static IIdentity DeserializePrimaryIdentity(XmlDictionaryReader reader, SctClaimDictionary dictionary, XmlObjectSerializer serializer)
{
IIdentity identity = null;
if (reader.IsStartElement(dictionary.PrimaryIdentity, dictionary.EmptyString))
{
reader.ReadStartElement();
if (reader.IsStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString))
{
SecurityIdentifier sid = ReadSidAttribute(reader, dictionary);
string authenticationType = reader.GetAttribute(dictionary.AuthenticationType, dictionary.EmptyString);
reader.ReadStartElement();
string name = reader.ReadContentAsString();
identity = new WindowsSidIdentity(sid, name, authenticationType ?? String.Empty);
reader.ReadEndElement();
}
else if (reader.IsStartElement(dictionary.GenericIdentity, dictionary.EmptyString))
{
string authenticationType = reader.GetAttribute(dictionary.AuthenticationType, dictionary.EmptyString);
reader.ReadStartElement();
string name = reader.ReadContentAsString();
identity = SecurityUtils.CreateIdentity(name, authenticationType ?? String.Empty);
reader.ReadEndElement();
}
else
{
identity = (IIdentity)serializer.ReadObject(reader);
}
reader.ReadEndElement();
}
return(identity);
}
static void SerializePrimaryIdentity(IIdentity identity, SctClaimDictionary dictionary, XmlDictionaryWriter writer, XmlObjectSerializer serializer)
{
if (identity != null && identity != SecurityUtils.AnonymousIdentity)
{
writer.WriteStartElement(dictionary.PrimaryIdentity, dictionary.EmptyString);
if (identity is WindowsIdentity)
{
WindowsIdentity wid = (WindowsIdentity)identity;
writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
WriteSidAttribute(wid.User, dictionary, writer);
// This is to work around WOW64 bug Windows OS 1491447
string authenticationType = null;
using (WindowsIdentity self = WindowsIdentity.GetCurrent())
{
// is owner or admin? AuthenticationType could throw un-authorized exception
if ((self.User == wid.Owner) ||
(wid.Owner != null && self.Groups.Contains(wid.Owner)) ||
(wid.Owner != SecurityUtils.AdministratorsSid && self.Groups.Contains(SecurityUtils.AdministratorsSid)))
{
authenticationType = wid.AuthenticationType;
}
}
if (!String.IsNullOrEmpty(authenticationType))
{
writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, authenticationType);
}
writer.WriteString(wid.Name);
writer.WriteEndElement();
}
else if (identity is WindowsSidIdentity)
{
WindowsSidIdentity wsid = (WindowsSidIdentity)identity;
writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
WriteSidAttribute(wsid.SecurityIdentifier, dictionary, writer);
if (!String.IsNullOrEmpty(wsid.AuthenticationType))
{
writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, wsid.AuthenticationType);
}
writer.WriteString(wsid.Name);
writer.WriteEndElement();
}
else if (identity is GenericIdentity)
{
GenericIdentity genericIdentity = (GenericIdentity)identity;
writer.WriteStartElement(dictionary.GenericIdentity, dictionary.EmptyString);
if (!String.IsNullOrEmpty(genericIdentity.AuthenticationType))
{
writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, genericIdentity.AuthenticationType);
}
writer.WriteString(genericIdentity.Name);
writer.WriteEndElement();
}
else
{
serializer.WriteObject(writer, identity);
}
writer.WriteEndElement();
}
}
private static void SerializePrimaryIdentity(IIdentity identity, SctClaimDictionary dictionary, XmlDictionaryWriter writer, XmlObjectSerializer serializer)
{
if ((identity != null) && (identity != System.ServiceModel.Security.SecurityUtils.AnonymousIdentity))
{
writer.WriteStartElement(dictionary.PrimaryIdentity, dictionary.EmptyString);
if (identity is WindowsIdentity)
{
