Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

2128 lines
78 KiB

//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1999-2002.
//
// File: SecDesc.cpp
//
// Contents: DoSecurityDescription and support methods
//
//
//----------------------------------------------------------------------------
#include "stdafx.h"
#include "ADUtils.h"
#include "SecDesc.h"
///////////////////////////////////////////////////////////////////////////////
//
// Method: DoSecurityDescription ()
//
// Purpose: Main routine for doing security description
//
//
HRESULT DoSecurityDescription ()
{
_TRACE (1, L"Entering DoSecurityDescription\n");
HRESULT hr = S_OK;
wstring str;
// Print header
if ( _Module.DoTabDelimitedOutput () )
{
MyWprintf (_Module.GetObjectDN ().c_str ());
MyWprintf (L"\n");
}
else
{
FormatMessage (str, IDS_SECURITY_DIAGNOSIS_FOR, _Module.GetObjectDN ().c_str ());
MyWprintf (str.c_str ());
if ( !_Module.SkipDescription () )
{
LoadFromResource (str, IDS_DESCRIPTION);
str += L"\n";
MyWprintf (str.c_str ());
}
}
hr = GetSecurityDescriptor (_Module.GetObjectDN (), &_Module.m_pSecurityDescriptor);
if ( SUCCEEDED (hr) )
{
if ( _Module.m_pSecurityDescriptor )
{
hr = DisplayOwner ();
if ( SUCCEEDED (hr) )
{
SECURITY_DESCRIPTOR_CONTROL control;
DWORD dwRevision = 0;
if ( GetSecurityDescriptorControl (
_Module.m_pSecurityDescriptor,
&control,
&dwRevision) )
{
if ( _Module.DoTabDelimitedOutput () )
{
MyWprintf (L"\n");
if ( control & SE_DACL_PROTECTED )
LoadFromResource (str, IDS_PERMISSIONS_PROTECTED);
else
LoadFromResource (str, IDS_PERMISSIONS_NOT_PROTECTED);
MyWprintf (str.c_str ());
if ( control & SE_SACL_PROTECTED )
LoadFromResource (str, IDS_AUDITING_PROTECTED);
else
LoadFromResource (str, IDS_AUDITING_NOT_PROTECTED);
MyWprintf (str.c_str ());
}
else
{
if ( control & SE_DACL_PROTECTED )
{
LoadFromResource (str, IDS_CONFIG_NO_INHERIT);
MyWprintf (str.c_str ());
}
}
}
else
{
_TRACE (0, L"GetSecurityDescriptorControl () failed: 0x%x\n", GetLastError ());
}
hr = EnumerateDacl (_Module.m_pSecurityDescriptor, _Module.m_DACLList, true);
if ( SUCCEEDED (hr) )
{
hr = EnumerateSacl (_Module.m_pSecurityDescriptor, _Module.m_SACLList);
if ( SUCCEEDED (hr) && !_Module.SkipDescription () )
{
hr = PrintEffectivePermissions ();
if ( SUCCEEDED (hr) )
{
hr = PrintInheritedPermissions ();
if ( SUCCEEDED (hr) )
{
hr = PrintAuditingInformation ();
}
}
}
}
}
}
else
{
hr = E_ACCESSDENIED;
wstring str;
FormatMessage (str, IDS_UNABLE_TO_READ_SECURITY_DESCRIPTOR, _Module.GetObjectDN ().c_str ());
MyWprintf (str.c_str ());
}
}
_TRACE (-1, L"Leaving DoSecurityDescription: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: GetSecurityDescriptor ()
//
// Purpose: Get ths security descriptor for the indicated object
//
// Inputs: strObjectDN - the object show security descriptor we wish to
// retrieve
//
// Outputs: ppAttrs - returns the security descriptor raw data - this holds the data
// persistent in memory
//
// ppSecurityDescriptor - returns the security descriptor
//
HRESULT GetSecurityDescriptor (
wstring strObjectDN, // pass by value
PSECURITY_DESCRIPTOR* ppSecurityDescriptor)
{
_TRACE (1, L"Entering GetSecurityDescriptor\n");
HRESULT hr = S_OK;
if ( ppSecurityDescriptor )
{
CComPtr<IADsPathname> spPathname;
//
// Constructing the directory paths
//
hr = CoCreateInstance(
CLSID_Pathname,
NULL,
CLSCTX_ALL,
IID_PPV_ARG (IADsPathname, &spPathname));
if ( SUCCEEDED (hr) )
{
ASSERT (!!spPathname);
LPCWSTR pszLDAP = L"LDAP://";
// If object name is preceded with LDAP, set the whole name at once.
if ( !wcsncmp (strObjectDN.c_str (), pszLDAP, wcslen (pszLDAP)) )
{
hr = spPathname->Set (CComBSTR (strObjectDN.c_str ()),
ADS_SETTYPE_FULL);
if ( FAILED (hr) )
{
_TRACE (0, L"IADsPathname->Set (%s): 0x%x\n",
strObjectDN.c_str (), hr);
}
}
else
{
hr = spPathname->Set (CComBSTR (ACLDIAG_LDAP),
ADS_SETTYPE_PROVIDER);
if ( SUCCEEDED (hr) )
{
hr = spPathname->Set (CComBSTR (strObjectDN.c_str ()),
ADS_SETTYPE_DN);
if ( FAILED (hr) )
{
_TRACE (0, L"IADsPathname->Set (%s): 0x%x\n",
strObjectDN.c_str (), hr);
}
}
else
{
_TRACE (0, L"IADsPathname->Set (%s): 0x%x\n", ACLDIAG_LDAP, hr);
}
}
if ( SUCCEEDED (hr) )
{
BSTR bstrFullPath = 0;
hr = spPathname->Retrieve(ADS_FORMAT_X500, &bstrFullPath);
if ( SUCCEEDED (hr) )
{
CComPtr<IDirectoryObject> spDirObj;
hr = ADsOpenObjectHelper (bstrFullPath,
IID_IDirectoryObject,
0,
(void**)&spDirObj);
if ( SUCCEEDED (hr) )
{
hr = SetSecurityInfoMask (spDirObj,
OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION |
SACL_SECURITY_INFORMATION);
//
// Get this object's Security Descriptor.
