public void UpdateContextCachingTime(SecurityContextSecurityToken token, DateTime expirationTime)
{
if (token.ValidTo > expirationTime.ToUniversalTime())
{
base.TryReplaceItem(this.GetHashKey(token.ContextId, token.KeyGeneration), token, expirationTime);
}
}
public override void WriteTokenCore(XmlDictionaryWriter writer, SecurityToken token)
{
SecurityContextSecurityToken sct = token as SecurityContextSecurityToken;
writer.WriteStartElement(this.parent.SerializerDictionary.Prefix.Value, this.parent.SerializerDictionary.SecurityContextToken, this.parent.SerializerDictionary.Namespace);
if (sct.Id != null)
{
writer.WriteAttributeString(XD.UtilityDictionary.Prefix.Value, XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace, sct.Id);
}
writer.WriteStartElement(this.parent.SerializerDictionary.Prefix.Value, this.parent.SerializerDictionary.Identifier, this.parent.SerializerDictionary.Namespace);
XmlHelper.WriteStringAsUniqueId(writer, sct.ContextId);
writer.WriteEndElement();
this.WriteGeneration(writer, sct);
if (sct.IsCookieMode)
{
if (sct.CookieBlob == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("NoCookieInSct")));
}
#if FEATURE_CORECLR
throw new NotImplementedException("XD.DotNetSecurityDictionary is not supported in .NET Core");
#else
writer.WriteStartElement(XD.DotNetSecurityDictionary.Prefix.Value, this.parent.SerializerDictionary.Cookie, XD.DotNetSecurityDictionary.Namespace);
writer.WriteBase64(sct.CookieBlob, 0, sct.CookieBlob.Length);
writer.WriteEndElement();
#endif
}
writer.WriteEndElement();
}
protected override async ValueTask <Message> VerifyIncomingMessageCoreAsync(Message message, TimeSpan timeout)
{
string actor = string.Empty; // message.Version.Envelope.UltimateDestinationActor;
ReceiveSecurityHeader securityHeader = Factory.StandardsManager.TryCreateReceiveSecurityHeader(message, actor,
Factory.IncomingAlgorithmSuite, MessageDirection.Input);
securityHeader.RequireMessageProtection = false;
securityHeader.ReaderQuotas = Factory.SecurityBindingElement.ReaderQuotas;
IList <SupportingTokenAuthenticatorSpecification> supportingAuthenticators = GetSupportingTokenAuthenticatorsAndSetExpectationFlags(Factory, message, securityHeader);
ReadOnlyCollection <SecurityTokenResolver> mergedTokenResolvers = MergeOutOfBandResolvers(supportingAuthenticators, _sessionTokenResolverList);
if (supportingAuthenticators != null && supportingAuthenticators.Count > 0)
{
supportingAuthenticators = new List <SupportingTokenAuthenticatorSpecification>(supportingAuthenticators);
supportingAuthenticators.Insert(0, _sessionTokenAuthenticatorSpecificationList[0]);
}
else
{
supportingAuthenticators = _sessionTokenAuthenticatorSpecificationList;
}
securityHeader.ConfigureTransportBindingServerReceiveHeader(supportingAuthenticators);
securityHeader.ConfigureOutOfBandTokenResolver(mergedTokenResolvers);
securityHeader.ExpectEndorsingTokens = true;
TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
securityHeader.ReplayDetectionEnabled = Factory.DetectReplays;
securityHeader.SetTimeParameters(Factory.NonceCache, Factory.ReplayWindow, Factory.MaxClockSkew);
// do not enforce key derivation requirement for Cancel messages due to WSE interop
securityHeader.EnforceDerivedKeyRequirement = (message.Headers.Action != Factory.StandardsManager.SecureConversationDriver.CloseAction.Value);
await securityHeader.ProcessAsync(timeoutHelper.RemainingTime(), SecurityUtils.GetChannelBindingFromMessage(message), Factory.ExtendedProtectionPolicy);
if (securityHeader.Timestamp == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.RequiredTimestampMissingInSecurityHeader)));
}
bool didSessionSctEndorse = false;
if (securityHeader.EndorsingSupportingTokens != null)
{
for (int i = 0; i < securityHeader.EndorsingSupportingTokens.Count; ++i)
{
SecurityContextSecurityToken signingSct = (securityHeader.EndorsingSupportingTokens[i] as SecurityContextSecurityToken);
if (signingSct != null && signingSct.ContextId == _sessionId)
{
didSessionSctEndorse = true;
break;
}
}
}
if (!didSessionSctEndorse)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.NoSessionTokenPresentInMessage)));
}
Message processedMessage = securityHeader.ProcessedMessage;
