protected OutOfProcessServerSessionTransportManager CreateSessionTransportManager(string configurationName, PSRemotingCryptoHelperServer cryptoHelper, string workingDirectory)
{
PSSenderInfo senderInfo;
#if !UNIX
WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();
PSPrincipal userPrincipal = new PSPrincipal(
new PSIdentity(string.Empty, true, currentIdentity.Name, null),
currentIdentity);
senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#else
PSPrincipal userPrincipal = new PSPrincipal(
new PSIdentity(string.Empty, true, string.Empty, null),
null);
senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#endif
OutOfProcessServerSessionTransportManager tm = new OutOfProcessServerSessionTransportManager(originalStdOut, originalStdErr, cryptoHelper);
ServerRemoteSession.CreateServerRemoteSession(
senderInfo,
_initialCommand,
tm,
configurationName,
workingDirectory);
return(tm);
}
private OutOfProcessServerSessionTransportManager CreateSessionTransportManager()
{
WindowsIdentity current = WindowsIdentity.GetCurrent();
PSPrincipal userPrincipal = new PSPrincipal(new PSIdentity("", true, current.Name, null), current);
PSSenderInfo senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
OutOfProcessServerSessionTransportManager transportManager = new OutOfProcessServerSessionTransportManager(this.originalStdOut);
ServerRemoteSession.CreateServerRemoteSession(senderInfo, this._initialCommand, transportManager);
return(transportManager);
}
public Guid CreateSession(string connection, string username, string password, int authMechanism, int protocolVersion)
{
Guid sessionId = Guid.NewGuid();
var identity = new PSIdentity("", true, username, null);
var principal = new PSPrincipal(identity, WindowsIdentity.GetCurrent());
var sender = new PSSenderInfo(principal, connection);
var session = ServerRemoteSession.CreateServerRemoteSession(sender, null, new WSManServerSessionTransportManager());
lock (_lock) {
_sessions.Add(sessionId, session);
}
return(sessionId);
}
public Guid CreateSession()
{
var username = System.Threading.Thread.CurrentPrincipal.Identity.Name;
string connection = OperationContext.Current.Host.Description.Endpoints[0].Address.Uri.ToString();
var identity = new PSIdentity("", true, username, null);
var principal = new PSPrincipal(identity, WindowsIdentity.GetCurrent());
var sender = new PSSenderInfo(principal, connection);
var session = ServerRemoteSession.CreateServerRemoteSession(sender, null, sessionTransportManager);
lock (_lock) {
_sessions.Add(session.InstanceId, session);
}
return(session.InstanceId);
}
public static SecurityIdentifier GetExecutingUserSecurityIdentifier(PSPrincipal psPrincipal, string connectionUrl)
{
if (psPrincipal == null)
{
throw new ArgumentNullException("psPrincipal");
}
UserToken userToken = null;
Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType;
string text;
string text2;
IIdentity identity = ExchangeAuthorizationPlugin.InternalGetExecutingUserIdentity(psPrincipal, connectionUrl, out userToken, out authenticationType, out text, out text2);
return(identity.GetSecurityIdentifier());
}
public InitialSessionState Create(UserContext userContext, string membershipId)
{
InitialSessionState initialSessionState;
using (OperationTracerWithTimeout operationTracerWithTimeout = new OperationTracerWithTimeout(new Action <string>(TraceHelper.Current.PSSessionCallStart), new Action <string>(TraceHelper.Current.PSSessionCallEnd), "InitialSessionState", new Action <string>(TraceHelper.Current.PSSessionMethodExceededTimeLimit), 30))
{
PSCertificateDetails pSCertificateDetail = null;
if (userContext.ClientCertificate != null)
{
pSCertificateDetail = new PSCertificateDetails(userContext.ClientCertificate.Subject, userContext.ClientCertificate.Issuer, userContext.ClientCertificate.Thumbprint);
}
PSIdentity pSIdentity = new PSIdentity(userContext.AuthenticationType, userContext.IsAuthenticated, userContext.Name, pSCertificateDetail);
