Code:
/ WCF / WCF / 3.5.30729.1 / untmp / Orcas / SP / ndp / cdf / src / WCF / infocard / Service / managed / Microsoft / InfoCards / InfoCardPolicy.cs / 1 / InfoCardPolicy.cs
//------------------------------------------------------------------------------ // Copyright (c) Microsoft Corporation. All rights reserved. //----------------------------------------------------------------------------- // // Presharp uses the c# pragma mechanism to supress its warnings. // These are not recognised by the base compiler so we need to explictly // disable the following warnings. See http://winweb/cse/Tools/PREsharp/userguide/default.asp // for details. // #pragma warning disable 1634, 1691 // unknown message, unknown pragma namespace Microsoft.InfoCards { using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; //Stream using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Security.Cryptography.Xml; using System.IdentityModel.Tokens; using System.IdentityModel.Selectors; using System.ServiceModel; using System.ServiceModel.Channels; using System.ServiceModel.Security; using System.ServiceModel.Security.Tokens; using System.Text; using System.Xml; using System.Globalization; using System.Xml.Schema; using IDT = Microsoft.InfoCards.Diagnostics.InfoCardTrace; // // Summary // This is hopefully a temporary enum until Indigo's SecurityKeyType // supports NoProofKey. // internal enum SecurityKeyTypeInternal { SymmetricKey, AsymmetricKey, NoKey } internal enum PolicyUsageContext { Browser, Intermediate, GetToken } // // Summary: // Given WS-Identity policy (from PS or STS) in the form of XML strings reads the policy and populates appropriate properties. // internal class InfoCardPolicy { static XmlNamespaceManager m_defNamespaces = XmlNames.CreateNamespaceManager( new NameTable() ); EndpointAddress m_issuer; // Issuer of the security token as specified by the RP's security policy string m_privacyPolicyLink = String.Empty; // The link to RP's privacy policy uint m_privacyPolicyVersion; // RP's privacy policy version bool m_isManaged; // Does the policy belong to a STS requiring a managed card. bool m_requiresManagedCard; // Determines if only managed card can satisfy policy. RecipientIdentity m_immediateTokenRecipientIdentity; // The term "immediateTokenRecipient" refers to the STS/party we are encrypting the token to RecipientIdentity m_recipientIdentity; // The term "Recipient" refers to the relying party Policy m_policyPrimary; // Policy that originated from the Client (developer settings + Indigo applied defaults). Policy m_policySecondary; // Original policy that was specified by the Relying Party. // // A merged policy that exposes the appropriate values from both Primary and Secondary policy. Whenever possible, // the merged policy will take its values from the Primary policy. If the value is missing, then it will retrieve it from // the Secondary policy. See CreateMergedPolicy(). // Policy m_policyMerged; readonly PolicyUsageContext m_policyUsageContext; // // Helper constructor to gate constructor // public InfoCardPolicy( EndpointAddress immediateTokenRecipient, EndpointAddress issuer, ParsedPolicy policy, PolicyUsageContext policyUsageContext, string privacyUrl, uint privacyVersion, RecipientIdentity recipientIdentity, bool isManaged ) { m_policyUsageContext = policyUsageContext; m_issuer = issuer; m_recipientIdentity = recipientIdentity; m_immediateTokenRecipientIdentity = RecipientIdentity.CreateIdentity( immediateTokenRecipient, false ); m_isManaged = isManaged; if( null != policy ) { ParseIncomingPolicy( policy ); } if( !IsSelfIssuedUriPresent( m_issuer ) ) { // // SelfIssuedUri absent --> either it is null/anonymous or it is a managed issuer // if( issuer != null && !Utility.CompareUri( issuer.Uri, new Uri( XmlNames.WSIdentity.AnonymousIssuerUri ) ) ) { //If not null, then only a managed card can satisfy policy m_requiresManagedCard = true; } } m_privacyPolicyLink = privacyUrl; m_privacyPolicyVersion = privacyVersion; } private void ParseIncomingPolicy( ParsedPolicy parsedPolicy ) { // // Check to see if we are receiving a single policy or a set of RP and Client policies. // if( PolicyType.Composite == parsedPolicy.PolicyType ) { try { m_policyPrimary = PolicyFactory.CreatePolicyFromUnwrappedPolicyXml( parsedPolicy.PolicyXmlPrimary ); m_policySecondary = PolicyFactory.CreatePolicyFromUnwrappedPolicyXml( parsedPolicy.PolicyXmlSecondary ); m_policyMerged = Policy.CreateMergedPolicy( parsedPolicy.PolicyXmlOriginal, m_policyPrimary, m_policySecondary ); } catch( XmlSchemaValidationException e ) { throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.SchemaValidationFailed ), e ) ); } } else if( PolicyType.PrimaryOnly == parsedPolicy.PolicyType ) { try { m_policyPrimary = PolicyFactory.CreatePolicyFromUnwrappedPolicyXml( parsedPolicy.PolicyXmlPrimary ); // // Since we only have one policy in this case, make it the official "merged" policy. // m_policyMerged = m_policyPrimary; } catch( XmlSchemaValidationException e ) { throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.SchemaValidationFailed ), e ) ); } } else if( PolicyType.SecondaryOnly == parsedPolicy.PolicyType ) { try { m_policySecondary = PolicyFactory.CreatePolicyFromUnwrappedPolicyXml( parsedPolicy.PolicyXmlSecondary ); // // Since we only have one policy in this case, make it the official "merged" policy. // m_policyMerged = m_policySecondary; } catch( XmlSchemaValidationException e ) { throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.SchemaValidationFailed ), e ) ); } } else { // // We are ensured that this case will not happen since ParsedPolicy will throw if it gets a null/empty for both primary // and secondary policy. // } } public Policy MergedPolicy { get { return m_policyMerged; } } public string RequestType { get { return m_policyMerged.RequestType; } } public Policy ClientPolicy { get { return m_policyPrimary; } } public Policy RelyingPartyPolicy { get { return m_policySecondary; } } public OptionalRstParameters OptionalRstParams { get { return m_policyMerged.OptionalRstParams; } } public string[] RequiredClaims { get { return m_policyMerged.RequiredClaims; } } public string[] OptionalClaims { get { return m_policyMerged.OptionalClaims; } } public SecurityKeyTypeInternal KeyType { get { return m_policyMerged.KeyType; } } public bool KeyTypeSpecified { get { return m_policyMerged.KeyTypeSpecified; } } public EndpointAddress PolicyAppliesTo { get { return m_policyMerged.PolicyAppliesTo; } } public MemoryStream UnprocessedPolicyElements { get { return m_policyMerged.UnprocessedPolicyElements; } } public bool KeySizeSpecified { get { return m_policyMerged.KeySizeSpecified; } } public uint KeySize { get { return m_policyMerged.KeySize; } /* SSS_WARNINGS_OFF */ } public bool NonWhiteListElementsFound { get { return m_policyMerged.NonWhiteListElementsFound; } } public ListNonWhiteListElements { get { return m_policyMerged.NonWhiteListElements; } } /* SSS_WARNINGS_ON */ public ProtocolProfile ProtocolVersionProfile { get { return m_policyMerged.ProtocolVersionProfile; } } public RecipientIdentity ImmediateTokenRecipient { get { return m_immediateTokenRecipientIdentity; } } public EndpointAddress Issuer { get { return m_issuer; } } public RecipientIdentity Recipient { get { return m_recipientIdentity; } } public UInt32 GetIntelligentKeySize(bool isSelfIssuedCardSelected) { if( isSelfIssuedCardSelected ) { throw IDT.ThrowHelperError( new InvalidOperationException() ); } else { // // Managed card case - sending RST to IP/STS // if( SecurityKeyTypeInternal.AsymmetricKey == KeyType ) { // // We only