Exemple #1
0
        static IIdentity DeserializePrimaryIdentity(XmlDictionaryReader reader, SctClaimDictionary dictionary, XmlObjectSerializer serializer)
        {
            IIdentity identity = null;

            if (reader.IsStartElement(dictionary.PrimaryIdentity, dictionary.EmptyString))
            {
                reader.ReadStartElement();
                if (reader.IsStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString))
                {
                    SecurityIdentifier sid = ReadSidAttribute(reader, dictionary);
                    string             authenticationType = reader.GetAttribute(dictionary.AuthenticationType, dictionary.EmptyString);
                    reader.ReadStartElement();
                    string name = reader.ReadContentAsString();
                    identity = new WindowsSidIdentity(sid, name, authenticationType ?? String.Empty);
                    reader.ReadEndElement();
                }
                else if (reader.IsStartElement(dictionary.GenericIdentity, dictionary.EmptyString))
                {
                    string authenticationType = reader.GetAttribute(dictionary.AuthenticationType, dictionary.EmptyString);
                    reader.ReadStartElement();
                    string name = reader.ReadContentAsString();
                    identity = SecurityUtils.CreateIdentity(name, authenticationType ?? String.Empty);
                    reader.ReadEndElement();
                }
                else
                {
                    identity = (IIdentity)serializer.ReadObject(reader);
                }
                reader.ReadEndElement();
            }
            return(identity);
        }
Exemple #2
0
        static void SerializePrimaryIdentity(IIdentity identity, SctClaimDictionary dictionary, XmlDictionaryWriter writer, XmlObjectSerializer serializer)
        {
            if (identity != null && identity != SecurityUtils.AnonymousIdentity)
            {
                writer.WriteStartElement(dictionary.PrimaryIdentity, dictionary.EmptyString);
                if (identity is WindowsIdentity)
                {
                    WindowsIdentity wid = (WindowsIdentity)identity;
                    writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
                    WriteSidAttribute(wid.User, dictionary, writer);

                    // This is to work around WOW64 bug Windows OS 1491447
                    string authenticationType = null;
                    using (WindowsIdentity self = WindowsIdentity.GetCurrent())
                    {
                        // is owner or admin?  AuthenticationType could throw un-authorized exception
                        if ((self.User == wid.Owner) ||
                            (wid.Owner != null && self.Groups.Contains(wid.Owner)) ||
                            (wid.Owner != SecurityUtils.AdministratorsSid && self.Groups.Contains(SecurityUtils.AdministratorsSid)))
                        {
                            authenticationType = wid.AuthenticationType;
                        }
                    }
                    if (!String.IsNullOrEmpty(authenticationType))
                    {
                        writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, authenticationType);
                    }
                    writer.WriteString(wid.Name);
                    writer.WriteEndElement();
                }
                else if (identity is WindowsSidIdentity)
                {
                    WindowsSidIdentity wsid = (WindowsSidIdentity)identity;
                    writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
                    WriteSidAttribute(wsid.SecurityIdentifier, dictionary, writer);
                    if (!String.IsNullOrEmpty(wsid.AuthenticationType))
                    {
                        writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, wsid.AuthenticationType);
                    }
                    writer.WriteString(wsid.Name);
                    writer.WriteEndElement();
                }
                else if (identity is GenericIdentity)
                {
                    GenericIdentity genericIdentity = (GenericIdentity)identity;
                    writer.WriteStartElement(dictionary.GenericIdentity, dictionary.EmptyString);
                    if (!String.IsNullOrEmpty(genericIdentity.AuthenticationType))
                    {
                        writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, genericIdentity.AuthenticationType);
                    }
                    writer.WriteString(genericIdentity.Name);
                    writer.WriteEndElement();
                }
                else
                {
                    serializer.WriteObject(writer, identity);
                }
                writer.WriteEndElement();
            }
        }
 private static void SerializePrimaryIdentity(IIdentity identity, SctClaimDictionary dictionary, XmlDictionaryWriter writer, XmlObjectSerializer serializer)
 {
     if ((identity != null) && (identity != System.ServiceModel.Security.SecurityUtils.AnonymousIdentity))
     {
         writer.WriteStartElement(dictionary.PrimaryIdentity, dictionary.EmptyString);
         if (identity is WindowsIdentity)
         {
             WindowsIdentity identity2 = (WindowsIdentity)identity;
             writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
             WriteSidAttribute(identity2.User, dictionary, writer);
             string authenticationType = null;
             using (WindowsIdentity identity3 = WindowsIdentity.GetCurrent())
             {
                 if (((identity3.User == identity2.Owner) || ((identity2.Owner != null) && identity3.Groups.Contains(identity2.Owner))) || ((identity2.Owner != System.ServiceModel.Security.SecurityUtils.AdministratorsSid) && identity3.Groups.Contains(System.ServiceModel.Security.SecurityUtils.AdministratorsSid)))
                 {
                     authenticationType = identity2.AuthenticationType;
                 }
             }
             if (!string.IsNullOrEmpty(authenticationType))
             {
                 writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, authenticationType);
             }
             writer.WriteString(identity2.Name);
             writer.WriteEndElement();
         }
         else if (identity is WindowsSidIdentity)
         {
             WindowsSidIdentity identity4 = (WindowsSidIdentity)identity;
             writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
             WriteSidAttribute(identity4.SecurityIdentifier, dictionary, writer);
             if (!string.IsNullOrEmpty(identity4.AuthenticationType))
             {
                 writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, identity4.AuthenticationType);
             }
             writer.WriteString(identity4.Name);
             writer.WriteEndElement();
         }
         else if (identity is GenericIdentity)
         {
             GenericIdentity identity5 = (GenericIdentity)identity;
             writer.WriteStartElement(dictionary.GenericIdentity, dictionary.EmptyString);
             if (!string.IsNullOrEmpty(identity5.AuthenticationType))
             {
                 writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, identity5.AuthenticationType);
             }
             writer.WriteString(identity5.Name);
             writer.WriteEndElement();
         }
         else
         {
             serializer.WriteObject(writer, identity);
         }
         writer.WriteEndElement();
     }
 }
Exemple #4
0
        private IPrincipal GetWindowsPrincipal(ServiceSecurityContext securityContext)
        {
            WindowsIdentity windowsIdentity = securityContext.WindowsIdentity;

