Exemplo n.º 1
0
        private static FreeBusyPermissionLevel FromInternalClient(InternalClientContext internalClientContext, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery)
        {
            if (internalClientContext.ClientSecurityContext == null)
            {
                FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress>(0L, "{0}: Caller {1} has no ClientSecurityContext, using default context as 'everyone'.", TraceContext.Get(), freeBusyQuery.Email);
                return(FreeBusyPermission.AccessCheck(securityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext));
            }
            if (!Configuration.UseDisabledAccount || VariantConfiguration.GetSnapshot(MachineSettingsContext.Local, null, null).Global.MultiTenancy.Enabled)
            {
                return(FreeBusyPermission.GetPermissionLevel(internalClientContext.ClientSecurityContext, freeBusyQuery, securityDescriptor));
            }
            FreeBusyPermission.SecurityTracer.TraceDebug <object, InternalClientContext>(0L, "{0}: Creating a munged security context for caller {1}.", TraceContext.Get(), internalClientContext);
            ClientSecurityContext clientSecurityContext = null;

            try
            {
                clientSecurityContext = new SlaveAccountTokenMunger().MungeToken(internalClientContext.ClientSecurityContext, OrganizationId.ForestWideOrgId);
                return(FreeBusyPermission.GetPermissionLevel(clientSecurityContext, freeBusyQuery, securityDescriptor));
            }
            catch (TokenMungingException arg)
            {
                FreeBusyPermission.SecurityTracer.TraceError <object, InternalClientContext, TokenMungingException>(0L, "{0}: Unable to get the munged token for Caller {1}, error {2}, using the client context supplied.", TraceContext.Get(), internalClientContext, arg);
            }
            finally
            {
                if (clientSecurityContext != null)
                {
                    clientSecurityContext.Dispose();
                }
            }
            return(FreeBusyPermission.GetPermissionLevel(internalClientContext.ClientSecurityContext, freeBusyQuery, securityDescriptor));
        }
Exemplo n.º 2
0
        public static FreeBusyPermissionLevel DetermineAllowedAccess(ClientContext clientContext, MailboxSession session, CalendarFolder calendarFolder, FreeBusyQuery freeBusyQuery, bool defaultFreeBusyOnly)
        {
            RawSecurityDescriptor rawSecurityDescriptor = calendarFolder.TryGetProperty(CalendarFolderSchema.FreeBusySecurityDescriptor) as RawSecurityDescriptor;

            if (rawSecurityDescriptor == null)
            {
                FreeBusyPermission.SecurityTracer.TraceDebug <object, CalendarFolder>(0L, "{0}: Unable to retrieve FreeBusySecurityDescriptor from folder {1}. Using None as permission level.", TraceContext.Get(), calendarFolder);
                return(FreeBusyPermissionLevel.None);
            }
            if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace))
            {
                string sddlForm = rawSecurityDescriptor.GetSddlForm(AccessControlSections.All);
                FreeBusyPermission.SecurityTracer.TraceDebug <object, EmailAddress, string>(0L, "{0}: The SDDL form of calendar folder security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddlForm);
            }
            if (defaultFreeBusyOnly)
            {
                FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Using DefaultClientSecurityContext because of defaultFreeBusyOnly is set.", new object[]
                {
                    TraceContext.Get()
                });
                return(FreeBusyPermission.AccessCheck(rawSecurityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext));
            }
            InternalClientContext internalClientContext = clientContext as InternalClientContext;

            if (internalClientContext != null)
            {
                return(FreeBusyPermission.FromInternalClient(internalClientContext, rawSecurityDescriptor, freeBusyQuery));
            }
            ExternalClientContext externalClientContext = clientContext as ExternalClientContext;

