You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by vn...@apache.org on 2018/10/01 18:08:07 UTC
[06/38] guacamole-client git commit: GUACAMOLE-220: Implement base
API changes within database auth allowing for permission inheritance.
GUACAMOLE-220: Implement base API changes within database auth allowing for permission inheritance.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/0a69630c
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/0a69630c
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/0a69630c
Branch: refs/heads/master
Commit: 0a69630cbb0f80cd819136dce4127dfa6366e1a2
Parents: 72bac09
Author: Michael Jumper <mj...@apache.org>
Authored: Tue Apr 3 21:32:38 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Sep 19 23:56:51 2018 -0700
----------------------------------------------------------------------
.../ActiveConnectionPermissionService.java | 26 ++++-----
.../ConnectionGroupPermissionService.java | 4 +-
.../permission/ConnectionPermissionService.java | 4 +-
.../ModeledObjectPermissionService.java | 23 +++-----
.../permission/ModeledPermissionService.java | 12 ++--
.../jdbc/permission/ObjectPermissionMapper.java | 20 +++++--
.../permission/ObjectPermissionService.java | 27 ++++++---
.../jdbc/permission/ObjectPermissionSet.java | 23 ++++++--
.../auth/jdbc/permission/PermissionMapper.java | 8 ++-
.../auth/jdbc/permission/PermissionService.java | 19 ++++---
.../SharingProfilePermissionService.java | 4 +-
.../jdbc/permission/SystemPermissionMapper.java | 10 +++-
.../permission/SystemPermissionService.java | 35 ++++++------
.../jdbc/permission/SystemPermissionSet.java | 19 ++++++-
.../jdbc/permission/UserPermissionService.java | 4 +-
.../guacamole/auth/jdbc/user/ModeledUser.java | 59 +++++++++++++++++---
16 files changed, 198 insertions(+), 99 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
index 91ad11d..405b237 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
@@ -23,7 +23,6 @@ import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.ArrayList;
import java.util.Collection;
-import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.guacamole.GuacamoleException;
@@ -58,26 +57,23 @@ public class ActiveConnectionPermissionService
private Provider<ActiveConnectionPermissionSet> activeConnectionPermissionSetProvider;
@Override
- public ObjectPermission retrievePermission(ModeledAuthenticatedUser user,
+ public boolean hasPermission(ModeledAuthenticatedUser user,
ModeledUser targetUser, ObjectPermission.Type type,
- String identifier) throws GuacamoleException {
+ String identifier, boolean inherit) throws GuacamoleException {
// Retrieve permissions
- Set<ObjectPermission> permissions = retrievePermissions(user, targetUser);
+ Set<ObjectPermission> permissions = retrievePermissions(user, targetUser, inherit);
- // If retrieved permissions contains the requested permission, return it
+ // Permission is granted if retrieved permissions contains the
+ // requested permission
ObjectPermission permission = new ObjectPermission(type, identifier);
- if (permissions.contains(permission))
- return permission;
-
- // Otherwise, no such permission
- return null;
+ return permissions.contains(permission);
}
@Override
public Set<ObjectPermission> retrievePermissions(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Retrieve permissions only if allowed
if (canReadPermissions(user, targetUser)) {
@@ -113,9 +109,9 @@ public class ActiveConnectionPermissionService
@Override
public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
ModeledUser targetUser, Collection<ObjectPermission.Type> permissionTypes,
- Collection<String> identifiers) throws GuacamoleException {
+ Collection<String> identifiers, boolean inherit) throws GuacamoleException {
- Set<ObjectPermission> permissions = retrievePermissions(user, targetUser);
+ Set<ObjectPermission> permissions = retrievePermissions(user, targetUser, inherit);
Collection<String> accessibleObjects = new ArrayList<String>(permissions.size());
// For each identifier/permission combination
@@ -138,11 +134,11 @@ public class ActiveConnectionPermissionService
@Override
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Create permission set for requested user
