public static void ValidateLocalCertificate(string thumbprint, DateTime?futurePublishDate, bool skipAutomatedDeploymentChecks, Task.TaskErrorLoggingDelegate writeError)
{
if (writeError == null)
{
throw new ArgumentNullException("writeError");
}
if (string.IsNullOrEmpty(thumbprint))
{
return;
}
X509Store x509Store = null;
try
{
x509Store = new X509Store(StoreLocation.LocalMachine);
x509Store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection x509Certificate2Collection = x509Store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
if (x509Certificate2Collection.Count == 0)
{
writeError(new TaskException(Strings.ErrorThumbprintNotFound(thumbprint)), ErrorCategory.InvalidArgument, null);
}
ExchangeCertificate certificate = new ExchangeCertificate(x509Certificate2Collection[0]);
OAuthTaskHelper.ValidateCertificate(certificate, futurePublishDate, skipAutomatedDeploymentChecks, writeError);
}
finally
{
if (x509Store != null)
{
x509Store.Close();
}
}
}
public static void FetchAuthMetadata(PartnerApplication partnerApplication, bool trustSslCert, bool updatePidOrRealmOrIssuer, Task.TaskWarningLoggingDelegate writeWarning, Task.TaskErrorLoggingDelegate writeError)
{
if (partnerApplication == null)
{
throw new ArgumentNullException("partnerApplication");
}
if (writeWarning == null)
{
throw new ArgumentNullException("writeWarning");
}
if (writeError == null)
{
throw new ArgumentNullException("writeError");
}
AuthMetadata authMetadata = OAuthTaskHelper.FetchAuthMetadata(partnerApplication.AuthMetadataUrl, trustSslCert, false, writeWarning, writeError);
if (updatePidOrRealmOrIssuer)
{
partnerApplication.ApplicationIdentifier = authMetadata.ServiceName;
partnerApplication.IssuerIdentifier = authMetadata.Issuer;
partnerApplication.Realm = authMetadata.Realm;
}
else if (!OAuthCommon.IsIdMatch(partnerApplication.ApplicationIdentifier, authMetadata.ServiceName) || !OAuthCommon.IsRealmMatchIncludingEmpty(partnerApplication.Realm, authMetadata.Realm) || !string.Equals(partnerApplication.IssuerIdentifier, authMetadata.Issuer))
{
writeError(new TaskException(Strings.ErrorPidRealmIssuerDifferentFromMetadata(authMetadata.ServiceName, authMetadata.Realm, authMetadata.Issuer, partnerApplication.ApplicationIdentifier, partnerApplication.Realm, partnerApplication.IssuerIdentifier)), ErrorCategory.InvalidData, null);
}
partnerApplication.CertificateBytes = OAuthTaskHelper.InternalCertificateFromBase64String(authMetadata.CertificateStrings, writeError);
}
public static void FetchAuthMetadata(AuthServer authServer, bool trustSslCert, bool updateIdRealm, Task.TaskWarningLoggingDelegate writeWarning, Task.TaskErrorLoggingDelegate writeError)
{
if (authServer == null)
{
throw new ArgumentNullException("authServer");
}
if (writeWarning == null)
{
throw new ArgumentNullException("writeWarning");
}
if (writeError == null)
{
throw new ArgumentNullException("writeError");
}
AuthMetadata authMetadata = OAuthTaskHelper.FetchAuthMetadata(authServer.AuthMetadataUrl, trustSslCert, true, writeWarning, writeError);
AuthMetadataParser.SetEndpointsIfWSFed(authMetadata, authServer.Type, authServer.AuthMetadataUrl);
if (updateIdRealm)
{
authServer.IssuerIdentifier = authMetadata.ServiceName;
authServer.Realm = authMetadata.Realm;
}
else if (!OAuthCommon.IsIdMatch(authServer.IssuerIdentifier, authMetadata.ServiceName) || !OAuthCommon.IsRealmMatchIncludingEmpty(authServer.Realm, authMetadata.Realm))
{
writeError(new TaskException(Strings.ErrorPidRealmDifferentFromMetadata(authMetadata.ServiceName, authMetadata.Realm, authServer.IssuerIdentifier, authServer.Realm)), ErrorCategory.InvalidData, null);
}
authServer.CertificateBytes = OAuthTaskHelper.InternalCertificateFromBase64String(authMetadata.CertificateStrings, writeError);
authServer.TokenIssuingEndpoint = authMetadata.IssuingEndpoint;
authServer.AuthorizationEndpoint = authMetadata.AuthorizationEndpoint;
}
private void TryPushCertificateInSameSite(string thumbprint)
{
if (this.SkipImmediateCertificateDeployment)
{
return;
}
if (!OAuthTaskHelper.IsDatacenter())
{
try
{
if (this.serverObject != null)
