use of com.zimbra.cs.account.DynamicGroup in project zm-mailbox by Zimbra.
the class SmtpRecipientValidator method validate.
/**
 * Resolves one SMTP recipient address to the local addresses it delivers to.
 *
 * Lookup order: an {@link Account} by name first, then a {@link Group} (distribution list or
 * dynamic group) by name. For an account the result is its canonical name; for a group it is the
 * fully expanded member list, fetched through the {@link DynamicGroup} path when the group is
 * dynamic.
 *
 * Any {@link ServiceException} during lookup is logged and turned into an empty result, i.e. the
 * recipient is treated as unknown (fails closed) rather than propagating the error.
 *
 * NOTE(review): for a group this returns every member address to the caller. If the caller
 * exposes the result to an unauthenticated SMTP peer (the class name suggests an SMTP-time
 * validator), that would disclose list membership — confirm at the call site. Also, the boolean
 * passed to {@code DynamicGroup.getAllMembers(true)} is not explained here, and if either
 * {@code getAllMembers} variant can return {@code null}, {@code Arrays.asList} would throw —
 * verify against the Provisioning implementation.
 *
 * @param recipient the address to validate, as received from the client
 * @return the resolved delivery addresses, or an empty list when nothing matches or lookup fails
 */
@Override
public Iterable<String> validate(String recipient) {
    try {
        Provisioning provisioning = Provisioning.getInstance();

        // a plain account wins over a group of the same name
        Account acct = provisioning.get(AccountBy.name, recipient);
        if (acct != null) {
            return Arrays.asList(acct.getName());
        }

        Group grp = provisioning.getGroup(Key.DistributionListBy.name, recipient);
        if (grp != null) {
            // dynamic groups need the DynamicGroup-specific expansion
            String[] expanded = (grp instanceof DynamicGroup)
                    ? ((DynamicGroup) grp).getAllMembers(true)
                    : grp.getAllMembers();
            return Arrays.asList(expanded);
        }
    } catch (ServiceException e) {
        // lookup failure: log with the offending recipient and fall through to "no match"
        log.error("Unable to validate recipient %s", recipient, e);
    }
    return Collections.emptyList();
}
use of com.zimbra.cs.account.DynamicGroup in project zm-mailbox by Zimbra.
the class TestACLAll method execTest.
/**
 * Drives one ACL scenario end to end.
 *
 * Steps: (1) create a fresh domain; (2) create a grantee of {@code testGranteeType} plus the
 * accounts that must ({@code allowedAccts}) and must not ({@code deniedAccts}) end up holding the
 * right; (3) decide whether the grant itself is expected to be rejected with INVALID_REQUEST;
 * (4) create a target of {@code grantedOnTargetType} and grant {@code right} on it as the global
 * admin; (5) assert the accept/reject outcome and hand everything to
 * {@link #setupTargetAndVerify} to check effective access on good and bad targets.
 *
 * @param note free-text label echoed with the scenario parameters on stdout
 * @param grantedOnTargetType type of the entry the right is granted on
 * @param testGranteeType grantee kind under test: a {@link GranteeType}, or the dynamic-group
 *        pseudo type, which is mapped to {@code GT_GROUP}
 * @param right the right to grant; user rights and admin rights have different grantee rules
 * @throws Exception on any provisioning failure; expectation mismatches surface as assertion
 *         failures
 */
private void execTest(String note, TargetType grantedOnTargetType, TestGranteeType testGranteeType, Right right) throws Exception {
    System.out.println("testing (" + note + "): " + "grant target=" + grantedOnTargetType.getCode() + ", grantee type=" + testGranteeType.getCode() + ", right=" + right.getName());
    //
    // 1. some basic preparation
    // create a domain
    //
    Domain domain = createDomain();
    // user rights and admin rights follow different grantee rules (see step 3)
    boolean isUserRight = right.isUserRight();
    //
    // 2. setup grantee
    //
    // allowedAccts must be able to exercise the right; deniedAccts are look-alikes that must not
    List<Account> allowedAccts = new ArrayList<Account>();
    List<Account> deniedAccts = new ArrayList<Account>();
    NamedEntry grantee = null;
    String granteeName = null;
    // shared secret for guest/key grantees (password or access key); null for all other kinds
    String secret = null;
    Object gt = testGranteeType.getGranteeType();
    GranteeType granteeType = null;
    if (gt instanceof GranteeType) {
        granteeType = (GranteeType) gt;
        switch(granteeType) {
            case GT_USER:
                // the grantee account itself is allowed; a second account of the same kind is denied
                if (isUserRight) {
                    grantee = createUserAccount(domain);
                    allowedAccts.add((Account) grantee);
                    deniedAccts.add(createUserAccount(domain));
                } else {
                    grantee = createDelegatedAdminAccount(domain);
                    allowedAccts.add((Account) grantee);
                    deniedAccts.add(createDelegatedAdminAccount(domain));
                }
                granteeName = grantee.getName();
                break;
            case GT_GROUP:
                // membership in the grantee DL is what confers the right; a non-member is denied
                if (isUserRight) {
                    grantee = createUserDistributionList(domain);
                    Account allowedAcct = createUserAccount(domain);
                    allowedAccts.add(allowedAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
                    // external members are also honored if the right is a user right
                    // (a guest outside the domain gets the user right through DL membership)
                    Account guestAcct = createGuestAccount("guest@guest.com", "test123");
                    allowedAccts.add(guestAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { guestAcct.getName() });
                    deniedAccts.add(createUserAccount(domain));
                } else {
                    grantee = createAdminDistributionList(domain);
                    Account allowedAcct = createDelegatedAdminAccount(domain);
                    allowedAccts.add(allowedAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
                    deniedAccts.add(createDelegatedAdminAccount(domain));
                }
                granteeName = grantee.getName();
                break;
            case GT_EXT_GROUP:
                // create a domain and use it for the external group
                Domain extDomain = createDomain();
                String extDomainDN = ((LdapDomain) extDomain).getDN();
                String acctLocalpart = "acct-ext";
                //
                // Configure the domain for external AD auth
                //
                Map<String, Object> domainAttrs = Maps.newHashMap();
                // user rights are checked against the user auth mech, admin rights against the admin one
                if (isUserRight) {
                    domain.setAuthMech(AuthMech.ad.name(), domainAttrs);
                } else {
                    domain.setAuthMechAdmin(AuthMech.ad.name(), domainAttrs);
                }
                // The block below is a self-contained variant that points the external group
                // lookup at the local test LDAP (UnittestGroupHandler) instead of a real AD.
                // It is disabled in favour of the live configuration that follows.
                /* ==== mock test ====
                // setup auth
                domain.addAuthLdapURL("ldap://localhost:389", domainAttrs);
                domain.setAuthLdapBindDn("uid=%u,ou=people," + extDomainDN, domainAttrs);
                // setup external group search parameters
                domain.setAuthLdapSearchBindDn(LC.zimbra_ldap_userdn.value(), domainAttrs);
                domain.setAuthLdapSearchBindPassword(LC.zimbra_ldap_password.value(), domainAttrs);
                domain.setExternalGroupLdapSearchBase(extDomainDN, domainAttrs);
                domain.setExternalGroupLdapSearchFilter("(&(objectClass=zimbraGroup)(cn=%u))", domainAttrs);
                domain.setExternalGroupHandlerClass("com.zimbra.qa.unittest.UnittestGroupHandler", domainAttrs);
                mProv.modifyAttrs(domain, domainAttrs);
                // create a group in the external directory and add a member
                Group extGroup = createUserDynamicGroup(extDomain); // doesn't matter if the group is user or admin
                String extGroupName = extGroup.getName();
                Account extAcct = createUserAccount(acctLocalpart, extDomain);
                mProv.addGroupMembers(extGroup, new String[]{extAcct.getName()});
                // create the admin account in Zimbra directory and map it to the external account
                Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
                allowedAccts.add(zimbraAcct);
                */
                // NOTE(review): the live configuration below appears to target a real corporate AD
                // (vmware.com search base, a named individual's DN) with the LDAP URL and the
                // search bind DN/password redacted to "***". As committed it presumably cannot
                // pass anywhere, and it embeds what looks like personal data in the repository.
                // The endpoint, bind credentials and DNs belong in local config / environment,
                // with an anonymised test identity — or the mock setup above should be restored.
                // Also note that no deniedAccts are set up for this grantee type, so a wrongly
                // granted right would not be detected here.
                domain.addAuthLdapURL("***", domainAttrs);
                domain.setAuthLdapSearchBindDn("***", domainAttrs);
                domain.setAuthLdapSearchBindPassword("***", domainAttrs);
                domain.setExternalGroupLdapSearchBase("OU=Engineering,DC=vmware,DC=com", domainAttrs);
                domain.setExternalGroupLdapSearchFilter("(&(objectClass=group)(mail=%n))", domainAttrs);
                domain.setExternalGroupHandlerClass("com.zimbra.cs.account.grouphandler.ADGroupHandler", domainAttrs);
                prov.modifyAttrs(domain, domainAttrs);
                // "ESPPEnrollment-USA@vmware.com";
                String extGroupName = "ENG_pao_users_home4@vmware.com";
                // create the admin account in Zimbra directory and map it to the external account
                Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
                // presumably links the Zimbra account to its AD entry for external group membership — verify
                zimbraAcct.setAuthLdapExternalDn("CN=Phoebe Shao,OU=PAO_Users,OU=PaloAlto_California_USA,OU=NALA,OU=SITES,OU=Engineering,DC=vmware,DC=com");
                allowedAccts.add(zimbraAcct);
                // =======================
                // external group grantees are named "<zimbra domain>:<external group name>"
                granteeName = domain.getName() + ":" + extGroupName;
                break;
            case GT_AUTHUSER:
                // "all authenticated users": no grantee entry and no name; a guest is denied
                if (isUserRight) {
                    allowedAccts.add(createUserAccount("allowed-user-acct", domain));
                    deniedAccts.add(createGuestAccount("not-my-guest@external.com", "test123"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                }
                break;
            case GT_DOMAIN:
                // the grantee is a whole domain: its users are allowed, users of another domain denied
                grantee = createDomain();
                if (isUserRight) {
                    allowedAccts.add(createUserAccount("allowed-user-acct", (Domain) grantee));
                    Domain notGrantee = createDomain();
                    deniedAccts.add(createUserAccount("denied-user-acct", notGrantee));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", (Domain) grantee));
                    // TODO: TEST R_crossDomainAdmin
                }
                granteeName = grantee.getName();
                break;
            case GT_GUEST:
                // an email address
                granteeName = "be-my-guest@guest.com";
                // password
                secret = "test123";
                // a guest with the wrong password must be denied; admin rights are never grantable to guests
                if (isUserRight) {
                    allowedAccts.add(createGuestAccount(granteeName, secret));
                    deniedAccts.add(createGuestAccount("not-my-guest@external.com", "bad"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                    deniedAccts.add(createGuestAccount(granteeName, secret));
                }
                break;
            case GT_KEY:
                // a display name
                granteeName = "be-my-guest";
                // access key
                secret = "test123";
                // same shape as GT_GUEST, with an access key instead of a password
                if (isUserRight) {
                    allowedAccts.add(createKeyAccount(granteeName, secret));
                    deniedAccts.add(createKeyAccount("not-my-guest", "bad"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                    deniedAccts.add(createKeyAccount(granteeName, secret));
                }
                break;
            case GT_PUBLIC:
                // anonymous access: only user rights may ever reach the anonymous account
                if (isUserRight) {
                    allowedAccts.add(anonAccount());
                } else {
                    deniedAccts.add(anonAccount());
                }
                break;
            default:
                fail();
        }
    } else {
        // dynamic group
        // not a GranteeType value: the only other supported kind is the dynamic-group pseudo type,
        // which is granted as GT_GROUP
        assertEquals(TestGranteeType.GRANTEE_DYNAMIC_GROUP, testGranteeType);
        granteeType = GranteeType.GT_GROUP;
        if (isUserRight) {
            grantee = createUserDynamicGroup(domain);
            Account allowedAcct = createUserAccount(domain);
            allowedAccts.add(allowedAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
            // external members are also honored if the right is a user right
            Account guestAcct = createGuestAccount("guest@guest.com", "test123");
            allowedAccts.add(guestAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { guestAcct.getName() });
            deniedAccts.add(createUserAccount(domain));
        } else {
            grantee = createAdminDynamicGroup(domain);
            Account allowedAcct = createDelegatedAdminAccount(domain);
            allowedAccts.add(allowedAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
            deniedAccts.add(createDelegatedAdminAccount(domain));
        }
        granteeName = grantee.getName();
    }
    //
    // 3. setup expectations for the granting action
    //
    // A grant is expected to be rejected (INVALID_REQUEST) when the right cannot live on this
    // target type, or — for admin rights — when the grantee kind is not allowed to hold admin
    // rights at all, or is a domain and the right is not R_crossDomainAdmin.
    boolean expectInvalidRequest = false;
    if (isUserRight) {
        expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
    } else {
        // is admin right
        if (!granteeType.allowedForAdminRights()) {
            expectInvalidRequest = true;
        }
        if (!expectInvalidRequest) {
            // a domain grantee is only valid for the cross-domain admin right
            if (granteeType == GranteeType.GT_DOMAIN && right != Admin.R_crossDomainAdmin) {
                expectInvalidRequest = true;
            }
        }
        if (!expectInvalidRequest) {
            expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
        }
    }
    //
    // 4. setup target on which the right is to be granted
    //
    // targetName stays null for the singleton targets (config, global), which have no name
    Entry grantedOnTarget = null;
    String targetName = null;
    switch(grantedOnTargetType) {
        case account:
            grantedOnTarget = createUserAccount("target-acct", domain);
            targetName = ((Account) grantedOnTarget).getName();
            break;
        case calresource:
            grantedOnTarget = createCalendarResource("target-cr", domain);
            targetName = ((CalendarResource) grantedOnTarget).getName();
            break;
        case cos:
            grantedOnTarget = createCos();
            targetName = ((Cos) grantedOnTarget).getName();
            break;
        case dl:
            grantedOnTarget = createUserDistributionList("target-distributionlist", domain);
            targetName = ((DistributionList) grantedOnTarget).getName();
            break;
        case group:
            grantedOnTarget = createUserDynamicGroup("target-dynamicgroup", domain);
            targetName = ((DynamicGroup) grantedOnTarget).getName();
            break;
        case domain:
            grantedOnTarget = domain;
            targetName = domain.getName();
            break;
        case server:
            grantedOnTarget = createServer();
            targetName = ((Server) grantedOnTarget).getName();
            break;
        case alwaysoncluster:
            grantedOnTarget = createAlwaysOnCluster();
            targetName = ((AlwaysOnCluster) grantedOnTarget).getName();
            break;
        case ucservice:
            grantedOnTarget = createUCService();
            targetName = ((UCService) grantedOnTarget).getName();
            break;
        case xmppcomponent:
            // skip for now
            return;
        case zimlet:
            grantedOnTarget = createZimlet();
            targetName = ((Zimlet) grantedOnTarget).getName();
            break;
        case config:
            grantedOnTarget = getConfig();
            break;
        case global:
            grantedOnTarget = getGlobalGrant();
            break;
        default:
            fail();
    }
    //
    // grant right on the target
    //
    // Only INVALID_REQUEST is an acceptable outcome; any other ServiceException fails the test.
    boolean gotInvalidRequestException = false;
    try {
        // TODO: in a different test, test granting by a different authed account:
        // global admin, delegated admin, user
        //
        // NOTE(review): every grant here is performed by the global admin, so this method never
        // checks that a delegated admin or plain user is refused when attempting the same grant.
        Account grantingAccount = globalAdmin;
        RightCommand.grantRight(prov, grantingAccount, grantedOnTargetType.getCode(), TargetBy.name, targetName, granteeType.getCode(), GranteeBy.name, granteeName, secret, right.getName(), null);
    } catch (ServiceException e) {
        if (ServiceException.INVALID_REQUEST.equals(e.getCode())) {
            gotInvalidRequestException = true;
        } else {
            e.printStackTrace();
            fail();
        }
    }
    //
    // 5. verify the grant
    //
    // the grant must have been accepted or rejected exactly as predicted in step 3
    assertEquals(expectInvalidRequest, gotInvalidRequestException);
    // Re-fetch group targets by id: the object returned from the create call presumably does not
    // carry the grant just made, so access must be verified against a fresh copy.
    if (grantedOnTarget instanceof Group) {
        grantedOnTarget = prov.getGroupBasic(Key.DistributionListBy.id, ((Group) grantedOnTarget).getId());
    }
    //
    // A combo right is verified once per contained right; the last argument tells the verifier
    // whether the grant is actually in place (false when it was rejected as INVALID_REQUEST).
    if (right.isComboRight()) {
        for (Right rt : ((ComboRight) right).getAllRights()) {
            setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, rt, true, allowedAccts, deniedAccts, !gotInvalidRequestException);
        }
    } else {
        setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, right, false, allowedAccts, deniedAccts, !gotInvalidRequestException);
    }
}
use of com.zimbra.cs.account.DynamicGroup in project zm-mailbox by Zimbra.
the class TestACLAll method setupTarget.
/**
 * Builds the lists of entries on which a right granted on {@code grantedOnTarget} must be
 * effective ({@code goodTargets}) and must NOT be effective ({@code badTargets}), for one
 * combination of the type the right was granted on and the type the right is defined for.
 *
 * Together the two lists encode the intended scope of a grant: an entry itself, and for the
 * container types (dl, group, domain, global) the entries beneath it, are good; entries of the
 * same type in another container, and entries of a type the right does not apply to, are bad.
 * A bad target that turns out to be accessible is therefore a privilege-scope bug.
 *
 * @param goodTargets output: entries the right must apply to
 * @param badTargets output: entries the right must not apply to
 * @param domain the domain used to create fixture accounts, resources and groups
 * @param grantedOnTarget the entry the right was granted on
 * @param grantedOnTargetType type of {@code grantedOnTarget}
 * @param targetTypeOfRight the target type the right is defined for
 * @param right the granted right; consulted for user-vs-admin and group-target rules
 * @throws Exception on any provisioning failure
 */
private void setupTarget(List<Entry> goodTargets, List<Entry> badTargets, Domain domain, Entry grantedOnTarget, TargetType grantedOnTargetType, TargetType targetTypeOfRight, Right right) throws Exception {
    Entry good = null;
    Entry bad = null;
    switch(targetTypeOfRight) {
        case account:
            if (grantedOnTargetType == TargetType.account) {
                // a sibling account in the same domain must not inherit an account-level grant
                goodTargets.add(grantedOnTarget);
                badTargets.add(createUserAccount(domain));
            } else if (grantedOnTargetType == TargetType.calresource) {
                // a calendar resource counts as an account only for user rights
                if (right.isUserRight()) {
                    goodTargets.add(grantedOnTarget);
                    badTargets.add(createCalendarResource(domain));
                } else {
                    badTargets.add(grantedOnTarget);
                }
            } else if (grantedOnTargetType == TargetType.dl) {
                // a grant on a DL reaches its members only for rights that allow group targets
                if (CheckRight.allowGroupTarget(right)) {
                    good = createUserAccount(domain);
                    goodTargets.add(good);
                    // create a subgroup of the group on which the right is granted (testing multi levels of dl)
                    // the good account is only an indirect member, so membership must resolve transitively
                    DistributionList subGroup = createUserDistributionList(domain);
                    prov.addMembers((DistributionList) grantedOnTarget, new String[] { subGroup.getName() });
                    prov.addMembers(subGroup, new String[] { ((Account) good).getName() });
                } else {
                    // even a direct member is a bad target when the right is not group-targetable
                    bad = createUserAccount(domain);
                    prov.addMembers((DistributionList) grantedOnTarget, new String[] { ((Account) bad).getName() });
                    badTargets.add(bad);
                }
            } else if (grantedOnTargetType == TargetType.group) {
                // same rule for dynamic groups, direct membership only
                if (CheckRight.allowGroupTarget(right)) {
                    good = createUserAccount(domain);
                    prov.addGroupMembers((DynamicGroup) grantedOnTarget, new String[] { ((Account) good).getName() });
                    goodTargets.add(good);
                } else {
                    bad = createUserAccount(domain);
                    prov.addGroupMembers((DynamicGroup) grantedOnTarget, new String[] { ((Account) bad).getName() });
                    badTargets.add(bad);
                }
            } else if (grantedOnTargetType == TargetType.domain) {
                // a domain-level grant must stop at the domain boundary
                goodTargets.add(createUserAccount(domain));
                Domain anyDomain = createDomain();
                badTargets.add(createUserAccount(anyDomain));
            } else if (grantedOnTargetType == TargetType.global) {
                // a global grant covers accounts in any domain
                Domain anyDomain = createDomain();
                goodTargets.add(createUserAccount(anyDomain));
            } else {
                // any other target type cannot carry an account right
                badTargets.add(grantedOnTarget);
            }
            break;
        case calresource:
            if (grantedOnTargetType == TargetType.calresource) {
                goodTargets.add(grantedOnTarget);
                badTargets.add(createCalendarResource(domain));
            } else if (grantedOnTargetType == TargetType.dl) {
                // DL membership confers the right only for group-targetable rights
                if (CheckRight.allowGroupTarget(right)) {
                    good = createCalendarResource(domain);
                    prov.addMembers((DistributionList) grantedOnTarget, new String[] { ((Account) good).getName() });
                    goodTargets.add(good);
                } else {
                    bad = createCalendarResource(domain);
                    prov.addMembers((DistributionList) grantedOnTarget, new String[] { ((Account) bad).getName() });
                    badTargets.add(bad);
                }
            } else if (grantedOnTargetType == TargetType.group) {
                if (CheckRight.allowGroupTarget(right)) {
                    good = createCalendarResource(domain);
                    prov.addGroupMembers((DynamicGroup) grantedOnTarget, new String[] { ((Account) good).getName() });
                    goodTargets.add(good);
                } else {
                    bad = createCalendarResource(domain);
                    prov.addGroupMembers((DynamicGroup) grantedOnTarget, new String[] { ((Account) bad).getName() });
                    badTargets.add(bad);
                }
            } else if (grantedOnTargetType == TargetType.domain) {
                // resource in the granted-on domain is good; an account in another domain is bad
                good = createCalendarResource(domain);
                goodTargets.add(good);
                Domain anyDomain = createDomain();
                bad = createUserAccount(anyDomain);
                badTargets.add(bad);
            } else if (grantedOnTargetType == TargetType.global) {
                Domain anyDomain = createDomain();
                goodTargets.add(createCalendarResource(anyDomain));
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case cos:
            // cos rights come from the cos itself or from a global grant; nothing else
            if (grantedOnTargetType == TargetType.cos) {
                good = grantedOnTarget;
            } else if (grantedOnTargetType == TargetType.global) {
                good = createCos();
            }
            if (good == null) {
                bad = grantedOnTarget;
                badTargets.add(bad);
            } else {
                goodTargets.add(good);
            }
            break;
        case dl:
            if (grantedOnTargetType == TargetType.dl) {
                // create a subgroup of the group on which the right is granted (testing multi levels of dl)
                // both the DL itself and a nested DL are in scope; an unrelated DL is not
                DistributionList subGroup = createUserDistributionList(domain);
                prov.addMembers((DistributionList) grantedOnTarget, new String[] { subGroup.getName() });
                goodTargets.add(subGroup);
                goodTargets.add(grantedOnTarget);
                badTargets.add(createUserDistributionList(domain));
            } else if (grantedOnTargetType == TargetType.group) {
                // dl rights apply to dynamic groups only for user rights
                if (right.isUserRight()) {
                    goodTargets.add(grantedOnTarget);
                } else {
                    badTargets.add(grantedOnTarget);
                }
            } else if (grantedOnTargetType == TargetType.domain) {
                // DLs in the domain are good; dynamic groups only for user rights; other domains bad
                goodTargets.add(createUserDistributionList(domain));
                if (right.isUserRight()) {
                    goodTargets.add(createUserDynamicGroup(domain));
                } else {
                    badTargets.add(createUserDynamicGroup(domain));
                }
                Domain anyDomain = createDomain();
                badTargets.add(createUserDistributionList(anyDomain));
                badTargets.add(createUserDynamicGroup(anyDomain));
            } else if (grantedOnTargetType == TargetType.global) {
                Domain anyDomain = createDomain();
                goodTargets.add(createUserDistributionList(anyDomain));
                if (right.isUserRight()) {
                    goodTargets.add(createUserDynamicGroup(anyDomain));
                } else {
                    badTargets.add(createUserDynamicGroup(anyDomain));
                }
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case group:
            // group (dynamic group) rights never apply to static DLs
            if (grantedOnTargetType == TargetType.dl) {
                badTargets.add(grantedOnTarget);
            } else if (grantedOnTargetType == TargetType.group) {
                goodTargets.add(grantedOnTarget);
            } else if (grantedOnTargetType == TargetType.domain) {
                goodTargets.add(createUserDynamicGroup(domain));
                badTargets.add(createUserDistributionList(domain));
                Domain anyDomain = createDomain();
                badTargets.add(createUserDistributionList(anyDomain));
                badTargets.add(createUserDynamicGroup(anyDomain));
            } else if (grantedOnTargetType == TargetType.global) {
                Domain anyDomain = createDomain();
                goodTargets.add(createUserDynamicGroup(anyDomain));
                badTargets.add(createUserDistributionList(anyDomain));
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case domain:
            // a domain grant does not leak to another domain; a global grant covers all domains
            if (grantedOnTargetType == TargetType.domain) {
                goodTargets.add(grantedOnTarget);
                badTargets.add(createDomain());
            } else if (grantedOnTargetType == TargetType.global) {
                goodTargets.add(createDomain());
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case server:
            if (grantedOnTargetType == TargetType.server) {
                goodTargets.add(grantedOnTarget);
                badTargets.add(createServer());
            } else if (grantedOnTargetType == TargetType.global) {
                goodTargets.add(createServer());
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case alwaysoncluster:
            if (grantedOnTargetType == TargetType.alwaysoncluster) {
                goodTargets.add(grantedOnTarget);
                badTargets.add(createAlwaysOnCluster());
            } else if (grantedOnTargetType == TargetType.global) {
                goodTargets.add(createAlwaysOnCluster());
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case ucservice:
            if (grantedOnTargetType == TargetType.ucservice) {
                goodTargets.add(grantedOnTarget);
                badTargets.add(createUCService());
            } else if (grantedOnTargetType == TargetType.global) {
                goodTargets.add(createUCService());
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case xmppcomponent:
            // skip for now
            return;
        case zimlet:
            // zimlet is trouble, need to reload it or else the grant is not on the object
            // ldapProvisioning.getZimlet does not return a cached entry so our grantedOnTarget
            // object does not have the grant
            prov.reload(grantedOnTarget);
            if (grantedOnTargetType == TargetType.zimlet) {
                goodTargets.add(grantedOnTarget);
                badTargets.add(createZimlet());
            } else if (grantedOnTargetType == TargetType.global) {
                goodTargets.add(createZimlet());
            } else {
                badTargets.add(grantedOnTarget);
            }
            break;
        case config:
            // global config is a singleton: reachable from a config grant or a global grant only
            if (grantedOnTargetType == TargetType.config)
                goodTargets.add(grantedOnTarget);
            else if (grantedOnTargetType == TargetType.global)
                goodTargets.add(getConfig());
            else
                badTargets.add(grantedOnTarget);
            break;
        case global:
            // the global grant entry is only reachable from a global grant
            if (grantedOnTargetType == TargetType.global)
                goodTargets.add(getGlobalGrant());
            else
                badTargets.add(grantedOnTarget);
            break;
        default:
            fail();
    }
}
use of com.zimbra.cs.account.DynamicGroup in project zm-mailbox by Zimbra.
the class TestLdapProvSearchDirectory method getAllGroups.
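/**
 * {@code Provisioning.getAllGroups(domain)} must return exactly the distribution list and the
 * dynamic group created in {@code domain}, and must not include the groups created in a
 * sub-domain ({@code sub.<base domain>}). Since sub-domains sit under the parent domain in the
 * directory tree, this is the scope check that a domain-level listing does not spill into
 * child domains.
 *
 * The fixture groups are removed in a {@code finally} so a failing assertion (or a failure
 * while creating a later fixture) does not leave them behind for subsequent tests; the
 * sub-domain itself is not removed here — presumably the suite's teardown handles it; confirm.
 *
 * @throws Exception on any provisioning failure
 */
@Test
public void getAllGroups() throws Exception {
    DistributionList dl = null;
    DynamicGroup dg = null;
    DistributionList dlSub = null;
    DynamicGroup dgSub = null;
    try {
        dl = createDistributionList(genGroupNameLocalPart("dl"));
        dg = createDynamicGroup(genGroupNameLocalPart("dg"));
        // create a sub domain
        String SUB_DOMAIN_NAME = "sub." + baseDomainName();
        Domain subDomain = provUtil.createDomain(SUB_DOMAIN_NAME, null);
        // create a DL and a DG in the sub domain
        dlSub = createDistributionList(genGroupNameLocalPart("dl-sub"), subDomain);
        dgSub = createDynamicGroup(genGroupNameLocalPart("dg-sub"), subDomain);

        // only the two groups of the parent domain are expected (third arg: order-insensitive, presumably)
        List<Group> groups = prov.getAllGroups(domain);
        Verify.verifyEquals(Lists.newArrayList(dg, dl), groups, true);
    } finally {
        // delete whatever was actually created, even when the assertion above failed
        if (dl != null) {
            deleteGroup(dl);
        }
        if (dg != null) {
            deleteGroup(dg);
        }
        if (dlSub != null) {
            deleteGroup(dlSub);
        }
        if (dgSub != null) {
            deleteGroup(dgSub);
        }
    }
}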
use of com.zimbra.cs.account.DynamicGroup in project zm-mailbox by Zimbra.
the class TestLdapProvAttrCallback method zimbraIsACLGroupAndMemberURLCreate.
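/**
 * Checks how an explicit {@code memberURL} interacts with {@code zimbraIsACLGroup} when a
 * dynamic group is created:
 * <ol>
 *   <li>{@code zimbraIsACLGroup=FALSE} plus {@code memberURL}: accepted, and the URL is stored
 *       as given ({@link #verifyIsNotACLGroup});</li>
 *   <li>{@code zimbraIsACLGroup=TRUE} plus {@code memberURL}: rejected with INVALID_REQUEST;</li>
 *   <li>{@code memberURL} without {@code zimbraIsACLGroup}: rejected with INVALID_REQUEST
 *       (the attribute presumably defaults to TRUE — confirm against the attribute callback).</li>
 * </ol>
 * The rejection matters for access control: for an ACL group the server owns the membership
 * URL, and a caller-supplied one must not be able to redefine who is a member.
 *
 * NOTE(review): {@code "blah"} is not an LDAP URL, so case 1 also shows that, from this test's
 * point of view, {@code memberURL} is stored without syntax validation when the group is not
 * an ACL group; whether that is validated elsewhere is not visible here.
 *
 * @throws Exception on any provisioning failure other than the expected INVALID_REQUEST
 */
@Test
public void zimbraIsACLGroupAndMemberURLCreate() throws Exception {
    String SOME_URL = "blah";
    Map<String, Object> attrs = Maps.newHashMap();

    // 1. specify memberURL and set zimbraIsACLGroup to false -> OK
    attrs.clear();
    attrs.put(Provisioning.A_zimbraIsACLGroup, ProvisioningConstants.FALSE);
    attrs.put(Provisioning.A_memberURL, SOME_URL);
    DynamicGroup group = createDynamicGroup(genGroupNameLocalPart("1"), attrs);
    try {
        verifyIsNotACLGroup(group, SOME_URL);
    } finally {
        // remove the fixture even if the verification fails
        deleteDynamicGroup(group);
    }

    // 2. specify memberURL and set zimbraIsACLGroup to true -> FAIL
    attrs.clear();
    attrs.put(Provisioning.A_zimbraIsACLGroup, ProvisioningConstants.TRUE);
    attrs.put(Provisioning.A_memberURL, SOME_URL);
    assertCreateDynamicGroupRejected(genGroupNameLocalPart("2"), attrs);

    // 3. specify memberURL without setting zimbraIsACLGroup -> FAIL
    attrs.clear();
    attrs.put(Provisioning.A_memberURL, SOME_URL);
    assertCreateDynamicGroupRejected(genGroupNameLocalPart("3"), attrs);
}

/**
 * Attempts to create a dynamic group and asserts that the server refuses it with
 * INVALID_REQUEST. Any other {@link ServiceException} is propagated unchanged. If the create
 * unexpectedly succeeds, the group is deleted before the assertion fails so the stray fixture
 * does not leak into later tests.
 *
 * @param localPart local part of the group name to create
 * @param attrs attributes for the create call
 * @throws Exception a {@link ServiceException} with a code other than INVALID_REQUEST
 */
private void assertCreateDynamicGroupRejected(String localPart, Map<String, Object> attrs) throws Exception {
    DynamicGroup created;
    try {
        created = createDynamicGroup(localPart, attrs);
    } catch (ServiceException e) {
        if (ServiceException.INVALID_REQUEST.equals(e.getCode())) {
            return; // the expected rejection
        }
        throw e;
    }
    // not rejected: clean up, then fail the test
    deleteDynamicGroup(created);
    throw new AssertionError("expected INVALID_REQUEST creating dynamic group " + localPart + " with attrs " + attrs);
}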