archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
3.3 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/inetsrv/iis/iisrearc/iisplus/ulw3/certmapprovider.cxx

315 lines
7.1 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  2. Copyright (c) 1999 Microsoft Corporation
  4. Module Name :
  5. certmapprovider.cxx
  7. Abstract:
  8. Active Directory Certificate Mapper provider
  10. Author:
  11. Bilal Alam (balam) 10-Jan-2000
  13. Environment:
  14. Win32 - User Mode
  16. Project:
  17. ULW3.DLL
  18. --*/
  20. #include "precomp.hxx"
  21. #include "certmapprovider.hxx"
  23. HRESULT
  24. CERTMAP_AUTH_PROVIDER::DoesApply(
  25. W3_MAIN_CONTEXT * pMainContext,
  26. BOOL * pfApplies
  27. )
  28. /*++
  30. Routine Description:
  32. Does Active Directory certificate map authentication apply?
  33. MD_ACCESS_MAP_CERT covers 2 kinds of mappings (DS mapper and IIS mapper)
  34. CERT_AUTH_PROVIDER represents only the DS mapper
  36. Arguments:
  38. pMainContext - Main context
  39. pfApplies - Set to TRUE if cert map auth applies
  41. Return Value:
  43. HRESULT
  45. --*/
  46. {
  47. CERTIFICATE_CONTEXT * pCertificateContext;
  48. URL_CONTEXT * pUrlContext = NULL;
  49. W3_METADATA * pMetaData = NULL;
  50. BOOL fApplies = FALSE;
  52. if ( pMainContext == NULL ||
  53. pfApplies == NULL )
  54. {
  55. DBG_ASSERT( FALSE );
  56. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  57. }
  59. //
  60. // If cert mapping is not allowed for this vroot, then ignore client
  61. // cert token and let other authentication mechanisms do their thing
  62. //
  64. pUrlContext = pMainContext->QueryUrlContext();
  65. DBG_ASSERT( pUrlContext != NULL );
  67. pMetaData = pUrlContext->QueryMetaData();
  68. DBG_ASSERT( pMetaData != NULL );
  70. //
  71. // Are certmappings allowed?
  72. //
  73. if ( pMetaData->QuerySslAccessPerms() & MD_ACCESS_MAP_CERT )
  74. {
  75. DBG_ASSERT( pMainContext->QuerySite() );
  76. //
  77. // Is Active Directory mapping allowed
  78. //
  79. if ( pMainContext->QuerySite()->QueryUseDSMapper() )
  80. {
  81. pCertificateContext = pMainContext->QueryCertificateContext();
  82. //
  83. // Did schannel successfully mapped client certificate to token?
  84. //
  85. if ( pCertificateContext != NULL )
  86. {
  87. if ( pCertificateContext->QueryImpersonationToken() != NULL )
  88. {
  89. fApplies = TRUE;
  90. }
  91. }
  92. }
  93. }
  95. *pfApplies = fApplies;
  97. return NO_ERROR;
  98. }
  100. HRESULT
  101. CERTMAP_AUTH_PROVIDER::DoAuthenticate(
  102. W3_MAIN_CONTEXT * pMainContext,
  103. BOOL * // unused
  104. )
  105. /*++
  107. Routine Description:
  109. Create a user context representing a cert mapped token
  111. Arguments:
  113. pMainContext - Main context
  114. pfFilterFinished - Set to TRUE if filter wants out
  116. Return Value:
  118. HRESULT
  120. --*/
  121. {
  122. CERTMAP_USER_CONTEXT * pUserContext = NULL;
  123. CERTIFICATE_CONTEXT * pCertificateContext = NULL;
  124. HANDLE hImpersonation;
  125. HRESULT hr = NO_ERROR;
  127. if ( pMainContext == NULL )
  128. {
  129. DBG_ASSERT( FALSE );
  130. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  131. }
  133. pCertificateContext = pMainContext->QueryCertificateContext();
  134. DBG_ASSERT( pCertificateContext != NULL );
  136. hImpersonation = pCertificateContext->QueryImpersonationToken();
  137. DBG_ASSERT( hImpersonation != NULL );
  139. //
