public static IEnumerable<X509Certificate> GetSigningCertificates(Uri url, X509CertificateValidationMode mode = X509CertificateValidationMode.None)
{
var certs = new List<X509Certificate2>();
using (var stream = GetMetadataStream(url))
{
var serializer = new MetadataSerializer();
serializer.CertificateValidationMode = mode;
var md = serializer.ReadMetadata(stream);
var ed = md as EntityDescriptor;
var stsd = (SecurityTokenServiceDescriptor)ed.RoleDescriptors.FirstOrDefault(x => x is SecurityTokenServiceDescriptor);
foreach (var key in stsd.Keys)
{
var clause = key.KeyInfo.FirstOrDefault() as X509RawDataKeyIdentifierClause;
if (clause != null)
{
var cert = new X509Certificate2(clause.GetX509RawData());
certs.Add(cert);
}
}
}
return certs;
}
public void ProcessRequest(HttpContext context)
{
var metadata = Common.GetFederationMetadata();
var serializer = new MetadataSerializer();
serializer.WriteMetadata(context.Response.OutputStream, metadata);
context.Response.ContentType = "text/xml";
}
protected virtual void LoadMetadata()
{
using (var stream = GetMetadataStream())
{
var serializer = new MetadataSerializer();
serializer.CertificateValidationMode = mode;
var md = serializer.ReadMetadata(stream);
var ed = md as EntityDescriptor;
var stsd = (SecurityTokenServiceDescriptor)ed.RoleDescriptors.FirstOrDefault(x => x is SecurityTokenServiceDescriptor);
var registry = new ConfigurationBasedIssuerNameRegistry();
foreach (var key in stsd.Keys)
{
var clause = key.KeyInfo.FirstOrDefault() as X509RawDataKeyIdentifierClause;
if (clause != null)
{
var cert = new X509Certificate2(clause.GetX509RawData());
registry.AddTrustedIssuer(cert.Thumbprint, issuerName);
}
}
_registry = registry;
}
}
private static byte[] GetSigningCertificate(string metadataAddress)
{
if (metadataAddress == null)
{
throw new ArgumentNullException(metadataAddress);
}
using (XmlReader metadataReader = XmlReader.Create(metadataAddress))
{
MetadataSerializer serializer = new MetadataSerializer()
{
CertificateValidationMode = X509CertificateValidationMode.None
};
EntityDescriptor metadata = serializer.ReadMetadata(metadataReader) as EntityDescriptor;
if (metadata != null)
{
SecurityTokenServiceDescriptor stsd = metadata.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().First();
if (stsd != null)
{
X509RawDataKeyIdentifierClause clause = stsd.Keys.First().KeyInfo.OfType<X509RawDataKeyIdentifierClause>().First();
if (clause != null)
{
return clause.GetX509RawData();
}
throw new Exception("The SecurityTokenServiceDescriptor in the metadata does not contain the Signing Certificate in the <X509Certificate> element");
}
throw new Exception("The Federation Metadata document does not contain a SecurityTokenServiceDescriptor");
}
throw new Exception("Invalid Federation Metadata document");
}
}
public override void ExecuteResult(ControllerContext context)
{
context.HttpContext.Response.ContentType = "text/xml";
var serializer = new MetadataSerializer();
serializer.WriteMetadata(context.HttpContext.Response.OutputStream, metadata);
context.HttpContext.Response.Flush();
}
HttpResponseMessage Execute()
{
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings { OmitXmlDeclaration = true }), _entity);
var content = new StringContent(sb.ToString(), Encoding.UTF8, "application/xml");
return new HttpResponseMessage { Content = content };
}
public ActionResult Generate()
{
var wsFederationEndpoint = new EndpointAddress(Request.ToApplicationUri() + "Issue/WSFederation");
var wsTrustEndpoint = new EndpointAddress(new Uri(Request.ToApplicationUri() + "Issue/WSTrust/Message/Windows"), null, null, CreateMetadataReader(new Uri(Request.ToApplicationUri() + "Issue/WSTrust/mex")), null);
var metadata = new EntityDescriptor
{
EntityId = new EntityId(Request.ToApplicationUri()),
RoleDescriptors =
{
new SecurityTokenServiceDescriptor {
ServiceDisplayName = Configuration.IssuerName,
Contacts = {
new ContactPerson {
Type = ContactType.Support,
Company = "Contoso Bank",
EmailAddresses = { "*****@*****.**" },
TelephoneNumbers = { "+1 (416) 555-1212" }
}
},
ClaimTypesOffered =
{
DisplayClaim.CreateDisplayClaimFromClaimType(ClaimTypes.Name),
DisplayClaim.CreateDisplayClaimFromClaimType(ClaimTypes.Email),
},
ProtocolsSupported = { new Uri(WSFederationMetadataConstants.Namespace) },
TokenTypesOffered = { new Uri(SecurityTokenTypes.OasisWssSaml11TokenProfile11), new Uri(SecurityTokenTypes.OasisWssSaml2TokenProfile11) },
PassiveRequestorEndpoints = { wsFederationEndpoint },
SecurityTokenServiceEndpoints = { wsTrustEndpoint },
Keys = { new KeyDescriptor(
new SecurityKeyIdentifier(
new X509SecurityToken(Configuration.TokenSigningCertificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>())) { Use = KeyType.Signing } }
},
},
SigningCredentials = new X509SigningCredentials(Configuration.TokenSigningCertificate)
};
using (var stream = new MemoryStream())
using (var streamReader = new StreamReader(stream))
{
var serializer = new MetadataSerializer();
serializer.WriteMetadata(stream, metadata);
stream.Position = 0;
var result = new ContentResult
{
Content = streamReader.ReadToEnd(),
ContentEncoding = Encoding.Unicode,
ContentType = System.Net.Mime.MediaTypeNames.Text.Xml
};
return result;
}
}
public ActionResult FederationMetadata() {
var entityDescriptor = new ContosoSecurityTokenServiceConfiguration().GetFederationMetadata();
var serializer = new MetadataSerializer();
var settings = new XmlWriterSettings {
Encoding = Encoding.UTF8
};
using (var memoryStream = new MemoryStream()) {
using (var writer = XmlWriter.Create(memoryStream, settings)) {
serializer.WriteMetadata(writer, entityDescriptor);
writer.Flush();
return Content(Encoding.UTF8.GetString(memoryStream.GetBuffer()), "text/xml");
}
}
}
public void Metadata()
{
var config = new SimpleSecurityTokenServiceConfiguration();
// Entity
var ent = new EntityDescriptor();
ent.Contacts.Add(new ContactPerson(ContactType.Technical) { GivenName = "Sandra", Surname = "Fernandes" });
ent.EntityId = new EntityId(config.TokenIssuerName);
ent.SigningCredentials = config.SigningCredentials;
// Role: Security Token Service
var role = new SecurityTokenServiceDescriptor();
var endpoints = new EndpointAddress[] {
new EndpointAddress("https://idp.prompt11.local:10443/Federation/Issue"),
};
foreach (var ep in endpoints)
{
role.SecurityTokenServiceEndpoints.Add(ep);
role.PassiveRequestorEndpoints.Add(ep);
}
role.ServiceDescription = "My Service";
role.ServiceDisplayName = "My Service Description";
role.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
role.ValidUntil = DateTime.Now.AddDays(1);
role.ClaimTypesOffered.Add(new DisplayClaim(Microsoft.IdentityModel.Claims.ClaimTypes.Role));
role.ClaimTypesOffered.Add(new DisplayClaim(Microsoft.IdentityModel.Claims.ClaimTypes.Name));
role.Keys.Add(
new KeyDescriptor()
{
KeyInfo =
new SecurityKeyIdentifier(
new X509RawDataKeyIdentifierClause((config.SigningCredentials as X509SigningCredentials).Certificate)
),
Use = KeyType.Signing
}
);
ent.RoleDescriptors.Add(role);
// Serialize
var serializer = new MetadataSerializer();
var xe = new XDocument();
var writer = xe.CreateWriter();
serializer.WriteMetadata(writer, ent);
writer.Close();
Response.ContentType = "text/xml";
Response.Write(xe.ToString(SaveOptions.DisableFormatting));
}
internal static MetadataBase Load(Stream metadataStream)
{
var serializer = new MetadataSerializer();
using (var reader = XmlDictionaryReader.CreateTextReader(metadataStream, XmlDictionaryReaderQuotas.Max))
{
// Filter out the signature from the metadata, as the built in MetadataSerializer
// doesn't handle the http://www.w3.org/2000/09/xmldsig# which is allowed (and for SAMLv1
// even recommended).
