        /// <summary>
        /// Evaluates the Client Access Rules that apply to the task's <c>User</c> against the
        /// connection described by <c>RemoteAddress</c>, <c>RemotePort</c>, <c>Protocol</c> and
        /// <c>AuthenticationType</c>, and writes one <see cref="ClientAccessRulesEvaluationResult"/>
        /// through the per-rule callback. Nothing is blocked here: the "blocked" callback is a no-op,
        /// this is a diagnostic dry run of the rule set.
        /// </summary>
        private void RunClientAccessRules()
        {
            long traceId = DateTime.UtcNow.Ticks;
            ClientAccessRuleCollection rules = this.FetchClientAccessRulesCollection();
            ADRawEntry userEntry = this.FetchADRawEntry(this.User);
            string username = ClientAccessRulesUtils.GetUsernameFromADRawEntry(userEntry);
            base.WriteVerbose(RulesTasksStrings.TestClientAccessRuleFoundUsername(username));

            IPEndPoint remoteEndpoint = new IPEndPoint(this.RemoteAddress, this.RemotePort);

            ClientAccessRulesEvaluationContext context = new ClientAccessRulesEvaluationContext(
                rules,
                username,
                remoteEndpoint,
                this.Protocol,
                this.AuthenticationType,
                userEntry,
                ObjectSchema.GetInstance<ClientAccessRulesRecipientFilterSchema>(),
                // A block outcome is not acted upon; the per-rule callback below reports each hit.
                evaluationContext => { },
                (rule, action) =>
                {
                    // Only AD-backed rules carry an identity; other Rule instances report null.
                    ObjectId ruleIdentity = (rule is ClientAccessRule) ? ((ClientAccessRule)rule).Identity : null;
                    this.WriteResult(new ClientAccessRulesEvaluationResult
                    {
                        Identity = ruleIdentity,
                        Name = rule.Name,
                        Action = action
                    });
                },
                traceId);

            rules.Run(context);
        }
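        /// <summary>
        /// Returns the effective Client Access Rules for <paramref name="orgId"/>.
        /// For the forest-wide organization the cached collection is returned as-is. For any other
        /// organization a new collection is built that holds the forest-wide rules first and the
        /// organization's own rules after them, so that a tenant connection is subject to both sets.
        /// </summary>
        /// <param name="orgId">Organization whose rules are requested. Callers that may hold a null
        /// organization substitute <see cref="OrganizationId.ForestWideOrgId"/> before calling.</param>
        /// <returns>A non-null <see cref="ClientAccessRuleCollection"/>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="orgId"/> is null.</exception>
        public ClientAccessRuleCollection GetCollection(OrganizationId orgId)
        {
            // Fail fast with a clear argument error instead of a NullReferenceException from
            // orgId.ToString() further down.
            if (orgId == null)
            {
                throw new ArgumentNullException("orgId");
            }
            if (OrganizationId.ForestWideOrgId.Equals(orgId))
            {
                return this.GetValue(orgId).ClientAccessRuleCollection;
            }
            ClientAccessRuleCollection merged = new ClientAccessRuleCollection(orgId.ToString());

            // Forest-wide rules are inserted before the tenant's rules; whether insertion order is
            // also evaluation order is decided by ClientAccessRuleCollection.Run (not visible here).
            merged.AddClientAccessRuleCollection(this.GetValue(OrganizationId.ForestWideOrgId).ClientAccessRuleCollection);
            merged.AddClientAccessRuleCollection(this.GetValue(orgId).ClientAccessRuleCollection);
            return merged;
        }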
        /// <summary>
        /// Builds the rule collection this task evaluates: the rules readable through the task's own
        /// data session, preceded — when that session is scoped to a tenant organization — by the
        /// forest-wide rules read through a separate configuration session rooted at the local
        /// forest's root organization container.
        /// </summary>
        /// <returns>A collection named after the task's <c>Identity</c>, or after the forest-wide
        /// organization when no identity was supplied.</returns>
        private ClientAccessRuleCollection FetchClientAccessRulesCollection()
        {
            string collectionName = (base.Identity == null) ? OrganizationId.ForestWideOrgId.ToString() : base.Identity.ToString();
            ClientAccessRuleCollection result = new ClientAccessRuleCollection(collectionName);
            IConfigurationSession taskSession = (IConfigurationSession)base.DataSession;
            OrganizationId currentOrg = taskSession.GetOrgContainer().OrganizationId;

            bool tenantScoped = currentOrg != null && !OrganizationId.ForestWideOrgId.Equals(currentOrg);
            if (tenantScoped)
            {
                // A tenant session only sees the tenant's rules; forest-wide rules apply to the
                // tenant as well, so they are read through a forest-wide, RBAC-unscoped session.
                var forestWideSettings = ADSessionSettings.FromOrganizationIdWithoutRbacScopes(
                    ADSystemConfigurationSession.GetRootOrgContainerIdForLocalForest(),
                    OrganizationId.ForestWideOrgId,
                    OrganizationId.ForestWideOrgId,
                    false);
                IConfigurationSession forestWideSession = DirectorySessionFactory.Default.GetTenantOrTopologyConfigurationSession(
                    true,
                    ConsistencyMode.PartiallyConsistent,
                    forestWideSettings,
                    133,
                    "FetchClientAccessRulesCollection",
                    "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\ClientAccessRules\\TestClientAccessRule.cs");
                result.AddClientAccessRuleCollection(this.FetchClientAccessRulesCollection(forestWideSession));
            }
            result.AddClientAccessRuleCollection(this.FetchClientAccessRulesCollection(taskSession));
            return result;
        }
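        /// <summary>
        /// Evaluates the Client Access Rules of <paramref name="organizationId"/> against one incoming
        /// connection and reports whether it should be blocked. Also updates the evaluation
        /// performance counters, reports the elapsed time through
        /// <paramref name="latencyLoggerDelegate"/> and writes a debug trace line with the decision.
        /// </summary>
        /// <param name="organizationId">Organization whose rules apply; null is treated as the forest-wide organization.</param>
        /// <param name="username">User name of the connection; handed to the evaluation context and included in the trace. May be null.</param>
        /// <param name="protocol">Client protocol of the connection.</param>
        /// <param name="remoteEndpoint">Remote address and port of the client. When null, no rules are
        /// evaluated at all and the connection is reported as not blocked.</param>
        /// <param name="authenticationType">Authentication method the connection used.</param>
        /// <param name="propertyBag">Recipient properties the rules may filter on.</param>
        /// <param name="blockLoggerDelegate">Invoked with the evaluation context when a rule blocks the connection. Must not be null.</param>
        /// <param name="latencyLoggerDelegate">Invoked with the evaluation time in milliseconds on every call. Must not be null.</param>
        /// <returns>true when a rule blocked the connection; false otherwise, including when
        /// <paramref name="remoteEndpoint"/> is null.</returns>
        internal static bool ShouldBlockConnection(OrganizationId organizationId, string username, ClientAccessProtocol protocol, IPEndPoint remoteEndpoint, ClientAccessAuthenticationMethod authenticationType, IReadOnlyPropertyBag propertyBag, Action <ClientAccessRulesEvaluationContext> blockLoggerDelegate, Action <double> latencyLoggerDelegate)
        {
            // Thresholds, in milliseconds, above which the "slow evaluation" counters are bumped.
            const double slowEvaluationThresholdMs = 10.0;
            const double verySlowEvaluationThresholdMs = 50.0;

            DateTime startUtc = DateTime.UtcNow;
            long traceId = startUtc.Ticks;
            bool shouldBlock = false;

            if (organizationId == null)
            {
                ExTraceGlobals.ClientAccessRulesTracer.TraceDebug(traceId, "[Client Access Rules] ShouldBlockConnection assuming OrganizationId.ForestWideOrgId for null OrganizationId");
                organizationId = OrganizationId.ForestWideOrgId;
            }
            // NOTE(review): with no remote endpoint the rules are never run and the result is
            // "not blocked" (fail-open). Preserved as-is; callers must supply the endpoint for the
            // rules to have any effect.
            if (remoteEndpoint != null)
            {
                ExTraceGlobals.ClientAccessRulesTracer.TraceDebug(traceId, "[Client Access Rules] ShouldBlockConnection - Initializing context to run rules");
                ClientAccessRuleCollection collection = ClientAccessRulesCache.Instance.GetCollection(organizationId);
                ClientAccessRulesEvaluationContext context = new ClientAccessRulesEvaluationContext(collection, username, remoteEndpoint, protocol, authenticationType, propertyBag, ObjectSchema.GetInstance <ClientAccessRulesRecipientFilterSchema>(), delegate(ClientAccessRulesEvaluationContext evaluationContext)
                {
                    shouldBlock = true;
                    blockLoggerDelegate(evaluationContext);
                }, null, traceId);
                collection.Run(context);
            }
            ClientAccessRulesPerformanceCounters.TotalClientAccessRulesEvaluationCalls.Increment();
            if (shouldBlock)
            {
                ClientAccessRulesPerformanceCounters.TotalConnectionsBlockedByClientAccessRules.Increment();
            }
            double totalMilliseconds = (DateTime.UtcNow - startUtc).TotalMilliseconds;

            latencyLoggerDelegate(totalMilliseconds);
            if (totalMilliseconds > verySlowEvaluationThresholdMs)
            {
                ClientAccessRulesPerformanceCounters.TotalClientAccessRulesEvaluationCallsOver50ms.Increment();
            }
            if (totalMilliseconds > slowEvaluationThresholdMs)
            {
                ClientAccessRulesPerformanceCounters.TotalClientAccessRulesEvaluationCallsOver10ms.Increment();
            }
            // remoteEndpoint and username may legitimately be null on this path. string.Format
            // renders a null argument as empty, whereas calling ToString() on them (as the previous
            // version did) threw a NullReferenceException after the decision had already been made.
            string remoteAddress = (remoteEndpoint == null) ? null : remoteEndpoint.Address.ToString();
            string remotePort = (remoteEndpoint == null) ? null : remoteEndpoint.Port.ToString();
            ExTraceGlobals.ClientAccessRulesTracer.TraceDebug(traceId, string.Format("[Client Access Rules] ShouldBlockConnection - Evaluate - Org: {0} - Protocol: {1} - Username: {2} - IP: {3} - Port: {4} - Auth Type: {5} - Blocked: {6} - Latency: {7}", new object[]
            {
                organizationId.ToString(),
                protocol.ToString(),
                username,
                remoteAddress,
                remotePort,
                authenticationType.ToString(),
                shouldBlock.ToString(),
                totalMilliseconds.ToString()
            }));
            return shouldBlock;
        }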
        /// <summary>
        /// Reads every Client Access Rule reachable through <paramref name="session"/>, in the order
        /// produced by <see cref="ClientAccessRulesPriorityManager"/>, into a fresh collection. A rule
        /// stored as disabled is switched to <see cref="RuleState.Enabled"/> on the object returned by
        /// <c>GetClientAccessRule()</c> so the test exercises it too; each such rule, and every rule
        /// added, is announced through WriteVerbose.
        /// </summary>
        /// <param name="session">Configuration session the rules are read from.</param>
        /// <returns>A collection named after the task's <c>Identity</c>, or after the forest-wide
        /// organization when no identity was supplied.</returns>
        private ClientAccessRuleCollection FetchClientAccessRulesCollection(IConfigurationSession session)
        {
            ClientAccessRulesPriorityManager priorityManager = new ClientAccessRulesPriorityManager(ClientAccessRulesStorageManager.GetClientAccessRules(session));
            string collectionName = (base.Identity == null) ? OrganizationId.ForestWideOrgId.ToString() : base.Identity.ToString();
            ClientAccessRuleCollection result = new ClientAccessRuleCollection(collectionName);

            foreach (ADClientAccessRule storedRule in priorityManager.ADClientAccessRules)
            {
                ClientAccessRule rule = storedRule.GetClientAccessRule();
                bool storedAsDisabled = rule.Enabled == RuleState.Disabled;
                if (storedAsDisabled)
                {
                    // NOTE(review): assumes GetClientAccessRule() hands back a detached object, so this
                    // does not write the Enabled state back to the directory — confirm.
                    base.WriteVerbose(RulesTasksStrings.ClientAccessRuleWillBeConsideredEnabled(rule.Name));
                    rule.Enabled = RuleState.Enabled;
                }
                base.WriteVerbose(RulesTasksStrings.ClientAccessRuleWillBeAddedToCollection(rule.Name));
                result.Add(rule);
            }
            return result;
        }
        /// <summary>
        /// Looks up the OWA mini recipient for <c>UserSid</c> through a recipient session scoped to
        /// <c>UserOrganizationId</c> (or to <c>DomainName</c> when no organization is known). When OWA
        /// Client Access Rules are enabled on this machine and the effective organization has at
        /// least one rule, the extra properties needed for rule evaluation are requested too.
        /// </summary>
        /// <returns>The recipient; never null.</returns>
        /// <exception cref="OwaADUserNotFoundException">No recipient exists for the SID.</exception>
        public OWAMiniRecipient CreateOWAMiniRecipientBySid()
        {
            IRecipientSession recipientSession;
            if (this.UserOrganizationId == null)
            {
                recipientSession = UserContextUtilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, this.DomainName, null);
            }
            else
            {
                recipientSession = UserContextUtilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, null, this.UserOrganizationId);
            }

            bool rulesFeatureEnabled = VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).OwaServer.OwaClientAccessRulesEnabled.Enabled;
            bool needsRuleProperties = false;
            if (rulesFeatureEnabled)
            {
                // The cache keys on a concrete organization, so a missing one maps to forest-wide.
                var effectiveOrg = this.UserOrganizationId ?? OrganizationId.ForestWideOrgId;
                needsRuleProperties = ClientAccessRulesCache.Instance.GetCollection(effectiveOrg).Count > 0;
            }

            OWAMiniRecipient recipient = recipientSession.FindMiniRecipientBySid <OWAMiniRecipient>(
                this.UserSid,
                needsRuleProperties ? OWAMiniRecipientSchema.AdditionalPropertiesWithClientAccessRules : OWAMiniRecipientSchema.AdditionalProperties);
            if (recipient != null)
            {
                return recipient;
            }
            ExTraceGlobals.CoreTracer.TraceDebug <SecurityIdentifier>(0L, "OwaIdentity.CreateOWAMiniRecipientBySid: got null OWAMiniRecipient for Sid: {0}", this.UserSid);
            throw new OwaADUserNotFoundException(this.SafeGetRenderableName());
        }
        /// <summary>
        /// Loads the Client Access Rules visible through <paramref name="configurationSession"/> into
        /// <c>ClientAccessRuleCollection</c> and recomputes <c>estimatedSize</c>. When the implicit
        /// "allow local" rule is enabled by configuration and the session is forest-wide (or has no
        /// current organization), that rule is added ahead of the stored rules.
        /// </summary>
        /// <param name="configurationSession">Session the rules are read from; its org container id
        /// also names the new collection.</param>
        public override void ReadData(IConfigurationSession configurationSession)
        {
            IEnumerable <ADClientAccessRule> storedRules = this.ReadRawData(configurationSession);

            this.ClientAccessRuleCollection = new ClientAccessRuleCollection(configurationSession.GetOrgContainerId().ToString());
            this.estimatedSize = 0;

            if (VariantConfiguration.InvariantNoFlightingSnapshot.ClientAccessRulesCommon.ImplicitAllowLocalClientAccessRulesEnabled.Enabled)
            {
                var currentOrg = configurationSession.SessionSettings.CurrentOrganizationId;
                bool forestWideScope = currentOrg == null || OrganizationId.ForestWideOrgId.Equals(currentOrg);
                if (forestWideScope)
                {
                    // Tenant-scoped sessions do not receive the implicit rule; only the forest-wide
                    // collection does.
                    ClientAccessRule allowLocalRule = ClientAccessRulesUtils.GetAllowLocalClientAccessRule();
                    if (allowLocalRule != null)
                    {
                        this.ClientAccessRuleCollection.AddWithoutNameCheck(allowLocalRule);
                        this.estimatedSize += allowLocalRule.GetEstimatedSize();
                    }
                }
            }
            foreach (ADClientAccessRule storedRule in storedRules)
            {
                ClientAccessRule rule = storedRule.GetClientAccessRule();
                this.ClientAccessRuleCollection.AddWithoutNameCheck(rule);
                this.estimatedSize += rule.GetEstimatedSize();
            }
        }