public static bool ContainsClaim(this IEnumerable<ClaimSet> claimSets, Claim searchClaim, Claim issuerIdentityClaim, ClaimSearchMode searchMode, IEqualityComparer<Claim> comparer) { IEnumerable<ClaimSet> searchSet = GetClaimSetsCore(claimSets, issuerIdentityClaim, searchMode); foreach (ClaimSet set in searchSet) { bool found = false; if (comparer != null) { found = set.ContainsClaim(searchClaim, comparer); } else { found = set.ContainsClaim(searchClaim); } if (found) { return true; } } return false; }
protected void Initialize(Claim identityClaim) { if (identityClaim == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identityClaim"); Initialize(identityClaim, null); }
public static EndpointIdentity CreateIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); // PreSharp Bug: Parameter 'identity.ClaimType' to this public method must be validated: A null-dereference can occur here. #pragma warning suppress 56506 // Claim.ClaimType will never return null if (identity.ClaimType.Equals(ClaimTypes.Dns)) { return new DnsEndpointIdentity(identity); } else if (identity.ClaimType.Equals(ClaimTypes.Spn)) { return new SpnEndpointIdentity(identity); } else if (identity.ClaimType.Equals(ClaimTypes.Upn)) { return new UpnEndpointIdentity(identity); } else if (identity.ClaimType.Equals(ClaimTypes.Rsa)) { return new RsaEndpointIdentity(identity); } else { return new GeneralEndpointIdentity(identity); } }
public static EndpointIdentity CreateIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); throw ExceptionHelper.PlatformNotSupported("EndpointIdentity.CreateIdentity is not supported."); }
public SamlAttribute(Claim claim) { if (claim == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claim"); if (!(claim.Resource is String)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SamlAttributeClaimResourceShouldBeAString)); if (claim.Right != Rights.PossessProperty) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.SamlAttributeClaimRightShouldBePossessProperty)); #pragma warning suppress 56506 // claim.CalimType can never be null. int lastSlashIndex = claim.ClaimType.LastIndexOf('/'); if ((lastSlashIndex == -1) || (lastSlashIndex == 0) || (lastSlashIndex == claim.ClaimType.Length - 1)) { this.nameSpace = String.Empty; this.name = claim.ClaimType; } else { this.nameSpace = StringUtil.OptimizeString(claim.ClaimType.Substring(0, lastSlashIndex)); this.name = StringUtil.OptimizeString(claim.ClaimType.Substring(lastSlashIndex + 1, claim.ClaimType.Length - (lastSlashIndex + 1))); } this.claimType = claim.ClaimType; this.attributeValues.Add(claim.Resource as string); }
public static bool Authenticate(Claim claim, string password, byte[] authenticator) { bool flag = false; if (authenticator == null) { return false; } byte[] buffer = null; RuntimeHelpers.PrepareConstrainedRegions(); try { buffer = ComputeHash(claim, password); if (buffer.Length != authenticator.Length) { return flag; } for (int i = 0; i < buffer.Length; i++) { if (buffer[i] != authenticator[i]) { flag = false; break; } } flag = true; } finally { ArrayClear(buffer); } return flag; }
public static EndpointIdentity CreateIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); // PreSharp #pragma warning suppress 56506 // Claim.ClaimType will never return null if (identity.ClaimType.Equals(ClaimTypes.Dns)) { return new DnsEndpointIdentity(identity); } else if (identity.ClaimType.Equals(ClaimTypes.Spn)) { return new SpnEndpointIdentity(identity); } else if (identity.ClaimType.Equals(ClaimTypes.Upn)) { return new UpnEndpointIdentity(identity); } else if (identity.ClaimType.Equals(ClaimTypes.Rsa)) { return new RsaEndpointIdentity(identity); } else { return new GeneralEndpointIdentity(identity); } }
public SamlAttribute(Claim claim) { this.attributeValues = new ImmutableCollection<string>(); if (claim == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claim"); } if (!(claim.Resource is string)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.IdentityModel.SR.GetString("SamlAttributeClaimResourceShouldBeAString")); } if (claim.Right != Rights.PossessProperty) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.IdentityModel.SR.GetString("SamlAttributeClaimRightShouldBePossessProperty")); } int length = claim.ClaimType.LastIndexOf('/'); if (((length == -1) || (length == 0)) || (length == (claim.ClaimType.Length - 1))) { this.nameSpace = string.Empty; this.name = claim.ClaimType; } else { this.nameSpace = claim.ClaimType.Substring(0, length); this.name = claim.ClaimType.Substring(length + 1, claim.ClaimType.Length - (length + 1)); } this.claimType = claim.ClaimType; this.attributeValues.Add(claim.Resource as string); }
