private void RetrieveAllScopes(ScopeRestrictionType scopeType, ADRawEntry givenObject, out Dictionary <ADObjectId, ADScope> customScopes, out Dictionary <ADObjectId, ADScope> exclusiveScopes)
{
customScopes = new Dictionary <ADObjectId, ADScope>();
exclusiveScopes = new Dictionary <ADObjectId, ADScope>();
ScopeType scopeType2 = ScopeType.ExclusiveConfigScope;
ScopeType scopeType3 = ScopeType.CustomConfigScope;
if (scopeType == ScopeRestrictionType.RecipientScope)
{
scopeType2 = ScopeType.ExclusiveRecipientScope;
scopeType3 = ScopeType.CustomRecipientScope;
}
ADPagedReader <ManagementScope> allScopes = this.configSession.GetAllScopes(this.orgId, scopeType);
foreach (ManagementScope managementScope in allScopes)
{
if (managementScope.ScopeRestrictionType == scopeType)
{
ExchangeRunspaceConfiguration.TryStampQueryFilterOnManagementScope(managementScope);
if (managementScope.Exclusive)
{
RbacScope rbacScope = new RbacScope(scopeType2, managementScope);
rbacScope.PopulateRootAndFilter(this.orgId, givenObject);
exclusiveScopes.Add(managementScope.OriginalId, rbacScope);
}
RbacScope rbacScope2 = new RbacScope(scopeType3, managementScope);
rbacScope2.PopulateRootAndFilter(this.orgId, givenObject);
customScopes.Add(managementScope.OriginalId, rbacScope2);
}
}
}
internal RoleAssignmentScopeSet GetEffectiveScopeSet(Dictionary <ADObjectId, ManagementScope> scopeCache, ISecurityAccessToken securityAccessToken)
{
RbacScope recipientReadScope = (this.RecipientReadScope == ScopeType.MyGAL) ? new RbacScope(this.RecipientReadScope, securityAccessToken) : new RbacScope(this.RecipientReadScope);
RbacScope recipientWriteRbacScope = ExchangeRoleAssignment.GetRecipientWriteRbacScope(this.RecipientWriteScope, this.CustomRecipientWriteScope, scopeCache, securityAccessToken, this.IsFromEndUserRole);
if (recipientWriteRbacScope == null)
{
return(null);
}
RbacScope configReadScope = new RbacScope(this.ConfigReadScope);
ConfigWriteScopeType configWriteScope = this.ConfigWriteScope;
RbacScope configWriteScope2;
switch (configWriteScope)
{
case ConfigWriteScopeType.None:
break;
case ConfigWriteScopeType.NotApplicable:
configWriteScope2 = new RbacScope(ScopeType.NotApplicable);
goto IL_E0;
default:
switch (configWriteScope)
{
case ConfigWriteScopeType.OrganizationConfig:
goto IL_85;
case ConfigWriteScopeType.CustomConfigScope:
case ConfigWriteScopeType.ExclusiveConfigScope:
{
ManagementScope managementScope = scopeCache[this.CustomConfigWriteScope];
if (managementScope == null)
{
return(null);
}
configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope, managementScope);
goto IL_E0;
}
case ConfigWriteScopeType.PartnerDelegatedTenantScope:
if (scopeCache[this.CustomConfigWriteScope] == null)
{
return(null);
}
configWriteScope2 = new RbacScope(ScopeType.OrganizationConfig);
goto IL_E0;
}
configWriteScope2 = null;
goto IL_E0;
}
IL_85:
configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope);
IL_E0:
return(new RoleAssignmentScopeSet(recipientReadScope, recipientWriteRbacScope, configReadScope, configWriteScope2));
}
internal bool AllPresentScopesMatch(ScopeSet rbacScopeSet)
{
if (rbacScopeSet.RecipientReadScope is RbacScope)
{
RbacScope rbacScope = rbacScopeSet.RecipientReadScope as RbacScope;
if (!rbacScope.IsScopeTypeSmallerOrEqualThan(this.RecipientReadScope))
{
return(false);
}
}
else if (!rbacScopeSet.RecipientReadScope.IsEmpty)
{
