safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-07 13:41:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-220: Merge add base extension API support for user groups.

Browse Source
This commit is contained in:
Nick Couchman
2018-04-22 15:45:46 -04:00
parent 456ad7f28e e75e9715f7
commit 1ac08257bc
35 changed files with 875 additions and 167 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharing/user/SharedAuthenticatedUser.java
View File

@@ -19,6 +19,8 @@
package org.apache.guacamole.auth.jdbc.sharing.user;
import java.util.Collections;
import java.util.Set;
import org.apache.guacamole.auth.jdbc.user.RemoteAuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -100,4 +102,9 @@ public class SharedAuthenticatedUser extends RemoteAuthenticatedUser {
throw new UnsupportedOperationException("Users authenticated via share keys are immutable.");
}
@Override
public Set<String> getEffectiveUserGroups() {
return Collections.<String>emptySet();
}
}

18
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharing/user/SharedUser.java
View File

@@ -30,10 +30,13 @@ import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Connection;
import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.RelatedObjectSet;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
import org.apache.guacamole.net.auth.simple.SimpleRelatedObjectSet;
import org.apache.guacamole.net.auth.simple.SimpleSystemPermissionSet;
/**
@@ -140,6 +143,11 @@ public class SharedUser implements User {
return new SharedObjectPermissionSet(userDirectory.getIdentifiers());
}
@Override
public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
return new SimpleObjectPermissionSet();
}
@Override
public ObjectPermissionSet getSharingProfilePermissions() throws GuacamoleException {
return new SimpleObjectPermissionSet();
@@ -150,4 +158,14 @@ public class SharedUser implements User {
return new SimpleObjectPermissionSet();
}
@Override
public RelatedObjectSet getUserGroups() throws GuacamoleException {
return new SimpleRelatedObjectSet();
}
@Override
public Permissions getEffectivePermissions() throws GuacamoleException {
return this;
}
}

5
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledAuthenticatedUser.java
View File

@@ -169,4 +169,9 @@ public class ModeledAuthenticatedUser extends RemoteAuthenticatedUser {
user.setIdentifier(identifier);
}
@Override
public Set<String> getEffectiveUserGroups() {
return Collections.<String>emptySet();
}
}

19
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
View File

@@ -52,10 +52,14 @@ import org.apache.guacamole.form.TextField;
import org.apache.guacamole.form.TimeField;
import org.apache.guacamole.form.TimeZoneField;
import org.apache.guacamole.net.auth.ActivityRecord;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.RelatedObjectSet;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermission;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
import org.apache.guacamole.net.auth.simple.SimpleRelatedObjectSet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -379,6 +383,11 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
return userPermissionService.getPermissionSet(getCurrentUser(), this);
}
@Override
public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
return new SimpleObjectPermissionSet();
}
/**
* Stores all restricted (privileged) attributes within the given Map,
* pulling the values of those attributes from the underlying user model.
@@ -839,4 +848,14 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
return userService.retrieveHistory(getCurrentUser(), this);
}
@Override
public RelatedObjectSet getUserGroups() throws GuacamoleException {
return new SimpleRelatedObjectSet();
}
@Override
public Permissions getEffectivePermissions() throws GuacamoleException {
return this;
}
}

13
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUserContext.java
View File

@@ -26,6 +26,7 @@ import org.apache.guacamole.auth.jdbc.connection.ConnectionDirectory;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.jdbc.base.RestrictedObject;
@@ -46,6 +47,8 @@ import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.SharingProfile;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserGroup;
import org.apache.guacamole.net.auth.simple.SimpleDirectory;
/**
* UserContext implementation which is driven by an arbitrary, underlying
@@ -161,6 +164,11 @@ public class ModeledUserContext extends RestrictedObject
return userDirectory;
}
@Override
public Directory<UserGroup> getUserGroupDirectory() throws GuacamoleException {
return new SimpleDirectory<UserGroup>();
}
@Override
public Directory<Connection> getConnectionDirectory() throws GuacamoleException {
return connectionDirectory;
@@ -214,6 +222,11 @@ public class ModeledUserContext extends RestrictedObject
return ModeledUser.ATTRIBUTES;
}
@Override
public Collection<Form> getUserGroupAttributes() {
return Collections.<Form>emptyList();
}
@Override
public Collection<Form> getConnectionAttributes() {
return ModeledConnection.ATTRIBUTES;

7
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AbstractAuthenticatedUser.java
View File

@@ -19,6 +19,8 @@
package org.apache.guacamole.net.auth;
import java.util.Collections;
import java.util.Set;
/**
* Basic implementation of an AuthenticatedUser which uses the username to
@@ -29,6 +31,11 @@ public abstract class AbstractAuthenticatedUser extends AbstractIdentifiable
// Prior functionality now resides within AbstractIdentifiable
@Override
public Set<String> getEffectiveUserGroups() {
return Collections.<String>emptySet();
}
@Override
public void invalidate() {
// Nothing to invalidate

25
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AbstractUserContext.java
View File

