From class TestACLNegativeGrant, method targetPrecedence:
/*
* Original grants:
* global grant (allow)
* domain (deny)
* group1 (allow)
* group2 (deny)
* target account (allow)
* => should allow
*
* then revoke the grant on account, should deny
* then revoke the grant on group2, should allow
* then revoke the grant on group1, should deny
* then revoke the grant on domain, should allow
* then revoke the grant on global grant, should deny
*/
@Test
public void targetPrecedence() throws Exception {
    // The grant on the most specific target decides. Starting with
    // alternating allow/deny grants on every level of the target chain
    //   account(allow) < group2(deny) < group1(allow) < domain(deny) < global(allow)
    // revoke one level at a time, innermost first, and check that the
    // decision flips to the next level outward each time. Once no grant
    // is left, the call-site default (deny here) must be honoured.
    Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
    Account grantor = globalAdmin;
    Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
    Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), domain);

    // level 1: the account itself
    Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
    grantRight(grantor, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    // levels 2 and 3: group2 holds the account directly, group1 holds group2
    DistributionList outerGroup = provUtil.createDistributionList(genGroupNameLocalPart("group1"), domain);
    DistributionList innerGroup = provUtil.createDistributionList(genGroupNameLocalPart("group2"), domain);
    prov.addMembers(outerGroup, new String[] { innerGroup.getName() });
    prov.addMembers(innerGroup, new String[] { target.getName() });
    grantRight(grantor, TargetType.dl, innerGroup, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    grantRight(grantor, TargetType.dl, outerGroup, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    // level 4: the domain the account lives in
    grantRight(grantor, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    // level 5: the global grant (granted with a null target)
    GlobalGrant globalGrant = prov.getGlobalGrant();
    grantRight(grantor, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);

    // all grants in place: the account-level allow wins
    TestViaGrant expectedVia = new TestViaGrant(TargetType.account, target, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, expectedVia);

    // drop the account grant: the deny on the directly containing group2 takes over
    revokeRight(grantor, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    expectedVia = new TestViaGrant(TargetType.dl, innerGroup, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.NEGATIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);

    // drop group2: the allow on the enclosing group1 takes over
    revokeRight(grantor, TargetType.dl, innerGroup, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    expectedVia = new TestViaGrant(TargetType.dl, outerGroup, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, expectedVia);

    // drop group1: the deny on the domain takes over
    revokeRight(grantor, TargetType.dl, outerGroup, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    expectedVia = new TestViaGrant(TargetType.domain, domain, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.NEGATIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);

    // drop the domain: the allow on the global grant takes over
    revokeRight(grantor, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    expectedVia = new TestViaGrant(TargetType.global, globalGrant, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, expectedVia);

    // drop the global grant: nothing matches any more, so the call-site
    // default (deny) must be honoured and no "via" grant is expected
    revokeRight(grantor, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, null);
}
From class TestACLPermissionCache, method testGrantChangeOnIndirectlyInheritedDistributionList:
@Test
public void testGrantChangeOnIndirectlyInheritedDistributionList() throws Exception {
    // Grant on the outermost list and check on a list two levels down
    // (granted -> middle -> leaf). Each grant/revoke must be reflected by
    // the permission cache on the very next canDo() call.
    Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain domain = createDomain();
    DistributionList grantedList = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
    DistributionList middleList = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, domain);
    DistributionList leafList = createUserDistributionList(TARGET_USER_GROUP, domain);
    Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
    mProv.addMembers(grantedList, new String[] { middleList.getName() });
    mProv.addMembers(middleList, new String[] { leafList.getName() });

    // grant -> allowed through the two-level chain
    grantRight(TargetType.dl, grantedList, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, leafList, right, false, null));
    // revoke -> denied; a stale positive cache entry must not keep granting
    revokeRight(TargetType.dl, grantedList, GranteeType.GT_USER, grantee, right);
    assertFalse(accessMgr.canDo(grantee, leafList, right, false, null));
    // grant again -> allowed; a stale negative cache entry must not keep denying
    grantRight(TargetType.dl, grantedList, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, leafList, right, false, null));
}
From class TestACLPermissionCache, method testGrantChangeOnDirectlyInheritedDistributionList:
@Test
public void testGrantChangeOnDirectlyInheritedDistributionList() throws Exception {
    // Grant on a list and check on its direct member list
    // (granted -> leaf). Each grant/revoke must be reflected by the
    // permission cache on the very next canDo() call.
    Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain domain = createDomain();
    DistributionList grantedList = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
    DistributionList leafList = createUserDistributionList(TARGET_USER_GROUP, domain);
    Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
    mProv.addMembers(grantedList, new String[] { leafList.getName() });

