private void ValidateToken(RequestedToken requestedToken, TokenValidator tokenValidator)
{
try
{
TokenValidationResults tokenValidationResults = tokenValidator.ValidateToken(requestedToken.SecurityToken, TestFederationTrust.TokenOffer);
if (tokenValidationResults.Result == TokenValidationResult.Valid)
{
this.Log(EventTypeEnumeration.Success, TestFederationTrust.TestFederationTrustEventId.TokenValidation, Strings.DelegationTokenValidationSuccess);
}
else
{
this.Log(EventTypeEnumeration.Error, TestFederationTrust.TestFederationTrustEventId.TokenValidation, Strings.TokenValidationFailed);
base.WriteVerbose(Strings.FailureAndReason(Strings.TokenValidationFailed.ToString(), tokenValidationResults.Result.ToString()));
}
}
catch (LocalizedException ex)
{
this.Log(EventTypeEnumeration.Error, TestFederationTrust.TestFederationTrustEventId.TokenValidation, Strings.TokenValidationFailed);
base.WriteVerbose(Strings.FailureAndReason(Strings.TokenValidationFailed.ToString(), ex.ToString()));
}
}
// Token: 0x060003D2 RID: 978 RVA: 0x000159C4 File Offset: 0x00013BC4
internal string FindAddressFromWsSecurity(Stream stream, WsSecurityHeaderType headerType, out bool isDelegationToken)
{
isDelegationToken = false;
long position = stream.Position;
try
{
XmlReader xmlReader = XmlReader.Create(stream);
if (xmlReader.Settings != null && xmlReader.Settings.DtdProcessing != DtdProcessing.Prohibit)
{
xmlReader.Settings.DtdProcessing = DtdProcessing.Prohibit;
}
XmlElement xmlElement = null;
XmlElement xmlElement2 = null;
XmlElement xmlElement3 = null;
xmlReader.MoveToContent();
bool flag = true;
while (flag && xmlReader.Read())
{
if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "Header")
{
if (!(xmlReader.NamespaceURI == "http://schemas.xmlsoap.org/soap/envelope/"))
{
if (!(xmlReader.NamespaceURI == "http://www.w3.org/2003/05/soap-envelope"))
{
continue;
}
}
while (flag && xmlReader.Read())
{
if (stream.Position > 73628L)
{
throw new QuotaExceededException();
}
if (xmlReader.NodeType == XmlNodeType.EndElement && xmlReader.LocalName == "Header" && (xmlReader.NamespaceURI == "http://schemas.xmlsoap.org/soap/envelope/" || xmlReader.NamespaceURI == "http://www.w3.org/2003/05/soap-envelope"))
{
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Hit the end of the SOAP header unexpectedly", this.TraceContext);
}
flag = false;
break;
}
if (headerType != WsSecurityHeaderType.PartnerAuth)
{
if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "Security" && xmlReader.NamespaceURI == "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")
{
while (flag)
{
if (!xmlReader.Read())
{
break;
}
if (stream.Position > 73628L)
{
throw new QuotaExceededException();
}
if (xmlReader.NodeType == XmlNodeType.EndElement && xmlReader.LocalName == "Security" && xmlReader.NamespaceURI == "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")
{
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Hit the end of the WS-Security header unexpectedly", this.TraceContext);
}
flag = false;
break;
}
if (xmlReader.NodeType == XmlNodeType.Element && ((headerType == WsSecurityHeaderType.WSSecurityAuth && xmlReader.LocalName == "EncryptedData" && xmlReader.NamespaceURI == "http://www.w3.org/2001/04/xmlenc#") || (headerType == WsSecurityHeaderType.X509CertAuth && xmlReader.LocalName == "BinarySecurityToken" && xmlReader.NamespaceURI == "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")))
{
using (XmlReader xmlReader2 = xmlReader.ReadSubtree())
{
XmlDocument xmlDocument = new XmlDocument();
xmlDocument.Load(xmlReader2);
xmlElement = xmlDocument.DocumentElement;
}
flag = false;
break;
}
}
}
}
else
{
if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "ExchangeImpersonation" && xmlReader.NamespaceURI == "http://schemas.microsoft.com/exchange/services/2006/types")
{
using (XmlReader xmlReader3 = xmlReader.ReadSubtree())
{
XmlDocument xmlDocument2 = new XmlDocument();
xmlDocument2.Load(xmlReader3);
xmlElement2 = xmlDocument2.DocumentElement;
}
flag = false;
break;
}
if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "Attribute" && xmlReader.NamespaceURI == "urn:oasis:names:tc:SAML:1.0:assertion" && xmlReader.HasAttributes && xmlReader.GetAttribute("AttributeName") == "targettenant")
