archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
3.8 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/services/ca/certsrv/callback.cpp

499 lines
12 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+--------------------------------------------------------------------------
  2. // File: callback.cpp
  3. // Contents: access check callback
  4. //---------------------------------------------------------------------------
  5. #include <pch.cpp>
  6. #pragma hdrstop
  7. #include "csext.h"
  8. #include "certsd.h"
  9. #include <winldap.h>
  10. #include <limits.h>
  11. #include "csprop.h"
  12. #include "sid.h"
  13. #include <authzi.h>
  15. namespace CertSrv
  16. {
  18. HRESULT GetAccountSid(
  19. IN LPWSTR pwszName,
  20. PSID *ppSid)
  21. {
  22. HRESULT hr = S_OK;
  23. DWORD cbSid = 0;
  24. DWORD cbDomainName = 0;
  25. SID_NAME_USE use;
  26. LPWSTR pwszDomainName = NULL;
  28. *ppSid = NULL;
  30. if(!pwszName || L'\0'== pwszName[0])
  31. {
  32. hr = GetEveryoneSID(ppSid);
  33. _JumpIfError(hr, error, "GetEveryoneSID");
  34. }
  35. else
  36. {
  38. LookupAccountName(
  39. NULL,
  40. pwszName,
  41. NULL,
  42. &cbSid,
  43. NULL,
  44. &cbDomainName,
  45. &use);
  47. if(ERROR_INSUFFICIENT_BUFFER != GetLastError())
  48. {
  49. hr = myHError(GetLastError());
  50. _JumpError(hr, error, "LookupAccountName");
  51. }
  53. *ppSid = (PSID)LocalAlloc(LMEM_FIXED, cbSid);
  54. if(!*ppSid)
  55. {
  56. hr = E_OUTOFMEMORY;
  57. _JumpError(hr, error, "LocalAlloc");
  58. }
  60. pwszDomainName = (LPWSTR)LocalAlloc(LMEM_FIXED,
  61. cbDomainName*sizeof(WCHAR));
  62. if(!pwszDomainName)
  63. {
  64. hr = E_OUTOFMEMORY;
  65. _JumpError(hr, error, "LocalAlloc");
  66. }
  68. if(!LookupAccountName(
  69. NULL,
  70. pwszName,
  71. *ppSid,
  72. &cbSid,
  73. pwszDomainName,
  74. &cbDomainName,
  75. &use))
  76. {
  77. hr = myHError(GetLastError());
  78. _JumpError(hr, error, "LookupAccountName");
  79. }
  80. }
  82. hr = S_OK;
  84. error:
  85. if(S_OK!=hr)
  86. {
  87. if(*ppSid)
  88. {
  89. LocalFree(*ppSid);
  90. }
  91. if(pwszDomainName)
  92. {
  93. LocalFree(pwszDomainName);
  94. }
  95. }
  96. return hr;
  97. }
  99. BOOL
  100. CallbackAccessCheck(
  101. IN AUTHZ_CLIENT_CONTEXT_HANDLE pAuthzClientContext,
  102. IN PACE_HEADER pAce,
  103. IN PVOID pArgs OPTIONAL,
  104. IN OUT PBOOL pbAceApplicable)
  105. {
  106. HRESULT hr = S_OK;
  107. LPWSTR pwszSamName = (LPWSTR)pArgs;// requester name is passed in to
  108. // AuthzAccessCheck in NT4 style form
  109. // "DomainNetbiosName\RequesterSAMName"
  110. PSID pSid = NULL, pClientSid = NULL, pCallerSid = NULL;
  111. PSID pEveryoneSid = NULL;
  112. PTOKEN_GROUPS pGroups = NULL;
  113. ACCESS_ALLOWED_CALLBACK_ACE* pCallbackAce =
  114. (ACCESS_ALLOWED_CALLBACK_ACE*)pAce;
  115. PSID_LIST pSidList = (PSID_LIST) (((BYTE*)&pCallbackAce->SidStart)+
  116. GetLengthSid(&pCallbackAce->SidStart));
  117. DWORD cSids, cClientSids;
  119. CSASSERT(
  120. ACCESS_ALLOWED_CALLBACK_ACE_TYPE == pAce->AceType ||
  121. ACCESS_DENIED_CALLBACK_ACE_TYPE == pAce->AceType);
