
Example 1 with GranteeType

Use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.

From class ProvUtil, method getRightArgsGrantee.

/**
 * Consumes the grantee portion of a right command's argument list and stores it in {@code ra}.
 *
 * <p>Arguments are read from {@code ra.mArgs} starting at {@code ra.mCurPos}, which is advanced
 * past every consumed argument. When {@code needGranteeType} is set, the first argument is the
 * grantee type code; for the {@code GT_AUTHUSER} and {@code GT_PUBLIC} types no further
 * arguments are consumed. Otherwise the next argument is the grantee id or name and, when
 * {@code needSecret} is set and the parsed type allows a secret, one more argument is the secret.
 *
 * @param ra              argument cursor and parsed-value holder, updated in place
 * @param needGranteeType whether a grantee type code precedes the grantee id/name
 * @param needSecret      whether a secret may follow the grantee id/name
 * @throws ArgException     if the argument list runs out before a required argument
 * @throws ServiceException propagated from the grantee type code lookup
 */
private void getRightArgsGrantee(RightArgs ra, boolean needGranteeType, boolean needSecret) throws ServiceException, ArgException {
    requireRemainingArg(ra);
    GranteeType granteeType = null;
    if (!needGranteeType) {
        ra.mGranteeType = null;
    } else {
        ra.mGranteeType = ra.mArgs[ra.mCurPos++];
        granteeType = GranteeType.fromCode(ra.mGranteeType);
        // Well-known pseudo grantees carry neither an id/name nor a secret.
        if (granteeType == GranteeType.GT_AUTHUSER || granteeType == GranteeType.GT_PUBLIC) {
            return;
        }
    }
    requireRemainingArg(ra);
    ra.mGranteeIdOrName = ra.mArgs[ra.mCurPos++];
    // allowSecret() is only consulted when a type was parsed and a secret was asked for.
    boolean secretExpected = needSecret && granteeType != null && granteeType.allowSecret();
    if (secretExpected) {
        requireRemainingArg(ra);
        ra.mSecret = ra.mArgs[ra.mCurPos++];
    }
}

/** Fails with the standard "not enough arguments" error when the cursor is past the last argument. */
private static void requireRemainingArg(RightArgs ra) throws ArgException {
    if (ra.mCurPos >= ra.mArgs.length) {
        throw new ArgException("not enough arguments");
    }
}

Example 2 with GranteeType

Use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.

From class GrantRights, method handleACE.

/**
 * Builds a {@link ZimbraACE} from one {@code ace} element of a grant/revoke request.
 *
 * <p>Interface and parameter checking style was modeled after FolderAction, not the admin
 * Grant/RevokeRight handlers. The grantee is resolved according to its type:
 * <ul>
 *   <li>{@code GT_AUTHUSER} / {@code GT_PUBLIC}: the fixed ids {@code GuestAccount.GUID_AUTHUSER}
 *       and {@code GuestAccount.GUID_PUBLIC}.</li>
 *   <li>{@code GT_GUEST}: the display name must contain {@code '@'}; if it actually names an
 *       internal user or distribution list the grant is rewritten to that entry, otherwise the
 *       password attribute becomes the secret.</li>
 *   <li>{@code GT_KEY}: display name taken as-is, the optional access key becomes the secret.</li>
 *   <li>otherwise: looked up by zimbra id when given, else by display name; a user grantee that
 *       resolves to a group is either rejected (when {@code checkGranteeType} is set) or
 *       rewritten to {@code GT_GROUP}.</li>
 * </ul>
 *
 * @param eACE     the {@code ace} element holding right, grantee type and grantee attributes
 * @param zsc      SOAP context passed to the name lookups
 * @param granting true if granting, false if revoking; passed to the id lookup
 * @return the ACE to grant or revoke, with {@code RM_DENY} set when the deny attribute is true
 * @throws ServiceException if a required attribute is absent, the guest id is malformed,
 *         the grantee cannot be resolved, or a user grantee turns out to be a group while
 *         {@code checkGranteeType} is requested
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(AccountConstants.A_RIGHT));
    GranteeType granteeType = GranteeType.fromCode(eACE.getAttribute(AccountConstants.A_GRANT_TYPE));
    String granteeId = eACE.getAttribute(AccountConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(AccountConstants.A_DENY, false);
    boolean checkGranteeType = eACE.getAttributeBool(AccountConstants.A_CHECK_GRANTEE_TYPE, false);
    String secret = null;
    NamedEntry entry = null;