@@ -67,6 +67,19 @@ public abstract class AbstractUserContext implements UserContext {
return new SimpleDirectory<User>(self());
}
/**
* {@inheritDoc}
*
* <p>This implementation simply returns an empty {@link Directory}.
* Implementations that wish to expose user groups should override this
* function.
*/
@Override
public Directory<UserGroup> getUserGroupDirectory()
throws GuacamoleException {
return new SimpleDirectory<UserGroup>();
}
/**
* {@inheritDoc}
*
@@ -181,6 +194,18 @@ public abstract class AbstractUserContext implements UserContext {
return Collections.<Form>emptyList();
}
/**
* {@inheritDoc}
*
* <p>This implementation simply returns an empty {@link Collection}.
* Implementations that wish to expose custom user group attributes as
* fields within user group edit screens should override this function.
*/
@Override
public Collection<Form> getUserGroupAttributes() {
return Collections.<Form>emptyList();
}
/**
* {@inheritDoc}
*

19
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticatedUser.java
View File

@@ -19,6 +19,7 @@
package org.apache.guacamole.net.auth;
import java.util.Set;
/**
* A user of the Guacamole web application who has been authenticated by an
@@ -49,6 +50,24 @@ public interface AuthenticatedUser extends Identifiable {
*/
Credentials getCredentials();
/**
* Returns a read-only set of the identifiers of all user groups which
* apply to this authenticated user. The exact semantics of what user
* groups apply are up to the implementation, and the user groups within
* this set may be implied, derived dynamically, inherited through multiple
* levels of group membership, etc.
*
* Note that, as with user identifiers, user group identifiers form the
* basis of identity which applies across authentication providers. It is
* expected that any two user groups having the same identifier represent
* the same group, even if defined by different authentication providers.
*
* @return
* A read-only set of the identifiers of all user groups which apply
* to this authenticated user.
*/
Set<String> getEffectiveUserGroups();
/**
* Invalidates this authenticated user and their associated token such that
* they are no longer logged in. This function will be automatically

16
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/DelegatingUser.java
View File

@@ -124,4 +124,20 @@ public class DelegatingUser implements User {
return user.getUserPermissions();
}
@Override
public ObjectPermissionSet getUserGroupPermissions()
throws GuacamoleException {
return user.getUserGroupPermissions();
}
@Override
public RelatedObjectSet getUserGroups() throws GuacamoleException {
return user.getUserGroups();
}
@Override
public Permissions getEffectivePermissions() throws GuacamoleException {
return user.getEffectivePermissions();
}
}

10
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/DelegatingUserContext.java
View File

@@ -65,6 +65,11 @@ public class DelegatingUserContext implements UserContext {
return userContext.getUserDirectory();
}
@Override
public Directory<UserGroup> getUserGroupDirectory() throws GuacamoleException {
return userContext.getUserGroupDirectory();
}
@Override
public Directory<Connection> getConnectionDirectory()
throws GuacamoleException {
@@ -111,6 +116,11 @@ public class DelegatingUserContext implements UserContext {
return userContext.getUserAttributes();
}
@Override
public Collection<Form> getUserGroupAttributes() {
return userContext.getUserGroupAttributes();
}
@Override
public Collection<Form> getConnectionAttributes() {
return userContext.getConnectionAttributes();

125
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/DelegatingUserGroup.java Normal file
View File

@@ -0,0 +1,125 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.net.auth;
import java.util.Map;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
/**
* UserGroup implementation which simply delegates all function calls to an
* underlying UserGroup.
*/
public class DelegatingUserGroup implements UserGroup {
/**
* The wrapped UserGroup.
*/
private final UserGroup userGroup;
/**
* Wraps the given UserGroup such that all function calls against this
* DelegatingUserGroup will be delegated to it.
*
* @param userGroup
* The UserGroup to wrap.
*/
public DelegatingUserGroup(UserGroup userGroup) {
this.userGroup = userGroup;
}
@Override
public String getIdentifier() {
return userGroup.getIdentifier();
}
@Override
public void setIdentifier(String identifier) {
userGroup.setIdentifier(identifier);
}
@Override
public Map<String, String> getAttributes() {
return userGroup.getAttributes();
}
@Override
public void setAttributes(Map<String, String> attributes) {
userGroup.setAttributes(attributes);
}
@Override
public SystemPermissionSet getSystemPermissions()
throws GuacamoleException {
return userGroup.getSystemPermissions();
}
@Override
public ObjectPermissionSet getConnectionPermissions()
throws GuacamoleException {
return userGroup.getConnectionPermissions();
}
@Override
public ObjectPermissionSet getConnectionGroupPermissions()
throws GuacamoleException {
return userGroup.getConnectionGroupPermissions();
}
@Override
public ObjectPermissionSet getSharingProfilePermissions()
throws GuacamoleException {
return userGroup.getSharingProfilePermissions();
}
@Override
public ObjectPermissionSet getActiveConnectionPermissions()
throws GuacamoleException {
return userGroup.getActiveConnectionPermissions();
}
@Override
public ObjectPermissionSet getUserPermissions() throws GuacamoleException {
return userGroup.getUserPermissions();
}
@Override
public ObjectPermissionSet getUserGroupPermissions()
throws GuacamoleException {
return userGroup.getUserGroupPermissions();
}
@Override
public RelatedObjectSet getUserGroups() throws GuacamoleException {
return userGroup.getUserGroups();
}
@Override
public RelatedObjectSet getMemberUsers() throws GuacamoleException {
return userGroup.getMemberUsers();
}
@Override
public RelatedObjectSet getMemberUserGroups() throws GuacamoleException {
return userGroup.getMemberUserGroups();
}
}

129
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Permissions.java Normal file
View File