{
FederationCertificate.PushCertificate(this.serverObject, new Task.TaskProgressLoggingDelegate(base.WriteProgress), new Task.TaskWarningLoggingDelegate(this.WriteWarning), thumbprint);
}
else
{
FederationCertificate.PushCertificate(new Task.TaskProgressLoggingDelegate(base.WriteProgress), new Task.TaskWarningLoggingDelegate(this.WriteWarning), thumbprint);
}
}
catch (InvalidOperationException exception)
{
base.WriteError(exception, ErrorCategory.InvalidArgument, null);
}
catch (LocalizedException exception2)
{
base.WriteError(exception2, ErrorCategory.InvalidArgument, null);
}
}
}
protected override IConfigurable PrepareDataObject()
{
this.CreateAuthServersContainer();
AuthServer authServer = (AuthServer)base.PrepareDataObject();
ADObjectId containerId = AuthServer.GetContainerId(this.ConfigurationSession);
authServer.SetId(containerId.GetChildId(authServer.Name));
if (base.Fields.IsModified("AppSecretParameter"))
{
if (authServer.Type != AuthServerType.Facebook && authServer.Type != AuthServerType.LinkedIn)
{
base.WriteError(new TaskException(Strings.ErrorInvalidAuthServerTypeValue), ErrorCategory.InvalidArgument, null);
}
authServer.CurrentEncryptedAppSecret = OAuthTaskHelper.EncryptSecretWithDKM(this.AppSecret, new Task.TaskErrorLoggingDelegate(base.WriteError));
}
else if (authServer.IsModified(AuthServerSchema.AuthMetadataUrl))
{
if (!authServer.IsModified(AuthServerSchema.Type))
{
authServer.Type = AuthServerType.MicrosoftACS;
}
else if (authServer.Type != AuthServerType.ADFS && authServer.Type != AuthServerType.AzureAD)
{
base.WriteError(new TaskException(Strings.ErrorInvalidAuthServerTypeValue), ErrorCategory.InvalidArgument, null);
}
OAuthTaskHelper.FixAuthMetadataUrl(authServer, new Task.TaskErrorLoggingDelegate(base.WriteError));
OAuthTaskHelper.FetchAuthMetadata(authServer, this.TrustAnySSLCertificate, true, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError));
}
OAuthTaskHelper.ValidateAuthServerRealmAndUniqueness(authServer, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
return(this.DataObject);
}
protected override void InternalProcessRecord()
{
if (this.RefreshAuthMetadata)
{
OAuthTaskHelper.FetchAuthMetadata(this.DataObject, this.TrustAnySSLCertificate, false, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError));
}
base.InternalProcessRecord();
}
protected override IConfigurable PrepareDataObject()
{
AuthServer authServer = (AuthServer)base.PrepareDataObject();
if ((base.ParameterSetName == "AppSecretParameterSet" && !SetAuthServer.IsOneOfAuthServerTypes(authServer.Type, new AuthServerType[]
{
AuthServerType.Facebook,
AuthServerType.LinkedIn
})) || (base.ParameterSetName == "AuthMetadataUrlParameterSet" && !SetAuthServer.IsOneOfAuthServerTypes(authServer.Type, new AuthServerType[]
{
AuthServerType.MicrosoftACS,
AuthServerType.AzureAD,
AuthServerType.ADFS
})) || (base.ParameterSetName == "NativeClientAuthServerParameterSet" && !SetAuthServer.IsOneOfAuthServerTypes(authServer.Type, new AuthServerType[]
{
AuthServerType.AzureAD,
AuthServerType.ADFS
})))
{
base.WriteError(new TaskException(Strings.ErrorAuthServerCannotSwitchType), ErrorCategory.InvalidArgument, null);
}
if (base.Fields.IsModified("AppSecretParameter"))
{
authServer.CurrentEncryptedAppSecret = OAuthTaskHelper.EncryptSecretWithDKM(this.AppSecret, new Task.TaskErrorLoggingDelegate(base.WriteError));
}
if (base.Fields.IsModified(AuthServerSchema.IssuerIdentifier))
{
authServer.IssuerIdentifier = this.IssuerIdentifier;
}
if (base.Fields.IsModified(AuthServerSchema.TokenIssuingEndpoint))
{
authServer.TokenIssuingEndpoint = this.TokenIssuingEndpoint;
}
if (base.Fields.IsModified(AuthServerSchema.ApplicationIdentifier))
{
authServer.ApplicationIdentifier = this.ApplicationIdentifier;
}
if (base.Fields.IsModified(AuthServerSchema.AuthMetadataUrl))
{
authServer.AuthMetadataUrl = this.AuthMetadataUrl;
OAuthTaskHelper.FixAuthMetadataUrl(authServer, new Task.TaskErrorLoggingDelegate(base.WriteError));
OAuthTaskHelper.FetchAuthMetadata(authServer, this.TrustAnySSLCertificate, false, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError));
