From 2d337531946c4caa6d33129e892305ae56be3ab0 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Sun, 27 Jan 2013 01:52:56 -0800
Subject: [PATCH] Allow unrestricted access to all Users and GuacamoleConfigurations through the Environment. Restrict access to everything and provide CRUD operations within UserContext. Define contract of permissions.
---
 .../guacamole/net/auth/AbstractUser.java | 3 +-
 .../net/auth/AuthenticationProvider.java | 26 ++-
 .../guacamole/net/auth/Environment.java | 95 +--------
 .../guacamole/net/auth/Restrictable.java | 116 ------------
 .../guacamole/net/auth/RestrictedObject.java | 112 ------------
 .../sourceforge/guacamole/net/auth/User.java | 2 +-
 .../guacamole/net/auth/UserContext.java | 170 ++++++++++++++++++
 7 files changed, 196 insertions(+), 328 deletions(-)
 delete mode 100644 guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Restrictable.java
 delete mode 100644 guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/RestrictedObject.java
 create mode 100644 guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/UserContext.java
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AbstractUser.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AbstractUser.java
index 4037672c0..8497f3627 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AbstractUser.java
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AbstractUser.java
@@ -46,8 +46,7 @@ import net.sourceforge.guacamole.GuacamoleException;
 *
 * @author Michael Jumper
 */
-public class AbstractUser extends RestrictedObject
- implements User, Comparable {
+public abstract class AbstractUser implements User, Comparable {
 
 /**
 * The name of this user.
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AuthenticationProvider.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AuthenticationProvider.java
index 599410a29..5fccba9a8 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AuthenticationProvider.java
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/AuthenticationProvider.java
@@ -50,16 +50,30 @@ import net.sourceforge.guacamole.GuacamoleException;
 public interface AuthenticationProvider {
 
 /**
- * Returns the Environment authorized by the given credentials, or null if
- * the given credentials are not authorized.
+ * Returns the environment exposed by this AuthenticationProvider. The
+ * environment provides unrestricted access to all available users and
+ * configurations, though operations which permanently affect users and
+ * configurations are only possible through a UserContext.
+ *
+ * @return An Environment containing all Users and GuacamoleConfigurations
+ * currently available through this AuthenticationProvider.
+ *
+ * @throws GuacamoleException If an error occurs while retrieving the
+ * environment.
+ */
+ Environment getEnvironment() throws GuacamoleException;
+
+ /**
+ * Returns the UserContext of the user authorized by the given credentials.
 *
 * @param credentials The credentials to use to retrieve the environment.
- * @return An Environment containing all Users and GuacamoleConfigurations
- * the credentials provide access to.
+ * @return The UserContext of the user authorized by the given credentials,
+ * or null if the credentials are not authorized.
+ *
 * @throws GuacamoleException If an error occurs while creating the
- * Environment.
+ * UserContext.
 */
- Environment getAuthorizedEnvironment(Credentials credentials)
+ UserContext getUserContext(Credentials credentials)
 throws GuacamoleException;
 
 }
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Environment.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Environment.java
index fc589bc45..7c251d5fe 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Environment.java
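Review bot: `Environment getEnvironment()` takes no Credentials and, per its own Javadoc, returns every User and GuacamoleConfiguration, so nothing in the contract stops a request-handling caller from using it to list accounts or connection settings the requesting user may not see; the Javadoc should name the intended caller. Suggest adding to the method description: `This method is intended for trusted, internal use only; it must never be invoked on behalf of a user request, for which getUserContext() is the sole entry point.` For `getUserContext`, rejected credentials (null) and backend failure (GuacamoleException) are the only two outcomes, so the Javadoc should state that null is the single signal for unauthorized credentials and that implementations should not disclose in the exception message why authentication failed.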
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Environment.java
@@ -57,24 +57,8 @@ import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
 public interface Environment {
 
 /**
- * Returns the User represented by the Credentials that own this
- * Environment.
- *
- * @return The User represented by the Credentials that own this
- * Environment.
- */
- User self();
-
-
- /*
- * CONFIGURATION FUNCTIONS
- */
-
-
- /**
- * Returns a Map containing all GuacamoleConfigurations visible within this
- * Environment. The keys of this Map are Strings which uniquely identify
- * each configuration.
+ * Returns a Map containing absolutely all GuacamoleConfigurations. The
+ * keys of this Map are Strings which uniquely identify each configuration.
 *
 * @return A Map of all configurations visible.
 * @throws GuacamoleException If an error occurs while retrieving
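Review bot: The `@return` tag still says `A Map of all configurations visible.` while the description two lines above now promises "absolutely all GuacamoleConfigurations", so the hunk documents two different contracts for getConfigurations(); change it to `@return A Map of absolutely all configurations.` to match the edit the second hunk of this file makes to getUsers(). With `self()` removed, the Environment carries no notion of who is asking, so it would also help to say in this Javadoc that no per-user filtering is applied here and that visibility decisions belong to UserContext.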
@@ -84,83 +68,12 @@ public interface Environment {
 throws GuacamoleException;
 
 /**
- * Adds the given GuacamoleConfiguration to the overall set of available
- * GuacamoleConfigurations, using the given unique identifier.
- *
- * @param identifier The identifier to assign to the configuration.
- * @param config The configuration to add.
- * @throws GuacamoleException If an error occurs while adding the
- * configuration, or if adding the configuration
- * is not allowed.
- */
- void addConfiguration(String identifier, GuacamoleConfiguration config)
- throws GuacamoleException;
-
- /**
- * Updates the GuacamoleConfiguration having the given unique identifier
- * with the data contained in the given GuacamoleConfiguration.
- *
- * @param identifier The identifier to use when locating the configuration
- * to update.
- * @param config The configuration to use when updating the stored
- * configuration.
- * @throws GuacamoleException If an error occurs while updating the
- * configuration, or if updating the
- * configuration is not allowed.
- */
- void updateConfiguration(String identifier, GuacamoleConfiguration config)
- throws GuacamoleException;
-
- /**
- * Removes the GuacamoleConfiguration having the given unique identifier.
- *
- * @param identifier The identifier of the configuration to remove.
- * @throws GuacamoleException If an error occurs while removing the
- * configuration, or if removing the
- * configuration is not allowed.
- */
- void removeConfiguration(String identifier) throws GuacamoleException;
-
-
- /*
- * USER FUNCTIONS
- */
-
-
- /**
- * Returns a Set containing all Users visible within this Environment.
+ * Returns a Set containing absolutely all Users.
 *
- * @return A Set of all users visible.
+ * @return A Set of all users.
 * @throws GuacamoleException If an error occurs while retrieving
 * users.
 */
 Set getUsers() throws GuacamoleException;
 
- /**
- * Adds the given User to the overall set of available Users.
- *
- * @param user The user to add.
- * @throws GuacamoleException If an error occurs while adding the user, or
- * if adding the user is not allowed.
- */
- void addUser(User user) throws GuacamoleException;
-
- /**
- * Updates the User with the data contained in the given User. The user to
- * update is identified using the username of the User given.
- *
- * @param user The user to use when updating the stored user.
- * @throws GuacamoleException If an error occurs while updating the user,
- * or if updating the user is not allowed.
- */
- void updateUser(User user) throws GuacamoleException;
-
- /**
- * Removes the given User from the overall set of available Users.
- *
- * @throws GuacamoleException If an error occurs while removing the user,
- * or if removing user is not allowed.
- */
- void removeUser(User user) throws GuacamoleException;
-
 }
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Restrictable.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Restrictable.java
deleted file mode 100644
index 6d89418bf..000000000
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Restrictable.java
+++ /dev/null
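Review bot: `Set getUsers()` (and getConfigurations() in the previous hunk) now returns the complete, unrestricted collection, but the Javadoc does not say whether the returned Set is a live view of the backing store; if it is, `getUsers().remove(user)` would permanently alter users without going through UserContext, contradicting the statement in AuthenticationProvider.getEnvironment() that such operations are only possible through a UserContext. Add to both methods: `The returned collection is an unmodifiable snapshot; implementations must not expose their backing store.` The hunk ends at the interface's closing brace, so the interface-level Javadoc that could carry the same statement lies outside it.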
@@ -1,116 +0,0 @@
-
-package net.sourceforge.guacamole.net.auth;
-
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is guacamole-auth.
- *
- * The Initial Developer of the Original Code is
- * Michael Jumper.
- * Portions created by the Initial Developer are Copyright (C) 2010
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-import net.sourceforge.guacamole.GuacamoleException;
-
-
-/**
- * Interface which allows restricted objects to expose their restrictions.
- *
- * @author Michael Jumper
- */
-public interface Restrictable {
-
- /**
- * All possible permissions for a restricted object.
- */
- public enum Permission {
-
- /**
- * Access to read properties of the restricted object.
- */
- READ,
-
- /**
- * Access to write properties of the restricted object.
- */
- WRITE,
-
- /**
- * Access to change permissions of the restricted object.
- */
- ADMINISTER
-
- }
-
- /**
- * Checks whether the given user has the given permission on this object.
- * Depending on the credentials given, access to reading permissions may
- * be denied.
- *
- * @param credentials The credentials to use when reading permissions.
- * @param user The user to read the permissions for.
- * @param permission The permission to check.
- * @return true if the user has the given permission, false otherwise.
- * @throws GuacamoleException If an error occurs while reading the
- * permissions, such as permission being denied.
- */
- public boolean hasPermission(Credentials credentials,
- User user, Permission permission) throws GuacamoleException;
-
-
- /**
- * Adds the given permission to the given user for this object. Depending
- * on the credentials given, access to administering permissions may be
- * denied.
- *
- * @param credentials The credentials to use when adding permissions.
- * @param user The user to add the permission for.
- * @param permission The permission to add.
- * @throws GuacamoleException If an error occurs while adding the
- * permission, such as permission being denied.
- */
- public void addPermission(Credentials credentials,
- User user, Permission permission) throws GuacamoleException;
-
- /**
- * Removes the given permission from the given user for this object.
- * Depending on the credentials given, access to administering permissions
- * may be denied.
- *
- * @param credentials The credentials to use when removing permissions.
- * @param user The user to remove the permission from.
- * @param permission The permission to add.
- * @throws GuacamoleException If an error occurs while removing the
- * permission, such as permission being denied.
- */
- public void removePermission(Credentials credentials,
- User user, Permission permission) throws GuacamoleException;
-
-}
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/RestrictedObject.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/RestrictedObject.java
deleted file mode 100644
index b556fcb1d..000000000
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/RestrictedObject.java
+++ /dev/null
@@ -1,112 +0,0 @@
-
-package net.sourceforge.guacamole.net.auth;
-
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is guacamole-auth.
- *
- * The Initial Developer of the Original Code is
- * Michael Jumper.
- * Portions created by the Initial Developer are Copyright (C) 2010
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-import java.util.EnumSet;
-import java.util.HashMap;
-import java.util.Map;
-import net.sourceforge.guacamole.GuacamoleException;
-
-
-/**
- * A basic object providing permissions access and storage.
- *
- * @author Michael Jumper
- */
-public abstract class RestrictedObject implements Restrictable {
-
- /**
- * Map of all user permissions.
- */
- private Map> permissions =
- new HashMap>();
-
-
- @Override
- public boolean hasPermission(Credentials credentials,
- User user, Permission permission) throws GuacamoleException {
-
- // Get permissions set, if any
- EnumSet userPermissions =
- permissions.get(user);
-
- // If permission set exists for this user, just test whether permission
- // set contains the requested permission.
- if (userPermissions != null)
- return userPermissions.contains(permission);
-
- // Default to no permission
- return false;
-
- }
-
- @Override
- public void addPermission(Credentials credentials,
- User user, Permission permission) throws GuacamoleException {
-
- // Get permissions set, if any
- EnumSet userPermissions =
- permissions.get(user);
-
- // If set does not exist, create it
- if (userPermissions == null) {
- userPermissions = EnumSet.of(permission);
- permissions.put(user, userPermissions);
- }
-
- // Otherwise, just add permission
- else
- userPermissions.add(permission);
-
- }
-
- @Override
- public void removePermission(Credentials credentials,
- User user, Permission permission) throws GuacamoleException {
-
- // Get permissions set, if any
- EnumSet userPermissions =
- permissions.get(user);
-
- // Remove permission
- if (userPermissions != null)
- userPermissions.remove(permission);
-
- }
-
-}
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/User.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/User.java
index 0076f9e6f..c01a7f5ca 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/User.java
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/User.java
@@ -45,7 +45,7 @@ import net.sourceforge.guacamole.GuacamoleException;
 *
 * @author Michael Jumper
 */
-public interface User extends Restrictable {
+public interface User {
 
 /**
 * Returns the name of this user, which must be unique across all users.
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/UserContext.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/UserContext.java
new file mode 100644
index 000000000..ee28243e6
--- /dev/null
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/UserContext.java
@@ -0,0 +1,170 @@
+
+package net.sourceforge.guacamole.net.auth;
+
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is guacamole-auth.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael Jumper.
+ * Portions created by the Initial Developer are Copyright (C) 2010
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+import java.util.Map;
+import java.util.Set;
+import net.sourceforge.guacamole.GuacamoleException;
+import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
+
+/**
+ * The context of an active user. The functions of this class enforce all
+ * permissions and act only within the rights of the associated user.
+ *
+ * @author Michael Jumper
+ */
+public interface UserContext {
+
+ /**
+ * All possible permissions for user within a UserContext.
+ *
+ * Absolutely ALL possible operations that can possibly fail due to
+ * security issues within a UserContext must have a means of querying
+ * beforehand whether the operation will fail, and thus must have an
+ * associated permission value.
+ */
+ public enum Permission {
+
+ /* STUB */
+
+ }
+
+ /**
+ * Returns the User whose access rights control the operations of this
+ * UserContext.
+ *
+ * @return The User whose access rights control the operations of this
+ * UserContext.
+ */
+ User self();
+
+ /*
+ * USER FUNCTIONS
+ */
+
+ /**
+ * Returns a Set containing all Users visible within this UserContext.
+ *
+ * @return A Set of all users visible.
+ * @throws GuacamoleException If an error occurs while retrieving
+ * users.
+ */
+ Set getUsers() throws GuacamoleException;
+
+ /**
+ * Adds the given User to the overall set of available Users.
+ *
+ * @param user The user to add.
+ * @throws GuacamoleException If an error occurs while adding the user, or
+ * if adding the user is not allowed.
+ */
+ void addUser(User user) throws GuacamoleException;
+
+ /**
+ * Updates the User with the data contained in the given User. The user to
+ * update is identified using the username of the User given.
+ *
+ * @param user The user to use when updating the stored user.
+ * @throws GuacamoleException If an error occurs while updating the user,
+ * or if updating the user is not allowed.
+ */
+ void updateUser(User user) throws GuacamoleException;
+
+ /**
+ * Removes the given User from the overall set of available Users.
+ *
+ * @throws GuacamoleException If an error occurs while removing the user,
+ * or if removing user is not allowed.
+ */
+ void removeUser(User user) throws GuacamoleException;
+
+ /*
+ * CONFIGURATION FUNCTIONS
+ */
+
+ /**
+ * Returns a Map containing all GuacamoleConfigurations visible within this
+ * UserContext. The keys of this Map are Strings which uniquely identify
+ * each configuration.
+ *
+ * @return A Map of all configurations visible.
+ * @throws GuacamoleException If an error occurs while retrieving
+ * configurations.
+ */
+ Map getConfigurations()
+ throws GuacamoleException;
+
+ /**
+ * Adds the given GuacamoleConfiguration to the overall set of available
+ * GuacamoleConfigurations, using the given unique identifier.
+ *
+ * @param identifier The identifier to assign to the configuration.
+ * @param config The configuration to add.
+ * @throws GuacamoleException If an error occurs while adding the
+ * configuration, or if adding the configuration
+ * is not allowed.
+ */
+ void addConfiguration(String identifier, GuacamoleConfiguration config)
+ throws GuacamoleException;
+
+ /**
+ * Updates the GuacamoleConfiguration having the given unique identifier
+ * with the data contained in the given GuacamoleConfiguration.
+ *
+ * @param identifier The identifier to use when locating the configuration
+ * to update.
+ * @param config The configuration to use when updating the stored
+ * configuration.
+ * @throws GuacamoleException If an error occurs while updating the
+ * configuration, or if updating the
+ * configuration is not allowed.
+ */
+ void updateConfiguration(String identifier, GuacamoleConfiguration config)
+ throws GuacamoleException;
+
+ /**
+ * Removes the GuacamoleConfiguration having the given unique identifier.
+ *
+ * @param identifier The identifier of the configuration to remove.
+ * @throws GuacamoleException If an error occurs while removing the
+ * configuration, or if removing the
+ * configuration is not allowed.
+ */
+ void removeConfiguration(String identifier) throws GuacamoleException;
+
+}
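Review bot: `Permission` is committed as an empty enum (`/* STUB */`) and no method on the interface accepts a Permission, so the contract in its Javadoc — every operation that can fail for security reasons must be queryable beforehand — cannot be satisfied by any implementation of this file as written. The interface at least needs a query such as `boolean hasPermission(Permission permission) throws GuacamoleException;`, and the enum needs the values the six mutating methods rely on; if that is deliberately deferred, the Javadoc should say so rather than read as a settled contract. As it stands the only authorization signal is a generic GuacamoleException from addUser through removeConfiguration, which a caller cannot tell apart from an I/O failure, so a dedicated "not permitted" subclass of GuacamoleException (or a documented convention) would let callers distinguish denial from error. Minor: `removeUser` lacks its `@param user` tag, and `public` on a nested enum of an interface is redundant.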