win32-security 0.1.4 → 0.2.0

data/CHANGES

@@ -1,3 +1,7 @@
+== 0.2.0 - 11-Jan-2013
+* Converted the code to FFI.
+* Refactored some of the tests.
+
 = 0.1.4 - 4-Oct-2012
 * Updated the SID.string_to_sid method so that it completes a string/sid
   round trip successfully now. Thanks go to Josh Cooper for the patch.

data/MANIFEST

@@ -1,9 +1,9 @@
-* CHANGES
-* MANIFEST
-* README
-* Rakefile
-* win32-security.gemspec
-* lib/win32/security.rb
-* lib/win32/security/sid.rb
-* test/test_security.rb
+* CHANGES
+* MANIFEST
+* README
+* Rakefile
+* win32-security.gemspec
+* lib/win32/security.rb
+* lib/win32/security/sid.rb
+* test/test_security.rb
 * test/test_sid.rb

data/README

@@ -27,7 +27,7 @@
   Artistic 2.0
     
 == Copyright
-  (C) 2003-2012 Daniel J. Berger
+  (C) 2003-2013 Daniel J. Berger
   All Rights Reserved
     
 == Authors

data/Rakefile

@@ -1,13 +1,11 @@
 require 'rake'
+require 'rake/clean'
 require 'rake/testtask'
 require 'rbconfig'
 
-namespace :gem do
-  desc "Remove any .gem files in the project"
-  task :clean do
-    Dir['*.gem'].each{ |f| File.delete(f) }
-  end
+CLEAN.include('**/*.gem', '**/*.rbc')
 
+namespace :gem do
   desc "Create the win32-security gem"
   task :create => [:clean] do
     spec = eval(IO.read('win32-security.gemspec'))
@@ -29,6 +27,12 @@ namespace :test do
     t.test_files = Dir['test/test_security.rb']
   end
 
+  Rake::TestTask.new(:acl) do |t|
+    t.verbose = true
+    t.warning = true
+    t.test_files = Dir['test/test_acl.rb']
+  end
+
   Rake::TestTask.new(:sid) do |t|
     t.verbose = true
     t.warning = true

data/lib/win32/security.rb

@@ -1,10 +1,9 @@
 # This file allows users to require all security related classes from
 # a single file, instead of having to require individual files.
 
-require 'windows/process'
-require 'windows/security'
-require 'windows/handle'
-require 'windows/error'
+require File.join(File.dirname(__FILE__), 'security', 'windows', 'constants')
+require File.join(File.dirname(__FILE__), 'security', 'windows', 'structs')
+require File.join(File.dirname(__FILE__), 'security', 'windows', 'functions')
 
 # The Win32 module serves as a namespace only.
 module Win32
@@ -15,53 +14,97 @@ module Win32
     # Base error class for all Win32::Security errors.
     class Error < StandardError; end
 
-    include Windows::Security
-
-    extend Windows::Process
-    extend Windows::Security
-    extend Windows::Handle
-    extend Windows::Error
+    include Windows::Security::Functions
+    include Windows::Security::Constants
+    include Windows::Security::Structs
+    extend Windows::Security::Functions
 
     # The version of the win32-security library
-    VERSION = '0.1.4'
+    VERSION = '0.2.0'
+
+    # Used by OpenProcessToken
+    TOKEN_QUERY = 8
 
     # Returns whether or not the owner of the current process is running
     # with elevated security privileges.
     #
-    # Only supported on Windows Vista or later.
+    # On Windows XP an earlier this method is actually just checking to
+    # see if the caller's process is a member of the local Administrator's
+    # group.
     #
     def self.elevated_security?
-      token = 0.chr * 4
+      if windows_version < 6
+        sid_ptr     = FFI::MemoryPointer.new(:pointer)
+        nt_auth_ptr = FFI::MemoryPointer.new(SID_IDENTIFIER_AUTHORITY,1)
 
-      unless OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, token)
-        raise Error, get_last_error
-      end
+        nt_auth = SID_IDENTIFIER_AUTHORITY.new(nt_auth_ptr)
+        nt_auth[:Value].to_ptr.put_bytes(0, 0.chr*5 + 5.chr)
+
+        bool = AllocateAndInitializeSid(
+          nt_auth_ptr,
+          2,
+          SECURITY_BUILTIN_DOMAIN_RID,
+          DOMAIN_ALIAS_RID_ADMINS,
+          0, 0, 0, 0, 0, 0,
+          sid_ptr
+        )
+        unless bool
+          raise SystemCallError.new("AllocateAndInitializeSid", FFI.errno)
+        end
 
