/// <summary> /// Evaluate the set of incoming claims. /// </summary> /// <param name="evaluationContext">The results of the authorization policies that have been evaluated.</param> /// <param name="state">The current state of the authorization evaluation.</param> /// <returns>true indicates evaluation of the authorization can continue, false will reject the authorization.</returns> public bool Evaluate(EvaluationContext evaluationContext, ref object state) { // A new principal with its associated claims is created for the first identity to have been evaluated by the transport // layer. This principal will be applied to the thread before the operations are called. object property = null; if (evaluationContext.Properties.TryGetValue("Identities", out property)) { List <IIdentity> identities = property as List <IIdentity>; if (identities != null) { foreach (IIdentity iIdentity in identities) { ///HACK - we are only interested custom username if (iIdentity.AuthenticationType != "Kerberos") { ClaimSet claimSet = MapClaims(iIdentity); ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(iIdentity, claimSet); evaluationContext.Properties["Principal"] = claimsPrincipal; evaluationContext.AddClaimSet(this, claimSet); } } } } else { // If there was no identity provided by the transport, then a generic identity with no claims is used. This user // will only be able to access 'Unrestricted' methods of an interface. ClaimSet emptyClaims = new DefaultClaimSet(ClaimsAuthorizationPolicy.IssuerClaimSet, new Claim[] { }); evaluationContext.Properties["Principal"] = new ClaimsPrincipal(new GenericIdentity("Default User"), emptyClaims); } // There is no need to call the evaluation again, everything here is computed in a single pass. return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (null == state) { state = false; } bool hasAddedClaims = (bool)state; if (hasAddedClaims) { return(true);; } IList <Claim> claims = new List <Claim>(); foreach (ClaimSet claimSet in evaluationContext.ClaimSets) { foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Name, Rights.PossessProperty)) { string userName = (string)claim.Resource; } } evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims)); state = true; return(true); }
// public bool Evaluate(EvaluationContext evaluationContext, ref object state) { bool bRet = false; CustomAuthState customstate = null; // If state is null, then this method has not been called before so // set up a custom state. if (state == null) { customstate = new CustomAuthState(); state = customstate; } else { customstate = (CustomAuthState)state; } Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate"); // If we've not added claims yet... if (!customstate.ClaimsAdded) { // Create an empty list of Claims. IList <Claim> claims = new List <Claim>(); // Iterate through each of the claimsets in the evaluation context. foreach (ClaimSet cs in evaluationContext.ClaimSets) { // Look for Name claims in the current claimset. foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty)) { // Get the list of operations the given username is allowed to call. foreach (string s in GetAllowedOpList(c.Resource.ToString())) { // Add claims to the list. claims.Add(new Claim("http://example.org/claims/allowedoperation", s, Rights.PossessProperty)); Console.WriteLine("Claim added {0}", s); } } } // Add claims to the evaluation context. evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims)); // Record that claims have been added. customstate.ClaimsAdded = true; // Return true, indicating the method need not be called again. bRet = true; } else { // Should never get here, but just in case... bRet = true; } return(bRet); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { evaluationContext.AddClaimSet(this, new DefaultClaimSet(Claim.CreateNameClaim(_principal.Identity.Name))); evaluationContext.Properties["Identities"] = new List <IIdentity>(new[] { _principal.Identity }); evaluationContext.Properties["Principal"] = _principal; return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { for (int i = 0; i < this.claimSets.Count; i++) { evaluationContext.AddClaimSet(this, this.claimSets[i]); } if (this.identities != null) { object obj2; if (!evaluationContext.Properties.TryGetValue("Identities", out obj2)) { evaluationContext.Properties.Add("Identities", this.identities); } else { List <IIdentity> list = obj2 as List <IIdentity>; if (list != null) { list.AddRange(this.identities); } } } evaluationContext.RecordExpirationTime(this.expirationTime); return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { for (int i = 0; i < this.claimSets.Count; ++i) { evaluationContext.AddClaimSet(this, this.claimSets[i]); } if (this.identities != null) { object obj; if (!evaluationContext.Properties.TryGetValue(SecurityUtils.Identities, out obj)) { evaluationContext.Properties.Add(SecurityUtils.Identities, this.identities); } else { // null if other overrides the property with something else List <IIdentity> dstIdentities = obj as List <IIdentity>; if (dstIdentities != null) { dstIdentities.AddRange(this.identities); } } } evaluationContext.RecordExpirationTime(this.expirationTime); return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { for (int num1 = 0; num1 < this.claimSets.Count; num1++) { evaluationContext.AddClaimSet(this, this.claimSets[num1]); } if (this.identities != null) { object obj; if (!evaluationContext.Properties.TryGetValue("Identities", out obj)) { evaluationContext.Properties.Add("Identities", (object)this.identities); } else { List <IIdentity> identities = obj as List <IIdentity>; if (identities != null) { identities.AddRange(this.identities); } } } evaluationContext.RecordExpirationTime(this.expirationTime); return(true); }
// This method is expected to be thread safe public bool Evaluate(EvaluationContext ec, ref object state) { lock (ec) { ec.AddClaimSet(this, CreateClaims()); List <IIdentity> list; if (!ec.Properties.ContainsKey("Identities")) { list = new List <IIdentity> (); ec.Properties ["Identities"] = list; } else { IList <IIdentity> ilist = (IList <IIdentity>)ec.Properties ["Identities"]; list = ilist as List <IIdentity>; if (list == null) { list = new List <IIdentity> (ilist); ec.Properties ["Identities"] = list; } } list.Add(CreateIdentity()); ec.RecordExpirationTime(DateTime.MaxValue.AddDays(-1)); } // FIXME: is it correct that this should always return true? return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { evaluationContext.AddClaimSet(this, this.issuance); if (this.identities != null) { object value; IList <IIdentity> contextIdentities; if (!evaluationContext.Properties.TryGetValue("Identities", out value)) { contextIdentities = new List <IIdentity>(this.identities.Count); evaluationContext.Properties.Add("Identities", contextIdentities); } else { contextIdentities = value as IList <IIdentity>; } foreach (IIdentity identity in this.identities) { contextIdentities.Add(identity); } } evaluationContext.RecordExpirationTime(this.expirationTime); return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { AuthorizationPolicy.CustomAuthorizationState customAuthorizationState = null; if (state == null) { customAuthorizationState = new AuthorizationPolicy.CustomAuthorizationState(); } else { customAuthorizationState = (state as AuthorizationPolicy.CustomAuthorizationState); } if (!customAuthorizationState.ClaimsAdded) { IList <Claim> list = new List <Claim>(); Func <Claim, IEnumerable <string> > selector = (Claim ienum) => AuthorizationPolicy.GetAllowedOperationList(ienum.Resource.ToString()); IEnumerable <Claim> source = evaluationContext.ClaimSets.SelectMany((ClaimSet s) => s.FindClaims(ClaimTypes.Name, Rights.PossessProperty)); foreach (string resource in source.SelectMany(selector)) { list.Add(new Claim("http://bam.nexon.com/claims/allowed/operation", resource, Rights.PossessProperty)); } evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, list)); customAuthorizationState.ClaimsAdded = true; return(true); } return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { try { X509Certificate2 cert = ((X509CertificateClaimSet)evaluationContext.ClaimSets[0]).X509Certificate; string thumbPrint = cert.Thumbprint; string acct = System.Configuration.ConfigurationManager.AppSettings[thumbPrint]; var winId = new System.Security.Principal.WindowsIdentity(acct); var wClaimSet = new WindowsClaimSet(winId); evaluationContext.Properties["Principal"] = new WindowsPrincipal(winId); evaluationContext.AddClaimSet(this, wClaimSet); return(true); } catch (Exception e) { Console.Write(e.Message); return(false); } }
