public async Task ShouldGetTokenWithUserName(GetTokenWithUserNameData data)
{
var request = new WsTrustRequest(WsTrustActions.Trust13.Issue)
{
KeyType = WsTrustKeyTypes.Trust13.Bearer,
AppliesTo = new AppliesTo(new EndpointReference("urn:tests"))
};
var client = _fixture.CreateWsTrust13UserNameClient(data.UserName, data.Password);
var exception = null as Exception;
var token = null as SecurityToken;
try
{
var response = await client.IssueAsync(request);
token = response.GetRequestedSecurityToken();
}
catch (Exception ex)
{
exception = ex;
}
if (data.ShouldFail)
{
Assert.NotNull(exception);
Assert.IsType <MessageSecurityException>(exception);
}
else
{
Assert.NotNull(token);
}
}
public async Task ShouldNotValidateAlteredSignedToken(string base64)
{
using (var certificate = new X509Certificate2(Convert.FromBase64String(base64)))
{
var request = new WsTrustRequest(WsTrustActions.Trust13.Issue)
{
KeyType = WsTrustKeyTypes.Trust13.Bearer,
AppliesTo = new AppliesTo(new EndpointReference("urn:tests"))
};
var settings = new XmlWriterSettings {
Indent = true
};
var client = _fixture.CreateWsTrust13CertificateClient(certificate, settings);
var exception = null as Exception;
try
{
_ = await client.IssueAsync(request);
}
catch (Exception ex)
{
exception = ex;
}
Assert.NotNull(exception);
Assert.IsType <MessageSecurityException>(exception);
}
}
protected virtual async ValueTask <SecurityKey> CreateProofKeyAsync(WsTrustRequest request, Scope scope, WsTrustSecurityTokenDescriptor descriptor, CancellationToken cancellationToken)
{
var keyType = request.KeyType;
// asymmetric and psha1
// not supported at this moment
if (keyType == Constants.WsTrustKeyTypes.PublicKey || keyType == Constants.WsTrustKeyTypes.PSHA1)
{
throw new NotSupportedException($"Key type '{keyType}' not supported at this time.");
}
if (keyType == Constants.WsTrustKeyTypes.Bearer)
{
return(null);
}
// symmetric
if (request.ComputedKeyAlgorithm != null && request.ComputedKeyAlgorithm != "http://schemas.microsoft.com/idfx/computedkeyalgorithm/psha1")
{
throw new NotSupportedException($"Computed key algortihm '{request.ComputedKeyAlgorithm}' not supported at this time.");
}
if (descriptor.ProofKeyEncryptingCredentials == null && scope.RelyingParty.RequiresEncryptedSymmetricKeys)
{
throw new InvalidOperationException("Cannot created proof token with no encrypting credentials.");
}
if (scope.EncryptingCredentials == null && scope.RelyingParty.RequiresEncryptedToken)
{
throw new InvalidOperationException("Missing encrypting credentials.");
}
return(await CreateSymmetricProofKeyAsync(request.KeySizeInBits.Value));
}
public async Task WsTrustRequestGenericCloudUrnTest()
{
WsTrustAddress address = new WsTrustAddress()
{
Uri = new Uri("https://some/address/usernamemixed"),
Version = WsTrustVersion.WsTrust13
};
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(File.ReadAllText("WsTrustResponse.xml"))
}
});
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(File.ReadAllText("WsTrustResponse.xml"))
}
});
WsTrustResponse wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserPasswordCredential(TestConstants.DefaultDisplayableId, TestConstants.DefaultPassword), null, TestConstants.CloudAudienceUrn);
Assert.IsNotNull(wstResponse.Token);
wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, TestConstants.CloudAudienceUrn);
Assert.IsNotNull(wstResponse.Token);
}
public async Task <WsTrustResponse> ValidateAsync(WsTrustRequest request)
{
var requestMessage = CreateMessage(request, _constants.WsTrustActions.ValidateRequest);
var responseMessage = await ValidateAsync(requestMessage);
return(ReadResponse(responseMessage));
}
/// <summary>
/// Creates a <see cref="WsTrustRequest"/> from the <see cref="WSTrustTokenParameters"/>
/// </summary>
/// <returns></returns>
protected virtual WsTrustRequest CreateWsTrustRequest()
{
EndpointAddress target = SecurityTokenRequirement.GetProperty <EndpointAddress>(TargetAddressProperty);
int keySize;
string keyType;
switch (WSTrustTokenParameters.KeyType)
{
case SecurityKeyType.AsymmetricKey:
keySize = DefaultPublicKeySize;
keyType = _requestSerializationContext.TrustKeyTypes.PublicKey;
