Repository: incubator-guacamole-client Updated Branches: refs/heads/master 07fb473da -> be3bc6cde
GUACAMOLE-292: Require ADMINISTER permission to get/set attributes which control scheduled access. Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/ae7c792d Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/ae7c792d Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/ae7c792d Branch: refs/heads/master Commit: ae7c792d10f1252a4e3a483bdf10a9023ae04883 Parents: 0a4b1f3 Author: Michael Jumper <[email protected]> Authored: Tue Feb 21 23:54:32 2017 -0800 Committer: Michael Jumper <[email protected]> Committed: Fri May 26 20:15:02 2017 -0700 ---------------------------------------------------------------------- .../guacamole/auth/jdbc/user/ModeledUser.java | 74 ++++++++++++++++++-- .../guacamole/auth/jdbc/user/UserService.java | 32 +++++++-- 2 files changed, 95 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/ae7c792d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java index c2b16ef..0528495 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java @@ -177,6 +177,34 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us private UserPermissionService userPermissionService; /** + * Whether attributes which control access restrictions should be exposed + * via getAttributes() or allowed to be set via setAttributes(). + */ + private boolean exposeRestrictedAttributes = false; + + /** + * Initializes this ModeledUser, associating it with the current + * authenticated user and populating it with data from the given user + * model. + * + * @param currentUser + * The user that created or retrieved this object. + * + * @param model + * The backing model object. + * + * @param exposeRestrictedAttributes + * Whether attributes which control access restrictions should be + * exposed via getAttributes() or allowed to be set via + * setAttributes(). + */ + public void init(ModeledAuthenticatedUser currentUser, UserModel model, + boolean exposeRestrictedAttributes) { + super.init(currentUser, model); + this.exposeRestrictedAttributes = exposeRestrictedAttributes; + } + + /** * The plaintext password previously set by a call to setPassword(), if * any. The password of a user cannot be retrieved once saved into the * database, so this serves to ensure getPassword() returns a reasonable @@ -309,10 +337,16 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us return userPermissionService.getPermissionSet(getCurrentUser(), this); } - @Override - public Map<String, String> getAttributes() { - - Map<String, String> attributes = new HashMap<String, String>(); + /** + * Stores all restricted (privileged) attributes within the given Map, + * pulling the values of those attributes from the underlying user model. + * If no value is yet defined for an attribute, that attribute will be set + * to null. + * + * @param attributes + * The Map to store all restricted attributes within. + */ + private void putRestrictedAttributes(Map<String, String> attributes) { // Set disabled attribute attributes.put(DISABLED_ATTRIBUTE_NAME, getModel().isDisabled() ? "true" : null); @@ -335,7 +369,6 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us // Set timezone attribute attributes.put(TIMEZONE_ATTRIBUTE_NAME, getModel().getTimeZone()); - return attributes; } /** @@ -396,8 +429,14 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us } - @Override - public void setAttributes(Map<String, String> attributes) { + /** + * Stores all restricted (privileged) attributes within the underlying user + * model, pulling the values of those attributes from the given Map. + * + * @param attributes + * The Map to pull all restricted attributes from. + */ + private void setRestrictedAttributes(Map<String, String> attributes) { // Translate disabled attribute getModel().setDisabled("true".equals(attributes.get(DISABLED_ATTRIBUTE_NAME))); @@ -438,6 +477,27 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us } + @Override + public Map<String, String> getAttributes() { + + Map<String, String> attributes = new HashMap<String, String>(); + + // Include restricted attributes only if they should be exposed + if (exposeRestrictedAttributes) + putRestrictedAttributes(attributes); + + return attributes; + } + + @Override + public void setAttributes(Map<String, String> attributes) { + + // Assign restricted attributes only if they are exposed + if (exposeRestrictedAttributes) + setRestrictedAttributes(attributes); + + } + /** * Returns the time zone associated with this user. This time zone must be * used when interpreting all date/time restrictions related to this user. http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/ae7c792d/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java index 76a05f8..7935f86 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -147,15 +147,35 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User @Override protected ModeledUser getObjectInstance(ModeledAuthenticatedUser currentUser, - UserModel model) { + UserModel model) throws GuacamoleException { + + boolean exposeRestrictedAttributes; + + // Expose restricted attributes if the user does not yet exist + if (model.getObjectID() == null) + exposeRestrictedAttributes = true; + + // Otherwise, if the user permissions are available, expose restricted + // attributes only if the user has ADMINISTER permission + else if (currentUser != null) + exposeRestrictedAttributes = hasObjectPermission(currentUser, + model.getIdentifier(), ObjectPermission.Type.ADMINISTER); + + // If user permissions are not available, do not expose anything + else + exposeRestrictedAttributes = false; + + // Produce ModeledUser exposing only those attributes for which the + // current user has permission ModeledUser user = userProvider.get(); - user.init(currentUser, model); + user.init(currentUser, model, exposeRestrictedAttributes); return user; + } @Override protected UserModel getModelInstance(ModeledAuthenticatedUser currentUser, - final User object) { + final User object) throws GuacamoleException { // Create new ModeledUser backed by blank model UserModel model = new UserModel(); @@ -362,9 +382,13 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User * @return * The ModeledUser which corresponds to the given AuthenticatedUser, or * null if no such user exists. + * + * @throws GuacamoleException + * If a ModeledUser object for the user corresponding to the given + * AuthenticatedUser cannot be created. */ public ModeledUser retrieveUser(AuthenticationProvider authenticationProvider, - AuthenticatedUser authenticatedUser) { + AuthenticatedUser authenticatedUser) throws GuacamoleException { // If we already queried this user, return that rather than querying again if (authenticatedUser instanceof ModeledAuthenticatedUser)