public bool Evaluate(EvaluationContext context, ref object state) { foreach (ClaimSet issuance in _issuedClaimSets) { context.AddClaimSet(this, issuance); } return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { // Add the token claim set to the evaluation context. evaluationContext.AddClaimSet(this, tokenClaims); // Return true if the policy evaluation is finished. return(true); }
bool IAuthorizationPolicy.Evaluate(EvaluationContext evaluationContext, ref object state) { foreach (ClaimSet issuance in _issuedClaimSets) { evaluationContext.AddClaimSet(this, issuance); } return(true); }
bool IAuthorizationPolicy.Evaluate(EvaluationContext evaluationContext, ref object state) { if (evaluationContext == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("evaluationContext"); } evaluationContext.AddClaimSet(this, _issuer); return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { evaluationContext.AddClaimSet(this, new DefaultClaimSet(ClaimSet.System, this.primaryIdentity)); if (!evaluationContext.Properties.ContainsKey("PrimaryIdentity")) { evaluationContext.Properties.Add("PrimaryIdentity", this.primaryIdentity); } return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { // find identity Claim id = evaluationContext.ClaimSets.FindIdentityClaim(); string userId = Map(id); evaluationContext.AddClaimSet(this, new CustomerClaimSet(userId, Issuer)); return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (evaluationContext.Properties.ContainsKey("Identities")) { IIdentity identity; ClaimSet claims = MapClaims(evaluationContext, out identity); CustomPrincipal newPrincipal = new CustomPrincipal(identity, claims); evaluationContext.Properties["Principal"] = newPrincipal; evaluationContext.AddClaimSet(this, claims); } return(true); }
//We will add a custom claim to the EvaluationContext if the 'magic character' exists in the username public bool Evaluate(EvaluationContext evaluationContext, ref object state) { //Get the Identities Property object obj; if (!evaluationContext.Properties.TryGetValue("Identities", out obj)) { Debug.WriteLine("CustomNameCheckerPolicy: Identities is null"); return(false); } //Get the list of IIdentities IList <IIdentity> identities = obj as IList <IIdentity>; if (identities == null || identities.Count != 1) { Debug.WriteLine("CustomNameCheckerPolicy: Identities.count = 0"); return(false); } //Get the WindowsIdentity //Any other type of IIdentity will cause it to return false WindowsIdentity wID = identities[0] as WindowsIdentity; if (wID == null) { Debug.WriteLine("CustomNameCheckerPolicy: Not a Windows Identity"); return(false); } //retrieve the username string[] domainAndUsername = wID.Name.Split(new char[] { '\\' }); string userName = domainAndUsername[0]; if (domainAndUsername.Length > 1) { userName = domainAndUsername[1]; } //Check to see if the 'magic character' exists in the username //Add our claim if it does if (userName.ToUpper().Contains(Constants.magicCharacter.ToUpper())) { List <Claim> claims = new List <Claim>(1); Claim magicCharacterClaim = new Claim(Constants.PossessesMagicCharacterType, Constants.magicCharacter, Rights.PossessProperty); claims.Add(magicCharacterClaim); evaluationContext.AddClaimSet(this, new DefaultClaimSet(claims)); } return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (OperationContext.Current.IncomingMessageProperties["Principal"] is IPrincipal principal) { evaluationContext.Properties["Principal"] = principal; evaluationContext.Properties["Identities"] = new List <IIdentity> { principal.Identity, }; var roleClaims = GetRoleClaims(principal as GenericPrincipal).ToList(); evaluationContext.AddClaimSet(this, new DefaultClaimSet(roleClaims)); } return(true); }
public virtual bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (evaluationContext.Properties.ContainsKey("Identities")) { List <IIdentity> identities = evaluationContext.Properties["Identities"] as List <IIdentity>; IIdentity identity = identities[0]; ClaimSet claims = MapClaims(identity); ClaimsPrincipal newPrincipal = new ClaimsPrincipal(identity, claims); evaluationContext.Properties["Principal"] = newPrincipal; evaluationContext.AddClaimSet(this, claims); return(true); } else { return(false); } }
