use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.
the class TestACLAll method execTest.
private void execTest(String note, TargetType grantedOnTargetType, TestGranteeType testGranteeType, Right right) throws Exception {
System.out.println("testing (" + note + "): " + "grant target=" + grantedOnTargetType.getCode() + ", grantee type=" + testGranteeType.getCode() + ", right=" + right.getName());
//
// 1. some basic preparation
// create a domain
//
Domain domain = createDomain();
boolean isUserRight = right.isUserRight();
//
// 2. setup grantee
//
List<Account> allowedAccts = new ArrayList<Account>();
List<Account> deniedAccts = new ArrayList<Account>();
NamedEntry grantee = null;
String granteeName = null;
String secret = null;
Object gt = testGranteeType.getGranteeType();
GranteeType granteeType = null;
if (gt instanceof GranteeType) {
granteeType = (GranteeType) gt;
switch(granteeType) {
case GT_USER:
if (isUserRight) {
grantee = createUserAccount(domain);
allowedAccts.add((Account) grantee);
deniedAccts.add(createUserAccount(domain));
} else {
grantee = createDelegatedAdminAccount(domain);
allowedAccts.add((Account) grantee);
deniedAccts.add(createDelegatedAdminAccount(domain));
}
granteeName = grantee.getName();
break;
case GT_GROUP:
if (isUserRight) {
grantee = createUserDistributionList(domain);
Account allowedAcct = createUserAccount(domain);
allowedAccts.add(allowedAcct);
prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
// external members are also honored if the right is a user right
Account guestAcct = createGuestAccount("guest@guest.com", "test123");
allowedAccts.add(guestAcct);
prov.addMembers((DistributionList) grantee, new String[] { guestAcct.getName() });
deniedAccts.add(createUserAccount(domain));
} else {
grantee = createAdminDistributionList(domain);
Account allowedAcct = createDelegatedAdminAccount(domain);
allowedAccts.add(allowedAcct);
prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
deniedAccts.add(createDelegatedAdminAccount(domain));
}
granteeName = grantee.getName();
break;
case GT_EXT_GROUP:
// create a domain and use it for the external group
Domain extDomain = createDomain();
String extDomainDN = ((LdapDomain) extDomain).getDN();
String acctLocalpart = "acct-ext";
//
// Configure the domain for external AD auth
//
Map<String, Object> domainAttrs = Maps.newHashMap();
if (isUserRight) {
domain.setAuthMech(AuthMech.ad.name(), domainAttrs);
} else {
domain.setAuthMechAdmin(AuthMech.ad.name(), domainAttrs);
}
/* ==== mock test ====
// setup auth
domain.addAuthLdapURL("ldap://localhost:389", domainAttrs);
domain.setAuthLdapBindDn("uid=%u,ou=people," + extDomainDN, domainAttrs);
// setup external group search parameters
domain.setAuthLdapSearchBindDn(LC.zimbra_ldap_userdn.value(), domainAttrs);
domain.setAuthLdapSearchBindPassword(LC.zimbra_ldap_password.value(), domainAttrs);
domain.setExternalGroupLdapSearchBase(extDomainDN, domainAttrs);
domain.setExternalGroupLdapSearchFilter("(&(objectClass=zimbraGroup)(cn=%u))", domainAttrs);
domain.setExternalGroupHandlerClass("com.zimbra.qa.unittest.UnittestGroupHandler", domainAttrs);
mProv.modifyAttrs(domain, domainAttrs);
// create a group in the external directory and add a member
Group extGroup = createUserDynamicGroup(extDomain); // doesn't matter if the group is user or admin
String extGroupName = extGroup.getName();
Account extAcct = createUserAccount(acctLocalpart, extDomain);
mProv.addGroupMembers(extGroup, new String[]{extAcct.getName()});
// create the admin account in Zimbra directory and map it to the external account
Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
allowedAccts.add(zimbraAcct);
*/
domain.addAuthLdapURL("***", domainAttrs);
domain.setAuthLdapSearchBindDn("***", domainAttrs);
domain.setAuthLdapSearchBindPassword("***", domainAttrs);
domain.setExternalGroupLdapSearchBase("OU=Engineering,DC=vmware,DC=com", domainAttrs);
domain.setExternalGroupLdapSearchFilter("(&(objectClass=group)(mail=%n))", domainAttrs);
domain.setExternalGroupHandlerClass("com.zimbra.cs.account.grouphandler.ADGroupHandler", domainAttrs);
prov.modifyAttrs(domain, domainAttrs);
// "ESPPEnrollment-USA@vmware.com";
String extGroupName = "ENG_pao_users_home4@vmware.com";
// create the admin account in Zimbra directory and map it to the external account
Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
zimbraAcct.setAuthLdapExternalDn("CN=Phoebe Shao,OU=PAO_Users,OU=PaloAlto_California_USA,OU=NALA,OU=SITES,OU=Engineering,DC=vmware,DC=com");
allowedAccts.add(zimbraAcct);
// =======================
granteeName = domain.getName() + ":" + extGroupName;
break;
case GT_AUTHUSER:
if (isUserRight) {
allowedAccts.add(createUserAccount("allowed-user-acct", domain));
deniedAccts.add(createGuestAccount("not-my-guest@external.com", "test123"));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
}
break;
case GT_DOMAIN:
grantee = createDomain();
if (isUserRight) {
allowedAccts.add(createUserAccount("allowed-user-acct", (Domain) grantee));
Domain notGrantee = createDomain();
deniedAccts.add(createUserAccount("denied-user-acct", notGrantee));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", (Domain) grantee));
// TODO: TEST R_crossDomainAdmin
}
granteeName = grantee.getName();
break;
case GT_GUEST:
// an email address
granteeName = "be-my-guest@guest.com";
// password
secret = "test123";
if (isUserRight) {
allowedAccts.add(createGuestAccount(granteeName, secret));
deniedAccts.add(createGuestAccount("not-my-guest@external.com", "bad"));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
deniedAccts.add(createGuestAccount(granteeName, secret));
}
break;
case GT_KEY:
// a display name
granteeName = "be-my-guest";
// access key
secret = "test123";
if (isUserRight) {
allowedAccts.add(createKeyAccount(granteeName, secret));
deniedAccts.add(createKeyAccount("not-my-guest", "bad"));
} else {
deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
deniedAccts.add(createKeyAccount(granteeName, secret));
}
break;
case GT_PUBLIC:
if (isUserRight) {
allowedAccts.add(anonAccount());
} else {
deniedAccts.add(anonAccount());
}
break;
default:
fail();
}
} else {
// dynamic group
assertEquals(TestGranteeType.GRANTEE_DYNAMIC_GROUP, testGranteeType);
granteeType = GranteeType.GT_GROUP;
if (isUserRight) {
grantee = createUserDynamicGroup(domain);
Account allowedAcct = createUserAccount(domain);
allowedAccts.add(allowedAcct);
prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
// external members are also honored if the right is a user right
Account guestAcct = createGuestAccount("guest@guest.com", "test123");
allowedAccts.add(guestAcct);
prov.addGroupMembers((DynamicGroup) grantee, new String[] { guestAcct.getName() });
deniedAccts.add(createUserAccount(domain));
} else {
grantee = createAdminDynamicGroup(domain);
Account allowedAcct = createDelegatedAdminAccount(domain);
allowedAccts.add(allowedAcct);
prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
deniedAccts.add(createDelegatedAdminAccount(domain));
}
granteeName = grantee.getName();
}
//
// 3. setup expectations for the granting action
//
boolean expectInvalidRequest = false;
if (isUserRight) {
expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
} else {
// is admin right
if (!granteeType.allowedForAdminRights()) {
expectInvalidRequest = true;
}
if (!expectInvalidRequest) {
if (granteeType == GranteeType.GT_DOMAIN && right != Admin.R_crossDomainAdmin) {
expectInvalidRequest = true;
}
}
if (!expectInvalidRequest) {
expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
}
}
//
// 4. setup target on which the right is to be granted
//
Entry grantedOnTarget = null;
String targetName = null;
switch(grantedOnTargetType) {
case account:
grantedOnTarget = createUserAccount("target-acct", domain);
targetName = ((Account) grantedOnTarget).getName();
break;
case calresource:
grantedOnTarget = createCalendarResource("target-cr", domain);
targetName = ((CalendarResource) grantedOnTarget).getName();
break;
case cos:
grantedOnTarget = createCos();
targetName = ((Cos) grantedOnTarget).getName();
break;
case dl:
grantedOnTarget = createUserDistributionList("target-distributionlist", domain);
targetName = ((DistributionList) grantedOnTarget).getName();
break;
case group:
grantedOnTarget = createUserDynamicGroup("target-dynamicgroup", domain);
targetName = ((DynamicGroup) grantedOnTarget).getName();
break;
case domain:
grantedOnTarget = domain;
targetName = domain.getName();
break;
case server:
grantedOnTarget = createServer();
targetName = ((Server) grantedOnTarget).getName();
break;
