825 lines
35 KiB
C#
825 lines
35 KiB
C#
|
//------------------------------------------------------------
|
||
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||
|
//------------------------------------------------------------
|
||
|
|
||
|
namespace System.IdentityModel.Tokens
|
||
|
{
|
||
|
using System.Collections.Generic;
|
||
|
using System.Collections.ObjectModel;
|
||
|
using System.Diagnostics;
|
||
|
using System.IdentityModel.Configuration;
|
||
|
using System.IdentityModel.Diagnostics;
|
||
|
using System.IdentityModel.Selectors;
|
||
|
using System.IO;
|
||
|
using System.Runtime;
|
||
|
using System.Security.Claims;
|
||
|
using System.ServiceModel.Security;
|
||
|
using System.Xml;
|
||
|
using SessionDictionary = System.IdentityModel.Claims.SessionDictionary;
|
||
|
using SysUniqueId = System.Xml.UniqueId;
|
||
|
using System.Security.Cryptography.X509Certificates;
|
||
|
using System.Runtime.Serialization.Formatters.Binary;
|
||
|
|
||
|
/// <summary>
|
||
|
/// A <see cref="SecurityTokenHandler"/> that processes <see cref="SessionSecurityToken"/>.
|
||
|
/// </summary>
|
||
|
public class SessionSecurityTokenHandler : SecurityTokenHandler
|
||
|
{
|
||
|
const string DefaultCookieElementName = "Cookie";
|
||
|
const string DefaultCookieNamespace = "http://schemas.microsoft.com/ws/2006/05/security";
|
||
|
private const string SecureConversationTokenIdentifier = "http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation";
|
||
|
|
||
|
#pragma warning disable 1591
|
||
|
public static readonly TimeSpan DefaultLifetime = TimeSpan.FromHours(10);
|
||
|
public static readonly ReadOnlyCollection<CookieTransform> DefaultCookieTransforms = (new List<CookieTransform>(new CookieTransform[] { new DeflateCookieTransform(), new ProtectedDataCookieTransform() }).AsReadOnly());
|
||
|
#pragma warning restore 1591
|
||
|
|
||
|
TimeSpan _tokenLifetime = DefaultLifetime;
|
||
|
ReadOnlyCollection<CookieTransform> _transforms;
|
||
|
|
||
|
/// <summary>
|
||
|
/// Initializes an instance of <see cref="SessionSecurityTokenHandler"/>
|
||
|
/// </summary>
|
||
|
/// <remarks>
|
||
|
/// Properties are used for defaults:
|
||
|
/// DefaultCookieTransforms
|
||
|
/// DefaultLifetime
|
||
|
/// </remarks>
|
||
|
public SessionSecurityTokenHandler()
|
||
|
: this(SessionSecurityTokenHandler.DefaultCookieTransforms)
|
||
|
{
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Initializes an instance of <see cref="SessionSecurityTokenHandler"/>
|
||
|
/// </summary>
|
||
|
/// <param name="transforms">The transforms to apply when encoding the cookie.</param>
|
||
|
/// <remarks>
|
||
|
/// Properties are used for the remaining defaults:
|
||
|
/// DefaultLifetime
|
||
|
/// </remarks>
|
||
|
public SessionSecurityTokenHandler(ReadOnlyCollection<CookieTransform> transforms)
|
||
|
: this(transforms, DefaultLifetime)
|
||
|
{ }
|
||
|
|
||
|
/// <summary>
|
||
|
/// Initializes an instance of <see cref="SessionSecurityTokenHandler"/>
|
||
|
/// </summary>
|
||
|
/// <param name="transforms">The transforms to apply when encoding the cookie.</param>
|
||
|
/// <param name="tokenLifetime">The default for a token.</param>
|
||
|
/// <exception cref="ArgumentNullException">Is thrown if 'transforms' is null.</exception>
|
||
|
/// <exception cref="InvalidOperationException">Is thrown if 'tokenLifetime' is less than or equal to TimeSpan.Zero.</exception>
|
||
|
public SessionSecurityTokenHandler(ReadOnlyCollection<CookieTransform> transforms, TimeSpan tokenLifetime)
|
||
|
{
|
||
|
if (transforms == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("transforms");
|
||
|
}
|
||
|
|
||
|
if (tokenLifetime <= TimeSpan.Zero)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID0016)));
|
||
|
}
|
||
|
|
||
|
_transforms = transforms;
|
||
|
_tokenLifetime = tokenLifetime;
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Load custom configuration from Xml
|
||
|
/// </summary>
|
||
|
/// <param name="customConfigElements">XmlElement to custom configuration.</param>
|
||
|
