archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/authz/test/samplerm/main.c

536 lines
15 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. #include "pch.h"
  2. #include "samplerm.h"
  6. void _cdecl wmain( int argc, WCHAR * argv[] )
  7. {
  8. NTSTATUS Status = STATUS_SUCCESS;
  10. BOOL b = TRUE;
  11. DWORD DesiredAccess;
  12. DWORD Callback;
  13. DWORD Iteration;
  15. AUTHZ_RESOURCE_MANAGER_HANDLE hRM = NULL;
  16. HANDLE hToken = NULL;
  17. LUID luid = {0xdead,0xbeef};
  18. AUTHZ_CLIENT_CONTEXT_HANDLE hCC1 = NULL;
  19. AUTHZ_CLIENT_CONTEXT_HANDLE hCC2 = NULL;
  20. AUTHZ_CLIENT_CONTEXT_HANDLE hCC3 = NULL;
  21. AUTHZ_ACCESS_REQUEST Request;
  22. PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY) Buffer;
  23. PSECURITY_DESCRIPTOR pSD = NULL;
  24. DWORD dwErr;
  25. ULONG i = 0, jj = 0;
  26. PACE_HEADER Ace = NULL;
  27. DWORD AceCount = 0;
  28. DWORD Len = 0;
  29. SID_AND_ATTRIBUTES SidAttr[1];
  30. AUTHZ_AUDIT_INFO_HANDLE hAuditInfo = NULL;
  31. AUTHZ_RM_AUDIT_INFO_HANDLE hRmAuditInfo;
  32. PAUDIT_PARAMS pAuditParams;
  34. AUTHZ_HANDLE AuthHandle = 0;
  35. PACL pAcl = NULL;
  36. AUDIT_EVENT_INFO AuditEventInfo;
  37. PSID pUserSid = NULL;
  38. AUTHZ_AUDIT_QUEUE_HANDLE hQueue;
  40. PWCHAR StringSD = L"O:BAG:DUD:(A;;0x40;;;s-1-2-2)(A;;0x1;;;BA)(OA;;0x2;6da8a4ff-0e52-11d0-a286-00aa00304900;;BA)(OA;;0x4;6da8a4ff-0e52-11d0-a286-00aa00304901;;BA)(OA;;0x8;6da8a4ff-0e52-11d0-a286-00aa00304903;;AU)(OA;;0x10;6da8a4ff-0e52-11d0-a286-00aa00304904;;BU)(OA;;0x20;6da8a4ff-0e52-11d0-a286-00aa00304905;;AU)(A;;0x40;;;PS)S:(AU;IDSAFA;0xFFFFFF;;;WD)";
  41. //PWCHAR StringSD = L"O:BAG:DUD:(A;;0x100;;;SY)(A;;0x100;;;PS)S:(AU;IDSA;SD;;;DU)";
  43. if (argc != 4)
  44. {
  45. wprintf(L"usage: %s access iter [callback]\n", argv[0]);
  46. exit(0);
  47. }
  50. DesiredAccess = wcstol(argv[1], NULL, 16);
  51. Iteration = wcstol(argv[2], NULL, 16);
  52. Callback = wcstol(argv[3], NULL, 16);
  54. //
  55. // Create the SD for the access checks
  56. //
  58. b = ConvertStringSecurityDescriptorToSecurityDescriptorW(StringSD, SDDL_REVISION_1, &pSD, NULL);
  60. if (!b)
  61. {
  62. wprintf(L"SDDL failed with %d\n", GetLastError());
  63. return;
  64. }
  66. //
  67. // If Callback aces are specified, change the DACL to use them
  68. //
  70. if (Callback)
  71. {
  72. pAcl = RtlpDaclAddrSecurityDescriptor((PISECURITY_DESCRIPTOR) pSD);
  73. AceCount = pAcl->AceCount;
  75. for (i = 0, Ace = FirstAce(pAcl); i < AceCount; i++, Ace = NextAce(Ace))
  76. {
  77. switch(Ace->AceType)
  78. {
  79. case ACCESS_ALLOWED_ACE_TYPE:
  80. Ace->AceType = ACCESS_ALLOWED_CALLBACK_ACE_TYPE;
