public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails) { var userName = principal.Identity.Name; var claims = new List<Claim>(); // email address string email = Membership.FindUsersByName(userName)[userName].Email; if (!String.IsNullOrEmpty(email)) { claims.Add(new Claim(ClaimTypes.Email, email)); } // roles GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role))); // profile claims if (ProfileManager.Enabled) { var profile = ProfileBase.Create(userName, true); if (profile != null) { foreach (SettingsProperty prop in ProfileBase.Properties) { string value = profile.GetPropertyValue(prop.Name).ToString(); if (!String.IsNullOrWhiteSpace(value)) { claims.Add(new Claim(ProfileClaimPrefix + prop.Name.ToLowerInvariant(), value)); } } } } return claims; }
public static List<Claim> GetOutputClaims(IClaimsPrincipal principal, RequestDetails requestDetails, IUserRepository userRepository) { var name = principal.FindClaims(ClaimTypes.Name).First().Value; var nameId = new Claim(ClaimTypes.NameIdentifier, name); var userClaims = new List<Claim> { new Claim(ClaimTypes.Name, name), nameId, new Claim(ClaimTypes.AuthenticationMethod, principal.FindClaims(ClaimTypes.AuthenticationMethod).First().Value), AuthenticationInstantClaim.Now }; userClaims.AddRange(userRepository.GetClaims(principal, requestDetails)); return userClaims; }
public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails) { var userName = principal.Identity.Name; var claims = new List<Claim>(); // email address var email = "*****@*****.**"; if (!string.IsNullOrEmpty(email)) { claims.Add(new Claim(ClaimTypes.Email, email)); } // roles GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role))); // profile claims claims.Add(new Claim(ProfileClaimPrefix + "fullname", "Michael Noonan")); return claims; }
protected virtual void ValidateSsl(RequestDetails details) { // check if SSL is used (for passive only) if (_configuration.RequireSsl && !details.UsesSsl) { if (!details.IsActive) { Tracing.Tracing.Error("Configuration requires SSL - but clear text reply address used"); throw new InvalidRequestException("SSL is required"); } } }
private void ValidateTokenType(RequestDetails details) { if (details.TokenType == SimpleWebToken.OasisTokenProfile) { if (details.RelyingPartyRegistration == null || details.RelyingPartyRegistration.SymmetricSigningKey == null || details.RelyingPartyRegistration.SymmetricSigningKey.Length == 0) { Tracing.Tracing.Error("SWT token requested, but no symmetric signing key found"); throw new InvalidRequestException("SWT token requested, but no symmetric signing key found"); } } }
protected virtual void ValidateKnownRealm(RequestDetails details) { // check if realm is allowed if (_configuration.AllowKnownRealmsOnly && (!details.IsKnownRealm)) { Tracing.Tracing.Error("Configuration requires a known realm - but realm is not registered"); throw new InvalidScopeException(details.Realm.Uri.AbsoluteUri); } }
protected virtual void ValidateReplyTo(RequestDetails details) { // check if replyto is part of a registered realm (when not explicitly registered in config) if (!details.IsReplyToFromConfiguration) { if (_configuration.RequireReplyToWithinRealm && (!details.ReplyToAddressIsWithinRealm)) { Tracing.Tracing.Error("Configuration requires that ReplyTo is a sub-address of the realm - this is not the case"); throw new InvalidRequestException("Invalid ReplyTo"); } } }
protected virtual void AnalyzeOperationContext(RequestDetails details) { // determine if this is a WCF call if (OperationContext.Current != null) { details.IsActive = true; Tracing.Tracing.Information("Active request"); } else { Tracing.Tracing.Information("Passive request"); } }
protected virtual void ValidateEncryption(RequestDetails details) { // check if token must be encrypted if (_configuration.RequireEncryption && (!details.UsesEncryption)) { Tracing.Tracing.Error("Configuration requires encryption - but no key available"); throw new InvalidRequestException("No encryption key available"); } }
