/// <summary>
/// Utility function to create an EndpointIdentity from a ClaimSet
/// </summary>
/// <param name="claims">Claims to create the EndpointIdentity with</param>
/// <returns>An EndpointIdentity</returns>
private EndpointIdentity CreateIdentityFromClaimSet(ClaimSet claims)
{
foreach (Claim claim in claims.FindClaims(null, Rights.Identity))
{
return(EndpointIdentity.CreateIdentity(claim));
}
return(null);
}
public string GetClaim(string claimUri)
{
foreach (Claim claim in m_identityClaims.FindClaims(claimUri, Rights.PossessProperty))
{
return(GetResourceValue(claim));
}
throw new ArgumentException(String.Format("Claim {0} not found", claimUri));
}
static bool TryCreateIdentity(ClaimSet claimSet, string claimType, out EndpointIdentity identity)
{
identity = null;
foreach (Claim claim in claimSet.FindClaims(claimType, null))
{
identity = EndpointIdentity.CreateIdentity(claim);
return(true);
}
return(false);
}
private Claim CheckDnsEquivalence(ClaimSet claimSet, string expectedSpn)
{
foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Spn, Rights.PossessProperty))
{
if (expectedSpn.Equals((string)claim.Resource, StringComparison.OrdinalIgnoreCase))
{
return(claim);
}
}
return(null);
}
bool TryGetStringClaimValue(ClaimSet claimSet, string claimType, out string claimValue)
{
claimValue = null;
IEnumerable<Claim> matchingClaims = claimSet.FindClaims(claimType, Rights.PossessProperty);
if (matchingClaims == null)
return false;
IEnumerator<Claim> enumerator = matchingClaims.GetEnumerator();
enumerator.MoveNext();
claimValue = (enumerator.Current.Resource == null) ? null : enumerator.Current.Resource.ToString();
return true;
}
public static Claim FindClaim(ServiceSecurityContext context)
{
for (int i = 0; i < context.AuthorizationContext.ClaimSets.Count; i++)
{
ClaimSet set = context.AuthorizationContext.ClaimSets[i];
IEnumerator <Claim> enumerator = set.FindClaims(ClaimTypes.Rsa, null).GetEnumerator();
if (enumerator.MoveNext())
{
return(enumerator.Current);
}
}
return(null);
}
Claim CheckDnsEquivalence(ClaimSet claimSet, string expectedSpn)
{
// host/<machine-name> satisfies the DNS identity claim
IEnumerable <Claim> claims = claimSet.FindClaims(ClaimTypes.Spn, Rights.PossessProperty);
foreach (Claim claim in claims)
{
if (expectedSpn.Equals((string)claim.Resource, StringComparison.OrdinalIgnoreCase))
{
return(claim);
}
}
return(null);
}
public string GetSaml11Token()
{
var claimSets = new List <ClaimSet>(ServiceSecurityContext.Current.AuthorizationContext.ClaimSets);
ClaimSet claimSet = claimSets.Find((Predicate <ClaimSet>) delegate(ClaimSet target)
{
WindowsClaimSet defaultClaimSet = target.Issuer as WindowsClaimSet;
return(defaultClaimSet != null);
});
var accessControlClaims = claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty);
SamlAssertion assertion = Saml11Helper.CreateSamlAssertionFromUserNameClaims(accessControlClaims);
SamlSecurityToken token = new SamlSecurityToken(assertion);
return(Saml11Helper.SerializeSamlToken(token));
}
bool TryGetStringClaimValue(ClaimSet claimSet, string claimType, out string claimValue)
{
claimValue = null;
IEnumerable <Claim> matchingClaims = claimSet.FindClaims(claimType, Rights.PossessProperty);
if (matchingClaims == null)
{
return(false);
}
IEnumerator <Claim> enumerator = matchingClaims.GetEnumerator();
enumerator.MoveNext();
claimValue = (enumerator.Current.Resource == null) ? null : enumerator.Current.Resource.ToString();
return(true);
}
//<snippet2>
// The FindSomeClaims method looks in the provided ClaimSet for Claims of the specified type and right.
