File: FrameworkFork\System.ServiceModel\System\ServiceModel\Channels\AsymmetricSecurityBindingElement.cs
Web Access
Project: src\src\dotnet-svcutil\lib\src\dotnet-svcutil-lib.csproj (dotnet-svcutil-lib)
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
 
using System.ServiceModel.Diagnostics;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Collections.ObjectModel;
using System.Net.Security;
 
namespace System.ServiceModel.Channels
{
    using Microsoft.Xml;
    using System.ServiceModel.Security.Tokens;
    using System.ServiceModel.Security;
    using System.ServiceModel;
    using System.IO;
    using System.Collections.ObjectModel;
    using System.Collections.Generic;
    using System.Runtime.InteropServices;
 
    public class SecurityBindingElementImporter : IPolicyImportExtension
    {
        internal const string MaxPolicyRedirectionsKey = "MaxPolicyRedirections";
        internal const string SecureConversationBootstrapEncryptionRequirements = "SecureConversationBootstrapEncryptionRequirements";
        internal const string SecureConversationBootstrapSignatureRequirements = "SecureConversationBootstrapSignatureRequirements";
        internal const string InSecureConversationBootstrapBindingImportMode = "InSecureConversationBootstrapBindingImportMode";
        internal const string ContractProtectionLevelKey = "ContractProtectionLevelKey";
 
        private int _maxPolicyRedirections;
 
        public SecurityBindingElementImporter()
        {
            _maxPolicyRedirections = 10;
        }
 
        public int MaxPolicyRedirections
        {
            get
            {
                return _maxPolicyRedirections;
            }
        }
 
        private void ImportOperationScopeSupportingTokensPolicy(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding)
        {
            foreach (OperationDescription operation in policyContext.Contract.Operations)
            {
                string requestAction = null;
                foreach (MessageDescription message in operation.Messages)
                {
                    if (message.Direction == MessageDirection.Input)
                    {
                        requestAction = message.Action;
                        break;
                    }
                }
 
                SupportingTokenParameters requirements = new SupportingTokenParameters();
                SupportingTokenParameters optionalRequirements = new SupportingTokenParameters();
                ICollection<XmlElement> operationBindingAssertions = policyContext.GetOperationBindingAssertions(operation);
                this.ImportSupportingTokenAssertions(importer, policyContext, operationBindingAssertions, requirements, optionalRequirements);
                if (requirements.Endorsing.Count > 0
                    || requirements.Signed.Count > 0
                    || requirements.SignedEncrypted.Count > 0
                    || requirements.SignedEndorsing.Count > 0)
                {
                    if (requestAction != null)
                    {
                        binding.OperationSupportingTokenParameters[requestAction] = requirements;
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction));
                    }
                }
                if (optionalRequirements.Endorsing.Count > 0
                    || optionalRequirements.Signed.Count > 0
                    || optionalRequirements.SignedEncrypted.Count > 0
                    || optionalRequirements.SignedEndorsing.Count > 0)
                {
                    if (requestAction != null)
                    {
                        binding.OptionalOperationSupportingTokenParameters[requestAction] = optionalRequirements;
                    }
                    else
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.CannotImportSupportingTokensForOperationWithoutRequestAction)));
                    }
                }
            }
        }
 
        private void ImportProtectionAssertions(ICollection<XmlElement> assertions, out MessagePartSpecification signedParts, out MessagePartSpecification encryptedParts)
        {
            XmlElement assertion;
 
            signedParts = null;
            encryptedParts = null;
 
