/// <summary>
/// Checks authorization for the given operation context.
/// </summary>
/// <param name="operationContext">Operation context.</param>
/// <returns>True if access is granted otherwise false.</returns>
public override bool CheckAccess(OperationContext operationContext)
{
try
{
if (base.CheckAccess(operationContext) == false)
{
return(false);
}
if (operationContext.Host == null || operationContext.Host.Description == null)
{
return(false);
}
if (operationContext.ServiceSecurityContext == null || operationContext.ServiceSecurityContext.AuthorizationContext == null || operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets == null)
{
return(false);
}
var trustedClaimSets = _authorizationHandler.GetTrustedClaimSets(operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets);
_authorizationHandler.Authorize(trustedClaimSets, operationContext.Host.Description.ServiceType);
return(true);
}
catch (Exception ex)
{
throw new FaultException(Resource.GetExceptionMessage(ExceptionMessage.NotAuthorizedToUseService, ex.Message));
}
}
/// <summary>
/// Creates a collection of claims identities based on the given claim sets.
/// </summary>
/// <param name="claimSets">Claim sets which should be used to create claims identities.</param>
/// <returns>Collection of claims identities based on the given claims sets.</returns>
private IEnumerable <IClaimsIdentity> CreateClaimsIdentity(IEnumerable <ClaimSet> claimSets)
{
if (claimSets == null)
{
return(new List <ClaimsIdentity> {
new ClaimsIdentity()
});
}
var trustedClaimSets = _authorizationHandler.GetTrustedClaimSets(claimSets);
return(trustedClaimSets
.Select(claimSet =>
{
var issuer = GetIssuer(claimSet.Issuer);
var claims = claimSet
.Where(claim => string.Compare(claim.Right, Rights.PossessProperty, StringComparison.Ordinal) == 0)
.Select(claim =>
{
if (string.Compare(claim.ClaimType, ClaimTypes.Sid, StringComparison.Ordinal) == 0 && claim.Resource is SecurityIdentifier)
{
if (string.Compare(claim.Right, Rights.Identity, StringComparison.Ordinal) == 0)
{
return new Claim(ClaimTypes.PrimarySid, ((SecurityIdentifier)claim.Resource).Value, ClaimValueTypes.String, issuer, issuer);
}
return new Claim(ClaimTypes.GroupSid, ((SecurityIdentifier)claim.Resource).Value, ClaimValueTypes.String, issuer, issuer);
}
if (string.Compare(claim.ClaimType, ClaimTypes.Email, StringComparison.Ordinal) == 0 && claim.Resource is MailAddress)
{
return new Claim(claim.ClaimType, ((MailAddress)claim.Resource).Address, ClaimValueTypes.String, issuer, issuer);
}
if (string.Compare(claim.ClaimType, ClaimTypes.Thumbprint, StringComparison.Ordinal) == 0 && claim.Resource is byte[])
{
return new Claim(claim.ClaimType, Convert.ToBase64String((byte[])claim.Resource), ClaimValueTypes.Base64Binary, issuer, issuer);
}
if (string.Compare(claim.ClaimType, ClaimTypes.Hash, StringComparison.Ordinal) == 0 && claim.Resource is byte[])
{
return new Claim(claim.ClaimType, Convert.ToBase64String((byte[])claim.Resource), ClaimValueTypes.Base64Binary, issuer, issuer);
}
if (string.Compare(claim.ClaimType, ClaimTypes.NameIdentifier, StringComparison.Ordinal) == 0 && claim.Resource is SamlNameIdentifierClaimResource)
{
var newClaim = new Claim(claim.ClaimType, ((SamlNameIdentifierClaimResource)claim.Resource).Name, ClaimValueTypes.String, issuer, issuer);
if (((SamlNameIdentifierClaimResource)claim.Resource).Format != null)
{
newClaim.Properties[ClaimProperties.SamlNameIdentifierFormat] = ((SamlNameIdentifierClaimResource)claim.Resource).Format;
}
if (((SamlNameIdentifierClaimResource)claim.Resource).NameQualifier != null)
{
newClaim.Properties[ClaimProperties.SamlNameIdentifierNameQualifier] = ((SamlNameIdentifierClaimResource)claim.Resource).NameQualifier;
}
return newClaim;
}
if (string.Compare(claim.ClaimType, ClaimTypes.X500DistinguishedName, StringComparison.Ordinal) == 0 && claim.Resource is X500DistinguishedName)
{
return new Claim(claim.ClaimType, ((X500DistinguishedName)claim.Resource).Name, ClaimValueTypes.X500Name, issuer, issuer);
}
if (string.Compare(claim.ClaimType, ClaimTypes.Uri, StringComparison.Ordinal) == 0 && claim.Resource is Uri)
{
return new Claim(claim.ClaimType, ((Uri)claim.Resource).AbsoluteUri, ClaimValueTypes.String, issuer, issuer);
}
if (string.Compare(claim.ClaimType, ClaimTypes.Rsa, StringComparison.Ordinal) == 0 && claim.Resource is RSA)
{
return new Claim(claim.ClaimType, ((RSA)claim.Resource).ToXmlString(false), ClaimValueTypes.RsaKeyValue, issuer, issuer);
}
if (string.Compare(claim.ClaimType, ClaimTypes.DenyOnlySid, StringComparison.Ordinal) == 0 && claim.Resource is SecurityIdentifier)
{
return new Claim(claim.ClaimType, ((SecurityIdentifier)claim.Resource).Value, ClaimValueTypes.String, issuer, issuer);
}
if (claim.Resource as string != null)
{
return new Claim(claim.ClaimType, (string)claim.Resource, ClaimValueTypes.String, issuer, issuer);
}
return new Claim(claim.ClaimType, claim.Resource == null ? "{null}" : claim.Resource.ToString(), ClaimValueTypes.String, issuer, issuer);
})
.ToArray();
return new ClaimsIdentity(claims);
})
.ToArray());
}
