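        /// <summary>
        /// Decides whether <paramref name="executingAdUser"/> holds Full Access on the mailbox of
        /// <paramref name="accessRequestedForADUser"/> by evaluating the mailbox security descriptor
        /// read from the store server that currently hosts the mailbox database.
        /// </summary>
        /// <param name="executingAdUser">Caller whose SID is evaluated against the descriptor.</param>
        /// <param name="accessRequestedForADUser">Mailbox owner; its Database and ExchangeGuid locate the mailbox.</param>
        /// <param name="session">Not used by this implementation; kept so the signature is unchanged.</param>
        /// <returns>
        /// true when the generic access check grants the CreateChild mask (what this method treats as Full Access);
        /// false when the mailbox cannot be found or the store returns no descriptor.
        /// </returns>
        internal static bool CheckFullAccessPermissions(ADUser executingAdUser, ADUser accessRequestedForADUser, IRecipientSession session)
        {
            ExTraceGlobals.TaskTracer.TraceDebug <string, string>(0L, "Checking if {0} has full access for mailbox {1}", executingAdUser.Alias, accessRequestedForADUser.Alias);
            ActiveManager         activeManagerInstance = ActiveManager.GetActiveManagerInstance();
            // The descriptor must be read from the active copy of the database, so resolve the hosting server first.
            DatabaseLocationInfo  serverForDatabase     = activeManagerInstance.GetServerForDatabase(accessRequestedForADUser.Database.ObjectGuid);
            RawSecurityDescriptor rawSecurityDescriptor = null;

            using (MapiMessageStoreSession mapiMessageStoreSession = new MapiMessageStoreSession(serverForDatabase.ServerLegacyDN, Server.GetSystemAttendantLegacyDN(serverForDatabase.ServerLegacyDN), Fqdn.Parse(serverForDatabase.ServerFqdn)))
            {
                MailboxId mailboxId = new MailboxId(new DatabaseId(accessRequestedForADUser.Database.ObjectGuid), accessRequestedForADUser.ExchangeGuid);
                try
                {
                    rawSecurityDescriptor = mapiMessageStoreSession.GetMailboxSecurityDescriptor(mailboxId);
                }
                catch (MailboxNotFoundException)
                {
                    ExTraceGlobals.TaskTracer.TraceDebug <MailboxId>(0L, "Could not find mailbox {0} when attempting to read its security descriptor.", mailboxId);
                    return(false);
                }
            }
            // Fail closed: without a descriptor there is nothing to prove a grant against. The previous
            // implementation dereferenced it unconditionally and would have thrown here instead.
            if (rawSecurityDescriptor == null)
            {
                ExTraceGlobals.TaskTracer.TraceDebug <string>(0L, "No security descriptor returned for mailbox {0}; denying full access.", accessRequestedForADUser.Alias);
                return(false);
            }
            // The former round-trip through ActiveDirectorySecurity (binary form in, never read back) was dead
            // work; the Authz check below operates on the raw descriptor directly.
            int num = AuthzAuthorization.CheckGenericPermission(executingAdUser.Sid, rawSecurityDescriptor, AccessMask.CreateChild);

            // Only the low bit of the returned mask is the CreateChild grant being tested.
            return((num & 1) == 1);
        }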
        /// <summary>
        /// Resolves the permissions <paramref name="sid"/> holds on this object's security descriptor.
        /// Fails closed: a missing descriptor, or a Win32 failure inside the Authz check, yields
        /// <see cref="Permission.None"/> rather than an exception.
        /// </summary>
        /// <param name="sid">Identity whose effective permissions are evaluated.</param>
        /// <returns>The permissions reported by the Authz check, or <see cref="Permission.None"/> on any failure.</returns>
        private Permission DeterminePermissions(SecurityIdentifier sid)
        {
            RawSecurityDescriptor descriptor = this.GetSecurityDescriptor();
            if (descriptor == null)
            {
                return(Permission.None);
            }
            try
            {
                return(AuthzAuthorization.CheckPermissions(sid, descriptor, null));
            }
            catch (Win32Exception)
            {
                // Deliberately swallowed: an authorization-engine failure denies instead of propagating.
                return(Permission.None);
            }
        }
        // Token: 0x06001055 RID: 4181 RVA: 0x0004F074 File Offset: 0x0004D274
        /// <summary>
        /// Materialises this scope's search Root and query Filter from its scopeType, plus the SelfRoot/SelfFilter
        /// pair, so later directory queries are constrained to what the scope permits. Runs at most once: if either
        /// Root or Filter is already set the call is a no-op.
        /// </summary>
        /// <param name="organizationId">Tenant whose OrganizationalUnit/ConfigurationUnit anchors the search; dereferenced without a null check by most cases.</param>
        /// <param name="propertyBag">Properties of the executing user; its Id drives the Self-style scopes. Required when isFromEndUserRole is set.</param>
        /// <exception cref="ArgumentNullException">When isFromEndUserRole is set and <paramref name="propertyBag"/> is null.</exception>
        internal void PopulateRootAndFilter(OrganizationId organizationId, IReadOnlyPropertyBag propertyBag)
        {
            // Idempotence guard: a scope that has already been populated is never recomputed.
            if (this.Root != null || this.Filter != null)
            {
                return;
            }
            // NOTE(review): only the end-user-role path validates propertyBag here; the Self, MyDirectReports and
            // MyDistributionGroups cases below index it unguarded — presumably callers guarantee it for those scopes.
            if (this.isFromEndUserRole && propertyBag == null)
            {
                throw new ArgumentNullException("propertyBag");
            }
            // SelfRoot/SelfFilter are filled regardless of scopeType, whenever the inputs allow it.
            if (organizationId != null)
            {
                this.SelfRoot = organizationId.OrganizationalUnit;
            }
            if (propertyBag != null)
            {
                this.SelfFilter = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Id, propertyBag[ADObjectSchema.Id]);
            }
            switch (this.scopeType)
            {
            // Matches nothing: NoObjectFilter is the fail-closed filter.
            case ScopeType.None:
                this.Root   = null;
                this.Filter = ADScope.NoObjectFilter;
                return;

            // No scoping applied at all (both Root and Filter stay null).
            case ScopeType.NotApplicable:
                this.Root   = null;
                this.Filter = null;
                return;

            // Whole tenant: rooted at the organization OU, no additional filter.
            case ScopeType.Organization:
                this.Root   = organizationId.OrganizationalUnit;
                this.Filter = null;
                return;

            // Members of the caller's global address list; falls back to NoObjectFilter when no GAL resolves.
            case ScopeType.MyGAL:
            {
                AddressBookBase globalAddressList = this.GetGlobalAddressList(organizationId);
                this.Root = organizationId.OrganizationalUnit;
                if (globalAddressList == null)
                {
                    this.Filter = ADScope.NoObjectFilter;
                    return;
                }
                this.Filter = new ComparisonFilter(ComparisonOperator.Equal, ADRecipientSchema.AddressListMembership, globalAddressList.Id);
                return;
            }

            // Exactly the executing user's own object.
            case ScopeType.Self:
                this.Root   = organizationId.OrganizationalUnit;
                this.Filter = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Id, propertyBag[ADObjectSchema.Id]);
                return;

            // Objects whose Manager attribute points at the executing user.
            case ScopeType.MyDirectReports:
                this.Root   = organizationId.OrganizationalUnit;
                this.Filter = new ComparisonFilter(ComparisonOperator.Equal, ADOrgPersonSchema.Manager, propertyBag[ADObjectSchema.Id]);
                return;

            // A specific organizational unit chosen when the scope was built.
            case ScopeType.OU:
                this.Root   = this.ouId;
                this.Filter = null;
                return;

            // Admin-defined management scopes: root and filter come straight from the ManagementScope object.
            case ScopeType.CustomRecipientScope:
            case ScopeType.CustomConfigScope:
            case ScopeType.PartnerDelegatedTenantScope:
            case ScopeType.ExclusiveRecipientScope:
            case ScopeType.ExclusiveConfigScope:
                this.Root   = this.managementScope.RecipientRoot;
                this.Filter = this.managementScope.QueryFilter;
                return;

            // Groups the user manages: ManagedBy or CoManagedBy equals the user, or an in-memory ownership check passes.
            case ScopeType.MyDistributionGroups:
            {
                this.Root = organizationId.OrganizationalUnit;
                QueryFilter[] array = new QueryFilter[3];
                array[0] = new ComparisonFilter(ComparisonOperator.Equal, ADGroupSchema.ManagedBy, propertyBag[ADObjectSchema.Id]);
                array[1] = new ComparisonFilter(ComparisonOperator.Equal, ADGroupSchema.CoManagedBy, propertyBag[ADObjectSchema.Id]);
                // Evaluated client-side per candidate object; non-ADGroup entries never match.
                array[2] = new CSharpFilter <IReadOnlyPropertyBag>(delegate(IReadOnlyPropertyBag obj)
                    {
                        ADGroup adgroup = obj as ADGroup;
                        return(adgroup != null && adgroup.IsExecutingUserGroupOwner);
                    });
                this.Filter = new OrFilter(array);
                return;
            }

            // NOTE(review): this case assigns nothing, so the method ends with Root and Filter both null —
            // the same end state as NotApplicable, i.e. no scoping. Confirm that is the intended semantics.
            case ScopeType.MyExecutive:
                break;

            // Tenant configuration container rather than the recipient OU.
            case ScopeType.OrganizationConfig:
                this.Root   = organizationId.ConfigurationUnit;
                this.Filter = null;
                return;

            // Mailboxes the caller may delegate: linked via MasterAccountSid, or an Authz check grants WriteProp
            // on the Personal-Information property set of the object's own security descriptor.
            case ScopeType.MailboxICanDelegate:
            {
                this.Root = organizationId.OrganizationalUnit;
                QueryFilter[] array2 = new QueryFilter[2];
                array2[0] = new ComparisonFilter(ComparisonOperator.Equal, ADRecipientSchema.MasterAccountSid, this.securityAccessToken.UserSid);
                array2[1] = new CSharpFilter <IReadOnlyPropertyBag>(delegate(IReadOnlyPropertyBag obj)
                    {
                        RawSecurityDescriptor rawSecurityDescriptor = ((ADObject)obj).ReadSecurityDescriptor();
                        if (rawSecurityDescriptor != null)
                        {
                            // A fresh Authz context is built for every candidate object; disposed by the using.
                            using (AuthzContextHandle authzContext = AuthzAuthorization.GetAuthzContext(new SecurityIdentifier(this.securityAccessToken.UserSid), false))
                            {
                                bool[] array3 = AuthzAuthorization.CheckExtendedRights(authzContext, rawSecurityDescriptor, new Guid[]
                                {
                                    WellKnownGuid.PersonalInfoPropSetGuid
                                }, null, AccessMask.WriteProp);
                                return(array3[0]);
                            }
                            // Unreachable: the using block above always returns (left as-is, decompiler artifact).
                            return(false);
                        }
                        // No readable descriptor means no delegation right can be proven.
                        return(false);
                    });
                this.Filter = new OrFilter(array2);
                return;
            }

            // Unknown scope types fail closed.
            default:
                this.Root   = null;
                this.Filter = ADScope.NoObjectFilter;
                break;
            }
        }
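        /// <summary>
        /// Audits the ACL of every DKM object against <paramref name="expectedAccessRights"/> and writes a
        /// per-object report of each deviation (unreadable descriptor, unexpected identity with effective rights,
        /// rights differing from the expectation, expected identity missing) into <paramref name="detailStatus"/>.
        /// </summary>
        /// <param name="dkmObjects">Directory entries to audit.</param>
        /// <param name="session">Session used to read each object's security descriptor.</param>
        /// <param name="expectedAccessRights">The exact effective rights each listed identity is expected to hold; not modified.</param>
        /// <param name="detailStatus">Receives human-readable findings; untouched for objects that match.</param>
        /// <returns>true only when every object's ACL matches the expectation exactly.</returns>
        private static bool CheckPermissionsOnDkmObjects(IEnumerable <ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
        {
            bool result = true;

            foreach (ADRawEntry adrawEntry in dkmObjects)
            {
                RawSecurityDescriptor   rawSecurityDescriptor;
                ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(adrawEntry, session, null, out rawSecurityDescriptor);
                if (activeDirectorySecurity == null)
                {
                    result = false;
                    detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", adrawEntry.Id.DistinguishedName);
                    continue;
                }
                AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
                StringBuilder stringBuilder             = new StringBuilder();
                stringBuilder.AppendLine(string.Format("Object DN: {0}\r\n", adrawEntry.Id.DistinguishedName));
                bool flag = false;
                // Effective (MaximumAllowed) rights observed for each expected identity on this object.
                Dictionary <SecurityIdentifier, ActiveDirectoryRights> observedRights = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>();
                foreach (ActiveDirectoryAccessRule activeDirectoryAccessRule in accessRules)
                {
                    // Rules were requested as SecurityIdentifier above, so the cast cannot fail; hoisted out of the repeated uses.
                    SecurityIdentifier ruleSid = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference;
                    try
                    {
                        // Both branches need the effective rights, so resolve them once.
                        int effectiveRights = AuthzAuthorization.CheckGenericPermission(ruleSid, rawSecurityDescriptor, AccessMask.MaximumAllowed);
                        if (expectedAccessRights.ContainsKey(ruleSid))
                        {
                            observedRights[ruleSid] = (ActiveDirectoryRights)effectiveRights;
                        }
                        else if (effectiveRights != 0)
                        {
                            // An unexpected identity whose effective rights resolve to 0 (e.g. a deny-only ACE) is not reported.
                            stringBuilder.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(ruleSid.ToString()), (ActiveDirectoryRights)effectiveRights);
                            result = false;
                            flag   = true;
                        }
                    }
                    catch (Win32Exception ex)
                    {
                        // A failed check is itself a finding: the object's ACL could not be fully verified.
                        stringBuilder.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(ruleSid.ToString()), ex.Message, ex.ErrorCode);
                        result = false;
                        flag   = true;
                    }
                }
                // Work on a copy so the caller's expectation table is never mutated; entries are removed as they are matched.
                Dictionary <SecurityIdentifier, ActiveDirectoryRights> remainingExpected = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
                foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> observed in observedRights)
                {
                    // Exact equality: extra rights are as much a finding as missing ones.
                    if (remainingExpected[observed.Key] != observed.Value)
                    {
                        stringBuilder.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(observed.Key.ToString()), remainingExpected[observed.Key], observed.Value);
                        result = false;
                        flag   = true;
                    }
                    remainingExpected.Remove(observed.Key);
                }
                // Whatever is left was expected but has no ACE on this object.
                foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> missing in remainingExpected)
                {
                    stringBuilder.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(missing.Key.ToString()), missing.Value);
                    result = false;
                    flag   = true;
                }
                if (flag)
                {
                    detailStatus.AppendLine(stringBuilder.ToString());
                }
            }
            return(result);
        }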