
# This file contains utility functions related to Microsoft App Proxy

# Get's bootstrap configuration
# Apr 2nd 2020
function Get-BootstrapConfiguration

        # Get the tenant id and instance id from the certificate
        $TenantId = $Certificate.Subject.Split("=")[1]
        $InstanceID = [guid]$Certificate.GetSerialNumberString()

        # Actually, it is not the serial number but this oid for Private Enterprise Number. Microsoft =
        foreach($extension in $cert.Extensions)
            if($extension.Oid.Value -eq "")
                $InstanceID = [guid]$extension.RawData

        <BootstrapRequest xmlns="" xmlns:i="">
            <FailedRequestMetrics xmlns:a=""/>
            <PerformanceMetrics xmlns:a=""/>
            <SuccessRequestMetrics xmlns:a=""/>

        $response = Invoke-WebRequest -UseBasicParsing -Uri $url -Method Post -Certificate $Certificate -Body $body -ContentType "application/xml; charset=utf-8"
        [xml]$xmlResponse = $response.Content

        return $xmlResponse.OuterXml


# Creates a CSR from the scratch
# Apr 2nd 2020
function NewCSRforSync
        $ADadminUser ="NotYourBusiness!!"
        $exeName = "AADConnectProvisioningAgentWizard.exe"


        # Construct the CSR for signin
            Add-DERSequence -Data @(                       
                Add-DERInteger -Data 0                          
                0x30, 0x00                                     
                Add-DERSequence -Data @(                  
                    Add-DERSequence -Data @(          
                        Add-DERTag -Tag 0x06 -Data @(           # Object Identifier
                                                                # rsaEncryption (1.2.840.113549.1.1.1)
                            0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01
                        0x05, 0x00                              # Null
                    Add-DERTag -Tag 0x03 -Data @(           # BitString

                Add-DERTag -Tag 0xA0 -Data @(                   # Context specific (block #0)

                    # Attributes: osVersion
                    Add-DERSequence -Data @(               

                        Add-DERTag -Tag 0x06 -Data @(           # Object Identifier
                                                                # osVersion (
                            0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0D, 0x02, 0x03
                        Add-DERSet -Data @(           # SET
                            Add-DERIA5String -Text $osVersion

                    # Extension Request
                    Add-DERSequence -Data @(               
                        Add-DERTag -Tag 0x06 -Data @(           # Object Identifier
                                                                # extensionRequest (1.2.840.113549.1.9.14)
                            0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x0E
                        Add-DERSet -Data @(           
                            Add-DERSequence -Data @(       
                                # Key Usage
                                Add-DERSequence -Data @(   
                                    Add-DERTag -Tag 0x06 -Data @( # Object Identifier
                                        0x55, 0x1D, 0x0F        # keyUsage (
                                    Add-DERTag 0x01 -Data @(0xFF) # Boolean (true)
                                    Add-DERTag 0x04 -Data @(0x03, 0x02, 0x04, 0xF0) # Octet string
                                # Ext Key Usage
                                Add-DERSequence -Data @(   
                                    Add-DERTag -Tag 0x06 -Data @( # Object Identifier
                                        0x55, 0x1D, 0x25        # extKeyUsage (
                                    Add-DERTag 0x04 -Data @(    
                                        Add-DERSequence -Data @(
                                            Add-DERTag -Tag 0x06 -Data @( # Object Identifier
                                                0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02        # clientAuth (


                                # Subject Key Identifier
                                Add-DERSequence -Data @(   
                                    Add-DERTag -Tag 0x06 -Data @( # subjectKeyIdentifier (
                                        0x55, 0x1D, 0x0E        
                                    Add-DERTag 0x04 -Data @(    # Octet string
                                        0x04, 0x14#, 0xEB, 0x4F, 0xD9, 0xFF, 0x3A, 0x20, 0xA9, 0xDB, 0x63, 0xBA, 0x50, 0x2A, 0xF1, 0x5B, 0x96, 0x5F, 0x5C, 0x3C, 0xCD, 0xF4

                    # Request Client Info
                    Add-DERSequence -Data @(                    
                        Add-DERTag -Tag 0x06 -Data @(           # Object Identifier
                                                                # requestClientInfo (
                           0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x14
                        Add-DERSet -Data @(           # Set
                            Add-DERSequence -Data @(
                                Add-DERInteger -Data 0x05
                                Add-DERUtf8String -Tag 0x0C -Text $machineName
                                Add-DERUtf8String -Tag 0x0C -Text $ADadminUser
                                Add-DERUtf8String -Tag 0x0C -Text $exeName