-      begin
-        token = token.unpack('V')[0]
+        pbool = FFI::MemoryPointer.new(:long)
 
-        te = 0.chr * 4 # TOKEN_ELEVATION
-        rl = 0.chr * 4 # Return length
+        unless CheckTokenMembership(0, sid_ptr.read_pointer, pbool)
+          raise SystemCallError.new("CheckTokenMembership", FFI.errno)
+        end
 
-        bool = GetTokenInformation(
-          token,
-          TokenElevation,
-          te,
-          te.size,
-          rl
-        )
+        pbool.read_long != 0
+      else
+        token = FFI::MemoryPointer.new(:ulong)
+
+        unless OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, token)
+          raise SystemCallError.new("OpenProcessToken", FFI.errno)
+        end
+
+        begin
+          token = token.read_ulong
+
+          # Since the TokenElevation struct only has 1 member, we use a pointer.
+          te = FFI::MemoryPointer.new(:ulong)
+          rl = FFI::MemoryPointer.new(:ulong)
+
+          bool = GetTokenInformation(
+            token,
+            :TokenElevation,
+            te,
+            te.size,
+            rl
+          )
+
+          raise SystemCallError.new("GetTokenInformation", FFI.errno) unless bool
+        ensure
+          CloseHandle(token)
+        end
+
+        te.read_ulong != 0
+      end
+    end
+
+    private
+
+    def self.windows_version
+      ver = OSVERSIONINFO.new
+      ver[:dwOSVersionInfoSize] = ver.size
 
-        raise Error, get_last_error unless bool
-      ensure
-        CloseHandle(token)
+      unless GetVersionExA(ver)
+        raise SystemCallError.new("GetVersionEx", FFI.errno)
       end
 
-      # TokenIsElevated member of the TOKEN_ELEVATION struct
-      te.unpack('L')[0] != 0
+      ver[:dwMajorVersion]
     end
   end
 end
 
 require 'win32/security/sid'
-#require 'win32/security/acl'
+require 'win32/security/acl'
 #require 'win32/security/ace'

data/lib/win32/security/acl.rb

@@ -1,25 +1,24 @@
-require 'windows/security'
-require 'windows/error'
-require 'windows/limits'
-require 'windows/msvcrt/buffer'
+require File.join(File.dirname(__FILE__), 'windows', 'constants')
+require File.join(File.dirname(__FILE__), 'windows', 'structs')
+require File.join(File.dirname(__FILE__), 'windows', 'functions')
 
 # The Win32 module serves as a namespace only.
 module Win32
-   
+
   # The Security class serves as a toplevel class namespace.
   class Security
-      
+
     # The ACL class encapsulates an Access Control List.
     class ACL
-      include Windows::Error
-      include Windows::Security
-      include Windows::Limits
-      include Windows::MSVCRT::Buffer
-         
+      include Windows::Security::Constants
+      include Windows::Security::Functions
+      include Windows::Security::Structs
+      extend Windows::Security::Functions
+
       # The version of the Win32::Security::ACL class.
-      VERSION = '0.1.0'
+      VERSION = '0.2.0'
 
-      # The binary representation of the ACL structure
+      # The underlying ACL structure.
       attr_reader :acl
 
       # The revision level.
@@ -30,10 +29,10 @@ module Win32
       # the ACL itself, and the revision information.
       #
       def initialize(revision = ACL_REVISION)
-        acl = 0.chr * 8 # This can be increased later as needed
+        acl = ACL_STRUCT.new
 
         unless InitializeAcl(acl, acl.size, revision)
-          raise Error, get_last_error
+          raise SystemCallError.new("InitializeAcl", FFI.errno)
         end
 
         @acl = acl
@@ -43,21 +42,22 @@ module Win32
       # Returns the number of ACE's in the ACL object.
       #
       def ace_count
-        buf = 0.chr * 12 # sizeof(ACL_SIZE_INFORMATION)
+        info = ACL_SIZE_INFORMATION.new
 
-        unless GetAclInformation(@acl, buf, buf.size, AclSizeInformation)
-          raise Error, get_last_error
+        unless GetAclInformation(@acl, info, info.size, AclSizeInformation)
+          raise SystemCallError.new("GetAclInformation", FFI.errno)
         end
 
