/// <summary>
/// ServiceBinding check has the following logic:
/// 1. Check PolicyEnforcement - never => return true;
/// 1. Check status returned from SecurityContext which is obtained when querying for the serviceBinding
/// 2. Check PolicyEnforcement
/// a. WhenSupported - valid when OS does not support, null serviceBinding is valid
/// b. Always - a non-empty servicebinding must be available
/// 3. if serviceBinding is non null, check that an expected value is in the ServiceNameCollection - ignoring case
/// note that the empty string must be explicitly specified in the serviceNames.
/// </summary>
/// <param name="securityContext to ">status Code returned when obtaining serviceBinding from SecurityContext</param>
/// <returns>If servicebinding is valid</returns>
public void CheckServiceBinding(SafeDeleteContext securityContext, string defaultServiceBinding)
{
if (_policyEnforcement == PolicyEnforcement.Never)
{
return;
}
string serviceBinding = null;
int statusCode = SspiWrapper.QuerySpecifiedTarget(securityContext, out serviceBinding);
if (statusCode != (int)SecurityStatus.OK)
{
// only two acceptable non-zero values
// client OS not patched: stausCode == TargetUnknown
// service OS not patched: statusCode == Unsupported
if (statusCode != (int)SecurityStatus.TargetUnknown && statusCode != (int)SecurityStatus.Unsupported)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationNoServiceBinding)));
}
// if policyEnforcement is Always we needed to see a TargetName (SPN)
if (_policyEnforcement == PolicyEnforcement.Always)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationNoServiceBinding)));
}
// in this case we accept because either the client or service is not patched.
if (_policyEnforcement == PolicyEnforcement.WhenSupported)
{
return;
}
// guard against futures, force failure and fix as necessary
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationNoServiceBinding)));
}
switch (_policyEnforcement)
{
case PolicyEnforcement.WhenSupported:
// serviceBinding == null => client is not patched
if (serviceBinding == null)
{
return;
}
break;
case PolicyEnforcement.Always:
// serviceBinding == null => client is not patched
// serviceBinding == "" => SB was not specified
if (string.IsNullOrEmpty(serviceBinding))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty)));
}
break;
}
// iff no values were 'user' set, then check the defaultServiceBinding
if (_serviceNameCollection == null || _serviceNameCollection.Count < 1)
{
if (defaultServiceBinding == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty)));
}
if (string.Compare(defaultServiceBinding, serviceBinding, StringComparison.OrdinalIgnoreCase) == 0)
{
return;
}
if (string.IsNullOrEmpty(serviceBinding))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, serviceBinding)));
}
}
if (_serviceNameCollection != null)
{
if (_serviceNameCollection.Contains(serviceBinding))
{
return;
}
}
if (string.IsNullOrEmpty(serviceBinding))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, serviceBinding)));
}
}
public void CheckServiceBinding(SafeDeleteContext securityContext, string defaultServiceBinding)
{
if (this._policyEnforcement != System.Security.Authentication.ExtendedProtection.PolicyEnforcement.Never)
{
string specifiedTarget = null;
int num = SspiWrapper.QuerySpecifiedTarget(securityContext, out specifiedTarget);
if (num == 0)
{
switch (this._policyEnforcement)
{
case System.Security.Authentication.ExtendedProtection.PolicyEnforcement.WhenSupported:
if (specifiedTarget != null)
{
break;
}
return;
case System.Security.Authentication.ExtendedProtection.PolicyEnforcement.Always:
if (string.IsNullOrEmpty(specifiedTarget))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty })));
}
break;
}
if ((this._serviceNameCollection == null) || (this._serviceNameCollection.Count < 1))
{
if (defaultServiceBinding == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty })));
}
if (string.Compare(defaultServiceBinding, specifiedTarget, StringComparison.OrdinalIgnoreCase) == 0)
{
return;
}
if (string.IsNullOrEmpty(specifiedTarget))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty })));
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { specifiedTarget })));
}
foreach (string str2 in this._serviceNameCollection)
{
if ((str2 != null) && (string.Compare(str2, specifiedTarget, StringComparison.OrdinalIgnoreCase) == 0))
{
return;
}
}
if (string.IsNullOrEmpty(specifiedTarget))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty })));
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { specifiedTarget })));
}
if ((num != -2146893053) && (num != -2146893054))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationNoServiceBinding")));
}
if (this._policyEnforcement == System.Security.Authentication.ExtendedProtection.PolicyEnforcement.Always)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationNoServiceBinding")));
}
if (this._policyEnforcement != System.Security.Authentication.ExtendedProtection.PolicyEnforcement.WhenSupported)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationNoServiceBinding")));
}
}
}
