public override bool CheckAccess ( EndpointIdentity identity, AuthorizationContext authContext) { // FIXME: implement throw new NotImplementedException (); }
static IList<Type> BuildKnownClaimTypes(AuthorizationContext authorizationContext) { List<Type> knownTypes = new List<Type>(); foreach (ClaimSet claimSet in authorizationContext.ClaimSets) { Type claimSetType = claimSet.GetType(); if (!redBitsKnownType.Contains(claimSetType) && !knownTypes.Contains(claimSetType)) { knownTypes.Add(claimSetType); } foreach (Claim claim in claimSet) { Type claimType = claim.GetType(); if (!redBitsKnownType.Contains(claimType) && !knownTypes.Contains(claimType)) { knownTypes.Add(claimType); } } } if (knownTypes.Count != 0) { return knownTypes; } return null; }
public ServiceSecurityContext(ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies) { if (authorizationPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationPolicies"); } this.authorizationContext = null; this.authorizationPolicies = authorizationPolicies; }
// Perf: delay created authorizationContext using forward chain. public ServiceSecurityContext(ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies) { if (authorizationPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationPolicies"); } _authorizationContext = null; _authorizationPolicies = authorizationPolicies; }
private static IList<IIdentity> GetIdentities(AuthorizationContext authorizationContext) { object list; if ((authorizationContext != null) && authorizationContext.Properties.TryGetValue("Identities", out list)) { return (list as IList<IIdentity>); } return new List<IIdentity>(); }
/// <summary> /// The the purposes of this method are: /// 1. To enable layers above to get to the bootstrap tokens /// 2. To ensure an ClaimsPrincipal is inside the SCT authorization policies. This is needed so that /// a CustomPrincipal will be created and can be set. This is required as we set the principal permission mode to custom /// 3. To set the IAuthorizationPolicy collection on the SCT to be one of IDFx's Authpolicy. /// This allows SCT cookie and SCT cached to be treated the same, futher up the stack. /// /// This method is call AFTER the final SCT has been created and the bootstrap tokens are around. Itis not called during the SP/TLS nego bootstrap. /// </summary> /// <param name="sct"></param> internal void SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(SecurityContextSecurityToken sct) { if (sct == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sct"); } List <IAuthorizationPolicy> iaps = new List <IAuthorizationPolicy>(); // // The SecurityContextToken is cached first before the OnTokenIssued is called. So in the Session SCT // case the AuthorizationPolicies will have already been updated. So check the sct.AuthorizationPolicies // policy to see if the first is a AuthorizationPolicy. // if ((sct.AuthorizationPolicies != null) && (sct.AuthorizationPolicies.Count > 0) && (ContainsEndpointAuthPolicy(sct.AuthorizationPolicies))) { // We have already seen this sct and have fixed up the AuthorizationPolicy // collection. Just return. return; } // // Nego SCT just has a cookie, there are no IAuthorizationPolicy. In this case, // we want to add the EndpointAuthorizationPolicy alone to the SCT. // if ((sct.AuthorizationPolicies != null) && (sct.AuthorizationPolicies.Count > 0)) { // // Create a principal with known policies. // AuthorizationPolicy sctAp = IdentityModelServiceAuthorizationManager.TransformAuthorizationPolicies(sct.AuthorizationPolicies, _securityTokenHandlerCollection, false); // Replace the WCF authorization policies with our IDFx policies. // The principal is needed later on to set the custom principal by WCF runtime. iaps.Add(sctAp); // // Convert the claim from WCF unconditional policy to an SctAuthorizationPolicy. The SctAuthorizationPolicy simply // captures the primary identity claim from the WCF unconditional policy which IdFX will eventually throw away. // If we don't capture that claim, then in a token renewal scenario WCF will fail due to identities being different // for the issuedToken and the renewedToken. // SysClaim claim = GetPrimaryIdentityClaim(SystemAuthorizationContext.CreateDefaultAuthorizationContext(sct.AuthorizationPolicies)); SctAuthorizationPolicy sctAuthPolicy = new SctAuthorizationPolicy(claim); iaps.Add(sctAuthPolicy); } iaps.Add(new EndpointAuthorizationPolicy(_endpointId)); sct.AuthorizationPolicies = iaps.AsReadOnly(); }
