archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/published/inc/authz.w

433 lines
13 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 2000 Microsoft Corporation
  5. Module Name:
  7. authz.h
  9. Abstract:
  11. This module contains the authorization framework APIs and any public data
  12. structures needed to call these APIs.
  14. Author:
  16. Kedar Dubhashi - March 2000
  18. Revision History:
  20. Created - March 2000
  22. --*/
  24. #ifndef __AUTHZ_H__
  25. #define __AUTHZ_H__
  27. #ifdef __cplusplus
  28. extern "C" {
  29. #endif
  31. #if !defined(_AUTHZ_)
  32. #define AUTHZAPI DECLSPEC_IMPORT
  33. #else
  34. #define AUTHZAPI
  35. #endif
  37. #include <windows.h>
  38. #include <adtgen.h>
  40. //
  41. // Flags which may be used at the time of client context creation using a sid.
  42. //
  44. #define AUTHZ_SKIP_TOKEN_GROUPS 0x2
  46. DECLARE_HANDLE(AUTHZ_ACCESS_CHECK_RESULTS_HANDLE);
  47. DECLARE_HANDLE(AUTHZ_CLIENT_CONTEXT_HANDLE);
  48. DECLARE_HANDLE(AUTHZ_RESOURCE_MANAGER_HANDLE);
  49. DECLARE_HANDLE(AUTHZ_AUDIT_EVENT_HANDLE);
  50. DECLARE_HANDLE(AUTHZ_AUDIT_EVENT_TYPE_HANDLE);
  52. typedef AUTHZ_ACCESS_CHECK_RESULTS_HANDLE *PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE;
  53. typedef AUTHZ_CLIENT_CONTEXT_HANDLE *PAUTHZ_CLIENT_CONTEXT_HANDLE;
  54. typedef AUTHZ_RESOURCE_MANAGER_HANDLE *PAUTHZ_RESOURCE_MANAGER_HANDLE;
  55. typedef AUTHZ_AUDIT_EVENT_HANDLE *PAUTHZ_AUDIT_EVENT_HANDLE;
  56. typedef AUTHZ_AUDIT_EVENT_TYPE_HANDLE *PAUTHZ_AUDIT_EVENT_TYPE_HANDLE;
  58. //
  59. // Structure defining the access check request.
  60. //
  62. typedef struct _AUTHZ_ACCESS_REQUEST
  63. {
  64. ACCESS_MASK DesiredAccess;
  66. //
  67. // To replace the principal self sid in the acl.
  68. //
  70. PSID PrincipalSelfSid;
  72. //
  73. // Object type list represented by an array of (level, guid) pair and the
  74. // number of elements in the array. This is a post-fix representation of the
  75. // object tree.
  76. // These fields should be set to NULL and 0 respectively except when per
  77. // property access is desired.
  78. //
  80. POBJECT_TYPE_LIST ObjectTypeList;
  81. DWORD ObjectTypeListLength;
  83. //
  84. // To support completely business rules based access. This will be passed as
  85. // input to the callback access check function. Access check algorithm does
  86. // not interpret these.
  87. //
  89. PVOID OptionalArguments;
  91. } AUTHZ_ACCESS_REQUEST, *PAUTHZ_ACCESS_REQUEST;
  93. //
  94. // Structure to return the results of the access check call.
  95. //
  97. typedef struct _AUTHZ_ACCESS_REPLY
  98. {
  99. //
  100. // The length of the array representing the object type list structure. If
  101. // no object type is used to represent the object, then the length must be
  102. // set to 1.
  103. //
  104. // Note: This parameter must be filled!
  105. //
  107. DWORD ResultListLength;
  109. //
  110. // Array of granted access masks. This memory is allocated by the RM. Access
  111. // check routines just fill in the values.
  112. //
  114. PACCESS_MASK GrantedAccessMask;
  116. //
  117. // Array of SACL evaluation results. This memory is allocated by the RM, if SACL
  118. // evaluation results are desired. Access check routines just fill in the values.
  119. // Sacl evaluation will only be performed if auditing is requested.
  120. //
  122. #define AUTHZ_GENERATE_SUCCESS_AUDIT 0x1
  123. #define AUTHZ_GENERATE_FAILURE_AUDIT 0x2
  125. PDWORD SaclEvaluationResults OPTIONAL;
  127. //
  128. // Array of results for each element of the array. This memory is allocated
  129. // by the RM. Access check routines just fill in the values.
  130. //
  132. PDWORD Error;
  134. } AUTHZ_ACCESS_REPLY, *PAUTHZ_ACCESS_REPLY;
  137. //
  138. // Typedefs for callback functions to be provided by the resource manager.
  139. //
  141. //
  142. // Callback access check function takes in
  143. // AuthzClientContext - a client context
  144. // pAce - pointer to a callback ace
  145. // pArgs - Optional arguments that were passed to AuthzAccessCheck thru
  146. // AuthzAccessRequest->OptionalArguments are passed back here.
  147. // pbAceApplicable - The resource manager must supply whether the ace should
  148. // be used in the computation of access evaluation
  149. //
  150. // Returns
  151. // TRUE if the API succeeded.
