From 419166b3a1dfa9b24f8b7292f91468e7dcb7a546 Mon Sep 17 00:00:00 2001
From: James Muehlner <james.muehlner@guac-dev.org>
Date: Wed, 7 Aug 2013 21:55:25 -0700
Subject: [PATCH] Ticket #263: Finalizing changes.

---
 .../net/auth/mysql/ConnectionDirectory.java   |  90 +++++++--
 .../auth/mysql/ConnectionGroupDirectory.java  | 177 ++++++++++++++++--
 .../net/auth/mysql/MySQLConnectionGroup.java  |   9 +-
 .../net/auth/mysql/MySQLConstants.java        |  11 ++
 .../net/auth/mysql/MySQLUserContext.java      |  13 +-
 .../net/auth/mysql/UserDirectory.java         |   6 +
 .../mysql/service/ConnectionGroupService.java |  75 +++++++-
 .../auth/mysql/service/ConnectionService.java |  33 +++-
 .../mysql/service/PermissionCheckService.java |  57 +++---
 .../guacamole/net/auth/Directory.java         |  13 ++
 .../simple/SimpleConnectionDirectory.java     |   6 +
 .../SimpleConnectionGroupDirectory.java       |   6 +
 .../net/auth/simple/SimpleUserDirectory.java  |   6 +
 13 files changed, 422 insertions(+), 80 deletions(-)

diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionDirectory.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionDirectory.java
index d66f72fc8..23bb0c34b 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionDirectory.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionDirectory.java
@@ -48,6 +48,7 @@ import net.sourceforge.guacamole.net.auth.mysql.dao.ConnectionPermissionMapper;
 import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionParameter;
 import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionParameterExample;
 import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionPermissionKey;
+import net.sourceforge.guacamole.net.auth.mysql.service.ConnectionGroupService;
 import net.sourceforge.guacamole.net.auth.mysql.service.ConnectionService;
 import net.sourceforge.guacamole.net.auth.mysql.service.PermissionCheckService;
 import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
@@ -83,6 +84,12 @@ public class ConnectionDirectory implements Directory<String, Connection>{
     @Inject
     private ConnectionService connectionService;
 
+    /**
+     * Service managing connection groups.
+     */
+    @Inject
+    private ConnectionGroupService connectionGroupService;
+
     /**
      * Service for manipulating connection permissions in the database.
      */
@@ -108,11 +115,18 @@ public class ConnectionDirectory implements Directory<String, Connection>{
 
     @Transactional
     @Override
-    public Connection get(String name) throws GuacamoleException {
+    public Connection get(String identifier) throws GuacamoleException {
 
         // Get connection
         MySQLConnection connection =
-                connectionService.retrieveConnection(name, parentID, user_id);
+                connectionService.retrieveConnection(identifier, user_id);
+        
+        if(connection == null)
+            return null;
+        
+        // Verify permission to use the parent connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (connection.getParentID(), user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
 
         // Verify access is granted
         permissionCheckService.verifyConnectionAccess(
@@ -133,7 +147,7 @@ public class ConnectionDirectory implements Directory<String, Connection>{
         permissionCheckService.verifyConnectionGroupUsageAccess
                 (parentID, user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
         
-        return permissionCheckService.retrieveConnectionNames(user_id, 
+        return permissionCheckService.retrieveConnectionIdentifiers(user_id, 
                 parentID, MySQLConstants.CONNECTION_READ);
     }
 
@@ -141,9 +155,9 @@ public class ConnectionDirectory implements Directory<String, Connection>{
     @Override
     public void add(Connection object) throws GuacamoleException {
 
-        String identifier = object.getIdentifier().trim();
-        if(identifier.isEmpty())
-            throw new GuacamoleClientException("The connection identifier cannot be blank.");
+        String name = object.getName().trim();
+        if(name.isEmpty())
+            throw new GuacamoleClientException("The connection name cannot be blank.");
         
         // Verify permission to create
         permissionCheckService.verifySystemAccess(this.user_id,
@@ -157,16 +171,15 @@ public class ConnectionDirectory implements Directory<String, Connection>{
         permissionCheckService.verifyConnectionGroupUsageAccess
                 (parentID, user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
 
