public static void TestAugmentationOperation(string claimType, string claimValue, bool isMemberOfTrustedGroup)
{
SPClaim inputClaim = new SPClaim(claimType, claimValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
Uri context = new Uri(TestSiteCollUri.AbsoluteUri);
SPClaim[] groups = ClaimsProvider.GetClaimsForEntity(context, inputClaim);
bool groupFound = false;
string groupsValueText = "No group was returned by the claims provider.";
if (groups != null && groups.Count() > 0)
{
groupsValueText = $"Claims provider returned those {groups.Count()} groups: {string.Join(", ", Array.ConvertAll(groups, x => x.Value))}";
if (groups.Contains(TrustedGroup))
{
groupFound = true;
}
}
if (isMemberOfTrustedGroup)
{
Assert.IsTrue(groupFound, $"Entity \"{claimValue}\" should be member of group \"{TrustedGroupToAdd_ClaimValue}\", but this group was not found in the claims returned by the claims provider. {groupsValueText}");
}
else
{
Assert.IsFalse(groupFound, $"Entity \"{claimValue}\" should NOT be member of group \"{TrustedGroupToAdd_ClaimValue}\", but this group was found in the claims returned by the claims provider. {groupsValueText}");
}
}
internal void VerifyPermissions(List <string> permutations)
{
string currUserName = SPContext.Current.Web.CurrentUser.LoginName;
string url = SPContext.Current.Site.Url;
try
{
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// need to convert to claim due to us running against claims enabled web app
SPClaimProviderManager cpm = SPClaimProviderManager.Local;
SPClaim adminClaim = cpm.ConvertIdentifierToClaim(defaultUser, SPIdentifierTypes.WindowsSamAccountName);
using (SPSite s = new SPSite(url))
{
using (SPWeb w = s.RootWeb)
{
w.AllowUnsafeUpdates = true;
UpdateUserInformationList(w, GetClaimsForUser(true));
List <string> missingGroups;
List <SPGroup> groups = PermutationGroups(permutations, w, out missingGroups);
if (groups.Count != permutations.Count)
{
SPUser admin = w.EnsureUser(adminClaim.ToEncodedString());
groups.AddRange(CreateMissingGroups(missingGroups, w, admin));
}
SPUser cUser = w.EnsureUser(currUserName);
SPGroupCollection gUser = cUser.Groups;
foreach (SPGroup g in groups)
{
bool isAlreadyMember = false;
foreach (SPGroup gu in gUser)
{
if (gu.Name == g.Name)
{
isAlreadyMember = true;
break;
}
}
if (!isAlreadyMember)
{
g.AddUser(cUser);
#if DEBUG
this.Controls.Add(new LiteralControl("<div>Adding user to group:" + g.Name + "</div>"));
#endif
}
#if DEBUG
this.Controls.Add(new LiteralControl("<div>Already a member of group: " + g.Name + "</div>"));
#endif
}
w.AllowUnsafeUpdates = false;
}
}
});
}
catch (Exception ex)
{
this.Controls.Add(new LiteralControl("<div class='Error' style='display:none'>" + ex.Message + "</div><div>" + ex.StackTrace + "</div>"));
}
}
public void TestDynamicTokens(string inputValue)
{
// With NonParallelizable set, this method is not called in parallel with other methods, but it seems it can still be called multiple times simultaneously, so lock is required due to the multiple config changes
lock (LockUpdateDynamicTokensConfig)
{
string domainNetbios = "contoso";
string domainFQDN = "contoso.local";
ClaimTypeConfig ctConfig = Config.ClaimTypes.FirstOrDefault(x => String.Equals(GroupsClaimType, x.ClaimType, StringComparison.InvariantCultureIgnoreCase));
string expectedValue = inputValue;
ctConfig.ClaimValuePrefix = String.Empty;
Config.Update();
UnitTestsHelper.TestSearchOperation(inputValue, 1, inputValue);
SPClaim inputClaim = new SPClaim(GroupsClaimType, expectedValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedValue);
expectedValue = $@"{domainNetbios}\{inputValue}";
ctConfig.ClaimValuePrefix = @"{domain}\";
Config.Update();
UnitTestsHelper.TestSearchOperation(inputValue, 1, expectedValue);
inputClaim = new SPClaim(GroupsClaimType, expectedValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedValue);
expectedValue = $@"{domainFQDN}\{inputValue}";
ctConfig.ClaimValuePrefix = @"{fqdn}\"; // This is the default value, set at last step to restore it before releasing lock
Config.Update();
UnitTestsHelper.TestSearchOperation(inputValue, 1, expectedValue);
inputClaim = new SPClaim(GroupsClaimType, expectedValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedValue);
}
}
public void TestDynamicTokens(string inputValue)
{
string domainNetbios = "contoso";
string domainFQDN = "contoso.local";
ClaimTypeConfig ctConfig = Config.ClaimTypes.FirstOrDefault(x => String.Equals(GroupsClaimType, x.ClaimType, StringComparison.InvariantCultureIgnoreCase));
string expectedValue = inputValue;
ctConfig.ClaimValuePrefix = String.Empty;
Config.Update();
UnitTestsHelper.TestSearchOperation(inputValue, 1, inputValue);
SPClaim inputClaim = new SPClaim(GroupsClaimType, expectedValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedValue);
expectedValue = $@"{domainNetbios}\{inputValue}";
ctConfig.ClaimValuePrefix = @"{domain}\";
Config.Update();
UnitTestsHelper.TestSearchOperation(inputValue, 1, expectedValue);
inputClaim = new SPClaim(GroupsClaimType, expectedValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedValue);
expectedValue = $@"{domainFQDN}\{inputValue}";
ctConfig.ClaimValuePrefix = @"{fqdn}\";
Config.Update();
UnitTestsHelper.TestSearchOperation(inputValue, 1, expectedValue);
inputClaim = new SPClaim(GroupsClaimType, expectedValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedValue);
}
internal static void VerifyPermissions(List <string> groups, string url)
{
//string currUserName = SPContext.Current.Web.CurrentUser.LoginName;
//string url = SPContext.Current.Site.Url;
try
{
/*SPSecurity.RunWithElevatedPrivileges(delegate ()
* {*/
SPClaimProviderManager cpm = SPClaimProviderManager.Local;
SPClaim userClaim = cpm.ConvertIdentifierToClaim(defaultUser, SPIdentifierTypes.WindowsSamAccountName);
using (SPSite s = new SPSite(url))
{
using (SPWeb w = s.RootWeb)
{
w.AllowUnsafeUpdates = true;
List <string> missingGroups;
List <SPGroup> spgroups = PermutationGroups(groups, w, out missingGroups);
if (spgroups.Count != groups.Count)
{
SPUser admin = w.EnsureUser(userClaim.ToEncodedString());
CreateMissingGroups(missingGroups, w, admin);
}
w.AllowUnsafeUpdates = false;
}
}
//});
}
catch (Exception ex)
{
Console.WriteLine("Error:\n" + ex.Message + "\n" + ex.StackTrace + "\n" + ex.InnerException);
}
}
/// <summary>
/// Implement this method if the claims provider supports claims augmentation.
/// </summary>
/// <param name="context"></param>
/// <param name="entity"></param>
/// <param name="claims"></param>
protected override void FillClaimsForEntity(Uri context, SPClaim entity, List <SPClaim> claims)
{
if (null == entity)
{
throw new ArgumentNullException("entity");
}
if (null == claims)
{
throw new ArgumentNullException("claims");
}
//Add the role claim.
SPClaim userIdClaim = SPClaimProviderManager.DecodeUserIdentifierClaim(entity);
//Add claims for users.