private IList <IIdentity> GetIdentities() { object obj2; System.IdentityModel.Policy.AuthorizationContext authorizationContext = this.AuthorizationContext; if ((authorizationContext != null) && authorizationContext.Properties.TryGetValue("Identities", out obj2)) { return(obj2 as IList <IIdentity>); } return(null); }
public static SerializableAuthorizationContext From(AuthorizationContext authorizationContext) { if (authorizationContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationContext"); } IList<Type> knownTypes = BuildKnownClaimTypes(authorizationContext); byte[] contextBlob = CreateSerializableBlob(authorizationContext, knownTypes); return new SerializableAuthorizationContext(contextBlob, authorizationContext.ExpirationTime, authorizationContext.Id, knownTypes); }
public ServiceSecurityContext(System.IdentityModel.Policy.AuthorizationContext authorizationContext, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies) { if (authorizationContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationContext"); } if (authorizationPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationPolicies"); } this.authorizationContext = authorizationContext; this.authorizationPolicies = authorizationPolicies; }
public ServiceSecurityContext(System.IdentityModel.Policy.AuthorizationContext authorizationContext, ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies) { if (authorizationContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationContext"); } if (authorizationPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationPolicies"); } this.authorizationContext = authorizationContext; this.authorizationPolicies = authorizationPolicies; }
public ServiceSecurityContext (AuthorizationContext authorizationContext, ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies) { if (authorizationContext == null) throw new ArgumentNullException ("authorizationContext"); if (authorizationPolicies == null) throw new ArgumentNullException ("authorizationPolicies"); this.policies = authorizationPolicies; this.context = authorizationContext; // FIXME: get correct identity primary_identity = new GenericIdentity (String.Empty); }
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authzContext) { List<Claim> dnsClaims = new List<Claim>(); foreach( ClaimSet claimSet in authzContext.ClaimSets ) { foreach( Claim claim in claimSet ) { if ( ClaimTypes.Dns == claim.ClaimType ) { dnsClaims.Add(claim); } } } if ( 1 != dnsClaims.Count ) { throw new InvalidOperationException(String.Format("Found {0} DNS claims in authorization context.", dnsClaims.Count)); } return String.Equals((string) this.expectedIdentity.IdentityClaim.Resource, (string) dnsClaims[0].Resource, StringComparison.OrdinalIgnoreCase); }
/// <summary> /// Gets the primary identity claim to create the SCTAuthorizationPolicy /// </summary> /// <param name="authContext">The authorization context</param> /// <returns>The primary identity claim from the authorization context.</returns> SysClaim GetPrimaryIdentityClaim(SystemAuthorizationContext authContext) { if (authContext != null) { for (int i = 0; i < authContext.ClaimSets.Count; ++i) { System.IdentityModel.Claims.ClaimSet claimSet = authContext.ClaimSets[i]; foreach (System.IdentityModel.Claims.Claim claim in claimSet.FindClaims(null, System.IdentityModel.Claims.Rights.Identity)) { return(claim); } } } return(null); }
