public GroupSidClaimCollection(WindowsIdentity windowsIdentity)
{
if (windowsIdentity.Token != IntPtr.Zero)
{
SafeHGlobalHandle invalidHandle = SafeHGlobalHandle.InvalidHandle;
try
{
uint num;
invalidHandle = WindowsClaimSet.GetTokenInformation(windowsIdentity.Token, System.IdentityModel.TokenInformationClass.TokenGroups, out num);
int num2 = Marshal.ReadInt32(invalidHandle.DangerousGetHandle());
IntPtr ptr = new IntPtr(((long)invalidHandle.DangerousGetHandle()) + ((long)Marshal.OffsetOf(typeof(TOKEN_GROUPS), "Groups")));
for (int i = 0; i < num2; i++)
{
SID_AND_ATTRIBUTES sid_and_attributes = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr, typeof(SID_AND_ATTRIBUTES));
uint num4 = 0xc0000014;
if ((sid_and_attributes.Attributes & num4) == 4)
{
base.Add(Claim.CreateWindowsSidClaim(new SecurityIdentifier(sid_and_attributes.Sid)));
}
else if ((sid_and_attributes.Attributes & num4) == 0x10)
{
base.Add(Claim.CreateDenyOnlyWindowsSidClaim(new SecurityIdentifier(sid_and_attributes.Sid)));
}
ptr = new IntPtr(((long)ptr) + SID_AND_ATTRIBUTES.SizeOf);
}
}
finally
{
invalidHandle.Close();
}
}
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
#if FEATURE_NETNATIVE // NegotiateStream
throw ExceptionHelper.PlatformNotSupported("Windows Stream Security is not yet supported on UWP");
#else //FEATURE_NETNATIVE
WindowsSecurityToken windowsToken = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo);
return SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo);
#endif // FEATURE_NETNATIVE
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
#if SUPPORTS_WINDOWSIDENTITY // NegotiateStream
WindowsSecurityToken windowsToken = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo);
return SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo);
#else // SUPPORTS_WINDOWSIDENTITY
throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported);
#endif // SUPPORTS_WINDOWSIDENTITY
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
X509SecurityToken x509Token = (X509SecurityToken)token;
this.validator.Validate(x509Token.Certificate);
X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, this.cloneHandle);
if (!this.mapToWindows)
return SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo);
WindowsClaimSet windowsClaimSet;
if (token is X509WindowsSecurityToken)
{
windowsClaimSet = new WindowsClaimSet( ( (X509WindowsSecurityToken)token ).WindowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, this.cloneHandle );
}
else
{
// Ensure NT_AUTH chain policy for certificate account mapping
X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate);
WindowsIdentity windowsIdentity = null;
// for Vista, LsaLogon supporting mapping cert to NTToken
if (Environment.OSVersion.Version.Major >= SecurityUtils.WindowsVistaMajorNumber)
{
windowsIdentity = KerberosCertificateLogon(x509Token.Certificate);
}
else
{
// Downlevel, S4U over PrincipalName SubjectAltNames
string name = x509Token.Certificate.GetNameInfo(X509NameType.UpnName, false);
if (string.IsNullOrEmpty(name))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.InvalidNtMapping,
SecurityUtils.GetCertificateId(x509Token.Certificate))));
}
using (WindowsIdentity initialWindowsIdentity = new WindowsIdentity(name, SecurityUtils.AuthTypeCertMap))
{
// This is to make sure that the auth Type is shoved down to the class as the above constructor does not do it.
windowsIdentity = new WindowsIdentity(initialWindowsIdentity.Token, SecurityUtils.AuthTypeCertMap);
}
}
windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false);
}
List<ClaimSet> claimSets = new List<ClaimSet>(2);
claimSets.Add(windowsClaimSet);
claimSets.Add(x509ClaimSet);
List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
policies.Add(new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo));
return policies.AsReadOnly();
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password)
{
string domain = null;
string[] strings = userName.Split('\\');
if (strings.Length != 1)
{
if (strings.Length != 2 || string.IsNullOrEmpty(strings[0]))
{
// Only support one slash and domain cannot be empty (consistent with windowslogon).
