public static IContentKeyAuthorizationPolicyOption AddTokenRestrictedAuthorizationPolicyAES(IContentKey contentKey, string Audience, string Issuer, IList <TokenClaim> tokenclaimslist, bool AddContentKeyIdentifierClaim, TokenType tokentype, ExplorerTokenType detailedtokentype, TokenVerificationKey mytokenverificationkey, CloudMediaContext _context, string openIdDiscoveryPath = null)
{
string tokenTemplateString = GenerateTokenRequirements(tokentype, Audience, Issuer, tokenclaimslist, AddContentKeyIdentifierClaim, mytokenverificationkey, openIdDiscoveryPath);
string tname = detailedtokentype.ToString();
List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
ContentKeyAuthorizationPolicyRestriction restriction =
new ContentKeyAuthorizationPolicyRestriction
{
Name = tname + " Token Authorization Policy",
KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
Requirements = tokenTemplateString
};
restrictions.Add(restriction);
//You could have multiple options
IContentKeyAuthorizationPolicyOption policyOption =
_context.ContentKeyAuthorizationPolicyOptions.Create(
"Token option",
ContentKeyDeliveryType.BaselineHttp,
restrictions,
null // no key delivery data is needed for HLS
);
return(policyOption);
}
static public void AddOpenAuthorizationPolicy(IContentKey contentKey)
{
// Create ContentKeyAuthorizationPolicy with Open restrictions and create authorization policy
IContentKeyAuthorizationPolicy policy = context.ContentKeyAuthorizationPolicies.CreateAsync("Open Authorization Policy").Result;
List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
ContentKeyAuthorizationPolicyRestriction restriction =
new ContentKeyAuthorizationPolicyRestriction
{
Name = "HLS Open Authorization Policy",
KeyRestrictionType = (int)ContentKeyRestrictionType.Open,
Requirements = null // no requirements needed for HLS
};
restrictions.Add(restriction);
IContentKeyAuthorizationPolicyOption policyOption =
context.ContentKeyAuthorizationPolicyOptions.Create(
"policy",
ContentKeyDeliveryType.BaselineHttp,
restrictions,
"");
policy.Options.Add(policyOption);
// Add ContentKeyAutorizationPolicy to ContentKey
contentKey.AuthorizationPolicyId = policy.Id;
IContentKey updatedKey = contentKey.UpdateAsync().Result;
}
public IContentKey AddAuthorizationPolicyToContentKey(string assetID, CloudMediaContext mediaContext, IContentKey objIContentKey, string claimType, string claimValue, JwtSecurityToken token)
{
//we name auth policy same as asset
var policy = mediaContext.ContentKeyAuthorizationPolicies.Where(c => c.Name == assetID).FirstOrDefault();
// Create ContentKeyAuthorizationPolicy with restrictions and create authorization policy
if (policy == null)
{
policy = mediaContext.ContentKeyAuthorizationPolicies.CreateAsync(assetID).Result;
}
//naming policyOption same as asset
var policyOption = mediaContext.ContentKeyAuthorizationPolicyOptions.Where(name => name.Name == assetID).FirstOrDefault();
if (policyOption == null)
{
List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
TokenRestrictionTemplate template = new TokenRestrictionTemplate();
template.TokenType = TokenType.JWT;
//Using Active Directory Open ID discovery spec to use Json Web Keys during token verification
template.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument("https://login.windows.net/common/.well-known/openid-configuration");
//Ignore Empty claims
if (!String.IsNullOrEmpty(claimType) && !String.IsNullOrEmpty(claimValue))
{
template.RequiredClaims.Add(new TokenClaim(claimType, claimValue));
}
var audience = token.Audiences.First();
template.Audience = audience;
template.Issuer = token.Issuer;
string requirements = TokenRestrictionTemplateSerializer.Serialize(template);
ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction
{
Name = "Authorization Policy with Token Restriction",
KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
Requirements = requirements
};
restrictions.Add(restriction);
policyOption =
mediaContext.ContentKeyAuthorizationPolicyOptions.Create(assetID,
ContentKeyDeliveryType.BaselineHttp, restrictions, null);
policy.Options.Add(policyOption);
policy.UpdateAsync();
}