-        // Verify that no connection already exists with this identifier.
+        // Verify that no connection already exists with this name.
         MySQLConnection previousConnection =
-                connectionService.retrieveConnection(identifier, user_id, parentID);
+                connectionService.retrieveConnection(name, user_id, parentID);
         if(previousConnection != null)
-            throw new GuacamoleClientException("That connection identifier is already in use.");
+            throw new GuacamoleClientException("That connection name is already in use.");
 
         // Create connection
         MySQLConnection connection = connectionService.createConnection(
-                identifier, object.getConfiguration().getProtocol(),
-                user_id);
+                name, object.getConfiguration().getProtocol(), user_id);
 
         // Add connection parameters
         createConfigurationValues(connection.getConnectionID(),
@@ -258,7 +271,14 @@ public class ConnectionDirectory implements Directory<String, Connection>{
 
         // Get connection
         MySQLConnection mySQLConnection =
-                connectionService.retrieveConnection(identifier, parentID, user_id);
+                connectionService.retrieveConnection(identifier, user_id);
+        
+        if(mySQLConnection == null)
+            throw new GuacamoleException("Connection not found.");
+        
+        // Verify permission to use the parent connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (mySQLConnection.getParentID(), user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
 
         // Verify permission to delete
         permissionCheckService.verifyConnectionAccess(this.user_id,
@@ -270,4 +290,50 @@ public class ConnectionDirectory implements Directory<String, Connection>{
 
     }
 
+    @Override
+    public void move(String identifier, String groupIdentifier) 
+            throws GuacamoleException {
+
+        // Get connection
+        MySQLConnection mySQLConnection =
+                connectionService.retrieveConnection(identifier, user_id);
+        
+        if(mySQLConnection == null)
+            throw new GuacamoleException("Connection not found.");
+
+        // Verify permission to update the connection
+        permissionCheckService.verifyConnectionAccess(this.user_id,
+                mySQLConnection.getConnectionID(),
+                MySQLConstants.CONNECTION_UPDATE);
+        
+        // Verify permission to use the from connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (mySQLConnection.getParentID(), user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
+
+        // Verify permission to update the from connection group
+        permissionCheckService.verifyConnectionGroupAccess(this.user_id,
+                mySQLConnection.getParentID(), MySQLConstants.CONNECTION_GROUP_UPDATE);
+        
+        Integer toConnectionGroupID;
+        if(groupIdentifier.equals(MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER))
+            toConnectionGroupID = null;
+        try {
+            toConnectionGroupID = Integer.valueOf(groupIdentifier);
+        } catch(NumberFormatException e) {
+            throw new GuacamoleException("Invalid connection group identifier.");
+        }
+        
+        // Verify permission to use the to connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (toConnectionGroupID, user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
+
+        // Verify permission to update the to connection group
+        permissionCheckService.verifyConnectionGroupAccess(this.user_id,
+                toConnectionGroupID, MySQLConstants.CONNECTION_GROUP_UPDATE);
+        
+        // Update the connection
+        mySQLConnection.setParentID(toConnectionGroupID);
+        connectionService.updateConnection(mySQLConnection);
+    }
+
 }
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionGroupDirectory.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionGroupDirectory.java
index a9cd27a46..95a24c95e 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionGroupDirectory.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionGroupDirectory.java
@@ -41,17 +41,12 @@ import com.google.inject.Inject;
 import java.util.Set;
 import net.sourceforge.guacamole.GuacamoleClientException;
 import net.sourceforge.guacamole.GuacamoleException;
-import net.sourceforge.guacamole.net.auth.Connection;
 import net.sourceforge.guacamole.net.auth.ConnectionGroup;
 import net.sourceforge.guacamole.net.auth.Directory;
-import net.sourceforge.guacamole.net.auth.mysql.dao.ConnectionParameterMapper;
-import net.sourceforge.guacamole.net.auth.mysql.dao.ConnectionPermissionMapper;
-import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionParameter;
-import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionParameterExample;
-import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionPermissionKey;
+import net.sourceforge.guacamole.net.auth.mysql.dao.ConnectionGroupPermissionMapper;
+import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionGroupPermissionKey;
 import net.sourceforge.guacamole.net.auth.mysql.service.ConnectionGroupService;
 import net.sourceforge.guacamole.net.auth.mysql.service.PermissionCheckService;
-import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
 import org.mybatis.guice.transactional.Transactional;
 