throw new ArgumentException("rbacScopeSet");
}
if (rbacScopeSet.ConfigReadScope is RbacScope)
{
RbacScope rbacScope2 = rbacScopeSet.ConfigReadScope as RbacScope;
if (!rbacScope2.IsScopeTypeSmallerOrEqualThan(this.ConfigReadScope))
{
return(false);
}
}
else if (!rbacScopeSet.ConfigReadScope.IsEmpty)
{
throw new ArgumentException("rbacScopeSet");
}
if (rbacScopeSet.RecipientWriteScopes != null && rbacScopeSet.RecipientWriteScopes.Count != 0 && rbacScopeSet.RecipientWriteScopes[0].Count != 0)
{
bool flag = false;
foreach (ADScope adscope in rbacScopeSet.RecipientWriteScopes[0])
{
RbacScope rbacScope3 = adscope as RbacScope;
if (rbacScope3 == null)
{
throw new ArgumentException("rbacScopeSet");
}
ScopeType recipientWriteScope = (ScopeType)this.RecipientWriteScope;
if (rbacScope3.IsScopeTypeSmallerOrEqualThan(recipientWriteScope))
{
flag = true;
break;
}
}
if (!flag)
{
return(false);
}
}
return(true);
}
internal static bool IsRunningUnderMyOptionsRole(Task task, IRecipientSession recipientSession, ADSessionSettings settings)
{
if (task.ExchangeRunspaceConfig == null)
{
return(false);
}
ADObjectId entryId;
if (!task.ExchangeRunspaceConfig.TryGetExecutingUserId(out entryId))
{
return(false);
}
RbacScope rbacScope = new RbacScope(ScopeType.Self);
ADUser aduser = (ADUser)recipientSession.Read(entryId);
if (aduser == null)
{
return(false);
}
rbacScope.PopulateRootAndFilter(task.ExecutingUserOrganizationId, aduser);
return(settings.RecipientReadScope.Equals(rbacScope));
}
internal static RbacScope GetRecipientWriteRbacScope(RecipientWriteScopeType recipientWriteScope, ADObjectId customRecipientWriteScope, Dictionary <ADObjectId, ManagementScope> scopeCache, ISecurityAccessToken securityAccessToken, bool isEndUserRole)
{
RbacScope result = null;
switch (recipientWriteScope)
{
case RecipientWriteScopeType.None:
case RecipientWriteScopeType.Organization:
case RecipientWriteScopeType.Self:
case RecipientWriteScopeType.MyDirectReports:
case RecipientWriteScopeType.MyDistributionGroups:
case RecipientWriteScopeType.MyExecutive:
return(new RbacScope((ScopeType)recipientWriteScope, isEndUserRole));
case RecipientWriteScopeType.NotApplicable:
return(new RbacScope(ScopeType.NotApplicable, isEndUserRole));
case RecipientWriteScopeType.MyGAL:
case RecipientWriteScopeType.MailboxICanDelegate:
return(new RbacScope((ScopeType)recipientWriteScope, securityAccessToken, isEndUserRole));
case RecipientWriteScopeType.OU:
return(new RbacScope(ScopeType.OU, customRecipientWriteScope, isEndUserRole));
case RecipientWriteScopeType.CustomRecipientScope:
case RecipientWriteScopeType.ExclusiveRecipientScope:
{
ManagementScope managementScope = scopeCache[customRecipientWriteScope];
if (managementScope != null)
{
return(new RbacScope((ScopeType)recipientWriteScope, managementScope, isEndUserRole));
}
return(result);
}
}
result = null;
return(result);
}
protected override void ValidateRead(List <ValidationError> errors)
{
base.ValidateRead(errors);
ADObjectId adobjectId = (null != base.OrganizationId) ? base.OrganizationId.ConfigurationUnit : null;
if (this.User == null)
{
errors.Add(new PropertyValidationError(DirectoryStrings.UserIsMandatoryInRoleAssignment(this.Identity.ToString()), ExchangeRoleAssignmentSchema.User, null));
}
else if (adobjectId != null && this.User.IsDescendantOf(adobjectId) && this.RoleAssigneeType != RoleAssigneeType.RoleAssignmentPolicy)
{
