2014-08-13 10:39:27 +01:00
|
|
|
//
|
|
|
|
|
// SamlAuthorizationDecisionStatement.cs
|
|
|
|
|
//
|
|
|
|
|
// Author:
|
|
|
|
|
// Atsushi Enomoto <atsushi@ximian.com>
|
|
|
|
|
//
|
|
|
|
|
// Copyright (C) 2005 Novell, Inc. http://www.novell.com
|
|
|
|
|
//
|
|
|
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
|
|
|
// a copy of this software and associated documentation files (the
|
|
|
|
|
// "Software"), to deal in the Software without restriction, including
|
|
|
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
|
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
|
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
|
|
|
// the following conditions:
|
|
|
|
|
//
|
|
|
|
|
// The above copyright notice and this permission notice shall be
|
|
|
|
|
// included in all copies or substantial portions of the Software.
|
|
|
|
|
//
|
|
|
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
|
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
|
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
|
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
|
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
|
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
|
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
|
|
|
//
|
|
|
|
|
using System;
|
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
using System.Xml;
|
|
|
|
|
using System.IdentityModel.Claims;
|
|
|
|
|
using System.IdentityModel.Policy;
|
|
|
|
|
using System.IdentityModel.Selectors;
|
|
|
|
|
|
|
|
|
|
namespace System.IdentityModel.Tokens
|
|
|
|
|
{
|
|
|
|
|
public class SamlAuthorizationDecisionStatement : SamlSubjectStatement
|
|
|
|
|
{
|
|
|
|
|
public static string ClaimType {
|
|
|
|
|
get { return "http://schemas.microsoft.com/mb/2005/09/ClaimType/SamlAuthorizationDecision"; }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SamlAuthorizationDecisionStatement ()
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SamlAuthorizationDecisionStatement (
|
|
|
|
|
SamlSubject samlSubject, string resource,
|
|
|
|
|
SamlAccessDecision accessDecision,
|
|
|
|
|
IEnumerable<SamlAction> samlActions)
|
|
|
|
|
: base (samlSubject)
|
|
|
|
|
{
|
|
|
|
|
if (samlActions == null)
|
|
|
|
|
throw new ArgumentNullException ("samlActions");
|
|
|
|
|
if (resource == null || resource.Length == 0)
|
|
|
|
|
throw new SecurityTokenException ("non-zero length string must be set to Resource of SAML AuthorizationDecisionStatement.");
|
|
|
|
|
Resource = resource;
|
|
|
|
|
AccessDecision = accessDecision;
|
|
|
|
|
foreach (SamlAction a in samlActions) {
|
|
|
|
|
if (a == null)
|
|
|
|
|
throw new ArgumentException ("samlActions contain null item.");
|
|
|
|
|
actions.Add (a);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SamlAuthorizationDecisionStatement (
|
|
|
|
|
SamlSubject samlSubject, string resource,
|
|
|
|
|
SamlAccessDecision accessDecision,
|
|
|
|
|
IEnumerable<SamlAction> samlActions,
|
|
|
|
|
SamlEvidence samlEvidence)
|
|
|
|
|
: this (samlSubject, resource, accessDecision, samlActions)
|
|
|
|
|
{
|
|
|
|
|
evidence = samlEvidence;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SamlAccessDecision access_decision;
|
|
|
|
|
SamlEvidence evidence;
|
|
|
|
|
