BREAKING CHANGE: Moved SecurityBaseApi.h functions to PInvoke.Security even though they live in Kernel32. Simplifies structure access and Security depends on Kernel32 anyway.

2019-07-12 16:57:28 -06:00 · 2019-07-12 16:57:28 -06:00 · f9f7068a9d
parent ba13536089
commit f9f7068a9d
3 changed files with 24 additions and 260 deletions
--- a/PInvoke/Kernel32/SecurityBaseApi.cs
+++ b/PInvoke/Kernel32/SecurityBaseApi.cs
@ -5,239 +5,5 @@ namespace Vanara.PInvoke
 {
 	public static partial class Kernel32
 	{
-		/// <summary>
-		/// <para>
-		/// The <c>AddResourceAttributeAce</c> function adds a SYSTEM_RESOURCE_ATTRIBUTE_ACE access control entry (ACE) to the end of a
-		/// system access control list (SACL). A <c>SYSTEM_RESOURCE_ATTRIBUTE_ACE</c> structure specifies an attribute name and a
-		/// value-ordered list of elements that is associated with a resource and potentially used during access checks. The set of standard
-		/// access rights are defined in the Standard Access Rights topic.
-		/// </para>
-		/// </summary>
-		/// <param name="pAcl">
-		/// <para>
-		/// A pointer to an access control list (ACL). This function adds an ACE to this ACL. The value of this parameter cannot be
-		/// <c>NULL</c>. The ACE is in the form of a SYSTEM_RESOURCE_ATTRIBUTE_ACE structure.
-		/// </para>
-		/// </param>
-		/// <param name="dwAceRevision">
-		/// <para>
-		/// Specifies the revision level of the ACL being modified. This value can be ACL_REVISION or ACL_REVISION_DS. Use ACL_REVISION_DS if
-		/// the ACL contains object-specific ACEs.
-		/// </para>
-		/// </param>
-		/// <param name="AceFlags">
-		/// <para>
-		/// A set of bit flags that control ACE inheritance. The function sets these flags in the <c>AceFlags</c> member of the ACE_HEADER
-		/// structure of the new ACE.
-		/// </para>
-		/// <para>
-		/// For consistency with the Windows 8 Advanced File Permissions UI, applications should specify the CONTAINER_INHERIT_ACE and
-		/// OBJECT_INHERIT_ACE flags in the parameter.
-		/// </para>
-		/// <para>This parameter can be a combination of the following values.</para>
-		/// <list type="table">
-		/// <listheader>
-		/// <term>Value</term>
-		/// <term>Meaning</term>
-		/// </listheader>
-		/// <item>
-		/// <term>CONTAINER_INHERIT_ACE 2 (0x2)</term>
-		/// <term>The ACE is inherited by the container objects.</term>
-		/// </item>
-		/// <item>
-		/// <term>INHERIT_ONLY_ACE 8 (0x8)</term>
-		/// <term>The ACE does not apply to the object the ACE is assigned to, but it can be inherited by child objects.</term>
-		/// </item>
-		/// <item>
-		/// <term>INHERITED_ACE 16 (0x10)</term>
-		/// <term>
-		/// Indicates an inherited ACE. This flag allows operations that change the security on a tree of objects to modify inherited ACEs
-		/// while not changing ACEs that were directly applied to the object.
-		/// </term>
-		/// </item>
-		/// <item>
-		/// <term>NO_PROPAGATE_INHERIT_ACE 4 (0x4)</term>
-		/// <term>The OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE bits are not propagated to an inherited ACE.</term>
-		/// </item>
-		/// <item>
-		/// <term>OBJECT_INHERIT_ACE 1 (0x1)</term>
-		/// <term>The ACE is inherited by non-container objects.</term>
-		/// </item>
-		/// </list>
-		/// </param>
-		/// <param name="AccessMask">
-		/// <para>Must be zero for Windows 8 and Windows Server 2012.</para>
-		/// </param>
-		/// <param name="pSid">
-		/// <para>Must be the Everyone SID (S-1-1-0) for Windows 8 and Windows Server 2012.</para>
-		/// </param>
-		/// <param name="pAttributeInfo">
-		/// <para>Specifies the attribute information that will be appended after the SID in the ACE.</para>
-		/// </param>
-		/// <param name="pReturnLength">
-		/// <para>
-		/// The size, in bytes, of the actual ACL buffer used. If the buffer specified by the parameter is not big enough, the value of this
-		/// parameter is the total size required for the ACL buffer.
