archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/ds/security/services/ca/certsrv/callback.cpp

586 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+--------------------------------------------------------------------------
  2. // File: callback.cpp
  3. // Contents: access check callback
  4. //---------------------------------------------------------------------------
  5. #include <pch.cpp>
  6. #pragma hdrstop
  7. #include "csext.h"
  8. #include "certsd.h"
  9. #include <winldap.h>
  10. #include <limits.h>
  11. #include "csprop.h"
  12. #include "sid.h"
  13. #include <authzi.h>
  15. #define __dwFILE__ __dwFILE_CERTSRV_CALLBACK_CPP__
  18. namespace CertSrv
  19. {
  21. HRESULT GetAccountSid(
  22. IN LPCWSTR pwszName,
  23. PSID *ppSid)
  24. {
  25. HRESULT hr = S_OK;
  26. DWORD cbSid = 0;
  27. DWORD cbDomainName = 0;
  28. SID_NAME_USE use;
  29. LPWSTR pwszDomainName = NULL;
  31. *ppSid = NULL;
  33. if(!pwszName || L'\0'== pwszName[0])
  34. {
  35. hr = GetEveryoneSID(ppSid);
  36. _JumpIfError(hr, error, "GetEveryoneSID");
  37. }
  38. else
  39. {
  41. LookupAccountName(
  42. NULL,
  43. pwszName,
  44. NULL,
  45. &cbSid,
  46. NULL,
  47. &cbDomainName,
  48. &use);
  50. if(ERROR_INSUFFICIENT_BUFFER != GetLastError())
  51. {
  52. hr = myHError(GetLastError());
  53. _JumpError(hr, error, "LookupAccountName");
  54. }
  56. *ppSid = (PSID)LocalAlloc(LMEM_FIXED, cbSid);
  57. if(!*ppSid)
  58. {
  59. hr = E_OUTOFMEMORY;
  60. _JumpError(hr, error, "LocalAlloc");
  61. }
  63. pwszDomainName = (LPWSTR)LocalAlloc(LMEM_FIXED,
  64. cbDomainName*sizeof(WCHAR));
  65. if(!pwszDomainName)
  66. {
  67. hr = E_OUTOFMEMORY;
  68. _JumpError(hr, error, "LocalAlloc");
  69. }
  71. if(!LookupAccountName(
  72. NULL,
  73. pwszName,
  74. *ppSid,
  75. &cbSid,
  76. pwszDomainName,
  77. &cbDomainName,
  78. &use))
  79. {
  80. hr = myHError(GetLastError());
  81. _JumpError(hr, error, "LookupAccountName");
  82. }
  83. }
  85. hr = S_OK;
  87. error:
  88. if(S_OK!=hr)
  89. {
  90. if(*ppSid)
  91. {
  92. LocalFree(*ppSid);
  93. *ppSid = NULL;
  94. }
  95. }
  96. if(pwszDomainName)
  97. {
  98. LocalFree(pwszDomainName);
  99. }
  100. return hr;
  101. }
  103. BOOL
  104. CallbackAccessCheck(
  105. IN AUTHZ_CLIENT_CONTEXT_HANDLE, // pAuthzClientContext
  106. IN PACE_HEADER pAce,
  107. IN PVOID pArgs OPTIONAL,
  108. IN OUT PBOOL pbAceApplicable)
  109. {
  110. HRESULT hr = S_OK;
  111. LPWSTR pwszSamName = (LPWSTR)pArgs;// requester name is passed in to
  112. // AuthzAccessCheck in NT4 style form
  113. // "DomainNetbiosName\RequesterSAMName"
  114. PSID pSid = NULL, pClientSid = NULL, pCallerSid = NULL;
  115. PSID pEveryoneSid = NULL;
  116. PTOKEN_GROUPS pGroups = NULL;
  117. ACCESS_ALLOWED_CALLBACK_ACE* pCallbackAce =
  118. (ACCESS_ALLOWED_CALLBACK_ACE*)pAce;
  119. PSID_LIST pSidList = (PSID_LIST) (((BYTE*)&pCallbackAce->SidStart)+
