win32_check_group.c

一个功能非常全面的代理服务器源代码程序,

 * Free the allocated memory.
 */
    if (pBuf != NULL)
	NetApiBufferFree(pBuf);
    return result;
}


/* returns 1 on success, 0 on failure */
int
Valid_Global_Groups(char *UserName, const char **Groups)
{
    int result = 0;
    WCHAR wszUserName[UNLEN + 1];	// Unicode user name

    WCHAR wszLocalDomain[DNLEN + 1];	// Unicode Local Domain

    WCHAR wszUserDomain[DNLEN + 1];	// Unicode User Domain

    char NTDomain[DNLEN + UNLEN + 2];
    char *domain_qualify = NULL;
    char User[UNLEN + 1];
    size_t j;

    LPWSTR LclDCptr = NULL;
    LPWSTR UsrDCptr = NULL;
    LPGROUP_USERS_INFO_0 pUsrBuf = NULL;
    LPGROUP_USERS_INFO_0 pTmpBuf;
    LPSERVER_INFO_101 pSrvBuf;
    DWORD dwLevel = 0;
    DWORD dwPrefMaxLen = -1;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nStatus;
    DWORD i;
    DWORD dwTotalCount = 0;
    LPBYTE pBufTmp = NULL;

    strncpy(NTDomain, UserName, sizeof(NTDomain));

    for (j = 0; j < strlen(NTV_VALID_DOMAIN_SEPARATOR); j++) {
	if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[j])) != NULL)
	    break;
    }
    if (domain_qualify == NULL) {
	strcpy(User, NTDomain);
	strcpy(NTDomain, DefaultDomain);
    } else {
	strcpy(User, domain_qualify + 1);
	domain_qualify[0] = '\0';
	strlwr(NTDomain);
    }

    debug("Valid_Global_Groups: checking group membership of '%s\\%s'.\n", NTDomain, User);

    /* Convert ANSI User Name and Group to Unicode */

    MultiByteToWideChar(CP_ACP, 0, User,
	strlen(User) + 1, wszUserName,
	sizeof(wszUserName) / sizeof(wszUserName[0]));
    MultiByteToWideChar(CP_ACP, 0, machinedomain,
	strlen(machinedomain) + 1, wszLocalDomain, sizeof(wszLocalDomain) / sizeof(wszLocalDomain[0]));


/* Call the NetServerGetInfo function for local computer, specifying level 101. */
    dwLevel = 101;
    nStatus = NetServerGetInfo(NULL, dwLevel, &pBufTmp);
    pSrvBuf = (LPSERVER_INFO_101) pBufTmp;

    if (nStatus == NERR_Success) {
	/* Check if we are running on a Domain Controller */
	if ((pSrvBuf->sv101_type & SV_TYPE_DOMAIN_CTRL) ||
	    (pSrvBuf->sv101_type & SV_TYPE_DOMAIN_BAKCTRL)) {
	    LclDCptr = NULL;
	    debug("Running on a DC.\n");
	} else {
	    pBufTmp = NULL;
	    nStatus = (use_PDC_only ? NetGetDCName(NULL, wszLocalDomain, &pBufTmp) : NetGetAnyDCName(NULL, wszLocalDomain, &pBufTmp));
	    LclDCptr = (LPWSTR) pBufTmp;
	}
    } else {
	fprintf(stderr, "%s NetServerGetInfo() failed.'\n", myname);
	if (pSrvBuf != NULL)
	    NetApiBufferFree(pSrvBuf);
	return result;
    }

    if (nStatus == NERR_Success) {
	debug("Using '%S' as DC for '%S' local domain.\n", LclDCptr, wszLocalDomain);

	if (strcmp(NTDomain, machinedomain) != 0) {
	    MultiByteToWideChar(CP_ACP, 0, NTDomain,
		strlen(NTDomain) + 1, wszUserDomain, sizeof(wszUserDomain) / sizeof(wszUserDomain[0]));
	    pBufTmp = NULL;
	    nStatus = (use_PDC_only ? NetGetDCName(LclDCptr, wszUserDomain, &pBufTmp) : NetGetAnyDCName(LclDCptr, wszUserDomain, &pBufTmp));
	    UsrDCptr = (LPWSTR) pBufTmp;
	    if (nStatus != NERR_Success) {
		fprintf(stderr, "%s Can't find DC for user's domain '%s'\n", myname, NTDomain);
		if (pSrvBuf != NULL)
		    NetApiBufferFree(pSrvBuf);
		if (LclDCptr != NULL)
		    NetApiBufferFree((LPVOID) LclDCptr);
		if (UsrDCptr != NULL)
		    NetApiBufferFree((LPVOID) UsrDCptr);
		return result;
	    }
	} else
	    UsrDCptr = LclDCptr;

