/// <summary>
/// Evaluate the set of incoming claims.
/// </summary>
/// <param name="evaluationContext">The results of the authorization policies that have been evaluated.</param>
/// <param name="state">The current state of the authorization evaluation.</param>
/// <returns>true indicates evaluation of the authorization can continue, false will reject the authorization.</returns>
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// A new principal with its associated claims is created for the first identity to have been evaluated by the transport
// layer. This principal will be applied to the thread before the operations are called.
object property = null;
if (evaluationContext.Properties.TryGetValue("Identities", out property))
{
List <IIdentity> identities = property as List <IIdentity>;
if (identities != null)
{
foreach (IIdentity iIdentity in identities)
{
///HACK - we are only interested custom username
if (iIdentity.AuthenticationType != "Kerberos")
{
ClaimSet claimSet = MapClaims(iIdentity);
ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(iIdentity, claimSet);
evaluationContext.Properties["Principal"] = claimsPrincipal;
evaluationContext.AddClaimSet(this, claimSet);
}
}
}
}
else
{
// If there was no identity provided by the transport, then a generic identity with no claims is used. This user
// will only be able to access 'Unrestricted' methods of an interface.
ClaimSet emptyClaims = new DefaultClaimSet(ClaimsAuthorizationPolicy.IssuerClaimSet, new Claim[] { });
evaluationContext.Properties["Principal"] = new ClaimsPrincipal(new GenericIdentity("Default User"), emptyClaims);
}
// There is no need to call the evaluation again, everything here is computed in a single pass.
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (null == state)
{
state = false;
}
bool hasAddedClaims = (bool)state;
if (hasAddedClaims)
{
return(true);;
}
IList <Claim> claims = new List <Claim>();
foreach (ClaimSet claimSet in evaluationContext.ClaimSets)
{
foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
{
string userName = (string)claim.Resource;
}
}
evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims));
state = true;
return(true);
}
//
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
bool bRet = false;
CustomAuthState customstate = null;
// If state is null, then this method has not been called before so
// set up a custom state.
if (state == null)
{
customstate = new CustomAuthState();
state = customstate;
}
else
{
customstate = (CustomAuthState)state;
}
Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate");
// If we've not added claims yet...
if (!customstate.ClaimsAdded)
{
// Create an empty list of Claims.
IList <Claim> claims = new List <Claim>();
// Iterate through each of the claimsets in the evaluation context.
foreach (ClaimSet cs in evaluationContext.ClaimSets)
{
// Look for Name claims in the current claimset.
foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
{
// Get the list of operations the given username is allowed to call.
foreach (string s in GetAllowedOpList(c.Resource.ToString()))
{
// Add claims to the list.
claims.Add(new Claim("http://example.org/claims/allowedoperation",
s, Rights.PossessProperty));
Console.WriteLine("Claim added {0}", s);
}
}
}
// Add claims to the evaluation context.
evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims));
// Record that claims have been added.
customstate.ClaimsAdded = true;
// Return true, indicating the method need not be called again.
bRet = true;
}
else
{
// Should never get here, but just in case...
