예제 #1
        // Token: 0x0600027C RID: 636 RVA: 0x00010BB8 File Offset: 0x0000EDB8
        private static AutodiscoverAuthorizationManager.ConsentLevel? ProcessConsentLevelClaim(Claim claim)
        {
            // Maps the claim's string resource onto a ConsentLevel. Returns null when the
            // helper reports no usable string resource, or when the literal is not one of
            // the three recognised values. Matching is ordinal and case-sensitive
            // (string switch semantics), so e.g. "full" is rejected, not accepted.
            string resource;
            if (!AutodiscoverAuthorizationManager.DoesClaimHaveProperResource<string>(claim, out resource))
            {
                return null;
            }

            switch (resource)
            {
                case "NONE":
                    return AutodiscoverAuthorizationManager.ConsentLevel.None;
                case "PARTIAL":
                    return AutodiscoverAuthorizationManager.ConsentLevel.Partial;
                case "FULL":
                    return AutodiscoverAuthorizationManager.ConsentLevel.Full;
                default:
                    // Unknown literal: trace it and report "no level" rather than guessing.
                    ExTraceGlobals.AuthenticationTracer.TraceDebug<string, string, string>(0L, "{0}/{1} claim resource was not a known value: {2}", claim.ClaimType, claim.Right, resource);
                    return null;
            }
        }
예제 #2
        // Token: 0x0600027B RID: 635 RVA: 0x00010B44 File Offset: 0x0000ED44
        private static bool? ProcessTrueFalseClaim(Claim claim)
        {
            // Interprets the claim's string resource as a boolean. Only the exact literals
            // "TRUE" and "FALSE" are recognised (ordinal, case-sensitive); anything else,
            // including a missing string resource, yields null so the caller can treat the
            // claim as "not asserted" rather than as either value.
            string resource;
            if (!AutodiscoverAuthorizationManager.DoesClaimHaveProperResource<string>(claim, out resource))
            {
                return null;
            }

            switch (resource)
            {
                case "TRUE":
                    return true;
                case "FALSE":
                    return false;
                default:
                    ExTraceGlobals.AuthenticationTracer.TraceDebug<string, string, string>(0L, "{0}/{1} claim resource was not a known value: {2}", claim.ClaimType, claim.Right, resource);
                    return null;
            }
        }
예제 #3
        // Token: 0x0600027D RID: 637 RVA: 0x00010D88 File Offset: 0x0000EF88
        /// <summary>
        /// Authorizes a Live ID token caller from its claim sets. Requires an
        /// Authentication/PossessProperty claim plus a PUID or ConsumerPUID resource, resolves the
        /// user in AD by NetID, runs the TOU/parental-control check unless the organization opts out,
        /// and finally installs a <see cref="WindowsPrincipal"/> on the current HttpContext.
        /// </summary>
        /// <param name="operationContext">WCF operation context handed to the 401/403/redirect helpers.</param>
        /// <param name="claimSets">Claim sets presented by the caller.</param>
        /// <returns>
        /// true when the caller was mapped to a Windows principal; otherwise the result of the
        /// Return401UnauthorizedResponse / Return403UnauthorizedResponse / RedirectCaller helper
        /// (presumably false after the response has been written), or false when the TOU checks fail.
        /// </returns>
        private static bool CheckClaimSets(OperationContext operationContext, ReadOnlyCollection <ClaimSet> claimSets)
        {
            // Tag the request for logging before any early exit below.
            HttpContext.Current.Items["AuthType"] = "LiveIdToken";
            claimSets.TraceClaimSets();
            // flag  : a PUID claim with a string resource was seen (resource in text)
            // flag2 : a ConsumerPUID claim with a string resource was seen (resource in text2)
            // flag3 : an Authentication/PossessProperty claim was seen
            // Each matching claim overwrites the previous one (last match wins); the scan stops
            // as soon as all three have been seen, so later claims are ignored.
            bool   flag  = false;
            bool   flag2 = false;
            bool   flag3 = false;
            string text  = null;
            string text2 = null;

            foreach (ClaimSet claimSet in claimSets)
            {
                foreach (Claim claim in claimSet)
                {
                    if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/PUID", Rights.PossessProperty))
                    {
                        flag = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource <string>(claim, out text);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/ConsumerPUID", Rights.PossessProperty))
                    {
                        flag2 = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource <string>(claim, out text2);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, ClaimTypes.Authentication, Rights.PossessProperty))
                    {
                        flag3 = true;
                    }
                    if (flag && flag2 && flag3)
                    {
                        break;
                    }
                }
                if (flag && flag2 && flag3)
                {
                    break;
                }
            }
            // The authentication claim is mandatory; of the two PUID variants at least one
            // resource must be present. Note this tests text/text2 for null rather than
            // flag/flag2 — NOTE(review): relies on DoesClaimHaveProperResource leaving the out
            // parameter null on failure; confirm against the helper.
            if (!flag3 || (text == null && text2 == null))
            {
                string reason = string.Format("Did not find all necessary claims. PUID: {0}; ConsumerPUID: {1}; Auth/Possess: {2}", flag, flag2, flag3);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason));
            }
            // ConsumerPUID takes precedence over PUID when both were presented.
            string userId = (text2 == null) ? text : text2;

            RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("UserPUID", userId);

            SmtpAddress smtpAddress;

