GUACAMOLE-220: Use effective permissions when deciding whether a user has permission to perform an action.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/199f518c Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/199f518c Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/199f518c Branch: refs/heads/master Commit: 199f518cdb7e888de1f574d871e5f3847041a327 Parents: 0a69630 Author: Michael Jumper <mjum...@apache.org> Authored: Sun Apr 8 00:16:12 2018 -0700 Committer: Michael Jumper <mjum...@apache.org> Committed: Wed Sep 19 23:56:51 2018 -0700 ---------------------------------------------------------------------- .../jdbc/base/ModeledChildDirectoryObjectService.java | 7 ++++--- .../auth/jdbc/base/ModeledDirectoryObjectService.java | 13 ++++++++----- .../auth/jdbc/connection/ConnectionService.java | 10 +++++----- .../jdbc/connectiongroup/ConnectionGroupService.java | 10 +++++----- .../jdbc/permission/AbstractPermissionService.java | 4 ++-- .../permission/ModeledObjectPermissionService.java | 3 ++- .../jdbc/sharingprofile/SharingProfileService.java | 10 +++++----- .../apache/guacamole/auth/jdbc/user/ModeledUser.java | 5 +++-- .../apache/guacamole/auth/jdbc/user/UserService.java | 6 +++--- 9 files changed, 37 insertions(+), 31 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java index 74ca5bb..f517e27 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java @@ -53,7 +53,8 @@ public abstract class ModeledChildDirectoryObjectService<InternalType extends Mo /** * Returns the permission set associated with the given user and related * to the type of objects which can be parents of the child objects handled - * by this directory object service. + * by this directory object service, taking into account permission + * inheritance via user groups. * * @param user * The user whose permissions are being retrieved. @@ -66,7 +67,7 @@ public abstract class ModeledChildDirectoryObjectService<InternalType extends Mo * @throws GuacamoleException * If permission to read the user's permissions is denied. */ - protected abstract ObjectPermissionSet getParentPermissionSet( + protected abstract ObjectPermissionSet getParentEffectivePermissionSet( ModeledAuthenticatedUser user) throws GuacamoleException; /** @@ -155,7 +156,7 @@ public abstract class ModeledChildDirectoryObjectService<InternalType extends Mo Collection<String> modifiedParents = getModifiedParents(user, identifier, model); if (!modifiedParents.isEmpty()) { - ObjectPermissionSet permissionSet = getParentPermissionSet(user); + ObjectPermissionSet permissionSet = getParentEffectivePermissionSet(user); Collection<String> updateableParents = permissionSet.getAccessibleObjects( Collections.singleton(ObjectPermission.Type.UPDATE), modifiedParents http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java index 3e3e707..e87d664 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java @@ -126,7 +126,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled /** * Returns whether the given user has permission to create the type of - * objects that this directory object service manages. + * objects that this directory object service manages, taking into account + * permission inheritance through user groups. * * @param user * The user being checked. @@ -143,7 +144,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled /** * Returns whether the given user has permission to perform a certain - * action on a specific object managed by this directory object service. + * action on a specific object managed by this directory object service, + * taking into account permission inheritance through user groups. * * @param user * The user being checked. @@ -166,7 +168,7 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled throws GuacamoleException { // Get object permissions - ObjectPermissionSet permissionSet = getPermissionSet(user); + ObjectPermissionSet permissionSet = getEffectivePermissionSet(user); // Return whether permission is granted return user.getUser().isAdministrator() @@ -176,7 +178,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled /** * Returns the permission set associated with the given user and related - * to the type of objects handled by this directory object service. + * to the type of objects handled by this directory object service, taking + * into account permission inheritance via user groups. * * @param user * The user whose permissions are being retrieved. @@ -189,7 +192,7 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled * @throws GuacamoleException * If permission to read the user's permissions is denied. */ - protected abstract ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user) + protected abstract ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException; /** http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java index 983f395..11e3792 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java @@ -131,26 +131,26 @@ public class ConnectionService extends ModeledChildDirectoryObjectService<Modele throws GuacamoleException { // Return whether user has explicit connection creation permission - SystemPermissionSet permissionSet = user.getUser().getSystemPermissions(); + SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions(); return permissionSet.hasPermission(SystemPermission.Type.CREATE_CONNECTION); } @Override - protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user) + protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException { // Return permissions related to connections - return user.getUser().getConnectionPermissions(); + return user.getUser().getEffectivePermissions().getConnectionPermissions(); } @Override - protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user) + protected ObjectPermissionSet getParentEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException { // Connections are contained by connection groups - return user.getUser().getConnectionGroupPermissions(); + return user.getUser().getEffectivePermissions().getConnectionGroupPermissions(); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java index e23081c..34d039c 