safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUAC-801 Merge master.

Browse Source
This commit is contained in:
James Muehlner
2015-03-10 18:52:03 -07:00
parent f513fa6e2e d57af488fa
commit 59d794ef96
48 changed files with 3026 additions and 564 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/DirectoryObjectService.java
View File

@@ -37,8 +37,8 @@ import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
/**
* Service which provides convenience methods for creating, retrieving, and
* manipulating users. This service will automatically enforce the
* permissions of the current user.
* manipulating objects within directories. This service will automatically
* enforce the permissions of the current user.
*
* @author Michael Jumper
* @param <InternalType>
@@ -215,52 +215,77 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
}
/**
* Returns whether the contents of the given model are valid and can be
* used to create a new object as-is. The object does not yet exist in the
* database, but the user desires to create a new object with the given
* model. This function will be called prior to any creation operation, and
* provides a means for the implementation to abort prior to completion. The
* default implementation does nothing.
* Called before any object is created through this directory object
* service. This function serves as a final point of validation before
* the create operation occurs. In its default implementation,
* beforeCreate() performs basic permissions checks.
*
* @param user
* The user creating the object.
*
* @param model
* The model to validate.
* The model of the object being created.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
*/
protected void validateNewModel(AuthenticatedUser user,
ModelType model) throws GuacamoleException {
protected void beforeCreate(AuthenticatedUser user,
ModelType model ) throws GuacamoleException {
// By default, do nothing.
// Verify permission to create objects
if (!user.getUser().isAdministrator() && !hasCreatePermission(user))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Returns whether the given model is valid and can be used to update an
* existing object as-is. The object already exists in the database, but the
* user desires to update the object to the given model. This function will
* be called prior to update operation, and provides a means for the
* implementation to abort prior to completion. The default implementation
* does nothing.
* Called before any object is updated through this directory object
* service. This function serves as a final point of validation before
* the update operation occurs. In its default implementation,
* beforeUpdate() performs basic permissions checks.
*
* @param user
* The user updating the existing object.
*
* @param model
* The model to validate.
* The model of the object being updated.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
*/
protected void validateExistingModel(AuthenticatedUser user,
protected void beforeUpdate(AuthenticatedUser user,
ModelType model) throws GuacamoleException {
// By default, do nothing.
if (!hasObjectPermission(user, model.getIdentifier(), ObjectPermission.Type.UPDATE))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Called before any object is deleted through this directory object
* service. This function serves as a final point of validation before
* the delete operation occurs. In its default implementation,
* beforeDelete() performs basic permissions checks.
*
* @param user
* The user deleting the existing object.
*
* @param identifier
* The identifier of the object being deleted.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
*/
protected void beforeDelete(AuthenticatedUser user,
String identifier) throws GuacamoleException {
// Verify permission to delete objects
if (!hasObjectPermission(user, identifier, ObjectPermission.Type.DELETE))
throw new GuacamoleSecurityException("Permission denied.");
}
@@ -400,24 +425,16 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
public InternalType createObject(AuthenticatedUser user, ExternalType object)
throws GuacamoleException {
// Only create object if user has permission to do so
if (user.getUser().isAdministrator() || hasCreatePermission(user)) {
ModelType model = getModelInstance(user, object);
beforeCreate(user, model);
// Create object
getObjectMapper().insert(model);
// Validate object prior to creation
ModelType model = getModelInstance(user, object);
validateNewModel(user, model);
// Add implicit permissions
getPermissionMapper().insert(getImplicitPermissions(user, model));
// Create object
getObjectMapper().insert(model);
// Add implicit permissions
getPermissionMapper().insert(getImplicitPermissions(user, model));
return getObjectInstance(user, model);
}
// User lacks permission to create
throw new GuacamoleSecurityException("Permission denied.");
return getObjectInstance(user, model);
}
@@ -438,14 +455,10 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
public void deleteObject(AuthenticatedUser user, String identifier)
throws GuacamoleException {
// Only delete object if user has permission to do so
if (hasObjectPermission(user, identifier, ObjectPermission.Type.DELETE)) {
getObjectMapper().delete(identifier);
return;
}
// User lacks permission to delete
throw new GuacamoleSecurityException("Permission denied.");
beforeDelete(user, identifier);
// Delete object
getObjectMapper().delete(identifier);
}
@@ -466,20 +479,11 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
public void updateObject(AuthenticatedUser user, InternalType object)
throws GuacamoleException {
// Only update object if user has permission to do so
if (hasObjectPermission(user, object.getIdentifier(), ObjectPermission.Type.UPDATE)) {
// Validate object prior to creation
ModelType model = object.getModel();
validateExistingModel(user, model);
// Update object
getObjectMapper().update(model);
return;
}
// User lacks permission to update
throw new GuacamoleSecurityException("Permission denied.");
ModelType model = object.getModel();
beforeUpdate(user, model);
// Update object
getObjectMapper().update(model);
}

78
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObject.java Normal file
View File

@@ -0,0 +1,78 @@
/*
* Copyright (C) 2015 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.base;
import org.glyptodon.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
/**
* Common base class for objects that will ultimately be made available through
* the Directory class. All such objects will need the same base set of queries
* to fulfill the needs of the Directory class.
*
* @author Michael Jumper
* @param <ModelType>
* The type of model object that corresponds to this object.
*/
public abstract class GroupedDirectoryObject<ModelType extends GroupedObjectModel>
extends DirectoryObject<ModelType> {
/**
* Returns the identifier of the parent connection group, which cannot be
* null. If the parent is the root connection group, this will be
* RootConnectionGroup.IDENTIFIER.
*
* @return
* The identifier of the parent connection group.
*/
public String getParentIdentifier() {
// Translate null parent to proper identifier
String parentIdentifier = getModel().getParentIdentifier();
if (parentIdentifier == null)
return RootConnectionGroup.IDENTIFIER;
return parentIdentifier;
}
/**
* Sets the identifier of the associated parent connection group. If the
* parent is the root connection group, this should be
* RootConnectionGroup.IDENTIFIER.
*
* @param parentIdentifier
* The identifier of the connection group to associate as this object's
* parent.
*/
public void setParentIdentifier(String parentIdentifier) {
// Translate root identifier back into null
if (parentIdentifier != null
&& parentIdentifier.equals(RootConnectionGroup.IDENTIFIER))
parentIdentifier = null;
getModel().setParentIdentifier(parentIdentifier);
}
}

196
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObjectService.java Normal file
View File

