mirror of
https://github.com/gyurix1968/guacamole-client.git
synced 2025-09-06 13:17:41 +00:00
GUACAMOLE-220: Inherit from groups even if not determined by database.
This commit is contained in:
Michael Jumper
@@ -59,10 +59,11 @@ public class ActiveConnectionPermissionService
|
||||
@Override
|
||||
public boolean hasPermission(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, ObjectPermission.Type type,
|
||||
String identifier, boolean inherit) throws GuacamoleException {
|
||||
String identifier, Set<String> effectiveGroups) throws GuacamoleException {
|
||||
|
||||
// Retrieve permissions
|
||||
Set<ObjectPermission> permissions = retrievePermissions(user, targetUser, inherit);
|
||||
Set<ObjectPermission> permissions = retrievePermissions(user,
|
||||
targetUser, effectiveGroups);
|
||||
|
||||
// Permission is granted if retrieved permissions contains the
|
||||
// requested permission
|
||||
@@ -73,7 +74,8 @@ public class ActiveConnectionPermissionService
|
||||
|
||||
@Override
|
||||
public Set<ObjectPermission> retrievePermissions(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Retrieve permissions only if allowed
|
||||
if (canReadPermissions(user, targetUser)) {
|
||||
@@ -109,9 +111,10 @@ public class ActiveConnectionPermissionService
|
||||
@Override
|
||||
public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, Collection<ObjectPermission.Type> permissionTypes,
|
||||
Collection<String> identifiers, boolean inherit) throws GuacamoleException {
|
||||
Collection<String> identifiers, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
Set<ObjectPermission> permissions = retrievePermissions(user, targetUser, inherit);
|
||||
Set<ObjectPermission> permissions = retrievePermissions(user, targetUser, effectiveGroups);
|
||||
Collection<String> accessibleObjects = new ArrayList<String>(permissions.size());
|
||||
|
||||
// For each identifier/permission combination
|
||||
@@ -134,11 +137,12 @@ public class ActiveConnectionPermissionService
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Create permission set for requested user
|
||||
ActiveConnectionPermissionSet permissionSet = activeConnectionPermissionSetProvider.get();
|
||||
permissionSet.init(user, targetUser, inherit);
|
||||
permissionSet.init(user, targetUser, effectiveGroups);
|
||||
|
||||
return permissionSet;
|
||||
|
||||
|
||||
@@ -57,10 +57,15 @@ public interface ModeledDirectoryObjectMapper<ModelType> {
|
||||
* The user whose permissions should determine whether an identifier
|
||||
* is returned.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of any known effective groups that should be taken
|
||||
* into account, such as those defined externally to the database.
|
||||
*
|
||||
* @return
|
||||
* A Set containing all identifiers of all readable objects.
|
||||
*/
|
||||
Set<String> selectReadableIdentifiers(@Param("user") UserModel user);
|
||||
Set<String> selectReadableIdentifiers(@Param("user") UserModel user,
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
/**
|
||||
* Selects all objects which have the given identifiers. If an identifier
|
||||
@@ -91,11 +96,16 @@ public interface ModeledDirectoryObjectMapper<ModelType> {
|
||||
* @param identifiers
|
||||
* The identifiers of the objects to return.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of any known effective groups that should be taken
|
||||
* into account, such as those defined externally to the database.
|
||||
*
|
||||
* @return
|
||||
* A Collection of all objects having the given identifiers.
|
||||
*/
|
||||
Collection<ModelType> selectReadable(@Param("user") UserModel user,
|
||||
@Param("identifiers") Collection<String> identifiers);
|
||||
@Param("identifiers") Collection<String> identifiers,
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
/**
|
||||
* Inserts the given object into the database. If the object already
|
||||
|
||||
@@ -401,7 +401,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled
|
||||
|
||||
// Otherwise only return explicitly readable identifiers
|
||||
else
|
||||
objects = getObjectMapper().selectReadable(user.getUser().getModel(), identifiers);
|
||||
objects = getObjectMapper().selectReadable(user.getUser().getModel(),
|
||||
identifiers, user.getEffectiveUserGroups());
|
||||
|
||||
// Return collection of requested objects
|
||||
return getObjectInstances(user, objects);
|
||||
@@ -512,7 +513,8 @@ public abstract class ModeledDirectoryObjectService<InternalType extends Modeled
|
||||
|
||||
// Otherwise only return explicitly readable identifiers
|
||||
else
|
||||
return getObjectMapper().selectReadableIdentifiers(user.getUser().getModel());
|
||||
return getObjectMapper().selectReadableIdentifiers(user.getUser().getModel(),
|
||||
user.getEffectiveUserGroups());
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -19,6 +19,7 @@
|
||||
|
||||
package org.apache.guacamole.auth.jdbc.connection;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
|
||||
import org.apache.guacamole.auth.jdbc.user.UserModel;
|
||||
@@ -61,11 +62,18 @@ public interface ConnectionMapper extends ModeledDirectoryObjectMapper<Connectio
|
||||
* The identifier of the parent connection group, or null if the root
|
||||
* connection group is to be queried.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* A Set containing all identifiers of all readable objects.
|
||||
*/
|
||||
Set<String> selectReadableIdentifiersWithin(@Param("user") UserModel user,
|
||||
@Param("parentIdentifier") String parentIdentifier);
|
||||
@Param("parentIdentifier") String parentIdentifier,
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
/**
|
||||
* Selects the connection within the given parent group and having the
|
||||
|
||||
@@ -102,12 +102,19 @@ public interface ConnectionRecordMapper {
|
||||
* @param limit
|
||||
* The maximum number of records that should be returned.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* The results of the search performed with the given parameters.
