
Example 71 with DistributionList

Use of com.zimbra.cs.account.DistributionList in the zm-mailbox project by Zimbra.

From class TestACLNegativeGrant, method targetPrecedence.

/*
 * Target precedence with mixed positive and negative grants.
 *
 * The grants below form a chain from the least specific target (the global
 * grant) to the most specific (the account itself), alternating allow/deny:
 *
 *     global grant (allow)
 *         domain (deny)
 *             outer group (allow)
 *                 inner group (deny)
 *                     target account (allow)
 *
 * The most specific grant wins, so the initial decision is ALLOW. Revoking
 * the grants one level at a time, from the account outward, must flip the
 * decision at every step:
 *
 *     revoke account grant     -> DENY  (via inner group)
 *     revoke inner-group grant -> ALLOW (via outer group)
 *     revoke outer-group grant -> DENY  (via domain)
 *     revoke domain grant      -> ALLOW (via global grant)
 *     revoke global grant      -> DENY  (no grant left; callsite default)
 *
 * Security note: the last step is the fail-closed case -- once no grant on
 * any target in the chain applies, the right is denied, not allowed.
 */
@Test
public void targetPrecedence() throws Exception {
    Domain testDomain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);

    // The account that issues every grant/revoke below, and the right being exercised.
    Account granter = globalAdmin;
    Right presetRight = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

    // Grantee: a delegated admin in the test domain.
    Account delegatedAdmin = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), testDomain);

    // Target chain, most specific first.
    // 1. the target account itself
    Account targetAcct = provUtil.createAccount(genAcctNameLocalPart("target"), testDomain);
    grantRight(granter, TargetType.account, targetAcct, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);

    // 2. groups containing the target: targetAcct is a direct member of innerGroup,
    //    which is itself a member of outerGroup (nested distribution lists).
    DistributionList outerGroup = provUtil.createDistributionList(genGroupNameLocalPart("group1"), testDomain);
    DistributionList innerGroup = provUtil.createDistributionList(genGroupNameLocalPart("group2"), testDomain);
    prov.addMembers(outerGroup, new String[] { innerGroup.getName() });
    prov.addMembers(innerGroup, new String[] { targetAcct.getName() });
    grantRight(granter, TargetType.dl, innerGroup, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);
    grantRight(granter, TargetType.dl, outerGroup, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);

    // 3. the domain the target lives in
    grantRight(granter, TargetType.domain, testDomain, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);

    // 4. the global grant (this test passes a null target for TargetType.global)
    GlobalGrant globalTarget = prov.getGlobalGrant();
    grantRight(granter, TargetType.global, null, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);

    // Walk the chain outward, revoking one level at a time and checking which grant decides.
    TestViaGrant expectedVia;

    // All grants present: the account-level ALLOW is the most specific and wins.
    expectedVia = new TestViaGrant(TargetType.account, targetAcct, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.POSITIVE);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, expectedVia);

    // Without the account grant, the inner group's DENY decides.
    revokeRight(granter, TargetType.account, targetAcct, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);
    expectedVia = new TestViaGrant(TargetType.dl, innerGroup, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.NEGATIVE);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);

    // Without the inner group grant, the outer group's ALLOW decides.
    revokeRight(granter, TargetType.dl, innerGroup, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);
    expectedVia = new TestViaGrant(TargetType.dl, outerGroup, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.POSITIVE);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, expectedVia);

    // Without the outer group grant, the domain's DENY decides.
    revokeRight(granter, TargetType.dl, outerGroup, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);
    expectedVia = new TestViaGrant(TargetType.domain, testDomain, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.NEGATIVE);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);

    // Without the domain grant, the global grant's ALLOW decides.
    revokeRight(granter, TargetType.domain, testDomain, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);
    expectedVia = new TestViaGrant(TargetType.global, globalTarget, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.POSITIVE);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, expectedVia);

    // No grant left anywhere: nothing to report as "via", and the callsite default (DENY) is honored.
    revokeRight(granter, TargetType.global, null, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);
    expectedVia = null;
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);
}
Also used : GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) GlobalGrant(com.zimbra.cs.account.GlobalGrant) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) TestViaGrant(com.zimbra.qa.unittest.prov.ldap.ACLTestUtil.TestViaGrant) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)

Example 72 with DistributionList

Use of com.zimbra.cs.account.DistributionList in the zm-mailbox project by Zimbra.

From class TestACLPermissionCache, method testGrantChangeOnIndirectlyInheritedDistributionList.