    // grant -> allowed through direct membership
    grantRight(TargetType.dl, grantedList, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, leafList, right, false, null));
    // revoke -> denied; a stale positive cache entry must not keep granting
    revokeRight(TargetType.dl, grantedList, GranteeType.GT_USER, grantee, right);
    assertFalse(accessMgr.canDo(grantee, leafList, right, false, null));
    // grant again -> allowed; a stale negative cache entry must not keep denying
    grantRight(TargetType.dl, grantedList, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, leafList, right, false, null));
}
From class TestACLPermissionCache, method testIndirectGroupMembershipChanged:
@Test
public void testIndirectGroupMembershipChanged() throws Exception {
    // Grant on the outer list; the target list is a member of its member
    // (granted -> middle -> target). Changing the membership chain must be
    // reflected in the access decision without an explicit grant change.
    Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain domain = createDomain();
    DistributionList grantedList = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
    DistributionList middleList = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, domain);
    DistributionList targetList = createUserDistributionList(TARGET_USER_GROUP, domain);
    Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
    mProv.addMembers(grantedList, new String[] { middleList.getName() });
    mProv.addMembers(middleList, new String[] { targetList.getName() });

    grantRight(TargetType.dl, grantedList, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, targetList, right, false, null));

    // Known gap, deliberately NOT exercised: unlinking the middle list from
    // the granted list does not revoke access right away. The permission
    // cache is cleared, but the upward groups are still cached on the
    // account, so the grant keeps being found through the stale chain.
    // This behaviour predates the permission-cache enhancement. Treat it as
    // a revocation delay: removing an intermediate list is not a reliable
    // way to withdraw a right immediately.
    // mProv.removeMembers(grantedList, new String[] { middleList.getName() });
    // assertFalse(accessMgr.canDo(grantee, targetList, right, false, null));