|
||||
*/
|
||||
List<ConnectionRecordModel> searchReadable(@Param("user") UserModel user,
|
||||
@Param("terms") Collection<ActivityRecordSearchTerm> terms,
|
||||
@Param("sortPredicates") List<ActivityRecordSortPredicate> sortPredicates,
|
||||
@Param("limit") int limit);
|
||||
@Param("limit") int limit,
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
}
|
||||
|
||||
@@ -303,7 +303,9 @@ public class ConnectionService extends ModeledChildDirectoryObjectService<Modele
|
||||
|
||||
// Otherwise only return explicitly readable identifiers
|
||||
else
|
||||
return connectionMapper.selectReadableIdentifiersWithin(user.getUser().getModel(), identifier);
|
||||
return connectionMapper.selectReadableIdentifiersWithin(
|
||||
user.getUser().getModel(), identifier,
|
||||
user.getEffectiveUserGroups());
|
||||
|
||||
}
|
||||
|
||||
@@ -475,8 +477,9 @@ public class ConnectionService extends ModeledChildDirectoryObjectService<Modele
|
||||
|
||||
// Otherwise only return explicitly readable history records
|
||||
else
|
||||
searchResults = connectionRecordMapper.searchReadable(user.getUser().getModel(),
|
||||
requiredContents, sortPredicates, limit);
|
||||
searchResults = connectionRecordMapper.searchReadable(
|
||||
user.getUser().getModel(), requiredContents, sortPredicates,
|
||||
limit, user.getEffectiveUserGroups());
|
||||
|
||||
return getObjectInstances(searchResults);
|
||||
|
||||
|
||||
@@ -19,6 +19,7 @@
|
||||
|
||||
package org.apache.guacamole.auth.jdbc.connectiongroup;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
|
||||
import org.apache.guacamole.auth.jdbc.user.UserModel;
|
||||
@@ -61,11 +62,18 @@ public interface ConnectionGroupMapper extends ModeledDirectoryObjectMapper<Conn
|
||||
* The identifier of the parent connection group, or null if the root
|
||||
* connection group is to be queried.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* A Set containing all identifiers of all readable objects.
|
||||
*/
|
||||
Set<String> selectReadableIdentifiersWithin(@Param("user") UserModel user,
|
||||
@Param("parentIdentifier") String parentIdentifier);
|
||||
@Param("parentIdentifier") String parentIdentifier,
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
/**
|
||||
* Selects the connection group within the given parent group and having
|
||||
|
||||
@@ -223,7 +223,9 @@ public class ConnectionGroupService extends ModeledChildDirectoryObjectService<M
|
||||
|
||||
// Otherwise only return explicitly readable identifiers
|
||||
else
|
||||
return connectionGroupMapper.selectReadableIdentifiersWithin(user.getUser().getModel(), identifier);
|
||||
return connectionGroupMapper.selectReadableIdentifiersWithin(
|
||||
user.getUser().getModel(), identifier,
|
||||
user.getEffectiveUserGroups());
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.jdbc.permission;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
@@ -51,11 +52,12 @@ public class ConnectionGroupPermissionService extends ModeledObjectPermissionSer
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Create permission set for requested user
|
||||
ObjectPermissionSet permissionSet = connectionGroupPermissionSetProvider.get();
|
||||
permissionSet.init(user, targetUser, inherit);
|
||||
permissionSet.init(user, targetUser, effectiveGroups);
|
||||
|
||||
return permissionSet;
|
||||
|
||||
|
||||
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.jdbc.permission;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
@@ -51,11 +52,12 @@ public class ConnectionPermissionService extends ModeledObjectPermissionService
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Create permission set for requested user
|
||||
ObjectPermissionSet permissionSet = connectionPermissionSetProvider.get();
|
||||
permissionSet.init(user, targetUser, inherit);
|
||||
permissionSet.init(user, targetUser, effectiveGroups);
|
||||
|
||||
return permissionSet;
|
||||
|
||||
|
||||
@@ -22,6 +22,7 @@ package org.apache.guacamole.auth.jdbc.permission;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
@@ -106,7 +107,7 @@ public abstract class ModeledObjectPermissionService
|
||||
affectedIdentifiers.add(permission.getObjectIdentifier());
|
||||
|
||||
// Determine subset of affected identifiers that we have admin access to
|
||||
ObjectPermissionSet affectedPermissionSet = getPermissionSet(user, user.getUser(), true);
|
||||
ObjectPermissionSet affectedPermissionSet = getPermissionSet(user, user.getUser(), user.getEffectiveUserGroups());
|
||||
Collection<String> allowedSubset = affectedPermissionSet.getAccessibleObjects(
|
||||
Collections.singleton(ObjectPermission.Type.ADMINISTER),
|
||||
affectedIdentifiers
|
||||
@@ -157,11 +158,13 @@ public abstract class ModeledObjectPermissionService
|
||||
@Override
|
||||
public boolean hasPermission(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, ObjectPermission.Type type,
|
||||
String identifier, boolean inherit) throws GuacamoleException {
|
||||
String identifier, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Retrieve permissions only if allowed
|
||||
if (canReadPermissions(user, targetUser))
|
||||
return getPermissionMapper().selectOne(targetUser.getModel(), type, identifier, inherit) != null;
|
||||
return getPermissionMapper().selectOne(targetUser.getModel(), type,
|
||||
identifier, effectiveGroups) != null;
|
||||
|
||||
// User cannot read this user's permissions
|
||||
throw new GuacamoleSecurityException("Permission denied.");
|
||||
@@ -171,7 +174,7 @@ public abstract class ModeledObjectPermissionService
|
||||
@Override
|
||||
public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, Collection<ObjectPermission.Type> permissions,
|
||||
Collection<String> identifiers, boolean inherit)
|
||||
Collection<String> identifiers, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Nothing is always accessible
|
||||
@@ -186,7 +189,9 @@ public abstract class ModeledObjectPermissionService
|
||||
return identifiers;
|
||||
|
||||
// Otherwise, return explicitly-retrievable identifiers
|
||||
return getPermissionMapper().selectAccessibleIdentifiers(targetUser.getModel(), permissions, identifiers, inherit);
|
||||
return getPermissionMapper().selectAccessibleIdentifiers(
|
||||
targetUser.getModel(), permissions, identifiers,
