private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols)
: base(timeouts)
{
_serverTokenProvider = serverTokenProvider;
_requireClientCertificate = requireClientCertificate;
_clientCertificateAuthenticator = clientCertificateAuthenticator;
_identityVerifier = identityVerifier;
_scheme = scheme;
_sslProtocols = sslProtocols;
}
private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols)
: base(timeouts)
{
_serverTokenProvider = serverTokenProvider;
RequireClientCertificate = requireClientCertificate;
_clientCertificateAuthenticator = clientCertificateAuthenticator;
IdentityVerifier = identityVerifier;
Scheme = scheme;
SslProtocols = sslProtocols;
ClientSecurityTokenManager = null; // Used for client but there's public api which need this and the compiler complains it's never assigned
}
private SecurityTokenProvider CreateAndOpenCertificateTokenProvider(EndpointAddress target, Uri via, ChannelParameterCollection channelParameters, TimeSpan timeout)
{
if (!this.RequireClientCertificate)
{
return(null);
}
SecurityTokenProvider tokenProvider = TransportSecurityHelpers.GetCertificateTokenProvider(base.SecurityTokenManager, target, via, this.Scheme, channelParameters);
System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(tokenProvider, timeout);
return(tokenProvider);
}
public GetOneTokenAndSetUpSecurityAsyncResult(Message m, MessageSecurityProtocol binding, SecurityTokenProvider provider,
bool doIdentityChecks, SecurityTokenAuthenticator identityCheckAuthenticator, SecurityProtocolCorrelationState oldCorrelationState, TimeSpan timeout, AsyncCallback callback, object state)
: base(m, binding, timeout, callback, state)
{
this.message = m;
this.binding = binding;
this.provider = provider;
this.doIdentityChecks = doIdentityChecks;
this.oldCorrelationState = oldCorrelationState;
this.identityCheckAuthenticator = identityCheckAuthenticator;
}
internal void Open(string propertyName, bool requiredForForwardDirection, SecurityTokenProvider provider, TimeSpan timeout)
{
if (provider != null)
{
SecurityUtils.OpenTokenProviderIfRequiredAsync(provider, new TimeoutHelper(timeout).GetCancellationToken());
}
else
{
OnPropertySettingsError(propertyName, requiredForForwardDirection);
}
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
if (tokenRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
SecurityTokenProvider result = null;
if (tokenRequirement is RecipientServiceModelSecurityTokenRequirement && tokenRequirement.TokenType == SecurityTokenTypes.X509Certificate && tokenRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
// this is the uncorrelated duplex case
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
}
else if (tokenRequirement is InitiatorServiceModelSecurityTokenRequirement)
{
InitiatorServiceModelSecurityTokenRequirement initiatorRequirement = tokenRequirement as InitiatorServiceModelSecurityTokenRequirement;
string tokenType = initiatorRequirement.TokenType;
if (IsIssuedSecurityTokenRequirement(initiatorRequirement))
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider (IsIssuedSecurityTokenRequirement(initiatorRequirement)");
}
else if (tokenType == SecurityTokenTypes.X509Certificate)
{
if (initiatorRequirement.Properties.ContainsKey(SecurityTokenRequirement.KeyUsageProperty) && initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider X509Certificate - SecurityKeyUsage.Exchange");
}
else
{
if (_parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ClientCertificateNotProvidedOnClientCredentials)));
}
result = new X509SecurityTokenProvider(_parent.ClientCertificate.Certificate);
}
}
else if (tokenType == SecurityTokenTypes.UserName)
{
throw ExceptionHelper.PlatformNotSupported("CreateSecurityTokenProvider SecurityTokenTypes.Username");
}
}
if ((result == null) && !tokenRequirement.IsOptionalToken)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.Format(SR.SecurityTokenManagerCannotCreateProviderForRequirement, tokenRequirement)));
}
return(result);
}
internal void Open(string propertyName, bool requiredForForwardDirection, SecurityTokenProvider provider, TimeSpan timeout)
{
if (provider != null)
{
SecurityUtils.OpenTokenProviderIfRequired(provider, timeout);
}
else
{
OnPropertySettingsError(propertyName, requiredForForwardDirection);
}
}
public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
{
ServiceModelSecurityTokenRequirement requirement = tokenRequirement as ServiceModelSecurityTokenRequirement;
if (requirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
}
if (this.IsX509TokenRequirement(requirement))
{
X509CertificateValidator validator;
if (this.IsForConnectionValidator(requirement))
{
SecurityTokenProvider provider = null;
if (this.ssc != null)
{
provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate());
}
