Examples with ZimbraACE com.zimbra.cs.account.accesscontrol.ZimbraACE used on opensource projects

Search in sources :

Example 1 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

the class MailSenderTest method getSenderHeadersDelegatedAuth.

@Test
public void getSenderHeadersDelegatedAuth() throws Exception {
    Provisioning prov = Provisioning.getInstance();
    Account account = prov.getAccount(MockProvisioning.DEFAULT_ACCOUNT_ID);
    Map<String, Object> attrs = new HashMap<String, Object>();
    attrs.put(Provisioning.A_zimbraId, UUID.randomUUID().toString());
    Account account2 = prov.createAccount("test2@zimbra.com", "secret", attrs);
    MailSender mailSender = new MailSender();
    Pair<InternetAddress, InternetAddress> pair;
    String target = "test@zimbra.com";
    String mail = "test2@zimbra.com";
    String alias = "test-alias@zimbra.com";
    String invalid1 = "foo@zimbra.com";
    String invalid2 = "bar@zimbra.com";
    Right right = RightManager.getInstance().getUserRight("sendOnBehalfOf");
    ZimbraACE ace = new ZimbraACE(account2.getId(), GranteeType.GT_USER, right, null, null);
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    aces.add(ace);
    ACLUtil.grantRight(Provisioning.getInstance(), account, aces);
    pair = mailSender.getSenderHeaders(null, null, account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(mail), null, account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(null, new InternetAddress(mail), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(mail), new InternetAddress(mail), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(alias), null, account, account2, false);
    Assert.assertEquals(alias, pair.getFirst().toString());
    Assert.assertEquals(mail, pair.getSecond().toString());
    pair = mailSender.getSenderHeaders(null, new InternetAddress(alias), account, account2, false);
    Assert.assertEquals(alias, pair.getFirst().toString());
    Assert.assertEquals(mail, pair.getSecond().toString());
    pair = mailSender.getSenderHeaders(new InternetAddress(alias), new InternetAddress(alias), account, account2, false);
    Assert.assertEquals(alias, pair.getFirst().toString());
    Assert.assertEquals(mail, pair.getSecond().toString());
    pair = mailSender.getSenderHeaders(new InternetAddress(invalid1), null, account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(null, new InternetAddress(invalid1), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(invalid1), new InternetAddress(invalid2), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(alias), new InternetAddress(mail), account, account2, false);
    Assert.assertEquals(alias, pair.getFirst().toString());
    Assert.assertEquals(mail, pair.getSecond().toString());
    pair = mailSender.getSenderHeaders(new InternetAddress(mail), new InternetAddress(alias), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(alias), new InternetAddress(invalid1), account, account2, false);
    Assert.assertEquals(alias, pair.getFirst().toString());
    Assert.assertEquals(mail, pair.getSecond().toString());
    pair = mailSender.getSenderHeaders(new InternetAddress(invalid1), new InternetAddress(alias), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(mail), new InternetAddress(invalid1), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
    pair = mailSender.getSenderHeaders(new InternetAddress(invalid1), new InternetAddress(mail), account, account2, false);
    Assert.assertEquals(mail, pair.getFirst().toString());
    Assert.assertNull(pair.getSecond());
}
Also used : Account(com.zimbra.cs.account.Account) InternetAddress(javax.mail.internet.InternetAddress) JavaMailInternetAddress(com.zimbra.common.mime.shim.JavaMailInternetAddress) HashMap(java.util.HashMap) Right(com.zimbra.cs.account.accesscontrol.Right) MockProvisioning(com.zimbra.cs.account.MockProvisioning) Provisioning(com.zimbra.cs.account.Provisioning) ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 2 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

the class GrantRights method handleACE.