|
||||
effectiveGroups);
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -140,11 +140,12 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss
|
||||
|
||||
@Override
|
||||
public Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Retrieve permissions only if allowed
|
||||
if (canReadPermissions(user, targetUser))
|
||||
return getPermissionInstances(getPermissionMapper().select(targetUser.getModel(), inherit));
|
||||
return getPermissionInstances(getPermissionMapper().select(targetUser.getModel(), effectiveGroups));
|
||||
|
||||
// User cannot read this user's permissions
|
||||
throw new GuacamoleSecurityException("Permission denied.");
|
||||
|
||||
@@ -43,10 +43,11 @@ public interface ObjectPermissionMapper extends PermissionMapper<ObjectPermissio
|
||||
* @param identifier
|
||||
* The identifier of the object affected by the permission to return.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* The requested permission, or null if no such permission is granted
|
||||
@@ -55,7 +56,7 @@ public interface ObjectPermissionMapper extends PermissionMapper<ObjectPermissio
|
||||
ObjectPermissionModel selectOne(@Param("entity") EntityModel entity,
|
||||
@Param("type") ObjectPermission.Type type,
|
||||
@Param("identifier") String identifier,
|
||||
@Param("inherit") boolean inherit);
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
/**
|
||||
* Retrieves the subset of the given identifiers for which the given entity
|
||||
@@ -73,10 +74,11 @@ public interface ObjectPermissionMapper extends PermissionMapper<ObjectPermissio
|
||||
* The identifiers of the objects affected by the permissions being
|
||||
* checked.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* A collection containing the subset of identifiers for which at least
|
||||
@@ -85,6 +87,6 @@ public interface ObjectPermissionMapper extends PermissionMapper<ObjectPermissio
|
||||
Collection<String> selectAccessibleIdentifiers(@Param("entity") EntityModel entity,
|
||||
@Param("permissions") Collection<ObjectPermission.Type> permissions,
|
||||
@Param("identifiers") Collection<String> identifiers,
|
||||
@Param("inherit") boolean inherit);
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
}
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
package org.apache.guacamole.auth.jdbc.permission;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
@@ -50,10 +51,11 @@ public interface ObjectPermissionService
|
||||
* @param identifier
|
||||
* The identifier of the object affected by the permission to return.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* true if permission of the given type and associated with the given
|
||||
@@ -64,7 +66,7 @@ public interface ObjectPermissionService
|
||||
*/
|
||||
boolean hasPermission(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, ObjectPermission.Type type,
|
||||
String identifier, boolean inherit) throws GuacamoleException;
|
||||
String identifier, Set<String> effectiveGroups) throws GuacamoleException;
|
||||
|
||||
/**
|
||||
* Retrieves the subset of the given identifiers for which the given user
|
||||
@@ -85,10 +87,11 @@ public interface ObjectPermissionService
|
||||
* The identifiers of the objects affected by the permissions being
|
||||
* checked.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* A collection containing the subset of identifiers for which at least
|
||||
@@ -99,7 +102,7 @@ public interface ObjectPermissionService
|
||||
*/
|
||||
Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, Collection<ObjectPermission.Type> permissions,
|
||||
Collection<String> identifiers, boolean inherit)
|
||||
Collection<String> identifiers, Set<String> effectiveGroups)
|
||||
throws GuacamoleException;
|
||||
|
||||
}
|
||||
|
||||
@@ -42,11 +42,7 @@ public abstract class ObjectPermissionSet extends RestrictedObject
|
||||
*/
|
||||
private ModeledUser user;
|
||||
|
||||
/**
|
||||
* Whether permissions inherited through user groups should be taken into
|
||||
* account. If false, only permissions granted directly will be included.
|
||||
*/
|
||||
boolean inherit;
|
||||
private Set<String> effectiveGroups;
|
||||
|
||||
/**
|
||||
* Creates a new ObjectPermissionSet. The resulting permission set
|
||||
@@ -67,16 +63,17 @@ public abstract class ObjectPermissionSet extends RestrictedObject
|
||||
* @param user
|
||||
* The user to whom the permissions in this set are granted.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*/
|
||||
public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
|
||||
boolean inherit) {
|
||||
Set<String> effectiveGroups) {
|
||||
super.init(currentUser);
|
||||
this.user = user;
|
||||
this.inherit = inherit;
|
||||
this.effectiveGroups = effectiveGroups;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -91,13 +88,13 @@ public abstract class ObjectPermissionSet extends RestrictedObject
|
||||
|
||||
@Override
|
||||
public Set<ObjectPermission> getPermissions() throws GuacamoleException {
|
||||
return getObjectPermissionService().retrievePermissions(getCurrentUser(), user, inherit);
|
||||
return getObjectPermissionService().retrievePermissions(getCurrentUser(), user, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasPermission(ObjectPermission.Type permission,
|
||||
String identifier) throws GuacamoleException {
|
||||
return getObjectPermissionService().hasPermission(getCurrentUser(), user, permission, identifier, inherit);
|
||||
return getObjectPermissionService().hasPermission(getCurrentUser(), user, permission, identifier, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -115,7 +112,7 @@ public abstract class ObjectPermissionSet extends RestrictedObject
|
||||
@Override
|
||||
public Collection<String> getAccessibleObjects(Collection<ObjectPermission.Type> permissions,
|
||||
Collection<String> identifiers) throws GuacamoleException {
|
||||
return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers, inherit);
|
||||
return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@@ -38,16 +38,17 @@ public interface PermissionMapper<PermissionType> {
|
||||
* @param entity
|
||||
* The entity to retrieve permissions for.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* All permissions associated with the given entity.
