//------------------------------------------------------------------------------
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
//------------------------------------------------------------------------------
/*
* RolePrincipal
*
* Copyright (c) 2002 Microsoft Corporation
*/
namespace System.Web.Security {
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Diagnostics.CodeAnalysis;
using System.Globalization;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Claims;
using System.Security.Permissions;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Hosting;
using System.Web.Security.Cryptography;
using System.Web.Util;
[Serializable]
public class RolePrincipal : ClaimsPrincipal, ISerializable
{
[NonSerialized]
static Type s_type;
public RolePrincipal(IIdentity identity, string encryptedTicket)
{
if (identity == null)
throw new ArgumentNullException( "identity" );
if (encryptedTicket == null)
throw new ArgumentNullException( "encryptedTicket" );
_Identity = identity;
_ProviderName = Roles.Provider.Name;
if (identity.IsAuthenticated)
InitFromEncryptedTicket(encryptedTicket);
else
Init();
}
public RolePrincipal(IIdentity identity)
{
if (identity == null)
throw new ArgumentNullException( "identity" );
_Identity = identity;
Init();
}
public RolePrincipal(string providerName, IIdentity identity )
{
if (identity == null)
throw new ArgumentNullException( "identity" );
if( providerName == null)
throw new ArgumentException( SR.GetString(SR.Role_provider_name_invalid) , "providerName" );
_ProviderName = providerName;
if (Roles.Providers[providerName] == null)
throw new ArgumentException(SR.GetString(SR.Role_provider_name_invalid), "providerName");
_Identity = identity;
Init();
}
public RolePrincipal(string providerName, IIdentity identity, string encryptedTicket )
{
if (identity == null)
throw new ArgumentNullException( "identity" );
if (encryptedTicket == null)
throw new ArgumentNullException( "encryptedTicket" );
if( providerName == null)
throw new ArgumentException( SR.GetString(SR.Role_provider_name_invalid) , "providerName" );
_ProviderName = providerName;
if (Roles.Providers[_ProviderName] == null)
throw new ArgumentException(SR.GetString(SR.Role_provider_name_invalid), "providerName");
_Identity = identity;
if (identity.IsAuthenticated)
InitFromEncryptedTicket(encryptedTicket);
else
Init();
}
private void InitFromEncryptedTicket( string encryptedTicket )
{
if (HostingEnvironment.IsHosted && EtwTrace.IsTraceEnabled(EtwTraceLevel.Information, EtwTraceFlags.AppSvc) && HttpContext.Current != null)
EtwTrace.Trace(EtwTraceType.ETW_TYPE_ROLE_BEGIN, HttpContext.Current.WorkerRequest);
if (string.IsNullOrEmpty(encryptedTicket))
goto Exit;
byte[] bTicket = CookieProtectionHelper.Decode(Roles.CookieProtectionValue, encryptedTicket, Purpose.RolePrincipal_Ticket);
if (bTicket == null)
goto Exit;
RolePrincipal rp = null;
MemoryStream ms = null;
try{
ms = new System.IO.MemoryStream(bTicket);
rp = (new BinaryFormatter()).Deserialize(ms) as RolePrincipal;
} catch {
} finally {
ms.Close();
}
if (rp == null)
goto Exit;
if (!StringUtil.EqualsIgnoreCase(rp._Username, _Identity.Name))
goto Exit;
if (!StringUtil.EqualsIgnoreCase(rp._ProviderName, _ProviderName))
goto Exit;
if (DateTime.UtcNow > rp._ExpireDate)
goto Exit;
_Version = rp._Version;
_ExpireDate = rp._ExpireDate;
_IssueDate = rp._IssueDate;
_IsRoleListCached = rp._IsRoleListCached;
_CachedListChanged = false;
_Username = rp._Username;
_Roles = rp._Roles;
// will it be the case that _Identity.Name != _Username?