/**
 * A grant change on a distribution list must be visible through two levels of
 * list nesting.
 *
 * Layout: outerList contains middleList, which contains targetList. A right
 * granted on outerList is expected to apply to targetList; revoking it must take
 * effect on the very next check (a stale permission cache would make the middle
 * assertion fail, i.e. the grantee would keep a right that was already revoked),
 * and re-granting must restore it.
 */
@Test
public void testGrantChangeOnIndirectlyInheritedDistributionList() throws Exception {
    Right dlRight = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain testDomain = createDomain();

    // Three nested user DLs: outerList -> middleList -> targetList.
    DistributionList outerList = createUserDistributionList(GRANTTARGET_USER_GROUP, testDomain);
    DistributionList middleList = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, testDomain);
    DistributionList targetList = createUserDistributionList(TARGET_USER_GROUP, testDomain);
    Account user = createUserAccount(GRANTEE_USER_ACCT, testDomain);
    mProv.addMembers(outerList, new String[] { middleList.getName() });
    mProv.addMembers(middleList, new String[] { targetList.getName() });

    // grant on the outer list -> allowed on the innermost list
    grantRight(TargetType.dl, outerList, GranteeType.GT_USER, user, dlRight);
    assertTrue("right granted on the outer list should be inherited by the target list",
            accessMgr.canDo(user, targetList, dlRight, false, null));

    // revoke -> denied immediately; the cache must not keep serving the old grant
    revokeRight(TargetType.dl, outerList, GranteeType.GT_USER, user, dlRight);
    assertFalse("revoked right must not survive in the permission cache",
            accessMgr.canDo(user, targetList, dlRight, false, null));

    // grant again -> allowed again
    grantRight(TargetType.dl, outerList, GranteeType.GT_USER, user, dlRight);
    assertTrue("re-granted right should be allowed again",
            accessMgr.canDo(user, targetList, dlRight, false, null));
}
Also used : GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)

Example 73 with DistributionList

Use of com.zimbra.cs.account.DistributionList in the zm-mailbox project by Zimbra.

From class TestACLPermissionCache, method testGrantChangeOnDirectlyInheritedDistributionList.

/**
 * A grant change on a distribution list must be visible to a list that is a
 * direct member of it.
 *
 * Layout: parentList contains targetList. A right granted on parentList is
 * expected to apply to targetList; revoking it must be honored on the next
 * check (no stale cached allow), and re-granting must restore it.
 */
@Test
public void testGrantChangeOnDirectlyInheritedDistributionList() throws Exception {
    Right dlRight = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain testDomain = createDomain();

    // Two user DLs, one nested directly in the other: parentList -> targetList.
    DistributionList parentList = createUserDistributionList(GRANTTARGET_USER_GROUP, testDomain);
    DistributionList targetList = createUserDistributionList(TARGET_USER_GROUP, testDomain);
    Account user = createUserAccount(GRANTEE_USER_ACCT, testDomain);
    mProv.addMembers(parentList, new String[] { targetList.getName() });

    // grant on the parent -> allowed on the member list
    grantRight(TargetType.dl, parentList, GranteeType.GT_USER, user, dlRight);
    assertTrue("right granted on the parent list should be inherited by the member list",
            accessMgr.canDo(user, targetList, dlRight, false, null));

    // revoke -> denied immediately
    revokeRight(TargetType.dl, parentList, GranteeType.GT_USER, user, dlRight);
    assertFalse("revoked right must not survive in the permission cache",
            accessMgr.canDo(user, targetList, dlRight, false, null));

    // grant again -> allowed again
    grantRight(TargetType.dl, parentList, GranteeType.GT_USER, user, dlRight);
    assertTrue("re-granted right should be allowed again",
            accessMgr.canDo(user, targetList, dlRight, false, null));
}
Also used : GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)

Example 74 with DistributionList

Use of com.zimbra.cs.account.DistributionList in the zm-mailbox project by Zimbra.

From class TestACLPermissionCache, method testIndirectGroupMembershipChanged.

/**
 * Changing list membership (rather than the grant itself) must invalidate a
 * cached permission.
 *
 * Layout: outerList contains middleList, which contains targetList; the right is
 * granted on outerList. Removing targetList from middleList must make the right
 * disappear on the next check, and adding it back must restore it.
 *
 * Known limitation (carried over from the original test): removing middleList
 * from outerList is NOT exercised. Per the original author's note, the upward
 * group list is still cached on the account even after the permission cache is
 * cleared, a behavior that predates the permission cache work, so that check
 * would fail. From a security standpoint that is a window in which a grantee
 * keeps an inherited right after the membership that conferred it was removed.
 */
@Test
public void testIndirectGroupMembershipChanged() throws Exception {
    Right dlRight = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain testDomain = createDomain();

