internal RoleAssignmentScopeSet GetEffectiveScopeSet(Dictionary <ADObjectId, ManagementScope> scopeCache, ISecurityAccessToken securityAccessToken) { RbacScope recipientReadScope = (this.RecipientReadScope == ScopeType.MyGAL) ? new RbacScope(this.RecipientReadScope, securityAccessToken) : new RbacScope(this.RecipientReadScope); RbacScope recipientWriteRbacScope = ExchangeRoleAssignment.GetRecipientWriteRbacScope(this.RecipientWriteScope, this.CustomRecipientWriteScope, scopeCache, securityAccessToken, this.IsFromEndUserRole); if (recipientWriteRbacScope == null) { return(null); } RbacScope configReadScope = new RbacScope(this.ConfigReadScope); ConfigWriteScopeType configWriteScope = this.ConfigWriteScope; RbacScope configWriteScope2; switch (configWriteScope) { case ConfigWriteScopeType.None: break; case ConfigWriteScopeType.NotApplicable: configWriteScope2 = new RbacScope(ScopeType.NotApplicable); goto IL_E0; default: switch (configWriteScope) { case ConfigWriteScopeType.OrganizationConfig: goto IL_85; case ConfigWriteScopeType.CustomConfigScope: case ConfigWriteScopeType.ExclusiveConfigScope: { ManagementScope managementScope = scopeCache[this.CustomConfigWriteScope]; if (managementScope == null) { return(null); } configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope, managementScope); goto IL_E0; } case ConfigWriteScopeType.PartnerDelegatedTenantScope: if (scopeCache[this.CustomConfigWriteScope] == null) { return(null); } configWriteScope2 = new RbacScope(ScopeType.OrganizationConfig); goto IL_E0; } configWriteScope2 = null; goto IL_E0; } IL_85: configWriteScope2 = new RbacScope((ScopeType)this.ConfigWriteScope); IL_E0: return(new RoleAssignmentScopeSet(recipientReadScope, recipientWriteRbacScope, configReadScope, configWriteScope2)); }
internal static ExchangeRoleAssignment FindOneWithMaximumWriteScope(IList <ExchangeRoleAssignment> roleAssignments, IDictionary <ADObjectId, ManagementScope> scopeCache, bool compareRecipientWriteScope, out LocalizedString notFoundReason) { ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10002L, "-->FindOneWithMaximumWriteScope: compareRecipientWriteScope = {0}", compareRecipientWriteScope); notFoundReason = LocalizedString.Empty; if (roleAssignments == null || roleAssignments.Count == 0) { ExTraceGlobals.AccessCheckTracer.TraceError(10002L, "FindOneWithMaximumWriteScope: there is not any role assignment to be worked against, we return NULL here."); return(null); } ExTraceGlobals.AccessCheckTracer.TraceDebug(10002L, "FindOneWithMaximumWriteScope: Going through all the role assignments and find the assignment with maximum recipient or config scope"); ExchangeRoleAssignment exchangeRoleAssignment = roleAssignments[0]; for (int i = 1; i < roleAssignments.Count; i++) { LocalizedString localizedString; if (compareRecipientWriteScope) { if (exchangeRoleAssignment.IsRecipientWriteScopeSmallerOrEqualThan(roleAssignments[i], scopeCache, out localizedString)) { exchangeRoleAssignment = roleAssignments[i]; } } else if (exchangeRoleAssignment.IsConfigWriteScopeSmallerOrEqualThan(roleAssignments[i], scopeCache, out localizedString)) { exchangeRoleAssignment = roleAssignments[i]; } } ExTraceGlobals.AccessCheckTracer.TraceDebug <ADObjectId>(10002L, "FindOneWithMaximumWriteScope: The temporary role assignment we found with maximum recipient or config scope is {0}.", exchangeRoleAssignment.Id); ExTraceGlobals.AccessCheckTracer.TraceDebug(10002L, "FindOneWithMaximumWriteScope: Re-iterate the whole array to make sure it is really the assignment with maximum recipient or config scope"); for (int j = 1; j < roleAssignments.Count; j++) { LocalizedString value; if (compareRecipientWriteScope) { if (!roleAssignments[j].IsRecipientWriteScopeSmallerOrEqualThan(exchangeRoleAssignment, scopeCache, out value)) { ExTraceGlobals.AccessCheckTracer.TraceError <ADObjectId, ADObjectId>(10002L, "FindOneWithMaximumWriteScope: role assignment {0} has conflicting recipient write scope with {1}.", exchangeRoleAssignment.Id, roleAssignments[j].Id); notFoundReason = DirectoryStrings.AssignmentsWithConflictingScope(exchangeRoleAssignment.Id.ToString(), roleAssignments[j].Id.ToString(), value); return(null); } } else if (!roleAssignments[j].IsConfigWriteScopeSmallerOrEqualThan(exchangeRoleAssignment, scopeCache, out value)) { ExTraceGlobals.AccessCheckTracer.TraceError <ADObjectId, ADObjectId>(10002L, "FindOneWithMaximumWriteScope: role assignment {0} has conflicting config write scope with {1}.", exchangeRoleAssignment.Id, roleAssignments[j].Id); notFoundReason = DirectoryStrings.AssignmentsWithConflictingScope(exchangeRoleAssignment.Id.ToString(), roleAssignments[j].Id.ToString(), value); return(null); } } ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId>(10002L, "<--FindOneWithMaximumWriteScope: returns {0}.", exchangeRoleAssignment.Id); return(exchangeRoleAssignment); }
