|
|
//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1998-2002
//
// File: SecurityPropertyPage.cpp
//
//--------------------------------------------------------------------------
/////////////////////////////////////////////////////////////////////
// casec.cpp
//
// ISecurityInformation implementation for CA objects
// and the new acl editor
//
// PURPOSE
//
//
// DYNALOADED LIBRARIES
//
// HISTORY
// 5-Nov-1998 petesk Copied template from privobsi.cpp sample.
// 6-Mar-2000 bryanwal Modified to support cert templates
//
/////////////////////////////////////////////////////////////////////
#include <stdafx.h>
#include <accctrl.h>
//#include <certca.h>
#include <sddl.h>
#include "CertTemplate.h"
// Important, keep enroll GUID in sync with string define in certacl.h
const GUID GUID_ENROLL = { /* 0e10c968-78fb-11d2-90d4-00c04f79dc55 */ 0x0e10c968, 0x78fb, 0x11d2, {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
const GUID GUID_AUTOENROLL = { /* a05b8cc2-17bc-4802-a710-e7c15ab866a2 */ 0xa05b8cc2, 0x17bc, 0x4802, {0xa7, 0x10, 0xe7, 0xc1, 0x5a, 0xb8, 0x66, 0xa2} };
//
// defined in Security.cpp
//
// // define our generic mapping structure for our private objects //
#define INHERIT_FULL (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)
#define ACTRL_CERTSRV_ENROLL (ACTRL_DS_CONTROL_ACCESS)
#define ACTRL_CERTSRV_MANAGE (ACTRL_DS_READ_PROP | \
ACTRL_DS_WRITE_PROP | \ READ_CONTROL | \ DELETE | \ WRITE_DAC | \ WRITE_OWNER | \ ACTRL_DS_CONTROL_ACCESS | \ ACTRL_DS_CREATE_CHILD | \ ACTRL_DS_DELETE_CHILD | \ ACTRL_DS_LIST | \ ACTRL_DS_SELF | \ ACTRL_DS_DELETE_TREE | \ ACTRL_DS_LIST_OBJECT)
#define ACTRL_CERTSRV_READ ( READ_CONTROL | \
ACTRL_DS_READ_PROP | \ ACTRL_DS_LIST )#define ACTRL_CERTSRV_WRITE ( WRITE_DAC | \
WRITE_OWNER | \ ACTRL_DS_WRITE_PROP )
GENERIC_MAPPING ObjMap = { ACTRL_CERTSRV_READ, DELETE | WRITE_DAC | WRITE_OWNER | ACTRL_DS_WRITE_PROP, 0, ACTRL_CERTSRV_MANAGE };
//
// DESCRIPTION OF ACCESS FLAG AFFECTS
//
// SI_ACCESS_GENERAL shows up on general properties page
// SI_ACCESS_SPECIFIC shows up on advanced page
// SI_ACCESS_CONTAINER shows on general page IF object is a container
//
SI_ACCESS g_siV1ObjAccesses[] ={ { &GUID_NULL, ACTRL_CERTSRV_MANAGE, MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_MANAGE), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }, { &GUID_NULL, ACTRL_CERTSRV_READ, MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_READ), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }, { &GUID_NULL, ACTRL_CERTSRV_WRITE, MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_WRITE), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }, { &GUID_ENROLL, ACTRL_CERTSRV_ENROLL, MAKEINTRESOURCE(IDS_ACTRL_ENROLL), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }};
SI_ACCESS g_siV2ObjAccesses[] ={ { &GUID_NULL, ACTRL_CERTSRV_MANAGE, MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_MANAGE), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }, { &GUID_NULL, ACTRL_CERTSRV_READ, MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_READ), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }, { &GUID_NULL, ACTRL_CERTSRV_WRITE, MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_WRITE), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }, { &GUID_ENROLL, ACTRL_CERTSRV_ENROLL, MAKEINTRESOURCE(IDS_ACTRL_ENROLL), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }, { &GUID_AUTOENROLL, ACTRL_CERTSRV_ENROLL, MAKEINTRESOURCE(IDS_ACTRL_AUTOENROLL), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }};
#define g_iObjDefAccess 1 // DS_GENERIC_READ
// The following array defines the inheritance types for my containers.
