/*++ Copyright (c) 1994-1999 Microsoft Corporation Module Name : sitesecu.cpp Abstract: Site Security property page Author: Ronald Meijer (ronaldm) Project: Internet Services Manager (cluster edition) Revision History: --*/ // // Include Files // #include "stdafx.h" #include "common.h" #undef dllexp #include #define _RDNS_STANDALONE #include #ifdef _DEBUG #undef THIS_FILE static char BASED_CODE THIS_FILE[] = __FILE__; #endif // _DEBUG //#ifdef _DEBUG // // Careful here... This may cause build failure // extern "C" DEBUG_PRINTS * g_pDebug = NULL; //#endif // _DEBUG #define new DEBUG_NEW CIPAccessDescriptor::CIPAccessDescriptor( IN BOOL fGranted ) /*++ Routine Description: Dummy Constructor for access description object. Assumes a single IP address of 0.0.0.0 Arguments: BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access Return Value: N/A --*/ : m_fGranted(fGranted), m_adtType(CIPAccessDescriptor::ADT_SINGLE), m_iaIPAddress(NULL_IP_ADDRESS), m_iaSubnetMask(NULL_IP_MASK), m_strDomain() { } CIPAccessDescriptor::CIPAccessDescriptor( IN const CIPAccessDescriptor & ac ) /*++ Routine Description: Copy constructor for access description object Arguments: const CIPAccessDescriptor & ac : Source access description object Return Value: N/A --*/ : m_fGranted(ac.m_fGranted), m_adtType(ac.m_adtType), m_iaIPAddress(ac.m_iaIPAddress), m_iaSubnetMask(ac.m_iaSubnetMask), m_strDomain(ac.m_strDomain) { } CIPAccessDescriptor::CIPAccessDescriptor( IN BOOL fGranted, IN DWORD dwIPAddress, IN DWORD dwSubnetMask, OPTIONAL IN BOOL fNetworkByteOrder OPTIONAL ) /*++ Routine Description: Constructor for ip range (ip address/subnet mask pair) access description object. Arguments: BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access DWORD dwIPAddress : IP Address DWORD dwSubnetMask : The subnet mask or 0xffffffff BOOL fNetworkByteOrder : If TRUE, the ip address and subnet mask are in network byte order Return Value: N/A --*/ { SetValues(fGranted, dwIPAddress, dwSubnetMask, fNetworkByteOrder); } CIPAccessDescriptor::CIPAccessDescriptor( IN BOOL fGranted, IN LPCTSTR lpstrDomain ) /*++ Routine Description: Constructor for domain name access description object. Arguments: BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access LPCTSTR lpstrDomain : The domain name Return Value: N/A --*/ { SetValues(fGranted, lpstrDomain); } void CIPAccessDescriptor::SetValues( IN BOOL fGranted, IN DWORD dwIPAddress, IN DWORD dwSubnetMask, IN BOOL fNetworkByteOrder OPTIONAL ) /*++ Routine Description: Set values for 'ip range (ip address and subnet mask)' access descriptor, or a single ip address if the mask is 0xffffffff Arguments: BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access DWORD dwIPAddress : IP Address DWORD dwSubnetMask : The subnet mask or ffffffff BOOL fNetworkByteOrder : If TRUE, the ip address and subnet mask are in network byte order Return Value: None Notes: If the subnetmask is 0xffffffff this describes a single ip address. --*/ { m_fGranted = fGranted; m_adtType = (dwSubnetMask == NULL_IP_MASK) ? ADT_SINGLE : ADT_MULTIPLE; m_iaIPAddress = CIPAddress(dwIPAddress, fNetworkByteOrder); m_iaSubnetMask = CIPAddress(dwSubnetMask, fNetworkByteOrder); // // Not used: // m_strDomain.Empty(); } void CIPAccessDescriptor::SetValues( IN BOOL fGranted, IN LPCTSTR lpstrDomain ) /*++ Routine Description: Set values for 'domain name' access descriptor Arguments: BOOL fGranted : TRUE for 'grant' access, FALSE for 'deny' access LPCTSTR lpstrDomain : The domain name Return Value: None --*/ { m_fGranted = fGranted; m_adtType = ADT_DOMAIN; try { m_strDomain = lpstrDomain; } catch(CMemoryException * e) { TRACEEOLID("!!!exception assigning domain name"); e->ReportError(); e->Delete(); } // // Not used: // m_iaIPAddress.SetZeroValue(); m_iaSubnetMask.SetZeroValue(); } BOOL CIPAccessDescriptor::DuplicateInList( IN CObListPlus & oblList ) /*++ Routine Description: Check to see if a