// Token: 0x06001274 RID: 4724 RVA: 0x0003B65C File Offset: 0x0003985C
internal static PswsAuthZUserToken GetAuthZPluginUserToken(UserToken userToken)
{
ExAssert.RetailAssert(userToken != null, "[PswsAuthorization.GetAuthZPluginUserToken] userToken can't be null.");
Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType = userToken.AuthenticationType;
SecurityIdentifier userSid = userToken.UserSid;
DelegatedPrincipal delegatedPrincipal = userToken.DelegatedPrincipal;
ExAssert.RetailAssert(userSid != null, "The user sid is invalid (null).");
PartitionId partitionId = userToken.PartitionId;
string text = AuthenticatedUserCache.CreateKeyForPsws(userSid, userToken.AuthenticationType, partitionId);
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string>(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User cache key = \"{0}\".", text);
AuthZPluginUserToken authZPluginUserToken;
if (!AuthenticatedUserCache.Instance.TryGetValue(text, out authZPluginUserToken))
{
ExTraceGlobals.PublicPluginAPITracer.TraceDebug(0L, "[PswsAuthZHelper.GetAuthZPluginUserToken] User not found in cache.");
IIdentity identity = HttpContext.Current.Items["X-Psws-CurrentLogonUser"] as IIdentity;
SerializedIdentity serializedIdentity = null;
if (identity is WindowsTokenIdentity)
{
serializedIdentity = ((WindowsTokenIdentity)identity).ToSerializedIdentity();
}
ADRawEntry adrawEntry = ExchangeAuthorizationPlugin.FindUserEntry(userSid, null, serializedIdentity, partitionId);
ExAssert.RetailAssert(adrawEntry != null, "UnAuthorized. Unable to find the user.");
bool condition = (adrawEntry is MiniRecipient || adrawEntry is ADUser) && (bool)adrawEntry[ADRecipientSchema.RemotePowerShellEnabled];
ExAssert.RetailAssert(condition, "UnAuthorized. PSWS not enabled user.");
authZPluginUserToken = new AuthZPluginUserToken(delegatedPrincipal, adrawEntry, authenticationType, userSid.Value);
AuthenticatedUserCache.Instance.AddUserToCache(text, authZPluginUserToken);
}
return(new PswsAuthZUserToken(authZPluginUserToken.DelegatedPrincipal, authZPluginUserToken.UserEntry, authenticationType, authZPluginUserToken.DefaultUserName, userToken.UserName));
}
// Token: 0x060012F9 RID: 4857 RVA: 0x0003E2D0 File Offset: 0x0003C4D0
internal static IIdentity ConstructAuthZUser(UserToken userToken, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType)
{
SecurityIdentifier userSid = userToken.UserSid;
string partitionId = null;
if (userToken.PartitionId != null)
{
partitionId = userToken.PartitionId.ToString();
}
return(new GenericSidIdentity(userSid.ToString(), authenticationType.ToString(), userSid, partitionId));
}
// Token: 0x06001273 RID: 4723 RVA: 0x0003B5D8 File Offset: 0x000397D8
internal static IIdentity GetExecutingAuthZUser(UserToken userToken)
{
Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType = userToken.AuthenticationType;
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <Microsoft.Exchange.Configuration.Core.AuthenticationType>(0L, "[PswsAuthZHelper.GetExecutingAuthZUser] authenticationType = \"{0}\".", authenticationType);
IIdentity identity = HttpContext.Current.Items["X-Psws-CurrentLogonUser"] as IIdentity;
if (identity is SidOAuthIdentity)
{
AuthZLogger.SafeAppendGenericInfo("PswsLogonUser", "SidOAuthIdentity");
return(identity);
}
if (identity is WindowsTokenIdentity)
{
AuthZLogger.SafeAppendGenericInfo("PswsLogonUser", "WindowsTokenIdentity");
return(((WindowsTokenIdentity)identity).ToSerializedIdentity());
}
return(AuthZPluginHelper.ConstructAuthZUser(userToken, authenticationType));
}
// Token: 0x060012D4 RID: 4820 RVA: 0x0003D290 File Offset: 0x0003B490
internal static string CreateKeyForPsws(SecurityIdentifier userSid, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, PartitionId partitionId)
{
ExAssert.RetailAssert(userSid != null, "The user sid is invalid (null).");
return(string.Format("{0}:{1}:{2}", authenticationType, partitionId, userSid.Value));
}
// Token: 0x0600126C RID: 4716 RVA: 0x0003B42B File Offset: 0x0003962B
protected override IIdentity GetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType)
{
userToken = HttpContext.Current.CurrentUserToken();
authenticationType = userToken.AuthenticationType;
return(PswsAuthZHelper.GetExecutingAuthZUser(userToken));
