
Example 11 with LdapDomain

use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.

the class TestACLAll method execTest.

/**
 * Runs one ACL scenario end to end.
 *
 * <p>Steps (numbered comments below): create a fresh domain; build a grantee of
 * {@code testGranteeType} together with the accounts that should be allowed and
 * denied by the grant; compute whether the grant request itself is expected to be
 * rejected as INVALID_REQUEST; create a target of {@code grantedOnTargetType};
 * grant {@code right} on it as {@code globalAdmin} via {@code RightCommand.grantRight};
 * finally compare the observed outcome with the expectation and hand the
 * allowed/denied accounts to {@code setupTargetAndVerify} (once per sub-right for a
 * combo right).
 *
 * @param note label printed at the start of the scenario
 * @param grantedOnTargetType type of target the right is granted on
 * @param testGranteeType grantee type under test; may wrap a real {@code GranteeType}
 *        or the dynamic-group pseudo type (see the {@code else} branch in step 2)
 * @param right the right to grant (user or admin right, possibly a combo right)
 * @throws Exception propagated from the provisioning helpers; assertion mismatches
 *         are reported through {@code fail()} / {@code assertEquals}
 */
private void execTest(String note, TargetType grantedOnTargetType, TestGranteeType testGranteeType, Right right) throws Exception {
    System.out.println("testing (" + note + "): " + "grant target=" + grantedOnTargetType.getCode() + ", grantee type=" + testGranteeType.getCode() + ", right=" + right.getName());
    //
    // 1. some basic preparation
    //    create a domain
    //
    Domain domain = createDomain();
    // user rights and admin rights need different grantees (plain accounts vs delegated admins)
    boolean isUserRight = right.isUserRight();
    //
    // 2. setup grantee
    //
    // allowedAccts: accounts that should end up with the right; deniedAccts: accounts that should not
    List<Account> allowedAccts = new ArrayList<Account>();
    List<Account> deniedAccts = new ArrayList<Account>();
    NamedEntry grantee = null;
    String granteeName = null;
    // only GT_GUEST and GT_KEY carry a secret; stays null otherwise
    String secret = null;
    // an Object rather than GranteeType: the dynamic-group test grantee type has no
    // GranteeType enum value and is handled in the else branch below
    Object gt = testGranteeType.getGranteeType();
    GranteeType granteeType = null;
    if (gt instanceof GranteeType) {
        granteeType = (GranteeType) gt;
        switch(granteeType) {
            case GT_USER:
                if (isUserRight) {
                    grantee = createUserAccount(domain);
                    allowedAccts.add((Account) grantee);
                    deniedAccts.add(createUserAccount(domain));
                } else {
                    grantee = createDelegatedAdminAccount(domain);
                    allowedAccts.add((Account) grantee);
                    deniedAccts.add(createDelegatedAdminAccount(domain));
                }
                granteeName = grantee.getName();
                break;
            case GT_GROUP:
                if (isUserRight) {
                    grantee = createUserDistributionList(domain);
                    Account allowedAcct = createUserAccount(domain);
                    allowedAccts.add(allowedAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
                    // external members are also honored if the right is a user right
                    Account guestAcct = createGuestAccount("guest@guest.com", "test123");
                    allowedAccts.add(guestAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { guestAcct.getName() });
                    deniedAccts.add(createUserAccount(domain));
                } else {
                    grantee = createAdminDistributionList(domain);
                    Account allowedAcct = createDelegatedAdminAccount(domain);
                    allowedAccts.add(allowedAcct);
                    prov.addMembers((DistributionList) grantee, new String[] { allowedAcct.getName() });
                    deniedAccts.add(createDelegatedAdminAccount(domain));
                }
                granteeName = grantee.getName();
                break;
            case GT_EXT_GROUP:
                // create a domain and use it for the external group
                Domain extDomain = createDomain();
                String extDomainDN = ((LdapDomain) extDomain).getDN();
                String acctLocalpart = "acct-ext";
                //
                // Configure the domain for external AD auth
                //
                Map<String, Object> domainAttrs = Maps.newHashMap();
                if (isUserRight) {
                    domain.setAuthMech(AuthMech.ad.name(), domainAttrs);
                } else {
                    domain.setAuthMechAdmin(AuthMech.ad.name(), domainAttrs);
                }
                /*  ==== mock test ====
                    // setup auth
                    domain.addAuthLdapURL("ldap://localhost:389", domainAttrs);
                    domain.setAuthLdapBindDn("uid=%u,ou=people," + extDomainDN, domainAttrs);
                    // setup external group search parameters
                    domain.setAuthLdapSearchBindDn(LC.zimbra_ldap_userdn.value(), domainAttrs);
                    domain.setAuthLdapSearchBindPassword(LC.zimbra_ldap_password.value(), domainAttrs);
                    domain.setExternalGroupLdapSearchBase(extDomainDN, domainAttrs);
                    domain.setExternalGroupLdapSearchFilter("(&(objectClass=zimbraGroup)(cn=%u))", domainAttrs);
                    domain.setExternalGroupHandlerClass("com.zimbra.qa.unittest.UnittestGroupHandler", domainAttrs);
                    mProv.modifyAttrs(domain, domainAttrs);

                    // create a group in the external directory and add a member
                    Group extGroup = createUserDynamicGroup(extDomain);  // doesn't matter if the group is user or admin
                    String extGroupName = extGroup.getName();
                    Account extAcct = createUserAccount(acctLocalpart, extDomain);
                    mProv.addGroupMembers(extGroup, new String[]{extAcct.getName()});

                    // create the admin account in Zimbra directory and map it to the external account
                    Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
                    allowedAccts.add(zimbraAcct);
                    */
                // NOTE(review): the LDAP URL, search bind DN and bind password below are redacted
                // placeholders ("***"), so this branch cannot reach a real directory as written;
                // the search base, group name and external DN are also tied to one specific
                // environment. Real connection settings belong in test configuration, never in
                // source. The mock-test block above shows a self-contained alternative.
                domain.addAuthLdapURL("***", domainAttrs);
                domain.setAuthLdapSearchBindDn("***", domainAttrs);
                domain.setAuthLdapSearchBindPassword("***", domainAttrs);
                domain.setExternalGroupLdapSearchBase("OU=Engineering,DC=vmware,DC=com", domainAttrs);
                // %n is substituted by the group handler; the filter is otherwise static
                domain.setExternalGroupLdapSearchFilter("(&(objectClass=group)(mail=%n))", domainAttrs);
                domain.setExternalGroupHandlerClass("com.zimbra.cs.account.grouphandler.ADGroupHandler", domainAttrs);
                prov.modifyAttrs(domain, domainAttrs);
                // "ESPPEnrollment-USA@vmware.com";
                String extGroupName = "ENG_pao_users_home4@vmware.com";
                // create the admin account in Zimbra directory and map it to the external account
                Account zimbraAcct = createDelegatedAdminAccount(acctLocalpart, domain);
                // environment-specific DN of the external entry this Zimbra account is mapped to
                zimbraAcct.setAuthLdapExternalDn("CN=Phoebe Shao,OU=PAO_Users,OU=PaloAlto_California_USA,OU=NALA,OU=SITES,OU=Engineering,DC=vmware,DC=com");
                allowedAccts.add(zimbraAcct);
                // =======================
                // external group grantees are named "<zimbra domain>:<external group name>"
                granteeName = domain.getName() + ":" + extGroupName;
                break;
            case GT_AUTHUSER:
                // no explicit grantee entry: any authenticated (non-guest) user qualifies
                if (isUserRight) {
                    allowedAccts.add(createUserAccount("allowed-user-acct", domain));
                    deniedAccts.add(createGuestAccount("not-my-guest@external.com", "test123"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                }
                break;
            case GT_DOMAIN:
                grantee = createDomain();
                if (isUserRight) {
                    allowedAccts.add(createUserAccount("allowed-user-acct", (Domain) grantee));
                    // an account in a different domain must not inherit the grant
                    Domain notGrantee = createDomain();
                    deniedAccts.add(createUserAccount("denied-user-acct", notGrantee));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", (Domain) grantee));
                // TODO: TEST R_crossDomainAdmin
                }
                granteeName = grantee.getName();
                break;
            case GT_GUEST:
                // an email address
                granteeName = "be-my-guest@guest.com";
                // password
                secret = "test123";
                if (isUserRight) {
                    allowedAccts.add(createGuestAccount(granteeName, secret));
                    // same guest identity but wrong password must be denied
                    deniedAccts.add(createGuestAccount("not-my-guest@external.com", "bad"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                    deniedAccts.add(createGuestAccount(granteeName, secret));
                }
                break;
            case GT_KEY:
                // a display name
                granteeName = "be-my-guest";
                // access key
                secret = "test123";
                if (isUserRight) {
                    allowedAccts.add(createKeyAccount(granteeName, secret));
                    deniedAccts.add(createKeyAccount("not-my-guest", "bad"));
                } else {
                    deniedAccts.add(createDelegatedAdminAccount("denied-da-acct", domain));
                    deniedAccts.add(createKeyAccount(granteeName, secret));
                }
                break;
            case GT_PUBLIC:
                // public grants only ever apply to user rights; anonymous is denied admin rights
                if (isUserRight) {
                    allowedAccts.add(anonAccount());
                } else {
                    deniedAccts.add(anonAccount());
                }
                break;
            default:
                fail();
        }
    } else {
        // dynamic group
        // the only non-GranteeType test grantee type; it is granted as GT_GROUP
        assertEquals(TestGranteeType.GRANTEE_DYNAMIC_GROUP, testGranteeType);
        granteeType = GranteeType.GT_GROUP;
        if (isUserRight) {
            grantee = createUserDynamicGroup(domain);
            Account allowedAcct = createUserAccount(domain);
            allowedAccts.add(allowedAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
            // external members are also honored if the right is a user right
            Account guestAcct = createGuestAccount("guest@guest.com", "test123");
            allowedAccts.add(guestAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { guestAcct.getName() });
            deniedAccts.add(createUserAccount(domain));
        } else {
            grantee = createAdminDynamicGroup(domain);
            Account allowedAcct = createDelegatedAdminAccount(domain);
            allowedAccts.add(allowedAcct);
            prov.addGroupMembers((DynamicGroup) grantee, new String[] { allowedAcct.getName() });
            deniedAccts.add(createDelegatedAdminAccount(domain));
        }
        granteeName = grantee.getName();
    }
    //
    // 3. setup expectations for the granting action
    //
    // expectInvalidRequest: true when grantRight itself should be rejected with INVALID_REQUEST
    boolean expectInvalidRequest = false;
    if (isUserRight) {
        expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
    } else {
        // is admin right
        // grantee types that may never hold admin rights (e.g. guest/key/public) are rejected first
        if (!granteeType.allowedForAdminRights()) {
            expectInvalidRequest = true;
        }
        if (!expectInvalidRequest) {
            // a domain grantee is only valid for the cross-domain admin right
            if (granteeType == GranteeType.GT_DOMAIN && right != Admin.R_crossDomainAdmin) {
                expectInvalidRequest = true;
            }
        }
        if (!expectInvalidRequest) {
            expectInvalidRequest = !expectedIsRightGrantableOnTargetType(right, grantedOnTargetType);
        }
    }
    //
    // 4. setup target on which the right is to be granted
    //
    Entry grantedOnTarget = null;
    // name passed to grantRight; remains null for config and global (see those cases)
    String targetName = null;
    switch(grantedOnTargetType) {
        case account:
            grantedOnTarget = createUserAccount("target-acct", domain);
            targetName = ((Account) grantedOnTarget).getName();
            break;
        case calresource:
            grantedOnTarget = createCalendarResource("target-cr", domain);
            targetName = ((CalendarResource) grantedOnTarget).getName();
            break;
        case cos:
            grantedOnTarget = createCos();
            targetName = ((Cos) grantedOnTarget).getName();
            break;
        case dl:
            grantedOnTarget = createUserDistributionList("target-distributionlist", domain);
            targetName = ((DistributionList) grantedOnTarget).getName();
            break;
        case group:
            grantedOnTarget = createUserDynamicGroup("target-dynamicgroup", domain);
            targetName = ((DynamicGroup) grantedOnTarget).getName();
            break;
        case domain:
            // the domain created in step 1 doubles as the target
            grantedOnTarget = domain;
            targetName = domain.getName();
            break;
        case server:
            grantedOnTarget = createServer();
            targetName = ((Server) grantedOnTarget).getName();
            break;
        case alwaysoncluster:
            grantedOnTarget = createAlwaysOnCluster();
            targetName = ((AlwaysOnCluster) grantedOnTarget).getName();
            break;
        case ucservice:
            grantedOnTarget = createUCService();
            targetName = ((UCService) grantedOnTarget).getName();
            break;
        case xmppcomponent:
            // skip for now
            return;
        case zimlet:
            grantedOnTarget = createZimlet();
            targetName = ((Zimlet) grantedOnTarget).getName();
            break;
        case config:
            // singleton target, no name
            grantedOnTarget = getConfig();
            break;
        case global:
            // singleton target, no name
            grantedOnTarget = getGlobalGrant();
            break;
        default:
            fail();
    }
    //
    // grant right on the target
    //
    boolean gotInvalidRequestException = false;
    try {
        // TODO: in a different test, test granting by a different authed account:
        //       global admin, delegated admin, user
        //
        Account grantingAccount = globalAdmin;
        RightCommand.grantRight(prov, grantingAccount, grantedOnTargetType.getCode(), TargetBy.name, targetName, granteeType.getCode(), GranteeBy.name, granteeName, secret, right.getName(), null);
    } catch (ServiceException e) {
        // INVALID_REQUEST is an expected outcome for some scenarios and is checked in step 5;
        // any other ServiceException is a test failure (the trace is printed because
        // fail() here carries no cause)
        if (ServiceException.INVALID_REQUEST.equals(e.getCode())) {
            gotInvalidRequestException = true;
        } else {
            e.printStackTrace();
            fail();
        }
    }
    //
    // 5. verify the grant
    //
    assertEquals(expectInvalidRequest, gotInvalidRequestException);
    // after group creation using the target object returned from the create call.
    // (original comment is truncated; the re-fetch by id replaces the instance returned
    // by the create call before it is used for verification)
    if (grantedOnTarget instanceof Group) {
        grantedOnTarget = prov.getGroupBasic(Key.DistributionListBy.id, ((Group) grantedOnTarget).getId());
    }
    //
    // a combo right is verified once per contained right; the last argument tells the
    // verifier whether the grant actually went through
    if (right.isComboRight()) {
        for (Right rt : ((ComboRight) right).getAllRights()) {
            setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, rt, true, allowedAccts, deniedAccts, !gotInvalidRequestException);
        }
    } else {
        setupTargetAndVerify(domain, grantedOnTarget, grantedOnTargetType, right, false, allowedAccts, deniedAccts, !gotInvalidRequestException);
    }
}

Example 12 with LdapDomain

use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.

the class LdapProvisioning method getDomainByKrb5RealmInternal.

/**
 * Looks up the domain mapped to a Kerberos realm, consulting the domain cache first.
 *
 * <p>A {@code DomainCache.NonExistingDomain} entry in the cache is treated as a
 * negative result (presumably a negative-cache marker) and yields {@code null}.
 * On a cache miss the directory is queried and the result (including a
 * {@code null} result) is stored in the cache under the realm key.
 *
 * @param krb5Realm the Kerberos realm to resolve
 * @param option how the cache lookup should behave
 * @return the matching domain, or {@code null} if none is mapped to the realm
 * @throws ServiceException if the directory query fails
 */
private Domain getDomainByKrb5RealmInternal(String krb5Realm, GetFromDomainCacheOption option) throws ServiceException {
    Domain cached = domainCache.getByKrb5Realm(krb5Realm, option);
    if (cached instanceof DomainCache.NonExistingDomain) {
        return null;
    }
    if (cached != null) {
        // cache hit; entries are expected to be LdapDomain instances
        return (LdapDomain) cached;
    }
    // cache miss: query the directory and remember the answer for the next lookup
    LdapDomain fetched = getDomainByQuery(filterFactory.domainByKrb5Realm(krb5Realm), null);
    domainCache.put(Key.DomainBy.krb5Realm, krb5Realm, fetched);
    return fetched;
}

Example 13 with LdapDomain

use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.

the class TestLdapProvSearchDirectory method renameDomainSearchAcctCrDl.

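/**
 * Verifies that a RENAME_DOMAIN directory search scoped to the test domain returns
 * exactly the account, calendar resource and distribution list created here.
 *
 * <p>The three entries are deleted in a {@code finally} block so that a failed
 * assertion or a search error does not leave them behind in the directory.
 * (If one of the create calls itself fails, entries created before it are still
 * not cleaned up.)
 *
 * @throws Exception propagated from provisioning or the search
 */
@Test
public void renameDomainSearchAcctCrDl() throws Exception {
    Account acct = createAccount(genAcctNameLocalPart("acct"));
    CalendarResource cr = createCalendarResource(genAcctNameLocalPart("cr"));
    DistributionList dl = createDistributionList(genGroupNameLocalPart("dl"));
    try {
        String domainDN = ((LdapDomain) domain).getDN();
        // only referenced by the legacy searchObjects path kept in the comment below
        String searchBase = ((LdapProv) prov).getDIT().domainDNToAccountSearchDN(domainDN);
        final List<NamedEntry> entries = Lists.newArrayList();
        NamedEntry.Visitor visitor = new NamedEntry.Visitor() {

            @Override
            public void visit(NamedEntry entry) throws ServiceException {
                // System.out.println(entry.getName());
                entries.add(entry);
            }
        };
        SearchDirectoryOptions options = new SearchDirectoryOptions();
        options.setDomain(domain);
        options.setOnMaster(true);
        // no caller filter: the objectClass filter derived from the types is used
        options.setFilterString(FilterId.RENAME_DOMAIN, null);
        options.setTypes(ObjectType.accounts, ObjectType.resources, ObjectType.distributionlists);
        prov.searchDirectory(options, visitor);
        // order-insensitive comparison (last argument false)
        Verify.verifyEquals(Lists.newArrayList(acct, cr, dl), entries, false);
        /*
             // legacy code and ldap trace
            int flags = Provisioning.SD_ACCOUNT_FLAG + Provisioning.SD_CALENDAR_RESOURCE_FLAG + Provisioning.SD_DISTRIBUTION_LIST_FLAG;
            ((LdapProvisioning) prov).searchObjects(null, null, searchBase, flags, visitor, 0);
             *
             Oct 12 22:10:43 pshao-macbookpro-2 slapd[3065]: conn=1081 op=434 SRCH base="ou=people,dc=com,dc=zimbra,dc=qa,dc=unittest,dc=testldapprovsearchdirectory" scope=2 deref=0 filter="(|(objectClass=zimbraAccount)(objectClass=zimbraDistributionList)(objectClass=zimbraCalendarResource))"
             Oct 12 22:10:43 pshao-macbookpro-2 slapd[3065]: conn=1081 op=434 SEARCH RESULT tag=101 err=0 nentries=3 text=

             */
    } finally {
        // clean up even when the verification above fails
        deleteAccount(acct);
        deleteAccount(cr);
        deleteGroup(dl);
    }
}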

Example 14 with LdapDomain

use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.

the class TestLdapHelper method hasSubordinates.

/**
 * Checks the hasSubordinates helper against a freshly created domain: the account
 * and dynamic-group containers report children while an account and a group exist
 * in them, and report none once those entries are deleted.
 *
 * <p>The LDAP context is always released in {@code finally}. The test domain itself
 * is not deleted here.
 *
 * @throws Exception propagated from provisioning or the LDAP client
 */
@Test
public void hasSubordinates() throws Exception {
    Domain testDomain = provUtil.createDomain(genDomainName(baseDomainName()));
    Account testAcct = provUtil.createAccount(genAcctNameLocalPart(), testDomain);
    Group testGroup = provUtil.createGroup(genGroupNameLocalPart(), testDomain, true);
    String domainDn = ((LdapDomain) testDomain).getDN();
    // containers checked in this order: accounts first, then dynamic groups
    String[] containerDns = {
        prov.getDIT().domainDNToAccountBaseDN(domainDn),
        prov.getDIT().domainDNToDynamicGroupsBaseDN(domainDn)
    };
    ZLdapContext ctx = null;
    try {
        ctx = LdapClient.getContext(LdapServerType.MASTER, LdapUsage.UNITTEST);
        // both containers hold an entry right now
        for (String dn : containerDns) {
            assertTrue(hasSubordinates(ctx, dn));
        }
        provUtil.deleteAccount(testAcct);
        provUtil.deleteGroup(testGroup);
        // and are empty after the entries are removed
        for (String dn : containerDns) {
            assertFalse(hasSubordinates(ctx, dn));
        }
    } finally {
        // closeContext is expected to tolerate a null context if getContext threw
        LdapClient.closeContext(ctx);
    }
}

Example 15 with LdapDomain

use of com.zimbra.cs.account.ldap.entry.LdapDomain in project zm-mailbox by Zimbra.

the class LdapProvisioning method searchDirectoryInternal.

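/**
 * Performs a directory search described by {@code options}, resolving the search
 * bases from the domain and requested object types, building the LDAP filter, and
 * delegating to {@code searchObjects}.
 *
 * <p>Exactly one of {@code options.getFilter()} and {@code options.getFilterString()}
 * may be set. A filter string is AND-ed with the objectClass filter derived from the
 * requested types. Note that the filter string is embedded as given: this method does
 * not escape it, so any user-derived values must already be escaped by the caller.
 *
 * @param options search parameters (types, domain, filter or filter string, return attrs)
 * @param visitor receives each matching entry
 * @return the entries found, as returned by {@code searchObjects}
 * @throws ServiceException INVALID_REQUEST when types are missing, both filter forms are
 *         set, or a filter string is used without a filter id; otherwise as thrown by the search
 */
private List<NamedEntry> searchDirectoryInternal(SearchDirectoryOptions options, NamedEntry.Visitor visitor) throws ServiceException {
    Set<ObjectType> types = options.getTypes();
    if (types == null) {
        throw ServiceException.INVALID_REQUEST("missing types", null);
    }
    /*
         * base
         */
    Domain domain = options.getDomain();
    String[] bases = getSearchBases(domain, types);
    /*
         * filter
         */
    int flags = options.getTypesAsFlags();
    ZLdapFilter filter = options.getFilter();
    String filterStr = options.getFilterString();
    // exactly one of filter or filterString has to be set
    if (filter != null && filterStr != null) {
        throw ServiceException.INVALID_REQUEST("only one of filter or filterString can be set", null);
    }
    if (filter == null) {
        if (options.getConvertIDNToAscii() && !Strings.isNullOrEmpty(filterStr)) {
            filterStr = LdapEntrySearchFilter.toLdapIDNFilter(filterStr);
        }
        // prepend objectClass filters
        filterStr = andWithObjectClassFilter(getObjectClassQuery(flags), filterStr);
        FilterId filterId = options.getFilterId();
        if (filterId == null) {
            throw ServiceException.INVALID_REQUEST("missing filter id", null);
        }
        filter = filterFactory.fromFilterString(filterId, filterStr);
    }
    if (domain != null && !InMemoryLdapServer.isOn()) {
        // when the search spans both the dynamic-groups tree and the people tree of a
        // domain, restrict results to that domain's subtree
        boolean groupsTree = types.contains(ObjectType.dynamicgroups);
        boolean peopleTree = types.contains(ObjectType.accounts) || types.contains(ObjectType.aliases) || types.contains(ObjectType.distributionlists) || types.contains(ObjectType.resources);
        if (groupsTree && peopleTree) {
            ZLdapFilter dnSubtreeMatchFilter = ((LdapDomain) domain).getDnSubtreeMatchFilter();
            filter = filterFactory.andWith(filter, dnSubtreeMatchFilter);
        }
    }
    /*
         * return attrs
         */
    String[] returnAttrs = fixReturnAttrs(options.getReturnAttrs(), flags);
    return searchObjects(bases, filter, returnAttrs, options, visitor);
}

/**
 * Combines the objectClass filter with a caller-supplied filter string.
 *
 * <p>An empty or {@code null} caller filter yields the objectClass filter alone. A caller
 * filter that is already parenthesised is AND-ed as is; otherwise it is wrapped in
 * parentheses first. No escaping is applied to {@code filterStr}.
 *
 * @param objectClass the objectClass filter fragment (already parenthesised)
 * @param filterStr the caller filter string, may be {@code null} or empty
 * @return the combined filter string
 */
private static String andWithObjectClassFilter(String objectClass, String filterStr) {
    if (filterStr == null || filterStr.isEmpty()) {
        return objectClass;
    }
    if (filterStr.startsWith("(") && filterStr.endsWith(")")) {
        return "(&" + objectClass + filterStr + ")";
    }
    return "(&" + objectClass + "(" + filterStr + ")" + ")";
}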
