archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/ds/security/ntmarta/newsrc/rightsca.cxx

757 lines
23 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1998 - 1998.
  5. //
  6. // File: rightsca.cxx
  7. //
  8. // Contents: Implementation of the DS access control rights cache
  9. //
  10. // History: 20-Feb-98 MacM Created
  11. //
  12. //--------------------------------------------------------------------
  13. #include <aclpch.hxx>
  14. #pragma hdrstop
  15. #include <stdio.h>
  16. #include <alsup.hxx>
  18. //
  19. // Global name/id cache
  20. //
  21. PACTRL_RIGHTS_CACHE grgRightsNameCache[ACTRL_OBJ_ID_TABLE_SIZE];
  23. //
  24. // Last connection info/time we read from the schema
  25. //
  26. static ACTRL_ID_SCHEMA_INFO LastSchemaRead;
  28. static RTL_RESOURCE RightsCacheLock;
  29. BOOL bRightsCacheLockInitialized = FALSE;
  31. #define ACTRL_EXT_RIGHTS_CONTAINER L"CN=Extended-Rights,"
  33. //+----------------------------------------------------------------------------
  34. //
  35. // Function: AccctrlInitializeRightsCache
  36. //
  37. // Synopsis: Initialize the access control rights lookup cache
  38. //
  39. // Arguments: VOID
  40. //
  41. // Returns: ERROR_SUCCESS -- Success
  42. //
  43. //-----------------------------------------------------------------------------
  44. DWORD AccctrlInitializeRightsCache(VOID)
  45. {
  46. DWORD dwErr;
  48. if (TRUE == bRightsCacheLockInitialized)
  49. {
  50. //
  51. // Just a precautionary measure to make sure that we do not initialize
  52. // multiple times.
  53. //
  55. ASSERT(FALSE);
  56. return ERROR_SUCCESS;
  57. }
  59. memset(grgRightsNameCache, 0,
  60. sizeof(PACTRL_RIGHTS_CACHE) * ACTRL_OBJ_ID_TABLE_SIZE);
  62. memset(&LastSchemaRead, 0, sizeof(ACTRL_ID_SCHEMA_INFO));
  64. __try
  65. {
  66. RtlInitializeResource(&RightsCacheLock);
  67. dwErr = ERROR_SUCCESS;
  68. bRightsCacheLockInitialized = TRUE;
  69. }
  70. __except (EXCEPTION_EXECUTE_HANDLER)
  71. {
  72. dwErr = RtlNtStatusToDosError(GetExceptionCode());
  73. }
  75. return dwErr;
  76. }
  81. //+----------------------------------------------------------------------------
  82. //
  83. // Function: AccctrlFreeRightsCache
  84. //
  85. // Synopsis: Frees any memory allocated for the id name/guid cache
  86. //
  87. // Arguments: VOID
  88. //
  89. // Returns: VOID
  90. //
  91. //-----------------------------------------------------------------------------
  92. VOID AccctrlFreeRightsCache(VOID)
  93. {
  94. INT i,j;
  95. PACTRL_RIGHTS_CACHE pNode, pNext;
  97. if (FALSE == bRightsCacheLockInitialized)
  98. {
  99. return;
  100. }
  102. for(i = 0; i < ACTRL_OBJ_ID_TABLE_SIZE; i++)
  103. {
  104. pNode = grgRightsNameCache[i];
  105. while(pNode != NULL)
  106. {
  107. pNext = pNode->pNext;
  108. for (j = 0; j < (INT)pNode->cRights; j++)
  109. {
  110. AccFree(pNode->RightsList[j]);
  111. }
  112. AccFree(pNode->RightsList);
  114. AccFree(pNode);
  115. pNode = pNext;
  116. }
  117. }
  119. AccFree(LastSchemaRead.pwszPath);
  121. RtlDeleteResource(&RightsCacheLock);
  123. bRightsCacheLockInitialized = FALSE;
  125. }
