fix: [CO-3221] filter distribution list rights (#932)

* chore: filter out distribution list rights not belonging user

* test: rights in GetInfo API

Author: zextrasGiovanniDefacci

store/src/main/java/com/zimbra/cs/account/accesscontrol/DiscoverUserRights.java

@@ -5,6 +5,7 @@
 
 package com.zimbra.cs.account.accesscontrol;
 
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -66,11 +67,13 @@ Map<Right, Set<Entry>> handle() throws ServiceException {
 
         Map<Right, Set<Entry>> result = Maps.newHashMap();
 
+        Set<String> accountDistributionLists = prov.getDistributionLists(acct);
         for (SearchGrants.GrantsOnTarget grants : searchResults) {
             Entry targetEntry = grants.getTargetEntry();
             ZimbraACL acl = grants.getAcl();
 
-            for (ZimbraACE ace : acl.getAllACEs()) {
+            List<ZimbraACE> aces = filterAccountACEs(acl.getAllACEs(), accountDistributionLists);
+            for (ZimbraACE ace : aces) {
                 Right right = ace.getRight();
 
                 if (rights.contains(right) && !isSameEntry(targetEntry, acct)) {
@@ -83,11 +86,11 @@ Map<Right, Set<Entry>> handle() throws ServiceException {
                         }
                     }
                     TargetType targetTypeForRight = right.getTargetType();
-                    TargetType taregtTypeOfEntry = TargetTypeLookup.getTargetType(targetEntry);
-                    if (targetTypeForRight.equals(taregtTypeOfEntry) ||
-                        (targetTypeForRight==TargetType.account && taregtTypeOfEntry==TargetType.calresource) ||
-                        (targetTypeForRight==TargetType.dl && taregtTypeOfEntry==TargetType.group) ||
-                        (targetTypeForRight==TargetType.group && taregtTypeOfEntry==TargetType.dl)) {
+                    TargetType targetTypeOfEntry = TargetTypeLookup.getTargetType(targetEntry);
+                    if (targetTypeForRight.equals(targetTypeOfEntry) ||
+                        (targetTypeForRight==TargetType.account && targetTypeOfEntry==TargetType.calresource) ||
+                        (targetTypeForRight==TargetType.dl && targetTypeOfEntry==TargetType.group) ||
+                        (targetTypeForRight==TargetType.group && targetTypeOfEntry==TargetType.dl)) {
                         Set<Entry> entries = result.get(right);
                         if (entries == null) {
                             entries = Sets.newHashSet();
@@ -101,6 +104,13 @@ Map<Right, Set<Entry>> handle() throws ServiceException {
         return result;
     }
 
+    private static List<ZimbraACE> filterAccountACEs(List<ZimbraACE> aces, Set<String> accountDistributionLists) {
+        return aces.stream().filter(ace -> {
+            boolean isDistributionList = ace.getGranteeType().equals(GranteeType.GT_GROUP);
+            return !isDistributionList || (accountDistributionLists.contains(ace.getGrantee()));
+        }).toList();
+    }
+
     private boolean isSameEntry(Entry entry1, Entry entry2) throws ServiceException {
         if ((entry1 instanceof LdapEntry) && (entry2 instanceof LdapEntry)) {
             String entry1DN = ((LdapEntry) entry1).getDN();

store/src/test/java/com/zimbra/cs/service/account/GetInfoTest.java

@@ -9,12 +9,24 @@
 import com.zimbra.cs.account.Account;
 import com.zimbra.cs.account.AttributeInfo;
 import com.zimbra.cs.account.AttributeManager;
+import com.zimbra.cs.account.DistributionList;
 import com.zimbra.cs.account.Provisioning;
+import com.zimbra.soap.account.message.DistributionListActionRequest;
 import com.zimbra.soap.account.message.GetInfoRequest;
+
+import java.util.HashMap;
 import java.util.List;
+
+import com.zimbra.soap.account.type.DistributionListAction;
+import com.zimbra.soap.account.type.DistributionListGranteeSelector;
+import com.zimbra.soap.account.type.DistributionListRightSpec;
+import com.zimbra.soap.type.DistributionListBy;
+import com.zimbra.soap.type.DistributionListGranteeBy;
+import com.zimbra.soap.type.DistributionListSelector;
+import com.zimbra.soap.type.GranteeType;
 import org.apache.http.HttpStatus;
 import org.junit.jupiter.api.Assertions;
- import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -98,6 +110,11 @@ private SoapResponse getAttributesSection(Account account) throws Exception {
 		return getSoapClient().executeSoap(account, request);
   }
 
