public void InitializeFrom(EndpointIdentity identity)
{
if (identity == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
}
Claim identityClaim = identity.IdentityClaim;
if (ClaimTypes.Dns.Equals(identityClaim.ClaimType))
{
this.Dns.Value = (string) identityClaim.Resource;
}
else if (ClaimTypes.Spn.Equals(identityClaim.ClaimType))
{
this.ServicePrincipalName.Value = (string) identityClaim.Resource;
}
else if (ClaimTypes.Upn.Equals(identityClaim.ClaimType))
{
this.UserPrincipalName.Value = (string) identityClaim.Resource;
}
else if (ClaimTypes.Rsa.Equals(identityClaim.ClaimType))
{
this.Rsa.Value = ((RSA) identityClaim.Resource).ToXmlString(false);
}
else if (identity is X509CertificateEndpointIdentity)
{
X509Certificate2Collection certificates = ((X509CertificateEndpointIdentity) identity).Certificates;
this.Certificate.EncodedValue = Convert.ToBase64String(certificates.Export((certificates.Count == 1) ? X509ContentType.SerializedCert : X509ContentType.SerializedStore));
}
}
public override bool TryGetIdentity (
EndpointAddress reference,
out EndpointIdentity identity)
{
// FIXME: implement
throw new NotImplementedException ();
}
public EndpointAddressBuilder (EndpointAddress address)
{
identity = address.Identity;
uri = address.Uri;
foreach (AddressHeader h in address.Headers)
headers.Add (h);
}
/// <summary>
/// Setup endpoints
/// </summary>
static ServiceHostUtil()
{
_serviceHostName = ServicesIniFile.Read("ServiceHost", "localhost");
_serviceBasePort = int.Parse(ServicesIniFile.Read("ServiceBasePort", "7700"));
string serviceIdentityType = ServicesIniFile.Read("ServiceIdentityType", "dns");
string serviceIdentity = ServicesIniFile.Read("ServiceIdentity", "localhost");
if (serviceIdentityType == "dns")
{
_serviceEndpointIdentity =
new System.ServiceModel.DnsEndpointIdentity(serviceIdentity);
}
else if (serviceIdentityType == "upn")
{
_serviceEndpointIdentity =
new System.ServiceModel.UpnEndpointIdentity(serviceIdentity);
}
else if (serviceIdentityType == "spn")
{
_serviceEndpointIdentity =
new System.ServiceModel.SpnEndpointIdentity(serviceIdentity);
}
else
{
throw new InvalidOperationException("Only identity types \"dns\", \"upn\", and \"spn\" (with a corresponding valid ServiceIdentity) are supported.");
}
}
public override bool CheckAccess (
EndpointIdentity identity,
AuthorizationContext authContext)
{
// FIXME: implement
throw new NotImplementedException ();
}
public override bool CheckAccess(EndpointIdentity identity, System.IdentityModel.Policy.AuthorizationContext authContext)
{
bool returnvalue = false;
foreach (ClaimSet claimset in authContext.ClaimSets)
{
foreach (Claim claim in claimset)
{
// if (claim.ClaimType == "http://schemas.microsoft.com/ws/2005/05/identity/claims/x500distinguishedname")
// {
// X500DistinguishedName name = (X500DistinguishedName)claim.Resource;
//if (name.Name.Contains(((OrgEndpointIdentity)identity).OrganizationClaim))
// {
// Console.WriteLine("Claim Type: {0}", claim.ClaimType);
// Console.WriteLine("Right: {0}", claim.Right);
// Console.WriteLine("Resource: {0}", claim.Resource);
// Console.WriteLine();
returnvalue = true;
break;
//}
//}
}
}
return returnvalue;
}
public EndpointAddress(System.Uri uri, EndpointIdentity identity, params AddressHeader[] addressHeaders)
{
if (uri == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("uri");
}
this.Init(uri, identity, addressHeaders);
}
public EndpointAddress(System.Uri uri, EndpointIdentity identity, AddressHeaderCollection headers)
{
if (uri == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("uri");
}
this.Init(uri, identity, headers, null, -1, -1, -1);
}
public EndpointIdentityExtension(EndpointIdentity identity)
{
if (identity == null)
{
throw FxTrace.Exception.ArgumentNull("identity");
}
this.ClaimType = identity.IdentityClaim.ClaimType;
this.ClaimRight = identity.IdentityClaim.Right;
this.ClaimResource = identity.IdentityClaim.Resource;
}
internal EndpointInfo(ServiceEndpoint endpoint, string serviceName)
{
this.endpoint = endpoint;
this.address = endpoint.Address.Uri;
this.headers = endpoint.Address.Headers;
