/// <summary>
/// Creates an instance of <see cref="SamlSecurityTokenRequirement"/>
/// <param name="element">The XmlElement from which the instance is to be loaded.</param>
/// </summary>
public SamlSecurityTokenRequirement(XmlElement element)
{
if (element == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("element");
}
if (element.LocalName != ConfigurationStrings.SamlSecurityTokenRequirement)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7000, ConfigurationStrings.SamlSecurityTokenRequirement, element.LocalName));
}
bool foundCustomX509Validator = false;
X509RevocationMode revocationMode = DefaultRevocationMode;
X509CertificateValidationMode certificateValidationMode = DefaultValidationMode;
StoreLocation trustedStoreLocation = DefaultStoreLocation;
string customValidator = null;
foreach (XmlAttribute attribute in element.Attributes)
{
if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.MapToWindows))
{
bool outMapToWindows = false;
if (!bool.TryParse(attribute.Value, out outMapToWindows))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7022, attribute.Value));
}
this.MapToWindows = outMapToWindows;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateValidator))
{
customValidator = attribute.Value.ToString();
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateRevocationMode))
{
foundCustomX509Validator = true;
string revocationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeNoCheck))
{
revocationMode = X509RevocationMode.NoCheck;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOffline))
{
revocationMode = X509RevocationMode.Offline;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOnline))
{
revocationMode = X509RevocationMode.Online;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateValidationMode))
{
foundCustomX509Validator = true;
string validationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.ChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerOrChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeNone))
{
certificateValidationMode = X509CertificateValidationMode.None;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeCustom))
{
certificateValidationMode = X509CertificateValidationMode.Custom;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.IssuerCertificateTrustedStoreLocation))
{
foundCustomX509Validator = true;
string trustedStoreLocationString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationCurrentUser))
{
trustedStoreLocation = StoreLocation.CurrentUser;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationLocalMachine))
{
trustedStoreLocation = StoreLocation.LocalMachine;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, element.LocalName)));
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7004, attribute.LocalName, element.LocalName)));
}
}
List <XmlElement> configElements = XmlUtil.GetXmlElements(element.ChildNodes);
foreach (XmlElement childElement in configElements)
{
if (StringComparer.Ordinal.Equals(childElement.LocalName, ConfigurationStrings.NameClaimType))
{
if (childElement.Attributes.Count != 1 || !StringComparer.Ordinal.Equals(childElement.Attributes[0].LocalName, ConfigurationStrings.Value))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7001, String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}/{1}", element.LocalName, childElement.LocalName), ConfigurationStrings.Value));
}
this.NameClaimType = childElement.Attributes[0].Value;
}
else if (StringComparer.Ordinal.Equals(childElement.LocalName, ConfigurationStrings.RoleClaimType))
{
if (childElement.Attributes.Count != 1 || !StringComparer.Ordinal.Equals(childElement.Attributes[0].LocalName, ConfigurationStrings.Value))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7001, String.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}/{1}", element.LocalName, childElement.LocalName), ConfigurationStrings.Value));
}
this.RoleClaimType = childElement.Attributes[0].Value;
}
else
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7002, childElement.LocalName, ConfigurationStrings.SamlSecurityTokenRequirement));
}
}
if (certificateValidationMode == X509CertificateValidationMode.Custom)
{
if (string.IsNullOrEmpty(customValidator))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7028));
}
Type customValidatorType = Type.GetType(customValidator, true);
if (customValidatorType == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.ID7007, customValidatorType));
}
_certificateValidator = CustomTypeElement.Resolve <X509CertificateValidator>(new CustomTypeElement(customValidatorType));
}
else if (foundCustomX509Validator)
{
_certificateValidator = X509Util.CreateCertificateValidator(certificateValidationMode, revocationMode, trustedStoreLocation);
}
}
/// <summary>
/// Load custom configuration from Xml
/// </summary>
/// <param name="customConfigElements">XmlElement to custom configuration.</param>
/// <exception cref="ArgumentNullException">The param 'customConfigElements' is null.</exception>
/// <exception cref="InvalidOperationException">Custom configuration specified was invalid.</exception>
public override void LoadCustomConfiguration(XmlNodeList customConfigElements)
{
if (customConfigElements == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("customConfigElements");
}
List <XmlElement> configNodes = XmlUtil.GetXmlElements(customConfigElements);
bool foundValidConfig = false;
bool foundCustomX509Validator = false;
X509RevocationMode revocationMode = defaultRevocationMode;
X509CertificateValidationMode certificateValidationMode = defaultValidationMode;
StoreLocation trustedStoreLocation = defaultStoreLocation;
string customValidator = null;
foreach (XmlElement customConfigElement in configNodes)
{
if (!StringComparer.Ordinal.Equals(customConfigElement.LocalName, ConfigurationStrings.X509SecurityTokenHandlerRequirement))
{
continue;
}
if (foundValidConfig)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7026, ConfigurationStrings.X509SecurityTokenHandlerRequirement));
}
foreach (XmlAttribute attribute in customConfigElement.Attributes)
{
if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.MapToWindows))
{
mapToWindows = XmlConvert.ToBoolean(attribute.Value.ToLowerInvariant());
