// Token: 0x0600027F RID: 639 RVA: 0x0001122C File Offset: 0x0000F42C
/// <summary>
/// Checks the parental-control / terms-of-use claims carried in <paramref name="claimSets"/>:
/// the Child, TOUAccepted and ConsentLevel claim types, in their Consumer* form or their
/// plain form depending on <paramref name="checkConsumerClaims"/>.
/// </summary>
/// <param name="operationContext">WCF operation context handed to the 401 helper when a check fails.</param>
/// <param name="claimSets">Claim sets to scan; only claims carrying the PossessProperty right are considered.</param>
/// <param name="checkConsumerClaims">True to look for the Consumer* claim types, false for the enterprise ones.</param>
/// <returns>
/// True when the claims are present and consistent (TOU accepted, and a child has a consent
/// level other than None). False, without writing any response, when the consumer variant was
/// requested and none of the three claims exists at all, so the caller can fall back to the
/// enterprise variant. Otherwise the value returned by Return401UnauthorizedResponse for the
/// failed check.
/// </returns>
private static bool CheckClaimSetsForTOUClaims(OperationContext operationContext, ReadOnlyCollection<ClaimSet> claimSets, bool checkConsumerClaims)
{
    string childClaimType = checkConsumerClaims
        ? "http://schemas.xmlsoap.org/claims/ConsumerChild"
        : "http://schemas.xmlsoap.org/claims/Child";
    string touAcceptedClaimType = checkConsumerClaims
        ? "http://schemas.xmlsoap.org/claims/ConsumerTOUAccepted"
        : "http://schemas.xmlsoap.org/claims/TOUAccepted";
    string consentLevelClaimType = checkConsumerClaims
        ? "http://schemas.xmlsoap.org/claims/ConsumerConsentLevel"
        : "http://schemas.xmlsoap.org/claims/ConsentLevel";

    bool? isChild = null;
    bool? touAccepted = null;
    AutodiscoverAuthorizationManager.ConsentLevel? consentLevel = null;

    // Becomes true once every claim this check can use has been seen: the child and TOU
    // claims always, the consent level only when the user turned out to be a child.
    bool haveAllClaims = false;
    foreach (ClaimSet claimSet in claimSets)
    {
        foreach (Claim claim in claimSet)
        {
            if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, childClaimType, Rights.PossessProperty))
            {
                isChild = AutodiscoverAuthorizationManager.ProcessTrueFalseClaim(claim);
            }
            else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, touAcceptedClaimType, Rights.PossessProperty))
            {
                touAccepted = AutodiscoverAuthorizationManager.ProcessTrueFalseClaim(claim);
            }
            else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, consentLevelClaimType, Rights.PossessProperty))
            {
                consentLevel = AutodiscoverAuthorizationManager.ProcessConsentLevelClaim(claim);
            }

            haveAllClaims = isChild != null && touAccepted != null && (!isChild.Value || consentLevel != null);
            if (haveAllClaims)
            {
                break;
            }
        }

        if (haveAllClaims)
        {
            break;
        }
    }

    // Consumer variant with nothing found at all is not a failure; no response is written
    // so the caller can try the enterprise claim types instead.
    if (checkConsumerClaims && isChild == null && touAccepted == null && consentLevel == null)
    {
        return false;
    }

    if (isChild == null)
    {
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Didn't find child claim");
    }

    if (touAccepted == null)
    {
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Didn't find TOU claim");
    }

    if (isChild.Value && consentLevel == null)
    {
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Didn't find consent level claim for child");
    }

    if (!touAccepted.Value)
    {
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "TOU was not accepted");
    }

    // A child account needs a consent level other than None. consentLevel is non-null here
    // because the child-without-consent-level case was rejected above.
    if (isChild.Value && consentLevel.Value == AutodiscoverAuthorizationManager.ConsentLevel.None)
    {
        return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Child with no consent");
    }

    return true;
}
// Token: 0x0600027D RID: 637 RVA: 0x00010D88 File Offset: 0x0000EF88
/// <summary>
/// Authorizes a LiveId-token caller from its claim sets: locates the PUID / ConsumerPUID and
/// Authentication claims, resolves the account in the tenant directory by NetID, runs the
/// terms-of-use / parental-control checks, and finally installs a WindowsPrincipal for the
/// resolved account on the current HttpContext.
/// </summary>
/// <param name="operationContext">WCF operation context passed to the 401 / 403 / redirect helpers on failure.</param>
/// <param name="claimSets">
/// Claim sets extracted from the caller's token. This method does not validate the token
/// itself; it trusts whatever produced these claim sets.
/// </param>
/// <returns>
/// True when the caller is authorized and HttpContext.Current.User has been set; otherwise
/// the value returned by the response helper that handled the failure, or false when the
/// TOU / parental-control check failed.
/// </returns>
private static bool CheckClaimSets(OperationContext operationContext, ReadOnlyCollection<ClaimSet> claimSets)
{
    // Record the authentication type in the request's item bag.
    HttpContext.Current.Items["AuthType"] = "LiveIdToken";
    claimSets.TraceClaimSets();