@@ -0,0 +1,196 @@
/*
* Copyright (C) 2015 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.base;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
/**
* Service which provides convenience methods for creating, retrieving, and
* manipulating objects that can be within connection groups. This service will
* automatically enforce the permissions of the current user.
*
* @author Michael Jumper
* @param <InternalType>
* The specific internal implementation of the type of object this service
* provides access to.
*
* @param <ExternalType>
* The external interface or implementation of the type of object this
* service provides access to, as defined by the guacamole-ext API.
*
* @param <ModelType>
* The underlying model object used to represent InternalType in the
* database.
*/
public abstract class GroupedDirectoryObjectService<InternalType extends GroupedDirectoryObject<ModelType>,
ExternalType, ModelType extends GroupedObjectModel>
extends DirectoryObjectService<InternalType, ExternalType, ModelType> {
/**
* Returns the set of parent connection groups that are modified by the
* given model object (by virtue of the object changing parent groups). If
* the model is not changing parents, the resulting collection will be
* empty.
*
* @param user
* The user making the given changes to the model.
*
* @param identifier
* The identifier of the object that has been modified, if it exists.
* If the object is being created, this will be null.
*
* @param model
* The model that has been modified, if any. If the object is being
* deleted, this will be null.
*
* @return
* A collection of the identifiers of all parent connection groups
* that will be affected (updated) by the change.
*
* @throws GuacamoleException
* If an error occurs while determining which parent connection groups
* are affected.
*/
protected Collection<String> getModifiedGroups(AuthenticatedUser user,
String identifier, ModelType model) throws GuacamoleException {
// Get old parent identifier
String oldParentIdentifier = null;
if (identifier != null) {
ModelType current = retrieveObject(user, identifier).getModel();
oldParentIdentifier = current.getParentIdentifier();
}
// Get new parent identifier
String parentIdentifier = null;
if (model != null) {
parentIdentifier = model.getParentIdentifier();
// If both parents have the same identifier, nothing has changed
if (parentIdentifier != null && parentIdentifier.equals(oldParentIdentifier))
return Collections.EMPTY_LIST;
}
// Return collection of all non-root groups involved
Collection<String> groups = new ArrayList<String>(2);
if (oldParentIdentifier != null) groups.add(oldParentIdentifier);
if (parentIdentifier != null) groups.add(parentIdentifier);
return groups;
}
/**
* Returns whether the given user has permission to modify the parent
* connection groups affected by the modifications made to the given model
* object.
*
* @param user
* The user who changed the model object.
*
* @param identifier
* The identifier of the object that has been modified, if it exists.
* If the object is being created, this will be null.
*
* @param model
* The model that has been modified, if any. If the object is being
* deleted, this will be null.
*
* @return
* true if the user has update permission for all modified groups,
* false otherwise.
*
* @throws GuacamoleException
* If an error occurs while determining which parent connection groups
* are affected.
*/
protected boolean canUpdateModifiedGroups(AuthenticatedUser user,
String identifier, ModelType model) throws GuacamoleException {
// If user is an administrator, no need to check
if (user.getUser().isAdministrator())
return true;
// Verify that we have permission to modify any modified groups
Collection<String> modifiedGroups = getModifiedGroups(user, identifier, model);
if (!modifiedGroups.isEmpty()) {
ObjectPermissionSet permissionSet = user.getUser().getConnectionGroupPermissions();
Collection<String> updateableGroups = permissionSet.getAccessibleObjects(
Collections.singleton(ObjectPermission.Type.UPDATE),
modifiedGroups
);
return updateableGroups.size() == modifiedGroups.size();
}
return true;
}
@Override
protected void beforeCreate(AuthenticatedUser user,
ModelType model) throws GuacamoleException {
super.beforeCreate(user, model);
// Validate that we can update all applicable parent groups
if (!canUpdateModifiedGroups(user, null, model))
throw new GuacamoleSecurityException("Permission denied.");
}
@Override
protected void beforeUpdate(AuthenticatedUser user,
ModelType model) throws GuacamoleException {
super.beforeUpdate(user, model);
// Validate that we can update all applicable parent groups
if (!canUpdateModifiedGroups(user, model.getIdentifier(), model))
throw new GuacamoleSecurityException("Permission denied.");
}
@Override
protected void beforeDelete(AuthenticatedUser user,
String identifier) throws GuacamoleException {
super.beforeDelete(user, identifier);
// Validate that we can update all applicable parent groups
if (!canUpdateModifiedGroups(user, identifier, null))
throw new GuacamoleSecurityException("Permission denied.");
}
}

67
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedObjectModel.java Normal file
View File

@@ -0,0 +1,67 @@
/*
* Copyright (C) 2015 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.base;
/**
* Object representation of a Guacamole object, such as a user or connection,
* as represented in the database.
*
* @author Michael Jumper
*/
public abstract class GroupedObjectModel extends ObjectModel {
/**
* The unique identifier which identifies the parent of this object.
*/
private String parentIdentifier;
/**
* Creates a new, empty object.
*/
public GroupedObjectModel() {
}
/**
* Returns the identifier of the parent connection group, or null if the
* parent connection group is the root connection group.
*
* @return
* The identifier of the parent connection group, or null if the parent
* connection group is the root connection group.
*/
public String getParentIdentifier() {
return parentIdentifier;
}
/**
* Sets the identifier of the parent connection group.
*
* @param parentIdentifier
* The identifier of the parent connection group, or null if the parent
* connection group is the root connection group.
*/
public void setParentIdentifier(String parentIdentifier) {
this.parentIdentifier = parentIdentifier;
}
}

33
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionModel.java
View File

@@ -22,7 +22,7 @@
package org.glyptodon.guacamole.auth.jdbc.connection;
import org.glyptodon.guacamole.auth.jdbc.base.ObjectModel;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedObjectModel;
/**
* Object representation of a Guacamole connection, as represented in the
@@ -30,14 +30,8 @@ import org.glyptodon.guacamole.auth.jdbc.base.ObjectModel;
*
* @author Michael Jumper
*/
public class ConnectionModel extends ObjectModel {
public class ConnectionModel extends GroupedObjectModel {
/**
* The identifier of the parent connection group in the database, or null
* if the parent connection group is the root group.
*/
private String parentIdentifier;
/**
* The human-readable name associated with this connection.
*/
@@ -95,29 +89,6 @@ public class ConnectionModel extends ObjectModel {
this.protocol = protocol;
}
/**
* Returns the identifier of the parent connection group, or null if the
* parent connection group is the root connection group.
*
* @return
* The identifier of the parent connection group, or null if the parent
* connection group is the root connection group.
*/
public String getParentIdentifier() {
return parentIdentifier;
}
/**
* Sets the identifier of the parent connection group.
*
* @param parentIdentifier
* The identifier of the parent connection group, or null if the parent
* connection group is the root connection group.
*/
public void setParentIdentifier(String parentIdentifier) {
this.parentIdentifier = parentIdentifier;
}
@Override
public String getIdentifier() {

