private void ValidateToken(RequestedToken requestedToken, TokenValidator tokenValidator) { try { TokenValidationResults tokenValidationResults = tokenValidator.ValidateToken(requestedToken.SecurityToken, TestFederationTrust.TokenOffer); if (tokenValidationResults.Result == TokenValidationResult.Valid) { this.Log(EventTypeEnumeration.Success, TestFederationTrust.TestFederationTrustEventId.TokenValidation, Strings.DelegationTokenValidationSuccess); } else { this.Log(EventTypeEnumeration.Error, TestFederationTrust.TestFederationTrustEventId.TokenValidation, Strings.TokenValidationFailed); base.WriteVerbose(Strings.FailureAndReason(Strings.TokenValidationFailed.ToString(), tokenValidationResults.Result.ToString())); } } catch (LocalizedException ex) { this.Log(EventTypeEnumeration.Error, TestFederationTrust.TestFederationTrustEventId.TokenValidation, Strings.TokenValidationFailed); base.WriteVerbose(Strings.FailureAndReason(Strings.TokenValidationFailed.ToString(), ex.ToString())); } }
// Token: 0x060003D2 RID: 978 RVA: 0x000159C4 File Offset: 0x00013BC4 internal string FindAddressFromWsSecurity(Stream stream, WsSecurityHeaderType headerType, out bool isDelegationToken) { isDelegationToken = false; long position = stream.Position; try { XmlReader xmlReader = XmlReader.Create(stream); if (xmlReader.Settings != null && xmlReader.Settings.DtdProcessing != DtdProcessing.Prohibit) { xmlReader.Settings.DtdProcessing = DtdProcessing.Prohibit; } XmlElement xmlElement = null; XmlElement xmlElement2 = null; XmlElement xmlElement3 = null; xmlReader.MoveToContent(); bool flag = true; while (flag && xmlReader.Read()) { if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "Header") { if (!(xmlReader.NamespaceURI == "http://schemas.xmlsoap.org/soap/envelope/")) { if (!(xmlReader.NamespaceURI == "http://www.w3.org/2003/05/soap-envelope")) { continue; } } while (flag && xmlReader.Read()) { if (stream.Position > 73628L) { throw new QuotaExceededException(); } if (xmlReader.NodeType == XmlNodeType.EndElement && xmlReader.LocalName == "Header" && (xmlReader.NamespaceURI == "http://schemas.xmlsoap.org/soap/envelope/" || xmlReader.NamespaceURI == "http://www.w3.org/2003/05/soap-envelope")) { if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Hit the end of the SOAP header unexpectedly", this.TraceContext); } flag = false; break; } if (headerType != WsSecurityHeaderType.PartnerAuth) { if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "Security" && xmlReader.NamespaceURI == "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd") { while (flag) { if (!xmlReader.Read()) { break; } if (stream.Position > 73628L) { throw new QuotaExceededException(); } if (xmlReader.NodeType == XmlNodeType.EndElement && xmlReader.LocalName == "Security" && xmlReader.NamespaceURI == "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd") { if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Hit the end of the WS-Security header unexpectedly", this.TraceContext); } flag = false; break; } if (xmlReader.NodeType == XmlNodeType.Element && ((headerType == WsSecurityHeaderType.WSSecurityAuth && xmlReader.LocalName == "EncryptedData" && xmlReader.NamespaceURI == "http://www.w3.org/2001/04/xmlenc#") || (headerType == WsSecurityHeaderType.X509CertAuth && xmlReader.LocalName == "BinarySecurityToken" && xmlReader.NamespaceURI == "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"))) { using (XmlReader xmlReader2 = xmlReader.ReadSubtree()) { XmlDocument xmlDocument = new XmlDocument(); xmlDocument.Load(xmlReader2); xmlElement = xmlDocument.DocumentElement; } flag = false; break; } } } } else { if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "ExchangeImpersonation" && xmlReader.NamespaceURI == "http://schemas.microsoft.com/exchange/services/2006/types") { using (XmlReader xmlReader3 = xmlReader.ReadSubtree()) { XmlDocument xmlDocument2 = new XmlDocument(); xmlDocument2.Load(xmlReader3); xmlElement2 = xmlDocument2.DocumentElement; } flag = false; break; } if (xmlReader.NodeType == XmlNodeType.Element && xmlReader.LocalName == "Attribute" && xmlReader.NamespaceURI == "urn:oasis:names:tc:SAML:1.0:assertion" && xmlReader.HasAttributes && xmlReader.GetAttribute("AttributeName") == "targettenant") { using (XmlReader xmlReader4 = xmlReader.ReadSubtree()) { XmlDocument xmlDocument3 = new XmlDocument(); xmlDocument3.Load(xmlReader4); xmlElement3 = xmlDocument3.DocumentElement; } flag = false; break; } } } } } if (headerType == WsSecurityHeaderType.PartnerAuth) { if (xmlElement2 != null) { if (xmlElement2.NodeType == XmlNodeType.Element && xmlElement2.FirstChild.NodeType == XmlNodeType.Element && xmlElement2.FirstChild.LocalName == "ConnectingSID") { XmlNode firstChild = xmlElement2.FirstChild.FirstChild; if (firstChild.LocalName == "PrincipalName" || firstChild.LocalName == "PrimarySmtpAddress" || firstChild.LocalName == "SmtpAddress" || firstChild.LocalName == "SID") { return(firstChild.InnerXml); } if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug <int, string>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Unexpected type {1} in ConnectingSID in impersonation header", this.TraceContext, firstChild.Name); } return(null); } } else if (xmlElement3 != null && xmlElement3.NodeType == XmlNodeType.Element && xmlElement3.FirstChild.LocalName == "AttributeValue") { return(xmlElement3.FirstChild.InnerText); } } else if (xmlElement != null) { ExternalAuthentication current = ExternalAuthentication.GetCurrent(); if (!current.Enabled) { if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: ExternalAuthentication is not enabled"); } return(null); } if (headerType == WsSecurityHeaderType.X509CertAuth) { AuthorizationContext authorizationContext; if (current.TokenValidator.AuthorizationContextFromToken(xmlElement, ref authorizationContext).Result == null) { ReadOnlyCollection <ClaimSet> claimSets = authorizationContext.ClaimSets; X509CertUser x509CertUser = null; if (!X509CertUser.TryCreateX509CertUser(claimSets, ref x509CertUser)) { if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; Unable to create the x509certuser", this.TraceContext); } return(null); } OrganizationId organizationId; WindowsIdentity windowsIdentity; string text; if (!x509CertUser.TryGetWindowsIdentity(ref organizationId, ref windowsIdentity, ref text)) { if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug <int, X509CertUser, string>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; unable to find the windows identity for cert user: {1}, reason: {2}", this.TraceContext, x509CertUser, text); } return(null); } return(x509CertUser.UserPrincipalName); } } else { TokenValidationResults tokenValidationResults = current.TokenValidator.FindEmailAddress(xmlElement, ref isDelegationToken); if (!string.IsNullOrEmpty(tokenValidationResults.EmailAddress)) { return(tokenValidationResults.EmailAddress); } } } } catch (XmlException ex) { if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug <int, XmlException>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; XmlException {1}", this.TraceContext, ex); } } if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) { ExTraceGlobals.VerboseTracer.TraceDebug <int>((long)this.GetHashCode(), "[WsSecurityParser::FindAddressFromWsSecurity]: Context {0}; No email address found in Ws-Trust token", this.TraceContext); } return(null); }
// Token: 0x06000284 RID: 644 RVA: 0x000115F4 File Offset: 0x0000F7F4 private static bool CheckClaimSetsForExternalUser(AuthorizationContext authorizationContext, OperationContext operationContext) { HttpContext.Current.Items["AuthType"] = "External"; SamlSecurityToken samlSecurityToken = null; foreach (SupportingTokenSpecification supportingTokenSpecification in operationContext.SupportingTokens) { samlSecurityToken = (supportingTokenSpecification.SecurityToken as SamlSecurityToken); if (samlSecurityToken != null) { break; } } if (samlSecurityToken == null) { ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Found no security token in authorization context"); return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Cannot find security token in authorization context")); } ExternalAuthentication current = ExternalAuthentication.GetCurrent(); if (!current.Enabled) { ExTraceGlobals.AuthenticationTracer.TraceError(0L, "Federation is not enabled"); return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Federation is not enabled")); } TokenValidationResults tokenValidationResults = current.TokenValidator.ValidateToken(samlSecurityToken, Offer.Autodiscover); if (tokenValidationResults.Result != TokenValidationResult.Valid || !SmtpAddress.IsValidSmtpAddress(tokenValidationResults.EmailAddress)) { ExTraceGlobals.AuthenticationTracer.TraceError <TokenValidationResults>(0L, "Validation of security token in WS-Security header failed: {0}", tokenValidationResults); return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the delegation failed")); } SmtpAddress smtpAddress = SmtpAddress.Empty; int num = -1; try { num = operationContext.IncomingMessageHeaders.FindHeader("SharingSecurity", "http://schemas.microsoft.com/exchange/services/2006/types"); } catch (MessageHeaderException ex) { AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Exception when looking for SharingSecurity header in request: " + ex.ToString()); return(false); } if (num < 0) { ExTraceGlobals.AuthenticationTracer.TraceDebug(0L, "Request has no SharingSecurity header"); } else { XmlElement header = operationContext.IncomingMessageHeaders.GetHeader <XmlElement>(num); smtpAddress = SharingKeyHandler.Decrypt(header, tokenValidationResults.ProofToken); if (smtpAddress == SmtpAddress.Empty) { ExTraceGlobals.AuthenticationTracer.TraceError <string>(0L, "SharingSecurity is present but invalid: {0}", header.OuterXml); AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Validation of the SharingSecurity failed"); return(false); } ExTraceGlobals.AuthenticationTracer.TraceDebug <SmtpAddress>(0L, "SharingSecurity header contains external identity: {0}", smtpAddress); } AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(tokenValidationResults.EmailAddress, null); HttpContext.Current.User = new GenericPrincipal(new ExternalIdentity(new SmtpAddress(tokenValidationResults.EmailAddress), smtpAddress), null); return(true); }
public SharedFolderData TryDecrypt(EncryptedSharedFolderData encryptedSharedFolderData) { if (encryptedSharedFolderData.Token == null) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData is missing Token element.", this); return(null); } if (encryptedSharedFolderData.Token.EncryptedData == null) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData.Token is missing <EncryptedData> element.", this); return(null); } if (encryptedSharedFolderData.Data == null) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData is missing <Data> element.", this); return(null); } if (encryptedSharedFolderData.Data.EncryptedData == null) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: EncryptedSharedFolderData.Data is missing <EncryptedData> element.", this); return(null); } TokenValidationResults tokenValidationResults = this.externalAuthentication.TokenValidator.ValidateToken(encryptedSharedFolderData.Token.EncryptedData, Offer.SharingInviteMessage); if (tokenValidationResults.Result != TokenValidationResult.Valid) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, TokenValidationResults>((long)this.GetHashCode(), "{0}: Token is not valid. TokenValidationResults={1}", this, tokenValidationResults); return(null); } SymmetricSecurityKey proofToken = tokenValidationResults.ProofToken; if (proofToken == null) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption>((long)this.GetHashCode(), "{0}: Unable to retrieve the security key from the token.", this); return(null); } XmlElement xmlElement; try { xmlElement = SymmetricEncryptedXml.Decrypt(encryptedSharedFolderData.Data.EncryptedData, proofToken); } catch (CryptographicException arg) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, CryptographicException>((long)this.GetHashCode(), "{0}: Unable to decrypt the data element. Exception={1}", this, arg); return(null); } SharedFolderData result; try { result = SharedFolderData.DeserializeFromXmlELement(xmlElement); } catch (InvalidOperationException arg2) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, InvalidOperationException>((long)this.GetHashCode(), "{0}: Unable to deserialize the data element. InvalidOperationException={1}", this, arg2); result = null; } catch (XmlException arg3) { SharedFolderDataEncryption.Tracer.TraceError <SharedFolderDataEncryption, XmlException>((long)this.GetHashCode(), "{0}: Unable to deserialize the data element. XmlException={1}", this, arg3); result = null; } return(result); }