windows-xp/Source/XPSP1/NT/admin/wmi/wbem/winmgmt/wbemcomn/winntsec.h

/*++

Copyright (C) 1997-2001 Microsoft Corporation

Module Name:

    WINNTSEC.H

Abstract:

    Generic wrapper classes for NT security objects.

    Documention on class members is in WINNTSEC.CPP.  Inline members
    are commented in this file.

History:

    raymcc      08-Jul-97       Created.

--*/

#ifndef _WINNTSEC_H_
#define _WINNTSEC_H_

class POLARITY CNtSecurity;

// All ACE types are currently have the same binary layout. Rather
// than doing a lot of useless casts, we produce a general-purpose
// typedef to hold all ACEs.
// ================================================================

typedef ACCESS_ALLOWED_ACE GENERIC_ACE;
typedef GENERIC_ACE *PGENERIC_ACE;

#define FULL_CONTROL     \
        (DELETE |       \
         READ_CONTROL | \
        WRITE_DAC |         \
        WRITE_OWNER |   \
        SYNCHRONIZE | GENERIC_ALL)


//***************************************************************************
//
//  CNtSid
//
//  Models SIDs (users/groups).
//
//***************************************************************************

class POLARITY CNtSid
{
    PSID    m_pSid;
    LPWSTR  m_pMachine;
    LPWSTR  m_pDomain;
    DWORD   m_dwStatus;
    SID_NAME_USE m_snu;

public:
    enum { NoError, Failed, NullSid, InvalidSid, InternalError, AccessDenied = 0x5 };

    enum SidType {CURRENT_USER, CURRENT_THREAD};

    CNtSid(SidType st);
    CNtSid() { m_pSid = 0; m_pMachine = 0; m_dwStatus = NullSid; }
    bool IsUser(){return m_snu == SidTypeUser;};

    CNtSid(PSID pSrc);
        // Construct based on another SID.

    CNtSid(LPWSTR pUser, LPWSTR pMachine = 0);
        // Construct based on a user (machine name is optional).

   ~CNtSid();

    CNtSid(CNtSid &Src);
    CNtSid &operator =(CNtSid &Src);
    int operator ==(CNtSid &Comparand);

    DWORD GetStatus() { return m_dwStatus; }
        // Returns one of the enumerated types.

    PSID GetPtr() { return m_pSid; }
        // Returns the internal SID ptr to interface with NT APIs
    DWORD GetSize();

    BOOL CopyTo(PSID pDestination);

    BOOL IsValid() { return (m_pSid && IsValidSid(m_pSid)); }
        // Checks the validity of the internal SID.

    void Dump();
        // Dumps SID info to console for debugging.

    int GetInfo(
        LPWSTR *pRetAccount,        // Account, use operator delete
        LPWSTR *pRetDomain,         // Domain, use operator delete
        DWORD  *pdwUse              // See SID_NAME_USE for values
        );

    BOOL GetTextSid(LPTSTR pszSidText, LPDWORD dwBufferLen);

};

//***************************************************************************
//
//  CBaseAce
//
//  Base class for aces.
//
//***************************************************************************

class POLARITY CBaseAce
{

public:

    CBaseAce(){};
    virtual ~CBaseAce(){};

    virtual int GetType() = 0;
    virtual int GetFlags() = 0;         // inheritance etc.
    virtual ACCESS_MASK GetAccessMask() = 0;
    virtual HRESULT GetFullUserName(WCHAR * pBuff, DWORD dwSize) = 0;
    virtual HRESULT GetFullUserName2(WCHAR ** pBuff) = 0; // call must free
    virtual DWORD GetStatus() = 0;
    virtual void SetFlags(long lFlags) =0;
    virtual DWORD GetSerializedSize() = 0;
    virtual bool  Serialize(BYTE * pData) = 0;
    virtual bool  Deserialize(BYTE * pData) = 0;
};


//***************************************************************************
//
//  CNtAce
//
//  Models NT ACEs.
//
//***************************************************************************

class POLARITY CNtAce : public CBaseAce
{
    PGENERIC_ACE    m_pAce;
    DWORD           m_dwStatus;

public:
    enum { NoError, InvalidAce, NullAce, InternalError };

    CNtAce() { m_pAce = 0; m_dwStatus = NullAce; }

    CNtAce(PGENERIC_ACE pAceSrc);
    CNtAce(CNtAce &Src);
    CNtAce & operator =(CNtAce &Src);

   ~CNtAce();

   CNtAce(
        ACCESS_MASK Mask,
        DWORD AceType,
        DWORD dwAceFlags,
        LPWSTR pUser,
        LPWSTR pMachine = 0         // Defaults to local machine
        );

