public void IsIssuedSecurityTokenRequirement ()
{
ServiceModelSecurityTokenRequirement r;
MyManager mgr = new MyManager (new MyClientCredentials ());
r = new InitiatorServiceModelSecurityTokenRequirement ();
MySslSecurityTokenParameters ssl =
new MySslSecurityTokenParameters ();
ssl.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "ssl");
r = new InitiatorServiceModelSecurityTokenRequirement ();
MySspiSecurityTokenParameters sspi =
new MySspiSecurityTokenParameters ();
sspi.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "sspi");
r = new InitiatorServiceModelSecurityTokenRequirement ();
MyIssuedSecurityTokenParameters issued =
new MyIssuedSecurityTokenParameters ();
issued.InitRequirement (r);
Assert.IsTrue (mgr.IsIssued (r), "issued");
// r = new InitiatorServiceModelSecurityTokenRequirement ();
// MySecureConversationSecurityTokenParameters sc =
// new MySecureConversationSecurityTokenParameters ();
// sc.InitRequirement (r);
// Assert.IsFalse (mgr.IsIssued (r), "sc");
}
public SslStreamSecurityUpgradeInitiator(SslStreamSecurityUpgradeProvider parent, EndpointAddress remoteAddress, Uri via) : base("application/ssl-tls", remoteAddress, via)
{
SecurityTokenResolver resolver;
this.parent = parent;
InitiatorServiceModelSecurityTokenRequirement tokenRequirement = new InitiatorServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
RequireCryptographicToken = true,
KeyUsage = SecurityKeyUsage.Exchange,
TargetAddress = remoteAddress,
Via = via,
TransportScheme = this.parent.Scheme
};
this.serverCertificateAuthenticator = parent.ClientSecurityTokenManager.CreateSecurityTokenAuthenticator(tokenRequirement, out resolver);
if (parent.RequireClientCertificate)
{
InitiatorServiceModelSecurityTokenRequirement requirement2 = new InitiatorServiceModelSecurityTokenRequirement {
TokenType = SecurityTokenTypes.X509Certificate,
RequireCryptographicToken = true,
KeyUsage = SecurityKeyUsage.Signature,
TargetAddress = remoteAddress,
Via = via,
TransportScheme = this.parent.Scheme
};
this.clientCertificateProvider = parent.ClientSecurityTokenManager.CreateSecurityTokenProvider(requirement2);
if (this.clientCertificateProvider == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialsUnableToCreateLocalTokenProvider", new object[] { requirement2 })));
}
}
}
SspiSecurityToken GetSpnegoClientCredential(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
{
InitiatorServiceModelSecurityTokenRequirement sspiCredentialRequirement = new InitiatorServiceModelSecurityTokenRequirement();
sspiCredentialRequirement.TargetAddress = initiatorRequirement.TargetAddress;
sspiCredentialRequirement.TokenType = ServiceModelSecurityTokenTypes.SspiCredential;
sspiCredentialRequirement.Via = initiatorRequirement.Via;
sspiCredentialRequirement.RequireCryptographicToken = false;
sspiCredentialRequirement.SecurityBindingElement = initiatorRequirement.SecurityBindingElement;
sspiCredentialRequirement.MessageSecurityVersion = initiatorRequirement.MessageSecurityVersion;
ChannelParameterCollection parameters;
if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out parameters))
{
sspiCredentialRequirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = parameters;
}
SecurityTokenProvider sspiTokenProvider = this.CreateSecurityTokenProvider(sspiCredentialRequirement);
SecurityUtils.OpenTokenProviderIfRequired(sspiTokenProvider, TimeSpan.Zero);
SspiSecurityToken sspiToken = (SspiSecurityToken) sspiTokenProvider.GetToken(TimeSpan.Zero);
SecurityUtils.AbortTokenProviderIfRequired(sspiTokenProvider);
return sspiToken;
}
string GetServicePrincipalName(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
{
EndpointAddress targetAddress = initiatorRequirement.TargetAddress;
if (targetAddress == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
}
IdentityVerifier identityVerifier;
SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
if (securityBindingElement != null)
{
identityVerifier = securityBindingElement.LocalClientSettings.IdentityVerifier;
}
else
{
identityVerifier = IdentityVerifier.CreateDefault();
}
EndpointIdentity identity;
identityVerifier.TryGetIdentity(targetAddress, out identity);
return SecurityUtils.GetSpnFromIdentity(identity, targetAddress);
