ExtendedProtectionPolicy GetExtendedProtectionPolicy()
{
ExtendedProtectionPolicy extendedProtection = null;
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(IISConstants.CBTRegistryHKLMPath))
{
if (registryKey != null)
{
object tokenCheckingObj = registryKey.GetValue(IISConstants.TokenCheckingAttributeName);
object flagsObj = registryKey.GetValue(IISConstants.FlagsAttributeName);
object spnsObj = registryKey.GetValue(IISConstants.SpnAttributeName);
//using the default one if the registry value is missing
ExtendedProtectionTokenChecking tokenChecking = (tokenCheckingObj == null) ?
ExtendedProtectionTokenChecking.None : (ExtendedProtectionTokenChecking)tokenCheckingObj;
ExtendedProtectionFlags flags = flagsObj == null ?
ExtendedProtectionFlags.None : (ExtendedProtectionFlags)flagsObj;
List <string> spns = spnsObj == null ? null : new List <string>(spnsObj as string[]);
extendedProtection = BuildExtendedProtectionPolicy(tokenChecking, flags, spns);
}
else
{
// this IIS6 does not support CBT, log a warning to tracing
if (DiagnosticUtility.ShouldTraceWarning)
{
TraceUtility.TraceEvent(TraceEventType.Warning, TraceCode.WebHostNoCBTSupport,
SR.TraceCodeWebHostNoCBTSupport, this, (Exception)null);
}
}
}
return(extendedProtection);
}
private ExtendedProtectionPolicy GetExtendedProtectionPolicy()
{
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Services\W3SVC\Parameters\ExtendedProtection"))
{
if (key != null)
{
object obj2 = key.GetValue("tokenChecking");
object obj3 = key.GetValue("flags");
object obj4 = key.GetValue("spns");
ExtendedProtectionTokenChecking tokenChecking = (obj2 == null) ? ExtendedProtectionTokenChecking.None : ((ExtendedProtectionTokenChecking)obj2);
ExtendedProtectionFlags flags = (obj3 == null) ? ExtendedProtectionFlags.None : ((ExtendedProtectionFlags)obj3);
List <string> spnList = (obj4 == null) ? null : new List <string>(obj4 as string[]);
return(MetabaseSettings.BuildExtendedProtectionPolicy(tokenChecking, flags, spnList));
}
if (DiagnosticUtility.ShouldTraceWarning)
{
TraceUtility.TraceEvent(TraceEventType.Warning, 0x90008, System.ServiceModel.Activation.SR.TraceCodeWebHostNoCBTSupport, this, null);
}
}
return(null);
}
// build NCL ExtendedProtectionPolicy object
// From NCL comments:
// The NoServiceNameCheck flag can always be ignored because it has no meaning in the .NET Framework
// where validation against an SPN list is always required when the scenario does not require a CBT.
protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(
ExtendedProtectionTokenChecking tokenChecking,
ExtendedProtectionFlags flags,
List<string> spnList)
{
PolicyEnforcement enforce;
ProtectionScenario scenario;
ServiceNameCollection serviceNames = null;
if (tokenChecking == ExtendedProtectionTokenChecking.None)
{
return new ExtendedProtectionPolicy(PolicyEnforcement.Never);
}
else if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
{
enforce = PolicyEnforcement.WhenSupported;
}
else if (tokenChecking == ExtendedProtectionTokenChecking.Require)
{
enforce = PolicyEnforcement.Always;
}
else
{
throw FxTrace.Exception.Argument("tokenChecking", SR.Hosting_UnrecognizedTokenCheckingValue);
}
bool transportSelectedCondition1 = (flags == ExtendedProtectionFlags.None);
bool transportSelectedCondition2 = (flags == ExtendedProtectionFlags.AllowDotlessSpn);
bool transportSelectedCondition3 = ((flags & ExtendedProtectionFlags.Proxy) != 0) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != 0);
bool trustedProxyCondition = (flags & ExtendedProtectionFlags.Proxy) != 0;
//only none or allowdotlessspn flag has been selected or both proxy and proxycohosting flags have been selected
//set scenario to TransportSelected
if (transportSelectedCondition1 || transportSelectedCondition2 || transportSelectedCondition3)
{
scenario = ProtectionScenario.TransportSelected;
}
// proxy but no procycohosting flag has been selected, set scenario to TrustedProxy
else if (trustedProxyCondition)
{
scenario = ProtectionScenario.TrustedProxy;
}
// other nonsupported scenarios, throw NotSupportedException
else
{
throw FxTrace.Exception.Argument("flags", SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
}
// dotless spn check if dotlessspn is not allowed
// spn format <service class>/<host>:<port>/<service name> per http://msdn.microsoft.com/en-us/library/ms677601(VS.85).aspx
if (spnList != null)
{
if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == 0)
{
foreach (string spn in spnList)
{
string[] parts = spn.Split(AboPathDelimiter);
if (parts.Length > 1)
{
int position = parts[1].IndexOf(DotDelimiter, StringComparison.CurrentCultureIgnoreCase);
if (position == -1)
{
throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(spn));
}
else if (position == 0 || position == parts[1].Length - 1)
{
throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
}
}
else
{
throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
}
}
}
// ExtendedProtectionPolicy constructor rejects empty collection but accept null
// in order to avoid any ambiguilty
if (spnList.Count != 0)
{
serviceNames = new ServiceNameCollection(spnList);
}
}
return new ExtendedProtectionPolicy(enforce, scenario, serviceNames);
}
// build NCL ExtendedProtectionPolicy object
// From NCL comments:
// The NoServiceNameCheck flag can always be ignored because it has no meaning in the .NET Framework
// where validation against an SPN list is always required when the scenario does not require a CBT.
protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(
ExtendedProtectionTokenChecking tokenChecking,
ExtendedProtectionFlags flags,
List <string> spnList)
{
PolicyEnforcement enforce;
ProtectionScenario scenario;
ServiceNameCollection serviceNames = null;
if (tokenChecking == ExtendedProtectionTokenChecking.None)
{
return(new ExtendedProtectionPolicy(PolicyEnforcement.Never));
}
else if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
{
enforce = PolicyEnforcement.WhenSupported;
}
else if (tokenChecking == ExtendedProtectionTokenChecking.Require)
{
enforce = PolicyEnforcement.Always;
}
else
{
throw FxTrace.Exception.Argument("tokenChecking", SR.Hosting_UnrecognizedTokenCheckingValue);
}
bool transportSelectedCondition1 = (flags == ExtendedProtectionFlags.None);
bool transportSelectedCondition2 = (flags == ExtendedProtectionFlags.AllowDotlessSpn);
bool transportSelectedCondition3 = ((flags & ExtendedProtectionFlags.Proxy) != 0) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != 0);
bool trustedProxyCondition = (flags & ExtendedProtectionFlags.Proxy) != 0;
//only none or allowdotlessspn flag has been selected or both proxy and proxycohosting flags have been selected
//set scenario to TransportSelected
if (transportSelectedCondition1 || transportSelectedCondition2 || transportSelectedCondition3)
{
scenario = ProtectionScenario.TransportSelected;
}
// proxy but no procycohosting flag has been selected, set scenario to TrustedProxy
else if (trustedProxyCondition)
{
scenario = ProtectionScenario.TrustedProxy;
}
// other nonsupported scenarios, throw NotSupportedException
else
{
throw FxTrace.Exception.Argument("flags", SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
}
// dotless spn check if dotlessspn is not allowed
// spn format <service class>/<host>:<port>/<service name> per http://msdn.microsoft.com/en-us/library/ms677601(VS.85).aspx
if (spnList != null)
{
if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == 0)
{
foreach (string spn in spnList)
{
string[] parts = spn.Split(AboPathDelimiter);
if (parts.Length > 1)
{
int position = parts[1].IndexOf(DotDelimiter, StringComparison.CurrentCultureIgnoreCase);
if (position == -1)
{
throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(spn));
}
else if (position == 0 || position == parts[1].Length - 1)
{
throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
}
}
else
{
throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn));
}
}
}
// ExtendedProtectionPolicy constructor rejects empty collection but accept null
// in order to avoid any ambiguilty
if (spnList.Count != 0)
{
serviceNames = new ServiceNameCollection(spnList);
}
}
return(new ExtendedProtectionPolicy(enforce, scenario, serviceNames));
}
// translate IIS setting on extended protection to NCL object
static internal void ReadIisExtendedProtectionPolicy(ConfigurationElement element, out ExtendedProtectionTokenChecking tokenChecking,
out ExtendedProtectionFlags flags, out List<string> spnList)
{
tokenChecking = (ExtendedProtectionTokenChecking)element.GetAttributeValue(MetabaseSettingsIis7Constants.TokenCheckingAttributeName);
flags = (ExtendedProtectionFlags)element.GetAttributeValue(MetabaseSettingsIis7Constants.FlagsAttributeName);
spnList = new List<string>();
foreach (ConfigurationElement configElement in element.GetCollection())
{
spnList.Add((string)configElement[MetabaseSettingsIis7Constants.NameAttributeName]);
}
}
protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List <string> spnList)
{
PolicyEnforcement whenSupported;
ProtectionScenario transportSelected;
ServiceNameCollection customServiceNames = null;
if (tokenChecking == ExtendedProtectionTokenChecking.None)
{
return(new ExtendedProtectionPolicy(PolicyEnforcement.Never));
}
if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
{
whenSupported = PolicyEnforcement.WhenSupported;
}
else
{
if (tokenChecking != ExtendedProtectionTokenChecking.Require)
{
throw FxTrace.Exception.Argument("tokenChecking", System.ServiceModel.Activation.SR.Hosting_UnrecognizedTokenCheckingValue);
}
