archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/public/sdk/inc/authz.h

542 lines
17 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2000 Microsoft Corporation
  5. Module Name:
  7. authz.h
  9. Abstract:
  11. This module contains the authorization framework APIs and any public data
  12. structures needed to call these APIs.
  14. Revision History:
  16. Created - March 2000
  18. --*/
  20. #ifndef __AUTHZ_H__
  21. #define __AUTHZ_H__
  23. #ifdef __cplusplus
  24. extern "C" {
  25. #endif
  27. #if !defined(_AUTHZ_)
  28. #define AUTHZAPI DECLSPEC_IMPORT
  29. #else
  30. #define AUTHZAPI
  31. #endif
  33. #include <windows.h>
  34. #include <adtgen.h>
  36. //
  37. // Flags which may be used at the time of client context creation using a sid.
  38. //
  40. #define AUTHZ_SKIP_TOKEN_GROUPS 0x2
  41. #define AUTHZ_REQUIRE_S4U_LOGON 0x4
  44. DECLARE_HANDLE(AUTHZ_ACCESS_CHECK_RESULTS_HANDLE);
  45. DECLARE_HANDLE(AUTHZ_CLIENT_CONTEXT_HANDLE);
  46. DECLARE_HANDLE(AUTHZ_RESOURCE_MANAGER_HANDLE);
  47. DECLARE_HANDLE(AUTHZ_AUDIT_EVENT_HANDLE);
  48. DECLARE_HANDLE(AUTHZ_AUDIT_EVENT_TYPE_HANDLE);
  49. DECLARE_HANDLE(AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE);
  51. typedef AUTHZ_ACCESS_CHECK_RESULTS_HANDLE *PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE;
  52. typedef AUTHZ_CLIENT_CONTEXT_HANDLE *PAUTHZ_CLIENT_CONTEXT_HANDLE;
  53. typedef AUTHZ_RESOURCE_MANAGER_HANDLE *PAUTHZ_RESOURCE_MANAGER_HANDLE;
  54. typedef AUTHZ_AUDIT_EVENT_HANDLE *PAUTHZ_AUDIT_EVENT_HANDLE;
  55. typedef AUTHZ_AUDIT_EVENT_TYPE_HANDLE *PAUTHZ_AUDIT_EVENT_TYPE_HANDLE;
  56. typedef AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE *PAUTHZ_SECURITY_EVENT_PROVIDER_HANDLE;
  58. //
  59. // Structure defining the access check request.
  60. //
  62. typedef struct _AUTHZ_ACCESS_REQUEST
  63. {
  64. ACCESS_MASK DesiredAccess;
  66. //
  67. // To replace the principal self sid in the acl.
  68. //
  70. PSID PrincipalSelfSid;
  72. //
  73. // Object type list represented by an array of (level, guid) pair and the
  74. // number of elements in the array. This is a post-fix representation of the
  75. // object tree.
  76. // These fields should be set to NULL and 0 respectively except when per
  77. // property access is desired.
  78. //
  80. POBJECT_TYPE_LIST ObjectTypeList;
  81. DWORD ObjectTypeListLength;
  83. //
  84. // To support completely business rules based access. This will be passed as
  85. // input to the callback access check function. Access check algorithm does
  86. // not interpret these.
  87. //
  89. PVOID OptionalArguments;
  91. } AUTHZ_ACCESS_REQUEST, *PAUTHZ_ACCESS_REQUEST;
  93. //
  94. // Structure to return the results of the access check call.
  95. //
  97. typedef struct _AUTHZ_ACCESS_REPLY
  98. {
  99. //
  100. // The length of the array representing the object type list structure. If
  101. // no object type is used to represent the object, then the length must be
  102. // set to 1.
  103. //
  104. // Note: This parameter must be filled!
  105. //
  107. DWORD ResultListLength;
  109. //
  110. // Array of granted access masks. This memory is allocated by the RM. Access
  111. // check routines just fill in the values.
  112. //
  114. PACCESS_MASK GrantedAccessMask;
  116. //
  117. // Array of SACL evaluation results. This memory is allocated by the RM, if SACL
  118. // evaluation results are desired. Access check routines just fill in the values.
  119. // Sacl evaluation will only be performed if auditing is requested.
  120. //
  122. #define AUTHZ_GENERATE_SUCCESS_AUDIT 0x1
  123. #define AUTHZ_GENERATE_FAILURE_AUDIT 0x2
  125. PDWORD SaclEvaluationResults OPTIONAL;
  127. //
  128. // Array of results for each element of the array. This memory is allocated
  129. // by the RM. Access check routines just fill in the values.
  130. //
  132. PDWORD Error;
  134. } AUTHZ_ACCESS_REPLY, *PAUTHZ_ACCESS_REPLY;
  137. //
  138. // Typedefs for callback functions to be provided by the resource manager.
