use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.
the class TestACLAllEffRights method disinheritSubGroupModifier.
/*
zmprov cdl dl@test.com
zmprov cdl subdl@test.com
zmprov cdl subsubdl@test.com
zmprov ca da1@test.com test123 zimbraIsDelegatedAdminAccount TRUE
zmprov ca da2@test.com test123 zimbraIsDelegatedAdminAccount TRUE
zmprov ca a_dl@test.com test123
zmprov ca a_subdl@test.com test123
zmprov ca a_subsubdl@test.com test123
zmprov adlm dl@test.com subdl@test.com a_dl@test.com
zmprov adlm subdl@test.com subsubdl@test.com a_subdl@test.com
zmprov adlm subsubdl@test.com a_subsubdl@test.com
zmprov grr dl dl@test.com usr da1@test.com addDistributionListMember
zmprov grr dl dl@test.com usr da1@test.com modifyDistributionList
zmprov grr dl dl@test.com usr da1@test.com modifyAccount
zmprov grr dl dl@test.com usr da1@test.com listAccount
zmprov grr dl dl@test.com usr da2@test.com ^addDistributionListMember
zmprov grr dl dl@test.com usr da2@test.com ^modifyDistributionList
zmprov grr dl dl@test.com usr da2@test.com ^modifyAccount
zmprov grr dl dl@test.com usr da2@test.com ^listAccount
*/
@Test
public void disinheritSubGroupModifier() throws Exception {
    /*
     * Fixture: a three-level nested distribution list with opposing grants on
     * the top-level list for two delegated admins.
     *
     * Membership:
     *   dl       -> subdl, a_dl
     *   subdl    -> subsubdl, a_subdl
     *   subsubdl -> a_subsubdl
     *
     * NOTE(review): no effective-rights lookup or assertion is visible in this
     * method, so as shown it passes whenever the setup does not throw. Confirm
     * whether the verification step is missing or lives elsewhere.
     */
    Domain testDomain = provUtil.createDomain(genDomainName(baseDomainName()));

    // groups, outermost first
    DistributionList topList = provUtil.createDistributionList("dl", testDomain);
    DistributionList midList = provUtil.createDistributionList("subdl", testDomain);
    DistributionList leafList = provUtil.createDistributionList("subsubdl", testDomain);

    // one plain user per nesting level
    Account topUser = provUtil.createAccount("a_dl", testDomain);
    Account midUser = provUtil.createAccount("a_subdl", testDomain);
    Account leafUser = provUtil.createAccount("a_subsubdl", testDomain);

    // delegated admins: the first receives allow grants, the second deny grants
    Account allowedAdmin = provUtil.createDelegatedAdmin("da1", testDomain);
    Account deniedAdmin = provUtil.createDelegatedAdmin("da2", testDomain);

    topList.addMembers(new String[] { midList.getName(), topUser.getName() });
    midList.addMembers(new String[] { leafList.getName(), midUser.getName() });
    leafList.addMembers(new String[] { leafUser.getName() });

    // Same rights, in the same order, for both admins.
    Right[] rightsUnderTest = {
        Admin.R_addDistributionListMember,
        Admin.R_modifyDistributionList,
        Admin.R_listAccount,
        Admin.R_modifyAccount
    };

    // da1: positive grants on the top-level list (no right modifier).
    for (Right granted : rightsUnderTest) {
        RightCommand.grantRight(prov, null, TargetType.dl.getCode(), TargetBy.name, topList.getName(),
                GranteeType.GT_USER.getCode(), GranteeBy.name, allowedAdmin.getName(), null,
                granted.getName(), null);
    }

    // da2: the same rights granted with RM_DENY, i.e. negative grants
    // (the "^"-prefixed rights in the zmprov transcript above this method).
    for (Right denied : rightsUnderTest) {
        RightCommand.grantRight(prov, null, TargetType.dl.getCode(), TargetBy.name, topList.getName(),
                GranteeType.GT_USER.getCode(), GranteeBy.name, deniedAdmin.getName(), null,
                denied.getName(), RightModifier.RM_DENY);
    }
}
use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.
the class TestACLAllEffRights method shapeTest1.
@Test
public void shapeTest1() throws Exception {
    /*
     * setup: four groups and one account for every non-empty combination of
     * them (15 accounts); each account's name lists the groups it belongs to.
     */
    Domain testDomain = provUtil.createDomain(genDomainName(baseDomainName()));

    DistributionList groupA = provUtil.createDistributionList("groupA", testDomain);
    DistributionList groupB = provUtil.createDistributionList("groupB", testDomain);
    DistributionList groupC = provUtil.createDistributionList("groupC", testDomain);
    DistributionList groupD = provUtil.createDistributionList("groupD", testDomain);

