//*********************************************************
//
// Copyright (c) Microsoft. All rights reserved.
// THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF
// ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY
// IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
// PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.
//
//*********************************************************
//
// This file contains the declarations for the CSecInfo class along
// with some helpful #defines and objects.
//
#ifndef _CSECINFO_H_
#define _CSECINFO_H_
#include <aclui.h>
#include <aclapi.h>
#include <windows.h>
#include "resource.h"
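// Evaluates to true only when every bit of fl is set in dw.
// fl is parenthesized on both sides of the comparison. Without that, a
// composite argument such as (A | B) binds as ((dw & (A | B)) == A) | B,
// which is non-zero for any dw, so a check against a combined permission
// mask would always pass.
// fl is expanded twice: do not pass an expression with side effects.
#define IS_FLAG_SET(dw,fl) (((dw) & (fl)) == (fl))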
// Object-specific access rights understood by this resource manager.
// Each right is a single bit, and all twelve sit in the low 16 bits of an
// ACCESS_MASK (the range reserved for object-specific rights). The trailing
// comment on each line is the label g_siForumsAccess gives that right.
#define CREATE_PERM          0x0001  // "Create"
#define READ_PERM            0x0002  // "Read"
#define VOTE_PERM            0x0004  // "Vote"
#define UPDATE_OWN_PERM      0x0008  // "Update / edit own content"
#define UPDATE_OTHERS_PERM   0x0010  // "Update / edit others' content"
#define HIDE_PERM            0x0020  // "Hide"
#define SHOW_PERM            0x0040  // "Show"
#define LOCK_PERM            0x0080  // "Lock"
#define UNLOCK_PERM          0x0100  // "Unlock"
#define DESTROY_PERM         0x0200  // "Destroy / delete"
#define VIEW_PERMS_PERM      0x0400  // "View permissions"
#define CHANGE_PERMS_PERM    0x0800  // "Change permissions"

// Permission tiers. As written, each tier is a superset of the previous one
// (post -> moderate -> administer), although tiers are not required to nest.
// Widening a lower tier therefore widens every tier above it.
#define GENERIC_POST_PERM \
    (CREATE_PERM | READ_PERM | VOTE_PERM | UPDATE_OWN_PERM)
#define GENERIC_MOD_PERM \
    (GENERIC_POST_PERM | UPDATE_OTHERS_PERM | HIDE_PERM | SHOW_PERM | \
     LOCK_PERM | UNLOCK_PERM)
#define GENERIC_ADMIN_PERM \
    (GENERIC_MOD_PERM | DESTROY_PERM | VIEW_PERMS_PERM | CHANGE_PERMS_PERM)
// Both inheritance flags together: child containers and child objects.
// Every g_siForumsAccess entry carries this value, whereas siSDKInheritTypes
// only ever offers CONTAINER_INHERIT_ACE.
#define INHERIT_FULL (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
// Generic-to-specific mapping for this resource manager's access rights,
// used on the basic ACL Editor page. GENERIC_MAPPING holds four masks in the
// order GenericRead, GenericWrite, GenericExecute, GenericAll.
// NOTE(review): only three masks are supplied, so GenericAll is zero and a
// GENERIC_ALL request mapped through this table would yield no rights.
// Confirm that this is intended rather than a missing GENERIC_ADMIN_PERM.
// `static` in a header gives each translation unit its own writable copy.
static GENERIC_MAPPING ObjectMap =
{
    GENERIC_POST_PERM,   // GenericRead
    GENERIC_MOD_PERM,    // GenericWrite
    GENERIC_ADMIN_PERM,  // GenericExecute
    0,                   // GenericAll (zero, now spelled out)
};
// Inheritance choices for an ACE (presumably the table handed back by
// GetInheritTypes - confirm against the implementation). Flag meanings:
//   OBJECT_INHERIT_ACE       - the parent and child OBJECTS only (e.g. files)
//   CONTAINER_INHERIT_ACE    - the parent and child CONTAINERS only (e.g. folders)
//   INHERIT_ONLY_ACE         - not the parent itself; must be combined with another flag
//   NO_PROPAGATE_INHERIT_ACE - direct children only, not grandchildren
//
// Only container inheritance is used in this table.
static SI_INHERIT_TYPE siSDKInheritTypes[] =
{
    { &GUID_NULL, 0,
      L"This object only" },
    { &GUID_NULL, CONTAINER_INHERIT_ACE,
      L"This object and children (sections/topics)" },
    { &GUID_NULL, INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE,
      L"Children (sections/topics) only" },
};
// Security-information object for this sample. It implements the four
// interfaces named in its base list: ISecurityInformation,
// ISecurityInformation3, IEffectivePermission2 and ISecurityObjectTypeInfo.
// Check m_bFailedToConstruct after construction before using an instance.
class CSecInfo :
    public ISecurityInformation,
    public ISecurityInformation3,
    public IEffectivePermission2,
    public ISecurityObjectTypeInfo
{
private:
    // Presumably the COM reference count driven by AddRef/Release, which are
    // defined elsewhere - confirm there whether updates are thread-safe.
    unsigned long m_cRef;
    const SI_ACCESS* m_AccessTable;
    ULONG m_AccessTableCount;
    ULONG m_DefaultAccess;
    PCWSTR m_defaultSecurityDescriptorSddl;
    OBJECT_TYPE_LIST m_objectTypeList;

    // Index (see ResourceIndices in resource.h) of the resource that is
    // currently being edited.
    int m_editingResource;

    // Every resource the sample keeps track of. The constructor sets these up.
    PRESOURCE* m_resources;

    // Flags that tell ACL UI what to show.
    DWORD m_dwSIFlags;

    // Walks the children of a container and sets their security.
    //   parentIndex - index of the parent (see ResourceIndices)
    //   si          - DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION,
    //                 or both
    //   pSD         - security descriptor of the parent
    HRESULT SetSecurityOfChildren(
        int parentIndex,
        THIS_ SECURITY_INFORMATION si,
        PSECURITY_DESCRIPTOR pSD);

    // Worker behind GetInheritSource that can be pointed at a specific child
    // rather than only at the object currently being edited.
    //   childIndex - index of the child (see ResourceIndices)
    HRESULT GetInheritSourceHelper(
        int childIndex,
        SECURITY_INFORMATION psi,
        PACL acl,
        PINHERITED_FROM *inheritArray);

    // Puts a DACL into canonical order. For more information, see:
    // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298(v=vs.85).aspx
    HRESULT OrderDacl(int childIndex, PACL *acl);

    // Takes a string form of a security descriptor, converts it to a
    // self-relative SD and then makes that SD absolute.
    HRESULT ConvertStringToAbsSD(
        _In_ PWSTR stringSD,
        _Outptr_ PSECURITY_DESCRIPTOR *sd);

public:
    // Set to true when the constructor hits an error.
    bool m_bFailedToConstruct;

    CSecInfo();
    virtual ~CSecInfo();

    // Records index as the resource being edited. The value is stored as
    // given; no range check is made here.
    void SetCurrentObject(int index) { m_editingResource = index; }

    // Returns the entry of m_resources at index. There is no bounds or null
    // check: the caller must pass a valid ResourceIndices value.
    // NOTE(review): m_resources is filled in by the constructor, so it may
    // not be usable when m_bFailedToConstruct is true - confirm.
    PRESOURCE GetResource(int index) { return m_resources[index]; }

    // IUnknown
    IFACEMETHODIMP QueryInterface(_In_ REFIID riid, _Outptr_ void **ppv);
    IFACEMETHODIMP_(ULONG) AddRef();
    IFACEMETHODIMP_(ULONG) Release();

    // ISecurityInformation
    IFACEMETHODIMP GetObjectInformation(THIS_ PSI_OBJECT_INFO pObjectInfo);
    IFACEMETHODIMP GetSecurity(
        THIS_ SECURITY_INFORMATION si,
        PSECURITY_DESCRIPTOR *sd,
        BOOL fDefault);
    IFACEMETHODIMP SetSecurity(
        THIS_ SECURITY_INFORMATION si,
        PSECURITY_DESCRIPTOR sd);
    IFACEMETHODIMP GetAccessRights(
        THIS_ const GUID* guidObjectType,
        DWORD dwFlags,
        PSI_ACCESS *access,
        ULONG *accesses,
        ULONG *defaultAccess);
    IFACEMETHODIMP MapGeneric(
        THIS_ const GUID *guidObjectType,
        UCHAR *aceFlags,
        ACCESS_MASK *mask);
    IFACEMETHODIMP GetInheritTypes(
        THIS_ PSI_INHERIT_TYPE *inheritTypes,
        ULONG *numInheritTypes);
    IFACEMETHODIMP PropertySheetPageCallback(
        THIS_ HWND hwnd,
        UINT uMsg,
        SI_PAGE_TYPE uPage);

    // ISecurityInformation3
    IFACEMETHODIMP GetFullResourceName(THIS_ _Outptr_ LPWSTR *resourceName);
    IFACEMETHODIMP OpenElevatedEditor(
        THIS_ _In_ HWND hWnd,
        _In_ SI_PAGE_TYPE uPage);

    // IEffectivePermission2
    // pSecurityObjects and pEffpermResultLists are both annotated as arrays
    // of dwSecurityObjectCount elements.
    STDMETHOD(ComputeEffectivePermissionWithSecondarySecurity)(THIS_
        _In_ PSID pSid,
        _In_opt_ PSID pDeviceSid,
        _In_ PCWSTR pszServerName,
        _Inout_updates_(dwSecurityObjectCount) PSECURITY_OBJECT pSecurityObjects,
        _In_ DWORD dwSecurityObjectCount,
        _In_opt_ PTOKEN_GROUPS pUserGroups,
        _When_(pUserGroups != nullptr && *pAuthzUserGroupsOperations != AUTHZ_SID_OPERATION_REPLACE_ALL,
               _In_reads_(pUserGroups->GroupCount))
        _In_opt_ PAUTHZ_SID_OPERATION pAuthzUserGroupsOperations,
        _In_opt_ PTOKEN_GROUPS pDeviceGroups,
        _When_(pDeviceGroups != nullptr && *pAuthzDeviceGroupsOperations != AUTHZ_SID_OPERATION_REPLACE_ALL,
               _In_reads_(pDeviceGroups->GroupCount))
        _In_opt_ PAUTHZ_SID_OPERATION pAuthzDeviceGroupsOperations,
        _In_opt_ PAUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzUserClaims,
        _When_(pAuthzUserClaims != nullptr && *pAuthzUserClaimsOperations != AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL,
               _In_reads_(pAuthzUserClaims->AttributeCount))
        _In_opt_ PAUTHZ_SECURITY_ATTRIBUTE_OPERATION pAuthzUserClaimsOperations,
        _In_opt_ PAUTHZ_SECURITY_ATTRIBUTES_INFORMATION pAuthzDeviceClaims,
        _When_(pAuthzDeviceClaims != nullptr && *pAuthzDeviceClaimsOperations != AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL,
               _In_reads_(pAuthzDeviceClaims->AttributeCount))
        _In_opt_ PAUTHZ_SECURITY_ATTRIBUTE_OPERATION pAuthzDeviceClaimsOperations,
        _Inout_updates_(dwSecurityObjectCount) PEFFPERM_RESULT_LIST pEffpermResultLists);

    // ISecurityObjectTypeInfo
    STDMETHOD(GetInheritSource)(
        SECURITY_INFORMATION psi,
        PACL acl,
        PINHERITED_FROM *ppInheritArray);
};
// Describes each right in this resource manager's access mask. The table is
// constant, and ACLUI displays these strings in its UI. Every entry's flags
// combine SI_ACCESS_* display flags with INHERIT_FULL.
const SI_ACCESS g_siForumsAccess[] =
{
    // Tiered rights, flagged SI_ACCESS_GENERAL. "Administer" is also flagged
    // SI_ACCESS_SPECIFIC.
    { &GUID_NULL, GENERIC_ADMIN_PERM, L"Administer",                    SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, GENERIC_MOD_PERM,   L"Moderate",                      SI_ACCESS_GENERAL | INHERIT_FULL },
    { &GUID_NULL, GENERIC_POST_PERM,  L"Post",                          SI_ACCESS_GENERAL | INHERIT_FULL },

    // Advanced rights: one entry per individual permission bit.
    { &GUID_NULL, CREATE_PERM,        L"Create",                        SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, READ_PERM,          L"Read",                          SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, VOTE_PERM,          L"Vote",                          SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, UPDATE_OWN_PERM,    L"Update / edit own content",     SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, UPDATE_OTHERS_PERM, L"Update / edit others' content", SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, HIDE_PERM,          L"Hide",                          SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, SHOW_PERM,          L"Show",                          SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, LOCK_PERM,          L"Lock",                          SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, UNLOCK_PERM,        L"Unlock",                        SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, DESTROY_PERM,       L"Destroy / delete",              SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, VIEW_PERMS_PERM,    L"View permissions",              SI_ACCESS_SPECIFIC | INHERIT_FULL },
    { &GUID_NULL, CHANGE_PERMS_PERM,  L"Change permissions",            SI_ACCESS_SPECIFIC | INHERIT_FULL },
};
#endif // _CSECINFO_H_