Example 1 with GlobalGrant
use of com.zimbra.cs.account.GlobalGrant in project zm-mailbox by Zimbra.
the class LdapProvisioning method flushCache.
@Override
public void flushCache(CacheEntryType type, CacheEntry[] entries) throws ServiceException {
switch(type) {
case all:
if (entries != null) {
throw ServiceException.INVALID_REQUEST("cannot specify entry for flushing all", null);
}
ZimbraLog.account.info("Flushing all LDAP entry caches");
flushCache(CacheEntryType.account, null);
flushCache(CacheEntryType.group, null);
flushCache(CacheEntryType.config, null);
flushCache(CacheEntryType.globalgrant, null);
flushCache(CacheEntryType.cos, null);
flushCache(CacheEntryType.domain, null);
flushCache(CacheEntryType.mime, null);
flushCache(CacheEntryType.server, null);
flushCache(CacheEntryType.alwaysOnCluster, null);
flushCache(CacheEntryType.zimlet, null);
break;
case account:
if (entries != null) {
for (CacheEntry entry : entries) {
AccountBy accountBy = (entry.mEntryBy == Key.CacheEntryBy.id) ? AccountBy.id : AccountBy.name;
Account account = getFromCache(accountBy, entry.mEntryIdentity);
/*
* We now call removeFromCache instead of reload for flushing an account
* from cache. This change was originally for bug 25028, but that would still
* need an extrat step to flush cache after the account's zimbraCOSId changed.
* (if we call reload insteasd of removeFromCache, flush cache of the account would
* not clear the mDefaults for inherited attrs, that was the bug.)
* Bug 25028 is now taken care of by the callback. We still call removeFromCache
* for flushing account cache, because that does a cleaner flush.
*
* Note, we only call removeFromCache for account.
* We should *NOT* do removeFromCache when flushing global config and cos caches.
*
* Because the "mDefaults" Map(contains a ref to the old instance of COS.mAccountDefaults for
* all the accountInherited COS attrs) stored in all the cached accounts. Same for the
* inherited attrs of server/domain from global config. If we do removeFromCache for flushing
* cos/global config, then after FlushCache(cos) if you do a ga on a cached account, it still
* shows the old COS value for values that are inherited from COS. Although, for newly loaded
* accounts or when a cached account is going thru auth(that'll trigger a reload) they will get
* the new COS values(refreshed as a result of FlushCache(cos)).
*/
if (account != null) {
removeFromCache(account);
}
}
} else {
accountCache.clear();
}
return;
case group:
if (entries != null) {
for (CacheEntry entry : entries) {
Key.DistributionListBy dlBy = (entry.mEntryBy == Key.CacheEntryBy.id) ? Key.DistributionListBy.id : Key.DistributionListBy.name;
removeGroupFromCache(dlBy, entry.mEntryIdentity);
}
} else {
allDLs.clear();
groupCache.clear();
}
return;
case config:
if (entries != null) {
throw ServiceException.INVALID_REQUEST("cannot specify entry for flushing global config", null);
}
Config config = getConfig();
reload(config, false);
EphemeralStore.clearFactory();
return;
case globalgrant:
if (entries != null) {
throw ServiceException.INVALID_REQUEST("cannot specify entry for flushing global grant", null);
}
GlobalGrant globalGrant = getGlobalGrant();
reload(globalGrant, false);
return;
case cos:
if (entries != null) {
for (CacheEntry entry : entries) {