PSPrincipal pSPrincipal = new PSPrincipal(pSIdentity, userContext.GetIdentity() as WindowsIdentity);
PSSenderInfo pSSenderInfo = new PSSenderInfo(pSPrincipal, DataServiceController.Current.GetCurrentResourceUri().ToString());
try
{
InitialSessionState initialSessionState1 = this.sessionConfiguration.GetInitialSessionState(pSSenderInfo);
if (initialSessionState1 != null)
{
TraceHelper.Current.GetInitialSessionStateRequestSucceeded(userContext.Name);
initialSessionState1.Trace();
initialSessionState = initialSessionState1;
}
else
{
object[] objArray = new object[2];
objArray[0] = "PSSessionState.GetInitialSessionState";
objArray[1] = "null";
throw new InvalidOperationException(ExceptionHelpers.GetExceptionMessage(Resources.MethodReturnedInvalidOutput, objArray));
}
}
catch (Exception exception1)
{
Exception exception = exception1;
TraceHelper.Current.GetInitialSessionStateRequestFailed(userContext.Name, exception.Message);
if (!exception.IsSevereException())
{
throw new CustomModuleInvocationFailedException(this.sessionConfiguration.GetType().AssemblyQualifiedName, "GetInitialState", exception);
}
else
{
throw;
}
}
}
return(initialSessionState);
}
/// <summary>
/// Finds group for a PSPrincipal
/// </summary>
/// <param name="principal">PSPrincipal instance</param>
/// <returns>Group associated with the identity</returns>
private RbacGroup FindGroup(PSPrincipal principal)
{
if (principal == null)
{
throw new ArgumentNullException("principal");
}
if (principal.Identity == null)
{
throw new ArgumentException("Null identity passed");
}
if (principal.Identity.IsAuthenticated == false)
{
throw new UnauthorizedAccessException();
}
PSIdentity powerShellIdentity = principal.Identity;
GenericIdentity identity = new GenericIdentity(powerShellIdentity.Name, powerShellIdentity.AuthenticationType);
RbacUser.RbacUserInfo userInfo = new RbacUser.RbacUserInfo(identity, powerShellIdentity.CertificateDetails);
RbacUser user = this.Users.Find(item => item.UserInfo.Equals(userInfo));
if (user == null)
{
throw new ArgumentException("User not found: name=" + userInfo.Name + ", authentication=" + userInfo.AuthenticationType);
}
RbacGroup group = this.Groups.Find(item => item.Name == user.Group.Name);
if (group == null)
{
throw new ArgumentException("group not found = " + user.Group.Name);
}
return(group);
}
protected OutOfProcessServerSessionTransportManager CreateSessionTransportManager(
string configurationName,
string configurationFile,
PSRemotingCryptoHelperServer cryptoHelper,
string workingDirectory)
{
PSSenderInfo senderInfo;
#if !UNIX
WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();
PSPrincipal userPrincipal = new PSPrincipal(
new PSIdentity(string.Empty, true, currentIdentity.Name, null),
currentIdentity);
senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#else
PSPrincipal userPrincipal = new PSPrincipal(
new PSIdentity(string.Empty, true, string.Empty, null),
null);
senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#endif
var tm = new OutOfProcessServerSessionTransportManager(
originalStdOut,
originalStdErr,
cryptoHelper);
ServerRemoteSession.CreateServerRemoteSession(
senderInfo: senderInfo,
configurationProviderId: "Microsoft.PowerShell",
initializationParameters: string.Empty,
transportManager: tm,
initialCommand: _initialCommand,
configurationName: configurationName,
configurationFile: configurationFile,
initialLocation: workingDirectory);
return(tm);
}
/// <summary>
/// Gets collection of cmdlets for a user
/// </summary>
/// <param name="userInfo">User information</param>
/// <returns>Collection of cmdlet names </returns>
public List <string> GetCmdlets(PSPrincipal userInfo)
{
RbacGroup group = this.FindGroup(userInfo);
return(new List <string>(group.Cmdlets));
}
/// <summary>
/// Gets collection of modules for a user
/// </summary>
