private DelegationRestrictionType ReadDelegates(XmlReader reader)
{
CustomTextTraceSource ts = new CustomTextTraceSource("CommercialVehicleCollisionWebservice.CustomSaml2SecurityTokenHandler.ReadDelegates",
"MyTraceSource", SourceLevels.Information);
DelegationRestrictionType delegate2 = null;
if (reader == null)
{
throw new ArgumentNullException("reader");
}
bool requireDeclaration = false;
if (reader.IsStartElement("Condition", "urn:oasis:names:tc:SAML:2.0:assertion"))
{
reader.Read();
requireDeclaration = true;
}
else if (!reader.IsStartElement("Delegate", "urn:oasis:names:tc:SAML:2.0:conditions:delegation"))
{
reader.ReadStartElement("Delegate", "urn:oasis:names:tc:SAML:2.0:conditions:delegation");
}
try
{
XmlUtil.ValidateXsiType(reader, "DelegationRestrictionType", "urn:oasis:names:tc:SAML:2.0:conditions:delegation", requireDeclaration);
if (reader.IsEmptyElement)
{
string errorMsg = string.Format("The given element ('{0}','{1}') is empty.", reader.LocalName, reader.NamespaceURI);
throw DiagnosticUtil.ThrowHelperXml(reader, errorMsg);
}
List<DelegateType> delegates = new List<DelegateType>();
ts.TraceInformation("Before while (reader.IsStartElement(Delegate, urn:oasis:names:tc:SAML:2.0:conditions:delegation)" );
ts.TraceInformation("\treader: " + reader.Name);
while (reader.IsStartElement("Delegate", "urn:oasis:names:tc:SAML:2.0:conditions:delegation"))
{
ts.TraceInformation("Inside while (reader.IsStartElement(Delegate, urn:oasis:names:tc:SAML:2.0:conditions:delegation)");
ts.TraceInformation("\treader: " + reader.Name);
DelegateType delegateType = new DelegateType();
string attribute = reader.GetAttribute("DelegationInstant");
if (!string.IsNullOrEmpty(attribute))
{
delegateType.DelegationInstant = XmlConvert.ToDateTime(attribute, DateTimeFormats.Accepted);
}
reader.Read();
ts.TraceInformation("After reader.Read()");
ts.TraceInformation("\treader: " + reader.Name);
if (!reader.IsStartElement("NameID", "urn:oasis:names:tc:SAML:2.0:assertion"))
{
ts.TraceInformation("Inside !reader.IsStartElement(NameID, urn:oasis:names:tc:SAML:2.0:assertion)");
ts.TraceInformation("\treader: " + reader.Name);
reader.ReadStartElement("NameID", "urn:oasis:names:tc:SAML:2.0:assertion");
}
delegateType.Item = ReadSimpleUriElement(reader, UriKind.RelativeOrAbsolute, true);
ts.TraceInformation("Delegate NameID: " + delegateType.Item.ToString());
delegates.Add(delegateType);
reader.ReadEndElement();
}
DelegationRestrictionType delegate1 = new DelegationRestrictionType();
delegate1.Delegate = delegates.ToArray();
delegate2 = delegate1;
}
catch (Exception exception)
{
Exception exception2 = DiagnosticUtil.TryWrapReadException(reader, exception);
if (exception2 == null)
{
throw;
}
throw exception2;
}
return delegate2;
}
protected override Saml2Conditions CreateConditions(Microsoft.IdentityModel.Protocols.WSTrust.Lifetime tokenLifetime,
string relyingPartyAddress, SecurityTokenDescriptor tokenDescriptor)
{
if (null == tokenLifetime && !string.IsNullOrEmpty(relyingPartyAddress))
{
return null;
}
Saml2ConditionsDelegateWrapper conditions = new Saml2ConditionsDelegateWrapper();
conditions.NotBefore = tokenLifetime.Created;
conditions.NotOnOrAfter = tokenLifetime.Expires;
// GFIPM S2S 8.8.2.6.a
string relyingPartyEntityID = _trustFabric.GetWspEntityIdFromEndpointAddress(relyingPartyAddress);
// Make sure that the entity id is present in the <microsoft.identityModel><service><audienceUris> collection in the
// WSP configuration file
conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(relyingPartyEntityID, UriKind.RelativeOrAbsolute)));
// check if the actors are set in the subject and create the delegates from the actors
IClaimsIdentity currentDelegate = tokenDescriptor.Subject.Actor;
List<DelegateType> delegates = new List<DelegateType>();
while (currentDelegate != null)
{
DelegateType delegateType = CreateDelegate(currentDelegate.Claims[0].Value, currentDelegate.Claims[1].Value);
delegates.Add(delegateType);
// most recent delegate, synchronize token creation and delegationInstant
if (currentDelegate.Actor == null)
{
if (conditions.NotBefore.HasValue)
{
delegateType.DelegationInstant = conditions.NotBefore.Value;
}
}
currentDelegate = currentDelegate.Actor;
}
DelegationRestrictionType delegate1 = new DelegationRestrictionType();
delegate1.Delegate = delegates.ToArray();
conditions.Delegates = delegate1;
return conditions;
}
// This is actually augmenting the claims in the subject. At the WSP, this should not return any claims!
