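<< userName << "\". " << err << war_endl; WarThrow(err, NULL); }}

// Deletes the local group `groupName` through NetLocalGroupDel on MY_SERVER.
// On failure the NET_API_STATUS is mapped with MapErrorCode(), logged, and
// re-thrown via WarThrow().
void WarUserAuthWin32Nt::DeleteGroup(war_ccsysstr_t groupName) throw(WarException)
{
    netstr_t group_name = groupName;
    const NET_API_STATUS result =
        ::NetLocalGroupDel(MY_SERVER, group_name.GetValue().c_str());
    if (NERR_Success != result) {
        WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::DeleteGroup()");
        WarError err = MapErrorCode(result);
        err_log << "Failed to delete group \"" << groupName << "\". " << err << war_endl;
        WarThrow(err, NULL);
    }
}

// Creates the local group `groupName` (level-1 info, name only) through
// NetLocalGroupAdd on MY_SERVER. Failures are mapped, logged and thrown.
void WarUserAuthWin32Nt::CreateGroup(war_ccsysstr_t groupName) throw(WarException)
{
    netstr_t group_name = groupName;
    // Bind the name to a reference so the character buffer is guaranteed to
    // outlive the API call even if GetValue() returns by value.
    const auto& name_str = group_name.GetValue();

    LOCALGROUP_INFO_1 gi = {};
    // The NetApi struct takes a non-const LPWSTR; the call only reads the name.
    gi.lgrpi1_name = const_cast<LPWSTR>(name_str.c_str());

    const NET_API_STATUS result =
        ::NetLocalGroupAdd(MY_SERVER, 1, reinterpret_cast<LPBYTE>(&gi), nullptr);
    if (NERR_Success != result) {
        WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::CreateGroup()");
        WarError err = MapErrorCode(result);
        err_log << "Failed to create group\"" << groupName << "\". " << err << war_endl;
        WarThrow(err, NULL);
    }
}

// Check policies and add missing rights: verifies that `groupName` exists on
// MY_SERVER and grants it the "SeBatchLogonRight" user right through the LSA
// helpers. Any failure is logged and thrown as a WarException.
void WarUserAuthWin32Nt::ValidateAndFixGroup(const netstr_t& groupName) throw(WarException)
{
    netstr_t group_name = groupName;
    const auto& name_str = group_name.GetValue();

    // See if the group exists; the level-1 info buffer itself is not needed.
    LPBYTE pgi = nullptr;
    const NET_API_STATUS result =
        ::NetLocalGroupGetInfo(MY_SERVER, name_str.c_str(), 1, &pgi);
    if (NERR_Success == result) {
        ::NetApiBufferFree(pgi);
    } else {
        // Unhandled error
        WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::ValidateAndFixGroup()");
        WarError err = MapErrorCode(result);
        err_log << "Failed to check group\"" << groupName << "\". " << err << war_endl;
        WarThrow(err, NULL);
    }

    // NOTE(review): POLICY_ALL_ACCESS is broader than granting one user right
    // requires; WarOpenPolicy is defined elsewhere — confirm whether it accepts
    // a narrower access mask before tightening this.
    LSA_HANDLE lsa = nullptr;
    DWORD error = WarOpenPolicy(nullptr, POLICY_ALL_ACCESS, &lsa);
    if (0 != error) {
        WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::ValidateAndFixGroup()");
        WarError err(WAR_ERR_SYSTEM_ERROR, error);
        err_log << "Failed to open LSA polict handle" << err << war_endl;
        WarThrow(err, NULL);
    }

    error = WarAddUserRightToAccount(lsa, name_str.c_str(), L"SeBatchLogonRight");
    // Close the policy handle before evaluating the result so it is released
    // on the throwing path as well.
    WarCloseLsa(&lsa);
    if (0 != error) {
        WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::ValidateAndFixGroup()");
        WarError err(WAR_ERR_SYSTEM_ERROR, error);
        err_log << "Failed to set \"SeBatchLogonRight\" polycy on group "
                << groupName << err << war_endl;
        WarThrow(err, NULL);
    }
}

// If anonymous access is enabled, grants the configured anonymous account the
// "SeBatchLogonRight" user right. Does nothing when IsAnonAllowed() is false.
// Failures are logged and thrown.
void WarUserAuthWin32Nt::ValidateAndCheckAnonUser()
{
    if (!IsAnonAllowed())
        return;

    WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::ValidateAndCheckAnonUser()");

    LSA_HANDLE lsa = nullptr;
    DWORD error = WarOpenPolicy(nullptr, POLICY_ALL_ACCESS, &lsa);
    if (0 != error) {
        WarError err(WAR_ERR_SYSTEM_ERROR, error);
        err_log << "Failed to open LSA polict handle" << err << war_endl;
        WarThrow(err, NULL);
    }

    // Keep the account name alive in a local for the duration of the call.
    netstr_t anon_user = GetAnonUser();
    const auto& anon_str = anon_user.GetValue();
    error = WarAddUserRightToAccount(lsa, anon_str.c_str(), L"SeBatchLogonRight");
    WarCloseLsa(&lsa);
    if (0 != error) {
        WarError err(WAR_ERR_SYSTEM_ERROR, error);
        err_log << "Failed to set \"SeBatchLogonRight\" polycy on user "
                << anon_user << err << war_endl;
        WarThrow(err, NULL);
    }
}

// Adds `userName` to the local group `groupName` (NetLocalGroupAddMembers,
// level 3, one entry). Failures are mapped, logged and thrown.
void WarUserAuthWin32Nt::AddUserToGroup(war_ccsysstr_t userName,
                                        war_ccsysstr_t groupName) throw(WarException)
{
    netstr_t group_name = groupName;
    netstr_t user_name = userName;
    // Keep the character buffers alive across the API call.
    const auto& group_str = group_name.GetValue();
    const auto& user_str = user_name.GetValue();

    LOCALGROUP_MEMBERS_INFO_3 lmi = {};
    lmi.lgrmi3_domainandname = const_cast<LPWSTR>(user_str.c_str());

    const NET_API_STATUS result = ::NetLocalGroupAddMembers(
        MY_SERVER, group_str.c_str(), 3, reinterpret_cast<LPBYTE>(&lmi), 1);
    if (NERR_Success != result) {
        WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::AddUserToGroup()");
        WarError err = MapErrorCode(result);
        err_log << "Failed to add user \"" << userName << "\" to group \""
                << groupName << "\". " << err << war_endl;
        WarThrow(err, NULL);
    }
}

// Removes `userName` from the local group `groupName`
// (NetLocalGroupDelMembers, level 3, one entry). Failures are mapped, logged
// and thrown.
void WarUserAuthWin32Nt::RemoveUserFromGroup(war_ccsysstr_t userName,
                                             war_ccsysstr_t groupName) throw(WarException)
{
    netstr_t group_name = groupName;
    netstr_t user_name = userName;
    const auto& group_str = group_name.GetValue();
    const auto& user_str = user_name.GetValue();

    LOCALGROUP_MEMBERS_INFO_3 lmi = {};
    lmi.lgrmi3_domainandname = const_cast<LPWSTR>(user_str.c_str());

    const NET_API_STATUS result = ::NetLocalGroupDelMembers(
        MY_SERVER, group_str.c_str(), 3, reinterpret_cast<LPBYTE>(&lmi), 1);
    if (NERR_Success != result) {
        WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::RemoveUserFromGroup()");
        WarError err = MapErrorCode(result);
        // This is the removal path; the message previously said "add".
        err_log << "Failed to remove user \"" << userName << "\" from group \""
                << groupName << "\". " << err << war_endl;
        WarThrow(err, NULL);
    }
}

// We enumerate based on the users in the FTP group. Registry
// entries for the users are created automatically if they exist
// in the NT group.
// If the anon user is enabled, this user is added as well.
//
// Each SidTypeUser member of GetAuthGroup() is turned into an auth-data handle
// via CreateDataHandle() and inserted into `outList`; a member whose domain
// equals the local computer name is stored by bare account name. Throws a
// WarException if the computer name or the group members cannot be read.
void WarUserAuthWin32Nt::EnumerateUsers(user_set_t& outList) throw(WarException)
{
    WarLog err_log(WARLOG_ERROR, "WarUserAuthWin32Nt::EnumerateUsers()");
    WarLog warn_log(WARLOG_WARNINGS, "WarUserAuthWin32Nt::EnumerateUsers()");

    DWORD computer_name_buf_len = MAX_PATH;
    TCHAR computer_name_buf[MAX_PATH];
    if (!::GetComputerName(computer_name_buf, &computer_name_buf_len))
        WarThrow(WarSystemError(), NULL);
    war_syspath_t computer_name = computer_name_buf;
    war_syspath_t user_name;

    // The group name is read once and kept alive across the resumable calls.
    netstr_t auth_group = GetAuthGroup();
    const auto& group_str = auth_group.GetValue();

    DWORD_PTR resume_ptr = 0;
    bool do_continue = true;
    do {
        LPBYTE pbuf = nullptr;
        DWORD entries_read = 0;
        DWORD total_entries = 0;
        const NET_API_STATUS status = ::NetLocalGroupGetMembers(
            MY_SERVER, group_str.c_str(), 2, &pbuf, MAX_PREFERRED_LENGTH,
            &entries_read, &total_entries, &resume_ptr);

        // ERROR_ACCESS_DENIED, NERR_InvalidComputer, NERR_GroupNotFound and
        // anything else unexpected are all surfaced as a system error.
        if (NERR_Success != status && ERROR_MORE_DATA != status)
            WarThrow(WarError(WAR_ERR_SYSTEM_ERROR, status), NULL);

        // ERROR_MORE_DATA means another page follows; NERR_Success is the last.
        do_continue = (ERROR_MORE_DATA == status);

        const LOCALGROUP_MEMBERS_INFO_2* p_info =
            reinterpret_cast<const LOCALGROUP_MEMBERS_INFO_2*>(pbuf);
        for (DWORD index = 0; index < entries_read; ++index) {
            const LOCALGROUP_MEMBERS_INFO_2& member = p_info[index];
            user_name = member.lgrmi2_domainandname;
            if (computer_name == user_name.GetPathname()) {
                // Strip off domainname
                user_name = user_name.GetFilename();
            }
            // Only real user accounts get a handle; groups, aliases etc. are skipped.
            if (SidTypeUser == member.lgrmi2_sidusage) {
                war_authdata_ptr_t my_ptr = (war_authdata_ptr_t&)CreateDataHandle(
                    member.lgrmi2_sid, user_name.GetValue().c_str());
                outList.insert(my_ptr);
            }
        }
        if (pbuf)
            ::NetApiBufferFree(pbuf);
    } while (do_continue);

    // Handle the anon user.
    netstr_t anon_name = GetAnonUser();
    if (IsAnonAllowed() && !anon_name.GetValue().empty()) {
        WarCollector<TCHAR> my_server_buf = MY_SERVER;
        WarCollector<TCHAR> my_anon_name = anon_name;
        const auto& server_str = my_server_buf.GetValue();
        const auto& anon_str = my_anon_name.GetValue();
        // An empty server name means "look up locally".
        const TCHAR* pserver_name = server_str.empty() ? nullptr : server_str.c_str();

        // Get SID. The first call only sizes the SID and domain buffers.
        DWORD cb_sid = 0;
        DWORD cb_domain_name = 0;
        SID_NAME_USE sid_type = SidTypeUser;
        ::LookupAccountName(pserver_name, anon_str.c_str(), nullptr, &cb_sid,
                            nullptr, &cb_domain_name, &sid_type);
        if (cb_sid) {
            std::vector<char> sid_buf(cb_sid);
            std::vector<TCHAR> domain_buf(cb_domain_name + 1);
            if (::LookupAccountName(pserver_name, anon_str.c_str(),
                                    static_cast<PSID>(sid_buf.data()), &cb_sid,
                                    domain_buf.data(), &cb_domain_name, &sid_type)) {
                if (SidTypeUser != sid_type) {
                    warn_log << "The anonymous user does not "
                                "appear to be a Windows NT use, but an "
                                "object of another type ("
                             << static_cast<int>(sid_type)
                             << "). The user is not added to the list "
                                "of valid NT users."
                             << war_endl;
                } else {
                    // The handle is created for the anonymous account's SID, so
                    // register it under that account's name. user_name would
                    // otherwise still hold the last group member enumerated
                    // above (or be empty if the group had no members).
                    user_name = anon_str.c_str();
                    war_authdata_ptr_t my_ptr = (war_authdata_ptr_t&)CreateDataHandle(
                        static_cast<PSID>(sid_buf.data()),
                        user_name.GetValue().c_str(), NULL, true);
                    outList.insert(my_ptr);
                }
            }
        }
    }
}

//============================= ACCESS ===================================

//============================= INQUIRY ===================================

namespace {

// Reads the REG_SZ value `valueName` under `key` into `buffer`. Returns false
// if the query fails or the value is not of type REG_SZ; `buffer` is then
// empty. Registry strings are not guaranteed to be NUL-terminated, so the
// query is limited to MAX_PATH - 1 characters and a terminator is always
// written after the data.
bool ReadRegSz(HKEY key, LPCTSTR valueName, WCHAR (&buffer)[MAX_PATH])
{
    buffer[0] = L'\0';
    DWORD buf_len = sizeof(buffer) - sizeof(WCHAR);
    DWORD type = 0;
    const LONG result = ::RegQueryValueEx(key, valueName, nullptr, &type,
                                          reinterpret_cast<LPBYTE>(buffer), &buf_len);
    if ((ERROR_SUCCESS != result) || (REG_SZ != type)) {
        buffer[0] = L'\0';
        return false;
    }
    // buf_len is now the byte size of the data; the slot just past it is
    // within the array because the query was capped one WCHAR short.
    buffer[buf_len / sizeof(WCHAR)] = L'\0';
    buffer[MAX_PATH - 1] = L'\0';
    return true;
}

} // namespace

// Returns the configured authentication server (registry value
// WAR_WINNT_AUTH_SERVER), or an empty string if it is missing or not REG_SZ.
WarUserAuthWin32Nt::netstr_t WarUserAuthWin32Nt::GetAuthServer() const
{
    WCHAR buffer[MAX_PATH] = {0};
    if (!ReadRegSz(mRegRoot.GetNodeKey(), WAR_WINNT_AUTH_SERVER, buffer))
        return L"";
    return buffer;
}

// Returns the configured FTP authentication group (registry value
// WAR_WINNT_AUTH_FTP_GROUP), or an empty string if it is missing or not REG_SZ.
WarUserAuthWin32Nt::netstr_t WarUserAuthWin32Nt::GetAuthGroup() const
{
    WCHAR buffer[MAX_PATH] = {0};
    if (!ReadRegSz(mRegRoot.GetNodeKey(), WAR_WINNT_AUTH_FTP_GROUP, buffer))
        return L"";
    return buffer;
}

// Returns the configured anonymous account name (registry value
// WAR_WINNT_AUTH_ANON_USER).
WarUserAuthWin32Nt::netstr_t WarUserAuthWin32Nt::GetAnonUser() const
{
    WarCollector<wchar_t> name_buf;
    name_buf = mRegRoot.GetStrValue(WAR_WINNT_AUTH_ANON_USER, NULL, false);
    return name_buf.GetValue();
}

// Returns the configured anonymous account password (registry value
// WAR_WINNT_AUTH_ANON_PASSWD). The local collector uses SM_ERASE so its own
// buffer is scrubbed on destruction.
// NOTE(review): the returned netstr_t is a plain copy and is not scrubbed by
// this class — callers hold the secret in ordinary memory after this returns.
WarUserAuthWin32Nt::netstr_t WarUserAuthWin32Nt::GetAnonPasswd() const
{
    WarCollector<wchar_t> passwd_buf(WarCollector<wchar_t>::SM_ERASE);
    passwd_buf = mRegRoot.GetStrValue(WAR_WINNT_AUTH_ANON_PASSWD, NULL, false, true);
    return passwd_buf.GetValue();
}

// True when the WAR_WINNT_AUTH_SERVER_LOCAL registry value is non-zero.
bool WarUserAuthWin32Nt::IsUsingLocalMachine() const
{
    return mRegRoot.GetIntValue(WAR_WINNT_AUTH_SERVER_LOCAL, false);
}

// True when the WAR_WINNT_AUTH_ANON_PWDEMAIL registry value is non-zero
// (an e-mail address is required as the anonymous password).
bool WarUserAuthWin32Nt::IsAnonEmailReqiered() const
{
    return mRegRoot.GetIntValue(WAR_WINNT_AUTH_ANON_PWDEMAIL, false);
}

// True when the WAR_WINNT_AUTH_ALLOW_ANON registry value is non-zero.
bool WarUserAuthWin32Nt::IsAnonAllowed() const
{
    return mRegRoot.GetIntValue(WAR_WINNT_AUTH_ALLOW_ANON, false);
}

// Maps a NetApi status to a WarError. The original status code is carried
// along as the WarError's second argument.
WarError WarUserAuthWin32Nt::MapErrorCode(NET_API_STATUS status)
{
    war_error_definitions err_type = WAR_ERR_SYSTEM_ERROR;
    switch (status) {
    case ERROR_ACCESS_DENIED:
        err_type = WAR_ERR_ACCESS_DENIED;
        break;
    case NERR_InvalidComputer:
        err_type = WAR_ERR_OBJECT_NOT_FOUND;
        break;
    case ERROR_ALIAS_EXISTS:
    case NERR_UserExists:
    case NERR_GroupExists:
        err_type = WAR_ERR_OBJECT_EXIST;
        break;
    default:
        err_type = WAR_ERR_SYSTEM_ERROR;
        break;
    }
    return WarError(err_type, status);
}

// True if NetUserGetInfo (level 0) succeeds for `userName` on the local
// machine. Any other status, including access denied, yields false.
// NOTE(review): this queries NULL (local) rather than MY_SERVER like the
// other NetApi calls in this file — confirm that is intended.
bool WarUserAuthWin32Nt::HaveLocalUser(war_ccsysstr_t userName)
{
    WarCollector<wchar_t> user_name = userName;
    LPUSER_INFO_0 pbuf = nullptr;
    const NET_API_STATUS result = ::NetUserGetInfo(
        nullptr, user_name.GetValue().c_str(), 0, reinterpret_cast<LPBYTE*>(&pbuf));
    if (pbuf)
        ::NetApiBufferFree(pbuf);
    return NERR_Success == result;
}

// True if NetLocalGroupGetInfo (level 1) succeeds for `groupName` on the
// local machine. Any other status yields false.
// NOTE(review): queries NULL (local) rather than MY_SERVER — see HaveLocalUser.
bool WarUserAuthWin32Nt::HaveLocalGroup(war_ccsysstr_t groupName)
{
    WarCollector<wchar_t> group_name = groupName;
    LOCALGROUP_INFO_1* pbuf = nullptr;
    const NET_API_STATUS result = ::NetLocalGroupGetInfo(
        nullptr, group_name.GetValue().c_str(), 1, reinterpret_cast<LPBYTE*>(&pbuf));
    if (pbuf)
        ::NetApiBufferFree(pbuf);
    return NERR_Success == result;
}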