
Example 1 with ComboRight

use of com.zimbra.cs.account.accesscontrol.ComboRight in project zm-mailbox by Zimbra.

the class ProvUtil method dumpComboRight.

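/**
 * Prints the rights that make up {@code comboRight} to {@code console}, one per line,
 * recursing into nested combo rights when {@code expandComboRight} is set.
 *
 * <p>{@code seen} holds the names of the combo rights on the current recursion path. A
 * right whose name is already on that path is reported as circular and not expanded, so a
 * cycle in the combo-right definitions is reported at the point it closes and the walk
 * stays bounded.
 *
 * @param comboRight       the combo right to dump
 * @param expandComboRight whether nested combo rights are expanded recursively
 * @param indent           indentation prefix of the caller; member lines use twice this
 * @param seen             names of the combo rights on the current path; mutated during
 *                         the walk and restored to its incoming contents on return
 */
private void dumpComboRight(ComboRight comboRight, boolean expandComboRight, String indent, Set<String> seen) {
    String name = comboRight.getName();
    // detect circular combo rights: this right is already an ancestor on the current path
    if (seen.contains(name)) {
        console.println("Circular combo right: " + name + " !!");
        return;
    }
    // Mark this right once for the whole walk and unmark it afterwards, so that `seen`
    // tracks exactly the ancestor path. Previously the name was added on every loop
    // iteration and the set cleared after each member, which dropped the ancestors and
    // let a cycle be detected late (or the same nested rights be dumped more than once).
    seen.add(name);
    String indent2 = indent + indent;
    for (Right r : comboRight.getRights()) {
        String tt = r.getTargetTypeStr();
        tt = tt == null ? "" : " (" + tt + ")";
        console.format("%s %s: %s %s\n", indent2, r.getRightType().name(), r.getName(), tt);
        if (expandComboRight && r.isComboRight()) {
            dumpComboRight((ComboRight) r, expandComboRight, indent2, seen);
        }
    }
    seen.remove(name);
}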

Example 2 with ComboRight

use of com.zimbra.cs.account.accesscontrol.ComboRight in project zm-mailbox by Zimbra.

the class ProvUtil method dumpRight.

/**
 * Prints a human-readable description of {@code right} to {@code console}: a separator,
 * the name, description, right type, target type(s), grant target type and right class;
 * then the attributes of an attribute right or the member rights of a combo right; and
 * finally the right's help text when one is defined.
 *
 * @param right            the right to describe
 * @param expandComboRight whether nested combo rights are expanded recursively
 */
private void dumpRight(Right right, boolean expandComboRight) {
    final String oneTab = "    ";
    final String twoTabs = oneTab + oneTab;

    console.println();
    console.println("------------------------------");
    console.println(right.getName());
    console.println(oneTab + "      description: " + right.getDesc());
    console.println(oneTab + "       right type: " + right.getRightType().name());

    // missing target type prints as empty, missing grant target type as "(default)"
    String targetTypeStr = right.getTargetTypeStr();
    if (targetTypeStr == null) {
        targetTypeStr = "";
    }
    console.println(oneTab + "   target type(s): " + targetTypeStr);
    String grantTargetTypeStr = right.getGrantTargetTypeStr();
    if (grantTargetTypeStr == null) {
        grantTargetTypeStr = "(default)";
    }
    console.println(oneTab + "grant target type: " + grantTargetTypeStr);
    console.println(oneTab + "      right class: " + right.getRightClass().name());

    if (right.isAttrRight()) {
        dumpAttrRightAttrs((AttrRight) right, oneTab, twoTabs);
    } else if (right.isComboRight()) {
        console.println();
        console.println(oneTab + "rights:");
        dumpComboRight((ComboRight) right, expandComboRight, oneTab, new HashSet<String>());
    }

    console.println();
    dumpRightHelpText(right.getHelp());
    console.println();
}

/**
 * Prints the "attributes:" section of an attribute right: either the marker for all
 * attributes or one attribute name per line.
 *
 * @param attrRight the attribute right
 * @param oneTab    indent of the section header
 * @param twoTabs   indent of the attribute lines
 */
private void dumpAttrRightAttrs(AttrRight attrRight, String oneTab, String twoTabs) {
    console.println();
    console.println(oneTab + "attributes:");
    if (attrRight.allAttrs()) {
        console.println(twoTabs + "all attributes");
        return;
    }
    for (String attrName : attrRight.getAttrs()) {
        console.println(twoTabs + attrName);
    }
}

/**
 * Prints the help description and its items as a dashed list, each item followed by a
 * blank line. Prints nothing when {@code help} is null.
 *
 * @param help the help block of a right, or null when the right has none
 */
private void dumpRightHelpText(Help help) {
    if (help == null) {
        return;
    }
    console.println(help.getDesc());
    for (String helpItem : help.getItems()) {
        console.println("- " + helpItem.trim());
        console.println();
    }
}

Example 3 with ComboRight

use of com.zimbra.cs.account.accesscontrol.ComboRight in project zm-mailbox by Zimbra.

the class TestACLAll method execTest.

/**
 * Runs one grant-and-verify scenario: provisions a grantee of {@code testGranteeType},
 * creates a target entry of {@code grantedOnTargetType}, grants {@code right} on it as the
 * global admin, asserts that the grant was accepted or rejected as expected, and then hands
 * the accounts expected to be allowed and denied to {@code setupTargetAndVerify} (defined
 * elsewhere in the class) for the access checks.
 *
 * @param note                free-text label printed with the scenario
 * @param grantedOnTargetType type of the entry the right is granted on
 * @param testGranteeType     grantee kind under test; either wraps a {@code GranteeType}
 *                            or denotes a dynamic group (see the {@code else} branch)
 * @param right               the right to grant; a combo right is verified per member right
 * @throws Exception          on any provisioning or verification failure
 */
private void execTest(String note, TargetType grantedOnTargetType, TestGranteeType testGranteeType, Right right) throws Exception {
    System.out.println("testing (" + note + "): " + "grant target=" + grantedOnTargetType.getCode() + ", grantee type=" + testGranteeType.getCode() + ", right=" + right.getName());
    // 
    // 1. some basic preparation
    // create a domain
    // 
    Domain domain = createDomain();
    // user rights are granted to user-type grantees, admin rights to delegated-admin grantees
    boolean isUserRight = right.isUserRight();
    // 
    // 2. setup grantee
    // 
    // allowedAccts: accounts expected to pass the access check; deniedAccts: expected to fail
    List<Account> allowedAccts = new ArrayList<Account>();
    List<Account> deniedAccts = new ArrayList<Account>();
    NamedEntry grantee = null;
    String granteeName = null;
    // secret is only set for guest (password) and key (access key) grantees
    String secret = null;
    // a TestGranteeType either wraps a real GranteeType or stands for the dynamic-group case
    Object gt = testGranteeType.getGranteeType();
    GranteeType granteeType = null;
    if (gt instanceof GranteeType) {
        granteeType = (GranteeType) gt;
        switch(granteeType) {
            case GT_USER:
                if (isUserRight) {
                    grantee = createUserAccount(domain);
                    allowedAccts.add((Account) grantee);
                    deniedAccts.add(createUserAccount(domain));
                } else {
                    grantee = createDelegatedAdminAccount(domain);
                    allowedAccts.add((Account) grantee);
                    deniedAccts.add(createDelegatedAdminAccount(domain));
                }
                granteeName = grantee.getName();
                break;
            case GT_GROUP:
                if (isUserRight) {
                    grantee = createUserDistributionList(domain);
                    Account allowedAcct = createUserAccount(domain);
                    allowedAccts.add(allowedAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
                    // external members are also honored if the right is a user right
                    Account guestAcct = createGuestAccount("guest@guest.com", "test123");
                    allowedAccts.add(guestAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { guestAcct.getName() });
                    deniedAccts.add(createUserAccount(domain));
                } else {
                    grantee = createAdminDistributionList(domain);
                    Account allowedAcct = createDelegatedAdminAccount(domain);
                    allowedAccts.add(allowedAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
                    deniedAccts.add(createDelegatedAdminAccount(domain));
                }
                granteeName = grantee.getName();
                break;
            case GT_EXT_GROUP:
                // create a domain and use it for the external group
                Domain extDomain = createDomain();
                String extDomainDN = ((LdapDomain) extDomain).getDN();
                String acctLocalpart = "acct-ext";
                // 
                // Configure the domain for external AD auth
                // 
                Map<String, Object> domainAttrs = Maps.newHashMap();
                if (isUserRight) {
                    domain.setAuthMech(AuthMech.ad.name(), domainAttrs);
                } else {
                    domain.setAuthMechAdmin(AuthMech.ad.name(), domainAttrs);
                }
                /*  ==== mock test ====
                    // setup auth
                    domain.addAuthLdapURL("ldap://localhost:389", domainAttrs);
                    domain.setAuthLdapBindDn("uid=%u,ou=people," + extDomainDN, domainAttrs);
                    // setup external group search parameters
                    domain.setAuthLdapSearchBindDn(LC.zimbra_ldap_userdn.value(), domainAttrs);
                    domain.setAuthLdapSearchBindPassword(LC.zimbra_ldap_password.value(), domainAttrs);
                    domain.setExternalGroupLdapSearchBase(extDomainDN, domainAttrs);
                    domain.setExternalGroupLdapSearchFilter("(&(objectClass=zimbraGroup)(cn=%u))", domainAttrs);
                    domain.setExternalGroupHandlerClass("com.zimbra.qa.unittest.UnittestGroupHandler", domainAttrs);
                    mProv.modifyAttrs(domain, domainAttrs);

                    // create a group in the external directory and add a member
                    Group extGroup = createUserDynamicGroup(extDomain);  // doesn't matter if the group is user or admin
                    String extGroupName = extGroup.getName();
                    Account extAcct = createUserAccount(acctLocalpart, extDomain);
                    mProv.addGroupMembers(extGroup, new String[]{extAcct.getName()});

                    // create the admin account in Zimbra directory and map it to the external account
                    Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
                    allowedAccts.add(zimbraAcct);
                    */
                // NOTE(review): the LDAP URL, search bind DN and bind password below are "***"
                // placeholders (the real values appear to have been redacted from the checked-in
                // test), so this case cannot run against a live AD as written. It also adds no
                // deniedAccts, so only the positive side of the check is exercised here.
                domain.addAuthLdapURL("***", domainAttrs);
                domain.setAuthLdapSearchBindDn("***", domainAttrs);
                domain.setAuthLdapSearchBindPassword("***", domainAttrs);
                domain.setExternalGroupLdapSearchBase("OU=Engineering,DC=vmware,DC=com", domainAttrs);
                domain.setExternalGroupLdapSearchFilter("(&(objectClass=group)(mail=%n))", domainAttrs);
                domain.setExternalGroupHandlerClass("com.zimbra.cs.account.grouphandler.ADGroupHandler", domainAttrs);
                prov.modifyAttrs(domain, domainAttrs);
                // "ESPPEnrollment-USA@vmware.com";
                String extGroupName = "ENG_pao_users_home4@vmware.com";
                // create the admin account in Zimbra directory and map it to the external account
                Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
                zimbraAcct.setAuthLdapExternalDn("CN=Phoebe Shao,OU=PAO_Users,OU=PaloAlto_California_USA,OU=NALA,OU=SITES,OU=Engineering,DC=vmware,DC=com");
                allowedAccts.add(zimbraAcct);
                // =======================
                // an external group grantee is named "<zimbra domain>:<external group name>"
                granteeName = domain.getName() + ":" + extGroupName;
                break;
            case GT_AUTHUSER:
                // no named grantee: the grant applies to any authenticated user, so for a user
                // right a guest is the denied account; an admin right has no allowed account
                if (isUserRight) {
                    allowedAccts.add(createUserAccount("allowed-user-acct", domain));
                    deniedAccts.add(createGuestAccount("not-my-guest@external.com", "test123"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                }
                break;
            case GT_DOMAIN:
                // the grantee is a whole (separately created) domain; an account in another
                // domain is the denied account
                grantee = createDomain();
                if (isUserRight) {
                    allowedAccts.add(createUserAccount("allowed-user-acct", (Domain) grantee));
                    Domain notGrantee = createDomain();
                    deniedAccts.add(createUserAccount("denied-user-acct", notGrantee));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", (Domain) grantee));
                // TODO: TEST R_crossDomainAdmin
                }
                granteeName = grantee.getName();
                break;
            case GT_GUEST:
                // an email address
                granteeName = "be-my-guest@guest.com";
                // password
                secret = "test123";
                if (isUserRight) {
                    allowedAccts.add(createGuestAccount(granteeName, secret));
                    // same guest with a wrong password must be denied
                    deniedAccts.add(createGuestAccount("not-my-guest@external.com", "bad"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                    deniedAccts.add(createGuestAccount(granteeName, secret));
                }
                break;
            case GT_KEY:
                // a display name
                granteeName = "be-my-guest";
                // access key
                secret = "test123";
                if (isUserRight) {
                    allowedAccts.add(createKeyAccount(granteeName, secret));
                    deniedAccts.add(createKeyAccount("not-my-guest", "bad"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                    deniedAccts.add(createKeyAccount(granteeName, secret));
                }
                break;
            case GT_PUBLIC:
                // anonymous access: allowed only for user rights
                if (isUserRight) {
                    allowedAccts.add(anonAccount());
                } else {
                    deniedAccts.add(anonAccount());
                }
                break;
            default:
                // an unhandled GranteeType is a test-coverage bug, not a pass
                fail();
        }
    } else {
        // dynamic group
        // dynamic groups are granted to as GT_GROUP but are populated via addGroupMembers
        assertEquals(TestGranteeType.GRANTEE_DYNAMIC_GROUP, testGranteeType);
        granteeType = GranteeType.GT_GROUP;
        if (isUserRight) {
            grantee = createUserDynamicGroup(domain);
            Account allowedAcct = createUserAccount(domain);
            allowedAccts.add(allowedAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
            // external members are also honored if the right is a user right
            Account guestAcct = createGuestAccount("guest@guest.com", "test123");
            allowedAccts.add(guestAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { guestAcct.getName() });
            deniedAccts.add(createUserAccount(domain));
        } else {
            grantee = createAdminDynamicGroup(domain);
            Account allowedAcct = createDelegatedAdminAccount(domain);
            allowedAccts.add(allowedAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
            deniedAccts.add(createDelegatedAdminAccount(domain));
        }
        granteeName = grantee.getName();
    }
    // 
    // 3. setup expectations for the granting action
    // 
    // expectInvalidRequest: whether grantRight below is expected to be rejected with
    // INVALID_REQUEST. A user right is rejected only when it is not grantable on the target
    // type; an admin right is additionally rejected for grantee types that do not accept
    // admin rights, and for a domain grantee unless the right is R_crossDomainAdmin.
    boolean expectInvalidRequest = false;
    if (isUserRight) {
        expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
    } else {
        // is admin right
        if (!granteeType.allowedForAdminRights()) {
            expectInvalidRequest = true;
        }
        if (!expectInvalidRequest) {
            if (granteeType == GranteeType.GT_DOMAIN && right != Admin.R_crossDomainAdmin) {
                expectInvalidRequest = true;
            }
        }
        if (!expectInvalidRequest) {
            expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
        }
    }
    // 
    // 4. setup target on which the right is to be granted
    // 
    // targetName stays null for config and global, which are looked up without a name
    Entry grantedOnTarget = null;
    String targetName = null;
    switch(grantedOnTargetType) {
        case account:
            grantedOnTarget = createUserAccount("target-acct", domain);
            targetName = ((Account) grantedOnTarget).getName();
            break;
        case calresource:
            grantedOnTarget = createCalendarResource("target-cr", domain);
            targetName = ((CalendarResource) grantedOnTarget).getName();
            break;
        case cos:
            grantedOnTarget = createCos();
            targetName = ((Cos) grantedOnTarget).getName();
            break;
        case dl:
            grantedOnTarget = createUserDistributionList("target-distributionlist", domain);
            targetName = ((DistributionList) grantedOnTarget).getName();
            break;
        case group:
            grantedOnTarget = createUserDynamicGroup("target-dynamicgroup", domain);
            targetName = ((DynamicGroup) grantedOnTarget).getName();
            break;
        case domain:
            grantedOnTarget = domain;
            targetName = domain.getName();
            break;
        case server:
            grantedOnTarget = createServer();
            targetName = ((Server) grantedOnTarget).getName();
            break;
        case alwaysoncluster:
            grantedOnTarget = createAlwaysOnCluster();
            targetName = ((AlwaysOnCluster) grantedOnTarget).getName();
            break;
        case ucservice:
            grantedOnTarget = createUCService();
            targetName = ((UCService) grantedOnTarget).getName();
            break;
        case xmppcomponent:
            // skip for now
            // NOTE(review): returning here makes every xmppcomponent scenario pass silently;
            // nothing is granted or verified for that target type.
            return;
        case zimlet:
            grantedOnTarget = createZimlet();
            targetName = ((Zimlet) grantedOnTarget).getName();
            break;
        case config:
            grantedOnTarget = getConfig();
            break;
        case global:
            grantedOnTarget = getGlobalGrant();
            break;
        default:
            fail();
    }
    // 
    // grant right on the target
    // 
    // gotInvalidRequestException records an INVALID_REQUEST rejection; any other
    // ServiceException fails the test outright
    boolean gotInvalidRequestException = false;
    try {
        // TODO: in a different test, test granting by a different authed account:
        // global admin, delegated admin, user
        // 
        Account grantingAccount = globalAdmin;
        RightCommand.grantRight(prov, grantingAccount, grantedOnTargetType.getCode(), TargetBy.name, targetName, granteeType.getCode(), GranteeBy.name, granteeName, secret, right.getName(), null);
    } catch (ServiceException e) {
        if (ServiceException.INVALID_REQUEST.equals(e.getCode())) {
            gotInvalidRequestException = true;
        } else {
            // NOTE(review): fail() without a message drops the exception detail from the
            // assertion failure; only the printed stack trace carries it.
            e.printStackTrace();
            fail();
        }
    }
    // 
    // 5. verify the grant
    // 
    // the grant must have been accepted or rejected exactly as predicted in step 3
    assertEquals(expectInvalidRequest, gotInvalidRequestException);
    // Re-fetch a group target by id so the verification below uses a freshly loaded entry
    // rather than the object returned from the create call.
    // after group creation using the target object returned from the create call.
    if (grantedOnTarget instanceof Group) {
        grantedOnTarget = prov.getGroupBasic(Key.DistributionListBy.id, ((Group) grantedOnTarget).getId());
    }
    // 
    // A combo right is verified once per constituent right (getAllRights); the boolean
    // after the right presumably tells setupTargetAndVerify that the right came from a
    // combo right -- confirm against its definition. The last argument is whether the
    // grant actually took effect.
    if (right.isComboRight()) {
        for (Right rt : ((ComboRight) right).getAllRights()) {
            setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, rt, true, allowedAccts, deniedAccts, !gotInvalidRequestException);
        }
    } else {
        setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, right, false, allowedAccts, deniedAccts, !gotInvalidRequestException);
    }
}
