Use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra: the class TestACLAttrRight, method oneGrantSome.
/**
 * Grants a single "some attributes" attr right on one target account and checks the
 * allowed-attribute set the grantee ends up with.
 *
 * @param grant    whether the grant is an allow or a deny
 * @param getOrSet whether the get-attrs or the set-attrs flavour of the right is granted
 * @param expected the attribute set the grantee is expected to be left with
 * @throws Exception propagated from the provisioning, grant and verification helpers
 */
private void oneGrantSome(AllowOrDeny grant, GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
    String testName = "oneGrantSome-" + grant.name() + "-" + getOrSet.name();
    System.out.println("Testing " + testName);

    // the grant is made as the global admin
    Account grantor = globalAdmin;

    // grantee: a delegated admin named after this test run
    Account grantee = provUtil.createDelegatedAdmin(getAddress(testName, "GA"));

    // pick the get or the set flavour of the "some attrs" right from the test parameter
    Right attrRight = getOrSet.isGet() ? ATTR_RIGHT_GET_SOME : ATTR_RIGHT_SET_SOME;

    // target: a plain account the grantee receives the right on
    Account targetAcct = createAccount(getAddress(testName, "TA"));
    grantRight(grantor, TargetType.account, targetAcct, GranteeType.GT_USER, grantee, attrRight, grant);

    verify(grantee, targetAcct, getOrSet, expected);
}
Use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra: the class TestACLAll, method testAll.
/*
* full test
*/
/**
 * Runs {@code doTest} over the full cross product of every target type, every test
 * grantee type and every right in {@code rights}. Grantee types listed in
 * {@code EXCLUDE_GRANTEE_TYPES} are not omitted; they are passed through with the
 * skip flag set.
 *
 * @throws Exception propagated from {@code doTest}
 */
private void testAll() throws Exception {
    // the full cross product is long-running, so it is skipped against a real LDAP server
    SKIP_FOR_REAL_LDAP_SERVER(SkipTestReason.LONG_TEST);

    int totalTests = TargetType.values().length
            * TestGranteeType.TEST_GRANTEE_TYPES.size()
            * rights.size();
    int testIndex = 1;

    for (TargetType targetType : TargetType.values()) {
        for (TestGranteeType granteeType : TestGranteeType.TEST_GRANTEE_TYPES) {
            // excluded grantee types still count towards the total and are handed to doTest as "skip"
            boolean excluded = EXCLUDE_GRANTEE_TYPES.contains(granteeType.getCode());
            for (Right right : rights) {
                // progress label "n/total", numbered before the counter advances
                String progress = testIndex + "/" + totalTests;
                testIndex++;
                doTest(progress, targetType, granteeType, right, excluded);
            }
        }
    }
}
Use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra: the class TestACLNegativeGrant, method groupGranteeTest1.
/*
* Verify denied takes precedence
*
* Grant to two unrelated groups: one allowed, one denied
* account is a member of both groups
*
* Expected: account should be denied
*/
/**
 * A deny grant wins over an allow grant when both reach the same grantee through
 * unrelated admin groups: the account is a member of one group that is allowed the
 * right and of another that is denied it, and the effective decision must be deny.
 *
 * @throws Exception propagated from the provisioning, grant and verification helpers
 */
@Test
public void groupGranteeTest1() throws Exception {
    Account grantor = globalAdmin;
    Right presetRight = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

    // grantees: one delegated admin placed in two admin groups that do not contain each other
    Account member = provUtil.createDelegatedAdmin(genAcctNameLocalPart("acct"), baseDomain);
    Group allowedGroup = provUtil.createAdminGroup(genAcctNameLocalPart("group1"), baseDomain);
    Group deniedGroup = provUtil.createAdminGroup(genAcctNameLocalPart("group2"), baseDomain);
    prov.addGroupMembers(allowedGroup, new String[] { member.getName() });
    prov.addGroupMembers(deniedGroup, new String[] { member.getName() });

    // target: a plain account; allow the right via one group and deny it via the other
    Account targetAcct = provUtil.createAccount(genAcctNameLocalPart("target"), baseDomain);
    grantRight(grantor, TargetType.account, targetAcct, GranteeType.GT_GROUP, allowedGroup, presetRight, AllowOrDeny.ALLOW);
    grantRight(grantor, TargetType.account, targetAcct, GranteeType.GT_GROUP, deniedGroup, presetRight, AllowOrDeny.DENY);

