windows-server-2003/ds/security/services/ca/include/audit.h

//+--------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1999 - 2000
//
// File:        audit.h
//
// Contents:    Cert Server audit classes
//
//---------------------------------------------------------------------------
#ifndef __AUDIT_H__
#define __AUDIT_H__

#include <ntsecapi.h>
#include <authzi.h>

#define AUDIT_FILTER_STARTSTOP      0x00000001
#define AUDIT_FILTER_BACKUPRESTORE  0x00000002
#define AUDIT_FILTER_CERTIFICATE    0x00000004
#define AUDIT_FILTER_CERTREVOCATION 0x00000008
#define AUDIT_FILTER_CASECURITY     0x00000010
#define AUDIT_FILTER_KEYAARCHIVAL   0x00000020
#define AUDIT_FILTER_CACONFIG       0x00000040

#define CA_ACCESS_ALLREADROLES  \
    CA_ACCESS_ADMIN   |         \
    CA_ACCESS_OFFICER |         \
    CA_ACCESS_AUDITOR |         \
    CA_ACCESS_OPERATOR|         \
    CA_ACCESS_READ

namespace CertSrv
{

static const LPCWSTR cAuditString_UnknownDataType = L"?";

// define event

class CAuditEvent
{
public:

    static const DWORD m_gcAuditSuccessOrFailure = 0;
    static const DWORD m_gcNoAuditSuccess = 1;
    static const DWORD m_gcNoAuditFailure = 2;

    CAuditEvent(ULONG ulEventID = 0L, DWORD dwFilter = 0);
    ~CAuditEvent();

    void SetEventID(ULONG ulEventID);

    HRESULT AddData(DWORD dwValue);
    HRESULT AddData(PBYTE pData, DWORD dwDataLen);
    HRESULT AddData(bool fData);
    HRESULT AddData(LPCWSTR pcwszData);
    HRESULT AddData(LPCWSTR *ppcwszData);    
    HRESULT AddData(FILETIME time);
    HRESULT AddData(const VARIANT *pvar, bool fDoublePercentInString);
    HRESULT AddData(ULARGE_INTEGER *puliValue);
    void    DeleteLastData() 
    { delete m_pEventDataList[--m_cEventData]; }

    HRESULT Report(bool fSuccess = true);
    HRESULT SaveFilter(LPCWSTR pcwszSanitizedName);
    HRESULT LoadFilter(LPCWSTR pcwszSanitizedName);
    DWORD   GetFilter() {return m_dwFilter;}
    HRESULT AccessCheck(
        ACCESS_MASK Mask,
        DWORD dwAuditFlags,
        handle_t hRpc = NULL,
        HANDLE *phToken = NULL);
    HRESULT CachedGenerateAudit();
    void FreeCachedHandles();

    HRESULT GetMyRoles(DWORD *pdwRoles);

    bool IsEventEnabled();

    HRESULT Impersonate();
    HRESULT RevertToSelf();
    HANDLE  GetClientToken();

    // role separation 
    void EventRoleSeparationEnable(bool fEnable) 
        {m_fRoleSeparationEnabled = fEnable;};

    static void RoleSeparationEnable(bool fEnable) 
        {m_gfRoleSeparationEnabled = fEnable;};
    static bool RoleSeparationIsEnabled() {return m_gfRoleSeparationEnabled;}
    static HRESULT RoleSeparationFlagSave(LPCWSTR pcwszSanitizedName);
    static HRESULT RoleSeparationFlagLoad(LPCWSTR pcwszSanitizedName);
    static void CleanupAuditEventTypeHandles();

    struct AUDIT_CATEGORIES
    {
        ULONG ulAuditID;
        DWORD dwFilter;
        DWORD dwParamCount;
        bool fRoleSeparationEnabled;
        AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType;
    };

private:

    bool IsEventValid();
    bool IsEventRoleSeparationEnabled();

    CAuditEvent(const CAuditEvent&);
    const CAuditEvent& operator=(const CAuditEvent&);

    struct EventData
    {
        EventData() : m_fDoublePercentsInStrings(false)
        {
            PropVariantInit(&m_vtData);
        };
        ~EventData() 
        {
            PropVariantClear(&m_vtData);
        };
        HRESULT ConvertToString(LPWSTR *pwszData);
        PROPVARIANT m_vtData;
        bool m_fDoublePercentsInStrings; // Insertion strings containing %number get
                                         // displayed incorrectly in the event log.
                                         // If this value is set, we double % chars.

    };// struct EventData

    PROPVARIANT *CreateNewEventData();
    EventData   *CreateNewEventData1();
    HRESULT BuildAuditParamArray(PAUDIT_PARAM& rpParamArray);
    void FreeAuditParamArray(PAUDIT_PARAM pParamArray);
    HRESULT GetPrivilegeRoles(PDWORD pdwRoles);
    HRESULT GetUserPrivilegeRoles(
                LSA_HANDLE lsah,
                PSID_AND_ATTRIBUTES pSA, 
                PDWORD pdwRoles);

    HRESULT BuildPrivilegeSecurityDescriptor(
                DWORD dwRoles);

    DWORD GetBitCount(DWORD dwBits)
    {
        DWORD dwCount = 0;
        for(DWORD dwSize = 0; dwSize<sizeof(DWORD); dwSize++, dwBits>>=1)
        {
            dwCount += dwBits&1;
        }
        return dwCount;
    }

    HRESULT DoublePercentsInString(
        LPCWSTR pcwszIn,
        LPCWSTR *ppcwszOut);

    HRESULT EnforceEncryption(bool fRequestInterface);
    HRESULT EnforceLocalVsRemote(ACCESS_MASK Mask);

    ULONG m_ulEventID;
    enum {m_EventDataMaxSize=10};
    EventData* m_pEventDataList[m_EventDataMaxSize];
    DWORD m_cEventData;
    DWORD m_cRequiredEventData; // expected number of audit parameters
    DWORD m_dwFilter;
    bool m_fRoleSeparationEnabled;

    // free these
    IServerSecurity *m_pISS;
    HANDLE m_hClientToken;
    PSECURITY_DESCRIPTOR m_pCASD;
    AUTHZ_CLIENT_CONTEXT_HANDLE m_ClientContext;
    AUTHZ_ACCESS_CHECK_RESULTS_HANDLE m_AuthzHandle;
    PSECURITY_DESCRIPTOR m_pSDPrivileges;
    PACL m_pDaclPrivileges;

    // no free
    handle_t m_hRpc;
    DWORD m_Error;
    DWORD m_SaclEval;
    ACCESS_MASK m_MaskAllowed;
    AUTHZ_ACCESS_REQUEST m_Request;
    AUTHZ_ACCESS_REPLY m_Reply;
    DWORD m_crtGUID;
    AUTHZ_AUDIT_EVENT_TYPE_HANDLE m_hAuditEventType;

    PSID m_pUserSid;

    static AUDIT_CATEGORIES *m_gAuditCategories;
    static DWORD m_gdwAuditCategoriesSize;
    static bool m_gfRoleSeparationEnabled;

    static const DWORD AuditorRoleBit;
    static const DWORD OperatorRoleBit;
    static const DWORD CAAdminRoleBit;
    static const DWORD OfficerRoleBit;
    static const DWORD dwMaskRoles;

}; // class CAuditEvent
} // namespace CertSrv

#endif //__AUDIT_H__