private void WriteAuditEvent(AuditLevel auditLevel, X509Certificate2 certificate, WindowsSidIdentity wsid, Exception exception)
{
try
{
string clientIdentity = string.Empty;
if (certificate != null)
{
clientIdentity = System.ServiceModel.Security.SecurityUtils.GetCertificateId(certificate);
}
else if (wsid != null)
{
clientIdentity = System.ServiceModel.Security.SecurityUtils.GetIdentityName(wsid);
}
if (auditLevel == AuditLevel.Success)
{
SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, clientIdentity);
}
else
{
SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, clientIdentity, exception);
}
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2) || (auditLevel == AuditLevel.Success))
{
throw;
}
DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
private void WriteAuditEvent(StreamSecurityUpgradeAcceptor securityUpgradeAcceptor, AuditLevel auditLevel, Exception exception)
{
if (((this.transportSettings.AuditBehavior.MessageAuthenticationAuditLevel & auditLevel) == auditLevel) && (securityUpgradeAcceptor != null))
{
string clientIdentity = string.Empty;
SecurityMessageProperty remoteSecurity = securityUpgradeAcceptor.GetRemoteSecurity();
if (remoteSecurity != null)
{
clientIdentity = GetIdentityNameFromContext(remoteSecurity);
}
ServiceSecurityAuditBehavior auditBehavior = this.transportSettings.AuditBehavior;
if (auditLevel == AuditLevel.Success)
{
SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Via, clientIdentity);
}
else
{
SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(auditBehavior.AuditLogLocation, auditBehavior.SuppressAuditFailure, null, this.Via, clientIdentity, exception);
}
}
}
protected void WriteAuditEvent(AuditLevel auditLevel, string primaryIdentity, Exception exception)
{
try
{
if (auditLevel == AuditLevel.Success)
{
SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, primaryIdentity);
}
else
{
SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, primaryIdentity, exception);
}
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2) || (auditLevel == AuditLevel.Success))
{
throw;
}
DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
public void Authorize(ref MessageRpc rpc)
{
if (TD.DispatchMessageBeforeAuthorizationIsEnabled())
{
TD.DispatchMessageBeforeAuthorization(rpc.EventTraceActivity);
}
SecurityMessageProperty security = SecurityMessageProperty.GetOrCreate(rpc.Request);
security.ExternalAuthorizationPolicies = this.externalAuthorizationPolicies;
ServiceAuthorizationManager serviceAuthorizationManager = this.serviceAuthorizationManager ?? DefaultServiceAuthorizationManager;
try
{
if (!serviceAuthorizationManager.CheckAccess(rpc.OperationContext, ref rpc.Request))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateAccessDeniedFaultException());
}
}
catch (Exception ex)
{
if (Fx.IsFatal(ex))
{
throw;
}
if (PerformanceCounters.PerformanceCountersEnabled)
{
PerformanceCounters.AuthorizationFailed(rpc.Operation.Name);
}
if (AuditLevel.Failure == (this.serviceAuthorizationAuditLevel & AuditLevel.Failure))
{
try
{
string primaryIdentity;
string authContextId = null;
AuthorizationContext authContext = security.ServiceSecurityContext.AuthorizationContext;
if (authContext != null)
{
primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(authContext);
authContextId = authContext.Id;
}
else
{
primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
authContextId = "<null>";
}
SecurityAuditHelper.WriteServiceAuthorizationFailureEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action,
primaryIdentity, authContextId,
serviceAuthorizationManager == DefaultServiceAuthorizationManager ? "<default>" : serviceAuthorizationManager.GetType().Name,
ex);
}
#pragma warning suppress 56500
catch (Exception auditException)
{
if (Fx.IsFatal(auditException))
{
throw;
}
DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
}
}
throw;
}
if (AuditLevel.Success == (this.serviceAuthorizationAuditLevel & AuditLevel.Success))
{
string primaryIdentity;
string authContextId;
AuthorizationContext authContext = security.ServiceSecurityContext.AuthorizationContext;
if (authContext != null)
{
primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(authContext);
authContextId = authContext.Id;
}
else
{
primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
authContextId = "<null>";
}
SecurityAuditHelper.WriteServiceAuthorizationSuccessEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action,
primaryIdentity, authContextId,
serviceAuthorizationManager == DefaultServiceAuthorizationManager ? "<default>" : serviceAuthorizationManager.GetType().Name);
}
}
public void Authenticate(ref MessageRpc rpc)
{
SecurityMessageProperty orCreate = SecurityMessageProperty.GetOrCreate(rpc.Request);
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = orCreate.ServiceSecurityContext.AuthorizationPolicies;
try
{
authorizationPolicies = this.serviceAuthenticationManager.Authenticate(orCreate.ServiceSecurityContext.AuthorizationPolicies, rpc.Channel.ListenUri, ref rpc.Request);
if (authorizationPolicies == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("AuthenticationManagerShouldNotReturnNull")));
}
}
