// Sebastien Pouliot <sebastien@ximian.com>
//
// (C) 2003 Ben Maurer
-// Copyright (C) 2005 Novell, Inc (http://www.novell.com)
+// Copyright (C) 2005-2010 Novell, Inc (http://www.novell.com)
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
-#if NET_2_0
-
using System.Collections.Specialized;
-using System.Security.Cryptography;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web.Configuration;
+using System.Web.Util;
using System.IO;
using System.Text;
[Serializable]
[AspNetHostingPermission (SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
- public sealed class RolePrincipal : IPrincipal {
+#if NET_4_0
+ public
+#else
+ public sealed
+#endif
+ class RolePrincipal : IPrincipal {
- private IIdentity _identity;
- private bool _listChanged;
- private string[] _cachedArray;
- private HybridDictionary _cachedRoles;
+ IIdentity _identity;
+ bool _listChanged;
+ string[] _cachedArray;
+ HybridDictionary _cachedRoles;
readonly string _providerName;
- private int _version = 1;
- private string _cookiePath;
- private DateTime _issueDate;
- private DateTime _exprireDate;
+ int _version = 1;
+ string _cookiePath;
+ DateTime _issueDate;
+ DateTime _expireDate;
public RolePrincipal (IIdentity identity)
this._identity = identity;
this._cookiePath = RoleManagerConfig.CookiePath;
this._issueDate = DateTime.Now;
- this._exprireDate = _issueDate.Add (RoleManagerConfig.CookieTimeout);
+ this._expireDate = _issueDate.Add (RoleManagerConfig.CookieTimeout);
}
public RolePrincipal (IIdentity identity, string encryptedTicket)
if (!_identity.IsAuthenticated)
return new string[0];
- if (!IsRoleListCached && !Expired) {
+ if (!IsRoleListCached || Expired) {
_cachedArray = Provider.GetRolesForUser (_identity.Name);
_cachedRoles = new HybridDictionary (true);
string cookiePath = RoleManagerConfig.CookiePath;
int approxTicketLen = roles.Length + cookiePath.Length + 64;
+ if (_cachedArray.Length > Roles.MaxCachedResults)
+ return null;
+
MemoryStream ticket = new MemoryStream (approxTicketLen);
BinaryWriter writer = new BinaryWriter (ticket);
writer.Write (issueDate.Ticks);
// expiration datetime
- writer.Write (issueDate.Add(RoleManagerConfig.CookieTimeout).Ticks);
+ writer.Write (_expireDate.Ticks);
writer.Write (cookiePath);
writer.Write (roles);
CookieProtection cookieProtection = RoleManagerConfig.CookieProtection;
- if (cookieProtection == CookieProtection.None)
- return GetBase64FromBytes (ticket.GetBuffer (), 0, (int) ticket.Position);
-
- if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Validation) {
-
- byte [] hashBytes = null;
- byte [] validationBytes = MachineConfig.ValidationKeyBytes;
- writer.Write (validationBytes);
-
- switch (MachineConfig.Validation) {
- case MachineKeyValidation.MD5:
- hashBytes = MD5.Create ().ComputeHash (ticket.GetBuffer (), 0, (int) ticket.Position);
- break;
-
- case MachineKeyValidation.TripleDES:
- case MachineKeyValidation.SHA1:
- hashBytes = SHA1.Create ().ComputeHash (ticket.GetBuffer (), 0, (int) ticket.Position);
- break;
- }
-
- writer.Seek (-validationBytes.Length, SeekOrigin.Current);
- writer.Write (hashBytes);
+ byte[] ticket_data = ticket.GetBuffer ();
+ if (cookieProtection == CookieProtection.All) {
+ ticket_data = MachineKeySectionUtils.EncryptSign (MachineConfig, ticket_data);
+ } else if (cookieProtection == CookieProtection.Encryption) {
+ ticket_data = MachineKeySectionUtils.Encrypt (MachineConfig, ticket_data);
+ } else if (cookieProtection == CookieProtection.Validation) {
+ ticket_data = MachineKeySectionUtils.Sign (MachineConfig, ticket_data);
}
- byte [] ticketBytes = null;
- if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Encryption) {
- ICryptoTransform enc;
- enc = TripleDES.Create ().CreateEncryptor (MachineConfig.DecryptionKey192Bits, InitVector);
- ticketBytes = enc.TransformFinalBlock (ticket.GetBuffer (), 0, (int) ticket.Position);
- }
-
- if (ticketBytes == null)
- return GetBase64FromBytes (ticket.GetBuffer (), 0, (int) ticket.Position);
- else
- return GetBase64FromBytes (ticketBytes, 0, ticketBytes.Length);