/// <exception cref="ArgumentNullException">The param customConfigElements is null.</exception>
|
||
|
/// <exception cref="InvalidOperationException">Custom configuration specified was invalid.</exception>
|
||
|
public override void LoadCustomConfiguration(XmlNodeList customConfigElements)
|
||
|
{
|
||
|
if (customConfigElements == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("customConfigElements");
|
||
|
}
|
||
|
|
||
|
List<XmlElement> configNodes = XmlUtil.GetXmlElements(customConfigElements);
|
||
|
|
||
|
bool foundValidConfig = false;
|
||
|
|
||
|
foreach (XmlElement customConfigElement in configNodes)
|
||
|
{
|
||
|
if (!StringComparer.Ordinal.Equals(customConfigElement.LocalName, ConfigurationStrings.SessionTokenRequirement))
|
||
|
{
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
if (foundValidConfig)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7026, ConfigurationStrings.SessionTokenRequirement)));
|
||
|
}
|
||
|
|
||
|
_tokenLifetime = DefaultLifetime;
|
||
|
|
||
|
foreach (XmlAttribute attribute in customConfigElement.Attributes)
|
||
|
{
|
||
|
if (StringComparer.OrdinalIgnoreCase.Equals(attribute.LocalName, ConfigurationStrings.Lifetime))
|
||
|
{
|
||
|
TimeSpan outTokenLifetime = DefaultLifetime;
|
||
|
if (!TimeSpan.TryParse(attribute.Value, out outTokenLifetime))
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7017, attribute.Value)));
|
||
|
}
|
||
|
if (outTokenLifetime < TimeSpan.Zero)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7018)));
|
||
|
}
|
||
|
_tokenLifetime = outTokenLifetime;
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID7004, attribute.LocalName, customConfigElement.LocalName)));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
foundValidConfig = true;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets the name for the cookie element.
|
||
|
/// </summary>
|
||
|
public virtual string CookieElementName
|
||
|
{
|
||
|
get { return DefaultCookieElementName; }
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets the namspace for the cookie element.
|
||
|
/// </summary>
|
||
|
public virtual string CookieNamespace
|
||
|
{
|
||
|
get { return DefaultCookieNamespace; }
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Applies Transforms to the cookie.
|
||
|
/// </summary>
|
||
|
/// <param name="cookie">The cookie that will be transformed.</param>
|
||
|
/// <param name="outbound">Controls if the cookie should be encoded (true) or decoded (false)</param>
|
||
|
/// <returns>Encoded cookie.</returns>
|
||
|
protected virtual byte[] ApplyTransforms(byte[] cookie, bool outbound)
|
||
|
{
|
||
|
byte[] transformedCookie = cookie;
|
||
|
|
||
|
if (Transforms == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4296)));
|
||
|
}
|
||
|
|
||
|
if (outbound)
|
||
|
{
|
||
|
for (int i = 0; i < _transforms.Count; i++)
|
||
|
{
|
||
|
transformedCookie = _transforms[i].Encode(transformedCookie);
|
||
|
}
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
for (int i = _transforms.Count; i > 0; i--)
|
||
|
{
|
||
|
transformedCookie = _transforms[i - 1].Decode(transformedCookie);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return transformedCookie;
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Checks the reader if this is a SecurityContextToken.
|
||
|
/// </summary>
|
||
|
/// <param name="reader">XmlReader over the incoming SecurityToken.</param>
|
||
|
/// <returns>'True' if the reader points to a SecurityContextToken.</returns>
|
||
|
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
|
||
|
public override bool CanReadToken(XmlReader reader)
|
||
|
{
|
||
|
if (reader == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
|
||
|
}
|
||
|
|
||
|
return (reader.IsStartElement(WSSecureConversationFeb2005Constants.ElementNames.Name, WSSecureConversationFeb2005Constants.Namespace)
|
||
|
|| reader.IsStartElement(WSSecureConversation13Constants.ElementNames.Name, WSSecureConversation13Constants.Namespace));
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Indicates whether this handler supports validation of tokens.