/// <summary> /// Lädt das Claimset der Berechtigungen für den aufrufenden Windows User /// </summary> /// <param name="evaluationContext"></param> /// <param name="state"></param> /// <returns></returns> public bool Evaluate(EvaluationContext evaluationContext, ref object state) { IIdentity client = GetClientIdentity(evaluationContext); IPrincipal principal = new ClaimsPrincipal(client); evaluationContext.Properties["Principal"] = principal; IUserRepository repository = Container.Resolve <IUserRepository>(); if (repository != null) { IUser currentUser = repository.FindByName(principal.Identity.Name); if (currentUser != null && !currentUser.Deactivated) { IList <Claim> claims = new List <Claim>(); claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.NameIdentifier, currentUser.Id, Rights.PossessProperty)); IEnumerable <IRight> rights = currentUser.Role.Rights; IEnumerable <IRight> distinctRights = rights.Distinct(); foreach (IRight right in distinctRights) { claims.Add(new Claim(right.Claim, right.Resource, Rights.PossessProperty)); } evaluationContext.AddClaimSet(this, new DefaultClaimSet(ClaimSet.System, claims)); } else if (currentUser == null) { string errorMessage = "Unknow User detected"; throw new FaultException <RemoteFault>(new RemoteFault(errorMessage, Constants.FaultExceptionEnum.UnknowUser), errorMessage); } else if (currentUser.Deactivated) { string errorMessage = "Current User deactivated"; throw new FaultException <RemoteFault>(new RemoteFault(errorMessage, Constants.FaultExceptionEnum.DeactivedUser), errorMessage); } } return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (evaluationContext.Properties.ContainsKey("Identities")) { List <IIdentity> identities = evaluationContext.Properties["Identities"] as List <IIdentity>; IIdentity identity = identities.FirstOrDefault(i => i.AuthenticationType == "X509"); GenericPrincipal genprincipal = new GenericPrincipal(identity, null); evaluationContext.Properties["Principal"] = genprincipal; var user = UserStore.GetUserByCertificate(identity.Name); evaluationContext.AddClaimSet(this, new DefaultClaimSet(new Claim("User", user, Rights.Identity))); return(true); } else { return(false); } }
public bool Evaluate(EvaluationContext context, ref object state) { var identities = new List <IIdentity> { _identity }; context.AddClaimSet(this, new DefaultClaimSet(Issuer, new Claim(ClaimTypes.Name, _identity == null ? null : _identity.Name, Rights.Identity))); if (context.Properties.ContainsKey(AuthContextIdentityPropertyName)) { context.Properties[AuthContextIdentityPropertyName] = identities; } else { context.Properties.Add(AuthContextIdentityPropertyName, identities); } return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { CustomAuthState customstate; // If the state is null, then this has not been called before so // set up a custom state. if (state == null) { customstate = new CustomAuthState(); state = customstate; } else { customstate = (CustomAuthState)state; } bool bRet; // If claims have not been added yet... if (!customstate.ClaimsAdded) { // Create an empty list of claims. IList <Claim> claims = new List <Claim> { new Claim("http://tempuri.org/claims/allowedoperation", "http://tempuri.org/IEchoService/EchoString", Rights.PossessProperty), new Claim("http://tempuri.org/claims/allowedoperation", "http://tempuri.org/IEchoService/ComplexEcho", Rights.PossessProperty) }; evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, claims)); // Record that claims were added. customstate.ClaimsAdded = true; // Return true, indicating that this method does not need to be called again. bRet = true; } else { // Should never get here, but just in case, return true. bRet = true; } return(bRet); }
