From 3cdcb1004fe727fcda6159d85fa01680463b4b51 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Thu, 8 Oct 2015 16:33:33 -0700
Subject: [PATCH] GUAC-1193: Move history record query and permission checks into ConnectionService.
---
 .../jdbc/connection/ConnectionRecordSet.java | 22 +----
 .../jdbc/connection/ConnectionService.java | 95 ++++++++++++++++++-
 2 files changed, 94 insertions(+), 23 deletions(-)
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionRecordSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionRecordSet.java
index 0de048d3c..f9d00a104 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionRecordSet.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionRecordSet.java
@@ -43,10 +43,10 @@ public class ConnectionRecordSet extends RestrictedObject
 implements org.glyptodon.guacamole.net.auth.ConnectionRecordSet {
 /**
- * Mapper for accessing connection history.
+ * Service for managing connection objects.
 */
 @Inject
- private ConnectionRecordMapper connectionRecordMapper;
+ private ConnectionService connectionService;
 /**
 * The set of strings that each must occur somewhere within the returned
@@ -75,22 +75,8 @@ public class ConnectionRecordSet extends RestrictedObject @Override public Collection asCollection() throws GuacamoleException { - - // Perform the search against the database - List searchResults = - connectionRecordMapper.search(requiredContents, - connectionRecordSortPredicates, limit); - - List modeledSearchResults = - new ArrayList(); - - // Convert raw DB records into ConnectionRecords - for(ConnectionRecordModel model : searchResults) { - modeledSearchResults.add(new ModeledConnectionRecord(model)); - } - - return modeledSearchResults; - + return connectionService.retrieveHistory(getCurrentUser(), + requiredContents, connectionRecordSortPredicates, limit); } @Override diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java index c15e5e067..5d8d82a42 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java @@ -343,6 +343,43 @@ public class ConnectionService extends ModeledGroupedDirectoryObjectService getObjectInstances(List models) { + + // Create new list of records by manually converting each model + List objects = new ArrayList(models.size()); + for (ConnectionRecordModel model : models) + objects.add(getObjectInstance(model)); + + return objects; + + } + /** * Retrieves the connection history of the given connection, including any * active connections. 
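Review bot: In asCollection(), the user handed to `connectionService.retrieveHistory(...)` is whatever `getCurrentUser()` returns at call time, and the retrieveHistory() body added by this same commit dereferences it (`user.getUser()`) without a null check. RestrictedObject is not visible here, so this is hedged: if a ConnectionRecordSet can be used before its user has been set, the authorization input is missing and the call fails with a NullPointerException instead of a clear denial. A one-line comment above the return would record the precondition, e.g. `// The current user must be set before this is called; results are filtered by that user's permissions`, or the service could reject a null user explicitly. The class body continues outside the hunk.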
@@ -364,7 +401,7 @@ public class ConnectionService extends ModeledGroupedDirectoryObjectServicelimit connection history records matching + * the given terms and sorted by the given predicates. Only history records + * associated with data that the given user can read are returned. + * + * @param user + * The user retrieving the connection history. + * + * @param requiredContents + * The search terms that must be contained somewhere within each of the + * returned records. + * + * @param sortPredicates + * A list of predicates to sort the returned records by, in order of + * priority. + * + * @param limit + * The maximum number of records that should be returned. + * + * @return + * The connection history of the given connection, including any + * active connections. + * + * @throws GuacamoleException + * If permission to read the connection history is denied. + */ + public List retrieveHistory(AuthenticatedUser user, + Collection requiredContents, + List sortPredicates, int limit) + throws GuacamoleException { + + List searchResults; + + // Bypass permission checks if the user is a system admin + if (user.getUser().isAdministrator()) + searchResults = connectionRecordMapper.search(requiredContents, + sortPredicates, limit); + + // Otherwise only return explicitly readable history records + else + searchResults = connectionRecordMapper.searchReadable(user.getUser().getModel(), + requiredContents, sortPredicates, limit); + + return getObjectInstances(searchResults); + + } + /** * Connects to the given connection as the given user, using the given * client information. If the user does not have permission to read the
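Review bot: The Javadoc added for retrieveHistory() does not match the body beneath it: `@throws GuacamoleException If permission to read the connection history is denied` describes a denial the visible code never raises, because a non-administrator is routed to `connectionRecordMapper.searchReadable(...)` and simply receives fewer (possibly zero) records. The `@return` text also still says "of the given connection", although this method takes no connection. Since this method is now where the authorization decision for history lives, the doc should state the real contract, e.g. `@return The matching history records the user may read; empty if none are readable` and `@throws GuacamoleException If an error occurs while querying the history`. It should also say what makes a record readable; searchReadable is outside this hunk, so whether both the connection and the recorded user must be readable cannot be confirmed here. `limit` is passed to the mapper unchecked as well; if it can originate from a request, rejecting non-positive values at this point would be a sensible guard.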