From 0ad00dda3ec16e42036ffba7743f104d237cc436 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Fri, 19 Jun 2020 12:22:26 -0400 Subject: [PATCH 1/7] GUACAMOLE-708: Add properties for automatic account creation. --- .../guacamole/auth/jdbc/JDBCEnvironment.java | 16 ++++++++++++++++ .../auth/mysql/conf/MySQLEnvironment.java | 6 ++++++ .../mysql/conf/MySQLGuacamoleProperties.java | 8 ++++++++ .../postgresql/conf/PostgreSQLEnvironment.java | 6 ++++++ .../conf/PostgreSQLGuacamoleProperties.java | 12 ++++++++++++ .../SQLServerAuthenticationProviderModule.java | 4 +++- .../sqlserver/SQLServerInjectorProvider.java | 1 + .../sqlserver/{ => conf}/SQLServerDriver.java | 2 +- .../{ => conf}/SQLServerEnvironment.java | 8 +++++++- .../{ => conf}/SQLServerGuacamoleProperties.java | 10 +++++++++- .../{ => conf}/SQLServerPasswordPolicy.java | 2 +- 11 files changed, 70 insertions(+), 5 deletions(-) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/{ => conf}/SQLServerDriver.java (96%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/{ => conf}/SQLServerEnvironment.java (97%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/{ => conf}/SQLServerGuacamoleProperties.java (95%) rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/{ => conf}/SQLServerPasswordPolicy.java (99%) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java index 9158afb85..7c9a4b113 100644 
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCEnvironment.java @@ -151,5 +151,21 @@ public abstract class JDBCEnvironment extends LocalEnvironment { * true if the database supports recursive queries, false otherwise. */ public abstract boolean isRecursiveQuerySupported(SqlSession session); + + /** + * Returns a boolean value representing whether or not the JDBC module + * should automatically create accounts within the database for users that + * are successfully authenticated via other extensions. Returns true if + * accounts should be auto-created, otherwise returns false. + * + * @return + * true if user accounts should be automatically created within the + * database when authentication succeeds from another extension; + * otherwise false. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. + */ + public abstract boolean autoCreateAbsentAccounts() throws GuacamoleException; } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java index a538ff395..0159c2452 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLEnvironment.java 
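Review bot: `autoCreateAbsentAccounts()` is declared abstract, so the fail-closed default lives in three separate places in this patch (each database module passes `false` to `getProperty`) rather than in one. A concrete base implementation, `public boolean autoCreateAbsentAccounts() throws GuacamoleException { return false; }`, would keep any JDBCEnvironment subclass that does not override it from creating accounts, and would not break subclasses outside this patch. The class body begins outside the hunk.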
@@ -386,5 +386,11 @@ public class MySQLEnvironment extends JDBCEnvironment { public String getMYSQLSSLClientPassword() throws GuacamoleException { return getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD); } + + @Override + public boolean autoCreateAbsentAccounts() throws GuacamoleException { + return getProperty(MySQLGuacamoleProperties.MYSQL_AUTO_CREATE_ACCOUNTS, + false); + } } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java index c87f4cf4b..96d13cbed 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java @@ -240,5 +240,13 @@ public class MySQLGuacamoleProperties { public String getName() { return "mysql-ssl-client-password"; } }; + + public static final BooleanGuacamoleProperty MYSQL_AUTO_CREATE_ACCOUNTS = + new BooleanGuacamoleProperty() { + + @Override + public String getName() { return "mysql-auto-create-accounts"; } + + }; } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java index 24e286e5a..0ac1272e3 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java 
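Review bot: In the MySQLEnvironment hunk, the context line directly above the new method has `getMYSQLSSLClientPassword()` returning `getProperty(MySQLGuacamoleProperties.MYSQL_SSL_TRUST_PASSWORD)`, which looks like a copy-paste slip: the client-key password getter reads the trust-store password property. It presumably should read the property whose name is `mysql-ssl-client-password`, declared in MySQLGuacamoleProperties and visible as context in the next file section. This predates the patch but is worth fixing while the file is open, since a wrong password here would break client-certificate TLS to the database or hide a misconfiguration. The Javadoc of that getter lies outside the hunk, so confirm the intent there before changing it.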
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLEnvironment.java @@ -328,4 +328,10 @@ public class PostgreSQLEnvironment extends JDBCEnvironment { return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_SSL_KEY_PASSWORD); } + @Override + public boolean autoCreateAbsentAccounts() throws GuacamoleException { + return getProperty(PostgreSQLGuacamoleProperties.POSTGRESQL_AUTO_CREATE_ACCOUNTS, + false); + } + } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java index 8bd1ff4f5..c2f7e01eb 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java @@ -233,4 +233,16 @@ public class PostgreSQLGuacamoleProperties { }; + /** + * Whether or not the PostgreSQL extension should automatically add database + * entries for users who are granted access through other extensions. + */ + public static final BooleanGuacamoleProperty POSTGRESQL_AUTO_CREATE_ACCOUNTS = + new BooleanGuacamoleProperty() { + + @Override + public String getName() { return "postgresql-auto-create-accounts"; } + + }; + } 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java index 2f9147a55..bcd4bc94c 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerAuthenticationProviderModule.java @@ -25,6 +25,8 @@ import com.google.inject.name.Names; import java.lang.UnsupportedOperationException; import java.util.Properties; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.sqlserver.conf.SQLServerDriver; +import org.apache.guacamole.auth.sqlserver.conf.SQLServerEnvironment; import org.mybatis.guice.datasource.helper.JdbcHelper; /** @@ -45,7 +47,7 @@ public class SQLServerAuthenticationProviderModule implements Module { /** * Which SQL Server driver should be used. */ - private SQLServerDriver sqlServerDriver; + private final SQLServerDriver sqlServerDriver; /** * Creates a new SQLServer authentication provider module that configures diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java index 32d12f6e2..667174ea1 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java 
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerInjectorProvider.java @@ -24,6 +24,7 @@ import com.google.inject.Injector; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCAuthenticationProviderModule; import org.apache.guacamole.auth.jdbc.JDBCInjectorProvider; +import org.apache.guacamole.auth.sqlserver.conf.SQLServerEnvironment; /** * JDBCInjectorProvider implementation which configures Guice injections for diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerDriver.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerDriver.java similarity index 96% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerDriver.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerDriver.java index d1fdc8f1d..4a4321e0c 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerDriver.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerDriver.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.sqlserver; +package org.apache.guacamole.auth.sqlserver.conf; import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue; 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerEnvironment.java similarity index 97% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerEnvironment.java index 9b61be0d2..563db0ea2 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerEnvironment.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.sqlserver; +package org.apache.guacamole.auth.sqlserver.conf; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCEnvironment; @@ -273,5 +273,11 @@ public class SQLServerEnvironment extends JDBCEnvironment { public boolean isRecursiveQuerySupported(SqlSession session) { return true; // All versions of SQL Server support recursive queries through CTEs } + + @Override + public boolean autoCreateAbsentAccounts() throws GuacamoleException { + return getProperty(SQLServerGuacamoleProperties.SQLSERVER_AUTO_CREATE_ACCOUNTS, + false); + } } 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java similarity index 95% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerGuacamoleProperties.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java index 257c07ed8..7299b3804 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.sqlserver; +package org.apache.guacamole.auth.sqlserver.conf; import org.apache.guacamole.properties.BooleanGuacamoleProperty; import org.apache.guacamole.properties.EnumGuacamoleProperty; @@ -193,5 +193,13 @@ public class SQLServerGuacamoleProperties { public String getName() { return "sqlserver-driver"; } }; + + public static final BooleanGuacamoleProperty SQLSERVER_AUTO_CREATE_ACCOUNTS = + new BooleanGuacamoleProperty() { + + @Override + public String getName() { return "sqlserver-auto-create-accounts"; } + + }; } 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerPasswordPolicy.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerPasswordPolicy.java similarity index 99% rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerPasswordPolicy.java rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerPasswordPolicy.java index f30b180bb..e18649b6a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerPasswordPolicy.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerPasswordPolicy.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.sqlserver; +package org.apache.guacamole.auth.sqlserver.conf; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.jdbc.JDBCEnvironment; From e0aedefd6f05152a5a5751cb9b5c855b369137e2 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Fri, 19 Jun 2020 14:59:20 -0400 Subject: [PATCH 2/7] GUACAMOLE-708: Add calls for auto-creating DB users when so configured. --- .../auth/jdbc/JDBCAuthenticationProviderService.java | 11 +++++++++-- .../apache/guacamole/auth/jdbc/user/UserService.java | 8 ++++---- 2 files changed, 13 insertions(+), 6 deletions(-) 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java index 1bb2c68e7..a1883be2f 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java @@ -27,6 +27,7 @@ import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.auth.jdbc.user.ModeledUserContext; +import org.apache.guacamole.auth.jdbc.user.PrivilegedModeledAuthenticatedUser; import org.apache.guacamole.auth.jdbc.user.UserService; import org.apache.guacamole.language.TranslatableGuacamoleClientException; import org.apache.guacamole.net.auth.AuthenticatedUser; @@ -98,7 +99,7 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser); ModeledUserContext context = userContextProvider.get(); if (user != null && !user.isDisabled()) { - + // Enforce applicable account restrictions if (databaseRestrictionsApplicable) { 
@@ -126,9 +127,15 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider } // If no user account is found, and database-specific account - // restrictions do not apply, get an empty user. + // restrictions do not apply, get a skeleton user. else if (!databaseRestrictionsApplicable) { user = userService.retrieveSkeletonUser(authenticationProvider, authenticatedUser); + + // If auto account creation is enabled, add user to DB. + if(environment.autoCreateAbsentAccounts()) { + userService.createObject(new PrivilegedModeledAuthenticatedUser(user.getCurrentUser()), user); + } + } // Veto authentication result only if database-specific account diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java index 0aecd10fa..e284205b2 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -52,6 +52,7 @@ import org.apache.guacamole.net.auth.ActivityRecord; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.User; +import org.apache.guacamole.net.auth.UserContext; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; 
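Review bot: The auto-create call in the `else if (!databaseRestrictionsApplicable)` branch runs for more than absent accounts: the preceding `if (user != null && !user.isDisabled())`, visible in the earlier hunk of this file, sends an existing but disabled account down the same branch, so `createObject` would be asked to create an identifier that is already in the database. Record the state before `user` is overwritten, e.g. `boolean accountAbsent = (user == null);`, and guard with `if (accountAbsent && environment.autoCreateAbsentAccounts())`. Two concurrent first logins for the same identity can presumably reach the same duplicate path, so a failure from `createObject` should be handled rather than left to abort the login. The creation also runs under a `PrivilegedModeledAuthenticatedUser` with nothing logged; an info-level log entry naming the identifier and the provider that vouched for it would give operators a trail of accounts created this way. The enclosing method starts and ends outside the hunk.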
@@ -407,11 +408,8 @@ public class UserService extends ModeledDirectoryObjectService>>JDBC<<< Creating skeleton user {}", authenticatedUser.getIdentifier()); + // Set up an empty user model ModeledUser user = getObjectInstance(null, new UserModel(authenticatedUser.getIdentifier())); From 2888d6a3401d0d415079f3e6385c420ff998d0ac Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Fri, 19 Jun 2020 21:40:00 -0400 Subject: [PATCH 3/7] GUACAMOLE-708: Handle implicit permissions where no entity exists. --- .../JDBCAuthenticationProviderService.java | 2 +- .../base/ModeledDirectoryObjectService.java | 24 ++++++++++++------- .../guacamole/auth/jdbc/user/UserService.java | 10 ++++---- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java index a1883be2f..3f54be811 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java @@ -132,7 +132,7 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider user = userService.retrieveSkeletonUser(authenticationProvider, authenticatedUser); // If auto account creation is enabled, add user to DB. - if(environment.autoCreateAbsentAccounts()) { + if (environment.autoCreateAbsentAccounts()) { userService.createObject(new PrivilegedModeledAuthenticatedUser(user.getCurrentUser()), user); } 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java index f8d0e8a8a..db86d35f9 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java @@ -410,9 +410,9 @@ public abstract class ModeledDirectoryObjectService getImplicitPermissions(ModeledAuthenticatedUser user, ModelType model) { + // Get the user model and check for an entity ID. + UserModel userModel = user.getUser().getModel(); + Integer entityId = userModel.getEntityID(); + if (entityId == null) + return Collections.emptyList(); + // Build list of implicit permissions Collection implicitPermissions = - new ArrayList(IMPLICIT_OBJECT_PERMISSIONS.length); + new ArrayList<>(IMPLICIT_OBJECT_PERMISSIONS.length); - UserModel userModel = user.getUser().getModel(); + for (ObjectPermission.Type permission : IMPLICIT_OBJECT_PERMISSIONS) { // Create model which grants this permission to the current user ObjectPermissionModel permissionModel = new ObjectPermissionModel(); - permissionModel.setEntityID(userModel.getEntityID()); + permissionModel.setEntityID(entityId); permissionModel.setType(permission); permissionModel.setObjectIdentifier(model.getIdentifier()); @@ -445,7 +451,7 @@ public abstract class ModeledDirectoryObjectService implicitPermissions = getImplicitPermissions(user, model); + if (implicitPermissions != null && !implicitPermissions.isEmpty()) + getPermissionMapper().insert(implicitPermissions); // Add any arbitrary attributes if (model.hasArbitraryAttributes()) 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java index e284205b2..50b9e4295 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -52,7 +52,6 @@ import org.apache.guacamole.net.auth.ActivityRecord; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.User; -import org.apache.guacamole.net.auth.UserContext; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; @@ -297,8 +296,9 @@ public class UserService extends ModeledDirectoryObjectService getImplicitPermissions(ModeledAuthenticatedUser user, UserModel model) { - // Get original set of implicit permissions - Collection implicitPermissions = super.getImplicitPermissions(user, model); + // Get original set of implicit permissions and make a copy + Collection implicitPermissions = + new ArrayList<>(super.getImplicitPermissions(user, model)); // Grant implicit permissions to the new user for (ObjectPermission.Type permissionType : IMPLICIT_USER_PERMISSIONS) { @@ -313,7 +313,7 @@ public class UserService extends ModeledDirectoryObjectService>>JDBC<<< Creating skeleton user {}", authenticatedUser.getIdentifier()); - // Set up an empty user model ModeledUser user = getObjectInstance(null, new UserModel(authenticatedUser.getIdentifier())); From 76f7379f4659804c98c1281b5a421742db994a7d Mon Sep 17 00:00:00 2001 
From: Virtually Nick Date: Sat, 20 Jun 2020 08:09:33 -0400 Subject: [PATCH 4/7] GUACAMOLE-708: Add and update JavaDoc comments. --- .../guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java | 5 +++++ .../auth/postgresql/conf/PostgreSQLGuacamoleProperties.java | 5 +++-- .../auth/sqlserver/conf/SQLServerGuacamoleProperties.java | 5 +++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java index 96d13cbed..1212ea7be 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java @@ -241,6 +241,11 @@ public class MySQLGuacamoleProperties { }; + /** + * Wether or not to automatically create accounts in the MySQL database for + * users who successfully authenticate through another extension. By + * default users will not be automatically created. + */ public static final BooleanGuacamoleProperty MYSQL_AUTO_CREATE_ACCOUNTS = new BooleanGuacamoleProperty() { diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java index c2f7e01eb..470d0223c 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java 
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java @@ -234,8 +234,9 @@ public class PostgreSQLGuacamoleProperties { }; /** - * Whether or not the PostgreSQL extension should automatically add database - * entries for users who are granted access through other extensions. + * Wether or not to automatically create accounts in the PostgreSQL database + * for users who successfully authenticate through another extension. By + * default users will not be automatically created. */ public static final BooleanGuacamoleProperty POSTGRESQL_AUTO_CREATE_ACCOUNTS = new BooleanGuacamoleProperty() { diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java index 7299b3804..090f13017 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java @@ -194,6 +194,11 @@ public class SQLServerGuacamoleProperties { }; + /** + * Wether or not to automatically create accounts in the SQL Server database + * for users who successfully authenticate through another extension. By + * default users will not be automatically created. + */ public static final BooleanGuacamoleProperty SQLSERVER_AUTO_CREATE_ACCOUNTS = new BooleanGuacamoleProperty() { From 55fccff7a725735262fc5ff846349bb99df322ff Mon Sep 17 00:00:00 2001 
From: Virtually Nick Date: Sat, 20 Jun 2020 16:24:35 -0400 Subject: [PATCH 5/7] GUACAMOLE-708: Spelling correction in JavaDoc comments. --- .../guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java | 6 +++--- .../auth/postgresql/conf/PostgreSQLGuacamoleProperties.java | 6 +++--- .../auth/sqlserver/conf/SQLServerGuacamoleProperties.java | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java index 1212ea7be..d222a0cbb 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/conf/MySQLGuacamoleProperties.java @@ -242,9 +242,9 @@ public class MySQLGuacamoleProperties { }; /** - * Wether or not to automatically create accounts in the MySQL database for - * users who successfully authenticate through another extension. By - * default users will not be automatically created. + * Whether or not to automatically create accounts in the MySQL database for + * users who successfully authenticate through another extension. By default + * users will not be automatically created. */ public static final BooleanGuacamoleProperty MYSQL_AUTO_CREATE_ACCOUNTS = new BooleanGuacamoleProperty() { diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java index 470d0223c..fe3ce720b 100644 
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/java/org/apache/guacamole/auth/postgresql/conf/PostgreSQLGuacamoleProperties.java @@ -234,9 +234,9 @@ public class PostgreSQLGuacamoleProperties { }; /** - * Wether or not to automatically create accounts in the PostgreSQL database - * for users who successfully authenticate through another extension. By - * default users will not be automatically created. + * Whether or not to automatically create accounts in the PostgreSQL + * database for users who successfully authenticate through another + * extension. By default users will not be automatically created. */ public static final BooleanGuacamoleProperty POSTGRESQL_AUTO_CREATE_ACCOUNTS = new BooleanGuacamoleProperty() { diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java index 090f13017..df63c53e9 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/conf/SQLServerGuacamoleProperties.java 
@@ -195,9 +195,9 @@ public class SQLServerGuacamoleProperties { }; /** - * Wether or not to automatically create accounts in the SQL Server database - * for users who successfully authenticate through another extension. By - * default users will not be automatically created. + * Whether or not to automatically create accounts in the SQL Server + * database for users who successfully authenticate through another + * extension. By default users will not be automatically created. */ public static final BooleanGuacamoleProperty SQLSERVER_AUTO_CREATE_ACCOUNTS = new BooleanGuacamoleProperty() { From 486ab9aefa15786e7f1baeba444e84833b3ab58d Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Sat, 20 Jun 2020 16:41:09 -0400 Subject: [PATCH 6/7] GUACAMOLE-708: Remove unnecessary null check --- .../guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java index db86d35f9..acfa2c213 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java @@ -471,7 +471,7 @@ public abstract class ModeledDirectoryObjectService implicitPermissions = getImplicitPermissions(user, model); - if (implicitPermissions != null && !implicitPermissions.isEmpty()) + if (!implicitPermissions.isEmpty()) getPermissionMapper().insert(implicitPermissions); // Add any arbitrary attributes From 2bf29a0d970c9f01acdbf9f1a27fb48482e6cca6 Mon Sep 17 00:00:00 2001 
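Review bot: With the `!= null` guard removed, the new `if (!implicitPermissions.isEmpty())` line in ModeledDirectoryObjectService throws a NullPointerException if getImplicitPermissions() ever returns null, so that method's never-null guarantee should be stated in its contract. The method's declaration is not part of this hunk, but the enclosing class is abstract, so a subclass override may be possible; if one returned null, the enclosing operation would fail at this point instead of skipping the permission insert. I would extend the method's Javadoc `@return` to say `The collection of implicit permissions to add; never null, empty if no permissions apply.` and check any existing overrides against that. The enclosing method starts and ends outside the hunk.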
From: Virtually Nick Date: Sat, 20 Jun 2020 21:15:47 -0400 Subject: [PATCH 7/7] GUACAMOLE-708: Implement isSkeleton method for ModeledUser. --- .../auth/jdbc/base/ModeledDirectoryObjectService.java | 10 ++++++---- .../apache/guacamole/auth/jdbc/user/ModeledUser.java | 11 +++++++++++ 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java index acfa2c213..133e6628c 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java @@ -427,11 +427,13 @@ public abstract class ModeledDirectoryObjectService getImplicitPermissions(ModeledAuthenticatedUser user, ModelType model) { + // Check to see if the user granting permissions is a skeleton user, + // thus lacking database backing. + if (user.getUser().isSkeleton()) + return Collections.emptyList(); + // Get the user model and check for an entity ID. UserModel userModel = user.getUser().getModel(); - Integer entityId = userModel.getEntityID(); - if (entityId == null) - return Collections.emptyList(); // Build list of implicit permissions Collection implicitPermissions = 
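Review bot: The retained comment `// Get the user model and check for an entity ID.` in getImplicitPermissions() is stale after this change, because the entity-ID check now happens in the `isSkeleton()` guard added above it and the line below only fetches the model. It should be shortened to something like `// Get the model of the user granting permissions`. The guard and the model lookup each call `user.getUser()` separately; holding the result in one local would make it clear that the skeleton decision and the entity ID used later come from the same object. The function body continues past the end of this hunk, and the text of the following hunk is partly missing on this page, so how the entity ID is applied to each permission could not be checked.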
@@ -442,7 +444,7 @@ public abstract class ModeledDirectoryObjectService implements User { public Permissions getEffectivePermissions() throws GuacamoleException { return super.getEffective(); } + + /** + * Returns true if this user is a skeleton user, lacking a database entity + * entry. + * + * @return + * True if this user is a skeleton user, otherwise false. + */ + public boolean isSkeleton() { + return (getModel().getEntityID() == null); + } }