in the Values member. + public uint ValueCount; + + /// A pointer to the value. + public AUTHZ_SECURITY_ATTRIBUTE_V1_Union Values; + + /// Initializes a new instance of the struct. + /// The name. + /// The value. + public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params long[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_INT64, values.Length) + { + Values.pInt64 = values; + } + + /// Initializes a new instance of the struct. + /// The name. + /// The value. + public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params ulong[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_UINT64, values.Length) + { + Values.pUInt64 = values; + } + + /// Initializes a new instance of the struct. + /// The name. + /// The value. + public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params bool[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_BOOLEAN, values.Length) + { + Values.pInt64 = Array.ConvertAll(values, Convert.ToInt64); + } + + /// Initializes a new instance of the struct. + /// The name. + /// The value. + public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params string[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_STRING, values.Length) + { + Values.ppString = values; + } + + /// Initializes a new instance of the struct. + /// The name. + /// The value. + public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_FQBN, values.Length) + { + Values.pFqbn = values; + } + + /// Initializes a new instance of the struct. + /// The name. + /// The value. + public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING, values.Length) + { + Values.pOctetString = values; + } + + private AUTHZ_SECURITY_ATTRIBUTE_V1(string name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE type, int count) : this() + { + pName = name; + ValueType = type; + ValueCount = (uint)count; + } + + /// Union. + [StructLayout(LayoutKind.Explicit, CharSet = CharSet.Unicode)] + public struct AUTHZ_SECURITY_ATTRIBUTE_V1_Union + { + /// A pointer to one or more numeric attribute values. + [FieldOffset(0)] public long[] pInt64; + + /// A pointer to one or more numeric attribute values. + [FieldOffset(0)] public ulong[] pUInt64; + + /// A pointer to one or more string attribute values. + [FieldOffset(0)] public string[] ppString; + + /// A pointer to one or more AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE structures. + [FieldOffset(0)] public AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE[] pFqbn; + + /// A pointer to one or more AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE structures. + [FieldOffset(0)] public AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE[] pOctetString; + } + } + + /// + /// The AUTHZ_ACCESS_REPLY structure defines an access check reply. + /// + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-authz-_authz_access_reply typedef struct _AUTHZ_ACCESS_REPLY { DWORD + // ResultListLength; PACCESS_MASK GrantedAccessMask; PDWORD SaclEvaluationResults; PDWORD Error; } AUTHZ_ACCESS_REPLY, *PAUTHZ_ACCESS_REPLY; + [PInvokeData("authz.h", MSDNShortId = "7162bf80-3730-46d7-a603-2a55b969c9ba")] [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public sealed class AUTHZ_ACCESS_REPLY : IDisposable { /// - /// The number of elements in the GrantedAccessMask, SaclEvaluationResults, and Error arrays. This number matches the number of entries in the object - /// type list structure used in the access check. If no object type is used to represent the object, then set ResultListLength to one. + /// The number of elements in the GrantedAccessMask, SaclEvaluationResults, and Error arrays. This number matches the number of + /// entries in the object type list structure used in the access check. If no object type is used to represent the object, then + /// set ResultListLength to one. /// public int ResultListLength; + /// An array of granted access masks. Memory for this array is allocated by the application before calling AccessCheck. public IntPtr GrantedAccessMask; - /// - /// An array of system access control list (SACL) evaluation results. Memory for this array is allocated by the application