safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-10-30 16:43:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ticket #269: Added permissions checks to UserDirectory actions, and improved PermissionCheckUtility

Browse Source
This commit is contained in:
James Muehlner
2013-02-13 19:02:41 -08:00
parent 3e484ab8f8
commit 66fdcbe0b1
3 changed files with 373 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/GuacamolePermissionException.java Normal file
View File

@@ -0,0 +1,78 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is guacamole-auth-mysql.
*
* The Initial Developer of the Original Code is
* James Muehlner.
* Portions created by the Initial Developer are Copyright (C) 2010
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
package net.sourceforge.guacamole.net.auth.mysql;
import net.sourceforge.guacamole.GuacamoleException;
/**
* Represents an error condition when a user tries to perform an action
* that he/she does not have permission to do.
* @author James Muehlner
*/
public class GuacamolePermissionException extends GuacamoleException {
/**
* Creates a new GuacamoleException with the given message and cause.
*
* @param message A human readable description of the exception that
* occurred.
* @param cause The cause of this exception.
*/
public GuacamolePermissionException(String message, Throwable cause) {
super(message, cause);
}
/**
* Creates a new GuacamoleException with the given message.
*
* @param message A human readable description of the exception that
* occurred.
*/
public GuacamolePermissionException(String message) {
super(message);
}
/**
* Creates a new GuacamoleException with the given cause.
*
* @param cause The cause of this exception.
*/
public GuacamolePermissionException(Throwable cause) {
super(cause);
}
}

6
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
View File

@@ -147,6 +147,7 @@ public class UserDirectory implements Directory<String, User> {
@Transactional
@Override
public User get(String identifier) throws GuacamoleException {
permissionCheckUtility.verifyUserReadAccess(this.user.getUserID(), identifier);
return getExistingMySQLUser(identifier);
}
@@ -164,7 +165,10 @@ public class UserDirectory implements Directory<String, User> {
@Override
@Transactional
public void add(User object) throws GuacamoleException {
permissionCheckUtility.verifyCreateUserPermission(this.user.getUserID());
Preconditions.checkNotNull(object);
permissionCheckUtility.verifyUserUpdateAccess(user.getUserID(), object.getUsername());
//create user in database
MySQLUser mySQLUser = getNewMySQLUser(object);
userDAO.insert(mySQLUser.getUser());
@@ -356,6 +360,7 @@ public class UserDirectory implements Directory<String, User> {
@Override
@Transactional
public void update(User object) throws GuacamoleException {
permissionCheckUtility.verifyUserUpdateAccess(this.user.getUserID(), object.getUsername());
//update the user in the database
MySQLUser mySQLUser = getExistingMySQLUser(object);
userDAO.updateByPrimaryKey(mySQLUser.getUser());
@@ -367,6 +372,7 @@ public class UserDirectory implements Directory<String, User> {
@Override
@Transactional
public void remove(String identifier) throws GuacamoleException {
permissionCheckUtility.verifyUserDeleteAccess(this.user.getUserID(), identifier);
MySQLUser mySQLUser = getExistingMySQLUser(identifier);

295
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/utility/PermissionCheckUtility.java
View File