-		/// </para>
-		/// </param>
-		/// <returns>
-		/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
-		/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
-		/// </returns>
-		// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-addresourceattributeace BOOL
-		// AddResourceAttributeAce( PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid,
-		// PCLAIM_SECURITY_ATTRIBUTES_INFORMATION pAttributeInfo, PDWORD pReturnLength );
-		[DllImport(Lib.Kernel32, SetLastError = true, ExactSpelling = true)]
-		[PInvokeData("securitybaseapi.h", MSDNShortId = "AA2064E4-6F76-4D7B-8540-D55A91168825")]
-		[return: MarshalAs(UnmanagedType.Bool)]
-		public static extern bool AddResourceAttributeAce(PACL pAcl, uint dwAceRevision, uint AceFlags, uint AccessMask, PSID pSid, in CLAIM_SECURITY_ATTRIBUTES_INFORMATION pAttributeInfo, ref uint pReturnLength);
-
-		/// <summary>
-		/// <para>
-		/// The <c>AddScopedPolicyIDAce</c> function adds a SYSTEM_SCOPED_POLICY_ID_ACE access control entry (ACE) to the end of a system
-		/// access control list (SACL). A <c>SYSTEM_SCOPED_POLICY_ID_ACE</c> structure specifies a central access policy (CAP) to be
-		/// associated with the resource and can be used during access checks. The set of standard access rights are defined in the Standard
-		/// Access Rights topic.
-		/// </para>
-		/// </summary>
-		/// <param name="pAcl">
-		/// <para>
-		/// A pointer to an access control list (ACL). This function adds an ACE to this ACL. The value of this parameter cannot be <c>NULL</c>.
-		/// </para>
-		/// </param>
-		/// <param name="dwAceRevision">
-		/// <para>
-		/// Specifies the revision level of the ACL being modified. This value can be ACL_REVISION or ACL_REVISION_DS. Use ACL_REVISION_DS if
-		/// the ACL contains object-specific ACEs.
-		/// </para>
-		/// </param>
-		/// <param name="AceFlags">
-		/// <para>
-		/// A set of bit flags that control ACE inheritance. The function sets these flags in the <c>AceFlags</c> member of the ACE_HEADER
-		/// structure of the new ACE.
-		/// </para>
-		/// <para>
-		/// For consistency with the Windows 8 Advanced File Permissions UI, applications should specify the CONTAINER_INHERIT_ACE and
-		/// OBJECT_INHERIT_ACE flags in the parameter.
-		/// </para>
-		/// <para>This parameter can be a combination of the following values.</para>
-		/// <list type="table">
-		/// <listheader>
-		/// <term>Value</term>
-		/// <term>Meaning</term>
-		/// </listheader>
-		/// <item>
-		/// <term>CONTAINER_INHERIT_ACE 2 (0x2)</term>
-		/// <term>The ACE is inherited by the container objects.</term>
-		/// </item>
-		/// <item>
-		/// <term>INHERIT_ONLY_ACE 8 (0x8)</term>
-		/// <term>The ACE does not apply to the object the ACE is assigned to, but it can be inherited by child objects.</term>
-		/// </item>
-		/// <item>
-		/// <term>INHERITED_ACE 16 (0x10)</term>
-		/// <term>
-		/// Indicates an inherited ACE. This flag allows operations that change the security on a tree of objects to modify inherited ACEs
-		/// while not changing ACEs that were directly applied to the object.
-		/// </term>
-		/// </item>
-		/// <item>
-		/// <term>NO_PROPAGATE_INHERIT_ACE 4 (0x4)</term>
-		/// <term>The OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE bits are not propagated to an inherited ACE.</term>
-		/// </item>
-		/// <item>
-		/// <term>OBJECT_INHERIT_ACE 1 (0x1)</term>
-		/// <term>The ACE is inherited by non-container objects.</term>
-		/// </item>
-		/// </list>
-		/// </param>
-		/// <param name="AccessMask">
-		/// <para>Must be zero for Windows 8 and Windows Server 2012.</para>
-		/// </param>
-		/// <param name="pSid">
-		/// <para>A pointer to the SID (S-1-17-*) that identifies the Central Access Policy to be associated with the resource.</para>
-		/// </param>
-		/// <returns>
-		/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
-		/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
-		/// </returns>
-		// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-addscopedpolicyidace BOOL
-		// AddScopedPolicyIDAce( PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid );
-		[DllImport(Lib.Kernel32, SetLastError = true, ExactSpelling = true)]
-		[PInvokeData("securitybaseapi.h", MSDNShortId = "30AA5730-566C-4B02-A904-5A38237EE8E3")]
-		[return: MarshalAs(UnmanagedType.Bool)]
-		public static extern bool AddScopedPolicyIDAce(PACL pAcl, uint dwAceRevision, uint AceFlags, uint AccessMask, PSID pSid);
-
-		/// <summary>
-		/// <para>The <c>CheckTokenCapability</c> function checks the capabilities of a given token.</para>
-		/// </summary>
-		/// <param name="TokenHandle">
-		/// <para>
-		/// A handle to an access token. The handle must have TOKEN_QUERY access to the token. The token must be an impersonation token.
