Beispiel #1
0
        protected override async Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            var cert = request.GetClientCertificate();
            if (cert == null) return await base.SendAsync(request, cancellationToken);
            try
            {
                _validator.Validate(cert);
            }
            catch (SecurityTokenValidationException)
            {
                return new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
            var issuer = _issuerMapper(cert);
            if (issuer == null)
            {
                return new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }

            var claims = ExtractClaims(cert, issuer);
            var identity = new ClaimsIdentity(new ClaimsIdentity(claims, X509AuthnMethod));
            AddIdentityToCurrentPrincipal(identity, request);

            return await base.SendAsync(request, cancellationToken);
        }
Beispiel #2
0
        public void GetClientCertificate_Throws_WhenRequestIsNull()
        {
            // Arrange
            HttpRequestMessage request = null;

            // Act & Assert
            Assert.ThrowsArgumentNull(() => request.GetClientCertificate(), "request");
        }
Beispiel #3
0
        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, 
            CancellationToken cancellationToken)
        {
            var cert = request.GetClientCertificate();
            if (cert != null)
            {
                // Not sure how this ever results in not null. Hope to find out
            }

            return base.SendAsync(request, cancellationToken);
        }
Beispiel #4
0
        public void GetClientCertificate_ReturnsClientCertificateFromProperty_WhenOnlyPropertyIsPresent()
        {
            // Arrange
            using (HttpRequestMessage request = CreateRequest())
            {
                X509Certificate2 expectedCertificate = CreateCertificate();
                request.Properties[HttpPropertyKeys.ClientCertificateKey] = expectedCertificate;

                // Act
                X509Certificate2 certificate = request.GetClientCertificate();

                // Assert
                Assert.Same(expectedCertificate, certificate);
            }
        }
Beispiel #5
0
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // Retrieving the Client certificate sent by the client
            X509Certificate cert = request.GetClientCertificate();

            // The following code SHOULD be replaced with some custom mapping logic from client certificate to their roles. 
            // The client certificate is not being checked for certificate revocation or ensure PKI validity. 
            if (cert != null)
            {
                if (cert.GetCertHashString() == Program.ClientCertHash)
                {
                    Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(cert.Subject), new[] { "Administrators" });
                }
            }

            return base.SendAsync(request, cancellationToken);
        }
Beispiel #6
0
        public void GetClientCertificate_ReturnsClientCertificateFromContext_WhenOnlyContextIsPresent()
        {
            // Arrange
            using (HttpRequestMessage request = CreateRequest())
            {
                X509Certificate2 expectedCertificate = CreateCertificate();
                request.SetRequestContext(new HttpRequestContext
                {
                    ClientCertificate = expectedCertificate
                });

                // Act
                X509Certificate2 certificate = request.GetClientCertificate();

                // Assert
                Assert.Same(expectedCertificate, certificate);
            }
        }
Beispiel #7
0
        public void GetClientCertificate_ReturnsClientCertificateFromContext_WhenBothContextAndPropertyArePresent()
        {
            // Arrange
            using (HttpRequestMessage request = CreateRequest())
            {
                X509Certificate2 expectedCertificate = CreateCertificate();
                request.SetRequestContext(new HttpRequestContext
                {
                    ClientCertificate = expectedCertificate
                });
                X509Certificate2 otherCertificate = CreateCertificate();
                request.Properties[HttpPropertyKeys.ClientCertificateKey] = otherCertificate;

                // Act
                X509Certificate2 certificate = request.GetClientCertificate();

                // Assert
                Assert.Same(expectedCertificate, certificate);
            }
        }
Beispiel #8
0
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // Retrieving the Client certificate sent by the client
            X509Certificate cert = request.GetClientCertificate();

            // The following code SHOULD be replaced with some custom mapping logic from client certificate to their roles. 
            if (cert != null)
            {
                if (cert.GetCertHashString() == ClientCertHash)
                {
                    Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(cert.Subject, "X509Certificate"), new[] { "Administrators" });

                    if (HttpContext.Current != null)
                    {
                        HttpContext.Current.User = Thread.CurrentPrincipal;
                    }
                }
            }

            return base.SendAsync(request, cancellationToken);
        }
Beispiel #9
0
        public ClaimsPrincipal Authenticate(HttpRequestMessage request)
        {
            string resourceName = request.RequestUri.AbsoluteUri;

            // if session feature is enabled (and this is not a token request), check for session token first
            if (Configuration.EnableSessionToken && !IsSessionTokenRequest(request))
            {
                var principal = AuthenticateSessionToken(request);

                if (principal.Identity.IsAuthenticated)
                {
                    Tracing.Information(Area.HttpAuthentication, "Client authenticated using session token");
                    return principal;
                }
            }

            // check for credentials on the authorization header
            if (Configuration.HasAuthorizationHeaderMapping)
            {
                var authZ = request.Headers.Authorization;
                if (authZ != null)
                {
                    Tracing.Verbose(Area.HttpAuthentication, "Mapping for authorization header found: " + authZ.Scheme);

                    var principal = AuthenticateAuthorizationHeader(authZ.Scheme, authZ.Parameter);

                    if (principal.Identity.IsAuthenticated)
                    {
                        Tracing.Information(Area.HttpAuthentication, "Client authenticated using authorization header mapping: " + authZ.Scheme);

                        return Transform(resourceName, principal);
                    }
                }
            }

            // check for credentials on other headers
            if (Configuration.HasHeaderMapping)
            {
                if (request.Headers != null)
                {
                    Tracing.Verbose(Area.HttpAuthentication, "Mapping for header header found.");

                    var principal = AuthenticateHeaders(request.Headers);

                    if (principal.Identity.IsAuthenticated)
                    {
                        Tracing.Information(Area.HttpAuthentication, "Client authenticated using header mapping");

                        return Transform(resourceName, principal);
                    }
                }
            }

            // check for credentials on the query string
            if (Configuration.HasQueryStringMapping)
            {
                if (request.RequestUri != null && !string.IsNullOrWhiteSpace(request.RequestUri.Query))
                {
                    Tracing.Verbose(Area.HttpAuthentication, "Mapping for query string found.");

                    var principal = AuthenticateQueryStrings(request.RequestUri);

                    if (principal.Identity.IsAuthenticated)
                    {
                        Tracing.Information(Area.HttpAuthentication, "Client authenticated using query string mapping");
                        return Transform(resourceName, principal);
                    }
                }
            }

            // check for client certificate
            if (Configuration.HasClientCertificateMapping)
            {
                var cert = request.GetClientCertificate();

                if (cert != null)
                {
                    Tracing.Verbose(Area.HttpAuthentication, "Mapping for client certificate found.");

                    var principal = AuthenticateClientCertificate(cert);

                    if (principal.Identity.IsAuthenticated)
                    {
                        Tracing.Information(Area.HttpAuthentication, "Client authenticated using client certificate");
                        return Transform(resourceName, principal);
                    }
                }
            }

            // do claim transformation (if enabled), and return.
            return Transform(resourceName, Principal.Anonymous);
        }
Beispiel #10
0
        public bool TryGetClientCertificateFromRequest(HttpRequestMessage request, out X509Certificate2 clientCertificate)
        {
            clientCertificate = request.GetClientCertificate();

            if (clientCertificate != null)
            {
                return true;
            }

            return false;
        }