using (var filter = new XmlFilteringReader("http://www.w3.org/2000/09/xmldsig#", "Signature", reader))
{
return serializer.ReadMetadata(filter);
}
}
}
public string Generate()
{
var tokenServiceDescriptor = GetTokenServiceDescriptor();
var id = new EntityId(ConfigurationRepository.Global.IssuerUri);
var entity = new EntityDescriptor(id);
entity.SigningCredentials = new X509SigningCredentials(ConfigurationRepository.Keys.SigningCertificate);
entity.RoleDescriptors.Add(tokenServiceDescriptor);
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings { OmitXmlDeclaration = true }), entity);
return sb.ToString();
}
protected virtual void LoadMetadata()
{
var client = new HttpClient { BaseAddress = _metadataAddress };
var stream = client.GetStreamAsync("").Result;
var serializer = new MetadataSerializer();
var md = serializer.ReadMetadata(stream);
var id = md.SigningCredentials.SigningKeyIdentifier;
var clause = id.First() as X509RawDataKeyIdentifierClause;
var cert = new X509Certificate2(clause.GetX509RawData());
_registry = new ConfigurationBasedIssuerNameRegistry();
_registry.AddTrustedIssuer(cert.Thumbprint, _issuerName);
}
private HttpResponseMessage Execute()
{
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings {
OmitXmlDeclaration = true
}), _entity);
var content = new StringContent(sb.ToString(), Encoding.UTF8, "application/xml");
Logger.Debug("Returning WS-Federation metadata response");
return(new HttpResponseMessage {
Content = content
});
}
public byte[] GetFederationMetadata(Uri passiveSignInUrl, Uri identifier, X509Certificate2 signingCertificate)
{
var credentials = new X509SigningCredentials(signingCertificate);
// Figure out the hostname exposed from Azure and what port the service is listening on
EndpointAddress realm = new EndpointAddress(identifier);
EndpointAddress passiveEndpoint = new EndpointAddress(passiveSignInUrl);
// Create metadata document for relying party
EntityDescriptor entity = new EntityDescriptor(new EntityId(realm.Uri.AbsoluteUri));
SecurityTokenServiceDescriptor sts = new SecurityTokenServiceDescriptor();
entity.RoleDescriptors.Add(sts);
// Add STS's signing key
KeyDescriptor signingKey = new KeyDescriptor(credentials.SigningKeyIdentifier);
signingKey.Use = KeyType.Signing;
sts.Keys.Add(signingKey);
// Add offered claim types
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationMethod));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationInstant));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name));
// Add passive federation endpoint
sts.PassiveRequestorEndpoints.Add(passiveEndpoint);
// Add supported protocols
sts.ProtocolsSupported.Add(new Uri(WSFederationConstants.Namespace));
// Add passive STS endpoint
sts.SecurityTokenServiceEndpoints.Add(passiveEndpoint);
// Set credentials with which to sign the metadata
entity.SigningCredentials = credentials;
// Serialize the metadata and convert it to an XElement
MetadataSerializer serializer = new MetadataSerializer();
MemoryStream stream = new MemoryStream();
serializer.WriteMetadata(stream, entity);
stream.Flush();
return(stream.ToArray());
}
public void SerializeMetadata_ReturnsExpectedString_WhenEscaping(string escapedValue)
{
// Arrange
var identity = "../files/azureMonitor.json";
var expectedResult = $"Identity={identity}|Value={escapedValue}";
var metadata = new SortedDictionary <string, string>(StringComparer.Ordinal)
{
{ "Value", escapedValue }
};
var input = new TaskItem(identity, metadata);
// Act
var result = MetadataSerializer.SerializeMetadata(input);
// Assert
Assert.Equal(expectedResult, result);
}
public static IssuerFederationData GetFederationMetataData(string metadataEndpoint, HttpClient metadataRequest)
{
string issuer = string.Empty;
string passiveTokenEndpoint = string.Empty;
List <X509SecurityToken> signingTokens = new List <X509SecurityToken>();
// TODO: Any way to make this async?
using (HttpResponseMessage metadataResponse = metadataRequest.GetAsync(metadataEndpoint).Result)
{
metadataResponse.EnsureSuccessStatusCode();
Stream metadataStream = metadataResponse.Content.ReadAsStreamAsync().Result;
using (XmlReader metaDataReader = XmlReader.Create(metadataStream, SafeSettings))
{
var serializer = new MetadataSerializer {
CertificateValidationMode = X509CertificateValidationMode.None
};
MetadataBase metadata = serializer.ReadMetadata(metaDataReader);
var entityDescriptor = (EntityDescriptor)metadata;
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
issuer = entityDescriptor.EntityId.Id;
}
SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First();
if (stsd == null)
{
throw new InvalidOperationException(Resources.Exception_MissingDescriptor);
}
passiveTokenEndpoint = stsd.PassiveRequestorEndpoints.First().Uri.AbsoluteUri;
IEnumerable <X509RawDataKeyIdentifierClause> x509DataClauses =
stsd.Keys.Where(key => key.KeyInfo != null &&
(key.Use == KeyType.Signing || key.Use == KeyType.Unspecified))
.Select(key => key.KeyInfo.OfType <X509RawDataKeyIdentifierClause>().First());
signingTokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
}
}
return(new IssuerFederationData {
IssuerSigningTokens = signingTokens, PassiveTokenEndpoint = passiveTokenEndpoint, TokenIssuerName = issuer
});
}
private string GenerateMetadata(params RoleDescriptor[] roles)
{
var id = new EntityId(ConfigurationRepository.Global.IssuerUri);
var entity = new EntityDescriptor(id);
entity.SigningCredentials = new X509SigningCredentials(ConfigurationRepository.Keys.SigningCertificate);
foreach (var roleDescriptor in roles)
{
entity.RoleDescriptors.Add(roleDescriptor);
}
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings { OmitXmlDeclaration = true }), entity);
return sb.ToString();
}
protected virtual void LoadMetadata()
{
var client = new HttpClient {
BaseAddress = _metadataAddress
};
var stream = client.GetStreamAsync("").Result;
var serializer = new MetadataSerializer();
var md = serializer.ReadMetadata(stream);
var id = md.SigningCredentials.SigningKeyIdentifier;
var clause = id.First() as X509RawDataKeyIdentifierClause;
var cert = new X509Certificate2(clause.GetX509RawData());
_registry = new ConfigurationBasedIssuerNameRegistry();
_registry.AddTrustedIssuer(cert.Thumbprint, _issuerName);
}
public string Generate()
{
var tokenServiceDescriptor = GetTokenServiceDescriptor();
var id = new EntityId(ConfigurationRepository.Global.IssuerUri);
var entity = new EntityDescriptor(id);
entity.SigningCredentials = new X509SigningCredentials(ConfigurationRepository.Keys.SigningCertificate);
entity.RoleDescriptors.Add(tokenServiceDescriptor);
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings {
OmitXmlDeclaration = true
}), entity);
return(sb.ToString());
}
internal static IssuerSigningKeys GetSigningKeys(string AzureFedUrl)
{
string issuer = "";
List <X509SecurityToken> tokens = new List <X509SecurityToken>();
var responseStatus = AzureFedUrl.GetResponseStatus();
if (responseStatus.HasValue && responseStatus.Value == System.Net.HttpStatusCode.OK)
{
using (XmlReader xmlReader = XmlReader.Create(AzureFedUrl))
{
var mdSerializer = new MetadataSerializer {
CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None
};
MetadataBase metadata = mdSerializer.ReadMetadata(xmlReader);
var entDescriptor = (EntityDescriptor)metadata;
//get the issues
if (!string.IsNullOrWhiteSpace(entDescriptor.EntityId.Id))
{
issuer = entDescriptor.EntityId.Id;
}
//get security token info