|
||||
*/
|
||||
Collection<PermissionType> select(@Param("entity") EntityModel entity,
|
||||
@Param("inherit") boolean inherit);
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
/**
|
||||
* Inserts the given permissions into the database. If any permissions
|
||||
|
||||
@@ -54,10 +54,11 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
|
||||
* The user to whom the permissions in the returned permission set are
|
||||
* granted.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* A permission set that contains all permissions associated with the
|
||||
@@ -69,7 +70,8 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
|
||||
* user is denied.
|
||||
*/
|
||||
PermissionSetType getPermissionSet(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException;
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException;
|
||||
|
||||
/**
|
||||
* Retrieves all permissions associated with the given user.
|
||||
@@ -80,10 +82,11 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
|
||||
* @param targetUser
|
||||
* The user associated with the permissions to be retrieved.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* The permissions associated with the given user.
|
||||
@@ -92,7 +95,8 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
|
||||
* If an error occurs while retrieving the requested permissions.
|
||||
*/
|
||||
Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException;
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException;
|
||||
|
||||
/**
|
||||
* Creates the given permissions within the database. If any permissions
|
||||
|
||||
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.jdbc.permission;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
@@ -51,11 +52,12 @@ public class SharingProfilePermissionService extends ModeledObjectPermissionServ
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Create permission set for requested user
|
||||
ObjectPermissionSet permissionSet = sharingProfilePermissionSetProvider.get();
|
||||
permissionSet.init(user, targetUser, inherit);
|
||||
permissionSet.init(user, targetUser, effectiveGroups);
|
||||
|
||||
return permissionSet;
|
||||
|
||||
|
||||
@@ -19,6 +19,7 @@
|
||||
|
||||
package org.apache.guacamole.auth.jdbc.permission;
|
||||
|
||||
import java.util.Collection;
|
||||
import org.apache.guacamole.auth.jdbc.base.EntityModel;
|
||||
import org.apache.ibatis.annotations.Param;
|
||||
import org.apache.guacamole.net.auth.permission.SystemPermission;
|
||||
@@ -38,10 +39,11 @@ public interface SystemPermissionMapper extends PermissionMapper<SystemPermissio
|
||||
* @param type
|
||||
* The type of permission to return.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* The requested permission, or null if no such permission is granted
|
||||
@@ -49,6 +51,6 @@ public interface SystemPermissionMapper extends PermissionMapper<SystemPermissio
|
||||
*/
|
||||
SystemPermissionModel selectOne(@Param("entity") EntityModel entity,
|
||||
@Param("type") SystemPermission.Type type,
|
||||
@Param("inherit") boolean inherit);
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
}
|
||||
|
||||
@@ -22,6 +22,7 @@ package org.apache.guacamole.auth.jdbc.permission;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import java.util.Collection;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
@@ -75,11 +76,11 @@ public class SystemPermissionService
|
||||
|
||||
@Override
|
||||
public SystemPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups) throws GuacamoleException {
|
||||
|
||||
// Create permission set for requested user
|
||||
SystemPermissionSet permissionSet = systemPermissionSetProvider.get();
|
||||
permissionSet.init(user, targetUser, inherit);
|
||||
permissionSet.init(user, targetUser, effectiveGroups);
|
||||
|
||||
return permissionSet;
|
||||
|
||||
@@ -136,10 +137,11 @@ public class SystemPermissionService
|
||||
* @param type
|
||||
* The type of permission to retrieve.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* true if permission of the given type has been granted to the given
|
||||
@@ -150,11 +152,11 @@ public class SystemPermissionService
|
||||
*/
|
||||
public boolean hasPermission(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, SystemPermission.Type type,
|
||||
boolean inherit) throws GuacamoleException {
|
||||
Set<String> effectiveGroups) throws GuacamoleException {
|
||||
|
||||
// Retrieve permissions only if allowed
|
||||
if (canReadPermissions(user, targetUser))
|
||||
return getPermissionMapper().selectOne(targetUser.getModel(), type, inherit) != null;
|
||||
return getPermissionMapper().selectOne(targetUser.getModel(), type, effectiveGroups) != null;
|
||||
|
||||
// User cannot read this user's permissions
|
||||
throw new GuacamoleSecurityException("Permission denied.");
|
||||
|
||||
@@ -42,11 +42,7 @@ public class SystemPermissionSet extends RestrictedObject
|
||||
*/
|
||||
private ModeledUser user;
|
||||
|
||||
/**
|
||||
* Whether permissions inherited through user groups should be taken into
|
||||
* account. If false, only permissions granted directly will be included.
|
||||
*/
|
||||
private boolean inherit;
|
||||
private Set<String> effectiveGroups;
|
||||
|
||||
/**
|
||||
* Service for reading and manipulating system permissions.
|
||||
@@ -73,27 +69,28 @@ public class SystemPermissionSet extends RestrictedObject
|
||||
* @param user
|
||||
* The user to whom the permissions in this set are granted.
|
||||
*
|
||||
* @param inherit
|
||||
* Whether permissions inherited through user groups should be taken
|
||||
* into account. If false, only permissions granted directly will be
|
||||
* included.
