archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/admin/wmi/wbem/winmgmt/esscli/wmiauthz.cpp

441 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  2. #include "precomp.h"
  3. #include "wmiauthz.h"
  7. /**************************************************************************
  8. Win32 Authz prototypes
  9. ***************************************************************************/
  11. typedef BOOL (WINAPI*PAuthzAccessCheck)(
  12. IN DWORD Flags,
  13. IN AUTHZ_CLIENT_CONTEXT_HANDLE AuthzClientContext,
  14. IN PAUTHZ_ACCESS_REQUEST pRequest,
  15. IN AUTHZ_AUDIT_EVENT_HANDLE AuditInfo OPTIONAL,
  16. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  17. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  18. IN DWORD OptionalSecurityDescriptorCount,
  19. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  20. OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE pAuthzHandle OPTIONAL );
  22. typedef BOOL (WINAPI*PAuthzInitializeResourceManager)(
  23. IN DWORD AuthzFlags,
  24. IN PFN_AUTHZ_DYNAMIC_ACCESS_CHECK pfnAccessCheck OPTIONAL,
  25. IN PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS pfnComputeDynamicGroups OPTIONAL,
  26. IN PFN_AUTHZ_FREE_DYNAMIC_GROUPS pfnFreeDynamicGroups OPTIONAL,
  27. IN PCWSTR szResourceManagerName,
  28. OUT PAUTHZ_RESOURCE_MANAGER_HANDLE pAuthzResourceManager
  29. );
  31. typedef BOOL (WINAPI*PAuthzInitializeContextFromSid)(
  32. IN DWORD Flags,
  33. IN PSID UserSid,
  34. IN AUTHZ_RESOURCE_MANAGER_HANDLE AuthzResourceManager,
  35. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  36. IN LUID Identifier,
  37. IN PVOID DynamicGroupArgs OPTIONAL,
  38. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE pAuthzClientContext
  39. );
  41. typedef BOOL (WINAPI*PAuthzInitializeContextFromToken)(
  42. IN HANDLE TokenHandle,
  43. IN AUTHZ_RESOURCE_MANAGER_HANDLE AuthzResourceManager,
  44. IN PLARGE_INTEGER pExpirationTime OPTIONAL,
  45. IN LUID Identifier,
  46. IN DWORD Flags,
  47. IN PVOID DynamicGroupArgs OPTIONAL,
  48. OUT PAUTHZ_CLIENT_CONTEXT_HANDLE pAuthzClientContext
  49. );
  51. typedef BOOL (WINAPI*PAuthzFreeContext)( AUTHZ_CLIENT_CONTEXT_HANDLE );
  52. typedef BOOL (WINAPI*PAuthzFreeResourceManager)( AUTHZ_RESOURCE_MANAGER_HANDLE );
  54. BOOL WINAPI ComputeDynamicGroups(
  55. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  56. IN PVOID Args,
  57. OUT PSID_AND_ATTRIBUTES *pSidAttrArray,
  58. OUT PDWORD pSidCount,
  59. OUT PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray,
  60. OUT PDWORD pRestrictedSidCount
  61. )
  62. {
  63. BOOL bRet;
  64. *pRestrictedSidAttrArray = NULL;
  65. *pRestrictedSidCount = 0;
  67. //
  68. // if sid is not local system, then don't need to do anything.
  69. //
  71. *pSidAttrArray = NULL;
  72. *pSidCount = 0;
  74. if ( !*(BOOL*)(Args) )
  75. {
  76. bRet = TRUE;
  77. }
  78. else
  79. {
  80. //
  81. // need to add authenticated users and everyone groups.
