Beispiel #1
0
        ExtendedProtectionPolicy GetExtendedProtectionPolicy()
        {
            ExtendedProtectionPolicy extendedProtection = null;

            using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(IISConstants.CBTRegistryHKLMPath))
            {
                if (registryKey != null)
                {
                    object tokenCheckingObj = registryKey.GetValue(IISConstants.TokenCheckingAttributeName);
                    object flagsObj         = registryKey.GetValue(IISConstants.FlagsAttributeName);
                    object spnsObj          = registryKey.GetValue(IISConstants.SpnAttributeName);
                    //using the default one if the registry value is missing
                    ExtendedProtectionTokenChecking tokenChecking = (tokenCheckingObj == null) ?
                                                                    ExtendedProtectionTokenChecking.None : (ExtendedProtectionTokenChecking)tokenCheckingObj;
                    ExtendedProtectionFlags flags = flagsObj == null ?
                                                    ExtendedProtectionFlags.None : (ExtendedProtectionFlags)flagsObj;
                    List <string> spns = spnsObj == null ? null : new List <string>(spnsObj as string[]);
                    extendedProtection = BuildExtendedProtectionPolicy(tokenChecking, flags, spns);
                }
                else
                {
                    // this IIS6 does not support CBT, log a warning to tracing
                    if (DiagnosticUtility.ShouldTraceWarning)
                    {
                        TraceUtility.TraceEvent(TraceEventType.Warning, TraceCode.WebHostNoCBTSupport,
                                                SR.TraceCodeWebHostNoCBTSupport, this, (Exception)null);
                    }
                }
            }
            return(extendedProtection);
        }
Beispiel #2
0
 // translate IIS setting on extended protection to NCL object
 static internal void ReadIisExtendedProtectionPolicy(ConfigurationElement element, out ExtendedProtectionTokenChecking tokenChecking,
                                                      out ExtendedProtectionFlags flags, out List <string> spnList)
 {
     tokenChecking = (ExtendedProtectionTokenChecking)element.GetAttributeValue(MetabaseSettingsIis7Constants.TokenCheckingAttributeName);
     flags         = (ExtendedProtectionFlags)element.GetAttributeValue(MetabaseSettingsIis7Constants.FlagsAttributeName);
     spnList       = new List <string>();
     foreach (ConfigurationElement configElement in element.GetCollection())
     {
         spnList.Add((string)configElement[MetabaseSettingsIis7Constants.NameAttributeName]);
     }
 }
 private ExtendedProtectionPolicy GetExtendedProtectionPolicy()
 {
     using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Services\W3SVC\Parameters\ExtendedProtection"))
     {
         if (key != null)
         {
             object obj2 = key.GetValue("tokenChecking");
             object obj3 = key.GetValue("flags");
             object obj4 = key.GetValue("spns");
             ExtendedProtectionTokenChecking tokenChecking = (obj2 == null) ? ExtendedProtectionTokenChecking.None : ((ExtendedProtectionTokenChecking)obj2);
             ExtendedProtectionFlags         flags         = (obj3 == null) ? ExtendedProtectionFlags.None : ((ExtendedProtectionFlags)obj3);
             List <string> spnList = (obj4 == null) ? null : new List <string>(obj4 as string[]);
             return(MetabaseSettings.BuildExtendedProtectionPolicy(tokenChecking, flags, spnList));
         }
         if (DiagnosticUtility.ShouldTraceWarning)
         {
             TraceUtility.TraceEvent(TraceEventType.Warning, 0x90008, System.ServiceModel.Activation.SR.TraceCodeWebHostNoCBTSupport, this, null);
         }
     }
     return(null);
 }
        // build NCL ExtendedProtectionPolicy object
        // From NCL comments:
        // The NoServiceNameCheck flag can always be ignored because it has no meaning in the .NET Framework 
        // where validation against an SPN list is always required when the scenario does not require a CBT.
        protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(
                    ExtendedProtectionTokenChecking tokenChecking,
                    ExtendedProtectionFlags flags,
                    List<string> spnList)
        {
            PolicyEnforcement enforce;
            ProtectionScenario scenario;
            ServiceNameCollection serviceNames = null;

            if (tokenChecking == ExtendedProtectionTokenChecking.None)
            {
                return new ExtendedProtectionPolicy(PolicyEnforcement.Never);
            }
            else if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
            {
                enforce = PolicyEnforcement.WhenSupported;
            }
            else if (tokenChecking == ExtendedProtectionTokenChecking.Require)
            {
                enforce = PolicyEnforcement.Always;
            }
            else
            {
                throw FxTrace.Exception.Argument("tokenChecking", SR.Hosting_UnrecognizedTokenCheckingValue);
            }

            bool transportSelectedCondition1 = (flags == ExtendedProtectionFlags.None);
            bool transportSelectedCondition2 = (flags == ExtendedProtectionFlags.AllowDotlessSpn);
            bool transportSelectedCondition3 = ((flags & ExtendedProtectionFlags.Proxy) != 0) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != 0);
            bool trustedProxyCondition = (flags & ExtendedProtectionFlags.Proxy) != 0;