 /**
@@ -85,24 +80,36 @@ public class ConnectionGroupDirectory implements Directory<String, ConnectionGro
     private ConnectionGroupService connectionGroupService;
 
     /**
-     * Service for manipulating connection permissions in the database.
+     * Service for manipulating connection group permissions in the database.
      */
     @Inject
-    private ConnectionPermissionMapper connectionPermissionDAO;
+    private ConnectionGroupPermissionMapper connectionGroupPermissionDAO;
 
     /**
-     * Service for manipulating connection parameters in the database.
+     * Set the user and parentID for this directory.
+     *
+     * @param user_id The ID of the user owning this connection group directory.
+     * @param parentID The ID of the parent connection group.
      */
-    @Inject
-    private ConnectionParameterMapper connectionParameterDAO;
+    public void init(int user_id, Integer parentID) {
+        this.parentID = parentID;
+        this.user_id = user_id;
+    }
 
     @Transactional
     @Override
-    public ConnectionGroup get(String name) throws GuacamoleException {
+    public ConnectionGroup get(String identifier) throws GuacamoleException {
 
         // Get connection
         MySQLConnectionGroup connectionGroup =
-                connectionGroupService.retrieveConnectionGroup(name, parentID, user_id);
+                connectionGroupService.retrieveConnectionGroup(identifier, user_id);
+        
+        if(connectionGroup == null)
+            return null;
+        
+        // Verify permission to use the parent connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (connectionGroup.getParentID(), user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
 
         // Verify access is granted
         permissionCheckService.verifyConnectionGroupAccess(
@@ -123,24 +130,156 @@ public class ConnectionGroupDirectory implements Directory<String, ConnectionGro
         permissionCheckService.verifyConnectionGroupUsageAccess
                 (parentID, user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
         
-        return permissionCheckService.retrieveConnectionGroupNames(user_id, 
+        return permissionCheckService.retrieveConnectionGroupIdentifiers(user_id, 
                 parentID, MySQLConstants.CONNECTION_GROUP_READ);
     }
 
+    @Transactional
     @Override
     public void add(ConnectionGroup object) throws GuacamoleException {
-        throw new UnsupportedOperationException("Not supported yet.");
+
+        String name = object.getName().trim();
+        if(name.isEmpty())
+            throw new GuacamoleClientException("The connection group name cannot be blank.");
+        
+        // Verify permission to create
+        permissionCheckService.verifySystemAccess(this.user_id,
+                MySQLConstants.SYSTEM_CONNECTION_GROUP_CREATE);
+        
+        // Verify permission to edit the parent connection group
+        permissionCheckService.verifyConnectionGroupAccess(this.user_id, 
+                this.parentID, MySQLConstants.CONNECTION_GROUP_UPDATE);
+        
+        // Verify permission to use the parent connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (parentID, user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
+
+        // Verify that no connection already exists with this name.
+        MySQLConnectionGroup previousConnectionGroup =
+                connectionGroupService.retrieveConnectionGroup(name, user_id, parentID);
+        if(previousConnectionGroup != null)
+            throw new GuacamoleClientException("That connection group name is already in use.");
+
+        // Create connection group
+        MySQLConnectionGroup connectionGroup = connectionGroupService
+                .createConnectionGroup(name, user_id);
+
+        // Finally, give the current user full access to the newly created
+        // connection group.
+        ConnectionGroupPermissionKey newConnectionGroupPermission = new ConnectionGroupPermissionKey();
+        newConnectionGroupPermission.setUser_id(this.user_id);
+        newConnectionGroupPermission.setConnection_group_id(connectionGroup.getConnectionGroupID());
+
+        // Read permission
+        newConnectionGroupPermission.setPermission(MySQLConstants.CONNECTION_GROUP_READ);
+        connectionGroupPermissionDAO.insert(newConnectionGroupPermission);
+
+        // Update permission
+        newConnectionGroupPermission.setPermission(MySQLConstants.CONNECTION_GROUP_UPDATE);
+        connectionGroupPermissionDAO.insert(newConnectionGroupPermission);
+
+        // Delete permission
+        newConnectionGroupPermission.setPermission(MySQLConstants.CONNECTION_GROUP_DELETE);
+        connectionGroupPermissionDAO.insert(newConnectionGroupPermission);
+
+        // Administer permission
+        newConnectionGroupPermission.setPermission(MySQLConstants.CONNECTION_GROUP_ADMINISTER);
+        connectionGroupPermissionDAO.insert(newConnectionGroupPermission);
+
     }
 
