c
/
mono
mirror of https://github.com/mono/mono.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336
							//-----------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//-----------------------------------------------------------------------------

namespace System.ServiceModel.Description
{
    using System.Collections.Generic;
    using System.Collections.ObjectModel;
    using System.IdentityModel.Configuration;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Security.Claims;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using System.ServiceModel.Dispatcher;

    public class ServiceCredentials : SecurityCredentialsManager, IServiceBehavior
    {
        UserNamePasswordServiceCredential userName;
        X509CertificateInitiatorServiceCredential clientCertificate;
        X509CertificateRecipientServiceCredential serviceCertificate;
        WindowsServiceCredential windows;
        IssuedTokenServiceCredential issuedToken;
        PeerCredential peer;
        SecureConversationServiceCredential secureConversation;
        bool useIdentityConfiguration = false;

        bool isReadOnly = false;
        bool saveBootstrapTokenInSession = true;

        IdentityConfiguration identityConfiguration;
        ExceptionMapper exceptionMapper;

        public ServiceCredentials()
        {
            this.userName = new UserNamePasswordServiceCredential();
            this.clientCertificate = new X509CertificateInitiatorServiceCredential();
            this.serviceCertificate = new X509CertificateRecipientServiceCredential();
            this.windows = new WindowsServiceCredential();
            this.issuedToken = new IssuedTokenServiceCredential();
            this.peer = new PeerCredential();
            this.secureConversation = new SecureConversationServiceCredential();
            this.exceptionMapper = new ExceptionMapper();
            this.UseIdentityConfiguration = false;
        }

        protected ServiceCredentials(ServiceCredentials other)
        {
            if (other == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("other");
            }
            this.userName = new UserNamePasswordServiceCredential(other.userName);
            this.clientCertificate = new X509CertificateInitiatorServiceCredential(other.clientCertificate);
            this.serviceCertificate = new X509CertificateRecipientServiceCredential(other.serviceCertificate);
            this.windows = new WindowsServiceCredential(other.windows);
            this.issuedToken = new IssuedTokenServiceCredential(other.issuedToken);
            this.peer = new PeerCredential(other.peer);
            this.secureConversation = new SecureConversationServiceCredential(other.secureConversation);
            this.identityConfiguration = other.identityConfiguration;
            this.saveBootstrapTokenInSession = other.saveBootstrapTokenInSession;
            this.exceptionMapper = other.exceptionMapper;
            this.UseIdentityConfiguration = other.useIdentityConfiguration;
        }

        public UserNamePasswordServiceCredential UserNameAuthentication
        {
            get
            {
                return this.userName;
            }
        }

        public X509CertificateInitiatorServiceCredential ClientCertificate
        {
            get
            {
                return this.clientCertificate;
            }
        }

        public X509CertificateRecipientServiceCredential ServiceCertificate
        {
            get
            {
                return this.serviceCertificate;
            }
        }

        public WindowsServiceCredential WindowsAuthentication
        {
            get
            {
                return this.windows;
            }
        }

        public IssuedTokenServiceCredential IssuedTokenAuthentication
        {
            get
            {
                return this.issuedToken;
            }
        }

        public PeerCredential Peer
        {
            get
            {
                return this.peer;
            }
        }

        public SecureConversationServiceCredential SecureConversationAuthentication
        {
            get
            {
                return this.secureConversation;
            }
        }

        /// <summary>
        /// Gets or sets the ExceptionMapper to be used when throwing exceptions.
        /// </summary>
        public ExceptionMapper ExceptionMapper
        {
            get
            {
                return this.exceptionMapper;
            }
            set
            {
                ThrowIfImmutable();
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }
                this.exceptionMapper = value;
            }
        }

        public IdentityConfiguration IdentityConfiguration
        {
            get
            {
                return this.identityConfiguration;
            }
            set
            {
                ThrowIfImmutable();
                this.identityConfiguration = value;
            }
        }

        public bool UseIdentityConfiguration
        {
            get
            {
                return this.useIdentityConfiguration;
            }
            set
            {
                ThrowIfImmutable();
                this.useIdentityConfiguration = value;

                if (this.identityConfiguration == null && this.useIdentityConfiguration)
                {
                    this.identityConfiguration = new IdentityConfiguration();
                }
            }
        }

        internal static ServiceCredentials CreateDefaultCredentials()
        {
            return new ServiceCredentials();
        }

        public override SecurityTokenManager CreateSecurityTokenManager()
        {
            if (this.useIdentityConfiguration)
            {
                //
                // Note: the token manager we create here is always a wrapper over the default collection of token handlers
                //
                return new FederatedSecurityTokenManager(this.Clone());
            }
            else
            {
                return new ServiceCredentialsSecurityTokenManager(this.Clone());
            }
        }

        protected virtual ServiceCredentials CloneCore()
        {
            return new ServiceCredentials(this);
        }

        public ServiceCredentials Clone()
        {
            ServiceCredentials result = CloneCore();
            if (result == null || result.GetType() != this.GetType())
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.CloneNotImplementedCorrectly, this.GetType(), (result != null) ? result.ToString() : "null")));
            }
            return result;
        }

        void IServiceBehavior.Validate(ServiceDescription description, ServiceHostBase serviceHostBase)
        {
            //
            // Only pass a name if there was a name explicitly given to this class, otherwise ServiceConfig will require 
            // a config section with the default configuration.
            //
            if (this.UseIdentityConfiguration)
            {
                ConfigureServiceHost(serviceHostBase);
            }
        }

