PolicyValidator.cs source code in C# .NET

Source code for the .NET framework in C#

                        

Code:

/ WCF / WCF / 3.5.30729.1 / untmp / Orcas / SP / ndp / cdf / src / WCF / infocard / Service / managed / Microsoft / InfoCards / PolicyValidator.cs / 2 / PolicyValidator.cs

                            //------------------------------------------------------------------------------ 
// Copyright (c) Microsoft Corporation.  All rights reserved.
//-----------------------------------------------------------------------------
//
// Presharp uses the c# pragma mechanism to supress its warnings. 
// These are not recognised by the base compiler so we need to explictly
// disable the following warnings. See http://winweb/cse/Tools/PREsharp/userguide/default.asp 
// for details. 
//
#pragma warning disable 1634, 1691      // unknown message, unknown pragma 



namespace Microsoft.InfoCards 
{
    using System; 
    using System.Text; 
    using System.Collections.Generic;
    using System.ServiceModel.Security; 

    using IDT = Microsoft.InfoCards.Diagnostics.InfoCardTrace;

    // 
    // Summary:
    // Validates an InfoCardPolicy. 
    // 
    internal class PolicyValidator
    { 
        InfoCardPolicy m_policy;

        public PolicyValidator( InfoCardPolicy policy )
        { 
            IDT.Assert( null != policy, "PolicyValidator: policy cannot be null." );
 
            m_policy = policy; 
        }
 
        public virtual void Validate()
        {
            ValidateClaims();			/* SSS_WARNINGS_OFF */
 
            ValidateNonWhiteListElements();
 
            ValidateRequestType();		/* SSS_WARNINGS_ON */ 

            ValidateTokenType(); 

            ValidateKeySize();

            ValidatePrivacyVersion(); 

            ValidateKeyTypeSpecified(); 
 
            ValidateKeyType();
 
            ValidateKeyWrapAlgorithm();

            ValidateAppliesTo();
 
            ValidateRecipients();
        } 
 
        protected void ValidateClaims()
        { 
            string[] requiredClaims = m_policy.RequiredClaims;
            if( null == requiredClaims || 0 == requiredClaims.Length )
            {
                throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.NoClaimsFoundInPolicy ) ) ); 
            }
 
            // 
            // Check to ensure the claims are valid self issued URIs.
            // 
            foreach( string clm in m_policy.RequiredClaims )
            {
                if( !PolicyUtility.IsSelfIssuedClaim( clm ) )
                { 
                    string error = SR.GetString( SR.ServiceDoesNotSupportThisClaim );
                    ThrowIfSelfIssued( new UnsupportedPolicyOptionsException( error ) ); 
                } 
            }
        } 
 	/* SSS_WARNINGS_OFF */
        protected void ValidateNonWhiteListElements()
        {
            if( m_policy.NonWhiteListElementsFound ) 
            {
                StringBuilder sb = new StringBuilder(); 
                foreach( string s in m_policy.NonWhiteListElements ) 
                {
                    sb.Append( " " ); 
                    sb.Append( s );
                }
                string error = SR.GetString( SR.ServiceUnsupportedPolicyElementFound, sb.ToString() );
                ThrowIfSelfIssued( new UnsupportedPolicyOptionsException( error ) ); 
            }
 
        } /* SSS_WARNINGS_ON */	 

        protected void ValidateRequestType() 
        {
            //
            // Check request type. Cardspace v1 only supports '\Issue' as the request type
            // 
            if( !String.IsNullOrEmpty( m_policy.RequestType )
                && m_policy.MergedPolicy.ProtocolVersionProfile.WSTrust.IssueRequestType != m_policy.RequestType ) 
            { 
                throw IDT.ThrowHelperError( new UnsupportedPolicyOptionsException( SR.GetString(
                    SR.OnlyIssueRequestTypeSupported, 
                    m_policy.RequestType,
                    m_policy.MergedPolicy.ProtocolVersionProfile.WSTrust.IssueRequestType ) ) );
            }
 
        }
 
        protected void ValidateTokenType() 
        {
            // 
            // Check token type. Only saml tokens are supported for v1.
            //
            if( !String.IsNullOrEmpty( m_policy.OptionalRstParams.TokenType )
                && !PolicyUtility.IsSelfIssuedTokenType( m_policy.OptionalRstParams.TokenType ) ) 
            {
                string error = SR.GetString( SR.ServiceDoesNotSupportThisTokenType ); 
                ThrowIfSelfIssued( new UnsupportedPolicyOptionsException( error ) ); 
            }
        } 

        protected void ValidateKeySize()
        {
            // 
            // Check approved keysize
            // For asymmetric only the size 2048 is supported - true for both self issued and managed cases 
            // 
            //
            // 

            if( SecurityKeyTypeInternal.AsymmetricKey == m_policy.KeyType
                && m_policy.KeySizeSpecified
                && InfoCard.KeySize != m_policy.KeySize ) 
            {
                throw IDT.ThrowHelperError( new UnsupportedPolicyOptionsException( SR.GetString( SR.ServiceInvalidAsymmetricKeySize ) ) ); 
            } 
        }
 
        protected void ValidatePrivacyVersion()
        {
            //
            // Check privacy version. Privacy version has to be greater than 0. 
            //
            if( ( 0 == m_policy.PrivacyPolicyVersion && !String.IsNullOrEmpty( m_policy.PrivacyPolicyLink ) ) || 
               ( 0 != m_policy.PrivacyPolicyVersion && String.IsNullOrEmpty( m_policy.PrivacyPolicyLink ) ) ) 
            {
                throw IDT.ThrowHelperError( new PolicyValidationException( SR.GetString( SR.ServiceInvalidPrivacyNoticeVersion ) ) ); 
            }
        }