            WSSecurityPolicy securityPolicy;
            if (WSSecurityPolicy.TryGetSecurityPolicyDriver(assertions, out securityPolicy))
            {
                if (!securityPolicy.TryImportWsspEncryptedPartsAssertion(assertions, out encryptedParts, out assertion)
                    && assertion != null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
                }
 
                if (!securityPolicy.TryImportWsspSignedPartsAssertion(assertions, out signedParts, out assertion)
                    && assertion != null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
                }
            }
 
            if (encryptedParts == null)
            {
                encryptedParts = MessagePartSpecification.NoParts;
            }
            if (signedParts == null)
            {
                signedParts = MessagePartSpecification.NoParts;
            }
        }
 
        private void ValidateExistingOrSetNewProtectionLevel(MessagePartDescription part, MessageDescription message, OperationDescription operation, ContractDescription contract, ProtectionLevel newProtectionLevel)
        {
            ProtectionLevel existingProtectionLevel;
 
            if (part != null && part.HasProtectionLevel)
            {
                existingProtectionLevel = part.ProtectionLevel;
            }
            else if (message.HasProtectionLevel)
            {
                existingProtectionLevel = message.ProtectionLevel;
            }
            else if (operation.HasProtectionLevel)
            {
                existingProtectionLevel = operation.ProtectionLevel;
            }
            else
            {
                if (part != null)
                {
                    part.ProtectionLevel = newProtectionLevel;
                }
                else
                {
                    message.ProtectionLevel = newProtectionLevel;
                }
                existingProtectionLevel = newProtectionLevel;
            }
 
            if (existingProtectionLevel != newProtectionLevel)
            {
                if (part != null && !part.HasProtectionLevel)
                {
                    part.ProtectionLevel = newProtectionLevel;
                }
                else if (part == null && !message.HasProtectionLevel)
                {
                    message.ProtectionLevel = newProtectionLevel;
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(string.Format(SRServiceModel.CannotImportProtectionLevelForContract, contract.Name, contract.Namespace)));
                }
            }
        }
 
        private void AddParts(ref MessagePartSpecification parts1, MessagePartSpecification parts2)
        {
            if (parts1 == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts1"));
            if (parts2 == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException("parts2"));
 
            if (!parts2.IsEmpty())
            {
                if (parts1.IsReadOnly)
                {
                    MessagePartSpecification p = new MessagePartSpecification();
                    p.Union(parts1);
                    p.Union(parts2);
                    parts1 = p;
                }
                else
                {
                    parts1.Union(parts2);
                }
            }
        }
 
        private class ContractProtectionLevel
        {
            private bool _hasProtectionRequirements;
            private bool _hasUniformProtectionLevel;
            private ProtectionLevel _uniformProtectionLevel;
 
            public ContractProtectionLevel(bool hasProtectionRequirements, bool hasUniformProtectionLevel, ProtectionLevel uniformProtectionLevel)
            {
                _hasProtectionRequirements = hasProtectionRequirements;
                _hasUniformProtectionLevel = hasUniformProtectionLevel;
                _uniformProtectionLevel = uniformProtectionLevel;
            }
 
            public bool HasProtectionRequirements { get { return _hasProtectionRequirements; } }
            public bool HasUniformProtectionLevel { get { return _hasUniformProtectionLevel; } }
            public ProtectionLevel UniformProtectionLevel { get { return _uniformProtectionLevel; } }
        }
 
        private void ImportMessageScopeProtectionPolicy(MetadataImporter importer, PolicyConversionContext policyContext)
        {
            MessagePartSpecification endpointSignedParts;
            MessagePartSpecification endpointEncryptedParts;
            bool isContractAssociatedWithAtLeastOneOtherBinding;
            ContractProtectionLevel otherBindingProtectionLevel = null;
            bool hasContractProtectionLevel = false;
            bool isContractProtectionLevelUniform = true;
            ProtectionLevel contractProtectionLevel = ProtectionLevel.None;
 
            string contractAssociationName = String.Format("{0}:{1}:{2}", ContractProtectionLevelKey, policyContext.Contract.Name, policyContext.Contract.Namespace);
            if (importer.State.ContainsKey(contractAssociationName))
            {
                isContractAssociatedWithAtLeastOneOtherBinding = true;
                otherBindingProtectionLevel = (ContractProtectionLevel)importer.State[contractAssociationName];
            }
            else
            {
                isContractAssociatedWithAtLeastOneOtherBinding = false;
            }
 
