private static void RefreshLimitsFromRegistryIfNeeded()
{
if (DateTime.UtcNow >= ExchangeExpiringRunspaceConfiguration.ExpiryRefreshTime)
{
lock (ExchangeExpiringRunspaceConfiguration.syncRoot)
{
if (DateTime.UtcNow >= ExchangeExpiringRunspaceConfiguration.ExpiryRefreshTime)
{
ExchangeExpiringRunspaceConfiguration.ExpiryPeriods[0] = ExchangeExpiringRunspaceConfiguration.GetMaximumAgeLimitFromRegistry(ExpirationLimit.RunspaceRefresh);
ExchangeExpiringRunspaceConfiguration.ExpiryPeriods[1] = ExchangeExpiringRunspaceConfiguration.GetMaximumAgeLimitFromRegistry(ExpirationLimit.ExternalAccountRunspaceTermination);
ExchangeExpiringRunspaceConfiguration.ExpiryRefreshTime = DateTime.UtcNow.AddMinutes(5.0);
}
}
}
}
private void SetMaxAgeLimit(ExpirationLimit limit)
{
this.maxAgeLimits[(int)limit] = DateTime.UtcNow.Add(ExchangeExpiringRunspaceConfiguration.GetMaximumAgeLimit(limit));
}
public static TimeSpan GetMaximumAgeLimit(ExpirationLimit limit)
{
ExchangeExpiringRunspaceConfiguration.RefreshLimitsFromRegistryIfNeeded();
return(ExchangeExpiringRunspaceConfiguration.ExpiryPeriods[(int)limit]);
}
private InitialSessionState GetInitialSessionStateCore(PSSenderInfo senderInfo)
{
InitialSessionState result;
using (new MonitoredScope("GetInitialSessionStateCore", "GetInitialSessionStateCore", AuthZLogHelper.AuthZPerfMonitors))
{
if (senderInfo == null || senderInfo.UserInfo == null || senderInfo.UserInfo.Identity == null || senderInfo.UserInfo.Identity.Name == null)
{
throw new ArgumentException("senderInfo");
}
PSPrincipal userInfo = senderInfo.UserInfo;
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string>((long)this.GetHashCode(), "Entering EAP.GetInitialSessionState({0})", userInfo.Identity.Name);
UserToken userToken = null;
Microsoft.Exchange.Configuration.Core.AuthenticationType authenticatedType;
IIdentity executingUserIdentity = this.GetExecutingUserIdentity(userInfo, senderInfo.ConnectionString, out userToken, out authenticatedType);
ExchangeRunspaceConfigurationSettings exchangeRunspaceConfigurationSettings = this.BuildRunspaceConfigurationSettings(senderInfo.ConnectionString, executingUserIdentity);
if (userToken != null)
{
exchangeRunspaceConfigurationSettings.UserToken = userToken;
}
if (AppSettings.Current.SiteRedirectTemplate != null)
{
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <string, string, string>((long)this.GetHashCode(), "EAP.GetInitialSessionState({0}) site redirection template used is {1}, pod redirection template used is {2}", userInfo.Identity.Name, AppSettings.Current.SiteRedirectTemplate, AppSettings.Current.PodRedirectTemplate);
exchangeRunspaceConfigurationSettings.SiteRedirectionTemplate = AppSettings.Current.SiteRedirectTemplate;
exchangeRunspaceConfigurationSettings.PodRedirectionTemplate = AppSettings.Current.PodRedirectTemplate;
}
ExchangeExpiringRunspaceConfiguration exchangeExpiringRunspaceConfiguration;
using (new MonitoredScope("GetInitialSessionStateCore", "ExchangeExpiringRunspaceConfiguration", AuthZLogHelper.AuthZPerfMonitors))
{
if (DatacenterRegistry.IsForefrontForOffice())
{
try
{
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(string.Format("SOFTWARE\\Microsoft\\ExchangeServer\\{0}\\Setup", "v15")))
{
string name = "Microsoft.Exchange.Hygiene.Security.Authorization.ForefrontExpiringDatacenterRunspaceConfiguration";
string path = (string)registryKey.GetValue("MsiInstallPath");
string assemblyFile = Path.Combine(path, "Bin", "Microsoft.Exchange.Hygiene.Security.Authorization.dll");
Assembly assembly = Assembly.LoadFrom(assemblyFile);
Type type = assembly.GetType(name);
exchangeExpiringRunspaceConfiguration = (ExchangeExpiringRunspaceConfiguration)type.InvokeMember("Instance", BindingFlags.InvokeMethod, Type.DefaultBinder, null, new object[]
{
executingUserIdentity,
