mirror of
https://github.com/mainflux/mainflux.git
synced 2025-04-27 13:48:49 +08:00
ccd8965d6f
* Use normalizer as stream source Renamed 'writer' service to 'normalizer' and dropped Cassandra facilities from it. Extracted the common dependencies to 'mainflux' package for easier sharing. Fixed the API docs and unified environment variables. Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Use docker build arguments to specify build Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Remove cassandra libraries Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Update go-kit version to 0.6.0 Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Fix manager configuration Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Refactor docker-compose Merged individual compose files and dropped external links. Remove CoAP container since it is not referenced from NginX config at the moment. Update port mapping in compose and nginx.conf. Dropped bin scripts. Updated service documentation. Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Drop content-type check Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Implement users data access layer in PostgreSQL Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Bump version to 0.1.0 Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Use go-kit logger everywhere (except CoAP) Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Improve factory methods naming Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Implement clients data access layer on PostgreSQL Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Make tests stateless All tests are refactored to use map-based table-driven tests. No cross-tests dependencies is present anymore. Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Remove gitignore Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Fix nginx proxying Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Mark client-user FK explicit Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Update API documentation Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Update channel model Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Add channel PostgreSQL repository tests Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Implement PostgreSQL channels DAO Replaced update queries with raw SQL. Explicitly defined M2M table due to difficulties of ensuring the referential integrity through GORM. Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Expose connection endpoints Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Fix swagger docs and remove DB logging Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Fix nested query remarks Signed-off-by: Dejan Mijic <dejan@mainflux.com> * Add unique indices Signed-off-by: Dejan Mijic <dejan@mainflux.com>
203 lines
5.3 KiB
Go
203 lines
5.3 KiB
Go
// +build windows
|
|
|
|
package winio
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/binary"
|
|
"fmt"
|
|
"runtime"
|
|
"sync"
|
|
"syscall"
|
|
"unicode/utf16"
|
|
|
|
"golang.org/x/sys/windows"
|
|
)
|
|
|
|
//sys adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) [true] = advapi32.AdjustTokenPrivileges
|
|
//sys impersonateSelf(level uint32) (err error) = advapi32.ImpersonateSelf
|
|
//sys revertToSelf() (err error) = advapi32.RevertToSelf
|
|
//sys openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) = advapi32.OpenThreadToken
|
|
//sys getCurrentThread() (h syscall.Handle) = GetCurrentThread
|
|
//sys lookupPrivilegeValue(systemName string, name string, luid *uint64) (err error) = advapi32.LookupPrivilegeValueW
|
|
//sys lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) = advapi32.LookupPrivilegeNameW
|
|
//sys lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) = advapi32.LookupPrivilegeDisplayNameW
|
|
|
|
const (
|
|
SE_PRIVILEGE_ENABLED = 2
|
|
|
|
ERROR_NOT_ALL_ASSIGNED syscall.Errno = 1300
|
|
|
|
SeBackupPrivilege = "SeBackupPrivilege"
|
|
SeRestorePrivilege = "SeRestorePrivilege"
|
|
)
|
|
|
|
const (
|
|
securityAnonymous = iota
|
|
securityIdentification
|
|
securityImpersonation
|
|
securityDelegation
|
|
)
|
|
|
|
var (
|
|
privNames = make(map[string]uint64)
|
|
privNameMutex sync.Mutex
|
|
)
|
|
|
|
// PrivilegeError represents an error enabling privileges.
|
|
type PrivilegeError struct {
|
|
privileges []uint64
|
|
}
|
|
|
|
func (e *PrivilegeError) Error() string {
|
|
s := ""
|
|
if len(e.privileges) > 1 {
|
|
s = "Could not enable privileges "
|
|
} else {
|
|
s = "Could not enable privilege "
|
|
}
|
|
for i, p := range e.privileges {
|
|
if i != 0 {
|
|
s += ", "
|
|
}
|
|
s += `"`
|
|
s += getPrivilegeName(p)
|
|
s += `"`
|
|
}
|
|
return s
|
|
}
|
|
|
|
// RunWithPrivilege enables a single privilege for a function call.
|
|
func RunWithPrivilege(name string, fn func() error) error {
|
|
return RunWithPrivileges([]string{name}, fn)
|
|
}
|
|
|
|
// RunWithPrivileges enables privileges for a function call.
