use of com.zimbra.cs.account.Provisioning in project zm-mailbox by Zimbra.
the class CollectAllEffectiveRights method groupTest.
/**
 * Ad-hoc console check: looks up the distribution list "group1@phoebe.mac" and prints the
 * members reported by {@code allGroupMembers}, one section per target type.
 *
 * NOTE(review): the list name is a hard-coded developer fixture. The lookup result is handed to
 * allGroupMembers without a null check; what happens for a missing list depends on that helper.
 *
 * @throws ServiceException if the lookup or the member collection fails
 */
private static void groupTest() throws ServiceException {
    DistributionList list = Provisioning.getInstance().get(DistributionListBy.name, "group1@phoebe.mac");
    AllGroupMembers members = allGroupMembers(list);

    System.out.println("\naccounts");
    for (String name : members.getMembers(TargetType.account)) {
        System.out.println(" " + name);
    }

    System.out.println("\ncalendar resources");
    for (String name : members.getMembers(TargetType.calresource)) {
        System.out.println(" " + name);
    }

    System.out.println("\ngroups");
    for (String name : members.getMembers(TargetType.dl)) {
        System.out.println(" " + name);
    }
}
use of com.zimbra.cs.account.Provisioning in project zm-mailbox by Zimbra.
the class ParticallyDenied method checkPartiallyDenied.
/**
 * Checks whether {@code rightToGrant} is (partially) denied to the grantor, or to a group the
 * grantor belongs to, on sub-targets of {@code targetToGrant}.
 *
 * <p>The method returns normally when the grant may proceed. Per the original in-code comment,
 * a denial surfaces as PERM_DENIED thrown from one of the {@code checkDenied} calls, so a
 * caller must not catch and ignore the ServiceException.
 *
 * <p>A grantor for whom {@code AccessControlUtil.isGlobalAdmin(grantor, true)} holds skips the
 * whole check.
 *
 * @param grantor the "grantor" of the granting attempt
 * @param targetTypeToGrant the target type of the granting attempt
 * @param targetToGrant the target of the granting attempt
 * @param rightToGrant the right of the granting attempt
 * @throws ServiceException if a lookup fails or the grant is refused
 */
static void checkPartiallyDenied(Account grantor, TargetType targetTypeToGrant, Entry targetToGrant, Right rightToGrant) throws ServiceException {
    if (AccessControlUtil.isGlobalAdmin(grantor, true)) {
        return;
    }

    Provisioning prov = Provisioning.getInstance();

    // Only target types that are BOTH a sub-target type of the grant target AND a type on which
    // some sub-right of rightToGrant can be granted need to be searched.
    Set<TargetType> subTypes = targetTypeToGrant.subTargetTypes();
    Set<TargetType> grantableTypes = new HashSet<TargetType>();
    getAllGrantableTargetTypes(rightToGrant, grantableTypes);
    Set<TargetType> typesToSearch = SetUtil.intersect(subTypes, grantableTypes);
    if (typesToSearch.isEmpty()) {
        // nothing to search, so nothing can be denied on a sub-target
        return;
    }

    // zimbraIds of the grantees to search for (the grantor plus its groups, going by the
    // accessor name; confirm against Grantee)
    Set<String> granteeIds = Grantee.getGrantee(grantor).getIdAndGroupIds();
    Set<GrantsOnTarget> existingGrants =
            new SearchGrants(prov, typesToSearch, granteeIds).doSearch().getResults();

    // First pass: grants made directly to the grantor.
    checkDenied(prov, targetToGrant, rightToGrant, existingGrants, grantor.getId(), null);
    // Second pass: grants made to any group of the grantor.
    checkDenied(prov, targetToGrant, rightToGrant, existingGrants, null, granteeIds);

    // Reaching this point means neither pass threw: rightToGrant may be granted on targetToGrant.
}
use of com.zimbra.cs.account.Provisioning in project zm-mailbox by Zimbra.
the class CollectAllEffectiveRights method setupShapeTest2.
/**
 * Creates the fixture for shapeTest2: domain "test.com", four distribution lists and four
 * accounts, nested as groupA -> {A, groupB}, groupB -> {B, groupC}, groupC -> {C, groupD},
 * groupD -> {D}.
 *
 * NOTE(review): every fixture account gets the same literal password and is created through
 * whatever backend Provisioning.getInstance() is bound to. Run this only against a throwaway
 * directory and delete the accounts afterwards.
 *
 * @throws ServiceException if any create or addMembers call fails
 */
private static void setupShapeTest2() throws ServiceException {
    Provisioning prov = Provisioning.getInstance();