Key.CosBy cosBy = (entry.mEntryBy == Key.CacheEntryBy.id) ? Key.CosBy.id : Key.CosBy.name;
Cos cos = getFromCache(cosBy, entry.mEntryIdentity);
if (cos != null)
reload(cos, false);
}
} else
cosCache.clear();
return;
case domain:
if (entries != null) {
for (CacheEntry entry : entries) {
Key.DomainBy domainBy = (entry.mEntryBy == Key.CacheEntryBy.id) ? Key.DomainBy.id : Key.DomainBy.name;
Domain domain = getFromCache(domainBy, entry.mEntryIdentity, GetFromDomainCacheOption.BOTH);
if (domain != null) {
if (domain instanceof DomainCache.NonExistingDomain)
domainCache.removeFromNegativeCache(domainBy, entry.mEntryIdentity);
else
reload(domain, false);
}
}
} else
domainCache.clear();
return;
case mime:
mimeTypeCache.flushCache(this);
return;
case server:
if (entries != null) {
for (CacheEntry entry : entries) {
Key.ServerBy serverBy = (entry.mEntryBy == Key.CacheEntryBy.id) ? Key.ServerBy.id : Key.ServerBy.name;
Server server = get(serverBy, entry.mEntryIdentity);
if (server != null)
reload(server, false);
}
} else
serverCache.clear();
return;
case alwaysOnCluster:
if (entries != null) {
for (CacheEntry entry : entries) {
Key.AlwaysOnClusterBy clusterBy = Key.AlwaysOnClusterBy.id;
AlwaysOnCluster cluster = get(clusterBy, entry.mEntryIdentity);
if (cluster != null)
reload(cluster, false);
}
} else
alwaysOnClusterCache.clear();
return;
case zimlet:
if (entries != null) {
for (CacheEntry entry : entries) {
Key.ZimletBy zimletBy = (entry.mEntryBy == Key.CacheEntryBy.id) ? Key.ZimletBy.id : Key.ZimletBy.name;
Zimlet zimlet = getFromCache(zimletBy, entry.mEntryIdentity);
if (zimlet != null)
reload(zimlet, false);
}
} else
zimletCache.clear();
return;
default:
throw ServiceException.INVALID_REQUEST("invalid cache type " + type, null);
}
}
Also used :
Account(com.zimbra.cs.account.Account)
GuestAccount(com.zimbra.cs.account.GuestAccount)
LdapAccount(com.zimbra.cs.account.ldap.entry.LdapAccount)
InMemoryLdapServer(com.zimbra.cs.ldap.unboundid.InMemoryLdapServer)
LdapServer(com.zimbra.cs.account.ldap.entry.LdapServer)
Server(com.zimbra.cs.account.Server)
LdapAlwaysOnCluster(com.zimbra.cs.account.ldap.entry.LdapAlwaysOnCluster)
AlwaysOnCluster(com.zimbra.cs.account.AlwaysOnCluster)
Config(com.zimbra.cs.account.Config)
LdapConfig(com.zimbra.cs.account.ldap.entry.LdapConfig)
ExternalLdapConfig(com.zimbra.cs.ldap.LdapServerConfig.ExternalLdapConfig)
GalSearchConfig(com.zimbra.cs.gal.GalSearchConfig)
LdapCos(com.zimbra.cs.account.ldap.entry.LdapCos)
Cos(com.zimbra.cs.account.Cos)
DistributionListBy(com.zimbra.common.account.Key.DistributionListBy)
AccountBy(com.zimbra.common.account.Key.AccountBy)
Zimlet(com.zimbra.cs.account.Zimlet)
LdapZimlet(com.zimbra.cs.account.ldap.entry.LdapZimlet)
LdapGlobalGrant(com.zimbra.cs.account.ldap.entry.LdapGlobalGrant)
GlobalGrant(com.zimbra.cs.account.GlobalGrant)
LdapDomain(com.zimbra.cs.account.ldap.entry.LdapDomain)
Domain(com.zimbra.cs.account.Domain)
EntryCacheDataKey(com.zimbra.cs.account.EntryCacheDataKey)
Key(com.zimbra.common.account.Key)
EphemeralKey(com.zimbra.cs.ephemeral.EphemeralKey)
DataKey(com.zimbra.cs.account.callback.CallbackContext.DataKey)
PreAuthKey(com.zimbra.cs.account.PreAuthKey)
Example 2 with GlobalGrant
use of com.zimbra.cs.account.GlobalGrant in project zm-mailbox by Zimbra.
the class ParticallyDenied method isSubTarget.
