public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
        {
            var userName = principal.Identity.Name;
            var claims = new List<Claim>();

            // email address
            string email = Membership.FindUsersByName(userName)[userName].Email;
            if (!String.IsNullOrEmpty(email))
            {
                claims.Add(new Claim(ClaimTypes.Email, email));
            }

            // roles
            GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));

            // profile claims
            if (ProfileManager.Enabled)
            {
                var profile = ProfileBase.Create(userName, true);
                if (profile != null)
                {
                    foreach (SettingsProperty prop in ProfileBase.Properties)
                    {
                        string value = profile.GetPropertyValue(prop.Name).ToString();
                        if (!String.IsNullOrWhiteSpace(value))
                        {
                            claims.Add(new Claim(ProfileClaimPrefix + prop.Name.ToLowerInvariant(), value));
                        }
                    }
                }
            }

            return claims;
        }
Example #2
0
        public static List<Claim> GetOutputClaims(IClaimsPrincipal principal, RequestDetails requestDetails, IUserRepository userRepository)
        {
            var name = principal.FindClaims(ClaimTypes.Name).First().Value;
            var nameId = new Claim(ClaimTypes.NameIdentifier, name);

            var userClaims = new List<Claim>
            {
                new Claim(ClaimTypes.Name, name),
                nameId,
                new Claim(ClaimTypes.AuthenticationMethod, principal.FindClaims(ClaimTypes.AuthenticationMethod).First().Value),
                AuthenticationInstantClaim.Now
            };

            userClaims.AddRange(userRepository.GetClaims(principal, requestDetails));

            return userClaims;
        }
Example #3
0
        public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
        {
            var userName = principal.Identity.Name;
            var claims = new List<Claim>();

            // email address
            var email = "*****@*****.**";
            if (!string.IsNullOrEmpty(email))
            {
                claims.Add(new Claim(ClaimTypes.Email, email));
            }

            // roles
            GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));

            // profile claims
            claims.Add(new Claim(ProfileClaimPrefix + "fullname", "Michael Noonan"));

            return claims;
        }
Example #4
0
 protected virtual void ValidateSsl(RequestDetails details)
 {
     // check if SSL is used (for passive only)
     if (_configuration.RequireSsl && !details.UsesSsl)
     {
         if (!details.IsActive)
         {
             Tracing.Tracing.Error("Configuration requires SSL - but clear text reply address used");
             throw new InvalidRequestException("SSL is required");
         }
     }
 }
Example #5
0
 private void ValidateTokenType(RequestDetails details)
 {
     if (details.TokenType == SimpleWebToken.OasisTokenProfile)
     {
         if (details.RelyingPartyRegistration == null ||
             details.RelyingPartyRegistration.SymmetricSigningKey == null ||
             details.RelyingPartyRegistration.SymmetricSigningKey.Length == 0)
         {
             Tracing.Tracing.Error("SWT token requested, but no symmetric signing key found");
             throw new InvalidRequestException("SWT token requested, but no symmetric signing key found");
         }
     }
 }
Example #6
0
 protected virtual void ValidateKnownRealm(RequestDetails details)
 {
     // check if realm is allowed
     if (_configuration.AllowKnownRealmsOnly && (!details.IsKnownRealm))
     {
         Tracing.Tracing.Error("Configuration requires a known realm - but realm is not registered");
         throw new InvalidScopeException(details.Realm.Uri.AbsoluteUri);
     }
 }
Example #7
0
 protected virtual void ValidateReplyTo(RequestDetails details)
 {
     // check if replyto is part of a registered realm (when not explicitly registered in config)
     if (!details.IsReplyToFromConfiguration)
     {
         if (_configuration.RequireReplyToWithinRealm && (!details.ReplyToAddressIsWithinRealm))
         {
             Tracing.Tracing.Error("Configuration requires that ReplyTo is a sub-address of the realm - this is not the case");
             throw new InvalidRequestException("Invalid ReplyTo");
         }
     }
 }
Example #8
0
 protected virtual void AnalyzeOperationContext(RequestDetails details)
 {
     // determine if this is a WCF call
     if (OperationContext.Current != null)
     {
         details.IsActive = true;
         Tracing.Tracing.Information("Active request");
     }
     else
     {
         Tracing.Tracing.Information("Passive request");
     }
 }
Example #9
0
 protected virtual void ValidateEncryption(RequestDetails details)
 {
     // check if token must be encrypted
     if (_configuration.RequireEncryption && (!details.UsesEncryption))
     {
         Tracing.Tracing.Error("Configuration requires encryption - but no key available");
         throw new InvalidRequestException("No encryption key available");
     }
 }
Example #10
0
 protected virtual void AnalyzeSsl(RequestDetails details)
 {
     // determine if reply to is via SSL
     details.UsesSsl = (details.ReplyToAddress.Scheme == Uri.UriSchemeHttps);
     Tracing.Tracing.Information(String.Format("SSL used:{0}", details.UsesSsl));
 }
Example #11
0
        protected virtual IClaimsIdentity GetActAsClaimsIdentity(IClaimsIdentity clientIdentity, RequestDetails requestDetails)
        {
            var actAsSubject = requestDetails.Request.ActAs.GetSubject()[0];
            var actAsIdentity = actAsSubject.Copy();

