author | Andrew Arnott <andrewarnott@gmail.com> | 2009-05-30 19:36:35 -0700 |
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-05-31 07:17:09 -0700 |
commit | 434668c1e32fcc0087b220067bb1e4eec2ccbca9 (patch) | |
tree | d4e6305bb8acc6cb32e1404039132ff51ccdaec1 /src | |
parent | 711727fe280964cf0155da7f843d3e910a03d763 (diff) | |
Added RP security configuration option to forcibly ignore unsigned extensions in response messages.
Diffstat (limited to 'src')
4 files changed, 51 insertions, 6 deletions
diff --git a/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs b/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs
index 7cfc388..437a0da 100644
--- a/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs
+++ b/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs
@@ -56,6 +56,11 @@ namespace DotNetOpenAuth.Configuration {
 		private const string RejectDelegatingIdentifiersConfigName = "rejectDelegatingIdentifiers";
 
 		/// <summary>
+		/// Gets the name of the @ignoreUnsignedExtensions attribute.
+		/// </summary>
+		private const string IgnoreUnsignedExtensionsConfigName = "ignoreUnsignedExtensions";
+
+		/// <summary>
 		/// Gets the name of the @privateSecretMaximumAge attribute.
 		/// </summary>
 		private const string PrivateSecretMaximumAgeConfigName = "privateSecretMaximumAge";
@@ -164,6 +169,20 @@ namespace DotNetOpenAuth.Configuration {
 		}
 
 		/// <summary>
+		/// Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored.
+		/// </summary>
+		/// <value>The default value is <c>false</c>.</value>
+		/// <remarks>
+		/// When set to true, the <see cref="IAuthenticationResponse.GetUntrustedExtension"/> methods
+		/// will not return any extension that was not signed by the Provider.
+		/// </remarks>
+		[ConfigurationProperty(IgnoreUnsignedExtensionsConfigName, DefaultValue = false)]
+		public bool IgnoreUnsignedExtensions { get { return (bool)this[IgnoreUnsignedExtensionsConfigName]; } set { this[IgnoreUnsignedExtensionsConfigName] = value; }
+		}
+
+		/// <summary>
 		/// Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.
 		/// </summary>
 		/// <returns>The newly created security settings object.</returns>
@@ -180,6 +199,7 @@ namespace DotNetOpenAuth.Configuration {
 			settings.PrivateSecretMaximumAge = this.PrivateSecretMaximumAge;
 			settings.RejectUnsolicitedAssertions = this.RejectUnsolicitedAssertions;
 			settings.RejectDelegatingIdentifiers = this.RejectDelegatingIdentifiers;
+			settings.IgnoreUnsignedExtensions = this.IgnoreUnsignedExtensions;
 			return settings;
 		}
 	}
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/ExtensionsBindingElement.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/ExtensionsBindingElement.cs
index d9c244f..5fc8a31 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/ExtensionsBindingElement.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/ExtensionsBindingElement.cs
@@ -23,13 +23,26 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 	/// </summary>
 	internal class ExtensionsBindingElement : IChannelBindingElement {
 		/// <summary>
+		/// The security settings that apply to this binding element.
+		/// </summary>
+		private readonly SecuritySettings securitySettings;
+
+		/// <summary>
+		/// The security settings that apply to this relying party, if it is a relying party.
+		/// </summary>
+		private readonly RelyingPartySecuritySettings relyingPartySecuritySettings;
+
+		/// <summary>
 		/// Initializes a new instance of the <see cref="ExtensionsBindingElement"/> class.
 		/// </summary>
 		/// <param name="extensionFactory">The extension factory.</param>
-		internal ExtensionsBindingElement(IOpenIdExtensionFactory extensionFactory) {
+		internal ExtensionsBindingElement(IOpenIdExtensionFactory extensionFactory, SecuritySettings securitySettings) {
 			ErrorUtilities.VerifyArgumentNotNull(extensionFactory, "extensionFactory");
+			ErrorUtilities.VerifyArgumentNotNull(securitySettings, "securitySettings");
 
 			this.ExtensionFactory = extensionFactory;
+			this.securitySettings = securitySettings;
+			this.relyingPartySecuritySettings = securitySettings as RelyingPartySecuritySettings;
 		}
 
 		#region IChannelBindingElement Members
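Review bot: The constructor's XML documentation does not cover the new `securitySettings` parameter; its `<param>` list still names only `extensionFactory`. Add `/// <param name="securitySettings">The security settings that apply to the channel this element serves.</param>` directly below the existing `<param>` line. Separately, the `securitySettings` field is assigned in the constructor but, in the hunks shown, never read — only `relyingPartySecuritySettings` is consulted — so if no other member of the class uses it, keeping only the downcast relying-party settings would avoid dead state; the rest of the class is outside this diff, so that part is inferred.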
@@ -141,10 +154,12 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 
 				// Now search again, considering ALL extensions whether they are signed or not,
 				// skipping the signed ones and adding the new ones as unsigned extensions.
-				Func<string, bool> isNotSigned = typeUri => !extendableMessage.Extensions.Cast<IOpenIdMessageExtension>().Any(ext => ext.TypeUri == typeUri);
-				foreach (IOpenIdMessageExtension unsignedExtension in this.GetExtensions(extendableMessage, false, isNotSigned)) {
-					unsignedExtension.IsSignedByRemoteParty = false;
-					extendableMessage.Extensions.Add(unsignedExtension);
+				if (this.relyingPartySecuritySettings == null || !this.relyingPartySecuritySettings.IgnoreUnsignedExtensions) {
+					Func<string, bool> isNotSigned = typeUri => !extendableMessage.Extensions.Cast<IOpenIdMessageExtension>().Any(ext => ext.TypeUri == typeUri);
+					foreach (IOpenIdMessageExtension unsignedExtension in this.GetExtensions(extendableMessage, false, isNotSigned)) {
+						unsignedExtension.IsSignedByRemoteParty = false;
+						extendableMessage.Extensions.Add(unsignedExtension);
+					}
 				}
 
 				return MessageProtections.None;
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
index 2719276..0f71ebc 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
@@ -341,7 +341,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 			var extensionFactory = OpenIdExtensionFactoryAggregator.LoadFromConfiguration();
 
 			List<IChannelBindingElement> elements = new List<IChannelBindingElement>(8);
-			elements.Add(new ExtensionsBindingElement(extensionFactory));
+			elements.Add(new ExtensionsBindingElement(extensionFactory, securitySettings));
 			if (isRelyingPartyRole) {
 				elements.Add(new RelyingPartySecurityOptions(rpSecuritySettings));
 				elements.Add(new BackwardCompatibilityBindingElement());
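Review bot: When `IgnoreUnsignedExtensions` is enabled, the unsigned extensions are discarded silently inside the new `if` — nothing records that the Provider sent extension data the relying party refused to surface, so an operator investigating a missing extension has no trace to find. An `else` branch that writes a debug-level entry through whatever logger this class already uses (not visible in the hunk) would make the discard observable without changing behaviour. The comment above the `if` — "Now search again, considering ALL extensions whether they are signed or not" — now describes only the enabled branch; prefix it with `// Unless the relying party has opted to ignore unsigned extensions entirely,` so the guard reads as intended. The enclosing method starts and ends outside the hunk.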
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs
index a925e07..7d910d2 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs
@@ -90,6 +90,16 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		public bool RejectDelegatingIdentifiers { get; set; }
 
 		/// <summary>
+		/// Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored.
+		/// </summary>
+		/// <value>The default value is <c>false</c>.</value>
+		/// <remarks>
+		/// When set to true, the <see cref="IAuthenticationResponse.GetUntrustedExtension"/> methods
+		/// will not return any extension that was not signed by the Provider.
+		/// </remarks>
+		public bool IgnoreUnsignedExtensions { get; set; }
+
+		/// <summary>
 		/// Gets or sets a value indicating whether authentication requests will only be
 		/// sent to Providers with whom we can create a shared association.
 		/// </summary>
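Review bot: The `<remarks>` on `IgnoreUnsignedExtensions` say what the flag does but not why a relying party would turn it on, which is the security-relevant part: extension data the Provider did not sign has not been authenticated, and with the documented default of `false` such data is still handed to application code through `GetUntrustedExtension`. Consider adding `/// Extension data that the Provider did not sign has not been authenticated; relying parties that never consume untrusted extension data should set this to <c>true</c> so it is discarded at the channel rather than exposed to the application.` to the remarks. The same remarks block is duplicated on the configuration element in OpenIdRelyingPartySecuritySettingsElement.cs and should carry the same sentence so the two stay in step.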