List <string> allCRMUsers = CRMUserInfo.GetAllUsers();
if (allCRMUsers.Contains(userIdClaim.Value.ToLower()))
{
List <Claim> userClaims = CRMUserInfo.GetClaimsForUser(userIdClaim.Value.ToLower());
foreach (Claim claim in userClaims)
{
claims.Add(CreateClaim(claim.ClaimType, claim.Value, claim.ValueType));
}
}
}
public void MSCPSWS_S04_TC02_ResolveClaim_Valid()
{
// Call the helper method to get all claims providers.
SPProviderHierarchyTree[] allProviders = TestSuiteBase.GetAllProviders();
ArrayOfString providerNames = new ArrayOfString();
SPPrincipalType principalType = SPPrincipalType.SecurityGroup;
SPClaim resolveInput = GenerateSPClaimResolveInput_Valid();
bool isResolveClaimSuccess = false;
foreach (SPProviderHierarchyTree provider in allProviders)
{
if (provider.Children.Length != 0)
{
providerNames.Add(provider.ProviderName);
}
// Call Resolve claim method to resolve an SPClaim to picker entities using a list of claims providers.
PickerEntity[] responseOfResolveClaimResult = CPSWSAdapter.ResolveClaim(providerNames, principalType, resolveInput);
Site.Assert.IsNotNull(responseOfResolveClaimResult, "The resolve claim result should not be null.");
isResolveClaimSuccess = true;
}
// If the claims providers listed in the provider names in the input message is resolved successfully, then the following requirement can be captured.
Site.CaptureRequirementIfIsTrue(
isResolveClaimSuccess,
303,
@"[In ResolveClaim] The protocol server MUST resolve across all claims providers that meet all the following criteria:
The claims providers are associated with the Web application (1) specified in the input message.
The claims providers are listed in the provider names in the input message.
The claims providers support resolve.");
}
public static void TestAugmentationOperation(string claimType, string claimValue, bool isMemberOfTrustedGroup)
{
try
{
Stopwatch timer = new Stopwatch();
timer.Start();
SPClaim inputClaim = new SPClaim(claimType, claimValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
Uri context = new Uri(UnitTestsHelper.TestSiteCollUri.AbsoluteUri);
SPClaim[] groups = ClaimsProvider.GetClaimsForEntity(context, inputClaim);
bool groupFound = false;
if (groups != null && groups.Contains(TrustedGroup))
{
groupFound = true;
}
if (isMemberOfTrustedGroup)
{
Assert.IsTrue(groupFound, $"Entity \"{claimValue}\" should be member of group \"{TrustedGroupToAdd_ClaimValue}\", but this group was not found in the claims returned by the claims provider.");
}
else
{
Assert.IsFalse(groupFound, $"Entity \"{claimValue}\" should NOT be member of group \"{TrustedGroupToAdd_ClaimValue}\", but this group was found in the claims returned by the claims provider.");
}
timer.Stop();
Trace.WriteLine($"{DateTime.Now.ToString("s")} TestAugmentationOperation finished in {timer.ElapsedMilliseconds} ms. Parameters: claimType: '{claimType}', claimValue: '{claimValue}', isMemberOfTrustedGroup: '{isMemberOfTrustedGroup}'.");
}
catch (Exception ex)
{
Trace.TraceError($"{DateTime.Now.ToString("s")} TestAugmentationOperation failed with exception '{ex.GetType()}', message '{ex.Message}'. Parameters: claimType: '{claimType}', claimValue: '{claimValue}', isMemberOfTrustedGroup: '{isMemberOfTrustedGroup}'.");
}
}
public static SecurityIdentifier GetSidFromClaim(string claimValue)
{
SecurityIdentifier sid = null;
SPClaimProviderManager claimManager = SPClaimProviderManager.Local;
if (claimManager == null)
{
throw new ApplicationException("Unable to access the claims provider manager.");
}
try
{
SPClaim claim = claimManager.DecodeClaim(claimValue);
if (claim.OriginalIssuer.Equals("Windows", StringComparison.OrdinalIgnoreCase))
{
if (claim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid, StringComparison.OrdinalIgnoreCase))
{
sid = new SecurityIdentifier(claim.Value);
}
else if (claim.ClaimType.Equals(Microsoft.SharePoint.Administration.Claims.SPClaimTypes.UserLogonName, StringComparison.OrdinalIgnoreCase))
{
NTAccount userAccount = new NTAccount(claim.Value);
sid = (SecurityIdentifier)userAccount.Translate(typeof(SecurityIdentifier));
}
}
}
catch (ArgumentException currentException)
{
GlymaSearchLogger.WriteTrace(LogCategoryId.Security, TraceSeverity.Unexpected, "The following exception occured when attempting to decode the claim, " + claimValue + " : " + currentException.ToString());
}
return(sid);
}
protected virtual PickerEntity GetPickerEntity(Auth0.User auth0User, string claimEntityType)
{
PickerEntity pe = CreatePickerEntity();
SPClaim claim = null;
if (claimEntityType == SPClaimEntityTypes.User)
{
claim = new SPClaim(
this.identifierClaimType,
string.IsNullOrEmpty(this.auth0Config.IdentifierUserField) || this.auth0Config.IdentifierUserField == "Email" ?
auth0User.UniqueEmail() :
Utils.GetPropValue(auth0User, this.auth0Config.IdentifierUserField).ToString(),
Microsoft.IdentityModel.Claims.ClaimValueTypes.String,
SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, this.associatedSPTrustedLoginProvider.Name));
var displayText = !string.IsNullOrEmpty(auth0User.FamilyName) && !string.IsNullOrEmpty(auth0User.GivenName) ?
string.Format("{0} {1}", auth0User.GivenName, auth0User.FamilyName) : auth0User.Name;
pe.DisplayText =
!string.IsNullOrEmpty(displayText) ?