@@ -43,6 +43,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sourceforge.guacamole.net.auth.mysql.GuacamolePermissionException;
import net.sourceforge.guacamole.net.auth.mysql.MySQLConnection;
import net.sourceforge.guacamole.net.auth.mysql.MySQLConstants;
import net.sourceforge.guacamole.net.auth.mysql.MySQLUser;
@@ -96,34 +97,170 @@ public class PermissionCheckUtility {
@Inject
Provider<MySQLConnection> mySQLConnectionProvider;
/**
* Verifies that the user has read access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUserID
* @throws GuacamolePermissionException
*/
public void verifyUserReadAccess(int userID, int affectedUserID) throws GuacamolePermissionException {
if(!checkUserReadAccess(userID, affectedUserID))
throw new GuacamolePermissionException("User " + userID + " does not have read access to user " + affectedUserID);
}
/**
* Verifies that the user has update access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUserID
* @throws GuacamolePermissionException
*/
public void verifyUserUpdateAccess(int userID, int affectedUserID) throws GuacamolePermissionException {
if(!checkUserUpdateAccess(userID, affectedUserID))
throw new GuacamolePermissionException("User " + userID + " does not have update access to user " + affectedUserID);
}
/**
* Verifies that the user has delete access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUserID
* @throws GuacamolePermissionException
*/
public void verifyUserDeleteAccess(int userID, int affectedUserID) throws GuacamolePermissionException {
if(!checkUserDeleteAccess(userID, affectedUserID))
throw new GuacamolePermissionException("User " + userID + " does not have delete access to user " + affectedUserID);
}
/**
* Verifies that the user has administer access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUserID
* @throws GuacamolePermissionException
*/
public void verifyUserAdministerAccess(int userID, int affectedUserID) throws GuacamolePermissionException {
if(!checkUserAdministerAccess(userID, affectedUserID))
throw new GuacamolePermissionException("User " + userID + " does not have administer access to user " + affectedUserID);
}
/**
* Verifies that the user has read access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUsername
* @throws GuacamolePermissionException
*/
public void verifyUserReadAccess(int userID, String affectedUsername) throws GuacamolePermissionException {
if(!checkUserReadAccess(userID, affectedUsername))
throw new GuacamolePermissionException("User " + userID + " does not have read access to user '" + affectedUsername + "'");
}
/**
* Verifies that the user has update access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUsername
* @throws GuacamolePermissionException
*/
public void verifyUserUpdateAccess(int userID, String affectedUsername) throws GuacamolePermissionException {
if(!checkUserUpdateAccess(userID, affectedUsername))
throw new GuacamolePermissionException("User " + userID + " does not have update access to user '" + affectedUsername + "'");
}
/**
* Verifies that the user has delete access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUsername
* @throws GuacamolePermissionException
*/
public void verifyUserDeleteAccess(int userID, String affectedUsername) throws GuacamolePermissionException {
if(!checkUserDeleteAccess(userID, affectedUsername))
throw new GuacamolePermissionException("User " + userID + " does not have delete access to user '" + affectedUsername + "'");
}
/**
* Verifies that the user has administer access to the given user. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedUsername
* @throws GuacamolePermissionException
*/
public void verifyUserAdministerAccess(int userID, String affectedUsername) throws GuacamolePermissionException {
if(!checkUserAdministerAccess(userID, affectedUsername))
throw new GuacamolePermissionException("User " + userID + " does not have administer access to user '" + affectedUsername + "'");
}
/**
* Checks if the user has read access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserReadAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_READ);
}
/**
* Checks if the user has update access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserUpdateAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_UPDATE);
}
/**
* Checks if the user has delete access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserDeleteAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_DELETE);
}
/**
* Checks if the user has administer access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserAdministerAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_ADMINISTER);
}
/**
* Checks if the user has read access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserReadAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_READ);
}
/**
* Checks if the user has update access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserUpdateAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_UPDATE);
}
/**
* Checks if the user has delete access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserDeleteAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_DELETE);
}
/**
* Checks if the user has administer access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserAdministerAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_ADMINISTER);
}
@@ -233,36 +370,172 @@ public class PermissionCheckUtility {
return userIDs;
}
/**
* Verifies that the user has read access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionID
* @throws GuacamolePermissionException
*/
public void verifyConnectionReadAccess(int userID, int affectedConnectionID) throws GuacamolePermissionException {
if(!checkConnectionReadAccess(userID, affectedConnectionID))
throw new GuacamolePermissionException("User " + userID + " does not have read access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has update access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionID
* @throws GuacamolePermissionException
*/
public void verifyConnectionUpdateAccess(int userID, int affectedConnectionID) throws GuacamolePermissionException {
if(!checkConnectionUpdateAccess(userID, affectedConnectionID))