            //only none or allowdotlessspn flag has been selected or both proxy and proxycohosting flags have been selected 
            //set scenario to TransportSelected
            if (transportSelectedCondition1 || transportSelectedCondition2 || transportSelectedCondition3)
            {
                scenario = ProtectionScenario.TransportSelected;
            }
            // proxy but no procycohosting flag has been selected, set scenario to TrustedProxy
            else if (trustedProxyCondition)
            {
                scenario = ProtectionScenario.TrustedProxy;
            }
            // other nonsupported scenarios, throw NotSupportedException
            else
            {
                throw FxTrace.Exception.Argument("flags", SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
            }

            // dotless spn check if dotlessspn is not allowed
            // spn format <service class>/<host>:<port>/<service name> per http://msdn.microsoft.com/en-us/library/ms677601(VS.85).aspx
            if (spnList != null)
            {
                if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == 0)
                {
                    foreach (string spn in spnList)
                    {
                        string[] parts = spn.Split(AboPathDelimiter);
                        if (parts.Length > 1)
                        {
                            int position = parts[1].IndexOf(DotDelimiter, StringComparison.CurrentCultureIgnoreCase);
                            if (position == -1)
                            {
                                throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(spn));
                            }
                            else if (position == 0 || position == parts[1].Length - 1)
                            {
                                throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
                            }
                        }
                        else
                        {
                            throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
                        }
                    }
                }
                // ExtendedProtectionPolicy constructor rejects empty collection but accept null
                // in order to avoid any ambiguilty
                if (spnList.Count != 0)
                {
                    serviceNames = new ServiceNameCollection(spnList);
                }
            }
            return new ExtendedProtectionPolicy(enforce, scenario, serviceNames);
        }
Beispiel #5
0
        // build NCL ExtendedProtectionPolicy object
        // From NCL comments:
        // The NoServiceNameCheck flag can always be ignored because it has no meaning in the .NET Framework
        // where validation against an SPN list is always required when the scenario does not require a CBT.
        protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(
            ExtendedProtectionTokenChecking tokenChecking,
            ExtendedProtectionFlags flags,
            List <string> spnList)
        {
            PolicyEnforcement     enforce;
            ProtectionScenario    scenario;
            ServiceNameCollection serviceNames = null;

            if (tokenChecking == ExtendedProtectionTokenChecking.None)
            {
                return(new ExtendedProtectionPolicy(PolicyEnforcement.Never));
            }
            else if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
            {
                enforce = PolicyEnforcement.WhenSupported;
            }
            else if (tokenChecking == ExtendedProtectionTokenChecking.Require)
            {
                enforce = PolicyEnforcement.Always;
            }
            else
            {
                throw FxTrace.Exception.Argument("tokenChecking", SR.Hosting_UnrecognizedTokenCheckingValue);
            }

            bool transportSelectedCondition1 = (flags == ExtendedProtectionFlags.None);
            bool transportSelectedCondition2 = (flags == ExtendedProtectionFlags.AllowDotlessSpn);
            bool transportSelectedCondition3 = ((flags & ExtendedProtectionFlags.Proxy) != 0) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != 0);
            bool trustedProxyCondition       = (flags & ExtendedProtectionFlags.Proxy) != 0;

            //only none or allowdotlessspn flag has been selected or both proxy and proxycohosting flags have been selected
            //set scenario to TransportSelected
            if (transportSelectedCondition1 || transportSelectedCondition2 || transportSelectedCondition3)
            {
                scenario = ProtectionScenario.TransportSelected;
            }
            // proxy but no procycohosting flag has been selected, set scenario to TrustedProxy
            else if (trustedProxyCondition)
            {
                scenario = ProtectionScenario.TrustedProxy;
            }
            // other nonsupported scenarios, throw NotSupportedException
            else
            {
                throw FxTrace.Exception.Argument("flags", SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
            }

            // dotless spn check if dotlessspn is not allowed
            // spn format <service class>/<host>:<port>/<service name> per http://msdn.microsoft.com/en-us/library/ms677601(VS.85).aspx
            if (spnList != null)
            {
                if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == 0)
                {
                    foreach (string spn in spnList)
                    {
                        string[] parts = spn.Split(AboPathDelimiter);
                        if (parts.Length > 1)
                        {
                            int position = parts[1].IndexOf(DotDelimiter, StringComparison.CurrentCultureIgnoreCase);
                            if (position == -1)
                            {
                                throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(spn));
                            }
                            else if (position == 0 || position == parts[1].Length - 1)
                            {
                                throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
                            }
                        }
                        else
                        {
                            throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
                        }
                    }
                }
                // ExtendedProtectionPolicy constructor rejects empty collection but accept null
                // in order to avoid any ambiguilty
                if (spnList.Count != 0)
                {
                    serviceNames = new ServiceNameCollection(spnList);
                }
            }
            return(new ExtendedProtectionPolicy(enforce, scenario, serviceNames));
        }
 // translate IIS setting on extended protection to NCL object
 static internal void ReadIisExtendedProtectionPolicy(ConfigurationElement element, out ExtendedProtectionTokenChecking tokenChecking,
     out ExtendedProtectionFlags flags, out List<string> spnList)
 {
     tokenChecking = (ExtendedProtectionTokenChecking)element.GetAttributeValue(MetabaseSettingsIis7Constants.TokenCheckingAttributeName);
     flags = (ExtendedProtectionFlags)element.GetAttributeValue(MetabaseSettingsIis7Constants.FlagsAttributeName);
     spnList = new List<string>();
     foreach (ConfigurationElement configElement in element.GetCollection())
     {
         spnList.Add((string)configElement[MetabaseSettingsIis7Constants.NameAttributeName]);
     }
 }
        protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List <string> spnList)
        {
            PolicyEnforcement     whenSupported;
            ProtectionScenario    transportSelected;
            ServiceNameCollection customServiceNames = null;