break;
case SecurityKeyType.SymmetricKey:
keySize = _securityAlgorithmSuite.DefaultSymmetricKeyLength;
keyType = _requestSerializationContext.TrustKeyTypes.Symmetric;
break;
case SecurityKeyType.BearerKey:
keySize = 0;
keyType = _requestSerializationContext.TrustKeyTypes.Bearer;
break;
default:
throw DiagnosticUtility.ExceptionUtility.ThrowHelper(new NotSupportedException(LogHelper.FormatInvariant("KeyType is not supported: {0}", WSTrustTokenParameters.KeyType)), System.Diagnostics.Tracing.EventLevel.Error);
}
Entropy entropy = null;
if (WSTrustTokenParameters.KeyType != SecurityKeyType.BearerKey &&
(KeyEntropyMode == SecurityKeyEntropyMode.ClientEntropy || KeyEntropyMode == SecurityKeyEntropyMode.CombinedEntropy))
{
byte[] entropyBytes = new byte[keySize / 8];
Psha1KeyGenerator.FillRandomBytes(entropyBytes);
entropy = new Entropy(new BinarySecret(entropyBytes));
}
var trustRequest = new WsTrustRequest(_requestSerializationContext.TrustActions.Issue)
{
AppliesTo = new AppliesTo(new EndpointReference(target.Uri.OriginalString)),
Context = RequestContext,
KeySizeInBits = keySize,
KeyType = keyType,
WsTrustVersion = _requestSerializationContext.TrustVersion
};
if (SecurityTokenRequirement.TokenType != null)
{
trustRequest.TokenType = SecurityTokenRequirement.TokenType;
}
if (entropy != null)
{
trustRequest.Entropy = entropy;
trustRequest.ComputedKeyAlgorithm = _requestSerializationContext.TrustKeyTypes.PSHA1;
}
return(trustRequest);
}
internal override async Task PreTokenRequest()
{
await base.PreTokenRequest().ConfigureAwait(false);
if (this.PerformUserRealmDiscovery())
{
UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(this.Authenticator.UserRealmUri, this.userCredential.UserName, this.CallState).ConfigureAwait(false);
PlatformPlugin.Logger.Information(this.CallState, string.Format("User with hash '{0}' detected as '{1}'", PlatformPlugin.CryptographyHelper.CreateSha256Hash(this.userCredential.UserName), userRealmResponse.AccountType));
if (string.Compare(userRealmResponse.AccountType, "federated", StringComparison.OrdinalIgnoreCase) == 0)
{
if (string.IsNullOrWhiteSpace(userRealmResponse.FederationMetadataUrl))
{
throw new MsalException(MsalError.MissingFederationMetadataUrl);
}
WsTrustAddress wsTrustAddress = await MexParser.FetchWsTrustAddressFromMexAsync(userRealmResponse.FederationMetadataUrl, this.userCredential.UserAuthType, this.CallState).ConfigureAwait(false);
PlatformPlugin.Logger.Information(this.CallState, string.Format("WS-Trust endpoint '{0}' fetched from MEX at '{1}'", wsTrustAddress.Uri, userRealmResponse.FederationMetadataUrl));
WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, this.userCredential, this.CallState).ConfigureAwait(false);
PlatformPlugin.Logger.Information(this.CallState, string.Format("Token of type '{0}' acquired from WS-Trust endpoint", wsTrustResponse.TokenType));
// We assume that if the response token type is not SAML 1.1, it is SAML 2
this.userAssertion = new UserAssertion(wsTrustResponse.Token, (wsTrustResponse.TokenType == WsTrustResponse.Saml1Assertion) ? OAuthGrantType.Saml11Bearer : OAuthGrantType.Saml20Bearer, this.userCredential.UserName);
}
else
{
throw new MsalException(MsalError.UnsupportedUserType);
}
}
}
public async Task CloudAudienceUrnNullTest()
{
AuthenticationContext context = new AuthenticationContext(TestConstants.DefaultAuthorityCommonTenant);
await context.Authenticator.UpdateFromTemplateAsync(null);
UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, TestConstants.DefaultDisplayableId, null);
WsTrustAddress address = new WsTrustAddress()
{
Uri = new Uri("https://some/address/usernamemixed"),
Version = WsTrustVersion.WsTrust13
};
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(File.ReadAllText("WsTrustResponse.xml"))
}
});
WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, null);
VerifyCloudInstanceUrnResponse(userRealmResponse.CloudAudienceUrn, "urn:federation:MicrosoftOnline");
}
/// <summary>
/// Makes a WSTrust call to the STS to obtain a <see cref="SecurityToken"/> first checking if the token is available in the cache.