|
||
|
/// </summary>
|
||
|
/// <returns>'True' if the class is capable of SecurityToken validation.</returns>
|
||
|
public override bool CanValidateToken
|
||
|
{
|
||
|
get { return true; }
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets information on whether this Token Handler can write tokens.
|
||
|
/// </summary>
|
||
|
public override bool CanWriteToken
|
||
|
{
|
||
|
get
|
||
|
{
|
||
|
return true;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Creates a security token based on a token descriptor.
|
||
|
/// </summary>
|
||
|
/// <param name="tokenDescriptor">The token descriptor.</param>
|
||
|
/// <returns>A security token.</returns>
|
||
|
/// <exception cref="ArgumentNullException">Thrown if 'tokenDescriptor' is null.</exception>
|
||
|
public override SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor)
|
||
|
{
|
||
|
if (null == tokenDescriptor)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenDescriptor");
|
||
|
}
|
||
|
|
||
|
if (this.Configuration == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4272)));
|
||
|
}
|
||
|
|
||
|
ClaimsPrincipal principal = new ClaimsPrincipal(tokenDescriptor.Subject);
|
||
|
|
||
|
if (this.Configuration.SaveBootstrapContext)
|
||
|
{
|
||
|
SecurityTokenHandlerCollection bootstrapTokenCollection = CreateBootstrapTokenHandlerCollection();
|
||
|
if (!bootstrapTokenCollection.CanWriteToken(tokenDescriptor.Token))
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4010, tokenDescriptor.Token.GetType().ToString())));
|
||
|
}
|
||
|
|
||
|
(principal.Identities as ReadOnlyCollection<ClaimsIdentity>)[0].BootstrapContext = new BootstrapContext(tokenDescriptor.Token, bootstrapTokenCollection[tokenDescriptor.Token.GetType()]);
|
||
|
}
|
||
|
|
||
|
DateTime validFrom = (tokenDescriptor.Lifetime.Created.HasValue) ? (DateTime)tokenDescriptor.Lifetime.Created : DateTime.UtcNow;
|
||
|
DateTime validTo = (tokenDescriptor.Lifetime.Expires.HasValue) ? (DateTime)tokenDescriptor.Lifetime.Expires : DateTime.UtcNow + SessionSecurityTokenHandler.DefaultTokenLifetime;
|
||
|
|
||
|
return new SessionSecurityToken(principal, null, validFrom, validTo);
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Creates a <see cref="SessionSecurityToken"/> based on an <see cref="ClaimsPrincipal"/> and a valid time range.
|
||
|
/// </summary>
|
||
|
/// <param name="principal"><see cref="ClaimsPrincipal"/></param>
|
||
|
/// <param name="context">Caller defined context string</param>
|
||
|
/// <param name="endpointId">Identifier of the endpoint to which the token is scoped.</param>
|
||
|
/// <param name="validFrom">Earliest valid time.</param>
|
||
|
/// <param name="validTo">Latest valid time.</param>
|
||
|
public virtual SessionSecurityToken CreateSessionSecurityToken(
|
||
|
ClaimsPrincipal principal,
|
||
|
string context,
|
||
|
string endpointId,
|
||
|
DateTime validFrom,
|
||
|
DateTime validTo)
|
||
|
{
|
||
|
if (null == principal)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("principal");
|
||
|
}
|
||
|
|
||
|
if (this.Configuration == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4272)));
|
||
|
}
|
||
|
|
||
|
return new SessionSecurityToken(principal, context, endpointId, validFrom, validTo);
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets the default token lifetime
|
||
|
/// </summary>
|
||
|
public static TimeSpan DefaultTokenLifetime
|
||
|
{
|
||
|
get { return DefaultLifetime; }
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Reads the SessionSecurityToken from a stream of bytes.