ActiveConnectionPermissionSet permissionSet = activeConnectionPermissionSetProvider.get();
- permissionSet.init(user, targetUser);
+ permissionSet.init(user, targetUser, inherit);
return permissionSet;
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
index 68fc3ed..3027d81 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
@@ -51,11 +51,11 @@ public class ConnectionGroupPermissionService extends ModeledObjectPermissionSer
@Override
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Create permission set for requested user
ObjectPermissionSet permissionSet = connectionGroupPermissionSetProvider.get();
- permissionSet.init(user, targetUser);
+ permissionSet.init(user, targetUser, inherit);
return permissionSet;
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
index 80c4b0b..19c30c0 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
@@ -51,11 +51,11 @@ public class ConnectionPermissionService extends ModeledObjectPermissionService
@Override
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Create permission set for requested user
ObjectPermissionSet permissionSet = connectionPermissionSetProvider.get();
- permissionSet.init(user, targetUser);
+ permissionSet.init(user, targetUser, inherit);
return permissionSet;
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
index 9197217..30ea5d7 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
@@ -105,7 +105,7 @@ public abstract class ModeledObjectPermissionService
affectedIdentifiers.add(permission.getObjectIdentifier());
// Determine subset of affected identifiers that we have admin access to
- ObjectPermissionSet affectedPermissionSet = getPermissionSet(user, user.getUser());
+ ObjectPermissionSet affectedPermissionSet = getPermissionSet(user, user.getUser(), true);
Collection<String> allowedSubset = affectedPermissionSet.getAccessibleObjects(
Collections.singleton(ObjectPermission.Type.ADMINISTER),
affectedIdentifiers
@@ -154,21 +154,13 @@ public abstract class ModeledObjectPermissionService
}
@Override
- public ObjectPermission retrievePermission(ModeledAuthenticatedUser user,
+ public boolean hasPermission(ModeledAuthenticatedUser user,
ModeledUser targetUser, ObjectPermission.Type type,
- String identifier) throws GuacamoleException {
+ String identifier, boolean inherit) throws GuacamoleException {
// Retrieve permissions only if allowed
- if (canReadPermissions(user, targetUser)) {
-
- // Read permission from database, return null if not found
- ObjectPermissionModel model = getPermissionMapper().selectOne(targetUser.getModel(), type, identifier);
- if (model == null)
- return null;
-
- return getPermissionInstance(model);
-
- }
+ if (canReadPermissions(user, targetUser))
+ return getPermissionMapper().selectOne(targetUser.getModel(), type, identifier, inherit) != null;
// User cannot read this user's permissions
throw new GuacamoleSecurityException("Permission denied.");
@@ -178,7 +170,8 @@ public abstract class ModeledObjectPermissionService
@Override
public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
ModeledUser targetUser, Collection<ObjectPermission.Type> permissions,
- Collection<String> identifiers) throws GuacamoleException {
+ Collection<String> identifiers, boolean inherit)
+ throws GuacamoleException {
// Nothing is always accessible
if (identifiers.isEmpty())
@@ -192,7 +185,7 @@ public abstract class ModeledObjectPermissionService
return identifiers;
// Otherwise, return explicitly-retrievable identifiers
- return getPermissionMapper().selectAccessibleIdentifiers(targetUser.getModel(), permissions, identifiers);
+ return getPermissionMapper().selectAccessibleIdentifiers(targetUser.getModel(), permissions, identifiers, inherit);
}
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
index 2800845..4d0fcf6 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
@@ -92,7 +92,7 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss
permissions.add(getPermissionInstance(model));
return permissions;
-
+
}
/**
@@ -111,7 +111,7 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss
*/
protected abstract ModelType getModelInstance(ModeledUser targetUser,
PermissionType permission);
-
+
/**
* Returns a collection of model objects which are based on the given
* permissions and target user.
