512 lines
21 KiB
C#
512 lines
21 KiB
C#
//------------------------------------------------------------------------------
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
|
//------------------------------------------------------------------------------
|
|
|
|
namespace System.ServiceModel.Security
|
|
{
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Diagnostics;
|
|
using System.IdentityModel.Protocols.WSTrust;
|
|
using System.IdentityModel.Selectors;
|
|
using System.IdentityModel.Tokens;
|
|
using System.Runtime;
|
|
using System.Runtime.InteropServices;
|
|
using System.ServiceModel;
|
|
using System.ServiceModel.Channels;
|
|
using System.ServiceModel.Description;
|
|
using IM = System.IdentityModel;
|
|
|
|
/// <summary>
|
|
/// A <see cref="ChannelFactory" /> that produces <see cref="WSTrustChannel" /> objects used to
|
|
/// communicate to a WS-Trust endpoint.
|
|
/// </summary>
|
|
[ComVisible(false)]
|
|
public class WSTrustChannelFactory : ChannelFactory<IWSTrustChannelContract>
|
|
{
|
|
//
|
|
// NOTE: The properties on this class are designed to facilitate ease of use of the component and
|
|
// to reduce the complexity of the constructors. The base class already gifts us with 8 constructor
|
|
// overloads.
|
|
//
|
|
// Therefore, it is advisable that the fields *not* be used unless absolutely required.
|
|
//
|
|
|
|
/// <summary>
|
|
/// These fields represent the property values that are "locked down" once the first channel is created.
|
|
/// </summary>
|
|
class WSTrustChannelLockedProperties
|
|
{
|
|
public TrustVersion TrustVersion;
|
|
public WSTrustSerializationContext Context;
|
|
public WSTrustRequestSerializer RequestSerializer;
|
|
public WSTrustResponseSerializer ResponseSerializer;
|
|
}
|
|
|
|
//
|
|
// Once we create a channel, our properties can be locked down.
|
|
//
|
|
object _factoryLock = new object();
|
|
bool _locked = false;
|
|
WSTrustChannelLockedProperties _lockedProperties;
|
|
|
|
//
|
|
// The TrustVersion property can be set to an instance of TrustVersion.WSTrust13 or TrustVersion.WSTrustFeb2005
|
|
// to generate the built-in serializers for these trust namespaces.
|
|
//
|
|
TrustVersion _trustVersion;
|
|
|
|
//
|
|
// These fields contain the values used to construct the WSTrustSerializationContext used by the channels
|
|
// we generate.
|
|
//
|
|
// _securityTokenResolver and _useKeyTokenResolver imply special behavior if they are null; however,
|
|
// _securityTokenHandlerCollectionManager is not permitted to be null.
|
|
//
|
|
SecurityTokenResolver _securityTokenResolver;
|
|
SecurityTokenResolver _useKeyTokenResolver;
|
|
SecurityTokenHandlerCollectionManager _securityTokenHandlerCollectionManager
|
|
= SecurityTokenHandlerCollectionManager.CreateDefaultSecurityTokenHandlerCollectionManager();
|
|
|
|
//
|
|
// These serializers determine how the channels serialize RST and RSTR messages.
|
|
//
|
|
WSTrustRequestSerializer _wsTrustRequestSerializer;
|
|
WSTrustResponseSerializer _wsTrustResponseSerializer;
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class.
|
|
/// </summary>
|
|
public WSTrustChannelFactory()
|
|
: base()
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified endpoint
|
|
/// configuration name.
|
|
/// </summary>
|
|
/// <param name="endpointConfigurationName">The configuration name used for the endpoint.</param>
|
|
public WSTrustChannelFactory(string endpointConfigurationName)
|
|
: base(endpointConfigurationName)
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class.
|
|
/// </summary>
|
|
/// <param name="binding">The <see cref="Binding" /> specified for the channels produced by the factory</param>
|
|
public WSTrustChannelFactory(Binding binding)
|
|
: base(binding)
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified endpoint.
|
|
/// </summary>
|
|
/// <param name="endpoint">The <see cref="ServiceEndpoint" />for the channels produced by the factory.</param>
|
|
public WSTrustChannelFactory(ServiceEndpoint endpoint)
|
|
: base(endpoint)
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class associated with a specified
|
|
/// name for the endpoint configuration and remote address.
|
|
/// </summary>
|
|
/// <param name="endpointConfigurationName">The configuration name used for the endpoint.</param>
|
|
/// <param name="remoteAddress">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
|
|
public WSTrustChannelFactory(string endpointConfigurationName, EndpointAddress remoteAddress)
|
|
: base(endpointConfigurationName, remoteAddress)
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified binding
|
|
/// and endpoint address.