-        buf[0, 4].unpack('L')[0]
+        info[:AceCount]
       end
 
       # Adds an access allowed ACE to the given +sid+. The +mask+ is a
       # bitwise OR'd value of access rights.
       #
+      # TODO: Move this into the SID class?
       def add_access_allowed_ace(sid, mask=0)
         unless AddAccessAllowedAce(@acl, @revision, mask, sid)
-          raise Error, get_last_error
+          raise SystemCallError.new("AddAccessAllowedAce", FFI.errno)
         end
       end
 
@@ -65,7 +65,7 @@ module Win32
       #
       def add_access_denied_ace(sid, mask=0)
         unless AddAccessDeniedAce(@acl, @revision, mask, sid)
-          raise Error, get_last_error
+          raise SystemCallError.new("AddAccessDeniedAce", FFI.errno)
         end
       end
 
@@ -79,7 +79,7 @@ module Win32
       #
       def add_ace(ace, index=MAXDWORD)
         unless AddAce(@acl, @revision, index, ace, ace.length)
-          raise Error, get_last_error
+          raise SystemCallError.new("AddAce", FFI.errno)
         end
 
         index
@@ -95,7 +95,7 @@ module Win32
       #
       def delete_ace(index=MAXDWORD)
         unless DeleteAce(@ace, index)
-          raise Error, get_last_error
+          raise SystemCallError.new("DeleteAce", FFI.errno)
         end
 
         index
@@ -106,19 +106,19 @@ module Win32
       # first free byte of the ACL is returned.
       #
       def find_ace(index = nil)
-        ptr = [0].pack('L')
+        pptr = FFI::MemoryPointer.new(:pointer)
 
         if index.nil?
-          unless FindFirstFreeAce(@acl, ptr)
-            raise Error, get_last_error
+          unless FindFirstFreeAce(@acl, pptr)
+            raise SystemCallError.new("DeleteAce", FFI.errno)
           end
         else
-          unless GetAce(@acl, index, ptr)
-            raise Error, get_last_error
+          unless GetAce(@acl, index, pptr)
+            raise SystemCallError.new("GetAce", FFI.errno)
           end
         end
 
-        [ptr].pack('p*').unpack('L')[0]
+        pptr.read_pointer.address
       end
 
       # Sets the revision information level, where the +revision_level+
@@ -127,10 +127,11 @@ module Win32
       # Returns the revision level if successful.
       #
       def revision=(revision_level)
-        buf = [revision_level].pack('L')
+        buf = FFI::MemoryPointer.new(:ulong)
+        buf.write_ulong(revision_level)
 
         unless SetAclInformation(@acl, buf, buf.size, AclRevisionInformation)
-          raise Error, get_last_error
+          raise SystemCallError.new("SetAclInformation", FFI.errno)
         end
 
         @revision = revision_level

data/lib/win32/security/sid.rb

@@ -1,9 +1,6 @@
-require 'windows/security'
-require 'windows/thread'
-require 'windows/process'
-require 'windows/error'
-require 'windows/msvcrt/string'
-require 'windows/msvcrt/buffer'
+require File.join(File.dirname(__FILE__), 'windows', 'constants')
+require File.join(File.dirname(__FILE__), 'windows', 'functions')
+require File.join(File.dirname(__FILE__), 'windows', 'structs')
 require 'socket'
 
 # The Win32 module serves as a namespace only.
@@ -14,23 +11,13 @@ module Win32
 
     # The SID class encapsulates a Security Identifier.
     class SID
-      include Windows::Security
-      include Windows::Error
-      include Windows::MSVCRT::String
-      include Windows::MSVCRT::Buffer
-      include Windows::Thread
-      include Windows::Process
-
-      extend Windows::Security
-      extend Windows::Error
-      extend Windows::MSVCRT::String
-      extend Windows::MSVCRT::Buffer
-
-      # Error class typically raised if any of the SID methods fail
-      class Error < StandardError; end
+      include Windows::Security::Constants
+      include Windows::Security::Functions
+      include Windows::Security::Structs
+      extend Windows::Security::Functions
 
       # The version of the Win32::Security::SID class.
-      VERSION = '0.1.4'
+      VERSION = '0.2.0'
 
       # Some constant SID's for your convenience, in string format.
       # See http://support.microsoft.com/kb/243330 for details.
@@ -91,40 +78,25 @@ module Win32
       # Converts a binary SID to a string in S-R-I-S-S... format.
       #
       def self.sid_to_string(sid)
-        sid_addr = [sid].pack('p*').unpack('L')[0]
-        sid_buf  = 0.chr * 80
-        sid_ptr  = 0.chr * 4
+        string_sid = FFI::MemoryPointer.new(:pointer)
 