catch (Exception exception)
{
if (Fx.IsFatal(exception))
{
throw;
}
if (PerformanceCounters.PerformanceCountersEnabled)
{
PerformanceCounters.AuthenticationFailed(rpc.Request, rpc.Channel.ListenUri);
}
if (AuditLevel.Failure == (this.messageAuthenticationAuditLevel & AuditLevel.Failure))
{
try
{
string identityNamesFromContext;
AuthorizationContext authorizationContext = orCreate.ServiceSecurityContext.AuthorizationContext;
if (authorizationContext != null)
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authorizationContext);
}
else
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, identityNamesFromContext, exception);
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2))
{
throw;
}
DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateFailedAuthenticationFaultException());
}
rpc.Request.Properties.Security.ServiceSecurityContext.AuthorizationPolicies = authorizationPolicies;
if (AuditLevel.Success == (this.messageAuthenticationAuditLevel & AuditLevel.Success))
{
string name;
AuthorizationContext authContext = orCreate.ServiceSecurityContext.AuthorizationContext;
if (authContext != null)
{
name = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authContext);
}
else
{
name = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteMessageAuthenticationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action, name);
}
}
public void Authenticate(ref MessageRpc rpc)
{
SecurityMessageProperty security = SecurityMessageProperty.GetOrCreate(rpc.Request);
ReadOnlyCollection <IAuthorizationPolicy> authPolicy = security.ServiceSecurityContext.AuthorizationPolicies;
bool outputTiming = DS.AuthenticationIsEnabled();
Stopwatch sw = null;
if (outputTiming)
{
sw = Stopwatch.StartNew();
}
try
{
authPolicy = this.serviceAuthenticationManager.Authenticate(security.ServiceSecurityContext.AuthorizationPolicies, rpc.Channel.ListenUri, ref rpc.Request);
if (authPolicy == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.AuthenticationManagerShouldNotReturnNull)));
}
if (outputTiming)
{
DS.Authentication(this.serviceAuthenticationManager.GetType(), true, sw.Elapsed);
}
}
catch (Exception ex)
{
if (Fx.IsFatal(ex))
{
throw;
}
if (outputTiming)
{
DS.Authentication(this.serviceAuthenticationManager.GetType(), false, sw.Elapsed);
}
if (PerformanceCounters.PerformanceCountersEnabled)
{
PerformanceCounters.AuthenticationFailed(rpc.Request, rpc.Channel.ListenUri);
}
if (AuditLevel.Failure == (this.messageAuthenticationAuditLevel & AuditLevel.Failure))
{
try
{
string primaryIdentity;
AuthorizationContext authContext = security.ServiceSecurityContext.AuthorizationContext;
if (authContext != null)
{
primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(authContext);
}
else
{
primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteMessageAuthenticationFailureEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action,
primaryIdentity, ex);
}
#pragma warning suppress 56500
catch (Exception auditException)
{
if (Fx.IsFatal(auditException))
{
throw;
}
DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
}
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateFailedAuthenticationFaultException());
}
rpc.Request.Properties.Security.ServiceSecurityContext.AuthorizationPolicies = authPolicy;
if (AuditLevel.Success == (this.messageAuthenticationAuditLevel & AuditLevel.Success))
{
string primaryIdentity;
AuthorizationContext authContext = security.ServiceSecurityContext.AuthorizationContext;
if (authContext != null)
{
primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(authContext);
}
else
{
primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteMessageAuthenticationSuccessEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Request, rpc.Channel.ListenUri, rpc.Request.Headers.Action,
primaryIdentity);
}
}
public void Authorize(ref MessageRpc rpc)
{
SecurityMessageProperty orCreate = SecurityMessageProperty.GetOrCreate(rpc.Request);
orCreate.ExternalAuthorizationPolicies = this.externalAuthorizationPolicies;
ServiceAuthorizationManager manager = this.serviceAuthorizationManager ?? DefaultServiceAuthorizationManager;
try
{
if (!manager.CheckAccess(rpc.OperationContext, ref rpc.Request))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateAccessDeniedFaultException());
}
}
catch (Exception exception)
{
if (Fx.IsFatal(exception))
{
throw;
}
if (PerformanceCounters.PerformanceCountersEnabled)
{
PerformanceCounters.AuthorizationFailed(rpc.Operation.Name);
}
if (AuditLevel.Failure == (this.serviceAuthorizationAuditLevel & AuditLevel.Failure))
{
try
{
string identityNamesFromContext;
string authContextId = null;
AuthorizationContext authorizationContext = orCreate.ServiceSecurityContext.AuthorizationContext;
if (authorizationContext != null)
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authorizationContext);
authContextId = authorizationContext.Id;
}
else
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
authContextId = "<null>";
}
SecurityAuditHelper.WriteServiceAuthorizationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action, identityNamesFromContext, authContextId, (manager == DefaultServiceAuthorizationManager) ? "<default>" : manager.GetType().Name, exception);
