geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

New client components for Casa Authentication.

Browse Source
This commit is contained in:
Juan Carlos Luciani
2006-04-03 20:20:37 +00:00
parent a9706c411b
commit 433354e858
40 changed files with 10893 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

875
auth_token/client/win32/cache.c Normal file
View File

@@ -0,0 +1,875 @@
/***********************************************************************
*
* Copyright (C) 2006 Novell, Inc. All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; version 2.1
* of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, Novell, Inc.
*
* To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com.
*
* Author: Juan Carlos Luciani <jluciani@novell.com>
*
***********************************************************************/
//===[ Include files ]=====================================================
#include "internal.h"
//===[ Type definitions ]==================================================
//
// Registry Key/Value defines used in the AuthCache
//
#define CASA_AUTH_CACHE_REG_KEY "CASA_Auth_Cache"
#define CREATION_TIME_REG_VALUE "CreationTime"
#define EXPIRATION_TIME_REG_VALUE "ExpirationTime"
#define STATUS_REG_VALUE "Status"
#define TOKEN_REG_VALUE "Token"
//===[ Function prototypes ]===============================================
//===[ Global variables ]==================================================
// In memory auth cache list head
LIST_ENTRY authCacheListHead;
//++=======================================================================
AuthCacheEntry*
CreateAuthCacheEntry(
IN char *pCacheKeyName,
IN char *pHostName)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L1
//=======================================================================--
{
AuthCacheEntry *pEntry;
DbgTrace(1, "-CreateAuthCacheEntry- Start\n", 0);
// Allocate space for the entry
pEntry = (AuthCacheEntry*) malloc(sizeof(*pEntry));
if (pEntry)
{
// Zero the entry
memset(pEntry, 0, sizeof(*pEntry));
// Now allocate buffers to maintain copies of the CacheKeyName and host names
pEntry->pCacheKeyName = (char*) malloc(strlen(pCacheKeyName) + 1);
if (pEntry->pCacheKeyName)
{
pEntry->pHostName = (char*) malloc(strlen(pHostName) + 1);
if (pEntry->pHostName)
{
// Save the names within the entry
strcpy(pEntry->pCacheKeyName, pCacheKeyName);
strcpy(pEntry->pHostName, pHostName);
}
else
{
DbgTrace(0, "-CreateAuthCacheEntry- Unable to allocate buffer for host name\n", 0);
// Free allocated resources
free(pEntry->pCacheKeyName);
free(pEntry);
// Adjust return parameter
pEntry = NULL;
}
}
else
{
DbgTrace(0, "-CreateAuthCacheEntry- Unable to allocate buffer for the CacheKeyName\n", 0);
// Free allocated resources
free(pEntry);
// Adjust return parameter
pEntry = NULL;
}
}
else
{
DbgTrace(0, "-CreateAuthCacheEntry- Unable to allocate buffer for auth cache entry\n", 0);
}
DbgTrace(1, "-CreateAuthCacheEntry- End, pEntry = %08X\n", pEntry);
return pEntry;
}
//++=======================================================================
void
FreeAuthCacheEntry(
IN AuthCacheEntry *pEntry)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L1
//=======================================================================--
{
DbgTrace(1, "-FreeAuthCacheEntry- Start\n", 0);
// Free resources associated with the entry
if (pEntry->pToken)
free(pEntry->pToken);
if (pEntry->pHostName)
free(pEntry->pHostName);
if (pEntry->pCacheKeyName)
free(pEntry->pCacheKeyName);
// Free the entry
free(pEntry);
DbgTrace(1, "-FreeAuthCacheEntry- End\n", 0);
}
//++=======================================================================
static
BOOL
CacheEntryLifetimeExpired(
IN DWORD creationTime,
IN DWORD expirationTime)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L1
//=======================================================================--
{
DWORD currentTime = GetTickCount();
BOOL expired = FALSE;
DbgTrace(2, "-CacheEntryLifetimeExpired- Start\n", 0);
// Check if the clock has wrapped
if (currentTime >= creationTime)
{
// The clock has not wrapped, check if the
// expiration time has wrapped.
if (expirationTime > creationTime)
{
// The expiration time also has not wrapped,
// do a straight compare against the current
// time.
if (currentTime >= expirationTime)
{
// It has expired
expired = TRUE;
}
}
}
else
{
// The clock has wrapped, check if the expiration
// time also wrapped.
