1
// Copyright 2012 The Go Authors. All rights reserved.
2
// Use of this source code is governed by a BSD-style
3
// license that can be found in the LICENSE file.
4

5
package windows
6

7
import (
8
	"syscall"
9
	"unsafe"
10
)
11

12
const (
13
	NameUnknown          = 0
14
	NameFullyQualifiedDN = 1
15
	NameSamCompatible    = 2
16
	NameDisplay          = 3
17
	NameUniqueId         = 6
18
	NameCanonical        = 7
19
	NameUserPrincipal    = 8
20
	NameCanonicalEx      = 9
21
	NameServicePrincipal = 10
22
	NameDnsDomain        = 12
23
)
24

25
// This function returns 1 byte BOOLEAN rather than the 4 byte BOOL.
26
// http://blogs.msdn.com/b/drnick/archive/2007/12/19/windows-and-upn-format-credentials.aspx
27
//sys	TranslateName(accName *uint16, accNameFormat uint32, desiredNameFormat uint32, translatedName *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.TranslateNameW
28
//sys	GetUserNameEx(nameFormat uint32, nameBuffre *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.GetUserNameExW
29

30
// TranslateAccountName converts a directory service
31
// object name from one format to another.
32
func TranslateAccountName(username string, from, to uint32, initSize int) (string, error) {
33
	u, e := UTF16PtrFromString(username)
34
	if e != nil {
35
		return "", e
36
	}
37
	n := uint32(50)
38
	for {
39
		b := make([]uint16, n)
40
		e = TranslateName(u, from, to, &b[0], &n)
41
		if e == nil {
42
			return UTF16ToString(b[:n]), nil
43
		}
44
		if e != ERROR_INSUFFICIENT_BUFFER {
45
			return "", e
46
		}
47
		if n <= uint32(len(b)) {
48
			return "", e
49
		}
50
	}
51
}
52

53
const (
54
	// do not reorder
55
	NetSetupUnknownStatus = iota
56
	NetSetupUnjoined
57
	NetSetupWorkgroupName
58
	NetSetupDomainName
59
)
60

61
type UserInfo10 struct {
62
	Name       *uint16
63
	Comment    *uint16
64
	UsrComment *uint16
65
	FullName   *uint16
66
}
67

68
//sys	NetUserGetInfo(serverName *uint16, userName *uint16, level uint32, buf **byte) (neterr error) = netapi32.NetUserGetInfo
69
//sys	NetGetJoinInformation(server *uint16, name **uint16, bufType *uint32) (neterr error) = netapi32.NetGetJoinInformation
70
//sys	NetApiBufferFree(buf *byte) (neterr error) = netapi32.NetApiBufferFree
71
//sys   NetUserEnum(serverName *uint16, level uint32, filter uint32, buf **byte, prefMaxLen uint32, entriesRead *uint32, totalEntries *uint32, resumeHandle *uint32) (neterr error) = netapi32.NetUserEnum
72

73
const (
74
	// do not reorder
75
	SidTypeUser = 1 + iota
76
	SidTypeGroup
77
	SidTypeDomain
78
	SidTypeAlias
79
	SidTypeWellKnownGroup
80
	SidTypeDeletedAccount
81
	SidTypeInvalid
82
	SidTypeUnknown
83
	SidTypeComputer
84
	SidTypeLabel
85
)
86

87
type SidIdentifierAuthority struct {
88
	Value [6]byte
89
}
90

91
var (
92
	SECURITY_NULL_SID_AUTHORITY        = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 0}}
93
	SECURITY_WORLD_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 1}}
94
	SECURITY_LOCAL_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 2}}
95
	SECURITY_CREATOR_SID_AUTHORITY     = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 3}}
96
	SECURITY_NON_UNIQUE_AUTHORITY      = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 4}}
97
	SECURITY_NT_AUTHORITY              = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 5}}
98
	SECURITY_MANDATORY_LABEL_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 16}}
99
)
100

101
const (
102
	SECURITY_NULL_RID                   = 0
103
	SECURITY_WORLD_RID                  = 0
104
	SECURITY_LOCAL_RID                  = 0
105
	SECURITY_CREATOR_OWNER_RID          = 0
106
	SECURITY_CREATOR_GROUP_RID          = 1
107
	SECURITY_DIALUP_RID                 = 1
108
	SECURITY_NETWORK_RID                = 2
109
	SECURITY_BATCH_RID                  = 3
110
	SECURITY_INTERACTIVE_RID            = 4
111
	SECURITY_LOGON_IDS_RID              = 5
112
	SECURITY_SERVICE_RID                = 6
113
	SECURITY_LOCAL_SYSTEM_RID           = 18
114
	SECURITY_BUILTIN_DOMAIN_RID         = 32
115
	SECURITY_PRINCIPAL_SELF_RID         = 10
116
	SECURITY_CREATOR_OWNER_SERVER_RID   = 0x2
117
	SECURITY_CREATOR_GROUP_SERVER_RID   = 0x3
118
	SECURITY_LOGON_IDS_RID_COUNT        = 0x3
119
	SECURITY_ANONYMOUS_LOGON_RID        = 0x7
120
	SECURITY_PROXY_RID                  = 0x8
121
	SECURITY_ENTERPRISE_CONTROLLERS_RID = 0x9
122
	SECURITY_SERVER_LOGON_RID           = SECURITY_ENTERPRISE_CONTROLLERS_RID
123
	SECURITY_AUTHENTICATED_USER_RID     = 0xb
124
	SECURITY_RESTRICTED_CODE_RID        = 0xc
125
	SECURITY_NT_NON_UNIQUE_RID          = 0x15
126
)
127

128
// Predefined domain-relative RIDs for local groups.
129
// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
130
const (
131
	DOMAIN_ALIAS_RID_ADMINS                         = 0x220
132
	DOMAIN_ALIAS_RID_USERS                          = 0x221
133
	DOMAIN_ALIAS_RID_GUESTS                         = 0x222
134
	DOMAIN_ALIAS_RID_POWER_USERS                    = 0x223
135
	DOMAIN_ALIAS_RID_ACCOUNT_OPS                    = 0x224
136
	DOMAIN_ALIAS_RID_SYSTEM_OPS                     = 0x225
137
	DOMAIN_ALIAS_RID_PRINT_OPS                      = 0x226
138
	DOMAIN_ALIAS_RID_BACKUP_OPS                     = 0x227
139
	DOMAIN_ALIAS_RID_REPLICATOR                     = 0x228
140
	DOMAIN_ALIAS_RID_RAS_SERVERS                    = 0x229
141
	DOMAIN_ALIAS_RID_PREW2KCOMPACCESS               = 0x22a
142
	DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS           = 0x22b
143
	DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS      = 0x22c
144
	DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS = 0x22d
145
	DOMAIN_ALIAS_RID_MONITORING_USERS               = 0x22e
146
	DOMAIN_ALIAS_RID_LOGGING_USERS                  = 0x22f
147
	DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS            = 0x230
148
	DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS             = 0x231
149
	DOMAIN_ALIAS_RID_DCOM_USERS                     = 0x232
150
	DOMAIN_ALIAS_RID_IUSERS                         = 0x238
151
	DOMAIN_ALIAS_RID_CRYPTO_OPERATORS               = 0x239
152
	DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP     = 0x23b
153
	DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP = 0x23c
154
	DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP        = 0x23d
155
	DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP      = 0x23e
156
)
157

158
//sys	LookupAccountSid(systemName *uint16, sid *SID, name *uint16, nameLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountSidW
159
//sys	LookupAccountName(systemName *uint16, accountName *uint16, sid *SID, sidLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountNameW
160
//sys	ConvertSidToStringSid(sid *SID, stringSid **uint16) (err error) = advapi32.ConvertSidToStringSidW
161
//sys	ConvertStringSidToSid(stringSid *uint16, sid **SID) (err error) = advapi32.ConvertStringSidToSidW
162
//sys	GetLengthSid(sid *SID) (len uint32) = advapi32.GetLengthSid
163
//sys	CopySid(destSidLen uint32, destSid *SID, srcSid *SID) (err error) = advapi32.CopySid
164
//sys	AllocateAndInitializeSid(identAuth *SidIdentifierAuthority, subAuth byte, subAuth0 uint32, subAuth1 uint32, subAuth2 uint32, subAuth3 uint32, subAuth4 uint32, subAuth5 uint32, subAuth6 uint32, subAuth7 uint32, sid **SID) (err error) = advapi32.AllocateAndInitializeSid
165
//sys	createWellKnownSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID, sid *SID, sizeSid *uint32) (err error) = advapi32.CreateWellKnownSid
166
//sys	isWellKnownSid(sid *SID, sidType WELL_KNOWN_SID_TYPE) (isWellKnown bool) = advapi32.IsWellKnownSid
167
//sys	FreeSid(sid *SID) (err error) [failretval!=0] = advapi32.FreeSid
168
//sys	EqualSid(sid1 *SID, sid2 *SID) (isEqual bool) = advapi32.EqualSid
169
//sys	getSidIdentifierAuthority(sid *SID) (authority *SidIdentifierAuthority) = advapi32.GetSidIdentifierAuthority
170
//sys	getSidSubAuthorityCount(sid *SID) (count *uint8) = advapi32.GetSidSubAuthorityCount
171
//sys	getSidSubAuthority(sid *SID, index uint32) (subAuthority *uint32) = advapi32.GetSidSubAuthority
172
//sys	isValidSid(sid *SID) (isValid bool) = advapi32.IsValidSid
173

