
Example 46 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestACLGrant method testDelegateToNonAdmin.

public void testDelegateToNonAdmin() throws Exception {
    String testName = getTestName();

    // Authenticated principal for every grant/revoke below: a system admin.
    Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));

    // Grantees: a plain (non-admin) account and a plain group holding one member.
    Account granteeAcct = createAccount(getEmailAddr(testName, "GA"));
    DistributionList granteeGroup = createGroup(getEmailAddr(testName, "GG"));
    Account groupMember = createAccount(getEmailAddr(testName, "member"));
    mProv.addMembers(granteeGroup, new String[] { groupMember.getName() });

    // Target: a fresh sub-domain plus one account living in it.
    String targetDomainName = getSubDomainName(testName).toLowerCase();
    Domain targetDomain = mProv.createDomain(targetDomainName, new HashMap<String, Object>());
    Account targetAcct = createAccount("acct@" + targetDomainName);

    // The delegable right under test.
    Right comboRight = getRight("test-combo-account-domain");

    // Even a system admin may not hand a delegable right to a non-admin
    // account or group; the request must be rejected as invalid.
    doTestGrant(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, granteeAcct, comboRight, DELEGABLE, Result.INVALID_REQUEST);
    doTestGrant(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_GROUP, granteeGroup, comboRight, DELEGABLE, Result.INVALID_REQUEST);

    // Revoking is accepted regardless: the admin bit is only enforced on grant.
    doTestRevoke(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, granteeAcct, comboRight, DELEGABLE, Result.GOOD);
    doTestRevoke(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_GROUP, granteeGroup, comboRight, DELEGABLE, Result.GOOD);

    // Promote both grantees to admin; the same grants must now succeed.
    makeAccountAdmin(granteeAcct);
    makeGroupAdmin(granteeGroup);
    grantDelegableRight(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, granteeAcct, comboRight);
    grantDelegableRight(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_GROUP, granteeGroup, comboRight);

    // The account grantee is effective immediately, checked against an account in the target domain.
    Right presetRight = getRight("test-preset-account");
    verify(granteeAcct, targetAcct, presetRight, null, ALLOW);

    // The group member is still a non-admin account, so the group grant does not reach it yet.
    verify(groupMember, targetAcct, presetRight, null, DENY);

    // Once the member is an admin account the group grant applies to it.
    makeAccountAdmin(groupMember);
    verify(groupMember, targetAcct, presetRight, null, ALLOW);

    // Demoting the grantee group silently removes the member's access.
    // The member's cached entry holds its group info, so flush it before re-checking.
    makeGroupNonAdmin(granteeGroup);
    flushAccountCache(groupMember);
    verify(groupMember, targetAcct, presetRight, null, DENY);

    // Promoting the group again restores the access (cache flushed for the same reason).
    makeGroupAdmin(granteeGroup);
    flushAccountCache(groupMember);
    verify(groupMember, targetAcct, presetRight, null, ALLOW);
}
Also used : Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList)

Example 47 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestACLGrant method testDelegate.

public void testDelegate() throws Exception {
    String testName = getTestName();

    // Authenticated principal for the initial grant: a system admin, who can always grant.
    Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));

    // Grantees: the admin account that receives the delegable right, plus an
    // admin account and an admin group it will try to delegate to.
    Account delegator = createAdminAccount(getEmailAddr(testName, "GA_DELEGATOR"));
    Account delegateeAcct = createAdminAccount(getEmailAddr(testName, "GA_DELEGATEE"));
    DistributionList delegateeGroup = createAdminGroup(getEmailAddr(testName, "GG_DELEGATEE"));

    // Primary target: a fresh sub-domain.
    String targetDomainName = getSubDomainName(testName).toLowerCase();
    Domain targetDomain = mProv.createDomain(targetDomainName, new HashMap<String, Object>());

    // The delegable right under test, granted to the delegator on the target domain.
    Right comboRight = getRight("test-combo-account-domain");
    grantDelegableRight(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, delegator, comboRight);

    // Other targets: two entries inside the domain (sub-targets) and an unrelated sibling domain.
    DistributionList subTargetDl = createGroup("dl@" + targetDomainName);
    Account subTargetAcct = createAccount("acct@" + targetDomainName);
    Domain otherDomain = mProv.createDomain("other." + targetDomainName, new HashMap<String, Object>());

    // From here on the delegator (a regular admin) is the authenticated principal.

    // Delegating the whole right: allowed only on the exact target it was granted on.
    doTestDelegate(delegator, TargetType.domain, targetDomain, GranteeType.GT_USER, delegateeAcct, comboRight, Result.GOOD);
    doTestDelegate(delegator, TargetType.domain, targetDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.GOOD);
    // Sub-targets: the whole combo right is not valid on these target types.
    doTestDelegate(delegator, TargetType.dl, subTargetDl, GranteeType.GT_USER, delegateeAcct, comboRight, Result.INVALID_REQUEST);
    doTestDelegate(delegator, TargetType.dl, subTargetDl, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.INVALID_REQUEST);
    doTestDelegate(delegator, TargetType.account, subTargetAcct, GranteeType.GT_USER, delegateeAcct, comboRight, Result.INVALID_REQUEST);
    doTestDelegate(delegator, TargetType.account, subTargetAcct, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.INVALID_REQUEST);
    // Unrelated target: no grant covers it, so the delegation is denied.
    doTestDelegate(delegator, TargetType.domain, otherDomain, GranteeType.GT_USER, delegateeAcct, comboRight, Result.PERM_DENIED);
    doTestDelegate(delegator, TargetType.domain, otherDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.PERM_DENIED);
    // Super target (global): a domain-scoped grant must never widen to the global scope.
    doTestDelegate(delegator, TargetType.global, null, GranteeType.GT_USER, delegateeAcct, comboRight, Result.PERM_DENIED);
    doTestDelegate(delegator, TargetType.global, null, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.PERM_DENIED);

    // Delegating only part of the right: allowed on the granted target and on its sub-targets.
    doDelegatePartialRight(delegator, TargetType.domain, targetDomain, GranteeType.GT_USER, delegateeAcct, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.domain, targetDomain, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.dl, subTargetDl, GranteeType.GT_USER, delegateeAcct, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.dl, subTargetDl, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.account, subTargetAcct, GranteeType.GT_USER, delegateeAcct, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.account, subTargetAcct, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
    // Unrelated target: still denied.
    doDelegatePartialRight(delegator, TargetType.domain, otherDomain, GranteeType.GT_USER, delegateeAcct, Result.PERM_DENIED);
    doDelegatePartialRight(delegator, TargetType.domain, otherDomain, GranteeType.GT_GROUP, delegateeGroup, Result.PERM_DENIED);
    // Super target: still denied.
    // NOTE(review): these two calls pass otherDomain as the target entry for TargetType.global,
    // whereas the whole-right checks above pass null for global; presumably the helper ignores
    // the entry for global targets — confirm, or pass null here for consistency.
    doDelegatePartialRight(delegator, TargetType.global, otherDomain, GranteeType.GT_USER, delegateeAcct, Result.PERM_DENIED);
    doDelegatePartialRight(delegator, TargetType.global, otherDomain, GranteeType.GT_GROUP, delegateeGroup, Result.PERM_DENIED);
}
Also used : Account(com.zimbra.cs.account.Account) Right(com.zimbra.cs.account.accesscontrol.Right) Domain(com.zimbra.cs.account.Domain) DistributionList(com.zimbra.cs.account.DistributionList)

Example 48 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestGroups method doGetGroupMembershipWithRights.

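/**
 * Resolves {@code acct}'s group membership twice through
 * {@code ldapProv.getGroupMembershipWithRights} -- once unrestricted, once admin-only --
 * logs the elapsed time and the resolved group names for each, and asserts the expected
 * group counts.
 *
 * @param acct              account whose membership is resolved
 * @param rights            rights the groups are filtered by; {@code null} and empty are both
 *                          labelled "ALL" in the log, distinguishing the two (how the provider
 *                          treats each is not visible here -- confirm against ldapProv)
 * @param expected          expected number of groups in the unrestricted membership
 * @param adminOnlyExpected expected number of groups in the admin-only membership
 * @return the unrestricted membership (result of the first lookup)
 * @throws ServiceException propagated from the provisioning lookups
 */
private GroupMembership doGetGroupMembershipWithRights(Account acct, Set<Right> rights, int expected, int adminOnlyExpected) throws ServiceException {
    String rightsDesc = describeRights(rights);

    long before = System.currentTimeMillis();
    GroupMembership membership = ldapProv.getGroupMembershipWithRights(acct, rights, false);
    long after = System.currentTimeMillis();
    String groupNames = groupInfo(membership.groupIds());
    ZimbraLog.test.info("YYY getGroupMembershipWithRights %s ms=%s acct=%s size=%s\n%s\ngroupNames=%s", rightsDesc, after - before, acct.getName(), membership.groupIds().size(), membership, groupNames);

    before = System.currentTimeMillis();
    GroupMembership adminOnlyMembership = ldapProv.getGroupMembershipWithRights(acct, rights, true);
    after = System.currentTimeMillis();
    // Describe the admin-only result; previously this read the unrestricted membership's ids,
    // so the admin-only log line and assertion message showed the wrong group list.
    String adminOnlyGroupNames = groupInfo(adminOnlyMembership.groupIds());
    ZimbraLog.test.info("YYY getGroupMembershipWithRights [adminOnly] %s ms=%s acct=%s size=%s\n%s\ngroupNames=%s", rightsDesc, after - before, acct.getName(), adminOnlyMembership.groupIds().size(), adminOnlyMembership, adminOnlyGroupNames);

    assertEquals(String.format("Number of groups with %s which contain %s groups=%s", rightsDesc, acct.getName(), groupNames), expected, membership.groupIds().size());
    assertEquals(String.format("Number of adminOnly groups with %s which contain %s groups=%s", rightsDesc, acct.getName(), adminOnlyGroupNames), adminOnlyExpected, adminOnlyMembership.groupIds().size());
    return membership;
}

/**
 * Builds the {@code rights=...} label used in the log lines and assertion messages above.
 *
 * @param rights the filter set; {@code null} yields {@code rights={ALL(null)}}, an empty set
 *               {@code rights={ALL(empty)}}, otherwise a comma-separated list of right names
 * @return the label
 */
private static String describeRights(Set<Right> rights) {
    if (rights == null) {
        return "rights={ALL(null)}";
    }
    if (rights.isEmpty()) {
        return "rights={ALL(empty)}";
    }
    StringBuilder sb = new StringBuilder("rights=");
    // Explicit first-element flag instead of comparing against the prefix length.
    boolean first = true;
    for (Right right : rights) {
        if (!first) {
            sb.append(',');
        }
        sb.append(right.getName());
        first = false;
    }
    return sb.toString();
}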
Also used : Right(com.zimbra.cs.account.accesscontrol.Right) GroupMembership(com.zimbra.cs.account.Provisioning.GroupMembership)

Example 49 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestGroups method ENABLE_FOR_PERFORMANCE_TESTStestCustomDynamicGroups.

/**
 * Performance probe for custom dynamic group membership lookups - see Bug 89504.
 * Intended to be run only after adjusting the setup parameters; the
 * ENABLE_FOR_PERFORMANCE_TESTS name prefix appears to be what keeps it out of
 * the regular run. Runs 80 concurrent membership clients, cycling through 10
 * accounts built from acctPatt, and logs the total elapsed time.
 */
public void ENABLE_FOR_PERFORMANCE_TESTStestCustomDynamicGroups() throws Exception {
    long startedAt = System.currentTimeMillis();

    // Every client filters on the same single user right.
    RightManager rightManager = RightManager.getInstance();
    Set<Right> requiredRights = Sets.newHashSet();
    requiredRights.add(rightManager.getUserRight(RightConsts.RT_createDistList));

    // One worker thread per client; account slots 1..10 are reused round-robin.
    final int clientCount = 80;
    Thread[] workers = new Thread[clientCount];
    for (int idx = 0; idx < clientCount; idx++) {
        String acctName = String.format(acctPatt, idx % 10 + 1);
        Account acct = soapProv.getAccountByName(acctName);
        workers[idx] = new Thread(new GetMembershipClientThread(ldapProv, acct, requiredRights));
    }

    // Start all workers before joining any, so the lookups overlap.
    for (Thread worker : workers) {
        worker.start();
    }
    for (Thread worker : workers) {
        worker.join();
    }

    ZimbraLog.test.info("ZZZ testCustomDynamicGroups %s", ZimbraLog.elapsedTime(startedAt, System.currentTimeMillis()));
}
Also used : Account(com.zimbra.cs.account.Account) RightManager(com.zimbra.cs.account.accesscontrol.RightManager) Right(com.zimbra.cs.account.accesscontrol.Right)

Example 50 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class GetRights method handle.

/**
 * Handles a GetRights request: returns the ACEs granted on the requested account,
 * optionally narrowed to the rights named by the request's {@code <ace right="..."/>}
 * elements.
 *
 * @param request the SOAP request element
 * @param context the SOAP handler context
 * @return the GetRightsResponse element with one encoded ACE per matching grant
 * @throws ServiceException PERM_DENIED when the caller may not access the account;
 *         otherwise propagated from right lookup or ACL retrieval
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);

    // Authorization gate: the caller must be allowed to act on the requested
    // account before any of its ACL is read or returned.
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }

    // Collect the rights named by <ace> elements. Stays null when the request
    // carries no <ace> element, which selects the whole ACL below.
    Set<Right> requestedRights = null;
    for (Element aceElem : request.listElements(AccountConstants.E_ACE)) {
        if (requestedRights == null) {
            requestedRights = new HashSet<>();
        }
        // The right name comes from the client; it is resolved through RightManager
        // rather than used directly, so an unknown name never reaches the ACL lookup.
        String rightName = aceElem.getAttribute(AccountConstants.A_RIGHT);
        requestedRights.add(RightManager.getInstance().getUserRight(rightName));
    }

    List<ZimbraACE> aceList;
    if (requestedRights == null) {
        aceList = ACLUtil.getAllACEs(account);
    } else {
        aceList = ACLUtil.getACEs(account, requestedRights);
    }

    Element response = zsc.createElement(AccountConstants.GET_RIGHTS_RESPONSE);
    // ACLUtil may hand back null for an account with no grants; treat it as empty.
    if (aceList != null) {
        for (ZimbraACE ace : aceList) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}
Also used : ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE) Account(com.zimbra.cs.account.Account) ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext) Element(com.zimbra.common.soap.Element) Right(com.zimbra.cs.account.accesscontrol.Right) HashSet(java.util.HashSet)