//
const PWSTR wzSecDescriptor = L"nTSecurityDescriptor";
PADS_ATTR_INFO pAttrs = 0;
DWORD cAttrs = 0;
LPWSTR rgpwzAttrNames[] = {wzSecDescriptor};
hr = spDirObj->GetObjectAttributes(rgpwzAttrNames, 1, &pAttrs, &cAttrs);
if ( SUCCEEDED (hr) )
{
if ( 0 == cAttrs )
{
// remove SACL_SECURITY_INFORMATION
hr = SetSecurityInfoMask (spDirObj,
OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION);
hr = spDirObj->GetObjectAttributes(rgpwzAttrNames, 1, &pAttrs, &cAttrs);
}
if ( SUCCEEDED (hr) && 1 == cAttrs && pAttrs && pAttrs->pADsValues )
{
if (!(pAttrs->pADsValues->SecurityDescriptor.lpValue) ||
!(pAttrs->pADsValues->SecurityDescriptor.dwLength))
{
_TRACE (0, L"IADS return bogus SD!\n");
hr = E_UNEXPECTED;
}
else if (!IsValidSecurityDescriptor(pAttrs->pADsValues->SecurityDescriptor.lpValue))
{
_TRACE (0, L"IsValidSecurityDescriptor failed!\n");
hr = HRESULT_FROM_WIN32(GetLastError());
}
else
{
*ppSecurityDescriptor = (PSECURITY_DESCRIPTOR)
::LocalAlloc (LMEM_ZEROINIT, pAttrs->pADsValues->SecurityDescriptor.dwLength);
if ( *ppSecurityDescriptor )
{
memcpy (*ppSecurityDescriptor,
pAttrs->pADsValues->SecurityDescriptor.lpValue,
pAttrs->pADsValues->SecurityDescriptor.dwLength);
}
else
hr = E_OUTOFMEMORY;
}
FreeADsMem (pAttrs);
}
else
{
if ( !wcscmp (strObjectDN.c_str (), _Module.GetObjectDN ().c_str ()) )
{
wstring str;
FormatMessage (str, IDS_NO_SECDESC_RETURNED, strObjectDN.c_str ());
MyWprintf (str.c_str ());
}
}
}
else
{
if ( !wcscmp (strObjectDN.c_str (), _Module.GetObjectDN ().c_str ()) )
{
wstring str;
FormatMessage (str, IDS_NO_SECDESC_RETURNED_WITH_CODE,
strObjectDN.c_str (), GetSystemMessage (hr).c_str ());
MyWprintf (str.c_str ());
}
_TRACE (0, L"IDirectoryObject->GetObjectAttributes (): 0x%x\n", hr);
}
}
else
{
if ( ERROR_DS_REFERRAL == HRESULT_CODE (hr) )
hr = S_FALSE;
else
{
_TRACE (0, L"ADsOpenObjectHelper (%s): 0x%x\n", bstrFullPath, hr);
wstring strErr;
FormatMessage (strErr, IDS_INVALID_OBJECT,
_Module.GetObjectDN ().c_str (),
GetSystemMessage (hr).c_str ());
MyWprintf (strErr.c_str ());
}
}
}
else
{
_TRACE (0, L"IADsPathname->Retrieve (): 0x%x\n", hr);
}
}
}
else
{
_TRACE (0, L"CoCreateInstance(CLSID_Pathname): 0x%x\n", hr);
}
}
else
hr = E_POINTER;
_TRACE (-1, L"Leaving GetSecurityDescriptor: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: DisplayOwner ()
//
// Purpose: Display the owner of this object
//
HRESULT DisplayOwner ()
{
_TRACE (1, L"Entering DisplayOwner\n");
HRESULT hr = S_OK;
PSID pSidOwner = 0;
BOOL bOwnerDefaulted = FALSE;
if ( ::GetSecurityDescriptorOwner(
_Module.m_pSecurityDescriptor,
&pSidOwner,
&bOwnerDefaulted) )
{
wstring strPrincipalName;
wstring strFQDN;
SID_NAME_USE sne = SidTypeUnknown;
hr = GetNameFromSid (pSidOwner, strPrincipalName, &strFQDN, sne);
if ( SUCCEEDED (hr) && !_Module.SkipDescription () )
{
wstring str;
if ( _Module.DoTabDelimitedOutput () )
FormatMessage (str, IDS_OWNER_CDO, strPrincipalName.c_str ());
else
FormatMessage (str, IDS_OWNER, strPrincipalName.c_str ());
MyWprintf (str.c_str ());
}
PSID_FQDN* pItem = new PSID_FQDN (pSidOwner, strFQDN, strPrincipalName, sne);
if ( pItem )
_Module.m_PSIDList.push_back (pItem);
else
hr = E_OUTOFMEMORY;
}
else
{
DWORD dwErr = GetLastError ();
_TRACE (0, L"GetSecurityDescriptorOwner () failed: 0x%x\n",
dwErr);
hr = HRESULT_FROM_WIN32 (dwErr);
}
_TRACE (-1, L"Leaving DisplayOwner: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: EnumerateDacl ()
//
// Purpose: Enumerate the DACL and store it in a list
//
// Inputs: pSecurityDescriptor - where to get the DACL
//
// Outputs: DACLList - return the ACEs in this list
//
HRESULT EnumerateDacl (PSECURITY_DESCRIPTOR pSecurityDescriptor, ACE_SAMNAME_LIST& DACLList, bool bListSids)
{
_TRACE (1, L"Entering EnumerateDacl\n");
HRESULT hr = S_OK;
ASSERT (pSecurityDescriptor);
if ( !pSecurityDescriptor )
return E_POINTER;
PACL pDacl = 0;
BOOL bDaclPresent = FALSE;
BOOL bDaclDefaulted = FALSE;
_TRACE (0, L"Calling GetSecurityDescriptorDacl ()\n");
if ( GetSecurityDescriptorDacl (pSecurityDescriptor,
&bDaclPresent, &pDacl, &bDaclDefaulted) )
{
_TRACE (0, L"Call to GetSecurityDescriptorDacl () succeeded.\n");
if ( bDaclPresent )
{
PACCESS_ALLOWED_ACE pAllowedAce;
PSID_FQDN_LIST::iterator itrPSID = _Module.m_PSIDList.begin ();
ACE_SAMNAME* pAceSAMName = 0;
PSID_FQDN* pPsidFQDN = 0;
SID_NAME_USE sne = SidTypeUnknown;
// copy the ACES
for (int i = 0; i < pDacl->AceCount; i++)
{
if ( GetAce (pDacl, i, (void **)&pAllowedAce) )
{
PSID AceSid = 0;
if ( IsObjectAceType ( pAllowedAce ) )
{
AceSid = RtlObjectAceSid( pAllowedAce );
}
else
{
AceSid = &( ( PKNOWN_ACE )pAllowedAce )->SidStart;
}
ASSERT (IsValidSid (AceSid));
wstring strPrincipalName;
wstring strFQDN;
hr = GetNameFromSid (AceSid, strPrincipalName,
bListSids ? &strFQDN : 0, sne);
if ( SUCCEEDED (hr) )
{
if ( bListSids )
{
bool bFound = false;
for (PSID_FQDN_LIST::iterator itrPSIDFind = _Module.m_PSIDList.begin ();
itrPSIDFind != _Module.m_PSIDList.end ();
itrPSIDFind++)
{
pPsidFQDN = *itrPSIDFind;
if ( pPsidFQDN )
{
if ( !wcscmp (pPsidFQDN->m_strFQDN.c_str (), strFQDN.c_str ()) )
{
bFound = true;
}
}
}
if ( !bFound )
{
pPsidFQDN = new PSID_FQDN (AceSid, strFQDN, strPrincipalName, sne);
if ( pPsidFQDN )
{
_Module.m_PSIDList.push_back (pPsidFQDN);
}
else
{
hr = E_OUTOFMEMORY;
break;
}
}
}
pAceSAMName = new ACE_SAMNAME;
if ( pAceSAMName )
{
pAceSAMName->m_AceType = pAllowedAce->Header.AceType;
switch (pAceSAMName->m_AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
pAceSAMName->m_pAllowedAce = pAllowedAce;
break;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
pAceSAMName->m_pAllowedObjectAce =
reinterpret_cast <PACCESS_ALLOWED_OBJECT_ACE> (pAllowedAce);
break;
case ACCESS_DENIED_ACE_TYPE:
pAceSAMName->m_pDeniedAce =
reinterpret_cast <PACCESS_DENIED_ACE> (pAllowedAce);
break;
case ACCESS_DENIED_OBJECT_ACE_TYPE:
pAceSAMName->m_pDeniedObjectAce =
reinterpret_cast <PACCESS_DENIED_OBJECT_ACE> (pAllowedAce);
break;
default:
break;
}
pAceSAMName->m_SAMAccountName = strPrincipalName;
pAceSAMName->DebugOut ();
DACLList.push_back (pAceSAMName);
}
else
{
hr = E_OUTOFMEMORY;