174
// The security identifier (SID) structure is a variable-length
175
// structure used to uniquely identify users or groups.
176
type SID struct{}
177

178
// StringToSid converts a string-format security identifier
179
// SID into a valid, functional SID.
180
func StringToSid(s string) (*SID, error) {
181
	var sid *SID
182
	p, e := UTF16PtrFromString(s)
183
	if e != nil {
184
		return nil, e
185
	}
186
	e = ConvertStringSidToSid(p, &sid)
187
	if e != nil {
188
		return nil, e
189
	}
190
	defer LocalFree((Handle)(unsafe.Pointer(sid)))
191
	return sid.Copy()
192
}
193

194
// LookupSID retrieves a security identifier SID for the account
195
// and the name of the domain on which the account was found.
196
// System specify target computer to search.
197
func LookupSID(system, account string) (sid *SID, domain string, accType uint32, err error) {
198
	if len(account) == 0 {
199
		return nil, "", 0, syscall.EINVAL
200
	}
201
	acc, e := UTF16PtrFromString(account)
202
	if e != nil {
203
		return nil, "", 0, e
204
	}
205
	var sys *uint16
206
	if len(system) > 0 {
207
		sys, e = UTF16PtrFromString(system)
208
		if e != nil {
209
			return nil, "", 0, e
210
		}
211
	}
212
	n := uint32(50)
213
	dn := uint32(50)
214
	for {
215
		b := make([]byte, n)
216
		db := make([]uint16, dn)
217
		sid = (*SID)(unsafe.Pointer(&b[0]))
218
		e = LookupAccountName(sys, acc, sid, &n, &db[0], &dn, &accType)
219
		if e == nil {
220
			return sid, UTF16ToString(db), accType, nil
221
		}
222
		if e != ERROR_INSUFFICIENT_BUFFER {
223
			return nil, "", 0, e
224
		}
225
		if n <= uint32(len(b)) {
226
			return nil, "", 0, e
227
		}
228
	}
229
}
230

231
// String converts SID to a string format suitable for display, storage, or transmission.
232
func (sid *SID) String() string {
233
	var s *uint16
234
	e := ConvertSidToStringSid(sid, &s)
235
	if e != nil {
236
		return ""
237
	}
238
	defer LocalFree((Handle)(unsafe.Pointer(s)))
239
	return UTF16ToString((*[256]uint16)(unsafe.Pointer(s))[:])
240
}
241

242
// Len returns the length, in bytes, of a valid security identifier SID.
243
func (sid *SID) Len() int {
244
	return int(GetLengthSid(sid))
245
}
246

247
// Copy creates a duplicate of security identifier SID.
248
func (sid *SID) Copy() (*SID, error) {
249
	b := make([]byte, sid.Len())
250
	sid2 := (*SID)(unsafe.Pointer(&b[0]))
251
	e := CopySid(uint32(len(b)), sid2, sid)
252
	if e != nil {
253
		return nil, e
254
	}
255
	return sid2, nil
256
}
257

258
// IdentifierAuthority returns the identifier authority of the SID.
259
func (sid *SID) IdentifierAuthority() SidIdentifierAuthority {
260
	return *getSidIdentifierAuthority(sid)
261
}
262

263
// SubAuthorityCount returns the number of sub-authorities in the SID.
264
func (sid *SID) SubAuthorityCount() uint8 {
265
	return *getSidSubAuthorityCount(sid)
266
}
267

268
// SubAuthority returns the sub-authority of the SID as specified by
269
// the index, which must be less than sid.SubAuthorityCount().
270
func (sid *SID) SubAuthority(idx uint32) uint32 {
271
	if idx >= uint32(sid.SubAuthorityCount()) {
272
		panic("sub-authority index out of range")
273
	}
274
	return *getSidSubAuthority(sid, idx)
275
}
276

277
// IsValid returns whether the SID has a valid revision and length.
278
func (sid *SID) IsValid() bool {
279
	return isValidSid(sid)
280
}
281

282
// Equals compares two SIDs for equality.
283
func (sid *SID) Equals(sid2 *SID) bool {
284
	return EqualSid(sid, sid2)
285
}
286

287
// IsWellKnown determines whether the SID matches the well-known sidType.
288
func (sid *SID) IsWellKnown(sidType WELL_KNOWN_SID_TYPE) bool {
289
	return isWellKnownSid(sid, sidType)
290
}
291

292
// LookupAccount retrieves the name of the account for this SID
293
// and the name of the first domain on which this SID is found.
294
// System specify target computer to search for.
295
func (sid *SID) LookupAccount(system string) (account, domain string, accType uint32, err error) {
296
	var sys *uint16
297
	if len(system) > 0 {
298
		sys, err = UTF16PtrFromString(system)
299
		if err != nil {
300
			return "", "", 0, err
301
		}
302
	}
303
	n := uint32(50)
304
	dn := uint32(50)
305
	for {
306
		b := make([]uint16, n)
307
		db := make([]uint16, dn)
308
		e := LookupAccountSid(sys, sid, &b[0], &n, &db[0], &dn, &accType)
309
		if e == nil {
310
			return UTF16ToString(b), UTF16ToString(db), accType, nil
311
		}
312
		if e != ERROR_INSUFFICIENT_BUFFER {
313
			return "", "", 0, e
314
		}
315
		if n <= uint32(len(b)) {
316
			return "", "", 0, e
317
		}
318
	}
319
}
320

321
// Various types of pre-specified SIDs that can be synthesized and compared at runtime.
322
type WELL_KNOWN_SID_TYPE uint32
323

324
const (
325
	WinNullSid                                    = 0
326
	WinWorldSid                                   = 1
327
	WinLocalSid                                   = 2
328
	WinCreatorOwnerSid                            = 3
329
	WinCreatorGroupSid                            = 4
330
	WinCreatorOwnerServerSid                      = 5
331
	WinCreatorGroupServerSid                      = 6
332
	WinNtAuthoritySid                             = 7
333
	WinDialupSid                                  = 8
334
	WinNetworkSid                                 = 9
335
	WinBatchSid                                   = 10
336
	WinInteractiveSid                             = 11
337
	WinServiceSid                                 = 12
338
	WinAnonymousSid                               = 13
339
	WinProxySid                                   = 14
340
	WinEnterpriseControllersSid                   = 15
341
	WinSelfSid                                    = 16
342
	WinAuthenticatedUserSid                       = 17
343
	WinRestrictedCodeSid                          = 18
344
	WinTerminalServerSid                          = 19
345
	WinRemoteLogonIdSid                           = 20
346
	WinLogonIdsSid                                = 21
347
	WinLocalSystemSid                             = 22
348
	WinLocalServiceSid                            = 23
349
	WinNetworkServiceSid                          = 24
350
	WinBuiltinDomainSid                           = 25
351
	WinBuiltinAdministratorsSid                   = 26
352
	WinBuiltinUsersSid                            = 27
353
	WinBuiltinGuestsSid                           = 28
354
	WinBuiltinPowerUsersSid                       = 29
355
	WinBuiltinAccountOperatorsSid                 = 30
356
	WinBuiltinSystemOperatorsSid                  = 31
357
	WinBuiltinPrintOperatorsSid                   = 32
358
	WinBuiltinBackupOperatorsSid                  = 33
359
	WinBuiltinReplicatorSid                       = 34
360
	WinBuiltinPreWindows2000CompatibleAccessSid   = 35
361
	WinBuiltinRemoteDesktopUsersSid               = 36
362
	WinBuiltinNetworkConfigurationOperatorsSid    = 37
363
	WinAccountAdministratorSid                    = 38
364
	WinAccountGuestSid                            = 39
365
	WinAccountKrbtgtSid                           = 40
366
	WinAccountDomainAdminsSid                     = 41
367
	WinAccountDomainUsersSid                      = 42
368
	WinAccountDomainGuestsSid                     = 43
369
	WinAccountComputersSid                        = 44
370
	WinAccountControllersSid                      = 45
371
	WinAccountCertAdminsSid                       = 46
372
	WinAccountSchemaAdminsSid                     = 47
373
	WinAccountEnterpriseAdminsSid                 = 48
374
	WinAccountPolicyAdminsSid                     = 49
375
	WinAccountRasAndIasServersSid                 = 50
376
	WinNTLMAuthenticationSid                      = 51
377
	WinDigestAuthenticationSid                    = 52
378
	WinSChannelAuthenticationSid                  = 53
379
	WinThisOrganizationSid                        = 54
380
	WinOtherOrganizationSid                       = 55
381
	WinBuiltinIncomingForestTrustBuildersSid      = 56
382
	WinBuiltinPerfMonitoringUsersSid              = 57
383
	WinBuiltinPerfLoggingUsersSid                 = 58
384
	WinBuiltinAuthorizationAccessSid              = 59
385
	WinBuiltinTerminalServerLicenseServersSid     = 60
386
	WinBuiltinDCOMUsersSid                        = 61
387
	WinBuiltinIUsersSid                           = 62
388
	WinIUserSid                                   = 63
389
	WinBuiltinCryptoOperatorsSid                  = 64
390
	WinUntrustedLabelSid                          = 65
391
	WinLowLabelSid                                = 66
392
	WinMediumLabelSid                             = 67
393
	WinHighLabelSid                               = 68
394
	WinSystemLabelSid                             = 69
395
	WinWriteRestrictedCodeSid                     = 70
396
	WinCreatorOwnerRightsSid                      = 71
397
	WinCacheablePrincipalsGroupSid                = 72
398
	WinNonCacheablePrincipalsGroupSid             = 73
399
	WinEnterpriseReadonlyControllersSid           = 74
400
	WinAccountReadonlyControllersSid              = 75
401
	WinBuiltinEventLogReadersGroup                = 76
402
	WinNewEnterpriseReadonlyControllersSid        = 77
403
	WinBuiltinCertSvcDComAccessGroup              = 78
404
	WinMediumPlusLabelSid                         = 79
405
	WinLocalLogonSid                              = 80
406
	WinConsoleLogonSid                            = 81
407
	WinThisOrganizationCertificateSid             = 82
408
	WinApplicationPackageAuthoritySid             = 83
409
	WinBuiltinAnyPackageSid                       = 84
410
	WinCapabilityInternetClientSid                = 85
411
	WinCapabilityInternetClientServerSid          = 86
412
	WinCapabilityPrivateNetworkClientServerSid    = 87
413
	WinCapabilityPicturesLibrarySid               = 88
414
	WinCapabilityVideosLibrarySid                 = 89
415
	WinCapabilityMusicLibrarySid                  = 90
416
	WinCapabilityDocumentsLibrarySid              = 91
417
	WinCapabilitySharedUserCertificatesSid        = 92
418
	WinCapabilityEnterpriseAuthenticationSid      = 93
419
	WinCapabilityRemovableStorageSid              = 94
420
	WinBuiltinRDSRemoteAccessServersSid           = 95
421
	WinBuiltinRDSEndpointServersSid               = 96
422
	WinBuiltinRDSManagementServersSid             = 97
423
	WinUserModeDriversSid                         = 98
424
	WinBuiltinHyperVAdminsSid                     = 99
425
	WinAccountCloneableControllersSid             = 100
426
	WinBuiltinAccessControlAssistanceOperatorsSid = 101
427
	WinBuiltinRemoteManagementUsersSid            = 102
428
	WinAuthenticationAuthorityAssertedSid         = 103
429
	WinAuthenticationServiceAssertedSid           = 104
430
	WinLocalAccountSid                            = 105
431
	WinLocalAccountAndAdministratorSid            = 106
432
	WinAccountProtectedUsersSid                   = 107
433
	WinCapabilityAppointmentsSid                  = 108
434
	WinCapabilityContactsSid                      = 109
435
	WinAccountDefaultSystemManagedSid             = 110
436
	WinBuiltinDefaultSystemManagedGroupSid        = 111
437
	WinBuiltinStorageReplicaAdminsSid             = 112
438
	WinAccountKeyAdminsSid                        = 113
439
	WinAccountEnterpriseKeyAdminsSid              = 114
440
	WinAuthenticationKeyTrustSid                  = 115
441
	WinAuthenticationKeyPropertyMFASid            = 116
442
	WinAuthenticationKeyPropertyAttestationSid    = 117
443
	WinAuthenticationFreshKeyAuthSid              = 118
444
	WinBuiltinDeviceOwnersSid                     = 119
445
)
446