|
|
/// </summary>
|
|
/// <param name="binding">The <see cref="Binding" /> specified for the channels produced by the factory</param>
|
|
/// <param name="remoteAddress">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
|
|
public WSTrustChannelFactory(Binding binding, EndpointAddress remoteAddress)
|
|
: base(binding, remoteAddress)
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="WSTrustChannelFactory" /> class with a specified binding
|
|
/// and remote address.
|
|
/// </summary>
|
|
/// <param name="binding">The <see cref="Binding" /> specified for the channels produced by the factory</param>
|
|
/// <param name="remoteAddress">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
|
|
public WSTrustChannelFactory(Binding binding, string remoteAddress)
|
|
: base(binding, remoteAddress)
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Gets or sets the version of WS-Trust the created channels will use for serializing messages.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>If this property is not set, created channels will use the <see cref="TrustVersion" /> set on any
|
|
/// <see cref="SecurityBindingElement" /> found on the channel factory's Endpoint object if one exists.
|
|
/// </para>
|
|
/// <para>This class will not support changing the value of this property after a channel is created.</para>
|
|
/// </remarks>
|
|
public TrustVersion TrustVersion
|
|
{
|
|
get
|
|
{
|
|
return _trustVersion;
|
|
}
|
|
set
|
|
{
|
|
lock (_factoryLock)
|
|
{
|
|
if (_locked)
|
|
{
|
|
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
|
|
}
|
|
_trustVersion = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Gets or sets the <see cref="SecurityTokenHandlerCollectionManager" /> containing the set of
|
|
/// <see cref="SecurityTokenHandler" /> objects used by created channels for serializing and validating
|
|
/// tokens found in WS-Trust messages.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// This class will not support changing the value of this property after a channel is created.
|
|
/// </remarks>
|
|
public SecurityTokenHandlerCollectionManager SecurityTokenHandlerCollectionManager
|
|
{
|
|
get
|
|
{
|
|
return _securityTokenHandlerCollectionManager;
|
|
}
|
|
set
|
|
{
|
|
if (value == null)
|
|
{
|
|
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
|
|
}
|
|
|
|
lock (_factoryLock)
|
|
{
|
|
if (_locked)
|
|
{
|
|
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
|
|
}
|
|
_securityTokenHandlerCollectionManager = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Gets or sets the <see cref="SecurityTokenResolver"/> used to resolve security token references found in most
|
|
/// elements of WS-Trust messages.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// If this property is not set created channels will use the ClientCertificate set on the factory's
|
|
/// Endpoint's ClientCredentials behavior to create a resolver. If no such certificate is found, an empty
|
|
/// resolver is used.
|
|
/// </para>
|
|
/// <para>
|
|
/// This class will not support changing the value of this property after a channel is created.
|
|
/// </para>
|
|
/// </remarks>
|
|
public SecurityTokenResolver SecurityTokenResolver
|
|
{
|
|
get
|
|
{
|
|
return _securityTokenResolver;
|
|
}
|
|
set
|
|
{
|
|
lock (_factoryLock)
|
|
{
|
|
if (_locked)
|
|
{
|
|
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
|
|
}
|
|
_securityTokenResolver = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// The <see cref="SecurityTokenResolver"/> used to resolve security token references found in the
|
|
/// UseKey element of RST messages as well as the RenewTarget element found in RST messages.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// If this property is not set an empty resolver is used.
|
|
/// </para>
|
|
/// <para>
|
|
/// This class will not support changing the value of this property after a channel is created.
|
|
/// </para>
|
|
/// </remarks>
|
|
public SecurityTokenResolver UseKeyTokenResolver
|
|
{
|
|
get
|
|
{
|
|
return _useKeyTokenResolver;
|
|
}
|
|
set
|
|
{
|
|
lock (_factoryLock)
|
|
{
|
|
if (_locked)
|
|
{
|
|
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
|
|
}
|
|
_useKeyTokenResolver = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Gets or sets the WSTrustRequestSerializer to use for serializing RequestSecurityTokens messages.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// If this property is not set, either <see cref="WSTrust13RequestSerializer" /> or
|
|
/// <see cref="WSTrustFeb2005RequestSerializer" /> will be used. The serializer will correspond to the
|
|
/// version of WS-Trust indicated by the <see cref="TrustVersion" /> property.
|
|
/// </para>
|
|
/// <para>
|
|
/// This class will not support changing the value of this property after a channel is created.
