archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/services/ca/certmmc/officer.cpp

480 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+--------------------------------------------------------------------------
  2. // File: officer.cpp
  3. // Contents: officer rights implementation
  4. //---------------------------------------------------------------------------
  5. #include <stdafx.h>
  6. #include "officer.h"
  7. #include "certsd.h"
  9. #define __dwFILE__ __dwFILE_CERTMMC_OFFICER_CPP__
  12. using namespace CertSrv;
  14. static const DEFAULT_USERNAME_SIZE = 256;
  16. CClientPermission::CClientPermission(BOOL fAllow, PSID pSid) :
  17. m_fAllow(fAllow),
  18. m_Sid(pSid)
  19. {}
  21. HRESULT COfficerRights::Add(PSID pSid, BOOL fAllow)
  22. {
  23. HRESULT hr = S_OK;
  24. CClientPermission* pClient = new CClientPermission(fAllow, pSid);
  26. if(!CClientPermission::IsInitialized(pClient) ||
  27. !m_List.AddTail(pClient))
  28. {
  29. hr = E_OUTOFMEMORY;
  30. _JumpError(hr, error, "");
  31. }
  33. error:
  34. if(S_OK!=hr)
  35. delete pClient;
  36. return hr;
  37. }
  39. HRESULT COfficerRights::Init(PACCESS_ALLOWED_CALLBACK_ACE pAce)
  40. {
  41. HRESULT hr = S_OK;
  43. // no object reuse
  44. CSASSERT(!m_pSid);
  45. CSASSERT(m_List.IsEmpty());
  47. CSASSERT(IsValidSid((PSID)(&pAce->SidStart)));
  48. m_pSid = new CSid((PSID)(&pAce->SidStart));
  49. if(!m_pSid)
  50. {
  51. hr = E_OUTOFMEMORY;
  52. _JumpError(hr, error, "new CSid");
  53. }
  55. hr = AddSidList(pAce);
  56. _JumpIfError(hr, error, "COfficerRights::AddSidList");
  58. error:
  59. if(S_OK!=hr)
  60. {
  61. Cleanup();
  62. }
  63. return hr;
  64. }
  66. HRESULT COfficerRights::AddSidList(PACCESS_ALLOWED_CALLBACK_ACE pAce)
  67. {
  68. HRESULT hr = S_OK;
  69. PSID pSid;
  70. DWORD cSids;
  71. PSID_LIST pSidList = (PSID_LIST) (((BYTE*)&pAce->SidStart)+
  72. GetLengthSid(&pAce->SidStart));
  74. CSASSERT(EqualSid((PSID)&pAce->SidStart, GetSid()));
  76. for(pSid=(PSID)&pSidList->SidListStart, cSids=0;
  77. cSids<pSidList->dwSidCount;
  78. cSids++, pSid = (PSID)(((BYTE*)pSid)+GetLengthSid(pSid)))
  79. {
  80. hr = Add(pSid, ACCESS_ALLOWED_CALLBACK_ACE_TYPE==pAce->Header.AceType);
  81. _JumpIfError(hr, error, "COfficerRights::Add");
  82. }
  84. error:
  85. return hr;
  86. }
  88. COfficerRightsList::~COfficerRightsList()
  89. {
  90. Cleanup();
  91. }
  94. HRESULT COfficerRightsList::Load(PSECURITY_DESCRIPTOR pSD)
  95. {
  96. HRESULT hr = S_OK;
  97. PACL pAcl; // no free
  98. ACL_SIZE_INFORMATION AclInfo;
  99. PACCESS_ALLOWED_CALLBACK_ACE pAce;
  100. DWORD cAce;
  101. COfficerRights *pOfficerRights = NULL;
  102. DWORD cList;
  103. COfficerRights* pExistingOfficer;
  105. CSASSERT(IsValidSecurityDescriptor(pSD));
  107. hr = myGetSecurityDescriptorDacl(pSD, &pAcl);
  108. _JumpIfError(hr, error, "myGetSecurityDescriptorDacl");
  110. if(!GetAclInformation(pAcl,
  111. &AclInfo,
  112. sizeof(AclInfo),
  113. AclSizeInformation))
  114. {
  115. hr = myHLastError();
  116. _JumpError(hr, error, "GetAclInformation");
  117. }
  119. m_dwCountList = 0;
