public async Task ShouldGetTokenWithUserName(GetTokenWithUserNameData data) { var request = new WsTrustRequest(WsTrustActions.Trust13.Issue) { KeyType = WsTrustKeyTypes.Trust13.Bearer, AppliesTo = new AppliesTo(new EndpointReference("urn:tests")) }; var client = _fixture.CreateWsTrust13UserNameClient(data.UserName, data.Password); var exception = null as Exception; var token = null as SecurityToken; try { var response = await client.IssueAsync(request); token = response.GetRequestedSecurityToken(); } catch (Exception ex) { exception = ex; } if (data.ShouldFail) { Assert.NotNull(exception); Assert.IsType <MessageSecurityException>(exception); } else { Assert.NotNull(token); } }
public async Task ShouldNotValidateAlteredSignedToken(string base64) { using (var certificate = new X509Certificate2(Convert.FromBase64String(base64))) { var request = new WsTrustRequest(WsTrustActions.Trust13.Issue) { KeyType = WsTrustKeyTypes.Trust13.Bearer, AppliesTo = new AppliesTo(new EndpointReference("urn:tests")) }; var settings = new XmlWriterSettings { Indent = true }; var client = _fixture.CreateWsTrust13CertificateClient(certificate, settings); var exception = null as Exception; try { _ = await client.IssueAsync(request); } catch (Exception ex) { exception = ex; } Assert.NotNull(exception); Assert.IsType <MessageSecurityException>(exception); } }
protected virtual async ValueTask <SecurityKey> CreateProofKeyAsync(WsTrustRequest request, Scope scope, WsTrustSecurityTokenDescriptor descriptor, CancellationToken cancellationToken) { var keyType = request.KeyType; // asymmetric and psha1 // not supported at this moment if (keyType == Constants.WsTrustKeyTypes.PublicKey || keyType == Constants.WsTrustKeyTypes.PSHA1) { throw new NotSupportedException($"Key type '{keyType}' not supported at this time."); } if (keyType == Constants.WsTrustKeyTypes.Bearer) { return(null); } // symmetric if (request.ComputedKeyAlgorithm != null && request.ComputedKeyAlgorithm != "http://schemas.microsoft.com/idfx/computedkeyalgorithm/psha1") { throw new NotSupportedException($"Computed key algortihm '{request.ComputedKeyAlgorithm}' not supported at this time."); } if (descriptor.ProofKeyEncryptingCredentials == null && scope.RelyingParty.RequiresEncryptedSymmetricKeys) { throw new InvalidOperationException("Cannot created proof token with no encrypting credentials."); } if (scope.EncryptingCredentials == null && scope.RelyingParty.RequiresEncryptedToken) { throw new InvalidOperationException("Missing encrypting credentials."); } return(await CreateSymmetricProofKeyAsync(request.KeySizeInBits.Value)); }
public async Task WsTrustRequestGenericCloudUrnTest() { WsTrustAddress address = new WsTrustAddress() { Uri = new Uri("https://some/address/usernamemixed"), Version = WsTrustVersion.WsTrust13 }; HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(File.ReadAllText("WsTrustResponse.xml")) } }); HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(File.ReadAllText("WsTrustResponse.xml")) } }); WsTrustResponse wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserPasswordCredential(TestConstants.DefaultDisplayableId, TestConstants.DefaultPassword), null, TestConstants.CloudAudienceUrn); Assert.IsNotNull(wstResponse.Token); wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, TestConstants.CloudAudienceUrn); Assert.IsNotNull(wstResponse.Token); }
public async Task <WsTrustResponse> ValidateAsync(WsTrustRequest request) { var requestMessage = CreateMessage(request, _constants.WsTrustActions.ValidateRequest); var responseMessage = await ValidateAsync(requestMessage); return(ReadResponse(responseMessage)); }
