MultifactorLab
diff --git a/‎.editorconfig‎
Lines changed: 176 additions & 0 deletions b/‎.editorconfig‎
Lines changed: 176 additions & 0 deletions
diff --git a/‎ActiveSync/Module.cs‎
Lines changed: 219 additions & 0 deletions b/‎ActiveSync/Module.cs‎
Lines changed: 219 additions & 0 deletions
@@ -0,0 +1,176 @@
+root = true
+
+[*.{cs,vb}]
+dotnet_style_operator_placement_when_wrapping = beginning_of_line
+tab_width = 4
+indent_style = space
+indent_size = 4
+end_of_line = crlf
+max_line_length = 160
+dotnet_style_coalesce_expression = true:suggestion
+dotnet_style_null_propagation = true:suggestion
+dotnet_style_prefer_is_null_check_over_reference_equality_method = true:suggestion
+dotnet_style_prefer_auto_properties = true:silent
+dotnet_style_object_initializer = true:suggestion
+dotnet_style_prefer_collection_expression = true:suggestion
+dotnet_style_collection_initializer = true:suggestion
+dotnet_style_prefer_simplified_boolean_expressions = true:suggestion
+dotnet_style_prefer_conditional_expression_over_assignment = true:silent
+dotnet_style_prefer_conditional_expression_over_return = true:silent
+dotnet_style_explicit_tuple_names = true:suggestion
+dotnet_style_prefer_inferred_tuple_names = true:suggestion
+dotnet_style_prefer_inferred_anonymous_type_member_names = false:suggestion
+dotnet_style_prefer_compound_assignment = true:suggestion
+dotnet_style_prefer_simplified_interpolation = true:warning
+dotnet_style_namespace_match_folder = true:suggestion
+dotnet_diagnostic.CA1851.severity = error
+#### Naming styles ####
+
+# Naming rules
+
+dotnet_naming_rule.interface_should_be_begins_with_i.severity = warning
+dotnet_naming_rule.interface_should_be_begins_with_i.symbols = interface
+dotnet_naming_rule.interface_should_be_begins_with_i.style = begins_with_i
+
+dotnet_naming_rule.types_should_be_pascal_case.severity = warning
+dotnet_naming_rule.types_should_be_pascal_case.symbols = types
+dotnet_naming_rule.types_should_be_pascal_case.style = pascal_case
+
+dotnet_naming_rule.non_field_members_should_be_pascal_case.severity = suggestion
+dotnet_naming_rule.non_field_members_should_be_pascal_case.symbols = non_field_members
+dotnet_naming_rule.non_field_members_should_be_pascal_case.style = pascal_case
+
+# Symbol specifications
+
+dotnet_naming_symbols.interface.applicable_kinds = interface
+dotnet_naming_symbols.interface.applicable_accessibilities = public, internal, private, protected, protected_internal, private_protected
+dotnet_naming_symbols.interface.required_modifiers =
+
+dotnet_naming_symbols.types.applicable_kinds = class, struct, interface, enum
+dotnet_naming_symbols.types.applicable_accessibilities = public, internal, private, protected, protected_internal, private_protected
+dotnet_naming_symbols.types.required_modifiers =
+
+dotnet_naming_symbols.non_field_members.applicable_kinds = property, event, method
+dotnet_naming_symbols.non_field_members.applicable_accessibilities = public, internal, private, protected, protected_internal, private_protected
+dotnet_naming_symbols.non_field_members.required_modifiers =
+
+# Naming styles
+
+dotnet_naming_style.begins_with_i.required_prefix = I
+dotnet_naming_style.begins_with_i.required_suffix =
+dotnet_naming_style.begins_with_i.word_separator =
+dotnet_naming_style.begins_with_i.capitalization = pascal_case
+
+dotnet_naming_style.pascal_case.required_prefix =
+dotnet_naming_style.pascal_case.required_suffix =
+dotnet_naming_style.pascal_case.word_separator =
+dotnet_naming_style.pascal_case.capitalization = pascal_case
+
+dotnet_style_predefined_type_for_locals_parameters_members = true:silent
+dotnet_style_readonly_field = true:error
+dotnet_style_predefined_type_for_member_access = true:silent
+dotnet_style_require_accessibility_modifiers = for_non_interface_members:silent
+dotnet_style_allow_statement_immediately_after_block_experimental = false:suggestion
+dotnet_style_allow_multiple_blank_lines_experimental = true:silent
+dotnet_code_quality_unused_parameters = all:silent
+dotnet_style_parentheses_in_other_binary_operators = always_for_clarity:silent
+dotnet_style_parentheses_in_arithmetic_binary_operators = always_for_clarity:silent
+dotnet_style_parentheses_in_relational_binary_operators = always_for_clarity:silent