private Exception CreateIdentityCheckException(EndpointIdentity identity, AuthorizationContext authorizationContext, string errorString, EndpointAddress serviceReference) { if (((identity.IdentityClaim == null) || !(identity.IdentityClaim.ClaimType == ClaimTypes.Dns)) || (!(identity.IdentityClaim.Right == Rights.PossessProperty) || !(identity.IdentityClaim.Resource is string))) { return new MessageSecurityException(System.ServiceModel.SR.GetString(errorString, new object[] { identity, serviceReference })); } string resource = (string) identity.IdentityClaim.Resource; string str2 = null; for (int i = 0; i < authorizationContext.ClaimSets.Count; i++) { ClaimSet set = authorizationContext.ClaimSets[i]; foreach (Claim claim in set.FindClaims(ClaimTypes.Dns, Rights.PossessProperty)) { if (claim.Resource is string) { str2 = (string) claim.Resource; break; } } if (str2 != null) { break; } } if ("IdentityCheckFailedForIncomingMessage".Equals(errorString)) { if (str2 == null) { return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForIncomingMessageLackOfDnsClaim", new object[] { resource })); } return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForIncomingMessage", new object[] { resource, str2 })); } if ("IdentityCheckFailedForOutgoingMessage".Equals(errorString)) { if (str2 == null) { return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForOutgoingMessageLackOfDnsClaim", new object[] { resource })); } return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForOutgoingMessage", new object[] { resource, str2 })); } return new MessageSecurityException(System.ServiceModel.SR.GetString(errorString, new object[] { identity, serviceReference })); }
private bool AccessCheck(AuthorizationContext authzContext, MessageProperties messageProperties, string claimType, Dictionary<Claim, Claim> dictionary) { if (authzContext != null) { foreach (ClaimSet set in authzContext.ClaimSets) { foreach (Claim claim in set.FindClaims(claimType, Rights.PossessProperty)) { if (dictionary.ContainsKey(claim)) { return true; } } } } else if (DebugTrace.Info) { DebugTrace.Trace(TraceLevel.Info, "No authzContext was passed into AccessCheck"); } return false; }
// Code to be added. public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { StreamWriter file = new StreamWriter("c:\\temp\\TestClient.CustomIdentityVerifier - CheckAccess.txt", true); file.WriteLine("_________________________________________"); file.WriteLine("DateTime: " + DateTime.Now.ToString()); bool returnvalue = false; foreach (ClaimSet claimset in authContext.ClaimSets) { foreach (Claim claim in claimset) { file.WriteLine("claim.ClaimType: " + claim.ClaimType); file.WriteLine("\tclaim.Right: " + claim.Right); file.WriteLine("\t\tclaim.Resource: " + claim.Resource.ToString()); if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname") { X500DistinguishedName name = (X500DistinguishedName)claim.Resource; file.WriteLine("X500DistinguishedName: " + name.Name); //if (name.Name.Contains(((OrgEndpointIdentity)identity).OrganizationClaim)) //if ("CN=zpatlittrs239.ittl.gtri.org" == name.Name) if ("[email protected], CN=HA50WSP, O=Hawaii Five0, L=Honolulu, S=Hawaii, C=US" == name.Name) { file.WriteLine("\tClaim Type: {0}", claim.ClaimType); file.WriteLine("\tRight: {0}", claim.Right); file.WriteLine("\tResource: {0}", claim.Resource); file.WriteLine(); returnvalue = true; } } } } file.Close(); return returnvalue; }
private void EnsureIdentity(EndpointAddress serviceReference, AuthorizationContext authorizationContext, String errorString) { if (authorizationContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationContext"); } EndpointIdentity identity; if (!TryGetIdentity(serviceReference, out identity)) { SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authorizationContext, this.GetType()); throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(errorString, identity, serviceReference))); } else { if (!CheckAccess(identity, authorizationContext)) { // CheckAccess performs a Trace on failure, no need to do it twice Exception e = CreateIdentityCheckException(identity, authorizationContext, errorString, serviceReference); throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(e); } } }