+    @Transactional
     @Override
     public void update(ConnectionGroup object) throws GuacamoleException {
-        throw new UnsupportedOperationException("Not supported yet.");
+
+        // If connection not actually from this auth provider, we can't handle
+        // the update
+        if (!(object instanceof MySQLConnectionGroup))
+            throw new GuacamoleException("Connection not from database.");
+
+        MySQLConnectionGroup mySQLConnectionGroup = (MySQLConnectionGroup) object;
+
+        // Verify permission to update
+        permissionCheckService.verifyConnectionAccess(this.user_id,
+                mySQLConnectionGroup.getConnectionGroupID(),
+                MySQLConstants.CONNECTION_UPDATE);
+
+        // Perform update
+        connectionGroupService.updateConnectionGroup(mySQLConnectionGroup);
+    }
+
+    @Transactional
+    @Override
+    public void remove(String identifier) throws GuacamoleException {
+
+        // Get connection
+        MySQLConnectionGroup mySQLConnectionGroup =
+                connectionGroupService.retrieveConnectionGroup(identifier, user_id);
+        
+        if(mySQLConnectionGroup == null)
+            throw new GuacamoleException("Connection group not found.");
+        
+        // Verify permission to use the parent connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (mySQLConnectionGroup.getParentID(), user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
+
+        // Verify permission to delete
+        permissionCheckService.verifyConnectionGroupAccess(this.user_id,
+                mySQLConnectionGroup.getConnectionGroupID(),
+                MySQLConstants.CONNECTION_GROUP_DELETE);
+
+        // Delete the connection group itself
+        connectionGroupService.deleteConnectionGroup
+                (mySQLConnectionGroup.getConnectionGroupID());
+
     }
 
     @Override
-    public void remove(String identifier) throws GuacamoleException {
-        throw new UnsupportedOperationException("Not supported yet.");
+    public void move(String identifier, String groupIdentifier) 
+            throws GuacamoleException {
+
+        // Get connection
+        MySQLConnectionGroup mySQLConnectionGroup =
+                connectionGroupService.retrieveConnectionGroup(identifier, user_id);
+        
+        if(mySQLConnectionGroup == null)
+            throw new GuacamoleException("Connection not found.");
+
+        // Verify permission to update the connection
+        permissionCheckService.verifyConnectionAccess(this.user_id,
+                mySQLConnectionGroup.getConnectionGroupID(),
+                MySQLConstants.CONNECTION_GROUP_UPDATE);
+        
+        // Verify permission to use the from connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (mySQLConnectionGroup.getParentID(), user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
+
+        // Verify permission to update the from connection group
+        permissionCheckService.verifyConnectionGroupAccess(this.user_id,
+                mySQLConnectionGroup.getParentID(), MySQLConstants.CONNECTION_GROUP_UPDATE);
+        
+        Integer toConnectionGroupID;
+        if(groupIdentifier.equals(MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER))
+            toConnectionGroupID = null;
+        try {
+            toConnectionGroupID = Integer.valueOf(groupIdentifier);
+        } catch(NumberFormatException e) {
+            throw new GuacamoleException("Invalid connection group identifier.");
+        }
+        
+        // Verify permission to use the to connection group for organizational purposes
+        permissionCheckService.verifyConnectionGroupUsageAccess
+                (toConnectionGroupID, user_id, MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL);
+
+        // Verify permission to update the to connection group
+        permissionCheckService.verifyConnectionGroupAccess(this.user_id,
+                toConnectionGroupID, MySQLConstants.CONNECTION_GROUP_UPDATE);
+        
+        // Update the connection
+        mySQLConnectionGroup.setParentID(toConnectionGroupID);
+        connectionGroupService.updateConnectionGroup(mySQLConnectionGroup);
     }
 