  130. //+----------------------------------------------------------------------------
  131. //
  132. // Function: AccctrlFindRightsNode
  133. //
  134. // Synopsis: Looks up the node for the given class GUID
  135. //
  136. // Arguments: [ClassGuid] -- Class guid to look up
  137. //
  138. // Returns: NULL -- Node not found
  139. // else a valid node pointer
  140. //
  141. //-----------------------------------------------------------------------------
  142. PACTRL_RIGHTS_CACHE
  143. AccctrlpLookupClassGuidInCache(IN PGUID ClassGuid)
  144. {
  145. PACTRL_RIGHTS_CACHE pNode = NULL;
  147. pNode = grgRightsNameCache[ActrlHashGuid(ClassGuid)];
  149. while(pNode != NULL)
  150. {
  151. if(memcmp(ClassGuid, &pNode->ObjectClassGuid,sizeof(GUID)) == 0)
  152. {
  153. break;
  154. }
  155. pNode = pNode->pNext;
  156. }
  158. #if DBG
  159. if(pNode != NULL )
  160. {
  161. CHAR szGuid[38];
  162. PGUID pGuid = &pNode->ObjectClassGuid;
  163. sprintf(szGuid, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
  164. pGuid->Data1,pGuid->Data2,pGuid->Data3,pGuid->Data4[0],
  165. pGuid->Data4[1],pGuid->Data4[2],pGuid->Data4[3],
  166. pGuid->Data4[4],pGuid->Data4[5],pGuid->Data4[6],
  167. pGuid->Data4[7]);
  169. acDebugOut((DEB_TRACE_LOOKUP,
  170. "Found guid %s\n",
  171. szGuid));
  172. }
  173. #endif
  175. return(pNode);
  176. }
  180. //+----------------------------------------------------------------------------
  181. //
  182. // Function: AccctrlpInsertRightsNode
  183. //
  184. // Synopsis: Updates the information for an existing node or creates and
  185. // inserts a new one
  186. //
  187. // Arguments: [AppliesTo] -- Guid this control right applies to
  188. // [RightsGuid] -- Control right
  189. //
  190. // Returns: ERROR_SUCCESS -- Success
  191. // ERROR_NOT_ENOUGH_MEMORY A memory allocation failed
  192. //
  193. //-----------------------------------------------------------------------------
  194. DWORD AccctrlpInsertRightsNode(IN PGUID AppliesTo,
  195. IN PWSTR ControlRight)
  196. {
  197. DWORD dwErr = ERROR_SUCCESS;
  198. PACTRL_RIGHTS_CACHE Node, pNext, pTrail = NULL;
  199. PWSTR *NewList;
  200. BOOL NewNode = FALSE;
  202. //
  203. // First, find the existing node, if it exists
  204. //
  205. Node = AccctrlpLookupClassGuidInCache( AppliesTo );
  207. if(Node == NULL)
  208. {
  209. //
  210. // Have to create and insert a new one
  211. //
  212. Node = (PACTRL_RIGHTS_CACHE)AccAlloc(sizeof(ACTRL_RIGHTS_CACHE));
  214. if(Node == NULL)
  215. {
  216. dwErr = ERROR_NOT_ENOUGH_MEMORY;
  217. }
  218. else
  219. {
  220. NewNode = TRUE;
  221. memcpy(&Node->ObjectClassGuid, AppliesTo, sizeof(GUID));
  222. Node->cRights=0;
  224. pNext = grgRightsNameCache[ActrlHashGuid(AppliesTo)];
  226. while(pNext != NULL)
  227. {
  228. if(memcmp(AppliesTo, &(pNext->ObjectClassGuid), sizeof(GUID)) == 0)
  229. {
  230. dwErr = ERROR_ALREADY_EXISTS;
  231. acDebugOut((DEB_TRACE_LOOKUP, "Guid collision. Bailing\n"));
  232. break;
  233. }
  235. pTrail = pNext;
  236. pNext = pNext->pNext;
  237. }
  239. }
  241. if(dwErr == ERROR_SUCCESS)
  242. {