WindowsIdentity identity2 = (WindowsIdentity)identity;
writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
WriteSidAttribute(identity2.User, dictionary, writer);
string authenticationType = null;
using (WindowsIdentity identity3 = WindowsIdentity.GetCurrent())
{
if (((identity3.User == identity2.Owner) || ((identity2.Owner != null) && identity3.Groups.Contains(identity2.Owner))) || ((identity2.Owner != System.ServiceModel.Security.SecurityUtils.AdministratorsSid) && identity3.Groups.Contains(System.ServiceModel.Security.SecurityUtils.AdministratorsSid)))
{
authenticationType = identity2.AuthenticationType;
}
}
if (!string.IsNullOrEmpty(authenticationType))
{
writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, authenticationType);
}
writer.WriteString(identity2.Name);
writer.WriteEndElement();
}
else if (identity is WindowsSidIdentity)
{
WindowsSidIdentity identity4 = (WindowsSidIdentity)identity;
writer.WriteStartElement(dictionary.WindowsSidIdentity, dictionary.EmptyString);
WriteSidAttribute(identity4.SecurityIdentifier, dictionary, writer);
if (!string.IsNullOrEmpty(identity4.AuthenticationType))
{
writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, identity4.AuthenticationType);
}
writer.WriteString(identity4.Name);
writer.WriteEndElement();
}
else if (identity is GenericIdentity)
{
GenericIdentity identity5 = (GenericIdentity)identity;
writer.WriteStartElement(dictionary.GenericIdentity, dictionary.EmptyString);
if (!string.IsNullOrEmpty(identity5.AuthenticationType))
{
writer.WriteAttributeString(dictionary.AuthenticationType, dictionary.EmptyString, identity5.AuthenticationType);
}
writer.WriteString(identity5.Name);
writer.WriteEndElement();
}
else
{
serializer.WriteObject(writer, identity);
}
writer.WriteEndElement();
}
}
private IPrincipal GetWindowsPrincipal(ServiceSecurityContext securityContext)
{
WindowsIdentity windowsIdentity = securityContext.WindowsIdentity;
if (!windowsIdentity.IsAnonymous)
{
return(new WindowsPrincipal(windowsIdentity));
}
WindowsSidIdentity primaryIdentity = securityContext.PrimaryIdentity as WindowsSidIdentity;
if (primaryIdentity != null)
{
return(new WindowsSidPrincipal(primaryIdentity, securityContext));
}
return(AnonymousWindowsPrincipal);
}
IPrincipal GetWindowsPrincipal(ServiceSecurityContext securityContext)
{
WindowsIdentity wid = securityContext.WindowsIdentity;
if (!wid.IsAnonymous)
{
return(new WindowsPrincipal(wid));
}
WindowsSidIdentity wsid = securityContext.PrimaryIdentity as WindowsSidIdentity;
if (wsid != null)
{
return(new WindowsSidPrincipal(wsid, securityContext));
}
return(AnonymousWindowsPrincipal);
}
internal static void AppendIdentityName(StringBuilder str, IIdentity identity)
{
string name = null;
try
{
name = identity.Name;
}
#pragma warning suppress 56500
catch (Exception e)
{
if (Fx.IsFatal(e))
{
throw;
}
// suppress exception, this is just info.
}
str.Append(String.IsNullOrEmpty(name) ? "<null>" : name);
#if SUPPORTS_WINDOWSIDENTITY // NegotiateStream
WindowsIdentity windows = identity as WindowsIdentity;
if (windows != null)
{
if (windows.User != null)
{
str.Append("; ");
str.Append(windows.User.ToString());
}
}
else
{
WindowsSidIdentity sid = identity as WindowsSidIdentity;
if (sid != null)
{
str.Append("; ");
str.Append(sid.SecurityIdentifier.ToString());
}
}
#else
throw ExceptionHelper.PlatformNotSupported(ExceptionHelper.WinsdowsStreamSecurityNotSupported);
#endif // SUPPORTS_WINDOWSIDENTITY
}
internal static void AppendIdentityName(StringBuilder str, IIdentity identity)
{
string name = null;
try
{
name = identity.Name;
}
catch (Exception e)
{
if (Fx.IsFatal(e))
{
throw;
}
// suppress exception, this is just info.