447
// Creates a SID for a well-known predefined alias, generally using the constants of the form
448
// Win*Sid, for the local machine.
449
func CreateWellKnownSid(sidType WELL_KNOWN_SID_TYPE) (*SID, error) {
450
	return CreateWellKnownDomainSid(sidType, nil)
451
}
452

453
// Creates a SID for a well-known predefined alias, generally using the constants of the form
454
// Win*Sid, for the domain specified by the domainSid parameter.
455
func CreateWellKnownDomainSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID) (*SID, error) {
456
	n := uint32(50)
457
	for {
458
		b := make([]byte, n)
459
		sid := (*SID)(unsafe.Pointer(&b[0]))
460
		err := createWellKnownSid(sidType, domainSid, sid, &n)
461
		if err == nil {
462
			return sid, nil
463
		}
464
		if err != ERROR_INSUFFICIENT_BUFFER {
465
			return nil, err
466
		}
467
		if n <= uint32(len(b)) {
468
			return nil, err
469
		}
470
	}
471
}
472

473
const (
474
	// do not reorder
475
	TOKEN_ASSIGN_PRIMARY = 1 << iota
476
	TOKEN_DUPLICATE
477
	TOKEN_IMPERSONATE
478
	TOKEN_QUERY
479
	TOKEN_QUERY_SOURCE
480
	TOKEN_ADJUST_PRIVILEGES
481
	TOKEN_ADJUST_GROUPS
482
	TOKEN_ADJUST_DEFAULT
483
	TOKEN_ADJUST_SESSIONID
484

485
	TOKEN_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
486
		TOKEN_ASSIGN_PRIMARY |
487
		TOKEN_DUPLICATE |
488
		TOKEN_IMPERSONATE |
489
		TOKEN_QUERY |
490
		TOKEN_QUERY_SOURCE |
491
		TOKEN_ADJUST_PRIVILEGES |
492
		TOKEN_ADJUST_GROUPS |
493
		TOKEN_ADJUST_DEFAULT |
494
		TOKEN_ADJUST_SESSIONID
495
	TOKEN_READ  = STANDARD_RIGHTS_READ | TOKEN_QUERY
496
	TOKEN_WRITE = STANDARD_RIGHTS_WRITE |
497
		TOKEN_ADJUST_PRIVILEGES |
498
		TOKEN_ADJUST_GROUPS |
499
		TOKEN_ADJUST_DEFAULT
500
	TOKEN_EXECUTE = STANDARD_RIGHTS_EXECUTE
501
)
502

503
const (
504
	// do not reorder
505
	TokenUser = 1 + iota
506
	TokenGroups
507
	TokenPrivileges
508
	TokenOwner
509
	TokenPrimaryGroup
510
	TokenDefaultDacl
511
	TokenSource
512
	TokenType
513
	TokenImpersonationLevel
514
	TokenStatistics
515
	TokenRestrictedSids
516
	TokenSessionId
517
	TokenGroupsAndPrivileges
518
	TokenSessionReference
519
	TokenSandBoxInert
520
	TokenAuditPolicy
521
	TokenOrigin
522
	TokenElevationType
523
	TokenLinkedToken
524
	TokenElevation
525
	TokenHasRestrictions
526
	TokenAccessInformation
527
	TokenVirtualizationAllowed
528
	TokenVirtualizationEnabled
529
	TokenIntegrityLevel
530
	TokenUIAccess
531
	TokenMandatoryPolicy
532
	TokenLogonSid
533
	MaxTokenInfoClass
534
)
535

536
// Group attributes inside of Tokengroups.Groups[i].Attributes
537
const (
538
	SE_GROUP_MANDATORY          = 0x00000001
539
	SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
540
	SE_GROUP_ENABLED            = 0x00000004
541
	SE_GROUP_OWNER              = 0x00000008
542
	SE_GROUP_USE_FOR_DENY_ONLY  = 0x00000010
543
	SE_GROUP_INTEGRITY          = 0x00000020
544
	SE_GROUP_INTEGRITY_ENABLED  = 0x00000040
545
	SE_GROUP_LOGON_ID           = 0xC0000000
546
	SE_GROUP_RESOURCE           = 0x20000000
547
	SE_GROUP_VALID_ATTRIBUTES   = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED | SE_GROUP_OWNER | SE_GROUP_USE_FOR_DENY_ONLY | SE_GROUP_LOGON_ID | SE_GROUP_RESOURCE | SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED
548
)
549

550
// Privilege attributes
551
const (
552
	SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
553
	SE_PRIVILEGE_ENABLED            = 0x00000002
554
	SE_PRIVILEGE_REMOVED            = 0x00000004
555
	SE_PRIVILEGE_USED_FOR_ACCESS    = 0x80000000
556
	SE_PRIVILEGE_VALID_ATTRIBUTES   = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED | SE_PRIVILEGE_USED_FOR_ACCESS
557
)
558

559
// Token types
560
const (
561
	TokenPrimary       = 1
562
	TokenImpersonation = 2
563
)
564

565
// Impersonation levels
566
const (
567
	SecurityAnonymous      = 0
568
	SecurityIdentification = 1
569
	SecurityImpersonation  = 2
570
	SecurityDelegation     = 3
571
)
572

573
type LUID struct {
574
	LowPart  uint32
575
	HighPart int32
576
}
577

578
type LUIDAndAttributes struct {
579
	Luid       LUID
580
	Attributes uint32
581
}
582

583
type SIDAndAttributes struct {
584
	Sid        *SID
585
	Attributes uint32
586
}
587

588
type Tokenuser struct {
589
	User SIDAndAttributes
590
}
591

592
type Tokenprimarygroup struct {
593
	PrimaryGroup *SID
594
}
595

596
type Tokengroups struct {
597
	GroupCount uint32
598
	Groups     [1]SIDAndAttributes // Use AllGroups() for iterating.
599
}
600

601
// AllGroups returns a slice that can be used to iterate over the groups in g.
602
func (g *Tokengroups) AllGroups() []SIDAndAttributes {
603
	return (*[(1 << 28) - 1]SIDAndAttributes)(unsafe.Pointer(&g.Groups[0]))[:g.GroupCount:g.GroupCount]
604
}
605