  243. if(pTrail == NULL)
  244. {
  246. grgRightsNameCache[ActrlHashGuid(AppliesTo)] = Node;
  248. }
  249. else {
  251. pTrail->pNext = Node;
  252. }
  254. }
  255. }
  257. //
  258. // Now, insert the new applies to list
  259. if(dwErr == ERROR_SUCCESS)
  260. {
  261. NewList = (PWSTR *)AccAlloc((Node->cRights + 1) * sizeof(PWSTR));
  262. if(NewList==NULL)
  263. {
  264. dwErr = ERROR_NOT_ENOUGH_MEMORY;
  265. }
  266. else
  267. {
  268. memcpy(NewList, Node->RightsList, Node->cRights * sizeof( PWSTR ));
  270. NewList[Node->cRights] = (PWSTR)AccAlloc((wcslen(ControlRight) + 1) * sizeof(WCHAR));
  271. if(NewList[Node->cRights] == NULL)
  272. {
  273. dwErr = ERROR_NOT_ENOUGH_MEMORY;
  274. AccFree(NewList);
  275. }
  276. else
  277. {
  278. wcscpy(NewList[Node->cRights], ControlRight);
  279. Node->cRights++;
  280. AccFree(Node->RightsList);
  281. Node->RightsList = NewList;
  282. }
  283. }
  284. }
  286. //
  287. // Clean up if necessary
  288. //
  289. if(dwErr != ERROR_SUCCESS && NewNode == TRUE)
  290. {
  291. AccFree(Node);
  292. }
  294. return(dwErr);
  295. }
  297. //+---------------------------------------------------------------------------
  298. //
  299. // Function: AccDsReadAndInsertExtendedRights
  300. //
  301. // Synopsis: Reads the full list of extended rights from the schema
  302. //
  303. // Arguments: [IN pLDAP] -- LDAP connection to use
  304. // [OUT pcItems] -- Where the count of items
  305. // is returned
  306. // [OUT RightsList] -- Where the list of rights
  307. // entries is returned.
  308. //
  309. // Notes:
  310. //
  311. // Returns: ERROR_SUCCESS -- Success
  312. //
  313. //----------------------------------------------------------------------------
  314. DWORD
  315. AccDsReadAndInsertExtendedRights(IN PLDAP pLDAP)
  316. {
  317. DWORD dwErr = ERROR_SUCCESS;
  318. PWSTR *ppwszValues = NULL, *ppwszApplies = NULL;
  319. PWSTR rgwszAttribs[3];
  320. PWSTR pwszERContainer = NULL;
  321. PDS_NAME_RESULTW pNameRes = NULL;
  322. LDAPMessage *pMessage, *pEntry;
  323. ULONG cEntries, i, j;
  324. PACTRL_RIGHTS_CACHE pCurrentEntry;
  325. GUID RightsGuid;
  327. //
  328. // Get the subschema path
  329. //
  330. if(dwErr == ERROR_SUCCESS)
  331. {
  332. rgwszAttribs[0] = L"configurationNamingContext";
  333. rgwszAttribs[1] = NULL;
  335. dwErr = ldap_search_s(pLDAP,
  336. NULL,
  337. LDAP_SCOPE_BASE,
  338. L"(objectClass=*)",
  339. rgwszAttribs,
  340. 0,
  341. &pMessage);
  342. if(dwErr == ERROR_SUCCESS)
  343. {
  344. pEntry = ldap_first_entry(pLDAP,
  345. pMessage);
  347. if(pEntry == NULL)
  348. {
  349. ldap_msgfree(pMessage);
  350. pMessage = NULL;
  351. dwErr = LdapMapErrorToWin32( pLDAP->ld_errno );
  352. }
  353. else
  354. {
  355. //
  356. // Now, we'll have to get the values
  357. //
  358. ppwszValues = ldap_get_values(pLDAP,
  359. pEntry,
  360. rgwszAttribs[0]);
  361. ldap_msgfree(pMessage);
  362. pMessage = NULL;
  364. if(ppwszValues == NULL)
  365. {
  366. dwErr = LdapMapErrorToWin32( pLDAP->ld_errno );
  367. }
  368. else
  369. {
  370. pwszERContainer = (PWSTR)AccAlloc((wcslen(ppwszValues[0]) * sizeof(WCHAR)) +
