/*
* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
#include <jni.h>
#include "com_sun_security_auth_module_NTSystem.h"
#include <windows.h>
#include <stdio.h>
#include <wchar.h>
#include <ntsecapi.h>
#include <lmerr.h>
static BOOL debug = FALSE;
BOOL getToken(PHANDLE);
BOOL getUser(HANDLE tokenHandle, LPTSTR *userName,
LPTSTR *domainName, LPTSTR *userSid, LPTSTR *domainSid);
BOOL getPrimaryGroup(HANDLE tokenHandle, LPTSTR *primaryGroup);
BOOL getGroups(HANDLE tokenHandle, PDWORD numGroups, LPTSTR **groups);
BOOL getImpersonationToken(PHANDLE impersonationToken);
BOOL getTextualSid(PSID pSid, LPTSTR TextualSid, LPDWORD lpdwBufferLen);
void DisplayErrorText(DWORD dwLastError);
static void throwIllegalArgumentException(JNIEnv *env, const char *msg) {
jclass clazz = (*env)->FindClass(env, "java/lang/IllegalArgumentException");
if (clazz != NULL)
(*env)->ThrowNew(env, clazz, msg);
}
JNIEXPORT jlong JNICALL
Java_com_sun_security_auth_module_NTSystem_getImpersonationToken0
(JNIEnv *env, jobject obj) {
HANDLE impersonationToken = 0; // impersonation token
if (debug) {
printf("getting impersonation token\n");
}
if (getImpersonationToken(&impersonationToken) == FALSE) {
return 0;
}
return (jlong)impersonationToken;
}
JNIEXPORT void JNICALL
Java_com_sun_security_auth_module_NTSystem_getCurrent
(JNIEnv *env, jobject obj, jboolean debugNative) {
long i, j = 0;
HANDLE tokenHandle = INVALID_HANDLE_VALUE;
LPTSTR userName = NULL; // user name
LPTSTR userSid = NULL; // user sid
LPTSTR domainName = NULL; // domain name
LPTSTR domainSid = NULL; // domain sid
LPTSTR primaryGroup = NULL; // primary group sid
DWORD numGroups = 0; // num groups
LPTSTR *groups = NULL; // groups array
long pIndex = -1; // index of primaryGroup in groups array
jfieldID fid;
jstring jstr;
jobjectArray jgroups;
jclass stringClass = 0;
jclass cls = (*env)->GetObjectClass(env, obj);
debug = debugNative;
// get NT information first
if (debug) {
printf("getting access token\n");
}
if (getToken(&tokenHandle) == FALSE) {
return;
}
if (debug) {
printf("getting user info\n");
}
if (getUser
(tokenHandle, &userName, &domainName, &userSid, &domainSid) == FALSE) {
return;
}
if (debug) {
printf("getting primary group\n");
}
if (getPrimaryGroup(tokenHandle, &primaryGroup) == FALSE) {
return;
}
if (debug) {
printf("getting supplementary groups\n");
}
if (getGroups(tokenHandle, &numGroups, &groups) == FALSE) {
return;
}
// then set values into NTSystem
fid = (*env)->GetFieldID(env, cls, "userName", "Ljava/lang/String;");
if (fid == 0) {
(*env)->ExceptionClear(env);
throwIllegalArgumentException(env, "invalid field: userName");
goto cleanup;
}
jstr = (*env)->NewStringUTF(env, userName);
if (jstr == NULL)
goto cleanup;
(*env)->SetObjectField(env, obj, fid, jstr);
fid = (*env)->GetFieldID(env, cls, "userSID", "Ljava/lang/String;");
if (fid == 0) {
(*env)->ExceptionClear(env);
throwIllegalArgumentException(env, "invalid field: userSID");
goto cleanup;
}
jstr = (*env)->NewStringUTF(env, userSid);
if (jstr == NULL)
goto cleanup;
(*env)->SetObjectField(env, obj, fid, jstr);
fid = (*env)->GetFieldID(env, cls, "domain", "Ljava/lang/String;");
if (fid == 0) {
(*env)->ExceptionClear(env);
throwIllegalArgumentException(env, "invalid field: domain");
goto cleanup;
}
jstr = (*env)->NewStringUTF(env, domainName);
if (jstr == NULL)
goto cleanup;
(*env)->SetObjectField(env, obj, fid, jstr);
if (domainSid != NULL) {
fid = (*env)->GetFieldID(env, cls, "domainSID", "Ljava/lang/String;");
if (fid == 0) {
(*env)->ExceptionClear(env);
throwIllegalArgumentException(env, "invalid field: domainSID");
goto cleanup;
}
jstr = (*env)->NewStringUTF(env, domainSid);
if (jstr == NULL)
goto cleanup;
(*env)->SetObjectField(env, obj, fid, jstr);