+  private SoapResponse getResponseIncludingRights(Account account) throws Exception {
+    final var request = new GetInfoRequest().setRights("sendAs","sendAsDistList","viewFreeBusy","sendOnBehalfOf","sendOnBehalfOfDistList");
+    return getSoapClient().executeSoap(account, request);
+  }
+
   @Test
   void attributesSectionProvidesAccountStatusAttribute() throws Exception {
     final var account =
@@ -125,6 +142,75 @@ void getInfo_shouldReturnAlsoDeprecatedAttributes() throws Exception {
     final var body = response.body();
     assertTrue(body.contains("<attr name=\"zimbraFeatureMailEnabled\">FALSE</attr>"));
   }
+
+  @Test
+  void getInfo_shouldContainRightsSection_sendAsDistList_singleAccount() throws Exception {
+    final var admin = createAccount().asGlobalAdmin().create();
+    final var grantee =  createAccount().create();
+
+    var dl = getProvisioning().createDistributionList("dl@test.com", new HashMap<>());
+    getSoapClient().executeSoap(admin, createGrantRightsDistributionListActionRequest("sendAsDistList", grantee.getName(), dl));
+    final var response = getResponseIncludingRights(grantee);
+
+    assertEquals(HttpStatus.SC_OK, response.statusCode());
+    final var body = response.body();
+
+    assertTrue(body.contains("""
+            <rights><targets right="sendAsDistList"><target type="dl"><email addr="dl@test.com"/></target></targets></rights>"""));
+  }
+
+  @Test
+  void getInfo_shouldContainRightsSection_sendAsDistList_distributionList() throws Exception {
+    final var admin = createAccount().asGlobalAdmin().create();
+    final var member =  createAccount().create();
+
+    var targetDl = getProvisioning().createDistributionList("target-dl@test.com", new HashMap<>());
+    var granteeDl = getProvisioning().createDistributionList("grantee-dl@test.com", new HashMap<>());
+
+    getProvisioning().addGroupMembers(granteeDl, new String[] { member.getName() });
+    getSoapClient().executeSoap(admin, createGrantRightsDistributionListActionRequest("sendAsDistList", granteeDl.getName(), targetDl));
+
+    final var response = getResponseIncludingRights(member);
+
+    assertEquals(HttpStatus.SC_OK, response.statusCode());
+    final var body = response.body();
+
+    assertTrue(body.contains("""
+            <rights><targets right="sendAsDistList"><target type="dl"><email addr="target-dl@test.com"/></target></targets></rights>"""));
+  }
+
+  @Test
+  void getInfo_shouldContainRightsSection_sendAsDistList_distributionLists() throws Exception {
+    final var admin = createAccount().asGlobalAdmin().create();
+    final var member =  createAccount().create();
+
+    var targetDl = getProvisioning().createDistributionList("target-1-dl@test.com", new HashMap<>());
+    var granteeDl = getProvisioning().createDistributionList("grantee-1-dl@test.com", new HashMap<>());
+    var otherGranteeDl = getProvisioning().createDistributionList("other-grantee-1-dl@test.com", new HashMap<>());
+
+    getProvisioning().addGroupMembers(granteeDl, new String[] { member.getName() });
+
+    getSoapClient().executeSoap(admin, createGrantRightsDistributionListActionRequest("sendAsDistList", granteeDl.getName(), targetDl));
+    getSoapClient().executeSoap(admin, createGrantRightsDistributionListActionRequest("sendOnBehalfOfDistList", otherGranteeDl.getName(), targetDl));
+
+    final var response = getResponseIncludingRights(member);
+
+    assertEquals(HttpStatus.SC_OK, response.statusCode());
+    final var body = response.body();
+
+    assertTrue(body.contains("""
+            <rights><targets right="sendAsDistList"><target type="dl"><email addr="target-1-dl@test.com"/></target></targets></rights>"""));
+  }
+
+  private static DistributionListActionRequest createGrantRightsDistributionListActionRequest(String right, String granteeName, DistributionList targetDl) {
+    DistributionListAction distributionListAction = new DistributionListAction(DistributionListAction.Operation.grantRights);
+    DistributionListRightSpec distributionListRightSpec = new DistributionListRightSpec(right);
+    distributionListRightSpec.addGrantee(new DistributionListGranteeSelector(
+            GranteeType.email, DistributionListGranteeBy.name, granteeName
+    ));
+    distributionListAction.setRights(List.of(distributionListRightSpec));
+    return new DistributionListActionRequest(new DistributionListSelector(DistributionListBy.id, targetDl.getId()), distributionListAction);
+  }
 }