
Example 21 with DistributionList

use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.

the class TestACLAllEffRights method disinheritSubGroupModifier.

/*
    zmprov cdl dl@test.com
    zmprov cdl subdl@test.com
    zmprov cdl subsubdl@test.com

    zmprov ca da1@test.com test123 zimbraIsDelegatedAdminAccount TRUE
    zmprov ca da2@test.com test123 zimbraIsDelegatedAdminAccount TRUE

    zmprov ca a_dl@test.com test123
    zmprov ca a_subdl@test.com test123
    zmprov ca a_subsubdl@test.com test123

    zmprov adlm dl@test.com subdl@test.com a_dl@test.com
    zmprov adlm subdl@test.com subsubdl@test.com a_subdl@test.com
    zmprov adlm subsubdl@test.com a_subsubdl@test.com

    zmprov grr dl dl@test.com usr da1@test.com addDistributionListMember
    zmprov grr dl dl@test.com usr da1@test.com modifyDistributionList
    zmprov grr dl dl@test.com usr da1@test.com modifyAccount
    zmprov grr dl dl@test.com usr da1@test.com listAccount

    zmprov grr dl dl@test.com usr da2@test.com ^addDistributionListMember
    zmprov grr dl dl@test.com usr da2@test.com ^modifyDistributionList
    zmprov grr dl dl@test.com usr da2@test.com ^modifyAccount
    zmprov grr dl dl@test.com usr da2@test.com ^listAccount
     */
@Test
public void disinheritSubGroupModifier() throws Exception {
    // Builds a three-level distribution-list hierarchy and places two sets of
    // grants on the top-level list: plain grants for da1 and the same rights
    // with RightModifier.RM_DENY for da2.
    //
    // Membership:
    //   dl       -> subdl, a_dl
    //   subdl    -> subsubdl, a_subdl
    //   subsubdl -> a_subsubdl
    //
    // NOTE(review): the visible body only sets up the fixture; it contains no
    // assertion on the effective rights of da1/da2. Despite the method name,
    // RM_DENY is the only modifier used here. Confirm whether verification is
    // expected to follow.
    final Domain domain = provUtil.createDomain(genDomainName(baseDomainName()));

    // Distribution lists, outermost first.
    final DistributionList dl = provUtil.createDistributionList("dl", domain);
    final DistributionList subdl = provUtil.createDistributionList("subdl", domain);
    final DistributionList subsubdl = provUtil.createDistributionList("subsubdl", domain);

    // One ordinary account per nesting level.
    final Account acctInDl = provUtil.createAccount("a_dl", domain);
    final Account acctInSubdl = provUtil.createAccount("a_subdl", domain);
    final Account acctInSubsubdl = provUtil.createAccount("a_subsubdl", domain);

    // Delegated admins that receive the grants.
    final Account da1 = provUtil.createDelegatedAdmin("da1", domain);
    final Account da2 = provUtil.createDelegatedAdmin("da2", domain);

    // Wire up the nesting.
    dl.addMembers(new String[] { subdl.getName(), acctInDl.getName() });
    subdl.addMembers(new String[] { subsubdl.getName(), acctInSubdl.getName() });
    subsubdl.addMembers(new String[] { acctInSubsubdl.getName() });

    // Two rights that apply to distribution lists and two that apply to
    // accounts, kept in the order in which they are granted.
    final Right[] rights = {
        Admin.R_addDistributionListMember,
        Admin.R_modifyDistributionList,
        Admin.R_listAccount,
        Admin.R_modifyAccount
    };

    // da1: every right granted on dl with no modifier.
    for (Right granted : rights) {
        RightCommand.grantRight(prov, null,
                TargetType.dl.getCode(), TargetBy.name, dl.getName(),
                GranteeType.GT_USER.getCode(), GranteeBy.name, da1.getName(), null,
                granted.getName(), null);
    }

    // da2: the same rights on the same target, each recorded as a deny.
    for (Right denied : rights) {
        RightCommand.grantRight(prov, null,
                TargetType.dl.getCode(), TargetBy.name, dl.getName(),
                GranteeType.GT_USER.getCode(), GranteeBy.name, da2.getName(), null,
                denied.getName(), RightModifier.RM_DENY);
    }
}
Also used : Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)

Example 22 with DistributionList

use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.

the class TestACLAllEffRights method shapeTest1.