throw new GuacamolePermissionException("User " + userID + " does not have update access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has delete access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionID
* @throws GuacamolePermissionException
*/
public void verifyConnectionDeleteAccess(int userID, int affectedConnectionID) throws GuacamolePermissionException {
if(!checkConnectionDeleteAccess(userID, affectedConnectionID))
throw new GuacamolePermissionException("User " + userID + " does not have delete access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has administer access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionID
* @throws GuacamolePermissionException
*/
public void verifyConnectionAdministerAccess(int userID, int affectedConnectionID) throws GuacamolePermissionException {
if(!checkConnectionAdministerAccess(userID, affectedConnectionID))
throw new GuacamolePermissionException("User " + userID + " does not have administer access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has read access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionName
* @throws GuacamolePermissionException
*/
public void verifyConnectionReadAccess(int userID, String affectedConnectionName) throws GuacamolePermissionException {
if(!checkConnectionReadAccess(userID, affectedConnectionName))
throw new GuacamolePermissionException("User " + userID + " does not have read access to connection '" + affectedConnectionName + "'");
}
/**
* Verifies that the user has update access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionName
* @throws GuacamolePermissionException
*/
public void verifyConnectionUpdateAccess(int userID, String affectedConnectionName) throws GuacamolePermissionException {
if(!checkConnectionUpdateAccess(userID, affectedConnectionName))
throw new GuacamolePermissionException("User " + userID + " does not have update access to connection '" + affectedConnectionName + "'");
}
/**
* Verifies that the user has delete access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionName
* @throws GuacamolePermissionException
*/
public void verifyConnectionDeleteAccess(int userID, String affectedConnectionName) throws GuacamolePermissionException {
if(!checkConnectionDeleteAccess(userID, affectedConnectionName))
throw new GuacamolePermissionException("User " + userID + " does not have delete access to connection '" + affectedConnectionName + "'");
}
/**
* Verifies that the user has administer access to the given connection. If not, throws a GuacamolePermissionException.
* @param userID
* @param affectedConnectionName
* @throws GuacamolePermissionException
*/
public void verifyConnectionAdministerAccess(int userID, String affectedConnectionName) throws GuacamolePermissionException {
if(!checkConnectionAdministerAccess(userID, affectedConnectionName))
throw new GuacamolePermissionException("User " + userID + " does not have administer access to connection '" + affectedConnectionName + "'");
}
/**
* Checks if the user has read access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionReadAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_READ);
}
/**
* Checks if the user has update access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionUpdateAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_UPDATE);
}
/**
* Checks if the user has delete access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionDeleteAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_DELETE);
}
/**
* Checks if the user has administer access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionAdministerAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_ADMINISTER);
}
public boolean checkConnectionReadAccess(int userID, String affectedConnectionname) {
return checkConnectionAccess(userID, affectedConnectionname, MySQLConstants.CONNECTION_READ);
/**
* Checks if the user has read access to the given connection.
* @param userID
* @param affectedConnectionName
* @return true if the user has access to this connection.
*/
public boolean checkConnectionReadAccess(int userID, String affectedConnectionName) {
return checkConnectionAccess(userID, affectedConnectionName, MySQLConstants.CONNECTION_READ);
}
public boolean checkConnectionUpdateAccess(int userID, String affectedConnectionname) {
return checkConnectionAccess(userID, affectedConnectionname, MySQLConstants.CONNECTION_UPDATE);
/**
* Checks if the user has update access to the given connection.
* @param userID
* @param affectedConnectionName
* @return true if the user has access to this connection.
*/
public boolean checkConnectionUpdateAccess(int userID, String affectedConnectionName) {
return checkConnectionAccess(userID, affectedConnectionName, MySQLConstants.CONNECTION_UPDATE);
}
/**
* Checks if the user has delete access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionDeleteAccess(int userID, String affectedConnectionname) {
return checkConnectionAccess(userID, affectedConnectionname, MySQLConstants.CONNECTION_DELETE);
}
public boolean checkConnectionAdministerAccess(int userID, String affectedConnectionname) {
return checkConnectionAccess(userID, affectedConnectionname, MySQLConstants.CONNECTION_ADMINISTER);
/**
* Checks if the user has administer access to the given connection.
* @param userID
* @param affectedConnectionName
* @return true if the user has access to this connection.
*/
public boolean checkConnectionAdministerAccess(int userID, String affectedConnectionName) {
return checkConnectionAccess(userID, affectedConnectionName, MySQLConstants.CONNECTION_ADMINISTER);
}
/**
@@ -370,6 +643,16 @@ public class PermissionCheckUtility {
return connectionIDs;
}
public void verifyCreateUserPermission(int userID) throws GuacamolePermissionException {
if(!checkCreateUserPermission(userID))
throw new GuacamolePermissionException("User " + userID + " does not have permission to create users.");
}
public void verifyCreateConnectionPermission(int userID) throws GuacamolePermissionException {
if(!checkCreateConnectionPermission(userID))
throw new GuacamolePermissionException("User " + userID + " does not have permission to create connections.");
}
/**
* Check if the user has the permission to create users.
* @param userID