+dotnet_style_parentheses_in_other_operators = never_if_unnecessary:silent
+dotnet_style_qualification_for_field = false:silent
+dotnet_style_qualification_for_property = false:silent
+dotnet_style_qualification_for_method = false:silent
+dotnet_style_qualification_for_event = false:silent
+insert_final_newline = true
+dotnet_diagnostic.CA1069.severity = warning
+
+[*.cs]
+
+# CA1822: Mark members as static
+resharper_redundant_empty_object_creation_argument_list_highlighting=error
+dotnet_diagnostic.CA1822.severity = none
+csharp_indent_labels = one_less_than_current
+csharp_space_around_binary_operators = before_and_after
+csharp_using_directive_placement = outside_namespace:silent
+csharp_prefer_simple_using_statement = true:suggestion
+csharp_prefer_braces = true:error
+csharp_style_namespace_declarations = block_scoped:silent
+csharp_style_prefer_method_group_conversion = true:silent
+csharp_style_prefer_top_level_statements = true:silent
+csharp_style_prefer_primary_constructors = true:suggestion
+csharp_style_expression_bodied_methods = false:silent
+csharp_style_expression_bodied_constructors = false:silent
+csharp_style_expression_bodied_operators = false:silent
+csharp_style_expression_bodied_properties = true:silent
+csharp_style_expression_bodied_indexers = true:silent
+csharp_style_expression_bodied_accessors = true:silent
+csharp_style_expression_bodied_lambdas = true:silent
+csharp_style_expression_bodied_local_functions = false:silent
+csharp_style_throw_expression = true:suggestion
+csharp_style_prefer_null_check_over_type_check = true:suggestion
+csharp_prefer_simple_default_expression = true:suggestion
+csharp_style_prefer_local_over_anonymous_function = true:suggestion
+csharp_style_prefer_index_operator = true:suggestion
+csharp_style_prefer_range_operator = true:suggestion
+csharp_style_implicit_object_creation_when_type_is_apparent = true:suggestion
+csharp_style_prefer_tuple_swap = true:suggestion
+csharp_style_prefer_utf8_string_literals = true:suggestion
+csharp_style_inlined_variable_declaration = true:suggestion
+csharp_style_deconstructed_variable_declaration = true:suggestion
+csharp_style_unused_value_assignment_preference = discard_variable:suggestion
+csharp_new_line_before_else = true
+csharp_new_line_before_catch = true
+csharp_new_line_before_finally = true
+csharp_new_line_before_members_in_object_initializers = true
+csharp_new_line_before_members_in_anonymous_types = true
+csharp_new_line_between_query_expression_clauses = true
+csharp_new_line_before_open_brace = all
+#### Naming styles ####
+
+# Naming rules
+
+dotnet_naming_rule.private_or_internal_field_should_be__fieldname.severity = suggestion
+dotnet_naming_rule.private_or_internal_field_should_be__fieldname.symbols = private_or_internal_field
+dotnet_naming_rule.private_or_internal_field_should_be__fieldname.style = _fieldname
+
+# Symbol specifications
+
+dotnet_naming_symbols.private_or_internal_field.applicable_kinds = field
+dotnet_naming_symbols.private_or_internal_field.applicable_accessibilities = internal, private, private_protected
+dotnet_naming_symbols.private_or_internal_field.required_modifiers = 
+
+# Naming styles
+
+dotnet_naming_style._fieldname.required_prefix = _
+dotnet_naming_style._fieldname.word_separator = 
+dotnet_naming_style._fieldname.capitalization = camel_case
+dotnet_diagnostic.xUnit2008.severity = error
+dotnet_diagnostic.xUnit2009.severity = error
+dotnet_diagnostic.ASP0000.severity = error
+csharp_style_unused_value_expression_statement_preference = discard_variable:silent
+csharp_style_prefer_readonly_struct = true:suggestion
+csharp_prefer_static_local_function = true:suggestion
+csharp_style_prefer_readonly_struct_member = true:suggestion
+csharp_style_allow_blank_lines_between_consecutive_braces_experimental = true:silent
+csharp_style_allow_embedded_statements_on_same_line_experimental = false:error
+csharp_style_allow_blank_line_after_token_in_conditional_expression_experimental = true:silent
+csharp_style_allow_blank_line_after_colon_in_constructor_initializer_experimental = true:silent
+csharp_style_allow_blank_line_after_token_in_arrow_expression_clause_experimental = true:silent
