        // Token: 0x06000286 RID: 646 RVA: 0x000118C4 File Offset: 0x0000FAC4
        // Authenticates a caller whose WS-Security header carried an X.509 certificate:
        // builds an X509CertUser from the claim sets, resolves it to a Windows identity and,
        // on success, installs that identity as HttpContext.Current.User together with the
        // user's organization id. Either failure writes a 401 to the operation context and
        // returns false. The AuthType marker is written first so it is present even on failure.
        private static bool CheckClaimSetsForX509CertUser(AuthorizationContext authorizationContext, OperationContext operationContext)
        {
            HttpContext.Current.Items["AuthType"] = "X509Cert";

            ReadOnlyCollection<ClaimSet> claimSets = authorizationContext.ClaimSets;
            claimSets.TraceClaimSets();

            X509CertUser certUser;
            bool certUserCreated = X509CertUser.TryCreateX509CertUser(claimSets, out certUser);
            if (!certUserCreated)
            {
                ExTraceGlobals.AuthenticationTracer.TraceDebug(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForX509CertUser] unable to create the x509certuser");
                AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "unable to create the X509CertUser based on the given claim sets.");
                return false;
            }

            OrganizationId organizationId;
            WindowsIdentity windowsIdentity;
            string failureReason;
            bool identityResolved = certUser.TryGetWindowsIdentity(out organizationId, out windowsIdentity, out failureReason);
            if (!identityResolved)
            {
                ExTraceGlobals.AuthenticationTracer.TraceDebug<X509CertUser>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForX509CertUser] unable to find the windows identity for cert user: {0}", certUser);
                // The reason string is what the caller sees in the 401; it carries the cert
                // user's string form and the resolver's own message.
                string reason = string.Format("unable to find the windows identity for the given cert {0}, reason: {1}", certUser, failureReason);
                AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason);
                return false;
            }

            ExTraceGlobals.AuthenticationTracer.TraceDebug<string, string>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForX509CertUser] ws-security header contains the x509 cert user identity: {0}, upn: {1}", Common.GetIdentityNameForTrace(windowsIdentity), certUser.UserPrincipalName);

            // No organization name is available on this path (null); only the organization id
            // is stored, under the "UserOrganizationId" context item.
            AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(certUser.UserPrincipalName, null);
            HttpContext.Current.Items["UserOrganizationId"] = organizationId;
            HttpContext.Current.User = new WindowsPrincipal(windowsIdentity);
            return true;
        }
        // Token: 0x06000285 RID: 645 RVA: 0x000117FC File Offset: 0x0000F9FC
        // Authenticates a caller presenting a partner token. The claim sets must yield a
        // delegated principal and the organization id it acts for; otherwise the
        // partner-token unauthorized counter is bumped and the parser's error message is
        // returned as the 401 reason. On success the principal's string form (and the part
        // of it before the first backslash, used as the org name) is pushed to the context
        // and the caller becomes a WindowsPrincipal over a PartnerIdentity.
        private static bool CheckClaimSetsForPartnerUser(AuthorizationContext authorizationContext, OperationContext operationContext)
        {
            HttpContext.Current.Items["AuthType"] = "Partner";
            PerformanceCounters.UpdateRequestsReceivedWithPartnerToken();

            ReadOnlyCollection<ClaimSet> claimSets = authorizationContext.ClaimSets;
            claimSets.TraceClaimSets();

            DelegatedPrincipal delegatedPrincipal;
            OrganizationId delegatedOrganizationId;
            string errorMessage;
            bool tokenAccepted = PartnerToken.TryGetDelegatedPrincipalAndOrganizationId(claimSets, out delegatedPrincipal, out delegatedOrganizationId, out errorMessage);
            if (!tokenAccepted)
            {
                ExTraceGlobals.AuthenticationTracer.TraceError<string>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] unable to create partner identity, error message: {0}", errorMessage);
                PerformanceCounters.UpdateUnauthorizedRequestsReceivedWithPartnerToken();
                // The parser's message is forwarded verbatim to the caller as the 401 reason.
                AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, errorMessage);
                return false;
            }

            ExTraceGlobals.AuthenticationTracer.TraceDebug<DelegatedPrincipal>(0L, "[AutodiscoverAuthorizationManager.CheckClaimSetsForPartnerUser] ws-security header contains the partner identity: {0}", delegatedPrincipal);

            string principalName = delegatedPrincipal.ToString();
            if (!string.IsNullOrEmpty(principalName))
            {
                // Org name is the text before the first backslash, or the whole string when
                // there is none (same result as Split('\\')[0]).
                int separatorIndex = principalName.IndexOf('\\');
                string orgName = separatorIndex < 0 ? principalName : principalName.Substring(0, separatorIndex);
                AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(principalName, orgName);
            }

            HttpContext.Current.User = new WindowsPrincipal(PartnerIdentity.Create(delegatedPrincipal, delegatedOrganizationId));
            return true;
        }
        // Token: 0x06000284 RID: 644 RVA: 0x000115F4 File Offset: 0x0000F7F4
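        // Authenticates a federated ("External") caller from the SAML token in the WS-Security
        // header. Steps: take the first SamlSecurityToken among the supporting tokens, require
        // federation to be enabled, validate the token for the Autodiscover offer and require a
        // well-formed e-mail address in the result, then optionally decrypt a SharingSecurity
        // header with the proof token from validation. On success the caller becomes a
        // GenericPrincipal (no roles) wrapping an ExternalIdentity built from the validated
        // e-mail address and the decrypted sharing value. Every failure writes a 401 and
        // returns false. Exception detail stays in the server-side trace and is never placed
        // in the 401 reason sent to the (unauthenticated) caller.
        private static bool CheckClaimSetsForExternalUser(AuthorizationContext authorizationContext, OperationContext operationContext)
        {
            HttpContext.Current.Items["AuthType"] = "External";

            // Only the first SAML token is used; supporting tokens of other types are skipped.
            SamlSecurityToken samlSecurityToken = null;
            foreach (SupportingTokenSpecification supportingTokenSpecification in operationContext.SupportingTokens)
            {
                samlSecurityToken = supportingTokenSpecification.SecurityToken as SamlSecurityToken;
                if (samlSecurityToken != null)
                {
                    break;
                }
            }
            if (samlSecurityToken == null)
            {
                ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Found no security token in authorization context");
                return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Cannot find security token in authorization context");
            }

            ExternalAuthentication current = ExternalAuthentication.GetCurrent();
            if (!current.Enabled)
            {
                ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Federation is not enabled");
                return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Federation is not enabled");
            }

            // A token that validates but carries no usable e-mail address is rejected too,
            // because that address becomes the external identity below.
            TokenValidationResults tokenValidationResults = current.TokenValidator.ValidateToken(samlSecurityToken, Offer.Autodiscover);
            if (tokenValidationResults.Result != TokenValidationResult.Valid || !SmtpAddress.IsValidSmtpAddress(tokenValidationResults.EmailAddress))
            {
                ExTraceGlobals.AuthenticationTracer.TraceError<TokenValidationResults>(0L, "Validation of security token in WS-Security header failed: {0}", tokenValidationResults);
                return AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the delegation failed");
            }

            // The SharingSecurity header is optional. When present it must decrypt, using the
            // proof token from validation, to a non-empty address.
            SmtpAddress smtpAddress = SmtpAddress.Empty;
            int sharingSecurityHeaderIndex = -1;
            try
            {
                sharingSecurityHeaderIndex = operationContext.IncomingMessageHeaders.FindHeader("SharingSecurity", "http://schemas.microsoft.com/exchange/services/2006/types");
            }
            catch (MessageHeaderException ex)
            {
                // Trace the full exception server-side only. The previous code appended
                // ex.ToString() (type names, message, stack frames) to the 401 reason
                // returned to the caller; the response now carries a fixed message.
                ExTraceGlobals.AuthenticationTracer.TraceError<MessageHeaderException>(0L, "Exception when looking for SharingSecurity header in request: {0}", ex);
                AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Exception when looking for SharingSecurity header in request");
                return false;
            }

            if (sharingSecurityHeaderIndex < 0)
            {
                ExTraceGlobals.AuthenticationTracer.TraceDebug(0L, "Request has no SharingSecurity header");
            }
            else
            {
                XmlElement header = operationContext.IncomingMessageHeaders.GetHeader<XmlElement>(sharingSecurityHeaderIndex);
                smtpAddress = SharingKeyHandler.Decrypt(header, tokenValidationResults.ProofToken);
                if (smtpAddress == SmtpAddress.Empty)
                {
                    // The raw header XML goes to the trace only; the caller gets a generic reason.
                    ExTraceGlobals.AuthenticationTracer.TraceError<string>(0L, "SharingSecurity is present but invalid: {0}", header.OuterXml);
                    AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the SharingSecurity failed");
                    return false;
                }
                ExTraceGlobals.AuthenticationTracer.TraceDebug<SmtpAddress>(0L, "SharingSecurity header contains external identity: {0}", smtpAddress);
            }

            // No organization name is known for an external caller (null).
            AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(tokenValidationResults.EmailAddress, null);
            HttpContext.Current.User = new GenericPrincipal(new ExternalIdentity(new SmtpAddress(tokenValidationResults.EmailAddress), smtpAddress), null);
            return true;
        }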
        // Token: 0x0600027D RID: 637 RVA: 0x00010D88 File Offset: 0x0000EF88
        // Authenticates a caller presenting a Live ID token. The claim sets must contain an
        // Authentication claim plus at least one of PUID / ConsumerPUID; the chosen PUID is
        // resolved to a single AD entry inside the tenant derived from the EmailAddress claim.
        // Root-org lookups are refused with 403, an unresolvable entry triggers a redirect,
        // and (unless the org opts out) terms-of-use claims are enforced. On success a
        // WindowsIdentity built from "<samAccountName>@<forest FQDN>" becomes the current
        // principal. Failure paths write a 401/403 (or redirect) to the operation context and
        // return false.
        private static bool CheckClaimSets(OperationContext operationContext, ReadOnlyCollection <ClaimSet> claimSets)
        {
            HttpContext.Current.Items["AuthType"] = "LiveIdToken";
            claimSets.TraceClaimSets();
            // flag/flag2: the PUID / ConsumerPUID claim was found AND carried a proper resource
            // (text/text2 hold the extracted values). flag3: an Authentication/PossessProperty
            // claim was seen. The loops stop as soon as all three are satisfied.
            bool   flag  = false;
            bool   flag2 = false;
            bool   flag3 = false;
            string text  = null;
            string text2 = null;

            foreach (ClaimSet claimSet in claimSets)
            {
                foreach (Claim claim in claimSet)
                {
                    if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/PUID", Rights.PossessProperty))
                    {
                        flag = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource <string>(claim, out text);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/ConsumerPUID", Rights.PossessProperty))
                    {
                        flag2 = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource <string>(claim, out text2);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, ClaimTypes.Authentication, Rights.PossessProperty))
                    {
                        flag3 = true;
                    }
                    if (flag && flag2 && flag3)
                    {
                        break;
                    }
                }
                if (flag && flag2 && flag3)
                {
                    break;
                }
            }
            // The gate is on the extracted values, not on flag/flag2; whether
            // DoesClaimHaveProperResource can return false and still set the out value is
            // not visible here (NOTE(review): confirm, since a non-null text would then pass).
            if (!flag3 || (text == null && text2 == null))
            {
                string reason = string.Format("Did not find all necessary claims. PUID: {0}; ConsumerPUID: {1}; Auth/Possess: {2}", flag, flag2, flag3);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason));
            }
            // ConsumerPUID takes precedence over PUID when both are present.
            string userId = (text2 == null) ? text : text2;

            RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("UserPUID", userId);

            SmtpAddress smtpAddress;

            if (!AutodiscoverAuthorizationManager.TryGetEmailAddressInClaimSets(claimSets, out smtpAddress))
            {
                string reason2 = string.Format("Did not find EmailAddress claim for PUID: {0}; ", userId);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason2));
            }
            // Only these three attributes are read from the AD entry below.
            PropertyDefinition[] propertyDefinitionArrayUPN = new PropertyDefinition[]
            {
                ADUserSchema.UserPrincipalName,
                ADMailboxRecipientSchema.SamAccountName,
                ADObjectSchema.OrganizationId
            };
            ADRawEntry adRawEntry = null;

            try
            {
                // The EmailAddress claim selects the tenant (session settings); the PUID
                // selects the entry within it. The address itself is not compared against
                // the entry that is found here (NOTE(review): presumably guaranteed by the
                // token issuer — verify).
                bool isRootOrgLookup = false;
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.TrackLatency(ServiceLatencyMetadata.CallerADLatency, delegate()
                {
                    // Each AD step is timed separately and reported via AppendGenericInfo.
                    DateTime utcNow = DateTime.UtcNow;
                    ADSessionSettings adsessionSettings = Common.SessionSettingsFromAddress(smtpAddress.ToString());
                    RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("CheckClaimSets_SmtpAddress", smtpAddress.ToString());
                    RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_ChkClaim_SessionSettingsFromAddress", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                    utcNow          = DateTime.UtcNow;
                    // A NetID lookup is never performed against the forest-wide (root) org;
                    // the flag is checked after the delegate returns and turns into a 403.
                    isRootOrgLookup = OrganizationId.ForestWideOrgId.Equals(adsessionSettings.CurrentOrganizationId);
                    if (!isRootOrgLookup)
                    {
                        ITenantRecipientSession tenantRecipientSession = DirectorySessionFactory.Default.CreateTenantRecipientSession(true, ConsistencyMode.IgnoreInvalid, adsessionSettings, 596, "CheckClaimSets", "f:\\15.00.1497\\sources\\dev\\autodisc\\src\\WCF\\AutodiscoverAuthorizationManager.cs");
                        RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_TenantRecipientSession", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                        utcNow     = DateTime.UtcNow;
                        adRawEntry = tenantRecipientSession.FindUniqueEntryByNetID(userId, propertyDefinitionArrayUPN);
                        RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_FindUniqueEntryByNetID", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                    }
                });

                if (isRootOrgLookup)
                {
                    return(AutodiscoverAuthorizationManager.Return403UnauthorizedResponse(operationContext, "NetID lookup for root org user is not allowed"));
                }
            }
            catch (NonUniqueRecipientException arg)
            {
                // Ambiguous NetID: refuse rather than pick one of the matches.
                ExTraceGlobals.AuthenticationTracer.TraceDebug <NonUniqueRecipientException>(0L, "FindUniqueEntryByNetId threw exception: {0}", arg);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Found more than 1 user by NetID in AD"));
            }
            if (adRawEntry == null)
            {
                // Unknown in this tenant: redirect the caller using the claimed address
                // rather than failing outright.
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericError("Redirect as we are unable to find user:.", userId);

                return(AutodiscoverAuthorizationManager.RedirectCaller(operationContext, smtpAddress.ToString()));
            }
            // text3 is the UPN-shaped logon name used to build the WindowsIdentity; text4 is
            // the directory UPN pushed to the context.
            string         arg2           = (string)adRawEntry[ADMailboxRecipientSchema.SamAccountName];
            string         text3          = string.Format("{0}@{1}", arg2, adRawEntry.Id.GetPartitionId().ForestFQDN);
            string         text4          = (string)adRawEntry[ADUserSchema.UserPrincipalName];
            OrganizationId organizationId = (OrganizationId)adRawEntry[ADObjectSchema.OrganizationId];

            HttpContext.Current.Items["UserOrganizationId"] = organizationId;
            OrganizationProperties organizationProperties;

            if (!OrganizationPropertyCache.TryGetOrganizationProperties(organizationId, out organizationProperties))
            {
                ExTraceGlobals.AuthenticationTracer.TraceError <OrganizationId, string>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] Logon failed: could not locate org info for organization {0} even though user from this org was found {1}", organizationId, text4);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Could not find organization info via OrganizationPropertyCache"));
            }
            // Terms-of-use / parental-control check: skipped when the org opts out; otherwise
            // either the "true" or the "false" variant of the check must pass. The helper is
            // expected to have written its own response when both fail (not visible here).
            if (!organizationProperties.SkipToUAndParentalControlCheck && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, true) && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, false))
            {
                return(false);
            }
            WindowsIdentity windowsIdentity = null;

            try
            {
                windowsIdentity = new WindowsIdentity(text3);
            }
            catch (UnauthorizedAccessException ex)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendAuthError("WindowsIdentity_UnauthorizedAccessException", ex.ToString());

                // windowsIdentity is still null here (the constructor threw before the
                // assignment), so the Identity field of this trace is always "<NULL>".
                ExTraceGlobals.AuthenticationTracer.TraceError <string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] UnauthorizedAccessException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a UnauthorizedAccessException"));
            }
            catch (SecurityException ex2)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendAuthError("WindowsIdentity_SecurityException", ex2.ToString());

                // Same as above: windowsIdentity is always null in this handler.
                ExTraceGlobals.AuthenticationTracer.TraceError <string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] SecurityException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex2.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a SecurityException"));
            }
            // Org name for the context is the OU name when the entry carries one, else null.
            string org = null;

            if (organizationId != null && organizationId.OrganizationalUnit != null)
            {
                org = organizationId.OrganizationalUnit.Name;
            }
            AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(text4, org);
            HttpContext.Current.User = new WindowsPrincipal(windowsIdentity);
            return(true);
        }