use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.
the class MailSenderTest method getSenderHeadersDelegatedAuth.
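/**
 * Exercises {@code MailSender.getSenderHeaders} for delegated sending: a second account
 * ({@code account2}) is granted the {@code sendOnBehalfOf} user right on the default mock
 * account and then every combination of requested From / Sender address is checked.
 *
 * <p>The expectations pin the anti-spoofing behaviour of the header selection: the
 * delegate's own address is always accepted, an alias address yields that alias as From with
 * the delegate's address as Sender, and an address owned by neither account is never used —
 * the headers fall back to the delegate's own address instead.
 *
 * @throws Exception from provisioning, address parsing or the code under test
 */
@Test
public void getSenderHeadersDelegatedAuth() throws Exception {
    // 'account' is the default mock account; 'account2' is a fresh user that will act as delegate.
    Provisioning prov = Provisioning.getInstance();
    Account account = prov.getAccount(MockProvisioning.DEFAULT_ACCOUNT_ID);
    Map<String, Object> attrs = new HashMap<String, Object>();
    attrs.put(Provisioning.A_zimbraId, UUID.randomUUID().toString());
    Account account2 = prov.createAccount("test2@zimbra.com", "secret", attrs);
    MailSender mailSender = new MailSender();

    String mail = "test2@zimbra.com";        // the delegate's own address
    String alias = "test-alias@zimbra.com";  // presumably an alias known to the mock provisioning — verify in MockProvisioning
    String invalid1 = "foo@zimbra.com";      // addresses owned by neither account
    String invalid2 = "bar@zimbra.com";

    // Grant account2 the sendOnBehalfOf right on account; every case below runs under that grant.
    Right right = RightManager.getInstance().getUserRight("sendOnBehalfOf");
    ZimbraACE ace = new ZimbraACE(account2.getId(), GranteeType.GT_USER, right, null, null);
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    aces.add(ace);
    ACLUtil.grantRight(prov, account, aces);

    // No addresses requested, or only the delegate's own address: From is the delegate, no Sender.
    assertSenderHeaders(mailSender, account, account2, null, null, mail, null);
    assertSenderHeaders(mailSender, account, account2, mail, null, mail, null);
    assertSenderHeaders(mailSender, account, account2, null, mail, mail, null);
    assertSenderHeaders(mailSender, account, account2, mail, mail, mail, null);

    // Alias requested in either position: From is the alias, Sender is the delegate.
    assertSenderHeaders(mailSender, account, account2, alias, null, alias, mail);
    assertSenderHeaders(mailSender, account, account2, null, alias, alias, mail);
    assertSenderHeaders(mailSender, account, account2, alias, alias, alias, mail);

    // Addresses owned by nobody involved are rejected: headers fall back to the delegate.
    assertSenderHeaders(mailSender, account, account2, invalid1, null, mail, null);
    assertSenderHeaders(mailSender, account, account2, null, invalid1, mail, null);
    assertSenderHeaders(mailSender, account, account2, invalid1, invalid2, mail, null);

    // Mixed combinations: the alias wins only when it is the requested From address.
    assertSenderHeaders(mailSender, account, account2, alias, mail, alias, mail);
    assertSenderHeaders(mailSender, account, account2, mail, alias, mail, null);
    assertSenderHeaders(mailSender, account, account2, alias, invalid1, alias, mail);
    assertSenderHeaders(mailSender, account, account2, invalid1, alias, mail, null);
    assertSenderHeaders(mailSender, account, account2, mail, invalid1, mail, null);
    assertSenderHeaders(mailSender, account, account2, invalid1, mail, mail, null);
}

/**
 * Runs one delegated-send case and checks the resulting From / Sender headers.
 *
 * @param mailSender     the sender under test
 * @param account        passed through unchanged as the third argument of {@code getSenderHeaders}
 * @param account2       passed through unchanged as the fourth argument of {@code getSenderHeaders}
 * @param from           requested From address, or {@code null} when none is supplied
 * @param sender         requested Sender address, or {@code null} when none is supplied
 * @param expectedFrom   expected From header; never {@code null}, the code under test always picks one
 * @param expectedSender expected Sender header, or {@code null} when no Sender header is expected
 * @throws Exception if an address cannot be parsed or the code under test fails
 */
private static void assertSenderHeaders(MailSender mailSender, Account account, Account account2,
        String from, String sender, String expectedFrom, String expectedSender) throws Exception {
    InternetAddress fromAddr = from == null ? null : new InternetAddress(from);
    InternetAddress senderAddr = sender == null ? null : new InternetAddress(sender);
    Pair<InternetAddress, InternetAddress> pair =
            mailSender.getSenderHeaders(fromAddr, senderAddr, account, account2, false);
    Assert.assertEquals(expectedFrom, pair.getFirst().toString());
    if (expectedSender == null) {
        Assert.assertNull(pair.getSecond());
    } else {
        Assert.assertEquals(expectedSender, pair.getSecond().toString());
    }
}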
use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.
the class GrantRights method handleACE.
/**
 * Parses one {@code <ace>} element of a GrantRights / RevokeRights request into a {@link ZimbraACE}.
 *
 * <p>Interface and parameter checking style was modeled after FolderAction,
 * not admin Grant/RevokeRight.
 *
 * <p>Every attribute read here comes from the caller-supplied SOAP element. Resolution depends on
 * the grantee type:
 * <ul>
 *   <li>{@code GT_AUTHUSER} / {@code GT_PUBLIC}: fixed pseudo ids, no lookup;</li>
 *   <li>{@code GT_GUEST}: the display name must contain an {@code '@'}; if it resolves to an
 *       internal user or distribution list the ACE is retargeted to that entry, otherwise the
 *       password attribute becomes the ACE secret;</li>
 *   <li>{@code GT_KEY}: the display name is taken as is and the optional access key becomes the secret;</li>
 *   <li>anything else: resolved by zimbraId when one is given, else by display name.</li>
 * </ul>
 *
 * @param eACE     the {@code <ace>} element to parse
 * @param zsc      SOAP context used when resolving a grantee by name
 * @param granting true if granting, false if revoking (forwarded to the by-id lookup)
 * @return the parsed ACE; its secret is non-null only for guest and key grantees
 * @throws ServiceException if the guest id is not an email address, if a lookup performed here
 *                          fails, or if {@code checkGranteeType} is set and a "usr" grantee
 *                          resolves to a group
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(AccountConstants.A_RIGHT));
    GranteeType gtype = GranteeType.fromCode(eACE.getAttribute(AccountConstants.A_GRANT_TYPE));
    String zid = eACE.getAttribute(AccountConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(AccountConstants.A_DENY, false);
    boolean checkGranteeType = eACE.getAttributeBool(AccountConstants.A_CHECK_GRANTEE_TYPE, false);
    String secret = null;

    if (gtype == GranteeType.GT_PUBLIC) {
        zid = GuestAccount.GUID_PUBLIC;
    } else if (gtype == GranteeType.GT_AUTHUSER) {
        zid = GuestAccount.GUID_AUTHUSER;
    } else if (gtype == GranteeType.GT_GUEST) {
        String guestId = eACE.getAttribute(AccountConstants.A_DISPLAY);
        if (guestId == null || guestId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        zid = guestId;
        // make sure they didn't accidentally specify "guest" instead of "usr"
        try {
            NamedEntry internal = lookupGranteeByName(guestId, GranteeType.GT_USER, zsc);
            zid = internal.getId();
            gtype = internal instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException e) {
            // this is the normal path, where lookupGranteeByName throws account.NO_SUCH_USER
            // NOTE(review): every ServiceException is treated as "no such user" here, so a lookup
            // that fails for another reason also ends up as a password-protected guest grant
            secret = eACE.getAttribute(AccountConstants.A_PASSWORD);
        }
    } else if (gtype == GranteeType.GT_KEY) {
        // unlike guest, the display name need not be an email address, and the grantee type is
        // not fixed up when a key grantee names an internal user
        zid = eACE.getAttribute(AccountConstants.A_DISPLAY);
        // the access key is optional
        secret = eACE.getAttribute(AccountConstants.A_ACCESSKEY, null);
    } else if (zid != null) {
        // the lookup validates the id; the entry itself is not used further
        lookupGranteeByZimbraId(zid, gtype, granting);
    } else {
        String display = eACE.getAttribute(AccountConstants.A_DISPLAY);
        NamedEntry entry = lookupGranteeByName(display, gtype, zsc);
        zid = entry.getId();
        // make sure they didn't accidentally specify "usr" instead of "grp"
        if (gtype == GranteeType.GT_USER && entry instanceof Group) {
            if (checkGranteeType) {
                throw AccountServiceException.INVALID_REQUEST(display
                        + " is not a valid grantee for grantee type '" + gtype.getCode() + "'.", null);
            }
            gtype = GranteeType.GT_GROUP;
        }
    }

    RightModifier rightModifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(zid, gtype, right, rightModifier, secret);
}
use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.
the class RevokePermission method handle.
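/**
 * Handles a RevokePermissionRequest: parses each {@code <ace>} element, revokes the matching
 * rights on the requested account and echoes the ACEs that were actually revoked.
 *
 * @param request the RevokePermissionRequest element
 * @param context SOAP request context
 * @return a RevokePermissionResponse listing the revoked ACEs
 * @throws ServiceException if the caller may not access the requested account or an ACE cannot be parsed
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);
    // authorization gate: only a caller allowed to act on this account may change its ACL
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    for (Element eACE : request.listElements(MailConstants.E_ACE)) {
        aces.add(GrantPermission.handleACE(eACE, zsc, false));
    }
    // TODO, change to Provisioning.grantPermission?
    List<ZimbraACE> revoked = ACLUtil.revokeRight(Provisioning.getInstance(), account, aces);
    Element response = zsc.createElement(MailConstants.REVOKE_PERMISSION_RESPONSE);
    // the guard used to test 'aces', which is never null here; the value that could be absent
    // is the list returned by revokeRight
    if (revoked != null) {
        for (ZimbraACE ace : revoked) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}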
use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.
the class GrantPermission method handleACE.
/**
 * Parses one {@code <ace>} element of a GrantPermission / RevokePermission request into a
 * {@link ZimbraACE}. Originally derived from FolderAction.
 *
 * <p>Every attribute read here comes from the caller-supplied SOAP element. Resolution depends on
 * the grantee type:
 * <ul>
 *   <li>{@code GT_AUTHUSER} / {@code GT_PUBLIC}: fixed pseudo ids, no lookup;</li>
 *   <li>{@code GT_GUEST}: the display name must contain an {@code '@'}; if it resolves to an
 *       internal user or distribution list the ACE is retargeted to that entry, otherwise the
 *       password attribute becomes the ACE secret;</li>
 *   <li>{@code GT_KEY}: the display name is taken as is and the optional access key becomes the secret;</li>
 *   <li>anything else: resolved by zimbraId when one is given, else by display name.</li>
 * </ul>
 *
 * @param eACE     the {@code <ace>} element to parse
 * @param zsc      SOAP context used when resolving a grantee by name
 * @param granting true if granting, false if revoking (forwarded to the by-id lookup)
 * @return the parsed ACE; its secret is non-null only for guest and key grantees
 * @throws ServiceException if the guest id is not an email address or a lookup performed here fails
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(MailConstants.A_RIGHT));
    GranteeType gtype = GranteeType.fromCode(eACE.getAttribute(MailConstants.A_GRANT_TYPE));
    String zid = eACE.getAttribute(MailConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(MailConstants.A_DENY, false);
    String secret = null;

    if (gtype == GranteeType.GT_PUBLIC) {
        zid = GuestAccount.GUID_PUBLIC;
    } else if (gtype == GranteeType.GT_AUTHUSER) {
        zid = GuestAccount.GUID_AUTHUSER;
    } else if (gtype == GranteeType.GT_GUEST) {
        String guestId = eACE.getAttribute(MailConstants.A_DISPLAY);
        if (guestId == null || guestId.indexOf('@') < 0) {
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        }
        zid = guestId;
        // make sure they didn't accidentally specify "guest" instead of "usr"
        try {
            NamedEntry internal = lookupGranteeByName(guestId, GranteeType.GT_USER, zsc);
            zid = internal.getId();
            gtype = internal instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException e) {
            // this is the normal path, where lookupGranteeByName throws account.NO_SUCH_USER
            // NOTE(review): every ServiceException is treated as "no such user" here, so a lookup
            // that fails for another reason also ends up as a password-protected guest grant
            secret = eACE.getAttribute(MailConstants.A_PASSWORD);
        }
    } else if (gtype == GranteeType.GT_KEY) {
        // unlike guest, the display name need not be an email address, and the grantee type is
        // not fixed up when a key grantee names an internal user
        zid = eACE.getAttribute(MailConstants.A_DISPLAY);
        // the access key is optional
        secret = eACE.getAttribute(MailConstants.A_ACCESSKEY, null);
    } else if (zid != null) {
        // the lookup validates the id; the entry itself is not used further
        lookupGranteeByZimbraId(zid, gtype, granting);
    } else {
        NamedEntry entry = lookupGranteeByName(eACE.getAttribute(MailConstants.A_DISPLAY), gtype, zsc);
        zid = entry.getId();
        // make sure they didn't accidentally specify "usr" instead of "grp"
        if (gtype == GranteeType.GT_USER && entry instanceof DistributionList) {
            gtype = GranteeType.GT_GROUP;
        }
    }

    RightModifier rightModifier = deny ? RightModifier.RM_DENY : null;
    return new ZimbraACE(zid, gtype, right, rightModifier, secret);
}
use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.
the class GrantRights method handle.
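/**
 * Handles a GrantRightsRequest: parses each {@code <ace>} element, grants the rights on the
 * requested account and echoes the ACEs that were actually granted.
 *
 * @param request the GrantRightsRequest element
 * @param context SOAP request context
 * @return a GrantRightsResponse listing the granted ACEs
 * @throws ServiceException if the caller may not access the requested account or an ACE cannot be parsed
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);
    // authorization gate: only a caller allowed to act on this account may change its ACL
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    for (Element eACE : request.listElements(AccountConstants.E_ACE)) {
        aces.add(handleACE(eACE, zsc, true));
    }
    List<ZimbraACE> granted = ACLUtil.grantRight(Provisioning.getInstance(), account, aces);
    Element response = zsc.createElement(AccountConstants.GRANT_RIGHTS_RESPONSE);
    // the guard used to test 'aces', which is never null here; the value that could be absent
    // is the list returned by grantRight
    if (granted != null) {
        for (ZimbraACE ace : granted) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}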