private bool AccessCheck(AuthorizationContext authzContext, MessageProperties messageProperties, string binding) { bool result = false; if (DebugTrace.Verbose) { DebugTrace.Trace(TraceLevel.Verbose, "AccessCheck for binding {0}", binding); } if (string.Compare(binding, BindingStrings.InteropBindingQName(this.protocolVersion), StringComparison.Ordinal) == 0) { result = this.AccessCheck(authzContext, messageProperties, ClaimTypes.Thumbprint, this.thumbprints); } else if ((string.Compare(binding, BindingStrings.NamedPipeBindingQName, StringComparison.Ordinal) == 0) || (string.Compare(binding, BindingStrings.WindowsBindingQName, StringComparison.Ordinal) == 0)) { result = this.AccessCheck(authzContext, messageProperties, ClaimTypes.Sid, this.sids); } else { Microsoft.Transactions.Bridge.DiagnosticUtility.FailFast("Unknown binding " + binding); } this.TraceAccessCheckResult(result, messageProperties); return result; }
/// <summary> /// Token Constructor /// </summary> /// <param name="xmlToken">Encrypted xml token</param> public Token(String xmlToken) { byte[] decryptedData = decryptToken(xmlToken); XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8)); m_token = (SamlSecurityToken)WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null); SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[]{ new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator() }), MaximumTokenSkew); if (authenticator.CanValidateToken(m_token)) { ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token); m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies); FindIdentityClaims(); } else { throw new Exception("Unable to validate the token."); } }
public abstract bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext);
internal void EnsureOutgoingIdentity(EndpointAddress serviceReference, Uri via, AuthorizationContext authorizationContext) { AdjustAddress(ref serviceReference, via); this.EnsureIdentity(serviceReference, authorizationContext, SR.IdentityCheckFailedForOutgoingMessage); }
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { bool returnvalue = false; foreach (ClaimSet claimset in authContext.ClaimSets) { foreach (Claim claim in claimset) { if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname") { X500DistinguishedName name = (X500DistinguishedName)claim.Resource; if (name.Name.Contains(((OrgEndpointIdentity)identity).OrganizationClaim)) { Console.WriteLine("Claim Type: {0}", claim.ClaimType); Console.WriteLine("Right: {0}", claim.Right); Console.WriteLine("Resource: {0}", claim.Resource); Console.WriteLine(); returnvalue = true; } } } } return returnvalue; }
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { EventTraceActivity eventTraceActivity = null; if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); if (authContext == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext"); if (FxTrace.Trace.IsEnd2EndActivityTracingEnabled) { eventTraceActivity = EventTraceActivityHelper.TryExtractActivity((OperationContext.Current != null) ? OperationContext.Current.IncomingMessage : null); } for (int i = 0; i < authContext.ClaimSets.Count; ++i) { ClaimSet claimSet = authContext.ClaimSets[i]; if (claimSet.ContainsClaim(identity.IdentityClaim)) { SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, identity.IdentityClaim, this.GetType()); return true; } // try Claim equivalence string expectedSpn = null; if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType)) { expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", (string)identity.IdentityClaim.Resource); Claim claim = CheckDnsEquivalence(claimSet, expectedSpn); if (claim != null) { SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType()); return true; } } // Allow a Sid claim to support UPN, and SPN identities // SID claims not available yet //SecurityIdentifier identitySid = null; //if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Sid"); //} //else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Upn"); //} //else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Spn"); //} //else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType)) //{ // throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Dns"); //} //if (identitySid != null) //{ // Claim claim = CheckSidEquivalence(identitySid, claimSet); // if (claim != null) // { // SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType()); // return true; // } //} } SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, this.GetType()); if (WcfEventSource.Instance.SecurityIdentityVerificationFailureIsEnabled()) { WcfEventSource.Instance.SecurityIdentityVerificationFailure(eventTraceActivity); } return false; }