            // The e-mail address claim is needed to pick the AD session settings (tenant) below.
            if (!AutodiscoverAuthorizationManager.TryGetEmailAddressInClaimSets(claimSets, out smtpAddress))
            {
                string reason2 = string.Format("Did not find EmailAddress claim for PUID: {0}; ", userId);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason2));
            }
            // Attributes to read for the resolved user; consumed further down.
            PropertyDefinition[] propertyDefinitionArrayUPN = new PropertyDefinition[]
            {
                ADUserSchema.UserPrincipalName,
                ADMailboxRecipientSchema.SamAccountName,
                ADObjectSchema.OrganizationId
            };
            ADRawEntry adRawEntry = null;

            try
            {
                // isRootOrgLookup is captured and set by the delegate; the NetID lookup is only
                // performed for non-root organizations, root-org callers get a 403 afterwards.
                bool isRootOrgLookup = false;
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.TrackLatency(ServiceLatencyMetadata.CallerADLatency, delegate()
                {
                    // Each AD step is timed individually and recorded in the request log.
                    DateTime utcNow = DateTime.UtcNow;
                    ADSessionSettings adsessionSettings = Common.SessionSettingsFromAddress(smtpAddress.ToString());
                    RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("CheckClaimSets_SmtpAddress", smtpAddress.ToString());
                    RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_ChkClaim_SessionSettingsFromAddress", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                    utcNow          = DateTime.UtcNow;
                    isRootOrgLookup = OrganizationId.ForestWideOrgId.Equals(adsessionSettings.CurrentOrganizationId);
                    if (!isRootOrgLookup)
                    {
                        // The trailing int/string/string arguments look like decompiled caller-info
                        // (line, member, file) — presumably only used for tracing; confirm against the factory.
                        ITenantRecipientSession tenantRecipientSession = DirectorySessionFactory.Default.CreateTenantRecipientSession(true, ConsistencyMode.IgnoreInvalid, adsessionSettings, 596, "CheckClaimSets", "f:\\15.00.1497\\sources\\dev\\autodisc\\src\\WCF\\AutodiscoverAuthorizationManager.cs");
                        RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_TenantRecipientSession", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                        utcNow     = DateTime.UtcNow;
                        adRawEntry = tenantRecipientSession.FindUniqueEntryByNetID(userId, propertyDefinitionArrayUPN);
                        RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_FindUniqueEntryByNetID", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                    }
                });

                if (isRootOrgLookup)
                {
                    return(AutodiscoverAuthorizationManager.Return403UnauthorizedResponse(operationContext, "NetID lookup for root org user is not allowed"));
                }
            }
            // Only the ambiguity case is handled here; any other exception from the AD calls propagates.
            catch (NonUniqueRecipientException arg)
            {
                ExTraceGlobals.AuthenticationTracer.TraceDebug <NonUniqueRecipientException>(0L, "FindUniqueEntryByNetId threw exception: {0}", arg);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Found more than 1 user by NetID in AD"));
            }
            // No user for this NetID in the tenant: redirect the caller based on the SMTP address.
            if (adRawEntry == null)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericError("Redirect as we are unable to find user:.", userId);

                return(AutodiscoverAuthorizationManager.RedirectCaller(operationContext, smtpAddress.ToString()));
            }
            // text3 (sAMAccountName@forestFQDN) is the name handed to WindowsIdentity below;
            // text4 is the directory UPN and is only used for tracing/context.
            string         arg2           = (string)adRawEntry[ADMailboxRecipientSchema.SamAccountName];
            string         text3          = string.Format("{0}@{1}", arg2, adRawEntry.Id.GetPartitionId().ForestFQDN);
            string         text4          = (string)adRawEntry[ADUserSchema.UserPrincipalName];
            OrganizationId organizationId = (OrganizationId)adRawEntry[ADObjectSchema.OrganizationId];

            HttpContext.Current.Items["UserOrganizationId"] = organizationId;
            OrganizationProperties organizationProperties;

            if (!OrganizationPropertyCache.TryGetOrganizationProperties(organizationId, out organizationProperties))
            {
                ExTraceGlobals.AuthenticationTracer.TraceError <OrganizationId, string>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] Logon failed: could not locate org info for organization {0} even though user from this org was found {1}", organizationId, text4);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Could not find organization info via OrganizationPropertyCache"));
            }
            // TOU/parental-control gate: skipped when the organization opts out; otherwise both
            // helper invocations must fail before the caller is rejected. No response helper is
            // called on this path — presumably CheckClaimSetsForTOUClaims writes its own; confirm.
            if (!organizationProperties.SkipToUAndParentalControlCheck && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, true) && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, false))
            {
                return(false);
            }
            WindowsIdentity windowsIdentity = null;

            try
            {
                windowsIdentity = new WindowsIdentity(text3);
            }
            // In both catch blocks windowsIdentity is still null (the constructor threw before
            // assignment), so the "Identity" placeholder always traces as "<NULL>".
            catch (UnauthorizedAccessException ex)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendAuthError("WindowsIdentity_UnauthorizedAccessException", ex.ToString());

                ExTraceGlobals.AuthenticationTracer.TraceError <string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] UnauthorizedAccessException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a UnauthorizedAccessException"));
            }
            catch (SecurityException ex2)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendAuthError("WindowsIdentity_SecurityException", ex2.ToString());

                ExTraceGlobals.AuthenticationTracer.TraceError <string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] SecurityException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex2.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a SecurityException"));
            }
            string org = null;

            if (organizationId != null && organizationId.OrganizationalUnit != null)
            {
                org = organizationId.OrganizationalUnit.Name;
            }
            AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(text4, org);
            // The request now runs as the resolved Windows user.
            HttpContext.Current.User = new WindowsPrincipal(windowsIdentity);
            return(true);
        }