Ejemplo n.º 1
0
        internal RoleAssignmentScopeSet GetEffectiveScopeSet(Dictionary <ADObjectId, ManagementScope> scopeCache, ISecurityAccessToken securityAccessToken)
        {
            RbacScope recipientReadScope      = (this.RecipientReadScope == ScopeType.MyGAL) ? new RbacScope(this.RecipientReadScope, securityAccessToken) : new RbacScope(this.RecipientReadScope);
            RbacScope recipientWriteRbacScope = ExchangeRoleAssignment.GetRecipientWriteRbacScope(this.RecipientWriteScope, this.CustomRecipientWriteScope, scopeCache, securityAccessToken, this.IsFromEndUserRole);

            if (recipientWriteRbacScope == null)
            {
                return(null);
            }
            RbacScope            configReadScope  = new RbacScope(this.ConfigReadScope);
            ConfigWriteScopeType configWriteScope = this.ConfigWriteScope;
            RbacScope            configWriteScope2;

            switch (configWriteScope)
            {
            case ConfigWriteScopeType.None:
                break;

            case ConfigWriteScopeType.NotApplicable:
                configWriteScope2 = new RbacScope(ScopeType.NotApplicable);
                goto IL_E0;

            default:
                switch (configWriteScope)
                {
                case ConfigWriteScopeType.OrganizationConfig:
                    goto IL_85;

                case ConfigWriteScopeType.CustomConfigScope:
                case ConfigWriteScopeType.ExclusiveConfigScope:
                {
                    ManagementScope managementScope = scopeCache[this.CustomConfigWriteScope];
                    if (managementScope == null)
                    {
                        return(null);
                    }
                    configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope, managementScope);
                    goto IL_E0;
                }

                case ConfigWriteScopeType.PartnerDelegatedTenantScope:
                    if (scopeCache[this.CustomConfigWriteScope] == null)
                    {
                        return(null);
                    }
                    configWriteScope2 = new RbacScope(ScopeType.OrganizationConfig);
                    goto IL_E0;
                }
                configWriteScope2 = null;
                goto IL_E0;
            }
IL_85:
            configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope);
IL_E0:
            return(new RoleAssignmentScopeSet(recipientReadScope, recipientWriteRbacScope, configReadScope, configWriteScope2));
        }
Ejemplo n.º 2
0
        internal bool IsConfigWriteScopeSmallerOrEqualThan(ExchangeRoleAssignment roleAssignment, IDictionary <ADObjectId, ManagementScope> scopeCache, out LocalizedString notTrueReason)
        {
            if (roleAssignment == null)
            {
                throw new ArgumentNullException("roleAssignment");
            }
            ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId, ADObjectId, int>(10001L, "-->IsConfigReadScopeSmallerOrEqualThan: this = {0}, other = {1} (scopeCache Count = {2})", base.Id, roleAssignment.Id, (scopeCache == null) ? 0 : scopeCache.Count);
            notTrueReason = LocalizedString.Empty;
            if (roleAssignment.ConfigWriteScope == this.ConfigWriteScope && ADObjectId.Equals(roleAssignment.CustomConfigWriteScope, this.CustomConfigWriteScope))
            {
                return(this.IsDelegationLevelSmallerOrEqual(roleAssignment, out notTrueReason, false));
            }
            if (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig)
            {
                ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "the other role assignment has the biggest config scope: ConfigWriteScopeType.OrganizationConfig");
                return(true);
            }
            ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "IsConfigWriteScopeSmallerOrEqualThan: this instance has config write scope '{0}' with link '{1}', other has type '{2}' with link '{3}'.", new object[]
            {
                this.ConfigWriteScope,
                (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(),
                roleAssignment.ConfigWriteScope,
                (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString()
            });
            ConfigWriteScopeType configWriteScope = this.ConfigWriteScope;
            bool flag;

            switch (configWriteScope)
            {
            case ConfigWriteScopeType.None:
                flag = (roleAssignment.ConfigWriteScope != ConfigWriteScopeType.NotApplicable);
                break;

            case ConfigWriteScopeType.NotApplicable:
                flag = true;
                break;

            default:
                switch (configWriteScope)
                {
                case ConfigWriteScopeType.OrganizationConfig:
                    flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig);
                    goto IL_27C;