@@ -0,0 +1,129 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.net.auth;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
/**
* An object which may be granted permissions to access/manipulate various
* other objects or aspects of the system. The permissions granted are exposed
* through subclasses of PermissionSet, and may be mutable depending on the
* access level of the current user.
*/
public interface Permissions {
/**
* Returns all permissions given to this object regarding currently-active
* connections.
*
* @return
* An ObjectPermissionSet of all active connection permissions granted
* to this object.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getActiveConnectionPermissions()
throws GuacamoleException;
/**
* Returns all connection group permissions given to this object.
*
* @return
* An ObjectPermissionSet of all connection group permissions granted
* to this object.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getConnectionGroupPermissions()
throws GuacamoleException;
/**
* Returns all connection permissions given to this object.
*
* @return
* An ObjectPermissionSet of all connection permissions granted to this
* object.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getConnectionPermissions() throws GuacamoleException;
/**
* Returns all sharing profile permissions given to this object.
*
* @return
* An ObjectPermissionSet of all sharing profile permissions granted to
* this object.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getSharingProfilePermissions()
throws GuacamoleException;
/**
* Returns all system-level permissions given to this object.
*
* @return
* A SystemPermissionSet of all system-level permissions granted to
* this object.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
SystemPermissionSet getSystemPermissions() throws GuacamoleException;
/**
* Returns all user permissions given to this object.
*
* @return
* An ObjectPermissionSet of all user permissions granted to this
* object.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getUserPermissions() throws GuacamoleException;
/**
* Returns all user group permissions given to this object.
*
* @return
* An ObjectPermissionSet of all user group permissions granted to this
* object.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException;
}

78
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/RelatedObjectSet.java Normal file
View File

@@ -0,0 +1,78 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.net.auth;
import java.util.Set;
import org.apache.guacamole.GuacamoleException;
/**
* An arbitrary set of existing objects sharing some common relation. Unlike a
* Directory, which provides for maintaining the entire lifecycle of its
* objects, a RelatedObjectSet only maintains the relation between its
* containing object and the objects within the set. Adding/removing an object
* from a RelatedObjectSet affects only the status of the specific relationship
* represented by the RelatedObjectSet, not the existence of the objects
* themselves.
*/
public interface RelatedObjectSet {
/**
* Returns a Set which contains the identifiers of all objects contained
* within this RelatedObjectSet.
*
* @return
* A Set which contains the identifiers of all objects contained
* within this RelatedObjectSet.
*
* @throws GuacamoleException
* If an error occurs while retrieving the objects within the set, or
* if objects cannot be retrieved due to lack of permissions to do so.
*/
Set<String> getObjects() throws GuacamoleException;
/**
* Adds the objects having the given identifiers, if not already present.
* If a specified object is already present, no operation is performed
* regarding that object.
*
* @param identifiers
* The identifiers of all objects being added.
*
* @throws GuacamoleException
* If an error occurs while adding the objects, or if permission to add
* objects is denied.
*/
void addObjects(Set<String> identifiers) throws GuacamoleException;
/**
* Removes each of the objects having the specified identifiers, if
* present. If a specified object is not present, no operation is performed
* regarding that object.
*
* @param identifiers
* The identifiers of all objects being removed.
*
* @throws GuacamoleException
* If an error occurs while removing the objects, or if permission to
* remove objects is denied.
*/
void removeObjects(Set<String> identifiers) throws GuacamoleException;
}

87
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/User.java
View File

@@ -22,14 +22,11 @@ package org.apache.guacamole.net.auth;
import java.util.Date;
import java.util.List;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
/**
* A user of the Guacamole web application.
*/
public interface User extends Identifiable, Attributes {
public interface User extends Identifiable, Attributes, Permissions {
/**
* All standard attribute names with semantics defined by the Guacamole web
@@ -109,85 +106,33 @@ public interface User extends Identifiable, Attributes {
List<? extends ActivityRecord> getHistory() throws GuacamoleException;
/**
* Returns all system-level permissions given to this user.
* Returns a set of all readable user groups of which this user is a member.
* If permission is granted for the current user to modify the membership of
* this user, then the returned set will be mutable, and any such
* modifications should be made through changes to the returned set.
*
* @return
* A SystemPermissionSet of all system-level permissions granted to
* this user.
* The set of all readable user groups of which this user is a member.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
* @throws GuacamoleException
* If an error occurs while retrieving the user groups.
*/
SystemPermissionSet getSystemPermissions() throws GuacamoleException;
RelatedObjectSet getUserGroups() throws GuacamoleException;
/**
* Returns all connection permissions given to this user.
* Returns a read-only view of all permissions granted to this user. The
* exact semantics of what permissions are granted are up to the
* implementation, and the permissions within this view may be implied,
* derived dynamically, inherited through multiple levels of group
* membership, etc.
*
* @return
* An ObjectPermissionSet of all connection permissions granted to this
* user.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getConnectionPermissions()
throws GuacamoleException;
/**
* Returns all connection group permissions given to this user.
*
* @return
* An ObjectPermissionSet of all connection group permissions granted
* to this user.
* A read-only view of the permissions which are granted to this user.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getConnectionGroupPermissions()
throws GuacamoleException;
/**
* Returns all sharing profile permissions given to this user.
*
* @return
* An ObjectPermissionSet of all sharing profile permissions granted to
* this user.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getSharingProfilePermissions()
throws GuacamoleException;
/**
* Returns all permissions given to this user regarding currently-active
* connections.
*
* @return
* An ObjectPermissionSet of all active connection permissions granted
* to this user.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getActiveConnectionPermissions()
throws GuacamoleException;
/**
* Returns all user permissions given to this user.
*
* @return
* An ObjectPermissionSet of all user permissions granted to this user.
*
* @throws GuacamoleException
* If an error occurs while retrieving permissions, or if reading all
* permissions is not allowed.
*/
ObjectPermissionSet getUserPermissions() throws GuacamoleException;
Permissions getEffectivePermissions() throws GuacamoleException;
}