  123. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  125. SetLastError(ERROR_SUCCESS);
  127. // get the SID for the requester
  128. hr = GetAccountSid(pwszSamName, &pCallerSid);
  130. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  132. if(HRESULT_FROM_WIN32(ERROR_NONE_MAPPED)==hr)
  133. {
  134. // if name cannot be resolved, default to Everyone
  135. DWORD dwSize = sizeof(TOKEN_GROUPS);
  136. pGroups = (PTOKEN_GROUPS)LocalAlloc(LMEM_FIXED, sizeof(TOKEN_GROUPS));
  137. if(!pGroups)
  138. {
  139. hr = E_OUTOFMEMORY;
  140. _JumpError(hr, error, "LocalAlloc");
  141. }
  143. hr = GetEveryoneSID(&pEveryoneSid);
  144. _JumpIfError(hr, error, "GetEveryoneSID");
  146. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  148. pGroups->GroupCount=1;
  149. pGroups->Groups[0].Sid = pEveryoneSid;
  150. pGroups->Groups[0].Attributes = 0;
  151. }
  152. else
  153. {
  154. _JumpIfError(hr, error, "GetAccountSid");
  156. // get the list of groups this SID is member of
  157. hr = GetMembership(g_AuthzCertSrvRM, pCallerSid, &pGroups);
  158. _JumpIfError(hr, error, "GetMembership");
  159. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  160. }
  162. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  164. // traverse the SID list stored in the ACE and compare with the
  165. // client's membership
  166. for(pSid=(PSID)&pSidList->SidListStart, cSids=0; cSids<pSidList->dwSidCount;
  167. cSids++, pSid = (PSID)(((BYTE*)pSid)+GetLengthSid(pSid)))
  168. {
  169. CSASSERT(IsValidSid(pSid));
  171. // group membership doesn't include the user itself, so
  172. // compare with the user first
  173. if(pCallerSid && EqualSid(pSid, pCallerSid))
  174. {
  175. *pbAceApplicable = TRUE;
  176. goto error;
  177. }
  179. for(cClientSids=0; cClientSids<pGroups->GroupCount; cClientSids++)
  180. {
  181. pClientSid = pGroups->Groups[cClientSids].Sid;
  182. CSASSERT(IsValidSid(pClientSid));
  183. if(EqualSid(pSid, pClientSid))
  184. {
  185. *pbAceApplicable = TRUE;
  186. goto error;
  187. }
  188. }
  189. }
  191. *pbAceApplicable = FALSE;
  193. error:
  195. CSASSERT(HeapValidate(GetProcessHeap(),0,NULL));
  197. if(pEveryoneSid)
  198. {
  199. LocalFree(pEveryoneSid);
  200. }
  201. if(pCallerSid)
  202. {
  203. LocalFree(pCallerSid);
  204. }
  205. if(pGroups)
  206. {
  207. LocalFree(pGroups);
  208. }
  209. if(S_OK==hr)
  210. {
  211. return TRUE;
  212. }
  213. else
  214. {
  215. SetLastError(HRESULT_CODE(hr));
  216. return FALSE;
  217. }
  219. }
  222. HRESULT GetMembership(
  223. IN AUTHZ_RESOURCE_MANAGER_HANDLE AuthzRM,
  224. IN PSID pSid,
  225. PTOKEN_GROUPS *ppGroups)
  226. {
  227. HRESULT hr = S_OK;
  228. static LUID luid = {0,0};
  229. AUTHZ_CLIENT_CONTEXT_HANDLE AuthzCC = NULL;
  230. DWORD dwSizeRequired;
  232. *ppGroups = NULL;
  234. if(!AuthzInitializeContextFromSid(
  235. 0,
  236. pSid,
  237. AuthzRM,
  238. NULL,
  239. luid, //ignored
  240. NULL,
  241. &AuthzCC))
  242. {
  243. hr = myHError(GetLastError());
  244. _JumpError(hr, error, "AuthzInitializeContextFromSid");
  245. }
  247. if(!AuthzGetInformationFromContext(