/// </summary>
/// <returns>A <see cref="GenericXmlSecurityToken"/>.</returns>
protected override SecurityToken GetTokenCore(TimeSpan timeout)
{
_communicationObject.ThrowIfClosedOrNotOpen();
WsTrustRequest request = CreateWsTrustRequest();
WsTrustResponse trustResponse = GetCachedResponse(request);
if (trustResponse is null)
{
using (var memeoryStream = new MemoryStream())
{
var writer = XmlDictionaryWriter.CreateTextWriter(memeoryStream, Encoding.UTF8);
var serializer = new WsTrustSerializer();
serializer.WriteRequest(writer, _requestSerializationContext.TrustVersion, request);
writer.Flush();
var reader = XmlDictionaryReader.CreateTextReader(memeoryStream.ToArray(), XmlDictionaryReaderQuotas.Max);
IRequestChannel channel = ChannelFactory.CreateChannel();
try
{
channel.Open();
Message reply = channel.Request(Message.CreateMessage(MessageVersion.Soap12WSAddressing10, _requestSerializationContext.TrustActions.IssueRequest, reader));
SecurityUtils.ThrowIfNegotiationFault(reply, channel.RemoteAddress);
trustResponse = serializer.ReadResponse(reply.GetReaderAtBodyContents());
CacheSecurityTokenResponse(request, trustResponse);
}
finally
{
channel.Close();
}
}
}
return(WSTrustUtilities.CreateGenericXmlSecurityToken(request, trustResponse, _requestSerializationContext, _securityAlgorithmSuite));
}
public WsTrustRequestBodyWriter(WsTrustVersion version, WsTrustSerializer serializer, WsTrustRequest request)
: base(true)
{
_version = version;
_request = request;
_serializer = serializer;
}
/// <summary>
/// Gets the <see cref="WsSerializationContext"/> to use when serializing the <see cref="WsTrustRequest"/>.
/// </summary>
/// <param name="trustRequest">The <see cref="WsTrustRequest"/> that will be serialized.
/// <returns>The <see cref="WsSerializationContext"/> for the <see cref="WsTrustRequest"/>.</returns>
private WsSerializationContext GetSerializationContext(WsTrustRequest trustRequest)
{
_ = trustRequest ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(trustRequest));
if (trustRequest.WsTrustVersion == WsTrustVersion.TrustFeb2005)
{
if (_wsSerializationContextTrustFeb2005 == null)
{
_wsSerializationContextTrustFeb2005 = new WsSerializationContext(trustRequest.WsTrustVersion);
}
return(_wsSerializationContextTrustFeb2005);
}
else if (trustRequest.WsTrustVersion == WsTrustVersion.Trust13)
{
if (_wsSerializationContextTrust1_3 == null)
{
_wsSerializationContextTrust1_3 = new WsSerializationContext(trustRequest.WsTrustVersion);
}
return(_wsSerializationContextTrust1_3);
}
else if (trustRequest.WsTrustVersion == WsTrustVersion.Trust14)
{
if (_wsSerializationContextTrust1_4 == null)
{
_wsSerializationContextTrust1_4 = new WsSerializationContext(trustRequest.WsTrustVersion);
}
return(_wsSerializationContextTrust1_4);
}
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetResourceString(SR.WsTrustVersionNotSupported, trustRequest.WsTrustVersion.ToString())));
}
/// <summary>
/// Creates a <see cref="Message"/> that represents a the <see cref="WsTrustRequest"/>.
/// </summary>
/// <param name="trustRequest">The <see cref="WsTrustRequest"/> to serialize into the message.</param>
/// <returns>The <see cref="Message" /> that represents the <see cref="WsTrustRequest"/>.</returns>
protected virtual Message CreateRequest(WsTrustRequest trustRequest)
{
_ = trustRequest ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(trustRequest));
return(Message.CreateMessage(MessageVersion,
GetRequestAction(trustRequest),
new WSTrustRequestBodyWriter(trustRequest, TrustSerializer)));
}
/// <summary>
/// Makes a WSTrust call to the STS to obtain a <see cref="SecurityToken"/> first checking if the token is available in the cache.