  120. GetLengthSid(&pCallbackAce->SidStart));
  121. DWORD cSids, cClientSids;
  123. CSASSERT(
  124. ACCESS_ALLOWED_CALLBACK_ACE_TYPE == pAce->AceType ||
  125. ACCESS_DENIED_CALLBACK_ACE_TYPE == pAce->AceType);
  127. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  129. SetLastError(ERROR_SUCCESS);
  131. // get the SID for the requester
  132. hr = GetAccountSid(pwszSamName, &pCallerSid);
  134. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  136. if(EmptyString(pwszSamName) ||
  137. HRESULT_FROM_WIN32(ERROR_NONE_MAPPED)==hr)
  138. {
  139. // if name cannot be resolved, default to Everyone
  140. pGroups = (PTOKEN_GROUPS)LocalAlloc(LMEM_FIXED, sizeof(TOKEN_GROUPS));
  141. if(!pGroups)
  142. {
  143. hr = E_OUTOFMEMORY;
  144. _JumpError(hr, error, "LocalAlloc");
  145. }
  147. hr = GetEveryoneSID(&pEveryoneSid);
  148. _JumpIfError(hr, error, "GetEveryoneSID");
  150. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  152. pGroups->GroupCount=1;
  153. pGroups->Groups[0].Sid = pEveryoneSid;
  154. pGroups->Groups[0].Attributes = 0;
  155. }
  156. else
  157. {
  158. _JumpIfError(hr, error, "GetAccountSid");
  160. // get the list of groups this SID is member of
  161. hr = GetMembership(g_AuthzCertSrvRM, pCallerSid, &pGroups);
  162. _JumpIfError(hr, error, "GetMembership");
  163. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  164. }
  166. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  168. if(pGroups)
  169. {
  170. // traverse the SID list stored in the ACE and compare with the
  171. // client's membership
  172. for(pSid=(PSID)&pSidList->SidListStart, cSids=0; cSids<pSidList->dwSidCount;
  173. cSids++, pSid = (PSID)(((BYTE*)pSid)+GetLengthSid(pSid)))
  174. {
  175. CSASSERT(IsValidSid(pSid));
  177. // group membership doesn't include the user itself, so
  178. // compare with the user first
  179. if(pCallerSid && EqualSid(pSid, pCallerSid))
  180. {
  181. *pbAceApplicable = TRUE;
  182. goto error;
  183. }
  185. for(cClientSids=0; cClientSids<pGroups->GroupCount; cClientSids++)
  186. {
  187. pClientSid = pGroups->Groups[cClientSids].Sid;
  188. CSASSERT(IsValidSid(pClientSid));
  189. if(EqualSid(pSid, pClientSid))
  190. {
  191. *pbAceApplicable = TRUE;
  192. goto error;
  193. }
  194. }
  195. }
  196. }
  198. *pbAceApplicable = FALSE;
  200. error:
  202. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  204. if(pEveryoneSid)
  205. {
  206. LocalFree(pEveryoneSid);
  207. }
  208. if(pCallerSid)
  209. {
  210. LocalFree(pCallerSid);
  211. }
  212. if(pGroups)
  213. {
  214. LocalFree(pGroups);
  215. }
  216. if(S_OK==hr)
  217. {
  218. return TRUE;
  219. }
  220. else
  221. {
  222. SetLastError(HRESULT_CODE(hr));
  223. return FALSE;
  224. }
  226. }
  229. HRESULT GetMembership(
  230. IN AUTHZ_RESOURCE_MANAGER_HANDLE AuthzRM,
  231. IN PSID pSid,
  232. PTOKEN_GROUPS *ppGroups)
  233. {
  234. HRESULT hr = S_OK;
