use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class AccessManager method canSendInternal.
/**
 * Decides whether {@code grantee} may send mail using {@code targetAddress} under {@code sendRight}.
 *
 * <p>Decision flow, as implemented below:
 * <ol>
 *   <li>Only {@code User.R_sendAs} and {@code User.R_sendOnBehalfOf} are accepted; anything else is rejected
 *       with a {@code FAILURE} exception.</li>
 *   <li>An address in an internal domain is resolved by name to a distribution list or an account. For a
 *       distribution list the right that is checked is the DL variant of the requested right.</li>
 *   <li>An address outside the internal domains is only considered when it appears (compared in lower case)
 *       in {@code zimbraAllowFromAddress} of {@code targetAccount}; the right is then checked on that account.</li>
 *   <li>When no target entry is resolved the answer is {@code false}: the check denies by default.</li>
 *   <li>A non-admin caller must additionally pass {@code AccountUtil.isAllowedSendAddress}; with
 *       {@code asAdmin} set, that address restriction is skipped.</li>
 * </ol>
 *
 * @param grantee       account asking to send
 * @param targetAccount account used for the external-address case; may be {@code null}
 * @param targetAddress address the grantee wants to send as / on behalf of
 * @param sendRight     {@code User.R_sendAs} or {@code User.R_sendOnBehalfOf}
 * @param asAdmin       whether the right is evaluated with admin privileges
 * @return {@code true} only if a target was resolved and every applicable check passed
 * @throws ServiceException if {@code sendRight} is not one of the two send rights, or a lookup fails
 */
private boolean canSendInternal(Account grantee, Account targetAccount, String targetAddress, Right sendRight, boolean asAdmin) throws ServiceException {
    // Pick the distribution-list counterpart up front so that an unsupported right is rejected
    // before any directory lookup takes place.
    final Right dlSendRight;
    if (User.R_sendAs.equals(sendRight)) {
        dlSendRight = User.R_sendAsDistList;
    } else if (User.R_sendOnBehalfOf.equals(sendRight)) {
        dlSendRight = User.R_sendOnBehalfOfDistList;
    } else {
        throw ServiceException.FAILURE("invalid send right " + sendRight, null);
    }

    NamedEntry target = null;
    Right rightToCheck = sendRight;
    if (AccountUtil.addressHasInternalDomain(targetAddress)) {
        // Internal domain: the address names either a distribution list or another account.
        Provisioning prov = Provisioning.getInstance();
        if (prov.isDistributionList(targetAddress)) {
            target = prov.getGroupBasic(DistributionListBy.name, targetAddress);
            rightToCheck = dlSendRight;
        } else {
            target = prov.get(AccountBy.name, targetAddress);
        }
    } else if (targetAccount != null) {
        // External domain: only addresses the target account lists in zimbraAllowFromAddress qualify.
        // NOTE(review): toLowerCase() without a Locale follows the JVM default locale; Locale.ROOT would
        // make this allow-list comparison independent of the server's locale setting.
        Set<String> allowedLower = new HashSet<String>();
        for (String configured : targetAccount.getMultiAttr(Provisioning.A_zimbraAllowFromAddress)) {
            allowedLower.add(configured.toLowerCase());
        }
        if (allowedLower.contains(targetAddress.toLowerCase())) {
            target = targetAccount;
        }
    }

    // Deny by default: no resolved target means no right to evaluate.
    if (target == null) {
        return false;
    }
    if (!canDo(grantee, target, rightToCheck, asAdmin)) {
        return false;
    }
    if (asAdmin) {
        // Admins can send as any address of the target.
        return true;
    }
    // Non-admins can only use the addresses designated by the target user/DL.
    return AccountUtil.isAllowedSendAddress(target, targetAddress);
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class MailSenderTest method getSenderHeadersDelegatedAuth.
/**
 * Exercises {@code MailSender.getSenderHeaders} for a delegate that holds {@code sendOnBehalfOf} on the
 * default mock account.
 *
 * <p>The first two arguments are presumably the requested From and Sender addresses, and the returned pair
 * the resulting From/Sender headers - confirm against {@code MailSender.getSenderHeaders}. What the
 * assertions pin down: addresses the delegate is not entitled to never appear in the result; the result
 * falls back to the delegate's own address with no second header. Only the alias address is honoured, and
 * then the delegate's own address is reported in the second slot.
 */
@Test
public void getSenderHeadersDelegatedAuth() throws Exception {
    // Fixture: default mock account plus a freshly created second account that authenticates as delegate.
    Provisioning prov = Provisioning.getInstance();
    Account owner = prov.getAccount(MockProvisioning.DEFAULT_ACCOUNT_ID);
    Map<String, Object> delegateAttrs = new HashMap<String, Object>();
    delegateAttrs.put(Provisioning.A_zimbraId, UUID.randomUUID().toString());
    Account delegate = prov.createAccount("test2@zimbra.com", "secret", delegateAttrs);
    MailSender mailSender = new MailSender();
    Pair<InternetAddress, InternetAddress> headers;

    String target = "test@zimbra.com"; // not referenced by any call below
    String delegateAddr = "test2@zimbra.com";
    String aliasAddr = "test-alias@zimbra.com";
    String rejectedA = "foo@zimbra.com";
    String rejectedB = "bar@zimbra.com";

    // Grant the delegate sendOnBehalfOf on the owner account.
    Right right = RightManager.getInstance().getUserRight("sendOnBehalfOf");
    ZimbraACE ace = new ZimbraACE(delegate.getId(), GranteeType.GT_USER, right, null, null);
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    aces.add(ace);
    ACLUtil.grantRight(Provisioning.getInstance(), owner, aces);

    // Nothing requested, or only the delegate's own address: own address first, no second header.
    headers = mailSender.getSenderHeaders(null, null, owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(new InternetAddress(delegateAddr), null, owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(null, new InternetAddress(delegateAddr), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(new InternetAddress(delegateAddr), new InternetAddress(delegateAddr), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    // Alias requested on its own: alias comes back first and the delegate is disclosed second.
    headers = mailSender.getSenderHeaders(new InternetAddress(aliasAddr), null, owner, delegate, false);
    Assert.assertEquals(aliasAddr, headers.getFirst().toString());
    Assert.assertEquals(delegateAddr, headers.getSecond().toString());

    headers = mailSender.getSenderHeaders(null, new InternetAddress(aliasAddr), owner, delegate, false);
    Assert.assertEquals(aliasAddr, headers.getFirst().toString());
    Assert.assertEquals(delegateAddr, headers.getSecond().toString());

    headers = mailSender.getSenderHeaders(new InternetAddress(aliasAddr), new InternetAddress(aliasAddr), owner, delegate, false);
    Assert.assertEquals(aliasAddr, headers.getFirst().toString());
    Assert.assertEquals(delegateAddr, headers.getSecond().toString());

    // Addresses the delegate has no claim to are dropped in favour of the delegate's own address.
    headers = mailSender.getSenderHeaders(new InternetAddress(rejectedA), null, owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(null, new InternetAddress(rejectedA), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(new InternetAddress(rejectedA), new InternetAddress(rejectedB), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    // Mixed requests: the alias is honoured only when it is the first argument.
    headers = mailSender.getSenderHeaders(new InternetAddress(aliasAddr), new InternetAddress(delegateAddr), owner, delegate, false);
    Assert.assertEquals(aliasAddr, headers.getFirst().toString());
    Assert.assertEquals(delegateAddr, headers.getSecond().toString());

    headers = mailSender.getSenderHeaders(new InternetAddress(delegateAddr), new InternetAddress(aliasAddr), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(new InternetAddress(aliasAddr), new InternetAddress(rejectedA), owner, delegate, false);
    Assert.assertEquals(aliasAddr, headers.getFirst().toString());
    Assert.assertEquals(delegateAddr, headers.getSecond().toString());

    headers = mailSender.getSenderHeaders(new InternetAddress(rejectedA), new InternetAddress(aliasAddr), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(new InternetAddress(delegateAddr), new InternetAddress(rejectedA), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());

    headers = mailSender.getSenderHeaders(new InternetAddress(rejectedA), new InternetAddress(delegateAddr), owner, delegate, false);
    Assert.assertEquals(delegateAddr, headers.getFirst().toString());
    Assert.assertNull(headers.getSecond());
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class ProvUtil method dumpComboRight.
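/**
 * Prints every right contained in {@code comboRight}, one line per right, and optionally descends into
 * nested combo rights.
 *
 * <p>{@code seen} holds the names of the combo rights on the current expansion path. The name of this
 * combo right is added before its members are visited and removed again afterwards, so a combo right
 * that (directly or indirectly) contains itself is reported instead of being expanded again. The previous
 * implementation cleared the whole set after each member, which also dropped the ancestors' names; a
 * cycle reached through a non-first member was then never detected and the recursion did not terminate.
 *
 * @param comboRight       combo right whose members are printed
 * @param expandComboRight whether nested combo rights are expanded recursively
 * @param indent           indentation of the caller's level; this level prints with {@code indent + indent}
 * @param seen             names of combo rights currently being expanded; left as it was on entry
 */
private void dumpComboRight(ComboRight comboRight, boolean expandComboRight, String indent, Set<String> seen) {
    String comboName = comboRight.getName();
    // Set.add returns false when the name is already on the expansion path, i.e. a circular definition.
    if (!seen.add(comboName)) {
        console.println("Circular combo right: " + comboName + " !!");
        return;
    }
    try {
        String indent2 = indent + indent;
        for (Right r : comboRight.getRights()) {
            String tt = r.getTargetTypeStr();
            tt = tt == null ? "" : " (" + tt + ")";
            console.format("%s %s: %s %s\n", indent2, r.getRightType().name(), r.getName(), tt);
            if (r.isComboRight() && expandComboRight) {
                dumpComboRight((ComboRight) r, expandComboRight, indent2, seen);
            }
        }
    } finally {
        // Only this level's entry is removed, so ancestors stay visible to sibling subtrees.
        seen.remove(comboName);
    }
}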
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class ProvUtil method doGetAllRights.
/**
 * Lists all rights known to the provisioning backend, optionally filtered by target type and right class.
 *
 * <p>Recognised options, parsed from {@code args[1]} onwards ({@code args[0]} is skipped, presumably the
 * command name):
 * <ul>
 *   <li>{@code -v} - print the full definition of each right instead of only its name</li>
 *   <li>{@code -t <targetType>} - restrict to one target type</li>
 *   <li>{@code -c <rightClass>} - restrict to one right class</li>
 * </ul>
 *
 * @param args command-line tokens
 * @throws ArgException     on an unknown option or when {@code -t} / {@code -c} has no value
 * @throws ServiceException if the rights cannot be fetched
 */
private void doGetAllRights(String[] args) throws ServiceException, ArgException {
    boolean verbose = false;
    String targetType = null;
    String rightClass = null;

    for (int idx = 1; idx < args.length; idx++) {
        String option = args[idx];
        if (option.equals("-v")) {
            verbose = true;
            continue;
        }
        boolean isTargetType = option.equals("-t");
        if (!isTargetType && !option.equals("-c")) {
            throw new ArgException("invalid arg: " + option);
        }
        // Both -t and -c consume the following token as their value.
        idx++;
        if (idx == args.length) {
            throw new ArgException("not enough arguments");
        }
        if (isTargetType) {
            targetType = args[idx];
        } else {
            rightClass = args[idx];
        }
    }

    List<Right> allRights = prov.getAllRights(targetType, false, rightClass);
    for (Right right : allRights) {
        if (!verbose) {
            console.println(right.getName());
            continue;
        }
        dumpRight(right);
    }
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class DiscoverRights method handle.
/**
 * Handles a DiscoverRights request: resolves the user rights named in the request and reports them
 * for the requested account.
 *
 * <p>The access check on the requested account runs before any right name from the request body is
 * looked at, so a caller without access gets {@code PERM_DENIED} regardless of the request content.
 *
 * @param request the request element; its {@code E_RIGHT} children carry the right names
 * @param context SOAP request context
 * @return the populated {@code DISCOVER_RIGHTS_RESPONSE} element
 * @throws ServiceException {@code PERM_DENIED} when the caller may not access the account,
 *         {@code INVALID_REQUEST} when no right is named, or whatever the right lookup raises
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);

    // Authorization gate: nothing below runs for a caller that cannot access the requested account.
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }

    // Right names come from the request body; each one is resolved through the RightManager as a user right.
    RightManager rightMgr = RightManager.getInstance();
    Set<Right> requested = Sets.newHashSet();
    for (Element rightElem : request.listElements(AccountConstants.E_RIGHT)) {
        requested.add(rightMgr.getUserRight(rightElem.getText()));
    }
    if (requested.isEmpty()) {
        throw ServiceException.INVALID_REQUEST("no right is specified", null);
    }

    Element response = zsc.createElement(AccountConstants.DISCOVER_RIGHTS_RESPONSE);
    discoverRights(account, requested, response, true);
    return response;
}