
Example 1 with Grantee

use of com.zimbra.cs.account.accesscontrol.RightBearer.Grantee in project zm-mailbox by Zimbra.

the class ParticallyDenied method checkPartiallyDenied.

/**
 * Verifies that {@code rightToGrant} is not (partially) denied to {@code grantor}, or to any
 * group the grantor belongs to, on sub-targets of {@code targetToGrant}.
 *
 * <p>Global admins are exempt. Otherwise the grants present on the relevant sub-target types
 * are looked up once and then checked twice via {@code checkDenied}: first against the
 * grantor's own id, then against the ids of the grantor's groups. A denial is reported by
 * {@code checkDenied} throwing; returning normally means the grant may proceed.
 *
 * @param grantor            the account attempting to grant the right
 * @param targetTypeToGrant  the target type of the granting attempt
 * @param targetToGrant      the target of the granting attempt
 * @param rightToGrant       the right of the granting attempt
 * @throws ServiceException  if the right is (partially) denied on a sub-target, or if the
 *                           underlying lookups fail
 */
static void checkPartiallyDenied(Account grantor, TargetType targetTypeToGrant, Entry targetToGrant, Right rightToGrant) throws ServiceException {
    // Global admins are never subject to this denial check.
    if (AccessControlUtil.isGlobalAdmin(grantor, true)) {
        return;
    }
    Provisioning prov = Provisioning.getInstance();

    // Target types worth searching: sub-target types of the target, restricted to the types on
    // which some sub-right of rightToGrant can actually be granted.
    Set<TargetType> grantableTypes = new HashSet<>();
    getAllGrantableTargetTypes(rightToGrant, grantableTypes);
    Set<TargetType> typesToSearch =
            SetUtil.intersect(targetTypeToGrant.subTargetTypes(), grantableTypes);
    if (typesToSearch.isEmpty()) {
        // Nothing could be denied on a sub-target; skip the search entirely.
        return;
    }

    // Grantee ids to match: the grantor itself plus every group it belongs to.
    Set<String> granteeIds = Grantee.getGrantee(grantor).getIdAndGroupIds();
    Set<GrantsOnTarget> found =
            new SearchGrants(prov, typesToSearch, granteeIds).doSearch().getResults();

    // Grants made directly to the grantor, then grants made to any of the grantor's groups.
    // Either call throws on a conflicting denial; falling through means the grant is allowed.
    checkDenied(prov, targetToGrant, rightToGrant, found, grantor.getId(), null);
    checkDenied(prov, targetToGrant, rightToGrant, found, null, granteeIds);
}

Example 2 with Grantee

use of com.zimbra.cs.account.accesscontrol.RightBearer.Grantee in project zm-mailbox by Zimbra.

the class TestACLAttrRight method verify.

/**
 * Asserts that the attributes {@code grantee} may get or set on {@code target} equal
 * {@code expected}.
 *
 * <p>Calls {@code CheckAttrRight.accessibleAttrs} directly rather than going through the
 * access manager, so the interim result itself can be compared.
 *
 * @param grantee  the account whose attribute rights are checked
 * @param target   the entry the attributes belong to
 * @param getOrSet selects the get-attrs or the set-attrs right
 * @param expected the expected accessible attributes
 * @throws Exception if the right check fails
 */
private void verify(Account grantee, Entry target, GetOrSet getOrSet, AllowedAttrs expected) throws Exception {
    Grantee asGrantee = new Grantee(grantee);
    AllowedAttrs actual;
    if (getOrSet.isGet()) {
        actual = CheckAttrRight.accessibleAttrs(asGrantee, target, AdminRight.PR_GET_ATTRS, false);
    } else {
        actual = CheckAttrRight.accessibleAttrs(asGrantee, target, AdminRight.PR_SET_ATTRS, false);
    }
    verifyEquals(expected, actual);
}

Example 3 with Grantee

use of com.zimbra.cs.account.accesscontrol.RightBearer.Grantee in project zm-mailbox by Zimbra.

the class RightCommand method getGrants.

/**
 * Collects the grants matching a target and/or a grantee.
 *
 * <p>At least one of {@code targetType} and {@code granteeType} must be given. When a target
 * is resolved, its ACL is read directly and, if a grantee was also given, filtered down to that
 * grantee (optionally including the groups it belongs to). Otherwise the grants are found by
 * searching every target type for grants made to the grantee.
 *
 * @param prov                               provisioning instance used for lookups
 * @param targetType                         target type code, or {@code null} for any target
 * @param targetBy                           how {@code target} identifies the target
 * @param target                             target identifier
 * @param granteeType                        grantee type code, or {@code null} for any grantee
 * @param granteeBy                          how {@code grantee} identifies the grantee
 * @param grantee                            grantee identifier
 * @param granteeIncludeGroupsGranteeBelongs also match grants made to groups the grantee
 *                                           belongs to
 * @return the collected grants
 * @throws ServiceException if neither target nor grantee is specified, if the access manager
 *                          check fails, or if a lookup or search fails
 */
public static Grants getGrants(Provisioning prov, String targetType, TargetBy targetBy, String target, String granteeType, GranteeBy granteeBy, String grantee, boolean granteeIncludeGroupsGranteeBelongs) throws ServiceException {
    verifyAccessManager();
    if (targetType == null && granteeType == null) {
        throw ServiceException.INVALID_REQUEST("at least one of target or grantee must be specified", null);
    }

    // Resolve the target, when one was given.
    TargetType resolvedTargetType = null;
    Entry targetEntry = null;
    if (targetType != null) {
        resolvedTargetType = TargetType.fromCode(targetType);
        targetEntry = TargetType.lookupTarget(prov, resolvedTargetType, targetBy, target);
    }

    // Resolve the grantee, when one was given, into the set of ids grants are matched against.
    Set<String> granteeFilter = null;
    Boolean isGranteeAnAdmin = null;
    if (granteeType != null) {
        GranteeType resolvedGranteeType = GranteeType.fromCode(granteeType);
        NamedEntry granteeEntry = GranteeType.lookupGrantee(prov, resolvedGranteeType, granteeBy, grantee);
        isGranteeAnAdmin = RightBearer.isValidGranteeForAdminRights(resolvedGranteeType, granteeEntry);
        if (granteeIncludeGroupsGranteeBelongs) {
            granteeFilter = Grantee.getGrantee(granteeEntry, false).getIdAndGroupIds();
        } else {
            granteeFilter = new HashSet<>();
            granteeFilter.add(granteeEntry.getId());
        }
    }

    Grants grants = new Grants();
    if (targetEntry == null) {
        // No target entry: search every target type for grants made to the grantee. The guard
        // above guarantees a grantee whenever targetType was null; a null result from
        // lookupTarget would also land here and then depends on SearchGrants accepting the
        // (possibly null) grantee filter.
        Set<TargetType> allTargetTypes = new HashSet<>(Arrays.asList(TargetType.values()));
        SearchGrants searchGrants = new SearchGrants(prov, allTargetTypes, granteeFilter);
        for (GrantsOnTarget grantsOnTarget : searchGrants.doSearch().getResults()) {
            Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
            ZimbraACL acl = grantsOnTarget.getAcl();
            TargetType grantedOnTargetType = TargetType.getTargetType(grantedOnEntry);
            grants.addGrants(grantedOnTargetType, grantedOnEntry, acl, granteeFilter, isGranteeAnAdmin);
        }
    } else {
        // Read the target's ACL; addGrants filters it by grantee when a filter was built.
        ZimbraACL zimbraAcl = ACLUtil.getACL(targetEntry);
        grants.addGrants(resolvedTargetType, targetEntry, zimbraAcl, granteeFilter, isGranteeAnAdmin);
    }
    return grants;
}

Example 4 with Grantee

use of com.zimbra.cs.account.accesscontrol.RightBearer.Grantee in project zm-mailbox by Zimbra.

the class CollectEffectiveRights method getEffectiveAdminPresetRights.

/**
 * Computes the admin preset rights effectively allowed to the current grantee on
 * {@code mTarget}.
 *
 * <p>Collection visits the target itself first and then the entries it can inherit grants
 * from (via {@code TargetIterator}). Every collection step records rights into
 * {@code allowed} / {@code denied} together with a "relativity" value that starts at 1 for the
 * target itself and grows by 2 per further step, so a lower relativity means a grant closer to
 * the target. Afterwards a right present in both maps is removed from {@code allowed} when its
 * denial is at least as close as its allowance ({@code denied <= allowed}).
 *
 * @return the admin preset rights that remain allowed after conflicts are resolved
 * @throws ServiceException if an ACL, domain or target lookup fails
 */
private Set<Right> getEffectiveAdminPresetRights() throws ServiceException {
    Provisioning prov = Provisioning.getInstance();
    Grantee grantee = getGrantee();
    TargetType targetType = TargetType.getTargetType(mTarget);
    // right -> relativity of the grant that allowed / denied it
    Map<Right, Integer> allowed = new HashMap<Right, Integer>();
    Map<Right, Integer> denied = new HashMap<Right, Integer>();
    // 1 = the target itself; +2 for every further entry visited below
    Integer relativity = Integer.valueOf(1);
    //
    // collecting phase
    //
    // NOTE(review): car is never reassigned in this method, so the !car.isAll() loop term below
    // is constant; presumably SOME.isAll() is false and the loop runs until the iterator is
    // exhausted — confirm.
    CheckAttrRight.CollectAttrsResult car = CheckAttrRight.CollectAttrsResult.SOME;
    // check the target entry itself
    List<ZimbraACE> acl = ACLUtil.getAllACEs(mTarget);
    if (acl != null) {
        collectAdminPresetRightOnTarget(acl, targetType, relativity, false, allowed, denied);
        relativity += 2;
    }
    //
    // if the target is a domain-ed entry, get the domain of the target.
    // It is needed for checking the cross domain right.
    //
    Domain targetDomain = TargetType.getTargetDomain(prov, mTarget);
    // check grants granted on entries from which the target entry can inherit from
    boolean expandTargetGroups = CheckRight.allowGroupTarget(AdminRight.PR_ADMIN_PRESET_RIGHT);
    TargetIterator iter = TargetIterator.getTargetIeterator(prov, mTarget, expandTargetGroups);
    Entry grantedOn;
    // ACLs of consecutive group targets are accumulated here and collected as one batch
    // (at a single relativity) when the first non-group target follows them.
    GroupACLs groupACLs = null;
    while ((grantedOn = iter.next()) != null && (!car.isAll())) {
        acl = ACLUtil.getAllACEs(grantedOn);
        if (grantedOn instanceof Group) {
            if (acl == null)
                continue;
            boolean skipPositiveGrants = false;
            // members in the group can be in different domains, no point checking it.
            // Per the flag name, positive grants on this group are skipped when the grantee
            // account fails the cross-domain check for it.
            if (grantee.isAccount()) {
                skipPositiveGrants = !CrossDomain.crossDomainOK(prov, grantee.getAccount(), grantee.getDomain(), targetDomain, (Group) grantedOn);
            }
            // don't check yet, collect all acls on all target groups
            if (groupACLs == null) {
                groupACLs = new GroupACLs(mTarget);
            }
            groupACLs.collectACL((Group) grantedOn, skipPositiveGrants);
        } else {
            // consistent with ZimbraACL.getAllACEs
            // NOTE(review): accumulated group ACLs are only flushed here, when a non-group
            // target follows; if the iterator could end on a group target those ACLs would never
            // be collected — confirm TargetIterator always yields a non-group entry last.
            if (groupACLs != null) {
                List<ZimbraACE> aclsOnGroupTargets = groupACLs.getAllACLs();
                if (aclsOnGroupTargets != null) {
                    collectAdminPresetRightOnTarget(aclsOnGroupTargets, targetType, relativity, false, allowed, denied);
                    relativity += 2;
                }
                // set groupACLs to null, we are done with group targets
                groupACLs = null;
            }
            if (acl == null) {
                continue;
            }
            // subDomain only when this collector's target type is domain and the granting
            // entry is itself a Domain
            boolean subDomain = (mTargetType == TargetType.domain && (grantedOn instanceof Domain));
            collectAdminPresetRightOnTarget(acl, targetType, relativity, subDomain, allowed, denied);
            relativity += 2;
        }
    }
    // dump the collected rights with their relativities
    if (sLog.isDebugEnabled()) {
        StringBuilder sbAllowed = new StringBuilder();
        for (Map.Entry<Right, Integer> a : allowed.entrySet()) {
            sbAllowed.append("(" + a.getKey().getName() + ", " + a.getValue() + ") ");
        }
        sLog.debug("allowed: " + sbAllowed.toString());
        StringBuilder sbDenied = new StringBuilder();
        for (Map.Entry<Right, Integer> a : denied.entrySet()) {
            sbDenied.append("(" + a.getKey().getName() + ", " + a.getValue() + ") ");
        }
        sLog.debug("denied: " + sbDenied.toString());
    }
    // conflict resolution: a right both allowed and denied stays allowed only if the
    // allowance is strictly closer to the target (lower relativity) than the denial
    Set<Right> conflicts = SetUtil.intersect(allowed.keySet(), denied.keySet());
    if (!conflicts.isEmpty()) {
        for (Right right : conflicts) {
            if (denied.get(right) <= allowed.get(right))
                allowed.remove(right);
        }
    }
    return allowed.keySet();
}

Example 5 with Grantee

use of com.zimbra.cs.account.accesscontrol.RightBearer.Grantee in project zm-mailbox by Zimbra.

the class TestACL method verify.

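/**
 * Asserts that the attributes {@code grantee} may get or set on {@code target} equal
 * {@code expected}.
 *
 * <p>Calls {@code CheckAttrRight.accessibleAttrs} directly rather than going through the
 * access manager, so the interim result itself can be compared. A {@code ServiceException}
 * from the right check is reported as a test failure carrying the exception text.
 *
 * @param grantee  the account whose attribute rights are checked
 * @param target   the entry the attributes belong to
 * @param getOrSet selects the get-attrs or the set-attrs right
 * @param expected the expected accessible attributes
 */
protected void verify(Account grantee, Entry target, GetOrSet getOrSet, AllowedAttrs expected) {
    try {
        Grantee asGrantee = new Grantee(grantee);
        AllowedAttrs actual;
        if (getOrSet.isGet()) {
            actual = CheckAttrRight.accessibleAttrs(asGrantee, target, AdminRight.PR_GET_ATTRS, false);
        } else {
            actual = CheckAttrRight.accessibleAttrs(asGrantee, target, AdminRight.PR_SET_ATTRS, false);
        }
        assertEquals(expected, actual);
    } catch (ServiceException e) {
        // A bare fail() hides why the check blew up; include the exception in the report.
        fail("unexpected ServiceException: " + e);
    }
}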