  82. //
  84. PSID_AND_ATTRIBUTES psa = new SID_AND_ATTRIBUTES[2];
  86. if ( psa != NULL )
  87. {
  88. ZeroMemory( psa, sizeof(SID_AND_ATTRIBUTES)*2 );
  90. SID_IDENTIFIER_AUTHORITY wid = SECURITY_WORLD_SID_AUTHORITY;
  91. SID_IDENTIFIER_AUTHORITY ntid = SECURITY_NT_AUTHORITY;
  93. if ( bRet = AllocateAndInitializeSid( &wid,
  94. 1,
  95. SECURITY_WORLD_RID,
  96. 0,0,0,0,0,0,0,
  97. &psa[0].Sid ) )
  98. {
  99. if ( bRet = AllocateAndInitializeSid( &ntid,
  100. 1,
  101. SECURITY_AUTHENTICATED_USER_RID,
  102. 0,0,0,0,0,0,0,
  103. &psa[1].Sid ) )
  104. {
  105. *pSidCount = 2;
  106. *pSidAttrArray = psa;
  107. }
  108. else
  109. {
  110. FreeSid( &psa[0].Sid );
  111. delete [] psa;
  112. SetLastError( ERROR_NOT_ENOUGH_MEMORY );
  113. }
  114. }
  115. else
  116. {
  117. delete [] psa;
  118. SetLastError( ERROR_NOT_ENOUGH_MEMORY );
  119. }
  120. }
  121. else
  122. {
  123. SetLastError( ERROR_NOT_ENOUGH_MEMORY );
  124. bRet = FALSE;
  125. }
  126. }
  128. return bRet;
  129. }
  131. void WINAPI FreeDynamicGroups( PSID_AND_ATTRIBUTES psa )
  132. {
  133. if ( psa != NULL )
  134. {
  135. FreeSid( psa[0].Sid );
  136. FreeSid( psa[1].Sid );
  137. delete [] psa;
  138. }
  139. }
  141. /**************************************************************************
  142. CWmiAuthzApi
  143. ***************************************************************************/
  145. #define FUNCMEMBER(FUNC) P ## FUNC m_fp ## FUNC;
  147. class CWmiAuthzApi
  148. {
  149. HMODULE m_hMod;
  151. public:
  153. FUNCMEMBER(AuthzInitializeContextFromToken)
  154. FUNCMEMBER(AuthzInitializeContextFromSid)
  155. FUNCMEMBER(AuthzInitializeResourceManager)
  156. FUNCMEMBER(AuthzAccessCheck)
  157. FUNCMEMBER(AuthzFreeContext)
  158. FUNCMEMBER(AuthzFreeResourceManager)
  160. CWmiAuthzApi() { ZeroMemory( this, sizeof(CWmiAuthzApi) ); }
  161. ~CWmiAuthzApi() { if ( m_hMod != NULL ) FreeLibrary( m_hMod ); }
  163. HRESULT Initialize();
  164. };
  166. #define SETFUNC(FUNC) \
  167. m_fp ## FUNC = (P ## FUNC) GetProcAddress( m_hMod, #FUNC ); \
  168. if ( m_fp ## FUNC == NULL ) return WBEM_E_NOT_SUPPORTED;
  170. HRESULT CWmiAuthzApi::Initialize()
  171. {
  172. m_hMod = LoadLibrary( TEXT("authz") );
  174. if ( m_hMod == NULL )
  175. {
  176. return WBEM_E_NOT_SUPPORTED;
  177. }
  179. SETFUNC(AuthzInitializeContextFromToken)
  180. SETFUNC(AuthzInitializeResourceManager)
  181. SETFUNC(AuthzInitializeContextFromSid)
  182. SETFUNC(AuthzInitializeContextFromToken)
  183. SETFUNC(AuthzAccessCheck)
  184. SETFUNC(AuthzFreeContext)
  185. SETFUNC(AuthzFreeResourceManager)
  187. return WBEM_S_NO_ERROR;
  188. };
  190. /**************************************************************************
  191. CWmiAuthz
  192. ***************************************************************************/
  194. #define CALLFUNC(API,FUNC) (*API->m_fp ## FUNC)
  196. CWmiAuthz::CWmiAuthz( CLifeControl* pControl )
  197. : CUnkBase<IWbemTokenCache,&IID_IWbemTokenCache>( pControl ),
  198. m_hResMgr(NULL), m_pApi(NULL), m_pAdministratorsSid(NULL),
  199. m_pLocalSystemSid(NULL)
  200. {
  202. }
  204. HRESULT CWmiAuthz::EnsureInitialized()
  205. {
  206. HRESULT hr;
  208. CInCritSec ics( &m_cs );
  210. if ( m_hResMgr != NULL )
  211. {
  212. return WBEM_S_NO_ERROR;
  213. }
  215. //
  216. // try to create the API object.
