mono/mcs/class/referencesource/System.ServiceModel/System/ServiceModel/Security/InfoCardHelper.cs

//-----------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//-----------------------------------------------------------------------------
//
// Presharp uses the c# pragma mechanism to supress its warnings.
// These are not recognised by the base compiler so we need to explictly
// disable the following warnings. See http://winweb/cse/Tools/PREsharp/userguide/default.asp 
// for details. 
//
#pragma warning disable 1634, 1691      // unknown message, unknown pragma

namespace System.ServiceModel.Security
{
    using System.Collections.ObjectModel;
    using System.Collections.Generic;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Description;
    using System.ServiceModel.Security.Tokens;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Dispatcher;
    using System.Xml;
    using System.IO;
    using System.Text;
    using System.Runtime;
    using System.Diagnostics.CodeAnalysis;


    //
    // Summary:
    //  delegate definition for invokation of the GetToken method.
    //
    delegate SecurityToken GetInfoCardTokenCallback(bool requiresInfoCard, CardSpacePolicyElement[] chain, SecurityTokenSerializer tokenSerializer);

    static class InfoCardHelper
    {
        const string WSIdentityNamespace = @"http://schemas.microsoft.com/ws/2005/05/identity";
        const string IsManagedElementName = @"IsManaged";
        static Uri selfIssuerUri;

        // Summary:
        //  If interactive support is requested and an IssuedSecurityTokenParameters is specified this method 
        //  will return an instance of an InfoCardTokenProvider. 
        //  Otherwise this method defers to the base implementation.
        //
        // Parameters
        //  parameters  - The security token parameters associated with this ChannelFactory.
        //
        // Note
        //  The target and issuer information will not be available in this call
        //
        public static bool TryCreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, ClientCredentialsSecurityTokenManager clientCredentialsTokenManager, out SecurityTokenProvider provider)
        {
            if (tokenRequirement == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenRequirement");
            if (clientCredentialsTokenManager == null)
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("clientCredentialsTokenManager");

            provider = null;

            if (!clientCredentialsTokenManager.ClientCredentials.SupportInteractive
                || (null != clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerAddress && null != clientCredentialsTokenManager.ClientCredentials.IssuedToken.LocalIssuerBinding)
                || !clientCredentialsTokenManager.IsIssuedSecurityTokenRequirement(tokenRequirement)
                )
            {
                //IDT.TraceDebug("ICARDTOKPROV: Non Issued SecurityToken requirement submitted to InfoCardClientCredentialsSecurityTokenManager:\n{0}", tokenRequirement);
                //IDT.TraceDebug("ICARDTOKPROV: Defering to the base class to create the token provider");
            }
            else
            {
                ChannelParameterCollection channelParameter;
                InfoCardChannelParameter infocardChannelParameter = null;
                if (tokenRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameter))
                {
                    foreach (object obj in channelParameter)
                    {
                        if (obj is InfoCardChannelParameter)
                        {
                            infocardChannelParameter = (InfoCardChannelParameter)obj;
                            break;
                        }
                    }
                }

                if (null == infocardChannelParameter || !infocardChannelParameter.RequiresInfoCard)
                {
                    return false;
                }

                EndpointAddress target = tokenRequirement.GetProperty<EndpointAddress>(ServiceModelSecurityTokenRequirement.TargetAddressProperty);
                IssuedSecurityTokenParameters issuedTokenParameters = tokenRequirement.GetProperty<IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);

                Uri privacyNoticeLink;
                if (!tokenRequirement.TryGetProperty<Uri>(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out privacyNoticeLink))
                {
                    privacyNoticeLink = null;
                }

                int privacyNoticeVersion;
                if (!tokenRequirement.TryGetProperty<int>(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out privacyNoticeVersion))
                {
                    privacyNoticeVersion = 0;
                }
                //
                // This analysis of this chain indicates that interactive support will be required
                // The InternalClientCredentials class handles that.
                //
                provider = CreateTokenProviderForNextLeg(tokenRequirement, target, issuedTokenParameters.IssuerAddress, infocardChannelParameter.RelyingPartyIssuer, clientCredentialsTokenManager, infocardChannelParameter);
            }

            return provider != null;
        }


        public static bool IsInfocardRequired(Binding binding, ClientCredentials clientCreds, SecurityTokenManager clientCredentialsTokenManager, EndpointAddress target, out CardSpacePolicyElement[] infocardChain, out Uri relyingPartyIssuer)
        {
            infocardChain = null;
            bool requiresInfoCard = false;
            relyingPartyIssuer = null;
            if (!clientCreds.SupportInteractive
                || (null != clientCreds.IssuedToken.LocalIssuerAddress && null != clientCreds.IssuedToken.LocalIssuerBinding)
                )
            {
                return false;
            }
            IssuedSecurityTokenParameters parameters = TryGetNextStsIssuedTokenParameters(binding);
            if (null != parameters)
            {

