
Example 16 with Group

use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.

the class TestACLEffectiveRights method bug70206.

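@Bug(bug = 70206)
@Test
public void bug70206() throws Exception {
    /*
     * Bug 70206: a preset right and an attr right that are both part of the
     * combo right Right.RT_adminConsoleDLRights are DENIED on the global level
     * but ALLOWED directly on a distribution list. The effective rights
     * computed on that list must still report both of them as granted.
     */
    Account acct = provUtil.createDelegatedAdmin(genAcctNameLocalPart(), domain);
    Group group = provUtil.createGroup(genGroupNameLocalPart(), domain, false);
    Account grantingAccount = globalAdmin;
    String presetRightUnderTest = Right.RT_deleteDistributionList;
    String attrUnderTest = Provisioning.A_zimbraHideInGal;
    String attrRightUnderTest = InlineAttrRight.composeSetRight(TargetType.dl, attrUnderTest);
    // grant the combo right (which contains both rights under test) on the global level
    RightCommand.grantRight(prov, grantingAccount, TargetType.global.getCode(), null, null, GranteeType.GT_USER.getCode(), GranteeBy.name, acct.getName(), null, Right.RT_adminConsoleDLRights, null);
    // deny the preset right on the global level
    RightCommand.grantRight(prov, grantingAccount, TargetType.global.getCode(), null, null, GranteeType.GT_USER.getCode(), GranteeBy.name, acct.getName(), null, presetRightUnderTest, RightModifier.RM_DENY);
    // grant the attr right directly on the target group
    RightCommand.grantRight(prov, grantingAccount, TargetType.dl.getCode(), TargetBy.name, group.getName(), GranteeType.GT_USER.getCode(), GranteeBy.name, acct.getName(), null, attrRightUnderTest, null);
    // deny the attr right on the global level
    RightCommand.grantRight(prov, grantingAccount, TargetType.global.getCode(), null, null, GranteeType.GT_USER.getCode(), GranteeBy.name, acct.getName(), null, attrRightUnderTest, RightModifier.RM_DENY);
    // grant the preset right directly on the target group
    RightCommand.grantRight(prov, grantingAccount, TargetType.dl.getCode(), TargetBy.name, group.getName(), GranteeType.GT_USER.getCode(), GranteeBy.name, acct.getName(), null, presetRightUnderTest, null);
    EffectiveRights effRights = RightCommand.getEffectiveRights(prov, TargetType.dl.getCode(), TargetBy.name, group.getName(), GranteeBy.name, acct.getName(), false, false);
    List<String> presetRights = effRights.presetRights();
    SortedMap<String, EffectiveAttr> setAttrRights = effRights.canSetAttrs();
    // the test expects the grants on the target itself to win over the global denies
    assertTrue("preset right " + presetRightUnderTest + " should be effective on the group", presetRights.contains(presetRightUnderTest));
    assertTrue("attr " + attrUnderTest + " should be settable on the group", setAttrRights.containsKey(attrUnderTest));
}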

Example 17 with Group

use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.

the class TestACLNegativeGrant method groupGranteeTest3.

/*
    Combining Target Scope and Grantee Scope: Grantee Relativity takes Precedence over Target Relativity
      For example, for this target hierarchy:
          domain D
              group G1 (allow right R to group GC)
                  group G2 (deny right R to group GB)
                      group G3 (deny right R to group GA)
                          user account U

      And this grantee hierarchy:
          group GA
              group GB
                  group GC
                      (admin) account A

      Then A is *allowed* for right R on target account U, because GC is more specific to A than GA and GB.
      Even if on the target side, grant on G3(grant to GA) and G2(grant to GB) is more specific than the
      grant on G1(grant to GC).

      The above is no longer true: A is now DENIED for right R on target account U.
    */
@Test
public void groupGranteeTest3() throws Exception {
    Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
    // account performing the grants, and the right under test
    Account grantor = globalAdmin;
    Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
    // grantee side: the admin account is nested GA > GB > GC > account
    Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), domain);
    Group GA = provUtil.createAdminGroup(genGroupNameLocalPart("GA"), domain);
    Group GB = provUtil.createAdminGroup(genGroupNameLocalPart("GB"), domain);
    Group GC = provUtil.createAdminGroup(genGroupNameLocalPart("GC"), domain);
    prov.addGroupMembers(GA, new String[] { GB.getName() });
    prov.addGroupMembers(GB, new String[] { GC.getName() });
    prov.addGroupMembers(GC, new String[] { account.getName() });
    // target side: the target account is nested G1 > G2 > G3 > target
    Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
    Group G1 = provUtil.createDistributionList(genGroupNameLocalPart("G1"), domain);
    Group G2 = provUtil.createDistributionList(genGroupNameLocalPart("G2"), domain);
    Group G3 = provUtil.createDistributionList(genGroupNameLocalPart("G3"), domain);
    prov.addGroupMembers(G1, new String[] { G2.getName() });
    prov.addGroupMembers(G2, new String[] { G3.getName() });
    prov.addGroupMembers(G3, new String[] { target.getName() });
    // ALLOW on the outermost target group for the innermost grantee group,
    // DENY on the two inner target groups for the two outer grantee groups
    grantRight(grantor, TargetType.dl, G1, GranteeType.GT_GROUP, GC, right, AllowOrDeny.ALLOW);
    grantRight(grantor, TargetType.dl, G2, GranteeType.GT_GROUP, GB, right, AllowOrDeny.DENY);
    grantRight(grantor, TargetType.dl, G3, GranteeType.GT_GROUP, GA, right, AllowOrDeny.DENY);
    // Historically the ALLOW via G1/GC won (grantee relativity over target
    // relativity); the current expectation is DENY, reachable via either negative grant.
    TestViaGrant expectedVia = new TestViaGrant(TargetType.dl, G2, GranteeType.GT_GROUP, GB.getName(), right, TestViaGrant.NEGATIVE);
    expectedVia.addCanAlsoVia(new TestViaGrant(TargetType.dl, G3, GranteeType.GT_GROUP, GA.getName(), right, TestViaGrant.NEGATIVE));
    verify(account, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);
}

Example 18 with Group

use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.

the class TestACLNegativeGrant method groupGranteeTest1.

/*
     * Verify denied takes precedence
     *
     * Grant to two unrelated groups: one allowed, one denied
     * account is a member of both groups
     *
     * Expected: account should be denied
     */
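@Test
public void groupGranteeTest1() throws Exception {
    Account authedAcct = globalAdmin;
    Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;
    /*
     * setup grantees: one admin account that is a direct member of two
     * unrelated admin groups
     */
    Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("acct"), baseDomain);
    // group entries get group-style local parts, consistent with groupGranteeTest3
    Group group1 = provUtil.createAdminGroup(genGroupNameLocalPart("group1"), baseDomain);
    Group group2 = provUtil.createAdminGroup(genGroupNameLocalPart("group2"), baseDomain);
    prov.addGroupMembers(group1, new String[] { account.getName() });
    prov.addGroupMembers(group2, new String[] { account.getName() });
    /*
     * setup target: the same right is ALLOWED via group1 and DENIED via group2
     */
    Account target = provUtil.createAccount(genAcctNameLocalPart("target"), baseDomain);
    grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, group1, right, AllowOrDeny.ALLOW);
    grantRight(authedAcct, TargetType.account, target, GranteeType.GT_GROUP, group2, right, AllowOrDeny.DENY);
    // the deny must win, and it must be reported as coming from the group2 grant
    TestViaGrant via = new TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, group2.getName(), right, TestViaGrant.NEGATIVE);
    verify(account, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, via);
}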

Example 19 with Group

use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.

the class GetDistributionList method handle.

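/**
 * Handles a GetDistributionList admin request.
 *
 * Resolves the group from the SOAP context, runs the admin-right and
 * group-harvesting checks before any group data is encoded, then encodes the
 * list's attributes and, only when the attr right checker allows the
 * membership attribute, its members.
 *
 * @param request the GetDistributionListRequest element
 * @param context the SOAP request context
 * @return the GetDistributionListResponse element
 * @throws ServiceException for a negative limit or offset, or when one of the
 *         right / harvesting checks rejects the request
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    GetDistributionListRequest req = JaxbUtil.elementToJaxb(request);
    // paging for the member listing; an absent value means 0
    int limit = (req.getLimit() == null) ? 0 : req.getLimit();
    if (limit < 0) {
        throw ServiceException.INVALID_REQUEST("limit " + limit + " is negative", null);
    }
    int offset = (req.getOffset() == null) ? 0 : req.getOffset();
    if (offset < 0) {
        throw ServiceException.INVALID_REQUEST("offset " + offset + " is negative", null);
    }
    // only an explicit false turns ascending sort off; absent means ascending
    boolean sortAscending = !Boolean.FALSE.equals(req.isSortAscending());
    Set<String> reqAttrs = getReqAttrs(req.getAttrs(), AttributeClass.distributionList);
    DistributionListSelector dlSel = req.getDl();
    DistributionListBy dlBy = dlSel.getBy().toKeyDistributionListBy();
    // attr-level right checker for the authed admin; stays null when no
    // target (real or pseudo) was available to check against
    AttrRightChecker arc = null;
    Group group = getGroupFromContext(context);
    if (group == null) {
        // no such group: when looked up by name, build a pseudo target in the
        // same domain so the admin's attr rights can still be evaluated
        if (DistributionListBy.name.equals(dlBy)) {
            Entry pseudoTarget = pseudoTargetInSameDomainAsEmail(TargetType.dl, dlSel.getKey());
            if (null != pseudoTarget) {
                AdminAccessControl aac = checkDistributionListRight(zsc, (DistributionList) pseudoTarget, AdminRight.PR_ALWAYS_ALLOW);
                arc = aac.getAttrRightChecker(pseudoTarget);
            }
        }
        // harvesting defence for the absent-group case: use the attr-perm based
        // checker when one could be built, otherwise the plain right check
        if (arc != null) {
            defendAgainstGroupHarvestingWhenAbsent(dlBy, dlSel.getKey(), zsc, new GroupHarvestingCheckerUsingGetAttrsPerms(zsc, arc, Arrays.asList(minimumAttrs)));
        } else {
            defendAgainstGroupHarvestingWhenAbsent(dlBy, dlSel.getKey(), zsc, Admin.R_getDistributionList);
        }
    } else if (group.isDynamic()) {
        AdminAccessControl aac = checkDynamicGroupRight(zsc, (DynamicGroup) group, AdminRight.PR_ALWAYS_ALLOW);
        arc = aac.getAttrRightChecker(group);
    } else {
        AdminAccessControl aac = checkDistributionListRight(zsc, (DistributionList) group, AdminRight.PR_ALWAYS_ALLOW);
        arc = aac.getAttrRightChecker(group);
    }
    // the harvesting defence runs before any group data is encoded
    defendAgainstGroupHarvesting(group, dlBy, dlSel.getKey(), zsc, new GroupHarvestingCheckerUsingGetAttrsPerms(zsc, arc, Arrays.asList(minimumAttrs)));
    Element response = zsc.createElement(AdminConstants.GET_DISTRIBUTION_LIST_RESPONSE);
    Element eDL = encodeDistributionList(response, group, true, false, reqAttrs, arc);
    // members are returned only if the authed admin may read the membership
    // attribute: Provisioning.A_member for dynamic groups,
    // Provisioning.A_zimbraMailForwardingAddress for static lists.
    // NOTE(review): arc can only be null here if the checks above returned for a
    // missing group; that path would NPE on group.isDynamic() — confirm the
    // harvesting helpers always throw when group is null.
    String membersAttr = group.isDynamic() ? Provisioning.A_member : Provisioning.A_zimbraMailForwardingAddress;
    boolean allowMembers = arc == null || arc.allowAttr(membersAttr);
    if (allowMembers) {
        encodeMembers(response, eDL, group, offset, limit, sortAscending);
    }
    return response;
}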

Example 20 with Group

use of com.zimbra.cs.account.Group in project zm-mailbox by Zimbra.

the class RemoveDistributionListMember method handle.

/**
 * Handles a RemoveDistributionListMember admin request: checks the caller's
 * right on the group, removes the named members and writes a security audit
 * log entry.
 *
 * @param request the request element, carrying the group id and the members to remove
 * @param context the SOAP request context
 * @return the RemoveDistributionListMemberResponse element
 * @throws ServiceException when the right check fails or the removal fails
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Provisioning provisioning = Provisioning.getInstance();
    // members named in the request body, then the group resolved from the context
    List<String> requestedMembers = getMemberList(request, context);
    Group group = getGroupFromContext(context);
    String groupId = request.getAttribute(AdminConstants.E_ID);
    // the harvesting defence runs before any change is made to the group
    defendAgainstGroupHarvesting(group, DistributionListBy.id, groupId, zsc, Admin.R_removeGroupMember, Admin.R_removeDistributionListMember);
    // account elements in the request are folded into the member list as well
    List<String> allMembers = addMembersFromAccountElements(request, requestedMembers, group);
    String[] members = allMembers.toArray(new String[0]);
    provisioning.removeGroupMembers(group, members);
    // security audit trail of the removal
    ZimbraLog.security.info(ZimbraLog.encodeAttrs(new String[] { "cmd", "RemoveDistributionListMember", "name", group.getName(), "member", Arrays.deepToString(members) }));
    return zsc.jaxbToElement(new RemoveDistributionListMemberResponse());
}