break;
}
}
}
else
{
_TRACE (0, L"GetAce failed: 0x%x\n", GetLastError ());
break;
}
}
}
}
else
{
DWORD dwErr = GetLastError ();
_TRACE (0, L"Call to GetSecurityDescriptorDacl () failed: 0x%x\n", dwErr);
hr = HRESULT_FROM_WIN32 (dwErr);
}
_TRACE (-1, L"Leaving EnumerateDacl: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: EnumerateSacl ()
//
// Purpose: Enumerate the SACL and store it in a list
//
// Inputs: pSecurityDescriptor - where to get the DACL
//
// Outputs: The results are store in the _Module.m_SACLList
//
HRESULT EnumerateSacl (PSECURITY_DESCRIPTOR pSecurityDescriptor, ACE_SAMNAME_LIST& SACLList)
{
_TRACE (1, L"Entering EnumerateSacl\n");
HRESULT hr = S_OK;
ASSERT (pSecurityDescriptor);
if ( !pSecurityDescriptor )
return E_POINTER;
PACL pSacl = 0;
BOOL bSaclPresent = FALSE;
BOOL bSaclDefaulted = FALSE;
_TRACE (0, L"Calling GetSecurityDescriptorSacl ()\n");
if ( GetSecurityDescriptorSacl (pSecurityDescriptor,
&bSaclPresent, &pSacl, &bSaclDefaulted) )
{
_TRACE (0, L"Call to GetSecurityDescriptorSacl () succeeded.\n");
if ( bSaclPresent && pSacl )
{
PACCESS_ALLOWED_ACE pAllowedAce;
wstring strPrincipalName;
wstring strFQDN;
ACE_SAMNAME* pAceSAMName = 0;
SID_NAME_USE sne = SidTypeUnknown;
// copy the ACES
for (int i = 0; i < pSacl->AceCount; i++)
{
if ( GetAce (pSacl, i, (void **)&pAllowedAce) )
{
PSID AceSid;
if ( IsObjectAceType ( pAllowedAce ) )
{
AceSid = RtlObjectAceSid( pAllowedAce );
}
else
{
AceSid = &( ( PKNOWN_ACE )pAllowedAce )->SidStart;
}
hr = GetNameFromSid (AceSid, strPrincipalName, 0, sne);
if ( SUCCEEDED (hr) )
{
pAceSAMName = new ACE_SAMNAME;
if ( pAceSAMName )
{
pAceSAMName->m_AceType = pAllowedAce->Header.AceType;
switch (pAceSAMName->m_AceType)
{
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
pAceSAMName->m_pSystemAuditObjectAce =
reinterpret_cast <PSYSTEM_AUDIT_OBJECT_ACE> (pAllowedAce);
break;
case SYSTEM_AUDIT_ACE_TYPE:
pAceSAMName->m_pSystemAuditAce =
reinterpret_cast <PSYSTEM_AUDIT_ACE> (pAllowedAce);
break;
default:
break;
}
pAceSAMName->m_SAMAccountName = strPrincipalName;
pAceSAMName->DebugOut ();
SACLList.push_back (pAceSAMName);
}
else
{
hr = E_OUTOFMEMORY;
break;
}
}
}
else
{
_TRACE (0, L"GetAce failed: 0x%x\n", GetLastError ());
break;
}
}
}
}
else
{
DWORD dwErr = GetLastError ();
_TRACE (0, L"GetSecurityDescriptorSacl () failed: 0x%x\n", dwErr);
hr = HRESULT_FROM_WIN32 (dwErr);
}
_TRACE (-1, L"Leaving EnumerateSacl: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: PrintEffectivePermissions ()
//
// Purpose: Print the permissions effective on the object
//
HRESULT PrintEffectivePermissions ()
{
HRESULT hr = S_OK;
ACE_SAMNAME_LIST::iterator itr = _Module.m_DACLList.begin ();
wstring str;
ACE_SAMNAME* pAceSAMName = 0;
if ( !_Module.DoTabDelimitedOutput () )
{
LoadFromResource (str, IDS_PERMISSIONS_EFFECTIVE);
MyWprintf (str.c_str ());
}
for (itr = _Module.m_DACLList.begin(); itr != _Module.m_DACLList.end(); itr++)
{
pAceSAMName = *itr;
if ( !(pAceSAMName->m_pAllowedAce->Header.AceFlags & INHERIT_ONLY_ACE) )
{
switch (pAceSAMName->m_AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
hr = EnumeratePermissions (pAceSAMName, P_ALLOW, P_THIS_OBJECT, L"");
break;
case ACCESS_DENIED_OBJECT_ACE_TYPE:
case ACCESS_DENIED_ACE_TYPE:
hr = EnumeratePermissions (pAceSAMName, P_DENY, P_THIS_OBJECT, L"");
break;
default:
break;
}
}
}
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: EnumeratePermissions ()
//
// Purpose: Print all the permissions contained on the passed in ACE
//
// Inputs: pAceSAMName - structure containing the ACE whose permissions we wish
// to print
//
// ptype - allow, deny, succes, failure, success and failure
//
HRESULT EnumeratePermissions (ACE_SAMNAME* pAceSAMName, P_TYPE ptype, P_WHO pWho, PCWSTR pwszClassName)
{
HRESULT hr = S_OK;
if ( pAceSAMName )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_CREATE_CHILD,
ptype,
IDS_CREATE_ALL_SUBOBJECTS,
IDS_CREATE_CLASS_OBJECTS,
pWho,
pwszClassName);
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_DELETE_CHILD,
ptype,
IDS_DELETE_ALL_SUBOBJECTS,
IDS_DELETE_CLASS_OBJECTS,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_READ_PROP,
ptype,
IDS_READ_ALL_PROPERTIES,
IDS_READ_PROPERTY_PROPERTY,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_WRITE_PROP,
ptype,
IDS_WRITE_ALL_PROPERTIES,
IDS_WRITE_PROPERTY_PROPERTY,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_LIST,
ptype,
IDS_LIST_CONTENTS, false,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_LIST_OBJECT,
ptype,
IDS_LIST_OBJECT, false,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_CONTROL_ACCESS,
ptype,
IDS_ALL_CONTROL_ACCESSES,
IDS_CONTROL_ACCESS_DISPLAY_NAME,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DELETE,
ptype,
IDS_DELETE_THIS_OBJECT, false,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_READ_CONTROL,
ptype,
IDS_READ_PERMISSIONS, false,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_CHANGE_ACCESS,
ptype,
IDS_MODIFY_PERMISSIONS, false,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_CHANGE_OWNER,
ptype,
IDS_TAKE_CHANGE_OWNERSHIP, false,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_SELF,
ptype,
IDS_MODIFY_MEMBERSHIP, false,
pWho,
pwszClassName);
}
}
else
hr = E_POINTER;
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: PrintPermission ()
//
// Purpose: Print an OBJECT_ACE_TYPE permission
//
// Inputs: pAceSAMName - structure containing the ACE whose permission we wish
// to print
//
// accessMask - the specific permission we're looking to print
//
// bAllow - whether the permission is allowed or denied
//
// strIDAll - string to print if permission applies to all object
// classes
//
// strIDParam - string print if permission applies to a specific
// object class
//
HRESULT PrintPermission (ACE_SAMNAME* pAceSAMName,
ACCESS_MASK accessMask,
P_TYPE ptype,
int strIDAll,
int strIDParam,
P_WHO pWho,
PCWSTR pwszClassName)
{
HRESULT hr = S_OK;
if ( pAceSAMName )
{
wstring str;
wstring strPermission;
if ( pAceSAMName->m_pAllowedAce->Mask & accessMask )
{
bool bIsAudit = false;
switch (pAceSAMName->m_AceType )
{