else if (this.delegateManager != null)
{
requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Transport;
requirement.TransportScheme = "net.p2p";
provider = this.delegateManager.CreateSecurityTokenProvider(tokenRequirement);
}
else if (this.credential.Certificate != null)
{
provider = new X509SecurityTokenProvider(this.credential.Certificate);
}
if ((provider == null) && (this.mode == PeerAuthenticationMode.Password))
{
this.ssc = this.parent.GetCertificate();
provider = new X509SecurityTokenProvider(this.ssc.GetX509Certificate());
}
return(provider);
}
if (this.delegateManager != null)
{
requirement.TransportScheme = "net.p2p";
requirement.Properties[SecurityTokenRequirement.PeerAuthenticationMode] = SecurityMode.Message;
return(this.delegateManager.CreateSecurityTokenProvider(tokenRequirement));
}
if (!this.credential.MessageSenderAuthentication.TryGetCertificateValidator(out validator))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType");
}
return(new PeerX509TokenProvider(validator, this.credential.Certificate));
}
if (!this.IsPasswordTokenRequirement(requirement))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("TokenType");
}
return(this.GetPasswordTokenProvider());
}
static T GetToken <T>(SecurityTokenProvider tokenProvider, TimeSpan timeout)
where T : SecurityToken
{
SecurityToken result = tokenProvider.GetToken(timeout);
if ((result != null) && !(result is T))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(
SR.InvalidTokenProvided, tokenProvider.GetType(), typeof(T))));
}
return(result as T);
}
private static async Task <T> GetTokenAsync <T>(SecurityTokenProvider tokenProvider, TimeSpan timeout)
where T : SecurityToken
{
SecurityToken result = await tokenProvider.GetTokenAsync(timeout);
if ((result != null) && !(result is T))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(
SR.InvalidTokenProvided, tokenProvider.GetType(), typeof(T))));
}
return(result as T);
}
internal SecurityTokenProvider CreateAndOpenCertificateTokenProvider(EndpointAddress target, Uri via, ChannelParameterCollection channelParameters, TimeSpan timeout)
{
if (!RequireClientCertificate)
{
return(null);
}
SecurityTokenProvider certificateProvider = TransportSecurityHelpers.GetCertificateTokenProvider(
SecurityTokenManager, target, via, Scheme, channelParameters);
SecurityUtils.OpenTokenProviderIfRequired(certificateProvider, timeout);
return(certificateProvider);
}
/// <summary>
/// Constructor to create an instance of this class.
/// </summary>
/// <param name="securityToken">SecurityToken that represents the SecurityTokenElement element.</param>
public ProviderBackedSecurityToken(SecurityTokenProvider tokenProvider, TimeSpan timeout)
{
_lock = new object();
if (tokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentNullException(nameof(tokenProvider)));
}
TokenProvider = tokenProvider;
_timeout = timeout;
}
public void CreateProviderAnonSslNoBindingElement()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement();
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.TargetAddress = new EndpointAddress("http://localhost:8080");
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
}
private static async Task <T> GetTokenAsync <T>(SecurityTokenProvider tokenProvider, CancellationToken cancellationToken)
where T : SecurityToken
{
SecurityToken result = await tokenProvider.GetTokenAsync(cancellationToken);
if ((result != null) && !(result is T))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(string.Format(
SRServiceModel.InvalidTokenProvided, tokenProvider.GetType(), typeof(T))));
}
return(result as T);
}
public void IssueToken_CalledOnContract_CallsChannelIssue()
{
// Arrange
var securityTokenProvider = new SecurityTokenProvider();
var channelContract = MockRepository.GenerateMock <IWSTrustChannelContract>();
var actAsToken = MockRepository.GenerateStub <SecurityToken>();
// Act
securityTokenProvider.IssueToken(channelContract, "http://localhost/service", actAsToken);
// Assert
channelContract.AssertWasCalled(x => x.Issue(Arg <RequestSecurityToken> .Is.Anything, out Arg <RequestSecurityTokenResponse> .Out(null).Dummy));
}
public void CreateChannel_WhenCalled_ReturnsChannel()
{
// Arrange
var securityTokenProvider = new SecurityTokenProvider();
var issuerBinding = new WS2007HttpBinding();
var issuerEndpointAddress = new EndpointAddress("http://localhost/issuer");
// Act
var actual = securityTokenProvider.CreateChannel(issuerBinding, issuerEndpointAddress);
// Assert
Assert.IsNotNull(actual);
}
public void CreateProviderAnonSsl(bool useTransport)
{
InitiatorServiceModelSecurityTokenRequirement r =
GetAnonSslProviderRequirement(useTransport);
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
ICommunicationObject comm = p as ICommunicationObject;
Assert.IsNotNull(comm, "#2");
