|
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IdentityModel;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Runtime;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Xml;
namespace System.ServiceModel.Security
{
/// <summary>
/// This class derives from System.ServiceModel.Security.WSSecurityTokenSerializer and wraps a collection of SecurityTokenHandlers.
/// Any call to this serilaizer is delegated to the token handler and delegated to the base class if no token handler
/// is registered to handle this particular token or KeyIdentifier.
/// </summary>
class WsSecurityTokenSerializerAdapter : WSSecurityTokenSerializer
{
SecureConversationVersion _scVersion;
SecurityTokenHandlerCollection _securityTokenHandlers;
bool _mapExceptionsToSoapFaults;
ExceptionMapper _exceptionMapper = new ExceptionMapper();
/// <summary>
/// Initializes an instance of <see cref="WsSecurityTokenSerializerAdapter"/>
/// </summary>
/// <param name="securityTokenHandlerCollection">
/// The <see cref="SecurityTokenHandlerCollection" /> containing the set of <see cref="SecurityTokenHandler" />
/// objects used for serializing and validating tokens found in WS-Trust messages.
/// </param>
public WsSecurityTokenSerializerAdapter( SecurityTokenHandlerCollection securityTokenHandlerCollection )
: this( securityTokenHandlerCollection, MessageSecurityVersion.Default.SecurityVersion )
{
}
/// <summary>
/// Initializes an instance of <see cref="WsSecurityTokenSerializerAdapter"/>
/// </summary>
/// <param name="securityTokenHandlerCollection">
/// The <see cref="SecurityTokenHandlerCollection" /> containing the set of <see cref="SecurityTokenHandler" />
/// objects used for serializing and validating tokens found in WS-Trust messages.
/// </param>
/// <param name="securityVersion">The SecurityTokenVersion of the base WSSecurityTokenSerializer.</param>
public WsSecurityTokenSerializerAdapter( SecurityTokenHandlerCollection securityTokenHandlerCollection, SecurityVersion securityVersion )
: this( securityTokenHandlerCollection, securityVersion, true, new SamlSerializer(), null, null )
{
}
/// <summary>
/// Initializes an instance of <see cref="WsSecurityTokenSerializerAdapter"/>
/// </summary>
/// <param name="securityTokenHandlerCollection">
/// The <see cref="SecurityTokenHandlerCollection" /> containing the set of <see cref="SecurityTokenHandler" />
/// objects used for serializing and validating tokens found in WS-Trust messages.
/// </param>
/// <param name="securityVersion">The SecurityVersion of the base WSSecurityTokenSerializer.</param>
/// <param name="emitBspAttributes">Flag that determines if the serailization shoudl be BSP compliant.</param>
/// <param name="samlSerializer">Serializer for SAML 1.1 tokens.</param>
/// <param name="stateEncoder">SecurityStateEncoder used for resolving SCT.</param>
/// <param name="knownTypes">The collection of known claim types.</param>
public WsSecurityTokenSerializerAdapter( SecurityTokenHandlerCollection securityTokenHandlerCollection, SecurityVersion securityVersion, bool emitBspAttributes, SamlSerializer samlSerializer, SecurityStateEncoder stateEncoder, IEnumerable<Type> knownTypes )
: this( securityTokenHandlerCollection, securityVersion, TrustVersion.WSTrust13, SecureConversationVersion.WSSecureConversation13, emitBspAttributes, samlSerializer, stateEncoder, knownTypes )
{
}
/// <summary>
/// Initializes an instance of <see cref="WsSecurityTokenSerializerAdapter"/>
/// </summary>
/// <param name="securityTokenHandlerCollection">
/// The <see cref="SecurityTokenHandlerCollection" /> containing the set of <see cref="SecurityTokenHandler" />
/// objects used for serializing and validating tokens found in WS-Trust messages.