// It returns such Claims in a list.
public static IList <Claim> FindSomeClaims(ClaimSet cs, string type, string right)
{
// Create an empty list
IList <Claim> claims = new List <Claim>();
// Call ClaimSet.FindClaims with the specified type and right. Iterate over the result...
foreach (Claim c in cs.FindClaims(type, right))
{
//...adding each claim to the list
claims.Add(c);
}
// Return the list
return(claims);
}
internal static Claim GetPrimaryIdentityClaim(AuthorizationContext authContext)
{
if (authContext != null)
{
for (int i = 0; i < authContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = authContext.ClaimSets[i];
foreach (Claim claim in claimSet.FindClaims(null, Rights.Identity))
{
return(claim);
}
}
}
return(null);
}
public static Claim FindClaim(ServiceSecurityContext context)
{
Claim result = null;
Fx.Assert(context != null, "ServiceSecurityContext is null!");
for (int i = 0; i < context.AuthorizationContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = context.AuthorizationContext.ClaimSets[i];
IEnumerator <Claim> claims = claimSet.FindClaims(ClaimTypes.Rsa, null).GetEnumerator();
if (claims.MoveNext())
{
result = claims.Current;
break;
}
}
return(result);
}
private static bool TryGetStringClaimValue(ClaimSet claimSet, string claimType, out string claimValue)
{
claimValue = null;
var matchingClaims = claimSet.FindClaims(claimType, Rights.PossessProperty).ToList();
if (!matchingClaims.Any())
{
return(false);
}
var enumerator = matchingClaims.GetEnumerator();
enumerator.MoveNext();
claimValue = (enumerator.Current.Resource == null) ? null : enumerator.Current.Resource.ToString();
return(true);
}
bool TryGetStringClaimValue(ClaimSet claimSet, string claimType, out string claimValue)
{
claimValue = null;
IEnumerable <Claim> matchingClaims = claimSet.FindClaims(claimType, Rights.PossessProperty);
if (matchingClaims == null)
{
return(false);
}
foreach (var claim in matchingClaims)
{
claimValue += (claim.Resource == null) ? null : claim.Resource.ToString() + " ";
}
return(true);
}
/// <summary>
/// Gets the Unique RSA Claim from the SAML token.
/// </summary>
/// <param name="cs">the claimset which contains the claim</param>
/// <returns>a RSA claim</returns>
public static Claim GetUniqueRsaClaim(ClaimSet cs)
{
Claim rsa = null;
foreach (Claim c in cs.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty))
{
if (null == rsa)
{
rsa = c;
}
else if (!rsa.Equals(c))
{
// Found two non-equal RSA claims
return null;
}
}
return rsa;
}
private Exception CreateIdentityCheckException(EndpointIdentity identity, AuthorizationContext authorizationContext, string errorString, EndpointAddress serviceReference)
{
if (((identity.IdentityClaim == null) || !(identity.IdentityClaim.ClaimType == ClaimTypes.Dns)) || (!(identity.IdentityClaim.Right == Rights.PossessProperty) || !(identity.IdentityClaim.Resource is string)))
{
return(new MessageSecurityException(System.ServiceModel.SR.GetString(errorString, new object[] { identity, serviceReference })));
}
string resource = (string)identity.IdentityClaim.Resource;
string str2 = null;
for (int i = 0; i < authorizationContext.ClaimSets.Count; i++)
{
ClaimSet set = authorizationContext.ClaimSets[i];
foreach (Claim claim in set.FindClaims(ClaimTypes.Dns, Rights.PossessProperty))
{
if (claim.Resource is string)
{
str2 = (string)claim.Resource;
break;
}
}
if (str2 != null)
{
break;
}
}
if ("IdentityCheckFailedForIncomingMessage".Equals(errorString))
{
if (str2 == null)
{
return(new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForIncomingMessageLackOfDnsClaim", new object[] { resource })));
}
return(new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForIncomingMessage", new object[] { resource, str2 })));
}
if ("IdentityCheckFailedForOutgoingMessage".Equals(errorString))
{
if (str2 == null)
{
return(new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForOutgoingMessageLackOfDnsClaim", new object[] { resource })));
}
return(new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForOutgoingMessage", new object[] { resource, str2 })));
}
return(new MessageSecurityException(System.ServiceModel.SR.GetString(errorString, new object[] { identity, serviceReference })));
}
/// <summary>
/// Gets the name of the issuer.
