Overview

The Security Manager provides comprehensive security and access control for FreeWorld OS. It manages user sessions, access tokens, and ACLs (Access Control Lists), and offers Windows-compatible security functionality, including SID generation and security descriptors.

Features

  • Session Management: Create and manage user sessions
  • Access Token Management: Create, validate, and manage access tokens
  • ACL Support: Access Control List checking and validation
  • Token Impersonation: Impersonate tokens for service operations
  • SID Generation: Security Identifier generation (Windows-compatible)
  • Security Descriptors: Create and validate security descriptors
  • Privilege Management: Calculate and check user privileges
  • Group Membership: Check user group membership

Session Management

Manage user sessions:

  • createSession(userId, username, groups) - Create a new user session
  • destroySession(sessionId) - Destroy a session
  • getCurrentSession() - Get current active session

Access Token Management

Manage access tokens:

  • createToken(userId, username, groups) - Create access token
  • destroyToken(tokenId) - Destroy token
  • getToken(tokenId) - Get token by ID
  • getCurrentToken() - Get current session's token
  • impersonateToken(tokenId) - Impersonate a token
  • revertToSelf() - Revert impersonation

Access Control

Check access permissions:

  • checkAccess(token, resource, requestedAccess) - Check if token has access to resource
  • checkACL(token, acl, requestedAccess) - Check ACL entries
  • hasPrivilege(token, privilege) - Check if token has privilege
  • isAdministrator(token) - Check if user is administrator
  • isUserInGroup(token, groupName) - Check group membership

ACL Management

Create and manage Access Control Lists:

  • createACL(entries) - Create ACL with entries
  • createACLEntry(principal, accessRights, type) - Create ACL entry

SID Generation

Generate Security Identifiers (Windows-compatible):

  • getUserSID(userId) - Get user SID
  • getGroupSID(groupId) - Get group SID

SID format: S-1-5-21-{uid}-{uid}-{uid}

Security Descriptors

Create and validate security descriptors:

  • createSecurityDescriptor(owner, group, dacl, sacl) - Create security descriptor
  • validateSecurityDescriptor(descriptor) - Validate security descriptor

Access Rights

The Security Manager supports the following access rights:

  • GENERIC_READ: Generic read access
  • GENERIC_WRITE: Generic write access
  • GENERIC_EXECUTE: Generic execute access
  • GENERIC_ALL: All access rights
  • FILE_READ_DATA: Read file data
  • FILE_WRITE_DATA: Write file data
  • FILE_EXECUTE: Execute file

Usage Example

const SecurityManager = require('./system/security');

const securityMgr = new SecurityManager();

// Create session
const session = securityMgr.createSession(1000, 'user1', ['Users', 'Administrators']);
const token = session.token;

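// Check access
// `resource` is the object being accessed; it must already be defined
// (its shape is not documented on this page)
if (securityMgr.checkAccess(token, resource, SecurityManager.ACCESS_RIGHTS.GENERIC_READ)) {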
    // Allow access
}

// Check if administrator
if (securityMgr.isAdministrator(token)) {
    // User is administrator
}

// Create ACL
const acl = securityMgr.createACL([
    securityMgr.createACLEntry('user1', SecurityManager.ACCESS_RIGHTS.GENERIC_ALL, 'ALLOW'),
    securityMgr.createACLEntry('Users', SecurityManager.ACCESS_RIGHTS.GENERIC_READ, 'ALLOW')
]);
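
How an ordered ACL check of the kind checkACL(token, acl, requestedAccess) performs can behave, shown as an added example that is not FreeWorld OS code. Assumptions: the token and entry object shapes, the 'DENY' entry type, the Windows numeric values for the access rights, the simplified generic-to-file mapping, and in-order evaluation with default deny modeled on Windows DACL semantics.

```javascript
// Added illustration, not FreeWorld OS source. Numeric values are the Windows
// constants for these names; the project's own values are not on the page.
const RIGHTS = {
  GENERIC_READ: 0x80000000, GENERIC_WRITE: 0x40000000,
  GENERIC_EXECUTE: 0x20000000, GENERIC_ALL: 0x10000000,
  FILE_READ_DATA: 0x0001, FILE_WRITE_DATA: 0x0002, FILE_EXECUTE: 0x0020,
};

// Assumed, simplified generic-to-file mapping using only the rights listed above.
function mapGeneric(mask) {
  let bits = mask & 0xffff; // keep object-specific bits as they are
  if (mask & RIGHTS.GENERIC_READ) bits |= RIGHTS.FILE_READ_DATA;
  if (mask & RIGHTS.GENERIC_WRITE) bits |= RIGHTS.FILE_WRITE_DATA;
  if (mask & RIGHTS.GENERIC_EXECUTE) bits |= RIGHTS.FILE_EXECUTE;
  if (mask & RIGHTS.GENERIC_ALL) bits |= 0x0023; // read | write | execute
  return bits;
}

// Hypothetical evaluator: token = { username, groups }, acl = array of
// { principal, accessRights, type } with type 'ALLOW' or (assumed) 'DENY'.
function evaluateAcl(token, acl, requestedAccess) {
  const principals = new Set([token.username, ...token.groups]);
  let remaining = mapGeneric(requestedAccess);
  if (remaining === 0) return false; // nothing recognisable requested
  for (const ace of acl) {
    if (!principals.has(ace.principal)) continue;
    const bits = mapGeneric(ace.accessRights);
    if (ace.type === 'DENY' && (bits & remaining)) return false;
    if (ace.type === 'ALLOW') {
      remaining &= ~bits;
      if (remaining === 0) return true; // every requested bit granted
    }
  }
  return false; // default deny: some requested bit was never granted
}

// Constructed sample data, mirroring the usage example on this page.
const admin = { username: 'user1', groups: ['Users', 'Administrators'] };
const guest = { username: 'user2', groups: ['Users'] };
const pageAcl = [
  { principal: 'user1', accessRights: RIGHTS.GENERIC_ALL, type: 'ALLOW' },
  { principal: 'Users', accessRights: RIGHTS.GENERIC_READ, type: 'ALLOW' },
];
const denyFirst = [
  { principal: 'Users', accessRights: RIGHTS.FILE_WRITE_DATA, type: 'DENY' },
  pageAcl[0],
];
const denyLast = [pageAcl[0], denyFirst[0]];
```

With denyLast the write request is granted because the ALLOW entry is reached before the DENY entry, which is why deny entries belong ahead of allow entries when an ACL is built.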

Integration

The Security Manager integrates with:

  • Object Manager: Access control for file operations
  • Filesystem: File permission checking
  • Process Management: Process security context
  • Error Manager: Error reporting for access denied