                Uri privacyNotice;
                int privacyVersion;
                GetPrivacyNoticeLinkFromIssuerBinding(binding, out privacyNotice, out privacyVersion);

                PolicyElement[] policyChain = GetPolicyChain(target, binding, parameters, privacyNotice, privacyVersion, clientCredentialsTokenManager);
                relyingPartyIssuer = null;
                if (null != policyChain)
                {
                    requiresInfoCard = RequiresInfoCard(policyChain, out relyingPartyIssuer);
                }
                if (requiresInfoCard)
                {
                    infocardChain = new CardSpacePolicyElement[policyChain.Length];
                    for (int i = 0; i < policyChain.Length; i++)
                    {
                        infocardChain[i] = policyChain[i].ToCardSpacePolicyElement();
                    }

                }
            }
            return requiresInfoCard;
        }

        static Uri SelfIssuerUri
        {
            get
            {
                if (selfIssuerUri == null)

                    selfIssuerUri = new Uri(WSIdentityNamespace + "/issuer/self");
                return selfIssuerUri;
            }
        }

        static PolicyElement[] GetPolicyChain(EndpointAddress target, Binding outerBinding, IssuedSecurityTokenParameters parameters, Uri firstPrivacyNoticeLink, int firstPrivacyNoticeVersion, SecurityTokenManager clientCredentialsTokenManager)
        {
            EndpointAddress nextTarget = target;
            IssuedSecurityTokenParameters nextParameters = parameters;

            List<PolicyElement> chain = new List<PolicyElement>();

            Uri privacyNoticeLink = firstPrivacyNoticeLink;
            int privacyNoticeVersion = firstPrivacyNoticeVersion;
            bool isManagedIssuer = false;


            //
            // this is the binding to the final STS in the chain. Start from here and walk the 
            // chain backwards to the 1st STS in the chain
            //
            while (null != nextParameters)
            {
                MessageSecurityVersion bindingSecurityVersion = null;
                if (nextParameters.IssuerBinding == null)
                {
                    bindingSecurityVersion = GetBindingSecurityVersionOrDefault(outerBinding);
                }
                else
                {
                    bindingSecurityVersion = GetBindingSecurityVersionOrDefault(nextParameters.IssuerBinding);
                }
                chain.Add(new PolicyElement(nextTarget,
                 nextParameters.IssuerAddress,
                 nextParameters.CreateRequestParameters(bindingSecurityVersion, clientCredentialsTokenManager.CreateSecurityTokenSerializer(bindingSecurityVersion.SecurityTokenVersion)),
                 privacyNoticeLink,
                 privacyNoticeVersion,
                 isManagedIssuer,
                 nextParameters.IssuerBinding));

                isManagedIssuer = IsReferralToManagedIssuer(nextParameters.IssuerBinding);
                GetPrivacyNoticeLinkFromIssuerBinding(nextParameters.IssuerBinding, out privacyNoticeLink, out privacyNoticeVersion);
                nextTarget = nextParameters.IssuerAddress;
                outerBinding = nextParameters.IssuerBinding;
                nextParameters = TryGetNextStsIssuedTokenParameters(nextParameters.IssuerBinding);
            }

            //
            // Add the last element for the MCIP case
            //
            if (isManagedIssuer)
            {
                chain.Add(new PolicyElement(nextTarget,
                            null,
                            null,
                            privacyNoticeLink,
                            privacyNoticeVersion,
                            isManagedIssuer,
                            null));
            }
            return chain.ToArray();
        }

