Poupou's Corner of the Web

Because of OS identities restrictions, mainly how we create them, my previous blog sample wasn't portable (i.e. limited to Linux and other Unix operating system). Thankfully things are easier when dealing with principals.

The IPrincipal interface has one property, Identity, and one method, bool IsInRole(string). The WindowsPrincipal implementation provides overloaded IsInRole methods but this just adds other ways to get the same results.

The goal of classes implementing IPrincipal is to allow a consistent way to use Role Based Access Control (RBAC). The GenericPrincipal let you supply an array of string, in the constructor, with the roles you want to associate with the identity. The WindowsPrincipal use the Windows local or network group (either an NT domain or an Active Directory). So it only seems natural to map this functionality to Unix's group when running on *x operating systems.

The following sample use the WindowsPrincipal class in a simple interactive console application that let you query users and groups.

using System; using System.Runtime.InteropServices; using System.Security.Principal; class WinPrincipal { [DllImport ("advapi32.dll", CallingConvention=CallingConvention.StdCall)] public static extern bool LogonUser (string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); static void Principal (WindowsIdentity user) { WindowsPrincipal wp = new WindowsPrincipal (user); while (true) { Console.Write ("Enter group name: "); string group = Console.ReadLine (); if (group == String.Empty) break; Console.WriteLine ("\t{0} is {1}a member of {2}{3}", user.Name, (wp.IsInRole (group) ? String.Empty : "NOT "), group, Environment.NewLine); } } [STAThread] static void Main (string[] args) { bool posix = ((int) Environment.OSVersion.Platform == 128); while (true) { Console.Write ("Enter username:\t"); string username = Console.ReadLine (); if (username == String.Empty) break; WindowsIdentity user = null; // check for Posix versus Windows if (posix) { user = new WindowsIdentity (username); } else { Console.Write ("Enter domain:\t"); string domain = Console.ReadLine (); Console.Write ("Enter password:\t"); string password = Console.ReadLine (); IntPtr token = IntPtr.Zero; // note: we should close that handle LogonUser (username, domain, password, 2, 0, ref token); if (token == IntPtr.Zero) { Console.WriteLine ("Invalid username/domain/password"); continue; } user = new WindowsIdentity (token); } Principal (user); } } }

As we can see the only difference between the Windows and Linux version is done at runtime. The Windows version requires the domain and password to obtain a token (the only part requiring P/Invoke in the sample). Note that no impersonation is done in the sample (neither on Linux nor on Windows - as we don't change the process identity) so it doesn't require root access to be run.

WARNING: Again this is a sneak preview of uncommitted stuff, i.e. this isn't part of the latest Mono release (0.31).

Running on Windows

This is what the sample looks when run on Windows.

Running on Linux

This is what the sample looks when run on Linux.

Now I have to merge the Linux and Windows versions of WindowsIdentity, WindowsImpersonationContext and WindowsPrincipal into a single version, test again and commit :-).