protected void Initialize(Claim identityClaim, IEqualityComparer<Claim> claimComparer) { if (identityClaim == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identityClaim"); _identityClaim = identityClaim; _claimComparer = claimComparer; }
public PeerHashToken(Claim claim, string password) { this.id = SecurityUniqueId.Create().Value; this.effectiveTime = DateTime.UtcNow; this.expirationTime = DateTime.UtcNow.AddHours(10.0); this.authenticator = PeerSecurityHelpers.ComputeHash(claim, password); this.CheckValidity(); }
public CustomAuthorizationPolicy() { m_id = Guid.NewGuid(); Claim c = Claim.CreateNameClaim("http://www.thatindigogirl.com/samples/2006/07/issuer"); Claim[] claims = new Claim[1]; claims[0] = c; m_issuer = new DefaultClaimSet(claims); }
public DnsEndpointIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); if (!identity.ClaimType.Equals(ClaimTypes.Dns)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.UnrecognizedClaimTypeForIdentity, identity.ClaimType, ClaimTypes.Dns)); base.Initialize(identity); }
public UpnEndpointIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); // PreSharp Bug: Parameter 'identity.ResourceType' to this public method must be validated: A null-dereference can occur here. if (!identity.ClaimType.Equals(ClaimTypes.Upn)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.Format(SR.UnrecognizedClaimTypeForIdentity, identity.ClaimType, ClaimTypes.Upn)); base.Initialize(identity); }
public DnsEndpointIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); // PreSharp Bug: Parameter 'identity.ResourceType' to this public method must be validated: A null-dereference can occur here. #pragma warning suppress 56506 // Claim.ClaimType will never return null if (!identity.ClaimType.Equals(ClaimTypes.Dns)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.UnrecognizedClaimTypeForIdentity, identity.ClaimType, ClaimTypes.Dns)); base.Initialize(identity); }
public DnsEndpointIdentity(Claim identity) { if (identity == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); } if (!identity.ClaimType.Equals(ClaimTypes.Dns)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("UnrecognizedClaimTypeForIdentity", new object[] { identity.ClaimType, ClaimTypes.Dns })); } base.Initialize(identity); }
public SpnEndpointIdentity(Claim identity) { if (identity == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); // PreSharp #pragma warning suppress 56506 // Claim.ClaimType will never return null if (!identity.ClaimType.Equals(ClaimTypes.Spn)) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.UnrecognizedClaimTypeForIdentity, identity.ClaimType, ClaimTypes.Spn)); base.Initialize(identity); }
public override bool ContainsClaim(Claim claim) { if (claim == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claim"); for (int i = 0; i < this.claims.Count; ++i) { if (claim.Equals(this.claims[i])) { return true; } } return false; }
public static byte[] ComputeHash(Claim claim, string pwd) { RSACryptoServiceProvider resource = claim.Resource as RSACryptoServiceProvider; if (resource == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claim"); } using (resource) { byte[] message = resource.ExportCspBlob(false); if (message == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key"); } return ComputeHash(message, pwd); } }
public X509CertificateClaimSet (X509Certificate2 certificate) { if (certificate == null) throw new ArgumentNullException ("certificate"); this.cert = certificate; Claim ident = new Claim (ClaimTypes.Thumbprint, cert.Thumbprint, Rights.Identity); // issuer = new X509IdentityClaimSet (ident); claims.Add (ident); //claims.Add (Claim.CreateX500DistinguishedNameClaim (cert.SubjectName)); //claims.Add (Claim.CreateNameClaim (cert.SubjectName.Name)); RSA rsa = cert.PublicKey.Key as RSA; if (rsa != null) claims.Add (Claim.CreateRsaClaim (rsa)); claims.Add (Claim.CreateThumbprintClaim (cert.GetCertHash ())); // FIXME: where is DNS info for X509 cert? claims.Add (Claim.CreateDnsClaim (null)); }
