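            /// <summary>
            /// Builds the <see cref="SecurityMessageProperty"/> for the client that authenticated
            /// on <paramref name="negotiateStream"/>: a transport token wrapping the remote identity
            /// plus the authorization policies the Windows authenticator produced for it.
            /// </summary>
            /// <param name="negotiateStream">Authenticated stream whose <c>RemoteIdentity</c> identifies the client.</param>
            /// <param name="extractGroupsForWindowsAccounts">Forwarded to the <see cref="WindowsSecurityTokenAuthenticator"/>.</param>
            /// <returns>A property carrying the transport token and its authorization policies.</returns>
            private async Task<SecurityMessageProperty> CreateClientSecurityAsync(NegotiateStream negotiateStream,
                                                                                  bool extractGroupsForWindowsAccounts)
            {
                IIdentity remoteIdentity = negotiateStream.RemoteIdentity;
                WindowsSecurityTokenAuthenticator authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts, _ldapSettings);
                SecurityToken token;

                if (remoteIdentity is WindowsIdentity windowsIdentity)
                {
                    // Presumably rejects an anonymous Windows logon before it becomes a token - verify against SecurityUtils.
                    SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, false);
                    token = new WindowsSecurityToken(windowsIdentity, SecurityUniqueId.Create().Value, windowsIdentity.AuthenticationType);
                }
                else
                {
                    // Any other identity is wrapped by name only. The unused ClaimsIdentity that
                    // used to be built here has been removed.
                    // NOTE(review): nothing on this path checks remoteIdentity.IsAuthenticated -
                    // confirm the authenticator enforces it for a GenericSecurityToken.
                    token = new GenericSecurityToken(remoteIdentity.Name, SecurityUniqueId.Create().Value);
                }

                ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = await authenticator.ValidateTokenAsync(token);

                return new SecurityMessageProperty
                {
                    TransportToken         = new SecurityTokenSpecification(token, authorizationPolicies),
                    ServiceSecurityContext = new ServiceSecurityContext(authorizationPolicies)
                };
            }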
            /// <summary>
            /// Converts the identity negotiated on <paramref name="negotiateStream"/> into a
            /// <see cref="SecurityMessageProperty"/> holding the transport token and the
            /// authorization policies produced for it.
            /// </summary>
            /// <param name="negotiateStream">Authenticated stream whose <c>RemoteIdentity</c> identifies the client.</param>
            /// <param name="extractGroupsForWindowsAccounts">Forwarded to the <see cref="WindowsSecurityTokenAuthenticator"/> on the Windows path.</param>
            /// <returns>The property describing the client's security context.</returns>
            SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream,
                                                         bool extractGroupsForWindowsAccounts)
            {
                IIdentity identity = negotiateStream.RemoteIdentity;
                SecurityToken token;
                ReadOnlyCollection<IAuthorizationPolicy> policies;

                if (identity is WindowsIdentity windowsIdentity)
                {
                    // Windows logons go through the Windows authenticator (group extraction is optional).
                    Security.SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, false);
                    var windowsAuthenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);
                    token    = new WindowsSecurityToken(windowsIdentity, SecurityUniqueId.Create().Value, windowsIdentity.AuthenticationType);
                    policies = windowsAuthenticator.ValidateToken(token);
                }
                else
                {
                    // Everything else is wrapped by name and validated by the generic authenticator.
                    token    = new GenericSecurityToken(identity.Name, SecurityUniqueId.Create().Value);
                    policies = new GenericSecurityTokenAuthenticator().ValidateToken(token);
                }

                return new SecurityMessageProperty
                {
                    TransportToken         = new SecurityTokenSpecification(token, policies),
                    ServiceSecurityContext = new ServiceSecurityContext(policies)
                };
            }
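 /// <summary>
 /// Creates a token with a fresh id whose validity window starts now and lasts ten hours;
 /// no authenticator is set.
 /// </summary>
 private PeerHashToken()
 {
     // Read the clock once so the expiry is exactly ten hours after the effective time
     // instead of two slightly different timestamps.
     DateTime now = DateTime.UtcNow;

     this.id             = SecurityUniqueId.Create().Value;
     this.effectiveTime  = now;
     this.expirationTime = now.AddHours(10.0);
     this.CheckValidity();
 }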
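 /// <summary>
 /// Creates a token with a fresh id and a ten-hour validity window starting now,
 /// carrying the supplied authenticator bytes.
 /// </summary>
 /// <param name="authenticator">Stored as-is in the token; not copied.</param>
 public PeerHashToken(byte[] authenticator)
 {
     // Read the clock once so the expiry is exactly ten hours after the effective time
     // instead of two slightly different timestamps.
     DateTime now = DateTime.UtcNow;

     this.id             = SecurityUniqueId.Create().Value;
     this.effectiveTime  = now;
     this.expirationTime = now.AddHours(10.0);
     this.authenticator  = authenticator;
     this.CheckValidity();
 }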
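 /// <summary>
 /// Creates a token with a fresh id and a ten-hour validity window starting now; the
 /// authenticator is derived from <paramref name="certificate"/> and <paramref name="password"/>
 /// via <c>PeerSecurityHelpers.ComputeHash</c>.
 /// </summary>
 /// <param name="certificate">Certificate fed to the hash computation.</param>
 /// <param name="password">Password fed to the hash computation.</param>
 public PeerHashToken(X509Certificate2 certificate, string password)
 {
     // Read the clock once so the expiry is exactly ten hours after the effective time
     // instead of two slightly different timestamps.
     DateTime now = DateTime.UtcNow;

     this.id             = SecurityUniqueId.Create().Value;
     this.effectiveTime  = now;
     this.expirationTime = now.AddHours(10.0);
     this.authenticator  = PeerSecurityHelpers.ComputeHash(certificate, password);
     this.CheckValidity();
 }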
        /// <summary>
        /// Wraps an already-authenticated Windows identity in a transport token and runs it
        /// through this instance's Windows token authenticator.
        /// </summary>
        /// <param name="identity">The authenticated Windows identity.</param>
        /// <param name="authenticationType">Authentication type recorded on the token.</param>
        /// <returns>A message property carrying the token and its authorization policies.</returns>
        private SecurityMessageProperty ProcessAuthentication(WindowsIdentity identity, string authenticationType)
        {
            System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, false);

            string tokenId = SecurityUniqueId.Create().Value;
            SecurityToken token = new WindowsSecurityToken(identity, tokenId, authenticationType);
            ReadOnlyCollection<IAuthorizationPolicy> policies = this.windowsTokenAuthenticator.ValidateToken(token);

            SecurityMessageProperty result = new SecurityMessageProperty();
            result.TransportToken         = new SecurityTokenSpecification(token, policies);
            result.ServiceSecurityContext = new ServiceSecurityContext(policies);
            return result;
        }
            /// <summary>
            /// Builds the client's <see cref="SecurityMessageProperty"/> from the Windows identity
            /// negotiated on <paramref name="negotiateStream"/> and stores it in <c>this.clientSecurity</c>.
            /// </summary>
            /// <param name="negotiateStream">Authenticated stream; its <c>RemoteIdentity</c> is cast to
            /// <see cref="WindowsIdentity"/>, so any other identity type makes the cast throw
            /// <see cref="InvalidCastException"/>.</param>
            /// <param name="extractGroupsForWindowsAccounts">Forwarded to the <see cref="WindowsSecurityTokenAuthenticator"/>.</param>
            /// <returns>The property that was stored in <c>this.clientSecurity</c>.</returns>
            private SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream, bool extractGroupsForWindowsAccounts)
            {
                WindowsIdentity identity = (WindowsIdentity)negotiateStream.RemoteIdentity;
                System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, false);

                var authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);
                SecurityToken token = new WindowsSecurityToken(identity, SecurityUniqueId.Create().Value, identity.AuthenticationType);
                ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(token);

                SecurityMessageProperty property = new SecurityMessageProperty();
                this.clientSecurity = property;
                property.TransportToken         = new SecurityTokenSpecification(token, policies);
                property.ServiceSecurityContext = new ServiceSecurityContext(policies);
                return property;
            }
            /// <summary>
            /// Reads a username token from <paramref name="reader"/>; a token serialized without
            /// an id gets a freshly generated one.
            /// </summary>
            /// <param name="reader">Reader positioned on the token element.</param>
            /// <param name="tokenResolver">Not used by this implementation.</param>
            /// <returns>The deserialized token.</returns>
            public override SecurityToken ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver)
            {
                string id, userName, password;
                ParseToken(reader, out id, out userName, out password);

                string tokenId = id ?? SecurityUniqueId.Create().Value;
                return new USerNameSecurityToken(userName, password, tokenId);
            }
            /// <summary>
            /// Builds the client's <see cref="SecurityMessageProperty"/> from the Windows identity
            /// negotiated on <paramref name="negotiateStream"/>, caching it in <c>this.clientSecurity</c>.
            /// </summary>
            /// <param name="negotiateStream">Authenticated stream; <c>RemoteIdentity</c> is cast to <see cref="WindowsIdentity"/>.</param>
            /// <param name="extractGroupsForWindowsAccounts">Forwarded to the <see cref="WindowsSecurityTokenAuthenticator"/>.</param>
            /// <returns>The property stored in <c>this.clientSecurity</c>.</returns>
            SecurityMessageProperty CreateClientSecurity(NegotiateStream negotiateStream,
                bool extractGroupsForWindowsAccounts)
            {
                WindowsIdentity identity = (WindowsIdentity)negotiateStream.RemoteIdentity;
                SecurityUtils.ValidateAnonymityConstraint(identity, false);
                var authenticator = new WindowsSecurityTokenAuthenticator(extractGroupsForWindowsAccounts);

                // NegotiateStream's internal NegoState passes the AuthenticationType to the
                // WindowsIdentity constructor. Should that ever change, reading
                // identity.AuthenticationType could fail when the current process token lacks
                // sufficient privileges; that failure is a first-class exception which the CLR
                // catches, and null is returned.
                string tokenId            = SecurityUniqueId.Create().Value;
                string authenticationType = identity.AuthenticationType;
                SecurityToken token = new WindowsSecurityToken(identity, tokenId, authenticationType);
                ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(token);

                SecurityMessageProperty property = new SecurityMessageProperty();
                this.clientSecurity = property;
                property.TransportToken         = new SecurityTokenSpecification(token, policies);
                property.ServiceSecurityContext = new ServiceSecurityContext(policies);
                return property;
            }
 /// <summary>
 /// Wraps <paramref name="rsa"/> in a token with a freshly generated id and an effective
 /// time of now.
 /// </summary>
 /// <param name="rsa">The RSA provider to wrap; null is rejected via the ThrowHelper.</param>
 /// <param name="ownsRsa">When true the token takes ownership: the key container info is
 /// captured, <c>PersistKeyInCsp</c> is set and a <see cref="GCHandle"/> keeps the provider
 /// reachable - presumably so a finalizer can clean it up later (confirm against the
 /// finalizer). When false, finalization of this instance is suppressed.</param>
 private RsaSecurityToken(RSACryptoServiceProvider rsa, bool ownsRsa)
 {
     if (rsa == null)
     {
         throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rsa");
     }
     this.rsa           = rsa;
     this.id            = SecurityUniqueId.Create().Value;
     this.effectiveTime = DateTime.UtcNow;
     if (ownsRsa)
     {
         // Order matters here: CspKeyContainerInfo is read before PersistKeyInCsp is set,
         // and the handle is allocated last.
         this.keyContainerInfo = rsa.CspKeyContainerInfo;
         rsa.PersistKeyInCsp   = true;
         this.rsaHandle        = GCHandle.Alloc(rsa);
     }
     else
     {
         // Nothing to release for a borrowed provider.
         GC.SuppressFinalize(this);
     }
 }
 // This is defense-in-depth.
 // The RSA finalizer can throw and bring down the process when it runs in finalizer context.
 // This internal ctor is used by SM's IssuedSecurityTokenProvider.
 // If ownsRsa=true, this class takes ownership of the RSA object and provides
 // reliable finalizing/disposing of it.  The GCHandle is used to ensure
 // order in the finalizer sequence.
 //
 // rsa:     the provider to wrap; null is rejected via the ThrowHelper.
 // ownsRsa: true  - capture the key container info, persist the key and keep the
 //                  provider alive through a GCHandle;
 //          false - the provider is borrowed, so finalization of this token is suppressed.
 RsaSecurityToken(RSACryptoServiceProvider rsa, bool ownsRsa)
 {
     if (rsa == null)
     {
         throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("rsa");
     }
     this.rsa           = rsa;
     this.id            = SecurityUniqueId.Create().Value;
     this.effectiveTime = DateTime.UtcNow;
     if (ownsRsa)
     {
         // Reading CspKeyContainerInfo also triggers key pair generation.
         // It must be read before PersistKeyInCsp is set so that the handle does not go out of scope.
         this.keyContainerInfo = rsa.CspKeyContainerInfo;
         // We handle key file deletion ourselves.
         rsa.PersistKeyInCsp = true;
         this.rsaHandle      = GCHandle.Alloc(rsa);
     }
     else
     {
         GC.SuppressFinalize(this);
     }
 }
 /// <summary>Creates a token over <paramref name="key"/> with a freshly generated id.</summary>
 /// <param name="key">Forwarded unchanged to the (id, key) constructor.</param>
 public BinarySecretSecurityToken(byte[] key) : this(SecurityUniqueId.Create().Value, key) { }
 /// <summary>
 /// Issues a new <see cref="KerberosRequestorSecurityToken"/> from the inner provider's
 /// SPN, impersonation level and credential. <paramref name="timeout"/> is not consulted.
 /// </summary>
 /// <param name="timeout">Ignored.</param>
 /// <returns>A freshly created requestor token with a new id.</returns>
 protected override SecurityToken GetTokenCore(TimeSpan timeout)
 {
     var spn        = _innerProvider.ServicePrincipalName;
     var level      = _innerProvider.TokenImpersonationLevel;
     var credential = _innerProvider.NetworkCredential;
     var tokenId    = SecurityUniqueId.Create().Value;

     return new KerberosRequestorSecurityToken(spn, level, credential, tokenId);
 }
 /// <summary>
 /// Creates a requestor token for <paramref name="servicePrincipalName"/> using
 /// <see cref="TokenImpersonationLevel.Impersonation"/>, a freshly generated id, and null
 /// for the remaining two constructor parameters.
 /// </summary>
 /// <param name="servicePrincipalName">Target service principal name.</param>
 public KerberosRequestorSecurityToken(string servicePrincipalName) : this(servicePrincipalName, TokenImpersonationLevel.Impersonation, null, SecurityUniqueId.Create().Value, null) { }
 /// <summary>Wraps <paramref name="rsa"/> in a token with a freshly generated id.</summary>
 /// <param name="rsa">Forwarded unchanged to the (rsa, id) constructor.</param>
 public RsaSecurityToken(RSA rsa) : this(rsa, SecurityUniqueId.Create().Value) { }
 /// <summary>Wraps <paramref name="windowsIdentity"/> in a token with a freshly generated id.</summary>
 /// <param name="windowsIdentity">Forwarded unchanged to the (identity, id) constructor.</param>
 public WindowsSecurityToken(System.Security.Principal.WindowsIdentity windowsIdentity)
     : this(windowsIdentity, SecurityUniqueId.Create().Value)
 {
 }
 /// <summary>Wraps <paramref name="certificate"/> in a token with a freshly generated id.</summary>
 /// <param name="certificate">Forwarded to the (certificate, id, clone, disposable) constructor.</param>
 /// <param name="clone">Forwarded unchanged.</param>
 /// <param name="disposable">Forwarded unchanged.</param>
 internal X509SecurityToken(X509Certificate2 certificate, bool clone, bool disposable)
     : this(certificate, SecurityUniqueId.Create().Value, clone, disposable)
 {
 }
        /// <summary>
        /// Parses the encrypted-type element at the reader's position into this instance:
        /// attributes, an optional EncryptionMethod child, an optional KeyInfo (key identifier)
        /// child, then the required CipherData/CipherValue pair.
        /// </summary>
        /// <param name="reader">Reader positioned on or before the opening element.</param>
        /// <param name="maxBufferSize">Handed to <c>ReadCipherData</c>; 0 selects the overload
        /// that takes no size argument.</param>
        public void ReadFrom(XmlDictionaryReader reader, long maxBufferSize)
        {
            ValidateReadState();
            reader.MoveToStartElement(OpeningElementName, NamespaceUri);
            this.encoding = reader.GetAttribute(EncodingAttribute, null);
            // Both id attributes are optional; a missing one is replaced by a freshly generated id.
            this.id       = reader.GetAttribute(XD.XmlEncryptionDictionary.Id, null) ?? SecurityUniqueId.Create().Value;
            this.wsuId    = reader.GetAttribute(XD.XmlEncryptionDictionary.Id, XD.UtilityDictionary.Namespace) ?? SecurityUniqueId.Create().Value;
            this.mimeType = reader.GetAttribute(MimeTypeAttribute, null);
            this.type     = reader.GetAttribute(TypeAttribute, null);
            ReadAdditionalAttributes(reader);
            reader.Read();

            if (reader.IsStartElement(EncryptionMethodElement.ElementName, NamespaceUri))
            {
                this.encryptionMethod.ReadFrom(reader);
            }

            // KeyInfo is only consumed when the plugged-in serializer says it can read it.
            if (this.tokenSerializer.CanReadKeyIdentifier(reader))
            {
                XmlElement          xml = null;
                XmlDictionaryReader localReader;

                if (this.ShouldReadXmlReferenceKeyInfoClause)
                {
                    // We create the dom only when needed to not affect perf. Buffering the
                    // subtree lets the catch block below re-read it from the start.
                    // NOTE(review): ReadNode returns null for a non-element node, and
                    // XmlNodeReader would then be given null - confirm the reader is always
                    // positioned on an element here.
                    XmlDocument doc = new XmlDocument();
                    xml         = (doc.ReadNode(reader) as XmlElement);
                    localReader = XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(xml));
                }
                else
                {
                    localReader = reader;
                }

                try
                {
                    this.KeyIdentifier = this.tokenSerializer.ReadKeyIdentifier(localReader);
                }
                catch (Exception e)
                {
                    // In case when the issued token ( custom token) is used as an initiator token; we will fail
                    // to read the keyIdentifierClause using the plugged in default serializer. So We need to try to read it as an XmlReferencekeyIdentifierClause
                    // if it is the client side.

                    // Fatal exceptions, and any failure on the path that did not buffer the
                    // subtree, are propagated unchanged.
                    if (Fx.IsFatal(e) || !this.ShouldReadXmlReferenceKeyInfoClause)
                    {
                        throw;
                    }

                    // Fallback writes the backing field directly (lower-case keyIdentifier),
                    // unlike the success path which goes through the KeyIdentifier property.
                    this.keyIdentifier = ReadGenericXmlSecurityKeyIdentifier(XmlDictionaryReader.CreateDictionaryReader(new XmlNodeReader(xml)), e);
                }
            }

            // CipherData/CipherValue are mandatory: ReadStartElement throws if they are absent.
            reader.ReadStartElement(CipherDataElementName, EncryptedType.NamespaceUri);
            reader.ReadStartElement(CipherValueElementName, EncryptedType.NamespaceUri);
            // NOTE(review): 0 routes to the overload without a size argument - confirm callers
            // never pass 0 when the input is untrusted.
            if (maxBufferSize == 0)
            {
                ReadCipherData(reader);
            }
            else
            {
                ReadCipherData(reader, maxBufferSize);
            }
            reader.ReadEndElement(); // CipherValue
            reader.ReadEndElement(); // CipherData

            ReadAdditionalElements(reader);
            reader.ReadEndElement(); // OpeningElementName
            this.State = EncryptionState.Read;
        }
 /// <summary>Wraps the raw <paramref name="request"/> bytes in a token with a freshly generated id.</summary>
 /// <param name="request">Forwarded unchanged to the (request, id) constructor.</param>
 public KerberosReceiverSecurityToken(byte[] request) : this(request, SecurityUniqueId.Create().Value) { }
 /// <summary>Creates a token of <paramref name="keySizeInBits"/> bits with a freshly generated id.</summary>
 /// <param name="keySizeInBits">Forwarded unchanged to the (id, keySizeInBits) constructor.</param>
 public BinarySecretSecurityToken(int keySizeInBits) : this(SecurityUniqueId.Create().Value, keySizeInBits) { }
ファイル: NonceToken.cs プロジェクト: wpenbert/CoreWCF
 /// <summary>
 /// Creates a nonce of <paramref name="keySizeInBits"/> bits with a freshly generated id;
 /// the base constructor's trailing flag is passed as false.
 /// </summary>
 /// <param name="keySizeInBits">Forwarded unchanged to the base constructor.</param>
 public NonceToken(int keySizeInBits) : base(SecurityUniqueId.Create().Value, keySizeInBits, false) { }
ファイル: NonceToken.cs プロジェクト: wpenbert/CoreWCF
 /// <summary>Creates a nonce over <paramref name="key"/> with a freshly generated id.</summary>
 /// <param name="key">Forwarded unchanged to the (id, key) constructor.</param>
 public NonceToken(byte[] key) : this(SecurityUniqueId.Create().Value, key) { }
 /// <summary>Creates a username token with a freshly generated id.</summary>
 /// <param name="userName">Forwarded unchanged to the (userName, password, id) constructor.</param>
 /// <param name="password">Forwarded unchanged; held in memory as a plain string.</param>
 public UserNameSecurityToken(string userName, string password) : this(userName, password, SecurityUniqueId.Create().Value) { }
 /// <summary>Wraps <paramref name="certificate"/> in a token with a freshly generated id.</summary>
 /// <param name="certificate">Forwarded unchanged to the (certificate, id) constructor.</param>
 public X509SecurityToken(X509Certificate2 certificate)
     : this(certificate, SecurityUniqueId.Create().Value)
 {
 }
 /// <summary>
 /// Builds a <see cref="KerberosRequestorSecurityToken"/> from the inner provider's SPN,
 /// impersonation level and credential and returns it as an already-completed task.
 /// Neither parameter is consulted.
 /// </summary>
 /// <param name="cancellationToken">Ignored.</param>
 /// <param name="channelbinding">Ignored - not forwarded to the token. NOTE(review): confirm this is intended.</param>
 /// <returns>A completed task holding the new token.</returns>
 internal Task<SecurityToken> GetTokenAsync(CancellationToken cancellationToken, ChannelBinding channelbinding)
 {
     SecurityToken token = new KerberosRequestorSecurityToken(
         this.innerProvider.ServicePrincipalName,
         this.innerProvider.TokenImpersonationLevel,
         this.innerProvider.NetworkCredential,
         SecurityUniqueId.Create().Value);

     return Task.FromResult(token);
 }
 /// <summary>Wraps <paramref name="windowsIdentity"/> in a token with a freshly generated id.</summary>
 /// <param name="windowsIdentity">Forwarded unchanged to the (identity, id) constructor.</param>
 public WindowsSecurityToken(WindowsIdentity windowsIdentity) : this(windowsIdentity, SecurityUniqueId.Create().Value) { }
 /// <summary>
 /// Pairs <paramref name="certificate"/> with <paramref name="windowsIdentity"/> in a token
 /// with a freshly generated id.
 /// </summary>
 /// <param name="certificate">Forwarded unchanged.</param>
 /// <param name="windowsIdentity">Forwarded unchanged.</param>
 /// <param name="authenticationType">Forwarded unchanged.</param>
 /// <param name="clone">Forwarded unchanged.</param>
 internal X509WindowsSecurityToken(X509Certificate2 certificate, WindowsIdentity windowsIdentity, string authenticationType, bool clone) : this(certificate, windowsIdentity, authenticationType, SecurityUniqueId.Create().Value, clone) { }
 /// <summary>
 /// Creates a <see cref="KerberosRequestorSecurityToken"/> from this instance's SPN,
 /// impersonation level and credential. Neither parameter is consulted.
 /// </summary>
 /// <param name="cancellationToken">Ignored.</param>
 /// <param name="channelbinding">Ignored - not forwarded to the token. NOTE(review): confirm this is intended.</param>
 /// <returns>A new requestor token with a freshly generated id.</returns>
 internal SecurityToken GetToken(CancellationToken cancellationToken, ChannelBinding channelbinding)
 {
     var tokenId = SecurityUniqueId.Create().Value;
     return new KerberosRequestorSecurityToken(this.ServicePrincipalName, this.TokenImpersonationLevel, this.NetworkCredential, tokenId);
 }
 /// <summary>
 /// Creates a <see cref="KerberosRequestorSecurityToken"/> from this instance's SPN,
 /// impersonation level and credential, passing <paramref name="channelbinding"/> through.
 /// <paramref name="timeout"/> is not consulted.
 /// </summary>
 /// <param name="timeout">Ignored.</param>
 /// <param name="channelbinding">Forwarded to the token constructor.</param>
 /// <returns>A new requestor token with a freshly generated id.</returns>
 internal SecurityToken GetToken(TimeSpan timeout, ChannelBinding channelbinding)
 {
     var tokenId = SecurityUniqueId.Create().Value;
     return new KerberosRequestorSecurityToken(
         this.ServicePrincipalName,
         this.TokenImpersonationLevel,
         this.NetworkCredential,
         tokenId,
         channelbinding);
 }