OAuthTaskHelper.ValidateAuthServerRealmAndUniqueness(authServer, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
}
if (base.Fields.IsModified(AuthServerSchema.IsDefaultAuthorizationEndpoint))
{
authServer.IsDefaultAuthorizationEndpoint = this.IsDefaultAuthorizationEndpoint;
OAuthTaskHelper.ValidateAuthServerAuthorizationEndpoint(authServer, this.ConfigurationSession, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError));
}
return(authServer);
}
private void ValidateCertificate(string thumbprint, DateTime?futurePublishDate)
{
if (this.DataObject.OrganizationId.OrganizationalUnit != null)
{
base.WriteError(new TaskException(Strings.ErrorSettingCertOnTenant), ErrorCategory.InvalidArgument, null);
}
bool skipAutomatedDeploymentChecks = OAuthTaskHelper.IsDatacenter() || this.Force;
if (this.Server == null)
{
OAuthTaskHelper.ValidateLocalCertificate(thumbprint, futurePublishDate, skipAutomatedDeploymentChecks, new Task.TaskErrorLoggingDelegate(base.WriteError));
return;
}
OAuthTaskHelper.ValidateRemoteCertificate((string)this.Server, thumbprint, futurePublishDate, skipAutomatedDeploymentChecks, new Task.TaskErrorLoggingDelegate(base.WriteError));
}
private bool ProcessEmergencyCertificateUpdate()
{
if (!string.IsNullOrEmpty(this.DataObject.CurrentCertificateThumbprint) && string.Compare(this.DataObject.CurrentCertificateThumbprint, this.CertificateThumbprint, StringComparison.OrdinalIgnoreCase) == 0)
{
this.DataObject.CurrentCertificateThumbprint = this.CertificateThumbprint;
return(true);
}
if (!string.IsNullOrEmpty(this.DataObject.NextCertificateThumbprint) && string.Compare(this.DataObject.NextCertificateThumbprint, this.CertificateThumbprint, StringComparison.OrdinalIgnoreCase) == 0)
{
base.WriteError(new TaskException(Strings.ErrorCertificateAlreadyinPublish(this.CertificateThumbprint)), ErrorCategory.InvalidArgument, null);
}
if (!OAuthTaskHelper.IsDatacenter() && !this.Force && !base.ShouldContinue(Strings.ConfirmationMessageAuthSettingOutage))
{
return(false);
}
this.DataObject.PreviousCertificateThumbprint = this.DataObject.CurrentCertificateThumbprint;
this.DataObject.CurrentCertificateThumbprint = this.CertificateThumbprint;
this.TryPushCertificateInSameSite(this.CertificateThumbprint);
return(true);
}
public static MultiValuedProperty <byte[]> CertificateFromBase64String(MultiValuedProperty <string> rawStrings, Task.TaskErrorLoggingDelegate writeError)
{
if (writeError == null)
{
throw new ArgumentNullException("writeError");
}
if (rawStrings == null)
{
return(null);
}
string[] rawStringArray = null;
try
{
rawStringArray = rawStrings.ToArray();
}
catch (InvalidOperationException innerException)
{
writeError(new TaskException(Strings.ErrorNotSupportedModifyMultivaluedProperties, innerException), ErrorCategory.InvalidArgument, null);
}
return(OAuthTaskHelper.InternalCertificateFromBase64String(rawStringArray, writeError));
}
private static MultiValuedProperty <byte[]> InternalCertificateFromBase64String(string[] rawStringArray, Task.TaskErrorLoggingDelegate writeError)
{
MultiValuedProperty <byte[]> result;
try
{
result = OAuthTaskHelper.InternalCertificateFromRawBytes((from s in rawStringArray
select Convert.FromBase64String(s)).ToArray <byte[]>(), writeError);
}
catch (ArgumentNullException innerException)
{
writeError(new TaskException(Strings.ErrorInvalidBase64String, innerException), ErrorCategory.InvalidArgument, null);
throw;
}
catch (FormatException innerException2)
{
writeError(new TaskException(Strings.ErrorInvalidBase64String, innerException2), ErrorCategory.InvalidArgument, null);
throw;
}
return(result);
}
protected override IConfigurable PrepareDataObject()
{
PartnerApplication partnerApplication = (PartnerApplication)base.PrepareDataObject();
if (base.Fields.IsModified(PartnerApplicationSchema.AuthMetadataUrl))
{
if (partnerApplication.UseAuthServer)
{
base.WriteError(new TaskException(Strings.ErrorPartnerApplicationUseAuthServerCannotSetUrl), ErrorCategory.InvalidArgument, null);
}
partnerApplication.AuthMetadataUrl = this.AuthMetadataUrl;