        //
        // Summary:
        //  Checks the policy chain to determine which target and issuer in the chain the InfoCard system should be invoked with.
        //
        //  Cases:
        //         
        //    i     Frame(n-1)          Frame(n)                            RP Index
        //    -     ----------          --------                             ---------
        //    1     empty               Self/Anon/null                       n 
        //    2     empty               mcip                                 error
        //    3     empty               anything other than self/anon        federated token provider
        //                              null/mcip
        //    4     any issuer          mcip                                 n-1
        //    5     any issuer          Self/Anon/null                       n   
        //    6     any issuer          anything other than self/anon        federated token provider
        //                              null/mcip
        //   
        //      
        // Parameters
        //  relyingPartyIssuer  - The output Uri of the issuer of the relying party requiring 
        //                        interactive support.
        //    
        // Returns:
        //  true    - A policy frame was identified to require interactive support from the infocard system.
        //  false   - Interactive support not required
        //
        static bool RequiresInfoCard(PolicyElement[] chain, out Uri relyingPartyIssuer)
        {
            relyingPartyIssuer = null;

            //IDT.TraceDebug("ICARDTOKPROV: Attempting to identify the relying party requiring infocard support.");

            if (0 == chain.Length)
            {
                //IDT.TraceDebug("ICARDTOKPROV: Zero length policy chain, returning false.");
                return false;
            }

            int n = chain.Length - 1;
            int relyingPartyIndex = -1;
            bool infocardSupportRequired = false;

            //
            // Handle a chain which contains only one element - cases 1 and 2
            //
            if (1 == chain.Length)
            {
                if (null == chain[n].Issuer
                    || chain[n].Issuer.IsAnonymous
                    || SelfIssuerUri.Equals(chain[n].Issuer.Uri)
                    || (null != chain[n].Issuer && null == chain[n].Binding))
                {
                    //IDT.TraceDebug("ICARDTOKPROV: Policy frame n was selected (case 1).");

                    //
                    // Case 1: Return frame n 
                    //
                    relyingPartyIndex = n;
                    infocardSupportRequired = true;
                }
                //
                // Case 2: Asert if mcip is at the bottom of the chain and is the only element
                //
                else if (chain[n].IsManagedIssuer)
                {
                    Fx.Assert("MCIP was found at the bottom of the chain when the chain length was 1");
                }
                else
                {
                    //
                    // Case 3: Do nothing so that Indigo will use the default federated token provider.
                    //
                    infocardSupportRequired = false;
                }
            }
            else
            {
                if (chain[n].IsManagedIssuer)
                {
                    //
                    // Case 4: MCIP followed by a token supported by infocard was found. Return frame n-1.
                    //
                    relyingPartyIndex = n - 1;
                    infocardSupportRequired = true;

                }
                //
                // Case 5: Federated chain ending in self issued/null/anon. Return frame n.
                //
                else if (null == chain[n].Issuer ||
                    chain[n].Issuer.IsAnonymous ||
                    SelfIssuerUri.Equals(chain[n].Issuer.Uri) ||
                    (null != chain[n].Issuer && null == chain[n].Binding))
                {
                    relyingPartyIndex = n;
                    infocardSupportRequired = true;
                }
                else
                {
                    //
                    // Case 6: Do nothing so that Indigo will use the default federated token provider.
                    //
                    infocardSupportRequired = false;
                }

                //
                // Check to make sure that no other leg in the chain specifically requires infocard
                //
                for (int k = 0; k < n; k++)
                {
                    if (chain[k].IsManagedIssuer
                        || SelfIssuerUri.Equals(chain[k].Issuer.Uri)
                        || null == chain[k].Issuer
                        || chain[k].Issuer.IsAnonymous)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.InfoCardInvalidChain)));
                    }
                }
            }

            //
            // Get the issuer Uri from the policy chain. Also, handle the case where
            // the issuer may not have been specified.
            //
            if (infocardSupportRequired)
            {
                relyingPartyIssuer = (null == chain[relyingPartyIndex].Issuer) ? null : chain[relyingPartyIndex].Issuer.Uri;
            }

