archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/ui/admin/comprop/sitesecu.cpp

944 lines
18 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1994-1998 Microsoft Corporation
  5. Module Name :
  7. sitesecu.cpp
  9. Abstract:
  11. Site Security property page
  13. Author:
  15. Ronald Meijer (ronaldm)
  17. Project:
  19. Internet Services Manager
  21. Revision History:
  23. --*/
  25. //
  26. // Include Files
  27. //
  28. #include "stdafx.h"
  29. #include "comprop.h"
  30. #include "accessdl.h"
  32. #undef dllexp
  33. #include "tcpdllp.hxx"
  34. #define _RDNS_STANDALONE
  35. #include <rdns.hxx>
  37. #ifdef _DEBUG
  38. #undef THIS_FILE
  39. static char BASED_CODE THIS_FILE[] = __FILE__;
  40. #endif
  43. //#ifdef _DEBUG
  44. //
  45. // Careful here... This may cause build failure
  46. //
  47. extern "C" DEBUG_PRINTS * g_pDebug = NULL;
  48. //#endif // _DEBUG
  51. //
  52. // Registry key name for this dialog
  53. //
  54. const TCHAR g_szRegKey[] = _T("Advanced");
  58. //
  59. // Site Security Listbox Column Definitions
  60. //
  61. // Note: IDS_IP_ADDRESS_SUBNET_MASK is overridden
  62. // in w3scfg
  63. //
  64. static const ODL_COLUMN_DEF g_aColumns[] =
  65. {
  66. // ===============================================
  67. // Weight Label
  68. // ===============================================
  69. { 4, IDS_ACCESS, },
  70. { 15, IDS_IP_ADDRESS_SUBNET_MASK, },
  71. };
  75. #define NUM_COLUMNS (sizeof(g_aColumns) / sizeof(g_aColumns[0]))
  80. CIPAccessDescriptor::CIPAccessDescriptor(
  81. IN BOOL fGranted
  82. )
  83. /*++
  85. Routine Description:
  87. Dummy Constructor for access description object. Assumes a single IP
  88. address of 0.0.0.0
  90. Arguments:
  92. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  94. Return Value:
  96. N/A
  98. --*/
  99. : m_fGranted(fGranted),
  100. m_adtType(CIPAccessDescriptor::ADT_SINGLE),
  101. m_iaIPAddress(NULL_IP_ADDRESS),
  102. m_iaSubnetMask(NULL_IP_MASK),
  103. m_strDomain()
  104. {
  105. }
  110. CIPAccessDescriptor::CIPAccessDescriptor(
  111. IN const CIPAccessDescriptor & ac
  112. )
  113. /*++
  115. Routine Description:
  117. Copy constructor for access description object
  119. Arguments:
  121. const CIPAccessDescriptor & ac : Source access description object
  123. Return Value:
  125. N/A
  127. --*/
  128. : m_fGranted(ac.m_fGranted),
  129. m_adtType(ac.m_adtType),
  130. m_iaIPAddress(ac.m_iaIPAddress),
  131. m_iaSubnetMask(ac.m_iaSubnetMask),
  132. m_strDomain(ac.m_strDomain)
  133. {
  134. }
  139. CIPAccessDescriptor::CIPAccessDescriptor(
  140. IN BOOL fGranted,
  141. IN DWORD dwIPAddress,
  142. IN DWORD dwSubnetMask, OPTIONAL
  143. IN BOOL fNetworkByteOrder OPTIONAL
  144. )
  145. /*++
  147. Routine Description:
  149. Constructor for ip range (ip address/subnet mask pair)
  150. access description object.
