able/windows-nt
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
windows-nt/Source/XPSP1/NT/ds/adsi/router/var2sec.cxx
CryptoAlgo Inc b3cac27891 Add source files
2020-09-26 16:20:57 +08:00

2190 lines
54 KiB
C++
Raw Blame History

//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1995.
//
// File: libmain.cxx
//
// Contents: LibMain for nds.dll
//
// Functions: LibMain, DllGetClassObject
//
// History: 25-Oct-94 KrishnaG Created.
//
//----------------------------------------------------------------------------
#include "oleds.hxx"
#pragma hdrstop
CRITICAL_SECTION g_StringsCriticalSection;
WCHAR g_szBuiltin[100];
WCHAR g_szNT_Authority[100];
WCHAR g_szAccountOperators[100];
WCHAR g_szPrintOperators[100];
WCHAR g_szBackupOperators[100];
WCHAR g_szServerOperators[100];
WCHAR g_szPreWindows2000[100];
BOOL g_fStringsLoaded = FALSE;
//
// Global variables for dynamically loaded fn's.
//
HANDLE g_hDllAdvapi32 = NULL;
BOOL g_fDllsLoaded = FALSE;
extern "C" {
HRESULT
ConvertSidToString(
PSID pSid,
LPWSTR String
);
}
DWORD
GetDomainDNSNameForDomain(
LPWSTR pszDomainFlatName,
BOOL fVerify,
BOOL fWriteable,
LPWSTR pszServerName,
LPWSTR pszDomainDNSName
);
#define GetAce ADSIGetAce
#define AddAce ADSIAddAce
#define DeleteAce ADSIDeleteAce
#define GetAclInformation ADSIGetAclInformation
#define SetAclInformation ADSISetAclInformation
#define IsValidAcl ADSIIsValidAcl
#define InitializeAcl ADSIInitializeAcl
#define SetSecurityDescriptorControl ADSISetControlSecurityDescriptor
#define SE_VALID_CONTROL_BITS ( SE_DACL_UNTRUSTED | \
SE_SERVER_SECURITY | \
SE_DACL_AUTO_INHERIT_REQ | \
SE_SACL_AUTO_INHERIT_REQ | \
SE_DACL_AUTO_INHERITED | \
SE_SACL_AUTO_INHERITED | \
SE_DACL_PROTECTED | \
SE_SACL_PROTECTED )
BOOL
EquivalentServers(
LPWSTR pszTargetServer,
LPWSTR pszSourceServer
);
HRESULT
SecCreateSidFromArray (
OUT PSID *PPSid,
IN PSID_IDENTIFIER_AUTHORITY PSidAuthority,
IN UCHAR SubAuthorityCount,
IN ULONG SubAuthorities[],
OUT PDWORD pdwSidSize
);
HRESULT
ConvertStringToSid(
IN PWSTR string,
OUT PSID *sid,
OUT PDWORD pdwSidSize,
OUT PWSTR *end
);
HRESULT
AddFilteredACEs(
PACL pAcl,
DWORD dwAclRevision,
PACE_HEADER *ppAceHdr,
DWORD dwCountACEs,
DWORD *pdwAclPosition,
BOOL fInheritedACEs,
BOOL fDenyACEs,
BOOL fDenyObjectACEs,
BOOL fGrantACEs,
BOOL fGrantObjectACEs,
BOOL fAuditACEs
);
//
// These wrapper functions are needed as some fn's need to
// be loaded dynamically as they are not available on NT4
//
#define SET_SD_CONTROL_API "SetSecurityDescriptorControl"
//
// Helper that loads functions in advapi32.
//
PVOID LoadAdvapi32Function(CHAR *function)
{
//
// Since the strings critical section is only used in this file,
// be fine just re-using it here.
//
if (!g_fDllsLoaded) {
EnterCriticalSection(&g_StringsCriticalSection);
if (!g_fDllsLoaded) {
g_hDllAdvapi32 = LoadLibrary(L"ADVAPI32.DLL");
//
// Even if this fails, there is nothing we can do.
//
g_fDllsLoaded = TRUE;
}
LeaveCriticalSection(&g_StringsCriticalSection);
}
if (g_hDllAdvapi32) {
return((PVOID*) GetProcAddress((HMODULE) g_hDllAdvapi32, function));
}
return NULL;
}
typedef DWORD (*PF_SetSecurityDescriptorControl) (
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
IN SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,
IN SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet
);
//
// Wrapper function for the same.
//
DWORD SetSecurityDescriptorControlWrapper(
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
IN SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,
IN SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet
)
{
static PF_SetSecurityDescriptorControl pfSetSecDescControl = NULL;
static BOOL f_LoadAttempted = FALSE;
//
// Load the fn and set the variables accordingly.
//
if (!f_LoadAttempted && pfSetSecDescControl == NULL) {
pfSetSecDescControl = (PF_SetSecurityDescriptorControl)
LoadAdvapi32Function(SET_SD_CONTROL_API);
f_LoadAttempted = TRUE;
}
if (pfSetSecDescControl != NULL) {
return ((*pfSetSecDescControl)(
pSecurityDescriptor,
ControlBitsOfInterest,
ControlBitsToSet
)
);
}
else {
//
// This will call the routine in acledit.cxx.
// We should be in this codepath only in pre win2k
// machines.