            if (!windowsIdentity.IsAnonymous)
            {
                return(new WindowsPrincipal(windowsIdentity));
            }
            WindowsSidIdentity primaryIdentity = securityContext.PrimaryIdentity as WindowsSidIdentity;

            if (primaryIdentity != null)
            {
                return(new WindowsSidPrincipal(primaryIdentity, securityContext));
            }
            return(AnonymousWindowsPrincipal);
        }
        IPrincipal GetWindowsPrincipal(ServiceSecurityContext securityContext)
        {
            WindowsIdentity wid = securityContext.WindowsIdentity;

            if (!wid.IsAnonymous)
            {
                return(new WindowsPrincipal(wid));
            }

            WindowsSidIdentity wsid = securityContext.PrimaryIdentity as WindowsSidIdentity;

            if (wsid != null)
            {
                return(new WindowsSidPrincipal(wsid, securityContext));
            }

            return(AnonymousWindowsPrincipal);
        }
Exemple #6
0
        internal static void AppendIdentityName(StringBuilder str, IIdentity identity)
        {
            string name = null;

            try
            {
                name = identity.Name;
            }
#pragma warning suppress 56500
            catch (Exception e)
            {
                if (Fx.IsFatal(e))
                {
                    throw;
                }
                // suppress exception, this is just info.
            }

            str.Append(String.IsNullOrEmpty(name) ? "<null>" : name);
#if SUPPORTS_WINDOWSIDENTITY // NegotiateStream
            WindowsIdentity windows = identity as WindowsIdentity;
            if (windows != null)
            {
                if (windows.User != null)
                {
                    str.Append("; ");
                    str.Append(windows.User.ToString());
                }
            }
            else
            {
                WindowsSidIdentity sid = identity as WindowsSidIdentity;
                if (sid != null)
                {
                    str.Append("; ");
                    str.Append(sid.SecurityIdentifier.ToString());
                }
            }
#else
            throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported);
#endif // SUPPORTS_WINDOWSIDENTITY
        }
Exemple #7
0
        internal static void AppendIdentityName(StringBuilder str, IIdentity identity)
        {
            string name = null;

            try
            {
                name = identity.Name;
            }
            catch (Exception e)
            {
                if (Fx.IsFatal(e))
                {
                    throw;
                }
                // suppress exception, this is just info.
            }

            str.Append(string.IsNullOrEmpty(name) ? "<null>" : name);
            WindowsIdentity windows = identity as WindowsIdentity;

