DWORD
VmAfdCheckOwnerShipWithHandle (
PVECS_SRV_STORE_HANDLE pStore,
PVM_AFD_CONNECTION_CONTEXT pConnectionContext
)
{
DWORD dwError = 0;
PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
if (!pStore ||
!pConnectionContext ||
!pConnectionContext->pSecurityContext
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
dwError = VmAfdGetSecurityDescriptorFromHandle (
pStore,
&pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
if (!(VmAfdIsRootSecurityContext (pConnectionContext)))
{
if (!(VmAfdEqualsSecurityContext(
pConnectionContext->pSecurityContext,
pSecurityDescriptor->pOwnerSecurityContext
)
))
{
dwError = ERROR_ACCESS_DENIED;
BAIL_ON_VMAFD_ERROR (dwError);
}
}
cleanup:
if (pSecurityDescriptor)
{
VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
}
return dwError;
error:
goto cleanup;
}
DWORD
VmAfdAccessCheckWithHandle (
PVECS_SRV_STORE_HANDLE pStore,
PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
DWORD dwDesiredAccess
)
{
DWORD dwError = 0;
DWORD dwLogError = 0;
PVECS_SERV_STORE pStoreInfo = NULL;
PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
PWSTR pszAccountName = NULL;
if (!pStore ||
!pConnectionContext ||
!pConnectionContext->pSecurityContext
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
if ((dwDesiredAccess | VECS_MAXIMUM_ALLOWED_MASK) !=
VECS_MAXIMUM_ALLOWED_MASK
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
/*
* We don't care about dwLogError errors because they are
* used solely for logging purpose. Even if some call fails,
* the function should not fail
*/
dwLogError = VmAfdAllocateNameFromContext (
pConnectionContext->pSecurityContext,
&pszAccountName
);
dwLogError = VmAfdGetStoreFromHandle (
pStore,
pConnectionContext->pSecurityContext,
&pStoreInfo
);
if (
!IsNullOrEmptyString(pszAccountName) &&
pStoreInfo
)
{
PSTR paszAccountName = NULL;
dwLogError = VmAfdAllocateStringAFromW(
pszAccountName,
&paszAccountName
);
if (paszAccountName)
{
switch (dwDesiredAccess)
{
case READ_STORE:
VmAfdLog (VMAFD_DEBUG_DEBUG,
"User %s requested READ operation on Store with ID: %d",
paszAccountName,
pStoreInfo->dwStoreId
);
break;
case WRITE_STORE:
VmAfdLog (VMAFD_DEBUG_DEBUG,
"User %s requested WRITE operation on Store with ID:%d",
paszAccountName,
pStoreInfo->dwStoreId
);
break;
default:
break;
}
}
else
{
VmAfdLog(VMAFD_DEBUG_ANY, "%s log failed. error(%u)", __FUNCTION__, dwLogError);
}
VMAFD_SAFE_FREE_MEMORY (paszAccountName);
}
dwError = VmAfdGetSecurityDescriptorFromHandle (
pStore,
&pSecurityDescriptor
);
BAIL_ON_VMAFD_ERROR (dwError);
if (!(VmAfdIsRootSecurityContext (pConnectionContext)))
{
if (!(VmAfdEqualsSecurityContext(
pConnectionContext->pSecurityContext,
pSecurityDescriptor->pOwnerSecurityContext
)
))
{
dwError = VmAfdCheckAcl (
pSecurityDescriptor,
pConnectionContext->pSecurityContext,
dwDesiredAccess
);
BAIL_ON_VMAFD_ERROR (dwError);
}
}
cleanup:
VMAFD_SAFE_FREE_MEMORY (pszAccountName);
VMAFD_SAFE_FREE_MEMORY (pStoreInfo);
if (pSecurityDescriptor)
{
VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
}
return dwError;
error:
goto cleanup;
}
DWORD
VecsSrvEnumFilteredStores (
PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
PWSTR **ppwszStoreNames,
PDWORD pdwCount
)
{
DWORD dwError = 0;
DWORD dwCount = 0;
PBYTE pContextBlob = NULL;
DWORD dwContextSize = 0;
DWORD dwContextSizeRead = 0;
PWSTR *pwszStoreName = NULL;
if (!pConnectionContext ||
!pConnectionContext->pSecurityContext ||
!ppwszStoreNames ||
!pdwCount
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
if (VmAfdIsRootSecurityContext(pConnectionContext))
{
dwError = VecsSrvEnumCertStore(
&pwszStoreName,
&dwCount
);
BAIL_ON_VMAFD_ERROR (dwError);
}
else
{
dwError = VmAfdGetSecurityContextSize (
pConnectionContext->pSecurityContext,
&dwContextSize
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdAllocateMemory (
dwContextSize,
(PVOID *) &pContextBlob
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdEncodeSecurityContext (
pConnectionContext->pSecurityContext,
pContextBlob,
dwContextSize,
&dwContextSizeRead
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VecsDbEnumFilteredStores (
pContextBlob,
dwContextSizeRead,
&pwszStoreName,
&dwCount
);
BAIL_ON_VMAFD_ERROR (dwError);
}
*ppwszStoreNames = pwszStoreName;
*pdwCount = dwCount;
cleanup:
VMAFD_SAFE_FREE_MEMORY (pContextBlob);
return dwError;
error:
if (ppwszStoreNames)
{
*ppwszStoreNames = NULL;
}
if (pwszStoreName)
{
VmAfdFreeStringArrayW (pwszStoreName, dwCount);
}
if (pdwCount)
{
*pdwCount = 0;
}
goto cleanup;
}