    String domainName = "test.com";
    // the created Domain object itself is not needed afterwards
    prov.createDomain(domainName, new HashMap<String, Object>());

    DistributionList listA = prov.createDistributionList("groupA@" + domainName, new HashMap<String, Object>());
    DistributionList listB = prov.createDistributionList("groupB@" + domainName, new HashMap<String, Object>());
    DistributionList listC = prov.createDistributionList("groupC@" + domainName, new HashMap<String, Object>());
    DistributionList listD = prov.createDistributionList("groupD@" + domainName, new HashMap<String, Object>());

    String pw = "test123";
    Account acctA = prov.createAccount("A@" + domainName, pw, null);
    Account acctB = prov.createAccount("B@" + domainName, pw, null);
    Account acctC = prov.createAccount("C@" + domainName, pw, null);
    Account acctD = prov.createAccount("D@" + domainName, pw, null);

    // each list holds one account plus the next list in the chain; groupD ends the chain
    listA.addMembers(new String[] { acctA.getName(), listB.getName() });
    listB.addMembers(new String[] { acctB.getName(), listC.getName() });
    listC.addMembers(new String[] { acctC.getName(), listD.getName() });
    listD.addMembers(new String[] { acctD.getName() });
}
use of com.zimbra.cs.account.Provisioning in project zm-mailbox by Zimbra.
the class CollectAllEffectiveRights method shapeTest2.
/**
 * Builds the setupShapeTest2 fixture, computes GroupShapes for the four fixture lists and
 * prints the account shapes to the console.
 *
 * Shapes for calendar resources and distribution lists are computed as well, but only the
 * account shapes are printed.
 *
 * @throws ServiceException if fixture creation or any lookup fails
 */
private static void shapeTest2() throws ServiceException {
    setupShapeTest2();
    Provisioning prov = Provisioning.getInstance();

    String domainName = "test.com";
    Set<DistributionList> groupsWithGrants = new HashSet<DistributionList>();
    for (String localPart : new String[] { "groupA@", "groupB@", "groupC@", "groupD@" }) {
        groupsWithGrants.add(prov.get(DistributionListBy.name, localPart + domainName));
    }

    Set<GroupShape> accountShapes = new HashSet<GroupShape>();
    Set<GroupShape> calendarResourceShapes = new HashSet<GroupShape>();
    Set<GroupShape> distributionListShapes = new HashSet<GroupShape>();

    for (DistributionList grantGroup : groupsWithGrants) {
        // Original author's note: the object held here is an AclGroup, which carries only
        // upward membership; fetch the DistributionList again by id to get downward membership.
        DistributionList fullList = prov.get(DistributionListBy.id, grantGroup.getId());
        AllGroupMembers members = allGroupMembers(fullList);
        GroupShape.shapeMembers(TargetType.account, accountShapes, members);
        GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, members);
        GroupShape.shapeMembers(TargetType.dl, distributionListShapes, members);
    }