AttachRecipientSecurityProperty(processedMessage, securityHeader.BasicSupportingTokens, securityHeader.EndorsingSupportingTokens,
securityHeader.SignedEndorsingSupportingTokens, securityHeader.SignedSupportingTokens, securityHeader.SecurityTokenAuthorizationPoliciesMapping);
OnIncomingMessageVerified(processedMessage);
return(processedMessage);
}
internal ReadOnlyCollection <IAuthorizationPolicy> GetInitiatorTokenAuthorizationPolicies(bool includeTransportToken, SecurityContextSecurityToken supportingSessionTokenToExclude)
{
// fast path
if (!this.HasIncomingSupportingTokens)
{
if (_transportToken != null && _initiatorToken == null && _protectionToken == null)
{
if (includeTransportToken && _transportToken.SecurityTokenPolicies != null)
{
return(_transportToken.SecurityTokenPolicies);
}
else
{
return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
}
else if (_transportToken == null && _initiatorToken != null && _protectionToken == null)
{
return(_initiatorToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
else if (_transportToken == null && _initiatorToken == null && _protectionToken != null)
{
return(_protectionToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
}
Collection <IAuthorizationPolicy> policies = new Collection <IAuthorizationPolicy>();
if (includeTransportToken)
{
AddAuthorizationPolicies(_transportToken, policies);
}
AddAuthorizationPolicies(_initiatorToken, policies);
AddAuthorizationPolicies(_protectionToken, policies);
if (this.HasIncomingSupportingTokens)
{
for (int i = 0; i < _incomingSupportingTokens.Count; ++i)
{
if (supportingSessionTokenToExclude != null)
{
SecurityContextSecurityToken sct = _incomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken;
if (sct != null && sct.ContextId == supportingSessionTokenToExclude.ContextId)
{
continue;
}
}
SecurityTokenAttachmentMode attachmentMode = _incomingSupportingTokens[i].SecurityTokenAttachmentMode;
// a safety net in case more attachment modes get added to the product without
// reviewing this code.
if (attachmentMode == SecurityTokenAttachmentMode.Endorsing ||
attachmentMode == SecurityTokenAttachmentMode.Signed ||
attachmentMode == SecurityTokenAttachmentMode.SignedEncrypted ||
attachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
{
AddAuthorizationPolicies(_incomingSupportingTokens[i], policies);
}
}
}
return(new ReadOnlyCollection <IAuthorizationPolicy>(policies));
}
protected override ArrayList OnQuotaReached(Hashtable cacheTable)
{
if (!this.replaceOldestEntries)
{
SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(base.Capacity, 0);
return(base.OnQuotaReached(cacheTable));
}
List <SecurityContextSecurityToken> list = new List <SecurityContextSecurityToken>(cacheTable.Count);
foreach (TimeBoundedCache.IExpirableItem item in cacheTable.Values)
{
SecurityContextSecurityToken token = (SecurityContextSecurityToken)base.ExtractItem(item);
list.Add(token);
}
list.Sort(sctEffectiveTimeComparer);
int capacity = (int)(base.Capacity * pruningFactor);
capacity = (capacity <= 0) ? base.Capacity : capacity;
ArrayList list2 = new ArrayList(capacity);
for (int i = 0; i < capacity; i++)
{
list2.Add(this.GetHashKey(list[i].ContextId, list[i].KeyGeneration));
this.OnRemove(list[i]);
}
SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(base.Capacity, capacity);
return(list2);
}
private bool TryAddContext(SecurityContextSecurityToken token, bool throwOnFailure)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
if (!System.ServiceModel.Security.SecurityUtils.IsCurrentlyTimeEffective(token.ValidFrom, token.ValidTo, this.clockSkew))
{
if (token.KeyGeneration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextExpiredNoKeyGeneration", new object[] { token.ContextId }));
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextExpired", new object[] { token.ContextId, token.KeyGeneration.ToString() }));
}
if (!System.ServiceModel.Security.SecurityUtils.IsCurrentlyTimeEffective(token.KeyEffectiveTime, token.KeyExpirationTime, this.clockSkew))
{
if (token.KeyGeneration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextKeyExpiredNoKeyGeneration", new object[] { token.ContextId }));