25
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/UserContext.java
View File

@@ -84,6 +84,20 @@ public interface UserContext {
*/
Directory<User> getUserDirectory() throws GuacamoleException;
/**
* Retrieves a Directory which can be used to view and manipulate user
* groups, but only as allowed by the permissions given to the user of this
* UserContext.
*
* @return
* A Directory whose operations are bound by the restrictions
* of this UserContext.
*
* @throws GuacamoleException
* If an error occurs while creating the Directory.
*/
Directory<UserGroup> getUserGroupDirectory() throws GuacamoleException;
/**
* Retrieves a Directory which can be used to view and manipulate
* connections and their configurations, but only as allowed by the
@@ -197,6 +211,17 @@ public interface UserContext {
*/
Collection<Form> getUserAttributes();
/**
* Retrieves a collection of all attributes applicable to user groups. This
* collection will contain only those attributes which the current user has
* general permission to view or modify. If there are no such attributes,
* this collection will be empty.
*
* @return
* A collection of all attributes applicable to user groups.
*/
Collection<Form> getUserGroupAttributes();
/**
* Retrieves a collection of all attributes applicable to connections. This
* collection will contain only those attributes which the current user has

77
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/UserGroup.java Normal file
View File

@@ -0,0 +1,77 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.net.auth;
import org.apache.guacamole.GuacamoleException;
/**
* A user group of the Guacamole web application. Each user group may contain
* any number of Guacamole users and other user groups, and defines the
* permissions implicitly granted to its members.
*/
public interface UserGroup extends Identifiable, Attributes, Permissions {
/**
* Returns a set of all readable user groups of which this user group is a
* member. If permission is granted for the current user to modify the
* membership of this user group, then the returned set will be mutable,
* and any such modifications should be made through changes to the
* returned set.
*
* @return
* The set of all readable user groups of which this user group is a
* member.
*
* @throws GuacamoleException
* If an error occurs while retrieving the user groups.
*/
RelatedObjectSet getUserGroups() throws GuacamoleException;
/**
* Returns a set of all readable users that are members of this user group.
* If permission is granted for the current user to modify the members of
* this group, then the returned set will be mutable, and any such
* modifications should be made through changes to the returned set.
*
* @return
* The set all readable users that are members of this user group,
* which may be mutable.
*
* @throws GuacamoleException
* If an error occurs while retrieving the users.
*/
RelatedObjectSet getMemberUsers() throws GuacamoleException;
/**
* Returns a set of all readable user groups that are members of this user
* group. If permission is granted for the current user to modify the
* members of this group, then the returned set will be mutable, and any
* such modifications should be made through changes to the returned set.
*
* @return
* The set of all readable user groups that are members of this user
* group, which may be mutable.
*
* @throws GuacamoleException
* If an error occurs while retrieving the user groups.
*/
RelatedObjectSet getMemberUserGroups() throws GuacamoleException;
}

7
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleAuthenticationProvider.java
View File

@@ -19,7 +19,9 @@
package org.apache.guacamole.net.auth.simple;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
@@ -131,6 +133,11 @@ public abstract class SimpleAuthenticationProvider
return credentials;
}
@Override
public Set<String> getEffectiveUserGroups() {
return Collections.<String>emptySet();
}
}
/**

88
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleRelatedObjectSet.java Normal file
View File

@@ -0,0 +1,88 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.net.auth.simple;
import java.util.Collections;
import java.util.Set;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.net.auth.RelatedObjectSet;
/**
* A read-only implementation of RelatedObjectSet which uses a backing Set
* of identifiers to determine which objects are present.
*/
public class SimpleRelatedObjectSet implements RelatedObjectSet {
/**
* A set containing the identifiers of all objects currently present.
*/
private Set<String> identifiers = Collections.<String>emptySet();
/**
* Creates a new empty SimpleObjectPermissionSet.
*/
public SimpleRelatedObjectSet() {
}
/**
* Creates a new SimpleRelatedObjectSet which contains the objects having
* the identifiers within the given Set. The given Set backs the contents
* of the new SimpleRelatedObjectSet. While the SimpleRelatedObjectSet is
* read-only, any changes to the underlying Set will be reflected in the
* SimpleRelatedObjectSet.
*
* @param identifiers
* The Set containing the identifiers of all objects which should be
* present within the new SimpleRelatedObjectSet.
*/
public SimpleRelatedObjectSet(Set<String> identifiers) {
this.identifiers = identifiers;
}
/**
* Replaces the Set of object identifiers which backs this
* SimpleRelatedObjectSet. Future function calls on this
* SimpleRelatedObjectSet will instead use the provided Set.
*
* @param identifiers
* The Set containing the identifiers of all objects which should be
* present within this SimpleRelatedObjectSet.
*/
protected void setObjects(Set<String> identifiers) {
this.identifiers = identifiers;
}
@Override
public Set<String> getObjects() {
return identifiers;
}
@Override
public void addObjects(Set<String> identifiers) throws GuacamoleException {
throw new GuacamoleSecurityException("Permission denied.");
}
@Override
public void removeObjects(Set<String> identifiers) throws GuacamoleException {
throw new GuacamoleSecurityException("Permission denied.");
}
}