@@ -129,7 +129,7 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss
protected Collection<ModelType> getModelInstances(ModeledUser targetUser,
Collection<PermissionType> permissions) {
- // Create new collection of models by manually converting each permission
+ // Create new collection of models by manually converting each permission
Collection<ModelType> models = new ArrayList<ModelType>(permissions.size());
for (PermissionType permission : permissions)
models.add(getModelInstance(targetUser, permission));
@@ -140,15 +140,15 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss
@Override
public Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Retrieve permissions only if allowed
if (canReadPermissions(user, targetUser))
- return getPermissionInstances(getPermissionMapper().select(targetUser.getModel()));
+ return getPermissionInstances(getPermissionMapper().select(targetUser.getModel(), inherit));
// User cannot read this user's permissions
throw new GuacamoleSecurityException("Permission denied.");
-
+
}
}
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
index f744fbf..e5efad0 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionMapper.java
@@ -36,20 +36,26 @@ public interface ObjectPermissionMapper extends PermissionMapper<ObjectPermissio
*
* @param entity
* The entity to retrieve permissions for.
- *
+ *
* @param type
* The type of permission to return.
- *
+ *
* @param identifier
* The identifier of the object affected by the permission to return.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
* The requested permission, or null if no such permission is granted
* to the given entity for the given object.
*/
ObjectPermissionModel selectOne(@Param("entity") EntityModel entity,
@Param("type") ObjectPermission.Type type,
- @Param("identifier") String identifier);
+ @Param("identifier") String identifier,
+ @Param("inherit") boolean inherit);
/**
* Retrieves the subset of the given identifiers for which the given entity
@@ -67,12 +73,18 @@ public interface ObjectPermissionMapper extends PermissionMapper<ObjectPermissio
* The identifiers of the objects affected by the permissions being
* checked.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
* A collection containing the subset of identifiers for which at least
* one of the specified permissions is granted.
*/
Collection<String> selectAccessibleIdentifiers(@Param("entity") EntityModel entity,
@Param("permissions") Collection<ObjectPermission.Type> permissions,
- @Param("identifiers") Collection<String> identifiers);
+ @Param("identifiers") Collection<String> identifiers,
+ @Param("inherit") boolean inherit);
}
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
index 5eead24..fa1ee2d 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
@@ -35,31 +35,36 @@ public interface ObjectPermissionService
extends PermissionService<ObjectPermissionSet, ObjectPermission> {
/**
- * Retrieves the permission of the given type associated with the given
- * user and object, if it exists. If no such permission exists, null is
+ * Returns whether the permission of the given type and associated with the
+ * given object has been granted to the given user.
*
* @param user
* The user retrieving the permission.
*
* @param targetUser
* The user associated with the permission to be retrieved.
- *
+ *
* @param type
* The type of permission to retrieve.
*
* @param identifier
* The identifier of the object affected by the permission to return.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
- * The permission of the given type associated with the given user and
- * object, or null if no such permission exists.
+ * true if permission of the given type and associated with the given
+ * object has been granted to the given user, false otherwise.
*
* @throws GuacamoleException
* If an error occurs while retrieving the requested permission.
*/
- ObjectPermission retrievePermission(ModeledAuthenticatedUser user,
+ boolean hasPermission(ModeledAuthenticatedUser user,
ModeledUser targetUser, ObjectPermission.Type type,
- String identifier) throws GuacamoleException;
+ String identifier, boolean inherit) throws GuacamoleException;
/**
* Retrieves the subset of the given identifiers for which the given user
@@ -80,6 +85,11 @@ public interface ObjectPermissionService
* The identifiers of the objects affected by the permissions being
* checked.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
* A collection containing the subset of identifiers for which at least
* one of the specified permissions is granted.