// Add ContentKeyAutorizationPolicy to ContentKey
objIContentKey.AuthorizationPolicyId = policy.Id;
IContentKey IContentKeyUpdated = objIContentKey.UpdateAsync().Result;
return(IContentKeyUpdated);
}
private List <ContentKeyAuthorizationPolicyRestriction> CreateContentKeyAuthPolicyRestrictions(string policyName, ContentProtection contentProtection)
{
List <ContentKeyAuthorizationPolicyRestriction> policyRestrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
if (contentProtection.ContentAuthTypeAddress)
{
ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction();
policyRestriction.Name = string.Concat(policyName, Constant.Media.ContentProtection.AuthPolicyAddressRestrictionName);
policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.IPRestricted);
policyRestriction.Requirements = GetAddressRangeXml(contentProtection.ContentAuthAddressRange);
policyRestrictions.Add(policyRestriction);
}
if (contentProtection.ContentAuthTypeToken)
{
string settingKey = Constant.AppSettingKey.DirectoryTenantId;
settingKey = string.Format(settingKey, contentProtection.DirectoryId);
string directoryTenantId = AppSetting.GetValue(settingKey);
settingKey = Constant.AppSettingKey.DirectoryTenantDomain;
settingKey = string.Format(settingKey, contentProtection.DirectoryId);
string directoryTenantDomain = AppSetting.GetValue(settingKey);
string discoveryUrl = Account.GetDiscoveryUrl(contentProtection.DirectoryId, directoryTenantDomain);
if (string.Equals(contentProtection.DirectoryId, Constant.DirectoryService.B2C, StringComparison.OrdinalIgnoreCase))
{
settingKey = Constant.AppSettingKey.DirectoryPolicyIdSignUpIn;
string policyIdSignUpIn = AppSetting.GetValue(settingKey);
discoveryUrl = string.Concat(discoveryUrl, "?p=", policyIdSignUpIn);
}
TokenRestrictionTemplate tokenTemplate = new TokenRestrictionTemplate(TokenType.JWT);
tokenTemplate.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument(discoveryUrl);
tokenTemplate.Issuer = Account.GetIssuerUrl(contentProtection.DirectoryId, directoryTenantId);
tokenTemplate.Audience = contentProtection.Audience;
ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction();
policyRestriction.Name = string.Concat(policyName, Constant.Media.ContentProtection.AuthPolicyTokenRestrictionName);
policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.TokenRestricted);
policyRestriction.Requirements = TokenRestrictionTemplateSerializer.Serialize(tokenTemplate);
policyRestrictions.Add(policyRestriction);
}
if (policyRestrictions.Count == 0)
{
ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction();
policyRestriction.Name = string.Concat(policyName, Constant.Media.ContentProtection.AuthPolicyOpenRestrictionName);
policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.Open);
policyRestrictions.Add(policyRestriction);
}
return(policyRestrictions);
}
private List <ContentKeyAuthorizationPolicyRestriction> CreateContentKeyAuthPolicyRestrictions(string policyName, ContentProtection contentProtection)
{
List <ContentKeyAuthorizationPolicyRestriction> policyRestrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
if (contentProtection.ContentAuthTypeAddress)
{
ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction();
policyRestriction.Name = string.Concat(policyName, Constants.Media.ContentProtection.AuthPolicyAddressRestrictionName);
policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.IPRestricted);
policyRestriction.Requirements = GetAddressRangeXml(contentProtection.ContentAuthAddressRange);
policyRestrictions.Add(policyRestriction);
}
if (contentProtection.ContentAuthTypeToken)
{
string settingKey = Constants.AppSettingKey.DirectoryDiscoveryUrl;
string discoveryUrl = AppSetting.GetValue(settingKey);
settingKey = Constants.AppSettingKey.DirectoryIssuerUrl;
string issuerUrl = AppSetting.GetValue(settingKey);
settingKey = Constants.AppSettingKey.DirectoryClientId;
string clientId = AppSetting.GetValue(settingKey);
TokenRestrictionTemplate tokenTemplate = new TokenRestrictionTemplate(TokenType.JWT);
tokenTemplate.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument(discoveryUrl);
tokenTemplate.Issuer = issuerUrl;