18
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java
View File

@@ -29,6 +29,8 @@ import java.util.Set;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractUser;
import org.apache.guacamole.net.auth.ActivityRecord;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.RelatedObjectSet;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
@@ -200,6 +202,12 @@ public class SimpleUser extends AbstractUser {
return new SimpleObjectPermissionSet(userPermissions);
}
@Override
public ObjectPermissionSet getUserGroupPermissions()
throws GuacamoleException {
return new SimpleObjectPermissionSet();
}
@Override
public ObjectPermissionSet getActiveConnectionPermissions()
throws GuacamoleException {
@@ -211,4 +219,14 @@ public class SimpleUser extends AbstractUser {
return new SimpleObjectPermissionSet();
}
@Override
public RelatedObjectSet getUserGroups() throws GuacamoleException {
return new SimpleRelatedObjectSet();
}
@Override
public Permissions getEffectivePermissions() throws GuacamoleException {
return this;
}
}

9
guacamole/src/main/java/org/apache/guacamole/rest/connection/ConnectionResource.java
View File

@@ -35,9 +35,9 @@ import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.net.auth.Connection;
import org.apache.guacamole.net.auth.ConnectionRecord;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.rest.directory.DirectoryView;
import org.apache.guacamole.net.auth.SharingProfile;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -119,11 +119,12 @@ public class ConnectionResource extends DirectoryObjectResource<Connection, APIC
public Map<String, String> getConnectionParameters()
throws GuacamoleException {
User self = userContext.self();
// Pull effective permissions
Permissions effective = userContext.self().getEffectivePermissions();
// Retrieve permission sets
SystemPermissionSet systemPermissions = self.getSystemPermissions();
ObjectPermissionSet connectionPermissions = self.getConnectionPermissions();
SystemPermissionSet systemPermissions = effective.getSystemPermissions();
ObjectPermissionSet connectionPermissions = effective.getConnectionPermissions();
// Deny access if adminstrative or update permission is missing
String identifier = connection.getIdentifier();

8
guacamole/src/main/java/org/apache/guacamole/rest/connectiongroup/ConnectionGroupTree.java
View File

@@ -29,8 +29,8 @@ import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.Connection;
import org.apache.guacamole.net.auth.ConnectionGroup;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.SharingProfile;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -356,9 +356,9 @@ public class ConnectionGroupTree {
retrievedGroups.put(root.getIdentifier(), this.rootAPIGroup);
// Store user's current permissions
User self = userContext.self();
this.connectionPermissions = self.getConnectionPermissions();
this.sharingProfilePermissions = self.getSharingProfilePermissions();
Permissions effective = userContext.self().getEffectivePermissions();
this.connectionPermissions = effective.getConnectionPermissions();
this.sharingProfilePermissions = effective.getSharingProfilePermissions();
// Store required directories
this.connectionDirectory = userContext.getConnectionDirectory();

8
guacamole/src/main/java/org/apache/guacamole/rest/directory/DirectoryResource.java
View File

@@ -37,7 +37,7 @@ import org.apache.guacamole.GuacamoleResourceNotFoundException;
import org.apache.guacamole.GuacamoleUnsupportedException;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Identifiable;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -142,14 +142,14 @@ public abstract class DirectoryResource<InternalType extends Identifiable, Exter
throws GuacamoleException {
// An admin user has access to all objects
User self = userContext.self();
SystemPermissionSet systemPermissions = self.getSystemPermissions();
Permissions effective = userContext.self().getEffectivePermissions();
SystemPermissionSet systemPermissions = effective.getSystemPermissions();
boolean isAdmin = systemPermissions.hasPermission(SystemPermission.Type.ADMINISTER);
// Filter objects, if requested
Collection<String> identifiers = directory.getIdentifiers();
if (!isAdmin && permissions != null && !permissions.isEmpty()) {
ObjectPermissionSet objectPermissions = self.getUserPermissions();
ObjectPermissionSet objectPermissions = effective.getUserPermissions();
identifiers = objectPermissions.getAccessibleObjects(permissions, identifiers);
}

41
guacamole/src/main/java/org/apache/guacamole/rest/permission/APIPermissionSet.java
View File

@@ -24,20 +24,20 @@ import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermission;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
/**
* The set of permissions which are granted to a specific user, organized by
* object type and, if applicable, identifier. This object can be constructed
* with arbitrary permissions present, or manipulated after creation through
* the manipulation or replacement of its collections of permissions, but is
* otherwise not intended for internal use as a data structure for permissions.
* Its primary purpose is as a hierarchical format for exchanging granted
* permissions with REST clients.
* The set of permissions which are granted to a specific user or user group,
* organized by object type and, if applicable, identifier. This object can be
* constructed with arbitrary permissions present, or manipulated after creation
* through the manipulation or replacement of its collections of permissions,
* but is otherwise not intended for internal use as a data structure for
* permissions. Its primary purpose is as a hierarchical format for exchanging
* granted permissions with REST clients.
*/
public class APIPermissionSet {
@@ -146,24 +146,23 @@ public class APIPermissionSet {
/**
* Creates a new permission set containing all permissions currently
* granted to the given user.
* granted within the given Permissions object.
*
* @param user
* The user whose permissions should be stored within this permission
* set.
* @param permissions
* The permissions that should be stored within this permission set.
*
* @throws GuacamoleException
* If an error occurs while retrieving the user's permissions.
* If an error occurs while retrieving the permissions.
*/
public APIPermissionSet(User user) throws GuacamoleException {
public APIPermissionSet(Permissions permissions) throws GuacamoleException {
// Add all permissions from the provided user
addSystemPermissions(systemPermissions, user.getSystemPermissions());
addObjectPermissions(connectionPermissions, user.getConnectionPermissions());
addObjectPermissions(connectionGroupPermissions, user.getConnectionGroupPermissions());
addObjectPermissions(sharingProfilePermissions, user.getSharingProfilePermissions());
addObjectPermissions(activeConnectionPermissions, user.getActiveConnectionPermissions());
addObjectPermissions(userPermissions, user.getUserPermissions());
addSystemPermissions(systemPermissions, permissions.getSystemPermissions());
addObjectPermissions(connectionPermissions, permissions.getConnectionPermissions());
addObjectPermissions(connectionGroupPermissions, permissions.getConnectionGroupPermissions());
addObjectPermissions(sharingProfilePermissions, permissions.getSharingProfilePermissions());
addObjectPermissions(activeConnectionPermissions, permissions.getActiveConnectionPermissions());
addObjectPermissions(userPermissions, permissions.getUserPermissions());
}
@@ -229,7 +228,7 @@ public class APIPermissionSet {
/**
* Returns a map of user IDs to the set of permissions granted for that
* user. If no permissions are granted to a particular user, its ID will
* user. If no permissions are granted for a particular user, its ID will
* not be present as a key in the map. This map is mutable, and changes to
* to this map will affect the permission set directly.
*

9
guacamole/src/main/java/org/apache/guacamole/rest/sharingprofile/SharingProfileResource.java
View File

@@ -30,8 +30,8 @@ import javax.ws.rs.core.MediaType;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.SharingProfile;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -103,11 +103,12 @@ public class SharingProfileResource
public Map<String, String> getParameters()
throws GuacamoleException {
User self = userContext.self();
// Pull effective permissions
Permissions effective = userContext.self().getEffectivePermissions();
// Retrieve permission sets
SystemPermissionSet systemPermissions = self.getSystemPermissions();
ObjectPermissionSet sharingProfilePermissions = self.getSharingProfilePermissions();
SystemPermissionSet systemPermissions = effective.getSystemPermissions();
ObjectPermissionSet sharingProfilePermissions = effective.getSharingProfilePermissions();
// Deny access if adminstrative or update permission is missing
String identifier = sharingProfile.getIdentifier();

18
guacamole/src/main/java/org/apache/guacamole/rest/user/APIUserWrapper.java
View File

@@ -26,6 +26,8 @@ import java.util.Map;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleUnsupportedException;
import org.apache.guacamole.net.auth.ActivityRecord;
import org.apache.guacamole.net.auth.Permissions;
import org.apache.guacamole.net.auth.RelatedObjectSet;
import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
@@ -110,12 +112,28 @@ public class APIUserWrapper implements User {
throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
}
@Override
public ObjectPermissionSet getUserGroupPermissions()
throws GuacamoleException {
throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
}
@Override
public ObjectPermissionSet getActiveConnectionPermissions()
throws GuacamoleException {
throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
}
@Override
public Permissions getEffectivePermissions() throws GuacamoleException {
throw new GuacamoleUnsupportedException("APIUserWrapper does not provide permission access.");
}
@Override
public RelatedObjectSet getUserGroups() throws GuacamoleException {
throw new GuacamoleUnsupportedException("APIUserWrapper does not provide group access.");
}
@Override
public Date getLastActive() {
return null;

21
guacamole/src/main/java/org/apache/guacamole/rest/user/UserResource.java
View File

@@ -43,6 +43,7 @@ import org.apache.guacamole.net.auth.credentials.GuacamoleCredentialsException;
import org.apache.guacamole.rest.directory.DirectoryObjectResource;
import org.apache.guacamole.rest.directory.DirectoryObjectTranslator;
import org.apache.guacamole.rest.history.APIActivityRecord;
import org.apache.guacamole.rest.permission.APIPermissionSet;
import org.apache.guacamole.rest.permission.PermissionSetResource;
/**
@@ -181,7 +182,8 @@ public class UserResource
/**
* Returns a resource which abstracts operations available on the overall
* permissions granted to the User represented by this UserResource.
* permissions granted directly to the User represented by this
* UserResource.
*
* @return
* A resource which representing the permissions granted to the User
@@ -192,4 +194,21 @@ public class UserResource
return new PermissionSetResource(user);
}
/**
* Returns a read-only view of the permissions effectively granted to this
* user, including permissions which may be inherited or implied.
*
* @return
* A read-only view of the permissions effectively granted to this
* user.
*
* @throws GuacamoleException
* If the effective permissions for this user cannot be retrieved.
*/
@GET
@Path("effectivePermissions")
public APIPermissionSet getEffectivePermissions() throws GuacamoleException {
return new APIPermissionSet(user.getEffectivePermissions());
}
}

2
guacamole/src/main/webapp/app/manage/controllers/manageConnectionController.js
View File

@@ -199,7 +199,7 @@ angular.module('manage').controller('manageConnectionController', ['$scope', '$i
});
// Query the user's permissions for the current connection
permissionService.getPermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
permissionService.getEffectivePermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
.success(function permissionsReceived(permissions) {
$scope.permissions = permissions;

2
guacamole/src/main/webapp/app/manage/controllers/manageConnectionGroupController.js
View File

