You've already forked linux-packaging-mono
Imported Upstream version 4.0.0~alpha1
Former-commit-id: 806294f5ded97629b74c85c09952f2a74fe182d9
This commit is contained in:
Jo Shields
164
external/referencesource/System.ServiceModel/System/ServiceModel/SpnEndpointIdentity.cs
vendored
Normal file
164
external/referencesource/System.ServiceModel/System/ServiceModel/SpnEndpointIdentity.cs
vendored
Normal file
@ -0,0 +1,164 @@
|
||||
//----------------------------------------------------------
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
//------------------------------------------------------------
|
||||
|
||||
namespace System.ServiceModel
|
||||
{
|
||||
using System;
|
||||
using System.DirectoryServices;
|
||||
using System.IdentityModel.Claims;
|
||||
using System.Runtime;
|
||||
using System.Runtime.InteropServices;
|
||||
using System.Security.Principal;
|
||||
using System.ServiceModel.Diagnostics;
|
||||
using System.ServiceModel.Security;
|
||||
using System.Xml;
|
||||
|
||||
public class SpnEndpointIdentity : EndpointIdentity
|
||||
{
|
||||
static TimeSpan spnLookupTime = TimeSpan.FromMinutes(1);
|
||||
|
||||
SecurityIdentifier spnSid;
|
||||
|
||||
// Double-checked locking pattern requires volatile for read/write synchronization
|
||||
volatile bool hasSpnSidBeenComputed;
|
||||
|
||||
Object thisLock = new Object();
|
||||
|
||||
static Object typeLock = new Object();
|
||||
|
||||
// Double-checked locking pattern requires volatile for read/write synchronization
|
||||
static volatile DirectoryEntry directoryEntry;
|
||||
|
||||
public static TimeSpan SpnLookupTime
|
||||
{
|
||||
get
|
||||
{
|
||||
return spnLookupTime;
|
||||
}
|
||||
set
|
||||
{
|
||||
if (value.Ticks < 0)
|
||||
{
|
||||
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", value.Ticks,
|
||||
SR.GetString(SR.ValueMustBeNonNegative)));
|
||||
}
|
||||
spnLookupTime = value;
|
||||
}
|
||||
}
|
||||
|
||||
public SpnEndpointIdentity(string spnName)
|
||||
{
|
||||
if (spnName == null)
|
||||
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("spnName");
|
||||
|
||||
base.Initialize(Claim.CreateSpnClaim(spnName));
|
||||
}
|
||||
|
||||
public SpnEndpointIdentity(Claim identity)
|
||||
{
|
||||
if (identity == null)
|
||||
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
|
||||
|
||||
// PreSharp Bug: Parameter 'identity.ResourceType' to this public method must be validated: A null-dereference can occur here.
|
||||
#pragma warning suppress 56506 // Claim.ClaimType will never return null
|
||||
if (!identity.ClaimType.Equals(ClaimTypes.Spn))
|
||||
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.UnrecognizedClaimTypeForIdentity, identity.ClaimType, ClaimTypes.Spn));
|
||||
|
||||
base.Initialize(identity);
|
||||
}
|
||||
|
||||
internal override void WriteContentsTo(XmlDictionaryWriter writer)
|
||||
{
|
||||
if (writer == null)
|
||||
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
|
||||
|
||||
writer.WriteElementString(XD.AddressingDictionary.Spn, XD.AddressingDictionary.IdentityExtensionNamespace, (string)this.IdentityClaim.Resource);
|
||||
}
|
||||
|
||||
internal SecurityIdentifier GetSpnSid()
|
||||
{
|
||||
Fx.Assert(ClaimTypes.Spn.Equals(this.IdentityClaim.ClaimType) || ClaimTypes.Dns.Equals(this.IdentityClaim.ClaimType), "");
|
||||
if (!hasSpnSidBeenComputed)
|
||||
{
|
||||
lock (thisLock)
|
||||
{
|
||||
if (!hasSpnSidBeenComputed)
|
||||
{
|
||||
string spn = null;
|
||||
try
|
||||
{
|
||||
|
||||
if (ClaimTypes.Dns.Equals(this.IdentityClaim.ClaimType))
|
||||
{
|
||||
spn = "host/" + (string)this.IdentityClaim.Resource;
|
||||
}
|
||||
else
|
||||
{
|
||||
spn = (string)this.IdentityClaim.Resource;
|
||||
}
|
||||
// canonicalize SPN for use in LDAP filter following RFC 1960:
|
||||
if (spn != null)
|
||||
{
|
||||
spn = spn.Replace("*", @"\*").Replace("(", @"\(").Replace(")", @"\)");
|
||||
}
|
||||
|
||||
DirectoryEntry de = GetDirectoryEntry();
|
||||
using (DirectorySearcher searcher = new DirectorySearcher(de))
|
||||
{
|
||||
searcher.CacheResults = true;
|
||||
searcher.ClientTimeout = SpnLookupTime;
|
||||
searcher.Filter = "(&(objectCategory=Computer)(objectClass=computer)(servicePrincipalName=" + spn + "))";
|
||||
searcher.PropertiesToLoad.Add("objectSid");
|
||||
SearchResult result = searcher.FindOne();
|
||||
if (result != null)
|
||||
{
|
||||
byte[] sidBinaryForm = (byte[])result.Properties["objectSid"][0];
|
||||
this.spnSid = new SecurityIdentifier(sidBinaryForm, 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
SecurityTraceRecordHelper.TraceSpnToSidMappingFailure(spn, null);
|
||||
}
|
||||
}
|
||||
}
|
||||
#pragma warning suppress 56500 // covered by FxCOP
|
||||
catch (Exception e)
|
||||
{
|
||||
// Always immediately rethrow fatal exceptions.
|
||||
if (Fx.IsFatal(e)) throw;
|
||||
|
||||
if (e is NullReferenceException || e is SEHException)
|
||||
throw;
|
||||
|
||||
SecurityTraceRecordHelper.TraceSpnToSidMappingFailure(spn, e);
|
||||
}
|
||||
finally
|
||||
{
|
||||
hasSpnSidBeenComputed = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return this.spnSid;
|
||||
}
|
||||
|
||||
static DirectoryEntry GetDirectoryEntry()
|
||||
{
|
||||
if (directoryEntry == null)
|
||||
{
|
||||
lock (typeLock)
|
||||
{
|
||||
if (directoryEntry == null)
|
||||
{
|
||||
DirectoryEntry tmp = new DirectoryEntry(@"LDAP://" + SecurityUtils.GetPrimaryDomain());
|
||||
tmp.RefreshCache(new string[] { "name" });
|
||||
directoryEntry = tmp;
|
||||
}
|
||||
}
|
||||
}
|
||||
return directoryEntry;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user