exchangeRunspaceConfigurationSettings,
senderInfo.ConnectionString,
Constants.IsPowerShellWebService
});
}
goto IL_1FA;
}
catch (TargetInvocationException ex)
{
throw ex.InnerException ?? ex;
}
}
exchangeExpiringRunspaceConfiguration = new ExchangeExpiringRunspaceConfiguration(executingUserIdentity, exchangeRunspaceConfigurationSettings, Constants.IsPowerShellWebService);
IL_1FA :;
}
this.currentAuthZUserToken = new AuthZPluginUserToken(exchangeExpiringRunspaceConfiguration.DelegatedPrincipal, exchangeExpiringRunspaceConfiguration.LogonUser, authenticatedType, exchangeExpiringRunspaceConfiguration.IdentityName);
ADRawEntry logonUser = exchangeExpiringRunspaceConfiguration.LogonUser;
if (logonUser[ADRecipientSchema.RemotePowerShellEnabled] != null && !(bool)logonUser[ADRecipientSchema.RemotePowerShellEnabled])
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", "RemotePowerShellEnabled false", false);
ExTraceGlobals.AccessDeniedTracer.TraceError <string>(0L, "EAP.GetInitialSessionStateCore user {0} is not allowed to use remote Powershell, access denied", executingUserIdentity.Name);
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new RemotePowerShellNotEnabledException(Strings.ErrorRemotePowerShellNotEnabled);
}
if (exchangeExpiringRunspaceConfiguration.DelegatedPrincipal == null)
{
ExchangeAuthorizationPlugin.ValidateQueryString(senderInfo.ConnectionString, logonUser);
}
else if (exchangeExpiringRunspaceConfiguration.DelegatedPrincipal.UserOrganizationId == null)
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", "User Token is delegated user, but user.OrgId is null.", false);
ExTraceGlobals.AccessDeniedTracer.TraceError(0L, "EAP.GetInitialSessionStateCore delegated user is not in organization.");
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new DelegatedUserNotInOrgException(Strings.ErrorDelegatedUserNotInOrg);
}
string friendlyName = exchangeExpiringRunspaceConfiguration.OrganizationId.GetFriendlyName();
if (exchangeExpiringRunspaceConfiguration.HasAdminRoles && exchangeExpiringRunspaceConfiguration.IsAppPasswordUsed)
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", string.Format("User {0} of Domain {1} is not allowed to create session using app password.", userInfo.Identity.Name, friendlyName), false);
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new AppPasswordLoginException(Strings.ErrorAdminLoginUsingAppPassword);
}
if (string.Equals(executingUserIdentity.AuthenticationType, "LiveIdBasic", StringComparison.OrdinalIgnoreCase) || DelegatedPrincipal.DelegatedAuthenticationType.Equals(executingUserIdentity.AuthenticationType, StringComparison.OrdinalIgnoreCase))
{
using (new MonitoredScope("GetInitialSessionStateCore", "ValidateFilteringOnlyUser", AuthZLogHelper.AuthZPerfMonitors))
{
if (UserValidationHelper.ValidateFilteringOnlyUser(friendlyName, this.currentAuthZUserToken.WindowsLiveId))
{
AuthZLogger.SafeAppendGenericError("GetInitialSessionStateCore", string.Format("User {0} of Domain {1} doesn't have valid subscriptions for Exchange Hosted.", userInfo.Identity.Name, friendlyName), false);
AuthZPluginHelper.TriggerFailFastForAuthZFailure(this.currentAuthZUserToken.WindowsLiveId);
throw new FilteringOnlyUserLoginException(Strings.ErrorFilteringOnlyUserLogin);
}
}
}
InitialSessionState initialSessionState;
using (new MonitoredScope("GetInitialSessionStateCore", "exchangeRunspaceConfig.CreateInitialSessionState", AuthZLogHelper.AuthZPerfMonitors))
{
initialSessionState = exchangeExpiringRunspaceConfiguration.CreateInitialSessionState();
}
ExTraceGlobals.PublicPluginAPITracer.TraceDebug <int>((long)this.GetHashCode(), "EAP.GetInitialSessionState(PSSenderInfo) returns ISS with {0} commands", initialSessionState.Commands.Count);
result = initialSessionState;
}
return(result);
}
