
Example 21 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class CheckPermission method handle.

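/**
 * Answers a CheckPermission request: resolves the target named in the request, then
 * reports for each requested right whether the holder of the request's auth token may
 * exercise it on that target.
 *
 * <p>Only account, calendar resource and distribution list targets are accepted. A lookup
 * by id that finds nothing is an error; a lookup by any other key that finds nothing
 * leaves the target {@code null} and the rights are still evaluated against it.
 *
 * @param request the SOAP request carrying one target element and any number of right elements
 * @param context the SOAP invocation context
 * @return the response element, with one right element per requested right
 * @throws ServiceException if the target type is not supported, or a target addressed by id
 *         does not exist
 */
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Provisioning prov = Provisioning.getInstance();
    Element eTarget = request.getElement(MailConstants.E_TARGET);
    String targetType = eTarget.getAttribute(MailConstants.A_TARGET_TYPE);
    TargetType tt = TargetType.fromCode(targetType);
    String targetBy = eTarget.getAttribute(MailConstants.A_TARGET_BY);
    String targetValue = eTarget.getText();
    NamedEntry entry = null;
    Element response = zsc.createElement(MailConstants.CHECK_PERMISSION_RESPONSE);
    if (TargetType.account == tt) {
        AccountBy acctBy = AccountBy.fromString(targetBy);
        entry = prov.get(acctBy, targetValue, zsc.getAuthToken());
        if (entry == null && acctBy == AccountBy.id) {
            throw AccountServiceException.NO_SUCH_ACCOUNT(targetValue);
        }
        // otherwise, the target could be an external user, let it fall through
        // to return the default permission.
    } else if (TargetType.calresource == tt) {
        Key.CalendarResourceBy crBy = Key.CalendarResourceBy.fromString(targetBy);
        entry = prov.get(crBy, targetValue);
        if (entry == null && crBy == Key.CalendarResourceBy.id) {
            throw AccountServiceException.NO_SUCH_CALENDAR_RESOURCE(targetValue);
        }
    } else if (TargetType.dl == tt) {
        Key.DistributionListBy dlBy = Key.DistributionListBy.fromString(targetBy);
        entry = prov.getGroupBasic(dlBy, targetValue);
        if (entry == null && dlBy == Key.DistributionListBy.id) {
            // A missing distribution list must not be reported as a missing calendar
            // resource: clients and audit logs key off the fault code.
            throw AccountServiceException.NO_SUCH_DISTRIBUTION_LIST(targetValue);
        }
    } else {
        throw ServiceException.INVALID_REQUEST("invalid target type: " + targetType, null);
    }
    // Resolve every requested right before evaluating any of them.
    List<UserRight> rights = new ArrayList<UserRight>();
    for (Element eRight : request.listElements(MailConstants.E_RIGHT)) {
        UserRight r = RightManager.getInstance().getUserRight(eRight.getText());
        rights.add(r);
    }
    boolean finalResult = true;
    AccessManager am = AccessManager.getInstance();
    for (UserRight right : rights) {
        // NOTE(review): entry is null here when a non-id lookup found nothing (for all
        // three target types, not only accounts); confirm AccessManager.canDo denies, or
        // applies only the intended default, for a null target.
        boolean allow = am.canDo(zsc.getAuthToken(), entry, right, false);
        // For a delegated-send right checked against a target addressed by name, the
        // grant alone is not enough: the name must also pass isAllowedSendAddress for
        // the resolved entry.
        if (allow && DiscoverRights.isDelegatedSendRight(right) && TargetBy.name.name().equals(targetBy)) {
            allow = AccountUtil.isAllowedSendAddress(entry, targetValue);
        }
        response.addElement(MailConstants.E_RIGHT).addAttribute(MailConstants.A_ALLOW, allow).setText(right.getName());
        // The overall result is true only if every requested right is allowed.
        finalResult = finalResult && allow;
    }
    return returnResponse(response, finalResult);
}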
Also used : AccessManager(com.zimbra.cs.account.AccessManager) UserRight(com.zimbra.cs.account.accesscontrol.UserRight) Element(com.zimbra.common.soap.Element) ArrayList(java.util.ArrayList) Provisioning(com.zimbra.cs.account.Provisioning) AccountBy(com.zimbra.common.account.Key.AccountBy) NamedEntry(com.zimbra.cs.account.NamedEntry) ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) Key(com.zimbra.common.account.Key)

Example 22 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class TestACLGrant method testAccountRight.

/**
 * Runs doTargetTest for account-scoped rights (preset, getAttrs, setAttrs, combo) and for
 * rights spanning account and cos, each time against an expected set of target types.
 */
public void testAccountRight() throws Exception {
    String caseName = getTestName();

    // Account the checks are run as.
    Account authed = getSystemAdminAccount(getEmailAddr(caseName, "authed"));

    // Grantee used in every check.
    Account grantee = createAdminAccount(getEmailAddr(caseName, "GA"));

    // Target types handed to doTargetTest as the expectation.
    // NOTE(review): presumably the target types on which the right may be granted;
    // confirm against doTargetTest.
    Set<TargetType> expectedTargets = new HashSet<TargetType>();

    // --- rights defined on a single target type (account) ---
    expectedTargets.add(TargetType.account);
    expectedTargets.add(TargetType.calresource);
    expectedTargets.add(TargetType.dl);
    expectedTargets.add(TargetType.domain);
    expectedTargets.add(TargetType.global);

    // preset
    doTargetTest(authed, grantee, getRight("test-preset-account"), expectedTargets);

    // getAttrs, named and inline
    doTargetTest(authed, grantee, getRight("test-getAttrs-account"), expectedTargets);
    doTargetTest(authed, grantee, getRight(inlineRightGet(TargetType.account, "description")), expectedTargets);

    // setAttrs, named and inline
    doTargetTest(authed, grantee, getRight("test-setAttrs-account"), expectedTargets);
    doTargetTest(authed, grantee, getRight(inlineRightSet(TargetType.account, "description")), expectedTargets);

    // combo
    doTargetTest(authed, grantee, getRight("test-combo-account"), expectedTargets);

    // --- rights defined on several target types (account and cos) ---
    expectedTargets.clear();
    expectedTargets.add(TargetType.account);
    expectedTargets.add(TargetType.cos);
    expectedTargets.add(TargetType.calresource);
    expectedTargets.add(TargetType.dl);
    expectedTargets.add(TargetType.domain);
    expectedTargets.add(TargetType.global);
    doTargetTest(authed, grantee, getRight("test-getAttrs-accountCos"), expectedTargets);
    doTargetTest(authed, grantee, getRight("test-setAttrs-accountCos"), expectedTargets);

    // The combo of account, cos and accountCos rights is expected on global only.
    expectedTargets.clear();
    expectedTargets.add(TargetType.global);
    doTargetTest(authed, grantee, getRight("test-combo-account-cos-accountCos"), expectedTargets);
}
Also used : Account(com.zimbra.cs.account.Account) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) HashSet(java.util.HashSet)

Example 23 with TargetType

use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.

the class GetRightsDoc method genDomainAdminRights.

//  handle dynamic group
/**
 * Writes a template of domain-admin combo rights into {@code response}, one combo right
 * per target type that has at least one member right.
 *
 * <p>Member rights come from two places: a fixed set of domain-admin attribute rights, and
 * the rights documented by every registered handler that is both an AdminRightCheckPoint
 * and an AdminDocumentHandler and for which {@code domainAuthSufficient(context)} holds.
 * From those handlers only preset rights and attr rights are collected; any other kind of
 * right is skipped.
 *
 * @param context the SOAP invocation context; must hold the SoapEngine under
 *        {@code SoapEngine.ZIMBRA_ENGINE}
 * @param response element the template is appended to
 * @throws ServiceException declared for the calls made here
 */
@ACLTODO
private void genDomainAdminRights(Map<String, Object> context, Element response) throws ServiceException {
    Element templateRoot = response.addElement("domainAdmin-copypaste-to-zimbra-rights-domainadmin-xml-template");
    SoapEngine soapEngine = (SoapEngine) context.get(SoapEngine.ZIMBRA_ENGINE);
    DocumentDispatcher docDispatcher = soapEngine.getDocumentDispatcher();
    Map<QName, DocumentHandler> registered = docDispatcher.getHandlers();

    // Sorted map of target type -> sorted set of right names; every target type gets a
    // (possibly empty) set up front so later lookups never miss.
    Map<TargetType, TreeSet<String>> namesByTarget = new TreeMap<TargetType, TreeSet<String>>();
    for (TargetType targetType : TargetType.values()) {
        namesByTarget.put(targetType, new TreeSet<String>());
    }

    // add our domain admin attr rights, which are generated by RightManager
    namesByTarget.get(TargetType.account).add(Admin.R_setDomainAdminAccountAndCalendarResourceAttrs.getName());
    namesByTarget.get(TargetType.calresource).add(Admin.R_setDomainAdminAccountAndCalendarResourceAttrs.getName());
    namesByTarget.get(TargetType.calresource).add(Admin.R_setDomainAdminCalendarResourceAttrs.getName());
    namesByTarget.get(TargetType.dl).add(Admin.R_setDomainAdminDistributionListAttrs.getName());
    namesByTarget.get(TargetType.domain).add(Admin.R_setDomainAdminDomainAttrs.getName());

    for (DocumentHandler candidate : registered.values()) {
        // only works for AdminDocumentHandler
        boolean documentsAdminRights =
                candidate instanceof AdminRightCheckPoint && candidate instanceof AdminDocumentHandler;
        if (!documentsAdminRights) {
            continue;
        }
        AdminDocumentHandler adminHandler = (AdminDocumentHandler) candidate;
        // Handlers that need more than domain-admin auth contribute nothing.
        if (!adminHandler.domainAuthSufficient(context)) {
            continue;
        }
        List<AdminRight> documented = new ArrayList<AdminRight>();
        // docRights takes a notes list as well; its contents are not used here.
        List<String> notes = new ArrayList<String>();
        adminHandler.docRights(documented, notes);
        for (AdminRight right : documented) {
            if (right.isPresetRight()) {
                namesByTarget.get(right.getTargetType()).add(right.getName());
            } else if (right.isAttrRight()) {
                for (TargetType targetType : ((AttrRight) right).getTargetTypes()) {
                    namesByTarget.get(targetType).add(right.getName());
                }
            }
        }
    }

    for (Map.Entry<TargetType, TreeSet<String>> bucket : namesByTarget.entrySet()) {
        TreeSet<String> names = bucket.getValue();
        if (names.isEmpty()) {
            continue;
        }
        TargetType targetType = bucket.getKey();
        Element eRight = templateRoot.addElement("right")
                .addAttribute("name", "domainAdmin" + targetType.getPrettyName() + "Rights")
                .addAttribute("type", "combo");
        eRight.addElement("desc").setText("domain admin " + targetType.getCode() + " right");
        Element eRights = eRight.addElement("rights");
        for (String name : names) {
            eRights.addElement("r").addAttribute("n", name);
        }
    }
}
Also used : Set(java.util.Set) TreeSet(java.util.TreeSet) HashSet(java.util.HashSet) QName(org.dom4j.QName) Element(com.zimbra.common.soap.Element) ArrayList(java.util.ArrayList) SoapEngine(com.zimbra.soap.SoapEngine) TreeMap(java.util.TreeMap) DocumentHandler(com.zimbra.soap.DocumentHandler) AdminRight(com.zimbra.cs.account.accesscontrol.AdminRight) TreeSet(java.util.TreeSet) DocumentDispatcher(com.zimbra.soap.DocumentDispatcher) TargetType(com.zimbra.cs.account.accesscontrol.TargetType) HashMap(java.util.HashMap) TreeMap(java.util.TreeMap) Map(java.util.Map)