SI_INHERIT_TYPE g_siObjInheritTypes[] ={ &GUID_NULL, 0, MAKEINTRESOURCE(IDS_INH_NONE),};
class CCertTemplateSecurityObject : public ISecurityInformation{protected: ULONG m_cRef; CCertTemplate * m_pCertTemplate; PSECURITY_DESCRIPTOR m_pSD;
public: CCertTemplateSecurityObject() : m_cRef(1), m_pCertTemplate (0), m_pSD (0) { } virtual ~CCertTemplateSecurityObject();
STDMETHOD(Initialize)(CCertTemplate *pCertTemplate);
// IUnknown methods
STDMETHOD(QueryInterface)(REFIID, LPVOID *); STDMETHOD_(ULONG, AddRef)(); STDMETHOD_(ULONG, Release)(); // ISecurityInformation methods
STDMETHOD(GetObjectInformation)(PSI_OBJECT_INFO pObjectInfo); STDMETHOD(GetSecurity)(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR *ppSD, BOOL fDefault); STDMETHOD(SetSecurity)(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR pSD); STDMETHOD(GetAccessRights)(const GUID* pguidObjectType, DWORD dwFlags, PSI_ACCESS *ppAccess, ULONG *pcAccesses, ULONG *piDefaultAccess); STDMETHOD(MapGeneric)(const GUID *pguidObjectType, UCHAR *pAceFlags, ACCESS_MASK *pmask); STDMETHOD(GetInheritTypes)(PSI_INHERIT_TYPE *ppInheritTypes, ULONG *pcInheritTypes); STDMETHOD(PropertySheetPageCallback)(HWND hwnd, UINT uMsg, SI_PAGE_TYPE uPage);};
///////////////////////////////////////////////////////////////////////////////
//
// This is the entry point function called from our code that establishes
// what the ACLUI interface is going to need to know.
//
//
///////////////////////////////////////////////////////////////////////////////
HRESULT CreateCertTemplateSecurityInfo ( CCertTemplate *pCertTemplate, LPSECURITYINFO *ppObjSI){ _TRACE (1, L"Entering CreateCertTemplateSecurityInfo\n"); ASSERT (pCertTemplate && ppObjSI); if ( !pCertTemplate || !ppObjSI ) return E_POINTER;
HRESULT hr = S_OK; CCertTemplateSecurityObject *psi = new CCertTemplateSecurityObject; if ( psi) { *ppObjSI = NULL;
hr = psi->Initialize (pCertTemplate); if ( SUCCEEDED (hr) ) *ppObjSI = psi; else delete psi; } else hr = E_OUTOFMEMORY;;
_TRACE (-1, L"Leaving CreateCertTemplateSecurityInfo: 0x%x\n", hr); return hr;}
CCertTemplateSecurityObject::~CCertTemplateSecurityObject(){ if ( m_pSD ) { LocalFree (m_pSD); } if ( m_pCertTemplate ) m_pCertTemplate->Release ();}
STDMETHODIMPCCertTemplateSecurityObject::Initialize(CCertTemplate *pCertTemplate){ _TRACE (1, L"Entering CCertTemplateSecurityObject::Initialize\n"); HRESULT hr = S_OK;
if ( pCertTemplate ) { m_pCertTemplate = pCertTemplate; m_pCertTemplate->AddRef ();
hr = pCertTemplate->GetSecurity (&m_pSD); } else hr = E_POINTER;
_TRACE (-1, L"Leaving CCertTemplateSecurityObject::Initialize: 0x%x\n", hr); return hr;}
///////////////////////////////////////////////////////////
//
// IUnknown methods
//
///////////////////////////////////////////////////////////
STDMETHODIMP_(ULONG)CCertTemplateSecurityObject::AddRef(){ return ++m_cRef;}
STDMETHODIMP_(ULONG)CCertTemplateSecurityObject::Release(){ if (--m_cRef == 0) { delete this; return 0; }