protected virtual void AnalyzeSsl(RequestDetails details) { // determine if reply to is via SSL details.UsesSsl = (details.ReplyToAddress.Scheme == Uri.UriSchemeHttps); Tracing.Tracing.Information(String.Format("SSL used:{0}", details.UsesSsl)); }
protected virtual IClaimsIdentity GetActAsClaimsIdentity(IClaimsIdentity clientIdentity, RequestDetails requestDetails) { var actAsSubject = requestDetails.Request.ActAs.GetSubject()[0]; var actAsIdentity = actAsSubject.Copy(); // find the last actor in the actAs identity IClaimsIdentity lastActor = actAsIdentity; while (lastActor.Actor != null) { lastActor = lastActor.Actor; } // set the caller's identity as the last actor in the delegation chain lastActor.Actor = clientIdentity; Tracing.Tracing.Information("ActAs client identity: " + actAsIdentity.Name); Tracing.Tracing.Information("ActAs actor identity : " + actAsIdentity.Actor.Name); // return the actAsIdentity instead of the caller's identity in this case return actAsIdentity; }
protected virtual void AnalyzeRequestClaims(RequestDetails details) { // check if specific claims are requested if (details.Request.Claims != null && details.Request.Claims.Count > 0) { details.ClaimsRequested = true; details.RequestClaims = details.Request.Claims; var requestClaims = new StringBuilder(20); details.RequestClaims.ToList().ForEach(rq => requestClaims.AppendFormat("{0}\n", rq.ClaimType)); Tracing.Tracing.Information("Specific claims requested"); Tracing.Tracing.Information(String.Format("Request claims: {0}", requestClaims)); } else { Tracing.Tracing.Information("No request claims"); } }
protected virtual void AnalyzeRst(RequestSecurityToken rst, RequestDetails options) { if (rst == null) { throw new ArgumentNullException("request"); } options.Request = rst; }
protected virtual void AnalyzeReplyTo(RequestDetails details) { var rp = details.RelyingPartyRegistration; // determine the reply to address (only relevant for passive requests) if (rp != null && rp.ReplyTo != null) { details.ReplyToAddress = rp.ReplyTo; details.IsReplyToFromConfiguration = true; // check if reply to is a sub-address of the realm address if (details.ReplyToAddress.AbsoluteUri.StartsWith(details.Realm.Uri.AbsoluteUri, StringComparison.OrdinalIgnoreCase)) { details.ReplyToAddressIsWithinRealm = true; } Tracing.Tracing.Information(String.Format("ReplyTo Address set from configuration: {0}", details.ReplyToAddress.AbsoluteUri)); } else { if (!String.IsNullOrEmpty(details.Request.ReplyTo)) { if (_configuration.AllowReplyTo) { // explicit address details.ReplyToAddress = new Uri(details.Request.ReplyTo); Tracing.Tracing.Information(String.Format("Explicit ReplyTo address set: {0}", details.ReplyToAddress.AbsoluteUri)); // check if reply to is a sub-address of the realm address if (details.ReplyToAddress.AbsoluteUri.StartsWith(details.Realm.Uri.AbsoluteUri, StringComparison.OrdinalIgnoreCase)) { details.ReplyToAddressIsWithinRealm = true; } Tracing.Tracing.Information(String.Format("ReplyTo Address is within Realm: {0}", details.ReplyToAddressIsWithinRealm)); } else { // same as realm details.ReplyToAddress = details.Realm.Uri; details.ReplyToAddressIsWithinRealm = true; Tracing.Tracing.Warning(string.Format("ReplyTo address of ({0}) was supplied, but since configuration does not allow ReplyTo, the realm address is used", details.Request.ReplyTo)); } } else { // same as realm details.ReplyToAddress = details.Realm.Uri; details.ReplyToAddressIsWithinRealm = true; Tracing.Tracing.Information("ReplyTo address set to realm address"); } } }