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateValidator))
{
customValidator = attribute.Value.ToString();
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateRevocationMode))
{
foundCustomX509Validator = true;
string revocationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeNoCheck))
{
revocationMode = X509RevocationMode.NoCheck;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOffline))
{
revocationMode = X509RevocationMode.Offline;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(revocationModeString, ConfigurationStrings.X509RevocationModeOnline))
{
revocationMode = X509RevocationMode.Online;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509CertificateValidationMode))
{
foundCustomX509Validator = true;
string validationModeString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.ChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerOrChainTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModePeerTrust))
{
certificateValidationMode = X509CertificateValidationMode.PeerTrust;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeNone))
{
certificateValidationMode = X509CertificateValidationMode.None;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(validationModeString, ConfigurationStrings.X509CertificateValidationModeCustom))
{
certificateValidationMode = X509CertificateValidationMode.Custom;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName)));
}
}
else if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.X509TrustedStoreLocation))
{
foundCustomX509Validator = true;
string trustedStoreLocationString = attribute.Value.ToString();
if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationCurrentUser))
{
trustedStoreLocation = StoreLocation.CurrentUser;
}
else if (StringComparer.OrdinalIgnoreCase.Equals(trustedStoreLocationString, ConfigurationStrings.X509TrustedStoreLocationLocalMachine))
{
trustedStoreLocation = StoreLocation.LocalMachine;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7011, attribute.LocalName, customConfigElement.LocalName)));
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7004, attribute.LocalName, customConfigElement.LocalName)));
}
}
foundValidConfig = true;
}
if (certificateValidationMode == X509CertificateValidationMode.Custom)
{
if (String.IsNullOrEmpty(customValidator))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7028));
}
Type customValidatorType = Type.GetType(customValidator, true);
if (customValidatorType == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.ID7007, customValidatorType));
}
certificateValidator = CustomTypeElement.Resolve <X509CertificateValidator>(new CustomTypeElement(customValidatorType));
}
else if (foundCustomX509Validator)
{
certificateValidator = X509Util.CreateCertificateValidator(certificateValidationMode, revocationMode, trustedStoreLocation);
}
}
/// <summary>
/// Updates properties in the <see cref="SecurityTokenHandlerConfiguration"/> objects for the
/// <see cref="SecurityTokenHandlerCollection"/> objects contained in
/// <see cref="IdentityConfiguration.SecurityTokenHandlerCollectionManager"/> to be consistent with the property
/// values on this <see cref="IdentityConfiguration"/> instance.
/// </summary>
/// <remarks>
/// This method should be invoked prior to using these token handlers
/// for token processing.
/// </remarks>
/// <exception cref="InvalidOperationException">If this method is invoked more than once.</exception>
public virtual void Initialize()
{
if (this.IsInitialized)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID7009));
}
SecurityTokenHandlerCollection defaultCollection = this.SecurityTokenHandlers;
if (!object.ReferenceEquals(_serviceHandlerConfiguration, defaultCollection.Configuration))
{
//
// If someone has created their own new STHConfig and set it as default, leave that config alone.
//
TraceUtility.TraceString(TraceEventType.Information, SR.GetString(SR.ID4283));
this.IsInitialized = true;
return;
}
// Update the ServiceTokenResolver of the default TokenHandlerCollection's configuration, if serviceCertificate is set.
if (this.ServiceCertificate != null)
{
SecurityTokenResolver serviceCertificateResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(
new SecurityToken[] { new X509SecurityToken(this.ServiceCertificate) }), false);
SecurityTokenResolver tokenResolver = this.SecurityTokenHandlers.Configuration.ServiceTokenResolver;
if ((tokenResolver != null) && (tokenResolver != EmptySecurityTokenResolver.Instance))
{
this.SecurityTokenHandlers.Configuration.ServiceTokenResolver = new AggregateTokenResolver(new SecurityTokenResolver[] { serviceCertificateResolver, tokenResolver });
}
else
{
this.SecurityTokenHandlers.Configuration.ServiceTokenResolver = serviceCertificateResolver;
}
}
SecurityTokenResolver configuredIssuerTokenResolver = this.IssuerTokenResolver;
if (this.IssuerTokenResolver == SecurityTokenHandlerConfiguration.DefaultIssuerTokenResolver)
{
//
// Add the known certificates from WCF's ServiceCredentials in front of
// the default issuer token resolver.
//
if (this.KnownIssuerCertificates != null)
{
int count = this.KnownIssuerCertificates.Count;
if (count > 0)
{
SecurityToken[] tokens = new SecurityToken[count];
for (int i = 0; i < count; i++)
{
tokens[i] = new X509SecurityToken(this.KnownIssuerCertificates[i]);
}
SecurityTokenResolver knownCertificateTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(tokens), false);
this.IssuerTokenResolver = new AggregateTokenResolver(new SecurityTokenResolver[] { knownCertificateTokenResolver, configuredIssuerTokenResolver });
}
}
}
if (this.CertificateValidationMode != X509CertificateValidationMode.Custom)
{
defaultCollection.Configuration.CertificateValidator = X509Util.CreateCertificateValidator(defaultCollection.Configuration.CertificateValidationMode,
defaultCollection.Configuration.RevocationMode,
defaultCollection.Configuration.TrustedStoreLocation);
}
else if (object.ReferenceEquals(defaultCollection.Configuration.CertificateValidator, SecurityTokenHandlerConfiguration.DefaultCertificateValidator))
{
//
// If the mode is custom but the validator or still default, something has gone wrong.
//
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4280)));
}
this.IsInitialized = true;
}
