use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestACLNegativeGrant method groupGranteeTest2.
/*
 * Verify that a negative (deny) grant takes precedence over positive (allow) grants on the
 * same target when the grantee reaches both through nested group membership.
*
*
 * Membership (A = the delegated admin account; A is also a direct member of every group):
 *
 *          GG1(allow)              GG4(deny)
 *          /      \                /      \
 *         A     GG2(deny)         A     GG5(allow)
 *               /      \                /      \
 *              A     GG3(allow)        A     GG6(deny)
 *                       |                       |
 *                       A                       A
*
*
* Grantee:
* GG1(allow), GG2(deny), GG3(allow), GG4(deny), GG5(allow), GG6(deny)
*
* Target:
* granted on the same target entry - TA
*
 * Expected:
 * DENY. The negative grants on GG2, GG4 and GG6 each override the positive grants on
 * GG1, GG3 and GG5 no matter how deep in the nested membership they sit; any one of
 * the three negative grants is accepted as the deciding grant.
*
*/
/**
 * Exercises the deny-wins rule for group grantees: the delegated admin is a member of
 * six admin groups arranged in two nesting chains (GG1 > GG2 > GG3 and GG4 > GG5 > GG6),
 * odd-numbered groups are granted ALLOW and even-numbered ones DENY on the same target
 * account, and the effective result must be DENY via GG2, GG4 or GG6.
 *
 * @throws Exception propagated from provisioning and grant helpers
 */
public void groupGranteeTest2() throws Exception {
    Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);

    // The global admin issues the grants; the delegated admin below is the grantee
    // whose effective permission is checked.
    Account authedAcct = globalAdmin;
    Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
    Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), domain);

    // gg[0..5] are GG1..GG6, created in that order.
    String[] groupNames = { "GG1", "GG2", "GG3", "GG4", "GG5", "GG6" };
    Group[] gg = new Group[groupNames.length];
    for (int i = 0; i < gg.length; i++) {
        gg[i] = provUtil.createAdminGroup(genGroupNameLocalPart(groupNames[i]), domain);
    }

    // Build the two three-level chains; the account is a direct member of every group.
    // Membership is added top-down so GG1..GG6 are populated in the original order.
    for (int top : new int[] { 0, 3 }) {
        prov.addGroupMembers(gg[top], new String[] { account.getName(), gg[top + 1].getName() });
        prov.addGroupMembers(gg[top + 1], new String[] { account.getName(), gg[top + 2].getName() });
        prov.addGroupMembers(gg[top + 2], new String[] { account.getName() });
    }

    // All grants land on the same target account: ALLOW for GG1/GG3/GG5, DENY for GG2/GG4/GG6.
    Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
    for (int i = 0; i < gg.length; i++) {
        AllowOrDeny decision = (i % 2 == 0) ? AllowOrDeny.ALLOW : AllowOrDeny.DENY;
        grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, gg[i], right, decision);
    }

    // Any of the three negative grants (GG2, GG4, GG6) may be reported as the deciding one.
    TestViaGrant via = null;
    for (int i = 1; i < gg.length; i += 2) {
        TestViaGrant negative = new TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, gg[i].getName(), right, TestViaGrant.NEGATIVE);
        if (via == null) {
            via = negative;
        } else {
            via.addCanAlsoVia(negative);
        }
    }
    verify(account, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
}
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class CollectEffectiveRights method getEffectiveAdminPresetRights.
/**
 * Computes the admin preset rights the current grantee effectively holds on
 * {@code mTarget}, after resolving allow/deny conflicts.
 *
 * Collection walks outward from the target: the target's own ACL first, then every
 * entry the target can inherit grants from (as yielded by {@link TargetIterator}).
 * Each step records the rights it sees in {@code allowed} / {@code denied} tagged
 * with a "relativity" that grows by 2 per step, so a smaller value means the grant
 * sits closer to the target. ACLs on group targets are buffered in a
 * {@link GroupACLs} and flushed as a single step when the iterator moves on to the
 * first non-group entry.
 *
 * Conflict resolution: a right present in both maps is removed from {@code allowed}
 * when its deny is at least as close as its allow ({@code denied <= allowed}) — i.e.
 * a deny wins a tie at the same relativity. This is the fail-closed rule the
 * negative-grant tests depend on.
 *
 * @return the rights that remain allowed after conflict resolution (never null)
 * @throws ServiceException propagated from provisioning / ACL lookups
 */
private Set<Right> getEffectiveAdminPresetRights() throws ServiceException {
    Provisioning prov = Provisioning.getInstance();
    Grantee grantee = getGrantee();
    TargetType targetType = TargetType.getTargetType(mTarget);
    // right -> relativity of the grant recorded for it (smaller = closer to the target)
    Map<Right, Integer> allowed = new HashMap<Right, Integer>();
    Map<Right, Integer> denied = new HashMap<Right, Integer>();
    Integer relativity = Integer.valueOf(1);
    //
    // collecting phase
    //
    // NOTE(review): car is never reassigned in this method, so the !car.isAll() loop
    // guard below is always true and the walk always runs to the end of the iterator.
    CheckAttrRight.CollectAttrsResult car = CheckAttrRight.CollectAttrsResult.SOME;
    // check the target entry itself
    List<ZimbraACE> acl = ACLUtil.getAllACEs(mTarget);
    if (acl != null) {
        collectAdminPresetRightOnTarget(acl, targetType, relativity, false, allowed, denied);
        relativity += 2;
    }
    //
    // if the target is a domain-ed entry, get the domain of the target.
    // It is needed for the cross-domain check on group targets below.
    //
    Domain targetDomain = TargetType.getTargetDomain(prov, mTarget);
    // check grants granted on entries from which the target entry can inherit from
    boolean expandTargetGroups = CheckRight.allowGroupTarget(AdminRight.PR_ADMIN_PRESET_RIGHT);
    TargetIterator iter = TargetIterator.getTargetIeterator(prov, mTarget, expandTargetGroups);
    Entry grantedOn;
    GroupACLs groupACLs = null;
    while ((grantedOn = iter.next()) != null && (!car.isAll())) {
        acl = ACLUtil.getAllACEs(grantedOn);
        if (grantedOn instanceof Group) {
            if (acl == null)
                continue;
            boolean skipPositiveGrants = false;
            // Only an account grantee gets the cross-domain check; when the grantee is
            // itself a group its members can be in different domains, so there is no
            // single domain to check against. If the check fails, positive grants on
            // this group target are presumably dropped so that a grant on a group cannot
            // confer rights on a target in another domain, while negative grants are
            // still collected — confirm in GroupACLs.collectACL.
            if (grantee.isAccount()) {
                skipPositiveGrants = !CrossDomain.crossDomainOK(prov, grantee.getAccount(), grantee.getDomain(), targetDomain, (Group) grantedOn);
            }
            // don't check yet, collect all acls on all target groups
            if (groupACLs == null) {
                groupACLs = new GroupACLs(mTarget);
            }
            groupACLs.collectACL((Group) grantedOn, skipPositiveGrants);
        } else {
            // consistent with ZimbraACL.getAllACEs
            // The buffered group ACLs are flushed (as one relativity step) only here, on
            // the first non-group entry after the groups. NOTE(review): this relies on
            // the iterator yielding a non-group entry (e.g. the domain or global grant)
            // after the group targets; if the walk ended on a group, the buffered ACLs
            // would never be collected — confirm TargetIterator's ordering.
            if (groupACLs != null) {
                List<ZimbraACE> aclsOnGroupTargets = groupACLs.getAllACLs();
                if (aclsOnGroupTargets != null) {
                    collectAdminPresetRightOnTarget(aclsOnGroupTargets, targetType, relativity, false, allowed, denied);
                    relativity += 2;
                }
                // set groupACLs to null, we are done with group targets
                groupACLs = null;
            }
            if (acl == null) {
                continue;
            }
            // true only when the overall target is a domain and this grant sits on a
            // domain entry — presumably marks a grant on a parent domain that should be
            // evaluated under sub-domain semantics; confirm in collectAdminPresetRightOnTarget.
            boolean subDomain = (mTargetType == TargetType.domain && (grantedOn instanceof Domain));
            collectAdminPresetRightOnTarget(acl, targetType, relativity, subDomain, allowed, denied);
            relativity += 2;
        }
    }
    // Debug dump of (right, relativity) pairs; only right names are logged, no grantee data.
    if (sLog.isDebugEnabled()) {
        StringBuilder sbAllowed = new StringBuilder();
        for (Map.Entry<Right, Integer> a : allowed.entrySet()) {
            sbAllowed.append("(" + a.getKey().getName() + ", " + a.getValue() + ") ");
        }
        sLog.debug("allowed: " + sbAllowed.toString());
        StringBuilder sbDenied = new StringBuilder();
        for (Map.Entry<Right, Integer> a : denied.entrySet()) {
            sbDenied.append("(" + a.getKey().getName() + ", " + a.getValue() + ") ");
        }
        sLog.debug("denied: " + sbDenied.toString());
    }
    // Resolve conflicts: a deny that is as close as or closer than the allow wins.
    // The <= (not <) is deliberate — equal relativity resolves to deny.
    Set<Right> conflicts = SetUtil.intersect(allowed.keySet(), denied.keySet());
    if (!conflicts.isEmpty()) {
        for (Right right : conflicts) {
            if (denied.get(right) <= allowed.get(right))
                allowed.remove(right);
        }
    }
    return allowed.keySet();
}
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class DiscoverUserRights method handle.
/*
* Discover grants that are granted on the designated target type for the
* specified rights. Note: grants granted on other targets are not searched/returned.
*
* e.g. for an account right, returns grants that are granted on account entries that
* are applicable to the account. Grants granted on DL, group, domain, and global
* are NOT returned.
*/
/**
 * Discovers, for each requested right, the entries of that right's designated target
 * type on which a grant for the right exists and applies to {@code acct}.
 *
 * Only grants on the designated target type (plus the account/calresource and dl/group
 * equivalences) are returned; grants on other target types (domain, global, ...) are
 * not searched. Entries that are {@code acct} itself are skipped. A {@code GT_USER}
 * grant on an account or group target is reported only when {@code acct} is the
 * grantee (bug 75512) — presumably so that a caller does not learn about grants made
 * to other users on such targets; confirm against the bug.
 *
 * @return map from right to the set of matching target entries; rights with no match
 *         are absent from the map
 * @throws ServiceException propagated from the grant search and target-type lookups
 */
Map<Right, Set<Entry>> handle() throws ServiceException {
    Provisioning prov = Provisioning.getInstance();

    // Target types to search: each right's own type, plus the sibling type for dl/group,
    // because for user rights a dl right also applies to dynamic groups and vice versa.
    Set<TargetType> typesToSearch = Sets.newHashSet();
    for (Right requested : rights) {
        TargetType ownType = requested.getTargetType();
        typesToSearch.add(ownType);
        if (ownType == TargetType.dl) {
            typesToSearch.add(TargetType.group);
        } else if (ownType == TargetType.group) {
            typesToSearch.add(TargetType.dl);
        }
    }

    SearchGrants search = new SearchGrants(prov, typesToSearch, acct, rights, onMaster);
    Set<SearchGrants.GrantsOnTarget> found = search.doSearch().getResults();

    Map<Right, Set<Entry>> byRight = Maps.newHashMap();
    for (SearchGrants.GrantsOnTarget grantsOnTarget : found) {
        Entry targetEntry = grantsOnTarget.getTargetEntry();
        ZimbraACL acl = grantsOnTarget.getAcl();
        for (ZimbraACE ace : acl.getAllACEs()) {
            Right right = ace.getRight();
            if (!rights.contains(right) || isSameEntry(targetEntry, acct)) {
                continue;
            }
            if (isForeignUserGrant(targetEntry, ace)) {
                // bug 75512: a user grant on an account/group target is only reported to its grantee
                continue;
            }
            TargetType typeForRight = right.getTargetType();
            TargetType typeOfEntry = TargetType.getTargetType(targetEntry);
            if (!targetTypeApplies(typeForRight, typeOfEntry)) {
                continue;
            }
            Set<Entry> matches = byRight.get(right);
            if (matches == null) {
                matches = Sets.newHashSet();
                byRight.put(right, matches);
            }
            matches.add(targetEntry);
        }
    }
    return byRight;
}

/**
 * True when {@code ace} is a {@code GT_USER} grant on an account or group target whose
 * grantee is some account other than {@code this.acct}.
 */
private boolean isForeignUserGrant(Entry targetEntry, ZimbraACE ace) {
    boolean accountOrGroupTarget = targetEntry instanceof Account || targetEntry instanceof Group;
    if (!accountOrGroupTarget || ace.getGranteeType() != GranteeType.GT_USER) {
        return false;
    }
    return !StringUtil.equal(this.acct.getId(), ace.getGrantee());
}

/**
 * True when an entry of type {@code ofEntry} is an acceptable target for a right whose
 * designated type is {@code forRight}: the same type, a calresource for an account
 * right, or dl/group for each other.
 */
private boolean targetTypeApplies(TargetType forRight, TargetType ofEntry) {
    if (forRight.equals(ofEntry)) {
        return true;
    }
    if (forRight == TargetType.account) {
        return ofEntry == TargetType.calresource;
    }
    if (forRight == TargetType.dl) {
        return ofEntry == TargetType.group;
    }
    if (forRight == TargetType.group) {
        return ofEntry == TargetType.dl;
    }
    return false;
}
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestDistListACL method doCheckSentToDistListDomRight.
/**
 * Asserts, through both access paths, whether {@code email} may send to the list under
 * test: {@code accessMgr.canDo(...)} and {@code RightCommand.checkRight(...)} must both
 * agree with {@code expected}.
 *
 * @param targetDl    the list; only used for the informational log line
 * @param email       address of the would-be sender (looked up as a GT_EMAIL grantee)
 * @param grantDomain domain named in the assertion messages (the domain the grant was made on)
 * @param expected    true if the sender is expected to be allowed, false if denied
 * @throws ServiceException propagated from provisioning and right-check calls
 */
private void doCheckSentToDistListDomRight(DistributionList targetDl, String email, String grantDomain, boolean expected) throws ServiceException {
    ZimbraLog.test.info("DL name %s ID %s", targetDl.getName(), targetDl.getId());

    // NOTE(review): the lookups below go through the listAddress field rather than
    // targetDl.getName(); presumably both name the same list — confirm at the call sites.
    Group group = prov.getGroupBasic(Key.DistributionListBy.name, listAddress);
    Assert.assertNotNull("Unable to find Group object for DL by name", group);

    AccessManager.ViaGrant via = new AccessManager.ViaGrant();
    NamedEntry looked = GranteeType.lookupGrantee(prov, GranteeType.GT_EMAIL, GranteeBy.name, email);
    // An unresolvable / non-mail grantee is passed as null and must come back denied.
    MailTarget grantee = (looked instanceof MailTarget) ? (MailTarget) looked : null;
    boolean hasRight = RightCommand.checkRight(prov, "dl", /* targetType */
    TargetBy.name, listAddress, grantee, RightConsts.RT_sendToDistList, null, /* attrs */
    via);

    if (!expected) {
        Assert.assertFalse(String.format("%s should NOT be able to send to DL (because not in domain %s)", email, grantDomain), accessMgr.canDo(email, group, User.R_sendToDistList, false));
        Assert.assertFalse(String.format("%s should NOT have right to send to DL (because not in domain %s)", email, grantDomain), hasRight);
        return;
    }
    Assert.assertTrue(String.format("%s should be able to send to DL (because in domain %s)", email, grantDomain), accessMgr.canDo(email, group, User.R_sendToDistList, false));
    Assert.assertTrue(String.format("%s should have right to send to DL (because in domain %s)", email, grantDomain), hasRight);
    ZimbraLog.test.info("Test for %s against dom %s Via=%s", email, grantDomain, via);
}
use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.
the class TestLdapProvSearchDirectory method getAllGroups.
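/**
 * {@code prov.getAllGroups(domain)} must return exactly the distribution list and the
 * dynamic group created in the test domain, and must not include the groups created in
 * the sub domain.
 *
 * Cleanup runs in a finally block: previously the four deleteGroup calls came after the
 * assertion, so a failing assertion (or an exception from getAllGroups) left the groups
 * behind in the directory, where they would skew later group-enumeration tests.
 *
 * @throws Exception propagated from provisioning helpers and the verification
 */
@Test
public void getAllGroups() throws Exception {
    DistributionList dl = null;
    DynamicGroup dg = null;
    DistributionList dlSub = null;
    DynamicGroup dgSub = null;
    try {
        dl = createDistributionList(genGroupNameLocalPart("dl"));
        dg = createDynamicGroup(genGroupNameLocalPart("dg"));

        // create a sub domain
        // NOTE(review): the sub domain itself is not deleted here (nor was it before);
        // no domain-deletion helper is visible in this file to reuse.
        String SUB_DOMAIN_NAME = "sub." + baseDomainName();
        Domain subDomain = provUtil.createDomain(SUB_DOMAIN_NAME, null);

        // create a DL and a DG in the sub domain; these must NOT appear for `domain`
        dlSub = createDistributionList(genGroupNameLocalPart("dl-sub"), subDomain);
        dgSub = createDynamicGroup(genGroupNameLocalPart("dg-sub"), subDomain);

        List<Group> groups = prov.getAllGroups(domain);
        Verify.verifyEquals(Lists.newArrayList(dg, dl), groups, true);
    } finally {
        // Same deletion order as before; a null means creation did not get that far.
        if (dl != null) {
            deleteGroup(dl);
        }
        if (dg != null) {
            deleteGroup(dg);
        }
        if (dlSub != null) {
            deleteGroup(dlSub);
        }
        if (dgSub != null) {
            deleteGroup(dgSub);
        }
    }
}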