Example 56 with Group
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestACLNegativeGrant method groupGranteeTest3.
/*
Combining Target Scope and Grantee Scope: Grantee Relativity takes Precedence over Target Relativity
For example, for this target hierarchy:
domain D
group G1 (allow right R to group GC)
group G2 (deny right R to group GB)
group G3 (deny right R to group GA)
user account U
And this grantee hierarchy:
group GA
group GB
group GC
(admin) account A
Then A is *allowed* for right R on target account U, because GC is more specific to A than GA and GB.
Even if on the target side, grant on G3(grant to GA) and G2(grant to GB) is more specific than the
grant on G1(grant to GC).
The above is no longer true, it should be DENIED.
*/
@Test
public void groupGranteeTest3() throws Exception {
Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
/*
* setup authed account
*/
Account authedAcct = globalAdmin;
Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
/*
* setup grantees
*/
Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), domain);
/*
* setup grantee groups
*/
Group GA = provUtil.createAdminGroup(genGroupNameLocalPart("GA"), domain);
Group GB = provUtil.createAdminGroup(genGroupNameLocalPart("GB"), domain);
Group GC = provUtil.createAdminGroup(genGroupNameLocalPart("GC"), domain);
prov.addGroupMembers(GA, new String[] { GB.getName() });
prov.addGroupMembers(GB, new String[] { GC.getName() });
prov.addGroupMembers(GC, new String[] { account.getName() });
/*
* setup targets
*/
TestViaGrant via;
Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
Group G1 = provUtil.createDistributionList(genGroupNameLocalPart("G1"), domain);
Group G2 = provUtil.createDistributionList(genGroupNameLocalPart("G2"), domain);
Group G3 = provUtil.createDistributionList(genGroupNameLocalPart("G3"), domain);
prov.addGroupMembers(G1, new String[] { G2.getName() });
prov.addGroupMembers(G2, new String[] { G3.getName() });
prov.addGroupMembers(G3, new String[] { target.getName() });
grantRight(authedAcct, TargetType.dl, G1, GranteeType.GT_GROUP, GC, right, AllowOrDeny.ALLOW);
grantRight(authedAcct, TargetType.dl, G2, GranteeType.GT_GROUP, GB, right, AllowOrDeny.DENY);
grantRight(authedAcct, TargetType.dl, G3, GranteeType.GT_GROUP, GA, right, AllowOrDeny.DENY);
/* NO longer the case
// the right should be allowed via the grant on G1, granted to group GC
via = new TestViaGrant(TargetType.dl, G1, GranteeType.GT_GROUP, GC.getName(), right, TestViaGrant.POSITIVE);
verify(account, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW, via);
*/
via = new TestViaGrant(TargetType.dl, G2, GranteeType.GT_GROUP, GB.getName(), right, TestViaGrant.NEGATIVE);
via.addCanAlsoVia(new TestViaGrant(TargetType.dl, G3, GranteeType.GT_GROUP, GA.getName(), right, TestViaGrant.NEGATIVE));
verify(account, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
}
Also used :
GuestAccount(com.zimbra.cs.account.GuestAccount)
Account(com.zimbra.cs.account.Account)
Group(com.zimbra.cs.account.Group)
Right(com.zimbra.cs.account.accesscontrol.Right)
Domain(com.zimbra.cs.account.Domain)
TestViaGrant(com.zimbra.qa.unittest.prov.ldap.ACLTestUtil.TestViaGrant)
Test(org.junit.Test)
Example 57 with Group
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestACLNegativeGrant method groupGranteeTest1.
/*
* Verify denied takes precedence
*
* Grant to two unrelated groups: one allowed, one denied
* account is a member of both groups
*
* Expected: account should be denied
*/
@Test
public void groupGranteeTest1() throws Exception {
Account authedAcct = globalAdmin;
Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
/*
* setup grantees
*/
Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("acct"), baseDomain);
Group group1 = provUtil.createAdminGroup(genAcctNameLocalPart("group1"), baseDomain);
Group group2 = provUtil.createAdminGroup(genAcctNameLocalPart("group2"), baseDomain);
prov.addGroupMembers(group1, new String[] { account.getName() });
prov.addGroupMembers(group2, new String[] { account.getName() });
/*
* setup targets
*/
Account target = provUtil.createAccount(genAcctNameLocalPart("target"), baseDomain);
grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, group1, right, AllowOrDeny.ALLOW);
grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, group2, right, AllowOrDeny.DENY);
TestViaGrant via;
via = new TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, group2.getName(), right, TestViaGrant.NEGATIVE);
verify(account, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
}
Also used :
GuestAccount(com.zimbra.cs.account.GuestAccount)
Account(com.zimbra.cs.account.Account)
Group(com.zimbra.cs.account.Group)
Right(com.zimbra.cs.account.accesscontrol.Right)
TestViaGrant(com.zimbra.qa.unittest.prov.ldap.ACLTestUtil.TestViaGrant)
Test(org.junit.Test)
Example 58 with Group
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestGroups method doGetCustomDynamicGroupMembership.
