ExtendedProtectionPolicy GetExtendedProtectionPolicy() { ExtendedProtectionPolicy extendedProtection = null; using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(IISConstants.CBTRegistryHKLMPath)) { if (registryKey != null) { object tokenCheckingObj = registryKey.GetValue(IISConstants.TokenCheckingAttributeName); object flagsObj = registryKey.GetValue(IISConstants.FlagsAttributeName); object spnsObj = registryKey.GetValue(IISConstants.SpnAttributeName); //using the default one if the registry value is missing ExtendedProtectionTokenChecking tokenChecking = (tokenCheckingObj == null) ? ExtendedProtectionTokenChecking.None : (ExtendedProtectionTokenChecking)tokenCheckingObj; ExtendedProtectionFlags flags = flagsObj == null ? ExtendedProtectionFlags.None : (ExtendedProtectionFlags)flagsObj; List <string> spns = spnsObj == null ? null : new List <string>(spnsObj as string[]); extendedProtection = BuildExtendedProtectionPolicy(tokenChecking, flags, spns); } else { // this IIS6 does not support CBT, log a warning to tracing if (DiagnosticUtility.ShouldTraceWarning) { TraceUtility.TraceEvent(TraceEventType.Warning, TraceCode.WebHostNoCBTSupport, SR.TraceCodeWebHostNoCBTSupport, this, (Exception)null); } } } return(extendedProtection); }
private ExtendedProtectionPolicy GetExtendedProtectionPolicy() { using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Services\W3SVC\Parameters\ExtendedProtection")) { if (key != null) { object obj2 = key.GetValue("tokenChecking"); object obj3 = key.GetValue("flags"); object obj4 = key.GetValue("spns"); ExtendedProtectionTokenChecking tokenChecking = (obj2 == null) ? ExtendedProtectionTokenChecking.None : ((ExtendedProtectionTokenChecking)obj2); ExtendedProtectionFlags flags = (obj3 == null) ? ExtendedProtectionFlags.None : ((ExtendedProtectionFlags)obj3); List <string> spnList = (obj4 == null) ? null : new List <string>(obj4 as string[]); return(MetabaseSettings.BuildExtendedProtectionPolicy(tokenChecking, flags, spnList)); } if (DiagnosticUtility.ShouldTraceWarning) { TraceUtility.TraceEvent(TraceEventType.Warning, 0x90008, System.ServiceModel.Activation.SR.TraceCodeWebHostNoCBTSupport, this, null); } } return(null); }
// build NCL ExtendedProtectionPolicy object // From NCL comments: // The NoServiceNameCheck flag can always be ignored because it has no meaning in the .NET Framework // where validation against an SPN list is always required when the scenario does not require a CBT. protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy( ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List<string> spnList) { PolicyEnforcement enforce; ProtectionScenario scenario; ServiceNameCollection serviceNames = null; if (tokenChecking == ExtendedProtectionTokenChecking.None) { return new ExtendedProtectionPolicy(PolicyEnforcement.Never); } else if (tokenChecking == ExtendedProtectionTokenChecking.Allow) { enforce = PolicyEnforcement.WhenSupported; } else if (tokenChecking == ExtendedProtectionTokenChecking.Require) { enforce = PolicyEnforcement.Always; } else { throw FxTrace.Exception.Argument("tokenChecking", SR.Hosting_UnrecognizedTokenCheckingValue); } bool transportSelectedCondition1 = (flags == ExtendedProtectionFlags.None); bool transportSelectedCondition2 = (flags == ExtendedProtectionFlags.AllowDotlessSpn); bool transportSelectedCondition3 = ((flags & ExtendedProtectionFlags.Proxy) != 0) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != 0); bool trustedProxyCondition = (flags & ExtendedProtectionFlags.Proxy) != 0; //only none or allowdotlessspn flag has been selected or both proxy and proxycohosting flags have been selected //set scenario to TransportSelected if (transportSelectedCondition1 || transportSelectedCondition2 || transportSelectedCondition3) { scenario = ProtectionScenario.TransportSelected; } // proxy but no procycohosting flag has been selected, set scenario to TrustedProxy else if (trustedProxyCondition) { scenario = ProtectionScenario.TrustedProxy; } // other nonsupported scenarios, throw NotSupportedException else { throw FxTrace.Exception.Argument("flags", SR.Hosting_ExtendedProtectionFlagsNotSupport(flags)); } // dotless spn check if dotlessspn is not allowed // spn format <service class>/<host>:<port>/<service name> per http://msdn.microsoft.com/en-us/library/ms677601(VS.85).aspx if (spnList != null) { if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == 0) { foreach (string spn in spnList) { string[] parts = spn.Split(AboPathDelimiter); if (parts.Length > 1) { int position = parts[1].IndexOf(DotDelimiter, StringComparison.CurrentCultureIgnoreCase); if (position == -1) { throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(spn)); } else if (position == 0 || position == parts[1].Length - 1) { throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn)); } } else { throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn)); } } } // ExtendedProtectionPolicy constructor rejects empty collection but accept null // in order to avoid any ambiguilty if (spnList.Count != 0) { serviceNames = new ServiceNameCollection(spnList); } } return new ExtendedProtectionPolicy(enforce, scenario, serviceNames); }