        /// <summary>
        /// Helper method that Initializes the SecurityTokenManager used by the ServiceHost. 
        /// By default the method sets the SecurityTokenHandlers initialized with IdentityConfiguration on the ServiceHost.
        /// </summary>
        /// <param name="serviceHost">ServiceHost instance to configure with FederatedSecurityTokenManager.</param>
        /// <exception cref="ArgumentNullException">One of the input argument is null.</exception>
        void ConfigureServiceHost(ServiceHostBase serviceHost)
        {
            if (serviceHost == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("serviceHost");
            }

            // Throw if the serviceHost is in a bad state to do the configuration
            if (!(serviceHost.State == CommunicationState.Created || serviceHost.State == CommunicationState.Opening))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4041, serviceHost));
            }

#pragma warning suppress 56506

            if (this.ServiceCertificate != null)
            {
                X509Certificate2 serverCert = this.ServiceCertificate.Certificate;
                if (serverCert != null)
                {
                    this.IdentityConfiguration.ServiceCertificate = serverCert;
                }
            }

            if (this.IssuedTokenAuthentication != null && this.IssuedTokenAuthentication.KnownCertificates != null && this.IssuedTokenAuthentication.KnownCertificates.Count > 0)
            {
                this.IdentityConfiguration.KnownIssuerCertificates = new List<X509Certificate2> (this.IssuedTokenAuthentication.KnownCertificates);
            }

            //
            // Initialize the service configuration
            //
            if (!this.IdentityConfiguration.IsInitialized)
            {
                this.IdentityConfiguration.Initialize();
            }

            // 

#pragma warning suppress 56506 // serviceHost.Authorization is never null.
            if (serviceHost.Authorization.ServiceAuthorizationManager == null)
            {
                serviceHost.Authorization.ServiceAuthorizationManager = new IdentityModelServiceAuthorizationManager();
            }
            else if (!(serviceHost.Authorization.ServiceAuthorizationManager is IdentityModelServiceAuthorizationManager))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4039)));
            }

            // If SecuritySessionTokenHandler is being used then null the WCF SecurityStateEncoder.
            if ((this.IdentityConfiguration.SecurityTokenHandlers[typeof(SecurityContextSecurityToken)] != null) &&
                (serviceHost.Credentials.SecureConversationAuthentication.SecurityStateEncoder == null))
            {
                serviceHost.Credentials.SecureConversationAuthentication.SecurityStateEncoder = new NoOpSecurityStateEncoder();
            }
        }

        void IServiceBehavior.AddBindingParameters(ServiceDescription description, ServiceHostBase serviceHostBase, Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters)
        {
            if (parameters == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parameters");
            }
            // throw if bindingParameters already has a SecurityCredentialsManager
            SecurityCredentialsManager otherCredentialsManager = parameters.Find<SecurityCredentialsManager>();
            if (otherCredentialsManager != null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.MultipleSecurityCredentialsManagersInServiceBindingParameters, otherCredentialsManager)));
            }
            parameters.Add(this);
        }

        void IServiceBehavior.ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase serviceHostBase)
        {
            for (int i = 0; i < serviceHostBase.ChannelDispatchers.Count; i++)
            {
                ChannelDispatcher channelDispatcher = serviceHostBase.ChannelDispatchers[i] as ChannelDispatcher;
                if (channelDispatcher != null && !ServiceMetadataBehavior.IsHttpGetMetadataDispatcher(description, channelDispatcher))
                {
                    foreach (EndpointDispatcher endpointDispatcher in channelDispatcher.Endpoints)
                    {
                        DispatchRuntime behavior = endpointDispatcher.DispatchRuntime;
                        behavior.RequireClaimsPrincipalOnOperationContext = this.useIdentityConfiguration;
                    }
                }
            }
        }

        internal void MakeReadOnly()
        {
            this.isReadOnly = true;
            this.ClientCertificate.MakeReadOnly();
            this.IssuedTokenAuthentication.MakeReadOnly();
            this.Peer.MakeReadOnly();
            this.SecureConversationAuthentication.MakeReadOnly();
            this.ServiceCertificate.MakeReadOnly();
            this.UserNameAuthentication.MakeReadOnly();
            this.WindowsAuthentication.MakeReadOnly();
        }

        void ThrowIfImmutable()
        {
            if (this.isReadOnly)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ObjectIsReadOnly)));
            }
        }
    }
}