string.Format("{0} ({1})", displayText, auth0User.Email) :
auth0User.Email;
pe.Description = string.Format(
"Email: {0}; Name: {1}",
auth0User.Email,
auth0User.Name);
pe.EntityType = SPClaimEntityTypes.User;
pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = displayText;
pe.EntityData[PeopleEditorEntityDataKeys.Email] = auth0User.Email;
pe.EntityData["Picture"] = auth0User.Picture;
}
else if (claimEntityType == SPClaimEntityTypes.FormsRole)
{
claim = new SPClaim(
ConnectionClaimType,
auth0User.Identities.First().Connection,
Microsoft.IdentityModel.Claims.ClaimValueTypes.String,
SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, this.associatedSPTrustedLoginProvider.Name));
pe.DisplayText = string.Format(
"All Users ({0})",
auth0User.Identities.First().Connection);
pe.Description = string.Format(
"[{0}] All Users from '{1}'",
ProviderInternalName,
auth0User.Identities.First().Connection);
pe.EntityType = SPClaimEntityTypes.FormsRole;
}
pe.Claim = claim;
pe.IsResolved = true;
pe.EntityGroupName = this.pickerEntityGroupName;
return(pe);
}
private bool UpdateUserPermissions(SPWeb web, SPRoleAssignmentCollection roleAssignments, XmlNodeList principalUserNodes)
{
bool dirty = false;
foreach (XmlNode principalUserNode in principalUserNodes)
{
string loginName = principalUserNode.Attributes["login"].Value;
string userName = principalUserNode.Attributes["name"].Value;
try
{
SPClaimProviderManager cpm = SPClaimProviderManager.Local;
SPClaim userClaim = cpm.ConvertIdentifierToClaim(loginName, SPIdentifierTypes.WindowsSamAccountName);
SPUser user = web.EnsureUser(userClaim.ToEncodedString());
if (user == null)
{
throw new Exception();
}
SPPrincipal userPrincipal = (SPPrincipal)user;
try
{
SPRoleAssignment roleAssignment = roleAssignments.GetAssignmentByPrincipal(userPrincipal);
if (roleAssignment == null)
{
throw new Exception();
}
UpdatePrincipal(web, principalUserNode,
string.Format("{0,20}, '{1,15}'", userName, loginName),
roleAssignment);
}
catch
{
output.Append(string.Format("permissins missing for user: {0,20} with login: {1,15}, adding new..." + Environment.NewLine, userName, loginName));
SPRoleAssignment roleAssignmentNew = new SPRoleAssignment(userPrincipal);
XmlNodeList roleNodes = principalUserNode.SelectNodes("role");
foreach (XmlNode roleNode in roleNodes)
{
string roleName = roleNode.Attributes["name"].Value;
if (roleName.ToLower().Equals("limited access"))
{
roleName = "Limited User";
}
SPRoleDefinition role = web.RoleDefinitions[roleName];
roleAssignmentNew.RoleDefinitionBindings.Add(role);
}
roleAssignments.Add(roleAssignmentNew);
output.Append("completed" + Environment.NewLine);
dirty = true;
}
}
catch { output.Append(string.Format("user not found: {0,20} with login: {1,15}" + Environment.NewLine, userName, loginName)); }
}
return(dirty);
}
public IEnumerable <PrincipalInfo> Resolve(SPUser user, IDisposable implicitContext)
{
try {
CommonHelper.ConfirmNotNull(user, "user");
if (!resolvedIdentities.Contains(user.ID))
{
resolvedIdentities.Add(user.ID);
parentPrincipal = user;
if (SPClaimProviderManager.IsEncodedClaim(user.LoginName))
{
SPClaim claim = SPClaimProviderManager.Local.DecodeClaim(user.LoginName);
if (claim.OriginalIssuer == "Windows")
{
if (claim.ClaimType == SPClaimTypes.UserLogonName)
{
PrincipalInfo userInfo = ResolveActiveDirectoryUser(IdentityType.SamAccountName, claim.Value);
if (userInfo != null)
{
return(new[] { userInfo });
}
return(new PrincipalInfo[0]);
}
if (claim.ClaimType == ClaimTypes_GroupSid)
{
return(EnumerateActiveDirectoryGroup(IdentityType.SamAccountName, user.Name));
}
}
if (claim.OriginalIssuer.StartsWith("Forms:"))
{
string providerName = claim.OriginalIssuer.Substring(6);
if (claim.ClaimType == SPClaimTypes.UserLogonName)
{
PrincipalInfo userInfo = ResolveMembershipUser(providerName, claim.Value);
if (userInfo != null)
{
return(new[] { userInfo });
}
return(new PrincipalInfo[0]);
}
if (claim.ClaimType == ClaimTypes_Role)
{
return(EnumerateMembershipUsersInRole(providerName, claim.Value));
}
}
}
if (user.IsDomainGroup)
{
return(EnumerateActiveDirectoryGroup(IdentityType.SamAccountName, user.LoginName));
}
return(EnumerateBySamAccountName(user.LoginName));
}
return(new PrincipalInfo[0]);
} finally {
if (implicitContext != null)
{
implicitContext.Dispose();
}
}
}
private void CheckItems(XmlNode siteNode, string url)
{
using (SPWeb web = new SPSite(url).OpenWeb())
{
XmlNodeList alertNodes = siteNode.SelectNodes("alert[@type='Item']");
foreach (XmlNode alertNode in alertNodes)
{
string alertTitle = alertNode.Attributes["title"].Value;
string listTitle = alertNode.Attributes["list"].Value;
string loginName = alertNode.Attributes["user"].Value;
int itemId = Int32.Parse(alertNode.Attributes["id"].Value);
string itemUrl = alertNode.Attributes["url"].Value;
string objectType = alertNode.Attributes["object"].Value;
output.Append(string.Format("user: {0,20}...", loginName));
try
{
SPList list = web.Lists[listTitle];
SPClaimProviderManager cpm = SPClaimProviderManager.Local;
SPClaim userClaim = cpm.ConvertIdentifierToClaim(loginName, SPIdentifierTypes.WindowsSamAccountName);
SPUser user = web.EnsureUser(userClaim.ToEncodedString());
string eventType = alertNode.Attributes["event"].Value;
SPEventType spEventType = (SPEventType)Enum.Parse(typeof(SPEventType), eventType);
string eventFrequency = alertNode.Attributes["frequency"].Value;
SPAlertFrequency spAlertFrequency = (SPAlertFrequency)Enum.Parse(typeof(SPAlertFrequency), eventFrequency);
string type = alertNode.Attributes["type"].Value;
SPAlertType spAlertType = (SPAlertType)Enum.Parse(typeof(SPAlertType), type);
SPListItem item = null;
if (list.BaseType == SPBaseType.DocumentLibrary)
{
SPFile file = web.GetFile(itemUrl);
item = file.Item;
}
else
{
item = list.GetItemById(itemId);
}
SPAlert newAlert = user.Alerts.Add();
newAlert.Title = alertTitle;
newAlert.AlertType = spAlertType;
newAlert.Item = item;
newAlert.DeliveryChannels = SPAlertDeliveryChannels.Email;
newAlert.EventType = spEventType;
newAlert.AlertFrequency = spAlertFrequency;
newAlert.Status = SPAlertStatus.On;
newAlert.Update(false);
output.Append(string.Format("Complete" + Environment.NewLine));
}
catch (Exception ex) { output.Append(string.Format("error: {0,20}" + Environment.NewLine, ex.Message)); }
}
}
}
public static SPUserToken GetToken(string login)
{
SPClaimProviderManager claimProviderManager = SPClaimProviderManager.Local;
SPClaim claim = new SPClaim(SPClaimTypes.UserLogonName, login, "http://www.w3.org/2001/XMLSchema#string", SPOriginalIssuers.Format(SPOriginalIssuerType.Windows));
var userName = claimProviderManager.EncodeClaim(claim);
return(SPContext.Current.Web.EnsureUser(userName).UserToken);
}
//augments custom claims into a claims token.
protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
{
if (entity == null) { throw new ArgumentNullException("Cannot have empty entity"); }
if (claims == null) { throw new ArgumentNullException("Cannot have empty claims"); }
//string assignedClearance = GetClearance(entity); //------> RESOLVE GetClearance(entity);
//claims.Add(CreateClaim(ClearanceClaimType, assignedClearance, ClearanceClaimValueType));
}
public void BypassLookupOnGroupClaimTest(string inputValue, int expectedCount, string expectedClaimValue)
{
UnitTestsHelper.TestSearchOperation(inputValue, expectedCount, expectedClaimValue);
if (expectedCount > 0)
{
SPClaim inputClaim = new SPClaim(UnitTestsHelper.TrustedGroupToAdd_ClaimType, expectedClaimValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedClaimValue);
}
}
/// <summary>
/// A method used to generate an invalid SPClaim of ResolveInput.