            ICollection<XmlElement> endpointBindingAssertions = policyContext.GetBindingAssertions();
            this.ImportProtectionAssertions(endpointBindingAssertions, out endpointSignedParts, out endpointEncryptedParts);
 
            if (importer.State.ContainsKey(InSecureConversationBootstrapBindingImportMode))
            {
                // when importing secure conversation boostrap binding, add the endpoint scope protection requirements
                // to the importer state to be consumed in SecurityPolicy11.TryImportWsspBootrstapPolicyAssertion
                if (endpointEncryptedParts != null)
                    importer.State[SecureConversationBootstrapEncryptionRequirements] = endpointEncryptedParts;
                if (endpointSignedParts != null)
                    importer.State[SecureConversationBootstrapSignatureRequirements] = endpointSignedParts;
            }
 
            foreach (OperationDescription operation in policyContext.Contract.Operations)
            {
                MessagePartSpecification operationSignedParts;
                MessagePartSpecification operationEncryptedParts;
 
                ICollection<XmlElement> operationBindingAssertions = policyContext.GetOperationBindingAssertions(operation);
                this.ImportProtectionAssertions(operationBindingAssertions, out operationSignedParts, out operationEncryptedParts);
                this.AddParts(ref operationSignedParts, endpointSignedParts);
                this.AddParts(ref operationEncryptedParts, endpointEncryptedParts);
 
                MessagePartSpecification messageSignedParts;
                MessagePartSpecification messageEncryptedParts;
                bool hasProtectionLevel = false;
                bool isProtectionLevelUniform = true;
                ProtectionLevel protectionLevel = ProtectionLevel.None;
 
                // import application message protection requirements
                foreach (MessageDescription message in operation.Messages)
                {
                    ICollection<XmlElement> messageBindingAssertions = policyContext.GetMessageBindingAssertions(message);
                    this.ImportProtectionAssertions(messageBindingAssertions, out messageSignedParts, out messageEncryptedParts);
                    this.AddParts(ref messageSignedParts, operationSignedParts);
                    this.AddParts(ref messageEncryptedParts, operationEncryptedParts);
 
                    // validate or set body protection level
                    ProtectionLevel newProtectionLevel = GetProtectionLevel(messageSignedParts.IsBodyIncluded, messageEncryptedParts.IsBodyIncluded, message.Action);
                    if (OperationFormatter.IsValidReturnValue(message.Body.ReturnValue))
                    {
                        ValidateExistingOrSetNewProtectionLevel(message.Body.ReturnValue, message, operation, policyContext.Contract, newProtectionLevel);
                    }
                    foreach (MessagePartDescription body in message.Body.Parts)
                    {
                        ValidateExistingOrSetNewProtectionLevel(body, message, operation, policyContext.Contract, newProtectionLevel);
                    }
                    if (!OperationFormatter.IsValidReturnValue(message.Body.ReturnValue) || message.Body.Parts.Count == 0)
                    {
                        ValidateExistingOrSetNewProtectionLevel(null, message, operation, policyContext.Contract, newProtectionLevel);
                    }
 
                    if (hasProtectionLevel)
                    {
                        if (protectionLevel != newProtectionLevel)
                        {
                            isProtectionLevelUniform = false;
                        }
                    }
                    else
                    {
                        protectionLevel = newProtectionLevel;
                        hasProtectionLevel = true;
                    }
                    if (hasContractProtectionLevel)
                    {
                        if (contractProtectionLevel != newProtectionLevel)
                        {
                            isContractProtectionLevelUniform = false;
                        }
                    }
                    else
                    {
                        contractProtectionLevel = newProtectionLevel;
                        hasContractProtectionLevel = true;
                    }
 
                    // validate o set header protection level
                    foreach (MessageHeaderDescription header in message.Headers)
                    {
                        bool signed = messageSignedParts.IsHeaderIncluded(header.Name, header.Namespace);
                        bool encrypted = messageEncryptedParts.IsHeaderIncluded(header.Name, header.Namespace);
                        newProtectionLevel = GetProtectionLevel(signed, encrypted, message.Action);
                        ValidateExistingOrSetNewProtectionLevel(header, message, operation, policyContext.Contract, newProtectionLevel);
 