14
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java
View File

@@ -33,11 +33,11 @@ import java.util.Map;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.net.GuacamoleSocket;
@@ -55,7 +55,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
*
* @author Michael Jumper, James Muehlner
*/
public class ConnectionService extends DirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {
public class ConnectionService extends GroupedDirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {
/**
* Mapper for accessing connections.
@@ -148,9 +148,11 @@ public class ConnectionService extends DirectoryObjectService<ModeledConnection,
}
@Override
protected void validateNewModel(AuthenticatedUser user,
protected void beforeCreate(AuthenticatedUser user,
ConnectionModel model) throws GuacamoleException {
super.beforeCreate(user, model);
// Name must not be blank
if (model.getName().trim().isEmpty())
throw new GuacamoleClientException("Connection names must not be blank.");
@@ -163,9 +165,11 @@ public class ConnectionService extends DirectoryObjectService<ModeledConnection,
}
@Override
protected void validateExistingModel(AuthenticatedUser user,
protected void beforeUpdate(AuthenticatedUser user,
ConnectionModel model) throws GuacamoleException {
super.beforeUpdate(user, model);
// Name must not be blank
if (model.getName().trim().isEmpty())
throw new GuacamoleClientException("Connection names must not be blank.");
@@ -179,7 +183,7 @@ public class ConnectionService extends DirectoryObjectService<ModeledConnection,
throw new GuacamoleClientException("The connection \"" + model.getName() + "\" already exists.");
}
}
/**

31
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ModeledConnection.java
View File

@@ -25,10 +25,9 @@ package org.glyptodon.guacamole.auth.jdbc.connection;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.List;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObject;
import org.glyptodon.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObject;
import org.glyptodon.guacamole.net.GuacamoleSocket;
import org.glyptodon.guacamole.net.auth.Connection;
import org.glyptodon.guacamole.net.auth.ConnectionRecord;
@@ -42,7 +41,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleConfiguration;
* @author James Muehlner
* @author Michael Jumper
*/
public class ModeledConnection extends DirectoryObject<ConnectionModel>
public class ModeledConnection extends GroupedDirectoryObject<ConnectionModel>
implements Connection {
/**
@@ -67,7 +66,7 @@ public class ModeledConnection extends DirectoryObject<ConnectionModel>
* The manually-set GuacamoleConfiguration, if any.
*/
private GuacamoleConfiguration config = null;
/**
* Creates a new, empty ModeledConnection.
*/
@@ -84,30 +83,6 @@ public class ModeledConnection extends DirectoryObject<ConnectionModel>
getModel().setName(name);
}
@Override
public String getParentIdentifier() {
// Translate null parent to proper identifier
String parentIdentifier = getModel().getParentIdentifier();
if (parentIdentifier == null)
return RootConnectionGroup.IDENTIFIER;
return parentIdentifier;
}
@Override
public void setParentIdentifier(String parentIdentifier) {
// Translate root identifier back into null
if (parentIdentifier != null
&& parentIdentifier.equals(RootConnectionGroup.IDENTIFIER))
parentIdentifier = null;
getModel().setParentIdentifier(parentIdentifier);
}
@Override
public GuacamoleConfiguration getConfiguration() {

33
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupModel.java
View File

@@ -22,7 +22,7 @@
package org.glyptodon.guacamole.auth.jdbc.connectiongroup;
import org.glyptodon.guacamole.auth.jdbc.base.ObjectModel;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedObjectModel;
import org.glyptodon.guacamole.net.auth.ConnectionGroup;
/**
@@ -31,14 +31,8 @@ import org.glyptodon.guacamole.net.auth.ConnectionGroup;
*
* @author Michael Jumper
*/
public class ConnectionGroupModel extends ObjectModel {
public class ConnectionGroupModel extends GroupedObjectModel {
/**
* The identifier of the parent connection group in the database, or null
* if the parent connection group is the root group.
*/
private String parentIdentifier;
/**
* The human-readable name associated with this connection group.
*/
@@ -75,29 +69,6 @@ public class ConnectionGroupModel extends ObjectModel {
this.name = name;
}
/**
* Returns the identifier of the parent connection group, or null if the
* parent connection group is the root connection group.
*
* @return
* The identifier of the parent connection group, or null if the parent
* connection group is the root connection group.
*/
public String getParentIdentifier() {
return parentIdentifier;
}
/**
* Sets the identifier of the parent connection group.
*
* @param parentIdentifier
* The identifier of the parent connection group, or null if the parent
* connection group is the root connection group.
*/
public void setParentIdentifier(String parentIdentifier) {
this.parentIdentifier = parentIdentifier;
}
/**
* Returns the type of this connection group, such as organizational or
* balancing.

29
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java
View File

@@ -27,11 +27,12 @@ import com.google.inject.Provider;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.GuacamoleUnsupportedException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.net.GuacamoleSocket;
@@ -48,7 +49,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
*
* @author Michael Jumper, James Muehlner
*/
public class ConnectionGroupService extends DirectoryObjectService<ModeledConnectionGroup,
public class ConnectionGroupService extends GroupedDirectoryObjectService<ModeledConnectionGroup,
ConnectionGroup, ConnectionGroupModel> {
/**
@@ -130,9 +131,11 @@ public class ConnectionGroupService extends DirectoryObjectService<ModeledConnec
}
@Override
protected void validateNewModel(AuthenticatedUser user,
protected void beforeCreate(AuthenticatedUser user,
ConnectionGroupModel model) throws GuacamoleException {
super.beforeCreate(user, model);
// Name must not be blank
if (model.getName().trim().isEmpty())
throw new GuacamoleClientException("Connection group names must not be blank.");
@@ -145,9 +148,11 @@ public class ConnectionGroupService extends DirectoryObjectService<ModeledConnec
}
@Override
protected void validateExistingModel(AuthenticatedUser user,
protected void beforeUpdate(AuthenticatedUser user,
ConnectionGroupModel model) throws GuacamoleException {
super.beforeUpdate(user, model);
// Name must not be blank
if (model.getName().trim().isEmpty())
throw new GuacamoleClientException("Connection group names must not be blank.");
@@ -161,7 +166,21 @@ public class ConnectionGroupService extends DirectoryObjectService<ModeledConnec
throw new GuacamoleClientException("The connection group \"" + model.getName() + "\" already exists.");
}
// Verify that this connection group's location does not create a cycle
String relativeParentIdentifier = model.getParentIdentifier();
while (relativeParentIdentifier != null) {
// Abort if cycle is detected
if (relativeParentIdentifier.equals(model.getIdentifier()))
throw new GuacamoleUnsupportedException("A connection group may not contain itself.");
// Advance to next parent
ModeledConnectionGroup relativeParentGroup = retrieveObject(user, relativeParentIdentifier);
relativeParentIdentifier = relativeParentGroup.getModel().getParentIdentifier();
}
}
/**

28
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java
View File

@@ -24,10 +24,10 @@ package org.glyptodon.guacamole.auth.jdbc.connectiongroup;
import com.google.inject.Inject;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObject;
import org.glyptodon.guacamole.auth.jdbc.connection.ConnectionService;
import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObject;
import org.glyptodon.guacamole.net.GuacamoleSocket;
import org.glyptodon.guacamole.net.auth.ConnectionGroup;
import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
@@ -38,7 +38,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
*
* @author James Muehlner
*/
public class ModeledConnectionGroup extends DirectoryObject<ConnectionGroupModel>
public class ModeledConnectionGroup extends GroupedDirectoryObject<ConnectionGroupModel>
implements ConnectionGroup {
/**
@@ -75,30 +75,6 @@ public class ModeledConnectionGroup extends DirectoryObject<ConnectionGroupModel
getModel().setName(name);
}
@Override
public String getParentIdentifier() {
// Translate null parent to proper identifier
String parentIdentifier = getModel().getParentIdentifier();
if (parentIdentifier == null)
return RootConnectionGroup.IDENTIFIER;
return parentIdentifier;
}
@Override
public void setParentIdentifier(String parentIdentifier) {
// Translate root identifier back into null
if (parentIdentifier != null
&& parentIdentifier.equals(RootConnectionGroup.IDENTIFIER))
parentIdentifier = null;
getModel().setParentIdentifier(parentIdentifier);
}
@Override
public GuacamoleSocket connect(GuacamoleClientInformation info)
throws GuacamoleException {

