internal RoleAssignmentScopeSet GetEffectiveScopeSet(Dictionary <ADObjectId, ManagementScope> scopeCache, ISecurityAccessToken securityAccessToken)
{
RbacScope recipientReadScope = (this.RecipientReadScope == ScopeType.MyGAL) ? new RbacScope(this.RecipientReadScope, securityAccessToken) : new RbacScope(this.RecipientReadScope);
RbacScope recipientWriteRbacScope = ExchangeRoleAssignment.GetRecipientWriteRbacScope(this.RecipientWriteScope, this.CustomRecipientWriteScope, scopeCache, securityAccessToken, this.IsFromEndUserRole);
if (recipientWriteRbacScope == null)
{
return(null);
}
RbacScope configReadScope = new RbacScope(this.ConfigReadScope);
ConfigWriteScopeType configWriteScope = this.ConfigWriteScope;
RbacScope configWriteScope2;
switch (configWriteScope)
{
case ConfigWriteScopeType.None:
break;
case ConfigWriteScopeType.NotApplicable:
configWriteScope2 = new RbacScope(ScopeType.NotApplicable);
goto IL_E0;
default:
switch (configWriteScope)
{
case ConfigWriteScopeType.OrganizationConfig:
goto IL_85;
case ConfigWriteScopeType.CustomConfigScope:
case ConfigWriteScopeType.ExclusiveConfigScope:
{
ManagementScope managementScope = scopeCache[this.CustomConfigWriteScope];
if (managementScope == null)
{
return(null);
}
configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope, managementScope);
goto IL_E0;
}
case ConfigWriteScopeType.PartnerDelegatedTenantScope:
if (scopeCache[this.CustomConfigWriteScope] == null)
{
return(null);
}
configWriteScope2 = new RbacScope(ScopeType.OrganizationConfig);
goto IL_E0;
}
configWriteScope2 = null;
goto IL_E0;
}
IL_85:
configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope);
IL_E0:
return(new RoleAssignmentScopeSet(recipientReadScope, recipientWriteRbacScope, configReadScope, configWriteScope2));
}
internal bool IsConfigWriteScopeSmallerOrEqualThan(ExchangeRoleAssignment roleAssignment, IDictionary <ADObjectId, ManagementScope> scopeCache, out LocalizedString notTrueReason)
{
if (roleAssignment == null)
{
throw new ArgumentNullException("roleAssignment");
}
ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId, ADObjectId, int>(10001L, "-->IsConfigReadScopeSmallerOrEqualThan: this = {0}, other = {1} (scopeCache Count = {2})", base.Id, roleAssignment.Id, (scopeCache == null) ? 0 : scopeCache.Count);
notTrueReason = LocalizedString.Empty;
if (roleAssignment.ConfigWriteScope == this.ConfigWriteScope && ADObjectId.Equals(roleAssignment.CustomConfigWriteScope, this.CustomConfigWriteScope))
{
return(this.IsDelegationLevelSmallerOrEqual(roleAssignment, out notTrueReason, false));
}
if (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig)
{
ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "the other role assignment has the biggest config scope: ConfigWriteScopeType.OrganizationConfig");
return(true);
}
ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "IsConfigWriteScopeSmallerOrEqualThan: this instance has config write scope '{0}' with link '{1}', other has type '{2}' with link '{3}'.", new object[]
{
this.ConfigWriteScope,
(this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(),
roleAssignment.ConfigWriteScope,
(roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString()
});
ConfigWriteScopeType configWriteScope = this.ConfigWriteScope;
bool flag;
switch (configWriteScope)
{
case ConfigWriteScopeType.None:
flag = (roleAssignment.ConfigWriteScope != ConfigWriteScopeType.NotApplicable);
break;
case ConfigWriteScopeType.NotApplicable:
flag = true;
break;
default:
switch (configWriteScope)
{
case ConfigWriteScopeType.OrganizationConfig:
flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig);
goto IL_27C;
case ConfigWriteScopeType.CustomConfigScope:
case ConfigWriteScopeType.ExclusiveConfigScope:
if (roleAssignment.ConfigWriteScope != this.ConfigWriteScope)
