archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/ds/security/services/scerpc/escprov/kerberos.cpp

701 lines
18 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. // kerberos.cpp: implementation of the CKerberosPolicy class.
  2. //
  3. // Copyright (c)1997-1999 Microsoft Corporation
  4. //
  5. //////////////////////////////////////////////////////////////////////
  7. #include "precomp.h"
  8. #include "kerberos.h"
  9. #include "persistmgr.h"
  10. #include <io.h>
  11. #include "requestobject.h"
  13. #define KeyTicket L"MaxTicketAge"
  14. #define KeyRenew L"MaxRenewAge"
  15. #define KeyService L"MaxServiceAge"
  16. #define KeyClock L"MaxClockSkew"
  17. #define KeyClient L"TicketValidateClient"
  19. /*
  20. Routine Description:
  22. Name:
  24. CKerberosPolicy::CKerberosPolicy
  26. Functionality:
  28. This is the constructor. Pass along the parameters to the base class
  30. Virtual:
  32. No (you know that, constructor won't be virtual!)
  34. Arguments:
  36. pKeyChain - Pointer to the ISceKeyChain COM interface which is prepared
  37. by the caller who constructs this instance.
  39. pNamespace - Pointer to WMI namespace of our provider (COM interface).
  40. Passed along by the caller. Must not be NULL.
  42. pCtx - Pointer to WMI context object (COM interface). Passed along
  43. by the caller. It's up to WMI whether this interface pointer is NULL or not.
  45. Return Value:
  47. None as any constructor
  49. Notes:
  50. if you create any local members, think about initialize them here
  52. */
  54. CKerberosPolicy::CKerberosPolicy (
  55. ISceKeyChain * pKeyChain,
  56. IWbemServices * pNamespace,
  57. IWbemContext * pCtx
  58. )
  59. :
  60. CGenericClass(pKeyChain, pNamespace, pCtx)
  61. {
  63. }
  65. /*
  66. Routine Description:
  68. Name:
  70. CKerberosPolicy::~CKerberosPolicy
  72. Functionality:
  74. Destructor. Necessary as good C++ discipline since we have virtual functions.
  76. Virtual:
  78. Yes.
  80. Arguments:
  82. none as any destructor
  84. Return Value:
  86. None as any destructor
  88. Notes:
  89. if you create any local members, think about whether
  90. there is any need for a non-trivial destructor
  92. */
  94. CKerberosPolicy::~CKerberosPolicy()
  95. {
  96. }
  98. /*
  99. Routine Description:
  101. Name:
  103. CKerberosPolicy::CreateObject
  105. Functionality:
  107. Create WMI objects (Sce_KerberosPolicy). Depending on parameter atAction,
  108. this creation may mean:
  109. (a) Get a single instance (atAction == ACTIONTYPE_GET)
  110. (b) Get several instances satisfying some criteria (atAction == ACTIONTYPE_QUERY)
  111. (c) Delete an instance (atAction == ACTIONTYPE_DELETE)
  113. Virtual:
  115. Yes.
  117. Arguments:
  119. pHandler - COM interface pointer for notifying WMI for creation result.
  120. atAction - Get single instance ACTIONTYPE_GET
  121. Get several instances ACTIONTYPE_QUERY
  122. Delete a single instance ACTIONTYPE_DELETE
  124. Return Value:
  126. Success: it must return success code (use SUCCEEDED to test). It is
  127. not guaranteed to return WBEM_NO_ERROR. The returned objects are indicated to WMI,
  128. not directly passed back via parameters.
  130. Failure: Various errors may occurs. Except WBEM_E_NOT_FOUND, any such error should indicate
  131. the failure of getting the wanted instance. If WBEM_E_NOT_FOUND is returned in querying
  132. situations, this may not be an error depending on caller's intention.
  134. Notes:
  136. */
  138. HRESULT
  139. CKerberosPolicy::CreateObject (
  140. IWbemObjectSink * pHandler,
  141. ACTIONTYPE atAction
  142. )
  143. {
  144. //
  145. // we know how to:
  146. // Get single instance ACTIONTYPE_GET
  147. // Delete a single instance ACTIONTYPE_DELETE
  148. // Get several instances ACTIONTYPE_QUERY
  149. //
  151. if ( ACTIONTYPE_GET != atAction &&
  152. ACTIONTYPE_DELETE != atAction &&
  153. ACTIONTYPE_QUERY != atAction )
  154. {
  155. return WBEM_E_NOT_SUPPORTED;
  156. }
  158. //
  159. // We must have the pStorePath property because that is where
  160. // our instance is stored.
  161. // m_srpKeyChain->GetKeyPropertyValue WBEM_S_FALSE if the key is not recognized
  162. // So, we need to test against WBEM_S_FALSE if the property is mandatory
  163. //
  165. CComVariant varStorePath;
  166. HRESULT hr = m_srpKeyChain->GetKeyPropertyValue(pStorePath, &varStorePath);
  168. if (SUCCEEDED(hr) && hr != WBEM_S_FALSE && varStorePath.vt == VT_BSTR)
  169. {
  170. //
  171. // create a store to do the reading
  172. //
  174. CSceStore SceStore;
  175. hr = SceStore.SetPersistPath(varStorePath.bstrVal);
  177. if ( SUCCEEDED(hr) )
  178. {
  179. //
  180. // make sure the store (just a file) really exists. The raw path
  181. // may contain env variables, so we need the expanded path
  182. //
  184. DWORD dwAttrib = GetFileAttributes(SceStore.GetExpandedPath());
  186. if ( dwAttrib != -1 )
  187. {
  188. if (ACTIONTYPE_DELETE == atAction)
  189. {
  190. hr = DeleteInstance(pHandler, &SceStore);
  191. }
  192. else
  193. {
  194. hr = ConstructInstance(pHandler, &SceStore, varStorePath.bstrVal, atAction);
  195. }
  196. }
  197. else
  198. {
  199. hr = WBEM_E_NOT_FOUND;
  200. }
  201. }
  202. }
  204. return hr;
  205. }
  207. /*
  208. Routine Description:
  210. Name:
  212. CKerberosPolicy::PutInst
  214. Functionality:
  216. Put an instance as instructed by WMI. Since this class implements Sce_KerberosPolicy,
  217. which is persistence oriented, this will cause the Sce_KerberosPolicy object's property
  218. information to be saved in our store.
  220. Virtual:
  222. Yes.
  224. Arguments:
  226. pInst - COM interface pointer to the WMI class (Sce_KerberosPolicy) object.
  228. pHandler - COM interface pointer for notifying WMI of any events.
  230. pCtx - COM interface pointer. This interface is just something we pass around.
  231. WMI may mandate it (not now) in the future. But we never construct
  232. such an interface and so, we just pass around for various WMI API's
  234. Return Value:
  236. Success: it must return success code (use SUCCEEDED to test). It is
  237. not guaranteed to return WBEM_NO_ERROR.
  239. Failure: Various errors may occurs. Any such error should indicate the failure of persisting
  240. the instance.
  242. Notes:
  243. Since GetProperty will return a success code (WBEM_S_RESET_TO_DEFAULT) when the
  244. requested property is not present, don't simply use SUCCEEDED or FAILED macros
  245. to test for the result of retrieving a property.
  247. */
  249. HRESULT
  250. CKerberosPolicy::PutInst (
  251. IN IWbemClassObject * pInst,
  252. IN IWbemObjectSink * pHandler,
  253. IN IWbemContext * pCtx
  254. )
  255. {
  256. HRESULT hr = WBEM_E_INVALID_PARAMETER;
  258. //
  259. // SCE_NO_VALUE means the property is not available from the instance.
  260. //
  262. DWORD dwTicket = SCE_NO_VALUE;
  263. DWORD dwRenew = SCE_NO_VALUE;
  264. DWORD dwService = SCE_NO_VALUE;
  265. DWORD dwClock = SCE_NO_VALUE;
  266. DWORD dwClient = SCE_NO_VALUE;
  268. //
  269. // CScePropertyMgr helps us to access WMI object's properties
  270. // create an instance and attach the WMI object to it.
  271. // This will always succeed.
  272. //
  274. CScePropertyMgr ScePropMgr;
  275. ScePropMgr.Attach(pInst);
  277. CSceStore SceStore;
  279. //
  280. // the use of the macro SCE_PROV_IfErrorGotoCleanup cause
  281. // a "goto CleanUp;" with hr set to the return value from
  282. // the function (macro parameter)
  283. //
  285. //
  286. // in hours
  287. //
  289. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.GetProperty(pMaxTicketAge, &dwTicket));
  291. //
  292. // in days
  293. //
  295. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.GetProperty(pMaxRenewAge, &dwRenew));
  297. //
  298. // in minutes
  299. //
  301. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.GetProperty(pMaxServiceAge, &dwService));
  303. //
  304. // dependency check
  305. //
  307. if ( dwTicket != SCE_NO_VALUE &&
  308. dwRenew != SCE_NO_VALUE &&
  309. dwService != SCE_NO_VALUE )
  310. {
  311. //
  312. // dwRenew >= dwTicket
  313. // dwRenew > dwService
  314. // dwTicket > dwService
  315. //
  317. if ( dwService < 10 || dwService > 99999L ||
  318. dwRenew == 0 || dwRenew > 99999L ||
  319. dwTicket == 0 || dwTicket > 99999L )
  320. {
  321. hr = WBEM_E_VALUE_OUT_OF_RANGE;
  322. }
  323. else
  324. {
  325. DWORD dHours = dwRenew * 24;
  327. if ( dHours < dwTicket ||
  328. (dHours * 60) <= dwService ||
  329. (dwTicket * 60) <= dwService )
  330. {
  331. hr = WBEM_E_VALUE_OUT_OF_RANGE;
  332. }
  333. }
  335. }
  336. else if ( dwTicket != SCE_NO_VALUE ||
  337. dwRenew != SCE_NO_VALUE ||
  338. dwService != SCE_NO_VALUE )
  339. {
  340. hr = WBEM_E_ILLEGAL_NULL;
  341. }
  343. if ( FAILED(hr) )
  344. {
  345. goto CleanUp;
  346. }
  348. //
  349. // in minutes
  350. //
  352. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.GetProperty(pMaxClockSkew, &dwClock));
  354. if ( dwClock != SCE_NO_VALUE && dwClock > 99999L )
  355. {
  356. hr = WBEM_E_VALUE_OUT_OF_RANGE;
  357. goto CleanUp;
  358. }
  360. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.GetProperty(pEnforceLogonRestrictions, &dwClient));
  362. //
  363. // Attach the WMI object instance to the store and let the store know that
  364. // it's store is given by the pStorePath property of the instance.
  365. //
  367. SCE_PROV_IfErrorGotoCleanup(SceStore.SetPersistProperties(pInst, pStorePath));
  369. //
  370. // now save the info to file
  371. //
  373. hr = SaveSettingsToStore(&SceStore,
  374. dwTicket,
  375. dwRenew,
  376. dwService,
  377. dwClock,
  378. dwClient
  379. );
  381. CleanUp:
  382. return hr;
  384. }
  386. /*
  387. Routine Description:
  389. Name:
  391. CKerberosPolicy::ConstructInstance
  393. Functionality:
  395. This is private function to create an instance of Sce_KerberosPolicy.
  397. Virtual:
  399. No.
  401. Arguments:
  403. pHandler - COM interface pointer for notifying WMI of any events.
  405. pSceStore - Pointer to our store. It must have been appropriately set up.
  407. wszLogStorePath - store path, a key property of Sce_KerberosPolicy class.
  409. atAction - indicates whether it is querying or get single instance.
  411. Return Value:
  413. Success: it must return success code (use SUCCEEDED to test). It is
  414. not guaranteed to return WBEM_NO_ERROR.
  416. Failure: Various errors may occurs. Any such error should indicate the creating the instance.
  418. Notes:
  420. */
  422. HRESULT
  423. CKerberosPolicy::ConstructInstance (
  424. IN IWbemObjectSink * pHandler,
  425. IN CSceStore * pSceStore,
  426. IN LPWSTR wszLogStorePath,
  427. IN ACTIONTYPE atAction
  428. )
  429. {
  430. //
  431. // make sure that we have a valid store
  432. //
  434. if ( pSceStore == NULL ||
  435. pSceStore->GetStoreType() < SCE_INF_FORMAT ||
  436. pSceStore->GetStoreType() > SCE_JET_ANALYSIS_REQUIRED )
  437. {
  438. return WBEM_E_INVALID_PARAMETER;
  439. }
  441. //
  442. // ask SCE to read a gigantic structure out from the store. Only SCE
  443. // knows now to release the memory. Don't just delete it! Use our CSceStore
  444. // to do the releasing (FreeSecurityProfileInfo)
  445. //
  447. PSCE_PROFILE_INFO pInfo=NULL;
  448. HRESULT hr = pSceStore->GetSecurityProfileInfo(
  449. AREA_SECURITY_POLICY,
  450. &pInfo,
  451. NULL
  452. );
  454. if (SUCCEEDED(hr) && pInfo->pKerberosInfo == NULL)
  455. {
  456. hr = WBEM_E_NOT_FOUND;
  457. }
  459. //
  460. // the use of the macro SCE_PROV_IfErrorGotoCleanup cause
  461. // a "goto CleanUp;" with hr set to the return value from
  462. // the function (macro parameter)
  463. //
  465. if (SUCCEEDED(hr))
  466. {
  468. CComPtr<IWbemClassObject> srpObj;
  470. CComBSTR bstrLogOut;
  471. LPCWSTR pszExpandedPath = pSceStore->GetExpandedPath();
  473. if ( ACTIONTYPE_QUERY == atAction )
  474. {
  475. SCE_PROV_IfErrorGotoCleanup(MakeSingleBackSlashPath(wszLogStorePath, L'\\', &bstrLogOut));
  476. pszExpandedPath = bstrLogOut;
  477. }
  479. SCE_PROV_IfErrorGotoCleanup(SpawnAnInstance(&srpObj));
  481. //
  482. // CScePropertyMgr helps us to access WMI object's properties
  483. // create an instance and attach the WMI object to it.
  484. // This will always succeed.
  485. //
  487. CScePropertyMgr ScePropMgr;
  488. ScePropMgr.Attach(srpObj);
  490. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.PutProperty(pStorePath, pszExpandedPath));
  492. if (pInfo->pKerberosInfo->MaxTicketAge != SCE_NO_VALUE ) {
  493. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.PutProperty(pMaxTicketAge, pInfo->pKerberosInfo->MaxTicketAge));
  494. }
  496. if (pInfo->pKerberosInfo->MaxRenewAge != SCE_NO_VALUE ) {
  497. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.PutProperty(pMaxRenewAge, pInfo->pKerberosInfo->MaxRenewAge));
  498. }
  500. if (pInfo->pKerberosInfo->MaxServiceAge != SCE_NO_VALUE ) {
  501. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.PutProperty(pMaxServiceAge, pInfo->pKerberosInfo->MaxServiceAge));
  502. }
  504. if (pInfo->pKerberosInfo->MaxClockSkew != SCE_NO_VALUE ) {
  505. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.PutProperty(pMaxClockSkew, pInfo->pKerberosInfo->MaxClockSkew));
  506. }
  508. if (pInfo->pKerberosInfo->TicketValidateClient != SCE_NO_VALUE ) {
  509. bool bValue = pInfo->pKerberosInfo->TicketValidateClient ? TRUE : FALSE;
  510. SCE_PROV_IfErrorGotoCleanup(ScePropMgr.PutProperty(pEnforceLogonRestrictions, bValue));
  511. }
  513. //
  514. // do the necessary gestures to WMI.
  515. // the use of WBEM_STATUS_REQUIREMENTS in SetStatus is not documented by WMI
  516. // at this point. Consult WMI team for detail if you suspect problems with
  517. // the use of WBEM_STATUS_REQUIREMENTS
  518. //
  520. if ( ACTIONTYPE_QUERY == atAction ) {
  521. pHandler->SetStatus(WBEM_STATUS_REQUIREMENTS, S_FALSE, NULL, NULL);
  522. } else {
  523. pHandler->SetStatus(WBEM_STATUS_REQUIREMENTS, S_OK, NULL, NULL);
  524. }
  526. //
  527. // pass the new instance to WMI
  528. //
  530. hr = pHandler->Indicate(1, &srpObj);
  531. }
  533. CleanUp:
  535. pSceStore->FreeSecurityProfileInfo(pInfo);
  537. return hr;
  538. }
  540. /*
  541. Routine Description:
  543. Name:
  545. CKerberosPolicy::DeleteInstance
  547. Functionality:
  549. remove an instance of Sce_KerberosPolicy from the specified store.
  551. Virtual:
  553. No.
  555. Arguments:
  557. pHandler - COM interface pointer for notifying WMI of any events.