/// </summary>
/// <param name="issuerClaimSet">Claim set for the issuer.</param>
/// <returns>Name of the issuer.</returns>
private static string GetIssuer(ClaimSet issuerClaimSet)
{
if (issuerClaimSet == null)
{
throw new ArgumentNullException("issuerClaimSet");
}
var claimTypes = issuerClaimSet.FindClaims(ClaimTypes.Name, Rights.PossessProperty);
if (claimTypes == null)
{
return(ClaimsIdentity.DefaultIssuer);
}
var iterator = claimTypes.GetEnumerator();
if (iterator.MoveNext())
{
return((string)iterator.Current.Resource);
}
return(ClaimsIdentity.DefaultIssuer);
}
/// <summary>
/// Gets the Unique RSA Claim from the SAML token.
/// </summary>
/// <param name="cs">the claimset which contains the claim</param>
/// <returns>a RSA claim</returns>
private static Claim GetUniqueRsaClaim(ClaimSet cs)
{
Contract.Requires <ArgumentNullException>(cs != null);
Claim rsa = null;
foreach (Claim c in cs.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty))
{
if (null == rsa)
{
rsa = c;
}
else if (!rsa.Equals(c))
{
// Found two non-equal RSA claims
return(null);
}
}
return(rsa);
}
/// <summary>
/// Gets the Unique RSA Claim from the SAML token.
/// </summary>
/// <param name="cs">the claimset which contains the claim</param>
/// <returns>a RSA claim</returns>
private static Claim GetUniqueRsaClaim(ClaimSet cs)
{
Requires.NotNull(cs, "cs");
Claim rsa = null;
foreach (Claim c in cs.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty))
{
if (null == rsa)
{
rsa = c;
}
else if (!rsa.Equals(c))
{
// Found two non-equal RSA claims
return(null);
}
}
return(rsa);
}
bool TryGetClaimValue <TClaimResource>(ClaimSet claimSet, string claimType, out TClaimResource resourceValue)
where TClaimResource : class
{
resourceValue = default(TClaimResource);
IEnumerable <Claim> matchingClaims = claimSet.FindClaims(claimType, Rights.PossessProperty);
if (matchingClaims == null)
{
return(false);
}
IEnumerator <Claim> enumerator = matchingClaims.GetEnumerator();
if (enumerator.MoveNext())
{
resourceValue = (enumerator.Current.Resource == null) ? null : (enumerator.Current.Resource as TClaimResource);
return(true);
}
else
{
return(false);
}
}
private Claim CheckDnsEquivalence(ClaimSet claimSet, string expectedSpn)
{
foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Spn, Rights.PossessProperty))
{
if (expectedSpn.Equals((string) claim.Resource, StringComparison.OrdinalIgnoreCase))
{
return claim;
}
}
return null;
}
internal Claim CheckDnsEquivalence(ClaimSet claimSet, string expectedSpn)
{
// host/<machine-name> satisfies the DNS identity claim
IEnumerable<Claim> claims = claimSet.FindClaims(ClaimTypes.Spn, Rights.PossessProperty);
foreach (Claim claim in claims)
{
if (expectedSpn.Equals((string)claim.Resource, StringComparison.OrdinalIgnoreCase))
{
return claim;
}
}
return null;
}
/// <summary>
/// Gets the Unique RSA Claim from the SAML token.
