use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
The class TestGroups, method doAnyRightsTestForAccount.
/**
 * Runs doGetGroupMembershipWithRights twice for one account: once with an
 * empty right set and once with no right set at all (null), passing the same
 * expected counts both times.
 *
 * @param acctName          name of the account to resolve through soapProv
 * @param expected          expected value handed to doGetGroupMembershipWithRights
 * @param adminOnlyExpected expected admin-only value handed to doGetGroupMembershipWithRights
 * @throws ServiceException if the account lookup or the membership call fails
 */
private void doAnyRightsTestForAccount(String acctName, int expected, int adminOnlyExpected) throws ServiceException {
    Account target = soapProv.getAccountByName(acctName);
    Set<Right> noRights = Sets.newHashSet();
    // an empty set and an absent (null) set are both exercised against the same expectations
    doGetGroupMembershipWithRights(target, noRights, expected, adminOnlyExpected);
    doGetGroupMembershipWithRights(target, null, expected, adminOnlyExpected);
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
The class GetInfo, method handle.
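/**
 * Builds the GetInfoResponse for the account named by the SOAP context.
 *
 * <p>The caller must pass canAccessAccount for the requested account or
 * PERM_DENIED is thrown. The optional "sections" attribute limits which
 * sub-elements are emitted (all of them when it is absent); the optional
 * "rights" attribute lists user right names that are run through
 * doDiscoverRights. Size limits and mailbox statistics are best effort:
 * a failure to look them up is logged and the attributes are simply omitted.
 *
 * @param request the GetInfoRequest element
 * @param context SOAP context map; may carry a Session under
 *                SoapEngine.ZIMBRA_SESSION that supplies session statistics
 * @return the populated GetInfoResponse element
 * @throws ServiceException PERM_DENIED when the caller may not access the
 *         account, or whatever RightManager.getUserRight and the account
 *         lookups raise
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    // figure out the subset of data the caller wants (default to all data)
    String secstr = request.getAttribute(AccountConstants.A_SECTIONS, null);
    Set<Section> sections;
    if (secstr == null) {
        sections = EnumSet.allOf(Section.class);
    } else {
        sections = EnumSet.noneOf(Section.class);
        for (String sec : Splitter.on(',').omitEmptyStrings().trimResults().split(secstr)) {
            // NOTE(review): if Section.lookup returns null for an unknown name, EnumSet.add
            // throws NullPointerException rather than a clean INVALID_REQUEST -- confirm
            sections.add(Section.lookup(sec));
        }
    }
    // optional comma-separated list of user rights to discover for the caller
    String rightsStr = request.getAttribute(AccountConstants.A_RIGHTS, null);
    Set<Right> rights = null;
    if (rightsStr != null) {
        RightManager rightMgr = RightManager.getInstance();
        rights = Sets.newHashSet();
        for (String right : Splitter.on(',').omitEmptyStrings().trimResults().split(rightsStr)) {
            rights.add(rightMgr.getUserRight(right));
        }
    }
    AuthToken authToken = zsc.getAuthToken();
    Element response = zsc.createElement(AccountConstants.GET_INFO_RESPONSE);
    response.addAttribute(AccountConstants.E_VERSION, BuildInfo.FULL_VERSION, Element.Disposition.CONTENT);
    response.addAttribute(AccountConstants.E_ID, account.getId(), Element.Disposition.CONTENT);
    response.addAttribute(AccountConstants.E_NAME, account.getUnicodeName(), Element.Disposition.CONTENT);
    try {
        response.addAttribute(AccountConstants.E_CRUMB, authToken.getCrumb(), Element.Disposition.CONTENT);
    } catch (AuthTokenException e) {
        // shouldn't happen
        ZimbraLog.account.warn("can't generate crumb", e);
    }
    // remaining validity of the caller's auth token, in milliseconds
    long lifetime = authToken.getExpires() - System.currentTimeMillis();
    response.addAttribute(AccountConstants.E_LIFETIME, lifetime, Element.Disposition.CONTENT);
    Provisioning prov = Provisioning.getInstance();
    // bug 53770, flag the response if the request is using a delegated authtoken issued to an admin account
    if (authToken.isDelegatedAuth()) {
        Account admin = prov.get(AccountBy.id, authToken.getAdminAccountId());
        if (admin != null && AdminAccessControl.isAdequateAdminAccount(admin)) {
            response.addAttribute(AccountConstants.E_ADMIN_DELEGATED, true, Element.Disposition.CONTENT);
        }
    }
    addSizeLimits(response, prov);
    if (sections.contains(Section.MBOX) && Provisioning.onLocalServer(account)) {
        response.addAttribute(AccountConstants.E_REST, UserServlet.getRestUrl(account), Element.Disposition.CONTENT);
        addMailboxStats(response, zsc, context);
    }
    doCos(account, response);
    Map<String, Object> attrMap = account.getUnicodeAttrs();
    Locale locale = prov.getLocale(account);
    if (sections.contains(Section.PREFS)) {
        Element prefs = response.addUniqueElement(AccountConstants.E_PREFS);
        GetPrefs.doPrefs(account, prefs, attrMap, null);
    }
    if (sections.contains(Section.ATTRS)) {
        Element attrs = response.addUniqueElement(AccountConstants.E_ATTRS);
        doAttrs(account, locale.toString(), attrs, attrMap);
    }
    if (sections.contains(Section.ZIMLETS)) {
        Element zimlets = response.addUniqueElement(AccountConstants.E_ZIMLETS);
        doZimlets(zimlets, account);
    }
    if (sections.contains(Section.PROPS)) {
        Element props = response.addUniqueElement(AccountConstants.E_PROPERTIES);
        doProperties(props, account);
    }
    if (sections.contains(Section.IDENTS)) {
        Element ids = response.addUniqueElement(AccountConstants.E_IDENTITIES);
        doIdentities(ids, account);
    }
    if (sections.contains(Section.SIGS)) {
        Element sigs = response.addUniqueElement(AccountConstants.E_SIGNATURES);
        doSignatures(sigs, account);
    }
    if (sections.contains(Section.DSRCS)) {
        Element ds = response.addUniqueElement(AccountConstants.E_DATA_SOURCES);
        doDataSources(ds, account);
    }
    if (sections.contains(Section.CHILDREN)) {
        Element ca = response.addUniqueElement(AccountConstants.E_CHILD_ACCOUNTS);
        doChildAccounts(ca, account, authToken);
    }
    if (rights != null && !rights.isEmpty()) {
        Element eRights = response.addUniqueElement(AccountConstants.E_RIGHTS);
        doDiscoverRights(eRights, account, rights);
    }
    GetAccountInfo.addUrls(response, account);
    for (GetInfoExt extension : extensions) {
        extension.handle(zsc, response);
    }
    return response;
}

/** Adds the upload and MTA message-size limits; a lookup failure is logged and the attributes are left out. */
private static void addSizeLimits(Element response, Provisioning prov) {
    try {
        Server server = prov.getLocalServer();
        if (server != null) {
            response.addAttribute(AccountConstants.A_DOCUMENT_SIZE_LIMIT, server.getFileUploadMaxSize());
        }
        Config config = prov.getConfig();
        if (config != null) {
            long maxAttachSize = config.getMtaMaxMessageSize();
            if (maxAttachSize == 0) {
                // 0 means unlimited; reported to the client as -1
                maxAttachSize = -1;
            }
            response.addAttribute(AccountConstants.A_ATTACHMENT_SIZE_LIMIT, maxAttachSize);
        }
    } catch (ServiceException e) {
        // best effort: the response is still usable without the size limits, but do not hide the failure
        ZimbraLog.account.warn("can't determine upload/attachment size limits", e);
    }
}

/** Adds quota usage and session statistics for the local mailbox; a failure is logged and the attributes are left out. */
private void addMailboxStats(Element response, ZimbraSoapContext zsc, Map<String, Object> context) {
    try {
        Mailbox mbox = getRequestedMailbox(zsc);
        response.addAttribute(AccountConstants.E_QUOTA_USED, mbox.getSize(), Element.Disposition.CONTENT);
        Session s = (Session) context.get(SoapEngine.ZIMBRA_SESSION);
        if (s instanceof SoapSession) {
            // we have a valid session; get the stats on this session
            SoapSession soapSession = (SoapSession) s;
            response.addAttribute(AccountConstants.E_PREVIOUS_SESSION, soapSession.getPreviousSessionTime(), Element.Disposition.CONTENT);
            response.addAttribute(AccountConstants.E_LAST_ACCESS, soapSession.getLastWriteAccessTime(), Element.Disposition.CONTENT);
            response.addAttribute(AccountConstants.E_RECENT_MSGS, soapSession.getRecentMessageCount(), Element.Disposition.CONTENT);
        } else {
            // we have no session; calculate the stats from the mailbox and the other SOAP sessions
            long lastAccess = mbox.getLastSoapAccessTime();
            response.addAttribute(AccountConstants.E_PREVIOUS_SESSION, lastAccess, Element.Disposition.CONTENT);
            response.addAttribute(AccountConstants.E_LAST_ACCESS, lastAccess, Element.Disposition.CONTENT);
            response.addAttribute(AccountConstants.E_RECENT_MSGS, mbox.getRecentMessageCount(), Element.Disposition.CONTENT);
        }
    } catch (ServiceException e) {
        // best effort: do not fail GetInfo over mailbox statistics, but do not hide the failure either
        ZimbraLog.account.warn("can't fetch mailbox statistics for GetInfo", e);
    }
}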
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
The class DiscoverRights, method handle.
/**
 * Handles DiscoverRightsRequest: resolves every <right> element of the
 * request to a user right and delegates to discoverRights for the requested
 * account.
 *
 * @param request the DiscoverRightsRequest element, carrying one or more right elements
 * @param context SOAP context map
 * @return the DiscoverRightsResponse element filled by discoverRights
 * @throws ServiceException PERM_DENIED when the caller may not access the
 *         account, INVALID_REQUEST when the request names no right, or
 *         whatever RightManager.getUserRight raises for an unknown right name
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account target = getRequestedAccount(zsc);
    if (!canAccessAccount(zsc, target)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    RightManager rightMgr = RightManager.getInstance();
    Set<Right> wanted = Sets.newHashSet();
    for (Element eRight : request.listElements(AccountConstants.E_RIGHT)) {
        UserRight resolved = rightMgr.getUserRight(eRight.getText());
        wanted.add(resolved);
    }
    // a request without any right is a client error, not an empty answer
    if (wanted.isEmpty()) {
        throw ServiceException.INVALID_REQUEST("no right is specified", null);
    }
    Element response = zsc.createElement(AccountConstants.DISCOVER_RIGHTS_RESPONSE);
    discoverRights(target, wanted, response, true);
    return response;
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
The class GrantRights, method handleACE.
/**
 * Translates one <ace> element of a Grant/RevokeRightsRequest into a ZimbraACE.
 *
 * <p>How the grantee id is determined depends on the grantee type:
 * <ul>
 * <li>all authenticated users / public: the fixed GUID from GuestAccount;</li>
 * <li>guest: the display name, which must contain '@'. If that name resolves
 *     to an internal user or distribution list the grant is re-typed to
 *     usr/grp instead; otherwise the supplied password becomes the secret;</li>
 * <li>key: the display name as given (no '@' requirement, no re-typing) and
 *     the optional access key as the secret;</li>
 * <li>any other type: looked up by zimbraId when one is given, else by display
 *     name, with a usr-given-for-a-group fix-up (or a rejection when
 *     checkGranteeType is set).</li>
 * </ul>
 *
 * @param eACE     the ace element
 * @param zsc      SOAP context passed to the name lookups
 * @param granting true if granting, false if revoking
 * @return the ACE to apply
 * @throws ServiceException on an unknown right or grantee type, a malformed
 *         guest id, a grantee type mismatch with checkGranteeType set, or a
 *         failed grantee lookup
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    /*
     * Interface and parameter checking style was modeled after FolderAction,
     * not admin Grant/RevokeRight
     */
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(AccountConstants.A_RIGHT));
    GranteeType granteeType = GranteeType.fromCode(eACE.getAttribute(AccountConstants.A_GRANT_TYPE));
    String granteeId = eACE.getAttribute(AccountConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(AccountConstants.A_DENY, false);
    boolean strictGranteeType = eACE.getAttributeBool(AccountConstants.A_CHECK_GRANTEE_TYPE, false);
    String secret = null;
    if (granteeType == GranteeType.GT_AUTHUSER) {
        granteeId = GuestAccount.GUID_AUTHUSER;
    } else if (granteeType == GranteeType.GT_PUBLIC) {
        granteeId = GuestAccount.GUID_PUBLIC;
    } else if (granteeType == GranteeType.GT_GUEST) {
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        if (granteeId == null || granteeId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        // make sure they didn't accidentally specify "guest" instead of "usr"
        try {
            NamedEntry internal = lookupGranteeByName(granteeId, GranteeType.GT_USER, zsc);
            granteeId = internal.getId();
            granteeType = internal instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException e) {
            // this is the normal path, where lookupGranteeByName throws account.NO_SUCH_USER
            // NOTE(review): every ServiceException lands here, not only "no such account";
            // a lookup that failed for another reason would still produce a guest grant -- confirm intended
            secret = eACE.getAttribute(AccountConstants.A_PASSWORD);
        }
    } else if (granteeType == GranteeType.GT_KEY) {
        // unlike guest, the display name need not be an email address and an
        // internal user of the same name is not re-typed; the access key is optional
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        secret = eACE.getAttribute(AccountConstants.A_ACCESSKEY, null);
    } else if (granteeId != null) {
        // validate the supplied id; the returned entry itself is not needed
        lookupGranteeByZimbraId(granteeId, granteeType, granting);
    } else {
        String display = eACE.getAttribute(AccountConstants.A_DISPLAY);
        NamedEntry resolved = lookupGranteeByName(display, granteeType, zsc);
        granteeId = resolved.getId();
        // make sure they didn't accidentally specify "usr" instead of "grp"
        if (granteeType == GranteeType.GT_USER && resolved instanceof Group) {
            if (strictGranteeType) {
                throw AccountServiceException.INVALID_REQUEST(display + " is not a valid grantee for grantee type '" + granteeType.getCode() + "'.", null);
            }
            granteeType = GranteeType.GT_GROUP;
        }
    }
    RightModifier modifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(granteeId, granteeType, right, modifier, secret);
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
The class GetPermission, method handle.
/**
 * Handles GetPermissionRequest: encodes the ACEs on the requested account
 * into the response. When the request carries <ace> elements only the rights
 * they name are returned; with none, every ACE on the account is returned.
 *
 * @param request the GetPermissionRequest element
 * @param context SOAP context map
 * @return the GetPermissionResponse element with one encoded ACE per entry
 * @throws ServiceException PERM_DENIED when the caller may not access the
 *         account, or whatever RightManager.getUserRight raises for an
 *         unknown right name
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account target = getRequestedAccount(zsc);
    if (!canAccessAccount(zsc, target)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    // null (as opposed to empty) means "no filter": return every ACE on the account
    Set<Right> filter = null;
    RightManager rightMgr = RightManager.getInstance();
    for (Element eACE : request.listElements(MailConstants.E_ACE)) {
        if (filter == null) {
            filter = new HashSet<Right>();
        }
        filter.add(rightMgr.getUserRight(eACE.getAttribute(MailConstants.A_RIGHT)));
    }
    List<ZimbraACE> aces;
    if (filter == null) {
        aces = ACLUtil.getAllACEs(target);
    } else {
        aces = ACLUtil.getACEs(target, filter);
    }
    Element response = zsc.createElement(MailConstants.GET_PERMISSION_RESPONSE);
    if (aces != null) {
        for (ZimbraACE ace : aces) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}