/// </param>
/// <param name="securityVersion">The SecurityVersion of the base WSSecurityTokenSerializer.</param>
/// <param name="trustVersion">The TrustVersion of the serializer uses.</param>
/// <param name="secureConversationVersion">The SecureConversationVersion of the serializer.</param>
/// <param name="emitBspAttributes">Flag that determines if the serailization shoudl be BSP compliant.</param>
/// <param name="samlSerializer">Serializer for SAML 1.1 tokens.</param>
/// <param name="stateEncoder">SecurityStateEncoder used for resolving SCT.</param>
/// <param name="knownTypes">The collection of known claim types.</param>
public WsSecurityTokenSerializerAdapter( SecurityTokenHandlerCollection securityTokenHandlerCollection, SecurityVersion securityVersion, TrustVersion trustVersion, SecureConversationVersion secureConversationVersion, bool emitBspAttributes, SamlSerializer samlSerializer, SecurityStateEncoder stateEncoder, IEnumerable<Type> knownTypes )
: base( securityVersion, trustVersion, secureConversationVersion, emitBspAttributes, samlSerializer, stateEncoder, knownTypes )
{
if ( securityTokenHandlerCollection == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "securityTokenHandlerCollection" );
}
_scVersion = secureConversationVersion;
_securityTokenHandlers = securityTokenHandlerCollection;
}
/// <summary>
/// Gets and Sets the property that describes if exceptions
/// should be mapped to SOAP Fault exceptions. Default is false.
/// </summary>
public bool MapExceptionsToSoapFaults
{
get
{
return _mapExceptionsToSoapFaults;
}
set
{
_mapExceptionsToSoapFaults = value;
}
}
/// <summary>
/// Gets the SecurityTokenHandlerCollection.
/// </summary>
public SecurityTokenHandlerCollection SecurityTokenHandlers
{
get
{
return _securityTokenHandlers;
}
}
/// <summary>
/// Gets or sets the ExceptionMapper to be used when throwing exceptions.
/// </summary>
public ExceptionMapper ExceptionMapper
{
get
{
return _exceptionMapper;
}
set
{
if ( value == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "value" );
}
_exceptionMapper = value;
}
}
/// <summary>
/// Checks if one of the wrapped SecurityTokenHandlers or the base WSSecurityTokenSerializer
/// can read the security token.
/// </summary>
/// <param name="reader">Reader to a Security token.</param>
/// <returns>'True' if the serializer can read the given Security Token.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'reader' is null.</exception>
protected override bool CanReadTokenCore( XmlReader reader )
{
if ( reader == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "reader" );
}
if ( _securityTokenHandlers.CanReadToken( reader ) )
{
return true;
}
return base.CanReadTokenCore( reader );
}
/// <summary>
/// Checks if one of the wrapped SecurityTokenHandlers or the base WSSecurityTokenSerializer
/// can write the given security token.
/// </summary>
/// <param name="token">SecurityToken instance.</param>
/// <returns>'True' if the serializer can write the given security token.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'token' is null.</exception>
protected override bool CanWriteTokenCore( SecurityToken token )
{
if ( token == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "token" );
}
if ( _securityTokenHandlers.CanWriteToken( token ) )
{
return true;
}
return base.CanWriteTokenCore( token );
}
/// <summary>
/// Deserializes the SecurityToken from the given XmlReader.
/// </summary>
/// <param name="reader">Reader to a Security token.</param>
/// <param name="tokenResolver">Instance of SecurityTokenResolver.</param>
/// <returns>'True' if the serializer can read the given Security Token.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'reader' is null.</exception>
protected override SecurityToken ReadTokenCore( XmlReader reader, SecurityTokenResolver tokenResolver )
{
if ( reader == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "reader" );
}
try
{
foreach ( SecurityTokenHandler securityTokenHandler in _securityTokenHandlers )
{
if ( securityTokenHandler.CanReadToken( reader ) )
{
SecurityToken token = securityTokenHandler.ReadToken( reader, tokenResolver );
SessionSecurityToken sessionToken = token as SessionSecurityToken;
if ( sessionToken != null )
{
if ( sessionToken.SecureConversationVersion.AbsoluteUri != _scVersion.Namespace.Value )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4053, sessionToken.SecureConversationVersion, _scVersion ) );
}
return SecurityContextSecurityTokenHelper.ConvertSessionTokenToSecurityContextSecurityToken(sessionToken);
}
else
{
return token;
}
}
}
return base.ReadTokenCore( reader, tokenResolver );
}
catch ( Exception ex )
{
if ( !( MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException( ex ) ) )
{
throw;
}
Fx.Assert( false, "ExceptionMapper did not handle an exception correctly." );
// This should never happen. ExceptionMapper will handle the exception, in which case,
// a fault exception is thrown or the original exception gets thrown.
