archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/azroles/role.cxx

739 lines
18 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name:
  7. role.cxx
  9. Abstract:
  11. Routines implementing the Role object
  13. Author:
  15. Cliff Van Dyke (cliffv) 11-Apr-2001
  17. --*/
  19. #include "pch.hxx"
  23. DWORD
  24. AzpRoleInit(
  25. IN PGENERIC_OBJECT ParentGenericObject,
  26. IN PGENERIC_OBJECT ChildGenericObject
  27. )
  28. /*++
  30. Routine Description:
  32. This routine is a worker routine for AzRoleCreate. It does any object specific
  33. initialization that needs to be done.
  35. On entry, AzGlResource must be locked exclusively.
  37. Arguments:
  39. ParentGenericObject - Specifies the parent object to add the child object onto.
  40. The reference count has been incremented on this object.
  42. ChildGenericObject - Specifies the newly allocated child object.
  43. The reference count has been incremented on this object.
  45. Return Value:
  47. NO_ERROR - The operation was successful
  48. ERROR_NOT_ENOUGH_MEMORY - not enough memory
  49. Other exception status codes
  51. --*/
  52. {
  53. PAZP_ROLE Role = (PAZP_ROLE) ChildGenericObject;
  54. PAZP_AZSTORE AzAuthorizationStore = NULL;
  55. PAZP_APPLICATION Application = NULL;
  56. PAZP_SCOPE Scope = NULL;
  58. PGENERIC_OBJECT_HEAD ParentSids = NULL;
  60. //
  61. // Initialization
  62. //
  64. ASSERT( AzpIsLockedExclusive( &AzGlResource ) );
  67. //
  68. // Behave differently depending on the object type of the parent object
  69. //
  70. // A role references SID objects that are siblings of itself.
  71. // That way, the back links on the SID object references just the roles
  72. // that are siblings of the SID object.
  73. //
  75. if ( ParentGenericObject->ObjectType == OBJECT_TYPE_APPLICATION ) {
  77. AzAuthorizationStore = ParentGenericObject->AzStoreObject;
  78. Application = (PAZP_APPLICATION) ParentGenericObject;
  80. } else if ( ParentGenericObject->ObjectType == OBJECT_TYPE_SCOPE ) {
  82. AzAuthorizationStore = ParentGenericObject->AzStoreObject;
  83. Application = (PAZP_APPLICATION) ParentOfChild( ParentGenericObject );
  84. Scope = (PAZP_SCOPE) ParentGenericObject;
  86. } else {
  87. ASSERT( FALSE );
  88. }
  90. ParentSids = &ParentGenericObject->AzpSids;
  92. //
  93. // Roles reference groups, operations, and tasks.
  94. // These other groups can be siblings of this group or siblings of our parents.
  95. //
  96. // Let the generic object manager know all of the lists we support
  97. //
  99. ChildGenericObject->GenericObjectLists = &Role->AppMembers,
  101. // List of Groups
  102. ObInitObjectList( &Role->AppMembers,
  103. &Role->Operations,
  104. FALSE, // Forward link
  105. 0, // No link pair id
  106. AZ_DIRTY_ROLE_APP_MEMBERS,
  107. &AzAuthorizationStore->Groups,
  108. &Application->Groups,
  109. Scope == NULL ? NULL : &Scope->Groups );
  111. // List of Operations
  112. ObInitObjectList( &Role->Operations,
  113. &Role->Tasks,
  114. FALSE, // Forward link
  115. 0, // No link pair id
  116. AZ_DIRTY_ROLE_OPERATIONS,
  117. &Application->Operations,
  118. NULL,
  119. NULL );
  121. // List of Tasks
  122. ObInitObjectList( &Role->Tasks,
  123. &Role->SidMembers,
  124. FALSE, // Forward link
  125. 0, // No link pair id
  126. AZ_DIRTY_ROLE_TASKS,
  127. &Application->Tasks,
  128. Scope == NULL ? NULL : &Scope->Tasks,
  129. NULL );
  131. // Role reference SID objects
  132. ObInitObjectList( &Role->SidMembers,
  133. NULL,
  134. FALSE, // Forward link
  135. 0, // No link pair id
  136. AZ_DIRTY_ROLE_MEMBERS,
  137. ParentSids,
  138. NULL,
  139. NULL );
  142. return NO_ERROR;
  143. }
  146. VOID
  147. AzpRoleFree(
  148. IN PGENERIC_OBJECT GenericObject
  149. )
  150. /*++
  152. Routine Description:
  154. This routine is a worker routine for Role object free. It does any object specific
  155. cleanup that needs to be done.
