|
|
/*++
Copyright (c) 2000 Microsoft Corporation Module Name: authstate.cxx
Abstract: Authenticate state implementation (and authentication utilities)
Author: Ming Lu ( MingLu ) 2-Feb-2000
Environment: Win32 User Mode
Revision History:
--*/
#include "precomp.hxx"
#include "sspiprovider.hxx"
#include "digestprovider.hxx"
#include "iisdigestprovider.hxx"
#include "basicprovider.hxx"
#include "anonymousprovider.hxx"
#include "certmapprovider.hxx"
#include "iiscertmapprovider.hxx"
#include "customprovider.hxx"
#include "passportprovider.hxx"
#define IIS_SUBAUTH_NAME L"iissuba"
W3_STATE_AUTHENTICATION * W3_STATE_AUTHENTICATION::sm_pAuthState;BOOL W3_STATE_AUTHENTICATION::sm_fSubAuthConfigured = FALSE;BOOL W3_STATE_AUTHENTICATION::sm_fLocalSystem = FALSE;LONG W3_STATE_AUTHENTICATION::sm_lSubAuthAnonEvent = 0;LONG W3_STATE_AUTHENTICATION::sm_lSubAuthDigestEvent = 0;LONG W3_STATE_AUTHENTICATION::sm_lLocalSystemEvent = 0;PTRACE_LOG W3_USER_CONTEXT::sm_pTraceLog;PTRACE_LOG CONNECTION_AUTH_CONTEXT::sm_pTraceLog;
HRESULTW3_STATE_AUTHENTICATION::GetDefaultDomainName( VOID)/*++
Description: Fills in the member variable with the name of the default domain to use for logon validation
Arguments:
None
Returns: HRESULT
--*/{ OBJECT_ATTRIBUTES ObjectAttributes; NTSTATUS NtStatus; DWORD dwLength; DWORD err = 0; LSA_HANDLE LsaPolicyHandle = NULL; PPOLICY_ACCOUNT_DOMAIN_INFO pAcctDomainInfo = NULL; PPOLICY_PRIMARY_DOMAIN_INFO pPrimaryDomainInfo = NULL; HRESULT hr = S_OK;
//
// Open a handle to the local machine's LSA policy object.
//
InitializeObjectAttributes( &ObjectAttributes, NULL, 0L, NULL, NULL );
NtStatus = LsaOpenPolicy( NULL, &ObjectAttributes, POLICY_EXECUTE, &LsaPolicyHandle );
if( !NT_SUCCESS( NtStatus ) ) { DBGPRINTF(( DBG_CONTEXT, "cannot open lsa policy, error %08lX\n", NtStatus ));
err = LsaNtStatusToWinError( NtStatus );
//
// Failure LsaOpenPolicy() does not guarantee that
// LsaPolicyHandle was not touched.
//
LsaPolicyHandle = NULL;
goto Cleanup; }
//
// Query the account domain information from the policy object.
//
NtStatus = LsaQueryInformationPolicy( LsaPolicyHandle, PolicyAccountDomainInformation, (PVOID *)&pAcctDomainInfo );
if( !NT_SUCCESS( NtStatus ) ) {
DBGPRINTF(( DBG_CONTEXT, "cannot query lsa policy info, error %08lX\n", NtStatus ));
err = LsaNtStatusToWinError( NtStatus ); goto Cleanup; }
DBG_ASSERT( pAcctDomainInfo != NULL ); dwLength = pAcctDomainInfo->DomainName.Length / sizeof( WCHAR );
if( dwLength < sizeof( _achDefaultDomainName ) / sizeof( WCHAR ) ) { wcsncpy( _achDefaultDomainName, (LPCWSTR)pAcctDomainInfo->DomainName.Buffer, dwLength );
_achDefaultDomainName[ dwLength ] = L'\0'; } else { err = ERROR_INSUFFICIENT_BUFFER; goto Cleanup; }
//
// Query the primary domain information from the policy object.