return m_cRef;}
STDMETHODIMPCCertTemplateSecurityObject::QueryInterface(REFIID riid, LPVOID FAR* ppv){ if (IsEqualIID(riid, IID_IUnknown) || IsEqualIID(riid, IID_ISecurityInformation)) { *ppv = (LPSECURITYINFO)this; m_cRef++; return S_OK; } else { *ppv = NULL; return E_NOINTERFACE; }}
///////////////////////////////////////////////////////////
//
// ISecurityInformation methods
//
///////////////////////////////////////////////////////////
STDMETHODIMPCCertTemplateSecurityObject::GetObjectInformation(PSI_OBJECT_INFO pObjectInfo){ if ( pObjectInfo == NULL ) { return E_POINTER; } if ( m_pCertTemplate == NULL ) { return E_POINTER; }
// security review 2/21/2002 BryanWal ok
ZeroMemory(pObjectInfo, sizeof (SI_OBJECT_INFO)); pObjectInfo->dwFlags = SI_EDIT_ALL | SI_NO_ACL_PROTECT | SI_ADVANCED | SI_NO_ADDITIONAL_PERMISSION; if ( m_pCertTemplate->ReadOnly () ) pObjectInfo->dwFlags |= SI_READONLY;
AFX_MANAGE_STATE (AfxGetStaticModuleState ()); pObjectInfo->hInstance = AfxGetResourceHandle (); //AfxGetInstanceHandle ();
pObjectInfo->pszObjectName = const_cast<WCHAR *>((LPCTSTR)m_pCertTemplate->GetLDAPPath ()); return S_OK;}
STDMETHODIMPCCertTemplateSecurityObject::GetSecurity(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR *ppSD, BOOL fDefault){ _TRACE (1, L"Entering CCertTemplateSecurityObject::GetSecurity\n"); HRESULT hr = S_OK; DWORD dwLength = 0; SECURITY_DESCRIPTOR_CONTROL Control = SE_DACL_PROTECTED; DWORD dwRevision = 0;
*ppSD = NULL;
if (fDefault) return E_NOTIMPL;
//
// Assume that required privileges have already been enabled
//
hr = S_OK;
// find out out much to allocate
if ( !GetPrivateObjectSecurity(m_pSD, si, NULL, 0, &dwLength) ) { hr = HRESULT_FROM_WIN32 (GetLastError ()); if ( hr == HRESULT_FROM_WIN32 (ERROR_INSUFFICIENT_BUFFER) && dwLength ) { hr = S_OK; // allocate and
*ppSD = LocalAlloc(LPTR, dwLength); if (*ppSD ) { // retrieve
if ( GetPrivateObjectSecurity (m_pSD, si, *ppSD, dwLength, &dwLength) ) { if ( GetSecurityDescriptorControl(m_pSD, &Control, &dwRevision)) { Control &= SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED; // security review 2/21/2002 BryanWal ok - if it ain't broke, don't fix it
SetSecurityDescriptorControl (*ppSD, SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED, Control); } else { hr = HRESULT_FROM_WIN32 (GetLastError ()); _TRACE (0, L"GetSecurityDescriptorControl failed: 0x%x\n", hr); } } else { _TRACE (0, L"GetPrivateObjectSecurity failed: 0x%x\n", hr); hr = GetLastError(); LocalFree(*ppSD); *ppSD = NULL; } } else hr = E_OUTOFMEMORY; } else if ( FAILED (hr) ) { _TRACE (0, L"GetPrivateObjectSecurity failed: 0x%x\n", hr); } } else { hr = HRESULT_FROM_WIN32 (GetLastError ()); }
_TRACE (-1, L"Leaving CCertTemplateSecurityObject::GetSecurity: 0x%x\n", hr); return hr;}
STDMETHODIMPCCertTemplateSecurityObject::SetSecurity(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR pSD){ HRESULT hr = S_OK; HANDLE hClientToken = NULL; HANDLE hHandle = NULL; SECURITY_DESCRIPTOR_CONTROL Control = SE_DACL_PROTECTED; DWORD dwRevision = 0;