            if (windows != null)
            {
                if (windows.User != null)
                {
                    str.Append("; ");
                    str.Append(windows.User.ToString());
                }
            }
            else
            {
                WindowsSidIdentity sid = identity as WindowsSidIdentity;
                if (sid != null)
                {
                    str.Append("; ");
                    str.Append(sid.SecurityIdentifier.ToString());
                }
            }
        }
 public WindowsSidPrincipal(WindowsSidIdentity identity, ServiceSecurityContext securityContext)
 {
     _identity        = identity;
     _securityContext = securityContext;
 }
Exemple #9
0
        private IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
        {
            IDisposable disposable = null;

            try
            {
                if (isSecurityContextImpersonationOn)
                {
                    if (securityContext == null)
                    {
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SFxSecurityContextPropertyMissingFromRequestMessage")), rpc.Request);
                    }
                    WindowsIdentity windowsIdentity = securityContext.WindowsIdentity;
                    if (windowsIdentity.User == null)
                    {
                        if (securityContext.PrimaryIdentity is WindowsSidIdentity)
                        {
                            WindowsSidIdentity primaryIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
                            if (primaryIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
                            {
                                disposable = new WindowsAnonymousIdentity().Impersonate();
                                goto Label_0103;
                            }
                            using (WindowsIdentity identity3 = new WindowsIdentity(this.GetUpnFromDownlevelName(primaryIdentity.Name), "Kerberos"))
                            {
                                disposable = identity3.Impersonate();
                                goto Label_0103;
                            }
                        }
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecurityContextDoesNotAllowImpersonation", new object[] { rpc.Operation.Action })), rpc.Request);
                    }
                    disposable = windowsIdentity.Impersonate();
                }
                else if (AspNetEnvironment.Current.RequiresImpersonation && (rpc.HostingProperty != null))
                {
                    disposable = rpc.HostingProperty.Impersonate();
                }
Label_0103:
                SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.Operation);
                if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
                {
                    SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
                }
            }
            catch (Exception exception)
            {
                if (Fx.IsFatal(exception))
                {
                    throw;
                }
                SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.Operation, exception);
                if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
                {
                    try
                    {
                        string identityNamesFromContext;
                        if (securityContext != null)
                        {
                            identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
                        }
                        else
                        {
                            identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
                        }
                        SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, identityNamesFromContext, exception);
                    }
                    catch (Exception exception2)
                    {
                        if (Fx.IsFatal(exception2))
                        {
                            throw;
                        }
                        System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
                    }
                }
                throw;
            }
            return(disposable);
        }
        IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
        {
            IDisposable impersonationContext = null;

            try
            {
                if (isSecurityContextImpersonationOn)
                {
                    if (securityContext == null)
                    {
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SFxSecurityContextPropertyMissingFromRequestMessage)), rpc.Request);
                    }

                    WindowsIdentity impersonationToken = securityContext.WindowsIdentity;
                    if (impersonationToken.User != null)
                    {
                        impersonationContext = impersonationToken.Impersonate();
                    }
                    else if (securityContext.PrimaryIdentity is WindowsSidIdentity)
                    {
                        WindowsSidIdentity sidIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
                        if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
                        {
                            impersonationContext = new WindowsAnonymousIdentity().Impersonate();
                        }
                        else
                        {
                            string fullyQualifiedDomainName = GetUpnFromDownlevelName(sidIdentity.Name);
                            using (WindowsIdentity windowsIdentity = new WindowsIdentity(fullyQualifiedDomainName, SecurityUtils.AuthTypeKerberos))
                            {
                                impersonationContext = windowsIdentity.Impersonate();
                            }
                        }
                    }
                    else
                    {
                        throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecurityContextDoesNotAllowImpersonation, rpc.Operation.Action)), rpc.Request);
                    }
                }
                else if (AspNetEnvironment.Current.RequiresImpersonation)
                {
                    if (rpc.HostingProperty != null)
                    {
                        impersonationContext = rpc.HostingProperty.Impersonate();
                    }
                }

                SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.EventTraceActivity, rpc.Operation);

                // update the impersonation succeed audit
                if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
                {
                    SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation,
                                                                       this.suppressAuditFailure, rpc.Operation.Name, SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
                }
            }
            catch (Exception ex)
            {
                if (Fx.IsFatal(ex))
                {
                    throw;
                }
                SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.EventTraceActivity, rpc.Operation, ex);

                //
                // Update the impersonation failure audit
                // Copy SecurityAuthorizationBehavior.Audit level to here!!!
                //
                if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
                {
                    try
                    {
                        string primaryIdentity;
                        if (securityContext != null)
                        {
                            primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
                        }
                        else
                        {
                            primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
                        }