SecurityTokenServiceDescriptor stsd = entDescriptor.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First();
if (stsd == null)
{
throw new InvalidOperationException("No SecurityTokenServiceType descriptor in metadata.");
}
IEnumerable <X509RawDataKeyIdentifierClause> x509DataClauses =
stsd.Keys.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified))
.Select(key => key.KeyInfo.OfType <X509RawDataKeyIdentifierClause>().First());
tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
}
}
else
{
throw new InvalidOperationException("Unable to connect to federated trust url.");
}
return(new IssuerSigningKeys()
{
Issuer = issuer, Tokens = tokens
});
}
public string GetFederationMetadata(Uri endpoint)
{
// hostname
var passiveEndpoint = new EndpointReference(endpoint.AbsoluteUri);
var activeEndpoint = new EndpointReference(endpoint.AbsoluteUri);
// metadata document
var entity = new EntityDescriptor(new EntityId(TwitterClaims.IssuerName));
var sts = new SecurityTokenServiceDescriptor();
entity.RoleDescriptors.Add(sts);
// signing key
var signingKey = new KeyDescriptor(SigningCredentials.SigningKeyIdentifier) { Use = KeyType.Signing };
sts.Keys.Add(signingKey);
// claim types
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name, "Name", "User name"));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.NameIdentifier, "Name Identifier", "User name identifier"));
sts.ClaimTypesOffered.Add(new DisplayClaim(TwitterClaims.TwitterToken, "Token", "Service token"));
sts.ClaimTypesOffered.Add(new DisplayClaim(TwitterClaims.TwitterTokenSecret, "Token Secret", "Service token secret"));
// passive federation endpoint
sts.PassiveRequestorEndpoints.Add(passiveEndpoint);
// supported protocols
//Inaccessable due to protection level
//sts.ProtocolsSupported.Add(new Uri(WSFederationConstants.Namespace));
sts.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
// add passive STS endpoint
sts.SecurityTokenServiceEndpoints.Add(activeEndpoint);
// metadata signing
entity.SigningCredentials = SigningCredentials;
// serialize
var serializer = new MetadataSerializer();
using (var memoryStream = new MemoryStream())
{
serializer.WriteMetadata(memoryStream, entity);
return Encoding.UTF8.GetString(memoryStream.ToArray());
}
}
public static IssuerSigningKeys GetSigningKeys(string metadataEndpoint, TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler)
{
string issuer = string.Empty;
var tokens = new List <X509SecurityToken>();
using (var metadataRequest = new HttpClient(backchannelHttpHandler, false))
{
metadataRequest.Timeout = backchannelTimeout;
using (HttpResponseMessage metadataResponse = metadataRequest.GetAsync(metadataEndpoint).Result)
{
metadataResponse.EnsureSuccessStatusCode();
Stream metadataStream = metadataResponse.Content.ReadAsStreamAsync().Result;
using (XmlReader metaDataReader = XmlReader.Create(metadataStream, SafeSettings))
{
var serializer = new MetadataSerializer {
CertificateValidationMode = X509CertificateValidationMode.None
};
MetadataBase metadata = serializer.ReadMetadata(metaDataReader);
var entityDescriptor = (EntityDescriptor)metadata;
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
issuer = entityDescriptor.EntityId.Id;
}
SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First();
if (stsd == null)
{
throw new InvalidOperationException(Properties.Resources.Exception_MissingDescriptor);
}
IEnumerable <X509RawDataKeyIdentifierClause> x509DataClauses =
stsd.Keys.Where(key => key.KeyInfo != null &&
(key.Use == KeyType.Signing || key.Use == KeyType.Unspecified))
.Select(key => key.KeyInfo.OfType <X509RawDataKeyIdentifierClause>().First());
tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
}
}
}
return(new IssuerSigningKeys {
Issuer = issuer, Tokens = tokens
});
}
public void Write(MetadataSerializer serializer, Utf8JsonWriter writer, object value, IEnumerable <string> valuePath, RendererContext context)
{
writer.WriteString("type", "object");
writer.WriteString("extendedType", MetadataConverter.GetFullName(value.GetType()));
var dict = value as Dictionary <TKey, TValue>;
writer.WriteStartObject("children");
foreach (var kv in dict)
{
writer.WriteStartObject(kv.Key.ToString());
serializer.Serialize(writer, kv.Value, valuePath, context);
writer.WriteEndObject();
}
writer.WriteEndObject();
}
private static async Task <WsFederationConfiguration> GetConfigurationAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)
{
var document = await retriever.GetDocumentAsync(address, cancel);
var configuration = new WsFederationConfiguration();
using (var sr = new StringReader(document))
using (var xr = XmlReader.Create(sr, _settings))
{
var serializer = new MetadataSerializer {
CertificateValidationMode = X509CertificateValidationMode.None
};
var entityDescriptor = serializer.ReadMetadata(xr) as EntityDescriptor;
if (entityDescriptor != null)
{
configuration.Issuer = entityDescriptor.EntityId.Id;
var idpssod = entityDescriptor.RoleDescriptors.OfType <IdentityProviderSingleSignOnDescriptor>().FirstOrDefault();
if (idpssod != null)
{
var redirectBinding = idpssod.SingleSignOnServices.FirstOrDefault(ssos => ssos.Binding == ProtocolBindings.HttpRedirect);
if (redirectBinding != null)
{
configuration.TokenEndpoint = redirectBinding.Location.OriginalString;
}
var keys = idpssod.Keys
.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified))
.SelectMany(key => key.KeyInfo.OfType <X509RawDataKeyIdentifierClause>())
.Select(clause => new X509SecurityKey(new X509Certificate2(clause.GetX509RawData())));
foreach (var key in keys)
{
configuration.SigningKeys.Add(key);
}
}
}
}
return(configuration);
}
public override async Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var entity = EntityDescriptorProviderMock.GetIdpEntityDescriptor("IdpEntity");
var serialiser = new MetadataSerializer();
var sb = new StringBuilder();
using (var writer = XmlWriter.Create(sb))
{
serialiser.WriteMetadata(writer, entity);
writer.Flush();
HttpClientMock.Metadata = sb.ToString();
var content = new StreamContent(new MemoryStream(Encoding.UTF8.GetBytes(HttpClientMock.Metadata)));
var message = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = content
};
return(message);
}
}
public byte[] GetFederationMetadata(Uri passiveSignInUrl, Uri identifier, X509Certificate2 signingCertificate)
{
var credentials = new X509SigningCredentials(signingCertificate);
// Figure out the hostname exposed from Azure and what port the service is listening on
var realm = new EndpointAddress(identifier);
var passiveEndpoint = new EndpointReference(passiveSignInUrl.AbsoluteUri);
// Create metadata document for relying party
EntityDescriptor entity = new EntityDescriptor(new EntityId(realm.Uri.AbsoluteUri));
SecurityTokenServiceDescriptor sts = new SecurityTokenServiceDescriptor();
entity.RoleDescriptors.Add(sts);
// Add STS's signing key
KeyDescriptor signingKey = new KeyDescriptor(credentials.SigningKeyIdentifier);
signingKey.Use = KeyType.Signing;
sts.Keys.Add(signingKey);
// Add offered claim types
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationMethod));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationInstant));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name));
// Add passive federation endpoint
sts.PassiveRequestorEndpoints.Add(passiveEndpoint);
// Add supported protocols
sts.ProtocolsSupported.Add(new Uri(WSFederationConstants.Namespace));
// Add passive STS endpoint
