use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.
the class CheckPermission method handle.
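/**
 * Handles a CheckPermissionRequest: resolves the target entry named in the request and
 * reports, for each requested right, whether the authenticated account may exercise it on
 * that target.
 *
 * <p>Target resolution is deliberately lenient when the target is addressed by name: an
 * account, calendar resource or distribution list that is not found is left as a
 * {@code null} entry (the account comment below explains why) and the access manager is
 * asked with that null target so the default permission is returned. A target addressed
 * by id that does not exist is reported as an error instead.
 *
 * @param request the SOAP request; carries one {@code target} element and zero or more
 *        {@code right} elements
 * @param context the SOAP request context
 * @return the CheckPermissionResponse with one {@code right} element per requested right
 *         and the aggregated result
 * @throws ServiceException if the target type is not one of account, calresource or dl,
 *         or if a target addressed by id does not exist
 */
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Provisioning prov = Provisioning.getInstance();

    Element eTarget = request.getElement(MailConstants.E_TARGET);
    String targetType = eTarget.getAttribute(MailConstants.A_TARGET_TYPE);
    TargetType tt = TargetType.fromCode(targetType);
    String targetBy = eTarget.getAttribute(MailConstants.A_TARGET_BY);
    String targetValue = eTarget.getText();

    NamedEntry entry = null;
    Element response = zsc.createElement(MailConstants.CHECK_PERMISSION_RESPONSE);

    if (TargetType.account == tt) {
        AccountBy acctBy = AccountBy.fromString(targetBy);
        entry = prov.get(acctBy, targetValue, zsc.getAuthToken());
        if (entry == null && acctBy == AccountBy.id) {
            throw AccountServiceException.NO_SUCH_ACCOUNT(targetValue);
        }
        // otherwise, the target could be an external user, let it fall through
        // to return the default permission.
    } else if (TargetType.calresource == tt) {
        Key.CalendarResourceBy crBy = Key.CalendarResourceBy.fromString(targetBy);
        entry = prov.get(crBy, targetValue);
        if (entry == null && crBy == Key.CalendarResourceBy.id) {
            throw AccountServiceException.NO_SUCH_CALENDAR_RESOURCE(targetValue);
        }
    } else if (TargetType.dl == tt) {
        Key.DistributionListBy dlBy = Key.DistributionListBy.fromString(targetBy);
        entry = prov.getGroupBasic(dlBy, targetValue);
        if (entry == null && dlBy == Key.DistributionListBy.id) {
            // A missing distribution list must be reported as such; the previous code
            // raised NO_SUCH_CALENDAR_RESOURCE here, which misdescribed the error to callers.
            throw AccountServiceException.NO_SUCH_DISTRIBUTION_LIST(targetValue);
        }
    } else {
        throw ServiceException.INVALID_REQUEST("invalid target type: " + targetType, null);
    }

    // Resolve every requested right name up front so an unknown right fails the whole
    // request before any permission is reported.
    List<UserRight> rights = new ArrayList<UserRight>();
    for (Element eRight : request.listElements(MailConstants.E_RIGHT)) {
        rights.add(RightManager.getInstance().getUserRight(eRight.getText()));
    }

    boolean finalResult = true;
    AccessManager am = AccessManager.getInstance();
    for (UserRight right : rights) {
        // The trailing false is passed through unchanged; presumably the "as admin" switch
        // of AccessManager.canDo - confirm against its signature.
        boolean allow = am.canDo(zsc.getAuthToken(), entry, right, false);
        // A delegated-send right granted on a target addressed by name is only honoured
        // when the requested address is one the entry is actually allowed to send as.
        if (allow && DiscoverRights.isDelegatedSendRight(right) && TargetBy.name.name().equals(targetBy)) {
            allow = AccountUtil.isAllowedSendAddress(entry, targetValue);
        }
        response.addElement(MailConstants.E_RIGHT)
                .addAttribute(MailConstants.A_ALLOW, allow)
                .setText(right.getName());
        // Aggregate result is true only when every requested right is allowed.
        finalResult &= allow;
    }

    return returnResponse(response, finalResult);
}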
use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.
the class TestACLGrant method testAccountRight.
/**
 * Exercises account-scoped rights against the set of target types they are expected to
 * apply to: single-target account rights (preset, getAttrs, setAttrs, combo), the
 * account+cos attr rights, and a combo right mixing account and cos rights.
 * What doTargetTest asserts about the expected set is not visible here - presumably
 * that the right is accepted exactly on those target types; confirm against its body.
 */
public void testAccountRight() throws Exception {
    String testName = getTestName();

    // authenticated (system admin) account performing the checks
    Account authedAcct = getSystemAdminAccount(getEmailAddr(testName, "authed"));

    // grantee
    Account grantee = createAdminAccount(getEmailAddr(testName, "GA"));

    // one set instance, reshaped between the groups of checks below
    Set<TargetType> expectedTargets = new HashSet<TargetType>();

    // single target rights
    TargetType[] singleTargetTypes = {
        TargetType.account, TargetType.calresource, TargetType.dl, TargetType.domain, TargetType.global
    };
    for (TargetType tt : singleTargetTypes) {
        expectedTargets.add(tt);
    }

    // preset right
    doTargetTest(authedAcct, grantee, getRight("test-preset-account"), expectedTargets);

    // getAttrs right, named and inline
    doTargetTest(authedAcct, grantee, getRight("test-getAttrs-account"), expectedTargets);
    doTargetTest(authedAcct, grantee, getRight(inlineRightGet(TargetType.account, "description")), expectedTargets);

    // setAttrs right, named and inline
    doTargetTest(authedAcct, grantee, getRight("test-setAttrs-account"), expectedTargets);
    doTargetTest(authedAcct, grantee, getRight(inlineRightSet(TargetType.account, "description")), expectedTargets);

    // combo right
    doTargetTest(authedAcct, grantee, getRight("test-combo-account"), expectedTargets);

    // multi target rights: same as above plus cos
    expectedTargets.clear();
    TargetType[] multiTargetTypes = {
        TargetType.account, TargetType.cos, TargetType.calresource, TargetType.dl, TargetType.domain, TargetType.global
    };
    for (TargetType tt : multiTargetTypes) {
        expectedTargets.add(tt);
    }
    doTargetTest(authedAcct, grantee, getRight("test-getAttrs-accountCos"), expectedTargets);
    doTargetTest(authedAcct, grantee, getRight("test-setAttrs-accountCos"), expectedTargets);

    // combo of account, cos and accountCos rights: only the global target remains
    expectedTargets.clear();
    expectedTargets.add(TargetType.global);
    doTargetTest(authedAcct, grantee, getRight("test-combo-account-cos-accountCos"), expectedTargets);
}
use of com.zimbra.cs.account.accesscontrol.TargetType in project zm-mailbox by Zimbra.
the class GetRightsDoc method genDomainAdminRights.
// handle dynamic group
@ACLTODO
/**
 * Appends to {@code response} a template of "domainAdmin...Rights" combo rights, one per
 * target type, listing every right a domain admin needs: the attr rights generated by
 * RightManager plus the rights declared (via docRights) by each admin SOAP handler that
 * accepts domain-admin authentication.
 *
 * @param context  the SOAP request context; the SoapEngine is read from it
 * @param response the element the generated template is added to
 * @throws ServiceException propagated from the handlers consulted while collecting rights
 */
private void genDomainAdminRights(Map<String, Object> context, Element response) throws ServiceException {
    Element eDomainAdmin = response.addElement("domainAdmin-copypaste-to-zimbra-rights-domainadmin-xml-template");

    SoapEngine engine = (SoapEngine) context.get(SoapEngine.ZIMBRA_ENGINE);
    Map<QName, DocumentHandler> handlers = engine.getDocumentDispatcher().getHandlers();

    // One bucket per target type. TreeMap orders the enum keys by declaration order and
    // TreeSet sorts the right names, so the generated template is deterministic.
    Map<TargetType, TreeSet<String>> rightsByTarget = new TreeMap<>();
    for (TargetType tt : TargetType.values()) {
        rightsByTarget.put(tt, new TreeSet<>());
    }

    // attr rights generated by RightManager for domain admins are always included
    rightsByTarget.get(TargetType.account).add(Admin.R_setDomainAdminAccountAndCalendarResourceAttrs.getName());
    rightsByTarget.get(TargetType.calresource).add(Admin.R_setDomainAdminAccountAndCalendarResourceAttrs.getName());
    rightsByTarget.get(TargetType.calresource).add(Admin.R_setDomainAdminCalendarResourceAttrs.getName());
    rightsByTarget.get(TargetType.dl).add(Admin.R_setDomainAdminDistributionListAttrs.getName());
    rightsByTarget.get(TargetType.domain).add(Admin.R_setDomainAdminDomainAttrs.getName());

    // Collect the rights each admin handler documents for itself. Only handlers that are
    // both an AdminRightCheckPoint and an AdminDocumentHandler, and that accept domain-admin
    // auth, contribute; the dispatcher key is not needed so only the values are walked.
    for (DocumentHandler soapHandler : handlers.values()) {
        if (!(soapHandler instanceof AdminRightCheckPoint) || !(soapHandler instanceof AdminDocumentHandler)) {
            continue;
        }
        AdminDocumentHandler adminHandler = (AdminDocumentHandler) soapHandler;
        if (!adminHandler.domainAuthSufficient(context)) {
            continue;
        }

        List<AdminRight> relatedRights = new ArrayList<>();
        List<String> notes = new ArrayList<>();
        adminHandler.docRights(relatedRights, notes);

        for (AdminRight r : relatedRights) {
            if (r.isPresetRight()) {
                // a preset right applies to a single target type
                rightsByTarget.get(r.getTargetType()).add(r.getName());
            } else if (r.isAttrRight()) {
                // an attr right may apply to several target types
                for (TargetType tt : ((AttrRight) r).getTargetTypes()) {
                    rightsByTarget.get(tt).add(r.getName());
                }
            }
        }
    }

    // Emit one combo right per target type that collected anything.
    for (Map.Entry<TargetType, TreeSet<String>> bucket : rightsByTarget.entrySet()) {
        TreeSet<String> names = bucket.getValue();
        if (names.isEmpty()) {
            continue;
        }
        TargetType tt = bucket.getKey();
        Element eRight = eDomainAdmin.addElement("right")
                .addAttribute("name", "domainAdmin" + tt.getPrettyName() + "Rights")
                .addAttribute("type", "combo");
        eRight.addElement("desc").setText("domain admin " + tt.getCode() + " right");
        Element eRights = eRight.addElement("rights");
        for (String name : names) {
            eRights.addElement("r").addAttribute("n", name);
        }
    }
}