//
NtStatus = LsaQueryInformationPolicy( LsaPolicyHandle, PolicyPrimaryDomainInformation, (PVOID *)&pPrimaryDomainInfo );
if( !NT_SUCCESS( NtStatus ) ) {
DBGPRINTF(( DBG_CONTEXT, "cannot query lsa policy info, error %08lX\n", NtStatus ));
err = LsaNtStatusToWinError( NtStatus ); goto Cleanup; }
DBG_ASSERT( pPrimaryDomainInfo != NULL ); if( pPrimaryDomainInfo->Sid ) { //
// We are a domain member
//
_fIsDomainMember = TRUE;
//
// Tres freakin lame. Gotta call into GetComputerNameEx() since I
// need to fully qualified name. If it fails, oh well, we don't
// provide a default domain name for Passport calls
//
dwLength = sizeof( _achMemberDomainName ) / sizeof( WCHAR );
GetComputerNameEx( ComputerNameDnsDomain, _achMemberDomainName, &dwLength ); } else { _fIsDomainMember = FALSE; }
//
// Success!
//
DBG_ASSERT( err == 0 );
Cleanup:
if( pAcctDomainInfo != NULL ) { LsaFreeMemory( (PVOID)pAcctDomainInfo ); pAcctDomainInfo = NULL; }
if( pPrimaryDomainInfo != NULL ) { LsaFreeMemory( (PVOID)pPrimaryDomainInfo ); pPrimaryDomainInfo = NULL; }
if( LsaPolicyHandle != NULL ) { LsaClose( LsaPolicyHandle ); }
if ( err ) { hr = HRESULT_FROM_WIN32( err ); }
return hr;};
//static
HRESULTW3_STATE_AUTHENTICATION::SplitUserDomain( STRU & strUserDomain, STRU * pstrUserName, STRU * pstrDomainName, WCHAR * pszDefaultDomain, BOOL * pfPossibleUPNLogon)/*++
Description: Split the input user name into user/domain.
Arguments:
strUserDomain - Combined domain\username (not altered) pstrUserName - Filled with user name only pstrDomainName - Filled with domain name (either embedded in *pstrUserName,or from metabase/computer domain name) pszDefaultDomain - Default domain specified in metabase pfPossibleUPNLogon - TRUE if we may need to do UNP logon, otherwise FALSE
Returns: HRESULT
--*/{ WCHAR * pszUserName; WCHAR * pszDomain; DWORD cbDomain; HRESULT hr; if ( pstrUserName == NULL || pstrDomainName == NULL || pfPossibleUPNLogon == NULL ) { DBG_ASSERT( FALSE ); return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER ); } pszUserName = wcspbrk( strUserDomain.QueryStr(), L"/\\" ); if ( pszUserName == NULL ) { //
// No domain in the user name. First try the metabase domain
// name
//
pszDomain = pszDefaultDomain; if ( pszDomain == NULL || *pszDomain == L'\0' ) { //
// No metabase domain, use default domain name
//
pszDomain = QueryDefaultDomainName(); DBG_ASSERT( pszDomain != NULL ); } pszUserName = strUserDomain.QueryStr(); hr = pstrDomainName->Copy( pszDomain ); if ( FAILED( hr ) ) { return hr; }
*pfPossibleUPNLogon = TRUE; } else { cbDomain = DIFF( pszUserName - strUserDomain.QueryStr() ); if( cbDomain == 0 ) { hr = pstrDomainName->Copy( L"." ); } else { hr = pstrDomainName->Copy( strUserDomain.QueryStr(), cbDomain ); }
if ( FAILED( hr ) ) { return hr; }
pszUserName = pszUserName + 1;
*pfPossibleUPNLogon = FALSE; } hr = pstrUserName->Copy( pszUserName ); if ( FAILED( hr ) ) { return hr; } return NO_ERROR;}
HRESULTW3_STATE_AUTHENTICATION::OnAccessDenied( W3_MAIN_CONTEXT * pMainContext)/*++
Description: Called when a resource is access denied. This routines will call all authentication providers so that they may add authentication headers, etc.