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
if ( (pAceSAMName->m_pAllowedObjectAce->Flags & ACE_OBJECT_TYPE_PRESENT) &&
!::IsEqualGUID (pAceSAMName->m_pAllowedObjectAce->ObjectType, NULLGUID) )
{
wstring strClass;
if ( ACTRL_DS_CONTROL_ACCESS == accessMask )
{
hr = GetControlDisplayName (
pAceSAMName->m_pAllowedObjectAce->ObjectType, strClass);
}
else
{
_Module.GetClassFromGUID (
pAceSAMName->m_pAllowedObjectAce->ObjectType,
strClass);
}
FormatMessage (strPermission, strIDParam,
strClass.c_str ());
}
else
{
LoadFromResource (strPermission, strIDAll);
}
break;
case ACCESS_DENIED_OBJECT_ACE_TYPE:
if ( (pAceSAMName->m_pDeniedObjectAce->Flags & ACE_OBJECT_TYPE_PRESENT) &&
!::IsEqualGUID (pAceSAMName->m_pDeniedObjectAce->ObjectType, NULLGUID) )
{
wstring strClass;
if ( ACTRL_DS_CONTROL_ACCESS == accessMask )
{
hr = GetControlDisplayName (
pAceSAMName->m_pDeniedObjectAce->ObjectType, strClass);
}
else
{
_Module.GetClassFromGUID (
pAceSAMName->m_pDeniedObjectAce->ObjectType,
strClass);
}
FormatMessage (strPermission,strIDParam,
strClass.c_str ());
}
else
{
LoadFromResource (strPermission, strIDAll);
}
break;
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
if ( (pAceSAMName->m_pSystemAuditObjectAce->Flags & ACE_OBJECT_TYPE_PRESENT) &&
!::IsEqualGUID (pAceSAMName->m_pSystemAuditObjectAce->ObjectType, NULLGUID) )
{
wstring strClass;
if ( ACTRL_DS_CONTROL_ACCESS == accessMask )
{
hr = GetControlDisplayName (
pAceSAMName->m_pSystemAuditObjectAce->ObjectType, strClass);
}
else
{
_Module.GetClassFromGUID (
pAceSAMName->m_pSystemAuditObjectAce->ObjectType,
strClass);
}
FormatMessage (strPermission,strIDParam,
strClass.c_str ());
}
else
{
LoadFromResource (strPermission, strIDAll);
}
bIsAudit = true;
break;
case SYSTEM_AUDIT_ACE_TYPE:
bIsAudit = true;
// fall through
case ACCESS_ALLOWED_ACE_TYPE:
case ACCESS_DENIED_ACE_TYPE:
default:
LoadFromResource (strPermission, strIDAll);
break;
}
int strid = 0;
switch (ptype)
{
case P_ALLOW:
if ( _Module.DoTabDelimitedOutput () )
strid = IDS_ALLOW_CDO;
else
strid = IDS_ALLOW;
break;
case P_DENY:
if ( _Module.DoTabDelimitedOutput () )
strid = IDS_DENY_CDO;
else
strid = IDS_DENY;
break;
case P_SUCCESS:
if ( _Module.DoTabDelimitedOutput () )
strid = IDS_SUCCESS_CDO;
else
strid = IDS_SUCCESS;
break;
case P_FAILURE:
if ( _Module.DoTabDelimitedOutput () )
strid = IDS_FAILURE_CDO;
else
strid = IDS_FAILURE;
break;
case P_SUCCESS_AND_FAILURE:
if ( _Module.DoTabDelimitedOutput () )
strid = IDS_SUCCESS_AND_FAILURE_CDO;
else
strid = IDS_SUCCESS_AND_FAILURE;
break;
default:
return E_UNEXPECTED;
}
if ( _Module.DoTabDelimitedOutput () )
{
wstring strObject;
switch ( pWho )
{
case P_THIS_OBJECT:
LoadFromResource (strObject, IDS_THIS_OBJECT);
break;
case P_ALL_OBJECTS:
LoadFromResource (strObject, IDS_ALL_SUBOBJECTS);
break;
case P_CLASS_OBJECT:
FormatMessage (strObject, IDS_CLASS_OBJECT, pwszClassName);
break;
}
FormatMessage (str, strid,
strObject.c_str (),
pAceSAMName->m_SAMAccountName.c_str (),
strPermission.c_str ());
}
else
{
FormatMessage (str, strid,
pAceSAMName->m_SAMAccountName.c_str (),
strPermission.c_str ());
}
MyWprintf (str.c_str ());
if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & INHERITED_ACE &&
(P_ALLOW == ptype || P_DENY == ptype) )
{
hr = PrintInheritedPermissionFromDN (pAceSAMName, accessMask, bIsAudit);
}
if ( _Module.DoTabDelimitedOutput () )
MyWprintf (L"\n");
}
}
else
hr = E_POINTER;
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: PrintPermission ()
//
// Purpose: Print a non-OBJECT_ACE_TYPE permission
//
// Inputs: pAceSAMName - structure containing the ACE whose permission we wish
// to print
//
// accessMask - the specific permission we're looking to print
//
// bAllow - whether the permission is allowed or denied
//
// strID - string to print
//
HRESULT PrintPermission (ACE_SAMNAME* pAceSAMName,
ACCESS_MASK accessMask,
P_TYPE ptype,
int strID,
bool bIsAudit,
P_WHO pWho,
PCWSTR pwszClassName)
{
HRESULT hr = S_OK;
if ( pAceSAMName )
{
wstring str;
wstring strPermission;
if ( pAceSAMName->m_pAllowedAce->Mask & accessMask )
{
LoadFromResource (strPermission, strID);
int id = 0;
switch (ptype)
{
case P_ALLOW:
if ( _Module.DoTabDelimitedOutput () )
id = IDS_ALLOW_CDO;
else
id = IDS_ALLOW;
break;
case P_DENY:
if ( _Module.DoTabDelimitedOutput () )
id = IDS_DENY_CDO;
else
id = IDS_DENY;
break;
case P_SUCCESS:
if ( _Module.DoTabDelimitedOutput () )
id = IDS_SUCCESS_CDO;
else
id = IDS_SUCCESS;
break;
case P_FAILURE:
if ( _Module.DoTabDelimitedOutput () )
id = IDS_FAILURE_CDO;
else
id = IDS_FAILURE;
break;
case P_SUCCESS_AND_FAILURE:
if ( _Module.DoTabDelimitedOutput () )
id = IDS_SUCCESS_AND_FAILURE_CDO;
else
id = IDS_SUCCESS_AND_FAILURE;
break;
default:
return E_UNEXPECTED;
}
if ( _Module.DoTabDelimitedOutput () )
{
wstring strObject;
switch ( pWho )
{
case P_THIS_OBJECT:
LoadFromResource (strObject, IDS_THIS_OBJECT);
break;
case P_ALL_OBJECTS:
LoadFromResource (strObject, IDS_ALL_SUBOBJECTS);
break;
case P_CLASS_OBJECT:
FormatMessage (strObject, IDS_CLASS_OBJECT, pwszClassName);
break;
}
FormatMessage (str, id,
strObject.c_str (),
pAceSAMName->m_SAMAccountName.c_str (),
strPermission.c_str ());
}
else
{
FormatMessage (str, id,
pAceSAMName->m_SAMAccountName.c_str (),
strPermission.c_str ());
}
MyWprintf (str.c_str ());
if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & INHERITED_ACE )
{
hr = PrintInheritedPermissionFromDN (pAceSAMName, accessMask, bIsAudit);
}
if ( _Module.DoTabDelimitedOutput () )
MyWprintf (L"\n");
}
}
else
hr = E_POINTER;
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// GetParentObjectDNWithSameACE ()
//
// This function is called recursively to try to find an ACE that matches the ACE
// contained in pAceSAMName somewhere in the parent container of the object pointed to
// by pPathName. Each iteration strips a leaf element off pPathName, gets its
// security descriptor and searches the Dacl list for the ACE. If a match is
// found, taking into account the INHERITED_ACE flag, we look to see if the
// INHERITED_ACE flag is set. If so, we call GetParentObjectDNWithSameACE () again.