/// </summary>
/// <returns>A <see cref="GenericXmlSecurityToken"/>.</returns>
protected override SecurityToken GetTokenCore(TimeSpan timeout)
{
WsTrustRequest request = CreateWsTrustRequest();
WsTrustResponse trustResponse = GetCachedResponse(request);
if (trustResponse is null)
{
using (var memeoryStream = new MemoryStream())
{
var writer = XmlDictionaryWriter.CreateTextWriter(memeoryStream, Encoding.UTF8);
var serializer = new WsTrustSerializer();
serializer.WriteRequest(writer, _requestSerializationContext.TrustVersion, request);
writer.Flush();
var reader = XmlDictionaryReader.CreateTextReader(memeoryStream.ToArray(), XmlDictionaryReaderQuotas.Max);
IRequestChannel channel = ChannelFactory.CreateChannel();
Message reply = channel.Request(Message.CreateMessage(MessageVersion.Soap12WSAddressing10, _requestSerializationContext.TrustActions.IssueRequest, reader));
SecurityUtils.ThrowIfNegotiationFault(reply, channel.RemoteAddress);
trustResponse = serializer.ReadResponse(reply.GetReaderAtBodyContents());
CacheSecurityTokenResponse(request, trustResponse);
}
}
// Create GenericXmlSecurityToken
// Assumes that token is first and Saml2SecurityToken.
using (var stream = new MemoryStream())
{
RequestSecurityTokenResponse response = trustResponse.RequestSecurityTokenResponseCollection[0];
// Get attached and unattached references
GenericXmlSecurityKeyIdentifierClause internalSecurityKeyIdentifierClause = null;
if (response.AttachedReference != null)
{
internalSecurityKeyIdentifierClause = GetSecurityKeyIdentifierForTokenReference(response.AttachedReference);
}
GenericXmlSecurityKeyIdentifierClause externalSecurityKeyIdentifierClause = null;
if (response.UnattachedReference != null)
{
externalSecurityKeyIdentifierClause = GetSecurityKeyIdentifierForTokenReference(response.UnattachedReference);
}
// Get proof token
IdentityModel.Tokens.SecurityToken proofToken = GetProofToken(request, response);
// Get lifetime
DateTime created = response.Lifetime?.Created ?? DateTime.UtcNow;
DateTime expires = response.Lifetime?.Expires ?? created.AddDays(1);
return(new GenericXmlSecurityToken(response.RequestedSecurityToken.TokenElement,
proofToken,
created,
expires,
internalSecurityKeyIdentifierClause,
externalSecurityKeyIdentifierClause,
null));
}
}
static async Task Main(string[] args)
{
IdentityModelEventSource.ShowPII = true;
await Task.Delay(5000);
var claims = new[]
{
new Claim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString()),
new Claim(ClaimTypes.Name, "username")
};
var identity = new ClaimsIdentity(claims, "Sample");
var handler = new Saml2SecurityTokenHandler();
var parameters = CreateRsaParameters();
using var rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(parameters);
var descriptor = new SecurityTokenDescriptor
{
Issuer = "urn:sample.identityprovider",
Audience = "urn:sample.issuer",
IssuedAt = DateTime.UtcNow,
NotBefore = DateTime.UtcNow.AddMinutes(-5),
Expires = DateTime.UtcNow.AddHours(2),
Subject = identity,
SigningCredentials = SignatureMethod.RsaSha256.CreateCredentials(new RsaSecurityKey(rsa))
};
var token = handler.CreateToken(descriptor);
var binding = new WsTrustIssuedTokenBinding();
var endpoint = new EndpointAddress("https://localhost:5001/trust/13");
var factory = new WsTrustChannelFactory(binding, endpoint);
factory.SecurityTokenHandlers.Add(handler);
for (var i = 0; i < iterations; i++)
{
var channel = factory.CreateChannelWithIssuedToken(token);
var request = new WsTrustRequest(WsTrustConstants.Trust13.WsTrustActions.Issue)
{
KeyType = WsTrustKeyTypes.Trust13.Bearer,
AppliesTo = new AppliesTo(new EndpointReference("urn:sample:relyingparty"))
};
var response = await channel.IssueAsync(request);
var requestedToken = response.GetRequestedSecurityToken() as GenericXmlSecurityToken;
var assertion = requestedToken.Element.OuterXml;
Console.WriteLine(assertion);
}
Console.ReadKey();
}
private void CacheSecurityTokenResponse(WsTrustRequest request, WsTrustResponse response)
{
if (WSTrustTokenParameters.CacheIssuedTokens)
{
// If cached responses are stored in a shared cache in the future, that cache should be written
// to here, possibly including serializing the WsTrustResponse if the cache stores byte[] (as
// IDistributedCache does).
