public void ImpersonationLevel_IfClaimsToWindowsTokenService_ShouldReturnImpersonation_OtherwiseIdentification()
{
var expectedImpersonationLevel = this.ClaimsToWindowsTokenService ? TokenImpersonationLevel.Impersonation : TokenImpersonationLevel.Identification;
var windowsIdentity = S4UClient.UpnLogon(this.UserPrincipalName);
this.ImpersonationLevelTest(expectedImpersonationLevel, windowsIdentity);
}
protected static WindowsIdentity RetrieveWindowsIdentityForCurrentUserBasedOnClaim()
{
IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
if (identity == null)
{
throw new InvalidOperationException("Current Thread Identity is not a valid Claims Identity.");
}
string upn = null;
var correctClaimType = identity.Claims.Where(claim => StringComparer.Ordinal.Equals(ClaimTypes.Upn, claim.ClaimType));
correctClaimType.ForEach(c => upn = c.Value);
if (string.IsNullOrEmpty(upn))
{
throw new InvalidOperationException("Current Thread Identity is not a valid Windows Identity.");
}
WindowsIdentity windowsIdentity;
using (WindowsIdentity.Impersonate(IntPtr.Zero))
windowsIdentity = S4UClient.UpnLogon(upn);
return(windowsIdentity);
}
public ICredentials GetCredentials(Uri uri, ICredentials failedCredentials)
{
//If we're running under Claims authentication, impersonate the thread user
//by calling the Claims to Windows Token Service and call the remote site using
//the impersonated credentials. NOTE: The Claims to Windows Token Service must be running.
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{
IClaimsIdentity identity = (ClaimsIdentity)System.Threading.Thread.CurrentPrincipal.Identity;
var firstClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
if (firstClaim == null)
{
throw new InvalidOperationException("No UPN claim found");
}
string upn = firstClaim.Value;
if (String.IsNullOrEmpty(upn))
{
throw new InvalidOperationException("A UPN claim was found, however, the value was empty.");
}
var currentIdentity = S4UClient.UpnLogon(upn);
m_ctxt = currentIdentity.Impersonate();
}
return(CredentialCache.DefaultNetworkCredentials);
}
/// <summary>
/// This method accesses the back-end service PrintIdentityService doing impersonation.
/// </summary>
/// <param name="address">The back end service address.</param>
/// <exception cref="AccessException">When the address is null or empty string.</exception>
public void Access(string address)
{
if (string.IsNullOrEmpty(address))
{
throw new Exception("Address is null or empty");
}
// Gets the current identity and extracts the UPN claim.
IClaimsIdentity identity = ( ClaimsIdentity )Thread.CurrentPrincipal.Identity;
string upn = null;
foreach (Claim claim in identity.Claims)
{
if (StringComparer.Ordinal.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.Upn, claim.ClaimType))
{
upn = claim.Value;
}
}
// Performs the UPN logon through the C2WTS service.
WindowsIdentity windowsIdentity = null;
if (!String.IsNullOrEmpty(upn))
{
try
{
windowsIdentity = S4UClient.UpnLogon(upn);
}
catch (SecurityAccessDeniedException)
{
Console.WriteLine("Could not map the upn claim to a valid windows identity.");
return;
}
}
else
{
throw new Exception("No UPN claim found");
}
using (WindowsImpersonationContext ctxt = windowsIdentity.Impersonate())
{
CallService(address);
}
}
protected override WindowsIdentity CreateWindowsIdentity(string upn)
{
var windowsIdentity = S4UClient.UpnLogon(upn);
return(new WindowsIdentity(windowsIdentity.Token, "Federation", WindowsAccountType.Normal, true));
}
public object Ajax(string url, object settings)
{
//If we're running under Claims authentication, impersonate the thread user
//by calling the Claims to Windows Token Service and call the remote site using
//the impersonated credentials. NOTE: The Claims to Windows Token Service must be running.
WindowsImpersonationContext ctxt = null;
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{
IClaimsIdentity identity = (ClaimsIdentity)System.Threading.Thread.CurrentPrincipal.Identity;
var firstClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
if (firstClaim == null)
{
throw new InvalidOperationException("No UPN claim found");
}
var upn = firstClaim.Value;
if (String.IsNullOrEmpty(upn))
{
throw new InvalidOperationException("A UPN claim was found, however, the value was empty.");
}
var currentIdentity = S4UClient.UpnLogon(upn);
ctxt = currentIdentity.Impersonate();
}
try
{
var noCachePolicy = new HttpRequestCachePolicy(HttpRequestCacheLevel.NoCacheNoStore);
var targetUri = ObtainTargetUri(url);
var request = (HttpWebRequest)WebRequest.Create(targetUri);
request.CachePolicy = noCachePolicy; //TODO: Make this configurable.
//Get the proxy from the concrete instance.
var proxyAddress = ObtainDefaultProxyAddress();
//If the proxy address is defined, create a new proxy with the address, otherwise, use the system proxy.
request.Proxy = proxyAddress.IsNullOrWhiteSpace() == false
? new WebProxy(proxyAddress, true, null, CredentialCache.DefaultNetworkCredentials)
: WebRequest.GetSystemWebProxy();
if (request.Proxy != null)
{
request.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
}
var dataType = AjaxDataType.Unknown;
//If a settings parameter is defined, coerce it and set properties on the request object.
var ajaxSettings = JurassicHelper.Coerce <AjaxSettingsInstance>(Engine, settings);
if (ajaxSettings != null)
{
if (ajaxSettings.UseDefaultCredentials == false)
{
//if the "credentials" setting is set on the ajaxsettingsinstance, use those credentials instead.
if (ajaxSettings.Credentials != null && ajaxSettings.Credentials != Null.Value &&
ajaxSettings.Credentials != Undefined.Value && ajaxSettings.Credentials is NetworkCredentialInstance)
{
request.Credentials = (ajaxSettings.Credentials as NetworkCredentialInstance).NetworkCredential;
}
//Otherwise, use the username/password/domain if specified.
else if (String.IsNullOrEmpty(ajaxSettings.Username) == false ||
String.IsNullOrEmpty(ajaxSettings.Password) == false ||
String.IsNullOrEmpty(ajaxSettings.Domain) == false)
{
request.Credentials = new NetworkCredential(ajaxSettings.Username, ajaxSettings.Password,
ajaxSettings.Domain);
}
}
else
{
request.UseDefaultCredentials = true;
request.Credentials = CredentialCache.DefaultNetworkCredentials;
}
if (String.IsNullOrEmpty(ajaxSettings.Accept) == false)
{
request.Accept = ajaxSettings.Accept;
}
if (ajaxSettings.Proxy != null && ajaxSettings.Proxy != Undefined.Value && ajaxSettings.Proxy != Null.Value)
{
var proxySettings = JurassicHelper.Coerce <ProxySettingsInstance>(Engine, ajaxSettings.Proxy);
if (proxySettings != null)
{
if (String.IsNullOrEmpty(proxySettings.Address) == false)
{
try
{
var proxy = new WebProxy(proxySettings.Address, true);
request.Proxy = proxy;
}
catch
{
/* do nothing */
}
}
if (proxySettings.UseDefaultCredentials)
{
request.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
}
}
}
if (String.IsNullOrEmpty(ajaxSettings.DataType) == false)
{
switch (ajaxSettings.DataType.ToLowerInvariant())
{
case "json":
dataType = AjaxDataType.Json;
break;
case "xml":
dataType = AjaxDataType.Xml;
break;
case "raw":
dataType = AjaxDataType.Raw;
break;
default:
dataType = AjaxDataType.Unknown;
break;
}
}
if (String.IsNullOrEmpty(ajaxSettings.Method) == false)
{
request.Method = ajaxSettings.Method;
}
if (String.IsNullOrEmpty(ajaxSettings.UserAgent) == false)
{
request.UserAgent = ajaxSettings.UserAgent;
}
if (String.IsNullOrEmpty(ajaxSettings.ContentType) == false)
{
request.ContentType = ajaxSettings.ContentType;
}
if (String.IsNullOrEmpty(ajaxSettings.Referer) == false)
{
request.Referer = ajaxSettings.Referer;
}
}
else
{
request.Accept = "application/json";
}
//Get some not-serialized properties from the original webinstance
if (settings != Null.Value && settings != Undefined.Value && settings is ObjectInstance)
{
var settingsObj = settings as ObjectInstance;
if (settingsObj.HasProperty("headers"))
{
var headersObj = settingsObj.GetPropertyValue("headers");
if (headersObj != Null.Value && headersObj != Undefined.Value && headersObj is ObjectInstance)
{
var headersObjInstance = headersObj as ObjectInstance;
foreach (var prop in headersObjInstance.Properties)
{
try
{
request.Headers.Set(prop.Name, TypeConverter.ToString(prop.Value));
}
catch (Exception)
{
//Ignore it.
}
}
}
}
if (settingsObj.HasProperty("timeout"))
{
var timeoutObj = settingsObj.GetPropertyValue("timeout");
request.Timeout = TypeConverter.ToInteger(timeoutObj);
}
if (settingsObj.HasProperty("body"))
{
var bodyObj = settingsObj.GetPropertyValue("body");
if (bodyObj != Null.Value && bodyObj != Undefined.Value)
{
var bodyByteArray = bodyObj as Base64EncodedByteArrayInstance;
if (bodyByteArray != null)
{
var requestStream = request.GetRequestStream();
requestStream.Write(bodyByteArray.Data, 0, bodyByteArray.Data.Length);
requestStream.Close();
}
else
{
var data = Encoding.UTF8.GetBytes(TypeConverter.ToString(bodyObj));
var requestStream = request.GetRequestStream();
requestStream.Write(data, 0, data.Length);
requestStream.Close();
}
}
}
}
if (ajaxSettings != null && ajaxSettings.Async)
{
var tcs = new TaskCompletionSource <object>();
try
{
request.BeginGetResponse(iar =>
{
HttpWebResponse response = null;
try
{
response = (HttpWebResponse)request.EndGetResponse(iar);
var resultObject = GetResultFromResponse(response, dataType);
tcs.SetResult(resultObject);
}
catch (Exception exc) { tcs.SetException(exc); }
finally { if (response != null)
{
response.Close();
}
}
}, null);
}
catch (Exception exc) { tcs.SetException(exc); }
return(new DeferredInstance(Engine.Object.InstancePrototype, tcs.Task));
}
object result;
try
{
var syncResponse = (HttpWebResponse)request.GetResponse();
result = GetResultFromResponse(syncResponse, dataType);
}
catch (WebException e)
{
//The request failed -- usually a 400
var httpResponse = e.Response as HttpWebResponse;
result = httpResponse == null
? null
: new HttpWebResponseInstance(Engine.Object.InstancePrototype, httpResponse);
}
catch (Exception ex)
{
LogAjaxException(ex);
throw;
}
return(result);
}
finally
{
if (ctxt != null)
{
ctxt.Dispose();
}
}
}
