From 8ea4392c3c89750682ae4e87c416c64f7767c427 Mon Sep 17 00:00:00 2001
From: Jiang Yio <jyio@noreply.git.inportb.com>
Date: Fri, 1 Mar 2024 23:58:00 -0500
Subject: [PATCH] First

---
 .gitignore    |  16 +++++
 Cargo.toml    |  19 ++++++
 LICENSE       |   9 +++
 README.md     |   3 +
 src/common.rs | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++
 src/lib.rs    |   2 +
 src/main.rs   |  10 +++
 7 files changed, 223 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Cargo.toml
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 src/common.rs
 create mode 100644 src/lib.rs
 create mode 100644 src/main.rs

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3ca43ae
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,16 @@
+# ---> Rust
+# Generated by Cargo
+# will have compiled files and executables
+debug/
+target/
+
+# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
+# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
+Cargo.lock
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# MSVC Windows builds of rustc generate these, which store debugging information
+*.pdb
+
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000..c61f8db
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,19 @@
+[package]
+name = "XWBSSOi"
+version = "0.0.1"
+edition = "2018"
+
+[dependencies]
+windows-sys = { features = [
+	"Win32_Foundation",
+	"Win32_Security_Cryptography",
+	"Win32_Security_Cryptography_UI",
+	"Win32_System",
+	"Win32_System_Registry",
+	"Win32_System_SystemInformation",
+] }
+
+[profile.release]
+codegen-units = 1
+lto = true
+strip = true
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..2fcf8f2
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2023 Jiang Yio
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fa9dca6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# XWBSSOi-rs
+
+XWBSSOi in Rust
\ No newline at end of file
diff --git a/src/common.rs b/src/common.rs
new file mode 100644
index 0000000..536cb7c
--- /dev/null
+++ b/src/common.rs
@@ -0,0 +1,164 @@
+use std::os::windows::ffi::OsStringExt;
+use windows_sys::Win32::Security::Cryptography;
+use windows_sys::Win32::System::Registry;
+
+const DEFAULT_USER_AGENT: &str = "Borland SOAP 1.2";
+const DEFAULT_COMPUTER_NAME: &str = "localhost";
+const DEFAULT_APP_NAME: &str = "CPRSChart.exe";
+const DEFAULT_ISSUER: &str = "https://ssoi.sts.va.gov/Issuer/smtoken/SAML2";
+
+#[derive(Debug)]
+pub struct SystemError { pub code: windows_sys::Win32::Foundation::WIN32_ERROR }
+impl std::fmt::Display for SystemError {
+	fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+		write!(f, "System error: {:x}", self.code)
+	}
+}
+
+#[derive(Debug)]
+pub enum StringSystemError { String(std::string::FromUtf8Error), OsString(std::ffi::OsString), SystemError(SystemError) }
+
+struct ManagedCertificateStore(pub Cryptography::HCERTSTORE);
+impl Drop for ManagedCertificateStore {
+	fn drop(&mut self) {
+		if self.0 != std::ptr::null_mut() { unsafe { Cryptography::CertCloseStore(self.0, 0); } }
+	}
+}
+
+fn get_registry_reg_sz(key: Registry::HKEY, subkey: windows_sys::core::PCWSTR, value: windows_sys::core::PCWSTR) -> Result<String, StringSystemError> {
+	let mut bufsz: u32 = 0;
+	unsafe { Registry::RegGetValueW(key, subkey, value, Registry::RRF_RT_REG_SZ, std::ptr::null_mut(), std::ptr::null_mut(), &mut bufsz); }
+	loop {
+		let mut buffer = vec![0 as u16; bufsz as usize >> 1];
+		match unsafe { Registry::RegGetValueW(key, subkey, value, Registry::RRF_RT_REG_SZ, std::ptr::null_mut(), buffer.as_mut_ptr() as *mut std::ffi::c_void, &mut bufsz) } {
+			windows_sys::Win32::Foundation::ERROR_MORE_DATA => continue,
+			windows_sys::Win32::Foundation::ERROR_SUCCESS => return Ok(std::ffi::OsString::from_wide(&buffer[0 .. (bufsz as usize >> 1) - 1]).into_string().map_err(|err| StringSystemError::OsString(err))?),
+			value => return Err(StringSystemError::SystemError(SystemError { code: value }))
+		}
+	}
+}
+pub fn get_registry_iam() -> String {
+	get_registry_reg_sz(Registry::HKEY_LOCAL_MACHINE, windows_sys::w!("SOFTWARE\\Vista\\Common\\IAM"), std::ptr::null()).unwrap_or_else(|_| "https://services.eauth.va.gov:9301/STS/RequestSecurityToken".to_owned())
+}
+pub fn get_registry_iam_ad() -> String {