	debug("Using '%S' as DC for '%s' user's domain.\n", UsrDCptr, NTDomain);
	/*
	 * Call the NetUserGetGroups function 
	 * specifying information level 0.
	 */
	dwLevel = 0;
	pBufTmp = NULL;
	nStatus = NetUserGetGroups(UsrDCptr,
	    wszUserName,
	    dwLevel,
	    &pBufTmp,
	    dwPrefMaxLen,
	    &dwEntriesRead,
	    &dwTotalEntries);
	pUsrBuf = (LPGROUP_USERS_INFO_0) pBufTmp;
	/*
	 * If the call succeeds,
	 */
	if (nStatus == NERR_Success) {
	    if ((pTmpBuf = pUsrBuf) != NULL) {
		for (i = 0; i < dwEntriesRead; i++) {
		    assert(pTmpBuf != NULL);
		    if (pTmpBuf == NULL) {
			result = 0;
			break;
		    }
		    if (wcstrcmparray(pTmpBuf->grui0_name, Groups) == 0) {
			result = 1;
			break;
		    }
		    pTmpBuf++;
		    dwTotalCount++;
		}
	    }
	} else {
	    result = 0;
	    fprintf(stderr, "%s NetUserGetGroups() failed.'\n", myname);
	}
    } else {
	fprintf(stderr, "%s Can't find DC for local domain '%s'\n", myname, machinedomain);
    }
    /*
     * Free the allocated memory.
     */
    if (pSrvBuf != NULL)
	NetApiBufferFree(pSrvBuf);
    if (pUsrBuf != NULL)
	NetApiBufferFree(pUsrBuf);
    if ((UsrDCptr != NULL) && (UsrDCptr != LclDCptr))
	NetApiBufferFree((LPVOID) UsrDCptr);
    if (LclDCptr != NULL)
	NetApiBufferFree((LPVOID) LclDCptr);
    return result;
}

static void
usage(char *program)
{
    fprintf(stderr, "Usage: %s [-D domain][-G][-P][-c][-d][-h]\n"
	" -D    default user Domain\n"
	" -G    enable Domain Global group mode\n"
	" -P    use ONLY PDCs for group validation\n"
	" -c    use case insensitive compare\n"
	" -d    enable debugging\n"
	" -h    this message\n",
	program);
}

void
process_options(int argc, char *argv[])
{
    int opt;

    opterr = 0;
    while (-1 != (opt = getopt(argc, argv, "D:GPcdh"))) {
	switch (opt) {
	case 'D':
	    DefaultDomain = xstrndup(optarg, DNLEN + 1);
	    strlwr(DefaultDomain);
	    break;
	case 'G':
	    use_global = 1;
	    break;
	case 'P':
	    use_PDC_only = 1;
	    break;
	case 'c':
	    use_case_insensitive_compare = 1;
	    break;
	case 'd':
	    debug_enabled = 1;
	    break;
	case 'h':
	    usage(argv[0]);
	    exit(0);
	case '?':
	    opt = optopt;
	    /* fall thru to default */
	default:
	    fprintf(stderr, "%s Unknown option: -%c. Exiting\n", myname, opt);
	    usage(argv[0]);
	    exit(1);
	    break;		/* not reached */
	}
    }
    return;
}


int
main(int argc, char *argv[])
{
    char *p;
    char buf[BUFSIZE];
    char *username;
    char *group;
    int err = 0;
    const char *groups[512];
    int n;

    if (argc > 0) {		/* should always be true */
	myname = strrchr(argv[0], '/');
	if (myname == NULL)
	    myname = argv[0];
    } else {
	myname = "(unknown)";
    }
    mypid = getpid();

    setbuf(stdout, NULL);
    setbuf(stderr, NULL);

    /* Check Command Line */
    process_options(argc, argv);

    if (use_global) {
	if ((machinedomain = GetDomainName()) == NULL) {
	    fprintf(stderr, "%s Can't read machine domain\n", myname);
	    exit(1);
	}
	strlwr(machinedomain);
	if (!DefaultDomain)
	    DefaultDomain = xstrdup(machinedomain);
    }
    debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
	" starting up...\n");
    if (use_global)
	debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
    if (use_case_insensitive_compare)
	debug("Warning: running in case insensitive mode !!!\n");
    if (use_PDC_only)
	debug("Warning: using only PDCs for group validation !!!\n");

    /* Main Loop */
    while (fgets(buf, sizeof(buf), stdin)) {
	if (NULL == strchr(buf, '\n')) {
	    /* too large message received.. skip and deny */
	    fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf);
	    while (fgets(buf, sizeof(buf), stdin)) {
		fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf);
		if (strchr(buf, '\n') != NULL)
		    break;
	    }
	    goto error;
	}
	if ((p = strchr(buf, '\n')) != NULL)
	    *p = '\0';		/* strip \n */
	if ((p = strchr(buf, '\r')) != NULL)
	    *p = '\0';		/* strip \r */

	debug("Got '%s' from Squid (length: %d).\n", buf, strlen(buf));

	if (buf[0] == '\0') {
	    fprintf(stderr, "Invalid Request\n");
	    goto error;
	}
	username = strtok(buf, " ");
	for (n = 0; (group = strtok(NULL, " ")) != NULL; n++) {
	    rfc1738_unescape(group);
	    groups[n] = group;
	}
	groups[n] = NULL;

	if (NULL == username) {
	    fprintf(stderr, "Invalid Request\n");
	    goto error;
	}
	rfc1738_unescape(username);

	if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) {
	    printf("OK\n");
	} else {
	  error:
	    printf("ERR\n");
	}
	err = 0;
    }
    return 0;
}