bRet = true;
}
return(bRet);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
evaluationContext.AddClaimSet(this, new DefaultClaimSet(Claim.CreateNameClaim(_principal.Identity.Name)));
evaluationContext.Properties["Identities"] = new List <IIdentity>(new[] { _principal.Identity });
evaluationContext.Properties["Principal"] = _principal;
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
for (int i = 0; i < this.claimSets.Count; i++)
{
evaluationContext.AddClaimSet(this, this.claimSets[i]);
}
if (this.identities != null)
{
object obj2;
if (!evaluationContext.Properties.TryGetValue("Identities", out obj2))
{
evaluationContext.Properties.Add("Identities", this.identities);
}
else
{
List <IIdentity> list = obj2 as List <IIdentity>;
if (list != null)
{
list.AddRange(this.identities);
}
}
}
evaluationContext.RecordExpirationTime(this.expirationTime);
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
for (int i = 0; i < this.claimSets.Count; ++i)
{
evaluationContext.AddClaimSet(this, this.claimSets[i]);
}
if (this.identities != null)
{
object obj;
if (!evaluationContext.Properties.TryGetValue(SecurityUtils.Identities, out obj))
{
evaluationContext.Properties.Add(SecurityUtils.Identities, this.identities);
}
else
{
// null if other overrides the property with something else
List <IIdentity> dstIdentities = obj as List <IIdentity>;
if (dstIdentities != null)
{
dstIdentities.AddRange(this.identities);
}
}
}
evaluationContext.RecordExpirationTime(this.expirationTime);
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
for (int num1 = 0; num1 < this.claimSets.Count; num1++)
{
evaluationContext.AddClaimSet(this, this.claimSets[num1]);
}
if (this.identities != null)
{
object obj;
if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
{
evaluationContext.Properties.Add("Identities", (object)this.identities);
}
else
{
List <IIdentity> identities = obj as List <IIdentity>;
if (identities != null)
{
identities.AddRange(this.identities);
}
}
}
evaluationContext.RecordExpirationTime(this.expirationTime);
return(true);
}
// This method is expected to be thread safe
public bool Evaluate(EvaluationContext ec, ref object state)
{
lock (ec) {
ec.AddClaimSet(this, CreateClaims());
List <IIdentity> list;
if (!ec.Properties.ContainsKey("Identities"))
{
list = new List <IIdentity> ();
ec.Properties ["Identities"] = list;
}
else
{
IList <IIdentity> ilist = (IList <IIdentity>)ec.Properties ["Identities"];
list = ilist as List <IIdentity>;
if (list == null)
{
list = new List <IIdentity> (ilist);
ec.Properties ["Identities"] = list;
}
}
list.Add(CreateIdentity());
ec.RecordExpirationTime(DateTime.MaxValue.AddDays(-1));
}
// FIXME: is it correct that this should always return true?
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
evaluationContext.AddClaimSet(this, this.issuance);
if (this.identities != null)
{
object value;
IList <IIdentity> contextIdentities;
if (!evaluationContext.Properties.TryGetValue("Identities", out value))
{
contextIdentities = new List <IIdentity>(this.identities.Count);
evaluationContext.Properties.Add("Identities", contextIdentities);
}
else
{
contextIdentities = value as IList <IIdentity>;
}
foreach (IIdentity identity in this.identities)
{
contextIdentities.Add(identity);
}
}
evaluationContext.RecordExpirationTime(this.expirationTime);
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
AuthorizationPolicy.CustomAuthorizationState customAuthorizationState = null;
if (state == null)
{
customAuthorizationState = new AuthorizationPolicy.CustomAuthorizationState();
}
else
{
customAuthorizationState = (state as AuthorizationPolicy.CustomAuthorizationState);
}
if (!customAuthorizationState.ClaimsAdded)
{
IList <Claim> list = new List <Claim>();
Func <Claim, IEnumerable <string> > selector = (Claim ienum) => AuthorizationPolicy.GetAllowedOperationList(ienum.Resource.ToString());
IEnumerable <Claim> source = evaluationContext.ClaimSets.SelectMany((ClaimSet s) => s.FindClaims(ClaimTypes.Name, Rights.PossessProperty));
foreach (string resource in source.SelectMany(selector))
{
list.Add(new Claim("http://bam.nexon.com/claims/allowed/operation", resource, Rights.PossessProperty));
}
evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, list));
customAuthorizationState.ClaimsAdded = true;
return(true);
}
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
try
{
X509Certificate2 cert = ((X509CertificateClaimSet)evaluationContext.ClaimSets[0]).X509Certificate;
string thumbPrint = cert.Thumbprint;
string acct = System.Configuration.ConfigurationManager.AppSettings[thumbPrint];
var winId = new System.Security.Principal.WindowsIdentity(acct);
var wClaimSet = new WindowsClaimSet(winId);
evaluationContext.Properties["Principal"] = new WindowsPrincipal(winId);
evaluationContext.AddClaimSet(this, wClaimSet);
return(true);
}
catch (Exception e)
{
Console.Write(e.Message);
return(false);
}
}
public bool Evaluate(EvaluationContext context, ref object state)
{
foreach (ClaimSet issuance in _issuedClaimSets)
{
context.AddClaimSet(this, issuance);
}
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// Add the token claim set to the evaluation context.
