static
DWORD
VmAfdFlushRoots(
VOID
)
{
DWORD dwError = 0;
WCHAR wszStoreName[] = TRUSTED_ROOTS_STORE_NAME_W;
PVECS_SERV_STORE pCertStore = NULL;
PVECS_SRV_ENUM_CONTEXT pEnumContext = NULL;
PVMAFD_CERT_ARRAY pCertContainer = NULL;
PWSTR pwszCAPath = NULL;
PSTR pszCAPath = NULL;
dwError = VmAfSrvGetCAPath(&pwszCAPath);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmAfdAllocateStringAFromW(pwszCAPath, &pszCAPath);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VecsSrvOpenCertStore(wszStoreName, NULL, &pCertStore);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VecsSrvAllocateCertEnumContext(
pCertStore,
0, /* default */
ENTRY_INFO_LEVEL_2,
&pEnumContext);
BAIL_ON_VMAFD_ERROR(dwError);
do
{
DWORD idx = 0;
if (pCertContainer)
{
VmAfdFreeCertArray(pCertContainer);
pCertContainer = NULL;
}
dwError = VecsSrvEnumCertsInternal(pEnumContext, &pCertContainer);
BAIL_ON_VMAFD_ERROR(dwError);
for (; idx < pCertContainer->dwCount; idx++)
{
PVMAFD_CERT_CONTAINER pCert = &pCertContainer->certificates[idx];
dwError = VmAfdSrvFlushRoot(pCert, pszCAPath);
BAIL_ON_VMAFD_ERROR(dwError);
}
} while (pCertContainer && pCertContainer->dwCount > 0);
cleanup:
if (pEnumContext)
{
VecsSrvReleaseEnumContext(pEnumContext);
}
if (pCertContainer)
{
VmAfdFreeCertArray(pCertContainer);
}
if (pCertStore)
{
VecsSrvReleaseCertStore(pCertStore);
}
VMAFD_SAFE_FREE_MEMORY(pwszCAPath);
VMAFD_SAFE_FREE_MEMORY(pszCAPath);
return dwError;
error:
goto cleanup;
}
DWORD
VmAfdRestPasswordRefresh(
PCSTR pszServer,
PCSTR pszDomain,
PCSTR pszUser,
PCSTR pszPass,
BOOLEAN bForce,
BOOLEAN bInsecure,
PSTR *ppszNewPass
)
{
DWORD dwError = 0;
PSTR pszToken = NULL;
PSTR pszNewPass = NULL;
PSTR pszUrl = NULL;
PVM_HTTP_CLIENT pHttpClient = NULL;
PSTR pszParamString = NULL;
PCSTR pszResult = NULL;
PWSTR pwszCAPath = NULL;
PSTR pszCAPath = NULL;
if (IsNullOrEmptyString(pszServer) ||
IsNullOrEmptyString(pszDomain) ||
IsNullOrEmptyString(pszUser) ||
IsNullOrEmptyString(pszPass) ||
!ppszNewPass)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR(dwError);
}
if (bInsecure)
{
pszCAPath = NULL;
}
else
{
dwError = VmAfSrvGetCAPath(&pwszCAPath);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmAfdAllocateStringAFromW(pwszCAPath, &pszCAPath);
BAIL_ON_VMAFD_ERROR(dwError);
}
/* acquire token */
dwError = VmAfdAcquireOIDCToken(
pszServer,
pszDomain,
pszUser,
pszPass,
pszCAPath,
VMAFD_OIDC_VMDIR_SCOPE,
&pszToken);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmAfdAllocateStringPrintf(
&pszParamString,
"?force=%s",
bForce?"true":"false");
BAIL_ON_VMAFD_ERROR(dwError);
/* make rest url */
dwError = VmFormatUrl(
"https",
pszServer,
VMDIR_REST_API_HTTPS_PORT,
VMDIR_REST_API_BASE"/"VMDIR_REST_API_PASSWORD_REFRESH_CMD,
pszParamString,
&pszUrl);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmHttpClientInit(&pHttpClient, pszCAPath);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmHttpClientSetToken(pHttpClient,
VMHTTP_TOKEN_TYPE_BEARER,
pszToken);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmHttpClientPerform(pHttpClient, VMHTTP_METHOD_POST, pszUrl);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmHttpClientGetResult(pHttpClient, &pszResult);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = _VmAfdGetHttpResultPassword(pszResult, &pszNewPass);
BAIL_ON_VMAFD_ERROR(dwError);
/* pszPassword could be NULL if force is not set or not aged */
/* caller handles this scenario */
*ppszNewPass = pszNewPass;
cleanup:
VmHttpClientFreeHandle(pHttpClient);
VMAFD_SAFE_FREE_MEMORY(pszCAPath);
VMAFD_SAFE_FREE_MEMORY(pwszCAPath);
VMAFD_SAFE_FREE_STRINGA(pszParamString);
VMAFD_SAFE_FREE_STRINGA(pszUrl);
VMAFD_SAFE_FREE_STRINGA(pszToken);
return dwError;
error:
VMAFD_SAFE_FREE_STRINGA(pszNewPass);
goto cleanup;
}