tokenTemplate.Audience = clientId;
ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction();
policyRestriction.Name = string.Concat(policyName, Constants.Media.ContentProtection.AuthPolicyTokenRestrictionName);
policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.TokenRestricted);
policyRestriction.Requirements = TokenRestrictionTemplateSerializer.Serialize(tokenTemplate);
policyRestrictions.Add(policyRestriction);
}
if (policyRestrictions.Count == 0)
{
ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction();
policyRestriction.Name = string.Concat(policyName, Constants.Media.ContentProtection.AuthPolicyOpenRestrictionName);
policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.Open);
policyRestrictions.Add(policyRestriction);
}
return(policyRestrictions);
}
public static IContentKey AddAuthorizationPolicyToContentKey(CloudMediaContext objCloudMediaContext, IContentKey objIContentKey, string keyId)
{
// Create ContentKeyAuthorizationPolicy with restrictions and create authorization policy
IContentKeyAuthorizationPolicy policy = objCloudMediaContext.ContentKeyAuthorizationPolicies.CreateAsync(keyId).Result;
List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
//ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction
// {
// Name = "Open Authorization Policy",
// KeyRestrictionType = (int)ContentKeyRestrictionType.Open,
// Requirements = null // no requirements
// };
//ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction
//{
// Name = "Authorization Policy with SWT Token Restriction",
// KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
// Requirements = ContentKeyAuthorizationHelper.CreateRestrictionRequirements()
//};
ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction
{
Name = "JWTContentKeyAuthorizationPolicyRestriction",
KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
Requirements = ContentKeyAuthorizationHelper.CreateRestrictionRequirementsForJWT()
};
restrictions.Add(restriction);
IContentKeyAuthorizationPolicyOption policyOption = objCloudMediaContext.ContentKeyAuthorizationPolicyOptions.Create(
keyId,
ContentKeyDeliveryType.BaselineHttp,
restrictions,
"");
policy.Options.Add(policyOption);
// Add ContentKeyAutorizationPolicy to ContentKey
objIContentKey.AuthorizationPolicyId = policy.Id;
IContentKey IContentKeyUpdated = objIContentKey.UpdateAsync().Result;
return(IContentKeyUpdated);
}
private static void CreatePolicyOption(string assetID, CloudMediaContext mediaContext, string claimType, string claim, IContentKeyAuthorizationPolicy policy)
{
IContentKeyAuthorizationPolicyOption policyOption;
List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
List <X509Certificate2> certs = GetX509Certificate2FromADMetadataEndpoint();
JwtSecurityToken token = GetJwtSecurityToken();
TokenRestrictionTemplate template = new TokenRestrictionTemplate();
template.TokenType = TokenType.JWT;
template.PrimaryVerificationKey = new X509CertTokenVerificationKey(certs[0]);
certs.GetRange(1, certs.Count - 1)
.ForEach(c => template.AlternateVerificationKeys.Add(new X509CertTokenVerificationKey(c)));
//Ignore Empty claims
if (!String.IsNullOrEmpty(claimType) && !String.IsNullOrEmpty(claim))
{
template.RequiredClaims.Add(new TokenClaim(claimType, claim));
}
var audience = token.Audiences.First();
template.Audience = new Uri(audience);
template.Issuer = new Uri(token.Issuer);
string requirements = TokenRestrictionTemplateSerializer.Serialize(template);
ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction
{
Name = "Authorization Policy with Token Restriction",
KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
Requirements = requirements
};
restrictions.Add(restriction);
policyOption = mediaContext.ContentKeyAuthorizationPolicyOptions.Create(assetID + "_group:" + claim, ContentKeyDeliveryType.BaselineHttp, restrictions, null);
policy.Options.Add(policyOption);
}
public static string AddTokenRestrictedAuthorizationPolicy(IContentKey contentKey)
{
string tokenTemplateString = GenerateTokenRequirements();
IContentKeyAuthorizationPolicy policy = _context.
ContentKeyAuthorizationPolicies.
