Examples with GuestAccount com.zimbra.cs.account.GuestAccount used on opensource projects

Example 1 with GuestAccount

use of com.zimbra.cs.account.GuestAccount in project zm-mailbox by Zimbra.

the class PermissionCache method buildCacheKey.

/*
     * returns cache key for entries on the map cached on the entry
     * cache key is in the format of
     *
     * <GRANTEE-IDENTIFIER><ADMIN-FLAG><CAN-DELEDATE-NEEDED>
     *
     * GRANTEE-IDENTIFIER         := <GUEST-ACCOUNT-BY-USER-PASS>|<GUEST-ACCOUNT-BY-ACCESSKEY>|<zimra-account-id>
     *
     * GUEST-ACCOUNT-BY-USER-PASS := <user-pass-digest>G
     *
     * GUEST-ACCOUNT-BY-ACCESSKEY := <accesskey>K
     *
     * ADMIN-FLAG                 := <USER-FLAG>|<DELEGATED-ADMIN-FLAG>|<GLOABL-ADMIN-FLAG>
     *
     * USER-FLAG                  := 0
     *
     * DELEGATED-ADMIN-FLAG       := 1
     *
     * GLOABL-ADMIN-FLAG          := 2
     *
     * CAN-DELEDATE-NEEDED        := 0 | 1
     *
     * e.g.
     * (no space in between segments in the actual key)
     * d3a5c239-bac9-45ca-87b3-441a990c931b 0 0
     * cv30B19SfmLg1HYQd2CX4qZp908=G 0 0
     */
static String buildCacheKey(MailTarget grantee, Right rightNeeded, boolean canDelegateNeeded) {
    if (!rightNeeded.isCacheable())
        return null;
    //
    if (!rightNeeded.isUserRight() && Admin.R_adminLoginAs != rightNeeded)
        return null;
    String id = null;
    if (grantee instanceof GuestAccount) {
        // note: do NOT use account id as part of the cache key for GuestAccount,
        //       the account id is always 999...
        // put "G"/"K" at the end (instead of the beginning) for better key distribution for the hash
        id = ((GuestAccount) grantee).getDigest();
        if (id != null) {
            id = id + "G";
        } else {
            id = ((GuestAccount) grantee).getAccessKey();
            if (id != null) {
                id = id + "K";
            }
        }
    } else {
        id = grantee.getId();
    }
    if (id == null) {
        // for some weird reason, there is no identifier for the accessing account
        ZimbraLog.acl.debug("unable to build cache key: " + grantee.getName());
        return null;
    }
    char adminFlag;
    if (grantee instanceof Account) {
        Account granteeAcct = (Account) grantee;
        adminFlag = granteeAcct.isIsAdminAccount() ? '2' : granteeAcct.isIsDelegatedAdminAccount() ? '1' : '0';
    } else {
        adminFlag = '0';
    }
    char canDelegate = canDelegateNeeded ? '1' : '0';
    return id + adminFlag + canDelegate;
}

Example 2 with GuestAccount

use of com.zimbra.cs.account.GuestAccount in project zm-mailbox by Zimbra.

the class DomainACLAccessManager method canDo.

public boolean canDo(AuthToken grantee, Entry target, Right rightNeeded, boolean asAdmin, boolean defaultGrant) {
    try {
        Account granteeAcct;
        if (grantee == null)
            granteeAcct = GuestAccount.ANONYMOUS_ACCT;
        else if (grantee.isZimbraUser())
            granteeAcct = Provisioning.getInstance().get(Key.AccountBy.id, grantee.getAccountId());
        else
            granteeAcct = new GuestAccount(grantee);
        return canDo(granteeAcct, target, rightNeeded, asAdmin, defaultGrant);
    } catch (ServiceException e) {
        ZimbraLog.account.warn("ACL checking failed: " + "grantee=" + grantee.getAccountId() + ", target=" + target.getLabel() + ", right=" + rightNeeded.getName() + " => denied", e);
    }
    return false;
}

Example 3 with GuestAccount

use of com.zimbra.cs.account.GuestAccount in project zm-mailbox by Zimbra.

the class ZimbraSoapContext method validateDelegatedAccess.