}
fid = (*env)->GetFieldID(env, cls, "primaryGroupID", "Ljava/lang/String;");
if (fid == 0) {
(*env)->ExceptionClear(env);
throwIllegalArgumentException(env, "invalid field: PrimaryGroupID");
goto cleanup;
}
jstr = (*env)->NewStringUTF(env, primaryGroup);
if (jstr == NULL)
goto cleanup;
(*env)->SetObjectField(env, obj, fid, jstr);
// primary group may or may not be part of supplementary groups
for (i = 0; i < (long)numGroups; i++) {
if (strcmp(primaryGroup, groups[i]) == 0) {
// found primary group in groups array
pIndex = i;
break;
}
}
if (numGroups == 0 || (pIndex == 0 && numGroups == 1)) {
// primary group is only group in groups array
if (debug) {
printf("no secondary groups\n");
}
} else {
// the groups array is non-empty,
// and may or may not contain the primary group
fid = (*env)->GetFieldID(env, cls, "groupIDs", "[Ljava/lang/String;");
if (fid == 0) {
(*env)->ExceptionClear(env);
throwIllegalArgumentException(env, "groupIDs");
goto cleanup;
}
stringClass = (*env)->FindClass(env, "java/lang/String");
if (stringClass == NULL)
goto cleanup;
if (pIndex == -1) {
// primary group not in groups array
jgroups = (*env)->NewObjectArray(env, numGroups, stringClass, 0);
} else {
// primary group in groups array -
// allocate one less array entry and do not add into new array
jgroups = (*env)->NewObjectArray(env, numGroups-1, stringClass, 0);
}
if (jgroups == NULL)
goto cleanup;
for (i = 0, j = 0; i < (long)numGroups; i++) {
if (pIndex == i) {
// continue if equal to primary group
continue;
}
jstr = (*env)->NewStringUTF(env, groups[i]);
if (jstr == NULL)
goto cleanup;
(*env)->SetObjectArrayElement(env, jgroups, j++, jstr);
}
(*env)->SetObjectField(env, obj, fid, jgroups);
}
cleanup:
if (userName != NULL) {
HeapFree(GetProcessHeap(), 0, userName);
}
if (domainName != NULL) {
HeapFree(GetProcessHeap(), 0, domainName);
}
if (userSid != NULL) {
HeapFree(GetProcessHeap(), 0, userSid);
}
if (domainSid != NULL) {
HeapFree(GetProcessHeap(), 0, domainSid);
}
if (primaryGroup != NULL) {
HeapFree(GetProcessHeap(), 0, primaryGroup);
}
if (groups != NULL) {
for (i = 0; i < (long)numGroups; i++) {
if (groups[i] != NULL) {
HeapFree(GetProcessHeap(), 0, groups[i]);
}
}
HeapFree(GetProcessHeap(), 0, groups);
}
CloseHandle(tokenHandle);
return;
}
BOOL getToken(PHANDLE tokenHandle) {
// first try the thread token
if (OpenThreadToken(GetCurrentThread(),
TOKEN_READ,
FALSE,
tokenHandle) == 0) {
if (debug) {
printf(" [getToken] OpenThreadToken error [%d]: ", GetLastError());
DisplayErrorText(GetLastError());
}
// next try the process token
if (OpenProcessToken(GetCurrentProcess(),
TOKEN_READ,
tokenHandle) == 0) {
if (debug) {
printf(" [getToken] OpenProcessToken error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
return FALSE;
}
}
if (debug) {
printf(" [getToken] got user access token\n");
}
return TRUE;
}
BOOL getUser(HANDLE tokenHandle, LPTSTR *userName,
LPTSTR *domainName, LPTSTR *userSid, LPTSTR *domainSid) {
BOOL error = FALSE;
DWORD bufSize = 0;
DWORD buf2Size = 0;
DWORD retBufSize = 0;
PTOKEN_USER tokenUserInfo = NULL; // getTokenInformation
SID_NAME_USE nameUse; // LookupAccountSid
PSID dSid = NULL;
LPTSTR domainSidName = NULL;
// get token information
GetTokenInformation(tokenHandle,
TokenUser,
NULL, // TokenInformation - if NULL get buffer size
0, // since TokenInformation is NULL
&bufSize);
tokenUserInfo = (PTOKEN_USER)HeapAlloc(GetProcessHeap(), 0, bufSize);
if (GetTokenInformation(tokenHandle,
TokenUser,
tokenUserInfo,
bufSize,
&retBufSize) == 0) {
if (debug) {
printf(" [getUser] GetTokenInformation error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
error = TRUE;
goto cleanup;
}
if (debug) {
printf(" [getUser] Got TokenUser info\n");
}
// get userName