14
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ObjectPermissionService.java
View File

@@ -185,9 +185,8 @@ public abstract class ObjectPermissionService
ModeledUser targetUser, ObjectPermission.Type type,
String identifier) throws GuacamoleException {
// Only an admin can read permissions that aren't his own
if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
|| user.getUser().isAdministrator()) {
// Retrieve permissions only if allowed
if (canReadPermissions(user, targetUser)) {
// Read permission from database, return null if not found
ObjectPermissionModel model = getPermissionMapper().selectOne(targetUser.getModel(), type, identifier);
@@ -237,14 +236,11 @@ public abstract class ObjectPermissionService
if (identifiers.isEmpty())
return identifiers;
// Determine whether the user is an admin
boolean isAdmin = user.getUser().isAdministrator();
// Only an admin can read permissions that aren't his own
if (isAdmin || user.getUser().getIdentifier().equals(targetUser.getIdentifier())) {
// Retrieve permissions only if allowed
if (canReadPermissions(user, targetUser)) {
// If user is an admin, everything is accessible
if (isAdmin)
if (user.getUser().isAdministrator())
return identifiers;
// Otherwise, return explicitly-retrievable identifiers

43
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/PermissionService.java
View File

@@ -30,6 +30,8 @@ import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.user.ModeledUser;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
import org.glyptodon.guacamole.net.auth.permission.Permission;
import org.glyptodon.guacamole.net.auth.permission.PermissionSet;
@@ -141,6 +143,42 @@ public abstract class PermissionService<PermissionSetType extends PermissionSet<
}
/**
* Determines whether the given user can read the permissions currently
* granted to the given target user. If the reading user and the target
* user are not the same, then explicit READ or SYSTEM_ADMINISTER access is
* required.
*
* @param user
* The user attempting to read permissions.
*
* @param targetUser
* The user whose permissions are being read.
*
* @return
* true if permission is granted, false otherwise.
*
* @throws GuacamoleException
* If an error occurs while checking permission status, or if
* permission is denied to read the current user's permissions.
*/
protected boolean canReadPermissions(AuthenticatedUser user,
ModeledUser targetUser) throws GuacamoleException {
// A user can always read their own permissions
if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
return true;
// A system adminstrator can do anything
if (user.getUser().isAdministrator())
return true;
// Can read permissions on target user if explicit READ is granted
ObjectPermissionSet userPermissionSet = user.getUser().getUserPermissions();
return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier());
}
/**
* Returns a permission set that can be used to retrieve and manipulate the
* permissions of the given user.
@@ -183,9 +221,8 @@ public abstract class PermissionService<PermissionSetType extends PermissionSet<
public Set<PermissionType> retrievePermissions(AuthenticatedUser user,
ModeledUser targetUser) throws GuacamoleException {
// Only an admin can read permissions that aren't his own
if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())
|| user.getUser().isAdministrator())
// Retrieve permissions only if allowed
if (canReadPermissions(user, targetUser))
return getPermissionInstances(getPermissionMapper().select(targetUser.getModel()));
// User cannot read this user's permissions

6
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/SystemPermissionService.java
View File

@@ -29,6 +29,7 @@ import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.user.ModeledUser;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.GuacamoleUnsupportedException;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
/**
@@ -112,6 +113,11 @@ public class SystemPermissionService
// Only an admin can delete system permissions
if (user.getUser().isAdministrator()) {
// Do not allow users to remove their own admin powers
if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
throw new GuacamoleUnsupportedException("Removing your own administrative permissions is not allowed.");
Collection<SystemPermissionModel> models = getModelInstances(targetUser, permissions);
systemPermissionMapper.delete(models);
return;

13
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/PasswordEncryptionService.java
View File

@@ -30,11 +30,16 @@ public interface PasswordEncryptionService {
/**
* Creates a password hash based on the provided username, password, and
* salt.
* salt. If the provided salt is null, only the password itself is hashed.
*
* @param password The password to hash.
* @param salt The salt to use when hashing the password.
* @return The generated password hash.
* @param password
* The password to hash.
*
* @param salt
* The salt to use when hashing the password, if any.
*
* @return
* The generated password hash.
*/
public byte[] createPasswordHash(String password, byte[] salt);

20
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/security/SHA256PasswordEncryptionService.java
View File

@@ -38,26 +38,26 @@ public class SHA256PasswordEncryptionService implements PasswordEncryptionServic
try {
// Build salted password
// Build salted password, if a salt was provided
StringBuilder builder = new StringBuilder();
builder.append(password);
builder.append(DatatypeConverter.printHexBinary(salt));
// Hash UTF-8 bytes of salted password
if (salt != null)
builder.append(DatatypeConverter.printHexBinary(salt));
// Hash UTF-8 bytes of possibly-salted password
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(builder.toString().getBytes("UTF-8"));
return md.digest();
}
// Should not happen
catch (UnsupportedEncodingException ex) {
throw new RuntimeException(ex);
// Throw hard errors if standard pieces of Java are missing
catch (UnsupportedEncodingException e) {
throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e);
}
// Should not happen
catch (NoSuchAlgorithmException ex) {
throw new RuntimeException(ex);
catch (NoSuchAlgorithmException e) {
throw new UnsupportedOperationException("Unexpected lack of SHA-256 support.", e);
}
}

258
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/AbstractGuacamoleSocketService.java
View File