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java @@ -112,26 +112,26 @@ public class ConnectionGroupService extends ModeledChildDirectoryObjectService<M throws GuacamoleException { // Return whether user has explicit connection group creation permission - SystemPermissionSet permissionSet = user.getUser().getSystemPermissions(); + SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions(); return permissionSet.hasPermission(SystemPermission.Type.CREATE_CONNECTION_GROUP); } @Override - protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user) + protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException { // Return permissions related to connection groups - return user.getUser().getConnectionGroupPermissions(); + return user.getUser().getEffectivePermissions().getConnectionGroupPermissions(); } @Override - protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user) + protected ObjectPermissionSet getParentEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException { // Connection groups are contained by other connection groups - return user.getUser().getConnectionGroupPermissions(); + return user.getUser().getEffectivePermissions().getConnectionGroupPermissions(); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java index 8635488..74f35fb 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java @@ -45,7 +45,7 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis * Determines whether the given user can read the permissions currently * granted to the given target user. If the reading user and the target * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is - * required. + * required. Permission inheritance via user groups is taken into account. * * @param user * The user attempting to read permissions. @@ -72,7 +72,7 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis return true; // Can read permissions on target user if explicit READ is granted - ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions(); + ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions(); return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier()); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java index 30ea5d7..b1229ae 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java @@ -67,6 +67,7 @@ public abstract class ModeledObjectPermissionService * depends on whether the current user is a system administrator, whether * they have explicit UPDATE permission on the target user, and whether * they have explicit ADMINISTER permission on all affected objects. + * Permission inheritance via user groups is taken into account. * * @param user * The user who is changing permissions. @@ -95,7 +96,7 @@ public abstract class ModeledObjectPermissionService return true; // Verify user has update permission on the target user - ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions(); + ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions(); if (!userPermissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetUser.getIdentifier())) return false; http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java index 4b4d2d1..4ca492c 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java @@ -112,26 +112,26 @@ public class SharingProfileService throws GuacamoleException { // Return whether user has explicit sharing profile creation permission - SystemPermissionSet permissionSet = user.getUser().getSystemPermissions(); + SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions(); return permissionSet.hasPermission(SystemPermission.Type.CREATE_SHARING_PROFILE); } @Override - protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user) + protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException { // Return permissions related to sharing profiles - return user.getUser().getSharingProfilePermissions(); + return user.getUser().getEffectivePermissions().getSharingProfilePermissions(); } @Override - protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user) + protected ObjectPermissionSet getParentEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException { // Sharing profiles are children of connections - return user.getUser().getConnectionPermissions(); + return user.getUser().getEffectivePermissions().getConnectionPermissions(); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java index 39f1636..737aec8 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java @@ -333,7 +333,8 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us /** * Returns whether this user is a system administrator, and thus is not - * restricted by permissions. + * restricted by permissions, taking into account permission inheritance + * via user groups. * * @return * true if this user is a system administrator, false otherwise. @@ -343,7 +344,7 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us * status. */ public boolean isAdministrator() throws GuacamoleException { - SystemPermissionSet systemPermissionSet = getSystemPermissions(); + SystemPermissionSet systemPermissionSet = getEffectivePermissions().getSystemPermissions(); return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER); } http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/199f518c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java index 9f7fb87..2c70e22 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -216,17 +216,17 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User throws GuacamoleException { // Return whether user has explicit user creation permission - SystemPermissionSet permissionSet = user.getUser().getSystemPermissions(); + SystemPermissionSet permissionSet = user.getUser().getEffectivePermissions().getSystemPermissions(); return permissionSet.hasPermission(SystemPermission.Type.CREATE_USER); } @Override - protected ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user) + protected ObjectPermissionSet getEffectivePermissionSet(ModeledAuthenticatedUser user) throws GuacamoleException { // Return permissions related to users - return user.getUser().getUserPermissions(); + return user.getUser().getEffectivePermissions().getUserPermissions(); }