  152. Arguments:
  154. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  155. DWORD dwIPAddress : IP Address
  156. DWORD dwSubnetMask : The subnet mask or 0xffffffff
  157. BOOL fNetworkByteOrder : If TRUE, the ip address and subnet mask are in
  158. network byte order
  160. Return Value:
  162. N/A
  164. --*/
  165. {
  166. SetValues(fGranted, dwIPAddress, dwSubnetMask, fNetworkByteOrder);
  167. }
  172. CIPAccessDescriptor::CIPAccessDescriptor(
  173. IN BOOL fGranted,
  174. IN LPCTSTR lpstrDomain
  175. )
  176. /*++
  178. Routine Description:
  180. Constructor for domain name access description object.
  182. Arguments:
  184. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  185. LPCTSTR lpstrDomain : The domain name
  187. Return Value:
  189. N/A
  191. --*/
  192. {
  193. SetValues(fGranted, lpstrDomain);
  194. }
  199. void
  200. CIPAccessDescriptor::SetValues(
  201. IN BOOL fGranted,
  202. IN DWORD dwIPAddress,
  203. IN DWORD dwSubnetMask,
  204. IN BOOL fNetworkByteOrder OPTIONAL
  205. )
  206. /*++
  208. Routine Description:
  210. Set values for 'ip range (ip address and subnet mask)' access descriptor,
  211. or a single ip address if the mask is 0xffffffff
  213. Arguments:
  215. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  216. DWORD dwIPAddress : IP Address
  217. DWORD dwSubnetMask : The subnet mask or ffffffff
  218. BOOL fNetworkByteOrder : If TRUE, the ip address and subnet mask are in
  219. network byte order
  221. Return Value:
  223. None
  225. Notes:
  227. If the subnetmask is 0xffffffff this describes a single ip address.
  229. --*/
  230. {
  231. m_fGranted = fGranted;
  232. m_adtType = (dwSubnetMask == NULL_IP_MASK) ? ADT_SINGLE : ADT_MULTIPLE;
  233. m_iaIPAddress = CIPAddress(dwIPAddress, fNetworkByteOrder);
  234. m_iaSubnetMask = CIPAddress(dwSubnetMask, fNetworkByteOrder);
  236. //
  237. // Not used:
  238. //
  239. m_strDomain.Empty();
  240. }
  245. void
  246. CIPAccessDescriptor::SetValues(
  247. IN BOOL fGranted,
  248. IN LPCTSTR lpstrDomain
  249. )
  250. /*++
  252. Routine Description:
  254. Set values for 'domain name' access descriptor
  256. Arguments:
  258. BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access
  259. LPCTSTR lpstrDomain : The domain name
  261. Return Value:
  263. None
  265. --*/
  266. {
  267. m_fGranted = fGranted;
  268. m_adtType = ADT_DOMAIN;
  270. try
  271. {
  272. m_strDomain = lpstrDomain;
  273. }
  274. catch(CMemoryException * e)
  275. {
  276. TRACEEOLID("!!!exception assigning domain name");
  277. e->ReportError();
  278. e->Delete();
  279. }
  281. //
  282. // Not used:
  283. //
  284. m_iaIPAddress.SetZeroValue();
  285. m_iaSubnetMask.SetZeroValue();
  286. }
  291. BOOL
  292. CIPAccessDescriptor::DuplicateInList(
  293. IN CObListPlus & oblList
  294. )
  295. /*++
  297. Routine Description:
  299. Check to see if a duplicate exists in the provided oblist
  301. Arguments:
  303. CObListPlus & oblList
  305. Return Value:
  307. TRUE if a duplicate exists, FALSE otherwise.
  309. Notes:
  311. As there's no information how this list might be sorted at this point,
  312. and the list is likely to be small, the search is sequential.
  314. --*/
  315. {
  316. CObListIter obli(oblList);
  317. CIPAccessDescriptor * pAccess;
  319. TRACEEOLID("Looking for duplicate access descriptors");
  320. while (pAccess = (CIPAccessDescriptor *)obli.Next())
  321. {
  322. ASSERT(pAccess != NULL);
  324. //
  325. // Eliminate the item itself from the list, and look
  326. // only for duplicates.