sts.SecurityTokenServiceEndpoints.Add(passiveEndpoint);
// Set credentials with which to sign the metadata
entity.SigningCredentials = credentials;
// Serialize the metadata and convert it to an XElement
MetadataSerializer serializer = new MetadataSerializer();
MemoryStream stream = new MemoryStream();
serializer.WriteMetadata(stream, entity);
stream.Flush();
return stream.ToArray();
}
public async Task <IActionResult> GetRawEvents(Guid cardId)
{
var serializer = new MetadataSerializer();
var resolvedCategory = ShortNames.GetValueOrDefault(Category, Category);
var eventsResult = await _store.ReadStreamEventsForwardAsync(new StreamId(resolvedCategory, cardId), 0);
return(Ok(eventsResult.Events.Select(p => new
{
p.Id,
p.Type,
p.Number,
p.StreamId,
p.Created,
p.Data,
Metadata = serializer.Deserialize(p.Metadata)
})));
}
private static (IHoldMetadata metadata, Type type) ReadTypeFromMetadata(string eventType, ReadOnlyMemory <byte> meta)
{
Type type;
(IHoldMetadata metadata, int version)metadata;
if (meta.Length == 0)
{
type = Type.GetType(eventType);
return(new EventMetadata_V2(eventType, new Dictionary <string, string>()), type);
}
metadata = MetadataSerializer.DeserializeMetadata(meta);
type = AppDomain.CurrentDomain.GetAssemblies()
.Select(x => x.GetType(metadata.metadata.EventTypeFQN))
.FirstOrDefault(x => x != null);
return(metadata.metadata, type);
}
// Helpers
private string Generate()
{
var tokenServiceDescriptor = GetTokenServiceDescriptor();
var id = new EntityId("https://tugberk.me");
var entity = new EntityDescriptor(id);
var certificate = GetSigningCertificate();
entity.SigningCredentials = new X509SigningCredentials(certificate);
entity.RoleDescriptors.Add(tokenServiceDescriptor);
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
using (var sr = new StringWriter(sb))
using (var xmlWriter = XmlWriter.Create(sr, new XmlWriterSettings { OmitXmlDeclaration = true }))
{
ser.WriteMetadata(xmlWriter, entity);
return sb.ToString();
}
}
private static void CreateIdentityProviderMetadata(SamlSpData samlSpData, string fileName, Encoding encoding)
{
Constants.NameIdType nidFmt = samlSpData.NameIdType;
MetadataSerializer serializer = new MetadataSerializer();
ServiceProviderSingleSignOnDescriptor item = new ServiceProviderSingleSignOnDescriptor();
EntityDescriptor metadata = new EntityDescriptor();
metadata.EntityId = new EntityId(samlSpData.EntityId);
//using 2.0
if (Constants.NameIdType.Saml20 == nidFmt)
item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Transient);
//using 1.1
if (Constants.NameIdType.Saml11 == nidFmt)
item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Unspecified);
item.ProtocolsSupported.Add(new Uri(Constants.Saml20Protocol));
IndexedProtocolEndpoint ipEndpoint = new IndexedProtocolEndpoint()
{
IsDefault=true,
Binding=new Uri(samlSpData.BindingType),
Location=new Uri(samlSpData.BindingLocation)
};
item.AssertionConsumerService.Add(0, ipEndpoint);
metadata.RoleDescriptors.Add(item);
metadata.Contacts.Add(new ContactPerson(ContactType.Technical)
{
Company = samlSpData.MainContact.Company,
GivenName = samlSpData.MainContact.GivenName,
Surname = samlSpData.MainContact.SurName,
EmailAddresses = { samlSpData.MainContact.Email },
TelephoneNumbers = { samlSpData.MainContact.Phone }
});
XmlTextWriter writer = new XmlTextWriter(fileName, encoding);
serializer.WriteMetadata(writer, metadata);
writer.Close();
}
private EndpointMetadata GetMetadata(string tenant)
{
if (!_metadata.ContainsKey(tenant) ||
_metadata[tenant].ExpiresOn < DateTime.Now)
{
using (var metaDataReader = XmlReader.Create(string.Format(CultureInfo.InvariantCulture, SecurityTokenServiceAddressFormat, tenant), _SafeSettings))
{
var endpointMetadata = new EndpointMetadata();
var serializer = new MetadataSerializer()
{
CertificateValidationMode = X509CertificateValidationMode.None
};
MetadataBase metadata = serializer.ReadMetadata(metaDataReader);
var entityDescriptor = (EntityDescriptor)metadata;
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
endpointMetadata.Issuer = entityDescriptor.EntityId.Id;
}
var tokens = new List<SecurityToken>();
var stsd = entityDescriptor.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().First();
if (stsd == null)
{
throw new InvalidOperationException("No SecurityTokenServiceType descriptor in metadata.");
}
IEnumerable<X509RawDataKeyIdentifierClause> x509DataClauses = stsd.Keys.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified)).Select(key => key.KeyInfo.OfType<X509RawDataKeyIdentifierClause>().First());
tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
endpointMetadata.SigningTokens = tokens.AsReadOnly();
endpointMetadata.ExpiresOn = DateTime.Now.Add(CacheLength);
lock (_metadata)
{
_metadata[tenant] = endpointMetadata;
}
}
}
return _metadata[tenant];
}
private static (IHoldMetadata metadata, Type type) ReadTypeFromMetadata(EventRecord resolvedEvent)
{
Type type;
(IHoldMetadata metadata, int version)metadata;
if (resolvedEvent.Metadata.IsEmpty)
{
type = Type.GetType(resolvedEvent.EventType);
return(new EventMetadata_V2(resolvedEvent.EventType, new Dictionary <string, string>()), type);
}
metadata = MetadataSerializer.DeserializeMetadata(resolvedEvent.Metadata.ToArray());
type = AppDomain.CurrentDomain.GetAssemblies()
.Select(x => x.GetType(metadata.metadata.EventTypeFQN))
.FirstOrDefault(x => x != null);
return(metadata.metadata, type);
}
private static (IHoldMetadata metadata, Type type) ReadTypeFromMetadata(ResolvedEvent resolvedEvent)
{
Type type;
(IHoldMetadata metadata, int version)metadata;
if (resolvedEvent.Event.Metadata == null || resolvedEvent.Event.Metadata.Length == 0)
{
type = Type.GetType(resolvedEvent.Event.EventType);
return(null, type);
}
metadata = MetadataSerializer.DeserializeMetadata(resolvedEvent.Event.Metadata);
type = AppDomain.CurrentDomain.GetAssemblies()
.Select(x => x.GetType(metadata.metadata.EventTypeFQN))
.FirstOrDefault(x => x != null);
return(metadata.metadata, type);
}
private EndpointMetadata GetMetadata(string tenant)
{
if (!_metadata.ContainsKey(tenant) ||
_metadata[tenant].ExpiresOn < DateTime.Now)
{
using (var metaDataReader = XmlReader.Create(string.Format(CultureInfo.InvariantCulture, SecurityTokenServiceAddressFormat, tenant), _SafeSettings))
{
var endpointMetadata = new EndpointMetadata();
var serializer = new MetadataSerializer()
{
CertificateValidationMode = X509CertificateValidationMode.None
};
MetadataBase metadata = serializer.ReadMetadata(metaDataReader);
var entityDescriptor = (EntityDescriptor)metadata;
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
endpointMetadata.Issuer = entityDescriptor.EntityId.Id;
}
var tokens = new List <SecurityToken>();
var stsd = entityDescriptor.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First();
if (stsd == null)
{
throw new InvalidOperationException("No SecurityTokenServiceType descriptor in metadata.");
}
IEnumerable <X509RawDataKeyIdentifierClause> x509DataClauses = stsd.Keys.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified)).Select(key => key.KeyInfo.OfType <X509RawDataKeyIdentifierClause>().First());
tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
endpointMetadata.SigningTokens = tokens.AsReadOnly();
endpointMetadata.ExpiresOn = DateTime.Now.Add(CacheLength);
lock (_metadata)
{
_metadata[tenant] = endpointMetadata;
}
}
}
return(_metadata[tenant]);
}
/// <summary>
/// Returns a list of certificates from the specified metadata document.
