archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
3.8 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/admin/common/sitesecu.cpp

744 lines
15 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1994-1999 Microsoft Corporation
  5. Module Name :
  7. sitesecu.cpp
  9. Abstract:
  11. Site Security property page
  13. Author:
  15. Ronald Meijer (ronaldm)
  17. Project:
  19. Internet Services Manager (cluster edition)
  21. Revision History:
  23. --*/
  25. //
  26. // Include Files
  27. //
  28. #include "stdafx.h"
  29. #include "common.h"
  32. #undef dllexp
  33. #include <tcpdllp.hxx>
  34. #define _RDNS_STANDALONE
  35. #include <rdns.hxx>
  38. #ifdef _DEBUG
  39. #undef THIS_FILE
  40. static char BASED_CODE THIS_FILE[] = __FILE__;
  41. #endif // _DEBUG
  45. //#ifdef _DEBUG
  46. //
  47. // Careful here... This may cause build failure
  48. //
  49. extern "C" DEBUG_PRINTS * g_pDebug = NULL;
  50. //#endif // _DEBUG
  53. #define new DEBUG_NEW
  58. CIPAccessDescriptor::CIPAccessDescriptor(
  59. IN BOOL fGranted
  60. )
  61. /*++
  63. Routine Description:
  65. Dummy Constructor for access description object. Assumes a single IP
  66. address of 0.0.0.0
  68. Arguments:
  70. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  72. Return Value:
  74. N/A
  76. --*/
  77. : m_fGranted(fGranted),
  78. m_adtType(CIPAccessDescriptor::ADT_SINGLE),
  79. m_iaIPAddress(NULL_IP_ADDRESS),
  80. m_iaSubnetMask(NULL_IP_MASK),
  81. m_strDomain()
  82. {
  83. }
  88. CIPAccessDescriptor::CIPAccessDescriptor(
  89. IN const CIPAccessDescriptor & ac
  90. )
  91. /*++
  93. Routine Description:
  95. Copy constructor for access description object
  97. Arguments:
  99. const CIPAccessDescriptor & ac : Source access description object
  101. Return Value:
  103. N/A
  105. --*/
  106. : m_fGranted(ac.m_fGranted),
  107. m_adtType(ac.m_adtType),
  108. m_iaIPAddress(ac.m_iaIPAddress),
  109. m_iaSubnetMask(ac.m_iaSubnetMask),
  110. m_strDomain(ac.m_strDomain)
  111. {
  112. }
  116. CIPAccessDescriptor::CIPAccessDescriptor(
  117. IN BOOL fGranted,
  118. IN DWORD dwIPAddress,
  119. IN DWORD dwSubnetMask, OPTIONAL
  120. IN BOOL fNetworkByteOrder OPTIONAL
  121. )
  122. /*++
  124. Routine Description:
  126. Constructor for ip range (ip address/subnet mask pair)
  127. access description object.
  129. Arguments:
  131. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  132. DWORD dwIPAddress : IP Address
  133. DWORD dwSubnetMask : The subnet mask or 0xffffffff
  134. BOOL fNetworkByteOrder : If TRUE, the ip address and subnet mask are in
  135. network byte order
  137. Return Value:
  139. N/A
  141. --*/
  142. {
  143. SetValues(fGranted, dwIPAddress, dwSubnetMask, fNetworkByteOrder);
  144. }
  148. CIPAccessDescriptor::CIPAccessDescriptor(
  149. IN BOOL fGranted,
  150. IN LPCTSTR lpstrDomain
  151. )
  152. /*++
  154. Routine Description:
  156. Constructor for domain name access description object.
  158. Arguments:
  160. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  161. LPCTSTR lpstrDomain : The domain name
  163. Return Value:
  165. N/A
  167. --*/
  168. {
  169. SetValues(fGranted, lpstrDomain);
  170. }
  173. void
  174. CIPAccessDescriptor::SetValues(
  175. IN BOOL fGranted,
  176. IN DWORD dwIPAddress,
  177. IN DWORD dwSubnetMask,
  178. IN BOOL fNetworkByteOrder OPTIONAL
  179. )
  180. /*++
  182. Routine Description:
  184. Set values for 'ip range (ip address and subnet mask)' access descriptor,
  185. or a single ip address if the mask is 0xffffffff
  187. Arguments:
  189. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  190. DWORD dwIPAddress : IP Address
