GUAC-1101: Add permission service classes.

2025-09-06 13:17:41 +00:00 · 2015-02-13 01:27:38 -08:00
parent b1ae37adb3
commit 57d252c463
2 changed files with 230 additions and 0 deletions
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ObjectPermissionService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ObjectPermissionService.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2013 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package net.sourceforge.guacamole.net.auth.mysql.service;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+import net.sourceforge.guacamole.net.auth.mysql.AuthenticatedUser;
+import net.sourceforge.guacamole.net.auth.mysql.MySQLUser;
+import net.sourceforge.guacamole.net.auth.mysql.dao.PermissionMapper;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
+import org.glyptodon.guacamole.net.auth.permission.Permission;
+import org.glyptodon.guacamole.net.auth.permission.PermissionSet;
+
+/**
+ * Service which provides convenience methods for creating, retrieving, and
+ * deleting object permissions.
+ *
+ * @author Michael Jumper
+ * @param <ObjectPermissionType>
+ *     The type of object permission this service provides access to.
+ *
+ * @param <ModelType>
+ *     The underlying model object used to represent PermissionType in the
+ *     database.
+ */
+public abstract class ObjectPermissionService<ObjectPermissionType extends ObjectPermission, ModelType>
+    extends PermissionService<ObjectPermissionType, ModelType> {
+
+    /**
+     * Returns the permission set associated with the given user and related
+     * to the type of objects affected the permissions handled by this
+     * permission service.
+     *
+     * @param user
+     *     The user whose permissions are being retrieved.
+     *
+     * @return
+     *     A permission set which contains the permissions associated with the
+     *     given user and related to the type of objects handled by this
+     *     directory object service.
+     * 
+     * @throws GuacamoleException
+     *     If permission to read the user's permissions is denied.
+     */
+    protected abstract PermissionSet<ObjectPermissionType> getAffectedPermissionSet(AuthenticatedUser user)
+            throws GuacamoleException;
+
+    /* TODO: Override create/delete testing permissions for affected objects */
+
+}
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionService.java
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2013 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package net.sourceforge.guacamole.net.auth.mysql.service;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+import net.sourceforge.guacamole.net.auth.mysql.AuthenticatedUser;
+import net.sourceforge.guacamole.net.auth.mysql.MySQLUser;
+import net.sourceforge.guacamole.net.auth.mysql.dao.PermissionMapper;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.net.auth.permission.Permission;
+
+/**
+ * Service which provides convenience methods for creating, retrieving, and
+ * deleting permissions.
+ *
+ * @author Michael Jumper
+ * @param <PermissionType>
+ *     The type of permission this service provides access to.
+ *
+ * @param <ModelType>
+ *     The underlying model object used to represent PermissionType in the
+ *     database.
+ */
+public abstract class PermissionService<PermissionType extends Permission, ModelType> {
+
+    /**
+     * Returns an instance of a mapper for the type of permission used by this
+     * service.
+     *
+     * @return
+     *     A mapper which provides access to the model objects associated with
+     *     the permissions used by this service.
+     */
+    protected abstract PermissionMapper<ModelType> getPermissionMapper();
+
+    /**
+     * Returns an instance of a permission which is backed by the given model
+     * object.
+     *
+     * @param model
+     *     The model object to use to back the returned permission.
+     *
+     * @return
+     *     A permission which is backed by the given model object.
+     */
+    protected abstract PermissionType getPermissionInstance(ModelType model);
+
+    /**
+     * Returns a collection of permissions which are backed by the models in
+     * the given collection.
+     *
+     * @param models
+     *     The model objects to use to back the permissions within the returned
+     *     set.
+     *
+     * @return
+     *     A set of permissions which are backed by the models in the given
+     *     collection.
+     */
+    protected Set<PermissionType> getPermissionInstances(Collection<ModelType> models) {
+
+        // Create new collection of permissions by manually converting each model
+        Set<PermissionType> permissions = new HashSet<PermissionType>(models.size());
+        for (ModelType model : models)
+            permissions.add(getPermissionInstance(model));
+
+        return permissions;
+        
+    }
+
+    /**
+     * Retrieves all permissions associated with the given user.
+     *
+     * @param user
+     *     The user retrieving the permissions.
+     *
+     * @param targetUser
+     *     The user associated with the permissions to be retrieved.
+     *
+     * @return
+     *     The permissions associated with the given user.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while retrieving the requested permissions.
+     */
+    public Set<PermissionType> retrievePermissions(AuthenticatedUser user,
+            MySQLUser targetUser) throws GuacamoleException {
+
+        // Only an admin can read permissions that aren't his own
+        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
+                || user.getUser().isAdministrator())
+            return getPermissionInstances(getPermissionMapper().select(targetUser.getModel()));
+
+        // User cannot read this user's permissions
+        throw new GuacamoleSecurityException("Permision denied.");
+        
+    }
+
+    /**
+     * Creates the given permissions within the database. If any permissions
+     * already exist, they will be ignored.
+     *
+     * @param user
+     *     The user creating the permissions.
+     *
+     * @param permissions 
+     *     The permissions to create.
+     *
+     * @throws GuacamoleException
+     *     If the user lacks permission to create the permissions, or an error
+     *     occurs while creating the permissions.
+     */
+    public abstract void createPermissions(AuthenticatedUser user,
+            Collection<PermissionType> permissions) throws GuacamoleException;
+
+    /**
+     * Deletes the given permissions. If any permissions do not exist, they
+     * will be ignored.
+     *
+     * @param user
+     *     The user deleting the permissions.
+     *
+     * @param permissions
+     *     The permissions to delete.
+     *
+     * @throws GuacamoleException
+     *     If the user lacks permission to delete the permissions, or an error
+     *     occurs while deleting the permissions.
+     */
+    public abstract void deletePermissions(AuthenticatedUser user,
+            Collection<PermissionType> permissions) throws GuacamoleException;
+
+}