GUACAMOLE-220: Refactor handling of JDBC permissions to abstract away users vs. user groups.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/69f58c8c Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/69f58c8c Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/69f58c8c Branch: refs/heads/master Commit: 69f58c8ca314c44822e0eaab354b5f722a01ac89 Parents: 14d10fb Author: Michael Jumper <mjum...@apache.org> Authored: Sat Apr 7 19:10:38 2018 -0700 Committer: Michael Jumper <mjum...@apache.org> Committed: Wed Sep 19 23:56:51 2018 -0700 ---------------------------------------------------------------------- .../jdbc/JDBCAuthenticationProviderModule.java | 2 + .../ActiveConnectionPermissionService.java | 37 +-- .../guacamole/auth/jdbc/base/EntityMapper.java | 22 ++ .../guacamole/auth/jdbc/base/EntityService.java | 65 +++++ .../auth/jdbc/base/ModeledPermissions.java | 266 +++++++++++++++++++ .../permission/AbstractPermissionService.java | 59 +++- .../ConnectionGroupPermissionService.java | 11 +- .../permission/ConnectionPermissionService.java | 11 +- .../ModeledObjectPermissionService.java | 68 ++--- .../permission/ModeledPermissionService.java | 37 +-- .../permission/ObjectPermissionService.java | 37 +-- .../jdbc/permission/ObjectPermissionSet.java | 42 +-- .../auth/jdbc/permission/PermissionService.java | 66 ++--- .../SharingProfilePermissionService.java | 11 +- .../permission/SystemPermissionService.java | 42 +-- .../jdbc/permission/SystemPermissionSet.java | 40 +-- .../jdbc/permission/UserPermissionService.java | 11 +- .../guacamole/auth/jdbc/user/ModeledUser.java | 191 +------------ .../guacamole/auth/jdbc/user/UserMapper.java | 22 -- .../guacamole/auth/jdbc/user/UserService.java | 28 -- .../guacamole/auth/jdbc/base/EntityMapper.xml | 38 +++ .../guacamole/auth/jdbc/user/UserMapper.xml | 38 --- 22 files changed, 673 insertions(+), 471 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java index 17dfc5d..48c95c7 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java @@ -60,6 +60,7 @@ import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissio import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionService; import org.apache.guacamole.auth.jdbc.activeconnection.TrackedActiveConnection; import org.apache.guacamole.auth.jdbc.base.EntityMapper; +import org.apache.guacamole.auth.jdbc.base.EntityService; import org.apache.guacamole.auth.jdbc.connection.ConnectionParameterMapper; import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionMapper; import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService; @@ -161,6 +162,7 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule { bind(ConnectionPermissionService.class); bind(ConnectionSharingService.class); bind(ConnectionService.class); + bind(EntityService.class); bind(GuacamoleTunnelService.class).to(RestrictedGuacamoleTunnelService.class); bind(PasswordEncryptionService.class).to(SHA256PasswordEncryptionService.class); bind(PasswordPolicyService.class); http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java index a0511b8..e7cbd5d 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java @@ -27,12 +27,13 @@ import java.util.HashSet; import java.util.Set; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.auth.jdbc.permission.AbstractPermissionService; import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionService; import org.apache.guacamole.auth.jdbc.tunnel.ActiveConnectionRecord; import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; @@ -58,12 +59,13 @@ public class ActiveConnectionPermissionService @Override public boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, ObjectPermission.Type type, - String identifier, Set<String> effectiveGroups) throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + ObjectPermission.Type type, String identifier, + Set<String> effectiveGroups) throws GuacamoleException { // Retrieve permissions Set<ObjectPermission> permissions = retrievePermissions(user, - targetUser, effectiveGroups); + targetEntity, effectiveGroups); // Permission is granted if retrieved permissions contains the // requested permission @@ -74,14 +76,14 @@ public class ActiveConnectionPermissionService @Override public Set<ObjectPermission> retrievePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) { + if (canReadPermissions(user, targetEntity)) { // Only administrators may access active connections - boolean isAdmin = targetUser.isAdministrator(); + boolean isAdmin = targetEntity.isAdministrator(); // Get all active connections Collection<ActiveConnectionRecord> records = tunnelService.getActiveConnections(user); @@ -110,11 +112,12 @@ public class ActiveConnectionPermissionService @Override public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection<ObjectPermission.Type> permissionTypes, + ModeledPermissions<? extends EntityModel> targetEntity, + Collection<ObjectPermission.Type> permissionTypes, Collection<String> identifiers, Set<String> effectiveGroups) throws GuacamoleException { - Set<ObjectPermission> permissions = retrievePermissions(user, targetUser, effectiveGroups); + Set<ObjectPermission> permissions = retrievePermissions(user, targetEntity, effectiveGroups); Collection<String> accessibleObjects = new ArrayList<String>(permissions.size()); // For each identifier/permission combination @@ -137,12 +140,12 @@ public class ActiveConnectionPermissionService @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ActiveConnectionPermissionSet permissionSet = activeConnectionPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; @@ -150,7 +153,8 @@ public class ActiveConnectionPermissionService @Override public void createPermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection<ObjectPermission> permissions) + ModeledPermissions<? extends EntityModel> targetEntity, + Collection<ObjectPermission> permissions) throws GuacamoleException { // Creating active connection permissions is not implemented @@ -160,7 +164,8 @@ public class ActiveConnectionPermissionService @Override public void deletePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection<ObjectPermission> permissions) + ModeledPermissions<? extends EntityModel> targetEntity, + Collection<ObjectPermission> permissions) throws GuacamoleException { // Deleting active connection