    CNtAce(
        ACCESS_MASK Mask,
        DWORD AceType,
        DWORD dwAceFlags,
        CNtSid & Sid
        );

    int GetType();
    int GetFlags();         // inheritance etc.
    void SetFlags(long lFlags){m_pAce->Header.AceFlags = (unsigned char)lFlags;};

    DWORD GetStatus() { return m_dwStatus; }
        // Returns one of the enumerated types.

    int GetSubject(
        LPWSTR *pSubject
        );

    ACCESS_MASK GetAccessMask();

    CNtSid *GetSid();
    BOOL GetSid(CNtSid &Dest);

    PGENERIC_ACE GetPtr() { return m_pAce; }
    DWORD GetSize() { return m_pAce ? m_pAce->Header.AceSize : 0; }
    HRESULT GetFullUserName(WCHAR * pBuff, DWORD dwSize);
    HRESULT GetFullUserName2(WCHAR ** pBuff); // call must free
    DWORD GetSerializedSize();
    bool Serialize(BYTE * pData);
    bool Deserialize(BYTE * pData);

    void Dump(int iAceNum = -1);
    void DumpAccessMask();
};

//***************************************************************************
//
//  C9XAce
//
//  Simulates NT ACEs for 9X boxs.
//
//***************************************************************************

class POLARITY C9XAce : public CBaseAce
{
    LPWSTR m_wszFullName;
    DWORD m_dwAccess;
    int m_iFlags;
    int m_iType;
public:

   C9XAce(){m_wszFullName = 0;};
   C9XAce(DWORD Mask,
        DWORD AceType,
        DWORD dwAceFlags,
        LPWSTR pUser);
   ~C9XAce();

    int GetType(){return m_iType;};
    int GetFlags(){return m_iFlags;};         // inheritance etc.

    ACCESS_MASK GetAccessMask(){return m_dwAccess;};
    HRESULT GetFullUserName(WCHAR * pBuff, DWORD dwSize);
    HRESULT GetFullUserName2(WCHAR ** pBuff); // call must free
    DWORD GetStatus(){ return CNtAce::NoError; };
    void SetFlags(long lFlags){m_iFlags = (unsigned char)lFlags;};
    DWORD GetSerializedSize();
    bool Serialize(BYTE * pData);
    bool Deserialize(BYTE * pData);

};


//***************************************************************************
//
//  CNtAcl
//
//  Models an NT ACL.
//
//***************************************************************************

class POLARITY CNtAcl
{
    PACL    m_pAcl;
    DWORD   m_dwStatus;

public:
    enum { NoError, InternalError, NullAcl, InvalidAcl };
    enum { MinimumSize = 1 };

    CNtAcl(DWORD dwInitialSize = 128);

    CNtAcl(CNtAcl &Src);
    CNtAcl & operator = (CNtAcl &Src);

    CNtAcl(PACL pAcl);  // Makes a copy
   ~CNtAcl();

    int  GetNumAces();

    DWORD GetStatus() { return m_dwStatus; }
        // Returns one of the enumerated types.

	BOOL ContainsSid ( CNtSid& sid, BYTE& flags ) ;

    CNtAce *GetAce(int nIndex);
    BOOL GetAce(int nIndex, CNtAce &Dest);

    BOOL DeleteAce(int nIndex);
    BOOL AddAce(CNtAce *pAce);

    BOOL IsValid() { return(m_pAcl && IsValidAcl(m_pAcl)); }
        // Checks the validity of the embedded ACL.

    BOOL Resize(DWORD dwNewSize);
        // Or use CNtAcl::MinimumSize to trim the ACL to min size.
        // Fails if an illegal size is specified.

    DWORD GetSize();

    PACL GetPtr() { return m_pAcl; }
        // Returns the internal pointer for interface with NT APIs.