private void doGetCustomDynamicGroupMembership(int acctNum) throws ServiceException {
String acctName = String.format(acctPatt, acctNum);
Account acct = ldapProv.getAccountByName(acctName);
GroupMembership membership = ldapProv.getCustomDynamicGroupMembership(acct, false);
String groupNames = groupInfo(membership.groupIds());
assertEquals(String.format("Number of dynamic groups with custom memberURL s which contain %s groups=%s", acct.getName(), groupNames), 1, membership.groupIds().size());
String cosName = String.format(customDLPatt, acctNum % NUM_COS + 1);
Group grp = groups.get(membership.groupIds().get(0));
String groupName = (grp == null) ? "UNKNOWN(not created by this test)" : grp.getName();
assertEquals(String.format("Name of dynamic group with custom memberURL s which contains %s", acctName), cosName, groupName);
}
Also used :
Account(com.zimbra.cs.account.Account)
Group(com.zimbra.cs.account.Group)
GroupMembership(com.zimbra.cs.account.Provisioning.GroupMembership)
Example 59 with Group
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestACLAll method execTest.
private void execTest(String note, TargetType grantedOnTargetType, TestGranteeType testGranteeType, Right right) throws Exception {
System.out.println("testing (" + note + "): " + "grant target=" + grantedOnTargetType.getCode() + ", grantee type=" + testGranteeType.getCode() + ", right=" + right.getName());
//
// 1. some basic preparation
// create a domain
//
Domain domain = createDomain();
boolean isUserRight = right.isUserRight();
//
// 2. setup grantee
//
List<Account> allowedAccts = new ArrayList<Account>();
List<Account> deniedAccts = new ArrayList<Account>();
NamedEntry grantee = null;
String granteeName = null;
String secret = null;
Object gt = testGranteeType.getGranteeType();
GranteeType granteeType = null;
if (gt instanceof GranteeType) {
granteeType = (GranteeType) gt;
switch(granteeType) {
case GT_USER:
if (isUserRight) {
grantee = createUserAccount(domain);
allowedAccts.add((Account) grantee);
deniedAccts.add(createUserAccount(domain));
} else {
grantee = createDelegatedAdminAccount(domain);
allowedAccts.add((Account) grantee);
deniedAccts.add(createDelegatedAdminAccount(domain));
}
granteeName = grantee.getName();
break;
case GT_GROUP:
if (isUserRight) {
grantee = createUserDistributionList(domain);
Account allowedAcct = createUserAccount(domain);
allowedAccts.add(allowedAcct);
prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
// external members are also honored if the right is a user right
Account guestAcct = createGuestAccount("guest@guest.com", "test123");
allowedAccts.add(guestAcct);
prov.addMembers((DistributionList) grantee, new String[] { guestAcct.getName() });
deniedAccts.add(createUserAccount(domain));
} else {
grantee = createAdminDistributionList(domain);
Account allowedAcct = createDelegatedAdminAccount(domain);
allowedAccts.add(allowedAcct);
prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
deniedAccts.add(createDelegatedAdminAccount(domain));
}
granteeName = grantee.getName();
break;
case GT_EXT_GROUP:
// create a domain and use it for the external group
Domain extDomain = createDomain();
String extDomainDN = ((LdapDomain) extDomain).getDN();
String acctLocalpart = "acct-ext";
//
// Configure the domain for external AD auth
//
Map<String, Object> domainAttrs = Maps.newHashMap();
if (isUserRight) {
domain.setAuthMech(AuthMech.ad.name(), domainAttrs);
} else {
domain.setAuthMechAdmin(AuthMech.ad.name(), domainAttrs);
}
/* ==== mock test ====
// setup auth
domain.addAuthLdapURL("ldap://localhost:389", domainAttrs);
domain.setAuthLdapBindDn("uid=%u,ou=people," + extDomainDN, domainAttrs);
// setup external group search parameters
domain.setAuthLdapSearchBindDn(LC.zimbra_ldap_userdn.value(), domainAttrs);
domain.setAuthLdapSearchBindPassword(LC.zimbra_ldap_password.value(), domainAttrs);
domain.setExternalGroupLdapSearchBase(extDomainDN, domainAttrs);
domain.setExternalGroupLdapSearchFilter("(&(objectClass=zimbraGroup)(cn=%u))", domainAttrs);
domain.setExternalGroupHandlerClass("com.zimbra.qa.unittest.UnittestGroupHandler", domainAttrs);
mProv.modifyAttrs(domain, domainAttrs);