evaluationContext.AddClaimSet(this, tokenClaims);
// Return true if the policy evaluation is finished.
return(true);
}
bool IAuthorizationPolicy.Evaluate(EvaluationContext evaluationContext, ref object state)
{
foreach (ClaimSet issuance in _issuedClaimSets)
{
evaluationContext.AddClaimSet(this, issuance);
}
return(true);
}
bool IAuthorizationPolicy.Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (evaluationContext == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("evaluationContext");
}
evaluationContext.AddClaimSet(this, _issuer);
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
evaluationContext.AddClaimSet(this, new DefaultClaimSet(ClaimSet.System, this.primaryIdentity));
if (!evaluationContext.Properties.ContainsKey("PrimaryIdentity"))
{
evaluationContext.Properties.Add("PrimaryIdentity", this.primaryIdentity);
}
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// find identity
Claim id = evaluationContext.ClaimSets.FindIdentityClaim();
string userId = Map(id);
evaluationContext.AddClaimSet(this, new CustomerClaimSet(userId, Issuer));
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (evaluationContext.Properties.ContainsKey("Identities"))
{
IIdentity identity;
ClaimSet claims = MapClaims(evaluationContext, out identity);
CustomPrincipal newPrincipal = new CustomPrincipal(identity, claims);
evaluationContext.Properties["Principal"] = newPrincipal;
evaluationContext.AddClaimSet(this, claims);
}
return(true);
}
//We will add a custom claim to the EvaluationContext if the 'magic character' exists in the username
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
//Get the Identities Property
object obj;
if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
{
Debug.WriteLine("CustomNameCheckerPolicy: Identities is null");
return(false);
}
//Get the list of IIdentities
IList <IIdentity> identities = obj as IList <IIdentity>;
if (identities == null || identities.Count != 1)
{
Debug.WriteLine("CustomNameCheckerPolicy: Identities.count = 0");
return(false);
}
//Get the WindowsIdentity
//Any other type of IIdentity will cause it to return false
WindowsIdentity wID = identities[0] as WindowsIdentity;
if (wID == null)
{
Debug.WriteLine("CustomNameCheckerPolicy: Not a Windows Identity");
return(false);
}
//retrieve the username
string[] domainAndUsername = wID.Name.Split(new char[] { '\\' });
string userName = domainAndUsername[0];
if (domainAndUsername.Length > 1)
{
userName = domainAndUsername[1];
}
//Check to see if the 'magic character' exists in the username
//Add our claim if it does
if (userName.ToUpper().Contains(Constants.magicCharacter.ToUpper()))
{
List <Claim> claims = new List <Claim>(1);
Claim magicCharacterClaim = new Claim(Constants.PossessesMagicCharacterType, Constants.magicCharacter, Rights.PossessProperty);
claims.Add(magicCharacterClaim);
evaluationContext.AddClaimSet(this, new DefaultClaimSet(claims));
}
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (OperationContext.Current.IncomingMessageProperties["Principal"] is IPrincipal principal)
{
evaluationContext.Properties["Principal"] = principal;
evaluationContext.Properties["Identities"] = new List <IIdentity> {
principal.Identity,
};
var roleClaims = GetRoleClaims(principal as GenericPrincipal).ToList();
evaluationContext.AddClaimSet(this, new DefaultClaimSet(roleClaims));
}
return(true);
}
public virtual bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (evaluationContext.Properties.ContainsKey("Identities"))
{
List <IIdentity> identities = evaluationContext.Properties["Identities"] as List <IIdentity>;
IIdentity identity = identities[0];
ClaimSet claims = MapClaims(identity);
ClaimsPrincipal newPrincipal = new ClaimsPrincipal(identity, claims);
evaluationContext.Properties["Principal"] = newPrincipal;
evaluationContext.AddClaimSet(this, claims);
return(true);
}
else
{
return(false);
}
}
/// <summary>
/// Lädt das Claimset der Berechtigungen für den aufrufenden Windows User
/// </summary>
/// <param name="evaluationContext"></param>
/// <param name="state"></param>
/// <returns></returns>
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
IIdentity client = GetClientIdentity(evaluationContext);
IPrincipal principal = new ClaimsPrincipal(client);
evaluationContext.Properties["Principal"] = principal;
IUserRepository repository = Container.Resolve <IUserRepository>();
if (repository != null)
{
IUser currentUser = repository.FindByName(principal.Identity.Name);
if (currentUser != null && !currentUser.Deactivated)
{
IList <Claim> claims = new List <Claim>();
claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.NameIdentifier,
currentUser.Id,
Rights.PossessProperty));
IEnumerable <IRight> rights = currentUser.Role.Rights;
IEnumerable <IRight> distinctRights = rights.Distinct();
foreach (IRight right in distinctRights)
{
claims.Add(new Claim(right.Claim, right.Resource, Rights.PossessProperty));
}
evaluationContext.AddClaimSet(this, new DefaultClaimSet(ClaimSet.System, claims));
}
else if (currentUser == null)
{
string errorMessage = "Unknow User detected";
throw new FaultException <RemoteFault>(new RemoteFault(errorMessage, Constants.FaultExceptionEnum.UnknowUser), errorMessage);
}
else if (currentUser.Deactivated)
{
string errorMessage = "Current User deactivated";
throw new FaultException <RemoteFault>(new RemoteFault(errorMessage, Constants.FaultExceptionEnum.DeactivedUser), errorMessage);
}
}
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (evaluationContext.Properties.ContainsKey("Identities"))
{
List <IIdentity> identities = evaluationContext.Properties["Identities"] as List <IIdentity>;
IIdentity identity = identities.FirstOrDefault(i => i.AuthenticationType == "X509");
GenericPrincipal genprincipal = new GenericPrincipal(identity, null);
evaluationContext.Properties["Principal"] = genprincipal;
var user = UserStore.GetUserByCertificate(identity.Name);
evaluationContext.AddClaimSet(this, new DefaultClaimSet(new Claim("User", user, Rights.Identity)));
return(true);
}
else
{
return(false);
}
}
public bool Evaluate(EvaluationContext context, ref object state)
{
var identities = new List <IIdentity> {
_identity
};
context.AddClaimSet(this,
new DefaultClaimSet(Issuer, new Claim(ClaimTypes.Name, _identity == null ? null : _identity.Name, Rights.Identity)));
if (context.Properties.ContainsKey(AuthContextIdentityPropertyName))
{
context.Properties[AuthContextIdentityPropertyName] = identities;
}
else
{
context.Properties.Add(AuthContextIdentityPropertyName, identities);
}
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
CustomAuthState customstate;
// If the state is null, then this has not been called before so
// set up a custom state.
if (state == null)
{
customstate = new CustomAuthState();
state = customstate;
}
else
{
customstate = (CustomAuthState)state;
}
bool bRet;
// If claims have not been added yet...
if (!customstate.ClaimsAdded)
{
// Create an empty list of claims.
IList <Claim> claims = new List <Claim>
{
new Claim("http://tempuri.org/claims/allowedoperation", "http://tempuri.org/IEchoService/EchoString", Rights.PossessProperty),
new Claim("http://tempuri.org/claims/allowedoperation", "http://tempuri.org/IEchoService/ComplexEcho", Rights.PossessProperty)
};
evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, claims));
// Record that claims were added.
customstate.ClaimsAdded = true;
// Return true, indicating that this method does not need to be called again.
bRet = true;
}
else
{
// Should never get here, but just in case, return true.
