Example 1 with GranteeType
use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.
the class ProvUtil method getRightArgsGrantee.
private void getRightArgsGrantee(RightArgs ra, boolean needGranteeType, boolean needSecret) throws ServiceException, ArgException {
if (ra.mCurPos >= ra.mArgs.length) {
throw new ArgException("not enough arguments");
}
GranteeType gt = null;
if (needGranteeType) {
ra.mGranteeType = ra.mArgs[ra.mCurPos++];
gt = GranteeType.fromCode(ra.mGranteeType);
} else {
ra.mGranteeType = null;
}
if (gt == GranteeType.GT_AUTHUSER || gt == GranteeType.GT_PUBLIC) {
return;
}
if (ra.mCurPos >= ra.mArgs.length) {
throw new ArgException("not enough arguments");
}
ra.mGranteeIdOrName = ra.mArgs[ra.mCurPos++];
if (needSecret && gt != null) {
if (gt.allowSecret()) {
if (ra.mCurPos >= ra.mArgs.length) {
throw new ArgException("not enough arguments");
}
ra.mSecret = ra.mArgs[ra.mCurPos++];
}
}
}
Also used :
GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType)
Example 2 with GranteeType
use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.
the class GrantRights method handleACE.
/**
* @param eACE
* @param zsc
* @param granting true if granting, false if revoking
* @return
* @throws ServiceException
*/
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
/*
* Interface and parameter checking style was modeled after FolderAction,
* not admin Grant/RevokeRight
*/
Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(AccountConstants.A_RIGHT));
GranteeType gtype = GranteeType.fromCode(eACE.getAttribute(AccountConstants.A_GRANT_TYPE));
String zid = eACE.getAttribute(AccountConstants.A_ZIMBRA_ID, null);
boolean deny = eACE.getAttributeBool(AccountConstants.A_DENY, false);
boolean checkGranteeType = eACE.getAttributeBool(AccountConstants.A_CHECK_GRANTEE_TYPE, false);
String secret = null;
NamedEntry nentry = null;
if (gtype == GranteeType.GT_AUTHUSER) {
zid = GuestAccount.GUID_AUTHUSER;
} else if (gtype == GranteeType.GT_PUBLIC) {
zid = GuestAccount.GUID_PUBLIC;
} else if (gtype == GranteeType.GT_GUEST) {
zid = eACE.getAttribute(AccountConstants.A_DISPLAY);
if (zid == null || zid.indexOf('@') < 0)
throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
// make sure they didn't accidentally specify "guest" instead of "usr"
try {
nentry = lookupGranteeByName(zid, GranteeType.GT_USER, zsc);
zid = nentry.getId();
gtype = nentry instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
} catch (ServiceException e) {
// this is the normal path, where lookupGranteeByName throws account.NO_SUCH_USER
secret = eACE.getAttribute(AccountConstants.A_PASSWORD);
}
} else if (gtype == GranteeType.GT_KEY) {
zid = eACE.getAttribute(AccountConstants.A_DISPLAY);
// unlike guest, we do not require the display name to be an email address
/*
if (zid == null || zid.indexOf('@') < 0)
throw ServiceException.INVALID_REQUEST("invalid guest id or key", null);
*/
// unlike guest, we do not fixup grantee type for key grantees if they specify an internal user
// get the optional accesskey
secret = eACE.getAttribute(AccountConstants.A_ACCESSKEY, null);
} else if (zid != null) {
nentry = lookupGranteeByZimbraId(zid, gtype, granting);
} else {
nentry = lookupGranteeByName(eACE.getAttribute(AccountConstants.A_DISPLAY), gtype, zsc);
zid = nentry.getId();
// make sure they didn't accidentally specify "usr" instead of "grp"
if (gtype == GranteeType.GT_USER && nentry instanceof Group) {
if (checkGranteeType) {
throw AccountServiceException.INVALID_REQUEST(eACE.getAttribute(AccountConstants.A_DISPLAY) + " is not a valid grantee for grantee type '" + gtype.getCode() + "'.", null);
} else {
gtype = GranteeType.GT_GROUP;
}
}
}
RightModifier rightModifier = null;
if (deny)
rightModifier = RightModifier.RM_DENY;
return new ZimbraACE(zid, gtype, right, rightModifier, secret);
}
Also used :
ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE)
NamedEntry(com.zimbra.cs.account.NamedEntry)
Group(com.zimbra.cs.account.Group)
GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType)
AccountServiceException(com.zimbra.cs.account.AccountServiceException)
ServiceException(com.zimbra.common.service.ServiceException)
Right(com.zimbra.cs.account.accesscontrol.Right)
RightModifier(com.zimbra.cs.account.accesscontrol.RightModifier)
DistributionList(com.zimbra.cs.account.DistributionList)
Example 3 with GranteeType
use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.
