
Example 11 with EffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method verifyGetAttrs.

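/**
 * Asserts that the get-attrs decision for {@code grantee} on {@code target} matches
 * {@code expectedResult} on every path this test can query: the direct
 * {@code accessMgr.canGetAttrs} check, getEffectiveRights, getAllEffectiveRights and
 * getCreateObjectAttrs.
 *
 * <p>The three helper lookups may return {@code null}; in that case the corresponding
 * comparison is skipped rather than failed, so a {@code null} result is never counted as
 * agreement or disagreement here.
 *
 * @param grantee the account whose access is being checked
 * @param target the entry the access is checked against
 * @param attrRight the attribute right under test; only {@code allAttrs()} is read here
 * @param canGrantBeInheritedForCreate whether the grant is expected to show up in the
 *     create-object view; ANDed with {@code expectedResult} for that comparison only
 * @param attrs the attribute names being asked about
 * @param expectedResult the decision every path is expected to report
 * @throws ServiceException if one of the helper lookups propagates one
 */
private void verifyGetAttrs(Account grantee, Entry target, AttrRight attrRight, boolean canGrantBeInheritedForCreate, Set<String> attrs, boolean expectedResult) throws ServiceException {
    boolean allow = false;
    try {
        allow = accessMgr.canGetAttrs(grantee, target, attrs, true);
    } catch (ServiceException e) {
        // PERM_DENIED is a legitimate "deny" answer: allow stays false and is compared below.
        // Any other code means the check itself broke, so fail with the exception attached
        // as the cause instead of printing it and failing without context.
        if (!ServiceException.PERM_DENIED.equals(e.getCode())) {
            throw new AssertionError("canGetAttrs failed with unexpected code " + e.getCode(), e);
        }
    }
    assertEquals(expectedResult, allow);
    //
    // verify getEffectiveRights
    //
    EffectiveRights effRights = getEffectiveRights(grantee, target);
    if (effRights != null) {
        allow = isAttrRightInEffectiveRights(effRights, RightType.getAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult, allow);
    }
    //
    // verify getAllEffectiveRights
    //
    AllEffectiveRights allEffRights = getAllEffectiveRights(grantee);
    if (allEffRights != null) {
        allow = isRightInGetAllEffectiveRights(allEffRights, grantee, target, attrRight, RightType.getAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult, allow);
    }
    //
    // verify getCreateObjectAttrs
    //
    EffectiveRights effRightsCreate = getCreateObjectAttrs(grantee, target);
    if (effRightsCreate != null) {
        // getAttr rights are not returned by getCreateObjectAttrs via SOAP,
        // but they exist in the java object, just verify it.
        // Note: only inherited attr rights should be expected
        allow = isAttrRightInEffectiveRights(effRightsCreate, RightType.getAttrs, attrRight.allAttrs(), attrs);
        assertEquals(expectedResult && canGrantBeInheritedForCreate, allow);
    }
}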
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) ServiceException(com.zimbra.common.service.ServiceException) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)

Example 12 with EffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method isRightInGetAllEffectiveRights.

/**
 * Reports whether {@code right} is present for {@code target} anywhere in the
 * all-effective-rights result.
 *
 * <p>The bucket for the target's {@link TargetType} is searched in three places, in this
 * order: the rights that apply to all entries of the type, the per-domain aggregations
 * (only when the bucket is a {@code DomainedRightsByTargetType}), and the per-entry
 * aggregations. The first match wins. A missing bucket means "not found".
 *
 * @param allEffRights the result being searched
 * @param grantee not read by this method
 * @param target the entry the right should apply to
 * @param right the right to look for
 * @param rightType passed through to the matching helpers
 * @param allAttrs passed through to the matching helpers
 * @param attrs passed through to the matching helpers
 * @return {@code true} if any of the three places reports the right, else {@code false}
 * @throws ServiceException if the target type lookup or a matching helper throws it
 */
private boolean isRightInGetAllEffectiveRights(AllEffectiveRights allEffRights, Account grantee, Entry target, Right right, RightType rightType, boolean allAttrs, Set<String> attrs) throws ServiceException {
    TargetType kind = TargetType.getTargetType(target);
    Map<TargetType, RightsByTargetType> byKind = allEffRights.rightsByTargetType();
    RightsByTargetType bucket = byKind.get(kind);
    if (bucket == null) {
        // nothing was collected for this target type
        return false;
    }

    // rights that hold for every entry of the type
    EffectiveRights onAllEntries = bucket.all();
    if (onAllEntries != null && isRightInEffectiveRights(onAllEntries, right, rightType, allAttrs, attrs)) {
        return true;
    }

    // rights aggregated per domain; the helper is told (second argument true) that
    // it is looking at a domain aggregation
    if (bucket instanceof DomainedRightsByTargetType) {
        for (RightAggregation perDomain : ((DomainedRightsByTargetType) bucket).domains()) {
            if (isRightInRightAggregation(perDomain, true, target, right, rightType, allAttrs, attrs)) {
                return true;
            }
        }
    }

    // rights aggregated per individual entry (second argument false)
    for (RightCommand.RightAggregation perEntry : bucket.entries()) {
        if (isRightInRightAggregation(perEntry, false, target, right, rightType, allAttrs, attrs)) {
            return true;
        }
    }
    return false;
}
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType) RightAggregation(com.zimbra.cs.account.accesscontrol.RightCommand.RightAggregation) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType) RightAggregation(com.zimbra.cs.account.accesscontrol.RightCommand.RightAggregation) RightCommand(com.zimbra.cs.account.accesscontrol.RightCommand)

Example 13 with EffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights in project zm-mailbox by Zimbra.

the class TestACLAll method getCreateObjectAttrs.

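/**
 * Calls {@code RightCommand.getCreateObjectAttrs} for {@code grantee} against the type and
 * domain of {@code target}, and asserts that the call succeeded or failed as expected.
 *
 * <p>Failure is expected when the grantee is not a delegated admin account, or when the
 * target type is {@code config} or {@code global}. In that case the method asserts that
 * no result was produced and returns {@code null}; otherwise it asserts a non-null result.
 *
 * @param grantee the account whose create-object rights are queried, looked up by name
 * @param target the entry whose target type and domain name drive the query
 * @return the rights reported, or {@code null} when the call was expected to fail
 */
private EffectiveRights getCreateObjectAttrs(Account grantee, Entry target) {
    EffectiveRights effRights = null;
    boolean expectFailure = false;
    try {
        String domainName = TargetType.getTargetDomainName(prov, target);
        TargetType targetType = TargetType.getTargetType(target);
        expectFailure = !grantee.isIsDelegatedAdminAccount() || targetType == TargetType.config || targetType == TargetType.global;
        // reuse the target type resolved above instead of looking it up a second time
        effRights = RightCommand.getCreateObjectAttrs(prov, targetType.getCode(), Key.DomainBy.name, domainName, null, null, GranteeBy.name, grantee.getName());
    } catch (ServiceException e) {
        if (!expectFailure) {
            // Fail with the exception attached as the cause rather than printing it and
            // failing without context.
            throw new AssertionError("getCreateObjectAttrs failed with unexpected code " + e.getCode(), e);
        }
        // NOTE(review): when a failure is expected, any ServiceException code is accepted.
        // An unrelated error would therefore pass as the expected denial; consider
        // checking e.getCode() here once the expected code is confirmed.
    }
    if (expectFailure) {
        assertNull(effRights);
    } else {
        assertNotNull(effRights);
    }
    return effRights;
}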
Also used : AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) ServiceException(com.zimbra.common.service.ServiceException) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType)

Example 14 with EffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights in project zm-mailbox by Zimbra.

the class TestACLEffectiveRights method getAllEffectiveRights.

/**
 * Grants {@code ADMIN_PRESET_ACCOUNT} on a newly created account to a newly created
 * delegated admin (both in a fresh domain), then checks that
 * {@code RightCommand.getAllEffectiveRights} reports that right for that target.
 *
 * <p>Only the positive case is asserted: the right name must appear in the preset rights
 * of a per-entry aggregation that names the target. The bucket for the target type is
 * dereferenced without a null check, so a missing bucket surfaces as a
 * {@code NullPointerException} rather than an assertion failure.
 */
@Test
public void getAllEffectiveRights() throws Exception {
    // fixture: one domain holding the target user and the delegated admin
    Domain testDomain = provUtil.createDomain(genDomainSegmentName() + "." + BASE_DOMAIN_NAME);
    Account target = provUtil.createAccount(genAcctNameLocalPart("user"), testDomain);
    Account grantee = provUtil.createDelegatedAdmin(genAcctNameLocalPart("da"), testDomain);
    Account grantor = globalAdmin;
    TargetType targetKind = TargetType.getTargetType(target);
    GranteeType granteeKind = GranteeType.GT_USER;
    Right grantedRight = ADMIN_PRESET_ACCOUNT;

    // the global admin grants the right directly on the target account
    RightCommand.grantRight(prov, grantor, targetKind.getCode(), TargetBy.name, target.getName(), granteeKind.getCode(), GranteeBy.name, grantee.getName(), null, grantedRight.getName(), null);

    AllEffectiveRights collected = RightCommand.getAllEffectiveRights(prov, granteeKind.getCode(), GranteeBy.name, grantee.getName(), false, false);
    Map<TargetType, RightsByTargetType> byKind = collected.rightsByTargetType();
    RightsByTargetType bucket = byKind.get(targetKind);

    boolean sawRight = false;
    for (RightCommand.RightAggregation perEntry : bucket.entries()) {
        Set<String> coveredTargets = perEntry.entries();
        if (!coveredTargets.contains(target.getName())) {
            // this aggregation is about other entries
            continue;
        }
        // this aggregation covers our target; see if it carries our right
        EffectiveRights rightsOnTarget = perEntry.effectiveRights();
        List<String> presets = rightsOnTarget.presetRights();
        if (presets.contains(grantedRight.getName())) {
            sawRight = true;
        }
    }
    assertTrue(sawRight);
}
Also used : Account(com.zimbra.cs.account.Account) GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType) EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights) InlineAttrRight(com.zimbra.cs.account.accesscontrol.InlineAttrRight) Right(com.zimbra.cs.account.accesscontrol.Right) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightCommand(com.zimbra.cs.account.accesscontrol.RightCommand) Domain(com.zimbra.cs.account.Domain) Test(org.junit.Test)

Example 15 with EffectiveRights

use of com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights in project zm-mailbox by Zimbra.

the class CollectAllEffectiveRights method computeRightsOnEntry.

/**
 * Computes the effective rights of {@code mGrantee} on one entry and records them in
 * {@code mResult}.
 *
 * <p>A fresh {@code EffectiveRights} is created from the target type code, the entry's id
 * and label, and the grantee's id and name; {@code CollectEffectiveRights} then fills it
 * in, honouring {@code mExpandSetAttrs} and {@code mExpandGetAttrs}. The result is stored
 * under the entry's label, not its id.
 *
 * @param grantedOnTargetType the target type the entry is filed under in the result
 * @param grantedOnEntry the entry whose rights are computed
 * @throws ServiceException if computing the rights fails
 */
private void computeRightsOnEntry(TargetType grantedOnTargetType, Entry grantedOnEntry) throws ServiceException {
    String entryId = TargetType.getId(grantedOnEntry);
    String entryLabel = grantedOnEntry.getLabel();

    EffectiveRights rightsOnEntry = new EffectiveRights(
            grantedOnTargetType.getCode(),
            entryId,
            entryLabel,
            mGrantee.getId(),
            mGrantee.getName());

    // fills rightsOnEntry in place
    CollectEffectiveRights.getEffectiveRights(mGrantee, grantedOnEntry, mExpandSetAttrs, mExpandGetAttrs, rightsOnEntry);

    mResult.addEntry(grantedOnTargetType, entryLabel, rightsOnEntry);
}
Also used : EffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights) AllEffectiveRights(com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)