  235. static LUID luid = {0,0};
  236. AUTHZ_CLIENT_CONTEXT_HANDLE AuthzCC = NULL;
  237. DWORD dwSizeRequired;
  239. *ppGroups = NULL;
  241. if(!AuthzInitializeContextFromSid(
  242. 0,
  243. pSid,
  244. AuthzRM,
  245. NULL,
  246. luid, //ignored
  247. NULL,
  248. &AuthzCC))
  249. {
  250. hr = myHError(GetLastError());
  251. _JumpError(hr, error, "AuthzInitializeContextFromSid");
  252. }
  254. if(!AuthzGetInformationFromContext(
  255. AuthzCC,
  256. AuthzContextInfoGroupsSids,
  257. 0,
  258. &dwSizeRequired,
  259. NULL))
  260. {
  261. if(ERROR_INSUFFICIENT_BUFFER!=GetLastError())
  262. {
  263. hr = myHError(GetLastError());
  264. _JumpError(hr, error, "AuthzGetContextInformation");
  265. }
  266. }
  268. *ppGroups = (PTOKEN_GROUPS)LocalAlloc(LMEM_FIXED, dwSizeRequired);
  269. if(!*ppGroups)
  270. {
  271. hr = E_OUTOFMEMORY;
  272. _JumpError(hr, error, "LocalAlloc");
  273. }
  275. if(!AuthzGetInformationFromContext(
  276. AuthzCC,
  277. AuthzContextInfoGroupsSids,
  278. dwSizeRequired,
  279. &dwSizeRequired,
  280. *ppGroups))
  281. {
  282. hr = myHError(GetLastError());
  283. _JumpError(hr, error, "AuthzGetContextInformation");
  284. }
  286. error:
  287. if(AuthzCC)
  288. {
  289. AuthzFreeContext(AuthzCC);
  290. }
  291. if(S_OK!=hr && *ppGroups)
  292. {
  293. LocalFree(*ppGroups);
  294. }
  295. return hr;
  296. }
  298. HRESULT GetRequesterName(DWORD dwRequestId, LPWSTR *ppwszName)
  299. {
  300. HRESULT hr = S_OK;
  301. ICertDBRow *prow = NULL;
  303. hr = g_pCertDB->OpenRow(
  304. PROPOPEN_READONLY | PROPTABLE_REQCERT,
  305. dwRequestId,
  306. NULL,
  307. &prow);
  308. _JumpIfError(hr, error, "OpenRow");
  310. hr = PKCSGetProperty(
  311. prow,
  312. g_wszPropRequesterName,
  313. PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST,
  314. NULL,
  315. (BYTE **) ppwszName);
  316. _JumpIfError(hr, error, "PKCSGetProperty");
  318. error:
  319. if(prow)
  320. {
  321. prow->Release();
  322. }
  323. return hr;
  324. }
  326. HRESULT CheckOfficerRights(DWORD dwRequestID, CAuditEvent& event)
  327. {
  328. HRESULT hr = S_OK;
  329. LPWSTR pwszRequesterName = NULL;
  331. // officer rights disabled means every officer is allowed to manage requests
  332. // for everyone, so return ok
  333. if(!g_OfficerRightsSD.IsEnabled())
  334. return S_OK;
  336. hr = GetRequesterName(dwRequestID, &pwszRequesterName);
  337. if(CERTSRV_E_PROPERTY_EMPTY!=hr &&
  338. S_OK != hr)
  339. {
  340. _JumpError(hr, error, "GetRequesterName");
  341. }
  343. hr = CheckOfficerRights(pwszRequesterName, event);
  345. error:
  346. if(pwszRequesterName)
  347. {
  348. LocalFree(pwszRequesterName);
  349. }
  350. return hr;
  351. }
  353. // Verify if impersonated user has the rights over the specified request,
  354. // based on the officer rights defined in the global officer SD and the
  355. // requester name stored in the request