+csharp_style_prefer_switch_expression = false:silent
+csharp_style_conditional_delegate_call = true:suggestion
+csharp_style_pattern_matching_over_as_with_null_check = true:suggestion
+csharp_style_prefer_pattern_matching = true:silent
+csharp_style_pattern_matching_over_is_with_cast_check = true:suggestion
+csharp_style_prefer_not_pattern = true:suggestion
+csharp_style_prefer_extended_property_pattern = true:suggestion
+csharp_style_var_for_built_in_types = false:silent
+csharp_style_var_when_type_is_apparent = false:silent
+csharp_style_var_elsewhere = false:silent
+csharp_preserve_single_line_blocks = true
+csharp_preserve_single_line_statements = true
+csharp_space_before_dot = false
+csharp_space_after_dot = false
+dotnet_diagnostic.xUnit2000.severity = error
+
+#### Custom rules ####
+dotnet_diagnostic.Multifactor_EnforceNamedArgumentsForLiterals.severity = warning
@@ -0,0 +1,219 @@
+using System;
+using System.Linq;
+using System.Net;
+using System.Security.Principal;
+using System.Web;
+using MultiFactor.IIS.Adapter.Extensions;
+using MultiFactor.IIS.Adapter.Owa;
+using MultiFactor.IIS.Adapter.Services;
+using System.Runtime.Caching;
+
+namespace MultiFactor.IIS.Adapter.ActiveSync
+{
+    public class Module : IHttpModule
+    {
+        private MemoryCache _memoryCache;
+        private readonly string _applicationName = "/microsoft-server-activesync";
+
+        public void Init(HttpApplication context)
+        {
+            context.PostAuthorizeRequest += (sender, e) =>
+                OnPostAuthorizeRequest(new HttpContextWrapper(((HttpApplication)sender).Context));
+            _memoryCache = MemoryCache.Default;
+        }
+
+        public void OnPostAuthorizeRequest(HttpContextBase context)
+        {
+            var path = context.Request.Url?.GetComponents(UriComponents.Path, UriFormat.Unescaped);
+
+            if (string.IsNullOrWhiteSpace(path))
+            {
+                return;
+            }
+
+            if (context.Request.ApplicationPath?.ToLower().StartsWith(_applicationName) != true)
+            {
+                return;
+            }
+
+            //static resources
+            if (WebUtil.IsStaticResourceRequest(context.Request.Url))
+            {
+                return;
+            }
+
+            if (!context.User.Identity.IsAuthenticated)
+                //not yet authenticated with login/pwd
+            {
+                return;
+            }
+
+            var user = context.User.Identity.Name;
+            if (user.StartsWith("S-1-5-21")) //SID
+            {
+                user = TryGetUpnFromSid(context.User.Identity);
+            }
+
+            var canonicalUserName = Util.CanonicalizeUserName(user);
+            if (Constants.EXCHANGE_SYSTEM_MAILBOX_PREFIX.Any(sm => canonicalUserName.StartsWith(sm)))
+                //system mailbox
+            {
+                return;
+            }
+
+            var ad = new ActiveDirectoryService(context.GetCacheAdapter(), Logger.ActiveSync);
+            var secondFactorRequired = new UserRequiredSecondFactor(ad);
+            if (!secondFactorRequired.Execute(canonicalUserName))
+                //bypass 2fa
+            {
+                return;
+            }
+
+            if (WebUtil.IsXhrRequest(context.Request))
+            {
+                AccessDenied(context);
+                return;
+            }
+
+            if (WebUtil.IsInitialProvisionCommand(context.Request))
+            {
+                var cacheKey = BuildCacheKey(context);
+                var cachedValue = _memoryCache.Get(cacheKey);
+                var val = cachedValue as int?;
+
+                if (val == 0)
+                {
+                    AccessDenied(context);
+                    return;
+                }
+
+                if (val == 1 || context.HasApiUnreachableFlag())
+                {
+                    return;
+                }
+
+                //call to mfa
+                var secondFactorIsSuccessed = StartSecondFactorAuth(context);
+                if (secondFactorIsSuccessed)
+                {
+                    _memoryCache.Set(cacheKey, 1, DateTimeOffset.Now.AddSeconds(5));
+                    return;
+                }
+