|
|
/// </para>
|
|
/// </remarks>
|
|
public WSTrustRequestSerializer WSTrustRequestSerializer
|
|
{
|
|
get
|
|
{
|
|
return _wsTrustRequestSerializer;
|
|
}
|
|
set
|
|
{
|
|
lock (_factoryLock)
|
|
{
|
|
if (_locked)
|
|
{
|
|
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
|
|
}
|
|
_wsTrustRequestSerializer = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Gets or sets the WSTrustResponseSerializer to use for serializing RequestSecurityTokensResponse messages.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// If this property is not set, either <see cref="WSTrust13ResponseSerializer" /> or
|
|
/// <see cref="WSTrustFeb2005ResponseSerializer" /> will be used. The serializer will correspond to the
|
|
/// version of WS-Trust indicated by the <see cref="TrustVersion" /> property.
|
|
/// </para>
|
|
/// <para>
|
|
/// This class will not support changing the value of this property after a channel is created.
|
|
/// </para>
|
|
/// </remarks>
|
|
public WSTrustResponseSerializer WSTrustResponseSerializer
|
|
{
|
|
get
|
|
{
|
|
return _wsTrustResponseSerializer;
|
|
}
|
|
set
|
|
{
|
|
lock (_factoryLock)
|
|
{
|
|
if (_locked)
|
|
{
|
|
throw IM.DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID3287));
|
|
}
|
|
_wsTrustResponseSerializer = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Creates a <see cref="WSTrustChannel" /> that is used to send messages to a service at a specific
|
|
/// endpoint address through a specified transport address.
|
|
/// </summary>
|
|
/// <param name="address">The <see cref="EndpointAddress" /> that provides the location of the service.</param>
|
|
/// <param name="via">The <see cref="Uri" /> that contains the transport address to which the channel sends messages.</param>
|
|
/// <returns></returns>
|
|
public override IWSTrustChannelContract CreateChannel(EndpointAddress address, Uri via)
|
|
{
|
|
IWSTrustChannelContract innerChannel = base.CreateChannel(address, via);
|
|
|
|
WSTrustChannelLockedProperties lockedProperties = GetLockedProperties();
|
|
return CreateTrustChannel(innerChannel,
|
|
lockedProperties.TrustVersion,
|
|
lockedProperties.Context,
|
|
lockedProperties.RequestSerializer,
|
|
lockedProperties.ResponseSerializer);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Creates a <see cref="WSTrustChannel" /> using parameters that reflect the configuration of
|
|
/// this factory.
|
|
/// </summary>
|
|
/// <param name="innerChannel">The channel created by the base class capable of sending and
|
|
/// receiving messages.</param>
|
|
/// <param name="trustVersion">The version of WS-Trust that should be used.</param>
|
|
/// <param name="context">
|
|
/// The <see cref="WSTrustSerializationContext" /> that should be used to serialize WS-Trust messages.
|
|
/// </param>
|
|
/// <param name="requestSerializer">
|
|
/// The <see cref="WSTrustRequestSerializer" /> that should be used to serialize WS-Trust request messages.
|
|
/// </param>
|
|
/// <param name="responseSerializer">
|
|
/// The <see cref="WSTrustResponseSerializer" /> that should be used to serialize WS-Trust response messages.
|
|
/// </param>
|
|
/// <returns></returns>
|
|
protected virtual WSTrustChannel CreateTrustChannel(IWSTrustChannelContract innerChannel,
|
|
TrustVersion trustVersion,
|
|
WSTrustSerializationContext context,
|
|
WSTrustRequestSerializer requestSerializer,
|
|
WSTrustResponseSerializer responseSerializer)
|
|
{
|
|
return new WSTrustChannel(this, innerChannel, trustVersion, context, requestSerializer, responseSerializer);
|
|
}
|
|
|
|
private WSTrustChannelLockedProperties GetLockedProperties()
|
|
{
|
|
lock (_factoryLock)
|
|
{
|
|
if (_lockedProperties == null)
|
|
{
|
|
WSTrustChannelLockedProperties tmpLockedProperties = new WSTrustChannelLockedProperties();
|
|
tmpLockedProperties.TrustVersion = GetTrustVersion();
|
|
tmpLockedProperties.Context = CreateSerializationContext();
|
|
tmpLockedProperties.RequestSerializer = GetRequestSerializer(tmpLockedProperties.TrustVersion);
|
|