+	get_registry_reg_sz(Registry::HKEY_LOCAL_MACHINE, windows_sys::w!("SOFTWARE\\Vista\\Common\\IAM_AD"), std::ptr::null()).unwrap_or_else(|_| "https://services.eauth.va.gov:9201/STS/RequestSecurityToken".to_owned())
+}
+pub fn get_registry_rioserver() -> String {
+	get_registry_reg_sz(Registry::HKEY_LOCAL_MACHINE, windows_sys::w!("SOFTWARE\\Vista\\Common\\RIOSERVER"), std::ptr::null()).unwrap_or_else(|_| "SecurityTokenService".to_owned())
+}
+pub fn get_registry_rioport() -> String {
+	get_registry_reg_sz(Registry::HKEY_LOCAL_MACHINE, windows_sys::w!("SOFTWARE\\Vista\\Common\\RIOPORT"), std::ptr::null()).unwrap_or_else(|_| "RequestSecurityToken".to_owned())
+}
+
+pub fn get_iam_request(application: &str, issuer: &str) -> String {
+	format!("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\
+		<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">\
+			<soapenv:Header/>\
+			<soapenv:Body>\
+				<ns:RequestSecurityToken>\
+					<ns:Base>\
+						<wss:TLS xmlns:wss=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"/>\
+					</ns:Base>\
+					<wsp:AppliesTo xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\
+						<wsa:EndpointReference xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\">\
+							<wsa:Address>{application}</wsa:Address>\
+						</wsa:EndpointReference>\
+					</wsp:AppliesTo>\
+					<ns:Issuer>\
+						<wsa:Address xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\">{issuer}</wsa:Address>\
+					</ns:Issuer>\
+					<ns:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</ns:RequestType>\
+				</ns:RequestSecurityToken>\
+			</soapenv:Body>\
+		</soapenv:Envelope>")
+}
+
+pub fn get_local_computer_name() -> Result<String, StringSystemError> {
+	use windows_sys::Win32::System::SystemInformation;
+	let mut bufsz: u32 = 0;
+	unsafe { SystemInformation::GetComputerNameExW(SystemInformation::ComputerNameDnsFullyQualified, std::ptr::null_mut() as windows_sys::core::PWSTR, &mut bufsz); }
+	let mut buffer = vec![0 as u16; bufsz as usize];
+	match unsafe { SystemInformation::GetComputerNameExW(SystemInformation::ComputerNameDnsFullyQualified, buffer.as_mut_ptr() as windows_sys::core::PWSTR, &mut bufsz) } {
+		0 => unsafe { Err(StringSystemError::SystemError(SystemError { code: windows_sys::Win32::Foundation::GetLastError() })) },
+		_ => std::ffi::OsString::from_wide(&buffer[0 .. bufsz as usize]).into_string().map_err(|err| StringSystemError::OsString(err))
+	}
+}
+
+pub fn get_app_name() -> Option<String> {
+	std::env::current_exe().ok()?.file_name()?.to_str()?.to_owned().into()
+}
+
+pub fn get_vista_certificate(show_cert_dialog: bool) -> Result<*const Cryptography::CERT_CONTEXT, StringSystemError> {
+	let void_p_null = std::ptr::null_mut();
+	unsafe {
+		let store_system = ManagedCertificateStore(Cryptography::CertOpenSystemStoreW(0, windows_sys::w!("MY")));
+		let store_memory = ManagedCertificateStore(Cryptography::CertOpenStore(Cryptography::CERT_STORE_PROV_MEMORY, 0, 0, 0, void_p_null));
+		let mut cert_selection = void_p_null as *const Cryptography::CERT_CONTEXT;
+		let mut cert_iter = void_p_null as *const Cryptography::CERT_CONTEXT;
+		while { cert_iter = Cryptography::CertEnumCertificatesInStore(store_system.0, cert_iter); cert_iter } != void_p_null as *const Cryptography::CERT_CONTEXT {
+			let mut cert_valid = Cryptography::CertFindCertificateInStore(store_system.0, Cryptography::X509_ASN_ENCODING | Cryptography::PKCS_7_ASN_ENCODING, 0, Cryptography::CERT_FIND_ANY, void_p_null, void_p_null as *const Cryptography::CERT_CONTEXT);
+			if cert_valid != void_p_null as *mut Cryptography::CERT_CONTEXT {
+				let name_bufsz = Cryptography::CertGetNameStringW(cert_iter, Cryptography::CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, void_p_null, void_p_null as windows_sys::core::PWSTR, 0);
+				let mut name_buffer = vec![0 as u16; name_bufsz as usize];
+				Cryptography::CertGetNameStringW(cert_iter, Cryptography::CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, void_p_null, name_buffer.as_mut_ptr() as windows_sys::core::PWSTR, name_bufsz);
+				let name_string = std::ffi::OsString::from_wide(&name_buffer[0 .. name_bufsz as usize - 1]).into_string().map_err(|err| StringSystemError::OsString(err))?;
+				let mut key_usage_bits: u8 = 0;
+				Cryptography::CertGetIntendedKeyUsage(Cryptography::X509_ASN_ENCODING | Cryptography::PKCS_7_ASN_ENCODING, (*cert_iter).pCertInfo, &mut key_usage_bits, std::mem::size_of_val(&key_usage_bits) as u32);