            return infocardSupportRequired;
        }

        static SecurityTokenProvider CreateTokenProviderForNextLeg(SecurityTokenRequirement tokenRequirement, EndpointAddress target, EndpointAddress issuerAddress, Uri relyingPartyIssuer, ClientCredentialsSecurityTokenManager clientCredentialsTokenManager, InfoCardChannelParameter infocardChannelParameter)
        {
            if (((null == relyingPartyIssuer && null == issuerAddress) || issuerAddress.Uri == relyingPartyIssuer))
            {
                return new InternalInfoCardTokenProvider(infocardChannelParameter);
            }
            else
            {
                // create a federation token provider and add an internal client credentials shim that contains the chain
                IssuedSecurityTokenProvider federationTokenProvider = (IssuedSecurityTokenProvider)clientCredentialsTokenManager.CreateSecurityTokenProvider(tokenRequirement, true);
                federationTokenProvider.IssuerChannelBehaviors.Remove<SecurityCredentialsManager>();
                federationTokenProvider.IssuerChannelBehaviors.Add(new InternalClientCredentials(clientCredentialsTokenManager.ClientCredentials, target, relyingPartyIssuer, infocardChannelParameter));
                return federationTokenProvider;

            }
        }

        //
        // Summary:
        //  Looks for a standards manager on the security binding element of the specified binding.
        //  If one is not found it returns the default.
        //
        // Parameters
        //  binding     - Collection
        //  parameters  - Security parameters for current invocation.
        //    
        // Returns:
        //  Always returns an instance of the SecurityVersion class
        //
        public static MessageSecurityVersion GetBindingSecurityVersionOrDefault(Binding binding)
        {
            if (null != binding)
            {
                SecurityBindingElement sbe = binding.CreateBindingElements().Find<SecurityBindingElement>();
                if (null != sbe)
                {
                    return sbe.MessageSecurityVersion;
                }
            }

            return MessageSecurityVersion.Default;
        }

        //
        // Summary:
        // Given an Issuer binding determines whether that issuer is a managed card provider.
        //
        //
        static bool IsReferralToManagedIssuer(Binding issuerBinding)
        {
            bool bRetVal = false;

            if (null != issuerBinding)
            {
                //
                // If the UseManagedPresentationBindingElement is present then this is a ManagedCardProvider.
                //
                UseManagedPresentationBindingElement useManagedPresentationBE =
                    issuerBinding.CreateBindingElements().Find<UseManagedPresentationBindingElement>();

                if (null != useManagedPresentationBE)
                {
                    bRetVal = true;
                }
            }

            return bRetVal;
        }

        //
        // Summary:
        // Given an issuer Binding retrieves any privacy notice links that might be present.
        //
        static void GetPrivacyNoticeLinkFromIssuerBinding(Binding issuerBinding, out Uri privacyNotice, out int privacyNoticeVersion)
        {
            privacyNotice = null;
            privacyNoticeVersion = 0;

            if (null != issuerBinding)
            {
                PrivacyNoticeBindingElement privacyNoticeBE =
                    issuerBinding.CreateBindingElements().Find<PrivacyNoticeBindingElement>();

                if (null != privacyNoticeBE)
                {
                    privacyNotice = privacyNoticeBE.Url;
                    privacyNoticeVersion = privacyNoticeBE.Version;
                }
            }
        }

        // Summary:
        //  Searches a binding for a single IssuedSecurityTokenParameters.  This method will throw an 
        //  argument exception if more than one is found.
        //
        // Parameters:
        //  currentStsBinding   -  The Binding to search.
        //
        // Return Value:
        //  Returns an IssuedSecurityTokenParameters if one is found, otherwise null.
        //
        static IssuedSecurityTokenParameters TryGetNextStsIssuedTokenParameters(Binding currentStsBinding)
        {
            if (null == currentStsBinding)
            {
                return null;
            }

            BindingElementCollection bindingElements = currentStsBinding.CreateBindingElements();
            SecurityBindingElement secBindingElement = bindingElements.Find<SecurityBindingElement>();

            return TryGetNextStsIssuedTokenParameters(secBindingElement);
        }

        // Summary:
        //  Searches a security binding element for a single IssuedSecurityTokenParameters.  This method will throw an 
        //  argument exception if more than one is found.
        //
        // Parameters:
        //  securityBindingEle   -  The SecurityBindingElement to search.
        //
        // Return Value:
        //  Returns an IssuedSecurityTokenParameters if one is found, otherwise null.
        //
        static IssuedSecurityTokenParameters TryGetNextStsIssuedTokenParameters(SecurityBindingElement securityBindingEle)
        {
            if (securityBindingEle == null)
            {
                return null;
            }

