diff options
Diffstat (limited to 'src/DotNetOpenAuth.OpenId/Configuration')
5 files changed, 640 insertions, 0 deletions
diff --git a/src/DotNetOpenAuth.OpenId/Configuration/OpenIdElement.cs b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdElement.cs index e45e56e..c6b17a8 100644 --- a/src/DotNetOpenAuth.OpenId/Configuration/OpenIdElement.cs +++ b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdElement.cs @@ -23,6 +23,16 @@ namespace DotNetOpenAuth.Configuration { private const string SectionName = DotNetOpenAuthSection.SectionName + "/openid"; /// <summary> + /// The name of the <relyingParty> sub-element. + /// </summary> + private const string RelyingPartyElementName = "relyingParty"; + + /// <summary> + /// The name of the <provider> sub-element. + /// </summary> + private const string ProviderElementName = "provider"; + + /// <summary> /// The name of the <extensions> sub-element. /// </summary> private const string ExtensionFactoriesElementName = "extensionFactories"; @@ -103,6 +113,24 @@ namespace DotNetOpenAuth.Configuration { } /// <summary> + /// Gets or sets the configuration specific for Relying Parties. + /// </summary> + [ConfigurationProperty(RelyingPartyElementName)] + internal OpenIdRelyingPartyElement RelyingParty { + get { return (OpenIdRelyingPartyElement)indexer[RelyingPartyElementName] ?? new OpenIdRelyingPartyElement(); } + set { indexer[RelyingPartyElementName] = value; } + } + + /// <summary> + /// Gets or sets the configuration specific for Providers. + /// </summary> + [ConfigurationProperty(ProviderElementName)] + internal OpenIdProviderElement Provider { + get { return (OpenIdProviderElement)indexer[ProviderElementName] ?? new OpenIdProviderElement(); } + set { indexer[ProviderElementName] = value; } + } + + /// <summary> /// Gets or sets the registered OpenID extension factories. /// </summary> [ConfigurationProperty(ExtensionFactoriesElementName, IsDefaultCollection = false)] diff --git a/src/DotNetOpenAuth.OpenId/Configuration/OpenIdProviderElement.cs b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdProviderElement.cs new file mode 100644 index 0000000..6f5a043 --- /dev/null +++ b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdProviderElement.cs @@ -0,0 +1,72 @@ +//----------------------------------------------------------------------- +// <copyright file="OpenIdProviderElement.cs" company="Andrew Arnott"> +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.Configuration { + using System.Configuration; + using System.Diagnostics.Contracts; + using DotNetOpenAuth.OpenId; + using DotNetOpenAuth.OpenId.Provider; + + /// <summary> + /// The section in the .config file that allows customization of OpenID Provider behaviors. + /// </summary> + [ContractVerification(true)] + internal class OpenIdProviderElement : ConfigurationElement { + /// <summary> + /// The name of the <provider> sub-element. + /// </summary> + private const string ProviderElementName = "provider"; + + /// <summary> + /// The name of the security sub-element. + /// </summary> + private const string SecuritySettingsConfigName = "security"; + + /// <summary> + /// Gets the name of the <behaviors> sub-element. + /// </summary> + private const string BehaviorsElementName = "behaviors"; + + /// <summary> + /// The name of the custom store sub-element. + /// </summary> + private const string StoreConfigName = "store"; + + /// <summary> + /// Initializes a new instance of the <see cref="OpenIdProviderElement"/> class. + /// </summary> + public OpenIdProviderElement() { + } + + /// <summary> + /// Gets or sets the security settings. + /// </summary> + [ConfigurationProperty(SecuritySettingsConfigName)] + public OpenIdProviderSecuritySettingsElement SecuritySettings { + get { return (OpenIdProviderSecuritySettingsElement)this[SecuritySettingsConfigName] ?? new OpenIdProviderSecuritySettingsElement(); } + set { this[SecuritySettingsConfigName] = value; } + } + + /// <summary> + /// Gets or sets the special behaviors to apply. + /// </summary> + [ConfigurationProperty(BehaviorsElementName, IsDefaultCollection = false)] + [ConfigurationCollection(typeof(TypeConfigurationCollection<IProviderBehavior>))] + public TypeConfigurationCollection<IProviderBehavior> Behaviors { + get { return (TypeConfigurationCollection<IProviderBehavior>)this[BehaviorsElementName] ?? new TypeConfigurationCollection<IProviderBehavior>(); } + set { this[BehaviorsElementName] = value; } + } + + /// <summary> + /// Gets or sets the type to use for storing application state. + /// </summary> + [ConfigurationProperty(StoreConfigName)] + public TypeConfigurationElement<IOpenIdApplicationStore> ApplicationStore { + get { return (TypeConfigurationElement<IOpenIdApplicationStore>)this[StoreConfigName] ?? new TypeConfigurationElement<IOpenIdApplicationStore>(); } + set { this[StoreConfigName] = value; } + } + } +} diff --git a/src/DotNetOpenAuth.OpenId/Configuration/OpenIdProviderSecuritySettingsElement.cs b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdProviderSecuritySettingsElement.cs new file mode 100644 index 0000000..0d8e8b4 --- /dev/null +++ b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdProviderSecuritySettingsElement.cs @@ -0,0 +1,154 @@ +//----------------------------------------------------------------------- +// <copyright file="OpenIdProviderSecuritySettingsElement.cs" company="Andrew Arnott"> +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.Configuration { + using System.Configuration; + using System.Diagnostics.Contracts; + using DotNetOpenAuth.OpenId; + using DotNetOpenAuth.OpenId.Provider; + + /// <summary> + /// Represents the .config file element that allows for setting the security policies of the Provider. + /// </summary> + [ContractVerification(true)] + internal class OpenIdProviderSecuritySettingsElement : ConfigurationElement { + /// <summary> + /// Gets the name of the @protectDownlevelReplayAttacks attribute. + /// </summary> + private const string ProtectDownlevelReplayAttacksConfigName = "protectDownlevelReplayAttacks"; + + /// <summary> + /// Gets the name of the @minimumHashBitLength attribute. + /// </summary> + private const string MinimumHashBitLengthConfigName = "minimumHashBitLength"; + + /// <summary> + /// Gets the name of the @maximumHashBitLength attribute. + /// </summary> + private const string MaximumHashBitLengthConfigName = "maximumHashBitLength"; + + /// <summary> + /// The name of the associations collection sub-element. + /// </summary> + private const string AssociationsConfigName = "associations"; + + /// <summary> + /// The name of the @encodeAssociationSecretsInHandles attribute. + /// </summary> + private const string EncodeAssociationSecretsInHandlesConfigName = "encodeAssociationSecretsInHandles"; + + /// <summary> + /// Gets the name of the @requireSsl attribute. + /// </summary> + private const string RequireSslConfigName = "requireSsl"; + + /// <summary> + /// Gets the name of the @unsolicitedAssertionVerification attribute. + /// </summary> + private const string UnsolicitedAssertionVerificationConfigName = "unsolicitedAssertionVerification"; + + /// <summary> + /// Initializes a new instance of the <see cref="OpenIdProviderSecuritySettingsElement"/> class. + /// </summary> + public OpenIdProviderSecuritySettingsElement() { + } + + /// <summary> + /// Gets or sets a value indicating whether all discovery and authentication should require SSL security. + /// </summary> + [ConfigurationProperty(RequireSslConfigName, DefaultValue = false)] + public bool RequireSsl { + get { return (bool)this[RequireSslConfigName]; } + set { this[RequireSslConfigName] = value; } + } + + /// <summary> + /// Gets or sets the minimum length of the hash that protects the protocol from hijackers. + /// </summary> + [ConfigurationProperty(MinimumHashBitLengthConfigName, DefaultValue = SecuritySettings.MinimumHashBitLengthDefault)] + public int MinimumHashBitLength { + get { return (int)this[MinimumHashBitLengthConfigName]; } + set { this[MinimumHashBitLengthConfigName] = value; } + } + + /// <summary> + /// Gets or sets the maximum length of the hash that protects the protocol from hijackers. + /// </summary> + [ConfigurationProperty(MaximumHashBitLengthConfigName, DefaultValue = SecuritySettings.MaximumHashBitLengthRPDefault)] + public int MaximumHashBitLength { + get { return (int)this[MaximumHashBitLengthConfigName]; } + set { this[MaximumHashBitLengthConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether the Provider should take special care + /// to protect OpenID 1.x relying parties against replay attacks. + /// </summary> + [ConfigurationProperty(ProtectDownlevelReplayAttacksConfigName, DefaultValue = ProviderSecuritySettings.ProtectDownlevelReplayAttacksDefault)] + public bool ProtectDownlevelReplayAttacks { + get { return (bool)this[ProtectDownlevelReplayAttacksConfigName]; } + set { this[ProtectDownlevelReplayAttacksConfigName] = value; } + } + + /// <summary> + /// Gets or sets the level of verification a Provider performs on an identifier before + /// sending an unsolicited assertion for it. + /// </summary> + /// <value>The default value is <see cref="ProviderSecuritySettings.UnsolicitedAssertionVerificationLevel.RequireSuccess"/>.</value> + [ConfigurationProperty(UnsolicitedAssertionVerificationConfigName, DefaultValue = ProviderSecuritySettings.UnsolicitedAssertionVerificationDefault)] + public ProviderSecuritySettings.UnsolicitedAssertionVerificationLevel UnsolicitedAssertionVerification { + get { return (ProviderSecuritySettings.UnsolicitedAssertionVerificationLevel)this[UnsolicitedAssertionVerificationConfigName]; } + set { this[UnsolicitedAssertionVerificationConfigName] = value; } + } + + /// <summary> + /// Gets or sets the configured lifetimes of the various association types. + /// </summary> + [ConfigurationProperty(AssociationsConfigName, IsDefaultCollection = false)] + [ConfigurationCollection(typeof(AssociationTypeCollection))] + public AssociationTypeCollection AssociationLifetimes { + get { + Contract.Ensures(Contract.Result<AssociationTypeCollection>() != null); + return (AssociationTypeCollection)this[AssociationsConfigName] ?? new AssociationTypeCollection(); + } + + set { + this[AssociationsConfigName] = value; + } + } + + /// <summary> + /// Gets or sets a value indicating whether the Provider should ease the burden of storing associations + /// by encoding their secrets (in signed, encrypted form) into the association handles themselves, storing only + /// a few rotating, private symmetric keys in the Provider's store instead. + /// </summary> + [ConfigurationProperty(EncodeAssociationSecretsInHandlesConfigName, DefaultValue = ProviderSecuritySettings.EncodeAssociationSecretsInHandlesDefault)] + public bool EncodeAssociationSecretsInHandles { + get { return (bool)this[EncodeAssociationSecretsInHandlesConfigName]; } + set { this[EncodeAssociationSecretsInHandlesConfigName] = value; } + } + + /// <summary> + /// Initializes a programmatically manipulatable bag of these security settings with the settings from the config file. + /// </summary> + /// <returns>The newly created security settings object.</returns> + public ProviderSecuritySettings CreateSecuritySettings() { + ProviderSecuritySettings settings = new ProviderSecuritySettings(); + settings.RequireSsl = this.RequireSsl; + settings.MinimumHashBitLength = this.MinimumHashBitLength; + settings.MaximumHashBitLength = this.MaximumHashBitLength; + settings.ProtectDownlevelReplayAttacks = this.ProtectDownlevelReplayAttacks; + settings.UnsolicitedAssertionVerification = this.UnsolicitedAssertionVerification; + settings.EncodeAssociationSecretsInHandles = this.EncodeAssociationSecretsInHandles; + foreach (AssociationTypeElement element in this.AssociationLifetimes) { + Contract.Assume(element != null); + settings.AssociationLifetimes.Add(element.AssociationType, element.MaximumLifetime); + } + + return settings; + } + } +} diff --git a/src/DotNetOpenAuth.OpenId/Configuration/OpenIdRelyingPartyElement.cs b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdRelyingPartyElement.cs new file mode 100644 index 0000000..c80141a --- /dev/null +++ b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdRelyingPartyElement.cs @@ -0,0 +1,120 @@ +//----------------------------------------------------------------------- +// <copyright file="OpenIdRelyingPartyElement.cs" company="Andrew