@@ -44,7 +44,6 @@ import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.auth.jdbc.connection.ConnectionMapper;
import org.glyptodon.guacamole.environment.Environment;
import org.glyptodon.guacamole.net.GuacamoleSocket;
import org.glyptodon.guacamole.net.InetGuacamoleSocket;
import org.glyptodon.guacamole.net.auth.Connection;
import org.glyptodon.guacamole.net.auth.ConnectionGroup;
import org.glyptodon.guacamole.net.auth.ConnectionRecord;
@@ -139,6 +138,37 @@ public abstract class AbstractGuacamoleSocketService implements GuacamoleSocketS
protected abstract void release(AuthenticatedUser user,
ModeledConnection connection);
/**
* Acquires possibly-exclusive access to the given connection group on
* behalf of the given user. If access is denied for any reason, an
* exception is thrown.
*
* @param user
* The user acquiring access.
*
* @param connectionGroup
* The connection group being accessed.
*
* @throws GuacamoleException
* If access is denied to the given user for any reason.
*/
protected abstract void acquire(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) throws GuacamoleException;
/**
* Releases possibly-exclusive access to the given connection group on
* behalf of the given user. If the given user did not already have access,
* the behavior of this function is undefined.
*
* @param user
* The user releasing access.
*
* @param connectionGroup
* The connection group being released.
*/
protected abstract void release(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup);
/**
* Returns a guacamole configuration containing the protocol and parameters
* from the given connection. If tokens are used in the connection
@@ -183,19 +213,17 @@ public abstract class AbstractGuacamoleSocketService implements GuacamoleSocketS
}
/**
* Saves the given ActiveConnectionRecord to the database, associating it
* with the connection having the given identifier. The end date of the
* saved record will be populated with the current time.
*
* @param identifier
* The connection to associate the new record with.
* Saves the given ActiveConnectionRecord to the database. The end date of
* the saved record will be populated with the current time.
*
* @param record
* The record to save.
*/
private void saveConnectionRecord(String identifier,
ActiveConnectionRecord record) {
private void saveConnectionRecord(ActiveConnectionRecord record) {
// Get associated connection
ModeledConnection connection = record.getConnection();
// Get associated models
AuthenticatedUser user = record.getUser();
UserModel userModel = user.getUser().getModel();
@@ -204,7 +232,7 @@ public abstract class AbstractGuacamoleSocketService implements GuacamoleSocketS
// Copy user information and timestamps into new record
recordModel.setUserID(userModel.getObjectID());
recordModel.setUsername(userModel.getIdentifier());
recordModel.setConnectionIdentifier(identifier);
recordModel.setConnectionIdentifier(connection.getIdentifier());
recordModel.setStartDate(record.getStartDate());
recordModel.setEndDate(new Date());
@@ -224,24 +252,88 @@ public abstract class AbstractGuacamoleSocketService implements GuacamoleSocketS
* If an error occurs while connecting to guacd, or while parsing
* guacd-related properties.
*/
private GuacamoleSocket getUnconfiguredGuacamoleSocket()
private GuacamoleSocket getUnconfiguredGuacamoleSocket(Runnable socketClosedCallback)
throws GuacamoleException {
// Use SSL if requested
if (environment.getProperty(Environment.GUACD_SSL, true))
return new InetGuacamoleSocket(
return new ManagedInetGuacamoleSocket(
environment.getRequiredProperty(Environment.GUACD_HOSTNAME),
environment.getRequiredProperty(Environment.GUACD_PORT)
environment.getRequiredProperty(Environment.GUACD_PORT),
socketClosedCallback
);
// Otherwise, just use straight TCP
return new InetGuacamoleSocket(
return new ManagedInetGuacamoleSocket(
environment.getRequiredProperty(Environment.GUACD_HOSTNAME),
environment.getRequiredProperty(Environment.GUACD_PORT)
environment.getRequiredProperty(Environment.GUACD_PORT),
socketClosedCallback
);
}
/**
* Task which handles cleanup of a connection associated with some given
* ActiveConnectionRecord.
*/
private class ConnectionCleanupTask implements Runnable {
/**
* Whether this task has run.
*/
private final AtomicBoolean hasRun = new AtomicBoolean(false);
/**
* The ActiveConnectionRecord whose connection will be cleaned up once
* this task runs.
*/
private final ActiveConnectionRecord activeConnection;
/**
* Creates a new task which automatically cleans up after the
* connection associated with the given ActiveConnectionRecord. The
* connection and parent group will be removed from the maps of active
* connections and groups, and exclusive access will be released.
*
* @param activeConnection
* The ActiveConnectionRecord whose associated connection should be
* cleaned up once this task runs.
*/
public ConnectionCleanupTask(ActiveConnectionRecord activeConnection) {
this.activeConnection = activeConnection;
}
@Override
public void run() {
// Only run once
if (!hasRun.compareAndSet(false, true))
return;
// Get original user and connection
AuthenticatedUser user = activeConnection.getUser();
ModeledConnection connection = activeConnection.getConnection();
// Get associated identifiers
String identifier = connection.getIdentifier();
String parentIdentifier = connection.getParentIdentifier();
// Release connection
activeConnections.remove(identifier, activeConnection);
activeConnectionGroups.remove(parentIdentifier, activeConnection);
release(user, connection);
// Release any associated group
if (activeConnection.hasBalancingGroup())
release(user, activeConnection.getBalancingGroup());
// Save history record to database
saveConnectionRecord(activeConnection);
}
}
/**
* Creates a socket for the given user which connects to the given
* connection, which MUST already be acquired via acquire(). The given
@@ -269,73 +361,77 @@ public abstract class AbstractGuacamoleSocketService implements GuacamoleSocketS
* If an error occurs while the connection is being established, or
* while connection configuration information is being retrieved.
*/
private GuacamoleSocket connect(final AuthenticatedUser user,
final ModeledConnection connection, GuacamoleClientInformation info)
private GuacamoleSocket getGuacamoleSocket(ActiveConnectionRecord activeConnection,
GuacamoleClientInformation info)
throws GuacamoleException {
// Create record for active connection
final ActiveConnectionRecord activeConnection = new ActiveConnectionRecord(user);
ModeledConnection connection = activeConnection.getConnection();
// Record new active connection
Runnable cleanupTask = new ConnectionCleanupTask(activeConnection);
activeConnections.put(connection.getIdentifier(), activeConnection);
activeConnectionGroups.put(connection.getParentIdentifier(), activeConnection);
// Get relevant identifiers
final AtomicBoolean released = new AtomicBoolean(false);
final String identifier = connection.getIdentifier();
final String parentIdentifier = connection.getParentIdentifier();
// Return new socket
try {
// Record new active connection
activeConnections.put(identifier, activeConnection);
activeConnectionGroups.put(parentIdentifier, activeConnection);
// Return newly-reserved connection
return new ConfiguredGuacamoleSocket(
getUnconfiguredGuacamoleSocket(),
getGuacamoleConfiguration(user, connection),
getUnconfiguredGuacamoleSocket(cleanupTask),
getGuacamoleConfiguration(activeConnection.getUser(), connection),
info
) {
@Override
public void close() throws GuacamoleException {
// Attempt to close connection
super.close();
// Release connection upon close, if not already released
if (released.compareAndSet(false, true)) {
// Release connection
activeConnections.remove(identifier, activeConnection);
activeConnectionGroups.remove(parentIdentifier, activeConnection);
release(user, connection);
// Save record to database
saveConnectionRecord(identifier, activeConnection);
}
} // end close()
};
);
}
// Release connection in case of error
// Execute cleanup if socket could not be created
catch (GuacamoleException e) {
// Release connection if not already released
if (released.compareAndSet(false, true)) {
activeConnections.remove(identifier, activeConnection);
activeConnectionGroups.remove(parentIdentifier, activeConnection);
release(user, connection);
}
cleanupTask.run();
throw e;
}
}
/**
* Returns a list of all balanced connections within a given connection
* group. If the connection group is not balancing, or it contains no
* connections, an empty list is returned.
*
* @param user
* The user on whose behalf the balanced connections within the given
* connection group are being retrieved.
*
* @param connectionGroup
* The connection group to retrieve the balanced connections of.
*
* @return
* A list containing all balanced connections within the given group,
* or an empty list if there are no such connections.
*/
private List<ModeledConnection> getBalancedConnections(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) {
// If not a balancing group, there are no balanced connections
if (connectionGroup.getType() != ConnectionGroup.Type.BALANCING)
return Collections.EMPTY_LIST;
// If group has no children, there are no balanced connections
Collection<String> identifiers = connectionMapper.selectIdentifiersWithin(connectionGroup.getIdentifier());
if (identifiers.isEmpty())
return Collections.EMPTY_LIST;
// Retrieve all children
Collection<ConnectionModel> models = connectionMapper.select(identifiers);
List<ModeledConnection> connections = new ArrayList<ModeledConnection>(models.size());
// Convert each retrieved model to a modeled connection
for (ConnectionModel model : models) {
ModeledConnection connection = connectionProvider.get();
connection.init(user, model);
connections.add(connection);
}
return connections;
}
@Override
@Transactional
public GuacamoleSocket getGuacamoleSocket(final AuthenticatedUser user,
@@ -344,7 +440,7 @@ public abstract class AbstractGuacamoleSocketService implements GuacamoleSocketS
// Acquire and connect to single connection
acquire(user, Collections.singletonList(connection));
return connect(user, connection, info);
return getGuacamoleSocket(new ActiveConnectionRecord(user, connection), info);
}
@@ -359,29 +455,17 @@ public abstract class AbstractGuacamoleSocketService implements GuacamoleSocketS
ModeledConnectionGroup connectionGroup,
GuacamoleClientInformation info) throws GuacamoleException {
// If not a balancing group, cannot connect
if (connectionGroup.getType() != ConnectionGroup.Type.BALANCING)
throw new GuacamoleSecurityException("Permission denied.");
// If group has no children, cannot connect
Collection<String> identifiers = connectionMapper.selectIdentifiersWithin(connectionGroup.getIdentifier());
if (identifiers.isEmpty())
// If group has no associated balanced connections, cannot connect
List<ModeledConnection> connections = getBalancedConnections(user, connectionGroup);
if (connections.isEmpty())
throw new GuacamoleSecurityException("Permission denied.");
// Otherwise, retrieve all children
Collection<ConnectionModel> models = connectionMapper.select(identifiers);
List<ModeledConnection> connections = new ArrayList<ModeledConnection>(models.size());
// Convert each retrieved model to a modeled connection
for (ConnectionModel model : models) {
ModeledConnection connection = connectionProvider.get();
connection.init(user, model);
connections.add(connection);
}
// Acquire group
acquire(user, connectionGroup);
// Acquire and connect to any child
ModeledConnection connection = acquire(user, connections);
return connect(user, connection, info);
return getGuacamoleSocket(new ActiveConnectionRecord(user, connectionGroup, connection), info);
}