            // find the last actor in the actAs identity
            IClaimsIdentity lastActor = actAsIdentity;
            while (lastActor.Actor != null)
            {
                lastActor = lastActor.Actor;
            }

            // set the caller's identity as the last actor in the delegation chain
            lastActor.Actor = clientIdentity;

            Tracing.Tracing.Information("ActAs client identity: " + actAsIdentity.Name);
            Tracing.Tracing.Information("ActAs actor identity : " + actAsIdentity.Actor.Name);

            // return the actAsIdentity instead of the caller's identity in this case
            return actAsIdentity;
        }
Example #12
0
        protected virtual void AnalyzeRequestClaims(RequestDetails details)
        {
            // check if specific claims are requested
            if (details.Request.Claims != null && details.Request.Claims.Count > 0)
            {
                details.ClaimsRequested = true;
                details.RequestClaims = details.Request.Claims;

                var requestClaims = new StringBuilder(20);
                details.RequestClaims.ToList().ForEach(rq => requestClaims.AppendFormat("{0}\n", rq.ClaimType));
                Tracing.Tracing.Information("Specific claims requested");
                Tracing.Tracing.Information(String.Format("Request claims: {0}", requestClaims));
            }
            else
            {
                Tracing.Tracing.Information("No request claims");
            }
        }
Example #13
0
        protected virtual void AnalyzeRst(RequestSecurityToken rst, RequestDetails options)
        {
            if (rst == null)
            {
                throw new ArgumentNullException("request");
            }

            options.Request = rst;
        }
Example #14
0
        protected virtual void AnalyzeReplyTo(RequestDetails details)
        {
            var rp = details.RelyingPartyRegistration;

            // determine the reply to address (only relevant for passive requests)
            if (rp != null && rp.ReplyTo != null)
            {
                details.ReplyToAddress = rp.ReplyTo;
                details.IsReplyToFromConfiguration = true;

                // check if reply to is a sub-address of the realm address
                if (details.ReplyToAddress.AbsoluteUri.StartsWith(details.Realm.Uri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
                {
                    details.ReplyToAddressIsWithinRealm = true;
                }

                Tracing.Tracing.Information(String.Format("ReplyTo Address set from configuration: {0}", details.ReplyToAddress.AbsoluteUri));
            }
            else
            {
                if (!String.IsNullOrEmpty(details.Request.ReplyTo))
                {
                    if (_configuration.AllowReplyTo)
                    {
                        // explicit address
                        details.ReplyToAddress = new Uri(details.Request.ReplyTo);
                        Tracing.Tracing.Information(String.Format("Explicit ReplyTo address set: {0}", details.ReplyToAddress.AbsoluteUri));

                        // check if reply to is a sub-address of the realm address
                        if (details.ReplyToAddress.AbsoluteUri.StartsWith(details.Realm.Uri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
                        {
                            details.ReplyToAddressIsWithinRealm = true;
                        }

                        Tracing.Tracing.Information(String.Format("ReplyTo Address is within Realm: {0}", details.ReplyToAddressIsWithinRealm));
                    }
                    else
                    {
                        // same as realm
                        details.ReplyToAddress = details.Realm.Uri;
                        details.ReplyToAddressIsWithinRealm = true;
                        Tracing.Tracing.Warning(string.Format("ReplyTo address of ({0}) was supplied, but since configuration does not allow ReplyTo, the realm address is used", details.Request.ReplyTo));
                    }
                }
                else
                {
                    // same as realm
                    details.ReplyToAddress = details.Realm.Uri;
                    details.ReplyToAddressIsWithinRealm = true;
                    Tracing.Tracing.Information("ReplyTo address set to realm address");
                }
            }
        }
Example #15
0
        protected virtual RelyingPartyModel AnalyzeRelyingParty(RequestDetails details)
        {
            // check if the relying party is registered
            RelyingPartyModel rp = null;
            if (_relyingPartyRepository.TryGet(details.Realm.Uri.AbsoluteUri, out rp))
            {
                details.RelyingPartyRegistration = rp;
                details.IsKnownRealm = true;

                var traceString = String.Format("Relying Party found in registry - Realm: {0}", rp.Realm.AbsoluteUri);

                if (!string.IsNullOrEmpty(rp.Name))
                {
                    traceString += String.Format(" ({0})", rp.Name);
                }