            //
            // This object can have a value assigned to it exactly once.  After one assignment of a non-null value
            // any other non-null assignment will cause the object to throw an argument excaption.
            //
            ThrowOnMultipleAssignment<IssuedSecurityTokenParameters> issuedTokenParameters =
                new ThrowOnMultipleAssignment<IssuedSecurityTokenParameters>(SR.GetString(SR.TooManyIssuedSecurityTokenParameters));

            FindInfoCardIssuerBinding(securityBindingEle, issuedTokenParameters);

            return issuedTokenParameters.Value;
        }

        static void FindInfoCardIssuerBinding(SecurityBindingElement secBindingElement, ThrowOnMultipleAssignment<IssuedSecurityTokenParameters> issuedSecurityTokenParameters)
        {
            if (secBindingElement == null)
                return;

            //
            // Go down the list of possible places for an IssuedSecurityTokenParameters, and hope we don't 
            // miss anything.
            //
            SecurityTokenParametersEnumerable tokenParamEnumerator = new SecurityTokenParametersEnumerable(secBindingElement);
            foreach (SecurityTokenParameters param in tokenParamEnumerator)
            {
                IssuedSecurityTokenParameters issuedTokenParam = param as IssuedSecurityTokenParameters;
                if (issuedTokenParam != null &&
                    ((issuedTokenParam.IssuerBinding == null ||
                    issuedTokenParam.IssuerAddress == null ||
                    issuedTokenParam.IssuerAddress.IsAnonymous ||
                    SelfIssuerUri.Equals(issuedTokenParam.IssuerAddress)) ||
                    (IsReferralToManagedIssuer(issuedTokenParam.IssuerBinding))))
                {
                    if (issuedSecurityTokenParameters != null)
                        issuedSecurityTokenParameters.Value = issuedTokenParam;
                }
                else if (param is SecureConversationSecurityTokenParameters)
                {
                    IssuedSecurityTokenParameters istp = TryGetNextStsIssuedTokenParameters(((SecureConversationSecurityTokenParameters)param).BootstrapSecurityBindingElement);
                    if ((istp != null) && (issuedSecurityTokenParameters != null))
                    {
                        issuedSecurityTokenParameters.Value = istp;
                    }
                }
                else if ((issuedTokenParam != null) && (issuedTokenParam.IssuerBinding != null))
                {
                    BindingElementCollection bindingElements = issuedTokenParam.IssuerBinding.CreateBindingElements();
                    SecurityBindingElement innerSecurityBindingElement = bindingElements.Find<SecurityBindingElement>();
                    IssuedSecurityTokenParameters istp = TryGetNextStsIssuedTokenParameters(innerSecurityBindingElement);
                    if ((istp != null) && (issuedSecurityTokenParameters != null))
                    {
                        issuedSecurityTokenParameters.Value = issuedTokenParam;
                    }
                }
            }

        }

        //
        // Summary:
        //  This class throws an Argument exception if an attempt is made to assign a non-null
        //  value to the Value property more than once.
        //
        class ThrowOnMultipleAssignment<T>
        {

            string m_errorString;
            T m_value;

            public T Value
            {
                get { return m_value; }
                set
                {
                    if (null != m_value && null != value)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(m_errorString);
                    }
                    else if (null == m_value)
                    {
                        m_value = value;
                    }
                }
            }

            //
            // Parameters:
            //  errorString  - If Value gets assigned to more than once an argument exception will be thrown with this
            //                 string as the Exception string.
            //
            public ThrowOnMultipleAssignment(string errorString)
            {
                Fx.Assert(!String.IsNullOrEmpty(errorString), "Must have an error string");

                m_errorString = errorString;
            }
        }

        class InternalInfoCardTokenProvider : SecurityTokenProvider, IDisposable
        {
            InfoCardChannelParameter m_infocardChannelParameter;

            public InternalInfoCardTokenProvider(InfoCardChannelParameter infocardChannelParameter)
            {
                this.m_infocardChannelParameter = infocardChannelParameter;
            }


            protected override SecurityToken GetTokenCore(TimeSpan timeout)
            {
                if (null != m_infocardChannelParameter && null != m_infocardChannelParameter.Token)
                {
                    if (m_infocardChannelParameter.Token.ValidTo < DateTime.UtcNow)
                    {
                        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ExpiredSecurityTokenException((SR.GetString(SR.ExpiredTokenInChannelParameters))));
                    }
                    else
                    {
                        return m_infocardChannelParameter.Token;
                    }
                }
                else
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException((SR.GetString(SR.NoTokenInChannelParameters))));
                }
            }

            public void Dispose()
            {
                //
                // Don't want to pull the rug under the user when channel is aborted
                // as user may be managing cards - nothing to do.
                //
            }