  191. DWORD dwSubnetMask : The subnet mask or ffffffff
  192. BOOL fNetworkByteOrder : If TRUE, the ip address and subnet mask are in
  193. network byte order
  195. Return Value:
  197. None
  199. Notes:
  201. If the subnetmask is 0xffffffff this describes a single ip address.
  203. --*/
  204. {
  205. m_fGranted = fGranted;
  206. m_adtType = (dwSubnetMask == NULL_IP_MASK) ? ADT_SINGLE : ADT_MULTIPLE;
  207. m_iaIPAddress = CIPAddress(dwIPAddress, fNetworkByteOrder);
  208. m_iaSubnetMask = CIPAddress(dwSubnetMask, fNetworkByteOrder);
  210. //
  211. // Not used:
  212. //
  213. m_strDomain.Empty();
  214. }
  218. void
  219. CIPAccessDescriptor::SetValues(
  220. IN BOOL fGranted,
  221. IN LPCTSTR lpstrDomain
  222. )
  223. /*++
  225. Routine Description:
  227. Set values for 'domain name' access descriptor
  229. Arguments:
  231. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  232. LPCTSTR lpstrDomain : The domain name
  234. Return Value:
  236. None
  238. --*/
  239. {
  240. m_fGranted = fGranted;
  241. m_adtType = ADT_DOMAIN;
  243. try
  244. {
  245. m_strDomain = lpstrDomain;
  246. }
  247. catch(CMemoryException * e)
  248. {
  249. TRACEEOLID("!!!exception assigning domain name");
  250. e->ReportError();
  251. e->Delete();
  252. }
  254. //
  255. // Not used:
  256. //
  257. m_iaIPAddress.SetZeroValue();
  258. m_iaSubnetMask.SetZeroValue();
  259. }
  263. BOOL
  264. CIPAccessDescriptor::DuplicateInList(
  265. IN CObListPlus & oblList
  266. )
  267. /*++
  269. Routine Description:
  271. Check to see if a duplicate exists in the provided oblist
  273. Arguments:
  275. CObListPlus & oblList
  277. Return Value:
  279. TRUE if a duplicate exists, FALSE otherwise.
  281. Notes:
  283. As there's no information how this list might be sorted at this point,
  284. and the list is likely to be small, the search is sequential.
  286. --*/
  287. {
  288. CObListIter obli(oblList);
  289. CIPAccessDescriptor * pAccess;
  291. TRACEEOLID("Looking for duplicate access descriptors");
  292. while (pAccess = (CIPAccessDescriptor *)obli.Next())
  293. {
  294. ASSERT_READ_PTR(pAccess);
  296. //
  297. // Eliminate the item itself from the list, and look
  298. // only for duplicates.
  299. //
  300. if (pAccess != this && *this == *pAccess)
  301. {
  302. TRACEEOLID("Duplicate access descriptor found");
  303. return TRUE;
  304. }
  305. }
  307. TRACEEOLID("No duplicate access descriptor found");
  309. return FALSE;
  310. }
  314. BOOL
  315. CIPAccessDescriptor::operator ==(
  316. IN const CIPAccessDescriptor & ac
  317. ) const
  318. /*++
  320. Routine Description:
  322. Compare against another access descriptor.
  324. Arguments:
  326. const CIPAccessDescriptor & ac : Object to be compared against
  328. Return Value:
  330. TRUE if the two are identical
  332. --*/
  333. {
  334. if ( m_fGranted != ac.m_fGranted
  335. || m_adtType != ac.m_adtType)
  336. {
  337. return FALSE;
  338. }
  340. if (IsDomainName())
  341. {
  342. return m_strDomain.CompareNoCase(ac.m_strDomain) == 0;
  343. }
  345. return m_iaIPAddress == ac.m_iaIPAddress
  346. && m_iaSubnetMask == ac.m_iaSubnetMask;
  347. }
  351. int
  352. CIPAccessDescriptor::OrderByAddress(
  353. IN const CObjectPlus * pobAccess
  354. ) const
  355. /*++
  357. Routine Description:
  359. Compare two access descriptors against each other.
  360. Sorting criteria are in the following order:
  362. 1) 'Granted' sorts before 'Denied'
  363. 2) Domain names are sorted before ip addresses, and are
  364. sorted alphabetically.
  365. 3) IP Address and IP Address/subnet mask pairs are sorted
  366. by ip address.
  368. Arguments:
  370. const CObjectPlus * pobAccess : This really refers to another
  371. CIPAccessDescriptor to be compared to.
  373. Return Value:
  375. Sort (+1, 0, -1) return value
  377. --*/
  378. {
  379. const CIPAccessDescriptor * pob = (CIPAccessDescriptor *)pobAccess;
  381. //
  382. // First sort by access/denied
  383. //
  384. int n1 = HasAccess() ? 1 : 0;
  385. int n2 = pob->HasAccess() ? 1 : 0;
  387. if (n2 != n1)
  388. {
  389. //
  390. // Grant sorts before denied
  391. //
  392. return n2 - n1;
  393. }
  395. //
  396. // Secondly, try to sort by domain name (domain name sorts before
  397. // ip address and ip address/subnet mask objects)
  398. //
  399. n1 = IsDomainName() ? 1 : 0;
  400. n2 = pob->IsDomainName() ? 1 : 0;
  402. if (n1 != n2)
  403. {
  404. //
  405. // Domain names sort before ip addresses
  406. //
  407. return n2 - n1;
  408. }
  410. if (n1 && n2)
  411. {
  412. //
  413. // Both are domain names. Sort alphabetically
  414. //
  415. return ::lstrcmpi(QueryDomainName(), pob->QueryDomainName());
  416. }
  418. //
  419. // IP address is the third key.