Arguments:
pMainContext - main context
Returns: HRESULT
--*/{ AUTH_PROVIDER * pProvider; DWORD cProviderCount = 0; W3_METADATA * pMetaData; HRESULT hr = NO_ERROR; if ( pMainContext == NULL ) { DBG_ASSERT( FALSE ); return HRESULT_FROM_WIN32( GetLastError() ); } pMetaData = pMainContext->QueryUrlContext()->QueryMetaData(); DBG_ASSERT( pMetaData != NULL );
//
// Loop thru all authentication providers
//
for ( cProviderCount = 0; ; cProviderCount++ ) { pProvider = _rgAuthProviders[ cProviderCount ]; if ( pProvider == NULL ) { break; } //
// Only call OnAccessDenied() if the authentication provider is
// supported for the given metadata of the denied request
//
if ( !pMetaData->QueryAuthTypeSupported( pProvider->QueryAuthType() ) ) { continue; } //
// Don't care about the return value here since we want to add
// all possible authentication headers
//
hr = pProvider->OnAccessDenied( pMainContext ); } return hr;} HRESULTW3_STATE_AUTHENTICATION::GetSubAuthConfiguration( VOID )/*++
Description: Find out if sub authenticator is configured correctly for the current process.
Arguments:
None.
Returns: HRESULT
--*/{ HRESULT hr = S_OK; PPRIVILEGE_SET pPrivilegeSet = NULL; HANDLE hProcessToken = NULL; BOOL fPrivilegeEnabled = FALSE; HKEY hKey = NULL; LUID TcbPrivilegeValue; WCHAR pszSubAuthName[ sizeof( IIS_SUBAUTH_NAME ) ]; DWORD dwType; DWORD cbValue;
if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken ) ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Exit; }
DBG_ASSERT( hProcessToken != NULL ); pPrivilegeSet = ( PPRIVILEGE_SET )LocalAlloc( LMEM_FIXED, sizeof( PRIVILEGE_SET ) + sizeof( LUID_AND_ATTRIBUTES ) ); if( pPrivilegeSet == NULL ) { hr = HRESULT_FROM_WIN32( ERROR_NOT_ENOUGH_MEMORY ); goto Exit; }
if ( !LookupPrivilegeValue( NULL, L"SeTcbPrivilege", &TcbPrivilegeValue ) ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Exit; }
pPrivilegeSet->PrivilegeCount = 1; pPrivilegeSet->Control = PRIVILEGE_SET_ALL_NECESSARY; pPrivilegeSet->Privilege[0].Luid = TcbPrivilegeValue; pPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
if( !PrivilegeCheck( hProcessToken, pPrivilegeSet, &fPrivilegeEnabled ) ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Exit; }
if( fPrivilegeEnabled ) { sm_fLocalSystem = TRUE; }
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet\\Control\\Lsa\\MSV1_0", 0, KEY_READ, &hKey ) == ERROR_SUCCESS ) { DBG_ASSERT( hKey != NULL );
cbValue = sizeof pszSubAuthName; if ( RegQueryValueEx( hKey, L"Auth132", NULL, &dwType, (LPBYTE) pszSubAuthName, &cbValue ) != ERROR_SUCCESS || dwType != REG_SZ || _wcsicmp( pszSubAuthName, IIS_SUBAUTH_NAME ) ) { } else { sm_fSubAuthConfigured = TRUE; }
RegCloseKey( hKey ); hKey = NULL; }
Exit: if( pPrivilegeSet != NULL ) { LocalFree( pPrivilegeSet ); pPrivilegeSet = NULL; }
return hr;}
W3_STATE_AUTHENTICATION::W3_STATE_AUTHENTICATION(){ _pAnonymousProvider = NULL; _pCustomProvider = NULL; _fHasAssociatedUserBefore = FALSE; //
// Figure out the default domain name once
//
_hr = GetDefaultDomainName(); if ( FAILED( _hr ) ) { return; } //
// Figure out if we can use the IIS subauthenticator
//
_hr = GetSubAuthConfiguration(); if( FAILED( _hr ) ) { return; } //
// Initialize all the authentication providers
//
ZeroMemory( _rgAuthProviders, sizeof( _rgAuthProviders ) ); _hr = InitializeAuthenticationProviders(); if ( FAILED( _hr ) ) { return; }
//
// Initialize reverse DNS service
//
if (!InitRDns()) { _hr = HRESULT_FROM_WIN32(GetLastError());
DBGPRINTF(( DBG_CONTEXT, "Error initializing RDns service. hr = 0x%x\n", _hr )); TerminateAuthenticationProviders(); return; }
//
// Initialize the W3_USER_CONTEXT reftrace log
//
#if DBG
W3_USER_CONTEXT::sm_pTraceLog = CreateRefTraceLog( 2000, 0 );#else
W3_USER_CONTEXT::sm_pTraceLog = NULL;#endif
//
