private Uri BuildUri(ResourceRequestContext context)
{
var builder = new UriBuilder();
builder.Host = GetHost(context);
builder.Port = GetPort(context);
PortManager.OpenPortInFirewall(builder.Port);
builder.Path = AppDomain.CurrentDomain.FriendlyName + "/" + Address;
builder.Scheme = Protocol;
return(builder.Uri);
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
// Ensure the https certificate is installed before this endpoint resource is used
string thumbprint = CertificateResourceHelpers.EnsureSslPortCertificateInstalled(context.BridgeConfiguration);
serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
serviceHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new MyX509CertificateValidator("DO_NOT_TRUST_WcfBridgeRootCA");
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
thumbprint);
}
public ResourceResponse Get(ResourceRequestContext context)
{
ResourceResponse response = new ResourceResponse();
ServiceHost host;
if (s_currentHosts.TryGetValue(Address, out host) && (host.Description.Endpoints.Count == 1))
{
response.Properties.Add(ResourceResponseUriKeyName, host.Description.Endpoints[0].ListenUri.ToString());
}
return(response);
}
public override ResourceResponse Get(ResourceRequestContext context)
{
X509Certificate2 certificate =
CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration).AuthorityCertificate.Certificate;
ResourceResponse response = new ResourceResponse();
response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);
response.Properties.Add(certificateKeyName, Convert.ToBase64String(certificate.RawData));
return(response);
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
// Ensure the https certificate is installed before this endpoint resource is used
CertificateManager.InstallMyCertificate(context.BridgeConfiguration,
context.BridgeConfiguration.BridgeHttpsCertificate);
string certThumbprint = HttpsResource.EnsureHttpsCertificateInstalled(context.BridgeConfiguration);
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
certThumbprint);
}
// Requests a certificate to be generated by the Bridge based on a user name and not machine name
public override ResourceResponse Put(ResourceRequestContext context)
{
X509Certificate2 certificate;
string subject;
if (!context.Properties.TryGetValue(subjectKeyName, out subject) || string.IsNullOrWhiteSpace(subject))
{
throw new ArgumentException("When PUTting to this resource, specify an non-empty 'subject'", "context.Properties");
}
// There can be multiple subjects, separated by ,
string[] subjects = subject.Split(',');
lock (s_certificateResourceLock)
{
if (!s_createdCertsBySubject.TryGetValue(subjects[0], out certificate))
{
CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - UserCertificateResource",
Subject = subjects[0],
SubjectAlternativeNames = subjects
};
certificate = generator.CreateUserCertificate(certificateCreationSettings).Certificate;
// Cache the certificates
s_createdCertsBySubject.Add(subjects[0], certificate);
s_createdCertsByThumbprint.Add(certificate.Thumbprint, certificate);
// Created certs get put onto the local machine
// We ideally don't want this to happen, but until we find a way to have BridgeClient not need elevation for cert installs
// we need this to happen so that running locally doesn't require elevation as it messes up our CI and developer builds
CertificateManager.InstallCertificateToMyStore(certificate);
}
}
ResourceResponse response = new ResourceResponse();
response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);
return(response);
}
public object Get(ResourceRequestContext context)
{
var http = GetHttpProtocol(context) + AppDomain.CurrentDomain.FriendlyName;
var https = GetHttpsProtocol(context) + AppDomain.CurrentDomain.FriendlyName;
var tcp = GetTcpProtocol(context) + AppDomain.CurrentDomain.FriendlyName;
return(new Dictionary <string, string>()
{
{ "HttpServerBaseAddress", GetHttpProtocol(context) },
{ "HttpBaseAddress", http },
{ "HttpsBaseAddress", https },
{ "HttpsBasicBaseAddress", https },
{ "HttpsDigestBaseAddress", https },
{ "HttpsNtlmBaseAddress", https },
{ "HttpsWindowsBaseAddress", https },
{ "TcpBaseAddress", tcp }
});
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
// Ensure the service certificate is installed before this endpoint resource is used
//Create a certificate and add to the revocation list
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpRevokedServerCertResource",
ValidityType = CertificateValidityType.Revoked,
Subject = s_fqdn,
SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
};
X509Certificate2 cert = CertificateResourceHelpers.EnsureCustomCertificateInstalled(context.BridgeConfiguration, certificateCreationSettings, Address);
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
cert.Thumbprint);
}
public virtual CefReturnValue OnBeforeResourceLoad(IWebBrowser browserControl, IBrowser browser, IFrame frame, IRequest request,
IRequestCallback callback)
{
var context = new ResourceRequestContext
{
Method = request.Method,
Referrer = !string.IsNullOrEmpty(request.ReferrerUrl) ? new Uri(request.ReferrerUrl) : null,
Url = new Uri(request.Url)
};
_requestFilter.CanLoadResourceAsync(context)
.ContinueWith(task =>
{
using (callback)
{
if (!task.IsCompleted)
{
if (task.Exception != null)
{
foreach (var ex in task.Exception.Flatten().InnerExceptions)
{
_logger.LogError(LoggerEventIds.ResourceRequestFilterError, ex,