/// </summary>
/// <returns>A return value represents the invalid SPClaim of resolveInput.</returns>
public SPClaim GenerateSPClaimResolveInput_Invalid()
{
SPClaim resolveInput = new SPClaim();
resolveInput.ClaimType = this.GenerateRandomString(10);
resolveInput.Value = this.GenerateRandomString(5);
resolveInput.ValueType = this.GenerateGUID();
resolveInput.OriginalIssuer = "ClaimProvider:" + this.GenerateRandomString(5);
return(resolveInput);
}
public string getAccountNameForEmail(string email, string indentityProviderName)
{
UPSBrowserLogger.LogDebug(loggingCategory, "getIdentityProviders invoked");
UPSBrowserLogger.LogDebug(loggingCategory, $"email: {email}, indentityProviderName: {indentityProviderName}");
string originalIssuer = SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, indentityProviderName);
SPClaimProviderManager mgr = SPClaimProviderManager.Local;
SPClaim claim = new SPClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", email, System.Security.Claims.ClaimValueTypes.String, originalIssuer);
string accountName = mgr.EncodeClaim(claim);
return(accountName);
}
protected override void FillClaimsForEntity(Uri context, SPClaim entity,
List <SPClaim> claims)
{
if (entity == null)
{
throw new ArgumentNullException("entity");
}
if (claims == null)
{
throw new ArgumentNullException("claims");
}
//Figure out who the user is so we know what team to add to their claim.
string team = string.Empty;
string userName = string.Empty;
int userID = 0;
int userPipe = entity.Value.LastIndexOf("|");
//Get the part after the final pipe, which corresponds to the user name.
if (userPipe > -1)
{
userName = entity.Value.Substring(userPipe + 1);
}
//Get the number part after the user prefix so we know what team they
//are associated with; use a try in case we are not using the FBA provider
//or naming convention we are not expecting.
int.TryParse(userName.Substring(4, userName.Length - 4), out userID);
//See if we got a results.
if (userID > 0)
{
//Plug in the appropriate team.
if (userID > 30)
{
team = ourTeams[2];
}
else if (userID > 15)
{
team = ourTeams[1];
}
else
{
team = ourTeams[0];
}
}
else
{
team = ourTeams[1]; //If they are not one of our FBA users.
}
//Add the claim.
claims.Add(CreateClaim(SqlClaimType, team, SqlClaimValueType));
}
public virtual void DEBUG_ValidateClaim(string claimType, string claimValue, bool shouldValidate)
{
if (!TestValidation)
{
return;
}
SPClaim inputClaim = new SPClaim(claimType, claimValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, shouldValidate, claimValue);
}
public virtual void ValidateClaim(ValidateEntityData registrationData)
{
if (!TestValidation)
{
return;
}
SPClaim inputClaim = new SPClaim(UnitTestsHelper.SPTrust.IdentityClaimTypeInformation.MappedClaimType, registrationData.ClaimValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, registrationData.ShouldValidate, registrationData.ClaimValue);
}
public static void TestValidationOperation(SPClaim inputClaim, bool shouldValidate, string expectedClaimValue)
{
string[] entityTypes = new string[] { "User" };
PickerEntity[] entities = ClaimsProvider.Resolve(TestSiteCollUri, entityTypes, inputClaim);
int expectedCount = shouldValidate ? 1 : 0;
Assert.AreEqual(expectedCount, entities.Length, $"Validation of entity \"{inputClaim.Value}\" should have returned {expectedCount} entity, but it returned {entities.Length} instead.");
if (shouldValidate)
{
StringAssert.AreEqualIgnoringCase(expectedClaimValue, entities[0].Claim.Value, $"Validation of entity \"{inputClaim.Value}\" should have returned value \"{expectedClaimValue}\", but it returned \"{entities[0].Claim.Value}\" instead.");
}
}
public void TestPrefixToBypassLookup(string inputValue, int expectedCount, string expectedClaimValue)
{
ClaimTypeConfig ctConfig = Config.ClaimTypes.FirstOrDefault(x => String.Equals(UnitTestsHelper.SPTrust.IdentityClaimTypeInformation.MappedClaimType, x.ClaimType, StringComparison.InvariantCultureIgnoreCase));
ctConfig.PrefixToBypassLookup = "ext:";
Config.Update();
UnitTestsHelper.TestSearchOperation(inputValue, expectedCount, expectedClaimValue);
if (expectedCount > 0)
{
SPClaim inputClaim = new SPClaim(UnitTestsHelper.SPTrust.IdentityClaimTypeInformation.MappedClaimType, expectedClaimValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, expectedClaimValue);
}
}
public static string GetClaims(string account)
{
string userName = null;
SPClaimProviderManager mgr = SPClaimProviderManager.Local;
if (mgr != null)
{
SPClaim claim = new SPClaim(SPClaimTypes.UserLogonName, account, "http://www.w3.org/2001/XMLSchema#string", SPOriginalIssuers.Format(SPOriginalIssuerType.Windows));
userName = mgr.EncodeClaim(claim);
}
return(userName);
;
}
protected override void CreateChildControls()
{
// return when user is not a forms based user
IClaimsIdentity claimsIdentity = (HttpContext.Current.User != null) ? (HttpContext.Current.User.Identity as IClaimsIdentity) : null;
if (claimsIdentity != null)
{
SPClaimProviderManager mgr = SPClaimProviderManager.Local;
SPClaim sPClaim = mgr.DecodeClaimFromFormsSuffix(claimsIdentity.Name);
if (SPOriginalIssuers.GetIssuerType(sPClaim.OriginalIssuer) == SPOriginalIssuerType.Windows)
{
return;
}
}
string changePasswordPage = "";
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(SPContext.Current.Site.ID, SPContext.Current.Site.Zone))
{
MembershipSettings setting = new MembershipSettings(site.RootWeb);
if (setting == null || string.IsNullOrEmpty(setting.ChangePasswordPage))
{
return;
}
changePasswordPage = setting.ChangePasswordPage;
}
});
// generate return url
string source = SPUtility.OriginalServerRelativeRequestUrl;
string target = Utils.GetAbsoluteURL(SPContext.Current.Web, changePasswordPage);
MenuItemTemplate changePasswordItem = new MenuItemTemplate();
changePasswordItem.Text = LocalizedString.GetString("FBAPackMenus", "FBAChangePassword_Title");
changePasswordItem.Description = LocalizedString.GetString("FBAPackMenus", "FBAChangePassword_Desc");
changePasswordItem.Sequence = 1;
changePasswordItem.ClientOnClickNavigateUrl = target + "?Source=" + SPHttpUtility.UrlKeyValueEncode(source);
this.Controls.Add(changePasswordItem);
}
private void CheckLists(XmlNode siteNode, string url)
{
using (SPWeb web = new SPSite(url).OpenWeb())
{
XmlNodeList alertNodes = siteNode.SelectNodes("alert[@type='List']");
foreach (XmlNode alertNode in alertNodes)
{
string alertTitle = alertNode.Attributes["title"].Value;
string listTitle = alertNode.Attributes["list"].Value;
string loginName = alertNode.Attributes["user"].Value;
string objectType = alertNode.Attributes["object"].Value;
bool isFolder = objectType.ToLower().Equals("folder");
if (!isFolder)
{
output.Append(string.Format("user: {0,20}...", loginName));
try
{
SPList list = web.Lists[listTitle];
SPClaimProviderManager cpm = SPClaimProviderManager.Local;
SPClaim userClaim = cpm.ConvertIdentifierToClaim(loginName, SPIdentifierTypes.WindowsSamAccountName);
SPUser user = web.EnsureUser(userClaim.ToEncodedString());
string eventType = alertNode.Attributes["event"].Value;
SPEventType spEventType = (SPEventType)Enum.Parse(typeof(SPEventType), eventType);
string eventFrequency = alertNode.Attributes["frequency"].Value;
SPAlertFrequency spAlertFrequency = (SPAlertFrequency)Enum.Parse(typeof(SPAlertFrequency), eventFrequency);
string type = alertNode.Attributes["type"].Value;
SPAlertType spAlertType = (SPAlertType)Enum.Parse(typeof(SPAlertType), type);
SPAlert newAlert = user.Alerts.Add();
newAlert.Title = alertTitle;
newAlert.AlertType = spAlertType;
newAlert.List = list;
newAlert.DeliveryChannels = SPAlertDeliveryChannels.Email;
newAlert.EventType = spEventType;
newAlert.AlertFrequency = spAlertFrequency;
newAlert.Status = SPAlertStatus.On;
newAlert.Update(false);
output.Append(string.Format("Complete" + Environment.NewLine));
}
catch (Exception ex) { output.Append(string.Format("error: {0,20}" + Environment.NewLine, ex.Message)); }
}
}
}
}
private static SecureStoreServiceClaim GetSSClaim(SPUser user)
{
SPClaim spClaim = null;
var manager = SPClaimProviderManager.Local;
if ((manager != null) && SPClaimProviderManager.IsEncodedClaim(user.LoginName))
{
spClaim = manager.DecodeClaim(user.LoginName);
}
else
{
spClaim = SPClaimProviderManager.CreateUserClaim(user.LoginName, SPOriginalIssuerType.Windows);
}
SecureStoreServiceClaim ssClaim = new SecureStoreServiceClaim(spClaim);
return(ssClaim);
}
public void BypassServer()
{
Config.AlwaysResolveUserInput = true;
Config.Update();
try
{
UnitTestsHelper.TestSearchOperation(UnitTestsHelper.RandomClaimValue, 2, UnitTestsHelper.RandomClaimValue);
SPClaim inputClaim = new SPClaim(UnitTestsHelper.SPTrust.IdentityClaimTypeInformation.MappedClaimType, UnitTestsHelper.RandomClaimValue, ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, UnitTestsHelper.SPTrust.Name));
UnitTestsHelper.TestValidationOperation(inputClaim, true, UnitTestsHelper.RandomClaimValue);
}
finally
{
Config.AlwaysResolveUserInput = false;
Config.Update();
}
}
protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List <Microsoft.SharePoint.WebControls.PickerEntity> resolved)
{
if (resolveInput.ClaimType == SPClaimTypes.UserLogonName)
{
FillResolve(context, entityTypes, resolveInput.Value, resolved);
}
else
{
//LDAPUser user = LDAPHelper.FindExact(resolveInput.Value);
//if (null != user)
//{
// PickerEntity entity = GetPickerEntity(user);
// resolved.Add(entity);
//}
PickerEntity entityADFS = GetPickerEntityADFS(resolveInput.Value);
resolved.Add(entityADFS);
}
}
/// <summary>
/// A method used to generate a valid SPClaim of ResolveInput which is used in the ResolveClaim operation.