internal void PopulateRoles(Result <ExchangeRoleAssignment>[] roleAssignmentResults) { if (roleAssignmentResults != null) { foreach (Result <ExchangeRoleAssignment> result in roleAssignmentResults) { ExchangeRoleAssignment data = result.Data; this.RoleAssignments.Add(data.Id); if (data.Role != null && !this.AssignedRoles.Contains(data.Role)) { this.AssignedRoles.Add(data.Role); } } } }
internal static RoleAssigneeType RoleAssigneeTypeFromADRecipient(ADRecipient recipient) { if (recipient is ADGroup) { RoleGroupType roleGroupType = ((ADGroup)recipient).RoleGroupType; if (roleGroupType == RoleGroupType.Linked) { return(RoleAssigneeType.LinkedRoleGroup); } if (roleGroupType == RoleGroupType.PartnerLinked) { return(RoleAssigneeType.PartnerLinkedRoleGroup); } } return(ExchangeRoleAssignment.RoleAssigneeTypeFromRecipientTypeDetails(recipient.RecipientTypeDetails)); }
private bool IsDelegationLevelSmallerOrEqual(ExchangeRoleAssignment roleAssignment, out LocalizedString notTrueReason, bool isRecipientScope) { notTrueReason = LocalizedString.Empty; if ((this.RoleAssignmentDelegationType == RoleAssignmentDelegationType.DelegatingOrgWide && roleAssignment.RoleAssignmentDelegationType != RoleAssignmentDelegationType.DelegatingOrgWide) || (this.RoleAssignmentDelegationType == RoleAssignmentDelegationType.Delegating && roleAssignment.RoleAssignmentDelegationType == RoleAssignmentDelegationType.Regular)) { ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "this instance has the same write scope as the other role assignment, but it has a larger delegating scope"); if (isRecipientScope) { notTrueReason = DirectoryStrings.RecipientWriteScopeNotLessThanBecauseOfDelegationFlags(this.RoleAssignmentDelegationType.ToString(), roleAssignment.RoleAssignmentDelegationType.ToString()); } else { notTrueReason = DirectoryStrings.ConfigWriteScopeNotLessThanBecauseOfDelegationFlags(this.RoleAssignmentDelegationType.ToString(), roleAssignment.RoleAssignmentDelegationType.ToString()); } return(false); } ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "this instance has exactly the same write scope as the other role assignment and smaller or equal delegation scope"); return(true); }
internal bool IsConfigWriteScopeSmallerOrEqualThan(ExchangeRoleAssignment roleAssignment, IDictionary <ADObjectId, ManagementScope> scopeCache, out LocalizedString notTrueReason) { if (roleAssignment == null) { throw new ArgumentNullException("roleAssignment"); } ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId, ADObjectId, int>(10001L, "-->IsConfigReadScopeSmallerOrEqualThan: this = {0}, other = {1} (scopeCache Count = {2})", base.Id, roleAssignment.Id, (scopeCache == null) ? 0 : scopeCache.Count); notTrueReason = LocalizedString.Empty; if (roleAssignment.ConfigWriteScope == this.ConfigWriteScope && ADObjectId.Equals(roleAssignment.CustomConfigWriteScope, this.CustomConfigWriteScope)) { return(this.IsDelegationLevelSmallerOrEqual(roleAssignment, out notTrueReason, false)); } if (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig) { ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "the other role assignment has the biggest config scope: ConfigWriteScopeType.OrganizationConfig"); return(true); } ExTraceGlobals.AccessCheckTracer.TraceDebug(10001L, "IsConfigWriteScopeSmallerOrEqualThan: this instance has config write scope '{0}' with link '{1}', other has type '{2}' with link '{3}'.", new object[] { this.ConfigWriteScope, (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(), roleAssignment.ConfigWriteScope, (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString() }); ConfigWriteScopeType configWriteScope = this.ConfigWriteScope; bool flag; switch (configWriteScope) { case ConfigWriteScopeType.None: flag = (roleAssignment.ConfigWriteScope != ConfigWriteScopeType.NotApplicable); break; case ConfigWriteScopeType.NotApplicable: flag = true; break; default: switch (configWriteScope) { case ConfigWriteScopeType.OrganizationConfig: flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig); goto IL_27C; case ConfigWriteScopeType.CustomConfigScope: case ConfigWriteScopeType.ExclusiveConfigScope: if (roleAssignment.ConfigWriteScope != this.ConfigWriteScope) { flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig); goto IL_27C; } if (scopeCache != null && this.CustomConfigWriteScope != null && roleAssignment.CustomConfigWriteScope != null && scopeCache.ContainsKey(this.CustomConfigWriteScope) && scopeCache.ContainsKey(roleAssignment.CustomConfigWriteScope) && scopeCache[this.CustomConfigWriteScope] != null && scopeCache[roleAssignment.CustomConfigWriteScope] != null) { flag = scopeCache[this.CustomConfigWriteScope].IsScopeSmallerOrEqualThan(scopeCache[roleAssignment.CustomConfigWriteScope], out notTrueReason); goto IL_27C; } ExTraceGlobals.AccessCheckTracer.TraceError <string, string>(10000L, "IsConfigWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' or '{1}' within the scope cache or either of their values are $null.", (this.CustomConfigWriteScope == null) ? "null" : this.CustomConfigWriteScope.ToString(), (roleAssignment.CustomConfigWriteScope == null) ? "null" : roleAssignment.CustomConfigWriteScope.ToString()); notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString()); flag = false; goto IL_27C; case ConfigWriteScopeType.PartnerDelegatedTenantScope: flag = (roleAssignment.ConfigWriteScope == ConfigWriteScopeType.OrganizationConfig || roleAssignment.ConfigWriteScope == ConfigWriteScopeType.CustomConfigScope); goto IL_27C; } flag = false; break; } IL_27C: if (!flag && LocalizedString.Empty == notTrueReason) { notTrueReason = DirectoryStrings.ConfigScopeNotLessThan(this.ConfigWriteScope.ToString(), roleAssignment.ConfigWriteScope.ToString()); } ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10001L, "<--IsConfigWriteScopeSmallerOrEqualThan: returns {0}", flag); return(flag); }
internal bool IsRecipientWriteScopeSmallerOrEqualThan(ExchangeRoleAssignment roleAssignment, IDictionary <ADObjectId, ManagementScope> scopeCache, out LocalizedString notTrueReason) { if (roleAssignment == null) { throw new ArgumentNullException("roleAssignment"); } ExTraceGlobals.AccessCheckTracer.TraceFunction <ADObjectId, ADObjectId, int>(10000L, "-->IsRecipientWriteScopeSmallerOrEqualThan: this = {0}, other = {1} (scopeCache Count = {2})", base.Id, roleAssignment.Id, (scopeCache == null) ? 0 : scopeCache.Count); notTrueReason = LocalizedString.Empty; if (roleAssignment.RecipientWriteScope == this.RecipientWriteScope && ADObjectId.Equals(roleAssignment.CustomRecipientWriteScope, this.CustomRecipientWriteScope)) { return(this.IsDelegationLevelSmallerOrEqual(roleAssignment, out notTrueReason, true)); } ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: this instance has domain write restriction type '{0}' with link '{1}', other has type '{2}' with link '{3}'.", new object[] { this.RecipientWriteScope, (this.CustomRecipientWriteScope == null) ? "null" : this.CustomRecipientWriteScope.ToString(), roleAssignment.RecipientWriteScope, (roleAssignment.CustomRecipientWriteScope == null) ? "null" : roleAssignment.CustomRecipientWriteScope.ToString() }); if (this.CustomRecipientWriteScope == null && (this.RecipientWriteScope == RecipientWriteScopeType.OU || this.RecipientWriteScope == RecipientWriteScopeType.CustomRecipientScope || this.RecipientWriteScope == RecipientWriteScopeType.ExclusiveRecipientScope)) { ExTraceGlobals.AccessCheckTracer.TraceError(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: this instance has invalid NULL CustomRecipientWriteScope."); notTrueReason = DirectoryStrings.CustomRecipientWriteScopeCannotBeEmpty(this.RecipientWriteScope); return(false); } if (roleAssignment.CustomRecipientWriteScope == null && (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.OU || roleAssignment.RecipientWriteScope == RecipientWriteScopeType.CustomRecipientScope || roleAssignment.RecipientWriteScope == RecipientWriteScopeType.ExclusiveRecipientScope)) { ExTraceGlobals.AccessCheckTracer.TraceError(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: the other instance has invalid NULL CustomRecipientWriteScope."); notTrueReason = DirectoryStrings.CustomRecipientWriteScopeCannotBeEmpty(roleAssignment.RecipientWriteScope); return(false); } bool flag; switch (this.RecipientWriteScope) { case RecipientWriteScopeType.None: flag = (roleAssignment.RecipientWriteScope != RecipientWriteScopeType.NotApplicable); goto IL_41E; case RecipientWriteScopeType.NotApplicable: flag = true; goto IL_41E; case RecipientWriteScopeType.Organization: flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization); goto IL_41E; case RecipientWriteScopeType.MyGAL: case RecipientWriteScopeType.Self: case RecipientWriteScopeType.MyDirectReports: case RecipientWriteScopeType.MyDistributionGroups: case RecipientWriteScopeType.MyExecutive: case RecipientWriteScopeType.MailboxICanDelegate: flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.MyGAL || roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization); goto IL_41E; case RecipientWriteScopeType.OU: if (roleAssignment.RecipientWriteScope != RecipientWriteScopeType.OU) { flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization); goto IL_41E; } ExTraceGlobals.AccessCheckTracer.TraceDebug(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: comparing the OU DistinguishedName(s) between two role assignments."); if (this.CustomRecipientWriteScope.IsDescendantOf(roleAssignment.CustomRecipientWriteScope)) { flag = true; goto IL_41E; } notTrueReason = DirectoryStrings.OUsNotSmallerOrEqual(this.CustomRecipientWriteScope.ToString(), roleAssignment.CustomRecipientWriteScope.ToString()); flag = false; goto IL_41E; case RecipientWriteScopeType.CustomRecipientScope: case RecipientWriteScopeType.ExclusiveRecipientScope: if (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.OU) { if (scopeCache != null && scopeCache.ContainsKey(this.CustomRecipientWriteScope) && scopeCache[this.CustomRecipientWriteScope] != null) { flag = scopeCache[this.CustomRecipientWriteScope].IsFullyCoveredByOU(roleAssignment.CustomRecipientWriteScope, out notTrueReason); goto IL_41E; } ExTraceGlobals.AccessCheckTracer.TraceError <string>(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' within the scope cache or its value is $null.", (this.CustomRecipientWriteScope == null) ? "null" : this.CustomRecipientWriteScope.ToString()); notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString()); flag = false; goto IL_41E; } else { if (roleAssignment.RecipientWriteScope != RecipientWriteScopeType.CustomRecipientScope && roleAssignment.RecipientWriteScope != RecipientWriteScopeType.ExclusiveRecipientScope) { flag = (roleAssignment.RecipientWriteScope == RecipientWriteScopeType.Organization); goto IL_41E; } if (scopeCache != null && this.CustomRecipientWriteScope != null && roleAssignment.CustomRecipientWriteScope != null && scopeCache.ContainsKey(this.CustomRecipientWriteScope) && scopeCache.ContainsKey(roleAssignment.CustomRecipientWriteScope) && scopeCache[this.CustomRecipientWriteScope] != null && scopeCache[roleAssignment.CustomRecipientWriteScope] != null) { flag = scopeCache[this.CustomRecipientWriteScope].IsScopeSmallerOrEqualThan(scopeCache[roleAssignment.CustomRecipientWriteScope], out notTrueReason); goto IL_41E; } ExTraceGlobals.AccessCheckTracer.TraceError <string, string>(10000L, "IsRecipientWriteScopeSmallerOrEqualThan: we don't find the the key '{0}' or '{1}' within the scope cache or either of their values are $null.", (this.CustomRecipientWriteScope == null) ? "null" : this.CustomRecipientWriteScope.ToString(), (roleAssignment.CustomRecipientWriteScope == null) ? "null" : roleAssignment.CustomRecipientWriteScope.ToString()); notTrueReason = DirectoryStrings.CannotCompareAssignmentsMissingScope(base.Id.ToString(), roleAssignment.Id.ToString()); flag = false; goto IL_41E; } break; } flag = false; IL_41E: if (!flag && LocalizedString.Empty == notTrueReason) { notTrueReason = DirectoryStrings.RecipientWriteScopeNotLessThan(this.RecipientWriteScope.ToString(), roleAssignment.RecipientWriteScope.ToString()); } ExTraceGlobals.AccessCheckTracer.TraceFunction <bool>(10000L, "<--IsRecipientWriteScopeSmallerOrEqualThan: returns {0}", flag); return(flag); }