|
||
|
/// </summary>
|
||
|
/// <param name="token">token.</param>
|
||
|
/// <param name="tokenResolver">SecurityTokenResolver that can be used to resolve the SessionSecurityToken.</param>
|
||
|
/// <returns>Instance of SessionSecurityToken.</returns>
|
||
|
public virtual SecurityToken ReadToken(byte[] token, SecurityTokenResolver tokenResolver)
|
||
|
{
|
||
|
// Our implementation of ReadToken( byte[] ) will always return null. We make the above call not to
|
||
|
// break SharePoint. SharePoint has overridden ReadToken(byte[] token) and expect the SessionAuthenticationModule to
|
||
|
// call that. So SessionAuthenticationModule will calls this method which does the correct thing.
|
||
|
using (XmlReader reader = XmlDictionaryReader.CreateTextReader(token, XmlDictionaryReaderQuotas.Max))
|
||
|
{
|
||
|
return this.ReadToken(reader, tokenResolver);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Reads the SessionSecurityToken from the given reader.
|
||
|
/// </summary>
|
||
|
/// <param name="reader">XmlReader over the SessionSecurityToken.</param>
|
||
|
/// <returns>An instance of <see cref="SessionSecurityToken"/>.</returns>
|
||
|
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
|
||
|
/// <exception cref="SecurityTokenException">The 'reader' is not positioned at a SessionSecurityToken
|
||
|
/// or the SessionSecurityToken cannot be read.</exception>
|
||
|
public override SecurityToken ReadToken(XmlReader reader)
|
||
|
{
|
||
|
return this.ReadToken(reader, EmptySecurityTokenResolver.Instance);
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Reads the SessionSecurityToken from the given reader.
|
||
|
/// </summary>
|
||
|
/// <param name="reader">XmlReader over the SessionSecurityToken.</param>
|
||
|
/// <param name="tokenResolver">SecurityTokenResolver that can used to resolve SessionSecurityToken.</param>
|
||
|
/// <returns>An instance of <see cref="SessionSecurityToken"/>.</returns>
|
||
|
/// <exception cref="ArgumentNullException">The input argument 'reader' is null.</exception>
|
||
|
/// <exception cref="SecurityTokenException">The 'reader' is not positioned at a SessionSecurityToken
|
||
|
/// or the SessionSecurityToken cannot be read.</exception>
|
||
|
public override SecurityToken ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
|
||
|
{
|
||
|
if (reader == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
|
||
|
}
|
||
|
|
||
|
if (tokenResolver == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenResolver");
|
||
|
}
|
||
|
|
||
|
byte[] encodedCookie = null;
|
||
|
SysUniqueId contextId = null;
|
||
|
SysUniqueId keyGeneration = null;
|
||
|
|
||
|
string ns = null;
|
||
|
string identifier = null;
|
||
|
string instance = null;
|
||
|
|
||
|
SecurityToken securityContextToken = null;
|
||
|
SessionDictionary dictionary = SessionDictionary.Instance;
|
||
|
|
||
|
XmlDictionaryReader dicReader = XmlDictionaryReader.CreateDictionaryReader(reader);
|
||
|
|
||
|
if (dicReader.IsStartElement(WSSecureConversationFeb2005Constants.ElementNames.Name, WSSecureConversationFeb2005Constants.Namespace))
|
||
|
{
|
||
|
ns = WSSecureConversationFeb2005Constants.Namespace;
|
||
|
identifier = WSSecureConversationFeb2005Constants.ElementNames.Identifier;
|
||
|
instance = WSSecureConversationFeb2005Constants.ElementNames.Instance;
|
||
|
}
|
||
|
else if (dicReader.IsStartElement(WSSecureConversation13Constants.ElementNames.Name, WSSecureConversation13Constants.Namespace))
|
||
|
{
|
||
|
ns = WSSecureConversation13Constants.Namespace;
|
||
|
identifier = WSSecureConversation13Constants.ElementNames.Identifier;
|
||
|
instance = WSSecureConversation13Constants.ElementNames.Instance;
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// Something is wrong
|
||
|
//
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(
|
||
|
SR.GetString(SR.ID4230, WSSecureConversationFeb2005Constants.ElementNames.Name, dicReader.Name)));
|
||
|
}
|
||
|
|
||
|
