        // Token: 0x0600027F RID: 639 RVA: 0x0001122C File Offset: 0x0000F42C
        // Enforces the terms-of-use / parental-control policy carried in the token's claims.
        //
        // The same three facts (is the account a child, has the TOU been accepted, what consent
        // level applies to a child) are carried under two families of claim URIs: the "Consumer*"
        // family when checkConsumerClaims is true, the plain family otherwise. Every claim must be
        // asserted with Rights.PossessProperty to count.
        //
        // Returns true when the policy is satisfied. Returns false in two distinct situations that
        // the caller cannot tell apart: (1) checkConsumerClaims is true and none of the three claims
        // is present at all -- no 401 is written, the caller is expected to retry with the other
        // claim family; (2) the claims are present but incomplete or failing -- the result of
        // Return401UnauthorizedResponse is returned, which presumably also writes the 401 to
        // operationContext (not visible here, verify).
        private static bool CheckClaimSetsForTOUClaims(OperationContext operationContext, ReadOnlyCollection <ClaimSet> claimSets, bool checkConsumerClaims)
        {
            string childClaimType   = checkConsumerClaims ? "http://schemas.xmlsoap.org/claims/ConsumerChild" : "http://schemas.xmlsoap.org/claims/Child";
            string touClaimType     = checkConsumerClaims ? "http://schemas.xmlsoap.org/claims/ConsumerTOUAccepted" : "http://schemas.xmlsoap.org/claims/TOUAccepted";
            string consentClaimType = checkConsumerClaims ? "http://schemas.xmlsoap.org/claims/ConsumerConsentLevel" : "http://schemas.xmlsoap.org/claims/ConsentLevel";

            // null means "claim not seen yet". A later matching claim overwrites an earlier one,
            // so the last occurrence before the scan stops is the one that counts.
            bool? isChild     = null;
            bool? touAccepted = null;
            AutodiscoverAuthorizationManager.ConsentLevel? consentLevel = null;

            // Scanning stops as soon as both boolean claims are known and the consent level is
            // either known or irrelevant (non-child account).
            bool enough = false;
            foreach (ClaimSet claimSet in claimSets)
            {
                foreach (Claim claim in claimSet)
                {
                    if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, childClaimType, Rights.PossessProperty))
                    {
                        isChild = AutodiscoverAuthorizationManager.ProcessTrueFalseClaim(claim);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, touClaimType, Rights.PossessProperty))
                    {
                        touAccepted = AutodiscoverAuthorizationManager.ProcessTrueFalseClaim(claim);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, consentClaimType, Rights.PossessProperty))
                    {
                        consentLevel = AutodiscoverAuthorizationManager.ProcessConsentLevelClaim(claim);
                    }

                    enough = isChild != null && touAccepted != null && (!isChild.Value || consentLevel != null);
                    if (enough)
                    {
                        break;
                    }
                }
                if (enough)
                {
                    break;
                }
            }

            // Consumer family completely absent: not a failure, just "nothing to check here".
            // Deliberately no 401 so the caller can fall back to the other claim family.
            if (checkConsumerClaims && isChild == null && touAccepted == null && consentLevel == null)
            {
                return(false);
            }

            // Evaluate the policy in the same order as before; the first failing rule wins.
            string failureReason = null;
            if (isChild == null)
            {
                failureReason = "Didn't find child claim";
            }
            else if (touAccepted == null)
            {
                failureReason = "Didn't find TOU claim";
            }
            else if (isChild.Value && consentLevel == null)
            {
                // A child account must carry a consent level; a missing one is treated as a failure,
                // not as "no consent".
                failureReason = "Didn't find consent level claim for child";
            }
            else if (!touAccepted.Value)
            {
                failureReason = "TOU was not accepted";
            }
            else if (isChild.Value && consentLevel.Value == AutodiscoverAuthorizationManager.ConsentLevel.None)
            {
                // consentLevel is guaranteed non-null here by the earlier child check.
                failureReason = "Child with no consent";
            }