/// </summary>
/// <param name="cs">the claimset which contains the claim</param>
/// <returns>a RSA claim</returns>
private static Claim GetUniqueRsaClaim(ClaimSet cs)
{
Contract.Requires(cs != null);
ErrorUtilities.VerifyArgumentNotNull(cs, "cs");
Claim rsa = null;
foreach (Claim c in cs.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty)) {
if (null == rsa) {
rsa = c;
} else if (!rsa.Equals(c)) {
// Found two non-equal RSA claims
return null;
}
}
return rsa;
}
/// <summary>
/// Application level check for claims at the BookStoreSTS
/// </summary>
/// <param name="bookID">ID of the book intended for purchase</param>
/// <returns>True on success. False on failure.</returns>
private static bool CheckIfPurchaseLimitMet(string bookID)
{
// Extract the AuthorizationContext from the ServiceSecurityContext
AuthorizationContext authContext = OperationContext.Current.ServiceSecurityContext.AuthorizationContext;
// If there are no Claims in the AuthorizationContext, return false
// The issued token used to authenticate should contain claims
if (authContext.ClaimSets == null)
{
return(false);
}
// If there is more than two ClaimSets in the AuthorizationContext, return false
// The issued token used to authenticate should only contain two sets of claims.
if (authContext.ClaimSets.Count != 2)
{
return(false);
}
List <ClaimSet> claimsets = new List <ClaimSet>(authContext.ClaimSets);
ClaimSet myClaimSet = claimsets.Find((Predicate <ClaimSet>) delegate(ClaimSet target)
{
X509CertificateClaimSet certClaimSet = target.Issuer as X509CertificateClaimSet;
return(certClaimSet != null && certClaimSet.X509Certificate.Subject == "CN=HomeRealmSTS.com");
});
// Is the ClaimSet was NOT issued by the HomeRealmSTS then return false
// The BookStoreSTS only accepts requests where the client authenticated using a token
// issued by the HomeRealmSTS.
if (!IssuedByHomeRealmSTS(myClaimSet))
{
return(false);
}
// Find all the PurchaseLimit claims
IEnumerable <Claim> purchaseLimitClaims = myClaimSet.FindClaims(Constants.PurchaseLimitClaim, Rights.PossessProperty);
// If there are no PurchaseLimit claims, return false
// The HomeRealmSTS issues tokens containing PurchaseLimit claims for all authorized requests.
if (purchaseLimitClaims == null)
{
return(false);
}
// Get the price of the book being purchased...
double bookPrice = GetBookPrice(bookID);
// Iterate through the PurchaseLimit claims and verify that the Resource value is
// greater than or equal to the price of the book being purchased
foreach (Claim c in purchaseLimitClaims)
{
double purchaseLimit = Double.Parse(c.Resource.ToString());
if (purchaseLimit >= bookPrice)
{
return(true);
}
}
// If no PurchaseLimit claim had a resource value that was greater than or equal
// to the price of the book being purchased, return false
return(false);
}
/// <summary>
/// Utility function to create an EndpointIdentity from a ClaimSet
/// </summary>
/// <param name="claims">Claims to create the EndpointIdentity with</param>
/// <returns>An EndpointIdentity</returns>
private EndpointIdentity CreateIdentityFromClaimSet(ClaimSet claims)
{
foreach (Claim claim in claims.FindClaims(null, Rights.Identity))
{
return EndpointIdentity.CreateIdentity(claim);
}
return null;
}
/// <summary>
/// Gets the Unique RSA Claim from the SAML token.