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2))
{
throw;
}
DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
throw;
}
if (AuditLevel.Success == (this.serviceAuthorizationAuditLevel & AuditLevel.Success))
{
string name;
string id;
AuthorizationContext authContext = orCreate.ServiceSecurityContext.AuthorizationContext;
if (authContext != null)
{
name = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(authContext);
id = authContext.Id;
}
else
{
name = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
id = "<null>";
}
SecurityAuditHelper.WriteServiceAuthorizationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Request, rpc.Request.Headers.To, rpc.Request.Headers.Action, name, id, (manager == DefaultServiceAuthorizationManager) ? "<default>" : manager.GetType().Name);
}
}
private IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
IDisposable disposable = null;
try
{
if (isSecurityContextImpersonationOn)
{
if (securityContext == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SFxSecurityContextPropertyMissingFromRequestMessage")), rpc.Request);
}
WindowsIdentity windowsIdentity = securityContext.WindowsIdentity;
if (windowsIdentity.User == null)
{
if (securityContext.PrimaryIdentity is WindowsSidIdentity)
{
WindowsSidIdentity primaryIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
if (primaryIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
{
disposable = new WindowsAnonymousIdentity().Impersonate();
goto Label_0103;
}
using (WindowsIdentity identity3 = new WindowsIdentity(this.GetUpnFromDownlevelName(primaryIdentity.Name), "Kerberos"))
{
disposable = identity3.Impersonate();
goto Label_0103;
}
}
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecurityContextDoesNotAllowImpersonation", new object[] { rpc.Operation.Action })), rpc.Request);
}
disposable = windowsIdentity.Impersonate();
}
else if (AspNetEnvironment.Current.RequiresImpersonation && (rpc.HostingProperty != null))
{
disposable = rpc.HostingProperty.Impersonate();
}
Label_0103:
SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.Operation);
if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
{
SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
}
}
catch (Exception exception)
{
if (Fx.IsFatal(exception))
{
throw;
}
SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.Operation, exception);
if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
{
try
{
string identityNamesFromContext;
if (securityContext != null)
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
}
else
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, identityNamesFromContext, exception);
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2))
{
throw;
}
System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
throw;
}
return(disposable);
}
IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
IDisposable impersonationContext = null;
try
{
if (isSecurityContextImpersonationOn)
{
if (securityContext == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SFxSecurityContextPropertyMissingFromRequestMessage)), rpc.Request);
}
WindowsIdentity impersonationToken = securityContext.WindowsIdentity;
if (impersonationToken.User != null)
{
impersonationContext = impersonationToken.Impersonate();
}
else if (securityContext.PrimaryIdentity is WindowsSidIdentity)
{
WindowsSidIdentity sidIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
{
impersonationContext = new WindowsAnonymousIdentity().Impersonate();
}
else
{
string fullyQualifiedDomainName = GetUpnFromDownlevelName(sidIdentity.Name);
using (WindowsIdentity windowsIdentity = new WindowsIdentity(fullyQualifiedDomainName, SecurityUtils.AuthTypeKerberos))
{
impersonationContext = windowsIdentity.Impersonate();
}
}
}
else
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecurityContextDoesNotAllowImpersonation, rpc.Operation.Action)), rpc.Request);
}
}
else if (AspNetEnvironment.Current.RequiresImpersonation)
{
if (rpc.HostingProperty != null)
{
impersonationContext = rpc.HostingProperty.Impersonate();
}
}
SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.EventTraceActivity, rpc.Operation);
// update the impersonation succeed audit
if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
{
SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Operation.Name, SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
}
}
catch (Exception ex)
{
if (Fx.IsFatal(ex))
{
throw;
}
SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.EventTraceActivity, rpc.Operation, ex);
//
// Update the impersonation failure audit
// Copy SecurityAuthorizationBehavior.Audit level to here!!!
//
if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
{
try
{
string primaryIdentity;
if (securityContext != null)
{
primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
}
else
{
primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Operation.Name, primaryIdentity, ex);
}
#pragma warning suppress 56500
catch (Exception auditException)
{
if (Fx.IsFatal(auditException))
{
throw;
}
DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
}
}
throw;
}
return(impersonationContext);
}
