private ActiveDirectoryMetadata NewActiveDirectoryMetadata(string displayName, string domain, string searchBase, string username, string password, bool useProcessContext)
{
ActiveDirectoryMetadata idp = null;
if (useProcessContext)
{
idp = new ActiveDirectoryMetadata()
{
Name = displayName,
Domain = domain,
Enabled = true,
ActiveDirectoryMetadataType = ActiveDirectoryMetadataType.ActiveDirectoryIwa,
Id = Guid.NewGuid(),
SearchBase = searchBase
};
}
else
{
idp = new ActiveDirectoryMetadata()
{
Name = displayName,
Domain = domain,
Enabled = true,
ActiveDirectoryMetadataType = ActiveDirectoryMetadataType.ActiveDirectoryBasic,
Id = Guid.NewGuid(),
SearchBase = searchBase,
Username = username,
Password = password
};
}
return(idp);
}
public NodeDetails Get(string id)
{
if (string.IsNullOrEmpty(id))
{
throw new ArgumentNullException("Invalid Node");
}
Guid validatedId;
if (!Guid.TryParse(id, out validatedId))
{
throw new ArgumentOutOfRangeException("Invalid Node");
}
NodeDetails node = configurationRepository.Get <NodeDetails>(validatedId);
if (node == null)
{
throw new ReferencedObjectDoesNotExistException("Node could not be found");
}
ActiveDirectoryMetadata idp = adIdpLogic.GetAll()
.Where(item => item.Id == node.CredentialId)
.FirstOrDefault();
node.CredentialDisplayName = idp.Name;
return(node);
}
public MicrosoftCertificateAuthorityOptions GetPrivateCertificateAuthorityOptions(HashAlgorithm hash)
{
PrivateCertificateAuthorityConfig caConfig = this.GetPrivateCertificateAuthorityConfigByHash(hash);
ActiveDirectoryMetadata idp = this.Get <ActiveDirectoryMetadata>(caConfig.IdentityProviderId);
MicrosoftCertificateAuthorityAuthenticationType authType;
if (idp.ActiveDirectoryMetadataType == Entities.Enumerations.ActiveDirectoryMetadataType.ActiveDirectoryBasic)
{
authType = MicrosoftCertificateAuthorityAuthenticationType.UsernamePassword;
}
else
{
authType = MicrosoftCertificateAuthorityAuthenticationType.WindowsKerberos;
}
MicrosoftCertificateAuthorityOptions options = new MicrosoftCertificateAuthorityOptions()
{
AuthenticationRealm = idp.Domain,
AuthenticationType = authType,
HashAlgorithm = hash,
CommonName = caConfig.CommonName,
ServerName = caConfig.ServerName,
Id = caConfig.Id,
Password = idp.Password,
Username = idp.Username
};
return(options);
}
public void Setup()
{
AdcsTemplate result = null;
try
{
result = configDb.Get <AdcsTemplate>(x => x.Cipher == CipherAlgorithm.RSA && x.WindowsApi == WindowsApi.CryptoApi && x.KeyUsage == KeyUsage.ServerAuthentication).First();
//result = configDb.GetAdcsTemplate(HashAlgorithm.SHA256, CipherAlgorithm.RSA, WindowsApi.CryptoApi, KeyUsage.ServerAuthentication);
}
catch
{
if (result == null)
{
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.CryptoApi,
Cipher = CipherAlgorithm.RSA,
//Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.ServerAuthentication,
Name = "ServerAuthentication-CapiRsa"
});
}
}
ActiveDirectoryMetadata idp = configDb.GetAll <ActiveDirectoryMetadata>().FirstOrDefault();
configDb.DropCollection <PrivateCertificateAuthorityConfig>();
PrivateCertificateAuthorityConfig caConfig = new PrivateCertificateAuthorityConfig()
{
CommonName = caCommonName,
ServerName = caServerName,
HashAlgorithm = HashAlgorithm.SHA256,
IdentityProviderId = idp.Id
};
}
public ActiveDirectoryMetadata Add(string displayName, string domain, string searchBase, string username, string password, bool useProcessContext)
{
ActiveDirectoryMetadata idp = NewActiveDirectoryMetadata(displayName, domain, searchBase, username, password, useProcessContext);
configurationRepository.Insert <ActiveDirectoryMetadata>(idp);
return(idp);
}
public JsonResult UpdateActiveDirectoryMetadata(ActiveDirectoryMetadata entity)
{
ActiveDirectoryMetadata existing = configurationRepository.Get <ActiveDirectoryMetadata>(entity.Id);
entity.Password = existing.Password;
configurationRepository.Update <ActiveDirectoryMetadata>(entity);
