GUACAMOLE-220: Deprecate built-in support for storage of permissions in SimpleUser. Add convenience constructors for SimpleObjectPermissionSet.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/d10256e1 Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/d10256e1 Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/d10256e1 Branch: refs/heads/master Commit: d10256e15112bb476f22f28f878e3972bc83e34c Parents: aa0c654 Author: Michael Jumper <mjum...@apache.org> Authored: Sat Nov 3 13:58:50 2018 -0700 Committer: Michael Jumper <mjum...@apache.org> Committed: Sat Nov 3 13:58:50 2018 -0700 ---------------------------------------------------------------------- .../guacamole/auth/ldap/user/UserContext.java | 32 +++++++--- .../quickconnect/QuickConnectUserContext.java | 19 ++++-- .../auth/simple/SimpleObjectPermissionSet.java | 61 ++++++++++++++++++++ .../guacamole/net/auth/simple/SimpleUser.java | 56 +++++------------- .../net/auth/simple/SimpleUserContext.java | 23 ++++---- 5 files changed, 127 insertions(+), 64 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/d10256e1/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java index 7c520d3..826b4ec 100644 --- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java +++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java 
@@ -34,8 +34,10 @@ import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.Directory;
 import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.UserGroup;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleConnectionGroup;
 import org.apache.guacamole.net.auth.simple.SimpleDirectory;
+import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleUser;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -149,13 +151,29 @@ public class UserContext extends AbstractUserContext { ); // Init self with basic permissions - self = new SimpleUser( - user.getIdentifier(), - userDirectory.getIdentifiers(), - userGroupDirectory.getIdentifiers(), - connectionDirectory.getIdentifiers(), - Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP) - ); + self = new SimpleUser(user.getIdentifier()) { + + @Override + public ObjectPermissionSet getUserPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(userDirectory.getIdentifiers()); + } + + @Override + public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(userGroupDirectory.getIdentifiers()); + } + + @Override + public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers()); + } + + @Override + public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP)); + } + + }; } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/d10256e1/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java b/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java index d7e23ed..dad0505 100644 --- a/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java +++ b/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java 
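Review bot: The retained comment `// Init self with basic permissions` no longer describes the code beneath it: the removed constructor call copied the identifiers once at construction, whereas the four overrides in the anonymous SimpleUser now call `userDirectory.getIdentifiers()`, `userGroupDirectory.getIdentifiers()` and `connectionDirectory.getIdentifiers()` and build a fresh SimpleObjectPermissionSet on every getter call. If those directories can change after this constructor runs, the user's READ permissions now track them live, which looks intended but should be stated; suggest `// Init self with READ permissions computed on demand from this context's directories` so the next reader does not assume a snapshot. The enclosing constructor begins outside this hunk.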
@@ -26,6 +26,8 @@ import org.apache.guacamole.net.auth.AbstractUserContext; import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.ConnectionGroup; import org.apache.guacamole.net.auth.User; +import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; +import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet; import org.apache.guacamole.net.auth.simple.SimpleUser; /** @@ -93,10 +95,19 @@ public class QuickConnectUserContext extends AbstractUserContext { // Initialize the user to a SimpleUser with the provided username, // no connections, and the single root group. - this.self = new SimpleUser(username, - connectionDirectory.getIdentifiers(), - Collections.singleton(ROOT_IDENTIFIER) - ); + this.self = new SimpleUser(username) { + + @Override + public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers()); + } + + @Override + public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(Collections.singleton(ROOT_IDENTIFIER)); + } + + }; // Set the authProvider to the calling authProvider object. this.authProvider = authProvider; http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/d10256e1/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java ---------------------------------------------------------------------- diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java index 7cf54bd..53a30ce 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java 
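Review bot: The comment kept above the new code, `// Initialize the user to a SimpleUser with the provided username, no connections, and the single root group.`, now contradicts the `getConnectionPermissions()` override, which grants READ on every identifier `connectionDirectory.getIdentifiers()` returns at the time of the call rather than on a fixed empty set. Presumably "no connections" described the directory being empty when the removed snapshot constructor ran; with the live override the user gains READ on connections as they are added to the directory, which is a behaviour change worth recording, e.g. `// Initialize the user to a SimpleUser that has READ access to whatever connections are currently in connectionDirectory, plus the single root group.` The enclosing constructor begins outside this hunk.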
@@ -22,6 +22,7 @@ package org.apache.guacamole.net.auth.simple;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
@@ -46,6 +47,66 @@ public class SimpleObjectPermissionSet implements ObjectPermissionSet { } /** + * Creates a new set of ObjectPermissions for each possible combination of + * the given identifiers and permission types. + * + * @param identifiers + * The identifiers which should have one ObjectPermission for each of + * the given permission types. + * + * @param types + * The permissions which should be granted for each of the given + * identifiers. + * + * @return + * A new set of ObjectPermissions containing one ObjectPermission for + * each possible combination of the given identifiers and permission + * types. + */ + private static Set<ObjectPermission> createPermissions(Collection<String> identifiers, + Collection<ObjectPermission.Type> types) { + + // Add a permission of each type to the set for each identifier given + Set<ObjectPermission> permissions = new HashSet<>(identifiers.size()); + types.forEach(type -> { + identifiers.forEach(identifier -> permissions.add(new ObjectPermission(type, identifier))); + }); + + return permissions; + + } + + /** + * Creates a new SimpleObjectPermissionSet which contains permissions for + * all possible unique combinations of the given identifiers and permission + * types. + * + * @param identifiers + * The identifiers which should be associated permissions having each + * of the given permission types. + * + * @param types + * The types of permissions which should be granted for each of the + * given identifiers. + */ + public SimpleObjectPermissionSet(Collection<String> identifiers, + Collection<ObjectPermission.Type> types) { + this(createPermissions(identifiers, types)); + } + + /** + * Creates a new SimpleObjectPermissionSet which contains only READ + * permissions for each of the given identifiers. + * + * @param identifiers + * The identifiers which should each be associated with READ + * permission. 
+ */ + public SimpleObjectPermissionSet(Collection<String> identifiers) { + this(identifiers, Collections.singletonList(ObjectPermission.Type.READ)); + } + + /** * Creates a new SimpleObjectPermissionSet which contains the permissions * within the given Set. * http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/d10256e1/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java ---------------------------------------------------------------------- diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java index 302150e..cce8bf0 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java @@ -46,11 +46,6 @@ public class SimpleUser extends AbstractUser { private final Set<ObjectPermission> userPermissions = new HashSet<>(); /** - * All user group permissions granted to this user. - */ - private final Set<ObjectPermission> userGroupPermissions = new HashSet<>(); - - /** * All connection permissions granted to this user. */ private final Set<ObjectPermission> connectionPermissions = new HashSet<>(); 
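Review bot: In `createPermissions`, `new HashSet<>(identifiers.size())` presizes for one entry per identifier, but the nested forEach inserts one entry per identifier per type, so the set rehashes as soon as more than one type is passed; `new HashSet<>(identifiers.size() * types.size())` matches the contents, or the capacity hint can simply be dropped. The nested lambda blocks would also read more plainly as two for-each loops, since nothing in them needs a lambda. Neither public constructor checks its arguments, so a null `identifiers` or `types` surfaces as an NPE from inside the private helper rather than at the call site; `Objects.requireNonNull(identifiers, "identifiers")` in the two-argument constructor would give a clearer failure point (it needs `java.util.Objects` imported alongside the new HashSet import).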
@@ -115,51 +110,22 @@ public class SimpleUser extends AbstractUser { * @param connectionGroupIdentifiers * The identifiers of all connection groups this user has READ access * to. - */ - public SimpleUser(String username, - Collection<String> connectionIdentifiers, - Collection<String> connectionGroupIdentifiers) { - - this(username); - - // Add permissions - addReadPermissions(connectionPermissions, connectionIdentifiers); - addReadPermissions(connectionGroupPermissions, connectionGroupIdentifiers); - - } - - /** - * Creates a new SimpleUser having the given username and READ access to - * the users, user groups, connections, and connection groups having the - * given identifiers. * - * @param username - * The username to assign to this SimpleUser. - * - * @param userIdentifiers - * The identifiers of all users this user has READ access to. - * - * @param userGroupIdentifiers - * The identifiers of all user groups this user has READ access to. - * - * @param connectionIdentifiers - * The identifiers of all connections this user has READ access to. - * - * @param connectionGroupIdentifiers - * The identifiers of all connection groups this user has READ access - * to. + * @deprecated + * Extend and override the applicable permission set getters instead, + * relying on SimpleUser to expose no permissions by default for all + * permission sets that aren't overridden. See {@link SimpleObjectPermissionSet} + * for convenient methods of providing a read-only permission set with + * specific permissions. 
*/ + @Deprecated public SimpleUser(String username, - Collection<String> userIdentifiers, - Collection<String> userGroupIdentifiers, Collection<String> connectionIdentifiers, Collection<String> connectionGroupIdentifiers) { this(username); // Add permissions - addReadPermissions(userPermissions, userIdentifiers); - addReadPermissions(userGroupPermissions, userGroupIdentifiers); addReadPermissions(connectionPermissions, connectionIdentifiers); addReadPermissions(connectionGroupPermissions, connectionGroupIdentifiers); @@ -181,7 +147,15 @@ public class SimpleUser extends AbstractUser { * @param connectionGroupIdentifiers * The identifiers of all connection groups this user has READ access * to. + * + * @deprecated + * Extend and override the applicable permission set getters instead, + * relying on SimpleUser to expose no permissions by default for all + * permission sets that aren't overridden. See {@link SimpleObjectPermissionSet} + * for convenient methods of providing a read-only permission set with + * specific permissions. */ + @Deprecated public SimpleUser(String username, Collection<String> userIdentifiers, Collection<String> connectionIdentifiers, http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/d10256e1/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java ---------------------------------------------------------------------- diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java index 26978e9..03e94fb 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java 
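Review bot: The five-argument constructor `SimpleUser(String, Collection<String> userIdentifiers, Collection<String> userGroupIdentifiers, Collection<String> connectionIdentifiers, Collection<String> connectionGroupIdentifiers)` is removed outright in this hunk (its parameter list is collapsed into the former three-argument signature), not deprecated as the commit title says; if that signature has shipped in a release, extensions calling it break at compile time, so either keep it as a `@Deprecated` overload or name the removal in the commit message. With the `userGroupPermissions` field deleted in the @@ -46 hunk above, any `getUserGroupPermissions()` override that returned it must have gone too (outside these hunks); worth confirming it now falls through to the empty default the new `@deprecated` text promises. The same `@deprecated` text is repeated in the @@ -181 hunk; in both, "convenient methods" would be more accurate as "convenient constructors", since SimpleObjectPermissionSet gains constructors, not methods.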
@@ -19,7 +19,6 @@ package org.apache.guacamole.net.auth.simple; -import java.util.Collections; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; import org.apache.guacamole.GuacamoleException; @@ -29,6 +28,7 @@ import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.Connection; import org.apache.guacamole.net.auth.Directory; import org.apache.guacamole.net.auth.User; +import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; import org.apache.guacamole.protocol.GuacamoleConfiguration; /** @@ -113,20 +113,19 @@ public class SimpleUserContext extends AbstractUserContext { @Override public User self() { + return new SimpleUser(username) { - try { - return new SimpleUser(username, - getConnectionDirectory().getIdentifiers(), - getConnectionGroupDirectory().getIdentifiers() - ); - } + @Override + public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(getConnectionDirectory().getIdentifiers()); + } - catch (GuacamoleException e) { - return new SimpleUser(username, - Collections.<String>emptySet(), - Collections.<String>emptySet()); - } + @Override + public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException { + return new SimpleObjectPermissionSet(getConnectionGroupDirectory().getIdentifiers()); + } + }; } @Override
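Review bot: The two overrides in the new `self()` body are crossed: `getConnectionGroupPermissions()` builds its set from `getConnectionDirectory().getIdentifiers()` and `getConnectionPermissions()` from `getConnectionGroupDirectory().getIdentifiers()`, so the user is granted READ on connection identifiers as if they were connection groups and vice versa, whereas the removed constructor call paired them correctly. Swap the two directory calls: `return new SimpleObjectPermissionSet(getConnectionGroupDirectory().getIdentifiers());` in `getConnectionGroupPermissions()` and `return new SimpleObjectPermissionSet(getConnectionDirectory().getIdentifiers());` in `getConnectionPermissions()`. Separately, dropping the try/catch means a GuacamoleException from either directory now propagates out of the permission getter instead of yielding an empty set; failing closed is reasonable, but it changes what callers of `self()` observe and merits a sentence in the method's Javadoc.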