bufSize = 0;
buf2Size = 0;
LookupAccountSid(NULL, // local host
tokenUserInfo->User.Sid,
NULL,
&bufSize,
NULL,
&buf2Size,
&nameUse);
*userName = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, bufSize);
*domainName = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, buf2Size);
if (LookupAccountSid(NULL, // local host
tokenUserInfo->User.Sid,
*userName,
&bufSize,
*domainName,
&buf2Size,
&nameUse) == 0) {
if (debug) {
printf(" [getUser] LookupAccountSid error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
error = TRUE;
goto cleanup;
}
if (debug) {
printf(" [getUser] userName: %s, domainName = %s\n",
*userName, *domainName);
}
bufSize = 0;
getTextualSid(tokenUserInfo->User.Sid, NULL, &bufSize);
*userSid = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, bufSize);
getTextualSid(tokenUserInfo->User.Sid, *userSid, &bufSize);
if (debug) {
printf(" [getUser] userSid: %s\n", *userSid);
}
// get domainSid
bufSize = 0;
buf2Size = 0;
LookupAccountName(NULL, // local host
*domainName,
NULL,
&bufSize,
NULL,
&buf2Size,
&nameUse);
dSid = (PSID)HeapAlloc(GetProcessHeap(), 0, bufSize);
domainSidName = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, buf2Size);
if (LookupAccountName(NULL, // local host
*domainName,
dSid,
&bufSize,
domainSidName,
&buf2Size,
&nameUse) == 0) {
if (debug) {
printf(" [getUser] LookupAccountName error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
// ok not to have a domain SID (no error)
goto cleanup;
}
bufSize = 0;
getTextualSid(dSid, NULL, &bufSize);
*domainSid = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, bufSize);
getTextualSid(dSid, *domainSid, &bufSize);
if (debug) {
printf(" [getUser] domainSid: %s\n", *domainSid);
}
cleanup:
if (tokenUserInfo != NULL) {
HeapFree(GetProcessHeap(), 0, tokenUserInfo);
}
if (dSid != NULL) {
HeapFree(GetProcessHeap(), 0, dSid);
}
if (domainSidName != NULL) {
HeapFree(GetProcessHeap(), 0, domainSidName);
}
if (error) {
return FALSE;
}
return TRUE;
}
BOOL getPrimaryGroup(HANDLE tokenHandle, LPTSTR *primaryGroup) {
BOOL error = FALSE;
DWORD bufSize = 0;
DWORD retBufSize = 0;
PTOKEN_PRIMARY_GROUP tokenGroupInfo = NULL;
// get token information
GetTokenInformation(tokenHandle,
TokenPrimaryGroup,
NULL, // TokenInformation - if NULL get buffer size
0, // since TokenInformation is NULL
&bufSize);
tokenGroupInfo = (PTOKEN_PRIMARY_GROUP)HeapAlloc
(GetProcessHeap(), 0, bufSize);
if (GetTokenInformation(tokenHandle,
TokenPrimaryGroup,
tokenGroupInfo,
bufSize,
&retBufSize) == 0) {
if (debug) {
printf(" [getPrimaryGroup] GetTokenInformation error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
error = TRUE;
goto cleanup;
}
if (debug) {
printf(" [getPrimaryGroup] Got TokenPrimaryGroup info\n");
}
bufSize = 0;
getTextualSid(tokenGroupInfo->PrimaryGroup, NULL, &bufSize);
*primaryGroup = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, bufSize);
getTextualSid(tokenGroupInfo->PrimaryGroup, *primaryGroup, &bufSize);
if (debug) {
printf(" [getPrimaryGroup] primaryGroup: %s\n", *primaryGroup);
}
cleanup:
if (tokenGroupInfo != NULL) {
HeapFree(GetProcessHeap(), 0, tokenGroupInfo);
}
if (error) {
return FALSE;
}
return TRUE;
}
BOOL getGroups(HANDLE tokenHandle, PDWORD numGroups, LPTSTR **groups) {
BOOL error = FALSE;
DWORD bufSize = 0;
DWORD retBufSize = 0;
long i = 0;
PTOKEN_GROUPS tokenGroupInfo = NULL;
// get token information
GetTokenInformation(tokenHandle,
TokenGroups,
NULL, // TokenInformation - if NULL get buffer size
0, // since TokenInformation is NULL
&bufSize);
tokenGroupInfo = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(), 0, bufSize);
if (GetTokenInformation(tokenHandle,
TokenGroups,
tokenGroupInfo,
bufSize,
&retBufSize) == 0) {
if (debug) {
