/// <summary> /// ServiceBinding check has the following logic: /// 1. Check PolicyEnforcement - never => return true; /// 1. Check status returned from SecurityContext which is obtained when querying for the serviceBinding /// 2. Check PolicyEnforcement /// a. WhenSupported - valid when OS does not support, null serviceBinding is valid /// b. Always - a non-empty servicebinding must be available /// 3. if serviceBinding is non null, check that an expected value is in the ServiceNameCollection - ignoring case /// note that the empty string must be explicitly specified in the serviceNames. /// </summary> /// <param name="securityContext to ">status Code returned when obtaining serviceBinding from SecurityContext</param> /// <returns>If servicebinding is valid</returns> public void CheckServiceBinding(SafeDeleteContext securityContext, string defaultServiceBinding) { if (_policyEnforcement == PolicyEnforcement.Never) { return; } string serviceBinding = null; int statusCode = SspiWrapper.QuerySpecifiedTarget(securityContext, out serviceBinding); if (statusCode != (int)SecurityStatus.OK) { // only two acceptable non-zero values // client OS not patched: stausCode == TargetUnknown // service OS not patched: statusCode == Unsupported if (statusCode != (int)SecurityStatus.TargetUnknown && statusCode != (int)SecurityStatus.Unsupported) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationNoServiceBinding))); } // if policyEnforcement is Always we needed to see a TargetName (SPN) if (_policyEnforcement == PolicyEnforcement.Always) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationNoServiceBinding))); } // in this case we accept because either the client or service is not patched. if (_policyEnforcement == PolicyEnforcement.WhenSupported) { return; } // guard against futures, force failure and fix as necessary throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationNoServiceBinding))); } switch (_policyEnforcement) { case PolicyEnforcement.WhenSupported: // serviceBinding == null => client is not patched if (serviceBinding == null) { return; } break; case PolicyEnforcement.Always: // serviceBinding == null => client is not patched // serviceBinding == "" => SB was not specified if (string.IsNullOrEmpty(serviceBinding)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty))); } break; } // iff no values were 'user' set, then check the defaultServiceBinding if (_serviceNameCollection == null || _serviceNameCollection.Count < 1) { if (defaultServiceBinding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty))); } if (string.Compare(defaultServiceBinding, serviceBinding, StringComparison.OrdinalIgnoreCase) == 0) { return; } if (string.IsNullOrEmpty(serviceBinding)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty))); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, serviceBinding))); } } if (_serviceNameCollection != null) { if (_serviceNameCollection.Contains(serviceBinding)) { return; } } if (string.IsNullOrEmpty(serviceBinding)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, string.Empty))); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched, serviceBinding))); } }
public void CheckServiceBinding(SafeDeleteContext securityContext, string defaultServiceBinding) { if (this._policyEnforcement != System.Security.Authentication.ExtendedProtection.PolicyEnforcement.Never) { string specifiedTarget = null; int num = SspiWrapper.QuerySpecifiedTarget(securityContext, out specifiedTarget); if (num == 0) { switch (this._policyEnforcement) { case System.Security.Authentication.ExtendedProtection.PolicyEnforcement.WhenSupported: if (specifiedTarget != null) { break; } return; case System.Security.Authentication.ExtendedProtection.PolicyEnforcement.Always: if (string.IsNullOrEmpty(specifiedTarget)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty }))); } break; } if ((this._serviceNameCollection == null) || (this._serviceNameCollection.Count < 1)) { if (defaultServiceBinding == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty }))); } if (string.Compare(defaultServiceBinding, specifiedTarget, StringComparison.OrdinalIgnoreCase) == 0) { return; } if (string.IsNullOrEmpty(specifiedTarget)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty }))); } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { specifiedTarget }))); } foreach (string str2 in this._serviceNameCollection) { if ((str2 != null) && (string.Compare(str2, specifiedTarget, StringComparison.OrdinalIgnoreCase) == 0)) { return; } } if (string.IsNullOrEmpty(specifiedTarget)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { string.Empty }))); } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationServiceBindingNotMatched", new object[] { specifiedTarget }))); } if ((num != -2146893053) && (num != -2146893054)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationNoServiceBinding"))); } if (this._policyEnforcement == System.Security.Authentication.ExtendedProtection.PolicyEnforcement.Always) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationNoServiceBinding"))); } if (this._policyEnforcement != System.Security.Authentication.ExtendedProtection.PolicyEnforcement.WhenSupported) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("InvalidServiceBindingInSspiNegotiationNoServiceBinding"))); } } }