tmpLockedProperties.ResponseSerializer = GetResponseSerializer(tmpLockedProperties.TrustVersion);
|
|
|
|
_lockedProperties = tmpLockedProperties;
|
|
_locked = true;
|
|
}
|
|
return _lockedProperties;
|
|
}
|
|
}
|
|
|
|
private WSTrustRequestSerializer GetRequestSerializer(TrustVersion trustVersion)
|
|
{
|
|
Fx.Assert(trustVersion != null, "trustVersion != null");
|
|
|
|
if (_wsTrustRequestSerializer != null)
|
|
{
|
|
return _wsTrustRequestSerializer;
|
|
}
|
|
|
|
if (trustVersion == TrustVersion.WSTrust13)
|
|
{
|
|
return new WSTrust13RequestSerializer();
|
|
}
|
|
else if (trustVersion == TrustVersion.WSTrustFeb2005)
|
|
{
|
|
return new WSTrustFeb2005RequestSerializer();
|
|
}
|
|
else
|
|
{
|
|
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperError( new NotSupportedException(SR.GetString(SR.ID3137, trustVersion.ToString())));
|
|
}
|
|
}
|
|
|
|
private WSTrustResponseSerializer GetResponseSerializer(TrustVersion trustVersion)
|
|
{
|
|
Fx.Assert(trustVersion != null, "trustVersion != null");
|
|
|
|
if (_wsTrustResponseSerializer != null)
|
|
{
|
|
return _wsTrustResponseSerializer;
|
|
}
|
|
|
|
if (trustVersion == TrustVersion.WSTrust13)
|
|
{
|
|
return new WSTrust13ResponseSerializer();
|
|
}
|
|
else if (trustVersion == TrustVersion.WSTrustFeb2005)
|
|
{
|
|
return new WSTrustFeb2005ResponseSerializer();
|
|
}
|
|
else
|
|
{
|
|
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.ID3137, trustVersion.ToString())));
|
|
}
|
|
}
|
|
|
|
private TrustVersion GetTrustVersion()
|
|
{
|
|
TrustVersion trustVersion = _trustVersion;
|
|
|
|
if (trustVersion == null)
|
|
{
|
|
BindingElementCollection elements = Endpoint.Binding.CreateBindingElements();
|
|
SecurityBindingElement sbe = elements.Find<SecurityBindingElement>();
|
|
if (null == sbe)
|
|
{
|
|
throw IM.DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException( SR.GetString(SR.ID3269)));
|
|
}
|
|
trustVersion = sbe.MessageSecurityVersion.TrustVersion;
|
|
}
|
|
|
|
return trustVersion;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Creates a <see cref="WSTrustSerializationContext" /> used by <see cref="WSTrustChannel" /> objects created
|
|
/// by this factory.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// If <see cref="WSTrustChannelFactory.SecurityTokenResolver" /> is set to null, the
|
|
/// ClientCertificate set on the factory's Endpoint's ClientCredentials behavior will be used to
|
|
/// create a resolver. If no such certificate is found, an empty resolver is used.
|
|
/// </para>
|
|
/// <para>
|
|
/// If <see cref="WSTrustChannelFactory.UseKeyTokenResolver" /> is set to null, an empty resolver
|
|
/// will be used.
|
|
/// </para>
|
|
/// </remarks>
|
|
/// <returns>A WSTrustSerializationContext initialized with the trust client's properties.</returns>
|
|
protected virtual WSTrustSerializationContext CreateSerializationContext()
|
|
{
|
|
//
|
|
// Create a resolver with the ClientCredential's ClientCertificate if a resolver is not set.
|
|
//
|
|
SecurityTokenResolver resolver = _securityTokenResolver;
|
|
if (resolver == null)
|
|
{
|
|
ClientCredentials factoryCredentials = Credentials;
|
|
if (null != factoryCredentials.ClientCertificate && null != factoryCredentials.ClientCertificate.Certificate)
|
|
{
|
|
List<SecurityToken> clientCredentialTokens = new List<SecurityToken>();
|
|
clientCredentialTokens.Add(new X509SecurityToken(factoryCredentials.ClientCertificate.Certificate));
|
|
resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(clientCredentialTokens.AsReadOnly(), false);
|
|
}
|
|
}
|
|
|
|
//
|
|
// If it is _still_ null, then make it empty.
|
|
//
|
|
if (resolver == null)
|
|
{
|
|
resolver = EmptySecurityTokenResolver.Instance;
|
|
}
|
|
|
|
//
|
|
// UseKeyTokenResolver is empty if null.
|
|
//
|
|
SecurityTokenResolver useKeyResolver = _useKeyTokenResolver ?? EmptySecurityTokenResolver.Instance;
|
|
|
|
return new WSTrustSerializationContext(_securityTokenHandlerCollectionManager, resolver, useKeyResolver);
|
|
}
|
|
}
|
|
}
|