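/// <summary>
/// Tests whether <paramref name="executingAdUser"/> holds full access on the mailbox of
/// <paramref name="accessRequestedForADUser"/>. The mailbox security descriptor is read from the
/// store that currently hosts the mailbox database and evaluated against the caller's SID through
/// the Authz layer.
/// </summary>
/// <param name="executingAdUser">The user whose access is being evaluated; only its SID (and Alias, for tracing) is used.</param>
/// <param name="accessRequestedForADUser">The mailbox owner; Database.ObjectGuid and ExchangeGuid identify the mailbox.</param>
/// <param name="session">Not used by this implementation; retained so existing callers keep compiling.</param>
/// <returns>
/// <c>true</c> when the CreateChild bit is granted to the caller on the mailbox descriptor;
/// <c>false</c> when the mailbox cannot be found or no descriptor is returned (fail closed).
/// </returns>
internal static bool CheckFullAccessPermissions(ADUser executingAdUser, ADUser accessRequestedForADUser, IRecipientSession session)
{
    ExTraceGlobals.TaskTracer.TraceDebug<string, string>(0L, "Checking if {0} has full access for mailbox {1}", executingAdUser.Alias, accessRequestedForADUser.Alias);

    // Resolve the server that is currently active for the mailbox database so the descriptor is read from the live copy.
    ActiveManager activeManager = ActiveManager.GetActiveManagerInstance();
    DatabaseLocationInfo location = activeManager.GetServerForDatabase(accessRequestedForADUser.Database.ObjectGuid);
    MailboxId mailboxId = new MailboxId(new DatabaseId(accessRequestedForADUser.Database.ObjectGuid), accessRequestedForADUser.ExchangeGuid);

    RawSecurityDescriptor mailboxDescriptor;
    using (MapiMessageStoreSession storeSession = new MapiMessageStoreSession(location.ServerLegacyDN, Server.GetSystemAttendantLegacyDN(location.ServerLegacyDN), Fqdn.Parse(location.ServerFqdn)))
    {
        try
        {
            mailboxDescriptor = storeSession.GetMailboxSecurityDescriptor(mailboxId);
        }
        catch (MailboxNotFoundException)
        {
            ExTraceGlobals.TaskTracer.TraceDebug<MailboxId>(0L, "Could not find mailbox {0} when attempting to read its security descriptor.", mailboxId);
            return false;
        }
    }

    // Fail closed: without a descriptor there is nothing that proves a grant.
    if (mailboxDescriptor == null)
    {
        ExTraceGlobals.TaskTracer.TraceDebug<MailboxId>(0L, "No security descriptor was returned for mailbox {0}; treating as no full access.", mailboxId);
        return false;
    }

    // Ask Authz which of the requested bits are granted. Full access is represented by the CreateChild bit
    // on the mailbox descriptor; only the low bit of the granted mask is inspected (presumably
    // AccessMask.CreateChild == 0x1, matching ADS_RIGHT_DS_CREATE_CHILD).
    int grantedMask = AuthzAuthorization.CheckGenericPermission(executingAdUser.Sid, mailboxDescriptor, AccessMask.CreateChild);
    return (grantedMask & 1) == 1;
}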
/// <summary>
/// Resolves the <see cref="Permission"/> flags that <paramref name="sid"/> holds on this object's
/// security descriptor. When no descriptor is available, or the Authz check raises a
/// <see cref="Win32Exception"/>, the result is <see cref="Permission.None"/> — the check fails closed
/// instead of propagating the error.
/// </summary>
/// <param name="sid">The security identifier whose access is evaluated.</param>
/// <returns>The granted flags, or <see cref="Permission.None"/> when they cannot be determined.</returns>
private Permission DeterminePermissions(SecurityIdentifier sid)
{
    RawSecurityDescriptor descriptor = this.GetSecurityDescriptor();
    if (descriptor == null)
    {
        return Permission.None;
    }
    try
    {
        return AuthzAuthorization.CheckPermissions(sid, descriptor, null);
    }
    catch (Win32Exception)
    {
        // Deliberate best-effort: an Authz failure is reported to callers as "no rights".
        return Permission.None;
    }
}
// Token: 0x06001055 RID: 4181 RVA: 0x0004F074 File Offset: 0x0004D274
/// <summary>
/// Lazily derives this scope's <c>Root</c> (search base) and <c>Filter</c> (query restriction) from
/// <c>scopeType</c>. The computation runs at most once: if either value is already set the call is a
/// no-op. A null <c>Filter</c> leaves the query unrestricted; <c>ADScope.NoObjectFilter</c> is
/// presumably a filter that matches nothing and is used as the fail-closed choice.
/// </summary>
/// <param name="organizationId">
/// Tenant whose OrganizationalUnit / ConfigurationUnit becomes the root for most scope types. It is not
/// validated here; the Organization, MyGAL, Self, MyDirectReports, MyDistributionGroups, OrganizationConfig
/// and MailboxICanDelegate cases dereference it.
/// </param>
/// <param name="propertyBag">
/// The executing user's object; its Id feeds the Self, MyDirectReports and MyDistributionGroups filters.
/// Only validated when <c>isFromEndUserRole</c> is set.
/// </param>
/// <exception cref="ArgumentNullException">
/// When <c>isFromEndUserRole</c> is set and <paramref name="propertyBag"/> is null.
/// </exception>
internal void PopulateRootAndFilter(OrganizationId organizationId, IReadOnlyPropertyBag propertyBag)
{
    // Already populated: nothing to do.
    if (this.Root != null || this.Filter != null)
    {
        return;
    }
    if (this.isFromEndUserRole && propertyBag == null)
    {
        throw new ArgumentNullException("propertyBag");
    }
    // The Self* pair is computed regardless of scopeType — presumably for callers that need the "me"
    // scope alongside the role scope; confirm against the readers of SelfRoot/SelfFilter.
    if (organizationId != null)
    {
        this.SelfRoot = organizationId.OrganizationalUnit;
    }
    if (propertyBag != null)
    {
        this.SelfFilter = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Id, propertyBag[ADObjectSchema.Id]);
    }
    switch (this.scopeType)
    {
    case ScopeType.None:
        // Explicitly empty scope.
        this.Root = null;
        this.Filter = ADScope.NoObjectFilter;
        return;
    case ScopeType.NotApplicable:
        this.Root = null;
        this.Filter = null;
        return;
    case ScopeType.Organization:
        this.Root = organizationId.OrganizationalUnit;
        this.Filter = null;
        return;
    case ScopeType.MyGAL:
    {
        AddressBookBase globalAddressList = this.GetGlobalAddressList(organizationId);
        this.Root = organizationId.OrganizationalUnit;
        if (globalAddressList == null)
        {
            // No resolvable GAL: fail closed rather than fall back to the whole OU.
            this.Filter = ADScope.NoObjectFilter;
            return;
        }
        this.Filter = new ComparisonFilter(ComparisonOperator.Equal, ADRecipientSchema.AddressListMembership, globalAddressList.Id);
        return;
    }
    case ScopeType.Self:
        this.Root = organizationId.OrganizationalUnit;
        this.Filter = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Id, propertyBag[ADObjectSchema.Id]);
        return;
    case ScopeType.MyDirectReports:
        this.Root = organizationId.OrganizationalUnit;
        this.Filter = new ComparisonFilter(ComparisonOperator.Equal, ADOrgPersonSchema.Manager, propertyBag[ADObjectSchema.Id]);
        return;
    case ScopeType.OU:
        this.Root = this.ouId;
        this.Filter = null;
        return;
    case ScopeType.CustomRecipientScope:
    case ScopeType.CustomConfigScope:
    case ScopeType.PartnerDelegatedTenantScope:
    case ScopeType.ExclusiveRecipientScope:
    case ScopeType.ExclusiveConfigScope:
        // Management-scope-backed types take root and filter verbatim from the stored ManagementScope.
        this.Root = this.managementScope.RecipientRoot;
        this.Filter = this.managementScope.QueryFilter;
        return;
    case ScopeType.MyDistributionGroups:
    {
        this.Root = organizationId.OrganizationalUnit;
        // A group is in scope when the user is its ManagedBy or CoManagedBy, or — evaluated in-process per
        // returned object — the ADGroup reports the executing user as an owner.
        QueryFilter[] array = new QueryFilter[3];
        array[0] = new ComparisonFilter(ComparisonOperator.Equal, ADGroupSchema.ManagedBy, propertyBag[ADObjectSchema.Id]);
        array[1] = new ComparisonFilter(ComparisonOperator.Equal, ADGroupSchema.CoManagedBy, propertyBag[ADObjectSchema.Id]);
        array[2] = new CSharpFilter<IReadOnlyPropertyBag>(delegate(IReadOnlyPropertyBag obj)
        {
            ADGroup adgroup = obj as ADGroup;
            return (adgroup != null && adgroup.IsExecutingUserGroupOwner);
        });
        this.Filter = new OrFilter(array);
        return;
    }
    case ScopeType.MyExecutive:
        // NOTE(review): this leaves Root and Filter both null, exactly as NotApplicable does, and because
        // both stay null the "already populated" guard at the top will not short-circuit a later call.
        // If MyExecutive is intentionally handled elsewhere, say so here; otherwise the fail-closed
        // default below looks like the safer choice — confirm with the callers.
        break;
    case ScopeType.OrganizationConfig:
        this.Root = organizationId.ConfigurationUnit;
        this.Filter = null;
        return;
    case ScopeType.MailboxICanDelegate:
    {
        this.Root = organizationId.OrganizationalUnit;
        QueryFilter[] array2 = new QueryFilter[2];
        // Either the caller's SID is the mailbox's linked master account ...
        array2[0] = new ComparisonFilter(ComparisonOperator.Equal, ADRecipientSchema.MasterAccountSid, this.securityAccessToken.UserSid);
        // ... or the caller holds WriteProp on the Personal-Information property set of the object's own
        // security descriptor. Evaluated in-process per candidate object; the delegate captures
        // this.securityAccessToken and builds a fresh Authz context for every object it examines.
        array2[1] = new CSharpFilter<IReadOnlyPropertyBag>(delegate(IReadOnlyPropertyBag obj)
        {
            RawSecurityDescriptor rawSecurityDescriptor = ((ADObject)obj).ReadSecurityDescriptor();
            if (rawSecurityDescriptor != null)
            {
                using (AuthzContextHandle authzContext = AuthzAuthorization.GetAuthzContext(new SecurityIdentifier(this.securityAccessToken.UserSid), false))
                {
                    bool[] array3 = AuthzAuthorization.CheckExtendedRights(authzContext, rawSecurityDescriptor, new Guid[] { WellKnownGuid.PersonalInfoPropSetGuid }, null, AccessMask.WriteProp);
                    return (array3[0]);
                }
                // Unreachable: the using block above always returns (decompiler artifact).
                return (false);
            }
            // No readable descriptor: deny.
            return (false);
        });
        this.Filter = new OrFilter(array2);
        return;
    }
    default:
        // Unknown scope type: fail closed.
        this.Root = null;
        this.Filter = ADScope.NoObjectFilter;
        break;
    }
}
/// <summary>
/// Validates the DACL of every DKM object against the expected per-identity rights and records each
/// discrepancy in <paramref name="detailStatus"/>. Three kinds of finding are reported per object: an
/// identity outside <paramref name="expectedAccessRights"/> that is granted anything at all, an expected
/// identity whose effective (MaximumAllowed) rights differ from the expected value, and an expected
/// identity with no ACE on the object. Evaluation continues past failures so the report is complete.
/// </summary>
/// <param name="dkmObjects">The DKM objects to inspect.</param>
/// <param name="session">Session used to read each object's security descriptor.</param>
/// <param name="expectedAccessRights">Identity to exact rights the DACL must grant; any other grant is a finding.</param>
/// <param name="detailStatus">Receives a human-readable description of every finding.</param>
/// <returns><c>true</c> only when every object could be read and matched the expectations exactly.</returns>
private static bool CheckPermissionsOnDkmObjects(IEnumerable<ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary<SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
{
    bool allMatch = true;
    foreach (ADRawEntry entry in dkmObjects)
    {
        string dn = entry.Id.DistinguishedName;
        RawSecurityDescriptor rawDescriptor;
        ActiveDirectorySecurity security = PermissionTaskHelper.ReadAdSecurityDescriptor(entry, session, null, out rawDescriptor);
        if (security == null)
        {
            allMatch = false;
            detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", dn);
            continue;
        }

        StringBuilder findings = new StringBuilder();
        findings.AppendFormat("Object DN: {0}\r\n", dn).AppendLine();
        bool hasFindings = false;

        // Effective rights of each expected identity, gathered while walking explicit and inherited ACEs.
        Dictionary<SecurityIdentifier, ActiveDirectoryRights> observedRights = new Dictionary<SecurityIdentifier, ActiveDirectoryRights>();
        foreach (ActiveDirectoryAccessRule rule in security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            SecurityIdentifier identity = (SecurityIdentifier)rule.IdentityReference;
            try
            {
                // One Authz evaluation per ACE identity: what is the most this identity could be granted?
                int granted = AuthzAuthorization.CheckGenericPermission(identity, rawDescriptor, AccessMask.MaximumAllowed);
                if (expectedAccessRights.ContainsKey(identity))
                {
                    observedRights[identity] = (ActiveDirectoryRights)granted;
                }
                else if (granted != 0)
                {
                    findings.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(identity.ToString()), (ActiveDirectoryRights)granted);
                    hasFindings = true;
                }
            }
            catch (Win32Exception ex)
            {
                findings.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(identity.ToString()), ex.Message, ex.ErrorCode);
                hasFindings = true;
            }
        }

        // Compare what was observed against what is expected; whatever is left in the copy never appeared.
        Dictionary<SecurityIdentifier, ActiveDirectoryRights> notYetSeen = new Dictionary<SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
        foreach (KeyValuePair<SecurityIdentifier, ActiveDirectoryRights> observed in observedRights)
        {
            ActiveDirectoryRights wanted = notYetSeen[observed.Key];
            if (wanted != observed.Value)
            {
                findings.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(observed.Key.ToString()), wanted, observed.Value);
                hasFindings = true;
            }
            notYetSeen.Remove(observed.Key);
        }
        foreach (KeyValuePair<SecurityIdentifier, ActiveDirectoryRights> missing in notYetSeen)
        {
            findings.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(missing.Key.ToString()), missing.Value);
            hasFindings = true;
        }

        if (hasFindings)
        {
            allMatch = false;
            detailStatus.AppendLine(findings.ToString());
        }
    }
    return allMatch;
}