2 // System.Web.Security.RolePrincipal
5 // Ben Maurer (bmaurer@users.sourceforge.net)
6 // Sebastien Pouliot <sebastien@ximian.com>
9 // Copyright (C) 2005-2010 Novell, Inc (http://www.novell.com)
11 // Permission is hereby granted, free of charge, to any person obtaining
12 // a copy of this software and associated documentation files (the
13 // "Software"), to deal in the Software without restriction, including
14 // without limitation the rights to use, copy, modify, merge, publish,
15 // distribute, sublicense, and/or sell copies of the Software, and to
16 // permit persons to whom the Software is furnished to do so, subject to
17 // the following conditions:
19 // The above copyright notice and this permission notice shall be
20 // included in all copies or substantial portions of the Software.
22 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
23 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
24 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
25 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
26 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
27 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
31 using System.Collections.Specialized;
32 using System.Security.Permissions;
33 using System.Security.Principal;
34 using System.Web.Configuration;
35 using System.Web.Util;
39 namespace System.Web.Security {
42 [AspNetHostingPermission (SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
44 class RolePrincipal : IPrincipal {
48 string[] _cachedArray;
49 HybridDictionary _cachedRoles;
50 readonly string _providerName;
58 public RolePrincipal (IIdentity identity)
61 throw new ArgumentNullException ("identity");
63 this._identity = identity;
64 this._cookiePath = RoleManagerConfig.CookiePath;
65 this._issueDate = DateTime.Now;
66 this._expireDate = _issueDate.Add (RoleManagerConfig.CookieTimeout);
69 public RolePrincipal (IIdentity identity, string encryptedTicket)
72 DecryptTicket (encryptedTicket);
75 public RolePrincipal (string providerName, IIdentity identity)
78 if (providerName == null)
79 throw new ArgumentNullException ("providerName");
81 this._providerName = providerName;
84 public RolePrincipal (string providerName, IIdentity identity, string encryptedTicket)
85 : this (providerName, identity)
87 DecryptTicket (encryptedTicket);
90 public string [] GetRoles ()
92 if (!_identity.IsAuthenticated)
95 if (!IsRoleListCached || Expired) {
96 _cachedArray = Provider.GetRolesForUser (_identity.Name);
97 _cachedRoles = new HybridDictionary (true);
99 foreach (string r in _cachedArray)
100 _cachedRoles.Add(r, r);
108 public bool IsInRole (string role)
110 if (!_identity.IsAuthenticated)
115 return _cachedRoles [role] != null;
118 public string ToEncryptedTicket ()
120 string roles = string.Join (",", GetRoles ());
121 string cookiePath = RoleManagerConfig.CookiePath;
122 int approxTicketLen = roles.Length + cookiePath.Length + 64;
124 if (_cachedArray.Length > Roles.MaxCachedResults)
127 MemoryStream ticket = new MemoryStream (approxTicketLen);
128 BinaryWriter writer = new BinaryWriter (ticket);
131 writer.Write (Version);
134 DateTime issueDate = DateTime.Now;
135 writer.Write (issueDate.Ticks);
137 // expiration datetime
138 writer.Write (_expireDate.Ticks);
140 writer.Write (cookiePath);
141 writer.Write (roles);
143 CookieProtection cookieProtection = RoleManagerConfig.CookieProtection;
145 byte[] ticket_data = ticket.GetBuffer ();
146 if (cookieProtection == CookieProtection.All) {
147 ticket_data = MachineKeySectionUtils.EncryptSign (MachineConfig, ticket_data);
148 } else if (cookieProtection == CookieProtection.Encryption) {
149 ticket_data = MachineKeySectionUtils.Encrypt (MachineConfig, ticket_data);
150 } else if (cookieProtection == CookieProtection.Validation) {
151 ticket_data = MachineKeySectionUtils.Sign (MachineConfig, ticket_data);
154 return GetBase64FromBytes (ticket_data, 0, ticket_data.Length);
157 void DecryptTicket (string encryptedTicket)
159 if (encryptedTicket == null || encryptedTicket == String.Empty)
160 throw new ArgumentException ("Invalid encrypted ticket", "encryptedTicket");
162 byte [] ticketBytes = GetBytesFromBase64 (encryptedTicket);
163 byte [] decryptedTicketBytes = null;
165 CookieProtection cookieProtection = RoleManagerConfig.CookieProtection;
167 if (cookieProtection == CookieProtection.All) {
168 decryptedTicketBytes = MachineKeySectionUtils.VerifyDecrypt (MachineConfig, ticketBytes);
169 } else if (cookieProtection == CookieProtection.Encryption) {
170 decryptedTicketBytes = MachineKeySectionUtils.Decrypt (MachineConfig, ticketBytes);
171 } else if (cookieProtection == CookieProtection.Validation) {
172 decryptedTicketBytes = MachineKeySectionUtils.Verify (MachineConfig, ticketBytes);
175 if (decryptedTicketBytes == null)
176 throw new HttpException ("ticket validation failed");
178 MemoryStream ticket = new MemoryStream (decryptedTicketBytes);
179 BinaryReader reader = new BinaryReader (ticket);
182 _version = reader.ReadInt32 ();
185 _issueDate = new DateTime (reader.ReadInt64 ());
188 _expireDate = new DateTime (reader.ReadInt64 ());
191 _cookiePath = reader.ReadString ();
194 string roles = reader.ReadString ();
197 InitializeRoles (roles);
198 //update ticket if less than half of CookieTimeout remaining.
199 if (Roles.CookieSlidingExpiration){
200 if (_expireDate-DateTime.Now < TimeSpan.FromTicks (RoleManagerConfig.CookieTimeout.Ticks/2)) {
201 _issueDate = DateTime.Now;
202 _expireDate = DateTime.Now.Add (RoleManagerConfig.CookieTimeout);
207 // issue a new ticket
208 _issueDate = DateTime.Now;
209 _expireDate = _issueDate.Add (RoleManagerConfig.CookieTimeout);
213 void InitializeRoles (string decryptedRoles)
215 _cachedArray = decryptedRoles.Split (',');
216 _cachedRoles = new HybridDictionary (true);
218 foreach (string r in _cachedArray)
219 _cachedRoles.Add (r, r);
222 public bool CachedListChanged {
223 get { return _listChanged; }
226 public string CookiePath {
227 get { return _cookiePath; }
230 public bool Expired {
231 get { return ExpireDate < DateTime.Now; }
234 public DateTime ExpireDate {
235 get { return _expireDate; }
238 public IIdentity Identity {
239 get { return _identity; }
242 public bool IsRoleListCached {
243 get { return (_cachedRoles != null) && RoleManagerConfig.CacheRolesInCookie; }
246 public DateTime IssueDate {
247 get { return _issueDate; }
250 public string ProviderName {
251 get { return String.IsNullOrEmpty(_providerName) ? Provider.Name : _providerName; }
255 get { return _version; }
258 RoleProvider Provider {
260 if (String.IsNullOrEmpty (_providerName))
261 return Roles.Provider;
263 return Roles.Providers [_providerName];
267 public void SetDirty ()
274 static string GetBase64FromBytes (byte [] bytes, int offset, int len)
276 return Convert.ToBase64String (bytes, offset, len);
279 static byte [] GetBytesFromBase64 (string base64String)
281 return Convert.FromBase64String (base64String);
284 RoleManagerSection RoleManagerConfig
286 get { return (RoleManagerSection) WebConfigurationManager.GetSection ("system.web/roleManager"); }
289 MachineKeySection MachineConfig
291 get { return (MachineKeySection) WebConfigurationManager.GetSection ("system.web/machineKey"); }