Source code of Windows XP (NT5)


  1. /************************************************************************
  2. Copyright (c) 2000 - 2000 Microsoft Corporation
  3. Module Name :
  4. csd.h
  5. Abstract :
  6. Header file for SID and SECURITY_DESCRIPTOR abstraction.
  7. Author :
  8. Revision History :
  9. ***********************************************************************/
  10. #pragma once
  11. #include "qmgrlib.h"
  // Writes a BOOL result for 'sid' through pGroup and returns an HRESULT.
  // NOTE(review): presumably *pGroup is TRUE when the SID names a group
  // rather than a single user - confirm against the implementation.
  HRESULT
  IsGroupSid(
      PSID sid,
      BOOL * pGroup
      );

  // Returns a PSID derived from 'Token'.
  // CNestedImpersonation::CopySid() stores the result in a SidHandle.
  // NOTE(review): the failure return (NULL?) and which routine frees the SID
  // are not visible in this header - confirm before using the result directly.
  PSID
  CopyTokenSid(
      HANDLE Token
      );

  // Returns a token handle for the current thread; throws ComError on failure.
  // The caller owns the handle: CSaveThreadToken closes it with CloseHandle()
  // and tests for NULL first, so a NULL return appears to be possible
  // (presumably when the thread is not impersonating - confirm).
  HANDLE CopyThreadToken() throw( ComError );
  22. //------------------------------------------------------------------------
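  class CSaveThreadToken
  /*
      A simple class to save and restore the active thread token.
      This allows code to impersonate other users without having to save
      and restore the old token.

      The constructor throws a ComError if it cannot copy the previous thread token.

      The object owns m_SavedToken and closes it in the destructor.  A copy of
      the object would restore and close the same handle a second time, so the
      copy constructor and assignment operator are declared private and left
      undefined.
  */
  {
  public:

      CSaveThreadToken() throw( ComError )
          : m_SavedToken( CopyThreadToken() )
      {
      }

      ~CSaveThreadToken()
      {
          // Put the saved token back on the current thread (NULL thread handle).
          // When m_SavedToken is NULL this clears any impersonation token.
          //
          // NOTE(review): RTL_VERIFY presumably asserts only in checked builds -
          // confirm.  If so, a failed restore in a free build is not reported and
          // the thread keeps the identity it had inside the scope.  Consider
          // logging or failing fast here; a destructor cannot throw.
          RTL_VERIFY( SetThreadToken( NULL, m_SavedToken ));

          if (m_SavedToken)
              {
              RTL_VERIFY(CloseHandle( m_SavedToken ));
              }
      }

  protected:

      // Token that was active on the thread at construction; owned by this object.
      HANDLE m_SavedToken;

  private:

      // Not implemented: copying would close m_SavedToken twice.
      CSaveThreadToken( const CSaveThreadToken & );
      CSaveThreadToken & operator=( const CSaveThreadToken & );
  };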
  47. //------------------------------------------------------------------------
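  class CNestedImpersonation : protected CSaveThreadToken
  /*
      A class to impersonate a user.  It saves the old impersonation token, if any,
      during the constructor and restores it in the destructor.

      Revert() restores the old thread token, unlike RevertToSelf() which
      stops impersonating entirely.

      Most member functions throw a ComError exception if an error occurs.

      The destructor closes m_ImpersonationToken when m_fDeleteToken is set, so a
      copy of the object would close the same handle twice.  The copy constructor
      and assignment operator are declared private and left undefined.
  */
  {
  public:

      //
      // Impersonate the COM client, using CoImpersonateClient.
      //
      CNestedImpersonation() throw( ComError );

      //
      // Impersonate a particular token.  The token must remain valid for the object's lifetime.
      //
      CNestedImpersonation( HANDLE token ) throw( ComError );

      //
      // Impersonate a logged-on user by SID.  g_Manager must be initialized for this to work.
      //
      CNestedImpersonation( SidHandle sid ) throw( ComError );

      //
      // This is for use with the COM-client constructor.  COM defaults to IDENTIFY-level
      // impersonation, but some of our code requires IMPERSONATE level.  This function
      // gets the COM client's SID and finds a matching token in our logged-on-users list.
      // This becomes the new impersonation token.
      //
      void SwitchToLogonToken() throw( ComError );

      //
      // The destructor restores the previous impersonation context, then closes
      // the impersonation token if this object owns it.
      //
      ~CNestedImpersonation()
      {
          Revert();

          if (m_ImpersonationToken && m_fDeleteToken)
              {
              CloseHandle( m_ImpersonationToken );
              }
      }

      //
      // Impersonates the new token.  Does nothing if already impersonating.
      // Throws ComError carrying the Win32 error if the impersonation call fails,
      // in which case m_fImpersonated stays false.
      //
      void Impersonate() throw( ComError )
      {
          if (m_fImpersonated)
              {
              return;
              }

          if (!ImpersonateLoggedOnUser( m_ImpersonationToken ))
              {
              throw ComError( HRESULT_FROM_WIN32( GetLastError() ) );
              }

          m_fImpersonated = true;
      }

      //
      // Restores the old impersonation context.  Does nothing if not impersonating.
      //
      // NOTE(review): m_fImpersonated is cleared whether or not SetThreadToken
      // succeeds, and RTL_VERIFY presumably asserts only in checked builds -
      // confirm.  If the call fails in a free build, the thread keeps the
      // impersonated identity while this object reports it as reverted.
      //
      void Revert()
      {
          if (m_fImpersonated)
              {
              RTL_VERIFY( SetThreadToken( NULL, m_SavedToken ));
              m_fImpersonated = false;
              }
      }

      //
      // Returns a copy of the SID associated with the impersonation token.
      // The SID is read from the token on the first call and cached in m_Sid.
      //
      SidHandle CopySid() throw( ComError )
      {
          if (m_Sid.get() == NULL)
              {
              m_Sid = CopyTokenSid( m_ImpersonationToken );
              }

          return m_Sid;
      }

      //
      // Returns the original impersonation token.  Not a copy !
      // The caller must not close it: the destructor closes it when
      // m_fDeleteToken is set.
      //
      HANDLE QueryToken()
      {
          return m_ImpersonationToken;
      }

      //
      // Gets the Terminal Services session ID.
      //
      DWORD GetSession() throw( ComError );

  protected:

      // None of these members is initialized in this header; the constructors
      // (defined elsewhere) are presumably responsible - confirm.

      bool            m_fDeleteToken;         // true => destructor closes m_ImpersonationToken
      bool            m_fImpersonated;        // true between Impersonate() and Revert()
      HANDLE          m_ImpersonationToken;   // token passed to ImpersonateLoggedOnUser
      SidHandle       m_Sid;                  // cached result of CopySid()

  private:

      // Not implemented: copying would close m_ImpersonationToken twice.
      CNestedImpersonation( const CNestedImpersonation & );
      CNestedImpersonation & operator=( const CNestedImpersonation & );
  };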
  139. //------------------------------------------------------------------------
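  class CJobSecurityDescriptor
  /*
      Wraps a SECURITY_DESCRIPTOR together with its owner SID, group SID and DACL.
      ACEs are added and removed by SID; a token can be checked against the
      descriptor; the descriptor can be written to and read from a file handle.

      NOTE(review): the class holds raw m_sd / m_Dacl pointers and offers Clone(),
      but the implicit copy constructor and assignment operator are still
      available.  If the destructor frees those pointers (not visible here),
      an accidental copy would free them twice - confirm and consider disabling
      copying.
  */
  {
  public:

      CJobSecurityDescriptor( SidHandle sid );

      ~CJobSecurityDescriptor();

      // Produces a separate descriptor object through the out parameter.
      HRESULT Clone( CJobSecurityDescriptor ** );

      // Adds an ACE for 'sid' with the given access mask.
      // Forwards to _ModifyAcl with fAdd = TRUE.
      inline HRESULT
      AddAce(
          PSID sid,
          BOOL fGroupSid,
          DWORD access
          );

      // Removes the ACE for 'sid'.
      // Forwards to _ModifyAcl with access = 0 and fAdd = FALSE.
      inline HRESULT
      RemoveAce(
          PSID sid,
          BOOL fGroupSid
          );

      // Checks hToken against this descriptor for RequestedAccess.
      // NOTE(review): presumably *pAllowedAccess receives the granted mask and
      // *pSuccess the outcome of the check, with the HRESULT reporting whether
      // the check itself could run - confirm.  Callers should test both the
      // HRESULT and *pSuccess before granting access.
      HRESULT
      CheckTokenAccess(
          HANDLE hToken,
          DWORD RequestedAccess,
          DWORD * pAllowedAccess,
          BOOL * pSuccess
          );

      inline SidHandle GetOwnerSid()
      {
          return m_sdOwnerSid;
      }

      // Writes the descriptor to hFile.
      HRESULT Serialize( HANDLE hFile );

      // Builds a descriptor from data read from hFile.
      // NOTE(review): the persisted descriptor later drives access decisions, so
      // the implementation (not shown) should validate what it reads and the
      // file should be writable only by the service - confirm.
      static CJobSecurityDescriptor * Unserialize( HANDLE hFile );

  private:

      // Shared worker for AddAce / RemoveAce.
      // Declared without the redundant "CJobSecurityDescriptor::" qualifier:
      // a qualified name on an in-class member declaration is rejected by
      // conforming compilers.
      HRESULT
      _ModifyAcl(
          PSID sid,
          BOOL fGroupSid,
          DWORD access,
          BOOL  fAdd
          );

      // Private constructor taking the descriptor parts directly.
      CJobSecurityDescriptor( PSECURITY_DESCRIPTOR pSD,
                              SidHandle owner,
                              SidHandle group,
                              PACL pAcl
                              );

      PSECURITY_DESCRIPTOR    m_sd;
      SidHandle               m_sdOwnerSid;
      SidHandle               m_sdGroupSid;
      PACL                    m_Dacl;

      // Generic-to-specific rights mapping shared by all instances;
      // presumably used by CheckTokenAccess - confirm.
      static GENERIC_MAPPING  s_AccessMapping;
  };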
  // Adds an ACE for 'sid' with the given access mask by forwarding to
  // _ModifyAcl in "add" mode.  Returns whatever _ModifyAcl returns.
  inline HRESULT
  CJobSecurityDescriptor::AddAce( PSID sid, BOOL fGroupSid, DWORD access )
  {
      const BOOL fAdd = TRUE;

      return _ModifyAcl( sid, fGroupSid, access, fAdd );
  }
  // Removes the ACE for 'sid' by forwarding to _ModifyAcl in "remove" mode.
  // The access mask is passed as 0.  Returns whatever _ModifyAcl returns.
  inline HRESULT
  CJobSecurityDescriptor::RemoveAce( PSID sid, BOOL fGroupSid )
  {
      const DWORD noAccess = 0;
      const BOOL  fAdd     = FALSE;

      return _ModifyAcl( sid, fGroupSid, noAccess, fAdd );
  }
  // Checks the client against the group SID in 'group' and returns an HRESULT.
  // NOTE(review): presumably tests whether the current COM client is a member
  // of the group.  How "not a member" is told apart from a failure of the
  // check is not visible in this header - confirm before using the result in
  // an access decision.
  HRESULT
  CheckClientGroupMembership(
      SidHandle group
      );