606
type Tokenprivileges struct {
607
	PrivilegeCount uint32
608
	Privileges     [1]LUIDAndAttributes // Use AllPrivileges() for iterating.
609
}
610

611
// AllPrivileges returns a slice that can be used to iterate over the privileges in p.
612
func (p *Tokenprivileges) AllPrivileges() []LUIDAndAttributes {
613
	return (*[(1 << 27) - 1]LUIDAndAttributes)(unsafe.Pointer(&p.Privileges[0]))[:p.PrivilegeCount:p.PrivilegeCount]
614
}
615

616
type Tokenmandatorylabel struct {
617
	Label SIDAndAttributes
618
}
619

620
func (tml *Tokenmandatorylabel) Size() uint32 {
621
	return uint32(unsafe.Sizeof(Tokenmandatorylabel{})) + GetLengthSid(tml.Label.Sid)
622
}
623

624
// Authorization Functions
625
//sys	checkTokenMembership(tokenHandle Token, sidToCheck *SID, isMember *int32) (err error) = advapi32.CheckTokenMembership
626
//sys	isTokenRestricted(tokenHandle Token) (ret bool, err error) [!failretval] = advapi32.IsTokenRestricted
627
//sys	OpenProcessToken(process Handle, access uint32, token *Token) (err error) = advapi32.OpenProcessToken
628
//sys	OpenThreadToken(thread Handle, access uint32, openAsSelf bool, token *Token) (err error) = advapi32.OpenThreadToken
629
//sys	ImpersonateSelf(impersonationlevel uint32) (err error) = advapi32.ImpersonateSelf
630
//sys	RevertToSelf() (err error) = advapi32.RevertToSelf
631
//sys	SetThreadToken(thread *Handle, token Token) (err error) = advapi32.SetThreadToken
632
//sys	LookupPrivilegeValue(systemname *uint16, name *uint16, luid *LUID) (err error) = advapi32.LookupPrivilegeValueW
633
//sys	AdjustTokenPrivileges(token Token, disableAllPrivileges bool, newstate *Tokenprivileges, buflen uint32, prevstate *Tokenprivileges, returnlen *uint32) (err error) = advapi32.AdjustTokenPrivileges
634
//sys	AdjustTokenGroups(token Token, resetToDefault bool, newstate *Tokengroups, buflen uint32, prevstate *Tokengroups, returnlen *uint32) (err error) = advapi32.AdjustTokenGroups
635
//sys	GetTokenInformation(token Token, infoClass uint32, info *byte, infoLen uint32, returnedLen *uint32) (err error) = advapi32.GetTokenInformation
636
//sys	SetTokenInformation(token Token, infoClass uint32, info *byte, infoLen uint32) (err error) = advapi32.SetTokenInformation
637
//sys	DuplicateTokenEx(existingToken Token, desiredAccess uint32, tokenAttributes *SecurityAttributes, impersonationLevel uint32, tokenType uint32, newToken *Token) (err error) = advapi32.DuplicateTokenEx
638
//sys	GetUserProfileDirectory(t Token, dir *uint16, dirLen *uint32) (err error) = userenv.GetUserProfileDirectoryW
639
//sys	getSystemDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetSystemDirectoryW
640
//sys	getWindowsDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetWindowsDirectoryW
641
//sys	getSystemWindowsDirectory(dir *uint16, dirLen uint32) (len uint32, err error) = kernel32.GetSystemWindowsDirectoryW
642

643
// An access token contains the security information for a logon session.
644
// The system creates an access token when a user logs on, and every
645
// process executed on behalf of the user has a copy of the token.
646
// The token identifies the user, the user's groups, and the user's
647
// privileges. The system uses the token to control access to securable
648
// objects and to control the ability of the user to perform various
649
// system-related operations on the local computer.
650
type Token Handle
651

652
// OpenCurrentProcessToken opens an access token associated with current
653
// process with TOKEN_QUERY access. It is a real token that needs to be closed.
654
//
655
// Deprecated: Explicitly call OpenProcessToken(CurrentProcess(), ...)
656
// with the desired access instead, or use GetCurrentProcessToken for a
657
// TOKEN_QUERY token.
658
func OpenCurrentProcessToken() (Token, error) {
659
	var token Token
660
	err := OpenProcessToken(CurrentProcess(), TOKEN_QUERY, &token)
661
	return token, err
662
}
663

664
// GetCurrentProcessToken returns the access token associated with
665
// the current process. It is a pseudo token that does not need
666
// to be closed.
667
func GetCurrentProcessToken() Token {
668
	return Token(^uintptr(4 - 1))
669
}
670

671
// GetCurrentThreadToken return the access token associated with
672
// the current thread. It is a pseudo token that does not need
673
// to be closed.
674
func GetCurrentThreadToken() Token {
675
	return Token(^uintptr(5 - 1))
676
}
677

678
// GetCurrentThreadEffectiveToken returns the effective access token
679
// associated with the current thread. It is a pseudo token that does
680
// not need to be closed.
681
func GetCurrentThreadEffectiveToken() Token {
682
	return Token(^uintptr(6 - 1))
683
}
684

685
// Close releases access to access token.
686
func (t Token) Close() error {
687
	return CloseHandle(Handle(t))
688
}
689

690
// getInfo retrieves a specified type of information about an access token.
691
func (t Token) getInfo(class uint32, initSize int) (unsafe.Pointer, error) {
692
	n := uint32(initSize)
693
	for {
694
		b := make([]byte, n)
695
		e := GetTokenInformation(t, class, &b[0], uint32(len(b)), &n)
696
		if e == nil {
697
			return unsafe.Pointer(&b[0]), nil
698
		}
699
		if e != ERROR_INSUFFICIENT_BUFFER {
700
			return nil, e
701
		}
702
		if n <= uint32(len(b)) {
703
			return nil, e
704
		}
705
	}
706
}
707

708
// GetTokenUser retrieves access token t user account information.
709
func (t Token) GetTokenUser() (*Tokenuser, error) {
710
	i, e := t.getInfo(TokenUser, 50)
711
	if e != nil {
712
		return nil, e
713
	}
714
	return (*Tokenuser)(i), nil
715
}
716

717
// GetTokenGroups retrieves group accounts associated with access token t.
718
func (t Token) GetTokenGroups() (*Tokengroups, error) {
719
	i, e := t.getInfo(TokenGroups, 50)
720
	if e != nil {
721
		return nil, e
722
	}
723
	return (*Tokengroups)(i), nil
724
}
725

726
// GetTokenPrimaryGroup retrieves access token t primary group information.
727
// A pointer to a SID structure representing a group that will become
728
// the primary group of any objects created by a process using this access token.
729
func (t Token) GetTokenPrimaryGroup() (*Tokenprimarygroup, error) {
730
	i, e := t.getInfo(TokenPrimaryGroup, 50)
731
	if e != nil {
732
		return nil, e
733
	}
734
	return (*Tokenprimarygroup)(i), nil
735
}
736

737
// GetUserProfileDirectory retrieves path to the
738
// root directory of the access token t user's profile.
739
func (t Token) GetUserProfileDirectory() (string, error) {
740
	n := uint32(100)
741
	for {
742
		b := make([]uint16, n)
743
		e := GetUserProfileDirectory(t, &b[0], &n)
744
		if e == nil {
745
			return UTF16ToString(b), nil
746
		}
747
		if e != ERROR_INSUFFICIENT_BUFFER {
748
			return "", e
749
		}
750
		if n <= uint32(len(b)) {
751
			return "", e
752
		}
753
	}
754
}
755

756
// IsElevated returns whether the current token is elevated from a UAC perspective.
757
func (token Token) IsElevated() bool {
758
	var isElevated uint32
759
	var outLen uint32
760
	err := GetTokenInformation(token, TokenElevation, (*byte)(unsafe.Pointer(&isElevated)), uint32(unsafe.Sizeof(isElevated)), &outLen)
761
	if err != nil {
762
		return false
763
	}
764
	return outLen == uint32(unsafe.Sizeof(isElevated)) && isElevated != 0
765
}
766

767
// GetLinkedToken returns the linked token, which may be an elevated UAC token.
768
func (token Token) GetLinkedToken() (Token, error) {
769
	var linkedToken Token
770
	var outLen uint32
771
	err := GetTokenInformation(token, TokenLinkedToken, (*byte)(unsafe.Pointer(&linkedToken)), uint32(unsafe.Sizeof(linkedToken)), &outLen)
772
	if err != nil {
773
		return Token(0), err
774
	}
775
	return linkedToken, nil
776
}
777

778
// GetSystemDirectory retrieves the path to current location of the system
779
// directory, which is typically, though not always, `C:\Windows\System32`.
780
func GetSystemDirectory() (string, error) {
781
	n := uint32(MAX_PATH)
782
	for {
783
		b := make([]uint16, n)
784
		l, e := getSystemDirectory(&b[0], n)
785
		if e != nil {
786
			return "", e
787
		}
788
		if l <= n {
789
			return UTF16ToString(b[:l]), nil
790
		}
791
		n = l
792
	}
793
}
794

