|
//------------------------------------------------------------------------------
// <copyright file="IdentitySection.cs" company="Microsoft">
// Copyright (c) Microsoft Corporation. All rights reserved.
// </copyright>
//------------------------------------------------------------------------------
namespace System.Web.Configuration {
using System;
using System.Xml;
using System.Configuration;
using System.Collections.Specialized;
using System.Collections;
using System.IO;
using System.Text;
using System.Web.Util;
using System.Web.Configuration;
using System.Security.Permissions;
/* <!--
identity Attributes:
impersonate="[true|false]" - Impersonate Windows User
userName="Windows user account to impersonate" | empty string implies impersonate the LOGON user specified by IIS
password="password of above specified account" | empty string
-->
<identity impersonate="false" />
*/
public sealed class IdentitySection : ConfigurationSection {
private static ConfigurationPropertyCollection _properties;
private static readonly ConfigurationProperty _propImpersonate =
new ConfigurationProperty("impersonate", typeof(bool), false, ConfigurationPropertyOptions.None);
private static readonly ConfigurationProperty _propUserName =
new ConfigurationProperty("userName", typeof(string), String.Empty, ConfigurationPropertyOptions.None);
private static readonly ConfigurationProperty _propPassword =
new ConfigurationProperty("password", typeof(string), String.Empty, ConfigurationPropertyOptions.None);
private ImpersonateTokenRef _impersonateTokenRef = new ImpersonateTokenRef(IntPtr.Zero);
private string _username;
private string _password;
private bool impersonateCache = false;
private bool impersonateCached = false; // value not read yet
private bool _credentialsValidated;
private object _credentialsValidatedLock = new object();
private String error = String.Empty;
static IdentitySection() {
// Property initialization
_properties = new ConfigurationPropertyCollection();
_properties.Add(_propImpersonate);
_properties.Add(_propUserName);
_properties.Add(_propPassword);
}
protected override object GetRuntimeObject() {
// VSWhidbey 554776: The method ValidateCredentials() is not safe
// when multiple threads are accessing it, because the method access
// and modify member variables. After reviewing the code,
// _impersonateTokenRef.Handle is actually cached, so it is safe to
// cache the validation result as a whole. That will avoid
// ValidateCredentials() to be called with multiple threads.
if (!_credentialsValidated) {
lock (_credentialsValidatedLock) {
if (!_credentialsValidated) {
ValidateCredentials();
_credentialsValidated = true;
}
}
}
return base.GetRuntimeObject();
}
public IdentitySection() {
impersonateCached = false;
}
protected override ConfigurationPropertyCollection Properties {
get {
return _properties;
}
}
[ConfigurationProperty("impersonate", DefaultValue = false)]
public bool Impersonate {
get {
if (impersonateCached == false) {
impersonateCache = (bool)base[_propImpersonate];
impersonateCached = true; // value has been read now
}
return impersonateCache;
}
set {
base[_propImpersonate] = value;
impersonateCache = value;
}
}
[ConfigurationProperty("userName", DefaultValue = "")]
public string UserName {
get {
return (string)base[_propUserName];
}
set {
base[_propUserName] = value;
}
}
[ConfigurationProperty("password", DefaultValue = "")]
public string Password {
get {
return (string)base[_propPassword];
}
set {
base[_propPassword] = value;
}
}
protected override void Reset(ConfigurationElement parentElement) {
base.Reset(parentElement);
IdentitySection parent = parentElement as IdentitySection;
if (parent != null) {
_impersonateTokenRef = parent._impersonateTokenRef;
// No partial overrides
if (Impersonate) {
UserName = null;
Password = null;
_impersonateTokenRef = new ImpersonateTokenRef(IntPtr.Zero);
}
impersonateCached = false; // We don't want to cache the parent's value!