|
|
func RunWithPrivileges(names []string, fn func() error) error {
|
|
privileges, err := mapPrivileges(names)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
runtime.LockOSThread()
|
|
defer runtime.UnlockOSThread()
|
|
token, err := newThreadToken()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer releaseThreadToken(token)
|
|
err = adjustPrivileges(token, privileges, SE_PRIVILEGE_ENABLED)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return fn()
|
|
}
|
|
|
|
func mapPrivileges(names []string) ([]uint64, error) {
|
|
var privileges []uint64
|
|
privNameMutex.Lock()
|
|
defer privNameMutex.Unlock()
|
|
for _, name := range names {
|
|
p, ok := privNames[name]
|
|
if !ok {
|
|
err := lookupPrivilegeValue("", name, &p)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
privNames[name] = p
|
|
}
|
|
privileges = append(privileges, p)
|
|
}
|
|
return privileges, nil
|
|
}
|
|
|
|
// EnableProcessPrivileges enables privileges globally for the process.
|
|
func EnableProcessPrivileges(names []string) error {
|
|
return enableDisableProcessPrivilege(names, SE_PRIVILEGE_ENABLED)
|
|
}
|
|
|
|
// DisableProcessPrivileges disables privileges globally for the process.
|
|
func DisableProcessPrivileges(names []string) error {
|
|
return enableDisableProcessPrivilege(names, 0)
|
|
}
|
|
|
|
func enableDisableProcessPrivilege(names []string, action uint32) error {
|
|
privileges, err := mapPrivileges(names)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
p, _ := windows.GetCurrentProcess()
|
|
var token windows.Token
|
|
err = windows.OpenProcessToken(p, windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, &token)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
defer token.Close()
|
|
return adjustPrivileges(token, privileges, action)
|
|
}
|
|
|
|
func adjustPrivileges(token windows.Token, privileges []uint64, action uint32) error {
|
|
var b bytes.Buffer
|
|
binary.Write(&b, binary.LittleEndian, uint32(len(privileges)))
|
|
for _, p := range privileges {
|
|
binary.Write(&b, binary.LittleEndian, p)
|
|
binary.Write(&b, binary.LittleEndian, action)
|
|
}
|
|
prevState := make([]byte, b.Len())
|
|
reqSize := uint32(0)
|
|
success, err := adjustTokenPrivileges(token, false, &b.Bytes()[0], uint32(len(prevState)), &prevState[0], &reqSize)
|
|
if !success {
|
|
return err
|
|
}
|
|
if err == ERROR_NOT_ALL_ASSIGNED {
|
|
return &PrivilegeError{privileges}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func getPrivilegeName(luid uint64) string {
|
|
var nameBuffer [256]uint16
|
|
bufSize := uint32(len(nameBuffer))
|
|
err := lookupPrivilegeName("", &luid, &nameBuffer[0], &bufSize)
|
|
if err != nil {
|
|
return fmt.Sprintf("<unknown privilege %d>", luid)
|
|
}
|
|
|
|
var displayNameBuffer [256]uint16
|
|
displayBufSize := uint32(len(displayNameBuffer))
|
|
var langID uint32
|
|
err = lookupPrivilegeDisplayName("", &nameBuffer[0], &displayNameBuffer[0], &displayBufSize, &langID)
|
|
if err != nil {
|
|
return fmt.Sprintf("<unknown privilege %s>", string(utf16.Decode(nameBuffer[:bufSize])))
|
|
}
|
|
|
|
return string(utf16.Decode(displayNameBuffer[:displayBufSize]))
|
|
}
|
|
|
|
func newThreadToken() (windows.Token, error) {
|
|
err := impersonateSelf(securityImpersonation)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
var token windows.Token
|
|
err = openThreadToken(getCurrentThread(), syscall.TOKEN_ADJUST_PRIVILEGES|syscall.TOKEN_QUERY, false, &token)
|
|
if err != nil {
|
|
rerr := revertToSelf()
|
|
if rerr != nil {
|
|
panic(rerr)
|
|
}
|
|
return 0, err
|
|
}
|
|
return token, nil
|
|
}
|
|
|
|
func releaseThreadToken(h windows.Token) {
|
|
err := revertToSelf()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
h.Close()
|
|
}
|