/* * This method is called for searching for negative grants granted on a * "sub-target" of a target on which we are granting a right. If the * granting account has any negative grants for a right that is a * "sub-right" of the right he is trying to grant to someone else, * and this negative grant is on a "sub-target" of the target he is * trying to grant on, then sorry, it is not allowed. Because otherwise * the person receiving the grant can end up getting "more" rights * than the granting person. * * e.g. on domain D.com, adminA +domainAdminRights * on dl [email protected], adminA -setPassword * * When adminA tries to grant domainAdminRights to adminB on * domain D.com, it should not be allowed; otherwise adminB * can setPassword for accounts in [email protected], but adminA cannot. * * The targetTypes parameter contains a set of target types that are * "sub-target" of the target type on which we are trying to grant. * * SO, for the search base: * - for domain-ed targets, dls must be under the domain, but accounts * in dls can be in any domain, so the search base is the mail branch base. * - for non domain-ed targets, the search base is the base DN for the type * * we go through all wanted target types, find the least common base */ static Map<String, Set<String>> getSearchBasesAndOCs( Provisioning prov, Set<TargetType> targetTypes) throws ServiceException { // sanity check, is really an internal error if targetTypes is empty if (targetTypes.isEmpty()) return null; Map<String, Set<String>> tempResult = new HashMap<String, Set<String>>(); for (TargetType tt : targetTypes) { String base = getSearchBase(prov, tt); String oc = tt.getAttributeClass().getOCName(); Set<String> ocs = tempResult.get(base); if (ocs == null) ocs = new HashSet<String>(); ocs.add(oc); tempResult.put(base, ocs); } // optimize LdapDIT dit = ((LdapProvisioning) prov).getDIT(); String configBranchBase = dit.configBranchBaseDN(); Set<String> mailBranchOCs = new HashSet<String>(); Set<String> configBranchOCs = new HashSet<String>(); String leastCommonBaseInMailBranch = null; String leastCommonBaseInConfigBranch = null; for (Map.Entry<String, Set<String>> entry : tempResult.entrySet()) { String base = entry.getKey(); Set<String> ocs = entry.getValue(); boolean inConfigBranch = base.endsWith(configBranchBase); if (inConfigBranch) { configBranchOCs.addAll(ocs); if (leastCommonBaseInConfigBranch == null) leastCommonBaseInConfigBranch = base; else leastCommonBaseInConfigBranch = getCommonBase(base, leastCommonBaseInConfigBranch); } else { mailBranchOCs.addAll(ocs); if (leastCommonBaseInMailBranch == null) leastCommonBaseInMailBranch = base; else leastCommonBaseInMailBranch = getCommonBase(base, leastCommonBaseInMailBranch); } } Map<String, Set<String>> result = new HashMap<String, Set<String>>(); // if zimbra default DIT and both mail branch and config branch are needed, merge the two if (LdapDIT.isZimbraDefault(dit)) { if (leastCommonBaseInMailBranch != null && leastCommonBaseInConfigBranch != null) { // merge the two String commonBase = getCommonBase(leastCommonBaseInMailBranch, leastCommonBaseInConfigBranch); Set<String> allOCs = SetUtil.union(mailBranchOCs, configBranchOCs); result.put(commonBase, allOCs); return result; } } // bug 48272, do two searches, one based at the mail branch, one based on the config branch. if (leastCommonBaseInMailBranch != null) result.put(leastCommonBaseInMailBranch, mailBranchOCs); if (leastCommonBaseInConfigBranch != null) result.put(leastCommonBaseInConfigBranch, configBranchOCs); return result; }
static Set<String> getAttrsInClass(Entry target) throws ServiceException {
AttributeClass klass = TargetType.getAttributeClass(target);
return AttributeManager.getInstance().getAllAttrsInClass(klass);
}