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*/
|
||||
public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
|
||||
boolean inherit) {
|
||||
Set<String> effectiveGroups) {
|
||||
super.init(currentUser);
|
||||
this.user = user;
|
||||
this.inherit = inherit;
|
||||
this.effectiveGroups = effectiveGroups;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Set<SystemPermission> getPermissions() throws GuacamoleException {
|
||||
return systemPermissionService.retrievePermissions(getCurrentUser(), user, inherit);
|
||||
return systemPermissionService.retrievePermissions(getCurrentUser(), user, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasPermission(SystemPermission.Type permission)
|
||||
throws GuacamoleException {
|
||||
return systemPermissionService.hasPermission(getCurrentUser(), user, permission, inherit);
|
||||
return systemPermissionService.hasPermission(getCurrentUser(), user, permission, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.jdbc.permission;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
@@ -51,11 +52,12 @@ public class UserPermissionService extends ModeledObjectPermissionService {
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
|
||||
ModeledUser targetUser, boolean inherit) throws GuacamoleException {
|
||||
ModeledUser targetUser, Set<String> effectiveGroups)
|
||||
throws GuacamoleException {
|
||||
|
||||
// Create permission set for requested user
|
||||
ObjectPermissionSet permissionSet = userPermissionSetProvider.get();
|
||||
permissionSet.init(user, targetUser, inherit);
|
||||
permissionSet.init(user, targetUser, effectiveGroups);
|
||||
|
||||
return permissionSet;
|
||||
|
||||
|
||||
@@ -628,7 +628,9 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
identifiers.add(record.getConnection().getIdentifier());
|
||||
|
||||
// Produce collection of readable connection identifiers
|
||||
Collection<ConnectionModel> connections = connectionMapper.selectReadable(user.getUser().getModel(), identifiers);
|
||||
Collection<ConnectionModel> connections =
|
||||
connectionMapper.selectReadable(user.getUser().getModel(),
|
||||
identifiers, user.getEffectiveUserGroups());
|
||||
|
||||
// Ensure set contains only identifiers of readable connections
|
||||
identifiers.clear();
|
||||
|
||||
@@ -351,37 +351,43 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
|
||||
@Override
|
||||
public SystemPermissionSet getSystemPermissions()
|
||||
throws GuacamoleException {
|
||||
return systemPermissionService.getPermissionSet(getCurrentUser(), this, false);
|
||||
return systemPermissionService.getPermissionSet(getCurrentUser(), this,
|
||||
Collections.<String>emptySet());
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getConnectionPermissions()
|
||||
throws GuacamoleException {
|
||||
return connectionPermissionService.getPermissionSet(getCurrentUser(), this, false);
|
||||
return connectionPermissionService.getPermissionSet(getCurrentUser(),
|
||||
this, Collections.<String>emptySet());
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getConnectionGroupPermissions()
|
||||
throws GuacamoleException {
|
||||
return connectionGroupPermissionService.getPermissionSet(getCurrentUser(), this, false);
|
||||
return connectionGroupPermissionService.getPermissionSet(
|
||||
getCurrentUser(), this, Collections.<String>emptySet());
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getSharingProfilePermissions()
|
||||
throws GuacamoleException {
|
||||
return sharingProfilePermissionService.getPermissionSet(getCurrentUser(), this, false);
|
||||
return sharingProfilePermissionService.getPermissionSet(
|
||||
getCurrentUser(), this, Collections.<String>emptySet());
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getActiveConnectionPermissions()
|
||||
throws GuacamoleException {
|
||||
return activeConnectionPermissionService.getPermissionSet(getCurrentUser(), this, false);
|
||||
return activeConnectionPermissionService.getPermissionSet(
|
||||
getCurrentUser(), this, Collections.<String>emptySet());
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getUserPermissions()
|
||||
throws GuacamoleException {
|
||||
return userPermissionService.getPermissionSet(getCurrentUser(), this, false);
|
||||
return userPermissionService.getPermissionSet(getCurrentUser(), this,
|
||||
Collections.<String>emptySet());
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -864,50 +870,64 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
|
||||
* apply to this user.
|
||||
*/
|
||||
public Set<String> getEffectiveUserGroups() {
|
||||
|
||||
// FIXME: STUB
|
||||
return /*retrieveEffectiveIdentifiers(this, */Collections.<String>emptySet()/*)*/;
|
||||
|
||||
return userService.retrieveEffectiveGroups(this,
|
||||
Collections.<String>emptySet());
|
||||
}
|
||||
|
||||
@Override
|
||||
public Permissions getEffectivePermissions() throws GuacamoleException {
|
||||
|
||||
final ModeledAuthenticatedUser authenticatedUser = getCurrentUser();
|
||||
final Set<String> effectiveGroups;
|
||||
|
||||
// If this user is the currently-authenticated user, include any
|
||||
// additional effective groups declared by the authentication system
|
||||
if (authenticatedUser.getIdentifier().equals(getIdentifier()))
|
||||
effectiveGroups = userService.retrieveEffectiveGroups(this,
|
||||
authenticatedUser.getEffectiveUserGroups());
|
||||
|
||||
// Otherwise, just include effective groups from the database
|
||||
else
|
||||
effectiveGroups = getEffectiveUserGroups();
|
||||
|
||||
// Return a permissions object which describes all effective
|
||||
// permissions, including any permissions inherited via user groups
|
||||
return new Permissions() {
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getActiveConnectionPermissions()
|
||||
throws GuacamoleException {
|
||||
return activeConnectionPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
|
||||
return activeConnectionPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getConnectionGroupPermissions()
|
||||
throws GuacamoleException {
|
||||
return connectionGroupPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
|
||||
return connectionGroupPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getConnectionPermissions()
|
||||
throws GuacamoleException {
|
||||
return connectionPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
|
||||
return connectionPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getSharingProfilePermissions()
|
||||
throws GuacamoleException {
|
||||
return sharingProfilePermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
|
||||
return sharingProfilePermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
public SystemPermissionSet getSystemPermissions()
|
||||
throws GuacamoleException {
|
||||
return systemPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
|
||||
return systemPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ObjectPermissionSet getUserPermissions()
|
||||
throws GuacamoleException {
|
||||
return userPermissionService.getPermissionSet(getCurrentUser(), ModeledUser.this, true);
|
||||
return userPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@@ -19,6 +19,8 @@
|
||||
|
||||
package org.apache.guacamole.auth.jdbc.user;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.Set;
|
||||
import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
|
||||
import org.apache.ibatis.annotations.Param;
|
||||
|
||||
@@ -39,4 +41,24 @@ public interface UserMapper extends ModeledDirectoryObjectMapper<UserModel> {
|
||||
*/
|
||||
UserModel selectOne(@Param("username") String username);
|
||||
|
||||
/**
|
||||
* Returns the set of all group identifiers of which the given user is a
|
||||
* member, taking into account the given collection of known group
|
||||
* memberships which are not necessarily defined within the database.
