private static void ClaimDemand(ClaimType claim, SecureResource resource)
{
AuthorizationContext authContext = ServiceSecurityContext.Current.AuthorizationContext;
ClaimSet issuerClaimSet = null;
foreach (ClaimSet cs in authContext.ClaimSets)
{
if (cs.Issuer == _issuer)
{
issuerClaimSet = cs;
break;
}
}
if (issuerClaimSet == null)
{
throw new PermissionException(string.Format("No claims for issuer {0} were provided.",
_issuer[0].Resource));
}
var c = new Claim(ClaimType.All.ToString(), SecureResource.All, Rights.PossessProperty);
if (issuerClaimSet.ContainsClaim(c)) // if administrator
{
return;
}
if (claim != ClaimType.All)
{
c = new Claim(ClaimType.All.ToString(), resource, Rights.PossessProperty);
if (issuerClaimSet.ContainsClaim(c))
{
return;
}
}
if (resource != SecureResource.All)
{
c = new Claim(claim.ToString(), SecureResource.All, Rights.PossessProperty);
if (issuerClaimSet.ContainsClaim(c))
{
return;
}
}
c = new Claim(claim.ToString(), resource, Rights.PossessProperty);
if (issuerClaimSet.ContainsClaim(c))
{
return;
}
throw new PermissionException(string.Format("Claim {0} for resource {1} is not satisfied.",
claim, resource));
}
string ICrudService.UpdateSomething()
{
AuthorizationContext authContext = ServiceSecurityContext.Current.AuthorizationContext;
ClaimSet issuerClaimSet = null;
foreach (ClaimSet cs in authContext.ClaimSets)
{
Claim issuerClaim = Claim.CreateNameClaim("http://www.thatindigogirl.com/samples/2006/06/issuer");
if (cs.Issuer.ContainsClaim(issuerClaim))
{
issuerClaimSet = cs;
}
}
if (issuerClaimSet == null)
{
throw new SecurityException("Access is denied. No claims were provided from the expected issuer.");
}
Claim c = new Claim("http://schemas.thatindigogirl.com/samples/2006/06/identity/claims/update", "http://schemas.thatindigogirl.com/samples/2006/06/identity/resources/application", Rights.PossessProperty);
if (!issuerClaimSet.ContainsClaim(c))
{
throw new SecurityException("Access is denied. Required claims not satisfied.");
}
return(String.Format("UpdateSomething() called by user {0}", System.Threading.Thread.CurrentPrincipal.Identity.Name));
}
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
if (identity == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
}
if (authContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext");
}
for (int i = 0; i < authContext.ClaimSets.Count; i++)
{
ClaimSet claimSet = authContext.ClaimSets[i];
if (claimSet.ContainsClaim(identity.IdentityClaim))
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, identity.IdentityClaim, base.GetType());
return(true);
}
string expectedSpn = null;
if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
{
expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", new object[] { (string)identity.IdentityClaim.Resource });
Claim claim = this.CheckDnsEquivalence(claimSet, expectedSpn);
if (claim != null)
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim, base.GetType());
return(true);
}
}
SecurityIdentifier identitySid = null;
if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = this.GetSecurityIdentifier(identity.IdentityClaim);
}
else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = ((UpnEndpointIdentity)identity).GetUpnSid();
}
else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = ((SpnEndpointIdentity)identity).GetSpnSid();
}
else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = new SpnEndpointIdentity(expectedSpn).GetSpnSid();
}
if (identitySid != null)
{
Claim claim2 = this.CheckSidEquivalence(identitySid, claimSet);
if (claim2 != null)
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim2, base.GetType());
return(true);
}
}
}
SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, base.GetType());
return(false);
}
/// <summary>
/// If IsAuthenticated was set on the permission,
/// check the thread's principal is authenticated
/// If Claims WERE NOT provided, don't check them
/// If Claims WERE provided, check the AuthorizationContext
/// check for an issuer match,
/// check that required claims are present
/// </summary>
public void CheckClaims()
{
if (this._requiredClaims == null)
{
return;
}
AuthorizationContext authContext = ServiceSecurityContext.Current.AuthorizationContext;
ClaimSet issuerClaimSet = null;
foreach (ClaimSet claimSet in authContext.ClaimSets)
{
Claim issuerClaim = Claim.CreateNameClaim(ClaimsAuthorizationPolicy.IssuerName);
if (claimSet.Issuer.ContainsClaim(issuerClaim))
{
issuerClaimSet = claimSet;
}
}
if (issuerClaimSet == null)
{
throw new SecurityAccessDeniedException("Access is denied. No claims were provided from the expected issuer.");
}
bool hasClaims = true;
foreach (Claim claim in _requiredClaims)
{
if (!issuerClaimSet.ContainsClaim(claim))
{
hasClaims = false;
break;
}
}
if (!hasClaims)
{
throw new SecurityAccessDeniedException("Access is denied. Security principal does not satisfy required claims.");
}
}
public bool IsInRole(string role)
{
if (role == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("role");
}
NTAccount account = new NTAccount(role);
Claim claim = Claim.CreateWindowsSidClaim((SecurityIdentifier)account.Translate(typeof(SecurityIdentifier)));
AuthorizationContext authorizationContext = this.securityContext.AuthorizationContext;
for (int i = 0; i < authorizationContext.ClaimSets.Count; i++)
{
ClaimSet set = authorizationContext.ClaimSets[i];
if (set.ContainsClaim(claim))
{
return(true);
}
}
return(false);
}
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
//EventTraceActivity eventTraceActivity = null;
if (identity == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(identity));
}
if (authContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(authContext));
}
//if (FxTrace.Trace.IsEnd2EndActivityTracingEnabled)
//{
// eventTraceActivity = EventTraceActivityHelper.TryExtractActivity((OperationContext.Current != null) ? OperationContext.Current.IncomingMessage : null);
//}
for (int i = 0; i < authContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = authContext.ClaimSets[i];
if (claimSet.ContainsClaim(identity.IdentityClaim))
{
//SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, identity.IdentityClaim, this.GetType());
return(true);
}
// try Claim equivalence
string expectedSpn = null;
if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
{
expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", (string)identity.IdentityClaim.Resource);
Claim claim = CheckDnsEquivalence(claimSet, expectedSpn);
if (claim != null)
{
//SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType());
return(true);
}
}
// Allow a Sid claim to support UPN, and SPN identities
SecurityIdentifier identitySid = null;
if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = GetSecurityIdentifier(identity.IdentityClaim);
}
else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = ((UpnEndpointIdentity)identity).GetUpnSid();
}
else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = ((SpnEndpointIdentity)identity).GetSpnSid();
}
else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = new SpnEndpointIdentity(expectedSpn).GetSpnSid();
}
if (identitySid != null)
{
Claim claim = CheckSidEquivalence(identitySid, claimSet);
if (claim != null)
{
//SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType());
return(true);
}
}
}
SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, GetType());
//if (TD.SecurityIdentityVerificationFailureIsEnabled())
//{
// TD.SecurityIdentityVerificationFailure(eventTraceActivity);
//}
return(false);
}
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
EventTraceActivity eventTraceActivity = null;
if (identity == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
}
if (authContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext");
}
if (FxTrace.Trace.IsEnd2EndActivityTracingEnabled)
{
eventTraceActivity = EventTraceActivityHelper.TryExtractActivity((OperationContext.Current != null) ? OperationContext.Current.IncomingMessage : null);
}
for (int i = 0; i < authContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = authContext.ClaimSets[i];
if (claimSet.ContainsClaim(identity.IdentityClaim))
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, identity.IdentityClaim, this.GetType());
return(true);
}
// try Claim equivalence
string expectedSpn = null;
if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
{
expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", (string)identity.IdentityClaim.Resource);
Claim claim = CheckDnsEquivalence(claimSet, expectedSpn);
if (claim != null)
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType());
return(true);
}
}
// Allow a Sid claim to support UPN, and SPN identities
// SID claims not available yet
//SecurityIdentifier identitySid = null;
//if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType))
//{
// throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Sid");
//}
//else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
//{
// throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Upn");
//}
//else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
//{
// throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Spn");
//}
//else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
//{
// throw ExceptionHelper.PlatformNotSupported("DefaultIdentityVerifier - ClaimTypes.Dns");
//}
//if (identitySid != null)
//{
// Claim claim = CheckSidEquivalence(identitySid, claimSet);
// if (claim != null)
// {
// SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType());
// return true;
// }
//}
}
SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, this.GetType());
if (WcfEventSource.Instance.SecurityIdentityVerificationFailureIsEnabled())
{
WcfEventSource.Instance.SecurityIdentityVerificationFailure(eventTraceActivity);
}
return(false);
}