512 lines
21 KiB
C#
Raw Normal View History

//------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------------------------
namespace System.ServiceModel.Security
{
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Runtime;
using System.Runtime.InteropServices;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using IM = System.IdentityModel;
/// <summary>
/// A <see cref="ChannelFactory" /> that produces <see cref="WSTrustChannel" /> objects used to
/// communicate to a WS-Trust endpoint.
/// </summary>
[ComVisible(false)]
public class WSTrustChannelFactory : ChannelFactory<IWSTrustChannelContract>
{
//
// NOTE: The properties on this class are designed to facilitate ease of use of the component and
// to reduce the complexity of the constructors. The base class already gifts us with 8 constructor
// overloads.
//
// Therefore, it is advisable that the fields *not* be used unless absolutely required.
//
/// <summary>
/// These fields represent the property values that are "locked down" once the first channel is created.
/// </summary>
class WSTrustChannelLockedProperties
{
public TrustVersion TrustVersion;
public WSTrustSerializationContext Context;
public WSTrustRequestSerializer RequestSerializer;
public WSTrustResponseSerializer ResponseSerializer;
}
//
// Once we create a channel, our properties can be locked down.
//
object _factoryLock = new object();
bool _locked = false;
WSTrustChannelLockedProperties _lockedProperties;
//
// The TrustVersion property can be set to an instance of TrustVersion.WSTrust13 or TrustVersion.WSTrustFeb2005
// to generate the built-in serializers for these trust namespaces.
//
TrustVersion _trustVersion;
//
// These fields contain the values used to construct the WSTrustSerializationContext used by the channels
// we generate.
//
// _securityTokenResolver and _useKeyTokenResolver imply special behavior if they are null; however,
// _securityTokenHandlerCollectionManager is not permitted to be null.
//
SecurityTokenResolver _securityTokenResolver;
SecurityTokenResolver _useKeyTokenResolver;
SecurityTokenHandlerCollectionManager _securityTokenHandlerCollectionManager
= SecurityTokenHandlerCollectionManager.CreateDefaultSecurityTokenHandlerCollectionManager();
//
// These serializers determine how the channels serialize RST and RSTR messages.
//
WSTrustRequestSerializer _wsTrustRequestSerializer;
WSTrustResponseSerializer _wsTrustResponseSerializer;
/// <summary>
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class.
/// </summary>
public WSTrustChannelFactory()
: base()
{
}
/// <summary>
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified endpoint
/// configuration name.
/// </summary>
/// <param name="endpointConfigurationName">The configuration name used for the endpoint.</param>
public WSTrustChannelFactory(string endpointConfigurationName)
: base(endpointConfigurationName)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class.
/// </summary>
/// <param name="binding">The <see cref="Binding" /> specified for the channels produced by the factory</param>
public WSTrustChannelFactory(Binding binding)
: base(binding)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified endpoint.
/// </summary>
/// <param name="endpoint">The <see cref="ServiceEndpoint" />for the channels produced by the factory.</param>
public WSTrustChannelFactory(ServiceEndpoint endpoint)
: base(endpoint)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class associated with a specified
/// name for the endpoint configuration and remote address.
/// </summary>
/// <param name="endpointConfigurationName">The configuration name used for the endpoint.</param>
/// <param name="remoteAddress">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
public WSTrustChannelFactory(string endpointConfigurationName, EndpointAddress remoteAddress)
: base(endpointConfigurationName, remoteAddress)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified binding
/// and endpoint address.
/// </summary>
/// <param name="binding">The <see cref="Binding" /> specified for the channels produced by the factory</param>
/// <param name="remoteAddress">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
public WSTrustChannelFactory(Binding binding, EndpointAddress remoteAddress)
: base(binding, remoteAddress)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified binding
/// and remote address.
/// </summary>
/// <param name="binding">The <see cref="Binding" /> specified for the channels produced by the factory</param>
/// <param name="remoteAddress">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
public WSTrustChannelFactory(Binding binding, string remoteAddress)
: base(binding, remoteAddress)
{
}
/// <summary>
/// Gets or sets the version of WS-Trust the created channels will use for serializing messages.
/// </summary>
/// <remarks>
/// <para>If this property is not set, created channels will use the <see cref="TrustVersion" /> set on any
/// <see cref="SecurityBindingElement" /> found on the channel factory's Endpoint object if one exists.
/// </para>
/// <para>This class will not support changing the value of this property after a channel is created.</para>
/// </remarks>
public TrustVersion TrustVersion
{
get
{
return _trustVersion;
}
set
{
lock (_factoryLock)
{
if (_locked)
{
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
}
_trustVersion = value;
}
}
}
/// <summary>
/// Gets or sets the <see cref="SecurityTokenHandlerCollectionManager" /> containing the set of
/// <see cref="SecurityTokenHandler" /> objects used by created channels for serializing and validating
/// tokens found in WS-Trust messages.