support 2048 in useKey currently, so override what's in policy // return InfoCard.KeySize; } else if( SecurityKeyTypeInternal.SymmetricKey == KeyType ) { if( !KeySizeSpecified ) { return (UInt32)SecurityAlgorithmSuite.Default.DefaultSymmetricKeyLength; } else { return KeySize; } } else { IDT.Assert( false, "Should access this property only in managed card non-no proof key scenario" ); throw IDT.ThrowHelperError( new InvalidOperationException() ); } } } public string GetKeyTypeString() { switch( KeyType ) { case SecurityKeyTypeInternal.AsymmetricKey: return m_policyMerged.ProtocolVersionProfile.WSTrust.KeyTypeAsymmetric.ToString(); case SecurityKeyTypeInternal.SymmetricKey: return m_policyMerged.ProtocolVersionProfile.WSTrust.KeyTypeSymmetric.ToString(); case SecurityKeyTypeInternal.NoKey: return m_policyMerged.ProtocolVersionProfile.WSTrust.KeyTypeBearer.ToString(); default: IDT.Assert( false, "Impossible condition in code" ); throw IDT.ThrowHelperError( new InvalidOperationException() ); } } public string PrivacyPolicyLink { get { return m_privacyPolicyLink; } } public uint PrivacyPolicyVersion { get { return m_privacyPolicyVersion; } } public bool IsManaged { get { return m_isManaged; } } public bool RequiresManagedCard { get { return m_requiresManagedCard; } } public bool RequiresSelfIssuedCard { get { if( null == m_issuer ) { return false; } return Utility.CompareUri( m_issuer.Uri, new Uri( XmlNames.WSIdentity.SelfIssuerUri ) ); } } // // Summary: // Set the recipient info (the party we show in the RIP page) so that it can be be validated and used // // Arguments: // recipientIdentity - the identity information for the final recipient // privacyUrl - the privacy URL for the recipient // privacyVersion - the privacy version // public void SetRecipientInfo( RecipientIdentity recipientIdentity, string privacyUrl, uint privacyVersion) { m_recipientIdentity = recipientIdentity; m_privacyPolicyLink = privacyUrl; m_privacyPolicyVersion = privacyVersion; } // // Summary: // Computes the IsManaged flag based on recieved policy. If the flag is already set to true this method // will not reset it. // private void ComputeRequiresManagedCardFlag() /* SSS_WARNINGS_OFF */ { if( m_policyMerged.NonWhiteListElementsFound ) { m_requiresManagedCard = true; } /* SSS_WARNINGS_ON */ foreach( string clm in m_policyMerged.RequiredClaims ) { if( !PolicyUtility.IsSelfIssuedClaim( clm ) ) { m_requiresManagedCard = true; } } // // Check token type. Only saml tokens are supported for v1. // if( !String.IsNullOrEmpty( m_policyMerged.OptionalRstParams.TokenType ) && !PolicyUtility.IsSelfIssuedTokenType( m_policyMerged.OptionalRstParams.TokenType ) ) { m_requiresManagedCard = true; } // // Check is the keytype is correct // if( !( m_immediateTokenRecipientIdentity is X509RecipientIdentity ) && SecurityKeyTypeInternal.SymmetricKey == m_policyMerged.KeyType ) { m_requiresManagedCard = true; } // // Check the KeyWrapAlgorithm. The local token factory only supports the default algorithm. // if( ( !String.IsNullOrEmpty( m_policyMerged.OptionalRstParams.KeyWrapAlgorithm ) ) && ( m_policyMerged.OptionalRstParams.KeyWrapAlgorithm != SecurityAlgorithmSuite.Default.DefaultAsymmetricKeyWrapAlgorithm ) ) { m_requiresManagedCard = true; } } private void FillComputedPolicy() { ComputeRequiresManagedCardFlag(); } public void Validate() { // // Check requested claims // bool noRequiredClaimsInPolicy = ( null == m_policyMerged.RequiredClaims || 0 == m_policyMerged.RequiredClaims.Length ); PolicyValidator validator = null; if( PolicyUsageContext.Browser == m_policyUsageContext ) { if( noRequiredClaimsInPolicy ) { throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.NoClaimsFoundInPolicy ) ) ); } FillComputedPolicy(); validator = new BrowserPolicyValidator( this ); } else