  157. On entry, AzGlResource must be locked exclusively.
  159. Arguments:
  161. GenericObject - Specifies a pointer to the object to be deleted.
  163. Return Value:
  165. None
  167. --*/
  168. {
  169. // PAZP_ROLE Role = (PAZP_ROLE) GenericObject;
  170. UNREFERENCED_PARAMETER( GenericObject );
  172. //
  173. // Initialization
  174. //
  176. ASSERT( AzpIsLockedExclusive( &AzGlResource ) );
  178. //
  179. // Free any local strings
  180. //
  183. }
  185. DWORD
  186. AzpRoleNameConflict(
  187. IN PGENERIC_OBJECT ParentGenericObject,
  188. IN PAZP_STRING ChildObjectNameString
  189. )
  190. /*++
  192. Routine Description:
  194. This routine is a worker routine to determine if the specified ChildObjectNameString
  195. conflicts with the names of other objects that share a namespace with Roles
  197. On entry, AzGlResource must be locked exclusively.
  199. Arguments:
  201. ParentGenericObject - Specifies the parent object to add the child object onto.
  202. The reference count has been incremented on this object.
  204. ChildObjectNameString - Specifies the name of the child object.
  206. Return Value:
  208. NO_ERROR - The operation was successful
  209. ERROR_ALREADY_EXISTS - An object by that name already exists
  211. --*/
  212. {
  213. PAZP_APPLICATION Application = NULL;
  215. ULONG WinStatus;
  216. PGENERIC_OBJECT ConflictGenericObject;
  218. //
  219. // Initialization
  220. //
  222. ASSERT( AzpIsLockedExclusive( &AzGlResource ) );
  225. //
  226. // Behave differently depending on the object type of the parent object
  227. //
  228. //
  229. // A role that is a child of an application
  230. // cannot have the same name as any roles that are children of any of the child scopes.
  231. //
  233. if ( ParentGenericObject->ObjectType == OBJECT_TYPE_APPLICATION ) {
  234. Application = (PAZP_APPLICATION) ParentGenericObject;
  236. //
  237. // Check roles that are children of child scopes.
  238. //
  240. WinStatus = ObCheckNameConflict( &Application->Scopes,
  241. ChildObjectNameString,
  242. offsetof(_AZP_SCOPE, Roles),
  243. 0,
  244. 0 );
  246. //
  247. // A role that is a child of a scope,
  248. // cannot have the same name as roles that are children of the application.
  249. //
  250. } else if ( ParentGenericObject->ObjectType == OBJECT_TYPE_SCOPE ) {
  251. Application = (PAZP_APPLICATION) ParentOfChild( ParentGenericObject );
  253. //
  254. // Check roles that are children of the application.
  255. //
  257. WinStatus = ObReferenceObjectByName( &Application->Roles,
  258. ChildObjectNameString,
  259. 0, // No special flags
  260. &ConflictGenericObject );
  262. if ( WinStatus == NO_ERROR ) {
  263. ObDereferenceObject( ConflictGenericObject );
  264. return ERROR_ALREADY_EXISTS;
  265. }
  267. WinStatus = NO_ERROR;
  270. } else {
  271. WinStatus = ERROR_INTERNAL_ERROR;
  272. ASSERT( FALSE );
  273. }
  276. return WinStatus;
  277. }
  280. DWORD
  281. AzpRoleGetProperty(
  282. IN PGENERIC_OBJECT GenericObject,
  283. IN ULONG Flags,
  284. IN ULONG PropertyId,
  285. OUT PVOID *PropertyValue
  286. )