/// </summary>
/// <returns>A return value represents the SPClaim of resolveInput.</returns>
public SPClaim GenerateSPClaimResolveInput_Valid()
{
// Call the helper method to get all claims providers.
SPProviderHierarchyTree[] allProviders = TestSuiteBase.GetAllProviders();
SPClaim resolveInput = new SPClaim();
foreach (SPProviderHierarchyTree provider in allProviders)
{
if (provider.Children.Length != 0)
{
resolveInput.ClaimType = provider.Children[0].HierarchyNodeID;
resolveInput.Value = this.GenerateRandomString(5);
resolveInput.ValueType = this.GenerateGUID();
resolveInput.OriginalIssuer = "ClaimProvider:" + provider.ProviderName;
}
}
return(resolveInput);
}
public void MSCPSWS_S04_TC06_ResolveMultipleClaim_SomeValid()
{
// Call the helper method to get all claims providers.
SPProviderHierarchyTree[] allProviders = TestSuiteBase.GetAllProviders();
ArrayOfString providerNames = new ArrayOfString();
SPPrincipalType principalType = SPPrincipalType.SecurityGroup;
SPClaim[] resolveInput = new SPClaim[2];
resolveInput[0] = this.GenerateSPClaimResolveInput_Valid();
resolveInput[1] = this.GenerateSPClaimResolveInput_Invalid();
foreach (SPProviderHierarchyTree provider in allProviders)
{
if (provider.Children.Length != 0)
{
providerNames.Add(provider.ProviderName);
}
}
// Call Resolve multiple claim method to resolve 2 claims to picker entities using a list of claims providers.
PickerEntity[] responseOfResolveMultipleClaimResult = CPSWSAdapter.ResolveMultipleClaim(providerNames, principalType, resolveInput);
Site.Assert.IsNotNull(responseOfResolveMultipleClaimResult, "The resolve multiple claim result should not be null.");
// If the resolve multiple result contains 2 picker entities, that is to say, one picker entity in the response corresponding to one user in the request, then the following requirement can be captured.
Site.CaptureRequirementIfAreEqual <int>(
responseOfResolveMultipleClaimResult.Length,
2,
369,
@"[In ResolveMultipleClaimResponse] ResolveMultipleClaimResult: The list MUST contain one and only one picker entity per one claim in the input.");
Site.CaptureRequirementIfAreEqual <int>(
responseOfResolveMultipleClaimResult.Length,
2,
350,
@"[In ResolveMultipleClaim] The protocol server MUST resolve across all claims providers that meet all the following criteria:
The claims providers are associated with the Web application (1) specified in the input message.
The claims providers are listed in the provider names in the input message.
The claims providers support resolve.");
}
/// <summary>
/// Use this method to augment the user identity passed as parameter with more claims.
/// </summary>
/// <param name="context"></param>
/// <param name="entity">This claim identifies the user being augmented.</param>
/// <param name="claims">Add the new claims to this list.</param>
protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
{
using (new SPMonitoredScope("FedRolesCP_FillClaimsForEntity"))
{
#region Parameter check
if (entity == null)
throw new ArgumentNullException("entity");
if (claims == null)
throw new ArgumentNullException("claims");
#endregion
// Try to parse the identity claim we got
SPClaim userIdentityClaim = entity;
try
{
userIdentityClaim = SPClaimProviderManager.DecodeUserIdentifierClaim(entity);
}
catch (Exception ex)
{
// This error doesn't have to be fatal, we can try and make do with whatever entity we got in the first place.
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "Error: " + ex.Message);
}
// Bail out if this is not a trusted provider user
if (!userIdentityClaim.OriginalIssuer.StartsWith("TrustedProvider"))
{
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "This is not a trusted provider: " + userIdentityClaim.OriginalIssuer);
return;
}
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "This is the identity claim entity we got");
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "ClaimType: " + userIdentityClaim.ClaimType);
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "ValueType: " + userIdentityClaim.ValueType);
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "OriginalIssuer: " + userIdentityClaim.OriginalIssuer);
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "Value: " + userIdentityClaim.Value);
// Look for a UPN claim as the identity
// If UPN claim is not found, look for an email claim
var identityClaimValue = userIdentityClaim.Value;
if (!(userIdentityClaim.ClaimType.Equals(UPNClaimType) || userIdentityClaim.ClaimType.Equals(EmailClaimType)))
{
// We don't know other identity claims for the moment. Bail out.
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "I don't know this identity claim type");
return;
}
// Search for this user in the current AD, get the groups the user is member of
var filterString = new StringBuilder("(&(objectCategory=User)");
if (userIdentityClaim.ClaimType.Equals(UPNClaimType))
filterString.Append("(userPrincipalName=");
else if (userIdentityClaim.ClaimType.Equals(EmailClaimType))
filterString.Append("(mail=");
filterString.Append(identityClaimValue + "))");
// Need to run all AD code with the app pool identity to avoid Bind issues
SPSecurity.RunWithElevatedPrivileges(delegate()
{
SearchResultCollection results = null;
var searcher = new DirectorySearcher();
searcher.SearchRoot = new DirectoryEntry();
searcher.Filter = filterString.ToString();
searcher.SearchScope = SearchScope.Subtree;
searcher.PropertiesToLoad.Add("memberOf");
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "Using this filter to search AD: " + filterString.ToString());
try
{
results = searcher.FindAll();
}
catch (Exception exc)
{
ULSLogger.Unexpected(ULSLogger.CategoryFillClaims, "Got this error looking for the user in AD: " + exc.Message);
return;
}
if (results.Count != 1)
{
// Zero or more than one user returned. Bail out.