this.identity = endpoint.Address.Identity;
this.behaviors = endpoint.Behaviors;
this.serviceName = serviceName;
this.binding = (endpoint.Binding == null) ? new CustomBinding() : new CustomBinding(endpoint.Binding);
this.contract = endpoint.Contract;
}
public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
{
if (reference == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reference");
}
identity = reference.Identity;
if (identity == null)
{
identity = new PeerEndpointIdentity();
}
return true;
}
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authzContext) {
List<Claim> dnsClaims = new List<Claim>();
foreach( ClaimSet claimSet in authzContext.ClaimSets ) {
foreach( Claim claim in claimSet ) {
if ( ClaimTypes.Dns == claim.ClaimType ) {
dnsClaims.Add(claim);
}
}
}
if ( 1 != dnsClaims.Count ) {
throw new InvalidOperationException(String.Format("Found {0} DNS claims in authorization context.", dnsClaims.Count));
}
return String.Equals((string) this.expectedIdentity.IdentityClaim.Resource, (string) dnsClaims[0].Resource, StringComparison.OrdinalIgnoreCase);
}
internal EndpointInfo(ServiceEndpoint endpoint, string serviceName)
{
Fx.Assert(null != endpoint, "endpoint cannot be null");
this.endpoint = endpoint;
this.address = endpoint.Address.Uri;
this.headers = endpoint.Address.Headers;
this.identity = endpoint.Address.Identity;
this.behaviors = endpoint.Behaviors;
this.serviceName = serviceName;
this.binding = null == endpoint.Binding ? new CustomBinding() : new CustomBinding(endpoint.Binding);
this.contract = endpoint.Contract;
}
public EndpointAddressBuilder(EndpointAddress address)
{
if (address == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("address");
}
this.epr = address;
this.uri = address.Uri;
this.identity = address.Identity;
this.headers = new Collection<AddressHeader>();
for (int i = 0; i < address.Headers.Count; i++)
{
this.headers.Add(address.Headers[i]);
}
}
public EndpointAddress (
Uri uri, EndpointIdentity identity,
AddressHeaderCollection headers,
XmlDictionaryReader metadataReader,
XmlDictionaryReader extensionReader)
{
if (uri == null)
throw new ArgumentNullException ("uri");
if (!uri.IsAbsoluteUri)
throw new ArgumentException ("The argument uri must be absolute");
this.address = uri;
this.identity = identity;
this.headers = headers;
metadata_reader = metadataReader;
extension_reader = extensionReader;
}
private Exception CreateIdentityCheckException(EndpointIdentity identity, AuthorizationContext authorizationContext, string errorString, EndpointAddress serviceReference)
{
if (((identity.IdentityClaim == null) || !(identity.IdentityClaim.ClaimType == ClaimTypes.Dns)) || (!(identity.IdentityClaim.Right == Rights.PossessProperty) || !(identity.IdentityClaim.Resource is string)))
{
return new MessageSecurityException(System.ServiceModel.SR.GetString(errorString, new object[] { identity, serviceReference }));
}
string resource = (string) identity.IdentityClaim.Resource;
string str2 = null;
for (int i = 0; i < authorizationContext.ClaimSets.Count; i++)
{
ClaimSet set = authorizationContext.ClaimSets[i];
foreach (Claim claim in set.FindClaims(ClaimTypes.Dns, Rights.PossessProperty))
{
if (claim.Resource is string)
{
str2 = (string) claim.Resource;
break;
}
}
if (str2 != null)
{
break;
}
}
if ("IdentityCheckFailedForIncomingMessage".Equals(errorString))
{
if (str2 == null)
{
return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForIncomingMessageLackOfDnsClaim", new object[] { resource }));
}
return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForIncomingMessage", new object[] { resource, str2 }));
}
if ("IdentityCheckFailedForOutgoingMessage".Equals(errorString))
{
if (str2 == null)
{
return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForOutgoingMessageLackOfDnsClaim", new object[] { resource }));
}
return new MessageSecurityException(System.ServiceModel.SR.GetString("DnsIdentityCheckFailedForOutgoingMessage", new object[] { resource, str2 }));
}
return new MessageSecurityException(System.ServiceModel.SR.GetString(errorString, new object[] { identity, serviceReference }));
}
// Code to be added.
