/// <summary>
/// Evaluates the client access rules this cmdlet can see against the supplied user, remote
/// endpoint, protocol and authentication type, and writes one result per rule that fires.
/// </summary>
/// <remarks>
/// This is a simulation path: the "block" delegate handed to the evaluation context is a
/// deliberate no-op, so matched rules are reported through WriteResult rather than enforced.
/// The rule set comes from FetchClientAccessRulesCollection(), which (per its own verbose
/// messages) treats disabled rules as enabled, so output here may differ from what the
/// enforcement path decides for the same connection.
/// </remarks>
private void RunClientAccessRules()
{
    long evaluationId = DateTime.UtcNow.Ticks;
    ClientAccessRuleCollection rules = this.FetchClientAccessRulesCollection();

    ADRawEntry userEntry = this.FetchADRawEntry(this.User);
    string username = ClientAccessRulesUtils.GetUsernameFromADRawEntry(userEntry);
    base.WriteVerbose(RulesTasksStrings.TestClientAccessRuleFoundUsername(username));

    IPEndPoint remote = new IPEndPoint(this.RemoteAddress, this.RemotePort);

    ClientAccessRulesEvaluationContext context = new ClientAccessRulesEvaluationContext(
        rules,
        username,
        remote,
        this.Protocol,
        this.AuthenticationType,
        userEntry,
        ObjectSchema.GetInstance<ClientAccessRulesRecipientFilterSchema>(),
        // Intentionally empty: nothing is blocked from a test cmdlet.
        delegate(ClientAccessRulesEvaluationContext evaluationContext) { },
        // Per-match callback: surface the rule's identity (when it is an ADObject-backed
        // ClientAccessRule), its name and the action it would have taken.
        delegate(Rule rule, ClientAccessRulesAction action)
        {
            ClientAccessRule matchedRule = rule as ClientAccessRule;
            ObjectId ruleIdentity = (matchedRule != null) ? matchedRule.Identity : null;
            this.WriteResult(new ClientAccessRulesEvaluationResult
            {
                Identity = ruleIdentity,
                Name = rule.Name,
                Action = action
            });
        },
        evaluationId);

    rules.Run(context);
}
/// <summary>
/// Returns the effective rule collection for <paramref name="orgId"/>.
/// </summary>
/// <param name="orgId">
/// Organization to resolve. Callers in this file substitute OrganizationId.ForestWideOrgId
/// for a null organization before calling; a null here would fail on orgId.ToString().
/// </param>
/// <returns>
/// For the forest-wide org, the cached collection itself. For any other org, a freshly
/// built collection (one per call) containing the forest-wide rules followed by the org's
/// own rules, so forest-level rules precede tenant rules in the merged set.
/// </returns>
public ClientAccessRuleCollection GetCollection(OrganizationId orgId)
{
    bool isForestWide = OrganizationId.ForestWideOrgId.Equals(orgId);
    if (isForestWide)
    {
        return this.GetValue(orgId).ClientAccessRuleCollection;
    }

    // Tenant scope: forest-wide rules first, then the tenant's own rules.
    ClientAccessRuleCollection merged = new ClientAccessRuleCollection(orgId.ToString());
    ClientAccessRuleCollection forestRules = this.GetValue(OrganizationId.ForestWideOrgId).ClientAccessRuleCollection;
    merged.AddClientAccessRuleCollection(forestRules);
    ClientAccessRuleCollection tenantRules = this.GetValue(orgId).ClientAccessRuleCollection;
    merged.AddClientAccessRuleCollection(tenantRules);
    return merged;
}
/// <summary>
/// Builds the rule set the test cmdlet evaluates. When the cmdlet's data session is scoped
/// to a tenant (a non-null, non-forest-wide org), the forest-wide rules are loaded first
/// through a separate root-org configuration session; the rules from the cmdlet's own
/// data session are always appended afterwards.
/// </summary>
/// <remarks>
/// NOTE(review): the root-org session is built with
/// ADSessionSettings.FromOrganizationIdWithoutRbacScopes, i.e. the forest-wide rules are
/// read without the caller's RBAC scoping applied — presumably so a tenant-scoped admin
/// sees the same forest-level rules enforcement would apply. Confirm this bypass is intended
/// for every role that can run this cmdlet. The trailing int/string arguments look like
/// call-site info (line, member, source path) baked into the original build and are kept
/// verbatim.
/// </remarks>
private ClientAccessRuleCollection FetchClientAccessRulesCollection()
{
    string collectionName = (base.Identity == null)
        ? OrganizationId.ForestWideOrgId.ToString()
        : base.Identity.ToString();
    ClientAccessRuleCollection result = new ClientAccessRuleCollection(collectionName);

    IConfigurationSession ownSession = (IConfigurationSession)base.DataSession;
    OrganizationId currentOrg = ownSession.GetOrgContainer().OrganizationId;
    bool tenantScoped = currentOrg != null && !OrganizationId.ForestWideOrgId.Equals(currentOrg);

    if (tenantScoped)
    {
        ADSessionSettings rootOrgSettings = ADSessionSettings.FromOrganizationIdWithoutRbacScopes(
            ADSystemConfigurationSession.GetRootOrgContainerIdForLocalForest(),
            OrganizationId.ForestWideOrgId,
            OrganizationId.ForestWideOrgId,
            false);
        IConfigurationSession rootOrgSession = DirectorySessionFactory.Default.GetTenantOrTopologyConfigurationSession(
            true,
            ConsistencyMode.PartiallyConsistent,
            rootOrgSettings,
            133,
            "FetchClientAccessRulesCollection",
            "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\ClientAccessRules\\TestClientAccessRule.cs");
        result.AddClientAccessRuleCollection(this.FetchClientAccessRulesCollection(rootOrgSession));
    }

    result.AddClientAccessRuleCollection(this.FetchClientAccessRulesCollection(ownSession));
    return result;
}
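/// <summary>
/// Runs the organization's client access rules against a connection and reports whether it
/// should be blocked, updating performance counters and the block/latency logger delegates.
/// </summary>
/// <param name="organizationId">Tenant whose rules apply; null is treated as the forest-wide org.</param>
/// <param name="username">User name handed to the evaluation context; may be null.</param>
/// <param name="protocol">Client access protocol of the connection.</param>
/// <param name="remoteEndpoint">Remote address/port of the client. When null, no rules are evaluated.</param>
/// <param name="authenticationType">Authentication method the client used.</param>
/// <param name="propertyBag">Recipient properties the rules' recipient filters are matched against.</param>
/// <param name="blockLoggerDelegate">Invoked with the evaluation context when a rule blocks the connection.</param>
/// <param name="latencyLoggerDelegate">Invoked unconditionally with the evaluation time in milliseconds; must be non-null.</param>
/// <returns>true if a rule blocked the connection; false otherwise (including when remoteEndpoint is null).</returns>
/// <remarks>
/// Security caveat: a null <paramref name="remoteEndpoint"/> skips rule evaluation entirely
/// and the connection is allowed (fail-open). Callers must populate the endpoint for every
/// connection that is meant to be subject to rules; the skip is now traced so it is visible.
/// Bug fixed here: the final trace line built its format arguments eagerly and dereferenced
/// remoteEndpoint.Address / username without a null check, so the null-endpoint path threw
/// NullReferenceException after the counters had already been incremented. The trace now
/// renders "&lt;null&gt;" for a missing endpoint or user instead.
/// </remarks>
internal static bool ShouldBlockConnection(OrganizationId organizationId, string username, ClientAccessProtocol protocol, IPEndPoint remoteEndpoint, ClientAccessAuthenticationMethod authenticationType, IReadOnlyPropertyBag propertyBag, Action<ClientAccessRulesEvaluationContext> blockLoggerDelegate, Action<double> latencyLoggerDelegate)
{
    DateTime start = DateTime.UtcNow;
    long ticks = start.Ticks;
    bool shouldBlock = false;

    if (organizationId == null)
    {
        ExTraceGlobals.ClientAccessRulesTracer.TraceDebug(ticks, "[Client Access Rules] ShouldBlockConnection assuming OrganizationId.ForestWideOrgId for null OrganizationId");
        organizationId = OrganizationId.ForestWideOrgId;
    }

    if (remoteEndpoint != null)
    {
        ExTraceGlobals.ClientAccessRulesTracer.TraceDebug(ticks, "[Client Access Rules] ShouldBlockConnection - Initializing context to run rules");
        ClientAccessRuleCollection collection = ClientAccessRulesCache.Instance.GetCollection(organizationId);
        ClientAccessRulesEvaluationContext context = new ClientAccessRulesEvaluationContext(
            collection,
            username,
            remoteEndpoint,
            protocol,
            authenticationType,
            propertyBag,
            ObjectSchema.GetInstance<ClientAccessRulesRecipientFilterSchema>(),
            // Block callback: record the decision and let the caller log it.
            delegate(ClientAccessRulesEvaluationContext evaluationContext)
            {
                shouldBlock = true;
                blockLoggerDelegate(evaluationContext);
            },
            null,
            ticks);
        collection.Run(context);
    }
    else
    {
        // Fail-open path: no endpoint means no rules are run. Trace it so the condition is observable.
        ExTraceGlobals.ClientAccessRulesTracer.TraceDebug(ticks, "[Client Access Rules] ShouldBlockConnection - null remote endpoint, rules not evaluated, connection allowed");
    }

    ClientAccessRulesPerformanceCounters.TotalClientAccessRulesEvaluationCalls.Increment();
    if (shouldBlock)
    {
        ClientAccessRulesPerformanceCounters.TotalConnectionsBlockedByClientAccessRules.Increment();
    }

    double elapsedMs = (DateTime.UtcNow - start).TotalMilliseconds;
    latencyLoggerDelegate(elapsedMs);
    if (elapsedMs > 50.0)
    {
        ClientAccessRulesPerformanceCounters.TotalClientAccessRulesEvaluationCallsOver50ms.Increment();
    }
    if (elapsedMs > 10.0)
    {
        ClientAccessRulesPerformanceCounters.TotalClientAccessRulesEvaluationCallsOver10ms.Increment();
    }

    // Null-safe rendering: string.Format's argument array is evaluated even when tracing is off.
    string ipForTrace = (remoteEndpoint != null) ? remoteEndpoint.Address.ToString() : "<null>";
    string portForTrace = (remoteEndpoint != null) ? remoteEndpoint.Port.ToString() : "<null>";
    string userForTrace = (username != null) ? username : "<null>";
    ExTraceGlobals.ClientAccessRulesTracer.TraceDebug(ticks,
        string.Format("[Client Access Rules] ShouldBlockConnection - Evaluate - Org: {0} - Protocol: {1} - Username: {2} - IP: {3} - Port: {4} - Auth Type: {5} - Blocked: {6} - Latency: {7}", new object[]
        {
            organizationId.ToString(),
            protocol.ToString(),
            userForTrace,
            ipForTrace,
            portForTrace,
            authenticationType.ToString(),
            shouldBlock.ToString(),
            elapsedMs.ToString()
        }));
    return shouldBlock;
}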
/// <summary>
/// Loads the client access rules stored in <paramref name="session"/> (ordered by
/// ClientAccessRulesPriorityManager) into a new collection for the test cmdlet.
/// Disabled rules are force-enabled, with a verbose message, so the cmdlet can show what a
/// rule would do if it were turned on.
/// </summary>
/// <remarks>
/// Because disabled rules are evaluated as enabled here, the cmdlet's verdict can differ from
/// production enforcement for the same connection: treat its output as "what would this rule
/// set do", not "what is enforced right now". NOTE(review): Enabled is overwritten on the
/// object returned by GetClientAccessRule(); whether that object is a fresh copy or shared
/// with a cache is not visible from this method — confirm before relying on it.
/// </remarks>
private ClientAccessRuleCollection FetchClientAccessRulesCollection(IConfigurationSession session)
{
    ClientAccessRulesPriorityManager priorityManager =
        new ClientAccessRulesPriorityManager(ClientAccessRulesStorageManager.GetClientAccessRules(session));

    string collectionName = (base.Identity == null)
        ? OrganizationId.ForestWideOrgId.ToString()
        : base.Identity.ToString();
    ClientAccessRuleCollection result = new ClientAccessRuleCollection(collectionName);

    foreach (ADClientAccessRule storedRule in priorityManager.ADClientAccessRules)
    {
        ClientAccessRule rule = storedRule.GetClientAccessRule();

        bool wasDisabled = rule.Enabled == RuleState.Disabled;
        if (wasDisabled)
        {
            // Simulation only: evaluate the rule as if it were enabled, and say so.
            base.WriteVerbose(RulesTasksStrings.ClientAccessRuleWillBeConsideredEnabled(rule.Name));
            rule.Enabled = RuleState.Enabled;
        }

        base.WriteVerbose(RulesTasksStrings.ClientAccessRuleWillBeAddedToCollection(rule.Name));
        result.Add(rule);
    }

    return result;
}
/// <summary>
/// Looks up the OWA mini-recipient for this identity's SID. When the OWA client access rules
/// feature is on and the organization's rule collection is non-empty, the lookup also requests
/// the additional AD properties that the rules' recipient filters need.
/// </summary>
/// <returns>The recipient found for <c>UserSid</c>; never null.</returns>
/// <exception cref="OwaADUserNotFoundException">No recipient matches the SID.</exception>
/// <remarks>
/// The recipient session is scoped by domain name when there is no user organization, and by
/// organization otherwise. NOTE(review): the "any rules?" decision is taken from
/// ClientAccessRulesCache at lookup time; a rule added later will not find its extra filter
/// properties on a recipient fetched here — presumably acceptable for a per-session object,
/// but confirm with the caller's lifetime.
/// </remarks>
public OWAMiniRecipient CreateOWAMiniRecipientBySid()
{
    IRecipientSession session;
    if (this.UserOrganizationId == null)
    {
        session = UserContextUtilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, this.DomainName, null);
    }
    else
    {
        session = UserContextUtilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, null, this.UserOrganizationId);
    }

    bool rulesFeatureOn = VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).OwaServer.OwaClientAccessRulesEnabled.Enabled;
    bool needRuleProperties = false;
    if (rulesFeatureOn)
    {
        OrganizationId orgForRules = this.UserOrganizationId ?? OrganizationId.ForestWideOrgId;
        needRuleProperties = ClientAccessRulesCache.Instance.GetCollection(orgForRules).Count > 0;
    }

    OWAMiniRecipient recipient = session.FindMiniRecipientBySid<OWAMiniRecipient>(
        this.UserSid,
        needRuleProperties
            ? OWAMiniRecipientSchema.AdditionalPropertiesWithClientAccessRules
            : OWAMiniRecipientSchema.AdditionalProperties);

    if (recipient != null)
    {
        return recipient;
    }

    ExTraceGlobals.CoreTracer.TraceDebug<SecurityIdentifier>(0L, "OwaIdentity.CreateOWAMiniRecipientBySid: got null OWAMiniRecipient for Sid: {0}", this.UserSid);
    throw new OwaADUserNotFoundException(this.SafeGetRenderableName());
}
/// <summary>
/// Rebuilds this entry's rule collection from <paramref name="configurationSession"/> and
/// recomputes its estimated size. When the implicit allow-local feature flag is on and the
/// session has no current organization or is forest-wide, the implicit "allow local" rule is
/// inserted ahead of the stored rules.
/// </summary>
/// <remarks>
/// Rules are added with AddWithoutNameCheck, so duplicate names are not rejected here.
/// The implicit allow-local rule is only added at forest-wide scope; tenant collections
/// presumably pick it up through the forest-wide collection merged in GetCollection.
/// </remarks>
public override void ReadData(IConfigurationSession configurationSession)
{
    IEnumerable<ADClientAccessRule> storedRules = this.ReadRawData(configurationSession);

    this.ClientAccessRuleCollection = new ClientAccessRuleCollection(configurationSession.GetOrgContainerId().ToString());
    this.estimatedSize = 0;

    bool implicitAllowLocalOn = VariantConfiguration.InvariantNoFlightingSnapshot.ClientAccessRulesCommon.ImplicitAllowLocalClientAccessRulesEnabled.Enabled;
    if (implicitAllowLocalOn)
    {
        OrganizationId currentOrg = configurationSession.SessionSettings.CurrentOrganizationId;
        bool forestScope = currentOrg == null || OrganizationId.ForestWideOrgId.Equals(currentOrg);
        if (forestScope)
        {
            ClientAccessRule allowLocal = ClientAccessRulesUtils.GetAllowLocalClientAccessRule();
            if (allowLocal != null)
            {
                this.ClientAccessRuleCollection.AddWithoutNameCheck(allowLocal);
                this.estimatedSize += allowLocal.GetEstimatedSize();
            }
        }
    }

    foreach (ADClientAccessRule storedRule in storedRules)
    {
        ClientAccessRule rule = storedRule.GetClientAccessRule();
        this.ClientAccessRuleCollection.AddWithoutNameCheck(rule);
        this.estimatedSize += rule.GetEstimatedSize();
    }
}