return(Json(new { status = "success" }));
}
public string GetLdapConnectionString(NamingContext namingContext, ActiveDirectoryMetadata metadata)
{
switch (namingContext)
{
case NamingContext.Configuration:
return(string.Format("LDAP://{0}/CN=Configuration,{1}", metadata.Domain, this.GetBaseDistinguishedName(metadata.Domain)));
default:
return(string.Format("LDAP://{0}/{1}", metadata.Domain, this.GetBaseDistinguishedName(metadata.Domain)));
}
}
public List <T> Search <T>(NamingContext namingContext, ActiveDirectoryMetadata metadata)
{
List <T> list = new List <T>();
string searchFilter = string.Format("(objectClass={0})", metadataResolver.GetSchemaClass <T>());
using (DirectoryEntry entry = new DirectoryEntry(GetLdapConnectionString(namingContext, metadata), metadata.Username, metadata.Password))
{
using (DirectorySearcher searcher = new DirectorySearcher(entry))
{
searcher.Filter = searchFilter;
var propertiesToLoad = metadataResolver.GetPropertiesToLoad <T>();
searcher.PropertiesToLoad.AddRange(propertiesToLoad);
foreach (SearchResult result in searcher.FindAll())
{
list.Add(ActiveDirectoryEntityMapper.MapSearchResult <T>(result));
}
}
}
return(list);
}
public ClaimsPrincipal AuthenticateActiveDirectory(string upn, Guid domain, string password)
{
AuthenticablePrincipal authenticablePrincipal = configurationRepository.GetAuthenticablePrincipal(upn);
ActiveDirectoryMetadata ActiveDirectoryMetadata = configurationRepository.Get <ActiveDirectoryMetadata>(domain);
if (ActiveDirectoryMetadata == null || ActiveDirectoryMetadata.Enabled != true)
{
throw new Exception("Authentication failed");
}
if (activeDirectoryAuthenticator.Authenticate(upn, password, ActiveDirectoryMetadata.Domain))
{
this.IncrementSuccessfulAuthentication(authenticablePrincipal, domain);
return(ConstructClaimsPrincipal(authenticablePrincipal, ActiveDirectoryMetadata.Name));
}
else
{
throw new Exception("Authentication failed");
}
}
public void Complete(InitialSetupConfigModel config)
{
ActiveDirectoryMetadata idp = idpLogic.Add(config.AdName, config.AdServer, config.AdSearchBase, config.AdServiceAccountUsername, config.AdServiceAccountPassword, config.AdUseAppPoolIdentity);
certificateAuthorityConfigurationLogic.AddPrivateCertificateAuthority(config.AdcsServerName, config.AdcsCommonName, config.AdcsHashAlgorithm, idp.Id);
AdcsTemplate adcsTemplate = templateLogic.AddTemplate(config.AdcsTemplateName, config.AdcsTemplateCipher, config.AdcsTemplateKeyUsage, config.AdcsTemplateWindowsApi, RoleManagementLogic.DefaultTemplateIssuerRoles);
AuthenticablePrincipal emergencyAccess = localIdpLogic.InitializeEmergencyAccess(config.EmergencyAccessKey);
AuthenticablePrincipal admin = localIdpLogic.InitializeLocalAdministrator(config.LocalAdminPassword);
authorizationLogic.InitializeScopes();
roleManagement.InitializeRoles(new List <Guid>()
{
emergencyAccess.Id, admin.Id
});
AppConfig appConfig = new AppConfig()
{
EncryptionKey = config.EncryptionKey,
Id = Guid.NewGuid()
};
configurationRepository.SetAppConfig(appConfig);
}
public List <AdcsCertificateTemplate> GetActiveDirectoryTemplates(ActiveDirectoryMetadata metadata)
{
List <AdcsCertificateTemplate> templates = activeDirectory.Search <AdcsCertificateTemplate>(NamingContext.Configuration, metadata);
return(templates);
}
public JsonResult DeleteActiveDirectoryMetadata(ActiveDirectoryMetadata entity)
{
configurationRepository.Delete <ActiveDirectoryMetadata>(entity.Id);
return(Json(new { status = "success" }));
}
public JsonResult AddActiveDirectoryMetadata(ActiveDirectoryMetadata entity)
{
configurationRepository.Insert <ActiveDirectoryMetadata>(entity);
return(Json(new { status = "success" }));
}
public void InitializeTest()
{
user = new Mock <ClaimsPrincipal>();
string configPath = Path.GetTempFileName();
configDb = new LiteDbConfigurationRepository(configPath);