case alwaysoncluster:
grantedOnTarget = createAlwaysOnCluster();
targetName = ((AlwaysOnCluster) grantedOnTarget).getName();
break;
case ucservice:
grantedOnTarget = createUCService();
targetName = ((UCService) grantedOnTarget).getName();
break;
case xmppcomponent:
// skip for now
return;
case zimlet:
grantedOnTarget = createZimlet();
targetName = ((Zimlet) grantedOnTarget).getName();
break;
case config:
grantedOnTarget = getConfig();
break;
case global:
grantedOnTarget = getGlobalGrant();
break;
default:
fail();
}
//
// grant right on the target
//
boolean gotInvalidRequestException = false;
try {
// TODO: in a different test, test granting by a different authed account:
// global admin, delegated admin, user
//
Account grantingAccount = globalAdmin;
RightCommand.grantRight(prov, grantingAccount, grantedOnTargetType.getCode(), TargetBy.name, targetName, granteeType.getCode(), GranteeBy.name, granteeName, secret, right.getName(), null);
} catch (ServiceException e) {
if (ServiceException.INVALID_REQUEST.equals(e.getCode())) {
gotInvalidRequestException = true;
} else {
e.printStackTrace();
fail();
}
}
//
// 5. verify the grant
//
assertEquals(expectInvalidRequest, gotInvalidRequestException);
// after group creation using the target object returned from the create call.
if (grantedOnTarget instanceof Group) {
grantedOnTarget = prov.getGroupBasic(Key.DistributionListBy.id, ((Group) grantedOnTarget).getId());
}
//
if (right.isComboRight()) {
for (Right rt : ((ComboRight) right).getAllRights()) {
setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, rt, true, allowedAccts, deniedAccts, !gotInvalidRequestException);
}
} else {
setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, right, false, allowedAccts, deniedAccts, !gotInvalidRequestException);
}
}
use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.
the class LdapProvisioning method getDomainByKrb5RealmInternal.
private Domain getDomainByKrb5RealmInternal(String krb5Realm, GetFromDomainCacheOption option) throws ServiceException {
Domain d = domainCache.getByKrb5Realm(krb5Realm, option);
if (d instanceof DomainCache.NonExistingDomain)
return null;
LdapDomain domain = (LdapDomain) d;
if (domain == null) {
domain = getDomainByQuery(filterFactory.domainByKrb5Realm(krb5Realm), null);
domainCache.put(Key.DomainBy.krb5Realm, krb5Realm, domain);
}
return domain;
}
use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.
the class TestLdapProvSearchDirectory method renameDomainSearchAcctCrDl.
@Test
public void renameDomainSearchAcctCrDl() throws Exception {
Account acct = createAccount(genAcctNameLocalPart("acct"));
CalendarResource cr = createCalendarResource(genAcctNameLocalPart("cr"));
DistributionList dl = createDistributionList(genGroupNameLocalPart("dl"));
String domainDN = ((LdapDomain) domain).getDN();
String searchBase = ((LdapProv) prov).getDIT().domainDNToAccountSearchDN(domainDN);
final List<NamedEntry> entries = Lists.newArrayList();
NamedEntry.Visitor visitor = new NamedEntry.Visitor() {
@Override
public void visit(NamedEntry entry) throws ServiceException {
// System.out.println(entry.getName());
entries.add(entry);
}
};
SearchDirectoryOptions options = new SearchDirectoryOptions();
options.setDomain(domain);
options.setOnMaster(true);
options.setFilterString(FilterId.RENAME_DOMAIN, null);
options.setTypes(ObjectType.accounts, ObjectType.resources, ObjectType.distributionlists);
prov.searchDirectory(options, visitor);
Verify.verifyEquals(Lists.newArrayList(acct, cr, dl), entries, false);
/*
// legacy code and ldap trace
int flags = Provisioning.SD_ACCOUNT_FLAG + Provisioning.SD_CALENDAR_RESOURCE_FLAG + Provisioning.SD_DISTRIBUTION_LIST_FLAG;
((LdapProvisioning) prov).searchObjects(null, null, searchBase, flags, visitor, 0);
*
Oct 12 22:10:43 pshao-macbookpro-2 slapd[3065]: conn=1081 op=434 SRCH base="ou=people,dc=com,dc=zimbra,dc=qa,dc=unittest,dc=testldapprovsearchdirectory" scope=2 deref=0 filter="(|(objectClass=zimbraAccount)(objectClass=zimbraDistributionList)(objectClass=zimbraCalendarResource))"
Oct 12 22:10:43 pshao-macbookpro-2 slapd[3065]: conn=1081 op=434 SEARCH RESULT tag=101 err=0 nentries=3 text=
*/
deleteAccount(acct);
deleteAccount(cr);
deleteGroup(dl);
}
use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.