 
+
 }
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConnectionGroup.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConnectionGroup.java
index d7952e3cb..a42848437 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConnectionGroup.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConnectionGroup.java
@@ -46,7 +46,6 @@ import net.sourceforge.guacamole.net.auth.Connection;
 import net.sourceforge.guacamole.net.auth.ConnectionGroup;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.mysql.service.ConnectionGroupService;
-import net.sourceforge.guacamole.net.auth.mysql.service.ConnectionService;
 import net.sourceforge.guacamole.net.auth.mysql.service.PermissionCheckService;
 import net.sourceforge.guacamole.protocol.GuacamoleClientInformation;
 
@@ -86,12 +85,6 @@ public class MySQLConnectionGroup extends AbstractConnectionGroup {
      */
     private ConnectionGroupDirectory connectionGroupDirectory = null;
 
-    /**
-     * Service managing connections.
-     */
-    @Inject
-    private ConnectionService connectionService;
-
     /**
      * Service managing connection groups.
      */
@@ -174,7 +167,7 @@ public class MySQLConnectionGroup extends AbstractConnectionGroup {
         connectionDirectory.init(userID, parentID);
         
         connectionGroupDirectory = connectionGroupDirectoryProvider.get();
-        //connectionGroupDirectory.init(userID, parentID);
+        connectionGroupDirectory.init(userID, parentID);
     }
 
     @Override
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConstants.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConstants.java
index e08a7a996..c9b7fd072 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConstants.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLConstants.java
@@ -132,6 +132,11 @@ public final class MySQLConstants {
      */
     public static final String CONNECTION_GROUP_ORGANIZATIONAL = 
             "ORGANIZATIONAL";
+    
+    /**
+     * The identifier used to mark the root connection group.
+     */
+    public static final String CONNECTION_GROUP_ROOT_IDENTIFIER = "ROOT";
 
     /**
      * The string stored in the database to represent permission to create
@@ -145,6 +150,12 @@ public final class MySQLConstants {
      */
     public static final String SYSTEM_CONNECTION_CREATE = "CREATE_CONNECTION";
 
+    /**
+     * The string stored in the database to represent permission to create
+     * connection groups.
+     */
+    public static final String SYSTEM_CONNECTION_GROUP_CREATE = "CREATE_CONNECTION_GROUP";
+
     /**
      * The string stored in the database to represent permission to administer
      * the system as a whole.
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
index b0fa2a63f..b86e14f8a 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
@@ -39,7 +39,6 @@ package net.sourceforge.guacamole.net.auth.mysql;
 
 import com.google.inject.Inject;
 import net.sourceforge.guacamole.GuacamoleException;
-import net.sourceforge.guacamole.net.auth.Connection;
 import net.sourceforge.guacamole.net.auth.ConnectionGroup;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.User;
@@ -65,6 +64,13 @@ public class MySQLUserContext implements UserContext {
     @Inject
     private UserDirectory userDirectory;
 
+    /**
+     * User directory restricted by the permissions of the user associated
+     * with this context.
+     */
+    @Inject
+    private MySQLConnectionGroup mySQLConnectionGroup;
+
     /**
      * Service for accessing users.
      */
@@ -79,6 +85,9 @@ public class MySQLUserContext implements UserContext {
     public void init(int user_id) {
         this.user_id = user_id;
         userDirectory.init(user_id);
+        mySQLConnectionGroup.init(null, null, MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER, 
+                MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER, 
+                MySQLConstants.CONNECTION_GROUP_ORGANIZATIONAL, user_id);
     }
 
     @Override
@@ -93,7 +102,7 @@ public class MySQLUserContext implements UserContext {
 
     @Override
     public ConnectionGroup getConnectionGroup() throws GuacamoleException {
-        throw new UnsupportedOperationException("Not supported yet.");
+        return mySQLConnectionGroup;
     }
 
 }
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
index 475a7f61c..0e492a43e 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
@@ -730,4 +730,10 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
 