        }

        //
        // Summary:
        //  This class knows how to walk a chain of IssuedSecurityTokenParameters and figure out at what point
        //  in the chain the InfoCard system should be invoked.  The idea is to identify the single most 
        //  appropriate place in the referral chain to involve user selection(if at all) . This decision is affected
        //  by the previously established relationships that the user has with some issuers. Some issuers may have 
        //  issued "InfoCards" to the user allowing them to choose which collection of claims should be used to generate
        //  a token for the relying party.
        //
        //  When asked for a token provider this class will return a FederatedServiceTokenProvider for
        //  an IssuedSecurityTokenParameters until it reaches the previously identified relyingparty/issuer, 
        //  at which point it will return an InternalTokenProvider instance, which will invoke the infocard 
        //  system allowing the user to get involved in the token generatio process.
        // 
        class InternalClientCredentials : ClientCredentials
        {
            Uri m_relyingPartyIssuer;
            ClientCredentials m_clientCredentials;
            InfoCardChannelParameter m_infocardChannelParameter;

            //
            // Summary:
            //  Constructs the policy chain and determines the depth at which to invoke the InfoCard system.
            //
            // Parameters
            //  target      - Target specified in CreateChannel call. This will fully specify a referral chain.
            //  parameters  - Security parameters for current invocation.
            //    
            public InternalClientCredentials(
                            ClientCredentials infocardCredentials,
                            EndpointAddress target,
                            Uri relyingPartyIssuer,
                            InfoCardChannelParameter infocardChannelParameter)
                : base(infocardCredentials)
            {
                m_relyingPartyIssuer = relyingPartyIssuer;
                m_clientCredentials = infocardCredentials;
                m_infocardChannelParameter = infocardChannelParameter;

            }

            InternalClientCredentials(InternalClientCredentials other)
                : base(other)
            {
                m_relyingPartyIssuer = other.m_relyingPartyIssuer;
                m_clientCredentials = other.m_clientCredentials;
                m_infocardChannelParameter = other.InfoCardChannelParameter;
            }

            public InfoCardChannelParameter InfoCardChannelParameter
            {
                get
                {
                    return m_infocardChannelParameter;
                }
            }
            public override SecurityTokenManager CreateSecurityTokenManager()
            {
                return new InternalClientCredentialsSecurityTokenManager(this, m_infocardChannelParameter);
            }

            public override void ApplyClientBehavior(ServiceEndpoint serviceEndpoint, ClientRuntime behavior)
            {
            }

            protected override ClientCredentials CloneCore()
            {
                return new InternalClientCredentials(this);
            }


            class InternalClientCredentialsSecurityTokenManager : ClientCredentialsSecurityTokenManager
            {
                Uri m_relyingPartyIssuer;
                InfoCardChannelParameter m_infocardChannelParameter;

                public InternalClientCredentialsSecurityTokenManager(InternalClientCredentials internalClientCredentials, InfoCardChannelParameter infocardChannelParameter)
                    : base(internalClientCredentials)
                {
                    m_relyingPartyIssuer = internalClientCredentials.m_relyingPartyIssuer;
                    m_infocardChannelParameter = infocardChannelParameter;

                }

                public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
                {
                    if (IsIssuedSecurityTokenRequirement(tokenRequirement))
                    {
                        EndpointAddress target = tokenRequirement.GetProperty<EndpointAddress>(ServiceModelSecurityTokenRequirement.TargetAddressProperty);
                        IssuedSecurityTokenParameters issuedTokenParameters = tokenRequirement.GetProperty<IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
                        return InfoCardHelper.CreateTokenProviderForNextLeg(tokenRequirement, target, issuedTokenParameters.IssuerAddress, m_relyingPartyIssuer, this, m_infocardChannelParameter);
                    }
                    else
                    {
                        return base.CreateSecurityTokenProvider(tokenRequirement);
                    }
                }
            }
        }

        class PolicyElement
        {
            EndpointAddress m_target;
            EndpointAddress m_issuer;
            Collection<XmlElement> m_parameters;
            Uri m_policyNoticeLink;
            int m_policyNoticeVersion;
            bool m_isManagedIssuer;
            Binding m_binding;

            public bool IsManagedIssuer
            {
                get { return m_isManagedIssuer; }
            }

            public EndpointAddress Issuer
            {
                get { return m_issuer; }
            }

            public Binding Binding
            {
                get { return m_binding; }
            }