//
return SetSecurityDescriptorControl(
pSecurityDescriptor,
ControlBitsOfInterest,
ControlBitsToSet
);
}
}
HRESULT
ConvertSecurityDescriptorToSecDes(
LPWSTR pszServerName,
CCredentials& Credentials,
IADsSecurityDescriptor FAR * pSecDes,
PSECURITY_DESCRIPTOR * ppSecurityDescriptor,
PDWORD pdwSDLength,
BOOL fNTDSType
)
{
HRESULT hr = S_OK;
SECURITY_DESCRIPTOR AbsoluteSD;
PSECURITY_DESCRIPTOR pRelative = NULL;
BOOL Defaulted = FALSE;
BOOL DaclPresent = FALSE;
BOOL SaclPresent = FALSE;
BOOL fDaclDefaulted = FALSE;
BOOL fSaclDefaulted = FALSE;
BOOL fOwnerDefaulted = FALSE;
BOOL fGroupDefaulted = FALSE;
PSID pOwnerSid = NULL;
PSID pGroupSid = NULL;
PACL pDacl = NULL;
PACL pSacl = NULL;
DWORD dwSDLength = 0;
BOOL dwStatus = 0;
DWORD dwControl = 0;
DWORD dwRevision = 0;
hr = pSecDes->get_Revision((long *)&dwRevision);
BAIL_ON_FAILURE(hr);
dwStatus = InitializeSecurityDescriptor (
&AbsoluteSD,
dwRevision
);
if (!dwStatus) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
hr = pSecDes->get_Control((long *)&dwControl);
BAIL_ON_FAILURE(hr);
dwStatus = SetSecurityDescriptorControlWrapper(
&AbsoluteSD,
SE_VALID_CONTROL_BITS,
(SECURITY_DESCRIPTOR_CONTROL) (dwControl & SE_VALID_CONTROL_BITS)
);
if (!dwStatus) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
hr = GetOwnerSecurityIdentifier(
pszServerName,
Credentials,
pSecDes,
&pOwnerSid,
&fOwnerDefaulted,
fNTDSType
);
BAIL_ON_FAILURE(hr);
dwStatus = SetSecurityDescriptorOwner(
&AbsoluteSD,
pOwnerSid,
fOwnerDefaulted
);
if (!dwStatus) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
hr = GetGroupSecurityIdentifier(
pszServerName,
Credentials,
pSecDes,
&pGroupSid,
&fGroupDefaulted,
fNTDSType
);
BAIL_ON_FAILURE(hr);
dwStatus = SetSecurityDescriptorGroup(
&AbsoluteSD,
pGroupSid,
fGroupDefaulted
);
if (!dwStatus) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
hr = GetDacl(
pszServerName,
Credentials,
pSecDes,
&pDacl,
&fDaclDefaulted,
fNTDSType
);
BAIL_ON_FAILURE(hr);
if (pDacl || fDaclDefaulted) {
DaclPresent = TRUE;
}
//
// This is a special case, basically the DACL is defaulted
// and pDacl is NULL. In order for this to work correctly,
// pDacl should be an empty ACL not null.
//
if (DaclPresent && !pDacl) {
pDacl = (PACL) AllocADsMem(sizeof(ACL));
if (!pDacl) {
BAIL_ON_FAILURE(hr = E_OUTOFMEMORY);
}
dwStatus = InitializeAcl(
pDacl,
sizeof(ACL),
ACL_REVISION // this revision will work for NT4 and Win2k
);
if (!dwStatus) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
}
dwStatus = SetSecurityDescriptorDacl(
&AbsoluteSD,
DaclPresent,
pDacl,
fDaclDefaulted
);
if (!dwStatus) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
hr = GetSacl(
pszServerName,
Credentials,
pSecDes,
&pSacl,
&fSaclDefaulted,
fNTDSType
);
BAIL_ON_FAILURE(hr);
if (pSacl || fSaclDefaulted) {
SaclPresent = TRUE;
}
dwStatus = SetSecurityDescriptorSacl(
&AbsoluteSD,
SaclPresent,
pSacl,
fSaclDefaulted
);
if (!dwStatus) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
dwSDLength = GetSecurityDescriptorLength(
&AbsoluteSD
);
pRelative = AllocADsMem(dwSDLength);
if (!pRelative) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
if (!MakeSelfRelativeSD (&AbsoluteSD, pRelative, &dwSDLength)) {
FreeADsMem(pRelative);
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
*ppSecurityDescriptor = pRelative;
*pdwSDLength = dwSDLength;
cleanup:
if (pDacl) {
FreeADsMem(pDacl);
}
if (pSacl) {
FreeADsMem(pSacl);
}
if (pOwnerSid) {
FreeADsMem(pOwnerSid);
}
if (pGroupSid) {
FreeADsMem(pGroupSid);
}
RRETURN(hr);
error:
if (pRelative) {
FreeADsMem(pRelative);
}
*ppSecurityDescriptor = NULL;
*pdwSDLength = 0;
goto cleanup;
}
HRESULT
GetOwnerSecurityIdentifier(
LPWSTR pszServerName,
CCredentials& Credentials,
IADsSecurityDescriptor FAR * pSecDes,
PSID * ppSid,
PBOOL pfOwnerDefaulted,
BOOL fNTDSType
)
{
BSTR bstrOwner = NULL;
DWORD dwSidSize = 0;
HRESULT hr = S_OK;
VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_Owner(
&bstrOwner
);
BAIL_ON_FAILURE(hr);
hr = pSecDes->get_OwnerDefaulted(
&varBool
);
BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) {
if (bstrOwner && *bstrOwner) {
hr = ConvertTrusteeToSid(
pszServerName,
Credentials,
bstrOwner,
ppSid,
&dwSidSize,
fNTDSType
);
BAIL_ON_FAILURE(hr);
*pfOwnerDefaulted = FALSE;
}else {
*ppSid = NULL;
*pfOwnerDefaulted = FALSE;
}
}else {
*ppSid = NULL;
dwSidSize = 0;
*pfOwnerDefaulted = TRUE;
}
error:
if (bstrOwner) {
ADsFreeString(bstrOwner);
}
RRETURN(hr);
}
HRESULT
GetGroupSecurityIdentifier(