printf(" [getGroups] GetTokenInformation error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
error = TRUE;
goto cleanup;
}
if (debug) {
printf(" [getGroups] Got TokenGroups info\n");
}
if (tokenGroupInfo->GroupCount == 0) {
// no groups
goto cleanup;
}
// return group info
*numGroups = tokenGroupInfo->GroupCount;
*groups = (LPTSTR *)HeapAlloc
(GetProcessHeap(), 0, (*numGroups) * sizeof(LPTSTR));
for (i = 0; i < (long)*numGroups; i++) {
bufSize = 0;
getTextualSid(tokenGroupInfo->Groups[i].Sid, NULL, &bufSize);
(*groups)[i] = (LPTSTR)HeapAlloc(GetProcessHeap(), 0, bufSize);
getTextualSid(tokenGroupInfo->Groups[i].Sid, (*groups)[i], &bufSize);
if (debug) {
printf(" [getGroups] group %d: %s\n", i, (*groups)[i]);
}
}
cleanup:
if (tokenGroupInfo != NULL) {
HeapFree(GetProcessHeap(), 0, tokenGroupInfo);
}
if (error) {
return FALSE;
}
return TRUE;
}
BOOL getImpersonationToken(PHANDLE impersonationToken) {
HANDLE dupToken;
if (OpenThreadToken(GetCurrentThread(),
TOKEN_DUPLICATE,
FALSE,
&dupToken) == 0) {
if (OpenProcessToken(GetCurrentProcess(),
TOKEN_DUPLICATE,
&dupToken) == 0) {
if (debug) {
printf
(" [getImpersonationToken] OpenProcessToken error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
return FALSE;
}
}
if (DuplicateToken(dupToken,
SecurityImpersonation,
impersonationToken) == 0) {
if (debug) {
printf(" [getImpersonationToken] DuplicateToken error [%d]: ",
GetLastError());
DisplayErrorText(GetLastError());
}
return FALSE;
}
CloseHandle(dupToken);
if (debug) {
printf(" [getImpersonationToken] token = %p\n",
(void *)*impersonationToken);
}
return TRUE;
}
BOOL getTextualSid
(PSID pSid, // binary SID
LPTSTR TextualSid, // buffer for Textual representation of SID
LPDWORD lpdwBufferLen) { // required/provided TextualSid buffersize
PSID_IDENTIFIER_AUTHORITY psia;
DWORD dwSubAuthorities;
DWORD dwSidRev=SID_REVISION;
DWORD dwCounter;
DWORD dwSidSize;
// Validate the binary SID.
if(!IsValidSid(pSid)) return FALSE;
// Get the identifier authority value from the SID.
psia = GetSidIdentifierAuthority(pSid);
// Get the number of subauthorities in the SID.
dwSubAuthorities = *GetSidSubAuthorityCount(pSid);
// Compute the buffer length.
// S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL
dwSidSize=(15 + 12 + (12 * dwSubAuthorities) + 1) * sizeof(TCHAR);
// Check input buffer length.
// If too small, indicate the proper size and set last error.
if (*lpdwBufferLen < dwSidSize) {
*lpdwBufferLen = dwSidSize;
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return FALSE;
}
// Add 'S' prefix and revision number to the string.
dwSidSize=wsprintf(TextualSid, TEXT("S-%lu-"), dwSidRev );
// Add SID identifier authority to the string.
if ((psia->Value[0] != 0) || (psia->Value[1] != 0)) {
dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),
TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
(USHORT)psia->Value[0],
(USHORT)psia->Value[1],
(USHORT)psia->Value[2],
(USHORT)psia->Value[3],
(USHORT)psia->Value[4],
(USHORT)psia->Value[5]);
} else {
dwSidSize+=wsprintf(TextualSid + lstrlen(TextualSid),
TEXT("%lu"),
(ULONG)(psia->Value[5] ) +
(ULONG)(psia->Value[4] << 8) +
(ULONG)(psia->Value[3] << 16) +
(ULONG)(psia->Value[2] << 24) );
}
// Add SID subauthorities to the string.
for (dwCounter=0 ; dwCounter < dwSubAuthorities ; dwCounter++) {
dwSidSize+=wsprintf(TextualSid + dwSidSize, TEXT("-%lu"),
*GetSidSubAuthority(pSid, dwCounter) );
}
return TRUE;
}
void DisplayErrorText(DWORD dwLastError) {
HMODULE hModule = NULL; // default to system source
LPSTR MessageBuffer;
DWORD dwBufferLength;
DWORD dwFormatFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_IGNORE_INSERTS |
FORMAT_MESSAGE_FROM_SYSTEM ;
//
// If dwLastError is in the network range,
// load the message source.
