internal static ReadOnlyCollection <IAuthorizationPolicy> CreatePrincipalNameAuthorizationPolicies(string principalName)
{
if (principalName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("principalName");
}
Claim identityClaim;
Claim primaryPrincipal;
if (principalName.Contains("@") || principalName.Contains(@"\"))
{
identityClaim = new Claim(ClaimTypes.Upn, principalName, Rights.Identity);
#if SUPPORTS_WINDOWSIDENTITY
primaryPrincipal = Claim.CreateUpnClaim(principalName);
#else
throw ExceptionHelper.PlatformNotSupported("UPN claim not supported");
#endif // SUPPORTS_WINDOWSIDENTITY
}
else
{
identityClaim = new Claim(ClaimTypes.Spn, principalName, Rights.Identity);
primaryPrincipal = Claim.CreateSpnClaim(principalName);
}
List <Claim> claims = new List <Claim>(2);
claims.Add(identityClaim);
claims.Add(primaryPrincipal);
List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1);
policies.Add(new UnconditionalPolicy(SecurityUtils.CreateIdentity(principalName), new DefaultClaimSet(ClaimSet.Anonymous, claims)));
return(policies.AsReadOnly());
}
public SpnEndpointIdentity(string spnName)
{
if (spnName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("spnName");
}
base.Initialize(Claim.CreateSpnClaim(spnName));
}
public void CreateClaims()
{
Claim c;
// premises
Assert.AreEqual("http://schemas.xmlsoap.org/ws/2005/05/identity/right/identity", Rights.Identity, "#1");
Assert.AreEqual("http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty", Rights.PossessProperty, "#2");
c = Claim.CreateDnsClaim("123.45.6.7");
AssertClaim("Dns", c, ClaimTypes.Dns, "123.45.6.7", Rights.PossessProperty);
Uri uri = new Uri("http://www.example.com");
c = Claim.CreateUriClaim(uri);
AssertClaim("Uri", c, ClaimTypes.Uri, uri, Rights.PossessProperty);
MailAddress mail = new MailAddress("*****@*****.**");
c = Claim.CreateMailAddressClaim(mail);
AssertClaim("Mail", c, ClaimTypes.Email, mail, Rights.PossessProperty);
c = Claim.CreateNameClaim("Rupert");
AssertClaim("Name", c, ClaimTypes.Name, "Rupert", Rights.PossessProperty);
c = Claim.CreateSpnClaim("foo");
AssertClaim("Spn", c, ClaimTypes.Spn, "foo", Rights.PossessProperty);
c = Claim.CreateUpnClaim("foo");
AssertClaim("Upn", c, ClaimTypes.Upn, "foo", Rights.PossessProperty);
//SecurityIdentifier sid = new SecurityIdentifier (blah);
//c = Claim.CreateWindowsSidClaim (sid);
//AssertClaim ("Sid", c, ClaimTypes.Sid, blah, Rights.PossessProperty);
byte [] hash = new byte [] { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
c = Claim.CreateHashClaim(hash);
AssertClaim("Hash", c, ClaimTypes.Hash, hash, Rights.PossessProperty);
RSA rsa = RSA.Create();
c = Claim.CreateRsaClaim(rsa);
AssertClaim("Rsa", c, ClaimTypes.Rsa, rsa, Rights.PossessProperty);
X509Certificate2 cert = new X509Certificate2(TestResourceHelper.GetFullPathOfResource("Test/Resources/test.pfx"), "mono");
byte [] chash = cert.GetCertHash();
c = Claim.CreateThumbprintClaim(chash);
AssertClaim("Thumbprint", c, ClaimTypes.Thumbprint, chash, Rights.PossessProperty);
c = Claim.CreateX500DistinguishedNameClaim(cert.SubjectName);
AssertClaim("X500Name", c, ClaimTypes.X500DistinguishedName, cert.SubjectName, Rights.PossessProperty);
}
protected override async ValueTask <ReadOnlyCollection <IAuthorizationPolicy> > ValidateTokenCoreAsync(SecurityToken token)
{
var genericToken = (GenericSecurityToken)token;
string principalName = genericToken.Name;
if (principalName == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(principalName));
}
Claim identityClaim;
Claim primaryPrincipal;
if (principalName.Contains("@") || principalName.Contains(@"\"))
{
identityClaim = new Claim(ClaimTypes.Upn, principalName, Rights.Identity);
primaryPrincipal = Claim.CreateUpnClaim(principalName);
}
else
{
identityClaim = new Claim(ClaimTypes.Spn, principalName, Rights.Identity);
primaryPrincipal = Claim.CreateSpnClaim(principalName);
}
List <Claim> claims = new List <Claim>(2)
{
identityClaim,
primaryPrincipal
};
if (_ldapSettings != null)
{
List <Claim> allCaims = await LdapAdapter.RetrieveClaimsAsync(_ldapSettings, genericToken.GenericIdentity.Name);
// if this is made async, many other API changes has to happen. COnsidering this is one of the scenario, ok to take the hit ?
foreach (Claim claim in allCaims)
{
claims.Add(claim);
}
}
List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1)
{
new UnconditionalPolicy(genericToken.GenericIdentity, new DefaultClaimSet(ClaimSet.Anonymous, claims))
};
return(policies.AsReadOnly());
}
public SpnEndpointIdentity(string spn)
: this(Claim.CreateSpnClaim(spn))
{
}
