protected override void InternalProcessRecord()
{
bool flag = true;
StringBuilder stringBuilder = new StringBuilder();
ADDomain addomain = ADForest.GetLocalForest().FindRootDomain(true);
if (addomain == null)
{
flag = false;
stringBuilder.AppendLine("Failed to read root domain");
}
else
{
IRootOrganizationRecipientSession session = TestDataCenterDKMAccess.CreateAdSession();
foreach (Tuple <string, Dictionary <SecurityIdentifier, ActiveDirectoryRights> > tuple in this.ExpectedAccessRights)
{
flag &= TestDataCenterDKMAccess.VerifyDkmObjectPermissions(session, tuple.Item1, addomain.Id.ToDNString(), tuple.Item2, stringBuilder);
}
}
if (flag)
{
stringBuilder.Append("DKM has correct ACL settings");
}
this.ReportDkmAclStatus(flag, stringBuilder);
}
private static IEnumerable <ADRawEntry> ReadDkmAdObjects(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, StringBuilder detailStatus)
{
string dkmContainerDN = TestDataCenterDKMAccess.CreateDkmContainerDN(dkmContainerName, rootDomain);
ADRawEntry[] dkmObjects = null;
ADOperationResult adoperationResult = ADNotificationAdapter.TryRunADOperation(delegate()
{
dkmObjects = session.Find(new ADObjectId(dkmContainerDN), QueryScope.SubTree, new CustomLdapFilter("(objectClass=contact)"), null, -1, new ADPropertyDefinition[]
{
ADObjectSchema.Name
});
});
if (!adoperationResult.Succeeded)
{
detailStatus.AppendFormat("Failed to read DKM objects under DN {0} with exception {1}", dkmContainerDN, (adoperationResult.Exception == null) ? "N/A" : adoperationResult.Exception.Message);
return(null);
}
if (dkmObjects.Length == 0)
{
detailStatus.AppendFormat("Failed to find any DKM objects under DN {0}. Examine the ACL settings on DKM objects to ensure the Exchange Servers group is allowed.", dkmContainerDN);
return(null);
}
return(dkmObjects);
}
private static bool CheckPermissionsOnDkmObjects(IEnumerable <ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
{
bool result = true;
foreach (ADRawEntry adrawEntry in dkmObjects)
{
RawSecurityDescriptor rawSecurityDescriptor;
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(adrawEntry, session, null, out rawSecurityDescriptor);
if (activeDirectorySecurity == null)
{
result = false;
detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", adrawEntry.Id.DistinguishedName);
}
else
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.AppendLine(string.Format("Object DN: {0}\r\n", adrawEntry.Id.DistinguishedName));
bool flag = false;
Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>();
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
try
{
if (!expectedAccessRights.ContainsKey((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference))
{
int num = AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
if (num != 0)
{
stringBuilder.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), (ActiveDirectoryRights)num);
result = false;
flag = true;
}
}
else
{
dictionary[(SecurityIdentifier)activeDirectoryAccessRule.IdentityReference] = (ActiveDirectoryRights)AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
}
}
catch (Win32Exception ex)
{
stringBuilder.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), ex.Message, ex.ErrorCode);
result = false;
flag = true;
}
}
Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary2 = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair in dictionary)
{
if (dictionary2[keyValuePair.Key] != keyValuePair.Value)
{
stringBuilder.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair.Key.ToString()), dictionary2[keyValuePair.Key], keyValuePair.Value);
result = false;
flag = true;
}
dictionary2.Remove(keyValuePair.Key);
}
if (dictionary2.Count > 0)
{
foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair2 in dictionary2)
{
stringBuilder.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair2.Key.ToString()), keyValuePair2.Value);
result = false;
flag = true;
}
}
if (flag)
{
detailStatus.AppendLine(stringBuilder.ToString());
}
}
}
return(result);
}
private static bool VerifyDkmObjectPermissions(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedRights, StringBuilder detailStatus)
{
IEnumerable <ADRawEntry> enumerable = TestDataCenterDKMAccess.ReadDkmAdObjects(session, dkmContainerName, rootDomain, detailStatus);
return(enumerable != null && TestDataCenterDKMAccess.CheckPermissionsOnDkmObjects(enumerable, session, expectedRights, detailStatus));
}
