GUACAMOLE-220: Implement base API changes within database auth allowing for 
permission inheritance.


Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/0a69630c
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/0a69630c
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/0a69630c

Branch: refs/heads/master
Commit: 0a69630cbb0f80cd819136dce4127dfa6366e1a2
Parents: 72bac09
Author: Michael Jumper <mjum...@apache.org>
Authored: Tue Apr 3 21:32:38 2018 -0700
Committer: Michael Jumper <mjum...@apache.org>
Committed: Wed Sep 19 23:56:51 2018 -0700

----------------------------------------------------------------------
 .../ActiveConnectionPermissionService.java      | 26 ++++-----
 .../ConnectionGroupPermissionService.java       |  4 +-
 .../permission/ConnectionPermissionService.java |  4 +-
 .../ModeledObjectPermissionService.java         | 23 +++-----
 .../permission/ModeledPermissionService.java    | 12 ++--
 .../jdbc/permission/ObjectPermissionMapper.java | 20 +++++--
 .../permission/ObjectPermissionService.java     | 27 ++++++---
 .../jdbc/permission/ObjectPermissionSet.java    | 23 ++++++--
 .../auth/jdbc/permission/PermissionMapper.java  |  8 ++-
 .../auth/jdbc/permission/PermissionService.java | 19 ++++---
 .../SharingProfilePermissionService.java        |  4 +-
 .../jdbc/permission/SystemPermissionMapper.java | 10 +++-
 .../permission/SystemPermissionService.java     | 35 ++++++------
 .../jdbc/permission/SystemPermissionSet.java    | 19 ++++++-
 .../jdbc/permission/UserPermissionService.java  |  4 +-
 .../guacamole/auth/jdbc/user/ModeledUser.java   | 59 +++++++++++++++++---
 16 files changed, 198 insertions(+), 99 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
index 91ad11d..405b237 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
@@ -23,7 +23,6 @@ import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
@@ -58,26 +57,23 @@ public class ActiveConnectionPermissionService
     private Provider<ActiveConnectionPermissionSet> 
activeConnectionPermissionSetProvider;
 
     @Override
-    public ObjectPermission retrievePermission(ModeledAuthenticatedUser user,
+    public boolean hasPermission(ModeledAuthenticatedUser user,
             ModeledUser targetUser, ObjectPermission.Type type,
-            String identifier) throws GuacamoleException {
+            String identifier, boolean inherit) throws GuacamoleException {
 
         // Retrieve permissions
-        Set<ObjectPermission> permissions = retrievePermissions(user, 
targetUser);
+        Set<ObjectPermission> permissions = retrievePermissions(user, 
targetUser, inherit);
 
-        // If retrieved permissions contains the requested permission, return 
it
+        // Permission is granted if retrieved permissions contains the
+        // requested permission
         ObjectPermission permission = new ObjectPermission(type, identifier); 
-        if (permissions.contains(permission))
-            return permission;
-
-        // Otherwise, no such permission
-        return null;
+        return permissions.contains(permission);
 
     }
 
     @Override
     public Set<ObjectPermission> retrievePermissions(ModeledAuthenticatedUser 
user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
 
         // Retrieve permissions only if allowed
         if (canReadPermissions(user, targetUser)) {
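Review bot: retrievePermissions now takes `inherit`, but its body continues past the hunk, so it is not visible here whether the flag actually reaches the permission lookup this service builds its result from. If it is not forwarded, a caller passing `inherit=false` would silently receive the inherited view, which is the wrong answer for anything that edits or displays directly-granted permissions. Please confirm the flag is threaded through, and if it is deliberately unused here, record that with a comment at the point where the permissions are computed rather than leaving an accepted-but-ignored parameter.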
@@ -113,9 +109,9 @@ public class ActiveConnectionPermissionService
     @Override
     public Collection<String> 
retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
             ModeledUser targetUser, Collection<ObjectPermission.Type> 
permissionTypes,
-            Collection<String> identifiers) throws GuacamoleException {
+            Collection<String> identifiers, boolean inherit) throws 
GuacamoleException {
 
-        Set<ObjectPermission> permissions = retrievePermissions(user, 
targetUser);
+        Set<ObjectPermission> permissions = retrievePermissions(user, 
targetUser, inherit);
         Collection<String> accessibleObjects = new 
ArrayList<String>(permissions.size());
 
         // For each identifier/permission combination
@@ -138,11 +134,11 @@ public class ActiveConnectionPermissionService
 
     @Override
     public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
     
         // Create permission set for requested user
         ActiveConnectionPermissionSet permissionSet = 
activeConnectionPermissionSetProvider.get();
-        permissionSet.init(user, targetUser);
+        permissionSet.init(user, targetUser, inherit);
 
         return permissionSet;
  

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
index 68fc3ed..3027d81 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
@@ -51,11 +51,11 @@ public class ConnectionGroupPermissionService extends 
ModeledObjectPermissionSer
 
     @Override
     public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
 
         // Create permission set for requested user
         ObjectPermissionSet permissionSet = 
connectionGroupPermissionSetProvider.get();
-        permissionSet.init(user, targetUser);
+        permissionSet.init(user, targetUser, inherit);
 
         return permissionSet;
         

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
index 80c4b0b..19c30c0 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
@@ -51,11 +51,11 @@ public class ConnectionPermissionService extends 
ModeledObjectPermissionService
 
     @Override
     public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
 
         // Create permission set for requested user
         ObjectPermissionSet permissionSet = 
connectionPermissionSetProvider.get();
-        permissionSet.init(user, targetUser);
+        permissionSet.init(user, targetUser, inherit);
 
         return permissionSet;
         

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
index 9197217..30ea5d7 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
@@ -105,7 +105,7 @@ public abstract class ModeledObjectPermissionService
             affectedIdentifiers.add(permission.getObjectIdentifier());
 
         // Determine subset of affected identifiers that we have admin access 
to
-        ObjectPermissionSet affectedPermissionSet = getPermissionSet(user, 
user.getUser());
+        ObjectPermissionSet affectedPermissionSet = getPermissionSet(user, 
user.getUser(), true);
         Collection<String> allowedSubset = 
affectedPermissionSet.getAccessibleObjects(
             Collections.singleton(ObjectPermission.Type.ADMINISTER),
             affectedIdentifiers
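Review bot: The bare literal `true` passed to getPermissionSet at the admin-access check leaves the reader to guess which behaviour is being selected for an authorisation decision. A comment would make the intent explicit, e.g. `// Include group-inherited permissions: ADMINISTER rights held via group membership count here`. Since this literal decides whether group-granted ADMINISTER rights authorise changes to other users' permissions, the rationale deserves to be stated rather than carried by a positional boolean. The enclosing method starts before the hunk.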
@@ -154,21 +154,13 @@ public abstract class ModeledObjectPermissionService
     }
 
     @Override
-    public ObjectPermission retrievePermission(ModeledAuthenticatedUser user,
+    public boolean hasPermission(ModeledAuthenticatedUser user,
             ModeledUser targetUser, ObjectPermission.Type type,
-            String identifier) throws GuacamoleException {
+            String identifier, boolean inherit) throws GuacamoleException {
 
         // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetUser)) {
-
-            // Read permission from database, return null if not found
-            ObjectPermissionModel model = 
getPermissionMapper().selectOne(targetUser.getModel(), type, identifier);
-            if (model == null)
-                return null;
-
-            return getPermissionInstance(model);
-
-        }
+        if (canReadPermissions(user, targetUser))
+            return getPermissionMapper().selectOne(targetUser.getModel(), 
type, identifier, inherit) != null;
 
         // User cannot read this user's permissions
         throw new GuacamoleSecurityException("Permission denied.");
@@ -178,7 +170,8 @@ public abstract class ModeledObjectPermissionService
     @Override
     public Collection<String> 
retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
             ModeledUser targetUser, Collection<ObjectPermission.Type> 
permissions,
-            Collection<String> identifiers) throws GuacamoleException {
+            Collection<String> identifiers, boolean inherit)
+            throws GuacamoleException {
 
         // Nothing is always accessible
         if (identifiers.isEmpty())
@@ -192,7 +185,7 @@ public abstract class ModeledObjectPermissionService
                 return identifiers;
 
             // Otherwise, return explicitly-retrievable identifiers
-            return 
getPermissionMapper().selectAccessibleIdentifiers(targetUser.getModel(), 
permissions, identifiers);
+            return 
getPermissionMapper().selectAccessibleIdentifiers(targetUser.getModel(), 
permissions, identifiers, inherit);
             
         }
 

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
index 2800845..4d0fcf6 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
@@ -92,7 +92,7 @@ public abstract class 
ModeledPermissionService<PermissionSetType extends Permiss
             permissions.add(getPermissionInstance(model));
 
         return permissions;
-        
+
     }
 
     /**
@@ -111,7 +111,7 @@ public abstract class 
ModeledPermissionService<PermissionSetType extends Permiss
      */
     protected abstract ModelType getModelInstance(ModeledUser targetUser,
             PermissionType permission);
-    
+
     /**
      * Returns a collection of model objects which are based on the given
      * permissions and target user.
@@ -129,7 +129,7 @@ public abstract class 
ModeledPermissionService<PermissionSetType extends Permiss
     protected Collection<ModelType> getModelInstances(ModeledUser targetUser,
             Collection<PermissionType> permissions) {
 
-        // Create new collection of models by manually converting each 
permission 
+        // Create new collection of models by manually converting each 
permission
         Collection<ModelType> models = new 
ArrayList<ModelType>(permissions.size());
         for (PermissionType permission : permissions)
             models.add(getModelInstance(targetUser, permission));
@@ -140,15 +140,15 @@ public abstract class 
ModeledPermissionService<PermissionSetType extends Permiss
 
     @Override
     public Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser 
user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
 
         // Retrieve permissions only if allowed
         if (canReadPermissions(user, targetUser))
-            return 
getPermissionInstances(getPermissionMapper().select(targetUser.getModel()));
+            return 
getPermissionInstances(getPermissionMapper().select(targetUser.getModel(), 
inherit));
 
         // User cannot read this user's permissions
         throw new GuacamoleSecurityException("Permission denied.");
-        
+
     }
 
 }

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
index f744fbf..e5efad0 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
@@ -36,20 +36,26 @@ public interface ObjectPermissionMapper extends 
PermissionMapper<ObjectPermissio
      *
      * @param entity
      *     The entity to retrieve permissions for.
-     * 
+     *
      * @param type
      *     The type of permission to return.
-     * 
+     *
      * @param identifier
      *     The identifier of the object affected by the permission to return.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
      *     The requested permission, or null if no such permission is granted
      *     to the given entity for the given object.
      */
     ObjectPermissionModel selectOne(@Param("entity") EntityModel entity,
             @Param("type") ObjectPermission.Type type,
-            @Param("identifier") String identifier);
+            @Param("identifier") String identifier,
+            @Param("inherit") boolean inherit);
 
     /**
      * Retrieves the subset of the given identifiers for which the given entity
@@ -67,12 +73,18 @@ public interface ObjectPermissionMapper extends 
PermissionMapper<ObjectPermissio
      *     The identifiers of the objects affected by the permissions being
      *     checked.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
      *     A collection containing the subset of identifiers for which at least
      *     one of the specified permissions is granted.
      */
     Collection<String> selectAccessibleIdentifiers(@Param("entity") 
EntityModel entity,
             @Param("permissions") Collection<ObjectPermission.Type> 
permissions,
-            @Param("identifiers") Collection<String> identifiers);
+            @Param("identifiers") Collection<String> identifiers,
+            @Param("inherit") boolean inherit);
 
 }

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
index 5eead24..fa1ee2d 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
@@ -35,31 +35,36 @@ public interface ObjectPermissionService
     extends PermissionService<ObjectPermissionSet, ObjectPermission> {
 
     /**
-     * Retrieves the permission of the given type associated with the given
-     * user and object, if it exists. If no such permission exists, null is
+     * Returns whether the permission of the given type and associated with the
+     * given object has been granted to the given user.
      *
      * @param user
      *     The user retrieving the permission.
      *
      * @param targetUser
      *     The user associated with the permission to be retrieved.
-     * 
+     *
      * @param type
      *     The type of permission to retrieve.
      *
      * @param identifier
      *     The identifier of the object affected by the permission to return.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
-     *     The permission of the given type associated with the given user and
-     *     object, or null if no such permission exists.
+     *     true if permission of the given type and associated with the given
+     *     object has been granted to the given user, false otherwise.
      *
      * @throws GuacamoleException
      *     If an error occurs while retrieving the requested permission.
      */
-    ObjectPermission retrievePermission(ModeledAuthenticatedUser user,
+    boolean hasPermission(ModeledAuthenticatedUser user,
             ModeledUser targetUser, ObjectPermission.Type type,
-            String identifier) throws GuacamoleException;
+            String identifier, boolean inherit) throws GuacamoleException;
 
     /**
      * Retrieves the subset of the given identifiers for which the given user
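Review bot: The Javadoc for hasPermission updates the summary and @return to describe a yes/no check, but the @param entries for `user` ("The user retrieving the permission"), `targetUser` ("... to be retrieved"), `type` ("to retrieve") and the @throws clause still describe retrieval of a permission object. Suggested rewording: `@param user The user checking the permission.`, `@param targetUser The user whose permissions are being checked.`, `@throws GuacamoleException If an error occurs while checking the permission.`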
@@ -80,6 +85,11 @@ public interface ObjectPermissionService
      *     The identifiers of the objects affected by the permissions being
      *     checked.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
      *     A collection containing the subset of identifiers for which at least
      *     one of the specified permissions is granted.
@@ -89,6 +99,7 @@ public interface ObjectPermissionService
      */
     Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser 
user,
             ModeledUser targetUser, Collection<ObjectPermission.Type> 
permissions,
-            Collection<String> identifiers) throws GuacamoleException;
+            Collection<String> identifiers, boolean inherit)
+            throws GuacamoleException;
 
 }

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
index 712a422..cedb45d 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
@@ -43,6 +43,12 @@ public abstract class ObjectPermissionSet extends 
RestrictedObject
     private ModeledUser user;
 
     /**
+     * Whether permissions inherited through user groups should be taken into
+     * account. If false, only permissions granted directly will be included.
+     */
+    boolean inherit;
+
+    /**
      * Creates a new ObjectPermissionSet. The resulting permission set
      * must still be initialized by a call to init(), or the information
      * necessary to read and modify this set will be missing.
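Review bot: The new `inherit` field is declared package-private, while the neighbouring `user` field on the preceding context line is `private`; nothing in the hunk needs wider access, so it should read `private boolean inherit;` to keep the set's state encapsulated and consistent with the existing field. Because this value controls whether group-inherited permissions are reported by getPermissions and hasPermission, leaving it writable from outside the class lets other code in the package alter what the set claims after init() has run.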
@@ -60,10 +66,17 @@ public abstract class ObjectPermissionSet extends 
RestrictedObject
      *
      * @param user
      *     The user to whom the permissions in this set are granted.
+     *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
      */
-    public void init(ModeledAuthenticatedUser currentUser, ModeledUser user) {
+    public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
+            boolean inherit) {
         super.init(currentUser);
         this.user = user;
+        this.inherit = inherit;
     }
 
     /**
@@ -75,16 +88,16 @@ public abstract class ObjectPermissionSet extends 
RestrictedObject
      *     permissions contained within this permission set.
      */
     protected abstract ObjectPermissionService getObjectPermissionService();
- 
+
     @Override
     public Set<ObjectPermission> getPermissions() throws GuacamoleException {
-        return 
getObjectPermissionService().retrievePermissions(getCurrentUser(), user);
+        return 
getObjectPermissionService().retrievePermissions(getCurrentUser(), user, 
inherit);
     }
 
     @Override
     public boolean hasPermission(ObjectPermission.Type permission,
             String identifier) throws GuacamoleException {
-        return 
getObjectPermissionService().retrievePermission(getCurrentUser(), user, 
permission, identifier) != null;
+        return getObjectPermissionService().hasPermission(getCurrentUser(), 
user, permission, identifier, inherit);
     }
 
     @Override
@@ -102,7 +115,7 @@ public abstract class ObjectPermissionSet extends 
RestrictedObject
     @Override
     public Collection<String> 
getAccessibleObjects(Collection<ObjectPermission.Type> permissions,
             Collection<String> identifiers) throws GuacamoleException {
-        return 
getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), 
user, permissions, identifiers);
+        return 
getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), 
user, permissions, identifiers, inherit);
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
index 7b476b3..1c2d23b 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
@@ -38,10 +38,16 @@ public interface PermissionMapper<PermissionType> {
      * @param entity
      *     The entity to retrieve permissions for.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
      *     All permissions associated with the given entity.
      */
-    Collection<PermissionType> select(@Param("entity") EntityModel entity);
+    Collection<PermissionType> select(@Param("entity") EntityModel entity,
+            @Param("inherit") boolean inherit);
 
     /**
      * Inserts the given permissions into the database. If any permissions

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
index 12b046b..6e59634 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
@@ -19,16 +19,11 @@
 
 package org.apache.guacamole.auth.jdbc.permission;
 
-import java.util.ArrayList;
 import java.util.Collection;
-import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.GuacamoleSecurityException;
-import org.apache.guacamole.net.auth.permission.ObjectPermission;
-import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.permission.Permission;
 import org.apache.guacamole.net.auth.permission.PermissionSet;
 
@@ -59,6 +54,11 @@ public interface PermissionService<PermissionSetType extends 
PermissionSet<Permi
      *     The user to whom the permissions in the returned permission set are
      *     granted.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
      *     A permission set that contains all permissions associated with the
      *     given user, and can be used to manipulate that user's permissions.
@@ -69,7 +69,7 @@ public interface PermissionService<PermissionSetType extends 
PermissionSet<Permi
      *     user is denied.
      */
     PermissionSetType getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException;
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException;
 
     /**
      * Retrieves all permissions associated with the given user.
@@ -80,6 +80,11 @@ public interface PermissionService<PermissionSetType extends 
PermissionSet<Permi
      * @param targetUser
      *     The user associated with the permissions to be retrieved.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
      *     The permissions associated with the given user.
      *
@@ -87,7 +92,7 @@ public interface PermissionService<PermissionSetType extends 
PermissionSet<Permi
      *     If an error occurs while retrieving the requested permissions.
      */
     Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException;
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException;
 
     /**
      * Creates the given permissions within the database. If any permissions

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
index ac16fc2..3cdf9d1 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
@@ -51,11 +51,11 @@ public class SharingProfilePermissionService extends 
ModeledObjectPermissionServ
 
     @Override
     public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
 
         // Create permission set for requested user
         ObjectPermissionSet permissionSet = 
sharingProfilePermissionSetProvider.get();
-        permissionSet.init(user, targetUser);
+        permissionSet.init(user, targetUser, inherit);
 
         return permissionSet;
         

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
index 738062c..c05f405 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
@@ -34,15 +34,21 @@ public interface SystemPermissionMapper extends 
PermissionMapper<SystemPermissio
      *
      * @param entity
      *     The entity to retrieve permissions for.
-     * 
+     *
      * @param type
      *     The type of permission to return.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
      *     The requested permission, or null if no such permission is granted
      *     to the given entity.
      */
     SystemPermissionModel selectOne(@Param("entity") EntityModel entity,
-            @Param("type") SystemPermission.Type type);
+            @Param("type") SystemPermission.Type type,
+            @Param("inherit") boolean inherit);
 
 }
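Review bot: `selectOne` now takes `inherit`, but this commit appears to touch only Java sources, so the MyBatis mapper statement behind it is presumably unchanged and will simply ignore the new parameter until its SQL references it; until then `inherit=true` and `inherit=false` return identical rows and the direct/effective distinction introduced elsewhere in this change is nominal. Once the SQL does resolve group membership, an entity holding the same permission type both directly and through a group can yield more than one row, and a mapper method with a single-object return type fails when the query returns multiple results, so the statement must collapse duplicate grants. The `@return` Javadoc should state that contract: `The requested permission, or null if no such permission is granted to the given entity. Implementations must yield at most one row even when the permission is granted through more than one path.`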

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
index e50a47f..5909569 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
@@ -75,11 +75,11 @@ public class SystemPermissionService
 
     @Override
     public SystemPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
 
         // Create permission set for requested user
         SystemPermissionSet permissionSet = systemPermissionSetProvider.get();
-        permissionSet.init(user, targetUser);
+        permissionSet.init(user, targetUser, inherit);
 
         return permissionSet;
         
@@ -123,8 +123,9 @@ public class SystemPermissionService
     }
 
     /**
-     * Retrieves the permission of the given type associated with the given
-     * user, if it exists. If no such permission exists, null is returned.
+     * Retrieves whether the permission of the given type has been granted to
+     * the given user. Permission inheritance through group membership is taken
+     * into account.
      *
      * @param user
      *     The user retrieving the permission.
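Review bot: The sentence added to the method summary, "Permission inheritance through group membership is taken into account", states inheritance unconditionally, but the `inherit` parameter documented in the next hunk for the same method makes it conditional, so the summary and the `@param` contradict each other. Suggest `Retrieves whether the permission of the given type has been granted to the given user, optionally taking permission inheritance through group membership into account.` The method this Javadoc describes begins in the following hunk.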
@@ -135,27 +136,25 @@ public class SystemPermissionService
      * @param type
      *     The type of permission to retrieve.
      *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
+     *
      * @return
-     *     The permission of the given type associated with the given user, or
-     *     null if no such permission exists.
+     *     true if permission of the given type has been granted to the given
+     *     user, false otherwise.
      *
      * @throws GuacamoleException
      *     If an error occurs while retrieving the requested permission.
      */
-    public SystemPermission retrievePermission(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, SystemPermission.Type type) throws 
GuacamoleException {
+    public boolean hasPermission(ModeledAuthenticatedUser user,
+            ModeledUser targetUser, SystemPermission.Type type,
+            boolean inherit) throws GuacamoleException {
 
         // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetUser)) {
-
-            // Read permission from database, return null if not found
-            SystemPermissionModel model = 
getPermissionMapper().selectOne(targetUser.getModel(), type);
-            if (model == null)
-                return null;
-
-            return getPermissionInstance(model);
-
-        }
+        if (canReadPermissions(user, targetUser))
+            return getPermissionMapper().selectOne(targetUser.getModel(), 
type, inherit) != null;
 
         // User cannot read this user's permissions
         throw new GuacamoleSecurityException("Permission denied.");

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
index 9c84a84..bb5af11 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
@@ -43,6 +43,12 @@ public class SystemPermissionSet extends RestrictedObject
     private ModeledUser user;
 
     /**
+     * Whether permissions inherited through user groups should be taken into
+     * account. If false, only permissions granted directly will be included.
+     */
+    private boolean inherit;
+
+    /**
      * Service for reading and manipulating system permissions.
      */
     @Inject
@@ -66,21 +72,28 @@ public class SystemPermissionSet extends RestrictedObject
      *
      * @param user
      *     The user to whom the permissions in this set are granted.
+     *
+     * @param inherit
+     *     Whether permissions inherited through user groups should be taken
+     *     into account. If false, only permissions granted directly will be
+     *     included.
      */
-    public void init(ModeledAuthenticatedUser currentUser, ModeledUser user) {
+    public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
+            boolean inherit) {
         super.init(currentUser);
         this.user = user;
+        this.inherit = inherit;
     }
 
     @Override
     public Set<SystemPermission> getPermissions() throws GuacamoleException {
-        return systemPermissionService.retrievePermissions(getCurrentUser(), 
user);
+        return systemPermissionService.retrievePermissions(getCurrentUser(), 
user, inherit);
     }
 
     @Override
     public boolean hasPermission(SystemPermission.Type permission)
             throws GuacamoleException {
-        return systemPermissionService.retrievePermission(getCurrentUser(), 
user, permission) != null;
+        return systemPermissionService.hasPermission(getCurrentUser(), user, 
permission, inherit);
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
index d56ed28..8e65862 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
@@ -51,11 +51,11 @@ public class UserPermissionService extends 
ModeledObjectPermissionService {
 
     @Override
     public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledUser targetUser, boolean inherit) throws GuacamoleException 
{
 
         // Create permission set for requested user
         ObjectPermissionSet permissionSet = userPermissionSetProvider.get();
-        permissionSet.init(user, targetUser);
+        permissionSet.init(user, targetUser, inherit);
 
         return permissionSet;
         

http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
----------------------------------------------------------------------
diff --git 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
index 583aa7f..39f1636 100644
--- 
a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
+++ 
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
@@ -350,37 +350,37 @@ public class ModeledUser extends 
ModeledDirectoryObject<UserModel> implements Us
     @Override
     public SystemPermissionSet getSystemPermissions()
             throws GuacamoleException {
-        return systemPermissionService.getPermissionSet(getCurrentUser(), 
this);
+        return systemPermissionService.getPermissionSet(getCurrentUser(), 
this, false);
     }
 
     @Override
     public ObjectPermissionSet getConnectionPermissions()
             throws GuacamoleException {
-        return connectionPermissionService.getPermissionSet(getCurrentUser(), 
this);
+        return connectionPermissionService.getPermissionSet(getCurrentUser(), 
this, false);
     }
 
     @Override
     public ObjectPermissionSet getConnectionGroupPermissions()
             throws GuacamoleException {
-        return 
connectionGroupPermissionService.getPermissionSet(getCurrentUser(), this);
+        return 
connectionGroupPermissionService.getPermissionSet(getCurrentUser(), this, 
false);
     }
 
     @Override
     public ObjectPermissionSet getSharingProfilePermissions()
             throws GuacamoleException {
-        return 
sharingProfilePermissionService.getPermissionSet(getCurrentUser(), this);
+        return 
sharingProfilePermissionService.getPermissionSet(getCurrentUser(), this, false);
     }
 
     @Override
     public ObjectPermissionSet getActiveConnectionPermissions()
             throws GuacamoleException {
-        return 
activeConnectionPermissionService.getPermissionSet(getCurrentUser(), this);
+        return 
activeConnectionPermissionService.getPermissionSet(getCurrentUser(), this, 
false);
     }
 
     @Override
     public ObjectPermissionSet getUserPermissions()
             throws GuacamoleException {
-        return userPermissionService.getPermissionSet(getCurrentUser(), this);
+        return userPermissionService.getPermissionSet(getCurrentUser(), this, 
false);
     }
 
     @Override
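Review bot: Each of the six getters now passes a bare `false` as the new last argument, and nothing at the call site says what the literal selects; the mirrored `true` literals in `getEffectivePermissions()` later in the file have the same readability problem. A short comment above the first call would make the split explicit, e.g. `// Direct grants only; permissions inherited through groups are exposed by getEffectivePermissions()`, or a private constant such as `private static final boolean DIRECT_ONLY = false;` used in place of the literal.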
@@ -855,7 +855,52 @@ public class ModeledUser extends 
ModeledDirectoryObject<UserModel> implements Us
 
     @Override
     public Permissions getEffectivePermissions() throws GuacamoleException {
-        return this;
+        return new Permissions() {
+
+            @Override
+            public ObjectPermissionSet getActiveConnectionPermissions()
+                    throws GuacamoleException {
+                return 
activeConnectionPermissionService.getPermissionSet(getCurrentUser(), 
ModeledUser.this, true);
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionGroupPermissions()
+                    throws GuacamoleException {
+                return 
connectionGroupPermissionService.getPermissionSet(getCurrentUser(), 
ModeledUser.this, true);
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionPermissions()
+                    throws GuacamoleException {
+                return 
connectionPermissionService.getPermissionSet(getCurrentUser(), 
ModeledUser.this, true);
+            }
+
+            @Override
+            public ObjectPermissionSet getSharingProfilePermissions()
+                    throws GuacamoleException {
+                return 
sharingProfilePermissionService.getPermissionSet(getCurrentUser(), 
ModeledUser.this, true);
+            }
+
+            @Override
+            public SystemPermissionSet getSystemPermissions()
+                    throws GuacamoleException {
+                return 
systemPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, 
true);
+            }
+
+            @Override
+            public ObjectPermissionSet getUserPermissions()
+                    throws GuacamoleException {
+                return 
userPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, 
true);
+            }
+
+            @Override
+            public ObjectPermissionSet getUserGroupPermissions()
+                    throws GuacamoleException {
+                // FIXME: STUB
+                return new SimpleObjectPermissionSet();
+            }
+
+        };
     }
 
 }
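Review bot: `getUserGroupPermissions()` in the new anonymous `Permissions` returns an empty `SimpleObjectPermissionSet` under a `// FIXME: STUB`, so any authorization decision about user groups that is routed through `getEffectivePermissions()` is denied regardless of what was granted directly or via group membership. Denying is the correct interim behaviour for an authorization path, but the comment should say so and be tracked rather than left as a bare stub: `// FIXME: STUB - effective user group permissions are not yet resolved; returning an empty set denies all user group operations through this view`. Note also that the previous implementation returned `this`, whereas the new one allocates a fresh object per call, so any caller that compared the effective-permissions object to the user by identity will now see a different object each time.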
