Example 1 with Domain
use of com.zimbra.cs.account.Domain in project zm-mailbox by Zimbra.
the class JMSessionTest method messageID.
@Test
public void messageID() throws Exception {
Provisioning prov = Provisioning.getInstance();
Domain domain = prov.createDomain("example.com", new HashMap<String, Object>());
Account account = prov.createAccount("user1@example.com", "test123", new HashMap<String, Object>());
MimeMessage mm = new MimeMessage(JMSession.getSmtpSession(account));
mm.saveChanges();
Assert.assertEquals("message ID contains account domain", domain.getName() + '>', mm.getMessageID().split("@")[1]);
}
Also used :
Account(com.zimbra.cs.account.Account)
MimeMessage(javax.mail.internet.MimeMessage)
Domain(com.zimbra.cs.account.Domain)
MockProvisioning(com.zimbra.cs.account.MockProvisioning)
Provisioning(com.zimbra.cs.account.Provisioning)
Test(org.junit.Test)
Example 2 with Domain
use of com.zimbra.cs.account.Domain in project zm-mailbox by Zimbra.
the class CheckAttrRight method computeAccessibleAttrs.
private AllowedAttrs computeAccessibleAttrs() throws ServiceException {
if (mGrantee == null) {
return AllowedAttrs.DENY_ALL_ATTRS();
}
Map<String, Integer> allowSome = new HashMap<String, Integer>();
Map<String, Integer> denySome = new HashMap<String, Integer>();
Integer relativity = Integer.valueOf(1);
// we iterate through all the targets from which grants can be inherited
// by the perspective target. More specific targets are visited before
// less specific targets. For each target, there are two "ranks" of
// grantee types: individual and group. Therefore, each time when we
// visit the next target, we bump up the relativity by 2.
int granteeRanksPerTarget = 2;
//
// collecting phase
//
CollectAttrsResult car = CollectAttrsResult.SOME;
// check the target entry itself
List<ZimbraACE> acl = ACLUtil.getAllACEs(mTarget);
if (acl != null) {
car = checkTarget(acl, relativity, false, allowSome, denySome);
relativity += granteeRanksPerTarget;
}
//
// if the target is a domain-ed entry, get the domain of the target.
// It is need for checking the cross domain right.
//
Domain targetDomain = TargetType.getTargetDomain(mProv, mTarget);
if (!car.isAll()) {
// check grants granted on entries from which the target entry can inherit
boolean expandTargetGroups = CheckRight.allowGroupTarget(mRightNeeded);
TargetIterator iter = TargetIterator.getTargetIeterator(mProv, mTarget, expandTargetGroups);
Entry grantedOn;
GroupACLs groupACLs = null;
while ((grantedOn = iter.next()) != null && (!car.isAll())) {
acl = ACLUtil.getAllACEs(grantedOn);
if (grantedOn instanceof Group) {
if (acl == null)
continue;
boolean skipPositiveGrants = false;
// members in the group can be in different domains, no point checking it.
if (mGrantee.isAccount()) {
skipPositiveGrants = !CrossDomain.crossDomainOK(mProv, mGrantee.getAccount(), mGrantee.getDomain(), targetDomain, (Group) grantedOn);
}
// don't check yet, collect all acls on all target groups
if (groupACLs == null) {
groupACLs = new GroupACLs(mTarget);
}
groupACLs.collectACL((Group) grantedOn, skipPositiveGrants);
} else {
// We put denied in the front, so it is consistent with ZimbraACL.getAllACEs
if (groupACLs != null) {
List<ZimbraACE> aclsOnGroupTargets = groupACLs.getAllACLs();
if (aclsOnGroupTargets != null) {
car = checkTarget(aclsOnGroupTargets, relativity, false, allowSome, denySome);
relativity += granteeRanksPerTarget;
if (car.isAll())
break;
// else continue with the next target
}
// set groupACLs to null, we are done with group targets
groupACLs = null;
}
if (acl == null)
continue;
boolean subDomain = (mTargetType == TargetType.domain && (grantedOn instanceof Domain));
car = checkTarget(acl, relativity, subDomain, allowSome, denySome);
relativity += granteeRanksPerTarget;
}
}
}
// log collecting phase result
if (sLog.isDebugEnabled()) {
StringBuilder sb = new StringBuilder();
sb.append("Allowed: {");
for (Map.Entry<String, Integer> as : allowSome.entrySet()) {
sb.append("(" + as.getKey() + ", " + as.getValue() + ")");
}
sb.append("}");
sb.append(" Denied: {");
for (Map.Entry<String, Integer> ds : denySome.entrySet()) {
sb.append("(" + ds.getKey() + ", " + ds.getValue() + ")");
}
sb.append("}");
// the value SOME itself is correct function-wise.
