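 /// <summary>
 /// Opens <paramref name="authenticator"/> if one was configured, otherwise reports the
 /// missing setting through <c>OnPropertySettingsError</c>.
 /// </summary>
 /// <param name="propertyName">Name of the setting being opened; passed to the error report.</param>
 /// <param name="requiredForForwardDirection">Forwarded unchanged to <c>OnPropertySettingsError</c>.</param>
 /// <param name="authenticator">The authenticator to open; may be null.</param>
 /// <param name="timeout">Budget for the open, turned into a cancellation token via <c>TimeoutHelper</c>.</param>
 /// <returns>
 /// The open operation. Callers should await it: a faulted or cancelled open is only
 /// observable through the task. Callers that still ignore the result get the previous
 /// fire-and-forget behaviour, so the change is backward compatible.
 /// </returns>
 internal Task Open(string propertyName, bool requiredForForwardDirection, SecurityTokenAuthenticator authenticator, TimeSpan timeout)
 {
     if (authenticator == null)
     {
         // Misconfiguration is reported synchronously so it surfaces even to callers that
         // do not await the returned task (OnPropertySettingsError is assumed to throw — confirm).
         OnPropertySettingsError(propertyName, requiredForForwardDirection);
         return Task.CompletedTask;
     }

     TimeoutHelper helper = new TimeoutHelper(timeout);
     // Previously this task was dropped on the floor: an authenticator whose open faulted
     // or was still in flight went unnoticed while the protocol went on to use it.
     // Assumes OpenTokenAuthenticatorIfRequiredAsync returns Task — confirm against SecurityUtils.
     return SecurityUtils.OpenTokenAuthenticatorIfRequiredAsync(authenticator, helper.GetCancellationToken());
 }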
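        /// <summary>
        /// Opens the security protocol: checks the required settings, builds the supporting-token
        /// authenticator lists for the non-initiator side, and validates the replay-detection
        /// configuration. Every authenticator open started here is awaited so that a faulted or
        /// still-pending open fails this call instead of going unobserved.
        /// </summary>
        /// <param name="timeout">Budget shared by all authenticator opens started here.</param>
        public virtual async Task OnOpenAsync(TimeSpan timeout)
        {
            // OnPropertySettingsError is expected to throw for a missing required setting —
            // TODO confirm; if it only reports, the null binding element is dereferenced below.
            if (this.SecurityBindingElement == null)
            {
                this.OnPropertySettingsError("SecurityBindingElement", true);
            }
            if (this.SecurityTokenManager == null)
            {
                this.OnPropertySettingsError("SecurityTokenManager", true);
            }
            this.messageSecurityVersion = this.standardsManager.MessageSecurityVersion;
            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);

            this.expectOutgoingMessages = this.ActAsInitiator || this.SupportsRequestReply;
            this.expectIncomingMessages = !this.ActAsInitiator || this.SupportsRequestReply;
            if (!this.actAsInitiator)
            {
                // Endpoint-level (channel-wide) supporting tokens: required first, then optional.
                AddSupportingTokenAuthenticators(this.securityBindingElement.EndpointSupportingTokenParameters, false, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
                AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalEndpointSupportingTokenParameters, true, (IList <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
                // Operation-scoped supporting tokens, keyed by action.
                foreach (string action in this.securityBindingElement.OperationSupportingTokenParameters.Keys)
                {
                    Collection <SupportingTokenAuthenticatorSpecification> authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>();
                    AddSupportingTokenAuthenticators(this.securityBindingElement.OperationSupportingTokenParameters[action], false, authenticatorSpecList);
                    this.scopedSupportingTokenAuthenticatorSpecification.Add(action, authenticatorSpecList);
                }
                // Optional operation-scoped tokens are appended to the action's existing list when there is one.
                foreach (string action in this.securityBindingElement.OptionalOperationSupportingTokenParameters.Keys)
                {
                    Collection <SupportingTokenAuthenticatorSpecification>  authenticatorSpecList;
                    ICollection <SupportingTokenAuthenticatorSpecification> existingList;
                    if (this.scopedSupportingTokenAuthenticatorSpecification.TryGetValue(action, out existingList))
                    {
                        authenticatorSpecList = ((Collection <SupportingTokenAuthenticatorSpecification>)existingList);
                    }
                    else
                    {
                        authenticatorSpecList = new Collection <SupportingTokenAuthenticatorSpecification>();
                        this.scopedSupportingTokenAuthenticatorSpecification.Add(action, authenticatorSpecList);
                    }
                    this.AddSupportingTokenAuthenticators(this.securityBindingElement.OptionalOperationSupportingTokenParameters[action], true, authenticatorSpecList);
                }
                // validate the token authenticator types and create a merged map if needed.
                // The list is frozen (ReadOnlyCollection) once processed, so a second open
                // skips this whole step and reuses the already-opened authenticators.
                if (!this.channelSupportingTokenAuthenticatorSpecification.IsReadOnly)
                {
                    if (this.channelSupportingTokenAuthenticatorSpecification.Count == 0)
                    {
                        this.channelSupportingTokenAuthenticatorSpecification = EmptyTokenAuthenticators;
                    }
                    else
                    {
                        this.expectSupportingTokens = true;
                        foreach (SupportingTokenAuthenticatorSpecification tokenAuthenticatorSpec in this.channelSupportingTokenAuthenticatorSpecification)
                        {
                            // Awaited: the previous fire-and-forget call left a faulted or unfinished
                            // open unobserved while the authenticator was already in use.
                            await SecurityUtils.OpenTokenAuthenticatorIfRequiredAsync(tokenAuthenticatorSpec.TokenAuthenticator, timeoutHelper.GetCancellationToken());
                            if (tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.Endorsing ||
                                tokenAuthenticatorSpec.SecurityTokenAttachmentMode == SecurityTokenAttachmentMode.SignedEndorsing)
                            {
                                // Symmetric endorsing tokens that require derived keys mean the
                                // receive path has to handle DerivedKeyToken elements.
                                if (tokenAuthenticatorSpec.TokenParameters.RequireDerivedKeys && !tokenAuthenticatorSpec.TokenParameters.HasAsymmetricKey)
                                {
                                    expectKeyDerivation = true;
                                }
                            }
                            SecurityTokenAttachmentMode mode = tokenAuthenticatorSpec.SecurityTokenAttachmentMode;
                            if (mode == SecurityTokenAttachmentMode.SignedEncrypted ||
                                mode == SecurityTokenAttachmentMode.Signed ||
                                mode == SecurityTokenAttachmentMode.SignedEndorsing)
                            {
                                this.expectChannelSignedTokens = true;
                                if (mode == SecurityTokenAttachmentMode.SignedEncrypted)
                                {
                                    this.expectChannelBasicTokens = true;
                                }
                            }
                            if (mode == SecurityTokenAttachmentMode.Endorsing || mode == SecurityTokenAttachmentMode.SignedEndorsing)
                            {
                                this.expectChannelEndorsingTokens = true;
                            }
                        }
                        this.channelSupportingTokenAuthenticatorSpecification =
                            new ReadOnlyCollection <SupportingTokenAuthenticatorSpecification>((Collection <SupportingTokenAuthenticatorSpecification>) this.channelSupportingTokenAuthenticatorSpecification);
                    }
                }
                VerifyTypeUniqueness(this.channelSupportingTokenAuthenticatorSpecification);
                // NOTE(review): this is synchronous and opens the operation-scoped authenticators
                // on its own; those opens are not awaited by anything — see that method.
                MergeSupportingTokenAuthenticators(timeoutHelper.RemainingTime());
            }

            if (this.DetectReplays)
            {
                if (!this.SupportsReplayDetection)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("DetectReplays", SR.Format(SR.SecurityProtocolCannotDoReplayDetection, this));
                }
                // An unbounded window or skew would mean nonces are never evicted.
                if (this.MaxClockSkew == TimeSpan.MaxValue || this.ReplayWindow == TimeSpan.MaxValue)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.NoncesCachedInfinitely));
                }

                // If DetectReplays is true and nonceCache is null then use the default InMemoryNonceCache.
                if (this.nonceCache == null)
                {
                    //TODO below (InMemoryNonceCache) is coming along with WindowsAuth, so uncomment
                    // The nonce needs to be cached for replayWindow + 2*clockSkew to eliminate replays
                    // this.nonceCache = new InMemoryNonceCache(this.ReplayWindow + this.MaxClockSkew + this.MaxClockSkew, this.MaxCachedNonces);
                    // NOTE(review): until that is wired up, DetectReplays == true leaves nonceCache
                    // null and the open still succeeds — i.e. replay detection is requested but
                    // not backed by any cache. Whether the receive path then skips the check or
                    // fails on the null cache is not visible here; confirm, and prefer failing
                    // the open (throw) over silently accepting replayed messages.
                }
            }

            //this.derivedKeyTokenAuthenticator = new NonValidatingSecurityTokenAuthenticator<DerivedKeySecurityToken>();
        }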
        /// <summary>
        /// Builds <c>mergedSupportingTokenAuthenticatorsMap</c>: for every action that has
        /// operation-scoped supporting-token authenticators, an entry holding the channel-wide
        /// authenticators followed by the scoped ones, with the expect-* flags recomputed for
        /// that action. When there are no scoped authenticators at all the map is set to null.
        /// </summary>
        /// <param name="timeout">Budget shared by all authenticator opens started here.</param>
        private void MergeSupportingTokenAuthenticators(TimeSpan timeout)
        {
            if (this.scopedSupportingTokenAuthenticatorSpecification.Count == 0)
            {
                this.mergedSupportingTokenAuthenticatorsMap = null;
                return;
            }

            TimeoutHelper timeoutHelper = new TimeoutHelper(timeout);
            this.expectSupportingTokens = true;
            this.mergedSupportingTokenAuthenticatorsMap = new Dictionary <string, MergedSupportingTokenAuthenticatorSpecification>();

            foreach (string action in this.scopedSupportingTokenAuthenticatorSpecification.Keys)
            {
                ICollection <SupportingTokenAuthenticatorSpecification> scoped = this.scopedSupportingTokenAuthenticatorSpecification[action];
                if (scoped == null || scoped.Count == 0)
                {
                    continue;
                }

                // Start from the channel-wide expectations; scoped tokens can only add to them.
                bool signed    = this.expectChannelSignedTokens;
                bool basic     = this.expectChannelBasicTokens;
                bool endorsing = this.expectChannelEndorsingTokens;

                Collection <SupportingTokenAuthenticatorSpecification> merged = new Collection <SupportingTokenAuthenticatorSpecification>();
                foreach (SupportingTokenAuthenticatorSpecification channelSpec in this.channelSupportingTokenAuthenticatorSpecification)
                {
                    merged.Add(channelSpec);
                }

                foreach (SupportingTokenAuthenticatorSpecification scopedSpec in scoped)
                {
                    // NOTE(review): this open is not awaited (the method is synchronous), so a
                    // faulted or still-pending open goes unobserved while the authenticator is
                    // already published in the merged map. The fix is to return Task from here
                    // and await it from OnOpenAsync; it cannot be done in this method alone.
                    SecurityUtils.OpenTokenAuthenticatorIfRequiredAsync(scopedSpec.TokenAuthenticator, timeoutHelper.GetCancellationToken());
                    merged.Add(scopedSpec);

                    SecurityTokenAttachmentMode mode = scopedSpec.SecurityTokenAttachmentMode;
                    bool isEndorsing = mode == SecurityTokenAttachmentMode.Endorsing
                                    || mode == SecurityTokenAttachmentMode.SignedEndorsing;

                    // Symmetric endorsing tokens with derived keys mean DerivedKeyToken elements are expected.
                    if (isEndorsing
                        && scopedSpec.TokenParameters.RequireDerivedKeys
                        && !scopedSpec.TokenParameters.HasAsymmetricKey)
                    {
                        this.expectKeyDerivation = true;
                    }

                    switch (mode)
                    {
                        case SecurityTokenAttachmentMode.SignedEncrypted:
                            signed = true;
                            basic  = true;
                            break;
                        case SecurityTokenAttachmentMode.Signed:
                            signed = true;
                            break;
                        case SecurityTokenAttachmentMode.SignedEndorsing:
                            signed    = true;
                            endorsing = true;
                            break;
                        case SecurityTokenAttachmentMode.Endorsing:
                            endorsing = true;
                            break;
                    }
                }

                VerifyTypeUniqueness(merged);
                this.mergedSupportingTokenAuthenticatorsMap.Add(action, new MergedSupportingTokenAuthenticatorSpecification
                {
                    SupportingTokenAuthenticators = merged,
                    ExpectBasicTokens             = basic,
                    ExpectEndorsingTokens         = endorsing,
                    ExpectSignedTokens            = signed,
                });
            }
        }