            if (tokenChecking == ExtendedProtectionTokenChecking.None)
            {
                return(new ExtendedProtectionPolicy(PolicyEnforcement.Never));
            }
            if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
            {
                whenSupported = PolicyEnforcement.WhenSupported;
            }
            else
            {
                if (tokenChecking != ExtendedProtectionTokenChecking.Require)
                {
                    throw FxTrace.Exception.Argument("tokenChecking", System.ServiceModel.Activation.SR.Hosting_UnrecognizedTokenCheckingValue);
                }
                whenSupported = PolicyEnforcement.Always;
            }
            bool flag  = flags == ExtendedProtectionFlags.None;
            bool flag2 = flags == ExtendedProtectionFlags.AllowDotlessSpn;
            bool flag3 = ((flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != ExtendedProtectionFlags.None);
            bool flag4 = (flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None;

            if ((flag || flag2) || flag3)
            {
                transportSelected = ProtectionScenario.TransportSelected;
            }
            else
            {
                if (!flag4)
                {
                    throw FxTrace.Exception.Argument("flags", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
                }
                transportSelected = ProtectionScenario.TrustedProxy;
            }
            if (spnList != null)
            {
                if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == ExtendedProtectionFlags.None)
                {
                    foreach (string str in spnList)
                    {
                        string[] strArray = str.Split(new char[] { '/' });
                        if (strArray.Length <= 1)
                        {
                            throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
                        }
                        int index = strArray[1].IndexOf(".", StringComparison.CurrentCultureIgnoreCase);
                        if (index == -1)
                        {
                            throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(str));
                        }
                        if ((index == 0) || (index == (strArray[1].Length - 1)))
                        {
                            throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
                        }
                    }
                }
                if (spnList.Count != 0)
                {
                    customServiceNames = new ServiceNameCollection(spnList);
                }
            }
            return(new ExtendedProtectionPolicy(whenSupported, transportSelected, customServiceNames));
        }
 protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List<string> spnList)
 {
     PolicyEnforcement whenSupported;
     ProtectionScenario transportSelected;
     ServiceNameCollection customServiceNames = null;
     if (tokenChecking == ExtendedProtectionTokenChecking.None)
     {
         return new ExtendedProtectionPolicy(PolicyEnforcement.Never);
     }
     if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
     {
         whenSupported = PolicyEnforcement.WhenSupported;
     }
     else
     {
         if (tokenChecking != ExtendedProtectionTokenChecking.Require)
         {
             throw FxTrace.Exception.Argument("tokenChecking", System.ServiceModel.Activation.SR.Hosting_UnrecognizedTokenCheckingValue);
         }
         whenSupported = PolicyEnforcement.Always;
     }
     bool flag = flags == ExtendedProtectionFlags.None;
     bool flag2 = flags == ExtendedProtectionFlags.AllowDotlessSpn;
     bool flag3 = ((flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != ExtendedProtectionFlags.None);
     bool flag4 = (flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None;
     if ((flag || flag2) || flag3)
     {
         transportSelected = ProtectionScenario.TransportSelected;
     }
     else
     {
         if (!flag4)
         {
             throw FxTrace.Exception.Argument("flags", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
         }
         transportSelected = ProtectionScenario.TrustedProxy;
     }
     if (spnList != null)
     {
         if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == ExtendedProtectionFlags.None)
         {
             foreach (string str in spnList)
             {
                 string[] strArray = str.Split(new char[] { '/' });
                 if (strArray.Length <= 1)
                 {
                     throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
                 }
                 int index = strArray[1].IndexOf(".", StringComparison.CurrentCultureIgnoreCase);
                 if (index == -1)
                 {
                     throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(str));
                 }
                 if ((index == 0) || (index == (strArray[1].Length - 1)))
                 {
                     throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
                 }
             }
         }
         if (spnList.Count != 0)
         {
             customServiceNames = new ServiceNameCollection(spnList);
         }
     }
     return new ExtendedProtectionPolicy(whenSupported, transportSelected, customServiceNames);
 }