  81. break;
  82. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  83. Ace->AceType = ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE;
  84. break;
  85. }
  86. }
  87. }
  90. AuditEventInfo.Version = AUDIT_TYPE_LEGACY;
  91. AuditEventInfo.u.Legacy.CategoryId = SE_CATEGID_OBJECT_ACCESS;
  92. AuditEventInfo.u.Legacy.AuditId = SE_AUDITID_OBJECT_OPERATION;
  93. AuditEventInfo.u.Legacy.ParameterCount = 11;
  95. b = AuthzInitializeAuditQueue(
  96. &hQueue,
  97. 0,
  98. 1000,
  99. 100,
  100. NULL
  101. );
  103. if (!b)
  104. {
  105. wprintf(L"authzinitauditqueueueueue %d\n", GetLastError());
  106. return;
  107. }
  109. if (!b)
  110. {
  111. printf("AuthzAllocInitRmAuditInfoHandle FAILED.\n");
  112. return;
  113. }
  115. b = AuthzInitializeResourceManager(
  116. MyAccessCheck,
  117. MyComputeDynamicGroups,
  118. MyFreeDynamicGroups,
  119. L"some rm",
  120. 0, // Flags
  121. &hRM
  122. );
  124. if (!b)
  125. {
  126. wprintf(L"AuthzInitializeResourceManager failed with %d\n", GetLastError());
  127. return;
  128. }
  130. // AuthzInitializeAuditParamsWithRM(
  131. // &pAuditParams,
  132. // hRM,
  133. // APF_AuditSuccess,
  134. // 1,
  135. // APT_String, L"Jeff operation"
  136. // );
  137. //
  138. //
  139. b = AuthzInitializeAuditInfo(
  140. &hAuditInfo,
  141. 0,
  142. hRM,
  143. &AuditEventInfo,
  144. NULL,//pAuditParams,
  145. hQueue,
  146. INFINITE,
  147. L"Cleaning",
  148. L"Toothbrush",
  149. L"Oral B",
  150. L"Rinse after brushing."
  151. );
  153. if (!b)
  154. {
  155. printf("AuthzInitAuditInfo FAILED with %d.\n", GetLastError());
  156. return;
  157. }
  159. OpenProcessToken(
  160. GetCurrentProcess(),
  161. TOKEN_QUERY,
  162. &hToken
  163. );
  165. b = AuthzInitializeContextFromToken(
  166. hToken,
  167. hRM,
  168. NULL,
  169. luid,
  170. 0,
  171. NULL,
  172. &hCC1
  173. );
  175. if (!b)
  176. {
  177. wprintf(L"AuthzInitializeContextFromSid failed with 0x%x\n", GetLastError());
  178. return;
  179. }
  181. Request.ObjectTypeList = (POBJECT_TYPE_LIST) TypeListBuffer;
  182. Request.ObjectTypeList[0].Level = 0;
  183. Request.ObjectTypeList[0].ObjectType = &Guid0;
  184. Request.ObjectTypeList[0].Sbz = 0;
  185. Request.ObjectTypeListLength = 1;
  186. Request.OptionalArguments = NULL;
  187. Request.PrincipalSelfSid = NULL;
  188. Request.DesiredAccess = 0x100;
  190. //
  191. // The ResultListLength is set to the number of ObjectType GUIDs in the Request, indicating
  192. // that the caller would like detailed information about granted access to each node in the
  193. // tree.