/// <param name="userInfo">User information </param>
/// <returns>Collection of module names</returns>
public List <string> GetModules(PSPrincipal userInfo)
{
RbacGroup group = this.FindGroup(userInfo);
return(new List <string>(group.Modules));
}
// Token: 0x0600126C RID: 4716 RVA: 0x0003B42B File Offset: 0x0003962B
protected override IIdentity GetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType)
{
userToken = HttpContext.Current.CurrentUserToken();
authenticationType = userToken.AuthenticationType;
return(PswsAuthZHelper.GetExecutingAuthZUser(userToken));
}
private InitialSessionState GetInitialSessionStateCore(PSSenderInfo senderInfo)
{
InitialSessionState result;
using (new MonitoredScope("GetInitialSessionStateCore", "GetInitialSessionStateCore", AuthZLogHelper.AuthZPerfMonitors))
{
if (senderInfo == null || senderInfo.UserInfo == null || senderInfo.UserInfo.Identity == null || senderInfo.UserInfo.Identity.Name == null)
{
throw new ArgumentException("senderInfo");
}
PSPrincipal userInfo = senderInfo.UserInfo;
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string>((long)this.GetHashCode(), "Entering EAP.GetInitialSessionState({0})", userInfo.Identity.Name);
UserToken userToken = null;
Microsoft.Exchange.Configuration.Core.AuthenticationType authenticatedType;
IIdentity executingUserIdentity = this.GetExecutingUserIdentity(userInfo, senderInfo.ConnectionString, out userToken, out authenticatedType);
ExchangeRunspaceConfigurationSettings exchangeRunspaceConfigurationSettings = this.BuildRunspaceConfigurationSettings(senderInfo.ConnectionString, executingUserIdentity);
if (userToken != null)
{
exchangeRunspaceConfigurationSettings.UserToken = userToken;
}
if (AppSettings.Current.SiteRedirectTemplate != null)
{
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string, string, string>((long)this.GetHashCode(), "EAP.GetInitialSessionState({0}) site redirection template used is {1}, pod redirection template used is {2}", userInfo.Identity.Name, AppSettings.Current.SiteRedirectTemplate, AppSettings.Current.PodRedirectTemplate);
exchangeRunspaceConfigurationSettings.SiteRedirectionTemplate = AppSettings.Current.SiteRedirectTemplate;
exchangeRunspaceConfigurationSettings.PodRedirectionTemplate = AppSettings.Current.PodRedirectTemplate;
}
ExchangeExpiringRunspaceConfiguration exchangeExpiringRunspaceConfiguration;
using (new MonitoredScope("GetInitialSessionStateCore", "ExchangeExpiringRunspaceConfiguration", AuthZLogHelper.AuthZPerfMonitors))
{
if (DatacenterRegistry.IsForefrontForOffice())
{
try
{
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(string.Format("SOFTWARE\\Microsoft\\ExchangeServer\\{0}\\Setup", "v15")))
{
string name = "Microsoft.Exchange.Hygiene.Security.Authorization.ForefrontExpiringDatacenterRunspaceConfiguration";
string path = (string)registryKey.GetValue("MsiInstallPath");
string assemblyFile = Path.Combine(path, "Bin", "Microsoft.Exchange.Hygiene.Security.Authorization.dll");
Assembly assembly = Assembly.LoadFrom(assemblyFile);
Type type = assembly.GetType(name);
exchangeExpiringRunspaceConfiguration = (ExchangeExpiringRunspaceConfiguration)type.InvokeMember("Instance", BindingFlags.InvokeMethod, Type.DefaultBinder, null, new object[]
{
executingUserIdentity,
exchangeRunspaceConfigurationSettings,
senderInfo.ConnectionString,
Constants.IsPowerShellWebService
});
}
goto IL_1FA;
}
catch (TargetInvocationException ex)
{
throw ex.InnerException ?? ex;
}
}
exchangeExpiringRunspaceConfiguration = new ExchangeExpiringRunspaceConfiguration(executingUserIdentity, exchangeRunspaceConfigurationSettings, Constants.IsPowerShellWebService);
IL_1FA :;
}
this.currentAuthZUserToken = new AuthZPluginUserToken(exchangeExpiringRunspaceConfiguration.DelegatedPrincipal, exchangeExpiringRunspaceConfiguration.LogonUser, authenticatedType, exchangeExpiringRunspaceConfiguration.IdentityName);