if (car == CollectAttrsResult.SOME && allowSome.isEmpty() && denySome.isEmpty()) {
sLog.debug("accessibleAttrs: NONE");
} else {
sLog.debug("accessibleAttrs: " + car.name() + ". " + sb.toString());
}
}
//
// computing phase
//
AllowedAttrs result;
AttributeClass klass = TargetType.getAttributeClass(mTarget);
if (car == CollectAttrsResult.ALLOW_ALL)
result = processAllowAll(allowSome, denySome, klass);
else if (car == CollectAttrsResult.DENY_ALL)
result = processDenyAll(allowSome, denySome, klass);
else {
// now allowSome and denySome contain attrs allowed/denied and their shortest distance
// to the target, remove denied ones from allowed if they've got a shorter distance
Set<String> conflicts = SetUtil.intersect(allowSome.keySet(), denySome.keySet());
if (!conflicts.isEmpty()) {
for (String attr : conflicts) {
if (denySome.get(attr) <= allowSome.get(attr))
allowSome.remove(attr);
}
}
result = AllowedAttrs.ALLOW_SOME_ATTRS(allowSome.keySet());
}
// computeCanDo(result, target, rightNeeded, attrs);
return result;
}Example 3 with Domain
use of com.zimbra.cs.account.Domain in project zm-mailbox by Zimbra.
the class CheckPresetRight method checkRight.
private Boolean checkRight() throws ServiceException {
if (!mRightNeeded.isPresetRight()) {
throw ServiceException.INVALID_REQUEST("RightChecker.canDo can only check preset right, right " + mRightNeeded.getName() + " is a " + mRightNeeded.getRightType() + " right", null);
}
boolean adminRight = !mRightNeeded.isUserRight();
Domain granteeDomain = null;
if (adminRight) {
// if the grantee is no longer legitimate, e.g. not an admin any more, ignore all his grants
if (!RightBearer.isValidGranteeForAdminRights(GranteeType.GT_USER, mGranteeMailTarget)) {
return null;
}
granteeDomain = mProv.getDomain(mGranteeMailTarget);
// if we ever get here, the grantee must have a domain
if (granteeDomain == null) {
throw ServiceException.FAILURE("internal error, cannot find domain for " + mGranteeMailTarget.getName(), null);
}
// should only come from granting/revoking check
if (mRightNeeded == Admin.R_crossDomainAdmin) {
return CrossDomain.checkCrossDomainAdminRight(mProv, granteeDomain, mTarget, mCanDelegateNeeded);
}
}
Boolean result = null;
// check grants explicitly granted on the target entry
// we don't return the target entry itself in TargetIterator because if
// target is a dl, we need to know if the dl returned from TargetIterator
// is the target itself or one of the groups the target is in. So we check
// the actual target separately
List<ZimbraACE> acl = ACLUtil.getAllACEs(mTarget);
if (acl != null) {
result = checkTarget(acl, false);
if (result != null) {
return result;
}
}
//
// if the target is a domain-ed entry, get the domain of the target.
// It is needed for checking the cross domain right.