                        SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation,
                                                                           this.suppressAuditFailure, rpc.Operation.Name, primaryIdentity, ex);
                    }
#pragma warning suppress 56500
                    catch (Exception auditException)
                    {
                        if (Fx.IsFatal(auditException))
                        {
                            throw;
                        }

                        DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
                    }
                }

                throw;
            }

            return(impersonationContext);
        }
 private void WriteAuditEvent(AuditLevel auditLevel, X509Certificate2 certificate, WindowsSidIdentity wsid, Exception exception)
 {
     try
     {
         string clientIdentity = string.Empty;
         if (certificate != null)
         {
             clientIdentity = System.ServiceModel.Security.SecurityUtils.GetCertificateId(certificate);
         }
         else if (wsid != null)
         {
             clientIdentity = System.ServiceModel.Security.SecurityUtils.GetIdentityName(wsid);
         }
         if (auditLevel == AuditLevel.Success)
         {
             SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, clientIdentity);
         }
         else
         {
             SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, clientIdentity, exception);
         }
     }
     catch (Exception exception2)
     {
         if (Fx.IsFatal(exception2) || (auditLevel == AuditLevel.Success))
         {
             throw;
         }
         DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
     }
 }
        internal SecurityMessageProperty ValidateSecurity(MsmqInputMessage msmqMessage)
        {
            SecurityMessageProperty property        = null;
            X509Certificate2        certificate     = null;
            WindowsSidIdentity      primaryIdentity = null;

            try
            {
                if (MsmqAuthenticationMode.Certificate == base.ReceiveParameters.TransportSecurity.MsmqAuthenticationMode)
                {
                    try
                    {
                        certificate = new X509Certificate2(msmqMessage.SenderCertificate.GetBufferCopy(msmqMessage.SenderCertificateLength.Value));
                        X509SecurityToken token = new X509SecurityToken(certificate, false);
                        ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = this.x509SecurityTokenAuthenticator.ValidateToken(token);
                        property = new SecurityMessageProperty {
                            TransportToken         = new SecurityTokenSpecification(token, tokenPolicies),
                            ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies)
                        };
                        goto Label_01C4;
                    }
                    catch (SecurityTokenValidationException exception)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("MsmqBadCertificate"), exception));
                    }
                    catch (CryptographicException exception2)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("MsmqBadCertificate"), exception2));
                    }
                }
                if (MsmqAuthenticationMode.WindowsDomain == base.ReceiveParameters.TransportSecurity.MsmqAuthenticationMode)
                {
                    byte[] bufferCopy = msmqMessage.SenderId.GetBufferCopy(msmqMessage.SenderIdLength.Value);
                    if (bufferCopy.Length == 0)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("MsmqNoSid")));
                    }
                    SecurityIdentifier resource = new SecurityIdentifier(bufferCopy, 0);
                    List <Claim>       claims   = new List <Claim>(2)
                    {
                        new Claim(ClaimTypes.Sid, resource, Rights.Identity),
                        Claim.CreateWindowsSidClaim(resource)
                    };
                    ClaimSet issuance = new DefaultClaimSet(ClaimSet.System, claims);
                    List <IAuthorizationPolicy> list2 = new List <IAuthorizationPolicy>(1);
                    primaryIdentity = new WindowsSidIdentity(resource);
                    list2.Add(new UnconditionalPolicy(primaryIdentity, issuance));
                    ReadOnlyCollection <IAuthorizationPolicy> onlys2 = list2.AsReadOnly();
                    property = new SecurityMessageProperty {
                        TransportToken         = new SecurityTokenSpecification(null, onlys2),
                        ServiceSecurityContext = new ServiceSecurityContext(onlys2)
                    };
                }
            }
            catch (Exception exception3)
            {
                if (Fx.IsFatal(exception3))
                {
                    throw;
                }
                if (AuditLevel.Failure == (base.AuditBehavior.MessageAuthenticationAuditLevel & AuditLevel.Failure))
                {
                    this.WriteAuditEvent(AuditLevel.Failure, certificate, primaryIdentity, null);
                }
                throw;
            }
Label_01C4:
            if ((property != null) && (AuditLevel.Success == (base.AuditBehavior.MessageAuthenticationAuditLevel & AuditLevel.Success)))
            {
                this.WriteAuditEvent(AuditLevel.Success, certificate, primaryIdentity, null);
            }
            return(property);
        }