  194. //
  195. RtlZeroMemory(Buffer, sizeof(Buffer));
  196. pReply->ResultListLength = 1;
  197. pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
  198. pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
  201. wprintf(L"* AccessCheck (PSS == NULL, ResultListLength == 1 with cache handle)\n");
  202. b = AuthzAccessCheck(
  203. hCC1,
  204. &Request,
  205. hAuditInfo,
  206. pSD,
  207. NULL,
  208. 0,
  209. pReply,
  210. &AuthHandle
  211. );
  213. if (!b)
  214. {
  215. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  216. return;
  217. }
  218. else
  219. {
  220. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  222. for (i = 0; i < pReply->ResultListLength; i++)
  223. {
  224. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  225. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  226. }
  227. }
  229. AuthzFreeAuditInfo(hAuditInfo);
  230. AuthzFreeAuditQueue(hQueue);
  231. return;
  233. RtlZeroMemory(Buffer, sizeof(Buffer));
  234. pReply->ResultListLength = 1;
  235. pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
  236. pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
  238. wprintf(L"* AccessCheck (PSS == NULL, ResultListLength == 1 without cache handle)\n");
  239. b = AuthzAccessCheck(
  240. hCC1,
  241. &Request,
  242. hAuditInfo,
  243. pSD,
  244. NULL,
  245. 0,
  246. pReply,
  247. NULL
  248. );
  250. if (!b)
  251. {
  252. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  253. return;
  254. }
  255. else
  256. {
  257. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  259. for (i = 0; i < pReply->ResultListLength; i++)
  260. {
  261. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  262. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  263. }
  264. }
  266. AuthzFreeAuditParams(pAuditParams);
  268. Request.ObjectTypeList = (POBJECT_TYPE_LIST) TypeListBuffer;
  270. Request.ObjectTypeList[0].Level = 0;
  271. Request.ObjectTypeList[0].ObjectType = &Guid0;
  272. Request.ObjectTypeList[0].Sbz = 0;
  274. Request.ObjectTypeList[1].Level = 1;
  275. Request.ObjectTypeList[1].ObjectType = &Guid1;
  276. Request.ObjectTypeList[1].Sbz = 0;
  278. Request.ObjectTypeList[2].Level = 2;
  279. Request.ObjectTypeList[2].ObjectType = &Guid2;
  280. Request.ObjectTypeList[2].Sbz = 0;
  282. Request.ObjectTypeList[3].Level = 2;
  283. Request.ObjectTypeList[3].ObjectType = &Guid3;
  284. Request.ObjectTypeList[3].Sbz = 0;
  286. Request.ObjectTypeList[4].Level = 1;
  287. Request.ObjectTypeList[4].ObjectType = &Guid4;
  288. Request.ObjectTypeList[4].Sbz = 0;
  290. Request.ObjectTypeList[5].Level = 2;
  291. Request.ObjectTypeList[5].ObjectType = &Guid5;
  292. Request.ObjectTypeList[5].Sbz = 0;
  294. Request.ObjectTypeList[6].Level = 3;
  295. Request.ObjectTypeList[6].ObjectType = &Guid6;
  296. Request.ObjectTypeList[6].Sbz = 0;
  298. Request.ObjectTypeList[7].Level = 2;
  299. Request.ObjectTypeList[7].ObjectType = &Guid7;
  300. Request.ObjectTypeList[7].Sbz = 0;
  302. Request.ObjectTypeListLength = 8;
  303. Request.OptionalArguments = NULL;
  305. Request.PrincipalSelfSid = NULL;
  306. Request.DesiredAccess = DesiredAccess;
  308. //
  309. // The ResultListLength is set to the number of ObjectType GUIDs in the Request, indicating
  310. // that the caller would like detailed information about granted access to each node in the
  311. // tree.
  312. //
  314. pReply->ResultListLength = 8;
  315. pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
  316. pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
  318. wprintf(L"* AccessCheck (PrincipalSelfSid == NULL, ResultListLength == 8)\n");
  319. b = AuthzAccessCheck(
  320. hCC1,
  321. &Request,
  322. hAuditInfo,
  323. pSD,
  324. NULL,
  325. 0,
  326. pReply,
  327. &AuthHandle
  328. );
  330. if (!b)
  331. {
  332. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  333. return;
  334. }
  335. else
  336. {
  337. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  339. for (i = 0; i < pReply->ResultListLength; i++)
  340. {
  341. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  342. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  343. }
  344. }
  347. //
  348. // In the original AuthzAccessCheck call, we passed in a handle to store caching information. Now we
  349. // can use this handle to perform an AccessCheck on the same object.