/// <summary> /// Generates a UniqueID based off the Issuer's key and the PPID. /// </summary> /// <param name="authzContext">The Authorization Context</param> /// <returns>A unique ID for this user at this web site.</returns> internal static string GetUniqueName(AuthorizationContext authzContext) { Requires.NotNull(authzContext, "authzContext"); Claim uniqueIssuerClaim = null; Claim uniqueUserClaim = null; foreach (ClaimSet cs in authzContext.ClaimSets) { Claim currentIssuerClaim = GetUniqueRsaClaim(cs.Issuer); foreach (Claim c in cs.FindClaims(ClaimTypes.PPID, Rights.PossessProperty)) { if (null == currentIssuerClaim) { // Found a claim in a ClaimSet with no RSA issuer. return null; } if (null == uniqueUserClaim) { uniqueUserClaim = c; uniqueIssuerClaim = currentIssuerClaim; } else if (!uniqueIssuerClaim.Equals(currentIssuerClaim)) { // Found two of the desired claims with different // issuers. No unique name. return null; } else if (!uniqueUserClaim.Equals(c)) { // Found two of the desired claims with different // values. No unique name. return null; } } } // No claim of the desired type was found if (null == uniqueUserClaim) { return null; } // Unexpected resource type string claimValue = uniqueUserClaim.Resource as string; if (null == claimValue) { return null; } // Unexpected resource type for RSA RSA rsa = uniqueIssuerClaim.Resource as RSA; if (null == rsa) { return null; } return ComputeCombinedId(rsa, claimValue); }
internal void EnsureIncomingIdentity(EndpointAddress serviceReference, AuthorizationContext authorizationContext) { EnsureIdentity(serviceReference, authorizationContext, SR.IdentityCheckFailedForIncomingMessage); }
internal static void TraceIdentityVerificationFailure(EndpointIdentity identity, AuthorizationContext authContext, Type identityVerifier) { }
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { return true; }
public static void SerializeIdentities(AuthorizationContext authContext, SctClaimDictionary dictionary, XmlDictionaryWriter writer, XmlObjectSerializer serializer) { object obj2; if (authContext.Properties.TryGetValue("Identities", out obj2)) { IList<IIdentity> list = obj2 as IList<IIdentity>; if ((list != null) && (list.Count > 0)) { writer.WriteStartElement(dictionary.Identities, dictionary.EmptyString); for (int i = 0; i < list.Count; i++) { SerializePrimaryIdentity(list[i], dictionary, writer, serializer); } writer.WriteEndElement(); } } }
public ServiceSecurityContext(AuthorizationContext authorizationContext) : this(authorizationContext, EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance) { }
private void ParseToken(string xmlToken, X509Certificate2 cert) { int skew = 300; // default to 5 minutes string tokenskew = System.Configuration.ConfigurationManager.AppSettings["MaximumClockSkew"]; if (!string.IsNullOrEmpty(tokenskew)) skew = Int32.Parse(tokenskew); XmlReader tokenReader = new XmlTextReader(new StringReader(xmlToken)); EncryptedData enc = new EncryptedData(); enc.TokenSerializer = WSSecurityTokenSerializer.DefaultInstance; enc.ReadFrom(tokenReader); List<SecurityToken> tokens = new List<SecurityToken>(); SecurityToken encryptingToken = new X509SecurityToken(cert); tokens.Add(encryptingToken); SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false); SymmetricSecurityKey encryptingCrypto; // an error here usually means that you have selected the wrong key. encryptingCrypto = (SymmetricSecurityKey)tokenResolver.ResolveSecurityKey(enc.KeyIdentifier[0]); SymmetricAlgorithm algorithm = encryptingCrypto.GetSymmetricAlgorithm(enc.EncryptionMethod); byte[] decryptedData = enc.GetDecryptedBuffer(algorithm); SecurityTokenSerializer tokenSerializer = WSSecurityTokenSerializer.DefaultInstance; XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8)); m_token = (SamlSecurityToken)tokenSerializer.ReadToken(reader, tokenResolver); SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[]{ new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator() }), new TimeSpan(0, 0, skew)); if (authenticator.CanValidateToken(m_token)) { ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token); m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies); m_identityClaims = FindIdentityClaims(m_authorizationContext); } else { throw new Exception("Unable to validate the token."); } }