CachedResponse = response;
}
}
public async Task WsTrustRequestTest()
{
var federatedSts = SetupStsService(StsType.AADFederatedWithADFS3);
AuthenticationContext context = new AuthenticationContext(federatedSts.Authority, federatedSts.ValidateAuthority);
await context.Authenticator.UpdateFromTemplateAsync(null);
UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, federatedSts.ValidUserName, null);
XDocument mexDocument = await FecthMexAsync(userRealmResponse.FederationMetadataUrl);
Verify.IsNotNull(mexDocument);
WsTrustAddress wsTrustAddress = MexParser.ExtractWsTrustAddressFromMex(mexDocument, UserAuthType.UsernamePassword, null);
Verify.IsNotNull(wsTrustAddress);
WsTrustResponse wstResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, new UserCredential(federatedSts.ValidUserName, federatedSts.ValidPassword), null);
Verify.IsNotNull(wstResponse.Token);
Verify.IsTrue(wstResponse.TokenType.Contains("SAML"));
SecureString securePassword = new SecureString();
foreach (var ch in federatedSts.ValidPassword)
{
securePassword.AppendChar(ch);
}
wstResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, new UserCredential(federatedSts.ValidUserName, securePassword), null);
Verify.IsNotNull(wstResponse.Token);
Verify.IsTrue(wstResponse.TokenType.Contains("SAML"));
try
{
await WsTrustRequest.SendRequestAsync(new WsTrustAddress { Uri = new Uri(wsTrustAddress.Uri.AbsoluteUri + "x") },
new UserCredential(federatedSts.ValidUserName, federatedSts.ValidPassword), null);
}
catch (AdalException ex)
{
Verify.IsNotNull(ex.ErrorCode, AdalError.FederatedServiceReturnedError);
Verify.IsNotNull(ex.InnerException);
}
try
{
await WsTrustRequest.SendRequestAsync(new WsTrustAddress { Uri = new Uri(wsTrustAddress.Uri.AbsoluteUri) }, new UserCredential(federatedSts.ValidUserName, "InvalidPassword"), null);
}
catch (AdalException ex)
{
Verify.IsNotNull(ex.ErrorCode, AdalError.FederatedServiceReturnedError);
Verify.IsNotNull(ex.InnerException);
}
}
public async Task ShouldValidateIssuerAsAudience()
{
var request = new WsTrustRequest(WsTrustActions.Trust13.Issue)
{
KeyType = WsTrustKeyTypes.Trust13.Bearer,
AppliesTo = new AppliesTo(new EndpointReference("urn:tests"))
};
var client = _fixture.CreateWsTrust13IssuedTokenClient("userName", appliesTo: WsTrustTestsFixture.Issuer);
var token = await client.IssueAsync(request);
Assert.NotNull(token);
}
public void WsTrustRequestXmlFormatTest()
{
UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'");
StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto",
new WsTrustAddress {
Uri = new Uri("some://resource")
}, cred);
// Expecting XML to be valid
XmlDocument doc = new XmlDocument();
doc.LoadXml("<?xml version=\"1.0\"?>" + sb.ToString());
}
public void WsTrustRequestXmlFormatTest()
{
// Arrange
UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'");
// Act
StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto",
new WsTrustAddress {
Uri = new Uri("some://resource")
}, cred);
// Assert
XmlReaderSettings readerSettings = new XmlReaderSettings();
readerSettings.XmlResolver = null;
readerSettings.IgnoreWhitespace = true;
readerSettings.ConformanceLevel = ConformanceLevel.Fragment;
readerSettings.DtdProcessing = DtdProcessing.Ignore;
// Load the fragment, validating it against the XSDs
List <string> validationIssues = new List <string>();
readerSettings.ValidationFlags = XmlSchemaValidationFlags.ReportValidationWarnings;
readerSettings.ValidationType = ValidationType.Schema;
readerSettings.Schemas = CreateWsTrustEnvelopeSchemaSet();
readerSettings.ValidationEventHandler += (s, e) =>
{
validationIssues.Add(e.Severity + " " + e.Message);
};
XmlDocument document = new XmlDocument();
using (var xmlReader = XmlTextReader.Create(new StringReader(sb.ToString()), readerSettings))
{
document.Load(xmlReader);
}
Debug.WriteLine("All validation issues:");
Debug.WriteLine(string.Join("\r\n", validationIssues.ToArray()));
// Filter out "expected" schema-validation messages.
