/// <summary>
/// The behavior is:
/// 1) if the certificate is blacklisted in base or in any rule ----------------------> Blacklisted.
/// 2) (else) if the base behavior or any rule consider the certificate break-glass --> BreakGlass.
/// 3) (else) if the base behavior is NotAllowed or any rule says NotAllowed ---------> NotAllowed.
/// 4) (else) if any rule says Allowed -----------------------------------------------> Allowed.
/// 5) the certificate is accepted only if the final behavior is 'BreakGlass' or 'Allowed'.
/// </summary>
/// <param name="cert">the certificate to evaluate</param>
/// <param name="chain">the signature chain</param>
/// <param name="sslPolicyErrors">SSL errors from platform</param>
/// <returns>Allowed is a match is found. if no match is found, returns NotAllowed.</returns>
public override Behavior IsValid(X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
Behavior baseBeh = Behavior.Neutral;
foreach (AbstractCertificateRule rule in this.rules)
{
Behavior b = rule.IsValid(cert, chain, sslPolicyErrors);
baseBeh = AbstractCertificateRule.Compose(baseBeh, b);
if (baseBeh == Behavior.BlackListed)
{
CertificateRulesEventSource.Log.AllowIfAllCoherentRule_RuleResult(rule.GetType().ToString(), b.ToString());
return(Behavior.NotAllowed);
}
}
switch (baseBeh)
{
case Behavior.Allowed:
case Behavior.BreakGlassUnlessBlackListed:
return(Behavior.Allowed);
case Behavior.Neutral:
return(Behavior.Neutral);
case Behavior.BlackListed:
case Behavior.NotAllowed:
CertificateRulesEventSource.Log.AllowIfAllCoherentRule_Result(baseBeh.ToString());
return(Behavior.NotAllowed);
default:
return(Behavior.NotAllowed);
}
}
/// <summary>
/// Initializes a new instance of the <see cref="AzureValidationRule"/> class.
/// </summary>
/// <param name="isCertificateIncluded">the function that says if a certificate is included in the list</param>
/// <param name="forTest">if true some relaxations are made for test in DEV-BOX only</param>
public AzureValidationRule(Func <X509Certificate, bool> isCertificateIncluded, bool forTest = false)
{
this.rule = new AllowIfAllAllowedRule(
new IsCertificateTimeValidRule().SetNeutralAsAllow(true),
new ChainIsValidRule(!forTest).SetNeutralAsAllow(true),
new AllowCertificatesRule(isCertificateIncluded));
}
/// <summary>
/// Initializes a new instance of the <see cref="AzureValidationRule"/> class.
/// </summary>
/// <param name="subjectRequired">subject for the certificate to be allowed</param>
/// <param name="signingThumbprintsRequired">thumbprints allowed for the certificate signing the validated certificate</param>
/// <param name="forTest">if true some relaxations are made for test in DEV-BOX only</param>
public AzureValidationRule(string subjectRequired, string[] signingThumbprintsRequired, bool forTest = false)
{
this.rule = new AllowIfAllAllowedRule(
new IsCertificateTimeValidRule().SetNeutralAsAllow(true),
new ChainIsValidRule(!forTest).SetNeutralAsAllow(true),
new AllowCertSubjectRule(new string[] { subjectRequired }),
new AllowSigningCertRule(signingThumbprintsRequired));
}
/// <summary>
/// Initializes a new instance of the <see cref="AllowIfMaskRule"/> class.
/// </summary>
/// <param name="rule">rule to evaluate</param>
/// <param name="mask">mask to compare with</param>
public AllowIfMaskRule(AbstractCertificateRule rule, Behavior mask)
{
if (rule == null)
{
throw new ArgumentNullException("rule");
}
this.rule = rule;
this.mask = mask;
}
/// <summary>
/// takes the action within a lock
/// </summary>
/// <param name="action">action to run</param>
internal void DoInLock(Action action)
{
lock (this.cachedRuleLock)
{
if (action != null)
{
action();
}
this.cachedRule = null;
}
}
/// <summary>
/// Validates the certificate according to the configuration
/// </summary>
/// <param name="cert">certificate to validate</param>
/// <param name="chain">certificate chain</param>
/// <param name="sslPolicyErrors">SSL policy errors coming from the platform</param>
/// <returns>the behavior to follow for this certificate</returns>
public override Behavior IsValid(X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
AbstractCertificateRule rule = this.cachedRule;
if (rule == null)
{
lock (this.cachedRuleLock)
{
if (this.cachedRule == null)
{
this.cachedRule = this.RecomputeRuleSnapshot();
}
rule = this.cachedRule;
}
}
return(rule.IsValid(cert, chain, sslPolicyErrors));
}