  217. //
  219. if ( m_pApi == NULL )
  220. {
  221. m_pApi = new CWmiAuthzApi;
  223. if ( m_pApi == NULL )
  224. {
  225. return WBEM_E_OUT_OF_MEMORY;
  226. }
  228. hr = m_pApi->Initialize();
  230. if ( FAILED(hr) )
  231. {
  232. delete m_pApi;
  233. m_pApi = NULL;
  234. return hr;
  235. }
  236. }
  238. //
  239. // initialize the authz res mgr.
  240. //
  242. if ( !CALLFUNC(m_pApi,AuthzInitializeResourceManager)
  243. ( AUTHZ_RM_FLAG_NO_AUDIT,
  244. NULL,
  245. ComputeDynamicGroups,
  246. FreeDynamicGroups,
  247. NULL,
  248. &m_hResMgr ) )
  250. {
  251. return HRESULT_FROM_WIN32( GetLastError() );
  252. }
  254. //
  255. // allocate and initialize well known sids for authz special casing.
  256. //
  258. SID_IDENTIFIER_AUTHORITY id = SECURITY_NT_AUTHORITY;
  260. if ( !AllocateAndInitializeSid( &id,
  261. 2,
  262. SECURITY_BUILTIN_DOMAIN_RID,
  263. DOMAIN_ALIAS_RID_ADMINS,
  264. 0,0,0,0,0,0,
  265. &m_pAdministratorsSid) )
  266. {
  267. return HRESULT_FROM_WIN32( GetLastError() );
  268. }
  270. if ( !AllocateAndInitializeSid( &id,
  271. 1,
  272. SECURITY_LOCAL_SYSTEM_RID,
  273. 0,0,0,0,0,0,0,
  274. &m_pLocalSystemSid) )
  275. {
  276. return HRESULT_FROM_WIN32( GetLastError() );
  277. }
  279. return WBEM_S_NO_ERROR;
  280. }
  282. STDMETHODIMP CWmiAuthz::Shutdown()
  283. {
  284. return WBEM_S_NO_ERROR;
  285. }
  287. CWmiAuthz::~CWmiAuthz()
  288. {
  289. if ( m_hResMgr != NULL )
  290. {
  291. CALLFUNC(m_pApi,AuthzFreeResourceManager)( m_hResMgr );
  292. }
  294. if ( m_pApi != NULL )
  295. {
  296. delete m_pApi;
  297. }
  299. if ( m_pAdministratorsSid != NULL )
  300. {
  301. FreeSid( m_pAdministratorsSid );
  302. }
  304. if ( m_pLocalSystemSid != NULL )
  305. {
  306. FreeSid( m_pLocalSystemSid );
  307. }
  308. }
  310. STDMETHODIMP CWmiAuthz::GetToken( const BYTE* pSid, IWbemToken** ppToken )
  311. {
  312. HRESULT hr;
  314. *ppToken = NULL;
  316. hr = EnsureInitialized();
  318. if ( SUCCEEDED( hr ) )
  319. {
  320. AUTHZ_CLIENT_CONTEXT_HANDLE hCtx = NULL;
  321. LUID luid;
  323. ZeroMemory( &luid, sizeof(LUID) );
  325. DWORD dwFlags = 0;
  326. BOOL bLocalSystem = FALSE;
  328. if ( EqualSid( PSID(pSid), m_pAdministratorsSid ) )
  329. {
  330. //
  331. // this is a group sid, so specify this in the flags so
  332. // authz can handle it properly.
