archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/services/ca/certmmc/officer.cpp

475 lines
12 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+--------------------------------------------------------------------------
  2. // File: officer.cpp
  3. // Contents: officer rights implementation
  4. //---------------------------------------------------------------------------
  5. #include <stdafx.h>
  6. #include "officer.h"
  7. #include "certsd.h"
  9. using namespace CertSrv;
  11. static const DEFAULT_USERNAME_SIZE = 256;
  13. CClientPermission::CClientPermission(BOOL fAllow, PSID pSid) :
  14. m_fAllow(fAllow),
  15. m_Sid(pSid)
  16. {}
  18. HRESULT COfficerRights::Add(PSID pSid, BOOL fAllow)
  19. {
  20. HRESULT hr = S_OK;
  21. CClientPermission* pClient = new CClientPermission(fAllow, pSid);
  23. if(!CClientPermission::IsInitialized(pClient) ||
  24. !m_List.AddTail(pClient))
  25. {
  26. hr = E_OUTOFMEMORY;
  27. _JumpError(hr, error, "");
  28. }
  30. error:
  31. if(S_OK!=hr)
  32. delete pClient;
  33. return hr;
  34. }
  36. HRESULT COfficerRights::Init(PACCESS_ALLOWED_CALLBACK_ACE pAce)
  37. {
  38. HRESULT hr = S_OK;
  40. // no object reuse
  41. CSASSERT(!m_pSid);
  42. CSASSERT(m_List.IsEmpty());
  44. CSASSERT(IsValidSid((PSID)(&pAce->SidStart)));
  45. m_pSid = new CSid((PSID)(&pAce->SidStart));
  46. if(!m_pSid)
  47. {
  48. hr = E_OUTOFMEMORY;
  49. _JumpError(hr, error, "new CSid");
  50. }
  52. hr = AddSidList(pAce);
  53. _JumpIfError(hr, error, "COfficerRights::AddSidList");
  55. error:
  56. if(S_OK!=hr)
  57. {
  58. Cleanup();
  59. }
  60. return hr;
  61. }
  63. HRESULT COfficerRights::AddSidList(PACCESS_ALLOWED_CALLBACK_ACE pAce)
  64. {
  65. HRESULT hr = S_OK;
  66. PSID pSid;
  67. DWORD cSids;
  68. PSID_LIST pSidList = (PSID_LIST) (((BYTE*)&pAce->SidStart)+
  69. GetLengthSid(&pAce->SidStart));
  71. CSASSERT(EqualSid((PSID)&pAce->SidStart, GetSid()));
  73. for(pSid=(PSID)&pSidList->SidListStart, cSids=0;
  74. cSids<pSidList->dwSidCount;
  75. cSids++, pSid = (PSID)(((BYTE*)pSid)+GetLengthSid(pSid)))
  76. {
  77. hr = Add(pSid, ACCESS_ALLOWED_CALLBACK_ACE_TYPE==pAce->Header.AceType);
  78. _JumpIfError(hr, error, "COfficerRights::Add");
  79. }
  81. error:
  82. return hr;
  83. }
  85. COfficerRightsList::~COfficerRightsList()
  86. {
  87. Cleanup();
  88. }
  91. HRESULT COfficerRightsList::Load(PSECURITY_DESCRIPTOR pSD)
  92. {
  93. HRESULT hr = S_OK;
  94. PACL pAcl; // no free
  95. ACL_SIZE_INFORMATION AclInfo;
  96. PACCESS_ALLOWED_CALLBACK_ACE pAce;
  97. DWORD cAce;
  98. COfficerRights *pOfficerRights = NULL;
  99. DWORD cList;
  100. COfficerRights* pExistingOfficer;
  102. CSASSERT(IsValidSecurityDescriptor(pSD));
  104. hr = myGetSecurityDescriptorDacl(pSD, &pAcl);
  105. _JumpIfError(hr, error, "myGetSecurityDescriptorDacl");
  107. if(!GetAclInformation(pAcl,
  108. &AclInfo,
  109. sizeof(AclInfo),
  110. AclSizeInformation))
  111. {
  112. hr = myHLastError();
  113. _JumpError(hr, error, "GetAclInformation");
  114. }
  116. m_dwCountList = 0;
  118. m_List = (COfficerRights **)LocalAlloc(LMEM_FIXED,