/// </summary>
/// <param name="cs">the claimset which contains the claim</param>
/// <returns>a RSA claim</returns>
private static Claim GetUniqueRsaClaim(ClaimSet cs) {
Requires.NotNull(cs, "cs");
Claim rsa = null;
foreach (Claim c in cs.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty)) {
if (null == rsa) {
rsa = c;
} else if (!rsa.Equals(c)) {
// Found two non-equal RSA claims
return null;
}
}
return rsa;
}
Exception CreateIdentityCheckException(EndpointIdentity identity, AuthorizationContext authorizationContext, string errorString, EndpointAddress serviceReference)
{
Exception result;
if (identity.IdentityClaim != null &&
identity.IdentityClaim.ClaimType == ClaimTypes.Dns &&
identity.IdentityClaim.Right == Rights.PossessProperty &&
identity.IdentityClaim.Resource is string)
{
string expectedDnsName = (string)identity.IdentityClaim.Resource;
string actualDnsName = null;
for (int i = 0; i < authorizationContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = authorizationContext.ClaimSets[i];
foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Dns, Rights.PossessProperty))
{
if (claim.Resource is string)
{
actualDnsName = (string)claim.Resource;
break;
}
}
if (actualDnsName != null)
{
break;
}
}
if (SR.IdentityCheckFailedForIncomingMessage.Equals(errorString))
{
if (actualDnsName == null)
{
result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForIncomingMessageLackOfDnsClaim, expectedDnsName));
}
else
{
result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForIncomingMessage, expectedDnsName, actualDnsName));
}
}
else if (SR.IdentityCheckFailedForOutgoingMessage.Equals(errorString))
{
if (actualDnsName == null)
{
result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForOutgoingMessageLackOfDnsClaim, expectedDnsName));
}
else
{
result = new MessageSecurityException(SR.Format(SR.DnsIdentityCheckFailedForOutgoingMessage, expectedDnsName, actualDnsName));
}
}
else
{
result = new MessageSecurityException(SR.Format(errorString, identity, serviceReference));
}
}
else
{
result = new MessageSecurityException(SR.Format(errorString, identity, serviceReference));
}
return(result);
}
Claim CheckDnsEquivalence(ClaimSet claimSet, string expedtedDns)
{
IEnumerable<Claim> claims = claimSet.FindClaims(ClaimTypes.Dns, Rights.PossessProperty);
foreach (Claim claim in claims)
{
// 格外允许"localhost"
if (expedtedDns.Equals("localhost", StringComparison.OrdinalIgnoreCase))
{
return claim;
}
string strCurrent = (string)claim.Resource;
// 格外允许"DigitalPlatform"和任意出发字符串匹配
if (strCurrent.Equals("DigitalPlatform", StringComparison.OrdinalIgnoreCase))
return claim;
if (expedtedDns.Equals(strCurrent, StringComparison.OrdinalIgnoreCase))
{
return claim;
}
}
return null;
}
/// <summary>
/// Helper function to check if SAML Token was issued by HomeRealmSTS
/// </summary>
/// <returns>True on success. False on failure.</returns>
private static bool IssuedByHomeRealmSTS(ClaimSet myClaimSet)
{
// Extract the issuer ClaimSet
ClaimSet issuerClaimSet = myClaimSet.Issuer;
// If the Issuer is null, return false.
if (issuerClaimSet == null)
{
return(false);
}
// Find all the Thumbprint claims in the issuer ClaimSet
IEnumerable <Claim> issuerClaims = issuerClaimSet.FindClaims(ClaimTypes.Thumbprint, null);
// If there are no Thumbprint claims, return false;
if (issuerClaims == null)
{
return(false);
}
// Get the enumerator for the set of Thumbprint claims...
IEnumerator <Claim> issuerClaimsEnum = issuerClaims.GetEnumerator();
// ...and set issuerClaim to the first such Claim
Claim issuerClaim = null;
if (issuerClaimsEnum.MoveNext())
{
issuerClaim = issuerClaimsEnum.Current;
}
// If there was no Thumbprint claim, return false;
if (issuerClaim == null)
{
return(false);
}
// If, despite the above checks, the returned claim is not a Thumbprint claim, return false
if (issuerClaim.ClaimType != ClaimTypes.Thumbprint)
{
return(false);
}
// If the returned claim doesn't contain a Resource, return false
if (issuerClaim.Resource == null)
{
return(false);
}
// Extract the thmubprint data from the claim
byte[] issuerThumbprint = (byte[])issuerClaim.Resource;
// Extract the thumbprint for the HomeRealmSTS.com certificate
byte[] certThumbprint = FederationUtilities.GetCertificateThumbprint(ServiceConstants.CertStoreName,
ServiceConstants.CertStoreLocation,
ServiceConstants.IssuerDistinguishedName);
// If the lengths of the two thumbprints are different, return false
if (issuerThumbprint.Length != certThumbprint.Length)
{
return(false);
}
// Check the individual bytes of the two thumbprints for equality...