/// <summary> /// Creates a <see cref="WsTrustRequest"/> from the <see cref="WSTrustTokenParameters"/> /// </summary> /// <returns></returns> protected virtual WsTrustRequest CreateWsTrustRequest() { EndpointAddress target = SecurityTokenRequirement.GetProperty <EndpointAddress>(TargetAddressProperty); int keySize; string keyType; switch (WSTrustTokenParameters.KeyType) { case SecurityKeyType.AsymmetricKey: keySize = DefaultPublicKeySize; keyType = _requestSerializationContext.TrustKeyTypes.PublicKey; break; case SecurityKeyType.SymmetricKey: keySize = _securityAlgorithmSuite.DefaultSymmetricKeyLength; keyType = _requestSerializationContext.TrustKeyTypes.Symmetric; break; case SecurityKeyType.BearerKey: keySize = 0; keyType = _requestSerializationContext.TrustKeyTypes.Bearer; break; default: throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new NotSupportedException(LogHelper.FormatInvariant("KeyType is not supported: {0}", WSTrustTokenParameters.KeyType)), System.Diagnostics.Tracing.EventLevel.Error); } Entropy entropy = null; if (WSTrustTokenParameters.KeyType != SecurityKeyType.BearerKey && (KeyEntropyMode == SecurityKeyEntropyMode.ClientEntropy || KeyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy)) { byte[] entropyBytes = new byte[keySize / 8]; Psha1KeyGenerator.FillRandomBytes(entropyBytes); entropy = new Entropy(new BinarySecret(entropyBytes)); } var trustRequest = new WsTrustRequest(_requestSerializationContext.TrustActions.Issue) { AppliesTo = new AppliesTo(new EndpointReference(target.Uri.OriginalString)), Context = RequestContext, KeySizeInBits = keySize, KeyType = keyType, WsTrustVersion = _requestSerializationContext.TrustVersion }; if (SecurityTokenRequirement.TokenType != null) { trustRequest.TokenType = SecurityTokenRequirement.TokenType; } if (entropy != null) { trustRequest.Entropy = entropy; trustRequest.ComputedKeyAlgorithm = _requestSerializationContext.TrustKeyTypes.PSHA1; } return(trustRequest); }
internal override async Task PreTokenRequest() { await base.PreTokenRequest().ConfigureAwait(false); if (this.PerformUserRealmDiscovery()) { UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(this.Authenticator.UserRealmUri, this.userCredential.UserName, this.CallState).ConfigureAwait(false); PlatformPlugin.Logger.Information(this.CallState, string.Format("User with hash '{0}' detected as '{1}'", PlatformPlugin.CryptographyHelper.CreateSha256Hash(this.userCredential.UserName), userRealmResponse.AccountType)); if (string.Compare(userRealmResponse.AccountType, "federated", StringComparison.OrdinalIgnoreCase) == 0) { if (string.IsNullOrWhiteSpace(userRealmResponse.FederationMetadataUrl)) { throw new MsalException(MsalError.MissingFederationMetadataUrl); } WsTrustAddress wsTrustAddress = await MexParser.FetchWsTrustAddressFromMexAsync(userRealmResponse.FederationMetadataUrl, this.userCredential.UserAuthType, this.CallState).ConfigureAwait(false); PlatformPlugin.Logger.Information(this.CallState, string.Format("WS-Trust endpoint '{0}' fetched from MEX at '{1}'", wsTrustAddress.Uri, userRealmResponse.FederationMetadataUrl)); WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, this.userCredential, this.CallState).ConfigureAwait(false); PlatformPlugin.Logger.Information(this.CallState, string.Format("Token of type '{0}' acquired from WS-Trust endpoint", wsTrustResponse.TokenType)); // We assume that if the response token type is not SAML 1.1, it is SAML 2 this.userAssertion = new UserAssertion(wsTrustResponse.Token, (wsTrustResponse.TokenType == WsTrustResponse.Saml1Assertion) ? OAuthGrantType.Saml11Bearer : OAuthGrantType.Saml20Bearer, this.userCredential.UserName); } else { throw new MsalException(MsalError.UnsupportedUserType); } } }
public async Task CloudAudienceUrnNullTest() { AuthenticationContext context = new AuthenticationContext(TestConstants.DefaultAuthorityCommonTenant); await context.Authenticator.UpdateFromTemplateAsync(null); UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, TestConstants.DefaultDisplayableId, null); WsTrustAddress address = new WsTrustAddress() { Uri = new Uri("https://some/address/usernamemixed"), Version = WsTrustVersion.WsTrust13 }; HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler() { Method = HttpMethod.Post, ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(File.ReadAllText("WsTrustResponse.xml")) } }); WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, null); VerifyCloudInstanceUrnResponse(userRealmResponse.CloudAudienceUrn, "urn:federation:MicrosoftOnline"); }