if( PolicyUsageContext.GetToken == m_policyUsageContext ) { if( noRequiredClaimsInPolicy ) { throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.NoClaimsFoundInPolicy ) ) ); } FillComputedPolicy(); validator = new PolicyValidator( this ); } else { // // Intermediate policy does not need to calculate computed policy elements // validator = new IntermediatePolicyValidator( this ); } validator.Validate(); } // // Summary: // If the IP/STS (using self-issued card for authentication)asks anything else but the PPID claim // we will throw a PolicyValidationException // public void ThrowIfNonPpidClaimsPresent() { IDT.ThrowInvalidArgumentConditional( m_policyMerged.RequiredClaims == null || m_policyMerged.OptionalClaims == null , "claims" ); if( m_policyMerged.RequiredClaims.Length == 1 && m_policyMerged.RequiredClaims[ 0 ] == InfoCardConstants.PPIDClaimsUri && m_policyMerged.OptionalClaims.Length == 0 ) { // // We're OK // ; } else { throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.IPStsPolicyRequestingNonPpidClaims ) ) ); } } // // Utility functions // public static bool IsSelfIssuedUriPresent( EndpointAddress address ) { if( null == address ) { // // Policy is stating null issuer, so self issued URI not present // return false; } if( Utility.CompareUri( address.Uri, XmlNames.WSIdentity.SelfIssuerUriValue ) ) { return true; } return false; } } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007. // Copyright (c) Microsoft Corporation. All rights reserved.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- ToolStripItemTextRenderEventArgs.cs
- Form.cs
- RawStylusInputReport.cs
- XmlName.cs
- FontClient.cs
- ModuleConfigurationInfo.cs
- ShapeTypeface.cs
- DictionaryBase.cs
- RuntimeCompatibilityAttribute.cs
- FormsAuthenticationConfiguration.cs
- TextWriter.cs
- ContentPosition.cs
- WizardStepCollectionEditor.cs
- ChangeProcessor.cs
- OptionUsage.cs
- XmlSchemaImporter.cs
- Trigger.cs
- DictionaryEntry.cs
- MaterialGroup.cs
- UIElementHelper.cs
- InternalConfigConfigurationFactory.cs
- RectAnimationClockResource.cs
- BehaviorEditorPart.cs
- TextParagraphView.cs
- Site.cs
- ToolTipAutomationPeer.cs
- SimpleWorkerRequest.cs
- BreakSafeBase.cs
- EditingMode.cs
- RadialGradientBrush.cs
- DynamicPropertyReader.cs
- CacheOutputQuery.cs
- ChildTable.cs
- WSDualHttpBindingCollectionElement.cs
- TextTreeUndoUnit.cs
- _StreamFramer.cs
- ClockController.cs
- ServiceDescriptionContext.cs
- CachedPathData.cs
- ReaderWriterLock.cs
- RealProxy.cs
- XmlEncoding.cs
- MemberDomainMap.cs
- HandlerFactoryCache.cs
- Msmq4SubqueuePoisonHandler.cs
- HostingEnvironment.cs
- Attributes.cs
- LinearGradientBrush.cs
- QuerySettings.cs
- CheckBoxField.cs
- Hashtable.cs
- SqlRecordBuffer.cs
- DataSourceControl.cs
- WSUtilitySpecificationVersion.cs
- MediaTimeline.cs
- ByteBufferPool.cs
- CompiledIdentityConstraint.cs
- EventHandlersDesigner.cs
- RsaSecurityKey.cs
- SqlCommand.cs
- Geometry.cs
- Drawing.cs
- RuleProcessor.cs
- StatusBarItemAutomationPeer.cs
- HandlerWithFactory.cs
- XmlHierarchyData.cs
- Substitution.cs
- Mutex.cs
- AppDomainFactory.cs
- ObjectQueryProvider.cs
- Repeater.cs
- MediaContextNotificationWindow.cs
- TextModifierScope.cs
- HttpListener.cs
- FileSystemEventArgs.cs
- GorillaCodec.cs
- TypeExtensions.cs
- TcpDuplicateContext.cs
- MouseButtonEventArgs.cs
- IItemProperties.cs
- Encoder.cs
- InternalConfigRoot.cs
- TemplateNodeContextMenu.cs
- AutomationPatternInfo.cs
- BindingManagerDataErrorEventArgs.cs
- AttributeProviderAttribute.cs
- TransactionsSectionGroup.cs
- RequestCacheManager.cs
- AffineTransform3D.cs
- TokenBasedSetEnumerator.cs
- ProxyFragment.cs
- _BaseOverlappedAsyncResult.cs
- Schema.cs
- TraceHandler.cs
- FeatureAttribute.cs
- SqlInfoMessageEvent.cs
- SHA256.cs
- XmlNotation.cs
- AudioLevelUpdatedEventArgs.cs
- AssemblyAttributes.cs