private ExchangeRole TryFindSafeDCRoleOrUseDefault(ExchangeRole cannedRole)
        {
            // The DC-safe variant of a canned role lives as a direct child of the canned role
            // (one level under cannedRole.Id) and carries the name RoleDefinition.GetDCSafeNameForRole produces.
            string dcSafeName = RoleDefinition.GetDCSafeNameForRole(cannedRole.Name);
            ComparisonFilter byDcSafeName = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Name, dcSafeName);

            // At most one hit is requested; anything other than exactly one match is treated as "not found".
            ExchangeRole[] matches = this.configurationSession.Find<ExchangeRole>(cannedRole.Id, QueryScope.OneLevel, byDcSafeName, null, 1);
            bool foundDcSafeVariant = matches != null && matches.Length == 1;

            // NOTE(review): when no DC-safe variant exists the caller silently receives the unfiltered canned
            // role, i.e. the variant that may still contain the DC-prohibited actions — callers that rely on the
            // filtered role for DC-only role groups should treat this fallback with care.
            return foundDcSafeVariant ? matches[0] : cannedRole;
        }
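        /// <summary>
        /// Removes role assignments held by <paramref name="roleGroup"/> that are not on the allow-list derived
        /// from <paramref name="rgMapping"/>, but only for role groups listed in
        /// <c>InstallCannedRbacRoleAssignments.MonitoredDCOnlyRoleGroups</c>; all other groups are left untouched.
        /// </summary>
        /// <param name="rgMapping">Canned role-group → role mapping whose assignment definitions define the allowed role types.</param>
        /// <param name="roleGroup">The AD group whose existing assignments are inspected.</param>
        /// <param name="topCannedRoles">The top-level canned roles; matched by RoleType for the allow-list and by Name for the unscoped exemption.</param>
        private void PurgeInvalidAssignmentsFromRoleGroup(RoleGroupRoleMapping rgMapping, ADGroup roleGroup, List<ExchangeRole> topCannedRoles)
        {
            TaskLogger.LogEnter();
            // NOTE(review): this early return skips TaskLogger.LogExit(); kept as in the original since the
            // pairing semantics of LogEnter/LogExit are not visible here.
            if (!InstallCannedRbacRoleAssignments.MonitoredDCOnlyRoleGroups.Contains(rgMapping.RoleGroup))
            {
                return;
            }

            // Allow-list of role DNs this group may legitimately hold: every top canned role whose RoleType appears in
            // the mapping, plus the DN its DC-safe child would have (added whether or not that child exists).
            // A case-insensitive set replaces the former List + Enumerable.Contains, which was O(n) per assignment.
            HashSet<string> allowedRoleDns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            foreach (RoleAssignmentDefinition assignmentDefinition in rgMapping.Assignments)
            {
                // List<T>.FindAll never returns null, so no null check is needed on the result.
                foreach (ExchangeRole cannedRole in topCannedRoles.FindAll((ExchangeRole x) => x.RoleType.Equals(assignmentDefinition.RoleType)))
                {
                    allowedRoleDns.Add(cannedRole.DistinguishedName);
                    allowedRoleDns.Add(cannedRole.Id.GetChildId(RoleDefinition.GetDCSafeNameForRole(cannedRole.Name)).DistinguishedName);
                }
            }

            // All assignments anywhere under the org's role-assignment container whose User is this group.
            ADPagedReader<ExchangeRoleAssignment> groupAssignments = this.configurationSession.FindPaged<ExchangeRoleAssignment>(base.OrgContainerId.GetDescendantId(ExchangeRoleAssignment.RdnContainer), QueryScope.SubTree, new ComparisonFilter(ComparisonOperator.Equal, ExchangeRoleAssignmentSchema.User, roleGroup.Id), null, 0);

            foreach (ExchangeRoleAssignment roleAssignment in groupAssignments)
            {
                if (allowedRoleDns.Contains(roleAssignment.Role.DistinguishedName))
                {
                    continue;
                }

                // Unscoped roles are exempt from purging. First check by name against the canned list ...
                // NOTE(review): this match is by Name only, not DN, so any role sharing the name of an unscoped
                // canned role is exempted regardless of where it lives — confirm that is acceptable.
                bool isUnscopedCannedRole = topCannedRoles.Find((ExchangeRole x) => x.Name.Equals(roleAssignment.Role.Name, StringComparison.OrdinalIgnoreCase) && x.RoleType.Equals(RoleType.UnScoped)) != null;
                if (isUnscopedCannedRole)
                {
                    continue;
                }

                // ... then by reading the assigned role itself.
                ExchangeRole assignedRole = this.configurationSession.Read<ExchangeRole>(roleAssignment.Role);
                // NOTE(review): an assignment whose role can no longer be read (assignedRole == null) is left in
                // place rather than purged — verify that dangling assignments are meant to survive this pass.
                if (assignedRole != null && !assignedRole.RoleType.Equals(RoleType.UnScoped))
                {
                    this.RemoveRoleAssignment(roleAssignment);
                }
            }
            TaskLogger.LogExit();
        }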
        /// <summary>
        /// Walks the roles directly beneath <paramref name="updatedParentRole"/>, recomputes each child's
        /// RoleEntries from the parent's old/new entries (or, for the parent's DC-safe twin at the top level,
        /// straight from the definition minus DCProhibitedActions), recurses into each child, and saves it.
        /// At the top level, creates the DC-safe twin if none was refreshed.
        /// </summary>
        /// <param name="updatedParentRole">Parent role whose RoleEntries already hold the new values.</param>
        /// <param name="oldParentRoleEntries">The parent's entries before the update (sorted by the caller).</param>
        /// <param name="roleDefinition">Canned definition used for prohibited-action filtering and twin creation.</param>
        /// <param name="recursionCount">Shared depth counter: incremented on entry, decremented on normal exit; 1 means top-level call.</param>
        protected void FindAndUpdateDerivedRoles(ExchangeRole updatedParentRole, RoleEntry[] oldParentRoleEntries, RoleDefinition roleDefinition, ref int recursionCount)
        {
            ExTraceGlobals.AccessCheckTracer.TraceFunction(20005L, "-->FindAndUpdateDerivedRoles: updatedParentRole.Name = {0}, updatedParentRole.RoleEntries.Count = {1}, oldParentRoleEntries.Length = {2}, recursionCount = {3}", new object[]
            {
                updatedParentRole.Name,
                updatedParentRole.RoleEntries.Count,
                oldParentRoleEntries.Length,
                recursionCount
            });

            // Depth guard. NOTE(review): this bail-out returns without decrementing the counter and without the
            // "<--" trace, so once the limit is reached the caller's remaining siblings see an already-exhausted
            // counter and the `1 == recursionCount` checks below no longer identify the top-level call —
            // confirm that abandoning the rest of the walk is the intended behaviour.
            recursionCount++;
            if (recursionCount >= 1000)
            {
                return;
            }

            bool dcSafeTwinRefreshed = false;
            // Prohibited actions are stripped only for tenant-less (datacenter-wide) installs that are hosted or
            // dedicated. Note that CreateDCSafeRoleIfNeeded below checks IsMicrosoftHostedOnly alone.
            bool stripProhibitedActions = this.settings.Organization == null
                && (Datacenter.IsMicrosoftHostedOnly(false) || Datacenter.IsDatacenterDedicated(false))
                && roleDefinition.ContainsProhibitedActions(InstallCannedRbacRoles.DCProhibitedActions);

            ADPagedReader<ExchangeRole> directChildren = this.settings.ConfigurationSession.FindPaged<ExchangeRole>(updatedParentRole.Id, QueryScope.OneLevel, null, null, 0);
            foreach (ExchangeRole childRole in directChildren)
            {
                this.settings.LogReadObject(childRole);
                RoleEntry[] oldChildEntries = this.PrepareRoleForUpgradeAndGetOldSortedEntries(childRole, false);

                // The DC-safe twin is recognised by name, and only when processing the top-level parent.
                bool isDcSafeTwin = 1 == recursionCount
                    && stripProhibitedActions
                    && childRole.Name.Equals(RoleDefinition.GetDCSafeNameForRole(updatedParentRole.Name), StringComparison.OrdinalIgnoreCase);

                List<RoleEntry> newChildEntries;
                if (isDcSafeTwin)
                {
                    // Twin is rebuilt from the definition with prohibited actions removed, not derived from the parent diff.
                    newChildEntries = roleDefinition.GetRoleEntriesFilteringProhibitedActions(null, InstallCannedRbacRoles.DCProhibitedActions);
                    dcSafeTwinRefreshed = true;
                }
                else
                {
                    newChildEntries = this.GetListOfRoleEntriesForChildRole(oldParentRoleEntries, oldChildEntries, updatedParentRole.RoleEntries.ToArray(), childRole.IsChanged(ADObjectSchema.ExchangeVersion));
                }
                childRole.RoleEntries = new MultiValuedProperty<RoleEntry>(newChildEntries);

                // Recurse with the child's pre-update entries as the baseline, then persist the child.
                this.FindAndUpdateDerivedRoles(childRole, oldChildEntries, roleDefinition, ref recursionCount);
                this.SaveDerivedRoleAndWarnOnValidationErrors(childRole);
                ExTraceGlobals.AccessCheckTracer.TraceFunction<string, int>(20005L, "----FindAndUpdateDerivedRoles: role.Name = {0}, role.RoleEntries.Count = {1}", childRole.Name, childRole.RoleEntries.Count);
            }

            // Top level only: no existing twin was refreshed, so create one where the definition requires it.
            if (1 == recursionCount && !dcSafeTwinRefreshed)
            {
                this.CreateDCSafeRoleIfNeeded(updatedParentRole, roleDefinition);
            }

            recursionCount--;
            ExTraceGlobals.AccessCheckTracer.TraceFunction<int>(20005L, "<--FindAndUpdateDerivedRoles: recursionCount = {0}", recursionCount);
        }
        /// <summary>
        /// For tenant-less Microsoft-hosted installs, generates the DC-safe twin of <paramref name="cannedRole"/>
        /// as its child, with DCProhibitedActions filtered out of the entries, and saves it when any entry remains.
        /// Does nothing when the definition contains no prohibited actions.
        /// </summary>
        /// <param name="cannedRole">The canned role the twin is created beneath (its Id becomes the twin's parent).</param>
        /// <param name="roleDefinition">Definition the twin's entries are generated from.</param>
        protected void CreateDCSafeRoleIfNeeded(ExchangeRole cannedRole, RoleDefinition roleDefinition)
        {
            // NOTE(review): only IsMicrosoftHostedOnly gates creation here, whereas FindAndUpdateDerivedRoles also
            // accepts IsDatacenterDedicated when deciding to strip prohibited actions — in a dedicated datacenter
            // no twin is ever created by this method; confirm that asymmetry is intended.
            bool isTenantScoped = this.settings.Organization != null;
            if (isTenantScoped
                || !Datacenter.IsMicrosoftHostedOnly(false)
                || !roleDefinition.ContainsProhibitedActions(InstallCannedRbacRoles.DCProhibitedActions))
            {
                return;
            }

            ExchangeRole dcSafeTwin = roleDefinition.GenerateRole(null, cannedRole.Id, null, null);
            dcSafeTwin.Name           = RoleDefinition.GetDCSafeNameForRole(cannedRole.Name);
            dcSafeTwin.RoleEntries    = new MultiValuedProperty<RoleEntry>(roleDefinition.GetRoleEntriesFilteringProhibitedActions(null, InstallCannedRbacRoles.DCProhibitedActions));
            dcSafeTwin.OrganizationId = this.settings.OrganizationId;

            // A twin with every entry filtered away is not persisted.
            if (dcSafeTwin.RoleEntries.Count == 0)
            {
                return;
            }
            this.SaveRoleAndWarnOnFailure(dcSafeTwin);
        }