  371. sizeof(ACTRL_EXT_RIGHTS_CONTAINER));
  372. if(pwszERContainer == NULL)
  373. {
  374. dwErr = ERROR_NOT_ENOUGH_MEMORY;
  375. }
  376. else
  377. {
  378. wcscpy(pwszERContainer,
  379. ACTRL_EXT_RIGHTS_CONTAINER);
  380. wcscat(pwszERContainer,
  381. ppwszValues[0]);
  384. rgwszAttribs[0] = L"rightsGuid";
  385. rgwszAttribs[1] = L"appliesTo";
  386. rgwszAttribs[2] = NULL;
  388. //
  389. // Read the control access rights
  390. //
  391. dwErr = ldap_search_s(pLDAP,
  392. pwszERContainer,
  393. LDAP_SCOPE_ONELEVEL,
  394. L"(objectClass=controlAccessRight)",
  395. rgwszAttribs,
  396. 0,
  397. &pMessage);
  399. dwErr = LdapMapErrorToWin32( dwErr );
  401. AccFree(pwszERContainer);
  402. }
  403. ldap_value_free(ppwszValues);
  406. //
  407. // Process the entries
  408. //
  409. if(dwErr == ERROR_SUCCESS)
  410. {
  411. pEntry = ldap_first_entry(pLDAP,
  412. pMessage);
  414. if(pEntry == NULL)
  415. {
  416. dwErr = LdapMapErrorToWin32( pLDAP->ld_errno );
  417. }
  418. else
  419. {
  420. cEntries = ldap_count_entries( pLDAP, pMessage );
  422. for(i = 0; i < cEntries && dwErr == ERROR_SUCCESS; i++) {
  424. ppwszValues = ldap_get_values(pLDAP,
  425. pEntry,
  426. rgwszAttribs[0]);
  427. if(ppwszValues == NULL)
  428. {
  429. dwErr = LdapMapErrorToWin32( pLDAP->ld_errno );
  430. }
  431. else
  432. {
  433. //
  434. // Then the list of applies to
  435. //
  436. ppwszApplies = ldap_get_values(pLDAP,
  437. pEntry,
  438. rgwszAttribs[1]);
  439. j = 0;
  441. while(ppwszApplies[j] != NULL && dwErr == ERROR_SUCCESS)
  442. {
  444. dwErr = UuidFromString(ppwszApplies[j],
  445. &RightsGuid);
  447. if(dwErr == ERROR_SUCCESS)
  448. {
  449. dwErr = AccctrlpInsertRightsNode( &RightsGuid,
  450. ppwszValues[0]);
  451. }
  452. j++;
  453. }
  455. ldap_value_free(ppwszApplies);
  456. ppwszApplies = NULL;
  457. ldap_value_free(ppwszValues);
  459. }
  461. pEntry = ldap_next_entry( pLDAP, pEntry );
  462. }
  464. }
  465. }
  467. if (pMessage != NULL)
  468. {
  469. ldap_msgfree(pMessage);
  470. }
  471. }
  472. }
  474. }
  475. else
  476. {
  477. ldap_msgfree(pMessage);
  478. dwErr = LdapMapErrorToWin32( dwErr );
  479. }
  481. }
  483. return(dwErr) ;
  484. }
  489. //+----------------------------------------------------------------------------
  490. //
  491. // Function: AccctrlpLoadRightsCacheFromSchema
  492. //
  493. // Synopsis: Reads the control rights schema cache and adds the entries into the
  494. // cache
  495. //
  496. // Arguments: [pLDAP] -- LDAP connection to the server
  497. // [pwszPath] -- DS path to the object
  498. //
  499. // Returns: ERROR_SUCCESS -- Success
  500. //
  501. //-----------------------------------------------------------------------------
  502. DWORD AccctrlpLoadRightsCacheFromSchema(PLDAP pLDAP,
  503. PWSTR pwszDsPath)
  504. {
  505. DWORD dwErr = ERROR_SUCCESS;
  506. PLDAP pLocalLDAP = pLDAP;
  507. ULONG cValues[2];
  508. PWSTR *ppwszValues[2];
  510. acDebugOut((DEB_TRACE_LOOKUP, "Reloading rights cache from schema\n"));
  512. //
  513. // If we have no parameters, just return...