  287. /*++
  289. Routine Description:
  291. This routine is the Role specific worker routine for AzGetProperty.
  292. It does any object specific property gets.
  294. On entry, AzGlResource must be locked shared.
  296. Arguments:
  298. GenericObject - Specifies a pointer to the object to be queried
  300. Flags - Specifies internal flags
  301. AZP_FLAGS_BY_GUID - name lists should be returned as GUID lists
  303. PropertyId - Specifies which property to return.
  305. PropertyValue - Specifies a pointer to return the property in.
  306. The returned pointer must be freed using AzFreeMemory.
  307. The returned value and type depends in PropertyId. The valid values are:
  309. AZ_PROP_ROLE_APP_MEMBERS AZ_STRING_ARRAY - Application groups that are members of this role
  310. AZ_PROP_ROLE_MEMBERS AZ_SID_ARRAY - NT Sids that are members of this role
  311. AZ_PROP_ROLE_OPERATIONS AZ_STRING_ARRAY - Operations that can be performed by this role
  312. AZ_PROP_ROLE_TASKS AZ_STRING_ARRAY - Tasks that can be performed by this role
  314. Return Value:
  316. Status of the operation
  318. --*/
  319. {
  320. DWORD WinStatus = NO_ERROR;
  321. PAZP_ROLE Role = (PAZP_ROLE) GenericObject;
  323. //
  324. // Initialization
  325. //
  327. ASSERT( AzpIsLockedShared( &AzGlResource ) );
  330. //
  331. // Return any object specific attribute
  332. //
  333. //
  334. switch ( PropertyId ) {
  336. // Return the set of app members to the caller
  337. case AZ_PROP_ROLE_APP_MEMBERS:
  339. if ( Flags & AZP_FLAGS_BY_GUID )
  340. {
  341. *PropertyValue = ObGetPropertyItemGuids( &Role->AppMembers );
  342. }
  343. else
  344. {
  345. *PropertyValue = ObGetPropertyItems( &Role->AppMembers );
  346. }
  348. if ( *PropertyValue == NULL ) {
  349. WinStatus = ERROR_NOT_ENOUGH_MEMORY;
  350. }
  352. break;
  354. // Return the set of SID members to the caller
  355. case AZ_PROP_ROLE_MEMBERS:
  357. *PropertyValue = ObGetPropertyItems( &Role->SidMembers );
  359. if ( *PropertyValue == NULL ) {
  360. WinStatus = ERROR_NOT_ENOUGH_MEMORY;
  361. }
  363. break;
  365. // Return the set of operations to the caller
  366. case AZ_PROP_ROLE_OPERATIONS:
  368. if ( Flags & AZP_FLAGS_BY_GUID )
  369. {
  370. *PropertyValue = ObGetPropertyItemGuids( &Role->Operations );
  371. }
  372. else
  373. {
  374. *PropertyValue = ObGetPropertyItems( &Role->Operations );
  375. }
  377. if ( *PropertyValue == NULL ) {
  378. WinStatus = ERROR_NOT_ENOUGH_MEMORY;
  379. }
  381. break;
  383. // Return the set of tasks to the caller
  384. case AZ_PROP_ROLE_TASKS:
  386. if ( Flags & AZP_FLAGS_BY_GUID )
  387. {
  388. *PropertyValue = ObGetPropertyItemGuids( &Role->Tasks );
  389. }
  390. else
  391. {
  392. *PropertyValue = ObGetPropertyItems( &Role->Tasks );
  393. }
  395. if ( *PropertyValue == NULL ) {
  396. WinStatus = ERROR_NOT_ENOUGH_MEMORY;
  397. }
  399. break;
  401. default:
  402. AzPrint(( AZD_INVPARM, "AzpRoleGetProperty: invalid prop id %ld\n", PropertyId ));
  403. WinStatus = ERROR_INVALID_PARAMETER;
  404. break;
  405. }
  407. return WinStatus;
  408. }
  411. DWORD
  412. AzpRoleGetGenericChildHead(
  413. IN AZ_HANDLE ParentHandle,
  414. OUT PULONG ObjectType,
  415. OUT PGENERIC_OBJECT_HEAD *GenericChildHead
  416. )
  417. /*++
  419. Routine Description:
  421. This routine determines whether ParentHandle supports Role objects as
  422. children.