            return(FreeBusyPermission.FromExternalClient(externalClientContext, session, rawSecurityDescriptor, freeBusyQuery));
        }
Exemplo n.º 3
0
 private static FreeBusyPermissionLevel GetPermissionLevel(ClientSecurityContext clientSecurityContext, FreeBusyQuery freeBusyQuery, RawSecurityDescriptor securityDescriptor)
 {
     if (FreeBusyPermission.CallerHasFullPermission(clientSecurityContext, freeBusyQuery))
     {
         FreeBusyPermission.SecurityTracer.TraceDebug <object, ClientSecurityContext, EmailAddress>(0L, "{0}: Caller {1} has owner access on mailbox {2}.", TraceContext.Get(), clientSecurityContext, freeBusyQuery.Email);
         return(FreeBusyPermissionLevel.Owner);
     }
     return(FreeBusyPermission.AccessCheck(securityDescriptor, clientSecurityContext));
 }
Exemplo n.º 4
0
        private static FreeBusyPermissionLevel FromExternalClientWithOrganizationalRelationship(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery)
        {
            OrganizationRelationship organizationRelationship = FreeBusyPermission.GetOrganizationRelationship(mailboxSession.MailboxOwner.MailboxInfo.OrganizationId, externalClientContext.EmailAddress.Domain);

            if (organizationRelationship == null)
            {
                FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, string>(0L, "{0}: No organization relationship for {1} with organization id {2}", TraceContext.Get(), externalClientContext.EmailAddress, (mailboxSession.MailboxOwner.MailboxInfo.OrganizationId == null) ? "<null>" : mailboxSession.MailboxOwner.MailboxInfo.OrganizationId.ToString());
                return(FreeBusyPermissionLevel.None);
            }
            FreeBusyPermissionLevel freeBusyPermissionLevel = FreeBusyPermissionLevel.Detail;

            if (organizationRelationship != null)
            {
                freeBusyPermissionLevel = FreeBusyPermission.GetMaximumFreeBusyPermissionLevel(organizationRelationship);
                if (freeBusyPermissionLevel == FreeBusyPermissionLevel.None)
                {
                    FreeBusyPermission.SecurityTracer.TraceDebug <object, ADObjectId>(0L, "{0}: OrganizationRelationship {1} restricts permission level to None.", TraceContext.Get(), organizationRelationship.Id);
                    return(FreeBusyPermissionLevel.None);
                }
            }
            FreeBusyPermissionLevel freeBusyPermissionLevel2 = FreeBusyPermission.AccessCheck(securityDescriptor, ClientSecurityContext.FreeBusyPermissionDefaultClientSecurityContext);

            if (freeBusyPermissionLevel2 == FreeBusyPermissionLevel.None)
            {
                return(FreeBusyPermissionLevel.None);
            }
            if (freeBusyPermissionLevel2 > freeBusyPermissionLevel)
            {
                FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: OrganizationRelationship {1} restricts permission level to {2}. Lowering permission from {3}.", new object[]
                {
                    TraceContext.Get(),
                    organizationRelationship.Id,
                    freeBusyPermissionLevel,
                    freeBusyPermissionLevel2
                });
                freeBusyPermissionLevel2 = freeBusyPermissionLevel;
            }
            if (!FreeBusyPermission.IsAllowedByFreeBusyAccessScope(freeBusyQuery, organizationRelationship))
            {
                freeBusyPermissionLevel2 = FreeBusyPermissionLevel.None;
            }
            return(freeBusyPermissionLevel2);
        }
Exemplo n.º 5
0
        private static FreeBusyPermissionLevel FromExternalClientWithPersonalRelationship(ExternalClientContext externalClientContext, MailboxSession mailboxSession, RawSecurityDescriptor securityDescriptor, FreeBusyQuery freeBusyQuery)
        {
            string externalIdentity = FreeBusyPermission.GetExternalIdentity(externalClientContext, mailboxSession);

            if (externalIdentity == null)
            {
                FreeBusyPermission.SecurityTracer.TraceDebug <object, SmtpAddress, IExchangePrincipal>(0L, "{0}: No external identity for {1} in mailbox {2}.", TraceContext.Get(), externalClientContext.EmailAddress, mailboxSession.MailboxOwner);
                return(FreeBusyPermissionLevel.None);
            }
            ISecurityAccessToken securityAccessToken = new SecurityAccessToken
            {
                UserSid   = externalIdentity,
                GroupSids = ClientSecurityContext.DisabledEveryoneOnlySidStringAndAttributesArray
            };
            FreeBusyPermissionLevel result;

            using (ClientSecurityContext clientSecurityContext = new ClientSecurityContext(securityAccessToken, AuthzFlags.AuthzSkipTokenGroups))
            {
                result = FreeBusyPermission.AccessCheck(securityDescriptor, clientSecurityContext);
            }
            return(result);
        }