@@ -134,7 +134,7 @@ angular.module('manage').controller('manageConnectionGroupController', ['$scope'
});
// Query the user's permissions for the current connection group
permissionService.getPermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
permissionService.getEffectivePermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
.success(function permissionsReceived(permissions) {
$scope.permissions = permissions;

2
guacamole/src/main/webapp/app/manage/controllers/manageSharingProfileController.js
View File

@@ -175,7 +175,7 @@ angular.module('manage').controller('manageSharingProfileController', ['$scope',
});
// Query the user's permissions for the current sharing profile
permissionService.getPermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
permissionService.getEffectivePermissions($scope.selectedDataSource, authenticationService.getCurrentUsername())
.success(function permissionsReceived(permissions) {
$scope.permissions = permissions;

2
guacamole/src/main/webapp/app/manage/controllers/manageUserController.js
View File

@@ -680,7 +680,7 @@ angular.module('manage').controller('manageUserController', ['$scope', '$injecto
// Query the user's permissions for the current user
dataSourceService.apply(
permissionService.getPermissions,
permissionService.getEffectivePermissions,
dataSources,
currentUsername
)

4
guacamole/src/main/webapp/app/navigation/services/userPageService.js
View File

@@ -329,7 +329,7 @@ angular.module('navigation').factory('userPageService', ['$injector',
// Retrieve current permissions
dataSourceService.apply(
permissionService.getPermissions,
permissionService.getEffectivePermissions,
authenticationService.getAvailableDataSources(),
authenticationService.getCurrentUsername()
)
@@ -422,7 +422,7 @@ angular.module('navigation').factory('userPageService', ['$injector',
// Retrieve current permissions
dataSourceService.apply(
permissionService.getPermissions,
permissionService.getEffectivePermissions,
authenticationService.getAvailableDataSources(),
authenticationService.getCurrentUsername()
)

