internal RoleAssignmentScopeSet GetEffectiveScopeSet(Dictionary <ADObjectId, ManagementScope> scopeCache, ISecurityAccessToken securityAccessToken)
{
RbacScope recipientReadScope = (this.RecipientReadScope == ScopeType.MyGAL) ? new RbacScope(this.RecipientReadScope, securityAccessToken) : new RbacScope(this.RecipientReadScope);
RbacScope recipientWriteRbacScope = ExchangeRoleAssignment.GetRecipientWriteRbacScope(this.RecipientWriteScope, this.CustomRecipientWriteScope, scopeCache, securityAccessToken, this.IsFromEndUserRole);
if (recipientWriteRbacScope == null)
{
return(null);
}
RbacScope configReadScope = new RbacScope(this.ConfigReadScope);
ConfigWriteScopeType configWriteScope = this.ConfigWriteScope;
RbacScope configWriteScope2;
switch (configWriteScope)
{
case ConfigWriteScopeType.None:
break;
case ConfigWriteScopeType.NotApplicable:
configWriteScope2 = new RbacScope(ScopeType.NotApplicable);
goto IL_E0;
default:
switch (configWriteScope)
{
case ConfigWriteScopeType.OrganizationConfig:
goto IL_85;
case ConfigWriteScopeType.CustomConfigScope:
case ConfigWriteScopeType.ExclusiveConfigScope:
{
ManagementScope managementScope = scopeCache[this.CustomConfigWriteScope];
if (managementScope == null)
{
return(null);
}
configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope, managementScope);
goto IL_E0;
}
case ConfigWriteScopeType.PartnerDelegatedTenantScope:
if (scopeCache[this.CustomConfigWriteScope] == null)
{
return(null);
}
configWriteScope2 = new RbacScope(ScopeType.OrganizationConfig);
goto IL_E0;
}
configWriteScope2 = null;
goto IL_E0;
}
IL_85:
configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope);
IL_E0:
return(new RoleAssignmentScopeSet(recipientReadScope, recipientWriteRbacScope, configReadScope, configWriteScope2));
}
internal static ExchangeRoleAssignment FindOneWithMaximumWriteScope(IList <ExchangeRoleAssignment> roleAssignments, IDictionary <ADObjectId, ManagementScope> scopeCache, bool compareRecipientWriteScope, out LocalizedString notFoundReason)
{
ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10002L, "-->FindOneWithMaximumWriteScope: compareRecipientWriteScope = {0}", compareRecipientWriteScope);
notFoundReason = LocalizedString.Empty;
if (roleAssignments == null || roleAssignments.Count == 0)
{
ExTraceGlobals.AccessCheckTracer.TraceError(10002L, "FindOneWithMaximumWriteScope: there is not any role assignment to be worked against, we return NULL here.");
return(null);
}
ExTraceGlobals.AccessCheckTracer.TraceDebug(10002L, "FindOneWithMaximumWriteScope: Going through all the role assignments and find the assignment with maximum recipient or config scope");
ExchangeRoleAssignment exchangeRoleAssignment = roleAssignments[0];
for (int i = 1; i < roleAssignments.Count; i++)
{
LocalizedString localizedString;
if (compareRecipientWriteScope)
{
if (exchangeRoleAssignment.IsRecipientWriteScopeSmallerOrEqualThan(roleAssignments[i], scopeCache, out localizedString))
{
exchangeRoleAssignment = roleAssignments[i];
}
}
else if (exchangeRoleAssignment.IsConfigWriteScopeSmallerOrEqualThan(roleAssignments[i], scopeCache, out localizedString))
{
exchangeRoleAssignment = roleAssignments[i];
}
}
ExTraceGlobals.AccessCheckTracer.TraceDebug <ADObjectId>(10002L, "FindOneWithMaximumWriteScope: The temporary role assignment we found with maximum recipient or config scope is {0}.", exchangeRoleAssignment.Id);
ExTraceGlobals.AccessCheckTracer.TraceDebug(10002L, "FindOneWithMaximumWriteScope: Re-iterate the whole array to make sure it is really the assignment with maximum recipient or config scope");
for (int j = 1; j < roleAssignments.Count; j++)
{
LocalizedString value;
if (compareRecipientWriteScope)
{
if (!roleAssignments[j].IsRecipientWriteScopeSmallerOrEqualThan(exchangeRoleAssignment, scopeCache, out value))
{
ExTraceGlobals.AccessCheckTracer.TraceError <ADObjectId, ADObjectId>(10002L, "FindOneWithMaximumWriteScope: role assignment {0} has conflicting recipient write scope with {1}.", exchangeRoleAssignment.Id, roleAssignments[j].Id);
notFoundReason = DirectoryStrings.AssignmentsWithConflictingScope(exchangeRoleAssignment.Id.ToString(), roleAssignments[j].Id.ToString(), value);
return(null);
}
}