    // flag:  PUID claim found with a string resource (value in text)
    // flag2: ConsumerPUID claim found with a string resource (value in text2)
    // flag3: an Authentication claim with the PossessProperty right was seen
    bool flag = false;
    bool flag2 = false;
    bool flag3 = false;
    string text = null;
    string text2 = null;
    foreach (ClaimSet claimSet in claimSets)
    {
        foreach (Claim claim in claimSet)
        {
            if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/PUID", Rights.PossessProperty))
            {
                flag = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource<string>(claim, out text);
            }
            else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/ConsumerPUID", Rights.PossessProperty))
            {
                flag2 = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource<string>(claim, out text2);
            }
            else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, ClaimTypes.Authentication, Rights.PossessProperty))
            {
                flag3 = true;
            }
            // All three claims seen: stop scanning.
            if (flag && flag2 && flag3)
            {
                break;
            }
        }
        if (flag && flag2 && flag3)
        {
            break;
        }
    }

    // An Authentication claim and at least one of the two PUID values are required;
    // the reason string reports which of the three were found.
    if (!flag3 || (text == null && text2 == null))
    {
        string reason = string.Format("Did not find all necessary claims. PUID: {0}; ConsumerPUID: {1}; Auth/Possess: {2}", flag, flag2, flag3);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason));
    }

    // ConsumerPUID wins when both identifiers are present.
    string userId = (text2 == null) ? text : text2;
    RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("UserPUID", userId);

    // The e-mail address claim selects the tenant the directory lookup runs in
    // (SessionSettingsFromAddress below) and is the redirect target if the user is not found.
    SmtpAddress smtpAddress;
    if (!AutodiscoverAuthorizationManager.TryGetEmailAddressInClaimSets(claimSets, out smtpAddress))
    {
        string reason2 = string.Format("Did not find EmailAddress claim for PUID: {0}; ", userId);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason2));
    }

    // Attributes read back from the directory entry below.
    PropertyDefinition[] propertyDefinitionArrayUPN = new PropertyDefinition[]
    {
        ADUserSchema.UserPrincipalName,
        ADMailboxRecipientSchema.SamAccountName,
        ADObjectSchema.OrganizationId
    };
    ADRawEntry adRawEntry = null;
    try
    {
        // isRootOrgLookup and adRawEntry are captured locals written by the delegate; the
        // code after TrackLatency relies on the delegate having run by the time it returns.
        bool isRootOrgLookup = false;
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.TrackLatency(ServiceLatencyMetadata.CallerADLatency, delegate()
        {
            // utcNow is reset before each directory step so every AD_* entry is a per-step duration.
            DateTime utcNow = DateTime.UtcNow;
            ADSessionSettings adsessionSettings = Common.SessionSettingsFromAddress(smtpAddress.ToString());
            RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("CheckClaimSets_SmtpAddress", smtpAddress.ToString());
            RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("AD_ChkClaim_SessionSettingsFromAddress", (DateTime.UtcNow - utcNow).TotalMilliseconds);
            utcNow = DateTime.UtcNow;
            // No NetID lookup is performed at all when the address resolves to the forest-wide org.
            isRootOrgLookup = OrganizationId.ForestWideOrgId.Equals(adsessionSettings.CurrentOrganizationId);
            if (!isRootOrgLookup)
            {
                ITenantRecipientSession tenantRecipientSession = DirectorySessionFactory.Default.CreateTenantRecipientSession(true, ConsistencyMode.IgnoreInvalid, adsessionSettings, 596, "CheckClaimSets", "f:\\15.00.1497\\sources\\dev\\autodisc\\src\\WCF\\AutodiscoverAuthorizationManager.cs");
                RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("AD_TenantRecipientSession", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                utcNow = DateTime.UtcNow;
                adRawEntry = tenantRecipientSession.FindUniqueEntryByNetID(userId, propertyDefinitionArrayUPN);
                RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericInfo("AD_FindUniqueEntryByNetID", (DateTime.UtcNow - utcNow).TotalMilliseconds);
            }
        });
        // Root-org accounts are refused (403) rather than resolved by NetID.
        if (isRootOrgLookup)
        {
            return (AutodiscoverAuthorizationManager.Return403UnauthorizedResponse(operationContext, "NetID lookup for root org user is not allowed"));
        }
    }
    catch (NonUniqueRecipientException arg)
    {
        // More than one directory object carries this NetID: the identity is ambiguous, refuse.
        ExTraceGlobals.AuthenticationTracer.TraceDebug<NonUniqueRecipientException>(0L, "FindUniqueEntryByNetId threw exception: {0}", arg);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Found more than 1 user by NetID in AD"));
    }