-		/// </para>
-		/// <para>
-		/// If is <c>NULL</c>, <c>CheckTokenCapability</c> uses the impersonation token of the calling thread. If the thread is not
-		/// impersonating, the function duplicates the thread's primary token to create an impersonation token.
-		/// </para>
-		/// </param>
-		/// <param name="CapabilitySidToCheck">
-		/// <para>
-		/// A pointer to a capability SID structure. The <c>CheckTokenCapability</c> function checks the capabilities of this access token.
-		/// </para>
-		/// </param>
-		/// <param name="HasCapability">
-		/// <para>
-		/// Receives the results of the check. If the access token has the capability, it returns <c>TRUE</c>, otherwise, it returns <c>FALSE</c>.
-		/// </para>
-		/// </param>
-		/// <returns>
-		/// <para>If the function succeeds, the return value is nonzero.</para>
-		/// <para>If the function fails, the return value is zero. To get extended error information, call GetLastError</para>
-		/// </returns>
-		// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-checktokencapability BOOL
-		// CheckTokenCapability( HANDLE TokenHandle, PSID CapabilitySidToCheck, PBOOL HasCapability );
-		[DllImport(Lib.Kernel32, SetLastError = true, ExactSpelling = true)]
-		[PInvokeData("securitybaseapi.h", MSDNShortId = "436A5110-B79E-4E64-92E8-1C9E713D0948")]
-		[return: MarshalAs(UnmanagedType.Bool)]
-		public static extern bool CheckTokenCapability(HTOKEN TokenHandle, PSID CapabilitySidToCheck, [MarshalAs(UnmanagedType.Bool)] out bool HasCapability);
-
-		/// <summary>
-		/// <para>
-		/// This function constructs two arrays of SIDs out of a capability name. One is an array group SID with NT Authority, and the other
-		/// is an array of capability SIDs with AppAuthority.
-		/// </para>
-		/// </summary>
-		/// <param name="CapName">
-		/// <para>Name of the capability in string form.</para>
-		/// </param>
-		/// <param name="CapabilityGroupSids">
-		/// <para>The GroupSids with NTAuthority.</para>
-		/// </param>
-		/// <param name="CapabilityGroupSidCount">
-		/// <para>The count of GroupSids in the array.</para>
-		/// </param>
-		/// <param name="CapabilitySids">
-		/// <para>CapabilitySids with AppAuthority.</para>
-		/// </param>
-		/// <param name="CapabilitySidCount">
-		/// <para>The count of CapabilitySid with AppAuthority.</para>
-		/// </param>
-		/// <returns>
-		/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
-		/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
-		/// </returns>
-		/// <remarks>
-		/// <para>
-		/// The caller is expected to free the individual SIDs returned in each array by calling LocalFree. as well as memory allocated for
-		/// the array itself.
-		/// </para>
-		/// </remarks>
-		// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-derivecapabilitysidsfromname BOOL
-		// DeriveCapabilitySidsFromName( LPCWSTR CapName, PSID **CapabilityGroupSids, DWORD *CapabilityGroupSidCount, PSID **CapabilitySids,
-		// DWORD *CapabilitySidCount );
-		[DllImport(Lib.Kernel32, SetLastError = true, ExactSpelling = true)]
-		[PInvokeData("securitybaseapi.h", MSDNShortId = "1A911FCC-6D11-4185-B532-20FE6C7C4B0B")]
-		[return: MarshalAs(UnmanagedType.Bool)]
-		public static extern bool DeriveCapabilitySidsFromName([MarshalAs(UnmanagedType.LPWStr)] string CapName, [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 2)] IntPtr[] CapabilityGroupSids, ref uint CapabilityGroupSidCount, [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 4)] IntPtr[] CapabilitySids, ref uint CapabilitySidCount);
 	}
 }
--- a/PInvoke/Security/AdvApi32/SecurityBaseApi.SID.cs
+++ b/PInvoke/Security/AdvApi32/SecurityBaseApi.SID.cs
@ -74,32 +74,6 @@ namespace Vanara.PInvoke
 		[return: MarshalAs(UnmanagedType.Bool)]
 		public static extern bool CreateWellKnownSid(WELL_KNOWN_SID_TYPE WellKnownSidType, PSID DomainSid, SafePSID pSid, ref uint cbSid);

-		/// <summary>
-		/// This function constructs two arrays of SIDs out of a capability name. One is an array group SID with NT Authority, and the other
-		/// is an array of capability SIDs with AppAuthority.