/**
     * Validate delegation rights. Request for delegated access requires a grant on at least one object in the target
     * account or admin login rights.
     * @param targetAccount - Account which requested is targeted for
     * @param requestedKey - The key sent in request which mapped to target account.
     *                       Passed in so error only reports back what was requested (i.e. can't harvest accountId if
     *                       you only know the email or vice-versa)
     * @param requestName - The SOAP request name - may be null
     * @throws ServiceException
     */
private void validateDelegatedAccess(Account targetAccount, DocumentHandler handler, QName requestName, String requestedKey) throws ServiceException {
    if (!isDelegatedRequest()) {
        return;
    }
    if ((handler != null) && handler.handlesAccountHarvesting()) {
        return;
    }
    //if delegated one of the following MUST be true
    //1. authed account is an admin AND has admin rights for the target
    //2. authed account has been granted access (i.e. login) to the target account
    //3. target account has shared at least one item with authed account or enclosing group/cos/domain
    //4. target account has granted sendAs or sendOnBehalfOf right to authed account
    Account authAccount = null;
    boolean isAdmin = AuthToken.isAnyAdmin(mAuthToken);
    if (!GuestAccount.GUID_PUBLIC.equals(mAuthToken.getAccountId())) {
        authAccount = mAuthToken.getAccount();
        if (isAdmin && AccessManager.getInstance().canAccessAccount(mAuthToken, targetAccount, true)) {
            //case 1 - admin
            return;
        }
        if (isAdmin && (handler != null) && handler.defendsAgainstDelegateAdminAccountHarvesting()) {
            return;
        }
        if (AccessManager.getInstance().canAccessAccount(mAuthToken, targetAccount, false)) {
            //case 2 - access rights
            return;
        }
    }
    String externalEmail = null;
    if (authAccount != null && authAccount.getBooleanAttr(Provisioning.A_zimbraIsExternalVirtualAccount, false)) {
        externalEmail = authAccount.getAttr(Provisioning.A_zimbraExternalUserMailAddress, externalEmail);
    }
    Provisioning prov = Provisioning.getInstance();
    //case 3 - shared items
    boolean needRecheck = false;
    do {
        String[] sharedItems = targetAccount.getSharedItem();
        Set<String> groupIds = null;
        for (String sharedItem : sharedItems) {
            ShareInfoData shareData = AclPushSerializer.deserialize(sharedItem);
            switch(shareData.getGranteeTypeCode()) {
                case ACL.GRANTEE_USER:
                    if (authAccount != null && authAccount.getId().equals(shareData.getGranteeId())) {
                        return;
                    }
                    break;
                case ACL.GRANTEE_GUEST:
                    if (shareData.getGranteeId().equals(externalEmail)) {
                        return;
                    }
                    break;
                case ACL.GRANTEE_PUBLIC:
                    return;
                case ACL.GRANTEE_GROUP:
                    if (authAccount != null) {
                        if (groupIds == null) {
                            groupIds = new HashSet<String>();
                        }
                        groupIds.add(shareData.getGranteeId());
                    }
                    break;
                case ACL.GRANTEE_AUTHUSER:
                    if (authAccount != null) {
                        return;
                    }
                    break;
                case ACL.GRANTEE_DOMAIN:
                    if (authAccount != null && authAccount.getDomainId() != null && authAccount.getDomainId().equals(shareData.getGranteeId())) {
                        return;
                    }
                    break;
                case ACL.GRANTEE_COS:
                    if (authAccount != null && authAccount.getCOSId() != null && authAccount.getCOSId().equals(shareData.getGranteeId())) {
                        return;
                    }
                    break;
                case ACL.GRANTEE_KEY:
                    if (authAccount instanceof GuestAccount && mAuthToken.getAccessKey() != null) {
                        return;
                    }
                    break;
            }
        }
        if (groupIds != null) {
            for (String groupId : groupIds) {
                if (prov.inACLGroup(authAccount, groupId)) {
                    return;
                }
            }
        }
        if (needRecheck) {
            break;
        } else if (!Provisioning.onLocalServer(targetAccount)) {
            //if target on different server we might not have up-to-date shared item list
            //reload and check one more time to be sure
            prov.reload(targetAccount);
            needRecheck = true;
        }
    } while (needRecheck);
    //case 4 - sendAs/sendOnBehalfOf
    AccessManager accessMgr = AccessManager.getInstance();
    if (accessMgr.canDo(authAccount, targetAccount, Rights.User.R_sendAs, isAdmin) || accessMgr.canDo(authAccount, targetAccount, Rights.User.R_sendOnBehalfOf, isAdmin)) {
        return;
    }
    throw ServiceException.DEFEND_ACCOUNT_HARVEST(requestedKey);
}