@@ -89,6 +99,7 @@ public interface ObjectPermissionService
*/
Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
ModeledUser targetUser, Collection<ObjectPermission.Type> permissions,
- Collection<String> identifiers) throws GuacamoleException;
+ Collection<String> identifiers, boolean inherit)
+ throws GuacamoleException;
}
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
index 712a422..cedb45d 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
@@ -43,6 +43,12 @@ public abstract class ObjectPermissionSet extends RestrictedObject
private ModeledUser user;
/**
+ * Whether permissions inherited through user groups should be taken into
+ * account. If false, only permissions granted directly will be included.
+ */
+ boolean inherit;
+
+ /**
* Creates a new ObjectPermissionSet. The resulting permission set
* must still be initialized by a call to init(), or the information
* necessary to read and modify this set will be missing.
@@ -60,10 +66,17 @@ public abstract class ObjectPermissionSet extends RestrictedObject
*
* @param user
* The user to whom the permissions in this set are granted.
+ *
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
*/
- public void init(ModeledAuthenticatedUser currentUser, ModeledUser user) {
+ public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
+ boolean inherit) {
super.init(currentUser);
this.user = user;
+ this.inherit = inherit;
}
/**
@@ -75,16 +88,16 @@ public abstract class ObjectPermissionSet extends RestrictedObject
* permissions contained within this permission set.
*/
protected abstract ObjectPermissionService getObjectPermissionService();
-
+
@Override
public Set<ObjectPermission> getPermissions() throws GuacamoleException {
- return getObjectPermissionService().retrievePermissions(getCurrentUser(), user);
+ return getObjectPermissionService().retrievePermissions(getCurrentUser(), user, inherit);
}
@Override
public boolean hasPermission(ObjectPermission.Type permission,
String identifier) throws GuacamoleException {
- return getObjectPermissionService().retrievePermission(getCurrentUser(), user, permission, identifier) != null;
+ return getObjectPermissionService().hasPermission(getCurrentUser(), user, permission, identifier, inherit);
}
@Override
@@ -102,7 +115,7 @@ public abstract class ObjectPermissionSet extends RestrictedObject
@Override
public Collection<String> getAccessibleObjects(Collection<ObjectPermission.Type> permissions,
Collection<String> identifiers) throws GuacamoleException {
- return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers);
+ return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers, inherit);
}
@Override
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
index 7b476b3..1c2d23b 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionMapper.java
@@ -38,10 +38,16 @@ public interface PermissionMapper<PermissionType> {
* @param entity
* The entity to retrieve permissions for.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
* All permissions associated with the given entity.
*/
- Collection<PermissionType> select(@Param("entity") EntityModel entity);
+ Collection<PermissionType> select(@Param("entity") EntityModel entity,
+ @Param("inherit") boolean inherit);
/**
* Inserts the given permissions into the database. If any permissions
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
index 12b046b..6e59634 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
@@ -19,16 +19,11 @@
package org.apache.guacamole.auth.jdbc.permission;
-import java.util.ArrayList;
import java.util.Collection;
-import java.util.HashSet;
import java.util.Set;
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.GuacamoleSecurityException;
-import org.apache.guacamole.net.auth.permission.ObjectPermission;
-import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.Permission;
import org.apache.guacamole.net.auth.permission.PermissionSet;
@@ -59,6 +54,11 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
* The user to whom the permissions in the returned permission set are
* granted.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
* A permission set that contains all permissions associated with the
* given user, and can be used to manipulate that user's permissions.
@@ -69,7 +69,7 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
* user is denied.
*/
PermissionSetType getPermissionSet(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException;
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException;
/**
* Retrieves all permissions associated with the given user.
@@ -80,6 +80,11 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
* @param targetUser
* The user associated with the permissions to be retrieved.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
* The permissions associated with the given user.
*
@@ -87,7 +92,7 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
* If an error occurs while retrieving the requested permissions.