"Error processing IResourceRequestFilter for url '{0}'", context.Url);
}
}
else
{
_logger.LogError(LoggerEventIds.ResourceRequestFilterError,
"Error processing IResourceRequestFilter for url '{0}', no exception returned",
context.Url);
}
callback.Cancel();
}
else
{
callback.Continue(task.Result);
}
}
});
return(CefReturnValue.ContinueAsync);
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
// Ensure the service certificate is installed before this endpoint resource is used
//Create a certificate and add to the revocation list
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
IsValidCert = false,
Subjects = new string[] { s_fqdn, s_hostname, "localhost" }
};
X509Certificate2 cert = CertificateResourceHelpers.EnsureRevokedCertificateInstalled(context.BridgeConfiguration, certificateCreationSettings, Address);
CertificateManager.RevokeCertificate(CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration), cert.SerialNumber);
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
cert.Thumbprint);
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
// Ensure the service certificate is installed before this endpoint resource is used
// Exactly one subject name, which is going to be the CN
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameLocalhostResource",
Subject = "localhost",
SubjectAlternativeNames = new string[0],
ValidityType = CertificateValidityType.NonAuthoritativeForMachine
};
X509Certificate2 cert = CertificateResourceHelpers.EnsureCustomCertificateInstalled(context.BridgeConfiguration, certificateCreationSettings, Address);
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
cert.Thumbprint);
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
// Ensure the service certificate is installed before this endpoint resource is used
// CN=not-real-subject-name means that a cert for "not-real-subject-name" will be installed
// Per #422 this shouldn't matter as we now check with SAN
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
FriendlyName = "WCF Bridge - TcpCertificateWithServerAltNameResource",
Subject = "not-real-subject-name",
SubjectAlternativeNames = new string[] { "not-real-subject-name", "not-real-subject-name.example.com", s_fqdn, s_hostname, "localhost" }
};
X509Certificate2 cert = CertificateResourceHelpers.EnsureCustomCertificateInstalled(context.BridgeConfiguration, certificateCreationSettings, Address);
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
cert.Thumbprint);
}
public override ResourceResponse Get(ResourceRequestContext context)
{
X509Certificate2 certificate =
CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration).AuthorityCertificate.Certificate;
string exportAsPemString = string.Empty;
bool exportAsPem;
ResourceResponse response = new ResourceResponse();
if (context.Properties.TryGetValue(exportAsPemKeyName, out exportAsPemString) && bool.TryParse(exportAsPemString, out exportAsPem) && exportAsPem)
{
response.RawResponse = Encoding.ASCII.GetBytes(GetCertificateAsPem(certificate));
}
else
{
response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);
response.Properties.Add(certificateKeyName, Convert.ToBase64String(certificate.RawData));
}
return(response);
}
public static ResourceResponse DynamicInvokeGet(string resourceName, Dictionary <string, string> properties)
{
if (String.IsNullOrWhiteSpace(resourceName))
{
throw new ArgumentNullException("resourceName");
}
// Disallow concurrent resource instantation or configuration changes
lock (ConfigController.ConfigLock)
{
AssemblyLoader loader = GetLoaderFromAppDomain();
ResourceRequestContext context = new ResourceRequestContext
{
BridgeConfiguration = ConfigController.BridgeConfiguration,
ResourceName = resourceName,
Properties = properties
};
object result = loader.IResourceCall(resourceName, "Get", new object[] { context });
return((ResourceResponse)result);
}
}
public override ResourceResponse Put(ResourceRequestContext context)
{
var certGenerator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);
string serialNumber;
lock (s_certificateResourceLock)
{
if (context.Properties.TryGetValue(revokeSerialNumberKeyName, out serialNumber) && !string.IsNullOrWhiteSpace(serialNumber))
{
certGenerator.RevokeCertificateBySerialNumber(serialNumber);
}
ResourceResponse response = new ResourceResponse();
response.Properties.Add(crlUriKeyName, certGenerator.CrlUri);
response.Properties.Add(
revokedCertificatesKeyName,
string.Join <string>(",", certGenerator.RevokedCertificates));
return(response);
}
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
// Ensure the service certificate is installed before this endpoint resource is used
//Create an expired certificate
CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
{
IsValidCert = false,
ValidityNotBefore = DateTime.UtcNow - TimeSpan.FromDays(4),
ValidityNotAfter = DateTime.UtcNow - TimeSpan.FromDays(2),
//If you specify multiple subjects, the first one becomes the subject, and all of them become Subject Alt Names.
//In this case, the certificate subject is CN=fqdn, OU=..., O=... , and SANs will be fqdn, hostname, localhost
//We do this so that a single bridge setup can deal with all the possible addresses that a client might use.
//If we don't put "localhost' here, a long-running bridge will not be able to receive requests from both fqdn and localhost
//because the certs won't match.