/// <summary> /// called for every server operation /// </summary> public bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (evaluationContext.Properties.ContainsKey("Identities")) { var identities = (List <IIdentity>)evaluationContext.Properties["Identities"]; IIdentity identity = identities[0]; ClaimSet claims = MapClaims(identity); var newPrincipal = new GenericPrincipal(identity, null); evaluationContext.Properties["Principal"] = newPrincipal; if (claims != null) { evaluationContext.AddClaimSet(this, claims); } return(true); } return(false); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (null == state) { state = false; } bool hasAddedClaims = (bool)state; if (hasAddedClaims) { return(true); } IList <Claim> claims = new List <Claim>(); foreach (ClaimSet claimSet in evaluationContext.ClaimSets) { foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Name, Rights.PossessProperty)) { string userName = (string)claim.Resource; if (userName.Contains('\\')) { userName = userName.Split('\\')[1]; if (string.Compare("Foo", userName, true) == 0) { claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfAdd, Rights.PossessProperty)); claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfSubtract, Rights.PossessProperty)); } if (string.Compare("Bar", userName, true) == 0) { claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfMultiply, Rights.PossessProperty)); claims.Add(new Claim(ClaimType4AllowedOperation, ActionOfDivide, Rights.PossessProperty)); } } } } evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims)); state = true; return(true); }
public bool Evaluate(EvaluationContext evaluationContext, ref object state) { if (!evaluationContext.Properties.ContainsKey("Identities")) { return(false); } List <IIdentity> identities = evaluationContext.Properties["Identities"] as List <IIdentity>; IIdentity identity = identities[0]; IPrincipal principal = Session.GetCustomPrincipal(identity); evaluationContext.Properties["Principal"] = principal; ClaimSet claims = MapClaims(identity, principal); if (claims != null) { evaluationContext.AddClaimSet(this, claims); } return(true); }
/// <summary> /// Evaluate the set of incoming claims. /// </summary> /// <param name="evaluationContext">The results of the authorization policies that have been evaluated.</param> /// <param name="state">The current state of the authorization evaluation.</param> /// <returns>true indicates evaluation of the authorization can continue, false will reject the authorization.</returns> public Boolean Evaluate(EvaluationContext evaluationContext, ref Object state) { // Validate the parameter before using it. if (evaluationContext == null) { throw new ArgumentNullException("evaluationContext"); } // This will create an identity based on the validated user and map the claims against that identity using the role manager. This is some pretty heavy // stuff but the upshot is that Active Directory (or some similar provider) will find out what groups this user belongs to and then assign a set of // claims based on those roles. Object property; if (evaluationContext.Properties.TryGetValue("Identities", out property)) { List <IIdentity> identities = property as List <IIdentity>; foreach (IIdentity iIdentity in identities) { String distinguishedName = ClaimsAuthorizationPolicy.distinguishedNameMakerMap[iIdentity.AuthenticationType](iIdentity.Name); OrganizationPrincipal organizationPrincipal = new OrganizationPrincipal(iIdentity, distinguishedName, this.GetRoles(distinguishedName)); evaluationContext.Properties["Principal"] = organizationPrincipal; evaluationContext.AddClaimSet(this, this.MapClaims(organizationPrincipal)); } } else { // If no identities are provided by the transport then we'll provide a generic, unknown user with no claims. This user will be able to access the // 'Unrestricted' serivce contracts but, most importantly, this user will be able to run the WSDL code to generate an interface. evaluationContext.Properties["Principal"] = new OrganizationPrincipal( new GenericIdentity("unknown"), ClaimsAuthorizationPolicy.unknownUser, new String[0]); } // There is no need to call the evaluation again, everything here is computed in a single pass. return(true); }
public bool Evaluate(EvaluationContext ec, ref Object state) { ec.AddClaimSet(this, new DefaultClaimSet(Claim.CreateRsaClaim(rsa))); ec.RecordExpirationTime(DateTime.MaxValue.AddDays(-1)); return(true); }