public ClaimSet FindIdentityClaims(AuthorizationContext authContext) { // Pick up the claim type to use for generating the UniqueID claim string identificationClaimType = System.Configuration.ConfigurationManager.AppSettings["IdentityClaimType"]; // Or, default to PPID if (string.IsNullOrEmpty(identificationClaimType)) identificationClaimType = System.IdentityModel.Claims.ClaimTypes.PPID; ClaimSet result = null; m_endpointIdentity = null; foreach (ClaimSet claimSet in authContext.ClaimSets) { // // This loops through the claims looking for the configured claim type // that will be used as part of the generation of the unique id. // foreach (Claim claim in claimSet.FindClaims(identificationClaimType, Rights.PossessProperty)) { // found a matching claim. This is good. EndpointIdentity issuerId = CreateIdentityFromClaimSet(claimSet.Issuer); byte[] issuerkey; // we need to get a byte array that represents the issuer's key // to use as part of the hash to generate a unique id. // currently supported: (byte[]) or an RSACryptoServiceProvider, // This could be expanded to support other types. The key just // needs to be extracted as a byte array. issuerkey = issuerId.IdentityClaim.Resource as byte[]; if (null == issuerkey) { RSACryptoServiceProvider csp = issuerId.IdentityClaim.Resource as RSACryptoServiceProvider; if (null != csp) issuerkey = csp.ExportCspBlob(false); // Can't use this claim to get the key. if (null == issuerkey) throw new Exception("Unsupported IdentityClaim resource type"); } // It doesn't matter what encoding type we use, as long as it is consistent. // this conversion is just to get a consistent set of bytes from the claim. byte[] uniqueClaim = Encoding.UTF8.GetBytes(GetResourceValue(claim)); // copy the thumbprint data and the uniqueClaim together. byte[] thumbprintData = new byte[uniqueClaim.Length + issuerkey.Length]; issuerkey.CopyTo(thumbprintData, 0); uniqueClaim.CopyTo(thumbprintData, issuerkey.Length); // generate a hash. using (SHA256 sha = new SHA256Managed()) { Claim thumbprintClaim = new Claim(ClaimTypes.Thumbprint, Convert.ToBase64String(sha.ComputeHash(thumbprintData)), Rights.Identity); m_endpointIdentity = EndpointIdentity.CreateIdentity(thumbprintClaim); } return claimSet; } if (null == m_endpointIdentity) { // // check for identity claim, if found, hold on to it, we may need to use it :) // result = claimSet; m_endpointIdentity = CreateIdentityFromClaimSet(claimSet); } } if (null != m_endpointIdentity) { return result; } // // we have looped all claim sets with out finding an identity claim. // we will return the ppidIdentity and claimset if they were found. // throw new Exception("The XML Token data provided no Identity claim."); }
public ServiceSecurityContext (AuthorizationContext authorizationContext) : this (authorizationContext, new ReadOnlyCollection<IAuthorizationPolicy> (new IAuthorizationPolicy [0])) { }
public ServiceSecurityContext(System.IdentityModel.Policy.AuthorizationContext authorizationContext) : this(authorizationContext, EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance) { }
/// <summary> /// Generates a UniqueID based off the Issuer's key /// </summary> /// <param name="authzContext">the Authorization Context</param> /// <returns>the hash of the internal key of the issuer</returns> internal static string GetIssuerPubKeyHash(AuthorizationContext authzContext) { foreach (ClaimSet cs in authzContext.ClaimSets) { Claim currentIssuerClaim = GetUniqueRsaClaim(cs.Issuer); if (currentIssuerClaim != null) { RSA rsa = currentIssuerClaim.Resource as RSA; if (null == rsa) { return null; } return ComputeCombinedId(rsa, string.Empty); } } return null; }
