2 // System.Web.Security.RolePrincipal
5 // Ben Maurer (bmaurer@users.sourceforge.net)
6 // Sebastien Pouliot <sebastien@ximian.com>
9 // Copyright (C) 2005 Novell, Inc (http://www.novell.com)
11 // Permission is hereby granted, free of charge, to any person obtaining
12 // a copy of this software and associated documentation files (the
13 // "Software"), to deal in the Software without restriction, including
14 // without limitation the rights to use, copy, modify, merge, publish,
15 // distribute, sublicense, and/or sell copies of the Software, and to
16 // permit persons to whom the Software is furnished to do so, subject to
17 // the following conditions:
19 // The above copyright notice and this permission notice shall be
20 // included in all copies or substantial portions of the Software.
22 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
23 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
24 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
25 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
26 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
27 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
33 using System.Collections.Specialized;
34 using System.Security.Cryptography;
35 using System.Security.Permissions;
36 using System.Security.Principal;
37 using System.Web.Configuration;
41 namespace System.Web.Security {
44 [AspNetHostingPermission (SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
45 public sealed class RolePrincipal : IPrincipal {
49 string[] _cachedArray;
50 HybridDictionary _cachedRoles;
51 readonly string _providerName;
59 public RolePrincipal (IIdentity identity)
62 throw new ArgumentNullException ("identity");
64 this._identity = identity;
65 this._cookiePath = RoleManagerConfig.CookiePath;
66 this._issueDate = DateTime.Now;
67 this._expireDate = _issueDate.Add (RoleManagerConfig.CookieTimeout);
70 public RolePrincipal (IIdentity identity, string encryptedTicket)
73 DecryptTicket (encryptedTicket);
76 public RolePrincipal (string providerName, IIdentity identity)
79 if (providerName == null)
80 throw new ArgumentNullException ("providerName");
82 this._providerName = providerName;
85 public RolePrincipal (string providerName, IIdentity identity, string encryptedTicket)
86 : this (providerName, identity)
88 DecryptTicket (encryptedTicket);
91 public string [] GetRoles ()
93 if (!_identity.IsAuthenticated)
96 if (!IsRoleListCached || Expired) {
97 _cachedArray = Provider.GetRolesForUser (_identity.Name);
98 _cachedRoles = new HybridDictionary (true);
100 foreach (string r in _cachedArray)
101 _cachedRoles.Add(r, r);
109 public bool IsInRole (string role)
111 if (!_identity.IsAuthenticated)
116 return _cachedRoles [role] != null;
119 public string ToEncryptedTicket ()
121 string roles = string.Join (",", GetRoles ());
122 string cookiePath = RoleManagerConfig.CookiePath;
123 int approxTicketLen = roles.Length + cookiePath.Length + 64;
125 if (_cachedArray.Length > Roles.MaxCachedResults)
128 MemoryStream ticket = new MemoryStream (approxTicketLen);
129 BinaryWriter writer = new BinaryWriter (ticket);
132 writer.Write (Version);
135 DateTime issueDate = DateTime.Now;
136 writer.Write (issueDate.Ticks);
138 // expiration datetime
139 writer.Write (_expireDate.Ticks);
141 writer.Write (cookiePath);
142 writer.Write (roles);
144 CookieProtection cookieProtection = RoleManagerConfig.CookieProtection;
146 if (cookieProtection == CookieProtection.None)
147 return GetBase64FromBytes (ticket.GetBuffer (), 0, (int) ticket.Position);
149 if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Validation) {
151 byte [] hashBytes = null;
152 byte [] validationBytes = MachineKeySectionUtils.ValidationKeyBytes (MachineConfig);
153 writer.Write (validationBytes);
155 switch (MachineConfig.Validation) {
156 case MachineKeyValidation.MD5:
157 hashBytes = MD5.Create ().ComputeHash (ticket.GetBuffer (), 0, (int) ticket.Position);
160 case MachineKeyValidation.TripleDES:
161 case MachineKeyValidation.SHA1:
162 hashBytes = SHA1.Create ().ComputeHash (ticket.GetBuffer (), 0, (int) ticket.Position);
166 writer.Seek (-validationBytes.Length, SeekOrigin.Current);
167 writer.Write (hashBytes);
170 byte [] ticketBytes = null;
171 if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Encryption) {
172 ICryptoTransform enc;
173 enc = TripleDES.Create ().CreateEncryptor (MachineKeySectionUtils.DecryptionKey192Bits (MachineConfig),
175 ticketBytes = enc.TransformFinalBlock (ticket.GetBuffer (), 0, (int) ticket.Position);
178 if (ticketBytes == null)