                        if (hasProtectionLevel)
                        {
                            if (protectionLevel != newProtectionLevel)
                            {
                                isProtectionLevelUniform = false;
                            }
                        }
                        else
                        {
                            protectionLevel = newProtectionLevel;
                            hasProtectionLevel = true;
                        }
                        if (hasContractProtectionLevel)
                        {
                            if (contractProtectionLevel != newProtectionLevel)
                            {
                                isContractProtectionLevelUniform = false;
                            }
                        }
                        else
                        {
                            contractProtectionLevel = newProtectionLevel;
                            hasContractProtectionLevel = true;
                        }
                    }
                }
 
                // normalize protection level settings at the operation scope if possible to help avoid typed message generation
                if (hasProtectionLevel && isProtectionLevelUniform)
                {
                    // (hongmeig) remove the foreach message here
                    //  foreach (MessageDescription message in operation.Messages)
 
                    this.ResetProtectionLevelForMessages(operation);
 
                    operation.ProtectionLevel = protectionLevel;
                }
 
                // import fault protection requirements
                foreach (FaultDescription fault in operation.Faults)
                {
                    ICollection<XmlElement> faultBindingAssertions = policyContext.GetFaultBindingAssertions(fault);
                    this.ImportProtectionAssertions(faultBindingAssertions, out messageSignedParts, out messageEncryptedParts);
                    this.AddParts(ref messageSignedParts, operationSignedParts);
                    this.AddParts(ref messageEncryptedParts, operationEncryptedParts);
 
                    // validate or set fault protection level
                    ProtectionLevel newProtectionLevel = GetProtectionLevel(messageSignedParts.IsBodyIncluded, messageEncryptedParts.IsBodyIncluded, fault.Action);
                    if (fault.HasProtectionLevel)
                    {
                        if (fault.ProtectionLevel != newProtectionLevel)
                        {
                            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(string.Format(SRServiceModel.CannotImportProtectionLevelForContract, policyContext.Contract.Name, policyContext.Contract.Namespace)));
                        }
                    }
                    else
                    {
                        fault.ProtectionLevel = newProtectionLevel;
                    }
                    if (hasContractProtectionLevel)
                    {
                        if (contractProtectionLevel != newProtectionLevel)
                        {
                            isContractProtectionLevelUniform = false;
                        }
                    }
                    else
                    {
                        contractProtectionLevel = newProtectionLevel;
                        hasContractProtectionLevel = true;
                    }
                }
            }
 
            if (isContractAssociatedWithAtLeastOneOtherBinding)
            {
                if (hasContractProtectionLevel != otherBindingProtectionLevel.HasProtectionRequirements
                    || isContractProtectionLevelUniform != otherBindingProtectionLevel.HasUniformProtectionLevel
                    || contractProtectionLevel != otherBindingProtectionLevel.UniformProtectionLevel)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(string.Format(SRServiceModel.CannotImportProtectionLevelForContract, policyContext.Contract.Name, policyContext.Contract.Namespace)));
                }
            }
            else
            {
                if (hasContractProtectionLevel && isContractProtectionLevelUniform && contractProtectionLevel == ProtectionLevel.EncryptAndSign)
                {
                    // remove all explicitly set protection levels on the contract description, since they are uniform across the contract
                    // and match our binding's default of EncryptAndSign
                    foreach (OperationDescription operation in policyContext.Contract.Operations)
                    {
                        this.ResetProtectionLevelForMessages(operation);
                        foreach (FaultDescription fault in operation.Faults)
                        {
                            fault.ResetProtectionLevel();
                        }
                        operation.ResetProtectionLevel();
                    }
                }
                importer.State[contractAssociationName] = new ContractProtectionLevel(hasContractProtectionLevel, isContractProtectionLevelUniform, contractProtectionLevel);
            }
        }
 
        private void ResetProtectionLevelForMessages(OperationDescription operation)
        {
            foreach (MessageDescription message in operation.Messages)
            {
                if (OperationFormatter.IsValidReturnValue(message.Body.ReturnValue))
                {
                    message.Body.ReturnValue.ResetProtectionLevel();
                }
                foreach (MessagePartDescription body in message.Body.Parts)
                {
                    body.ResetProtectionLevel();
                }
                foreach (MessageHeaderDescription header in message.Headers)
                {
                    header.ResetProtectionLevel();
                }
                message.ResetProtectionLevel();
            }
        }
 