Example 4 with GuestAccount

use of com.zimbra.cs.account.GuestAccount in project zm-mailbox by Zimbra.

the class AuthUtil method basicAuthRequest.

public static Account basicAuthRequest(HttpServletRequest req, boolean allowGuest, boolean isDav) throws IOException, ServiceException, UserServletException {
    String auth = req.getHeader(HTTP_AUTH_HEADER);
    // TODO: more liberal parsing of Authorization value...
    if (auth == null || !auth.startsWith("Basic ")) {
        throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, "must authenticate");
    }
    // 6 comes from "Basic ".length();
    String userPass = new String(Base64.decodeBase64(auth.substring(6).getBytes()), "UTF-8");
    int loc = userPass.indexOf(":");
    if (loc == -1) {
        throw new UserServletException(HttpServletResponse.SC_BAD_REQUEST, "invalid basic auth credentials");
    }
    String userPassedIn = userPass.substring(0, loc);
    String user = userPassedIn;
    String pass = userPass.substring(loc + 1);
    Provisioning prov = Provisioning.getInstance();
    if (user.indexOf('@') == -1) {
        String host = HttpUtil.getVirtualHost(req);
        if (host != null) {
            Domain d = prov.get(Key.DomainBy.virtualHostname, host.toLowerCase());
            if (d != null)
                user += "@" + d.getName();
        }
    }
    Account acct = prov.get(AccountBy.name, user);
    if (acct == null) {
        if (allowGuest) {
            return new GuestAccount(user, pass);
        }
        throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, "invalid username/password");
    }
    try {
        Map<String, Object> authCtxt = new HashMap<String, Object>();
        authCtxt.put(AuthContext.AC_ORIGINATING_CLIENT_IP, ZimbraServlet.getOrigIp(req));
        authCtxt.put(AuthContext.AC_REMOTE_IP, ZimbraServlet.getClientIp(req));
        authCtxt.put(AuthContext.AC_ACCOUNT_NAME_PASSEDIN, userPassedIn);
        authCtxt.put(AuthContext.AC_USER_AGENT, req.getHeader("User-Agent"));
        Protocol proto = isDav ? Protocol.http_dav : Protocol.http_basic;
        prov.authAccount(acct, pass, proto, authCtxt);
    } catch (ServiceException se) {
        throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, "invalid username/password");
    }
    return acct;
}

Example 5 with GuestAccount

use of com.zimbra.cs.account.GuestAccount in project zm-mailbox by Zimbra.

the class DocumentHandler method getAuthenticatedAccount.

/** Returns the {@link Account} corresponding to the authenticated user.
     *  The authenticated user is determined from the serialized
     *  {@link com.zimbra.cs.account.AuthToken} in the SOAP request's
     *  <pre>&lt;context></pre> header element. */
public static Account getAuthenticatedAccount(ZimbraSoapContext zsc) throws ServiceException {
    String id = zsc.getAuthtokenAccountId();
    AuthToken at = zsc.getAuthToken();
    if (GuestAccount.GUID_PUBLIC.equals(id) || (at != null && !at.isZimbraUser())) {
        return new GuestAccount(at);
    }
    Account acct = Provisioning.getInstance().get(AccountBy.id, id, zsc.getAuthToken());
    if (acct == null && !(at != null && at.isZMGAppBootstrap())) {
        throw ServiceException.AUTH_REQUIRED();
    }
    return acct;
}