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
StreamWriter file = new StreamWriter("c:\\temp\\TestClient.CustomIdentityVerifier - CheckAccess.txt", true);
file.WriteLine("_________________________________________");
file.WriteLine("DateTime: " + DateTime.Now.ToString());
bool returnvalue = false;
foreach (ClaimSet claimset in authContext.ClaimSets)
{
foreach (Claim claim in claimset)
{
file.WriteLine("claim.ClaimType: " + claim.ClaimType);
file.WriteLine("\tclaim.Right: " + claim.Right);
file.WriteLine("\t\tclaim.Resource: " + claim.Resource.ToString());
if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname")
{
X500DistinguishedName name = (X500DistinguishedName)claim.Resource;
file.WriteLine("X500DistinguishedName: " + name.Name);
//if (name.Name.Contains(((OrgEndpointIdentity)identity).OrganizationClaim))
//if ("CN=zpatlittrs239.ittl.gtri.org" == name.Name)
if ("[email protected], CN=HA50WSP, O=Hawaii Five0, L=Honolulu, S=Hawaii, C=US" == name.Name)
{
file.WriteLine("\tClaim Type: {0}", claim.ClaimType);
file.WriteLine("\tRight: {0}", claim.Right);
file.WriteLine("\tResource: {0}", claim.Resource);
file.WriteLine();
returnvalue = true;
}
}
}
}
file.Close();
return returnvalue;
}
internal EndpointAddress(System.Uri uri, EndpointIdentity identity, AddressHeaderCollection headers, XmlDictionaryReader metadataReader, XmlDictionaryReader extensionReader, XmlDictionaryReader pspReader)
{
EndpointIdentity identity2;
int num;
if (uri == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("uri");
}
XmlBuffer buffer = null;
this.PossiblyPopulateBuffer(metadataReader, ref buffer, out this.metadataSection);
buffer = ReadExtensions(extensionReader, null, buffer, out identity2, out num);
if ((identity != null) && (identity2 != null))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentException(System.ServiceModel.SR.GetString("MultipleIdentities"), "extensionReader"));
}
this.PossiblyPopulateBuffer(pspReader, ref buffer, out this.pspSection);
if (buffer != null)
{
buffer.Close();
}
this.Init(uri, identity ?? identity2, headers, buffer, this.metadataSection, num, this.pspSection);
}
static ClousotWCFServiceCommon()
{
Identity = new DnsEndpointIdentity("research.microsoft.com"); // Used by the client to be sure that we are who we say we are
#if DEBUG
SecurityMode = SecurityMode.None; // Mehdi: "Very complex things", we ignore them
#else
SecurityMode = SecurityMode.None; // TODO
#endif
#if WS_HTTP_BINDING
#if DEBUG
// This address does not need administrator privilege
// Namespace created during the installation of Visual Studio
BaseAddress = "http://localhost:8732/Design_Time_Addresses/ClousotService/";
#else
// Need administrator privilege
BaseAddress = "http://localhost:8732/Microsoft.Research/ClousotService/";
#endif
#elif NET_TCP_BINDING
BaseAddress = "net.tcp://localhost:9922/ClousotService/";
#endif
BaseUri = new Uri(BaseAddress);
}
/// <summary>
/// Processes the Auth Context to get the IdentityClaims
/// </summary>
/// <returns></returns>
protected void FindIdentityClaims()
{
// Pick up the claim type to use for generating the UniqueID claim
string identificationClaimType = System.Configuration.ConfigurationManager.AppSettings["IdentityClaimType"];
// Or, default to PPID
if (string.IsNullOrEmpty(identificationClaimType))
identificationClaimType = System.IdentityModel.Claims.ClaimTypes.PPID;
ClaimSet result = null;
m_endpointIdentity = null;
foreach (ClaimSet claimSet in m_authorizationContext.ClaimSets)
{
//
// This loops through the claims looking for the configured claim type
// that will be used as part of the generation of the unique id.
//
foreach (Claim claim in claimSet.FindClaims(identificationClaimType, Rights.PossessProperty))
{
// found a matching claim. This is good.
m_issuer = CreateIdentityFromClaimSet(claimSet.Issuer);
byte[] issuerkey;
// we need to get a byte array that represents the issuer's key
// to use as part of the hash to generate a unique id.
// currently supported: (byte[]) or an RSACryptoServiceProvider,
// This could be expanded to support other types. The key just
// needs to be extracted as a byte array.
issuerkey = m_issuer.IdentityClaim.Resource as byte[];
if (null == issuerkey)
{
RSACryptoServiceProvider csp = m_issuer.IdentityClaim.Resource as RSACryptoServiceProvider;
if (null != csp)
issuerkey = csp.ExportCspBlob(false);
// Can't use this claim to get the key.
if (null == issuerkey)
throw new Exception("Unsupported IdentityClaim resource type");
}
// It doesn't matter what encoding type we use, as long as it is consistent.
// this conversion is just to get a consistent set of bytes from the claim.
byte[] uniqueClaim = Encoding.UTF8.GetBytes(GetResourceValue(claim));
// copy the thumbprint data and the uniqueClaim together.
byte[] thumbprintData = new byte[uniqueClaim.Length + issuerkey.Length];
issuerkey.CopyTo(thumbprintData, 0);
uniqueClaim.CopyTo(thumbprintData, issuerkey.Length);
// generate a hash.
using (SHA256 sha = new SHA256Managed())
{
Claim thumbprintClaim = new Claim(ClaimTypes.Thumbprint, Convert.ToBase64String(sha.ComputeHash(thumbprintData)), Rights.Identity);
m_endpointIdentity = EndpointIdentity.CreateIdentity(thumbprintClaim);
}
m_identityClaims = claimSet;
return;
}
if (null == m_endpointIdentity)
{
//
// check for identity claim, if found, hold on to it, we may need to use it :)
//
result = claimSet;
m_endpointIdentity = CreateIdentityFromClaimSet(claimSet);
}
}
if (null != m_endpointIdentity)
{
m_identityClaims = result;
return;
}
//
// we have looped all claim sets with out finding an identity claim.
