DWORD
VmAfdAccessCheckWithHandle (
PVECS_SRV_STORE_HANDLE pStore,
PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
DWORD dwDesiredAccess
)
{
DWORD dwError = 0;
DWORD dwLogError = 0;
PVECS_SERV_STORE pStoreInfo = NULL;
PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
PWSTR pszAccountName = NULL;
if (!pStore ||
!pConnectionContext ||
!pConnectionContext->pSecurityContext
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
if ((dwDesiredAccess | VECS_MAXIMUM_ALLOWED_MASK) !=
VECS_MAXIMUM_ALLOWED_MASK
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
/*
* We don't care about dwLogError errors because they are
* used solely for logging purpose. Even if some call fails,
* the function should not fail
*/
dwLogError = VmAfdAllocateNameFromContext (
pConnectionContext->pSecurityContext,
&pszAccountName
);
dwLogError = VmAfdGetStoreFromHandle (
pStore,
pConnectionContext->pSecurityContext,
&pStoreInfo
);
if (
!IsNullOrEmptyString(pszAccountName) &&
pStoreInfo
)
{
PSTR paszAccountName = NULL;
dwLogError = VmAfdAllocateStringAFromW(
pszAccountName,
&paszAccountName
);
if (paszAccountName)
{
switch (dwDesiredAccess)
{
case READ_STORE:
VmAfdLog (VMAFD_DEBUG_DEBUG,
"User %s requested READ operation on Store with ID: %d",
paszAccountName,
pStoreInfo->dwStoreId
);
break;
case WRITE_STORE:
VmAfdLog (VMAFD_DEBUG_DEBUG,
"User %s requested WRITE operation on Store with ID:%d",
paszAccountName,
pStoreInfo->dwStoreId
);
break;
default:
break;
}
}
else
{
VmAfdLog(VMAFD_DEBUG_ANY, "%s log failed. error(%u)", __FUNCTION__, dwLogError);
}
VMAFD_SAFE_FREE_MEMORY (paszAccountName);
}
dwError = VmAfdGetSecurityDescriptorFromHandle (
pStore,
&pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
if (!(VmAfdIsRootSecurityContext (pConnectionContext)))
{
if (!(VmAfdEqualsSecurityContext(
pConnectionContext->pSecurityContext,
pSecurityDescriptor->pOwnerSecurityContext
)
))
{
dwError = VmAfdCheckAcl (
pSecurityDescriptor,
pConnectionContext->pSecurityContext,
dwDesiredAccess
);
BAIL_ON_VMAFD_ERROR (dwError);
}
}
cleanup:
VMAFD_SAFE_FREE_MEMORY (pszAccountName);
VMAFD_SAFE_FREE_MEMORY (pStoreInfo);
if (pSecurityDescriptor)
{
VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
}
return dwError;
error:
goto cleanup;
}
DWORD
VecsSrvChangeOwner (
PVECS_SRV_STORE_HANDLE pStore,
PCWSTR pszUserName,
PVM_AFD_CONNECTION_CONTEXT pConnectionContext
)
{
DWORD dwError = 0;
PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
PVECS_SERV_STORE pStoreInstance = NULL;
BOOL bIsHoldingLock = FALSE;
dwError = VmAfdCheckOwnerShipWithHandle (
pStore,
pConnectionContext
);
BAIL_ON_VMAFD_ERROR (dwError);
pthread_mutex_lock (&gVmafdGlobals.mutexStoreState);
bIsHoldingLock = TRUE;
dwError = VmAfdGetSecurityDescriptorFromHandle (
pStore,
&pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdGetStoreFromHandle (
pStore,
pConnectionContext->pSecurityContext,
&pStoreInstance
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdModifyOwner (
pStoreInstance,
pszUserName,
pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdSetSecurityDescriptorForHandle (
pStore,
pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
pthread_mutex_unlock (&gVmafdGlobals.mutexStoreState);
bIsHoldingLock = FALSE;
cleanup:
if (pSecurityDescriptor)
{
VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
}
if (bIsHoldingLock)
{
pthread_mutex_unlock(&gVmafdGlobals.mutexStoreState);