// Store a pointer to the singleton (no C++ goo used in creating
// this singleton)
//
if ( sm_pAuthState != NULL ) { DBG_ASSERT( sm_pAuthState != NULL ); _hr = HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER ); } else { sm_pAuthState = this; }}
W3_STATE_AUTHENTICATION::~W3_STATE_AUTHENTICATION(){ if ( W3_USER_CONTEXT::sm_pTraceLog != NULL ) { DestroyRefTraceLog( W3_USER_CONTEXT::sm_pTraceLog ); W3_USER_CONTEXT::sm_pTraceLog = NULL; }
TerminateRDns(); TerminateAuthenticationProviders(); sm_pAuthState = NULL;}
HRESULTW3_STATE_AUTHENTICATION::InitializeAuthenticationProviders( VOID)/*++
Routine Description:
Initialize all authentication providers
Arguments:
None Return Value:
HRESULT
--*/{ HRESULT hr = NO_ERROR; DWORD cProviderCount = 0;
//
// Initialize trace for connection contexts
//
hr = CONNECTION_AUTH_CONTEXT::Initialize(); if ( FAILED( hr ) ) { goto Failure; }
//
// Certificate map provider. This must be the first !!!!!!
//
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new CERTMAP_AUTH_PROVIDER; if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } cProviderCount++;
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new IISCERTMAP_AUTH_PROVIDER; if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } cProviderCount++;
//
// SSPI provider
//
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new SSPI_AUTH_PROVIDER( MD_AUTH_NT ); if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } cProviderCount++;
//
// Digest provider
//
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new DIGEST_AUTH_PROVIDER( MD_AUTH_MD5 ); if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } cProviderCount++;
//
// IIS Digest provider (for backward compatibility)
//
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new IIS_DIGEST_AUTH_PROVIDER(); if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } cProviderCount++; //
// Basic provider
//
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new BASIC_AUTH_PROVIDER; if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } cProviderCount++; //
// Passport provider
//
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new PASSPORT_AUTH_PROVIDER; if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } cProviderCount++; //
// Anonymous provider.
//
// Note: This one should always be the last one
//
DBG_ASSERT( cProviderCount < AUTH_PROVIDER_COUNT ); _rgAuthProviders[ cProviderCount ] = new ANONYMOUS_AUTH_PROVIDER; if ( _rgAuthProviders[ cProviderCount ] == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; } hr = _rgAuthProviders[ cProviderCount ]->Initialize( cProviderCount ); if ( FAILED( hr ) ) { delete _rgAuthProviders[ cProviderCount ]; _rgAuthProviders[ cProviderCount ] = NULL; goto Failure; } _pAnonymousProvider = _rgAuthProviders[ cProviderCount ]; cProviderCount++;
//
// Custom provider. Not really a provider in the sense that it does not
// participate in authenticating a request. Instead, it is just used
// as a stub provider for custom authentication done with
// HSE_REQ_EXEC_URL
//
_pCustomProvider = new CUSTOM_AUTH_PROVIDER; if ( _pCustomProvider == NULL ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto Failure; }
return NO_ERROR; Failure: for ( DWORD i = 0; i < AUTH_PROVIDER_COUNT; i++ ) { if ( _rgAuthProviders[ i ] != NULL ) { _rgAuthProviders[ i ]->Terminate(); delete _rgAuthProviders[ i ]; _rgAuthProviders[ i ] = NULL; } } CONNECTION_AUTH_CONTEXT::Terminate(); return hr;}
VOIDW3_STATE_AUTHENTICATION::TerminateAuthenticationProviders( VOID)/*++
Routine Description:
Terminate all authentication providers
Arguments:
None Return Value:
None
--*/{ for ( DWORD i = 0; i < AUTH_PROVIDER_COUNT; i++ ) { if ( _rgAuthProviders[ i ] != NULL ) { _rgAuthProviders[ i ]->Terminate(); delete _rgAuthProviders[ i ]; _rgAuthProviders[ i ] = NULL; } } if ( _pCustomProvider != NULL ) { delete _pCustomProvider; _pCustomProvider = NULL; } CONNECTION_AUTH_CONTEXT::Terminate();}