/// <summary> /// Makes a WSTrust call to the STS to obtain a <see cref="SecurityToken"/> first checking if the token is available in the cache. /// </summary> /// <returns>A <see cref="GenericXmlSecurityToken"/>.</returns> protected override SecurityToken GetTokenCore(TimeSpan timeout) { _communicationObject.ThrowIfClosedOrNotOpen(); WsTrustRequest request = CreateWsTrustRequest(); WsTrustResponse trustResponse = GetCachedResponse(request); if (trustResponse is null) { using (var memeoryStream = new MemoryStream()) { var writer = XmlDictionaryWriter.CreateTextWriter(memeoryStream, Encoding.UTF8); var serializer = new WsTrustSerializer(); serializer.WriteRequest(writer, _requestSerializationContext.TrustVersion, request); writer.Flush(); var reader = XmlDictionaryReader.CreateTextReader(memeoryStream.ToArray(), XmlDictionaryReaderQuotas.Max); IRequestChannel channel = ChannelFactory.CreateChannel(); try { channel.Open(); Message reply = channel.Request(Message.CreateMessage(MessageVersion.Soap12WSAddressing10, _requestSerializationContext.TrustActions.IssueRequest, reader)); SecurityUtils.ThrowIfNegotiationFault(reply, channel.RemoteAddress); trustResponse = serializer.ReadResponse(reply.GetReaderAtBodyContents()); CacheSecurityTokenResponse(request, trustResponse); } finally { channel.Close(); } } } return(WSTrustUtilities.CreateGenericXmlSecurityToken(request, trustResponse, _requestSerializationContext, _securityAlgorithmSuite)); }
public WsTrustRequestBodyWriter(WsTrustVersion version, WsTrustSerializer serializer, WsTrustRequest request) : base(true) { _version = version; _request = request; _serializer = serializer; }
/// <summary> /// Gets the <see cref="WsSerializationContext"/> to use when serializing the <see cref="WsTrustRequest"/>. /// </summary> /// <param name="trustRequest">The <see cref="WsTrustRequest"/> that will be serialized. /// <returns>The <see cref="WsSerializationContext"/> for the <see cref="WsTrustRequest"/>.</returns> private WsSerializationContext GetSerializationContext(WsTrustRequest trustRequest) { _ = trustRequest ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(trustRequest)); if (trustRequest.WsTrustVersion == WsTrustVersion.TrustFeb2005) { if (_wsSerializationContextTrustFeb2005 == null) { _wsSerializationContextTrustFeb2005 = new WsSerializationContext(trustRequest.WsTrustVersion); } return(_wsSerializationContextTrustFeb2005); } else if (trustRequest.WsTrustVersion == WsTrustVersion.Trust13) { if (_wsSerializationContextTrust1_3 == null) { _wsSerializationContextTrust1_3 = new WsSerializationContext(trustRequest.WsTrustVersion); } return(_wsSerializationContextTrust1_3); } else if (trustRequest.WsTrustVersion == WsTrustVersion.Trust14) { if (_wsSerializationContextTrust1_4 == null) { _wsSerializationContextTrust1_4 = new WsSerializationContext(trustRequest.WsTrustVersion); } return(_wsSerializationContextTrust1_4); } throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetResourceString(SR.WsTrustVersionNotSupported, trustRequest.WsTrustVersion.ToString()))); }
/// <summary> /// Creates a <see cref="Message"/> that represents a the <see cref="WsTrustRequest"/>. /// </summary> /// <param name="trustRequest">The <see cref="WsTrustRequest"/> to serialize into the message.</param> /// <returns>The <see cref="Message" /> that represents the <see cref="WsTrustRequest"/>.</returns> protected virtual Message CreateRequest(WsTrustRequest trustRequest) { _ = trustRequest ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(trustRequest)); return(Message.CreateMessage(MessageVersion, GetRequestAction(trustRequest), new WSTrustRequestBodyWriter(trustRequest, TrustSerializer))); }
