github.com/Serizao/go-winio@v0.0.0-20230906082528-f02f7f4ad6e8/sd.go (about) 1 //go:build windows 2 // +build windows 3 4 package winio 5 6 import ( 7 "errors" 8 "fmt" 9 "unsafe" 10 11 "golang.org/x/sys/windows" 12 ) 13 14 //sys lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountNameW 15 //sys lookupAccountSid(systemName *uint16, sid *byte, name *uint16, nameSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountSidW 16 //sys convertSidToStringSid(sid *byte, str **uint16) (err error) = advapi32.ConvertSidToStringSidW 17 //sys convertStringSidToSid(str *uint16, sid **byte) (err error) = advapi32.ConvertStringSidToSidW 18 19 type AccountLookupError struct { 20 Name string 21 Err error 22 } 23 24 func (e *AccountLookupError) Error() string { 25 if e.Name == "" { 26 return "lookup account: empty account name specified" 27 } 28 var s string 29 switch { 30 case errors.Is(e.Err, windows.ERROR_INVALID_SID): 31 s = "the security ID structure is invalid" 32 case errors.Is(e.Err, windows.ERROR_NONE_MAPPED): 33 s = "not found" 34 default: 35 s = e.Err.Error() 36 } 37 return "lookup account " + e.Name + ": " + s 38 } 39 40 func (e *AccountLookupError) Unwrap() error { return e.Err } 41 42 type SddlConversionError struct { 43 Sddl string 44 Err error 45 } 46 47 func (e *SddlConversionError) Error() string { 48 return "convert " + e.Sddl + ": " + e.Err.Error() 49 } 50 51 func (e *SddlConversionError) Unwrap() error { return e.Err } 52 53 // LookupSidByName looks up the SID of an account by name 54 // 55 //revive:disable-next-line:var-naming SID, not Sid 56 func LookupSidByName(name string) (sid string, err error) { 57 if name == "" { 58 return "", &AccountLookupError{name, windows.ERROR_NONE_MAPPED} 59 } 60 61 var sidSize, sidNameUse, refDomainSize uint32 62 err = lookupAccountName(nil, name, nil, &sidSize, nil, &refDomainSize, &sidNameUse) 63 if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno 64 return "", &AccountLookupError{name, err} 65 } 66 sidBuffer := make([]byte, sidSize) 67 refDomainBuffer := make([]uint16, refDomainSize) 68 err = lookupAccountName(nil, name, &sidBuffer[0], &sidSize, &refDomainBuffer[0], &refDomainSize, &sidNameUse) 69 if err != nil { 70 return "", &AccountLookupError{name, err} 71 } 72 var strBuffer *uint16 73 err = convertSidToStringSid(&sidBuffer[0], &strBuffer) 74 if err != nil { 75 return "", &AccountLookupError{name, err} 76 } 77 sid = windows.UTF16ToString((*[0xffff]uint16)(unsafe.Pointer(strBuffer))[:]) 78 _, _ = windows.LocalFree(windows.Handle(unsafe.Pointer(strBuffer))) 79 return sid, nil 80 } 81 82 // LookupNameBySid looks up the name of an account by SID 83 // 84 //revive:disable-next-line:var-naming SID, not Sid 85 func LookupNameBySid(sid string) (name string, err error) { 86 if sid == "" { 87 return "", &AccountLookupError{sid, windows.ERROR_NONE_MAPPED} 88 } 89 90 sidBuffer, err := windows.UTF16PtrFromString(sid) 91 if err != nil { 92 return "", &AccountLookupError{sid, err} 93 } 94 95 var sidPtr *byte 96 if err = convertStringSidToSid(sidBuffer, &sidPtr); err != nil { 97 return "", &AccountLookupError{sid, err} 98 } 99 defer windows.LocalFree(windows.Handle(unsafe.Pointer(sidPtr))) //nolint:errcheck 100 101 var nameSize, refDomainSize, sidNameUse uint32 102 err = lookupAccountSid(nil, sidPtr, nil, &nameSize, nil, &refDomainSize, &sidNameUse) 103 if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno 104 return "", &AccountLookupError{sid, err} 105 } 106 107 nameBuffer := make([]uint16, nameSize) 108 refDomainBuffer := make([]uint16, refDomainSize) 109 err = lookupAccountSid(nil, sidPtr, &nameBuffer[0], &nameSize, &refDomainBuffer[0], &refDomainSize, &sidNameUse) 110 if err != nil { 111 return "", &AccountLookupError{sid, err} 112 } 113 114 name = windows.UTF16ToString(nameBuffer) 115 return name, nil 116 } 117 118 func SddlToSecurityDescriptor(sddl string) ([]byte, error) { 119 sd, err := windows.SecurityDescriptorFromString(sddl) 120 if err != nil { 121 return nil, &SddlConversionError{Sddl: sddl, Err: err} 122 } 123 b := unsafe.Slice((*byte)(unsafe.Pointer(sd)), sd.Length()) 124 return b, nil 125 } 126 127 func SecurityDescriptorToSddl(sd []byte) (string, error) { 128 if l := int(unsafe.Sizeof(windows.SECURITY_DESCRIPTOR{})); len(sd) < l { 129 return "", fmt.Errorf("SecurityDescriptor (%d) smaller than expected (%d): %w", len(sd), l, windows.ERROR_INCORRECT_SIZE) 130 } 131 s := (*windows.SECURITY_DESCRIPTOR)(unsafe.Pointer(&sd[0])) 132 return s.String(), nil 133 }