83
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/ActiveConnectionRecord.java
View File

@@ -23,6 +23,8 @@
package org.glyptodon.guacamole.auth.jdbc.socket;
import java.util.Date;
import org.glyptodon.guacamole.auth.jdbc.connection.ModeledConnection;
import org.glyptodon.guacamole.auth.jdbc.connectiongroup.ModeledConnectionGroup;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.net.auth.ConnectionRecord;
@@ -43,21 +45,62 @@ public class ActiveConnectionRecord implements ConnectionRecord {
*/
private final AuthenticatedUser user;
/**
* The balancing group from which the associated connection was chosen, if
* any. If no balancing group was used, this will be null.
*/
private final ModeledConnectionGroup balancingGroup;
/**
* The connection associated with this connection record.
*/
private final ModeledConnection connection;
/**
* The time this connection record was created.
*/
private final Date startDate = new Date();
/**
* Creates a new connection record associated with the given user. The
* start date of this connection record will be the time of its creation.
* Creates a new connection record associated with the given user,
* connection, and balancing connection group. The given balancing
* connection group MUST be the connection group from which the given
* connection was chosen. The start date of this connection record will be
* the time of its creation.
*
* @param user
* The user that connected to the connection associated with this
* connection record.
*
* @param balancingGroup
* The balancing group from which the given connection was chosen.
*
* @param connection
* The connection to associate with this connection record.
*/
public ActiveConnectionRecord(AuthenticatedUser user) {
public ActiveConnectionRecord(AuthenticatedUser user,
ModeledConnectionGroup balancingGroup,
ModeledConnection connection) {
this.user = user;
this.balancingGroup = balancingGroup;
this.connection = connection;
}
/**
* Creates a new connection record associated with the given user and
* connection. The start date of this connection record will be the time of
* its creation.
*
* @param user
* The user that connected to the connection associated with this
* connection record.
*
* @param connection
* The connection to associate with this connection record.
*/
public ActiveConnectionRecord(AuthenticatedUser user,
ModeledConnection connection) {
this(user, null, connection);
}
/**
@@ -72,6 +115,40 @@ public class ActiveConnectionRecord implements ConnectionRecord {
return user;
}
/**
* Returns the balancing group from which the connection associated with
* this connection record was chosen.
*
* @return
* The balancing group from which the connection associated with this
* connection record was chosen.
*/
public ModeledConnectionGroup getBalancingGroup() {
return balancingGroup;
}
/**
* Returns the connection associated with this connection record.
*
* @return
* The connection associated with this connection record.
*/
public ModeledConnection getConnection() {
return connection;
}
/**
* Returns whether the connection associated with this connection record
* was chosen from a balancing group.
*
* @return
* true if the connection associated with this connection record was
* chosen from a balancing group, false otherwise.
*/
public boolean hasBalancingGroup() {
return balancingGroup != null;
}
@Override
public Date getStartDate() {
return startDate;

88
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/BalancedGuacamoleSocketService.java Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (C) 2015 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.socket;
import com.google.inject.Singleton;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.connection.ModeledConnection;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleResourceConflictException;
import org.glyptodon.guacamole.auth.jdbc.connectiongroup.ModeledConnectionGroup;
/**
* GuacamoleSocketService implementation which allows only one user per
* connection at any time, but does not disallow concurrent use of connection
* groups. If a user attempts to use a connection group multiple times, they
* will receive different underlying connections each time until the group is
* exhausted.
*
* @author Michael Jumper
*/
@Singleton
public class BalancedGuacamoleSocketService
extends AbstractGuacamoleSocketService {
/**
* The set of all active connection identifiers.
*/
private final Set<String> activeConnections =
Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
@Override
protected ModeledConnection acquire(AuthenticatedUser user,
List<ModeledConnection> connections) throws GuacamoleException {
// Return the first unused connection
for (ModeledConnection connection : connections) {
if (activeConnections.add(connection.getIdentifier()))
return connection;
}
// Already in use
throw new GuacamoleResourceConflictException("Cannot connect. This connection is in use.");
}
@Override
protected void release(AuthenticatedUser user, ModeledConnection connection) {
activeConnections.remove(connection.getIdentifier());
}
@Override
protected void acquire(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) throws GuacamoleException {
// Do nothing
}
@Override
protected void release(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) {
// Do nothing
}
}