  514. //
  515. if(pLDAP == NULL && pwszDsPath == NULL)
  516. {
  517. return(ERROR_SUCCESS);
  518. }
  520. //
  521. // See if we need to read... If our data is over 5 minutes old or if our path referenced is
  522. // not the same as the last one...
  523. //
  524. #define FIVE_MINUTES 300000
  525. if((LastSchemaRead.LastReadTime != 0 &&
  526. (GetTickCount() - LastSchemaRead.LastReadTime < FIVE_MINUTES)) &&
  527. DoPropertiesMatch(pwszDsPath, LastSchemaRead.pwszPath) &&
  528. ((pLDAP == NULL && LastSchemaRead.fLDAP == FALSE) ||
  529. (pLDAP != NULL && memcmp(pLDAP, &(LastSchemaRead.LDAP), sizeof(LDAP)))))
  531. {
  532. acDebugOut((DEB_TRACE_LOOKUP,"Cache up to date...\n"));
  533. return(ERROR_SUCCESS);
  534. }
  535. else
  536. {
  537. //
  538. // Need to reinitialize it...
  539. //
  540. if(pLDAP == NULL)
  541. {
  542. LastSchemaRead.fLDAP = FALSE;
  543. }
  544. else
  545. {
  546. LastSchemaRead.fLDAP = TRUE;
  547. memcpy(&(LastSchemaRead.LDAP), pLDAP, sizeof(LDAP));
  548. }
  550. AccFree(LastSchemaRead.pwszPath);
  551. if(pwszDsPath != NULL)
  552. {
  553. ACC_ALLOC_AND_COPY_STRINGW(pwszDsPath, LastSchemaRead.pwszPath, dwErr);
  554. }
  556. LastSchemaRead.LastReadTime = GetTickCount();
  557. }
  561. if(dwErr == ERROR_SUCCESS && pLocalLDAP == NULL)
  562. {
  563. PWSTR pwszServer = NULL, pwszObject = NULL;
  565. dwErr = DspSplitPath( pwszDsPath, &pwszServer, &pwszObject );
  567. if(dwErr == ERROR_SUCCESS)
  568. {
  569. dwErr = BindToDSObject(pwszServer, pwszObject, &pLocalLDAP);
  570. LocalFree(pwszServer);
  571. }
  572. }
  574. //
  575. // Now, get the info. First, extended rights, then the schema info
  576. //
  577. if(dwErr == ERROR_SUCCESS)
  578. {
  579. dwErr = AccDsReadAndInsertExtendedRights(pLocalLDAP);
  580. }
  582. //
  583. // See if we need to release our ldap connection
  584. //
  585. if(pLocalLDAP != pLDAP && pLocalLDAP != NULL)
  586. {
  587. UnBindFromDSObject(&pLocalLDAP);
  588. }
  590. return(dwErr);
  591. }
  596. //+----------------------------------------------------------------------------
  597. //
  598. // Function: AccctrlLookupRightByName
  599. //
  600. // Synopsis: Returns the list of control rights for a given object class
  601. //
  602. // Arguments: [pLDAP] -- LDAP connection to the server
  603. // [pwszPath] -- DS path to the object
  604. // [pwszName] -- Object class name
  605. // [pCount] -- Where the count if items is returned
  606. // [ppRightsList] -- List of control rights
  607. // [ppwszNameList] -- List of control rights names
  608. //
  609. // Returns: ERROR_SUCCESS -- Success
  610. // ERROR_NOT_ENOUGH_MEMORY A memory allocation failed
  611. // ERROR_NOT_FOUND -- No such ID exists
  612. //
  613. //-----------------------------------------------------------------------------
  614. DWORD
  615. AccctrlLookupRightsByName(IN PLDAP pLDAP,
  616. IN PWSTR pwszDsPath,
  617. IN PWSTR pwszName,
  618. OUT PULONG pCount,
  619. OUT PACTRL_CONTROL_INFOW *ControlInfo)
  620. {
  621. DWORD dwErr = ERROR_SUCCESS;
