use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestACLAttrRight method someAllDiffLevel.
/**
 * Two grants on one target account: one for a "some attrs" right and one for
 * the matching "all attrs" right. One grant goes directly to the delegated
 * admin GA, the other to the admin group GG that GA is a member of; which of
 * the two rights takes the direct (closer) path is chosen by
 * {@code someIsCloser}. The caller supplies the attribute set it expects
 * {@link #verify} to report for GA on the target TA.
 *
 * @param some         ALLOW or DENY for the "some attrs" grant
 * @param all          ALLOW or DENY for the "all attrs" grant
 * @param someIsCloser true to grant "some" to GA and "all" to GG, false for the
 *                     reverse
 * @param getOrSet     selects the get-attr or set-attr variants of the rights
 * @param expected     attributes GA is expected to be able to access on TA
 * @throws Exception propagated from provisioning, granting or verification
 */
public void someAllDiffLevel(AllowOrDeny some, AllowOrDeny all,
        boolean someIsCloser, GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
    String closerLabel = someIsCloser ? "someIsCloser" : "allIsCloser";
    String testName = "someAllDiffLevel-" + some.name() + "-some-" + all.name() + "-all-" + closerLabel + "-" + getOrSet.name();
    System.out.println("Testing " + testName);

    // all grants in this test are made by the global admin
    Account grantor = globalAdmin;

    // grantees: a delegated admin and an admin group that contains it
    Account GA = provUtil.createDelegatedAdmin(getAddress(testName, "GA"));
    Group GG = provUtil.createAdminGroup(getAddress(testName, "GG"));
    prov.addGroupMembers(GG, new String[] { GA.getName() });

    // rights under test: the get or set flavour of "some attrs" / "all attrs"
    boolean isGet = getOrSet.isGet();
    Right someRight = isGet ? ATTR_RIGHT_GET_SOME : ATTR_RIGHT_SET_SOME;
    Right allRight = isGet ? ATTR_RIGHT_GET_ALL : ATTR_RIGHT_SET_ALL;

    // target
    Account TA = createAccount(getAddress(testName, "TA"));

    // the grant made directly to the user is the closer one, the group grant the farther one;
    // the user grant is always made first
    Right userRight = someIsCloser ? someRight : allRight;
    AllowOrDeny userAllowOrDeny = someIsCloser ? some : all;
    Right groupRight = someIsCloser ? allRight : someRight;
    AllowOrDeny groupAllowOrDeny = someIsCloser ? all : some;
    grantRight(grantor, TargetType.account, TA, GranteeType.GT_USER, GA, userRight, userAllowOrDeny);
    grantRight(grantor, TargetType.account, TA, GranteeType.GT_GROUP, GG, groupRight, groupAllowOrDeny);

    verify(GA, TA, getOrSet, expected);
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestACLNegativeGrant method groupGranteeTest2.
/**
 * Verifies that a DENY grant reached through any of the grantee's groups wins
 * over ALLOW grants reached through its other groups on the same target.
 *
 * <p>Membership set up here: the account is a direct member of all six admin
 * groups, and the groups form two nesting chains, GG1 contains GG2 which
 * contains GG3, and GG4 contains GG5 which contains GG6. The odd-numbered
 * groups receive an ALLOW grant on the target account and the even-numbered
 * ones a DENY grant. The expected outcome is DENY, reachable via GG2, GG4 or
 * GG6.
 *
 * @throws Exception propagated from provisioning, granting or verification
 */
public void groupGranteeTest2() throws Exception {
    Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);

    // grants are made by the global admin
    Account grantor = globalAdmin;
    Right right = ACLTestUtil.ADMIN_PRESET_ACCOUNT;

    // the grantee account
    Account account = provUtil.createDelegatedAdmin(genAcctNameLocalPart("account"), domain);
    String acctName = account.getName();

    // admin groups GG1..GG6, created in order; gg[i] is GG(i+1)
    Group[] gg = new Group[6];
    for (int i = 0; i < gg.length; i++) {
        gg[i] = provUtil.createAdminGroup(genGroupNameLocalPart("GG" + (i + 1)), domain);
    }

    // chain one: GG1 > GG2 > GG3, account is a direct member of each
    prov.addGroupMembers(gg[0], new String[] { acctName, gg[1].getName() });
    prov.addGroupMembers(gg[1], new String[] { acctName, gg[2].getName() });
    prov.addGroupMembers(gg[2], new String[] { acctName });
    // chain two: GG4 > GG5 > GG6, account is a direct member of each
    prov.addGroupMembers(gg[3], new String[] { acctName, gg[4].getName() });
    prov.addGroupMembers(gg[4], new String[] { acctName, gg[5].getName() });
    prov.addGroupMembers(gg[5], new String[] { acctName });

    // target entry; every group is granted on it, alternating ALLOW/DENY starting with ALLOW
    Account target = provUtil.createAccount(genAcctNameLocalPart("target"), domain);
    for (int i = 0; i < gg.length; i++) {
        AllowOrDeny allowOrDeny = (i % 2 == 0) ? AllowOrDeny.ALLOW : AllowOrDeny.DENY;
        grantRight(grantor, TargetType.account, target, GranteeType.GT_GROUP, gg[i], right, allowOrDeny);
    }