//We will add a custom claim to the EvaluationContext if the 'magic character' exists in the username public bool Evaluate(EvaluationContext evaluationContext, ref object state) { //Get the Identities Property object obj; if (!evaluationContext.Properties.TryGetValue("Identities", out obj)) { Debug.WriteLine("CustomNameCheckerPolicy: Identities is null"); return false; } //Get the list of IIdentities IList<IIdentity> identities = obj as IList<IIdentity>; if (identities == null || identities.Count != 1) { Debug.WriteLine("CustomNameCheckerPolicy: Identities.count = 0"); return false; } //Get the WindowsIdentity //Any other type of IIdentity will cause it to return false WindowsIdentity wID = identities[0] as WindowsIdentity; if (wID == null) { Debug.WriteLine("CustomNameCheckerPolicy: Not a Windows Identity"); return false; } //retrieve the username string[] domainAndUsername = wID.Name.Split(new char[]{'\\'}); string userName = domainAndUsername[0]; if (domainAndUsername.Length > 1) userName = domainAndUsername[1]; //Check to see if the 'magic character' exists in the username //Add our claim if it does if (userName.ToUpper().Contains(Constants.magicCharacter.ToUpper())) { List<Claim> claims = new List<Claim>(1); Claim magicCharacterClaim = new Claim(Constants.PossessesMagicCharacterType, Constants.magicCharacter, Rights.PossessProperty); claims.Add(magicCharacterClaim); evaluationContext.AddClaimSet(this, new DefaultClaimSet(claims)); } return true; }
public SamlAttribute (Claim claim) { if (claim == null) throw new ArgumentNullException ("claim"); if (claim.ClaimType == null) throw new ArgumentException ("Claim type is null."); int idx = claim.ClaimType.LastIndexOf ('/'); if (idx <= 0 || idx == claim.ClaimType.Length - 1) throw new ArgumentException ("Claim type does not contain '/' or it is at improper position."); name = claim.ClaimType.Substring (idx + 1); ns = claim.ClaimType.Substring (0, idx); if (claim.Resource != null && !(claim.Resource is string)) throw new ArgumentException ("Claim resource is not a string."); attribute_values = new List<string> (); attribute_values.Add ((string) claim.Resource); if (claim.Right != Rights.PossessProperty) throw new ArgumentException ("Claim right is not PossessProperty"); }
public static EndpointIdentity CreateIdentity (Claim identity) { if (identity == null) throw new ArgumentNullException (); if (identity.ClaimType == ClaimTypes.Dns) return CreateDnsIdentity ((string) identity.Resource); else if (identity.ClaimType == ClaimTypes.Rsa) { if (identity.Resource is string) return CreateRsaIdentity ((string) identity.Resource); else if (identity.Resource is X509Certificate2) return CreateRsaIdentity ((X509Certificate2) identity.Resource); } else if (identity.ClaimType == ClaimTypes.Thumbprint) return CreateX509CertificateIdentity ((X509Certificate2) identity.Resource); else if (identity.ClaimType == ClaimTypes.Spn) return CreateSpnIdentity ((string) identity.Resource); else if (identity.ClaimType == ClaimTypes.Upn) return CreateSpnIdentity ((string) identity.Resource); throw new NotSupportedException (String.Format ("Claim type '{0}' cannot be used to create an endpoint identity.", identity.ClaimType)); }
public static EndpointIdentity CreateIdentity(Claim identity) { if (identity == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity"); } if (identity.ClaimType.Equals(ClaimTypes.Dns)) { return new DnsEndpointIdentity(identity); } if (identity.ClaimType.Equals(ClaimTypes.Spn)) { return new SpnEndpointIdentity(identity); } if (identity.ClaimType.Equals(ClaimTypes.Upn)) { return new UpnEndpointIdentity(identity); } if (identity.ClaimType.Equals(ClaimTypes.Rsa)) { return new RsaEndpointIdentity(identity); } return new GeneralEndpointIdentity(identity); }