private Exception CreateIdentityCheckException(EndpointIdentity identity, AuthorizationContext authorizationContext, string errorString, EndpointAddress serviceReference) { Exception result; if (identity.IdentityClaim != null && identity.IdentityClaim.ClaimType == ClaimTypes.Dns && identity.IdentityClaim.Right == Rights.PossessProperty && identity.IdentityClaim.Resource is string) { string expectedDnsName = (string)identity.IdentityClaim.Resource; string actualDnsName = null; for (int i = 0; i < authorizationContext.ClaimSets.Count; ++i) { ClaimSet claimSet = authorizationContext.ClaimSets[i]; foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Dns, Rights.PossessProperty)) { if (claim.Resource is string) { actualDnsName = (string)claim.Resource; break; } } if (actualDnsName != null) { break; } } if (SR.IdentityCheckFailedForIncomingMessage.Equals(errorString)) { if (actualDnsName == null) { result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForIncomingMessageLackOfDnsClaim, expectedDnsName)); } else { result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForIncomingMessage, expectedDnsName, actualDnsName)); } } else if (SR.IdentityCheckFailedForOutgoingMessage.Equals(errorString)) { if (actualDnsName == null) { result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForOutgoingMessageLackOfDnsClaim, expectedDnsName)); } else { result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForOutgoingMessage, expectedDnsName, actualDnsName)); } } else { result = new MessageSecurityException(SR.Format(errorString, identity, serviceReference)); } } else { result = new MessageSecurityException(SR.Format(errorString, identity, serviceReference)); } return result; }
/// <summary> /// Converts a given set of WCF IAuthorizationPolicy to WIF ClaimIdentities. /// </summary> /// <param name="authorizationPolicies">Set of AuthorizationPolicies to convert to IDFx.</param> /// <param name="securityTokenHandlerCollection">The SecurityTokenHandlerCollection to use.</param> /// <returns>ClaimsIdentityCollection</returns> static ReadOnlyCollection <ClaimsIdentity> ConvertToIDFxIdentities(IList <IAuthorizationPolicy> authorizationPolicies, SecurityTokenHandlerCollection securityTokenHandlerCollection) { if (authorizationPolicies == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authorizationPolicies"); } if (securityTokenHandlerCollection == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityTokenHandlerCollection"); } List <ClaimsIdentity> identities = new List <ClaimsIdentity>(); SecurityTokenSpecification kerberosTokenSpecification = null; SysAuthorizationContext kerberosAuthContext = null; if ((OperationContext.Current != null) && (OperationContext.Current.IncomingMessageProperties != null) && (OperationContext.Current.IncomingMessageProperties.Security != null)) { SecurityMessageProperty securityMessageProperty = OperationContext.Current.IncomingMessageProperties.Security; foreach (SecurityTokenSpecification tokenSpecification in new SecurityTokenSpecificationEnumerable(securityMessageProperty)) { if (tokenSpecification.SecurityToken is KerberosReceiverSecurityToken) { kerberosTokenSpecification = tokenSpecification; kerberosAuthContext = SysAuthorizationContext.CreateDefaultAuthorizationContext(kerberosTokenSpecification.SecurityTokenPolicies); break; } } } bool hasKerberosTokenPolicyMatched = false; foreach (IAuthorizationPolicy policy in authorizationPolicies) { bool authPolicyHandled = false; if ((kerberosTokenSpecification != null) && !hasKerberosTokenPolicyMatched) { if (kerberosTokenSpecification.SecurityTokenPolicies.Contains(policy)) { hasKerberosTokenPolicyMatched = true; } else { SysAuthorizationContext authContext = SysAuthorizationContext.CreateDefaultAuthorizationContext(new List <IAuthorizationPolicy>() { policy }); // Kerberos creates only one ClaimSet. So any more ClaimSet would mean that this is not a Policy created from Kerberos. if (authContext.ClaimSets.Count == 1) { bool allClaimsMatched = true; foreach (System.IdentityModel.Claims.Claim c in authContext.ClaimSets[0]) { if (!kerberosAuthContext.ClaimSets[0].ContainsClaim(c)) { allClaimsMatched = false; break; } } hasKerberosTokenPolicyMatched = allClaimsMatched; } } if (hasKerberosTokenPolicyMatched) { SecurityTokenHandler tokenHandler = securityTokenHandlerCollection[kerberosTokenSpecification.SecurityToken]; if ((tokenHandler != null) && tokenHandler.CanValidateToken) { identities.AddRange(tokenHandler.ValidateToken(kerberosTokenSpecification.SecurityToken)); authPolicyHandled = true; } } } if (!authPolicyHandled) { SysAuthorizationContext defaultAuthContext = SysAuthorizationContext.CreateDefaultAuthorizationContext(new List <IAuthorizationPolicy>() { policy }); // // Merge all ClaimSets to IClaimsIdentity. // identities.Add(ConvertToIDFxIdentity(defaultAuthContext.ClaimSets, securityTokenHandlerCollection.Configuration)); } } return(identities.AsReadOnly()); }