{
flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig);
goto IL_27C;
}
if (scopeCache != null && this.CustomConfigWriteScope != null && roleAssignment.CustomConfigWriteScope != null && scopeCache.ContainsKey(this.CustomConfigWriteScope) && scopeCache.ContainsKey(roleAssignment.CustomConfigWriteScope) && scopeCache[this.CustomConfigWriteScope] != null && scopeCache[roleAssignment.CustomConfigWriteScope] != null)
{
flag = scopeCache[this.CustomConfigWriteScope].IsScopeSmallerOrEqualThan(scopeCache[roleAssignment.CustomConfigWriteScope], out notTrueReason);
goto IL_27C;
}
ExTraceGlobals.AccessCheckTracer.TraceError <string, string>(10000L, "IsConfigWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' or '{1}' within the scope cache or either of their values are $null.", (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(), (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString());
notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString());
flag = false;
goto IL_27C;
case ConfigWriteScopeType.PartnerDelegatedTenantScope:
flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig || roleAssignment.ConfigWriteScope == ConfigWriteScopeType.CustomConfigScope);
goto IL_27C;
}
flag = false;
break;
}
IL_27C:
if (!flag && LocalizedString.Empty == notTrueReason)
{
notTrueReason = DirectoryStrings.ConfigScopeNotLessThan(this.ConfigWriteScope.ToString(), roleAssignment.ConfigWriteScope.ToString());
}
ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10001L, "<--IsConfigWriteScopeSmallerOrEqualThan: returns {0}", flag);
return(flag);
}
private bool TryUpdateRoleAssigneeTypeAndScope(ExchangeRoleAssignment assignment)
{
RoleAssigneeType roleAssigneeType = RoleAssigneeType.User;
ADRawEntry adrawEntry = this.recipientSession.ReadADRawEntry(assignment.User, InstallCannedRbacRoleAssignments.principalProperties);
if (adrawEntry == null)
{
adrawEntry = this.configurationSession.ReadADRawEntry(assignment.User, InstallCannedRbacRoleAssignments.principalProperties);
if (adrawEntry == null)
{
return(false);
}
}
MultiValuedProperty <string> multiValuedProperty = (MultiValuedProperty <string>)adrawEntry[ADObjectSchema.ObjectClass];
foreach (string value in multiValuedProperty)
{
if ("group".Equals(value, StringComparison.OrdinalIgnoreCase))
{
roleAssigneeType = RoleAssigneeType.SecurityGroup;
break;
}
if ("msExchRBACPolicy".Equals(value, StringComparison.OrdinalIgnoreCase))
{
roleAssigneeType = RoleAssigneeType.RoleAssignmentPolicy;
break;
}
if ("user".Equals(value, StringComparison.OrdinalIgnoreCase))
{
if (RecipientTypeDetails.MailboxPlan == (RecipientTypeDetails)adrawEntry[ADRecipientSchema.RecipientTypeDetails])
{
roleAssigneeType = RoleAssigneeType.MailboxPlan;
break;
}
roleAssigneeType = RoleAssigneeType.User;
break;
}
}
ConfigWriteScopeType configWriteScopeType = assignment.ConfigWriteScope;
ScopeType scopeType = assignment.ConfigReadScope;
if (configWriteScopeType == ConfigWriteScopeType.None)
{
ExchangeRole exchangeRole = this.configurationSession.Read <ExchangeRole>(assignment.Role);
if (exchangeRole != null)
{
base.LogReadObject(exchangeRole);
ValidationError[] array = exchangeRole.Validate();
if (array.Length > 0)
{
this.WriteWarning(Strings.WarningCannotUpgradeRole(exchangeRole.Identity.ToString(), array[0].Description));
return(false);
}
scopeType = exchangeRole.ImplicitConfigReadScope;
configWriteScopeType = (ConfigWriteScopeType)exchangeRole.ImplicitConfigWriteScope;
}
}
if (assignment.RoleAssigneeType != roleAssigneeType || assignment.ConfigWriteScope != configWriteScopeType || assignment.ConfigReadScope != scopeType)
{
assignment.RoleAssigneeType = roleAssigneeType;
assignment.ConfigReadScope = scopeType;
assignment.ConfigWriteScope = configWriteScopeType;
}
return(true);
}
