
Example 16 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class TestACLAll method testGrantee.

/*
     * test a particular grantee type and a range of rights for all target types
     */
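private void testGrantee() throws Exception {
    // Long-running sweep: LONG_TEST is passed as the skip reason
    // (presumably this bails out on a real LDAP server - confirm in the helper).
    SKIP_FOR_REAL_LDAP_SERVER(SkipTestReason.LONG_TEST);

    /*
     * Grantee type under test. Change this assignment to sweep another one;
     * the candidates listed by the original author are:
     *   TestGranteeType.GRANTEE_DYNAMIC_GROUP
     *   GT_USER
     *   GT_GROUP
     *   GT_EXT_GROUP
     *   GT_AUTHUSER
     *   GT_DOMAIN
     *   GT_GUEST
     *   GT_KEY
     *   GT_PUBLIC
     */
    TestGranteeType granteeType = TestGranteeType.GRANTEE_DYNAMIC_GROUP;

    // Every entry of `rights` is exercised. The former beginRight/endRight
    // locals were never read by the loops, so they are gone; the denominator
    // below matches the number of doTest calls actually made.
    int totalTests = TargetType.values().length * rights.size();
    int curTest = 1;
    for (TargetType targetType : TargetType.values()) {
        for (Right right : rights) {
            // Progress label is "<n>/<total>".
            String progress = (curTest++) + "/" + totalTests;
            // Last argument is always false here (appears to be doTest's skip
            // switch - confirm against doTest).
            doTest(progress, targetType, granteeType, right, false);
        }
    }
}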
Also used : TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType) ComboRight(com.zimbra.cs.account.accesscontrol.ComboRight) CheckRight(com.zimbra.cs.account.accesscontrol.CheckRight) UserRight(com.zimbra.cs.account.accesscontrol.UserRight) AttrRight(com.zimbra.cs.account.accesscontrol.AttrRight) PresetRight(com.zimbra.cs.account.accesscontrol.PresetRight) Right(com.zimbra.cs.account.accesscontrol.Right)

Example 17 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class TestACLAll method testRight.

/*
     * test a particular right for all target types and grantee types
     */
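private void testRight() throws Exception {
    // Long-running sweep: LONG_TEST is passed as the skip reason
    // (presumably this bails out on a real LDAP server - confirm in the helper).
    SKIP_FOR_REAL_LDAP_SERVER(SkipTestReason.LONG_TEST);

    // The single right checked against every (target type, grantee type) pair.
    Right right = ACLTestUtil.ADMIN_COMBO_ACCOUNT;

    // One doTest call per (target type, grantee type) pair. The previous
    // denominator also multiplied by rights.size(), although only one right is
    // iterated here, so the "<n>/<total>" label never reached its total and a
    // truncated ACL sweep was hard to tell from a complete one.
    int totalTests = TargetType.values().length * TestGranteeType.TEST_GRANTEE_TYPES.size();
    int curTest = 1;
    for (TargetType targetType : TargetType.values()) {
        for (TestGranteeType granteeType : TestGranteeType.TEST_GRANTEE_TYPES) {
            // Excluded grantee types are still passed to doTest, with the skip
            // flag set, so the running counter stays aligned with totalTests.
            boolean skip = EXCLUDE_GRANTEE_TYPES.contains(granteeType.getCode());
            doTest((curTest++) + "/" + totalTests, targetType, granteeType, right, skip);
        }
    }
}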
Also used : ComboRight(com.zimbra.cs.account.accesscontrol.ComboRight) CheckRight(com.zimbra.cs.account.accesscontrol.CheckRight) UserRight(com.zimbra.cs.account.accesscontrol.UserRight) AttrRight(com.zimbra.cs.account.accesscontrol.AttrRight) PresetRight(com.zimbra.cs.account.accesscontrol.PresetRight) Right(com.zimbra.cs.account.accesscontrol.Right) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType)

Example 18 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class TestACLAll method expectedIsUserRightGrantableOnTargetType.

/**
 * Test oracle: returns whether the test expects {@code userRight} to be
 * grantable on an entry of type {@code targetType}.
 *
 * <p>The answer depends on the right's own target type
 * ({@code getTargetType()}) and on its optional grant target type
 * ({@code getGrantTargetType()}, which may be {@code null}). Only rights
 * whose target type is account, dl or domain are handled; every other
 * target type ends in {@code fail()}.
 *
 * <p>NOTE(review): this table is the expectation the ACL code is compared
 * against, so an entry that is too permissive here would hide an
 * over-permissive grant check rather than catch it.
 *
 * @param userRight  the user right being examined
 * @param targetType the type of the entry the grant would be placed on
 * @return {@code true} if a grant on {@code targetType} is expected to be allowed
 */
private boolean expectedIsUserRightGrantableOnTargetType(UserRight userRight, TargetType targetType) throws Exception {
    final TargetType executedOn = userRight.getTargetType();
    final TargetType grantLimit = userRight.getGrantTargetType();

    // Groupings of the candidate target type that recur in the table below.
    final boolean accountLike = targetType == TargetType.account || targetType == TargetType.calresource;
    final boolean groupLike = targetType == TargetType.dl || targetType == TargetType.group;
    final boolean domainLevel = targetType == TargetType.domain;
    final boolean globalLevel = targetType == TargetType.global;

    switch (executedOn) {
        case account:
            if (grantLimit == null) {
                // No explicit grant target: any of the listed levels is accepted.
                return accountLike || groupLike || domainLevel || globalLevel;
            }
            if (grantLimit == TargetType.account) {
                return accountLike;
            }
            if (grantLimit == TargetType.dl) {
                return groupLike;
            }
            if (grantLimit == TargetType.domain) {
                return domainLevel;
            }
            if (grantLimit == TargetType.global) {
                return globalLevel;
            }
            return false;
        // The next two labels have no break or return: they rely on fail()
        // not returning normally (presumably it throws - confirm which fail()
        // is in scope). If it ever returned, control would fall into `dl`.
        case calresource:
            fail();
        case cos:
            fail();
        case dl:
            if (grantLimit == null) {
                return groupLike || domainLevel || globalLevel;
            }
            if (grantLimit == TargetType.dl) {
                return groupLike;
            }
            if (grantLimit == TargetType.domain) {
                return domainLevel;
            }
            if (grantLimit == TargetType.global) {
                return globalLevel;
            }
            return false;
        case domain:
            if (grantLimit == null) {
                return domainLevel || globalLevel;
            }
            return grantLimit == TargetType.global && globalLevel;
        default:
            // Covers group, server, alwaysoncluster, ucservice, xmppcomponent,
            // zimlet, config, global and anything else: not expected for a
            // user right in this test.
            fail();
    }
    return false;
}
Also used : TargetType(com.zimbra.cs.account.accesscontrol.TargetType) RightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType) DomainedRightsByTargetType(com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType)

Example 19 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class CheckRights method handle.

/**
 * Answers a check-rights request: for each requested target, reports per
 * right whether the caller's auth token is allowed that right on the target,
 * plus a combined allow flag per target.
 *
 * <p>Target type, lookup key and right names all come from the request
 * element, i.e. from the caller. Each decision is taken by
 * {@code AccessManager.canDo} against the auth token of the SOAP context.
 *
 * @param request the request element, holding target elements with nested right elements
 * @param context the handler context from which the SOAP context is obtained
 * @return the response element listing every target and its per-right results
 * @throws ServiceException INVALID_REQUEST when a target names no right; other
 *         failures may come from the lookups called here
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Provisioning prov = Provisioning.getInstance();

    // Pass 1: parse and resolve every requested target before answering any of them.
    List<RequestedTarget> parsedTargets = Lists.newArrayList();
    for (Element eTarget : request.listElements(AccountConstants.E_TARGET)) {
        TargetType targetType = TargetType.fromCode(eTarget.getAttribute(AccountConstants.A_TYPE));
        TargetBy targetBy = TargetBy.fromString(eTarget.getAttribute(AccountConstants.A_BY));
        String key = eTarget.getAttribute(AccountConstants.A_KEY);
        Entry resolved = findEntry(prov, targetType, targetBy, key);
        RequestedTarget parsed = new RequestedTarget(resolved, targetType, targetBy, key);
        parsedTargets.add(parsed);
        for (Element eRight : eTarget.listElements(AccountConstants.E_RIGHT)) {
            // Only user rights are accepted here, not admin rights; the lookup
            // goes through getUserRight (presumably it rejects other names -
            // confirm in RightManager).
            UserRight requested = RightManager.getInstance().getUserRight(eRight.getText());
            parsed.addRight(requested);
        }
        if (parsed.getRights().size() == 0) {
            throw ServiceException.INVALID_REQUEST("missing right for target: " + key, null);
        }
    }

    // Pass 2: evaluate each right and echo the target identification back.
    Element response = zsc.createElement(AccountConstants.CHECK_RIGHTS_RESPONSE);
    AccessManager accessMgr = AccessManager.getInstance();
    for (RequestedTarget parsed : parsedTargets) {
        Entry targetEntry = parsed.getTargetEntry();
        Element eTarget = response.addElement(AccountConstants.E_TARGET);
        eTarget.addAttribute(AccountConstants.A_TYPE, parsed.getTargetType().getCode());
        eTarget.addAttribute(AccountConstants.A_BY, parsed.getTargetBy().name());
        eTarget.addAttribute(AccountConstants.A_KEY, parsed.getTargetKey());

        boolean allAllowed = true;
        for (UserRight right : parsed.getRights()) {
            boolean allow = accessMgr.canDo(zsc.getAuthToken(), targetEntry, right, false);
            // A delegated-send right looked up by name is narrowed further:
            // the requested key must also be an allowed send address of the
            // target. This check can only turn an allow into a deny.
            boolean narrowToAddress = allow
                    && DiscoverRights.isDelegatedSendRight(right)
                    && TargetBy.name == parsed.getTargetBy();
            if (narrowToAddress) {
                allow = AccountUtil.isAllowedSendAddress((NamedEntry) targetEntry, parsed.getTargetKey());
            }
            eTarget.addElement(AccountConstants.E_RIGHT)
                    .addAttribute(AccountConstants.A_ALLOW, allow)
                    .setText(right.getName());
            allAllowed &= allow;
        }
        // The target-level flag is true only if every requested right was allowed.
        eTarget.addAttribute(AccountConstants.A_ALLOW, allAllowed);
    }
    return response;
}
Also used : AccessManager(com.zimbra.cs.account.AccessManager) UserRight(com.zimbra.cs.account.accesscontrol.UserRight) Element(com.zimbra.common.soap.Element) TargetBy(com.zimbra.soap.type.TargetBy) Provisioning(com.zimbra.cs.account.Provisioning) NamedEntry(com.zimbra.cs.account.NamedEntry) NamedEntry(com.zimbra.cs.account.NamedEntry) Entry(com.zimbra.cs.account.Entry) ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext) TargetType(com.zimbra.cs.account.accesscontrol.TargetType)

Example 20 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class DiscoverRights method discoverRights.

/**
 * Adds to {@code eParent} one targets element per discovered right, each
 * listing the entries on which {@code account} holds that right.
 *
 * <p>Targets are ordered by display name using the account's locale. For
 * delegated-send rights each target carries its allowed send addresses (and
 * a display name); for other rights a named target carries id, name and,
 * for accounts and groups, display name, while an unnamed target carries
 * only its label.
 *
 * @param account  the account whose rights are discovered
 * @param rights   the rights to look for
 * @param eParent  the element that receives the result elements
 * @param onMaster passed through to {@code discoverUserRights}
 * @throws ServiceException FAILURE if a delegated-send target is neither an
 *         account nor a group; other failures may come from the calls made here
 */
public static void discoverRights(Account account, Set<Right> rights, Element eParent, boolean onMaster) throws ServiceException {
    AccessManager accessMgr = AccessManager.getInstance();
    Map<Right, Set<Entry>> targetsByRight = accessMgr.discoverUserRights(account, rights, onMaster);
    Locale displayLocale = account.getLocale();

    for (Map.Entry<Right, Set<Entry>> discovered : targetsByRight.entrySet()) {
        Right right = discovered.getKey();
        List<Entry> orderedTargets = Entry.sortByDisplayName(discovered.getValue(), displayLocale);
        boolean delegatedSend = isDelegatedSendRight(right);

        Element eTargets = eParent.addElement(AccountConstants.E_TARGETS);
        eTargets.addAttribute(AccountConstants.A_RIGHT, right.getName());

        for (Entry target : orderedTargets) {
            TargetType targetType = TargetType.getTargetType(target);
            Element eTarget = eTargets.addElement(AccountConstants.E_TARGET);
            eTarget.addAttribute(AccountConstants.A_TYPE, targetType.getCode());

            boolean isAccount = target instanceof Account;
            boolean isGroup = target instanceof Group;

            if (delegatedSend) {
                // Delegated send only makes sense on an account or a group;
                // anything else is reported as an internal failure.
                if (!isAccount && !isGroup) {
                    throw ServiceException.FAILURE("internal error, target for " + " delegated send rights must be account or group", null);
                }
                // Id and name are not written in this branch, only the
                // addresses the caller may send as plus the display name.
                for (String addr : AccountUtil.getAllowedSendAddresses((NamedEntry) target)) {
                    eTarget.addElement(AccountConstants.E_EMAIL).addAttribute(AccountConstants.A_ADDR, addr);
                }
                if (isAccount) {
                    eTarget.addAttribute(AccountConstants.A_DISPLAY, ((Account) target).getDisplayName());
                } else if (isGroup) {
                    eTarget.addAttribute(AccountConstants.A_DISPLAY, ((Group) target).getDisplayName());
                }
            } else if (target instanceof NamedEntry) {
                NamedEntry named = (NamedEntry) target;
                eTarget.addAttribute(AccountConstants.A_ID, named.getId());
                eTarget.addAttribute(AccountConstants.A_NAME, named.getName());
                if (isAccount) {
                    eTarget.addAttribute(AccountConstants.A_DISPLAY, ((Account) target).getDisplayName());
                } else if (isGroup) {
                    eTarget.addAttribute(AccountConstants.A_DISPLAY, ((Group) target).getDisplayName());
                }
            } else {
                // Entries without id/name are identified by their label only.
                eTarget.addAttribute(AccountConstants.A_NAME, target.getLabel());
            }
        }
    }
}
Also used : AccessManager(com.zimbra.cs.account.AccessManager) Locale(java.util.Locale) Account(com.zimbra.cs.account.Account) Group(com.zimbra.cs.account.Group) Set(java.util.Set) Element(com.zimbra.common.soap.Element) UserRight(com.zimbra.cs.account.accesscontrol.UserRight) Right(com.zimbra.cs.account.accesscontrol.Right) NamedEntry(com.zimbra.cs.account.NamedEntry) NamedEntry(com.zimbra.cs.account.NamedEntry) Entry(com.zimbra.cs.account.Entry) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) Map(java.util.Map)

Aggregations

TargetType (com.zimbra.cs.account.accesscontrol.TargetType)23 RightsByTargetType (com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType)13 DomainedRightsByTargetType (com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType)11 Right (com.zimbra.cs.account.accesscontrol.Right)7 UserRight (com.zimbra.cs.account.accesscontrol.UserRight)7 Element (com.zimbra.common.soap.Element)6 Account (com.zimbra.cs.account.Account)4 Entry (com.zimbra.cs.account.Entry)4 NamedEntry (com.zimbra.cs.account.NamedEntry)4 Provisioning (com.zimbra.cs.account.Provisioning)4 AttrRight (com.zimbra.cs.account.accesscontrol.AttrRight)4 CheckRight (com.zimbra.cs.account.accesscontrol.CheckRight)4 ComboRight (com.zimbra.cs.account.accesscontrol.ComboRight)4 PresetRight (com.zimbra.cs.account.accesscontrol.PresetRight)4 RightCommand (com.zimbra.cs.account.accesscontrol.RightCommand)4 AllEffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights)4 EffectiveRights (com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights)4 Map (java.util.Map)4 AccessManager (com.zimbra.cs.account.AccessManager)3 ZimbraSoapContext (com.zimbra.soap.ZimbraSoapContext)3