ULSLogger.Medium(ULSLogger.CategoryFillClaims, "Got zero or more than one results from AD");
results.Dispose();
return;
}
// Add those groups as Role
var userEntry = results[0];
foreach (string groupDN in userEntry.Properties["memberOf"])
{
var startIndex = groupDN.IndexOf("=") + 1;
var newClaimValue = groupDN.Substring(startIndex, groupDN.IndexOf(",") - startIndex);
// Create the claim with the same provider as the identity claim
claims.Add(new SPClaim(RoleClaimType, newClaimValue, RoleClaimValueType, userIdentityClaim.OriginalIssuer));
ULSLogger.Verbose(ULSLogger.CategoryFillClaims, "Added a claim with value: " + newClaimValue);
}
// Need to explicitly Dispose this collection
results.Dispose();
});
}
}
/// <summary>
/// A method used to generate a valid SPClaim of ResolveInput which is used in the ResolveClaim operation.
/// </summary>
/// <returns>A return value represents the SPClaim of resolveInput.</returns>
public SPClaim GenerateSPClaimResolveInput_Valid()
{
// Call the helper method to get all claims providers.
SPProviderHierarchyTree[] allProviders = TestSuiteBase.GetAllProviders();
SPClaim resolveInput = new SPClaim();
foreach (SPProviderHierarchyTree provider in allProviders)
{
if (provider.Children.Length != 0)
{
resolveInput.ClaimType = provider.Children[0].HierarchyNodeID;
resolveInput.Value = this.GenerateRandomString(5);
resolveInput.ValueType = this.GenerateGUID();
resolveInput.OriginalIssuer = "ClaimProvider:" + provider.ProviderName;
}
}
return resolveInput;
}
protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
{
Auth0LoggingService.Write("FillResolve input: {0}", resolveInput != null ? resolveInput.ClaimType + "/" + resolveInput.Value : "empty");
if (!this.SetSPTrustInCurrentContext(context))
{
Auth0LoggingService.Write("FillResolve: SetSPTrustInCurrentContext=false.");
return;
}
if (!String.Equals(resolveInput.OriginalIssuer,
SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, this.associatedSPTrustedLoginProvider.Name),
StringComparison.OrdinalIgnoreCase))
{
Auth0LoggingService.Write("FillResolve: Original issuers don't match, {0} != {1}.", resolveInput.OriginalIssuer, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, this.associatedSPTrustedLoginProvider.Name));
return;
}
SPSecurity.RunWithElevatedPrivileges(delegate
{
var input = resolveInput.Value.Contains(IdentifierValuesSeparator) ?
resolveInput.Value.Split(IdentifierValuesSeparator)[1] : resolveInput.Value;
var connectionName = resolveInput.Value.Contains(IdentifierValuesSeparator) ?
resolveInput.Value.Split(IdentifierValuesSeparator)[0] : string.Empty;
var consolidatedResults = this.ResolveInputBulk(input, connectionName);
if (consolidatedResults != null && consolidatedResults.Count > 0)
{
resolved.Add(consolidatedResults.ElementAt(0).PickerEntity);
return;
}
if (resolveInput.ClaimType == ConnectionClaimType)
{
var user = new Auth0.User
{
Identities = new List<Identity>
{
new Identity { Connection = resolveInput.Value }
}
};
resolved.Add(this.GetPickerEntity(user, SPClaimEntityTypes.FormsRole));
}
else if (resolveInput.ClaimType == RoleClaimType)
{
resolved.Add(this.GetRolePickerEntity(resolveInput.Value));
}
else if (this.alwaysResolveValue)
{
var user = new Auth0.User
{
Email = input,
Name = string.Empty,
Picture = string.Empty,
Identities = new List<Identity>
{
new Identity { Connection = connectionName }
}
};
resolved.Add(this.GetPickerEntity(user, SPClaimEntityTypes.User));
}
});
}
SPClaim CreateClaimForSTS(string claimtype, string claimValue)
{
var result = new SPClaim(claimtype, claimValue, Microsoft.IdentityModel.Claims.ClaimValueTypes.String,
SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider,
AssociatedTrustedLoginProviderName));
return result;
}
/// <summary>
/// Return the user key (SPClaim with identity claim type) from the incoming entity
/// </summary>
/// <param name="entity"></param>
/// <returns></returns>
protected override SPClaim GetUserKeyForEntity(SPClaim entity)
{
AzureCPLogging.Log(String.Format("[{0}] GetUserKeyForEntity called, incoming claim value: \"{1}\", claim type: \"{2}\", claim issuer: \"{3}\"", ProviderInternalName, entity.Value, entity.ClaimType, entity.OriginalIssuer),
TraceSeverity.VerboseEx, EventSeverity.Information, AzureCPLogging.Categories.Core);
if (!Initialize(null, null))
return null;
// There are 2 scenarios:
// 1: OriginalIssuer is "SecurityTokenService": Value looks like "05.t|yvanhost|[email protected]", claim type is "http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" and it must be decoded properly
// 2: OriginalIssuer is AzureCP: in this case incoming entity is valid and returned as is
if (String.Equals(entity.OriginalIssuer, IssuerName, StringComparison.InvariantCultureIgnoreCase))
return entity;
SPClaimProviderManager cpm = SPClaimProviderManager.Local;
SPClaim curUser = SPClaimProviderManager.DecodeUserIdentifierClaim(entity);
this.Lock_Config.EnterReadLock();
try
{
AzureCPLogging.Log(String.Format("[{0}] Return user key for user \"{1}\"", ProviderInternalName, entity.Value),
TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Rehydration);
return CreateClaim(IdentityAzureObject.ClaimType, curUser.Value, curUser.ValueType);
}
catch (Exception ex)
{
AzureCPLogging.LogException(ProviderInternalName, "in GetUserKeyForEntity", AzureCPLogging.Categories.Rehydration, ex);
}
finally
{
this.Lock_Config.ExitReadLock();
}
return null;
}
protected override void FillResolve(
Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
{
var users = GetUsers(resolveInput.Value);
resolved.AddRange(users.Select(user => GetPickerEntity(ClaimType.UPN, user.userName, user.email)));
}
protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
{
// Ensure that People Picker is asking for the type of entity that we
// return; site collection administrator will not return, for example.