errors.Add(new PropertyValidationError(DirectoryStrings.WrongAssigneeTypeForPolicyOrPartnerApplication(this.Identity.ToString()), ExchangeRoleAssignmentSchema.User, null));
}
if (this.RoleAssigneeType == RoleAssigneeType.RoleAssignmentPolicy && this.RoleAssignmentDelegationType != RoleAssignmentDelegationType.Regular)
{
errors.Add(new PropertyValidationError(DirectoryStrings.WrongDelegationTypeForPolicy(this.Identity.ToString()), ExchangeRoleAssignmentSchema.User, null));
}
if (this.Role == null)
{
errors.Add(new PropertyValidationError(DirectoryStrings.RoleIsMandatoryInRoleAssignment(this.Identity.ToString()), ExchangeRoleAssignmentSchema.Role, null));
}
ScopeType recipientWriteScope = (ScopeType)this.RecipientWriteScope;
if (this.RecipientReadScope != recipientWriteScope && !RbacScope.IsScopeTypeSmaller(recipientWriteScope, this.RecipientReadScope))
{
errors.Add(new ObjectValidationError(DirectoryStrings.RecipientWriteScopeNotLessThan(recipientWriteScope.ToString(), this.RecipientReadScope.ToString()), this.Identity, base.OriginatingServer));
}
ScopeType configWriteScope = (ScopeType)this.ConfigWriteScope;
if (this.ConfigReadScope != configWriteScope && !RbacScope.IsScopeTypeSmaller(configWriteScope, this.ConfigReadScope))
{
errors.Add(new ObjectValidationError(DirectoryStrings.ConfigScopeNotLessThan(configWriteScope.ToString(), this.ConfigReadScope.ToString()), this.Identity, base.OriginatingServer));
}
bool flag = this.CustomRecipientWriteScope == null || (string.IsNullOrEmpty(this.CustomRecipientWriteScope.DistinguishedName) && this.CustomRecipientWriteScope.ObjectGuid == Guid.Empty);
RecipientWriteScopeType recipientWriteScope2 = this.RecipientWriteScope;
switch (recipientWriteScope2)
{
case RecipientWriteScopeType.OU:
case RecipientWriteScopeType.CustomRecipientScope:
break;
default:
if (recipientWriteScope2 != RecipientWriteScopeType.ExclusiveRecipientScope)
{
if (!flag)
{
errors.Add(new ObjectValidationError(DirectoryStrings.CustomRecipientWriteScopeMustBeEmpty(this.RecipientWriteScope), this.Identity, base.OriginatingServer));
goto IL_25C;
}
goto IL_25C;
}
break;
}
if (flag)
{
errors.Add(new ObjectValidationError(DirectoryStrings.CustomRecipientWriteScopeCannotBeEmpty(this.RecipientWriteScope), this.Identity, base.OriginatingServer));
}
if (this.RoleAssignmentDelegationType == RoleAssignmentDelegationType.DelegatingOrgWide)
{
errors.Add(new ObjectValidationError(DirectoryStrings.OrgWideDelegatingWriteScopeMustBeTheSameAsRoleImplicitWriteScope(this.RecipientWriteScope), this.Identity, base.OriginatingServer));
}
IL_25C:
bool flag2 = this.CustomConfigWriteScope == null || (string.IsNullOrEmpty(this.CustomConfigWriteScope.DistinguishedName) && this.CustomConfigWriteScope.ObjectGuid == Guid.Empty);
switch (this.ConfigWriteScope)
{
case ConfigWriteScopeType.CustomConfigScope:
case ConfigWriteScopeType.PartnerDelegatedTenantScope:
case ConfigWriteScopeType.ExclusiveConfigScope:
if (flag2)
{
errors.Add(new ObjectValidationError(DirectoryStrings.ConfigScopeCannotBeEmpty(this.ConfigWriteScope), this.Identity, base.OriginatingServer));
}
if (this.RoleAssignmentDelegationType == RoleAssignmentDelegationType.DelegatingOrgWide)
{
errors.Add(new ObjectValidationError(DirectoryStrings.OrgWideDelegatingConfigScopeMustBeTheSameAsRoleImplicitWriteScope(this.ConfigWriteScope), this.Identity, base.OriginatingServer));
return;
}
return;
}
if (!flag2)
{