/// </summary>
/// <remarks>
/// This class will not support changing the value of this property after a channel is created.
/// </remarks>
public SecurityTokenHandlerCollectionManager SecurityTokenHandlerCollectionManager
{
get
{
return _securityTokenHandlerCollectionManager;
}
set
{
if (value == null)
{
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
}
lock (_factoryLock)
{
if (_locked)
{
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
}
_securityTokenHandlerCollectionManager = value;
}
}
}
/// <summary>
/// Gets or sets the <see cref="SecurityTokenResolver"/> used to resolve security token references found in most
/// elements of WS-Trust messages.
/// </summary>
/// <remarks>
/// <para>
/// If this property is not set created channels will use the ClientCertificate set on the factory's
/// Endpoint's ClientCredentials behavior to create a resolver. If no such certificate is found, an empty
/// resolver is used.
/// </para>
/// <para>
/// This class will not support changing the value of this property after a channel is created.
/// </para>
/// </remarks>
public SecurityTokenResolver SecurityTokenResolver
{
get
{
return _securityTokenResolver;
}
set
{
lock (_factoryLock)
{
if (_locked)
{
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
}
_securityTokenResolver = value;
}
}
}
/// <summary>
/// The <see cref="SecurityTokenResolver"/> used to resolve security token references found in the
/// UseKey element of RST messages as well as the RenewTarget element found in RST messages.
/// </summary>
/// <remarks>
/// <para>
/// If this property is not set an empty resolver is used.
/// </para>
/// <para>
/// This class will not support changing the value of this property after a channel is created.
/// </para>
/// </remarks>
public SecurityTokenResolver UseKeyTokenResolver
{
get
{
return _useKeyTokenResolver;
}
set
{
lock (_factoryLock)
{
if (_locked)
{
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
}
_useKeyTokenResolver = value;
}
}
}
/// <summary>
/// Gets or sets the WSTrustRequestSerializer to use for serializing RequestSecurityTokens messages.
/// </summary>
/// <remarks>
/// <para>
/// If this property is not set, either <see cref="WSTrust13RequestSerializer" /> or
/// <see cref="WSTrustFeb2005RequestSerializer" /> will be used. The serializer will correspond to the
/// version of WS-Trust indicated by the <see cref="TrustVersion" /> property.
/// </para>
/// <para>
/// This class will not support changing the value of this property after a channel is created.
/// </para>
/// </remarks>
public WSTrustRequestSerializer WSTrustRequestSerializer
{
get
{
return _wsTrustRequestSerializer;
}
set
{
lock (_factoryLock)
{
if (_locked)
{
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
}
_wsTrustRequestSerializer = value;
}
}
}
/// <summary>
/// Gets or sets the WSTrustResponseSerializer to use for serializing RequestSecurityTokensResponse messages.
/// </summary>
/// <remarks>
/// <para>
/// If this property is not set, either <see cref="WSTrust13ResponseSerializer" /> or
/// <see cref="WSTrustFeb2005ResponseSerializer" /> will be used. The serializer will correspond to the
/// version of WS-Trust indicated by the <see cref="TrustVersion" /> property.
/// </para>
/// <para>
/// This class will not support changing the value of this property after a channel is created.
/// </para>
/// </remarks>
public WSTrustResponseSerializer WSTrustResponseSerializer
{
get
{
return _wsTrustResponseSerializer;
}
set
{
lock (_factoryLock)
{
if (_locked)
{
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
}
_wsTrustResponseSerializer = value;
}
}
}
/// <summary>
/// Creates a <see cref="WSTrustChannel" /> that is used to send messages to a service at a specific
/// endpoint address through a specified transport address.
/// </summary>
/// <param name="address">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
/// <param name="via">The <see cref="Uri" /> that contains the transport address to which the channel sends messages.</param>
/// <returns></returns>
public override IWSTrustChannelContract CreateChannel(EndpointAddress address, Uri via)
{
IWSTrustChannelContract innerChannel = base.CreateChannel(address, via);
WSTrustChannelLockedProperties lockedProperties = GetLockedProperties();
return CreateTrustChannel(innerChannel,
lockedProperties.TrustVersion,
lockedProperties.Context,
lockedProperties.RequestSerializer,
lockedProperties.ResponseSerializer);
}
/// <summary>
/// Creates a <see cref="WSTrustChannel" /> using parameters that reflect the configuration of
/// this factory.
/// </summary>
/// <param name="innerChannel">The channel created by the base class capable of sending and
/// receiving messages.</param>
/// <param name="trustVersion">The version of WS-Trust that should be used.</param>
/// <param name="context">
/// The <see cref="WSTrustSerializationContext" /> that should be used to serialize WS-Trust messages.
/// </param>
/// <param name="requestSerializer">
/// The <see cref="WSTrustRequestSerializer" /> that should be used to serialize WS-Trust request messages.
