File: System\ServiceModel\SpnEndpointIdentity.cs
Project: ndp\cdf\src\WCF\ServiceModel\System.ServiceModel.csproj (System.ServiceModel)
//----------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//------------------------------------------------------------
 
namespace System.ServiceModel
{
    using System;
    using System.DirectoryServices;
    using System.IdentityModel.Claims;
    using System.Runtime;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.ServiceModel.Diagnostics;
    using System.ServiceModel.Security;
    using System.Xml;
 
    public class SpnEndpointIdentity : EndpointIdentity
    {
        static TimeSpan spnLookupTime = TimeSpan.FromMinutes(1);
 
        SecurityIdentifier spnSid;
 
        // Double-checked locking pattern requires volatile for read/write synchronization
        volatile bool hasSpnSidBeenComputed;
 
        Object thisLock = new Object();
 
        static Object typeLock = new Object();
 
        // Double-checked locking pattern requires volatile for read/write synchronization
        static volatile DirectoryEntry directoryEntry;
 
        public static TimeSpan SpnLookupTime
        {
            get
            {
                return spnLookupTime;
            }
            set
            {
                if (value.Ticks < 0)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value", value.Ticks,
                                                    SR.GetString(SR.ValueMustBeNonNegative)));
                }
                spnLookupTime = value;
            }
        }
 
        public SpnEndpointIdentity(string spnName)
        {
            if (spnName == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("spnName");
 
            base.Initialize(Claim.CreateSpnClaim(spnName));
        }
 
        public SpnEndpointIdentity(Claim identity)
        {
            if (identity == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
 
            // PreSharp Bug: Parameter 'identity.ResourceType' to this public method must be validated: A null-dereference can occur here.
#pragma warning suppress 56506 // Claim.ClaimType will never return null
            if (!identity.ClaimType.Equals(ClaimTypes.Spn))
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.UnrecognizedClaimTypeForIdentity, identity.ClaimType, ClaimTypes.Spn));
 
            base.Initialize(identity);
        }
 
        internal override void WriteContentsTo(XmlDictionaryWriter writer)
        {
            if (writer == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
 
            writer.WriteElementString(XD.AddressingDictionary.Spn, XD.AddressingDictionary.IdentityExtensionNamespace, (string)this.IdentityClaim.Resource);
        }
 
        internal SecurityIdentifier GetSpnSid()
        {
            Fx.Assert(ClaimTypes.Spn.Equals(this.IdentityClaim.ClaimType) || ClaimTypes.Dns.Equals(this.IdentityClaim.ClaimType), "");
            if (!hasSpnSidBeenComputed)
            {
                lock (thisLock)
                {
                    if (!hasSpnSidBeenComputed)
                    {
                        string spn = null;
                        try
                        {
 
                            if (ClaimTypes.Dns.Equals(this.IdentityClaim.ClaimType))
                            {
                                spn = "host/" + (string)this.IdentityClaim.Resource;
                            }
                            else
                            {
                                spn = (string)this.IdentityClaim.Resource;
                            }
                            // canonicalize SPN for use in LDAP filter following RFC 1960:
                            if (spn != null)
                            {
                                spn = spn.Replace("*", @"\*").Replace("(", @"\(").Replace(")", @"\)");
                            }
 
                            DirectoryEntry de = GetDirectoryEntry();
                            using (DirectorySearcher searcher = new DirectorySearcher(de))
                            {
                                searcher.CacheResults = true;
                                searcher.ClientTimeout = SpnLookupTime;
                                searcher.Filter = "(&(objectCategory=Computer)(objectClass=computer)(servicePrincipalName=" + spn + "))";
                                searcher.PropertiesToLoad.Add("objectSid");
                                SearchResult result = searcher.FindOne();
                                if (result != null)
                                {
                                    byte[] sidBinaryForm = (byte[])result.Properties["objectSid"][0];
                                    this.spnSid = new SecurityIdentifier(sidBinaryForm, 0);
                                }
                                else
                                {
                                    SecurityTraceRecordHelper.TraceSpnToSidMappingFailure(spn, null);
                                }
                            }
                        }
#pragma warning suppress 56500 // covered by FxCOP
                        catch (Exception e)
                        {
                            // Always immediately rethrow fatal exceptions.
                            if (Fx.IsFatal(e)) throw;
 
                            if (e is NullReferenceException || e is SEHException)
                                throw;
 
                            SecurityTraceRecordHelper.TraceSpnToSidMappingFailure(spn, e);
                        }
                        finally
                        {
                            hasSpnSidBeenComputed = true;
                        }
                    }
                }
            }
            return this.spnSid;
        }
 
        static DirectoryEntry GetDirectoryEntry()
        {
            if (directoryEntry == null)
            {
                lock (typeLock)
                {
                    if (directoryEntry == null)
                    {
                        DirectoryEntry tmp = new DirectoryEntry(@"LDAP://" + SecurityUtils.GetPrimaryDomain());
                        tmp.RefreshCache(new string[] { "name" });
                        directoryEntry = tmp;
                    }
                }
            }
            return directoryEntry;
        }
    }
 
}