// If not, we get the return the object name at this level.
//
HRESULT GetParentObjectDNWithSameACE (
IN ACE_SAMNAME* pAceSAMName,
IN IADsPathname* pPathName,
IN ACCESS_MASK accessMask,
OUT wstring& strParentDN,
bool bIsAudit)
{
_TRACE (1, L"Entering GetParentObjectDNWithSameACE\n");
HRESULT hr = pPathName->RemoveLeafElement ();
if ( SUCCEEDED (hr) )
{
BSTR bstrFullPath = 0;
hr = pPathName->Retrieve(ADS_FORMAT_X500, &bstrFullPath);
if ( SUCCEEDED (hr) )
{
if ( !wcscmp (bstrFullPath, L"LDAP://") )
return S_FALSE;
PSECURITY_DESCRIPTOR pSecurityDescriptor = 0;
bool bFound = false;
// Check to see if we already have this object's Security Descriptor
list<SAMNAME_SD*>::iterator sdItr = _Module.m_listOfParentSDs.begin ();
SAMNAME_SD* pCurrSAMNameSD = 0;
for (; sdItr != _Module.m_listOfParentSDs.end (); sdItr++)
{
pCurrSAMNameSD = *sdItr;
if ( !pCurrSAMNameSD->m_upn.compare (bstrFullPath) )
{
pSecurityDescriptor = pCurrSAMNameSD->m_pSecurityDescriptor;
bFound = true; // Note - pSecurityDescriptor could be NULL
// this is expected.
break;
}
}
// If we don't already have the SD for this object, get it and cache it.
if ( !bFound )
{
wstring objectDN (bstrFullPath);
hr = GetSecurityDescriptor (objectDN, &pSecurityDescriptor);
if ( SUCCEEDED (hr) )
{
pCurrSAMNameSD = new SAMNAME_SD (bstrFullPath, pSecurityDescriptor);
if ( pCurrSAMNameSD )
{
if ( pSecurityDescriptor )
{
hr = EnumerateDacl (pSecurityDescriptor, pCurrSAMNameSD->m_DACLList, false);
if ( SUCCEEDED (hr) )
hr = EnumerateSacl (pSecurityDescriptor, pCurrSAMNameSD->m_SACLList);
}
_Module.m_listOfParentSDs.push_back (pCurrSAMNameSD);
}
else
hr = E_OUTOFMEMORY;
}
}
if ( SUCCEEDED (hr) && pCurrSAMNameSD )
{
ACE_SAMNAME_LIST* pList = 0;
if ( bIsAudit )
pList = &pCurrSAMNameSD->m_SACLList;
else
pList = &pCurrSAMNameSD->m_DACLList;
ACE_SAMNAME_LIST::iterator itr = pList->begin ();
ACE_SAMNAME* pCurrSAMName = 0;
for (; itr != pList->end(); itr++)
{
pCurrSAMName = *itr;
if ( pCurrSAMName->IsEquivalent (*pAceSAMName,
accessMask) )
{
if ( pCurrSAMName->m_pAllowedAce->Header.AceFlags & INHERITED_ACE )
{
hr = GetParentObjectDNWithSameACE (
pAceSAMName,
pPathName,
accessMask,
strParentDN,
bIsAudit);
}
else
{
BSTR bstrDN = 0;
hr = pPathName->Retrieve(ADS_FORMAT_X500_DN, &bstrDN);
if ( SUCCEEDED (hr) )
{
strParentDN = bstrDN;
}
else
{
_TRACE (0, L"IADsPathname->Retrieve (): 0x%x\n", hr);
}
}
break;
}
}
}
SysFreeString (bstrFullPath);
}
else
{
_TRACE (0, L"IADsPathname->Retrieve (): 0x%x\n", hr);
}
}
if ( SUCCEEDED (hr) && S_FALSE != hr && !strParentDN.length () )
{
hr = GetParentObjectDNWithSameACE (pAceSAMName, pPathName, accessMask,
strParentDN, bIsAudit);
}
_TRACE (-1, L"Leaving GetParentObjectDNWithSameACE: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: PrintInheritedPermissionFromDN ()
//
// Purpose: Print a message indicating that a permission is inherited from
// another object plus that object's DN
//
// Inputs: pAceSAMName - structure containing the ACE whose permission we wish
// to print
//
// accessMask - the specific permission we're looking to print
//
HRESULT PrintInheritedPermissionFromDN (ACE_SAMNAME* pAceSAMName, ACCESS_MASK accessMask, bool bIsAudit)
{
_TRACE (1, L"Entering PrintInheritedPermissionFromDN\n");
HRESULT hr = S_OK;
if ( pAceSAMName )
{
CComPtr<IADsPathname> spPathname;
//
// Constructing the directory paths
//
hr = CoCreateInstance(
CLSID_Pathname,
NULL,
CLSCTX_ALL,
IID_IADsPathname,
(void**)&spPathname);
if ( SUCCEEDED (hr) )
{
ASSERT (!!spPathname);
hr = spPathname->Set (CComBSTR (ACLDIAG_LDAP), ADS_SETTYPE_PROVIDER);
if ( SUCCEEDED (hr) )
{
hr = spPathname->Set (CComBSTR (_Module.GetObjectDN ().c_str ()),
ADS_SETTYPE_DN);
if ( SUCCEEDED (hr) )
{
wstring str;
wstring strParentDN;
hr = GetParentObjectDNWithSameACE (pAceSAMName,
spPathname, accessMask, strParentDN, bIsAudit);
if ( SUCCEEDED (hr) )
{
if ( !strParentDN.length () )
{
if ( _Module.DoTabDelimitedOutput () )
{
LoadFromResource (str,
IDS_GENERATED_INHERITED_PERMISSION_CDO);
}
else
{
LoadFromResource (str,
IDS_GENERATED_INHERITED_PERMISSION);
}
}
else
{
if ( _Module.DoTabDelimitedOutput () )
{
FormatMessage (str, IDS_INHERITED_PERMISSION_CDO,
strParentDN.c_str ());
}
else
{
FormatMessage (str, IDS_INHERITED_PERMISSION,
strParentDN.c_str ());
}
}
MyWprintf (str.c_str ());
}
}
}
}
}
else
hr = E_POINTER;
_TRACE (-1, L"Leaving PrintInheritedPermissionFromDN: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: PrintInheritedPermissions ()
//
// Purpose: Print permissions that are inherited by subobjects
//
HRESULT PrintInheritedPermissions ()
{
_TRACE (1, L"Entering PrintInheritedPermissions\n");
HRESULT hr = S_OK;
ACE_SAMNAME_LIST::iterator aceItr = _Module.m_DACLList.begin ();
wstring str;
ACE_SAMNAME* pAceSAMName = 0;
list<GUID*> guidList;
if ( !_Module.DoTabDelimitedOutput () )
{
LoadFromResource (str, IDS_PERMISSIONS_INHERITED_BY_SUBOBJECTS);
MyWprintf (str.c_str ());
LoadFromResource (str, IDS_INHERIT_TO_ALL_SUBOBJECTS);
MyWprintf (str.c_str ());
}
// Second iteration: Each ACE which has CONTAINER_INHERIT is inherited to
// sub-objects.