_credentialsValidated = false;
}
}
protected override void Unmerge(ConfigurationElement sourceElement,
ConfigurationElement parentElement,
ConfigurationSaveMode saveMode) {
base.Unmerge(sourceElement, parentElement, saveMode); // do this to unmerge locks
IdentitySection source = sourceElement as IdentitySection;
if (Impersonate != source.Impersonate) { // this will not be copied by unmerge if it is the same as parent
Impersonate = source.Impersonate; // If it is different than expected make sure it is set or validation
} // will be missed
// this section does not inherit in the same manner since partial overrides are not permitted
if (Impersonate) // was impersonate set in the merge
{
if (source.ElementInformation.Properties[_propUserName.Name].IsModified ||
source.ElementInformation.Properties[_propPassword.Name].IsModified) {
UserName = source.UserName;
Password = source.Password;
}
}
}
private void ValidateCredentials() {
_username = UserName;
_password = Password;
if (HandlerBase.CheckAndReadRegistryValue(ref _username, false) == false) {
throw new ConfigurationErrorsException(
SR.GetString(SR.Invalid_registry_config),
ElementInformation.Source, ElementInformation.LineNumber);
}
if (HandlerBase.CheckAndReadRegistryValue(ref _password, false) == false) {
throw new ConfigurationErrorsException(
SR.GetString(SR.Invalid_registry_config),
ElementInformation.Source,
ElementInformation.LineNumber);
}
if (_username != null && _username.Length < 1) {
_username = null;
}
if (_username != null && Impersonate) {
if (_password == null) {
_password = String.Empty;
}
}
else if (_password != null && _username == null && _password.Length > 0 && Impersonate) {
throw new ConfigurationErrorsException(
SR.GetString(SR.Invalid_credentials),
ElementInformation.Properties["password"].Source,
ElementInformation.Properties["password"].LineNumber);
}
if (Impersonate && ImpersonateToken == IntPtr.Zero && _username != null) {
if (error.Length > 0) {
throw new ConfigurationErrorsException(
SR.GetString(SR.Invalid_credentials_2, error),
ElementInformation.Properties["userName"].Source,
ElementInformation.Properties["userName"].LineNumber);
}
else {
throw new ConfigurationErrorsException(
SR.GetString(SR.Invalid_credentials),
ElementInformation.Properties["userName"].Source,
ElementInformation.Properties["userName"].LineNumber);
}
}
}
private void InitializeToken() {
error = String.Empty;
IntPtr token = CreateUserToken(_username, _password, out error);
_impersonateTokenRef = new ImpersonateTokenRef(token);
if (_impersonateTokenRef.Handle == IntPtr.Zero) {
if (error.Length > 0) {
throw new ConfigurationErrorsException(
SR.GetString(SR.Invalid_credentials_2, error),
ElementInformation.Properties["userName"].Source,
ElementInformation.Properties["userName"].LineNumber);
}
else {
throw new ConfigurationErrorsException(
SR.GetString(SR.Invalid_credentials),
ElementInformation.Properties["userName"].Source,
ElementInformation.Properties["userName"].LineNumber);
}
}
}
internal IntPtr ImpersonateToken {
get {
if (_impersonateTokenRef.Handle == IntPtr.Zero) {
if (_username != null && Impersonate) {
InitializeToken();
}
}
return _impersonateTokenRef.Handle;
}
}
internal static IntPtr CreateUserToken(String name, String password, out String error) {
IntPtr token = IntPtr.Zero;
// when using ASP.NET process model call back via ISAPI
if (VersionInfo.ExeName == "aspnet_wp") {
byte[] bOut = new byte[IntPtr.Size];
byte[] bIn1 = System.Text.Encoding.Unicode.GetBytes(name + "\t" + password);
byte[] bIn = new byte[bIn1.Length + 2];
Buffer.BlockCopy(bIn1, 0, bIn, 0, bIn1.Length);
if (UnsafeNativeMethods.PMCallISAPI(IntPtr.Zero,
UnsafeNativeMethods.CallISAPIFunc.GenerateToken,
bIn,
bIn.Length,
bOut,
bOut.Length) == 1) {
Int64 iToken = 0;
for (int iter = 0; iter < IntPtr.Size; iter++) {
iToken = iToken * 256 + bOut[iter];
}
token = (IntPtr)iToken;
Debug.Trace("Token", "Token " + token + " for (" + name + "," + password + ") obtained via ISAPI");
}
}
// try to create the token directly
if (token == IntPtr.Zero) {
StringBuilder errorBuffer = new StringBuilder(256);
token = UnsafeNativeMethods.CreateUserToken(name, password, 1, errorBuffer, 256);
error = errorBuffer.ToString();
if (token != IntPtr.Zero) {
Debug.Trace("Token", "Token " + token + " for (" + name + "," + password + ") obtained directly");
}
}
else {
error = String.Empty;
}
if (token == IntPtr.Zero) {
Debug.Trace("Token", "Failed to create token for (" + name + "," + password + ")");
}
return token;
}
internal ContextInformation ProtectedEvaluationContext {
get {
return this.EvaluationContext;
}
}
}
}
|