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("SecurityContextKeyExpired", new object[] { token.ContextId, token.KeyGeneration.ToString() }));
}
object hashKey = this.GetHashKey(token.ContextId, token.KeyGeneration);
bool flag = base.TryAddItem(hashKey, token.Clone(), false);
if (flag || !throwOnFailure)
{
return(flag);
}
if (token.KeyGeneration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ContextAlreadyRegisteredNoKeyGeneration", new object[] { token.ContextId })));
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ContextAlreadyRegistered", new object[] { token.ContextId, token.KeyGeneration.ToString() })));
}
public bool FaultInSupportingToken(Message message)
{
DebugTrace.TraceEnter(this, "FaultInSupportingToken");
bool flag = false;
WsatRegistrationHeader header = this.ReadRegistrationHeader(message);
if (((header == null) || (header.TransactionId == Guid.Empty)) || string.IsNullOrEmpty(header.TokenId))
{
if (DebugTrace.Warning)
{
DebugTrace.Trace(TraceLevel.Warning, "Invalid or absent RegisterInfo in register message");
}
}
else
{
currentSct = this.DeriveToken(header.TransactionId, header.TokenId);
flag = true;
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Created SCT with id {0} for transaction {1}", header.TokenId, header.TransactionId);
}
}
DebugTrace.TraceLeave(this, "FaultInSupportingToken");
return(flag);
}
protected override ArrayList OnQuotaReached(Hashtable cacheTable)
{
if (!this.replaceOldestEntries)
{
SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(this.Capacity, 0);
return(base.OnQuotaReached(cacheTable));
}
else
{
List <SecurityContextSecurityToken> tokens = new List <SecurityContextSecurityToken>(cacheTable.Count);
foreach (IExpirableItem value in cacheTable.Values)
{
SecurityContextSecurityToken token = (SecurityContextSecurityToken)ExtractItem(value);
tokens.Add(token);
}
tokens.Sort(sctEffectiveTimeComparer);
int pruningAmount = (int)(((double)this.Capacity) * pruningFactor);
pruningAmount = pruningAmount <= 0 ? this.Capacity : pruningAmount;
ArrayList keys = new ArrayList(pruningAmount);
for (int i = 0; i < pruningAmount; ++i)
{
keys.Add(GetHashKey(tokens[i].ContextId, tokens[i].KeyGeneration));
OnRemove(tokens[i]);
}
SecurityTraceRecordHelper.TraceSecurityContextTokenCacheFull(this.Capacity, pruningAmount);
return(keys);
}
}
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
{
UniqueId generation = null;
bool isCookieMode = false;
Fx.Assert(reader.NodeType == XmlNodeType.Element, "");
// check if there is an id
string id = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
SecurityContextSecurityToken sct = null;
// There needs to be at least a contextId in here.
reader.ReadFullStartElement();
reader.MoveToStartElement(Parent.SerializerDictionary.Identifier, Parent.SerializerDictionary.Namespace);
UniqueId contextId = reader.ReadElementContentAsUniqueId();
if (CanReadGeneration(reader))
{
generation = ReadGeneration(reader);
}
if (reader.IsStartElement(Parent.SerializerDictionary.Cookie, XD.DotNetSecurityDictionary.Namespace))
{
isCookieMode = true;
sct = TryResolveSecurityContextToken(contextId, generation, id, tokenResolver, out ISecurityContextSecurityTokenCache sctCache);
if (sct == null)
{
byte[] encodedCookie = reader.ReadElementContentAsBase64();
if (encodedCookie != null)
{
sct = _cookieSerializer.CreateSecurityContextFromCookie(encodedCookie, contextId, generation, id, reader.Quotas);
if (sctCache != null)
{
sctCache.AddContext(sct);
}
}
}
else
{
reader.Skip();
}
}
reader.ReadEndElement();
if (contextId == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.Format(SR.NoSecurityContextIdentifier)));
}
if (sct == null && !isCookieMode)
{
sct = TryResolveSecurityContextToken(contextId, generation, id, tokenResolver, out ISecurityContextSecurityTokenCache sctCache);
}
if (sct == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new Exception(SR.Format(SR.SecurityContextNotRegistered, contextId, generation)));
}
return(sct);
}
protected override void WriteGeneration(XmlDictionaryWriter writer, SecurityContextSecurityToken sct)
{
if (sct.KeyGeneration != null)
{
writer.WriteStartElement(DXD.SecureConversationDec2005Dictionary.Prefix.Value, DXD.SecureConversationDec2005Dictionary.Instance, DXD.SecureConversationDec2005Dictionary.Namespace);