ADRawEntry logonUser = exchangeExpiringRunspaceConfiguration.LogonUser;
if (logonUser[ADRecipientSchema.RemotePowerShellEnabled] != null && !(bool)logonUser[ADRecipientSchema.RemotePowerShellEnabled])
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", "RemotePowerShellEnabled false", false);
ExTraceGlobals.AccessDeniedTracer.TraceError <string>(0L, "EAP.GetInitialSessionStateCore user {0} is not allowed to use remote Powershell, access denied", executingUserIdentity.Name);
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new RemotePowerShellNotEnabledException(Strings.ErrorRemotePowerShellNotEnabled);
}
if (exchangeExpiringRunspaceConfiguration.DelegatedPrincipal == null)
{
ExchangeAuthorizationPlugin.ValidateQueryString(senderInfo.ConnectionString, logonUser);
}
else if (exchangeExpiringRunspaceConfiguration.DelegatedPrincipal.UserOrganizationId == null)
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", "User Token is delegated user, but user.OrgId is null.", false);
ExTraceGlobals.AccessDeniedTracer.TraceError(0L, "EAP.GetInitialSessionStateCore delegated user is not in organization.");
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new DelegatedUserNotInOrgException(Strings.ErrorDelegatedUserNotInOrg);
}
string friendlyName = exchangeExpiringRunspaceConfiguration.OrganizationId.GetFriendlyName();
if (exchangeExpiringRunspaceConfiguration.HasAdminRoles && exchangeExpiringRunspaceConfiguration.IsAppPasswordUsed)
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", string.Format("User {0} of Domain {1} is not allowed to create session using app password.", userInfo.Identity.Name, friendlyName), false);
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new AppPasswordLoginException(Strings.ErrorAdminLoginUsingAppPassword);
}
if (string.Equals(executingUserIdentity.AuthenticationType, "LiveIdBasic", StringComparison.OrdinalIgnoreCase) || DelegatedPrincipal.DelegatedAuthenticationType.Equals(executingUserIdentity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
using (new MonitoredScope("GetInitialSessionStateCore", "ValidateFilteringOnlyUser", AuthZLogHelper.AuthZPerfMonitors))
{
if (UserValidationHelper.ValidateFilteringOnlyUser(friendlyName, this.currentAuthZUserToken.WindowsLiveId))
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", string.Format("User {0} of Domain {1} doesn't have valid subscriptions for Exchange Hosted.", userInfo.Identity.Name, friendlyName), false);
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new FilteringOnlyUserLoginException(Strings.ErrorFilteringOnlyUserLogin);
}
}
}
InitialSessionState initialSessionState;
using (new MonitoredScope("GetInitialSessionStateCore", "exchangeRunspaceConfig.CreateInitialSessionState", AuthZLogHelper.AuthZPerfMonitors))
{
initialSessionState = exchangeExpiringRunspaceConfiguration.CreateInitialSessionState();
}
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <int>((long)this.GetHashCode(), "EAP.GetInitialSessionState(PSSenderInfo) returns ISS with {0} commands", initialSessionState.Commands.Count);
result = initialSessionState;
}
return(result);
}
private static IIdentity InternalGetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType, out string sessionId, out string firstRequestId)
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
userToken = null;
sessionId = null;
firstRequestId = null;
if (psPrincipal.Identity.AuthenticationType.StartsWith("Cafe-", StringComparison.OrdinalIgnoreCase))
{
using (WinRMDataReceiver winRMDataReceiver = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
{
userToken = winRMDataReceiver.UserToken;
sessionId = winRMDataReceiver.SessionId;
firstRequestId = winRMDataReceiver.RequestId;
string text = winRMDataReceiver.AuthenticationType.Substring("Cafe-".Length);
if (text.Equals("GenericIdentity", StringComparison.OrdinalIgnoreCase))
{
return(AuthZPluginHelper.ConstructGenericIdentityFromUserToken(userToken));