CreateAsync("HLS token restricted authorization policy").Result;
List <ContentKeyAuthorizationPolicyRestriction> restrictions =
new List <ContentKeyAuthorizationPolicyRestriction>();
ContentKeyAuthorizationPolicyRestriction restriction =
new ContentKeyAuthorizationPolicyRestriction
{
Name = "Token Authorization Policy",
KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
Requirements = tokenTemplateString
};
restrictions.Add(restriction);
//You could have multiple options
IContentKeyAuthorizationPolicyOption policyOption =
_context.ContentKeyAuthorizationPolicyOptions.Create(
"Token option for HLS",
ContentKeyDeliveryType.BaselineHttp,
restrictions,
null // no key delivery data is needed for HLS
);
policy.Options.Add(policyOption);
// Add ContentKeyAutorizationPolicy to ContentKey
contentKey.AuthorizationPolicyId = policy.Id;
IContentKey updatedKey = contentKey.UpdateAsync().Result;
Console.WriteLine("Adding Key to Asset: Key ID is " + updatedKey.Id);
return(tokenTemplateString);
}
private static IContentKeyAuthorizationPolicyOption CreateFairPlayPolicyOption(byte[] iv)
{
var appCert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
var pfxPasswordId = Guid.NewGuid();
byte[] pfxPasswordBytes = System.Text.Encoding.UTF8.GetBytes(pfxPassword);
IContentKey pfxPasswordKey = _mediaContext.ContentKeys.Create(pfxPasswordId, pfxPasswordBytes, "pfxPasswordKey", ContentKeyType.FairPlayPfxPassword);
var askId = Guid.NewGuid();
IContentKey askKey = _mediaContext.ContentKeys.Create(askId, askBytes, "askKey", ContentKeyType.FairPlayASk);
var restriction = new ContentKeyAuthorizationPolicyRestriction
{
Name = "Open",
KeyRestrictionType = (int)ContentKeyRestrictionType.Open,
Requirements = null
};
var restrictions = new List <ContentKeyAuthorizationPolicyRestriction> {
restriction
};
string configuration = FairPlayConfiguration.CreateSerializedFairPlayOptionConfiguration(
appCert,
pfxPassword,
pfxPasswordId,
askId,
iv);
var policyOption = _mediaContext.ContentKeyAuthorizationPolicyOptions.Create(
"fairPlayTest",
ContentKeyDeliveryType.FairPlay,
restrictions,
configuration);
return(policyOption);
}
static public IContentKeyAuthorizationPolicy AddOpenAuthorizationPolicy(IContentKey contentKey, ContentKeyDeliveryType contentkeydeliverytype, string keydeliveryconfig, CloudMediaContext _context)
{
// Create ContentKeyAuthorizationPolicy with Open restrictions
// and create authorization policy
IContentKeyAuthorizationPolicy policy = _context.
ContentKeyAuthorizationPolicies.
CreateAsync("Open Authorization Policy").Result;
List <ContentKeyAuthorizationPolicyRestriction> restrictions =
new List <ContentKeyAuthorizationPolicyRestriction>();
ContentKeyAuthorizationPolicyRestriction restriction =
new ContentKeyAuthorizationPolicyRestriction
{
Name = "Open Authorization Policy",
KeyRestrictionType = (int)ContentKeyRestrictionType.Open,
Requirements = null // no requirements needed
};
restrictions.Add(restriction);
IContentKeyAuthorizationPolicyOption policyOption =
_context.ContentKeyAuthorizationPolicyOptions.Create(
"policy",
contentkeydeliverytype,
restrictions,
keydeliveryconfig);
policy.Options.Add(policyOption);
// Add ContentKeyAutorizationPolicy to ContentKey
contentKey.AuthorizationPolicyId = policy.Id;
IContentKey updatedKey = contentKey.UpdateAsync().Result;
return(policy);
}
public static ContentKeyRestrictionType GetKeyRestrictionTypeValue(ContentKeyAuthorizationPolicyRestriction restriction)
{
return (ContentKeyRestrictionType)restriction.KeyRestrictionType;
}
public static ContentKeyRestrictionType GetKeyRestrictionTypeValue(ContentKeyAuthorizationPolicyRestriction restriction)
{
return((ContentKeyRestrictionType)restriction.KeyRestrictionType);
}