RenewIfOld();
if (HostingEnvironment.IsHosted && EtwTrace.IsTraceEnabled(EtwTraceLevel.Information, EtwTraceFlags.AppSvc) && HttpContext.Current != null)
EtwTrace.Trace( EtwTraceType.ETW_TYPE_ROLE_END, HttpContext.Current.WorkerRequest, "RolePrincipal", _Identity.Name);
return;
Exit:
Init();
_CachedListChanged = true;
if (HostingEnvironment.IsHosted && EtwTrace.IsTraceEnabled(EtwTraceLevel.Information, EtwTraceFlags.AppSvc) && HttpContext.Current != null)
EtwTrace.Trace(EtwTraceType.ETW_TYPE_ROLE_END, HttpContext.Current.WorkerRequest, "RolePrincipal", _Identity.Name);
return;
}
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
private void Init() {
_Version = 1;
_IssueDate = DateTime.UtcNow;
_ExpireDate = DateTime.UtcNow.AddMinutes(Roles.CookieTimeout);
//_CookiePath = Roles.CookiePath;
_IsRoleListCached = false;
_CachedListChanged = false;
if (_ProviderName == null)
_ProviderName = Roles.Provider.Name;
if (_Roles == null)
_Roles = new HybridDictionary(true);
if (_Identity != null)
_Username = _Identity.Name;
AddIdentityAttachingRoles(_Identity);
}
///
/// helper method to bind roles with an identity.
///
[SecuritySafeCritical]
void AddIdentityAttachingRoles(IIdentity identity)
{
ClaimsIdentity claimsIdentity = null;
if (identity is ClaimsIdentity)
{
claimsIdentity = (identity as ClaimsIdentity).Clone();
}
else
{
claimsIdentity = new ClaimsIdentity(identity);
}
AttachRoleClaims(claimsIdentity);
base.AddIdentity(claimsIdentity);
}
[SecuritySafeCritical]
void AttachRoleClaims(ClaimsIdentity claimsIdentity)
{
RoleClaimProvider claimProvider = new RoleClaimProvider(this, claimsIdentity);
if (s_type == null)
{
s_type = typeof(DynamicRoleClaimProvider);
}
s_type.InvokeMember("AddDynamicRoleClaims", BindingFlags.InvokeMethod | BindingFlags.Public | BindingFlags.Static, null, null, new object[] { claimsIdentity, claimProvider.Claims }, CultureInfo.InvariantCulture);
}
////////////////////////////////////////////////////////////
// Public properties
public int Version { get { return _Version;}}
public DateTime ExpireDate { get { return _ExpireDate.ToLocalTime();}}
public DateTime IssueDate { get { return _IssueDate.ToLocalTime();}}
// DevDiv Bugs: 9446
// Expired should check against DateTime.UtcNow instead of DateTime.Now because
// _ExpireData is a Utc DateTime.
public bool Expired { get { return _ExpireDate < DateTime.UtcNow;}}
public String CookiePath { get { return Roles.CookiePath;}} //
public override IIdentity Identity { get { return _Identity; }}
public bool IsRoleListCached { get { return _IsRoleListCached; }}
public bool CachedListChanged { get { return _CachedListChanged; }}
public string ProviderName { get { return _ProviderName; } }
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
// Public functions
[SecurityPermission(SecurityAction.Assert, Flags = SecurityPermissionFlag.SerializationFormatter)]
public string ToEncryptedTicket()
{
if (!Roles.Enabled)
return null;
if (_Identity != null && !_Identity.IsAuthenticated)
return null;
if (_Identity == null && string.IsNullOrEmpty(_Username))
return null;
if (_Roles.Count > Roles.MaxCachedResults)
return null;
MemoryStream ms = new System.IO.MemoryStream();
byte[] buf = null;
IIdentity id = _Identity;
try {
_Identity = null;
BinaryFormatter bf = new BinaryFormatter();
bool originalSerializingForCookieValue = _serializingForCookie;
try {
// DevDiv 481327: ClaimsPrincipal is an expensive type to serialize and deserialize. If the developer is using
// role management, then he is going to be querying regular ASP.NET membership roles rather than claims, so
// we can cut back on the number of bytes sent across the wire by ignoring any claims in the underlying
// identity. Otherwise we risk sending a cookie too large for the browser to handle.
