From 63be247db6ca3292afec9ecc532c3bd88d3a7ed0 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Tue, 10 Apr 2018 13:39:16 -0700
Subject: [PATCH] GUACAMOLE-220: Map and allow manipulation of the user group members of user groups.
---
 .../JDBCAuthenticationProviderModule.java | 2 +
 .../auth/jdbc/usergroup/ModeledUserGroup.java | 11 ++-
 .../UserGroupMemberUserGroupMapper.java | 28 ++++++
 .../UserGroupMemberUserGroupSet.java | 57 ++++++++++++
 .../UserGroupMemberUserGroupMapper.xml | 93 +++++++++++++++++++
 5 files changed, 190 insertions(+), 1 deletion(-)
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupSet.java
 create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.xml
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
index 0750b109f..ab7547f2c 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
@@ -85,6 +85,7 @@ import org.apache.guacamole.auth.jdbc.user.UserRecordMapper;
 import org.apache.guacamole.auth.jdbc.usergroup.ModeledUserGroup;
 import org.apache.guacamole.auth.jdbc.usergroup.UserGroupDirectory;
 import org.apache.guacamole.auth.jdbc.usergroup.UserGroupMapper;
+import org.apache.guacamole.auth.jdbc.usergroup.UserGroupMemberUserGroupMapper;
 import org.apache.guacamole.auth.jdbc.usergroup.UserGroupMemberUserMapper;
 import org.apache.guacamole.auth.jdbc.usergroup.UserGroupService;
 import org.mybatis.guice.MyBatisModule;
@@ -137,6 +138,7 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule {
 addMapperClass(SharingProfileParameterMapper.class);
 addMapperClass(SharingProfilePermissionMapper.class);
 addMapperClass(UserGroupMapper.class);
+ addMapperClass(UserGroupMemberUserGroupMapper.class);
 addMapperClass(UserGroupMemberUserMapper.class);
 addMapperClass(UserGroupPermissionMapper.class);
 addMapperClass(UserMapper.class);
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/ModeledUserGroup.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/ModeledUserGroup.java
index 3612eead2..fcf12508c 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/ModeledUserGroup.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/ModeledUserGroup.java
@@ -81,6 +81,13 @@ public class ModeledUserGroup extends ModeledPermissions @Inject private Provider memberUserSetProvider; + /** + * Provider for RelatedObjectSets containing the user groups that are + * members of this user group. + */ + @Inject + private Provider memberUserGroupSetProvider; + /** * Whether attributes which control access restrictions should be exposed * via getAttributes() or allowed to be set via setAttributes(). @@ -189,7 +196,9 @@ public class ModeledUserGroup extends ModeledPermissions @Override public RelatedObjectSet getMemberUserGroups() throws GuacamoleException { - return new SimpleRelatedObjectSet(); + UserGroupMemberUserGroupSet memberUserGroupSet = memberUserGroupSetProvider.get(); + memberUserGroupSet.init(getCurrentUser(), this); + return memberUserGroupSet; } } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.java new file mode 100644 index 000000000..70baef713 --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.java 
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.jdbc.usergroup;
+
+import org.apache.guacamole.auth.jdbc.base.ObjectRelationMapper;
+
+/**
+ * Mapper for the one-to-many relationship between a user group and its user
+ * group members.
+ */
+public interface UserGroupMemberUserGroupMapper extends ObjectRelationMapper {}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupSet.java
new file mode 100644
index 000000000..9684a47b6
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupSet.java
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.jdbc.usergroup;
+
+import com.google.inject.Inject;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.jdbc.base.ObjectRelationMapper;
+import org.apache.guacamole.auth.jdbc.base.RelatedObjectSet;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
+
+/**
+ * RelatedObjectSet implementation which represents the one-to-many
+ * relationship between a particular user group and its user group members.
+ */
+public class UserGroupMemberUserGroupSet extends RelatedObjectSet {
+
+ /**
+ * Mapper for the relation between user groups and their user group members.
+ */
+ @Inject
+ private UserGroupMemberUserGroupMapper userGroupMemberUserGroupMapper;
+
+ @Override
+ protected ObjectRelationMapper getObjectRelationMapper() {
+ return userGroupMemberUserGroupMapper;
+ }
+
+ @Override
+ protected ObjectPermissionSet
+ getParentObjectEffectivePermissionSet() throws GuacamoleException {
+ return getCurrentUser().getUser().getEffectivePermissions().getUserGroupPermissions();
+ }
+
+ @Override
+ protected ObjectPermissionSet getChildObjectEffectivePermissionSet()
+ throws GuacamoleException {
+ return getCurrentUser().getUser().getEffectivePermissions().getUserGroupPermissions();
+ }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.xml
new file mode 100644
index 000000000..13f4d71a9
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.xml
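Review bot: The two permission overrides in UserGroupMemberUserGroupSet carry no comment on what they gate, although nesting one group under another is a privilege-granting operation: members of the child group presumably inherit whatever the parent group is granted. Both `getParentObjectEffectivePermissionSet()` and `getChildObjectEffectivePermissionSet()` return the current user's user group permissions, but which permission type is demanded on each side is decided in RelatedObjectSet, which this patch does not show. I would add a Javadoc line to each override, for example `Parent and member are both user groups, so the current user's effective user group permissions apply to both sides of the relation.`, and name the permission the base class requires on the parent. The repeated `getCurrentUser().getUser().getEffectivePermissions().getUserGroupPermissions()` chain could also move into one private helper so the two checks cannot drift apart.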
@@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + DELETE FROM guacamole_user_group_member + USING guacamole_entity + WHERE + user_group_id = #{parent.objectID,jdbcType=INTEGER} + AND guacamole_entity.entity_id = member_entity_id + AND guacamole_entity.type = 'USER_GROUP'::guacamole_entity_type + AND guacamole_entity.name IN + + #{identifier,jdbcType=VARCHAR} + + + + + + INSERT INTO guacamole_user_group_member ( + user_group_id, + member_entity_id + ) + SELECT DISTINCT + #{parent.objectID,jdbcType=INTEGER}, + guacamole_entity.entity_id + FROM guacamole_entity + WHERE + guacamole_entity.name IN + + #{identifier} + + AND guacamole_entity.type = 'USER_GROUP'::guacamole_entity_type + AND guacamole_entity.entity_id NOT IN ( + SELECT guacamole_user_group_member.member_entity_id + FROM guacamole_user_group_member + WHERE guacamole_user_group_member.user_group_id = #{parent.objectID,jdbcType=INTEGER} + ) + + +
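Review bot: The insert statement accepts any entity of type USER_GROUP whose name is in the identifier list, so nothing visible here stops a group from being added as a member of itself or of one of its own descendants. Circular membership matters wherever effective permissions are resolved by walking the group graph; whether that resolution terminates on a cycle is not visible in this patch, so either exclude the parent's own entity (and ideally its ancestors) before the insert or document that cycles are tolerated. Separately, the insert binds `#{identifier}` without a type while the delete uses `#{identifier,jdbcType=VARCHAR}`; using the typed form in both keeps the two statements consistent. The mapper's XML elements are not shown in this rendering, so the statement boundaries are inferred from the SQL.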