CONTEXT_STATUSW3_STATE_AUTHENTICATION::DoWork( W3_MAIN_CONTEXT * pMainContext, DWORD cbCompletion, DWORD dwCompletionStatus )/*++
Routine Description:
Handle authentication for this request
Arguments:
pMainContext - W3_MAIN_CONTEXT representing execution of state machine cbCompletion - Number of bytes in an async completion dwCompletionStatus - Error status of a completion Return Value:
CONTEXT_STATUS_CONTINUE - if we should continue in state machine else stop executing the machine and free up the current thread
--*/{ DWORD cProviderCount = 0; AUTH_PROVIDER * pProvider = NULL; W3_METADATA * pMetaData = NULL; W3_USER_CONTEXT * pUserContext = NULL; BOOL fSupported = FALSE; HRESULT hr = NO_ERROR; BOOL fApplies = FALSE; BOOL fFilterFinished = FALSE; W3_MAIN_CONTEXT_STATE * pContextState = NULL; UNREFERENCED_PARAMETER( cbCompletion ); UNREFERENCED_PARAMETER( dwCompletionStatus ); DBG_ASSERT( pMainContext != NULL );
//
// If we already have a user context, then we must have had an
// AUTH_COMPLETE notification which caused the state machine to back up
// and resume from URLINFO state. In that case, just bail
//
if ( pMainContext->QueryUserContext() != NULL ) { DBG_ASSERT( pMainContext->IsNotificationNeeded( SF_NOTIFY_AUTH_COMPLETE ) );
return CONTEXT_STATUS_CONTINUE; } //
// First, find the authentication provider which applies. We
// should always find a matching provider (since anonymous
// provider) should always match!
//
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData(); DBG_ASSERT( pMetaData != NULL );
//
// Optimization for path when only anonymous authentication is enabled
// (certmapping is checked as well)
// Issue jaroslad 01/08/23. This may conflict in the future with
// DoesApply of new providers.
//
if ( pMetaData->IsOnlyAnonymousAuthSupported() && pMainContext->QueryRequest()->GetHeader( HttpHeaderAuthorization ) == NULL ) { //
// no authorization header and only anonymous enabled
//
pProvider = QueryAnonymousProvider(); DBG_ASSERT( pProvider != NULL ); } else { for ( ; ; ) { pProvider = _rgAuthProviders[ cProviderCount ]; if ( pProvider == NULL ) { break; } DBG_ASSERT( pProvider != NULL );
hr = pProvider->DoesApply( pMainContext, &fApplies ); if ( FAILED( hr ) ) { goto Finished; } if ( fApplies ) { //
// Cool. We have a match!
//
break; } cProviderCount++;
} } //
// If only the anonymous provider matched, then check whether we
// have credentials associated with the connection (since IE won't
// send Authorization: header for subsequent SSPI authenticated
// requests on a connection)
//
if ( pProvider->QueryAuthType() == MD_AUTH_ANONYMOUS ) { //
// Another slimy optimization. If we haven't associated a user
// with the connection, then we don't have to bother looking up
// connection
//
if ( _fHasAssociatedUserBefore ) { pUserContext = pMainContext->QueryConnectionUserContext(); if ( pUserContext != NULL ) { pProvider = pUserContext->QueryProvider(); DBG_ASSERT( pProvider != NULL ); }
//
// Clean up the security context if there is one
//
pProvider->SetConnectionAuthContext( pMainContext, NULL ); } } else { //
// If a provider applies, then ignore/remove any
// cached user associated with the request
//
pUserContext = pMainContext->QueryConnectionUserContext(); if ( pUserContext != NULL ) { pMainContext->SetConnectionUserContext( NULL ); pUserContext->DereferenceUserContext(); pUserContext = NULL; } }
//
// Is the given provider supported (by metadata)
//
if ( pMetaData->QueryAuthTypeSupported( pProvider->QueryAuthType() ) ) { fSupported = TRUE; } else if( pProvider->QueryAuthType() == MD_AUTH_ANONYMOUS ) { //
// Give the anonymous provider a shot at this request.
