public static void ValidateLocalCertificate(string thumbprint, DateTime?futurePublishDate, bool skipAutomatedDeploymentChecks, Task.TaskErrorLoggingDelegate writeError) { if (writeError == null) { throw new ArgumentNullException("writeError"); } if (string.IsNullOrEmpty(thumbprint)) { return; } X509Store x509Store = null; try { x509Store = new X509Store(StoreLocation.LocalMachine); x509Store.Open(OpenFlags.ReadOnly); X509Certificate2Collection x509Certificate2Collection = x509Store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); if (x509Certificate2Collection.Count == 0) { writeError(new TaskException(Strings.ErrorThumbprintNotFound(thumbprint)), ErrorCategory.InvalidArgument, null); } ExchangeCertificate certificate = new ExchangeCertificate(x509Certificate2Collection[0]); OAuthTaskHelper.ValidateCertificate(certificate, futurePublishDate, skipAutomatedDeploymentChecks, writeError); } finally { if (x509Store != null) { x509Store.Close(); } } }
public static void FetchAuthMetadata(PartnerApplication partnerApplication, bool trustSslCert, bool updatePidOrRealmOrIssuer, Task.TaskWarningLoggingDelegate writeWarning, Task.TaskErrorLoggingDelegate writeError) { if (partnerApplication == null) { throw new ArgumentNullException("partnerApplication"); } if (writeWarning == null) { throw new ArgumentNullException("writeWarning"); } if (writeError == null) { throw new ArgumentNullException("writeError"); } AuthMetadata authMetadata = OAuthTaskHelper.FetchAuthMetadata(partnerApplication.AuthMetadataUrl, trustSslCert, false, writeWarning, writeError); if (updatePidOrRealmOrIssuer) { partnerApplication.ApplicationIdentifier = authMetadata.ServiceName; partnerApplication.IssuerIdentifier = authMetadata.Issuer; partnerApplication.Realm = authMetadata.Realm; } else if (!OAuthCommon.IsIdMatch(partnerApplication.ApplicationIdentifier, authMetadata.ServiceName) || !OAuthCommon.IsRealmMatchIncludingEmpty(partnerApplication.Realm, authMetadata.Realm) || !string.Equals(partnerApplication.IssuerIdentifier, authMetadata.Issuer)) { writeError(new TaskException(Strings.ErrorPidRealmIssuerDifferentFromMetadata(authMetadata.ServiceName, authMetadata.Realm, authMetadata.Issuer, partnerApplication.ApplicationIdentifier, partnerApplication.Realm, partnerApplication.IssuerIdentifier)), ErrorCategory.InvalidData, null); } partnerApplication.CertificateBytes = OAuthTaskHelper.InternalCertificateFromBase64String(authMetadata.CertificateStrings, writeError); }
public static void FetchAuthMetadata(AuthServer authServer, bool trustSslCert, bool updateIdRealm, Task.TaskWarningLoggingDelegate writeWarning, Task.TaskErrorLoggingDelegate writeError) { if (authServer == null) { throw new ArgumentNullException("authServer"); } if (writeWarning == null) { throw new ArgumentNullException("writeWarning"); } if (writeError == null) { throw new ArgumentNullException("writeError"); } AuthMetadata authMetadata = OAuthTaskHelper.FetchAuthMetadata(authServer.AuthMetadataUrl, trustSslCert, true, writeWarning, writeError); AuthMetadataParser.SetEndpointsIfWSFed(authMetadata, authServer.Type, authServer.AuthMetadataUrl); if (updateIdRealm) { authServer.IssuerIdentifier = authMetadata.ServiceName; authServer.Realm = authMetadata.Realm; } else if (!OAuthCommon.IsIdMatch(authServer.IssuerIdentifier, authMetadata.ServiceName) || !OAuthCommon.IsRealmMatchIncludingEmpty(authServer.Realm, authMetadata.Realm)) { writeError(new TaskException(Strings.ErrorPidRealmDifferentFromMetadata(authMetadata.ServiceName, authMetadata.Realm, authServer.IssuerIdentifier, authServer.Realm)), ErrorCategory.InvalidData, null); } authServer.CertificateBytes = OAuthTaskHelper.InternalCertificateFromBase64String(authMetadata.CertificateStrings, writeError); authServer.TokenIssuingEndpoint = authMetadata.IssuingEndpoint; authServer.AuthorizationEndpoint = authMetadata.AuthorizationEndpoint; }