// The real ws-trust XML namespace is http://docs.oasis-open.org/ws-sx/ws-trust/200512/ i.e. with a trailing slash. However, we use
// the namespace without a trailing slash as this is what the server expects, so we expect validation messages about missing elements
const string invalidTrustNamespaceMessageContent = "Could not find schema information for the element 'http://docs.oasis-open.org/ws-sx/ws-trust/200512:";
List <string> unexpectedValidationIssues = validationIssues.Where(i => !i.Contains(invalidTrustNamespaceMessageContent)).ToList();
Assert.AreEqual(0, unexpectedValidationIssues.Count, "Not expecting any XML schema validation errors. See the test output for the validation errors.");
}
private WsTrustResponse GetCachedResponse(WsTrustRequest request)
{
if (WSTrustTokenParameters.CacheIssuedTokens && CachedResponse != null)
{
// If cached responses are read from shared caches in the future, then that cache should be read here
// and, if necessary, translated (perhaps via deserialization) into a WsTrustResponse.
if (!IsWsTrustResponseExpired(CachedResponse))
{
return(CachedResponse);
}
}
return(null);
}
public async Task ShouldValidateRequestUrlAsAudience()
{
var request = new WsTrustRequest(WsTrustActions.Trust13.Issue)
{
KeyType = WsTrustKeyTypes.Trust13.Bearer,
AppliesTo = new AppliesTo(new EndpointReference("urn:tests"))
};
var client = _fixture.CreateWsTrust13IssuedTokenClient("userName", appliesTo: $"{_fixture.TestingServer.BaseAddress}trust/13");
var response = await client.IssueAsync(request);
var token = response.GetRequestedSecurityToken();
Assert.NotNull(token);
}
public async Task ShouldValidateTokenWithEmbeddedCertificate(string clientTokenType)
{
var request = new WsTrustRequest(WsTrustActions.Trust13.Issue)
{
KeyType = WsTrustKeyTypes.Trust13.Bearer,
AppliesTo = new AppliesTo(new EndpointReference("urn:tests"))
};
var client = _fixture.CreateWsTrust13IssuedTokenClient("userName", issuer: "urn:test:issuer:embedded_cert", clientTokenType: clientTokenType);
var response = await client.IssueAsync(request);
var token = response.GetRequestedSecurityToken();
Assert.NotNull(token);
}
public async Task CloudAudienceUrnTest()
{
AuthenticationContext context = new AuthenticationContext(TestConstants.DefaultAuthorityCommonTenant);
await context.Authenticator.UpdateFromTemplateAsync(null);
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(TestConstants.GetUserRealmEndpoint(TestConstants.DefaultAuthorityCommonTenant) + "/"
+ TestConstants.DefaultDisplayableId)
{
Method = HttpMethod.Get,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent("{\"ver\":\"1.0\",\"account_type\":\"Federated\",\"domain_name\":\"microsoft.com\"," +
"\"federation_protocol\":\"WSTrust\",\"federation_metadata_url\":" +
"\"https://msft.sts.microsoft.com/adfs/services/trust/mex\"," +
"\"federation_active_auth_url\":\"https://msft.sts.microsoft.com/adfs/services/trust/2005/usernamemixed\"" +
",\"cloud_audience_urn\":\"urn:federation:Blackforest\"" +
",\"cloud_instance_name\":\"login.microsoftonline.com\"}")
},
QueryParams = new Dictionary <string, string>()
{
{ "api-version", "1.0" }
}
});
UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(context.Authenticator.UserRealmUri, TestConstants.DefaultDisplayableId,
CallState.Default);
WsTrustAddress address = new WsTrustAddress()
{
Uri = new Uri("https://some/address/usernamemixed"),
Version = WsTrustVersion.WsTrust13
};
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler("https://some/address/usernamemixed")
{
Method = HttpMethod.Post,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(File.ReadAllText("WsTrustResponse13.xml"))
}
});
WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, userRealmResponse.CloudAudienceUrn);
VerifyCloudInstanceUrnResponse("urn:federation:Blackforest", userRealmResponse.CloudAudienceUrn);
// All mocks are consumed
Assert.AreEqual(0, HttpMessageHandlerFactory.MockHandlersCount());
}
protected override async Task PreTokenRequestAsync()
{
await base.PreTokenRequestAsync().ConfigureAwait(false);
if (this.PerformUserRealmDiscovery())
{
UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(this.Authenticator.UserRealmUri, this.userCredential.UserName, this.CallState).ConfigureAwait(false);