/**
 * @param eACE
 * @param zsc
 * @param granting true if granting, false if revoking
 * @return
 * @throws ServiceException
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    /*
         * Interface and parameter checking style was modeled after FolderAction, 
         * not admin Grant/RevokeRight
         */
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(AccountConstants.A_RIGHT));
    GranteeType gtype = GranteeType.fromCode(eACE.getAttribute(AccountConstants.A_GRANT_TYPE));
    String zid = eACE.getAttribute(AccountConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(AccountConstants.A_DENY, false);
    boolean checkGranteeType = eACE.getAttributeBool(AccountConstants.A_CHECK_GRANTEE_TYPE, false);
    String secret = null;
    NamedEntry nentry = null;
    if (gtype == GranteeType.GT_AUTHUSER) {
        zid = GuestAccount.GUID_AUTHUSER;
    } else if (gtype == GranteeType.GT_PUBLIC) {
        zid = GuestAccount.GUID_PUBLIC;
    } else if (gtype == GranteeType.GT_GUEST) {
        zid = eACE.getAttribute(AccountConstants.A_DISPLAY);
        if (zid == null || zid.indexOf('@') < 0)
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        // make sure they didn't accidentally specify "guest" instead of "usr"
        try {
            nentry = lookupGranteeByName(zid, GranteeType.GT_USER, zsc);
            zid = nentry.getId();
            gtype = nentry instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException e) {
            // this is the normal path, where lookupGranteeByName throws account.NO_SUCH_USER
            secret = eACE.getAttribute(AccountConstants.A_PASSWORD);
        }
    } else if (gtype == GranteeType.GT_KEY) {
        zid = eACE.getAttribute(AccountConstants.A_DISPLAY);
        // unlike guest, we do not require the display name to be an email address
        /*
            if (zid == null || zid.indexOf('@') < 0)
                throw ServiceException.INVALID_REQUEST("invalid guest id or key", null);
            */
        // unlike guest, we do not fixup grantee type for key grantees if they specify an internal user
        // get the optional accesskey
        secret = eACE.getAttribute(AccountConstants.A_ACCESSKEY, null);
    } else if (zid != null) {
        nentry = lookupGranteeByZimbraId(zid, gtype, granting);
    } else {
        nentry = lookupGranteeByName(eACE.getAttribute(AccountConstants.A_DISPLAY), gtype, zsc);
        zid = nentry.getId();
        // make sure they didn't accidentally specify "usr" instead of "grp"
        if (gtype == GranteeType.GT_USER && nentry instanceof Group) {
            if (checkGranteeType) {
                throw AccountServiceException.INVALID_REQUEST(eACE.getAttribute(AccountConstants.A_DISPLAY) + " is not a valid grantee for grantee type '" + gtype.getCode() + "'.", null);
            } else {
                gtype = GranteeType.GT_GROUP;
            }
        }
    }
    RightModifier rightModifier = null;
    if (deny)
        rightModifier = RightModifier.RM_DENY;
    return new ZimbraACE(zid, gtype, right, rightModifier, secret);
}
Also used : ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE) NamedEntry(com.zimbra.cs.account.NamedEntry) Group(com.zimbra.cs.account.Group) GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType) AccountServiceException(com.zimbra.cs.account.AccountServiceException) ServiceException(com.zimbra.common.service.ServiceException) Right(com.zimbra.cs.account.accesscontrol.Right) RightModifier(com.zimbra.cs.account.accesscontrol.RightModifier) DistributionList(com.zimbra.cs.account.DistributionList)

Example 3 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

the class RevokePermission method handle.

@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);
    if (!canAccessAccount(zsc, account))
        throw ServiceException.PERM_DENIED("can not access account");
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    for (Element eACE : request.listElements(MailConstants.E_ACE)) {
        ZimbraACE ace = GrantPermission.handleACE(eACE, zsc, false);
        aces.add(ace);
    }
    // TODO, change to Provisioning.grantPermission?
    List<ZimbraACE> revoked = ACLUtil.revokeRight(Provisioning.getInstance(), account, aces);
    Element response = zsc.createElement(MailConstants.REVOKE_PERMISSION_RESPONSE);
    if (aces != null) {
        for (ZimbraACE ace : revoked) ToXML.encodeACE(response, ace);
    }
    return response;
}
Also used : ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE) Account(com.zimbra.cs.account.Account) ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext) Element(com.zimbra.common.soap.Element) HashSet(java.util.HashSet)

Example 4 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

the class GrantPermission method handleACE.