// Several "subiterations" are done to categorize inherit ACEs to the
// subobject type they apply.
// First subiteration is for ACEs which are not object type or have
// InheritedObjectType = NULL. These apply to "All Subobjects". We'll gather
// the GUIDs of the InheritedObjectType's which are not NULL at this point to
// use in the subsequent iterations.
// Subsequent subiterations are for each unique InheritedObjectType
// present in the DACL.
for (aceItr = _Module.m_DACLList.begin(); aceItr != _Module.m_DACLList.end(); aceItr++)
{
pAceSAMName = *aceItr;
if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & CONTAINER_INHERIT_ACE )
{
switch (pAceSAMName->m_AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
hr = EnumeratePermissions (pAceSAMName, P_ALLOW, P_ALL_OBJECTS, L"");
break;
case ACCESS_DENIED_ACE_TYPE:
hr = EnumeratePermissions (pAceSAMName, P_DENY, P_ALL_OBJECTS, L"");
break;
case ACCESS_DENIED_OBJECT_ACE_TYPE:
if ( !(pAceSAMName->m_pDeniedObjectAce->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) &&
::IsEqualGUID (pAceSAMName->m_pDeniedObjectAce->ObjectType, NULLGUID) )
{
hr = EnumeratePermissions (pAceSAMName, P_DENY, P_ALL_OBJECTS, L"");
}
else
{
AddToInheritedObjectTypeGUIDList (guidList,
&(pAceSAMName->m_pDeniedObjectAce->ObjectType));
}
break;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
if ( !(pAceSAMName->m_pAllowedObjectAce->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) &&
::IsEqualGUID (pAceSAMName->m_pAllowedObjectAce->ObjectType, NULLGUID) )
{
hr = EnumeratePermissions (pAceSAMName, P_ALLOW, P_ALL_OBJECTS, L"");
}
else
{
AddToInheritedObjectTypeGUIDList (guidList,
&(pAceSAMName->m_pAllowedObjectAce->ObjectType));
}
break;
default:
break;
}
}
}
GUID* pGuid = 0;
wstring strClassName;
GUID_TYPE guidType;
for (list<GUID*>::iterator guidItr = guidList.begin ();
guidItr != guidList.end ();
guidItr++)
{
pGuid = *guidItr;
hr = _Module.GetClassFromGUID (*pGuid, strClassName, &guidType);
if ( SUCCEEDED (hr) && GUID_TYPE_CLASS == guidType )
{
if ( !_Module.DoTabDelimitedOutput () )
{
FormatMessage (str, IDS_INHERIT_TO_X_OBJECTS_ONLY, strClassName.c_str ());
MyWprintf (str.c_str ());
}
for (aceItr = _Module.m_DACLList.begin(); aceItr != _Module.m_DACLList.end(); aceItr++)
{
pAceSAMName = *aceItr;
if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & CONTAINER_INHERIT_ACE )
{
switch (pAceSAMName->m_AceType)
{
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
if ( ::IsEqualGUID (pAceSAMName->m_pAllowedObjectAce->ObjectType,
*pGuid) )
{
hr = EnumeratePermissions (pAceSAMName, P_ALLOW,
P_CLASS_OBJECT, strClassName.c_str ());
}
break;
case ACCESS_DENIED_OBJECT_ACE_TYPE:
if ( ::IsEqualGUID (pAceSAMName->m_pDeniedObjectAce->ObjectType,
*pGuid) )
{
hr = EnumeratePermissions (pAceSAMName, P_DENY,
P_CLASS_OBJECT, strClassName.c_str ());
}
break;
default:
break;
}
}
}
}
}
_TRACE (1, L"Entering PrintInheritedPermissions: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: AddToInheritedObjectTypeGUIDList ()
//
// Purpose: Add a GUID to a list. Ensure that it is unique.
//
// Inputs: guidList - list to which the GUID should be added
//
// pGuid - GUID to add to the list
//
void AddToInheritedObjectTypeGUIDList (list<GUID*>& guidList, GUID* pGuid)
{
// The guidList should only contain unique GUIDs. Verify that the one we
// wish to add is not already in the list.