CallState.Logger.InformationPii(CallState, string.Format(CultureInfo.CurrentCulture,
" User with user name '{0}' detected as '{1}'", userCredential.UserName,
userRealmResponse.AccountType));
if (string.Compare(userRealmResponse.AccountType, "federated", StringComparison.OrdinalIgnoreCase) == 0)
{
if (string.IsNullOrWhiteSpace(userRealmResponse.FederationMetadataUrl))
{
throw new AdalException(AdalError.MissingFederationMetadataUrl);
}
WsTrustAddress wsTrustAddress = await MexParser.FetchWsTrustAddressFromMexAsync(userRealmResponse.FederationMetadataUrl, this.userCredential.UserAuthType, this.CallState).ConfigureAwait(false);
CallState.Logger.InformationPii(CallState,
string.Format(CultureInfo.CurrentCulture, " WS-Trust endpoint '{0}' fetched from MEX at '{1}'",
wsTrustAddress.Uri, userRealmResponse.FederationMetadataUrl));
WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, this.userCredential, this.CallState, userRealmResponse.CloudAudienceUrn).ConfigureAwait(false);
var msg = string.Format(CultureInfo.CurrentCulture,
" Token of type '{0}' acquired from WS-Trust endpoint", wsTrustResponse.TokenType);
CallState.Logger.Information(this.CallState, msg);
CallState.Logger.InformationPii(this.CallState, msg);
// We assume that if the response token type is not SAML 1.1, it is SAML 2
this.userAssertion = new UserAssertion(wsTrustResponse.Token, (wsTrustResponse.TokenType == WsTrustResponse.Saml1Assertion) ? OAuthGrantType.Saml11Bearer : OAuthGrantType.Saml20Bearer);
}
else if (string.Compare(userRealmResponse.AccountType, "managed", StringComparison.OrdinalIgnoreCase) == 0)
{
// handle password grant flow for the managed user
if (this.userCredential.PasswordToCharArray() == null)
{
throw new AdalException(AdalError.PasswordRequiredForManagedUserError);
}
}
else
{
throw new AdalException(AdalError.UnknownUserType);
}
}
}
public async Task ShouldGetToken(GetTokenData data)
{
var request = new WsTrustRequest(WsTrustActions.Trust13.Issue)
{
KeyType = WsTrustKeyTypes.Trust13.Bearer,
AppliesTo = new AppliesTo(new EndpointReference("urn:tests")),
TokenType = data.TokenTypeIdentifier
};
var client = _fixture.CreateWsTrust13IssuedTokenClient("userName");
var response = await client.IssueAsync(request);
var token = response.GetRequestedSecurityToken();
Assert.NotNull(token);
data.AssertToken(_fixture, token);
}
public async Task WsTrustRequestXmlFormatTest()
{
UserCredential cred = new UserCredential("user", "pass&<>\"'");
StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto", new WsTrustAddress {
Uri = new Uri("resource")
}, cred);
try
{
XmlDocument doc = new XmlDocument();
doc.LoadXml("<?xml version=\"1.0\"?>" + sb.ToString());
}
catch (Exception ex)
{
Verify.Fail("Not expected");
}
}
public void WsTrustRequestXmlFormatTest()
{
// Arrange
UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'");
// Act
StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto",
new WsTrustAddress {
Uri = new Uri("some://resource")
}, cred);
// Assert
XmlReaderSettings readerSettings = new XmlReaderSettings();
readerSettings.XmlResolver = null;
readerSettings.IgnoreWhitespace = true;
readerSettings.ConformanceLevel = ConformanceLevel.Fragment;
readerSettings.DtdProcessing = DtdProcessing.Ignore;
// Load the fragment, validating it against the XSDs
List <string> validationIssues = new List <string>();
readerSettings.ValidationFlags = XmlSchemaValidationFlags.ReportValidationWarnings;
readerSettings.ValidationType = ValidationType.Schema;
readerSettings.Schemas = CreateWsTrustEnvelopeSchemaSet();
readerSettings.ValidationEventHandler += (s, e) =>
{
validationIssues.Add(e.Severity + " " + e.Message);
};
XmlDocument document = new XmlDocument();
using (var xmlReader = XmlTextReader.Create(new StringReader(sb.ToString()), readerSettings))
{
document.Load(xmlReader);
}
Debug.WriteLine("Validation issues:");
Debug.WriteLine(string.Join("\r\n", validationIssues.ToArray()));
Assert.AreEqual(0, validationIssues.Count, "Not expecting any XML schema validation errors. See the test output for the validation errors.");
}
/// <summary>
/// Gets the WS-Addressing SOAP action that corresponds to the <see cref="WsTrustRequest"/>.RequestType and <see cref="WsTrustRequest"/>.WsTrustVersion.
