GitHub user mike-jumper opened a pull request: https://github.com/apache/guacamole-client/pull/274
GUACAMOLE-220: Add base extension API support for user groups.

This change adds the base classes necessary for exposing user groups via extensions, and for declaring the permissions which apply to a user *but are not necessarily directly granted to that user*. Overall, this involves:

* A new `UserGroup` interface, as well as the usual `DelegatingUserGroup`, and `Directory<UserGroup>` on `UserContext`.
* A new base interface, `Permissions`, which `User` and `UserGroup` share, defining the interface common to any object which can be granted permissions.
* A new `getEffectivePermissions()` function on `User` which returns a `Permissions` that represents all permissions which apply to the user, even if those permissions are inherited through some arbitrary means (such as user groups). The traditional `getUserPermissions()`, `getConnectionPermissions()`, etc. directly on the `User` return permission sets which describe permissions which are directly granted only.
* A new `getEffectiveUserGroups()` function on `AuthenticatedUser` which allows implementations to expose the identity of a user's group memberships in addition to the user's own identity. This forms the means by which membership in groups can be shared across extensions (for example, LDAP group membership can affect a user in MySQL so long as an identical MySQL group exists, even if that user does not exist in MySQL).
* A new `RelatedObjectSet` interface, similar to `PermissionSet`, which abstracts batch add/remove operations on a group of objects sharing some arbitrary relation, such as the member users of a user group, the parent user groups of a user, etc. This allows relations between specific objects to be established or removed without affecting the existence of those objects (as `Directory` would require) nor necessarily other relations to those objects.

The user groups themselves are exposed via a `Directory<UserGroup>` at the `UserContext` level, like all other objects. A new `ObjectPermissionSet` for user group permissions is exposed within `Permissions`. User membership within groups, group membership within groups, the set of groups containing a particular user, and the set of groups containing a particular group can all be maintained through the various getters returning `RelatedObjectSet` instances.

Other than (1) updating the REST services and JavaScript to use *effective* permissions rather than directly-granted permissions and (2) any stubs necessary to allow the database auth to continue working, no changes outside the API are made here. Assuming these changes move forward, I will open further pull requests for the REST API changes, interface changes, and finally database auth changes.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mike-jumper/guacamole-client user-group-ext

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/guacamole-client/pull/274.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #274

----
commit dfb07edf2967a3f3a4317b062786f88b390f8dae
Author: Michael Jumper <mjumper@...>
Date:   2018-04-19T21:17:25Z

    GUACAMOLE-220: Add base API support for user groups. Refactor as minimally necessary.

commit 393e1ab647e5e8f766f9485cf411651ac82f41d0
Author: Michael Jumper <mjumper@...>
Date:   2018-04-19T21:18:02Z

    GUACAMOLE-220: Use effective permissions to test user access to resources.

----

---
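An added illustration, not code from this pull request or from Guacamole: one possible inheritance model in which effective permissions are the union of direct grants over the user and every transitively reachable group, including groups asserted by another extension at authentication time. The class, the `effective` method, the `user:`/`group:` identifier prefixes and the sample data are all hypothetical.

```java
import java.util.*;

// Added example: a hypothetical model, not Guacamole's API or implementation.
public class EffectivePermissionsExample {

    // Permissions granted directly to each identity in one extension's store
    static final Map<String, Set<String>> DIRECT = new HashMap<>();
    // Groups that directly contain each identity (user or group)
    static final Map<String, Set<String>> PARENT_GROUPS = new HashMap<>();

    // Union of the direct grants of the user and of every group reachable
    // from the user or from the groups asserted at authentication time.
    static Set<String> effective(String user, Set<String> assertedGroups) {
        Set<String> granted = new TreeSet<>();
        Set<String> visited = new HashSet<>();
        Deque<String> pending = new ArrayDeque<>(assertedGroups);
        pending.push(user);
        while (!pending.isEmpty()) {
            String id = pending.pop();
            if (!visited.add(id))
                continue; // already expanded; also stops membership cycles
            granted.addAll(DIRECT.getOrDefault(id, Collections.emptySet()));
            pending.addAll(PARENT_GROUPS.getOrDefault(id, Collections.emptySet()));
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed sample data
        DIRECT.put("user:alice", Set.of("READ connection:1"));
        DIRECT.put("group:ops", Set.of("READ connection:2"));
        DIRECT.put("group:admins", Set.of("ADMINISTER"));
        PARENT_GROUPS.put("user:alice", Set.of("group:ops"));
        PARENT_GROUPS.put("group:ops", Set.of("group:admins"));
        PARENT_GROUPS.put("group:admins", Set.of("group:ops")); // cycle

        // Direct grants alone understate what alice can do
        System.out.println(DIRECT.get("user:alice"));
        System.out.println(effective("user:alice", Set.of()));

        // bob has no record in this store; another extension asserted the
        // group name, and the identically named local group applies to him
        System.out.println(DIRECT.getOrDefault("user:bob", Set.of()));
        System.out.println(effective("user:bob", Set.of("group:ops")));
    }
}
```

Access reviews built on a model like this need to evaluate the effective set, since a user with no direct grants, or no local record at all, can still hold administrative permissions through a group. Because groups are matched across extensions by identity, the names of locally defined groups become part of the trust boundary with whichever extension asserts memberships.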