/// <summary> /// Translates claims to strings /// </summary> /// <param name="claim">Claim to translate to a string</param> /// <returns></returns> protected static string GetResourceValue(Claim claim) { IdentityReference reference = claim.Resource as IdentityReference; if (null != reference) { return reference.Value; } ICspAsymmetricAlgorithm rsa = claim.Resource as ICspAsymmetricAlgorithm; if (null != rsa) { using (SHA256 sha = new SHA256Managed()) { return Convert.ToBase64String(sha.ComputeHash(rsa.ExportCspBlob(false))); } } System.Net.Mail.MailAddress mail = claim.Resource as System.Net.Mail.MailAddress; if (null != mail) { return mail.ToString(); } byte[] bufferValue = claim.Resource as byte[]; if (null != bufferValue) { return Convert.ToBase64String(bufferValue); } return claim.Resource.ToString(); }
/// <summary> /// Processes the Auth Context to get the IdentityClaims /// </summary> /// <returns></returns> protected void FindIdentityClaims() { // Pick up the claim type to use for generating the UniqueID claim string identificationClaimType = System.Configuration.ConfigurationManager.AppSettings["IdentityClaimType"]; // Or, default to PPID if (string.IsNullOrEmpty(identificationClaimType)) identificationClaimType = System.IdentityModel.Claims.ClaimTypes.PPID; ClaimSet result = null; m_endpointIdentity = null; foreach (ClaimSet claimSet in m_authorizationContext.ClaimSets) { // // This loops through the claims looking for the configured claim type // that will be used as part of the generation of the unique id. // foreach (Claim claim in claimSet.FindClaims(identificationClaimType, Rights.PossessProperty)) { // found a matching claim. This is good. m_issuer = CreateIdentityFromClaimSet(claimSet.Issuer); byte[] issuerkey; // we need to get a byte array that represents the issuer's key // to use as part of the hash to generate a unique id. // currently supported: (byte[]) or an RSACryptoServiceProvider, // This could be expanded to support other types. The key just // needs to be extracted as a byte array. issuerkey = m_issuer.IdentityClaim.Resource as byte[]; if (null == issuerkey) { RSACryptoServiceProvider csp = m_issuer.IdentityClaim.Resource as RSACryptoServiceProvider; if (null != csp) issuerkey = csp.ExportCspBlob(false); // Can't use this claim to get the key. if (null == issuerkey) throw new Exception("Unsupported IdentityClaim resource type"); } // It doesn't matter what encoding type we use, as long as it is consistent. // this conversion is just to get a consistent set of bytes from the claim. byte[] uniqueClaim = Encoding.UTF8.GetBytes(GetResourceValue(claim)); // copy the thumbprint data and the uniqueClaim together. byte[] thumbprintData = new byte[uniqueClaim.Length + issuerkey.Length]; issuerkey.CopyTo(thumbprintData, 0); uniqueClaim.CopyTo(thumbprintData, issuerkey.Length); // generate a hash. using (SHA256 sha = new SHA256Managed()) { Claim thumbprintClaim = new Claim(ClaimTypes.Thumbprint, Convert.ToBase64String(sha.ComputeHash(thumbprintData)), Rights.Identity); m_endpointIdentity = EndpointIdentity.CreateIdentity(thumbprintClaim); } m_identityClaims = claimSet; return; } if (null == m_endpointIdentity) { // // check for identity claim, if found, hold on to it, we may need to use it :) // result = claimSet; m_endpointIdentity = CreateIdentityFromClaimSet(claimSet); } } if (null != m_endpointIdentity) { m_identityClaims = result; return; } // // we have looped all claim sets with out finding an identity claim. // we will return the ppidIdentity and claimset if they were found. // throw new Exception("The XML Token data provided no Identity claim."); }
public static bool AuthenticateResponse(Claim claim, string password, Message message) { return PeerRequestSecurityTokenResponse.CreateHashTokenFrom(message).Validate(claim, password); }
private IList <Claim> InitializeClaimsCore() { List <Claim> claims = new List <Claim>(); byte[] thumbprint = _certificate.GetCertHash(); claims.Add(new Claim(ClaimTypes.Thumbprint, thumbprint, Rights.Identity)); claims.Add(new Claim(ClaimTypes.Thumbprint, thumbprint, Rights.PossessProperty)); // Ordering SubjectName, Dns, SimpleName, Email, Upn string value = _certificate.SubjectName.Name; if (!string.IsNullOrEmpty(value)) { claims.Add(Claim.CreateX500DistinguishedNameClaim(_certificate.SubjectName)); } // A SAN field can have multiple DNS names string[] dnsEntries = GetDnsFromExtensions(_certificate); if (dnsEntries.Length > 0) { for (int i = 0; i < dnsEntries.Length; ++i) { claims.Add(Claim.CreateDnsClaim(dnsEntries[i])); } } else { // If no SANs found in certificate, fall back to looking for the CN value = _certificate.GetNameInfo(X509NameType.DnsName, false); if (!string.IsNullOrEmpty(value)) { claims.Add(Claim.CreateDnsClaim(value)); } } value = _certificate.GetNameInfo(X509NameType.SimpleName, false); if (!string.IsNullOrEmpty(value)) { claims.Add(Claim.CreateNameClaim(value)); } value = _certificate.GetNameInfo(X509NameType.UpnName, false); if (!string.IsNullOrEmpty(value)) #if SUPPORTS_WINDOWSIDENTITY { claims.Add(Claim.CreateUpnClaim(value)); } #else { throw ExceptionHelper.PlatformNotSupported(); } #endif // SUPPORTS_WINDOWSIDENTITY value = _certificate.GetNameInfo(X509NameType.UrlName, false); if (!string.IsNullOrEmpty(value)) { claims.Add(Claim.CreateUriClaim(new Uri(value))); } //RSA rsa = _certificate.PublicKey.Key as RSA; //if (rsa != null) // claims.Add(Claim.CreateRsaClaim(rsa)); return(claims); }
// Note: null string represents any. public override IEnumerable <Claim> FindClaims(string claimType, string right) { ThrowIfDisposed(); if (!SupportedClaimType(claimType) || !ClaimSet.SupportedRight(right)) { yield break; } else if (_claims == null && ClaimTypes.Thumbprint.Equals(claimType)) { if (right == null || Rights.Identity.Equals(right)) { yield return(new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.Identity)); } if (right == null || Rights.PossessProperty.Equals(right)) { yield return(new Claim(ClaimTypes.Thumbprint, _certificate.GetCertHash(), Rights.PossessProperty)); } } else if (_claims == null && ClaimTypes.Dns.Equals(claimType)) { if (right == null || Rights.PossessProperty.Equals(right)) { // A SAN field can have multiple DNS names string[] dnsEntries = GetDnsFromExtensions(_certificate); if (dnsEntries.Length > 0) { for (int i = 0; i < dnsEntries.Length; ++i) { yield return(Claim.CreateDnsClaim(dnsEntries[i])); } } else { // If no SANs found in certificate, fall back to looking at the CN string value = _certificate.GetNameInfo(X509NameType.DnsName, false); if (!string.IsNullOrEmpty(value)) { yield return(Claim.CreateDnsClaim(value)); } } } } else { EnsureClaims(); bool anyClaimType = (claimType == null); bool anyRight = (right == null); for (int i = 0; i < _claims.Count; ++i) { Claim claim = _claims[i]; if ((claim != null) && (anyClaimType || claimType.Equals(claim.ClaimType)) && (anyRight || right.Equals(claim.Right))) { yield return(claim); } } } }
SecurityIdentifier GetSecurityIdentifier(Claim claim) { // if the incoming claim is a SID and the EndpointIdentity is UPN/SPN/DNS, try to find the SID corresponding to // the UPN/SPN/DNS (transactions case) if (claim.Resource is WindowsIdentity) return ((WindowsIdentity)claim.Resource).User; else if (claim.Resource is WindowsSidIdentity) return ((WindowsSidIdentity)claim.Resource).SecurityIdentifier; return claim.Resource as SecurityIdentifier; }
internal static void TraceIdentityVerificationSuccess(EventTraceActivity eventTraceActivity, EndpointIdentity identity, Claim claim, Type identityVerifier) { }
internal SctAuthorizationPolicy(SysClaim claim) { _issuer = new DefaultClaimSet(claim); }
internal static string GetResourceValue(Claim claim) { string strClaim = claim.Resource as string; if (!string.IsNullOrEmpty(strClaim)) { return strClaim; } IdentityReference reference = claim.Resource as IdentityReference; if (null != reference) { return reference.Value; } ICspAsymmetricAlgorithm rsa = claim.Resource as ICspAsymmetricAlgorithm; if (null != rsa) { using (SHA256 sha = new SHA256Managed()) { return Convert.ToBase64String(sha.ComputeHash(rsa.ExportCspBlob(false))); } } MailAddress mail = claim.Resource as MailAddress; if (null != mail) { return mail.ToString(); } byte[] bufferValue = claim.Resource as byte[]; if (null != bufferValue) { return Convert.ToBase64String(bufferValue); } return claim.Resource.ToString(); }
public GeneralEndpointIdentity(Claim identityClaim) { base.Initialize(identityClaim); }
public static bool TryCreateWindowsSidClaim(WindowsIdentity windowsIdentity, out Claim claim) { throw ExceptionHelper.PlatformNotSupported("CreateWindowsSidClaim is not yet supported"); }
public override bool Equals(object obj) { Claim c = obj as Claim; return(c != null && DefaultComparer.Equals(this, c)); }