// we will return the ppidIdentity and claimset if they were found.
//
throw new Exception("The XML Token data provided no Identity claim.");
}
internal static bool IsMatch(EndpointIdentity identity)
{
return (identity.IdentityClaim.ClaimType == "http://schemas.microsoft.com/net/2006/05/peer/peer");
}
private static bool ReadContentsFrom10(XmlDictionaryReader reader, out Uri uri, out AddressHeaderCollection headers, out EndpointIdentity identity, out XmlBuffer buffer, out int metadataSection, out int extensionSection)
{
buffer = null;
extensionSection = -1;
metadataSection = -1;
// Cache address string
if (!reader.IsStartElement(XD.AddressingDictionary.Address, XD.Addressing10Dictionary.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateXmlException(reader, SR.Format(SR.UnexpectedElementExpectingElement, reader.LocalName, reader.NamespaceURI, XD.AddressingDictionary.Address.Value, XD.Addressing10Dictionary.Namespace.Value)));
}
string address = reader.ReadElementContentAsString();
// Headers
if (reader.IsStartElement(XD.AddressingDictionary.ReferenceParameters, XD.Addressing10Dictionary.Namespace))
{
headers = AddressHeaderCollection.ReadServiceParameters(reader);
}
else
{
headers = null;
}
// Metadata
if (reader.IsStartElement(XD.Addressing10Dictionary.Metadata, XD.Addressing10Dictionary.Namespace))
{
reader.ReadFullStartElement(); // the wsa10:Metadata element is never stored in the buffer
buffer = new XmlBuffer(short.MaxValue);
metadataSection = 0;
XmlDictionaryWriter writer = buffer.OpenSection(reader.Quotas);
writer.WriteStartElement(DummyName, DummyNamespace);
while (reader.NodeType != XmlNodeType.EndElement && !reader.EOF)
{
writer.WriteNode(reader, true);
}
writer.Flush();
buffer.CloseSection();
reader.ReadEndElement();
}
// Extensions
buffer = ReadExtensions(reader, AddressingVersion.WSAddressing10, buffer, out identity, out extensionSection);
if (buffer != null)
{
buffer.Close();
}
// Process Address
if (address == Addressing10Strings.Anonymous)
{
uri = AddressingVersion.WSAddressing10.AnonymousUri;
if (headers == null && identity == null)
{
return(true);
}
}
else if (address == Addressing10Strings.NoneAddress)
{
uri = AddressingVersion.WSAddressing10.NoneUri;
return(false);
}
else
{
if (!Uri.TryCreate(address, UriKind.Absolute, out uri))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.InvalidUriValue, address, XD.AddressingDictionary.Address.Value, XD.Addressing10Dictionary.Namespace.Value)));
}
}
return(false);
}
public EndpointAddress (Uri uri, EndpointIdentity identity, AddressHeaderCollection headers)
: this (uri, identity, headers, null, null) {}
public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
{
return IdentityVerifier.CreateDefault().TryGetIdentity(reference, out identity);
}
internal bool TryGetIdentity(EndpointAddress reference, Uri via, out EndpointIdentity identity)
{
AdjustAddress(ref reference, via);
return this.TryGetIdentity(reference, out identity);
}
public abstract bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext);
public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
{
if (reference == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reference");
identity = reference.Identity;
if (identity == null)
{
identity = this.TryCreateDnsIdentity(reference);
}
if (identity == null)
{
SecurityTraceRecordHelper.TraceIdentityDeterminationFailure(reference, typeof(DefaultIdentityVerifier));
return false;
}
else
{
SecurityTraceRecordHelper.TraceIdentityDeterminationSuccess(reference, identity, typeof(DefaultIdentityVerifier));
return true;
}
}
private static bool ReadContentsFrom200408(XmlDictionaryReader reader, out Uri uri, out AddressHeaderCollection headers, out EndpointIdentity identity, out XmlBuffer buffer, out int metadataSection, out int extensionSection, out int pspSection)
{
buffer = null;
headers = null;
extensionSection = -1;
metadataSection = -1;
pspSection = -1;
// Cache address string
reader.MoveToContent();
if (!reader.IsStartElement(XD.AddressingDictionary.Address, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateXmlException(reader, SR.Format(SR.UnexpectedElementExpectingElement, reader.LocalName, reader.NamespaceURI, XD.AddressingDictionary.Address.Value, XD.Addressing200408Dictionary.Namespace.Value)));
}
string address = reader.ReadElementContentAsString();
// ReferenceProperites
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.ReferenceProperties, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
headers = AddressHeaderCollection.ReadServiceParameters(reader, true);
}
// ReferenceParameters
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.ReferenceParameters, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
if (headers != null)
{
List <AddressHeader> headerList = new List <AddressHeader>();
