github.com/Serizao/go-winio@v0.0.0-20230906082528-f02f7f4ad6e8/sd.go

github.com/Serizao/go-winio@v0.0.0-20230906082528-f02f7f4ad6e8/sd.go (about)

     1  //go:build windows
     2  // +build windows
     3  
     4  package winio
     5  
     6  import (
     7  	"errors"
     8  	"fmt"
     9  	"unsafe"
    10  
    11  	"golang.org/x/sys/windows"
    12  )
    13  
    14  //sys lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountNameW
    15  //sys lookupAccountSid(systemName *uint16, sid *byte, name *uint16, nameSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountSidW
    16  //sys convertSidToStringSid(sid *byte, str **uint16) (err error) = advapi32.ConvertSidToStringSidW
    17  //sys convertStringSidToSid(str *uint16, sid **byte) (err error) = advapi32.ConvertStringSidToSidW
    18  
    19  type AccountLookupError struct {
    20  	Name string
    21  	Err  error
    22  }
    23  
    24  func (e *AccountLookupError) Error() string {
    25  	if e.Name == "" {
    26  		return "lookup account: empty account name specified"
    27  	}
    28  	var s string
    29  	switch {
    30  	case errors.Is(e.Err, windows.ERROR_INVALID_SID):
    31  		s = "the security ID structure is invalid"
    32  	case errors.Is(e.Err, windows.ERROR_NONE_MAPPED):
    33  		s = "not found"
    34  	default:
    35  		s = e.Err.Error()
    36  	}
    37  	return "lookup account " + e.Name + ": " + s
    38  }
    39  
    40  func (e *AccountLookupError) Unwrap() error { return e.Err }
    41  
    42  type SddlConversionError struct {
    43  	Sddl string
    44  	Err  error
    45  }
    46  
    47  func (e *SddlConversionError) Error() string {
    48  	return "convert " + e.Sddl + ": " + e.Err.Error()
    49  }
    50  
    51  func (e *SddlConversionError) Unwrap() error { return e.Err }
    52  
    53  // LookupSidByName looks up the SID of an account by name
    54  //
    55  //revive:disable-next-line:var-naming SID, not Sid
    56  func LookupSidByName(name string) (sid string, err error) {
    57  	if name == "" {
    58  		return "", &AccountLookupError{name, windows.ERROR_NONE_MAPPED}
    59  	}
    60  
    61  	var sidSize, sidNameUse, refDomainSize uint32
    62  	err = lookupAccountName(nil, name, nil, &sidSize, nil, &refDomainSize, &sidNameUse)
    63  	if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
    64  		return "", &AccountLookupError{name, err}
    65  	}
    66  	sidBuffer := make([]byte, sidSize)
    67  	refDomainBuffer := make([]uint16, refDomainSize)
    68  	err = lookupAccountName(nil, name, &sidBuffer[0], &sidSize, &refDomainBuffer[0], &refDomainSize, &sidNameUse)
    69  	if err != nil {
    70  		return "", &AccountLookupError{name, err}
    71  	}
    72  	var strBuffer *uint16
    73  	err = convertSidToStringSid(&sidBuffer[0], &strBuffer)
    74  	if err != nil {
    75  		return "", &AccountLookupError{name, err}
    76  	}
    77  	sid = windows.UTF16ToString((*[0xffff]uint16)(unsafe.Pointer(strBuffer))[:])
    78  	_, _ = windows.LocalFree(windows.Handle(unsafe.Pointer(strBuffer)))
    79  	return sid, nil
    80  }
    81  
    82  // LookupNameBySid looks up the name of an account by SID
    83  //
    84  //revive:disable-next-line:var-naming SID, not Sid
    85  func LookupNameBySid(sid string) (name string, err error) {
    86  	if sid == "" {
    87  		return "", &AccountLookupError{sid, windows.ERROR_NONE_MAPPED}
    88  	}
    89  
    90  	sidBuffer, err := windows.UTF16PtrFromString(sid)
    91  	if err != nil {
    92  		return "", &AccountLookupError{sid, err}
    93  	}
    94  
    95  	var sidPtr *byte
    96  	if err = convertStringSidToSid(sidBuffer, &sidPtr); err != nil {
    97  		return "", &AccountLookupError{sid, err}
    98  	}
    99  	defer windows.LocalFree(windows.Handle(unsafe.Pointer(sidPtr))) //nolint:errcheck
   100  
   101  	var nameSize, refDomainSize, sidNameUse uint32
   102  	err = lookupAccountSid(nil, sidPtr, nil, &nameSize, nil, &refDomainSize, &sidNameUse)
   103  	if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
   104  		return "", &AccountLookupError{sid, err}
   105  	}
   106  
   107  	nameBuffer := make([]uint16, nameSize)
   108  	refDomainBuffer := make([]uint16, refDomainSize)
   109  	err = lookupAccountSid(nil, sidPtr, &nameBuffer[0], &nameSize, &refDomainBuffer[0], &refDomainSize, &sidNameUse)
   110  	if err != nil {
   111  		return "", &AccountLookupError{sid, err}
   112  	}
   113  
   114  	name = windows.UTF16ToString(nameBuffer)
   115  	return name, nil
   116  }
   117  
   118  func SddlToSecurityDescriptor(sddl string) ([]byte, error) {
   119  	sd, err := windows.SecurityDescriptorFromString(sddl)
   120  	if err != nil {
   121  		return nil, &SddlConversionError{Sddl: sddl, Err: err}
   122  	}
   123  	b := unsafe.Slice((*byte)(unsafe.Pointer(sd)), sd.Length())
   124  	return b, nil
   125  }
   126  
   127  func SecurityDescriptorToSddl(sd []byte) (string, error) {
   128  	if l := int(unsafe.Sizeof(windows.SECURITY_DESCRIPTOR{})); len(sd) < l {
   129  		return "", fmt.Errorf("SecurityDescriptor (%d) smaller than expected (%d): %w", len(sd), l, windows.ERROR_INCORRECT_SIZE)
   130  	}
   131  	s := (*windows.SECURITY_DESCRIPTOR)(unsafe.Pointer(&sd[0]))
   132  	return s.String(), nil
   133  }