  140. // Create the user context for this request
  141. //
  143. pUserContext = new CERTMAP_USER_CONTEXT( this );
  144. if ( pUserContext == NULL )
  145. {
  146. return HRESULT_FROM_WIN32( GetLastError() );
  147. }
  149. //
  150. // Is this a delegatable token? Put another way is this token mapped
  151. // using an IIS cert mapper (IIS cert mapper creates delegatable token,
  152. // the DS mapper does not)
  153. //
  155. hr = pUserContext->Create( hImpersonation );
  156. if ( FAILED( hr ) )
  157. {
  158. pUserContext->DereferenceUserContext();
  159. pUserContext = NULL;
  160. return hr;
  161. }
  163. pMainContext->SetUserContext( pUserContext );
  165. return NO_ERROR;
  166. }
  168. HRESULT
  169. CERTMAP_AUTH_PROVIDER::OnAccessDenied(
  170. W3_MAIN_CONTEXT * /*pMainContext*/
  171. )
  172. /*++
  174. Routine Description:
  176. NOP since we have nothing to do on access denied
  178. Arguments:
  180. pMainContext - Main context (not used)
  182. Return Value:
  184. HRESULT
  186. --*/
  187. {
  188. //
  189. // No headers to add
  190. //
  192. return NO_ERROR;
  193. }
  195. HRESULT
  196. CERTMAP_USER_CONTEXT::Create(
  197. HANDLE hImpersonation
  198. )
  199. /*++
  201. Routine Description:
  203. Create a certificate mapped user context
  205. Arguments:
  207. hImpersonation - Impersonation token
  209. Return Value:
  211. HRESULT
  213. --*/
  214. {
  215. HRESULT hr = E_FAIL;
  216. if ( hImpersonation == NULL )
  217. {
  218. DBG_ASSERT( FALSE );
  219. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  220. }
  222. //
  223. // First the easy stuff
  224. //
  226. if ( !DuplicateTokenEx( hImpersonation,
  227. TOKEN_ALL_ACCESS,
  228. NULL,
  229. SecurityImpersonation,
  230. TokenImpersonation,
  231. &_hImpersonationToken ) )
  232. {
  233. hr = HRESULT_FROM_WIN32( GetLastError() );
  234. DBGPRINTF(( DBG_CONTEXT,
  235. "DuplicateTokenEx failed, hr = 0x%x\n",
  236. hr ));
  237. return hr;
  239. }
  241. DBG_ASSERT( _hImpersonationToken != NULL );
  243. //
  244. // Disable the backup privilege for the token
  245. //
  247. DisableTokenBackupPrivilege( _hImpersonationToken );
  249. //
  250. // Now get the user name
  251. //
  253. if ( !SetThreadToken( NULL, _hImpersonationToken ) )
  254. {
  255. return HRESULT_FROM_WIN32( GetLastError() );
  256. }
  258. // cchUserName includes buffer size in characters including terminating 0
  259. DWORD cchUserName = sizeof( _achUserName ) / sizeof( WCHAR );
  261. if ( !GetUserNameEx( NameSamCompatible,
  262. _achUserName,
  263. &cchUserName ) )
  264. {
  266. hr = HRESULT_FROM_WIN32( GetLastError() );
  267. RevertToSelf();
  268. return hr;
  269. }
  270. RevertToSelf();
  271. return NO_ERROR;
  272. }
  274. HANDLE
  275. CERTMAP_USER_CONTEXT::QueryPrimaryToken(
  276. VOID
  277. )
  278. /*++
  280. Routine Description:
  282. Get a primary token
  284. Arguments:
  286. None
  288. Return Value:
  290. HANDLE
  292. --*/
  293. {
  294. if ( _hPrimaryToken == NULL )
  295. {
  296. if ( DuplicateTokenEx( _hImpersonationToken,
  297. TOKEN_ALL_ACCESS,
  298. NULL,
  299. SecurityImpersonation,
  300. TokenPrimary,
  301. &_hPrimaryToken ) )
  302. {
  304. DBG_ASSERT( _hImpersonationToken != NULL );
  305. }
  306. else
  307. {
  308. DBGPRINTF(( DBG_CONTEXT,
  309. "DuplicateTokenEx failed, hr = 0x%x\n",
  310. HRESULT_FROM_WIN32( GetLastError() ) ));
  311. }
  312. }
  314. return _hPrimaryToken;
  315. }