  119. sizeof(COfficerRights*)*AclInfo.AceCount);
  120. if(!m_List)
  121. {
  122. hr = E_OUTOFMEMORY;
  123. _JumpError(hr, error, "LocalAlloc");
  124. }
  125. ZeroMemory(m_List, sizeof(COfficerRights*)*AclInfo.AceCount);
  127. for(cAce=0; cAce<AclInfo.AceCount; cAce++)
  128. {
  129. pExistingOfficer = NULL;
  131. if(!GetAce(pAcl, cAce, (PVOID*)&pAce))
  132. {
  133. hr = myHLastError();
  134. _JumpError(hr, error, "GetAce");
  135. }
  137. CSASSERT(
  138. ACCESS_ALLOWED_CALLBACK_ACE_TYPE == pAce->Header.AceType ||
  139. ACCESS_DENIED_CALLBACK_ACE_TYPE == pAce->Header.AceType);
  141. // Detect if another object already exists for this officer; if so, we
  142. // will add the client list to it instead of creating a new object
  143. // Assuming denied aces always come before allow aces, we can limit
  144. // the search to allow type
  145. if(ACCESS_ALLOWED_CALLBACK_ACE_TYPE==pAce->Header.AceType)
  146. {
  147. for(cList=0; cList<m_dwCountList; cList++)
  148. {
  149. if(EqualSid(m_List[cList]->GetSid(),
  150. (PSID)&pAce->SidStart))
  151. {
  152. pExistingOfficer = m_List[cList];
  153. break;
  154. }
  155. }
  156. }
  158. if(pExistingOfficer)
  159. {
  160. // add SID list stored in this ace to existing officer object
  161. hr = pExistingOfficer->AddSidList(pAce);
  162. _JumpIfError(hr, error, "COfficerRights::AddSidList");
  163. }
  164. else
  165. {
  166. // create new officer object
  167. pOfficerRights = new COfficerRights;
  168. if(!pOfficerRights)
  169. {
  170. hr = E_OUTOFMEMORY;
  171. _JumpError(hr, error, "new COfficerRights");
  172. }
  174. hr = pOfficerRights->Init(pAce);
  175. _JumpIfError(hr, error, "COfficerRights::Init");
  177. m_List[m_dwCountList] = pOfficerRights;
  178. pOfficerRights = NULL;
  179. m_dwCountList++;
  180. }
  181. }
  183. error:
  184. if(S_OK!=hr && m_List)
  185. {
  186. if(m_List)
  187. {
  188. LocalFree(m_List);
  189. m_List = NULL;
  190. }
  191. if(pOfficerRights)
  192. {
  193. delete pOfficerRights;
  194. }
  195. }
  196. return hr;
  197. }
  199. HRESULT COfficerRightsList::Save(PSECURITY_DESCRIPTOR &rpSD)
  200. {
  201. HRESULT hr = S_OK;
  202. PSECURITY_DESCRIPTOR pSD = NULL, pSDSelfRelative = NULL;
  203. DWORD dwSelfRelativeSize = 0;
  204. PSID pSidBuiltinAdministrators = NULL;
  205. PACL pAcl = NULL;
  207. rpSD = NULL;
  209. pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED,
  210. SECURITY_DESCRIPTOR_MIN_LENGTH);
  211. if (!pSD)
  212. {
  213. hr = E_OUTOFMEMORY;
  214. _JumpError(hr, error, "LocalAlloc");
  215. }
  216. #ifdef _DEBUG
  217. ZeroMemory(pSD, SECURITY_DESCRIPTOR_MIN_LENGTH);
  218. #endif
  220. if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
  221. {
  222. hr = myHLastError();
  223. _JumpError(hr, error, "InitializeSecurityDescriptor");
  224. }
  226. hr = GetBuiltinAdministratorsSID(&pSidBuiltinAdministrators);
  227. _JumpIfError(hr, error, "GetBuiltinAdministratorsSID");
  229. if(!SetSecurityDescriptorOwner(
  230. pSD,
  231. pSidBuiltinAdministrators,
  232. FALSE))
  233. {