//
Domain targetDomain = TargetType.getTargetDomain(mProv, mTarget);
// group target is only supported for admin rights
boolean expandTargetGroups = CheckRight.allowGroupTarget(mRightNeeded);
// check grants granted on entries from which the target entry can inherit from
TargetIterator iter = TargetIterator.getTargetIeterator(mProv, mTarget, expandTargetGroups);
Entry grantedOn;
GroupACLs groupACLs = null;
while ((grantedOn = iter.next()) != null) {
acl = ACLUtil.getAllACEs(grantedOn);
if (grantedOn instanceof Group) {
if (acl == null) {
continue;
}
boolean skipPositiveGrants = false;
if (adminRight) {
skipPositiveGrants = !CrossDomain.crossDomainOK(mProv, mGranteeMailTarget, granteeDomain, targetDomain, (Group) grantedOn);
}
// don't check yet, collect all acls on all target groups
if (groupACLs == null) {
groupACLs = new GroupACLs(mTarget);
}
groupACLs.collectACL((Group) grantedOn, skipPositiveGrants);
} else {
// We put denied in the front, so it is consistent with ZimbraACL.getAllACEs
if (groupACLs != null) {
List<ZimbraACE> aclsOnGroupTargets = groupACLs.getAllACLs();
if (aclsOnGroupTargets != null) {
result = checkTarget(aclsOnGroupTargets, false);
}
if (result != null) {
return result;
}
// set groupACLs to null, we are done with group targets
groupACLs = null;
}
// didn't encounter any group grantedOn, or none of them matches, just check this grantedOn entry
if (acl == null) {
continue;
}
boolean subDomain = (mTargetType == TargetType.domain && (grantedOn instanceof Domain));
result = checkTarget(acl, subDomain);
if (result != null) {
return result;
}
}
}
if (mSeenRight.seenRight()) {
return Boolean.FALSE;
} else {
return null;
}
}Example 4 with Domain
use of com.zimbra.cs.account.Domain in project zm-mailbox by Zimbra.
the class CollectAllEffectiveRights method computeSubDomainRightsInheritedFromDomain.
private void computeSubDomainRightsInheritedFromDomain(ZimbraACL acl, Domain grantedOnDomain) throws ServiceException {
boolean noSubDomainGrants = acl.getSubDomainACEs().isEmpty();
if (noSubDomainGrants) {
return;
}
// get all sub domains of the grantedOnDomain
List<Domain> subDomains = searchSubDomains(grantedOnDomain);
for (Domain subDomain : subDomains) {
String targetId = subDomain.getId();
String targetName = subDomain.getName();
EffectiveRights er = new EffectiveRights(TargetType.domain.getCode(), targetId, targetName, mGrantee.getId(), mGrantee.getName());
CollectEffectiveRights.getEffectiveRights(mGrantee, subDomain, mExpandSetAttrs, mExpandGetAttrs, er);
mResult.addEntry(TargetType.domain, targetName, er);
}
}
Also used :
EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights)
AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)
Domain(com.zimbra.cs.account.Domain)
Example 5 with Domain
use of com.zimbra.cs.account.Domain in project zm-mailbox by Zimbra.
the class CollectAllEffectiveRights method collect.