}
public void IssueToken_WS2007HttpBindingIsNotSet_Throws()
{
// Arrange
var securityTokenProvider = new SecurityTokenProvider();
var binding = MockRepository.GenerateStub <WS2007FederationHttpBinding>();
var actAsToken = MockRepository.GenerateStub <SecurityToken>();
// Act
// Assert
var ex = Assert.Throws <ApplicationException>(() => securityTokenProvider.IssueToken(binding, "http://localhost/service", actAsToken));
Assert.AreEqual("Unable to get WS2007HttpBinding", ex.Message);
}
public void CreateProviderAnonSslNoIssuerBindingContext()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement();
// r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
new MySslSecurityTokenParameters().InitRequirement(r);
r.TargetAddress = new EndpointAddress("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement();
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
}
protected override void OnOpen(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(this.ClientCertificateAuthenticator, helper.RemainingTime());
if (this.serverTokenProvider != null)
{
System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(this.serverTokenProvider, helper.RemainingTime());
SecurityToken token = this.serverTokenProvider.GetToken(timeout);
this.SetupServerCertificate(token);
System.ServiceModel.Security.SecurityUtils.CloseTokenProviderIfRequired(this.serverTokenProvider, helper.RemainingTime());
this.serverTokenProvider = null;
}
}
public override void OnAbort()
{
if (this.clientTokenProvider != null)
{
System.ServiceModel.Security.SecurityUtils.AbortTokenProviderIfRequired(this.ClientTokenProvider);
this.clientTokenProvider = null;
}
if (this.serverTokenAuthenticator != null)
{
System.ServiceModel.Security.SecurityUtils.AbortTokenAuthenticatorIfRequired(this.ServerTokenAuthenticator);
this.serverTokenAuthenticator = null;
}
base.OnAbort();
}
public static void Methods_Override()
{
var tokenManager = new SecurityTokenManagerImpl();
SecurityTokenVersionImpl tokenVersion = new SecurityTokenVersionImpl();
SecurityTokenRequirement tokenRequirement = new SecurityTokenRequirement();
SecurityTokenAuthenticator authenticator = tokenManager.CreateSecurityTokenAuthenticator(tokenRequirement, out SecurityTokenResolver resolver);
SecurityTokenProvider provider = tokenManager.CreateSecurityTokenProvider(tokenRequirement);
SecurityTokenSerializer serializer = tokenManager.CreateSecurityTokenSerializer(tokenVersion);
Assert.IsType <SecurityTokenAuthenticatorImpl>(authenticator);
Assert.IsType <SecurityTokenResolverImpl>(resolver);
Assert.IsType <SecurityTokenProviderSyncImpl>(provider);
Assert.IsType <SecurityTokenSerializerImpl>(serializer);
}
public GetUserNameCredentialAsyncResult(SecurityTokenProviderContainer tokenProvider, TimeSpan timeout, AsyncCallback callback, object state) : base(callback, state)
{
if ((tokenProvider == null) || (tokenProvider.TokenProvider == null))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("NoUserNameTokenProvided")));
}
this.tokenProvider = tokenProvider.TokenProvider;
IAsyncResult result = this.tokenProvider.BeginGetToken(timeout, onGetToken, this);
if (result.CompletedSynchronously)
{
this.CompleteGetToken(result);
base.Complete(true);
}
}
protected override void OnOpen(TimeSpan timeout)
{
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
SecurityUtils.OpenTokenAuthenticatorIfRequired(ClientCertificateAuthenticator, timeoutHelper.RemainingTime());
if (_serverTokenProvider != null)
{
SecurityUtils.OpenTokenProviderIfRequired(_serverTokenProvider, timeoutHelper.RemainingTime());
SecurityToken token = _serverTokenProvider.GetTokenAsync(timeoutHelper.RemainingTime()).GetAwaiter().GetResult();
SetupServerCertificate(token);
SecurityUtils.CloseTokenProviderIfRequired(_serverTokenProvider, timeoutHelper.RemainingTime());
_serverTokenProvider = null;
}
}
public SupportingTokenProviderSpecification(SecurityTokenProvider tokenProvider, SecurityTokenAttachmentMode attachmentMode, SecurityTokenParameters tokenParameters)
{
if (tokenProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenProvider");
}
SecurityTokenAttachmentModeHelper.Validate(attachmentMode);
if (tokenParameters == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenParameters");
}
_tokenProvider = tokenProvider;
_tokenAttachmentMode = attachmentMode;
_tokenParameters = tokenParameters;
}
public override void OnClose(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
if (this.clientTokenProvider != null)
{
System.ServiceModel.Security.SecurityUtils.CloseTokenProviderIfRequired(this.ClientTokenProvider, helper.RemainingTime());
this.clientTokenProvider = null;
}
if (this.serverTokenAuthenticator != null)
{
System.ServiceModel.Security.SecurityUtils.CloseTokenAuthenticatorIfRequired(this.ServerTokenAuthenticator, helper.RemainingTime());
