public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List<Claim>();
// email address
string email = Membership.FindUsersByName(userName)[userName].Email;
if (!String.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
// roles
GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
if (ProfileManager.Enabled)
{
var profile = ProfileBase.Create(userName, true);
if (profile != null)
{
foreach (SettingsProperty prop in ProfileBase.Properties)
{
string value = profile.GetPropertyValue(prop.Name).ToString();
if (!String.IsNullOrWhiteSpace(value))
{
claims.Add(new Claim(ProfileClaimPrefix + prop.Name.ToLowerInvariant(), value));
}
}
}
}
return claims;
}
public static List<Claim> GetOutputClaims(IClaimsPrincipal principal, RequestDetails requestDetails, IUserRepository userRepository)
{
var name = principal.FindClaims(ClaimTypes.Name).First().Value;
var nameId = new Claim(ClaimTypes.NameIdentifier, name);
var userClaims = new List<Claim>
{
new Claim(ClaimTypes.Name, name),
nameId,
new Claim(ClaimTypes.AuthenticationMethod, principal.FindClaims(ClaimTypes.AuthenticationMethod).First().Value),
AuthenticationInstantClaim.Now
};
userClaims.AddRange(userRepository.GetClaims(principal, requestDetails));
return userClaims;
}
public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List<Claim>();
// email address
var email = "*****@*****.**";
if (!string.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
// roles
GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
claims.Add(new Claim(ProfileClaimPrefix + "fullname", "Michael Noonan"));
return claims;
}
protected virtual void ValidateSsl(RequestDetails details)
{
// check if SSL is used (for passive only)
if (_configuration.RequireSsl && !details.UsesSsl)
{
if (!details.IsActive)
{
Tracing.Tracing.Error("Configuration requires SSL - but clear text reply address used");
throw new InvalidRequestException("SSL is required");
}
}
}
private void ValidateTokenType(RequestDetails details)
{
if (details.TokenType == SimpleWebToken.OasisTokenProfile)
{
if (details.RelyingPartyRegistration == null ||
details.RelyingPartyRegistration.SymmetricSigningKey == null ||
details.RelyingPartyRegistration.SymmetricSigningKey.Length == 0)
{
Tracing.Tracing.Error("SWT token requested, but no symmetric signing key found");
throw new InvalidRequestException("SWT token requested, but no symmetric signing key found");
}
}
}
protected virtual void ValidateKnownRealm(RequestDetails details)
{
// check if realm is allowed
if (_configuration.AllowKnownRealmsOnly && (!details.IsKnownRealm))
{
Tracing.Tracing.Error("Configuration requires a known realm - but realm is not registered");
throw new InvalidScopeException(details.Realm.Uri.AbsoluteUri);
}
}
protected virtual void ValidateReplyTo(RequestDetails details)
{
// check if replyto is part of a registered realm (when not explicitly registered in config)
if (!details.IsReplyToFromConfiguration)
{
if (_configuration.RequireReplyToWithinRealm && (!details.ReplyToAddressIsWithinRealm))
{
Tracing.Tracing.Error("Configuration requires that ReplyTo is a sub-address of the realm - this is not the case");
throw new InvalidRequestException("Invalid ReplyTo");
}
}
}
protected virtual void AnalyzeOperationContext(RequestDetails details)
{
// determine if this is a WCF call
if (OperationContext.Current != null)
{
details.IsActive = true;
Tracing.Tracing.Information("Active request");
}
else
{
Tracing.Tracing.Information("Passive request");
}
}
protected virtual void ValidateEncryption(RequestDetails details)
{
// check if token must be encrypted
if (_configuration.RequireEncryption && (!details.UsesEncryption))
{
Tracing.Tracing.Error("Configuration requires encryption - but no key available");
throw new InvalidRequestException("No encryption key available");
}
}
protected virtual void AnalyzeSsl(RequestDetails details)
{
// determine if reply to is via SSL
