Search in sources :

Example 1 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class CollectAllEffectiveRights method collect.

private void collect() throws ServiceException {
    if (mRightBearer instanceof GlobalAdmin) {
        for (TargetType tt : TargetType.values()) {
            EffectiveRights er = new EffectiveRights(tt.getCode(), null, null, mRightBearer.getId(), mRightBearer.getName());
            Entry target;
            if (TargetType.config == tt) {
                target = mProv.getConfig();
            } else if (TargetType.global == tt) {
                target = mProv.getGlobalGrant();
            } else {
                target = PseudoTarget.createPseudoTarget(mProv, tt, null, null, true, null, null, null);
            }
            CollectEffectiveRights.getEffectiveRights(mRightBearer, target, tt, mExpandSetAttrs, mExpandGetAttrs, er);
            mResult.setAll(tt, er);
        }
        return;
    }
    // we want all target types
    Set<TargetType> targetTypesToSearch = new HashSet<TargetType>(Arrays.asList(TargetType.values()));
    // get the set of zimbraId of the grantees to search for
    Set<String> granteeIdsToSearch = mGrantee.getIdAndGroupIds();
    // add external group grants that *may* apply
    if (mGrantee.isAccount()) {
        Domain domain = mProv.getDomain(mGrantee.getAccount());
        granteeIdsToSearch.add(ZimbraACE.ExternalGroupInfo.encode(domain.getId(), ""));
    }
    SearchGrants searchGrants = new SearchGrants(mProv, targetTypesToSearch, granteeIdsToSearch);
    Set<GrantsOnTarget> grantsOnTargets = searchGrants.doSearch().getResults(true);
    // staging for group grants
    Set<Group> groupsWithGrants = new HashSet<Group>();
    //
    for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
        Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
        ZimbraACL acl = grantsOnTarget.getAcl();
        TargetType targetType = TargetType.getTargetType(grantedOnEntry);
        if (targetType == TargetType.global) {
            computeRightsInheritedFromGlobalGrant();
        } else if (targetType == TargetType.domain) {
            computeRightsInheritedFromDomain((Domain) grantedOnEntry);
            computeSubDomainRightsInheritedFromDomain(acl, (Domain) grantedOnEntry);
        } else if (targetType == TargetType.dl) {
            groupsWithGrants.add((DistributionList) grantedOnEntry);
        } else if (targetType == TargetType.group) {
            groupsWithGrants.add((DynamicGroup) grantedOnEntry);
        }
    }
    //
    // Stage 2
    //
    // process group grants
    //
    // first, shape all members in all groups with grants into "shapes"
    //
    // e.g. if the grant search returned three groups: A, B, C
    //      group A contains members m1, m2, m3
    //      group B contains members m2, m3, m4
    //      group C contains members m5
    //
    //      (assuming all m{X} are accounts)
    //
    //      After "shaping", the accountShapes Set will contain 4 shapes:
    //      shape A  - m1
    //      shape AB - m2, m3
    //      shape B  - m4
    //      shape C  - m5
    //
    /*
         * because of bug 68820, we have to also take into accounts all sub groups
         * of groupsWithGrants when we build shapes - even if the sub groups don't
         * have any grants.
         *
         * Prior to bug 68820, we didn't have to do this(i.e. add in sub groups
         * that don't have any grants when shapes are computed), because sub groups
         * dont't have grants would never affect how grants are inherited - all grants
         * get inherited to sub groups and their member accounts/crs.
         *
         * But bug 68820 introduced a new right modifier - DISINHERIT_SUB_GROUPS,
         * that controls whether a grant on a group can be inherited by sub groups and
         * their account/cr members.
         *
         * Now the input groups for calculating shapes are:
         * union of (groups have grants and all their sub groups)
         *
         * This will result in more shares than before if non ofthe sub groups has grants,
         * but if spawned shapes actually have the same effective rights, they will be
         * merged by RightsByTargetType.addAggregation(), in that it checks if ther are
         * already an aggregation with the exact the same right.  If there are, then just
         * add the targets to the existing aggregation, instead of adding new ones.