foreach (AddressHeader ah in headers)
{
headerList.Add(ah);
}
AddressHeaderCollection tmp = AddressHeaderCollection.ReadServiceParameters(reader);
foreach (AddressHeader ah in tmp)
{
headerList.Add(ah);
}
headers = new AddressHeaderCollection(headerList);
}
else
{
headers = AddressHeaderCollection.ReadServiceParameters(reader);
}
}
XmlDictionaryWriter bufferWriter = null;
// PortType
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.PortType, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
if (bufferWriter == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(short.MaxValue);
}
bufferWriter = buffer.OpenSection(reader.Quotas);
bufferWriter.WriteStartElement(DummyName, DummyNamespace);
}
bufferWriter.WriteNode(reader, true);
}
// ServiceName
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.ServiceName, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
if (bufferWriter == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(short.MaxValue);
}
bufferWriter = buffer.OpenSection(reader.Quotas);
bufferWriter.WriteStartElement(DummyName, DummyNamespace);
}
bufferWriter.WriteNode(reader, true);
}
// Policy
reader.MoveToContent();
while (reader.IsNamespaceUri(PolicyStrings.Namespace))
{
if (bufferWriter == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(short.MaxValue);
}
bufferWriter = buffer.OpenSection(reader.Quotas);
bufferWriter.WriteStartElement(DummyName, DummyNamespace);
}
bufferWriter.WriteNode(reader, true);
reader.MoveToContent();
}
// Finish PSP
if (bufferWriter != null)
{
bufferWriter.WriteEndElement();
buffer.CloseSection();
pspSection = buffer.SectionCount - 1;
bufferWriter = null;
}
else
{
pspSection = -1;
}
// Metadata
if (reader.IsStartElement(System.ServiceModel.Description.MetadataStrings.MetadataExchangeStrings.Metadata,
System.ServiceModel.Description.MetadataStrings.MetadataExchangeStrings.Namespace))
{
if (bufferWriter == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(short.MaxValue);
}
bufferWriter = buffer.OpenSection(reader.Quotas);
bufferWriter.WriteStartElement(DummyName, DummyNamespace);
}
bufferWriter.WriteNode(reader, true);
}
// Finish metadata
if (bufferWriter != null)
{
bufferWriter.WriteEndElement();
buffer.CloseSection();
metadataSection = buffer.SectionCount - 1;
bufferWriter = null;
}
else
{
metadataSection = -1;
}
// Extensions
reader.MoveToContent();
buffer = ReadExtensions(reader, AddressingVersion.WSAddressingAugust2004, buffer, out identity, out extensionSection);
// Finished reading
if (buffer != null)
{
buffer.Close();
}
// Process Address
if (address == Addressing200408Strings.Anonymous)
{
uri = AddressingVersion.WSAddressingAugust2004.AnonymousUri;
if (headers == null && identity == null)
{
return(true);
}
}
else
{
if (!Uri.TryCreate(address, UriKind.Absolute, out uri))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.Format(SR.InvalidUriValue, address, XD.AddressingDictionary.Address.Value, AddressingVersion.WSAddressingAugust2004.Namespace)));
}
}
return(false);
}
private EndpointAddress(AddressingVersion version, Uri uri, EndpointIdentity identity, AddressHeaderCollection headers, XmlBuffer buffer, int metadataSection, int extensionSection, int pspSection)
{
Init(version, uri, identity, headers, buffer, metadataSection, extensionSection, pspSection);
}
public override object ProvideValue(IServiceProvider serviceProvider)
{
Claim claim = new Claim(this.ClaimType, this.ClaimResource, this.ClaimRight);
return(EndpointIdentity.CreateIdentity(claim));
}
private static bool ReadContentsFrom200408(XmlDictionaryReader reader, out System.Uri uri, out AddressHeaderCollection headers, out EndpointIdentity identity, out XmlBuffer buffer, out int metadataSection, out int extensionSection, out int pspSection)
{
buffer = null;
headers = null;
extensionSection = -1;
metadataSection = -1;
pspSection = -1;
reader.MoveToContent();
if (!reader.IsStartElement(XD.AddressingDictionary.Address, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateXmlException(reader, System.ServiceModel.SR.GetString("UnexpectedElementExpectingElement", new object[] { reader.LocalName, reader.NamespaceURI, XD.AddressingDictionary.Address.Value, XD.Addressing200408Dictionary.Namespace.Value })));
}
string uriString = reader.ReadElementContentAsString();
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.ReferenceProperties, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
headers = AddressHeaderCollection.ReadServiceParameters(reader, true);
}
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.ReferenceParameters, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
if (headers != null)
{
List <AddressHeader> addressHeaders = new List <AddressHeader>();
foreach (AddressHeader header in headers)
{
