public GroupSidClaimCollection(WindowsIdentity windowsIdentity) { if (windowsIdentity.Token != IntPtr.Zero) { SafeHGlobalHandle invalidHandle = SafeHGlobalHandle.InvalidHandle; try { uint num; invalidHandle = WindowsClaimSet.GetTokenInformation(windowsIdentity.Token, System.IdentityModel.TokenInformationClass.TokenGroups, out num); int num2 = Marshal.ReadInt32(invalidHandle.DangerousGetHandle()); IntPtr ptr = new IntPtr(((long)invalidHandle.DangerousGetHandle()) + ((long)Marshal.OffsetOf(typeof(TOKEN_GROUPS), "Groups"))); for (int i = 0; i < num2; i++) { SID_AND_ATTRIBUTES sid_and_attributes = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(ptr, typeof(SID_AND_ATTRIBUTES)); uint num4 = 0xc0000014; if ((sid_and_attributes.Attributes & num4) == 4) { base.Add(Claim.CreateWindowsSidClaim(new SecurityIdentifier(sid_and_attributes.Sid))); } else if ((sid_and_attributes.Attributes & num4) == 0x10) { base.Add(Claim.CreateDenyOnlyWindowsSidClaim(new SecurityIdentifier(sid_and_attributes.Sid))); } ptr = new IntPtr(((long)ptr) + SID_AND_ATTRIBUTES.SizeOf); } } finally { invalidHandle.Close(); } } }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { #if FEATURE_NETNATIVE // NegotiateStream throw ExceptionHelper.PlatformNotSupported("Windows Stream Security is not yet supported on UWP"); #else //FEATURE_NETNATIVE WindowsSecurityToken windowsToken = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo); return SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo); #endif // FEATURE_NETNATIVE }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { #if SUPPORTS_WINDOWSIDENTITY // NegotiateStream WindowsSecurityToken windowsToken = (WindowsSecurityToken)token; WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo); return SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo); #else // SUPPORTS_WINDOWSIDENTITY throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported); #endif // SUPPORTS_WINDOWSIDENTITY }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { X509SecurityToken x509Token = (X509SecurityToken)token; this.validator.Validate(x509Token.Certificate); X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, this.cloneHandle); if (!this.mapToWindows) return SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo); WindowsClaimSet windowsClaimSet; if (token is X509WindowsSecurityToken) { windowsClaimSet = new WindowsClaimSet( ( (X509WindowsSecurityToken)token ).WindowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, this.cloneHandle ); } else { // Ensure NT_AUTH chain policy for certificate account mapping X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate); WindowsIdentity windowsIdentity = null; // for Vista, LsaLogon supporting mapping cert to NTToken if (Environment.OSVersion.Version.Major >= SecurityUtils.WindowsVistaMajorNumber) { windowsIdentity = KerberosCertificateLogon(x509Token.Certificate); } else { // Downlevel, S4U over PrincipalName SubjectAltNames string name = x509Token.Certificate.GetNameInfo(X509NameType.UpnName, false); if (string.IsNullOrEmpty(name)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.InvalidNtMapping, SecurityUtils.GetCertificateId(x509Token.Certificate)))); } using (WindowsIdentity initialWindowsIdentity = new WindowsIdentity(name, SecurityUtils.AuthTypeCertMap)) { // This is to make sure that the auth Type is shoved down to the class as the above constructor does not do it. windowsIdentity = new WindowsIdentity(initialWindowsIdentity.Token, SecurityUtils.AuthTypeCertMap); } } windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false); } List<ClaimSet> claimSets = new List<ClaimSet>(2); claimSets.Add(windowsClaimSet); claimSets.Add(x509ClaimSet); List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1); policies.Add(new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo)); return policies.AsReadOnly(); }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password) { string domain = null; string[] strings = userName.Split('\\'); if (strings.Length != 1) { if (strings.Length != 2 || string.IsNullOrEmpty(strings[0])) { // Only support one slash and domain cannot be empty (consistent with