bRet = true;
}
return(bRet);
}
/// <summary>
/// called for every server operation
/// </summary>
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (evaluationContext.Properties.ContainsKey("Identities"))
{
var identities = (List <IIdentity>)evaluationContext.Properties["Identities"];
IIdentity identity = identities[0];
ClaimSet claims = MapClaims(identity);
var newPrincipal = new GenericPrincipal(identity, null);
evaluationContext.Properties["Principal"] = newPrincipal;
if (claims != null)
{
evaluationContext.AddClaimSet(this, claims);
}
return(true);
}
return(false);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (null == state)
{
state = false;
}
bool hasAddedClaims = (bool)state;
if (hasAddedClaims)
{
return(true);
}
IList <Claim> claims = new List <Claim>();
foreach (ClaimSet claimSet in evaluationContext.ClaimSets)
{
foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
{
string userName = (string)claim.Resource;
if (userName.Contains('\\'))
{
userName = userName.Split('\\')[1];
if (string.Compare("Foo", userName, true) == 0)
{
claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfAdd, Rights.PossessProperty));
claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfSubtract, Rights.PossessProperty));
}
if (string.Compare("Bar", userName, true) == 0)
{
claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfMultiply, Rights.PossessProperty));
claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfDivide, Rights.PossessProperty));
}
}
}
}
evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims));
state = true;
return(true);
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
if (!evaluationContext.Properties.ContainsKey("Identities"))
{
return(false);
}
List <IIdentity> identities = evaluationContext.Properties["Identities"] as List <IIdentity>;
IIdentity identity = identities[0];
IPrincipal principal = Session.GetCustomPrincipal(identity);
evaluationContext.Properties["Principal"] = principal;
ClaimSet claims = MapClaims(identity, principal);
if (claims != null)
{
evaluationContext.AddClaimSet(this, claims);
}
return(true);
}
/// <summary>
/// Evaluate the set of incoming claims.
/// </summary>
/// <param name="evaluationContext">The results of the authorization policies that have been evaluated.</param>
/// <param name="state">The current state of the authorization evaluation.</param>
/// <returns>true indicates evaluation of the authorization can continue, false will reject the authorization.</returns>
public Boolean Evaluate(EvaluationContext evaluationContext, ref Object state)
{
// Validate the parameter before using it.
if (evaluationContext == null)
{
throw new ArgumentNullException("evaluationContext");
}
// This will create an identity based on the validated user and map the claims against that identity using the role manager. This is some pretty heavy
// stuff but the upshot is that Active Directory (or some similar provider) will find out what groups this user belongs to and then assign a set of
// claims based on those roles.
Object property;
if (evaluationContext.Properties.TryGetValue("Identities", out property))
{
List <IIdentity> identities = property as List <IIdentity>;
foreach (IIdentity iIdentity in identities)
{
String distinguishedName = ClaimsAuthorizationPolicy.distinguishedNameMakerMap[iIdentity.AuthenticationType](iIdentity.Name);
OrganizationPrincipal organizationPrincipal = new OrganizationPrincipal(iIdentity, distinguishedName, this.GetRoles(distinguishedName));
evaluationContext.Properties["Principal"] = organizationPrincipal;
evaluationContext.AddClaimSet(this, this.MapClaims(organizationPrincipal));
}
}
else
{
// If no identities are provided by the transport then we'll provide a generic, unknown user with no claims. This user will be able to access the
// 'Unrestricted' serivce contracts but, most importantly, this user will be able to run the WSDL code to generate an interface.
evaluationContext.Properties["Principal"] = new OrganizationPrincipal(
new GenericIdentity("unknown"),
ClaimsAuthorizationPolicy.unknownUser,
new String[0]);
}
// There is no need to call the evaluation again, everything here is computed in a single pass.
return(true);
}
public bool Evaluate(EvaluationContext ec, ref Object state)
{
ec.AddClaimSet(this, new DefaultClaimSet(Claim.CreateRsaClaim(rsa)));
ec.RecordExpirationTime(DateTime.MaxValue.AddDays(-1));
return(true);
}