    // Not found in this tenant: hand the caller a redirect based on the e-mail address claim.
    // What RedirectCaller derives from that address is not visible here.
    if (adRawEntry == null)
    {
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendGenericError("Redirect as we are unable to find user:.", userId);
        return (AutodiscoverAuthorizationManager.RedirectCaller(operationContext, smtpAddress.ToString()));
    }

    // text3 is the "<sAMAccountName>@<forest FQDN>" name used for the WindowsIdentity logon
    // below; text4 is the directory UPN, used in traces and PushUserAndOrgInfoToContext.
    string arg2 = (string)adRawEntry[ADMailboxRecipientSchema.SamAccountName];
    string text3 = string.Format("{0}@{1}", arg2, adRawEntry.Id.GetPartitionId().ForestFQDN);
    string text4 = (string)adRawEntry[ADUserSchema.UserPrincipalName];
    OrganizationId organizationId = (OrganizationId)adRawEntry[ADObjectSchema.OrganizationId];
    HttpContext.Current.Items["UserOrganizationId"] = organizationId;

    // Organization properties decide whether the TOU / parental-control check applies.
    OrganizationProperties organizationProperties;
    if (!OrganizationPropertyCache.TryGetOrganizationProperties(organizationId, out organizationProperties))
    {
        ExTraceGlobals.AuthenticationTracer.TraceError<OrganizationId, string>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] Logon failed: could not locate org info for organization {0} even though user from this org was found {1}", organizationId, text4);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Could not find organization info via OrganizationPropertyCache"));
    }

    // Consumer claim variant first; the enterprise variant is consulted only when the consumer
    // variant returns false. NOTE(review): the consumer attempt may already have gone through
    // Return401UnauthorizedResponse before returning false (partial consumer claims), in which
    // case the enterprise check still runs — confirm that ordering is intended.
    if (!organizationProperties.SkipToUAndParentalControlCheck && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, true) && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, false))
    {
        return (false);
    }

    // NOTE(review): the WindowsIdentity(string) constructor obtains a logon token for the named
    // account without any credential (S4U). The token claims are the only proof of identity at
    // this point, so this step is only as strong as the token validation that produced claimSets.
    WindowsIdentity windowsIdentity = null;
    try
    {
        windowsIdentity = new WindowsIdentity(text3);
    }
    catch (UnauthorizedAccessException ex)
    {
        // windowsIdentity is still null when the constructor throws, so the Identity
        // placeholder in this trace is always "<NULL>".
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendAuthError("WindowsIdentity_UnauthorizedAccessException", ex.ToString());
        ExTraceGlobals.AuthenticationTracer.TraceError<string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] UnauthorizedAccessException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a UnauthorizedAccessException"));
    }
    catch (SecurityException ex2)
    {
        // Same as above: windowsIdentity is null here, the Identity field always reads "<NULL>".
        RequestDetailsLoggerBase<RequestDetailsLogger>.Current.AppendAuthError("WindowsIdentity_SecurityException", ex2.ToString());
        ExTraceGlobals.AuthenticationTracer.TraceError<string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] SecurityException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex2.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
        return (AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a SecurityException"));
    }

    // org stays null when the organization has no OrganizationalUnit.
    string org = null;
    if (organizationId != null && organizationId.OrganizationalUnit != null)
    {
        org = organizationId.OrganizationalUnit.Name;
    }
    AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(text4, org);

    // Authorization succeeded: the request now runs under the resolved Windows account.
    HttpContext.Current.User = new WindowsPrincipal(windowsIdentity);
    return (true);
}