    Account acctA = provUtil.createAccount("A", testDomain);
    Account acctB = provUtil.createAccount("B", testDomain);
    Account acctC = provUtil.createAccount("C", testDomain);
    Account acctD = provUtil.createAccount("D", testDomain);
    Account acctAB = provUtil.createAccount("AB", testDomain);
    Account acctAC = provUtil.createAccount("AC", testDomain);
    Account acctAD = provUtil.createAccount("AD", testDomain);
    Account acctBC = provUtil.createAccount("BC", testDomain);
    Account acctBD = provUtil.createAccount("BD", testDomain);
    Account acctCD = provUtil.createAccount("CD", testDomain);
    Account acctABC = provUtil.createAccount("ABC", testDomain);
    Account acctABD = provUtil.createAccount("ABD", testDomain);
    Account acctACD = provUtil.createAccount("ACD", testDomain);
    Account acctBCD = provUtil.createAccount("BCD", testDomain);
    Account acctABCD = provUtil.createAccount("ABCD", testDomain);

    groupA.addMembers(new String[] {
        acctA.getName(), acctAB.getName(), acctAC.getName(), acctAD.getName(),
        acctABC.getName(), acctABD.getName(), acctACD.getName(), acctABCD.getName() });
    groupB.addMembers(new String[] {
        acctB.getName(), acctAB.getName(), acctBC.getName(), acctBD.getName(),
        acctABC.getName(), acctABD.getName(), acctBCD.getName(), acctABCD.getName() });
    groupC.addMembers(new String[] {
        acctC.getName(), acctAC.getName(), acctBC.getName(), acctCD.getName(),
        acctABC.getName(), acctACD.getName(), acctBCD.getName(), acctABCD.getName() });
    groupD.addMembers(new String[] {
        acctD.getName(), acctAD.getName(), acctBD.getName(), acctCD.getName(),
        acctABD.getName(), acctACD.getName(), acctBCD.getName(), acctABCD.getName() });

    /*
     * test: feed every group's members into the shape sets, one set per target type
     */
    Set<DistributionList> groupsWithGrants = new HashSet<DistributionList>();
    groupsWithGrants.add(groupA);
    groupsWithGrants.add(groupB);
    groupsWithGrants.add(groupC);
    groupsWithGrants.add(groupD);

    Set<GroupShape> accountShapes = new HashSet<GroupShape>();
    // NOTE(review): the next two sets are filled below but never checked in this method.
    Set<GroupShape> calendarResourceShapes = new HashSet<GroupShape>();
    Set<GroupShape> distributionListShapes = new HashSet<GroupShape>();

    for (DistributionList grantedGroup : groupsWithGrants) {
        // look the group up again by id instead of reusing the object created above
        DistributionList fetched = prov.get(DistributionListBy.id, grantedGroup.getId());
        AllGroupMembers members = allGroupMembers(fetched);
        GroupShape.shapeMembers(TargetType.account, accountShapes, members);
        GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, members);
        GroupShape.shapeMembers(TargetType.dl, distributionListShapes, members);
    }

    /*
     * verify: turn each account shape into a sorted, order-independent string
     */
    Set<String> actual = new HashSet<String>();
    int shapeNo = 1;
    for (GroupShape accountShape : accountShapes) {
        List<String> parts = new ArrayList<String>();
        System.out.println("\n" + shapeNo++);
        for (String groupName : accountShape.getGroups()) {
            System.out.println("group " + groupName);
            parts.add("group " + groupName);
        }
        for (String memberName : accountShape.getMembers()) {
            System.out.println(" member" + memberName);
            parts.add("member " + memberName);
        }
        Collections.sort(parts);

        // Shapes without members are left out of the comparison; the original
        // comment states that this does not affect functionality.
        if (accountShape.getMembers().size() == 0) {
            continue;
        }
        actual.add(Verify.makeResultStr(parts));
    }

    String inA = "group " + groupA.getName();
    String inB = "group " + groupB.getName();
    String inC = "group " + groupC.getName();
    String inD = "group " + groupD.getName();

    Set<String> expected = new HashSet<String>();
    // accounts in exactly one group
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, "member " + acctA.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inB, "member " + acctB.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inC, "member " + acctC.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inD, "member " + acctD.getName())));
    // accounts in two groups
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, inB, "member " + acctAB.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, inC, "member " + acctAC.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, inD, "member " + acctAD.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inB, inC, "member " + acctBC.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inB, inD, "member " + acctBD.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inC, inD, "member " + acctCD.getName())));
    // accounts in three groups
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, inB, inC, "member " + acctABC.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, inB, inD, "member " + acctABD.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, inC, inD, "member " + acctACD.getName())));
    expected.add(Verify.makeResultStr(Lists.newArrayList(inB, inC, inD, "member " + acctBCD.getName())));
    // the account in all four groups
    expected.add(Verify.makeResultStr(Lists.newArrayList(inA, inB, inC, inD, "member " + acctABCD.getName())));

    Verify.verifyEquals(expected, actual);
}
use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.
the class TestACLNegativeGrant method targetPrecedence.
/*
* Original grants:
* global grant (allow)
* domain (deny)
* group1 (allow)
* group2 (deny)
* target account (allow)
* => should allow
*
* then revoke the grant on account, should deny
* then revoke the grant on group2, should allow
* then revoke the grant on group1, should deny
* then revoke the grant on domain, should allow
* then revoke the grant on global grant, should deny
*/
@Test
public void targetPrecedence() throws Exception {
    /*
     * Alternating allow/deny grants are placed on every target the account
     * inherits from, then revoked one at a time starting with the account
     * itself. After each revocation the grant on the next target in the chain
     * (group2, group1, domain, global grant) is expected to decide the result.
     */
    Domain testDomain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);