string id = dicReader.GetAttribute(WSUtilityConstants.Attributes.IdAttribute, WSUtilityConstants.NamespaceURI);
|
||
|
|
||
|
dicReader.ReadFullStartElement();
|
||
|
if (!dicReader.IsStartElement(identifier, ns))
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(
|
||
|
SR.GetString(SR.ID4230, WSSecureConversation13Constants.ElementNames.Identifier, dicReader.Name)));
|
||
|
}
|
||
|
|
||
|
contextId = dicReader.ReadElementContentAsUniqueId();
|
||
|
if (contextId == null || string.IsNullOrEmpty(contextId.ToString()))
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4242)));
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// The token can be a renewed token, in which case we need to know the
|
||
|
// instance id, which will be the secondary key to the context id for
|
||
|
// cache lookups
|
||
|
//
|
||
|
if (dicReader.IsStartElement(instance, ns))
|
||
|
{
|
||
|
keyGeneration = dicReader.ReadElementContentAsUniqueId();
|
||
|
}
|
||
|
|
||
|
if (dicReader.IsStartElement(CookieElementName, CookieNamespace))
|
||
|
{
|
||
|
// Get the token from the Cache, which is returned as an SCT
|
||
|
SecurityToken cachedToken = null;
|
||
|
|
||
|
SecurityContextKeyIdentifierClause sctClause = null;
|
||
|
if (keyGeneration == null)
|
||
|
{
|
||
|
sctClause = new SecurityContextKeyIdentifierClause(contextId);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
sctClause = new SecurityContextKeyIdentifierClause(contextId, keyGeneration);
|
||
|
}
|
||
|
|
||
|
tokenResolver.TryResolveToken(sctClause, out cachedToken);
|
||
|
|
||
|
if (cachedToken != null)
|
||
|
{
|
||
|
securityContextToken = cachedToken;
|
||
|
|
||
|
dicReader.Skip();
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// CookieMode
|
||
|
//
|
||
|
encodedCookie = dicReader.ReadElementContentAsBase64();
|
||
|
|
||
|
if (encodedCookie == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4237)));
|
||
|
}
|
||
|
//
|
||
|
// appply transforms
|
||
|
//
|
||
|
byte[] decodedCookie = ApplyTransforms(encodedCookie, false);
|
||
|
|
||
|
using (MemoryStream ms = new MemoryStream(decodedCookie))
|
||
|
{
|
||
|
BinaryFormatter formatter = new BinaryFormatter();
|
||
|
securityContextToken = formatter.Deserialize(ms) as SecurityToken;
|
||
|
}
|
||
|
|
||
|
SessionSecurityToken sessionToken = securityContextToken as SessionSecurityToken;
|
||
|
if (sessionToken != null && sessionToken.ContextId != contextId)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4229, sessionToken.ContextId, contextId)));
|
||
|
}
|
||
|
|
||
|
if (sessionToken != null && sessionToken.Id != id)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4227, sessionToken.Id, id)));
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// SessionMode
|
||
|
//
|
||
|
|
||
|
// Get the token from the Cache.
|
||
|
SecurityToken cachedToken = null;
|
||
|
|
||
|
SecurityContextKeyIdentifierClause sctClause = null;
|
||
|
if (keyGeneration == null)
|
||
|
{
|
||
|
sctClause = new SecurityContextKeyIdentifierClause(contextId);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
sctClause = new SecurityContextKeyIdentifierClause(contextId, keyGeneration);
|
||
|
}
|
||
|
|
||
|
tokenResolver.TryResolveToken(sctClause, out cachedToken);
|
||
|
|
||
|
if (cachedToken != null)
|
||
|
{
|
||
|
securityContextToken = cachedToken;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
dicReader.ReadEndElement();
|
||
|
|
||
|
if (securityContextToken == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4243)));
|
||
|
}
|
||
|
|
||
|
return securityContextToken;
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets or sets the TokenLifetime.
|
||
|
/// </summary>
|
||
|
public virtual TimeSpan TokenLifetime
|
||
|
{
|
||
|
get { return _tokenLifetime; }
|
||
|
set
|
||
|
{
|
||
|
if (value <= TimeSpan.Zero)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("value", SR.GetString(SR.ID0016));
|
||
|
}
|
||
|
|
||
|
_tokenLifetime = value;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets the bootstrap token handler collection.
