
Example 6 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method verifyGetAttrs.

/**
 * Asserts that the "get attributes" decision for {@code grantee} on {@code target} is the
 * same in every view of the ACL data this test can query: the direct access-manager check,
 * the per-target effective rights, the grantee-wide "all effective rights", and the
 * create-object attribute view.
 *
 * <p>NOTE(review): a view whose helper returns {@code null} is skipped without any assertion,
 * so a green run does not prove that all four views were compared.
 *
 * @param grantee the account whose access is being evaluated
 * @param target the entry the attributes belong to
 * @param attrRight the attribute right under test; only {@code allAttrs()} is read here
 * @param canGrantBeInheritedForCreate whether the grant is expected to be visible in the
 *        create-object view
 * @param attrs the attribute names being checked
 * @param expectedResult the decision every view is expected to report
 * @throws ServiceException if one of the lookup helpers fails
 */
private void verifyGetAttrs(Account grantee, Entry target, AttrRight attrRight, boolean canGrantBeInheritedForCreate, Set<String> attrs, boolean expectedResult) throws ServiceException {
    // View 1: ask the access manager directly. A PERM_DENIED exception is treated as a
    // plain "deny"; any other ServiceException code fails the test.
    // The trailing 'true' is presumably the asAdmin flag -- confirm against AccessManager.
    boolean permitted = false;
    try {
        permitted = accessMgr.canGetAttrs(grantee, target, attrs, true);
    } catch (ServiceException unexpected) {
        boolean isPermDenied = ServiceException.PERM_DENIED.equals(unexpected.getCode());
        if (!isPermDenied) {
            unexpected.printStackTrace();
            fail();
        }
    }
    assertEquals(expectedResult, permitted);

    // View 2: effective rights of the grantee on this one target.
    EffectiveRights perTarget = getEffectiveRights(grantee, target);
    if (perTarget != null) {
        permitted = isAttrRightInEffectiveRights(perTarget, RightType.getAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult, permitted);
    }

    // View 3: everything the grantee can do, across all targets.
    AllEffectiveRights acrossTargets = getAllEffectiveRights(grantee);
    if (acrossTargets != null) {
        permitted = isRightInGetAllEffectiveRights(acrossTargets, grantee, target, attrRight, RightType.getAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult, permitted);
    }

    // View 4: attributes usable when creating an object. Per the original author's note,
    // getAttr rights are not returned by getCreateObjectAttrs over SOAP but are present in
    // the Java object, and only inherited attr rights are expected here -- hence the extra
    // canGrantBeInheritedForCreate term in the expectation.
    EffectiveRights forCreate = getCreateObjectAttrs(grantee, target);
    if (forCreate != null) {
        permitted = isAttrRightInEffectiveRights(forCreate, RightType.getAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult && canGrantBeInheritedForCreate, permitted);
    }
}
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) ServiceException(com.zimbra.common.service.ServiceException) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)

Example 7 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class TestJaxbProvisioning method testGetAllEffectiveRights.

/**
 * Smoke test: calls {@code getAllEffectiveRights} on the provisioning object with no explicit
 * grantee and checks only that a result object comes back.
 *
 * <p>NOTE(review): the content of the returned rights is not inspected, so this does not
 * verify that the reported rights are correct or minimal.
 */
@Test
public void testGetAllEffectiveRights() throws Exception {
    ZimbraLog.test.debug("Starting testGetAllEffectiveRights");
    // The three nulls leave grantee type, lookup key and grantee unspecified; presumably the
    // call then falls back to the authenticated account -- confirm against the API.
    AllEffectiveRights allRights = prov.getAllEffectiveRights(
            null,
            null,
            null,
            false /* expandSetAttrs */,
            true /* presumably expandGetAttrs -- confirm */);
    assertNotNull("AllEffectiveRights", allRights);
}
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) Test(org.junit.Test)

Example 8 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method isRightInGetAllEffectiveRights.

/**
 * Reports whether {@code right} on {@code target} appears anywhere in {@code allEffRights}.
 *
 * <p>The rights recorded for the target's type are searched in three scopes, in order:
 * rights on all entries of that type, rights aggregated by domain (only when the container
 * is a {@link DomainedRightsByTargetType}), and rights aggregated by individual entry.
 * The first scope that contains the right ends the search.
 *
 * @param allEffRights the grantee-wide rights to search
 * @param grantee not read by this method
 * @param target the entry whose type selects the rights to search
 * @param right the right being looked for
 * @param rightType passed through to the matching helpers
 * @param allAttrs passed through to the matching helpers
 * @param attrs passed through to the matching helpers
 * @return {@code true} if any scope contains the right; {@code false} otherwise, including
 *         when nothing is recorded for the target's type
 * @throws ServiceException if resolving the target type or a matching helper fails
 */
private boolean isRightInGetAllEffectiveRights(AllEffectiveRights allEffRights, Account grantee, Entry target, Right right, RightType rightType, boolean allAttrs, Set<String> attrs) throws ServiceException {
    TargetType targetType = TargetType.getTargetType(target);
    Map<TargetType, RightsByTargetType> rightsPerType = allEffRights.rightsByTargetType();
    RightsByTargetType rightsForType = rightsPerType.get(targetType);
    if (rightsForType == null) {
        // nothing was reported for this kind of target
        return false;
    }

    // Scope 1: rights that apply to every entry of this target type.
    EffectiveRights onAllEntries = rightsForType.all();
    if (onAllEntries != null && isRightInEffectiveRights(onAllEntries, right, rightType, allAttrs, attrs)) {
        return true;
    }

    // Scope 2: rights aggregated per domain. The 'true' flag presumably tells the helper
    // that the aggregation is domain-scoped -- confirm against isRightInRightAggregation.
    if (rightsForType instanceof DomainedRightsByTargetType) {
        DomainedRightsByTargetType domained = (DomainedRightsByTargetType) rightsForType;
        for (RightAggregation perDomain : domained.domains()) {
            if (isRightInRightAggregation(perDomain, true, target, right, rightType, allAttrs, attrs)) {
                return true;
            }
        }
    }

    // Scope 3: rights aggregated per individual entry.
    for (RightCommand.RightAggregation perEntry : rightsForType.entries()) {
        if (isRightInRightAggregation(perEntry, false, target, right, rightType, allAttrs, attrs)) {
            return true;
        }
    }
    return false;
}
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType) RightAggregation(com.zimbra.cs.account.accesscontrol.RightCommand.RightAggregation) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType) RightAggregation(com.zimbra.cs.account.accesscontrol.RightCommand.RightAggregation) RightCommand(com.zimbra.cs.account.accesscontrol.RightCommand)

Example 9 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class TestACLEffectiveRights method getAllEffectiveRights.

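/**
 * Grants a preset account right to a delegated admin on one account and verifies that the
 * grant is visible in the delegated admin's "all effective rights" report.
 *
 * <p>The check looks only at the per-entry aggregations for the target's type: the test
 * passes when some aggregation both names the target account and lists the granted right
 * among its preset rights.
 *
 * @throws Exception if fixture creation, the grant, or the rights query fails
 */
@Test
public void getAllEffectiveRights() throws Exception {
    // Fixture: a fresh domain holding the target account and the delegated-admin grantee.
    Domain domain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
    Account target = provUtil.createAccount(genAcctNameLocalPart("user"), domain);
    Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("da"), domain);
    Account grantingAccount = globalAdmin;
    TargetType targetType = TargetType.getTargetType(target);
    GranteeType granteeType = GranteeType.GT_USER;
    Right right = ADMIN_PRESET_ACCOUNT;

    // The global admin grants the right directly on the target account.
    RightCommand.grantRight(prov, grantingAccount, targetType.getCode(), TargetBy.name, target.getName(), granteeType.getCode(), GranteeBy.name, grantee.getName(), null, right.getName(), null);

    AllEffectiveRights allEffRights = RightCommand.getAllEffectiveRights(prov, granteeType.getCode(), GranteeBy.name, grantee.getName(), false, false);
    Map<TargetType, RightsByTargetType> rbttMap = allEffRights.rightsByTargetType();
    RightsByTargetType rbtt = rbttMap.get(targetType);
    // Fail with a readable assertion instead of a NullPointerException in the loop below
    // when the report has no section for the target's type.
    assertTrue("no effective rights reported for target type " + targetType.getCode(), rbtt != null);

    boolean found = false;
    for (RightCommand.RightAggregation rightsByEntries : rbtt.entries()) {
        Set<String> targetNames = rightsByEntries.entries();
        if (!targetNames.contains(target.getName())) {
            // this RightAggregation is about other entries
            continue;
        }
        // this RightAggregation contains our target; see if it contains our right
        EffectiveRights effRights = rightsByEntries.effectiveRights();
        if (effRights == null) {
            continue;
        }
        List<String> presetRights = effRights.presetRights();
        if (presetRights.contains(right.getName())) {
            found = true;
            break;
        }
    }
    assertTrue("granted right " + right.getName() + " not reported for " + target.getName(), found);
}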
Also used : Account(com.zimbra.cs.account.Account) GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) InlineAttrRight(com.zimbra.cs.account.accesscontrol.InlineAttrRight) Right(com.zimbra.cs.account.accesscontrol.Right) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightCommand(com.zimbra.cs.account.accesscontrol.RightCommand) Domain(com.zimbra.cs.account.Domain) Test(org.junit.Test)

Example 10 with AllEffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights in project zm-mailbox by Zimbra.

the class CollectAllEffectiveRights method computeRightsOnGroupShape.

/*
     * We do not have a group scope in AllEffectiveRights.
     *
     * Reasons:
     *     1. If we return something like:
     *           have effective rights X, Y, Z on members in groups A, B, C
     *           have effective rights P, Q, R on members in groups M, N
     *        then the client would have to figure out which groups each account/cr/dl is in.
     *
     *     2. If a grouped entry (i.e. account/cr/dl) is in multiple groups, that's even messier
     *        for the client (admin console).
     *
     * Instead, we classify group-ed entries in groups with grants into "shapes", and
     * represent them in a RightAggregation, like:
     *       - has effective rights X, Y on accounts user1, user5, user8
     *       - has effective rights X on accounts user2, user3, user4
     *       - has effective rights on calendar resources cr1, cr88
     *       - has effective rights on distribution lists dl38, dl99
     */
/**
 * For each group shape, computes effective rights once on a representative ("pilot") member
 * and records that result for every member of the shape.
 *
 * <p>NOTE(review): the rights computed for the single pilot are attributed to all members
 * returned by {@code shape.getMembers()}, so the result is only as accurate as the shape
 * grouping and the {@code entryIdsHasGrants} set passed in.
 *
 * @param targetType the type of the entries in the shapes
 * @param groupShapes the shapes to process
 * @param entryIdsHasGrants ids of entries that carry grants of their own; such entries are
 *        never used as the pilot
 * @throws ServiceException if looking up a member or computing its rights fails
 */
private void computeRightsOnGroupShape(TargetType targetType, Set<GroupShape> groupShapes, Set<String> entryIdsHasGrants) throws ServiceException {
    for (GroupShape shape : groupShapes) {
        // Pick any one member of the shape as the pilot target. Per the original author's
        // note, the pilot must not have grants of its own, otherwise its EffectiveRights
        // would not be representative of the shape; entries with grants are recorded in
        // stage 3 and overwrite what is recorded here.
        EffectiveRights shapeRights = null;
        for (String memberName : shape.getMembers()) {
            Entry candidate = TargetType.lookupTarget(mProv, targetType, TargetBy.name, memberName, false);
            if (candidate == null) {
                // Member could not be found (e.g. a deleted account still listed in a
                // group -- not likely); try the next member of the shape.
                continue;
            }
            String candidateId = TargetType.getId(candidate);
            if (entryIdsHasGrants.contains(candidateId)) {
                // the member itself has grants, so it cannot serve as the pilot
                continue;
            }
            shapeRights = new EffectiveRights(targetType.getCode(), candidateId, candidate.getLabel(), mGrantee.getId(), mGrantee.getName());
            CollectEffectiveRights.getEffectiveRights(mGrantee, candidate, mExpandSetAttrs, mExpandGetAttrs, shapeRights);
            break;
        }
        // No usable pilot means nothing is recorded for this shape.
        if (shapeRights != null) {
            mResult.addAggregation(targetType, shape.getMembers(), shapeRights);
        }
    }
}
Also used : NamedEntry(com.zimbra.cs.account.NamedEntry) Entry(com.zimbra.cs.account.Entry) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)

Aggregations

AllEffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)10 EffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights)8 ServiceException (com.zimbra.common.service.ServiceException)4 Entry (com.zimbra.cs.account.Entry)3 NamedEntry (com.zimbra.cs.account.NamedEntry)3 Domain (com.zimbra.cs.account.Domain)2 RightCommand (com.zimbra.cs.account.accesscontrol.RightCommand)2 RightsByTargetType (com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType)2 TargetType (com.zimbra.cs.account.accesscontrol.TargetType)2 Test (org.junit.Test)2 Account (com.zimbra.cs.account.Account)1 DistributionList (com.zimbra.cs.account.DistributionList)1 DynamicGroup (com.zimbra.cs.account.DynamicGroup)1 Group (com.zimbra.cs.account.Group)1 GranteeType (com.zimbra.cs.account.accesscontrol.GranteeType)1 InlineAttrRight (com.zimbra.cs.account.accesscontrol.InlineAttrRight)1 Right (com.zimbra.cs.account.accesscontrol.Right)1 GlobalAdmin (com.zimbra.cs.account.accesscontrol.RightBearer.GlobalAdmin)1 DomainedRightsByTargetType (com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType)1 RightAggregation (com.zimbra.cs.account.accesscontrol.RightCommand.RightAggregation)1