Subjects = new string[] { s_fqdn, s_hostname, "localhost" }
};
string thumbprint = CertificateResourceHelpers.EnsureNonDefaultCertificateInstalled(context.BridgeConfiguration, certificateCreationSettings, Address);
serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
thumbprint);
}
public static ResourceResponse DynamicInvokePut(string resourceName, Dictionary <string, string> properties)
{
if (String.IsNullOrEmpty(resourceName))
{
throw new ArgumentNullException("resourceName");
}
// Disallow concurrent resource instantation or configuration changes
lock (ConfigController.ConfigLock)
{
AppDomain appDomain;
if (String.IsNullOrWhiteSpace(ConfigController.CurrentAppDomainName))
{
throw new InvalidOperationException("The Bridge resource folder has not been configured.");
}
if (!TypeCache.AppDomains.TryGetValue(ConfigController.CurrentAppDomainName, out appDomain))
{
throw new ArgumentException("Resource not found", "resource");
}
Type loaderType = typeof(AssemblyLoader);
var loader =
(AssemblyLoader)appDomain.CreateInstanceFromAndUnwrap(
loaderType.Assembly.Location,
loaderType.FullName);
ResourceRequestContext context = new ResourceRequestContext
{
BridgeConfiguration = ConfigController.BridgeConfiguration,
ResourceName = resourceName,
Properties = properties
};
object result = loader.IResourceCall(resourceName, "Put", new object[] { context });
return((ResourceResponse)result);
}
}
protected override string GetHost(ResourceRequestContext context)
{
return(Environment.MachineName);
}
protected virtual void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
}
protected abstract int GetPort(ResourceRequestContext context);
protected virtual string GetHost(ResourceRequestContext context)
{
return(context.BridgeConfiguration.BridgeHost);
}
public static string GetTcpProtocol(ResourceRequestContext context)
{
return(string.Format("net.tcp://{0}:{1}/",
context.BridgeConfiguration.BridgeHost,
context.BridgeConfiguration.BridgeTcpPort));
}
public static string GetHttpsProtocol(ResourceRequestContext context)
{
return(string.Format("https://{0}:{1}/",
context.BridgeConfiguration.BridgeHost,
context.BridgeConfiguration.BridgeHttpsPort));
}
public ResourceResponse Put(ResourceRequestContext context)
{
throw new NotImplementedException("Cannot PUT on this resource");
}
public abstract ResourceResponse Get(ResourceRequestContext context);
protected override int GetPort(ResourceRequestContext context)
{
return(context.BridgeConfiguration.BridgeWebSocketPort + 1);
}
protected override int GetPort(ResourceRequestContext context)
{
return(context.BridgeConfiguration.BridgeHttpPort);
}
protected override void ModifyHost(ServiceHost serviceHost, ResourceRequestContext context)
{
AuthenticationResourceHelper.ConfigureServiceHostUseDigestAuth(serviceHost);
base.ModifyHost(serviceHost, context);
}
public override ResourceResponse Get(ResourceRequestContext context)
{
string thumbprint;
bool thumbprintPresent = context.Properties.TryGetValue(thumbprintKeyName, out thumbprint) && !string.IsNullOrWhiteSpace(thumbprint);
string subject;
bool subjectPresent = context.Properties.TryGetValue(subjectKeyName, out subject) && !string.IsNullOrWhiteSpace(subject);
ResourceResponse response = new ResourceResponse();
// if no subject and no thumbprint parameter provided, provide a list of certs already PUT to this resource
if (!thumbprintPresent && !subjectPresent)
{
string retVal = string.Empty;
string[] subjects;
string[] thumbprints;
lock (s_certificateResourceLock)
{
int certNum = s_createdCertsBySubject.Count;
subjects = new string[certNum];
thumbprints = new string[certNum];
foreach (var keyVal in s_createdCertsBySubject)
{
--certNum;
subjects[certNum] = keyVal.Key;
thumbprints[certNum] = keyVal.Value.Thumbprint;
}
}
// this isn't ideal, as semantically in JSON they aren't grouped together. Our current Json serializer implementation
// doesn't support serializing nested key-val pairs
response.Properties.Add(subjectsKeyName, string.Join(",", subjects));
response.Properties.Add(thumbprintsKeyName, string.Join(",", thumbprints));
return(response);
}
else
{
// Otherwise, check on the creation state given the certificate thumbprint or subject
// thumbprint is given priority if present
X509Certificate2 certificate = null;
bool certHasBeenCreated = false;
lock (s_certificateResourceLock)
{
if (thumbprintPresent)
{
certHasBeenCreated = s_createdCertsByThumbprint.TryGetValue(thumbprint, out certificate);
}
else if (subjectPresent)
{
certHasBeenCreated = s_createdCertsBySubject.TryGetValue(subject, out certificate);
}
}
if (certHasBeenCreated)
{
var certGenerator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);
response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);
response.Properties.Add(certificateKeyName, Convert.ToBase64String(certificate.Export(X509ContentType.Pfx, certGenerator.CertificatePassword)));
}
else
{
response.Properties.Add(thumbprintKeyName, string.Empty);
response.Properties.Add(certificateKeyName, string.Empty);
}
return(response);
}
}
public abstract override ResourceResponse Put(ResourceRequestContext context);