  356. // Return S_OK if allowed or if the officer rights feature is disabled
  357. // E_ACCESSDENIED if not allowed
  358. // E_* if failed to check the rights
  360. HRESULT
  361. CheckOfficerRights(
  362. LPCWSTR pwszRequesterName,
  363. CAuditEvent& event)
  364. {
  365. HRESULT hr;
  366. AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzCC = NULL;
  368. // officer rights disabled means every officer is allowed to manage
  369. // requests for everyone, so return ok
  371. if (!g_OfficerRightsSD.IsEnabled())
  372. {
  373. hr = S_OK;
  374. goto error;
  375. }
  377. hr = GetCallerAuthzContext(&hAuthzCC);
  378. _JumpIfError(hr, error, "GetCallerAuthzContext");
  380. hr = CheckOfficerRightsFromAuthzCC(hAuthzCC, pwszRequesterName);
  381. _JumpIfError(hr, error, "CheckOfficerRightsFromAuthzCC");
  383. error:
  384. if (NULL != hAuthzCC)
  385. {
  386. AuthzFreeContext(hAuthzCC);
  387. }
  389. // generate a failure audit event if restricted officer
  391. if (CERTSRV_E_RESTRICTEDOFFICER == hr)
  392. {
  393. HRESULT hr2 = event.AccessCheck(
  394. CA_ACCESS_DENIED,
  395. event.m_gcNoAuditSuccess);
  396. if (S_OK != hr2 && E_ACCESSDENIED != hr2)
  397. {
  398. hr = hr2;
  399. }
  400. }
  401. return(hr);
  402. }
  405. static LUID s_luid = { 0, 0 };
  407. HRESULT
  408. GetCallerAuthzContext(
  409. OUT AUTHZ_CLIENT_CONTEXT_HANDLE *phAuthzCC)
  410. {
  411. HRESULT hr;
  412. IServerSecurity *pISS = NULL;
  413. HANDLE hThread = NULL;
  414. HANDLE hToken = NULL;
  416. hr = CoGetCallContext(IID_IServerSecurity, (VOID **) &pISS);
  417. _JumpIfError(hr, error, "CoGetCallContext");
  419. if (!pISS->IsImpersonating())
  420. {
  421. hr = pISS->ImpersonateClient();
  422. _JumpIfError(hr, error, "ImpersonateClient");
  423. }
  424. else
  425. {
  426. pISS->Release();
  427. pISS = NULL;
  428. }
  430. hThread = GetCurrentThread();
  431. if (NULL == hThread)
  432. {
  433. hr = myHLastError();
  434. _JumpIfError(hr, error, "GetCurrentThread");
  435. }
  436. if (!OpenThreadToken(
  437. hThread,
  438. TOKEN_QUERY,
  439. FALSE, // client impersonation
  440. &hToken))
  441. {
  442. hr = myHLastError();
  443. _JumpIfError(hr, error, "OpenThreadToken");
  444. }
  446. if (!AuthzInitializeContextFromToken(
  447. 0,
  448. hToken,
  449. g_AuthzCertSrvRM,
  450. NULL,
  451. s_luid,
  452. NULL,
  453. phAuthzCC))
  454. {
  455. hr = myHLastError();
  456. _JumpError(hr, error, "AuthzInitializeContextFromToken");
  457. }
  458. hr = S_OK;
  460. error:
  461. if (NULL != hThread)
  462. {
  463. CloseHandle(hThread);
  464. }
  465. if (NULL != hToken)
  466. {
  467. CloseHandle(hToken);
  468. }
  469. if (NULL != pISS)
  470. {
  471. pISS->RevertToSelf();
  472. pISS->Release();
  473. }
  474. return(hr);
  475. }
  478. // Verify if impersonated user has the rights over the specified request,
  479. // based on the officer rights defined in the global officer SD and the