        protected void ValidateKeyTypeSpecified() 
        {
            // 
            // No proof key only supported in browser scenario. 
            // FYI e.g. in CustomTokenProvider (self issued for managed)
            // we do proof-of-possession with a symmetric/asymmetric key, 
            // so the below path holds for that as well.
            //
            if( SecurityKeyTypeInternal.NoKey == m_policy.MergedPolicy.KeyType )
            { 
                throw IDT.ThrowHelperError( new PolicyValidationException(
                        SR.GetString( SR.NoProofKeyOnlyAllowedInBrowser, XmlNames.WSIdentity.NoProofKeyTypeValue ) ) ); 
            } 
        }
 
        protected void ValidateKeyType()
        {
            //
            // Check is the keytype is correct 
            //
            if( !( m_policy.ImmediateTokenRecipient is X509RecipientIdentity ) 
                && m_policy.KeyTypeSpecified 
                && SecurityKeyTypeInternal.SymmetricKey == m_policy.KeyType )
            { 
                string error = SR.GetString( SR.InvalidKeyOption );
                ThrowIfSelfIssued( new UnsupportedPolicyOptionsException( error ) );
            }
        } 

        protected void ValidateKeyWrapAlgorithm() 
        { 
            //
            // If the KeyWrapAlgorithm differs from the default algorithm, then we throw in the case of a self issued card. 
            //
            if( ( !String.IsNullOrEmpty( m_policy.OptionalRstParams.KeyWrapAlgorithm ) ) &&
                ( m_policy.OptionalRstParams.KeyWrapAlgorithm != SecurityAlgorithmSuite.Default.DefaultAsymmetricKeyWrapAlgorithm ) )
            { 
                string error = SR.GetString( SR.ServiceInvalidArguments );
                ThrowIfSelfIssued( new UnsupportedPolicyOptionsException( error ) ); 
            } 
        }
 
        protected void ValidateRecipients()
        {
            m_policy.Recipient.Validate();
            m_policy.ImmediateTokenRecipient.Validate(); 

            IDT.DebugAssert( !String.IsNullOrEmpty( m_policy.Recipient.GetIdentifier() ), 
                             "Recipid should have been populated here" ); 

            IDT.DebugAssert( !String.IsNullOrEmpty( m_policy.Recipient.GetOrganizationIdentifier() ), 
                             "Recipid should have been populated here" );

            IDT.DebugAssert(!String.IsNullOrEmpty(m_policy.Recipient.GetOrganizationPPIDIdentifier() ),
                             "Recipid should have been populated here"); 
        }
 
        protected void ValidateAppliesTo() 
        {
            if( null == m_policy.MergedPolicy.PolicyAppliesTo ) 
            {
                //
                // Nothing to validate.
                // 
                return;
            } 
 
            //
            // First we compare scheme, host and port. 
            //
            if( 0 != Uri.Compare(
                        m_policy.MergedPolicy.PolicyAppliesTo.Uri,
                        m_policy.ImmediateTokenRecipient.Address.Uri, 
                        UriComponents.SchemeAndServer,
                        UriFormat.UriEscaped, 
                        StringComparison.OrdinalIgnoreCase ) ) 
            {
                throw IDT.ThrowHelperError( 
                                new PolicyValidationException(
                                    SR.GetString(
                                        SR.InvalidAppliesToInPolicy,
                                        SR.GetString( SR.RecipientNotFromSameSecurityDomain ) ) ) ); 
            }
 
 
            string appliesToPath = m_policy.MergedPolicy.PolicyAppliesTo.Uri.GetComponents( UriComponents.Path, UriFormat.UriEscaped );
            string recipPath = m_policy.ImmediateTokenRecipient.Address.Uri.GetComponents( UriComponents.Path, UriFormat.UriEscaped ); 

            if( !String.IsNullOrEmpty( appliesToPath ) )
            {
                // 
                // If the recipient has no path, there is no way for it to be scoped to the applies To if it does.
                // 
                if( String.IsNullOrEmpty( recipPath ) ) 
                {
                    throw IDT.ThrowHelperError( 
                                    new PolicyValidationException(
                                        SR.GetString(
                                            SR.InvalidAppliesToInPolicy,
                                            SR.GetString( SR.RecipientNotFromSameSecurityDomain ) ) ) ); 
                }
 
                appliesToPath = appliesToPath.ToLowerInvariant(); 
                recipPath = recipPath.ToLowerInvariant();
 
                if( !recipPath.StartsWith( appliesToPath, StringComparison.OrdinalIgnoreCase ) )
                {
                    throw IDT.ThrowHelperError(
                                    new PolicyValidationException( 
                                        SR.GetString(
                                            SR.InvalidAppliesToInPolicy, 
                                            SR.GetString( SR.RecipientNotFromSameSecurityDomain ) ) ) ); 
                }
            } 
        }

        private void ThrowIfSelfIssued( Exception e )
        { 
            if( InfoCardPolicy.IsSelfIssuedUriPresent( m_policy.Issuer ) )
            { 
                throw IDT.ThrowHelperError( e ); 
            }
        } 
    }
}

// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
// Copyright (c) Microsoft Corporation. All rights reserved.


                        

Link Menu

Network programming in C#, Network Programming in VB.NET, Network Programming in .NET
This book is available now!
Buy at Amazon US or
Buy at Amazon UK