  333. //
  334. dwFlags = AUTHZ_SKIP_TOKEN_GROUPS;
  335. }
  336. else if ( EqualSid( PSID(pSid), m_pLocalSystemSid ) )
  337. {
  338. //
  339. // authz doesn't handle local system so have to workaround
  340. // by disabling authz's group computation and do it ourselves.
  341. //
  342. bLocalSystem = TRUE;
  343. dwFlags = AUTHZ_SKIP_TOKEN_GROUPS;
  344. }
  346. if ( !CALLFUNC(m_pApi,AuthzInitializeContextFromSid)( dwFlags,
  347. PSID(pSid),
  348. m_hResMgr,
  349. NULL,
  350. luid,
  351. &bLocalSystem,
  352. &hCtx ) )
  353. {
  354. return HRESULT_FROM_WIN32( GetLastError() );
  355. }
  357. *ppToken = new CWmiAuthzToken( this, hCtx );
  359. if ( *ppToken == NULL )
  360. {
  361. CALLFUNC(m_pApi,AuthzFreeContext)(hCtx);
  362. return WBEM_E_OUT_OF_MEMORY;
  363. }
  365. (*ppToken)->AddRef();
  367. return WBEM_S_NO_ERROR;
  368. }
  370. return hr;
  371. }
  373. /***************************************************************************
  374. CWmiAuthzToken
  375. ****************************************************************************/
  377. CWmiAuthzToken::CWmiAuthzToken( CWmiAuthz* pOwner, AUTHZ_CLIENT_CONTEXT_HANDLE hCtx )
  378. : CUnkBase<IWbemToken,&IID_IWbemToken>(NULL), m_hCtx(hCtx), m_pOwner(pOwner)
  379. {
  380. //
  381. // we want to keep the owner alive, in case the caller has released theirs
  382. //
  383. m_pOwner->AddRef();
  384. }
  386. CWmiAuthzToken::~CWmiAuthzToken()
  387. {
  388. CWmiAuthzApi* pApi = m_pOwner->GetApi();
  389. CALLFUNC(pApi,AuthzFreeContext)(m_hCtx);
  390. m_pOwner->Release();
  391. }
  393. STDMETHODIMP CWmiAuthzToken::AccessCheck( DWORD dwDesiredAccess,
  394. const BYTE* pSD,
  395. DWORD* pdwGrantedAccess )
  396. {
  397. HRESULT hr;
  399. AUTHZ_ACCESS_REQUEST AccessReq;
  400. ZeroMemory( &AccessReq, sizeof(AUTHZ_ACCESS_REQUEST) );
  401. AccessReq.DesiredAccess = dwDesiredAccess;
  403. AUTHZ_ACCESS_REPLY AccessRep;
  404. DWORD dwError;
  406. ZeroMemory( &AccessRep, sizeof(AUTHZ_ACCESS_REPLY) );
  407. AccessRep.GrantedAccessMask = pdwGrantedAccess;
  408. AccessRep.ResultListLength = 1;
  409. AccessRep.Error = &dwError;
  410. AccessRep.SaclEvaluationResults = NULL;
  412. CWmiAuthzApi* pApi = m_pOwner->GetApi();
  414. if ( !CALLFUNC(pApi,AuthzAccessCheck)( 0,
  415. m_hCtx,
  416. &AccessReq,
  417. NULL,
  418. PSECURITY_DESCRIPTOR(pSD),
  419. NULL,
  420. NULL,
  421. &AccessRep,
  422. NULL ) )
  423. {
  424. return HRESULT_FROM_WIN32( GetLastError() );
  425. }
  427. return WBEM_S_NO_ERROR;
  428. }