You've already forked linux-packaging-mono
							
							
		
			
	
	
		
			310 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
		
		
			
		
	
	
			310 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
|   | //----------------------------------------------------------------------------- | ||
|  | // Copyright (c) Microsoft Corporation.  All rights reserved. | ||
|  | //----------------------------------------------------------------------------- | ||
|  | namespace System.ServiceModel.Security.Tokens | ||
|  | { | ||
|  |     using System.Collections.Generic; | ||
|  |     using System.Collections.ObjectModel; | ||
|  |     using System.IdentityModel.Claims; | ||
|  |     using System.IdentityModel.Policy; | ||
|  |     using System.IO; | ||
|  |     using System.Runtime; | ||
|  |     using System.Runtime.Serialization; | ||
|  |     using System.Security.Principal; | ||
|  |     using System.ServiceModel; | ||
|  |     using System.ServiceModel.Dispatcher; | ||
|  |     using System.Xml; | ||
|  | 
 | ||
|  |     struct SecurityContextCookieSerializer | ||
|  |     { | ||
|  |         const int SupportedPersistanceVersion = 1; | ||
|  | 
 | ||
|  |         SecurityStateEncoder securityStateEncoder; | ||
|  |         IList<Type> knownTypes; | ||
|  | 
 | ||
|  |         public SecurityContextCookieSerializer(SecurityStateEncoder securityStateEncoder, IList<Type> knownTypes) | ||
|  |         { | ||
|  |             if (securityStateEncoder == null) | ||
|  |             { | ||
|  |                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityStateEncoder"); | ||
|  |             } | ||
|  |             this.securityStateEncoder = securityStateEncoder; | ||
|  |             this.knownTypes = knownTypes ?? new List<Type>(); | ||
|  |         } | ||
|  | 
 | ||
|  |         SecurityContextSecurityToken DeserializeContext(byte[] serializedContext, byte[] cookieBlob, string id, XmlDictionaryReaderQuotas quotas) | ||
|  |         { | ||
|  |             SctClaimDictionary dictionary = SctClaimDictionary.Instance; | ||
|  |             XmlDictionaryReader reader = XmlDictionaryReader.CreateBinaryReader(serializedContext, 0, serializedContext.Length, dictionary, quotas, null, null); | ||
|  |             int cookieVersion = -1; | ||
|  |             UniqueId cookieContextId = null; | ||
|  |             DateTime effectiveTime = SecurityUtils.MinUtcDateTime; | ||
|  |             DateTime expiryTime = SecurityUtils.MaxUtcDateTime; | ||
|  |             byte[] key = null; | ||
|  |             string localId = null; | ||
|  |             UniqueId keyGeneration = null; | ||
|  |             DateTime keyEffectiveTime = SecurityUtils.MinUtcDateTime; | ||
|  |             DateTime keyExpirationTime = SecurityUtils.MaxUtcDateTime; | ||
|  |             List<ClaimSet> claimSets = null; | ||
|  |             IList<IIdentity> identities = null; | ||
|  |             bool isCookie = true; | ||
|  | 
 | ||
|  |             reader.ReadFullStartElement(dictionary.SecurityContextSecurityToken, dictionary.EmptyString); | ||
|  | 
 | ||
|  |             while (reader.IsStartElement()) | ||
|  |             { | ||
|  |                 if (reader.IsStartElement(dictionary.Version, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     cookieVersion = reader.ReadElementContentAsInt(); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.ContextId, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     cookieContextId = reader.ReadElementContentAsUniqueId(); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.Id, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     localId = reader.ReadElementContentAsString(); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.EffectiveTime, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     effectiveTime = new DateTime(XmlHelper.ReadElementContentAsInt64(reader), DateTimeKind.Utc); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.ExpiryTime, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     expiryTime = new DateTime(XmlHelper.ReadElementContentAsInt64(reader), DateTimeKind.Utc); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.Key, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     key = reader.ReadElementContentAsBase64(); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.KeyGeneration, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     keyGeneration = reader.ReadElementContentAsUniqueId(); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.KeyEffectiveTime, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     keyEffectiveTime = new DateTime(XmlHelper.ReadElementContentAsInt64(reader), DateTimeKind.Utc); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.KeyExpiryTime, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     keyExpirationTime = new DateTime(XmlHelper.ReadElementContentAsInt64(reader), DateTimeKind.Utc); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.Identities, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     identities = SctClaimSerializer.DeserializeIdentities(reader, dictionary, DataContractSerializerDefaults.CreateSerializer(typeof(IIdentity), this.knownTypes, int.MaxValue)); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.ClaimSets, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     reader.ReadStartElement(); | ||
|  | 
 | ||
|  |                     DataContractSerializer claimSetSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(ClaimSet), this.knownTypes, int.MaxValue); | ||
|  |                     DataContractSerializer claimSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(Claim), this.knownTypes, int.MaxValue); | ||
|  |                     claimSets = new List<ClaimSet>(1); | ||
|  |                     while (reader.IsStartElement()) | ||
|  |                     { | ||
|  |                         claimSets.Add(SctClaimSerializer.DeserializeClaimSet(reader, dictionary, claimSetSerializer, claimSerializer)); | ||
|  |                     } | ||
|  |                      | ||
|  |                     reader.ReadEndElement(); | ||
|  |                 } | ||
|  |                 else if (reader.IsStartElement(dictionary.IsCookieMode, dictionary.EmptyString)) | ||
|  |                 { | ||
|  |                     isCookie = reader.ReadElementString() == "1" ? true : false; | ||
|  |                 } | ||
|  |                 else | ||
|  |                 { | ||
|  |                     OnInvalidCookieFailure(SR.GetString(SR.SctCookieXmlParseError)); | ||
|  |                 } | ||
|  |             } | ||
|  |             reader.ReadEndElement(); | ||
|  |             if (cookieVersion != SupportedPersistanceVersion) | ||
|  |             { | ||
|  |                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.SerializedTokenVersionUnsupported, cookieVersion))); | ||
|  |             } | ||
|  |             if (cookieContextId == null) | ||
|  |             { | ||
|  |                 OnInvalidCookieFailure(SR.GetString(SR.SctCookieValueMissingOrIncorrect, "ContextId")); | ||
|  |             } | ||
|  |             if (key == null || key.Length == 0) | ||
|  |             { | ||
|  |                 OnInvalidCookieFailure(SR.GetString(SR.SctCookieValueMissingOrIncorrect, "Key")); | ||
|  |             } | ||
|  |             if (localId != id) | ||
|  |             { | ||
|  |                 OnInvalidCookieFailure(SR.GetString(SR.SctCookieValueMissingOrIncorrect, "Id")); | ||
|  |             } | ||
|  |             List<IAuthorizationPolicy> authorizationPolicies; | ||
|  |             if (claimSets != null) | ||
|  |             { | ||
|  |                 authorizationPolicies = new List<IAuthorizationPolicy>(1); | ||
|  |                 authorizationPolicies.Add(new SctUnconditionalPolicy(identities, claimSets, expiryTime)); | ||
|  |             } | ||
|  |             else | ||
|  |             { | ||
|  |                 authorizationPolicies = null; | ||
|  |             } | ||
|  |             return new SecurityContextSecurityToken(cookieContextId, localId, key, effectiveTime, expiryTime, | ||
|  |                 authorizationPolicies != null ? authorizationPolicies.AsReadOnly() : null, isCookie, cookieBlob, keyGeneration, keyEffectiveTime, keyExpirationTime); | ||
|  |         } | ||
|  | 
 | ||
|  |         public byte[] CreateCookieFromSecurityContext(UniqueId contextId, string id, byte[] key, DateTime tokenEffectiveTime, | ||
|  |             DateTime tokenExpirationTime, UniqueId keyGeneration, DateTime keyEffectiveTime, DateTime keyExpirationTime, | ||
