private void RunClientAccessRules()
{
long ticks = DateTime.UtcNow.Ticks;
ClientAccessRuleCollection clientAccessRuleCollection = this.FetchClientAccessRulesCollection();
ADRawEntry adrawEntry = this.FetchADRawEntry(this.User);
string usernameFromADRawEntry = ClientAccessRulesUtils.GetUsernameFromADRawEntry(adrawEntry);
base.WriteVerbose(RulesTasksStrings.TestClientAccessRuleFoundUsername(usernameFromADRawEntry));
ClientAccessRulesEvaluationContext context = new ClientAccessRulesEvaluationContext(clientAccessRuleCollection, usernameFromADRawEntry, new IPEndPoint(this.RemoteAddress, this.RemotePort), this.Protocol, this.AuthenticationType, adrawEntry, ObjectSchema.GetInstance <ClientAccessRulesRecipientFilterSchema>(), delegate(ClientAccessRulesEvaluationContext evaluationContext)
{
}, delegate(Rule rule, ClientAccessRulesAction action)
{
ObjectId identity = null;
ClientAccessRule clientAccessRule = rule as ClientAccessRule;
if (clientAccessRule != null)
{
identity = clientAccessRule.Identity;
}
this.WriteResult(new ClientAccessRulesEvaluationResult
{
Identity = identity,
Name = rule.Name,
Action = action
});
}, ticks);
clientAccessRuleCollection.Run(context);
}
// Token: 0x06000729 RID: 1833 RVA: 0x0001A9EC File Offset: 0x00018BEC
private void OnPostAuthenticateRequest(object source, EventArgs args)
{
ExTraceGlobals.HttpModuleTracer.TraceFunction((long)this.GetHashCode(), "[ClientAccessRulesHttpModule::OnPostAuthenticateRequest] Entering");
if (VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).CmdletInfra.RpsClientAccessRulesEnabled.Enabled&& HttpRuntime.AppDomainAppVirtualPath.IndexOf("/PowerShell", StringComparison.OrdinalIgnoreCase) == 0)
{
IClientAccessRulesAuthorizer clientAccessRulesAuthorizer = new RemotePowershellClientAccessRulesAuthorizer();
HttpContext httpContext = HttpContext.Current;
if (httpContext.Request.IsAuthenticated)
{
ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[ClientAccessRulesHttpModule::OnPostAuthenticateRequest] Request is already authenticated.");
OrganizationId userOrganization = clientAccessRulesAuthorizer.GetUserOrganization();
if (userOrganization == null)
{
ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[ClientAccessRulesHttpModule::OnPostAuthenticateRequest] orgId = null.");
return;
}
UserToken userToken = HttpContext.Current.CurrentUserToken();
bool flag = ClientAccessRulesUtils.ShouldBlockConnection(userOrganization, ClientAccessRulesUtils.GetUsernameFromContext(httpContext), clientAccessRulesAuthorizer.Protocol, ClientAccessRulesUtils.GetRemoteEndPointFromContext(httpContext), ClientAccessRulesHttpModule.GetAuthenticationTypeFromContext(httpContext), userToken.Recipient, delegate(ClientAccessRulesEvaluationContext context)
{
clientAccessRulesAuthorizer.SafeAppendGenericInfo(httpContext, ClientAccessRulesConstants.ClientAccessRuleName, context.CurrentRule.Name);
}, delegate(double latency)
{
if (latency > 50.0)
{
clientAccessRulesAuthorizer.SafeAppendGenericInfo(httpContext, ClientAccessRulesConstants.ClientAccessRulesLatency, latency.ToString());
ExTraceGlobals.HttpModuleTracer.TraceDebug <string, string>((long)this.GetHashCode(), "[ClientAccessRulesHttpModule::OnPostAuthenticateRequest] {0} = {1}.", ClientAccessRulesConstants.ClientAccessRulesLatency, latency.ToString());
}
});
if (flag)
{
ExTraceGlobals.HttpModuleTracer.TraceDebug((long)this.GetHashCode(), "[ClientAccessRulesHttpModule::OnPostAuthenticateRequest] ClientAccessRules' evaluation for the organization blocks the connection");
clientAccessRulesAuthorizer.ResponseToError(httpContext);
httpContext.ApplicationInstance.CompleteRequest();
}
}
ExTraceGlobals.HttpModuleTracer.TraceFunction((long)this.GetHashCode(), "[ClientAccessRulesHttpModule::OnPostAuthenticateRequest] Exit");
return;
}
ExTraceGlobals.HttpModuleTracer.TraceFunction((long)this.GetHashCode(), "[ClientAccessRulesHttpModule::OnPostAuthenticateRequest] Exit");
}
private static bool ShouldBlockConnection(HttpContext httpContext, OwaIdentity logonIdentity)
{
if (!VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).OwaServer.OwaClientAccessRulesEnabled.Enabled)
{
return(false);
}
RequestDetailsLogger logger = OwaApplication.GetRequestDetailsLogger;
Action <ClientAccessRulesEvaluationContext> blockLoggerDelegate = delegate(ClientAccessRulesEvaluationContext context)
{
