
Example 1 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

Class MailSenderTest, method getSenderHeadersDelegatedAuth.

@Test
public void getSenderHeadersDelegatedAuth() throws Exception {
    // Grantor: the default mock account. Grantee: a freshly created second account that is
    // given the "sendOnBehalfOf" user right on the grantor before any headers are computed.
    Provisioning provisioning = Provisioning.getInstance();
    Account grantor = provisioning.getAccount(MockProvisioning.DEFAULT_ACCOUNT_ID);
    Map<String, Object> granteeAttrs = new HashMap<String, Object>();
    granteeAttrs.put(Provisioning.A_zimbraId, UUID.randomUUID().toString());
    Account grantee = provisioning.createAccount("test2@zimbra.com", "secret", granteeAttrs);
    MailSender mailSender = new MailSender();

    String granteeMail = "test2@zimbra.com";
    String alias = "test-alias@zimbra.com";
    String unknown1 = "foo@zimbra.com";
    String unknown2 = "bar@zimbra.com";

    Right sendOnBehalfOf = RightManager.getInstance().getUserRight("sendOnBehalfOf");
    Set<ZimbraACE> grants = new HashSet<ZimbraACE>();
    grants.add(new ZimbraACE(grantee.getId(), GranteeType.GT_USER, sendOnBehalfOf, null, null));
    ACLUtil.grantRight(Provisioning.getInstance(), grantor, grants);

    // Grantee's own address (or nothing): used as From, no Sender header.
    assertSenderHeaders(mailSender, grantor, grantee, null, null, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, granteeMail, null, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, null, granteeMail, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, granteeMail, granteeMail, granteeMail, null);
    // Alias address: kept as From, the grantee's own address becomes Sender.
    assertSenderHeaders(mailSender, grantor, grantee, alias, null, alias, granteeMail);
    assertSenderHeaders(mailSender, grantor, grantee, null, alias, alias, granteeMail);
    assertSenderHeaders(mailSender, grantor, grantee, alias, alias, alias, granteeMail);
    // Unrelated addresses: both headers collapse to the grantee's own address, no Sender.
    assertSenderHeaders(mailSender, grantor, grantee, unknown1, null, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, null, unknown1, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, unknown1, unknown2, granteeMail, null);
    // Mixed From/Sender combinations: the alias wins only when it is the From address.
    assertSenderHeaders(mailSender, grantor, grantee, alias, granteeMail, alias, granteeMail);
    assertSenderHeaders(mailSender, grantor, grantee, granteeMail, alias, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, alias, unknown1, alias, granteeMail);
    assertSenderHeaders(mailSender, grantor, grantee, unknown1, alias, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, granteeMail, unknown1, granteeMail, null);
    assertSenderHeaders(mailSender, grantor, grantee, unknown1, granteeMail, granteeMail, null);
}

/**
 * Computes the From/Sender header pair for one From/Sender input combination and asserts it.
 *
 * @param mailSender     the sender under test
 * @param grantor        the account whose mailbox the message is sent from
 * @param grantee        the authenticated account holding the delegated right
 * @param fromAddr       requested From address, or {@code null} for none
 * @param senderAddr     requested Sender address, or {@code null} for none
 * @param expectedFrom   expected resulting From address
 * @param expectedSender expected resulting Sender address, or {@code null} if none is expected
 * @throws Exception if address parsing or header computation fails
 */
private static void assertSenderHeaders(MailSender mailSender, Account grantor, Account grantee,
        String fromAddr, String senderAddr, String expectedFrom, String expectedSender) throws Exception {
    InternetAddress from = fromAddr == null ? null : new InternetAddress(fromAddr);
    InternetAddress sender = senderAddr == null ? null : new InternetAddress(senderAddr);
    Pair<InternetAddress, InternetAddress> headers =
            mailSender.getSenderHeaders(from, sender, grantor, grantee, false);
    Assert.assertEquals(expectedFrom, headers.getFirst().toString());
    if (expectedSender == null) {
        Assert.assertNull(headers.getSecond());
    } else {
        Assert.assertEquals(expectedSender, headers.getSecond().toString());
    }
}

Example 2 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

Class GrantRights, method handleACE.

/**
 * Builds a {@link ZimbraACE} from one {@code <ace>} element of a GrantRights/RevokeRights request.
 * <p>
 * The grantee id is resolved according to the grantee type: authenticated-user and public
 * grantees map to fixed GUIDs; a guest grantee is first looked up as an internal user so that
 * "guest" accidentally used for an internal account or list is corrected to usr/grp, otherwise
 * the supplied password becomes the ACE secret; a key grantee carries an optional access key;
 * any other type is resolved by zimbraId when given, else by display name.
 *
 * @param eACE     the {@code <ace>} element
 * @param zsc      SOAP context used for name lookups
 * @param granting true if granting, false if revoking (passed through to the zimbraId lookup)
 * @return the resolved ACE; its modifier is {@code RM_DENY} when the element sets deny
 * @throws ServiceException when a required attribute cannot be read or the grantee cannot be resolved
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    // Interface and parameter checking style follows FolderAction rather than the
    // admin Grant/RevokeRight handlers.
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(AccountConstants.A_RIGHT));
    GranteeType granteeType = GranteeType.fromCode(eACE.getAttribute(AccountConstants.A_GRANT_TYPE));
    String granteeId = eACE.getAttribute(AccountConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(AccountConstants.A_DENY, false);
    boolean checkGranteeType = eACE.getAttributeBool(AccountConstants.A_CHECK_GRANTEE_TYPE, false);
    String secret = null;
    NamedEntry grantee = null;

    if (granteeType == GranteeType.GT_AUTHUSER) {
        granteeId = GuestAccount.GUID_AUTHUSER;
    } else if (granteeType == GranteeType.GT_PUBLIC) {
        granteeId = GuestAccount.GUID_PUBLIC;
    } else if (granteeType == GranteeType.GT_GUEST) {
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        if (granteeId == null || granteeId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        // A "guest" that is really an internal user (or list) is re-typed as usr/grp instead
        // of being granted as an external guest with a password.
        try {
            grantee = lookupGranteeByName(granteeId, GranteeType.GT_USER, zsc);
            granteeId = grantee.getId();
            granteeType = grantee instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException notFound) {
            // Expected path: lookupGranteeByName reports the account as unknown, so this is a
            // genuine external guest and the password becomes the ACE secret.
            // NOTE(review): the catch is not narrowed to the not-found code, so any other lookup
            // failure also takes the guest path — confirm that is intended.
            secret = eACE.getAttribute(AccountConstants.A_PASSWORD);
        }
    } else if (granteeType == GranteeType.GT_KEY) {
        // Unlike guests, key grantees need not be an email address and are not re-typed when
        // they name an internal user; the access key itself is optional.
        granteeId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        secret = eACE.getAttribute(AccountConstants.A_ACCESSKEY, null);
    } else if (granteeId != null) {
        grantee = lookupGranteeByZimbraId(granteeId, granteeType, granting);
    } else {
        String display = eACE.getAttribute(AccountConstants.A_DISPLAY);
        grantee = lookupGranteeByName(display, granteeType, zsc);
        granteeId = grantee.getId();
        // "usr" given for something that is actually a group: reject when the caller asked
        // for strict grantee-type checking, otherwise silently correct it to "grp".
        if (granteeType == GranteeType.GT_USER && grantee instanceof Group) {
            if (checkGranteeType) {
                throw AccountServiceException.INVALID_REQUEST(display + " is not a valid grantee for grantee type '" + granteeType.getCode() + "'.", null);
            }
            granteeType = GranteeType.GT_GROUP;
        }
    }

    RightModifier modifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(granteeId, granteeType, right, modifier, secret);
}

Example 3 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

Class RevokePermission, method handle.

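/**
 * Handles a RevokePermission request: each {@code <ace>} child of the request is resolved
 * to a {@link ZimbraACE} and revoked from the requested account.
 *
 * @param request the RevokePermission request element
 * @param context the SOAP request context
 * @return a RevokePermissionResponse listing the ACEs that were actually revoked
 * @throws ServiceException with PERM_DENIED when the caller may not access the requested
 *         account, or if an ACE cannot be resolved or revoked
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);
    // Authorization check happens before any grantee is resolved or any ACL is touched.
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    for (Element eACE : request.listElements(MailConstants.E_ACE)) {
        aces.add(GrantPermission.handleACE(eACE, zsc, false));
    }
    // TODO, change to Provisioning.grantPermission?
    List<ZimbraACE> revoked = ACLUtil.revokeRight(Provisioning.getInstance(), account, aces);
    Element response = zsc.createElement(MailConstants.REVOKE_PERMISSION_RESPONSE);
    // Only the ACEs actually revoked are echoed back. The guard is on the list being
    // iterated; the previous check on `aces` could never be false since it is built above.
    if (revoked != null) {
        for (ZimbraACE ace : revoked) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}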

Example 4 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

Class GrantPermission, method handleACE.

/**
 * Builds a {@link ZimbraACE} from one {@code <ace>} element of a GrantPermission/RevokePermission
 * request (originally derived from FolderAction).
 * <p>
 * The grantee id is resolved according to the grantee type: authenticated-user and public
 * grantees map to fixed GUIDs; a guest grantee is first looked up as an internal user so that
 * "guest" accidentally used for an internal account or list is corrected to usr/grp, otherwise
 * the supplied password becomes the ACE secret; a key grantee carries an optional access key;
 * any other type is resolved by zimbraId when given, else by display name.
 *
 * @param eACE     the {@code <ace>} element
 * @param zsc      SOAP context used for name lookups
 * @param granting true if granting, false if revoking (passed through to the zimbraId lookup)
 * @return the resolved ACE; its modifier is {@code RM_DENY} when the element sets deny
 * @throws ServiceException when a required attribute cannot be read or the grantee cannot be resolved
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(MailConstants.A_RIGHT));
    GranteeType granteeType = GranteeType.fromCode(eACE.getAttribute(MailConstants.A_GRANT_TYPE));
    String granteeId = eACE.getAttribute(MailConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(MailConstants.A_DENY, false);
    String secret = null;
    NamedEntry grantee = null;

    if (granteeType == GranteeType.GT_AUTHUSER) {
        granteeId = GuestAccount.GUID_AUTHUSER;
    } else if (granteeType == GranteeType.GT_PUBLIC) {
        granteeId = GuestAccount.GUID_PUBLIC;
    } else if (granteeType == GranteeType.GT_GUEST) {
        granteeId = eACE.getAttribute(MailConstants.A_DISPLAY);
        if (granteeId == null || granteeId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        // A "guest" that is really an internal user (or list) is re-typed as usr/grp instead
        // of being granted as an external guest with a password.
        try {
            grantee = lookupGranteeByName(granteeId, GranteeType.GT_USER, zsc);
            granteeId = grantee.getId();
            granteeType = grantee instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException notFound) {
            // Expected path: lookupGranteeByName reports the account as unknown, so this is a
            // genuine external guest and the password becomes the ACE secret.
            // NOTE(review): the catch is not narrowed to the not-found code, so any other lookup
            // failure also takes the guest path — confirm that is intended.
            secret = eACE.getAttribute(MailConstants.A_PASSWORD);
        }
    } else if (granteeType == GranteeType.GT_KEY) {
        // Unlike guests, key grantees need not be an email address and are not re-typed when
        // they name an internal user; the access key itself is optional.
        granteeId = eACE.getAttribute(MailConstants.A_DISPLAY);
        secret = eACE.getAttribute(MailConstants.A_ACCESSKEY, null);
    } else if (granteeId != null) {
        grantee = lookupGranteeByZimbraId(granteeId, granteeType, granting);
    } else {
        grantee = lookupGranteeByName(eACE.getAttribute(MailConstants.A_DISPLAY), granteeType, zsc);
        granteeId = grantee.getId();
        // "usr" given for something that is actually a distribution list is corrected to "grp".
        if (granteeType == GranteeType.GT_USER && grantee instanceof DistributionList) {
            granteeType = GranteeType.GT_GROUP;
        }
    }

    RightModifier modifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(granteeId, granteeType, right, modifier, secret);
}

Example 5 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

Class GrantRights, method handle.

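/**
 * Handles a GrantRights request: each {@code <ace>} child of the request is resolved to a
 * {@link ZimbraACE} and granted on the requested account.
 *
 * @param request the GrantRights request element
 * @param context the SOAP request context
 * @return a GrantRightsResponse listing the ACEs that were actually granted
 * @throws ServiceException with PERM_DENIED when the caller may not access the requested
 *         account, or if an ACE cannot be resolved or granted
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);
    // Authorization check happens before any grantee is resolved or any ACL is touched.
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    for (Element eACE : request.listElements(AccountConstants.E_ACE)) {
        aces.add(handleACE(eACE, zsc, true));
    }
    List<ZimbraACE> granted = ACLUtil.grantRight(Provisioning.getInstance(), account, aces);
    Element response = zsc.createElement(AccountConstants.GRANT_RIGHTS_RESPONSE);
    // Only the ACEs actually granted are echoed back. The guard is on the list being
    // iterated; the previous check on `aces` could never be false since it is built above.
    if (granted != null) {
        for (ZimbraACE ace : granted) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}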