137
guacamole/src/main/webapp/app/rest/services/permissionService.js
View File

@@ -36,8 +36,11 @@ angular.module('rest').factory('permissionService', ['$injector',
/**
* Returns the URL for the REST resource most appropriate for accessing
* the permissions of the user having the given username.
*
* the effective permissions of the user having the given username.
* Effective permissions differ from the permissions returned via
* getPermissions() in that permissions which are not directly granted to
* the user are included.
*
* It is important to note that a particular data source can authenticate
* and provide permissions for a user, even if that user does not exist
* within that data source (and thus cannot be found beneath
@@ -56,7 +59,7 @@ angular.module('rest').factory('permissionService', ['$injector',
* The URL for the REST resource representing the user having the given
* username.
*/
var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, username) {
var getEffectivePermissionsResourceURL = function getEffectivePermissionsResourceURL(dataSource, username) {
// Create base URL for data source
var base = 'api/session/data/' + encodeURIComponent(dataSource);
@@ -65,19 +68,21 @@ angular.module('rest').factory('permissionService', ['$injector',
// user actually existing (they may not). Access their permissions via
// "self" rather than the collection of defined users.
if (username === authenticationService.getCurrentUsername())
return base + '/self/permissions';
return base + '/self/effectivePermissions';
// Otherwise, the user must exist for their permissions to be
// accessible. Use the collection of defined users.
return base + '/users/' + encodeURIComponent(username) + '/permissions';
return base + '/users/' + encodeURIComponent(username) + '/effectivePermissions';
};
/**
* Makes a request to the REST API to get the list of permissions for a
* given user, returning a promise that provides an array of
* @link{Permission} objects if successful.
*
* Makes a request to the REST API to get the list of effective permissions
* for a given user, returning a promise that provides an array of
* @link{Permission} objects if successful. Effective permissions differ
* from the permissions returned via getPermissions() in that permissions
* which are not directly granted to the user are included.
*
* @param {String} dataSource
* The unique identifier of the data source containing the user whose
* permissions should be retrieved. This identifier corresponds to an
@@ -85,12 +90,12 @@ angular.module('rest').factory('permissionService', ['$injector',
*
* @param {String} userID
* The ID of the user to retrieve the permissions for.
*
*
* @returns {Promise.<PermissionSet>}
* A promise which will resolve with a @link{PermissionSet} upon
* success.
*/
service.getPermissions = function getPermissions(dataSource, userID) {
service.getEffectivePermissions = function getEffectivePermissions(dataSource, userID) {
// Build HTTP parameters set
var httpParameters = {
@@ -101,58 +106,89 @@ angular.module('rest').factory('permissionService', ['$injector',
return $http({
cache : cacheService.users,
method : 'GET',
url : getPermissionsResourceURL(dataSource, userID),
url : getEffectivePermissionsResourceURL(dataSource, userID),
params : httpParameters
});
};
/**
* Makes a request to the REST API to add permissions for a given user,
* returning a promise that can be used for processing the results of the
* call.
* Returns the URL for the REST resource most appropriate for accessing
* the permissions of the user having the given identifier. The permissions
* retrieved differ from effective permissions (those returned by
* getEffectivePermissions()) in that only permissions which are directly
* granted to the user are included.
*
* It is important to note that a particular data source can authenticate
* and provide permissions for a user, even if that user does not exist
* within that data source (and thus cannot be found beneath
* "api/session/data/{dataSource}/users")
*
* @param {String} dataSource
* The unique identifier of the data source containing the user whose
* permissions should be modified. This identifier corresponds to an
* permissions should be retrieved. This identifier corresponds to an
* AuthenticationProvider within the Guacamole web application.
*
* @param {String} userID
* The ID of the user to modify the permissions of.
*
* @param {PermissionSet} permissions
* The set of permissions to add.
*
* @returns {Promise}
* A promise for the HTTP call which will succeed if and only if the
* add operation is successful.
* @param {String} identifier
* The identifier of the user for which the URL of the proper REST
* resource should be derived.
*
* @returns {String}
* The URL for the REST resource representing the user having the given
* identifier.
*/
service.addPermissions = function addPermissions(dataSource, userID, permissions) {
return service.patchPermissions(dataSource, userID, permissions, null);
var getPermissionsResourceURL = function getPermissionsResourceURL(dataSource, identifier) {
// Create base URL for data source
var base = 'api/session/data/' + encodeURIComponent(dataSource);
// If the username is that of the current user, do not rely on the
// user actually existing (they may not). Access their permissions via
// "self" rather than the collection of defined users.
if (identifier === authenticationService.getCurrentUsername())
return base + '/self/permissions';
// Otherwise, the user must exist for their permissions to be
// accessible. Use the collection of defined users.
return base + '/users/' + encodeURIComponent(identifier) + '/permissions';
};
/**
* Makes a request to the REST API to remove permissions for a given user,
* returning a promise that can be used for processing the results of the
* call.
* Makes a request to the REST API to get the list of permissions for a
* given user, returning a promise that provides an array of
* @link{Permission} objects if successful. The permissions retrieved
* differ from effective permissions (those returned by
* getEffectivePermissions()) in that only permissions which are directly
* granted to the user included.
*
* @param {String} dataSource
* The unique identifier of the data source containing the user whose
* permissions should be modified. This identifier corresponds to an
* permissions should be retrieved. This identifier corresponds to an
* AuthenticationProvider within the Guacamole web application.
*
* @param {String} userID
* The ID of the user to modify the permissions of.
*
* @param {PermissionSet} permissions
* The set of permissions to remove.
*
* @returns {Promise}
* A promise for the HTTP call which will succeed if and only if the
* remove operation is successful.
* @param {String} identifier
* The identifier of the user to retrieve the permissions for.
*
* @returns {Promise.<PermissionSet>}
* A promise which will resolve with a @link{PermissionSet} upon
* success.
*/
service.removePermissions = function removePermissions(dataSource, userID, permissions) {
return service.patchPermissions(dataSource, userID, null, permissions);
service.getPermissions = function getPermissions(dataSource, identifier) {
// Build HTTP parameters set
var httpParameters = {
token : authenticationService.getCurrentToken()
};
// Retrieve user permissions
return $http({
cache : cacheService.users,
method : 'GET',
url : getPermissionsResourceURL(dataSource, identifier),
params : httpParameters
});
};
/**
@@ -240,27 +276,30 @@ angular.module('rest').factory('permissionService', ['$injector',
/**
* Makes a request to the REST API to modify the permissions for a given
* user, returning a promise that can be used for processing the results of
* the call.
* the call. This request affects only the permissions directly granted to
* the user, and may not affect permissions inherited through other means
* (effective permissions).
*
* @param {String} dataSource
* The unique identifier of the data source containing the user whose
* permissions should be modified. This identifier corresponds to an
* AuthenticationProvider within the Guacamole web application.
*
* @param {String} userID
* The ID of the user to modify the permissions of.
* @param {String} identifier
* The identifier of the user to modify the permissions of.
*
* @param {PermissionSet} [permissionsToAdd]
* The set of permissions to add, if any.
*
* @param {PermissionSet} [permissionsToRemove]
* The set of permissions to remove, if any.
*
*
* @returns {Promise}
* A promise for the HTTP call which will succeed if and only if the
* patch operation is successful.
*/
service.patchPermissions = function patchPermissions(dataSource, userID, permissionsToAdd, permissionsToRemove) {
service.patchPermissions = function patchPermissions(dataSource, identifier,
permissionsToAdd, permissionsToRemove) {
var permissionPatch = [];
@@ -278,7 +317,7 @@ angular.module('rest').factory('permissionService', ['$injector',
// Patch user permissions
return $http({
method : 'PATCH',
url : getPermissionsResourceURL(dataSource, userID),
url : getPermissionsResourceURL(dataSource, identifier),
params : httpParameters,
data : permissionPatch
})

2
guacamole/src/main/webapp/app/settings/directives/guacSettingsConnections.js
View File

@@ -404,7 +404,7 @@ angular.module('settings').directive('guacSettingsConnections', [function guacSe
};
// Retrieve current permissions
permissionService.getPermissions($scope.dataSource, currentUsername)
permissionService.getEffectivePermissions($scope.dataSource, currentUsername)
.success(function permissionsRetrieved(permissions) {
// Store retrieved permissions

2
guacamole/src/main/webapp/app/settings/directives/guacSettingsPreferences.js
View File

@@ -185,7 +185,7 @@ angular.module('settings').directive('guacSettingsPreferences', [function guacSe
});
// Retrieve current permissions
permissionService.getPermissions(dataSource, username)
permissionService.getEffectivePermissions(dataSource, username)
.success(function permissionsRetrieved(permissions) {
// Add action for changing password if permission is granted

2
guacamole/src/main/webapp/app/settings/directives/guacSettingsUsers.js
View File

@@ -232,7 +232,7 @@ angular.module('settings').directive('guacSettingsUsers', [function guacSettings
// Retrieve current permissions
dataSourceService.apply(
permissionService.getPermissions,
permissionService.getEffectivePermissions,
dataSources,
currentUsername
)