this.serverTokenAuthenticator = null;
}
base.OnClose(helper.RemainingTime());
}
public override void OnAbort()
{
if (this.Factory.ActAsInitiator)
{
SecurityTokenProvider provider = this.initiatorSymmetricTokenProvider ?? this.initiatorAsymmetricTokenProvider;
if (provider != null)
{
SecurityUtils.AbortTokenProviderIfRequired(provider);
}
if (this.initiatorTokenAuthenticator != null)
{
SecurityUtils.AbortTokenAuthenticatorIfRequired(this.initiatorTokenAuthenticator);
}
}
base.OnAbort();
}
HttpWebRequest CreateHttpWebRequest(TimeSpan timeout)
{
TimeoutHelper helper = new TimeoutHelper(timeout);
ChannelParameterCollection channelParameterCollection = new ChannelParameterCollection();
HttpWebRequest request;
if (HttpChannelFactory <IDuplexSessionChannel> .MapIdentity(this.RemoteAddress, this.channelFactory.AuthenticationScheme))
{
lock (ThisLock)
{
this.cleanupIdentity = HttpTransportSecurityHelpers.AddIdentityMapping(Via, RemoteAddress);
}
}
this.channelFactory.CreateAndOpenTokenProviders(
this.RemoteAddress,
this.Via,
channelParameterCollection,
helper.RemainingTime(),
out this.webRequestTokenProvider,
out this.webRequestProxyTokenProvider);
SecurityTokenContainer clientCertificateToken = null;
HttpsChannelFactory <IDuplexSessionChannel> httpsChannelFactory = this.channelFactory as HttpsChannelFactory <IDuplexSessionChannel>;
if (httpsChannelFactory != null && httpsChannelFactory.RequireClientCertificate)
{
SecurityTokenProvider certificateProvider = httpsChannelFactory.CreateAndOpenCertificateTokenProvider(this.RemoteAddress, this.Via, channelParameterCollection, helper.RemainingTime());
clientCertificateToken = httpsChannelFactory.GetCertificateSecurityToken(certificateProvider, this.RemoteAddress, this.Via, channelParameterCollection, ref helper);
}
request = this.channelFactory.GetWebRequest(this.RemoteAddress, this.Via, this.webRequestTokenProvider, this.webRequestProxyTokenProvider, clientCertificateToken, helper.RemainingTime(), true);
// If a web socket connection factory is specified (for example, when using web sockets on pre-Win8 OS),
// we're going to use the protocol version from it. At the moment, on pre-Win8 OS, the HttpWebRequest
// created above doesn't have the version header specified.
if (this.connectionFactory != null)
{
this.UseWebSocketVersionFromFactory(request);
}
this.webSocketKey = request.Headers[WebSocketHelper.SecWebSocketKey];
this.ConfigureHttpWebRequestHeader(request);
request.Timeout = (int)helper.RemainingTime().TotalMilliseconds;
return(request);
}
public void CreateProviderAnonSsl()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
new MySslSecurityTokenParameters().InitRequirement(r);
Assert.IsFalse(r.Properties.ContainsKey(ReqType.ChannelParametersCollectionProperty), "#1");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.EndpointFilterTableProperty), "#2");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.HttpAuthenticationSchemeProperty), "#3");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.IsOutOfBandTokenProperty), "#4");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.IssuerAddressProperty), "#5");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.MessageDirectionProperty), "#6");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.MessageSecurityVersionProperty), "#7");
//Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.SecurityAlgorithmSuiteProperty), "#9");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.SecurityBindingElementProperty), "#10");
Assert.IsFalse(r.Properties.ContainsKey(ReqType.SupportingTokenAttachmentModeProperty), "#11");
Assert.AreEqual(null, r.TransportScheme, "#12");
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext(new CustomBinding(), new BindingParameterCollection());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
r.Properties [ReqType.SecurityAlgorithmSuiteProperty] =
SecurityAlgorithmSuite.Default;
r.TransportScheme = "https";
r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection();
r.Properties [ReqType.EndpointFilterTableProperty] = null;
r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous;
r.Properties [ReqType.IsOutOfBandTokenProperty] = true;
r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress("http://localhost:9090");
// r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input;
r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement();
r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
}
public void CreateProviderAnonSslError()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement();
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext(new CustomBinding(), new BindingParameterCollection());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider(r);
Assert.IsNotNull(p, "#1");
}