  139. //
  141. //
  142. // Callback access check function takes in
  143. // AuthzClientContext - a client context
  144. // pAce - pointer to a callback ace
  145. // pArgs - Optional arguments that were passed to AuthzAccessCheck thru
  146. // AuthzAccessRequest->OptionalArguments are passed back here.
  147. // pbAceApplicable - The resource manager must supply whether the ace should
  148. // be used in the computation of access evaluation
  149. //
  150. // Returns
  151. // TRUE if the API succeeded.
  152. // FALSE on any intermediate errors (like failed memory allocation)
  153. // In case of failure, the caller must use SetLastError(ErrorValue).
  154. //
  156. typedef BOOL (CALLBACK *PFN_AUTHZ_DYNAMIC_ACCESS_CHECK) (
  157. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  158. IN PACE_HEADER pAce,
  159. IN PVOID pArgs OPTIONAL,
  160. IN OUT PBOOL pbAceApplicable
  161. );
  163. //
  164. // Callback compute dynamic groups function takes in
  165. // AuthzClientContext - a client context
  166. // pArgs - Optional arguments that supplied to AuthzInitializeClientContext*
  167. // thru DynamicGroupArgs are passed back here..
  168. // pSidAttrArray - To allocate and return an array of (sids, attribute)
  169. // pairs to be added to the normal part of the client context.
  170. // pSidCount - Number of elements in pSidAttrArray
  171. // pRestrictedSidAttrArray - To allocate and return an array of (sids, attribute)
  172. // pairs to be added to the restricted part of the client context.
  173. // pRestrictedSidCount - Number of elements in pRestrictedSidAttrArray
  174. //
  175. // Note:
  176. // Memory returned thru both these array will be freed by the callback
  177. // free function defined by the resource manager.
  178. //
  179. // Returns
  180. // TRUE if the API succeeded.
  181. // FALSE on any intermediate errors (like failed memory allocation)
  182. // In case of failure, the caller must use SetLastError(ErrorValue).
  183. //
  185. typedef BOOL (CALLBACK *PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS) (
  186. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  187. IN PVOID Args,
  188. OUT PSID_AND_ATTRIBUTES *pSidAttrArray,
  189. OUT PDWORD pSidCount,
  190. OUT PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray,
  191. OUT PDWORD pRestrictedSidCount
  192. );
  194. //
  195. // Callback free function takes in
  196. // pSidAttrArray - To be freed. This has been allocated by the compute
  197. // dynamic groups function.
  198. //
  200. typedef VOID (CALLBACK *PFN_AUTHZ_FREE_DYNAMIC_GROUPS) (
  201. IN PSID_AND_ATTRIBUTES pSidAttrArray
  202. );
  204. //
  205. // Valid flags for AuthzAccessCheck
  206. //
  208. #define AUTHZ_ACCESS_CHECK_NO_DEEP_COPY_SD 0x00000001
  210. AUTHZAPI
  211. BOOL
  212. WINAPI
  213. AuthzAccessCheck(
  214. IN DWORD Flags,
  215. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  216. IN PAUTHZ_ACCESS_REQUEST pRequest,
  217. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent OPTIONAL,
  218. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  219. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  220. IN DWORD OptionalSecurityDescriptorCount,
  221. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  222. OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL
  223. );
  225. AUTHZAPI
  226. BOOL
  227. WINAPI
  228. AuthzCachedAccessCheck(
  229. IN DWORD Flags,
  230. IN AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults,
  231. IN PAUTHZ_ACCESS_REQUEST pRequest,
  232. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent OPTIONAL,
  233. IN OUT PAUTHZ_ACCESS_REPLY pReply
  234. );
  236. AUTHZAPI
  237. BOOL
  238. WINAPI
  239. AuthzOpenObjectAudit(
  240. IN DWORD Flags,
  241. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  242. IN PAUTHZ_ACCESS_REQUEST pRequest,
  243. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent,
  244. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  245. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  246. IN DWORD OptionalSecurityDescriptorCount,
  247. IN PAUTHZ_ACCESS_REPLY pReply
  248. );
  250. AUTHZAPI
  251. BOOL
  252. WINAPI
  253. AuthzFreeHandle(
  254. IN OUT AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults
  255. );
  257. //
  258. // Flags for AuthzInitializeResourceManager
  259. //
  261. #define AUTHZ_RM_FLAG_NO_AUDIT 0x1
  262. #define AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION 0x2
  263. #define AUTHZ_VALID_RM_INIT_FLAGS (AUTHZ_RM_FLAG_NO_AUDIT | AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION)