if (expirationTime > creationTime)
{
// The expiration time did not wrap, therefore
// it has been exceeded since the clock wrapped.
expired = TRUE;
}
else
{
// The expiration time also wrapped, do a straight
// compare against the current time.
if (currentTime >= expirationTime)
{
// It has expired
expired = TRUE;
}
}
}
DbgTrace(2, "-CacheEntryLifetimeExpired- End, result = %08X\n", expired);
return expired;
}
//++=======================================================================
AuthCacheEntry*
FindEntryInAuthCache(
IN char *pCacheKeyName,
IN char *pHostName)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L1
//=======================================================================--
{
AuthCacheEntry *pEntry = NULL;
LIST_ENTRY *pListEntry;
DbgTrace(1, "-FindEntryInAuthCache- Start\n", 0);
// Examine the cache, if entry found then check if it has expired
// in which case we would want to remove it from the cache.
// First look through the entries in our in-memory cache
pListEntry = authCacheListHead.Flink;
while (pListEntry != &authCacheListHead)
{
AuthCacheEntry *pWrkEntry;
// get a pointer to the entry
pWrkEntry = CONTAINING_RECORD(pListEntry, AuthCacheEntry, listEntry);
// Check if this is an entry for the appropriate host
if (strcmp(pHostName, pWrkEntry->pHostName) == 0)
{
// This is an entry for the appropriate host, now check if it is
// also for the appropriate CacheKeyName
if (strcmp(pCacheKeyName, pWrkEntry->pCacheKeyName) == 0)
{
// This entry is for the appropriate CacheKeyName, check if it
// has not expired.
if (CacheEntryLifetimeExpired(pWrkEntry->creationTime, pWrkEntry->expirationTime))
{
// The lifetime of the entry has expired, remove it from the in-memory cache
// and free it.
RemoveEntryList(&pWrkEntry->listEntry);
FreeAuthCacheEntry(pWrkEntry);
}
else
{
// This cache entry is still good, use it.
pEntry = pWrkEntry;
}
// No need to keep looking in the in-memory cache
break;
}
}
// Advance to the next entry
pListEntry = pListEntry->Flink;
}
// Look in the persistent cache if an entry was not found in the in-memory cache
if (pEntry == NULL)
{
LONG status;
HKEY hCASARegKey;
// Open CASA Auth Cache Key
status = RegOpenKeyExA(HKEY_CURRENT_USER,
CASA_AUTH_CACHE_REG_KEY,
0,
KEY_ALL_ACCESS,
&hCASARegKey);
if (status == ERROR_SUCCESS)
{
HKEY hHostRegKey;
// CASA Auth Cache key opened, now try to open
// key for the host.
status = RegOpenKeyExA(hCASARegKey,
pHostName,
0,
KEY_ALL_ACCESS,
&hHostRegKey);
if (status == ERROR_SUCCESS)
{
HKEY hCacheKeyNameRegKey;
// Host key opened, now try to open key
// for the CacheKeyName.
status = RegOpenKeyExA(hHostRegKey,
pCacheKeyName,
0,
KEY_ALL_ACCESS,
&hCacheKeyNameRegKey);
if (status == ERROR_SUCCESS)
{
DWORD creationTime;
DWORD expirationTime;
BOOL deleteCacheKeyNameKey = TRUE;
DWORD variableSz;
// Key for the CacheKeyName key opened, now determine whether
// or not its lifetime has expired.
//
// Read the creation time value
variableSz = sizeof(creationTime);
status = RegQueryValueExA(hCacheKeyNameRegKey,
CREATION_TIME_REG_VALUE,
NULL,
NULL,
(LPBYTE) &creationTime,
&variableSz);
if (status == ERROR_SUCCESS)
{
// Read the expiration time
variableSz = sizeof(expirationTime);
status = RegQueryValueExA(hCacheKeyNameRegKey,
EXPIRATION_TIME_REG_VALUE,
NULL,
NULL,
(LPBYTE) &expirationTime,
&variableSz);
if (status == ERROR_SUCCESS)
{
// Check if the extry lifetime has been exceeded
if (CacheEntryLifetimeExpired(creationTime, expirationTime) == FALSE)
{
// Create a AuthCacheEntry
pEntry = CreateAuthCacheEntry(pCacheKeyName, pHostName);
if (pEntry)
{
BOOL entryInitialized = FALSE;
// Start setting up the AuthCacheEntry
pEntry->creationTime = creationTime;
pEntry->expirationTime = expirationTime;
// Read the status
variableSz = sizeof(pEntry->status);
status = RegQueryValueExA(hCacheKeyNameRegKey,
STATUS_REG_VALUE,
NULL,
NULL,
(LPBYTE) &pEntry->status,
&variableSz);
if (status == ERROR_SUCCESS)
{
// Check if there is also an auth token associated with
// this entry.
