public static FreeBusyPermissionLevel DetermineAllowedAccess(ClientContext clientContext, MailboxSession session, CalendarFolder calendarFolder, FreeBusyQuery freeBusyQuery, bool defaultFreeBusyOnly) { RawSecurityDescriptor rawSecurityDescriptor = calendarFolder.TryGetProperty(CalendarFolderSchema.FreeBusySecurityDescriptor) as RawSecurityDescriptor; if (rawSecurityDescriptor == null) { FreeBusyPermission.SecurityTracer.TraceDebug <object, CalendarFolder>(0L, "{0}: Unable to retrieve FreeBusySecurityDescriptor from folder {1}. Using None as permission level.", TraceContext.Get(), calendarFolder); return(FreeBusyPermissionLevel.None); } if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace)) { string sddlForm = rawSecurityDescriptor.GetSddlForm(AccessControlSections.All); FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of calendar folder security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm); } if (defaultFreeBusyOnly) { FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Using DefaultClientSecurityContext because of defaultFreeBusyOnly is set.", new object[] { TraceContext.Get() }); return(FreeBusyPermission.AccessCheck(rawSecurityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext)); } InternalClientContext internalClientContext = clientContext as InternalClientContext; if (internalClientContext != null) { return(FreeBusyPermission.FromInternalClient(internalClientContext, rawSecurityDescriptor, freeBusyQuery)); } ExternalClientContext externalClientContext = clientContext as ExternalClientContext; return(FreeBusyPermission.FromExternalClient(externalClientContext, session, rawSecurityDescriptor, freeBusyQuery)); }
private static string GetExternalIdentity(ExternalClientContext externalClientContext, MailboxSession session) { FreeBusyPermission.SecurityTracer.TraceDebug <object, ExternalClientContext, IExchangePrincipal>(0L, "{0}: searching for external identity for caller {1} in mailbox {2}", TraceContext.Get(), externalClientContext, session.MailboxOwner); Stopwatch stopwatch = Stopwatch.StartNew(); try { PersonalClientContext personalClientContext = externalClientContext as PersonalClientContext; if (personalClientContext != null) { using (ExternalUserCollection externalUsers = session.GetExternalUsers()) { ExternalUser externalUser = externalUsers.FindExternalUser(personalClientContext.ExternalId.ToString()); if (externalUser != null) { string text = externalUser.Sid.ToString(); FreeBusyPermission.SecurityTracer.TraceDebug <object, string>(0L, "{0}: found personal client context from external identity: {1}", TraceContext.Get(), text); return(text); } } } } finally { stopwatch.Stop(); PerformanceCounters.AverageExternalAuthenticationIdentityMappingTime.IncrementBy(stopwatch.ElapsedTicks); PerformanceCounters.AverageExternalAuthenticationIdentityMappingTimeBase.Increment(); } return(null); }
private static FreeBusyPermissionLevel FromExternalClient(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery) { FreeBusyPermissionLevel val = FreeBusyPermission.FromExternalClientWithPersonalRelationship(externalClientContext, mailboxSession, securityDescriptor, freeBusyQuery); FreeBusyPermissionLevel val2 = FreeBusyPermission.FromExternalClientWithOrganizationalRelationship(externalClientContext, mailboxSession, securityDescriptor, freeBusyQuery); FreeBusyPermissionLevel freeBusyPermissionLevel = (FreeBusyPermissionLevel)Math.Max((int)val2, (int)val); FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, FreeBusyPermissionLevel>(0L, "{0}: permission level for {1} is {2}", TraceContext.Get(), externalClientContext.EmailAddress, freeBusyPermissionLevel); return(freeBusyPermissionLevel); }
private static FreeBusyPermissionLevel FromExternalClientWithOrganizationalRelationship(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery) { OrganizationRelationship organizationRelationship = FreeBusyPermission.GetOrganizationRelationship(mailboxSession.MailboxOwner.MailboxInfo.OrganizationId, externalClientContext.EmailAddress.Domain); if (organizationRelationship == null) { FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, string>(0L, "{0}: No organization relationship for {1} with organization id {2}", TraceContext.Get(), externalClientContext.EmailAddress, (mailboxSession.MailboxOwner.MailboxInfo.OrganizationId == null) ? "<null>" : mailboxSession.MailboxOwner.MailboxInfo.OrganizationId.ToString()); return(FreeBusyPermissionLevel.None); } FreeBusyPermissionLevel freeBusyPermissionLevel = FreeBusyPermissionLevel.Detail; if (organizationRelationship != null) { freeBusyPermissionLevel = FreeBusyPermission.GetMaximumFreeBusyPermissionLevel(organizationRelationship); if (freeBusyPermissionLevel == FreeBusyPermissionLevel.None) { FreeBusyPermission.SecurityTracer.TraceDebug <object, ADObjectId>(0L, "{0}: OrganizationRelationship {1} restricts permission level to None.", TraceContext.Get(), organizationRelationship.Id); return(FreeBusyPermissionLevel.None); } } FreeBusyPermissionLevel freeBusyPermissionLevel2 = FreeBusyPermission.AccessCheck(securityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext); if (freeBusyPermissionLevel2 == FreeBusyPermissionLevel.None) { return(FreeBusyPermissionLevel.None); } if (freeBusyPermissionLevel2 > freeBusyPermissionLevel) { FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: OrganizationRelationship {1} restricts permission level to {2}. Lowering permission from {3}.", new object[] { TraceContext.Get(), organizationRelationship.Id, freeBusyPermissionLevel, freeBusyPermissionLevel2 }); freeBusyPermissionLevel2 = freeBusyPermissionLevel; } if (!FreeBusyPermission.IsAllowedByFreeBusyAccessScope(freeBusyQuery, organizationRelationship)) { freeBusyPermissionLevel2 = FreeBusyPermissionLevel.None; } return(freeBusyPermissionLevel2); }
private static FreeBusyPermissionLevel FromExternalClientWithPersonalRelationship(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery) { string externalIdentity = FreeBusyPermission.GetExternalIdentity(externalClientContext, mailboxSession); if (externalIdentity == null) { FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, IExchangePrincipal>(0L, "{0}: No external identity for {1} in mailbox {2}.", TraceContext.Get(), externalClientContext.EmailAddress, mailboxSession.MailboxOwner); return(FreeBusyPermissionLevel.None); } ISecurityAccessToken securityAccessToken = new SecurityAccessToken { UserSid = externalIdentity, GroupSids = ClientSecurityContext.DisabledEveryoneOnlySidStringAndAttributesArray }; FreeBusyPermissionLevel result; using (ClientSecurityContext clientSecurityContext = new ClientSecurityContext(securityAccessToken, AuthzFlags.AuthzSkipTokenGroups)) { result = FreeBusyPermission.AccessCheck(securityDescriptor, clientSecurityContext); } return(result); }