795
// GetWindowsDirectory retrieves the path to current location of the Windows
796
// directory, which is typically, though not always, `C:\Windows`. This may
797
// be a private user directory in the case that the application is running
798
// under a terminal server.
799
func GetWindowsDirectory() (string, error) {
800
	n := uint32(MAX_PATH)
801
	for {
802
		b := make([]uint16, n)
803
		l, e := getWindowsDirectory(&b[0], n)
804
		if e != nil {
805
			return "", e
806
		}
807
		if l <= n {
808
			return UTF16ToString(b[:l]), nil
809
		}
810
		n = l
811
	}
812
}
813

814
// GetSystemWindowsDirectory retrieves the path to current location of the
815
// Windows directory, which is typically, though not always, `C:\Windows`.
816
func GetSystemWindowsDirectory() (string, error) {
817
	n := uint32(MAX_PATH)
818
	for {
819
		b := make([]uint16, n)
820
		l, e := getSystemWindowsDirectory(&b[0], n)
821
		if e != nil {
822
			return "", e
823
		}
824
		if l <= n {
825
			return UTF16ToString(b[:l]), nil
826
		}
827
		n = l
828
	}
829
}
830

831
// IsMember reports whether the access token t is a member of the provided SID.
832
func (t Token) IsMember(sid *SID) (bool, error) {
833
	var b int32
834
	if e := checkTokenMembership(t, sid, &b); e != nil {
835
		return false, e
836
	}
837
	return b != 0, nil
838
}
839

840
// IsRestricted reports whether the access token t is a restricted token.
841
func (t Token) IsRestricted() (isRestricted bool, err error) {
842
	isRestricted, err = isTokenRestricted(t)
843
	if !isRestricted && err == syscall.EINVAL {
844
		// If err is EINVAL, this returned ERROR_SUCCESS indicating a non-restricted token.
845
		err = nil
846
	}
847
	return
848
}
849

850
const (
851
	WTS_CONSOLE_CONNECT        = 0x1
852
	WTS_CONSOLE_DISCONNECT     = 0x2
853
	WTS_REMOTE_CONNECT         = 0x3
854
	WTS_REMOTE_DISCONNECT      = 0x4
855
	WTS_SESSION_LOGON          = 0x5
856
	WTS_SESSION_LOGOFF         = 0x6
857
	WTS_SESSION_LOCK           = 0x7
858
	WTS_SESSION_UNLOCK         = 0x8
859
	WTS_SESSION_REMOTE_CONTROL = 0x9
860
	WTS_SESSION_CREATE         = 0xa
861
	WTS_SESSION_TERMINATE      = 0xb
862
)
863

864
const (
865
	WTSActive       = 0
866
	WTSConnected    = 1
867
	WTSConnectQuery = 2
868
	WTSShadow       = 3
869
	WTSDisconnected = 4
870
	WTSIdle         = 5
871
	WTSListen       = 6
872
	WTSReset        = 7
873
	WTSDown         = 8
874
	WTSInit         = 9
875
)
876

877
type WTSSESSION_NOTIFICATION struct {
878
	Size      uint32
879
	SessionID uint32
880
}
881

882
type WTS_SESSION_INFO struct {
883
	SessionID         uint32
884
	WindowStationName *uint16
885
	State             uint32
886
}
887

888
//sys WTSQueryUserToken(session uint32, token *Token) (err error) = wtsapi32.WTSQueryUserToken
889
//sys WTSEnumerateSessions(handle Handle, reserved uint32, version uint32, sessions **WTS_SESSION_INFO, count *uint32) (err error) = wtsapi32.WTSEnumerateSessionsW
890
//sys WTSFreeMemory(ptr uintptr) = wtsapi32.WTSFreeMemory
891
//sys WTSGetActiveConsoleSessionId() (sessionID uint32)
892

893
type ACL struct {
894
	aclRevision byte
895
	sbz1        byte
896
	aclSize     uint16
897
	AceCount    uint16
898
	sbz2        uint16
899
}
900

901
type SECURITY_DESCRIPTOR struct {
902
	revision byte
903
	sbz1     byte
904
	control  SECURITY_DESCRIPTOR_CONTROL
905
	owner    *SID
906
	group    *SID
907
	sacl     *ACL
908
	dacl     *ACL
909
}
910

911
type SECURITY_QUALITY_OF_SERVICE struct {
912
	Length              uint32
913
	ImpersonationLevel  uint32
914
	ContextTrackingMode byte
915
	EffectiveOnly       byte
916
}
917

918
// Constants for the ContextTrackingMode field of SECURITY_QUALITY_OF_SERVICE.
919
const (
920
	SECURITY_STATIC_TRACKING  = 0
921
	SECURITY_DYNAMIC_TRACKING = 1
922
)
923

924
type SecurityAttributes struct {
925
	Length             uint32
926
	SecurityDescriptor *SECURITY_DESCRIPTOR
927
	InheritHandle      uint32
928
}
929

930
type SE_OBJECT_TYPE uint32
931

932
// Constants for type SE_OBJECT_TYPE
933
const (
934
	SE_UNKNOWN_OBJECT_TYPE     = 0
935
	SE_FILE_OBJECT             = 1
936
	SE_SERVICE                 = 2
937
	SE_PRINTER                 = 3
938
	SE_REGISTRY_KEY            = 4
939
	SE_LMSHARE                 = 5
940
	SE_KERNEL_OBJECT           = 6
941
	SE_WINDOW_OBJECT           = 7
942
	SE_DS_OBJECT               = 8
943
	SE_DS_OBJECT_ALL           = 9
944
	SE_PROVIDER_DEFINED_OBJECT = 10
945
	SE_WMIGUID_OBJECT          = 11
946
	SE_REGISTRY_WOW64_32KEY    = 12
947
	SE_REGISTRY_WOW64_64KEY    = 13
948
)
949

950
type SECURITY_INFORMATION uint32
951

952
// Constants for type SECURITY_INFORMATION
953
const (
954
	OWNER_SECURITY_INFORMATION            = 0x00000001
955
	GROUP_SECURITY_INFORMATION            = 0x00000002
956
	DACL_SECURITY_INFORMATION             = 0x00000004
957
	SACL_SECURITY_INFORMATION             = 0x00000008
958
	LABEL_SECURITY_INFORMATION            = 0x00000010
959
	ATTRIBUTE_SECURITY_INFORMATION        = 0x00000020
960
	SCOPE_SECURITY_INFORMATION            = 0x00000040
961
	BACKUP_SECURITY_INFORMATION           = 0x00010000
962
	PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
963
	PROTECTED_SACL_SECURITY_INFORMATION   = 0x40000000
964
	UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
965
	UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
966
)
967

968
type SECURITY_DESCRIPTOR_CONTROL uint16
969

970
// Constants for type SECURITY_DESCRIPTOR_CONTROL
971
const (
972
	SE_OWNER_DEFAULTED       = 0x0001
973
	SE_GROUP_DEFAULTED       = 0x0002
974
	SE_DACL_PRESENT          = 0x0004
975
	SE_DACL_DEFAULTED        = 0x0008
976
	SE_SACL_PRESENT          = 0x0010
977
	SE_SACL_DEFAULTED        = 0x0020
978
	SE_DACL_AUTO_INHERIT_REQ = 0x0100
979
	SE_SACL_AUTO_INHERIT_REQ = 0x0200
980
	SE_DACL_AUTO_INHERITED   = 0x0400
981
	SE_SACL_AUTO_INHERITED   = 0x0800
982
	SE_DACL_PROTECTED        = 0x1000
983
	SE_SACL_PROTECTED        = 0x2000
984
	SE_RM_CONTROL_VALID      = 0x4000
985
	SE_SELF_RELATIVE         = 0x8000
986
)
987

988
type ACCESS_MASK uint32
989

990
// Constants for type ACCESS_MASK
991
const (
992
	DELETE                   = 0x00010000
993
	READ_CONTROL             = 0x00020000
994
	WRITE_DAC                = 0x00040000
995
	WRITE_OWNER              = 0x00080000
996
	SYNCHRONIZE              = 0x00100000
997
	STANDARD_RIGHTS_REQUIRED = 0x000F0000
998
	STANDARD_RIGHTS_READ     = READ_CONTROL
999
	STANDARD_RIGHTS_WRITE    = READ_CONTROL
1000
	STANDARD_RIGHTS_EXECUTE  = READ_CONTROL
1001
	STANDARD_RIGHTS_ALL      = 0x001F0000
1002
	SPECIFIC_RIGHTS_ALL      = 0x0000FFFF
1003
	ACCESS_SYSTEM_SECURITY   = 0x01000000
1004
	MAXIMUM_ALLOWED          = 0x02000000
1005
	GENERIC_READ             = 0x80000000
1006
	GENERIC_WRITE            = 0x40000000
1007
	GENERIC_EXECUTE          = 0x20000000
1008
	GENERIC_ALL              = 0x10000000
1009
)
1010

1011
type ACCESS_MODE uint32
1012

1013
// Constants for type ACCESS_MODE
1014
const (
1015
	NOT_USED_ACCESS   = 0
1016
	GRANT_ACCESS      = 1
1017
	SET_ACCESS        = 2
1018
	DENY_ACCESS       = 3
1019
	REVOKE_ACCESS     = 4
1020
	SET_AUDIT_SUCCESS = 5
1021
	SET_AUDIT_FAILURE = 6
1022
)
1023