protected virtual RelyingPartyModel AnalyzeRelyingParty(RequestDetails details) { // check if the relying party is registered RelyingPartyModel rp = null; if (_relyingPartyRepository.TryGet(details.Realm.Uri.AbsoluteUri, out rp)) { details.RelyingPartyRegistration = rp; details.IsKnownRealm = true; var traceString = String.Format("Relying Party found in registry - Realm: {0}", rp.Realm.AbsoluteUri); if (!string.IsNullOrEmpty(rp.Name)) { traceString += String.Format(" ({0})", rp.Name); } Tracing.Tracing.Information(traceString); if (rp.EncryptingCertificate != null) { details.EncryptingCertificate = rp.EncryptingCertificate; Tracing.Tracing.Information("Encrypting certificate set from registry"); } } else { Tracing.Tracing.Information("Relying party is not registered."); } return rp; }
protected virtual void AnalyzeRealm(RequestSecurityToken rst, RequestDetails options) { // check realm if (rst.AppliesTo == null || rst.AppliesTo.Uri == null) { throw new MissingAppliesToException("AppliesTo is missing"); } options.Realm = rst.AppliesTo; }
public RequestDetails Analyze(RequestSecurityToken rst, IClaimsPrincipal principal) { if (rst == null) { throw new ArgumentNullException("rst"); } if (principal == null) { throw new ArgumentNullException("principal"); } Tracing.Tracing.Information("Starting PolicyOptions creation"); var clientIdentity = AnalyzeClientIdentity(principal); var details = new RequestDetails { ClientIdentity = clientIdentity, IsActive = false, Realm = null, IsKnownRealm = false, UsesSsl = false, UsesEncryption = false, ReplyToAddress = null, ReplyToAddressIsWithinRealm = false, IsReplyToFromConfiguration = false, EncryptingCertificate = null, ClaimsRequested = false, RequestClaims = null, Request = null, IsActAsRequest = false, RelyingPartyRegistration = null }; AnalyzeRst(rst, details); AnalyzeTokenType(rst, details); AnalyzeKeyType(rst); AnalyzeRealm(rst, details); AnalyzeOperationContext(details); AnalyzeDelegation(rst, details); AnalyzeRelyingParty(details); AnalyzeEncryption(details); AnalyzeReplyTo(details); AnalyzeSsl(details); AnalyzeRequestClaims(details); Tracing.Tracing.Information("PolicyOptions creation done."); _details = details; return details; }
public void Validate(RequestDetails details) { if (details == null) { throw new ArgumentNullException("details"); } Tracing.Tracing.Information("Starting policy validation"); ValidateKnownRealm(details); ValidateTokenType(details); ValidateReplyTo(details); ValidateEncryption(details); ValidateSsl(details); ValidateDelegation(details); Tracing.Tracing.Information("Policy Validation succeeded"); }
protected virtual void AnalyzeDelegation(RequestSecurityToken rst, RequestDetails details) { // check for identity delegation request if (rst.ActAs != null) { details.IsActAsRequest = true; Tracing.Tracing.Information("Request is ActAs request"); } }
protected virtual void ValidateDelegation(RequestDetails details) { // check for ActAs request if (details.IsActAsRequest) { if (!_configuration.EnableDelegation) { Tracing.Tracing.Error("Request is ActAs request - but ActAs is not enabled"); throw new InvalidRequestException("Request is ActAs request - but ActAs is not enabled"); } if (!_delegationRepository.IsDelegationAllowed(details.ClientIdentity.Name, details.Realm.Uri.AbsoluteUri)) { Tracing.Tracing.Error(String.Format("ActAs mapping not found.")); throw new InvalidRequestException("ActAs mapping not found."); } } }
protected virtual void AnalyzeTokenType(RequestSecurityToken rst, RequestDetails details) { if (string.IsNullOrWhiteSpace(rst.TokenType)) { details.TokenType = _configuration.DefaultTokenType; Tracing.Tracing.Information("Token Type: not specified, falling back to default token type"); } else { Tracing.Tracing.Information("Token Type: " + rst.TokenType); details.TokenType = rst.TokenType; } }
protected virtual void AnalyzeEncryption(RequestDetails details) { if (details.EncryptingCertificate == null) { X509Certificate2 requestCertificate; if (TryGetEncryptionCertificateFromRequest(details.Realm, out requestCertificate)) { details.EncryptingCertificate = requestCertificate; Tracing.Tracing.Information("Encrypting certificate set from RST"); } } details.UsesEncryption = (details.EncryptingCertificate != null); Tracing.Tracing.Information("Token encryption: " + details.UsesEncryption); }