/// <summary> /// Makes a WSTrust call to the STS to obtain a <see cref="SecurityToken"/> first checking if the token is available in the cache. /// </summary> /// <returns>A <see cref="GenericXmlSecurityToken"/>.</returns> protected override SecurityToken GetTokenCore(TimeSpan timeout) { WsTrustRequest request = CreateWsTrustRequest(); WsTrustResponse trustResponse = GetCachedResponse(request); if (trustResponse is null) { using (var memeoryStream = new MemoryStream()) { var writer = XmlDictionaryWriter.CreateTextWriter(memeoryStream, Encoding.UTF8); var serializer = new WsTrustSerializer(); serializer.WriteRequest(writer, _requestSerializationContext.TrustVersion, request); writer.Flush(); var reader = XmlDictionaryReader.CreateTextReader(memeoryStream.ToArray(), XmlDictionaryReaderQuotas.Max); IRequestChannel channel = ChannelFactory.CreateChannel(); Message reply = channel.Request(Message.CreateMessage(MessageVersion.Soap12WSAddressing10, _requestSerializationContext.TrustActions.IssueRequest, reader)); SecurityUtils.ThrowIfNegotiationFault(reply, channel.RemoteAddress); trustResponse = serializer.ReadResponse(reply.GetReaderAtBodyContents()); CacheSecurityTokenResponse(request, trustResponse); } } // Create GenericXmlSecurityToken // Assumes that token is first and Saml2SecurityToken. using (var stream = new MemoryStream()) { RequestSecurityTokenResponse response = trustResponse.RequestSecurityTokenResponseCollection[0]; // Get attached and unattached references GenericXmlSecurityKeyIdentifierClause internalSecurityKeyIdentifierClause = null; if (response.AttachedReference != null) { internalSecurityKeyIdentifierClause = GetSecurityKeyIdentifierForTokenReference(response.AttachedReference); } GenericXmlSecurityKeyIdentifierClause externalSecurityKeyIdentifierClause = null; if (response.UnattachedReference != null) { externalSecurityKeyIdentifierClause = GetSecurityKeyIdentifierForTokenReference(response.UnattachedReference); } // Get proof token IdentityModel.Tokens.SecurityToken proofToken = GetProofToken(request, response); // Get lifetime DateTime created = response.Lifetime?.Created ?? DateTime.UtcNow; DateTime expires = response.Lifetime?.Expires ?? created.AddDays(1); return(new GenericXmlSecurityToken(response.RequestedSecurityToken.TokenElement, proofToken, created, expires, internalSecurityKeyIdentifierClause, externalSecurityKeyIdentifierClause, null)); } }
static async Task Main(string[] args) { IdentityModelEventSource.ShowPII = true; await Task.Delay(5000); var claims = new[] { new Claim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString()), new Claim(ClaimTypes.Name, "username") }; var identity = new ClaimsIdentity(claims, "Sample"); var handler = new Saml2SecurityTokenHandler(); var parameters = CreateRsaParameters(); using var rsa = new RSACryptoServiceProvider(); rsa.ImportParameters(parameters); var descriptor = new SecurityTokenDescriptor { Issuer = "urn:sample.identityprovider", Audience = "urn:sample.issuer", IssuedAt = DateTime.UtcNow, NotBefore = DateTime.UtcNow.AddMinutes(-5), Expires = DateTime.UtcNow.AddHours(2), Subject = identity, SigningCredentials = SignatureMethod.RsaSha256.CreateCredentials(new RsaSecurityKey(rsa)) }; var token = handler.CreateToken(descriptor); var binding = new WsTrustIssuedTokenBinding(); var endpoint = new EndpointAddress("https://localhost:5001/trust/13"); var factory = new WsTrustChannelFactory(binding, endpoint); factory.SecurityTokenHandlers.Add(handler); for (var i = 0; i < iterations; i++) { var channel = factory.CreateChannelWithIssuedToken(token); var request = new WsTrustRequest(WsTrustConstants.Trust13.WsTrustActions.Issue) { KeyType = WsTrustKeyTypes.Trust13.Bearer, AppliesTo = new AppliesTo(new EndpointReference("urn:sample:relyingparty")) }; var response = await channel.IssueAsync(request); var requestedToken = response.GetRequestedSecurityToken() as GenericXmlSecurityToken; var assertion = requestedToken.Element.OuterXml; Console.WriteLine(assertion); } Console.ReadKey(); }