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.IncorrectUserNameFormat));
}
// This is the downlevel case - domain\userName
userName = strings[1];
domain = strings[0];
}
const uint LOGON32_PROVIDER_DEFAULT = 0;
const uint LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
SafeCloseHandle tokenHandle = null;
try
{
if (!NativeMethods.LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out tokenHandle))
{
int error = Marshal.GetLastWin32Error();
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.FailLogonUser, userName), new Win32Exception(error)));
}
WindowsIdentity windowsIdentity = new WindowsIdentity(tokenHandle.DangerousGetHandle(), SecurityUtils.AuthTypeBasic);
WindowsClaimSet claimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeBasic, this.includeWindowsGroups, false);
return SecurityUtils.CreateAuthorizationPolicies(claimSet, claimSet.ExpirationTime);
}
finally
{
if (tokenHandle != null)
tokenHandle.Close();
}
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (windowsNegotiation.IsValidContext == false)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation)));
}
SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation);
if (this.IsClientAnonymous)
{
return EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance;
}
using (SafeCloseHandle contextToken = windowsNegotiation.GetContextToken())
{
WindowsIdentity windowsIdentity = new WindowsIdentity(contextToken.DangerousGetHandle(), windowsNegotiation.ProtocolName);
SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, this.AllowUnauthenticatedCallers);
List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1);
WindowsClaimSet wic = new WindowsClaimSet( windowsIdentity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false );
policies.Add(new System.IdentityModel.Policy.UnconditionalPolicy(wic, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime)));
return policies.AsReadOnly();
}
}
WindowsClaimSet(WindowsClaimSet from)
: this(from.WindowsIdentity, from.authenticationType, from.includeWindowsGroups, from.expirationTime, true)
{
}
private WindowsClaimSet(WindowsClaimSet from)
: this(from.WindowsIdentity, from._authenticationType, from._includeWindowsGroups, from._expirationTime, true)
{
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsSecurityToken token2 = (WindowsSecurityToken) token;
WindowsClaimSet claimSet = new WindowsClaimSet(token2.WindowsIdentity, token2.AuthenticationType, this.includeWindowsGroups, token2.ValidTo);
return System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo);
}
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsClaimSet set2;
X509SecurityToken token2 = (X509SecurityToken) token;
this.validator.Validate(token2.Certificate);
X509CertificateClaimSet claimSet = new X509CertificateClaimSet(token2.Certificate, this.cloneHandle);
if (!this.mapToWindows)
{
return System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo);
}
if (token is X509WindowsSecurityToken)
{
set2 = new WindowsClaimSet(((X509WindowsSecurityToken) token).WindowsIdentity, "SSL/PCT", this.includeWindowsGroups, this.cloneHandle);
}
else
{
X509CertificateValidator.NTAuthChainTrust.Validate(token2.Certificate);
WindowsIdentity windowsIdentity = null;
if (Environment.OSVersion.Version.Major >= 6)
{
windowsIdentity = KerberosCertificateLogon(token2.Certificate);
}
else
{
string nameInfo = token2.Certificate.GetNameInfo(X509NameType.UpnName, false);
if (string.IsNullOrEmpty(nameInfo))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("InvalidNtMapping", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(token2.Certificate) })));
}
using (WindowsIdentity identity2 = new WindowsIdentity(nameInfo, "SSL/PCT"))
{
windowsIdentity = new WindowsIdentity(identity2.Token, "SSL/PCT");
}
}
set2 = new WindowsClaimSet(windowsIdentity, "SSL/PCT", this.includeWindowsGroups, false);
}
List<ClaimSet> list = new List<ClaimSet>(2) {
set2,
claimSet
};
return new List<IAuthorizationPolicy>(1) { new UnconditionalPolicy(list.AsReadOnly(), token2.ValidTo) }.AsReadOnly();
}