  424. Arguments:
  426. ParentHandle - Specifies a handle to the object that is the parent of the role.
  427. This may be an Application Handle or a Scope handle.
  429. ObjectType - Returns the object type of the ParentHandle.
  431. GenericChildHead - Returns a pointer to the head of the list of roles objects
  432. that are children of the object specified by ParentHandle. This in an unverified
  433. pointer. The pointer is only valid after ParentHandle has been validated.
  435. Return Value:
  437. Status of the operation.
  439. --*/
  440. {
  441. DWORD WinStatus;
  443. //
  444. // Determine the type of the parent handle
  445. //
  447. WinStatus = ObGetHandleType( (PGENERIC_OBJECT)ParentHandle,
  448. FALSE, // ignore deleted objects
  449. ObjectType );
  451. if ( WinStatus != NO_ERROR ) {
  452. return WinStatus;
  453. }
  456. //
  457. // Verify that the specified handle support children roles.
  458. //
  460. switch ( *ObjectType ) {
  461. case OBJECT_TYPE_APPLICATION:
  463. *GenericChildHead = &(((PAZP_APPLICATION)ParentHandle)->Roles);
  464. break;
  466. case OBJECT_TYPE_SCOPE:
  468. *GenericChildHead = &(((PAZP_SCOPE)ParentHandle)->Roles);
  469. break;
  471. default:
  472. return ERROR_INVALID_HANDLE;
  473. }
  475. return NO_ERROR;
  476. }
  480. DWORD
  481. WINAPI
  482. AzRoleCreate(
  483. IN AZ_HANDLE ParentHandle,
  484. IN LPCWSTR RoleName,
  485. IN DWORD Reserved,
  486. OUT PAZ_HANDLE RoleHandle
  487. )
  488. /*++
  490. Routine Description:
  492. This routine adds a role into the scope of the specified parent object.
  494. Arguments:
  496. ParentHandle - Specifies a handle to the object that is the parent of the role.
  497. This may be an Application Handle or a Scope handle.
  499. RoleName - Specifies the name of the role to add.
  501. Reserved - Reserved. Must by zero.
  503. RoleHandle - Return a handle to the role.
  504. The caller must close this handle by calling AzCloseHandle.
  506. Return Value:
  508. NO_ERROR - The operation was successful
  510. ERROR_ALREADY_EXISTS - An object by that name already exists
  512. --*/
  513. {
  514. DWORD WinStatus;
  515. DWORD ObjectType;
  516. PGENERIC_OBJECT_HEAD GenericChildHead;
  518. //
  519. // Determine that the parent handle supports roles as children
  520. //
  522. WinStatus = AzpRoleGetGenericChildHead( ParentHandle,
  523. &ObjectType,
  524. &GenericChildHead );
  526. if ( WinStatus != NO_ERROR ) {
  527. return WinStatus;
  528. }
  530. //
  531. // Call the common routine to do most of the work
  532. //
  534. return ObCommonCreateObject(
  535. (PGENERIC_OBJECT) ParentHandle,
  536. ObjectType,
  537. GenericChildHead,
  538. OBJECT_TYPE_ROLE,
  539. RoleName,
  540. Reserved,
  541. (PGENERIC_OBJECT *) RoleHandle );
  543. }
  547. DWORD
  548. WINAPI
  549. AzRoleOpen(
  550. IN AZ_HANDLE ParentHandle,
  551. IN LPCWSTR RoleName,
  552. IN DWORD Reserved,
  553. OUT PAZ_HANDLE RoleHandle
  554. )