if (pEntry->status == CASA_STATUS_SUCCESS)
{
DWORD tokenSz = 0;
// There should be an auth token associated with this CacheKeyName,
// first determine what size buffer to allocate for it.
status = RegQueryValueExA(hCacheKeyNameRegKey,
TOKEN_REG_VALUE,
NULL,
NULL,
(LPBYTE) pEntry->pToken,
&tokenSz);
if (status == ERROR_SUCCESS
|| status == ERROR_MORE_DATA)
{
// Allocate buffer to hold the auth token
pEntry->pToken = (char*) malloc(tokenSz);
if (pEntry->pToken)
{
// Now read token into the allocated buffer
status = RegQueryValueExA(hCacheKeyNameRegKey,
TOKEN_REG_VALUE,
NULL,
NULL,
(LPBYTE) pEntry->pToken,
&tokenSz);
if (status == ERROR_SUCCESS)
{
// The cache entry has been properly initialized,
// add it to the in-memory cache.
entryInitialized = TRUE;
deleteCacheKeyNameKey = FALSE;
InsertHeadList(&authCacheListHead, &pEntry->listEntry);
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Error reading token, status = %d\n", status);
}
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Unable to allocate buffer for token\n", 0);
}
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Error reading token2, status = %d\n", status);
}
}
else
{
// There is no auth token associated with this entry
//
// The cache entry has been properly initialized,
// add it to the in-memory cache.
entryInitialized = TRUE;
deleteCacheKeyNameKey = FALSE;
InsertHeadList(&authCacheListHead, &pEntry->listEntry);
}
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Error reading status, status = %d\n", status);
}
// Free the auth cache entry if it was not successfully initialized
if (entryInitialized == FALSE)
{
FreeAuthCacheEntry(pEntry);
pEntry = NULL;
}
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Error creating auth cache entry\n", 0);
}
}
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Error reading expiration time, status = %d\n", status);
}
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Error reading creation time, status = %d\n", status);
}
// Close CacheKeyName key
RegCloseKey(hCacheKeyNameRegKey);
// Delete the CacheKeyName key if necessary
if (deleteCacheKeyNameKey)
{
RegDeleteKey(hHostRegKey, pCacheKeyName);
}
}
// Close host key
RegCloseKey(hHostRegKey);
}
// Close CASA_Auth_Cache key
RegCloseKey(hCASARegKey);
}
else
{
DbgTrace(0, "-FindEntryInAuthCache- Error opening CASA Auth Cache key, status = %d\n", status);
}
}
DbgTrace(1, "-FindEntryInAuthCache- End, pEntry = %08X\n", pEntry);
return pEntry;
}
//++=======================================================================
void
AddEntryToAuthCache(
IN AuthCacheEntry *pEntry,
IN int entryLifetime) // seconds
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L1
//=======================================================================--
{
LONG status;
HKEY hCASARegKey;
DbgTrace(1, "-AddEntryToAuthCache- Start\n", 0);
// Set the time when the entry was added to the cache
pEntry->creationTime = GetTickCount();
// First determine the time when the entry is due to expire
pEntry->expirationTime = pEntry->creationTime + (entryLifetime * 1000);
// Save the entry in our persistent cache (registry)
//
// Open CASA Auth Cache key
status = RegOpenKeyExA(HKEY_CURRENT_USER,
CASA_AUTH_CACHE_REG_KEY,
0,
KEY_ALL_ACCESS,
&hCASARegKey);
if (status == ERROR_SUCCESS)
{
HKEY hHostRegKey;
// CASA_Auth_Cache key created or opened, now open or create key for the host.
status = RegCreateKeyExA(hCASARegKey,
pEntry->pHostName,
0,
NULL,
REG_OPTION_VOLATILE,
KEY_ALL_ACCESS,
NULL,
&hHostRegKey,
NULL);
if (status == ERROR_SUCCESS)
{
HKEY hCacheKeyNameRegKey;
// Host key created or opened, now create key for the CacheKeyName.
