public override void Validate(ValidationActions validation)
{
var now = this.Now();
var ctime = this.Response.CTime.AddTicks(this.Response.CuSec / 10);
if (validation.HasFlag(ValidationActions.TokenWindow))
{
this.ValidateTicketSkew(now, this.Skew, ctime);
}
if (!TimeEquals(this.CTime, this.Response.CTime))
{
throw new KerberosValidationException(
$"CTime does not match. Sent: {this.CTime.Ticks}; Received: {this.Response.CTime.Ticks}",
nameof(this.CTime)
);
}
if (this.CuSec != this.Response.CuSec)
{
throw new KerberosValidationException(
$"CuSec does not match. Sent: {this.CuSec}; Received: {this.Response.CuSec}",
nameof(this.CuSec)
);
}
if (this.SequenceNumber != this.Response.SequenceNumber)
{
throw new KerberosValidationException(
$"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
nameof(this.SequenceNumber)
);
}
}
public override void Validate(ValidationActions validation)
{
var now = Now();
var ctime = Response.CTime.AddTicks(Response.CuSec / 10);
if (validation.HasFlag(ValidationActions.TokenWindow))
{
ValidateTicketSkew(now, Skew, ctime);
}
if (KerberosConstants.TimeEquals(CTime, Response.CTime))
{
throw new KerberosValidationException(
$"CTime does not match. Sent: {CTime.Ticks}; Received: {Response.CTime.Ticks}"
);
}
if (CuSec != Response.CuSec)
{
throw new KerberosValidationException(
$"CuSec does not match. Sent: {CuSec}; Received: {Response.CuSec}"
);
}
if (SequenceNumber != Response.SequenceNumber)
{
throw new KerberosValidationException(
$"SequenceNumber does not match. Sent: {SequenceNumber}; Received: {Response.SequenceNumber}"
);
}
}
internal KerberosIdentity(
IEnumerable <Claim> userClaims,
string authenticationType,
string nameType,
string roleType,
IEnumerable <Restriction> restrictions,
ValidationActions validationMode,
string apRep
) : base(userClaims, authenticationType, nameType, roleType)
{
Restrictions = restrictions.GroupBy(r => r.Type).ToDictionary(r => r.Key, r => r.ToList().AsEnumerable());
ValidationMode = validationMode;
ApRep = apRep;
}
public virtual void Validate(ValidationActions validation)
{
// As defined in https://tools.ietf.org/html/rfc1510 A.10 KRB_AP_REQ verification
if (Ticket == null)
{
throw new KerberosValidationException("Ticket is null");
}
if (Authenticator == null)
{
throw new KerberosValidationException("Authenticator is null");
}
if (validation.HasFlag(ValidationActions.ClientPrincipalIdentifier))
{
ValidateClientPrincipalIdentifier();
}
if (validation.HasFlag(ValidationActions.Realm))
{
ValidateRealm();
}
var now = Now();
var ctime = Authenticator.CTime.AddTicks(Authenticator.CuSec / 10);
if (validation.HasFlag(ValidationActions.TokenWindow))
{
ValidateTicketSkew(now, Skew, ctime);
}
if (validation.HasFlag(ValidationActions.StartTime))
{
ValidateTicketStart(now, Skew);
}
if (validation.HasFlag(ValidationActions.EndTime))
{
ValidateTicketEnd(now, Skew);
}
}
public abstract void Validate(ValidationActions validation);
public static ExtendedValidationResult Error(string message,
ValidationActions actions = (ValidationActions.Block | ValidationActions.ShowIndication))
{
return(new ExtendedValidationResult(ResultType.Error, message, actions));
}
public static ExtendedValidationResult Warning(string message, ValidationActions actions = ValidationActions.ShowIndication)
{
return(new ExtendedValidationResult(ResultType.Warning, message, actions));
}
private ExtendedValidationResult(ResultType result, object errorContent, ValidationActions actions) :
base(result == ResultType.Valid, errorContent)
{
Result = result;
Actions = actions;
}
