/// <summary>
/// Builds the out-of-process (stdio) server transport and starts a server-side remote session on it.
/// </summary>
/// <remarks>
/// The "sender" recorded for this session is the hosting process's own identity, marked authenticated,
/// with the fixed connection string "http://localhost" — no caller credential is examined here. On UNIX
/// there is no Windows identity, so the sender carries an empty name and a null WindowsIdentity.
/// NOTE(review): the trust boundary is presumably the parent process that spawned this one; confirm
/// against the host before exposing this transport more widely.
/// </remarks>
/// <param name="configurationName">Session configuration name handed through to the server session unchanged.</param>
/// <param name="cryptoHelper">Server-side crypto helper handed to the transport manager.</param>
/// <param name="workingDirectory">Initial location handed through to the server session.</param>
/// <returns>The transport manager the session was created on.</returns>
protected OutOfProcessServerSessionTransportManager CreateSessionTransportManager(string configurationName, PSRemotingCryptoHelperServer cryptoHelper, string workingDirectory)
{
#if UNIX
    PSPrincipal localPrincipal = new PSPrincipal(new PSIdentity(string.Empty, true, string.Empty, null), null);
#else
    WindowsIdentity processIdentity = WindowsIdentity.GetCurrent();
    PSPrincipal localPrincipal = new PSPrincipal(new PSIdentity(string.Empty, true, processIdentity.Name, null), processIdentity);
#endif
    PSSenderInfo senderInfo = new PSSenderInfo(localPrincipal, "http://localhost");

    OutOfProcessServerSessionTransportManager transport =
        new OutOfProcessServerSessionTransportManager(originalStdOut, originalStdErr, cryptoHelper);
    ServerRemoteSession.CreateServerRemoteSession(senderInfo, _initialCommand, transport, configurationName, workingDirectory);
    return transport;
}
/// <summary>
/// Builds the out-of-process server transport over the original stdout and starts a server-side
/// remote session on it.
/// </summary>
/// <remarks>
/// The sender identity is the hosting process's own Windows identity, marked authenticated with an
/// empty authentication type, and the connection string is the literal "http://localhost". Nothing
/// about the remote peer is inspected in this method.
/// </remarks>
/// <returns>The transport manager the session was created on.</returns>
private OutOfProcessServerSessionTransportManager CreateSessionTransportManager()
{
    WindowsIdentity processIdentity = WindowsIdentity.GetCurrent();
    PSIdentity identity = new PSIdentity("", true, processIdentity.Name, null);
    PSSenderInfo sender = new PSSenderInfo(new PSPrincipal(identity, processIdentity), "http://localhost");

    OutOfProcessServerSessionTransportManager transport = new OutOfProcessServerSessionTransportManager(this.originalStdOut);
    ServerRemoteSession.CreateServerRemoteSession(sender, this._initialCommand, transport);
    return transport;
}
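/// <summary>
/// Creates a server remote session for <paramref name="username"/> over a WSMan transport and registers
/// it under a freshly generated session id.
/// </summary>
/// <remarks>
/// NOTE(review): the caller-supplied <paramref name="username"/> is wrapped in a <see cref="PSIdentity"/>
/// with IsAuthenticated hard-coded to true, and <paramref name="password"/>, <paramref name="authMechanism"/>
/// and <paramref name="protocolVersion"/> are never read — nothing in this method verifies a credential.
/// The Windows identity attached to the principal is that of the hosting process, not of the named user.
/// Confirm that a layer in front of this method authenticates the caller before any authorization
/// decision is based on the resulting session.
/// </remarks>
/// <param name="connection">Connection string recorded in the sender info; not validated beyond being non-empty.</param>
/// <param name="username">Name recorded as the session's identity (unverified here).</param>
/// <param name="password">Unused by this method.</param>
/// <param name="authMechanism">Unused by this method.</param>
/// <param name="protocolVersion">Unused by this method.</param>
/// <returns>The generated session id under which the session was stored.</returns>
/// <exception cref="ArgumentException"><paramref name="username"/> or <paramref name="connection"/> is null or empty.</exception>
public Guid CreateSession(string connection, string username, string password, int authMechanism, int protocolVersion)
{
    // Fail early rather than build a session around an empty identity name or connection string.
    if (string.IsNullOrEmpty(username))
    {
        throw new ArgumentException("A user name is required.", "username");
    }
    if (string.IsNullOrEmpty(connection))
    {
        throw new ArgumentException("A connection string is required.", "connection");
    }

    Guid sessionId = Guid.NewGuid();
    var identity = new PSIdentity("", true, username, null);
    var principal = new PSPrincipal(identity, WindowsIdentity.GetCurrent());
    var sender = new PSSenderInfo(principal, connection);
    var session = ServerRemoteSession.CreateServerRemoteSession(sender, null, new WSManServerSessionTransportManager());

    // _sessions is shared with other callers; registration is serialized on _lock.
    lock (_lock)
    {
        _sessions.Add(sessionId, session);
    }
    return sessionId;
}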
/// <summary>
/// Creates a server remote session for the caller identified by the current thread principal and
/// registers it under the session's own <c>InstanceId</c>.
/// </summary>
/// <remarks>
/// The connection string is the address of the current WCF host's first endpoint. The
/// <see cref="PSIdentity"/> is built with IsAuthenticated hard-coded to true and an empty authentication
/// type; the thread principal's own IsAuthenticated flag is not consulted, and the Windows identity
/// attached is that of the hosting process. NOTE(review): confirm the host enforces authentication
/// before this operation is reachable, since nothing here does.
/// </remarks>
/// <returns>The new session's instance id.</returns>
public Guid CreateSession()
{
    string callerName = System.Threading.Thread.CurrentPrincipal.Identity.Name;
    string endpointAddress = OperationContext.Current.Host.Description.Endpoints[0].Address.Uri.ToString();

    PSPrincipal principal = new PSPrincipal(new PSIdentity("", true, callerName, null), WindowsIdentity.GetCurrent());
    ServerRemoteSession session = ServerRemoteSession.CreateServerRemoteSession(
        new PSSenderInfo(principal, endpointAddress), null, sessionTransportManager);

    Guid id = session.InstanceId;
    lock (_lock)
    {
        _sessions.Add(id, session);
    }
    return id;
}
/// <summary>
/// Resolves the executing user for <paramref name="psPrincipal"/> and returns that identity's SID.
/// </summary>
/// <remarks>
/// Delegates identity resolution to <c>InternalGetExecutingUserIdentity</c>; the user token,
/// authentication type, session id and first request id it produces are discarded here.
/// </remarks>
/// <param name="psPrincipal">Principal presented by the remoting layer.</param>
/// <param name="connectionUrl">Connection URL used when the identity has to be fetched from the WinRM data receiver.</param>
/// <returns>The security identifier of the resolved executing identity.</returns>
/// <exception cref="ArgumentNullException"><paramref name="psPrincipal"/> is null.</exception>
public static SecurityIdentifier GetExecutingUserSecurityIdentifier(PSPrincipal psPrincipal, string connectionUrl)
{
    if (psPrincipal == null)
    {
        throw new ArgumentNullException("psPrincipal");
    }

    UserToken ignoredToken;
    Microsoft.Exchange.Configuration.Core.AuthenticationType ignoredAuthType;
    string ignoredSessionId;
    string ignoredRequestId;
    IIdentity executingUser = ExchangeAuthorizationPlugin.InternalGetExecutingUserIdentity(
        psPrincipal, connectionUrl, out ignoredToken, out ignoredAuthType, out ignoredSessionId, out ignoredRequestId);
    return executingUser.GetSecurityIdentifier();
}
/// <summary>
/// Asks the configured session configuration for the initial session state of the given user, under a
/// timed tracing scope.
/// </summary>
/// <remarks>
/// Unlike the local transport builders in this file, the identity here is taken from
/// <paramref name="userContext"/>: authentication type, IsAuthenticated, name and (when present) the
/// client certificate's subject/issuer/thumbprint are all propagated. The Windows identity is
/// <c>userContext.GetIdentity()</c> cast with <c>as</c>, so a non-Windows identity yields null there.
/// A null result from the configuration is turned into an InvalidOperationException, which — like any
/// other non-severe failure — is wrapped in CustomModuleInvocationFailedException; severe exceptions
/// are rethrown unchanged. <paramref name="membershipId"/> is not used.
/// </remarks>
/// <param name="userContext">Authenticated user context the session state is built for.</param>
/// <param name="membershipId">Unused by this method.</param>
/// <returns>The non-null initial session state returned by the session configuration.</returns>
public InitialSessionState Create(UserContext userContext, string membershipId)
{
    using (OperationTracerWithTimeout tracer = new OperationTracerWithTimeout(
        new Action<string>(TraceHelper.Current.PSSessionCallStart),
        new Action<string>(TraceHelper.Current.PSSessionCallEnd),
        "InitialSessionState",
        new Action<string>(TraceHelper.Current.PSSessionMethodExceededTimeLimit),
        30))
    {
        PSCertificateDetails certificateDetails = userContext.ClientCertificate == null
            ? null
            : new PSCertificateDetails(
                userContext.ClientCertificate.Subject,
                userContext.ClientCertificate.Issuer,
                userContext.ClientCertificate.Thumbprint);

        PSIdentity identity = new PSIdentity(userContext.AuthenticationType, userContext.IsAuthenticated, userContext.Name, certificateDetails);
        PSPrincipal principal = new PSPrincipal(identity, userContext.GetIdentity() as WindowsIdentity);
        PSSenderInfo senderInfo = new PSSenderInfo(principal, DataServiceController.Current.GetCurrentResourceUri().ToString());

        try
        {
            InitialSessionState state = this.sessionConfiguration.GetInitialSessionState(senderInfo);
            if (state == null)
            {
                // Thrown inside the try on purpose: the catch below wraps it like any other plugin failure.
                throw new InvalidOperationException(ExceptionHelpers.GetExceptionMessage(
                    Resources.MethodReturnedInvalidOutput,
                    new object[] { "PSSessionState.GetInitialSessionState", "null" }));
            }
            TraceHelper.Current.GetInitialSessionStateRequestSucceeded(userContext.Name);
            state.Trace();
            return state;
        }
        catch (Exception failure)
        {
            TraceHelper.Current.GetInitialSessionStateRequestFailed(userContext.Name, failure.Message);
            if (failure.IsSevereException())
            {
                throw;
            }
            throw new CustomModuleInvocationFailedException(this.sessionConfiguration.GetType().AssemblyQualifiedName, "GetInitialState", failure);
        }
    }
}
/// <summary>
/// Resolves the RBAC group for a principal.
/// </summary>
/// <remarks>
/// Access control point: an unauthenticated identity is rejected with UnauthorizedAccessException
/// before any lookup. The user is matched by <c>RbacUserInfo.Equals</c> on a key built from the
/// identity's name, authentication type and certificate details, then the group is matched by name.
/// The "not found" messages echo the caller's own name and authentication type.
/// </remarks>
/// <param name="principal">Principal to look up.</param>
/// <returns>The group the matching user belongs to.</returns>
/// <exception cref="ArgumentNullException"><paramref name="principal"/> is null.</exception>
/// <exception cref="ArgumentException">The identity is null, the user is unknown, or the user's group is unknown.</exception>
/// <exception cref="UnauthorizedAccessException">The identity is not authenticated.</exception>
private RbacGroup FindGroup(PSPrincipal principal)
{
    if (principal == null)
    {
        throw new ArgumentNullException("principal");
    }

    PSIdentity psIdentity = principal.Identity;
    if (psIdentity == null)
    {
        throw new ArgumentException("Null identity passed");
    }
    if (!psIdentity.IsAuthenticated)
    {
        throw new UnauthorizedAccessException();
    }

    RbacUser.RbacUserInfo lookupKey = new RbacUser.RbacUserInfo(
        new GenericIdentity(psIdentity.Name, psIdentity.AuthenticationType),
        psIdentity.CertificateDetails);

    RbacUser matchedUser = this.Users.Find(candidate => candidate.UserInfo.Equals(lookupKey));
    if (matchedUser == null)
    {
        throw new ArgumentException("User not found: name=" + lookupKey.Name + ", authentication=" + lookupKey.AuthenticationType);
    }

    string groupName = matchedUser.Group.Name;
    RbacGroup matchedGroup = this.Groups.Find(candidate => candidate.Name == groupName);
    if (matchedGroup == null)
    {
        throw new ArgumentException("group not found = " + groupName);
    }
    return matchedGroup;
}
/// <summary>
/// Builds the out-of-process (stdio) server transport and starts a server-side remote session on it,
/// using the "Microsoft.PowerShell" configuration provider.
/// </summary>
/// <remarks>
/// The sender recorded for the session is the hosting process's own identity, marked authenticated, with
/// the fixed connection string "http://localhost"; on UNIX the name is empty and the WindowsIdentity is
/// null. <paramref name="configurationName"/> and <paramref name="configurationFile"/> are passed
/// through without validation — NOTE(review): confirm the caller controls where the configuration file
/// path comes from.
/// </remarks>
/// <param name="configurationName">Session configuration name handed to the server session.</param>
/// <param name="configurationFile">Session configuration file handed to the server session.</param>
/// <param name="cryptoHelper">Server-side crypto helper handed to the transport manager.</param>
/// <param name="workingDirectory">Initial location handed to the server session.</param>
/// <returns>The transport manager the session was created on.</returns>
protected OutOfProcessServerSessionTransportManager CreateSessionTransportManager(
    string configurationName, string configurationFile, PSRemotingCryptoHelperServer cryptoHelper, string workingDirectory)
{
#if UNIX
    PSPrincipal localPrincipal = new PSPrincipal(new PSIdentity(string.Empty, true, string.Empty, null), null);
#else
    WindowsIdentity processIdentity = WindowsIdentity.GetCurrent();
    PSPrincipal localPrincipal = new PSPrincipal(new PSIdentity(string.Empty, true, processIdentity.Name, null), processIdentity);
#endif
    PSSenderInfo senderInfo = new PSSenderInfo(localPrincipal, "http://localhost");

    OutOfProcessServerSessionTransportManager transport =
        new OutOfProcessServerSessionTransportManager(originalStdOut, originalStdErr, cryptoHelper);
    ServerRemoteSession.CreateServerRemoteSession(
        senderInfo: senderInfo,
        configurationProviderId: "Microsoft.PowerShell",
        initializationParameters: string.Empty,
        transportManager: transport,
        initialCommand: _initialCommand,
        configurationName: configurationName,
        configurationFile: configurationFile,
        initialLocation: workingDirectory);
    return transport;
}
/// <summary>
/// Returns the cmdlet names the user's RBAC group allows.
/// </summary>
/// <remarks>
/// Authorization is delegated entirely to <c>FindGroup</c>, which rejects null or unauthenticated
/// principals and unknown users by throwing. The returned list is a fresh copy, so callers cannot
/// mutate the group's own collection.
/// </remarks>
/// <param name="userInfo">Principal whose group is consulted.</param>
/// <returns>A new list of the group's cmdlet names.</returns>
public List<string> GetCmdlets(PSPrincipal userInfo)
{
    List<string> cmdlets = new List<string>();
    cmdlets.AddRange(this.FindGroup(userInfo).Cmdlets);
    return cmdlets;
}
/// <summary>
/// Returns the module names the user's RBAC group allows.
/// </summary>
/// <remarks>
/// Authorization is delegated entirely to <c>FindGroup</c>, which rejects null or unauthenticated
/// principals and unknown users by throwing. The returned list is a fresh copy, so callers cannot
/// mutate the group's own collection.
/// </remarks>
/// <param name="userInfo">Principal whose group is consulted.</param>
/// <returns>A new list of the group's module names.</returns>
public List<string> GetModules(PSPrincipal userInfo)
{
    List<string> modules = new List<string>();
    modules.AddRange(this.FindGroup(userInfo).Modules);
    return modules;
}
/// <summary>
/// PSWS override: resolves the executing user from the current HTTP request's user token.
/// </summary>
/// <remarks>
/// <paramref name="psPrincipal"/> and <paramref name="connectionUrl"/> are not consulted; the identity
/// and authentication type come solely from the token attached to <c>HttpContext.Current</c>, i.e. the
/// identity is bound to what the HTTP layer authenticated rather than to the remoting-supplied principal.
/// NOTE(review): no null check on <c>HttpContext.Current</c> or on the returned token — a missing token
/// fails with a NullReferenceException here.
/// </remarks>
/// <param name="psPrincipal">Ignored by this override.</param>
/// <param name="connectionUrl">Ignored by this override.</param>
/// <param name="userToken">Receives the current request's user token.</param>
/// <param name="authenticationType">Receives the token's authentication type.</param>
/// <returns>The authorization identity derived from the token.</returns>
protected override IIdentity GetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType)
{
    UserToken currentToken = HttpContext.Current.CurrentUserToken();
    userToken = currentToken;
    authenticationType = currentToken.AuthenticationType;
    return PswsAuthZHelper.GetExecutingAuthZUser(currentToken);
}
/// <summary>
/// Core of the Exchange authorization plugin: resolves the executing user, builds the (expiring) runspace
/// configuration, applies a series of access-denied checks, and finally produces the InitialSessionState
/// that bounds what the remote session may run.
/// </summary>
/// <remarks>
/// Every denial path appends an AuthZ log entry, calls <c>TriggerFailFastForAuthZFailure</c> for the
/// user's Live ID, and then throws a specific exception type. The checks, in order: the recipient's
/// RemotePowerShellEnabled attribute (explicit false denies; unset is allowed through), delegated users
/// must carry an organization id, admins may not sign in with an app password, and LiveIdBasic/delegated
/// users are rejected if they are filtering-only.
/// </remarks>
/// <param name="senderInfo">Sender info from the remoting layer; must carry a principal with a named identity.</param>
/// <returns>The initial session state produced by the runspace configuration.</returns>
/// <exception cref="ArgumentException">The sender, its principal, identity or identity name is null.</exception>
private InitialSessionState GetInitialSessionStateCore(PSSenderInfo senderInfo)
{
    InitialSessionState result;
    using (new MonitoredScope("GetInitialSessionStateCore", "GetInitialSessionStateCore", AuthZLogHelper.AuthZPerfMonitors))
    {
        // Fail closed on an incomplete sender: everything below keys off the identity name.
        if (senderInfo == null || senderInfo.UserInfo == null || senderInfo.UserInfo.Identity == null || senderInfo.UserInfo.Identity.Name == null)
        {
            throw new ArgumentException("senderInfo");
        }
        PSPrincipal userInfo = senderInfo.UserInfo;
        ExTraceGlobals.PublicPluginAPITracer.TraceDebug<string>((long)this.GetHashCode(), "Entering EAP.GetInitialSessionState({0})", userInfo.Identity.Name);
        UserToken userToken = null;
        Microsoft.Exchange.Configuration.Core.AuthenticationType authenticatedType;
        // Overridable hook: decides which identity authorization is evaluated for (see the PSWS override,
        // which takes it from the HTTP user token instead of the remoting principal).
        IIdentity executingUserIdentity = this.GetExecutingUserIdentity(userInfo, senderInfo.ConnectionString, out userToken, out authenticatedType);
        ExchangeRunspaceConfigurationSettings exchangeRunspaceConfigurationSettings = this.BuildRunspaceConfigurationSettings(senderInfo.ConnectionString, executingUserIdentity);
        if (userToken != null)
        {
            exchangeRunspaceConfigurationSettings.UserToken = userToken;
        }
        if (AppSettings.Current.SiteRedirectTemplate != null)
        {
            ExTraceGlobals.PublicPluginAPITracer.TraceDebug<string, string, string>((long)this.GetHashCode(), "EAP.GetInitialSessionState({0}) site redirection template used is {1}, pod redirection template used is {2}", userInfo.Identity.Name, AppSettings.Current.SiteRedirectTemplate, AppSettings.Current.PodRedirectTemplate);
            exchangeRunspaceConfigurationSettings.SiteRedirectionTemplate = AppSettings.Current.SiteRedirectTemplate;
            exchangeRunspaceConfigurationSettings.PodRedirectionTemplate = AppSettings.Current.PodRedirectTemplate;
        }
        ExchangeExpiringRunspaceConfiguration exchangeExpiringRunspaceConfiguration;
        using (new MonitoredScope("GetInitialSessionStateCore", "ExchangeExpiringRunspaceConfiguration", AuthZLogHelper.AuthZPerfMonitors))
        {
            if (DatacenterRegistry.IsForefrontForOffice())
            {
                // Forefront-for-Office deployments load the datacenter runspace configuration by reflection
                // from the Exchange install path recorded in HKLM. The path is treated as trusted machine
                // configuration (HKLM). NOTE(review): registryKey is not null-checked — a missing Setup key
                // surfaces as a NullReferenceException at GetValue rather than a clearer error.
                try
                {
                    using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(string.Format("SOFTWARE\\Microsoft\\ExchangeServer\\{0}\\Setup", "v15")))
                    {
                        string name = "Microsoft.Exchange.Hygiene.Security.Authorization.ForefrontExpiringDatacenterRunspaceConfiguration";
                        string path = (string)registryKey.GetValue("MsiInstallPath");
                        string assemblyFile = Path.Combine(path, "Bin", "Microsoft.Exchange.Hygiene.Security.Authorization.dll");
                        Assembly assembly = Assembly.LoadFrom(assemblyFile);
                        Type type = assembly.GetType(name);
                        // Static factory "Instance(identity, settings, connectionString, isPsws)" on the loaded type.
                        exchangeExpiringRunspaceConfiguration = (ExchangeExpiringRunspaceConfiguration)type.InvokeMember("Instance", BindingFlags.InvokeMethod, Type.DefaultBinder, null, new object[] { executingUserIdentity, exchangeRunspaceConfigurationSettings, senderInfo.ConnectionString, Constants.IsPowerShellWebService });
                    }
                    goto IL_1FA;
                }
                catch (TargetInvocationException ex)
                {
                    // Unwrap the reflection wrapper. Note this rethrows by object, so the inner exception's
                    // original stack trace is reset at this point.
                    throw ex.InnerException ?? ex;
                }
            }
            // Non-Forefront path: the in-process configuration.
            exchangeExpiringRunspaceConfiguration = new ExchangeExpiringRunspaceConfiguration(executingUserIdentity, exchangeRunspaceConfigurationSettings, Constants.IsPowerShellWebService);
            IL_1FA:;
        }
        this.currentAuthZUserToken = new AuthZPluginUserToken(exchangeExpiringRunspaceConfiguration.DelegatedPrincipal, exchangeExpiringRunspaceConfiguration.LogonUser, authenticatedType, exchangeExpiringRunspaceConfiguration.IdentityName);
        ADRawEntry logonUser = exchangeExpiringRunspaceConfiguration.LogonUser;
        // Deny only when the attribute is present AND false; an unset attribute does not block access.
        if (logonUser[ADRecipientSchema.RemotePowerShellEnabled] != null && !(bool)logonUser[ADRecipientSchema.RemotePowerShellEnabled])
        {
            AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", "RemotePowerShellEnabled false", false);
            ExTraceGlobals.AccessDeniedTracer.TraceError<string>(0L, "EAP.GetInitialSessionStateCore user {0} is not allowed to use remote Powershell, access denied", executingUserIdentity.Name);
            AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
            throw new RemotePowerShellNotEnabledException(Strings.ErrorRemotePowerShellNotEnabled);
        }
        // Direct logons get their connection query string validated against the logon user; delegated
        // logons must instead resolve to an organization.
        if (exchangeExpiringRunspaceConfiguration.DelegatedPrincipal == null)
        {
            ExchangeAuthorizationPlugin.ValidateQueryString(senderInfo.ConnectionString, logonUser);
        }
        else if (exchangeExpiringRunspaceConfiguration.DelegatedPrincipal.UserOrganizationId == null)
        {
            AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", "User Token is delegated user, but user.OrgId is null.", false);
            ExTraceGlobals.AccessDeniedTracer.TraceError(0L, "EAP.GetInitialSessionStateCore delegated user is not in organization.");
            AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
            throw new DelegatedUserNotInOrgException(Strings.ErrorDelegatedUserNotInOrg);
        }
        string friendlyName = exchangeExpiringRunspaceConfiguration.OrganizationId.GetFriendlyName();
        // Privileged (admin-role) users may not establish a session with an app password.
        if (exchangeExpiringRunspaceConfiguration.HasAdminRoles && exchangeExpiringRunspaceConfiguration.IsAppPasswordUsed)
        {
            AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", string.Format("User {0} of Domain {1} is not allowed to create session using app password.", userInfo.Identity.Name, friendlyName), false);
            AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
            throw new AppPasswordLoginException(Strings.ErrorAdminLoginUsingAppPassword);
        }
        // Filtering-only (no Exchange Hosted subscription) users are rejected for LiveIdBasic and delegated auth.
        if (string.Equals(executingUserIdentity.AuthenticationType, "LiveIdBasic", StringComparison.OrdinalIgnoreCase) || DelegatedPrincipal.DelegatedAuthenticationType.Equals(executingUserIdentity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
        {
            using (new MonitoredScope("GetInitialSessionStateCore", "ValidateFilteringOnlyUser", AuthZLogHelper.AuthZPerfMonitors))
            {
                if (UserValidationHelper.ValidateFilteringOnlyUser(friendlyName, this.currentAuthZUserToken.WindowsLiveId))
                {
                    AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", string.Format("User {0} of Domain {1} doesn't have valid subscriptions for Exchange Hosted.", userInfo.Identity.Name, friendlyName), false);
                    AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
                    throw new FilteringOnlyUserLoginException(Strings.ErrorFilteringOnlyUserLogin);
                }
            }
        }
        InitialSessionState initialSessionState;
        using (new MonitoredScope("GetInitialSessionStateCore", "exchangeRunspaceConfig.CreateInitialSessionState", AuthZLogHelper.AuthZPerfMonitors))
        {
            initialSessionState = exchangeExpiringRunspaceConfiguration.CreateInitialSessionState();
        }
        ExTraceGlobals.PublicPluginAPITracer.TraceDebug<int>((long)this.GetHashCode(), "EAP.GetInitialSessionState(PSSenderInfo) returns ISS with {0} commands", initialSessionState.Commands.Count);
        result = initialSessionState;
    }
    return(result);
}
/// <summary>
/// Maps the remoting-layer principal to the identity Exchange authorization will be evaluated for, by
/// dispatching on the principal's authentication type string.
/// </summary>
/// <remarks>
/// Branches, in order: "Cafe-*" (front-end relayed user token via WinRMDataReceiver), the delegated
/// authentication type, principals that carry a WindowsIdentity ("Converted-*", "CertificateLinkedUser",
/// or a name that parses as a SID), then "RPS"/"Kerberos"/"Basic" (NTAccount → SID translation), and a
/// final fallback that returns the raw name with <c>authenticationType</c> left at Unknown.
/// NOTE(review): callers must treat an Unknown result as unverified; this method does not reject it.
/// </remarks>
/// <param name="psPrincipal">Principal presented by the remoting layer; not null-checked here (the public caller checks).</param>
/// <param name="connectionUrl">Connection URL handed to WinRMDataReceiver when a token has to be fetched.</param>
/// <param name="userToken">Receives the fetched user token, or null when no receiver branch ran.</param>
/// <param name="authenticationType">Receives the classified authentication type; Unknown unless a branch sets it.</param>
/// <param name="sessionId">Receives the receiver's session id, or null.</param>
/// <param name="firstRequestId">Receives the receiver's request id, or null.</param>
/// <returns>The identity to authorize.</returns>
private static IIdentity InternalGetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, out string sessionId, out string firstRequestId)
{
    authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
    userToken = null;
    sessionId = null;
    firstRequestId = null;
    // NOTE(review): AuthenticationType is dereferenced here without a null check, whereas the
    // "Converted-" branch below does check for null. A null type fails closed with a
    // NullReferenceException rather than falling through to the Unknown fallback.
    if (psPrincipal.Identity.AuthenticationType.StartsWith("Cafe-", StringComparison.OrdinalIgnoreCase))
    {
        using (WinRMDataReceiver winRMDataReceiver = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
        {
            userToken = winRMDataReceiver.UserToken;
            sessionId = winRMDataReceiver.SessionId;
            firstRequestId = winRMDataReceiver.RequestId;
            // The part after "Cafe-" names how the front end authenticated the user.
            string text = winRMDataReceiver.AuthenticationType.Substring("Cafe-".Length);
            if (text.Equals("GenericIdentity", StringComparison.OrdinalIgnoreCase))
            {
                return(AuthZPluginHelper.ConstructGenericIdentityFromUserToken(userToken));
            }
            // NOTE(review): assumes the receiver always yields a non-null UserToken — confirm.
            if (userToken.CommonAccessToken != null)
            {
                return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
            }
            // Neither form present: fall through to the remaining branches with userToken/ids already set.
        }
    }
    if (DelegatedPrincipal.DelegatedAuthenticationType.Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
    {
        authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.RemotePowerShellDelegated;
        return(DelegatedPrincipal.GetDelegatedIdentity(psPrincipal.Identity.Name));
    }
    if (psPrincipal.WindowsIdentity != null)
    {
        string authenticationType2 = psPrincipal.Identity.AuthenticationType;
        if (authenticationType2 != null && authenticationType2.StartsWith("Converted-", StringComparison.OrdinalIgnoreCase))
        {
            if (authenticationType2.StartsWith("Converted-Kerberos", StringComparison.OrdinalIgnoreCase))
            {
                authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
            }
            else
            {
                // Any other "Converted-*" value is logged as unexpected but still processed below.
                AuthZLogger.SafeAppendGenericError("InternalGetExecutingUserIdentity", "Unexpected AuthenticationType " + authenticationType2, true);
            }
            using (WinRMDataReceiver winRMDataReceiver2 = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
            {
                userToken = winRMDataReceiver2.UserToken;
                sessionId = winRMDataReceiver2.SessionId;
                firstRequestId = winRMDataReceiver2.RequestId;
                // A locally converted Kerberos logon must carry a Windows access token; absence is a bug, not a denial.
                if (userToken.CommonAccessToken == null)
                {
                    throw new AuthzException("DEV BUG, the CommonAccessToken should not be NULL when passing from Locally Kerberos logon.");
                }
                return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
            }
        }
        if ("CertificateLinkedUser".Equals(authenticationType2, StringComparison.OrdinalIgnoreCase))
        {
            authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.CertificateLinkedUser;
            return(new GenericIdentity(psPrincipal.Identity.Name));
        }
        // Certificate auth: the identity name is expected to be a SID. Constructing a SecurityIdentifier is
        // used purely as a format check — on success the SID string is returned as a GenericIdentity;
        // on ArgumentException the raw WindowsIdentity is returned and the type is reported as Unknown.
        try
        {
            authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Certificate;
            new SecurityIdentifier(psPrincipal.Identity.Name);
            return(new GenericIdentity(psPrincipal.Identity.Name));
        }
        catch (ArgumentException)
        {
            authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
            return(psPrincipal.WindowsIdentity);
        }
    }
    // No WindowsIdentity: resolve the account name to a SID. All three types are reported as Kerberos.
    // NTAccount.Translate throws if the name cannot be mapped, so an unknown account fails closed here.
    if ("RPS".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Kerberos".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Basic".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
    {
        authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
        SecurityIdentifier securityIdentifier = (SecurityIdentifier) new NTAccount(psPrincipal.Identity.Name).Translate(typeof(SecurityIdentifier));
        return(new GenericIdentity(securityIdentifier.ToString()));
    }
    // Unrecognized authentication type: hand back the raw name, explicitly marked Unknown.
    authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
    return(new GenericIdentity(psPrincipal.Identity.Name));
}
/// <summary>
/// Default identity-resolution hook: forwards to the static <c>InternalGetExecutingUserIdentity</c> and
/// captures the session id and first request id it reports into this instance.
/// </summary>
/// <remarks>
/// Derived plugins (for example the PSWS variant) override this to source the identity differently;
/// the authorization checks in <c>GetInitialSessionStateCore</c> operate on whatever this returns.
/// </remarks>
/// <param name="psPrincipal">Principal presented by the remoting layer.</param>
/// <param name="connectionUrl">Connection URL used when a token must be fetched from the WinRM data receiver.</param>
/// <param name="userToken">Receives the resolved user token, or null.</param>
/// <param name="authenticationType">Receives the classified authentication type.</param>
/// <returns>The identity to authorize.</returns>
protected virtual IIdentity GetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType)
{
    IIdentity executingUser = ExchangeAuthorizationPlugin.InternalGetExecutingUserIdentity(
        psPrincipal,
        connectionUrl,
        out userToken,
        out authenticationType,
        out this.sessionId,
        out this.firstRequestId);
    return executingUser;
}
/// <summary>
/// Pairs the connecting principal with the connection string it arrived on.
/// </summary>
/// <remarks>
/// Both values are stored as given; no validation of the principal or of the URL happens here, so the
/// connection string is only as trustworthy as the caller that built it.
/// </remarks>
/// <param name="userPrincipal">Principal of the connecting user.</param>
/// <param name="httpURL">Connection string (typically the endpoint URL) for this sender.</param>
internal PSSenderInfo(PSPrincipal userPrincipal, string httpURL)
{
    this.connectionString = httpURL;
    this.userPrinicpal = userPrincipal;
}
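/// <summary>
/// Builds the out-of-process (stdio) server transport and starts a server-side remote session on it.
/// </summary>
/// <remarks>
/// The sender recorded for the session is the hosting process's own identity, marked authenticated, with
/// the fixed connection string "http://localhost"; on UNIX the name is empty and the WindowsIdentity is
/// null. No caller credential is examined here — the trust boundary is presumably the parent process
/// that spawned this one (confirm against the host). The created ServerRemoteSession is not retained;
/// the earlier unused local holding it has been removed.
/// </remarks>
/// <param name="configurationName">Session configuration name handed through to the server session unchanged.</param>
/// <param name="cryptoHelper">Server-side crypto helper handed to the transport manager.</param>
/// <returns>The transport manager the session was created on.</returns>
protected OutOfProcessServerSessionTransportManager CreateSessionTransportManager(string configurationName, PSRemotingCryptoHelperServer cryptoHelper)
{
    PSSenderInfo senderInfo;
#if !UNIX
    WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();
    PSPrincipal userPrincipal = new PSPrincipal(new PSIdentity("", true, currentIdentity.Name, null), currentIdentity);
    senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#else
    PSPrincipal userPrincipal = new PSPrincipal(new PSIdentity("", true, "", null), null);
    senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#endif
    OutOfProcessServerSessionTransportManager tm = new OutOfProcessServerSessionTransportManager(originalStdOut, originalStdErr, cryptoHelper);
    ServerRemoteSession.CreateServerRemoteSession(senderInfo, _initialCommand, tm, configurationName);
    return tm;
}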