if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
return;
var adTools = new ActiveDirectory();
var users = adTools.FindUsers(resolveInput.Value.ToLower());
foreach (var user in users)
{
resolved.Add(GetPickerEntity(user));
}
}
protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<Microsoft.SharePoint.WebControls.PickerEntity> resolved)
{
AzureCPLogging.Log(String.Format("[{0}] FillResolve(SPClaim) called, incoming claim value: \"{1}\", claim type: \"{2}\", claim issuer: \"{3}\"", ProviderInternalName, resolveInput.Value, resolveInput.ClaimType, resolveInput.OriginalIssuer),
TraceSeverity.VerboseEx, EventSeverity.Information, AzureCPLogging.Categories.Core);
SPSecurity.RunWithElevatedPrivileges(delegate ()
{
if (!Initialize(context, entityTypes))
return;
// Ensure incoming claim should be validated by AzureCP
// Must be made after call to Initialize because SPTrustedLoginProvider name must be known
if (!String.Equals(resolveInput.OriginalIssuer, IssuerName, StringComparison.InvariantCultureIgnoreCase))
return;
this.Lock_Config.EnterReadLock();
try
{
string input = resolveInput.Value;
// Resolve value only against the incoming claim type
List<AzureADObject> attributes = this.ProcessedAzureObjects.FindAll(x =>
String.Equals(x.ClaimType, resolveInput.ClaimType, StringComparison.InvariantCultureIgnoreCase)
&& !x.CreateAsIdentityClaim);
if (attributes.Count != 1)
{
// Should always find only 1 object at this stage
AzureCPLogging.Log(String.Format("[{0}] Found {1} objects that match the claim type \"{2}\", but exactly 1 is expected. Verify that there is no duplicate claim type. Aborting operation.", ProviderInternalName, attributes.Count().ToString(), resolveInput.ClaimType), TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Picking);
return;
}
AzureADObject attribute = attributes.First();
if (this.CurrentConfiguration.AlwaysResolveUserInput)
{
PickerEntity entity = CreatePickerEntityForSpecificClaimType(
input,
attribute,
false);
if (entity != null)
{
resolved.Add(entity);
AzureCPLogging.Log(String.Format("[{0}] Validated permission without AAD lookup because AzureCP configured to always resolve input. Claim value: \"{1}\", Claim type: \"{2}\"", ProviderInternalName, entity.Claim.Value, entity.Claim.ClaimType), TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Picking);
}
return;
}
// Claims provider is called by static methods in SPClaimProviderOperations class. As a consequence, results must be declared in the method (and not in the class) to ensure that each thread has it own unique collection
List<AzurecpResult> results = new List<AzurecpResult>();
BuildFilterAndProcessResults(input, attributes, true, context, entityTypes, ref results);
if (results != null && results.Count == 1)
{
resolved.Add(results[0].PickerEntity);
AzureCPLogging.Log(String.Format("[{0}] Validated permission with AAD lookup. Claim value: \"{1}\", Claim type: \"{2}\"", ProviderInternalName, results[0].PickerEntity.Claim.Value, results[0].PickerEntity.Claim.ClaimType), TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Picking);
return;
}
else if (!String.IsNullOrEmpty(attribute.PrefixToBypassLookup))
{
// At this stage, it is impossible to know if input was originally created with the keyword that bypasses AAD lookup
// But it should be validated anyway since keyword is set for this claim type
PickerEntity entity = CreatePickerEntityForSpecificClaimType(input, attribute, false);
if (entity != null)
{
resolved.Add(entity);
AzureCPLogging.Log(String.Format("[{0}] Validated permission without LDAP lookup because corresponding claim type has a keyword associated. Claim value: \"{1}\", Claim type: \"{2}\"", ProviderInternalName, entity.Claim.Value, entity.Claim.ClaimType), TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Picking);
return;
}
}
else if (results != null && results.Count != 1)
{
AzureCPLogging.Log(String.Format("[{0}] Validation with AAD lookup created {1} permissions instead of 1 expected. Aborting operation", ProviderInternalName, results.Count.ToString()), TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Picking);
return;
}
}
catch (Exception ex)
{
AzureCPLogging.LogException(ProviderInternalName, "in FillResolve(SPClaim)", AzureCPLogging.Categories.Claims_Picking, ex);
}
finally
{
this.Lock_Config.ExitReadLock();
}
});
}
protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
{
throw new NotImplementedException();
}
protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) {
FillResolve(context, entityTypes, resolveInput.Value, resolved);
}
protected virtual PickerEntity GetPickerEntity(Auth0.User auth0User, string claimEntityType)
{
PickerEntity pe = CreatePickerEntity();
SPClaim claim = null;
if (claimEntityType == SPClaimEntityTypes.User)
{
claim = new SPClaim(
this.identifierClaimType,
string.IsNullOrEmpty(this.auth0Config.IdentifierUserField) || this.auth0Config.IdentifierUserField == "Email" ?
auth0User.UniqueEmail() :
Utils.GetPropValue(auth0User, this.auth0Config.IdentifierUserField).ToString(),
Microsoft.IdentityModel.Claims.ClaimValueTypes.String,
SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, this.associatedSPTrustedLoginProvider.Name));
var displayText = !string.IsNullOrEmpty(auth0User.FamilyName) && !string.IsNullOrEmpty(auth0User.GivenName) ?
string.Format("{0} {1}", auth0User.GivenName, auth0User.FamilyName) : auth0User.Name;
pe.DisplayText =
!string.IsNullOrEmpty(displayText) ?
string.Format("{0} ({1})", displayText, auth0User.Email) :
auth0User.Email;
pe.Description = string.Format(
"Email: {0}; Name: {1}",
auth0User.Email,
auth0User.Name);
pe.EntityType = SPClaimEntityTypes.User;
pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = displayText;
pe.EntityData[PeopleEditorEntityDataKeys.Email] = auth0User.Email;
pe.EntityData["Picture"] = auth0User.Picture;
}
else if (claimEntityType == SPClaimEntityTypes.FormsRole)
{
claim = new SPClaim(
ConnectionClaimType,
auth0User.Identities.First().Connection,
Microsoft.IdentityModel.Claims.ClaimValueTypes.String,
SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, this.associatedSPTrustedLoginProvider.Name));
pe.DisplayText = string.Format(
"All Users ({0})",
auth0User.Identities.First().Connection);
pe.Description = string.Format(
"[{0}] All Users from '{1}'",
ProviderInternalName,
auth0User.Identities.First().Connection);
pe.EntityType = SPClaimEntityTypes.FormsRole;
}
pe.Claim = claim;
pe.IsResolved = true;
pe.EntityGroupName = this.pickerEntityGroupName;
return pe;
}
protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
{
Augment(context, entity, null, claims);
}
/// <summary>
/// A method used to generate an invalid SPClaim of ResolveInput.
/// </summary>
/// <returns>A return value represents the invalid SPClaim of resolveInput.</returns>
public SPClaim GenerateSPClaimResolveInput_Invalid()
{
SPClaim resolveInput = new SPClaim();
resolveInput.ClaimType = this.GenerateRandomString(10);
resolveInput.Value = this.GenerateRandomString(5);
resolveInput.ValueType = this.GenerateGUID();
resolveInput.OriginalIssuer = "ClaimProvider:" + this.GenerateRandomString(5);
return resolveInput;
}
protected override void FillClaimsForEntity(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List<SPClaim> claims)
{
Augment(context, entity, claimProviderContext, claims);
}
protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<Microsoft.SharePoint.WebControls.PickerEntity> resolved)
{
throw new NotImplementedException();
}
//This method attempts to resolve a claim
protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
{
if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
{
return;
}
//Loop through the possible locations
foreach (string clearance in clearances)
{
//Check if the entered claim matches the current list location
if (clearance.ToLower() == resolveInput.Value.ToLower())
{
//There is a match so create an entity for the location
//and add it to the resolved collection
//PickerEntity entity = PickerEntityHelper(clearance); // -----> RESOLVE PickerEntityHelper(clearance);
//resolved.Add(entity);
}
}
}
public static string EncodeUsername(string username, SPSite site)
{
SPClaim claim = new SPClaim(SPClaimTypes.UserLogonName, username, "http://www.w3.org/2001/XMLSchema#string", SPOriginalIssuers.Format(SPOriginalIssuerType.Forms, GetMembershipProvider(site)));
return SPClaimProviderManager.Local.EncodeClaim(claim);
}
/// <summary>
/// Perform augmentation of entity supplied
/// </summary>
