protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsSecurityToken token2 = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(token2.WindowsIdentity, token2.AuthenticationType, this.includeWindowsGroups, token2.ValidTo);
return(System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo));
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsSecurityToken windowsToken = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, _includeWindowsGroups, windowsToken.ValidTo);
return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo));
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
try
{
X509Certificate2 cert = ((X509CertificateClaimSet)evaluationContext.ClaimSets[0]).X509Certificate;
string thumbPrint = cert.Thumbprint;
string acct = System.Configuration.ConfigurationManager.AppSettings[thumbPrint];
var winId = new System.Security.Principal.WindowsIdentity(acct);
var wClaimSet = new WindowsClaimSet(winId);
evaluationContext.Properties["Principal"] = new WindowsPrincipal(winId);
evaluationContext.AddClaimSet(this, wClaimSet);
return(true);
}
catch (Exception e)
{
Console.Write(e.Message);
return(false);
}
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
X509SecurityToken x509Token = (X509SecurityToken)token;
this.validator.Validate(x509Token.Certificate);
X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, this.cloneHandle);
if (!this.mapToWindows)
{
return(SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo));
}
WindowsClaimSet windowsClaimSet;
if (token is X509WindowsSecurityToken)
{
windowsClaimSet = new WindowsClaimSet(((X509WindowsSecurityToken)token).WindowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, this.cloneHandle);
}
else
{
// Ensure NT_AUTH chain policy for certificate account mapping
X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate);
WindowsIdentity windowsIdentity = null;
// for Vista, LsaLogon supporting mapping cert to NTToken
if (Environment.OSVersion.Version.Major >= SecurityUtils.WindowsVistaMajorNumber)
{
windowsIdentity = KerberosCertificateLogon(x509Token.Certificate);
}
else
{
// Downlevel, S4U over PrincipalName SubjectAltNames
string name = x509Token.Certificate.GetNameInfo(X509NameType.UpnName, false);
if (string.IsNullOrEmpty(name))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.InvalidNtMapping,
SecurityUtils.GetCertificateId(x509Token.Certificate))));
}
using (WindowsIdentity initialWindowsIdentity = new WindowsIdentity(name, SecurityUtils.AuthTypeCertMap))
{
// This is to make sure that the auth Type is shoved down to the class as the above constructor does not do it.
windowsIdentity = new WindowsIdentity(initialWindowsIdentity.Token, SecurityUtils.AuthTypeCertMap);
}
}
windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false);
}
List <ClaimSet> claimSets = new List <ClaimSet>(2);
claimSets.Add(windowsClaimSet);
claimSets.Add(x509ClaimSet);
List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1);
policies.Add(new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo));
return(policies.AsReadOnly());
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
#if SUPPORTS_WINDOWSIDENTITY // NegotiateStream
WindowsSecurityToken windowsToken = (WindowsSecurityToken)token;
WindowsClaimSet claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, this.includeWindowsGroups, windowsToken.ValidTo);
return(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo));
#else // SUPPORTS_WINDOWSIDENTITY
throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported);
#endif // SUPPORTS_WINDOWSIDENTITY
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password)
{
if (IsAuthenticated(userName, password))
{
var name = userName.Split('\\')[1];
var policies = new List <IAuthorizationPolicy>(1);
var claimSet = new WindowsClaimSet(new WindowsIdentity(name), true);
policies.Add(new SecurityTokenAuthorizationPolicy(claimSet));
return(policies.AsReadOnly());
}
return(null);
}
internal static ClaimSet CloneClaimSetIfNecessary(ClaimSet claimSet)
{
if (claimSet != null)
{
WindowsClaimSet set = claimSet as WindowsClaimSet;
if (set != null)
{
return(set.Clone());
}
}
return(claimSet);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
WindowsClaimSet set2;
X509SecurityToken token2 = (X509SecurityToken)token;
this.validator.Validate(token2.Certificate);
X509CertificateClaimSet claimSet = new X509CertificateClaimSet(token2.Certificate, this.cloneHandle);
if (!this.mapToWindows)
{
return(System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, token2.ValidTo));