duplicate exists in the provided oblist Arguments: CObListPlus & oblList Return Value: TRUE if a duplicate exists, FALSE otherwise. Notes: As there's no information how this list might be sorted at this point, and the list is likely to be small, the search is sequential. --*/ { CObListIter obli(oblList); CIPAccessDescriptor * pAccess; TRACEEOLID("Looking for duplicate access descriptors"); while (pAccess = (CIPAccessDescriptor *)obli.Next()) { ASSERT_READ_PTR(pAccess); // // Eliminate the item itself from the list, and look // only for duplicates. // if (pAccess != this && *this == *pAccess) { TRACEEOLID("Duplicate access descriptor found"); return TRUE; } } TRACEEOLID("No duplicate access descriptor found"); return FALSE; } BOOL CIPAccessDescriptor::operator ==( IN const CIPAccessDescriptor & ac ) const /*++ Routine Description: Compare against another access descriptor. Arguments: const CIPAccessDescriptor & ac : Object to be compared against Return Value: TRUE if the two are identical --*/ { if ( m_fGranted != ac.m_fGranted || m_adtType != ac.m_adtType) { return FALSE; } if (IsDomainName()) { return m_strDomain.CompareNoCase(ac.m_strDomain) == 0; } return m_iaIPAddress == ac.m_iaIPAddress && m_iaSubnetMask == ac.m_iaSubnetMask; } int CIPAccessDescriptor::OrderByAddress( IN const CObjectPlus * pobAccess ) const /*++ Routine Description: Compare two access descriptors against each other. Sorting criteria are in the following order: 1) 'Granted' sorts before 'Denied' 2) Domain names are sorted before ip addresses, and are sorted alphabetically. 3) IP Address and IP Address/subnet mask pairs are sorted by ip address. Arguments: const CObjectPlus * pobAccess : This really refers to another CIPAccessDescriptor to be compared to. Return Value: Sort (+1, 0, -1) return value --*/ { const CIPAccessDescriptor * pob = (CIPAccessDescriptor *)pobAccess; // // First sort by access/denied // int n1 = HasAccess() ? 1 : 0; int n2 = pob->HasAccess() ? 1 : 0; if (n2 != n1) { // // Grant sorts before denied // return n2 - n1; } // // Secondly, try to sort by domain name (domain name sorts before // ip address and ip address/subnet mask objects) // n1 = IsDomainName() ? 1 : 0; n2 = pob->IsDomainName() ? 1 : 0; if (n1 != n2) { // // Domain names sort before ip addresses // return n2 - n1; } if (n1 && n2) { // // Both are domain names. Sort alphabetically // return ::lstrcmpi(QueryDomainName(), pob->QueryDomainName()); } // // IP address is the third key. // return QueryIPAddress().CompareItem(pob->QueryIPAddress()); } DWORD AddAccessEntries( IN ADDRESS_CHECK & ac, IN BOOL fName, IN BOOL fGrant, OUT CObListPlus & oblAccessList, OUT DWORD & cEntries ) /*++ Routine Description: Add specific kind of addresses from the list to the oblist of access entries Arguments: ADDRESS_CHECK & ac : Address list input object BOOL fName : TRUE for names, FALSE for ip BOOL fGrant : TRUE for granted, FALSE for denied CObListPlus & oblAccessList : ObList to add access entries to int & cEntries : Returns the number of entries Return Value: Error code Notes: Sentinel entries (ip 0.0.0.0) are not added to the oblist, but are reflected in the cEntries return value --*/ { DWORD i; DWORD dwFlags; if (fName) { // // Domain names // LPSTR lpName; cEntries = ac.GetNbName(fGrant); for (i = 0L; i < cEntries; ++i) { if (ac.GetName(fGrant, i, &lpName, &dwFlags)) { CString strDomain(lpName); if (!