
Example 1 with AdminRight

use of com.zimbra.cs.account.accesscontrol.AdminRight in project zm-mailbox by Zimbra.

the class CountObjects method handle.

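/**
 * Handles a CountObjects admin request and returns the number of objects of the requested type.
 *
 * <p>Authorization depends on the shape of the request:
 * <ul>
 *   <li>no domain given, caller's auth token is not a global admin token, and the type is
 *       domain-scoped: only domains on which the caller holds the right associated with the
 *       type are counted;</li>
 *   <li>domains given: the associated right is checked on every named domain before it is
 *       counted;</li>
 *   <li>type {@code domain}, delegated or domain admin, {@code onlyRelated} set: the distinct
 *       domain targets in the caller's own user grants are counted;</li>
 *   <li>anything else: the associated right is checked with a {@code null} target and the
 *       count is global.</li>
 * </ul>
 *
 * @param request the SOAP request element
 * @param context the SOAP context map used to obtain the {@link ZimbraSoapContext}
 * @return the response element carrying the count and the type name
 * @throws ServiceException on an invalid request, an unknown UC service or domain, or a
 *         failed right check
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    CountObjectsRequest req = zsc.elementToJaxb(request);
    CountObjectsType countObjectsType = req.getType();
    if (countObjectsType == null) {
        throw ServiceException.INVALID_REQUEST("No type specified", null);
    }
    Provisioning prov = Provisioning.getInstance();
    UCService ucService = null;
    UCServiceSelector ucserviceSelector = req.getUcService();
    if (null != ucserviceSelector) {
        if (!countObjectsType.allowsUCService()) {
            throw ServiceException.INVALID_REQUEST("UCService cannot be specified for type: " + countObjectsType.name(), null);
        }
        String value = ucserviceSelector.getKey();
        // NOTE(review): this lookup runs before any right check in this method, so the
        // NO_SUCH_UC_SERVICE fault is visible to any caller that reaches the handler.
        // Confirm that disclosing UC service existence here is acceptable.
        ucService = prov.get(Key.UCServiceBy.fromString(ucserviceSelector.getBy().name()), value);
        if (ucService == null) {
            throw AccountServiceException.NO_SUCH_UC_SERVICE(value);
        }
    }
    List<DomainSelector> specifiedDomains = req.getDomains();
    if (!countObjectsType.allowsDomain() && !specifiedDomains.isEmpty()) {
        throw ServiceException.INVALID_REQUEST("domain cannot be specified for type: " + countObjectsType.name(), null);
    }
    long count = 0;
    if (specifiedDomains.isEmpty() && !zsc.getAuthToken().isAdmin() && countObjectsType.allowsDomain() && !countObjectsType.equals(CountObjectsType.domain)) {
        // if a delegated admin is trying to count objects that exist within
        // a domain, count only within this admin's domains
        List<Domain> domains = prov.getAllDomains();
        AdminAccessControl aac = AdminAccessControl.getAdminAccessControl(zsc);
        AdminRight associatedRight = getAssociatedRight(countObjectsType);
        // Drop every domain on which the caller lacks the right; hasRight can throw a checked
        // ServiceException, hence the explicit iterator instead of removeIf.
        for (Iterator<Domain> it = domains.iterator(); it.hasNext(); ) {
            Domain domain = it.next();
            if (!aac.hasRight(domain, associatedRight)) {
                it.remove();
            }
        }
        int threshold = DebugConfig.minimumDomainsToUseThreadsForDomainAdminCountObjects;
        if (threshold > 0 && domains.size() >= threshold) {
            // For a large number of domains, counting can be slow.  Do the LDAP queries in parallel.
            // As they all use different bases, they don't interfere with each other much.
            AtomicLong atomicCount = new AtomicLong(0);
            List<Thread> threads = Lists.newArrayList();
            // A configured thread count of zero or less would divide by zero or produce a
            // non-positive chunk size; treat it as a single worker.
            final int workerCount = Math.max(1, DebugConfig.numberOfThreadsToUseForDomainAdminCountObjects);
            final int chunkSize = (domains.size() / workerCount) + 1;
            for (int begin = 0; begin < domains.size(); begin += chunkSize) {
                int end = Math.min(begin + chunkSize, domains.size());
                // Each worker gets a view of the already-filtered list, so it only ever sees
                // domains that passed the right check above.
                threads.add(new Thread(new GetDomainCountsThread(atomicCount, prov, domains.subList(begin, end), countObjectsType, ucService), String.format("%s-CountsForDomains-%d", Thread.currentThread().getName(), threads.size())));
            }
            for (Thread thread : threads) {
                thread.start();
            }
            boolean interrupted = false;
            for (Thread thread : threads) {
                try {
                    thread.join();
                } catch (InterruptedException e) {
                    // Keep waiting for the remaining workers, but remember the interruption so
                    // it is not lost. The count may miss the contribution of a worker that had
                    // not finished when the join was interrupted.
                    interrupted = true;
                    ZimbraLog.search.debug("Unexpected exception counting for domain", e);
                }
            }
            if (interrupted) {
                // Restore the interrupt status for whoever owns this request thread.
                Thread.currentThread().interrupt();
            }
            count = atomicCount.get();
        } else {
            for (Domain domain : domains) {
                count += prov.countObjects(countObjectsType, domain, ucService);
            }
        }
    } else if (!specifiedDomains.isEmpty() && countObjectsType.allowsDomain()) {
        // count objects within specified domains
        for (DomainSelector specifiedDomain : specifiedDomains) {
            DomainBy by = specifiedDomain.getBy();
            String domValue = specifiedDomain.getKey();
            Domain domain = prov.get(Key.DomainBy.fromString(by.name()), domValue);
            if (domain == null) {
                // NOTE(review): NO_SUCH_DOMAIN is raised before the right check below, so a
                // caller without rights on a domain gets a different fault for a missing
                // domain than for an existing one. Confirm this is intended.
                throw AccountServiceException.NO_SUCH_DOMAIN(domValue);
            }
            checkDomainRight(zsc, domain, getAssociatedRight(countObjectsType));
            count += prov.countObjects(countObjectsType, domain, ucService);
        }
    } else if (countObjectsType.equals(CountObjectsType.domain) && (zsc.getAuthToken().isDelegatedAdmin() || zsc.getAuthToken().isDomainAdmin()) && req.getOnlyRelated()) {
        // Count the distinct domain targets among the grants whose grantee is the
        // authenticated account itself (user grantee type, looked up by account id).
        RightCommand.Grants grants = prov.getGrants(null, null, null, GranteeType.GT_USER.getCode(), GranteeSelector.GranteeBy.id, zsc.getAuthtokenAccountId(), false);
        if (grants != null) {
            Set<RightCommand.ACE> acEs = grants.getACEs();
            Set<String> domainIds = new HashSet<String>();
            for (RightCommand.ACE acE : acEs) {
                // Set.add returns false for an id already seen, so each domain counts once.
                if (acE.targetType().equals(TargetType.domain.getCode()) && domainIds.add(acE.targetId())) {
                    count++;
                }
            }
        }
    } else {
        // count objects globally
        this.checkRight(zsc, context, null, getAssociatedRight(countObjectsType));
        count += prov.countObjects(countObjectsType, null, ucService);
    }
    return zsc.jaxbToElement(new CountObjectsResponse(count, countObjectsType.name()));
}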
Also used : UCServiceSelector(com.zimbra.soap.admin.type.UCServiceSelector) DomainSelector(com.zimbra.soap.admin.type.DomainSelector) Provisioning(com.zimbra.cs.account.Provisioning) RightCommand(com.zimbra.cs.account.accesscontrol.RightCommand) HashSet(java.util.HashSet) UCService(com.zimbra.cs.account.UCService) CountObjectsRequest(com.zimbra.soap.admin.message.CountObjectsRequest) CountObjectsType(com.zimbra.soap.admin.type.CountObjectsType) AtomicLong(java.util.concurrent.atomic.AtomicLong) AdminRight(com.zimbra.cs.account.accesscontrol.AdminRight) ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext) DomainBy(com.zimbra.soap.admin.type.DomainSelector.DomainBy) Domain(com.zimbra.cs.account.Domain) CountObjectsResponse(com.zimbra.soap.admin.message.CountObjectsResponse)

Example 2 with AdminRight

use of com.zimbra.cs.account.accesscontrol.AdminRight in project zm-mailbox by Zimbra.

the class TestLockoutMailbox method createDelegatedAdmin.

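/**
 * Creates the delegated admin test account and grants it every right in {@code relatedRights}.
 *
 * <p>Domain rights, and also account and calendar-resource rights, are granted on the whole
 * test domain {@code MY_DOMAIN}; server rights are granted on the local server. After the
 * grants the ACL cache is flushed and a SOAP provisioning session is opened as the new admin.
 *
 * @param relatedRights the rights to grant to the delegated admin
 * @throws ServiceException if account creation, a grant, or the cache flush fails
 * @throws IllegalArgumentException if a right has a target type this helper does not map
 */
public void createDelegatedAdmin(List<AdminRight> relatedRights) throws ServiceException {
    Map<String, Object> attrs = new HashMap<String, Object>();
    StringUtil.addToMultiMap(attrs, Provisioning.A_zimbraIsDelegatedAdminAccount, LdapConstants.LDAP_TRUE);
    domainAdmin = adminSoapProv.createAccount(DELEGATED_ADMIN_NAME, TestUtil.DEFAULT_PASSWORD, attrs);
    assertNotNull("failed to create domin admin account", domainAdmin);
    for (AdminRight r : relatedRights) {
        com.zimbra.cs.account.accesscontrol.TargetType rightTargetType = r.getTargetType();
        com.zimbra.cs.account.accesscontrol.TargetType targetType;
        String target;
        if (rightTargetType == com.zimbra.cs.account.accesscontrol.TargetType.domain
                || rightTargetType == com.zimbra.cs.account.accesscontrol.TargetType.account
                || rightTargetType == com.zimbra.cs.account.accesscontrol.TargetType.calresource) {
            // Account and calendar-resource rights are granted at domain scope, so they
            // apply to the test domain as a whole rather than to one entry.
            targetType = com.zimbra.cs.account.accesscontrol.TargetType.domain;
            target = MY_DOMAIN;
        } else if (rightTargetType == com.zimbra.cs.account.accesscontrol.TargetType.server) {
            targetType = com.zimbra.cs.account.accesscontrol.TargetType.server;
            target = Provisioning.getInstance().getLocalServer().getName();
        } else {
            // Previously an unmapped target type left targetType null and failed later with
            // a NullPointerException; fail here with the offending right named instead.
            throw new IllegalArgumentException("unsupported target type " + rightTargetType + " for right " + r.getName());
        }
        grantRightToAdmin(adminSoapProv, com.zimbra.soap.type.TargetType.fromString(targetType.toString()), target, DELEGATED_ADMIN_NAME, r.getName());
    }
    // presumably so the grants made above are not masked by cached ACL entries — confirm
    adminSoapProv.flushCache(CacheEntryType.acl, null);
    delegatedSoapProv = TestUtil.newDelegatedSoapProvisioning(DELEGATED_ADMIN_NAME, TestUtil.DEFAULT_PASSWORD);
}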
Also used : AdminRight(com.zimbra.cs.account.accesscontrol.AdminRight) HashMap(java.util.HashMap)

Example 3 with AdminRight

use of com.zimbra.cs.account.accesscontrol.AdminRight in project zm-mailbox by Zimbra.

the class TestLockoutMailbox method testLockoutSufficientPermissions.

/**
 * Verifies LockoutMailbox for a delegated admin that holds every right the handler documents
 * through {@code docRights}: locking an existing mailbox succeeds, and a request for
 * {@code MY_NON_EXISTING_USER} is answered with NO_SUCH_ACCOUNT.
 */
@Test
public void testLockoutSufficientPermissions() throws Exception {
    // Put one message into the target mailbox and wait until it is visible.
    Mailbox mailbox = TestUtil.getMailbox(MY_USER);
    TestUtil.addMessage(mailbox, "test");
    TestUtil.waitForMessage(TestUtil.getZMailbox(MY_USER), "test");

    // Ask the handler which rights it needs, then grant exactly those.
    List<AdminRight> requiredRights = new ArrayList<AdminRight>();
    List<String> docNotes = new ArrayList<String>();
    AdminDocumentHandler lockoutHandler = new LockoutMailbox();
    lockoutHandler.docRights(requiredRights, docNotes);
    createDelegatedAdmin(requiredRights);

    // Existing account: the lockout must go through without a SOAP fault.
    LockoutMailboxRequest existingUserReq = LockoutMailboxRequest.create(AccountNameSelector.fromName(MY_USER));
    existingUserReq.setOperation(AdminConstants.A_START);
    try {
        LockoutMailboxResponse response = delegatedSoapProv.invokeJaxb(existingUserReq);
        assertNotNull("LockoutMailboxResponse should not be null", response);
    } catch (SoapFaultException fault) {
        fail("should not be getting an exception");
    }

    // Missing account: with sufficient rights the caller is told the account does not exist.
    // presumably MY_NON_EXISTING_USER lies in a domain the delegated admin may manage — confirm
    LockoutMailboxRequest missingUserReq = LockoutMailboxRequest.create(AccountNameSelector.fromName(MY_NON_EXISTING_USER));
    missingUserReq.setOperation(AdminConstants.A_START);
    try {
        delegatedSoapProv.invokeJaxb(missingUserReq);
        fail("should have caught an exception");
    } catch (SoapFaultException fault) {
        assertEquals("should be getting 'no such account' response", AccountServiceException.NO_SUCH_ACCOUNT, fault.getCode());
    }
}
Also used : LockoutMailboxResponse(com.zimbra.soap.admin.message.LockoutMailboxResponse) LockoutMailbox(com.zimbra.cs.service.admin.LockoutMailbox) Mailbox(com.zimbra.cs.mailbox.Mailbox) AdminRight(com.zimbra.cs.account.accesscontrol.AdminRight) ArrayList(java.util.ArrayList) AdminDocumentHandler(com.zimbra.cs.service.admin.AdminDocumentHandler) LockoutMailbox(com.zimbra.cs.service.admin.LockoutMailbox) SoapFaultException(com.zimbra.common.soap.SoapFaultException) LockoutMailboxRequest(com.zimbra.soap.admin.message.LockoutMailboxRequest) Test(org.junit.Test)

Example 4 with AdminRight

use of com.zimbra.cs.account.accesscontrol.AdminRight in project zm-mailbox by Zimbra.

the class TestLockoutMailbox method testLockAccountEnumeration.

/**
 * Guards against account enumeration through LockoutMailbox: a delegated admin asking to lock
 * {@code OFFLIMITS_NON_EXISTING_USER} must receive PERM_DENIED, so the fault code does not
 * reveal whether the account exists.
 */
@Test
public void testLockAccountEnumeration() throws Exception {
    // Put one message into the test mailbox and wait until it is visible.
    Mailbox mailbox = TestUtil.getMailbox(MY_USER);
    TestUtil.addMessage(mailbox, "test");
    TestUtil.waitForMessage(TestUtil.getZMailbox(MY_USER), "test");

    // Grant the delegated admin exactly the rights the handler documents.
    List<AdminRight> requiredRights = new ArrayList<AdminRight>();
    List<String> docNotes = new ArrayList<String>();
    AdminDocumentHandler lockoutHandler = new LockoutMailbox();
    lockoutHandler.docRights(requiredRights, docNotes);
    createDelegatedAdmin(requiredRights);

    // presumably OFFLIMITS_NON_EXISTING_USER is an address outside the delegated admin's
    // domain — confirm against the constant's definition
    LockoutMailboxRequest offLimitsReq = LockoutMailboxRequest.create(AccountNameSelector.fromName(OFFLIMITS_NON_EXISTING_USER));
    offLimitsReq.setOperation(AdminConstants.A_START);
    try {
        delegatedSoapProv.invokeJaxb(offLimitsReq);
        fail("should have caught an exception");
    } catch (SoapFaultException fault) {
        // PERM_DENIED is the expected code here, not a "no such account" fault.
        assertEquals("should be getting 'Permission Denied' response", ServiceException.PERM_DENIED, fault.getCode());
    }
}
Also used : LockoutMailbox(com.zimbra.cs.service.admin.LockoutMailbox) Mailbox(com.zimbra.cs.mailbox.Mailbox) AdminRight(com.zimbra.cs.account.accesscontrol.AdminRight) ArrayList(java.util.ArrayList) AdminDocumentHandler(com.zimbra.cs.service.admin.AdminDocumentHandler) LockoutMailbox(com.zimbra.cs.service.admin.LockoutMailbox) SoapFaultException(com.zimbra.common.soap.SoapFaultException) LockoutMailboxRequest(com.zimbra.soap.admin.message.LockoutMailboxRequest) Test(org.junit.Test)

Example 5 with AdminRight

use of com.zimbra.cs.account.accesscontrol.AdminRight in project zm-mailbox by Zimbra.

the class GetRightsDoc method genNotUsed.

/**
 * Adds one {@code notUsed} element to the response for every admin right known to the
 * RightManager that is absent from {@code usedRights}.
 *
 * @param usedRights the rights that are referenced
 * @param response the element that receives the {@code notUsed} children
 * @throws ServiceException if the right manager cannot be obtained or queried
 */
private void genNotUsed(Set<AdminRight> usedRights, Element response) throws ServiceException {
    // Copy into a fresh set so the subtraction works on a local collection.
    Set<AdminRight> everyRight = new HashSet<AdminRight>(RightManager.getInstance().getAllAdminRights().values());
    Set<AdminRight> unreferenced = SetUtil.subtract(everyRight, usedRights);
    for (AdminRight right : unreferenced) {
        response.addElement("notUsed").setText(right.getName());
    }
}
Also used : AdminRight(com.zimbra.cs.account.accesscontrol.AdminRight) HashSet(java.util.HashSet)

Aggregations

AdminRight (com.zimbra.cs.account.accesscontrol.AdminRight)12 ArrayList (java.util.ArrayList)8 SoapFaultException (com.zimbra.common.soap.SoapFaultException)6 AdminDocumentHandler (com.zimbra.cs.service.admin.AdminDocumentHandler)6 Test (org.junit.Test)6 Attr (com.zimbra.soap.admin.type.Attr)4 HashMap (java.util.HashMap)4 HashSet (java.util.HashSet)4 Element (com.zimbra.common.soap.Element)2 Mailbox (com.zimbra.cs.mailbox.Mailbox)2 LockoutMailbox (com.zimbra.cs.service.admin.LockoutMailbox)2 ModifyAccount (com.zimbra.cs.service.admin.ModifyAccount)2 ModifyCalendarResource (com.zimbra.cs.service.admin.ModifyCalendarResource)2 DocumentDispatcher (com.zimbra.soap.DocumentDispatcher)2 DocumentHandler (com.zimbra.soap.DocumentHandler)2 SoapEngine (com.zimbra.soap.SoapEngine)2 LockoutMailboxRequest (com.zimbra.soap.admin.message.LockoutMailboxRequest)2 ModifyAccountRequest (com.zimbra.soap.admin.message.ModifyAccountRequest)2 ModifyCalendarResourceRequest (com.zimbra.soap.admin.message.ModifyCalendarResourceRequest)2 Map (java.util.Map)2