    // the denial may be attributed to any of the three DENY-granted groups
    TestViaGrant expectedVia = new TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, gg[1].getName(), right, TestViaGrant.NEGATIVE);
    for (Group denyingGroup : new Group[] { gg[3], gg[5] }) {
        expectedVia.addCanAlsoVia(new TestViaGrant(TargetType.account, target, GranteeType.GT_GROUP, denyingGroup.getName(), right, TestViaGrant.NEGATIVE));
    }
    verify(account, target, right, AsAdmin.AS_ADMIN, AllowOrDeny.DENY, expectedVia);
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestACLPermissionCache method testGranteeGroupMembershipChanged.
/* ----------------------------------------------------------------
 * grantee side tests
 * ---------------------------------------------------------------- */

/**
 * A right granted to a distribution list must be usable by a member of that
 * list, and must stop being usable as soon as the account is removed from the
 * list (i.e. a cached permission must not outlive the membership that
 * justified it).
 *
 * @throws Exception propagated from provisioning or granting
 */
@Test
public void testGranteeGroupMembershipChanged() throws Exception {
    Right right = A_USER_RIGHT;
    Domain domain = createDomain();

    // the account the right is granted on is also the one checked against
    Account target = createUserAccount(GRANTTARGET_USER_ACCT, domain);

    // grantee is a distribution list; the checked account is one of its members
    DistributionList granteeList = createUserDistributionList(GRANTEE_USER_GROUP, domain);
    Account member = createUserAccount(GRANTEE_USER_ACCT, domain);
    mProv.addMembers(granteeList, new String[] { member.getName() });

    grantRight(TargetType.account, target, GranteeType.GT_GROUP, granteeList, right);
    // member inherits the right through the list
    assertTrue(accessMgr.canDo(member, target, right, false, null));

    // once the membership is gone the right must no longer be granted
    mProv.removeMembers(granteeList, new String[] { member.getName() });
    assertFalse(accessMgr.canDo(member, target, right, false, null));
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestACLPermissionCache method testGuestAccount.
/* ----------------------------------------------------------------
 * target side tests
 * ---------------------------------------------------------------- */

/**
 * A right granted to a guest grantee (address plus password) applies to the
 * guest account with that address and to no other guest account.
 *
 * @throws Exception propagated from provisioning or granting
 */
@Test
public void testGuestAccount() throws Exception {
    Right right = A_USER_RIGHT;
    Domain domain = createDomain();

    // the account the right is granted on is also the one checked against
    Account target = createUserAccount(GRANTTARGET_USER_ACCT, domain);

    // two guest accounts sharing a password; only the first one is granted the right
    Account guest = createGuestAccount(GRANTEE_GUEST_ACCT, GRANTEE_GUEST_ACCT_PASSWORD);
    Account otherGuest = createGuestAccount(GRANTEE_USER_ACCT + "not", GRANTEE_GUEST_ACCT_PASSWORD);

    grantRight(TargetType.account, target, GranteeType.GT_GUEST, guest, GRANTEE_GUEST_ACCT_PASSWORD, right);

    // the granted guest can, the other guest cannot
    assertTrue(accessMgr.canDo(guest, target, right, false, null));
    assertFalse(accessMgr.canDo(otherGuest, target, right, false, null));
}
use of com.zimbra.cs.account.accesscontrol.Right in project zm-mailbox by Zimbra.
the class TestACLPermissionCache method GrantTargetDeleted.
/**
 * A right granted on a distribution list is usable on a list nested two
 * levels below it (grantTarget contains subGroup, which contains target).
 *
 * <p>Only the positive half is exercised. The intended second half, deleting
 * the grant-target list and asserting that the right is no longer granted on
 * the nested list, is not run: even though the permission cache is cleared on
 * deletion, the account still has its upward-group membership cached, which is
 * behaviour that predates the permission cache enhancement.
 *
 * @throws Exception propagated from provisioning or granting
 */
@Test
public void GrantTargetDeleted() throws Exception {
    Right right = A_USER_RIGHT_DISTRIBUTION_LIST;
    Domain domain = createDomain();

    // three nested lists: grantTarget > subGroup > target
    DistributionList grantTarget = createUserDistributionList(GRANTTARGET_USER_GROUP, domain);
    DistributionList subGroup = createUserDistributionList(SUBGROUP_OF_GRANTTARGET_USER_GROUP, domain);
    DistributionList target = createUserDistributionList(TARGET_USER_GROUP, domain);
    Account grantee = createUserAccount(GRANTEE_USER_ACCT, domain);
    mProv.addMembers(grantTarget, new String[] { subGroup.getName() });
    mProv.addMembers(subGroup, new String[] { target.getName() });

    // grant on the outermost list, check on the innermost one
    grantRight(TargetType.dl, grantTarget, GranteeType.GT_USER, grantee, right);
    assertTrue(accessMgr.canDo(grantee, target, right, false, null));

    // deletion of grantTarget followed by an assertFalse on the same canDo call is
    // deliberately not performed here; see the method comment for why it cannot pass
}