details.UsesSsl = (details.ReplyToAddress.Scheme == Uri.UriSchemeHttps);
Tracing.Tracing.Information(String.Format("SSL used:{0}", details.UsesSsl));
}
protected virtual IClaimsIdentity GetActAsClaimsIdentity(IClaimsIdentity clientIdentity, RequestDetails requestDetails)
{
var actAsSubject = requestDetails.Request.ActAs.GetSubject()[0];
var actAsIdentity = actAsSubject.Copy();
// find the last actor in the actAs identity
IClaimsIdentity lastActor = actAsIdentity;
while (lastActor.Actor != null)
{
lastActor = lastActor.Actor;
}
// set the caller's identity as the last actor in the delegation chain
lastActor.Actor = clientIdentity;
Tracing.Tracing.Information("ActAs client identity: " + actAsIdentity.Name);
Tracing.Tracing.Information("ActAs actor identity : " + actAsIdentity.Actor.Name);
// return the actAsIdentity instead of the caller's identity in this case
return actAsIdentity;
}
protected virtual void AnalyzeRequestClaims(RequestDetails details)
{
// check if specific claims are requested
if (details.Request.Claims != null && details.Request.Claims.Count > 0)
{
details.ClaimsRequested = true;
details.RequestClaims = details.Request.Claims;
var requestClaims = new StringBuilder(20);
details.RequestClaims.ToList().ForEach(rq => requestClaims.AppendFormat("{0}\n", rq.ClaimType));
Tracing.Tracing.Information("Specific claims requested");
Tracing.Tracing.Information(String.Format("Request claims: {0}", requestClaims));
}
else
{
Tracing.Tracing.Information("No request claims");
}
}
protected virtual void AnalyzeRst(RequestSecurityToken rst, RequestDetails options)
{
if (rst == null)
{
throw new ArgumentNullException("request");
}
options.Request = rst;
}
protected virtual void AnalyzeReplyTo(RequestDetails details)
{
var rp = details.RelyingPartyRegistration;
// determine the reply to address (only relevant for passive requests)
if (rp != null && rp.ReplyTo != null)
{
details.ReplyToAddress = rp.ReplyTo;
details.IsReplyToFromConfiguration = true;
// check if reply to is a sub-address of the realm address
if (details.ReplyToAddress.AbsoluteUri.StartsWith(details.Realm.Uri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
{
details.ReplyToAddressIsWithinRealm = true;
}
Tracing.Tracing.Information(String.Format("ReplyTo Address set from configuration: {0}", details.ReplyToAddress.AbsoluteUri));
}
else
{
if (!String.IsNullOrEmpty(details.Request.ReplyTo))
{
if (_configuration.AllowReplyTo)
{
// explicit address
details.ReplyToAddress = new Uri(details.Request.ReplyTo);
Tracing.Tracing.Information(String.Format("Explicit ReplyTo address set: {0}", details.ReplyToAddress.AbsoluteUri));
// check if reply to is a sub-address of the realm address
if (details.ReplyToAddress.AbsoluteUri.StartsWith(details.Realm.Uri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
{
details.ReplyToAddressIsWithinRealm = true;
}
Tracing.Tracing.Information(String.Format("ReplyTo Address is within Realm: {0}", details.ReplyToAddressIsWithinRealm));
}
else
{
// same as realm
details.ReplyToAddress = details.Realm.Uri;
details.ReplyToAddressIsWithinRealm = true;
Tracing.Tracing.Warning(string.Format("ReplyTo address of ({0}) was supplied, but since configuration does not allow ReplyTo, the realm address is used", details.Request.ReplyTo));
}
}
else
{
// same as realm
details.ReplyToAddress = details.Realm.Uri;
details.ReplyToAddressIsWithinRealm = true;
Tracing.Tracing.Information("ReplyTo address set to realm address");
}
}
}
protected virtual RelyingPartyModel AnalyzeRelyingParty(RequestDetails details)
{
// check if the relying party is registered
RelyingPartyModel rp = null;
if (_relyingPartyRepository.TryGet(details.Realm.Uri.AbsoluteUri, out rp))
{
details.RelyingPartyRegistration = rp;
details.IsKnownRealm = true;
var traceString = String.Format("Relying Party found in registry - Realm: {0}", rp.Realm.AbsoluteUri);
if (!string.IsNullOrEmpty(rp.Name))
{