            //
            // Parameters:
            //  target     - The target of the token being described.
            //  parameters - describes the type of token required by the target.
            //
            public PolicyElement(EndpointAddress target, EndpointAddress issuer, Collection<XmlElement> parameters, Uri privacyNoticeLink, int privacyNoticeVersion, bool isManagedIssuer, Binding binding)
            {
                m_target = target;
                m_issuer = issuer;
                m_parameters = parameters;
                m_policyNoticeLink = privacyNoticeLink;
                m_policyNoticeVersion = privacyNoticeVersion;
                m_isManagedIssuer = isManagedIssuer;
                m_binding = binding;
            }

            //
            // Summary:
            //   Convert the PolicyElement to an CardSpacePolicyElement
            //
            // Returns:
            //  The CardSpacePolicyElement object
            //
            [SuppressMessage(FxCop.Category.Security, FxCop.Rule.AptcaMethodsShouldOnlyCallAptcaMethods, Justification = "The call to CardSpacePolicyElement is safe.")]
            public CardSpacePolicyElement ToCardSpacePolicyElement()
            {
                return new CardSpacePolicyElement(EndPointAddressToXmlElement(m_target),
                                                  EndPointAddressToXmlElement(m_issuer),
                                                  m_parameters,
                                                  m_policyNoticeLink,
                                                  m_policyNoticeVersion,
                                                  m_isManagedIssuer);

            }

            //
            // Summary:
            //   Convert an endpoint address to an XmlElement
            //
            // Parameters:
            //   epr - EndPointAddress that need to be converted
            //
            // Returns:
            //  The XmlElement version of the epr
            //
            private XmlElement EndPointAddressToXmlElement(EndpointAddress epr)
            {
                if (null == epr)
                    return null;

                using (MemoryStream buffer = new MemoryStream())
                {
                    using (XmlWriter writer = new XmlTextWriter(buffer, Encoding.UTF8))
                    {
                        epr.WriteTo(AddressingVersion.WSAddressing10, writer);
                        //
                        // Skip the BOM and trailing padding.
                        //
                        writer.Flush();
                        buffer.Flush();
                        buffer.Seek(0, 0);
                        using (XmlReader reader = XmlReader.Create(buffer))
                        {
                            XmlDocument doc = new XmlDocument();
                            return (XmlElement)doc.ReadNode(reader);
                        }

                    }

                }
            }
        }

        class SecurityTokenParametersEnumerable : IEnumerable<SecurityTokenParameters>
        {
            SecurityBindingElement sbe;

            public SecurityTokenParametersEnumerable(SecurityBindingElement sbe)
            {
                if (sbe == null)
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sbe");
                this.sbe = sbe;
            }

            public IEnumerator<SecurityTokenParameters> GetEnumerator()
            {
                foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.Endorsing)
                    if (stp != null)
                        yield return stp;
                foreach (SecurityTokenParameters stp in this.sbe.EndpointSupportingTokenParameters.SignedEndorsing)
                    if (stp != null)
                        yield return stp;
                foreach (SupportingTokenParameters str in this.sbe.OperationSupportingTokenParameters.Values)
                    if (str != null)
                    {
                        foreach (SecurityTokenParameters stp in str.Endorsing)
                            if (stp != null)
                                yield return stp;
                        foreach (SecurityTokenParameters stp in str.SignedEndorsing)
                            if (stp != null)
                                yield return stp;
                    }
                if (this.sbe is SymmetricSecurityBindingElement)
                {
                    SymmetricSecurityBindingElement ssbe = (SymmetricSecurityBindingElement)sbe;
                    if (ssbe.ProtectionTokenParameters != null)
                        yield return ssbe.ProtectionTokenParameters;
                }
                else if (this.sbe is AsymmetricSecurityBindingElement)
                {
                    AsymmetricSecurityBindingElement asbe = (AsymmetricSecurityBindingElement)sbe;
                    if (asbe.RecipientTokenParameters != null)
                        yield return asbe.RecipientTokenParameters;
                }
            }

            System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator()
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException());
            }
        }

    }
}