XmlHelper.WriteStringAsUniqueId(writer, sct.KeyGeneration);
writer.WriteEndElement();
}
}
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
{
UniqueId generation = (UniqueId)null;
string attribute = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
reader.ReadFullStartElement();
reader.MoveToStartElement(this.parent.SerializerDictionary.Identifier, this.parent.SerializerDictionary.Namespace);
UniqueId contextId = reader.ReadElementContentAsUniqueId();
if (this.CanReadGeneration(reader))
{
generation = this.ReadGeneration(reader);
}
#if FEATURE_CORECLR
throw new NotImplementedException("DotNetSecurityDictionary not implemented in .NET Core");
#else
bool flag = false;
SecurityContextSecurityToken token = (SecurityContextSecurityToken)null;
if (reader.IsStartElement(this.parent.SerializerDictionary.Cookie, DotNetSecurityDictionary.Namespace))
{
flag = true;
ISecurityContextSecurityTokenCache sctCache;
token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out sctCache);
if (token == null)
{
byte[] encodedCookie = reader.ReadElementContentAsBase64();
if (encodedCookie != null)
{
token = this.cookieSerializer.CreateSecurityContextFromCookie(encodedCookie, contextId, generation, attribute, reader.Quotas);
if (sctCache != null)
{
sctCache.AddContext(token);
}
}
}
else
{
reader.Skip();
}
}
reader.ReadEndElement();
if (contextId == (UniqueId)null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError((Exception) new MessageSecurityException(SR.GetString("NoSecurityContextIdentifier")));
}
if (token == null && !flag)
{
ISecurityContextSecurityTokenCache sctCache;
token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out sctCache);
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning((Exception) new SecurityContextTokenValidationException(SR.GetString("SecurityContextNotRegistered", (object)contextId, (object)generation)));
}
return((SecurityToken)token);
#endif
}
public void SetServiceToken(SecurityContextSecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
this.serviceToken = token;
this.isNegotiationCompleted = true;
}
public SecurityContextSecurityToken GetContext(UniqueId contextId, UniqueId generation)
{
if (contextId == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(contextId));
}
object hashKey = GetHashKey(contextId, generation);
SecurityContextSecurityToken sct = (SecurityContextSecurityToken)GetItem(hashKey);
return sct != null ? (SecurityContextSecurityToken)sct.Clone() : null;
}
/// <summary>
/// The the purposes of this method are:
/// 1. To enable layers above to get to the bootstrap tokens
/// 2. To ensure an ClaimsPrincipal is inside the SCT authorization policies. This is needed so that
/// a CustomPrincipal will be created and can be set. This is required as we set the principal permission mode to custom
/// 3. To set the IAuthorizationPolicy collection on the SCT to be one of IDFx's Authpolicy.
/// This allows SCT cookie and SCT cached to be treated the same, futher up the stack.
///
/// This method is call AFTER the final SCT has been created and the bootstrap tokens are around. Itis not called during the SP/TLS nego bootstrap.
/// </summary>
/// <param name="sct"></param>
internal void SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(SecurityContextSecurityToken sct)
{
if (sct == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sct");
}
List <IAuthorizationPolicy> iaps = new List <IAuthorizationPolicy>();
//
// The SecurityContextToken is cached first before the OnTokenIssued is called. So in the Session SCT
// case the AuthorizationPolicies will have already been updated. So check the sct.AuthorizationPolicies
// policy to see if the first is a AuthorizationPolicy.
//
if ((sct.AuthorizationPolicies != null) &&
(sct.AuthorizationPolicies.Count > 0) &&
(ContainsEndpointAuthPolicy(sct.AuthorizationPolicies)))
{
// We have already seen this sct and have fixed up the AuthorizationPolicy
// collection. Just return.
return;
}
//
// Nego SCT just has a cookie, there are no IAuthorizationPolicy. In this case,
// we want to add the EndpointAuthorizationPolicy alone to the SCT.