  121. m_List = (COfficerRights **)LocalAlloc(LMEM_FIXED,
  122. sizeof(COfficerRights*)*AclInfo.AceCount);
  123. if(!m_List)
  124. {
  125. hr = E_OUTOFMEMORY;
  126. _JumpError(hr, error, "LocalAlloc");
  127. }
  128. ZeroMemory(m_List, sizeof(COfficerRights*)*AclInfo.AceCount);
  130. for(cAce=0; cAce<AclInfo.AceCount; cAce++)
  131. {
  132. pExistingOfficer = NULL;
  134. if(!GetAce(pAcl, cAce, (PVOID*)&pAce))
  135. {
  136. hr = myHLastError();
  137. _JumpError(hr, error, "GetAce");
  138. }
  140. CSASSERT(
  141. ACCESS_ALLOWED_CALLBACK_ACE_TYPE == pAce->Header.AceType ||
  142. ACCESS_DENIED_CALLBACK_ACE_TYPE == pAce->Header.AceType);
  144. // Detect if another object already exists for this officer; if so, we
  145. // will add the client list to it instead of creating a new object
  146. // Assuming denied aces always come before allow aces, we can limit
  147. // the search to allow type
  148. if(ACCESS_ALLOWED_CALLBACK_ACE_TYPE==pAce->Header.AceType)
  149. {
  150. for(cList=0; cList<m_dwCountList; cList++)
  151. {
  152. if(EqualSid(m_List[cList]->GetSid(),
  153. (PSID)&pAce->SidStart))
  154. {
  155. pExistingOfficer = m_List[cList];
  156. break;
  157. }
  158. }
  159. }
  161. if(pExistingOfficer)
  162. {
  163. // add SID list stored in this ace to existing officer object
  164. hr = pExistingOfficer->AddSidList(pAce);
  165. _JumpIfError(hr, error, "COfficerRights::AddSidList");
  166. }
  167. else
  168. {
  169. // create new officer object
  170. pOfficerRights = new COfficerRights;
  171. if(!pOfficerRights)
  172. {
  173. hr = E_OUTOFMEMORY;
  174. _JumpError(hr, error, "new COfficerRights");
  175. }
  177. hr = pOfficerRights->Init(pAce);
  178. _JumpIfError(hr, error, "COfficerRights::Init");
  180. m_List[m_dwCountList] = pOfficerRights;
  181. pOfficerRights = NULL;
  182. m_dwCountList++;
  183. }
  184. }
  186. error:
  187. if(S_OK!=hr && m_List)
  188. {
  189. if(m_List)
  190. {
  191. LocalFree(m_List);
  192. m_List = NULL;
  193. }
  194. if(pOfficerRights)
  195. {
  196. delete pOfficerRights;
  197. }
  198. }
  199. return hr;
  200. }
  202. HRESULT COfficerRightsList::Save(PSECURITY_DESCRIPTOR &rpSD)
  203. {
  204. HRESULT hr = S_OK;
  205. PSECURITY_DESCRIPTOR pSD = NULL, pSDSelfRelative = NULL;
  206. DWORD dwSelfRelativeSize = 0;
  207. PSID pSidBuiltinAdministrators = NULL;
  208. PACL pAcl = NULL;
  210. rpSD = NULL;
  212. pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED,
  213. SECURITY_DESCRIPTOR_MIN_LENGTH);
  214. if (!pSD)
  215. {
  216. hr = E_OUTOFMEMORY;
  217. _JumpError(hr, error, "LocalAlloc");
  218. }
  219. #ifdef _DEBUG
  220. ZeroMemory(pSD, SECURITY_DESCRIPTOR_MIN_LENGTH);
  221. #endif
  223. if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
  224. {
  225. hr = myHLastError();
  226. _JumpError(hr, error, "InitializeSecurityDescriptor");
  227. }
  229. hr = GetBuiltinAdministratorsSID(&pSidBuiltinAdministrators);
  230. _JumpIfError(hr, error, "GetBuiltinAdministratorsSID");
  232. if(!SetSecurityDescriptorOwner(
  233. pSD,
  234. pSidBuiltinAdministrators,
  235. FALSE))
