archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/iisrearc/iisplus/ulw3/iiscertmapprovider.cxx

384 lines
10 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  2. Copyright (c) 1999 Microsoft Corporation
  4. Module Name :
  5. certmapprovider.cxx
  7. Abstract:
  8. IIS Certificate Mapper provider
  10. Author:
  11. Bilal Alam (balam) 10-Jan-2000
  13. Environment:
  14. Win32 - User Mode
  16. Project:
  17. ULW3.DLL
  18. --*/
  20. #include "precomp.hxx"
  21. #include "iiscertmapprovider.hxx"
  25. HRESULT
  26. IISCERTMAP_AUTH_PROVIDER::DoesApply(
  27. W3_MAIN_CONTEXT * pMainContext,
  28. BOOL * pfApplies
  29. )
  30. /*++
  32. Routine Description:
  34. Does certificate map authentication apply?
  36. Arguments:
  38. pMainContext - Main context
  39. pfApplies - Set to TRUE if cert map auth applies
  41. Return Value:
  43. HRESULT
  45. --*/
  46. {
  47. CERTIFICATE_CONTEXT * pCertificateContext;
  48. URL_CONTEXT * pUrlContext = NULL;
  49. W3_METADATA * pMetaData = NULL;
  50. BOOL fApplies = FALSE;
  51. W3_SITE * pSite = NULL;
  52. IIS_CERTIFICATE_MAPPING * pIISCertificateMapping = NULL;
  53. TOKEN_CACHE_ENTRY * pCachedIISMappedToken = NULL;
  54. BOOL fClientCertDeniedByMapper = FALSE;
  57. if ( pMainContext == NULL ||
  58. pfApplies == NULL )
  59. {
  60. DBG_ASSERT( FALSE );
  61. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  62. }
  64. //
  65. // If cert mapping is not allowed for this vroot, then ignore client
  66. // cert token and let other authentication mechanisms do their thing
  67. //
  69. pUrlContext = pMainContext->QueryUrlContext();
  70. DBG_ASSERT( pUrlContext != NULL );
  72. pMetaData = pUrlContext->QueryMetaData();
  73. DBG_ASSERT( pMetaData != NULL );
  75. pSite = pMainContext->QuerySite();
  76. DBG_ASSERT( pSite != NULL );
  79. if ( pMetaData->QuerySslAccessPerms() & VROOT_MASK_MAP_CERT )
  80. {
  81. pCertificateContext = pMainContext->QueryCertificateContext();
  82. if ( pCertificateContext == NULL )
  83. {
  84. fApplies = FALSE;
  85. goto Finished;
  86. }
  88. if ( ! pSite->QueryUseDSMapper() )
  89. {
  90. //
  91. // IIS mapper enabled
  92. //
  93. HRESULT hr = E_FAIL;
  94. PBYTE pbClientCertBlob = NULL;
  95. DWORD cbClientCertBlob = 0;
  97. //
  98. // No need to call DereferenceCertMapping after QueryIISCertificateMapping
  99. // IISCertificateMapping is referenced by W3_SITE and we hold reference
  100. // to W3_SITE already
  101. //
  102. hr = pSite->GetIISCertificateMapping( &pIISCertificateMapping );
  103. if ( FAILED( hr ) ||
  104. ( pIISCertificateMapping == NULL ) )
  105. {
  106. //
  107. // If we couldn't read the mapping because not found, thats OK.
  108. //
  109. // CODEWORK: we may need smarted error handling (ignoring error
  110. // and assuming that mapping was not found is not very good idea
  111. //
  112. fApplies = FALSE;
  113. goto Finished;
  114. }
  116. //
  117. // retrieve client certificate
  118. //
  119. pCertificateContext->QueryEncodedCertificate(
  120. reinterpret_cast<PVOID *>(&pbClientCertBlob),
  121. &cbClientCertBlob );
  123. if( pbClientCertBlob == NULL || cbClientCertBlob == 0 )
  124. {
  125. fApplies = FALSE;
  126. goto Finished;
  127. }
  128. DBG_ASSERT( pIISCertificateMapping != NULL );
  130. hr = pIISCertificateMapping->DoMapCredential( pbClientCertBlob,
  131. cbClientCertBlob,
  132. &pCachedIISMappedToken,
  133. &fClientCertDeniedByMapper );
  134. if ( FAILED( hr ) )
  135. {
  136. //
  137. // IISCERTMAP applies only when there was successful mapping
  138. // Otherwise it will yield other auth providers
  139. //
  141. if ( hr == SEC_E_UNKNOWN_CREDENTIALS )
  142. {
  143. //
  144. // DoMapCredential didn't find any mathing mapping
  145. // or user/pwd in the mapping was invalid
  146. //
  147. hr = S_OK;
  148. }
  149. fApplies = FALSE;
  150. goto Finished;
  151. }
  153. DBG_ASSERT ( fClientCertDeniedByMapper || pCachedIISMappedToken!= NULL );
  155. if( ( pCachedIISMappedToken != NULL &&
  156. pCachedIISMappedToken->QueryImpersonationToken() != NULL ) ||
  157. fClientCertDeniedByMapper )
  158. {
  160. IISCERTMAP_CONTEXT_STATE * pContextState = NULL;
  161. //
  162. // Use IISCERTMAP_CONTEXT_STATE to communicate information
  163. // from DoesApply() to DoAuthenticate()
  164. // We don't want to be calling mapper twice
  165. //
  166. pContextState = new (pMainContext) IISCERTMAP_CONTEXT_STATE(
  167. pCachedIISMappedToken,
  168. fClientCertDeniedByMapper );
  169. if ( pContextState == NULL )
  170. {
  171. if ( pCachedIISMappedToken != NULL )
  172. {
