windows-nt/Source/XPSP1/NT/admin/activec/nodemgr/policy.cpp

178 lines
4.7 KiB
C++
Raw Permalink Normal View History

2020-09-26 03:20:57 -05:00
//____________________________________________________________________________
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1997 - 1999
//
// File: policy.cpp
//
// Contents: Helper class to determine policy for each snapin
//
// Classes: CPolicy
//
// Functions:
//
// History: 12/04/1998 AnandhaG Created
//____________________________________________________________________________
#include "stdafx.h"
#include "policy.h"
/*+-------------------------------------------------------------------------*
*
* CPolicy::ScInit
*
* PURPOSE: Initializes the policy object from registry.
*
* PARAMETERS:
* None.
*
* RETURNS:
* SC - Right now always returns success.
*
*+-------------------------------------------------------------------------*/
SC CPolicy::ScInit()
{
DECLARE_SC (sc, _T("CPolicy::ScInit"));
// Default NT4 configuration. Always allow author mode
// and allow snapins not in permitted list.
m_bRestrictAuthorMode = FALSE;
m_bRestrictedToPermittedList = FALSE;
// Check if the policy key exists. If not return success immediately.
sc = m_rPolicyRootKey.ScOpen (HKEY_CURRENT_USER, POLICY_KEY, KEY_READ);
if (sc)
{
if (sc = ScFromWin32 (ERROR_FILE_NOT_FOUND))
{
TRACE(_T("CPolicy::Policy does not exist\n"));
sc.Clear();
}
return (sc);
}
bool bRestrictAuthorMode = false;
bool bRestrictedToPermittedList = false;
// Read the values of RestrictAuthorMode and whether
// snapins not in the list are permitted or not.
if (m_rPolicyRootKey.IsValuePresent(g_szRestrictAuthorMode))
{
DWORD dwValue;
DWORD dwSize = sizeof(dwValue);
DWORD dwType = REG_DWORD;
sc = m_rPolicyRootKey.ScQueryValue (g_szRestrictAuthorMode, &dwType,
&dwValue, &dwSize);
if (sc)
sc.Clear();
else
bRestrictAuthorMode = !!dwValue;
}
if (m_rPolicyRootKey.IsValuePresent(g_szRestrictToPermittedList))
{
DWORD dwValue = 0;
DWORD dwSize = sizeof(dwValue);
DWORD dwType = REG_DWORD;
sc = m_rPolicyRootKey.ScQueryValue (g_szRestrictToPermittedList, &dwType,
&dwValue, &dwSize);
if (sc)
sc.Clear();
else
bRestrictedToPermittedList = !!dwValue;
}
m_bRestrictAuthorMode = bRestrictAuthorMode;
m_bRestrictedToPermittedList = bRestrictedToPermittedList;
return sc;
}
/*+-------------------------------------------------------------------------*
* CPolicy::IsPermittedSnapIn
*
* Determines if a snap-in is permitted according to this policy. The
* real work happens in
*
* IsPermittedSnapIn (LPCWSTR);
*--------------------------------------------------------------------------*/
bool CPolicy::IsPermittedSnapIn(REFCLSID refSnapInCLSID)
{
CCoTaskMemPtr<WCHAR> spwzSnapinClsid;
/*
* Get the string representation of the CLSID. If that fails,
* permit the snap-in.
*/
if (FAILED (StringFromCLSID (refSnapInCLSID, &spwzSnapinClsid)))
return TRUE;
/*
* forward to the real worker
*/
return (IsPermittedSnapIn (spwzSnapinClsid));
}
/*+-------------------------------------------------------------------------*
* CPolicy::IsPermittedSnapIn
*
* Determines if a snap-in is permitted according to this policy.
*--------------------------------------------------------------------------*/
bool CPolicy::IsPermittedSnapIn(LPCWSTR lpszCLSID)
{
/*
* No CLSID? Allow it.
*/
if (lpszCLSID == NULL)
return (TRUE);
/*
* No policy key? Allow everything.
*/
if (m_rPolicyRootKey == NULL)
return (true);
// See if this snapin policy is defined or not.
bool bRestricted = FALSE;
bool bSnapinFound = FALSE;
USES_CONVERSION;
CRegKeyEx regKeyTemp;
bSnapinFound = !regKeyTemp.ScOpen (m_rPolicyRootKey, W2CT(lpszCLSID), KEY_READ).IsError();
if (bSnapinFound && regKeyTemp.IsValuePresent(g_szRestrictRun))
{
// Read the value of Restrict_Run.
DWORD dwValue = 0;
DWORD dwSize = sizeof(DWORD);
DWORD dwType = REG_DWORD;
regKeyTemp.ScQueryValue (g_szRestrictRun, &dwType, &dwValue, &dwSize);
bRestricted = !!dwValue;
}
// At this point we know policies root key exists. So if the
// snapin key is not found, then we have to see if the administrator
// allows snapins not in the permitted list (therefore snapin key
// does not exist).
if (! bSnapinFound)
{
if(m_bRestrictedToPermittedList)
return false; // because if the snap-in is not on the list, and
// restrictions are set, disallow by default
else
return true; // NT4 behavior - no restrictions set, and per-snap-in
// entry not found, so allow by default.
}
// At this point snapin's Restrict_Run key was read so use it.
return (!bRestricted);
}