-		/// </summary>
-		/// <param name="CapName">Name of the capability in string form.</param>
-		/// <param name="CapabilityGroupSids">The GroupSids with NTAuthority.</param>
-		/// <param name="CapabilityGroupSidCount">The count of GroupSids in the array.</param>
-		/// <param name="CapabilitySids">CapabilitySids with AppAuthority.</param>
-		/// <param name="CapabilitySidCount">The count of CapabilitySid with AppAuthority.</param>
-		/// <returns>
-		/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
-		/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
-		/// </returns>
-		/// <remarks>
-		/// Before using <paramref name="CapabilityGroupSids"/> or <paramref name="CapabilitySids"/>, the caller must set their <c>Length</c>
-		/// property to the values of <paramref name="CapabilityGroupSidCount"/> and <paramref name="CapabilitySidCount"/> respectively. This
-		/// will ensure all memory is released at the end of use.
-		/// </remarks>
-		// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-derivecapabilitysidsfromname BOOL
-		// DeriveCapabilitySidsFromName( LPCWSTR CapName, PSID **CapabilityGroupSids, DWORD *CapabilityGroupSidCount, PSID **CapabilitySids,
-		// DWORD *CapabilitySidCount );
-		[DllImport(Lib.Kernel32, SetLastError = true, ExactSpelling = true)]
-		[PInvokeData("securitybaseapi.h", MSDNShortId = "1A911FCC-6D11-4185-B532-20FE6C7C4B0B")]
-		[return: MarshalAs(UnmanagedType.Bool)]
-		public static extern bool DeriveCapabilitySidsFromName([MarshalAs(UnmanagedType.LPWStr)] string CapName, out SafeLocalPSIDArray CapabilityGroupSids, out uint CapabilityGroupSidCount, out SafeLocalPSIDArray CapabilitySids, out uint CapabilitySidCount);
-
 		/// <summary>The <c>EqualDomainSid</c> function determines whether two SIDs are from the same domain.</summary>
 		/// <param name="pSid1">
 		/// A pointer to one of the two SIDs to compare. This SID must be either an account domain SID or a BUILTIN SID.
--- a/PInvoke/Security/AdvApi32/SecurityBaseApi.cs
+++ b/PInvoke/Security/AdvApi32/SecurityBaseApi.cs
@ -3835,6 +3835,30 @@ namespace Vanara.PInvoke
 		[return: MarshalAs(UnmanagedType.Bool)]
 		public static extern bool DeleteAce(PACL pAcl, uint dwAceIndex);

+		/// <summary>
+		/// This function constructs two arrays of SIDs out of a capability name. One is an array group SID with NT Authority, and the other
+		/// is an array of capability SIDs with AppAuthority.
+		/// </summary>
+		/// <param name="CapName">Name of the capability in string form.</param>
+		/// <param name="CapabilityGroupSids">The GroupSids with NTAuthority.</param>
+		/// <param name="CapabilityGroupSidCount">The count of GroupSids in the array.</param>
+		/// <param name="CapabilitySids">CapabilitySids with AppAuthority.</param>
+		/// <param name="CapabilitySidCount">The count of CapabilitySid with AppAuthority.</param>
+		/// <returns>
+		/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
+		/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
+		/// </returns>
+		/// <remarks>
+		/// The caller is expected to free the individual SIDs returned in each array by calling LocalFree. as well as memory allocated for
+		/// the array itself.
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-derivecapabilitysidsfromname
+		// BOOL DeriveCapabilitySidsFromName( LPCWSTR CapName, PSID **CapabilityGroupSids, DWORD *CapabilityGroupSidCount, PSID **CapabilitySids, DWORD *CapabilitySidCount );
+		[DllImport(Lib.Kernel32, SetLastError = true, ExactSpelling = true)]
+		[PInvokeData("securitybaseapi.h", MSDNShortId = "1A911FCC-6D11-4185-B532-20FE6C7C4B0B")]
+		[return: MarshalAs(UnmanagedType.Bool)]
+		public static extern bool DeriveCapabilitySidsFromName([MarshalAs(UnmanagedType.LPWStr)] string CapName, out SafeLocalPSIDArray CapabilityGroupSids, out int CapabilityGroupSidCount, out SafeLocalPSIDArray CapabilitySids, out int CapabilitySidCount);
+
 		/// <summary>
 		/// The <c>DestroyPrivateObjectSecurity</c> function deletes a private object's security descriptor. For background information, see
 		/// the Security Descriptors for Private Objects topic.