//
if ((sct.AuthorizationPolicies != null) &&
(sct.AuthorizationPolicies.Count > 0))
{
//
// Create a principal with known policies.
//
AuthorizationPolicy sctAp = IdentityModelServiceAuthorizationManager.TransformAuthorizationPolicies(sct.AuthorizationPolicies,
_securityTokenHandlerCollection,
false);
// Replace the WCF authorization policies with our IDFx policies.
// The principal is needed later on to set the custom principal by WCF runtime.
iaps.Add(sctAp);
//
// Convert the claim from WCF unconditional policy to an SctAuthorizationPolicy. The SctAuthorizationPolicy simply
// captures the primary identity claim from the WCF unconditional policy which IdFX will eventually throw away.
// If we don't capture that claim, then in a token renewal scenario WCF will fail due to identities being different
// for the issuedToken and the renewedToken.
//
SysClaim claim = GetPrimaryIdentityClaim(SystemAuthorizationContext.CreateDefaultAuthorizationContext(sct.AuthorizationPolicies));
SctAuthorizationPolicy sctAuthPolicy = new SctAuthorizationPolicy(claim);
iaps.Add(sctAuthPolicy);
}
iaps.Add(new EndpointAuthorizationPolicy(_endpointId));
sct.AuthorizationPolicies = iaps.AsReadOnly();
}
public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
{
UniqueId contextId = null;
byte[] encodedCookie = null;
UniqueId generation = null;
bool flag = false;
string attribute = reader.GetAttribute(XD.UtilityDictionary.IdAttribute, XD.UtilityDictionary.Namespace);
SecurityContextSecurityToken token = null;
reader.ReadFullStartElement();
reader.MoveToStartElement(this.parent.SerializerDictionary.Identifier, this.parent.SerializerDictionary.Namespace);
contextId = reader.ReadElementContentAsUniqueId();
if (this.CanReadGeneration(reader))
{
generation = this.ReadGeneration(reader);
}
if (reader.IsStartElement(this.parent.SerializerDictionary.Cookie, XD.DotNetSecurityDictionary.Namespace))
{
ISecurityContextSecurityTokenCache cache;
flag = true;
token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out cache);
if (token == null)
{
encodedCookie = reader.ReadElementContentAsBase64();
if (encodedCookie != null)
{
token = this.cookieSerializer.CreateSecurityContextFromCookie(encodedCookie, contextId, generation, attribute, reader.Quotas);
if (cache != null)
{
cache.AddContext(token);
}
}
}
else
{
reader.Skip();
}
}
reader.ReadEndElement();
if (contextId == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("NoSecurityContextIdentifier")));
}
if ((token == null) && !flag)
{
ISecurityContextSecurityTokenCache cache2;
token = this.TryResolveSecurityContextToken(contextId, generation, attribute, tokenResolver, out cache2);
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityContextTokenValidationException(System.ServiceModel.SR.GetString("SecurityContextNotRegistered", new object[] { contextId, generation })));
}
return(token);
}
internal ReadOnlyCollection <IAuthorizationPolicy> GetInitiatorTokenAuthorizationPolicies(bool includeTransportToken, SecurityContextSecurityToken supportingSessionTokenToExclude)
{
if (!this.HasIncomingSupportingTokens)
{
if (((this.transportToken != null) && (this.initiatorToken == null)) && (this.protectionToken == null))
{
if (includeTransportToken && (this.transportToken.SecurityTokenPolicies != null))
{
return(this.transportToken.SecurityTokenPolicies);
}
return(EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
if (((this.transportToken == null) && (this.initiatorToken != null)) && (this.protectionToken == null))
{
return(this.initiatorToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
if (((this.transportToken == null) && (this.initiatorToken == null)) && (this.protectionToken != null))
{
return(this.protectionToken.SecurityTokenPolicies ?? EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
}