hHandle = GetCurrentThread(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32 (GetLastError()); } else { if (!OpenThreadToken(hHandle, TOKEN_QUERY, TRUE, // open as self
&hClientToken)) { hr = HRESULT_FROM_WIN32 (GetLastError()); CloseHandle(hHandle); hHandle = NULL; } } if(hr != S_OK) { hHandle = GetCurrentProcess(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32 (GetLastError()); } else { HANDLE hProcessToken = NULL; hr = S_OK;
if (!OpenProcessToken(hHandle, TOKEN_DUPLICATE, &hProcessToken)) { hr = HRESULT_FROM_WIN32 (GetLastError()); CloseHandle(hHandle); hHandle = NULL; } else { // security review 2/21/2002 BryanWal ok
if(!DuplicateToken(hProcessToken, SecurityImpersonation, &hClientToken)) { hr = HRESULT_FROM_WIN32 (GetLastError()); CloseHandle(hHandle); hHandle = NULL; } CloseHandle(hProcessToken); } } }
if ( SUCCEEDED (hr) ) { //
// Assume that required privileges have already been enabled
//
if ( SetPrivateObjectSecurityEx (si, pSD, &m_pSD, SEF_DACL_AUTO_INHERIT, &ObjMap, hClientToken) ) { if ( si & DACL_SECURITY_INFORMATION ) { if ( GetSecurityDescriptorControl (pSD, &Control, &dwRevision) ) { Control &= SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED; // security review 2/21/2002 BryanWal ok
SetSecurityDescriptorControl(m_pSD, SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED, Control); } }
hr = m_pCertTemplate->SetSecurity (m_pSD); } else { hr = HRESULT_FROM_WIN32 (GetLastError()); _TRACE (0, L"SetPrivateObjectSecurityEx () failed: 0x%x\n", hr); } }
if ( hClientToken ) { CloseHandle (hClientToken); } if ( hHandle ) { CloseHandle (hHandle); }
m_pCertTemplate->FailedToSetSecurity (FAILED (hr) ? true : false);
return hr;}
STDMETHODIMPCCertTemplateSecurityObject::GetAccessRights(const GUID* /*pguidObjectType*/, DWORD /*dwFlags*/, PSI_ACCESS *ppAccesses, ULONG *pcAccesses, ULONG *piDefaultAccess){ if ( !ppAccesses || !pcAccesses || !piDefaultAccess ) return E_POINTER;
if ( 1 == m_pCertTemplate->GetType () ) { *ppAccesses = g_siV1ObjAccesses; *pcAccesses = sizeof(g_siV1ObjAccesses)/sizeof(g_siV1ObjAccesses[0]); } else { *ppAccesses = g_siV2ObjAccesses; *pcAccesses = sizeof(g_siV2ObjAccesses)/sizeof(g_siV2ObjAccesses[0]); } *piDefaultAccess = g_iObjDefAccess;
return S_OK;}
STDMETHODIMPCCertTemplateSecurityObject::MapGeneric(const GUID* /*pguidObjectType*/, UCHAR * /*pAceFlags*/, ACCESS_MASK *pmask){ MapGenericMask(pmask, &ObjMap);
return S_OK;}
STDMETHODIMPCCertTemplateSecurityObject::GetInheritTypes(PSI_INHERIT_TYPE *ppInheritTypes, ULONG *pcInheritTypes){ *ppInheritTypes = g_siObjInheritTypes; *pcInheritTypes = sizeof(g_siObjInheritTypes)/sizeof(g_siObjInheritTypes[0]);
return S_OK;}
STDMETHODIMPCCertTemplateSecurityObject::PropertySheetPageCallback(HWND /*hwnd*/, UINT uMsg, SI_PAGE_TYPE /*uPage*/){ if ( PSPCB_CREATE == uMsg ) return E_NOTIMPL;
return S_OK;}
|