}
str.Append(string.IsNullOrEmpty(name) ? "<null>" : name);
WindowsIdentity windows = identity as WindowsIdentity;
if (windows != null)
{
if (windows.User != null)
{
str.Append("; ");
str.Append(windows.User.ToString());
}
}
else
{
WindowsSidIdentity sid = identity as WindowsSidIdentity;
if (sid != null)
{
str.Append("; ");
str.Append(sid.SecurityIdentifier.ToString());
}
}
}
public WindowsSidPrincipal(WindowsSidIdentity identity, ServiceSecurityContext securityContext)
{
_identity = identity;
_securityContext = securityContext;
}
private IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
IDisposable disposable = null;
try
{
if (isSecurityContextImpersonationOn)
{
if (securityContext == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SFxSecurityContextPropertyMissingFromRequestMessage")), rpc.Request);
}
WindowsIdentity windowsIdentity = securityContext.WindowsIdentity;
if (windowsIdentity.User == null)
{
if (securityContext.PrimaryIdentity is WindowsSidIdentity)
{
WindowsSidIdentity primaryIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
if (primaryIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
{
disposable = new WindowsAnonymousIdentity().Impersonate();
goto Label_0103;
}
using (WindowsIdentity identity3 = new WindowsIdentity(this.GetUpnFromDownlevelName(primaryIdentity.Name), "Kerberos"))
{
disposable = identity3.Impersonate();
goto Label_0103;
}
}
throw TraceUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("SecurityContextDoesNotAllowImpersonation", new object[] { rpc.Operation.Action })), rpc.Request);
}
disposable = windowsIdentity.Impersonate();
}
else if (AspNetEnvironment.Current.RequiresImpersonation && (rpc.HostingProperty != null))
{
disposable = rpc.HostingProperty.Impersonate();
}
Label_0103:
SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.Operation);
if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
{
SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
}
}
catch (Exception exception)
{
if (Fx.IsFatal(exception))
{
throw;
}
SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.Operation, exception);
if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
{
try
{
string identityNamesFromContext;
if (securityContext != null)
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
}
else
{
identityNamesFromContext = System.ServiceModel.Security.SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation, this.suppressAuditFailure, rpc.Operation.Name, identityNamesFromContext, exception);
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2))
{
throw;
}
System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
throw;
}
return(disposable);
}
IDisposable StartImpersonation2(ref MessageRpc rpc, ServiceSecurityContext securityContext, bool isSecurityContextImpersonationOn)
{
IDisposable impersonationContext = null;
try
{
if (isSecurityContextImpersonationOn)
{
if (securityContext == null)
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SFxSecurityContextPropertyMissingFromRequestMessage)), rpc.Request);
}
WindowsIdentity impersonationToken = securityContext.WindowsIdentity;
if (impersonationToken.User != null)
{
impersonationContext = impersonationToken.Impersonate();
}
else if (securityContext.PrimaryIdentity is WindowsSidIdentity)
{
WindowsSidIdentity sidIdentity = (WindowsSidIdentity)securityContext.PrimaryIdentity;
if (sidIdentity.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
{
impersonationContext = new WindowsAnonymousIdentity().Impersonate();
}
else
{
string fullyQualifiedDomainName = GetUpnFromDownlevelName(sidIdentity.Name);
using (WindowsIdentity windowsIdentity = new WindowsIdentity(fullyQualifiedDomainName, SecurityUtils.AuthTypeKerberos))
{
impersonationContext = windowsIdentity.Impersonate();
}
}
}
else
{
throw TraceUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecurityContextDoesNotAllowImpersonation, rpc.Operation.Action)), rpc.Request);
}
}
else if (AspNetEnvironment.Current.RequiresImpersonation)
{
if (rpc.HostingProperty != null)
{
impersonationContext = rpc.HostingProperty.Impersonate();
}
}
SecurityTraceRecordHelper.TraceImpersonationSucceeded(rpc.EventTraceActivity, rpc.Operation);
// update the impersonation succeed audit
if (AuditLevel.Success == (this.auditLevel & AuditLevel.Success))
{
SecurityAuditHelper.WriteImpersonationSuccessEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Operation.Name, SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext));
}
}
catch (Exception ex)
{
if (Fx.IsFatal(ex))
{
throw;
}
SecurityTraceRecordHelper.TraceImpersonationFailed(rpc.EventTraceActivity, rpc.Operation, ex);
//
// Update the impersonation failure audit
// Copy SecurityAuthorizationBehavior.Audit level to here!!!