errors.Add(new ObjectValidationError(DirectoryStrings.ConfigScopeMustBeEmpty(this.ConfigWriteScope), this.Identity, base.OriginatingServer));
}
}
private List <ExchangeRoleAssignment> GetEffectiveRoleAssignmentsForRecipient(ADRawEntry recipientObject, IEnumerable <ExchangeRoleAssignment> roleAssignments, Dictionary <ADObjectId, ADScope> customConfigScopes, Dictionary <ADObjectId, ADScope> exclusiveConfigScopes, bool onlyExclusive)
{
List <ExchangeRoleAssignment> list = new List <ExchangeRoleAssignment>();
if (onlyExclusive)
{
return(this.GetExclusiveEffectiveRoleAssignmentsForRecipient(recipientObject, roleAssignments, exclusiveConfigScopes));
}
ADObjectId[] array = null;
foreach (ExchangeRoleAssignment exchangeRoleAssignment in roleAssignments)
{
if (this.IsValid(exchangeRoleAssignment))
{
switch (exchangeRoleAssignment.RecipientWriteScope)
{
case RecipientWriteScopeType.Organization:
list.Add(exchangeRoleAssignment);
break;
case RecipientWriteScopeType.Self:
if (array == null)
{
List <string> tokenSids = this.recipientSession.GetTokenSids(recipientObject, AssignmentMethod.All);
if (tokenSids == null || tokenSids.Count < 1)
{
ExTraceGlobals.ADConfigTracer.TraceError(0L, "ManagementReporting: GetEffectedRoleAssignmentForRecipient(), Token Sid is emptry, there should be at least one entry");
break;
}
array = this.recipientSession.ResolveSidsToADObjectIds(tokenSids.ToArray());
if (this.sharedConfig != null)
{
array = this.sharedConfig.GetSharedRoleGroupIds(array);
}
}
foreach (ADObjectId adobjectId in array)
{
if (adobjectId.Equals(exchangeRoleAssignment.User))
{
list.Add(exchangeRoleAssignment);
break;
}
}
break;
case RecipientWriteScopeType.OU:
{
RbacScope rbacScope = new RbacScope(ScopeType.OU, exchangeRoleAssignment.CustomRecipientWriteScope, exchangeRoleAssignment.IsFromEndUserRole);
ADRecipient adrecipient = this.recipientSession.Read(exchangeRoleAssignment.User);
if (adrecipient == null)
{
ExTraceGlobals.ADConfigTracer.TraceError(0L, "ManagementReporting: GetEffectedRoleAssignmentForRecipient(), roleAssignment.User does not have a corresponding entry in AD");
}
else
{
rbacScope.PopulateRootAndFilter(this.orgId, adrecipient);
if (ManagementReporting.VerifyIsWithinScopes(recipientObject, null, rbacScope, new RbacScope(exchangeRoleAssignment.RecipientReadScope)))
{
list.Add(exchangeRoleAssignment);
}
}
break;
}
case RecipientWriteScopeType.CustomRecipientScope:
if (customConfigScopes.ContainsKey(exchangeRoleAssignment.CustomRecipientWriteScope))
{
if (ManagementReporting.VerifyIsWithinScopes(recipientObject, null, customConfigScopes[exchangeRoleAssignment.CustomRecipientWriteScope], new RbacScope(exchangeRoleAssignment.RecipientReadScope)))
{
list.Add(exchangeRoleAssignment);
}
}
else
{
ExTraceGlobals.ADConfigTracer.TraceError <ADObjectId>(0L, "Custom Recipient Scope '{0}' was not found.", exchangeRoleAssignment.CustomRecipientWriteScope);
}
break;
}
}
}
return(list);
}
protected override void InternalProcessRecord()
{
TaskLogger.LogEnter();
if (!this.Force && SharedConfiguration.IsSharedConfiguration(this.DataObject.OrganizationId) && !base.ShouldContinue(Strings.ConfirmSharedConfiguration(this.DataObject.OrganizationId.OrganizationalUnit.Name)))
{
TaskLogger.LogExit();
return;
}
if (base.Fields.IsModified(RbacCommonParameters.ParameterEnabled))
{
this.DataObject.Enabled = this.Enabled;
}