the class TestLdapHelper method hasSubordinates.
@Test
public void hasSubordinates() throws Exception {
Domain domain = provUtil.createDomain(genDomainName(baseDomainName()));
Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
Group group = provUtil.createGroup(genGroupNameLocalPart(), domain, true);
String domainDn = ((LdapDomain) domain).getDN();
String acctBaseDn = prov.getDIT().domainDNToAccountBaseDN(domainDn);
String dynGroupsBaseDn = prov.getDIT().domainDNToDynamicGroupsBaseDN(domainDn);
ZLdapContext zlc = null;
try {
zlc = LdapClient.getContext(LdapServerType.MASTER, LdapUsage.UNITTEST);
// verify dn has Subordinates
assertTrue(hasSubordinates(zlc, acctBaseDn));
assertTrue(hasSubordinates(zlc, dynGroupsBaseDn));
provUtil.deleteAccount(acct);
provUtil.deleteGroup(group);
// verify dn don't have Subordinates
assertFalse(hasSubordinates(zlc, acctBaseDn));
assertFalse(hasSubordinates(zlc, dynGroupsBaseDn));
} finally {
LdapClient.closeContext(zlc);
}
}
use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.
the class LdapProvisioning method searchDirectoryInternal.
private List<NamedEntry> searchDirectoryInternal(SearchDirectoryOptions options, NamedEntry.Visitor visitor) throws ServiceException {
Set<ObjectType> types = options.getTypes();
if (types == null) {
throw ServiceException.INVALID_REQUEST("missing types", null);
}
/*
* base
*/
Domain domain = options.getDomain();
String[] bases = getSearchBases(domain, types);
/*
* filter
*/
int flags = options.getTypesAsFlags();
ZLdapFilter filter = options.getFilter();
String filterStr = options.getFilterString();
// exact one of filter or filterString has to be set
if (filter != null && filterStr != null) {
throw ServiceException.INVALID_REQUEST("only one of filter or filterString can be set", null);
}
if (filter == null) {
if (options.getConvertIDNToAscii() && !Strings.isNullOrEmpty(filterStr)) {
filterStr = LdapEntrySearchFilter.toLdapIDNFilter(filterStr);
}
// prepend objectClass filters
String objectClass = getObjectClassQuery(flags);
if (filterStr == null || filterStr.equals("")) {
filterStr = objectClass;
} else {
if (filterStr.startsWith("(") && filterStr.endsWith(")")) {
filterStr = "(&" + objectClass + filterStr + ")";
} else {
filterStr = "(&" + objectClass + "(" + filterStr + ")" + ")";
}
}
FilterId filterId = options.getFilterId();
if (filterId == null) {
throw ServiceException.INVALID_REQUEST("missing filter id", null);
}
filter = filterFactory.fromFilterString(options.getFilterId(), filterStr);
}
if (domain != null && !InMemoryLdapServer.isOn()) {
boolean groupsTree = false;
boolean peopleTree = false;
if (types.contains(ObjectType.dynamicgroups)) {
groupsTree = true;
}
if (types.contains(ObjectType.accounts) || types.contains(ObjectType.aliases) || types.contains(ObjectType.distributionlists) || types.contains(ObjectType.resources)) {
peopleTree = true;
}
if (groupsTree && peopleTree) {
ZLdapFilter dnSubtreeMatchFilter = ((LdapDomain) domain).getDnSubtreeMatchFilter();
filter = filterFactory.andWith(filter, dnSubtreeMatchFilter);
}
}
/*
* return attrs
*/
String[] returnAttrs = fixReturnAttrs(options.getReturnAttrs(), flags);
return searchObjects(bases, filter, returnAttrs, options, visitor);
}
Aggregations