                case ConfigWriteScopeType.CustomConfigScope:
                case ConfigWriteScopeType.ExclusiveConfigScope:
                    if (roleAssignment.ConfigWriteScope != this.ConfigWriteScope)
                    {
                        flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig);
                        goto IL_27C;
                    }
                    if (scopeCache != null && this.CustomConfigWriteScope != null && roleAssignment.CustomConfigWriteScope != null && scopeCache.ContainsKey(this.CustomConfigWriteScope) && scopeCache.ContainsKey(roleAssignment.CustomConfigWriteScope) && scopeCache[this.CustomConfigWriteScope] != null && scopeCache[roleAssignment.CustomConfigWriteScope] != null)
                    {
                        flag = scopeCache[this.CustomConfigWriteScope].IsScopeSmallerOrEqualThan(scopeCache[roleAssignment.CustomConfigWriteScope], out notTrueReason);
                        goto IL_27C;
                    }
                    ExTraceGlobals.AccessCheckTracer.TraceError <string, string>(10000L, "IsConfigWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' or '{1}' within the scope cache or either of their values are $null.", (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(), (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString());
                    notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString());
                    flag          = false;
                    goto IL_27C;

                case ConfigWriteScopeType.PartnerDelegatedTenantScope:
                    flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig || roleAssignment.ConfigWriteScope == ConfigWriteScopeType.CustomConfigScope);
                    goto IL_27C;
                }
                flag = false;
                break;
            }
IL_27C:
            if (!flag && LocalizedString.Empty == notTrueReason)
            {
                notTrueReason = DirectoryStrings.ConfigScopeNotLessThan(this.ConfigWriteScope.ToString(), roleAssignment.ConfigWriteScope.ToString());
            }
            ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10001L, "<--IsConfigWriteScopeSmallerOrEqualThan: returns {0}", flag);
            return(flag);
        }
        private bool TryUpdateRoleAssigneeTypeAndScope(ExchangeRoleAssignment assignment)
        {
            RoleAssigneeType roleAssigneeType = RoleAssigneeType.User;
            ADRawEntry       adrawEntry       = this.recipientSession.ReadADRawEntry(assignment.User, InstallCannedRbacRoleAssignments.principalProperties);

            if (adrawEntry == null)
            {
                adrawEntry = this.configurationSession.ReadADRawEntry(assignment.User, InstallCannedRbacRoleAssignments.principalProperties);
                if (adrawEntry == null)
                {
                    return(false);
                }
            }
            MultiValuedProperty <string> multiValuedProperty = (MultiValuedProperty <string>)adrawEntry[ADObjectSchema.ObjectClass];

            foreach (string value in multiValuedProperty)
            {
                if ("group".Equals(value, StringComparison.OrdinalIgnoreCase))
                {
                    roleAssigneeType = RoleAssigneeType.SecurityGroup;
                    break;
                }
                if ("msExchRBACPolicy".Equals(value, StringComparison.OrdinalIgnoreCase))
                {
                    roleAssigneeType = RoleAssigneeType.RoleAssignmentPolicy;
                    break;
                }
                if ("user".Equals(value, StringComparison.OrdinalIgnoreCase))
                {
                    if (RecipientTypeDetails.MailboxPlan == (RecipientTypeDetails)adrawEntry[ADRecipientSchema.RecipientTypeDetails])
                    {
                        roleAssigneeType = RoleAssigneeType.MailboxPlan;
                        break;
                    }
                    roleAssigneeType = RoleAssigneeType.User;
                    break;
                }
            }
            ConfigWriteScopeType configWriteScopeType = assignment.ConfigWriteScope;
            ScopeType            scopeType            = assignment.ConfigReadScope;

            if (configWriteScopeType == ConfigWriteScopeType.None)
            {
                ExchangeRole exchangeRole = this.configurationSession.Read <ExchangeRole>(assignment.Role);
                if (exchangeRole != null)
                {
                    base.LogReadObject(exchangeRole);
                    ValidationError[] array = exchangeRole.Validate();
                    if (array.Length > 0)
                    {
                        this.WriteWarning(Strings.WarningCannotUpgradeRole(exchangeRole.Identity.ToString(), array[0].Description));
                        return(false);
                    }
                    scopeType            = exchangeRole.ImplicitConfigReadScope;
                    configWriteScopeType = (ConfigWriteScopeType)exchangeRole.ImplicitConfigWriteScope;
                }
            }
            if (assignment.RoleAssigneeType != roleAssigneeType || assignment.ConfigWriteScope != configWriteScopeType || assignment.ConfigReadScope != scopeType)
            {
                assignment.RoleAssigneeType = roleAssigneeType;
                assignment.ConfigReadScope  = scopeType;
                assignment.ConfigWriteScope = configWriteScopeType;
            }
            return(true);
        }