From 57d252c463714c7600cf6ab7802d206a407fb865 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Fri, 13 Feb 2015 01:27:38 -0800
Subject: [PATCH] GUAC-1101: Add permission service classes.
---
.../service/ObjectPermissionService.java | 74 +++++++++
.../auth/mysql/service/PermissionService.java | 156 ++++++++++++++++++
2 files changed, 230 insertions(+)
create mode 100644 extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ObjectPermissionService.java
create mode 100644 extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionService.java
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ObjectPermissionService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ObjectPermissionService.java
new file mode 100644
index 000000000..e9aa87163
--- /dev/null
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ObjectPermissionService.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2013 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package net.sourceforge.guacamole.net.auth.mysql.service;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+import net.sourceforge.guacamole.net.auth.mysql.AuthenticatedUser;
+import net.sourceforge.guacamole.net.auth.mysql.MySQLUser;
+import net.sourceforge.guacamole.net.auth.mysql.dao.PermissionMapper;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
+import org.glyptodon.guacamole.net.auth.permission.Permission;
+import org.glyptodon.guacamole.net.auth.permission.PermissionSet;
+
+/**
+ * Service which provides convenience methods for creating, retrieving, and
+ * deleting object permissions.
+ *
+ * @author Michael Jumper
+ * @param
+ * The type of object permission this service provides access to.
+ *
+ * @param
+ * The underlying model object used to represent PermissionType in the
+ * database.
+ */
+public abstract class ObjectPermissionService
+ extends PermissionService {
+
+ /**
+ * Returns the permission set associated with the given user and related
+ * to the type of objects affected the permissions handled by this
+ * permission service.
+ *
+ * @param user
+ * The user whose permissions are being retrieved.
+ *
+ * @return
+ * A permission set which contains the permissions associated with the
+ * given user and related to the type of objects handled by this
+ * directory object service.
+ *
+ * @throws GuacamoleException
+ * If permission to read the user's permissions is denied.
+ */
+ protected abstract PermissionSet getAffectedPermissionSet(AuthenticatedUser user)
+ throws GuacamoleException;
+
+ /* TODO: Override create/delete testing permissions for affected objects */
+
+}
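Review bot: Several imports in ObjectPermissionService are referenced by nothing this hunk declares — `Collection`, `HashSet`, `Set`, `MySQLUser`, `PermissionMapper`, `GuacamoleSecurityException` and `Permission` — which looks like a copy of PermissionService's import block and should be trimmed before this lands. The generic parameters appear to have been stripped from this rendering, so `ObjectPermission` and `ObjectPermissionSet` may well be used in type bounds and are not counted here. The `@throws GuacamoleException` text on getAffectedPermissionSet describes an authorization failure ("If permission to read the user's permissions is denied"), which elsewhere in this patch is signalled with GuacamoleSecurityException; I would document it as `@throws GuacamoleSecurityException If the given user is not permitted to read the permissions.` so implementers of this hook throw the type callers expect. Until the TODO at the bottom is resolved, this class performs no object-level authorization of its own beyond what PermissionService provides.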
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionService.java
new file mode 100644
index 000000000..d5be7d234
--- /dev/null
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionService.java
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2013 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package net.sourceforge.guacamole.net.auth.mysql.service;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+import net.sourceforge.guacamole.net.auth.mysql.AuthenticatedUser;
+import net.sourceforge.guacamole.net.auth.mysql.MySQLUser;
+import net.sourceforge.guacamole.net.auth.mysql.dao.PermissionMapper;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.net.auth.permission.Permission;
+
+/**
+ * Service which provides convenience methods for creating, retrieving, and
+ * deleting permissions.
+ *
+ * @author Michael Jumper
+ * @param
+ * The type of permission this service provides access to.
+ *
+ * @param
+ * The underlying model object used to represent PermissionType in the
+ * database.
+ */
+public abstract class PermissionService {
+
+ /**
+ * Returns an instance of a mapper for the type of permission used by this
+ * service.
+ *
+ * @return
+ * A mapper which provides access to the model objects associated with
+ * the permissions used by this service.
+ */
+ protected abstract PermissionMapper getPermissionMapper();
+
+ /**
+ * Returns an instance of a permission which is backed by the given model
+ * object.
+ *
+ * @param model
+ * The model object to use to back the returned permission.
+ *
+ * @return
+ * A permission which is backed by the given model object.
+ */
+ protected abstract PermissionType getPermissionInstance(ModelType model);
+
+ /**
+ * Returns a collection of permissions which are backed by the models in
+ * the given collection.
+ *
+ * @param models
+ * The model objects to use to back the permissions within the returned
+ * set.
+ *
+ * @return
+ * A set of permissions which are backed by the models in the given
+ * collection.
+ */
+ protected Set getPermissionInstances(Collection models) {
+
+ // Create new collection of permissions by manually converting each model
+ Set permissions = new HashSet(models.size());
+ for (ModelType model : models)
+ permissions.add(getPermissionInstance(model));
+
+ return permissions;
+
+ }
+
+ /**
+ * Retrieves all permissions associated with the given user.
+ *
+ * @param user
+ * The user retrieving the permissions.
+ *
+ * @param targetUser
+ * The user associated with the permissions to be retrieved.
+ *
+ * @return
+ * The permissions associated with the given user.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while retrieving the requested permissions.
+ */
+ public Set retrievePermissions(AuthenticatedUser user,
+ MySQLUser targetUser) throws GuacamoleException {
+
+ // Only an admin can read permissions that aren't his own
+ if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
+ || user.getUser().isAdministrator())
+ return getPermissionInstances(getPermissionMapper().select(targetUser.getModel()));
+
+ // User cannot read this user's permissions
+ throw new GuacamoleSecurityException("Permision denied.");
+
+ }
+
+ /**
+ * Creates the given permissions within the database. If any permissions
+ * already exist, they will be ignored.
+ *
+ * @param user
+ * The user creating the permissions.
+ *
+ * @param permissions
+ * The permissions to create.
+ *
+ * @throws GuacamoleException
+ * If the user lacks permission to create the permissions, or an error
+ * occurs while creating the permissions.
+ */
+ public abstract void createPermissions(AuthenticatedUser user,
+ Collection permissions) throws GuacamoleException;
+
+ /**
+ * Deletes the given permissions. If any permissions do not exist, they
+ * will be ignored.
+ *
+ * @param user
+ * The user deleting the permissions.
+ *
+ * @param permissions
+ * The permissions to delete.
+ *
+ * @throws GuacamoleException
+ * If the user lacks permission to delete the permissions, or an error
+ * occurs while deleting the permissions.
+ */
+ public abstract void deletePermissions(AuthenticatedUser user,
+ Collection permissions) throws GuacamoleException;
+
+}
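Review bot: The denial message thrown at the end of retrievePermissions is misspelled; it should read `throw new GuacamoleSecurityException("Permission denied.");`. The Javadoc above that method lists only the generic failure under `@throws GuacamoleException`, yet the self-or-administrator check is the method's main contract, so I would add `@throws GuacamoleSecurityException If the given user is neither the target user nor an administrator.` so the authorization behaviour is visible from the API documentation rather than only from the body. This check is the only access control PermissionService itself enforces; createPermissions and deletePermissions are abstract with their Javadoc promising a permission check, so each subclass has to supply that check on its own. In getPermissionInstances, `new HashSet(models.size())` sets an initial capacity equal to the element count, which at the default load factor still rehashes once the set fills past three quarters; a plain `new HashSet<>()` is just as clear, and the raw type here may simply be generics lost in this rendering.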