private void CacheSecurityTokenResponse(WsTrustRequest request, WsTrustResponse response) { if (WSTrustTokenParameters.CacheIssuedTokens) { // If cached responses are stored in a shared cache in the future, that cache should be written // to here, possibly including serializing the WsTrustResponse if the cache stores byte[] (as // IDistributedCache does). CachedResponse = response; } }
public async Task WsTrustRequestTest() { var federatedSts = SetupStsService(StsType.AADFederatedWithADFS3); AuthenticationContext context = new AuthenticationContext(federatedSts.Authority, federatedSts.ValidateAuthority); await context.Authenticator.UpdateFromTemplateAsync(null); UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, federatedSts.ValidUserName, null); XDocument mexDocument = await FecthMexAsync(userRealmResponse.FederationMetadataUrl); Verify.IsNotNull(mexDocument); WsTrustAddress wsTrustAddress = MexParser.ExtractWsTrustAddressFromMex(mexDocument, UserAuthType.UsernamePassword, null); Verify.IsNotNull(wsTrustAddress); WsTrustResponse wstResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, new UserCredential(federatedSts.ValidUserName, federatedSts.ValidPassword), null); Verify.IsNotNull(wstResponse.Token); Verify.IsTrue(wstResponse.TokenType.Contains("SAML")); SecureString securePassword = new SecureString(); foreach (var ch in federatedSts.ValidPassword) { securePassword.AppendChar(ch); } wstResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, new UserCredential(federatedSts.ValidUserName, securePassword), null); Verify.IsNotNull(wstResponse.Token); Verify.IsTrue(wstResponse.TokenType.Contains("SAML")); try { await WsTrustRequest.SendRequestAsync(new WsTrustAddress { Uri = new Uri(wsTrustAddress.Uri.AbsoluteUri + "x") }, new UserCredential(federatedSts.ValidUserName, federatedSts.ValidPassword), null); } catch (AdalException ex) { Verify.IsNotNull(ex.ErrorCode, AdalError.FederatedServiceReturnedError); Verify.IsNotNull(ex.InnerException); } try { await WsTrustRequest.SendRequestAsync(new WsTrustAddress { Uri = new Uri(wsTrustAddress.Uri.AbsoluteUri) }, new UserCredential(federatedSts.ValidUserName, "InvalidPassword"), null); } catch (AdalException ex) { Verify.IsNotNull(ex.ErrorCode, AdalError.FederatedServiceReturnedError); Verify.IsNotNull(ex.InnerException); } }
public async Task ShouldValidateIssuerAsAudience() { var request = new WsTrustRequest(WsTrustActions.Trust13.Issue) { KeyType = WsTrustKeyTypes.Trust13.Bearer, AppliesTo = new AppliesTo(new EndpointReference("urn:tests")) }; var client = _fixture.CreateWsTrust13IssuedTokenClient("userName", appliesTo: WsTrustTestsFixture.Issuer); var token = await client.IssueAsync(request); Assert.NotNull(token); }
public void WsTrustRequestXmlFormatTest() { UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'"); StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto", new WsTrustAddress { Uri = new Uri("some://resource") }, cred); // Expecting XML to be valid XmlDocument doc = new XmlDocument(); doc.LoadXml("<?xml version=\"1.0\"?>" + sb.ToString()); }
public void WsTrustRequestXmlFormatTest() { // Arrange UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'"); // Act StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto", new WsTrustAddress { Uri = new Uri("some://resource") }, cred); // Assert XmlReaderSettings readerSettings = new XmlReaderSettings(); readerSettings.XmlResolver = null; readerSettings.IgnoreWhitespace = true; readerSettings.ConformanceLevel = ConformanceLevel.Fragment; readerSettings.DtdProcessing = DtdProcessing.Ignore; // Load the fragment, validating it against the XSDs List <string> validationIssues = new List <string>(); readerSettings.ValidationFlags = XmlSchemaValidationFlags.ReportValidationWarnings; readerSettings.ValidationType = ValidationType.Schema; readerSettings.Schemas = CreateWsTrustEnvelopeSchemaSet(); readerSettings.ValidationEventHandler += (s, e) => { validationIssues.Add(e.Severity + " " + e.Message); }; XmlDocument document = new XmlDocument(); using (var xmlReader = XmlTextReader.Create(new StringReader(sb.ToString()), readerSettings)) { document.Load(xmlReader); } Debug.WriteLine("All validation issues:"); Debug.WriteLine(string.Join("\r\n", validationIssues.ToArray())); // Filter out "expected" schema-validation messages. // The real ws-trust XML namespace is http://docs.oasis-open.org/ws-sx/ws-trust/200512/ i.e. with a trailing slash. However, we use // the namespace without a trailing slash as this is what the server expects, so we expect validation messages about missing elements const string invalidTrustNamespaceMessageContent = "Could not find schema information for the element 'http://docs.oasis-open.org/ws-sx/ws-trust/200512:"; List <string> unexpectedValidationIssues = validationIssues.Where(i => !i.Contains(invalidTrustNamespaceMessageContent)).ToList(); Assert.AreEqual(0, unexpectedValidationIssues.Count, "Not expecting any XML schema validation errors. See the test output for the validation errors."); }
private WsTrustResponse GetCachedResponse(WsTrustRequest request) { if (WSTrustTokenParameters.CacheIssuedTokens && CachedResponse != null) { // If cached responses are read from shared caches in the future, then that cache should be read here // and, if necessary, translated (perhaps via deserialization) into a WsTrustResponse. if (!IsWsTrustResponseExpired(CachedResponse)) { return(CachedResponse); } } return(null); }
public async Task ShouldValidateRequestUrlAsAudience() { var request = new WsTrustRequest(WsTrustActions.Trust13.Issue) { KeyType = WsTrustKeyTypes.Trust13.Bearer, AppliesTo = new AppliesTo(new EndpointReference("urn:tests")) }; var client = _fixture.CreateWsTrust13IssuedTokenClient("userName", appliesTo: $"{_fixture.TestingServer.BaseAddress}trust/13"); var response = await client.IssueAsync(request); var token = response.GetRequestedSecurityToken(); Assert.NotNull(token); }
public async Task ShouldValidateTokenWithEmbeddedCertificate(string clientTokenType) { var request = new WsTrustRequest(WsTrustActions.Trust13.Issue) { KeyType = WsTrustKeyTypes.Trust13.Bearer, AppliesTo = new AppliesTo(new EndpointReference("urn:tests")) }; var client = _fixture.CreateWsTrust13IssuedTokenClient("userName", issuer: "urn:test:issuer:embedded_cert", clientTokenType: clientTokenType); var response = await client.IssueAsync(request); var token = response.GetRequestedSecurityToken(); Assert.NotNull(token); }
public async Task CloudAudienceUrnTest() { AuthenticationContext context = new AuthenticationContext(TestConstants.DefaultAuthorityCommonTenant); await context.Authenticator.UpdateFromTemplateAsync(null); HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(TestConstants.GetUserRealmEndpoint(TestConstants.DefaultAuthorityCommonTenant) + "/" + TestConstants.DefaultDisplayableId) { Method = HttpMethod.Get, ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent("{\"ver\":\"1.0\",\"account_type\":\"Federated\",\"domain_name\":\"microsoft.com\"," + "\"federation_protocol\":\"WSTrust\",\"federation_metadata_url\":" + "\"https://msft.sts.microsoft.com/adfs/services/trust/mex\"," + "\"federation_active_auth_url\":\"https://msft.sts.microsoft.com/adfs/services/trust/2005/usernamemixed\"" + ",\"cloud_audience_urn\":\"urn:federation:Blackforest\"" + ",\"cloud_instance_name\":\"login.microsoftonline.com\"}") }, QueryParams = new Dictionary <string, string>() { { "api-version", "1.0" } } }); UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, TestConstants.DefaultDisplayableId, CallState.Default); WsTrustAddress address = new WsTrustAddress() { Uri = new Uri("https://some/address/usernamemixed"), Version = WsTrustVersion.WsTrust13 }; HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler("https://some/address/usernamemixed") { Method = HttpMethod.Post, ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(File.ReadAllText("WsTrustResponse13.xml")) } }); WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, userRealmResponse.CloudAudienceUrn); VerifyCloudInstanceUrnResponse("urn:federation:Blackforest", userRealmResponse.CloudAudienceUrn); // All mocks are consumed Assert.AreEqual(0, HttpMessageHandlerFactory.MockHandlersCount()); }
protected override async Task PreTokenRequestAsync() { await base.PreTokenRequestAsync().ConfigureAwait(false); if (this.PerformUserRealmDiscovery()) { UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(this.Authenticator.UserRealmUri, this.userCredential.UserName, this.CallState).ConfigureAwait(false); CallState.Logger.InformationPii(CallState, string.Format(CultureInfo.CurrentCulture, " User with user name '{0}' detected as '{1}'", userCredential.UserName, userRealmResponse.AccountType)); if (string.Compare(userRealmResponse.AccountType, "federated", StringComparison.OrdinalIgnoreCase) == 0) { if (string.IsNullOrWhiteSpace(userRealmResponse.FederationMetadataUrl)) { throw new AdalException(AdalError.MissingFederationMetadataUrl); } WsTrustAddress wsTrustAddress = await MexParser.FetchWsTrustAddressFromMexAsync(userRealmResponse.FederationMetadataUrl, this.userCredential.UserAuthType, this.CallState).ConfigureAwait(false); CallState.Logger.InformationPii(CallState, string.Format(CultureInfo.CurrentCulture, " WS-Trust endpoint '{0}' fetched from MEX at '{1}'", wsTrustAddress.Uri, userRealmResponse.FederationMetadataUrl)); WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, this.userCredential, this.CallState, userRealmResponse.CloudAudienceUrn).ConfigureAwait(false); var msg = string.Format(CultureInfo.CurrentCulture, " Token of type '{0}' acquired from WS-Trust endpoint", wsTrustResponse.TokenType); CallState.Logger.Information(this.CallState, msg); CallState.Logger.InformationPii(this.CallState, msg); // We assume that if the response token type is not SAML 1.1, it is SAML 2 this.userAssertion = new UserAssertion(wsTrustResponse.Token, (wsTrustResponse.TokenType == WsTrustResponse.Saml1Assertion) ? OAuthGrantType.Saml11Bearer : OAuthGrantType.Saml20Bearer); } else if (string.Compare(userRealmResponse.AccountType, "managed", StringComparison.OrdinalIgnoreCase) == 0) { // handle password grant flow for the managed user if (this.userCredential.PasswordToCharArray() == null) { throw new AdalException(AdalError.PasswordRequiredForManagedUserError); } } else { throw new AdalException(AdalError.UnknownUserType); } } }
public async Task ShouldGetToken(GetTokenData data) { var request = new WsTrustRequest(WsTrustActions.Trust13.Issue) { KeyType = WsTrustKeyTypes.Trust13.Bearer, AppliesTo = new AppliesTo(new EndpointReference("urn:tests")), TokenType = data.TokenTypeIdentifier }; var client = _fixture.CreateWsTrust13IssuedTokenClient("userName"); var response = await client.IssueAsync(request); var token = response.GetRequestedSecurityToken(); Assert.NotNull(token); data.AssertToken(_fixture, token); }
public async Task WsTrustRequestXmlFormatTest() { UserCredential cred = new UserCredential("user", "pass&<>\"'"); StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto", new WsTrustAddress { Uri = new Uri("resource") }, cred); try { XmlDocument doc = new XmlDocument(); doc.LoadXml("<?xml version=\"1.0\"?>" + sb.ToString()); } catch (Exception ex) { Verify.Fail("Not expected"); } }