Arnott"> +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.Configuration { + using System; + using System.Configuration; + using System.Diagnostics.Contracts; + using DotNetOpenAuth.OpenId; + using DotNetOpenAuth.OpenId.RelyingParty; + + /// <summary> + /// The section in the .config file that allows customization of OpenID Relying Party behaviors. + /// </summary> + [ContractVerification(true)] + internal class OpenIdRelyingPartyElement : ConfigurationElement { + /// <summary> + /// The name of the custom store sub-element. + /// </summary> + private const string StoreConfigName = "store"; + + /// <summary> + /// The name of the <relyingParty> sub-element. + /// </summary> + private const string RelyingPartyElementName = "relyingParty"; + + /// <summary> + /// The name of the attribute that specifies whether dnoa.userSuppliedIdentifier is tacked onto the openid.return_to URL. + /// </summary> + private const string PreserveUserSuppliedIdentifierConfigName = "preserveUserSuppliedIdentifier"; + + /// <summary> + /// Gets the name of the security sub-element. + /// </summary> + private const string SecuritySettingsConfigName = "security"; + + /// <summary> + /// The name of the <behaviors> sub-element. + /// </summary> + private const string BehaviorsElementName = "behaviors"; + + /// <summary> + /// The name of the <discoveryServices> sub-element. + /// </summary> + private const string DiscoveryServicesElementName = "discoveryServices"; + + /// <summary> + /// The built-in set of identifier discovery services. + /// </summary> + private static readonly TypeConfigurationCollection<IIdentifierDiscoveryService> defaultDiscoveryServices = new TypeConfigurationCollection<IIdentifierDiscoveryService>(new Type[] { typeof(UriDiscoveryService), typeof(XriDiscoveryProxyService) }); + + /// <summary> + /// Initializes a new instance of the <see cref="OpenIdRelyingPartyElement"/> class. + /// </summary> + public OpenIdRelyingPartyElement() { + } + + /// <summary> + /// Gets or sets a value indicating whether "dnoa.userSuppliedIdentifier" is tacked onto the openid.return_to URL in order to preserve what the user typed into the OpenID box. + /// </summary> + /// <value> + /// The default value is <c>true</c>. + /// </value> + [ConfigurationProperty(PreserveUserSuppliedIdentifierConfigName, DefaultValue = true)] + public bool PreserveUserSuppliedIdentifier { + get { return (bool)this[PreserveUserSuppliedIdentifierConfigName]; } + set { this[PreserveUserSuppliedIdentifierConfigName] = value; } + } + + /// <summary> + /// Gets or sets the security settings. + /// </summary> + [ConfigurationProperty(SecuritySettingsConfigName)] + public OpenIdRelyingPartySecuritySettingsElement SecuritySettings { + get { return (OpenIdRelyingPartySecuritySettingsElement)this[SecuritySettingsConfigName] ?? new OpenIdRelyingPartySecuritySettingsElement(); } + set { this[SecuritySettingsConfigName] = value; } + } + + /// <summary> + /// Gets or sets the special behaviors to apply. + /// </summary> + [ConfigurationProperty(BehaviorsElementName, IsDefaultCollection = false)] + [ConfigurationCollection(typeof(TypeConfigurationCollection<IRelyingPartyBehavior>))] + public TypeConfigurationCollection<IRelyingPartyBehavior> Behaviors { + get { return (TypeConfigurationCollection<IRelyingPartyBehavior>)this[BehaviorsElementName] ?? new TypeConfigurationCollection<IRelyingPartyBehavior>(); } + set { this[BehaviorsElementName] = value; } + } + + /// <summary> + /// Gets or sets the type to use for storing application state. + /// </summary> + [ConfigurationProperty(StoreConfigName)] + public TypeConfigurationElement<IOpenIdApplicationStore> ApplicationStore { + get { return (TypeConfigurationElement<IOpenIdApplicationStore>)this[StoreConfigName] ?? new TypeConfigurationElement<IOpenIdApplicationStore>(); } + set { this[StoreConfigName] = value; } + } + + /// <summary> + /// Gets or sets the services to use for discovering service endpoints for identifiers. + /// </summary> + /// <remarks> + /// If no discovery services are defined in the (web) application's .config file, + /// the default