     }
 
+    @Override
+    public void move(String identifier, String groupIdentifier) 
+            throws GuacamoleException {
+        throw new GuacamoleSecurityException("Permission denied.");
+    }
+
 }
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionGroupService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionGroupService.java
index 173283692..6201397ca 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionGroupService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionGroupService.java
@@ -49,10 +49,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import net.sourceforge.guacamole.net.GuacamoleSocket;
-import net.sourceforge.guacamole.net.auth.mysql.MySQLConnection;
 import net.sourceforge.guacamole.net.auth.mysql.MySQLConnectionGroup;
 import net.sourceforge.guacamole.net.auth.mysql.dao.ConnectionGroupMapper;
-import net.sourceforge.guacamole.net.auth.mysql.model.Connection;
 import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionGroup;
 import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionGroupExample;
 import net.sourceforge.guacamole.net.auth.mysql.model.ConnectionGroupExample.Criteria;
@@ -113,6 +111,29 @@ public class ConnectionGroupService {
         return toMySQLConnectionGroup(connectionGroups.get(0), userID);
 
     }
+
+    /**
+     * Retrieves the connection group having the given unique identifier 
+     * from the database.
+     *
+     * @param uniqueIdentifier The unique identifier of the connection group to retrieve.
+     * @param userID The ID of the user who queried this connection group.
+     * @return The connection group having the given unique identifier, 
+     *         or null if no such connection group was found.
+     */
+    public MySQLConnectionGroup retrieveConnectionGroup(String uniqueIdentifier, int userID) {
+
+        // The unique identifier for a MySQLConnectionGroup is the database ID
+        int connectionGroupID;
+        try {
+            connectionGroupID = Integer.parseInt(uniqueIdentifier);
+        } catch(NumberFormatException e) {
+            // Invalid number means it can't be a DB record; not found
+            return null;
+        }
+        
+        return retrieveConnectionGroup(connectionGroupID, userID);
+    }
     
     /**
      * Retrieves the connection group having the given ID from the database.
@@ -296,4 +317,54 @@ public class ConnectionGroupService {
         return connectionGroupIDs;
 
     }
+
+    /**
+     * Creates a new connection group having the given name and protocol.
+     *
+     * @param name The name to assign to the new connection group.
+     * @param userID The ID of the user who created this connection group.
+     * @return A new MySQLConnectionGroup containing the data of the newly created
+     *         connection group.
+     */
+    public MySQLConnectionGroup createConnectionGroup(String name, int userID) {
+
+        // Initialize database connection
+        ConnectionGroup connectionGroup = new ConnectionGroup();
+        connectionGroup.setConnection_group_name(name);
+
+        // Create connection
+        connectionGroupDAO.insert(connectionGroup);
+        return toMySQLConnectionGroup(connectionGroup, userID);
+
+    }
+
+    /**
+     * Updates the connection group in the database corresponding to the given
+     * MySQLConnectionGroup.
+     *
+     * @param mySQLConnectionGroup The MySQLConnectionGroup to update (save) 
+     *                             to the database. 
+     *                             This connection must already exist.
+     */
+    public void updateConnectionGroup(MySQLConnectionGroup mySQLConnectionGroup) {
+
+        // Populate connection
+        ConnectionGroup connectionGroup = new ConnectionGroup();
+        connectionGroup.setConnection_group_id(mySQLConnectionGroup.getConnectionGroupID());
+        connectionGroup.setParent_id(mySQLConnectionGroup.getParentID());
+        connectionGroup.setConnection_group_name(mySQLConnectionGroup.getName());
+        connectionGroup.setType(mySQLConnectionGroup.getType());
+
+        // Update the connection in the database
+        connectionGroupDAO.updateByPrimaryKeySelective(connectionGroup);
+
+    }
+
+    /**
+     * Deletes the connection group having the given ID from the database.
+     * @param id The ID of the connection group to delete.
+     */
+    public void deleteConnectionGroup(int id) {
+        connectionGroupDAO.deleteByPrimaryKey(id);
+    }
 }
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
index 70f59feb2..38cca7ff5 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
@@ -158,6 +158,29 @@ public class ConnectionService {
 
