// Copyright 2012 The Go Authors. All rights reserved.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package windows

import (

	"syscall"

	"unsafe"

	"golang.org/x/sys/internal/unsafeheader"

)

const (

	NameUnknown          = 0

	NameFullyQualifiedDN = 1

	NameSamCompatible    = 2

	NameDisplay          = 3

	NameUniqueId         = 6

	NameCanonical        = 7

	NameUserPrincipal    = 8

	NameCanonicalEx      = 9

	NameServicePrincipal = 10

	NameDnsDomain        = 12

)

// This function returns 1 byte BOOLEAN rather than the 4 byte BOOL.

// http://blogs.msdn.com/b/drnick/archive/2007/12/19/windows-and-upn-format-credentials.aspx

//sys	TranslateName(accName *uint16, accNameFormat uint32, desiredNameFormat uint32, translatedName *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.TranslateNameW

//sys	GetUserNameEx(nameFormat uint32, nameBuffre *uint16, nSize *uint32) (err error) [failretval&0xff==0] = secur32.GetUserNameExW

// TranslateAccountName converts a directory service

// object name from one format to another.

func TranslateAccountName(username string, from, to uint32, initSize int) (string, error) {

	u, e := UTF16PtrFromString(username)

	if e != nil {

		return "", e

	}

	n := uint32(50)

	for {

		b := make([]uint16, n)

		e = TranslateName(u, from, to, &b[0], &n)

		if e == nil {

			return UTF16ToString(b[:n]), nil

		}

		if e != ERROR_INSUFFICIENT_BUFFER {

			return "", e

		}

		if n <= uint32(len(b)) {

			return "", e

		}

	}

}

const (

	// do not reorder

	NetSetupUnknownStatus = iota

	NetSetupUnjoined

	NetSetupWorkgroupName

	NetSetupDomainName

)

type UserInfo10 struct {

	Name       *uint16

	Comment    *uint16

	UsrComment *uint16

	FullName   *uint16

}

//sys	NetUserGetInfo(serverName *uint16, userName *uint16, level uint32, buf **byte) (neterr error) = netapi32.NetUserGetInfo

//sys	NetGetJoinInformation(server *uint16, name **uint16, bufType *uint32) (neterr error) = netapi32.NetGetJoinInformation

//sys	NetApiBufferFree(buf *byte) (neterr error) = netapi32.NetApiBufferFree

const (

	// do not reorder

	SidTypeUser = 1 + iota

	SidTypeGroup

	SidTypeDomain

	SidTypeAlias

	SidTypeWellKnownGroup

	SidTypeDeletedAccount

	SidTypeInvalid

	SidTypeUnknown

	SidTypeComputer

	SidTypeLabel

)

type SidIdentifierAuthority struct {

	Value [6]byte

}

var (

	SECURITY_NULL_SID_AUTHORITY        = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 0}}

	SECURITY_WORLD_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 1}}

	SECURITY_LOCAL_SID_AUTHORITY       = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 2}}

	SECURITY_CREATOR_SID_AUTHORITY     = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 3}}

	SECURITY_NON_UNIQUE_AUTHORITY      = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 4}}

	SECURITY_NT_AUTHORITY              = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 5}}

	SECURITY_MANDATORY_LABEL_AUTHORITY = SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 16}}

)

const (

	SECURITY_NULL_RID                   = 0

	SECURITY_WORLD_RID                  = 0

	SECURITY_LOCAL_RID                  = 0

	SECURITY_CREATOR_OWNER_RID          = 0

	SECURITY_CREATOR_GROUP_RID          = 1

	SECURITY_DIALUP_RID                 = 1

	SECURITY_NETWORK_RID                = 2

	SECURITY_BATCH_RID                  = 3

	SECURITY_INTERACTIVE_RID            = 4

	SECURITY_LOGON_IDS_RID              = 5

	SECURITY_SERVICE_RID                = 6

	SECURITY_LOCAL_SYSTEM_RID           = 18

	SECURITY_BUILTIN_DOMAIN_RID         = 32

	SECURITY_PRINCIPAL_SELF_RID         = 10

	SECURITY_CREATOR_OWNER_SERVER_RID   = 0x2

	SECURITY_CREATOR_GROUP_SERVER_RID   = 0x3

	SECURITY_LOGON_IDS_RID_COUNT        = 0x3

	SECURITY_ANONYMOUS_LOGON_RID        = 0x7

	SECURITY_PROXY_RID                  = 0x8

	SECURITY_ENTERPRISE_CONTROLLERS_RID = 0x9

	SECURITY_SERVER_LOGON_RID           = SECURITY_ENTERPRISE_CONTROLLERS_RID

	SECURITY_AUTHENTICATED_USER_RID     = 0xb

	SECURITY_RESTRICTED_CODE_RID        = 0xc

	SECURITY_NT_NON_UNIQUE_RID          = 0x15

)

// Predefined domain-relative RIDs for local groups.

// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx

const (

	DOMAIN_ALIAS_RID_ADMINS                         = 0x220

	DOMAIN_ALIAS_RID_USERS                          = 0x221

	DOMAIN_ALIAS_RID_GUESTS                         = 0x222

	DOMAIN_ALIAS_RID_POWER_USERS                    = 0x223

	DOMAIN_ALIAS_RID_ACCOUNT_OPS                    = 0x224

	DOMAIN_ALIAS_RID_SYSTEM_OPS                     = 0x225

	DOMAIN_ALIAS_RID_PRINT_OPS                      = 0x226

	DOMAIN_ALIAS_RID_BACKUP_OPS                     = 0x227

	DOMAIN_ALIAS_RID_REPLICATOR                     = 0x228

	DOMAIN_ALIAS_RID_RAS_SERVERS                    = 0x229

	DOMAIN_ALIAS_RID_PREW2KCOMPACCESS               = 0x22a

	DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS           = 0x22b

	DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS      = 0x22c

	DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS = 0x22d

	DOMAIN_ALIAS_RID_MONITORING_USERS               = 0x22e

	DOMAIN_ALIAS_RID_LOGGING_USERS                  = 0x22f

	DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS            = 0x230

	DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS             = 0x231

	DOMAIN_ALIAS_RID_DCOM_USERS                     = 0x232

	DOMAIN_ALIAS_RID_IUSERS                         = 0x238

	DOMAIN_ALIAS_RID_CRYPTO_OPERATORS               = 0x239

	DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP     = 0x23b

	DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP = 0x23c

	DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP        = 0x23d

	DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP      = 0x23e

)

//sys	LookupAccountSid(systemName *uint16, sid *SID, name *uint16, nameLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountSidW

//sys	LookupAccountName(systemName *uint16, accountName *uint16, sid *SID, sidLen *uint32, refdDomainName *uint16, refdDomainNameLen *uint32, use *uint32) (err error) = advapi32.LookupAccountNameW

//sys	ConvertSidToStringSid(sid *SID, stringSid **uint16) (err error) = advapi32.ConvertSidToStringSidW

//sys	ConvertStringSidToSid(stringSid *uint16, sid **SID) (err error) = advapi32.ConvertStringSidToSidW

//sys	GetLengthSid(sid *SID) (len uint32) = advapi32.GetLengthSid

//sys	CopySid(destSidLen uint32, destSid *SID, srcSid *SID) (err error) = advapi32.CopySid

//sys	AllocateAndInitializeSid(identAuth *SidIdentifierAuthority, subAuth byte, subAuth0 uint32, subAuth1 uint32, subAuth2 uint32, subAuth3 uint32, subAuth4 uint32, subAuth5 uint32, subAuth6 uint32, subAuth7 uint32, sid **SID) (err error) = advapi32.AllocateAndInitializeSid

//sys	createWellKnownSid(sidType WELL_KNOWN_SID_TYPE, domainSid *SID, sid *SID, sizeSid *uint32) (err error) = advapi32.CreateWellKnownSid

//sys	isWellKnownSid(sid *SID, sidType WELL_KNOWN_SID_TYPE) (isWellKnown bool) = advapi32.IsWellKnownSid

//sys	FreeSid(sid *SID) (err error) [failretval!=0] = advapi32.FreeSid

//sys	EqualSid(sid1 *SID, sid2 *SID) (isEqual bool) = advapi32.EqualSid

//sys	getSidIdentifierAuthority(sid *SID) (authority *SidIdentifierAuthority) = advapi32.GetSidIdentifierAuthority

//sys	getSidSubAuthorityCount(sid *SID) (count *uint8) = advapi32.GetSidSubAuthorityCount

//sys	getSidSubAuthority(sid *SID, index uint32) (subAuthority *uint32) = advapi32.GetSidSubAuthority

//sys	isValidSid(sid *SID) (isValid bool) = advapi32.IsValidSid

// The security identifier (SID) structure is a variable-length

// structure used to uniquely identify users or groups.

type SID struct{}

// StringToSid converts a string-format security identifier

// SID into a valid, functional SID.

func StringToSid(s string) (*SID, error) {

	var sid *SID

	p, e := UTF16PtrFromString(s)

	if e != nil {

		return nil, e

	}

	e = ConvertStringSidToSid(p, &sid)

	if e != nil {

		return nil, e

	}

	defer LocalFree((Handle)(unsafe.Pointer(sid)))

	return sid.Copy()

}

// LookupSID retrieves a security identifier SID for the account

// and the name of the domain on which the account was found.