1024
// Constants for AceFlags and Inheritance fields
1025
const (
1026
	NO_INHERITANCE                     = 0x0
1027
	SUB_OBJECTS_ONLY_INHERIT           = 0x1
1028
	SUB_CONTAINERS_ONLY_INHERIT        = 0x2
1029
	SUB_CONTAINERS_AND_OBJECTS_INHERIT = 0x3
1030
	INHERIT_NO_PROPAGATE               = 0x4
1031
	INHERIT_ONLY                       = 0x8
1032
	INHERITED_ACCESS_ENTRY             = 0x10
1033
	INHERITED_PARENT                   = 0x10000000
1034
	INHERITED_GRANDPARENT              = 0x20000000
1035
	OBJECT_INHERIT_ACE                 = 0x1
1036
	CONTAINER_INHERIT_ACE              = 0x2
1037
	NO_PROPAGATE_INHERIT_ACE           = 0x4
1038
	INHERIT_ONLY_ACE                   = 0x8
1039
	INHERITED_ACE                      = 0x10
1040
	VALID_INHERIT_FLAGS                = 0x1F
1041
)
1042

1043
type MULTIPLE_TRUSTEE_OPERATION uint32
1044

1045
// Constants for MULTIPLE_TRUSTEE_OPERATION
1046
const (
1047
	NO_MULTIPLE_TRUSTEE    = 0
1048
	TRUSTEE_IS_IMPERSONATE = 1
1049
)
1050

1051
type TRUSTEE_FORM uint32
1052

1053
// Constants for TRUSTEE_FORM
1054
const (
1055
	TRUSTEE_IS_SID              = 0
1056
	TRUSTEE_IS_NAME             = 1
1057
	TRUSTEE_BAD_FORM            = 2
1058
	TRUSTEE_IS_OBJECTS_AND_SID  = 3
1059
	TRUSTEE_IS_OBJECTS_AND_NAME = 4
1060
)
1061

1062
type TRUSTEE_TYPE uint32
1063

1064
// Constants for TRUSTEE_TYPE
1065
const (
1066
	TRUSTEE_IS_UNKNOWN          = 0
1067
	TRUSTEE_IS_USER             = 1
1068
	TRUSTEE_IS_GROUP            = 2
1069
	TRUSTEE_IS_DOMAIN           = 3
1070
	TRUSTEE_IS_ALIAS            = 4
1071
	TRUSTEE_IS_WELL_KNOWN_GROUP = 5
1072
	TRUSTEE_IS_DELETED          = 6
1073
	TRUSTEE_IS_INVALID          = 7
1074
	TRUSTEE_IS_COMPUTER         = 8
1075
)
1076

1077
// Constants for ObjectsPresent field
1078
const (
1079
	ACE_OBJECT_TYPE_PRESENT           = 0x1
1080
	ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
1081
)
1082

1083
type EXPLICIT_ACCESS struct {
1084
	AccessPermissions ACCESS_MASK
1085
	AccessMode        ACCESS_MODE
1086
	Inheritance       uint32
1087
	Trustee           TRUSTEE
1088
}
1089

1090
// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header
1091
type ACE_HEADER struct {
1092
	AceType  uint8
1093
	AceFlags uint8
1094
	AceSize  uint16
1095
}
1096

1097
// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_ace
1098
type ACCESS_ALLOWED_ACE struct {
1099
	Header   ACE_HEADER
1100
	Mask     ACCESS_MASK
1101
	SidStart uint32
1102
}
1103

1104
const (
1105
	// Constants for AceType
1106
	// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header
1107
	ACCESS_ALLOWED_ACE_TYPE = 0
1108
	ACCESS_DENIED_ACE_TYPE  = 1
1109
)
1110

1111
// This type is the union inside of TRUSTEE and must be created using one of the TrusteeValueFrom* functions.
1112
type TrusteeValue uintptr
1113

1114
func TrusteeValueFromString(str string) TrusteeValue {
1115
	return TrusteeValue(unsafe.Pointer(StringToUTF16Ptr(str)))
1116
}
1117
func TrusteeValueFromSID(sid *SID) TrusteeValue {
1118
	return TrusteeValue(unsafe.Pointer(sid))
1119
}
1120
func TrusteeValueFromObjectsAndSid(objectsAndSid *OBJECTS_AND_SID) TrusteeValue {
1121
	return TrusteeValue(unsafe.Pointer(objectsAndSid))
1122
}
1123
func TrusteeValueFromObjectsAndName(objectsAndName *OBJECTS_AND_NAME) TrusteeValue {
1124
	return TrusteeValue(unsafe.Pointer(objectsAndName))
1125
}
1126

1127
type TRUSTEE struct {
1128
	MultipleTrustee          *TRUSTEE
1129
	MultipleTrusteeOperation MULTIPLE_TRUSTEE_OPERATION
1130
	TrusteeForm              TRUSTEE_FORM
1131
	TrusteeType              TRUSTEE_TYPE
1132
	TrusteeValue             TrusteeValue
1133
}
1134

1135
type OBJECTS_AND_SID struct {
1136
	ObjectsPresent          uint32
1137
	ObjectTypeGuid          GUID
1138
	InheritedObjectTypeGuid GUID
1139
	Sid                     *SID
1140
}
1141

1142
type OBJECTS_AND_NAME struct {
1143
	ObjectsPresent          uint32
1144
	ObjectType              SE_OBJECT_TYPE
1145
	ObjectTypeName          *uint16
1146
	InheritedObjectTypeName *uint16
1147
	Name                    *uint16
1148
}
1149

1150
//sys	getSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner **SID, group **SID, dacl **ACL, sacl **ACL, sd **SECURITY_DESCRIPTOR) (ret error) = advapi32.GetSecurityInfo
1151
//sys	SetSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner *SID, group *SID, dacl *ACL, sacl *ACL) (ret error) = advapi32.SetSecurityInfo
1152
//sys	getNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner **SID, group **SID, dacl **ACL, sacl **ACL, sd **SECURITY_DESCRIPTOR) (ret error) = advapi32.GetNamedSecurityInfoW
1153
//sys	SetNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION, owner *SID, group *SID, dacl *ACL, sacl *ACL) (ret error) = advapi32.SetNamedSecurityInfoW
1154
//sys	SetKernelObjectSecurity(handle Handle, securityInformation SECURITY_INFORMATION, securityDescriptor *SECURITY_DESCRIPTOR) (err error) = advapi32.SetKernelObjectSecurity
1155

1156
//sys	buildSecurityDescriptor(owner *TRUSTEE, group *TRUSTEE, countAccessEntries uint32, accessEntries *EXPLICIT_ACCESS, countAuditEntries uint32, auditEntries *EXPLICIT_ACCESS, oldSecurityDescriptor *SECURITY_DESCRIPTOR, sizeNewSecurityDescriptor *uint32, newSecurityDescriptor **SECURITY_DESCRIPTOR) (ret error) = advapi32.BuildSecurityDescriptorW
1157
//sys	initializeSecurityDescriptor(absoluteSD *SECURITY_DESCRIPTOR, revision uint32) (err error) = advapi32.InitializeSecurityDescriptor
1158

1159
//sys	getSecurityDescriptorControl(sd *SECURITY_DESCRIPTOR, control *SECURITY_DESCRIPTOR_CONTROL, revision *uint32) (err error) = advapi32.GetSecurityDescriptorControl
1160
//sys	getSecurityDescriptorDacl(sd *SECURITY_DESCRIPTOR, daclPresent *bool, dacl **ACL, daclDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorDacl
1161
//sys	getSecurityDescriptorSacl(sd *SECURITY_DESCRIPTOR, saclPresent *bool, sacl **ACL, saclDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorSacl
1162
//sys	getSecurityDescriptorOwner(sd *SECURITY_DESCRIPTOR, owner **SID, ownerDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorOwner
1163
//sys	getSecurityDescriptorGroup(sd *SECURITY_DESCRIPTOR, group **SID, groupDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorGroup
1164
//sys	getSecurityDescriptorLength(sd *SECURITY_DESCRIPTOR) (len uint32) = advapi32.GetSecurityDescriptorLength
1165
//sys	getSecurityDescriptorRMControl(sd *SECURITY_DESCRIPTOR, rmControl *uint8) (ret error) [failretval!=0] = advapi32.GetSecurityDescriptorRMControl
1166
//sys	isValidSecurityDescriptor(sd *SECURITY_DESCRIPTOR) (isValid bool) = advapi32.IsValidSecurityDescriptor
1167

1168
//sys	setSecurityDescriptorControl(sd *SECURITY_DESCRIPTOR, controlBitsOfInterest SECURITY_DESCRIPTOR_CONTROL, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) (err error) = advapi32.SetSecurityDescriptorControl
1169
//sys	setSecurityDescriptorDacl(sd *SECURITY_DESCRIPTOR, daclPresent bool, dacl *ACL, daclDefaulted bool) (err error) = advapi32.SetSecurityDescriptorDacl
1170
//sys	setSecurityDescriptorSacl(sd *SECURITY_DESCRIPTOR, saclPresent bool, sacl *ACL, saclDefaulted bool) (err error) = advapi32.SetSecurityDescriptorSacl
1171
//sys	setSecurityDescriptorOwner(sd *SECURITY_DESCRIPTOR, owner *SID, ownerDefaulted bool) (err error) = advapi32.SetSecurityDescriptorOwner
1172
//sys	setSecurityDescriptorGroup(sd *SECURITY_DESCRIPTOR, group *SID, groupDefaulted bool) (err error) = advapi32.SetSecurityDescriptorGroup
1173
//sys	setSecurityDescriptorRMControl(sd *SECURITY_DESCRIPTOR, rmControl *uint8) = advapi32.SetSecurityDescriptorRMControl
1174