  173. pCachedIISMappedToken->DereferenceCacheEntry();
  174. pCachedIISMappedToken = NULL;
  175. }
  177. hr = HRESULT_FROM_WIN32( ERROR_OUTOFMEMORY );
  178. goto Finished;
  179. }
  180. //
  181. // pContextState is taking ownership of pCachedIISMappedToken
  182. //
  183. pMainContext->SetContextState( pContextState );
  184. fApplies = TRUE;
  186. }
  187. }
  188. }
  189. Finished:
  190. *pfApplies = fApplies;
  192. if ( pCachedIISMappedToken != NULL )
  193. {
  194. //
  195. // if creating CERTMAP_CONTEXT_STATE succeeded it will hold it's own reference
  196. // to cached token
  197. //
  198. pCachedIISMappedToken->DereferenceCacheEntry();
  199. pCachedIISMappedToken = NULL;
  200. }
  201. return NO_ERROR;
  202. }
  204. HRESULT
  205. IISCERTMAP_AUTH_PROVIDER::DoAuthenticate(
  206. W3_MAIN_CONTEXT * pMainContext
  207. )
  208. /*++
  210. Routine Description:
  212. Create a user context representing a cert mapped token
  214. Arguments:
  216. pMainContext - Main context
  218. Return Value:
  220. HRESULT
  222. --*/
  223. {
  224. IISCERTMAP_USER_CONTEXT * pUserContext = NULL;
  225. CERTIFICATE_CONTEXT * pCertificateContext = NULL;
  226. HANDLE hImpersonation;
  227. BOOL fDelegatable = FALSE;
  228. HRESULT hr = NO_ERROR;
  229. W3_SITE * pSite = NULL;
  230. IISCERTMAP_CONTEXT_STATE * pContextState = NULL;
  231. TOKEN_CACHE_ENTRY * CachedToken = NULL;
  233. if ( pMainContext == NULL )
  234. {
  235. DBG_ASSERT( FALSE );
  236. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  237. }
  239. pSite = pMainContext->QuerySite();
  240. DBG_ASSERT( pSite != NULL );
  242. // IIS mapper
  243. DBG_ASSERT ( !pSite->QueryUseDSMapper() );
  246. pContextState = (IISCERTMAP_CONTEXT_STATE *) pMainContext->QueryContextState();
  247. DBG_ASSERT( pContextState != NULL );
  249. if ( pContextState->QueryClientCertDeniedByIISCertMap() )
  250. {
  251. //
  252. // Report denied by IIS mapper error
  253. //
  254. pMainContext->QueryResponse()->SetStatus( HttpStatusForbidden,
  255. Http403MapperDenyAccess);
  256. pMainContext->SetErrorStatus( S_OK );
  257. return S_OK;
  258. }
  260. CachedToken = pContextState->QueryCachedIISCertMapToken();
  261. DBG_ASSERT( CachedToken != NULL );
  263. //
  264. // Create the user context for this request
  265. //
  267. pUserContext = new IISCERTMAP_USER_CONTEXT( this );
  268. if ( pUserContext == NULL )
  269. {
  270. CachedToken->DereferenceCacheEntry();
  271. return HRESULT_FROM_WIN32( GetLastError() );
  272. }
  274. hr = pUserContext->Create( CachedToken );
  275. if ( FAILED( hr ) )
  276. {
  277. pUserContext->DereferenceUserContext();
  278. pUserContext = NULL;
  279. return hr;
  280. }
  282. pMainContext->SetUserContext( pUserContext );
  284. return NO_ERROR;
  285. }
  287. HRESULT
  288. IISCERTMAP_AUTH_PROVIDER::OnAccessDenied(
  289. W3_MAIN_CONTEXT * pMainContext
  290. )
  291. /*++
  293. Routine Description:
  295. NOP since we have nothing to do on access denied
  297. Arguments:
  299. pMainContext - Main context
  301. Return Value:
  303. HRESULT
  305. --*/
  306. {
  307. //
  308. // No headers to add
  309. //
  311. return NO_ERROR;
  312. }
  314. HRESULT
  315. IISCERTMAP_USER_CONTEXT::Create(
  316. TOKEN_CACHE_ENTRY * pCachedToken
  317. )
  318. /*++
  320. Routine Description:
  322. Create a certificate mapped user context
  324. Arguments:
  326. pCachedToken - cached token
  328. Note: function takes ownership of pCachedToken.
  329. It will dereference it even in the case of failure
  331. Return Value:
  333. HRESULT
  335. --*/
  336. {
  337. HRESULT hr = E_FAIL;
  338. DWORD cchUserName = sizeof( _achUserName ) / sizeof( WCHAR );
  340. if ( pCachedToken == NULL )
  341. {
  342. DBG_ASSERT( FALSE );
  343. return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
  344. }
  346. //
  347. // First the easy stuff
  348. //
  350. pCachedToken->ReferenceCacheEntry();
  351. _pCachedToken = pCachedToken;
  353. //
  354. // Now get the user name
  355. //
  357. if ( !SetThreadToken( NULL, _pCachedToken->QueryImpersonationToken() ) )
  358. {
  359. hr = HRESULT_FROM_WIN32( GetLastError() );
  360. goto Failed;
  361. }
  363. if ( !GetUserNameEx( NameSamCompatible,
  364. _achUserName,
  365. &cchUserName ) )
  366. {
  367. RevertToSelf();
  368. hr = HRESULT_FROM_WIN32( GetLastError() );
  369. goto Failed;
  370. }
  372. RevertToSelf();
  374. return NO_ERROR;
  375. Failed:
  376. if ( _pCachedToken != NULL )
  377. {
  378. _pCachedToken->DereferenceCacheEntry();
  379. _pCachedToken = NULL;
  380. }
  381. return hr;
  382. }