  248. AuthzCC,
  249. AuthzContextInfoGroupsSids,
  250. 0,
  251. &dwSizeRequired,
  252. NULL))
  253. {
  254. if(ERROR_INSUFFICIENT_BUFFER!=GetLastError())
  255. {
  256. hr = myHError(GetLastError());
  257. _JumpError(hr, error, "AuthzGetContextInformation");
  258. }
  259. }
  261. *ppGroups = (PTOKEN_GROUPS)LocalAlloc(LMEM_FIXED, dwSizeRequired);
  262. if(!*ppGroups)
  263. {
  264. hr = E_OUTOFMEMORY;
  265. _JumpError(hr, error, "LocalAlloc");
  266. }
  268. if(!AuthzGetInformationFromContext(
  269. AuthzCC,
  270. AuthzContextInfoGroupsSids,
  271. dwSizeRequired,
  272. &dwSizeRequired,
  273. *ppGroups))
  274. {
  275. hr = myHError(GetLastError());
  276. _JumpError(hr, error, "AuthzGetContextInformation");
  277. }
  279. error:
  280. if(AuthzCC)
  281. {
  282. AuthzFreeContext(AuthzCC);
  283. }
  284. if(S_OK!=hr && *ppGroups)
  285. {
  286. LocalFree(*ppGroups);
  287. }
  288. return hr;
  289. }
  291. HRESULT GetRequesterName(DWORD dwRequestId, LPWSTR *ppwszName)
  292. {
  293. HRESULT hr = S_OK;
  294. ICertDBRow *prow = NULL;
  296. hr = g_pCertDB->OpenRow(
  297. PROPOPEN_READONLY | PROPTABLE_REQCERT,
  298. dwRequestId,
  299. NULL,
  300. &prow);
  301. _JumpIfError(hr, error, "OpenRow");
  303. hr = PKCSGetProperty(
  304. prow,
  305. g_wszPropRequesterName,
  306. PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST,
  307. NULL,
  308. (BYTE **) ppwszName);
  309. _JumpIfError(hr, error, "PKCSGetProperty");
  311. error:
  312. if(prow)
  313. {
  314. prow->Release();
  315. }
  316. return hr;
  317. }
  319. HRESULT CheckOfficerRights(DWORD dwRequestID, CAuditEvent& event)
  320. {
  321. HRESULT hr = S_OK;
  322. LPWSTR pwszRequesterName = NULL;
  324. // officer rights disabled means every officer is allowed to manage requests
  325. // for everyone, so return ok
  326. if(!g_OfficerRightsSD.IsEnabled())
  327. return S_OK;
  329. hr = GetRequesterName(dwRequestID, &pwszRequesterName);
  330. if(CERTSRV_E_PROPERTY_EMPTY!=hr &&
  331. S_OK != hr)
  332. {
  333. _JumpError(hr, error, "GetRequesterName");
  334. }
  336. hr = CheckOfficerRights(pwszRequesterName, event);
  338. error:
  339. if(pwszRequesterName)
  340. {
  341. LocalFree(pwszRequesterName);
  342. }
  343. return hr;
  344. }
  346. // Verify if impersonated user has the rights over the specified request,
  347. // based on the officer rights defined in the global officer SD and the
  348. // requester name stored in the request
  349. // Return S_OK if allowed or if the officer rights feature is disabled
  350. // E_ACCESSDENIED if not allowed
  351. // E_* if failed to check the rights
  352. HRESULT CheckOfficerRights(LPCWSTR pwszRequesterName, CAuditEvent& event)
  353. {
  354. HRESULT hr = S_OK;
  355. IServerSecurity *pISS = NULL;
  356. HANDLE hThread = NULL;
  357. HANDLE hToken = NULL;
  358. PSECURITY_DESCRIPTOR pOfficerSD = NULL;
  359. static LUID luid = {0,0};
  360. AUTHZ_CLIENT_CONTEXT_HANDLE AuthzCC = NULL;
  361. AUTHZ_ACCESS_REQUEST AuthzRequest;
  362. AUTHZ_ACCESS_REPLY AuthzReply;
  363. ACCESS_MASK GrantedMask;