        private static ProtectionLevel GetProtectionLevel(bool signed, bool encrypted, string action)
        {
            ProtectionLevel result;
 
            if (encrypted)
            {
                if (signed)
                {
                    result = ProtectionLevel.EncryptAndSign;
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidChannelBindingException(string.Format(SRServiceModel.PolicyRequiresConfidentialityWithoutIntegrity, action)));
                }
            }
            else if (signed)
            {
                result = ProtectionLevel.Sign;
            }
            else
            {
                result = ProtectionLevel.None;
            }
 
            return result;
        }
 
        private void ImportSupportingTokenAssertions(MetadataImporter importer, PolicyConversionContext policyContext, ICollection<XmlElement> assertions, SupportingTokenParameters requirements, SupportingTokenParameters optionalRequirements)
        {
            WSSecurityPolicy securityPolicy;
            if (WSSecurityPolicy.TryGetSecurityPolicyDriver(assertions, out securityPolicy))
            {
                securityPolicy.TryImportWsspSupportingTokensAssertion(
                importer,
                policyContext,
                assertions,
                requirements.Signed,
                requirements.SignedEncrypted,
                requirements.Endorsing,
                requirements.SignedEndorsing,
                optionalRequirements.Signed,
                optionalRequirements.SignedEncrypted,
                optionalRequirements.Endorsing,
                optionalRequirements.SignedEndorsing);
            }
        }
 
        private void ImportEndpointScopeMessageBindingAssertions(MetadataImporter importer, PolicyConversionContext policyContext, SecurityBindingElement binding)
        {
            XmlElement assertion = null;
 
            this.ImportSupportingTokenAssertions(importer, policyContext, policyContext.GetBindingAssertions(), binding.EndpointSupportingTokenParameters, binding.OptionalEndpointSupportingTokenParameters);
 
            WSSecurityPolicy securityPolicy;
            if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
            {
                if (!securityPolicy.TryImportWsspWssAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion)
                    && assertion != null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
                }
 
                if (!securityPolicy.TryImportWsspTrustAssertion(importer, policyContext.GetBindingAssertions(), binding, out assertion)
                    && assertion != null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
                }
            }
 
            //
            // We don't have WSTrust assertion => it is possible we are a BasicHttpBinding
            // Set the flag here so that later when we tried to compare binding element with basic http binding
            // we can have an exact match.
            //
            if (assertion == null)
                binding.DoNotEmitTrust = true;
        }
 
 
        private bool TryImportSymmetricSecurityBindingElement(MetadataImporter importer, PolicyConversionContext policyContext, out SecurityBindingElement sbe)
        {
            SymmetricSecurityBindingElement binding = null;
            XmlElement assertion;
            WSSecurityPolicy securityPolicy;
            if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
            {
                if (securityPolicy.TryImportWsspSymmetricBindingAssertion(importer, policyContext, policyContext.GetBindingAssertions(), out binding, out assertion))
                {
                    this.ImportEndpointScopeMessageBindingAssertions(importer, policyContext, binding);
                    this.ImportOperationScopeSupportingTokensPolicy(importer, policyContext, binding);
                    this.ImportMessageScopeProtectionPolicy(importer, policyContext);
                    policyContext.BindingElements.Add(binding);
                }
                else if (assertion != null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
                }
            }
 
            sbe = binding;
            return binding != null;
        }
 
        private bool TryImportAsymmetricSecurityBindingElement(MetadataImporter importer, PolicyConversionContext policyContext, out SecurityBindingElement sbe)
        {
            AsymmetricSecurityBindingElement binding = null;
            XmlElement assertion;
            WSSecurityPolicy securityPolicy;
            if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
            {
                if (securityPolicy.TryImportWsspAsymmetricBindingAssertion(importer, policyContext, policyContext.GetBindingAssertions(), out binding, out assertion))
                {
                    this.ImportEndpointScopeMessageBindingAssertions(importer, policyContext, binding);
                    this.ImportOperationScopeSupportingTokensPolicy(importer, policyContext, binding);
                    this.ImportMessageScopeProtectionPolicy(importer, policyContext);
                    policyContext.BindingElements.Add(binding);
                }
                else if (assertion != null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
                }
            }
 