status = RegCreateKeyExA(hHostRegKey,
pEntry->pCacheKeyName,
0,
NULL,
REG_OPTION_VOLATILE,
KEY_ALL_ACCESS,
NULL,
&hCacheKeyNameRegKey,
NULL);
if (status == ERROR_SUCCESS)
{
// Write entry values
status = RegSetValueExA(hCacheKeyNameRegKey,
CREATION_TIME_REG_VALUE,
0,
REG_DWORD,
(LPBYTE) &pEntry->creationTime,
sizeof(pEntry->creationTime));
if (status == ERROR_SUCCESS)
{
status = RegSetValueExA(hCacheKeyNameRegKey,
EXPIRATION_TIME_REG_VALUE,
0,
REG_DWORD,
(LPBYTE) &pEntry->expirationTime,
sizeof(pEntry->expirationTime));
if (status == ERROR_SUCCESS)
{
status = RegSetValueExA(hCacheKeyNameRegKey,
STATUS_REG_VALUE,
0,
REG_DWORD,
(LPBYTE) &pEntry->status,
sizeof(pEntry->status));
if (status == ERROR_SUCCESS)
{
// Check if there is also an auth token associated with this entry
// this entry.
if (pEntry->status == CASA_STATUS_SUCCESS)
{
status = RegSetValueExA(hCacheKeyNameRegKey,
TOKEN_REG_VALUE,
0,
REG_SZ,
(LPBYTE) pEntry->pToken,
(DWORD) strlen(pEntry->pToken) + 1);
if (status != ERROR_SUCCESS)
{
DbgTrace(0, "-AddEntryToAuthCache- Error setting token, status = %d\n", status);
}
}
}
else
{
DbgTrace(0, "-AddEntryToAuthCache- Error setting status, status = %d\n", status);
}
}
else
{
DbgTrace(0, "-AddEntryToAuthCache- Error setting expiration time, status = %d\n", status);
}
}
else
{
DbgTrace(0, "-AddEntryToAuthCache- Error setting creation time, status = %d\n", status);
}
// Close CacheKeyName key
RegCloseKey(hCacheKeyNameRegKey);
// Delete the CacheKeyName key if not successful
if (status != ERROR_SUCCESS)
{
RegDeleteKey(hHostRegKey, pEntry->pCacheKeyName);
}
}
else
{
DbgTrace(0, "-AddEntryToAuthCache- Error creating key for CacheKeyName, status = %d\n", status);
}
// Close host key
RegCloseKey(hHostRegKey);
}
else
{
DbgTrace(0, "-AddEntryToAuthCache- Error creating key for host, status = %d\n", status);
}
// Close CASA_Auth_Cache key
RegCloseKey(hCASARegKey);
}
else
{
DbgTrace(0, "-AddEntryToAuthCache- Error opening CASA Auth Cache Key, status = %d\n", status);
}
// Either place the cache entry in our in-memory cache or
// free it depending on the status of the operations performed.
if (status == ERROR_SUCCESS)
{
// The entry was added to the cache, save it in
// our in-memory cache.
InsertHeadList(&authCacheListHead, &pEntry->listEntry);
}
else
{
// Not able to successfully add the entry to the cache,
// free the entry.
FreeAuthCacheEntry(pEntry);
}
DbgTrace(1, "-AddEntryToAuthCache- End\n", 0);
}
//++=======================================================================
CasaStatus
InitializeAuthCache(void)
//
// Arguments:
//
// Returns:
//
// Abstract:
//
// Notes:
//
// L1
//=======================================================================--
{
CasaStatus retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_UNSUCCESSFUL);
PSID pEveryoneSID;
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
DbgTrace(1, "-InitializeAuthCache- Start\n", 0);
// Initialize the cache list head
InitializeListHead(&authCacheListHead);
// Lets create the CASA Auth Cache registry key in the
// user's hive and limit access to it.
//
// Create a well-known SID for the Everyone group.
if (AllocateAndInitializeSid(&SIDAuthWorld,
1,
SECURITY_WORLD_RID,
0, 0, 0, 0, 0, 0, 0,
&pEveryoneSID))
{
EXPLICIT_ACCESS ea[3] = {0};
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
PSID pAdminSID;
// Initialize an EXPLICIT_ACCESS structure for an ACE.
