tailscale/util/winutil/winutil_windows.go

// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package winutil

import (
	"log"
	"syscall"

	"golang.org/x/sys/windows"
	"golang.org/x/sys/windows/registry"
)

const (
	regBase       = `SOFTWARE\Tailscale IPN`
	regPolicyBase = `SOFTWARE\Policies\Tailscale`
)

// GetDesktopPID searches the PID of the process that's running the
// currently active desktop and whether it was found.
// Usually the PID will be for explorer.exe.
func GetDesktopPID() (pid uint32, ok bool) {
	hwnd := windows.GetShellWindow()
	if hwnd == 0 {
		return 0, false
	}
	windows.GetWindowThreadProcessId(hwnd, &pid)
	return pid, pid != 0
}

func getPolicyString(name, defval string) string {
	s, err := getRegStringInternal(regPolicyBase, name)
	if err != nil {
		// Fall back to the legacy path
		return getRegString(name, defval)
	}
	return s
}

func getPolicyInteger(name string, defval uint64) uint64 {
	i, err := getRegIntegerInternal(regPolicyBase, name)
	if err != nil {
		// Fall back to the legacy path
		return getRegInteger(name, defval)
	}
	return i
}

func getRegString(name, defval string) string {
	s, err := getRegStringInternal(regBase, name)
	if err != nil {
		return defval
	}
	return s
}

func getRegInteger(name string, defval uint64) uint64 {
	i, err := getRegIntegerInternal(regBase, name)
	if err != nil {
		return defval
	}
	return i
}

func getRegStringInternal(subKey, name string) (string, error) {
	key, err := registry.OpenKey(registry.LOCAL_MACHINE, subKey, registry.READ)
	if err != nil {
		log.Printf("registry.OpenKey(%v): %v", subKey, err)
		return "", err
	}
	defer key.Close()

	val, _, err := key.GetStringValue(name)
	if err != nil {
		if err != registry.ErrNotExist {
			log.Printf("registry.GetStringValue(%v): %v", name, err)
		}
		return "", err
	}
	return val, nil
}

func getRegIntegerInternal(subKey, name string) (uint64, error) {
	key, err := registry.OpenKey(registry.LOCAL_MACHINE, subKey, registry.READ)
	if err != nil {
		log.Printf("registry.OpenKey(%v): %v", subKey, err)
		return 0, err
	}
	defer key.Close()

	val, _, err := key.GetIntegerValue(name)
	if err != nil {
		if err != registry.ErrNotExist {
			log.Printf("registry.GetIntegerValue(%v): %v", name, err)
		}
		return 0, err
	}
	return val, nil
}

var (
	kernel32                         = syscall.NewLazyDLL("kernel32.dll")
	procWTSGetActiveConsoleSessionId = kernel32.NewProc("WTSGetActiveConsoleSessionId")
)

// TODO(crawshaw): replace with x/sys/windows... one day.
// https://go-review.googlesource.com/c/sys/+/331909
func WTSGetActiveConsoleSessionId() uint32 {
	r1, _, _ := procWTSGetActiveConsoleSessionId.Call()
	return uint32(r1)
}

func isSIDValidPrincipal(uid string) bool {
	usid, err := syscall.StringToSid(uid)
	if err != nil {
		return false
	}

	_, _, accType, err := usid.LookupAccount("")
	if err != nil {
		return false
	}

	switch accType {
	case syscall.SidTypeUser, syscall.SidTypeGroup, syscall.SidTypeDomain, syscall.SidTypeAlias, syscall.SidTypeWellKnownGroup, syscall.SidTypeComputer:
		return true
	default:
		// Reject deleted users, invalid SIDs, unknown SIDs, mandatory label SIDs, etc.
		return false
	}
}
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package winutil`

			`import (`
			`"log"`
			`"syscall"`

			`"golang.org/x/sys/windows"`
			`"golang.org/x/sys/windows/registry"`
			`)`

cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`const (`
			regBase = `SOFTWARE\Tailscale IPN`
			regPolicyBase = `SOFTWARE\Policies\Tailscale`
			`)`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00
			`// GetDesktopPID searches the PID of the process that's running the`
			`// currently active desktop and whether it was found.`
			`// Usually the PID will be for explorer.exe.`
			`func GetDesktopPID() (pid uint32, ok bool) {`
			`hwnd := windows.GetShellWindow()`
			`if hwnd == 0 {`
			`return 0, false`
			`}`
			`windows.GetWindowThreadProcessId(hwnd, &pid)`
			`return pid, pid != 0`
			`}`

cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`func getPolicyString(name, defval string) string {`
			`s, err := getRegStringInternal(regPolicyBase, name)`
			`if err != nil {`
			`// Fall back to the legacy path`
			`return getRegString(name, defval)`
			`}`
			`return s`
			`}`