}
if (userToken.CommonAccessToken != null)
{
return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
}
}
}
if (DelegatedPrincipal.DelegatedAuthenticationType.Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.RemotePowerShellDelegated;
return(DelegatedPrincipal.GetDelegatedIdentity(psPrincipal.Identity.Name));
}
if (psPrincipal.WindowsIdentity != null)
{
string authenticationType2 = psPrincipal.Identity.AuthenticationType;
if (authenticationType2 != null && authenticationType2.StartsWith("Converted-", StringComparison.OrdinalIgnoreCase))
{
if (authenticationType2.StartsWith("Converted-Kerberos", StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
}
else
{
AuthZLogger.SafeAppendGenericError("InternalGetExecutingUserIdentity", "Unexpected AuthenticationType " + authenticationType2, true);
}
using (WinRMDataReceiver winRMDataReceiver2 = new WinRMDataReceiver(connectionUrl, psPrincipal.Identity.Name, psPrincipal.Identity.AuthenticationType, AuthZLogHelper.LantencyTracker))
{
userToken = winRMDataReceiver2.UserToken;
sessionId = winRMDataReceiver2.SessionId;
firstRequestId = winRMDataReceiver2.RequestId;
if (userToken.CommonAccessToken == null)
{
throw new AuthzException("DEV BUG, the CommonAccessToken should not be NULL when passing from Locally Kerberos logon.");
}
return(new WindowsTokenIdentity(userToken.CommonAccessToken.WindowsAccessToken).ToSerializedIdentity());
}
}
if ("CertificateLinkedUser".Equals(authenticationType2, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.CertificateLinkedUser;
return(new GenericIdentity(psPrincipal.Identity.Name));
}
try
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Certificate;
new SecurityIdentifier(psPrincipal.Identity.Name);
return(new GenericIdentity(psPrincipal.Identity.Name));
}
catch (ArgumentException)
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
return(psPrincipal.WindowsIdentity);
}
}
if ("RPS".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Kerberos".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase) || "Basic".Equals(psPrincipal.Identity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Kerberos;
SecurityIdentifier securityIdentifier = (SecurityIdentifier) new NTAccount(psPrincipal.Identity.Name).Translate(typeof(SecurityIdentifier));
return(new GenericIdentity(securityIdentifier.ToString()));
}
authenticationType = Microsoft.Exchange.Configuration.Core.AuthenticationType.Unknown;
return(new GenericIdentity(psPrincipal.Identity.Name));
}
protected virtual IIdentity GetExecutingUserIdentity(PSPrincipal psPrincipal, string connectionUrl, out UserToken userToken, out Microsoft.Exchange.Configuration.Core.AuthenticationType authenticationType)
{
return(ExchangeAuthorizationPlugin.InternalGetExecutingUserIdentity(psPrincipal, connectionUrl, out userToken, out authenticationType, out this.sessionId, out this.firstRequestId));
}
internal PSSenderInfo(PSPrincipal userPrincipal, string httpURL)
{
this.userPrinicpal = userPrincipal;
this.connectionString = httpURL;
}
protected OutOfProcessServerSessionTransportManager CreateSessionTransportManager(string configurationName, PSRemotingCryptoHelperServer cryptoHelper)
{
PSSenderInfo senderInfo;
#if !UNIX
WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();
PSPrincipal userPrincipal = new PSPrincipal(new PSIdentity("", true, currentIdentity.Name, null),
currentIdentity);
senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#else
PSPrincipal userPrincipal = new PSPrincipal(new PSIdentity("", true, "", null),
null);
senderInfo = new PSSenderInfo(userPrincipal, "http://localhost");
#endif
OutOfProcessServerSessionTransportManager tm = new OutOfProcessServerSessionTransportManager(originalStdOut, originalStdErr, cryptoHelper);
ServerRemoteSession srvrRemoteSession = ServerRemoteSession.CreateServerRemoteSession(senderInfo,
_initialCommand, tm, configurationName);
return tm;
}