            sbe = binding;
            return binding != null;
        }
 
        // isDualSecurityModeOnly is true if the binding has both message security and https security enabled.
        private bool TryImportTransportSecurityBindingElement(MetadataImporter importer, PolicyConversionContext policyContext, out SecurityBindingElement sbe, bool isDualSecurityModeOnly)
        {
            TransportSecurityBindingElement binding = null;
            XmlElement assertion;
            sbe = null;
 
            WSSecurityPolicy securityPolicy;
            if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
            {
                if (securityPolicy.TryImportWsspTransportBindingAssertion(importer, policyContext.GetBindingAssertions(), out binding, out assertion))
                {
                    this.ImportEndpointScopeMessageBindingAssertions(importer, policyContext, binding);
 
                    // If it is not DualSecurityMode then it is Mixed mode. So we need to look for supporting tokens in the binding.
                    if (!isDualSecurityModeOnly)
                    {
                        this.ImportOperationScopeSupportingTokensPolicy(importer, policyContext, binding);
                        if (importer.State.ContainsKey(InSecureConversationBootstrapBindingImportMode))
                        {
                            this.ImportMessageScopeProtectionPolicy(importer, policyContext);
                        }
 
                        if (HasSupportingTokens(binding) || binding.IncludeTimestamp)
                        {
                            sbe = binding;
                            policyContext.BindingElements.Add(binding);
                        }
                    }
                }
                else if (assertion != null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(SRServiceModel.UnsupportedSecurityPolicyAssertion, assertion.OuterXml)));
                }
            }
 
            return binding != null;
        }
 
        private static bool HasSupportingTokens(SecurityBindingElement binding)
        {
            if (binding.EndpointSupportingTokenParameters.Endorsing.Count > 0
                    || binding.EndpointSupportingTokenParameters.SignedEndorsing.Count > 0
                    || binding.EndpointSupportingTokenParameters.SignedEncrypted.Count > 0
                    || binding.EndpointSupportingTokenParameters.Signed.Count > 0)
            {
                return true;
            }
 
            foreach (SupportingTokenParameters r in binding.OperationSupportingTokenParameters.Values)
            {
                if (r.Endorsing.Count > 0
                        || r.SignedEndorsing.Count > 0
                        || r.SignedEncrypted.Count > 0
                        || r.Signed.Count > 0)
                {
                    return true;
                }
            }
 
            return false;
        }
 
        void IPolicyImportExtension.ImportPolicy(MetadataImporter importer, PolicyConversionContext policyContext)
        {
            if (importer == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("importer");
            }
            if (policyContext == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("policyContext");
            }
            WSSecurityPolicy securityPolicy;
            if (WSSecurityPolicy.TryGetSecurityPolicyDriver(policyContext.GetBindingAssertions(), out securityPolicy))
            {
                if ((importer.State != null) && (!importer.State.ContainsKey(MaxPolicyRedirectionsKey)))
                {
                    importer.State.Add(MaxPolicyRedirectionsKey, this.MaxPolicyRedirections);
                }
 
                SecurityBindingElement sbe = null;
                bool success = this.TryImportSymmetricSecurityBindingElement(importer, policyContext, out sbe);
                if (!success)
                {
                    success = this.TryImportAsymmetricSecurityBindingElement(importer, policyContext, out sbe);
                }
                if (!success)
                {
                    success = this.TryImportTransportSecurityBindingElement(importer, policyContext, out sbe, false);
                }
                else
                {
                    // We already have found and imported the message security binding element above. Hence this could be the dual mode security.
                    // Now let us see if there is HttpsTransportBinding assertion also below it .This is to avoid the 
                    // warning messages while importing wsdl representing the message security over Https transport security scenario. See Bug:136416.
 
                    SecurityBindingElement tbe = null;
                    this.TryImportTransportSecurityBindingElement(importer, policyContext, out tbe, true);
                }
            }
        }
    }
}