  350. //
  352. if (AuthHandle)
  353. {
  354. wprintf(L"* Cached AccessCheck (PrincipalSelfSid == NULL, ResultListLength = 8)\n");
  355. b = AuthzCachedAccessCheck(
  356. AuthHandle,
  357. &Request,
  358. hAuditInfo,
  359. pReply
  360. );
  362. if (!b)
  363. {
  364. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  365. return;
  366. }
  367. else
  368. {
  369. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  371. for (i = 0; i < pReply->ResultListLength; i++)
  372. {
  373. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  374. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  375. }
  376. }
  378. //
  379. // Since we will no longer use this caching handle, free it.
  380. //
  382. AuthzFreeHandle(AuthHandle);
  383. }
  384. else
  385. {
  386. wprintf(L"No CachedAccessCheck done since NULL = AuthHandle\n");
  387. }
  389. //
  390. // We set the PrincipalSelfSid in the Request, and leave all other parameters the same.
  391. //
  393. Request.PrincipalSelfSid = (PSID) KedarSid;
  395. wprintf(L"* AccessCheck (PrincipalSelfSid == Kedard, ResultListLength == 8)\n");
  396. b = AuthzAccessCheck(
  397. hCC1,
  398. &Request,
  399. hAuditInfo,
  400. pSD,
  401. NULL,
  402. 0,
  403. pReply,
  404. &AuthHandle
  405. );
  407. if (!b)
  408. {
  409. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  410. return;
  411. }
  412. else
  413. {
  414. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  416. for (i = 0; i < pReply->ResultListLength; i++)
  417. {
  418. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  419. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  420. }
  421. }
  423. //
  424. // Use our caching handle to perform the same AccessCheck with speed.
  425. //
  427. if (AuthHandle)
  428. {
  429. wprintf(L"* Cached AccessCheck (PrincipalSelfSid == Kedard, ResultListLength = 8)\n");
  430. b = AuthzCachedAccessCheck(
  431. AuthHandle,
  432. &Request,
  433. hAuditInfo,
  434. pReply
  435. );
  437. if (!b)
  438. {
  439. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  440. return;
  441. }
  442. else
  443. {
  444. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  446. for (i = 0; i < pReply->ResultListLength; i++)
  447. {
  448. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  449. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  450. }
  451. }
  453. //
  454. // Free the handle, since it will not be used again.
  455. //
  457. AuthzFreeHandle(AuthHandle);
  458. }
  459. else
  460. {
  461. wprintf(L"No CachedAccessCheck done since NULL = AuthHandle\n");
  462. }
  465. //
  466. // Set the ResultListLength to 1, indicating that we do not care about the results
  467. // of the AccessCheck at the individual nodes in the tree. Rather, we care about
  468. // our permissions to the entire tree. The returned access indicates if we have
  469. // access to the whole thing.
  470. //
  472. pReply->ResultListLength = 1;
  474. wprintf(L"* AccessCheck (PrincipalSelfSid == Kedard, ResultListLength == 1)\n");
  475. b = AuthzAccessCheck(
  476. hCC1,
  477. &Request,
  478. hAuditInfo,
  479. pSD,
  480. NULL,
  481. 0,
  482. pReply,
  483. NULL
  484. );
  486. if (!b)
  487. {
  488. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  489. return;
  490. }
  491. else
  492. {
  493. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  495. for (i = 0; i < pReply->ResultListLength; i++)
  496. {
  497. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  498. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  499. }
  500. }
  502. // for (i = 0; i < 10; i ++)
  503. // {
  504. // AuthzOpenObjectAuditAlarm(
  505. // hCC1,
  506. // &Request,
  507. // hAuditInfo,
  508. // pSD,
  509. // NULL,
  510. // 0,
  511. // pReply
  512. // );
  513. //
  514. // if (!b)
  515. // {
  516. // wprintf(L"AuthzOpenObjectAuditAlarm failed with %d\n", GetLastError);
  517. // }
  518. // }
  520. //
  521. // Free the RM auditing data before exiting. This call is importants, as it also waits on
  522. // threads used by the Authzs auditing component to complete.
  523. //
  525. //AuthzFreeRmAuditInfoHandle(hRmAuditInfo);
  527. //
  528. // Free the contexts that the RM created.
  529. //
  531. AuthzFreeContext(hCC1);
  532. AuthzFreeAuditQueue(hQueue);
  534. return;
  535. }