    // Three nested user DLs: outerList -> middleList -> targetList.
    DistributionList outerList = createUserDistributionList(GRANTTARGET_USER_GROUP, testDomain);
    DistributionList middleList = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, testDomain);
    DistributionList targetList = createUserDistributionList(TARGET_USER_GROUP, testDomain);
    Account user = createUserAccount(GRANTEE_USER_ACCT, testDomain);
    mProv.addMembers(outerList, new String[] { middleList.getName() });
    mProv.addMembers(middleList, new String[] { targetList.getName() });

    // grant on the outer list -> allowed on the innermost list
    grantRight(TargetType.dl, outerList, GranteeType.GT_USER, user, dlRight);
    assertTrue("right granted on the outer list should be inherited by the target list",
            accessMgr.canDo(user, targetList, dlRight, false, null));

    // Not exercised -- see the limitation described in the Javadoc above:
    //   mProv.removeMembers(outerList, new String[] { middleList.getName() });
    //   assertFalse(accessMgr.canDo(user, targetList, dlRight, false, null));

    // Removing the target from the middle list does take effect immediately.
    mProv.removeMembers(middleList, new String[] { targetList.getName() });
    assertFalse("right must not be retained after the target leaves the middle list",
            accessMgr.canDo(user, targetList, dlRight, false, null));

    // ...and adding it back restores the inherited right.
    mProv.addMembers(middleList, new String[] { targetList.getName() });
    assertTrue("right should be inherited again after the target rejoins the middle list",
            accessMgr.canDo(user, targetList, dlRight, false, null));
}
Also used : GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)

Example 75 with DistributionList

Use of com.zimbra.cs.account.DistributionList in the zm-mailbox project by Zimbra.

From class CalendarUtils, method getRemovedAttendees.

/**
 * Computes which attendees of {@code oldAttendees} no longer appear in
 * {@code newAttendees}. Callers use the result to send individual cancellation
 * messages, so an attendee that is still reachable through a list or group that
 * remains on the invite must not be reported as removed.
 *
 * Matching rules, applied in this order:
 * <ol>
 *   <li>An old address that resolves to a local account matches any new attendee
 *       address accepted by that account's {@link AccountAddressMatcher}
 *       (so aliases count as the same attendee).</li>
 *   <li>Any other old address matches a new attendee by case-insensitive string
 *       comparison. An old attendee without an address is always treated as removed.</li>
 *   <li>When {@code checkListMembership} is set and the
 *       {@code check_dl_membership_enabled} local-config switch is on (bug 68728: it is
 *       off in ZD), a candidate is dropped again if it is covered by a GAL group or
 *       local distribution list among the new attendees. GAL group membership is checked
 *       for every candidate; local DL membership comes from
 *       {@code prov.getDistributionLists} for candidates that are local accounts; for the
 *       remaining non-local addresses only direct DL membership is checked (no recursive
 *       expansion).</li>
 * </ol>
 *
 * NOTE(review): the GAL-member comparison uses plain {@code Set#contains} (exact case),
 * unlike the other address comparisons in this method, and the DL-member comparison
 * lowercases with the default locale; whether addresses are normalized before they get
 * here is not visible from this method -- confirm against the callers.
 *
 * @param oldAttendees        the attendee list before the change
 * @param newAttendees        the attendee list after the change
 * @param checkListMembership whether list/group membership should be consulted before
 *                            treating an attendee as removed
 * @param account             the account on whose behalf GAL lookups are performed
 * @return the attendees considered removed; possibly empty, never {@code null}
 * @throws ServiceException if a provisioning or GAL lookup fails
 */
public static List<ZAttendee> getRemovedAttendees(List<ZAttendee> oldAttendees, List<ZAttendee> newAttendees, boolean checkListMembership, Account account) throws ServiceException {
    Provisioning prov = Provisioning.getInstance();

    // Pass 1: every old attendee that cannot be found among the new attendees is a candidate.
    List<ZAttendee> removed = new ArrayList<ZAttendee>();
    for (ZAttendee oldAt : oldAttendees) {
        if (!attendeeStillListed(prov, oldAt, newAttendees)) {
            removed.add(oldAt);
        }
    }
    if (removed.isEmpty()) {
        return removed;
    }

    // Pass 2 (optional): drop candidates that are still covered by a list/group on the invite.
    // bug 68728: ZD turns this off through local config.
    if (checkListMembership && LC.check_dl_membership_enabled.booleanValue()) {
        dropAttendeesCoveredByLists(prov, removed, newAttendees, account);
    }
    return removed;
}

/**
 * Returns whether {@code oldAt} is still present in {@code newAttendees}.
 * A local account matches through any of its aliases; anything else is compared
 * as a case-insensitive string. An attendee without an address never matches.
 */
private static boolean attendeeStillListed(Provisioning prov, ZAttendee oldAt, List<ZAttendee> newAttendees) throws ServiceException {
    String oldAddr = oldAt.getAddress();
    if (oldAddr == null) {
        return false;
    }
    Account oldAcct = prov.get(AccountBy.name, oldAddr);
    if (oldAcct != null) {
        // local user: aliases count as the same attendee
        AccountAddressMatcher matcher = new AccountAddressMatcher(oldAcct);
        for (ZAttendee newAt : newAttendees) {
            if (matcher.matches(newAt.getAddress())) {
                return true;
            }
        }
        return false;
    }
    // external address: simple case-insensitive comparison
    for (ZAttendee newAt : newAttendees) {
        if (oldAddr.equalsIgnoreCase(newAt.getAddress())) {
            return true;
        }
    }
    return false;
}

/**
 * Removes from {@code removed} every attendee that is still a member of a GAL group
 * or local distribution list present among {@code newAttendees}.
 */
private static void dropAttendeesCoveredByLists(Provisioning prov, List<ZAttendee> removed, List<ZAttendee> newAttendees, Account account) throws ServiceException {
    // Which of the new attendees are local DLs, and which are GAL groups.
    List<DistributionList> newLists = new ArrayList<DistributionList>();
    List<String> newGalGroups = new ArrayList<String>(); // GAL group email addresses
    for (ZAttendee newAt : newAttendees) {
        String addr = newAt.getAddress();
        if (addr == null) {
            continue;
        }
        DistributionList dl = prov.get(Key.DistributionListBy.name, addr);
        if (dl != null) {
            newLists.add(dl);
        } else if (GalGroup.isGroup(addr, account)) {
            newGalGroups.add(addr);
        }
    }

    // GAL groups first: fetching their member list is the expensive part, and we can
    // stop as soon as there is nothing left to drop.
    for (String galAddr : newGalGroups) {
        if (removed.isEmpty()) {
            break;
        }
        Set<String> galMembers = GalGroupMembers.getGroupMembers(galAddr, account);
        Iterator<ZAttendee> galIt = removed.iterator();
        while (galIt.hasNext()) {
            String addr = galIt.next().getAddress();
            // exact-case lookup
            if (addr != null && galMembers.contains(addr)) {
                galIt.remove();
            }
        }
    }

    // Local accounts: membership in the new DLs (which may be via an alias) comes from
    // provisioning. Addresses that are not local accounts are set aside for the
    // direct-member check below.
    Set<String> nonLocalAddrs = new HashSet<String>();
    Iterator<ZAttendee> localIt = removed.iterator();
    while (localIt.hasNext()) {
        String addr = localIt.next().getAddress();
        if (addr == null) {
            continue;
        }
        Account removedAcct = prov.get(AccountBy.name, addr);
        if (removedAcct == null) {
            nonLocalAddrs.add(addr);
        } else if (belongsToAnyList(prov.getDistributionLists(removedAcct), newLists)) {
            localIt.remove();
        }
    }

    // Non-local addresses: only direct membership in the new DLs is considered;
    // no recursive expansion, to keep the cost bounded.
    if (nonLocalAddrs.isEmpty()) {
        return;
    }
    for (DistributionList dl : newLists) {
        String[] members = dl.getAllMembers();
        if (members == null || members.length == 0) {
            continue;
        }
        Set<String> membersLower = new HashSet<String>();
        for (String member : members) {
            membersLower.add(member.toLowerCase());
        }
        Iterator<ZAttendee> remoteIt = removed.iterator();
        while (remoteIt.hasNext()) {
            String addr = remoteIt.next().getAddress();
            if (addr != null && nonLocalAddrs.contains(addr) && membersLower.contains(addr.toLowerCase())) {
                remoteIt.remove();
            }
        }
    }
}

/** Returns whether any list in {@code lists} has its id in {@code memberOfIds}. */
private static boolean belongsToAnyList(Set<String> memberOfIds, List<DistributionList> lists) {
    for (DistributionList dl : lists) {
        if (memberOfIds.contains(dl.getId())) {
            return true;
        }
    }
    return false;
}
Also used : Account(com.zimbra.cs.account.Account) ArrayList(java.util.ArrayList) Provisioning(com.zimbra.cs.account.Provisioning) AccountAddressMatcher(com.zimbra.cs.util.AccountUtil.AccountAddressMatcher) ZAttendee(com.zimbra.cs.mailbox.calendar.ZAttendee) DistributionList(com.zimbra.cs.account.DistributionList) HashSet(java.util.HashSet)