set of discovery services built into the library are used. + /// </remarks> + [ConfigurationProperty(DiscoveryServicesElementName, IsDefaultCollection = false)] + [ConfigurationCollection(typeof(TypeConfigurationCollection<IIdentifierDiscoveryService>))] + internal TypeConfigurationCollection<IIdentifierDiscoveryService> DiscoveryServices { + get { + var configResult = (TypeConfigurationCollection<IIdentifierDiscoveryService>)this[DiscoveryServicesElementName]; + return configResult != null && configResult.Count > 0 ? configResult : defaultDiscoveryServices; + } + + set { + this[DiscoveryServicesElementName] = value; + } + } + } +} diff --git a/src/DotNetOpenAuth.OpenId/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs new file mode 100644 index 0000000..225b1e7 --- /dev/null +++ b/src/DotNetOpenAuth.OpenId/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs @@ -0,0 +1,266 @@ +//----------------------------------------------------------------------- +// <copyright file="OpenIdRelyingPartySecuritySettingsElement.cs" company="Andrew Arnott"> +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.Configuration { + using System; + using System.Configuration; + using System.Diagnostics.Contracts; + using DotNetOpenAuth.OpenId; + using DotNetOpenAuth.OpenId.RelyingParty; + + /// <summary> + /// Represents the .config file element that allows for setting the security policies of the Relying Party. + /// </summary> + internal class OpenIdRelyingPartySecuritySettingsElement : ConfigurationElement { + /// <summary> + /// Gets the name of the @minimumRequiredOpenIdVersion attribute. + /// </summary> + private const string MinimumRequiredOpenIdVersionConfigName = "minimumRequiredOpenIdVersion"; + + /// <summary> + /// Gets the name of the @minimumHashBitLength attribute. + /// </summary> + private const string MinimumHashBitLengthConfigName = "minimumHashBitLength"; + + /// <summary> + /// Gets the name of the @maximumHashBitLength attribute. + /// </summary> + private const string MaximumHashBitLengthConfigName = "maximumHashBitLength"; + + /// <summary> + /// Gets the name of the @requireSsl attribute. + /// </summary> + private const string RequireSslConfigName = "requireSsl"; + + /// <summary> + /// Gets the name of the @requireDirectedIdentity attribute. + /// </summary> + private const string RequireDirectedIdentityConfigName = "requireDirectedIdentity"; + + /// <summary> + /// Gets the name of the @requireAssociation attribute. + /// </summary> + private const string RequireAssociationConfigName = "requireAssociation"; + + /// <summary> + /// Gets the name of the @rejectUnsolicitedAssertions attribute. + /// </summary> + private const string RejectUnsolicitedAssertionsConfigName = "rejectUnsolicitedAssertions"; + + /// <summary> + /// Gets the name of the @rejectDelegatedIdentifiers attribute. + /// </summary> + private const string RejectDelegatingIdentifiersConfigName = "rejectDelegatingIdentifiers"; + + /// <summary> + /// Gets the name of the @ignoreUnsignedExtensions attribute. + /// </summary> + private const string IgnoreUnsignedExtensionsConfigName = "ignoreUnsignedExtensions"; + + /// <summary> + /// Gets the name of the @allowDualPurposeIdentifiers attribute. + /// </summary> + private const string AllowDualPurposeIdentifiersConfigName = "allowDualPurposeIdentifiers"; + + /// <summary> + /// Gets the name of the @allowApproximateIdentifierDiscovery attribute. + /// </summary> + private const string AllowApproximateIdentifierDiscoveryConfigName = "allowApproximateIdentifierDiscovery"; + + /// <summary> + /// Gets the name of the @protectDownlevelReplayAttacks attribute. + /// </summary> + private const string ProtectDownlevelReplayAttacksConfigName = "protectDownlevelReplayAttacks"; + + /// <summary> + /// The name of the <trustedProviders> sub-element. + /// </summary> + private const string TrustedProvidersElementName = "trustedProviders"; + + /// <summary> + /// Initializes a new instance of the <see cref="OpenIdRelyingPartySecuritySettingsElement"/> class. + /// </summary> + public OpenIdRelyingPartySecuritySettingsElement() { + } + + /// <summary> + /// Gets