/// <summary>
/// Validate claims made by the requestor
/// </summary>
private IEnumerable <Claim> ValidateClaims(IPrincipal userPrincipal)
{
IPolicyDecisionService pdp = ApplicationContext.Current.GetService <IPolicyDecisionService>();
List <Claim> retVal = new List <Claim>();
// HACK: Find a better way to make claims
// Claims are stored as X-OpenIZACS-Claim headers
foreach (var itm in OpenIzClaimTypes.ExtractClaims(WebOperationContext.Current.IncomingRequest.Headers))
{
// Claim allowed
if (this.m_configuration.AllowedClientClaims == null ||
!this.m_configuration.AllowedClientClaims.Contains(itm.Type))
{
throw new SecurityException(ApplicationContext.Current.GetLocaleString("SECE001"));
}
else
{
// Validate the claim
var handler = OpenIzClaimTypes.GetHandler(itm.Type);
if (handler == null || handler.Validate(userPrincipal, itm.Value))
{
retVal.Add(itm);
}
else
{
throw new SecurityException(String.Format(ApplicationContext.Current.GetLocaleString("SECE002"), itm.Type));
}
}
}
return(retVal);
}
/// <summary>
/// Evaluate the context
/// </summary>
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
try
{
this.m_traceSource.TraceInformation("Entering BasicAuthorizationAccessPolicy");
object obj;
if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
{
throw new Exception("No Identity found");
}
IList <IIdentity> identities = obj as IList <IIdentity>;
if (identities == null || identities.Count <= 0)
{
throw new Exception("No Identity found");
}
// Role service
var roleService = ApplicationContext.Current.GetService <IRoleProviderService>();
var pipService = ApplicationContext.Current.GetService <IPolicyInformationService>();
// Claims
var roles = roleService.GetAllRoles(identities[0].Name);
List <System.Security.Claims.Claim> claims = new List <System.Security.Claims.Claim>(
roles.Select(o => new System.Security.Claims.Claim(ClaimsIdentity.DefaultRoleClaimType, o))
);
// Add claims made by the client
HttpRequestMessageProperty httpRequest = (HttpRequestMessageProperty)OperationContext.Current.IncomingMessageProperties[HttpRequestMessageProperty.Name];
if (httpRequest != null)
{
var clientClaims = OpenIzClaimTypes.ExtractClaims(httpRequest.Headers);
foreach (var claim in clientClaims)
{
if (this.m_configuration?.Security?.BasicAuth?.AllowedClientClaims?.Contains(claim.Type) == false)
{
throw new SecurityException(ApplicationContext.Current.GetLocaleString("SECE001"));
}
else
{
var handler = OpenIzClaimTypes.GetHandler(claim.Type);
if (handler == null ||
handler.Validate(new GenericPrincipal(identities[0], roles), claim.Value))
{
claims.Add(claim);
}
else
{
throw new SecurityException(ApplicationContext.Current.GetLocaleString("SECE002"));
}
}
}
}
// Claim headers built in
if (pipService != null)
{
claims.AddRange(pipService.GetActivePolicies(identities[0]).Where(o => o.Rule == PolicyDecisionOutcomeType.Grant).Select(o => new System.Security.Claims.Claim(OpenIzClaimTypes.OpenIzGrantedPolicyClaim, o.Policy.Oid)));
}
// Finally validate the client
if (this.m_configuration?.Security?.BasicAuth?.RequireClientAuth == true)
{
var clientAuth = httpRequest.Headers[OpenIzConstants.BasicHttpClientCredentialHeaderName];
if (clientAuth == null ||
!clientAuth.StartsWith("basic", StringComparison.InvariantCultureIgnoreCase))
{
throw new SecurityException("Client credentials invalid");
}
else
{
String clientAuthString = clientAuth.Substring(clientAuth.IndexOf("basic", StringComparison.InvariantCultureIgnoreCase) + 5).Trim();
String[] authComps = Encoding.UTF8.GetString(Convert.FromBase64String(clientAuthString)).Split(':');
var applicationPrincipal = ApplicationContext.Current.GetApplicationProviderService().Authenticate(authComps[0], authComps[1]);
claims.Add(new System.Security.Claims.Claim(OpenIzClaimTypes.OpenIzApplicationIdentifierClaim, applicationPrincipal.Identity.Name));
}
}
var principal = new ClaimsPrincipal(new ClaimsIdentity(identities[0], claims));
evaluationContext.Properties["Principal"] = principal;
AuthenticationContext.Current = new AuthenticationContext(principal); // Set Authentication context
return(true);
}
catch (Exception e)
{
this.m_traceSource.TraceEvent(TraceEventType.Error, e.HResult, e.ToString());
return(false);
}
}