{
using (XmlReader xmlReader4 = xmlReader.ReadSubtree())
{
XmlDocument xmlDocument3 = new XmlDocument();
xmlDocument3.Load(xmlReader4);
xmlElement3 = xmlDocument3.DocumentElement;
}
flag = false;
break;
}
}
}
}
}
if (headerType == WsSecurityHeaderType.PartnerAuth)
{
if (xmlElement2 != null)
{
if (xmlElement2.NodeType == XmlNodeType.Element && xmlElement2.FirstChild.NodeType == XmlNodeType.Element && xmlElement2.FirstChild.LocalName == "ConnectingSID")
{
XmlNode firstChild = xmlElement2.FirstChild.FirstChild;
if (firstChild.LocalName == "PrincipalName" || firstChild.LocalName == "PrimarySmtpAddress" || firstChild.LocalName == "SmtpAddress" || firstChild.LocalName == "SID")
{
return(firstChild.InnerXml);
}
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug <int, string>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Unexpected type {1} in ConnectingSID in impersonation header", this.TraceContext, firstChild.Name);
}
return(null);
}
}
else if (xmlElement3 != null && xmlElement3.NodeType == XmlNodeType.Element && xmlElement3.FirstChild.LocalName == "AttributeValue")
{
return(xmlElement3.FirstChild.InnerText);
}
}
else if (xmlElement != null)
{
ExternalAuthentication current = ExternalAuthentication.GetCurrent();
if (!current.Enabled)
{
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: ExternalAuthentication is not enabled");
}
return(null);
}
if (headerType == WsSecurityHeaderType.X509CertAuth)
{
AuthorizationContext authorizationContext;
if (current.TokenValidator.AuthorizationContextFromToken(xmlElement, ref authorizationContext).Result == null)
{
ReadOnlyCollection <ClaimSet> claimSets = authorizationContext.ClaimSets;
X509CertUser x509CertUser = null;
if (!X509CertUser.TryCreateX509CertUser(claimSets, ref x509CertUser))
{
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Unable to create the x509certuser", this.TraceContext);
}
return(null);
}
OrganizationId organizationId;
WindowsIdentity windowsIdentity;
string text;
if (!x509CertUser.TryGetWindowsIdentity(ref organizationId, ref windowsIdentity, ref text))
{
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug <int, X509CertUser, string>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; unable to find the windows identity for cert user: {1}, reason: {2}", this.TraceContext, x509CertUser, text);
}
return(null);
}
return(x509CertUser.UserPrincipalName);
}
}
else
{
TokenValidationResults tokenValidationResults = current.TokenValidator.FindEmailAddress(xmlElement, ref isDelegationToken);
if (!string.IsNullOrEmpty(tokenValidationResults.EmailAddress))
{
return(tokenValidationResults.EmailAddress);
}
}
}
}
catch (XmlException ex)
{
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug <int, XmlException>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; XmlException {1}", this.TraceContext, ex);
}
}
if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
{
ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; No email address found in Ws-Trust token", this.TraceContext);
}
return(null);
}
// Token: 0x06000284 RID: 644 RVA: 0x000115F4 File Offset: 0x0000F7F4
private static bool CheckClaimSetsForExternalUser(AuthorizationContext authorizationContext, OperationContext operationContext)
{
HttpContext.Current.Items["AuthType"] = "External";
SamlSecurityToken samlSecurityToken = null;
foreach (SupportingTokenSpecification supportingTokenSpecification in operationContext.SupportingTokens)
{
samlSecurityToken = (supportingTokenSpecification.SecurityToken as SamlSecurityToken);
if (samlSecurityToken != null)
{
break;
}
}
if (samlSecurityToken == null)
{
ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Found no security token in authorization context");
return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Cannot find security token in authorization context"));
}
ExternalAuthentication current = ExternalAuthentication.GetCurrent();
if (!current.Enabled)
{
ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Federation is not enabled");
return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Federation is not enabled"));
}
TokenValidationResults tokenValidationResults = current.TokenValidator.ValidateToken(samlSecurityToken, Offer.Autodiscover);
