use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestACLGrant method testDelegateToNonAdmin.
/**
 * A delegable right can only be granted to admin grantees: as long as the target
 * account/group is not an admin the grant is rejected as INVALID_REQUEST, while a
 * revoke of the same grant succeeds because the admin flag is not checked on revoke.
 * Once the grantees are admins the grant goes through; a member of the grantee group
 * only benefits from it while the member itself AND the group are admins. Toggling
 * the group's admin flag requires flushing the member's cached account entry, since
 * the groups an account belongs to are cached on the account entry.
 */
public void testDelegateToNonAdmin() throws Exception {
    String testName = getTestName();

    // Authenticated caller: a system admin.
    Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));

    // Grantees, neither of them an admin at this point.
    Account granteeAcct = createAccount(getEmailAddr(testName, "GA"));
    DistributionList granteeGroup = createGroup(getEmailAddr(testName, "GG"));
    Account groupMember = createAccount(getEmailAddr(testName, "member"));
    mProv.addMembers(granteeGroup, new String[] { groupMember.getName() });

    // Target domain, plus an account inside it for the effective-right checks.
    String domainName = getSubDomainName(testName).toLowerCase();
    Domain targetDomain = mProv.createDomain(domainName, new HashMap<String, Object>());
    Account acctInDomain = createAccount("acct@" + domainName);

    // Right granted on the domain, and the preset account right it is expected to imply.
    Right comboRight = getRight("test-combo-account-domain");
    Right presetRight = getRight("test-preset-account");

    // Sys admin cannot hand a delegable right to a non-admin account or group ...
    doTestGrant(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, granteeAcct, comboRight, DELEGABLE, Result.INVALID_REQUEST);
    doTestGrant(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_GROUP, granteeGroup, comboRight, DELEGABLE, Result.INVALID_REQUEST);
    // ... but revoking is allowed regardless: the admin flag is not consulted for revokes.
    doTestRevoke(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, granteeAcct, comboRight, DELEGABLE, Result.GOOD);
    doTestRevoke(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_GROUP, granteeGroup, comboRight, DELEGABLE, Result.GOOD);

    // Promote both grantees to admin; the same grants now succeed.
    makeAccountAdmin(granteeAcct);
    makeGroupAdmin(granteeGroup);
    grantDelegableRight(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, granteeAcct, comboRight);
    grantDelegableRight(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_GROUP, granteeGroup, comboRight);

    // The admin account holds the right on an account within the target domain.
    verify(granteeAcct, acctInDomain, presetRight, null, ALLOW);
    // The group member does not yet: it is still a non-admin account.
    verify(groupMember, acctInDomain, presetRight, null, DENY);

    // Promoting the member makes the group grant effective for it.
    makeAccountAdmin(groupMember);
    verify(groupMember, acctInDomain, presetRight, null, ALLOW);

    // Demoting the grantee group strips the right from the member again. The member's
    // cached account entry must be flushed because group membership is cached on it.
    makeGroupNonAdmin(granteeGroup);
    flushAccountCache(groupMember);
    verify(groupMember, acctInDomain, presetRight, null, DENY);

    // Re-promoting the group restores the right (same cache flush required).
    makeGroupAdmin(granteeGroup);
    flushAccountCache(groupMember);
    verify(groupMember, acctInDomain, presetRight, null, ALLOW);
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestACLGrant method testDelegate.
/**
 * Re-delegation by a regular admin who holds a delegable combo right on a domain.
 * The whole right can only be delegated again on exactly the same target: sub-targets
 * (a DL or account in the domain) are rejected as INVALID_REQUEST, an unrelated domain
 * and the global super-target as PERM_DENIED. A partial right may additionally be
 * delegated on sub-targets, but still not on unrelated or super targets.
 */
public void testDelegate() throws Exception {
    String testName = getTestName();

    // Authenticated system admin, used only to seed the initial grant.
    Account sysAdmin = getSystemAdminAccount(getEmailAddr(testName, "authed"));

    // All grantees are admins, so the admin-flag rule is not what is exercised here.
    Account delegator = createAdminAccount(getEmailAddr(testName, "GA_DELEGATOR"));
    Account delegateeAcct = createAdminAccount(getEmailAddr(testName, "GA_DELEGATEE"));
    DistributionList delegateeGroup = createAdminGroup(getEmailAddr(testName, "GG_DELEGATEE"));

    // Primary target domain.
    String domainName = getSubDomainName(testName).toLowerCase();
    Domain targetDomain = mProv.createDomain(domainName, new HashMap<String, Object>());

    Right comboRight = getRight("test-combo-account-domain");

    // Seed: a sys admin can always grant; give the delegator the delegable right.
    grantDelegableRight(sysAdmin, TargetType.domain, targetDomain, GranteeType.GT_USER, delegator, comboRight);

    // Sub-targets inside the domain, and an unrelated sibling domain.
    DistributionList dlInDomain = createGroup("dl@" + domainName);
    Account acctInDomain = createAccount("acct@" + domainName);
    Domain unrelatedDomain = mProv.createDomain("other." + domainName, new HashMap<String, Object>());

    // From here on the delegator (a regular admin) is the authenticated caller.

    // Whole right, same target: allowed.
    doTestDelegate(delegator, TargetType.domain, targetDomain, GranteeType.GT_USER, delegateeAcct, comboRight, Result.GOOD);
    doTestDelegate(delegator, TargetType.domain, targetDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.GOOD);
    // Whole right, sub-targets: not a valid request.
    doTestDelegate(delegator, TargetType.dl, dlInDomain, GranteeType.GT_USER, delegateeAcct, comboRight, Result.INVALID_REQUEST);
    doTestDelegate(delegator, TargetType.dl, dlInDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.INVALID_REQUEST);
    doTestDelegate(delegator, TargetType.account, acctInDomain, GranteeType.GT_USER, delegateeAcct, comboRight, Result.INVALID_REQUEST);
    doTestDelegate(delegator, TargetType.account, acctInDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.INVALID_REQUEST);
    // Whole right, unrelated target: permission denied.
    doTestDelegate(delegator, TargetType.domain, unrelatedDomain, GranteeType.GT_USER, delegateeAcct, comboRight, Result.PERM_DENIED);
    doTestDelegate(delegator, TargetType.domain, unrelatedDomain, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.PERM_DENIED);
    // Whole right, super target (global grant, no target entry): permission denied.
    doTestDelegate(delegator, TargetType.global, null, GranteeType.GT_USER, delegateeAcct, comboRight, Result.PERM_DENIED);
    doTestDelegate(delegator, TargetType.global, null, GranteeType.GT_GROUP, delegateeGroup, comboRight, Result.PERM_DENIED);

    // Partial right, same target: allowed.
    doDelegatePartialRight(delegator, TargetType.domain, targetDomain, GranteeType.GT_USER, delegateeAcct, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.domain, targetDomain, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
    // Partial right, sub-targets: allowed (unlike the whole right above).
    doDelegatePartialRight(delegator, TargetType.dl, dlInDomain, GranteeType.GT_USER, delegateeAcct, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.dl, dlInDomain, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.account, acctInDomain, GranteeType.GT_USER, delegateeAcct, Result.GOOD);
    doDelegatePartialRight(delegator, TargetType.account, acctInDomain, GranteeType.GT_GROUP, delegateeGroup, Result.GOOD);
    // Partial right, unrelated target: permission denied.
    doDelegatePartialRight(delegator, TargetType.domain, unrelatedDomain, GranteeType.GT_USER, delegateeAcct, Result.PERM_DENIED);
    doDelegatePartialRight(delegator, TargetType.domain, unrelatedDomain, GranteeType.GT_GROUP, delegateeGroup, Result.PERM_DENIED);
    // Partial right, super target: permission denied.
    // NOTE(review): these two pass the unrelated domain as the target entry together with
    // TargetType.global, whereas the whole-right global case above passes null. Unless
    // doDelegatePartialRight ignores the entry for global targets, this exercises a mixed
    // selector rather than a true super-target delegation - confirm and align with null.
    doDelegatePartialRight(delegator, TargetType.global, unrelatedDomain, GranteeType.GT_USER, delegateeAcct, Result.PERM_DENIED);
    doDelegatePartialRight(delegator, TargetType.global, unrelatedDomain, GranteeType.GT_GROUP, delegateeGroup, Result.PERM_DENIED);
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestGroups method doGetGroupMembershipWithRights.
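/**
 * Resolves the group membership of {@code acct} through the LDAP provisioning layer
 * twice - once unrestricted, once restricted to admin groups - logs both results with
 * timings, and asserts the two group counts against the expected values.
 *
 * @param acct account whose membership is queried
 * @param rights rights the groups must carry; {@code null} or empty selects all groups
 * @param expected expected number of groups in the unrestricted result
 * @param adminOnlyExpected expected number of groups in the admin-only result
 * @return the unrestricted membership
 * @throws ServiceException propagated from the provisioning lookups
 */
private GroupMembership doGetGroupMembershipWithRights(Account acct, Set<Right> rights, int expected, int adminOnlyExpected) throws ServiceException {
    String rightsDesc = describeRights(rights);

    long before = System.currentTimeMillis();
    GroupMembership membership = ldapProv.getGroupMembershipWithRights(acct, rights, false);
    long after = System.currentTimeMillis();
    String groupNames = groupInfo(membership.groupIds());
    ZimbraLog.test.info("YYY getGroupMembershipWithRights %s ms=%s acct=%s size=%s\n%s\ngroupNames=%s", rightsDesc, after - before, acct.getName(), membership.groupIds().size(), membership, groupNames);

    before = System.currentTimeMillis();
    GroupMembership adminOnlyMembership = ldapProv.getGroupMembershipWithRights(acct, rights, true);
    after = System.currentTimeMillis();
    // Fix: describe the admin-only result rather than the unrestricted one. The original
    // passed membership.groupIds() here, so the admin-only log line and assertion message
    // listed the wrong groups, which is exactly what one needs when the count mismatches.
    String adminOnlyGroupNames = groupInfo(adminOnlyMembership.groupIds());
    ZimbraLog.test.info("YYY getGroupMembershipWithRights [adminOnly] %s ms=%s acct=%s size=%s\n%s\ngroupNames=%s", rightsDesc, after - before, acct.getName(), adminOnlyMembership.groupIds().size(), adminOnlyMembership, adminOnlyGroupNames);

    assertEquals(String.format("Number of groups with %s which contain %s groups=%s", rightsDesc, acct.getName(), groupNames), expected, membership.groupIds().size());
    assertEquals(String.format("Number of adminOnly groups with %s which contain %s groups=%s", rightsDesc, acct.getName(), adminOnlyGroupNames), adminOnlyExpected, adminOnlyMembership.groupIds().size());
    return membership;
}

/**
 * Renders the requested rights for log and assertion messages.
 * {@code null} and an empty set both mean "all rights" and are labelled as such.
 */
private static String describeRights(Set<Right> rights) {
    if (rights == null) {
        return "rights={ALL(null)}";
    }
    if (rights.isEmpty()) {
        return "rights={ALL(empty)}";
    }
    StringBuilder sb = new StringBuilder("rights=");
    boolean first = true;
    for (Right right : rights) {
        if (!first) {
            sb.append(',');
        }
        sb.append(right.getName());
        first = false;
    }
    return sb.toString();
}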
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestGroups method ENABLE_FOR_PERFORMANCE_TESTStestCustomDynamicGroups.
/**
* For testing performance (after adjusting setup parameters) - see Bug 89504
*/
/**
 * Manual performance probe for Bug 89504 - the name prefix is presumably there so the
 * test runner does not pick it up; rename it to a test* method (after adjusting the
 * setup parameters) when measuring. Spawns 80 threads, each resolving the group
 * membership of one of 10 accounts (chosen round-robin) filtered to the createDistList
 * user right, waits for all of them and logs the total elapsed time.
 */
public void ENABLE_FOR_PERFORMANCE_TESTStestCustomDynamicGroups() throws Exception {
    final long startedAt = System.currentTimeMillis();

    final RightManager rightMgr = RightManager.getInstance();
    final Set<Right> rightsFilter = Sets.newHashSet();
    rightsFilter.add(rightMgr.getUserRight(RightConsts.RT_createDistList));

    final int workerCount = 80;
    final int acctCount = 10;
    Thread[] workers = new Thread[workerCount];
    for (int idx = 0; idx < workerCount; idx++) {
        // Round-robin over the provisioned test accounts (1-based suffix in acctPatt).
        String acctName = String.format(acctPatt, idx % acctCount + 1);
        Account acct = soapProv.getAccountByName(acctName);
        workers[idx] = new Thread(new GetMembershipClientThread(ldapProv, acct, rightsFilter));
    }

    for (Thread worker : workers) {
        worker.start();
    }
    // Wait for every worker; InterruptedException propagates via the throws clause.
    for (Thread worker : workers) {
        worker.join();
    }

    ZimbraLog.test.info("ZZZ testCustomDynamicGroups %s", ZimbraLog.elapsedTime(startedAt, System.currentTimeMillis()));
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class GetRights method handle.
/**
 * Handles GetRightsRequest: returns the ACEs granted on the requested account, either
 * all of them or only those for the user rights named by {@code <ace right="..."/>}
 * child elements of the request.
 * <p>
 * Authorization: the caller must pass {@code canAccessAccount} for the requested
 * account before any ACL entry is disclosed; otherwise PERM_DENIED is thrown.
 *
 * @param request the GetRightsRequest element
 * @param context SOAP engine context
 * @return GetRightsResponse with one encoded ACE per matching grant
 * @throws ServiceException on permission denial, a missing {@code right} attribute,
 *         an unresolvable right name, or provisioning errors
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account target = getRequestedAccount(zsc);

    // Authorization gate: grants on an account are sensitive, so never enumerate them
    // for an account the caller is not permitted to access.
    if (!canAccessAccount(zsc, target)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }

    // No <ace> elements means "all rights"; a null filter carries that distinction.
    List<Element> aceElems = request.listElements(AccountConstants.E_ACE);
    Set<Right> requested = null;
    if (!aceElems.isEmpty()) {
        requested = new HashSet<Right>();
        for (Element aceElem : aceElems) {
            String rightName = aceElem.getAttribute(AccountConstants.A_RIGHT);
            // Resolved through getUserRight, so only user rights are accepted here;
            // presumably an unknown name fails with a ServiceException - confirm.
            requested.add(RightManager.getInstance().getUserRight(rightName));
        }
    }

    List<ZimbraACE> aces;
    if (requested == null) {
        aces = ACLUtil.getAllACEs(target);
    } else {
        aces = ACLUtil.getACEs(target, requested);
    }

    Element response = zsc.createElement(AccountConstants.GET_RIGHTS_RESPONSE);
    if (aces != null) {
        for (ZimbraACE ace : aces) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}