1175
//sys	convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd **SECURITY_DESCRIPTOR, size *uint32) (err error) = advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW
1176
//sys	convertSecurityDescriptorToStringSecurityDescriptor(sd *SECURITY_DESCRIPTOR, revision uint32, securityInformation SECURITY_INFORMATION, str **uint16, strLen *uint32) (err error) = advapi32.ConvertSecurityDescriptorToStringSecurityDescriptorW
1177

1178
//sys	makeAbsoluteSD(selfRelativeSD *SECURITY_DESCRIPTOR, absoluteSD *SECURITY_DESCRIPTOR, absoluteSDSize *uint32, dacl *ACL, daclSize *uint32, sacl *ACL, saclSize *uint32, owner *SID, ownerSize *uint32, group *SID, groupSize *uint32) (err error) = advapi32.MakeAbsoluteSD
1179
//sys	makeSelfRelativeSD(absoluteSD *SECURITY_DESCRIPTOR, selfRelativeSD *SECURITY_DESCRIPTOR, selfRelativeSDSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
1180

1181
//sys	setEntriesInAcl(countExplicitEntries uint32, explicitEntries *EXPLICIT_ACCESS, oldACL *ACL, newACL **ACL) (ret error) = advapi32.SetEntriesInAclW
1182
//sys	GetAce(acl *ACL, aceIndex uint32, pAce **ACCESS_ALLOWED_ACE) (err error) = advapi32.GetAce
1183

1184
// Control returns the security descriptor control bits.
1185
func (sd *SECURITY_DESCRIPTOR) Control() (control SECURITY_DESCRIPTOR_CONTROL, revision uint32, err error) {
1186
	err = getSecurityDescriptorControl(sd, &control, &revision)
1187
	return
1188
}
1189

1190
// SetControl sets the security descriptor control bits.
1191
func (sd *SECURITY_DESCRIPTOR) SetControl(controlBitsOfInterest SECURITY_DESCRIPTOR_CONTROL, controlBitsToSet SECURITY_DESCRIPTOR_CONTROL) error {
1192
	return setSecurityDescriptorControl(sd, controlBitsOfInterest, controlBitsToSet)
1193
}
1194

1195
// RMControl returns the security descriptor resource manager control bits.
1196
func (sd *SECURITY_DESCRIPTOR) RMControl() (control uint8, err error) {
1197
	err = getSecurityDescriptorRMControl(sd, &control)
1198
	return
1199
}
1200

1201
// SetRMControl sets the security descriptor resource manager control bits.
1202
func (sd *SECURITY_DESCRIPTOR) SetRMControl(rmControl uint8) {
1203
	setSecurityDescriptorRMControl(sd, &rmControl)
1204
}
1205

1206
// DACL returns the security descriptor DACL and whether it was defaulted. The dacl return value may be nil
1207
// if a DACL exists but is an "empty DACL", meaning fully permissive. If the DACL does not exist, err returns
1208
// ERROR_OBJECT_NOT_FOUND.
1209
func (sd *SECURITY_DESCRIPTOR) DACL() (dacl *ACL, defaulted bool, err error) {
1210
	var present bool
1211
	err = getSecurityDescriptorDacl(sd, &present, &dacl, &defaulted)
1212
	if !present {
1213
		err = ERROR_OBJECT_NOT_FOUND
1214
	}
1215
	return
1216
}
1217

1218
// SetDACL sets the absolute security descriptor DACL.
1219
func (absoluteSD *SECURITY_DESCRIPTOR) SetDACL(dacl *ACL, present, defaulted bool) error {
1220
	return setSecurityDescriptorDacl(absoluteSD, present, dacl, defaulted)
1221
}
1222

1223
// SACL returns the security descriptor SACL and whether it was defaulted. The sacl return value may be nil
1224
// if a SACL exists but is an "empty SACL", meaning fully permissive. If the SACL does not exist, err returns
1225
// ERROR_OBJECT_NOT_FOUND.
1226
func (sd *SECURITY_DESCRIPTOR) SACL() (sacl *ACL, defaulted bool, err error) {
1227
	var present bool
1228
	err = getSecurityDescriptorSacl(sd, &present, &sacl, &defaulted)
1229
	if !present {
1230
		err = ERROR_OBJECT_NOT_FOUND
1231
	}
1232
	return
1233
}
1234

1235
// SetSACL sets the absolute security descriptor SACL.
1236
func (absoluteSD *SECURITY_DESCRIPTOR) SetSACL(sacl *ACL, present, defaulted bool) error {
1237
	return setSecurityDescriptorSacl(absoluteSD, present, sacl, defaulted)
1238
}
1239

1240
// Owner returns the security descriptor owner and whether it was defaulted.
1241
func (sd *SECURITY_DESCRIPTOR) Owner() (owner *SID, defaulted bool, err error) {
1242
	err = getSecurityDescriptorOwner(sd, &owner, &defaulted)
1243
	return
1244
}
1245

1246
// SetOwner sets the absolute security descriptor owner.
1247
func (absoluteSD *SECURITY_DESCRIPTOR) SetOwner(owner *SID, defaulted bool) error {
1248
	return setSecurityDescriptorOwner(absoluteSD, owner, defaulted)
1249
}
1250

1251
// Group returns the security descriptor group and whether it was defaulted.
1252
func (sd *SECURITY_DESCRIPTOR) Group() (group *SID, defaulted bool, err error) {
1253
	err = getSecurityDescriptorGroup(sd, &group, &defaulted)
1254
	return
1255
}
1256

1257
// SetGroup sets the absolute security descriptor owner.
1258
func (absoluteSD *SECURITY_DESCRIPTOR) SetGroup(group *SID, defaulted bool) error {
1259
	return setSecurityDescriptorGroup(absoluteSD, group, defaulted)
1260
}
1261

1262
// Length returns the length of the security descriptor.
1263
func (sd *SECURITY_DESCRIPTOR) Length() uint32 {
1264
	return getSecurityDescriptorLength(sd)
1265
}
1266

1267
// IsValid returns whether the security descriptor is valid.
1268
func (sd *SECURITY_DESCRIPTOR) IsValid() bool {
1269
	return isValidSecurityDescriptor(sd)
1270
}
1271

1272
// String returns the SDDL form of the security descriptor, with a function signature that can be
1273
// used with %v formatting directives.
1274
func (sd *SECURITY_DESCRIPTOR) String() string {
1275
	var sddl *uint16
1276
	err := convertSecurityDescriptorToStringSecurityDescriptor(sd, 1, 0xff, &sddl, nil)
1277
	if err != nil {
1278
		return ""
1279
	}
1280
	defer LocalFree(Handle(unsafe.Pointer(sddl)))
1281
	return UTF16PtrToString(sddl)
1282
}
1283

1284
// ToAbsolute converts a self-relative security descriptor into an absolute one.
1285
func (selfRelativeSD *SECURITY_DESCRIPTOR) ToAbsolute() (absoluteSD *SECURITY_DESCRIPTOR, err error) {
1286
	control, _, err := selfRelativeSD.Control()
1287
	if err != nil {
1288
		return
1289
	}
1290
	if control&SE_SELF_RELATIVE == 0 {
1291
		err = ERROR_INVALID_PARAMETER
1292
		return
1293
	}
1294
	var absoluteSDSize, daclSize, saclSize, ownerSize, groupSize uint32
1295
	err = makeAbsoluteSD(selfRelativeSD, nil, &absoluteSDSize,
1296
		nil, &daclSize, nil, &saclSize, nil, &ownerSize, nil, &groupSize)
1297
	switch err {
1298
	case ERROR_INSUFFICIENT_BUFFER:
1299
	case nil:
1300
		// makeAbsoluteSD is expected to fail, but it succeeds.
1301
		return nil, ERROR_INTERNAL_ERROR
1302
	default:
1303
		return nil, err
1304
	}
1305
	if absoluteSDSize > 0 {
1306
		absoluteSD = new(SECURITY_DESCRIPTOR)
1307
		if unsafe.Sizeof(*absoluteSD) < uintptr(absoluteSDSize) {
1308
			panic("sizeof(SECURITY_DESCRIPTOR) too small")
1309
		}
1310
	}
1311
	var (
1312
		dacl  *ACL
1313
		sacl  *ACL
1314
		owner *SID
1315
		group *SID
1316
	)
1317
	if daclSize > 0 {
1318
		dacl = (*ACL)(unsafe.Pointer(unsafe.SliceData(make([]byte, daclSize))))
1319
	}
1320
	if saclSize > 0 {
1321
		sacl = (*ACL)(unsafe.Pointer(unsafe.SliceData(make([]byte, saclSize))))
1322
	}
1323
	if ownerSize > 0 {
1324
		owner = (*SID)(unsafe.Pointer(unsafe.SliceData(make([]byte, ownerSize))))
1325
	}
1326
	if groupSize > 0 {
1327
		group = (*SID)(unsafe.Pointer(unsafe.SliceData(make([]byte, groupSize))))
1328
	}
1329
	// We call into Windows via makeAbsoluteSD, which sets up
1330
	// pointers within absoluteSD that point to other chunks of memory
1331
	// we pass into makeAbsoluteSD, and that happens outside the view of the GC.
1332
	// We therefore take some care here to then verify the pointers are as we expect
1333
	// and set them explicitly in view of the GC. See https://go.dev/issue/73199.
1334
	// TODO: consider weak pointers once Go 1.24 is appropriate. See suggestion in https://go.dev/cl/663575.
1335
	err = makeAbsoluteSD(selfRelativeSD, absoluteSD, &absoluteSDSize,
1336
		dacl, &daclSize, sacl, &saclSize, owner, &ownerSize, group, &groupSize)
1337
	if err != nil {
1338
		// Don't return absoluteSD, which might be partially initialized.
1339
		return nil, err
1340
	}
1341
	// Before using any fields, verify absoluteSD is in the format we expect according to Windows.
1342
	// See https://learn.microsoft.com/en-us/windows/win32/secauthz/absolute-and-self-relative-security-descriptors
1343
	absControl, _, err := absoluteSD.Control()
1344
	if err != nil {
1345
		panic("absoluteSD: " + err.Error())
1346
	}
1347
	if absControl&SE_SELF_RELATIVE != 0 {
1348
		panic("absoluteSD not in absolute format")
1349
	}
1350
	if absoluteSD.dacl != dacl {
1351
		panic("dacl pointer mismatch")
1352
	}
1353
	if absoluteSD.sacl != sacl {
1354
		panic("sacl pointer mismatch")
1355
	}
1356
	if absoluteSD.owner != owner {
1357
		panic("owner pointer mismatch")
1358
	}
1359
	if absoluteSD.group != group {
1360
		panic("group pointer mismatch")
1361
	}
1362
	absoluteSD.dacl = dacl
1363
	absoluteSD.sacl = sacl
1364
	absoluteSD.owner = owner
1365
	absoluteSD.group = group
1366