if (tokenValidationResults.Result != TokenValidationResult.Valid || !SmtpAddress.IsValidSmtpAddress(tokenValidationResults.EmailAddress))
{
ExTraceGlobals.AuthenticationTracer.TraceError <TokenValidationResults>(0L, "Validation of security token in WS-Security header failed: {0}", tokenValidationResults);
return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the delegation failed"));
}
SmtpAddress smtpAddress = SmtpAddress.Empty;
int num = -1;
try
{
num = operationContext.IncomingMessageHeaders.FindHeader("SharingSecurity", "http://schemas.microsoft.com/exchange/services/2006/types");
}
catch (MessageHeaderException ex)
{
AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Exception when looking for SharingSecurity header in request: " + ex.ToString());
return(false);
}
if (num < 0)
{
ExTraceGlobals.AuthenticationTracer.TraceDebug(0L, "Request has no SharingSecurity header");
}
else
{
XmlElement header = operationContext.IncomingMessageHeaders.GetHeader <XmlElement>(num);
smtpAddress = SharingKeyHandler.Decrypt(header, tokenValidationResults.ProofToken);
if (smtpAddress == SmtpAddress.Empty)
{
ExTraceGlobals.AuthenticationTracer.TraceError <string>(0L, "SharingSecurity is present but invalid: {0}", header.OuterXml);
AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the SharingSecurity failed");
return(false);
}
ExTraceGlobals.AuthenticationTracer.TraceDebug <SmtpAddress>(0L, "SharingSecurity header contains external identity: {0}", smtpAddress);
}
AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(tokenValidationResults.EmailAddress, null);
HttpContext.Current.User = new GenericPrincipal(new ExternalIdentity(new SmtpAddress(tokenValidationResults.EmailAddress), smtpAddress), null);
return(true);
}
public SharedFolderData TryDecrypt(EncryptedSharedFolderData encryptedSharedFolderData)
{
if (encryptedSharedFolderData.Token == null)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData is missing Token element.", this);
return(null);
}
if (encryptedSharedFolderData.Token.EncryptedData == null)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData.Token is missing <EncryptedData> element.", this);
return(null);
}
if (encryptedSharedFolderData.Data == null)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData is missing <Data> element.", this);
return(null);
}
if (encryptedSharedFolderData.Data.EncryptedData == null)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData.Data is missing <EncryptedData> element.", this);
return(null);
}
TokenValidationResults tokenValidationResults = this.externalAuthentication.TokenValidator.ValidateToken(encryptedSharedFolderData.Token.EncryptedData, Offer.SharingInviteMessage);
if (tokenValidationResults.Result != TokenValidationResult.Valid)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, TokenValidationResults>((long)this.GetHashCode(), "{0}: Token is not valid. TokenValidationResults={1}", this, tokenValidationResults);
return(null);
}
SymmetricSecurityKey proofToken = tokenValidationResults.ProofToken;
if (proofToken == null)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: Unable to retrieve the security key from the token.", this);
return(null);
}
XmlElement xmlElement;
try
{
xmlElement = SymmetricEncryptedXml.Decrypt(encryptedSharedFolderData.Data.EncryptedData, proofToken);
}
catch (CryptographicException arg)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, CryptographicException>((long)this.GetHashCode(), "{0}: Unable to decrypt the data element. Exception={1}", this, arg);
return(null);
}
SharedFolderData result;
try
{
result = SharedFolderData.DeserializeFromXmlELement(xmlElement);
}
catch (InvalidOperationException arg2)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, InvalidOperationException>((long)this.GetHashCode(), "{0}: Unable to deserialize the data element. InvalidOperationException={1}", this, arg2);
result = null;
}
catch (XmlException arg3)
{
SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, XmlException>((long)this.GetHashCode(), "{0}: Unable to deserialize the data element. XmlException={1}", this, arg3);
result = null;
}
return(result);
}