         */
    Set<String> processedGroups = new HashSet<String>();
    Set<GroupShape> accountShapes = new HashSet<GroupShape>();
    Set<GroupShape> calendarResourceShapes = new HashSet<GroupShape>();
    Set<GroupShape> distributionListShapes = new HashSet<GroupShape>();
    for (Group group : groupsWithGrants) {
        String groupName = group.getName().toLowerCase();
        if (processedGroups.contains(groupName)) {
            continue;
        } else {
            processedGroups.add(groupName);
        }
        AllGroupMembers allMembers = getAllGroupMembers(group);
        GroupShape.shapeMembers(TargetType.account, accountShapes, allMembers);
        GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, allMembers);
        GroupShape.shapeMembers(TargetType.dl, distributionListShapes, allMembers);
        // no need to get TargetType.group members of the group, because
        // dynamic group cannot be a member of a Distribution list or another
        // dynamic group
        processedGroups.add(group.getId());
        /*
             * handle sub groups.  allMembers already contains a flat set of all members
             * of group that is a DistributionList, just go through the flat set and compute
             * shares for each.  If group is a dynamic group, we should never get into
             * the following loop, because there should be no nested groups member of
             * dynamic group.
             */
        for (String nestedGoupMember : allMembers.getMembers(TargetType.dl)) {
            String nestedGoupMemberName = nestedGoupMember.toLowerCase();
            if (processedGroups.contains(nestedGoupMemberName)) {
                continue;
            } else {
                processedGroups.add(nestedGoupMemberName);
            }
            DistributionList subDl = mProv.get(DistributionListBy.name, nestedGoupMemberName);
            // sanity check, shout not be null
            if (subDl != null) {
                AllGroupMembers allMembersOfSubDl = getAllGroupMembers(subDl);
                GroupShape.shapeMembers(TargetType.account, accountShapes, allMembersOfSubDl);
                GroupShape.shapeMembers(TargetType.calresource, calendarResourceShapes, allMembersOfSubDl);
                GroupShape.shapeMembers(TargetType.dl, distributionListShapes, allMembersOfSubDl);
            }
        }
    }
    if (ZimbraLog.acl.isDebugEnabled()) {
        GroupShape.debug("accountShapes", accountShapes);
        GroupShape.debug("calendarResourceShapes", calendarResourceShapes);
        GroupShape.debug("distributionListShapes", distributionListShapes);
    }
    // then, for each group shape, generate a RightAggregation and record in the AllEffectiveRights.
    // if any of the entries in a shape also have grants as an individual, the effective rigths for
    // those entries will be replaced in stage 3.
    Set<String> entryIdsHasGrants = new HashSet<String>();
    for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
        Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
        if (grantedOnEntry instanceof NamedEntry) {
            entryIdsHasGrants.add(((NamedEntry) grantedOnEntry).getId());
        }
    }
    computeRightsOnGroupShape(TargetType.account, accountShapes, entryIdsHasGrants);
    computeRightsOnGroupShape(TargetType.calresource, calendarResourceShapes, entryIdsHasGrants);
    computeRightsOnGroupShape(TargetType.dl, distributionListShapes, entryIdsHasGrants);
    //
    for (GrantsOnTarget grantsOnTarget : grantsOnTargets) {
        Entry grantedOnEntry = grantsOnTarget.getTargetEntry();
        ZimbraACL acl = grantsOnTarget.getAcl();
        TargetType targetType = TargetType.getTargetType(grantedOnEntry);
        if (targetType != TargetType.global) {
            computeRightsOnEntry(targetType, grantedOnEntry);
        }
    }
}
Also used : DynamicGroup(com.zimbra.cs.account.DynamicGroup) Group(com.zimbra.cs.account.Group) DynamicGroup(com.zimbra.cs.account.DynamicGroup) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) GrantsOnTarget(com.zimbra.cs.account.accesscontrol.SearchGrants.GrantsOnTarget) NamedEntry(com.zimbra.cs.account.NamedEntry) NamedEntry(com.zimbra.cs.account.NamedEntry) Entry(com.zimbra.cs.account.Entry) Domain(com.zimbra.cs.account.Domain) GlobalAdmin(com.zimbra.cs.account.accesscontrol.RightBearer.GlobalAdmin) HashSet(java.util.HashSet) DistributionList(com.zimbra.cs.account.DistributionList)