private void collect() throws ServiceException {
if (mRightBearer instanceof GlobalAdmin) {
for (TargetType tt : TargetType.values()) {
EffectiveRights er = new EffectiveRights(tt.getCode(), null, null, mRightBearer.getId(), mRightBearer.getName());
Entry target;
if (TargetType.config == tt) {
target = mProv.getConfig();
} else if (TargetType.global == tt) {
target = mProv.getGlobalGrant();
} else {
target = PseudoTarget.createPseudoTarget(mProv, tt, null, null, true, null, null, null);
}
CollectEffectiveRights.getEffectiveRights(mRightBearer, target, tt, mExpandSetAttrs, mExpandGetAttrs, er);
mResult.setAll(tt, er);
}
return;
}
// we want all target types
Set<TargetType> targetTypesToSearch = new HashSet<TargetType>(Arrays.asList(TargetType.values()));
// get the set of zimbraId of the grantees to search for
Set<String> granteeIdsToSearch = mGrantee.getIdAndGroupIds();
// add external group grants that *may* apply
if (mGrantee.isAccount()) {
Domain domain = mProv.getDomain(mGrantee.getAccount());
granteeIdsToSearch.add(ZimbraACE.ExternalGroupInfo.encode(domain.getId(), ""));
}
SearchGrants searchGrants = new SearchGrants(mProv, targetTypesToSearch, granteeIdsToSearch);
Set<GrantsOnTarget> grantsOnTargets = searchGrants.doSearch().getResults(true);
// staging for group grants
Set<Group> groupsWithGrants = new HashSet<Group>();
//
for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
ZimbraACL acl = grantsOnTarget.getAcl();
TargetType targetType = TargetType.getTargetType(grantedOnEntry);
if (targetType == TargetType.global) {
computeRightsInheritedFromGlobalGrant();
} else if (targetType == TargetType.domain) {
computeRightsInheritedFromDomain((Domain) grantedOnEntry);
computeSubDomainRightsInheritedFromDomain(acl, (Domain) grantedOnEntry);
} else if (targetType == TargetType.dl) {
groupsWithGrants.add((DistributionList) grantedOnEntry);
} else if (targetType == TargetType.group) {
groupsWithGrants.add((DynamicGroup) grantedOnEntry);
}
}
//
// Stage 2
//
// process group grants
//
// first, shape all members in all groups with grants into "shapes"
//
// e.g. if the grant search returned three groups: A, B, C
// group A contains members m1, m2, m3
// group B contains members m2, m3, m4
// group C contains members m5
//
// (assuming all m{X} are accounts)
//
// After "shaping", the accountShapes Set will contain 4 shapes:
// shape A - m1
// shape AB - m2, m3
// shape B - m4
// shape C - m5
//
/*
* because of bug 68820, we have to also take into accounts all sub groups
* of groupsWithGrants when we build shapes - even if the sub groups don't
* have any grants.
*
* Prior to bug 68820, we didn't have to do this(i.e. add in sub groups
* that don't have any grants when shapes are computed), because sub groups
* dont't have grants would never affect how grants are inherited - all grants
* get inherited to sub groups and their member accounts/crs.
*
* But bug 68820 introduced a new right modifier - DISINHERIT_SUB_GROUPS,
* that controls whether a grant on a group can be inherited by sub groups and
* their account/cr members.
*
* Now the input groups for calculating shapes are:
* union of (groups have grants and all their sub groups)
*
* This will result in more shares than before if non ofthe sub groups has grants,
* but if spawned shapes actually have the same effective rights, they will be
* merged by RightsByTargetType.addAggregation(), in that it checks if ther are
* already an aggregation with the exact the same right. If there are, then just
* add the targets to the existing aggregation, instead of adding new ones.
*/
Set<String> processedGroups = new HashSet<String>();
Set<GroupShape> accountShapes = new HashSet<GroupShape>();
Set<GroupShape> calendarResourceShapes = new HashSet<GroupShape>();
Set<GroupShape> distributionListShapes = new HashSet<GroupShape>();
for (Group group : groupsWithGrants) {
String groupName = group.getName().toLowerCase();
if (processedGroups.contains(groupName)) {
continue;
} else {
processedGroups.add(groupName);
}
AllGroupMembers allMembers = getAllGroupMembers(group);
GroupShape.shapeMembers(TargetType.account, accountShapes, allMembers);
GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, allMembers);
GroupShape.shapeMembers(TargetType.dl, distributionListShapes, allMembers);
// no need to get TargetType.group members of the group, because
// dynamic group cannot be a member of a Distribution list or another
// dynamic group
processedGroups.add(group.getId());
/*
* handle sub groups. allMembers already contains a flat set of all members
* of group that is a DistributionList, just go through the flat set and compute
* shares for each. If group is a dynamic group, we should never get into
* the following loop, because there should be no nested groups member of
* dynamic group.