                    # Enrolment CSP
                    Add-DERSequence -Data @(                    
                        Add-DERTag -Tag 0x06 -Data @(           # Object Identifier
                                                                # enrolmentCSP (
                            0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0D, 0x02, 0x02
                        Add-DERSet -Data @(           
                            Add-DERSequence -Data @(
                                Add-DERInteger 0x01
                                Add-DERUnicodeString -Tag 0x1E "Microsoft Enhanced RSA and AES Cryptographic Provider" -LE
                                Add-DERTag -Tag 0x03 -Data 0x00 # Bit string



        # Sign the CSR
        $signature = $rsa.SignData($CSRToBeSigned, [System.Security.Cryptography.HashAlgorithmName]::SHA256,[System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        # Construct the CSR
        $CSR = Add-DERSequence -Data @(
            Add-DERSequence -Data @(
                Add-DERTag -Tag 0x06 -Data @(
                    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B
                0x05, 0x00 # null
            Add-DERTag -Tag 0x03 -Data @(
        # return

        return $CSR

# Connects to the given bus
function Connect-ToBus
        # Import AMQP.ps1
        . "$PSScriptRoot\AMQP.ps1"
        # Define AMQP messages
        [byte[]]$AMQP0 = @(
            0x41, 0x4D, 0X51, 0X50, # AMQP
            0x00, # Protocol
            0x01, # Major
            0x00, # Minor
            0x00) # Revision

        [byte[]]$AMQP1 = @(
            0x41, 0x4D, 0X51, 0X50, # AMQP
            0x01, # Protcol = AMQP
            0x01, # Major
            0x00, # Minor
            0x00) # Revision

        [byte[]]$AMQP2 = @(
            0x41, 0x4D, 0X51, 0X50, # AMQP
            0x02, # Protcol = TCP
            0x01, # Major
            0x00, # Minor
            0x00) # Revision

        [byte[]]$AMQP3 = @(
            0x41, 0x4D, 0X51, 0X50, # AMQP
            0x03, # Protocol = SASL
            0x01, # Major
            0x00, # Minor
            0x00) # Revision

        [byte[]]$EmptyAMQPHeader = @(0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00)

            # Define some needed variables
            $NameSpace = $bootStrap.NameSpace
            $url = "$`$servicebus/websocket"
            $connectionId = (New-Guid).ToString()
            $relayLinkGuid = (New-Guid).ToString()
            $trackingId = (New-Guid).ToString()

                $Status.status = "Connecting to $url"
                Write-Verbose "Connecting to $url"
            #$connector.Status = "Connecting to $url"
            # Create the socket
            $socket = New-Object System.Net.WebSockets.ClientWebSocket
            # Add wsrelayedamqp as sub protocol
            $socket.Options.ClientCertificates.Add($cert) | out-null
            # Create the token and open the connection
            $token = New-Object System.Threading.CancellationToken                                                   

            $connection = $socket.ConnectAsync("wss://$url", $token)
            While (!$connection.IsCompleted) { Start-Sleep -Milliseconds 5 }

            if($connection.IsFaulted -eq "True")
                Write-Error $connection.Exception

            # Start the Agent

            # Send SASL version header
            SendToSocket -Socket $socket -Token $token -Bytes ($AMQP3)

            # DEBUG

            # Start the loop
            while($socket.state -eq "Open")
                $outMessage = $null

                $response = ReadFromSocket -Socket $socket -Token $token  -KeepAlive
                $inMessage = Parse-BusMessage $response

                $close = $false

                    "Protocol SASL" {} # Do nothing
                    "SASL Mechanisms" 
                            # SASL init
                            $outMessage = New-SASLInit -Mechanics EXTERNAL
                    "SASL Outcome"
                            # Change protocol to AMQP
                            $outMessage = $AMQP0
                    "Protocol AMQP" 
                            # AMQP Open
                            $outMessage = New-AMQPOpen -ContainerId "RelayConnection_$connectionId" -HostName "$"
                    "AQMP Open"
                            # AMQP Begin
                            $outMessage = New-AMQPBegin
                    "AQMP Begin"
                            # AMQP Attach handle 0 and 1
                            SendToSocket -Socket $socket -Token $token -Bytes (New-AMQPAttach -Handle 0 -RelayLinkGuid $relayLinkGuid -Direction out -BootStrap $bootStrap -TrackingID $trackingId)
                            SendToSocket -Socket $socket -Token $token -Bytes (New-AMQPAttach -Handle 1 -RelayLinkGuid $relayLinkGuid -Direction in  -BootStrap $bootStrap -TrackingID $trackingId)

                            $outMessage = New-AMQPFlow
                    "AQMP Attach"
                            # Nothing to do
                    "AQMP Flow"
                            # Send an empty AMQP Header
                            $outMessage = $EmptyAMQPHeader
                                $Status.status += "`nWaiting for auth requests.."
                                Write-Verbose "Waiting for auth requests.."
                    "AQMP Detach"
                            # Send AMQP Detach
                            $outMessage = New-AMQPDetach -Handle ($inMessage.Handle)
                            Write-Verbose ($inMessage.Error)
                    "AQMP End"
                            # Send AMQP End
                            $outMessage = New-AMQPEnd
                    "AQMP Close"
                            # Send AMQP Close
                            $outMessage = New-AMQPClose

