public IEnumerable <AcePermissionRecipientRow> ResolveSecurityPrincipalId(IEnumerable <SecurityPrincipalIdParameter> sidPrincipalId)
{
if (sidPrincipalId != null && sidPrincipalId.Any <SecurityPrincipalIdParameter>())
{
IRecipientSession recipientSession = (IRecipientSession)this.CreateAdSession();
List <AcePermissionRecipientRow> list = new List <AcePermissionRecipientRow>();
foreach (SecurityPrincipalIdParameter securityPrincipalIdParameter in sidPrincipalId)
{
SecurityIdentifier securityIdentifier = securityPrincipalIdParameter.SecurityIdentifier;
if (!securityIdentifier.IsWellKnown(WellKnownSidType.SelfSid))
{
MiniRecipient miniRecipient = recipientSession.FindMiniRecipientBySid <MiniRecipient>(securityIdentifier, AcePermissionRecipientRow.Properties.AsEnumerable <PropertyDefinition>());
if (miniRecipient != null)
{
Identity identity;
if (miniRecipient.MasterAccountSid == securityIdentifier)
{
identity = new Identity(miniRecipient.Guid.ToString(), securityPrincipalIdParameter.ToString());
}
else
{
identity = new Identity(miniRecipient.Guid.ToString(), string.IsNullOrEmpty(miniRecipient.DisplayName) ? miniRecipient.Name : miniRecipient.DisplayName);
}
list.Add(new AcePermissionRecipientRow(identity));
}
}
}
return(list);
}
return(new List <AcePermissionRecipientRow>());
}
internal override IThrottlingPolicy InternalLookup()
{
IRecipientSession session = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(true, ConsistencyMode.PartiallyConsistent, this.SessionSettings, 201, "InternalLookup", "f:\\15.00.1497\\sources\\dev\\data\\src\\directory\\throttling\\SidBudgetKey.cs");
return(base.ADRetryLookup(delegate
{
MiniRecipient recipient = session.FindMiniRecipientBySid <MiniRecipient>(this.Sid, null);
return this.GetPolicyForRecipient(recipient);
}));
}
public OWAMiniRecipient CreateOWAMiniRecipientBySid()
{
IRecipientSession recipientSession = Utilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, this.DomainName);
OWAMiniRecipient owaminiRecipient = recipientSession.FindMiniRecipientBySid <OWAMiniRecipient>(this.UserSid, OWAMiniRecipientSchema.AdditionalProperties);
this.LastRecipientSessionDCServerName = recipientSession.LastUsedDc;
if (owaminiRecipient == null)
{
throw new OwaADObjectNotFoundException();
}
return(owaminiRecipient);
}
private static MiniRecipient FindMiniRecipientBySid(ADSessionSettings sessionSettings, SecurityIdentifier sid)
{
IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(true, ConsistencyMode.PartiallyConsistent, sessionSettings, 303, "FindMiniRecipientBySid", "f:\\15.00.1497\\sources\\dev\\DoMT\\src\\Service\\NspiPrincipal.cs");
try
{
return(tenantOrRootOrgRecipientSession.FindMiniRecipientBySid <MiniRecipient>(sid, null));
}
catch (NonUniqueRecipientException)
{
}
catch (ObjectNotFoundException)
{
}
return(null);
}
internal static ADRawEntry FindUserEntry(SecurityIdentifier userSid, WindowsIdentity windowsIdentity, SerializedIdentity serializedIdentity, PartitionId partitionId)
{
ADRawEntry result;
using (new MonitoredScope("FindUserEntry", "FindUserEntry", AuthZLogHelper.AuthZPerfMonitors))
{
ADSessionSettings sessionSettings;
if (partitionId != null)
{
sessionSettings = ADSessionSettings.FromAllTenantsPartitionId(partitionId);
}
else
{
sessionSettings = ADSessionSettings.FromRootOrgScopeSet();
}
IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, sessionSettings, 817, "FindUserEntry", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\rbac\\ExchangeAuthorizationPlugin.cs");
ADRawEntry adrawEntry = tenantOrRootOrgRecipientSession.FindMiniRecipientBySid <MiniRecipient>(userSid, ExchangeRunspaceConfiguration.userPropertyArray);
if (adrawEntry == null && VariantConfiguration.InvariantNoFlightingSnapshot.CmdletInfra.ServiceAccountForest.Enabled)
{