                Tracing.Tracing.Information(traceString);

                if (rp.EncryptingCertificate != null)
                {
                    details.EncryptingCertificate = rp.EncryptingCertificate;
                    Tracing.Tracing.Information("Encrypting certificate set from registry");
                }
            }
            else
            {
                Tracing.Tracing.Information("Relying party is not registered.");
            }
            return rp;
        }
Example #16
0
        protected virtual void AnalyzeRealm(RequestSecurityToken rst, RequestDetails options)
        {
            // check realm
            if (rst.AppliesTo == null || rst.AppliesTo.Uri == null)
            {
                throw new MissingAppliesToException("AppliesTo is missing");
            }

            options.Realm = rst.AppliesTo;
        }
Example #17
0
        public RequestDetails Analyze(RequestSecurityToken rst, IClaimsPrincipal principal)
        {
            if (rst == null)
            {
                throw new ArgumentNullException("rst");
            }

            if (principal == null)
            {
                throw new ArgumentNullException("principal");
            }

            Tracing.Tracing.Information("Starting PolicyOptions creation");

            var clientIdentity = AnalyzeClientIdentity(principal);

            var details = new RequestDetails
            {
                ClientIdentity = clientIdentity,
                IsActive = false,
                Realm = null,
                IsKnownRealm = false,
                UsesSsl = false,
                UsesEncryption = false,
                ReplyToAddress = null,
                ReplyToAddressIsWithinRealm = false,
                IsReplyToFromConfiguration = false,
                EncryptingCertificate = null,
                ClaimsRequested = false,
                RequestClaims = null,
                Request = null,
                IsActAsRequest = false,
                RelyingPartyRegistration = null
            };

            AnalyzeRst(rst, details);
            AnalyzeTokenType(rst, details);
            AnalyzeKeyType(rst);
            AnalyzeRealm(rst, details);
            AnalyzeOperationContext(details);
            AnalyzeDelegation(rst, details);
            AnalyzeRelyingParty(details);
            AnalyzeEncryption(details);
            AnalyzeReplyTo(details);
            AnalyzeSsl(details);
            AnalyzeRequestClaims(details);

            Tracing.Tracing.Information("PolicyOptions creation done.");

            _details = details;
            return details;
        }
Example #18
0
        public void Validate(RequestDetails details)
        {
            if (details == null)
            {
                throw new ArgumentNullException("details");
            }

            Tracing.Tracing.Information("Starting policy validation");

            ValidateKnownRealm(details);
            ValidateTokenType(details);
            ValidateReplyTo(details);
            ValidateEncryption(details);
            ValidateSsl(details);
            ValidateDelegation(details);

            Tracing.Tracing.Information("Policy Validation succeeded");
        }
Example #19
0
 protected virtual void AnalyzeDelegation(RequestSecurityToken rst, RequestDetails details)
 {
     // check for identity delegation request
     if (rst.ActAs != null)
     {
         details.IsActAsRequest = true;
         Tracing.Tracing.Information("Request is ActAs request");
     }
 }
Example #20
0
        protected virtual void ValidateDelegation(RequestDetails details)
        {
            // check for ActAs request
            if (details.IsActAsRequest)
            {
                if (!_configuration.EnableDelegation)
                {
                    Tracing.Tracing.Error("Request is ActAs request - but ActAs is not enabled");
                    throw new InvalidRequestException("Request is ActAs request - but ActAs is not enabled");
                }

                if (!_delegationRepository.IsDelegationAllowed(details.ClientIdentity.Name, details.Realm.Uri.AbsoluteUri))
                {
                    Tracing.Tracing.Error(String.Format("ActAs mapping not found."));
                    throw new InvalidRequestException("ActAs mapping not found.");
                }
            }
        }
Example #21
0
 protected virtual void AnalyzeTokenType(RequestSecurityToken rst, RequestDetails details)
 {
     if (string.IsNullOrWhiteSpace(rst.TokenType))
     {
         details.TokenType = _configuration.DefaultTokenType;
         Tracing.Tracing.Information("Token Type: not specified, falling back to default token type");
     }
     else
     {
         Tracing.Tracing.Information("Token Type: " + rst.TokenType);
         details.TokenType = rst.TokenType;
     }
 }
Example #22
0
        protected virtual void AnalyzeEncryption(RequestDetails details)
        {
            if (details.EncryptingCertificate == null)
            {
                X509Certificate2 requestCertificate;
                if (TryGetEncryptionCertificateFromRequest(details.Realm, out requestCertificate))
                {
                    details.EncryptingCertificate = requestCertificate;
                    Tracing.Tracing.Information("Encrypting certificate set from RST");
                }
            }

            details.UsesEncryption = (details.EncryptingCertificate != null);
            Tracing.Tracing.Information("Token encryption: " + details.UsesEncryption);
        }