//
// We need to do this even if MD_AUTH_ANONYMOUS is not
// supported, so that authentication filters get a
// crack at it. It's up to the anonymous provider to
// fail if it's not supported, and no filter sets
// credentials.
//
pMainContext->SetCheckAnonAuthTypeSupported( TRUE ); fSupported = TRUE; } else { //
// If anonymous authentication is supported, then we can
// still let it thru
//
if ( pMetaData->QueryAuthTypeSupported( MD_AUTH_ANONYMOUS ) ) { pProvider = QueryAnonymousProvider(); DBG_ASSERT( pProvider != NULL );
//
// Anonymous provider applies, remove the previous cached
// user associated with the request
//
if ( pUserContext != NULL ) { pMainContext->SetConnectionUserContext( NULL ); pUserContext->DereferenceUserContext(); pUserContext = NULL; }
fSupported = TRUE; } }
//
// Not supported, you're outta here!
//
if ( !fSupported ) { //
// Clear any context state which was set
//
pContextState = pMainContext->QueryContextState(); if ( pContextState != NULL ) { pContextState->Cleanup( pMainContext ); pMainContext->SetContextState( NULL ); } pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized, Http401Config ); pMainContext->SetErrorStatus( HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED) ); pMainContext->SetFinishedResponse();
return CONTEXT_STATUS_CONTINUE; }
//
// Now we can authenticate
//
if ( pUserContext != NULL ) { //
// We already have a context associated with connection. Use it!
//
pUserContext->ReferenceUserContext(); pMainContext->SetUserContext( pUserContext ); } else { DBG_ASSERT( pProvider != NULL );
// perf ctr
pMainContext->QuerySite()->IncLogonAttempts();
fFilterFinished = FALSE;
hr = pProvider->DoAuthenticate( pMainContext, &fFilterFinished ); if ( FAILED( hr ) ) { DWORD dwError = WIN32_FROM_HRESULT( hr );
if( dwError == ERROR_PASSWORD_MUST_CHANGE || dwError == ERROR_PASSWORD_EXPIRED ) { hr = pMainContext->PasswdChangeExecute(); if( S_OK == hr ) { return CONTEXT_STATUS_PENDING; } else if( S_FALSE == hr ) { //
// S_FALSE means password change disabled
//
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized, Http401BadLogon ); pMainContext->SetErrorStatus( hr ); pMainContext->SetFinishedResponse();
return CONTEXT_STATUS_CONTINUE; } } else if( SEC_E_NO_CREDENTIALS == hr ) { pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized, Http401Config ); pMainContext->SetErrorStatus( hr ); pMainContext->SetFinishedResponse();
return CONTEXT_STATUS_CONTINUE; } else { pMainContext->SetErrorStatus( hr );
if ( dwError == ERROR_ACCESS_DENIED ) { pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized, Http401Filter ); } else if ( dwError == ERROR_FILE_NOT_FOUND || dwError == ERROR_PATH_NOT_FOUND ) { pMainContext->QueryResponse()->SetStatus( HttpStatusNotFound ); } else { pMainContext->QueryResponse()->SetStatus( HttpStatusServerError ); }
pMainContext->SetFinishedResponse(); pMainContext->SetDisconnect( TRUE ); return CONTEXT_STATUS_CONTINUE; }
goto Finished; } if ( fFilterFinished ) { pMainContext->SetDone();
goto Finished; } }
//
// Do we have a valid user now
//
pUserContext = pMainContext->QueryUserContext();
if ( pUserContext != NULL ) { if ( pUserContext->QueryAuthType() != MD_AUTH_ANONYMOUS ) { hr = pMainContext->PasswdExpireNotify(); if( FAILED( hr ) ) { //
// Internal error
//
goto Finished; } else if( hr == S_OK ) { //
// We've successfully handled password expire
// notification
//
return CONTEXT_STATUS_PENDING; }
//
// Advanced password expire notification is disabled,
// we should allow the user to get access, fall through
//
} //
// Should we cache the user on the connection? Do so, only if
//
DBG_ASSERT( pMetaData != NULL ); if ( pMetaData->QueryAuthPersistence() != MD_AUTH_SINGLEREQUEST && pUserContext->QueryIsAuthNTLM() && !pMainContext->QueryRequest()->IsProxyRequest() && pUserContext != pMainContext->QueryConnectionUserContext() ) { pUserContext->ReferenceUserContext(); pMainContext->SetConnectionUserContext( pUserContext ); _fHasAssociatedUserBefore = TRUE; } } else { //
// If we don't have a user, then we must not allow handle request
// state to happen!
