protected override void WriteResult(IConfigurable dataObject)
{
TaskLogger.LogEnter();
base.HasObjectMatchingIdentity = true;
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, (IConfigurationSession)base.DataSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (!base.Owner.IsPresent)
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
int num = 0;
while (accessRules.Count > num)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num];
if (base.SecurityPrincipal == null || (base.SecurityPrincipal != null && base.SecurityPrincipal == activeDirectoryAccessRule.IdentityReference))
{
ADAcePresentationObject adacePresentationObject = new ADAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id);
adacePresentationObject.ResetChangeTracking(true);
base.WriteResult(adacePresentationObject);
}
num++;
}
}
else
{
IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount));
base.WriteResult(new OwnerPresentationObject(((ADRawEntry)dataObject).Id, owner.ToString()));
}
TaskLogger.LogExit();
}
protected override void WriteResult(IConfigurable dataObject)
{
TaskLogger.LogEnter();
IDirectorySession directorySession = (IDirectorySession)base.DataSession;
if (TaskHelper.ShouldUnderscopeDataSessionToOrganization(directorySession, (ADObject)dataObject))
{
directorySession = TaskHelper.UnderscopeSessionToOrganization(directorySession, ((ADObject)dataObject).OrganizationId, true);
}
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, directorySession, new Task.TaskErrorLoggingDelegate(base.WriteError));
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (this.Trustee == null || this.trusteeSid == activeDirectoryAccessRule.IdentityReference)
{
RecipientAccessRight?recipientAccessRight = this.FilterByRecipientAccessRights(activeDirectoryAccessRule, this.AccessRights);
if (recipientAccessRight != null)
{
string text = string.Empty;
if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null)
{
try
{
SecurityIdentifier sId = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference;
ADRecipient adrecipient = base.TenantGlobalCatalogSession.FindBySid(sId);
if (adrecipient != null)
{
text = ((!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name);
}
}
catch
{
}
}
if (string.IsNullOrEmpty(text))
{
text = RecipientPermissionTaskHelper.GetFriendlyNameOfSecurityIdentifier((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, base.TenantGlobalCatalogSession, new Task.TaskErrorLoggingDelegate(base.WriteError), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose));
}
RecipientPermission dataObject2 = new RecipientPermission(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id, text, recipientAccessRight.Value);
base.WriteResult(dataObject2);
}
}
}
TaskLogger.LogExit();
}
protected override void InternalProcessRecord()
{
TaskLogger.LogEnter();
if (base.IsInherited)
{
return;
}
if ("Owner" == base.ParameterSetName)
{
IConfigurationSession writableSession = base.GetWritableSession(this.DataObject.Id);
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(this.DataObject, writableSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
SecurityIdentifier sid = this.owner;
activeDirectorySecurity.SetOwner(sid);
RawSecurityDescriptor sd = new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0);
writableSession.SaveSecurityDescriptor(this.DataObject.Id, sd, true);
string friendlyUserName = SecurityPrincipalIdParameter.GetFriendlyUserName(sid, new Task.TaskVerboseLoggingDelegate(base.WriteVerbose));
base.WriteObject(new OwnerPresentationObject(this.DataObject.Id, friendlyUserName));
}
else
{
base.InternalProcessRecord();
}
TaskLogger.LogExit();
}
private static bool CheckPermissionsOnDkmObjects(IEnumerable <ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
{
bool result = true;
foreach (ADRawEntry adrawEntry in dkmObjects)
{
RawSecurityDescriptor rawSecurityDescriptor;
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(adrawEntry, session, null, out rawSecurityDescriptor);
if (activeDirectorySecurity == null)
{
result = false;
detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", adrawEntry.Id.DistinguishedName);
}
else
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.AppendLine(string.Format("Object DN: {0}\r\n", adrawEntry.Id.DistinguishedName));
bool flag = false;
Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>();
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
try
{
if (!expectedAccessRights.ContainsKey((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference))
{
int num = AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
if (num != 0)
{
stringBuilder.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), (ActiveDirectoryRights)num);
result = false;
flag = true;
}
}
else
{
dictionary[(SecurityIdentifier)activeDirectoryAccessRule.IdentityReference] = (ActiveDirectoryRights)AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
}
}
catch (Win32Exception ex)
{
stringBuilder.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), ex.Message, ex.ErrorCode);
result = false;
flag = true;
}
}
Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary2 = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair in dictionary)
{
if (dictionary2[keyValuePair.Key] != keyValuePair.Value)
{
stringBuilder.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair.Key.ToString()), dictionary2[keyValuePair.Key], keyValuePair.Value);
result = false;
flag = true;
}
dictionary2.Remove(keyValuePair.Key);
}
if (dictionary2.Count > 0)
{
foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair2 in dictionary2)
{
stringBuilder.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair2.Key.ToString()), keyValuePair2.Value);
result = false;
flag = true;
}
}
if (flag)
{
detailStatus.AppendLine(stringBuilder.ToString());
}
}
}
return(result);
}
