public Decision Decide(EsriWebIdentity esriIdentity)
{
Evidence evidence = new Evidence();
Dictionary <string, string[]> dict = new Dictionary <string, string[]>();
foreach (string key in esriIdentity.Keys)
{
dict.Add(key, esriIdentity[key]);
}
// TODO implement chain of evidence reporting for decision
// NOTE this implementation still correctly evaluates the decision
bool isAuthorized = this.AccessControl != null && this.AccessControl.Evaluate(new ReadOnlyDictionary <string, string[]>(dict));
return(new Decision(isAuthorized, evidence));
}
protected override EsriWebIdentity GetIdentityImpl(HttpApplication context)
{
EsriWebIdentity identity = null;
try
{
string dn = context.Request.ClientCertificate.Subject;
if (string.IsNullOrEmpty(dn))
{
throw new Exception("client certificate subject was null or empty");
}
log.DebugFormat("distinguished name: '{0}'", dn);
string[] tokens = dn.Split(new char[] { ',', '/' });
string cn = (from token in tokens where token.TrimStart().ToUpper().StartsWith("CN") select token.Split('=').LastOrDefault()).FirstOrDefault();
log.DebugFormat("common name parsed: '{0}'", cn);
if (string.IsNullOrEmpty(cn))
{
throw new Exception("could not parse common name from distinguished name");
}
cn = cn.Replace(' ', '_');
Dictionary <string, string[]> attributes = new Dictionary <string, string[]>();
//attributes.Add("AWESOME", new string[] { "VERY" });
identity = new EsriWebIdentity(cn, attributes, this.GetType().FullName);
}
catch (Exception ex)
{
log.Error(ex);
}
return(identity);
}
void Module_AuthenticateRequest(object sender, EventArgs e)
{
HttpApplication context = (HttpApplication)sender;
HttpRequest req = context.Request;
if (config == null)
{
throw new HttpException(500, "configuration not available");
}
if (identityProvider == null)
{
throw new HttpException(500, "identity provider not available");
}
// refuse to service insecure requests if specified
if (config.RequireHTTPS && !req.IsSecureConnection)
{
LogEvent(req, "?", 403);
throw new HttpException(403, "must use HTTPS");
}
// check the whitelist before checking the identity provider
if (whitelist.IndexOf(req.UserHostAddress) > -1)
{
LogEvent(req, "WHITELIST", 200);
log.InfoFormat("Whitelisted IP {0} allowed", req.UserHostAddress);
return;
}
// get the identity from the provider
IIdentity identity;
try
{
identity = identityProvider.GetIdentity(context);
if (identity == null)
{
LogEvent(req, "?", 403);
throw new HttpException(403, "no identity found");
}
}
catch (Exception ex)
{
log.Error("error while obtaining identity", ex);
LogEvent(req, "?", 403);
throw new HttpException(403, "unable to authorize with service provider");
}
// set a header with the client certificate's DN, if specified
try
{
if (!string.IsNullOrEmpty(config.ClientDNHeader))
{
req.Headers.Set(config.ClientDNHeader, req.ClientCertificate.Subject);
}
}
catch (Exception)
{
log.Warn("could not set client DN header");
}
// perform the authorization check
EsriWebIdentity esriIdentity = (EsriWebIdentity)identity;
Decision authorizationDecision = decisionPoint.Decide(esriIdentity);
if (authorizationDecision == null || !authorizationDecision.IsAuthorized)
{
LogEvent(req, identity.Name, 403);
throw new HttpException(403, "unauthorized");
}
req.Headers.Set("X-Auth-Evidence", authorizationDecision.Evidence.ToString());
// set the identity for the user if specified
if (config.SetPrincipal)
{
HttpContext.Current.User = new GenericPrincipal(identity, null);
}
}
