/**
 * Fetch the access token of the RPC caller behind hBinding.
 *
 * @param hBinding       RPC binding handle of the incoming call.
 * @param ppAccessToken  Receives the caller's token (written by the RPC runtime).
 * @return STATUS_SUCCESS, or the NTSTATUS mapped from the RPC runtime status.
 */
NTSTATUS
DsrSrvInitAuthInfo(
    IN  handle_t        hBinding,
    OUT PACCESS_TOKEN  *ppAccessToken
    )
{
    unsigned32 rpcStat = 0;
    NTSTATUS ntStatus = STATUS_SUCCESS;

    /* The runtime reports failure through rpcStat, not a return value. */
    rpc_binding_inq_access_token_caller(hBinding, ppAccessToken, &rpcStat);

    ntStatus = LwRpcStatusToNtStatus(rpcStat);
    BAIL_ON_NTSTATUS_ERROR(ntStatus);

error:
    /* Success and failure both end here; ntStatus already carries the result. */
    return ntStatus;
}
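/**
 * Check whether the RPC caller behind hBindingHandle holds dwAccessMask.
 *
 * @param hBindingHandle  RPC binding handle of the incoming call.
 * @param dwAccessMask    Access rights the caller must be allowed.
 * @return ERROR_SUCCESS when allowed; otherwise the DCE error mapped by
 *         BAIL_ON_DCE_ERROR, ERROR_ACCESS_DENIED when no token could be
 *         obtained, or the error returned by EVTCheckAllowed.
 */
DWORD
LWICheckSecurity(
    handle_t        hBindingHandle,
    ACCESS_MASK dwAccessMask
    )
{
    DWORD dwError = ERROR_SUCCESS;
    /* Initialised: if the TRY body raises, CATCH_ALL swallows it and the
       runtime never writes rpcError, so an uninitialised value would be read
       by BAIL_ON_DCE_ERROR below. volatile because it crosses the TRY frame. */
    volatile unsigned32 rpcError = 0;
    PACCESS_TOKEN        pUserToken = NULL;

    TRY
    {
        rpc_binding_inq_access_token_caller(
            hBindingHandle,
            &pUserToken,
            (unsigned32*)&rpcError);
    }
    CATCH_ALL
    ENDTRY;

    BAIL_ON_DCE_ERROR(dwError, rpcError);

    /* A swallowed exception leaves rpcError at 0 and pUserToken NULL; never
       run the access check without a token — treat it as denied. */
    if (pUserToken == NULL)
    {
        dwError = ERROR_ACCESS_DENIED;
        BAIL_ON_EVT_ERROR(dwError);
    }

    dwError = EVTCheckAllowed(
            pUserToken,
            dwAccessMask);
    BAIL_ON_EVT_ERROR(dwError);

error:
    /* Token is released on every path; RtlReleaseAccessToken takes the
       address so it can clear the pointer. */
    if (pUserToken)
    {
        RtlReleaseAccessToken(&pUserToken);
    }
    return dwError;
}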
/**
 * Populate the policy context with the RPC caller's authentication data.
 *
 * Stores the caller's access token in pPolCtx->pUserToken and, when the call
 * arrived over ncacn_np, lets LsaSrvInitNpAuthInfo add the transport-specific
 * information.
 *
 * @param hBinding  RPC binding handle of the incoming call.
 * @param pPolCtx   Policy context to fill; torn down with LsaSrvFreeAuthInfo on error.
 * @return STATUS_SUCCESS, or the NTSTATUS mapped from the failing RPC call /
 *         returned by LsaSrvInitNpAuthInfo.
 */
NTSTATUS
LsaSrvInitAuthInfo(
    IN  handle_t          hBinding,
    OUT PPOLICY_CONTEXT   pPolCtx
    )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    unsigned32 rpcStat = 0;
    rpc_transport_info_handle_t hTransport = NULL;
    DWORD dwProtSeq = rpc_c_invalid_protseq_id;

    /* The token is written straight into the context by the RPC runtime. */
    rpc_binding_inq_access_token_caller(hBinding, &pPolCtx->pUserToken, &rpcStat);
    ntStatus = LwRpcStatusToNtStatus(rpcStat);
    BAIL_ON_NTSTATUS_ERROR(ntStatus);

    rpc_binding_inq_transport_info(hBinding, &hTransport, &rpcStat);
    ntStatus = LwRpcStatusToNtStatus(rpcStat);
    BAIL_ON_NTSTATUS_ERROR(ntStatus);

    /* No transport info: nothing transport-specific to set up, token alone suffices. */
    if (hTransport == NULL)
    {
        goto cleanup;
    }

    rpc_binding_inq_prot_seq(hBinding, (unsigned32*)&dwProtSeq, &rpcStat);
    ntStatus = LwRpcStatusToNtStatus(rpcStat);
    BAIL_ON_NTSTATUS_ERROR(ntStatus);

    /* Only named pipes carry extra auth info; every other protocol sequence is left as-is. */
    if (dwProtSeq == rpc_c_protseq_id_ncacn_np)
    {
        ntStatus = LsaSrvInitNpAuthInfo(hTransport, pPolCtx);
        BAIL_ON_NTSTATUS_ERROR(ntStatus);
    }

cleanup:
    return ntStatus;

error:
    /* Undo partial setup; presumably this also releases pUserToken — verify in LsaSrvFreeAuthInfo. */
    LsaSrvFreeAuthInfo(pPolCtx);
    goto cleanup;
}
/**
 * Decide whether the RPC caller behind pBinding is granted ulAccessDesired
 * against the security descriptor pSD.
 *
 * @param pBinding         RPC binding handle of the incoming call.
 * @param pSD              Absolute security descriptor protecting the operation.
 * @param ulAccessDesired  Requested access mask; generic bits are mapped before the check.
 * @return TRUE when access is granted, FALSE on denial or on any error along the way.
 *
 * Build variants: with HAVE_DCERPC_WIN32 the function short-circuits to TRUE;
 * on non-_WIN32 the token comes from the DCE runtime; on _WIN32 (without
 * HAVE_DCERPC_WIN32) the caller is impersonated and the thread token is used.
 */
BOOL
VmDirIsRpcOperationAllowed(
    handle_t pBinding,
    PSECURITY_DESCRIPTOR_ABSOLUTE pSD,
    ULONG    ulAccessDesired
    )
{
#if defined(HAVE_DCERPC_WIN32)
	/* NOTE(review): this build grants every RPC operation without consulting
	   pSD or the caller's token — confirm HAVE_DCERPC_WIN32 is never set in
	   a deployed build. */
	VMDIR_LOG_VERBOSE(LDAP_DEBUG_ACL, "RPC Access GRANTED!");
	return TRUE;
#else
    ULONG           ulError  = ERROR_SUCCESS;
    PACCESS_TOKEN   hToken         = NULL;
    ACCESS_MASK     accessGranted  = 0;
    BOOLEAN         bAccessGranted = FALSE;
    GENERIC_MAPPING genericMapping = {0};
#if defined(_WIN32) && !defined(HAVE_DCERPC_WIN32)
    /* Tracks whether RpcImpersonateClient succeeded so cleanup reverts exactly once. */
    BOOLEAN         bImpersonated = FALSE;
#endif

/* Inside this #else HAVE_DCERPC_WIN32 is already known to be undefined, so
   the condition below reduces to !defined(_WIN32); the second term is redundant. */
#if !defined(_WIN32) || defined(HAVE_DCERPC_WIN32)
    /* DCE runtime: the caller's token is handed to us directly. */
    rpc_binding_inq_access_token_caller(pBinding, &hToken, &ulError);
    BAIL_ON_VMDIR_ERROR(ulError);
#else
    /* MS RPC: impersonate the caller, then open the impersonation token of
       this thread. TRUE = open as self, so the open is not affected by the
       impersonation itself. */
    ulError = RpcImpersonateClient( pBinding );
    BAIL_ON_VMDIR_ERROR(ulError);
    bImpersonated = TRUE;

    if ( OpenThreadToken(
            GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken) == 0 )
    {
        ulError = GetLastError();
        BAIL_ON_VMDIR_ERROR(ulError);
    }

#endif

    /* Diagnostic logging only; a failure here still denies the operation via error:. */
    ulError = LogAccessInfo(hToken, pSD, ulAccessDesired);
    BAIL_ON_VMDIR_ERROR(ulError);

    // Initialize generic mapping structure to map all.
    /* All four members are assigned explicitly right below, so the 0xff fill
       is overwritten entirely; it is kept for parity with the original intent. */
    memset(&genericMapping, 0xff, sizeof(GENERIC_MAPPING));

    /* GENERIC_EXECUTE maps to nothing: execute is never a grantable right here. */
    genericMapping.GenericRead    = GENERIC_READ;
    genericMapping.GenericWrite   = GENERIC_WRITE;
    genericMapping.GenericExecute = 0;
    genericMapping.GenericAll     = GENERIC_READ | GENERIC_WRITE;

    /* Translate GENERIC_* bits in the request into specific rights before the check. */
    VmDirMapGenericMask(&ulAccessDesired, &genericMapping);

    /* Verdict comes from the return value; ulError reports a failure of the
       check itself, which is then treated as a denial on the error path. */
    bAccessGranted = VmDirAccessCheck(
                        pSD,
                        hToken,
                        ulAccessDesired,
                        0,
                        &genericMapping,
                        &accessGranted,
                        &ulError);
    BAIL_ON_VMDIR_ERROR(ulError);

cleanup:

#if defined(_WIN32) && !defined(HAVE_DCERPC_WIN32)
    if( bImpersonated != FALSE )
    {
        DWORD rpcError = RpcRevertToSelfEx(pBinding);

        if( rpcError != RPC_S_OK )
        {
            // real bad, need to exit the process ....
            /* Continuing would leave this thread running with the caller's
               identity, so the process is terminated rather than risk it. */
            VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL,
                "RpcRevertToSelfEx failed with %d. Exiting process.",
                rpcError );
            ExitProcess(rpcError);
        }
    }

#endif

    if (hToken)
    {
        VmDirReleaseAccessToken(&hToken);
    }

    /* Denials are logged at error level so they are visible in audit review. */
    if (bAccessGranted)
    {
        VMDIR_LOG_VERBOSE(LDAP_DEBUG_ACL, "RPC Access GRANTED!");
    }
    else
    {
        VMDIR_LOG_ERROR(VMDIR_LOG_MASK_ALL, "RPC Access DENIED!");
    }

    return bAccessGranted;

error:

    /* Any failure before or during the check is fail-closed. */
    bAccessGranted = FALSE;

    goto cleanup;
#endif
}