internal static List<CLAIMS_ARRAY> Run(CLAIMS_ARRAY[] input, string ruletext)
{
List<CLAIMS_ARRAY> ret = new List<CLAIMS_ARRAY>();
string[] rules = ruletext.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Dictionary<string, bool> supportedClaimIDs = new Dictionary<string, bool>();
foreach (string r in rules)
{
if (!r.StartsWith("C1:[Type==\"") || !r.EndsWith("\"]=>Issue(claim=C1)"))
{
throw new Exception("unsupported claim type from Simple CTA engine. Only valid kind is C1:[Type==\"%your claim id%\"]=>Issue(claim=C1)");
}
supportedClaimIDs.Add(r.Replace("C1:[Type==\"", "").Replace("\"]=>Issue(claim=C1)", ""), true);
}
foreach(CLAIMS_ARRAY array in input)
{
List<CLAIM_ENTRY> tmp = new List<CLAIM_ENTRY>();
foreach (CLAIM_ENTRY entry in array.ClaimEntries)
{
if (supportedClaimIDs.ContainsKey(entry.Id))
{
tmp.Add(entry);
}
}
if (tmp.Count > 0)
{
CLAIMS_ARRAY tmpArray = new CLAIMS_ARRAY();
tmpArray.ClaimEntries = tmp.ToArray();
tmpArray.ulClaimsCount = (uint)tmpArray.ClaimEntries.Length;
tmpArray.usClaimsSourceType = array.usClaimsSourceType;
ret.Add(tmpArray);
}
}
return ret;
}
/// <summary>
/// Get Claims for provided principal without encode
/// </summary>
/// <param name="principal">Distinguished Name of the principal</param>
/// <param name="principalClass">class of principal, user or device</param>
/// <param name="source">claim source type, AD or Certificate</param>
/// <returns>a list of CLAIMS_ARRAY for the principal</returns>
public List <CLAIMS_ARRAY> GetClaimsForPrincipalWithoutEncode(string principal, ClaimsPrincipalClass principalClass, ClaimsSource source)
{
List <CLAIMS_ARRAY> ret = new List <CLAIMS_ARRAY>();
#region get principal object
using (DirectoryEntry princ = new DirectoryEntry("LDAP://" + principal,
domainDNS + "\\" + UserName, Password, AuthenticationTypes.Secure))
{
#endregion
#region AD source
if (source.HasFlag(ClaimsSource.AD))
{
CLAIMS_ARRAY ad = getADSoucredClaims(princ, principalClass);
ret.Add(ad);
//Constructed claims use the CLAIMS_SOURCE_TYPE_AD source type
ad = getConstructedClaims(princ, principalClass);
ret.Add(ad);
}
#endregion
#region certificate source
//not implemented
#endregion
return(ret);
}
}
internal static List <CLAIMS_ARRAY> Run(CLAIMS_ARRAY[] input, string ruletext)
{
List <CLAIMS_ARRAY> ret = new List <CLAIMS_ARRAY>();
string[] rules = ruletext.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Dictionary <string, bool> supportedClaimIDs = new Dictionary <string, bool>();
foreach (string r in rules)
{
if (!r.StartsWith("C1:[Type==\"") || !r.EndsWith("\"]=>Issue(claim=C1)"))
{
throw new Exception("unsupported claim type from Simple CTA engine. Only valid kind is C1:[Type==\"%your claim id%\"]=>Issue(claim=C1)");
}
supportedClaimIDs.Add(r.Replace("C1:[Type==\"", "").Replace("\"]=>Issue(claim=C1)", ""), true);
}
foreach (CLAIMS_ARRAY array in input)
{
List <CLAIM_ENTRY> tmp = new List <CLAIM_ENTRY>();
foreach (CLAIM_ENTRY entry in array.ClaimEntries)
{
if (supportedClaimIDs.ContainsKey(entry.Id))
{
tmp.Add(entry);
}
}
if (tmp.Count > 0)
{
CLAIMS_ARRAY tmpArray = new CLAIMS_ARRAY();
tmpArray.ClaimEntries = tmp.ToArray();
tmpArray.ulClaimsCount = (uint)tmpArray.ClaimEntries.Length;
tmpArray.usClaimsSourceType = array.usClaimsSourceType;
ret.Add(tmpArray);
}
}
return(ret);
}
public Win32ErrorCode_32 TransformClaimsOnTrustTraversal(CLAIMS_ARRAY[] input, string trustName, bool fIncomingDirection, out List<CLAIMS_ARRAY> output)
{
output = null;
//found trust
SearchRequest search = new SearchRequest(
"cn=system," + domainNC,
"(cn=" + trustName + ")",
SearchScope.OneLevel,
new string[] { "*" });
bool hasException = false;
SearchResponse response = null;
do
{
try
{
using (LdapConnection connection = connect())
{
response = (SearchResponse)connection.SendRequest(search);
}
}
catch
{
hasException = true;
}
} while (hasException);
if (response.ResultCode != ResultCode.Success || response.Entries.Count == 0)
return Win32ErrorCode_32.ERROR_INVALID_PARAMETER;
string xml = null;
Win32ErrorCode_32 err = getClaimsTransformationRuleXml(trustName, response.Entries[0].DistinguishedName, fIncomingDirection, out xml);
if (err != Win32ErrorCode_32.ERROR_SUCCESS && err != Win32ErrorCode_32.ERROR_INVALID_FUNCTION)
return Win32ErrorCode_32.ERROR_SUCCESS;
string text = null;
if (xml != null)
{
getTransformRulesText(xml, out text);
}
output = SimpleCTAEngine.Run(input, text);
return Win32ErrorCode_32.ERROR_SUCCESS;
}
/// <summary>
/// get Constructed claims for a principal
/// </summary>
/// <param name="principal">the target principal</param>
/// <param name="principalClass">user or device</param>
/// <returns>a CLAIMS_ARRAY contains claims of the principal</returns>
CLAIMS_ARRAY getConstructedClaims(DirectoryEntry principal, ClaimsPrincipalClass principalClass)
{
CLAIMS_ARRAY ret = new CLAIMS_ARRAY();
DirectoryEntry root = new DirectoryEntry(ConstValue.claimTypesPath + domainNC);
List <CLAIM_ENTRY> claims = new List <CLAIM_ENTRY>();
DirectoryEntries children = root.Children;
foreach (DirectoryEntry de in children)
{
//source type should be Constructed
if ((de.Properties[ConstValue.msDSClaimSourceType] == null) ||
((ClaimsSourceType)Enum.Parse(typeof(ClaimsSourceType), de.Properties[ConstValue.msDSClaimSourceType].Value.ToString(), true) != ClaimsSourceType.Constructed) ||
(de.Properties[ConstValue.msDSClaimTypeAppliesToClass] == null))
{
continue;
}
//should applies to this principal class
bool classMatched = false;
foreach (object str in de.Properties[ConstValue.msDSClaimTypeAppliesToClass])
{
string tmp = str.ToString();
if (tmp.ToLower() == (ConstValue.userRDN + domainNC.ToLower()) && principalClass == ClaimsPrincipalClass.User)
{
classMatched = true;
break;
}
if ((tmp.ToLower() == (ConstValue.computerRDN + domainNC).ToLower()) && principalClass == ClaimsPrincipalClass.Device)
{
classMatched = true;
break;
}
}
if (!classMatched)
{
continue;
}
//validate claim definition
if (!validateClaimDefinition(de))
{
continue;
}
if (de.Properties[ConstValue.name] == null || de.Properties[ConstValue.name].Value == null)
{
continue;
}
//Currently only the AuthenticationSilo claim is supported
if (de.Properties[ConstValue.name].Value.ToString().Equals(ConstValue.authSiloClaimName, StringComparison.OrdinalIgnoreCase))
{
CLAIM_ENTRY?claim = getAuthSiloClaim(principal);
if (claim.HasValue)
{
claims.Add(claim.Value);
}
break;
}
}
ret.ulClaimsCount = (uint)claims.Count;
ret.ClaimEntries = claims.ToArray();
ret.usClaimsSourceType = 1;
return(ret);
}
/// <summary>
/// get AD sourced claims for a principal
/// </summary>
/// <param name="principal">the target principal</param>
/// <param name="principalClass">user or device</param>
/// <returns>a CLAIMS_ARRAY contains claims of the principal</returns>
CLAIMS_ARRAY getADSoucredClaims(DirectoryEntry principal, ClaimsPrincipalClass principalClass)
{
CLAIMS_ARRAY ret = new CLAIMS_ARRAY();
using (DirectoryEntry root = new DirectoryEntry(ConstValue.claimTypesPath + domainNC))
{
List <CLAIM_ENTRY> claims = new List <CLAIM_ENTRY>();
DirectoryEntries children = root.Children;
foreach (DirectoryEntry de in children)
{
//source type should be AD
if ((!de.Properties.Contains(ConstValue.msDSClaimSourceType)) ||
((ClaimsSourceType)Enum.Parse(typeof(ClaimsSourceType), de.Properties[ConstValue.msDSClaimSourceType].Value.ToString(), true) != ClaimsSourceType.AD) ||
(!de.Properties.Contains(ConstValue.msDSClaimTypeAppliesToClass)))
{
continue;
}
//should applies to this principal class
bool classMatched = false;
foreach (object str in de.Properties[ConstValue.msDSClaimTypeAppliesToClass])
{
string tmp = str.ToString();
if (tmp.ToLower() == (ConstValue.userRDN + domainNC.ToLower()) && principalClass == ClaimsPrincipalClass.User)
{
classMatched = true;
break;
}
if ((tmp.ToLower() == (ConstValue.computerRDN + domainNC).ToLower()) && principalClass == ClaimsPrincipalClass.Device)
{
classMatched = true;
break;
}
}
if (!classMatched)
{
continue;
}
//validate claim definition
if (!validateClaimDefinition(de))
{
continue;
}
//create CLAIM_ENTRY record
CLAIM_ENTRY claim;
claim.Id = de.Properties["cn"].Value.ToString();
claim.Type = getClaimValueType(de.Properties[ConstValue.distinguishedname].Value.ToString(), DomainController);
claim.Values = new CLAIM_ENTRY_VALUE_UNION();
using (DirectoryEntry source = new DirectoryEntry("LDAP://" + de.Properties[ConstValue.msDSClaimAttributeSource].Value.ToString()))
{
PropertyValueCollection values = principal.Properties[source.Properties["ldapdisplayName"].Value.ToString()];
//parse values
switch (claim.Type)
{
case CLAIM_TYPE.CLAIM_TYPE_STRING:
claim.Values.Struct3 = new CLAIM_TYPE_VALUE_LPWSTR();
claim.Values.Struct3.ValueCount = (uint)values.Count;
claim.Values.Struct3.StringValues = new string[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct3.StringValues[i] = values[i].ToString();
}
break;
case CLAIM_TYPE.CLAIM_TYPE_INT64:
claim.Values.Struct1 = new CLAIM_TYPE_VALUE_INT64();
claim.Values.Struct1.ValueCount = (uint)values.Count;
claim.Values.Struct1.Int64Values = new long[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct1.Int64Values[i] = (long)values[i];
}
break;
case CLAIM_TYPE.CLAIM_TYPE_UINT64:
claim.Values.Struct2 = new CLAIM_TYPE_VALUE_UINT64();
claim.Values.Struct2.ValueCount = (uint)values.Count;
claim.Values.Struct2.Uint64Values = new ulong[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct2.Uint64Values[i] = (ulong)values[i];
}
break;
case CLAIM_TYPE.CLAIM_TYPE_BOOLEAN:
claim.Values.Struct4 = new CLAIM_TYPE_VALUE_BOOL();
claim.Values.Struct4.ValueCount = (uint)values.Count;
claim.Values.Struct4.BooleanValues = new bool[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct4.BooleanValues[i] = (bool)values[i];
}
break;
}
claims.Add(claim);
ret.ulClaimsCount = (uint)claims.Count;
ret.ClaimEntries = claims.ToArray();
ret.usClaimsSourceType = 1;
}
}
}
return(ret);
}
/// <summary>
/// get Constructed claims for a principal
/// </summary>
/// <param name="principal">the target principal</param>
/// <param name="principalClass">user or device</param>
/// <returns>a CLAIMS_ARRAY contains claims of the principal</returns>
CLAIMS_ARRAY getConstructedClaims(DirectoryEntry principal, ClaimsPrincipalClass principalClass)
{
CLAIMS_ARRAY ret = new CLAIMS_ARRAY();
DirectoryEntry root = new DirectoryEntry(ConstValue.claimTypesPath + domainNC);
List<CLAIM_ENTRY> claims = new List<CLAIM_ENTRY>();
DirectoryEntries children = root.Children;
foreach (DirectoryEntry de in children)
{
//source type should be Constructed
if ((de.Properties[ConstValue.msDSClaimSourceType] == null)
|| ((ClaimsSourceType)Enum.Parse(typeof(ClaimsSourceType), de.Properties[ConstValue.msDSClaimSourceType].Value.ToString(), true) != ClaimsSourceType.Constructed)
|| (de.Properties[ConstValue.msDSClaimTypeAppliesToClass] == null))
continue;
//should applies to this principal class
bool classMatched = false;
foreach (object str in de.Properties[ConstValue.msDSClaimTypeAppliesToClass])
{
string tmp = str.ToString();
if (tmp.ToLower() == (ConstValue.userRDN + domainNC.ToLower()) && principalClass == ClaimsPrincipalClass.User)
{
classMatched = true;
break;
}
if ((tmp.ToLower() == (ConstValue.computerRDN + domainNC).ToLower()) && principalClass == ClaimsPrincipalClass.Device)
{
classMatched = true;
break;
}
}
if (!classMatched)
continue;
//validate claim definition
if (!validateClaimDefinition(de))
continue;
if (de.Properties[ConstValue.name] == null || de.Properties[ConstValue.name].Value == null)
continue;
//Currently only the AuthenticationSilo claim is supported
if (de.Properties[ConstValue.name].Value.ToString().Equals(ConstValue.authSiloClaimName, StringComparison.OrdinalIgnoreCase))
{
CLAIM_ENTRY? claim = getAuthSiloClaim(principal);
if (claim.HasValue)
{
claims.Add(claim.Value);
}
break;
}
}
ret.ulClaimsCount = (uint)claims.Count;
ret.ClaimEntries = claims.ToArray();
ret.usClaimsSourceType = 1;
return ret;
}
/// <summary>
/// get AD sourced claims for a principal
/// </summary>
/// <param name="principal">the target principal</param>
/// <param name="principalClass">user or device</param>
/// <returns>a CLAIMS_ARRAY contains claims of the principal</returns>
CLAIMS_ARRAY getADSoucredClaims(DirectoryEntry principal, ClaimsPrincipalClass principalClass)
{
CLAIMS_ARRAY ret = new CLAIMS_ARRAY();
using (DirectoryEntry root = new DirectoryEntry(ConstValue.claimTypesPath + domainNC))
{
List<CLAIM_ENTRY> claims = new List<CLAIM_ENTRY>();
DirectoryEntries children = root.Children;
foreach (DirectoryEntry de in children)
{
//source type should be AD
if ((!de.Properties.Contains(ConstValue.msDSClaimSourceType))
|| ((ClaimsSourceType)Enum.Parse(typeof(ClaimsSourceType), de.Properties[ConstValue.msDSClaimSourceType].Value.ToString(), true) != ClaimsSourceType.AD)
|| (!de.Properties.Contains(ConstValue.msDSClaimTypeAppliesToClass)))
continue;
//should applies to this principal class
bool classMatched = false;
foreach (object str in de.Properties[ConstValue.msDSClaimTypeAppliesToClass])
{
string tmp = str.ToString();
if (tmp.ToLower() == (ConstValue.userRDN + domainNC.ToLower()) && principalClass == ClaimsPrincipalClass.User)
{
classMatched = true;
break;
}
if ((tmp.ToLower() == (ConstValue.computerRDN + domainNC).ToLower()) && principalClass == ClaimsPrincipalClass.Device)
{
classMatched = true;
break;
}
}
if (!classMatched)
continue;
//validate claim definition
if (!validateClaimDefinition(de))
continue;
//create CLAIM_ENTRY record
CLAIM_ENTRY claim;
claim.Id = de.Properties["cn"].Value.ToString();
claim.Type = getClaimValueType(de.Properties[ConstValue.distinguishedname].Value.ToString(), DomainController);
claim.Values = new CLAIM_ENTRY_VALUE_UNION();
using (DirectoryEntry source = new DirectoryEntry("LDAP://" + de.Properties[ConstValue.msDSClaimAttributeSource].Value.ToString()))
{
PropertyValueCollection values = principal.Properties[source.Properties["ldapdisplayName"].Value.ToString()];
//parse values
switch (claim.Type)
{
case CLAIM_TYPE.CLAIM_TYPE_STRING:
claim.Values.Struct3 = new CLAIM_TYPE_VALUE_LPWSTR();
claim.Values.Struct3.ValueCount = (uint)values.Count;
claim.Values.Struct3.StringValues = new string[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct3.StringValues[i] = values[i].ToString();
}
break;
case CLAIM_TYPE.CLAIM_TYPE_INT64:
claim.Values.Struct1 = new CLAIM_TYPE_VALUE_INT64();
claim.Values.Struct1.ValueCount = (uint)values.Count;
claim.Values.Struct1.Int64Values = new long[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct1.Int64Values[i] = (long)values[i];
}
break;
case CLAIM_TYPE.CLAIM_TYPE_UINT64:
claim.Values.Struct2 = new CLAIM_TYPE_VALUE_UINT64();
claim.Values.Struct2.ValueCount = (uint)values.Count;
claim.Values.Struct2.Uint64Values = new ulong[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct2.Uint64Values[i] = (ulong)values[i];
}
break;
case CLAIM_TYPE.CLAIM_TYPE_BOOLEAN:
claim.Values.Struct4 = new CLAIM_TYPE_VALUE_BOOL();
claim.Values.Struct4.ValueCount = (uint)values.Count;
claim.Values.Struct4.BooleanValues = new bool[values.Count];
for (int i = 0; i < values.Count; i++)
{
claim.Values.Struct4.BooleanValues[i] = (bool)values[i];
}
break;
}
claims.Add(claim);
ret.ulClaimsCount = (uint)claims.Count;
ret.ClaimEntries = claims.ToArray();
ret.usClaimsSourceType = 1;
}
}
}
return ret;
}