}
internal AuthZPluginUserToken(DelegatedPrincipal delegatedPrincipal, ADRawEntry userEntry, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticatedType, string defaultUserName)
{
this.DelegatedPrincipal = delegatedPrincipal;
this.UserEntry = userEntry;
this.AuthenticationType = authenticatedType;
this.DefaultUserName = defaultUserName;
}
private static IIdentity InternalGetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, out string sessionId, out string firstRequestId)
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
userToken = null;
sessionId = null;
firstRequestId = null;
if (psPrincipal.Identity.AuthenticationType.StartsWith("Cafe-", StringComparison.OrdinalIgnoreCase))
{
using (WinRMDataReceiver winRMDataReceiver = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
{
userToken = winRMDataReceiver.UserToken;
sessionId = winRMDataReceiver.SessionId;
firstRequestId = winRMDataReceiver.RequestId;
string text = winRMDataReceiver.AuthenticationType.Substring("Cafe-".Length);
if (text.Equals("GenericIdentity", StringComparison.OrdinalIgnoreCase))
{
return(AuthZPluginHelper.ConstructGenericIdentityFromUserToken(userToken));
}
if (userToken.CommonAccessToken != null)
{
return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
}
}
}
if (DelegatedPrincipal.DelegatedAuthenticationType.Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.RemotePowerShellDelegated;
return(DelegatedPrincipal.GetDelegatedIdentity(psPrincipal.Identity.Name));
}
if (psPrincipal.WindowsIdentity != null)
{
string authenticationType2 = psPrincipal.Identity.AuthenticationType;
if (authenticationType2 != null && authenticationType2.StartsWith("Converted-", StringComparison.OrdinalIgnoreCase))
{
if (authenticationType2.StartsWith("Converted-Kerberos", StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
}
else
{
AuthZLogger.SafeAppendGenericError("InternalGetExecutingUserIdentity", "Unexpected AuthenticationType " + authenticationType2, true);
}
using (WinRMDataReceiver winRMDataReceiver2 = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
{
userToken = winRMDataReceiver2.UserToken;
sessionId = winRMDataReceiver2.SessionId;
firstRequestId = winRMDataReceiver2.RequestId;
if (userToken.CommonAccessToken == null)
{
throw new AuthzException("DEV BUG, the CommonAccessToken should not be NULL when passing from Locally Kerberos logon.");
}
return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
}
}
if ("CertificateLinkedUser".Equals(authenticationType2, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.CertificateLinkedUser;
return(new GenericIdentity(psPrincipal.Identity.Name));
}
try
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Certificate;
new SecurityIdentifier(psPrincipal.Identity.Name);
return(new GenericIdentity(psPrincipal.Identity.Name));
}
catch (ArgumentException)
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
return(psPrincipal.WindowsIdentity);
}
}
if ("RPS".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Kerberos".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Basic".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
SecurityIdentifier securityIdentifier = (SecurityIdentifier) new NTAccount(psPrincipal.Identity.Name).Translate(typeof(SecurityIdentifier));
return(new GenericIdentity(securityIdentifier.ToString()));
}
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
return(new GenericIdentity(psPrincipal.Identity.Name));
}
protected virtual IIdentity GetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType)
{
return(ExchangeAuthorizationPlugin.InternalGetExecutingUserIdentity(psPrincipal, connectionUrl, out userToken, out authenticationType, out this.sessionId, out this.firstRequestId));
}
// Token: 0x0600128C RID: 4748 RVA: 0x0003BF11 File Offset: 0x0003A111
internal PswsAuthZUserToken(DelegatedPrincipal delegatedPrincipal, ADRawEntry userEntry, Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, string defaultUserName, string executingUserName) : base(delegatedPrincipal, userEntry, authenticationType, defaultUserName)
{
ExAssert.RetailAssert(!string.IsNullOrWhiteSpace(executingUserName), "The executingUserName should not be null or white space.");
this.ExecutingUserName = executingUserName;
}