if ( pGuid )
{
bool bFound = false;
GUID* pCurrGuid = 0;
list<GUID*>::iterator guidItr = guidList.begin();
for (; guidItr != guidList.end(); guidItr++)
{
pCurrGuid = *guidItr;
if ( ::IsEqualGUID (*pCurrGuid, *pGuid) )
{
bFound = true;
break;
}
}
if ( !bFound )
{
guidList.push_back (pGuid);
}
}
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: PrintAuditingInformation ()
//
// Purpose: Print auditing information from the SACL
//
HRESULT PrintAuditingInformation ()
{
_TRACE (1, L"Entering PrintAuditingInformation\n");
HRESULT hr = S_OK;
wstring str;
MyWprintf (L"\n\n");
SECURITY_DESCRIPTOR_CONTROL control;
DWORD dwRevision = 0;
if ( GetSecurityDescriptorControl (
_Module.m_pSecurityDescriptor,
&control,
&dwRevision) )
{
if ( !_Module.DoTabDelimitedOutput () && (control & SE_SACL_PROTECTED) )
{
wstring str;
LoadFromResource (str, IDS_CONFIG_NO_INHERIT);
MyWprintf (str.c_str ());
}
}
else
{
_TRACE (0, L"GetSecurityDescriptorControl () failed: 0x%x\n", GetLastError ());
}
hr = PrintEffectiveAuditing ();
if ( SUCCEEDED (hr) )
hr = PrintInheritedAuditing ();
_TRACE (-1, L"Leaving PrintAuditingInformation: 0x%x\n", hr);
return hr;
}
HRESULT PrintEffectiveAuditing ()
{
_TRACE (1, L"Entering PrintEffectiveAuditing\n");
HRESULT hr = S_OK;
ACE_SAMNAME_LIST::iterator itr = _Module.m_SACLList.begin ();
wstring str;
ACE_SAMNAME* pAceSAMName = 0;
if ( !_Module.DoTabDelimitedOutput () )
{
LoadFromResource (str, IDS_AUDITING_EFFECTIVE_ON_THIS_OBJECT);
MyWprintf (str.c_str ());
}
for (itr = _Module.m_SACLList.begin(); itr != _Module.m_SACLList.end(); itr++)
{
pAceSAMName = *itr;
if ( !(pAceSAMName->m_pAllowedAce->Header.AceFlags & INHERIT_ONLY_ACE) )
{
switch (pAceSAMName->m_AceType)
{
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
case SYSTEM_AUDIT_ACE_TYPE:
hr = EnumerateAudits (pAceSAMName, P_THIS_OBJECT, L"");
break;
default:
break;
}
}
}
_TRACE (-1, L"Leaving PrintEffectiveAuditing: 0x%x\n", hr);
return hr;
}
HRESULT EnumerateAudits (ACE_SAMNAME* pAceSAMName, P_WHO pWho, PCWSTR pwszClassName)
{
_TRACE (1, L"Entering EnumerateAudits\n");
HRESULT hr = S_OK;
P_TYPE ptype = P_UNASSIGNED;
BYTE byBoth = SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG;
if ( (pAceSAMName->m_pAllowedAce->Header.AceFlags & byBoth) == byBoth )
{
ptype = P_SUCCESS_AND_FAILURE;
}
else if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG )
ptype = P_SUCCESS;
else if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & FAILED_ACCESS_ACE_FLAG )
ptype = P_FAILURE;
else
return E_UNEXPECTED;
if ( pAceSAMName )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_CREATE_CHILD,
ptype,
IDS_CREATE_ALL_SUBOBJECTS,
IDS_CREATE_CLASS_OBJECTS,
pWho,
pwszClassName);
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_DELETE_CHILD,
ptype,
IDS_DELETE_ALL_SUBOBJECTS,
IDS_DELETE_CLASS_OBJECTS,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_READ_PROP,
ptype,
IDS_READ_ALL_PROPERTIES,
IDS_READ_PROPERTY_PROPERTY,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_WRITE_PROP,
ptype,
IDS_WRITE_ALL_PROPERTIES,
IDS_WRITE_PROPERTY_PROPERTY,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_LIST,
ptype,
IDS_LIST_CONTENTS, true,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_LIST_OBJECT,
ptype,
IDS_LIST_OBJECT, true,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
if ( pAceSAMName->m_pAllowedAce->Mask & ACTRL_DS_CONTROL_ACCESS )
hr = PrintPermission (pAceSAMName,
ACTRL_DS_CONTROL_ACCESS,
ptype,
IDS_ALL_CONTROL_ACCESSES,
IDS_CONTROL_ACCESS_DISPLAY_NAME,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DELETE,
ptype,
IDS_DELETE_THIS_OBJECT, true,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_READ_CONTROL,
ptype,
IDS_READ_PERMISSIONS, true,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_CHANGE_ACCESS,
ptype,
IDS_MODIFY_PERMISSIONS, true,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_CHANGE_OWNER,
ptype,
IDS_TAKE_CHANGE_OWNERSHIP, true,
pWho,
pwszClassName);
}
if ( SUCCEEDED (hr) )
{
hr = PrintPermission (pAceSAMName,
ACTRL_DS_SELF,
ptype,
IDS_MODIFY_MEMBERSHIP, true,
pWho,
pwszClassName);
}
}
else
hr = E_POINTER;
_TRACE (-1, L"Leaving EnumerateAudits: 0x%x\n", hr);
return hr;
}
///////////////////////////////////////////////////////////////////////////////
//
// Method: PrintInheritedAuditing ()
//
// Purpose: Print audits that are inherited to subobjects
//
HRESULT PrintInheritedAuditing ()
{
_TRACE (1, L"Entering PrintInheritedAuditing\n");
HRESULT hr = S_OK;
ACE_SAMNAME_LIST::iterator aceItr = _Module.m_SACLList.begin ();
wstring str;
ACE_SAMNAME* pAceSAMName = 0;
list<GUID*> guidList;
if ( !_Module.DoTabDelimitedOutput () )
{
LoadFromResource (str, IDS_AUDITING_INHERITED_TO_SUBOBJECTS);
MyWprintf (str.c_str ());
LoadFromResource (str, IDS_INHERIT_TO_ALL_SUBOBJECTS);
MyWprintf (str.c_str ());
}
// Second iteration: Each ACE which has CONTAINER_INHERIT is inherited to
// sub-objects.
// Several "subiterations" are done to categorize inherit ACEs to the
// subobject type they apply.
// First subiteration is for ACEs which are not object type or have
// InheritedObjectType = NULL. These apply to "All Subobjects". We'll gather
// the GUIDs of the InheritedObjectType's which are not NULL at this point to
// use in the subsequent iterations.
// Subsequent subiterations are for each unique InheritedObjectType
// present in the DACL.
for (aceItr = _Module.m_SACLList.begin(); aceItr != _Module.m_SACLList.end(); aceItr++)
{
pAceSAMName = *aceItr;
if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & CONTAINER_INHERIT_ACE )
{
switch (pAceSAMName->m_AceType)
{
case SYSTEM_AUDIT_ACE_TYPE:
hr = EnumerateAudits (pAceSAMName, P_ALL_OBJECTS, L"");
break;
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
if ( !(pAceSAMName->m_pSystemAuditObjectAce->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) &&
::IsEqualGUID (pAceSAMName->m_pSystemAuditObjectAce->ObjectType, NULLGUID) )
{
