/*++ Copyright (c) 2000 Microsoft Corporation Module Name: authz.h Abstract: This module contains the authorization framework APIs and any public data structures needed to call these APIs. Revision History: Created - March 2000 --*/ #ifndef __AUTHZ_H__ #define __AUTHZ_H__ #ifdef __cplusplus extern "C" { #endif #if !defined(_AUTHZ_) #define AUTHZAPI DECLSPEC_IMPORT #else #define AUTHZAPI #endif #include #include // // Flags which may be used at the time of client context creation using a sid. // #define AUTHZ_SKIP_TOKEN_GROUPS 0x2 #define AUTHZ_REQUIRE_S4U_LOGON 0x4 DECLARE_HANDLE(AUTHZ_ACCESS_CHECK_RESULTS_HANDLE); DECLARE_HANDLE(AUTHZ_CLIENT_CONTEXT_HANDLE); DECLARE_HANDLE(AUTHZ_RESOURCE_MANAGER_HANDLE); DECLARE_HANDLE(AUTHZ_AUDIT_EVENT_HANDLE); DECLARE_HANDLE(AUTHZ_AUDIT_EVENT_TYPE_HANDLE); DECLARE_HANDLE(AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE); typedef AUTHZ_ACCESS_CHECK_RESULTS_HANDLE *PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE; typedef AUTHZ_CLIENT_CONTEXT_HANDLE *PAUTHZ_CLIENT_CONTEXT_HANDLE; typedef AUTHZ_RESOURCE_MANAGER_HANDLE *PAUTHZ_RESOURCE_MANAGER_HANDLE; typedef AUTHZ_AUDIT_EVENT_HANDLE *PAUTHZ_AUDIT_EVENT_HANDLE; typedef AUTHZ_AUDIT_EVENT_TYPE_HANDLE *PAUTHZ_AUDIT_EVENT_TYPE_HANDLE; typedef AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE *PAUTHZ_SECURITY_EVENT_PROVIDER_HANDLE; // // Structure defining the access check request. // typedef struct _AUTHZ_ACCESS_REQUEST { ACCESS_MASK DesiredAccess; // // To replace the principal self sid in the acl. // PSID PrincipalSelfSid; // // Object type list represented by an array of (level, guid) pair and the // number of elements in the array. This is a post-fix representation of the // object tree. // These fields should be set to NULL and 0 respectively except when per // property access is desired. // POBJECT_TYPE_LIST ObjectTypeList; DWORD ObjectTypeListLength; // // To support completely business rules based access. This will be passed as // input to the callback access check function. Access check algorithm does // not interpret these. // PVOID OptionalArguments; } AUTHZ_ACCESS_REQUEST, *PAUTHZ_ACCESS_REQUEST; // // Structure to return the results of the access check call. // typedef struct _AUTHZ_ACCESS_REPLY { // // The length of the array representing the object type list structure. If // no object type is used to represent the object, then the length must be // set to 1. // // Note: This parameter must be filled! // DWORD ResultListLength; // // Array of granted access masks. This memory is allocated by the RM. Access // check routines just fill in the values. // PACCESS_MASK GrantedAccessMask; // // Array of SACL evaluation results. This memory is allocated by the RM, if SACL // evaluation results are desired. Access check routines just fill in the values. // Sacl evaluation will only be performed if auditing is requested. // #define AUTHZ_GENERATE_SUCCESS_AUDIT 0x1 #define AUTHZ_GENERATE_FAILURE_AUDIT 0x2 PDWORD SaclEvaluationResults OPTIONAL; // // Array of results for each element of the array. This memory is allocated // by the RM. Access check routines just fill in the values. // PDWORD Error; } AUTHZ_ACCESS_REPLY, *PAUTHZ_ACCESS_REPLY; // // Typedefs for callback functions to be provided by the resource manager. // // // Callback access check function takes in // AuthzClientContext - a client context // pAce - pointer to a callback ace // pArgs - Optional arguments that were passed to AuthzAccessCheck thru // AuthzAccessRequest->OptionalArguments are passed back here. // pbAceApplicable - The resource manager must supply whether the ace should // be used in the computation of access evaluation // // Returns // TRUE if the API succeeded. // FALSE on any intermediate errors (like failed memory allocation) // In case of failure, the caller must use SetLastError(ErrorValue). // typedef BOOL (CALLBACK *PFN_AUTHZ_DYNAMIC_ACCESS_CHECK) ( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PACE_HEADER pAce, IN PVOID pArgs OPTIONAL, IN OUT PBOOL pbAceApplicable ); // // Callback compute dynamic groups function takes in // AuthzClientContext - a client context // pArgs - Optional arguments that supplied to AuthzInitializeClientContext* // thru DynamicGroupArgs are passed back here.. // pSidAttrArray - To allocate and return an array of (sids, attribute) // pairs to be added to the normal