  152. // FALSE on any intermediate errors (like failed memory allocation)
  153. // In case of failure, the caller must use SetLastError(ErrorValue).
  154. //
  156. typedef BOOL (CALLBACK *PFN_AUTHZ_DYNAMIC_ACCESS_CHECK) (
  157. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  158. IN PACE_HEADER pAce,
  159. IN PVOID pArgs OPTIONAL,
  160. IN OUT PBOOL pbAceApplicable
  161. );
  163. //
  164. // Callback compute dynamic groups function takes in
  165. // AuthzClientContext - a client context
  166. // pArgs - Optional arguments that supplied to AuthzInitializeClientContext*
  167. // thru DynamicGroupArgs are passed back here..
  168. // pSidAttrArray - To allocate and return an array of (sids, attribute)
  169. // pairs to be added to the normal part of the client context.
  170. // pSidCount - Number of elements in pSidAttrArray
  171. // pRestrictedSidAttrArray - To allocate and return an array of (sids, attribute)
  172. // pairs to be added to the restricted part of the client context.
  173. // pRestrictedSidCount - Number of elements in pRestrictedSidAttrArray
  174. //
  175. // Note:
  176. // Memory returned thru both these array will be freed by the callback
  177. // free function defined by the resource manager.
  178. //
  179. // Returns
  180. // TRUE if the API succeeded.
  181. // FALSE on any intermediate errors (like failed memory allocation)
  182. // In case of failure, the caller must use SetLastError(ErrorValue).
  183. //
  185. typedef BOOL (CALLBACK *PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS) (
  186. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  187. IN PVOID Args,
  188. OUT PSID_AND_ATTRIBUTES *pSidAttrArray,
  189. OUT PDWORD pSidCount,
  190. OUT PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray,
  191. OUT PDWORD pRestrictedSidCount
  192. );
  194. //
  195. // Callback free function takes in
  196. // pSidAttrArray - To be freed. This has been allocated by the compute
  197. // dynamic groups function.
  198. //
  200. typedef VOID (CALLBACK *PFN_AUTHZ_FREE_DYNAMIC_GROUPS) (
  201. IN PSID_AND_ATTRIBUTES pSidAttrArray
  202. );
  204. //
  205. // Valid flags for AuthzAccessCheck
  206. //
  208. #define AUTHZ_ACCESS_CHECK_NO_DEEP_COPY_SD 0x00000001
  210. AUTHZAPI
  211. BOOL
  212. WINAPI
  213. AuthzAccessCheck(
  214. IN DWORD Flags,
  215. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  216. IN PAUTHZ_ACCESS_REQUEST pRequest,
  217. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent OPTIONAL,
  218. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  219. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  220. IN DWORD OptionalSecurityDescriptorCount,
  221. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  222. OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL
  223. );
  225. AUTHZAPI
  226. BOOL
  227. WINAPI
  228. AuthzCachedAccessCheck(
  229. IN DWORD Flags,
  230. IN AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults,
  231. IN PAUTHZ_ACCESS_REQUEST pRequest,
  232. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent OPTIONAL,
  233. IN OUT PAUTHZ_ACCESS_REPLY pReply
  234. );
  236. AUTHZAPI
  237. BOOL
  238. WINAPI
  239. AuthzOpenObjectAudit(
  240. IN DWORD Flags,
  241. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  242. IN PAUTHZ_ACCESS_REQUEST pRequest,
  243. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent,
  244. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  245. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  246. IN DWORD OptionalSecurityDescriptorCount,
  247. IN PAUTHZ_ACCESS_REPLY pReply
  248. );
  250. AUTHZAPI
  251. BOOL
  252. WINAPI
  253. AuthzFreeHandle(
  254. IN OUT AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hAccessCheckResults
  255. );
  257. //
  258. // Flags for AuthzInitializeResourceManager
  259. //
  261. #define AUTHZ_RM_FLAG_NO_AUDIT 0x1
  263. #define AUTHZ_VALID_RM_INIT_FLAGS (AUTHZ_RM_FLAG_NO_AUDIT)
  265. AUTHZAPI
  266. BOOL
  267. WINAPI
  268. AuthzInitializeResourceManager(
  269. IN DWORD Flags,
  270. IN PFN_AUTHZ_DYNAMIC_ACCESS_CHECK pfnDynamicAccessCheck OPTIONAL,
  271. IN PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS pfnComputeDynamicGroups OPTIONAL,
  272. IN PFN_AUTHZ_FREE_DYNAMIC_GROUPS pfnFreeDynamicGroups OPTIONAL,
  273. IN PCWSTR szResourceManagerName,
  274. OUT PAUTHZ_RESOURCE_MANAGER_HANDLE phAuthzResourceManager
  275. );
  277. AUTHZAPI
  278. BOOL
  279. WINAPI
  280. AuthzFreeResourceManager(
  281. IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager
  282. );
  284. AUTHZAPI
  285. BOOL
  286. WINAPI
  287. AuthzInitializeContextFromToken(
  288. IN DWORD Flags,
  289. IN HANDLE TokenHandle,
  290. IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager,
  291. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  292. IN LUID Identifier,
  293. IN PVOID DynamicGroupArgs OPTIONAL,
  294. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext
  295. );
  297. AUTHZAPI
  298. BOOL
  299. WINAPI
  300. AuthzInitializeContextFromSid(
  301. IN DWORD Flags,
  302. IN PSID UserSid,
  303. IN AUTHZ_RESOURCE_MANAGER_HANDLE hAuthzResourceManager,
  304. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  305. IN LUID Identifier,
  306. IN PVOID DynamicGroupArgs OPTIONAL,
  307. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phAuthzClientContext
  308. );
  310. AUTHZAPI
  311. BOOL
  312. WINAPI
  313. AuthzInitializeContextFromAuthzContext(
  314. IN DWORD Flags,
  315. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  316. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  317. IN LUID Identifier,
  318. IN PVOID DynamicGroupArgs,
  319. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phNewAuthzClientContext
  320. );
  322. AUTHZAPI
  323. BOOL
  324. WINAPI
  325. AuthzAddSidsToContext(
  326. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  327. IN PSID_AND_ATTRIBUTES Sids OPTIONAL,
  328. IN DWORD SidCount,
  329. IN PSID_AND_ATTRIBUTES RestrictedSids OPTIONAL,
  330. IN DWORD RestrictedSidCount,
  331. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE phNewAuthzClientContext
  332. );
  334. //
  335. // Enumeration type to be used to specify the type of information to be
  336. // retrieved from an existing AuthzClientContext.