_serializingForCookie = true;
bf.Serialize(ms, this);
}
finally {
_serializingForCookie = originalSerializingForCookieValue;
}
buf = ms.ToArray();
} finally {
ms.Close();
_Identity = id;
}
return CookieProtectionHelper.Encode(Roles.CookieProtectionValue, buf, Purpose.RolePrincipal_Ticket);
}
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
private void RenewIfOld() {
if (!Roles.CookieSlidingExpiration)
return;
DateTime dtN = DateTime.UtcNow;
TimeSpan t1 = dtN - _IssueDate;
TimeSpan t2 = _ExpireDate - dtN;
if (t2 > t1)
return;
_ExpireDate = dtN + (_ExpireDate - _IssueDate);
_IssueDate = dtN;
_CachedListChanged = true;
}
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
public string[] GetRoles()
{
if (_Identity == null)
throw new ProviderException(SR.GetString(SR.Role_Principal_not_fully_constructed));
if (!_Identity.IsAuthenticated)
return new string[0];
string[] roles;
if (!_IsRoleListCached || !_GetRolesCalled) {
_Roles.Clear();
roles = Roles.Providers[_ProviderName].GetRolesForUser(Identity.Name);
foreach (string role in roles)
if (_Roles[role] == null)
_Roles.Add(role, String.Empty);
_IsRoleListCached = true;
_CachedListChanged = true;
_GetRolesCalled = true;
return roles;
} else {
roles = new string[_Roles.Count];
int index = 0;
foreach (string role in _Roles.Keys)
roles[index++] = role;
return roles;
}
}
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
public override bool IsInRole(string role)
{
if (_Identity == null)
throw new ProviderException(SR.GetString(SR.Role_Principal_not_fully_constructed));
if (!_Identity.IsAuthenticated || role == null)
return false;
role = role.Trim();
if (!IsRoleListCached) {
_Roles.Clear();
string[] roles = Roles.Providers[_ProviderName].GetRolesForUser(Identity.Name);
foreach(string roleTemp in roles)
if (_Roles[roleTemp] == null)
_Roles.Add(roleTemp, String.Empty);
_IsRoleListCached = true;
_CachedListChanged = true;
}
if (_Roles[role] != null)
return true;
//
return base.IsInRole(role);
}
public void SetDirty()
{
_IsRoleListCached = false;
_CachedListChanged = true;
}
protected RolePrincipal(SerializationInfo info, StreamingContext context)
:base(info, context)
{
_Version = info.GetInt32("_Version");
_ExpireDate = info.GetDateTime("_ExpireDate");
_IssueDate = info.GetDateTime("_IssueDate");
try {
_Identity = info.GetValue("_Identity", typeof(IIdentity)) as IIdentity;
} catch { } // Ignore Exceptions
_ProviderName = info.GetString("_ProviderName");
_Username = info.GetString("_Username");
_IsRoleListCached = info.GetBoolean("_IsRoleListCached");
_Roles = new HybridDictionary(true);
string allRoles = info.GetString("_AllRoles");
if (allRoles != null) {
foreach(string role in allRoles.Split(new char[] {','}))
if (_Roles[role] == null)
_Roles.Add(role, String.Empty);
}
// attach ourselves to the first valid claimsIdentity.
bool found = false;
foreach (var claimsIdentity in base.Identities)
{
if (claimsIdentity != null)
{
AttachRoleClaims(claimsIdentity);
found = true;
break;
}
}
if (!found)
{
AddIdentityAttachingRoles(new ClaimsIdentity(_Identity));
}
}
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
{
GetObjectData(info, context);
}
protected override void GetObjectData(SerializationInfo info, StreamingContext context)
{
if (!_serializingForCookie) {
base.GetObjectData(info, context);
}
info.AddValue("_Version", _Version);
info.AddValue("_ExpireDate", _ExpireDate);
info.AddValue("_IssueDate", _IssueDate);
try {
info.AddValue("_Identity", _Identity);
} catch { } // Ignore Exceptions
info.AddValue("_ProviderName", _ProviderName);
info.AddValue("_Username", _Identity == null ? _Username : _Identity.Name);
info.AddValue("_IsRoleListCached", _IsRoleListCached);
if (_Roles.Count > 0) {
StringBuilder sb = new StringBuilder(_Roles.Count * 10);
foreach(object role in _Roles.Keys)
sb.Append(((string)role) + ",");
string allRoles = sb.ToString();
info.AddValue("_AllRoles", allRoles.Substring(0, allRoles.Length - 1));
} else {
info.AddValue("_AllRoles", String.Empty);
}
}
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
private int _Version;
private DateTime _ExpireDate;
private DateTime _IssueDate;
private IIdentity _Identity;
private string _ProviderName;
private string _Username;
private bool _IsRoleListCached;
private bool _CachedListChanged;
[ThreadStatic]
private static bool _serializingForCookie;
[NonSerialized]
private HybridDictionary _Roles = null;
[NonSerialized]
private bool _GetRolesCalled;
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////
}
}