//
if(dwLastError >= NERR_BASE && dwLastError <= MAX_NERR) {
hModule = LoadLibraryEx(TEXT("netmsg.dll"),
NULL,
LOAD_LIBRARY_AS_DATAFILE);
if(hModule != NULL)
dwFormatFlags |= FORMAT_MESSAGE_FROM_HMODULE;
}
//
// Call FormatMessage() to allow for message
// text to be acquired from the system
// or from the supplied module handle.
//
if(dwBufferLength = FormatMessageA(dwFormatFlags,
hModule, // module to get message from (NULL == system)
dwLastError,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // default language
(LPSTR) &MessageBuffer,
0,
NULL)) {
DWORD dwBytesWritten;
//
// Output message string on stderr.
//
WriteFile(GetStdHandle(STD_ERROR_HANDLE),
MessageBuffer,
dwBufferLength,
&dwBytesWritten,
NULL);
//
// Free the buffer allocated by the system.
//
LocalFree(MessageBuffer);
}
//
// If we loaded a message source, unload it.
//
if(hModule != NULL)
FreeLibrary(hModule);
}
/**
* 1. comment out first two #includes
* 2. set 'debug' to TRUE
* 3. comment out 'getCurrent'
* 4. uncomment 'main'
* 5. cc -c nt.c
* 6. link nt.obj user32.lib advapi32.lib /out:nt.exe
*/
/*
void main(int argc, char *argv[]) {
long i = 0;
HANDLE tokenHandle = INVALID_HANDLE_VALUE;
LPTSTR userName = NULL;
LPTSTR userSid = NULL;
LPTSTR domainName = NULL;
LPTSTR domainSid = NULL;
LPTSTR primaryGroup = NULL;
DWORD numGroups = 0;
LPTSTR *groups = NULL;
HANDLE impersonationToken = 0;
printf("getting access token\n");
if (getToken(&tokenHandle) == FALSE) {
exit(1);
}
printf("getting user info\n");
if (getUser
(tokenHandle, &userName, &domainName, &userSid, &domainSid) == FALSE) {
exit(1);
}
printf("getting primary group\n");
if (getPrimaryGroup(tokenHandle, &primaryGroup) == FALSE) {
exit(1);
}
printf("getting supplementary groups\n");
if (getGroups(tokenHandle, &numGroups, &groups) == FALSE) {
exit(1);
}
printf("getting impersonation token\n");
if (getImpersonationToken(&impersonationToken) == FALSE) {
exit(1);
}
printf("userName = %s, userSid = %s, domainName = %s, domainSid = %s\n",
userName, userSid, domainName, domainSid);
printf("primaryGroup = %s\n", primaryGroup);
for (i = 0; i < numGroups; i++) {
printf("Group[%d] = %s\n", i, groups[i]);
}
printf("impersonationToken = %ld\n", impersonationToken);
if (userName != NULL) {
HeapFree(GetProcessHeap(), 0, userName);
}
if (userSid != NULL) {
HeapFree(GetProcessHeap(), 0, userSid);
}
if (domainName != NULL) {
HeapFree(GetProcessHeap(), 0, domainName);
}
if (domainSid != NULL) {
HeapFree(GetProcessHeap(), 0, domainSid);
}
if (primaryGroup != NULL) {
HeapFree(GetProcessHeap(), 0, primaryGroup);
}
if (groups != NULL) {
for (i = 0; i < numGroups; i++) {
if (groups[i] != NULL) {
HeapFree(GetProcessHeap(), 0, groups[i]);
}
}
HeapFree(GetProcessHeap(), 0, groups);
}
CloseHandle(impersonationToken);
CloseHandle(tokenHandle);
}
*/
/**
* extra main method for testing debug printing
*/
/*
void main(int argc, char *argv[]) {
if(argc != 2) {
fprintf(stderr,"Usage: %s <error number>\n", argv[0]);
}
DisplayErrorText(atoi(argv[1]));
}
*/