(dwFlags & DNSLIST_FLAG_NOSUBDOMAIN)) { strDomain = _T("*.") + strDomain; } oblAccessList.AddTail(new CIPAccessDescriptor(fGrant, strDomain)); } } } else { // // IP Addresses // LPBYTE lpMask; LPBYTE lpAddr; cEntries = ac.GetNbAddr(fGrant); for (i = 0L; i < cEntries; ++i) { if (ac.GetAddr(fGrant, i, &dwFlags, &lpMask, &lpAddr)) { DWORD dwIP = MAKEIPADDRESS(lpAddr[0], lpAddr[1], lpAddr[2], lpAddr[3]); DWORD dwMask = MAKEIPADDRESS(lpMask[0], lpMask[1], lpMask[2], lpMask[3]); if (dwIP == NULL_IP_ADDRESS && dwMask == NULL_IP_MASK) { // // Sentinel in the grant list is not added, but // also not subtracted from the count of entries, // which is correct behaviour, since this is // how default grant/deny by default is determined. // TRACEEOLID("Ignoring sentinel"); } else { oblAccessList.AddTail( new CIPAccessDescriptor( fGrant, dwIP, dwMask, FALSE ) ); } } } } return ERROR_SUCCESS; } DWORD BuildIplOblistFromBlob( IN CBlob & blob, OUT CObListPlus & oblAccessList, OUT BOOL & fGrantByDefault ) /*++ Routine Description: Convert a blob to an oblist of access descriptors. Arguments: CBlob & blob : Input binary large object(blob) CObListPlus & oblAccessList : Output oblist of access descriptors BOOL & fGrantByDefault : Returns TRUE if access is granted by default, FALSE otherwise Return Value: Error Return Code --*/ { oblAccessList.RemoveAll(); if (blob.IsEmpty()) { return ERROR_SUCCESS; } ADDRESS_CHECK ac; ac.BindCheckList(blob.GetData(), blob.GetSize()); DWORD cGrantAddr, cGrantName, cDenyAddr, cDenyName; // Name/IP Granted/Deny // ============================================================ AddAccessEntries(ac, TRUE, TRUE, oblAccessList, cGrantName); AddAccessEntries(ac, FALSE, TRUE, oblAccessList, cGrantAddr); AddAccessEntries(ac, TRUE, FALSE, oblAccessList, cDenyName); AddAccessEntries(ac, FALSE, FALSE, oblAccessList, cDenyAddr); ac.UnbindCheckList(); fGrantByDefault = (cDenyAddr + cDenyName != 0L) || (cGrantAddr + cGrantName == 0L); return ERROR_SUCCESS; } LPSTR PrepareDomainName( IN LPSTR lpName, OUT DWORD * pdwFlags ) /*++ Routine Description: Check to see if the domain name contains a wild card, if so remove it. Set the flags based on the domain name Arguments: LPSTR lpName : Input domain name DWORD * pdwFlags : Return the flags for AddName Return: Pointer to the cleaned up domain name --*/ { *pdwFlags = 0L; if (!strncmp(lpName, "*.", 2)) { return lpName + 2; } *pdwFlags |= DNSLIST_FLAG_NOSUBDOMAIN; return lpName; } void BuildIplBlob( IN CObListPlus & oblAccessList, IN BOOL fGrantByDefault, OUT CBlob & blob ) /*++ Routine Description: Build a blob from an oblist of access descriptors Arguments: CObListPlus & oblAccessList : Input oblist of access descriptors BOOL fGrantByDefault : TRUE if access is granted by default CBlob & blob : Output blob Return Value: None Notes: If fGrantByDefault is FALSE, e.g. access is to be denied by default, but nobody is specifically granted access, then add a dummy entry 0.0.0.0 to the grant list. If grant by default is on, then granted entries will not be added to the blob. Similart for denied entries if deny by default is on. --*/ { ADDRESS_CHECK ac; ac.BindCheckList(); int cItems = 0; CObListIter obli(oblAccessList); const CIPAccessDescriptor * pAccess; // // Should be empty to start with. // ASSERT(blob.IsEmpty()); blob.CleanUp(); BYTE bMask[4]; BYTE bIp[4]; while (pAccess = (CIPAccessDescriptor *)obli.Next()) { ASSERT_READ_PTR(pAccess); if (pAccess->HasAccess() == fGrantByDefault) { // // Skip this entry -- it's irrelevant // continue; } if (pAccess->IsDomainName()) { LPSTR lpName = AllocAnsiString(pAccess->QueryDomainName()); if (lpName) { DWORD dwFlags; LPSTR lpDomain = PrepareDomainName(lpName, &dwFlags); ac.AddName( pAccess->HasAccess(), lpDomain, dwFlags ); FreeMem(lpName); } } else { // // Build with network byte order // ac.AddAddr( pAccess->HasAccess(), AF_INET, CIPAddress::DWORDtoLPBYTE(pAccess->QuerySubnetMask(FALSE), bMask), CIPAddress::DWORDtoLPBYTE(pAccess->QueryIPAddress(FALSE), bIp) ); } ++cItems; } if (cItems == 0 && !fGrantByDefault) { // // List is empty. If deny by default is on, create // a dummy sentinel entry to grant access to single // address 0.0.0.0, otherwise we're ok. // ac.AddAddr( TRUE, AF_INET, CIPAddress::DWORDtoLPBYTE(NULL_IP_MASK, bMask), CIPAddress::DWORDtoLPBYTE(NULL_IP_ADDRESS, bIp) ); ++cItems; } if (cItems > 0) { blob.SetValue(ac.QueryCheckListSize(), ac.QueryCheckListPtr(), TRUE); } ac.UnbindCheckList(); }