internal void EnsureOutgoingIdentity(EndpointAddress serviceReference, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies)
{
if (authorizationPolicies == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(authorizationPolicies));
}
AuthorizationContext ac = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies);
EnsureIdentity(serviceReference, ac, SR.IdentityCheckFailedForOutgoingMessage);
}
public void CreateDefaultAuthorizationContext()
{
AuthorizationContext a =
AuthorizationContext.CreateDefaultAuthorizationContext(new IAuthorizationPolicy [0]);
Assert.AreEqual(DateTime.MaxValue.AddDays(-1), a.ExpirationTime, "#1-1");
Assert.AreEqual(0, a.Properties.Count, "#1-2");
Assert.AreEqual(0, a.ClaimSets.Count, "#1-3");
a = AuthorizationContext.CreateDefaultAuthorizationContext(new IAuthorizationPolicy [] { new MyAuthorizationPolicy() });
Assert.AreEqual(DateTime.MaxValue.AddDays(-1), a.ExpirationTime, "#2-1");
Assert.AreEqual(0, a.Properties.Count, "#2-2");
Assert.AreEqual(0, a.ClaimSets.Count, "#2-3");
}
protected AuthorizationContext EnsureIncomingIdentity(Message message, SecurityToken token, ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies)
{
if (token == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoSigningTokenAvailableToDoIncomingIdentityCheck)), message);
}
AuthorizationContext authContext = (authorizationPolicies != null) ? AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies) : null;
if (this.factory.IdentityVerifier != null)
{
if (this.Target == null)
{
throw TraceUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.NoOutgoingEndpointAddressAvailableForDoingIdentityCheckOnReply)), message);
}
this.factory.IdentityVerifier.EnsureIncomingIdentity(this.Target, authContext);
}
return(authContext);
}
public virtual ClaimSet ResolveClaimSet(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
for (int i = 0; i < this.supportingAuthenticators.Count; i++)
{
if (this.supportingAuthenticators[i].CanValidateToken(token))
{
AuthorizationContext context = AuthorizationContext.CreateDefaultAuthorizationContext(this.supportingAuthenticators[i].ValidateToken(token));
if (context.ClaimSets.Count > 0)
{
return(context.ClaimSets[0]);
}
}
}
return(null);
}
public static void ReplacePrimaryIdentity(this OperationContext context, IIdentity identity)
{
var incomingMessageProperties = context.IncomingMessageProperties;
if (incomingMessageProperties != null)
{
var security =
incomingMessageProperties.Security ??
(incomingMessageProperties.Security = new SecurityMessageProperty());
var policies = security.ServiceSecurityContext.AuthorizationPolicies.ToList();
policies.Add(new IdentityAuthorizationPolicy(identity));
var authorizationContext =
AuthorizationContext.CreateDefaultAuthorizationContext(policies);
security.ServiceSecurityContext = new ServiceSecurityContext(
authorizationContext,
new ReadOnlyCollection <IAuthorizationPolicy>(policies));
}
}
public virtual ClaimSet ResolveClaimSet(SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
for (int i = 0; i < this.supportingAuthenticators.Count; ++i)
{
if (this.supportingAuthenticators[i].CanValidateToken(token))
{
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = this.supportingAuthenticators[i].ValidateToken(token);
AuthorizationContext authContext = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies);
if (authContext.ClaimSets.Count > 0)
{
return(authContext.ClaimSets[0]);
}
}
}
return(null);
}
/// <summary>
/// Token Constructor
/// </summary>
/// <param name="xmlToken">Encrypted xml token</param>
public Token(String xmlToken)
{
byte[] decryptedData = decryptToken(xmlToken);
XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8));
m_token = (SamlSecurityToken)WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null);
SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List <SecurityTokenAuthenticator>(new SecurityTokenAuthenticator[] { new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator() }), MaximumTokenSkew);
if (authenticator.CanValidateToken(m_token))
{
ReadOnlyCollection <IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token);
m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
FindIdentityClaims();
}
else
{
throw new Exception("Unable to validate the token.");
}
}
public ServiceSecurityContext(
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies)
: this(AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies), authorizationPolicies)
{
}
internal static Claim GetPrimaryIdentityClaim(ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies)
{
return(GetPrimaryIdentityClaim(AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies)));
}
/// <summary>
/// Token Authentication. Translates the decrypted data into a AuthContext.
/// </summary>
/// <param name="reader">The token XML reader.</param>
/// <param name="audience">The audience that the token must be scoped for.
/// Use <c>null</c> to indicate any audience is acceptable.</param>
/// <returns>
/// The authorization context carried by the token.
/// </returns>
internal static AuthorizationContext AuthenticateToken(XmlReader reader, Uri audience)
{
Contract.Ensures(Contract.Result <AuthorizationContext>() != null);
// Extensibility Point:
// in order to accept different token types, you would need to add additional
// code to create an authenticationcontext from the security token.
// This code only supports SamlSecurityToken objects.
SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken;
if (null == token)
{
throw new InformationCardException("Unable to read security token");
}
if (null != token.SecurityKeys && token.SecurityKeys.Count > 0)
{
throw new InformationCardException("Token Security Keys Exist");
}
if (audience == null)
{
Logger.InfoCard.Warn("SAML token Audience checking will be skipped.");
}
else
{
if (token.Assertion.Conditions != null &&
token.Assertion.Conditions.Conditions != null)
{
foreach (SamlCondition condition in token.Assertion.Conditions.Conditions)
{
SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition;
if (audienceCondition != null)
{
Logger.InfoCard.DebugFormat("SAML token audience(s): {0}", audienceCondition.Audiences.ToStringDeferred());
bool match = audienceCondition.Audiences.Contains(audience);
if (!match && Logger.InfoCard.IsErrorEnabled)
{
Logger.InfoCard.ErrorFormat("Expected SAML token audience of {0} but found {1}.", audience.AbsoluteUri, audienceCondition.Audiences.Select(aud => aud.AbsoluteUri).ToStringDeferred());
}
// The token is invalid if any condition is not valid.
// An audience restriction condition is valid if any audience
// matches the Relying Party.
InfoCardErrorUtilities.VerifyInfoCard(match, InfoCardStrings.AudienceMismatch);
}
}
}
}
var samlAuthenticator = new SamlSecurityTokenAuthenticator(
new List <SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[] {
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator(),
}),
MaximumClockSkew);
if (audience != null)
{
samlAuthenticator.AllowedAudienceUris.Add(audience.AbsoluteUri);
}
return(AuthorizationContext.CreateDefaultAuthorizationContext(samlAuthenticator.ValidateToken(token)));
}
public byte[] CreateCookieFromSecurityContext(UniqueId contextId, string id, byte[] key, DateTime tokenEffectiveTime,
DateTime tokenExpirationTime, UniqueId keyGeneration, DateTime keyEffectiveTime, DateTime keyExpirationTime,
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies)
{
if (contextId == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("contextId");
}
if (key == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key");
}
MemoryStream stream = new MemoryStream();
XmlDictionaryWriter writer = XmlDictionaryWriter.CreateBinaryWriter(stream, SctClaimDictionary.Instance, null);
SctClaimDictionary dictionary = SctClaimDictionary.Instance;
writer.WriteStartElement(dictionary.SecurityContextSecurityToken, dictionary.EmptyString);
writer.WriteStartElement(dictionary.Version, dictionary.EmptyString);
writer.WriteValue(SupportedPersistanceVersion);
writer.WriteEndElement();
if (id != null)
{
writer.WriteElementString(dictionary.Id, dictionary.EmptyString, id);
}
XmlHelper.WriteElementStringAsUniqueId(writer, dictionary.ContextId, dictionary.EmptyString, contextId);
writer.WriteStartElement(dictionary.Key, dictionary.EmptyString);
writer.WriteBase64(key, 0, key.Length);
writer.WriteEndElement();
if (keyGeneration != null)
{
XmlHelper.WriteElementStringAsUniqueId(writer, dictionary.KeyGeneration, dictionary.EmptyString, keyGeneration);
}
XmlHelper.WriteElementContentAsInt64(writer, dictionary.EffectiveTime, dictionary.EmptyString, tokenEffectiveTime.ToUniversalTime().Ticks);
XmlHelper.WriteElementContentAsInt64(writer, dictionary.ExpiryTime, dictionary.EmptyString, tokenExpirationTime.ToUniversalTime().Ticks);
XmlHelper.WriteElementContentAsInt64(writer, dictionary.KeyEffectiveTime, dictionary.EmptyString, keyEffectiveTime.ToUniversalTime().Ticks);
XmlHelper.WriteElementContentAsInt64(writer, dictionary.KeyExpiryTime, dictionary.EmptyString, keyExpirationTime.ToUniversalTime().Ticks);
AuthorizationContext authContext = null;
if (authorizationPolicies != null)
{
authContext = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies);
}
if (authContext != null && authContext.ClaimSets.Count != 0)
{
DataContractSerializer identitySerializer = DataContractSerializerDefaults.CreateSerializer(typeof(IIdentity), this.knownTypes, int.MaxValue);
DataContractSerializer claimSetSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(ClaimSet), this.knownTypes, int.MaxValue);
DataContractSerializer claimSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(Claim), this.knownTypes, int.MaxValue);
SctClaimSerializer.SerializeIdentities(authContext, dictionary, writer, identitySerializer);
writer.WriteStartElement(dictionary.ClaimSets, dictionary.EmptyString);
for (int i = 0; i < authContext.ClaimSets.Count; i++)
{
SctClaimSerializer.SerializeClaimSet(authContext.ClaimSets[i], dictionary, writer, claimSetSerializer, claimSerializer);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
writer.Flush();
byte[] serializedContext = stream.ToArray();
return(this.securityStateEncoder.EncodeSecurityState(serializedContext));
}