            if (failureReason != null)
            {
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, failureReason));
            }
            return(true);
        }
        // Token: 0x0600027D RID: 637 RVA: 0x00010D88 File Offset: 0x0000EF88
        // Authorizes a Live ID token-authenticated Autodiscover request from its claim sets.
        //
        // Pipeline, in order:
        //   1. Require an Authentication claim and at least one of PUID / ConsumerPUID (401 otherwise).
        //   2. Require an EmailAddress claim (401 otherwise); it selects the tenant for the AD lookup.
        //   3. Look the PUID up by NetID in that tenant. Root-org lookups are refused with 403,
        //      ambiguous matches with 401, no match becomes a redirect.
        //   4. Require org properties for the user's org (401 otherwise).
        //   5. Unless the org opts out, enforce the TOU / parental-control claims.
        //   6. Build a WindowsIdentity from the user's UPN and install it as HttpContext.Current.User.
        //
        // Returns true when the request is authorized and the principal has been installed. Every
        // false return goes through Return401UnauthorizedResponse / Return403UnauthorizedResponse /
        // RedirectCaller or through CheckClaimSetsForTOUClaims, which presumably write the HTTP
        // response themselves (not visible here). Directory exceptions other than
        // NonUniqueRecipientException are not caught and propagate to the caller.
        private static bool CheckClaimSets(OperationContext operationContext, ReadOnlyCollection <ClaimSet> claimSets)
        {
            // Recorded before any validation, so it also tags requests that end up rejected.
            HttpContext.Current.Items["AuthType"] = "LiveIdToken";
            claimSets.TraceClaimSets();
            bool   flag  = false;   // PUID claim present with a usable string resource
            bool   flag2 = false;   // ConsumerPUID claim present with a usable string resource
            bool   flag3 = false;   // Authentication claim present
            string text  = null;    // PUID value
            string text2 = null;    // ConsumerPUID value

            // First pass over the claims: collect the identity claims. The scan stops early once all
            // three are found; a later duplicate claim would otherwise overwrite an earlier one.
            foreach (ClaimSet claimSet in claimSets)
            {
                foreach (Claim claim in claimSet)
                {
                    if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/PUID", Rights.PossessProperty))
                    {
                        flag = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource <string>(claim, out text);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, "http://schemas.xmlsoap.org/claims/ConsumerPUID", Rights.PossessProperty))
                    {
                        flag2 = AutodiscoverAuthorizationManager.DoesClaimHaveProperResource <string>(claim, out text2);
                    }
                    else if (AutodiscoverAuthorizationManager.DoesClaimMatch(claim, ClaimTypes.Authentication, Rights.PossessProperty))
                    {
                        flag3 = true;
                    }
                    if (flag && flag2 && flag3)
                    {
                        break;
                    }
                }
                if (flag && flag2 && flag3)
                {
                    break;
                }
            }
            // Gate on the extracted values rather than on flag/flag2: the Authentication claim is
            // mandatory, and at least one PUID string must have been produced.
            // NOTE(review): this relies on DoesClaimHaveProperResource leaving the out value null
            // when it returns false -- confirm, otherwise a rejected claim could still supply a PUID.
            if (!flag3 || (text == null && text2 == null))
            {
                string reason = string.Format("Did not find all necessary claims. PUID: {0}; ConsumerPUID: {1}; Auth/Possess: {2}", flag, flag2, flag3);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason));
            }
            // When both PUIDs are present the consumer one wins.
            string userId = (text2 == null) ? text : text2;

            RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("UserPUID", userId);

            SmtpAddress smtpAddress;

            // The e-mail address claim is only used to pick the tenant (below) and as the redirect
            // target when the user is not found; the identity itself comes from the PUID.
            if (!AutodiscoverAuthorizationManager.TryGetEmailAddressInClaimSets(claimSets, out smtpAddress))
            {
                string reason2 = string.Format("Did not find EmailAddress claim for PUID: {0}; ", userId);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, reason2));
            }
            // Only the attributes needed to build the UPN and resolve the org are read back.
            PropertyDefinition[] propertyDefinitionArrayUPN = new PropertyDefinition[]
            {
                ADUserSchema.UserPrincipalName,
                ADMailboxRecipientSchema.SamAccountName,
                ADObjectSchema.OrganizationId
            };
            ADRawEntry adRawEntry = null;

            try
            {
                // Captured and set inside the latency-tracked delegate, read after it returns.
                bool isRootOrgLookup = false;
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.TrackLatency(ServiceLatencyMetadata.CallerADLatency, delegate()
                {
                    DateTime utcNow = DateTime.UtcNow;
                    // Tenant scope is derived from the domain of the e-mail claim, not from the PUID.
                    ADSessionSettings adsessionSettings = Common.SessionSettingsFromAddress(smtpAddress.ToString());
                    RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("CheckClaimSets_SmtpAddress", smtpAddress.ToString());
                    RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_ChkClaim_SessionSettingsFromAddress", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                    utcNow          = DateTime.UtcNow;
                    isRootOrgLookup = OrganizationId.ForestWideOrgId.Equals(adsessionSettings.CurrentOrganizationId);
                    // The lookup is skipped entirely for the forest-wide (root) org; the 403 is issued
                    // once the delegate has returned.
                    if (!isRootOrgLookup)
                    {
                        ITenantRecipientSession tenantRecipientSession = DirectorySessionFactory.Default.CreateTenantRecipientSession(true, ConsistencyMode.IgnoreInvalid, adsessionSettings, 596, "CheckClaimSets", "f:\\15.00.1497\\sources\\dev\\autodisc\\src\\WCF\\AutodiscoverAuthorizationManager.cs");
                        RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_TenantRecipientSession", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                        utcNow     = DateTime.UtcNow;
                        // The token's PUID is matched against the NetID attribute within the tenant.
                        adRawEntry = tenantRecipientSession.FindUniqueEntryByNetID(userId, propertyDefinitionArrayUPN);
                        RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericInfo("AD_FindUniqueEntryByNetID", (DateTime.UtcNow - utcNow).TotalMilliseconds);
                    }
                });