LPWSTR pszServerName,
CCredentials& Credentials,
IADsSecurityDescriptor FAR * pSecDes,
PSID * ppSid,
PBOOL pfGroupDefaulted,
BOOL fNTDSType
)
{
BSTR bstrGroup = NULL;
DWORD dwSidSize = 0;
HRESULT hr = S_OK;
VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_Group(
&bstrGroup
);
BAIL_ON_FAILURE(hr);
hr = pSecDes->get_GroupDefaulted(
&varBool
);
BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) {
if (bstrGroup && *bstrGroup) {
hr = ConvertTrusteeToSid(
pszServerName,
Credentials,
bstrGroup,
ppSid,
&dwSidSize,
fNTDSType
);
BAIL_ON_FAILURE(hr);
*pfGroupDefaulted = FALSE;
}else {
*ppSid = NULL;
*pfGroupDefaulted = FALSE;
}
}else {
*ppSid = NULL;
dwSidSize = 0;
*pfGroupDefaulted = TRUE;
}
error:
if (bstrGroup) {
ADsFreeString(bstrGroup);
}
RRETURN(hr);
}
HRESULT
GetDacl(
LPWSTR pszServerName,
CCredentials& Credentials,
IADsSecurityDescriptor FAR * pSecDes,
PACL * ppDacl,
PBOOL pfDaclDefaulted,
BOOL fNTDSType
)
{
IADsAccessControlList FAR * pDiscAcl = NULL;
IDispatch FAR * pDispatch = NULL;
HRESULT hr = S_OK;
VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_DaclDefaulted(
&varBool
);
BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) {
*pfDaclDefaulted = FALSE;
}else {
*pfDaclDefaulted = TRUE;
}
hr = pSecDes->get_DiscretionaryAcl(
&pDispatch
);
BAIL_ON_FAILURE(hr);
if (!pDispatch) {
*ppDacl = NULL;
goto error;
}
hr = pDispatch->QueryInterface(
IID_IADsAccessControlList,
(void **)&pDiscAcl
);
BAIL_ON_FAILURE(hr);
hr = ConvertAccessControlListToAcl(
pszServerName,
Credentials,
pDiscAcl,
ppDacl,
fNTDSType
);
BAIL_ON_FAILURE(hr);
error:
if (pDispatch) {
pDispatch->Release();
}
if (pDiscAcl) {
pDiscAcl->Release();
}
RRETURN(hr);
}
HRESULT
GetSacl(
LPWSTR pszServerName,
CCredentials& Credentials,
IADsSecurityDescriptor FAR * pSecDes,
PACL * ppSacl,
PBOOL pfSaclDefaulted,
BOOL fNTDSType
)
{
IADsAccessControlList FAR * pSystemAcl = NULL;
IDispatch FAR * pDispatch = NULL;
HRESULT hr = S_OK;
VARIANT_BOOL varBool = VARIANT_FALSE;
hr = pSecDes->get_SaclDefaulted(
&varBool
);
BAIL_ON_FAILURE(hr);
if (varBool == VARIANT_FALSE) {
*pfSaclDefaulted = FALSE;
}else {
*pfSaclDefaulted = TRUE;
}
hr = pSecDes->get_SystemAcl(
&pDispatch
);
BAIL_ON_FAILURE(hr);
if (!pDispatch) {
*ppSacl = NULL;
goto error;
}
hr = pDispatch->QueryInterface(
IID_IADsAccessControlList,
(void **)&pSystemAcl
);
BAIL_ON_FAILURE(hr);
hr = ConvertAccessControlListToAcl(
pszServerName,
Credentials,
pSystemAcl,
ppSacl,
fNTDSType
);
BAIL_ON_FAILURE(hr);
error:
if (pDispatch) {
pDispatch->Release();
}
if (pSystemAcl) {
pSystemAcl->Release();
}
RRETURN(hr);
}
HRESULT
ConvertAccessControlListToAcl(
LPWSTR pszServerName,
CCredentials& Credentials,
IADsAccessControlList FAR * pAccessList,
PACL * ppAcl,
BOOL fNTDSType
)
{
IUnknown * pUnknown = NULL;
IEnumVARIANT * pEnumerator = NULL;
HRESULT hr = S_OK;
DWORD i = 0;
DWORD iAclPosition = 0;
DWORD cReturned = 0;
VARIANT varAce;
DWORD dwAceCount = 0;
IADsAccessControlEntry FAR * pAccessControlEntry = NULL;
LPBYTE pTempAce = NULL;
DWORD dwCount = 0;
PACL pAcl = NULL;
DWORD dwAclSize = 0;
PACE_HEADER * ppAceHdr = NULL;
DWORD dwRet = 0;
DWORD dwAclRevision = 0;
DWORD dwError = 0;
//
// Defines the canonical ordering of the ACEs.
//
struct AceOrderElement
{
BOOL fInheritedACEs;
BOOL fDenyACEs;
BOOL fDenyObjectACEs;
BOOL fGrantACEs;
BOOL fGrantObjectACEs;
BOOL fAuditACEs;
} AceOrderSequence [] =
{
{FALSE, FALSE, FALSE, FALSE, FALSE, TRUE},
{FALSE, TRUE, FALSE, FALSE, FALSE, FALSE},
{FALSE, FALSE, TRUE, FALSE, FALSE, FALSE},
{FALSE, FALSE, FALSE, TRUE, FALSE, FALSE},
{FALSE, FALSE, FALSE, FALSE, TRUE, FALSE},
{TRUE, FALSE, FALSE, FALSE, FALSE, TRUE},
{TRUE, TRUE, FALSE, FALSE, FALSE, FALSE},
{TRUE, FALSE, TRUE, FALSE, FALSE, FALSE},
{TRUE, FALSE, FALSE, TRUE, FALSE, FALSE},
{TRUE, FALSE, FALSE, FALSE, TRUE, FALSE}
};
DWORD dwAceOrderSequenceLen = sizeof(AceOrderSequence) / sizeof (AceOrderElement);
hr = pAccessList->get_AceCount((long *)&dwAceCount);
BAIL_ON_FAILURE(hr);
hr = pAccessList->get__NewEnum(
&pUnknown
);
BAIL_ON_FAILURE(hr);
hr = pUnknown->QueryInterface(
IID_IEnumVARIANT,
(void FAR * FAR *)&pEnumerator
);
BAIL_ON_FAILURE(hr);
ppAceHdr = (PACE_HEADER *)AllocADsMem(sizeof(PACE_HEADER)*dwAceCount);
if (!ppAceHdr) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
for (i = 0; i < dwAceCount; i++) {
VariantInit(&varAce);
hr = pEnumerator->Next(
1,
&varAce,
&cReturned
);
//
// Need to BAIL here as we could not convert an ACL.