  327. //
  328. if (pAccess != this && *this == *pAccess)
  329. {
  330. TRACEEOLID("Duplicate access descriptor found");
  331. return TRUE;
  332. }
  333. }
  335. TRACEEOLID("No duplicate access descriptor found");
  337. return FALSE;
  338. }
  343. BOOL
  344. CIPAccessDescriptor::operator ==(
  345. IN const CIPAccessDescriptor & ac
  346. ) const
  347. /*++
  349. Routine Description:
  351. Compare against another access descriptor.
  353. Arguments:
  355. const CIPAccessDescriptor & ac : Object to be compared against
  357. Return Value:
  359. TRUE if the two are identical
  361. --*/
  362. {
  363. if ( m_fGranted != ac.m_fGranted
  364. || m_adtType != ac.m_adtType)
  365. {
  366. return FALSE;
  367. }
  369. if (IsDomainName())
  370. {
  371. return m_strDomain.CompareNoCase(ac.m_strDomain) == 0;
  372. }
  374. return m_iaIPAddress == ac.m_iaIPAddress
  375. && m_iaSubnetMask == ac.m_iaSubnetMask;
  376. }
  381. int
  382. CIPAccessDescriptor::OrderByAddress(
  383. IN const CObjectPlus * pobAccess
  384. ) const
  385. /*++
  387. Routine Description:
  389. Compare two access descriptors against each other.
  390. Sorting criteria are in the following order:
  392. 1) 'Granted' sorts before 'Denied'
  393. 2) Domain names are sorted before ip addresses, and are
  394. sorted alphabetically.
  395. 3) IP Address and IP Address/subnet mask pairs are sorted
  396. by ip address.
  398. Arguments:
  400. const CObjectPlus * pobAccess : This really refers to another
  401. CIPAccessDescriptor to be compared to.
  403. Return Value:
  405. Sort (+1, 0, -1) return value
  407. --*/
  408. {
  409. const CIPAccessDescriptor * pob = (CIPAccessDescriptor *)pobAccess;
  411. //
  412. // First sort by access/denied
  413. //
  414. int n1 = HasAccess() ? 1 : 0;
  415. int n2 = pob->HasAccess() ? 1 : 0;
  417. if (n2 != n1)
  418. {
  419. //
  420. // Grant sorts before denied
  421. //
  422. return n2 - n1;
  423. }
  425. //
  426. // Secondly, try to sort by domain name (domain name sorts before
  427. // ip address and ip address/subnet mask objects)
  428. //
  429. n1 = IsDomainName() ? 1 : 0;
  430. n2 = pob->IsDomainName() ? 1 : 0;
  432. if (n1 != n2)
  433. {
  434. //
  435. // Domain names sort before ip addresses
  436. //
  437. return n2 - n1;
  438. }
  440. if (n1 && n2)
  441. {
  442. //
  443. // Both are domain names. Sort alphabetically
  444. //
  445. return ::lstrcmpi(QueryDomainName(), pob->QueryDomainName());
  446. }
  448. //
  449. // IP address is the third key.
  450. //
  451. return QueryIPAddress().CompareItem(pob->QueryIPAddress());
  452. }
  457. DWORD
  458. AddAccessEntries(
  459. IN ADDRESS_CHECK & ac,
  460. IN BOOL fName,
  461. IN BOOL fGrant,
  462. OUT CObListPlus & oblAccessList,
  463. OUT DWORD & cEntries
  464. )
  465. /*++
  467. Routine Description:
  469. Add specific kind of addresses from the list to the oblist of
  470. access entries
  472. Arguments:
  474. ADDRESS_CHECK & ac : Address list input object
  475. BOOL fName : TRUE for names, FALSE for ip
  476. BOOL fGrant : TRUE for granted, FALSE for denied
  477. CObListPlus & oblAccessList : ObList to add access entries to
  478. int & cEntries : Returns the number of entries
  480. Return Value:
  482. Error code
  484. Notes:
  486. Sentinel entries (ip 0.0.0.0) are not added to the oblist, but
  487. are reflected in the cEntries return value
  489. --*/
  490. {
  491. DWORD i;
  492. DWORD dwFlags;
  494. if (fName)
  495. {
  496. //
  497. // Domain names
  498. //
  499. LPSTR lpName;
  501. cEntries = ac.GetNbName(fGrant);
  503. for (i = 0L; i < cEntries; ++i)
  504. {
  505. if (ac.GetName(fGrant, i, &lpName, &dwFlags))
  506. {
  507. CString strDomain(lpName);
  508. if (!(dwFlags & DNSLIST_FLAG_NOSUBDOMAIN))
  509. {