-        unless ConvertSidToStringSid(sid_addr, sid_ptr)
-          raise Error, get_last_error
+        unless ConvertSidToStringSid(sid, string_sid)
+          raise SystemCallError.new("ConvertSidToStringSid", FFI.errno)
         end
 
-        strcpy(sid_buf, sid_ptr.unpack('L')[0])
-        sid_buf.strip
+        string_sid.read_pointer.read_string
       end
 
       # Converts a string in S-R-I-S-S... format back to a binary SID.
       #
       def self.string_to_sid(string)
-        string_addr = [string].pack('p*').unpack('L')[0]
-        sid_ptr  = 0.chr * 4
+        sid = FFI::MemoryPointer.new(:pointer)
 
-        unless ConvertStringSidToSid(string_addr, sid_ptr)
-          raise Error, get_last_error
+        unless ConvertStringSidToSid(string, sid)
+          raise SystemCallError.new("ConvertStringSidToSid", FFI.errno)
         end
 
-        unless IsValidSid(sid_ptr.unpack('L')[0])
-          raise Error, get_last_error
-        end
-
-        sid_len = GetLengthSid(sid_ptr.unpack('L')[0])
-        sid_buf = 0.chr * sid_len
-
-        unless CopySid(sid_len, [sid_buf].pack('p*').unpack('L')[0], sid_ptr.unpack('L')[0])
-          raise Error, get_last_error
-        end
-
-        sid_buf
+        sid.read_pointer.read_string
       end
 
       # Creates a new SID with +authority+ and up to 8 +subauthorities+,
@@ -149,24 +121,25 @@ module Win32
       #
       def self.create(authority, *sub_authorities)
         if sub_authorities.length > 8
-           raise ArgumentError, "maximum of 8 subauthorities allowed"
+          raise ArgumentError, "maximum of 8 subauthorities allowed"
         end
 
-        sid = 0.chr * GetSidLengthRequired(sub_authorities.length)
+        size = GetSidLengthRequired(sub_authorities.length)
+        sid  = FFI::MemoryPointer.new(:uchar, size)
 
-        auth = 0.chr * 5 + authority.chr
+        auth = SID_IDENTIFIER_AUTHORITY.new
+        auth[:Value][5] = authority
 
         unless InitializeSid(sid, auth, sub_authorities.length)
-           raise Error, get_last_error
+          raise SystemCallError.new("InitializeSid", FFI.errno)
         end
 
         sub_authorities.each_index do |i|
-           value = [sub_authorities[i]].pack('L')
-           auth_ptr = GetSidSubAuthority(sid, i)
-           memcpy(auth_ptr, value, 4)
+          ptr = GetSidSubAuthority(sid, i)
+          ptr.write_ulong(sub_authorities[i])
         end
 
-        new(sid)
+        new(sid.read_string(size)) # Pass a binary string
       end
 
       # Creates and returns a new Win32::Security::SID object, based on
@@ -198,45 +171,41 @@ module Win32
       #
       def initialize(account=nil, host=Socket.gethostname)
         if account.nil?
-          htoken = [0].pack('L')
-          bool   = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, 1, htoken)
-          errno  = GetLastError()
-
-          if !bool
-            if errno == ERROR_NO_TOKEN
-              unless OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, htoken)
-                raise get_last_error
-              end
+          begin
+            ptoken = FFI::MemoryPointer.new(:ulong)
+
+            # Try the thread token first, default to the process token.
+            bool = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, true, ptoken)
+
+            if !bool && FFI.errno != ERROR_NO_TOKEN
+              raise SystemCallError.new("OpenThreadToken", FFI.errno)
             else
-              raise get_last_error(errno)
+              ptoken = FFI::MemoryPointer.new(:ulong)
+              unless OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, ptoken)
+                raise SystemCallError.new("OpenProcessToken", FFI.errno)
+              end
             end
-          end
 
-          htoken = htoken.unpack('V').first
-          cbti = [0].pack('L')
-          token_info = 0.chr * 36
+            token = ptoken.read_ulong
+            pinfo = FFI::MemoryPointer.new(:pointer)
+            plength = FFI::MemoryPointer.new(:ulong)
 
-          bool = GetTokenInformation(
-            htoken,
-            TokenOwner,
-            token_info,
-            token_info.size,
-            cbti
-          )
+            # First pass, just get the size needed (1 is TokenOwner)
+            GetTokenInformation(token, 1, pinfo, pinfo.size, plength)
 
