mike-jumper commented on a change in pull request #389: GUACAMOLE-708: Enable
auto-creation of users in JDBC modules
URL: https://github.com/apache/guacamole-client/pull/389#discussion_r386144643
##########
File path:
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
##########
@@ -460,6 +460,47 @@ public ModeledUser
retrieveSkeletonUser(AuthenticationProvider authenticationPro
return user;
}
+
+ /**
+ * Create a user in the database that does not already exist, setting up an
+ * empty model and inserting both the entity and the user object, and
+ * generating a random password for the account.
+ *
+ * @param authenticationProvider
+ * The authentication provider that authenticated the user.
+ *
+ * @param authenticatedUser
+ * The authenticated user that is being added to the database.
+ *
+ * @return
+ * The ModeledUser associated with the newly-created database object
+ * for the user.
+ *
+ * @throws GuacamoleException
+ * If a ModeledUser cannot be created, or if the user cannot be
+ * inserted into the database.
+ */
+ public ModeledUser createMissingUser(AuthenticationProvider
authenticationProvider,
+ AuthenticatedUser authenticatedUser) throws GuacamoleException {
+
+ ModeledUser user = getObjectInstance(null,
+ new UserModel(authenticatedUser.getIdentifier()));
+
+ // Insert the database object
+ entityMapper.insert(user.getModel());
+
+ // Auto-generate a password
+ user.setPassword(null);
+
+ // Set up cyclic reference
+ user.setCurrentUser(new ModeledAuthenticatedUser(authenticatedUser,
+ authenticationProvider, user));
+
+ // Insert the user object
+ userMapper.insert(user.getModel());
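Review bot: The comment "Auto-generate a password" on `user.setPassword(null);`, and the Javadoc's "generating a random password for the account", are not borne out by the visible call, which only passes `null`; either generate a random password explicitly here (and state how in the Javadoc), or, if `setPassword(null)` already produces a random password in `ModeledUser`, say so in the comment rather than leaving a reader to assume the account ends up with no password at all. Two smaller points in the same hunk: the Javadoc promises to "Create a user in the database that does not already exist" but nothing checks for existence, so a concurrent creation of the same identifier will surface as an insert failure from `entityMapper.insert(user.getModel())`, and the caller should be told to expect that; and no permission is granted anywhere in the hunk, so unless the caller adds it, the new user will not hold even the self-`READ` permission that the review comment identifies as the minimum.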
Review comment:
Looking over creation of a user and the functionality of `createObject()`,
the main beast appears to be the automatic permission creation. When a user `X`
attempts to create a user `Y`, the following permissions are automatically
added:
This user... | ...can do this... | ...to this object
------------ | ----------------- | -----------------
`X` | `READ` | User `Y`
`X` | `UPDATE` | User `Y`
`X` | `DELETE` | User `Y`
`X` | `ADMINISTER` | User `Y`
`Y` | `READ` | User `Y`
This will be problematic where `X` is the special system user, as then `X`
does not exist and we really only want to grant the following permissions:
This user... | ...can do this... | ...to this object
------------ | ----------------- | -----------------
`Y` | `READ` | User `Y`
Perhaps we really can't avoid having a special-case
`createMissingUser()`-type function specific to `UserService`...
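The permission bookkeeping described in the comment above, as an added Python model that is not code from guacamole-client or this PR: `Store`, `SYSTEM_USER` and the function names are assumptions, and permissions are kept as (grantee, permission, affected user) tuples mirroring the three-column tables. The generic path grants the five rows from the first table; the special-case path grants only the self-`READ` row from the second; and running the generic path with the system user as creator shows why it cannot be reused, since the grant must reference a creator row that does not exist.

```python
"""Toy model of the permission grants discussed in the review comment.

Added illustration only: Store, SYSTEM_USER, create_object() and
create_missing_user() are assumptions, not guacamole-client code.
"""

SYSTEM_USER = None  # assumed sentinel: the special system user has no database row

CREATOR_PERMISSIONS = ("READ", "UPDATE", "DELETE", "ADMINISTER")


class Store:
    """In-memory stand-in for the user table and the user-permission table."""

    def __init__(self):
        self.users = set()
        self.permissions = set()  # (grantee, permission, affected_user)

    def insert_user(self, identifier):
        if identifier in self.users:
            raise ValueError(f"user {identifier!r} already exists")
        self.users.add(identifier)

    def grant(self, grantee, permission, affected):
        # A permission row must reference a grantee that exists; this is the
        # step that breaks when the creator is the system user.
        if grantee not in self.users:
            raise LookupError(f"grantee {grantee!r} does not exist")
        if affected not in self.users:
            raise LookupError(f"affected user {affected!r} does not exist")
        self.permissions.add((grantee, permission, affected))


def create_object(store, creator, identifier):
    """Generic creation path (first table in the comment): the creator gets
    READ/UPDATE/DELETE/ADMINISTER on the new user, and the new user can
    READ itself."""
    store.insert_user(identifier)
    for permission in CREATOR_PERMISSIONS:
        store.grant(creator, permission, identifier)
    store.grant(identifier, "READ", identifier)
    return identifier


def create_missing_user(store, identifier):
    """Special-case path (second table in the comment): the user is created on
    behalf of the system user, so only the self-READ permission is granted."""
    store.insert_user(identifier)
    store.grant(identifier, "READ", identifier)
    return identifier


def permissions_on(store, affected):
    """All permission rows whose affected user is the given identifier."""
    return sorted(p for p in store.permissions if p[2] == affected)


def demo():
    """Return (rows on Y, rows on Z, whether the generic path failed for the
    system user) so the three cases can be checked without printing."""
    store = Store()
    store.insert_user("X")
    create_object(store, "X", "Y")           # X creates Y: five rows
    create_missing_user(store, "Z")          # system creates Z: one row
    try:
        create_object(store, SYSTEM_USER, "W")   # generic path, no creator row
        generic_failed = False
    except LookupError:
        generic_failed = True
    return permissions_on(store, "Y"), permissions_on(store, "Z"), generic_failed


if __name__ == "__main__":
    y_rows, z_rows, generic_failed = demo()
    print("rows on Y:", y_rows)
    print("rows on Z:", z_rows)
    print("generic path with system user failed:", generic_failed)
```

Note that in the failing case the `insert_user("W")` call has already succeeded when the grant raises, leaving a user row with no permissions at all; that is the usual argument for doing the insert and the permission grants in one transaction, whichever of the two paths ends up being used.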