+				let valid_date = Cryptography::CertVerifyTimeValidity(void_p_null as *const windows_sys::Win32::Foundation::FILETIME, (*cert_iter).pCertInfo);
+				if ((key_usage_bits as u32 & Cryptography::CERT_DIGITAL_SIGNATURE_KEY_USAGE) == Cryptography::CERT_DIGITAL_SIGNATURE_KEY_USAGE) && (valid_date == 0) && (!name_string.contains("Card Authentication")) && (!name_string.contains("0,")) && (!name_string.contains("Signature")) {
+					Cryptography::CertAddCertificateContextToStore(store_memory.0, cert_iter, Cryptography::CERT_STORE_ADD_ALWAYS, &mut cert_valid);
+					cert_selection = cert_valid;
+				}
+			}
+		}
+		//Cryptography::CertCloseStore(store_system.0, 0);
+		if show_cert_dialog {
+			cert_selection = Cryptography::UI::CryptUIDlgSelectCertificateFromStore(store_memory.0, 0, windows_sys::w!("VistA Logon - Certificate Selection"), windows_sys::w!("Select a certificate for VistA authentication"), 0, 0, void_p_null);
+		}
+		//Cryptography::CertCloseStore(store_memory.0, 0);
+		if cert_selection != void_p_null as *const Cryptography::CERT_CONTEXT { Ok(cert_selection) } else { Err(StringSystemError::SystemError(SystemError { code: windows_sys::Win32::Foundation::ERROR_REQUEST_REFUSED })) }
+	}
+}
+
+pub fn get_certificate_thumbprint(certificate: *const Cryptography::CERT_CONTEXT) -> String {
+	let mut bufsz: u32 = 0;
+	unsafe { Cryptography::CertGetCertificateContextProperty(certificate, Cryptography::CERT_HASH_PROP_ID, std::ptr::null_mut(), &mut bufsz); }
+	let mut buffer = vec![0 as u8; bufsz as usize];
+	unsafe { Cryptography::CertGetCertificateContextProperty(certificate, Cryptography::CERT_HASH_PROP_ID, buffer.as_mut_ptr() as *mut std::ffi::c_void, &mut bufsz); }
+	buffer.iter().map(|b| format!("{:02x}", b)).collect::<Vec<String>>().join("")
+}
+
+pub struct TokenConfig {
+	pub iam: String,
+	pub ua: String,
+	pub certificate: String,
+	pub issuer: String,
+	pub hostname: String,
+	pub application: String,
+}
+
+impl Default for TokenConfig {
+	fn default() -> Self {
+		Self {
+			iam: String::new(),
+			ua: String::new(),
+			certificate: String::new(),
+			issuer: String::new(),
+			hostname: String::new(),
+			application: String::new(),
+		}
+	}
+}
+
+pub fn get_sso_token(config: TokenConfig) -> Result<String, StringSystemError> {
+	let config_certificate = match config.certificate.as_str() { "" => get_certificate_thumbprint(get_vista_certificate(true)?), _ => config.certificate };
+	let config_hostname = match config.hostname.as_str() { "" => get_local_computer_name().unwrap_or_else(|_| DEFAULT_COMPUTER_NAME.to_owned()), _ => config.hostname };
+	let config_application = match config.application.as_str() { "" => get_app_name().unwrap_or_else(|| DEFAULT_APP_NAME.to_owned()), _ => config.application };
+	let mut req = std::process::Command::new("curl");
+	req.arg("-fsSL").arg("-X").arg("POST").arg(match config.iam.as_str() { "" => get_registry_iam(), _ => config.iam })
+		.arg("--ca-native").arg("--cert").arg(format!("CurrentUser\\MY\\{config_certificate}"))
+		.arg("-A").arg(match config.ua.as_str() { "" => DEFAULT_USER_AGENT, v => v })
+		.arg("-H").arg("Content-Type: application/xml").arg("-H").arg("Accept: application/xml")
+		.arg("-d").arg(get_iam_request(format!("https://{config_hostname}/Delphi_RPC_Broker/{config_application}").as_str(), match config.issuer.as_str() { "" => DEFAULT_ISSUER, v => v }));
+	String::from_utf8(req.stdin(std::process::Stdio::null()).stdout(std::process::Stdio::piped()).stderr(std::process::Stdio::inherit()).output().unwrap().stdout).map_err(|err| StringSystemError::String(err))
+}
diff --git a/src/lib.rs b/src/lib.rs
new file mode 100644
index 0000000..598ae17
--- /dev/null
+++ b/src/lib.rs
@@ -0,0 +1,2 @@
+mod common;
+pub use common::*;
diff --git a/src/main.rs b/src/main.rs
new file mode 100644
index 0000000..0f658e4
--- /dev/null
+++ b/src/main.rs
@@ -0,0 +1,10 @@
+mod common;
+
+fn main() -> Result<(), Box<dyn std::error::Error>> {
+	match common::get_sso_token(common::TokenConfig::default()) {
+		Ok(value) => println!("{:?}", value),
+		Err(common::StringSystemError::SystemError(common::SystemError { code })) => { std::process::exit(code as i32) },
+		_ => { std::process::exit(1) }
+	};
+	Ok(())
+}