Esempio n. 1
0
        /// <summary>
        /// The behavior is:
        ///   1) if the certificate is blacklisted in base or in any rule ----------------------> Blacklisted.
        ///   2) (else) if the base behavior or any rule consider the certificate break-glass --> BreakGlass.
        ///   3) (else) if the base behavior is NotAllowed or any rule says NotAllowed ---------> NotAllowed.
        ///   4) (else) if any rule says Allowed -----------------------------------------------> Allowed.
        ///   5) the certificate is accepted only if the final behavior is 'BreakGlass' or 'Allowed'.
        /// </summary>
        /// <param name="cert">the certificate to evaluate</param>
        /// <param name="chain">the signature chain</param>
        /// <param name="sslPolicyErrors">SSL errors from platform</param>
        /// <returns>Allowed is a match is found. if no match is found, returns NotAllowed.</returns>
        public override Behavior IsValid(X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            Behavior baseBeh = Behavior.Neutral;

            foreach (AbstractCertificateRule rule in this.rules)
            {
                Behavior b = rule.IsValid(cert, chain, sslPolicyErrors);

                baseBeh = AbstractCertificateRule.Compose(baseBeh, b);

                if (baseBeh == Behavior.BlackListed)
                {
                    CertificateRulesEventSource.Log.AllowIfAllCoherentRule_RuleResult(rule.GetType().ToString(), b.ToString());
                    return(Behavior.NotAllowed);
                }
            }

            switch (baseBeh)
            {
            case Behavior.Allowed:
            case Behavior.BreakGlassUnlessBlackListed:
                return(Behavior.Allowed);

            case Behavior.Neutral:
                return(Behavior.Neutral);

            case Behavior.BlackListed:
            case Behavior.NotAllowed:
                CertificateRulesEventSource.Log.AllowIfAllCoherentRule_Result(baseBeh.ToString());
                return(Behavior.NotAllowed);

            default:
                return(Behavior.NotAllowed);
            }
        }
Esempio n. 2
0
 /// <summary>
 /// Initializes a new instance of the <see cref="AzureValidationRule"/> class.
 /// </summary>
 /// <param name="isCertificateIncluded">the function that says if a certificate is included in the list</param>
 /// <param name="forTest">if true some relaxations are made for test in DEV-BOX only</param>
 public AzureValidationRule(Func <X509Certificate, bool> isCertificateIncluded, bool forTest = false)
 {
     this.rule = new AllowIfAllAllowedRule(
         new IsCertificateTimeValidRule().SetNeutralAsAllow(true),
         new ChainIsValidRule(!forTest).SetNeutralAsAllow(true),
         new AllowCertificatesRule(isCertificateIncluded));
 }
Esempio n. 3
0
 /// <summary>
 /// Initializes a new instance of the <see cref="AzureValidationRule"/> class.
 /// </summary>
 /// <param name="subjectRequired">subject for the certificate to be allowed</param>
 /// <param name="signingThumbprintsRequired">thumbprints allowed for the certificate signing the validated certificate</param>
 /// <param name="forTest">if true some relaxations are made for test in DEV-BOX only</param>
 public AzureValidationRule(string subjectRequired, string[] signingThumbprintsRequired, bool forTest = false)
 {
     this.rule = new AllowIfAllAllowedRule(
         new IsCertificateTimeValidRule().SetNeutralAsAllow(true),
         new ChainIsValidRule(!forTest).SetNeutralAsAllow(true),
         new AllowCertSubjectRule(new string[] { subjectRequired }),
         new AllowSigningCertRule(signingThumbprintsRequired));
 }
Esempio n. 4
0
        /// <summary>
        /// Initializes a new instance of the <see cref="AllowIfMaskRule"/> class.
        /// </summary>
        /// <param name="rule">rule to evaluate</param>
        /// <param name="mask">mask to compare with</param>
        public AllowIfMaskRule(AbstractCertificateRule rule, Behavior mask)
        {
            if (rule == null)
            {
                throw new ArgumentNullException("rule");
            }

            this.rule = rule;
            this.mask = mask;
        }
Esempio n. 5
0
            /// <summary>
            /// takes the action within a lock
            /// </summary>
            /// <param name="action">action to run</param>
            internal void DoInLock(Action action)
            {
                lock (this.cachedRuleLock)
                {
                    if (action != null)
                    {
                        action();
                    }

                    this.cachedRule = null;
                }
            }
Esempio n. 6
0
            /// <summary>
            /// Validates the certificate according to the configuration
            /// </summary>
            /// <param name="cert">certificate to validate</param>
            /// <param name="chain">certificate chain</param>
            /// <param name="sslPolicyErrors">SSL policy errors coming from the platform</param>
            /// <returns>the behavior to follow for this certificate</returns>
            public override Behavior IsValid(X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
            {
                AbstractCertificateRule rule = this.cachedRule;

                if (rule == null)
                {
                    lock (this.cachedRuleLock)
                    {
                        if (this.cachedRule == null)
                        {
                            this.cachedRule = this.RecomputeRuleSnapshot();
                        }

                        rule = this.cachedRule;
                    }
                }

                return(rule.IsValid(cert, chain, sslPolicyErrors));
            }