use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.
the class CollectAllEffectiveRights method collect.
private void collect() throws ServiceException {
if (mRightBearer instanceof GlobalAdmin) {
for (TargetType tt : TargetType.values()) {
EffectiveRights er = new EffectiveRights(tt.getCode(), null, null, mRightBearer.getId(), mRightBearer.getName());
Entry target;
if (TargetType.config == tt) {
target = mProv.getConfig();
} else if (TargetType.global == tt) {
target = mProv.getGlobalGrant();
} else {
target = PseudoTarget.createPseudoTarget(mProv, tt, null, null, true, null, null, null);
}
CollectEffectiveRights.getEffectiveRights(mRightBearer, target, tt, mExpandSetAttrs, mExpandGetAttrs, er);
mResult.setAll(tt, er);
}
return;
}
// we want all target types
Set<TargetType> targetTypesToSearch = new HashSet<TargetType>(Arrays.asList(TargetType.values()));
// get the set of zimbraId of the grantees to search for
Set<String> granteeIdsToSearch = mGrantee.getIdAndGroupIds();
// add external group grants that *may* apply
if (mGrantee.isAccount()) {
Domain domain = mProv.getDomain(mGrantee.getAccount());
granteeIdsToSearch.add(ZimbraACE.ExternalGroupInfo.encode(domain.getId(), ""));
}
SearchGrants searchGrants = new SearchGrants(mProv, targetTypesToSearch, granteeIdsToSearch);
Set<GrantsOnTarget> grantsOnTargets = searchGrants.doSearch().getResults(true);
// staging for group grants
Set<Group> groupsWithGrants = new HashSet<Group>();
//
for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
ZimbraACL acl = grantsOnTarget.getAcl();
TargetType targetType = TargetType.getTargetType(grantedOnEntry);
if (targetType == TargetType.global) {
computeRightsInheritedFromGlobalGrant();
} else if (targetType == TargetType.domain) {
computeRightsInheritedFromDomain((Domain) grantedOnEntry);
computeSubDomainRightsInheritedFromDomain(acl, (Domain) grantedOnEntry);
} else if (targetType == TargetType.dl) {
groupsWithGrants.add((DistributionList) grantedOnEntry);
} else if (targetType == TargetType.group) {
groupsWithGrants.add((DynamicGroup) grantedOnEntry);
}
}
//
// Stage 2
//
// process group grants
//
// first, shape all members in all groups with grants into "shapes"
//
// e.g. if the grant search returned three groups: A, B, C
// group A contains members m1, m2, m3
// group B contains members m2, m3, m4
// group C contains members m5
//
// (assuming all m{X} are accounts)
//
// After "shaping", the accountShapes Set will contain 4 shapes:
// shape A - m1
// shape AB - m2, m3
// shape B - m4
// shape C - m5
//
/*
* because of bug 68820, we have to also take into accounts all sub groups
* of groupsWithGrants when we build shapes - even if the sub groups don't
* have any grants.
*
* Prior to bug 68820, we didn't have to do this(i.e. add in sub groups
* that don't have any grants when shapes are computed), because sub groups
* dont't have grants would never affect how grants are inherited - all grants
* get inherited to sub groups and their member accounts/crs.
*
* But bug 68820 introduced a new right modifier - DISINHERIT_SUB_GROUPS,
* that controls whether a grant on a group can be inherited by sub groups and
* their account/cr members.
*
* Now the input groups for calculating shapes are:
* union of (groups have grants and all their sub groups)
*
* This will result in more shares than before if non ofthe sub groups has grants,
* but if spawned shapes actually have the same effective rights, they will be
* merged by RightsByTargetType.addAggregation(), in that it checks if ther are
* already an aggregation with the exact the same right. If there are, then just
* add the targets to the existing aggregation, instead of adding new ones.
*/
Set<String> processedGroups = new HashSet<String>();
Set<GroupShape> accountShapes = new HashSet<GroupShape>();
Set<GroupShape> calendarResourceShapes = new HashSet<GroupShape>();
Set<GroupShape> distributionListShapes = new HashSet<GroupShape>();
for (Group group : groupsWithGrants) {
String groupName = group.getName().toLowerCase();
if (processedGroups.contains(groupName)) {
continue;
} else {
processedGroups.add(groupName);
}
AllGroupMembers allMembers = getAllGroupMembers(group);
GroupShape.shapeMembers(TargetType.account, accountShapes, allMembers);
GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, allMembers);
GroupShape.shapeMembers(TargetType.dl, distributionListShapes, allMembers);
// no need to get TargetType.group members of the group, because
// dynamic group cannot be a member of a Distribution list or another
// dynamic group
processedGroups.add(group.getId());
/*
* handle sub groups. allMembers already contains a flat set of all members
* of group that is a DistributionList, just go through the flat set and compute
* shares for each. If group is a dynamic group, we should never get into
* the following loop, because there should be no nested groups member of
* dynamic group.
*/
for (String nestedGoupMember : allMembers.getMembers(TargetType.dl)) {
String nestedGoupMemberName = nestedGoupMember.toLowerCase();
if (processedGroups.contains(nestedGoupMemberName)) {
continue;
} else {
processedGroups.add(nestedGoupMemberName);
}
DistributionList subDl = mProv.get(DistributionListBy.name, nestedGoupMemberName);
// sanity check, shout not be null
if (subDl != null) {
AllGroupMembers allMembersOfSubDl = getAllGroupMembers(subDl);
GroupShape.shapeMembers(TargetType.account, accountShapes, allMembersOfSubDl);
GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, allMembersOfSubDl);
GroupShape.shapeMembers(TargetType.dl, distributionListShapes, allMembersOfSubDl);
}
}
}
if (ZimbraLog.acl.isDebugEnabled()) {
GroupShape.debug("accountShapes", accountShapes);
GroupShape.debug("calendarResourceShapes", calendarResourceShapes);
GroupShape.debug("distributionListShapes", distributionListShapes);
}
// then, for each group shape, generate a RightAggregation and record in the AllEffectiveRights.
