GUACAMOLE-360: Change ActiveConnection elements to use the ObjectPermissionSet 
mechanism.

Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/5e165185
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/5e165185
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/5e165185

Branch: refs/heads/master
Commit: 5e165185691fbbdede494abc55f9713cd96a0d31
Parents: 85c7b51
Author: Nick Couchman <[email protected]>
Authored: Tue Jun 12 21:17:12 2018 -0400
Committer: Nick Couchman <[email protected]>
Committed: Wed Jun 13 06:17:52 2018 -0400

----------------------------------------------------------------------
 .../ActiveConnectionPermissionService.java      |  4 +-
 .../ActiveConnectionService.java                | 59 ++++++++++++++++++--
 2 files changed, 57 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/5e165185/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
index 91ad11d..261b8bd 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
@@ -96,8 +96,8 @@ public class ActiveConnectionPermissionService
                 String identifier = record.getUUID().toString();
                 permissions.add(new 
ObjectPermission(ObjectPermission.Type.READ, identifier));
 
-                // If we're and admin, then we also have DELETE
-                if (isAdmin)
+                // If we're and admin, or the connection is ours, then we also 
have DELETE
+                if (isAdmin || 
targetUser.getIdentifier().equals(record.getUsername()))
                     permissions.add(new 
ObjectPermission(ObjectPermission.Type.DELETE, identifier));
 
             }
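Review bot: The comment above the DELETE grant still reads "If we're and admin" and does not say how ownership is decided, although this line is now where that rule is defined. The test is an exact string comparison of `targetUser.getIdentifier()` with `record.getUsername()`, so I would spell that out: `// Administrators, and the user whose username exactly matches the record, also receive DELETE`. Stating the exact-match rule makes it clear that a mismatch leaves only READ. The enclosing loop and method start outside the hunk.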

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/5e165185/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
index c14d341..47a97c2 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
@@ -34,6 +34,8 @@ import 
org.apache.guacamole.auth.jdbc.tunnel.ActiveConnectionRecord;
 import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
 import org.apache.guacamole.net.GuacamoleTunnel;
 import org.apache.guacamole.net.auth.ActiveConnection;
+import org.apache.guacamole.net.auth.permission.ObjectPermission;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 
 /**
  * Service which provides convenience methods for creating, retrieving, and
@@ -111,11 +113,10 @@ public class ActiveConnectionService
     public void deleteObject(ModeledAuthenticatedUser user, String identifier)
         throws GuacamoleException {
         
-        // Close connection, if it exists (and we have permission)
+        // Close connection, if it exists and we have permission
         ActiveConnection activeConnection = retrieveObject(user, identifier);
-        if (activeConnection != null && 
-                (user.getUser().isAdministrator() 
-                || 
user.getIdentifier().equals(activeConnection.getUsername()))) {
+        if (activeConnection != null 
+                && hasObjectPermissions(user, identifier, 
ObjectPermission.Type.DELETE)) {
 
             // Close connection if not already closed
             GuacamoleTunnel tunnel = activeConnection.getTunnel();
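Review bot: The new condition treats "no such connection" and "no DELETE permission" the same way, and what happens when it is false lies outside the hunk, since `deleteObject` continues past the last line shown. If that path returns normally, a refused kill request would look like a success to the caller, so it is worth confirming that it throws `GuacamoleSecurityException`. The comment could also say where the rule now lives, for example `// DELETE is computed in ActiveConnectionPermissionService (administrators and the connection's own user)`.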
@@ -161,5 +162,55 @@ public class ActiveConnectionService
         throw new GuacamoleSecurityException("Permission denied.");
 
     }
+    
+    /**
+     * Retrieve the permission set for the specified user that relates
+     * to access to active connections.
+     * 
+     * @param user
+     *     The user for which to retrieve the permission set.
+     * 
+     * @return
+     *     A permission set associated with the given user that specifies
+     *     the permissions available for active connection objects.
+     * 
+     * @throws GuacamoleException
+     *     If permission to read permissions for the user is denied.
+     */
+    private ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser 
user) 
+            throws GuacamoleException {
+        return user.getUser().getActiveConnectionPermissions();
+    }
+    
+    /**
+     * Return a boolean value representing whether or not a user has the given
+     * permission available to them on the active connection with the given
+     * identifier.
+     * 
+     * @param user
+     *     The user for which the permissions are being queried.
+     * 
+     * @param identifier
+     *     The identifier of the active connection we are wondering about.
+     * 
+     * @param type
+     *     The type of permission being requested.
+     * 
+     * @return
+     *     True if the user has the necessary permission; otherwise false.
+     * 
+     * @throws GuacamoleException 
+     *     If the user does not have access to read permissions.
+     */
+    private boolean hasObjectPermissions(ModeledAuthenticatedUser user,
+            String identifier, ObjectPermission.Type type)
+            throws GuacamoleException {
+        
+        ObjectPermissionSet permissionSet = getPermissionSet(user);
+        
+        return user.getUser().isAdministrator() 
+                || permissionSet.hasPermission(type, identifier);
+        
+    }
 
 }
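Review bot: `hasObjectPermissions` calls `getPermissionSet(user)` before it looks at `isAdministrator()`, so the administrator shortcut never saves the lookup, and an exception from the lookup would also stop an administrator. Evaluating the cheap check first gives the same result whenever the lookup succeeds: `return user.getUser().isAdministrator() || getPermissionSet(user).hasPermission(type, identifier);`. The method tests a single permission type, so `hasObjectPermission` would be the more accurate name. The ActiveConnectionPermissionService hunk already adds DELETE when `isAdmin` is set, so the shortcut may be redundant; if it is kept deliberately, a one-line comment saying why would help.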