|  |             ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies) | ||
|  |         { | ||
|  |             if (contextId == null) | ||
|  |             { | ||
|  |                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("contextId"); | ||
|  |             } | ||
|  | 
 | ||
|  |             if (key == null) | ||
|  |             { | ||
|  |                 throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("key"); | ||
|  |             } | ||
|  | 
 | ||
|  |             MemoryStream stream = new MemoryStream(); | ||
|  |             XmlDictionaryWriter writer = XmlDictionaryWriter.CreateBinaryWriter(stream, SctClaimDictionary.Instance, null); | ||
|  | 
 | ||
|  |             SctClaimDictionary dictionary = SctClaimDictionary.Instance; | ||
|  |             writer.WriteStartElement(dictionary.SecurityContextSecurityToken, dictionary.EmptyString); | ||
|  |             writer.WriteStartElement(dictionary.Version, dictionary.EmptyString); | ||
|  |             writer.WriteValue(SupportedPersistanceVersion); | ||
|  |             writer.WriteEndElement(); | ||
|  |             if (id != null) | ||
|  |                 writer.WriteElementString(dictionary.Id, dictionary.EmptyString, id); | ||
|  |             XmlHelper.WriteElementStringAsUniqueId(writer, dictionary.ContextId, dictionary.EmptyString, contextId); | ||
|  | 
 | ||
|  |             writer.WriteStartElement(dictionary.Key, dictionary.EmptyString); | ||
|  |             writer.WriteBase64(key, 0, key.Length); | ||
|  |             writer.WriteEndElement(); | ||
|  | 
 | ||
|  |             if (keyGeneration != null) | ||
|  |             { | ||
|  |                 XmlHelper.WriteElementStringAsUniqueId(writer, dictionary.KeyGeneration, dictionary.EmptyString, keyGeneration); | ||
|  |             } | ||
|  | 
 | ||
|  |             XmlHelper.WriteElementContentAsInt64(writer, dictionary.EffectiveTime, dictionary.EmptyString, tokenEffectiveTime.ToUniversalTime().Ticks); | ||
|  |             XmlHelper.WriteElementContentAsInt64(writer, dictionary.ExpiryTime, dictionary.EmptyString, tokenExpirationTime.ToUniversalTime().Ticks); | ||
|  |             XmlHelper.WriteElementContentAsInt64(writer, dictionary.KeyEffectiveTime, dictionary.EmptyString, keyEffectiveTime.ToUniversalTime().Ticks); | ||
|  |             XmlHelper.WriteElementContentAsInt64(writer, dictionary.KeyExpiryTime, dictionary.EmptyString, keyExpirationTime.ToUniversalTime().Ticks); | ||
|  | 
 | ||
|  |             AuthorizationContext authContext = null; | ||
|  |             if (authorizationPolicies != null) | ||
|  |                 authContext = AuthorizationContext.CreateDefaultAuthorizationContext(authorizationPolicies); | ||
|  | 
 | ||
|  |             if (authContext != null && authContext.ClaimSets.Count != 0) | ||
|  |             { | ||
|  |                 DataContractSerializer identitySerializer = DataContractSerializerDefaults.CreateSerializer(typeof(IIdentity), this.knownTypes, int.MaxValue); | ||
|  |                 DataContractSerializer claimSetSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(ClaimSet), this.knownTypes, int.MaxValue); | ||
|  |                 DataContractSerializer claimSerializer = DataContractSerializerDefaults.CreateSerializer(typeof(Claim), this.knownTypes, int.MaxValue); | ||
|  |                 SctClaimSerializer.SerializeIdentities(authContext, dictionary, writer, identitySerializer); | ||
|  | 
 | ||
|  |                 writer.WriteStartElement(dictionary.ClaimSets, dictionary.EmptyString); | ||
|  |                 for (int i = 0; i < authContext.ClaimSets.Count; i++) | ||
|  |                 { | ||
|  |                     SctClaimSerializer.SerializeClaimSet(authContext.ClaimSets[i], dictionary, writer, claimSetSerializer, claimSerializer); | ||
|  |                 } | ||
|  |                 writer.WriteEndElement(); | ||
|  |             } | ||
|  | 
 | ||
|  |             writer.WriteEndElement(); | ||
|  |             writer.Flush(); | ||
|  | 
 | ||
|  |             byte[] serializedContext = stream.ToArray(); | ||
|  |             return this.securityStateEncoder.EncodeSecurityState(serializedContext); | ||
|  |         } | ||
|  | 
 | ||
|  | 
 | ||
