//---------------------------------------------------------- // Copyright (c) Microsoft Corporation. All rights reserved. //------------------------------------------------------------ namespace System.ServiceModel { using System; using System.DirectoryServices; using System.IdentityModel.Claims; using System.Runtime; using System.Runtime.InteropServices; using System.Security.Principal; using System.ServiceModel.Diagnostics; using System.ServiceModel.Security; using System.Xml; public class SpnEndpointIdentity : EndpointIdentity { static TimeSpan spnLookupTime = TimeSpan.FromMinutes(1); SecurityIdentifier spnSid; // Double-checked locking pattern requires volatile for read/write synchronization volatile bool hasSpnSidBeenComputed; Object thisLock = new Object(); static Object typeLock = new Object(); // Double-checked locking pattern requires volatile for read/write synchronization static volatile DirectoryEntry directoryEntry; public static TimeSpan SpnLookupTime { get { return spnLookupTime; } set { if (value.Ticks < 0) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", value.Ticks, SR.GetString(SR.ValueMustBeNonNegative))); } spnLookupTime = value; } } public SpnEndpointIdentity(string spnName) { if (spnName == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("spnName"); base.Initialize(Claim.CreateSpnClaim(spnName)); } public SpnEndpointIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); // PreSharp Bug: Parameter 'identity.ResourceType' to this public method must be validated: A null-dereference can occur here. #pragma warning suppress 56506 // Claim.ClaimType will never return null if (!identity.ClaimType.Equals(ClaimTypes.Spn)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.UnrecognizedClaimTypeForIdentity, identity.ClaimType, ClaimTypes.Spn)); base.Initialize(identity); } internal override void WriteContentsTo(XmlDictionaryWriter writer) { if (writer == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer"); writer.WriteElementString(XD.AddressingDictionary.Spn, XD.AddressingDictionary.IdentityExtensionNamespace, (string)this.IdentityClaim.Resource); } internal SecurityIdentifier GetSpnSid() { Fx.Assert(ClaimTypes.Spn.Equals(this.IdentityClaim.ClaimType) || ClaimTypes.Dns.Equals(this.IdentityClaim.ClaimType), ""); if (!hasSpnSidBeenComputed) { lock (thisLock) { if (!hasSpnSidBeenComputed) { string spn = null; try { if (ClaimTypes.Dns.Equals(this.IdentityClaim.ClaimType)) { spn = "host/" + (string)this.IdentityClaim.Resource; } else { spn = (string)this.IdentityClaim.Resource; } // canonicalize SPN for use in LDAP filter following RFC 1960: if (spn != null) { spn = spn.Replace("*", @"\*").Replace("(", @"\(").Replace(")", @"\)"); } DirectoryEntry de = GetDirectoryEntry(); using (DirectorySearcher searcher = new DirectorySearcher(de)) { searcher.CacheResults = true; searcher.ClientTimeout = SpnLookupTime; searcher.Filter = "(&(objectCategory=Computer)(objectClass=computer)(servicePrincipalName=" + spn + "))"; searcher.PropertiesToLoad.Add("objectSid"); SearchResult result = searcher.FindOne(); if (result != null) { byte[] sidBinaryForm = (byte[])result.Properties["objectSid"][0]; this.spnSid = new SecurityIdentifier(sidBinaryForm, 0); } else { SecurityTraceRecordHelper.TraceSpnToSidMappingFailure(spn, null); } } } #pragma warning suppress 56500 // covered by FxCOP catch (Exception e) { // Always immediately rethrow fatal exceptions. if (Fx.IsFatal(e)) throw; if (e is NullReferenceException || e is SEHException) throw; SecurityTraceRecordHelper.TraceSpnToSidMappingFailure(spn, e); } finally { hasSpnSidBeenComputed = true; } } } } return this.spnSid; } static DirectoryEntry GetDirectoryEntry() { if (directoryEntry == null) { lock (typeLock) { if (directoryEntry == null) { DirectoryEntry tmp = new DirectoryEntry(@"LDAP://" + SecurityUtils.GetPrimaryDomain()); tmp.RefreshCache(new string[] { "name" }); directoryEntry = tmp; } } } return directoryEntry; } } }