/**

 * WinPR: Windows Portable Runtime

 * Security Definitions

 *

 * Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#ifndef WINPR_SECURITY_H

#define WINPR_SECURITY_H

#include <winpr/winpr.h>

#include <winpr/wtypes.h>

/**

 * Windows Integrity Mechanism Design:

 * http://msdn.microsoft.com/en-us/library/bb625963.aspx

 */

#ifndef _WIN32

#include <winpr/nt.h>

#define ANYSIZE_ARRAY 1

typedef enum _SECURITY_IMPERSONATION_LEVEL

{

	SecurityAnonymous,

	SecurityIdentification,

	SecurityImpersonation,

	SecurityDelegation

} SECURITY_IMPERSONATION_LEVEL,

    *PSECURITY_IMPERSONATION_LEVEL;

#define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation

#define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous

#define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation

#define VALID_IMPERSONATION_LEVEL(L) \

	(((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL))

#define TOKEN_ASSIGN_PRIMARY (0x0001)

#define TOKEN_DUPLICATE (0x0002)

#define TOKEN_IMPERSONATE (0x0004)

#define TOKEN_QUERY (0x0008)

#define TOKEN_QUERY_SOURCE (0x0010)

#define TOKEN_ADJUST_PRIVILEGES (0x0020)

#define TOKEN_ADJUST_GROUPS (0x0040)

#define TOKEN_ADJUST_DEFAULT (0x0080)

#define TOKEN_ADJUST_SESSIONID (0x0100)

#define TOKEN_ALL_ACCESS_P                                                                   \

	(STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | \

	 TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS |      \

	 TOKEN_ADJUST_DEFAULT)

#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | TOKEN_ADJUST_SESSIONID)

#define TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY)

#define TOKEN_WRITE \

	(STANDARD_RIGHTS_WRITE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT)

#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)

#define TOKEN_MANDATORY_POLICY_OFF 0x0

#define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1

#define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2

#define TOKEN_MANDATORY_POLICY_VALID_MASK \

	(TOKEN_MANDATORY_POLICY_NO_WRITE_UP | TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)

#define POLICY_AUDIT_SUBCATEGORY_COUNT (56)

#define TOKEN_SOURCE_LENGTH 8

#define SID_REVISION (1)

#define SID_MAX_SUB_AUTHORITIES (15)

#define SID_RECOMMENDED_SUB_AUTHORITIES (1)

#define SID_HASH_SIZE 32

#define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000

#define SECURITY_MANDATORY_LOW_RID 0x1000

#define SECURITY_MANDATORY_MEDIUM_RID 0x2000

#define SECURITY_MANDATORY_HIGH_RID 0x3000

#define SECURITY_MANDATORY_SYSTEM_RID 0x4000

#define SECURITY_NULL_SID_AUTHORITY \

	{                               \

		0, 0, 0, 0, 0, 0            \

	}

#define SECURITY_WORLD_SID_AUTHORITY \

	{                                \

		0, 0, 0, 0, 0, 1             \

	}

#define SECURITY_LOCAL_SID_AUTHORITY \

	{                                \

		0, 0, 0, 0, 0, 2             \

	}

#define SECURITY_CREATOR_SID_AUTHORITY \

	{                                  \

		0, 0, 0, 0, 0, 3               \

	}

#define SECURITY_NON_UNIQUE_AUTHORITY \

	{                                 \

		0, 0, 0, 0, 0, 4              \

	}

#define SECURITY_RESOURCE_MANAGER_AUTHORITY \

	{                                       \

		0, 0, 0, 0, 0, 9                    \

	}

#define SECURITY_NULL_RID (0x00000000L)

#define SECURITY_WORLD_RID (0x00000000L)

#define SECURITY_LOCAL_RID (0x00000000L)

#define SECURITY_LOCAL_LOGON_RID (0x00000001L)

#define SECURITY_CREATOR_OWNER_RID (0x00000000L)

#define SECURITY_CREATOR_GROUP_RID (0x00000001L)

#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)

#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)

#define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L)

typedef PVOID PACCESS_TOKEN;

typedef PVOID PCLAIMS_BLOB;

typedef struct _LUID_AND_ATTRIBUTES

{

	LUID Luid;

	DWORD Attributes;

} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;

typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];

typedef LUID_AND_ATTRIBUTES_ARRAY* PLUID_AND_ATTRIBUTES_ARRAY;

typedef struct _SID_IDENTIFIER_AUTHORITY

{

	BYTE Value[6];

} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;

typedef struct _SID

{

	BYTE Revision;

	BYTE SubAuthorityCount;

	SID_IDENTIFIER_AUTHORITY IdentifierAuthority;

	DWORD SubAuthority[ANYSIZE_ARRAY];