                if (isRootOrgLookup)
                {
                    return(AutodiscoverAuthorizationManager.Return403UnauthorizedResponse(operationContext, "NetID lookup for root org user is not allowed"));
                }
            }
            catch (NonUniqueRecipientException arg)
            {
                // More than one recipient shares this NetID: refuse rather than pick one.
                // NOTE(review): assumes TrackLatency lets the exception through unwrapped -- confirm.
                ExTraceGlobals.AuthenticationTracer.TraceDebug <NonUniqueRecipientException>(0L, "FindUniqueEntryByNetId threw exception: {0}", arg);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Found more than 1 user by NetID in AD"));
            }
            // Not found in this tenant: hand the caller off to wherever RedirectCaller sends it for
            // the claimed address (its target is derived from the token's e-mail claim).
            if (adRawEntry == null)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendGenericError("Redirect as we are unable to find user:.", userId);

                return(AutodiscoverAuthorizationManager.RedirectCaller(operationContext, smtpAddress.ToString()));
            }
            string         arg2           = (string)adRawEntry[ADMailboxRecipientSchema.SamAccountName];
            // Logon name used for the WindowsIdentity: SamAccountName@<forest FQDN of the entry's partition>,
            // i.e. built from directory data, not from the UPN attribute or any claim.
            string         text3          = string.Format("{0}@{1}", arg2, adRawEntry.Id.GetPartitionId().ForestFQDN);
            string         text4          = (string)adRawEntry[ADUserSchema.UserPrincipalName];   // for logging / context only
            OrganizationId organizationId = (OrganizationId)adRawEntry[ADObjectSchema.OrganizationId];

            HttpContext.Current.Items["UserOrganizationId"] = organizationId;
            OrganizationProperties organizationProperties;

            if (!OrganizationPropertyCache.TryGetOrganizationProperties(organizationId, out organizationProperties))
            {
                ExTraceGlobals.AuthenticationTracer.TraceError <OrganizationId, string>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] Logon failed: could not locate org info for organization {0} even though user from this org was found {1}", organizationId, text4);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Could not find organization info via OrganizationPropertyCache"));
            }
            // TOU / parental-control policy: try the consumer claim family first, then the plain one.
            // NOTE(review): CheckClaimSetsForTOUClaims returns false both when the consumer claims are
            // simply absent and when they are present but fail; either way the enterprise family is
            // tried next and can still authorize the request. A token carrying both families with a
            // failing consumer set and a passing enterprise set therefore passes -- confirm intended.
            if (!organizationProperties.SkipToUAndParentalControlCheck && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, true) && !AutodiscoverAuthorizationManager.CheckClaimSetsForTOUClaims(operationContext, claimSets, false))
            {
                return(false);
            }
            WindowsIdentity windowsIdentity = null;

            try
            {
                // Identity is created from the logon name alone (no credentials are presented); the
                // two catch blocks cover the process lacking the privilege to do so.
                windowsIdentity = new WindowsIdentity(text3);
            }
            catch (UnauthorizedAccessException ex)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendAuthError("WindowsIdentity_UnauthorizedAccessException", ex.ToString());

                // windowsIdentity is still null here (the assignment threw), so "Identity" always logs "<NULL>".
                ExTraceGlobals.AuthenticationTracer.TraceError <string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] UnauthorizedAccessException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a UnauthorizedAccessException"));
            }
            catch (SecurityException ex2)
            {
                RequestDetailsLoggerBase <RequestDetailsLogger> .Current.AppendAuthError("WindowsIdentity_SecurityException", ex2.ToString());

                // Same as above: windowsIdentity cannot be non-null in this handler.
                ExTraceGlobals.AuthenticationTracer.TraceError <string, string, object>(0L, "[AutodiscoverAuthorizationManager::CheckClaimSets] SecurityException encountered. UPN: {0}, Exception message: {1}, Identity: {2}", text3, ex2.Message, (windowsIdentity == null) ? "<NULL>" : windowsIdentity.User);
                return(AutodiscoverAuthorizationManager.Return401UnauthorizedResponse(operationContext, "Creating WindowsIdentity from UPN failed with a SecurityException"));
            }
            string org = null;

            if (organizationId != null && organizationId.OrganizationalUnit != null)
            {
                org = organizationId.OrganizationalUnit.Name;
            }
            AutodiscoverAuthorizationManager.PushUserAndOrgInfoToContext(text4, org);
            // From here on the request runs as the looked-up directory user.
            HttpContext.Current.User = new WindowsPrincipal(windowsIdentity);
            return(true);
        }