    // Unlinking the target itself from the middle list is honoured at once ...
    mProv.removeMembers(middleList, new String[] { targetList.getName() });
    assertFalse(accessMgr.canDo(grantee, targetList, right, false, null));
    // ... and re-linking it restores the inherited grant.
    mProv.addMembers(middleList, new String[] { targetList.getName() });
    assertTrue(accessMgr.canDo(grantee, targetList, right, false, null));
}
From class CalendarUtils, method getRemovedAttendees:
/**
 * Compares the old and new attendee lists and returns the attendees that are being removed,
 * i.e. entries of {@code oldAttendees} with no counterpart in {@code newAttendees}. Callers use
 * this to send individual cancellation messages. When {@code checkListMembership} is set (and
 * not disabled by local config), a removed attendee that is still covered by a distribution list
 * or GAL group on the new list is not reported, so it receives no cancellation.
 *
 * @param oldAttendees        attendees before the change (must not be null)
 * @param newAttendees        attendees after the change (must not be null)
 * @param checkListMembership whether to exclude attendees still reachable through a DL/GAL group
 * @param account             account used for GAL group lookups
 * @return a fresh, mutable list of removed attendees; empty (never null) when nothing was removed
 * @throws ServiceException propagated from provisioning and GAL lookups
 */
public static List<ZAttendee> getRemovedAttendees(List<ZAttendee> oldAttendees, List<ZAttendee> newAttendees, boolean checkListMembership, Account account) throws ServiceException {
    // Result is always a fresh, mutable list (possibly empty), never null.
    List<ZAttendee> list = new ArrayList<ZAttendee>();
    Provisioning prov = Provisioning.getInstance();
    // Pass 1: every old attendee with no counterpart on the new list is a candidate for
    // removal (and therefore for an individual cancellation message).
    for (ZAttendee old : oldAttendees) {
        boolean matches = false;
        String oldAddr = old.getAddress();
        if (oldAddr != null) {
            Account oldAcct = prov.get(AccountBy.name, oldAddr);
            if (oldAcct != null) {
                // Local account: match against every address of the account (aliases
                // included), so switching an attendee to one of its aliases is not a removal.
                AccountAddressMatcher acctMatcher = new AccountAddressMatcher(oldAcct);
                for (ZAttendee newAt : newAttendees) {
                    if (acctMatcher.matches(newAt.getAddress())) {
                        matches = true;
                        break;
                    }
                }
            } else {
                // External address: plain case-insensitive comparison
                // (a null new-attendee address simply never matches).
                for (ZAttendee newAt : newAttendees) {
                    if (oldAddr.equalsIgnoreCase(newAt.getAddress())) {
                        matches = true;
                        break;
                    }
                }
            }
        }
        // An old attendee without an address can never match and is always reported as removed.
        if (!matches)
            list.add(old);
    }
    if (list.isEmpty())
        return list;
    // bug 68728: local config can switch the membership checks off entirely (skipped in ZD).
    checkListMembership = checkListMembership && LC.check_dl_membership_enabled.booleanValue();
    // Pass 2 (optional): a removed attendee that is still reachable through a local
    // distribution list or a GAL group on the new list is taken back out of the result,
    // i.e. it is treated as still invited and gets no cancellation.
    if (checkListMembership) {
        List<DistributionList> newAtsDL = new ArrayList<DistributionList>();
        List<String> /* GAL group email addresses */
        newAtsGALGroup = new ArrayList<String>();
        // Classify the new attendees: local DL, GAL group, or neither.
        for (ZAttendee at : newAttendees) {
            String addr = at.getAddress();
            if (addr != null) {
                DistributionList dl = prov.get(Key.DistributionListBy.name, addr);
                if (dl != null)
                    newAtsDL.add(dl);
                else if (GalGroup.isGroup(addr, account))
                    newAtsGALGroup.add(addr);
            }
        }
        // GAL groups: iterate over GAL groups first because fetching the member list is
        // expensive; stop as soon as there is nothing left to exclude.
        for (String galAddr : newAtsGALGroup) {
            if (list.isEmpty())
                break;
            Set<String> galMembers = GalGroupMembers.getGroupMembers(galAddr, account);
            for (Iterator<ZAttendee> removedIter = list.iterator(); removedIter.hasNext(); ) {
                ZAttendee removedAt = removedIter.next();
                String addr = removedAt.getAddress();
                // NOTE(review): exact-case lookup, unlike every other address comparison in
                // this method; whether getGroupMembers() normalises case is not visible here.
                // If it does not, a case-mismatched member is still treated as removed — confirm.
                if (addr != null && galMembers.contains(addr))
                    removedIter.remove();
            }
        }
        Set<String> remoteAddrs = new HashSet<String>();
        // Local DLs, local attendees: membership is resolved through the account object, so
        // membership held via an alias address is covered. Whether getDistributionLists()
        // also reports indirect (nested) membership is not visible here. Addresses that are
        // not local accounts are collected for the direct-membership check below.
        for (Iterator<ZAttendee> removedIter = list.iterator(); removedIter.hasNext(); ) {
            ZAttendee removedAt = removedIter.next();
            String addr = removedAt.getAddress();
            if (addr != null) {
                Account removedAcct = prov.get(AccountBy.name, addr);
                if (removedAcct != null) {
                    Set<String> acctDLs = prov.getDistributionLists(removedAcct);
                    for (DistributionList dl : newAtsDL) {
                        if (acctDLs.contains(dl.getId())) {
                            removedIter.remove();
                            break;
                        }
                    }
                } else {
                    // Removed address is not a local account.
                    remoteAddrs.add(addr);
                }
            }
        }
        // Local DLs, non-local attendees: only DIRECT membership is checked. A remote address
        // that is a member of a nested list inside one of the new DLs is still reported as
        // removed and will receive a cancellation.
        if (!remoteAddrs.isEmpty()) {
            for (DistributionList dl : newAtsDL) {
                // Get list members. No recursive expansion; let's keep it sane.
                String[] members = dl.getAllMembers();
                if (members != null && members.length > 0) {
                    Set<String> membersLower = new HashSet<String>();
                    for (String member : members) {
                        // NOTE(review): default-locale lowercasing; Locale.ROOT would make
                        // this independent of the JVM locale — confirm before changing.
                        membersLower.add(member.toLowerCase());
                    }
                    for (Iterator<ZAttendee> removedIter = list.iterator(); removedIter.hasNext(); ) {
                        ZAttendee removedAt = removedIter.next();
                        String addr = removedAt.getAddress();
                        // remoteAddrs holds the exact strings collected above, so the
                        // case-sensitive contains() there is fine; the member match is
                        // case-insensitive.
                        if (addr != null && remoteAddrs.contains(addr) && membersLower.contains(addr.toLowerCase())) {
                            removedIter.remove();
                        }
                    }
                }
            }
        }
    }
    return list;
}