*/
Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException;
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException;
/**
* Creates the given permissions within the database. If any permissions
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
index ac16fc2..3cdf9d1 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
@@ -51,11 +51,11 @@ public class SharingProfilePermissionService extends ModeledObjectPermissionServ
@Override
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Create permission set for requested user
ObjectPermissionSet permissionSet = sharingProfilePermissionSetProvider.get();
- permissionSet.init(user, targetUser);
+ permissionSet.init(user, targetUser, inherit);
return permissionSet;
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
index 738062c..c05f405 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.java
@@ -34,15 +34,21 @@ public interface SystemPermissionMapper extends PermissionMapper<SystemPermissio
*
* @param entity
* The entity to retrieve permissions for.
- *
+ *
* @param type
* The type of permission to return.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
* The requested permission, or null if no such permission is granted
* to the given entity.
*/
SystemPermissionModel selectOne(@Param("entity") EntityModel entity,
- @Param("type") SystemPermission.Type type);
+ @Param("type") SystemPermission.Type type,
+ @Param("inherit") boolean inherit);
}
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
index e50a47f..5909569 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
@@ -75,11 +75,11 @@ public class SystemPermissionService
@Override
public SystemPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Create permission set for requested user
SystemPermissionSet permissionSet = systemPermissionSetProvider.get();
- permissionSet.init(user, targetUser);
+ permissionSet.init(user, targetUser, inherit);
return permissionSet;
@@ -123,8 +123,9 @@ public class SystemPermissionService
}
/**
- * Retrieves the permission of the given type associated with the given
- * user, if it exists. If no such permission exists, null is returned.
+ * Retrieves whether the permission of the given type has been granted to
+ * the given user. Permission inheritance through group membership is taken
+ * into account.
*
* @param user
* The user retrieving the permission.
@@ -135,27 +136,25 @@ public class SystemPermissionService
* @param type
* The type of permission to retrieve.
*
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
+ *
* @return
- * The permission of the given type associated with the given user, or
- * null if no such permission exists.
+ * true if permission of the given type has been granted to the given
+ * user, false otherwise.
*
* @throws GuacamoleException
* If an error occurs while retrieving the requested permission.
*/
- public SystemPermission retrievePermission(ModeledAuthenticatedUser user,
- ModeledUser targetUser, SystemPermission.Type type) throws GuacamoleException {
+ public boolean hasPermission(ModeledAuthenticatedUser user,
+ ModeledUser targetUser, SystemPermission.Type type,
+ boolean inherit) throws GuacamoleException {
// Retrieve permissions only if allowed
- if (canReadPermissions(user, targetUser)) {
-
- // Read permission from database, return null if not found
- SystemPermissionModel model = getPermissionMapper().selectOne(targetUser.getModel(), type);
- if (model == null)
- return null;
-
- return getPermissionInstance(model);
-
- }
+ if (canReadPermissions(user, targetUser))
+ return getPermissionMapper().selectOne(targetUser.getModel(), type, inherit) != null;
// User cannot read this user's permissions
throw new GuacamoleSecurityException("Permission denied.");
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
index 9c84a84..bb5af11 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
@@ -43,6 +43,12 @@ public class SystemPermissionSet extends RestrictedObject
private ModeledUser user;
/**
+ * Whether permissions inherited through user groups should be taken into
+ * account. If false, only permissions granted directly will be included.
+ */
+ private boolean inherit;
+
+ /**
* Service for reading and manipulating system permissions.
*/
@Inject
@@ -66,21 +72,28 @@ public class SystemPermissionSet extends RestrictedObject
*
* @param user
* The user to whom the permissions in this set are granted.
+ *
+ * @param inherit
+ * Whether permissions inherited through user groups should be taken
+ * into account. If false, only permissions granted directly will be
+ * included.