  265. AUTHZAPI
  266. BOOL
  267. WINAPI
  268. AuthzInitializeResourceManager(
  269. IN DWORD Flags,
  270. IN PFN_AUTHZ_DYNAMIC_ACCESS_CHECK pfnDynamicAccessCheck OPTIONAL,
  271. IN PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS pfnComputeDynamicGroups OPTIONAL,
  272. IN PFN_AUTHZ_FREE_DYNAMIC_GROUPS pfnFreeDynamicGroups OPTIONAL,
  273. IN PCWSTR szResourceManagerName,
  274. OUT PAUTHZ_RESOURCE_MANAGER_HANDLE phAuthzResourceManager
  275. );
  277. AUTHZAPI
  278. BOOL
  279. WINAPI
  280. AuthzFreeResourceManager(
  281. IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager
  282. );
  284. AUTHZAPI
  285. BOOL
  286. WINAPI
  287. AuthzInitializeContextFromToken(
  288. IN DWORD Flags,
  289. IN HANDLE TokenHandle,
  290. IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager,
  291. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  292. IN LUID Identifier,
  293. IN PVOID DynamicGroupArgs OPTIONAL,
  294. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext
  295. );
  297. AUTHZAPI
  298. BOOL
  299. WINAPI
  300. AuthzInitializeContextFromSid(
  301. IN DWORD Flags,
  302. IN PSID UserSid,
  303. IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager,
  304. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  305. IN LUID Identifier,
  306. IN PVOID DynamicGroupArgs OPTIONAL,
  307. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext
  308. );
  310. AUTHZAPI
  311. BOOL
  312. WINAPI
  313. AuthzInitializeContextFromAuthzContext(
  314. IN DWORD Flags,
  315. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  316. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  317. IN LUID Identifier,
  318. IN PVOID DynamicGroupArgs,
  319. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phNewAuthzClientContext
  320. );
  322. AUTHZAPI
  323. BOOL
  324. WINAPI
  325. AuthzAddSidsToContext(
  326. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  327. IN PSID_AND_ATTRIBUTES Sids OPTIONAL,
  328. IN DWORD SidCount,
  329. IN PSID_AND_ATTRIBUTES RestrictedSids OPTIONAL,
  330. IN DWORD RestrictedSidCount,
  331. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phNewAuthzClientContext
  332. );
  334. //
  335. // Enumeration type to be used to specify the type of information to be
  336. // retrieved from an existing AuthzClientContext.
  337. //
  339. typedef enum _AUTHZ_CONTEXT_INFORMATION_CLASS
  340. {
  341. AuthzContextInfoUserSid = 1,
  342. AuthzContextInfoGroupsSids,
  343. AuthzContextInfoRestrictedSids,
  344. AuthzContextInfoPrivileges,
  345. AuthzContextInfoExpirationTime,
  346. AuthzContextInfoServerContext,
  347. AuthzContextInfoIdentifier,
  348. AuthzContextInfoSource,
  349. AuthzContextInfoAll,
  350. AuthzContextInfoAuthenticationId
  351. } AUTHZ_CONTEXT_INFORMATION_CLASS;
  353. AUTHZAPI
  354. BOOL
  355. WINAPI
  356. AuthzGetInformationFromContext(
  357. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  358. IN AUTHZ_CONTEXT_INFORMATION_CLASS InfoClass,
  359. IN DWORD BufferSize,
  360. OUT PDWORD pSizeRequired,
  361. OUT PVOID Buffer
  362. );
  364. AUTHZAPI
  365. BOOL
  366. WINAPI
  367. AuthzFreeContext(
  368. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext
  369. );
  371. //
  372. // Valid flags that may be used in AuthzInitializeObjectAccessAuditEvent().
  373. //
  375. #define AUTHZ_NO_SUCCESS_AUDIT 0x00000001
  376. #define AUTHZ_NO_FAILURE_AUDIT 0x00000002
  377. #define AUTHZ_NO_ALLOC_STRINGS 0x00000004
  379. #define AUTHZ_VALID_OBJECT_ACCESS_AUDIT_FLAGS (AUTHZ_NO_SUCCESS_AUDIT | \
  380. AUTHZ_NO_FAILURE_AUDIT | \
  381. AUTHZ_NO_ALLOC_STRINGS)
  383. AUTHZAPI
  384. BOOL
  385. WINAPI
  386. AuthzInitializeObjectAccessAuditEvent(
  387. IN DWORD Flags,
  388. IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType OPTIONAL,
  389. IN PWSTR szOperationType,
  390. IN PWSTR szObjectType,
  391. IN PWSTR szObjectName,
  392. IN PWSTR szAdditionalInfo,
  393. OUT PAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent,
  394. IN DWORD dwAdditionalParameterCount,
  395. ...
  396. );
  398. AUTHZAPI
  399. BOOL
  400. WINAPI
  401. AuthzInitializeObjectAccessAuditEvent2(
  402. IN DWORD Flags,
  403. IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType,
  404. IN PWSTR szOperationType,
  405. IN PWSTR szObjectType,
  406. IN PWSTR szObjectName,
  407. IN PWSTR szAdditionalInfo,
  408. IN PWSTR szAdditionalInfo2,
  409. OUT PAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent,
  410. IN DWORD dwAdditionalParameterCount,
  411. ...