string resource;
|
|
|
|
|
List<SamlAction> actions = new List<SamlAction> ();
|
|
|
|
|
|
|
|
|
|
public IList<SamlAction> SamlActions {
|
|
|
|
|
get { return actions; }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SamlAccessDecision AccessDecision {
|
|
|
|
|
get { return access_decision; }
|
|
|
|
|
set {
|
|
|
|
|
CheckReadOnly ();
|
|
|
|
|
access_decision = value;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SamlEvidence Evidence {
|
|
|
|
|
get { return evidence; }
|
|
|
|
|
set {
|
|
|
|
|
CheckReadOnly ();
|
|
|
|
|
evidence = value;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public string Resource {
|
|
|
|
|
get { return resource; }
|
|
|
|
|
set {
|
|
|
|
|
CheckReadOnly ();
|
|
|
|
|
if (value == null || value.Length == 0)
|
|
|
|
|
throw new ArgumentException ("non-zero length string must be set to Resource of SAML AuthorizationDecisionStatement.");
|
|
|
|
|
resource = value;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override bool IsReadOnly {
|
|
|
|
|
get { return base.IsReadOnly; }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private void CheckReadOnly ()
|
|
|
|
|
{
|
|
|
|
|
if (IsReadOnly)
|
|
|
|
|
throw new InvalidOperationException ("This SAML assertion is read-only.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override void MakeReadOnly ()
|
|
|
|
|
{
|
|
|
|
|
base.MakeReadOnly ();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[MonoTODO]
|
|
|
|
|
protected override void AddClaimsToList (IList<Claim> claims)
|
|
|
|
|
{
|
|
|
|
|
throw new NotImplementedException ();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override void ReadXml (XmlDictionaryReader reader,
|
|
|
|
|
SamlSerializer samlSerializer,
|
|
|
|
|
SecurityTokenSerializer keyInfoSerializer,
|
2017-06-07 13:16:24 +00:00
|
|
|
SecurityTokenResolver outOfBandTokenResolver)
|
2014-08-13 10:39:27 +01:00
|
|
|
{
|
|
|
|
|
if (reader == null)
|
|
|
|
|
throw new ArgumentNullException ("reader");
|
|
|
|
|
if (samlSerializer == null)
|
|
|
|
|
throw new ArgumentNullException ("samlSerializer");
|
|
|
|
|
|
|
|
|
|
string decision = reader.GetAttribute ("Decision");
|
|
|
|
|
switch (decision) {
|
|
|
|
|
case "Permit":
|
|
|
|
|
AccessDecision = SamlAccessDecision.Permit;
|
|
|
|
|
break;
|
|
|
|
|
case "Deny":
|
|
|
|
|
AccessDecision = SamlAccessDecision.Deny;
|
|
|
|
|
break;
|
|
|
|
|
case "Indeterminate":
|
|
|
|
|
AccessDecision = SamlAccessDecision.Indeterminate;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
throw new SecurityTokenException (String.Format ("AccessDecision value is wrong: {0}", decision));
|
|
|
|
|
}
|
|
|
|
|
Resource = reader.GetAttribute ("Resource");
|
|
|
|
|
|
|
|
|
|
reader.ReadStartElement ("AuthorizationDecisionStatement", SamlConstants.Namespace);
|
|
|
|
|
|
|
|
|
|
reader.MoveToContent ();
|
|
|
|
|
SamlSubject = new SamlSubject ();
|
2017-06-07 13:16:24 +00:00
|
|
|
SamlSubject.ReadXml (reader, samlSerializer, keyInfoSerializer, outOfBandTokenResolver);
|
2014-08-13 10:39:27 +01:00
|
|
|
SamlActions.Clear ();
|
|
|
|
|
for (reader.MoveToContent ();
|
|
|
|
|
reader.LocalName == "Action" &&
|
|
|
|
|
reader.NamespaceURI == SamlConstants.Namespace;
|
|
|
|
|
reader.MoveToContent ()) {
|
|
|
|
|