//
pMainContext->SetFinishedResponse(); } //
// OK. If we got to here and we have a user context, then authentication
// is complete! So lets notify AUTH_COMPLETE filters
//
if ( pUserContext != NULL ) { if ( pMainContext->IsNotificationNeeded( SF_NOTIFY_AUTH_COMPLETE ) ) { HTTP_FILTER_AUTH_COMPLETE_INFO AuthInfo; STACK_STRU( strOriginal, MAX_PATH ); STACK_STRU( strNewUrl, MAX_PATH ); BOOL fFinished = FALSE; //
// Store away the original URL
//
hr = pMainContext->QueryRequest()->GetUrl( &strOriginal ); if ( FAILED( hr ) ) { goto Finished; }
//
// Call the filter
//
if ( !pMainContext->NotifyFilters( SF_NOTIFY_AUTH_COMPLETE, &AuthInfo, &fFinished ) ) { DWORD dwError = GetLastError();
pMainContext->SetErrorStatus( HRESULT_FROM_WIN32( dwError ) );
if ( dwError == ERROR_ACCESS_DENIED ) { pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized, Http401Filter ); } else if ( dwError == ERROR_FILE_NOT_FOUND || dwError == ERROR_PATH_NOT_FOUND ) { pMainContext->QueryResponse()->SetStatus( HttpStatusNotFound ); } else { pMainContext->QueryResponse()->SetStatus( HttpStatusServerError ); }
pMainContext->SetFinishedResponse(); pMainContext->SetDisconnect( TRUE ); return CONTEXT_STATUS_CONTINUE; } if ( fFinished ) { pMainContext->SetDone(); return CONTEXT_STATUS_CONTINUE; } //
// If the URL has changed, we'll need to backup the state machine
//
hr = pMainContext->QueryRequest()->GetUrl( &strNewUrl ); if ( FAILED( hr ) ) { goto Finished; } if ( wcscmp( strNewUrl.QueryStr(), strOriginal.QueryStr() ) != 0 ) { //
// URL is different!
//
pMainContext->BackupStateMachine(); } else { //
// URL is the same. Do nothing and continue
//
} } }
Finished: if ( FAILED( hr ) ) { pMainContext->QueryResponse()-> SetStatus( HttpStatusServerError ); pMainContext->SetFinishedResponse(); pMainContext->SetErrorStatus( hr ); } return CONTEXT_STATUS_CONTINUE;}
CONTEXT_STATUSW3_STATE_AUTHENTICATION::OnCompletion( W3_MAIN_CONTEXT * pMainContext, DWORD cbCompletion, DWORD dwCompletionStatus)/*++
Routine Description:
Complete the done state
Arguments:
pMainContext - W3_MAIN_CONTEXT representing an execution of the state machine cbCompletion - Number of bytes on completion dwCompletionStatus - Win32 Error on completion (if any) Return Value:
CONTEXT_STATUS_CONTINUE - if we should continue in state machine else stop executing the machine and free up the current thread
--*/{ UNREFERENCED_PARAMETER( cbCompletion ); UNREFERENCED_PARAMETER( dwCompletionStatus ); DBG_ASSERT( pMainContext != NULL ); //
// During authentication state, only the routines for password notification
// could post asynchonous completion while they are doing child execution.
// The following assert is to make sure that the completion is posted by
// ExecuteExpiredURL routine.
//
DBG_ASSERT( pMainContext->QueryRequest()->GetHeader( "CFG-ENC-CAPS" ) != NULL ); //
// Since the response has already been send asynchronously, we advance the
// state machine to CONTEXT_STATE_RESPONSE here.
//
pMainContext->SetFinishedResponse();
return CONTEXT_STATUS_CONTINUE;}
|