public static void SerializeIdentities(AuthorizationContext authContext, SctClaimDictionary dictionary, XmlDictionaryWriter writer, XmlObjectSerializer serializer) { object obj; IList<IIdentity> identities; if (authContext.Properties.TryGetValue(SecurityUtils.Identities, out obj)) { identities = obj as IList<IIdentity>; if (identities != null && identities.Count > 0) { writer.WriteStartElement(dictionary.Identities, dictionary.EmptyString); for (int i = 0; i < identities.Count; ++i) { SerializePrimaryIdentity(identities[i], dictionary, writer, serializer); } writer.WriteEndElement(); } } }
/// <summary> /// Returns true if the IAuthorizationPolicy could have been created from the given Transport token. /// The method can handle only X509SecurityToken and WindowsSecurityToken. /// </summary> /// <param name="transportToken">Client's Security Token provided at the transport layer.</param> /// <param name="tranportTokenIdentities">A collection of <see cref="ClaimsIdentity"/> to match.</param> /// <param name="authPolicy">IAuthorizationPolicy to check.</param> /// <returns>True if the IAuthorizationPolicy could have been created from the given Transpor token.</returns> static bool DoesPolicyMatchTransportToken( SecurityToken transportToken, IEnumerable <ClaimsIdentity> tranportTokenIdentities, IAuthorizationPolicy authPolicy ) { if (transportToken == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("transportToken"); } if (tranportTokenIdentities == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tranportTokenIdentities"); } if (authPolicy == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authPolicy"); } ////////////////////////////////////////////////////////////////////////////////////////// // // There are 5 Client Authentication types at the transport layer. Each of these will // result either in a WindowsSecurityToken, X509SecurityToken or UserNameSecurityToken. // // ClientCredential Type || Transport Token Type // ------------------------------------------------------------------- // Basic -> UserNameSecurityToken (In Self-hosted case) // Basic -> WindowsSecurityToken (In Web-Hosted case) // NTLM -> WindowsSecurityToken // Negotiate -> WindowsSecurityToken // Windows -> WindowsSecurityToken // Certificate -> X509SecurityToken // ////////////////////////////////////////////////////////////////////////////////////////// X509SecurityToken x509SecurityToken = transportToken as X509SecurityToken; SysAuthorizationContext defaultAuthContext = SysAuthorizationContext.CreateDefaultAuthorizationContext(new List <IAuthorizationPolicy>() { authPolicy }); foreach (System.IdentityModel.Claims.ClaimSet claimset in defaultAuthContext.ClaimSets) { if (x509SecurityToken != null) { // Check if the claimset contains a claim that matches the X.509 certificate thumbprint. if (claimset.ContainsClaim(new System.IdentityModel.Claims.Claim( System.IdentityModel.Claims.ClaimTypes.Thumbprint, x509SecurityToken.Certificate.GetCertHash(), System.IdentityModel.Claims.Rights.PossessProperty))) { return(true); } } else { // For WindowsSecurityToken and UserNameSecurityToken check that IClaimsdentity.Name // matches the Name Claim in the ClaimSet. // In most cases, we will have only one Identity in the ClaimsIdentityCollection // generated from transport token. foreach (ClaimsIdentity transportTokenIdentity in tranportTokenIdentities) { if (claimset.ContainsClaim(new System.IdentityModel.Claims.Claim( System.IdentityModel.Claims.ClaimTypes.Name, transportTokenIdentity.Name, System.IdentityModel.Claims.Rights.PossessProperty), new ClaimStringValueComparer())) { return(true); } } } } return(false); }