SamlAction action = new SamlAction ();
|
2017-06-07 13:16:24 +00:00
|
|
|
action.ReadXml (reader, samlSerializer, keyInfoSerializer, outOfBandTokenResolver);
|
2014-08-13 10:39:27 +01:00
|
|
|
SamlActions.Add (action);
|
|
|
|
|
}
|
|
|
|
|
if (reader.LocalName == "Evidence" &&
|
|
|
|
|
reader.NamespaceURI == SamlConstants.Namespace) {
|
|
|
|
|
Evidence = new SamlEvidence ();
|
2017-06-07 13:16:24 +00:00
|
|
|
Evidence.ReadXml (reader, samlSerializer, keyInfoSerializer, outOfBandTokenResolver);
|
2014-08-13 10:39:27 +01:00
|
|
|
reader.MoveToContent ();
|
|
|
|
|
}
|
|
|
|
|
reader.ReadEndElement ();
|
|
|
|
|
|
|
|
|
|
// verify contents
|
|
|
|
|
if (SamlActions.Count == 0)
|
|
|
|
|
throw new SecurityTokenException ("SAML AuthorizationDecisionStatement must contain at least one Action.");
|
|
|
|
|
|
|
|
|
|
if (SamlSubject == null)
|
|
|
|
|
throw new SecurityTokenException ("SAML Subject must be set to SAML AuthorizationDecisionStatement before being written.");
|
|
|
|
|
if (Resource == null || Resource.Length == 0)
|
|
|
|
|
throw new SecurityTokenException ("non-zero string must be set to Resource on SAML AuthorizationDecisionStatement.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override void WriteXml (XmlDictionaryWriter writer,
|
|
|
|
|
SamlSerializer samlSerializer,
|
|
|
|
|
SecurityTokenSerializer keyInfoSerializer)
|
|
|
|
|
{
|
|
|
|
|
if (writer == null)
|
|
|
|
|
throw new ArgumentNullException ("writer");
|
|
|
|
|
if (samlSerializer == null)
|
|
|
|
|
throw new ArgumentNullException ("samlSerializer");
|
|
|
|
|
if (SamlActions.Count == 0)
|
|
|
|
|
throw new SecurityTokenException ("SAML AuthorizationDecisionStatement must contain at least one Action.");
|
|
|
|
|
|
|
|
|
|
if (SamlSubject == null)
|
|
|
|
|
throw new SecurityTokenException ("SAML Subject must be set to SAML AuthorizationDecisionStatement before being written.");
|
|
|
|
|
if (Resource == null || Resource.Length == 0)
|
|
|
|
|
throw new SecurityTokenException ("non-zero string must be set to Resource on SAML AuthorizationDecisionStatement.");
|
|
|
|
|
|
|
|
|
|
writer.WriteStartElement ("saml", "AuthorizationDecisionStatement", SamlConstants.Namespace);
|
|
|
|
|
|
|
|
|
|
writer.WriteStartAttribute ("Decision");
|
|
|
|
|
switch (AccessDecision) {
|
|
|
|
|
case SamlAccessDecision.Permit:
|
|
|
|
|
writer.WriteString ("Permit");
|
|
|
|
|
break;
|
|
|
|
|
case SamlAccessDecision.Deny:
|
|
|
|
|
writer.WriteString ("Deny");
|
|
|
|
|
break;
|
|
|
|
|
case SamlAccessDecision.Indeterminate:
|
|
|
|
|
writer.WriteString ("Indeterminate");
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
throw new ArgumentOutOfRangeException ("AccessDecision value is wrong.");
|
|
|
|
|
}
|
|
|
|
|
writer.WriteEndAttribute ();
|
|
|
|
|
|
|
|
|
|
writer.WriteAttributeString ("Resource", Resource);
|
|
|
|
|
SamlSubject.WriteXml (writer, samlSerializer, keyInfoSerializer);
|
|
|
|
|
foreach (SamlAction action in SamlActions)
|
|
|
|
|
action.WriteXml (writer, samlSerializer, keyInfoSerializer);
|
|
|
|
|
if (Evidence != null)
|
|
|
|
|
Evidence.WriteXml (writer, samlSerializer, keyInfoSerializer);
|
|
|
|
|
|
|
|
|
|
writer.WriteEndElement ();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