  510. strDomain = _T("*.") + strDomain;
  511. }
  513. oblAccessList.AddTail(new CIPAccessDescriptor(fGrant, strDomain));
  514. }
  515. }
  516. }
  517. else
  518. {
  519. //
  520. // IP Addresses
  521. //
  522. LPBYTE lpMask;
  523. LPBYTE lpAddr;
  524. cEntries = ac.GetNbAddr(fGrant);
  525. for (i = 0L; i < cEntries; ++i)
  526. {
  527. if (ac.GetAddr(fGrant, i, &dwFlags, &lpMask, &lpAddr))
  528. {
  529. DWORD dwIP = MAKEIPADDRESS(lpAddr[0], lpAddr[1], lpAddr[2], lpAddr[3]);
  530. DWORD dwMask = MAKEIPADDRESS(lpMask[0], lpMask[1], lpMask[2], lpMask[3]);
  532. if (dwIP == NULL_IP_ADDRESS && dwMask == NULL_IP_MASK)
  533. {
  534. //
  535. // Sentinel in the grant list is not added, but
  536. // also not subtracted from the count of entries,
  537. // which is correct behaviour, since this is
  538. // how default grant/deny by default is determined.
  539. //
  540. TRACEEOLID("Ignoring sentinel");
  541. }
  542. else
  543. {
  544. oblAccessList.AddTail(
  545. new CIPAccessDescriptor(
  546. fGrant,
  547. dwIP,
  548. dwMask,
  549. FALSE
  550. )
  551. );
  552. }
  553. }
  554. }
  555. }
  557. return ERROR_SUCCESS;
  558. }
  564. DWORD
  565. BuildIplOblistFromBlob(
  566. IN CBlob & blob,
  567. OUT CObListPlus & oblAccessList,
  568. OUT BOOL & fGrantByDefault
  569. )
  570. /*++
  572. Routine Description:
  574. Convert a blob to an oblist of access descriptors.
  576. Arguments:
  578. CBlob & blob : Input binary large object(blob)
  579. CObListPlus & oblAccessList : Output oblist of access descriptors
  580. BOOL & fGrantByDefault : Returns TRUE if access is granted
  581. by default, FALSE otherwise
  583. Return Value:
  585. Error Return Code
  587. --*/
  588. {
  589. oblAccessList.RemoveAll();
  591. if (blob.IsEmpty())
  592. {
  593. return ERROR_SUCCESS;
  594. }
  596. ADDRESS_CHECK ac;
  597. ac.BindCheckList(blob.GetData(), blob.GetSize());
  599. DWORD cGrantAddr, cGrantName, cDenyAddr, cDenyName;
  601. // Name/IP Granted/Deny
  602. // ============================================================
  603. AddAccessEntries(ac, TRUE, TRUE, oblAccessList, cGrantName);
  604. AddAccessEntries(ac, FALSE, TRUE, oblAccessList, cGrantAddr);
  605. AddAccessEntries(ac, TRUE, FALSE, oblAccessList, cDenyName);
  606. AddAccessEntries(ac, FALSE, FALSE, oblAccessList, cDenyAddr);
  608. ac.UnbindCheckList();
  610. fGrantByDefault = (cDenyAddr + cDenyName != 0L)
  611. || (cGrantAddr + cGrantName == 0L);
  613. return ERROR_SUCCESS;
  614. }
  619. LPSTR
  620. PrepareDomainName(
  621. IN LPSTR lpName,
  622. OUT DWORD * pdwFlags
  623. )
  624. /*++
  626. Routine Description:
  628. Check to see if the domain name contains a wild card,
  629. if so remove it. Set the flags based on the domain name
  631. Arguments:
  633. LPSTR lpName : Input domain name
  634. DWORD * pdwFlags : Return the flags for AddName
  636. Return:
  638. Pointer to the cleaned up domain name
  640. --*/
  641. {
  642. *pdwFlags = 0L;
  644. if (!strncmp(lpName, "*.", 2))
  645. {
  646. return lpName + 2;
  647. }
  649. *pdwFlags |= DNSLIST_FLAG_NOSUBDOMAIN;
  651. return lpName;
  652. }
  657. void
  658. BuildIplBlob(
  659. IN CObListPlus & oblAccessList,
  660. IN BOOL fGrantByDefault,
  661. OUT CBlob & blob
  662. )
  663. /*++
  665. Routine Description:
  667. Build a blob from an oblist of access descriptors
  669. Arguments:
  671. CObListPlus & oblAccessList : Input oblist of access descriptors
  672. BOOL fGrantByDefault : TRUE if access is granted by default
  673. CBlob & blob : Output blob
  675. Return Value:
  677. None
  679. Notes:
  681. If fGrantByDefault is FALSE, e.g. access is to be denied by
  682. default, but nobody is specifically granted access, then add
  683. a dummy entry 0.0.0.0 to the grant list.