|
||
|
/// </summary>
|
||
|
SecurityTokenHandlerCollection CreateBootstrapTokenHandlerCollection()
|
||
|
{
|
||
|
SecurityTokenHandlerCollection tokenHandlerCollection = this.ContainingCollection ?? SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
|
||
|
return tokenHandlerCollection;
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets the token type URIs
|
||
|
/// </summary>
|
||
|
public override string[] GetTokenTypeIdentifiers()
|
||
|
{
|
||
|
return new string[] { SecureConversationTokenIdentifier,
|
||
|
WSSecureConversation13Constants.TokenTypeURI,
|
||
|
WSSecureConversationFeb2005Constants.TokenTypeURI };
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets the type of token this handler can work with.
|
||
|
/// </summary>
|
||
|
public override Type TokenType
|
||
|
{
|
||
|
get { return typeof(SessionSecurityToken); }
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Gets the transforms that will be applied to the cookie.
|
||
|
/// </summary>
|
||
|
public ReadOnlyCollection<CookieTransform> Transforms
|
||
|
{
|
||
|
get
|
||
|
{
|
||
|
return _transforms;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Sets the transforms that will be applied to cookies.
|
||
|
/// </summary>
|
||
|
/// <param name="transforms">The <see cref="CookieTransform"/> objects to use. </param>
|
||
|
protected void SetTransforms(IEnumerable<CookieTransform> transforms)
|
||
|
{
|
||
|
_transforms = new List<CookieTransform>(transforms).AsReadOnly();
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Validates a <see cref="SessionSecurityToken"/>.
|
||
|
/// </summary>
|
||
|
/// <param name="token">The <see cref="SessionSecurityToken"/> to validate.</param>
|
||
|
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
|
||
|
/// <exception cref="ArgumentNullException">The parameter 'token' is null.</exception>
|
||
|
/// <exception cref="ArgumentException">The token is not assignable from <see cref="SessionSecurityToken"/>.</exception>
|
||
|
public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
|
||
|
{
|
||
|
if (token == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
|
||
|
}
|
||
|
|
||
|
SessionSecurityToken sessionToken = token as SessionSecurityToken;
|
||
|
if (sessionToken == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4292, token.GetType().ToString(), this.GetType().ToString())));
|
||
|
}
|
||
|
|
||
|
try
|
||
|
{
|
||
|
if (DiagnosticUtility.ShouldTrace(TraceEventType.Verbose))
|
||
|
{
|
||
|
TraceUtility.TraceEvent(
|
||
|
TraceEventType.Verbose,
|
||
|
TraceCode.Diagnostics,
|
||
|
SR.GetString(SR.TraceValidateToken),
|
||
|
new SecurityTraceRecordHelper.TokenTraceRecord(token),
|
||
|
null,
|
||
|
null);
|
||
|
}
|
||
|
|
||
|
this.ValidateSession(sessionToken);
|
||
|
|
||
|
this.TraceTokenValidationSuccess(token);
|
||
|
|
||
|
List<ClaimsIdentity> identitites = new List<ClaimsIdentity>(1);
|
||
|
identitites.AddRange(sessionToken.ClaimsPrincipal.Identities);
|
||
|
return identitites.AsReadOnly();
|
||
|
}
|
||
|
catch (Exception e)
|
||
|
{
|
||
|
if (Fx.IsFatal(e))
|
||
|
{
|
||
|
throw;
|
||
|
}
|
||
|
|
||
|
this.TraceTokenValidationFailure(token, e.Message);
|
||
|
throw e;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Validates a token and returns its claims.
