/*
 * Decide whether the caller behind pConnectionContext may act as the owner
 * of the store referenced by pStore.
 *
 * A context for which VmAfdIsRootSecurityContext() is true passes without an
 * owner comparison. Any other caller passes only if its security context
 * equals the owner recorded in the store's security descriptor.
 *
 * Returns:
 *   0                        caller is root or the store owner
 *   ERROR_INVALID_PARAMETER  pStore, pConnectionContext or its
 *                            pSecurityContext is NULL
 *   ERROR_ACCESS_DENIED      non-root caller is not the owner
 *   other                    whatever VmAfdGetSecurityDescriptorFromHandle
 *                            reported
 *
 * BAIL_ON_VMAFD_ERROR is presumably "goto error when dwError is non-zero";
 * the macro is not defined in this block -- confirm.
 */
DWORD
VmAfdCheckOwnerShipWithHandle (
    PVECS_SRV_STORE_HANDLE pStore,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext
    )
{
    DWORD dwError = 0;
    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;

    /* Reject incomplete input before touching any security state. */
    if (pStore == NULL ||
        pConnectionContext == NULL ||
        pConnectionContext->pSecurityContext == NULL)
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                    pStore,
                    &pSecurityDescriptor
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    /*
     * NOTE(review): pSecurityDescriptor is dereferenced below on the
     * assumption that a successful getter never leaves it NULL, and that
     * VmAfdEqualsSecurityContext copes with whatever pOwnerSecurityContext
     * holds -- confirm both against the helpers.
     *
     * The root test is evaluated first; the owner comparison only runs for
     * non-root callers.
     */
    if (!VmAfdIsRootSecurityContext (pConnectionContext) &&
        !VmAfdEqualsSecurityContext (
                    pConnectionContext->pSecurityContext,
                    pSecurityDescriptor->pOwnerSecurityContext
                    ))
    {
        dwError = ERROR_ACCESS_DENIED;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

cleanup:

    /* The descriptor obtained above is released on every exit path. */
    if (pSecurityDescriptor != NULL)
    {
        VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
    }

    return dwError;

error:

    goto cleanup;
}
/*
 * Check whether the caller behind pConnectionContext may perform
 * dwDesiredAccess on the store referenced by pStore.
 *
 * Decision order, as implemented below:
 *   1. a root context (VmAfdIsRootSecurityContext) is allowed;
 *   2. the owner recorded in the store's security descriptor is allowed;
 *   3. everyone else gets the result of VmAfdCheckAcl().
 *
 * Returns:
 *   0                        access allowed
 *   ERROR_INVALID_PARAMETER  a required pointer is NULL, or dwDesiredAccess
 *                            has bits outside VECS_MAXIMUM_ALLOWED_MASK
 *   other                    error from VmAfdGetSecurityDescriptorFromHandle
 *                            or VmAfdCheckAcl
 *
 * BAIL_ON_VMAFD_ERROR is presumably "goto error when dwError is non-zero";
 * the macro is not defined in this block -- confirm.
 *
 * NOTE(review): the request is traced only at VMAFD_DEBUG_DEBUG and nothing
 * in this function logs a denial. If the access checks are meant to leave an
 * audit trail, confirm it is produced elsewhere.
 */
DWORD
VmAfdAccessCheckWithHandle (
    PVECS_SRV_STORE_HANDLE pStore,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
    DWORD dwDesiredAccess
    )
{
    DWORD dwError = 0;
    DWORD dwLogError = 0;
    PVECS_SERV_STORE pStoreInfo = NULL;
    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    PWSTR pszAccountName = NULL;

    if (pStore == NULL ||
        pConnectionContext == NULL ||
        pConnectionContext->pSecurityContext == NULL)
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    /*
     * Refuse any request carrying a bit that is not part of the allowed
     * mask.
     *
     * NOTE(review): dwDesiredAccess == 0 satisfies this test and is passed
     * on to VmAfdCheckAcl for non-owner callers -- confirm an empty request
     * is handled as intended there.
     */
    if ((dwDesiredAccess | VECS_MAXIMUM_ALLOWED_MASK) !=
                                        VECS_MAXIMUM_ALLOWED_MASK)
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    /*
     * Best-effort request tracing. Failures here are kept in dwLogError and
     * never reach dwError, so they cannot change the access decision.
     * The results of the first two calls are overwritten before anything
     * reads them; only a failed wide-to-narrow conversion is reported.
     */
    dwLogError = VmAfdAllocateNameFromContext (
                    pConnectionContext->pSecurityContext,
                    &pszAccountName
                    );

    dwLogError = VmAfdGetStoreFromHandle (
                    pStore,
                    pConnectionContext->pSecurityContext,
                    &pStoreInfo
                    );

    if (!IsNullOrEmptyString(pszAccountName) && pStoreInfo)
    {
        PSTR paszAccountName = NULL;

        dwLogError = VmAfdAllocateStringAFromW(
                        pszAccountName,
                        &paszAccountName
                        );

        if (!paszAccountName)
        {
            VmAfdLog(VMAFD_DEBUG_ANY,
                     "%s log failed. error(%u)",
                     __FUNCTION__,
                     dwLogError);
        }
        else if (dwDesiredAccess == READ_STORE)
        {
            VmAfdLog (VMAFD_DEBUG_DEBUG,
                      "User %s requested READ operation on Store with ID: %d",
                      paszAccountName,
                      pStoreInfo->dwStoreId
                      );
        }
        else if (dwDesiredAccess == WRITE_STORE)
        {
            VmAfdLog (VMAFD_DEBUG_DEBUG,
                      "User %s requested WRITE operation on Store with ID:%d",
                      paszAccountName,
                      pStoreInfo->dwStoreId
                      );
        }
        /* Any other access value is not traced. */

