Пример #1
0
  /*
   * This method is called for searching for negative grants granted on a
   * "sub-target" of a target on which we are granting a right.  If the
   * granting account has any negative grants for a right that is a
   * "sub-right" of the right he is trying to grant to someone else,
   * and this negative grant is on a "sub-target" of the target he is
   * trying to grant on, then sorry, it is not allowed.  Because otherwise
   * the person receiving the grant can end up getting "more" rights
   * than the granting person.
   *
   * e.g. on domain D.com, adminA +domainAdminRights
   *      on dl [email protected],  adminA -setPassword
   *
   *      When adminA tries to grant domainAdminRights to adminB on
   *      domain D.com, it should not be allowed; otherwise adminB
   *      can setPassword for accounts in [email protected], but adminA cannot.
   *
   * The targetTypes parameter contains a set of target types that are
   * "sub-target" of the target type on which we are trying to grant.
   *
   * SO, for the search base:
   *   - for domain-ed targets, dls must be under the domain, but accounts
   *     in dls can be in any domain, so the search base is the mail branch base.
   *   - for non domain-ed targets, the search base is the base DN for the type
   *
   *   we go through all wanted target types, find the least common base
   */
  static Map<String, Set<String>> getSearchBasesAndOCs(
      Provisioning prov, Set<TargetType> targetTypes) throws ServiceException {

    // sanity check, is really an internal error if targetTypes is empty
    if (targetTypes.isEmpty()) return null;

    Map<String, Set<String>> tempResult = new HashMap<String, Set<String>>();

    for (TargetType tt : targetTypes) {
      String base = getSearchBase(prov, tt);

      String oc = tt.getAttributeClass().getOCName();
      Set<String> ocs = tempResult.get(base);
      if (ocs == null) ocs = new HashSet<String>();
      ocs.add(oc);
      tempResult.put(base, ocs);
    }

    // optimize
    LdapDIT dit = ((LdapProvisioning) prov).getDIT();
    String configBranchBase = dit.configBranchBaseDN();
    Set<String> mailBranchOCs = new HashSet<String>();
    Set<String> configBranchOCs = new HashSet<String>();

    String leastCommonBaseInMailBranch = null;
    String leastCommonBaseInConfigBranch = null;

    for (Map.Entry<String, Set<String>> entry : tempResult.entrySet()) {
      String base = entry.getKey();
      Set<String> ocs = entry.getValue();

      boolean inConfigBranch = base.endsWith(configBranchBase);
      if (inConfigBranch) {
        configBranchOCs.addAll(ocs);

        if (leastCommonBaseInConfigBranch == null) leastCommonBaseInConfigBranch = base;
        else leastCommonBaseInConfigBranch = getCommonBase(base, leastCommonBaseInConfigBranch);

      } else {
        mailBranchOCs.addAll(ocs);

        if (leastCommonBaseInMailBranch == null) leastCommonBaseInMailBranch = base;
        else leastCommonBaseInMailBranch = getCommonBase(base, leastCommonBaseInMailBranch);
      }
    }

    Map<String, Set<String>> result = new HashMap<String, Set<String>>();

    // if zimbra default DIT and both mail branch and config branch are needed, merge the two
    if (LdapDIT.isZimbraDefault(dit)) {
      if (leastCommonBaseInMailBranch != null && leastCommonBaseInConfigBranch != null) {
        // merge the two
        String commonBase =
            getCommonBase(leastCommonBaseInMailBranch, leastCommonBaseInConfigBranch);
        Set<String> allOCs = SetUtil.union(mailBranchOCs, configBranchOCs);
        result.put(commonBase, allOCs);
        return result;
      }
    }

    // bug 48272, do two searches, one based at the mail branch, one based on the config branch.
    if (leastCommonBaseInMailBranch != null) result.put(leastCommonBaseInMailBranch, mailBranchOCs);
    if (leastCommonBaseInConfigBranch != null)
      result.put(leastCommonBaseInConfigBranch, configBranchOCs);

    return result;
  }
Пример #2
0
 static Set<String> getAttrsInClass(Entry target) throws ServiceException {
   AttributeClass klass = TargetType.getAttributeClass(target);
   return AttributeManager.getInstance().getAllAttrsInClass(klass);
 }