/// </summary>
/// <param name="metadataAddress"></param>
/// <returns></returns>
private static List <X509SecurityToken> GetSigningCertificates(string metadataAddress)
{
List <X509SecurityToken> tokens = new List <X509SecurityToken>();
if (metadataAddress == null)
{
throw new ArgumentNullException(metadataAddress);
}
using (XmlReader metadataReader = XmlReader.Create(metadataAddress))
{
MetadataSerializer serializer = new MetadataSerializer()
{
// Do not disable for production code
CertificateValidationMode = X509CertificateValidationMode.None
};
EntityDescriptor metadata = serializer.ReadMetadata(metadataReader) as EntityDescriptor;
if (metadata != null)
{
SecurityTokenServiceDescriptor stsd = metadata.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().First();
if (stsd != null)
{
IEnumerable <X509RawDataKeyIdentifierClause> x509DataClauses = stsd.Keys.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified)).
Select(key => key.KeyInfo.OfType <X509RawDataKeyIdentifierClause>().First());
tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
}
else
{
throw new InvalidOperationException("There is no RoleDescriptor of type SecurityTokenServiceType in the metadata");
}
}
else
{
throw new Exception("Invalid Federation Metadata document");
}
}
return(tokens);
}
public static IssuerFederationData GetFederationMetataData(string metadataEndpoint, HttpClient metadataRequest)
{
string issuer = string.Empty;
string passiveTokenEndpoint = string.Empty;
List<X509SecurityToken> signingTokens = new List<X509SecurityToken>();
// TODO: Any way to make this async?
using (HttpResponseMessage metadataResponse = metadataRequest.GetAsync(metadataEndpoint).Result)
{
metadataResponse.EnsureSuccessStatusCode();
Stream metadataStream = metadataResponse.Content.ReadAsStreamAsync().Result;
using (XmlReader metaDataReader = XmlReader.Create(metadataStream, SafeSettings))
{
var serializer = new MetadataSerializer { CertificateValidationMode = X509CertificateValidationMode.None };
MetadataBase metadata = serializer.ReadMetadata(metaDataReader);
var entityDescriptor = (EntityDescriptor)metadata;
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
issuer = entityDescriptor.EntityId.Id;
}
SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().First();
if (stsd == null)
{
throw new InvalidOperationException(Resources.Exception_MissingDescriptor);
}
passiveTokenEndpoint = stsd.PassiveRequestorEndpoints.First().Uri.AbsoluteUri;
IEnumerable<X509RawDataKeyIdentifierClause> x509DataClauses =
stsd.Keys.Where(key => key.KeyInfo != null
&& (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified))
.Select(key => key.KeyInfo.OfType<X509RawDataKeyIdentifierClause>().First());
signingTokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
}
}
return new IssuerFederationData { IssuerSigningTokens = signingTokens, PassiveTokenEndpoint = passiveTokenEndpoint, TokenIssuerName = issuer };
}
public void Write(MetadataSerializer serializer, Utf8JsonWriter writer, object value, IEnumerable <string> valuePath, RendererContext context)
{
var prog = value as Progress;
writer.WriteString("type", "progress");
if (prog.pauseToggle != null)
{
var id = Guid.NewGuid().ToString();
context.Callbacks.Add(id, prog.pauseToggle);
writer.WriteString("pause", id);
}
else
{
writer.WriteNull("pause");
}
if (prog.setSpeed != null)
{
var id = Guid.NewGuid().ToString();
context.Callbacks.Add(id, prog.setSpeed);
writer.WriteString("setSpeed", id);
}
else
{
writer.WriteNull("setSpeed");
}
if (prog.cancellationTokenSource != null)
{
var id = Guid.NewGuid().ToString();
context.Callbacks.Add(id, (Action)prog.cancellationTokenSource.Cancel);
writer.WriteString("cancel", id);
}
else
{
writer.WriteNull("cancel");
}
}
private string GenerateMetadata(params RoleDescriptor[] roles)
{
var id = new EntityId(ConfigurationRepository.Global.IssuerUri);
var entity = new EntityDescriptor(id);
entity.SigningCredentials = new X509SigningCredentials(ConfigurationRepository.Keys.SigningCertificate);
foreach (var roleDescriptor in roles)
{
entity.RoleDescriptors.Add(roleDescriptor);
}
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings {
OmitXmlDeclaration = true
}), entity);
return(sb.ToString());
}
public static IssuerSigningKeys GetSigningKeys(string metadataEndpoint, TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler)
{
string issuer = string.Empty;
var tokens = new List<X509SecurityToken>();
using (var metadataRequest = new HttpClient(backchannelHttpHandler, false))
{
metadataRequest.Timeout = backchannelTimeout;
using (HttpResponseMessage metadataResponse = metadataRequest.GetAsync(metadataEndpoint).Result)
{
metadataResponse.EnsureSuccessStatusCode();
Stream metadataStream = metadataResponse.Content.ReadAsStreamAsync().Result;
using (XmlReader metaDataReader = XmlReader.Create(metadataStream, SafeSettings))
{
var serializer = new MetadataSerializer { CertificateValidationMode = X509CertificateValidationMode.None };
MetadataBase metadata = serializer.ReadMetadata(metaDataReader);
var entityDescriptor = (EntityDescriptor)metadata;
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
issuer = entityDescriptor.EntityId.Id;
}
SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().First();
if (stsd == null)
{
throw new InvalidOperationException(Properties.Resources.Exception_MissingDescriptor);
}
IEnumerable<X509RawDataKeyIdentifierClause> x509DataClauses =
stsd.Keys.Where(key => key.KeyInfo != null
&& (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified))
.Select(key => key.KeyInfo.OfType<X509RawDataKeyIdentifierClause>().First());
tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
}
}
}
return new IssuerSigningKeys { Issuer = issuer, Tokens = tokens };
}
/// <summary>
/// Reads a byte array for an attachment.
/// </summary>
public virtual async Task <AttachmentBytes> GetBytes(string messageId, string name, SqlConnection connection, SqlTransaction transaction, CancellationToken cancellation = default)
{
Guard.AgainstNullOrEmpty(messageId, nameof(messageId));
Guard.AgainstNullOrEmpty(name, nameof(name));
Guard.AgainstLongAttachmentName(name);
Guard.AgainstNull(connection, nameof(connection));
using (var command = CreateGetDataCommand(messageId, name, connection, transaction))
using (var reader = await command.ExecuteSequentialReader(cancellation).ConfigureAwait(false))
{
if (await reader.ReadAsync(cancellation).ConfigureAwait(false))
{
var metadataString = reader.GetStringOrNull(1);
var metadata = MetadataSerializer.Deserialize(metadataString);
var bytes = (byte[])reader[2];
return(new AttachmentBytes(bytes, metadata));
}
}
throw ThrowNotFound(messageId, name);
}
/// <summary>
/// Reads the <see cref="AttachmentInfo"/> for all attachments.
