internal static void AddGroupMailboxAccessSid(ClientSecurityContext clientSecurityContext, Guid groupMailboxGuid, UnifiedGroupMemberType memberType) { ArgumentValidator.ThrowIfInvalidValue <UnifiedGroupMemberType>("memberType", memberType, (UnifiedGroupMemberType x) => memberType != UnifiedGroupMemberType.Unknown || memberType != UnifiedGroupMemberType.None); SecurityIdentity.GroupMailboxMemberType groupMailboxMemberType = (memberType == UnifiedGroupMemberType.Member) ? SecurityIdentity.GroupMailboxMemberType.Member : SecurityIdentity.GroupMailboxMemberType.Owner; if (!clientSecurityContext.AddGroupSids(GroupMailboxAuthorizationHandler.GetGroupMailboxSidBinaryAndAttributes(groupMailboxGuid, groupMailboxMemberType))) { GroupMailboxAuthorizationHandler.Tracer.TraceError <SecurityIdentifier, Guid, uint>(0L, "GroupMailboxAccess: Unable to add well known group sid to user {0} for the mailbox = {1}...Error = {2}", clientSecurityContext.UserSid, groupMailboxGuid, NativeMethods.GetLastError()); return; } GroupMailboxAuthorizationHandler.Tracer.TraceDebug <SecurityIdentifier, Guid>(0L, "GroupMailboxAccess: Successfully munged the token of the user {0} for the mailbox = {1}", clientSecurityContext.UserSid, groupMailboxGuid); }
private bool UpdateAccessTokenIfNeeded(Uri sharepointUrl, ExchangePrincipal siteMailbox, ICredentials accessingUserCredential, ClientSecurityContext accessingUserSecurityContext, int sessionHashCode, out Exception exception, bool isTest = false) { exception = null; if (siteMailbox == null) { throw new ArgumentNullException("siteMailbox"); } if (accessingUserSecurityContext == null) { throw new ArgumentNullException("accessingUserSecurityContext"); } if (sharepointUrl == null) { ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceDebug <string>((long)sessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Skip site mailbox {0} because its Sharepoint URL is null", siteMailbox.MailboxInfo.PrimarySmtpAddress.ToString()); return(false); } ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceDebug <ClientSecurityContext, string, string>((long)sessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Entered with user {0}, site mailbox {1}, URL {2}", accessingUserSecurityContext, siteMailbox.MailboxInfo.PrimarySmtpAddress.ToString(), sharepointUrl.AbsoluteUri); LoggingContext loggingContext = new LoggingContext(siteMailbox.MailboxInfo.MailboxGuid, sharepointUrl.AbsoluteUri, accessingUserSecurityContext.ToString(), null); AccessState accessState = AccessState.Denied; bool flag = false; SharepointAccessManager.Key key = this.GetKey(accessingUserSecurityContext.UserSid, siteMailbox.MailboxInfo.MailboxGuid); if (!SharepointAccessManager.Instance.TryGetValue(key, out accessState)) { flag = true; ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceDebug((long)sessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Cache miss, query Sharepoint"); SharepointAccessManager.PermissionCheckerClient permissionCheckerClient = new SharepointAccessManager.PermissionCheckerClient(sessionHashCode, siteMailbox.MailboxInfo.MailboxGuid, sharepointUrl.AbsoluteUri, accessingUserSecurityContext.UserSid, key, accessingUserCredential, this.requestTimeout, this.requestThroughLocalProxy, isTest); LazyAsyncResult lazyAsyncResult = (LazyAsyncResult)permissionCheckerClient.BeginExecute(new AsyncCallback(SharepointAccessManager.OnCheckComplete), permissionCheckerClient); int num = (int)this.synchronousWaitTimeout.TotalSeconds * 2; int num2 = 0; while (!lazyAsyncResult.IsCompleted || lazyAsyncResult.Result == null) { Thread.Sleep(500); num2++; if (num2 > num) { break; } } object result = lazyAsyncResult.Result; if (!(result is AccessState)) { exception = ((lazyAsyncResult.Result is Exception) ? (lazyAsyncResult.Result as Exception) : new TimeoutException("Timed out")); WebException ex = exception as WebException; if (ex != null) { SharePointException exception2 = new SharePointException(sharepointUrl.AbsoluteUri, ex, false); ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceError <WebExceptionStatus, string, Exception>((long)permissionCheckerClient.SessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Query failed with WebException. Status: {0}, Message: {1}, InnerException: {2}", ex.Status, ex.Message, ex.InnerException); ProtocolLog.LogError(ProtocolLog.Component.SharepointAccessManager, loggingContext, "Query failed with SharePointException", exception2); } else { ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceError <Type, string, Exception>((long)permissionCheckerClient.SessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Query failed with {0}, Message: {1}, InnerException: {2}", exception.GetType(), exception.Message, exception.InnerException); ProtocolLog.LogError(ProtocolLog.Component.SharepointAccessManager, loggingContext, string.Format("Query failed with {0}", exception.GetType()), exception); } return(false); } accessState = (AccessState)result; } else if (accessState == AccessState.Pending) { ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceDebug((long)sessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Skip because there is an pending request"); return(true); } if (accessState == AccessState.Allowed) { if (!accessingUserSecurityContext.AddGroupSids(new SidBinaryAndAttributes[] { new SidBinaryAndAttributes(WellKnownSids.SiteMailboxGrantedAccessMembers, 4U) })) { ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceError((long)sessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Failed to add SiteMailboxGrantedAccessMembers group sid to access token"); return(false); } ExTraceGlobals.SiteMailboxPermissionCheckTracer.TraceDebug <ClientSecurityContext, string, string>((long)sessionHashCode, "SharepointAccessManager.UpdateAccessTokenIfNeeded: Access is allowed for user {0}, site mailbox {1}, URL {2}", accessingUserSecurityContext, siteMailbox.MailboxInfo.PrimarySmtpAddress.ToString(), sharepointUrl.AbsoluteUri); if (flag) { ProtocolLog.LogInformation(ProtocolLog.Component.SharepointAccessManager, loggingContext, string.Format("Allow access for site mailbox {0}, URL {1}", siteMailbox.MailboxInfo.PrimarySmtpAddress.ToString(), sharepointUrl)); } } else if (flag) { ProtocolLog.LogInformation(ProtocolLog.Component.SharepointAccessManager, loggingContext, string.Format("Deny access for site mailbox {0}, URL {1}", siteMailbox.MailboxInfo.PrimarySmtpAddress.ToString(), sharepointUrl)); } return(true); }