archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/authz/test/fundsrm/fundsrmp.c

329 lines
7.9 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. #include "pch.h"
  2. #include "fundsrmp.h"
  4. //
  5. // The various SIDs, the easy way
  6. //
  8. DWORD BobGuid[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x00020001};
  9. DWORD MarthaGuid[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x00020002};
  10. DWORD JoeGuid[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x00020003};
  11. DWORD VPGuid[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x00010001};
  12. DWORD ManagerGuid[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x00010002};
  13. DWORD EmployeeGuid[] = {0x00000501, 0x05000000, 0x00000015, 0x17b85159, 0x255d7266, 0x0b3b6364, 0x00010003};
  14. DWORD EveryoneGuid[] = {0x101, 0x01000000, 0};
  15. PSID BobSid = (PSID)BobGuid;
  16. PSID MarthaSid= (PSID)MarthaGuid;
  17. PSID JoeSid = (PSID)JoeGuid;
  18. PSID VPSid = (PSID)VPGuid;
  19. PSID ManagerSid = (PSID)ManagerGuid;
  20. PSID EmployeeSid = (PSID)EmployeeGuid;
  21. PSID EveryoneSid = (PSID)EveryoneGuid;
  23. //
  24. // Maximum spending approvals, in cents
  25. //
  27. DWORD MaxSpendingVP = 100000000;
  28. DWORD MaxSpendingManager = 1000000;
  29. DWORD MaxSpendingEmployee = 50000;
  32. //
  33. // The callback routines used with AuthZ
  34. //
  36. BOOL
  37. FundsAccessCheck(
  38. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  39. IN PACE_HEADER pAce,
  40. IN PVOID pArgs OPTIONAL,
  41. IN OUT PBOOL pbAceApplicable
  42. )
  44. /*++
  46. Routine Description
  48. This is the callback access check. It is registered with a
  49. resource manager. AuthzAccessCheck calls this function when it
  50. encounters a callback type ACE, one of:
  51. ACCESS_ALLOWED_CALLBACK_ACE_TYPE
  52. ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE
  53. ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE
  55. This function determines if the given callback ACE applies to the
  56. client context (which has already had dynamic groups computed) and
  57. the optional arguments, in this case the request amount.
  59. The list of groups which apply to the user is traversed. If a group
  60. is found which allows the user the requested access, pbAceApplicable
  61. is set to true and the function returns. If the end of the group list
  62. is reached, pbAceApplicable is set to false and the function returns.
  64. Arguments
  66. hAuthzClientContext - handle to the AuthzClientContext.
  68. pAce - pointer to the Ace header.
  70. pArgs - optional arguments, in this case DWORD*, DWORD is the spending
  71. request amount in cents
  73. pbAceApplicable - returns true iff the ACE allows the client's request
  75. Return value
  77. Bool, true on success, false on error
  79. Error checking
  81. Sample code, no error checking
  83. --*/
  84. {
  85. //
  86. // First, look up the user's SID from the context
  87. //
  89. DWORD dwTokenGroupsSize = 0;
  90. PVOID pvTokenGroupsBuf = NULL;
  91. DWORD i;
  92. PDWORD pAccessMask = NULL;
  94. //
  95. // The requested spending amount, in cents
  96. //
  98. DWORD dwRequestedSpending = ((PDWORD)pArgs)[0];
  100. //
  101. // By default, the ACE does not apply to the request
  102. //
  104. *pbAceApplicable = FALSE;
  106. //
  107. // The object's access mask (right after the ACE_HEADER)
  108. // The access mask determines types of expenditures allowed
  109. // from this fund
  110. //
  112. pAccessMask = (PDWORD) (pAce + sizeof(ACE_HEADER));
  114. //
  115. // Get needed buffer size
  116. //
  118. AuthzGetContextInformation(hAuthzClientContext,
  119. AuthzContextInfoGroupsSids,
  120. NULL,
  121. 0,
  122. &dwTokenGroupsSize
  123. );
  125. pvTokenGroupsBuf = malloc(dwTokenGroupsSize);
  127. //
  128. // Get the actual TOKEN_GROUPS array
  129. //
  131. AuthzGetContextInformation(hAuthzClientContext,
  132. AuthzContextInfoGroupsSids,
  133. pvTokenGroupsBuf,
  134. dwTokenGroupsSize,
  135. &dwTokenGroupsSize
  136. );
  139. //
  140. // Go through the groups until end is reached or a group applying to the
  141. // request is found
  142. //
  144. for( i = 0;
  145. i < ((PTOKEN_GROUPS)pvTokenGroupsBuf)->GroupCount
  146. && *pbAceApplicable != TRUE;
  147. i++ )
  148. {
  149. //
  150. // Again, this is the business logic.
  151. // Each level of employee can approve different amounts.