                            # Close the socket after sending the last message
                            $close = $True

                            # Set the status
                                $Status.status += "`nClosed."
                                Write-Verbose "Closed."
                            # Send the disposition message
                            SendToSocket -Socket $socket -Token $token -Bytes (New-AMQPDisposition)

                            # Time to create the relay!
                                $Status.status += "`nOpening relay to $($inMessage.RelayAddress)"
                                Write-Verbose "Opening relay to $($inMessage.RelayAddress)"

                                $relayOpened = $true
                                Connect-ToAuthRelay -Hostname $inMessage.RelayAddress -Id $inMessage.RelayId -Certificate $cert

                if($outMessage -ne $null)
                    SendToSocket -Socket $socket -Token $token -Bytes $outMessage



            $Exception = $error[0]
            Write-Host $Exception -ForegroundColor Red

            If ($socket) { 
                Write-Verbose "Closing websocket"


function SendToSocket
        [Parameter(Mandatory=$True, ParameterSetName="Bytes")]
        [Parameter(Mandatory=$True, ParameterSetName="Byte")]

        if($Bytes -eq $null)
            [byte[]]$Bytes = @($Byte)

        $connection = $Socket.SendAsync($Bytes,1,$true,$Token)
            Start-Sleep -Milliseconds 5 


function ReadFromSocket
        [byte[]]$EmptyAMQPHeader = @(0x00, 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00)
        $start = Get-Date

        $buffer = New-Object Byte[] $ArraySize

        $connection = $Socket.ReceiveAsync($buffer, $Token)
            # If KeepAlive, send an empty AMQP header after 30 seconds
            if($KeepAlive -and (Get-Date).Subtract($start).Seconds -gt 30)
                SendToSocket -Socket $socket -Token $token -Bytes $EmptyAMQPHeader
                $start = Get-Date
            if($TimeOut -and (Get-Date).Subtract($start).Seconds -gt 5)
                return $null
            Start-Sleep -Milliseconds 5 

        $retVal= $buffer[0..$($connection.Result.Count-1)]

        return $retVal

# Creates a SAS token
function Get-SASToken

        # Create the HMAC object
        $hmac = [System.Security.Cryptography.HMACSHA256]::new($keyBytes)

        # Convert to UNIX time

        # Form the string to sign (urlencoded uri + \n + expires)
        $namespace = $url.split("/")[2]
        $urlToSign = [System.Web.HttpUtility]::UrlEncode($url) + "`n" + [string]$exp

        # Calculate the signature
        $byteHash = $hmac.ComputeHash($byteUrl)
        $signature = [System.Convert]::ToBase64String($byteHash)
        # Form the token
        $SASToken = "SharedAccessSignature sr=" + [System.Web.HttpUtility]::UrlEncode($Url) + "&sig=" + [System.Web.HttpUtility]::UrlEncode($signature) + "&se=" + $exp + "&skn=" + $KeyName

        return $SASToken

function Connect-ToAuthRelay

            $url = "$Hostname/`$servicebus/websocket"


            # Create the socket
            $socket = New-Object System.Net.WebSockets.ClientWebSocket
            # Add wsrelayedamqp as sub protocol
            $socket.Options.ClientCertificates.Add($Certificate) | out-null

            # Create the token and open the connection
            $token = New-Object System.Threading.CancellationToken                                                   

            $connection = $socket.ConnectAsync("wss://$url", $token)
            While (!$connection.IsCompleted) { Start-Sleep -Milliseconds 5 }

            if($connection.IsFaulted -eq "True")
                Write-Error $connection.Exception

            # Send the two initial messages
            SendToSocket -Socket $socket -Token $token -Bytes (New-RelayConnect)

            SendToSocket -Socket $socket -Token $token -Bytes (New-RelayAccept -id $id)

            # Start the conversation loop

                #$Status.status += "`nSocket: $($socket.state)"

            # Define variables
            $SomeId = $null
            $SequenceId = $null
            $ConnectionId = New-Guid
            $RelayUrl = $null
            $ProxyUrl = $null
            $ProxyId = $null
            $SomeId2 = $null
            $ConId = $null

            while($socket.state -eq "Open")
                Remove-Variable outMessage
                $outMessage = $null

                $response = ReadFromSocket -Socket $socket -Token $token  -TimeOut

                if($response -eq $null)