    // the decision must be DENY and must be attributed to the negative grant on the second group
    TestViaGrant expectedVia = new TestViaGrant(TargetType.account, targetAcct, GranteeType.GT_GROUP,
            deniedGroup.getName(), presetRight, TestViaGrant.NEGATIVE);
    verify(member, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);
}
Use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra: the class TestACLNegativeGrant, method targetPrecedence.
/*
* Original grants:
* global grant (allow)
* domain (deny)
* group1 (allow)
* group2 (deny)
* target account (allow)
* => should allow
*
* then revoke the grant on account, should deny
* then revoke the grant on group2, should allow
* then revoke the grant on group1, should deny
* then revoke the grant on domain, should allow
* then revoke the grant on global grant, should deny
*/
/**
 * Walks the target hierarchy from the most specific grant to the least specific one.
 * Grants are placed on the account (allow), the two nested lists it belongs to
 * (inner deny, outer allow), its domain (deny) and the global grant (allow); the
 * nearest grant is expected to decide. Each step then revokes the grant that just
 * decided and checks that the next one out takes over, until no grant is left and
 * the call-site default applies.
 *
 * @throws Exception propagated from the provisioning, grant and verification helpers
 */
@Test
public void targetPrecedence() throws Exception {
    Domain testDomain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);

    // all grants and revokes are made as the global admin
    Account grantor = globalAdmin;
    Right presetRight = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

    // grantee: a delegated admin in the test domain
    Account delegatedAdmin = provUtil.createDelegatedAdmin(genAcctNameLocalPart("grantee"), testDomain);

    // target 1: the account itself (allow)
    Account targetAcct = provUtil.createAccount(genAcctNameLocalPart("target"), testDomain);
    grantRight(grantor, TargetType.account, targetAcct, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);

    // target 2: outerList contains innerList, innerList contains the account (inner deny, outer allow)
    DistributionList outerList = provUtil.createDistributionList(genGroupNameLocalPart("group1"), testDomain);
    DistributionList innerList = provUtil.createDistributionList(genGroupNameLocalPart("group2"), testDomain);
    prov.addMembers(outerList, new String[] { innerList.getName() });
    prov.addMembers(innerList, new String[] { targetAcct.getName() });
    grantRight(grantor, TargetType.dl, innerList, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);
    grantRight(grantor, TargetType.dl, outerList, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);

    // target 3: the domain the account lives in (deny)
    grantRight(grantor, TargetType.domain, testDomain, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);

    // target 4: the global grant (allow); the grant call takes a null target for it
    GlobalGrant globalGrantTarget = prov.getGlobalGrant();
    grantRight(grantor, TargetType.global, null, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);

    // with every grant in place the account-level allow is the nearest and wins
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW,
            new TestViaGrant(TargetType.account, targetAcct, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.POSITIVE));

    // drop the account grant: the inner list's deny is next
    revokeRight(grantor, TargetType.account, targetAcct, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.DENY,
            new TestViaGrant(TargetType.dl, innerList, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.NEGATIVE));

    // drop the inner list grant: the outer list's allow is next
    revokeRight(grantor, TargetType.dl, innerList, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW,
            new TestViaGrant(TargetType.dl, outerList, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.POSITIVE));

    // drop the outer list grant: the domain's deny is next
    revokeRight(grantor, TargetType.dl, outerList, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.DENY,
            new TestViaGrant(TargetType.domain, testDomain, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.NEGATIVE));

    // drop the domain grant: the global grant's allow is next
    revokeRight(grantor, TargetType.domain, testDomain, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.DENY);
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.ALLOW,
            new TestViaGrant(TargetType.global, globalGrantTarget, GranteeType.GT_USER, delegatedAdmin.getName(), presetRight, TestViaGrant.POSITIVE));

    // drop the global grant: nothing is left, so the call-site default (deny) must be honoured
    revokeRight(grantor, TargetType.global, null, GranteeType.GT_USER, delegatedAdmin, presetRight, AllowOrDeny.ALLOW);
    TestViaGrant noGrant = null;
    verify(delegatedAdmin, targetAcct, presetRight, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, noGrant);
}
Use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra: the class TestACLPermissionCache, method testGrantChangeOnIndirectlyInheritedDistributionList.
/**
 * A grant change on a distribution list must be visible for a list that is a member
 * of a member of it: granting on {@code grantTarget} lets the grantee act on
 * {@code target} through {@code subGroup}, revoking removes that access on the next
 * check, and granting again restores it.
 *
 * @throws Exception propagated from the provisioning, grant and access-check helpers
 */
@Test
public void testGrantChangeOnIndirectlyInheritedDistributionList() throws Exception {
    Right listRight = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain domain = createDomain();

    // grantTarget -> subGroup -> target: the right is granted two membership levels above the checked list
    DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
    DistributionList subGroup = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, domain);
    DistributionList target = createUserDistributionList(TARGET_USER_GROUP, domain);
    Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
    mProv.addMembers(grantTarget, new String[] { subGroup.getName() });
    mProv.addMembers(subGroup, new String[] { target.getName() });

    // grant: access is inherited down to the nested list
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, listRight);
    assertTrue(accessMgr.canDo(grantee, target, listRight, false, null));

    // revoke: the inherited access must be gone on the very next check (the class name
    // suggests a permission cache sits in between; this step is what would expose a stale entry)
    revokeRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, listRight);
    assertFalse(accessMgr.canDo(grantee, target, listRight, false, null));

    // re-grant: access comes back
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, listRight);
    assertTrue(accessMgr.canDo(grantee, target, listRight, false, null));
}