for (int i = 0; i < issuerThumbprint.Length; i++)
{
//... if any byte in the thumbprint from the claim does NOT match the corresponding
// byte from the thumbprint in the BookStoreSTS.com certificate, return false
if (issuerThumbprint[i] != certThumbprint[i])
{
return(false);
}
}
// If we get through all the above checks, return true (ClaimSet was issued by HomeRealmSTS.com)
return(true);
}
/// <summary>
/// Implementation of the framework level access control mechanism via ServiceAuthorizationManager
/// </summary>
/// <returns>True on success. False on failure.</returns>
public override bool CheckAccess(OperationContext operationContext)
{
// BrowseBooks is always authorized, so return true
if (operationContext.IncomingMessageHeaders.Action == ServiceConstants.BrowseBooksAction)
{
return(true);
}
// If the requested operation is NOT BuyBook, return false (Access Denied)
// The only operation we support apart from BrowseBooks is BuyBook
if (operationContext.IncomingMessageHeaders.Action != ServiceConstants.BuyBookAction)
{
return(false);
}
// Extract the AuthorizationContext from the ServiceSecurityContext
AuthorizationContext authContext = operationContext.ServiceSecurityContext.AuthorizationContext;
// If there are no Claims in the AuthorizationContext, return false (Access Denied)
// The issued token used to authenticate should contain claims
if (authContext.ClaimSets == null)
{
return(false);
}
// If there is more than one ClaimSet in the AuthorizationContext, return false (Access Denied).
// The issued token used to authenticate should only contain a single set of claims.
if (authContext.ClaimSets.Count != 2)
{
return(false);
}
// Extract the single ClaimSet from the AuthorizationContext
List <ClaimSet> claimsets = new List <ClaimSet>(authContext.ClaimSets);
ClaimSet myClaimSet = claimsets.Find((Predicate <ClaimSet>) delegate(ClaimSet target)
{
X509CertificateClaimSet certClaimSet = target.Issuer as X509CertificateClaimSet;
return(certClaimSet != null && certClaimSet.X509Certificate.Subject == "CN=BookStoreSTS.com");
});
// Is the ClaimSet was NOT issued by the BookStoreSTS then return false (Access Denied)
// The BookStoreService only accepts requests where the client authenticated using a token
// issued by the BookStoreSTS.
if (!IssuedByBookStoreSTS(myClaimSet))
{
return(false);
}
// Find all the PurchaseAuthorized claims
IEnumerable <Claim> purchaseAllowedClaims = myClaimSet.FindClaims(Constants.PurchaseAuthorizedClaim, Rights.PossessProperty);
// If there are no PurchaseAuthorized claims, return false (Access Denied)
// The BookStoreSTS issues tokens containing PurchaseAuthorized claims for all authorized requests.
if (purchaseAllowedClaims == null)
{
return(false);
}
// Get the book name being purchased...
string bookName = operationContext.IncomingMessageHeaders.GetHeader <string>(Constants.BookNameHeaderName, Constants.BookNameHeaderNamespace);
// ..and if it's null or empty, return false (Access Denied)
if (string.IsNullOrEmpty(bookName))
{
return(false);
}
// Iterate through the PurchaseAllowed claims and verify that the Resource value is
// the same as the book name retrieved above
foreach (Claim claim in purchaseAllowedClaims)
{
string authorizedBook = claim.Resource.ToString();
if (!string.IsNullOrEmpty(authorizedBook) && authorizedBook.Trim().Equals(bookName.Trim(), StringComparison.OrdinalIgnoreCase))
{
return(true);
}
}
// If no PurchaseAllowed claim had a resource value that matched the
// book name, return false (Access Denied)
return(false);
}