        // Token: 0x0600045C RID: 1116 RVA: 0x0000F930 File Offset: 0x0000DB30
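        /// <summary>
        /// Reports, through <paramref name="errorHandler"/>, when none of the servers hosting
        /// <paramref name="database"/> lies within the caller's write scopes.
        /// </summary>
        /// <param name="database">Database whose hosting server(s) are checked.</param>
        /// <param name="errorHandler">Error sink (normally the task's WriteError); receives a Client-category error when the database has no servers and an Authorization-category error when none of them is in scope.</param>
        /// <param name="adConfigSession">Session used to resolve the servers and to run the scope check.</param>
        /// <remarks>
        /// The original version dereferenced a null server list / a null scope exception when
        /// <paramref name="errorHandler"/> returned instead of terminating; this version keeps both
        /// paths null-safe and still ends in the out-of-scope error, so it fails closed either way.
        /// </remarks>
        internal static void VerifyServerIsWithinScope(Database database, Task.ErrorLoggerDelegate errorHandler, ITopologyConfigurationSession adConfigSession)
        {
            // Exchange 2009+ databases may list several servers; older ones carry a single Server link.
            ADObjectId[] servers = database.IsExchange2009OrLater ? database.Servers : new ADObjectId[]
            {
                database.Server
            };
            if (servers == null)
            {
                // A missing list behaves like an empty one so the loop below can run safely.
                servers = new ADObjectId[0];
            }
            if (servers.Length == 0)
            {
                errorHandler(new NoServersForDatabaseException(database.Name), ExchangeErrorCategory.Client, null);
            }
            bool             withinScope = false;
            ADScopeException scopeError  = null;

            // One in-scope server is enough; scopeError keeps the reason from the last failed check.
            foreach (ADObjectId serverId in servers)
            {
                Server mailboxServer = MapiTaskHelper.GetMailboxServer(new ServerIdParameter(serverId), adConfigSession, errorHandler);
                if (adConfigSession.TryVerifyIsWithinScopes(mailboxServer, true, out scopeError))
                {
                    withinScope = true;
                    break;
                }
            }
            if (!withinScope)
            {
                // scopeError is null when there was no server to check — never dereference it blindly.
                string reason = (scopeError == null) ? string.Empty : scopeError.Message;
                errorHandler(new IsOutofDatabaseScopeException(database.Name, reason), ExchangeErrorCategory.Authorization, null);
            }
        }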
        /// <summary>
        /// Resolves the executing user and decides whether that user may act on <paramref name="group"/>
        /// when the group lies outside the user's write scopes, or when the group is a mail-enabled
        /// universal security group (which always requires a manager check unless bypassed).
        /// </summary>
        /// <param name="task">Task used to resolve the executing user and to emit verbose/error output.</param>
        /// <param name="dataSession">Session whose write scopes are checked against the group.</param>
        /// <param name="gcSession">Global catalog session handed to the group-manager lookup.</param>
        /// <param name="group">Group being acted on; its IsExecutingUserGroupOwner flag is updated and its change tracking reset.</param>
        /// <param name="bypassSecurityGroupManagerCheck">When true, the security-group manager check is skipped.</param>
        /// <returns>The executing user's id, or null if it could not be resolved.</returns>
        internal static ADObjectId GetExecutingUserAndCheckGroupOwnership(Task task, IDirectorySession dataSession, IRecipientSession gcSession, ADGroup group, bool bypassSecurityGroupManagerCheck)
        {
            ADObjectId executingUserId  = null;
            bool       executingUserKnown = task.TryGetExecutingUserId(out executingUserId);

            // Result of the deferred owner check. The error is held back rather than written immediately:
            // for non-security groups it only drives IsExecutingUserGroupOwner, for security groups it is
            // surfaced further down.
            LocalizedException    deferredError    = null;
            ExchangeErrorCategory deferredCategory = ExchangeErrorCategory.Client;
            object                deferredTarget   = null;
            bool                  ownerCheckDone   = false;
            ADScopeException      scopeError       = null;

            bool groupOutOfScope = executingUserKnown && executingUserId != null && !dataSession.TryVerifyIsWithinScopes(group, true, out scopeError);
            if (groupOutOfScope)
            {
                task.WriteVerbose(Strings.VerboseDGOwnershipDeepSearch(executingUserId.ToString(), group.Identity.ToString()));
                RecipientTaskHelper.ValidateUserIsGroupManager(executingUserId, group, delegate(LocalizedException exception, ExchangeErrorCategory category, object target)
                {
                    deferredError    = exception;
                    deferredCategory = category;
                    deferredTarget   = target;
                }, true, gcSession);
                ownerCheckDone = true;
                group.IsExecutingUserGroupOwner = (deferredError == null);
            }

            bool enforceManagerCheck = group.RecipientType == RecipientType.MailUniversalSecurityGroup && !bypassSecurityGroupManagerCheck;
            if (enforceManagerCheck)
            {
                if (!executingUserKnown)
                {
                    task.WriteError(new RecipientTaskException(Strings.ErrorExecutingUserOutOfTargetOrg(task.MyInvocation.MyCommand.Name)), ExchangeErrorCategory.Client, group.Identity.ToString());
                }
                if (ownerCheckDone)
                {
                    // The deferred error from the scope fallback is only fatal for security groups.
                    if (deferredError != null)
                    {
                        task.WriteError(deferredError, deferredCategory, deferredTarget);
                    }
                }
                else
                {
                    // NOTE(review): if TryGetExecutingUserId can succeed with a null id, the ToString()
                    // below dereferences it — confirm that cannot happen.
                    task.WriteVerbose(Strings.VerboseDGOwnershipDeepSearch(executingUserId.ToString(), group.Identity.ToString()));
                    RecipientTaskHelper.ValidateUserIsGroupManager(executingUserId, group, new Task.ErrorLoggerDelegate(task.WriteError), true, gcSession);
                    group.IsExecutingUserGroupOwner = true;
                }
            }
            // The owner flag is transient: make sure it is never written back with the group.
            group.propertyBag.ResetChangeTracking(ADGroupSchema.IsExecutingUserGroupOwner);
            return executingUserId;
        }
        /// <summary>
        /// RBAC write-scope check for the object whose permissions are being changed: the object is
        /// re-read through a session built from the executing user's scope set and rejected when it
        /// falls outside the user's write scopes.
        /// </summary>
        /// <remarks>
        /// The objectClass values of the target decide which session can read it. Recipient-like classes
        /// go through a recipient session; a fixed list of configuration classes goes through a
        /// configuration session, where the first matching branch of the else-if chain wins — the order
        /// is significant (e.g. "msExchMDB" is tested before "msExchPrivateMDB", so an object carrying
        /// both is read as Database). A target matching neither list is not scope-checked at all;
        /// NOTE(review): confirm that is intended, since such objects bypass this check entirely.
        /// </remarks>
        private void CheckRbac()
        {
            ADScopeException             ex = null;
            MultiValuedProperty <string> multiValuedProperty = (MultiValuedProperty <string>) this.DataObject[ADObjectSchema.ObjectClass];

            // Recipient-like object classes: read and scope-check through a recipient session.
            if (multiValuedProperty.Contains("person") || multiValuedProperty.Contains("msExchDynamicDistributionList") || multiValuedProperty.Contains("group") || multiValuedProperty.Contains("publicFolder") || multiValuedProperty.Contains("msExchPublicMDB") || multiValuedProperty.Contains("msExchSystemMailbox") || multiValuedProperty.Contains(ADMicrosoftExchangeRecipient.MostDerivedClass) || multiValuedProperty.Contains("exchangeAdminService") || multiValuedProperty.Contains("computer"))
            {
                // The trailing int/string arguments presumably identify the call site (line, member, source file) for tracing.
                IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(base.DomainController, true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromCustomScopeSet(base.ScopeSet, this.DataObject.Id, base.CurrentOrganizationId, base.ExecutingUserOrganizationId, true), 581, "CheckRbac", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\RecipientTasks\\permission\\SetADPermissionTaskBase.cs");
                ADRecipient       adrecipient = tenantOrRootOrgRecipientSession.Read(this.DataObject.Id);
                if (adrecipient == null)
                {
                    // WriteError is relied on to terminate here; if it returned, adrecipient would be dereferenced below.
                    base.WriteError(new ManagementObjectNotFoundException(Strings.ErrorObjectNotFound(this.Identity.ToString())), ErrorCategory.InvalidArgument, null);
                }
                if (!tenantOrRootOrgRecipientSession.TryVerifyIsWithinScopes(adrecipient, true, out ex))
                {
                    base.WriteError(new TaskInvalidOperationException(Strings.ErrorCannotChangeObjectOutOfWriteScope(adrecipient.Identity.ToString(), (ex == null) ? string.Empty : ex.Message), ex), ExchangeErrorCategory.Client, adrecipient.Identity);
                    return;
                }
            }
            else
            {
                // Configuration object classes: map the first recognized class to its AD type and read it.
                // flag records that a class was recognized, even when the read itself returned null.
                ADObject adobject = null;
                bool     flag     = false;
                IConfigurationSession tenantOrTopologyConfigurationSession = DirectorySessionFactory.Default.GetTenantOrTopologyConfigurationSession(base.DomainController, true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromCustomScopeSet(base.ScopeSet, this.DataObject.Id, base.CurrentOrganizationId, base.ExecutingUserOrganizationId, true), 620, "CheckRbac", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\RecipientTasks\\permission\\SetADPermissionTaskBase.cs");
                if (multiValuedProperty.Contains("msExchOabVirtualDirectory"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <ADOabVirtualDirectory>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("ServiceConnectionPoint"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <ADServiceConnectionPoint>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("RpcClientAccess"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <ExchangeRpcClientAccess>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchProtocolCfgHTTPContainer"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <HttpContainer>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchProtocolCfgIMAPContainer"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <Imap4Container>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchInformationStore"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <InformationStore>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("mTA"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <MicrosoftMTAConfiguration>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchProtocolCfgPOPContainer"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <Pop3Container>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("protocolCfgSharedServer"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <ProtocolsContainer>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchSmtpReceiveConnector"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <ReceiveConnector>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchExchangeServer"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <Server>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchProtocolCfgSMTPContainer"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <SmtpContainer>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("protocolCfgSMTPServer"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <SmtpVirtualServerConfiguration>(this.DataObject.Id);
                    flag     = true;
                }
                // "msExchMDB" is matched before "msExchPrivateMDB": an object carrying both classes is read as Database.
                else if (multiValuedProperty.Contains("msExchMDB"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <Database>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("msExchPrivateMDB"))
                {
                    adobject = tenantOrTopologyConfigurationSession.Read <MailboxDatabase>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains(ADOrganizationalUnit.MostDerivedClass))
                {
                    // OUs and domains are read with the configuration NC switched off.
                    tenantOrTopologyConfigurationSession.UseConfigNC = false;
                    adobject = tenantOrTopologyConfigurationSession.Read <ADOrganizationalUnit>(this.DataObject.Id);
                    flag     = true;
                }
                else if (multiValuedProperty.Contains("domain"))
                {
                    tenantOrTopologyConfigurationSession.UseConfigNC = false;
                    adobject = tenantOrTopologyConfigurationSession.Read <ADDomain>(this.DataObject.Id);
                    flag     = true;
                }
                if (flag)
                {
                    if (adobject == null)
                    {
                        // As above, WriteError is relied on to terminate before adobject is used.
                        base.WriteError(new ManagementObjectNotFoundException(Strings.ErrorObjectNotFound(this.Identity.ToString())), ErrorCategory.InvalidArgument, null);
                    }
                    if (!tenantOrTopologyConfigurationSession.TryVerifyIsWithinScopes(adobject, true, out ex))
                    {
                        base.WriteError(new TaskInvalidOperationException(Strings.ErrorCannotChangeObjectOutOfWriteScope(adobject.Identity.ToString(), (ex == null) ? string.Empty : ex.Message), ex), ExchangeErrorCategory.Client, adobject.Identity);
                    }
                }
                // Unrecognized configuration classes fall through here without any scope check.
            }
        }
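        /// <summary>
        /// Builds the <see cref="ADGroup"/> to be saved: applies the group naming policy, decides whether the
        /// executing user may manage the group, resolves ManagedBy and the member join/depart restrictions,
        /// and downgrades approval-based restrictions when no arbitration mailbox is available.
        /// </summary>
        /// <returns>The prepared group.</returns>
        /// <remarks>
        /// Differs from the original only in dropping an unused local read of group.ArbitrationMailbox
        /// and in naming; every check and side effect is kept.
        /// </remarks>
        protected override IConfigurable PrepareDataObject()
        {
            TaskLogger.LogEnter();
            ADGroup group = (ADGroup)base.PrepareDataObject();

            this.flagCloseGroupMemberJoinForNoArbitrationMbx   = false;
            this.flagCloseGroupMemberDepartForNoArbitrationMbx = false;
            this.UpdateRecipientDisplayType(group);
            ADObjectId executingUserId;
            bool       executingUserKnown = base.TryGetExecutingUserId(out executingUserId);

            // Naming policy applies only when Name or DisplayName was supplied and -IgnoreNamingPolicy was not.
            if (!this.IgnoreNamingPolicy.IsPresent && (base.UserSpecifiedParameters.IsChanged(ADObjectSchema.Name.Name) || base.UserSpecifiedParameters.IsChanged(MailEnabledRecipientSchema.DisplayName.Name)))
            {
                // Root-org groups take the policy from the org container, tenant groups from their configuration unit.
                Organization organization;
                if (group.OrganizationId.ConfigurationUnit == null && group.OrganizationId.OrganizationalUnit == null)
                {
                    organization = this.ConfigurationSession.GetOrgContainer();
                }
                else
                {
                    organization = this.ConfigurationSession.Read <ExchangeConfigurationUnit>(group.OrganizationId.ConfigurationUnit);
                }
                // Without a resolvable executing user the names are left as specified.
                if (executingUserKnown)
                {
                    IRecipientSession recipientSession = RecipientTaskHelper.CreatePartitionOrRootOrgScopedGcSession(null, executingUserId);
                    // NOTE(review): Read may return null; confirm GetGroupNameWithNamingPolicy tolerates a null user.
                    ADUser            user             = (ADUser)recipientSession.Read(executingUserId);
                    if (base.UserSpecifiedParameters.IsChanged(ADObjectSchema.Name.Name))
                    {
                        group.Name = DistributionGroupTaskHelper.GetGroupNameWithNamingPolicy(organization, user, group, group.Name, ADObjectSchema.Name, new Task.ErrorLoggerDelegate(base.WriteError));
                    }
                    if (base.UserSpecifiedParameters.IsChanged(MailEnabledRecipientSchema.DisplayName.Name))
                    {
                        group.DisplayName = DistributionGroupTaskHelper.GetGroupNameWithNamingPolicy(organization, user, group, group.DisplayName, ADRecipientSchema.DisplayName, new Task.ErrorLoggerDelegate(base.WriteError));
                    }
                }
            }
            bool             ownerDeepSearchDone = false;
            ADScopeException scopeError          = null;

            // Group outside the executing user's write scope: fall back to a group-manager lookup. The error
            // from that lookup is not written here; it only clears IsExecutingUserGroupOwner, and the
            // property's change tracking is reset so the flag is never persisted with the group.
            if (executingUserKnown && executingUserId != null && !((IDirectorySession)base.DataSession).TryVerifyIsWithinScopes(group, true, out scopeError))
            {
                group.IsExecutingUserGroupOwner = true;
                ownerDeepSearchDone = true;
                base.WriteVerbose(Strings.VerboseDGOwnershipDeepSearch(executingUserId.ToString(), group.Identity.ToString()));
                RecipientTaskHelper.ValidateUserIsGroupManager(executingUserId, group, delegate(LocalizedException exception, ExchangeErrorCategory category, object target)
                {
                    group.IsExecutingUserGroupOwner = false;
                }, true, base.TenantGlobalCatalogSession);
                group.propertyBag.ResetChangeTracking(ADGroupSchema.IsExecutingUserGroupOwner);
            }
            // Security groups: touching ownership-sensitive fields requires the executing user to be a manager,
            // unless bypassed. Skipped when the deep search above already ran — NOTE(review): in that case a
            // failed manager check only clears IsExecutingUserGroupOwner and raises no error here; confirm
            // the flag is enforced later.
            if (group.RecipientDisplayType == RecipientDisplayType.SecurityDistributionGroup && !ownerDeepSearchDone && !this.BypassSecurityGroupManagerCheck && (base.Fields.IsChanged(DistributionGroupSchema.ManagedBy) || base.Fields.IsChanged(MailEnabledRecipientSchema.GrantSendOnBehalfTo) || base.Fields.IsChanged(ADObjectSchema.Name) || base.Fields.IsChanged(DistributionGroupSchema.SamAccountName)))
            {
                if (!executingUserKnown)
                {
                    base.WriteError(new RecipientTaskException(Strings.ErrorExecutingUserOutOfTargetOrg(base.MyInvocation.MyCommand.Name)), ExchangeErrorCategory.Client, group.Identity.ToString());
                }
                // Here the manager check reports straight through WriteError.
                RecipientTaskHelper.ValidateUserIsGroupManager(executingUserId, group, new Task.ErrorLoggerDelegate(base.WriteError), true, base.TenantGlobalCatalogSession);
                group.IsExecutingUserGroupOwner = true;
                group.propertyBag.ResetChangeTracking(ADGroupSchema.IsExecutingUserGroupOwner);
            }
            base.SetMultiReferenceParameter <GeneralRecipientIdParameter>(DistributionGroupSchema.ManagedBy, this.ManagedBy, group, new GetRecipientDelegate <GeneralRecipientIdParameter>(this.GetRecipient));
            if (base.Fields.IsModified(ADGroupSchema.MemberJoinRestriction))
            {
                group.MemberJoinRestriction = this.MemberJoinRestriction;
            }
            if (base.Fields.IsModified(ADGroupSchema.MemberDepartRestriction))
            {
                group.MemberDepartRestriction = this.MemberDepartRestriction;
            }
            // An explicitly supplied null -ArbitrationMailbox is rejected; nothing else is done with the
            // parameter here (the original additionally read group.ArbitrationMailbox into an unused local).
            if (base.Fields.IsModified(ADRecipientSchema.ArbitrationMailbox) && base.ArbitrationMailbox == null)
            {
                base.WriteError(new RecipientTaskException(Strings.ErrorNullParameter(ADRecipientSchema.ArbitrationMailbox.Name)), ExchangeErrorCategory.Client, group.Identity);
            }
            // Groups of a version that supports an arbitration mailbox but have none, or point into the
            // deleted-objects container, get the organization's arbitration mailbox instead.
            if (!group.ExchangeVersion.IsOlderThan(ADRecipientSchema.ArbitrationMailbox.VersionAdded) && (group.ArbitrationMailbox == null || group.ArbitrationMailbox.IsDescendantOf(ADSession.GetDeletedObjectsContainer(group.ArbitrationMailbox.DomainId))))
            {
                group.ArbitrationMailbox = MailboxTaskHelper.GetArbitrationMailbox(base.TenantGlobalCatalogSession, group.ConfigurationUnit ?? base.RootOrgContainerId);
                if (group.ArbitrationMailbox == null)
                {
                    // Approval-based restrictions need an arbitration mailbox: a restriction the caller
                    // explicitly asked for is an error, an inherited one is downgraded to Closed and the
                    // downgrade is remembered in the instance flags.
                    if (group.MemberJoinRestriction == MemberUpdateType.ApprovalRequired)
                    {
                        if (base.Fields.IsModified(ADGroupSchema.MemberJoinRestriction))
                        {
                            base.WriteError(new RecipientTaskException(Strings.ErrorArbitrationMbxNotSetForApproval(this.Identity.ToString())), ExchangeErrorCategory.Client, group.Identity);
                        }
                        else
                        {
                            group.MemberJoinRestriction = MemberUpdateType.Closed;
                            this.flagCloseGroupMemberJoinForNoArbitrationMbx = true;
                        }
                    }
                    if (group.MemberDepartRestriction == MemberUpdateType.ApprovalRequired)
                    {
                        if (base.Fields.IsModified(ADGroupSchema.MemberDepartRestriction))
                        {
                            base.WriteError(new RecipientTaskException(Strings.ErrorArbitrationMbxNotSetForApproval(this.Identity.ToString())), ExchangeErrorCategory.Client, group.Identity);
                        }
                        else
                        {
                            group.MemberDepartRestriction = MemberUpdateType.Closed;
                            this.flagCloseGroupMemberDepartForNoArbitrationMbx = true;
                        }
                    }
                }
            }
            TaskLogger.LogExit();
            return group;
        }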
 /// <summary>
 /// FFO implementation of the scope check. It records the call as unsupported and then reports
 /// every object as within scope: <paramref name="exception"/> is always null and the result is
 /// always true, so callers that rely on this method for write-scope enforcement get no
 /// enforcement on an FFO session.
 /// </summary>
 /// <param name="entry">Object that would be scope-checked; not inspected.</param>
 /// <param name="isModification">Whether the caller intends a write; not inspected.</param>
 /// <param name="exception">Always set to null.</param>
 /// <returns>Always true.</returns>
 bool IDirectorySession.TryVerifyIsWithinScopes(ADObject entry, bool isModification, out ADScopeException exception)
 {
     FfoDirectorySession.LogNotSupportedInFFO(null);
     exception = null;
     return true;
 }