                $inMessage = Parse-RelayMessage $response

                 # $Status.status += "`n$hostname InMessage: $($inMessage.Type) $($inMessage.Size). Response: $($response.length)"

                $close = $false


                    "Relay AcceptReply"  {} # Do nothing
                    "Relay ConnectReply" {} # Do nothing
                    "Relay Name" 
                            # Reply
                            SendToSocket -Socket $socket -Token $token -Byte (New-RelayNameReply)
                    "Relay Ids" 
                                $Status.status += "`nExtracting variables"
                            # Extract variables
                            $SomeId = $inMessage.SomeId
                            $SequenceId = $inMessage.SequenceId
                            $RelayUrl = $inMessage.Relay

                                $Status.status += "`nSending outmessage. SomeId: $someId ConnectionId $ConnectionId SequenceId: $SequenceId Relay $RelayUrl"
                            # Reply
                            $outMessage = New-RelayIdsReply -SomeId $SomeId -ConnectionId $ConnectionId -Relay $RelayUrl
                    "Relay ProxyConnect" 
                            # Extract variables
                            $ProxyUrl = $inMessage.ProxyUrl
                            $ProxyId = $inMessage.ProxyId
                            $SomeId2 = $inMessage.SomeId2
                            $ConId = $inMessage.ConId
                            $ConnectionId = $inMessage.ConnectionId

                                $Status.status += "`nProxy. SomeId2: $someId2 SequenceId: $SequenceId ConnectionId: $ConnectionId "

                            # Reply
                            $outMessage = New-RelayProxyConnectReply -SequenceId $SequenceId -SomeId2 $SomeId2 -ConnectionId $ConnectionId 

                            # Send NetRemote
                            SendToSocket -Socket $socket -Token $token -Bytes New-RelayNetRemote
                    "Relay NetRemoteReply" 
                            # Try to connect to the proxy!

                            # Get the ids..



                            # Create the socket
                            $socket2 = New-Object System.Net.WebSockets.ClientWebSocket

                            $socket2.options.SetRequestHeader("x-cwap-dnscachelookup-result" , "NotUsed")
                            $socket2.options.SetRequestHeader("x-cwap-connector-usesdefaultproxy" , "InUse")
                            $socket2.options.SetRequestHeader("x-cwap-connector-version" , "1.5.1542.0")
                            $socket2.options.SetRequestHeader("x-cwap-datamodel-version" , "1.5.1542.0")
                            $socket2.options.SetRequestHeader("x-cwap-connector-sp-connections" , "0")
                            $socket2.options.SetRequestHeader("x-cwap-transid" , $id)

                            # Create the token and open the connection
                            $token2 = New-Object System.Threading.CancellationToken                                                   

                            $connection2 = $socket2.ConnectAsync("wss://$($url.Substring(8))", $token2)
                            While (!$connection2.IsCompleted) { Start-Sleep -Milliseconds 5 }

                            if($connection2.IsFaulted -eq "True")
                                Write-Error $connection2.Exception
                            Write-Host "Connected to $Url" -ForegroundColor Yellow

                            # Send the message
                            $message = [text.encoding]::UTF8.GetBytes( "{`"ConnectionId`":`"$connectionId`",`"MessageType`":0}" )
                            SendToSocket -Socket $socket2 -Token $token -Bytes ($message)            

                            # Loop
                                # Get the authentication message
                                $response = ReadFromSocket -Socket $socket2 -Token $token2 -ArraySize 2048
                                # Debug -Step ($step++) -NameSpace $Hostname -Bytes $response -Direction in

                                $authRequest = [text.encoding]::UTF8.GetString($response)
                                Write-Verbose $authRequest
                                $credentials = Decode-PTACredential -AuthRequest $authRequest -Certificate $cert



                                Write-Verbose "Trying to send authentication response"
                                $backEndResponse = [convert]::ToBase64String([text.encoding]::UTF8.GetBytes($userClaim))

                                $headers = [ordered]@{
                                    "x-cwap-transid" = $id
                                    "x-cwap-backend-response" = $backEndResponse


                                # The cert must be "linked" to this web page by IE + it needs to be installed in the personal store.
                                    Invoke-RestMethod -Uri $url -Method Post -Certificate $cert -Headers $headers -ContentType "" -ErrorAction SilentlyContinue
                                    #$response = Invoke-WebRequest -UseBasicParsing -Uri $url -Method Post -Certificate $cert -Headers $headers -ContentType "" -ErrorAction SilentlyContinue
                                    Write-Error $_.Exception.Message

                if($outMessage -ne $null)
                        #$Status.status += "`nSendToSocket. $($outMessage.length). $($outMessage.GetType())"
                    SendToSocket -Socket $socket -Token $token -Bytes ([byte[]]$outMessage)


            $Exception = $error[0]
            Write-Host $_
            Write-Host $Exception -ForegroundColor Red

                $Status.status += "`n$($exception.toString())"

            If ($socket) { 
                Write-Verbose "Closing websocket $Namespace"