@Test
public void shapeTest1() throws Exception {
    // ---- setup -----------------------------------------------------------
    // Four groups, plus one account for every non-empty combination of the
    // groups; each account's name spells out the groups it is added to.
    Domain domain = provUtil.createDomain(genDomainName(baseDomainName()));

    DistributionList groupA = provUtil.createDistributionList("groupA", domain);
    DistributionList groupB = provUtil.createDistributionList("groupB", domain);
    DistributionList groupC = provUtil.createDistributionList("groupC", domain);
    DistributionList groupD = provUtil.createDistributionList("groupD", domain);

    Account A = provUtil.createAccount("A", domain);
    Account B = provUtil.createAccount("B", domain);
    Account C = provUtil.createAccount("C", domain);
    Account D = provUtil.createAccount("D", domain);
    Account AB = provUtil.createAccount("AB", domain);
    Account AC = provUtil.createAccount("AC", domain);
    Account AD = provUtil.createAccount("AD", domain);
    Account BC = provUtil.createAccount("BC", domain);
    Account BD = provUtil.createAccount("BD", domain);
    Account CD = provUtil.createAccount("CD", domain);
    Account ABC = provUtil.createAccount("ABC", domain);
    Account ABD = provUtil.createAccount("ABD", domain);
    Account ACD = provUtil.createAccount("ACD", domain);
    Account BCD = provUtil.createAccount("BCD", domain);
    Account ABCD = provUtil.createAccount("ABCD", domain);

    groupA.addMembers(new String[] {
        A.getName(), AB.getName(), AC.getName(), AD.getName(),
        ABC.getName(), ABD.getName(), ACD.getName(), ABCD.getName() });
    groupB.addMembers(new String[] {
        B.getName(), AB.getName(), BC.getName(), BD.getName(),
        ABC.getName(), ABD.getName(), BCD.getName(), ABCD.getName() });
    groupC.addMembers(new String[] {
        C.getName(), AC.getName(), BC.getName(), CD.getName(),
        ABC.getName(), ACD.getName(), BCD.getName(), ABCD.getName() });
    groupD.addMembers(new String[] {
        D.getName(), AD.getName(), BD.getName(), CD.getName(),
        ABD.getName(), ACD.getName(), BCD.getName(), ABCD.getName() });

    // ---- test ------------------------------------------------------------
    // Feed every group into the shape computation, once per target type.
    Set<DistributionList> groupsWithGrants = new HashSet<DistributionList>();
    Collections.addAll(groupsWithGrants, groupA, groupB, groupC, groupD);

    Set<GroupShape> accountShapes = new HashSet<GroupShape>();
    Set<GroupShape> calendarResourceShapes = new HashSet<GroupShape>();
    Set<GroupShape> distributionListShapes = new HashSet<GroupShape>();

    for (DistributionList group : groupsWithGrants) {
        // Re-read the list by id before collecting its members.
        DistributionList reloaded = prov.get(DistributionListBy.id, group.getId());
        AllGroupMembers allMembers = allGroupMembers(reloaded);
        GroupShape.shapeMembers(TargetType.account, accountShapes, allMembers);
        GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, allMembers);
        GroupShape.shapeMembers(TargetType.dl, distributionListShapes, allMembers);
    }

    // ---- verify ----------------------------------------------------------
    // Only the account shapes are checked. Each shape is flattened to a sorted
    // list of "group <name>" / "member <name>" strings and then to one string.
    Set<String> result = new HashSet<String>();
    int shapeNo = 0;
    for (GroupShape shape : accountShapes) {
        shapeNo++;
        System.out.println("\n" + shapeNo);

        List<String> elements = new ArrayList<String>();
        for (String group : shape.getGroups()) {
            System.out.println("group " + group);
            elements.add("group " + group);
        }
        for (String member : shape.getMembers()) {
            System.out.println("    member" + member);
            elements.add("member " + member);
        }
        Collections.sort(elements);

        // Shapes without any member are left out of the compared result.
        if (shape.getMembers().size() < 1) {
            continue;
        }
        result.add(Verify.makeResultStr(elements));
    }