    if (granteeType == GranteeType.GT_AUTHUSER) {
        granteeId = GuestAccount.GUID_AUTHUSER;
    } else if (granteeType == GranteeType.GT_PUBLIC) {
        granteeId = GuestAccount.GUID_PUBLIC;
    } else if (granteeType == GranteeType.GT_GUEST) {
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        if (granteeId == null || granteeId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        // A "guest" that is really an internal user (or list) is re-typed to that entry;
        // the lookup failing is the expected case for a genuine external guest.
        try {
            entry = lookupGranteeByName(granteeId, GranteeType.GT_USER, zsc);
            granteeId = entry.getId();
            granteeType = (entry instanceof DistributionList) ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException e) {
            // NOTE(review): every ServiceException (not only a "no such user" miss) lands here and
            // is treated as "external guest", so a directory error would turn an intended
            // internal-user grant into a password-protected guest grant — confirm the lookup's
            // failure modes before relying on this.
            secret = eACE.getAttribute(AccountConstants.A_PASSWORD);
        }
    } else if (granteeType == GranteeType.GT_KEY) {
        // Key grantees: the display name need not be an email address and is never re-typed
        // to an internal user; the access key is optional.
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        secret = eACE.getAttribute(AccountConstants.A_ACCESSKEY, null);
    } else if (granteeId != null) {
        entry = lookupGranteeByZimbraId(granteeId, granteeType, granting);
    } else {
        String display = eACE.getAttribute(AccountConstants.A_DISPLAY);
        entry = lookupGranteeByName(display, granteeType, zsc);
        granteeId = entry.getId();
        // "usr" given for something that is actually a group: reject or fix up, per request flag.
        if (granteeType == GranteeType.GT_USER && entry instanceof Group) {
            if (checkGranteeType) {
                throw AccountServiceException.INVALID_REQUEST(display + " is not a valid grantee for grantee type '" + granteeType.getCode() + "'.", null);
            }
            granteeType = GranteeType.GT_GROUP;
        }
    }

    RightModifier rightModifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(granteeId, granteeType, right, rightModifier, secret);
}

Example 3 with GranteeType

Use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.

From class GrantPermission, method handleACE.

/**
 * Builds a {@link ZimbraACE} from one {@code ace} element of a grant/revoke request
 * (originally derived from FolderAction).
 *
 * <p>The grantee is resolved according to its type:
 * <ul>
 *   <li>{@code GT_AUTHUSER} / {@code GT_PUBLIC}: the fixed ids {@code GuestAccount.GUID_AUTHUSER}
 *       and {@code GuestAccount.GUID_PUBLIC}.</li>
 *   <li>{@code GT_GUEST}: the display name must contain {@code '@'}; if it actually names an
 *       internal user or distribution list the grant is rewritten to that entry, otherwise the
 *       password attribute becomes the secret.</li>
 *   <li>{@code GT_KEY}: display name taken as-is, the optional access key becomes the secret.</li>
 *   <li>otherwise: looked up by zimbra id when given, else by display name; a user grantee that
 *       resolves to a distribution list is rewritten to {@code GT_GROUP}.</li>
 * </ul>
 *
 * @param eACE     the {@code ace} element holding right, grantee type and grantee attributes
 * @param zsc      SOAP context passed to the name lookups
 * @param granting true if granting, false if revoking; passed to the id lookup
 * @return the ACE to grant or revoke, with {@code RM_DENY} set when the deny attribute is true
 * @throws ServiceException if a required attribute is absent, the guest id is malformed,
 *         or the grantee cannot be resolved
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(MailConstants.A_RIGHT));
    GranteeType granteeType = GranteeType.fromCode(eACE.getAttribute(MailConstants.A_GRANT_TYPE));
    String granteeId = eACE.getAttribute(MailConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(MailConstants.A_DENY, false);
    String secret = null;
    NamedEntry entry = null;

    if (granteeType == GranteeType.GT_AUTHUSER) {
        granteeId = GuestAccount.GUID_AUTHUSER;
    } else if (granteeType == GranteeType.GT_PUBLIC) {
        granteeId = GuestAccount.GUID_PUBLIC;
    } else if (granteeType == GranteeType.GT_GUEST) {
        granteeId = eACE.getAttribute(MailConstants.A_DISPLAY);
        if (granteeId == null || granteeId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        // A "guest" that is really an internal user (or list) is re-typed to that entry;
        // the lookup failing is the expected case for a genuine external guest.
        try {
            entry = lookupGranteeByName(granteeId, GranteeType.GT_USER, zsc);
            granteeId = entry.getId();
            granteeType = (entry instanceof DistributionList) ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException e) {
            // NOTE(review): every ServiceException (not only a "no such user" miss) lands here and
            // is treated as "external guest", so a directory error would turn an intended
            // internal-user grant into a password-protected guest grant — confirm the lookup's
            // failure modes before relying on this.
            secret = eACE.getAttribute(MailConstants.A_PASSWORD);
        }
    } else if (granteeType == GranteeType.GT_KEY) {
        // Key grantees: the display name need not be an email address and is never re-typed
        // to an internal user; the access key is optional.
        granteeId = eACE.getAttribute(MailConstants.A_DISPLAY);
        secret = eACE.getAttribute(MailConstants.A_ACCESSKEY, null);
    } else if (granteeId != null) {
        entry = lookupGranteeByZimbraId(granteeId, granteeType, granting);
    } else {
        entry = lookupGranteeByName(eACE.getAttribute(MailConstants.A_DISPLAY), granteeType, zsc);
        granteeId = entry.getId();
        // "usr" given for something that is actually a distribution list: fix up the type.
        if (granteeType == GranteeType.GT_USER && entry instanceof DistributionList) {
            granteeType = GranteeType.GT_GROUP;
        }
    }