  234. hr = myHLastError();
  235. _JumpError(hr, error, "SetSecurityDescriptorControl");
  236. }
  238. hr = BuildAcl(pAcl);
  239. _JumpIfError(hr, error, "BuildAcl");
  241. if(!SetSecurityDescriptorDacl(
  242. pSD,
  243. TRUE, // DACL present
  244. pAcl,
  245. FALSE)) // DACL defaulted
  246. {
  247. hr = myHLastError();
  248. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  249. }
  251. CSASSERT(IsValidSecurityDescriptor(pSD));
  253. MakeSelfRelativeSD(pSD, NULL, &dwSelfRelativeSize);
  254. if(ERROR_INSUFFICIENT_BUFFER!=GetLastError())
  255. {
  256. hr = myHLastError();
  257. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  258. }
  260. pSDSelfRelative = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, dwSelfRelativeSize);
  261. if(!pSDSelfRelative)
  262. {
  263. hr = E_OUTOFMEMORY;
  264. _JumpError(hr, error, "LocalAlloc");
  265. }
  267. if(!MakeSelfRelativeSD(pSD, pSDSelfRelative, &dwSelfRelativeSize))
  268. {
  269. hr = myHLastError();
  270. _JumpError(hr, error, "MakeSelfRelativeSD");
  271. }
  273. rpSD = pSDSelfRelative;
  275. error:
  276. if(pAcl)
  277. {
  278. LocalFree(pAcl);
  279. }
  280. if(pSD)
  281. {
  282. LocalFree(pSD);
  283. }
  284. if(pSidBuiltinAdministrators)
  285. {
  286. LocalFree(pSidBuiltinAdministrators);
  287. }
  288. return hr;
  289. }
  291. HRESULT COfficerRightsList::BuildAcl(PACL &rpAcl)
  292. {
  293. HRESULT hr = S_OK;
  294. DWORD dwAclSize = sizeof(ACL);
  295. DWORD cRights;
  296. PACL pAcl = NULL;
  298. rpAcl = NULL;
  300. // calculate total acl size by adding the space required
  301. // for the ACEs resulting from each COfficerRights
  302. for(cRights=0;cRights<m_dwCountList;cRights++)
  303. {
  304. dwAclSize += m_List[cRights]->GetAceSize(FALSE);
  305. dwAclSize += m_List[cRights]->GetAceSize(TRUE);
  306. }
  308. pAcl = (PACL)LocalAlloc(LMEM_FIXED, dwAclSize);
  309. if(!pAcl)
  310. {
  311. hr = E_OUTOFMEMORY;
  312. _JumpError(hr, error, "LocalAlloc");
  313. }
  314. #ifdef _DEBUG
  315. ZeroMemory(pAcl, dwAclSize);
  316. #endif
  318. if(!InitializeAcl(pAcl, dwAclSize, ACL_REVISION))
  319. {
  320. hr = myHLastError();
  321. _JumpError(hr, error, "InitializeAcl");
  322. }
  324. // add deny aces first
  325. for(cRights=0;cRights<m_dwCountList;cRights++)
  326. {
  327. hr = m_List[cRights]->AddAce(pAcl, FALSE);
  328. _JumpIfError(hr, error, "COfficerRights::AddAce");
  329. }
  331. // then add allow aces
  332. for(cRights=0;cRights<m_dwCountList;cRights++)
  333. {
  334. hr = m_List[cRights]->AddAce(pAcl, TRUE);
  335. _JumpIfError(hr, error, "COfficerRights::AddAce");
  336. }
  338. CSASSERT(IsValidAcl(pAcl));
  340. rpAcl = pAcl;
  342. error:
  344. if(S_OK!=hr)
  345. {
  346. if(pAcl)
  347. {
  348. LocalFree(pAcl);
  349. }
  350. }
  351. return hr;
  352. }
  354. DWORD COfficerRights::GetAceSize(BOOL fAllow)
  355. {
  356. DWORD dwAceSize = sizeof(ACCESS_ALLOWED_CALLBACK_ACE);
  357. dwAceSize += GetLengthSid(m_pSid->GetSid());
  358. BOOL fFound = FALSE;
  360. TPtrListEnum<CClientPermission> CPEnum(m_List);
  361. CClientPermission *pCP;
  363. for(pCP=CPEnum.Next();pCP;pCP=CPEnum.Next())
  364. {
  365. if(pCP->GetPermission()==fAllow)
  366. {
  367. dwAceSize += GetLengthSid(pCP->GetSid());
  368. fFound = TRUE;
  369. }
  370. }
  372. return fFound?dwAceSize:0;
  373. }
  375. HRESULT COfficerRights::AddAce(PACL pAcl, BOOL fAllow)
  376. {
  377. HRESULT hr = S_OK;
  378. PACCESS_ALLOWED_CALLBACK_ACE pAce = NULL;
  379. DWORD dwAceSize = GetAceSize(fAllow);
  380. DWORD dwSidSize = GetLengthSid(m_pSid->GetSid());
  381. DWORD dwClientSidSize;
  382. PSID_LIST pSidList;
  383. PSID pClientSid;
  384. TPtrListEnum<CClientPermission> CPEnum(m_List);
  385. CClientPermission *pCP;
  386. BOOL fFound = FALSE;
  387. DWORD dwSidCount = 0;
  389. if(dwAceSize)
  390. {
  391. pAce = (PACCESS_ALLOWED_CALLBACK_ACE) LocalAlloc(LMEM_FIXED, dwAceSize);
  392. if(!pAce)
  393. {
  394. hr = E_OUTOFMEMORY;
  395. _JumpError(hr, error, "LocalAlloc");
  396. }
  398. #ifdef _DEBUG
  399. ZeroMemory(pAce, dwAceSize);
  400. #endif
  402. pAce->Header.AceType = fAllow?ACCESS_ALLOWED_CALLBACK_ACE_TYPE:
  403. ACCESS_DENIED_CALLBACK_ACE_TYPE;
  404. pAce->Header.AceFlags= 0;
  405. pAce->Header.AceSize = (USHORT)dwAceSize;
  406. pAce->Mask = DELETE;
  408. CopySid(dwSidSize,
  409. (PSID)&pAce->SidStart,
  410. m_pSid->GetSid());
  411. pSidList = (PSID_LIST)(((BYTE*)&pAce->SidStart)+dwSidSize);
  412. pSidList->dwSidCount = m_List.GetCount();
  413. pClientSid = (PSID)&pSidList->SidListStart;
  414. for(pCP=CPEnum.Next(); pCP; pCP=CPEnum.Next())
  415. {
  416. if(pCP->GetPermission()==fAllow)
  417. {
  418. dwClientSidSize = GetLengthSid(pCP->GetSid());
  419. CopySid(dwClientSidSize,
  420. pClientSid,
  421. pCP->GetSid());
  422. pClientSid = (((BYTE*)pClientSid)+dwClientSidSize);
  423. fFound = TRUE;
  424. dwSidCount++;
  425. }
  426. }
  427. pSidList->dwSidCount = dwSidCount;
  429. CSASSERT(pClientSid==((BYTE*)pAce)+dwAceSize);
  431. if(fFound)
  432. {
  433. if(!::AddAce(
  434. pAcl,
  435. ACL_REVISION,
  436. MAXDWORD,
  437. pAce,
  438. dwAceSize))
  439. {
  440. hr = myHLastError();
  441. _JumpError(hr, error, "AddAce");
  442. }
  443. }
  444. }
  446. error:
  447. if(pAce)
  448. {
  449. LocalFree(pAce);
  450. }
  451. return hr;
  452. }
  454. void COfficerRightsList::Dump()
  455. {
  456. DBGPRINT((DBG_SS_INFO, "Officers: %d\n", m_dwCountList));
  457. wprintf(L"Officers: %d\n", m_dwCountList);
  458. for(DWORD dwCount=0;dwCount<m_dwCountList;dwCount++)
  459. {
  460. COfficerRights *pOR = GetAt(dwCount);
  461. wprintf(L"Officer %s, %d clients\n", pOR->GetName(), pOR->GetCount());
  462. for(DWORD c=0;c<pOR->GetCount();c++)
  463. {
  464. CClientPermission *pCli = pOR->GetAt(c);
  465. wprintf(L"\tClient %s, %s\n", pCli->GetName(), pCli->GetPermission()?L"allow":L"deny");
  466. }
  467. }
  468. }
  470. // Searches the list for an object with this SID; if found returns
  471. // object index, if not found, returns DWORD_MAX
  472. DWORD COfficerRights::Find(PSID pSid)
  473. {
  474. CClientPermission perm(TRUE, pSid);
  475. return m_List.FindIndex(perm);
  476. }