
Example 6 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class GrantPermission method handleACE.

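/**
 * Builds the {@link ZimbraACE} described by one {@code <ace>} element of a
 * GrantPermission / RevokePermission request (originally lifted from FolderAction).
 *
 * <p>How the grantee id ({@code zid}) and secret are derived depends on the grantee type:
 * <ul>
 *   <li>{@code all} / {@code pub}: the fixed authenticated-user / public GUID from
 *       {@link GuestAccount}; any supplied zid is ignored.</li>
 *   <li>{@code guest}: the display attribute must look like an e-mail address. If it
 *       resolves to an internal account or distribution list the grant is silently
 *       converted to a {@code usr} / {@code grp} grant; otherwise the password attribute
 *       becomes the ACE secret.</li>
 *   <li>{@code key}: the display attribute is taken verbatim (no address check, and no
 *       fixup to an internal grantee even if the name matches one) and the optional
 *       accesskey attribute becomes the secret.</li>
 *   <li>anything else: resolved by zimbraId when one is given, else by display name
 *       (a {@code usr} that turns out to be a list is fixed up to {@code grp}).</li>
 * </ul>
 *
 * @param eACE     the {@code <ace>} element; reads the right, grantee type, zid, display
 *                 name, password, accesskey and deny attributes
 * @param zsc      SOAP context, used to resolve grantee names relative to the requester
 * @param granting true if granting, false if revoking (passed through to the id lookup)
 * @return the parsed ACE, never null
 * @throws ServiceException on a malformed element, an unknown user right or grantee type,
 *         a grantee that cannot be resolved, or a directory failure during resolution
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(MailConstants.A_RIGHT));
    GranteeType gtype = GranteeType.fromCode(eACE.getAttribute(MailConstants.A_GRANT_TYPE));
    String zid = eACE.getAttribute(MailConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(MailConstants.A_DENY, false);
    String secret = null;
    NamedEntry nentry = null;

    if (gtype == GranteeType.GT_AUTHUSER) {
        zid = GuestAccount.GUID_AUTHUSER;
    } else if (gtype == GranteeType.GT_PUBLIC) {
        zid = GuestAccount.GUID_PUBLIC;
    } else if (gtype == GranteeType.GT_GUEST) {
        zid = eACE.getAttribute(MailConstants.A_DISPLAY);
        if (zid == null || zid.indexOf('@') < 0)
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        // make sure they didn't accidentally specify "guest" instead of "usr"
        try {
            nentry = lookupGranteeByName(zid, GranteeType.GT_USER, zsc);
            zid = nentry.getId();
            gtype = nentry instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (AccountServiceException e) {
            // Normal path: the address is not an internal account (account.NO_SUCH_*),
            // so this really is an external guest protected by the supplied password.
            // Deliberately narrower than ServiceException: a directory failure during
            // the lookup must propagate rather than be mistaken for "no such account",
            // otherwise an address that is in fact an internal user could end up with
            // a password-protected guest grant instead of a usr/grp grant.
            // NOTE(review): assumes lookupGranteeByName signals a missing account with
            // an AccountServiceException, as the original comment implied - confirm.
            secret = eACE.getAttribute(MailConstants.A_PASSWORD);
        }
    } else if (gtype == GranteeType.GT_KEY) {
        // Unlike guest, the display name need not be an e-mail address, and an internal
        // user specified here is NOT fixed up to a usr grantee.
        zid = eACE.getAttribute(MailConstants.A_DISPLAY);
        // the accesskey is optional; absent means null secret on the ACE
        secret = eACE.getAttribute(MailConstants.A_ACCESSKEY, null);
    } else if (zid != null) {
        nentry = lookupGranteeByZimbraId(zid, gtype, granting);
    } else {
        nentry = lookupGranteeByName(eACE.getAttribute(MailConstants.A_DISPLAY), gtype, zsc);
        zid = nentry.getId();
        // make sure they didn't accidentally specify "usr" instead of "grp"
        if (gtype == GranteeType.GT_USER && nentry instanceof DistributionList)
            gtype = GranteeType.GT_GROUP;
    }

    // a deny ACE is a normal ACE carrying the RM_DENY modifier
    RightModifier rightModifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(zid, gtype, right, rightModifier, secret);
}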

Example 7 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestACLAttrRight method someAllSameLevel.

/**
 * Grants a "some attributes" right and an "all attributes" right (get or set flavour)
 * on the same account target to the same delegated admin, each with its own allow/deny
 * modifier, then checks that the grantee ends up with exactly {@code expected}.
 *
 * @param some     allow or deny for the "some attributes" right
 * @param all      allow or deny for the "all attributes" right
 * @param getOrSet whether the get or the set variants of the two rights are granted
 * @param expected the attribute set the grantee must be left with
 */
private void someAllSameLevel(AllowOrDeny some, AllowOrDeny all, GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
    final String testName = "someAllSameLevel-" + some.name() + "-some-" + all.name() + "-all-" + getOrSet.name();
    System.out.println("Testing " + testName);

    // all grants are made by the global admin
    final Account granter = globalAdmin;

    // grantee: a fresh delegated admin
    final Account grantee = provUtil.createDelegatedAdmin(getAddress(testName, "GA"));

    // pick the get or the set flavour of the two attribute rights
    final boolean isGet = getOrSet.isGet();
    final Right someRight = isGet ? ATTR_RIGHT_GET_SOME : ATTR_RIGHT_SET_SOME;
    final Right allRight = isGet ? ATTR_RIGHT_GET_ALL : ATTR_RIGHT_SET_ALL;

    // target: a fresh account; both rights are granted directly on it (same level)
    final Account target = createAccount(getAddress(testName, "TA"));
    grantRight(granter, TargetType.account, target, GranteeType.GT_USER, grantee, someRight, some);
    grantRight(granter, TargetType.account, target, GranteeType.GT_USER, grantee, allRight, all);

    verify(grantee, target, getOrSet, expected);
}

Example 8 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestACLEffectiveRights method getEffectiveRights.

/**
 * Grants one preset admin right on an account to a delegated admin (by name, as the
 * global admin) and checks that the right shows up in the delegated admin's effective
 * rights on that account.
 */
@Test
public void getEffectiveRights() throws Exception {
    final Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
    final Account target = provUtil.createAccount(genAcctNameLocalPart("user"), domain);
    final Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("da"), domain);

    final Right right = ADMIN_PRESET_ACCOUNT;
    final String targetTypeCode = TargetType.getTargetType(target).getCode();
    final String granteeTypeCode = GranteeType.GT_USER.getCode();

    // grant as the global admin, target and grantee both addressed by name, no modifier
    RightCommand.grantRight(prov, globalAdmin, targetTypeCode, TargetBy.name, target.getName(),
            granteeTypeCode, GranteeBy.name, grantee.getName(), null, right.getName(), null);

    // ask for the grantee's effective rights on the target account (no expand flags)
    final EffectiveRights effRights = RightCommand.getEffectiveRights(prov, TargetType.account.getCode(),
            TargetBy.name, target.getName(), GranteeBy.name, grantee.getName(), false, false);

    assertTrue(effRights.presetRights().contains(right.getName()));
}

Example 9 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestACLNegativeGrant method groupGranteeTest3.

/*
 * Combining target scope and grantee scope.
 *
 * Target hierarchy:
 *     domain D
 *         group G1  (ALLOW right R to grantee group GC)
 *             group G2  (DENY right R to grantee group GB)
 *                 group G3  (DENY right R to grantee group GA)
 *                     user account U
 *
 * Grantee hierarchy:
 *     group GA
 *         group GB
 *             group GC
 *                 (admin) account A
 *
 * The old rule was "grantee relativity wins over target relativity": A would be ALLOWED
 * on U because GC is closer to A than GB/GA, even though the DENY grants on G3/G2 are
 * closer to U than the ALLOW on G1. That rule no longer holds - the negative grants
 * win and A must be DENIED. The expected "via" grants are the two denies.
 */
@Test
public void groupGranteeTest3() throws Exception {
    final Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);

    // all grants are made by the global admin
    final Account granter = globalAdmin;
    final Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

    // grantee side: admin account A nested in admin groups GA > GB > GC
    final Account adminAcct = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), domain);
    final Group GA = provUtil.createAdminGroup(genGroupNameLocalPart("GA"), domain);
    final Group GB = provUtil.createAdminGroup(genGroupNameLocalPart("GB"), domain);
    final Group GC = provUtil.createAdminGroup(genGroupNameLocalPart("GC"), domain);
    prov.addGroupMembers(GA, new String[] { GB.getName() });
    prov.addGroupMembers(GB, new String[] { GC.getName() });
    prov.addGroupMembers(GC, new String[] { adminAcct.getName() });

    // target side: account U nested in distribution lists G1 > G2 > G3
    final Account targetAcct = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
    final Group G1 = provUtil.createDistributionList(genGroupNameLocalPart("G1"), domain);
    final Group G2 = provUtil.createDistributionList(genGroupNameLocalPart("G2"), domain);
    final Group G3 = provUtil.createDistributionList(genGroupNameLocalPart("G3"), domain);
    prov.addGroupMembers(G1, new String[] { G2.getName() });
    prov.addGroupMembers(G2, new String[] { G3.getName() });
    prov.addGroupMembers(G3, new String[] { targetAcct.getName() });

    // one allow high up, two denies closer to the target
    grantRight(granter, TargetType.dl, G1, GranteeType.GT_GROUP, GC, right, AllowOrDeny.ALLOW);
    grantRight(granter, TargetType.dl, G2, GranteeType.GT_GROUP, GB, right, AllowOrDeny.DENY);
    grantRight(granter, TargetType.dl, G3, GranteeType.GT_GROUP, GA, right, AllowOrDeny.DENY);

    // The ALLOW via G1/GC used to be the expected outcome; it is no longer.
    // Either of the two negative grants is an acceptable "via" for the DENY.
    final TestViaGrant expectedVia =
            new TestViaGrant(TargetType.dl, G2, GranteeType.GT_GROUP, GB.getName(), right, TestViaGrant.NEGATIVE);
    expectedVia.addCanAlsoVia(
            new TestViaGrant(TargetType.dl, G3, GranteeType.GT_GROUP, GA.getName(), right, TestViaGrant.NEGATIVE));

    verify(adminAcct, targetAcct, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);
}

Example 10 with Right

use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.

the class TestACLAllEffRights method disinheritSubGroupModifier.

/*
 * Equivalent zmprov recipe for the setup below:
 *
 *   zmprov cdl dl@test.com
 *   zmprov cdl subdl@test.com
 *   zmprov cdl subsubdl@test.com
 *
 *   zmprov ca da1@test.com test123 zimbraIsDelegatedAdminAccount TRUE
 *   zmprov ca da2@test.com test123 zimbraIsDelegatedAdminAccount TRUE
 *
 *   zmprov ca a_dl@test.com test123
 *   zmprov ca a_subdl@test.com test123
 *   zmprov ca a_subsubdl@test.com test123
 *
 *   zmprov adlm dl@test.com subdl@test.com a_dl@test.com
 *   zmprov adlm subdl@test.com subsubdl@test.com a_subdl@test.com
 *   zmprov adlm subsubdl@test.com a_subsubdl@test.com
 *
 *   zmprov grr dl dl@test.com usr da1@test.com addDistributionListMember
 *   zmprov grr dl dl@test.com usr da1@test.com modifyDistributionList
 *   zmprov grr dl dl@test.com usr da1@test.com modifyAccount
 *   zmprov grr dl dl@test.com usr da1@test.com listAccount
 *
 *   zmprov grr dl dl@test.com usr da2@test.com ^addDistributionListMember   (^ = deny)
 *   zmprov grr dl dl@test.com usr da2@test.com ^modifyDistributionList
 *   zmprov grr dl dl@test.com usr da2@test.com ^modifyAccount
 *   zmprov grr dl dl@test.com usr da2@test.com ^listAccount
 *
 * NOTE(review): as written this method only performs the setup; it makes no assertion
 * and passes as long as none of the grant calls throws. Also, every grant passes null
 * as the granting account (the other tests on this page grant as globalAdmin) -
 * presumably that skips the grantor authorization check; confirm before relying on it.
 */
@Test
public void disinheritSubGroupModifier() throws Exception {
    /*
     * Group nesting:
     *   dl       -> subdl, a_dl
     *   subdl    -> subsubdl, a_subdl
     *   subsubdl -> a_subsubdl
     */
    final Domain domain = provUtil.createDomain(genDomainName(baseDomainName()));

    // groups
    final DistributionList dl = provUtil.createDistributionList("dl", domain);
    final DistributionList subdl = provUtil.createDistributionList("subdl", domain);
    final DistributionList subsubdl = provUtil.createDistributionList("subsubdl", domain);

    // ordinary users, one per nesting level
    final Account a_dl = provUtil.createAccount("a_dl", domain);
    final Account a_subdl = provUtil.createAccount("a_subdl", domain);
    final Account a_subsubdl = provUtil.createAccount("a_subsubdl", domain);

    // delegated admins: da1 gets positive grants, da2 gets the same rights denied
    final Account da1 = provUtil.createDelegatedAdmin("da1", domain);
    final Account da2 = provUtil.createDelegatedAdmin("da2", domain);

    dl.addMembers(new String[] { subdl.getName(), a_dl.getName() });
    subdl.addMembers(new String[] { subsubdl.getName(), a_subdl.getName() });
    subsubdl.addMembers(new String[] { a_subsubdl.getName() });

    // a DL preset right, a DL attr right, an account preset right, an account attr right
    final Right[] rights = {
        Admin.R_addDistributionListMember,
        Admin.R_modifyDistributionList,
        Admin.R_listAccount,
        Admin.R_modifyAccount,
    };

    // all grants sit on the top-level dl, grantee addressed by name, no granting account
    for (Right r : rights) {
        RightCommand.grantRight(prov, null, TargetType.dl.getCode(), TargetBy.name, dl.getName(),
                GranteeType.GT_USER.getCode(), GranteeBy.name, da1.getName(), null, r.getName(), null);
    }
    for (Right r : rights) {
        RightCommand.grantRight(prov, null, TargetType.dl.getCode(), TargetBy.name, dl.getName(),
                GranteeType.GT_USER.getCode(), GranteeBy.name, da2.getName(), null, r.getName(), RightModifier.RM_DENY);
    }
}