-          unless bool
-            raise Error, get_last_error
-          end
-        end
+            pinfo = FFI::MemoryPointer.new(plength.read_ulong)
+            plength = FFI::MemoryPointer.new(:ulong)
 
-        bool   = false
-        sid    = 0.chr * 28
-        sid_cb = [sid.size].pack('L')
-
-        domain_buf = 0.chr * 80
-        domain_cch = [domain_buf.size].pack('L')
+            # Second pass, actual call (1 is TokenOwner)
+            unless GetTokenInformation(token, 1, pinfo, pinfo.size, plength)
+              raise SystemCallError.new("GetTokenInformation", FFI.errno)
+            end
 
-        sid_name_use = 0.chr * 4
+            token_info = pinfo.read_pointer
+          ensure
+            CloseHandle(token) if token
+          end
+        end
 
         if account
           ordinal_val = account[0]
@@ -245,61 +214,74 @@ module Win32
           ordinal_val = nil
         end
 
+        sid = FFI::MemoryPointer.new(:uchar, 260)
+        sid_size = FFI::MemoryPointer.new(:ulong)
+        sid_size.write_ulong(sid.size)
+
+        domain = FFI::MemoryPointer.new(:uchar, 260)
+        domain_size = FFI::MemoryPointer.new(:ulong)
+        domain_size.write_ulong(domain.size)
+
+        use_ptr = FFI::MemoryPointer.new(:ulong)
+
         if ordinal_val.nil?
           bool = LookupAccountSid(
             nil,
-            token_info.unpack('L')[0],
+            token_info,
             sid,
-            sid_cb,
-            domain_buf,
-            domain_cch,
-            sid_name_use
+            sid_size,
+            domain,
+            domain_size,
+            use_ptr
           )
+          unless bool
+            raise SystemCallError.new("LookupAccountSid", FFI.errno)
+          end
         elsif ordinal_val < 10 # Assume it's a binary SID.
+          account_ptr = FFI::MemoryPointer.from_string(account)
           bool = LookupAccountSid(
             host,
-            [account].pack('p*').unpack('L')[0],
+            account_ptr,
             sid,
-            sid_cb,
-            domain_buf,
-            domain_cch,
-            sid_name_use
+            sid_size,
+            domain,
+            domain_size,
+            use_ptr
           )
+          unless bool
+            raise SystemCallError.new("LookupAccountSid", FFI.errno)
+          end
         else
           bool = LookupAccountName(
             host,
             account,
             sid,
-            sid_cb,
-            domain_buf,
-            domain_cch,
-            sid_name_use
+            sid_size,
+            domain,
+            domain_size,
+            use_ptr,
           )
-        end
-
-        unless bool
-          raise Error, get_last_error
+          unless bool
+            raise SystemCallError.new("LookupAccountName", FFI.errno)
+          end
         end
 
         # The arguments are flipped depending on which path we took
         if ordinal_val.nil?
-          buf = 0.chr * 260
-          ptr = token_info.unpack('L')[0]
-          memcpy(buf, ptr, token_info.size)
-          @sid = buf.strip
-          @account = sid.strip
+          @sid = token_info.read_string
+          @account = sid.read_string(sid.size).strip
         elsif ordinal_val < 10
           @sid     = account
-          @account = sid.strip
+          @account = sid.read_string(sid.size).strip
         else
-          @sid     = sid.strip
+          @sid     = sid.read_string(sid.size).strip
           @account = account
         end
 
         @host   = host
-        @domain = domain_buf.strip
+        @domain = domain.read_string
 
-        @account_type = get_account_type(sid_name_use.unpack('L')[0])
+        @account_type = get_account_type(use_ptr.read_ulong)
       end
 
       # Synonym for SID.new.
@@ -312,16 +294,13 @@ module Win32
       # storage or transmission.
       #
       def to_s
-        sid_addr = [@sid].pack('p*').unpack('L').first
-        sid_buf  = 0.chr * 80
-        sid_ptr  = 0.chr * 4
+        ptr = FFI::MemoryPointer.new(:pointer)
 
-        unless ConvertSidToStringSid(sid_addr, sid_ptr)
-          raise Error, get_last_error
+        unless ConvertSidToStringSid(@sid, ptr)
+          raise SystemCallError.new("ConvertSidToStringSid", FFI.errno)
         end
 
-        strcpy(sid_buf, sid_ptr.unpack('L').first)
-        sid_buf.strip
+        ptr.read_pointer.read_string
       end
 
       alias to_str to_s