71
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/ManagedInetGuacamoleSocket.java Normal file
View File

@@ -0,0 +1,71 @@
/*
* Copyright (C) 2015 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.socket;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.net.InetGuacamoleSocket;
/**
* Implementation of GuacamoleSocket which connects via TCP to a given hostname
* and port. If the socket is closed for any reason, a given task is run.
*
* @author Michael Jumper
*/
public class ManagedInetGuacamoleSocket extends InetGuacamoleSocket {
/**
* The task to run when the socket is closed.
*/
private final Runnable socketClosedTask;
/**
* Creates a new socket which connects via TCP to a given hostname and
* port. If the socket is closed for any reason, the given task is run.
*
* @param hostname
* The hostname of the Guacamole proxy server to connect to.
*
* @param port
* The port of the Guacamole proxy server to connect to.
*
* @param socketClosedTask
* The task to run when the socket is closed. This task will NOT be
* run if an exception occurs during connection, and this
* ManagedInetGuacamoleSocket instance is ultimately not created.
*
* @throws GuacamoleException
* If an error occurs while connecting to the Guacamole proxy server.
*/
public ManagedInetGuacamoleSocket(String hostname, int port,
Runnable socketClosedTask) throws GuacamoleException {
super(hostname, port);
this.socketClosedTask = socketClosedTask;
}
@Override
public void close() throws GuacamoleException {
super.close();
socketClosedTask.run();
}
}

110
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/MultiseatGuacamoleSocketService.java
View File

@@ -23,20 +23,24 @@
package org.glyptodon.guacamole.auth.jdbc.socket;
import com.google.inject.Singleton;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.glyptodon.guacamole.GuacamoleClientTooManyException;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.connection.ModeledConnection;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleResourceConflictException;
import org.glyptodon.guacamole.auth.jdbc.connectiongroup.ModeledConnectionGroup;
/**
* GuacamoleSocketService implementation which restricts concurrency only on a
* per-user basis. Each connection may be used concurrently any number of
* times, but each concurrent use must be associated with a different user.
* per-user basis. Each connection or group may be used concurrently any number
* of times, but each concurrent use must be associated with a different user.
*
* @author Michael Jumper
*/
@@ -44,83 +48,40 @@ import org.glyptodon.guacamole.GuacamoleResourceConflictException;
public class MultiseatGuacamoleSocketService
extends AbstractGuacamoleSocketService {
/**
* A unique pairing of user and connection.
*/
private static class Seat {
/**
* The user using this seat.
*/
private final String username;
/**
* The connection associated with this seat.
*/
private final String connectionIdentifier;
/**
* Creates a new seat which associated the given user with the given
* connection.
*
* @param username
* The username of the user using this seat.
*
* @param connectionIdentifier
* The identifier of the connection associated with this seat.
*/
public Seat(String username, String connectionIdentifier) {
this.username = username;
this.connectionIdentifier = connectionIdentifier;
}
@Override
public int hashCode() {
// The various properties will never be null
assert(username != null);
assert(connectionIdentifier != null);
// Derive hashcode from username and connection identifier
int hash = 5;
hash = 37 * hash + username.hashCode();
hash = 37 * hash + connectionIdentifier.hashCode();
return hash;
}
@Override
public boolean equals(Object object) {
// We are only comparing against other seats here
assert(object instanceof Seat);
Seat seat = (Seat) object;
// The various properties will never be null
assert(seat.username != null);
assert(seat.connectionIdentifier != null);
return username.equals(seat.username)
&& connectionIdentifier.equals(seat.connectionIdentifier);
}
}
/**
* The set of all active user/connection pairs.
*/
private final Set<Seat> activeSeats =
Collections.newSetFromMap(new ConcurrentHashMap<Seat, Boolean>());
/**
* The set of all active user/connection group pairs.
*/
private final Set<Seat> activeGroupSeats =
Collections.newSetFromMap(new ConcurrentHashMap<Seat, Boolean>());
@Override
protected ModeledConnection acquire(AuthenticatedUser user,
List<ModeledConnection> connections) throws GuacamoleException {
String username = user.getUser().getIdentifier();
// Sort connections in ascending order of usage
ModeledConnection[] sortedConnections = connections.toArray(new ModeledConnection[connections.size()]);
Arrays.sort(sortedConnections, new Comparator<ModeledConnection>() {
@Override
public int compare(ModeledConnection a, ModeledConnection b) {
return getActiveConnections(a).size()
- getActiveConnections(b).size();
}
});
// Return the first unreserved connection
for (ModeledConnection connection : connections) {
for (ModeledConnection connection : sortedConnections) {
if (activeSeats.add(new Seat(username, connection.getIdentifier())))
return connection;
}
@@ -135,4 +96,21 @@ public class MultiseatGuacamoleSocketService
activeSeats.remove(new Seat(user.getUser().getIdentifier(), connection.getIdentifier()));
}
@Override
protected void acquire(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) throws GuacamoleException {
// Do not allow duplicate use of connection groups
Seat seat = new Seat(user.getUser().getIdentifier(), connectionGroup.getIdentifier());
if (!activeGroupSeats.add(seat))
throw new GuacamoleClientTooManyException("Cannot connect. Connection group already in use by this user.");
}
@Override
protected void release(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) {
activeGroupSeats.remove(new Seat(user.getUser().getIdentifier(), connectionGroup.getIdentifier()));
}
}

183
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/ReservedGuacamoleSocketService.java
View File