*/
for (String nestedGoupMember : allMembers.getMembers(TargetType.dl)) {
String nestedGoupMemberName = nestedGoupMember.toLowerCase();
if (processedGroups.contains(nestedGoupMemberName)) {
continue;
} else {
processedGroups.add(nestedGoupMemberName);
}
DistributionList subDl = mProv.get(DistributionListBy.name, nestedGoupMemberName);
// sanity check, shout not be null
if (subDl != null) {
AllGroupMembers allMembersOfSubDl = getAllGroupMembers(subDl);
GroupShape.shapeMembers(TargetType.account, accountShapes, allMembersOfSubDl);
GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, allMembersOfSubDl);
GroupShape.shapeMembers(TargetType.dl, distributionListShapes, allMembersOfSubDl);
}
}
}
if (ZimbraLog.acl.isDebugEnabled()) {
GroupShape.debug("accountShapes", accountShapes);
GroupShape.debug("calendarResourceShapes", calendarResourceShapes);
GroupShape.debug("distributionListShapes", distributionListShapes);
}
// then, for each group shape, generate a RightAggregation and record in the AllEffectiveRights.
// if any of the entries in a shape also have grants as an individual, the effective rigths for
// those entries will be replaced in stage 3.
Set<String> entryIdsHasGrants = new HashSet<String>();
for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
if (grantedOnEntry instanceof NamedEntry) {
entryIdsHasGrants.add(((NamedEntry) grantedOnEntry).getId());
}
}
computeRightsOnGroupShape(TargetType.account, accountShapes, entryIdsHasGrants);
computeRightsOnGroupShape(TargetType.calresource, calendarResourceShapes, entryIdsHasGrants);
computeRightsOnGroupShape(TargetType.dl, distributionListShapes, entryIdsHasGrants);
//
for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
ZimbraACL acl = grantsOnTarget.getAcl();
TargetType targetType = TargetType.getTargetType(grantedOnEntry);
if (targetType != TargetType.global) {
computeRightsOnEntry(targetType, grantedOnEntry);
}
}
}
Also used :
DynamicGroup(com.zimbra.cs.account.DynamicGroup)
Group(com.zimbra.cs.account.Group)
DynamicGroup(com.zimbra.cs.account.DynamicGroup)
EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights)
AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)
GrantsOnTarget(com.zimbra.cs.account.accesscontrol.SearchGrants.GrantsOnTarget)
NamedEntry(com.zimbra.cs.account.NamedEntry)
NamedEntry(com.zimbra.cs.account.NamedEntry)
Entry(com.zimbra.cs.account.Entry)
Domain(com.zimbra.cs.account.Domain)
GlobalAdmin(com.zimbra.cs.account.accesscontrol.RightBearer.GlobalAdmin)
HashSet(java.util.HashSet)
DistributionList(com.zimbra.cs.account.DistributionList)
Aggregations
Domain (com.zimbra.cs.account.Domain)296
Account (com.zimbra.cs.account.Account)145
HashMap (java.util.HashMap)75
Provisioning (com.zimbra.cs.account.Provisioning)71
ServiceException (com.zimbra.common.service.ServiceException)61
Test (org.junit.Test)55
DistributionList (com.zimbra.cs.account.DistributionList)45
AccountServiceException (com.zimbra.cs.account.AccountServiceException)41
LdapDomain (com.zimbra.cs.account.ldap.entry.LdapDomain)36
Element (com.zimbra.common.soap.Element)33
GuestAccount (com.zimbra.cs.account.GuestAccount)32
ZimbraSoapContext (com.zimbra.soap.ZimbraSoapContext)32
NamedEntry (com.zimbra.cs.account.NamedEntry)27
Server (com.zimbra.cs.account.Server)25
Right (com.zimbra.cs.account.accesscontrol.Right)22
HashSet (java.util.HashSet)21
AuthFailedServiceException (com.zimbra.cs.account.AccountServiceException.AuthFailedServiceException)17
Group (com.zimbra.cs.account.Group)17
ZLdapContext (com.zimbra.cs.ldap.ZLdapContext)17
Map (java.util.Map)15
