# | Location | File | Last Modified |
---|---|---|---|
1 | VSE_P2_SD5.3686_v8.zip\ClinSchd\Desktop\ClinSchd.Infrastructure\SSOi | GetSSOiToken.cs | Thu Nov 29 20:55:50 2018 UTC |
2 | VSE_P2_SD5.3686_v8.zip\ClinSchd\Desktop\ClinSchd.Infrastructure\SSOi | GetSSOiToken.cs | Wed Dec 5 16:28:24 2018 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 3 | 548 |
Changed | 2 | 4 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | using Syst em; | |
2 | ||
3 | using Syst em.IO; | |
4 | using Syst em.Net; | |
5 | using Syst em.Net.Net workInform ation; | |
6 | using Syst em.Reflect ion; | |
7 | using Syst em.Securit y.Cryptogr aphy.X509C ertificate s; | |
8 | using Syst em.Windows .Forms; | |
9 | using Syst em.Xml; | |
10 | using Syst em.Xml.Sch ema; | |
11 | ||
12 | ||
13 | namespace ClinSchd.I nfrastruct ure.SSOi | |
14 | { | |
15 | public class Get SSOiToken | |
16 | { | |
17 | pu blic stati c string G etSAML() | |
18 | { | |
19 | System.N et.Service PointManag er.Securit yProtocol = (Securit yProtocolT ype)768 | (SecurityP rotocolTyp e)3072; | |
20 | HttpWebR equest req = CreateW ebRequest( get509Cert ificate()) ; | |
21 | return G etSTSRespo nse(req); | |
22 | } | |
23 | // / <summary > | |
24 | // / Returnin g a SAML w ith a spec fic certif icate sele cted by th e user | |
25 | // / </summar y> | |
26 | // / <returns ></returns > | |
27 | pu blic stati c string G etSAML(Str ing serial ) | |
28 | { | |
29 | System.N et.Service PointManag er.Securit yProtocol = (Securit yProtocolT ype)768 | (SecurityP rotocolTyp e)3072; | |
30 | HttpWebR equest req = CreateW ebRequest( get509Cert ificate(se rial)); | |
31 | return G etSTSRespo nse(req); | |
32 | } | |
33 | ||
34 | pr ivate stat ic string GetSTSResp onse(HttpW ebRequest req) | |
35 | { | |
36 | string s oapresult; | |
37 | Cursor.C urrent = C ursors.Wai tCursor; | |
38 | try | |
39 | { | |
40 | usin g (WebResp onse respo nse = req. GetRespons e()) | |
41 | { | |
42 | XmlReaderS ettings xs dSettings = new XmlR eaderSetti ngs | |
43 | { | |
44 | Valida tionType = Validatio nType.Sche ma, | |
45 | DtdPro cessing = DtdProcess ing.Prohib it | |
46 | }; | |
47 | ||
48 | xsdSetting s.Validati onFlags |= XmlSchema Validation Flags.Proc essSchemaL ocation; | |
49 | Assembly a = Assembl y.GetExecu tingAssemb ly(); | |
50 | Stream str eam = a.Ge tManifestR esourceStr eam("ClinS chd.Infras tructure.S SOi.SAML.x sd"); | |
51 | ||
52 | if (stream != null) | |
53 | { | |
54 | XmlSch ema x = Xm lSchema.Re ad(stream, STSRespon seEventHan dler); | |
55 | #pragma wa rning disa ble 618 | |
56 | x.Comp ile(STSRes ponseEvent Handler, n ew XmlUrlR esolverHel per(a, "Cl inSchd.Inf rastructur e.SSOi")); | |
57 | #pragma wa rning rest ore 618 | |
58 | ||
59 | xsdSet tings.Sche mas.Add(x) ; | |
60 | } | |
61 | ||
62 | using (Xml Reader rd = XmlReade r.Create(r esponse.Ge tResponseS tream(), x sdSettings )) | |
63 | { | |
64 | XmlDoc ument xdoc = new Xml Document() ; | |
65 | xdoc.L oad(rd); | |
66 | ||
67 | soapre sult = xdo c.InnerXml ; | |
68 | soapre sult = soa presult.Re place("\r" , ""); | |
69 | soapre sult = soa presult.Re place("\n" , ""); | |
70 | soapre sult = soa presult.Re place("\r\ n", ""); | |
71 | } | |
72 | } | |
73 | } | |
74 | catch (E xception e ) | |
75 | { | |
76 | //FF - 10/18/2 018 - Comm enting out line to s uprerss Fo rtify Low warning - Using Wri teLine() r ather than a dedicat ed logging facility makes it d ifficult t o monitor the behavi or of the program. | |
77 | //Co nsole.Writ eLine(e); | |
78 | Curs or.Current = Cursors .Default; | |
79 | retu rn e.Messa ge; | |
80 | } | |
81 | Cursor.C urrent = C ursors.Def ault; | |
82 | return s oapresult; | |
83 | } | |
84 | ||
85 | pr ivate stat ic void ST SResponseE ventHandle r(object s ender, Val idationEve ntArgs e) | |
86 | { | |
87 | TraceLog .LogExcept ion("GetSS OiToken", "GetSTSRes ponse", e. Exception) ; | |
88 | } | |
89 | ||
90 | pu blic stati c bool isS AMLValid(S tring saml ) | |
91 | { | |
92 | if (saml .Contains( "<X509Cert ificate>") && | |
93 | saml .Contains( "saml:Asse rtion") && | |
94 | saml .Contains( "SECID")) | |
95 | { | |
96 | //SA ML is prop erly forme d | |
97 | retu rn true; | |
98 | } | |
99 | else | |
100 | { | |
101 | retu rn false; | |
102 | } | |
103 | ||
104 | } | |
105 | pr ivate stat ic X509Cer tificate2 get509Cert ificate() | |
106 | { | |
107 | X509Cert ificate2Co llection c ertColl; | |
108 | var stor e = Open50 9Store(out certColl) ; | |
109 | ||
110 | foreach (X509Certi ficate2 xc ert in sto re.Certifi cates) | |
111 | { | |
112 | if ( xcert.Frie ndlyName.C ontains("P IV Authent ication")) | |
113 | { | |
114 | certColl.A dd(xcert); | |
115 | } | |
116 | } | |
117 | try | |
118 | { | |
119 | X509 Certificat e2 cert = certColl[0 ]; | |
120 | retu rn cert; | |
121 | } | |
122 | catch (E xception e ) | |
123 | { | |
124 | //FF - 10/17/2 018 - Comm enting out line to s uprerss Fo rtify Low warning - Using Wri teLine() r ather than a dedicat ed logging facility makes it d ifficult t o monitor the behavi or of the program. | |
125 | //Co nsole.Writ eLine(e); | |
126 | ||
127 | X509 Certificat e2 emptyCe rt = new X 509Certifi cate2(); | |
128 | retu rn emptyCe rt; | |
129 | } | |
130 | ||
131 | } | |
132 | pr ivate stat ic X509Cer tificate2 get509Cert ificate(st ring seria l) | |
133 | { | |
134 | X509Cert ificate2Co llection c ertColl; | |
135 | var stor e = Open50 9Store(out certColl) ; | |
136 | ||
137 | foreach (X509Certi ficate2 xc ert in sto re.Certifi cates) | |
138 | { | |
139 | if ( xcert.Seri alNumber = = serial) | |
140 | { | |
141 | certColl.A dd(xcert); | |
142 | } | |
143 | } | |
144 | try | |
145 | { | |
146 | X509 Certificat e2 cert = certColl[0 ]; | |
147 | retu rn cert; | |
148 | } | |
149 | catch (E xception) | |
150 | { | |
151 | //FF - 10/18/2 018 - Comm enting out line to s uprerss Fo rtify Low warning - Using Wri teLine() r ather than a dedicat ed logging facility makes it d ifficult t o monitor the behavi or of the program. | |
152 | //Co nsole.Writ eLine(e); | |
153 | X509 Certificat e2 emptyCe rt = new X 509Certifi cate2(); | |
154 | retu rn emptyCe rt; | |
155 | } | |
156 | ||
157 | } | |
158 | pr ivate stat ic X509Sto re Open509 Store(out X509Certif icate2Coll ection cer tColl) | |
159 | { | |
160 | X509Stor e store = new X509St ore("My", StoreLocat ion.Curren tUser); | |
161 | store.Op en(OpenFla gs.ReadOnl y); | |
162 | certColl = new X50 9Certifica te2Collect ion(); | |
163 | return s tore; | |
164 | } | |
165 | ||
166 | pu blic stati c X509Cert ificate2Co llection G etAllCerti ficates() | |
167 | { | |
168 | X509Cert ificate2Co llection c ertCollect ion = new X509Certif icate2Coll ection(); | |
169 | X509Stor e store = new X509St ore("My", StoreLocat ion.Curren tUser); | |
170 | store.Op en(OpenFla gs.ReadOnl y); | |
171 | ||
172 | foreach (X509Certi ficate2 xc ert in sto re.Certifi cates) | |
173 | { | |
174 | if ( xcert.Seri alNumber ! = null) | |
175 | { | |
176 | certCollec tion.Add(x cert); | |
177 | } | |
178 | ||
179 | } | |
180 | ||
181 | return c ertCollect ion; | |
182 | } | |
183 | ||
184 | pr ivate stat ic HttpWeb Request Cr eateWebReq uest(X509C ertificate 2 cert) | |
185 | { | |
186 | HttpWebR equest req = | |
187 | (HttpWebRe quest)WebR equest.Cre ate("https :// DNS . URL : PORT /STS/Reque stSecurity Token"); | |
188 | req.Clie ntCertific ates.Add(c ert); | |
189 | req.Head ers.Add(@" SOAP:Actio n"); | |
190 | req.Cont entType = @"text/xml ; charset= ""utf-8"" "; | |
191 | req.Acce pt = "text /xml"; | |
192 | req.Meth od = "POST "; | |
193 | ||
194 | ||
195 | XmlReade rSettings xsdSetting s = new Xm lReaderSet tings | |
196 | { | |
197 | Vali dationType = Validat ionType.Sc hema, | |
198 | DtdP rocessing = DtdProce ssing.Proh ibit | |
199 | }; | |
200 | ||
201 | xsdSetti ngs.Valida tionFlags |= XmlSche maValidati onFlags.Pr ocessSchem aLocation; | |
202 | ||
203 | ||
204 | Assembly a = Assem bly.GetExe cutingAsse mbly(); | |
205 | Stream s tream = a. GetManifes tResourceS tream("Cli nSchd.Infr astructure .SSOi.GetS SOiToken.x sd"); | |
206 | if (stre am != null ) | |
207 | { | |
208 | XmlS chema x = XmlSchema. Read(strea m, CreateW ebRequestE ventHandle r); | |
209 | #pragma wa rning disa ble 618 | |
210 | x.Co mpile(Crea teWebReque stEventHan dler, new XmlUrlReso lverHelper (a, "ClinS chd.Infras tructure.S SOi")); | |
211 | #pragma wa rning rest ore 618 | |
212 | ||
213 | xsdS ettings.Sc hemas.Add( x); | |
214 | } | |
215 | var srea der = new StringRead er(buildSO AP()); | |
216 | ||
217 | XmlReade r reader = XmlReader .Create(sr eader, xsd Settings); | |
218 | ||
219 | XmlDocum ent soapXm lDocument = new XmlD ocument() | |
220 | { | |
221 | XmlR esolver = null | |
222 | }; | |
223 | ||
224 | soapXmlD ocument.Lo ad(reader) ; | |
225 | ||
226 | using (S tream stm = req.GetR equestStre am()) | |
227 | { | |
228 | soap XmlDocumen t.Save(stm ); | |
229 | } | |
230 | ||
231 | return r eq; | |
232 | } | |
233 | ||
234 | pr ivate stat ic void Cr eateWebReq uestEventH andler(obj ect sender , Validati onEventArg s e) | |
235 | { | |
236 | TraceLog .LogExcept ion("GetSS OiToken", "CreateWeb Request",e .Exception ); | |
237 | } | |
238 | ||
239 | pr ivate stat ic String buildSOAP( ) | |
240 | { | |
241 | //mbs 20 180517 RTC # 743679 Fortify Co rrect Secu rity Issue s | |
242 | //This i s being fl agged by F ortify for "Often Mi sused: Aut henticatio n." The ho st name is not being used for | |
243 | //authen tication. The code i s simply g etting the local hos t's name t o build in to the SOA P message | |
244 | // string pcName = Dns.GetHos tName(); | |
245 | ||
246 | ||
247 | //FF - 1 0/05/2018 - Fortify scan fix, replacing call to Dn s.GetHostN ame with E nvironment .MachineNa me | |
248 | string d omainName = Environm ent.Machin eName + ". " + IPGlob alProperti es.GetIPGl obalProper ties().Dom ainName; | |
249 | ||
250 | String a ppName = A ssembly.Ge tExecuting Assembly() .GetName() .Name; | |
251 | string i am1 = @"<s oapenv:Env elope xmln s:soapenv= ""http://s chemas.xml soap.org/s oap/envelo pe/"" xmln s:ns=""htt p://docs.o asis-open. org/ws-sx/ ws-trust/2 00512"">" | |
252 | + "< soapenv:He ader/>" | |
253 | + "< soapenv:Bo dy>" | |
254 | + "< ns:Request SecurityTo ken>" | |
255 | + "< ns:Base>" | |
256 | + @" <wss:TLS x mlns:wss=" "http://do cs.oasis-o pen.org/ws s/2004/01/ oasis-2004 01-wss-wss ecurity-se cext-1.0.x sd""/>" | |
257 | + "< /ns:Base>" | |
258 | + @" <wsp:Appli esTo xmlns :wsp=""htt p://schema s.xmlsoap. org/ws/200 4/09/polic y"">" | |
259 | + @" <wsa:Endpo intReferen ce xmlns:w sa=""http: //schemas. xmlsoap.or g/ws/2004/ 08/address ing"">" | |
260 | + "< wsa:Addres s>"; | |
261 | string i am2 = "</w sa:Address >" | |
262 | + "< /wsa:Endpo intReferen ce>" | |
263 | + "< /wsp:Appli esTo>" | |
264 | + "< ns:Issuer> " | |
265 | + @"<wsa:A ddress xml ns:wsa=""h ttp://sche mas.xmlsoa p.org/ws/2 004/08/add ressing"" > https:// DNS . URL /Issuer/sm token/SAML 2</wsa:Add ress>" | |
266 | + "< /ns:Issuer >" | |
267 | + "< ns:Request Type>http: //schemas. xmlsoap.or g/ws/2005/ 02/trust/V alidate</n s:RequestT ype>" | |
268 | + "< /ns:Reques tSecurityT oken>" | |
269 | + "< /soapenv:B ody>" | |
270 | + "< /soapenv:E nvelope>"; | |
271 | string I amWholeMes sage = iam 1 + "https ://" + dom ainName + "/Delphi_R PC_Broker/ " + appNam e + iam2; | |
272 | ||
273 | return I amWholeMes sage; | |
274 | } | |
275 | } | |
276 | } |
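Review bot: In GetSTSResponse the catch block returns `e.Message` through the same string that carries the SAML token and records nothing, because the Console.WriteLine was commented out for Fortify rather than replaced; a failed STS call can then only be told apart by isSAMLValid, which is three substring checks, not a signature or schema check. I would log through the helper the file already uses, `TraceLog.LogException("GetSSOiToken", "GetSTSResponse", e);` (assuming it accepts a general Exception), and return `null` or rethrow so callers cannot mistake error text for a token. The same pattern is in both get509Certificate overloads, which catch the out-of-range access on `certColl[0]` and return `new X509Certificate2()`, so CreateWebRequest attaches an empty client certificate instead of failing; an explicit `if (certColl.Count == 0)` check with a logged failure would make that visible. Separately, `(SecurityProtocolType)768` enables TLS 1.1 alongside TLS 1.2; if the STS endpoint supports it, `SecurityProtocolType.Tls12` alone is the safer setting. The report does not mark which four lines changed between the two files, so these points apply to the file as shown.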