permissions is not implemented http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java index 14657ce..31efad5 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java @@ -19,6 +19,8 @@ package org.apache.guacamole.auth.jdbc.base; +import java.util.Collection; +import java.util.Set; import org.apache.ibatis.annotations.Param; /** @@ -40,4 +42,24 @@ public interface EntityMapper { */ int insert(@Param("entity") EntityModel entity); + /** + * Returns the set of all group identifiers of which the given entity is a + * member, taking into account the given collection of known group + * memberships which are not necessarily defined within the database. + * + * @param entity + * The entity whose effective groups should be returned. + * + * @param effectiveGroups + * The identifiers of any known effective groups that should be taken + * into account, such as those defined externally to the database. + * + * @return + * The set of identifiers of all groups that the given entity is a + * member of, including those where membership is inherited through + * membership in other groups. + */ + Set<String> selectEffectiveGroupIdentifiers(@Param("entity") EntityModel entity, + @Param("effectiveGroups") Collection<String> effectiveGroups); + } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java new file mode 100644 index 0000000..fa71fee --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java @@ -0,0 +1,65 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.base; + +import com.google.inject.Inject; +import java.util.Collection; +import java.util.Set; + +/** + * Service which provides convenience methods for creating, retrieving, and + * manipulating entities. + */ +public class EntityService { + + /** + * Mapper for Entity model objects. + */ + @Inject + private EntityMapper entityMapper; + + /** + * Returns the set of all group identifiers of which the given entity is a + * member, taking into account the given collection of known group + * memberships which are not necessarily defined within the database. + * + * Note that group visibility with respect to the queried entity is NOT + * taken into account. If the entity is a member of a group, the identifier + * of that group will be included in the returned set even if the current + * user lacks "READ" permission for that group. + * + * @param entity + * The entity whose effective groups should be returned. + * + * @param effectiveGroups + * The identifiers of any known effective groups that should be taken + * into account, such as those defined externally to the database. + * + * @return + * The set of identifiers of all groups that the given entity is a + * member of, including those where membership is inherited through + * membership in other groups. + */ + public Set<String> retrieveEffectiveGroups(ModeledPermissions<? extends EntityModel> entity, + Collection<String> effectiveGroups) { + return entityMapper.selectEffectiveGroupIdentifiers(entity.getModel(), effectiveGroups); + } + +} http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java new file mode 100644 index 0000000..2f7808d --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java @@ -0,0 +1,266 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.base; + +import com.google.inject.Inject; +import java.util.Collections; +import java.util.Set; +import org.apache.guacamole.auth.jdbc.permission.SystemPermissionService; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissionService; +import org.apache.guacamole.auth.jdbc.permission.ConnectionGroupPermissionService; +import org.apache.guacamole.auth.jdbc.permission.ConnectionPermissionService; +import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService; +import org.apache.guacamole.auth.jdbc.permission.UserPermissionService; +import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; +import org.apache.guacamole.net.auth.Permissions; +import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; +import org.apache.guacamole.net.auth.permission.SystemPermission; +import org.apache.guacamole.net.auth.permission.SystemPermissionSet; +import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet; + +/** + * An implementation of the base Permissions interface which is common to both + * Users and UserGroups, backed by a database model. + * + * @param <ModelType> + * The type of model object that corresponds to this object. + */ +public abstract class ModeledPermissions<ModelType extends EntityModel> + extends ModeledDirectoryObject<ModelType> implements Permissions { + + /** + * Service for retrieving entity details. + */ + @Inject + private EntityService entityService; + + /** + * Service for retrieving system permissions. + */ + @Inject + private SystemPermissionService systemPermissionService; + + /** + * Service for retrieving connection permissions. + */ + @Inject + private ConnectionPermissionService connectionPermissionService; + + /** + * Service for retrieving connection group permissions. + */ + @Inject + private ConnectionGroupPermissionService connectionGroupPermissionService; + + /** + * Service for retrieving sharing profile permissions. + */ + @Inject + private SharingProfilePermissionService sharingProfilePermissionService; + + /** + * Service for retrieving active connection permissions. + */ + @Inject + private ActiveConnectionPermissionService activeConnectionPermissionService; + + /** + * Service for retrieving user permissions. + */ + @Inject + private UserPermissionService userPermissionService; + + /** + * Returns whether the underlying entity is a user. Entities may be either + * users or user groups. + * + * @return + * true if the underlying entity is a user, false otherwise. + */ + public boolean isUser() { + return getModel().getEntityType() == EntityType.USER; + } + + /** + * Returns whether the underlying entity is a user group. Entities may be + * either users or user groups. + * + * @return + * true if the underlying entity is a user group, false otherwise. + */ + public boolean isUserGroup() { + return getModel().getEntityType() == EntityType.USER_GROUP; + } + + /** + * Returns whether this entity is a system administrator, and thus is not + * restricted by permissions, taking into account permission inheritance + * via user groups. + * + * @return + * true if this entity is a system administrator, false otherwise. + * + * @throws GuacamoleException + * If an error occurs while determining the entity's system administrator + * status. + */ + public boolean isAdministrator() throws GuacamoleException { + SystemPermissionSet systemPermissionSet = getEffective().getSystemPermissions(); + return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER); + } + + @Override + public SystemPermissionSet getSystemPermissions() + throws GuacamoleException { + return systemPermissionService.getPermissionSet(getCurrentUser(), this, + Collections.