  420. //
  421. return QueryIPAddress().CompareItem(pob->QueryIPAddress());
  422. }
  426. DWORD
  427. AddAccessEntries(
  428. IN ADDRESS_CHECK & ac,
  429. IN BOOL fName,
  430. IN BOOL fGrant,
  431. OUT CObListPlus & oblAccessList,
  432. OUT DWORD & cEntries
  433. )
  434. /*++
  436. Routine Description:
  438. Add specific kind of addresses from the list to the oblist of
  439. access entries
  441. Arguments:
  443. ADDRESS_CHECK & ac : Address list input object
  444. BOOL fName : TRUE for names, FALSE for ip
  445. BOOL fGrant : TRUE for granted, FALSE for denied
  446. CObListPlus & oblAccessList : ObList to add access entries to
  447. int & cEntries : Returns the number of entries
  449. Return Value:
  451. Error code
  453. Notes:
  455. Sentinel entries (ip 0.0.0.0) are not added to the oblist, but
  456. are reflected in the cEntries return value
  458. --*/
  459. {
  460. DWORD i;
  461. DWORD dwFlags;
  463. if (fName)
  464. {
  465. //
  466. // Domain names
  467. //
  468. LPSTR lpName;
  470. cEntries = ac.GetNbName(fGrant);
  472. for (i = 0L; i < cEntries; ++i)
  473. {
  474. if (ac.GetName(fGrant, i, &lpName, &dwFlags))
  475. {
  476. CString strDomain(lpName);
  478. if (!(dwFlags & DNSLIST_FLAG_NOSUBDOMAIN))
  479. {
  480. strDomain = _T("*.") + strDomain;
  481. }
  483. oblAccessList.AddTail(new CIPAccessDescriptor(fGrant, strDomain));
  484. }
  485. }
  486. }
  487. else
  488. {
  489. //
  490. // IP Addresses
  491. //
  492. LPBYTE lpMask;
  493. LPBYTE lpAddr;
  494. cEntries = ac.GetNbAddr(fGrant);
  496. for (i = 0L; i < cEntries; ++i)
  497. {
  498. if (ac.GetAddr(fGrant, i, &dwFlags, &lpMask, &lpAddr))
  499. {
  500. DWORD dwIP = MAKEIPADDRESS(lpAddr[0], lpAddr[1], lpAddr[2], lpAddr[3]);
  501. DWORD dwMask = MAKEIPADDRESS(lpMask[0], lpMask[1], lpMask[2], lpMask[3]);
  503. if (dwIP == NULL_IP_ADDRESS && dwMask == NULL_IP_MASK)
  504. {
  505. //
  506. // Sentinel in the grant list is not added, but
  507. // also not subtracted from the count of entries,
  508. // which is correct behaviour, since this is
  509. // how default grant/deny by default is determined.
  510. //
  511. TRACEEOLID("Ignoring sentinel");
  512. }
  513. else
  514. {
  515. oblAccessList.AddTail(
  516. new CIPAccessDescriptor(
  517. fGrant,
  518. dwIP,
  519. dwMask,
  520. FALSE
  521. )
  522. );
  523. }
  524. }
  525. }
  526. }
  528. return ERROR_SUCCESS;
  529. }
  533. DWORD
  534. BuildIplOblistFromBlob(
  535. IN CBlob & blob,
  536. OUT CObListPlus & oblAccessList,
  537. OUT BOOL & fGrantByDefault
  538. )