RequestDetailsLoggerBase <RequestDetailsLogger> .SafeAppendGenericInfo(logger, ClientAccessRulesConstants.ClientAccessRuleName, context.CurrentRule.Name);
};
Action <double> latencyLoggerDelegate = delegate(double latency)
{
if (latency > 50.0)
{
RequestDetailsLoggerBase <RequestDetailsLogger> .SafeAppendGenericInfo(logger, ClientAccessRulesConstants.ClientAccessRulesLatency, latency);
}
};
OWAMiniRecipient owaminiRecipient = logonIdentity.GetOWAMiniRecipient();
string usernameFromIdInformation = ClientAccessRulesUtils.GetUsernameFromIdInformation(owaminiRecipient.WindowsLiveID, owaminiRecipient.MasterAccountSid, owaminiRecipient.Sid, owaminiRecipient.ObjectId);
return(ClientAccessRulesUtils.ShouldBlockConnection(logonIdentity.UserOrganizationId, usernameFromIdInformation, ClientAccessProtocol.OutlookWebApp, ClientAccessRulesUtils.GetRemoteEndPointFromContext(httpContext), httpContext.Request.IsAuthenticatedByAdfs() ? ClientAccessAuthenticationMethod.AdfsAuthentication : ClientAccessAuthenticationMethod.BasicAuthentication, owaminiRecipient, blockLoggerDelegate, latencyLoggerDelegate));
}
private static bool ShouldBlockConnection(HttpContext httpContext, ExchangeRunspaceConfiguration exchangeRunspaceConfiguration)
{
if (exchangeRunspaceConfiguration == null || exchangeRunspaceConfiguration.ExecutingUser == null || !VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).Eac.EACClientAccessRulesEnabled.Enabled)
{
return(false);
}
double ruleLatency = 0.0;
string ruleName = string.Empty;
string usernameFromADRawEntry = ClientAccessRulesUtils.GetUsernameFromADRawEntry(exchangeRunspaceConfiguration.ExecutingUser);
bool flag = ClientAccessRulesUtils.ShouldBlockConnection(exchangeRunspaceConfiguration.OrganizationId, usernameFromADRawEntry, ClientAccessProtocol.ExchangeAdminCenter, ClientAccessRulesUtils.GetRemoteEndPointFromContext(httpContext), httpContext.Request.IsAuthenticatedByAdfs() ? ClientAccessAuthenticationMethod.AdfsAuthentication : ClientAccessAuthenticationMethod.BasicAuthentication, exchangeRunspaceConfiguration.ExecutingUser, delegate(ClientAccessRulesEvaluationContext context)
{
ruleName = context.CurrentRule.Name;
}, delegate(double latency)
{
ruleLatency = latency;
});
if (flag || ruleLatency > 50.0)
{
ActivityContextLogger.Instance.LogEvent(new ClientAccessRulesLogEvent(exchangeRunspaceConfiguration.OrganizationId, usernameFromADRawEntry, ClientAccessRulesUtils.GetRemoteEndPointFromContext(httpContext), httpContext.Request.IsAuthenticatedByAdfs() ? ClientAccessAuthenticationMethod.AdfsAuthentication : ClientAccessAuthenticationMethod.BasicAuthentication, ruleName, ruleLatency, flag));
}
return(flag);
}
// Token: 0x06001246 RID: 4678 RVA: 0x00039C60 File Offset: 0x00037E60
private bool ConnectionBlockedByClientAccessRules(PswsAuthZUserToken userToken, out string blockingRuleName)
{
blockingRuleName = null;
if (userToken.OrgId != null && VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).CmdletInfra.PswsClientAccessRulesEnabled.Enabled)
{
string blockRuleName = null;
bool result = ClientAccessRulesUtils.ShouldBlockConnection(userToken.OrgId, ClientAccessRulesUtils.GetUsernameFromADRawEntry(userToken.UserEntry), ClientAccessProtocol.PowerShellWebServices, ClientAccessRulesUtils.GetRemoteEndPointFromContext(HttpContext.Current), ClientAccessAuthenticationMethod.BasicAuthentication, userToken.UserEntry, delegate(ClientAccessRulesEvaluationContext context)
{
blockRuleName = context.CurrentRule.Name;
AuthZLogger.SafeAppendGenericError(ClientAccessRulesConstants.ClientAccessRuleName, context.CurrentRule.Name, false);
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string, string>((long)this.GetHashCode(), "[PswsAuthorization.AuthorizeUser] Blocked by Client Access Rules ({0}={1})", ClientAccessRulesConstants.ClientAccessRuleName, context.CurrentRule.Name);
}, delegate(double latency)
{
if (latency > 50.0)
{
AuthZLogger.SafeAppendGenericInfo(ClientAccessRulesConstants.ClientAccessRulesLatency, latency.ToString());
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string, string>((long)this.GetHashCode(), "[PswsAuthorization.AuthorizeUser] Client Access Rules latency logger ({0}={1})", ClientAccessRulesConstants.ClientAccessRulesLatency, latency.ToString());
}
});
blockingRuleName = blockRuleName;
return(result);
}
return(false);
}