  337. //
  339. typedef enum _AUTHZ_CONTEXT_INFORMATION_CLASS
  340. {
  341. AuthzContextInfoUserSid = 1,
  342. AuthzContextInfoGroupsSids,
  343. AuthzContextInfoRestrictedSids,
  344. AuthzContextInfoPrivileges,
  345. AuthzContextInfoExpirationTime,
  346. AuthzContextInfoServerContext,
  347. AuthzContextInfoIdentifier,
  348. AuthzContextInfoSource,
  349. AuthzContextInfoAll
  350. } AUTHZ_CONTEXT_INFORMATION_CLASS;
  352. AUTHZAPI
  353. BOOL
  354. WINAPI
  355. AuthzGetInformationFromContext(
  356. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  357. IN AUTHZ_CONTEXT_INFORMATION_CLASS InfoClass,
  358. IN DWORD BufferSize,
  359. OUT PDWORD pSizeRequired,
  360. OUT PVOID Buffer
  361. );
  363. AUTHZAPI
  364. BOOL
  365. WINAPI
  366. AuthzFreeContext(
  367. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext
  368. );
  370. //
  371. // Valid flags that may be used in AuthzInitializeObjectAccessAuditEvent().
  372. //
  374. #define AUTHZ_NO_SUCCESS_AUDIT 0x00000001
  375. #define AUTHZ_NO_FAILURE_AUDIT 0x00000002
  376. #define AUTHZ_NO_ALLOC_STRINGS 0x00000004
  378. #define AUTHZ_VALID_OBJECT_ACCESS_AUDIT_FLAGS (AUTHZ_NO_SUCCESS_AUDIT | \
  379. AUTHZ_NO_FAILURE_AUDIT | \
  380. AUTHZ_NO_ALLOC_STRINGS)
  382. AUTHZAPI
  383. BOOL
  384. WINAPI
  385. AuthzInitializeObjectAccessAuditEvent(
  386. IN DWORD Flags,
  387. IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType,
  388. IN PWSTR szOperationType,
  389. IN PWSTR szObjectType,
  390. IN PWSTR szObjectName,
  391. IN PWSTR szAdditionalInfo,
  392. OUT PAUTHZ_AUDIT_EVENT_HANDLE phAuditEvent,
  393. IN DWORD dwAdditionalParameterCount,
  394. ...
  395. );
  397. //
  398. // Enumeration type to be used to specify the type of information to be
  399. // retrieved from an existing AUTHZ_AUDIT_EVENT_HANDLE.
  400. //
  402. typedef enum _AUTHZ_AUDIT_EVENT_INFORMATION_CLASS
  403. {
  404. AuthzAuditEventInfoFlags = 1,
  405. AuthzAuditEventInfoOperationType,
  406. AuthzAuditEventInfoObjectType,
  407. AuthzAuditEventInfoObjectName,
  408. AuthzAuditEventInfoAdditionalInfo,
  409. } AUTHZ_AUDIT_EVENT_INFORMATION_CLASS;
  411. AUTHZAPI
  412. BOOL
  413. WINAPI
  414. AuthzGetInformationFromAuditEvent(
  415. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent,
  416. IN AUTHZ_AUDIT_EVENT_INFORMATION_CLASS InfoClass,
  417. IN DWORD BufferSize,
  418. OUT PDWORD pSizeRequired,
  419. OUT PVOID Buffer
  420. );
  422. AUTHZAPI
  423. BOOL
  424. WINAPI
  425. AuthzFreeAuditEvent(
  426. IN AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent
  427. );
  429. #ifdef __cplusplus
  430. }
  431. #endif
  433. #endif