adrawEntry = PartitionDataAggregator.GetMiniRecipientFromUserId(userSid, ExchangeRunspaceConfiguration.userPropertyArray, ConsistencyMode.IgnoreInvalid);
}
if (adrawEntry == null)
{
ExTraceGlobals.AccessDeniedTracer.TraceWarning <SecurityIdentifier, string>(0L, "EAP.FindUserEntry user {0} could not be found in AD, partitionId: {1}", userSid, (partitionId == null) ? "null" : partitionId.ToString());
adrawEntry = ExchangeRunspaceConfiguration.TryFindComputer(userSid);
}
if (adrawEntry == null && (windowsIdentity != null || serializedIdentity != null))
{
ExTraceGlobals.AccessDeniedTracer.TraceWarning <SecurityIdentifier>(0L, "EAP.FindUserEntry computer {0} could not be found in AD", userSid);
IIdentity identity = (windowsIdentity != null) ? windowsIdentity : serializedIdentity;
ICollection <SecurityIdentifier> groupAccountsSIDs = identity.GetGroupAccountsSIDs();
tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 850, "FindUserEntry", "f:\\15.00.1497\\sources\\dev\\Configuration\\src\\ObjectModel\\rbac\\ExchangeAuthorizationPlugin.cs");
List <ADObjectId> list = null;
if (ExchangeRunspaceConfiguration.TryFindLinkedRoleGroupsBySidList(tenantOrRootOrgRecipientSession, groupAccountsSIDs, identity.Name, out list))
{
adrawEntry = new ADUser
{
RemotePowerShellEnabled = true
};
}
}
result = adrawEntry;
}
return(result);
}
public OWAMiniRecipient CreateOWAMiniRecipientBySid()
{
IRecipientSession recipientSession = (this.UserOrganizationId == null) ? UserContextUtilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, this.DomainName, null) : UserContextUtilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, null, this.UserOrganizationId);
bool flag = false;
bool enabled = VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).OwaServer.OwaClientAccessRulesEnabled.Enabled;
if (enabled)
{
ClientAccessRuleCollection collection = ClientAccessRulesCache.Instance.GetCollection(this.UserOrganizationId ?? OrganizationId.ForestWideOrgId);
flag = (collection.Count > 0);
}
OWAMiniRecipient owaminiRecipient = recipientSession.FindMiniRecipientBySid <OWAMiniRecipient>(this.UserSid, flag ? OWAMiniRecipientSchema.AdditionalPropertiesWithClientAccessRules : OWAMiniRecipientSchema.AdditionalProperties);
if (owaminiRecipient == null)
{
ExTraceGlobals.CoreTracer.TraceDebug <SecurityIdentifier>(0L, "OwaIdentity.CreateOWAMiniRecipientBySid: got null OWAMiniRecipient for Sid: {0}", this.UserSid);
throw new OwaADUserNotFoundException(this.SafeGetRenderableName());
}
return(owaminiRecipient);
}
public static MiniRecipient GetMiniRecipientFromUserId(SecurityIdentifier sid, IEnumerable <PropertyDefinition> properties, ConsistencyMode consistencyMode)
{
MiniRecipient miniRecipient = null;
foreach (PartitionId partitionId in ADAccountPartitionLocator.GetAllAccountPartitionIds())
{
IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(true, consistencyMode, ADSessionSettings.FromAllTenantsPartitionId(partitionId), 249, "GetMiniRecipientFromUserId", "f:\\15.00.1497\\sources\\dev\\data\\src\\directory\\PartitionDataAggregator.cs");
try
{
miniRecipient = tenantOrRootOrgRecipientSession.FindMiniRecipientBySid <MiniRecipient>(sid, properties);
}
catch (NonUniqueRecipientException)
{
}
if (miniRecipient != null)
{
break;
}
}
return(miniRecipient);
}
internal OWAMiniRecipient FixCorruptOWAMiniRecipientCultureEntry()
{
if (ExTraceGlobals.CoreTracer.IsTraceEnabled(TraceType.DebugTrace))
{
ExTraceGlobals.CoreTracer.TraceDebug <string>(0L, "User {0} has corrupt culture, setting client culture to empty", this.SafeGetRenderableName());
}
IRecipientSession recipientSession = Utilities.CreateScopedRecipientSession(true, ConsistencyMode.FullyConsistent, this.DomainName);
ADUser aduser = recipientSession.FindBySid(this.UserSid) as ADUser;