// create a group in the external directory and add a member
Group extGroup = createUserDynamicGroup(extDomain); // doesn't matter if the group is user or admin
String extGroupName = extGroup.getName();
Account extAcct = createUserAccount(acctLocalpart, extDomain);
mProv.addGroupMembers(extGroup, new String[]{extAcct.getName()});
// create the admin account in Zimbra directory and map it to the external account
Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
allowedAccts.add(zimbraAcct);
*/
domain.addAuthLdapURL("***", domainAttrs);
domain.setAuthLdapSearchBindDn("***", domainAttrs);
domain.setAuthLdapSearchBindPassword("***", domainAttrs);
domain.setExternalGroupLdapSearchBase("OU=Engineering,DC=vmware,DC=com", domainAttrs);
domain.setExternalGroupLdapSearchFilter("(&(objectClass=group)(mail=%n))", domainAttrs);
domain.setExternalGroupHandlerClass("com.zimbra.cs.account.grouphandler.ADGroupHandler", domainAttrs);
prov.modifyAttrs(domain, domainAttrs);
// "ESPPEnrollment-USA@vmware.com";
String extGroupName = "ENG_pao_users_home4@vmware.com";
// create the admin account in Zimbra directory and map it to the external account
Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
zimbraAcct.setAuthLdapExternalDn("CN=Phoebe Shao,OU=PAO_Users,OU=PaloAlto_California_USA,OU=NALA,OU=SITES,OU=Engineering,DC=vmware,DC=com");
allowedAccts.add(zimbraAcct);
// =======================
granteeName = domain.getName() + ":" + extGroupName;
break;
case GT_AUTHUSER:
if (isUserRight) {
allowedAccts.add(createUserAccount("allowed-user-acct", domain));
deniedAccts.add(createGuestAccount("not-my-guest@external.com", "test123"));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
}
break;
case GT_DOMAIN:
grantee = createDomain();
if (isUserRight) {
allowedAccts.add(createUserAccount("allowed-user-acct", (Domain) grantee));
Domain notGrantee = createDomain();
deniedAccts.add(createUserAccount("denied-user-acct", notGrantee));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", (Domain) grantee));
// TODO: TEST R_crossDomainAdmin
}
granteeName = grantee.getName();
break;
case GT_GUEST:
// an email address
granteeName = "be-my-guest@guest.com";
// password
secret = "test123";
if (isUserRight) {
allowedAccts.add(createGuestAccount(granteeName, secret));
deniedAccts.add(createGuestAccount("not-my-guest@external.com", "bad"));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
deniedAccts.add(createGuestAccount(granteeName, secret));
}
break;
case GT_KEY:
// a display name
granteeName = "be-my-guest";
// access key
secret = "test123";
if (isUserRight) {
allowedAccts.add(createKeyAccount(granteeName, secret));
deniedAccts.add(createKeyAccount("not-my-guest", "bad"));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
deniedAccts.add(createKeyAccount(granteeName, secret));
}
break;
case GT_PUBLIC:
if (isUserRight) {
allowedAccts.add(anonAccount());
} else {
deniedAccts.add(anonAccount());
}
break;
default:
fail();
}
} else {
// dynamic group
assertEquals(TestGranteeType.GRANTEE_DYNAMIC_GROUP, testGranteeType);
granteeType = GranteeType.GT_GROUP;
if (isUserRight) {
grantee = createUserDynamicGroup(domain);
Account allowedAcct = createUserAccount(domain);
allowedAccts.add(allowedAcct);
prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
// external members are also honored if the right is a user right
Account guestAcct = createGuestAccount("guest@guest.com", "test123");
allowedAccts.add(guestAcct);
prov.addGroupMembers((DynamicGroup) grantee, new String[] { guestAcct.getName() });
deniedAccts.add(createUserAccount(domain));
} else {
grantee = createAdminDynamicGroup(domain);
Account allowedAcct = createDelegatedAdminAccount(domain);
allowedAccts.add(allowedAcct);
prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
deniedAccts.add(createDelegatedAdminAccount(domain));
}
granteeName = grantee.getName();
}
//
// 3. setup expectations for the granting action
//
boolean expectInvalidRequest = false;
if (isUserRight) {
expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
} else {
// is admin right
if (!granteeType.allowedForAdminRights()) {
expectInvalidRequest = true;
}