}
return null;
}
/// <summary>
/// Serializes the SecurityToken to the XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter to write to.</param>
/// <param name="token">The SecurityToken to serializer.</param>
/// <exception cref="ArgumentNullException">The input parameter 'writer' or 'token' is null.</exception>
protected override void WriteTokenCore( XmlWriter writer, SecurityToken token )
{
if ( writer == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "writer" );
}
if ( token == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "token" );
}
try
{
//
// Wire the session handler for SCT
//
SecurityContextSecurityToken sct = token as SecurityContextSecurityToken;
if ( sct != null )
{
//
// Bare SCT tokens are wrapped with a SessionSecurityToken.
// The property SessionSecurityToken.IsSecurityContextSecurityTokenWrapper will be true.
//
token = SecurityContextSecurityTokenHelper.ConvertSctToSessionToken( sct, _scVersion );
}
SecurityTokenHandler securityTokenHandler = _securityTokenHandlers[token];
if ( ( securityTokenHandler != null ) && ( securityTokenHandler.CanWriteToken ) )
{
securityTokenHandler.WriteToken( writer, token );
return;
}
base.WriteTokenCore( writer, token );
}
catch ( Exception ex )
{
if ( !( MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException( ex ) ) )
{
throw;
}
Fx.Assert( false, "ExceptionMapper did not handle an exception correctly." );
// This should never happen. ExceptionMapper will handle the exception, in which case,
// a fault exception is thrown or the original exception gets thrown.
}
}
/// <summary>
/// Checks if one of the wrapped SecurityTokenHandlers or the base WSSecurityTokenSerializer
/// can read the security key identifier.
/// </summary>
/// <param name="reader">Reader pointing at a Security Key Identifier {ds:Keyinfo}.</param>
/// <returns>'True' if the serializer can read the given Security Key Identifier.</returns>
/// <exception cref="ArgumentNullException">The <paramref name="reader"/> is null.</exception>
protected override bool CanReadKeyIdentifierCore( XmlReader reader )
{
if ( reader == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "reader" );
}
if ( reader.IsStartElement( XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace ) )
{
return true;
}
else
{
return base.CanReadKeyIdentifierCore( reader );
}
}
/// <summary>
/// Reads an SecurityKeyIdentifier from a XML stream.
/// </summary>
/// <param name="reader">An XML reader positioned at an SecurityKeyIdentifier (ds: KeyInfo) as defined in 'http://www.w3.org/TR/xmldsig-core'.</param>
/// <returns>SecurityKeyIdentifier.</returns>
/// <exception cref="ArgumentNullException">The <paramref name="reader"/> is null.</exception>
/// <exception cref="InvalidOperationException">If the <paramref name="reader"/> is not positioned at KeyInfo element.</exception>
protected override SecurityKeyIdentifier ReadKeyIdentifierCore( XmlReader reader )
{
if ( reader == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "reader" );
}
if ( reader.IsStartElement( XmlSignatureConstants.Elements.KeyInfo, XmlSignatureConstants.Namespace ) )
{
KeyInfo keyInfo = new KeyInfo( this );
keyInfo.ReadXml( XmlDictionaryReader.CreateDictionaryReader( reader ) );
return keyInfo.KeyIdentifier;
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperXml( reader, SR.GetString( SR.ID4192 ) );
}
}
/// <summary>
/// Checks if the wrapped SecurityTokenHandler or the base WSSecurityTokenSerializer can read the
/// SecurityKeyIdentifierClause.