/// </summary>
public virtual async Task ReadAllInfo(SqlConnection connection, SqlTransaction transaction, Func <AttachmentInfo, Task> action, CancellationToken cancellation = default)
{
Guard.AgainstNull(connection, nameof(connection));
Guard.AgainstNull(action, nameof(action));
using (var command = GetReadInfosCommand(connection, transaction))
using (var reader = await command.ExecuteSequentialReader(cancellation).ConfigureAwait(false))
{
while (await reader.ReadAsync(cancellation).ConfigureAwait(false))
{
cancellation.ThrowIfCancellationRequested();
var info = new AttachmentInfo(
messageId: reader.GetString(1),
name: reader.GetString(2),
expiry: reader.GetDateTime(3),
metadata: MetadataSerializer.Deserialize(reader.GetStringOrNull(4)));
var task = action(info);
Guard.ThrowIfNullReturned(null, null, task);
await task.ConfigureAwait(false);
}
}
}
public void ModelWithRelationship_()
{
var model = new StubModel(m =>
{
m.EntitySet("products", new List <Product2>().AsQueryable())
.AddAttribute(new EntityPropertyMappingAttribute("Name", SyndicationItemProperty.Title, SyndicationTextContentKind.Plaintext, true));
m.EntitySet("catalogs", new List <Catalog2>().AsQueryable());
m.EntitySet("suppliers", new List <Supplier2>().AsQueryable());
});
var writer = new StringWriter();
MetadataSerializer.serialize(writer, new DataServiceMetadataProviderWrapper(model), Encoding.UTF8);
// writer.GetStringBuilder().ToString().Should().Be(
//@"<?xml version=""1.0"" encoding=""utf-8"" standalone=""yes""?>
//<edmx:Edmx Version=""1.0"" xmlns:edmx=""http://schemas.microsoft.com/ado/2007/06/edmx"">
// <edmx:DataServices xmlns:m=""http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"" m:DataServiceVersion=""2.0"" />
//</edmx:Edmx>");
Console.WriteLine(writer.GetStringBuilder().ToString());
}
public XElement GetFederationMetadata(string endPoint, IList <string> claims)
{
System.ServiceModel.EndpointAddress item = new System.ServiceModel.EndpointAddress(endPoint + "/_sts/");
EntityDescriptor entityDescriptor = new EntityDescriptor(new EntityId(this.TokenIssuerName));
SecurityTokenServiceDescriptor securityTokenServiceDescriptor = new SecurityTokenServiceDescriptor();
entityDescriptor.RoleDescriptors.Add(securityTokenServiceDescriptor);
KeyDescriptor keyDescriptor = new KeyDescriptor(this.SigningCredentials.SigningKeyIdentifier);
keyDescriptor.Use = KeyType.Signing;
securityTokenServiceDescriptor.Keys.Add(keyDescriptor);
for (int i = 0; i < claims.Count; i++)
{
securityTokenServiceDescriptor.ClaimTypesOffered.Add(new DisplayClaim(claims[i], claims[i], string.Empty));
}
var endPointReference = new EndpointReference(item.Uri.ToString());
securityTokenServiceDescriptor.PassiveRequestorEndpoints.Add(endPointReference);
securityTokenServiceDescriptor.ProtocolsSupported.Add(new System.Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
securityTokenServiceDescriptor.SecurityTokenServiceEndpoints.Add(endPointReference);
entityDescriptor.SigningCredentials = base.SigningCredentials;
MetadataSerializer metadataSerializer = new MetadataSerializer();
XElement result = null;
using (System.IO.MemoryStream memoryStream = new System.IO.MemoryStream())
{
metadataSerializer.WriteMetadata(memoryStream, entityDescriptor);
memoryStream.Flush();
memoryStream.Seek(0L, System.IO.SeekOrigin.Begin);
XmlReaderSettings settings = new XmlReaderSettings();
settings.IgnoreComments = true;
settings.IgnoreWhitespace = true;
XmlReader reader = XmlReader.Create(memoryStream);
result = XElement.Load(reader);
}
return(result);
}
// Helpers
private string Generate()
{
var tokenServiceDescriptor = GetTokenServiceDescriptor();
var id = new EntityId("https://tugberk.me");
var entity = new EntityDescriptor(id);
var certificate = GetSigningCertificate();
entity.SigningCredentials = new X509SigningCredentials(certificate);
entity.RoleDescriptors.Add(tokenServiceDescriptor);
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
using (var sr = new StringWriter(sb))
using (var xmlWriter = XmlWriter.Create(sr, new XmlWriterSettings {
OmitXmlDeclaration = true
}))
{
ser.WriteMetadata(xmlWriter, entity);
return(sb.ToString());
}
}
public ActionResult FederationMetadata()
{
var endpoint = Request.Url.Scheme + "://" + Request.Url.Host + ":" + Request.Url.Port;
var entityDescriptor = new EntityDescriptor(new EntityId(ConfigurationManager.AppSettings["stsName"]))
{
SigningCredentials = CertificateFactory.GetSigningCredentials()
};
var roleDescriptor = new SecurityTokenServiceDescriptor();
roleDescriptor.Contacts.Add(new ContactPerson(ContactType.Administrative));
var clause = new X509RawDataKeyIdentifierClause(CertificateFactory.GetCertificate());
var securityKeyIdentifier = new SecurityKeyIdentifier(clause);
var signingKey = new KeyDescriptor(securityKeyIdentifier) {Use = KeyType.Signing};
roleDescriptor.Keys.Add(signingKey);
var endpointAddress =
new System.IdentityModel.Protocols.WSTrust.EndpointReference(endpoint + "/Security/Authorize");
roleDescriptor.PassiveRequestorEndpoints.Add(endpointAddress);
roleDescriptor.SecurityTokenServiceEndpoints.Add(endpointAddress);
roleDescriptor.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
entityDescriptor.RoleDescriptors.Add(roleDescriptor);
var serializer = new MetadataSerializer();
var settings = new XmlWriterSettings {Encoding = Encoding.UTF8};
var memoryStream = new MemoryStream();
var writer = XmlWriter.Create(memoryStream, settings);
serializer.WriteMetadata(writer,entityDescriptor);
writer.Flush();
var content = Content(Encoding.UTF8.GetString(memoryStream.GetBuffer()), "text/xml");
writer.Dispose();
return content;
}
private static void PrintCredentialsJson(
bool passwordFound,
string exponent,
string modulus,
string userName,
string encryptedPassword = null,
string error = null)
{
GoogleCredentialsJson credentialsJson = new GoogleCredentialsJson
{
PasswordFound = passwordFound,
Exponent = exponent,
Modulus = modulus,
UserName = userName,
EncryptedPassword = encryptedPassword,
Error = error
};
string serializedCredentials = MetadataSerializer.SerializeMetadata <GoogleCredentialsJson>(credentialsJson);
Logger.LogWithCom(EventLogEntryType.Information, "COM4", "{0}", serializedCredentials);
}
public async Task LoadSettingsTest()
{
var assmBuilder = AssemblyBuilder.DefineDynamicAssembly(new AssemblyName(Guid.NewGuid().ToString()),
AssemblyBuilderAccess.RunAndCollect);
var moduleBuilder = assmBuilder.DefineDynamicModule(Guid.NewGuid().ToString());
var typeBuilder = moduleBuilder.DefineType("Plugin1", TypeAttributes.Public);
typeBuilder.AddInterfaceImplementation(typeof(IPlugin <MockSettings1>));
typeBuilder.SetParent(typeof(PluginMock <MockSettings1>));
typeBuilder.CreateType();
var assm = moduleBuilder.Assembly;
var assmBuffer = new Lokad.ILPack.AssemblyGenerator().GenerateAssemblyBytes(assm);
var conf = new MetadataSerializer().Deserialize <Configuration>("^plg1:\r\n prop-two: 0.1\r\n prp3:\r\n - A\r\n - B");
conf.Plugins = new List <string>(new string[] { "plg1" });
var mgr = new PluginsManager(conf, new Mock <IDocifyApplication>().Object);
await mgr.LoadPlugins(new PluginInfoMock[]
{
new PluginInfoMock("plg1", new FileMock(Location.FromPath("mockplugins.dll"), assmBuffer))
}.ToAsyncEnumerable());
var res = mgr.GetType().GetField("m_Plugins", BindingFlags.Instance | BindingFlags.NonPublic).GetValue(mgr) as IEnumerable <IPluginBase>;
var plg = res.OfType <PluginMock <MockSettings1> >().FirstOrDefault();
Assert.IsNotNull(plg);
Assert.IsNotNull(plg.Settings);
Assert.IsNotNull(plg.App);
Assert.AreEqual("A", plg.Settings.Prp1);
Assert.AreEqual(0.1, plg.Settings.PropTwo);
Assert.That(new string[] { "A", "B" }.SequenceEqual(plg.Settings.Prp3));
}
public void VerifyMetadataSerializerDoesThrowIfDerviedTypeRedefinesETag()
{
// regression test: Including derived properties on an ETag yields an error on service metadata document
string csdlContentWithConcurrencyReDefinedOnSubType = @"<?xml version='1.0' encoding='utf-8'?>
<edmx:Edmx Version='4.0' xmlns:edmx='http://docs.oasis-open.org/odata/ns/edmx'>
<edmx:DataServices xmlns:m='http://docs.oasis-open.org/odata/ns/metadata'>
<Schema Namespace='Scratch' xmlns='http://docs.oasis-open.org/odata/ns/edm'>
<EntityType Name='Child' BaseType='Scratch.Person'>
<Property Name='Description' Type='Edm.String' ConcurrencyMode='Fixed' />
</EntityType>
<EntityType Name='Person'>
<Key>
<PropertyRef Name='ID' />
</Key>
<Property Name='ID' Type='Edm.Int32' Nullable='false' />
<Property Name='Name' Type='Edm.String' ConcurrencyMode='Fixed' />
</EntityType>
<Function Name='GetPeople'>
<ReturnType Type='Collection(Scratch.Person)' />
</Function>
<EntityContainer Name='DataProvider'>
<EntitySet Name='People' EntityType='Scratch.Person' />