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.CryptoApi,
Cipher = CipherAlgorithm.RSA,
//Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.ServerAuthentication,
Name = "ServerAuthentication-CapiRsa"
});
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.CryptoApi,
Cipher = CipherAlgorithm.RSA,
//Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.None,
Name = "NoKeyUsage-CapiRsa"
});
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.Cng,
Cipher = CipherAlgorithm.RSA,
// Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.ServerAuthentication,
Name = "ServerAuthentication-CngRsa"
});
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.Cng,
Cipher = CipherAlgorithm.RSA,
//Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.ServerAuthentication | KeyUsage.ClientAuthentication,
Name = "ClientServerAuthentication-CngRsa"
});
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.Cng,
Cipher = CipherAlgorithm.ECDH,
//Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.ServerAuthentication,
Name = "ServerAuthentication-CngEcdh"
});
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.Cng,
Cipher = CipherAlgorithm.ECDSA,
//Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.ServerAuthentication,
Name = "ServerAuthentication-CngEcdsa"
});
Logic.SecretKeyProvider secretKeyProvider = new Logic.SecretKeyProvider();
AppConfig appConfig = new AppConfig()
{
EncryptionKey = secretKeyProvider.NewSecretBase64(32)
};
configDb.SetAppConfig(appConfig);
ActiveDirectoryMetadata identitySource = new ActiveDirectoryMetadata()
{
Domain = "cm.local",
Enabled = true,
ActiveDirectoryMetadataType = ActiveDirectoryMetadataType.ActiveDirectoryBasic,
Id = Guid.NewGuid(),
Name = "cm.local",
Password = password,
Username = username,
SearchBase = "DC=cm,DC=local"
};
PrivateCertificateAuthorityConfig caConfig = new PrivateCertificateAuthorityConfig()
{
CommonName = caCommonName,
ServerName = caServerName,
HashAlgorithm = HashAlgorithm.SHA256,
Id = Guid.NewGuid(),
IdentityProviderId = identitySource.Id
};
configDb.Insert <PrivateCertificateAuthorityConfig>(caConfig);
configDb.Insert <ActiveDirectoryMetadata>(identitySource);
templateLogic = new AdcsTemplateLogic(configDb, activeDirectory);
KeyUsage keyUsage = KeyUsage.ClientAuthentication | KeyUsage.ServerAuthentication;
//AdcsTemplate config = configDb.Get<AdcsTemplate>(x => x.Cipher == CipherAlgorithm.RSA && x.WindowsApi == WindowsApi.Cng && x.KeyUsage == keyUsage).First();
//var config = configDb.GetAdcsTemplate(HashAlgorithm.SHA256, CipherAlgorithm.RSA, WindowsApi.Cng, KeyUsage.ClientAuthentication | KeyUsage.ServerAuthentication);
string certDbPath = Path.GetTempFileName();
certDb = new LiteDbCertificateRepository(certDbPath);
}
public T GetObject <T>(string schemaClass, string searchValue, ActiveDirectoryMetadata metadata, bool retry = false)
{
return(default(T));
}
public AdcsCertificateTemplate GetActiveDirectoryPublishedTemplate(string name, ActiveDirectoryMetadata metadata)
{
return(activeDirectory.Search <AdcsCertificateTemplate>(NamingContext.Configuration, metadata)
.Where(x => x.Name == name)
.First());
}
public AdcsCertificateTemplate GetTemplateInAllActiveDirectoryRealms(string name, ActiveDirectoryMetadata metadata)
{
List <AdcsCertificateTemplate> templates = activeDirectory.Search <AdcsCertificateTemplate>("name", name, NamingContext.Configuration, metadata);
if (!templates.Any())
{
throw new AdcsTemplateValidationException(string.Format("Adcs template is not published in Active Directory - {0}", metadata.Domain));
}
if (templates.Count > 1)
{
throw new AdcsTemplateValidationException(string.Format("More than one template in {0} matched the query. Please specify a unique template name. ", metadata.Domain));
}
return(templates.First());
}
public void InitializeTest()
{
activeDirectory = new ActiveDirectoryRepository();
metadata = new ActiveDirectoryMetadata(domain, username, password);
}