|
||
|
/// </summary>
|
||
|
/// <param name="token">The <see cref="SessionSecurityToken"/> to validate.</param>
|
||
|
/// <param name="endpointId">Identifier to the endpoint to which the token is scoped.</param>
|
||
|
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> representing the identities contained in the token.</returns>
|
||
|
/// <exception cref="ArgumentNullException">The parameter 'token' is null.</exception>
|
||
|
/// <exception cref="ArgumentNullException">The parameter 'endpointId' is null.</exception>
|
||
|
/// <exception cref="SecurityTokenException">token.EndpointId != endpointId.</exception>
|
||
|
public virtual ReadOnlyCollection<ClaimsIdentity> ValidateToken(SessionSecurityToken token, string endpointId)
|
||
|
{
|
||
|
if (token == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
|
||
|
}
|
||
|
|
||
|
if (endpointId == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("endpointId");
|
||
|
}
|
||
|
|
||
|
// We consider SessionTokens with String.Empty as the endpoint Id to be
|
||
|
// globally scoped tokens. This in insecure, we are allowing this only
|
||
|
// for compatibility with customers who have overriden SessionSecurityTokenHandler.
|
||
|
if (!string.IsNullOrEmpty(token.EndpointId))
|
||
|
{
|
||
|
if (token.EndpointId != endpointId)
|
||
|
{
|
||
|
string errorMessage = SR.GetString(SR.ID4291, token);
|
||
|
this.TraceTokenValidationFailure(token, errorMessage);
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(errorMessage));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return this.ValidateToken(token);
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Checks the valid time of a SecurityToken.
|
||
|
/// </summary>
|
||
|
/// <remarks>
|
||
|
/// The token is invalid if the securityToken.ValidFrom > DateTime.UtcNow OR securityToken.ValidTo < DateTime.UtcNow
|
||
|
/// </remarks>
|
||
|
/// <param name="token">The <see cref="SessionSecurityToken"/> to validate.</param>
|
||
|
/// <exception cref="ArgumentNullException">Thrown if 'securityToken' is null.</exception>
|
||
|
/// <exception cref="InvalidOperationException">Thrown if 'Configuration' is null.</exception>
|
||
|
/// <exception cref="SecurityTokenNotYetValidException">Thrown if securityToken.ValidFrom > DateTime.UtcNow.</exception>
|
||
|
/// <exception cref="SecurityTokenExpiredException">Thrown if securityToken.ValidTo < DateTime.UtcNow.</exception>
|
||
|
protected virtual void ValidateSession(SessionSecurityToken securityToken)
|
||
|
{
|
||
|
if (securityToken == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityToken");
|
||
|
}
|
||
|
|
||
|
if (this.Configuration == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4274)));
|
||
|
}
|
||
|
|
||
|
Fx.Assert(this.Configuration != null, SR.GetString(SR.ID8027));
|
||
|
|
||
|
DateTime utcNow = DateTime.UtcNow;
|
||
|
|
||
|
// apply clock skew here.
|
||
|
DateTime maxTime = DateTimeUtil.Add(utcNow, Configuration.MaxClockSkew);
|
||
|
DateTime minTime = DateTimeUtil.Add(utcNow, -Configuration.MaxClockSkew);
|
||
|
|
||
|
if (securityToken.ValidFrom > maxTime)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenNotYetValidException(SR.GetString(SR.ID4255, securityToken.ValidTo, securityToken.ValidFrom, utcNow)));
|
||
|
}
|
||
|
|
||
|
if (securityToken.ValidTo < minTime)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenExpiredException(SR.GetString(SR.ID4255, securityToken.ValidTo, securityToken.ValidFrom, utcNow)));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Writes the token into a byte array.
|
||
|
/// </summary>
|
||
|
/// <param name="sessionToken">The SessionSecurityToken to write.</param>
|
||
|
/// <exception cref="ArgumentNullException">Thrown if 'sessiontoken' is null.</exception>
|
||
|
/// <returns>An encoded byte array.</returns>
|
||
|
public virtual byte[] WriteToken(SessionSecurityToken sessionToken)
|
||
|
{
|
||
|
if (sessionToken == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sessionToken");
|
||
|
}
|
||
|
|
||
|
using (MemoryStream ms = new MemoryStream())
|
||
|
{
|
||
|
using (XmlWriter writer = XmlWriter.Create(ms))
|
||
|
{
|
||
|
WriteToken(writer, sessionToken);
|
||
|
writer.Flush();
|
||
|
}
|
||
|
|
||
|
return ms.ToArray();
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/// <summary>
|
||
|
/// Serializes the given token to the XmlWriter.