@@ -1,183 +0,0 @@
/*
* Copyright (C) 2015 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.socket;
import com.google.inject.Singleton;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.connection.ModeledConnection;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleResourceConflictException;
/**
* GuacamoleSocketService implementation which allows only one user per
* connection at any time, but does not disallow concurrent use. Once
* connected, a user has effectively reserved that connection, and may
* continue to concurrently use that connection any number of times. The
* connection will remain reserved until all associated connections are closed.
* Other users will be denied access to that connection while it is reserved.
*
* @author Michael Jumper
*/
@Singleton
public class ReservedGuacamoleSocketService
extends AbstractGuacamoleSocketService {
/**
* An arbitrary number of reservations associated with a specific user.
* Initially, each Reservation instance represents exactly one reservation,
* but future calls to acquire() may increase this value. Once the
* reservation count is reduced to zero by calls to release(), a
* Reservation instance is empty and cannot be reused. It must be discarded
* and replaced with a fresh Reservation.
*
* This is necessary as each Reservation will be stored within a Map, and
* the effect of acquire() must be deterministic. If Reservations could be
* reused, the internal count could potentially increase after being
* removed from the map, resulting in a successful acquire() that really
* should have failed.
*/
private static class Reservation {
/**
* The username of the user associated with this reservation.
*/
private final String username;
/**
* The number of reservations effectively present under the associated
* username.
*/
private int count = 1;
/**
* Creates a new reservation which tracks the overall number of
* reservations for a given user.
* @param username
*/
public Reservation(String username) {
this.username = username;
}
/**
* Attempts to acquire a new reservation under the given username. If
* this reservation is for a different user, or the reservation has
* expired, this will fail.
*
* @param username
* The username of the user to acquire the reservation for.
*
* @return
* true if the reservation was successful, false otherwise.
*/
public boolean acquire(String username) {
// Acquire always fails if for the wrong user
if (!this.username.equals(username))
return false;
// Determine success/failure based on count
synchronized (this) {
// If already expired, no further reservations are allowed
if (count == 0)
return false;
// Otherwise, add another reservation, report success
count++;
return true;
}
}
/**
* Releases a previous reservation. The result of calling this function
* without a previous matching call to acquire is undefined.
*
* @return
* true if the last reservation has been released and this
* reservation is now empty, false otherwise.
*/
public boolean release() {
synchronized (this) {
// Reduce reservation count
count--;
// Empty if no reservations remain
return count == 0;
}
}
}
/**
* Map of connection identifier to associated reservations.
*/
private final ConcurrentMap<String, Reservation> reservations =
new ConcurrentHashMap<String, Reservation>();
@Override
protected ModeledConnection acquire(AuthenticatedUser user,
List<ModeledConnection> connections) throws GuacamoleException {
String username = user.getUser().getIdentifier();
// Return the first successfully-reserved connection
for (ModeledConnection connection : connections) {
String identifier = connection.getIdentifier();
// Attempt to reserve connection, return if successful
Reservation reservation = reservations.putIfAbsent(identifier, new Reservation(username));
if (reservation == null || reservation.acquire(username))
return connection;
}
// Already in use
throw new GuacamoleResourceConflictException("Cannot connect. This connection is in use.");
}
@Override
protected void release(AuthenticatedUser user, ModeledConnection connection) {
String identifier = connection.getIdentifier();
// Retrieve active reservation (which must exist)
Reservation reservation = reservations.get(identifier);
assert(reservation != null);
// Release reservation, remove from map if empty
if (reservation.release())
reservations.remove(identifier);
}
}

89
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/Seat.java Normal file
View File

@@ -0,0 +1,89 @@
/*
* Copyright (C) 2015 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.socket;
/**
* A unique pairing of user and connection or connection group.
*
* @author Michael Jumper
*/
public class Seat {
/**
* The user using this seat.
*/
private final String username;
/**
* The connection or connection group associated with this seat.
*/
private final String identifier;
/**
* Creates a new seat which associated the given user with the given
* connection or connection group.
*
* @param username
* The username of the user using this seat.
*
* @param identifier
* The identifier of the connection or connection group associated with
* this seat.
*/
public Seat(String username, String identifier) {
this.username = username;
this.identifier = identifier;
}
@Override
public int hashCode() {
// The various properties will never be null
assert(username != null);
assert(identifier != null);
// Derive hashcode from username and connection identifier
int hash = 5;
hash = 37 * hash + username.hashCode();
hash = 37 * hash + identifier.hashCode();
return hash;
}
@Override
public boolean equals(Object object) {
// We are only comparing against other seats here
assert(object instanceof Seat);
Seat seat = (Seat) object;
// The various properties will never be null
assert(seat.username != null);
assert(seat.identifier != null);
return username.equals(seat.username)
&& identifier.equals(seat.identifier);
}
}

31
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/SingleSeatGuacamoleSocketService.java
View File

@@ -27,15 +27,19 @@ import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.glyptodon.guacamole.GuacamoleClientTooManyException;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.connection.ModeledConnection;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleResourceConflictException;
import org.glyptodon.guacamole.auth.jdbc.connectiongroup.ModeledConnectionGroup;
/**
* GuacamoleSocketService implementation which allows exactly one use
* of any connection at any time. Concurrent usage of any kind is not allowed.
* of any connection at any time. Concurrent usage of connections is not
* allowed, and concurrent usage of connection groups is allowed only between
* different users.
*
* @author Michael Jumper
*/
@@ -48,7 +52,13 @@ public class SingleSeatGuacamoleSocketService
*/
private final Set<String> activeConnections =
Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
/**
* The set of all active user/connection group pairs.
*/
private final Set<Seat> activeGroupSeats =
Collections.newSetFromMap(new ConcurrentHashMap<Seat, Boolean>());
@Override
protected ModeledConnection acquire(AuthenticatedUser user,
List<ModeledConnection> connections) throws GuacamoleException {
@@ -69,4 +79,21 @@ public class SingleSeatGuacamoleSocketService
activeConnections.remove(connection.getIdentifier());
}
@Override
protected void acquire(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) throws GuacamoleException {
// Do not allow duplicate use of connection groups
Seat seat = new Seat(user.getUser().getIdentifier(), connectionGroup.getIdentifier());
if (!activeGroupSeats.add(seat))
throw new GuacamoleClientTooManyException("Cannot connect. Connection group already in use by this user.");
}
@Override
protected void release(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) {
activeGroupSeats.remove(new Seat(user.getUser().getIdentifier(), connectionGroup.getIdentifier()));
}
}

13
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/socket/UnrestrictedGuacamoleSocketService.java
View File

@@ -27,6 +27,7 @@ import java.util.List;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.connection.ModeledConnection;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.auth.jdbc.connectiongroup.ModeledConnectionGroup;
/**
@@ -66,4 +67,16 @@ public class UnrestrictedGuacamoleSocketService
// Do nothing
}
@Override
protected void acquire(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) throws GuacamoleException {
// Do nothing
}
@Override
protected void release(AuthenticatedUser user,
ModeledConnectionGroup connectionGroup) {
// Do nothing
}
}

19
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserService.java
View File

@@ -32,6 +32,7 @@ import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectService;
import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleUnsupportedException;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionModel;
import org.glyptodon.guacamole.auth.jdbc.permission.UserPermissionMapper;
@@ -137,9 +138,11 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
}
@Override
protected void validateNewModel(AuthenticatedUser user, UserModel model)
protected void beforeCreate(AuthenticatedUser user, UserModel model)
throws GuacamoleException {
super.beforeCreate(user, model);
// Username must not be blank
if (model.getIdentifier().trim().isEmpty())
throw new GuacamoleClientException("The username must not be blank.");
@@ -152,9 +155,11 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
}
@Override
protected void validateExistingModel(AuthenticatedUser user,
protected void beforeUpdate(AuthenticatedUser user,
UserModel model) throws GuacamoleException {
super.beforeUpdate(user, model);
// Username must not be blank
if (model.getIdentifier().trim().isEmpty())
throw new GuacamoleClientException("The username must not be blank.");
@@ -193,7 +198,17 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
}
return implicitPermissions;
}
@Override
protected void beforeDelete(AuthenticatedUser user, String identifier) throws GuacamoleException {
super.beforeDelete(user, identifier);
// Do not allow users to delete themselves
if (identifier.equals(user.getUser().getIdentifier()))
throw new GuacamoleUnsupportedException("Deleting your own user is not allowed.");
}
/**