}
SecurityTokenProvider CreateSpnegoTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
{
EndpointAddress targetAddress = initiatorRequirement.TargetAddress;
if (targetAddress == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
}
SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
if (securityBindingElement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
}
SspiIssuanceChannelParameter sspiChannelParameter = GetSspiIssuanceChannelParameter(initiatorRequirement);
bool negotiateTokenOnOpen = (sspiChannelParameter == null ? true : sspiChannelParameter.GetTokenOnOpen);
LocalClientSecuritySettings localClientSettings = securityBindingElement.LocalClientSettings;
BindingContext issuerBindingContext = initiatorRequirement.GetProperty<BindingContext>(ServiceModelSecurityTokenRequirement.IssuerBindingContextProperty);
SpnegoTokenProvider spnegoTokenProvider = new SpnegoTokenProvider(sspiChannelParameter != null ? sspiChannelParameter.CredentialsHandle : null, securityBindingElement);
SspiSecurityToken clientSspiToken = GetSpnegoClientCredential(initiatorRequirement);
spnegoTokenProvider.ClientCredential = clientSspiToken.NetworkCredential;
spnegoTokenProvider.IssuerAddress = initiatorRequirement.IssuerAddress;
spnegoTokenProvider.AllowedImpersonationLevel = parent.Windows.AllowedImpersonationLevel;
spnegoTokenProvider.AllowNtlm = clientSspiToken.AllowNtlm;
spnegoTokenProvider.IdentityVerifier = localClientSettings.IdentityVerifier;
spnegoTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;
// if this is not a supporting token, authenticate the server
spnegoTokenProvider.AuthenticateServer = !initiatorRequirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SupportingTokenAttachmentModeProperty);
spnegoTokenProvider.NegotiateTokenOnOpen = negotiateTokenOnOpen;
spnegoTokenProvider.CacheServiceTokens = negotiateTokenOnOpen || localClientSettings.CacheCookies;
spnegoTokenProvider.IssuerBindingContext = issuerBindingContext;
spnegoTokenProvider.MaxServiceTokenCachingTime = localClientSettings.MaxCookieCachingTime;
spnegoTokenProvider.ServiceTokenValidityThresholdPercentage = localClientSettings.CookieRenewalThresholdPercentage;
spnegoTokenProvider.StandardsManager = SecurityUtils.CreateSecurityStandardsManager(initiatorRequirement, this);
spnegoTokenProvider.TargetAddress = targetAddress;
spnegoTokenProvider.Via = initiatorRequirement.GetPropertyOrDefault<Uri>(InitiatorServiceModelSecurityTokenRequirement.ViaProperty, null);
spnegoTokenProvider.ApplicationProtectionRequirements = (issuerBindingContext != null) ? issuerBindingContext.BindingParameters.Find<ChannelProtectionRequirements>() : null;
spnegoTokenProvider.InteractiveNegoExLogonEnabled = this.ClientCredentials.SupportInteractive;
return spnegoTokenProvider;
}
public void CreateProviderAnonSslNoBindingElement ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.TargetAddress = new EndpointAddress ("http://localhost:8080");
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r);
Assert.IsNotNull (p, "#1");
}
SecurityTokenProvider CreateUncorrelatedDuplexSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
{
string tokenType = initiatorRequirement.TokenType;
SecurityTokenProvider result = null;
if (tokenType == SecurityTokenTypes.X509Certificate)
{
SecurityKeyUsage keyUsage = initiatorRequirement.KeyUsage;
if (keyUsage == SecurityKeyUsage.Exchange)
{
if (parent.ClientCertificate.Certificate == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCertificateNotProvidedOnServiceCredentials)));
}
result = new X509SecurityTokenProvider(parent.ClientCertificate.Certificate);
}
else
{
// this is a request for the server's own cert for signing
result = CreateServerX509TokenProvider();
}
}
return result;
}
public void CreateProviderDefault ()
{
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
def_c.CreateSecurityTokenProvider (r);
}
public void InitializeRequirement ()
{
MyX509SecurityTokenParameters p =
new MyX509SecurityTokenParameters ();
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
int before = r.Properties.Count;
p.InitRequirement (r);
Assert.AreEqual (1, r.Properties.Count - before, "#1"); // i.e. only TokenType is set.