private void TryPushCertificateInSameSite(string thumbprint) { if (this.SkipImmediateCertificateDeployment) { return; } if (!OAuthTaskHelper.IsDatacenter()) { try { if (this.serverObject != null) { FederationCertificate.PushCertificate(this.serverObject, new Task.TaskProgressLoggingDelegate(base.WriteProgress), new Task.TaskWarningLoggingDelegate(this.WriteWarning), thumbprint); } else { FederationCertificate.PushCertificate(new Task.TaskProgressLoggingDelegate(base.WriteProgress), new Task.TaskWarningLoggingDelegate(this.WriteWarning), thumbprint); } } catch (InvalidOperationException exception) { base.WriteError(exception, ErrorCategory.InvalidArgument, null); } catch (LocalizedException exception2) { base.WriteError(exception2, ErrorCategory.InvalidArgument, null); } } }
protected override IConfigurable PrepareDataObject() { this.CreateAuthServersContainer(); AuthServer authServer = (AuthServer)base.PrepareDataObject(); ADObjectId containerId = AuthServer.GetContainerId(this.ConfigurationSession); authServer.SetId(containerId.GetChildId(authServer.Name)); if (base.Fields.IsModified("AppSecretParameter")) { if (authServer.Type != AuthServerType.Facebook && authServer.Type != AuthServerType.LinkedIn) { base.WriteError(new TaskException(Strings.ErrorInvalidAuthServerTypeValue), ErrorCategory.InvalidArgument, null); } authServer.CurrentEncryptedAppSecret = OAuthTaskHelper.EncryptSecretWithDKM(this.AppSecret, new Task.TaskErrorLoggingDelegate(base.WriteError)); } else if (authServer.IsModified(AuthServerSchema.AuthMetadataUrl)) { if (!authServer.IsModified(AuthServerSchema.Type)) { authServer.Type = AuthServerType.MicrosoftACS; } else if (authServer.Type != AuthServerType.ADFS && authServer.Type != AuthServerType.AzureAD) { base.WriteError(new TaskException(Strings.ErrorInvalidAuthServerTypeValue), ErrorCategory.InvalidArgument, null); } OAuthTaskHelper.FixAuthMetadataUrl(authServer, new Task.TaskErrorLoggingDelegate(base.WriteError)); OAuthTaskHelper.FetchAuthMetadata(authServer, this.TrustAnySSLCertificate, true, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError)); } OAuthTaskHelper.ValidateAuthServerRealmAndUniqueness(authServer, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError)); return(this.DataObject); }
protected override void InternalProcessRecord() { if (this.RefreshAuthMetadata) { OAuthTaskHelper.FetchAuthMetadata(this.DataObject, this.TrustAnySSLCertificate, false, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError)); } base.InternalProcessRecord(); }
protected override IConfigurable PrepareDataObject() { AuthServer authServer = (AuthServer)base.PrepareDataObject(); if ((base.ParameterSetName == "AppSecretParameterSet" && !SetAuthServer.IsOneOfAuthServerTypes(authServer.Type, new AuthServerType[] { AuthServerType.Facebook, AuthServerType.LinkedIn })) || (base.ParameterSetName == "AuthMetadataUrlParameterSet" && !SetAuthServer.IsOneOfAuthServerTypes(authServer.Type, new AuthServerType[] { AuthServerType.MicrosoftACS, AuthServerType.AzureAD, AuthServerType.ADFS })) || (base.ParameterSetName == "NativeClientAuthServerParameterSet" && !SetAuthServer.IsOneOfAuthServerTypes(authServer.Type, new AuthServerType[] { AuthServerType.AzureAD, AuthServerType.ADFS }))) { base.WriteError(new TaskException(Strings.ErrorAuthServerCannotSwitchType), ErrorCategory.InvalidArgument, null); } if (base.Fields.IsModified("AppSecretParameter")) { authServer.CurrentEncryptedAppSecret = OAuthTaskHelper.EncryptSecretWithDKM(this.AppSecret, new Task.TaskErrorLoggingDelegate(base.WriteError)); } if (base.Fields.IsModified(AuthServerSchema.IssuerIdentifier)) { authServer.IssuerIdentifier = this.IssuerIdentifier; } if (base.Fields.IsModified(AuthServerSchema.TokenIssuingEndpoint)) { authServer.TokenIssuingEndpoint = this.TokenIssuingEndpoint; } if (base.Fields.IsModified(AuthServerSchema.ApplicationIdentifier)) { authServer.ApplicationIdentifier = this.ApplicationIdentifier; } if (base.Fields.IsModified(AuthServerSchema.AuthMetadataUrl)) { authServer.AuthMetadataUrl = this.AuthMetadataUrl; OAuthTaskHelper.FixAuthMetadataUrl(authServer, new Task.TaskErrorLoggingDelegate(base.WriteError)); OAuthTaskHelper.FetchAuthMetadata(authServer, this.TrustAnySSLCertificate, false, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError)); OAuthTaskHelper.ValidateAuthServerRealmAndUniqueness(authServer, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError)); } if (base.Fields.IsModified(AuthServerSchema.IsDefaultAuthorizationEndpoint)) { authServer.IsDefaultAuthorizationEndpoint = this.IsDefaultAuthorizationEndpoint; OAuthTaskHelper.ValidateAuthServerAuthorizationEndpoint(authServer, this.ConfigurationSession, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError)); } return(authServer); }