} SID, *PISID;

typedef enum _SID_NAME_USE

{

	SidTypeUser = 1,

	SidTypeGroup,

	SidTypeDomain,

	SidTypeAlias,

	SidTypeWellKnownGroup,

	SidTypeDeletedAccount,

	SidTypeInvalid,

	SidTypeUnknown,

	SidTypeComputer,

	SidTypeLabel

} SID_NAME_USE,

    *PSID_NAME_USE;

typedef struct _SID_AND_ATTRIBUTES

{

	PSID Sid;

	DWORD Attributes;

} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;

typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];

typedef SID_AND_ATTRIBUTES_ARRAY* PSID_AND_ATTRIBUTES_ARRAY;

typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY;

typedef struct _SID_AND_ATTRIBUTES_HASH

{

	DWORD SidCount;

	PSID_AND_ATTRIBUTES SidAttr;

	SID_HASH_ENTRY Hash[SID_HASH_SIZE];

} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH;

typedef enum _TOKEN_TYPE

{

	TokenPrimary = 1,

	TokenImpersonation

} TOKEN_TYPE;

typedef TOKEN_TYPE* PTOKEN_TYPE;

typedef enum _TOKEN_ELEVATION_TYPE

{

	TokenElevationTypeDefault = 1,

	TokenElevationTypeFull,

	TokenElevationTypeLimited

} TOKEN_ELEVATION_TYPE,

    *PTOKEN_ELEVATION_TYPE;

typedef enum _TOKEN_INFORMATION_CLASS

{

	TokenUser = 1,

	TokenGroups,

	TokenPrivileges,

	TokenOwner,

	TokenPrimaryGroup,

	TokenDefaultDacl,

	TokenSource,

	TokenType,

	TokenImpersonationLevel,

	TokenStatistics,

	TokenRestrictedSids,

	TokenSessionId,

	TokenGroupsAndPrivileges,

	TokenSessionReference,

	TokenSandBoxInert,

	TokenAuditPolicy,

	TokenOrigin,

	TokenElevationType,

	TokenLinkedToken,

	TokenElevation,

	TokenHasRestrictions,

	TokenAccessInformation,

	TokenVirtualizationAllowed,

	TokenVirtualizationEnabled,

	TokenIntegrityLevel,

	TokenUIAccess,

	TokenMandatoryPolicy,

	TokenLogonSid,

	TokenIsAppContainer,

	TokenCapabilities,

	TokenAppContainerSid,

	TokenAppContainerNumber,

	TokenUserClaimAttributes,

	TokenDeviceClaimAttributes,

	TokenRestrictedUserClaimAttributes,

	TokenRestrictedDeviceClaimAttributes,

	TokenDeviceGroups,

	TokenRestrictedDeviceGroups,

	TokenSecurityAttributes,

	TokenIsRestricted,

	MaxTokenInfoClass

} TOKEN_INFORMATION_CLASS,

    *PTOKEN_INFORMATION_CLASS;

typedef struct _TOKEN_USER

{

	SID_AND_ATTRIBUTES User;

} TOKEN_USER, *PTOKEN_USER;

typedef struct _TOKEN_GROUPS

{

	DWORD GroupCount;

	SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];

} TOKEN_GROUPS, *PTOKEN_GROUPS;

typedef struct _TOKEN_PRIVILEGES

{

	DWORD PrivilegeCount;

	LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];

} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;

typedef struct _TOKEN_OWNER

{

	PSID Owner;

} TOKEN_OWNER, *PTOKEN_OWNER;

typedef struct _TOKEN_PRIMARY_GROUP

{

	PSID PrimaryGroup;

} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;

typedef struct _TOKEN_DEFAULT_DACL

{

	PACL DefaultDacl;

} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;

typedef struct _TOKEN_USER_CLAIMS

{

	PCLAIMS_BLOB UserClaims;

} TOKEN_USER_CLAIMS, *PTOKEN_USER_CLAIMS;

typedef struct _TOKEN_DEVICE_CLAIMS

{

	PCLAIMS_BLOB DeviceClaims;

} TOKEN_DEVICE_CLAIMS, *PTOKEN_DEVICE_CLAIMS;

typedef struct _TOKEN_GROUPS_AND_PRIVILEGES

{

	DWORD SidCount;

	DWORD SidLength;

	PSID_AND_ATTRIBUTES Sids;

	DWORD RestrictedSidCount;

	DWORD RestrictedSidLength;

	PSID_AND_ATTRIBUTES RestrictedSids;

	DWORD PrivilegeCount;

	DWORD PrivilegeLength;

	PLUID_AND_ATTRIBUTES Privileges;

	LUID AuthenticationId;

} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;

typedef struct _TOKEN_LINKED_TOKEN

{

	HANDLE LinkedToken;

} TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN;

typedef struct _TOKEN_ELEVATION

{

	DWORD TokenIsElevated;

} TOKEN_ELEVATION, *PTOKEN_ELEVATION;

typedef struct _TOKEN_MANDATORY_LABEL

{

	SID_AND_ATTRIBUTES Label;

} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;

typedef struct _TOKEN_MANDATORY_POLICY

{

	DWORD Policy;

} TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY;

typedef struct _TOKEN_ACCESS_INFORMATION

{

	PSID_AND_ATTRIBUTES_HASH SidHash;

	PSID_AND_ATTRIBUTES_HASH RestrictedSidHash;

	PTOKEN_PRIVILEGES Privileges;

	LUID AuthenticationId;

	TOKEN_TYPE TokenType;

	SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;

	TOKEN_MANDATORY_POLICY MandatoryPolicy;

	DWORD Flags;

	DWORD AppContainerNumber;

	PSID PackageSid;

	PSID_AND_ATTRIBUTES_HASH CapabilitiesHash;

} TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION;

typedef struct _TOKEN_AUDIT_POLICY

{

	BYTE PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1];

} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY;

typedef struct _TOKEN_SOURCE

{

	CHAR SourceName[TOKEN_SOURCE_LENGTH];

	LUID SourceIdentifier;

} TOKEN_SOURCE, *PTOKEN_SOURCE;

typedef struct _TOKEN_STATISTICS

{

	LUID TokenId;

	LUID AuthenticationId;

	LARGE_INTEGER ExpirationTime;

	TOKEN_TYPE TokenType;

	SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;

	DWORD DynamicCharged;

	DWORD DynamicAvailable;

	DWORD GroupCount;

	DWORD PrivilegeCount;

	LUID ModifiedId;

} TOKEN_STATISTICS, *PTOKEN_STATISTICS;

typedef struct _TOKEN_CONTROL

{

	LUID TokenId;

	LUID AuthenticationId;

	LUID ModifiedId;

	TOKEN_SOURCE TokenSource;

} TOKEN_CONTROL, *PTOKEN_CONTROL;

typedef struct _TOKEN_ORIGIN

{

	LUID OriginatingLogonSession;

} TOKEN_ORIGIN, *PTOKEN_ORIGIN;

typedef enum _MANDATORY_LEVEL

{

	MandatoryLevelUntrusted = 0,

	MandatoryLevelLow,

	MandatoryLevelMedium,

	MandatoryLevelHigh,

	MandatoryLevelSystem,

	MandatoryLevelSecureProcess,

	MandatoryLevelCount

} MANDATORY_LEVEL,

    *PMANDATORY_LEVEL;

typedef struct _TOKEN_APPCONTAINER_INFORMATION

{

	PSID TokenAppContainer;

} TOKEN_APPCONTAINER_INFORMATION, *PTOKEN_APPCONTAINER_INFORMATION;

#ifdef __cplusplus

extern "C"

{

#endif

	WINPR_API BOOL InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                            DWORD dwRevision);

	WINPR_API DWORD GetSecurityDescriptorLength(PSECURITY_DESCRIPTOR pSecurityDescriptor);

	WINPR_API BOOL IsValidSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor);

	WINPR_API BOOL GetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                            PSECURITY_DESCRIPTOR_CONTROL pControl,

	                                            LPDWORD lpdwRevision);

	WINPR_API BOOL SetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                            SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,

	                                            SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet);

	WINPR_API BOOL GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                         LPBOOL lpbDaclPresent, PACL* pDacl,

	                                         LPBOOL lpbDaclDefaulted);

	WINPR_API BOOL SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                         BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted);

	WINPR_API BOOL GetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                          PSID* pGroup, LPBOOL lpbGroupDefaulted);

	WINPR_API BOOL SetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pGroup,

	                                          BOOL bGroupDefaulted);

	WINPR_API BOOL GetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                          PSID* pOwner, LPBOOL lpbOwnerDefaulted);

	WINPR_API BOOL SetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pOwner,

	                                          BOOL bOwnerDefaulted);

	WINPR_API DWORD GetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor,

	                                               PUCHAR RMControl);

	WINPR_API DWORD SetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor,

	                                               PUCHAR RMControl);

	WINPR_API BOOL GetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                         LPBOOL lpbSaclPresent, PACL* pSacl,

	                                         LPBOOL lpbSaclDefaulted);

	WINPR_API BOOL SetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,

	                                         BOOL bSaclPresent, PACL pSacl, BOOL bSaclDefaulted);

#ifdef __cplusplus

}

#endif

#endif

#endif /* WINPR_SECURITY_H */