//-----------------------------------------------------------------------
//
// Copyright (c) Outercurve Foundation. All rights reserved.
//
//-----------------------------------------------------------------------
namespace DotNetOpenAuth.Configuration {
using System.Configuration;
using System.Globalization;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Provider;
/// <summary>
/// Represents the .config file element that allows for setting the security policies of the Provider.
/// The attribute values are copied into a <see cref="ProviderSecuritySettings"/> by <see cref="CreateSecuritySettings"/>.
/// </summary>
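internal class OpenIdProviderSecuritySettingsElement : ConfigurationElement {
	/// <summary>
	/// The name of the @protectDownlevelReplayAttacks attribute.
	/// </summary>
	private const string ProtectDownlevelReplayAttacksConfigName = "protectDownlevelReplayAttacks";

	/// <summary>
	/// The name of the @minimumHashBitLength attribute.
	/// </summary>
	private const string MinimumHashBitLengthConfigName = "minimumHashBitLength";

	/// <summary>
	/// The name of the @maximumHashBitLength attribute.
	/// </summary>
	private const string MaximumHashBitLengthConfigName = "maximumHashBitLength";

	/// <summary>
	/// The name of the associations collection sub-element.
	/// </summary>
	private const string AssociationsConfigName = "associations";

	/// <summary>
	/// The name of the @encodeAssociationSecretsInHandles attribute.
	/// </summary>
	private const string EncodeAssociationSecretsInHandlesConfigName = "encodeAssociationSecretsInHandles";

	/// <summary>
	/// The name of the @requireSsl attribute.
	/// </summary>
	private const string RequireSslConfigName = "requireSsl";

	/// <summary>
	/// The name of the @unsolicitedAssertionVerification attribute.
	/// </summary>
	private const string UnsolicitedAssertionVerificationConfigName = "unsolicitedAssertionVerification";

	/// <summary>
	/// Initializes a new instance of the <see cref="OpenIdProviderSecuritySettingsElement"/> class.
	/// </summary>
	public OpenIdProviderSecuritySettingsElement() {
	}

	/// <summary>
	/// Gets or sets a value indicating whether all discovery and authentication should require SSL security.
	/// </summary>
	/// <remarks>
	/// Defaults to <c>false</c>, so an absent attribute leaves the Provider permissive.
	/// A Provider reachable over the public internet should set this to <c>true</c>; with the
	/// default, discovery and authentication traffic may be carried over plain HTTP, where it can be
	/// observed or altered in transit.
	/// </remarks>
	[ConfigurationProperty(RequireSslConfigName, DefaultValue = false)]
	public bool RequireSsl {
		get { return (bool)this[RequireSslConfigName]; }
		set { this[RequireSslConfigName] = value; }
	}

	/// <summary>
	/// Gets or sets the minimum length, in bits, of the hash that protects the protocol from hijackers.
	/// </summary>
	/// <remarks>
	/// Must be positive and no greater than <see cref="MaximumHashBitLength"/>;
	/// <see cref="CreateSecuritySettings"/> rejects any other combination.
	/// </remarks>
	[ConfigurationProperty(MinimumHashBitLengthConfigName, DefaultValue = SecuritySettings.MinimumHashBitLengthDefault)]
	public int MinimumHashBitLength {
		get { return (int)this[MinimumHashBitLengthConfigName]; }
		set { this[MinimumHashBitLengthConfigName] = value; }
	}

	/// <summary>
	/// Gets or sets the maximum length, in bits, of the hash that protects the protocol from hijackers.
	/// </summary>
	/// <remarks>
	/// NOTE(review): the default borrows the relying-party constant
	/// (<see cref="SecuritySettings.MaximumHashBitLengthRPDefault"/>) even though this element configures
	/// a Provider. Confirm it matches the programmatic <see cref="ProviderSecuritySettings"/> default so a
	/// config-driven Provider does not negotiate a narrower hash range than a code-configured one.
	/// </remarks>
	[ConfigurationProperty(MaximumHashBitLengthConfigName, DefaultValue = SecuritySettings.MaximumHashBitLengthRPDefault)]
	public int MaximumHashBitLength {
		get { return (int)this[MaximumHashBitLengthConfigName]; }
		set { this[MaximumHashBitLengthConfigName] = value; }
	}

	/// <summary>
	/// Gets or sets a value indicating whether the Provider should take special care
	/// to protect OpenID 1.x relying parties against replay attacks.
	/// </summary>
	/// <remarks>
	/// The default is <see cref="ProviderSecuritySettings.ProtectDownlevelReplayAttacksDefault"/>.
	/// </remarks>
	[ConfigurationProperty(ProtectDownlevelReplayAttacksConfigName, DefaultValue = ProviderSecuritySettings.ProtectDownlevelReplayAttacksDefault)]
	public bool ProtectDownlevelReplayAttacks {
		get { return (bool)this[ProtectDownlevelReplayAttacksConfigName]; }
		set { this[ProtectDownlevelReplayAttacksConfigName] = value; }
	}

	/// <summary>
	/// Gets or sets the level of verification a Provider performs on an identifier before
	/// sending an unsolicited assertion for it.
	/// </summary>
	/// <remarks>
	/// The default value is <see cref="ProviderSecuritySettings.UnsolicitedAssertionVerificationDefault"/>.
	/// </remarks>
	[ConfigurationProperty(UnsolicitedAssertionVerificationConfigName, DefaultValue = ProviderSecuritySettings.UnsolicitedAssertionVerificationDefault)]
	public ProviderSecuritySettings.UnsolicitedAssertionVerificationLevel UnsolicitedAssertionVerification {
		get { return (ProviderSecuritySettings.UnsolicitedAssertionVerificationLevel)this[UnsolicitedAssertionVerificationConfigName]; }
		set { this[UnsolicitedAssertionVerificationConfigName] = value; }
	}

	/// <summary>
	/// Gets or sets the configured lifetimes of the various association types.
	/// </summary>
	/// <remarks>
	/// The getter never returns <c>null</c>: when the sub-element is absent an empty collection is returned.
	/// </remarks>
	[ConfigurationProperty(AssociationsConfigName, IsDefaultCollection = false)]
	[ConfigurationCollection(typeof(AssociationTypeCollection))]
	public AssociationTypeCollection AssociationLifetimes {
		get {
			return (AssociationTypeCollection)this[AssociationsConfigName] ?? new AssociationTypeCollection();
		}

		set {
			this[AssociationsConfigName] = value;
		}
	}

	/// <summary>
	/// Gets or sets a value indicating whether the Provider should ease the burden of storing associations
	/// by encoding their secrets (in signed, encrypted form) into the association handles themselves, storing only
	/// a few rotating, private symmetric keys in the Provider's store instead.
	/// </summary>
	/// <remarks>
	/// The default is <see cref="ProviderSecuritySettings.EncodeAssociationSecretsInHandlesDefault"/>.
	/// </remarks>
	[ConfigurationProperty(EncodeAssociationSecretsInHandlesConfigName, DefaultValue = ProviderSecuritySettings.EncodeAssociationSecretsInHandlesDefault)]
	public bool EncodeAssociationSecretsInHandles {
		get { return (bool)this[EncodeAssociationSecretsInHandlesConfigName]; }
		set { this[EncodeAssociationSecretsInHandlesConfigName] = value; }
	}

	/// <summary>
	/// Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.
	/// </summary>
	/// <returns>The newly created security settings object.</returns>
	/// <exception cref="ConfigurationErrorsException">
	/// Thrown when <see cref="MinimumHashBitLength"/> is not positive or exceeds
	/// <see cref="MaximumHashBitLength"/>, a combination that could otherwise be accepted silently
	/// and only surface later as a Provider that can never negotiate an association.
	/// </exception>
	public ProviderSecuritySettings CreateSecuritySettings() {
		// Fail fast on an unusable hash range instead of handing it to the Provider.
		this.ValidateHashBitLengthRange();

		var settings = new ProviderSecuritySettings {
			RequireSsl = this.RequireSsl,
			MinimumHashBitLength = this.MinimumHashBitLength,
			MaximumHashBitLength = this.MaximumHashBitLength,
			ProtectDownlevelReplayAttacks = this.ProtectDownlevelReplayAttacks,
			UnsolicitedAssertionVerification = this.UnsolicitedAssertionVerification,
			EncodeAssociationSecretsInHandles = this.EncodeAssociationSecretsInHandles,
		};

		foreach (AssociationTypeElement lifetime in this.AssociationLifetimes) {
			Assumes.True(lifetime != null);
			settings.AssociationLifetimes.Add(lifetime.AssociationType, lifetime.MaximumLifetime);
		}

		return settings;
	}

	/// <summary>
	/// Verifies that the configured minimum and maximum hash bit lengths describe a usable range.
	/// </summary>
	/// <exception cref="ConfigurationErrorsException">
	/// Thrown when the minimum is not positive or is greater than the maximum.
	/// </exception>
	private void ValidateHashBitLengthRange() {
		int minimum = this.MinimumHashBitLength;
		int maximum = this.MaximumHashBitLength;

		if (minimum <= 0) {
			throw new ConfigurationErrorsException(string.Format(
				CultureInfo.InvariantCulture,
				"The {0} attribute must be a positive number of bits, but was {1}.",
				MinimumHashBitLengthConfigName,
				minimum));
		}

		if (minimum > maximum) {
			throw new ConfigurationErrorsException(string.Format(
				CultureInfo.InvariantCulture,
				"The {0} attribute ({1}) must not exceed the {2} attribute ({3}).",
				MinimumHashBitLengthConfigName,
				minimum,
				MaximumHashBitLengthConfigName,
				maximum));
		}
	}
}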
}