GUACAMOLE-360: Change ActiveConnection elements to use the ObjectPermissionSet mechanism.

Nick Couchman
2018-06-12 21:17:12 -04:00
parent 85c7b511e1
commit 5e16518569
2 changed files with 57 additions and 6 deletions


@@ -96,8 +96,8 @@ public class ActiveConnectionPermissionService
String identifier = record.getUUID().toString();
permissions.add(new ObjectPermission(ObjectPermission.Type.READ, identifier));
// If we're and admin, then we also have DELETE
if (isAdmin)
// If we're and admin, or the connection is ours, then we also have DELETE
if (isAdmin || targetUser.getIdentifier().equals(record.getUsername()))
permissions.add(new ObjectPermission(ObjectPermission.Type.DELETE, identifier));
}
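Review bot: The new ownership test `if (isAdmin || targetUser.getIdentifier().equals(record.getUsername()))` grants DELETE purely on string equality of two usernames, and it dereferences `targetUser.getIdentifier()` without a null check. If more than one session can carry the same identifier (anonymous or shared-link users, for instance; how those are recorded is not visible in this hunk), each would receive DELETE on the others' connections, so that case is worth confirming and excluding explicitly. A null-safe form that still fails closed would be `String owner = record.getUsername();` followed by `if (isAdmin || (owner != null && owner.equals(targetUser.getIdentifier())))`. The comment carried over from the old line also has a typo: `If we're and admin` should read `If we're an admin`. The enclosing loop and method start outside the hunk.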


@@ -34,6 +34,8 @@ import org.apache.guacamole.auth.jdbc.tunnel.ActiveConnectionRecord;
import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
import org.apache.guacamole.net.GuacamoleTunnel;
import org.apache.guacamole.net.auth.ActiveConnection;
import org.apache.guacamole.net.auth.permission.ObjectPermission;
import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
/**
* Service which provides convenience methods for creating, retrieving, and
@@ -111,11 +113,10 @@ public class ActiveConnectionService
public void deleteObject(ModeledAuthenticatedUser user, String identifier)
throws GuacamoleException {
// Close connection, if it exists (and we have permission)
// Close connection, if it exists and we have permission
ActiveConnection activeConnection = retrieveObject(user, identifier);
if (activeConnection != null &&
(user.getUser().isAdministrator()
|| user.getIdentifier().equals(activeConnection.getUsername()))) {
if (activeConnection != null
&& hasObjectPermissions(user, identifier, ObjectPermission.Type.DELETE)) {
// Close connection if not already closed
GuacamoleTunnel tunnel = activeConnection.getTunnel();
@@ -161,5 +162,55 @@ public class ActiveConnectionService
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Retrieve the permission set for the specified user that relates
* to access to active connections.
*
* @param user
* The user for which to retrieve the permission set.
*
* @return
* A permission set associated with the given user that specifies
* the permissions available for active connection objects.
*
* @throws GuacamoleException
* If permission to read permissions for the user is denied.
*/
private ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user)
throws GuacamoleException {
return user.getUser().getActiveConnectionPermissions();
}
/**
* Return a boolean value representing whether or not a user has the given
* permission available to them on the active connection with the given
* identifier.
*
* @param user
* The user for which the permissions are being queried.
*
* @param identifier
* The identifier of the active connection we are wondering about.
*
* @param type
* The type of permission being requested.
*
* @return
* True if the user has the necessary permission; otherwise false.
*
* @throws GuacamoleException
* If the user does not have access to read permissions.
*/
private boolean hasObjectPermissions(ModeledAuthenticatedUser user,
String identifier, ObjectPermission.Type type)
throws GuacamoleException {
ObjectPermissionSet permissionSet = getPermissionSet(user);
return user.getUser().isAdministrator()
|| permissionSet.hasPermission(type, identifier);
}
}
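Review bot: `hasObjectPermissions` calls `getPermissionSet(user)` before it checks `isAdministrator()`, so an administrator's delete now depends on `getActiveConnectionPermissions()` succeeding even though its result is never consulted for admins. Checking the cheap condition first avoids that: `if (user.getUser().isAdministrator()) return true;` then `return getPermissionSet(user).hasPermission(type, identifier);`. With this change the owner-may-delete rule is no longer visible in `deleteObject` and lives only in whatever populates the permission set. A test asserting that a non-admin cannot close another user's active connection would guard this authorization path against regressions. `deleteObject` continues outside the visible hunk.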