<FunctionImport Name='GetPeople' Function='Scratch.GetPeople' EntitySet='People' m:HttpMethod='GET' />
</EntityContainer>
</Schema>
</edmx:DataServices>
</edmx:Edmx>";
var csdlReader = XmlReader.Create(new StringReader(csdlContentWithConcurrencyReDefinedOnSubType));
IEdmModel modelWithConcurrencyRedefined = null;
IEnumerable <EdmError> errors = null;
EdmxReader.TryParse(csdlReader, out modelWithConcurrencyRedefined, out errors);
Assert.IsFalse(errors.Any(), "Expected model to be parsed without any errors");
Version edmxVersion = EdmConstants.EdmVersion4;
MetadataSerializer.ValidateModel(modelWithConcurrencyRedefined, edmxVersion);
}
protected virtual void LoadMetadata()
{
using (var stream = GetMetadataStream())
{
var serializer = new MetadataSerializer();
var md = serializer.ReadMetadata(stream);
var ed = md as EntityDescriptor;
var stsd = (SecurityTokenServiceDescriptor)ed.RoleDescriptors.FirstOrDefault(x => x is SecurityTokenServiceDescriptor);
var registry = new ConfigurationBasedIssuerNameRegistry();
foreach (var key in stsd.Keys)
{
var clause = key.KeyInfo.FirstOrDefault() as X509RawDataKeyIdentifierClause;
if (clause != null)
{
var cert = new X509Certificate2(clause.GetX509RawData());
registry.AddTrustedIssuer(cert.Thumbprint, issuerName);
}
}
_registry = registry;
}
}
public void DeserializeMetadata_ReturnsExpectedTask()
{
// Arrange
var identity = "../files/azureMonitor.json";
var input = $"Identity={identity}|ClassName=azureMonitorClient|" +
"CodeGenerator=NSwagCSharp|FirstForGenerator=true|Namespace=ConsoleClient|" +
"Options=|OriginalItemSpec=../files/azureMonitor.json|" +
"OutputPath=C:\\dd\\dnx\\AspNetCore\\artifacts\\obj\\ConsoleClient\\azureMonitorClient.cs";
var expectedMetadata = new SortedDictionary <string, string>(StringComparer.Ordinal)
{
{ "ClassName", "azureMonitorClient" },
{ "CodeGenerator", "NSwagCSharp" },
{ "FirstForGenerator", "true" },
{ "Namespace", "ConsoleClient" },
{ "Options", "" },
{ "OriginalItemSpec", identity },
{ "OutputPath", "C:\\dd\\dnx\\AspNetCore\\artifacts\\obj\\ConsoleClient\\azureMonitorClient.cs" },
};
// Act
var item = MetadataSerializer.DeserializeMetadata(input);
// Assert
Assert.Equal(identity, item.ItemSpec);
var metadata = Assert.IsAssignableFrom <IDictionary <string, string> >(item.CloneCustomMetadata());
// The dictionary CloneCustomMetadata returns doesn't provide a useful KeyValuePair enumerator.
var orderedMetadata = new SortedDictionary <string, string>(StringComparer.Ordinal);
foreach (var key in metadata.Keys)
{
orderedMetadata.Add(key, metadata[key]);
}
Assert.Equal(expectedMetadata, orderedMetadata);
}
private XmlElement SerializeMetadata(EntityDescriptor entityDescriptor)
{
var ser = new MetadataSerializer();
var sb = new StringBuilder();
using (var stringWriter = new StringWriter(sb))
{
using (var xmlWriter = XmlWriter.Create(stringWriter, new XmlWriterSettings {
OmitXmlDeclaration = true
}))
{
ser.WriteMetadata(xmlWriter, entityDescriptor);
}
}
var xml = sb.ToString();
xml.Should().NotBeNullOrEmpty();
var doc = new XmlDocument();
doc.LoadXml(xml);
return(doc.DocumentElement);
}
public void SerializeMetadata(Stream stream)
{
var serializer = new MetadataSerializer();
serializer.WriteMetadata(stream, GenerateEntities());
}
/// <summary>
/// Configure ACS endpoint address in Web.config.
/// </summary>
public static void Intialize()
{
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
var settings = DependencyResolver.Current.GetService<IPortalFrontendSettings>();
string acsNamespace = settings.AcsNamespace;
// Setup correct issuer name
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
string stsMetadataAddress = string.Format(WsFederationMetadata, acsNamespace);
// Update the web config with latest local STS federation meta data each
// time when instance of the application is created
try
{
using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))
{
// Creates the xml reader pointing to the updated web.config contents
// Don't validate the cert signing the federation metadata
var serializer = new MetadataSerializer
{
CertificateValidationMode = X509CertificateValidationMode.None,
};
var metadata = (EntityDescriptor)serializer.ReadMetadata(metadataReader);
// Select security token descriptors
SecurityTokenServiceDescriptor descriptor = metadata.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().FirstOrDefault();
if (descriptor != null)
{
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
// Try to find and add certificates for trusted issuers
foreach (KeyDescriptor keyDescriptor in descriptor.Keys)
{
if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified))
{
SecurityKeyIdentifier keyInfo = keyDescriptor.KeyInfo;
X509RawDataKeyIdentifierClause clause;
keyInfo.TryFind(out clause);
if (clause != null)
{
var x509Certificate2 = new X509Certificate2(clause.GetX509RawData());
if (x509Certificate2.Thumbprint != null)
{
issuerNameRegistry.AddTrustedIssuer(x509Certificate2.Thumbprint, x509Certificate2.SubjectName.Name);
}
}
}
}
// Set retrieved issuers
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.IssuerNameRegistry = issuerNameRegistry;
}
metadataReader.Dispose();
}
}
catch (Exception e)
{
Trace.TraceError("Error occured when update web config with latest local STS federation meta data. {0}", e);
return;
}
// Add audience URIs
string portalUri = settings.PortalUri;
// Front-end
var uriBuilder = new UriBuilder(portalUri);
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Extension
uriBuilder.Path = "/extension/login";
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Update WS-Federation configuration
FederatedAuthentication.WSFederationAuthenticationModule.Issuer = string.Format(WsFederationIssuer, acsNamespace);
FederatedAuthentication.WSFederationAuthenticationModule.Realm = portalUri;
}
private static void CreateIdentityProviderMetadata(SamlIdpData idpData, string fileName, Encoding encoding)
{
if ( string.IsNullOrEmpty(idpData.SigninCertificateCn))
throw new ApplicationException("no CN for a Certificate supplied");
string signingCertificateSubjectName = idpData.SigninCertificateCn;
Constants.NameIdType nidFmt = idpData.NameIdType;
MetadataSerializer serializer = new MetadataSerializer();
IdentityProviderSingleSignOnDescriptor item = new IdentityProviderSingleSignOnDescriptor();
EntityDescriptor metadata = new EntityDescriptor();
metadata.EntityId = new EntityId(idpData.EntityId);
X509Certificate2 certificate = CertificateHelper.RetrieveCertificate(signingCertificateSubjectName);
KeyDescriptor descriptor = new KeyDescriptor(
new SecurityKeyIdentifier(
new SecurityKeyIdentifierClause[]
{
new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>()
}));
descriptor.Use = KeyType.Signing;
item.Keys.Add(descriptor);
//using 2.0
if (Constants.NameIdType.Saml20 == nidFmt)
item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Transient);
//using 1.1
if (Constants.NameIdType.Saml11 == nidFmt)
item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Unspecified);
foreach (var attributeName in idpData.AttributeNames)
{
Saml2Attribute at1 = new Saml2Attribute(attributeName.Name)
{
NameFormat = new Uri(Constants.Saml20AttributeNameFormat)
};
item.SupportedAttributes.Add(at1);
}
item.ProtocolsSupported.Add(new Uri(Constants.Saml20Protocol));
item.SingleSignOnServices.Add(new ProtocolEndpoint(new Uri(idpData.BindingType), new Uri(idpData.BindingLocation)));
metadata.RoleDescriptors.Add(item);
metadata.Contacts.Add(new ContactPerson(ContactType.Technical)
{
Company = idpData.MainContact.Company,
GivenName = idpData.MainContact.GivenName,
Surname = idpData.MainContact.SurName,
EmailAddresses = { idpData.MainContact.Email },
TelephoneNumbers = { idpData.MainContact.Phone }
});
XmlTextWriter writer = new XmlTextWriter(fileName, encoding);
serializer.WriteMetadata(writer, metadata);
writer.Close();
}
public static List<SecurityToken> GetSigningCertificates(string metadataAddress)
{
Logging.DebugMessage(metadataAddress);
List<SecurityToken> tokens;
if (cache.TryGetValue(metadataAddress, out tokens)) return tokens;
tokens = new List<SecurityToken>();
if (metadataAddress == null)
{
throw new ArgumentNullException(metadataAddress);
}
using (XmlReader metadataReader = XmlReader.Create(metadataAddress))
{
MetadataSerializer serializer = new MetadataSerializer()
{
// Do not disable for production code
CertificateValidationMode = X509CertificateValidationMode.None
};
EntityDescriptor metadata = serializer.ReadMetadata(metadataReader) as EntityDescriptor;
if (metadata != null)
{
var stsd = metadata.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().First();
if (stsd != null)
{
var x509DataClauses = stsd.Keys.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified)).