this.LastRecipientSessionDCServerName = recipientSession.LastUsedDc;
if (aduser != null)
{
aduser.Languages = new MultiValuedProperty <CultureInfo>();
if (ExTraceGlobals.CoreTracer.IsTraceEnabled(TraceType.DebugTrace))
{
ExTraceGlobals.CoreTracer.TraceDebug <string>(0L, "Saving culture for User {0}, setting client culture to empty", this.SafeGetRenderableName());
}
recipientSession.Save(aduser);
return(recipientSession.FindMiniRecipientBySid <OWAMiniRecipient>(this.UserSid, OWAMiniRecipientSchema.AdditionalProperties));
}
return(null);
}
internal OWAMiniRecipient FixCorruptOWAMiniRecipientCultureEntry()
{
if (ExTraceGlobals.CoreTracer.IsTraceEnabled(TraceType.DebugTrace))
{
ExTraceGlobals.CoreTracer.TraceDebug <string>(0L, "User {0} has corrupt culture, setting client culture to empty", this.SafeGetRenderableName());
}
IRecipientSession recipientSession = (this.UserOrganizationId == null) ? UserContextUtilities.CreateScopedRecipientSession(false, ConsistencyMode.PartiallyConsistent, this.DomainName, null) : UserContextUtilities.CreateScopedRecipientSession(false, ConsistencyMode.PartiallyConsistent, null, this.UserOrganizationId);
ADUser aduser = recipientSession.FindBySid(this.UserSid) as ADUser;
if (aduser != null)
{
aduser.Languages = new MultiValuedProperty <CultureInfo>();
if (ExTraceGlobals.CoreTracer.IsTraceEnabled(TraceType.DebugTrace))
{
ExTraceGlobals.CoreTracer.TraceDebug <string>(0L, "Saving culture for User {0}, setting client culture to empty", this.SafeGetRenderableName());
}
recipientSession.Save(aduser);
return(recipientSession.FindMiniRecipientBySid <OWAMiniRecipient>(this.UserSid, OWAMiniRecipientSchema.AdditionalProperties));
}
ExTraceGlobals.CoreTracer.TraceDebug <SecurityIdentifier>(0L, "OwaIdentity.FixCorruptOWAMiniRecipientCultureEntry: got null adUser for Sid: {0}", this.UserSid);
return(null);
}
private static List <AclTableEntry> BuildAclTableFromSecurityDescriptor(RawSecurityDescriptor securityDescriptor, RawSecurityDescriptor freeBusySecurityDescriptor, LazilyInitialized <ExternalUserCollection> lazilyInitializedExternalUserCollection, IRecipientSession recipientSession, AclTableIdMap aclTableIdMap, out bool isCanonical, out string canonicalErrorInformation)
{
FolderSecurity.AnnotatedAceList annotatedAceList = new FolderSecurity.AnnotatedAceList(securityDescriptor, freeBusySecurityDescriptor, (SecurityIdentifier securityIdentifier) => AclModifyTable.GetSecurityIdentifierType(recipientSession, securityIdentifier));
isCanonical = annotatedAceList.IsCanonical(out canonicalErrorInformation);
IList <FolderSecurity.SecurityIdentifierAndFolderRights> list;
if (isCanonical)
{
list = annotatedAceList.GetSecurityIdentifierAndRightsList();
}
else
{
ExTraceGlobals.StorageTracer.TraceWarning <string, string>(0L, "Got non canonical SD: {0}, ErrorInfo: ", securityDescriptor.GetSddlForm(AccessControlSections.All), canonicalErrorInformation);
list = Array <FolderSecurity.SecurityIdentifierAndFolderRights> .Empty;
}
List <AclTableEntry> list2 = new List <AclTableEntry>(list.Count + 1);
foreach (FolderSecurity.SecurityIdentifierAndFolderRights securityIdentifierAndFolderRights in list)
{
MemberRights memberRights = (MemberRights)(securityIdentifierAndFolderRights.AllowRights & ~(MemberRights)securityIdentifierAndFolderRights.DenyRights);
bool flag = false;
bool flag2 = false;
byte[] entryId;
string text;
List <SecurityIdentifier> list3;
SecurityIdentifier securityIdentifier;
if (securityIdentifierAndFolderRights.SecurityIdentifier.IsWellKnown(WellKnownSidType.WorldSid))
{
entryId = Array <byte> .Empty;
text = string.Empty;
string legacyDN = string.Empty;
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
flag2 = true;
}
else if (securityIdentifierAndFolderRights.SecurityIdentifier.IsWellKnown(WellKnownSidType.AnonymousSid))
