NTSTATUS DsrSrvInitAuthInfo( IN handle_t hBinding, OUT PACCESS_TOKEN *ppAccessToken ) { NTSTATUS ntStatus = STATUS_SUCCESS; unsigned32 rpcStatus = 0; rpc_binding_inq_access_token_caller( hBinding, ppAccessToken, &rpcStatus); ntStatus = LwRpcStatusToNtStatus(rpcStatus); BAIL_ON_NTSTATUS_ERROR(ntStatus); cleanup: return ntStatus; error: goto cleanup; }
DWORD LWICheckSecurity( handle_t hBindingHandle, ACCESS_MASK dwAccessMask ) { DWORD dwError = ERROR_SUCCESS; volatile unsigned32 rpcError; PACCESS_TOKEN pUserToken = NULL; TRY { rpc_binding_inq_access_token_caller( hBindingHandle, &pUserToken, (unsigned32*)&rpcError); } CATCH_ALL ENDTRY; BAIL_ON_DCE_ERROR(dwError, rpcError); dwError = EVTCheckAllowed( pUserToken, dwAccessMask); BAIL_ON_EVT_ERROR(dwError); error: if (pUserToken) { RtlReleaseAccessToken(&pUserToken); } return dwError; }
NTSTATUS LsaSrvInitAuthInfo( IN handle_t hBinding, OUT PPOLICY_CONTEXT pPolCtx ) { NTSTATUS ntStatus = STATUS_SUCCESS; unsigned32 rpcStatus = 0; rpc_transport_info_handle_t hTransportInfo = NULL; DWORD dwProtSeq = rpc_c_invalid_protseq_id; rpc_binding_inq_access_token_caller( hBinding, &pPolCtx->pUserToken, &rpcStatus); ntStatus = LwRpcStatusToNtStatus(rpcStatus); BAIL_ON_NTSTATUS_ERROR(ntStatus); rpc_binding_inq_transport_info(hBinding, &hTransportInfo, &rpcStatus); ntStatus = LwRpcStatusToNtStatus(rpcStatus); BAIL_ON_NTSTATUS_ERROR(ntStatus); if (hTransportInfo) { rpc_binding_inq_prot_seq(hBinding, (unsigned32*)&dwProtSeq, &rpcStatus); ntStatus = LwRpcStatusToNtStatus(rpcStatus); BAIL_ON_NTSTATUS_ERROR(ntStatus); switch (dwProtSeq) { case rpc_c_protseq_id_ncacn_np: ntStatus = LsaSrvInitNpAuthInfo(hTransportInfo, pPolCtx); BAIL_ON_NTSTATUS_ERROR(ntStatus); break; } } cleanup: return ntStatus; error: LsaSrvFreeAuthInfo(pPolCtx); goto cleanup; }
BOOL VmDirIsRpcOperationAllowed( handle_t pBinding, PSECURITY_DESCRIPTOR_ABSOLUTE pSD, ULONG ulAccessDesired ) { #if defined(HAVE_DCERPC_WIN32) VMDIR_LOG_VERBOSE(LDAP_DEBUG_ACL, "RPC Access GRANTED!"); return TRUE; #else ULONG ulError = ERROR_SUCCESS; PACCESS_TOKEN hToken = NULL; ACCESS_MASK accessGranted = 0; BOOLEAN bAccessGranted = FALSE; GENERIC_MAPPING genericMapping = {0}; #if defined(_WIN32) && !defined(HAVE_DCERPC_WIN32) BOOLEAN bImpersonated = FALSE; #endif #if !defined(_WIN32) || defined(HAVE_DCERPC_WIN32) rpc_binding_inq_access_token_caller(pBinding, &hToken, &ulError); BAIL_ON_VMDIR_ERROR(ulError); #else ulError = RpcImpersonateClient( pBinding ); BAIL_ON_VMDIR_ERROR(ulError); bImpersonated = TRUE; if ( OpenThreadToken( GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken) == 0 ) { ulError = GetLastError(); BAIL_ON_VMDIR_ERROR(ulError); } #endif ulError = LogAccessInfo(hToken, pSD, ulAccessDesired); BAIL_ON_VMDIR_ERROR(ulError); // Initialize generic mapping structure to map all. memset(&genericMapping, 0xff, sizeof(GENERIC_MAPPING)); genericMapping.GenericRead = GENERIC_READ; genericMapping.GenericWrite = GENERIC_WRITE; genericMapping.GenericExecute = 0; genericMapping.GenericAll = GENERIC_READ | GENERIC_WRITE; VmDirMapGenericMask(&ulAccessDesired, &genericMapping); bAccessGranted = VmDirAccessCheck( pSD, hToken, ulAccessDesired, 0, &genericMapping, &accessGranted, &ulError); BAIL_ON_VMDIR_ERROR(ulError); cleanup: #if defined(_WIN32) && !defined(HAVE_DCERPC_WIN32) if( bImpersonated != FALSE ) { DWORD rpcError = RpcRevertToSelfEx(pBinding); if( rpcError != RPC_S_OK ) { // real bad, need to exit the process .... VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL, "RpcRevertToSelfEx failed with %d. Exiting process.", rpcError ); ExitProcess(rpcError); } } #endif if (hToken) { VmDirReleaseAccessToken(&hToken); } if (bAccessGranted) { VMDIR_LOG_VERBOSE(LDAP_DEBUG_ACL, "RPC Access GRANTED!"); } else { VMDIR_LOG_ERROR(VMDIR_LOG_MASK_ALL, "RPC Access DENIED!"); } return bAccessGranted; error: bAccessGranted = FALSE; goto cleanup; #endif }