// The ACE will revoke Everyone access to the key.
ea[0].grfAccessPermissions = KEY_ALL_ACCESS;
ea[0].grfAccessMode = REVOKE_ACCESS;
ea[0].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR) pEveryoneSID;
// Create a SID for the BUILTIN\Administrators group.
if (AllocateAndInitializeSid(&SIDAuthNT,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pAdminSID))
{
DWORD status;
PACL pACL;
HANDLE hToken;
// Initialize an EXPLICIT_ACCESS structure for an ACE.
// The ACE will revoke the Administrators group access to the key.
ea[1].grfAccessPermissions = KEY_ALL_ACCESS;
ea[1].grfAccessMode = REVOKE_ACCESS;
ea[1].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[1].Trustee.ptstrName = (LPTSTR) pAdminSID;
// Create a SID for the interactive user, first get the process token
if (OpenProcessToken(GetCurrentProcess(),
TOKEN_QUERY,
&hToken))
{
char tokenInformation[1024];
DWORD infoLength;
if (GetTokenInformation(hToken,
TokenUser,
tokenInformation,
sizeof(tokenInformation),
&infoLength))
{
TOKEN_USER *pTokenUser = (TOKEN_USER*) tokenInformation;
// Initialize an EXPLICIT_ACCESS structure for an ACE.
// The ACE will grant the interactive user access to the key.
ea[2].grfAccessPermissions = KEY_ALL_ACCESS;
ea[2].grfAccessMode = SET_ACCESS;
ea[2].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[2].Trustee.TrusteeType = TRUSTEE_IS_USER;
ea[2].Trustee.ptstrName = (LPTSTR) pTokenUser->User.Sid;
// Create a new ACL that contains the new ACEs.
status = SetEntriesInAcl(3, ea, NULL, &pACL);
if (status == ERROR_SUCCESS)
{
PSECURITY_DESCRIPTOR pSD;
// Allocate space for a security descriptor
pSD = (SECURITY_DESCRIPTOR*) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (pSD)
{
// Initialize a security descriptor
if (InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
{
// Add the ACL to the security descriptor
if (SetSecurityDescriptorDacl(pSD,
TRUE, // bDaclPresent flag
pACL,
FALSE)) // not a default DACL
{
SECURITY_ATTRIBUTES sa;
HKEY hCASARegKey;
DWORD disposition;
// Initialize a security attributes structure
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = pSD;
sa.bInheritHandle = FALSE;
// Now create the CASA Auth Cache registry key for this user
// with the required access control restrictions.
status = RegCreateKeyExA(HKEY_CURRENT_USER,
CASA_AUTH_CACHE_REG_KEY,
0,
NULL,
REG_OPTION_VOLATILE,
KEY_ALL_ACCESS,
&sa,
&hCASARegKey,
&disposition);
if (status == ERROR_SUCCESS)
{
// Success
retStatus = CASA_STATUS_SUCCESS;
// Close CASA_Auth_Cache key
RegCloseKey(hCASARegKey);
}
else
{
DbgTrace(0, "-InitializeAuthCache- Error creating CASA Key, status = %d\n", status);
}
}
else
{
DbgTrace(0, "-InitializeAuthCache- SetSecurityDescriptorDacl Error = %d\n", GetLastError());
}
}
else
{
DbgTrace(0, "-InitializeAuthCache- InitializeSecurityDescriptor Error %d\n", GetLastError());
}
// Free the space allocated for the security descriptor
LocalFree(pSD);
}
else
{
DbgTrace(0, "-InitializeAuthCache- Unable to allocate memory for SD\n", 0);
}
// Free the ACL structure
LocalFree(pACL);
}
else
{
DbgTrace(0, "-InitializeAuthCache- SetEntriesInAcl Error %d\n", status);
}
}
else
{
DbgTrace(0, "-InitializeAuthCache- Error obtaining token information, error = %d\n", GetLastError());
}
// Release the process token handle
CloseHandle(hToken);
}
else
{
DbgTrace(0, "-InitializeAuthCache- Unable to obtain process token, error = %d\n", GetLastError());
}
// Free the SID for the administrator
FreeSid(pAdminSID);
}
else
{
DbgTrace(0, "-InitializeAuthCache- AllocateAndInitializeSid Error %d\n", GetLastError());
}
// Free the SID for everyone
FreeSid(pEveryoneSID);
}
else
{
DbgTrace(0, "-InitializeAuthCache- AllocateAndInitializeSid Error = %d\n", GetLastError());
}
DbgTrace(1, "-InitializeAuthCache- End, retStatus = %08X\n", retStatus);
return retStatus;
}