static IAsset CreateAssetAndProtectedStreamingLocatorInV2(CloudMediaContext v2Client, ConfigWrapper config, string assetNameOrDescription)
{
// Create the input Asset
IAsset originalAsset = v2Client.Assets.Create("input asset", AssetCreationOptions.None);
string filename = Path.GetFileName(config.FilePathToUpload);
IAssetFile assetFile = originalAsset.AssetFiles.Create(filename);
assetFile.Upload(config.FilePathToUpload);
// Submit a job to encode the single input file into an adaptive streaming set
IJob job = v2Client.Jobs.Create("Media Encoder Standard Job");
IMediaProcessor processor = GetMediaEncoderStandardProcessor(v2Client);
ITask task = job.Tasks.AddNew("Adaptive Streaming encode", processor, "Adaptive Streaming", TaskOptions.None);
task.InputAssets.Add(originalAsset);
task.OutputAssets.AddNew(assetNameOrDescription, AssetCreationOptions.None);
job.Submit();
job.GetExecutionProgressTask(CancellationToken.None).Wait();
// Get the output asset to publish
job.Refresh();
IAsset assetToPublish = v2Client.Assets.Where(a => a.Id == job.Tasks[0].OutputAssets[0].Id).First();
// Create the content key
Guid keyId = Guid.NewGuid();
byte[] contentKey = GetRandomBuffer(16);
IContentKey key = v2Client.ContentKeys.Create(keyId, contentKey, "ContentKey", ContentKeyType.EnvelopeEncryption);
// Create ContentKeyAuthorizationPolicy with Open restriction and create authorization policy
IContentKeyAuthorizationPolicy policy = v2Client.ContentKeyAuthorizationPolicies.CreateAsync("Open Authorization Policy").Result;
ContentKeyAuthorizationPolicyRestriction restriction =
new ContentKeyAuthorizationPolicyRestriction
{
Name = "Open Authorization Policy",
KeyRestrictionType = (int)ContentKeyRestrictionType.Open,
Requirements = null
};
List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>();
restrictions.Add(restriction);
var policyOption = v2Client.ContentKeyAuthorizationPolicyOptions.Create("policy", ContentKeyDeliveryType.BaselineHttp, restrictions, "");
policy.Options.Add(policyOption);
// Add ContentKeyAuthorizationPolicy to ContentKey
key.AuthorizationPolicyId = policy.Id;
key.Update();
assetToPublish.ContentKeys.Add(key);
Uri keyAcquisitionUri = key.GetKeyDeliveryUrl(ContentKeyDeliveryType.BaselineHttp);
UriBuilder uriBuilder = new UriBuilder(keyAcquisitionUri);
uriBuilder.Query = String.Empty;
keyAcquisitionUri = uriBuilder.Uri;
// The following policy configuration specifies:
// key url that will have KID=<Guid> appended to the envelope and
// the Initialization Vector (IV) to use for the envelope encryption.
var assetDeliveryPolicyConfiguration = new Dictionary <AssetDeliveryPolicyConfigurationKey, string>
{
{ AssetDeliveryPolicyConfigurationKey.EnvelopeBaseKeyAcquisitionUrl, keyAcquisitionUri.ToString() },
};
var assetDeliveryPolicy = v2Client.AssetDeliveryPolicies.Create("AssetDeliveryPolicy",
AssetDeliveryPolicyType.DynamicEnvelopeEncryption,
AssetDeliveryProtocol.SmoothStreaming | AssetDeliveryProtocol.HLS | AssetDeliveryProtocol.Dash,
assetDeliveryPolicyConfiguration);
// Add AssetDelivery Policy to the asset
assetToPublish.DeliveryPolicies.Add(assetDeliveryPolicy);
// Create a 30-day readonly access policy.
// You cannot create a streaming locator using an AccessPolicy that includes write or delete permissions.
IAccessPolicy accessPolicy = v2Client.AccessPolicies.Create("Streaming Access Policy", TimeSpan.FromDays(365 * 100), AccessPermissions.Read);
// Create a locator to the streaming content on an origin.
ILocator originLocator = v2Client.Locators.CreateLocator(LocatorType.OnDemandOrigin, assetToPublish, accessPolicy, DateTime.UtcNow.AddMinutes(-5));
// remove the original input asset as we don't need it for demonstration purposes
originalAsset.Delete();
return(assetToPublish);
}