Collection <IAuthorizationPolicy> policies = new Collection <IAuthorizationPolicy>();
if (includeTransportToken)
{
this.AddAuthorizationPolicies(this.transportToken, policies);
}
this.AddAuthorizationPolicies(this.initiatorToken, policies);
this.AddAuthorizationPolicies(this.protectionToken, policies);
if (this.HasIncomingSupportingTokens)
{
for (int i = 0; i < this.incomingSupportingTokens.Count; i++)
{
if (supportingSessionTokenToExclude != null)
{
SecurityContextSecurityToken securityToken = this.incomingSupportingTokens[i].SecurityToken as SecurityContextSecurityToken;
if ((securityToken != null) && (securityToken.ContextId == supportingSessionTokenToExclude.ContextId))
{
continue;
}
}
switch (this.incomingSupportingTokens[i].SecurityTokenAttachmentMode)
{
case SecurityTokenAttachmentMode.Endorsing:
case SecurityTokenAttachmentMode.Signed:
case SecurityTokenAttachmentMode.SignedEncrypted:
case SecurityTokenAttachmentMode.SignedEndorsing:
this.AddAuthorizationPolicies(this.incomingSupportingTokens[i], policies);
break;
}
}
}
return(new ReadOnlyCollection <IAuthorizationPolicy>(policies));
}
bool TryAddContext(SecurityContextSecurityToken token, bool throwOnFailure)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
if (!SecurityUtils.IsCurrentlyTimeEffective(token.ValidFrom, token.ValidTo, this.clockSkew))
{
if (token.KeyGeneration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextExpiredNoKeyGeneration, token.ContextId));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextExpired, token.ContextId, token.KeyGeneration.ToString()));
}
}
if (!SecurityUtils.IsCurrentlyTimeEffective(token.KeyEffectiveTime, token.KeyExpirationTime, this.clockSkew))
{
if (token.KeyGeneration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextKeyExpiredNoKeyGeneration, token.ContextId));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SecurityContextKeyExpired, token.ContextId, token.KeyGeneration.ToString()));
}
}
object hashKey = GetHashKey(token.ContextId, token.KeyGeneration);
bool wasTokenAdded = base.TryAddItem(hashKey, (SecurityContextSecurityToken)token.Clone(), false);
if (!wasTokenAdded)
{
if (throwOnFailure)
{
if (token.KeyGeneration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ContextAlreadyRegisteredNoKeyGeneration, token.ContextId)));
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ContextAlreadyRegistered, token.ContextId, token.KeyGeneration.ToString())));
}
}
}
return(wasTokenAdded);
}
/// <summary>
/// Serializes the SecurityToken to the XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter to write to.</param>
/// <param name="token">The SecurityToken to serializer.</param>
/// <exception cref="ArgumentNullException">The input parameter 'writer' or 'token' is null.</exception>
protected override void WriteTokenCore(XmlWriter writer, SecurityToken token)
{
if (writer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
try
{
//
// Wire the session handler for SCT
//
SecurityContextSecurityToken sct = token as SecurityContextSecurityToken;
if (sct != null)
{
//
// Bare SCT tokens are wrapped with a SessionSecurityToken.
// The property SessionSecurityToken.IsSecurityContextSecurityTokenWrapper will be true.
//
token = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(sct, _scVersion);
}
SecurityTokenHandler securityTokenHandler = _securityTokenHandlers[token];
if ((securityTokenHandler != null) && (securityTokenHandler.CanWriteToken))
{
securityTokenHandler.WriteToken(writer, token);
return;
}
base.WriteTokenCore(writer, token);
}
catch (Exception ex)
{
if (!(MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException(ex)))
{
throw;
}
Fx.Assert(false, "ExceptionMapper did not handle an exception correctly.");
// This should never happen. ExceptionMapper will handle the exception, in which case,
// a fault exception is thrown or the original exception gets thrown.