<String>emptySet()); + } + + @Override + public ObjectPermissionSet getConnectionPermissions() + throws GuacamoleException { + return connectionPermissionService.getPermissionSet(getCurrentUser(), + this, Collections.<String>emptySet()); + } + + @Override + public ObjectPermissionSet getConnectionGroupPermissions() + throws GuacamoleException { + return connectionGroupPermissionService.getPermissionSet( + getCurrentUser(), this, Collections.<String>emptySet()); + } + + @Override + public ObjectPermissionSet getSharingProfilePermissions() + throws GuacamoleException { + return sharingProfilePermissionService.getPermissionSet( + getCurrentUser(), this, Collections.<String>emptySet()); + } + + @Override + public ObjectPermissionSet getActiveConnectionPermissions() + throws GuacamoleException { + return activeConnectionPermissionService.getPermissionSet( + getCurrentUser(), this, Collections.<String>emptySet()); + } + + @Override + public ObjectPermissionSet getUserPermissions() + throws GuacamoleException { + return userPermissionService.getPermissionSet(getCurrentUser(), this, + Collections.<String>emptySet()); + } + + @Override + public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException { + // FIXME: STUB + return new SimpleObjectPermissionSet(); + } + + /** + * Returns the identifiers of all user groups defined within the database + * which apply to this user, including any groups inherited through + * membership in yet more groups. + * + * @return + * The identifiers of all user groups defined within the database which + * apply to this user. + */ + public Set<String> getEffectiveUserGroups() { + return entityService.retrieveEffectiveGroups(this, + Collections.<String>emptySet()); + } + + /** + * Returns a Permissions object which represents all permissions granted to + * this entity, including any permissions inherited through group + * membership. + * + * @return + * A Permissions object which represents all permissions granted to + * this entity. + */ + public Permissions getEffective() { + + final ModeledAuthenticatedUser authenticatedUser = getCurrentUser(); + final Set<String> effectiveGroups; + + // If this user is the currently-authenticated user, include any + // additional effective groups declared by the authentication system + if (authenticatedUser.getIdentifier().equals(getIdentifier())) + effectiveGroups = entityService.retrieveEffectiveGroups(this, + authenticatedUser.getEffectiveUserGroups()); + + // Otherwise, just include effective groups from the database + else + effectiveGroups = getEffectiveUserGroups(); + + // Return a permissions object which describes all effective + // permissions, including any permissions inherited via user groups + return new Permissions() { + + @Override + public ObjectPermissionSet getActiveConnectionPermissions() + throws GuacamoleException { + return activeConnectionPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getConnectionGroupPermissions() + throws GuacamoleException { + return connectionGroupPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getConnectionPermissions() + throws GuacamoleException { + return connectionPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getSharingProfilePermissions() + throws GuacamoleException { + return sharingProfilePermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public SystemPermissionSet getSystemPermissions() + throws GuacamoleException { + return systemPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getUserPermissions() + throws GuacamoleException { + return userPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getUserGroupPermissions() + throws GuacamoleException { + // FIXME: STUB + return new SimpleObjectPermissionSet(); + } + + }; + } + +} http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java index 74f35fb..6e4ddfa 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java @@ -20,8 +20,10 @@ package org.apache.guacamole.auth.jdbc.permission; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; +import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; import org.apache.guacamole.net.auth.permission.Permission; @@ -42,16 +44,50 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis implements PermissionService<PermissionSetType, PermissionType> { /** + * Returns the ObjectPermissionSet related to the type of the given entity. + * If the given entity represents a user, then the ObjectPermissionSet + * containing user permissions is returned. If the given entity represents + * a user group, then the ObjectPermissionSet containing user group + * permissions is returned. + * + * @param user + * The user to retrieve the ObjectPermissionSet from. + * + * @param targetEntity + * The entity whose type dictates the ObjectPermissionSet returned. + * + * @return + * The ObjectPermissionSet related to the type of the given entity. + * + * @throws GuacamoleException + * If the relevant ObjectPermissionSet cannot be retrieved. + */ + protected ObjectPermissionSet getRelevantPermissionSet(ModeledUser user, + ModeledPermissions<? extends EntityModel> targetEntity) + throws GuacamoleException { + + if (targetEntity.isUser()) + return user.getUserPermissions(); + + if (targetEntity.isUserGroup()) + return user.getUserGroupPermissions(); + + // Entities should be only users or groups + throw new UnsupportedOperationException("Unexpected entity type."); + + } + + /** * Determines whether the given user can read the permissions currently - * granted to the given target user. If the reading user and the target - * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is - * required. Permission inheritance via user groups is taken into account. + * granted