addressHeaders.Add(header);
}
foreach (AddressHeader header2 in AddressHeaderCollection.ReadServiceParameters(reader))
{
addressHeaders.Add(header2);
}
headers = new AddressHeaderCollection(addressHeaders);
}
else
{
headers = AddressHeaderCollection.ReadServiceParameters(reader);
}
}
XmlDictionaryWriter writer = null;
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.PortType, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
if (writer == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(0x7fff);
}
writer = buffer.OpenSection(reader.Quotas);
writer.WriteStartElement("Dummy", "http://Dummy");
}
writer.WriteNode(reader, true);
}
reader.MoveToContent();
if (reader.IsStartElement(XD.AddressingDictionary.ServiceName, AddressingVersion.WSAddressingAugust2004.DictionaryNamespace))
{
if (writer == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(0x7fff);
}
writer = buffer.OpenSection(reader.Quotas);
writer.WriteStartElement("Dummy", "http://Dummy");
}
writer.WriteNode(reader, true);
}
reader.MoveToContent();
while (reader.IsNamespaceUri(XD.PolicyDictionary.Namespace))
{
if (writer == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(0x7fff);
}
writer = buffer.OpenSection(reader.Quotas);
writer.WriteStartElement("Dummy", "http://Dummy");
}
writer.WriteNode(reader, true);
reader.MoveToContent();
}
if (writer != null)
{
writer.WriteEndElement();
buffer.CloseSection();
pspSection = buffer.SectionCount - 1;
writer = null;
}
else
{
pspSection = -1;
}
if (reader.IsStartElement("Metadata", "http://schemas.xmlsoap.org/ws/2004/09/mex"))
{
if (writer == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(0x7fff);
}
writer = buffer.OpenSection(reader.Quotas);
writer.WriteStartElement("Dummy", "http://Dummy");
}
writer.WriteNode(reader, true);
}
if (writer != null)
{
writer.WriteEndElement();
buffer.CloseSection();
metadataSection = buffer.SectionCount - 1;
writer = null;
}
else
{
metadataSection = -1;
}
reader.MoveToContent();
buffer = ReadExtensions(reader, AddressingVersion.WSAddressingAugust2004, buffer, out identity, out extensionSection);
if (buffer != null)
{
buffer.Close();
}
if (uriString == "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous")
{
uri = AddressingVersion.WSAddressingAugust2004.AnonymousUri;
if ((headers == null) && (identity == null))
{
return(true);
}
}
else if (!System.Uri.TryCreate(uriString, UriKind.Absolute, out uri))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(System.ServiceModel.SR.GetString("InvalidUriValue", new object[] { uriString, XD.AddressingDictionary.Address.Value, AddressingVersion.WSAddressingAugust2004.Namespace })));
}
return(false);
}
private static bool ReadContentsFrom10(XmlDictionaryReader reader, out System.Uri uri, out AddressHeaderCollection headers, out EndpointIdentity identity, out XmlBuffer buffer, out int metadataSection, out int extensionSection)
{
buffer = null;
extensionSection = -1;
metadataSection = -1;
if (!reader.IsStartElement(XD.AddressingDictionary.Address, XD.Addressing10Dictionary.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateXmlException(reader, System.ServiceModel.SR.GetString("UnexpectedElementExpectingElement", new object[] { reader.LocalName, reader.NamespaceURI, XD.AddressingDictionary.Address.Value, XD.Addressing10Dictionary.Namespace.Value })));
}
string uriString = reader.ReadElementContentAsString();
if (reader.IsStartElement(XD.AddressingDictionary.ReferenceParameters, XD.Addressing10Dictionary.Namespace))
{
headers = AddressHeaderCollection.ReadServiceParameters(reader);
}
else
{
headers = null;
}
if (reader.IsStartElement(XD.Addressing10Dictionary.Metadata, XD.Addressing10Dictionary.Namespace))
{
reader.ReadFullStartElement();
buffer = new XmlBuffer(0x7fff);
metadataSection = 0;
XmlDictionaryWriter writer = buffer.OpenSection(reader.Quotas);
writer.WriteStartElement("Dummy", "http://Dummy");
while ((reader.NodeType != XmlNodeType.EndElement) && !reader.EOF)
{
writer.WriteNode(reader, true);
}
writer.Flush();
buffer.CloseSection();
reader.ReadEndElement();
}
buffer = ReadExtensions(reader, AddressingVersion.WSAddressing10, buffer, out identity, out extensionSection);
if (buffer != null)
{
buffer.Close();
}
if (uriString == "http://www.w3.org/2005/08/addressing/anonymous")
{
uri = AddressingVersion.WSAddressing10.AnonymousUri;
if ((headers == null) && (identity == null))
{
return(true);
}
}
else
{
if (uriString == "http://www.w3.org/2005/08/addressing/none")
{
uri = AddressingVersion.WSAddressing10.NoneUri;
return(false);
}
if (!System.Uri.TryCreate(uriString, UriKind.Absolute, out uri))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(System.ServiceModel.SR.GetString("InvalidUriValue", new object[] { uriString, XD.AddressingDictionary.Address.Value, XD.Addressing10Dictionary.Namespace.Value })));