  685. If grant by default is on, then granted entries will not be
  686. added to the blob. Similart for denied entries if deny by
  687. default is on.
  689. --*/
  690. {
  691. ADDRESS_CHECK ac;
  693. ac.BindCheckList();
  695. int cItems = 0;
  697. CObListIter obli(oblAccessList);
  698. const CIPAccessDescriptor * pAccess;
  700. //
  701. // Should be empty to start with.
  702. //
  703. ASSERT(blob.IsEmpty());
  704. blob.CleanUp();
  706. BYTE bMask[4];
  707. BYTE bIp[4];
  709. while (pAccess = (CIPAccessDescriptor *)obli.Next())
  710. {
  711. ASSERT(pAccess != NULL);
  713. if (pAccess->HasAccess() == fGrantByDefault)
  714. {
  715. //
  716. // Skip this entry -- it's irrelevant
  717. //
  718. continue;
  719. }
  721. if (pAccess->IsDomainName())
  722. {
  723. LPSTR lpName = AllocAnsiString(pAccess->QueryDomainName());
  724. if (lpName)
  725. {
  726. DWORD dwFlags;
  727. LPSTR lpDomain = PrepareDomainName(lpName, &dwFlags);
  728. ac.AddName(
  729. pAccess->HasAccess(),
  730. lpDomain,
  731. dwFlags
  732. );
  733. FreeMem(lpName);
  734. }
  735. }
  736. else
  737. {
  738. //
  739. // Build with network byte order
  740. //
  741. ac.AddAddr(
  742. pAccess->HasAccess(),
  743. AF_INET,
  744. CIPAddress::DWORDtoLPBYTE(pAccess->QuerySubnetMask(FALSE), bMask),
  745. CIPAddress::DWORDtoLPBYTE(pAccess->QueryIPAddress(FALSE), bIp)
  746. );
  747. }
  749. ++cItems;
  750. }
  752. if (cItems == 0 && !fGrantByDefault)
  753. {
  754. //
  755. // List is empty. If deny by default is on, create
  756. // a dummy sentinel entry to grant access to single
  757. // address 0.0.0.0, otherwise we're ok.
  758. //
  759. ac.AddAddr(
  760. TRUE,
  761. AF_INET,
  762. CIPAddress::DWORDtoLPBYTE(NULL_IP_MASK, bMask),
  763. CIPAddress::DWORDtoLPBYTE(NULL_IP_ADDRESS, bIp)
  764. );
  765. ++cItems;
  766. }
  768. if (cItems > 0)
  769. {
  770. blob.SetValue(ac.QueryCheckListSize(), ac.QueryCheckListPtr(), TRUE);
  771. }
  773. ac.UnbindCheckList();
  774. }
  779. IMPLEMENT_DYNAMIC(CIPAccessDescriptorListBox, CHeaderListBox);
  784. //
  785. // Bitmap indices
  786. //
  787. enum
  788. {
  789. BMPID_GRANTED = 0,
  790. BMPID_DENIED,
  791. BMPID_SINGLE,
  792. BMPID_MULTIPLE,
  794. //
  795. // Don't move this one
  796. //
  797. BMPID_TOTAL
  798. };
  803. const int CIPAccessDescriptorListBox::nBitmaps = BMPID_TOTAL;
  808. CIPAccessDescriptorListBox::CIPAccessDescriptorListBox(
  809. IN BOOL fDomainsAllowed
  810. )
  811. /*++
  813. Routine Description:
  815. Constructor
  817. Arguments:
  819. fDomainsAllowed : TRUE if domain names are legal.