else if (!roleAssignments[j].IsConfigWriteScopeSmallerOrEqualThan(exchangeRoleAssignment, scopeCache, out value))
{
ExTraceGlobals.AccessCheckTracer.TraceError <ADObjectId, ADObjectId>(10002L, "FindOneWithMaximumWriteScope: role assignment {0} has conflicting config write scope with {1}.", exchangeRoleAssignment.Id, roleAssignments[j].Id);
notFoundReason = DirectoryStrings.AssignmentsWithConflictingScope(exchangeRoleAssignment.Id.ToString(), roleAssignments[j].Id.ToString(), value);
return(null);
}
}
ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId>(10002L, "<--FindOneWithMaximumWriteScope: returns {0}.", exchangeRoleAssignment.Id);
return(exchangeRoleAssignment);
}
internal void PopulateRoles(Result <ExchangeRoleAssignment>[] roleAssignmentResults)
{
if (roleAssignmentResults != null)
{
foreach (Result <ExchangeRoleAssignment> result in roleAssignmentResults)
{
ExchangeRoleAssignment data = result.Data;
this.RoleAssignments.Add(data.Id);
if (data.Role != null && !this.AssignedRoles.Contains(data.Role))
{
this.AssignedRoles.Add(data.Role);
}
}
}
}
internal static RoleAssigneeType RoleAssigneeTypeFromADRecipient(ADRecipient recipient)
{
if (recipient is ADGroup)
{
RoleGroupType roleGroupType = ((ADGroup)recipient).RoleGroupType;
if (roleGroupType == RoleGroupType.Linked)
{
return(RoleAssigneeType.LinkedRoleGroup);
}
if (roleGroupType == RoleGroupType.PartnerLinked)
{
return(RoleAssigneeType.PartnerLinkedRoleGroup);
}
}
return(ExchangeRoleAssignment.RoleAssigneeTypeFromRecipientTypeDetails(recipient.RecipientTypeDetails));
}
private bool IsDelegationLevelSmallerOrEqual(ExchangeRoleAssignment roleAssignment, out LocalizedString notTrueReason, bool isRecipientScope)
{
notTrueReason = LocalizedString.Empty;
if ((this.RoleAssignmentDelegationType == RoleAssignmentDelegationType.DelegatingOrgWide && roleAssignment.RoleAssignmentDelegationType != RoleAssignmentDelegationType.DelegatingOrgWide) || (this.RoleAssignmentDelegationType == RoleAssignmentDelegationType.Delegating && roleAssignment.RoleAssignmentDelegationType == RoleAssignmentDelegationType.Regular))
{
ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "this instance has the same write scope as the other role assignment, but it has a larger delegating scope");
if (isRecipientScope)
{
notTrueReason = DirectoryStrings.RecipientWriteScopeNotLessThanBecauseOfDelegationFlags(this.RoleAssignmentDelegationType.ToString(), roleAssignment.RoleAssignmentDelegationType.ToString());
}
else
{
notTrueReason = DirectoryStrings.ConfigWriteScopeNotLessThanBecauseOfDelegationFlags(this.RoleAssignmentDelegationType.ToString(), roleAssignment.RoleAssignmentDelegationType.ToString());
}
return(false);
}
ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "this instance has exactly the same write scope as the other role assignment and smaller or equal delegation scope");
return(true);
}
internal bool IsConfigWriteScopeSmallerOrEqualThan(ExchangeRoleAssignment roleAssignment, IDictionary <ADObjectId, ManagementScope> scopeCache, out LocalizedString notTrueReason)
{
if (roleAssignment == null)
{
throw new ArgumentNullException("roleAssignment");
}
ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId, ADObjectId, int>(10001L, "-->IsConfigReadScopeSmallerOrEqualThan: this = {0}, other = {1} (scopeCache Count = {2})", base.Id, roleAssignment.Id, (scopeCache == null) ? 0 : scopeCache.Count);
notTrueReason = LocalizedString.Empty;
if (roleAssignment.ConfigWriteScope == this.ConfigWriteScope && ADObjectId.Equals(roleAssignment.CustomConfigWriteScope, this.CustomConfigWriteScope))
{
return(this.IsDelegationLevelSmallerOrEqual(roleAssignment, out notTrueReason, false));
}
if (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig)
{
ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "the other role assignment has the biggest config scope: ConfigWriteScopeType.OrganizationConfig");
return(true);
}
ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "IsConfigWriteScopeSmallerOrEqualThan: this instance has config write scope '{0}' with link '{1}', other has type '{2}' with link '{3}'.", new object[]
{
this.ConfigWriteScope,
(this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(),
roleAssignment.ConfigWriteScope,
(roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString()
});
ConfigWriteScopeType configWriteScope = this.ConfigWriteScope;
bool flag;
switch (configWriteScope)
{
case ConfigWriteScopeType.None:
flag = (roleAssignment.ConfigWriteScope != ConfigWriteScopeType.NotApplicable);
break;
case ConfigWriteScopeType.NotApplicable:
flag = true;
break;
default:
switch (configWriteScope)
{
case ConfigWriteScopeType.OrganizationConfig:
flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig);
goto IL_27C;
case ConfigWriteScopeType.CustomConfigScope:
case ConfigWriteScopeType.ExclusiveConfigScope:
if (roleAssignment.ConfigWriteScope != this.ConfigWriteScope)
{
flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig);
goto IL_27C;
}
if (scopeCache != null && this.CustomConfigWriteScope != null && roleAssignment.CustomConfigWriteScope != null && scopeCache.ContainsKey(this.CustomConfigWriteScope) && scopeCache.ContainsKey(roleAssignment.CustomConfigWriteScope) && scopeCache[this.CustomConfigWriteScope] != null && scopeCache[roleAssignment.CustomConfigWriteScope] != null)
{
flag = scopeCache[this.CustomConfigWriteScope].IsScopeSmallerOrEqualThan(scopeCache[roleAssignment.CustomConfigWriteScope], out notTrueReason);
goto IL_27C;
}
ExTraceGlobals.AccessCheckTracer.TraceError <string, string>(10000L, "IsConfigWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' or '{1}' within the scope cache or either of their values are $null.", (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(), (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString());
notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString());
flag = false;
goto IL_27C;
case ConfigWriteScopeType.PartnerDelegatedTenantScope:
flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig || roleAssignment.ConfigWriteScope == ConfigWriteScopeType.CustomConfigScope);
goto IL_27C;
}
flag = false;
break;
}
IL_27C:
if (!flag && LocalizedString.Empty == notTrueReason)
{
notTrueReason = DirectoryStrings.ConfigScopeNotLessThan(this.ConfigWriteScope.ToString(), roleAssignment.ConfigWriteScope.ToString());
}
ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10001L, "<--IsConfigWriteScopeSmallerOrEqualThan: returns {0}", flag);
return(flag);
}
internal bool IsRecipientWriteScopeSmallerOrEqualThan(ExchangeRoleAssignment roleAssignment, IDictionary <ADObjectId, ManagementScope> scopeCache, out LocalizedString notTrueReason)
{
if (roleAssignment == null)
{
throw new ArgumentNullException("roleAssignment");
}
ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId, ADObjectId, int>(10000L, "-->IsRecipientWriteScopeSmallerOrEqualThan: this = {0}, other = {1} (scopeCache Count = {2})", base.Id, roleAssignment.Id, (scopeCache == null) ? 0 : scopeCache.Count);
notTrueReason = LocalizedString.Empty;
if (roleAssignment.RecipientWriteScope == this.RecipientWriteScope && ADObjectId.Equals(roleAssignment.CustomRecipientWriteScope, this.CustomRecipientWriteScope))
{
return(this.IsDelegationLevelSmallerOrEqual(roleAssignment, out notTrueReason, true));
}
ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: this instance has domain write restriction type '{0}' with link '{1}', other has type '{2}' with link '{3}'.", new object[]
{
this.RecipientWriteScope,
(this.CustomRecipientWriteScope == null) ? "null" : this.CustomRecipientWriteScope.ToString(),
roleAssignment.RecipientWriteScope,
(roleAssignment.CustomRecipientWriteScope == null) ? "null" : roleAssignment.CustomRecipientWriteScope.ToString()
});
if (this.CustomRecipientWriteScope == null && (this.RecipientWriteScope == RecipientWriteScopeType.OU || this.RecipientWriteScope == RecipientWriteScopeType.CustomRecipientScope || this.RecipientWriteScope == RecipientWriteScopeType.ExclusiveRecipientScope))
{
ExTraceGlobals.AccessCheckTracer.TraceError(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: this instance has invalid NULL CustomRecipientWriteScope.");
notTrueReason = DirectoryStrings.CustomRecipientWriteScopeCannotBeEmpty(this.RecipientWriteScope);
return(false);
}
if (roleAssignment.CustomRecipientWriteScope == null && (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.OU || roleAssignment.RecipientWriteScope == RecipientWriteScopeType.CustomRecipientScope || roleAssignment.RecipientWriteScope == RecipientWriteScopeType.ExclusiveRecipientScope))