//public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
//{
// CustomTextTraceSource ts = new CustomTextTraceSource("CommercialVehicleCollisionWebservice.CustomSaml2SecurityTokenHandler.ValidateToken",
// "MyTraceSource", SourceLevels.Information);
// ClaimsIdentityCollection ret = null;
// SerializeTokenToStream(token as Saml2SecurityToken, ts, "ValidateToken");
// IClaimsIdentity claimsIdentity = null;
// if (token == null)
// {
// throw new ArgumentNullException("token");
// }
// Saml2SecurityToken token2 = token as Saml2SecurityToken;
// if (token2 == null)
// {
// throw new ArgumentNullException("null Saml2SecurityToken");
// }
// if (base.Configuration == null)
// {
// throw new InvalidOperationException("null Configuration");
// }
// Saml2Assertion assertion = token2.Assertion;
// //bool shouldEnforceAudienceRestriction = this.SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(
// // base.Configuration.AudienceRestriction.AudienceMode, token2);
// this.ValidateConditions(assertion.Conditions,
// this.SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(base.Configuration.AudienceRestriction.AudienceMode, token2));
// //Saml2SubjectConfirmation confirmation = assertion.Subject.SubjectConfirmations[0];
// // certificate that signed the assertion internally!
// X509SecurityToken issuerToken = token2.IssuerToken as X509SecurityToken;
// if (issuerToken != null)
// {
// // Here we validate the Issuer certificate
// this.CertificateValidator.Validate(issuerToken.Certificate);
// }
// claimsIdentity = this.CreateClaims(token2);
// if (base.Configuration.DetectReplayedTokens)
// {
// this.DetectReplayedTokens(token2);
// }
// // This will be needed if chaining WSP/WSC
// if (base.Configuration.SaveBootstrapTokens)
// {
// claimsIdentity.BootstrapToken = token;
// }
// // Debug
// ClaimsIdentityCollection ids = new ClaimsIdentityCollection();
// ids.Add(claimsIdentity);
// IClaimsPrincipal p = new ClaimsPrincipal(ids);
// ClaimsUtil.LogClaimsPrincipal(p, "CommercialVehicleCollisionWebservice.CustomSaml2SecurityTokenHandler.ValidateToken)");
// ret = new ClaimsIdentityCollection(new IClaimsIdentity[] { claimsIdentity });
// return ret;
//}
#endregion
protected void ValidateDelegates(DelegationRestrictionType delegation)
{
CustomTextTraceSource ts = new CustomTextTraceSource("CommercialVehicleCollisionWebservice.CustomSaml2SecurityTokenHandler.ValidateDelegates",
"MyTraceSource", SourceLevels.Information);
// get all intermediaries IDs
List<string> wscEndityIds = new List<string>();
foreach (DelegateType wscDelegate in delegation.Delegate)
{
ts.TraceInformation("Delegate NameID: " + wscDelegate.Item.ToString());
wscEndityIds.Add(wscDelegate.Item.ToString());
}
// Here we verify that all the entityIDs are part of the trust fabric
if (!_trustFabric.Contains(wscEndityIds))
{
throw new InvalidSecurityException("Not all of the intermediaries in the delegation chain are present in the Trust Fabric.");
}
}
private DelegationRestrictionType ReadDelegates(XmlReader reader)
{
CustomAdsTextTraceSource ts = new CustomAdsTextTraceSource("IdpAds.OnBehalfOfSaml2SecurityTokenHandler.ReadDelegates",
"AdsTraceSource", SourceLevels.Information);
//DelegationRestrictionType delegate2 = null;
if (reader == null)
{
throw new ArgumentNullException("reader");
}
bool requireDeclaration = false;
if (reader.IsStartElement("Condition", "urn:oasis:names:tc:SAML:2.0:assertion"))
{
reader.Read();
requireDeclaration = true;
}
else if (!reader.IsStartElement("Delegate", "urn:oasis:names:tc:SAML:2.0:conditions:delegation"))
{
reader.ReadStartElement("Delegate", "urn:oasis:names:tc:SAML:2.0:conditions:delegation");
}
bool isEmptyElement = reader.IsEmptyElement;
XmlUtil.ValidateXsiType(reader, "DelegationRestrictionType", "urn:oasis:names:tc:SAML:2.0:conditions:delegation", requireDeclaration);
if (isEmptyElement)
{
string errorMsg = string.Format("The given element ('{0}','{1}') is empty.", reader.LocalName, reader.NamespaceURI);
throw DiagnosticUtil.ThrowHelperXml(reader, errorMsg);
}
List<DelegateType> delegates = new List<DelegateType>();
while (reader.IsStartElement("Delegate", "urn:oasis:names:tc:SAML:2.0:conditions:delegation"))
{
DelegateType delegateType = new DelegateType();
string attribute = reader.GetAttribute("DelegationInstant");
if (!string.IsNullOrEmpty(attribute))
{
delegateType.DelegationInstant = XmlConvert.ToDateTime(attribute, DateTimeFormats.Accepted);
}
// What does this do?
reader.Read();
if (!reader.IsStartElement("NameID", "urn:oasis:names:tc:SAML:2.0:assertion"))
{
reader.ReadStartElement("NameID", "urn:oasis:names:tc:SAML:2.0:assertion");
}
// TODO: Investgate the proper way to read this
delegateType.Item = ReadSimpleUriElement(reader, UriKind.RelativeOrAbsolute, true);
delegates.Add(delegateType);
reader.ReadEndElement();
}
DelegationRestrictionType delegateRestriction = new DelegationRestrictionType();
delegateRestriction.Delegate = delegates.ToArray();
//delegate2 = delegate1;
return delegateRestriction;
//return delegate2;
}