179 return GetBase64FromBytes (ticket.GetBuffer (), 0, (int) ticket.Position);
181 return GetBase64FromBytes (ticketBytes, 0, ticketBytes.Length);
184 void DecryptTicket (string encryptedTicket)
186 if (encryptedTicket == null || encryptedTicket == String.Empty)
187 throw new ArgumentException ("Invalid encrypted ticket", "encryptedTicket");
189 byte [] ticketBytes = GetBytesFromBase64 (encryptedTicket);
190 byte [] decryptedTicketBytes = null;
192 CookieProtection cookieProtection = RoleManagerConfig.CookieProtection;
193 if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Encryption) {
194 ICryptoTransform decryptor;
195 decryptor = TripleDES.Create ().CreateDecryptor (
196 MachineKeySectionUtils.DecryptionKey192Bits (MachineConfig),
198 decryptedTicketBytes = decryptor.TransformFinalBlock (ticketBytes, 0, ticketBytes.Length);
201 decryptedTicketBytes = ticketBytes;
203 if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Validation) {
204 byte [] validationBytes = MachineKeySectionUtils.ValidationKeyBytes (MachineConfig);
205 byte [] rolesWithValidationBytes = null;
206 byte [] tmpValidation = null;
208 int hashSize = (MachineConfig.Validation == MachineKeyValidation.MD5) ? 16 : 20; //md5 is 16 bytes, sha1 is 20 bytes
210 rolesWithValidationBytes = new byte [decryptedTicketBytes.Length - hashSize + validationBytes.Length];
212 Buffer.BlockCopy (decryptedTicketBytes, 0, rolesWithValidationBytes, 0, decryptedTicketBytes.Length - hashSize);
213 Buffer.BlockCopy (validationBytes, 0, rolesWithValidationBytes, decryptedTicketBytes.Length - hashSize, validationBytes.Length);
215 switch (MachineConfig.Validation) {
216 case MachineKeyValidation.MD5:
217 tmpValidation = MD5.Create ().ComputeHash (rolesWithValidationBytes);
220 case MachineKeyValidation.TripleDES:
221 case MachineKeyValidation.SHA1:
222 tmpValidation = SHA1.Create ().ComputeHash (rolesWithValidationBytes);
225 for (int i = 0; i < tmpValidation.Length; i++) {
226 if (i >= decryptedTicketBytes.Length ||
227 tmpValidation [i] != decryptedTicketBytes [i + decryptedTicketBytes.Length - hashSize])
228 throw new HttpException ("ticket validation failed");
232 MemoryStream ticket = new MemoryStream (decryptedTicketBytes);
233 BinaryReader reader = new BinaryReader (ticket);
236 _version = reader.ReadInt32 ();
239 _issueDate = new DateTime (reader.ReadInt64 ());
242 _expireDate = new DateTime (reader.ReadInt64 ());
245 _cookiePath = reader.ReadString ();
248 string roles = reader.ReadString ();
251 InitializeRoles (roles);
252 //update ticket if less than half of CookieTimeout remaining.
253 if (Roles.CookieSlidingExpiration){
254 if (_expireDate-DateTime.Now < TimeSpan.FromTicks (RoleManagerConfig.CookieTimeout.Ticks/2)) {
255 _issueDate = DateTime.Now;
256 _expireDate = DateTime.Now.Add (RoleManagerConfig.CookieTimeout);
261 // issue a new ticket
262 _issueDate = DateTime.Now;
263 _expireDate = _issueDate.Add (RoleManagerConfig.CookieTimeout);
267 void InitializeRoles (string decryptedRoles)
269 _cachedArray = decryptedRoles.Split (',');
270 _cachedRoles = new HybridDictionary (true);
272 foreach (string r in _cachedArray)
273 _cachedRoles.Add (r, r);
278 get { return new byte [] { 1, 2, 3, 4, 5, 6, 7, 8 }; }
281 public bool CachedListChanged {
282 get { return _listChanged; }
285 public string CookiePath {
286 get { return _cookiePath; }
289 public bool Expired {
290 get { return ExpireDate < DateTime.Now; }
293 public DateTime ExpireDate {
294 get { return _expireDate; }
297 public IIdentity Identity {
298 get { return _identity; }
301 public bool IsRoleListCached {
302 get { return (_cachedRoles != null) && RoleManagerConfig.CacheRolesInCookie; }
305 public DateTime IssueDate {
306 get { return _issueDate; }
309 public string ProviderName {
310 get { return String.IsNullOrEmpty(_providerName) ? Provider.Name : _providerName; }
314 get { return _version; }
317 RoleProvider Provider {
319 if (String.IsNullOrEmpty (_providerName))
320 return Roles.Provider;
322 return Roles.Providers [_providerName];
326 public void SetDirty ()
333 static string GetBase64FromBytes (byte [] bytes, int offset, int len)
335 return Convert.ToBase64String (bytes, offset, len);
338 static byte [] GetBytesFromBase64 (string base64String)
340 return Convert.FromBase64String (base64String);
343 RoleManagerSection RoleManagerConfig
345 get { return (RoleManagerSection) WebConfigurationManager.GetSection ("system.web/roleManager"); }
348 MachineKeySection MachineConfig
350 get { return (MachineKeySection) WebConfigurationManager.GetSection ("system.web/machineKey"); }
projects / mono.git / blob