//
if (AuditLevel.Failure == (this.auditLevel & AuditLevel.Failure))
{
try
{
string primaryIdentity;
if (securityContext != null)
{
primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(securityContext.AuthorizationContext);
}
else
{
primaryIdentity = SecurityUtils.AnonymousIdentity.Name;
}
SecurityAuditHelper.WriteImpersonationFailureEvent(this.auditLogLocation,
this.suppressAuditFailure, rpc.Operation.Name, primaryIdentity, ex);
}
#pragma warning suppress 56500
catch (Exception auditException)
{
if (Fx.IsFatal(auditException))
{
throw;
}
DiagnosticUtility.TraceHandledException(auditException, TraceEventType.Error);
}
}
throw;
}
return(impersonationContext);
}
private void WriteAuditEvent(AuditLevel auditLevel, X509Certificate2 certificate, WindowsSidIdentity wsid, Exception exception)
{
try
{
string clientIdentity = string.Empty;
if (certificate != null)
{
clientIdentity = System.ServiceModel.Security.SecurityUtils.GetCertificateId(certificate);
}
else if (wsid != null)
{
clientIdentity = System.ServiceModel.Security.SecurityUtils.GetIdentityName(wsid);
}
if (auditLevel == AuditLevel.Success)
{
SecurityAuditHelper.WriteTransportAuthenticationSuccessEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, clientIdentity);
}
else
{
SecurityAuditHelper.WriteTransportAuthenticationFailureEvent(base.AuditBehavior.AuditLogLocation, base.AuditBehavior.SuppressAuditFailure, null, this.Uri, clientIdentity, exception);
}
}
catch (Exception exception2)
{
if (Fx.IsFatal(exception2) || (auditLevel == AuditLevel.Success))
{
throw;
}
DiagnosticUtility.ExceptionUtility.TraceHandledException(exception2, TraceEventType.Error);
}
}
internal SecurityMessageProperty ValidateSecurity(MsmqInputMessage msmqMessage)
{
SecurityMessageProperty property = null;
X509Certificate2 certificate = null;
WindowsSidIdentity primaryIdentity = null;
try
{
if (MsmqAuthenticationMode.Certificate == base.ReceiveParameters.TransportSecurity.MsmqAuthenticationMode)
{
try
{
certificate = new X509Certificate2(msmqMessage.SenderCertificate.GetBufferCopy(msmqMessage.SenderCertificateLength.Value));
X509SecurityToken token = new X509SecurityToken(certificate, false);
ReadOnlyCollection <IAuthorizationPolicy> tokenPolicies = this.x509SecurityTokenAuthenticator.ValidateToken(token);
property = new SecurityMessageProperty {
TransportToken = new SecurityTokenSpecification(token, tokenPolicies),
ServiceSecurityContext = new ServiceSecurityContext(tokenPolicies)
};
goto Label_01C4;
}
catch (SecurityTokenValidationException exception)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("MsmqBadCertificate"), exception));
}
catch (CryptographicException exception2)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("MsmqBadCertificate"), exception2));
}
}
if (MsmqAuthenticationMode.WindowsDomain == base.ReceiveParameters.TransportSecurity.MsmqAuthenticationMode)
{
byte[] bufferCopy = msmqMessage.SenderId.GetBufferCopy(msmqMessage.SenderIdLength.Value);
if (bufferCopy.Length == 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(System.ServiceModel.SR.GetString("MsmqNoSid")));
}
SecurityIdentifier resource = new SecurityIdentifier(bufferCopy, 0);
List <Claim> claims = new List <Claim>(2)
{
new Claim(ClaimTypes.Sid, resource, Rights.Identity),
Claim.CreateWindowsSidClaim(resource)
};
ClaimSet issuance = new DefaultClaimSet(ClaimSet.System, claims);
List <IAuthorizationPolicy> list2 = new List <IAuthorizationPolicy>(1);
primaryIdentity = new WindowsSidIdentity(resource);
list2.Add(new UnconditionalPolicy(primaryIdentity, issuance));
ReadOnlyCollection <IAuthorizationPolicy> onlys2 = list2.AsReadOnly();
property = new SecurityMessageProperty {
TransportToken = new SecurityTokenSpecification(null, onlys2),
ServiceSecurityContext = new ServiceSecurityContext(onlys2)
};
}
}
catch (Exception exception3)
{
if (Fx.IsFatal(exception3))
{
throw;
}
if (AuditLevel.Failure == (base.AuditBehavior.MessageAuthenticationAuditLevel & AuditLevel.Failure))
{
this.WriteAuditEvent(AuditLevel.Failure, certificate, primaryIdentity, null);
}
throw;
}
Label_01C4:
if ((property != null) && (AuditLevel.Success == (base.AuditBehavior.MessageAuthenticationAuditLevel & AuditLevel.Success)))
{
this.WriteAuditEvent(AuditLevel.Success, certificate, primaryIdentity, null);
}
return(property);
}