    // Expected: every account appears in exactly one shape, together with
    // exactly the set of groups it was added to.
    String[][] expectedShapes = {
        { "group " + groupA.getName(), "member " + A.getName() },
        { "group " + groupB.getName(), "member " + B.getName() },
        { "group " + groupC.getName(), "member " + C.getName() },
        { "group " + groupD.getName(), "member " + D.getName() },
        { "group " + groupA.getName(), "group " + groupB.getName(), "member " + AB.getName() },
        { "group " + groupA.getName(), "group " + groupC.getName(), "member " + AC.getName() },
        { "group " + groupA.getName(), "group " + groupD.getName(), "member " + AD.getName() },
        { "group " + groupB.getName(), "group " + groupC.getName(), "member " + BC.getName() },
        { "group " + groupB.getName(), "group " + groupD.getName(), "member " + BD.getName() },
        { "group " + groupC.getName(), "group " + groupD.getName(), "member " + CD.getName() },
        { "group " + groupA.getName(), "group " + groupB.getName(), "group " + groupC.getName(),
          "member " + ABC.getName() },
        { "group " + groupA.getName(), "group " + groupB.getName(), "group " + groupD.getName(),
          "member " + ABD.getName() },
        { "group " + groupA.getName(), "group " + groupC.getName(), "group " + groupD.getName(),
          "member " + ACD.getName() },
        { "group " + groupB.getName(), "group " + groupC.getName(), "group " + groupD.getName(),
          "member " + BCD.getName() },
        { "group " + groupA.getName(), "group " + groupB.getName(), "group " + groupC.getName(),
          "group " + groupD.getName(), "member " + ABCD.getName() }
    };

    Set<String> expected = new HashSet<String>();
    for (String[] labels : expectedShapes) {
        expected.add(Verify.makeResultStr(Lists.newArrayList(labels)));
    }

    Verify.verifyEquals(expected, result);
}
Also used : Account(com.zimbra.cs.account.Account) ArrayList(java.util.ArrayList) AllGroupMembers(com.zimbra.cs.account.accesscontrol.CollectAllEffectiveRights.AllGroupMembers) GroupShape(com.zimbra.cs.account.accesscontrol.CollectAllEffectiveRights.GroupShape) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 23 with DistributionList

use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.

the class TestACLNegativeGrant method targetPrecedence.

/*
     * Original grants:
     *     global grant (allow)
     *         domain (deny)
     *             group1 (allow)
     *                 group2 (deny)
     *                     target account (allow)
     * => should allow
     *
     * then revoke the grant on account, should deny
     * then revoke the grant on group2, should allow
     * then revoke the grant on group1, should deny
     * then revoke the grant on domain, should allow
     * then revoke the grant on global grant, should deny
     */
@Test
public void targetPrecedence() throws Exception {
    // Checks which grant decides the outcome when allow and deny grants for the
    // same grantee and right exist at several levels of the target hierarchy.
    // The expected order, from most to least specific, is:
    //   target account -> group2 (direct group) -> group1 (contains group2)
    //   -> domain -> global grant.
    // Grants are revoked one level at a time, and after each revoke the next
    // level's grant is expected to decide. Statement order matters throughout.
    Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
    /*
     * setup authed account (the account that issues the grants and revokes)
     */
    Account authedAcct = globalAdmin;
    Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
    /*
     * setup grantees
     */
    Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), domain);
    /*
     * setup targets
     */
    // 1. target account itself: ALLOW
    Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
    grantRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    // 2. groups the target account is a member of:
    //    group1 contains group2, and group2 contains the target account
    DistributionList group1 = provUtil.createDistributionList(genGroupNameLocalPart("group1"), domain);
    DistributionList group2 = provUtil.createDistributionList(genGroupNameLocalPart("group2"), domain);
    prov.addMembers(group1, new String[] { group2.getName() });
    prov.addMembers(group2, new String[] { target.getName() });
    // group2 (nearer to the target): DENY; group1 (further away): ALLOW
    grantRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    grantRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    // 3. domain the target account is in: DENY
    grantRight(authedAcct, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    // 4. global grant: ALLOW (the target entry passed to grantRight is null here)
    GlobalGrant globalGrant = prov.getGlobalGrant();
    grantRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    /*
     * test targets
     */
    // 'via' presumably describes the grant expected to have decided the
    // outcome; verify against ACLTestUtil.TestViaGrant.
    TestViaGrant via;
    // all five grants in place: the ALLOW on the account itself is expected to win
    via = new TestViaGrant(TargetType.account, target, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, via);
    // revoke the grant on target account, then grant on group2 should take effect
    revokeRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    via = new TestViaGrant(TargetType.dl, group2, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.NEGATIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
    // revoke the grant on group2, then grant on group1 should take effect
    revokeRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    via = new TestViaGrant(TargetType.dl, group1, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, via);
    // revoke the grant on group1, then grant on domain should take effect
    revokeRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    via = new TestViaGrant(TargetType.domain, domain, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.NEGATIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
    // revoke the grant on domain, then grant on globalgrant should take effect
    revokeRight(authedAcct, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
    via = new TestViaGrant(TargetType.global, globalGrant, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, via);
    // revoke the grant on globalgrant, then there is no grant and callsite default should be honored;
    // with nothing left to match, the expected outcome is DENY and no via grant
    revokeRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
    via = null;
    verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
}
Also used : GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) GlobalGrant(com.zimbra.cs.account.GlobalGrant) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) TestViaGrant(com.zimbra.qa.unittest.prov.ldap.ACLTestUtil.TestViaGrant) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)