Select(key => key.KeyInfo.OfType<X509RawDataKeyIdentifierClause>().First());
tokens.AddRange(x509DataClauses.Select(token => new X509SecurityToken(new X509Certificate2(token.GetX509RawData()))));
}
else
{
throw new InvalidOperationException("There is no RoleDescriptor of type SecurityTokenServiceType in the metadata");
}
}
else
{
throw new Exception("Invalid Federation Metadata document");
}
}
cache.TryAdd(metadataAddress, tokens);
return tokens;
}
static void CreatePassiveStsMetadata(StsData data, string fileName, Encoding encoding)
{
MetadataSerializer serializer = new MetadataSerializer();
SecurityTokenServiceDescriptor item = new SecurityTokenServiceDescriptor();
EntityDescriptor metadata = new EntityDescriptor();
metadata.EntityId = new EntityId(data.EntityId);
X509Certificate2 certificate = CertificateHelper.RetrieveCertificate(data.SigninCertificateCn);
metadata.SigningCredentials = new X509SigningCredentials(certificate);
KeyDescriptor descriptor3 = new KeyDescriptor(new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>() }));
descriptor3.Use = KeyType.Signing;
item.Keys.Add(descriptor3);
if (data.Claims != null)
{
foreach (var claim in data.Claims)
{
DisplayClaim dc = new DisplayClaim(claim.ClaimType, claim.DisplayTag, claim.Description)
{
Optional = claim.Optional
};
item.ClaimTypesOffered.Add(dc);
}
}
item.PassiveRequestorEndpoints.Add(new EndpointAddress( new Uri(data.PassiveRequestorEndpoint).AbsoluteUri));
if (data.Protocols != null)
{
foreach (Protocol protocol in data.Protocols)
{
item.ProtocolsSupported.Add(new Uri(protocol.ProtocolNamespace));
}
}
item.SecurityTokenServiceEndpoints.Add(new EndpointAddress( new Uri(data.ActiveStsEndpoint).AbsoluteUri));
item.Contacts.Add(new ContactPerson(ContactType.Technical)
{
Company = data.MainContact.Company,
GivenName = data.MainContact.GivenName,
Surname = data.MainContact.SurName,
EmailAddresses = { data.MainContact.Email },
TelephoneNumbers = { data.MainContact.Phone }
});
metadata.RoleDescriptors.Add(item);
XmlTextWriter writer = new XmlTextWriter(fileName, Encoding.UTF8);
serializer.WriteMetadata(writer, metadata);
writer.Close();
}
/// <summary>
/// Parses the federation metadata document and gets issuer Name and Signing Certificates
/// </summary>
/// <param name="metadataAddress">URL of the Federation Metadata document</param>
/// <param name="issuer">Issuer Name</param>
/// <param name="signingTokens">Signing Certificates in the form of X509SecurityToken</param>
static void GetTenantInformation(string metadataAddress, out string issuer, out List<X509SecurityToken> signingTokens)
{
signingTokens = new List<X509SecurityToken>();
// The issuer and signingTokens are cached for 24 hours. They are updated if any of the conditions in the if condition is true.
if (DateTime.UtcNow.Subtract(_stsMetadataRetrievalTime).TotalHours > 24
|| string.IsNullOrEmpty(_issuer)
|| _signingTokens == null)
{
MetadataSerializer serializer = new MetadataSerializer()
{
CertificateValidationMode = X509CertificateValidationMode.None
};
MetadataBase metadata = serializer.ReadMetadata(XmlReader.Create(metadataAddress));
EntityDescriptor entityDescriptor = (EntityDescriptor)metadata;
// get the issuer name
if (!string.IsNullOrWhiteSpace(entityDescriptor.EntityId.Id))
{
_issuer = entityDescriptor.EntityId.Id;
}
// get the signing certs
_signingTokens = ReadSigningCertsFromMetadata(entityDescriptor);
_stsMetadataRetrievalTime = DateTime.UtcNow;
}
issuer = _issuer;
signingTokens = _signingTokens;
}
public Issuer AddIdentityProvider(string displayName, byte[] fedMetadata)
{
try
{
var client = this.CreateManagementServiceClient();
string metadataImporter = string.Format(CultureInfo.InvariantCulture, "https://{0}.{1}/{2}", this.serviceNamespace, Constants.AcsHostName, Constants.MetadataImportHead);
var postRequest = (HttpWebRequest)WebRequest.Create(metadataImporter);
postRequest.Method = "POST";
this.AttachTokenWithWritePermissions(postRequest);
using (Stream postStream = postRequest.GetRequestStream())
{
for (int i = 0; i < fedMetadata.Length; i++)
{
postStream.WriteByte(fedMetadata[i]);
}
}
HttpWebResponse resp;
try
{
resp = (HttpWebResponse)postRequest.GetResponse();
}
catch (WebException e)
{
resp = (HttpWebResponse)e.Response;
string responseHtml;
using (var stream = resp.GetResponseStream())
{
using (var reader = new StreamReader(stream))
{
responseHtml = reader.ReadToEnd();
}
}
throw new WebException(responseHtml, e);
}
string identityProviderName;
var serializer = new MetadataSerializer();
using (var memoryStream = new MemoryStream(fedMetadata))
{
var metadata = serializer.ReadMetadata(memoryStream) as EntityDescriptor;
identityProviderName = metadata.EntityId.Id;
}
var newIdentityProvider = client.IdentityProviders.Where(idp => idp.DisplayName == identityProviderName).FirstOrDefault();
if (newIdentityProvider == null)
{
throw new InvalidOperationException("Identity Provider: " + identityProviderName + " does not exist");
}
// Update display name
newIdentityProvider.DisplayName = displayName;
client.UpdateObject(newIdentityProvider);
client.SaveChanges();
// Update and return issuer
Issuer issuer = client.Issuers.Where(i => i.Name == identityProviderName).FirstOrDefault();
if (issuer == null)
{
throw new InvalidOperationException("Issuer: " + identityProviderName + " does not exist");
}
return issuer;
}
catch (Exception ex)
{
throw TryGetExceptionDetails(ex);
}
}