// System specify target computer to search.

func LookupSID(system, account string) (sid *SID, domain string, accType uint32, err error) {

	if len(account) == 0 {

		return nil, "", 0, syscall.EINVAL

	}

	acc, e := UTF16PtrFromString(account)

	if e != nil {

		return nil, "", 0, e

	}

	var sys *uint16

	if len(system) > 0 {

		sys, e = UTF16PtrFromString(system)

		if e != nil {

			return nil, "", 0, e

		}

	}

	n := uint32(50)

	dn := uint32(50)

	for {

		b := make([]byte, n)

		db := make([]uint16, dn)

		sid = (*SID)(unsafe.Pointer(&b[0]))

		e = LookupAccountName(sys, acc, sid, &n, &db[0], &dn, &accType)

		if e == nil {

			return sid, UTF16ToString(db), accType, nil

		}

		if e != ERROR_INSUFFICIENT_BUFFER {

			return nil, "", 0, e

		}

		if n <= uint32(len(b)) {

			return nil, "", 0, e

		}

	}

}

// String converts SID to a string format suitable for display, storage, or transmission.

func (sid *SID) String() string {

	var s *uint16

	e := ConvertSidToStringSid(sid, &s)

	if e != nil {

		return ""

	}

	defer LocalFree((Handle)(unsafe.Pointer(s)))

	return UTF16ToString((*[256]uint16)(unsafe.Pointer(s))[:])

}

// Len returns the length, in bytes, of a valid security identifier SID.

func (sid *SID) Len() int {

	return int(GetLengthSid(sid))

}

// Copy creates a duplicate of security identifier SID.

func (sid *SID) Copy() (*SID, error) {

	b := make([]byte, sid.Len())

	sid2 := (*SID)(unsafe.Pointer(&b[0]))

	e := CopySid(uint32(len(b)), sid2, sid)

	if e != nil {

		return nil, e

	}

	return sid2, nil

}

// IdentifierAuthority returns the identifier authority of the SID.

func (sid *SID) IdentifierAuthority() SidIdentifierAuthority {

	return *getSidIdentifierAuthority(sid)

}

// SubAuthorityCount returns the number of sub-authorities in the SID.

func (sid *SID) SubAuthorityCount() uint8 {

	return *getSidSubAuthorityCount(sid)

}

// SubAuthority returns the sub-authority of the SID as specified by

// the index, which must be less than sid.SubAuthorityCount().

func (sid *SID) SubAuthority(idx uint32) uint32 {

	if idx >= uint32(sid.SubAuthorityCount()) {

		panic("sub-authority index out of range")

	}

	return *getSidSubAuthority(sid, idx)

}

// IsValid returns whether the SID has a valid revision and length.

func (sid *SID) IsValid() bool {

	return isValidSid(sid)

}

// Equals compares two SIDs for equality.

func (sid *SID) Equals(sid2 *SID) bool {

	return EqualSid(sid, sid2)

}

// IsWellKnown determines whether the SID matches the well-known sidType.

func (sid *SID) IsWellKnown(sidType WELL_KNOWN_SID_TYPE) bool {

	return isWellKnownSid(sid, sidType)

}

// LookupAccount retrieves the name of the account for this SID

// and the name of the first domain on which this SID is found.

// System specify target computer to search for.

func (sid *SID) LookupAccount(system string) (account, domain string, accType uint32, err error) {

	var sys *uint16

	if len(system) > 0 {

		sys, err = UTF16PtrFromString(system)

		if err != nil {

			return "", "", 0, err

		}

	}

	n := uint32(50)

	dn := uint32(50)

	for {

		b := make([]uint16, n)

		db := make([]uint16, dn)

		e := LookupAccountSid(sys, sid, &b[0], &n, &db[0], &dn, &accType)

		if e == nil {

			return UTF16ToString(b), UTF16ToString(db), accType, nil

		}

		if e != ERROR_INSUFFICIENT_BUFFER {

			return "", "", 0, e

		}

		if n <= uint32(len(b)) {

			return "", "", 0, e

		}

	}

}

// Various types of pre-specified SIDs that can be synthesized and compared at runtime.