  364. DWORD dwError = 0;
  365. DWORD dwSaclEval = 0;
  366. bool fImpersonating = false;
  368. // officer rights disabled means every officer is allowed to manage requests
  369. // for everyone, so return ok
  370. if(!g_OfficerRightsSD.IsEnabled())
  371. return S_OK;
  373. hr = CoGetCallContext(IID_IServerSecurity, (void**)&pISS);
  374. _JumpIfError(hr, error, "CoGetCallContext");
  376. if (!pISS->IsImpersonating())
  377. {
  378. hr = pISS->ImpersonateClient();
  379. _JumpIfError(hr, error, "ImpersonateClient");
  380. }
  381. else
  382. {
  383. pISS->Release();
  384. pISS = NULL;
  385. }
  387. hThread = GetCurrentThread();
  388. if (NULL == hThread)
  389. {
  390. hr = myHLastError();
  391. _JumpIfError(hr, error, "GetCurrentThread");
  392. }
  393. if (!OpenThreadToken(hThread,
  394. TOKEN_QUERY,
  395. FALSE, // client impersonation
  396. &hToken))
  397. {
  398. hr = myHLastError();
  399. _JumpIfError(hr, error, "OpenThreadToken");
  400. }
  402. if(!AuthzInitializeContextFromToken(
  403. 0,
  404. hToken,
  405. g_AuthzCertSrvRM,
  406. NULL,
  407. luid,
  408. NULL,
  409. &AuthzCC))
  410. {
  411. hr = myHLastError();
  412. _JumpError(hr, error, "AuthzInitializeContextFromToken");
  413. }
  415. CloseHandle(hToken);
  416. hToken = NULL;
  418. if(pISS) // impersonating
  419. {
  420. pISS->RevertToSelf();
  421. pISS->Release();
  422. pISS = NULL;
  423. }
  425. AuthzRequest.DesiredAccess = DELETE;
  426. AuthzRequest.PrincipalSelfSid = NULL;
  427. AuthzRequest.ObjectTypeList = NULL;
  428. AuthzRequest.ObjectTypeListLength = 0;
  430. AuthzRequest.OptionalArguments = (void*)pwszRequesterName;
  432. AuthzReply.ResultListLength = 1;
  433. AuthzReply.GrantedAccessMask = &GrantedMask;
  434. AuthzReply.Error = &dwError;
  435. AuthzReply.SaclEvaluationResults = &dwSaclEval;
  438. hr = g_OfficerRightsSD.LockGet(&pOfficerSD);
  439. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::LockGet");
  441. CSASSERT(IsValidSecurityDescriptor(pOfficerSD));
  443. if(!AuthzAccessCheck(
  444. 0,
  445. AuthzCC,
  446. &AuthzRequest,
  447. NULL, //no audit
  448. pOfficerSD,
  449. NULL,
  450. 0,
  451. &AuthzReply,
  452. NULL))
  453. {
  454. hr = myHLastError();
  455. _JumpError(hr, error, "AuthzAccessCheck");
  456. }
  458. hr = AuthzReply.Error[0]==ERROR_SUCCESS?S_OK:CERTSRV_E_RESTRICTEDOFFICER;
  460. error:
  462. if(AuthzCC)
  463. {
  464. AuthzFreeContext(AuthzCC);
  465. }
  466. if(pOfficerSD)
  467. {
  468. g_OfficerRightsSD.Unlock();
  469. }
  470. if (NULL != hThread)
  471. {
  472. CloseHandle(hThread);
  473. }
  475. if (NULL != hToken)
  476. {
  477. CloseHandle(hToken);
  478. }
  479. if (NULL != pISS)
  480. {
  481. pISS->RevertToSelf();
  482. pISS->Release();
  483. }
  485. // generate a failure audit event if restricted officer
  486. if(CERTSRV_E_RESTRICTEDOFFICER==hr)
  487. {
  488. HRESULT hrtemp = event.AccessCheck(
  489. CA_ACCESS_DENIED,
  490. event.m_gcNoAuditSuccess);
  492. if(S_OK!=hrtemp && E_ACCESSDENIED!=hrtemp)
  493. hr = hrtemp;
  494. }
  496. return hr;
  497. }
  499. } // namespace CertSrv