}
VMAFD_SAFE_FREE_MEMORY (pStoreInstance);
return dwError;
error:
goto cleanup;
}
DWORD
VecsSrvEnumCertsHandle(
PVECS_SRV_ENUM_CONTEXT_HANDLE pContext,
PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
PVMAFD_CERT_ARRAY *ppCertContainer
)
{
DWORD dwError = 0;
PVMAFD_CERT_ARRAY pCertContainer = NULL;
PVECS_SERV_STORE pStore = NULL;
dwError = VmAfdGetStoreFromHandle (
pContext->pStore,
pConnectionContext->pSecurityContext,
&pStore
);
BAIL_ON_VMAFD_ERROR (dwError);
switch (pContext->infoLevel)
{
case ENTRY_INFO_LEVEL_1:
dwError = VecsDbEnumInfoLevel1(
pStore->dwStoreId,
pContext->dwIndex,
pContext->dwLimit,
&pCertContainer
);
BAIL_ON_VMAFD_ERROR (dwError);
break;
case ENTRY_INFO_LEVEL_2:
dwError = VecsDbEnumInfoLevel2(
pStore->dwStoreId,
pContext->dwIndex,
pContext->dwLimit,
&pCertContainer
);
BAIL_ON_VMAFD_ERROR(dwError);
break;
default:
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
*ppCertContainer = pCertContainer;
cleanup:
VMAFD_SAFE_FREE_MEMORY (pStore);
return dwError;
error:
if (ppCertContainer)
{
*ppCertContainer = NULL;
}
if (pCertContainer)
{
VmAfdFreeCertArray(pCertContainer);
}
goto cleanup;
}
DWORD
VecsSrvRevokePermission (
PVECS_SRV_STORE_HANDLE pStore,
PCWSTR pszUserName,
UINT32 accessMask,
VMAFD_ACE_TYPE aceType,
PVM_AFD_CONNECTION_CONTEXT pConnectionContext
)
{
DWORD dwError = 0;
PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
PVECS_SERV_STORE pStoreInstance = NULL;
BOOL bIsHoldingLock = FALSE;
PWSTR pwszAccountName = NULL;
DWORD dwLogError = 0;
dwError = VmAfdCheckOwnerShipWithHandle (
pStore,
pConnectionContext
);
BAIL_ON_VMAFD_ERROR (dwError);
pthread_mutex_lock (&gVmafdGlobals.mutexStoreState);
bIsHoldingLock = TRUE;
dwError = VmAfdGetSecurityDescriptorFromHandle (
pStore,
&pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdGetStoreFromHandle (
pStore,
pConnectionContext->pSecurityContext,
&pStoreInstance
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdModifyPermissions (
pStoreInstance,
pszUserName,
accessMask,
aceType,
pSecurityDescriptor,
VMW_IPC_MODIFY_PERMISSIONS_REVOKE
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdSetSecurityDescriptorForHandle (
pStore,
pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
pthread_mutex_unlock (&gVmafdGlobals.mutexStoreState);
bIsHoldingLock = FALSE;
dwLogError = VmAfdAllocateNameFromContext (
pConnectionContext->pSecurityContext,
&pwszAccountName
);
if (!IsNullOrEmptyString(pwszAccountName))
{
PSTR pszAccountName = NULL;
PSTR paszUserName = NULL;
dwLogError = VmAfdAllocateStringAFromW(
pwszAccountName,
&pszAccountName
);
dwLogError = VmAfdAllocateStringAFromW (
pszUserName,
&paszUserName
);
if (pszAccountName)
{
VmAfdLog (VMAFD_DEBUG_ANY,
"User %s changed permission of Store with ID: %d \n "
"Permission %s %s was revoked from user %s",
pszAccountName,
pStoreInstance->dwStoreId,
accessMask & READ_STORE ? "read" : "",
accessMask & WRITE_STORE ? "write": "",
!IsNullOrEmptyString(paszUserName)? paszUserName: ""
);
}
VMAFD_SAFE_FREE_MEMORY (pszAccountName);
VMAFD_SAFE_FREE_MEMORY (paszUserName);
}
cleanup:
if (pSecurityDescriptor)
{
VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
}
if (bIsHoldingLock)
{
pthread_mutex_unlock(&gVmafdGlobals.mutexStoreState);
}
VMAFD_SAFE_FREE_MEMORY (pStoreInstance);
VMAFD_SAFE_FREE_MEMORY (pwszAccountName);
return dwError;
error:
goto cleanup;
}