to the given target entity. If the reading user and the target + * entity are not the same, then explicit READ or SYSTEM_ADMINISTER access + * is required. Permission inheritance via user groups is taken into account. * * @param user * The user attempting to read permissions. * - * @param targetUser - * The user whose permissions are being read. + * @param targetEntity + * The entity whose permissions are being read. * * @return * true if permission is granted, false otherwise. @@ -61,19 +97,20 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis * permission is denied to read the current user's permissions. */ protected boolean canReadPermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser) throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity) + throws GuacamoleException { // A user can always read their own permissions - if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())) + if (targetEntity.isUser() && user.getUser().getIdentifier().equals(targetEntity.getIdentifier())) return true; // A system adminstrator can do anything if (user.getUser().isAdministrator()) return true; - // Can read permissions on target user if explicit READ is granted - ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions(); - return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier()); + // Can read permissions on target entity if explicit READ is granted + ObjectPermissionSet permissionSet = getRelevantPermissionSet(user.getUser(), targetEntity); + return permissionSet.hasPermission(ObjectPermission.Type.READ, targetEntity.getIdentifier()); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java index afabbc7..d0f1f0b 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java @@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and @@ -52,12 +53,12 @@ public class ConnectionGroupPermissionService extends ModeledObjectPermissionSer @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = connectionGroupPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java index 0cc69df..1dc70ad 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java @@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and @@ -52,12 +53,12 @@ public class ConnectionPermissionService extends ModeledObjectPermissionService @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = connectionPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java index f1105ed..d9bb6bc 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java @@ -24,9 +24,10 @@ import java.util.Collections; import java.util.HashSet; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; @@ -48,13 +49,14 @@ public abstract class ModeledObjectPermissionService } @Override - protected ObjectPermissionModel getModelInstance(ModeledUser targetUser, + protected ObjectPermissionModel getModelInstance( + ModeledPermissions<? extends EntityModel> targetEntity, ObjectPermission permission) { ObjectPermissionModel model = new ObjectPermissionModel(); - // Populate model object with data from user and permission - model.setEntityID(targetUser.getModel().getEntityID()); + // Populate model object with data from entity and permission + model.setEntityID(targetEntity.getModel().getEntityID()); model.setType(permission.getType()); model.setObjectIdentifier(permission.getObjectIdentifier()); @@ -64,31 +66,32 @@ public abstract class ModeledObjectPermissionService /** * Determines whether the current user has permission to update the given - * target user, adding or removing the given permissions. Such permission + * target entity, adding or removing the given permissions. Such permission * depends on whether the current user is a system administrator, whether - * they have explicit UPDATE permission on the target user, and whether + * they have explicit UPDATE permission on the target entity, and whether * they have explicit ADMINISTER permission on all affected objects. * Permission inheritance via user groups is taken into account. * * @param user * The user who is changing permissions. * - * @param targetUser - * The user whose permissions are being changed. + * @param targetEntity + * The entity whose permissions are being changed. * * @param permissions * The permissions that are being added or removed from the target - * user. + * entity. * * @return - * true if the user has permission to change the target users + * true if the user has permission to change the target entity's * permissions as specified, false otherwise. * * @throws GuacamoleException * If an error occurs while checking permission status, or if * permission is denied to read the current user's permissions. */ - protected boolean canAlterPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + protected boolean canAlterPermissions(ModeledAuthenticatedUser user, + ModeledPermissions<? extends EntityModel> targetEntity, Collection<ObjectPermission> permissions) throws GuacamoleException { @@ -96,9 +99,9 @@ public abstract class ModeledObjectPermissionService if (user.getUser().isAdministrator()) return true; - // Verify user has update permission on the target user - ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions(); - if (!userPermissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetUser.getIdentifier())) + // Verify user has update permission on the target entity + ObjectPermissionSet permissionSet = getRelevantPermissionSet(user.getUser(), targetEntity); + if (!permissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetEntity.getIdentifier())) return false; // Produce collection of affected identifiers @@ -122,13 +125,14 @@ public abstract class ModeledObjectPermissionService } @Override - public void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void createPermissions(ModeledAuthenticatedUser user, + ModeledPermissions<? extends EntityModel> targetEntity, Collection<ObjectPermission> permissions) throws GuacamoleException { // Create permissions only if user has permission to do so - if (canAlterPermissions(user, targetUser, permissions)) { - Collection<ObjectPermissionModel> models = getModelInstances(targetUser, permissions); + if (canAlterPermissions(user, targetEntity, permissions)) { + Collection<ObjectPermissionModel> models = getModelInstances(targetEntity, permissions); getPermissionMapper().insert(models); return; } @@ -139,13 +143,14 @@ public abstract class ModeledObjectPermissionService } @Override - public void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void deletePermissions(ModeledAuthenticatedUser user, + ModeledPermissions<? extends EntityModel> targetEntity, Collection<ObjectPermission> permissions) throws GuacamoleException { // Delete permissions only if user has permission to do so - if (canAlterPermissions(user, targetUser, permissions)) { - Collection<ObjectPermissionModel> models = getModelInstances(targetUser, permissions); + if (canAlterPermissions(user, targetEntity, permissions)) { + Collection<ObjectPermissionModel> models = getModelInstances(targetEntity, permissions); getPermissionMapper().delete(models); return; } @@ -157,23 +162,24 @@ public abstract class ModeledObjectPermissionService @Override public boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, ObjectPermission.Type type, - String identifier, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + ObjectPermission.Type type, String identifier, + Set<String> effectiveGroups) throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) - return getPermissionMapper().selectOne(targetUser.getModel(), type, - identifier, effectiveGroups) != null; + if (canReadPermissions(user, targetEntity)) + return getPermissionMapper().selectOne(targetEntity.getModel(), + type, identifier, effectiveGroups) != null; - // User cannot read this user's permissions + // User cannot read this entity's permissions throw new GuacamoleSecurityException("Permission denied."); } @Override public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection<ObjectPermission.Type> permissions, + ModeledPermissions<? extends EntityModel> targetEntity, + Collection<ObjectPermission.Type> permissions, Collection<String> identifiers, Set<String> effectiveGroups) throws GuacamoleException { @@ -182,7 +188,7 @@ public abstract class ModeledObjectPermissionService return identifiers; // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) { + if (canReadPermissions(user, targetEntity)) { // If user is an admin, everything is accessible if (user.getUser().isAdministrator()) @@ -190,12 +196,12 @@ public abstract class ModeledObjectPermissionService // Otherwise, return explicitly-retrievable identifiers return getPermissionMapper().selectAccessibleIdentifiers( - targetUser.getModel(), permissions, identifiers, + targetEntity.getModel(), permissions, identifiers, effectiveGroups); } - // User cannot read this user's permissions + // User cannot read this entity's permissions throw new GuacamoleSecurityException("Permission denied."); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java index dadaea6..a102f34 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java @@ -24,9 +24,10 @@ import java.util.Collection; import java.util.HashSet; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.Permission; import org.apache.guacamole.net.auth.permission.PermissionSet; @@ -97,42 +98,44 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss /** * Returns an instance of a model object which is based on the given - * permission and target user. + * permission and target entity. * - * @param targetUser - * The user to whom this permission is granted. + * @param targetEntity + * The entity to whom this permission is granted. * * @param permission * The permission to use to produce the returned model object. * * @return * A model object which is based on the given permission and target - * user. + * entity. */ - protected abstract ModelType getModelInstance(ModeledUser targetUser, + protected abstract ModelType getModelInstance( + ModeledPermissions<? extends EntityModel> targetEntity, PermissionType permission); /** * Returns a collection of model objects which are based on the given - * permissions and target user. + * permissions and target entity. * - * @param targetUser - * The user to whom this permission is granted. + * @param targetEntity + * The entity to whom this permission is granted. * * @param permissions * The permissions to use to produce the returned model objects. * * @return * A collection of model objects which are based on the given - * permissions and target user. + * permissions and target entity. */ - protected Collection<ModelType> getModelInstances(ModeledUser targetUser, + protected Collection<ModelType> getModelInstances( + ModeledPermissions<? extends EntityModel> targetEntity, Collection<PermissionType> permissions) { // Create new collection of models by manually converting each permission Collection<ModelType> models = new ArrayList<ModelType>(permissions.size()); for (PermissionType permission : permissions) - models.add(getModelInstance(targetUser, permission)); + models.add(getModelInstance(targetEntity, permission)); return models; @@ -140,14 +143,14 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss @Override public Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) - return getPermissionInstances(getPermissionMapper().select(targetUser.getModel(), effectiveGroups)); + if (canReadPermissions(user, targetEntity)) + return getPermissionInstances(getPermissionMapper().select(targetEntity.getModel(), effectiveGroups)); - // User cannot read this user's permissions + // User cannot read this entity's permissions throw new GuacamoleSecurityException("Permission denied."); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java index 3f39881..a841c96 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java @@ -22,8 +22,9 @@ package org.apache.guacamole.auth.jdbc.permission; import java.util.Collection; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; @@ -37,13 +38,13 @@ public interface ObjectPermissionService /** * Returns whether the permission of the given type and associated with the - * given object has been granted to the given user. + * given object has been granted to the given entity. * * @param user * The user retrieving the permission. * - * @param targetUser - * The user associated with the permission to be retrieved. + * @param targetEntity + * The entity associated with the permission to be retrieved. * * @param type * The type of permission to retrieve. @@ -53,30 +54,31 @@ public interface ObjectPermissionService * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. * * @return * true if permission of the given type and associated with the given - * object has been granted to the given user, false otherwise. + * object has been granted to the given entity, false otherwise. * * @throws GuacamoleException * If an error occurs while retrieving the requested permission. */ boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, ObjectPermission.Type type, - String identifier, Set<String> effectiveGroups) throws GuacamoleException; + ModeledPermissions<? extends EntityModel> targetEntity, + ObjectPermission.Type type, String identifier, + Set<String> effectiveGroups) throws GuacamoleException; /** - * Retrieves the subset of the given identifiers for which the given user + * Retrieves the subset of the given identifiers for which the given entity * has at least one of the given permissions. * * @param user * The user checking the permissions. * - * @param targetUser - * The user to check permissions of. + * @param targetEntity + * The entity to check permissions of. * * @param permissions * The permissions to check. An identifier will be included in the @@ -89,9 +91,9 @@ public interface ObjectPermissionService * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. * * @return * A collection containing the subset of identifiers for which at least @@ -101,7 +103,8 @@ public interface ObjectPermissionService * If an error occurs while retrieving permissions. */ Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection<ObjectPermission.Type> permissions, + ModeledPermissions<? extends EntityModel> targetEntity, + Collection<ObjectPermission.Type> permissions, Collection<String> identifiers, Set<String> effectiveGroups) throws GuacamoleException; http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java index c15b1af..d179c68 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java @@ -19,29 +19,34 @@ package org.apache.guacamole.auth.jdbc.permission; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import java.util.Collection; import java.util.Collections; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.auth.jdbc.base.RestrictedObject; import org.apache.guacamole.net.auth.permission.ObjectPermission; /** * A database implementation of ObjectPermissionSet which uses an injected * service to query and manipulate the object-level permissions associated with - * a particular user. + * a particular entity. */ public abstract class ObjectPermissionSet extends RestrictedObject implements org.apache.guacamole.net.auth.permission.ObjectPermissionSet { /** - * The user associated with this permission set. Each of the permissions in - * this permission set is granted to this user. + * The entity associated with this permission set. Each of the permissions + * in this permission set is granted to this entity. */ - private ModeledUser user; + private ModeledPermissions<? extends EntityModel> entity; + /** + * The identifiers of all groups that should be taken into account + * when determining the permissions effectively granted to the entity. + */ private Set<String> effectiveGroups; /** @@ -53,26 +58,27 @@ public abstract class ObjectPermissionSet extends RestrictedObject } /** - * Initializes this permission set with the current user and the user + * Initializes this permission set with the current user and the entity * to whom the permissions in this set are granted. * * @param currentUser * The user who queried this permission set, and whose permissions * dictate the access level of all operations performed on this set. * - * @param user - * The user to whom the permissions in this set are granted. + * @param entity + * The entity to whom the permissions in this set are granted. * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. */ - public void init(ModeledAuthenticatedUser currentUser, ModeledUser user, + public void init(ModeledAuthenticatedUser currentUser, + ModeledPermissions<? extends EntityModel> entity, Set<String> effectiveGroups) { super.init(currentUser); - this.user = user; + this.entity = entity; this.effectiveGroups = effectiveGroups; } @@ -88,13 +94,13 @@ public abstract class ObjectPermissionSet extends RestrictedObject @Override public Set<ObjectPermission> getPermissions() throws GuacamoleException { - return getObjectPermissionService().retrievePermissions(getCurrentUser(), user, effectiveGroups); + return getObjectPermissionService().retrievePermissions(getCurrentUser(), entity, effectiveGroups); } @Override public boolean hasPermission(ObjectPermission.Type permission, String identifier) throws GuacamoleException { - return getObjectPermissionService().hasPermission(getCurrentUser(), user, permission, identifier, effectiveGroups); + return getObjectPermissionService().hasPermission(getCurrentUser(), entity, permission, identifier, effectiveGroups); } @Override @@ -112,19 +118,19 @@ public abstract class ObjectPermissionSet extends RestrictedObject @Override public Collection<String> getAccessibleObjects(Collection<ObjectPermission.Type> permissions, Collection<String> identifiers) throws GuacamoleException { - return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers, effectiveGroups); + return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), entity, permissions, identifiers, effectiveGroups); } @Override public void addPermissions(Set<ObjectPermission> permissions) throws GuacamoleException { - getObjectPermissionService().createPermissions(getCurrentUser(), user, permissions); + getObjectPermissionService().createPermissions(getCurrentUser(), entity, permissions); } @Override public void removePermissions(Set<ObjectPermission> permissions) throws GuacamoleException { - getObjectPermissionService().deletePermissions(getCurrentUser(), user, permissions); + getObjectPermissionService().deletePermissions(getCurrentUser(), entity, permissions); } } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java index 3caa587..5d88887 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java @@ -22,8 +22,9 @@ package org.apache.guacamole.auth.jdbc.permission; import java.util.Collection; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.Permission; import org.apache.guacamole.net.auth.permission.PermissionSet; @@ -44,59 +45,60 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi /** * Returns a permission