     }
 
+    /**
+     * Retrieves the connection having the given unique identifier 
+     * from the database.
+     *
+     * @param uniqueIdentifier The unique identifier of the connection to retrieve.
+     * @param userID The ID of the user who queried this connection.
+     * @return The connection having the given unique identifier, 
+     *         or null if no such connection was found.
+     */
+    public MySQLConnection retrieveConnection(String uniqueIdentifier, int userID) {
+
+        // The unique identifier for a MySQLConnection is the database ID
+        int connectionID;
+        try {
+            connectionID = Integer.parseInt(uniqueIdentifier);
+        } catch(NumberFormatException e) {
+            // Invalid number means it can't be a DB record; not found
+            return null;
+        }
+        
+        return retrieveConnection(connectionID, userID);
+    }
+
     /**
      * Retrieves the connection having the given ID from the database.
      *
@@ -450,7 +473,8 @@ public class ConnectionService {
         // Populate connection
         Connection connection = new Connection();
         connection.setConnection_id(mySQLConnection.getConnectionID());
-        connection.setConnection_name(mySQLConnection.getIdentifier());
+        connection.setParent_id(mySQLConnection.getParentID());
+        connection.setConnection_name(mySQLConnection.getName());
         connection.setProtocol(mySQLConnection.getConfiguration().getProtocol());
 
         // Update the connection in the database
@@ -491,8 +515,6 @@ public class ConnectionService {
     /**
      * Get the connection IDs of all the connections defined in the system 
      * with a certain parent connection group.
-     * 
-     * @param parentID The parent connection group ID.
      *
      * @return A list of connection IDs of all the connections defined in the system.
      */
@@ -503,11 +525,6 @@ public class ConnectionService {
 
         // Create the criteria
         ConnectionExample example = new ConnectionExample();
-        /*Criteria criteria = example.createCriteria();
-        if(parentID != null)
-            criteria.andParent_idEqualTo(parentID);
-        else
-            criteria.andParent_idIsNull();*/
         
         // Query the connections
         List<Connection> connections =
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionCheckService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionCheckService.java
index 16a46f6b5..8269dabd0 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionCheckService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionCheckService.java
@@ -245,6 +245,10 @@ public class PermissionCheckService {
      */
     public boolean checkConnectionGroupAccess(int userID, Integer affectedConnectionGroupID, String permissionType) {
 
+        // All users have implicit permission to use the root group
+        if(affectedConnectionGroupID == null)
+            return true;
+        
         // A system administrator has full access to everything.
         if(checkSystemAdministratorAccess(userID))
             return true;
@@ -340,19 +344,6 @@ public class PermissionCheckService {
         return connectionGroup.getType().equals(usage);
         
     }
-    
-    /**
-     * 
-     * @param userID
-     * @throws GuacamoleSecurityException 
-     */
-    private void verifySystemAdministratorAccess(int userID)
-            throws GuacamoleSecurityException {
-
-        // If permission does not exist, throw exception
-        if(!checkSystemAdministratorAccess(userID))
-            throw new GuacamoleSecurityException("Permission denied.");
-    }
 
 
     /**
@@ -572,16 +563,16 @@ public class PermissionCheckService {
     }
 
     /**
-     * Retrieve all existing connection names that the given user has permission
-     * to perform the given operation upon.
+     * Retrieve all existing connection identifiers that the given user has 
+     * permission to perform the given operation upon.
      *
      * @param userID The user whose permissions should be checked.
      * @param permissionType The permission to check.
      * @param parentID The parent connection group.
-     * @return A set of all connection names for which the given user has the
-     *         given permission.
+     * @return A set of all connection identifiers for which the given user 
+     *         has the given permission.
      */
-    public Set<String> retrieveConnectionNames(int userID, Integer parentID,
+    public Set<String> retrieveConnectionIdentifiers(int userID, Integer parentID,
             String permissionType) {
 
         // A system administrator has access to all connections.
@@ -591,23 +582,27 @@ public class PermissionCheckService {
         // List of all connection IDs for which this user has access
         List<Integer> connectionIDs =
                 retrieveConnectionIDs(userID, parentID, permissionType);
+        
+        // Unique Identifiers for MySQLConnections are the database IDs
+        Set<String> connectionIdentifiers = new HashSet<String>();
+        
+        for(Integer connectionID : connectionIDs)
+            connectionIdentifiers.add(Integer.toString(connectionID));
 
