public static FreeBusyPermissionLevel DetermineAllowedAccess(ClientContext clientContext, MailboxSession session, CalendarFolder calendarFolder, FreeBusyQuery freeBusyQuery, bool defaultFreeBusyOnly)
{
RawSecurityDescriptor rawSecurityDescriptor = calendarFolder.TryGetProperty(CalendarFolderSchema.FreeBusySecurityDescriptor) as RawSecurityDescriptor;
if (rawSecurityDescriptor == null)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, CalendarFolder>(0L, "{0}: Unable to retrieve FreeBusySecurityDescriptor from folder {1}. Using None as permission level.", TraceContext.Get(), calendarFolder);
return(FreeBusyPermissionLevel.None);
}
if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace))
{
string sddlForm = rawSecurityDescriptor.GetSddlForm(AccessControlSections.All);
FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of calendar folder security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm);
}
if (defaultFreeBusyOnly)
{
FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Using DefaultClientSecurityContext because of defaultFreeBusyOnly is set.", new object[]
{
TraceContext.Get()
});
return(FreeBusyPermission.AccessCheck(rawSecurityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext));
}
InternalClientContext internalClientContext = clientContext as InternalClientContext;
if (internalClientContext != null)
{
return(FreeBusyPermission.FromInternalClient(internalClientContext, rawSecurityDescriptor, freeBusyQuery));
}
ExternalClientContext externalClientContext = clientContext as ExternalClientContext;
return(FreeBusyPermission.FromExternalClient(externalClientContext, session, rawSecurityDescriptor, freeBusyQuery));
}
private static string GetExternalIdentity(ExternalClientContext externalClientContext, MailboxSession session)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, ExternalClientContext, IExchangePrincipal>(0L, "{0}: searching for external identity for caller {1} in mailbox {2}", TraceContext.Get(), externalClientContext, session.MailboxOwner);
Stopwatch stopwatch = Stopwatch.StartNew();
try
{
PersonalClientContext personalClientContext = externalClientContext as PersonalClientContext;
if (personalClientContext != null)
{
using (ExternalUserCollection externalUsers = session.GetExternalUsers())
{
ExternalUser externalUser = externalUsers.FindExternalUser(personalClientContext.ExternalId.ToString());
if (externalUser != null)
{
string text = externalUser.Sid.ToString();
FreeBusyPermission.SecurityTracer.TraceDebug <object, string>(0L, "{0}: found personal client context from external identity: {1}", TraceContext.Get(), text);
return(text);
}
}
}
}
finally
{
stopwatch.Stop();
PerformanceCounters.AverageExternalAuthenticationIdentityMappingTime.IncrementBy(stopwatch.ElapsedTicks);
PerformanceCounters.AverageExternalAuthenticationIdentityMappingTimeBase.Increment();
}
return(null);
}
private static FreeBusyPermissionLevel FromExternalClient(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery)
{
FreeBusyPermissionLevel val = FreeBusyPermission.FromExternalClientWithPersonalRelationship(externalClientContext, mailboxSession, securityDescriptor, freeBusyQuery);
FreeBusyPermissionLevel val2 = FreeBusyPermission.FromExternalClientWithOrganizationalRelationship(externalClientContext, mailboxSession, securityDescriptor, freeBusyQuery);
FreeBusyPermissionLevel freeBusyPermissionLevel = (FreeBusyPermissionLevel)Math.Max((int)val2, (int)val);
FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, FreeBusyPermissionLevel>(0L, "{0}: permission level for {1} is {2}", TraceContext.Get(), externalClientContext.EmailAddress, freeBusyPermissionLevel);
return(freeBusyPermissionLevel);
}
private static FreeBusyPermissionLevel FromExternalClientWithOrganizationalRelationship(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery)
{
OrganizationRelationship organizationRelationship = FreeBusyPermission.GetOrganizationRelationship(mailboxSession.MailboxOwner.MailboxInfo.OrganizationId, externalClientContext.EmailAddress.Domain);
if (organizationRelationship == null)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, string>(0L, "{0}: No organization relationship for {1} with organization id {2}", TraceContext.Get(), externalClientContext.EmailAddress, (mailboxSession.MailboxOwner.MailboxInfo.OrganizationId == null) ? "<null>" : mailboxSession.MailboxOwner.MailboxInfo.OrganizationId.ToString());
return(FreeBusyPermissionLevel.None);
}
FreeBusyPermissionLevel freeBusyPermissionLevel = FreeBusyPermissionLevel.Detail;
if (organizationRelationship != null)
{
freeBusyPermissionLevel = FreeBusyPermission.GetMaximumFreeBusyPermissionLevel(organizationRelationship);
if (freeBusyPermissionLevel == FreeBusyPermissionLevel.None)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, ADObjectId>(0L, "{0}: OrganizationRelationship {1} restricts permission level to None.", TraceContext.Get(), organizationRelationship.Id);
return(FreeBusyPermissionLevel.None);
}
}
FreeBusyPermissionLevel freeBusyPermissionLevel2 = FreeBusyPermission.AccessCheck(securityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext);
if (freeBusyPermissionLevel2 == FreeBusyPermissionLevel.None)
{
return(FreeBusyPermissionLevel.None);
}
if (freeBusyPermissionLevel2 > freeBusyPermissionLevel)
{
FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: OrganizationRelationship {1} restricts permission level to {2}. Lowering permission from {3}.", new object[]
{
TraceContext.Get(),
organizationRelationship.Id,
freeBusyPermissionLevel,
freeBusyPermissionLevel2
});
freeBusyPermissionLevel2 = freeBusyPermissionLevel;
}
if (!FreeBusyPermission.IsAllowedByFreeBusyAccessScope(freeBusyQuery, organizationRelationship))
{
freeBusyPermissionLevel2 = FreeBusyPermissionLevel.None;
}
return(freeBusyPermissionLevel2);
}
private static FreeBusyPermissionLevel FromExternalClientWithPersonalRelationship(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery)
{
string externalIdentity = FreeBusyPermission.GetExternalIdentity(externalClientContext, mailboxSession);
if (externalIdentity == null)
{
FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, IExchangePrincipal>(0L, "{0}: No external identity for {1} in mailbox {2}.", TraceContext.Get(), externalClientContext.EmailAddress, mailboxSession.MailboxOwner);
return(FreeBusyPermissionLevel.None);
}
ISecurityAccessToken securityAccessToken = new SecurityAccessToken
{
UserSid = externalIdentity,
GroupSids = ClientSecurityContext.DisabledEveryoneOnlySidStringAndAttributesArray
};
FreeBusyPermissionLevel result;
using (ClientSecurityContext clientSecurityContext = new ClientSecurityContext(securityAccessToken, AuthzFlags.AuthzSkipTokenGroups))
{
result = FreeBusyPermission.AccessCheck(securityDescriptor, clientSecurityContext);
}
return(result);
}
