diff --git a/CASA/micasad/common/SessionManager.cs b/CASA/micasad/common/SessionManager.cs
index b25129d1..e55c40ec 100644
--- a/CASA/micasad/common/SessionManager.cs
+++ b/CASA/micasad/common/SessionManager.cs
@@ -87,9 +87,101 @@ namespace sscs.common return ss; } catch(UserNotInSessionException) - { - // Would create either windows/unix user - // depending on the platform. + { +#if W32 + // if running on vista, let's make additional checks for users with elevation privileges + // on Vista use the elevated token if there is one. + System.OperatingSystem os = System.Environment.OSVersion; + if (os.Version.Major > 5) + { + WinUserIdentifier vistaAdminUser = (WinUserIdentifier)userId; + + // if this user an admin eqivalent, it has an elevated token + if (vistaAdminUser.HasElevatedToken()) + { + CSSSLogger.DbgLog("VISTA: Request received from user with Elevated Token"); + + // CASA's Credential Manager creates a WinUser with just the normal token id + // ZEN creates a WinUser with the elevated token id + // Here we determine if we can merge any of these. + WinUserIdentifier credUser = null; + WinUserIdentifier zenUser = null; + SecretStore credUserSS = null; + SecretStore zenUserSS = null; + + // look for match UserIdentifier with just the normal id + try + { + credUser = new WinUserIdentifier(vistaAdminUser.GetUIDLow(), vistaAdminUser.GetUIDHigh(), vistaAdminUser.GetSID()); + credUserSS = GetUserSecretStore(credUser); + } + catch (Exception) { } + + // ZEN creates a winUser with just the elevated ID + try + { + zenUser = new WinUserIdentifier(vistaAdminUser.GetElevatedUIDLow(), vistaAdminUser.GetElevatedUIDHigh(), vistaAdminUser.GetSID()); + zenUserSS = GetUserSecretStore(zenUser); + } + catch (Exception) { } + + // if both exist merge them into the credUser, fix up userIdentify and return resulting store + if ((credUserSS != null) && (zenUserSS != null)) + { + CSSSLogger.DbgLog("VISTA: Merging zenUser store with credUser store"); + byte[] baSecrets = sscs.lss.LocalStorage.GetSecretsAsXMLStream(zenUserSS, ConstStrings.SSCS_SESSION_KEY_CHAIN_ID).ToArray(); + + if (baSecrets != null) + { + credUserSS.MergeXMLSecrets(baSecrets); + } + + // add elevated ids to cred user object 
+ WinUserIdentifier temp = (WinUserIdentifier)credUserSS.GetUserIdentifier(); + temp.SetElevatedUIDLow(vistaAdminUser.GetElevatedUIDLow()); + temp.SetElevatedUIDHigh(vistaAdminUser.GetElevatedUIDHigh()); + + // nuke the zen user session + SessionManager.RemoveUserSession(zenUser, true); + + return credUserSS; + } + // only the credUser exists, add the elevated UIDs, return creduser store + else if (credUserSS != null) + { + // fix up credUser with elevated IDs + CSSSLogger.DbgLog("VISTA: Fixing credUser up with elevated IDs"); + WinUserIdentifier temp = (WinUserIdentifier)credUserSS.GetUserIdentifier(); + temp.SetElevatedUIDLow(vistaAdminUser.GetElevatedUIDLow()); + temp.SetElevatedUIDHigh(vistaAdminUser.GetElevatedUIDHigh()); + return credUserSS; + + } + // only the zenUser exists, fix the UIDs, return zenuser store + else if (zenUserSS != null) + { + // fix up zenUser with correct IDs + // NOTE:we might need to remove old UserID from session table, and add this one + CSSSLogger.DbgLog("VISTA: Fixing zenUser up with correct IDs"); + WinUserIdentifier temp = (WinUserIdentifier)zenUserSS.GetUserIdentifier(); + + // move uids + temp.SetUIDLow(vistaAdminUser.GetUIDLow()); + temp.SetUIDHigh(vistaAdminUser.GetUIDHigh()); + + // set non elevated + temp.SetElevatedUIDLow(vistaAdminUser.GetElevatedUIDLow()); + temp.SetElevatedUIDHigh(vistaAdminUser.GetElevatedUIDHigh()); + + return zenUserSS; + } + } + } + +#endif + + // Would create either windows/unix user + // depending on the platform. User user; if (userHome != null) { 
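Review bot: In the zenUser-only branch, `temp.SetUIDLow(...)`/`temp.SetUIDHigh(...)` rewrite the identifier returned by `zenUserSS.GetUserIdentifier()`, and if that object is also the key under which the session is held in `sessionTable` (the hunk's own NOTE suggests it is), changing `m_uidLow` changes its hash code while it sits in the table, so later lookups of that session can miss; remove the zen entry first and re-register the store under the fixed-up identifier, as the merge branch already does with `RemoveUserSession`. The two `catch (Exception) { }` around `GetUserSecretStore` also hide every failure, not just the missing-session case the enclosing `catch(UserNotInSessionException)` is handling, so an I/O or other error while opening one store is silently treated as "no such store" and the merge proceeds on partial data; narrow them to `catch (UserNotInSessionException) { }`. `baSecrets` is the result of `.ToArray()`, which never returns null, so the `if (baSecrets != null)` guard protects nothing — the check belongs on the stream returned by `GetSecretsAsXMLStream` before `.ToArray()` is called. The enclosing method starts before this hunk and continues after it.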
@@ -236,14 +328,13 @@ namespace sscs.common while(etor.MoveNext()) { - i++; - /* - CSSSLogger.DbgLog("Listing Active User Sessions"); - Console.WriteLine(etor.Key); - Console.WriteLine((((SecretStore)(etor.Value)).secretStoreName + ":" + ((SecretStore)(etor.Value)).refCount); - */ + i++; + //Console.WriteLine(etor.Key); + //Console.WriteLine((((SecretStore)(etor.Value)).secretStoreName + ":" + ((SecretStore)(etor.Value)).refCount); + } - CSSSLogger.DbgLog("List Active Sessions3"); + CSSSLogger.DbgLog("List Active Sessions3"); + CSSSLogger.DbgLog("Current Session Count: " + sessionTable.Count); mutex.ReleaseMutex(); CSSSLogger.DbgLog("List Active Sessions4"); }
diff --git a/CASA/micasad/common/WinUserIdentifier.cs b/CASA/micasad/common/WinUserIdentifier.cs
index bb8576eb..6237152e 100644
--- a/CASA/micasad/common/WinUserIdentifier.cs
+++ b/CASA/micasad/common/WinUserIdentifier.cs
@@ -26,37 +26,37 @@ namespace sscs.common { internal class WinUserIdentifier : UserIdentifier { - private int uidLow; - private int uidHigh; - private int elevatedUidLow = 0; - private int elevatedUidHigh = 0; + private int m_uidLow; + private int m_uidHigh; + private int m_elevatedUidLow = 0; + private int m_elevatedUidHigh = 0; private string m_sSID = ""; internal WinUserIdentifier(int uidLowPart, int uidHighPart, string sSID, int elevatedUidLow, int elevatedUidHigh) { - this.uidLow = uidLowPart; - this.uidHigh = uidHighPart; + this.m_uidLow = uidLowPart; + this.m_uidHigh = uidHighPart; this.m_sSID = sSID; - if (elevatedUidLow != null) - this.elevatedUidLow = elevatedUidLow; + if (elevatedUidLow != 0) + this.m_elevatedUidLow = elevatedUidLow; - if (elevatedUidHigh != null) - this.elevatedUidHigh = elevatedUidHigh; + if (elevatedUidHigh != 0) + this.m_elevatedUidHigh = elevatedUidHigh; } internal WinUserIdentifier(int uidLowPart, int uidHighPart, string sSID) { - this.uidLow = uidLowPart; - this.uidHigh = uidHighPart; + this.m_uidLow = uidLowPart; + this.m_uidHigh = uidHighPart; this.m_sSID = sSID; } internal WinUserIdentifier(int uidLowPart, int uidHighPart) { - this.uidLow = uidLowPart; - this.uidHigh = uidHighPart; + this.m_uidLow = uidLowPart; + this.m_uidHigh = uidHighPart; } 
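Review bot: The constructor's `if (elevatedUidLow != 0)` guard now compares against the field's own default value, so `this.m_elevatedUidLow = elevatedUidLow;` unconditionally does the same thing without suggesting that zero is handled specially; the old `!= null` on an `int` was always true, so the rewrite changes no behaviour either way. The same applies to the `elevatedUidHigh` guard two lines below. A short comment on the fields, such as `// m_elevatedUid*: id halves of the user's elevated token when one exists, 0 otherwise`, would help because Equals and HasElevatedToken now depend on these values.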
@@ -67,31 +67,39 @@ namespace sscs.common public override bool Equals(Object obj) { - WinUserIdentifier u = (WinUserIdentifier)obj; - if (((u.uidLow == uidLow) && (u.uidHigh == uidHigh)) || - ((u.uidLow == elevatedUidLow) && (u.uidHigh == elevatedUidHigh)) || - ((u.elevatedUidLow == uidLow) && (u.elevatedUidHigh == uidHigh))) - { - // we have a match, set the SID if we can - if ((this.m_sSID.Length < 1) && (u.GetSID().Length>0)) - { - CSSSLogger.DbgLog("******** WinUserIdentifier: Updating the SID *********"); - this.m_sSID = u.GetSID(); - } - - return true; - } - else - return false; + WinUserIdentifier temp = (WinUserIdentifier)obj; + + if ((temp.m_uidLow == m_uidLow) && + (temp.m_uidHigh == m_uidHigh) && + (temp.m_elevatedUidLow == m_elevatedUidLow) && + (temp.m_elevatedUidHigh == m_elevatedUidHigh)) + { + // we have a match, set the SID if we can + if ((this.m_sSID.Length < 1) && (temp.GetSID().Length > 0)) + { + CSSSLogger.DbgLog("******** WinUserIdentifier: Updating the SID *********"); + this.m_sSID = temp.GetSID(); + } + + return true; + } + else + { + return false; + } } public override int GetHashCode() { - return uidLow.GetHashCode(); + return m_uidLow.GetHashCode(); } public void PrintIdentifier() { - CSSSLogger.DbgLog(" High: " + this.uidHigh); - CSSSLogger.DbgLog(" LOW: " + this.uidLow); + CSSSLogger.DbgLog(" High: " + this.m_uidHigh); + CSSSLogger.DbgLog(" LOW: " + this.m_uidLow); + + CSSSLogger.DbgLog(" eHigh: " + this.m_elevatedUidHigh); + CSSSLogger.DbgLog(" eLOW: " + this.m_elevatedUidLow); + CSSSLogger.DbgLog(" SID: " + this.m_sSID); } 
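Review bot: `Equals` still casts `obj` directly with `(WinUserIdentifier)obj`, so a null argument or an identifier of another type throws `InvalidCastException` instead of returning false, which matters now that freshly constructed probe identifiers are compared against table entries; start with `WinUserIdentifier temp = obj as WinUserIdentifier; if (temp == null) return false;`. The method also writes `this.m_sSID` from the other object as a side effect of an equality test, which is surprising when it fires from inside a hashtable lookup and deserves a comment stating that the SID is intentionally adopted from whichever side has one. Tightening the match to require all four id halves means an identifier built with only the normal ids no longer equals one carrying elevated ids — presumably why the SessionManager change constructs separate `credUser` and `zenUser` probes — and a comment here naming that dependency would help the next maintainer. `GetHashCode` remains consistent with the new `Equals`, since equal objects necessarily share `m_uidLow`.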
@@ -102,13 +110,51 @@ namespace sscs.common internal int GetUIDLow() { - return this.uidLow; + return this.m_uidLow; } internal int GetUIDHigh() { - return this.uidHigh; + return this.m_uidHigh; } + internal int GetElevatedUIDLow() + { + return this.m_elevatedUidLow; + } + + internal int GetElevatedUIDHigh() + { + return this.m_elevatedUidHigh; + } + + // setters + internal void SetUIDLow(int uidLow) + { + this.m_uidLow = uidLow; + } + + internal void SetUIDHigh(int uidHigh) + { + this.m_uidHigh = uidHigh; + } + + internal void SetElevatedUIDLow(int elevatedUidLow) + { + this.m_elevatedUidLow = elevatedUidLow; + } + + internal void SetElevatedUIDHigh(int elevatedUidHigh) + { + this.m_elevatedUidHigh = elevatedUidHigh; + } + + internal bool HasElevatedToken() + { + if (m_elevatedUidHigh + m_elevatedUidLow > 0) + return true; + else + return false; + } } }
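Review bot: `HasElevatedToken` decides with `m_elevatedUidHigh + m_elevatedUidLow > 0`, which gives the wrong answer whenever one part is negative (an `int` holding an id half with its top bit set) or the sum wraps in unchecked arithmetic, so an elevated token can be reported as absent and the SessionManager merge path silently skipped; `return (m_elevatedUidHigh != 0) || (m_elevatedUidLow != 0);` is the test the name implies. The new `SetUIDLow`/`SetUIDHigh` setters mutate the field that `GetHashCode` is derived from, so a `// NOTE: not safe on an identifier that is already a session-table key (its hash changes)` comment above the `// setters` group would document the hazard callers in SessionManager must respect.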