  555. /*++
  557. Routine Description:
  559. This routine opens a role into the scope of the specified parent object.
  561. Arguments:
  563. ParentHandle - Specifies a handle to the object that is the parent of the role.
  564. This may be an Application Handle or a Scope handle.
  566. RoleName - Specifies the name of the role to open
  568. Reserved - Reserved. Must by zero.
  570. RoleHandle - Return a handle to the role.
  571. The caller must close this handle by calling AzCloseHandle.
  573. Return Value:
  575. NO_ERROR - The operation was successful
  577. ERROR_NOT_FOUND - There is no role by that name
  579. --*/
  580. {
  581. DWORD WinStatus;
  582. DWORD ObjectType;
  583. PGENERIC_OBJECT_HEAD GenericChildHead;
  585. //
  586. // Determine that the parent handle supports roles as children
  587. //
  589. WinStatus = AzpRoleGetGenericChildHead( ParentHandle,
  590. &ObjectType,
  591. &GenericChildHead );
  593. if ( WinStatus != NO_ERROR ) {
  594. return WinStatus;
  595. }
  597. //
  598. // Call the common routine to do most of the work
  599. //
  601. return ObCommonOpenObject(
  602. (PGENERIC_OBJECT) ParentHandle,
  603. ObjectType,
  604. GenericChildHead,
  605. OBJECT_TYPE_ROLE,
  606. RoleName,
  607. Reserved,
  608. (PGENERIC_OBJECT *) RoleHandle );
  610. }
  613. DWORD
  614. WINAPI
  615. AzRoleEnum(
  616. IN AZ_HANDLE ParentHandle,
  617. IN DWORD Reserved,
  618. IN OUT PULONG EnumerationContext,
  619. OUT PAZ_HANDLE RoleHandle
  620. )
  621. /*++
  623. Routine Description:
  625. Enumerates all of the roles for the specified parent object.
  627. Arguments:
  629. ParentHandle - Specifies a handle to the object that is the parent of the role.
  630. This may be an Application Handle or a Scope handle.
  632. Reserved - Reserved. Must by zero.
  634. EnumerationContext - Specifies a context indicating the next role to return
  635. On input for the first call, should point to zero.
  636. On input for subsequent calls, should point to the value returned on the previous call.
  637. On output, returns a value to be passed on the next call.
  639. RoleHandle - Returns a handle to the next role object.
  640. The caller must close this handle by calling AzCloseHandle.
  642. Return Value:
  644. NO_ERROR - The operation was successful (a handle was returned)
  646. ERROR_NO_MORE_ITEMS - No more items were available for enumeration
  648. --*/
  649. {
  650. DWORD WinStatus;
  651. DWORD ObjectType;
  652. PGENERIC_OBJECT_HEAD GenericChildHead;
  654. //
  655. // Determine that the parent handle supports roles as children
  656. //
  658. WinStatus = AzpRoleGetGenericChildHead( ParentHandle,
  659. &ObjectType,
  660. &GenericChildHead );
  662. if ( WinStatus != NO_ERROR ) {
  663. return WinStatus;
  664. }
  666. //
  667. // Call the common routine to do most of the work
  668. //
  670. return ObCommonEnumObjects(
  671. (PGENERIC_OBJECT) ParentHandle,
  672. ObjectType,
  673. GenericChildHead,
  674. EnumerationContext,
  675. Reserved,
  676. (PGENERIC_OBJECT *) RoleHandle );
  678. }
  680. DWORD
  681. WINAPI
  682. AzRoleDelete(
  683. IN AZ_HANDLE ParentHandle,
  684. IN LPCWSTR RoleName,
  685. IN DWORD Reserved
  686. )
  687. /*++
  689. Routine Description:
  691. This routine deletes a role from the scope of the specified parent object.
  692. Also deletes any child objects of RoleName.
  694. Arguments:
  696. ParentHandle - Specifies a handle to the object that is the parent of the role.
  697. This may be an Application Handle or a Scope handle.
  699. RoleName - Specifies the name of the role to delete.
  701. Reserved - Reserved. Must by zero.
  703. Return Value:
  705. NO_ERROR - The operation was successful
  707. ERROR_NOT_FOUND - An object by that name cannot be found
  709. --*/
  710. {
  711. DWORD WinStatus;
  712. DWORD ObjectType;
  713. PGENERIC_OBJECT_HEAD GenericChildHead;
  715. //
  716. // Determine that the parent handle supports roles as children
  717. //
  719. WinStatus = AzpRoleGetGenericChildHead( ParentHandle,
  720. &ObjectType,
  721. &GenericChildHead );
  723. if ( WinStatus != NO_ERROR ) {
  724. return WinStatus;
  725. }
  727. //
  728. // Call the common routine to do most of the work
  729. //
  731. return ObCommonDeleteObject(
  732. (PGENERIC_OBJECT) ParentHandle,
  733. ObjectType,
  734. GenericChildHead,
  735. OBJECT_TYPE_ROLE,
  736. RoleName,
  737. Reserved );
  739. }