/// </summary>
/// <param name="reader">Reader to a SecurityKeyIdentifierClause.</param>
/// <returns>'True' if the SecurityKeyIdentifierCause can be read.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'reader' is null.</exception>
protected override bool CanReadKeyIdentifierClauseCore( XmlReader reader )
{
if ( reader == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "reader" );
}
foreach ( SecurityTokenHandler securityTokenHandler in _securityTokenHandlers )
{
if ( securityTokenHandler.CanReadKeyIdentifierClause( reader ) )
{
return true;
}
}
return base.CanReadKeyIdentifierClauseCore( reader );
}
/// <summary>
/// Checks if the wrapped SecurityTokenHandler or the base WSSecurityTokenSerializer can write the
/// given SecurityKeyIdentifierClause.
/// </summary>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to be checked.</param>
/// <returns>'True' if the SecurityTokenKeyIdentifierClause can be written.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'keyIdentifierClause' is null.</exception>
protected override bool CanWriteKeyIdentifierClauseCore( SecurityKeyIdentifierClause keyIdentifierClause )
{
if ( keyIdentifierClause == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifierClause" );
}
foreach ( SecurityTokenHandler securityTokenHandler in _securityTokenHandlers )
{
if ( securityTokenHandler.CanWriteKeyIdentifierClause( keyIdentifierClause ) )
{
return true;
}
}
return base.CanWriteKeyIdentifierClauseCore( keyIdentifierClause );
}
/// <summary>
/// Deserializes a SecurityKeyIdentifierClause from the given reader.
/// </summary>
/// <param name="reader">XmlReader to a SecurityKeyIdentifierClause.</param>
/// <returns>The deserialized SecurityKeyIdentifierClause.</returns>
/// <exception cref="ArgumentNullException">The input parameter 'reader' is null.</exception>
protected override SecurityKeyIdentifierClause ReadKeyIdentifierClauseCore( XmlReader reader )
{
if ( reader == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "reader" );
}
try
{
foreach ( SecurityTokenHandler securityTokenHandler in _securityTokenHandlers )
{
if ( securityTokenHandler.CanReadKeyIdentifierClause( reader ) )
{
return securityTokenHandler.ReadKeyIdentifierClause( reader );
}
}
return base.ReadKeyIdentifierClauseCore( reader );
}
catch ( Exception ex )
{
if ( !( MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException( ex ) ) )
{
throw;
}
Fx.Assert( false, "ExceptionMapper did not handle an exception correctly." );
// This should never happen. ExceptionMapper will handle the exception, in which case,
// a fault exception is thrown or the original exception gets thrown.
}
return null;
}
/// <summary>
/// Serializes the given SecurityKeyIdentifierClause in a XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter to write into.</param>
/// <param name="keyIdentifierClause">SecurityKeyIdentifierClause to be written.</param>
/// <exception cref="ArgumentNullException">The input parameter 'writer' or 'keyIdentifierClause' is null.</exception>
protected override void WriteKeyIdentifierClauseCore( XmlWriter writer, SecurityKeyIdentifierClause keyIdentifierClause )
{
if ( writer == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "writer" );
}
if ( keyIdentifierClause == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "keyIdentifierClause" );
}
try
{
foreach ( SecurityTokenHandler securityTokenHandler in _securityTokenHandlers )
{
if ( securityTokenHandler.CanWriteKeyIdentifierClause( keyIdentifierClause ) )
{
securityTokenHandler.WriteKeyIdentifierClause( writer, keyIdentifierClause );
return;
}
}
base.WriteKeyIdentifierClauseCore( writer, keyIdentifierClause );
}
catch ( Exception ex )
{
if ( !( MapExceptionsToSoapFaults && _exceptionMapper.HandleSecurityTokenProcessingException( ex ) ) )
{
throw;
}
Fx.Assert( false, "ExceptionMapper did not handle an exception correctly." );
// This should never happen. ExceptionMapper will handle the exception, in which case,
// a fault exception is thrown or the original exception gets thrown.
}
}
}
}
|