}
if (token is X509WindowsSecurityToken)
{
set2 = new WindowsClaimSet(((X509WindowsSecurityToken)token).WindowsIdentity, "SSL/PCT", this.includeWindowsGroups, this.cloneHandle);
}
else
{
X509CertificateValidator.NTAuthChainTrust.Validate(token2.Certificate);
WindowsIdentity windowsIdentity = null;
if (Environment.OSVersion.Version.Major >= 6)
{
windowsIdentity = KerberosCertificateLogon(token2.Certificate);
}
else
{
string nameInfo = token2.Certificate.GetNameInfo(X509NameType.UpnName, false);
if (string.IsNullOrEmpty(nameInfo))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("InvalidNtMapping", new object[] { System.IdentityModel.SecurityUtils.GetCertificateId(token2.Certificate) })));
}
using (WindowsIdentity identity2 = new WindowsIdentity(nameInfo, "SSL/PCT"))
{
windowsIdentity = new WindowsIdentity(identity2.Token, "SSL/PCT");
}
}
set2 = new WindowsClaimSet(windowsIdentity, "SSL/PCT", this.includeWindowsGroups, false);
}
List <ClaimSet> list = new List <ClaimSet>(2)
{
set2,
claimSet
};
return(new List <IAuthorizationPolicy>(1)
{
new UnconditionalPolicy(list.AsReadOnly(), token2.ValidTo)
}.AsReadOnly());
}
protected override ValueTask <ReadOnlyCollection <IAuthorizationPolicy> > ValidateTokenCoreAsync(SecurityToken token)
{
if (token is WindowsSecurityToken)
{
var windowsToken = (WindowsSecurityToken)token;
var claimSet = new WindowsClaimSet(windowsToken.WindowsIdentity, windowsToken.AuthenticationType, _includeWindowsGroups, windowsToken.ValidTo);
return(new ValueTask <ReadOnlyCollection <IAuthorizationPolicy> >(SecurityUtils.CreateAuthorizationPolicies(claimSet, windowsToken.ValidTo)));
}
else
{
var genericToken = (GenericSecurityToken)token;
var claimSet = new WindowsClaimSet(genericToken.GenericIdentity, _includeWindowsGroups, _ldapSettings);
return(new ValueTask <ReadOnlyCollection <IAuthorizationPolicy> >(SecurityUtils.CreateAuthorizationPolicies(claimSet)));
}
}
public string GetSaml11Token()
{
var claimSets = new List <ClaimSet>(ServiceSecurityContext.Current.AuthorizationContext.ClaimSets);
ClaimSet claimSet = claimSets.Find((Predicate <ClaimSet>) delegate(ClaimSet target)
{
WindowsClaimSet defaultClaimSet = target.Issuer as WindowsClaimSet;
return(defaultClaimSet != null);
});
var accessControlClaims = claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty);
SamlAssertion assertion = Saml11Helper.CreateSamlAssertionFromUserNameClaims(accessControlClaims);
SamlSecurityToken token = new SamlSecurityToken(assertion);
return(Saml11Helper.SerializeSamlToken(token));
}
internal static ClaimSet CloneClaimSetIfNecessary(ClaimSet claimSet)
{
if (claimSet != null)
{
WindowsClaimSet wic = claimSet as WindowsClaimSet;
if (wic != null)
{
return(wic.Clone());
}
//X509CertificateClaimSet x509 = claimSet as X509CertificateClaimSet;
//if (x509 != null)
//{
// return x509.Clone();
//}
}
return(claimSet);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
X509SecurityToken x509Token = (X509SecurityToken)token;
_validator.Validate(x509Token.Certificate);
X509CertificateClaimSet x509ClaimSet = new X509CertificateClaimSet(x509Token.Certificate, _cloneHandle);
if (!MapCertificateToWindowsAccount)
{
return(SecurityUtils.CreateAuthorizationPolicies(x509ClaimSet, x509Token.ValidTo));
}
WindowsClaimSet windowsClaimSet;
if (token is X509WindowsSecurityToken x509token)
{
windowsClaimSet = new WindowsClaimSet(x509token.WindowsIdentity, SecurityUtils.AuthTypeCertMap, _includeWindowsGroups, _cloneHandle);
}
else
{
throw new PlatformNotSupportedException();
// Ensure NT_AUTH chain policy for certificate account mapping
//X509CertificateValidator.NTAuthChainTrust.Validate(x509Token.Certificate);
//WindowsIdentity windowsIdentity = null;
//windowsIdentity = KerberosCertificateLogon(x509Token.Certificate);
//windowsClaimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeCertMap, this.includeWindowsGroups, false);
}
List <ClaimSet> claimSets = new List <ClaimSet>(2)
{
windowsClaimSet,
x509ClaimSet
};
List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1)
{
new UnconditionalPolicy(claimSets.AsReadOnly(), x509Token.ValidTo)
};
return(policies.AsReadOnly());
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password)
{
string domain = null;
string[] strings = userName.Split('\\');
if (strings.Length != 1)
{
if (strings.Length != 2 || string.IsNullOrEmpty(strings[0]))
{
// Only support one slash and domain cannot be empty (consistent with windowslogon).
