
Example 1 with RightModifier

use of com.zimbra.cs.account.accesscontrol.RightModifier in project zm-mailbox by Zimbra.

The class ProvUtil, method doGetGrants.

/**
 * Implements the {@code getGrants} CLI command: prints every grant that matches the
 * optional target ({@code -t}) and grantee ({@code -g}) selectors, one ACE per row.
 *
 * <p>{@code -g} may be followed by an include-groups flag: {@code 1} (the default) also
 * lists grants made to groups the grantee belongs to, {@code 0} lists only direct
 * grants. Any other value is rejected.
 *
 * @param args raw command-line arguments, parsed through {@link RightArgs}
 * @throws ServiceException if the include-groups flag is not 0 or 1, or if the
 *         provisioning lookup fails
 * @throws ArgException on malformed right arguments
 */
private void doGetGrants(String[] args) throws ServiceException, ArgException {
    RightArgs rightArgs = new RightArgs(args);
    boolean includeGroupsGranteeBelongs = true;

    while (rightArgs.hasNext()) {
        String option = rightArgs.getNextArg();
        if ("-t".equals(option)) {
            getRightArgsTarget(rightArgs);
            continue;
        }
        if (!"-g".equals(option)) {
            // Any other token is skipped.
            continue;
        }
        getRightArgsGrantee(rightArgs, true, false);
        // The include-groups flag is optional but, when a token follows the grantee, it is
        // read unconditionally - so "-g <grantee> -t ..." would reject "-t" as the flag value.
        if (rightArgs.hasNext()) {
            includeGroupsGranteeBelongs = parseIncludeGroupsFlag(rightArgs.getNextArg());
        }
    }

    TargetBy targetBy = null;
    if (rightArgs.mTargetIdOrName != null) {
        targetBy = guessTargetBy(rightArgs.mTargetIdOrName);
    }
    GranteeBy granteeBy = null;
    if (rightArgs.mGranteeIdOrName != null) {
        granteeBy = guessGranteeBy(rightArgs.mGranteeIdOrName);
    }

    RightCommand.Grants grants = prov.getGrants(rightArgs.mTargetType, targetBy, rightArgs.mTargetIdOrName,
            rightArgs.mGranteeType, granteeBy, rightArgs.mGranteeIdOrName, includeGroupsGranteeBelongs);

    final String rowFormat = "%-12.12s %-36.36s %-30.30s %-12.12s %-36.36s %-30.30s %s\n";
    console.printf(rowFormat, "target type", "target id", "target name", "grantee type", "grantee id", "grantee name", "right");
    console.printf(rowFormat, "------------", "------------------------------------", "------------------------------", "------------", "------------------------------------", "------------------------------", "--------------------");
    for (RightCommand.ACE ace : grants.getACEs()) {
        // A right modifier (e.g. deny) is rendered as a prefix on the right name.
        RightModifier modifier = ace.rightModifier();
        String prefix = (modifier == null) ? "" : String.valueOf(modifier.getModifier());
        console.printf(rowFormat, ace.targetType(), ace.targetId(), ace.targetName(),
                ace.granteeType(), ace.granteeId(), ace.granteeName(), prefix + ace.right());
    }
    console.println();
}

/**
 * Maps the {@code -g} include-groups flag to a boolean: {@code "1"} is true, {@code "0"} is false.
 *
 * @param flag the raw token following the grantee
 * @return the parsed flag
 * @throws ServiceException if the token is neither 0 nor 1
 */
private static boolean parseIncludeGroupsFlag(String flag) throws ServiceException {
    if ("1".equals(flag)) {
        return true;
    }
    if ("0".equals(flag)) {
        return false;
    }
    throw ServiceException.INVALID_REQUEST("invalid value for the include group flag, must be 0 or 1", null);
}

Example 2 with RightModifier

use of com.zimbra.cs.account.accesscontrol.RightModifier in project zm-mailbox by Zimbra.

The class GrantRights, method handleACE.

/**
 * Builds a {@link ZimbraACE} from one {@code <ace>} element of a grant/revoke request,
 * resolving the grantee to a zimbraId according to its grantee type.
 *
 * <p>Resolution rules, in the order they are tried:
 * <ul>
 *   <li>{@code GT_AUTHUSER} / {@code GT_PUBLIC}: fixed well-known ids from {@link GuestAccount}.</li>
 *   <li>{@code GT_GUEST}: the display name must contain an {@code @}; if it resolves to an
 *       internal user or distribution list the ACE is re-typed to usr/grp, otherwise the
 *       guest password becomes the ACE secret.</li>
 *   <li>{@code GT_KEY}: the display name is taken as-is and the optional access key is the secret.</li>
 *   <li>a {@code zid} attribute, when present, is looked up directly by id;</li>
 *   <li>otherwise the display name is looked up by name; a usr grantee that resolves to a
 *       group is rejected when {@code checkGranteeType} is set, else re-typed to grp.</li>
 * </ul>
 *
 * @param eACE the {@code <ace>} element
 * @param zsc SOAP context, used for the by-name lookups
 * @param granting true if granting, false if revoking (passed to the by-id lookup)
 * @return the ACE to apply; its modifier is {@code RM_DENY} when {@code deny} is set, else null
 * @throws ServiceException on an unknown right, an invalid guest id, a failed lookup,
 *         or a grantee-type mismatch with {@code checkGranteeType} set
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    // Interface and parameter checking style was modeled after FolderAction,
    // not admin Grant/RevokeRight
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(AccountConstants.A_RIGHT));
    GranteeType granteeType = GranteeType.fromCode(eACE.getAttribute(AccountConstants.A_GRANT_TYPE));
    String granteeId = eACE.getAttribute(AccountConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(AccountConstants.A_DENY, false);
    boolean checkGranteeType = eACE.getAttributeBool(AccountConstants.A_CHECK_GRANTEE_TYPE, false);
    String secret = null;

