main
1//go:build windows
2// +build windows
3
4package winio
5
6import (
7 "errors"
8 "fmt"
9 "unsafe"
10
11 "golang.org/x/sys/windows"
12)
13
14//sys lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountNameW
15//sys lookupAccountSid(systemName *uint16, sid *byte, name *uint16, nameSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountSidW
16//sys convertSidToStringSid(sid *byte, str **uint16) (err error) = advapi32.ConvertSidToStringSidW
17//sys convertStringSidToSid(str *uint16, sid **byte) (err error) = advapi32.ConvertStringSidToSidW
18
19type AccountLookupError struct {
20 Name string
21 Err error
22}
23
24func (e *AccountLookupError) Error() string {
25 if e.Name == "" {
26 return "lookup account: empty account name specified"
27 }
28 var s string
29 switch {
30 case errors.Is(e.Err, windows.ERROR_INVALID_SID):
31 s = "the security ID structure is invalid"
32 case errors.Is(e.Err, windows.ERROR_NONE_MAPPED):
33 s = "not found"
34 default:
35 s = e.Err.Error()
36 }
37 return "lookup account " + e.Name + ": " + s
38}
39
40func (e *AccountLookupError) Unwrap() error { return e.Err }
41
42type SddlConversionError struct {
43 Sddl string
44 Err error
45}
46
47func (e *SddlConversionError) Error() string {
48 return "convert " + e.Sddl + ": " + e.Err.Error()
49}
50
51func (e *SddlConversionError) Unwrap() error { return e.Err }
52
53// LookupSidByName looks up the SID of an account by name
54//
55//revive:disable-next-line:var-naming SID, not Sid
56func LookupSidByName(name string) (sid string, err error) {
57 if name == "" {
58 return "", &AccountLookupError{name, windows.ERROR_NONE_MAPPED}
59 }
60
61 var sidSize, sidNameUse, refDomainSize uint32
62 err = lookupAccountName(nil, name, nil, &sidSize, nil, &refDomainSize, &sidNameUse)
63 if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
64 return "", &AccountLookupError{name, err}
65 }
66 sidBuffer := make([]byte, sidSize)
67 refDomainBuffer := make([]uint16, refDomainSize)
68 err = lookupAccountName(nil, name, &sidBuffer[0], &sidSize, &refDomainBuffer[0], &refDomainSize, &sidNameUse)
69 if err != nil {
70 return "", &AccountLookupError{name, err}
71 }
72 var strBuffer *uint16
73 err = convertSidToStringSid(&sidBuffer[0], &strBuffer)
74 if err != nil {
75 return "", &AccountLookupError{name, err}
76 }
77 sid = windows.UTF16ToString((*[0xffff]uint16)(unsafe.Pointer(strBuffer))[:])
78 _, _ = windows.LocalFree(windows.Handle(unsafe.Pointer(strBuffer)))
79 return sid, nil
80}
81
82// LookupNameBySid looks up the name of an account by SID
83//
84//revive:disable-next-line:var-naming SID, not Sid
85func LookupNameBySid(sid string) (name string, err error) {
86 if sid == "" {
87 return "", &AccountLookupError{sid, windows.ERROR_NONE_MAPPED}
88 }
89
90 sidBuffer, err := windows.UTF16PtrFromString(sid)
91 if err != nil {
92 return "", &AccountLookupError{sid, err}
93 }
94
95 var sidPtr *byte
96 if err = convertStringSidToSid(sidBuffer, &sidPtr); err != nil {
97 return "", &AccountLookupError{sid, err}
98 }
99 defer windows.LocalFree(windows.Handle(unsafe.Pointer(sidPtr))) //nolint:errcheck
100
101 var nameSize, refDomainSize, sidNameUse uint32
102 err = lookupAccountSid(nil, sidPtr, nil, &nameSize, nil, &refDomainSize, &sidNameUse)
103 if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
104 return "", &AccountLookupError{sid, err}
105 }
106
107 nameBuffer := make([]uint16, nameSize)
108 refDomainBuffer := make([]uint16, refDomainSize)
109 err = lookupAccountSid(nil, sidPtr, &nameBuffer[0], &nameSize, &refDomainBuffer[0], &refDomainSize, &sidNameUse)
110 if err != nil {
111 return "", &AccountLookupError{sid, err}
112 }
113
114 name = windows.UTF16ToString(nameBuffer)
115 return name, nil
116}
117
118func SddlToSecurityDescriptor(sddl string) ([]byte, error) {
119 sd, err := windows.SecurityDescriptorFromString(sddl)
120 if err != nil {
121 return nil, &SddlConversionError{Sddl: sddl, Err: err}
122 }
123 b := unsafe.Slice((*byte)(unsafe.Pointer(sd)), sd.Length())
124 return b, nil
125}
126
127func SecurityDescriptorToSddl(sd []byte) (string, error) {
128 if l := int(unsafe.Sizeof(windows.SECURITY_DESCRIPTOR{})); len(sd) < l {
129 return "", fmt.Errorf("SecurityDescriptor (%d) smaller than expected (%d): %w", len(sd), l, windows.ERROR_INCORRECT_SIZE)
130 }
131 s := (*windows.SECURITY_DESCRIPTOR)(unsafe.Pointer(&sd[0]))
132 return s.String(), nil
133}