GitHub user mike-jumper opened a pull request:

    https://github.com/apache/guacamole-client/pull/274

    GUACAMOLE-220: Add base extension API support for user groups.

    This change adds the base classes necessary for exposing user groups via extensions, and for declaring the permissions which apply to a user *but are not necessarily directly granted to that user*.

    Overall, this involves:

    * A new `UserGroup` interface, as well as the usual `DelegatingUserGroup`, and `Directory<UserGroup>` on `UserContext`.
    * A new base interface, `Permissions`, which `User` and `UserGroup` share, defining the interface common to any object which can be granted permissions.
    * A new `getEffectivePermissions()` function on `User` which returns a `Permissions` that represents all permissions which apply to the user, even if those permissions are inherited through some arbitrary means (such as user groups). The traditional `getUserPermissions()`, `getConnectionPermissions()`, etc. directly on the `User` return permission sets which describe permissions which are directly granted only.
    * A new `getEffectiveUserGroups()` function on `AuthenticatedUser` which allows implementations to expose the identity of a user's group memberships in addition to the user's own identity. This forms the means by which membership in groups can be shared across extensions (for example, LDAP group membership can affect a user in MySQL so long as an identical MySQL group exists, even if that user does not exist in MySQL).
    * A new `RelatedObjectSet` interface, similar to `PermissionSet`, which abstracts batch add/remove operations on a group of objects sharing some arbitrary relation, such as the member users of a user group, the parent user groups of a user, etc. This allows relations between specific objects to be established or removed without affecting the existence of those objects (as `Directory` would require) nor necessarily other relations to those objects.

    The user groups themselves are exposed via a `Directory<UserGroup>` at the `UserContext` level, like all other objects. A new `ObjectPermissionSet` for user group permissions is exposed within `Permissions`. User membership within groups, group membership within groups, the set of groups containing a particular user, and the set of groups containing a particular group can all be maintained through the various getters returning `RelatedObjectSet` instances.

    Other than (1) updating the REST services and JavaScript to use *effective* permissions rather than directly-granted permissions and (2) any stubs necessary to allow the database auth to continue working, no changes outside the API are made here.

    Assuming these changes move forward, I will open further pull requests for the REST API changes, interface changes, and finally database auth changes.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mike-jumper/guacamole-client user-group-ext

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/guacamole-client/pull/274.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #274
    
----
commit dfb07edf2967a3f3a4317b062786f88b390f8dae
Author: Michael Jumper <mjumper@...>
Date:   2018-04-19T21:17:25Z

    GUACAMOLE-220: Add base API support for user groups. Refactor as minimally necessary.

commit 393e1ab647e5e8f766f9485cf411651ac82f41d0
Author: Michael Jumper <mjumper@...>
Date:   2018-04-19T21:18:02Z

    GUACAMOLE-220: Use effective permissions to test user access to resources.

----
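The distinction the pull request draws between directly granted and effective permissions, as an added example that is not code from the pull request or from Guacamole. The class, the string-based permission model, the sample names and the guard against cyclic group nesting are all assumptions of the example.

```java
import java.util.*;

// Hypothetical model, not Guacamole's API: permissions are plain strings and
// membership maps a user or group name to the groups that contain it.
public class EffectivePermissionsDemo {

    static final Map<String, Set<String>> DIRECT = new HashMap<>();  // name -> directly granted
    static final Map<String, Set<String>> PARENTS = new HashMap<>(); // name -> parent groups

    // Union of the subject's direct grants and those of every group reachable
    // through membership. The visited set makes cyclic nesting terminate.
    static Set<String> effective(String subject) {
        Set<String> result = new TreeSet<>();
        Set<String> visited = new HashSet<>();
        Deque<String> pending = new ArrayDeque<>();
        pending.push(subject);
        while (!pending.isEmpty()) {
            String current = pending.pop();
            if (!visited.add(current))
                continue; // already expanded this user or group
            result.addAll(DIRECT.getOrDefault(current, Collections.emptySet()));
            for (String parent : PARENTS.getOrDefault(current, Collections.emptySet()))
                pending.push(parent);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data
        DIRECT.put("alice", Set.of("READ:conn-1"));
        DIRECT.put("ops", Set.of("READ:conn-2"));
        DIRECT.put("admins", Set.of("ADMINISTER:conn-2"));
        PARENTS.put("alice", Set.of("ops"));
        PARENTS.put("ops", Set.of("admins"));
        PARENTS.put("admins", Set.of("ops")); // cyclic nesting, handled by visited

        Set<String> direct = DIRECT.get("alice");
        Set<String> all = effective("alice");
        System.out.println("direct:    " + direct);
        System.out.println("effective: " + all);
        // An audit or access check over direct grants alone misses inherited access
        System.out.println("direct has READ:conn-2?    " + direct.contains("READ:conn-2"));
        System.out.println("effective has READ:conn-2? " + all.contains("READ:conn-2"));
    }
}
```

When auditing what an account can reach, the effective set is the one to review, since the direct set omits everything inherited through groups.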