/// <param name="context"></param>
/// <param name="entity">entity to augment</param>
/// <param name="claimProviderContext">Can be null</param>
/// <param name="claims"></param>
protected virtual void Augment(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext, List<SPClaim> claims)
{
// Augment role claims of current user
AzureCPLogging.Log(String.Format("[{0}] FillClaimsForEntity called, incoming envity: \"{1}\", claim type: \"{2}\", claim issuer: \"{3}\"", ProviderInternalName, entity.Value, entity.ClaimType, entity.OriginalIssuer),
TraceSeverity.VerboseEx, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
SPSecurity.RunWithElevatedPrivileges(delegate ()
{
if (!Initialize(context, null))
return;
this.Lock_Config.EnterReadLock();
try
{
if (!this.CurrentConfiguration.AugmentAADRoles)
return;
// Check if there are groups to add in SAML token
var groups = this.ProcessedAzureObjects.FindAll(x => x.ClaimEntityType == SPClaimEntityTypes.FormsRole);
if (groups.Count == 0)
{
AzureCPLogging.Log(String.Format("[{0}] No object with ClaimEntityType = SPClaimEntityTypes.FormsRole found.", ProviderInternalName),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
if (groups.Count != 1)
{
AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" objects configured with ClaimEntityType = SPClaimEntityTypes.FormsRole, instead of 1 expected.", ProviderInternalName),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
AzureADObject groupObject = groups.First();
SPClaim curUser;
if (SPClaimProviderManager.IsUserIdentifierClaim(entity))
curUser = SPClaimProviderManager.DecodeUserIdentifierClaim(entity);
else
{
if (SPClaimProviderManager.IsEncodedClaim(entity.Value))
curUser = SPClaimProviderManager.Local.DecodeClaim(entity.Value);
else
curUser = entity;
}
SPOriginalIssuerType loginType = SPOriginalIssuers.GetIssuerType(curUser.OriginalIssuer);
if (loginType == SPOriginalIssuerType.TrustedProvider || loginType == SPOriginalIssuerType.ClaimProvider)
{
string input = curUser.Value;
// Get user in AAD from UPN claim type
List<AzureADObject> identityObjects = ProcessedAzureObjects.FindAll(x =>
String.Equals(x.ClaimType, IdentityAzureObject.ClaimType, StringComparison.InvariantCultureIgnoreCase) &&
!x.CreateAsIdentityClaim);
if (identityObjects.Count != 1)
{
// Expect only 1 object with claim type UPN
AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" objects configured with identity claim type {2} and CreateAsIdentityClaim set to false, instead of 1 expected.", ProviderInternalName, identityObjects.Count, IdentityAzureObject.ClaimType),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
AzureADObject identityObject = identityObjects.First();
List<AzurecpResult> results = new List<AzurecpResult>();
BuildFilterAndProcessResults(input, identityObjects, true, context, null, ref results);
if (results.Count == 0)
{
// User not found
AzureCPLogging.Log(String.Format("[{0}] User with {1}='{2}' was not found in Azure tenant(s).", ProviderInternalName, identityObject.GraphProperty.ToString(), input),
TraceSeverity.Verbose, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
else if (results.Count != 1)
{
// Expect only 1 user
AzureCPLogging.Log(String.Format("[{0}] Found \"{1}\" users with {2}='{3}' instead of 1 expected, aborting augmentation.", ProviderInternalName, results.Count, identityObject.GraphProperty.ToString(), input),
TraceSeverity.Unexpected, EventSeverity.Error, AzureCPLogging.Categories.Claims_Augmentation);
return;
}
AzurecpResult result = results.First();
// Get groups this user is member of from his Azure tenant
AzureTenant userTenant = this.CurrentConfiguration.AzureTenants.First(x => String.Equals(x.TenantId, result.TenantId, StringComparison.InvariantCultureIgnoreCase));
AzureCPLogging.Log(String.Format("[{0}] Getting membership of user \"{1}\" on tenant {2}", ProviderInternalName, input, userTenant.TenantName),
TraceSeverity.Verbose, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
List<AzurecpResult> userMembership = GetUserMembership(result.DirectoryObjectResult as User, userTenant);
foreach (AzurecpResult groupResult in userMembership)
{
Group group = groupResult.DirectoryObjectResult as Group;
SPClaim claim = CreateClaim(groupObject.ClaimType, group.DisplayName, groupObject.ClaimValueType);
claims.Add(claim);
AzureCPLogging.Log(String.Format("[{0}] user {1} augmented with Azure AD group \"{2}\" (claim type {3}).", ProviderInternalName, input, group.DisplayName, groupObject.ClaimType),
TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
}
//foreach (Role role in userMembership.Roles)
//{
// // Azure AD fixed Organizational roles (global admin, billing admin, service admin, user admin, password admin)
// SPClaim claim = CreateClaim(groupObject.ClaimType, role.DisplayName, groupObject.ClaimValueType, false);
// claims.Add(claim);
// AzureCPLogging.Log(String.Format("[{0}] user {1} augmented with Azure AD role \"{2}\" (claim type {3}).", ProviderInternalName, input, role.DisplayName, groupObject.ClaimType),
// TraceSeverity.Medium, EventSeverity.Information, AzureCPLogging.Categories.Claims_Augmentation);
//}
}
}
catch (Exception ex)
{
AzureCPLogging.LogException(ProviderInternalName, "in FillClaimsForEntity", AzureCPLogging.Categories.Claims_Augmentation, ex);
}
finally
{
this.Lock_Config.ExitReadLock();
}
});
}
/// <summary>
/// A method used to resolve a list of claims to picker entities using a list of claims providers.
/// </summary>
/// <param name="providerNames">A parameter represents a list of provider names.</param>
/// <param name="principalType">A parameter represents which type of picker entities to be included in the result.</param>
/// <param name="resolveInput">A parameter represents a list of claims to be resolved.</param>
/// <returns>A return value represents a list of picker entities.</returns>
public PickerEntity[] ResolveMultipleClaim(ArrayOfString providerNames, SPPrincipalType principalType, SPClaim[] resolveInput)
{
PickerEntity[] responseOfResolveMultipleClaim = new PickerEntity[0];
try
{
responseOfResolveMultipleClaim = this.cpswsClient.ResolveMultipleClaim(providerNames, principalType, resolveInput);
this.CaptureTransportRelatedRequirements();
}
catch (FaultException faultEX)
{
this.Site.Log.Add(
LogEntryKind.Debug,
@"There is an exception generated when calling [ResolveMultipleClaim] method:\r\n{0}",
faultEX.Message);
this.CaptureTransportRelatedRequirements();
this.ValidateAndCaptureSOAPFaultRequirement(faultEX);
throw;
}
this.ValidateResolveMultipleClaimResponseData(responseOfResolveMultipleClaim);
return responseOfResolveMultipleClaim;
}
public void MSCPSWS_S04_TC06_ResolveMultipleClaim_SomeValid()
{
// Call the helper method to get all claims providers.
SPProviderHierarchyTree[] allProviders = TestSuiteBase.GetAllProviders();
ArrayOfString providerNames = new ArrayOfString();
SPPrincipalType principalType = SPPrincipalType.SecurityGroup;
SPClaim[] resolveInput = new SPClaim[2];
resolveInput[0] = this.GenerateSPClaimResolveInput_Valid();
resolveInput[1] = this.GenerateSPClaimResolveInput_Invalid();
foreach (SPProviderHierarchyTree provider in allProviders)
{
if (provider.Children.Length != 0)
{
providerNames.Add(provider.ProviderName);
}
}
// Call Resolve multiple claim method to resolve 2 claims to picker entities using a list of claims providers.
PickerEntity[] responseOfResolveMultipleClaimResult = CPSWSAdapter.ResolveMultipleClaim(providerNames, principalType, resolveInput);
Site.Assert.IsNotNull(responseOfResolveMultipleClaimResult, "The resolve multiple claim result should not be null.");
// If the resolve multiple result contains 2 picker entities, that is to say, one picker entity in the response corresponding to one user in the request, then the following requirement can be captured.
Site.CaptureRequirementIfAreEqual<int>(
responseOfResolveMultipleClaimResult.Length,
2,
369,
@"[In ResolveMultipleClaimResponse] ResolveMultipleClaimResult: The list MUST contain one and only one picker entity per one claim in the input.");
Site.CaptureRequirementIfAreEqual<int>(
responseOfResolveMultipleClaimResult.Length,
2,
350,
@"[In ResolveMultipleClaim] The protocol server MUST resolve across all claims providers that meet all the following criteria:
The claims providers are associated with the Web application (1) specified in the input message.
The claims providers are listed in the provider names in the input message.
The claims providers support resolve.");
}