or sets a value indicating whether all discovery and authentication should require SSL security. + /// </summary> + [ConfigurationProperty(RequireSslConfigName, DefaultValue = false)] + public bool RequireSsl { + get { return (bool)this[RequireSslConfigName]; } + set { this[RequireSslConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether only OP Identifiers will be discoverable + /// when creating authentication requests. + /// </summary> + [ConfigurationProperty(RequireDirectedIdentityConfigName, DefaultValue = false)] + public bool RequireDirectedIdentity { + get { return (bool)this[RequireDirectedIdentityConfigName]; } + set { this[RequireDirectedIdentityConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether authentication requests + /// will only be created where an association with the Provider can be established. + /// </summary> + [ConfigurationProperty(RequireAssociationConfigName, DefaultValue = false)] + public bool RequireAssociation { + get { return (bool)this[RequireAssociationConfigName]; } + set { this[RequireAssociationConfigName] = value; } + } + + /// <summary> + /// Gets or sets the minimum OpenID version a Provider is required to support in order for this library to interoperate with it. + /// </summary> + /// <remarks> + /// Although the earliest versions of OpenID are supported, for security reasons it may be desirable to require the + /// remote party to support a later version of OpenID. + /// </remarks> + [ConfigurationProperty(MinimumRequiredOpenIdVersionConfigName, DefaultValue = "V10")] + public ProtocolVersion MinimumRequiredOpenIdVersion { + get { return (ProtocolVersion)this[MinimumRequiredOpenIdVersionConfigName]; } + set { this[MinimumRequiredOpenIdVersionConfigName] = value; } + } + + /// <summary> + /// Gets or sets the minimum length of the hash that protects the protocol from hijackers. + /// </summary> + [ConfigurationProperty(MinimumHashBitLengthConfigName, DefaultValue = SecuritySettings.MinimumHashBitLengthDefault)] + public int MinimumHashBitLength { + get { return (int)this[MinimumHashBitLengthConfigName]; } + set { this[MinimumHashBitLengthConfigName] = value; } + } + + /// <summary> + /// Gets or sets the maximum length of the hash that protects the protocol from hijackers. + /// </summary> + [ConfigurationProperty(MaximumHashBitLengthConfigName, DefaultValue = SecuritySettings.MaximumHashBitLengthRPDefault)] + public int MaximumHashBitLength { + get { return (int)this[MaximumHashBitLengthConfigName]; } + set { this[MaximumHashBitLengthConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether all unsolicited assertions should be ignored. + /// </summary> + /// <value>The default value is <c>false</c>.</value> + [ConfigurationProperty(RejectUnsolicitedAssertionsConfigName, DefaultValue = false)] + public bool RejectUnsolicitedAssertions { + get { return (bool)this[RejectUnsolicitedAssertionsConfigName]; } + set { this[RejectUnsolicitedAssertionsConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether delegating identifiers are refused for authentication. + /// </summary> + /// <value>The default value is <c>false</c>.</value> + /// <remarks> + /// When set to <c>true</c>, login attempts that start at the RP or arrive via unsolicited + /// assertions will be rejected if discovery on the identifier shows that OpenID delegation + /// is used for the identifier. This is useful for an RP that should only accept identifiers + /// directly issued by the Provider that is sending the assertion. + /// </remarks> + [ConfigurationProperty(RejectDelegatingIdentifiersConfigName, DefaultValue = false)] + public bool RejectDelegatingIdentifiers { + get { return (bool)this[RejectDelegatingIdentifiersConfigName]; } + set { this[RejectDelegatingIdentifiersConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored. + /// </summary> + /// <value>The default value is <c>false</c>.