{
entryId = Array <byte> .Empty;
text = "Anonymous";
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
}
else if (ExternalUser.IsExternalUserSid(securityIdentifierAndFolderRights.SecurityIdentifier))
{
ExternalUser externalUser = AclHelper.TryGetExternalUser(securityIdentifierAndFolderRights.SecurityIdentifier, lazilyInitializedExternalUserCollection);
if (externalUser == null)
{
ExTraceGlobals.StorageTracer.TraceWarning <SecurityIdentifier>(0L, "Cannot find external user with SID {0}, build entry from information we have", securityIdentifierAndFolderRights.SecurityIdentifier);
string text2 = AclHelper.CreateLocalUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier);
text = text2;
}
else
{
text = externalUser.Name;
string legacyDN = externalUser.LegacyDn;
}
entryId = AddressBookEntryId.MakeAddressBookEntryIDFromLocalDirectorySid(securityIdentifierAndFolderRights.SecurityIdentifier);
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
}
else
{
MiniRecipient miniRecipient = recipientSession.FindMiniRecipientBySid <MiniRecipient>(securityIdentifierAndFolderRights.SecurityIdentifier, Array <PropertyDefinition> .Empty);
string legacyDN;
if (miniRecipient == null)
{
ExTraceGlobals.StorageTracer.TraceWarning <SecurityIdentifier>(0L, "Cannot find recipient with SID {0}, build entry from the information we have", securityIdentifierAndFolderRights.SecurityIdentifier);
flag = (securityIdentifierAndFolderRights.SecurityIdentifierType == FolderSecurity.SecurityIdentifierType.Group);
string text3 = AclHelper.CreateNTUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier);
text = text3;
legacyDN = text3;
securityIdentifier = securityIdentifierAndFolderRights.SecurityIdentifier;
list3 = null;
}
else
{
flag = AclHelper.IsGroupRecipientType(miniRecipient.RecipientType);
if (string.IsNullOrEmpty(miniRecipient.DisplayName))
{
text = AclHelper.CreateNTUserStrignRepresentation(securityIdentifierAndFolderRights.SecurityIdentifier);
}
else
{
text = miniRecipient.DisplayName;
}
if (string.IsNullOrEmpty(miniRecipient.LegacyExchangeDN))
{
legacyDN = text;
}
else
{
legacyDN = miniRecipient.LegacyExchangeDN;
}
SecurityIdentifier masterAccountSid = miniRecipient.MasterAccountSid;
if (masterAccountSid != null && !masterAccountSid.IsWellKnown(WellKnownSidType.SelfSid))
{
securityIdentifier = masterAccountSid;
list3 = null;
}
else
{
securityIdentifier = miniRecipient.Sid;
MultiValuedProperty <SecurityIdentifier> sidHistory = miniRecipient.SidHistory;
if (sidHistory != null && sidHistory.Count != 0)
{
list3 = new List <SecurityIdentifier>(sidHistory);
}
else
{
list3 = null;
}
}
}
entryId = AddressBookEntryId.MakeAddressBookEntryID(legacyDN, flag);
}
AclTableEntry aclTableEntry = list2.Find((AclTableEntry entry) => entry.SecurityIdentifier == securityIdentifier);
if (aclTableEntry == null && list3 != null)
{
using (List <SecurityIdentifier> .Enumerator enumerator2 = list3.GetEnumerator())
{
while (enumerator2.MoveNext())
{
SecurityIdentifier sid = enumerator2.Current;
aclTableEntry = list2.Find((AclTableEntry entry) => entry.SecurityIdentifier == sid);
if (aclTableEntry != null)
{
break;
}
}
}
}
if (aclTableEntry == null)
{
aclTableEntry = new AclTableEntry(AclModifyTable.GetIdForSecurityIdentifier(securityIdentifier, list3, aclTableIdMap), entryId, text, memberRights);
aclTableEntry.SetSecurityIdentifier(securityIdentifier, flag);
if (flag2)
{
list2.Insert(0, aclTableEntry);
}
else
{
list2.Add(aclTableEntry);
}
}
else
{
aclTableEntry.MemberRights &= memberRights;
if (aclTableEntry.IsGroup != flag)
{
throw new NonCanonicalACLException(annotatedAceList.CreateErrorInformation((LID)35788U, new int[0]));
}
aclTableEntry.SetSecurityIdentifier(securityIdentifier, flag);
}
}
return(list2);
}