  236. {
  237. hr = myHLastError();
  238. _JumpError(hr, error, "SetSecurityDescriptorControl");
  239. }
  241. hr = BuildAcl(pAcl);
  242. _JumpIfError(hr, error, "BuildAcl");
  244. if(!SetSecurityDescriptorDacl(
  245. pSD,
  246. TRUE, // DACL present
  247. pAcl,
  248. FALSE)) // DACL defaulted
  249. {
  250. hr = myHLastError();
  251. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  252. }
  254. CSASSERT(IsValidSecurityDescriptor(pSD));
  256. MakeSelfRelativeSD(pSD, NULL, &dwSelfRelativeSize);
  257. if(ERROR_INSUFFICIENT_BUFFER!=GetLastError())
  258. {
  259. hr = myHLastError();
  260. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  261. }
  263. pSDSelfRelative = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, dwSelfRelativeSize);
  264. if(!pSDSelfRelative)
  265. {
  266. hr = E_OUTOFMEMORY;
  267. _JumpError(hr, error, "LocalAlloc");
  268. }
  270. if(!MakeSelfRelativeSD(pSD, pSDSelfRelative, &dwSelfRelativeSize))
  271. {
  272. hr = myHLastError();
  273. _JumpError(hr, error, "MakeSelfRelativeSD");
  274. }
  276. rpSD = pSDSelfRelative;
  278. error:
  279. if(pAcl)
  280. {
  281. LocalFree(pAcl);
  282. }
  283. if(pSD)
  284. {
  285. LocalFree(pSD);
  286. }
  287. if(pSidBuiltinAdministrators)
  288. {
  289. LocalFree(pSidBuiltinAdministrators);
  290. }
  291. return hr;
  292. }
  294. HRESULT COfficerRightsList::BuildAcl(PACL &rpAcl)
  295. {
  296. HRESULT hr = S_OK;
  297. DWORD dwAclSize = sizeof(ACL);
  298. DWORD cRights;
  299. PACL pAcl = NULL;
  301. rpAcl = NULL;
  303. // calculate total acl size by adding the space required
  304. // for the ACEs resulting from each COfficerRights
  305. for(cRights=0;cRights<m_dwCountList;cRights++)
  306. {
  307. dwAclSize += m_List[cRights]->GetAceSize(FALSE);
  308. dwAclSize += m_List[cRights]->GetAceSize(TRUE);
  309. }
  311. pAcl = (PACL)LocalAlloc(LMEM_FIXED, dwAclSize);
  312. if(!pAcl)
  313. {
  314. hr = E_OUTOFMEMORY;
  315. _JumpError(hr, error, "LocalAlloc");
  316. }
  317. #ifdef _DEBUG
  318. ZeroMemory(pAcl, dwAclSize);
  319. #endif
  321. if(!InitializeAcl(pAcl, dwAclSize, ACL_REVISION))
  322. {
  323. hr = myHLastError();
  324. _JumpError(hr, error, "InitializeAcl");
  325. }
  327. // add deny aces first
  328. for(cRights=0;cRights<m_dwCountList;cRights++)
  329. {
  330. hr = m_List[cRights]->AddAce(pAcl, FALSE);
  331. _JumpIfError(hr, error, "COfficerRights::AddAce");
  332. }
  334. // then add allow aces
  335. for(cRights=0;cRights<m_dwCountList;cRights++)
  336. {
  337. hr = m_List[cRights]->AddAce(pAcl, TRUE);
  338. _JumpIfError(hr, error, "COfficerRights::AddAce");
  339. }
  341. CSASSERT(IsValidAcl(pAcl));
  343. rpAcl = pAcl;
  345. error:
  347. if(S_OK!=hr)
  348. {
  349. if(pAcl)
  350. {
  351. LocalFree(pAcl);
  352. }
  353. }
  354. return hr;
  355. }
  357. DWORD COfficerRights::GetAceSize(BOOL fAllow)
  358. {
  359. DWORD dwAceSize = sizeof(ACCESS_ALLOWED_CALLBACK_ACE);
  360. dwAceSize += GetLengthSid(m_pSid->GetSid());
  361. BOOL fFound = FALSE;
  363. TPtrListEnum<CClientPermission> CPEnum(m_List);
  364. CClientPermission *pCP;