}
}
public Collection <SecurityContextSecurityToken> GetAllContexts(UniqueId contextId)
{
ArrayList matchingKeys = this.GetMatchingKeys(contextId);
Collection <SecurityContextSecurityToken> collection = new Collection <SecurityContextSecurityToken>();
for (int i = 0; i < matchingKeys.Count; i++)
{
SecurityContextSecurityToken item = base.GetItem(matchingKeys[i]) as SecurityContextSecurityToken;
if (item != null)
{
collection.Add(item);
}
}
return(collection);
}
public SecurityContextSecurityToken GetContext(UniqueId contextId, UniqueId generation)
{
if (contextId == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("contextId");
}
object hashKey = this.GetHashKey(contextId, generation);
SecurityContextSecurityToken item = (SecurityContextSecurityToken)base.GetItem(hashKey);
if (item == null)
{
return(null);
}
return(item.Clone());
}
public void CreateKeyIdentifierClauseSCT()
{
MyParameters tp = new MyParameters();
SecurityContextSecurityToken sct =
new SecurityContextSecurityToken(new UniqueId(), new byte [32], DateTime.MinValue, DateTime.MaxValue);
SecurityKeyIdentifierClause kic =
tp.CallCreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.Internal);
Assert.IsTrue(kic is LocalIdKeyIdentifierClause, "#1");
SecurityContextKeyIdentifierClause scic = tp.CallCreateKeyIdentifierClause(sct, SecurityTokenReferenceStyle.External)
as SecurityContextKeyIdentifierClause;
Assert.IsNotNull(scic, "#2");
Assert.IsNull(scic.Generation, "#3");
}
public void AddContext(SecurityContextSecurityToken token)
{
//
// WCF will cache the token first before calling the WrappedSessionSecurityTokenHandler.OnTokenIssued.
// We need to map the claims here so we will be caching the correct token with Geneva Claims substitued
// in place of the WCF claims.
//
_claimsHandler.SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(token);
SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, token.ContextId, token.KeyGeneration);
SessionSecurityToken sessionToken = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken(token, SecureConversationVersion.Default);
DateTime expiryTime = DateTimeUtil.Add(sessionToken.ValidTo, _claimsHandler.SecurityTokenHandlerCollection.Configuration.MaxClockSkew);
_tokenCache.AddOrUpdate(key, sessionToken, expiryTime);
}
private SecurityContextSecurityToken TryResolveSecurityContextToken(UniqueId contextId, UniqueId generation, string id, SecurityTokenResolver tokenResolver, out ISecurityContextSecurityTokenCache sctCache)
{
SecurityContextSecurityToken sourceToken = (SecurityContextSecurityToken)null;
sctCache = (ISecurityContextSecurityTokenCache)null;
if (tokenResolver is ISecurityContextSecurityTokenCache)
{
sctCache = (ISecurityContextSecurityTokenCache)tokenResolver;
sourceToken = sctCache.GetContext(contextId, generation);
}
else
{
#if FEATURE_CORECLR
throw new NotImplementedException("AggregateSecurityHeaderTokenResolver not supported in .NET Core");
#else
if (tokenResolver is AggregateSecurityHeaderTokenResolver)
{
AggregateSecurityHeaderTokenResolver headerTokenResolver = tokenResolver as AggregateSecurityHeaderTokenResolver;
for (int index = 0; index < headerTokenResolver.TokenResolvers.Count; ++index)
{
ISecurityContextSecurityTokenCache tokenResolver1 = headerTokenResolver.TokenResolvers[index] as ISecurityContextSecurityTokenCache;
if (tokenResolver1 != null)
{
if (sctCache == null)
{
sctCache = tokenResolver1;
}
sourceToken = tokenResolver1.GetContext(contextId, generation);
if (sourceToken != null)
{
break;
}
}
}
}
#endif
}
if (sourceToken == null)
{
return((SecurityContextSecurityToken)null);
}
if (sourceToken.Id == id)
{
return(sourceToken);
}
return(new SecurityContextSecurityToken(sourceToken, id));
}
public Collection <SecurityContextSecurityToken> GetAllContexts(UniqueId contextId)
{
ArrayList matchingKeys = GetMatchingKeys(contextId);
Collection <SecurityContextSecurityToken> matchingContexts = new Collection <SecurityContextSecurityToken>();
for (int i = 0; i < matchingKeys.Count; ++i)
{
SecurityContextSecurityToken token = base.GetItem(matchingKeys[i]) as SecurityContextSecurityToken;
if (token != null)
{
matchingContexts.Add(token);
}
}
return(matchingContexts);
}
public SecurityContextSecurityToken GetContext(System.Xml.UniqueId contextId, System.Xml.UniqueId generation)
{
SessionSecurityToken token = null;
SessionSecurityTokenCacheKey key = new SessionSecurityTokenCacheKey(_claimsHandler.EndpointId, contextId, generation);
token = _tokenCache.Get(key);
SecurityContextSecurityToken sctToken = null;
if (token != null && token.IsSecurityContextSecurityTokenWrapper)
{
sctToken = SecurityContextSecurityTokenHelper.ConvertSessionTokenToSecurityContextSecurityToken(token);
}
return(sctToken);
}
