internal RoleAssignmentScopeSet GetEffectiveScopeSet(Dictionary <ADObjectId, ManagementScope> scopeCache, ISecurityAccessToken securityAccessToken) { RbacScope recipientReadScope = (this.RecipientReadScope == ScopeType.MyGAL) ? new RbacScope(this.RecipientReadScope, securityAccessToken) : new RbacScope(this.RecipientReadScope); RbacScope recipientWriteRbacScope = ExchangeRoleAssignment.GetRecipientWriteRbacScope(this.RecipientWriteScope, this.CustomRecipientWriteScope, scopeCache, securityAccessToken, this.IsFromEndUserRole); if (recipientWriteRbacScope == null) { return(null); } RbacScope configReadScope = new RbacScope(this.ConfigReadScope); ConfigWriteScopeType configWriteScope = this.ConfigWriteScope; RbacScope configWriteScope2; switch (configWriteScope) { case ConfigWriteScopeType.None: break; case ConfigWriteScopeType.NotApplicable: configWriteScope2 = new RbacScope(ScopeType.NotApplicable); goto IL_E0; default: switch (configWriteScope) { case ConfigWriteScopeType.OrganizationConfig: goto IL_85; case ConfigWriteScopeType.CustomConfigScope: case ConfigWriteScopeType.ExclusiveConfigScope: { ManagementScope managementScope = scopeCache[this.CustomConfigWriteScope]; if (managementScope == null) { return(null); } configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope, managementScope); goto IL_E0; } case ConfigWriteScopeType.PartnerDelegatedTenantScope: if (scopeCache[this.CustomConfigWriteScope] == null) { return(null); } configWriteScope2 = new RbacScope(ScopeType.OrganizationConfig); goto IL_E0; } configWriteScope2 = null; goto IL_E0; } IL_85: configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope); IL_E0: return(new RoleAssignmentScopeSet(recipientReadScope, recipientWriteRbacScope, configReadScope, configWriteScope2)); }
internal bool IsConfigWriteScopeSmallerOrEqualThan(ExchangeRoleAssignment roleAssignment, IDictionary <ADObjectId, ManagementScope> scopeCache, out LocalizedString notTrueReason) { if (roleAssignment == null) { throw new ArgumentNullException("roleAssignment"); } ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId, ADObjectId, int>(10001L, "-->IsConfigReadScopeSmallerOrEqualThan: this = {0}, other = {1} (scopeCache Count = {2})", base.Id, roleAssignment.Id, (scopeCache == null) ? 0 : scopeCache.Count); notTrueReason = LocalizedString.Empty; if (roleAssignment.ConfigWriteScope == this.ConfigWriteScope && ADObjectId.Equals(roleAssignment.CustomConfigWriteScope, this.CustomConfigWriteScope)) { return(this.IsDelegationLevelSmallerOrEqual(roleAssignment, out notTrueReason, false)); } if (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig) { ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "the other role assignment has the biggest config scope: ConfigWriteScopeType.OrganizationConfig"); return(true); } ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "IsConfigWriteScopeSmallerOrEqualThan: this instance has config write scope '{0}' with link '{1}', other has type '{2}' with link '{3}'.", new object[] { this.ConfigWriteScope, (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(), roleAssignment.ConfigWriteScope, (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString() }); ConfigWriteScopeType configWriteScope = this.ConfigWriteScope; bool flag; switch (configWriteScope) { case ConfigWriteScopeType.None: flag = (roleAssignment.ConfigWriteScope != ConfigWriteScopeType.NotApplicable); break; case ConfigWriteScopeType.NotApplicable: flag = true; break; default: switch (configWriteScope) { case ConfigWriteScopeType.OrganizationConfig: flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig); goto IL_27C; case ConfigWriteScopeType.CustomConfigScope: case ConfigWriteScopeType.ExclusiveConfigScope: if (roleAssignment.ConfigWriteScope != this.ConfigWriteScope) { flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig); goto IL_27C; } if (scopeCache != null && this.CustomConfigWriteScope != null && roleAssignment.CustomConfigWriteScope != null && scopeCache.ContainsKey(this.CustomConfigWriteScope) && scopeCache.ContainsKey(roleAssignment.CustomConfigWriteScope) && scopeCache[this.CustomConfigWriteScope] != null && scopeCache[roleAssignment.CustomConfigWriteScope] != null) { flag = scopeCache[this.CustomConfigWriteScope].IsScopeSmallerOrEqualThan(scopeCache[roleAssignment.CustomConfigWriteScope], out notTrueReason); goto IL_27C; } ExTraceGlobals.AccessCheckTracer.TraceError <string, string>(10000L, "IsConfigWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' or '{1}' within the scope cache or either of their values are $null.", (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(), (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString()); notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString()); flag = false; goto IL_27C; case ConfigWriteScopeType.PartnerDelegatedTenantScope: flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig || roleAssignment.ConfigWriteScope == ConfigWriteScopeType.CustomConfigScope); goto IL_27C; } flag = false; break; } IL_27C: if (!flag && LocalizedString.Empty == notTrueReason) { notTrueReason = DirectoryStrings.ConfigScopeNotLessThan(this.ConfigWriteScope.ToString(), roleAssignment.ConfigWriteScope.ToString()); } ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10001L, "<--IsConfigWriteScopeSmallerOrEqualThan: returns {0}", flag); return(flag); }
private bool TryUpdateRoleAssigneeTypeAndScope(ExchangeRoleAssignment assignment) { RoleAssigneeType roleAssigneeType = RoleAssigneeType.User; ADRawEntry adrawEntry = this.recipientSession.ReadADRawEntry(assignment.User, InstallCannedRbacRoleAssignments.principalProperties); if (adrawEntry == null) { adrawEntry = this.configurationSession.ReadADRawEntry(assignment.User, InstallCannedRbacRoleAssignments.principalProperties); if (adrawEntry == null) { return(false); } } MultiValuedProperty <string> multiValuedProperty = (MultiValuedProperty <string>)adrawEntry[ADObjectSchema.ObjectClass]; foreach (string value in multiValuedProperty) { if ("group".Equals(value, StringComparison.OrdinalIgnoreCase)) { roleAssigneeType = RoleAssigneeType.SecurityGroup; break; } if ("msExchRBACPolicy".Equals(value, StringComparison.OrdinalIgnoreCase)) { roleAssigneeType = RoleAssigneeType.RoleAssignmentPolicy; break; } if ("user".Equals(value, StringComparison.OrdinalIgnoreCase)) { if (RecipientTypeDetails.MailboxPlan == (RecipientTypeDetails)adrawEntry[ADRecipientSchema.RecipientTypeDetails]) { roleAssigneeType = RoleAssigneeType.MailboxPlan; break; } roleAssigneeType = RoleAssigneeType.User; break; } } ConfigWriteScopeType configWriteScopeType = assignment.ConfigWriteScope; ScopeType scopeType = assignment.ConfigReadScope; if (configWriteScopeType == ConfigWriteScopeType.None) { ExchangeRole exchangeRole = this.configurationSession.Read <ExchangeRole>(assignment.Role); if (exchangeRole != null) { base.LogReadObject(exchangeRole); ValidationError[] array = exchangeRole.Validate(); if (array.Length > 0) { this.WriteWarning(Strings.WarningCannotUpgradeRole(exchangeRole.Identity.ToString(), array[0].Description)); return(false); } scopeType = exchangeRole.ImplicitConfigReadScope; configWriteScopeType = (ConfigWriteScopeType)exchangeRole.ImplicitConfigWriteScope; } } if (assignment.RoleAssigneeType != roleAssigneeType || assignment.ConfigWriteScope != configWriteScopeType || assignment.ConfigReadScope != scopeType) { assignment.RoleAssigneeType = roleAssigneeType; assignment.ConfigReadScope = scopeType; assignment.ConfigWriteScope = configWriteScopeType; } return(true); }