// if any of the entries in a shape also have grants as an individual, the effective rigths for
// those entries will be replaced in stage 3.
Set<String> entryIdsHasGrants = new HashSet<String>();
for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
if (grantedOnEntry instanceof NamedEntry) {
entryIdsHasGrants.add(((NamedEntry) grantedOnEntry).getId());
}
}
computeRightsOnGroupShape(TargetType.account, accountShapes, entryIdsHasGrants);
computeRightsOnGroupShape(TargetType.calresource, calendarResourceShapes, entryIdsHasGrants);
computeRightsOnGroupShape(TargetType.dl, distributionListShapes, entryIdsHasGrants);
//
for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
ZimbraACL acl = grantsOnTarget.getAcl();
TargetType targetType = TargetType.getTargetType(grantedOnEntry);
if (targetType != TargetType.global) {
computeRightsOnEntry(targetType, grantedOnEntry);
}
}
}
use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.
the class CollectAllEffectiveRights method computeRightsInheritedFromDomain.
private void computeRightsInheritedFromDomain(TargetType targetType, Domain grantedOnDomain) throws ServiceException {
String domainId = TargetType.getId(grantedOnDomain);
String domainName = grantedOnDomain.getLabel();
// create a pseudo object(account, cr, dl) in this domain
Entry pseudoTarget = PseudoTarget.createPseudoTarget(mProv, targetType, DomainBy.id, grantedOnDomain.getId(), false, null, null);
// get effective rights on the pseudo target
EffectiveRights er = new EffectiveRights(targetType.getCode(), TargetType.getId(pseudoTarget), pseudoTarget.getLabel(), mGrantee.getId(), mGrantee.getName());
CollectEffectiveRights.getEffectiveRights(mGrantee, pseudoTarget, mExpandSetAttrs, mExpandGetAttrs, er);
// add to the domianed scope in AllEffectiveRights
mResult.addDomainEntry(targetType, domainName, er);
}
use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.
the class TestACLAll method getAllEffectiveRights.
private AllEffectiveRights getAllEffectiveRights(Account grantee) {
AllEffectiveRights allEffRights = null;
boolean expectFailure = !grantee.isIsDelegatedAdminAccount();
try {
allEffRights = RightCommand.getAllEffectiveRights(prov, GranteeType.GT_USER.getCode(), GranteeBy.name, grantee.getName(), false, false);
} catch (ServiceException e) {
// The only expected exception is when the grantee is not a delegated admin
if (!expectFailure) {
e.printStackTrace();
fail();
}
}
if (expectFailure) {
assertNull(allEffRights);
} else {
assertNotNull(allEffRights);
}
return allEffRights;
}
use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.
the class TestACLAll method verifyPresetRight.
private void verifyPresetRight(Account grantee, Entry target, Right right, boolean expectedResult) throws ServiceException {
//
// verify canDo
//
boolean allow = false;
try {
allow = accessMgr.canDo(grantee, target, right, asAdmin(grantee), null);
} catch (ServiceException e) {
// the only reasonable exception is PERM_DENIED
if (!ServiceException.PERM_DENIED.equals(e.getCode())) {
fail();
}
}
assertEquals(expectedResult, allow);
//
// verify getEffectiveRights
//
EffectiveRights effRights = getEffectiveRights(grantee, target);
if (effRights != null) {
allow = isPresetRightInEffectiveRights(effRights, right);
assertEquals(expectedResult && !right.isUserRight(), allow);
}
//
// verify getAllEffectiveRights
//
AllEffectiveRights allEffRights = getAllEffectiveRights(grantee);
if (allEffRights != null) {
allow = isRightInGetAllEffectiveRights(allEffRights, grantee, target, right, null, false, null);
assertEquals(expectedResult && !right.isUserRight(), allow);
}
}
use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.
the class TestACLAll method verifySetAttrs.
private void verifySetAttrs(Account grantee, Entry target, AttrRight attrRight, boolean canGrantBeInheritedForCreate, Set<String> attrs, boolean expectedResult) throws ServiceException {
boolean allow = false;
//
try {
allow = accessMgr.canSetAttrs(grantee, target, attrs, true);
} catch (ServiceException e) {
// the only reasonable exception is PERM_DENIED
if (!ServiceException.PERM_DENIED.equals(e.getCode())) {
fail();
}
}
assertEquals(expectedResult, allow);
//
// verify getEffectiveRights
//
EffectiveRights effRights = getEffectiveRights(grantee, target);
if (effRights != null) {
allow = isAttrRightInEffectiveRights(effRights, RightType.setAttrs, attrRight.allAttrs(), attrs);
assertEquals(expectedResult, allow);
}
//
// verify getAllEffectiveRights
//
AllEffectiveRights allEffRights = getAllEffectiveRights(grantee);
if (allEffRights != null) {
allow = isRightInGetAllEffectiveRights(allEffRights, grantee, target, attrRight, RightType.setAttrs, attrRight.allAttrs(), attrs);
assertEquals(expectedResult, allow);
}
//
// verify getCreateObjectAttrs
//
EffectiveRights effRightsCreate = getCreateObjectAttrs(grantee, target);
if (effRightsCreate != null) {
// Note: only inherited attr rights should be expected
allow = isAttrRightInEffectiveRights(effRightsCreate, RightType.setAttrs, attrRight.allAttrs(), attrs);
assertEquals(expectedResult && canGrantBeInheritedForCreate, allow);
}
}
Aggregations