}
}
return(false);
}
private void Init(System.Uri uri, EndpointIdentity identity, AddressHeaderCollection headers, XmlBuffer buffer, int metadataSection, int extensionSection, int pspSection)
{
this.Init(null, uri, identity, headers, buffer, metadataSection, extensionSection, pspSection);
}
Exception CreateIdentityCheckException(EndpointIdentity identity, AuthorizationContext authorizationContext, string errorString, EndpointAddress serviceReference)
{
Exception result;
if (identity.IdentityClaim != null
&& identity.IdentityClaim.ClaimType == ClaimTypes.Dns
&& identity.IdentityClaim.Right == Rights.PossessProperty
&& identity.IdentityClaim.Resource is string)
{
string expectedDnsName = (string)identity.IdentityClaim.Resource;
string actualDnsName = null;
for (int i = 0; i < authorizationContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = authorizationContext.ClaimSets[i];
foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Dns, Rights.PossessProperty))
{
if (claim.Resource is string)
{
actualDnsName = (string)claim.Resource;
break;
}
}
if (actualDnsName != null)
{
break;
}
}
if (SR.IdentityCheckFailedForIncomingMessage.Equals(errorString))
{
if (actualDnsName == null)
{
result = new MessageSecurityException(SR.GetString(SR.DnsIdentityCheckFailedForIncomingMessageLackOfDnsClaim, expectedDnsName));
}
else
{
result = new MessageSecurityException(SR.GetString(SR.DnsIdentityCheckFailedForIncomingMessage, expectedDnsName, actualDnsName));
}
}
else if (SR.IdentityCheckFailedForOutgoingMessage.Equals(errorString))
{
if (actualDnsName == null)
{
result = new MessageSecurityException(SR.GetString(SR.DnsIdentityCheckFailedForOutgoingMessageLackOfDnsClaim, expectedDnsName));
}
else
{
result = new MessageSecurityException(SR.GetString(SR.DnsIdentityCheckFailedForOutgoingMessage, expectedDnsName, actualDnsName));
}
}
else
{
result = new MessageSecurityException(SR.GetString(errorString, identity, serviceReference));
}
}
else
{
result = new MessageSecurityException(SR.GetString(errorString, identity, serviceReference));
}
return result;
}
public EndpointAddress(Uri uri, EndpointIdentity identity, AddressHeaderCollection headers)
: this(uri, identity, headers, null, null)
{
}
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
EventTraceActivity eventTraceActivity = null;
if (identity == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
if (authContext == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext");
if (FxTrace.Trace.IsEnd2EndActivityTracingEnabled)
{
eventTraceActivity = EventTraceActivityHelper.TryExtractActivity((OperationContext.Current != null) ? OperationContext.Current.IncomingMessage : null);
}
for (int i = 0; i < authContext.ClaimSets.Count; ++i)
{
ClaimSet claimSet = authContext.ClaimSets[i];
if (claimSet.ContainsClaim(identity.IdentityClaim))
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, identity.IdentityClaim, this.GetType());
return true;
}
// try Claim equivalence
string expectedSpn = null;
if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
{
expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", (string)identity.IdentityClaim.Resource);
Claim claim = CheckDnsEquivalence(claimSet, expectedSpn);
if (claim != null)
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType());
return true;
}
}
// Allow a Sid claim to support UPN, and SPN identities
SecurityIdentifier identitySid = null;
if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = GetSecurityIdentifier(identity.IdentityClaim);
}
else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = ((UpnEndpointIdentity)identity).GetUpnSid();
}
else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = ((SpnEndpointIdentity)identity).GetSpnSid();
}
else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
{
identitySid = new SpnEndpointIdentity(expectedSpn).GetSpnSid();
}
if (identitySid != null)
{
Claim claim = CheckSidEquivalence(identitySid, claimSet);
if (claim != null)
{
SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(eventTraceActivity, identity, claim, this.GetType());
return true;
}
}
}
SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, this.GetType());
if (TD.SecurityIdentityVerificationFailureIsEnabled())
{
TD.SecurityIdentityVerificationFailure(eventTraceActivity);
}
return false;
}
public EndpointAddress(Uri uri, EndpointIdentity identity, params AddressHeader [] headers)
: this(uri, identity, new AddressHeaderCollection(headers), null, null)
{
}
public abstract bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity);
public EndpointAddress(Uri uri, EndpointIdentity identity, System.ServiceModel.Channels.AddressHeader[] addressHeaders)
{
Contract.Requires(uri != null);
Contract.Requires(uri.IsAbsoluteUri);
}