before calling - /// AccessCheck. SACL evaluation will only be performed if auditing is requested. - /// - public IntPtr SaclEvaluationResults; - /// An array of results for each element of the array. Memory for this array is allocated by the application before calling AccessCheck. - public IntPtr Error; /// - /// Initializes a new instance of the struct. + /// An array of system access control list (SACL) evaluation results. Memory for this array is allocated by the application + /// before calling AccessCheck. SACL evaluation will only be performed if auditing is requested. /// + public IntPtr SaclEvaluationResults; + + /// + /// An array of results for each element of the array. Memory for this array is allocated by the application before calling AccessCheck. + /// + public IntPtr Error; + + /// Initializes a new instance of the struct. /// The count of array members in each of the three arrays. public AUTHZ_ACCESS_REPLY(uint count) { if (count == 0) return; ResultListLength = (int)count; - var sz = Marshal.SizeOf(typeof(uint))*(int)count; + var sz = Marshal.SizeOf(typeof(uint)) * (int)count; GrantedAccessMask = Marshal.AllocHGlobal(sz); SaclEvaluationResults = Marshal.AllocHGlobal(sz); Error = Marshal.AllocHGlobal(sz); } #pragma warning disable 612 + /// Gets or sets the granted access mask values. The length of this array must match the value in . /// The granted access mask values. public uint[] GrantedAccessMaskValues @@ -687,7 +1477,10 @@ namespace Vanara.PInvoke Marshal.Copy(ms.ToArray(), 0, ptr, (int)ms.Length); } - /// Gets or sets the system access control list (SACL) evaluation results values. The length of this array must match the value in . + /// + /// Gets or sets the system access control list (SACL) evaluation results values. The length of this array must match the value + /// in . + /// /// The system access control list (SACL) evaluation results values. public uint[] SaclEvaluationResultsValues { @@ -707,7 +1500,9 @@ namespace Vanara.PInvoke } } - /// Gets or sets the results for each element of the array. The length of this array must match the value in . + /// + /// Gets or sets the results for each element of the array. The length of this array must match the value in . + /// /// The results values. public uint[] ErrorValues { @@ -726,6 +1521,7 @@ namespace Vanara.PInvoke CopyArrayToPtr(value, Error); } } + #pragma warning restore 612 void IDisposable.Dispose() @@ -738,176 +1534,28 @@ namespace Vanara.PInvoke } /// - /// The AUTHZ_ACCESS_REQUEST structure defines an access check request. + /// The AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure specifies one or more security attributes. /// - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] - public struct AUTHZ_ACCESS_REQUEST - { - /// - /// The type of access to test for. - /// - public uint DesiredAccess; - /// - /// The security identifier (SID) to use for the principal self SID in the access control list (ACL). - /// - public byte[] PrincipalSelfSid; - /// - /// An array of OBJECT_TYPE_LIST structures in the object tree for the object. Set to NULL unless the application checks access at the property level. - /// - public IntPtr ObjectTypeList; - /// - /// The number of elements in the ObjectTypeList array. This member is necessary only if the application checks access at the property level. - /// - public uint ObjectTypeListLength; - /// - /// A pointer to memory to pass to AuthzAccessCheckCallback when checking callback access control entries (ACEs). - /// - public IntPtr OptionalArguments; - - /// - /// Initializes a new instance of the struct. - /// - /// The access. - public AUTHZ_ACCESS_REQUEST(uint access) : this() { DesiredAccess = access; } - - /// - /// Gets or sets the object types. - /// - /// - /// The object types. - /// - public OBJECT_TYPE_LIST[] ObjectTypes => ObjectTypeList.ToIEnum((int)ObjectTypeListLength).Select(p => p.ToStructure()).ToArray(); - } - - /// The AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE structure specifies a fully qualified binary name value associated with a security attribute. - public struct AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE - { - /// The version number of the structure. - public ulong Version; - /// A pointer to strings that specify the names of the publisher, the product, and the original binary file of the value. - public string pName; - } - - /// The AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE structure specifies an octet string value for a security attribute. - public struct AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE - { - /// A pointer to the value. - public byte[] pValue; - /// The length, in bytes, of the pValue member. - public uint ValueLength; - } - - /// The AUTHZ_SECURITY_ATTRIBUTE_V1 structure defines a security attribute that can be associated with an authorization context. - public struct AUTHZ_SECURITY_ATTRIBUTE_V1 - { - /// A pointer to a name of a security attribute. - public string pName; - /// The data type of the values pointed to by the Values member. - public AUTHZ_SECURITY_ATTRIBUTE_DATATYPE ValueType; - /// Reserved for future use. - public ushort Reserved; - /// A combination of one or more of the following values. - public AUTHZ_SECURITY_ATTRIBUTE_FLAGS Flags; - /// The number of values specified in the Values member. - public uint ValueCount; - /// A pointer to the value. - public AUTHZ_SECURITY_ATTRIBUTE_V1_Union Values; - - /// - /// Initializes a new instance of the struct. - /// - /// The name. - /// The value. - public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params long[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_INT64, values.Length) - { - Values.pInt64 = values; - } - - /// - /// Initializes a new instance of the struct. - /// - /// The name. - /// The value. - public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params ulong[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_UINT64, values.Length) - { - Values.pUInt64 = values; - } - - /// - /// Initializes a new instance of the struct. - /// - /// The name. - /// The value. - public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params bool[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_BOOLEAN, values.Length) - { - Values.pInt64 = Array.ConvertAll(values, Convert.ToInt64); - } - - /// - /// Initializes a new instance of the struct. - /// - /// The name. - /// The value. - public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params string[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_STRING, values.Length) - { - Values.ppString = values; - } - - /// - /// Initializes a new instance of the struct. - /// - /// The name. - /// The value. - public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_FQBN, values.Length) - { - Values.pFqbn = values; - } - - /// - /// Initializes a new instance of the struct. - /// - /// The name. - /// The value. - public AUTHZ_SECURITY_ATTRIBUTE_V1(string name, params AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE[] values) : this(name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING, values.Length) - { - Values.pOctetString = values; - } - - private AUTHZ_SECURITY_ATTRIBUTE_V1(string name, AUTHZ_SECURITY_ATTRIBUTE_DATATYPE type, int count) : this() - { - pName = name; - ValueType = type; - ValueCount = (uint)count; - } - } - - [StructLayout(LayoutKind.Explicit, CharSet = CharSet.Unicode)] - public struct AUTHZ_SECURITY_ATTRIBUTE_V1_Union - { - /// A pointer to one or more numeric attribute values. - [FieldOffset(0)] public long[] pInt64; - /// A pointer to one or more numeric attribute values. - [FieldOffset(0)] public ulong[] pUInt64; - /// A pointer to one or more string attribute values. - [FieldOffset(0)] public string[] ppString; - /// A pointer to one or more AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE structures. - [FieldOffset(0)] public AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE[] pFqbn; - /// A pointer to one or more AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE structures. - [FieldOffset(0)] public AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE[] pOctetString; - } - - /// Specifies one or more security attributes. + // https://docs.microsoft.com/en-us/windows/desktop/api/authz/ns-authz-_authz_security_attributes_information typedef struct + // _AUTHZ_SECURITY_ATTRIBUTES_INFORMATION { USHORT Version; USHORT Reserved; ULONG AttributeCount; union { + // PAUTHZ_SECURITY_ATTRIBUTE_V1 pAttributeV1; } Attribute; } AUTHZ_SECURITY_ATTRIBUTES_INFORMATION, *PAUTHZ_SECURITY_ATTRIBUTES_INFORMATION; + [PInvokeData("authz.h", MSDNShortId = "1db95ab0-951f-488c-b522-b3f38fc74c7c")] public class AUTHZ_SECURITY_ATTRIBUTES_INFORMATION { - /// The version of this structure. Currently the only value supported is 1. - public ushort Version; - /// Reserved. Do not use. - public ushort Reserved; /// The number of attributes specified by the Attribute member. public uint AttributeCount; + /// An array of AUTHZ_SECURITY_ATTRIBUTE_V1 structures of the length of the AttributeCount member. public AUTHZ_SECURITY_ATTRIBUTE_V1[] pAttributeV1; + /// Reserved. Do not use. + public ushort Reserved; + + /// The version of this structure. Currently the only value supported is 1. + public ushort Version; + + /// Initializes a new instance of the class. + /// The attributes. public AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(AUTHZ_SECURITY_ATTRIBUTE_V1[] attributes) { Version = 1; @@ -916,6 +1564,9 @@ namespace Vanara.PInvoke pAttributeV1 = attributes; } + /// Create a AUTHZ_SECURITY_ATTRIBUTES_INFORMATION from a pointer. + /// The pointer to a block of memory. + /// A AUTHZ_SECURITY_ATTRIBUTES_INFORMATION instance. public static AUTHZ_SECURITY_ATTRIBUTES_INFORMATION FromPtr(IntPtr ptr) => (AUTHZ_SECURITY_ATTRIBUTES_INFORMATION)AUTHZ_SECURITY_ATTRIBUTES_INFORMATION_Marshaler.GetInstance(null).MarshalNativeToManaged(ptr); } @@ -936,6 +1587,9 @@ namespace Vanara.PInvoke /// public class SafeAUTHZ_AUDIT_EVENT_HANDLE : GenericSafeHandle { + /// A null value equivalent. + public static readonly SafeAUTHZ_AUDIT_EVENT_HANDLE Null = new SafeAUTHZ_AUDIT_EVENT_HANDLE(); + /// Initializes a new instance of the class. public SafeAUTHZ_AUDIT_EVENT_HANDLE() : base(AuthzFreeContext) { } @@ -943,9 +1597,6 @@ namespace Vanara.PInvoke /// An existing handle. /// if set to true free handle when disposed. public SafeAUTHZ_AUDIT_EVENT_HANDLE(AUTHZ_AUDIT_EVENT_HANDLE ptr, bool own = true) : base(ptr, AuthzFreeAuditEvent, own) { } - - /// A null value equivalent. - public static readonly SafeAUTHZ_AUDIT_EVENT_HANDLE Null = new SafeAUTHZ_AUDIT_EVENT_HANDLE(); } /// A safe handle for AUTHZ_CLIENT_CONTEXT_HANDLE. @@ -965,6 +1616,9 @@ namespace Vanara.PInvoke /// public class SafeAUTHZ_RESOURCE_MANAGER_HANDLE : GenericSafeHandle { + /// A null value equivalent. + public static readonly SafeAUTHZ_RESOURCE_MANAGER_HANDLE Null = new SafeAUTHZ_RESOURCE_MANAGER_HANDLE(); + /// Initializes a new instance of the class. public SafeAUTHZ_RESOURCE_MANAGER_HANDLE() : base(AuthzFreeResourceManager) { } @@ -972,58 +1626,29 @@ namespace Vanara.PInvoke /// An existing handle. /// if set to true free handle when disposed. public SafeAUTHZ_RESOURCE_MANAGER_HANDLE(AUTHZ_RESOURCE_MANAGER_HANDLE ptr, bool own = true) : base(ptr, AuthzFreeResourceManager, own) { } - - /// A null value equivalent. - public static readonly SafeAUTHZ_RESOURCE_MANAGER_HANDLE Null = new SafeAUTHZ_RESOURCE_MANAGER_HANDLE(); } internal class AUTHZ_SECURITY_ATTRIBUTES_INFORMATION_Marshaler : ICustomMarshaler { - [StructLayout(LayoutKind.Sequential)] - private struct Internal_AUTHZ_SECURITY_ATTRIBUTES_INFORMATION - { - /// The version of this structure. Currently the only value supported is 1. - public ushort Version; - /// Reserved. Do not use. - public ushort Reserved; - /// The number of attributes specified by the Attribute member. - public uint AttributeCount; - /// An array of AUTHZ_SECURITY_ATTRIBUTE_V1 structures of the length of the AttributeCount member. - public IntPtr pAttributeV1; - } - - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] - private struct Internal_AUTHZ_SECURITY_ATTRIBUTE_V1 - { - /// A pointer to a name of a security attribute. - public IntPtr pName; - /// The data type of the values pointed to by the Values member. - public AUTHZ_SECURITY_ATTRIBUTE_DATATYPE ValueType; - /// Reserved for future use. - public ushort Reserved; - /// A combination of one or more of the following values. - public AUTHZ_SECURITY_ATTRIBUTE_FLAGS Flags; - /// The number of values specified in the Values member. - public uint ValueCount; - /// A pointer to the value. - public IntPtr Values; - - public Internal_AUTHZ_SECURITY_ATTRIBUTE_V1(AUTHZ_SECURITY_ATTRIBUTE_V1 v1) : this() - { - ValueType = v1.ValueType; - Flags = v1.Flags; - ValueCount = v1.ValueCount; - } - } - public static ICustomMarshaler GetInstance(string cookie) => new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION_Marshaler(); + public void CleanUpManagedData(object ManagedObj) + { + } + + public void CleanUpNativeData(IntPtr pNativeData) + { + Marshal.FreeHGlobal(pNativeData); + } + + public int GetNativeDataSize() => -1; + public IntPtr MarshalManagedToNative(object ManagedObj) { // Determine size if (!(ManagedObj is AUTHZ_SECURITY_ATTRIBUTES_INFORMATION attrInfo)) throw new InvalidOperationException("This marshaler only works on AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structures."); var sz1 = Marshal.SizeOf(typeof(Internal_AUTHZ_SECURITY_ATTRIBUTES_INFORMATION)) + - attrInfo.AttributeCount * Marshal.SizeOf(typeof(Internal_AUTHZ_SECURITY_ATTRIBUTE_V1)); + attrInfo.AttributeCount * Marshal.SizeOf(typeof(Internal_AUTHZ_SECURITY_ATTRIBUTE_V1)); var sz2 = 0L; for (var i = 0; i < attrInfo.AttributeCount; i++) { @@ -1038,19 +1663,23 @@ namespace Vanara.PInvoke case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_UINT64: sz2 += Marshal.SizeOf(typeof(long)) * v1.ValueCount; break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_STRING: foreach (var s in v1.Values.ppString) sz2 += (s.Length + 1) * 2 + IntPtr.Size; sz2 += IntPtr.Size; break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_FQBN: foreach (var s in v1.Values.pFqbn) sz2 += (s.pName.Length + 1) * 2 + Marshal.SizeOf(s.Version); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING: foreach (var s in v1.Values.pOctetString) sz2 += s.ValueLength + Marshal.SizeOf(s.ValueLength); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_SID: case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_INVALID: default: @@ -1066,7 +1695,7 @@ namespace Vanara.PInvoke var iV1s = new Internal_AUTHZ_SECURITY_ATTRIBUTE_V1[attrInfo.AttributeCount]; for (var i = 0; i < attrInfo.AttributeCount; i++) { - iV1s[i] = new Internal_AUTHZ_SECURITY_ATTRIBUTE_V1(attrInfo.pAttributeV1[i]) {pName = ms2.PositionPtr}; + iV1s[i] = new Internal_AUTHZ_SECURITY_ATTRIBUTE_V1(attrInfo.pAttributeV1[i]) { pName = ms2.PositionPtr }; ms2.Write(attrInfo.pAttributeV1[i].pName); iV1s[i].Values = ms2.PositionPtr; switch (iV1s[i].ValueType) @@ -1075,18 +1704,23 @@ namespace Vanara.PInvoke case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_INT64: ms2.Write(attrInfo.pAttributeV1[i].Values.pInt64); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_UINT64: ms2.Write(attrInfo.pAttributeV1[i].Values.pUInt64); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_STRING: ms2.Write(attrInfo.pAttributeV1[i].Values.ppString); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_FQBN: ms2.Write(attrInfo.pAttributeV1[i].Values.pFqbn); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING: ms2.Write(attrInfo.pAttributeV1[i].Values.pOctetString); break; + default: throw new ArgumentOutOfRangeException(); } @@ -1105,17 +1739,12 @@ namespace Vanara.PInvoke return retPtr; } - public void CleanUpNativeData(IntPtr pNativeData) - { - Marshal.FreeHGlobal(pNativeData); - } - public object MarshalNativeToManaged(IntPtr pNativeData) { if (pNativeData == IntPtr.Zero) return null; var attrInfo = pNativeData.ToStructure(); return new AUTHZ_SECURITY_ATTRIBUTES_INFORMATION(attrInfo.pAttributeV1 == IntPtr.Zero ? null : - Array.ConvertAll(attrInfo.pAttributeV1.ToArray((int) attrInfo.AttributeCount), Conv)); + Array.ConvertAll(attrInfo.pAttributeV1.ToArray((int)attrInfo.AttributeCount), Conv)); AUTHZ_SECURITY_ATTRIBUTE_V1 Conv(Internal_AUTHZ_SECURITY_ATTRIBUTE_V1 input) { @@ -1126,18 +1755,23 @@ namespace Vanara.PInvoke case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_INT64: v1.Values.pInt64 = input.Values.ToArray((int)v1.ValueCount); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_UINT64: v1.Values.pUInt64 = input.Values.ToArray((int)v1.ValueCount); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_STRING: v1.Values.ppString = input.Values.ToStringEnum((int)v1.ValueCount, CharSet.Unicode).ToArray(); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_FQBN: v1.Values.pFqbn = input.Values.ToArray((int)v1.ValueCount); break; + case AUTHZ_SECURITY_ATTRIBUTE_DATATYPE.AUTHZ_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING: v1.Values.pOctetString = input.Values.ToArray((int)v1.ValueCount); break; + default: throw new ArgumentOutOfRangeException(); } @@ -1145,11 +1779,50 @@ namespace Vanara.PInvoke } } - public void CleanUpManagedData(object ManagedObj) + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + private struct Internal_AUTHZ_SECURITY_ATTRIBUTE_V1 { + /// A pointer to a name of a security attribute. + public IntPtr pName; + + /// The data type of the values pointed to by the Values member. + public AUTHZ_SECURITY_ATTRIBUTE_DATATYPE ValueType; + + /// Reserved for future use. + public ushort Reserved; + + /// A combination of one or more of the following values. + public AUTHZ_SECURITY_ATTRIBUTE_FLAGS Flags; + + /// The number of values specified in the Values member. + public uint ValueCount; + + /// A pointer to the value. + public IntPtr Values; + + public Internal_AUTHZ_SECURITY_ATTRIBUTE_V1(AUTHZ_SECURITY_ATTRIBUTE_V1 v1) : this() + { + ValueType = v1.ValueType; + Flags = v1.Flags; + ValueCount = v1.ValueCount; + } } - public int GetNativeDataSize() => -1; + [StructLayout(LayoutKind.Sequential)] + private struct Internal_AUTHZ_SECURITY_ATTRIBUTES_INFORMATION + { + /// The version of this structure. Currently the only value supported is 1. + public ushort Version; + + /// Reserved. Do not use. + public ushort Reserved; + + /// The number of attributes specified by the Attribute member. + public uint AttributeCount; + + /// An array of AUTHZ_SECURITY_ATTRIBUTE_V1 structures of the length of the AttributeCount member. + public IntPtr pAttributeV1; + } } } } \ No newline at end of file diff --git a/PInvoke/Security/Secur32/NTSecApi.cs b/PInvoke/Security/Secur32/NTSecApi.cs index e16f9517..0bb782e1 100644 --- a/PInvoke/Security/Secur32/NTSecApi.cs +++ b/PInvoke/Security/Secur32/NTSecApi.cs @@ -8,6 +8,7 @@ using static Vanara.PInvoke.AdvApi32; namespace Vanara.PInvoke { + /// Functions, enumerations and structures found in NetSecApi.dll. public static partial class NetSecApi { /// The MSV1_0 authentication package name. diff --git a/PInvoke/Shared/WinError/HRESULT.Values.cs b/PInvoke/Shared/WinError/HRESULT.Values.cs index 58b28e4f..33a8ce11 100644 --- a/PInvoke/Shared/WinError/HRESULT.Values.cs +++ b/PInvoke/Shared/WinError/HRESULT.Values.cs @@ -8807,14 +8807,23 @@ namespace Vanara.PInvoke /// This function can be used only if a program is running in the local console session. It cannot be used if the program is running on a remote desktop session or on a terminal server session. public const uint ERROR_GRAPHICS_ONLY_CONSOLE_SESSION_SUPPORTED = 0xC02625E0; + /// User responded "Yes" to the dialog. public const uint COPYENGINE_S_YES = 0x00270001; + /// Undocumented. public const uint COPYENGINE_S_NOT_HANDLED = 0x00270003; + /// User responded to retry the current action. public const uint COPYENGINE_S_USER_RETRY = 0x00270004; + /// User responded "No" to the dialog. public const uint COPYENGINE_S_USER_IGNORED = 0x00270005; + /// User responded to merge folders. public const uint COPYENGINE_S_MERGE = 0x00270006; + /// Child items should not be processed. public const uint COPYENGINE_S_DONT_PROCESS_CHILDREN = 0x00270008; + /// Undocumented. public const uint COPYENGINE_S_ALREADY_DONE = 0x0027000A; + /// Error has been queued and will display later. public const uint COPYENGINE_S_PENDING = 0x0027000B; + /// Undocumented. public const uint COPYENGINE_S_KEEP_BOTH = 0x0027000C; /// Close the program using the current file public const uint COPYENGINE_S_CLOSE_PROGRAM = 0x0027000D;