			`func getPolicyInteger(name string, defval uint64) uint64 {`
			`i, err := getRegIntegerInternal(regPolicyBase, name)`
			`if err != nil {`
			`// Fall back to the legacy path`
			`return getRegInteger(name, defval)`
			`}`
			`return i`
			`}`

ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`func getRegString(name, defval string) string {`
cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`s, err := getRegStringInternal(regBase, name)`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`if err != nil {`
			`return defval`
			`}`
cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`return s`
			`}`

			`func getRegInteger(name string, defval uint64) uint64 {`
			`i, err := getRegIntegerInternal(regBase, name)`
			`if err != nil {`
			`return defval`
			`}`
			`return i`
			`}`

			`func getRegStringInternal(subKey, name string) (string, error) {`
			`key, err := registry.OpenKey(registry.LOCAL_MACHINE, subKey, registry.READ)`
			`if err != nil {`
			`log.Printf("registry.OpenKey(%v): %v", subKey, err)`
			`return "", err`
			`}`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`defer key.Close()`

			`val, _, err := key.GetStringValue(name)`
			`if err != nil {`
			`if err != registry.ErrNotExist {`
			`log.Printf("registry.GetStringValue(%v): %v", name, err)`
			`}`
cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`return "", err`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`}`
cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`return val, nil`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`}`

cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`func getRegIntegerInternal(subKey, name string) (uint64, error) {`
			`key, err := registry.OpenKey(registry.LOCAL_MACHINE, subKey, registry.READ)`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`if err != nil {`
cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`log.Printf("registry.OpenKey(%v): %v", subKey, err)`
			`return 0, err`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`}`
			`defer key.Close()`

			`val, _, err := key.GetIntegerValue(name)`
			`if err != nil {`
			`if err != registry.ErrNotExist {`
			`log.Printf("registry.GetIntegerValue(%v): %v", name, err)`
			`}`
cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`return 0, err`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`}`
cmd/tailscaled, util/winutil: add accessor functions for Windows system policies. This patch adds new functions to be used when accessing system policies, and revises callers to use the new functions. They first attempt the new registry path for policies, and if that fails, attempt to fall back to the legacy path. We keep non-policy variants of these functions because we should be able to retain the ability to read settings from locations that are not exposed to sysadmins for group policy edits. The remaining changes will be done in corp. Updates https://github.com/tailscale/tailscale/issues/3584 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-01-11 04:10:02 +08:00			`return val, nil`
ipn/ipnserver, util/winutil: update workaround for os/user.LookupId failures on Windows to reject SIDs from deleted/invalid security principals. Our current workaround made the user check too lax, thus allowing deleted users. This patch adds a helper function to winutil that checks that the uid's SID represents a valid Windows security principal. Now if `lookupUserFromID` determines that the SID is invalid, we simply propagate the error. Updates https://github.com/tailscale/tailscale/issues/869 Signed-off-by: Aaron Klotz <aaron@tailscale.com> 2022-02-03 01:55:32 +08:00			`}`

			`var (`
			`kernel32 = syscall.NewLazyDLL("kernel32.dll")`
			`procWTSGetActiveConsoleSessionId = kernel32.NewProc("WTSGetActiveConsoleSessionId")`
			`)`

			`// TODO(crawshaw): replace with x/sys/windows... one day.`
			`// https://go-review.googlesource.com/c/sys/+/331909`
			`func WTSGetActiveConsoleSessionId() uint32 {`
			`r1, _, _ := procWTSGetActiveConsoleSessionId.Call()`
			`return uint32(r1)`
			`}`

			`func isSIDValidPrincipal(uid string) bool {`
			`usid, err := syscall.StringToSid(uid)`
			`if err != nil {`
			`return false`
			`}`

			`_, _, accType, err := usid.LookupAccount("")`
			`if err != nil {`
			`return false`
			`}`

			`switch accType {`
			`case syscall.SidTypeUser, syscall.SidTypeGroup, syscall.SidTypeDomain, syscall.SidTypeAlias, syscall.SidTypeWellKnownGroup, syscall.SidTypeComputer:`
			`return true`
			`default:`
			`// Reject deleted users, invalid SIDs, unknown SIDs, mandatory label SIDs, etc.`
			`return false`
			`}`
			`}`