|
||
|
/// </summary>
|
||
|
/// <param name="writer">XmlWriter to which the token needs to be serialized</param>
|
||
|
/// <param name="token">The SecurityToken to be serialized.</param>
|
||
|
/// <exception cref="ArgumentNullException">The input argument 'writer' is null.</exception>
|
||
|
/// <exception cref="InvalidOperationException">The input argument 'token' is either null or not of type
|
||
|
/// SessionSecurityToken.</exception>
|
||
|
public override void WriteToken(XmlWriter writer, SecurityToken token)
|
||
|
{
|
||
|
if (writer == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
|
||
|
}
|
||
|
|
||
|
if (token == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
|
||
|
}
|
||
|
|
||
|
SessionSecurityToken sessionToken = token as SessionSecurityToken;
|
||
|
if (sessionToken == null)
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4046, token, TokenType)));
|
||
|
}
|
||
|
|
||
|
string ns, elementName, contextIdElementName, instance;
|
||
|
|
||
|
if (sessionToken.SecureConversationVersion == WSSecureConversationFeb2005Constants.NamespaceUri)
|
||
|
{
|
||
|
ns = WSSecureConversationFeb2005Constants.Namespace;
|
||
|
elementName = WSSecureConversationFeb2005Constants.ElementNames.Name;
|
||
|
contextIdElementName = WSSecureConversationFeb2005Constants.ElementNames.Identifier;
|
||
|
instance = WSSecureConversationFeb2005Constants.ElementNames.Instance;
|
||
|
}
|
||
|
else if (sessionToken.SecureConversationVersion == WSSecureConversation13Constants.NamespaceUri)
|
||
|
{
|
||
|
ns = WSSecureConversation13Constants.Namespace;
|
||
|
elementName = WSSecureConversation13Constants.ElementNames.Name;
|
||
|
contextIdElementName = WSSecureConversation13Constants.ElementNames.Identifier;
|
||
|
instance = WSSecureConversation13Constants.ElementNames.Instance;
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4050)));
|
||
|
}
|
||
|
|
||
|
XmlDictionaryWriter dicWriter;
|
||
|
SessionDictionary dictionary = SessionDictionary.Instance;
|
||
|
|
||
|
if (writer is XmlDictionaryWriter)
|
||
|
{
|
||
|
dicWriter = (XmlDictionaryWriter)writer;
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
dicWriter = XmlDictionaryWriter.CreateDictionaryWriter(writer);
|
||
|
}
|
||
|
|
||
|
dicWriter.WriteStartElement(elementName, ns);
|
||
|
if (sessionToken.Id != null)
|
||
|
{
|
||
|
dicWriter.WriteAttributeString(WSUtilityConstants.Attributes.IdAttribute, WSUtilityConstants.NamespaceURI, sessionToken.Id);
|
||
|
}
|
||
|
|
||
|
dicWriter.WriteElementString(contextIdElementName, ns, sessionToken.ContextId.ToString());
|
||
|
|
||
|
if (sessionToken.KeyGeneration != null)
|
||
|
{
|
||
|
dicWriter.WriteStartElement(instance, ns);
|
||
|
dicWriter.WriteValue(sessionToken.KeyGeneration);
|
||
|
dicWriter.WriteEndElement();
|
||
|
}
|
||
|
|
||
|
if (!sessionToken.IsReferenceMode)
|
||
|
{
|
||
|
dicWriter.WriteStartElement(CookieElementName, CookieNamespace);
|
||
|
byte[] cookie;
|
||
|
|
||
|
using (MemoryStream ms = new MemoryStream())
|
||
|
{
|
||
|
BinaryFormatter formatter = new BinaryFormatter();
|
||
|
formatter.Serialize(ms, token);
|
||
|
cookie = ms.ToArray();
|
||
|
}
|
||
|
|
||
|
cookie = ApplyTransforms(cookie, true);
|
||
|
dicWriter.WriteBase64(cookie, 0, cookie.Length);
|
||
|
dicWriter.WriteEndElement();
|
||
|
}
|
||
|
|
||
|
dicWriter.WriteEndElement();
|
||
|
dicWriter.Flush();
|
||
|
}
|
||
|
|
||
|
}
|
||
|
}
|