  559. pSceStore - Pointer to our store. It must have been appropriately set up.
  561. Return Value:
  563. Success: WBEM_NO_ERROR.
  565. Failure: WBEM_E_INVALID_PARAMETER.
  567. Notes:
  569. */
  571. HRESULT
  572. CKerberosPolicy::DeleteInstance (
  573. IN IWbemObjectSink * pHandler,
  574. IN CSceStore * pSceStore
  575. )
  576. {
  577. //
  578. // make sure we are given a valid store
  579. //
  581. if ( pSceStore == NULL ||
  582. pSceStore->GetStoreType() < SCE_INF_FORMAT ||
  583. pSceStore->GetStoreType() > SCE_JET_ANALYSIS_REQUIRED )
  584. {
  585. return WBEM_E_INVALID_PARAMETER;
  586. }
  588. pSceStore->DeleteSectionFromStore(szKerberosPolicy);
  589. return WBEM_NO_ERROR;
  590. }
  593. /*
  594. Routine Description:
  596. Name:
  598. CKerberosPolicy:SaveSettingsToStore
  600. Functionality:
  602. With all the properties of a Sce_KerberosPolicy, this function just saves
  603. the instance properties to our store.
  605. Virtual:
  607. No.
  609. Arguments:
  611. pSceStore - store path, a key property of Sce_KerberosPolicy class.
  613. dwTicket - a corresponding key property of Sce_KerberosPolicy class.
  615. dwRenew - another corresponding property of the Sce_KerberosPolicy class.
  617. dwService - another corresponding property of the Sce_KerberosPolicy class.
  619. dwClock - another corresponding property of the Sce_KerberosPolicy class.
  621. dwClient - another corresponding property of the Sce_KerberosPolicy class.
  623. Return Value:
  625. Success: it must return success code (use SUCCEEDED to test). It is
  626. not guaranteed to return WBEM_NO_ERROR.
  628. Failure: Various errors may occurs. Any error indicates the failure to save the instance.
  630. Notes:
  631. */
  633. HRESULT
  634. CKerberosPolicy::SaveSettingsToStore (
  635. IN CSceStore * pSceStore,
  636. IN DWORD dwTicket,
  637. IN DWORD dwRenew,
  638. IN DWORD dwService,
  639. IN DWORD dwClock,
  640. IN DWORD dwClient
  641. )
  642. {
  643. HRESULT hr = WBEM_S_NO_ERROR;
  644. HRESULT hrTmp;
  646. DWORD dwDump;
  648. //
  649. // the use of the macro SCE_PROV_IfErrorGotoCleanup cause
  650. // a "goto CleanUp;" with hr set to the return value from
  651. // the function (macro parameter)
  652. //
  654. //
  655. // For a new .inf file. Write an empty buffer to the file
  656. // will creates the file with right header/signature/unicode format
  657. // this is harmless for existing files.
  658. // For database store, this is a no-op.
  659. //
  661. SCE_PROV_IfErrorGotoCleanup(pSceStore->WriteSecurityProfileInfo(AreaBogus,
  662. (PSCE_PROFILE_INFO)&dwDump,
  663. NULL,
  664. false
  665. )
  666. );
  668. //
  669. // TicketAge
  670. //
  672. SCE_PROV_IfErrorGotoCleanup(pSceStore->SavePropertyToStore(szKerberosPolicy, KeyTicket, dwTicket));
  674. //
  675. // RenewAge
  676. //
  678. SCE_PROV_IfErrorGotoCleanup(pSceStore->SavePropertyToStore(szKerberosPolicy, KeyRenew, dwRenew));
  680. //
  681. // ServiceAge
  682. //
  684. SCE_PROV_IfErrorGotoCleanup(pSceStore->SavePropertyToStore(szKerberosPolicy, KeyService, dwService));
  686. //
  687. // Clock Skew
  688. //
  690. SCE_PROV_IfErrorGotoCleanup(pSceStore->SavePropertyToStore(szKerberosPolicy, KeyClock, dwClock));
  692. //
  693. // Validate client
  694. //
  696. SCE_PROV_IfErrorGotoCleanup(pSceStore->SavePropertyToStore(szKerberosPolicy, KeyClient, dwClient));
  698. CleanUp:
  699. return hr;
  700. }