  821. Return Value:
  823. N/A
  825. --*/
  826. : m_fDomainsAllowed(fDomainsAllowed),
  827. CHeaderListBox(HLS_STRETCH, g_szRegKey)
  828. {
  829. m_strGranted.LoadString(IDS_GRANTED);
  830. m_strDenied.LoadString(IDS_DENIED);
  831. m_strFormat.LoadString(IDS_FMT_SECURITY);
  832. }
  837. void
  838. CIPAccessDescriptorListBox::DrawItemEx(
  839. IN CRMCListBoxDrawStruct & ds
  840. )
  841. /*++
  843. Routine Description:
  845. Draw item in the listbox
  847. Arguments:
  849. CRMCListBoxDrawStruct & ds : Draw item structure
  851. Return Value:
  853. None
  855. --*/
  856. {
  857. CIPAccessDescriptor * p = (CIPAccessDescriptor *)ds.m_ItemData;
  858. ASSERT(p != NULL);
  860. //
  861. // Display Granted/Denied with appropriate bitmap
  862. //
  863. DrawBitmap(ds, 0, p->HasAccess() ? BMPID_GRANTED : BMPID_DENIED);
  864. ColumnText(ds, 0, TRUE, p->HasAccess() ? m_strGranted : m_strDenied);
  866. //
  867. // Display IP Address with multiple/single bitmap
  868. //
  869. DrawBitmap(ds, 1, p->IsSingle() ? BMPID_SINGLE : BMPID_MULTIPLE);
  871. if (p->IsDomainName())
  872. {
  873. ColumnText(ds, 1, TRUE, p->QueryDomainName());
  874. }
  875. else if (p->IsSingle())
  876. {
  877. //
  878. // Display only ip address
  879. //
  880. ColumnText(ds, 1, TRUE, p->QueryIPAddress());
  881. }
  882. else
  883. {
  884. //
  885. // Display ip address/subnet mask
  886. //
  887. CString str, strIP, strMask;
  889. str.Format(
  890. m_strFormat,
  891. (LPCTSTR)p->QueryIPAddress().QueryIPAddress(strIP),
  892. (LPCTSTR)p->QuerySubnetMask().QueryIPAddress(strMask)
  893. );
  894. ColumnText(ds, 1, TRUE, str);
  895. }
  896. }
  901. /* virtual */
  902. BOOL
  903. CIPAccessDescriptorListBox::Initialize()
  904. /*++
  906. Routine Description:
  908. Initialize the listbox. Insert the columns as requested, and lay
  909. them out appropriately
  911. Arguments:
  913. None
  915. Return Value:
  917. TRUE for succesful initialisation, FALSE otherwise
  919. --*/
  920. {
  921. if (!CHeaderListBox::Initialize())
  922. {
  923. return FALSE;
  924. }
  926. //
  927. // Build all columns
  928. //
  929. for (int nCol = 0; nCol < NUM_COLUMNS; ++nCol)
  930. {
  931. InsertColumn(nCol, g_aColumns[nCol].nWeight, g_aColumns[nCol].nLabelID);
  932. }
  934. //
  935. // Try to set the widths from the stored registry value,
  936. // otherwise distribute according to column weights specified
  937. //
  938. if (!SetWidthsFromReg())
  939. {
  940. DistributeColumns();
  941. }
  943. return TRUE;
  944. }