*/
- public void init(ModeledAuthenticatedUser currentUser, ModeledUser user) {
+ public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
+ boolean inherit) {
super.init(currentUser);
this.user = user;
+ this.inherit = inherit;
}
@Override
public Set<SystemPermission> getPermissions() throws GuacamoleException {
- return systemPermissionService.retrievePermissions(getCurrentUser(), user);
+ return systemPermissionService.retrievePermissions(getCurrentUser(), user, inherit);
}
@Override
public boolean hasPermission(SystemPermission.Type permission)
throws GuacamoleException {
- return systemPermissionService.retrievePermission(getCurrentUser(), user, permission) != null;
+ return systemPermissionService.hasPermission(getCurrentUser(), user, permission, inherit);
}
@Override
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
index d56ed28..8e65862 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
@@ -51,11 +51,11 @@ public class UserPermissionService extends ModeledObjectPermissionService {
@Override
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
- ModeledUser targetUser) throws GuacamoleException {
+ ModeledUser targetUser, boolean inherit) throws GuacamoleException {
// Create permission set for requested user
ObjectPermissionSet permissionSet = userPermissionSetProvider.get();
- permissionSet.init(user, targetUser);
+ permissionSet.init(user, targetUser, inherit);
return permissionSet;
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/0a69630c/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
index 583aa7f..39f1636 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
@@ -350,37 +350,37 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
@Override
public SystemPermissionSet getSystemPermissions()
throws GuacamoleException {
- return systemPermissionService.getPermissionSet(getCurrentUser(), this);
+ return systemPermissionService.getPermissionSet(getCurrentUser(), this, false);
}
@Override
public ObjectPermissionSet getConnectionPermissions()
throws GuacamoleException {
- return connectionPermissionService.getPermissionSet(getCurrentUser(), this);
+ return connectionPermissionService.getPermissionSet(getCurrentUser(), this, false);
}
@Override
public ObjectPermissionSet getConnectionGroupPermissions()
throws GuacamoleException {
- return connectionGroupPermissionService.getPermissionSet(getCurrentUser(), this);
+ return connectionGroupPermissionService.getPermissionSet(getCurrentUser(), this, false);
}
@Override
public ObjectPermissionSet getSharingProfilePermissions()
throws GuacamoleException {
- return sharingProfilePermissionService.getPermissionSet(getCurrentUser(), this);
+ return sharingProfilePermissionService.getPermissionSet(getCurrentUser(), this, false);
}
@Override
public ObjectPermissionSet getActiveConnectionPermissions()
throws GuacamoleException {
- return activeConnectionPermissionService.getPermissionSet(getCurrentUser(), this);
+ return activeConnectionPermissionService.getPermissionSet(getCurrentUser(), this, false);
}
@Override
public ObjectPermissionSet getUserPermissions()
throws GuacamoleException {
- return userPermissionService.getPermissionSet(getCurrentUser(), this);
+ return userPermissionService.getPermissionSet(getCurrentUser(), this, false);
}
@Override
@@ -855,7 +855,52 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
@Override
public Permissions getEffectivePermissions() throws GuacamoleException {
- return this;
+ return new Permissions() {
+
+ @Override
+ public ObjectPermissionSet getActiveConnectionPermissions()
+ throws GuacamoleException {
+ return activeConnectionPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
+ }
+
+ @Override
+ public ObjectPermissionSet getConnectionGroupPermissions()
+ throws GuacamoleException {
+ return connectionGroupPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
+ }
+
+ @Override
+ public ObjectPermissionSet getConnectionPermissions()
+ throws GuacamoleException {
+ return connectionPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
+ }
+
+ @Override
+ public ObjectPermissionSet getSharingProfilePermissions()
+ throws GuacamoleException {
+ return sharingProfilePermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
+ }
+
+ @Override
+ public SystemPermissionSet getSystemPermissions()
+ throws GuacamoleException {
+ return systemPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
+ }
+
+ @Override
+ public ObjectPermissionSet getUserPermissions()
+ throws GuacamoleException {
+ return userPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
+ }
+
+ @Override
+ public ObjectPermissionSet getUserGroupPermissions()
+ throws GuacamoleException {
+ // FIXME: STUB
+ return new SimpleObjectPermissionSet();
+ }
+
+ };
}
}