    if (granteeType == GranteeType.GT_AUTHUSER) {
        granteeId = GuestAccount.GUID_AUTHUSER;
    } else if (granteeType == GranteeType.GT_PUBLIC) {
        granteeId = GuestAccount.GUID_PUBLIC;
    } else if (granteeType == GranteeType.GT_GUEST) {
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        if (granteeId == null || granteeId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        // A "guest" that is really an internal account is re-typed to usr/grp.
        try {
            NamedEntry internal = lookupGranteeByName(granteeId, GranteeType.GT_USER, zsc);
            granteeId = internal.getId();
            granteeType = (internal instanceof DistributionList) ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException notInternal) {
            // Expected path: the name is not an internal account, so the guest password
            // becomes the secret. NOTE(review): the catch is broader than that - any
            // ServiceException raised by the lookup (not only a not-found) lands here and is
            // treated as "external guest"; confirm whether a failed lookup should propagate.
            secret = eACE.getAttribute(AccountConstants.A_PASSWORD);
        }
    } else if (granteeType == GranteeType.GT_KEY) {
        // Key grantees: the display name need not be an email address and is never
        // re-typed to an internal user; the access key is optional.
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        secret = eACE.getAttribute(AccountConstants.A_ACCESSKEY, null);
    } else if (granteeId != null) {
        // Looked up for validation only; the resolved entry is not needed afterwards.
        lookupGranteeByZimbraId(granteeId, granteeType, granting);
    } else {
        String display = eACE.getAttribute(AccountConstants.A_DISPLAY);
        NamedEntry entry = lookupGranteeByName(display, granteeType, zsc);
        granteeId = entry.getId();
        // A "usr" grantee that resolves to a group is either rejected or re-typed to "grp".
        if (granteeType == GranteeType.GT_USER && entry instanceof Group) {
            if (checkGranteeType) {
                throw AccountServiceException.INVALID_REQUEST(display + " is not a valid grantee for grantee type '" + granteeType.getCode() + "'.", null);
            }
            granteeType = GranteeType.GT_GROUP;
        }
    }

    RightModifier modifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(granteeId, granteeType, right, modifier, secret);
}

Example 3 with RightModifier

use of com.zimbra.cs.account.accesscontrol.RightModifier in project zm-mailbox by Zimbra.

The class GrantRight, method getRightModifier.

/**
 * Translates the boolean modifier flags of a right element into the single
 * {@link RightModifier} they denote.
 *
 * <p>At most one of {@code deny}, {@code canDelegate}, {@code disinheritSubGroups} and
 * {@code subDomain} may be set; an absent flag counts as false.
 *
 * @param eRight the right element carried by a grant/revoke request
 * @return the matching modifier, or {@code null} when no flag is set
 * @throws ServiceException if more than one flag is set
 */
static RightModifier getRightModifier(RightModifierInfo eRight) throws ServiceException {
    // Parallel arrays: flags[i] selects modifiers[i].
    boolean[] flags = {
        ZmBoolean.toBool(eRight.getDeny(), false),
        ZmBoolean.toBool(eRight.getCanDelegate(), false),
        ZmBoolean.toBool(eRight.getDisinheritSubGroups(), false),
        ZmBoolean.toBool(eRight.getSubDomain(), false),
    };
    RightModifier[] modifiers = {
        RightModifier.RM_DENY,
        RightModifier.RM_CAN_DELEGATE,
        RightModifier.RM_DISINHERIT_SUB_GROUPS,
        RightModifier.RM_SUBDOMAIN,
    };

    RightModifier selected = null;
    int setCount = 0;
    for (int i = 0; i < flags.length; i++) {
        if (!flags[i]) {
            continue;
        }
        setCount++;
        if (selected == null) {
            selected = modifiers[i];
        }
    }
    // Conflicting flags are rejected before the caller can act on any of them.
    if (setCount > 1) {
        throw ServiceException.INVALID_REQUEST("can only have one modifier", null);
    }
    return selected;
}

Example 4 with RightModifier

use of com.zimbra.cs.account.accesscontrol.RightModifier in project zm-mailbox by Zimbra.

The class GrantPermission, method handleACE.