/**
 * // orig: FolderAction
 *
 * @param eACE
 * @param zsc
 * @param granting true if granting, false if revoking
 * @return
 * @throws ServiceException
 */
static ZimbraACE handleACE(Element eACE, ZimbraSoapContext zsc, boolean granting) throws ServiceException {
    Right right = RightManager.getInstance().getUserRight(eACE.getAttribute(MailConstants.A_RIGHT));
    GranteeType gtype = GranteeType.fromCode(eACE.getAttribute(MailConstants.A_GRANT_TYPE));
    String zid = eACE.getAttribute(MailConstants.A_ZIMBRA_ID, null);
    boolean deny = eACE.getAttributeBool(MailConstants.A_DENY, false);
    String secret = null;
    NamedEntry nentry = null;
    if (gtype == GranteeType.GT_AUTHUSER) {
        zid = GuestAccount.GUID_AUTHUSER;
    } else if (gtype == GranteeType.GT_PUBLIC) {
        zid = GuestAccount.GUID_PUBLIC;
    } else if (gtype == GranteeType.GT_GUEST) {
        zid = eACE.getAttribute(MailConstants.A_DISPLAY);
        if (zid == null || zid.indexOf('@') < 0)
            throw ServiceException.INVALID_REQUEST("invalid guest id or password", null);
        // make sure they didn't accidentally specify "guest" instead of "usr"
        try {
            nentry = lookupGranteeByName(zid, GranteeType.GT_USER, zsc);
            zid = nentry.getId();
            gtype = nentry instanceof DistributionList ? GranteeType.GT_GROUP : GranteeType.GT_USER;
        } catch (ServiceException e) {
            // this is the normal path, where lookupGranteeByName throws account.NO_SUCH_USER
            secret = eACE.getAttribute(MailConstants.A_PASSWORD);
        }
    } else if (gtype == GranteeType.GT_KEY) {
        zid = eACE.getAttribute(MailConstants.A_DISPLAY);
        // unlike guest, we do not require the display name to be an email address
        /*
            if (zid == null || zid.indexOf('@') < 0)
                throw ServiceException.INVALID_REQUEST("invalid guest id or key", null);
            */
        // unlike guest, we do not fixup grantee type for key grantees if they specify an internal user
        // get the optional accesskey
        secret = eACE.getAttribute(MailConstants.A_ACCESSKEY, null);
    } else if (zid != null) {
        nentry = lookupGranteeByZimbraId(zid, gtype, granting);
    } else {
        nentry = lookupGranteeByName(eACE.getAttribute(MailConstants.A_DISPLAY), gtype, zsc);
        zid = nentry.getId();
        // make sure they didn't accidentally specify "usr" instead of "grp"
        if (gtype == GranteeType.GT_USER && nentry instanceof DistributionList)
            gtype = GranteeType.GT_GROUP;
    }
    RightModifier rightModifier = null;
    if (deny)
        rightModifier = RightModifier.RM_DENY;
    return new ZimbraACE(zid, gtype, right, rightModifier, secret);
}
Also used : ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE) NamedEntry(com.zimbra.cs.account.NamedEntry) GranteeType(com.zimbra.cs.account.accesscontrol.GranteeType) AccountServiceException(com.zimbra.cs.account.AccountServiceException) ServiceException(com.zimbra.common.service.ServiceException) Right(com.zimbra.cs.account.accesscontrol.Right) RightModifier(com.zimbra.cs.account.accesscontrol.RightModifier) DistributionList(com.zimbra.cs.account.DistributionList)

Example 5 with ZimbraACE

use of com.zimbra.cs.account.accesscontrol.ZimbraACE in project zm-mailbox by Zimbra.

the class GrantRights method handle.

@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    Account account = getRequestedAccount(zsc);
    if (!canAccessAccount(zsc, account)) {
        throw ServiceException.PERM_DENIED("can not access account");
    }
    Set<ZimbraACE> aces = new HashSet<ZimbraACE>();
    for (Element eACE : request.listElements(AccountConstants.E_ACE)) {
        ZimbraACE ace = handleACE(eACE, zsc, true);
        aces.add(ace);
    }
    List<ZimbraACE> granted = ACLUtil.grantRight(Provisioning.getInstance(), account, aces);
    Element response = zsc.createElement(AccountConstants.GRANT_RIGHTS_RESPONSE);
    if (aces != null) {
        for (ZimbraACE ace : granted) {
            ToXML.encodeACE(response, ace);
        }
    }
    return response;
}
Also used : ZimbraACE(com.zimbra.cs.account.accesscontrol.ZimbraACE) GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext) Element(com.zimbra.common.soap.Element) HashSet(java.util.HashSet)

Aggregations

ZimbraACE (com.zimbra.cs.account.accesscontrol.ZimbraACE)11 Account (com.zimbra.cs.account.Account)7 HashSet (java.util.HashSet)7 Element (com.zimbra.common.soap.Element)6 ZimbraSoapContext (com.zimbra.soap.ZimbraSoapContext)6 Right (com.zimbra.cs.account.accesscontrol.Right)5 NamedEntry (com.zimbra.cs.account.NamedEntry)4 ServiceException (com.zimbra.common.service.ServiceException)2 AccountServiceException (com.zimbra.cs.account.AccountServiceException)2 DistributionList (com.zimbra.cs.account.DistributionList)2 Entry (com.zimbra.cs.account.Entry)2 GuestAccount (com.zimbra.cs.account.GuestAccount)2 Zimlet (com.zimbra.cs.account.Zimlet)2 GranteeType (com.zimbra.cs.account.accesscontrol.GranteeType)2 RightModifier (com.zimbra.cs.account.accesscontrol.RightModifier)2 JavaMailInternetAddress (com.zimbra.common.mime.shim.JavaMailInternetAddress)1 Group (com.zimbra.cs.account.Group)1 MockProvisioning (com.zimbra.cs.account.MockProvisioning)1 Provisioning (com.zimbra.cs.account.Provisioning)1 CacheEntry (com.zimbra.cs.account.Provisioning.CacheEntry)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial