Example #1
0
        protected override void WriteResult(IConfigurable dataObject)
        {
            TaskLogger.LogEnter();
            base.HasObjectMatchingIdentity = true;
            ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, (IConfigurationSession)base.DataSession, new Task.TaskErrorLoggingDelegate(base.WriteError));

            if (!base.Owner.IsPresent)
            {
                AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
                int num = 0;
                while (accessRules.Count > num)
                {
                    ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num];
                    if (base.SecurityPrincipal == null || (base.SecurityPrincipal != null && base.SecurityPrincipal == activeDirectoryAccessRule.IdentityReference))
                    {
                        ADAcePresentationObject adacePresentationObject = new ADAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id);
                        adacePresentationObject.ResetChangeTracking(true);
                        base.WriteResult(adacePresentationObject);
                    }
                    num++;
                }
            }
            else
            {
                IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount));
                base.WriteResult(new OwnerPresentationObject(((ADRawEntry)dataObject).Id, owner.ToString()));
            }
            TaskLogger.LogExit();
        }
Example #2
0
        protected override void WriteResult(IConfigurable dataObject)
        {
            TaskLogger.LogEnter();
            IDirectorySession directorySession = (IDirectorySession)base.DataSession;

            if (TaskHelper.ShouldUnderscopeDataSessionToOrganization(directorySession, (ADObject)dataObject))
            {
                directorySession = TaskHelper.UnderscopeSessionToOrganization(directorySession, ((ADObject)dataObject).OrganizationId, true);
            }
            ActiveDirectorySecurity     activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, directorySession, new Task.TaskErrorLoggingDelegate(base.WriteError));
            AuthorizationRuleCollection accessRules             = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));

            foreach (object obj in accessRules)
            {
                ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
                if (this.Trustee == null || this.trusteeSid == activeDirectoryAccessRule.IdentityReference)
                {
                    RecipientAccessRight?recipientAccessRight = this.FilterByRecipientAccessRights(activeDirectoryAccessRule, this.AccessRights);
                    if (recipientAccessRight != null)
                    {
                        string text = string.Empty;
                        if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null)
                        {
                            try
                            {
                                SecurityIdentifier sId         = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference;
                                ADRecipient        adrecipient = base.TenantGlobalCatalogSession.FindBySid(sId);
                                if (adrecipient != null)
                                {
                                    text = ((!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name);
                                }
                            }
                            catch
                            {
                            }
                        }
                        if (string.IsNullOrEmpty(text))
                        {
                            text = RecipientPermissionTaskHelper.GetFriendlyNameOfSecurityIdentifier((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, base.TenantGlobalCatalogSession, new Task.TaskErrorLoggingDelegate(base.WriteError), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose));
                        }
                        RecipientPermission dataObject2 = new RecipientPermission(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id, text, recipientAccessRight.Value);
                        base.WriteResult(dataObject2);
                    }
                }
            }
            TaskLogger.LogExit();
        }
 protected override void InternalProcessRecord()
 {
     TaskLogger.LogEnter();
     if (base.IsInherited)
     {
         return;
     }
     if ("Owner" == base.ParameterSetName)
     {
         IConfigurationSession   writableSession         = base.GetWritableSession(this.DataObject.Id);
         ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(this.DataObject, writableSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
         SecurityIdentifier      sid = this.owner;
         activeDirectorySecurity.SetOwner(sid);
         RawSecurityDescriptor sd = new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0);
         writableSession.SaveSecurityDescriptor(this.DataObject.Id, sd, true);
         string friendlyUserName = SecurityPrincipalIdParameter.GetFriendlyUserName(sid, new Task.TaskVerboseLoggingDelegate(base.WriteVerbose));
         base.WriteObject(new OwnerPresentationObject(this.DataObject.Id, friendlyUserName));
     }
     else
     {
         base.InternalProcessRecord();
     }
     TaskLogger.LogExit();
 }
Example #4
0
        private static bool CheckPermissionsOnDkmObjects(IEnumerable <ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary <SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
        {
            bool result = true;

            foreach (ADRawEntry adrawEntry in dkmObjects)
            {
                RawSecurityDescriptor   rawSecurityDescriptor;
                ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(adrawEntry, session, null, out rawSecurityDescriptor);
                if (activeDirectorySecurity == null)
                {
                    result = false;
                    detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", adrawEntry.Id.DistinguishedName);
                }
                else
                {
                    AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
                    StringBuilder stringBuilder             = new StringBuilder();
                    stringBuilder.AppendLine(string.Format("Object DN: {0}\r\n", adrawEntry.Id.DistinguishedName));
                    bool flag = false;
                    Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>();
                    foreach (object obj in accessRules)
                    {
                        ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
                        try
                        {
                            if (!expectedAccessRights.ContainsKey((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference))
                            {
                                int num = AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
                                if (num != 0)
                                {
                                    stringBuilder.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), (ActiveDirectoryRights)num);
                                    result = false;
                                    flag   = true;
                                }
                            }
                            else
                            {
                                dictionary[(SecurityIdentifier)activeDirectoryAccessRule.IdentityReference] = (ActiveDirectoryRights)AuthzAuthorization.CheckGenericPermission((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, rawSecurityDescriptor, AccessMask.MaximumAllowed);
                            }
                        }
                        catch (Win32Exception ex)
                        {
                            stringBuilder.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(activeDirectoryAccessRule.IdentityReference.ToString()), ex.Message, ex.ErrorCode);
                            result = false;
                            flag   = true;
                        }
                    }
                    Dictionary <SecurityIdentifier, ActiveDirectoryRights> dictionary2 = new Dictionary <SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
                    foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair in dictionary)
                    {
                        if (dictionary2[keyValuePair.Key] != keyValuePair.Value)
                        {
                            stringBuilder.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair.Key.ToString()), dictionary2[keyValuePair.Key], keyValuePair.Value);
                            result = false;
                            flag   = true;
                        }
                        dictionary2.Remove(keyValuePair.Key);
                    }
                    if (dictionary2.Count > 0)
                    {
                        foreach (KeyValuePair <SecurityIdentifier, ActiveDirectoryRights> keyValuePair2 in dictionary2)
                        {
                            stringBuilder.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(keyValuePair2.Key.ToString()), keyValuePair2.Value);
                            result = false;
                            flag   = true;
                        }
                    }
                    if (flag)
                    {
                        detailStatus.AppendLine(stringBuilder.ToString());
                    }
                }
            }
            return(result);
        }