  412. );
  414. //
  415. // Enumeration type to be used to specify the type of information to be
  416. // retrieved from an existing AUTHZ_AUDIT_EVENT_HANDLE.
  417. //
  419. typedef enum _AUTHZ_AUDIT_EVENT_INFORMATION_CLASS
  420. {
  421. AuthzAuditEventInfoFlags = 1,
  422. AuthzAuditEventInfoOperationType,
  423. AuthzAuditEventInfoObjectType,
  424. AuthzAuditEventInfoObjectName,
  425. AuthzAuditEventInfoAdditionalInfo,
  426. } AUTHZ_AUDIT_EVENT_INFORMATION_CLASS;
  428. AUTHZAPI
  429. BOOL
  430. WINAPI
  431. AuthzGetInformationFromAuditEvent(
  432. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent,
  433. IN AUTHZ_AUDIT_EVENT_INFORMATION_CLASS InfoClass,
  434. IN DWORD BufferSize,
  435. OUT PDWORD pSizeRequired,
  436. OUT PVOID Buffer
  437. );
  439. AUTHZAPI
  440. BOOL
  441. WINAPI
  442. AuthzFreeAuditEvent(
  443. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent
  444. );
  446. //
  447. // Support for generic auditing.
  448. //
  450. typedef struct _AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET
  451. {
  452. PWSTR szObjectTypeName;
  453. DWORD dwOffset;
  454. } AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET, *PAUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET;
  456. typedef struct _AUTHZ_SOURCE_SCHEMA_REGISTRATION
  457. {
  458. DWORD dwFlags;
  459. PWSTR szEventSourceName;
  460. PWSTR szEventMessageFile;
  461. PWSTR szEventSourceXmlSchemaFile;
  462. PWSTR szEventAccessStringsFile;
  463. PWSTR szExecutableImagePath;
  464. PVOID pReserved;
  465. DWORD dwObjectTypeNameCount;
  466. AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET ObjectTypeNames[ANYSIZE_ARRAY];
  467. } AUTHZ_SOURCE_SCHEMA_REGISTRATION, *PAUTHZ_SOURCE_SCHEMA_REGISTRATION;
  469. #define AUTHZ_FLAG_ALLOW_MULTIPLE_SOURCE_INSTANCES 0x1
  471. AUTHZAPI
  472. BOOL
  473. WINAPI
  474. AuthzInstallSecurityEventSource(
  475. IN DWORD dwFlags,
  476. IN PAUTHZ_SOURCE_SCHEMA_REGISTRATION pRegistration
  477. );
  479. AUTHZAPI
  480. BOOL
  481. WINAPI
  482. AuthzUninstallSecurityEventSource(
  483. IN DWORD dwFlags,
  484. IN PCWSTR szEventSourceName
  485. );
  488. AUTHZAPI
  489. BOOL
  490. WINAPI
  491. AuthzEnumerateSecurityEventSources(
  492. IN DWORD dwFlags,
  493. OUT PAUTHZ_SOURCE_SCHEMA_REGISTRATION Buffer,
  494. OUT PDWORD pdwCount,
  495. IN OUT PDWORD pdwLength
  496. );
  498. AUTHZAPI
  499. BOOL
  500. WINAPI
  501. AuthzRegisterSecurityEventSource(
  502. IN DWORD dwFlags,
  503. IN PCWSTR szEventSourceName,
  504. OUT PAUTHZ_SECURITY_EVENT_PROVIDER_HANDLE phEventProvider
  505. );
  507. AUTHZAPI
  508. BOOL
  509. WINAPI
  510. AuthzUnregisterSecurityEventSource(
  511. IN DWORD dwFlags,
  512. IN OUT PAUTHZ_SECURITY_EVENT_PROVIDER_HANDLE phEventProvider
  513. );
  515. AUTHZAPI
  516. BOOL
  517. WINAPI
  518. AuthzReportSecurityEvent(
  519. IN DWORD dwFlags,
  520. IN OUT AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE hEventProvider,
  521. IN DWORD dwAuditId,
  522. IN PSID pUserSid OPTIONAL,
  523. IN DWORD dwCount,
  524. ...
  525. );
  527. AUTHZAPI
  528. BOOL
  529. WINAPI
  530. AuthzReportSecurityEventFromParams(
  531. IN DWORD dwFlags,
  532. IN OUT AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE hEventProvider,
  533. IN DWORD dwAuditId,
  534. IN PSID pUserSid OPTIONAL,
  535. IN PAUDIT_PARAMS pParams
  536. );
  538. #ifdef __cplusplus
  539. }
  540. #endif
  542. #endif