whenSupported = PolicyEnforcement.Always;
}
bool flag = flags == ExtendedProtectionFlags.None;
bool flag2 = flags == ExtendedProtectionFlags.AllowDotlessSpn;
bool flag3 = ((flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != ExtendedProtectionFlags.None);
bool flag4 = (flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None;
if ((flag || flag2) || flag3)
{
transportSelected = ProtectionScenario.TransportSelected;
}
else
{
if (!flag4)
{
throw FxTrace.Exception.Argument("flags", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
}
transportSelected = ProtectionScenario.TrustedProxy;
}
if (spnList != null)
{
if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == ExtendedProtectionFlags.None)
{
foreach (string str in spnList)
{
string[] strArray = str.Split(new char[] { '/' });
if (strArray.Length <= 1)
{
throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
}
int index = strArray[1].IndexOf(".", StringComparison.CurrentCultureIgnoreCase);
if (index == -1)
{
throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(str));
}
if ((index == 0) || (index == (strArray[1].Length - 1)))
{
throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
}
}
}
if (spnList.Count != 0)
{
customServiceNames = new ServiceNameCollection(spnList);
}
}
return(new ExtendedProtectionPolicy(whenSupported, transportSelected, customServiceNames));
}
// translate IIS setting on extended protection to NCL object
static internal void ReadIisExtendedProtectionPolicy(ConfigurationElement element, out ExtendedProtectionTokenChecking tokenChecking,
out ExtendedProtectionFlags flags, out List <string> spnList)
{
tokenChecking = (ExtendedProtectionTokenChecking)element.GetAttributeValue(MetabaseSettingsIis7Constants.TokenCheckingAttributeName);
flags = (ExtendedProtectionFlags)element.GetAttributeValue(MetabaseSettingsIis7Constants.FlagsAttributeName);
spnList = new List <string>();
foreach (ConfigurationElement configElement in element.GetCollection())
{
spnList.Add((string)configElement[MetabaseSettingsIis7Constants.NameAttributeName]);
}
}
protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List<string> spnList)
{
PolicyEnforcement whenSupported;
ProtectionScenario transportSelected;
ServiceNameCollection customServiceNames = null;
if (tokenChecking == ExtendedProtectionTokenChecking.None)
{
return new ExtendedProtectionPolicy(PolicyEnforcement.Never);
}
if (tokenChecking == ExtendedProtectionTokenChecking.Allow)
{
whenSupported = PolicyEnforcement.WhenSupported;
}
else
{
if (tokenChecking != ExtendedProtectionTokenChecking.Require)
{
throw FxTrace.Exception.Argument("tokenChecking", System.ServiceModel.Activation.SR.Hosting_UnrecognizedTokenCheckingValue);
}
whenSupported = PolicyEnforcement.Always;
}
bool flag = flags == ExtendedProtectionFlags.None;
bool flag2 = flags == ExtendedProtectionFlags.AllowDotlessSpn;
bool flag3 = ((flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != ExtendedProtectionFlags.None);
bool flag4 = (flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None;
if ((flag || flag2) || flag3)
{
transportSelected = ProtectionScenario.TransportSelected;
}
else
{
if (!flag4)
{
throw FxTrace.Exception.Argument("flags", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionFlagsNotSupport(flags));
}
transportSelected = ProtectionScenario.TrustedProxy;
}
if (spnList != null)
{
if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == ExtendedProtectionFlags.None)
{
foreach (string str in spnList)
{
string[] strArray = str.Split(new char[] { '/' });
if (strArray.Length <= 1)
{
throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
}
int index = strArray[1].IndexOf(".", StringComparison.CurrentCultureIgnoreCase);
if (index == -1)
{
throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(str));
}
if ((index == 0) || (index == (strArray[1].Length - 1)))
{
throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str));
}
}
}
if (spnList.Count != 0)
{
customServiceNames = new ServiceNameCollection(spnList);
}
}
return new ExtendedProtectionPolicy(whenSupported, transportSelected, customServiceNames);
}