  539. /*++
  541. Routine Description:
  543. Convert a blob to an oblist of access descriptors.
  545. Arguments:
  547. CBlob & blob : Input binary large object(blob)
  548. CObListPlus & oblAccessList : Output oblist of access descriptors
  549. BOOL & fGrantByDefault : Returns TRUE if access is granted
  550. by default, FALSE otherwise
  552. Return Value:
  554. Error Return Code
  556. --*/
  557. {
  558. oblAccessList.RemoveAll();
  560. if (blob.IsEmpty())
  561. {
  562. return ERROR_SUCCESS;
  563. }
  565. ADDRESS_CHECK ac;
  566. ac.BindCheckList(blob.GetData(), blob.GetSize());
  568. DWORD cGrantAddr, cGrantName, cDenyAddr, cDenyName;
  570. // Name/IP Granted/Deny
  571. // ============================================================
  572. AddAccessEntries(ac, TRUE, TRUE, oblAccessList, cGrantName);
  573. AddAccessEntries(ac, FALSE, TRUE, oblAccessList, cGrantAddr);
  574. AddAccessEntries(ac, TRUE, FALSE, oblAccessList, cDenyName);
  575. AddAccessEntries(ac, FALSE, FALSE, oblAccessList, cDenyAddr);
  577. ac.UnbindCheckList();
  579. fGrantByDefault = (cDenyAddr + cDenyName != 0L)
  580. || (cGrantAddr + cGrantName == 0L);
  582. return ERROR_SUCCESS;
  583. }
  587. LPSTR
  588. PrepareDomainName(
  589. IN LPSTR lpName,
  590. OUT DWORD * pdwFlags
  591. )
  592. /*++
  594. Routine Description:
  596. Check to see if the domain name contains a wild card,
  597. if so remove it. Set the flags based on the domain name
  599. Arguments:
  601. LPSTR lpName : Input domain name
  602. DWORD * pdwFlags : Return the flags for AddName
  604. Return:
  606. Pointer to the cleaned up domain name
  608. --*/
  609. {
  610. *pdwFlags = 0L;
  612. if (!strncmp(lpName, "*.", 2))
  613. {
  614. return lpName + 2;
  615. }
  617. *pdwFlags |= DNSLIST_FLAG_NOSUBDOMAIN;
  619. return lpName;
  620. }
  624. void
  625. BuildIplBlob(
  626. IN CObListPlus & oblAccessList,
  627. IN BOOL fGrantByDefault,
  628. OUT CBlob & blob
  629. )
  630. /*++
  632. Routine Description:
  634. Build a blob from an oblist of access descriptors
  636. Arguments:
  638. CObListPlus & oblAccessList : Input oblist of access descriptors
  639. BOOL fGrantByDefault : TRUE if access is granted by default
  640. CBlob & blob : Output blob
  642. Return Value:
  644. None
  646. Notes:
  648. If fGrantByDefault is FALSE, e.g. access is to be denied by
  649. default, but nobody is specifically granted access, then add
  650. a dummy entry 0.0.0.0 to the grant list.
  652. If grant by default is on, then granted entries will not be
  653. added to the blob. Similart for denied entries if deny by
  654. default is on.
  656. --*/
  657. {
  658. ADDRESS_CHECK ac;
  660. ac.BindCheckList();
  662. int cItems = 0;
  664. CObListIter obli(oblAccessList);
  665. const CIPAccessDescriptor * pAccess;
  667. //
  668. // Should be empty to start with.
  669. //
  670. ASSERT(blob.IsEmpty());
  671. blob.CleanUp();
  673. BYTE bMask[4];
  674. BYTE bIp[4];
  676. while (pAccess = (CIPAccessDescriptor *)obli.Next())
  677. {
  678. ASSERT_READ_PTR(pAccess);
  680. if (pAccess->HasAccess() == fGrantByDefault)
  681. {
  682. //
  683. // Skip this entry -- it's irrelevant
  684. //
  685. continue;
  686. }
  688. if (pAccess->IsDomainName())
  689. {
  690. LPSTR lpName = AllocAnsiString(pAccess->QueryDomainName());
  691. if (lpName)
  692. {
  693. DWORD dwFlags;
  694. LPSTR lpDomain = PrepareDomainName(lpName, &dwFlags);
  695. ac.AddName(
  696. pAccess->HasAccess(),
  697. lpDomain,
  698. dwFlags
  699. );
  700. FreeMem(lpName);
  701. }
  702. }
  703. else
  704. {
  705. //
  706. // Build with network byte order
  707. //
  708. ac.AddAddr(
  709. pAccess->HasAccess(),
  710. AF_INET,
  711. CIPAddress::DWORDtoLPBYTE(pAccess->QuerySubnetMask(FALSE), bMask),
  712. CIPAddress::DWORDtoLPBYTE(pAccess->QueryIPAddress(FALSE), bIp)
  713. );
  714. }
  716. ++cItems;
  717. }
  719. if (cItems == 0 && !fGrantByDefault)
  720. {
  721. //
  722. // List is empty. If deny by default is on, create
  723. // a dummy sentinel entry to grant access to single
  724. // address 0.0.0.0, otherwise we're ok.
  725. //
  726. ac.AddAddr(
  727. TRUE,
  728. AF_INET,
  729. CIPAddress::DWORDtoLPBYTE(NULL_IP_MASK, bMask),
  730. CIPAddress::DWORDtoLPBYTE(NULL_IP_ADDRESS, bIp)
  731. );
  732. ++cItems;
  733. }
  735. if (cItems > 0)
  736. {
  737. blob.SetValue(ac.QueryCheckListSize(), ac.QueryCheckListPtr(), TRUE);
  738. }
  740. ac.UnbindCheckList();
  741. }