  152. //
  154. //
  155. // VP
  156. //
  158. if( dwRequestedSpending <= MaxSpendingVP &&
  159. EqualSid(VPSid, ((PTOKEN_GROUPS)pvTokenGroupsBuf)->Groups[i].Sid) )
  160. {
  161. *pbAceApplicable = TRUE;
  163. }
  165. //
  166. // Manager
  167. //
  169. if( dwRequestedSpending <= MaxSpendingManager &&
  170. EqualSid(ManagerSid, ((PTOKEN_GROUPS)pvTokenGroupsBuf)->Groups[i].Sid) )
  171. {
  172. *pbAceApplicable = TRUE;
  173. }
  175. //
  176. // Employee
  177. //
  179. if( dwRequestedSpending <= MaxSpendingEmployee &&
  180. EqualSid(EmployeeSid, ((PTOKEN_GROUPS)pvTokenGroupsBuf)->Groups[i].Sid) )
  181. {
  182. *pbAceApplicable = TRUE;
  183. }
  184. }
  186. return TRUE;
  187. }
  191. BOOL
  192. FundsComputeDynamicGroups(
  193. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  194. IN PVOID Args,
  195. OUT PSID_AND_ATTRIBUTES *pSidAttrArray,
  196. OUT PDWORD pSidCount,
  197. OUT PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray,
  198. OUT PDWORD pRestrictedSidCount
  199. )
  201. /*++
  203. Routine Description
  205. Resource manager callback to compute dynamic groups. This is used by the RM
  206. to decide if the specified client context should be included in any RM defined groups.
  208. In this example, the employees are hardcoded into their roles. However, this is the
  209. place you would normally retrieve data from an external source to determine the
  210. users' additional roles.
  212. Arguments
  214. hAuthzClientContext - handle to client context.
  215. Args - optional parameter to pass information for evaluating group membership.
  216. pSidAttrArray - computed group membership SIDs
  217. pSidCount - count of SIDs
  218. pRestrictedSidAttrArray - computed group membership restricted SIDs
  219. pRestrictedSidCount - count of restricted SIDs
  221. Return Value
  223. Bool, true for success, false on failure.
  225. Error checking
  227. Sample code, no error checking
  229. --*/
  230. {
  231. //
  232. // First, look up the user's SID from the context
  233. //
  235. DWORD dwSidSize = 0;
  236. PVOID pvSidBuf = NULL;
  237. PSID psSidPtr = NULL;
  239. //
  240. // Get needed buffer size
  241. //
  243. AuthzGetContextInformation(hAuthzClientContext,
  244. AuthzContextInfoUserSid,
  245. NULL,
  246. 0,
  247. &dwSidSize
  248. );
  250. pvSidBuf = malloc(dwSidSize);
  252. //
  253. // Get the actual SID (inside a TOKEN_USER structure)
  254. //
  256. AuthzGetContextInformation(hAuthzClientContext,
  257. AuthzContextInfoUserSid,
  258. pvSidBuf,
  259. dwSidSize,
  260. &dwSidSize
  261. );
  263. psSidPtr = ((PTOKEN_USER)pvSidBuf)->User.Sid;
  265. //
  266. // Allocate the memory for the returns, which will be deallocated by FreeDynamicGroups
  267. // Only a single group will be returned, determining the employee type
  268. //
  270. *pSidCount = 1;
  271. *pSidAttrArray = (PSID_AND_ATTRIBUTES)malloc( sizeof(SID_AND_ATTRIBUTES) );
  273. //
  274. // No restricted group sids
  275. //
  277. pRestrictedSidCount = 0;
  278. *pRestrictedSidAttrArray = NULL;
  280. (*pSidAttrArray)[0].Attributes = SE_GROUP_ENABLED;
  282. //
  283. // The hardcoded logic:
  284. // Bob is a VP
  285. // Martha is a Manager
  286. // Joe is an Employee
  287. //
  289. if( EqualSid(psSidPtr, BobSid) )
  290. {
  291. (*pSidAttrArray)[0].Sid = VPSid;
  292. }
  293. else if( EqualSid(psSidPtr, MarthaSid) )
  294. {
  295. (*pSidAttrArray)[0].Sid = ManagerSid;
  296. }
  297. else if( EqualSid(psSidPtr, JoeSid) )
  298. {
  299. (*pSidAttrArray)[0].Sid = EmployeeSid;
  300. }
  302. free(pvSidBuf);
  303. return TRUE;
  304. }
  306. VOID
  307. FundsFreeDynamicGroups (
  308. IN PSID_AND_ATTRIBUTES pSidAttrArray
  309. )
  311. /*++
  313. Routine Description
  315. Frees memory allocated for the dynamic group array.
  317. Arguments
  319. pSidAttrArray - array to free.
  321. Return Value
  322. None.
  323. --*/
  324. {
  325. if (pSidAttrArray != NULL)
  326. {
  327. free(pSidAttrArray);
  328. }
  329. }