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.IncorrectUserNameFormat));
}
// This is the downlevel case - domain\userName
userName = strings[1];
domain = strings[0];
}
const uint LOGON32_PROVIDER_DEFAULT = 0;
const uint LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
SafeCloseHandle tokenHandle = null;
try
{
if (!NativeMethods.LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out tokenHandle))
{
int error = Marshal.GetLastWin32Error();
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(SR.GetString(SR.FailLogonUser, userName), new Win32Exception(error)));
}
WindowsIdentity windowsIdentity = new WindowsIdentity(tokenHandle.DangerousGetHandle(), SecurityUtils.AuthTypeBasic);
WindowsClaimSet claimSet = new WindowsClaimSet(windowsIdentity, SecurityUtils.AuthTypeBasic, this.includeWindowsGroups, false);
return(SecurityUtils.CreateAuthorizationPolicies(claimSet, claimSet.ExpirationTime));
}
finally
{
if (tokenHandle != null)
{
tokenHandle.Close();
}
}
}
static void Main(string[] args)
{
var claims = new WindowsClaimSet(WindowsIdentity.GetCurrent());
using (claims)
{
foreach (var claim in claims)
{
Console.WriteLine(string.Format("Claim Type: {0}", claim.ClaimType));
Console.WriteLine(string.Format("Resource: {0}", claim.Resource));
Console.WriteLine(string.Format("Right: {0}", claim.Right));
}
var accessControlClaims = claims.FindClaims(ClaimTypes.Sid, Rights.PossessProperty);
var assertion = CreateSamlAssertionFromWindowsIdentityClaims(accessControlClaims);
var token = new SamlSecurityToken(assertion);
SerializeSamlTokenToFile(token);
Console.ReadKey();
Console.ReadKey();
}
}
/// <summary>
/// Converts a given set of WCF ClaimSets to IDFx ClaimsIdentity.
/// </summary>
/// <param name="claimSets">Collection of <see cref="ClaimSet"/> to convert to IDFx.</param>
/// <param name="securityTokenHandlerConfiguration">The SecurityTokenHandlerConfiguration to use.</param>
/// <returns>ClaimsIdentity</returns>
static ClaimsIdentity ConvertToIDFxIdentity(IList <ClaimSet> claimSets, SecurityTokenHandlerConfiguration securityTokenHandlerConfiguration)
{
if (claimSets == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("claimSets");
}
ClaimsIdentity claimsIdentity = null;
foreach (System.IdentityModel.Claims.ClaimSet claimSet in claimSets)
{
WindowsClaimSet windowsClaimSet = claimSet as WindowsClaimSet;
if (windowsClaimSet != null)
{
//
// The ClaimSet in the authorizationContext is simply a reflection of the NT Token.
// The WindowsClaimsIdentity will generate that information properly. So ignore the ClaimSets.
//
//
// WCF does not propogate the WindowsIdentity.AuthenticationType properly.
// To avoid WindowsClaimsIdentity.AuthenticationType from throwing, specify
// this authenticationType value. Since we only have to handle SPNEGO specify Negotiate.