part of the client context. // pSidCount - Number of elements in pSidAttrArray // pRestrictedSidAttrArray - To allocate and return an array of (sids, attribute) // pairs to be added to the restricted part of the client context. // pRestrictedSidCount - Number of elements in pRestrictedSidAttrArray // // Note: // Memory returned thru both these array will be freed by the callback // free function defined by the resource manager. // // Returns // TRUE if the API succeeded. // FALSE on any intermediate errors (like failed memory allocation) // In case of failure, the caller must use SetLastError(ErrorValue). // typedef BOOL (CALLBACK *PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS) ( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PVOID Args, OUT PSID_AND_ATTRIBUTES *pSidAttrArray, OUT PDWORD pSidCount, OUT PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray, OUT PDWORD pRestrictedSidCount ); // // Callback free function takes in // pSidAttrArray - To be freed. This has been allocated by the compute // dynamic groups function. // typedef VOID (CALLBACK *PFN_AUTHZ_FREE_DYNAMIC_GROUPS) ( IN PSID_AND_ATTRIBUTES pSidAttrArray ); // // Valid flags for AuthzAccessCheck // #define AUTHZ_ACCESS_CHECK_NO_DEEP_COPY_SD 0x00000001 AUTHZAPI BOOL WINAPI AuthzAccessCheck( IN DWORD Flags, IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PAUTHZ_ACCESS_REQUEST pRequest, IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent OPTIONAL, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PAUTHZ_ACCESS_REPLY pReply, OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL ); AUTHZAPI BOOL WINAPI AuthzCachedAccessCheck( IN DWORD Flags, IN AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults, IN PAUTHZ_ACCESS_REQUEST pRequest, IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent OPTIONAL, IN OUT PAUTHZ_ACCESS_REPLY pReply ); AUTHZAPI BOOL WINAPI AuthzOpenObjectAudit( IN DWORD Flags, IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PAUTHZ_ACCESS_REQUEST pRequest, IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN PAUTHZ_ACCESS_REPLY pReply ); AUTHZAPI BOOL WINAPI AuthzFreeHandle( IN OUT AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults ); // // Flags for AuthzInitializeResourceManager // #define AUTHZ_RM_FLAG_NO_AUDIT 0x1 #define AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION 0x2 #define AUTHZ_VALID_RM_INIT_FLAGS (AUTHZ_RM_FLAG_NO_AUDIT | AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION) AUTHZAPI BOOL WINAPI AuthzInitializeResourceManager( IN DWORD Flags, IN PFN_AUTHZ_DYNAMIC_ACCESS_CHECK pfnDynamicAccessCheck OPTIONAL, IN PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS pfnComputeDynamicGroups OPTIONAL, IN PFN_AUTHZ_FREE_DYNAMIC_GROUPS pfnFreeDynamicGroups OPTIONAL, IN PCWSTR szResourceManagerName, OUT PAUTHZ_RESOURCE_MANAGER_HANDLE phAuthzResourceManager ); AUTHZAPI BOOL WINAPI AuthzFreeResourceManager( IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager ); AUTHZAPI BOOL WINAPI AuthzInitializeContextFromToken( IN DWORD Flags, IN HANDLE TokenHandle, IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager, IN PLARGE_INTEGER pExpirationTime OPTIONAL, IN LUID Identifier, IN PVOID DynamicGroupArgs OPTIONAL, OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext ); AUTHZAPI BOOL WINAPI AuthzInitializeContextFromSid( IN DWORD Flags, IN PSID UserSid, IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager, IN PLARGE_INTEGER pExpirationTime OPTIONAL, IN LUID Identifier, IN PVOID DynamicGroupArgs OPTIONAL, OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext ); AUTHZAPI BOOL WINAPI AuthzInitializeContextFromAuthzContext( IN DWORD Flags, IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PLARGE_INTEGER pExpirationTime OPTIONAL, IN LUID Identifier, IN PVOID DynamicGroupArgs, OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phNewAuthzClientContext ); AUTHZAPI BOOL WINAPI AuthzAddSidsToContext( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PSID_AND_ATTRIBUTES Sids OPTIONAL, IN DWORD SidCount, IN PSID_AND_ATTRIBUTES RestrictedSids OPTIONAL, IN DWORD RestrictedSidCount, OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phNewAuthzClientContext ); // // Enumeration type to be used to specify the type of information to be // retrieved from an existing AuthzClientContext. // typedef enum _AUTHZ_CONTEXT_INFORMATION_CLASS { AuthzContextInfoUserSid = 1, AuthzContextInfoGroupsSids, AuthzContextInfoRestrictedSids, AuthzContextInfoPrivileges, AuthzContextInfoExpirationTime, AuthzContextInfoServerContext, AuthzContextInfoIdentifier, AuthzContextInfoSource, AuthzContextInfoAll, AuthzContextInfoAuthenticationId } AUTHZ_CONTEXT_INFORMATION_CLASS; AUTHZAPI BOOL WINAPI AuthzGetInformationFromContext( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN AUTHZ_CONTEXT_INFORMATION_CLASS InfoClass, IN DWORD BufferSize, OUT PDWORD pSizeRequired, OUT PVOID Buffer ); AUTHZAPI BOOL WINAPI AuthzFreeContext( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext ); // // Valid flags that may be used in AuthzInitializeObjectAccessAuditEvent(). // #define AUTHZ_NO_SUCCESS_AUDIT 0x00000001 #define AUTHZ_NO_FAILURE_AUDIT 0x00000002 #define AUTHZ_NO_ALLOC_STRINGS 0x00000004 #define AUTHZ_VALID_OBJECT_ACCESS_AUDIT_FLAGS (AUTHZ_NO_SUCCESS_AUDIT | \ AUTHZ_NO_FAILURE_AUDIT | \ AUTHZ_NO_ALLOC_STRINGS) AUTHZAPI BOOL WINAPI AuthzInitializeObjectAccessAuditEvent( IN DWORD Flags, IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType OPTIONAL, IN PWSTR szOperationType, IN PWSTR szObjectType, IN PWSTR szObjectName, IN PWSTR szAdditionalInfo, OUT PAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent, IN DWORD dwAdditionalParameterCount, ... ); AUTHZAPI BOOL WINAPI AuthzInitializeObjectAccessAuditEvent2( IN DWORD Flags, IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType, IN PWSTR szOperationType, IN PWSTR szObjectType, IN PWSTR szObjectName, IN PWSTR szAdditionalInfo, IN PWSTR szAdditionalInfo2, OUT PAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent, IN DWORD dwAdditionalParameterCount, ... ); // // Enumeration type to be used to specify the type of information to be // retrieved from an existing AUTHZ_AUDIT_EVENT_HANDLE. // typedef enum _AUTHZ_AUDIT_EVENT_INFORMATION_CLASS { AuthzAuditEventInfoFlags = 1, AuthzAuditEventInfoOperationType, AuthzAuditEventInfoObjectType, AuthzAuditEventInfoObjectName, AuthzAuditEventInfoAdditionalInfo, } AUTHZ_AUDIT_EVENT_INFORMATION_CLASS; AUTHZAPI BOOL WINAPI AuthzGetInformationFromAuditEvent( IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent, IN AUTHZ_AUDIT_EVENT_INFORMATION_CLASS InfoClass, IN DWORD BufferSize, OUT PDWORD pSizeRequired, OUT PVOID Buffer ); AUTHZAPI BOOL WINAPI AuthzFreeAuditEvent( IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent ); // // Support for generic auditing. // typedef struct _AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET { PWSTR szObjectTypeName; DWORD dwOffset; } AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET, *PAUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET; typedef struct _AUTHZ_SOURCE_SCHEMA_REGISTRATION { DWORD dwFlags; PWSTR szEventSourceName; PWSTR szEventMessageFile; PWSTR szEventSourceXmlSchemaFile; PWSTR szEventAccessStringsFile; PWSTR szExecutableImagePath; PVOID pReserved; DWORD dwObjectTypeNameCount; AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET ObjectTypeNames[ANYSIZE_ARRAY]; } AUTHZ_SOURCE_SCHEMA_REGISTRATION, *PAUTHZ_SOURCE_SCHEMA_REGISTRATION; #define AUTHZ_FLAG_ALLOW_MULTIPLE_SOURCE_INSTANCES 0x1 AUTHZAPI BOOL WINAPI AuthzInstallSecurityEventSource( IN DWORD dwFlags, IN PAUTHZ_SOURCE_SCHEMA_REGISTRATION pRegistration ); AUTHZAPI BOOL WINAPI AuthzUninstallSecurityEventSource( IN DWORD dwFlags, IN PCWSTR szEventSourceName ); AUTHZAPI BOOL WINAPI AuthzEnumerateSecurityEventSources( IN DWORD dwFlags, OUT PAUTHZ_SOURCE_SCHEMA_REGISTRATION Buffer, OUT PDWORD pdwCount, IN OUT PDWORD pdwLength ); AUTHZAPI BOOL WINAPI AuthzRegisterSecurityEventSource( IN DWORD dwFlags, IN PCWSTR szEventSourceName, OUT PAUTHZ_SECURITY_EVENT_PROVIDER_HANDLE phEventProvider ); AUTHZAPI BOOL WINAPI AuthzUnregisterSecurityEventSource( IN DWORD dwFlags, IN OUT PAUTHZ_SECURITY_EVENT_PROVIDER_HANDLE phEventProvider ); AUTHZAPI BOOL WINAPI AuthzReportSecurityEvent( IN DWORD dwFlags, IN OUT AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE hEventProvider, IN DWORD dwAuditId, IN PSID pUserSid OPTIONAL, IN DWORD dwCount, ... ); AUTHZAPI BOOL WINAPI AuthzReportSecurityEventFromParams( IN DWORD dwFlags, IN OUT AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE hEventProvider, IN DWORD dwAuditId, IN PSID pUserSid OPTIONAL, IN PAUDIT_PARAMS pParams ); #ifdef __cplusplus } #endif #endif