|
public ValidateBeforeActivate ( |
||
| context | ||
| clientSignature | SignatureData | |
| clientSoftwareCertificates | List |
|
| userIdentityToken | ExtensionObject | |
| userTokenSignature | SignatureData | |
| localeIds | StringCollection | |
| serverNonce | byte | |
| identityToken | UserIdentityToken | |
| userTokenPolicy | UserTokenPolicy | |
| return | void | |
public void ValidateBeforeActivate(
OperationContext context,
SignatureData clientSignature,
List<SoftwareCertificate> clientSoftwareCertificates,
ExtensionObject userIdentityToken,
SignatureData userTokenSignature,
StringCollection localeIds,
byte[] serverNonce,
out UserIdentityToken identityToken,
out UserTokenPolicy userTokenPolicy)
{
lock (m_lock)
{
// verify that a secure channel was specified.
if (context.ChannelContext == null)
{
throw new ServiceResultException(StatusCodes.BadSecureChannelIdInvalid);
}
// verify that the same security policy has been used.
EndpointDescription endpoint = context.ChannelContext.EndpointDescription;
if (endpoint.SecurityPolicyUri != m_endpoint.SecurityPolicyUri || endpoint.SecurityMode != m_endpoint.SecurityMode)
{
throw new ServiceResultException(StatusCodes.BadSecurityPolicyRejected);
}
// verify the client signature.
if (m_clientCertificate != null)
{
byte[] dataToSign = Utils.Append(m_serverCertificate.RawData, m_serverNonce);
//byte[] dataToSign = Utils.Append(m_serverCertificateChain, m_serverNonce);
if (!SecurityPolicies.Verify(m_clientCertificate, m_endpoint.SecurityPolicyUri, dataToSign, clientSignature))
{
throw new ServiceResultException(StatusCodes.BadApplicationSignatureInvalid);
}
}
if (!m_activated)
{
// must active the session on the channel that was used to create it.
if (m_secureChannelId != context.ChannelContext.SecureChannelId)
{
throw new ServiceResultException(StatusCodes.BadSecureChannelIdInvalid);
}
}
else
{
// cannot change the certificates after activation.
if (clientSoftwareCertificates != null && clientSoftwareCertificates.Count > 0)
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument);
}
}
// validate the user identity token.
identityToken = ValidateUserIdentityToken(userIdentityToken, userTokenSignature, out userTokenPolicy);
TraceState("VALIDATED");
}
}
/// <summary>
/// Activates an existing session
/// </summary>
public virtual bool ActivateSession(
OperationContext context,
NodeId authenticationToken,
SignatureData clientSignature,
List <SoftwareCertificate> clientSoftwareCertificates,
ExtensionObject userIdentityToken,
SignatureData userTokenSignature,
StringCollection localeIds,
out byte[] serverNonce)
{
serverNonce = null;
Session session = null;
UserIdentityToken newIdentity = null;
UserTokenPolicy userTokenPolicy = null;
lock (m_lock)
{
// find session.
if (!m_sessions.TryGetValue(authenticationToken, out session))
{
throw new ServiceResultException(StatusCodes.BadSessionClosed);
}
// check if session timeout has expired.
if (session.HasExpired)
{
m_server.CloseSession(null, session.Id, false);
throw new ServiceResultException(StatusCodes.BadSessionClosed);
}
// create new server nonce.
serverNonce = Utils.Nonce.CreateNonce((uint)m_minNonceLength);
// validate before activation.
session.ValidateBeforeActivate(
context,
clientSignature,
clientSoftwareCertificates,
userIdentityToken,
userTokenSignature,
localeIds,
serverNonce,
out newIdentity,
out userTokenPolicy);
}
IUserIdentity identity = null;
IUserIdentity effectiveIdentity = null;
ServiceResult error = null;
try
{
// check if the application has a callback which validates the identity tokens.
lock (m_eventLock)
{
if (m_ImpersonateUser != null)
{
ImpersonateEventArgs args = new ImpersonateEventArgs(newIdentity, userTokenPolicy);
m_ImpersonateUser(session, args);
if (ServiceResult.IsBad(args.IdentityValidationError))
{
error = args.IdentityValidationError;
}
else
{
identity = args.Identity;
effectiveIdentity = args.EffectiveIdentity;
}
}
}
// parse the token manually if the identity is not provided.
if (identity == null)
{
identity = new UserIdentity(newIdentity);
}
// use the identity as the effectiveIdentity if not provided.
if (effectiveIdentity == null)
{
effectiveIdentity = identity;
}
}
catch (Exception e)
{
if (e is ServiceResultException)
{
throw e;
}
throw ServiceResultException.Create(
StatusCodes.BadIdentityTokenInvalid,
e,
"Could not validate user identity token: {0}",
newIdentity);
}
// check for validation error.
if (ServiceResult.IsBad(error))
{
throw new ServiceResultException(error);
}
// activate session.
bool contextChanged = session.Activate(
context,
clientSoftwareCertificates,
newIdentity,
identity,
effectiveIdentity,
localeIds,
serverNonce);
// raise session related event.
if (contextChanged)
{
RaiseSessionEvent(session, SessionEventReason.Activated);
}
// indicates that the identity context for the session has changed.
return(contextChanged);
}