the class GrantPermission method handleACE.
/**
* // orig: FolderAction
*
* @param eACE
* @param zsc
* @param granting true if granting, false if revoking
* @return
* @throws ServiceException
*/
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(MailConstants.A_RIGHT));
GranteeType gtype = GranteeType.fromCode(eACE.getAttribute(MailConstants.A_GRANT_TYPE));
String zid = eACE.getAttribute(MailConstants.A_ZIMBRA_ID, null);
boolean deny = eACE.getAttributeBool(MailConstants.A_DENY, false);
String secret = null;
NamedEntry nentry = null;
if (gtype == GranteeType.GT_AUTHUSER) {
zid = GuestAccount.GUID_AUTHUSER;
} else if (gtype == GranteeType.GT_PUBLIC) {
zid = GuestAccount.GUID_PUBLIC;
} else if (gtype == GranteeType.GT_GUEST) {
zid = eACE.getAttribute(MailConstants.A_DISPLAY);
if (zid == null || zid.indexOf('@') < 0)
throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
// make sure they didn't accidentally specify "guest" instead of "usr"
try {
nentry = lookupGranteeByName(zid, GranteeType.GT_USER, zsc);
zid = nentry.getId();
gtype = nentry instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
} catch (ServiceException e) {
// this is the normal path, where lookupGranteeByName throws account.NO_SUCH_USER
secret = eACE.getAttribute(MailConstants.A_PASSWORD);
}
} else if (gtype == GranteeType.GT_KEY) {
zid = eACE.getAttribute(MailConstants.A_DISPLAY);
// unlike guest, we do not require the display name to be an email address
/*
if (zid == null || zid.indexOf('@') < 0)
throw ServiceException.INVALID_REQUEST("invalid guest id or key", null);
*/
// unlike guest, we do not fixup grantee type for key grantees if they specify an internal user
// get the optional accesskey
secret = eACE.getAttribute(MailConstants.A_ACCESSKEY, null);
} else if (zid != null) {
nentry = lookupGranteeByZimbraId(zid, gtype, granting);
} else {
nentry = lookupGranteeByName(eACE.getAttribute(MailConstants.A_DISPLAY), gtype, zsc);
zid = nentry.getId();
// make sure they didn't accidentally specify "usr" instead of "grp"
if (gtype == GranteeType.GT_USER && nentry instanceof DistributionList)
gtype = GranteeType.GT_GROUP;
}
RightModifier rightModifier = null;
if (deny)
rightModifier = RightModifier.RM_DENY;
return new ZimbraACE(zid, gtype, right, rightModifier, secret);
}
Also used :
ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE)
NamedEntry(com.zimbra.cs.account.NamedEntry)
GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType)
AccountServiceException(com.zimbra.cs.account.AccountServiceException)
ServiceException(com.zimbra.common.service.ServiceException)
Right(com.zimbra.cs.account.accesscontrol.Right)
RightModifier(com.zimbra.cs.account.accesscontrol.RightModifier)
DistributionList(com.zimbra.cs.account.DistributionList)
Example 4 with GranteeType
use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.
the class TestACLEffectiveRights method getEffectiveRights.
