path: root/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs
Diffstat (limited to 'src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs')
-rw-r--r--src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs82
1 files changed, 54 insertions, 28 deletions
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs
index f7ac3c2..ff29498 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs
@@ -6,6 +6,9 @@
namespace DotNetOpenAuth.OpenId.RelyingParty {
using System;
+ using System.Collections.Generic;
+ using System.Collections.ObjectModel;
+ using System.Linq;
using DotNetOpenAuth.Messaging;
/// <summary>
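Review bot: The added `using System.Collections.ObjectModel;` on the third new line is not referenced by anything in the visible hunks, which only use `IEnumerable<T>` and LINQ's `Where`. If the rest of the file (outside these hunks) does not use it either, it should be dropped to keep the directive list honest. The other two additions are justified by `FilterEndpoints` later in this diff.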
@@ -13,11 +16,6 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
/// </summary>
public sealed class RelyingPartySecuritySettings : SecuritySettings {
/// <summary>
- /// Backing field for the <see cref="RequireSsl"/> property.
- /// </summary>
- private bool requireSsl;
-
- /// <summary>
/// Initializes a new instance of the <see cref="RelyingPartySecuritySettings"/> class.
/// </summary>
internal RelyingPartySecuritySettings()
@@ -26,11 +24,6 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
}
/// <summary>
- /// Fired when the <see cref="RequireSsl"/> property is changed.
- /// </summary>
- internal event EventHandler RequireSslChanged;
-
- /// <summary>
/// Gets or sets a value indicating whether the entire pipeline from Identifier discovery to
/// Provider redirect is guaranteed to be encrypted using HTTPS for authentication to succeed.
/// </summary>
@@ -58,19 +51,13 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
/// A <see cref="ProtocolException"/> is thrown during discovery or authentication when a secure pipeline cannot be established.
/// </para>
/// </remarks>
- public bool RequireSsl {
- get {
- return this.requireSsl;
- }
+ public bool RequireSsl { get; set; }
- set {
- if (this.requireSsl == value) {
- return;
- }
- this.requireSsl = value;
- this.OnRequireSslChanged();
- }
- }
+ /// <summary>
+ /// Gets or sets a value indicating whether only OP Identifiers will be discoverable
+ /// when creating authentication requests.
+ /// </summary>
+ public bool RequireDirectedIdentity { get; set; }
/// <summary>
/// Gets or sets the oldest version of OpenID the remote party is allowed to implement.
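Review bot: Turning `RequireSsl` into a plain auto-property removes the change notification that the old setter raised through `RequireSslChanged`, so any component that used the event to react to the setting (not visible in this diff) must now read the property at the point of use rather than capture it once at construction; please confirm the discovery and request pipeline does this, otherwise a setting flipped after the relying party is created would silently not take effect. The existing remarks above still promise a `ProtocolException` when a secure pipeline cannot be established, so that enforcement must live elsewhere now. Also, the new `RequireDirectedIdentity` property is the only added setting without a `<value>` element; for consistency with the properties added below, add `/// <value>The default value is <c>false</c>.</value>`.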
@@ -86,13 +73,52 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
public TimeSpan PrivateSecretMaximumAge { get; set; }
/// <summary>
- /// Fires the <see cref="RequireSslChanged"/> event.
+ /// Gets or sets a value indicating whether all unsolicited assertions should be ignored.
+ /// </summary>
+ /// <value>The default value is <c>false</c>.</value>
+ public bool RejectUnsolicitedAssertions { get; set; }
+
+ /// <summary>
+ /// Gets or sets a value indicating whether delegating identifiers are refused for authentication.
+ /// </summary>
+ /// <value>The default value is <c>false</c>.</value>
+ /// <remarks>
+ /// When set to <c>true</c>, login attempts that start at the RP or arrive via unsolicited
+ /// assertions will be rejected if discovery on the identifier shows that OpenID delegation
+ /// is used for the identifier. This is useful for an RP that should only accept identifiers
+ /// directly issued by the Provider that is sending the assertion.
+ /// </remarks>
+ public bool RejectDelegatingIdentifiers { get; set; }
+
+ /// <summary>
+ /// Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored.
+ /// </summary>
+ /// <value>The default value is <c>false</c>.</value>
+ /// <remarks>
+ /// When set to true, the <see cref="IAuthenticationResponse.GetUntrustedExtension"/> methods
+ /// will not return any extension that was not signed by the Provider.
+ /// </remarks>
+ public bool IgnoreUnsignedExtensions { get; set; }
+
+ /// <summary>
+ /// Gets or sets a value indicating whether authentication requests will only be
+ /// sent to Providers with whom we can create a shared association.
+ /// </summary>
+ /// <value>
+ /// <c>true</c> to immediately fail authentication if an association with the Provider cannot be established; otherwise, <c>false</c>.
+ /// The default value is <c>false</c>.
+ /// </value>
+ public bool RequireAssociation { get; set; }
+
+ /// <summary>
+ /// Filters out any disallowed endpoints.
/// </summary>
- private void OnRequireSslChanged() {
- EventHandler requireSslChanged = this.RequireSslChanged;
- if (requireSslChanged != null) {
- requireSslChanged(this, new EventArgs());
- }
+ /// <param name="endpoints">The endpoints discovered on an Identifier.</param>
+ /// <returns>A sequence of endpoints that satisfy all security requirements.</returns>
+ internal IEnumerable<ServiceEndpoint> FilterEndpoints(IEnumerable<ServiceEndpoint> endpoints) {
+ return endpoints
+ .Where(se => !this.RejectDelegatingIdentifiers || se.ClaimedIdentifier == se.ProviderLocalIdentifier)
+ .Where(se => !this.RequireDirectedIdentity || se.ClaimedIdentifier == se.Protocol.ClaimedIdentifierForOPIdentifier);
}
}
}
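Review bot: The `<returns>` comment on `FilterEndpoints` overstates what the method does: the two `Where` clauses enforce only `RejectDelegatingIdentifiers` and `RequireDirectedIdentity`, while `RequireSsl`, `RequireAssociation` and the other settings added in this hunk are not applied here, so a reader may assume this is the single security gate for discovered endpoints. Suggest `/// <returns>The endpoints that pass the <see cref="RejectDelegatingIdentifiers"/> and <see cref="RequireDirectedIdentity"/> checks; other settings are enforced elsewhere.</returns>`. Because the LINQ chain is deferred, each predicate reads `this.RejectDelegatingIdentifiers` and `this.RequireDirectedIdentity` at enumeration time rather than at the call, which is worth a one-line comment if callers may mutate settings in between. The `==` comparisons presumably rely on an overloaded equality on the identifier type; if that type compares by reference, both filters would reject every endpoint, so a quick check that value equality is intended here would be good.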