|
||||
*
|
||||
* @param user
|
||||
* The user whose effective groups should be returned.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of any known effective groups that should be taken
|
||||
* into account, such as those defined externally to the database.
|
||||
*
|
||||
* @return
|
||||
* The set of identifiers of all groups that the given user is a
|
||||
* member of, including those where membership is inherited through
|
||||
* membership in other groups.
|
||||
*/
|
||||
Set<String> selectEffectiveGroupIdentifiers(@Param("user") UserModel user,
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
}
|
||||
|
||||
@@ -113,12 +113,19 @@ public interface UserRecordMapper {
|
||||
* @param limit
|
||||
* The maximum number of records that should be returned.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of all groups that should be taken into account
|
||||
* when determining the permissions effectively granted to the user. If
|
||||
* no groups are given, only permissions directly granted to the user
|
||||
* will be used.
|
||||
*
|
||||
* @return
|
||||
* The results of the search performed with the given parameters.
|
||||
*/
|
||||
List<ActivityRecordModel> searchReadable(@Param("user") UserModel user,
|
||||
@Param("terms") Collection<ActivityRecordSearchTerm> terms,
|
||||
@Param("sortPredicates") List<ActivityRecordSortPredicate> sortPredicates,
|
||||
@Param("limit") int limit);
|
||||
@Param("limit") int limit,
|
||||
@Param("effectiveGroups") Collection<String> effectiveGroups);
|
||||
|
||||
}
|
||||
|
||||
@@ -26,6 +26,7 @@ import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.apache.guacamole.net.auth.Credentials;
|
||||
import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
|
||||
@@ -591,11 +592,37 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
|
||||
// Otherwise only return explicitly readable history records
|
||||
else
|
||||
searchResults = userRecordMapper.searchReadable(user.getUser().getModel(),
|
||||
requiredContents, sortPredicates, limit);
|
||||
requiredContents, sortPredicates, limit, user.getEffectiveUserGroups());
|
||||
|
||||
return getObjectInstances(searchResults);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the set of all group identifiers of which the given user is a
|
||||
* member, taking into account the given collection of known group
|
||||
* memberships which are not necessarily defined within the database.
|
||||
*
|
||||
* Note that group visibility with respect to the queried user is NOT taken
|
||||
* into account. If the user is a member of a group, the identifier of that
|
||||
* group will be included in the returned set even if the current user lacks
|
||||
* "READ" permission for that group.
|
||||
*
|
||||
* @param user
|
||||
* The user whose effective groups should be returned.
|
||||
*
|
||||
* @param effectiveGroups
|
||||
* The identifiers of any known effective groups that should be taken
|
||||
* into account, such as those defined externally to the database.
|
||||
*
|
||||
* @return
|
||||
* The set of identifiers of all groups that the given user is a
|
||||
* member of, including those where membership is inherited through
|
||||
* membership in other groups.
|
||||
*/
|
||||
public Set<String> retrieveEffectiveGroups(ModeledUser user,
|
||||
Collection<String> effectiveGroups) {
|
||||
return userMapper.selectEffectiveGroupIdentifiers(user.getModel(), effectiveGroups);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -23,21 +23,40 @@
|
||||
|
||||
<mapper namespace="org.apache.guacamole.auth.jdbc.base.EntityMapper" >
|
||||
|
||||
<!-- Retrieves the ID of the given entity. If inheritance is enabled, the
|
||||
IDs of the entities for all applicable user groups are retrieved, as well. -->
|
||||
<sql id="relatedEntities">
|
||||
<if test="!${inheritFlag}">${entityID}</if>
|
||||
<if test="${inheritFlag}">
|
||||
WITH RECURSIVE related_entity(entity_id) AS (
|
||||
VALUES (${entityID})
|
||||
UNION
|
||||
SELECT guacamole_user_group.entity_id
|
||||
FROM related_entity
|
||||
JOIN guacamole_user_group_member ON related_entity.entity_id = guacamole_user_group_member.member_entity_id
|
||||
JOIN guacamole_user_group ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
|
||||
<!--
|
||||
* SQL fragment which tests whether the value of the given column matches
|
||||
* the given entity ID. If group identifiers are provided, the IDs of the
|
||||
* entities for all groups having those identifiers are tested, as well.
|
||||
*
|
||||
* @param column
|
||||
* The name of the column to test. This column MUST contain an entity
|
||||
* ID (a foreign key into the guacamole_entity table).
|
||||
*
|
||||
* @param entityID
|
||||
* The ID of the specific entity to test the column against.
|
||||
*
|
||||
* @param groups
|
||||
* A collection of group identifiers to additionally test the column
|
||||
* against. Though this functionality is optional, a collection must
|
||||
* always be given, even if that collection is empty.