// build NCL ExtendedProtectionPolicy object // From NCL comments: // The NoServiceNameCheck flag can always be ignored because it has no meaning in the .NET Framework // where validation against an SPN list is always required when the scenario does not require a CBT. protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy( ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List <string> spnList) { PolicyEnforcement enforce; ProtectionScenario scenario; ServiceNameCollection serviceNames = null; if (tokenChecking == ExtendedProtectionTokenChecking.None) { return(new ExtendedProtectionPolicy(PolicyEnforcement.Never)); } else if (tokenChecking == ExtendedProtectionTokenChecking.Allow) { enforce = PolicyEnforcement.WhenSupported; } else if (tokenChecking == ExtendedProtectionTokenChecking.Require) { enforce = PolicyEnforcement.Always; } else { throw FxTrace.Exception.Argument("tokenChecking", SR.Hosting_UnrecognizedTokenCheckingValue); } bool transportSelectedCondition1 = (flags == ExtendedProtectionFlags.None); bool transportSelectedCondition2 = (flags == ExtendedProtectionFlags.AllowDotlessSpn); bool transportSelectedCondition3 = ((flags & ExtendedProtectionFlags.Proxy) != 0) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != 0); bool trustedProxyCondition = (flags & ExtendedProtectionFlags.Proxy) != 0; //only none or allowdotlessspn flag has been selected or both proxy and proxycohosting flags have been selected //set scenario to TransportSelected if (transportSelectedCondition1 || transportSelectedCondition2 || transportSelectedCondition3) { scenario = ProtectionScenario.TransportSelected; } // proxy but no procycohosting flag has been selected, set scenario to TrustedProxy else if (trustedProxyCondition) { scenario = ProtectionScenario.TrustedProxy; } // other nonsupported scenarios, throw NotSupportedException else { throw FxTrace.Exception.Argument("flags", SR.Hosting_ExtendedProtectionFlagsNotSupport(flags)); } // dotless spn check if dotlessspn is not allowed // spn format <service class>/<host>:<port>/<service name> per http://msdn.microsoft.com/en-us/library/ms677601(VS.85).aspx if (spnList != null) { if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == 0) { foreach (string spn in spnList) { string[] parts = spn.Split(AboPathDelimiter); if (parts.Length > 1) { int position = parts[1].IndexOf(DotDelimiter, StringComparison.CurrentCultureIgnoreCase); if (position == -1) { throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(spn)); } else if (position == 0 || position == parts[1].Length - 1) { throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn)); } } else { throw FxTrace.Exception.Argument("spn", SR.Hosting_ExtendedProtectionSpnFormatError(spn)); } } } // ExtendedProtectionPolicy constructor rejects empty collection but accept null // in order to avoid any ambiguilty if (spnList.Count != 0) { serviceNames = new ServiceNameCollection(spnList); } } return(new ExtendedProtectionPolicy(enforce, scenario, serviceNames)); }
// translate IIS setting on extended protection to NCL object static internal void ReadIisExtendedProtectionPolicy(ConfigurationElement element, out ExtendedProtectionTokenChecking tokenChecking, out ExtendedProtectionFlags flags, out List<string> spnList) { tokenChecking = (ExtendedProtectionTokenChecking)element.GetAttributeValue(MetabaseSettingsIis7Constants.TokenCheckingAttributeName); flags = (ExtendedProtectionFlags)element.GetAttributeValue(MetabaseSettingsIis7Constants.FlagsAttributeName); spnList = new List<string>(); foreach (ConfigurationElement configElement in element.GetCollection()) { spnList.Add((string)configElement[MetabaseSettingsIis7Constants.NameAttributeName]); } }
protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List <string> spnList) { PolicyEnforcement whenSupported; ProtectionScenario transportSelected; ServiceNameCollection customServiceNames = null; if (tokenChecking == ExtendedProtectionTokenChecking.None) { return(new ExtendedProtectionPolicy(PolicyEnforcement.Never)); } if (tokenChecking == ExtendedProtectionTokenChecking.Allow) { whenSupported = PolicyEnforcement.WhenSupported; } else { if (tokenChecking != ExtendedProtectionTokenChecking.Require) { throw FxTrace.Exception.Argument("tokenChecking", System.ServiceModel.Activation.SR.Hosting_UnrecognizedTokenCheckingValue); } whenSupported = PolicyEnforcement.Always; } bool flag = flags == ExtendedProtectionFlags.None; bool flag2 = flags == ExtendedProtectionFlags.AllowDotlessSpn; bool flag3 = ((flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != ExtendedProtectionFlags.None); bool flag4 = (flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None; if ((flag || flag2) || flag3) { transportSelected = ProtectionScenario.TransportSelected; } else { if (!flag4) { throw FxTrace.Exception.Argument("flags", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionFlagsNotSupport(flags)); } transportSelected = ProtectionScenario.TrustedProxy; } if (spnList != null) { if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == ExtendedProtectionFlags.None) { foreach (string str in spnList) { string[] strArray = str.Split(new char[] { '/' }); if (strArray.Length <= 1) { throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str)); } int index = strArray[1].IndexOf(".", StringComparison.CurrentCultureIgnoreCase); if (index == -1) { throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(str)); } if ((index == 0) || (index == (strArray[1].Length - 1))) { throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str)); } } } if (spnList.Count != 0) { customServiceNames = new ServiceNameCollection(spnList); } } return(new ExtendedProtectionPolicy(whenSupported, transportSelected, customServiceNames)); }
// translate IIS setting on extended protection to NCL object static internal void ReadIisExtendedProtectionPolicy(ConfigurationElement element, out ExtendedProtectionTokenChecking tokenChecking, out ExtendedProtectionFlags flags, out List <string> spnList) { tokenChecking = (ExtendedProtectionTokenChecking)element.GetAttributeValue(MetabaseSettingsIis7Constants.TokenCheckingAttributeName); flags = (ExtendedProtectionFlags)element.GetAttributeValue(MetabaseSettingsIis7Constants.FlagsAttributeName); spnList = new List <string>(); foreach (ConfigurationElement configElement in element.GetCollection()) { spnList.Add((string)configElement[MetabaseSettingsIis7Constants.NameAttributeName]); } }
protected static ExtendedProtectionPolicy BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List<string> spnList) { PolicyEnforcement whenSupported; ProtectionScenario transportSelected; ServiceNameCollection customServiceNames = null; if (tokenChecking == ExtendedProtectionTokenChecking.None) { return new ExtendedProtectionPolicy(PolicyEnforcement.Never); } if (tokenChecking == ExtendedProtectionTokenChecking.Allow) { whenSupported = PolicyEnforcement.WhenSupported; } else { if (tokenChecking != ExtendedProtectionTokenChecking.Require) { throw FxTrace.Exception.Argument("tokenChecking", System.ServiceModel.Activation.SR.Hosting_UnrecognizedTokenCheckingValue); } whenSupported = PolicyEnforcement.Always; } bool flag = flags == ExtendedProtectionFlags.None; bool flag2 = flags == ExtendedProtectionFlags.AllowDotlessSpn; bool flag3 = ((flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None) && ((flags & ExtendedProtectionFlags.ProxyCohosting) != ExtendedProtectionFlags.None); bool flag4 = (flags & ExtendedProtectionFlags.Proxy) != ExtendedProtectionFlags.None; if ((flag || flag2) || flag3) { transportSelected = ProtectionScenario.TransportSelected; } else { if (!flag4) { throw FxTrace.Exception.Argument("flags", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionFlagsNotSupport(flags)); } transportSelected = ProtectionScenario.TrustedProxy; } if (spnList != null) { if ((flags & ExtendedProtectionFlags.AllowDotlessSpn) == ExtendedProtectionFlags.None) { foreach (string str in spnList) { string[] strArray = str.Split(new char[] { '/' }); if (strArray.Length <= 1) { throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str)); } int index = strArray[1].IndexOf(".", StringComparison.CurrentCultureIgnoreCase); if (index == -1) { throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionDotlessSpnNotEnabled(str)); } if ((index == 0) || (index == (strArray[1].Length - 1))) { throw FxTrace.Exception.Argument("spn", System.ServiceModel.Activation.SR.Hosting_ExtendedProtectionSpnFormatError(str)); } } } if (spnList.Count != 0) { customServiceNames = new ServiceNameCollection(spnList); } } return new ExtendedProtectionPolicy(whenSupported, transportSelected, customServiceNames); }