1367
	return
1368
}
1369

1370
// ToSelfRelative converts an absolute security descriptor into a self-relative one.
1371
func (absoluteSD *SECURITY_DESCRIPTOR) ToSelfRelative() (selfRelativeSD *SECURITY_DESCRIPTOR, err error) {
1372
	control, _, err := absoluteSD.Control()
1373
	if err != nil {
1374
		return
1375
	}
1376
	if control&SE_SELF_RELATIVE != 0 {
1377
		err = ERROR_INVALID_PARAMETER
1378
		return
1379
	}
1380
	var selfRelativeSDSize uint32
1381
	err = makeSelfRelativeSD(absoluteSD, nil, &selfRelativeSDSize)
1382
	switch err {
1383
	case ERROR_INSUFFICIENT_BUFFER:
1384
	case nil:
1385
		// makeSelfRelativeSD is expected to fail, but it succeeds.
1386
		return nil, ERROR_INTERNAL_ERROR
1387
	default:
1388
		return nil, err
1389
	}
1390
	if selfRelativeSDSize > 0 {
1391
		selfRelativeSD = (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&make([]byte, selfRelativeSDSize)[0]))
1392
	}
1393
	err = makeSelfRelativeSD(absoluteSD, selfRelativeSD, &selfRelativeSDSize)
1394
	return
1395
}
1396

1397
func (selfRelativeSD *SECURITY_DESCRIPTOR) copySelfRelativeSecurityDescriptor() *SECURITY_DESCRIPTOR {
1398
	sdLen := int(selfRelativeSD.Length())
1399
	const min = int(unsafe.Sizeof(SECURITY_DESCRIPTOR{}))
1400
	if sdLen < min {
1401
		sdLen = min
1402
	}
1403

1404
	src := unsafe.Slice((*byte)(unsafe.Pointer(selfRelativeSD)), sdLen)
1405
	// SECURITY_DESCRIPTOR has pointers in it, which means checkptr expects for it to
1406
	// be aligned properly. When we're copying a Windows-allocated struct to a
1407
	// Go-allocated one, make sure that the Go allocation is aligned to the
1408
	// pointer size.
1409
	const psize = int(unsafe.Sizeof(uintptr(0)))
1410
	alloc := make([]uintptr, (sdLen+psize-1)/psize)
1411
	dst := unsafe.Slice((*byte)(unsafe.Pointer(&alloc[0])), sdLen)
1412
	copy(dst, src)
1413
	return (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&dst[0]))
1414
}
1415

1416
// SecurityDescriptorFromString converts an SDDL string describing a security descriptor into a
1417
// self-relative security descriptor object allocated on the Go heap.
1418
func SecurityDescriptorFromString(sddl string) (sd *SECURITY_DESCRIPTOR, err error) {
1419
	var winHeapSD *SECURITY_DESCRIPTOR
1420
	err = convertStringSecurityDescriptorToSecurityDescriptor(sddl, 1, &winHeapSD, nil)
1421
	if err != nil {
1422
		return
1423
	}
1424
	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
1425
	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
1426
}
1427

1428
// GetSecurityInfo queries the security information for a given handle and returns the self-relative security
1429
// descriptor result on the Go heap.
1430
func GetSecurityInfo(handle Handle, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION) (sd *SECURITY_DESCRIPTOR, err error) {
1431
	var winHeapSD *SECURITY_DESCRIPTOR
1432
	err = getSecurityInfo(handle, objectType, securityInformation, nil, nil, nil, nil, &winHeapSD)
1433
	if err != nil {
1434
		return
1435
	}
1436
	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
1437
	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
1438
}
1439

1440
// GetNamedSecurityInfo queries the security information for a given named object and returns the self-relative security
1441
// descriptor result on the Go heap.
1442
func GetNamedSecurityInfo(objectName string, objectType SE_OBJECT_TYPE, securityInformation SECURITY_INFORMATION) (sd *SECURITY_DESCRIPTOR, err error) {
1443
	var winHeapSD *SECURITY_DESCRIPTOR
1444
	err = getNamedSecurityInfo(objectName, objectType, securityInformation, nil, nil, nil, nil, &winHeapSD)
1445
	if err != nil {
1446
		return
1447
	}
1448
	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
1449
	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
1450
}
1451

1452
// BuildSecurityDescriptor makes a new security descriptor using the input trustees, explicit access lists, and
1453
// prior security descriptor to be merged, any of which can be nil, returning the self-relative security descriptor
1454
// result on the Go heap.
1455
func BuildSecurityDescriptor(owner *TRUSTEE, group *TRUSTEE, accessEntries []EXPLICIT_ACCESS, auditEntries []EXPLICIT_ACCESS, mergedSecurityDescriptor *SECURITY_DESCRIPTOR) (sd *SECURITY_DESCRIPTOR, err error) {
1456
	var winHeapSD *SECURITY_DESCRIPTOR
1457
	var winHeapSDSize uint32
1458
	var firstAccessEntry *EXPLICIT_ACCESS
1459
	if len(accessEntries) > 0 {
1460
		firstAccessEntry = &accessEntries[0]
1461
	}
1462
	var firstAuditEntry *EXPLICIT_ACCESS
1463
	if len(auditEntries) > 0 {
1464
		firstAuditEntry = &auditEntries[0]
1465
	}
1466
	err = buildSecurityDescriptor(owner, group, uint32(len(accessEntries)), firstAccessEntry, uint32(len(auditEntries)), firstAuditEntry, mergedSecurityDescriptor, &winHeapSDSize, &winHeapSD)
1467
	if err != nil {
1468
		return
1469
	}
1470
	defer LocalFree(Handle(unsafe.Pointer(winHeapSD)))
1471
	return winHeapSD.copySelfRelativeSecurityDescriptor(), nil
1472
}
1473

1474
// NewSecurityDescriptor creates and initializes a new absolute security descriptor.
1475
func NewSecurityDescriptor() (absoluteSD *SECURITY_DESCRIPTOR, err error) {
1476
	absoluteSD = &SECURITY_DESCRIPTOR{}
1477
	err = initializeSecurityDescriptor(absoluteSD, 1)
1478
	return
1479
}
1480

1481
// ACLFromEntries returns a new ACL on the Go heap containing a list of explicit entries as well as those of another ACL.
1482
// Both explicitEntries and mergedACL are optional and can be nil.
1483
func ACLFromEntries(explicitEntries []EXPLICIT_ACCESS, mergedACL *ACL) (acl *ACL, err error) {
1484
	var firstExplicitEntry *EXPLICIT_ACCESS
1485
	if len(explicitEntries) > 0 {
1486
		firstExplicitEntry = &explicitEntries[0]
1487
	}
1488
	var winHeapACL *ACL
1489
	err = setEntriesInAcl(uint32(len(explicitEntries)), firstExplicitEntry, mergedACL, &winHeapACL)
1490
	if err != nil {
1491
		return
1492
	}
1493
	defer LocalFree(Handle(unsafe.Pointer(winHeapACL)))
1494
	aclBytes := make([]byte, winHeapACL.aclSize)
1495
	copy(aclBytes, (*[(1 << 31) - 1]byte)(unsafe.Pointer(winHeapACL))[:len(aclBytes):len(aclBytes)])
1496
	return (*ACL)(unsafe.Pointer(&aclBytes[0])), nil
1497
}
1498

1499