|  |         public SecurityContextSecurityToken CreateSecurityContextFromCookie(byte[] encodedCookie, UniqueId contextId, UniqueId generation, string id, XmlDictionaryReaderQuotas quotas) | ||
|  |         { | ||
|  |             byte[] cookie = null; | ||
|  | 
 | ||
|  |             try | ||
|  |             { | ||
|  |                 cookie = this.securityStateEncoder.DecodeSecurityState(encodedCookie); | ||
|  |             } | ||
|  |             catch (Exception e) | ||
|  |             { | ||
|  |                 if (Fx.IsFatal(e)) | ||
|  |                 { | ||
|  |                     throw; | ||
|  |                 } | ||
|  |                 OnInvalidCookieFailure(SR.GetString(SR.SctCookieBlobDecodeFailure), e); | ||
|  |             } | ||
|  |             SecurityContextSecurityToken sct = DeserializeContext(cookie, encodedCookie, id, quotas); | ||
|  |             if (sct.ContextId != contextId) | ||
|  |             { | ||
|  |                 OnInvalidCookieFailure(SR.GetString(SR.SctCookieValueMissingOrIncorrect, "ContextId")); | ||
|  |             } | ||
|  |             if (sct.KeyGeneration != generation) | ||
|  |             { | ||
|  |                 OnInvalidCookieFailure(SR.GetString(SR.SctCookieValueMissingOrIncorrect, "KeyGeneration")); | ||
|  |             } | ||
|  | 
 | ||
|  |             return sct; | ||
|  |         } | ||
|  |          | ||
|  |         internal static void OnInvalidCookieFailure(string reason) | ||
|  |         { | ||
|  |             OnInvalidCookieFailure(reason, null); | ||
|  |         } | ||
|  | 
 | ||
|  |         internal static void OnInvalidCookieFailure(string reason, Exception e) | ||
|  |         { | ||
|  |             throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.InvalidSecurityContextCookie, reason), e)); | ||
|  |         } | ||
|  | 
 | ||
|  |         class SctUnconditionalPolicy : IAuthorizationPolicy | ||
|  |         { | ||
|  |             SecurityUniqueId id = SecurityUniqueId.Create(); | ||
|  |             IList<IIdentity> identities;  | ||
|  |             IList<ClaimSet> claimSets; | ||
|  |             DateTime expirationTime; | ||
|  | 
 | ||
|  |             public SctUnconditionalPolicy(IList<IIdentity> identities, IList<ClaimSet> claimSets, DateTime expirationTime) | ||
|  |             { | ||
|  |                 this.identities = identities; | ||
|  |                 this.claimSets = claimSets; | ||
|  |                 this.expirationTime = expirationTime; | ||
|  |             } | ||
|  | 
 | ||
|  |             public string Id | ||
|  |             { | ||
|  |                 get { return this.id.Value; } | ||
|  |             } | ||
|  | 
 | ||
|  |             public ClaimSet Issuer  | ||
|  |             {  | ||
|  |                 get { return ClaimSet.System; }  | ||
|  |             } | ||
|  | 
 | ||
|  |             public bool Evaluate(EvaluationContext evaluationContext, ref object state) | ||
|  |             { | ||
|  |                 for (int i = 0; i < this.claimSets.Count; ++i) | ||
|  |                 { | ||
|  |                     evaluationContext.AddClaimSet(this, this.claimSets[i]); | ||
|  |                 } | ||
|  | 
 | ||
|  |                 if (this.identities != null) | ||
|  |                 { | ||
|  |                     object obj; | ||
|  |                     if (!evaluationContext.Properties.TryGetValue(SecurityUtils.Identities, out obj)) | ||
|  |                     { | ||
|  |                         evaluationContext.Properties.Add(SecurityUtils.Identities, this.identities); | ||
|  |                     } | ||
|  |                     else | ||
|  |                     { | ||
|  |                         // null if other overrides the property with something else | ||
|  |                         List<IIdentity> dstIdentities = obj as List<IIdentity>; | ||
|  |                         if (dstIdentities != null) | ||
|  |                         { | ||
|  |                             dstIdentities.AddRange(this.identities); | ||
|  |                         } | ||
|  |                     } | ||
|  |                 } | ||
|  |                 evaluationContext.RecordExpirationTime(this.expirationTime); | ||
|  |                 return true; | ||
|  |             } | ||
|  |         } | ||
|  |     } | ||
|  | } |