Example 2 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class CollectAllEffectiveRights method computeRightsInheritedFromDomain.

private void computeRightsInheritedFromDomain(TargetType targetType, Domain grantedOnDomain) throws ServiceException {
    String domainId = TargetType.getId(grantedOnDomain);
    String domainName = grantedOnDomain.getLabel();
    // create a pseudo object(account, cr, dl) in this domain
    Entry pseudoTarget = PseudoTarget.createPseudoTarget(mProv, targetType, DomainBy.id, grantedOnDomain.getId(), false, null, null);
    // get effective rights on the pseudo target
    EffectiveRights er = new EffectiveRights(targetType.getCode(), TargetType.getId(pseudoTarget), pseudoTarget.getLabel(), mGrantee.getId(), mGrantee.getName());
    CollectEffectiveRights.getEffectiveRights(mGrantee, pseudoTarget, mExpandSetAttrs, mExpandGetAttrs, er);
    // add to the domianed scope in AllEffectiveRights
    mResult.addDomainEntry(targetType, domainName, er);
}
Also used : NamedEntry(com.zimbra.cs.account.NamedEntry) Entry(com.zimbra.cs.account.Entry) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)

Example 3 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method getAllEffectiveRights.

private AllEffectiveRights getAllEffectiveRights(Account grantee) {
    AllEffectiveRights allEffRights = null;
    boolean expectFailure = !grantee.isIsDelegatedAdminAccount();
    try {
        allEffRights = RightCommand.getAllEffectiveRights(prov, GranteeType.GT_USER.getCode(), GranteeBy.name, grantee.getName(), false, false);
    } catch (ServiceException e) {
        // The only expected exception is when the grantee is not a delegated admin
        if (!expectFailure) {
            e.printStackTrace();
            fail();
        }
    }
    if (expectFailure) {
        assertNull(allEffRights);
    } else {
        assertNotNull(allEffRights);
    }
    return allEffRights;
}
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) ServiceException(com.zimbra.common.service.ServiceException)

Example 4 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method verifyPresetRight.

private void verifyPresetRight(Account grantee, Entry target, Right right, boolean expectedResult) throws ServiceException {
    //
    // verify canDo
    //
    boolean allow = false;
    try {
        allow = accessMgr.canDo(grantee, target, right, asAdmin(grantee), null);
    } catch (ServiceException e) {
        // the only reasonable exception is PERM_DENIED
        if (!ServiceException.PERM_DENIED.equals(e.getCode())) {
            fail();
        }
    }
    assertEquals(expectedResult, allow);
    //
    // verify getEffectiveRights
    //
    EffectiveRights effRights = getEffectiveRights(grantee, target);
    if (effRights != null) {
        allow = isPresetRightInEffectiveRights(effRights, right);
        assertEquals(expectedResult && !right.isUserRight(), allow);
    }
    //
    // verify getAllEffectiveRights
    //
    AllEffectiveRights allEffRights = getAllEffectiveRights(grantee);
    if (allEffRights != null) {
        allow = isRightInGetAllEffectiveRights(allEffRights, grantee, target, right, null, false, null);
        assertEquals(expectedResult && !right.isUserRight(), allow);
    }
}
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) ServiceException(com.zimbra.common.service.ServiceException) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)

Example 5 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method verifySetAttrs.

private void verifySetAttrs(Account grantee, Entry target, AttrRight attrRight, boolean canGrantBeInheritedForCreate, Set<String> attrs, boolean expectedResult) throws ServiceException {
    boolean allow = false;
    //
    try {
        allow = accessMgr.canSetAttrs(grantee, target, attrs, true);
    } catch (ServiceException e) {
        // the only reasonable exception is PERM_DENIED
        if (!ServiceException.PERM_DENIED.equals(e.getCode())) {
            fail();
        }
    }
    assertEquals(expectedResult, allow);
    //
    // verify getEffectiveRights
    //
    EffectiveRights effRights = getEffectiveRights(grantee, target);
    if (effRights != null) {
        allow = isAttrRightInEffectiveRights(effRights, RightType.setAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult, allow);
    }
    //
    // verify getAllEffectiveRights
    //
    AllEffectiveRights allEffRights = getAllEffectiveRights(grantee);
    if (allEffRights != null) {
        allow = isRightInGetAllEffectiveRights(allEffRights, grantee, target, attrRight, RightType.setAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult, allow);
    }
    //
    // verify getCreateObjectAttrs
    //
    EffectiveRights effRightsCreate = getCreateObjectAttrs(grantee, target);
    if (effRightsCreate != null) {
        // Note: only inherited attr rights should be expected
        allow = isAttrRightInEffectiveRights(effRightsCreate, RightType.setAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult && canGrantBeInheritedForCreate, allow);
    }
}
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) ServiceException(com.zimbra.common.service.ServiceException) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)

Aggregations

AllEffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)10 EffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights)8 ServiceException (com.zimbra.common.service.ServiceException)4 Entry (com.zimbra.cs.account.Entry)3 NamedEntry (com.zimbra.cs.account.NamedEntry)3 Domain (com.zimbra.cs.account.Domain)2 RightCommand (com.zimbra.cs.account.accesscontrol.RightCommand)2 RightsByTargetType (com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType)2 TargetType (com.zimbra.cs.account.accesscontrol.TargetType)2 Test (org.junit.Test)2 Account (com.zimbra.cs.account.Account)1 DistributionList (com.zimbra.cs.account.DistributionList)1 DynamicGroup (com.zimbra.cs.account.DynamicGroup)1 Group (com.zimbra.cs.account.Group)1 GranteeType (com.zimbra.cs.account.accesscontrol.GranteeType)1 InlineAttrRight (com.zimbra.cs.account.accesscontrol.InlineAttrRight)1 Right (com.zimbra.cs.account.accesscontrol.Right)1 GlobalAdmin (com.zimbra.cs.account.accesscontrol.RightBearer.GlobalAdmin)1 DomainedRightsByTargetType (com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType)1 RightAggregation (com.zimbra.cs.account.accesscontrol.RightCommand.RightAggregation)1