/**
 * Builds a {@link ZimbraACE} from one {@code <ace>} element of a grant/revoke permission
 * request, resolving the grantee to a zimbraId according to its grantee type.
 * Modeled on FolderAction.
 *
 * <p>Resolution rules, in the order they are tried:
 * <ul>
 *   <li>{@code GT_AUTHUSER} / {@code GT_PUBLIC}: fixed well-known ids from {@link GuestAccount}.</li>
 *   <li>{@code GT_GUEST}: the display name must contain an {@code @}; if it resolves to an
 *       internal user or distribution list the ACE is re-typed to usr/grp, otherwise the
 *       guest password becomes the ACE secret.</li>
 *   <li>{@code GT_KEY}: the display name is taken as-is and the optional access key is the secret.</li>
 *   <li>a {@code zid} attribute, when present, is looked up directly by id;</li>
 *   <li>otherwise the display name is looked up by name; a usr grantee that resolves to a
 *       distribution list is re-typed to grp.</li>
 * </ul>
 *
 * @param eACE the {@code <ace>} element
 * @param zsc SOAP context, used for the by-name lookups
 * @param granting true if granting, false if revoking (passed to the by-id lookup)
 * @return the ACE to apply; its modifier is {@code RM_DENY} when {@code deny} is set, else null
 * @throws ServiceException on an unknown right, an invalid guest id, or a failed lookup
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(MailConstants.A_RIGHT));
    GranteeType granteeType = GranteeType.fromCode(eACE.getAttribute(MailConstants.A_GRANT_TYPE));
    String granteeId = eACE.getAttribute(MailConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(MailConstants.A_DENY, false);
    String secret = null;

    if (granteeType == GranteeType.GT_AUTHUSER) {
        granteeId = GuestAccount.GUID_AUTHUSER;
    } else if (granteeType == GranteeType.GT_PUBLIC) {
        granteeId = GuestAccount.GUID_PUBLIC;
    } else if (granteeType == GranteeType.GT_GUEST) {
        granteeId = eACE.getAttribute(MailConstants.A_DISPLAY);
        if (granteeId == null || granteeId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        // A "guest" that is really an internal account is re-typed to usr/grp.
        try {
            NamedEntry internal = lookupGranteeByName(granteeId, GranteeType.GT_USER, zsc);
            granteeId = internal.getId();
            granteeType = (internal instanceof DistributionList) ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException notInternal) {
            // Expected path: the name is not an internal account, so the guest password
            // becomes the secret. NOTE(review): the catch is broader than that - any
            // ServiceException raised by the lookup (not only a not-found) lands here and is
            // treated as "external guest"; confirm whether a failed lookup should propagate.
            secret = eACE.getAttribute(MailConstants.A_PASSWORD);
        }
    } else if (granteeType == GranteeType.GT_KEY) {
        // Key grantees: the display name need not be an email address and is never
        // re-typed to an internal user; the access key is optional.
        granteeId = eACE.getAttribute(MailConstants.A_DISPLAY);
        secret = eACE.getAttribute(MailConstants.A_ACCESSKEY, null);
    } else if (granteeId != null) {
        // Looked up for validation only; the resolved entry is not needed afterwards.
        lookupGranteeByZimbraId(granteeId, granteeType, granting);
    } else {
        NamedEntry entry = lookupGranteeByName(eACE.getAttribute(MailConstants.A_DISPLAY), granteeType, zsc);
        granteeId = entry.getId();
        // A "usr" grantee that resolves to a distribution list is re-typed to "grp".
        if (granteeType == GranteeType.GT_USER && entry instanceof DistributionList) {
            granteeType = GranteeType.GT_GROUP;
        }
    }

    RightModifier modifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(granteeId, granteeType, right, modifier, secret);
}

Example 5 with RightModifier

use of com.zimbra.cs.account.accesscontrol.RightModifier in project zm-mailbox by Zimbra.

The class RevokeRight, method handle.

/**
 * Handles a {@code RevokeRightRequest}: converts the right's modifier flags into a
 * {@link RightModifier} and delegates the revocation to {@code RightCommand.revokeRight}.
 *
 * @param request the SOAP request element
 * @param context the SOAP engine context, from which the {@link ZimbraSoapContext} is taken
 * @return an empty {@code RevokeRightResponse} element
 * @throws ServiceException if the request cannot be converted, more than one modifier
 *         flag is set, or {@code RightCommand} rejects the revocation
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    RevokeRightRequest rrReq = zsc.elementToJaxb(request);
    // Modifier flags are validated (at most one) before anything is touched.
    RightModifier modifier = GrantRight.getRightModifier(rrReq.getRight());
    // Authorization for the revoke is enforced inside RightCommand, not here.
    RightCommand.revokeRight(Provisioning.getInstance(), getAuthenticatedAccount(zsc),
            rrReq.getTarget(), rrReq.getGrantee(), rrReq.getRight().getValue(), modifier);
    return zsc.createElement(AdminConstants.REVOKE_RIGHT_RESPONSE);
}