Example 24 with DistributionList

use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.

the class TestACLPermissionCache method testGrantChangeOnIndirectlyInheritedDistributionList.

@Test
public void testGrantChangeOnIndirectlyInheritedDistributionList() throws Exception {
    // Grant, revoke and re-grant a right on a group two levels above the target
    // list, checking after every change that the access decision follows it.
    // NOTE(review): the enclosing class is TestACLPermissionCache, so this
    // presumably guards against a stale cached decision surviving a revoke;
    // the cache itself is not visible here.
    final Right rightUnderTest = A_USER_RIGHT_DISTRIBUTION_LIST;
    final Domain testDomain = createDomain();

    // Hierarchy: grantTarget -> subGroup -> target
    final DistributionList grantTarget =
            createUserDistributionList(GRANTTARGET_USER_GROUP, testDomain);
    final DistributionList subGroup =
            createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, testDomain);
    final DistributionList target =
            createUserDistributionList(TARGET_USER_GROUP, testDomain);
    final Account grantee = createUserAccount(GRANTEE_USER_ACCT, testDomain);

    mProv.addMembers(grantTarget, new String[] { subGroup.getName() });
    mProv.addMembers(subGroup, new String[] { target.getName() });

    // Granted on the top group: the right reaches the nested target.
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, rightUnderTest);
    assertTrue(accessMgr.canDo(grantee, target, rightUnderTest, false, null));

    // Revoked: access must be gone on the very next check.
    revokeRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, rightUnderTest);
    assertFalse(accessMgr.canDo(grantee, target, rightUnderTest, false, null));

    // Granted again: access comes back.
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, rightUnderTest);
    assertTrue(accessMgr.canDo(grantee, target, rightUnderTest, false, null));
}
Also used : GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)

Example 25 with DistributionList

use of com.zimbra.cs.account.DistributionList in project zm-mailbox by Zimbra.

the class TestACLPermissionCache method testGrantChangeOnDirectlyInheritedDistributionList.

@Test
public void testGrantChangeOnDirectlyInheritedDistributionList() throws Exception {
    // Grant, revoke and re-grant a right on the group that directly contains
    // the target list, checking after every change that the access decision
    // follows it.
    // NOTE(review): the enclosing class is TestACLPermissionCache, so this
    // presumably guards against a stale cached decision surviving a revoke;
    // the cache itself is not visible here.
    final Right rightUnderTest = A_USER_RIGHT_DISTRIBUTION_LIST;
    final Domain testDomain = createDomain();

    // Hierarchy: grantTarget -> target
    final DistributionList grantTarget =
            createUserDistributionList(GRANTTARGET_USER_GROUP, testDomain);
    final DistributionList target =
            createUserDistributionList(TARGET_USER_GROUP, testDomain);
    final Account grantee = createUserAccount(GRANTEE_USER_ACCT, testDomain);

    mProv.addMembers(grantTarget, new String[] { target.getName() });

    // Granted on the parent group: the right reaches the member list.
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, rightUnderTest);
    assertTrue(accessMgr.canDo(grantee, target, rightUnderTest, false, null));

    // Revoked: access must be gone on the very next check.
    revokeRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, rightUnderTest);
    assertFalse(accessMgr.canDo(grantee, target, rightUnderTest, false, null));

    // Granted again: access comes back.
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, rightUnderTest);
    assertTrue(accessMgr.canDo(grantee, target, rightUnderTest, false, null));
}
Also used : GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList) Test(org.junit.Test)