|
||||
-->
|
||||
<sql id="isRelatedEntity">
|
||||
(
|
||||
${column} = ${entityID}
|
||||
<if test="!${groups}.isEmpty()">
|
||||
OR ${column} IN (
|
||||
SELECT entity_id
|
||||
FROM guacamole_entity
|
||||
WHERE
|
||||
type = 'USER_GROUP'::guacamole_entity_type
|
||||
AND name IN
|
||||
<foreach collection="${groups}" item="effectiveGroup"
|
||||
open="(" separator="," close=")">
|
||||
#{effectiveGroup,jdbcType=VARCHAR}
|
||||
</foreach>
|
||||
)
|
||||
SELECT entity_id FROM related_entity
|
||||
</if>
|
||||
)
|
||||
</sql>
|
||||
|
||||
<!-- Insert single entity -->
|
||||
|
||||
@@ -68,12 +68,11 @@
|
||||
SELECT connection_id
|
||||
FROM guacamole_connection_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ'
|
||||
</select>
|
||||
|
||||
@@ -94,12 +93,11 @@
|
||||
WHERE
|
||||
<if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}::integer</if>
|
||||
<if test="parentIdentifier == null">parent_id IS NULL</if>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ'
|
||||
</select>
|
||||
|
||||
@@ -175,12 +173,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND guacamole_connection_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_connection_permission.entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ'
|
||||
GROUP BY guacamole_connection.connection_id;
|
||||
|
||||
@@ -192,12 +189,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
SELECT
|
||||
@@ -211,12 +207,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
</select>
|
||||
|
||||
@@ -166,23 +166,21 @@
|
||||
<!-- Restrict to readable connections -->
|
||||
JOIN guacamole_connection_permission ON
|
||||
guacamole_connection_history.connection_id = guacamole_connection_permission.connection_id
|
||||
AND guacamole_connection_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_connection_permission.entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND guacamole_connection_permission.permission = 'READ'
|
||||
|
||||
<!-- Restrict to readable users -->
|
||||
JOIN guacamole_user_permission ON
|
||||
guacamole_connection_history.user_id = guacamole_user_permission.affected_user_id
|
||||
AND guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND guacamole_user_permission.permission = 'READ'
|
||||
|
||||
<!-- Search terms -->
|
||||
|
||||
@@ -69,12 +69,11 @@
|
||||
SELECT connection_group_id
|
||||
FROM guacamole_connection_group_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ'
|
||||
</select>
|
||||
|
||||
@@ -95,12 +94,11 @@
|
||||
WHERE
|
||||
<if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}::integer</if>
|
||||
<if test="parentIdentifier == null">parent_id IS NULL</if>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ'
|
||||
</select>
|
||||
|
||||
@@ -171,12 +169,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
SELECT parent_id, guacamole_connection_group.connection_group_id
|
||||
@@ -187,12 +184,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
SELECT parent_id, guacamole_connection.connection_id
|
||||
@@ -203,12 +199,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
SELECT
|
||||
@@ -222,12 +217,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
</select>
|
||||
|
||||
@@ -40,12 +40,11 @@
|
||||
connection_group_id
|
||||
FROM guacamole_connection_group_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
|
||||
</select>
|
||||
|
||||
@@ -58,12 +57,11 @@
|
||||
connection_group_id
|
||||
FROM guacamole_connection_group_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = #{type,jdbcType=VARCHAR}::guacamole_object_permission_type
|
||||
AND connection_group_id = #{identifier,jdbcType=INTEGER}::integer
|
||||
|
||||
@@ -75,12 +73,11 @@
|
||||
SELECT DISTINCT connection_group_id
|
||||
FROM guacamole_connection_group_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND connection_group_id IN
|
||||
<foreach collection="identifiers" item="identifier"
|
||||
open="(" separator="," close=")">
|
||||
|
||||
@@ -40,12 +40,11 @@
|
||||
connection_id
|
||||
FROM guacamole_connection_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
|
||||
</select>
|
||||
|
||||
@@ -58,12 +57,11 @@
|
||||
connection_id
|
||||
FROM guacamole_connection_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = #{type,jdbcType=VARCHAR}::guacamole_object_permission_type
|
||||
AND connection_id = #{identifier,jdbcType=INTEGER}::integer
|
||||
|
||||
@@ -75,12 +73,11 @@
|
||||
SELECT DISTINCT connection_id
|
||||
FROM guacamole_connection_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND connection_id IN
|
||||
<foreach collection="identifiers" item="identifier"
|
||||
open="(" separator="," close=")">
|
||||
|
||||
@@ -40,13 +40,11 @@
|
||||
sharing_profile_id
|
||||
FROM guacamole_sharing_profile_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
|
||||
|
||||
</select>
|
||||
|
||||
@@ -59,12 +57,11 @@
|
||||
sharing_profile_id
|
||||
FROM guacamole_sharing_profile_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = #{type,jdbcType=VARCHAR}::guacamole_object_permission_type
|
||||
AND sharing_profile_id = #{identifier,jdbcType=INTEGER}::integer
|
||||
|
||||
@@ -76,12 +73,11 @@
|
||||
SELECT DISTINCT sharing_profile_id
|
||||
FROM guacamole_sharing_profile_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND sharing_profile_id IN
|
||||
<foreach collection="identifiers" item="identifier"
|
||||
open="(" separator="," close=")">
|
||||
|
||||
@@ -38,12 +38,11 @@
|
||||
permission
|
||||
FROM guacamole_system_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