//
BAIL_ON_FAILURE(hr);
hr = (V_DISPATCH(&varAce))->QueryInterface(
IID_IADsAccessControlEntry,
(void **)&pAccessControlEntry
);
BAIL_ON_FAILURE(hr);
hr = ConvertAccessControlEntryToAce(
pszServerName,
Credentials,
pAccessControlEntry,
&(pTempAce),
fNTDSType
);
BAIL_ON_FAILURE(hr);
*(ppAceHdr + dwCount) = (PACE_HEADER)pTempAce;
VariantClear(&varAce);
if (pAccessControlEntry) {
pAccessControlEntry->Release();
pAccessControlEntry = NULL;
}
dwCount++;
}
hr = ComputeTotalAclSize(ppAceHdr, dwCount, &dwAclSize);
BAIL_ON_FAILURE(hr);
pAcl = (PACL)AllocADsMem(dwAclSize);
if (!pAcl) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
hr = pAccessList->get_AclRevision((long *)&dwAclRevision);
BAIL_ON_FAILURE(hr);
dwRet = InitializeAcl(
pAcl,
dwAclSize,
dwAclRevision
);
if (!dwRet) {
hr = HRESULT_FROM_WIN32(GetLastError());
BAIL_ON_FAILURE(hr);
}
//
// Add the ACEs in canonical ordering:
// All Explitic Audit
// All Explicit Deny
// All Explicit Object Deny
// All Explicit Allow
// All Explicit Object Allow
//
// All Inherited Audit
// All Inherited Deny
// All Inherited Object Deny
// All Inherited Allow
// All Inherited Object Allow
//
for (i=0; i < dwAceOrderSequenceLen; i++) {
hr = AddFilteredACEs(
pAcl,
dwAclRevision,
ppAceHdr,
dwCount,
&iAclPosition,
AceOrderSequence[i].fInheritedACEs,
AceOrderSequence[i].fDenyACEs,
AceOrderSequence[i].fDenyObjectACEs,
AceOrderSequence[i].fGrantACEs,
AceOrderSequence[i].fGrantObjectACEs,
AceOrderSequence[i].fAuditACEs
);
BAIL_ON_FAILURE(hr);
}
*ppAcl = pAcl;
error:
if (ppAceHdr) {
for (i = 0; i < dwCount; i++) {
if (*(ppAceHdr + i)) {
FreeADsMem(*(ppAceHdr + i));
}
}
FreeADsMem(ppAceHdr);
}
if (pUnknown) {
pUnknown->Release();
}
if (pEnumerator) {
pEnumerator->Release();
}
RRETURN(hr);
}
/*
* AddFilteredACEs
*
* Adds ACEs from ppAceHdr (of size dwCountACEs) to the ACL pAcl
* (of revision dwAclRevision), starting at position *pdwAclPosition in
* the ACL, based on the filter settings fInheritedACEs, fDenyACEs,
* fGrantACEs, fDenyObjectACEs, fGrantObjectACEs, and fAuditACEs.
*
* On return, *pdwAclPosition is the position to continue adding
* ACEs at.
*
*/
HRESULT
AddFilteredACEs(
PACL pAcl, // the ACL to add the ACEs to
DWORD dwAclRevision, // the revision of the ACL
PACE_HEADER *ppAceHdr, // the ACEs to add
DWORD dwCountACEs, // number of ACEs in ppAceHdr
DWORD *pdwAclPosition, // starting(in)/ending(out) position
BOOL fInheritedACEs, // include explicit or inherited ACEs?
BOOL fDenyACEs, // include access-deny ACEs?
BOOL fDenyObjectACEs, // include access-deny-object ACEs?
BOOL fGrantACEs, // include access-grant ACEs?
BOOL fGrantObjectACEs, // include access-grant-object ACEs?
BOOL fAuditACEs // include audit ACEs?
)
{
HRESULT hr = S_OK;
DWORD dwStatus;
DWORD i;
DWORD iAclPosition = *pdwAclPosition;
BOOL fAddIt;
BOOL fIsAceInherited;
for (i = 0; i < dwCountACEs; i++) {
//
// Filter based on whether we're adding explicit or inherited ACEs
//
fIsAceInherited = (((*(ppAceHdr + i))->AceFlags) & INHERITED_ACE) ? TRUE : FALSE;
if ( fIsAceInherited == fInheritedACEs) {
fAddIt = FALSE;
//
// Filter based on ACE type
//
switch ((*(ppAceHdr + i))->AceType) {
case ACCESS_ALLOWED_ACE_TYPE:
if (fGrantACEs) {
fAddIt = TRUE;
}
break;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
if (fGrantObjectACEs) {
fAddIt = TRUE;
}
break;
case ACCESS_DENIED_ACE_TYPE:
if (fDenyACEs) {
fAddIt = TRUE;
}
break;
case ACCESS_DENIED_OBJECT_ACE_TYPE:
if (fDenyObjectACEs) {
fAddIt = TRUE;
}
break;
case SYSTEM_AUDIT_ACE_TYPE:
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
if (fAuditACEs) {
fAddIt = TRUE;
}
break;
default:
BAIL_ON_FAILURE(hr = E_INVALIDARG);
break;
}
//
// If the ACE met the criteria, add it to the ACL
//
if (fAddIt) {
dwStatus = AddAce(
pAcl,
dwAclRevision,
iAclPosition++,
(LPBYTE)*(ppAceHdr + i),
(*(ppAceHdr + i))->AceSize
);
if (!dwStatus) {
BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError()));
}
}
}
}
error:
*pdwAclPosition = iAclPosition;
RRETURN(hr);
}
HRESULT
ConvertAccessControlEntryToAce(
LPWSTR pszServerName,
CCredentials& Credentials,
IADsAccessControlEntry * pAccessControlEntry,
LPBYTE * ppAce,
BOOL fNTDSType
)
{
DWORD dwAceType = 0;
HRESULT hr = S_OK;
BSTR bstrTrustee = NULL;
PSID pSid = NULL;
DWORD dwSidSize = 0;
DWORD dwAceFlags = 0;
DWORD dwAccessMask = 0;
DWORD dwAceSize = 0;
LPBYTE pAce = NULL;
PACCESS_MASK pAccessMask = NULL;
PSID pSidAddress = NULL;
PUSHORT pCompoundAceType = NULL;
DWORD dwCompoundAceType = 0;
PACE_HEADER pAceHeader = NULL;
LPBYTE pOffset = NULL;
BSTR bstrObjectTypeClsid = NULL;
BSTR bstrInheritedObjectTypeClsid = NULL;
GUID ObjectTypeGUID;
GUID InheritedObjectTypeGUID;
PULONG pFlags;
DWORD dwFlags = 0;
BOOL fLookupTrustee = TRUE;
BOOL fSidValid = FALSE;
IADsAcePrivate *pPrivAce = NULL;
hr = pAccessControlEntry->get_AceType((LONG *)&dwAceType);
BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_Trustee(&bstrTrustee);
BAIL_ON_FAILURE(hr);
//
// We need to see if we can use a cached SID here.
//
hr = pAccessControlEntry->QueryInterface(
IID_IADsAcePrivate,
(void **)&pPrivAce
);
if (SUCCEEDED(hr)) {
//
// See if the SID is valid and if so try and retrieve it.
//
hr = pPrivAce->isSidValid(&fSidValid);
if (SUCCEEDED(hr) && fSidValid) {
hr = pPrivAce->getSid(
&pSid,
&dwSidSize
);
if (SUCCEEDED(hr)) {
fLookupTrustee = FALSE;
}
}
}
if (fLookupTrustee) {
hr = ConvertTrusteeToSid(
pszServerName,
Credentials,
bstrTrustee,
&pSid,
&dwSidSize,
fNTDSType
);
}
BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_AceFlags((long *)&dwAceFlags);
BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_AccessMask((long *)&dwAccessMask);
BAIL_ON_FAILURE(hr);
//
// we will compensateby adding the entire ACE size
//
dwAceSize = dwSidSize - sizeof(ULONG);
switch (dwAceType) {
case ACCESS_ALLOWED_ACE_TYPE:
dwAceSize += sizeof(ACCESS_ALLOWED_ACE);
pAce = (LPBYTE)AllocADsMem(dwAceSize);
if (!pAce) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
pAceHeader = (PACE_HEADER)pAce;
pAceHeader->AceType = (UCHAR)dwAceType;
pAceHeader->AceFlags = (UCHAR)dwAceFlags;
pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK));
memcpy(pSidAddress, pSid, dwSidSize);
break;
case ACCESS_DENIED_ACE_TYPE:
dwAceSize += sizeof(ACCESS_ALLOWED_ACE);
pAce = (LPBYTE)AllocADsMem(dwAceSize);
if (!pAce) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
pAceHeader = (PACE_HEADER)pAce;
pAceHeader->AceType = (UCHAR)dwAceType;
pAceHeader->AceFlags = (UCHAR)dwAceFlags;
pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK));
memcpy(pSidAddress, pSid, dwSidSize);
break;
case SYSTEM_AUDIT_ACE_TYPE:
dwAceSize += sizeof(ACCESS_ALLOWED_ACE);
pAce = (LPBYTE)AllocADsMem(dwAceSize);
if (!pAce) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
pAceHeader = (PACE_HEADER)pAce;
pAceHeader->AceType = (UCHAR)dwAceType;
pAceHeader->AceFlags = (UCHAR)dwAceFlags;
pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK));
memcpy(pSidAddress, pSid, dwSidSize);
break;
case SYSTEM_ALARM_ACE_TYPE:
dwAceSize += sizeof(ACCESS_ALLOWED_ACE);
pAce = (LPBYTE)AllocADsMem(dwAceSize);
if (!pAce) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
pAceHeader = (PACE_HEADER)pAce;
pAceHeader->AceType = (UCHAR)dwAceType;
pAceHeader->AceFlags = (UCHAR)dwAceFlags;
pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pSidAddress = (PSID)((LPBYTE)pAccessMask + sizeof(ACCESS_MASK));
memcpy(pSidAddress, pSid, dwSidSize);
break;
case ACCESS_ALLOWED_COMPOUND_ACE_TYPE:
dwAceSize += sizeof(COMPOUND_ACCESS_ALLOWED_ACE);
pAce = (LPBYTE)AllocADsMem(dwAceSize);
if (!pAce) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
pAceHeader = (PACE_HEADER)pAce;
pAceHeader->AceType = (UCHAR)dwAceType;
pAceHeader->AceFlags = (UCHAR)dwAceFlags;
pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
pCompoundAceType = (PUSHORT)(pAccessMask + sizeof(ACCESS_MASK));
*pCompoundAceType = (USHORT)dwCompoundAceType;
//
// Fill in the reserved field here.
//
pSidAddress = (PSID)((LPBYTE)pCompoundAceType + sizeof(DWORD));
memcpy(pSidAddress, pSid, dwSidSize);
break;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
case ACCESS_DENIED_OBJECT_ACE_TYPE:
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
case SYSTEM_ALARM_OBJECT_ACE_TYPE:
hr = pAccessControlEntry->get_AceFlags((LONG *)&dwAceFlags);
BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_Flags((LONG *)&dwFlags);
BAIL_ON_FAILURE(hr);
if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
dwAceSize += sizeof(GUID);
}
if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
dwAceSize += sizeof(GUID);
}
hr = pAccessControlEntry->get_ObjectType(&bstrObjectTypeClsid);
BAIL_ON_FAILURE(hr);
hr = CLSIDFromString(bstrObjectTypeClsid, &ObjectTypeGUID);
BAIL_ON_FAILURE(hr);
hr = pAccessControlEntry->get_InheritedObjectType(&bstrInheritedObjectTypeClsid);
BAIL_ON_FAILURE(hr);
hr = CLSIDFromString(bstrInheritedObjectTypeClsid, &InheritedObjectTypeGUID);
BAIL_ON_FAILURE(hr);
dwAceSize += sizeof(ACCESS_ALLOWED_OBJECT_ACE);
pAce = (LPBYTE)AllocADsMem(dwAceSize);
if (!pAce) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
pAceHeader = (PACE_HEADER)pAce;
pAceHeader->AceType = (UCHAR)dwAceType;
pAceHeader->AceFlags = (UCHAR)dwAceFlags;
pAceHeader->AceSize = (USHORT)dwAceSize;
pAccessMask = (PACCESS_MASK)((LPBYTE)pAceHeader + sizeof(ACE_HEADER));
*pAccessMask = (ACCESS_MASK)dwAccessMask;
//
// Fill in Flags
//
pOffset = (LPBYTE)((LPBYTE)pAceHeader + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
pFlags = (PULONG)(pOffset);
*pFlags = dwFlags;
pOffset += sizeof(ULONG);
if (dwFlags & ACE_OBJECT_TYPE_PRESENT) {
memcpy(pOffset, &ObjectTypeGUID, sizeof(GUID));
pOffset += sizeof(GUID);
}
if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
memcpy(pOffset, &InheritedObjectTypeGUID, sizeof(GUID));
pOffset += sizeof(GUID);
}
pSidAddress = (PSID)((LPBYTE)pOffset);
memcpy(pSidAddress, pSid, dwSidSize);
break;
default:
hr = HRESULT_FROM_WIN32(ERROR_INVALID_ACL);
BAIL_ON_FAILURE(hr);
break;
}
*ppAce = pAce;
error:
if (bstrTrustee) {
ADsFreeString(bstrTrustee);
}
if (pSid) {
FreeADsMem(pSid);
}
if (bstrObjectTypeClsid) {
SysFreeString(bstrObjectTypeClsid);
}
if (bstrInheritedObjectTypeClsid) {
SysFreeString(bstrInheritedObjectTypeClsid);
}
if (pPrivAce) {
pPrivAce->Release();
}
RRETURN(hr);
}
HRESULT
ComputeTotalAclSize(
PACE_HEADER * ppAceHdr,
DWORD dwAceCount,
PDWORD pdwAclSize
)
{
DWORD i = 0;
PACE_HEADER pAceHdr = NULL;
DWORD dwAceSize = 0;
DWORD dwAclSize = 0;
for (i = 0; i < dwAceCount; i++) {
pAceHdr = *(ppAceHdr + i);
dwAceSize = pAceHdr->AceSize;
dwAclSize += dwAceSize;
}
dwAclSize += sizeof(ACL);
*pdwAclSize = dwAclSize;
RRETURN(S_OK);
}
HRESULT
ParseAccountName(LPWSTR szFullAccountName,
LPWSTR *pszUserDomainName,
LPWSTR *pszUserAccountName)
{
HRESULT hr = S_OK;
DWORD dwDomain = 0;
BOOLEAN bFound = FALSE;
LPWSTR szUserDomainName = NULL;
LPWSTR szUserAccountName = NULL;
LPWSTR szCount = szFullAccountName;
if (!szFullAccountName) {
hr = E_FAIL;
BAIL_ON_FAILURE(hr);
}
while (*szCount) {
if (*szCount == '\\') {
bFound = TRUE;
break;
}
dwDomain++;
szCount++;
}
if (bFound) {
DWORD dwRest = 0;
szUserDomainName = (LPWSTR)AllocADsMem(sizeof(WCHAR) * (dwDomain+1));
if (!szUserDomainName) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
wcsncpy(szUserDomainName,
szFullAccountName,
dwDomain);
wcscat(szUserDomainName, L"\0");
szUserAccountName = AllocADsStr(szCount+1);
if (!szUserAccountName) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
}
else {
szUserAccountName = AllocADsStr(szFullAccountName);
if (!szUserAccountName) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
szUserDomainName = NULL;
}
*pszUserAccountName = szUserAccountName;
*pszUserDomainName = szUserDomainName;
return hr;
error:
if (szUserAccountName) {
FreeADsMem(szUserAccountName);
}
if (szUserDomainName) {
FreeADsMem(szUserDomainName);
}
return hr;
}
HRESULT
ConvertTrusteeToSid(
LPWSTR pszServerName,
CCredentials& Credentials,
BSTR bstrTrustee,
PSID * ppSid,
PDWORD pdwSidSize,
BOOL fNTDSType
)
{
HRESULT hr = S_OK;
BYTE Sid[MAX_PATH];
DWORD dwSidSize = sizeof(Sid);
DWORD dwRet = 0;
DWORD dwErr = 0;
WCHAR szDomainName[MAX_PATH];
DWORD dwDomainSize = sizeof(szDomainName)/sizeof(WCHAR);
SID_NAME_USE eUse;
PSID pSid = NULL;
LPWSTR pszEnd = NULL;
LPWSTR szUserDomainName = NULL;
LPWSTR szUserAccountName = NULL;
LPWSTR szAccountName = NULL;
BOOL fForceVerify = FALSE;
//
// Load the strings into table if necessary
//
if (!g_fStringsLoaded) {
EnterCriticalSection(&g_StringsCriticalSection);
//
// Verify flag again.
//
if (!g_fStringsLoaded) {
dwRet = LoadStringW(
g_hInst,
ADS_BUILTIN,
g_szBuiltin,
sizeof( g_szBuiltin ) / sizeof( WCHAR )
);
if (!dwRet) {
//
// Default to English values.
//
wcscpy(g_szBuiltin, L"BUILTIN");
}
dwRet = LoadStringW(
g_hInst,
ADS_NT_AUTHORITY,
g_szNT_Authority,
sizeof( g_szNT_Authority ) / sizeof( WCHAR )
);
if (!dwRet) {
//
// Default to English values.
//
wcscpy(g_szNT_Authority, L"NT AUTHORITY");
}
dwRet = LoadStringW(
g_hInst,
ADS_ACCOUNT_OPERATORS,
g_szAccountOperators,
sizeof( g_szAccountOperators ) / sizeof( WCHAR )
);
if (!dwRet) {
//
// Default to English values.
//
wcscpy(g_szAccountOperators, L"Account Operators");
}
dwRet = LoadStringW(
g_hInst,
ADS_PRINT_OPERATORS,
g_szPrintOperators,
sizeof( g_szPrintOperators ) / sizeof( WCHAR )
);
if (!dwRet) {
//
// Default to English values.
//
wcscpy(g_szPrintOperators, L"Print Operators");
}
dwRet = LoadStringW(
g_hInst,
ADS_BACKUP_OPERATORS,
g_szBackupOperators,
sizeof( g_szBackupOperators ) / sizeof( WCHAR )
);
if (!dwRet) {
//
// Default to English values.
//
wcscpy(g_szBackupOperators, L"Backup Operators");
}
dwRet = LoadStringW(
g_hInst,
ADS_SERVER_OPERATORS,
g_szServerOperators,
sizeof( g_szServerOperators ) / sizeof( WCHAR )
);
if (!dwRet) {
//
// Default to English values.
//
wcscpy(g_szServerOperators, L"Server Operators");
}
dwRet = LoadStringW(
g_hInst,
ADS_PRE_WIN2000,
g_szPreWindows2000,
sizeof( g_szPreWindows2000 ) / sizeof( WCHAR )
);
if (!dwRet) {
//
// Default to English values.
//
wcscpy(
g_szPreWindows2000,
L"Pre-Windows 2000 Compatible Access"
);
}
}
g_fStringsLoaded = TRUE;
LeaveCriticalSection(&g_StringsCriticalSection);
}
//
//
// parse Trustee and determine whether its NTDS or U2
//
if (fNTDSType) {
WCHAR szDomainName[MAX_PATH];
WCHAR szServerName[MAX_PATH];
LPWSTR szLookupServer = NULL;
BOOL fSpecialLookup = FALSE;
BOOL fLookupOnServer = FALSE;
DWORD dwTmpSidLen = 0;
dwSidSize = sizeof(Sid);
szAccountName = bstrTrustee;
hr = ParseAccountName(bstrTrustee,
&szUserDomainName,
&szUserAccountName);
BAIL_ON_FAILURE(hr);
//
// Need to look these up on the server only.
//
if (szUserAccountName
&& ((_wcsicmp(szUserAccountName, g_szAccountOperators) == 0)
|| (_wcsicmp(szUserAccountName, g_szPrintOperators) == 0)
|| (_wcsicmp(szUserAccountName, g_szBackupOperators) == 0)
|| (_wcsicmp(szUserAccountName, g_szServerOperators) == 0)
|| (_wcsicmp(szUserAccountName, g_szPreWindows2000) == 0)
)
) {
if (szUserDomainName
&& (_wcsicmp(szUserDomainName, g_szBuiltin)) == 0) {
fSpecialLookup = TRUE;
} else {
fSpecialLookup = FALSE;
}
} // special users
if (fSpecialLookup ||
(szUserDomainName &&
(_wcsicmp(szUserDomainName, g_szBuiltin) != 0) &&
(_wcsicmp(szUserDomainName, g_szNT_Authority) != 0))
) {
//
// We will come back here and do a force retry
// if the server is down.
//
retryForce:
//
// Force hr to S_OK. This will be needed especially
// when we jump to the retryForce label.
//
hr = S_OK;
//
// Set Lookup on server to true so that later
// on we do not do the lookup on the server again.
// In some cases just like we fall back to local machine,
// we need to look at the server if the local machine fails.
// this will be the case for mixed locale domains.
//
DWORD dwStatus = GetDomainDNSNameForDomain(
fSpecialLookup ?
NULL :
szUserDomainName,
fForceVerify, // forceVerify
FALSE,
szServerName,
szDomainName
);
fLookupOnServer = TRUE;
if (dwStatus) {
szLookupServer = NULL;
}
else {
szLookupServer = szServerName;
}
szAccountName = szUserAccountName;
}
dwRet = LookupAccountName(
szLookupServer,
bstrTrustee,
Sid,
&dwSidSize,
szDomainName,
&dwDomainSize,
(PSID_NAME_USE)&eUse
);
if (!dwRet) {
hr = HRESULT_FROM_WIN32(GetLastError());
}
else {
//
// Update the length of the SID.
//
//
// Call needed on NT4 where GetLenghtSid does not
// reset the error correctly leading to false errors.
//
SetLastError(NO_ERROR);
dwTmpSidLen = GetLengthSid(Sid);
if ((dwRet = GetLastError()) == NO_ERROR) {
//
// Got the correct length so update dwSidSize
//
dwSidSize = dwTmpSidLen;
}
}
if (FAILED(hr)
&& hr != HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE)) {
//
// This code path should not be hit often but it can
// happen on multi locale domains. The server when might
// have returned say Builtin instead of german for the same.
// If the client is german we will be looking for germanbuiltin
// and that wont work. The lookup will fail locally but
// will succeed on the server. This is especially true for
// Builtin\Print Operators as that can only be resolved on the DC.
//
if (pszServerName) {
//
// Before we do a dsgetdc, we should try with
// the serverName passed in.
//
hr = S_OK;
dwRet = LookupAccountName(
pszServerName,
bstrTrustee,
Sid,
&dwSidSize,
szDomainName,
&dwDomainSize,
(PSID_NAME_USE)&eUse
);
if (!dwRet) {
hr = HRESULT_FROM_WIN32(GetLastError());
//
// force server name to NULL so we wont
// try this again.
//
pszServerName = NULL;
}
else {
//
// Update the length of the SID.
//
//
// Call needed on NT4 where GetLenghtSid does not
// reset the error correctly leading to false errors.
//
SetLastError(NO_ERROR);
dwTmpSidLen = GetLengthSid(Sid);
if ((dwRet = GetLastError()) == NO_ERROR) {
//
// Got the correct length so update dwSidSize
//
dwSidSize = dwTmpSidLen;
}
}
}
if (FAILED(hr)) {
//
// We could be here if either pszServerName was always
// NULL or if the call to the server failed.
// The only thing we can do is to retry if we know
// that the szLookupServer was NULL (that is local machine)
// or if szLookupServer was something other than the default
// server for the machine (that is we called DsGetDC with
// the name of a domain rather than NULL).
// In all other cases we should not retry and just return
// the error.
//
if (fSpecialLookup) {
//
// We should not retry in this case as we will not
// get anything useful. Setting fLookupOnServer
// to true will force this (if you look above this
// is not really needed but it helps clear things)
//
fLookupOnServer = TRUE;
}
else {
//
// This was not a special lookup, so we
// need to retry irrespective of what
// szLookupServer was.
//
fLookupOnServer = FALSE;
szLookupServer = NULL;
}
}
//
// This will do the correct thing even if the above
// LookUpCall failed. If not we should go down this
// as we can get stuck in an infinite loop.
//
if (FAILED(hr)
&& !pszServerName
&& !szLookupServer
&& !fLookupOnServer
) {
//
// In this case we want to try and call
// DsGetDCName and hopefully we will get the right
// DC. fSpecialLookup will be true so that we go to
// the default DC for the machine/user.
//
fSpecialLookup = TRUE;
goto retryForce;
}
}
//
// If failure was due to an expected error then retry
//
if (FAILED(hr)
&& hr == HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE)
) {
if (!fForceVerify) {
fForceVerify = TRUE;
goto retryForce;
}
}
}else {
//
// We know that LookupAccountName failed,
// so now try the U2 DS
//
dwSidSize = 0;
hr = ConvertU2TrusteeToSid(
pszServerName,
Credentials,
bstrTrustee,
Sid,
&dwSidSize
);
}
//
// If neither the NTDS nor the U2 conversion
// worked, then try a textual translation
//
if (FAILED(hr)) {
hr = ConvertStringToSid(
bstrTrustee,
&pSid,
&dwSidSize,
&pszEnd
);
BAIL_ON_FAILURE(hr);
memcpy(Sid,pSid, dwSidSize);
if (pSid) {
FreeADsMem(pSid);
}
}
//
// On NT4 for some reason GetLengthSID does not set lasterror to 0
//
SetLastError(NO_ERROR);
dwSidSize = GetLengthSid((PSID) Sid);
dwErr = GetLastError();
//
// This is an extra check to make sure that we have the
// correct length.
//
if (dwErr != NO_ERROR) {
hr = HRESULT_FROM_WIN32(dwErr);
}
BAIL_ON_FAILURE(hr); ;
pSid = AllocADsMem(dwSidSize);
if (!pSid) {
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
memcpy(pSid, Sid, dwSidSize);
*pdwSidSize = dwSidSize;
*ppSid = pSid;
error:
if (szUserDomainName) {
FreeADsStr(szUserDomainName);
};
if (szUserAccountName) {
FreeADsStr(szUserAccountName);
}
RRETURN(hr);
}
/*
+--------------------------------------------------------------------------------+
NAME: get_sid_out_of_string
FUNCTION: Convert a string representation of a SID back into
a sid. The expected format of the string is:
L"S-1-5-32-549"
If a string in a different format or an incorrect or
incomplete string is given, the operation is failed.
The returned sid must be free via a call to SEC_FREE.
Arguments:
string - The wide string to be converted
sid - Where the created SID is to be returned
end - Where in the string we stopped processing
RETURN:
NTSTATUS error codes or success.
+--------------------------------------------------------------------------------+
*/
HRESULT
ConvertStringToSid(
IN PWSTR string,
OUT PSID *sid,
OUT PDWORD pdwSidSize,
OUT PWSTR *end
)
{
HRESULT hr = S_OK;
UCHAR revision;
UCHAR sub_authority_count;
SID_IDENTIFIER_AUTHORITY authority;
ULONG sub_authority[SID_MAX_SUB_AUTHORITIES];
PWSTR end_list;
PWSTR current;
PWSTR next;
ULONG x;
*sid = NULL;
if (((*string != L'S') && (*string != L's')) || (*(string + 1) != L'-'))
{
hr = HRESULT_FROM_WIN32(ERROR_INVALID_SID);
BAIL_ON_FAILURE(hr);
}
current = string + 2;
revision = (UCHAR)wcstol(current, &end_list, 10);
current = end_list + 1;
//
// Count the number of characters in the indentifer authority...
//
next = wcschr(current, L'-');
if (!next) {
hr = HRESULT_FROM_WIN32(ERROR_INVALID_SID);
BAIL_ON_FAILURE(hr);
}
if(next - current == 6)
{
for(x = 0; x < 6; x++)
{
authority.Value[x] = (UCHAR)next[x];
}
current +=6;
}
else
{
ULONG Auto = wcstoul(current, &end_list, 10);
authority.Value[0] = authority.Value[1] = 0;
authority.Value[5] = (UCHAR)Auto & 0xF;
authority.Value[4] = (UCHAR)((Auto >> 8) & 0xFF);
authority.Value[3] = (UCHAR)((Auto >> 16) & 0xFF);
authority.Value[2] = (UCHAR)((Auto >> 24) & 0xFF);
current = end_list;
}
//
// Now, count the number of sub auths
//
sub_authority_count = 0;
next = current;
//
// We'll have to count our sub authoritys one character at a time,
// since there are several deliminators that we can have...
//
while(next)
{
next++;
if(*next == L'-')
{
//
// We've found one!
//
sub_authority_count++;
}
else if(*next == L';' || *next == L'\0')
{
*end = next;
sub_authority_count++;
break;
}
}
if(sub_authority_count != 0)
{
current++;
for(x = 0; x < sub_authority_count; x++)
{
sub_authority[x] = wcstoul(current, &end_list, 10);
current = end_list + 1;
}
}
//
// Now, create the SID
//
hr = SecCreateSidFromArray(
sid,
&authority,
sub_authority_count,
sub_authority,
pdwSidSize
);
if (SUCCEEDED(hr))
{
/* Set the revision to what was specified in the string, in case, our
system creates one with newer revision */
((SID *)(*sid))->Revision = revision;
}
error:
RRETURN(hr);
}
HRESULT
SecCreateSidFromArray (
OUT PSID *PPSid,
IN PSID_IDENTIFIER_AUTHORITY PSidAuthority,
IN UCHAR SubAuthorityCount,
IN ULONG SubAuthorities[],
OUT PDWORD pdwSidSize
)
/*++
Routine Description:
Creates a SID with desired authority and sub authorities.
NOTE: This routine allocates memory for the SID. When finished
the caller should free memory using SEC_FREE (PSid).
Arguments:
PPSid -- addr of ptr to SID to be created
Note: if SID creation fails ptr set to NULL
PSidAuthority -- desired value for SID authority
SubAuthorityCount -- number of sub authorities desired
SubAuthorities -- sub-authority values, MUST SPECIFY contain
at least SubAuthorityCount number of values
Return Value:
STATUS_SUCCESS if SID created.
STATUS_UNSUCCESSFUL otherwise.
--*/
{
USHORT iSub; /* sub-authority index */
DWORD dwSidSize = 0;
HRESULT hr = S_OK;
/* allocate memory for SID */
dwSidSize = RtlLengthRequiredSid(SubAuthorityCount);
*PPSid = (PSID) AllocADsMem( dwSidSize );
if (! *PPSid){
hr = E_OUTOFMEMORY;
BAIL_ON_FAILURE(hr);
}
*pdwSidSize = dwSidSize;
/* initialize SID with top level SID identifier authority */
RtlInitializeSid( *PPSid, PSidAuthority, SubAuthorityCount);
/* fill in sub authorities */
for (iSub=0; iSub < SubAuthorityCount; iSub++)
* RtlSubAuthoritySid( *PPSid, iSub) = SubAuthorities[iSub];
/* sanity check */
if ( ! RtlValidSid( *PPSid) ) {
FreeADsMem( *PPSid);
*PPSid = NULL;
hr = HRESULT_FROM_WIN32(ERROR_INVALID_SID);
BAIL_ON_FAILURE(hr);
}
error:
RRETURN(hr);
}
BOOL
EquivalentServers(
LPWSTR pszTargetServer,
LPWSTR pszSourceServer
)
{
if (!pszTargetServer && !pszSourceServer) {
return(TRUE);
}
if (pszTargetServer && pszSourceServer) {
#ifdef WIN95
if (!_wcsicmp(pszTargetServer, pszSourceServer)) {
#else
if (CompareStringW(
LOCALE_SYSTEM_DEFAULT,
NORM_IGNORECASE,
pszTargetServer,
-1,
pszSourceServer,
-1
) == CSTR_EQUAL ) {
#endif
return(TRUE);
}
}
return(FALSE);
}
Reference in a new issue View git blame Copy permalink