@Test
public void getEffectiveRights() throws Exception {
Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
Account target = provUtil.createAccount(genAcctNameLocalPart("user"), domain);
Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("da"), domain);
Account grantingAccount = globalAdmin;
TargetType targetType = TargetType.getTargetType(target);
GranteeType granteeType = GranteeType.GT_USER;
Right right = ADMIN_PRESET_ACCOUNT;
RightCommand.grantRight(prov, grantingAccount, targetType.getCode(), TargetBy.name, target.getName(), granteeType.getCode(), GranteeBy.name, grantee.getName(), null, right.getName(), null);
EffectiveRights effRights = RightCommand.getEffectiveRights(prov, TargetType.account.getCode(), TargetBy.name, target.getName(), GranteeBy.name, grantee.getName(), false, false);
assertTrue(effRights.presetRights().contains(right.getName()));
}
Also used :
Account(com.zimbra.cs.account.Account)
GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType)
EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights)
AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)
RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType)
TargetType(com.zimbra.cs.account.accesscontrol.TargetType)
InlineAttrRight(com.zimbra.cs.account.accesscontrol.InlineAttrRight)
Right(com.zimbra.cs.account.accesscontrol.Right)
Domain(com.zimbra.cs.account.Domain)
Test(org.junit.Test)
Example 5 with GranteeType
use of com.zimbra.cs.account.accesscontrol.GranteeType in project zm-mailbox by Zimbra.
the class GetAllEffectiveRights method handle.
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
ZimbraSoapContext zsc = getZimbraSoapContext(context);
Pair<Boolean, Boolean> expandAttrs = parseExpandAttrs(request);
boolean expandSetAttrs = expandAttrs.getFirst();
boolean expandGetAttrs = expandAttrs.getSecond();
Element eGrantee = request.getOptionalElement(AdminConstants.E_GRANTEE);
String granteeType;
GranteeBy granteeBy;
String grantee;
if (eGrantee != null) {
granteeType = eGrantee.getAttribute(AdminConstants.A_TYPE, GranteeType.GT_USER.getCode());
granteeBy = GranteeBy.fromString(eGrantee.getAttribute(AdminConstants.A_BY));
grantee = eGrantee.getText();
} else {
granteeType = GranteeType.GT_USER.getCode();
granteeBy = GranteeBy.id;
grantee = zsc.getRequestedAccountId();
}
GranteeType gt = GranteeType.fromCode(granteeType);
if (!grantee.equals(zsc.getAuthtokenAccountId())) {
checkCheckRightRight(zsc, gt, granteeBy, grantee);
}
RightCommand.AllEffectiveRights aer = RightCommand.getAllEffectiveRights(Provisioning.getInstance(), granteeType, granteeBy, grantee, expandSetAttrs, expandGetAttrs);
Element resp = zsc.createElement(AdminConstants.GET_ALL_EFFECTIVE_RIGHTS_RESPONSE);
aer.toXML(resp);
return resp;
}
Also used :
GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType)
ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext)
Element(com.zimbra.common.soap.Element)
GranteeBy(com.zimbra.soap.admin.type.GranteeSelector.GranteeBy)
RightCommand(com.zimbra.cs.account.accesscontrol.RightCommand)
Aggregations
GranteeType (com.zimbra.cs.account.accesscontrol.GranteeType)8
Right (com.zimbra.cs.account.accesscontrol.Right)5
Account (com.zimbra.cs.account.Account)4
NamedEntry (com.zimbra.cs.account.NamedEntry)4
ServiceException (com.zimbra.common.service.ServiceException)3
Domain (com.zimbra.cs.account.Domain)3
Element (com.zimbra.common.soap.Element)2
AccountServiceException (com.zimbra.cs.account.AccountServiceException)2
DistributionList (com.zimbra.cs.account.DistributionList)2
Group (com.zimbra.cs.account.Group)2
GuestAccount (com.zimbra.cs.account.GuestAccount)2
InlineAttrRight (com.zimbra.cs.account.accesscontrol.InlineAttrRight)2
RightCommand (com.zimbra.cs.account.accesscontrol.RightCommand)2
AllEffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)2
EffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights)2
RightsByTargetType (com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType)2
RightModifier (com.zimbra.cs.account.accesscontrol.RightModifier)2
TargetType (com.zimbra.cs.account.accesscontrol.TargetType)2
ZimbraACE (com.zimbra.cs.account.accesscontrol.ZimbraACE)2
ZimbraSoapContext (com.zimbra.soap.ZimbraSoapContext)2