private static boolean isSubTarget(Provisioning prov, Entry targetSup, Entry targetSub) throws ServiceException {
if (targetSup instanceof Domain) {
Domain domain = (Domain) targetSup;
Domain targetSubInDomain = TargetType.getTargetDomain(prov, targetSub);
if (targetSubInDomain == null)
// not a domain-ed entry
return false;
else {
if (domain.getId().equals(targetSubInDomain.getId()))
return true;
else {
// see if targetSub is in a group that is in the domain
GroupMembership groups = null;
if (targetSub instanceof Account)
groups = prov.getGroupMembership((Account) targetSub, false);
else if (targetSub instanceof DistributionList)
groups = prov.getGroupMembership((DistributionList) targetSub, false);
else
return false;
for (String groupId : groups.groupIds()) {
DistributionList group = prov.getDLBasic(Key.DistributionListBy.id, groupId);
Domain groupInDomain = prov.getDomain(group);
if (// hmm, log a warn if groupInDomain is null? throw internal err?
groupInDomain != null && domain.getId().equals(groupInDomain.getId()))
return true;
}
}
}
return false;
} else if (targetSup instanceof DistributionList) {
DistributionList dl = (DistributionList) targetSup;
String subId = null;
if (// covers cr too
targetSub instanceof Account)
return prov.inDistributionList((Account) targetSub, dl.getId());
else if (targetSub instanceof DistributionList)
return prov.inDistributionList((DistributionList) targetSub, dl.getId());
else
return false;
} else if (targetSup instanceof GlobalGrant)
return true;
else {
/*
* is really an error, somehow our logic of finding sub-targets
* is wrong, throw FAILURE and fix if we get here. The granting attemp
* will be denied, but that's fine.
*/
throw ServiceException.FAILURE("internal error, unexpected entry type: " + targetSup.getLabel(), null);
}
}
Also used :
Account(com.zimbra.cs.account.Account)
GlobalGrant(com.zimbra.cs.account.GlobalGrant)
GroupMembership(com.zimbra.cs.account.Provisioning.GroupMembership)
Domain(com.zimbra.cs.account.Domain)
DistributionList(com.zimbra.cs.account.DistributionList)
Example 3 with GlobalGrant
use of com.zimbra.cs.account.GlobalGrant in project zm-mailbox by Zimbra.
the class TestACLNegativeGrant method targetPrecedence.
/*
* Original grants:
* global grant (allow)
* domain (deny)
* group1 (allow)
* group2 (deny)
* target account (allow)
* => should allow
*
* then revoke the grant on account, should deny
* then revoke the grant on group2, should allow
* then revoke the grant on group1, should deny
* then revoke the grant on domain, should allow
* then revoke the grant on global grant, should deny
*/
@Test
public void targetPrecedence() throws Exception {
Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
/*
* setup authed account
*/
Account authedAcct = globalAdmin;
Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
/*
* setup grantees
*/
Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), domain);
/*
* setup targets
*/
// 1. target account itself
Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
grantRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
// 2. groups the target account is a member of
DistributionList group1 = provUtil.createDistributionList(genGroupNameLocalPart("group1"), domain);
DistributionList group2 = provUtil.createDistributionList(genGroupNameLocalPart("group2"), domain);
prov.addMembers(group1, new String[] { group2.getName() });
prov.addMembers(group2, new String[] { target.getName() });
grantRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
grantRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
// 3. domain the target account is in
grantRight(authedAcct, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
// 4. global grant
GlobalGrant globalGrant = prov.getGlobalGrant();
grantRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
/*
* test targets
*/
TestViaGrant via;
via = new TestViaGrant(TargetType.account, target, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, via);
// revoke the grant on target account, then grant on group2 should take effect
revokeRight(authedAcct, TargetType.account, target, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
via = new TestViaGrant(TargetType.dl, group2, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.NEGATIVE);
verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
// revoke the grant on group2, then grant on group1 should take effect
revokeRight(authedAcct, TargetType.dl, group2, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
via = new TestViaGrant(TargetType.dl, group1, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, via);
// revoke the grant on group1, then grant on domain should take effect
revokeRight(authedAcct, TargetType.dl, group1, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
via = new TestViaGrant(TargetType.domain, domain, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.NEGATIVE);
verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
// revoke the grant on domain, then grant on globalgrant shuld take effect
revokeRight(authedAcct, TargetType.domain, domain, GranteeType.GT_USER, grantee, right, AllowOrDeny.DENY);
via = new TestViaGrant(TargetType.global, globalGrant, GranteeType.GT_USER, grantee.getName(), right, TestViaGrant.POSITIVE);
verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, via);
// revoke the grant on globalgrant, then there is no grant and callsite default should be honored
revokeRight(authedAcct, TargetType.global, null, GranteeType.GT_USER, grantee, right, AllowOrDeny.ALLOW);
via = null;
verify(grantee, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
}
Also used :
GuestAccount(com.zimbra.cs.account.GuestAccount)
Account(com.zimbra.cs.account.Account)
GlobalGrant(com.zimbra.cs.account.GlobalGrant)
Right(com.zimbra.cs.account.accesscontrol.Right)
Domain(com.zimbra.cs.account.Domain)
TestViaGrant(com.zimbra.qa.unittest.prov.ldap.ACLTestUtil.TestViaGrant)
DistributionList(com.zimbra.cs.account.DistributionList)
Test(org.junit.Test)
Example 4 with GlobalGrant
use of com.zimbra.cs.account.GlobalGrant in project zm-mailbox by Zimbra.