  622. GUID *ObjectClassGuid, RightsGuid;
  623. PACTRL_RIGHTS_CACHE Node;
  624. ULONG Size = 0, i;
  625. PWSTR GuidName, Current;
  627. if((pwszDsPath == NULL && pLDAP == NULL) || pwszName == NULL)
  628. {
  629. *pCount = 0;
  630. *ControlInfo = NULL;
  631. return(ERROR_SUCCESS);
  632. }
  634. RtlAcquireResourceShared(&RightsCacheLock, TRUE);
  636. //
  637. // This is a multi-staged process. First, we have to lookup the guid associated
  638. // with the object class name. Then, we get the list of control rights for it
  639. //
  640. dwErr = AccctrlLookupGuid(pLDAP,
  641. pwszDsPath,
  642. pwszName,
  643. FALSE, // Don't allocate
  644. &ObjectClassGuid);
  645. if(dwErr == ERROR_SUCCESS)
  646. {
  647. Node = AccctrlpLookupClassGuidInCache(ObjectClassGuid);
  649. if(Node == NULL)
  650. {
  651. RtlConvertSharedToExclusive( &RightsCacheLock );
  653. dwErr = AccctrlpLoadRightsCacheFromSchema(pLDAP, pwszDsPath );
  655. if(dwErr == ERROR_SUCCESS)
  656. {
  657. Node = AccctrlpLookupClassGuidInCache(ObjectClassGuid);
  658. if(Node == NULL)
  659. {
  660. dwErr = ERROR_NOT_FOUND;
  661. }
  662. }
  664. }
  667. if(Node != NULL)
  668. {
  669. //
  670. // Size all of the return strings
  671. //
  672. for (i = 0;i < Node->cRights && dwErr == ERROR_SUCCESS; i++) {
  674. dwErr = UuidFromString( Node->RightsList[i],&RightsGuid);
  676. if(dwErr == ERROR_SUCCESS)
  677. {
  678. dwErr = AccctrlLookupIdName(pLDAP,
  679. pwszDsPath,
  680. &RightsGuid,
  681. FALSE,
  682. FALSE,
  683. &GuidName);
  684. if(dwErr == ERROR_SUCCESS)
  685. {
  686. Size += wcslen( GuidName ) + 1;
  687. Size += wcslen( Node->RightsList[i] ) + 1;
  688. }
  690. }
  691. }
  693. //
  694. // Now, allocate the return information
  695. //
  696. if(dwErr == ERROR_SUCCESS)
  697. {
  698. *ControlInfo = (PACTRL_CONTROL_INFOW)AccAlloc((Size * sizeof(WCHAR)) +
  699. (Node->cRights * sizeof(ACTRL_CONTROL_INFOW)));
  700. if(*ControlInfo == NULL)
  701. {
  702. dwErr = ERROR_NOT_ENOUGH_MEMORY;
  703. }
  704. else
  705. {
  706. Current = (PWSTR)((*ControlInfo) + Node->cRights);
  707. for (i = 0;i < Node->cRights && dwErr == ERROR_SUCCESS; i++) {
  709. dwErr = UuidFromString( Node->RightsList[i],&RightsGuid);
  711. if(dwErr == ERROR_SUCCESS)
  712. {
  713. dwErr = AccctrlLookupIdName(pLDAP,
  714. pwszDsPath,
  715. &RightsGuid,
  716. FALSE,
  717. FALSE,
  718. &GuidName);
  719. }
  721. if(dwErr == ERROR_SUCCESS)
  722. {
  723. (*ControlInfo)[i].lpControlId = Current;
  724. wcscpy(Current, Node->RightsList[i]);
  725. Current += wcslen(Node->RightsList[i]);
  726. *Current = L'\0';
  727. Current++;
  729. (*ControlInfo)[i].lpControlName = Current;
  730. wcscpy(Current, GuidName);
  731. Current += wcslen(GuidName);
  732. *Current = L'\0';
  733. Current++;
  734. }
  735. }
  738. if(dwErr != ERROR_SUCCESS)
  739. {
  740. AccFree(*ControlInfo);
  741. }
  742. else
  743. {
  744. *pCount = Node->cRights;
  745. }
  746. }
  748. }
  750. }
  751. }
  753. RtlReleaseResource(&RightsCacheLock);
  755. return(dwErr);
  756. }