    // all grants and revocations are issued as the global admin
    Account authedAcct = globalAdmin;
    Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

    // the delegated admin whose access is being checked
    Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), testDomain);

    // 1. the target account itself: ALLOW
    Account target = provUtil.createAccount(genAcctNameLocalPart("target"), testDomain);
    grantRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);

    // 2. nested groups, group1 -> group2 -> target: DENY on group2, ALLOW on group1
    DistributionList group1 = provUtil.createDistributionList(genGroupNameLocalPart("group1"), testDomain);
    DistributionList group2 = provUtil.createDistributionList(genGroupNameLocalPart("group2"), testDomain);
    prov.addMembers(group1, new String[] { group2.getName() });
    prov.addMembers(group2, new String[] { target.getName() });
    grantRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    grantRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);

    // 3. the domain holding the target account: DENY
    grantRight(authedAcct, TargetType.domain, testDomain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);

    // 4. the global grant: ALLOW
    GlobalGrant globalGrant = prov.getGlobalGrant();
    grantRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);

    // With every grant in place, the one on the account itself decides: ALLOW.
    TestViaGrant viaAccount = new TestViaGrant(TargetType.account, target, GranteeType.GT_USER,
            grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, viaAccount);

    // Account grant revoked: the deny on group2 takes effect.
    revokeRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    TestViaGrant viaGroup2 = new TestViaGrant(TargetType.dl, group2, GranteeType.GT_USER,
            grantee.getName(), right, TestViaGrant.NEGATIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, viaGroup2);

    // group2 grant revoked: the allow on group1 takes effect.
    revokeRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    TestViaGrant viaGroup1 = new TestViaGrant(TargetType.dl, group1, GranteeType.GT_USER,
            grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, viaGroup1);

    // group1 grant revoked: the deny on the domain takes effect.
    revokeRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    TestViaGrant viaDomain = new TestViaGrant(TargetType.domain, testDomain, GranteeType.GT_USER,
            grantee.getName(), right, TestViaGrant.NEGATIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, viaDomain);

    // Domain grant revoked: the allow on the global grant takes effect.
    revokeRight(authedAcct, TargetType.domain, testDomain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    TestViaGrant viaGlobal = new TestViaGrant(TargetType.global, globalGrant, GranteeType.GT_USER,
            grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, viaGlobal);

    // Global grant revoked: no grant is left, so the call-site default should
    // be honored; the test expects DENY with no via-grant.
    revokeRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    TestViaGrant noGrant = null;
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, noGrant);
}
use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.
the class TestACLPermissionCache method testGrantChangeOnIndirectlyInheritedDistributionList.
@Test
public void testGrantChangeOnIndirectlyInheritedDistributionList() throws Exception {
    /*
     * The grant sits on the outer group, two membership levels above the
     * target: grantTarget -> subGroup -> target. The test checks that the
     * answer from canDo follows a grant, a revoke and a second grant; a
     * decision left over from before the revoke would fail the middle
     * assertion.
     */
    Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain testDomain = createDomain();

    DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, testDomain);
    DistributionList subGroup = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, testDomain);
    DistributionList target = createUserDistributionList(TARGET_USER_GROUP, testDomain);
    Account grantee = createUserAccount(GRANTEE_USER_ACCT, testDomain);

    mProv.addMembers(grantTarget, new String[] { subGroup.getName() });
    mProv.addMembers(subGroup, new String[] { target.getName() });

    // granted on the outer group: allowed on the nested target
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, target, right, false, null));

    // revoked: the earlier positive answer must not persist
    revokeRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
    assertFalse(accessMgr.canDo(grantee, target, right, false, null));

    // granted again: allowed again
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, target, right, false, null));
}
use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.
the class TestACLPermissionCache method testGrantChangeOnDirectlyInheritedDistributionList.
@Test
public void testGrantChangeOnDirectlyInheritedDistributionList() throws Exception {
    /*
     * The target group is a direct member of the group that carries the
     * grant. The test checks that the answer from canDo follows a grant, a
     * revoke and a second grant; a decision left over from before the revoke
     * would fail the middle assertion.
     */
    Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain testDomain = createDomain();

    DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, testDomain);
    DistributionList target = createUserDistributionList(TARGET_USER_GROUP, testDomain);
    Account grantee = createUserAccount(GRANTEE_USER_ACCT, testDomain);

    mProv.addMembers(grantTarget, new String[] { target.getName() });

    // granted on the parent group: allowed on the member group
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, target, right, false, null));

    // revoked: the earlier positive answer must not persist
    revokeRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
    assertFalse(accessMgr.canDo(grantee, target, right, false, null));

    // granted again: allowed again
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, target, right, false, null));
}