OAuthTaskHelper.FetchAuthMetadata(partnerApplication, this.TrustAnySSLCertificate, false, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError));
}
else if (base.Fields.IsModified(PartnerApplicationSchema.Realm) || base.Fields.IsModified(PartnerApplicationSchema.ApplicationIdentifier) || base.Fields.IsModified(PartnerApplicationSchema.IssuerIdentifier))
{
base.WriteError(new TaskException(Strings.ErrorChangePartnerApplicationDirectTrust), ErrorCategory.InvalidArgument, null);
}
if (base.Fields.IsModified(PartnerApplicationSchema.LinkedAccount))
{
if (this.LinkedAccount == null)
{
partnerApplication.LinkedAccount = null;
}
else
{
ADRecipient adrecipient = (ADRecipient)base.GetDataObject <ADRecipient>(this.LinkedAccount, base.TenantGlobalCatalogSession, null, new LocalizedString?(Strings.ErrorRecipientNotFound(this.LinkedAccount.ToString())), new LocalizedString?(Strings.ErrorRecipientNotUnique(this.LinkedAccount.ToString())));
partnerApplication.LinkedAccount = adrecipient.Id;
}
}
if (base.Fields.IsModified(PartnerApplicationSchema.AppOnlyPermissions))
{
partnerApplication.AppOnlyPermissions = this.AppOnlyPermissions;
}
if (base.Fields.IsModified(PartnerApplicationSchema.ActAsPermissions))
{
partnerApplication.ActAsPermissions = this.ActAsPermissions;
}
OAuthTaskHelper.ValidateApplicationRealmAndUniqueness(partnerApplication, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
return(partnerApplication);
}
public static void ValidateRemoteCertificate(string server, string thumbprint, DateTime?futurePublishDate, bool skipAutomatedDeploymentChecks, Task.TaskErrorLoggingDelegate writeError)
{
if (writeError == null)
{
throw new ArgumentNullException("writeError");
}
if (string.IsNullOrEmpty(thumbprint))
{
return;
}
ExchangeCertificate certificate = null;
FederationTrustCertificateState federationTrustCertificateState = FederationCertificate.TestForCertificate(server, thumbprint, out certificate);
if (federationTrustCertificateState == FederationTrustCertificateState.ServerUnreachable)
{
writeError(new TaskException(Strings.ErrorCannotContactServerForCert(server, thumbprint)), ErrorCategory.InvalidArgument, null);
}
else if (federationTrustCertificateState != FederationTrustCertificateState.Installed)
{
writeError(new TaskException(Strings.ErrorThumbprintNotFound(thumbprint)), ErrorCategory.InvalidArgument, null);
}
OAuthTaskHelper.ValidateCertificate(certificate, futurePublishDate, skipAutomatedDeploymentChecks, writeError);
}
protected override IConfigurable PrepareDataObject()
{
this.CreatePartnerApplicationsContainer();
PartnerApplication partnerApplication = (PartnerApplication)base.PrepareDataObject();
ADObjectId containerId = PartnerApplication.GetContainerId(this.ConfigurationSession);
partnerApplication.SetId(containerId.GetChildId(partnerApplication.Name));
partnerApplication.UseAuthServer = true;
if (partnerApplication.IsModified(PartnerApplicationSchema.AuthMetadataUrl))
{
partnerApplication.UseAuthServer = false;
OAuthTaskHelper.FetchAuthMetadata(partnerApplication, this.TrustAnySSLCertificate, true, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError));
}
if (base.Fields.IsModified(PartnerApplicationSchema.LinkedAccount))
{
if (this.LinkedAccount == null)
{
partnerApplication.LinkedAccount = null;
}
else
{
ADRecipient adrecipient = (ADRecipient)base.GetDataObject <ADRecipient>(this.LinkedAccount, base.TenantGlobalCatalogSession, null, new LocalizedString?(Strings.ErrorRecipientNotFound(this.LinkedAccount.ToString())), new LocalizedString?(Strings.ErrorRecipientNotUnique(this.LinkedAccount.ToString())));
partnerApplication.LinkedAccount = adrecipient.Id;
}
}
if (base.Fields.IsModified(PartnerApplicationSchema.AppOnlyPermissions))
{
partnerApplication.AppOnlyPermissions = this.AppOnlyPermissions;
}
if (base.Fields.IsModified(PartnerApplicationSchema.ActAsPermissions))
{
partnerApplication.ActAsPermissions = this.ActAsPermissions;
}
OAuthTaskHelper.ValidateApplicationRealmAndUniqueness(partnerApplication, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
return(partnerApplication);
}