ExchangeRole exchangeRole = (ExchangeRole)base.GetDataObject <ExchangeRole>(new RoleIdParameter(this.DataObject.Role), this.ConfigurationSession, null, new LocalizedString?(Strings.ErrorRoleNotFound(this.DataObject.Role.ToString())), new LocalizedString?(Strings.ErrorRoleNotUnique(this.DataObject.Role.ToString())));
if (base.Fields.IsModified(RbacCommonParameters.ParameterRecipientRelativeWriteScope))
{
this.DataObject.RecipientWriteScope = this.RecipientRelativeWriteScope;
this.DataObject.CustomRecipientWriteScope = null;
}
else
{
if (base.Fields.IsModified(RbacCommonParameters.ParameterRecipientOrganizationalUnitScope))
{
this.DataObject.RecipientWriteScope = RecipientWriteScopeType.OU;
bool useConfigNC = this.ConfigurationSession.UseConfigNC;
bool useGlobalCatalog = this.ConfigurationSession.UseGlobalCatalog;
try
{
this.ConfigurationSession.UseConfigNC = false;
this.ConfigurationSession.UseGlobalCatalog = true;
ExchangeOrganizationalUnit exchangeOrganizationalUnit = (ExchangeOrganizationalUnit)base.GetDataObject <ExchangeOrganizationalUnit>(this.RecipientOrganizationalUnitScope, this.ConfigurationSession, this.DataObject.OrganizationalUnitRoot, new LocalizedString?(Strings.ErrorOrganizationalUnitNotFound(this.RecipientOrganizationalUnitScope.ToString())), new LocalizedString?(Strings.ErrorOrganizationalUnitNotUnique(this.RecipientOrganizationalUnitScope.ToString())));
this.DataObject.CustomRecipientWriteScope = exchangeOrganizationalUnit.Id;
goto IL_321;
}
finally
{
this.ConfigurationSession.UseConfigNC = useConfigNC;
this.ConfigurationSession.UseGlobalCatalog = useGlobalCatalog;
}
}
if (base.Fields.IsModified(RbacCommonParameters.ParameterCustomRecipientWriteScope))
{
if (this.CustomRecipientWriteScope == null)
{
this.DataObject.CustomRecipientWriteScope = null;
this.DataObject.RecipientWriteScope = (RecipientWriteScopeType)exchangeRole.ImplicitRecipientWriteScope;
}
else
{
ManagementScope andValidateDomainScope = RoleHelper.GetAndValidateDomainScope(this.CustomRecipientWriteScope, this.ConfigurationSession, new DataAccessHelper.GetDataObjectDelegate(base.GetDataObject <ManagementScope>), this.DataObject, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (andValidateDomainScope.Exclusive)
{
base.WriteError(new ArgumentException(Strings.ErrorScopeExclusive(andValidateDomainScope.Id.ToString(), RbacCommonParameters.ParameterCustomRecipientWriteScope)), ErrorCategory.InvalidArgument, null);
}
this.DataObject.CustomRecipientWriteScope = andValidateDomainScope.Id;
this.DataObject.RecipientWriteScope = RecipientWriteScopeType.CustomRecipientScope;
}
}
else if (base.Fields.IsModified("ExclusiveRecipientWriteScope"))
{
ManagementScope andValidateDomainScope2 = RoleHelper.GetAndValidateDomainScope(this.ExclusiveRecipientWriteScope, this.ConfigurationSession, new DataAccessHelper.GetDataObjectDelegate(base.GetDataObject <ManagementScope>), this.DataObject, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (!andValidateDomainScope2.Exclusive)
{
base.WriteError(new ArgumentException(Strings.ErrorScopeNotExclusive(andValidateDomainScope2.Id.ToString(), "ExclusiveRecipientWriteScope")), ErrorCategory.InvalidArgument, null);
}
this.DataObject.CustomRecipientWriteScope = andValidateDomainScope2.Id;
this.DataObject.RecipientWriteScope = RecipientWriteScopeType.ExclusiveRecipientScope;
}
}
IL_321:
RoleHelper.VerifyNoScopeForUnScopedRole(base.Fields, exchangeRole, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (exchangeRole.ImplicitRecipientWriteScope != (ScopeType)this.DataObject.RecipientWriteScope && !RbacScope.IsScopeTypeSmaller((ScopeType)this.DataObject.RecipientWriteScope, exchangeRole.ImplicitRecipientWriteScope))
{
this.WriteWarning(Strings.WriteScopeGreaterThanRoleScope(this.DataObject.RecipientWriteScope.ToString(), exchangeRole.Name, exchangeRole.ImplicitRecipientWriteScope.ToString()));
this.DataObject.CustomRecipientWriteScope = null;
this.DataObject.RecipientWriteScope = (RecipientWriteScopeType)exchangeRole.ImplicitRecipientWriteScope;
}
if (base.Fields.IsModified(RbacCommonParameters.ParameterCustomConfigWriteScope))
{
if (this.CustomConfigWriteScope == null)
{
this.DataObject.ConfigWriteScope = (ConfigWriteScopeType)exchangeRole.ImplicitConfigWriteScope;
this.DataObject.CustomConfigWriteScope = null;
}
else
{
this.DataObject.ConfigWriteScope = ConfigWriteScopeType.CustomConfigScope;
ManagementScope andValidateConfigScope = RoleHelper.GetAndValidateConfigScope(this.CustomConfigWriteScope, this.ConfigurationSession, new DataAccessHelper.GetDataObjectDelegate(base.GetDataObject <ManagementScope>), this.DataObject, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (andValidateConfigScope.Exclusive)
{
base.WriteError(new ArgumentException(Strings.ErrorScopeExclusive(andValidateConfigScope.Id.ToString(), RbacCommonParameters.ParameterCustomConfigWriteScope)), ErrorCategory.InvalidArgument, null);
}
this.DataObject.CustomConfigWriteScope = andValidateConfigScope.Id;
this.DataObject.ConfigWriteScope = ((andValidateConfigScope.ScopeRestrictionType == ScopeRestrictionType.PartnerDelegatedTenantScope) ? ConfigWriteScopeType.PartnerDelegatedTenantScope : ConfigWriteScopeType.CustomConfigScope);
}
}
else if (base.Fields.IsModified("ExclusiveConfigWriteScope"))
{
ManagementScope andValidateConfigScope2 = RoleHelper.GetAndValidateConfigScope(this.ExclusiveConfigWriteScope, this.ConfigurationSession, new DataAccessHelper.GetDataObjectDelegate(base.GetDataObject <ManagementScope>), this.DataObject, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (!andValidateConfigScope2.Exclusive)
{
base.WriteError(new ArgumentException(Strings.ErrorScopeNotExclusive(andValidateConfigScope2.Id.ToString(), "ExclusiveConfigWriteScope")), ErrorCategory.InvalidArgument, null);
}
this.DataObject.CustomConfigWriteScope = andValidateConfigScope2.Id;
this.DataObject.ConfigWriteScope = ConfigWriteScopeType.ExclusiveConfigScope;
}
if (exchangeRole.ImplicitConfigWriteScope != (ScopeType)this.DataObject.ConfigWriteScope && !RbacScope.IsScopeTypeSmaller((ScopeType)this.DataObject.ConfigWriteScope, exchangeRole.ImplicitConfigWriteScope))
{
this.WriteWarning(Strings.WriteScopeGreaterThanRoleScope(this.DataObject.CustomConfigWriteScope.ToString(), exchangeRole.Name, exchangeRole.ImplicitConfigWriteScope.ToString()));
this.DataObject.CustomConfigWriteScope = null;
this.DataObject.ConfigWriteScope = (ConfigWriteScopeType)exchangeRole.ImplicitConfigWriteScope;
}
RoleHelper.HierarchyRoleAssignmentChecking(this.DataObject, base.ExchangeRunspaceConfig, this.ConfigurationSession, base.ExecutingUserOrganizationId, new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskErrorLoggingDelegate(base.WriteError), new Task.TaskWarningLoggingDelegate(this.WriteWarning), !this.Enabled);
base.InternalProcessRecord();
TaskLogger.LogExit();
}