{
ExTraceGlobals.AccessCheckTracer.TraceError(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: the other instance has invalid NULL CustomRecipientWriteScope.");
notTrueReason = DirectoryStrings.CustomRecipientWriteScopeCannotBeEmpty(roleAssignment.RecipientWriteScope);
return(false);
}
bool flag;
switch (this.RecipientWriteScope)
{
case RecipientWriteScopeType.None:
flag = (roleAssignment.RecipientWriteScope != RecipientWriteScopeType.NotApplicable);
goto IL_41E;
case RecipientWriteScopeType.NotApplicable:
flag = true;
goto IL_41E;
case RecipientWriteScopeType.Organization:
flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization);
goto IL_41E;
case RecipientWriteScopeType.MyGAL:
case RecipientWriteScopeType.Self:
case RecipientWriteScopeType.MyDirectReports:
case RecipientWriteScopeType.MyDistributionGroups:
case RecipientWriteScopeType.MyExecutive:
case RecipientWriteScopeType.MailboxICanDelegate:
flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.MyGAL || roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization);
goto IL_41E;
case RecipientWriteScopeType.OU:
if (roleAssignment.RecipientWriteScope != RecipientWriteScopeType.OU)
{
flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization);
goto IL_41E;
}
ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: comparing the OU DistinguishedName(s) between two role assignments.");
if (this.CustomRecipientWriteScope.IsDescendantOf(roleAssignment.CustomRecipientWriteScope))
{
flag = true;
goto IL_41E;
}
notTrueReason = DirectoryStrings.OUsNotSmallerOrEqual(this.CustomRecipientWriteScope.ToString(), roleAssignment.CustomRecipientWriteScope.ToString());
flag = false;
goto IL_41E;
case RecipientWriteScopeType.CustomRecipientScope:
case RecipientWriteScopeType.ExclusiveRecipientScope:
if (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.OU)
{
if (scopeCache != null && scopeCache.ContainsKey(this.CustomRecipientWriteScope) && scopeCache[this.CustomRecipientWriteScope] != null)
{
flag = scopeCache[this.CustomRecipientWriteScope].IsFullyCoveredByOU(roleAssignment.CustomRecipientWriteScope, out notTrueReason);
goto IL_41E;
}
ExTraceGlobals.AccessCheckTracer.TraceError <string>(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' within the scope cache or its value is $null.", (this.CustomRecipientWriteScope == null) ? "null" : this.CustomRecipientWriteScope.ToString());
notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString());
flag = false;
goto IL_41E;
}
else
{
if (roleAssignment.RecipientWriteScope != RecipientWriteScopeType.CustomRecipientScope && roleAssignment.RecipientWriteScope != RecipientWriteScopeType.ExclusiveRecipientScope)
{
flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization);
goto IL_41E;
}
if (scopeCache != null && this.CustomRecipientWriteScope != null && roleAssignment.CustomRecipientWriteScope != null && scopeCache.ContainsKey(this.CustomRecipientWriteScope) && scopeCache.ContainsKey(roleAssignment.CustomRecipientWriteScope) && scopeCache[this.CustomRecipientWriteScope] != null && scopeCache[roleAssignment.CustomRecipientWriteScope] != null)
{
flag = scopeCache[this.CustomRecipientWriteScope].IsScopeSmallerOrEqualThan(scopeCache[roleAssignment.CustomRecipientWriteScope], out notTrueReason);
goto IL_41E;
}
ExTraceGlobals.AccessCheckTracer.TraceError <string, string>(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' or '{1}' within the scope cache or either of their values are $null.", (this.CustomRecipientWriteScope == null) ? "null" : this.CustomRecipientWriteScope.ToString(), (roleAssignment.CustomRecipientWriteScope == null) ? "null" : roleAssignment.CustomRecipientWriteScope.ToString());
notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString());
flag = false;
goto IL_41E;
}
break;
}
flag = false;
IL_41E:
if (!flag && LocalizedString.Empty == notTrueReason)
{
notTrueReason = DirectoryStrings.RecipientWriteScopeNotLessThan(this.RecipientWriteScope.ToString(), roleAssignment.RecipientWriteScope.ToString());
}
ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10000L, "<--IsRecipientWriteScopeSmallerOrEqualThan: returns {0}", flag);
return(flag);
}