Assert.AreEqual (SecurityTokenTypes.X509Certificate, r.TokenType, "#2");
}
public void CreateAuthenticatorRsa ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.Rsa;
SecurityTokenResolver resolver;
RsaSecurityTokenAuthenticator rsa =
def_c.CreateSecurityTokenAuthenticator (r, out resolver)
as RsaSecurityTokenAuthenticator;
Assert.IsNotNull (rsa, "#1");
Assert.IsNull (resolver, "#2"); // but probably non-null if there is RsaSecurityToken that could be somehow created from the credential.
}
public void SecureConvProviderOnlyWithIssuedParameters ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
IssuedSecurityTokenParameters ip =
new IssuedSecurityTokenParameters ();
ip.IssuerAddress = new EndpointAddress ("http://localhost:8080");
ip.IssuerBinding = new WSHttpBinding ();
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = ip;
def_c.CreateSecurityTokenProvider (r);
}
public void CreateProviderSecureConvNoKeySize ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
r.TargetAddress = new EndpointAddress ("http://localhost:8080");
r.SecurityBindingElement =
new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
/* it somehow does not cause an error ...
InitiatorServiceModelSecurityTokenRequirement r =
CreateRequirement ();
r.Properties.Remove (SecurityTokenRequirement.KeySizeProperty);
*/
def_c.CreateSecurityTokenProvider (r);
}
public void CreateProviderRsaDefault ()
{
// actually is Rsa usable here??
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.Rsa;
def_c.CreateSecurityTokenProvider (r);
}
public void CreateProviderUserName ()
{
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
def_c.ClientCredentials.UserName.UserName = "******";
UserNameSecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r)
as UserNameSecurityTokenProvider;
Assert.IsNotNull (p, "#1");
}
public void CreateProviderUserNameWithoutName ()
{
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
def_c.CreateSecurityTokenProvider (r);
}
public override SecurityTokenRequirement CreateRequirement ()
{
SecurityTokenRequirement r = new InitiatorServiceModelSecurityTokenRequirement ();
// r.Properties [ReqType.IssuerAddressProperty] = message_to;
r.Properties [ReqType.TargetAddressProperty] = message_to;
// FIXME: set Via
return r;
}
private SecurityTokenProvider CreateUncorrelatedDuplexSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
{
string tokenType = initiatorRequirement.TokenType;
SecurityTokenProvider provider = null;
if (!(tokenType == SecurityTokenTypes.X509Certificate))
{
return provider;
}
if (initiatorRequirement.KeyUsage == SecurityKeyUsage.Exchange)
{
if (this.parent.ClientCertificate.Certificate == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCertificateNotProvidedOnServiceCredentials")));
}
return new X509SecurityTokenProvider(this.parent.ClientCertificate.Certificate);
}
return this.CreateServerX509TokenProvider();
}
public void CreateProviderAnonSslNoMessageSecurityVersion ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
// r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
new MySslSecurityTokenParameters ().InitRequirement (r);
r.TargetAddress = new EndpointAddress ("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r);
Assert.IsNotNull (p, "#1");
}
InitiatorServiceModelSecurityTokenRequirement GetSslProviderRequirement (bool useTransport, bool mutual)
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
new MySslSecurityTokenParameters (mutual).InitRequirement (r);
// r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.TargetAddress = new EndpointAddress ("http://localhost:8080");
// r.TargetAddress = CreateEndpointAddress ("http://localhost:8080", true);
r.SecurityBindingElement = SecurityBindingElement.CreateUserNameForSslBindingElement ();
CustomBinding binding =
useTransport ?
new CustomBinding (new HandlerTransportBindingElement (null)) :
new CustomBinding ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (binding, new BindingParameterCollection ());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
r.SecurityAlgorithmSuite =
SecurityAlgorithmSuite.Default;
Assert.IsFalse (new MyManager (new MyClientCredentials ()).IsIssued (r), "premise");
return r;
}
public void CreateProviderX509WithoutCert ()
{
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.CreateSecurityTokenProvider (r);
}
InitiatorServiceModelSecurityTokenRequirement CreateRequirement ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
r.TargetAddress = new EndpointAddress ("http://localhost:8080");
r.SecurityBindingElement =
new SymmetricSecurityBindingElement ();
// Without it, mysterious "The key length (blabla)
// is not a multiple of 8 for symmetric keys." occurs.
r.SecureConversationSecurityBindingElement =
new SymmetricSecurityBindingElement ();
r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion;
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (new HttpTransportBindingElement ()), new BindingParameterCollection ());
r.KeySize = 256;
return r;
}
public void CreateProviderX509WithX509EndpointIdentity ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
// X509CertificateEndpointIdentity does not work like
// a client certificate; it still requires client cert
r.TargetAddress = new EndpointAddress (
new Uri ("http://localhost:8080"),
new X509CertificateEndpointIdentity (cert));
def_c.CreateSecurityTokenProvider (r);
}
public void CreateAuthenticatorUserName ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
def_c.ClientCredentials.UserName.UserName = "******";
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
public void CreateProviderX509WithX509IdentityKeyExchange ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
// ... however when it is KeyExchange mode, this
// endpoint identity is used.
r.KeyUsage = SecurityKeyUsage.Exchange;
r.TargetAddress = new EndpointAddress (
new Uri ("http://localhost:8080"),
new X509CertificateEndpointIdentity (cert));
def_c.CreateSecurityTokenProvider (r);
}
public void CreateAuthenticatorX509 ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
SecurityTokenResolver resolver;
SecurityTokenAuthenticator x509 =
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
Assert.IsNotNull (x509, "#1");
Assert.IsNull (resolver, "#2"); // hmm...
def_c.ClientCredentials.ServiceCertificate.DefaultCertificate = cert;
x509 = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
Assert.IsNotNull (x509, "#3");
Assert.IsNull (resolver, "#4"); // hmmm...
}
public void CreateProviderX509WithClientCertKeyExchange ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
// ... and in such case ClientCertificate makes no sense.
r.KeyUsage = SecurityKeyUsage.Exchange;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
r.TargetAddress = new EndpointAddress ("http://localhost:8080");
def_c.CreateSecurityTokenProvider (r);
}
public void AnonSslIsIssued ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
new MySslSecurityTokenParameters ().InitRequirement (r);
Assert.IsFalse (new MyManager (new MyClientCredentials ()).IsIssued (r), "#1");
}
public void CreateProviderAnonSslNoTargetAddress ()
{
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
// r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
new MySslSecurityTokenParameters ().InitRequirement (r);
def_c.CreateSecurityTokenProvider (r);
}
public void CreateProviderX509 ()
{
SecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ClientCredentials.ClientCertificate.Certificate = cert;
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r)
as X509SecurityTokenProvider;
Assert.IsNotNull (p, "#1");
}
protected InitiatorServiceModelSecurityTokenRequirement CreateInitiatorSecurityTokenRequirement()
{
InitiatorServiceModelSecurityTokenRequirement requirement = new InitiatorServiceModelSecurityTokenRequirement();
requirement.TargetAddress = this.Target;
requirement.Via = this.via;
requirement.SecurityBindingElement = this.factory.SecurityBindingElement;
requirement.SecurityAlgorithmSuite = this.factory.OutgoingAlgorithmSuite;
requirement.MessageSecurityVersion = this.factory.MessageSecurityVersion.SecurityTokenVersion;
if (this.factory.PrivacyNoticeUri != null)
{
requirement.Properties[ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty] = this.factory.PrivacyNoticeUri;
}
if (this.channelParameters != null)
{
requirement.Properties[ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty] = this.channelParameters;
}
requirement.Properties[ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty] = this.factory.PrivacyNoticeVersion;
return requirement;
}