private void ValidateCertificate(string thumbprint, DateTime?futurePublishDate) { if (this.DataObject.OrganizationId.OrganizationalUnit != null) { base.WriteError(new TaskException(Strings.ErrorSettingCertOnTenant), ErrorCategory.InvalidArgument, null); } bool skipAutomatedDeploymentChecks = OAuthTaskHelper.IsDatacenter() || this.Force; if (this.Server == null) { OAuthTaskHelper.ValidateLocalCertificate(thumbprint, futurePublishDate, skipAutomatedDeploymentChecks, new Task.TaskErrorLoggingDelegate(base.WriteError)); return; } OAuthTaskHelper.ValidateRemoteCertificate((string)this.Server, thumbprint, futurePublishDate, skipAutomatedDeploymentChecks, new Task.TaskErrorLoggingDelegate(base.WriteError)); }
private bool ProcessEmergencyCertificateUpdate() { if (!string.IsNullOrEmpty(this.DataObject.CurrentCertificateThumbprint) && string.Compare(this.DataObject.CurrentCertificateThumbprint, this.CertificateThumbprint, StringComparison.OrdinalIgnoreCase) == 0) { this.DataObject.CurrentCertificateThumbprint = this.CertificateThumbprint; return(true); } if (!string.IsNullOrEmpty(this.DataObject.NextCertificateThumbprint) && string.Compare(this.DataObject.NextCertificateThumbprint, this.CertificateThumbprint, StringComparison.OrdinalIgnoreCase) == 0) { base.WriteError(new TaskException(Strings.ErrorCertificateAlreadyinPublish(this.CertificateThumbprint)), ErrorCategory.InvalidArgument, null); } if (!OAuthTaskHelper.IsDatacenter() && !this.Force && !base.ShouldContinue(Strings.ConfirmationMessageAuthSettingOutage)) { return(false); } this.DataObject.PreviousCertificateThumbprint = this.DataObject.CurrentCertificateThumbprint; this.DataObject.CurrentCertificateThumbprint = this.CertificateThumbprint; this.TryPushCertificateInSameSite(this.CertificateThumbprint); return(true); }
public static MultiValuedProperty <byte[]> CertificateFromBase64String(MultiValuedProperty <string> rawStrings, Task.TaskErrorLoggingDelegate writeError) { if (writeError == null) { throw new ArgumentNullException("writeError"); } if (rawStrings == null) { return(null); } string[] rawStringArray = null; try { rawStringArray = rawStrings.ToArray(); } catch (InvalidOperationException innerException) { writeError(new TaskException(Strings.ErrorNotSupportedModifyMultivaluedProperties, innerException), ErrorCategory.InvalidArgument, null); } return(OAuthTaskHelper.InternalCertificateFromBase64String(rawStringArray, writeError)); }
private static MultiValuedProperty <byte[]> InternalCertificateFromBase64String(string[] rawStringArray, Task.TaskErrorLoggingDelegate writeError) { MultiValuedProperty <byte[]> result; try { result = OAuthTaskHelper.InternalCertificateFromRawBytes((from s in rawStringArray select Convert.FromBase64String(s)).ToArray <byte[]>(), writeError); } catch (ArgumentNullException innerException) { writeError(new TaskException(Strings.ErrorInvalidBase64String, innerException), ErrorCategory.InvalidArgument, null); throw; } catch (FormatException innerException2) { writeError(new TaskException(Strings.ErrorInvalidBase64String, innerException2), ErrorCategory.InvalidArgument, null); throw; } return(result); }