if (!expectInvalidRequest) {
if (granteeType == GranteeType.GT_DOMAIN && right != Admin.R_crossDomainAdmin) {
expectInvalidRequest = true;
}
}
if (!expectInvalidRequest) {
expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
}
}
//
// 4. setup target on which the right is to be granted
//
Entry grantedOnTarget = null;
String targetName = null;
switch(grantedOnTargetType) {
case account:
grantedOnTarget = createUserAccount("target-acct", domain);
targetName = ((Account) grantedOnTarget).getName();
break;
case calresource:
grantedOnTarget = createCalendarResource("target-cr", domain);
targetName = ((CalendarResource) grantedOnTarget).getName();
break;
case cos:
grantedOnTarget = createCos();
targetName = ((Cos) grantedOnTarget).getName();
break;
case dl:
grantedOnTarget = createUserDistributionList("target-distributionlist", domain);
targetName = ((DistributionList) grantedOnTarget).getName();
break;
case group:
grantedOnTarget = createUserDynamicGroup("target-dynamicgroup", domain);
targetName = ((DynamicGroup) grantedOnTarget).getName();
break;
case domain:
grantedOnTarget = domain;
targetName = domain.getName();
break;
case server:
grantedOnTarget = createServer();
targetName = ((Server) grantedOnTarget).getName();
break;
case alwaysoncluster:
grantedOnTarget = createAlwaysOnCluster();
targetName = ((AlwaysOnCluster) grantedOnTarget).getName();
break;
case ucservice:
grantedOnTarget = createUCService();
targetName = ((UCService) grantedOnTarget).getName();
break;
case xmppcomponent:
// skip for now
return;
case zimlet:
grantedOnTarget = createZimlet();
targetName = ((Zimlet) grantedOnTarget).getName();
break;
case config:
grantedOnTarget = getConfig();
break;
case global:
grantedOnTarget = getGlobalGrant();
break;
default:
fail();
}
//
// grant right on the target
//
boolean gotInvalidRequestException = false;
try {
// TODO: in a different test, test granting by a different authed account:
// global admin, delegated admin, user
//
Account grantingAccount = globalAdmin;
RightCommand.grantRight(prov, grantingAccount, grantedOnTargetType.getCode(), TargetBy.name, targetName, granteeType.getCode(), GranteeBy.name, granteeName, secret, right.getName(), null);
} catch (ServiceException e) {
if (ServiceException.INVALID_REQUEST.equals(e.getCode())) {
gotInvalidRequestException = true;
} else {
e.printStackTrace();
fail();
}
}
//
// 5. verify the grant
//
assertEquals(expectInvalidRequest, gotInvalidRequestException);
// after group creation using the target object returned from the create call.
if (grantedOnTarget instanceof Group) {
grantedOnTarget = prov.getGroupBasic(Key.DistributionListBy.id, ((Group) grantedOnTarget).getId());
}
//
if (right.isComboRight()) {
for (Right rt : ((ComboRight) right).getAllRights()) {
setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, rt, true, allowedAccts, deniedAccts, !gotInvalidRequestException);
}
} else {
setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, right, false, allowedAccts, deniedAccts, !gotInvalidRequestException);
}
}
Also used :
GuestAccount(com.zimbra.cs.account.GuestAccount)
Account(com.zimbra.cs.account.Account)
DynamicGroup(com.zimbra.cs.account.DynamicGroup)
Group(com.zimbra.cs.account.Group)
GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType)
LdapDomain(com.zimbra.cs.account.ldap.entry.LdapDomain)
ArrayList(java.util.ArrayList)
ComboRight(com.zimbra.cs.account.accesscontrol.ComboRight)
CheckRight(com.zimbra.cs.account.accesscontrol.CheckRight)
UserRight(com.zimbra.cs.account.accesscontrol.UserRight)
AttrRight(com.zimbra.cs.account.accesscontrol.AttrRight)
PresetRight(com.zimbra.cs.account.accesscontrol.PresetRight)
Right(com.zimbra.cs.account.accesscontrol.Right)
ComboRight(com.zimbra.cs.account.accesscontrol.ComboRight)
NamedEntry(com.zimbra.cs.account.NamedEntry)
NamedEntry(com.zimbra.cs.account.NamedEntry)
Entry(com.zimbra.cs.account.Entry)
ServiceException(com.zimbra.common.service.ServiceException)
LdapDomain(com.zimbra.cs.account.ldap.entry.LdapDomain)
Domain(com.zimbra.cs.account.Domain)
Example 60 with Group
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestACLAttrRight method someAllDiffLevel.