+                _memoryCache.Set(cacheKey, 0, DateTimeOffset.Now.AddSeconds(5));
+                AccessDenied(context);
+            }
+        }
+
+        private bool StartSecondFactorAuth(HttpContextBase context)
+        {
+            var ad = new ActiveDirectoryService(context.GetCacheAdapter(), Logger.ActiveSync);
+
+            var userName = context.User.Identity.Name;
+
+            var identity = Util.CanonicalizeUserName(userName);
+            Logger.ActiveSync.Info($"Applying identity canonicalization: {userName}->{identity}");
+
+            var profile = ad.GetProfile(identity);
+
+            if (profile == null)
+            {
+                // redirect to (custom?) error page
+                throw new Exception($"Profile {identity} not found");
+            }
+
+            if (Configuration.Current.HasTwoFaIdentityAttribute && !string.IsNullOrEmpty(profile.TwoFAIdentity))
+            {
+                Logger.ActiveSync.Info($"Applying 2fa identity attribute: {identity}->{profile.TwoFAIdentity}");
+                identity = profile.TwoFAIdentity;
+            }
+
+            var response = CreateAccessRequest(context, identity, profile?.Phone);
+
+            return response.Granted;
+        }
+
+        private MultiFactorAccessRequest CreateAccessRequest(HttpContextBase context, string identity, string phone)
+        {
+            var api = new MultiFactorApiClient(Logger.ActiveSync, MfTraceIdFactory.CreateTraceActiveSync);
+
+            try
+            {
+                var response = api.CreateNonInteractiveAccessRequest("/access/requests/ex", identity, phone);
+                return response;
+            }
+            catch (WebException wex) when (Configuration.Current.BypassSecondFactorWhenApiUnreachable)
+            {
+                if (wex.Response != null)
+                {
+                    var httpStatusCode = ((HttpWebResponse)wex.Response).StatusCode;
+                    if ((int)httpStatusCode == 429)
+                    {
+                        Logger.ActiveSync.Error($"Too many requests. Please try again later.");
+                    }
+
+                    Logger.ActiveSync.Error(wex.Message);
+
+                    return new MultiFactorAccessRequest { Status = "Denied" };
+                }
+
+                var errmsg = $"Multifactor API host unreachable: {Configuration.Current.ApiUrl}. Reason: {wex.Message}";
+                Logger.ActiveSync.Error(errmsg);
+                Logger.ActiveSync.Warn($"Bypassing the second factor for user '{identity}'.");
+                context
+                    .GetCacheAdapter()
+                    .SetApiUnreachable(Util.CanonicalizeUserName(identity), true);
+                return new MultiFactorAccessRequest { Status = "Granted" };
+            }
+            catch (Exception ex)
+            {
+                Logger.ActiveSync.Error(ex.Message);
+            }
+
+            return new MultiFactorAccessRequest { Status = "Denied" };
+        }
+
+        public static string TryGetUpnFromSid(IIdentity identity)
+        {
+            //for download domains exchange uses OAuthIdentity with SID name
+            //lets try find UPN with reflection
+            var actAsUser = GetPropValue(identity, "ActAsUser");
+            var upn = GetPropValue(actAsUser, "UserPrincipalName");
+            return upn as string;
+        }
+
+        public static object GetPropValue(object src, string propName)
+        {
+            try
+            {
+                if (src == null)
+                {
+                    return null;
+                }
+
+                return src.GetType().GetProperty(propName).GetValue(src, null);
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
+        private void AccessDenied(HttpContextBase context)
+        {
+            context.Response.StatusCode = 440;
+            context.Response.End();
+        }
+
+        private string BuildCacheKey(HttpContextBase context)
+        {
+            var userName = context.User.Identity.Name;
+            var deviceId = context.Request.Params["DeviceId"];
+            return $"{userName}-{deviceId}";
+        }
+
+        public void Dispose()
+        {
+        }
+    }
+}