set that can be used to retrieve and manipulate the - * permissions of the given user. + * permissions of the given entity. * * @param user * The user who will be retrieving or manipulating permissions through * the returned permission set. * - * @param targetUser - * The user to whom the permissions in the returned permission set are + * @param targetEntity + * The entity to whom the permissions in the returned permission set are * granted. * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. * * @return * A permission set that contains all permissions associated with the - * given user, and can be used to manipulate that user's permissions. + * given entity, and can be used to manipulate that entity's + * permissions. * * @throws GuacamoleException * If an error occurs while retrieving the permissions of the given - * user, or if permission to retrieve the permissions of the given - * user is denied. + * entity, or if permission to retrieve the permissions of the given + * entity is denied. */ PermissionSetType getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException; + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException; /** - * Retrieves all permissions associated with the given user. + * Retrieves all permissions associated with the given entity. * * @param user * The user retrieving the permissions. * - * @param targetUser - * The user associated with the permissions to be retrieved. + * @param targetEntity + * The entity associated with the permissions to be retrieved. * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. * * @return - * The permissions associated with the given user. + * The permissions associated with the given entity. * * @throws GuacamoleException * If an error occurs while retrieving the requested permissions. */ Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException; + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException; /** * Creates the given permissions within the database. If any permissions @@ -105,8 +107,8 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi * @param user * The user creating the permissions. * - * @param targetUser - * The user associated with the permissions to be created. + * @param targetEntity + * The entity associated with the permissions to be created. * * @param permissions * The permissions to create. @@ -115,8 +117,10 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi * If the user lacks permission to create the permissions, or an error * occurs while creating the permissions. */ - void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, - Collection<PermissionType> permissions) throws GuacamoleException; + void createPermissions(ModeledAuthenticatedUser user, + ModeledPermissions<? extends EntityModel> targetEntity, + Collection<PermissionType> permissions) + throws GuacamoleException; /** * Deletes the given permissions. If any permissions do not exist, they @@ -125,17 +129,19 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi * @param user * The user deleting the permissions. * - * @param targetUser - * The user associated with the permissions to be deleted. + * @param targetEntity + * The entity associated with the permissions to be deleted. * * @param permissions * The permissions to delete. * * @throws GuacamoleException - * If the user lacks permission to delete the permissions, or an error + * If the entity lacks permission to delete the permissions, or an error * occurs while deleting the permissions. */ - void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, - Collection<PermissionType> permissions) throws GuacamoleException; + void deletePermissions(ModeledAuthenticatedUser user, + ModeledPermissions<? extends EntityModel> targetEntity, + Collection<PermissionType> permissions) + throws GuacamoleException; } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java index 3018b29..c30ff73 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java @@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and @@ -52,12 +53,12 @@ public class SharingProfilePermissionService extends ModeledObjectPermissionServ @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = sharingProfilePermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java index b534ad3..c94a260 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java @@ -24,10 +24,11 @@ import com.google.inject.Provider; import java.util.Collection; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; import org.apache.guacamole.GuacamoleUnsupportedException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.SystemPermission; /** @@ -61,13 +62,14 @@ public class SystemPermissionService } @Override - protected SystemPermissionModel getModelInstance(final ModeledUser targetUser, + protected SystemPermissionModel getModelInstance( + final ModeledPermissions<? extends EntityModel> targetEntity, final SystemPermission permission) { SystemPermissionModel model = new SystemPermissionModel(); // Populate model object with data from user and permission - model.setEntityID(targetUser.getModel().getEntityID()); + model.setEntityID(targetEntity.getModel().getEntityID()); model.setType(permission.getType()); return model; @@ -76,23 +78,25 @@ public class SystemPermissionService @Override public SystemPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { // Create permission set for requested user SystemPermissionSet permissionSet = systemPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; } @Override - public void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void createPermissions(ModeledAuthenticatedUser user, + ModeledPermissions<? extends EntityModel> targetEntity, Collection<SystemPermission> permissions) throws GuacamoleException { // Only an admin can create system permissions if (user.getUser().isAdministrator()) { - Collection<SystemPermissionModel> models = getModelInstances(targetUser, permissions); + Collection<SystemPermissionModel> models = getModelInstances(targetEntity, permissions); systemPermissionMapper.insert(models); return; } @@ -103,17 +107,18 @@ public class SystemPermissionService } @Override - public void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void deletePermissions(ModeledAuthenticatedUser user, + ModeledPermissions<? extends