/*
* 2 grants
* allow some at closer level, deny all at farther level
* => should allow some
*/
public void someAllDiffLevel(AllowOrDeny some, AllowOrDeny all, // whether some or all is the closer grant
boolean someIsCloser, GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
String testName = "someAllDiffLevel-" + some.name() + "-some-" + all.name() + "-all-" + (someIsCloser ? "someIsCloser" : "allIsCloser") + "-" + getOrSet.name();
System.out.println("Testing " + testName);
/*
* setup authed account
*/
Account authedAcct = globalAdmin;
/*
* grantees
*/
Account GA = provUtil.createDelegatedAdmin(getAddress(testName, "GA"));
Group GG = provUtil.createAdminGroup(getAddress(testName, "GG"));
prov.addGroupMembers(GG, new String[] { GA.getName() });
/*
* grants
*/
Right someRight;
Right allRight;
if (getOrSet.isGet()) {
someRight = ATTR_RIGHT_GET_SOME;
allRight = ATTR_RIGHT_GET_ALL;
} else {
someRight = ATTR_RIGHT_SET_SOME;
allRight = ATTR_RIGHT_SET_ALL;
}
/*
* targets
*/
Account TA = createAccount(getAddress(testName, "TA"));
if (someIsCloser) {
grantRight(authedAcct, TargetType.account, TA, GranteeType.GT_USER, GA, someRight, some);
grantRight(authedAcct, TargetType.account, TA, GranteeType.GT_GROUP, GG, allRight, all);
} else {
grantRight(authedAcct, TargetType.account, TA, GranteeType.GT_USER, GA, allRight, all);
grantRight(authedAcct, TargetType.account, TA, GranteeType.GT_GROUP, GG, someRight, some);
}
verify(GA, TA, getOrSet, expected);
}
Also used :
Account(com.zimbra.cs.account.Account)
Group(com.zimbra.cs.account.Group)
CheckAttrRight(com.zimbra.cs.account.accesscontrol.CheckAttrRight)
AdminRight(com.zimbra.cs.account.accesscontrol.AdminRight)
Right(com.zimbra.cs.account.accesscontrol.Right)
Aggregations
Group (com.zimbra.cs.account.Group)110
Account (com.zimbra.cs.account.Account)53
Test (org.junit.Test)42
DynamicGroup (com.zimbra.cs.account.DynamicGroup)27
ServiceException (com.zimbra.common.service.ServiceException)23
SoapTransport (com.zimbra.common.soap.SoapTransport)23
Provisioning (com.zimbra.cs.account.Provisioning)23
LdapDynamicGroup (com.zimbra.cs.account.ldap.entry.LdapDynamicGroup)21
Domain (com.zimbra.cs.account.Domain)17
GuestAccount (com.zimbra.cs.account.GuestAccount)17
ZimbraSoapContext (com.zimbra.soap.ZimbraSoapContext)17
Element (com.zimbra.common.soap.Element)16
AccountServiceException (com.zimbra.cs.account.AccountServiceException)15
NamedEntry (com.zimbra.cs.account.NamedEntry)14
LdapAccount (com.zimbra.cs.account.ldap.entry.LdapAccount)12
DistributionListActionRequest (com.zimbra.soap.account.message.DistributionListActionRequest)12
DistributionListAction (com.zimbra.soap.account.type.DistributionListAction)12
DistributionListActionResponse (com.zimbra.soap.account.message.DistributionListActionResponse)11
DistributionList (com.zimbra.cs.account.DistributionList)9
Entry (com.zimbra.cs.account.Entry)9