    RightModifier rightModifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(granteeId, granteeType, right, rightModifier, secret);
}

Example 4 with GranteeType

Use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.

From class TestACLEffectiveRights, method getEffectiveRights.

/**
 * Grants the preset account right to a delegated admin on a freshly created account and
 * verifies that the right is reported among the delegated admin's effective preset rights.
 */
@Test
public void getEffectiveRights() throws Exception {
    Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
    Account targetAcct = provUtil.createAccount(genAcctNameLocalPart("user"), domain);
    Account delegatedAdmin = provUtil.createDelegatedAdmin(genAcctNameLocalPart("da"), domain);
    TargetType targetType = TargetType.getTargetType(targetAcct);
    Right right = ADMIN_PRESET_ACCOUNT;

    // Grant as the global admin, then read the delegated admin's effective rights on the account.
    RightCommand.grantRight(prov, globalAdmin, targetType.getCode(), TargetBy.name, targetAcct.getName(),
            GranteeType.GT_USER.getCode(), GranteeBy.name, delegatedAdmin.getName(), null, right.getName(), null);
    EffectiveRights effectiveRights = RightCommand.getEffectiveRights(prov, TargetType.account.getCode(),
            TargetBy.name, targetAcct.getName(), GranteeBy.name, delegatedAdmin.getName(), false, false);

    assertTrue(effectiveRights.presetRights().contains(right.getName()));
}

Example 5 with GranteeType

Use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.

From class GetAllEffectiveRights, method handle.

/**
 * Handles a GetAllEffectiveRights request.
 *
 * <p>The grantee comes from the optional {@code grantee} element (type attribute defaulting to
 * the {@code GT_USER} code, selector from the {@code by} attribute, value from the element text);
 * when the element is absent, the requested account id is used with {@code GranteeBy.id}.
 * Unless the grantee string equals the auth token's account id, the caller must pass the
 * check-right right check for that grantee.
 *
 * @param request the GetAllEffectiveRights request element
 * @param context SOAP request context used to obtain the {@link ZimbraSoapContext}
 * @return the GetAllEffectiveRightsResponse element populated via {@code AllEffectiveRights.toXML}
 * @throws ServiceException if the request is malformed, the caller fails the check-right check,
 *         or the rights computation fails
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Pair<Boolean, Boolean> expandAttrs = parseExpandAttrs(request);
    boolean expandSetAttrs = expandAttrs.getFirst();
    boolean expandGetAttrs = expandAttrs.getSecond();

    String granteeTypeCode;
    GranteeBy granteeBy;
    String grantee;
    Element eGrantee = request.getOptionalElement(AdminConstants.E_GRANTEE);
    if (eGrantee == null) {
        // No explicit grantee: report the rights of the requested account itself.
        granteeTypeCode = GranteeType.GT_USER.getCode();
        granteeBy = GranteeBy.id;
        grantee = zsc.getRequestedAccountId();
    } else {
        granteeTypeCode = eGrantee.getAttribute(AdminConstants.A_TYPE, GranteeType.GT_USER.getCode());
        granteeBy = GranteeBy.fromString(eGrantee.getAttribute(AdminConstants.A_BY));
        grantee = eGrantee.getText();
    }

    GranteeType granteeType = GranteeType.fromCode(granteeTypeCode);
    // Reading someone else's rights requires the check-right right on that grantee. This is a
    // plain string compare against the auth account *id*, so a grantee given by name goes
    // through the check even when it is the caller's own account (unless name and id coincide).
    boolean isSelf = grantee.equals(zsc.getAuthtokenAccountId());
    if (!isSelf) {
        checkCheckRightRight(zsc, granteeType, granteeBy, grantee);
    }

    RightCommand.AllEffectiveRights allRights = RightCommand.getAllEffectiveRights(
            Provisioning.getInstance(), granteeTypeCode, granteeBy, grantee, expandSetAttrs, expandGetAttrs);
    Element response = zsc.createElement(AdminConstants.GET_ALL_EFFECTIVE_RIGHTS_RESPONSE);
    allRights.toXML(response);
    return response;
}