//
claimsIdentity = MergeClaims(claimsIdentity, new WindowsIdentity(windowsClaimSet.WindowsIdentity.Token,
AuthenticationTypes.Negotiate));
AddAuthenticationMethod(claimsIdentity, AuthenticationMethods.Windows);
AddAuthenticationInstantClaim(claimsIdentity, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated));
}
else
{
claimsIdentity = MergeClaims(claimsIdentity, ClaimsConversionHelper.CreateClaimsIdentityFromClaimSet(claimSet));
AddAuthenticationInstantClaim(claimsIdentity, XmlConvert.ToString(DateTime.UtcNow, DateTimeFormats.Generated));
}
}
return(claimsIdentity);
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateSspiNegotiation(ISspiNegotiation sspiNegotiation)
{
WindowsSspiNegotiation windowsNegotiation = (WindowsSspiNegotiation)sspiNegotiation;
if (!windowsNegotiation.IsValidContext)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new SecurityNegotiationException(System.ServiceModel.SR.GetString("InvalidSspiNegotiation")));
}
SecurityTraceRecordHelper.TraceServiceSpnego(windowsNegotiation);
if (base.IsClientAnonymous)
{
return(System.ServiceModel.Security.EmptyReadOnlyCollection <IAuthorizationPolicy> .Instance);
}
using (System.IdentityModel.SafeCloseHandle handle = windowsNegotiation.GetContextToken())
{
WindowsIdentity identity = new WindowsIdentity(handle.DangerousGetHandle(), windowsNegotiation.ProtocolName);
System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(identity, this.AllowUnauthenticatedCallers);
List <IAuthorizationPolicy> list = new List <IAuthorizationPolicy>(1);
WindowsClaimSet issuance = new WindowsClaimSet(identity, windowsNegotiation.ProtocolName, this.extractGroupsForWindowsAccounts, false);
list.Add(new UnconditionalPolicy(issuance, TimeoutHelper.Add(DateTime.UtcNow, base.ServiceTokenLifetime)));
return(list.AsReadOnly());
}
}
protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password)
{
string lpszDomain = null;
ReadOnlyCollection <IAuthorizationPolicy> onlys;
string[] strArray = userName.Split(new char[] { '\\' });
if (strArray.Length != 1)
{
if ((strArray.Length != 2) || string.IsNullOrEmpty(strArray[0]))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.IdentityModel.SR.GetString("IncorrectUserNameFormat"));
}
userName = strArray[1];
lpszDomain = strArray[0];
}
SafeCloseHandle phToken = null;
try
{
if (!System.IdentityModel.NativeMethods.LogonUser(userName, lpszDomain, password, 8, 0, out phToken))
{
int error = Marshal.GetLastWin32Error();
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("FailLogonUser", new object[] { userName }), new Win32Exception(error)));
}
WindowsIdentity windowsIdentity = new WindowsIdentity(phToken.DangerousGetHandle(), "Basic");
WindowsClaimSet claimSet = new WindowsClaimSet(windowsIdentity, "Basic", this.includeWindowsGroups, false);
onlys = System.IdentityModel.SecurityUtils.CreateAuthorizationPolicies(claimSet, claimSet.ExpirationTime);
}
finally
{
if (phToken != null)
{
phToken.Close();
}
}
return(onlys);
}
internal static string GetIdentityNamesFromContext(AuthorizationContext authContext)
{
if (authContext == null)
{
return(String.Empty);
}
StringBuilder str = new StringBuilder(256);
for (int i = 0; i < authContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = authContext.ClaimSets[i];
// Windows
WindowsClaimSet windows = claimSet as WindowsClaimSet;
if (windows != null)
{
#if SUPPORTS_WINDOWSIDENTITY
if (str.Length > 0)
{
str.Append(", ");
}
AppendIdentityName(str, windows.WindowsIdentity);
#else
throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported);
#endif // SUPPORTS_WINDOWSIDENTITY
}
else
{
// X509
X509CertificateClaimSet x509 = claimSet as X509CertificateClaimSet;
if (x509 != null)
{
if (str.Length > 0)
{
str.Append(", ");
}
AppendCertificateIdentityName(str, x509.X509Certificate);
}
}
}
if (str.Length <= 0)
{
List <IIdentity> identities = null;
object obj;
if (authContext.Properties.TryGetValue(SecurityUtils.Identities, out obj))
{
identities = obj as List <IIdentity>;
}
if (identities != null)
{
for (int i = 0; i < identities.Count; ++i)
{
IIdentity identity = identities[i];
if (identity != null)
{
if (str.Length > 0)
{
str.Append(", ");
}
AppendIdentityName(str, identity);
}
}
}
}
return(str.Length <= 0 ? String.Empty : str.ToString());
}
public SecurityTokenAuthorizationPolicy(WindowsClaimSet claims)
{
this.claims = claims;
}