        VMAFD_SAFE_FREE_MEMORY (paszAccountName);
    }

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                    pStore,
                    &pSecurityDescriptor
                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    /*
     * Root and the store owner skip the ACL. The tests short-circuit in
     * that order, so the ACL is consulted only for a non-root, non-owner
     * caller.
     *
     * NOTE(review): assumes a successful getter never leaves
     * pSecurityDescriptor NULL -- confirm.
     */
    if (!VmAfdIsRootSecurityContext (pConnectionContext) &&
        !VmAfdEqualsSecurityContext (
                    pConnectionContext->pSecurityContext,
                    pSecurityDescriptor->pOwnerSecurityContext
                    ))
    {
        dwError = VmAfdCheckAcl (
                        pSecurityDescriptor,
                        pConnectionContext->pSecurityContext,
                        dwDesiredAccess
                        );
        BAIL_ON_VMAFD_ERROR (dwError);
    }

cleanup:

    /* Release everything acquired above, on success and failure alike. */
    VMAFD_SAFE_FREE_MEMORY (pszAccountName);
    VMAFD_SAFE_FREE_MEMORY (pStoreInfo);

    if (pSecurityDescriptor != NULL)
    {
        VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
    }

    return dwError;

error:

    goto cleanup;
}
/*
 * Produce the list of store names for the caller behind pConnectionContext.
 *
 * A root context (VmAfdIsRootSecurityContext) gets the result of
 * VecsSrvEnumCertStore(). Any other caller has its security context encoded
 * into a byte blob, which is handed to VecsDbEnumFilteredStores();
 * presumably that call restricts the result to stores this context may see
 * -- confirm against its implementation.
 *
 * On success *ppwszStoreNames receives the array and *pdwCount its length.
 * The array is not freed here; the error path releases it with
 * VmAfdFreeStringArrayW, so callers presumably do the same -- confirm.
 * On failure both outputs are reset to NULL / 0 where the pointers are
 * usable.
 *
 * Returns 0 on success, ERROR_INVALID_PARAMETER when any required pointer
 * is NULL, otherwise the error of the helper that failed.
 *
 * BAIL_ON_VMAFD_ERROR is presumably "goto error when dwError is non-zero";
 * the macro is not defined in this block -- confirm.
 */
DWORD
VecsSrvEnumFilteredStores (
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
    PWSTR **ppwszStoreNames,
    PDWORD pdwCount
    )
{
    DWORD dwError = 0;
    DWORD dwCount = 0;
    PBYTE pContextBlob = NULL;
    DWORD dwContextSize = 0;
    DWORD dwContextSizeRead = 0;
    PWSTR *pwszStoreName = NULL;

    if (pConnectionContext == NULL ||
        pConnectionContext->pSecurityContext == NULL ||
        ppwszStoreNames == NULL ||
        pdwCount == NULL)
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    if (!VmAfdIsRootSecurityContext(pConnectionContext))
    {
        /* Non-root: serialize the caller's context for the lookup. */
        dwError = VmAfdGetSecurityContextSize (
                        pConnectionContext->pSecurityContext,
                        &dwContextSize
                        );
        BAIL_ON_VMAFD_ERROR (dwError);

        dwError = VmAfdAllocateMemory (
                        dwContextSize,
                        (PVOID *) &pContextBlob
                        );
        BAIL_ON_VMAFD_ERROR (dwError);

        dwError = VmAfdEncodeSecurityContext (
                        pConnectionContext->pSecurityContext,
                        pContextBlob,
                        dwContextSize,
                        &dwContextSizeRead
                        );
        BAIL_ON_VMAFD_ERROR (dwError);

        /*
         * The lookup is given dwContextSizeRead, the length reported by the
         * encoder, not the allocation size.
         * NOTE(review): nothing here checks dwContextSizeRead against
         * dwContextSize; presumably the encoder bounds it -- confirm.
         */
        dwError = VecsDbEnumFilteredStores (
                        pContextBlob,
                        dwContextSizeRead,
                        &pwszStoreName,
                        &dwCount
                        );
        BAIL_ON_VMAFD_ERROR (dwError);
    }
    else
    {
        /* Root: no per-context lookup is applied. */
        dwError = VecsSrvEnumCertStore(
                        &pwszStoreName,
                        &dwCount
                        );
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    /* Outputs are written only after every step has succeeded. */
    *ppwszStoreNames = pwszStoreName;
    *pdwCount = dwCount;

cleanup:

    /* The encoded context is scratch data and is released on every path. */
    VMAFD_SAFE_FREE_MEMORY (pContextBlob);

    return dwError;

error:

    /* Drop any partial result and leave the outputs empty. */
    if (pwszStoreName != NULL)
    {
        VmAfdFreeStringArrayW (pwszStoreName, dwCount);
    }
    if (ppwszStoreNames != NULL)
    {
        *ppwszStoreNames = NULL;
    }
    if (pdwCount != NULL)
    {
        *pdwCount = 0;
    }

    goto cleanup;
}