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
bool returnvalue = false;
foreach (ClaimSet claimset in authContext.ClaimSets)
{
foreach (Claim claim in claimset)
{
if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname")
{
X500DistinguishedName name = (X500DistinguishedName)claim.Resource;
if (name.Name.Contains(((OrgEndpointIdentity)identity).OrganizationClaim))
{
Console.WriteLine("Claim Type: {0}", claim.ClaimType);
Console.WriteLine("Right: {0}", claim.Right);
Console.WriteLine("Resource: {0}", claim.Resource);
Console.WriteLine();
returnvalue = true;
}
}
}
}
return returnvalue;
}
public EndpointAddress(Uri uri, EndpointIdentity identity, System.ServiceModel.Channels.AddressHeaderCollection headers, System.Xml.XmlDictionaryReader metadataReader, System.Xml.XmlDictionaryReader extensionReader)
{
Contract.Requires(uri != null);
Contract.Requires(uri.IsAbsoluteUri);
}
public EndpointAddress (Uri uri, EndpointIdentity identity, params AddressHeader [] headers)
: this (uri, identity, new AddressHeaderCollection (headers), null, null) {}
public override bool Equals(object other)
{
EndpointIdentity e = other as EndpointIdentity;
return(e != null && comparer.Equals(claim, e.claim));
}
internal static EndpointIdentity ReadIdentity(XmlDictionaryReader reader)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
EndpointIdentity readIdentity = null;
reader.MoveToContent();
if (reader.IsEmptyElement)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.UnexpectedEmptyElementExpectingClaim, XD.AddressingDictionary.Identity.Value, XD.AddressingDictionary.IdentityExtensionNamespace.Value)));
}
reader.ReadStartElement(XD.AddressingDictionary.Identity, XD.AddressingDictionary.IdentityExtensionNamespace);
if (reader.IsStartElement(XD.AddressingDictionary.Spn, XD.AddressingDictionary.IdentityExtensionNamespace))
{
readIdentity = new SpnEndpointIdentity(reader.ReadElementString());
}
else if (reader.IsStartElement(XD.AddressingDictionary.Upn, XD.AddressingDictionary.IdentityExtensionNamespace))
{
readIdentity = new UpnEndpointIdentity(reader.ReadElementString());
}
else if (reader.IsStartElement(XD.AddressingDictionary.Dns, XD.AddressingDictionary.IdentityExtensionNamespace))
{
readIdentity = new DnsEndpointIdentity(reader.ReadElementString());
}
else if (reader.IsStartElement(XD.XmlSignatureDictionary.KeyInfo, XD.XmlSignatureDictionary.Namespace))
{
reader.ReadStartElement();
if (reader.IsStartElement(XD.XmlSignatureDictionary.X509Data, XD.XmlSignatureDictionary.Namespace))
{
readIdentity = new X509CertificateEndpointIdentity(reader);
}
else if (reader.IsStartElement(XD.XmlSignatureDictionary.RsaKeyValue, XD.XmlSignatureDictionary.Namespace))
{
readIdentity = new RsaEndpointIdentity(reader);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.UnrecognizedIdentityType, reader.Name, reader.NamespaceURI)));
}
reader.ReadEndElement();
}
else if (reader.NodeType == XmlNodeType.Element)
{
//
// Something unknown
//
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.UnrecognizedIdentityType, reader.Name, reader.NamespaceURI)));
}
else
{
//
// EndpointIdentity element is empty or some other invalid xml
//
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.InvalidIdentityElement)));
}
reader.ReadEndElement();
return(readIdentity);
}
internal static XmlBuffer ReadExtensions(XmlDictionaryReader reader, AddressingVersion version, XmlBuffer buffer, out EndpointIdentity identity, out int section)
{
if (reader == null)
{
identity = null;
section = -1;
return(buffer);
}
// EndpointIdentity and extensions
identity = null;
XmlDictionaryWriter bufferWriter = null;
reader.MoveToContent();
while (reader.IsStartElement())
{
if (reader.IsStartElement(XD.AddressingDictionary.Identity, XD.AddressingDictionary.IdentityExtensionNamespace))
{
if (identity != null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateXmlException(reader, SR.Format(SR.UnexpectedDuplicateElement, XD.AddressingDictionary.Identity.Value, XD.AddressingDictionary.IdentityExtensionNamespace.Value)));
}
identity = EndpointIdentity.ReadIdentity(reader);
}
else if (version != null && reader.NamespaceURI == version.Namespace)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(CreateXmlException(reader, SR.Format(SR.AddressingExtensionInBadNS, reader.LocalName, reader.NamespaceURI)));
}
else
{
if (bufferWriter == null)
{
if (buffer == null)
{
buffer = new XmlBuffer(short.MaxValue);
}
bufferWriter = buffer.OpenSection(reader.Quotas);
bufferWriter.WriteStartElement(DummyName, DummyNamespace);
}
bufferWriter.WriteNode(reader, true);
}
reader.MoveToContent();
}
if (bufferWriter != null)
{
bufferWriter.WriteEndElement();
buffer.CloseSection();
section = buffer.SectionCount - 1;
}
else
{
section = -1;
}
return(buffer);
}