|
||||
</select>
|
||||
|
||||
@@ -55,12 +54,11 @@
|
||||
permission
|
||||
FROM guacamole_system_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = #{type,jdbcType=VARCHAR}::guacamole_system_permission_type
|
||||
|
||||
</select>
|
||||
|
||||
@@ -42,12 +42,11 @@
|
||||
JOIN guacamole_user affected_user ON guacamole_user_permission.affected_user_id = affected_user.user_id
|
||||
JOIN guacamole_entity affected_entity ON affected_user.entity_id = affected_entity.entity_id
|
||||
WHERE
|
||||
guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND affected_entity.type = 'USER'::guacamole_entity_type
|
||||
|
||||
</select>
|
||||
@@ -63,12 +62,11 @@
|
||||
JOIN guacamole_user affected_user ON guacamole_user_permission.affected_user_id = affected_user.user_id
|
||||
JOIN guacamole_entity affected_entity ON affected_user.entity_id = affected_entity.entity_id
|
||||
WHERE
|
||||
guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = #{type,jdbcType=VARCHAR}::guacamole_object_permission_type
|
||||
AND affected_entity.name = #{identifier,jdbcType=VARCHAR}
|
||||
AND affected_entity.type = 'USER'::guacamole_entity_type
|
||||
@@ -83,12 +81,11 @@
|
||||
JOIN guacamole_user affected_user ON guacamole_user_permission.affected_user_id = affected_user.user_id
|
||||
JOIN guacamole_entity affected_entity ON affected_user.entity_id = affected_entity.entity_id
|
||||
WHERE
|
||||
guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="inherit"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND affected_entity.name IN
|
||||
<foreach collection="identifiers" item="identifier"
|
||||
open="(" separator="," close=")">
|
||||
|
||||
@@ -52,12 +52,11 @@
|
||||
SELECT sharing_profile_id
|
||||
FROM guacamole_sharing_profile_permission
|
||||
WHERE
|
||||
entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ'
|
||||
</select>
|
||||
|
||||
@@ -104,12 +103,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
SELECT
|
||||
@@ -123,12 +121,11 @@
|
||||
open="(" separator="," close=")">
|
||||
#{identifier,jdbcType=INTEGER}::integer
|
||||
</foreach>
|
||||
AND entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
</select>
|
||||
|
||||
@@ -70,16 +70,53 @@
|
||||
JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id
|
||||
JOIN guacamole_user_permission ON affected_user_id = guacamole_user.user_id
|
||||
WHERE
|
||||
guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND guacamole_entity.type = 'USER'::guacamole_entity_type
|
||||
AND permission = 'READ'
|
||||
</select>
|
||||
|
||||
<!-- Select names of all effective (including inherited) groups -->
|
||||
<select id="selectEffectiveGroupIdentifiers" resultType="string">
|
||||
|
||||
WITH RECURSIVE related_entity(entity_id) AS (
|
||||
SELECT
|
||||
guacamole_user_group.entity_id
|
||||
FROM guacamole_user_group
|
||||
JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
|
||||
WHERE
|
||||
guacamole_user_group_member.member_entity_id = #{user.entityID}
|
||||
<if test="!effectiveGroups.isEmpty()">
|
||||
UNION
|
||||
SELECT
|
||||
guacamole_entity.entity_id
|
||||
FROM guacamole_entity
|
||||
WHERE
|
||||
type = 'USER_GROUP'::guacamole_entity_type
|
||||
AND name IN
|
||||
<foreach collection="effectiveGroups" item="effectiveGroup"
|
||||
open="(" separator="," close=")">
|
||||
#{effectiveGroup,jdbcType=VARCHAR}
|
||||
</foreach>
|
||||
</if>
|
||||
UNION
|
||||
SELECT
|
||||
guacamole_user_group.entity_id
|
||||
FROM related_entity
|
||||
JOIN guacamole_user_group_member ON related_entity.entity_id = guacamole_user_group_member.member_entity_id
|
||||
JOIN guacamole_user_group ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
|
||||
)
|
||||
SELECT name
|
||||
FROM related_entity
|
||||
JOIN guacamole_entity ON related_entity.entity_id = guacamole_entity.entity_id
|
||||
WHERE
|
||||
guacamole_entity.type = 'USER_GROUP'::guacamole_entity_type;
|
||||
|
||||
</select>
|
||||
|
||||
<!-- Select multiple users by username -->
|
||||
<select id="select" resultMap="UserResultMap"
|
||||
resultSets="users,arbitraryAttributes">
|
||||
@@ -163,12 +200,11 @@
|
||||
#{identifier,jdbcType=VARCHAR}
|
||||
</foreach>
|
||||
AND guacamole_entity.type = 'USER'::guacamole_entity_type
|
||||
AND guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ'
|
||||
GROUP BY guacamole_user.user_id, guacamole_entity.entity_id;
|
||||
|
||||
@@ -186,12 +222,11 @@
|
||||
#{identifier,jdbcType=VARCHAR}
|
||||
</foreach>
|
||||
AND guacamole_entity.type = 'USER'::guacamole_entity_type
|
||||
AND guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND permission = 'READ';
|
||||
|
||||
</select>
|
||||
|
||||
@@ -156,12 +156,11 @@
|
||||
<!-- Restrict to readable users -->
|
||||
JOIN guacamole_user_permission ON
|
||||
guacamole_user_history.user_id = guacamole_user_permission.affected_user_id
|
||||
AND guacamole_user_permission.entity_id IN (
|
||||
<include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.relatedEntities">
|
||||
<property name="inheritFlag" value="true"/>
|
||||
AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
|
||||
<property name="column" value="guacamole_user_permission.entity_id"/>
|
||||
<property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
|
||||
<property name="groups" value="effectiveGroups"/>
|
||||
</include>
|
||||
)
|
||||
AND guacamole_user_permission.permission = 'READ'
|
||||
|
||||
<!-- Search terms -->
|
||||
|
||||
Reference in New Issue
Block a user