/*
 * Decide whether the caller bound to pConnectionContext may access the store
 * behind pStore with the rights named in dwDesiredAccess.
 *
 * Order of evaluation (security relevant):
 *   1. Arguments are validated; any bit in dwDesiredAccess outside
 *      VECS_MAXIMUM_ALLOWED_MASK is rejected with ERROR_INVALID_PARAMETER.
 *   2. A best-effort log line records who asked for what.
 *   3. The store's security descriptor is loaded.
 *   4. A context for which VmAfdIsRootSecurityContext() is true, or one that
 *      equals the descriptor's owner context, is allowed without consulting
 *      the ACL. Every other caller must pass VmAfdCheckAcl().
 *
 * Returns 0 when access is allowed, otherwise the first error hit.
 *
 * NOTE(review): dwDesiredAccess == 0 passes the mask test; what
 * VmAfdCheckAcl() does with an empty request is not visible here - confirm.
 * NOTE(review): the request is logged at VMAFD_DEBUG_DEBUG and a denial is
 * not logged in this function; if these records are meant as an audit trail,
 * confirm that the configured log level keeps them.
 */
DWORD
VmAfdAccessCheckWithHandle (
    PVECS_SRV_STORE_HANDLE pStore,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
    DWORD dwDesiredAccess
    )
{
    DWORD dwError = 0;
    DWORD dwLogError = 0;
    PWSTR pwszCaller = NULL;
    PVECS_SERV_STORE pStoreForLog = NULL;
    PVMAFD_SECURITY_DESCRIPTOR pSecDesc = NULL;

    if (!pStore ||
        !pConnectionContext ||
        !pConnectionContext->pSecurityContext)
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    /* OR-ing with the mask changes the value only if an unknown bit is set. */
    if ((dwDesiredAccess | VECS_MAXIMUM_ALLOWED_MASK) !=
         VECS_MAXIMUM_ALLOWED_MASK)
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    /*
     * Everything that writes to dwLogError exists only to produce the log
     * line below. A failure here must never fail the access check itself,
     * so these results are deliberately not bailed on.
     */
    dwLogError = VmAfdAllocateNameFromContext (
                        pConnectionContext->pSecurityContext,
                        &pwszCaller
                        );

    dwLogError = VmAfdGetStoreFromHandle (
                        pStore,
                        pConnectionContext->pSecurityContext,
                        &pStoreForLog
                        );

    if (!IsNullOrEmptyString(pwszCaller) && pStoreForLog)
    {
        PSTR pszCallerA = NULL;

        dwLogError = VmAfdAllocateStringAFromW(
                            pwszCaller,
                            &pszCallerA
                            );

        if (!pszCallerA)
        {
            VmAfdLog(VMAFD_DEBUG_ANY,
                     "%s log failed. error(%u)",
                     __FUNCTION__,
                     dwLogError);
        }
        else if (dwDesiredAccess == READ_STORE)
        {
            VmAfdLog (VMAFD_DEBUG_DEBUG,
                      "User %s requested READ operation on Store with ID: %d",
                      pszCallerA,
                      pStoreForLog->dwStoreId
                      );
        }
        else if (dwDesiredAccess == WRITE_STORE)
        {
            VmAfdLog (VMAFD_DEBUG_DEBUG,
                      "User %s requested WRITE operation on Store with ID:%d",
                      pszCallerA,
                      pStoreForLog->dwStoreId
                      );
        }
        /* Any other value (e.g. a combined request) is not logged. */

        VMAFD_SAFE_FREE_MEMORY (pszCallerA);
    }

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                    pStore,
                    &pSecDesc
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    /*
     * Only callers that are neither root nor the store owner are subject to
     * the ACL. && short-circuits, so the owner comparison is skipped for
     * root exactly as in a nested test.
     * NOTE(review): assumes a successful descriptor lookup never leaves
     * pSecDesc NULL - confirm against VmAfdGetSecurityDescriptorFromHandle.
     */
    if (!(VmAfdIsRootSecurityContext (pConnectionContext)) &&
        !(VmAfdEqualsSecurityContext(
                    pConnectionContext->pSecurityContext,
                    pSecDesc->pOwnerSecurityContext
                    )))
    {
        dwError = VmAfdCheckAcl (
                        pSecDesc,
                        pConnectionContext->pSecurityContext,
                        dwDesiredAccess
                        );
        BAIL_ON_VMAFD_ERROR (dwError);
    }

cleanup:

    VMAFD_SAFE_FREE_MEMORY (pwszCaller);
    VMAFD_SAFE_FREE_MEMORY (pStoreForLog);

    if (pSecDesc)
    {
        VmAfdFreeSecurityDescriptor (pSecDesc);
    }

    return dwError;

error:

    goto cleanup;
}
/*
 * Transfer ownership of the store behind pStore to pszUserName.
 *
 * The caller must first pass VmAfdCheckOwnerShipWithHandle(). The security
 * descriptor is then read, modified through VmAfdModifyOwner() and written
 * back while gVmafdGlobals.mutexStoreState is held.
 *
 * Returns 0 on success, otherwise the first error hit. On every path the
 * mutex is released and the local descriptor / store copies are freed.
 *
 * NOTE(review): the ownership check runs before the mutex is taken, so the
 * descriptor that was checked and the one that is modified are read at
 * different times. Whether VmAfdCheckOwnerShipWithHandle() serialises with
 * concurrent owner/ACL changes on its own is not visible here - confirm.
 * NOTE(review): no log record is written for an owner change in this
 * function, unlike VecsSrvRevokePermission(); confirm one is emitted
 * elsewhere if this is meant to be auditable.
 */
DWORD
VecsSrvChangeOwner (
    PVECS_SRV_STORE_HANDLE pStore,
    PCWSTR pszUserName,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext
    )
{
    DWORD dwError = 0;
    BOOL bLocked = FALSE;
    PVECS_SERV_STORE pStoreData = NULL;
    PVMAFD_SECURITY_DESCRIPTOR pSecDesc = NULL;

    /* Authorisation gate: nothing below runs unless this succeeds. */
    dwError = VmAfdCheckOwnerShipWithHandle (
                    pStore,
                    pConnectionContext
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_lock (&gVmafdGlobals.mutexStoreState);
    bLocked = TRUE;

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                    pStore,
                    &pSecDesc
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdGetStoreFromHandle (
                    pStore,
                    pConnectionContext->pSecurityContext,
                    &pStoreData
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdModifyOwner (
                    pStoreData,
                    pszUserName,
                    pSecDesc
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    /* Publish the modified descriptor for this handle. */
    dwError = VmAfdSetSecurityDescriptorForHandle (
                    pStore,
                    pSecDesc
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_unlock (&gVmafdGlobals.mutexStoreState);
    bLocked = FALSE;

cleanup:

    if (pSecDesc)
    {
        VmAfdFreeSecurityDescriptor (pSecDesc);
    }

    /* Only reached with the lock held when a step above bailed out. */
    if (bLocked)
    {
        pthread_mutex_unlock(&gVmafdGlobals.mutexStoreState);
    }

    VMAFD_SAFE_FREE_MEMORY (pStoreData);

    return dwError;

error:

    goto cleanup;
}
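/*
 * Return the next batch of certificate entries for an enumeration context.
 *
 * pContext           enumeration state: store handle, info level, start
 *                    index (dwIndex) and batch size (dwLimit).
 * pConnectionContext caller's connection; its security context is handed to
 *                    VmAfdGetStoreFromHandle().
 * ppCertContainer    receives the array on success (caller frees it); set to
 *                    NULL on failure.
 *
 * Returns 0 on success, ERROR_INVALID_PARAMETER for a NULL argument or an
 * unknown info level, otherwise the error of the failing helper.
 *
 * The original dereferenced pContext and pConnectionContext unchecked and
 * wrote through ppCertContainer unguarded on the success path, although the
 * error path already treated ppCertContainer as possibly NULL. All three are
 * now validated up front.
 *
 * NOTE(review): no VmAfdAccessCheckWithHandle() call is visible in this
 * function; presumably read access is verified when the enumeration context
 * is created or by the caller - confirm.
 * NOTE(review): dwIndex and dwLimit are passed to the database layer as
 * given; confirm they are bounded where the context is built.
 */
DWORD
VecsSrvEnumCertsHandle(
    PVECS_SRV_ENUM_CONTEXT_HANDLE pContext,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
    PVMAFD_CERT_ARRAY *ppCertContainer
    )
{
    DWORD dwError = 0;
    PVMAFD_CERT_ARRAY pCertContainer = NULL;
    PVECS_SERV_STORE pStore = NULL;

    /* Reject NULL inputs before any dereference below. */
    if (!pContext || !pConnectionContext || !ppCertContainer)
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    dwError = VmAfdGetStoreFromHandle (
                    pContext->pStore,
                    pConnectionContext->pSecurityContext,
                    &pStore
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    switch (pContext->infoLevel)
    {
        case ENTRY_INFO_LEVEL_1:

            dwError = VecsDbEnumInfoLevel1(
                            pStore->dwStoreId,
                            pContext->dwIndex,
                            pContext->dwLimit,
                            &pCertContainer
                            );
            BAIL_ON_VMAFD_ERROR (dwError);
            break;

        case ENTRY_INFO_LEVEL_2:

            dwError = VecsDbEnumInfoLevel2(
                            pStore->dwStoreId,
                            pContext->dwIndex,
                            pContext->dwLimit,
                            &pCertContainer
                            );
            BAIL_ON_VMAFD_ERROR (dwError);
            break;

        default:

            /* Unknown info level: refuse rather than guess a format. */
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_VMAFD_ERROR (dwError);
    }

    /* Ownership of the array passes to the caller. */
    *ppCertContainer = pCertContainer;

cleanup:

    VMAFD_SAFE_FREE_MEMORY (pStore);

    return dwError;

error:

    if (ppCertContainer)
    {
        *ppCertContainer = NULL;
    }
    if (pCertContainer)
    {
        VmAfdFreeCertArray(pCertContainer);
    }

    goto cleanup;
}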
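/*
 * Revoke the rights in accessMask (for ACEs of type aceType) that user
 * pszUserName holds on the store behind pStore.
 *
 * The caller must first pass VmAfdCheckOwnerShipWithHandle(). The security
 * descriptor is read, modified through VmAfdModifyPermissions() with
 * VMW_IPC_MODIFY_PERMISSIONS_REVOKE and written back while
 * gVmafdGlobals.mutexStoreState is held. After the lock is released the
 * change is logged.
 *
 * Returns 0 on success, otherwise the first error hit. Logging problems
 * never change the return value.
 *
 * Change from the original: a successful revocation left no log record at
 * all when the caller's account name could not be resolved or converted.
 * A fallback record with the store ID and the logging error is now written
 * in that case, so a permission change is never silent. The two string
 * conversions also no longer overwrite each other's error code.
 *
 * NOTE(review): the ownership check runs before the mutex is taken; whether
 * VmAfdCheckOwnerShipWithHandle() serialises with concurrent owner/ACL
 * changes on its own is not visible here - confirm.
 * NOTE(review): pszUserName is written to the log as supplied; if it can
 * carry control characters, confirm the logger neutralises them.
 */
DWORD
VecsSrvRevokePermission (
    PVECS_SRV_STORE_HANDLE pStore,
    PCWSTR pszUserName,
    UINT32 accessMask,
    VMAFD_ACE_TYPE aceType,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext
    )
{
    DWORD dwError = 0;
    DWORD dwLogError = 0;
    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    PVECS_SERV_STORE pStoreInstance = NULL;
    BOOL bIsHoldingLock = FALSE;
    PWSTR pwszAccountName = NULL;
    PSTR pszAccountName = NULL;
    PSTR paszUserName = NULL;

    /* Authorisation gate: nothing below runs unless this succeeds. */
    dwError = VmAfdCheckOwnerShipWithHandle (
                    pStore,
                    pConnectionContext
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_lock (&gVmafdGlobals.mutexStoreState);
    bIsHoldingLock = TRUE;

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                    pStore,
                    &pSecurityDescriptor
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdGetStoreFromHandle (
                    pStore,
                    pConnectionContext->pSecurityContext,
                    &pStoreInstance
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdModifyPermissions (
                    pStoreInstance,
                    pszUserName,
                    accessMask,
                    aceType,
                    pSecurityDescriptor,
                    VMW_IPC_MODIFY_PERMISSIONS_REVOKE
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdSetSecurityDescriptorForHandle (
                    pStore,
                    pSecurityDescriptor
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_unlock (&gVmafdGlobals.mutexStoreState);
    bIsHoldingLock = FALSE;

    /*
     * Best-effort logging from here on: dwLogError is reported but never
     * copied into dwError, because the revocation has already succeeded.
     */
    dwLogError = VmAfdAllocateNameFromContext (
                        pConnectionContext->pSecurityContext,
                        &pwszAccountName
                        );

    if (!IsNullOrEmptyString(pwszAccountName))
    {
        dwLogError = VmAfdAllocateStringAFromW(
                            pwszAccountName,
                            &pszAccountName
                            );
    }

    if (pszAccountName)
    {
        /* The target name is optional in the message; "" is used if the
         * conversion fails, so its result is intentionally not kept. */
        (void) VmAfdAllocateStringAFromW (
                            pszUserName,
                            &paszUserName
                            );

        VmAfdLog (VMAFD_DEBUG_ANY,
                  "User %s changed permission of Store with ID: %d \n "
                  "Permission %s %s was revoked from user %s",
                  pszAccountName,
                  pStoreInstance->dwStoreId,
                  accessMask & READ_STORE ? "read" : "",
                  accessMask & WRITE_STORE ? "write": "",
                  !IsNullOrEmptyString(paszUserName)? paszUserName: ""
                  );
    }
    else
    {
        /* Keep a record of the change even without the caller's name. */
        VmAfdLog (VMAFD_DEBUG_ANY,
                  "%s: permission on Store with ID: %d was revoked, "
                  "but the caller name could not be logged. error(%u)",
                  __FUNCTION__,
                  pStoreInstance->dwStoreId,
                  dwLogError
                  );
    }

    VMAFD_SAFE_FREE_MEMORY (pszAccountName);
    VMAFD_SAFE_FREE_MEMORY (paszUserName);

cleanup:

    if (pSecurityDescriptor)
    {
        VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
    }

    /* Only reached with the lock held when a step above bailed out. */
    if (bIsHoldingLock)
    {
        pthread_mutex_unlock(&gVmafdGlobals.mutexStoreState);
    }

    VMAFD_SAFE_FREE_MEMORY (pStoreInstance);
    VMAFD_SAFE_FREE_MEMORY (pwszAccountName);

    return dwError;

error:

    goto cleanup;
}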