  366. for(pCP=CPEnum.Next();pCP;pCP=CPEnum.Next())
  367. {
  368. if(pCP->GetPermission()==fAllow)
  369. {
  370. dwAceSize += GetLengthSid(pCP->GetSid());
  371. fFound = TRUE;
  372. }
  373. }
  375. return fFound?dwAceSize:0;
  376. }
  378. HRESULT COfficerRights::AddAce(PACL pAcl, BOOL fAllow)
  379. {
  380. HRESULT hr = S_OK;
  381. PACCESS_ALLOWED_CALLBACK_ACE pAce = NULL;
  382. DWORD dwAceSize = GetAceSize(fAllow);
  383. DWORD dwSidSize = GetLengthSid(m_pSid->GetSid());
  384. DWORD dwClientSidSize;
  385. PSID_LIST pSidList;
  386. PSID pClientSid;
  387. TPtrListEnum<CClientPermission> CPEnum(m_List);
  388. CClientPermission *pCP;
  389. BOOL fFound = FALSE;
  390. DWORD dwSidCount = 0;
  392. if(dwAceSize)
  393. {
  394. pAce = (PACCESS_ALLOWED_CALLBACK_ACE) LocalAlloc(LMEM_FIXED, dwAceSize);
  395. if(!pAce)
  396. {
  397. hr = E_OUTOFMEMORY;
  398. _JumpError(hr, error, "LocalAlloc");
  399. }
  401. #ifdef _DEBUG
  402. ZeroMemory(pAce, dwAceSize);
  403. #endif
  405. pAce->Header.AceType = (BYTE) (fAllow?
  406. ACCESS_ALLOWED_CALLBACK_ACE_TYPE:
  407. ACCESS_DENIED_CALLBACK_ACE_TYPE);
  408. pAce->Header.AceFlags= 0;
  409. pAce->Header.AceSize = (USHORT)dwAceSize;
  410. pAce->Mask = DELETE;
  412. CopySid(dwSidSize,
  413. (PSID)&pAce->SidStart,
  414. m_pSid->GetSid());
  415. pSidList = (PSID_LIST)(((BYTE*)&pAce->SidStart)+dwSidSize);
  416. pSidList->dwSidCount = m_List.GetCount();
  417. pClientSid = (PSID)&pSidList->SidListStart;
  418. for(pCP=CPEnum.Next(); pCP; pCP=CPEnum.Next())
  419. {
  420. if(pCP->GetPermission()==fAllow)
  421. {
  422. dwClientSidSize = GetLengthSid(pCP->GetSid());
  423. CopySid(dwClientSidSize,
  424. pClientSid,
  425. pCP->GetSid());
  426. pClientSid = (((BYTE*)pClientSid)+dwClientSidSize);
  427. fFound = TRUE;
  428. dwSidCount++;
  429. }
  430. }
  431. pSidList->dwSidCount = dwSidCount;
  433. CSASSERT(pClientSid==((BYTE*)pAce)+dwAceSize);
  435. if(fFound)
  436. {
  437. if(!::AddAce(
  438. pAcl,
  439. ACL_REVISION,
  440. MAXDWORD,
  441. pAce,
  442. dwAceSize))
  443. {
  444. hr = myHLastError();
  445. _JumpError(hr, error, "AddAce");
  446. }
  447. }
  448. }
  450. error:
  451. if(pAce)
  452. {
  453. LocalFree(pAce);
  454. }
  455. return hr;
  456. }
  458. void COfficerRightsList::Dump()
  459. {
  460. DBGPRINT((DBG_SS_INFO, "Officers: %d\n", m_dwCountList));
  461. wprintf(L"Officers: %d\n", m_dwCountList);
  462. for(DWORD dwCount=0;dwCount<m_dwCountList;dwCount++)
  463. {
  464. COfficerRights *pOR = GetAt(dwCount);
  465. wprintf(L"Officer %ws, %d clients\n", pOR->GetName(), pOR->GetCount());
  466. for(DWORD c=0;c<pOR->GetCount();c++)
  467. {
  468. CClientPermission *pCli = pOR->GetAt(c);
  469. wprintf(L"\tClient %ws, %ws\n", pCli->GetName(), pCli->GetPermission()?L"allow":L"deny");
  470. }
  471. }
  472. }
  474. // Searches the list for an object with this SID; if found returns
  475. // object index, if not found, returns DWORD_MAX
  476. DWORD COfficerRights::Find(PSID pSid)
  477. {
  478. CClientPermission perm(TRUE, pSid);
  479. return m_List.FindIndex(perm);
  480. }