</value> + /// <remarks> + /// When set to true, the <see cref="IAuthenticationResponse.GetUntrustedExtension"/> methods + /// will not return any extension that was not signed by the Provider. + /// </remarks> + [ConfigurationProperty(IgnoreUnsignedExtensionsConfigName, DefaultValue = false)] + public bool IgnoreUnsignedExtensions { + get { return (bool)this[IgnoreUnsignedExtensionsConfigName]; } + set { this[IgnoreUnsignedExtensionsConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether identifiers that are both OP Identifiers and Claimed Identifiers + /// should ever be recognized as claimed identifiers. + /// </summary> + /// <value> + /// The default value is <c>false</c>, per the OpenID 2.0 spec. + /// </value> + [ConfigurationProperty(AllowDualPurposeIdentifiersConfigName, DefaultValue = false)] + public bool AllowDualPurposeIdentifiers { + get { return (bool)this[AllowDualPurposeIdentifiersConfigName]; } + set { this[AllowDualPurposeIdentifiersConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether certain Claimed Identifiers that exploit + /// features that .NET does not have the ability to send exact HTTP requests for will + /// still be allowed by using an approximate HTTP request. + /// </summary> + /// <value> + /// The default value is <c>true</c>. + /// </value> + [ConfigurationProperty(AllowApproximateIdentifierDiscoveryConfigName, DefaultValue = true)] + public bool AllowApproximateIdentifierDiscovery { + get { return (bool)this[AllowApproximateIdentifierDiscoveryConfigName]; } + set { this[AllowApproximateIdentifierDiscoveryConfigName] = value; } + } + + /// <summary> + /// Gets or sets a value indicating whether the Relying Party should take special care + /// to protect users against replay attacks when interoperating with OpenID 1.1 Providers. + /// </summary> + [ConfigurationProperty(ProtectDownlevelReplayAttacksConfigName, DefaultValue = RelyingPartySecuritySettings.ProtectDownlevelReplayAttacksDefault)] + public bool ProtectDownlevelReplayAttacks { + get { return (bool)this[ProtectDownlevelReplayAttacksConfigName]; } + set { this[ProtectDownlevelReplayAttacksConfigName] = value; } + } + + /// <summary> + /// Gets or sets the set of trusted OpenID Provider Endpoints. + /// </summary> + [ConfigurationProperty(TrustedProvidersElementName, IsDefaultCollection = false)] + [ConfigurationCollection(typeof(TrustedProviderConfigurationCollection))] + public TrustedProviderConfigurationCollection TrustedProviders { + get { return (TrustedProviderConfigurationCollection)this[TrustedProvidersElementName] ?? new TrustedProviderConfigurationCollection(); } + set { this[TrustedProvidersElementName] = value; } + } + + /// <summary> + /// Initializes a programmatically manipulatable bag of these security settings with the settings from the config file. + /// </summary> + /// <returns>The newly created security settings object.</returns> + public RelyingPartySecuritySettings CreateSecuritySettings() { + Contract.Ensures(Contract.Result<RelyingPartySecuritySettings>() != null); + + RelyingPartySecuritySettings settings = new RelyingPartySecuritySettings(); + settings.RequireSsl = this.RequireSsl; + settings.RequireDirectedIdentity = this.RequireDirectedIdentity; + settings.RequireAssociation = this.RequireAssociation; + settings.MinimumRequiredOpenIdVersion = this.MinimumRequiredOpenIdVersion; + settings.MinimumHashBitLength = this.MinimumHashBitLength; + settings.MaximumHashBitLength = this.MaximumHashBitLength; + settings.PrivateSecretMaximumAge = DotNetOpenAuthSection.Messaging.PrivateSecretMaximumAge; + settings.RejectUnsolicitedAssertions = this.RejectUnsolicitedAssertions; + settings.RejectDelegatingIdentifiers = this.RejectDelegatingIdentifiers; + settings.IgnoreUnsignedExtensions = this.IgnoreUnsignedExtensions; + settings.AllowDualPurposeIdentifiers = this.AllowDualPurposeIdentifiers; + settings.AllowApproximateIdentifierDiscovery = this.AllowApproximateIdentifierDiscovery; + settings.ProtectDownlevelReplayAttacks = this.ProtectDownlevelReplayAttacks; + + settings.RejectAssertionsFromUntrustedProviders = this.TrustedProviders.RejectAssertionsFromUntrustedProviders; + foreach (TrustedProviderEndpointConfigurationElement opEndpoint in this.TrustedProviders) { + settings.TrustedProviderEndpoints.Add(opEndpoint.ProviderEndpoint); + } + + return settings; + } + } +} |