
Example 1 with ZGrant

Use of com.zimbra.client.ZGrant in the zm-mailbox project by Zimbra.

Source: method doSETACL of class ImapHandler.

/**
 * Handles the IMAP SETACL command (RFC 4314) for the folder at {@code path}.
 * The client's IMAP rights string is translated into a Zimbra rights bitmask,
 * the requester is checked for admin rights on the folder, {@code principal}
 * is resolved to a grantee, and the grant for that grantee is updated
 * according to {@code action}.
 *
 * @param tag       IMAP command tag echoed in the tagged response
 * @param path      target folder; a local folder is a {@code Folder}, a remote one a {@code ZFolder}
 * @param principal grantee identifier from the client: the literal {@code "anyone"},
 *                  or an account / distribution-list name
 * @param i4rights  IMAP rights string as supplied by the client (untrusted input)
 * @param action    whether the parsed rights are added to, removed from, or replace
 *                  the grantee's existing rights
 * @return always {@code true}; the outcome is reported to the client as BAD, NO or OK
 * @throws IOException as declared; the send* response helpers are defined elsewhere in the class
 */
boolean doSETACL(String tag, ImapPath path, String principal, String i4rights, StoreAction action) throws IOException {
    if (!checkState(tag, State.AUTHENTICATED))
        return true;
    // RFC 4314 2: "If rights are tied in an implementation, the implementation must be
    //              conservative in granting rights in response to SETACL commands--unless
    //              all rights in a tied set are specified, none of that set should be
    //              included in the ACL entry for that identifier."
    // Zimbra rights bitmask built from the IMAP rights string.
    short rights = 0;
    // A Zimbra right is granted only when every IMAP right of its tied set is present;
    // allRightsPresent() does that membership check, so a partial set contributes nothing.
    for (int i = 0; i < i4rights.length(); i++) {
        char c = i4rights.charAt(i);
        if (IMAP_READ_RIGHTS.indexOf(c) != -1) {
            if (allRightsPresent(i4rights, IMAP_READ_RIGHTS))
                rights |= ACL.RIGHT_READ;
        } else if (IMAP_WRITE_RIGHTS.indexOf(c) != -1) {
            if (allRightsPresent(i4rights, IMAP_WRITE_RIGHTS))
                rights |= ACL.RIGHT_WRITE;
        } else if (IMAP_INSERT_RIGHTS.indexOf(c) != -1) {
            if (allRightsPresent(i4rights, IMAP_INSERT_RIGHTS))
                rights |= ACL.RIGHT_INSERT;
        } else if (IMAP_DELETE_RIGHTS.indexOf(c) != -1) {
            if (allRightsPresent(i4rights, IMAP_DELETE_RIGHTS))
                rights |= ACL.RIGHT_DELETE;
        } else if (IMAP_ADMIN_RIGHTS.indexOf(c) != -1) {
            if (allRightsPresent(i4rights, IMAP_ADMIN_RIGHTS))
                rights |= ACL.RIGHT_ADMIN;
        } else {
            // RFC 4314 3.1: "Note that an unrecognized right MUST cause the command to return
            //                the BAD response.  In particular, the server MUST NOT silently
            //                ignore unrecognized rights."
            // The rejected string is client-controlled and is written to the log as-is.
            ZimbraLog.imap.info("SETACL failed: invalid rights string: %s", i4rights);
            sendBAD(tag, "SETACL failed: invalid right");
            return true;
        }
    }
    try {
        // make sure the requester has sufficient permissions to make the request
        // Authorization gate: only a holder of RIGHT_ADMIN on the folder may change its grants.
        // Every failure below answers with the same generic NO; the specific reason is
        // recorded only in the server log.
        if ((path.getFolderRights() & ACL.RIGHT_ADMIN) == 0) {
            ZimbraLog.imap.info("SETACL failed: user does not have admin access: %s", path);
            sendNO(tag, "SETACL failed");
            return true;
        }
        // detect a no-op early and short-circuit out here
        // (adding or removing an empty set of rights cannot change any grant)
        if (action != StoreAction.REPLACE && rights == 0) {
            sendNotifications(true, false);
            sendOK(tag, "SETACL completed");
            return true;
        }
        // figure out who's being granted permissions
        String granteeId = null;
        byte granteeType;
        if (principal.equals("anyone")) {
            // IMAP "anyone" is mapped to the authenticated-users grantee, not the public one.
            granteeId = GuestAccount.GUID_AUTHUSER;
            granteeType = ACL.GRANTEE_AUTHUSER;
        } else {
            // Resolve the principal as an account first, then as a distribution list.
            granteeType = ACL.GRANTEE_USER;
            NamedEntry entry = Provisioning.getInstance().get(AccountBy.name, principal);
            if (entry == null) {
                // granteeType becomes GROUP even if this lookup also misses; that is harmless
                // because granteeId then stays null and the request is rejected just below.
                entry = Provisioning.getInstance().get(Key.DistributionListBy.name, principal);
                granteeType = ACL.GRANTEE_GROUP;
            }
            if (entry != null) {
                granteeId = entry.getId();
            }
        }
        if (granteeId == null) {
            // Unknown principal: same generic NO as the other failures; name only goes to the log.
            ZimbraLog.imap.info("SETACL failed: cannot resolve principal: %s", principal);
            sendNO(tag, "SETACL failed");
            return true;
        }
        // figure out the rights already granted on the folder
        short oldRights = 0, newRights;
        // NOTE(review): anything that is not a Folder is cast to ZFolder below — this assumes
        // path.getFolder() only ever returns one of those two types; confirm.
        Object folderobj = path.getFolder();
        if (folderobj instanceof Folder) {
            ACL acl = ((Folder) folderobj).getEffectiveACL();
            if (acl != null) {
                // A grant counts as "existing" when its grantee id matches (case-insensitively),
                // or, for "anyone", when it is any auth-user or public grant.
                for (ACL.Grant grant : acl.getGrants()) {
                    if (granteeId.equalsIgnoreCase(grant.getGranteeId()) || (granteeType == ACL.GRANTEE_AUTHUSER && (grant.getGranteeType() == ACL.GRANTEE_AUTHUSER || grant.getGranteeType() == ACL.GRANTEE_PUBLIC))) {
                        oldRights |= grant.getGrantedRights();
                    }
                }
            }
        } else {
            // Remote (ZFolder) grants carry their rights as a string; same matching rule as above.
            for (ZGrant zgrant : ((ZFolder) folderobj).getGrants()) {
                if (granteeId.equalsIgnoreCase(zgrant.getGranteeId()) || (granteeType == ACL.GRANTEE_AUTHUSER && (zgrant.getGranteeType() == ZGrant.GranteeType.all || zgrant.getGranteeType() == ZGrant.GranteeType.pub))) {
                    oldRights |= ACL.stringToRights(zgrant.getPermissions());
                }
            }
        }
        // calculate the new rights we want granted on the folder
        if (action == StoreAction.REMOVE) {
            newRights = (short) (oldRights & ~rights);
        } else if (action == StoreAction.ADD) {
            newRights = (short) (oldRights | rights);
        } else {
            newRights = rights;
        }
        // and update the folder appropriately, if necessary
        // (no write when the effective rights would not change)
        if (newRights != oldRights) {
            if (folderobj instanceof Folder) {
                Mailbox mbox = (Mailbox) path.getOwnerMailbox();
                mbox.grantAccess(getContext(), ((Folder) folderobj).getId(), granteeId, granteeType, newRights, null);
            } else {
                ZMailbox zmbx = (ZMailbox) path.getOwnerMailbox();
                // NOTE(review): only AUTHUSER maps to "all"; a GRANTEE_GROUP resolved above is written
                // as "usr" here, and the client-supplied name rather than the resolved id is sent —
                // confirm this is the intended behaviour for remote folders.
                ZGrant.GranteeType type = (granteeType == ACL.GRANTEE_AUTHUSER ? ZGrant.GranteeType.all : ZGrant.GranteeType.usr);
                zmbx.modifyFolderGrant(((ZFolder) folderobj).getId(), type, principal, ACL.rightsToString(newRights), null);
            }
        }
    } catch (ServiceException e) {
        // Known failure codes are logged at info without a stack trace; anything unexpected
        // at warn with the exception. The client receives the same generic NO in every case.
        if (e.getCode().equals(ServiceException.PERM_DENIED)) {
            ZimbraLog.imap.info("SETACL failed: permission denied on folder: %s", path);
        } else if (e.getCode().equals(MailServiceException.NO_SUCH_FOLDER)) {
            ZimbraLog.imap.info("SETACL failed: no such folder: %s", path);
        } else if (e.getCode().equals(AccountServiceException.NO_SUCH_ACCOUNT)) {
            ZimbraLog.imap.info("SETACL failed: no such account: %s", principal);
        } else {
            ZimbraLog.imap.warn("SETACL failed", e);
        }
        sendNO(tag, "SETACL failed");
        return true;
    }
    sendNotifications(true, false);
    sendOK(tag, "SETACL completed");
    return true;
}

Example 2 with ZGrant

Use of com.zimbra.client.ZGrant in the zm-mailbox project by Zimbra.

Source: method doGetFolderGrant of class ZMailboxUtil.

/**
 * Prints the grants on the folder named by {@code args[0]}.
 * In verbose mode each grant's {@code dump()} output is printed as a
 * comma-separated list in brackets; otherwise a three-column table of
 * permissions, grantee type and a display name is printed.
 *
 * @param args command arguments; {@code args[0]} is the folder path or id
 * @throws ServiceException if the folder or its grant information cannot be fetched
 */
private void doGetFolderGrant(String[] args) throws ServiceException {
    ZFolder folder = getFolderWithFullGrantInfo(args[0]);
    if (!verboseOpt()) {
        String row = "%11.11s  %8.8s  %s%n";
        stdout.format(row, "Permissions", "Type", "Display");
        stdout.format(row, "-----------", "--------", "-------");
        for (ZGrant grant : folder.getGrants()) {
            GranteeType kind = grant.getGranteeType();
            String display;
            if (kind == GranteeType.all || kind == GranteeType.pub) {
                // "anyone"-style grants have no individual grantee to show
                display = "";
            } else if (kind == GranteeType.guest || kind == GranteeType.key) {
                // external grantees are shown by id only
                display = grant.getGranteeId();
            } else if (grant.getGranteeName() != null) {
                display = grant.getGranteeName();
            } else {
                display = grant.getGranteeId();
            }
            stdout.format(row, grant.getPermissions(), getGranteeDisplay(kind), display);
        }
        return;
    }
    StringBuilder dump = new StringBuilder();
    for (ZGrant grant : folder.getGrants()) {
        // separator goes in only once something has already been written
        if (dump.length() > 0) {
            dump.append(",\n");
        }
        dump.append(grant.dump());
    }
    stdout.format("[%n%s%n]%n", dump.toString());
}

Example 3 with ZGrant

Use of com.zimbra.client.ZGrant in the zm-mailbox project by Zimbra.

Source: method doModifyFolderGrant of class ZMailboxUtil.

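/**
 * Grants, changes or revokes a folder grant from command-line arguments.
 * Argument layout, depending on the grantee type in {@code args[1]}:
 * {@code <folder> usr|grp|cos|dom <grantee> <perms>},
 * {@code <folder> pub|all <perms>},
 * {@code <folder> guest|key <grantee> [<secret>] <perms>}.
 * A {@code perms} value of {@code "none"} or {@code ""} revokes the grant.
 *
 * @param args command arguments as described above
 * @throws ServiceException if the argument count does not match the grantee type
 *                          (a {@code ZClientException} client error), or if the
 *                          folder lookup or grant modification fails
 */
private void doModifyFolderGrant(String[] args) throws ServiceException {
    String folderId = lookupFolderId(args[0], false);
    GranteeType type = getGranteeType(args[1]);
    String grantee = null;
    String perms = null;
    // NOTE(review): for guest/key grants the secret (password or access key) arrives on the
    // command line, where it is visible in shell history and process listings.
    String password = null;
    switch(type) {
        case usr:
        case grp:
        case cos:
        case dom:
            if (args.length != 4) {
                throw ZClientException.CLIENT_ERROR("not enough args", null);
            }
            grantee = args[2];
            perms = args[3];
            break;
        case pub:
            // Without this check a missing perms argument surfaced as an
            // ArrayIndexOutOfBoundsException instead of a client error.
            if (args.length < 3) {
                throw ZClientException.CLIENT_ERROR("not enough args", null);
            }
            grantee = GuestAccount.GUID_PUBLIC;
            perms = args[2];
            break;
        case all:
            if (args.length < 3) {
                throw ZClientException.CLIENT_ERROR("not enough args", null);
            }
            grantee = GuestAccount.GUID_AUTHUSER;
            perms = args[2];
            break;
        case guest:
        case key:
            // guest and key share the same shape: the secret is optional and sits before perms
            if (args.length != 4 && args.length != 5) {
                throw ZClientException.CLIENT_ERROR("not enough args", null);
            }
            grantee = args[2];
            if (args.length == 5) {
                password = args[3];
                perms = args[4];
            } else {
                perms = args[3];
            }
            break;
    }
    // NOTE(review): a grantee type not listed above leaves grantee and perms null and falls
    // through to modifyFolderGrant unchanged — confirm whether that path is reachable.
    boolean revoke = (perms != null && (perms.equalsIgnoreCase("none") || perms.length() == 0));
    if (revoke) {
        // convert grantee to grantee id if it is a name
        ZFolder f = getFolderWithFullGrantInfo(folderId);
        String zid = null;
        for (ZGrant g : f.getGrants()) {
            if (grantee.equalsIgnoreCase(g.getGranteeName()) || grantee.equalsIgnoreCase(g.getGranteeId())) {
                zid = g.getGranteeId();
                break;
            }
        }
        if (zid != null || (type == GranteeType.all || type == GranteeType.pub)) {
            if (zid != null)
                grantee = zid;
            mMbox.modifyFolderRevokeGrant(folderId, grantee);
        } else {
            // zid is null
            /*
                 * It could be we are trying to revoke a grant on a sub folder.
                 * e.g. /top/sub
                 *      mfg /top account user2 r
                 *      mfg /top/sub account user2 none
                 *      or
                 *      mfg /top account all r
                 *      mfg /top/sub account user3 none
                 *
                 * or simply just want to grant "no right" to a user
                 * e.g.
                 *      mfg /top account user2 none
                 *
                 * If this is the case zid will be null because there is no such
                 * grant on the specified folder.   Just let it go through by issuing
                 * a grant action, instead of revoke.
                 */
            mMbox.modifyFolderGrant(folderId, type, grantee, "", password);
        }
    } else {
        mMbox.modifyFolderGrant(folderId, type, grantee, perms, password);
    }
}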

Example 4 with ZGrant

Use of com.zimbra.client.ZGrant in the zm-mailbox project by Zimbra.

Source: method dumpGrants of class TestAccessKeyGrant.

/**
 * Test helper: prints every grant on {@code folderId} in {@code mbox} to stdout.
 * For key and guest grantees the grant's args (the access key or password)
 * are printed as part of the diagnostics; for every other grantee type the
 * args are asserted to be null.
 *
 * @param mbox     mailbox that owns the folder
 * @param folderId id of the folder whose grants are dumped
 * @throws Exception if the folder cannot be fetched
 */
private void dumpGrants(ZMailbox mbox, String folderId) throws Exception {
    ZFolder folder = mbox.getFolderRequestById(folderId);
    System.out.println("--------------------");
    System.out.println(mbox.getName() + ", folder=" + folderId);
    for (ZGrant grant : folder.getGrants()) {
        ZGrant.GranteeType kind = grant.getGranteeType();
        System.out.println("    type: " + kind.toString());
        System.out.println("    id: " + grant.getGranteeId());
        System.out.println("    name: " + grant.getGranteeName());
        System.out.println("    rights: " + grant.getPermissions());
        switch (kind) {
            case key:
                System.out.println("    accesskey: " + grant.getArgs());
                break;
            case guest:
                System.out.println("    password: " + grant.getArgs());
                break;
            default:
                // only key/guest grants carry extra args
                assertNull(grant.getArgs());
                break;
        }
        System.out.println();
    }
}

Example 5 with ZGrant

Use of com.zimbra.client.ZGrant in the zm-mailbox project by Zimbra.

Source: method doGETACL of class ImapHandler.

/**
 * Handles the IMAP GETACL command (RFC 4314) for the folder at {@code path}.
 * After checking that the requester holds admin rights on the folder, builds an
 * untagged {@code ACL} response listing the owner with full rights, each resolvable
 * user/group grant, and all public / authenticated-user grants folded into a single
 * {@code anyone} entry.
 *
 * @param tag  IMAP command tag echoed in the tagged response
 * @param path target folder; a local folder is a {@code Folder}, a remote one a {@code ZFolder}
 * @return always {@code true}; the outcome is reported to the client as NO or OK
 * @throws IOException as declared; the send* response helpers are defined elsewhere in the class
 */
boolean doGETACL(String tag, ImapPath path) throws IOException {
    if (!checkState(tag, State.AUTHENTICATED)) {
        return true;
    }
    StringBuilder i4acl = new StringBuilder("ACL ").append(path.asUtf7String());
    try {
        // make sure the requester has sufficient permissions to make the request
        // Authorization gate: the ACL is disclosed only to a holder of RIGHT_ADMIN on the
        // folder. The client gets the same generic NO as for the other failures; the reason
        // is recorded only in the server log.
        if ((path.getFolderRights() & ACL.RIGHT_ADMIN) == 0) {
            ZimbraLog.imap.info("GETACL failed: user does not have admin access: %s", path);
            sendNO(tag, "GETACL failed");
            return true;
        }
        // the target folder's owner always has full rights
        Account owner = path.getOwnerAccount();
        if (owner != null) {
            i4acl.append(" \"").append(owner.getName()).append("\" ").append(IMAP_CONCATENATED_RIGHTS);
        }
        // write out the grants to all users and groups
        // Boxed so that "no anyone-type grant at all" (null) can be told apart from a grant of
        // zero rights; the "anyone" entry is emitted only when at least one such grant exists.
        Short anyoneRights = null;
        // NOTE(review): anything that is not a Folder is cast to ZFolder below — this assumes
        // path.getFolder() only ever returns one of those two types; confirm.
        Object folderobj = path.getFolder();
        if (folderobj instanceof Folder) {
            ACL acl = ((Folder) folderobj).getEffectiveACL();
            if (acl != null) {
                for (ACL.Grant grant : acl.getGrants()) {
                    byte type = grant.getGranteeType();
                    short rights = grant.getGrantedRights();
                    if (type == ACL.GRANTEE_AUTHUSER || type == ACL.GRANTEE_PUBLIC) {
                        // both public and authenticated-user grants become IMAP "anyone"
                        anyoneRights = (short) ((anyoneRights == null ? 0 : anyoneRights) | rights);
                    } else if (type == ACL.GRANTEE_USER || type == ACL.GRANTEE_GROUP) {
                        // Grants are reported by name; a grantee id that no longer resolves is
                        // silently omitted from the response. Other grantee types are not reported.
                        NamedEntry entry = FolderAction.lookupGranteeByZimbraId(grant.getGranteeId(), type);
                        if (entry != null) {
                            i4acl.append(" \"").append(entry.getName()).append("\" ").append(exportRights(rights));
                        }
                    }
                }
            }
        } else {
            // Remote (ZFolder) grants carry their rights as a string and use ZGrant grantee types;
            // same reporting rules as the local branch above.
            for (ZGrant zgrant : ((ZFolder) folderobj).getGrants()) {
                ZGrant.GranteeType ztype = zgrant.getGranteeType();
                short rights = ACL.stringToRights(zgrant.getPermissions());
                if (ztype == ZGrant.GranteeType.pub || ztype == ZGrant.GranteeType.all) {
                    anyoneRights = (short) ((anyoneRights == null ? 0 : anyoneRights) | rights);
                } else if (ztype == ZGrant.GranteeType.usr || ztype == ZGrant.GranteeType.grp) {
                    // translate the ZGrant type to the ACL byte type the lookup helper expects
                    byte granteeType = ztype == ZGrant.GranteeType.usr ? ACL.GRANTEE_USER : ACL.GRANTEE_GROUP;
                    NamedEntry entry = FolderAction.lookupGranteeByZimbraId(zgrant.getGranteeId(), granteeType);
                    if (entry != null) {
                        i4acl.append(" \"").append(entry.getName()).append("\" ").append(exportRights(rights));
                    }
                }
            }
        }
        // aggregate all the "public" and "auth user" grants into the "anyone" IMAP ACL
        if (anyoneRights != null) {
            i4acl.append(" anyone ").append(exportRights(anyoneRights));
        }
    } catch (ServiceException e) {
        // Known failure codes are logged at info without a stack trace; anything unexpected
        // at warn with the exception. The client receives the same generic NO in every case.
        if (e.getCode().equals(ServiceException.PERM_DENIED)) {
            ZimbraLog.imap.info("GETACL failed: permission denied on folder: %s", path);
        } else if (e.getCode().equals(MailServiceException.NO_SUCH_FOLDER)) {
            ZimbraLog.imap.info("GETACL failed: no such folder: %s", path);
        } else {
            ZimbraLog.imap.warn("GETACL failed", e);
        }
        sendNO(tag, "GETACL failed");
        return true;
    }
    // the untagged ACL line is sent only after every lookup above succeeded
    sendUntagged(i4acl.toString());
    sendNotifications(true, false);
    sendOK(tag, "GETACL completed");
    return true;
}
