1 //
2 // X509SecurityTokenAuthenticator.cs
3 //
4 // Author:
5 //      Atsushi Enomoto <atsushi@ximian.com>
6 //
7 // Copyright (C) 2006 Novell, Inc.  http://www.novell.com
8 //
9 // Permission is hereby granted, free of charge, to any person obtaining
10 // a copy of this software and associated documentation files (the
11 // "Software"), to deal in the Software without restriction, including
12 // without limitation the rights to use, copy, modify, merge, publish,
13 // distribute, sublicense, and/or sell copies of the Software, and to
14 // permit persons to whom the Software is furnished to do so, subject to
15 // the following conditions:
16 // 
17 // The above copyright notice and this permission notice shall be
18 // included in all copies or substantial portions of the Software.
19 // 
20 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
23 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
24 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
25 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
26 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 //
28 using System;
29 using System.Collections.Generic;
30 using System.Collections.ObjectModel;
31 using System.IdentityModel.Claims;
32 using System.IdentityModel.Policy;
33 using System.IdentityModel.Tokens;
34 using System.Security.Principal;
35 using System.Security.Cryptography.X509Certificates;
36 using System.Xml;
37
38 namespace System.IdentityModel.Selectors
39 {
40         public class X509SecurityTokenAuthenticator
41                 : SecurityTokenAuthenticator
42         {
43                 bool map_to_windows, include_win_groups;
44                 X509CertificateValidator validator;
45
46                 public X509SecurityTokenAuthenticator ()
47                         : this (X509CertificateValidator.ChainTrust)
48                 {
49                 }
50
51                 public X509SecurityTokenAuthenticator (X509CertificateValidator validator)
52                         : this (validator, false)
53                 {
54                 }
55
56                 public X509SecurityTokenAuthenticator (X509CertificateValidator validator, bool mapToWindows)
57                         : this (validator, mapToWindows, false)
58                 {
59                 }
60
61                 public X509SecurityTokenAuthenticator (X509CertificateValidator validator, bool mapToWindows, bool includeWindowsGroups)
62                 {
63                         if (validator == null)
64                                 throw new ArgumentNullException ("validator");
65                         this.validator = validator;
66                         map_to_windows = mapToWindows;
67                         include_win_groups = includeWindowsGroups;
68
69                         if (map_to_windows || include_win_groups)
70                                 throw new NotSupportedException ("Why on earth do you expect that mapToWindows or includeWindowsGroups are supported here?");
71                 }
72
73                 protected override bool CanValidateTokenCore (SecurityToken token)
74                 {
75                         return token is X509SecurityToken;
76                 }
77
78                 protected override ReadOnlyCollection<IAuthorizationPolicy>
79                         ValidateTokenCore (SecurityToken token)
80                 {
81                         X509SecurityToken xt = token as X509SecurityToken;
82                         if (xt == null)
83                                 throw new InvalidOperationException (String.Format ("Security token '{0}' cannot be validated by this security token authenticator.", xt));
84                         validator.Validate (xt.Certificate);
85                         IAuthorizationPolicy policy =
86                                 new X509AuthorizationPolicy (xt.Certificate);
87                         return new ReadOnlyCollection<IAuthorizationPolicy> (new IAuthorizationPolicy [] {policy});
88                 }
89
90                 class X509AuthorizationPolicy : SystemIdentityAuthorizationPolicy
91                 {
92                         X509Certificate2 cert;
93
94                         public X509AuthorizationPolicy (X509Certificate2 cert)
95                                 : base (new UniqueId ().ToString ())
96                         {
97                                 this.cert = cert;
98                         }
99
100                         public override DateTime ExpirationTime {
101                                 // FIXME: should it really be converted to UTC?
102                                 get { return cert.NotAfter.ToUniversalTime (); }
103                         }
104
105                         public override ClaimSet CreateClaims ()
106                         {
107                                 return new DefaultClaimSet (Claim.CreateX500DistinguishedNameClaim (cert.SubjectName));
108                         }
109
110                         public override IIdentity CreateIdentity ()
111                         {
112                                 return new GenericIdentity (String.Concat (cert.SubjectName, "; ", cert.Thumbprint), "X509");
113                         }
114                 }
115         }
116 }