hr = EnumerateAudits (pAceSAMName, P_ALL_OBJECTS, L"");
}
else
{
AddToInheritedObjectTypeGUIDList (guidList,
&(pAceSAMName->m_pSystemAuditObjectAce->ObjectType));
}
break;
default:
break;
}
}
}
GUID* pGuid = 0;
wstring strClassName;
for (list<GUID*>::iterator guidItr = guidList.begin ();
guidItr != guidList.end ();
guidItr++)
{
pGuid = *guidItr;
hr = _Module.GetClassFromGUID (*pGuid, strClassName);
if ( SUCCEEDED (hr) )
{
if ( !_Module.DoTabDelimitedOutput () )
{
FormatMessage (str, IDS_INHERIT_TO_X_OBJECTS_ONLY, strClassName.c_str ());
MyWprintf (str.c_str ());
}
for (aceItr = _Module.m_SACLList.begin(); aceItr != _Module.m_SACLList.end(); aceItr++)
{
pAceSAMName = *aceItr;
if ( pAceSAMName->m_pAllowedAce->Header.AceFlags & CONTAINER_INHERIT_ACE )
{
switch (pAceSAMName->m_AceType)
{
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
if ( ::IsEqualGUID (pAceSAMName->m_pSystemAuditObjectAce->ObjectType,
*pGuid) )
{
hr = EnumerateAudits (pAceSAMName, P_CLASS_OBJECT, strClassName.c_str ());
}
break;
case SYSTEM_AUDIT_ACE_TYPE:
default:
break;
}
}
}
}
}
_TRACE (-1, L"Leaving PrintInheritedAuditing: 0x%x\n", hr);
return hr;
}
HRESULT GetControlDisplayName (REFGUID guid, wstring& strDisplayName)
{
HRESULT hr = S_OK;
wstring strGUID;
hr = wstringFromGUID (strGUID, guid);
if ( SUCCEEDED (hr) )
{
// strip braces from GUID
wstring strRightsGUID (strGUID.substr (1, strGUID.length () - 2));
hr = GetControlDisplayName (strRightsGUID, strDisplayName);
}
else
hr = E_INVALIDARG;
return hr;
}
// TODO: Optimize this by searching for all controls and putting them in an
// array like the classes and attributes
HRESULT GetControlDisplayName (const wstring strGuid, wstring& strDisplayName)
{
HRESULT hr = S_OK;
CComPtr<IADsPathname> spPathname;
//
// Constructing the directory paths
//
hr = CoCreateInstance(
CLSID_Pathname,
NULL,
CLSCTX_ALL,
IID_PPV_ARG (IADsPathname, &spPathname));
if ( SUCCEEDED (hr) )
{
ASSERT (!!spPathname);
hr = spPathname->Set(CComBSTR (ACLDIAG_LDAP), ADS_SETTYPE_PROVIDER);
if ( SUCCEEDED (hr) )
{
//
// Open the root DSE object
//
hr = spPathname->AddLeafElement(CComBSTR (ACLDIAG_ROOTDSE));
if ( SUCCEEDED (hr) )
{
BSTR bstrFullPath = 0;
hr = spPathname->Retrieve(ADS_FORMAT_X500, &bstrFullPath);
if ( SUCCEEDED (hr) )
{
CComPtr<IADs> spRootDSEObject;
VARIANT varNamingContext;
hr = ADsOpenObjectHelper(bstrFullPath,IID_IADs, 0,(void**)&spRootDSEObject);
if ( SUCCEEDED (hr) )
{
ASSERT (!!spRootDSEObject);
//
// Get the configuration naming context from the root DSE
//
hr = spRootDSEObject->Get(CComBSTR (ACLDIAG_CONFIG_NAMING_CONTEXT),
&varNamingContext);
if ( SUCCEEDED (hr) )
{
if ( V_VT (&varNamingContext) == VT_BSTR )
{
hr = spPathname->Set(V_BSTR(&varNamingContext),
ADS_SETTYPE_DN);
if ( SUCCEEDED (hr) )
{
hr = spPathname->AddLeafElement (CComBSTR (L"CN=Extended-Rights"));
if ( SUCCEEDED (hr) )
{
BSTR bstrFullPath1 = 0;
hr = spPathname->Retrieve(ADS_FORMAT_X500, &bstrFullPath1);
if ( SUCCEEDED (hr) )
{
CComPtr<IDirectoryObject> spExtRightsContObj;
hr = ADsOpenObjectHelper (bstrFullPath1,
IID_IDirectoryObject,
0,
(void**)&spExtRightsContObj);
if ( SUCCEEDED (hr) )
{
CComPtr<IDirectorySearch> spDsSearch;
hr = spExtRightsContObj->QueryInterface (IID_PPV_ARG(IDirectorySearch, &spDsSearch));
if ( SUCCEEDED (hr) )
{
ASSERT (!!spDsSearch);
ADS_SEARCHPREF_INFO pSearchPref[2];
DWORD dwNumPref = 2;
pSearchPref[0].dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
pSearchPref[0].vValue.dwType = ADSTYPE_INTEGER;
pSearchPref[0].vValue.Integer = ADS_SCOPE_ONELEVEL;
pSearchPref[1].dwSearchPref = ADS_SEARCHPREF_CHASE_REFERRALS;
pSearchPref[1].vValue.dwType = ADSTYPE_INTEGER;
pSearchPref[1].vValue.Integer = ADS_CHASE_REFERRALS_NEVER;
hr = spDsSearch->SetSearchPreference(
pSearchPref,
dwNumPref
);
if ( SUCCEEDED (hr) )
{
PWSTR rgszAttrList[] = {L"displayName"};
ADS_SEARCH_HANDLE hSearchHandle = 0;
DWORD dwNumAttributes = 1;
wstring strQuery;
ADS_SEARCH_COLUMN Column;
Column.pszAttrName = 0;
FormatMessage (strQuery,
L"rightsGUID=%1",
strGuid.c_str ());
hr = spDsSearch->ExecuteSearch(
const_cast <LPWSTR>(strQuery.c_str ()),
rgszAttrList,
dwNumAttributes,
&hSearchHandle
);
if ( SUCCEEDED (hr) )
{
hr = spDsSearch->GetFirstRow (hSearchHandle);
if ( SUCCEEDED (hr) )
{
while (hr != S_ADS_NOMORE_ROWS )
{
//
// Getting current row's information
//
hr = spDsSearch->GetColumn(
hSearchHandle,
rgszAttrList[0],
&Column
);
if ( SUCCEEDED (hr) )
{
strDisplayName = Column.pADsValues->CaseIgnoreString;
spDsSearch->FreeColumn (&Column);
Column.pszAttrName = NULL;
break;
}
else if ( hr != E_ADS_COLUMN_NOT_SET )
{
break;
}
else
{
_TRACE (0, L"IDirectorySearch::GetColumn (): 0x%x\n", hr);
}
}
}
else
{
_TRACE (0, L"IDirectorySearch::GetFirstRow (): 0x%x\n", hr);
}
if (Column.pszAttrName)
{
spDsSearch->FreeColumn(&Column);
}
spDsSearch->CloseSearchHandle(hSearchHandle);
}
else
{
_TRACE (0, L"IDirectorySearch::ExecuteSearch (): 0x%x\n", hr);
hr = S_OK;
}
}
else
{
_TRACE (0, L"IDirectorySearch::SetSearchPreference (): 0x%x\n", hr);
}
}
else
{
_TRACE (0, L"IDirectoryObject::QueryInterface (IDirectorySearch): 0x%x\n", hr);
}
}
else
{
_TRACE (0, L"ADsOpenObjectHelper (%s): 0x%x\n", bstrFullPath1, hr);
}
}
else
{
_TRACE (0, L"IADsPathname->Retrieve (): 0x%x\n", hr);
}
}
else
{
_TRACE (0, L"IADsPathname->AddLeafElement (%s): 0x%x\n",
L"CN=Extended-Rights", hr);
}
}
else
{
_TRACE (0, L"IADsPathname->Set (): 0x%x\n", V_BSTR(&varNamingContext), hr);
}
}
else
hr = E_FAIL;
}
else
{
_TRACE (0, L"IADs->Get (%s): 0x%x\n", ACLDIAG_CONFIG_NAMING_CONTEXT, hr);
}
}
else
{
_TRACE (0, L"ADsOpenObjectHelper (%s): 0x%x\n", bstrFullPath, hr);
}
}
else
{
_TRACE (0, L"IADsPathname->Retrieve (): 0x%x\n", hr);
}
}
else
{
_TRACE (0, L"IADsPathname->AddLeafElement (%s): 0x%x\n", ACLDIAG_ROOTDSE, hr);
}
}
else
{
_TRACE (0, L"IADsPathname->Set (%s): 0x%x\n", ACLDIAG_LDAP, hr);
}
}
else
{
_TRACE (0, L"CoCreateInstance(CLSID_Pathname): 0x%x\n", hr);
}
return hr;
}