  480. // requester name retrieved from the request
  481. //
  482. // Return S_OK if allowed or if the officer rights feature is disabled
  483. // E_ACCESSDENIED if not allowed
  484. // E_* if failed to check the rights
  486. HRESULT
  487. CheckOfficerRightsFromAuthzCC(
  488. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzCCOfficer,
  489. IN WCHAR const *pwszRequesterName)
  490. {
  491. HRESULT hr;
  492. PSECURITY_DESCRIPTOR pOfficerSD = NULL;
  493. AUTHZ_ACCESS_REQUEST AuthzRequest;
  494. AUTHZ_ACCESS_REPLY AuthzReply;
  495. ACCESS_MASK GrantedMask;
  496. DWORD dwError = 0;
  497. DWORD dwSaclEval = 0;
  499. AuthzRequest.DesiredAccess = DELETE;
  500. AuthzRequest.PrincipalSelfSid = NULL;
  501. AuthzRequest.ObjectTypeList = NULL;
  502. AuthzRequest.ObjectTypeListLength = 0;
  504. AuthzRequest.OptionalArguments = (VOID *) pwszRequesterName;
  506. AuthzReply.ResultListLength = 1;
  507. AuthzReply.GrantedAccessMask = &GrantedMask;
  508. AuthzReply.Error = &dwError;
  509. AuthzReply.SaclEvaluationResults = &dwSaclEval;
  512. hr = g_OfficerRightsSD.LockGet(&pOfficerSD);
  513. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::LockGet");
  515. CSASSERT(IsValidSecurityDescriptor(pOfficerSD));
  517. if (!AuthzAccessCheck(
  518. 0,
  519. hAuthzCCOfficer,
  520. &AuthzRequest,
  521. NULL, //no audit
  522. pOfficerSD,
  523. NULL,
  524. 0,
  525. &AuthzReply,
  526. NULL))
  527. {
  528. hr = myHLastError();
  529. _JumpError(hr, error, "AuthzAccessCheck");
  530. }
  532. _PrintIfError(AuthzReply.Error[0], "AuthzAccessCheck");
  533. hr = AuthzReply.Error[0] == ERROR_SUCCESS?
  534. S_OK : CERTSRV_E_RESTRICTEDOFFICER;
  536. error:
  537. if (NULL != pOfficerSD)
  538. {
  539. g_OfficerRightsSD.Unlock();
  540. }
  541. return(hr);
  542. }
  545. HRESULT
  546. CheckOfficerRightsFromOfficerName(
  547. IN WCHAR const *pwszOfficerName,
  548. IN WCHAR const *pwszRequesterName)
  549. {
  550. HRESULT hr;
  551. PSID pSid = NULL;
  552. AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzCCOfficer = NULL;
  554. // build authz context based on officer name passed in
  556. hr = GetAccountSid(pwszOfficerName, &pSid);
  557. _JumpIfErrorStr(hr, error, "GetAccountSid", pwszOfficerName);
  559. if (!AuthzInitializeContextFromSid(
  560. 0,
  561. pSid,
  562. g_AuthzCertSrvRM,
  563. NULL,
  564. s_luid, // ignored
  565. NULL,
  566. &hAuthzCCOfficer))
  567. {
  568. hr = myHError(GetLastError());
  569. _JumpError(hr, error, "AuthzInitializeContextFromSid");
  570. }
  571. hr = CheckOfficerRightsFromAuthzCC(hAuthzCCOfficer, pwszRequesterName);
  572. _JumpIfError(hr, error, "CheckOfficerRightsFromAuthzCC");
  574. error:
  575. if (NULL != pSid)
  576. {
  577. LocalFree(pSid);
  578. }
  579. if (NULL != hAuthzCCOfficer)
  580. {
  581. AuthzFreeContext(hAuthzCCOfficer);
  582. }
  583. return(hr);
  584. }
  586. } // namespace CertSrv