/// </param>
/// <param name="responseSerializer">
/// The <see cref="WSTrustResponseSerializer" /> that should be used to serialize WS-Trust response messages.
/// </param>
/// <returns></returns>
protected virtual WSTrustChannel CreateTrustChannel(IWSTrustChannelContract innerChannel,
TrustVersion trustVersion,
WSTrustSerializationContext context,
WSTrustRequestSerializer requestSerializer,
WSTrustResponseSerializer responseSerializer)
{
return new WSTrustChannel(this, innerChannel, trustVersion, context, requestSerializer, responseSerializer);
}
private WSTrustChannelLockedProperties GetLockedProperties()
{
lock (_factoryLock)
{
if (_lockedProperties == null)
{
WSTrustChannelLockedProperties tmpLockedProperties = new WSTrustChannelLockedProperties();
tmpLockedProperties.TrustVersion = GetTrustVersion();
tmpLockedProperties.Context = CreateSerializationContext();
tmpLockedProperties.RequestSerializer = GetRequestSerializer(tmpLockedProperties.TrustVersion);
tmpLockedProperties.ResponseSerializer = GetResponseSerializer(tmpLockedProperties.TrustVersion);
_lockedProperties = tmpLockedProperties;
_locked = true;
}
return _lockedProperties;
}
}
private WSTrustRequestSerializer GetRequestSerializer(TrustVersion trustVersion)
{
Fx.Assert(trustVersion != null, "trustVersion != null");
if (_wsTrustRequestSerializer != null)
{
return _wsTrustRequestSerializer;
}
if (trustVersion == TrustVersion.WSTrust13)
{
return new WSTrust13RequestSerializer();
}
else if (trustVersion == TrustVersion.WSTrustFeb2005)
{
return new WSTrustFeb2005RequestSerializer();
}
else
{
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperError( new NotSupportedException(SR.GetString(SR.ID3137, trustVersion.ToString())));
}
}
private WSTrustResponseSerializer GetResponseSerializer(TrustVersion trustVersion)
{
Fx.Assert(trustVersion != null, "trustVersion != null");
if (_wsTrustResponseSerializer != null)
{
return _wsTrustResponseSerializer;
}
if (trustVersion == TrustVersion.WSTrust13)
{
return new WSTrust13ResponseSerializer();
}
else if (trustVersion == TrustVersion.WSTrustFeb2005)
{
return new WSTrustFeb2005ResponseSerializer();
}
else
{
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.ID3137, trustVersion.ToString())));
}
}
private TrustVersion GetTrustVersion()
{
TrustVersion trustVersion = _trustVersion;
if (trustVersion == null)
{
BindingElementCollection elements = Endpoint.Binding.CreateBindingElements();
SecurityBindingElement sbe = elements.Find<SecurityBindingElement>();
if (null == sbe)
{
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException( SR.GetString(SR.ID3269)));
}
trustVersion = sbe.MessageSecurityVersion.TrustVersion;
}
return trustVersion;
}
/// <summary>
/// Creates a <see cref="WSTrustSerializationContext" /> used by <see cref="WSTrustChannel" /> objects created
/// by this factory.
/// </summary>
/// <remarks>
/// <para>
/// If <see cref="WSTrustChannelFactory.SecurityTokenResolver" /> is set to null, the
/// ClientCertificate set on the factory's Endpoint's ClientCredentials behavior will be used to
/// create a resolver. If no such certificate is found, an empty resolver is used.
/// </para>
/// <para>
/// If <see cref="WSTrustChannelFactory.UseKeyTokenResolver" /> is set to null, an empty resolver
/// will be used.
/// </para>
/// </remarks>
/// <returns>A WSTrustSerializationContext initialized with the trust client's properties.</returns>
protected virtual WSTrustSerializationContext CreateSerializationContext()
{
//
// Create a resolver with the ClientCredential's ClientCertificate if a resolver is not set.
//
SecurityTokenResolver resolver = _securityTokenResolver;
if (resolver == null)
{
ClientCredentials factoryCredentials = Credentials;
if (null != factoryCredentials.ClientCertificate && null != factoryCredentials.ClientCertificate.Certificate)
{
List<SecurityToken> clientCredentialTokens = new List<SecurityToken>();
clientCredentialTokens.Add(new X509SecurityToken(factoryCredentials.ClientCertificate.Certificate));
resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(clientCredentialTokens.AsReadOnly(), false);
}
}
//
// If it is _still_ null, then make it empty.
//
if (resolver == null)
{
resolver = EmptySecurityTokenResolver.Instance;
}
//
// UseKeyTokenResolver is empty if null.
//
SecurityTokenResolver useKeyResolver = _useKeyTokenResolver ?? EmptySecurityTokenResolver.Instance;
return new WSTrustSerializationContext(_securityTokenHandlerCollectionManager, resolver, useKeyResolver);
}
}
}