traceString += String.Format(" ({0})", rp.Name);
}
Tracing.Tracing.Information(traceString);
if (rp.EncryptingCertificate != null)
{
details.EncryptingCertificate = rp.EncryptingCertificate;
Tracing.Tracing.Information("Encrypting certificate set from registry");
}
}
else
{
Tracing.Tracing.Information("Relying party is not registered.");
}
return rp;
}
protected virtual void AnalyzeRealm(RequestSecurityToken rst, RequestDetails options)
{
// check realm
if (rst.AppliesTo == null || rst.AppliesTo.Uri == null)
{
throw new MissingAppliesToException("AppliesTo is missing");
}
options.Realm = rst.AppliesTo;
}
public RequestDetails Analyze(RequestSecurityToken rst, IClaimsPrincipal principal)
{
if (rst == null)
{
throw new ArgumentNullException("rst");
}
if (principal == null)
{
throw new ArgumentNullException("principal");
}
Tracing.Tracing.Information("Starting PolicyOptions creation");
var clientIdentity = AnalyzeClientIdentity(principal);
var details = new RequestDetails
{
ClientIdentity = clientIdentity,
IsActive = false,
Realm = null,
IsKnownRealm = false,
UsesSsl = false,
UsesEncryption = false,
ReplyToAddress = null,
ReplyToAddressIsWithinRealm = false,
IsReplyToFromConfiguration = false,
EncryptingCertificate = null,
ClaimsRequested = false,
RequestClaims = null,
Request = null,
IsActAsRequest = false,
RelyingPartyRegistration = null
};
AnalyzeRst(rst, details);
AnalyzeTokenType(rst, details);
AnalyzeKeyType(rst);
AnalyzeRealm(rst, details);
AnalyzeOperationContext(details);
AnalyzeDelegation(rst, details);
AnalyzeRelyingParty(details);
AnalyzeEncryption(details);
AnalyzeReplyTo(details);
AnalyzeSsl(details);
AnalyzeRequestClaims(details);
Tracing.Tracing.Information("PolicyOptions creation done.");
_details = details;
return details;
}
public void Validate(RequestDetails details)
{
if (details == null)
{
throw new ArgumentNullException("details");
}
Tracing.Tracing.Information("Starting policy validation");
ValidateKnownRealm(details);
ValidateTokenType(details);
ValidateReplyTo(details);
ValidateEncryption(details);
ValidateSsl(details);
ValidateDelegation(details);
Tracing.Tracing.Information("Policy Validation succeeded");
}
protected virtual void AnalyzeDelegation(RequestSecurityToken rst, RequestDetails details)
{
// check for identity delegation request
if (rst.ActAs != null)
{
details.IsActAsRequest = true;
Tracing.Tracing.Information("Request is ActAs request");
}
}
protected virtual void ValidateDelegation(RequestDetails details)
{
// check for ActAs request
if (details.IsActAsRequest)
{
if (!_configuration.EnableDelegation)
{
Tracing.Tracing.Error("Request is ActAs request - but ActAs is not enabled");
throw new InvalidRequestException("Request is ActAs request - but ActAs is not enabled");
}
if (!_delegationRepository.IsDelegationAllowed(details.ClientIdentity.Name, details.Realm.Uri.AbsoluteUri))
{
Tracing.Tracing.Error(String.Format("ActAs mapping not found."));
throw new InvalidRequestException("ActAs mapping not found.");
}
}
}
protected virtual void AnalyzeTokenType(RequestSecurityToken rst, RequestDetails details)
{
if (string.IsNullOrWhiteSpace(rst.TokenType))
{
details.TokenType = _configuration.DefaultTokenType;
Tracing.Tracing.Information("Token Type: not specified, falling back to default token type");
}
else
{
Tracing.Tracing.Information("Token Type: " + rst.TokenType);
details.TokenType = rst.TokenType;
}
}
protected virtual void AnalyzeEncryption(RequestDetails details)
{
if (details.EncryptingCertificate == null)
{
X509Certificate2 requestCertificate;
if (TryGetEncryptionCertificateFromRequest(details.Realm, out requestCertificate))
{
details.EncryptingCertificate = requestCertificate;
Tracing.Tracing.Information("Encrypting certificate set from RST");
}
}
details.UsesEncryption = (details.EncryptingCertificate != null);
Tracing.Tracing.Information("Token encryption: " + details.UsesEncryption);
}