the class TestACLPermissionCache method testGrantChangeOnGlobalGrant.
@Test
public void testGrantChangeOnGlobalGrant() throws Exception {
Right right = A_USER_RIGHT;
Domain domain = createDomain();
GlobalGrant grantTarget = mProv.getGlobalGrant();
Account target = createUserAccount(TARGET_USER_ACCT, domain);
Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
boolean allow;
grantRight(TargetType.global, grantTarget, GranteeType.GT_USER, grantee, right);
allow = accessMgr.canDo(grantee, target, right, false, null);
assertTrue(allow);
revokeRight(TargetType.global, grantTarget, GranteeType.GT_USER, grantee, right);
allow = accessMgr.canDo(grantee, target, right, false, null);
assertFalse(allow);
grantRight(TargetType.global, grantTarget, GranteeType.GT_USER, grantee, right);
allow = accessMgr.canDo(grantee, target, right, false, null);
assertTrue(allow);
}
Also used :
GuestAccount(com.zimbra.cs.account.GuestAccount)
Account(com.zimbra.cs.account.Account)
GlobalGrant(com.zimbra.cs.account.GlobalGrant)
Right(com.zimbra.cs.account.accesscontrol.Right)
Domain(com.zimbra.cs.account.Domain)
Test(org.junit.Test)
Example 5 with GlobalGrant
use of com.zimbra.cs.account.GlobalGrant in project zm-mailbox by Zimbra.
the class TestLdapProvGlobalGrant method getGlobalGrant.
@Test
public void getGlobalGrant() throws Exception {
GlobalGrant globalGrant = prov.getGlobalGrant();
assertNotNull(globalGrant);
}
Also used :
GlobalGrant(com.zimbra.cs.account.GlobalGrant)
Aggregations
GlobalGrant (com.zimbra.cs.account.GlobalGrant)5
Account (com.zimbra.cs.account.Account)4
Domain (com.zimbra.cs.account.Domain)4
GuestAccount (com.zimbra.cs.account.GuestAccount)3
DistributionList (com.zimbra.cs.account.DistributionList)2
Right (com.zimbra.cs.account.accesscontrol.Right)2
Test (org.junit.Test)2
Key (com.zimbra.common.account.Key)1
AccountBy (com.zimbra.common.account.Key.AccountBy)1
DistributionListBy (com.zimbra.common.account.Key.DistributionListBy)1
AlwaysOnCluster (com.zimbra.cs.account.AlwaysOnCluster)1
Config (com.zimbra.cs.account.Config)1
Cos (com.zimbra.cs.account.Cos)1
EntryCacheDataKey (com.zimbra.cs.account.EntryCacheDataKey)1
PreAuthKey (com.zimbra.cs.account.PreAuthKey)1
GroupMembership (com.zimbra.cs.account.Provisioning.GroupMembership)1
Server (com.zimbra.cs.account.Server)1
Zimlet (com.zimbra.cs.account.Zimlet)1
DataKey (com.zimbra.cs.account.callback.CallbackContext.DataKey)1
LdapAccount (com.zimbra.cs.account.ldap.entry.LdapAccount)1
