/// <summary>
/// Validates a forest-wide group against the well-known ExOrgAdmin security group
/// (<see cref="WellKnownGuid.EoaWkGuid"/>): the check fails only when <paramref name="group"/>
/// is a member of that canned role group and the canned role group is empty.
/// Groups outside the forest-wide organization are not subject to the check.
/// </summary>
/// <param name="group">The group being validated.</param>
/// <param name="cannedRoleGroup">Receives the resolved canned role group, or null when the check does not apply.</param>
/// <returns>true when the check passes or does not apply; false when the canned role group would be left empty.</returns>
private bool HierarchicalCheckForCannedRoleGroups(ADGroup group, out ADGroup cannedRoleGroup)
{
    cannedRoleGroup = null;

    bool isForestWide = group.OrganizationId.Equals(OrganizationId.ForestWideOrgId);
    if (!isForestWide)
    {
        return true;
    }

    cannedRoleGroup = this.recipientSession.ResolveWellKnownGuid<ADGroup>(WellKnownGuid.EoaWkGuid, this.configurationSession.ConfigurationNamingContext);
    if (cannedRoleGroup == null)
    {
        // NOTE(review): relies on writeError not returning (terminating the task); if it does return,
        // the membership call below dereferences a null cannedRoleGroup — confirm the delegate's contract.
        this.writeError(new ExOrgAdminSGroupNotFoundException(WellKnownGuid.EoaWkGuid), ExchangeErrorCategory.ServerOperation, null);
    }

    // Every forest-wide group handled here is excluded from the generic emptiness validation,
    // regardless of the outcome of the membership check that follows.
    this.excludedFromEmptinessValidation.Add(group.Id);

    // The second argument presumably selects direct vs. nested membership — verify against ContainsMember.
    bool isMemberOfCannedGroup = cannedRoleGroup.ContainsMember(group.Id, false);
    if (!isMemberOfCannedGroup)
    {
        return true;
    }

    // Only evaluated when the group is a member: the canned role group must not end up empty.
    return !this.IsGroupEmpty(cannedRoleGroup);
}
        /// <summary>
        /// Decides whether the mailbox behind <paramref name="freeBusyQuery"/> may have its free/busy
        /// data shared through <paramref name="organizationRelationship"/>, based on the relationship's
        /// FreeBusyAccessScope group.
        /// </summary>
        /// <param name="freeBusyQuery">The query whose recipient mailbox is being checked.</param>
        /// <param name="organizationRelationship">The relationship that may restrict sharing to a scope group.</param>
        /// <returns>
        /// true when no scope group is configured or the mailbox is a member of it; false when the scope
        /// group is configured but cannot be read from AD (fails closed) or the mailbox is not a member.
        /// </returns>
        private static bool IsAllowedByFreeBusyAccessScope(FreeBusyQuery freeBusyQuery, OrganizationRelationship organizationRelationship)
        {
            var accessScope = organizationRelationship.FreeBusyAccessScope;
            if (accessScope == null)
            {
                FreeBusyPermission.SecurityTracer.TraceDebug<object, ADObjectId>(0L, "{0}: OrganizationRelationship {1} doesn't restrict any mailbox to share externally.", TraceContext.Get(), organizationRelationship.Id);
                return true;
            }

            IRecipientSession recipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, organizationRelationship.Session.SessionSettings, 620, "IsAllowedByFreeBusyAccessScope", "f:\\15.00.1497\\sources\\dev\\infoworker\\src\\common\\Availability\\FreeBusyPermission.cs");
            ADGroup scopeGroup = recipientSession.Read(accessScope) as ADGroup;

            // A configured scope that cannot be resolved grants nothing rather than everything.
            if (scopeGroup == null)
            {
                FreeBusyPermission.SecurityTracer.TraceError<object, ADObjectId>(0L, "{0}: OrganizationRelationship.FreeBusyAccessScope is defined as {1}, but cannot be found in AD.", TraceContext.Get(), accessScope);
                return false;
            }

            // The second argument presumably selects direct vs. nested membership — verify against ContainsMember.
            bool isMember = scopeGroup.ContainsMember(freeBusyQuery.RecipientData.Id, false);
            if (isMember)
            {
                return true;
            }

            FreeBusyPermission.SecurityTracer.TraceDebug<object, EmailAddress, ADObjectId>(0L, "{0}: mailbox {1} is not member of OrganizationRelationship.FreeBusyAccessScope {2}.", TraceContext.Get(), freeBusyQuery.Email, accessScope);
            return false;
        }
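        /// <summary>
        /// Resolves the MailTips permission the current requester has for <paramref name="recipientData"/>.
        /// Internal requesters and recipients that did not resolve in AD receive full access; an external
        /// requester is checked against the OrganizationRelationship of the recipient's organization and,
        /// when one is configured, the relationship's MailTipsAccessScope group.
        /// </summary>
        /// <param name="recipientData">The recipient whose MailTips are being requested.</param>
        /// <returns>The effective <see cref="MailTipsPermission"/> for this requester/recipient pair.</returns>
        internal MailTipsPermission Lookup(RecipientData recipientData)
        {
            if (this.ExternalClientContext == null)
            {
                this.tracer.TraceDebug<object, EmailAddress>((long)this.traceId, "{0}: InternalMailTipsPermission used for {1} because requester is not external", TraceContext.Get(), recipientData.EmailAddress);
                return MailTipsPermission.AllAccess;
            }

            if (recipientData.IsEmpty)
            {
                // A recipient that did not resolve in AD is handled with full access on this path.
                this.tracer.TraceDebug<object, EmailAddress>((long)this.traceId, "{0}: InternalMailTipsPermission used for {1} because recipient did not resolve in AD", TraceContext.Get(), recipientData.EmailAddress);
                return MailTipsPermission.AllAccess;
            }

            var organizationId = recipientData.OrganizationId;
            MailTipsPermission cachedPermission;
            if (this.permissionMap.TryGetValue(organizationId, out cachedPermission))
            {
                return cachedPermission;
            }

            string requesterDomain = this.ExternalClientContext.EmailAddress.Domain;
            OrganizationRelationship organizationRelationship = FreeBusyPermission.GetOrganizationRelationship(organizationId, requesterDomain);
            if (organizationRelationship == null || !organizationRelationship.Enabled)
            {
                // Not cached: a missing or disabled relationship is re-evaluated per recipient.
                this.tracer.TraceDebug<object, OrganizationId, string>((long)this.traceId, "{0}: No organization relationship found in organization {1} for domain {2}", TraceContext.Get(), organizationId, requesterDomain);
                return MailTipsPermission.NoAccess;
            }

            // The scope check tests whether *this recipient* is a member of the relationship's
            // MailTipsAccessScope group, so its outcome is recipient-specific. The cache is keyed by
            // organization only, so a scope-dependent result must not be cached: it would otherwise be
            // reused for every other recipient of the same organization, granting or denying access
            // based on a different mailbox's membership.
            bool scopeCheckApplies = organizationRelationship.MailTipsAccessScope != null
                && organizationRelationship.MailTipsAccessEnabled
                && organizationRelationship.MailTipsAccessLevel != MailTipsAccessLevel.None;

            bool inAccessScope;
            if (organizationRelationship.MailTipsAccessScope == null)
            {
                // No scope configured: every recipient of the organization is in scope.
                inAccessScope = true;
            }
            else if (scopeCheckApplies)
            {
                inAccessScope = this.IsRecipientInMailTipsAccessScope(recipientData, organizationRelationship);
            }
            else
            {
                // Scope configured but MailTips access disabled or level None: membership is not consulted.
                inAccessScope = false;
            }

            MailTipsPermission permission = new MailTipsPermission(organizationRelationship.MailTipsAccessEnabled, organizationRelationship.MailTipsAccessLevel, inAccessScope);
            if (!scopeCheckApplies)
            {
                // Only organization-wide results are safe under the organization-wide cache key.
                this.permissionMap[organizationId] = permission;
            }
            return permission;
        }

        // Reads the relationship's MailTipsAccessScope group and reports whether the recipient is a member.
        // A configured scope group that cannot be resolved in AD is treated as "not in scope" (fails closed).
        private bool IsRecipientInMailTipsAccessScope(RecipientData recipientData, OrganizationRelationship organizationRelationship)
        {
            IRecipientSession recipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromOrganizationIdWithoutRbacScopesServiceOnly(recipientData.OrganizationId), 127, "Lookup", "f:\\15.00.1497\\sources\\dev\\infoworker\\src\\common\\MailTips\\MailTipsPerRequesterPermissionMap.cs");
            ADGroup scopeGroup = recipientSession.Read(organizationRelationship.MailTipsAccessScope) as ADGroup;
            if (scopeGroup == null)
            {
                this.tracer.TraceError<object, OrganizationId, ADObjectId>((long)this.traceId, "{0}: OrganizationRelationship for organization {1} has invalid MailTipsAccessScope {2} which cannot be resolved in ad as an ADGroup", TraceContext.Get(), recipientData.OrganizationId, organizationRelationship.MailTipsAccessScope);
                return false;
            }

            // The second argument presumably selects direct vs. nested membership — verify against ContainsMember.
            bool isMember = scopeGroup.ContainsMember(recipientData.Id, false);
            string membershipMessage = isMember
                ? "{0}: {1} is a member of MailTipsAccessScope {2} for OrganizationRelationship of organization {3}"
                : "{0}: {1} is not a member of MailTipsAccessScope {2} for OrganizationRelationship of organization {3}";
            this.tracer.TraceDebug((long)this.traceId, membershipMessage, new object[]
            {
                TraceContext.Get(),
                recipientData.EmailAddress,
                organizationRelationship.MailTipsAccessScope,
                recipientData.OrganizationId
            });
            return isMember;
        }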