EntityModel> targetEntity, Collection<SystemPermission> permissions) throws GuacamoleException { // Only an admin can delete system permissions if (user.getUser().isAdministrator()) { // Do not allow users to remove their own admin powers - if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())) + if (user.getUser().getIdentifier().equals(targetEntity.getIdentifier())) throw new GuacamoleUnsupportedException("Removing your own administrative permissions is not allowed."); - Collection<SystemPermissionModel> models = getModelInstances(targetUser, permissions); + Collection<SystemPermissionModel> models = getModelInstances(targetEntity, permissions); systemPermissionMapper.delete(models); return; } @@ -125,14 +130,14 @@ public class SystemPermissionService /** * Retrieves whether the permission of the given type has been granted to - * the given user. Permission inheritance through group membership is taken - * into account. + * the given entity. Permission inheritance through group membership is + * taken into account. * * @param user * The user retrieving the permission. * - * @param targetUser - * The user associated with the permission to be retrieved. + * @param targetEntity + * The entity associated with the permission to be retrieved. * * @param type * The type of permission to retrieve. @@ -151,12 +156,13 @@ public class SystemPermissionService * If an error occurs while retrieving the requested permission. */ public boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, SystemPermission.Type type, - Set<String> effectiveGroups) throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + SystemPermission.Type type, Set<String> effectiveGroups) + throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) - return getPermissionMapper().selectOne(targetUser.getModel(), type, effectiveGroups) != null; + if (canReadPermissions(user, targetEntity)) + return getPermissionMapper().selectOne(targetEntity.getModel(), type, effectiveGroups) != null; // User cannot read this user's permissions throw new GuacamoleSecurityException("Permission denied."); http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java index dd88879..1948fac 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java @@ -19,29 +19,34 @@ package org.apache.guacamole.auth.jdbc.permission; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import com.google.inject.Inject; import java.util.Collections; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.auth.jdbc.base.RestrictedObject; import org.apache.guacamole.net.auth.permission.SystemPermission; /** * A database implementation of SystemPermissionSet which uses an injected * service to query and manipulate the system permissions associated with a - * particular user. + * particular entity. */ public class SystemPermissionSet extends RestrictedObject implements org.apache.guacamole.net.auth.permission.SystemPermissionSet { /** - * The user associated with this permission set. Each of the permissions in - * this permission set is granted to this user. + * The entity associated with this permission set. Each of the permissions + * in this permission set is granted to this entity. */ - private ModeledUser user; + private ModeledPermissions<? extends EntityModel> entity; + /** + * The identifiers of all groups that should be taken into account when + * determining the permissions effectively granted to the entity. + */ private Set<String> effectiveGroups; /** @@ -59,38 +64,39 @@ public class SystemPermissionSet extends RestrictedObject } /** - * Initializes this permission set with the current user and the user + * Initializes this permission set with the current user and the entity * to whom the permissions in this set are granted. * * @param currentUser * The user who queried this permission set, and whose permissions * dictate the access level of all operations performed on this set. * - * @param user - * The user to whom the permissions in this set are granted. + * @param entity + * The entity to whom the permissions in this set are granted. * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. */ - public void init(ModeledAuthenticatedUser currentUser, ModeledUser user, + public void init(ModeledAuthenticatedUser currentUser, + ModeledPermissions<? extends EntityModel> entity, Set<String> effectiveGroups) { super.init(currentUser); - this.user = user; + this.entity = entity; this.effectiveGroups = effectiveGroups; } @Override public Set<SystemPermission> getPermissions() throws GuacamoleException { - return systemPermissionService.retrievePermissions(getCurrentUser(), user, effectiveGroups); + return systemPermissionService.retrievePermissions(getCurrentUser(), entity, effectiveGroups); } @Override public boolean hasPermission(SystemPermission.Type permission) throws GuacamoleException { - return systemPermissionService.hasPermission(getCurrentUser(), user, permission, effectiveGroups); + return systemPermissionService.hasPermission(getCurrentUser(), entity, permission, effectiveGroups); } @Override @@ -108,13 +114,13 @@ public class SystemPermissionSet extends RestrictedObject @Override public void addPermissions(Set<SystemPermission> permissions) throws GuacamoleException { - systemPermissionService.createPermissions(getCurrentUser(), user, permissions); + systemPermissionService.createPermissions(getCurrentUser(), entity, permissions); } @Override public void removePermissions(Set<SystemPermission> permissions) throws GuacamoleException { - systemPermissionService.deletePermissions(getCurrentUser(), user, permissions); + systemPermissionService.deletePermissions(getCurrentUser(), entity, permissions); } } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/69f58c8c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java index fabbf72..ed8689a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java @@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and @@ -52,12 +53,12 @@ public class UserPermissionService extends ModeledObjectPermissionService { @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set<String> effectiveGroups) - throws GuacamoleException { + ModeledPermissions<? extends EntityModel> targetEntity, + Set<String> effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = userPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet;