public Concat3Response AssumeProducerActsForAlice(Concat3Response x)
{
// For testing. Wanted: a cleaner way to get this into the SymT!
VProgram_API.AssumeActsFor(x.SVX_producer, Entity.Of("Carol"));
VProgram_API.AssumeActsFor(Entity.Of("Carol"), Entity.Of("Alice"));
return(x);
}
public virtual TokenResponse SVX_MakeTokenResponse(AccessTokenRequest req, AuthorizationCodeParams codeParamsHint)
{
// We should only get here with req.grant_type ==
// "authorization_code", so we don't have to worry about modeling
// what IdP does in any other case.
if (req.grant_type != "authorization_code")
{
return(VProgram_API.Nondet <TokenResponse>());
}
authorizationCodeGenerator.Verify(codeParamsHint, req.code);
if (req.redirect_uri != codeParamsHint.redirect_uri)
{
throw new Exception("Authorization code RP mismatch");
}
var JwtTokenBody = MakeJwtTokenBody(req.client_id, codeParamsHint.userID);
SVX.PayloadSecret <JwtTokenBody> id_token1 = getTokenGenerator().Generate(JwtTokenBody, SVX_Principal);
TokenResponse TokenResponse = new TokenResponse
{
id_token = id_token1,
};
return(TokenResponse);
}
public bool Predicate(Concat3Response resp)
{
VProgram_API.AssumeTrusted(Entity.Of("Alice"));
var tmp = resp.first + resp.second;
var expected = tmp + resp.third;
return(expected == resp.output);
}
public bool LoginXSRFPrevention(RPAuthenticationConclusion conc)
{
VProgram_API.AssumeTrustedServer(googlePrincipal);
VProgram_API.AssumeTrustedServer(SVX_Principal);
VProgram_API.AssumeTrustedBrowser(conc.authenticatedClient);
var idp = VProgram_API.GetParticipant <Google_IdP>(googlePrincipal);
return(idp.Ghost_CheckSignedIn(VProgram_API.Owner(conc.authenticatedClient), conc.googleUsername));
}
public bool LoginSafety(RPAuthenticationConclusion conc)
{
var googleUser = GoogleUserPrincipal(conc.googleUsername);
VProgram_API.AssumeTrustedServer(googlePrincipal);
VProgram_API.AssumeTrustedServer(SVX_Principal);
VProgram_API.AssumeTrusted(googleUser);
return(VProgram_API.ActsFor(conc.authenticatedClient, googleUser));
}
public IdPAuthenticationEntry SVX_ConcludeClientAuthentication(IdPAuthenticationEntry entry)
{
var d = new SignedInDeclarer {
outer = this, entry = entry
};
SVX_Ops.Ghost(d.Declare);
VProgram_API.AssumeActsFor(entry.authenticatedClient, GoogleUserPrincipal(entry.googleUsername));
// Reuse the message... Should be able to get away with it.
return(entry);
}
public IdTokenResponse SVX_MakeIdTokenResponse(IdTokenRequest req, IdPAuthenticationEntry idpConc)
{
// In TokenEndpoint, we requested an IdPAuthenticationEntry for
// req.SVX_sender, but SVX doesn't know that, so we have to do a
// concrete check.
VProgram_API.Assert(req.SVX_sender == idpConc.authenticatedClient);
// Put this in a separate SVX method so "body" gets an active SymT.
var body = SVX_Ops.Call(SVX_MakeIdTokenBody, req, idpConc);
return(new IdTokenResponse
{
idToken = idTokenGenerator.Generate(body, SVX_Principal), // sign the token
state = req.state
});
}
public bool LoginSafety(AuthenticationConclusion conc)
{
var userPrincipal = IdPUserPrincipal(conc.idpUsername);
VProgram_API.AssumeTrusted(idpPrincipal);
VProgram_API.AssumeTrusted(rpPrincipal);
VProgram_API.AssumeTrusted(userPrincipal);
// BCT accepts this code but silently mistranslates it!
//return VProgram_API.ActsForAny(conc.authenticatedClient,
// new PrincipalHandle[] { idpPrincipal, rpPrincipal, IdPUserPrincipal(conc.idpUsername) });
var targets = new Principal[3];
targets[0] = idpPrincipal;
targets[1] = rpPrincipal;
targets[2] = userPrincipal;
return(VProgram_API.ActsForAny(conc.authenticatedClient, targets));
}
public AuthorizationCodeResponse SVX_MakeAuthorizationCodeResponse(AuthorizationCodeRequest req, IdPAuthenticationEntry idpConc)
{
// In CodeEndpoint, we requested an IdPAuthenticationEntry for
// req.SVX_sender, but SVX doesn't know that, so we have to do a
// concrete check.
VProgram_API.Assert(req.SVX_sender == idpConc.authenticatedClient);
// With this expression inlined below, BCT silently mistranslated the code.
var theParams = new AuthorizationCodeParams
{
rpPrincipal = req.rpPrincipal,
googleUsername = idpConc.googleUsername
};
var authorizationCode = authorizationCodeGenerator.Generate(theParams, googlePrincipal);
return(new AuthorizationCodeResponse
{
authorizationCode = authorizationCode,
state = req.state
});
}
public SignInRPReq SignInIdP(SignInIdPReq req)
{
if (req.password != "password:" + req.username)
{
throw new ArgumentException();
}
var userPrincipal = IdPUserPrincipal(req.username);
// If this line is commented out, the check for whether it's OK
// to send the secret to the client would fail, but this example
// doesn't use export/import.
VProgram_API.AssumeActsFor(req.SVX_sender, userPrincipal);
var ssoSecretParams = new SSOSecretParams {
username = req.username
};
var resp = new SignInRPReq {
username = req.username,
ssoSecret = ssoSecretGenerator.Generate(ssoSecretParams, SVX_Principal)
};
ssoSecretGenerator.Verify(ssoSecretParams, resp.ssoSecret);
return(resp);
}
internal void Declare()
{
outer.SignedInPredicate.Declare(VProgram_API.Owner(entry.authenticatedClient), entry.googleUsername);
}