protected override IConfigurable PrepareDataObject() { PartnerApplication partnerApplication = (PartnerApplication)base.PrepareDataObject(); if (base.Fields.IsModified(PartnerApplicationSchema.AuthMetadataUrl)) { if (partnerApplication.UseAuthServer) { base.WriteError(new TaskException(Strings.ErrorPartnerApplicationUseAuthServerCannotSetUrl), ErrorCategory.InvalidArgument, null); } partnerApplication.AuthMetadataUrl = this.AuthMetadataUrl; OAuthTaskHelper.FetchAuthMetadata(partnerApplication, this.TrustAnySSLCertificate, false, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError)); } else if (base.Fields.IsModified(PartnerApplicationSchema.Realm) || base.Fields.IsModified(PartnerApplicationSchema.ApplicationIdentifier) || base.Fields.IsModified(PartnerApplicationSchema.IssuerIdentifier)) { base.WriteError(new TaskException(Strings.ErrorChangePartnerApplicationDirectTrust), ErrorCategory.InvalidArgument, null); } if (base.Fields.IsModified(PartnerApplicationSchema.LinkedAccount)) { if (this.LinkedAccount == null) { partnerApplication.LinkedAccount = null; } else { ADRecipient adrecipient = (ADRecipient)base.GetDataObject <ADRecipient>(this.LinkedAccount, base.TenantGlobalCatalogSession, null, new LocalizedString?(Strings.ErrorRecipientNotFound(this.LinkedAccount.ToString())), new LocalizedString?(Strings.ErrorRecipientNotUnique(this.LinkedAccount.ToString()))); partnerApplication.LinkedAccount = adrecipient.Id; } } if (base.Fields.IsModified(PartnerApplicationSchema.AppOnlyPermissions)) { partnerApplication.AppOnlyPermissions = this.AppOnlyPermissions; } if (base.Fields.IsModified(PartnerApplicationSchema.ActAsPermissions)) { partnerApplication.ActAsPermissions = this.ActAsPermissions; } OAuthTaskHelper.ValidateApplicationRealmAndUniqueness(partnerApplication, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError)); return(partnerApplication); }
public static void ValidateRemoteCertificate(string server, string thumbprint, DateTime?futurePublishDate, bool skipAutomatedDeploymentChecks, Task.TaskErrorLoggingDelegate writeError) { if (writeError == null) { throw new ArgumentNullException("writeError"); } if (string.IsNullOrEmpty(thumbprint)) { return; } ExchangeCertificate certificate = null; FederationTrustCertificateState federationTrustCertificateState = FederationCertificate.TestForCertificate(server, thumbprint, out certificate); if (federationTrustCertificateState == FederationTrustCertificateState.ServerUnreachable) { writeError(new TaskException(Strings.ErrorCannotContactServerForCert(server, thumbprint)), ErrorCategory.InvalidArgument, null); } else if (federationTrustCertificateState != FederationTrustCertificateState.Installed) { writeError(new TaskException(Strings.ErrorThumbprintNotFound(thumbprint)), ErrorCategory.InvalidArgument, null); } OAuthTaskHelper.ValidateCertificate(certificate, futurePublishDate, skipAutomatedDeploymentChecks, writeError); }
protected override IConfigurable PrepareDataObject() { this.CreatePartnerApplicationsContainer(); PartnerApplication partnerApplication = (PartnerApplication)base.PrepareDataObject(); ADObjectId containerId = PartnerApplication.GetContainerId(this.ConfigurationSession); partnerApplication.SetId(containerId.GetChildId(partnerApplication.Name)); partnerApplication.UseAuthServer = true; if (partnerApplication.IsModified(PartnerApplicationSchema.AuthMetadataUrl)) { partnerApplication.UseAuthServer = false; OAuthTaskHelper.FetchAuthMetadata(partnerApplication, this.TrustAnySSLCertificate, true, new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.TaskErrorLoggingDelegate(base.WriteError)); } if (base.Fields.IsModified(PartnerApplicationSchema.LinkedAccount)) { if (this.LinkedAccount == null) { partnerApplication.LinkedAccount = null; } else { ADRecipient adrecipient = (ADRecipient)base.GetDataObject <ADRecipient>(this.LinkedAccount, base.TenantGlobalCatalogSession, null, new LocalizedString?(Strings.ErrorRecipientNotFound(this.LinkedAccount.ToString())), new LocalizedString?(Strings.ErrorRecipientNotUnique(this.LinkedAccount.ToString()))); partnerApplication.LinkedAccount = adrecipient.Id; } } if (base.Fields.IsModified(PartnerApplicationSchema.AppOnlyPermissions)) { partnerApplication.AppOnlyPermissions = this.AppOnlyPermissions; } if (base.Fields.IsModified(PartnerApplicationSchema.ActAsPermissions)) { partnerApplication.ActAsPermissions = this.ActAsPermissions; } OAuthTaskHelper.ValidateApplicationRealmAndUniqueness(partnerApplication, this.ConfigurationSession, new Task.TaskErrorLoggingDelegate(base.WriteError)); return(partnerApplication); }