/// </summary>
/// <param name="trustRequest">The <see cref="WsTrustRequest"/> to generate the WS-Addressing action.
/// <returns>The WS-Addressing action to use.</returns>
public static string GetRequestAction(WsTrustRequest trustRequest)
{
_ = trustRequest ?? throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(trustRequest));
WsTrustActions wsTrustActions;
if (trustRequest.WsTrustVersion == WsTrustVersion.Trust13)
{
wsTrustActions = WsTrustActions.Trust13;
}
else if (trustRequest.WsTrustVersion == WsTrustVersion.TrustFeb2005)
{
wsTrustActions = WsTrustActions.TrustFeb2005;
}
else if (trustRequest.WsTrustVersion == WsTrustVersion.Trust14)
{
wsTrustActions = WsTrustActions.Trust14;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetResourceString(SR.WsTrustVersionNotSupported, trustRequest.WsTrustVersion.ToString())));
}
if (trustRequest.RequestType.Equals(wsTrustActions.Issue))
{
return(wsTrustActions.IssueRequest);
}
else if (trustRequest.RequestType.Equals(wsTrustActions.Cancel))
{
return(wsTrustActions.CancelRequest);
}
else if (trustRequest.RequestType.Equals(wsTrustActions.Renew))
{
return(wsTrustActions.RenewRequest);
}
else if (trustRequest.RequestType.Equals(wsTrustActions.Validate))
{
return(wsTrustActions.ValidateRequest);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetResourceString(SR.RequestTypeNotSupported, trustRequest.RequestType)));
}
}
public async Task WsTrustRequestXmlFormatTest()
{
await Task.Factory.StartNew(() =>
{
UserCredential cred = new UserPasswordCredential("user", "pass&<>\"'");
StringBuilder sb = WsTrustRequest.BuildMessage("https://appliesto",
new WsTrustAddress {
Uri = new Uri("some://resource")
}, cred);
try
{
XmlDocument doc = new XmlDocument();
doc.LoadXml("<?xml version=\"1.0\"?>" + sb.ToString());
}
catch (Exception ex)
{
Assert.Fail("Not expected -- " + ex.Message);
}
});
}
public async Task WsTrustRequestGenericCloudUrnTestAsync()
{
HttpMessageHandlerFactory.InitializeMockProvider();
string URI = "https://some/address/usernamemixed";
WsTrustAddress address = new WsTrustAddress()
{
Uri = new Uri(URI),
Version = WsTrustVersion.WsTrust13
};
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(URI)
{
Method = HttpMethod.Post,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(File.ReadAllText("WsTrustResponse13.xml"))
}
});
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler(URI)
{
Method = HttpMethod.Post,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(File.ReadAllText("WsTrustResponse13.xml"))
}
});
WsTrustResponse wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserPasswordCredential(TestConstants.DefaultDisplayableId, TestConstants.DefaultPassword), null, TestConstants.CloudAudienceUrn).ConfigureAwait(false);
Assert.IsNotNull(wstResponse.Token);
wstResponse = await WsTrustRequest.SendRequestAsync(address, new UserCredential(TestConstants.DefaultDisplayableId), null, TestConstants.CloudAudienceUrn).ConfigureAwait(false);
Assert.IsNotNull(wstResponse.Token);
// All mocks are consumed
Assert.AreEqual(0, HttpMessageHandlerFactory.MockHandlersCount());
}