windowslogon). throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.IncorrectUserNameFormat)); } // This is the downlevel case - domain\userName userName = strings[1]; domain = strings[0]; } const uint LOGON32_PROVIDER_DEFAULT = 0; const uint LOGON32_LOGON_NETWORK_CLEARTEXT = 8; SafeCloseHandle tokenHandle = null; try { if (!NativeMethods.LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out tokenHandle)) { int error = Marshal.GetLastWin32Error(); throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.FailLogonUser, userName), new Win32Exception(error))); } WindowsIdentity windowsIdentity = new WindowsIdentity(tokenHandle.DangerousGetHandle(), SecurityUtils.AuthTypeBasic); WindowsClaimSet claimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeBasic, this.includeWindowsGroups, false); return SecurityUtils.CreateAuthorizationPolicies(claimSet, claimSet.ExpirationTime); } finally { if (tokenHandle != null) tokenHandle.Close(); } }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation) { WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation; if (windowsNegotiation.IsValidContext == false) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(SR.GetString(SR.InvalidSspiNegotiation))); } SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation); if (this.IsClientAnonymous) { return EmptyReadOnlyCollection<IAuthorizationPolicy>.Instance; } using (SafeCloseHandle contextToken = windowsNegotiation.GetContextToken()) { WindowsIdentity windowsIdentity = new WindowsIdentity(contextToken.DangerousGetHandle(), windowsNegotiation.ProtocolName); SecurityUtils.ValidateAnonymityConstraint(windowsIdentity, this.AllowUnauthenticatedCallers); List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1); WindowsClaimSet wic = new WindowsClaimSet( windowsIdentity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false ); policies.Add(new System.IdentityModel.Policy.UnconditionalPolicy(wic, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime))); return policies.AsReadOnly(); } }
WindowsClaimSet(WindowsClaimSet from) : this(from.WindowsIdentity, from.authenticationType, from.includeWindowsGroups, from.expirationTime, true) { }
private WindowsClaimSet(WindowsClaimSet from) : this(from.WindowsIdentity, from._authenticationType, from._includeWindowsGroups, from._expirationTime, true) { }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { WindowsSecurityToken token2 = (WindowsSecurityToken) token; WindowsClaimSet claimSet = new WindowsClaimSet(token2.WindowsIdentity, token2.AuthenticationType, this.includeWindowsGroups, token2.ValidTo); return System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo); }
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token) { WindowsClaimSet set2; X509SecurityToken token2 = (X509SecurityToken) token; this.validator.Validate(token2.Certificate); X509CertificateClaimSet claimSet = new X509CertificateClaimSet(token2.Certificate, this.cloneHandle); if (!this.mapToWindows) { return System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo); } if (token is X509WindowsSecurityToken) { set2 = new WindowsClaimSet(((X509WindowsSecurityToken) token).WindowsIdentity, "SSL/PCT", this.includeWindowsGroups, this.cloneHandle); } else { X509CertificateValidator.NTAuthChainTrust.Validate(token2.Certificate); WindowsIdentity windowsIdentity = null; if (Environment.OSVersion.Version.Major >= 6) { windowsIdentity = KerberosCertificateLogon(token2.Certificate); } else { string nameInfo = token2.Certificate.GetNameInfo(X509NameType.UpnName, false); if (string.IsNullOrEmpty(nameInfo)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("InvalidNtMapping", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(token2.Certificate) }))); } using (WindowsIdentity identity2 = new WindowsIdentity(nameInfo, "SSL/PCT")) { windowsIdentity = new WindowsIdentity(identity2.Token, "SSL/PCT"); } } set2 = new WindowsClaimSet(windowsIdentity, "SSL/PCT", this.includeWindowsGroups, false); } List<ClaimSet> list = new List<ClaimSet>(2) { set2, claimSet }; return new List<IAuthorizationPolicy>(1) { new UnconditionalPolicy(list.AsReadOnly(), token2.ValidTo) }.AsReadOnly(); }