+ return GetBase64FromBytes (ticket_data, 0, ticket_data.Length);
}
- private void DecryptTicket (string encryptedTicket)
+ void DecryptTicket (string encryptedTicket)
{
if (encryptedTicket == null || encryptedTicket == String.Empty)
throw new ArgumentException ("Invalid encrypted ticket", "encryptedTicket");
byte [] decryptedTicketBytes = null;
CookieProtection cookieProtection = RoleManagerConfig.CookieProtection;
- if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Encryption) {
- ICryptoTransform decryptor;
- decryptor = TripleDES.Create ().CreateDecryptor (MachineConfig.DecryptionKey192Bits, InitVector);
- decryptedTicketBytes = decryptor.TransformFinalBlock (ticketBytes, 0, ticketBytes.Length);
- }
- else
- decryptedTicketBytes = ticketBytes;
-
- if (cookieProtection == CookieProtection.All || cookieProtection == CookieProtection.Validation) {
- byte [] validationBytes = MachineConfig.ValidationKeyBytes;
- byte [] rolesWithValidationBytes = null;
- byte [] tmpValidation = null;
-
- int hashSize = (MachineConfig.Validation == MachineKeyValidation.MD5) ? 16 : 20; //md5 is 16 bytes, sha1 is 20 bytes
-
- rolesWithValidationBytes = new byte [decryptedTicketBytes.Length - hashSize + validationBytes.Length];
-
- Buffer.BlockCopy (decryptedTicketBytes, 0, rolesWithValidationBytes, 0, decryptedTicketBytes.Length - hashSize);
- Buffer.BlockCopy (validationBytes, 0, rolesWithValidationBytes, decryptedTicketBytes.Length - hashSize, validationBytes.Length);
-
- switch (MachineConfig.Validation) {
- case MachineKeyValidation.MD5:
- tmpValidation = MD5.Create ().ComputeHash (rolesWithValidationBytes);
- break;
- case MachineKeyValidation.TripleDES:
- case MachineKeyValidation.SHA1:
- tmpValidation = SHA1.Create ().ComputeHash (rolesWithValidationBytes);
- break;
- }
- for (int i = 0; i < tmpValidation.Length; i++) {
- if (i >= decryptedTicketBytes.Length ||
- tmpValidation [i] != decryptedTicketBytes [i + decryptedTicketBytes.Length - hashSize])
- throw new HttpException ("ticket validation failed");
- }
+ if (cookieProtection == CookieProtection.All) {
+ decryptedTicketBytes = MachineKeySectionUtils.VerifyDecrypt (MachineConfig, ticketBytes);
+ } else if (cookieProtection == CookieProtection.Encryption) {
+ decryptedTicketBytes = MachineKeySectionUtils.Decrypt (MachineConfig, ticketBytes);
+ } else if (cookieProtection == CookieProtection.Validation) {
+ decryptedTicketBytes = MachineKeySectionUtils.Verify (MachineConfig, ticketBytes);
}
+ if (decryptedTicketBytes == null)
+ throw new HttpException ("ticket validation failed");
+
MemoryStream ticket = new MemoryStream (decryptedTicketBytes);
BinaryReader reader = new BinaryReader (ticket);
_issueDate = new DateTime (reader.ReadInt64 ());
// expire date
- _exprireDate = new DateTime (reader.ReadInt64 ());
+ _expireDate = new DateTime (reader.ReadInt64 ());
+ // cookie path
+ _cookiePath = reader.ReadString ();
+
// roles
string roles = reader.ReadString ();
- if (!Expired)
- InitializeRoles (roles);
- // cookie path
- _cookiePath = reader.ReadString ();
+ if (!Expired) {
+ InitializeRoles (roles);
+ //update ticket if less than half of CookieTimeout remaining.
+ if (Roles.CookieSlidingExpiration){
+ if (_expireDate-DateTime.Now < TimeSpan.FromTicks (RoleManagerConfig.CookieTimeout.Ticks/2)) {
+ _issueDate = DateTime.Now;
+ _expireDate = DateTime.Now.Add (RoleManagerConfig.CookieTimeout);
+ SetDirty ();
+ }
+ }
+ } else {
+ // issue a new ticket
+ _issueDate = DateTime.Now;
+ _expireDate = _issueDate.Add (RoleManagerConfig.CookieTimeout);
+ }
}
- private void InitializeRoles (string decryptedRoles)
+ void InitializeRoles (string decryptedRoles)
{
_cachedArray = decryptedRoles.Split (',');
_cachedRoles = new HybridDictionary (true);
_cachedRoles.Add (r, r);
}
- private byte [] InitVector
- {
- get { return new byte [] { 1, 2, 3, 4, 5, 6, 7, 8 }; }
- }
-
public bool CachedListChanged {
get { return _listChanged; }
}
}
public DateTime ExpireDate {
- get { return _exprireDate; }
+ get { return _expireDate; }
}
public IIdentity Identity {
}
}
}
-#endif
+