    BOOL GetAclSizeInfo(
        PDWORD pdwBytesInUse,
        PDWORD pdwBytesFree
        );

    void Dump();
};

//***************************************************************************
//
//  SNtAbsoluteSD
//
//  Helper for converting between absolute and relative SDs.
//
//***************************************************************************

struct SNtAbsoluteSD
{
    PSECURITY_DESCRIPTOR m_pSD;

    PACL m_pDacl;
    PACL m_pSacl;
    PSID m_pOwner;
    PSID m_pPrimaryGroup;

    SNtAbsoluteSD();
   ~SNtAbsoluteSD();
};

//***************************************************************************
//
//  CNtSecurityDescriptor
//
//  Models an NT Security Descriptor.  Note that in order to use this for an
//  AccessCheck, the DACL, owner sid, and group sid must be set!
//
//***************************************************************************

class POLARITY CNtSecurityDescriptor
{
    PSECURITY_DESCRIPTOR m_pSD;
    int m_dwStatus;


public:
    enum { NoError, NullSD, Failed, InvalidSD, SDOwned, SDNotOwned };

    CNtSecurityDescriptor();

    CNtSecurityDescriptor(
        PSECURITY_DESCRIPTOR pSD,
        BOOL bAcquire = FALSE
        );

    CNtSecurityDescriptor(CNtSecurityDescriptor &Src);
    CNtSecurityDescriptor & operator=(CNtSecurityDescriptor &Src);

    ~CNtSecurityDescriptor();

    SNtAbsoluteSD* CNtSecurityDescriptor::GetAbsoluteCopy();
    BOOL SetFromAbsoluteCopy(SNtAbsoluteSD *pSrc);

    int HasOwner();

    BOOL IsValid() { return(m_pSD && IsValidSecurityDescriptor(m_pSD)); }
        // Checks the validity of the embedded security descriptor&

    DWORD GetStatus() { return m_dwStatus; }
        // Returns one of the enumerated types.

    CNtAcl *GetDacl();
        // Deallocate with operator delete

    BOOL GetDacl(CNtAcl &DestAcl);
        // Retrieve into an existing object

    BOOL SetDacl(CNtAcl *pSrc);

    CNtAcl *GetSacl();
        // Deallocate with operator delete

    BOOL SetSacl(CNtAcl *pSrc);

    CNtSid *GetOwner();
    BOOL SetOwner(CNtSid *pSid);

    CNtSid *GetGroup();
    BOOL SetGroup(CNtSid *pSid);

    PSECURITY_DESCRIPTOR GetPtr() { return m_pSD; }
        // Returns the internal pointer for interface with NT APIs

    DWORD GetSize();

    void Dump();
};

//***************************************************************************
//
//  CNtSecurity
//
//  General-purpose NT security helpers.
//
//***************************************************************************

class POLARITY CNtSecurity
{
public:
    enum { NoError, InternalFailure, NotFound, InvalidName, AccessDenied = 5, NoSecurity,
           Failed };

    static BOOL DumpPrivileges();

    static BOOL SetPrivilege(
        IN TCHAR *pszPrivilegeName,     // An SE_ value.
        IN BOOL  bEnable               // TRUE=enable, FALSE=disable
        );

    static BOOL GetFileSD(
        IN TCHAR *pszFile,
        IN SECURITY_INFORMATION SecInfo,
        OUT CNtSecurityDescriptor **pSD
        );

    static BOOL SetFileSD(
        IN TCHAR *pszFile,
        IN SECURITY_INFORMATION SecInfo,
        IN CNtSecurityDescriptor *pSD
        );

    static int GetRegSD(
        IN HKEY hRoot,
        IN TCHAR *pszSubKey,
        IN SECURITY_INFORMATION SecInfo,
        OUT CNtSecurityDescriptor **pSD
        );

    static int SetRegSD(
        IN HKEY hRoot,
        IN TCHAR *pszSubKey,
        IN SECURITY_INFORMATION SecInfo,
        IN CNtSecurityDescriptor *pSD
        );


/*    static int GetDCName(
        IN  LPWSTR   pszDomain,
        OUT LPWSTR *pszDC,
        IN  LPWSTR   pszServer
        );*/

    static BOOL IsUserInGroup(
        HANDLE hClientToken,
        CNtSid & Sid
        );

    static DWORD AccessCheck(
        HANDLE hAccessToken,
        ACCESS_MASK RequiredAccess,
        CNtSecurityDescriptor *pSD
        );  // TBD

    static CNtSid *GetCurrentThreadSid(); // TBD

    static bool DoesLocalGroupExist(LPWSTR pwszGroup, LPWSTR pwszMachine);
    static bool AddLocalGroup(LPWSTR pwszGroupName, LPWSTR pwszGroupDescription);
};

BOOL FIsRunningAsService(VOID);
POLARITY BOOL SetObjectAccess2(HANDLE hObj);
POLARITY BOOL IsAdmin(HANDLE hAccess);
POLARITY BOOL IsNetworkService(HANDLE hAccess);
POLARITY BOOL IsLocalService(HANDLE hAccess);
POLARITY HRESULT GetAccessToken(HANDLE &hAccessToken);
POLARITY BOOL IsInAdminGroup();


#endif