-        // Query all associated connections
-        return connectionService.translateNames(connectionIDs).keySet();
-
+        return connectionIdentifiers;
     }
 
     /**
-     * Retrieve all existing connection names that the given user has permission
-     * to perform the given operation upon.
+     * Retrieve all existing connection group identifiers that the given user 
+     * has permission to perform the given operation upon.
      *
      * @param userID The user whose permissions should be checked.
      * @param permissionType The permission to check.
      * @param parentID The parent connection group.
-     * @return A set of all connection names for which the given user has the
-     *         given permission.
+     * @return A set of all connection group identifiers for which the given 
+     *         user has the given permission.
      */
-    public Set<String> retrieveConnectionGroupNames(int userID, Integer parentID,
+    public Set<String> retrieveConnectionGroupIdentifiers(int userID, Integer parentID,
             String permissionType) {
 
         // A system administrator has access to all connections.
@@ -617,10 +612,14 @@ public class PermissionCheckService {
         // List of all connection group IDs for which this user has access
         List<Integer> connectionGroupIDs =
                 retrieveConnectionGroupIDs(userID, parentID, permissionType);
+        
+        // Unique Identifiers for MySQLConnectionGroups are the database IDs
+        Set<String> connectionGroupIdentifiers = new HashSet<String>();
+        
+        for(Integer connectionGroupID : connectionGroupIDs)
+            connectionGroupIdentifiers.add(Integer.toString(connectionGroupID));
 
-        // Query all associated connections
-        return connectionGroupService.translateNames(connectionGroupIDs).keySet();
-
+        return connectionGroupIdentifiers;
     }
 
     /**
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Directory.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Directory.java
index 0847ede83..4b472bdc8 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Directory.java
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/Directory.java
@@ -114,4 +114,17 @@ public interface Directory<IdentifierType, ObjectType> {
      */
     void remove(IdentifierType identifier) throws GuacamoleException;
 
+    /**
+     * Moves the object with the given identifier to the group with the given
+     * group identifier.
+     *
+     * @param identifier The identifier of the object to remove.
+     * @param groupIdentifier The identifier of the group to move the object to.
+     *
+     * @throws GuacamoleException If an error occurs while moving the object,
+     *                            or if moving object is not allowed.
+     */
+    void move(IdentifierType identifier, IdentifierType groupIdentifier) 
+            throws GuacamoleException;
+
 }
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionDirectory.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionDirectory.java
index 54c55a60b..392cd51b1 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionDirectory.java
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionDirectory.java
@@ -109,4 +109,10 @@ public class SimpleConnectionDirectory
         throw new GuacamoleSecurityException("Permission denied.");
     }
 
+    @Override
+    public void move(String identifier, String groupIdentifier) 
+            throws GuacamoleException {
+        throw new GuacamoleSecurityException("Permission denied.");
+    }
+
 }
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionGroupDirectory.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionGroupDirectory.java
index 38cd107bc..b6bb4076a 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionGroupDirectory.java
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleConnectionGroupDirectory.java
@@ -86,4 +86,10 @@ public class SimpleConnectionGroupDirectory
         throw new GuacamoleSecurityException("Permission denied.");
     }
 
+    @Override
+    public void move(String identifier, String groupIdentifier) 
+            throws GuacamoleException {
+        throw new GuacamoleSecurityException("Permission denied.");
+    }
+
 }
diff --git a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleUserDirectory.java b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleUserDirectory.java
index 49af4605b..80fea37c5 100644
--- a/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleUserDirectory.java
+++ b/guacamole-ext/src/main/java/net/sourceforge/guacamole/net/auth/simple/SimpleUserDirectory.java
@@ -100,4 +100,10 @@ public class SimpleUserDirectory implements Directory<String, User> {
         throw new GuacamoleSecurityException("Permission denied.");
     }
 
+    @Override
+    public void move(String identifier, String groupIdentifier) 
+            throws GuacamoleException {
+        throw new GuacamoleSecurityException("Permission denied.");
+    }
+
 }