    // numbered dump: the groups of each shape first, then its members
    int shapeNo = 0;
    for (GroupShape shape : accountShapes) {
        shapeNo++;
        System.out.println("\n" + shapeNo);
        for (String groupName : shape.getGroups()) {
            System.out.println("group " + groupName);
        }
        for (String memberName : shape.getMembers()) {
            System.out.println(" " + memberName);
        }
    }
}
use of com.zimbra.cs.account.Provisioning in project zm-mailbox by Zimbra.
the class ChildAccount method preModify.
/**
 * Pre-modify callback that keeps zimbraPrefChildVisibleAccount consistent with
 * zimbraChildAccount and rejects a direct parent/child cycle.
 *
 * <p>Outcome, in order:
 * <ul>
 * <li>returns at once if this callback already ran for the current modify context;</li>
 * <li>returns without further validation if the resulting child set does not contain
 *     {@code value};</li>
 * <li>when all children are being deleted, clears the visible-children attribute;</li>
 * <li>otherwise every visible child must also be a child: stale visible ids are queued for
 *     removal only when children are being removed and the visible list is not itself
 *     modified, else INVALID_REQUEST is thrown;</li>
 * <li>for an Account entry, throws if any resulting child lists the parent among its own
 *     children.</li>
 * </ul>
 *
 * @throws ServiceException INVALID_REQUEST or NO_SUCH_ACCOUNT as described above
 */
@Override
public void preModify(CallbackContext context, String attrName, Object value, Map attrsToModify, Entry entry) throws ServiceException {
    // This callback is registered for both zimbraPrefChildVisibleAccount and
    // zimbraChildAccount and handles both in one pass; a second invocation is a no-op.
    if (context.isDoneAndSetIfNot(ChildAccount.class)) {
        return;
    }

    // attrName arrives with its +/- prefix stripped; the modifier is recovered from attrsToModify
    MultiValueMod visibleMod = multiValueMod(attrsToModify, Provisioning.A_zimbraPrefChildVisibleAccount);
    MultiValueMod childrenMod = multiValueMod(attrsToModify, Provisioning.A_zimbraChildAccount);
    Set<String> visibleAfter = newValuesToBe(visibleMod, entry, Provisioning.A_zimbraPrefChildVisibleAccount);
    Set<String> childrenAfter = newValuesToBe(childrenMod, entry, Provisioning.A_zimbraChildAccount);

    // If the child account has already been deleted, let it go.
    // NOTE(review): value is an Object tested against a Set<String>; anything that is not a
    // String equal to a member takes this early return and skips the checks below. Confirm
    // what callers pass here.
    if (childrenAfter != null && !childrenAfter.contains(value)) {
        return;
    }

    // NOTE(review): childrenAfter is null-checked above but dereferenced unguarded below, and
    // visibleAfter is never null-checked. Confirm newValuesToBe cannot return null.
    boolean deletingChildren = childrenMod != null && childrenMod.deleting();
    if (deletingChildren) {
        attrsToModify.put(Provisioning.A_zimbraPrefChildVisibleAccount, "");
    } else {
        Set<String> staleVisibleIds = new HashSet<String>();
        for (String visibleId : visibleAfter) {
            if (allowedChild(childrenAfter, visibleId)) {
                continue;
            }
            // A visible child that is no longer a child is dropped silently only when the
            // request removes children without touching the visible list. Any other
            // combination would leave a visible child that is not a child, so it is rejected.
            if (childrenMod != null && childrenMod.removing() && visibleMod == null) {
                staleVisibleIds.add(visibleId);
            } else {
                throw ServiceException.INVALID_REQUEST("visible child id " + visibleId + " is not one of " + Provisioning.A_zimbraChildAccount, null);
            }
        }
        if (!staleVisibleIds.isEmpty()) {
            attrsToModify.put("-" + Provisioning.A_zimbraPrefChildVisibleAccount, staleVisibleIds.toArray(new String[staleVisibleIds.size()]));
        }
    }

    // Circular-relationship check. Only a direct cycle is detected: each resulting child's own
    // child list is compared with the parent id, deeper descendants are not walked.
    if (entry instanceof Account) {
        Provisioning prov = Provisioning.getInstance();
        Account parentAcct = (Account) entry;
        String parentId = parentAcct.getId();
        for (String childId : childrenAfter) {
            Account childAcct = prov.get(AccountBy.id, childId);
            if (childAcct == null) {
                throw AccountServiceException.NO_SUCH_ACCOUNT(childId);
            }
            for (String grandchildId : childAcct.getChildAccount()) {
                if (grandchildId.equals(parentId)) {
                    throw ServiceException.INVALID_REQUEST("child account " + childId + "(" + childAcct.getName() + ")" + " is parent of the parent account " + parentId + "(" + parentAcct.getName() + ")", null);
                }
            }
        }
    }
}

/** Returns whether {@code id} is in the resulting child set. */
private static boolean allowedChild(Set<String> children, String id) {
    return children.contains(id);
}