type WELL_KNOWN_SID_TYPE uint32

const (

	WinNullSid                                    = 0

	WinWorldSid                                   = 1

	WinLocalSid                                   = 2

	WinCreatorOwnerSid                            = 3

	WinCreatorGroupSid                            = 4

	WinCreatorOwnerServerSid                      = 5

	WinCreatorGroupServerSid                      = 6

	WinNtAuthoritySid                             = 7

	WinDialupSid                                  = 8

	WinNetworkSid                                 = 9

	WinBatchSid                                   = 10

	WinInteractiveSid                             = 11

	WinServiceSid                                 = 12

	WinAnonymousSid                               = 13

	WinProxySid                                   = 14

	WinEnterpriseControllersSid                   = 15

	WinSelfSid                                    = 16

	WinAuthenticatedUserSid                       = 17

	WinRestrictedCodeSid                          = 18

	WinTerminalServerSid                          = 19

	WinRemoteLogonIdSid                           = 20

	WinLogonIdsSid                                = 21

	WinLocalSystemSid                             = 22

	WinLocalServiceSid                            = 23

	WinNetworkServiceSid                          = 24

	WinBuiltinDomainSid                           = 25

	WinBuiltinAdministratorsSid                   = 26

	WinBuiltinUsersSid                            = 27

	WinBuiltinGuestsSid                           = 28

	WinBuiltinPowerUsersSid                       = 29

	WinBuiltinAccountOperatorsSid                 = 30

	WinBuiltinSystemOperatorsSid                  = 31

	WinBuiltinPrintOperatorsSid                   = 32

	WinBuiltinBackupOperatorsSid                  = 33

	WinBuiltinReplicatorSid                       = 34

	WinBuiltinPreWindows2000CompatibleAccessSid   = 35

	WinBuiltinRemoteDesktopUsersSid               = 36

	WinBuiltinNetworkConfigurationOperatorsSid    = 37

	WinAccountAdministratorSid                    = 38

	WinAccountGuestSid                            = 39

	WinAccountKrbtgtSid                           = 40

	WinAccountDomainAdminsSid                     = 41

	WinAccountDomainUsersSid                      = 42

	WinAccountDomainGuestsSid                     = 43

	WinAccountComputersSid                        = 44

	WinAccountControllersSid                      = 45

	WinAccountCertAdminsSid                       = 46

	WinAccountSchemaAdminsSid                     = 47

	WinAccountEnterpriseAdminsSid                 = 48

	WinAccountPolicyAdminsSid                     = 49

	WinAccountRasAndIasServersSid                 = 50

	WinNTLMAuthenticationSid                      = 51

	WinDigestAuthenticationSid                    = 52

	WinSChannelAuthenticationSid                  = 53

	WinThisOrganizationSid                        = 54

	WinOtherOrganizationSid                       = 55

	WinBuiltinIncomingForestTrustBuildersSid      = 56

	WinBuiltinPerfMonitoringUsersSid              = 57

	WinBuiltinPerfLoggingUsersSid                 = 58

	WinBuiltinAuthorizationAccessSid              = 59

	WinBuiltinTerminalServerLicenseServersSid     = 60

	WinBuiltinDCOMUsersSid                        = 61

	WinBuiltinIUsersSid                           = 62

	WinIUserSid                                   = 63

	WinBuiltinCryptoOperatorsSid                  = 64

	WinUntrustedLabelSid                          = 65

	WinLowLabelSid                                = 66

	WinMediumLabelSid                             = 67

	WinHighLabelSid                               = 68

	WinSystemLabelSid                             = 69

	WinWriteRestrictedCodeSid                     = 70

	WinCreatorOwnerRightsSid                      = 71

	WinCacheablePrincipalsGroupSid                = 72

	WinNonCacheablePrincipalsGroupSid             = 73

	WinEnterpriseReadonlyControllersSid           = 74

	WinAccountReadonlyControllersSid              = 75

	WinBuiltinEventLogReadersGroup                = 76

	WinNewEnterpriseReadonlyControllersSid        = 77

	WinBuiltinCertSvcDComAccessGroup              = 78

	WinMediumPlusLabelSid                         = 79

	WinLocalLogonSid                              = 80

	WinConsoleLogonSid                            = 81

	WinThisOrganizationCertificateSid             = 82

	WinApplicationPackageAuthoritySid             = 83

	WinBuiltinAnyPackageSid                       = 84

	WinCapabilityInternetClientSid                = 85

	WinCapabilityInternetClientServerSid          = 86

	WinCapabilityPrivateNetworkClientServerSid    = 87

	WinCapabilityPicturesLibrarySid               = 88

	WinCapabilityVideosLibrarySid                 = 89

	WinCapabilityMusicLibrarySid                  = 90

	WinCapabilityDocumentsLibrarySid              = 91

	WinCapabilitySharedUserCertificatesSid        = 92

	WinCapabilityEnterpriseAuthenticationSid      = 93

	WinCapabilityRemovableStorageSid              = 94

	WinBuiltinRDSRemoteAccessServersSid           = 95

	WinBuiltinRDSEndpointServersSid               = 96

	WinBuiltinRDSManagementServersSid             = 97