public void WsTrustRequestXmlFormatTest() { // Arrange UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'"); // Act StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto", new WsTrustAddress { Uri = new Uri("some://resource") }, cred); // Assert XmlReaderSettings readerSettings = new XmlReaderSettings(); readerSettings.XmlResolver = null; readerSettings.IgnoreWhitespace = true; readerSettings.ConformanceLevel = ConformanceLevel.Fragment; readerSettings.DtdProcessing = DtdProcessing.Ignore; // Load the fragment, validating it against the XSDs List <string> validationIssues = new List <string>(); readerSettings.ValidationFlags = XmlSchemaValidationFlags.ReportValidationWarnings; readerSettings.ValidationType = ValidationType.Schema; readerSettings.Schemas = CreateWsTrustEnvelopeSchemaSet(); readerSettings.ValidationEventHandler += (s, e) => { validationIssues.Add(e.Severity + " " + e.Message); }; XmlDocument document = new XmlDocument(); using (var xmlReader = XmlTextReader.Create(new StringReader(sb.ToString()), readerSettings)) { document.Load(xmlReader); } Debug.WriteLine("Validation issues:"); Debug.WriteLine(string.Join("\r\n", validationIssues.ToArray())); Assert.AreEqual(0, validationIssues.Count, "Not expecting any XML schema validation errors. See the test output for the validation errors."); }
/// <summary> /// Gets the WS-Addressing SOAP action that corresponds to the <see cref="WsTrustRequest"/>.RequestType and <see cref="WsTrustRequest"/>.WsTrustVersion. /// </summary> /// <param name="trustRequest">The <see cref="WsTrustRequest"/> to generate the WS-Addressing action. /// <returns>The WS-Addressing action to use.</returns> public static string GetRequestAction(WsTrustRequest trustRequest) { _ = trustRequest ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(trustRequest)); WsTrustActions wsTrustActions; if (trustRequest.WsTrustVersion == WsTrustVersion.Trust13) { wsTrustActions = WsTrustActions.Trust13; } else if (trustRequest.WsTrustVersion == WsTrustVersion.TrustFeb2005) { wsTrustActions = WsTrustActions.TrustFeb2005; } else if (trustRequest.WsTrustVersion == WsTrustVersion.Trust14) { wsTrustActions = WsTrustActions.Trust14; } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetResourceString(SR.WsTrustVersionNotSupported, trustRequest.WsTrustVersion.ToString()))); } if (trustRequest.RequestType.Equals(wsTrustActions.Issue)) { return(wsTrustActions.IssueRequest); } else if (trustRequest.RequestType.Equals(wsTrustActions.Cancel)) { return(wsTrustActions.CancelRequest); } else if (trustRequest.RequestType.Equals(wsTrustActions.Renew)) { return(wsTrustActions.RenewRequest); } else if (trustRequest.RequestType.Equals(wsTrustActions.Validate)) { return(wsTrustActions.ValidateRequest); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetResourceString(SR.RequestTypeNotSupported, trustRequest.RequestType))); } }
public async Task WsTrustRequestXmlFormatTest() { await Task.Factory.StartNew(() => { UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'"); StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto", new WsTrustAddress { Uri = new Uri("some://resource") }, cred); try { XmlDocument doc = new XmlDocument(); doc.LoadXml("<?xml version=\"1.0\"?>" + sb.ToString()); } catch (Exception ex) { Assert.Fail("Not expected -- " + ex.Message); } }); }
public async Task WsTrustRequestGenericCloudUrnTestAsync() { HttpMessageHandlerFactory.InitializeMockProvider(); string URI = "https://some/address/usernamemixed"; WsTrustAddress address = new WsTrustAddress() { Uri = new Uri(URI), Version = WsTrustVersion.WsTrust13 }; HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(URI) { Method = HttpMethod.Post, ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(File.ReadAllText("WsTrustResponse13.xml")) } }); HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(URI) { Method = HttpMethod.Post, ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(File.ReadAllText("WsTrustResponse13.xml")) } }); WsTrustResponse wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserPasswordCredential(TestConstants.DefaultDisplayableId, TestConstants.DefaultPassword), null, TestConstants.CloudAudienceUrn).ConfigureAwait(false); Assert.IsNotNull(wstResponse.Token); wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, TestConstants.CloudAudienceUrn).ConfigureAwait(false); Assert.IsNotNull(wstResponse.Token); // All mocks are consumed Assert.AreEqual(0, HttpMessageHandlerFactory.MockHandlersCount()); }