diff --git a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTModule.java b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTModule.java index c9ed5a30a..48ac52b75 100644 --- a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTModule.java +++ b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTModule.java @@ -25,7 +25,6 @@ package org.glyptodon.guacamole.net.basic.rest; import com.google.inject.AbstractModule; import org.glyptodon.guacamole.net.basic.rest.connection.ConnectionService; import org.glyptodon.guacamole.net.basic.rest.connectiongroup.ConnectionGroupService; -import org.glyptodon.guacamole.net.basic.rest.permission.PermissionService; import org.glyptodon.guacamole.net.basic.rest.protocol.ProtocolRetrievalService; /** @@ -42,7 +41,6 @@ public class RESTModule extends AbstractModule { // Bind generic low-level services bind(ConnectionService.class); bind(ConnectionGroupService.class); - bind(PermissionService.class); bind(ProtocolRetrievalService.class); } diff --git a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTServletModule.java b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTServletModule.java index 6d8487fdf..cc4e90e6d 100644 --- a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTServletModule.java +++ b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTServletModule.java 
@@ -30,7 +30,6 @@ import org.glyptodon.guacamole.net.basic.rest.auth.TokenRESTService; import org.glyptodon.guacamole.net.basic.rest.clipboard.ClipboardRESTService; import org.glyptodon.guacamole.net.basic.rest.connection.ConnectionRESTService; import org.glyptodon.guacamole.net.basic.rest.connectiongroup.ConnectionGroupRESTService; -import org.glyptodon.guacamole.net.basic.rest.permission.PermissionRESTService; import org.glyptodon.guacamole.net.basic.rest.protocol.ProtocolRESTService; import org.glyptodon.guacamole.net.basic.rest.user.UserRESTService; @@ -48,7 +47,6 @@ public class RESTServletModule extends ServletModule { bind(ClipboardRESTService.class); bind(ConnectionRESTService.class); bind(ConnectionGroupRESTService.class); - bind(PermissionRESTService.class); bind(ProtocolRESTService.class); bind(UserRESTService.class); bind(TokenRESTService.class); diff --git a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermission.java b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermission.java deleted file mode 100644 index ee97de0fd..000000000 --- a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermission.java +++ /dev/null 
@@ -1,228 +0,0 @@ -/* - * Copyright (C) 2014 Glyptodon LLC - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -package org.glyptodon.guacamole.net.basic.rest.permission; - -import org.codehaus.jackson.annotate.JsonIgnoreProperties; -import org.codehaus.jackson.map.annotate.JsonSerialize; -import org.glyptodon.guacamole.net.auth.permission.ConnectionGroupPermission; -import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission; -import org.glyptodon.guacamole.net.auth.permission.ObjectPermission; -import org.glyptodon.guacamole.net.auth.permission.Permission; -import org.glyptodon.guacamole.net.auth.permission.SystemPermission; -import org.glyptodon.guacamole.net.auth.permission.UserPermission; - -/** - * A simple user permission to expose through the REST endpoints. 
- * - * @author James Muehlner - */ -@JsonIgnoreProperties(ignoreUnknown = true) -@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL) -public class APIPermission { - - /** - * Create an empty APIPermission. - */ - public APIPermission() {} - - /** - * The type of object that this permission refers to. - */ - private ObjectType objectType; - - /** - * The type of object that a permission can refer to. - */ - public enum ObjectType { - - /** - * A normal connection. - */ - CONNECTION, - - /** - * A connection group. - */ - CONNECTION_GROUP, - - /** - * A Guacamole user. - */ - USER, - - /** - * The Guacamole system itself. - */ - SYSTEM - - } - - /** - * The identifier of the object that this permission refers to. - */ - private String objectIdentifier; - - /** - * The object permission type for this APIPermission, if relevant. This is - * only used if this.objectType is CONNECTION, CONNECTION_GROUP, or USER. - */ - private ObjectPermission.Type objectPermissionType; - - /** - * The system permission type for this APIPermission, if relevant. This is - * only used if this.objectType is SYSTEM. - */ - private SystemPermission.Type systemPermissionType; - - /** - * Create an APIConnection from a Connection record. - * - * @param permission The permission to create this APIPermission from. 
- */ - public APIPermission(Permission permission) { - - // Connection permission - if (permission instanceof ConnectionPermission) { - this.objectType = ObjectType.CONNECTION; - this.objectPermissionType = ((ConnectionPermission) permission).getType(); - this.objectIdentifier = ((ConnectionPermission) permission).getObjectIdentifier(); - } - - // Connection group permission - else if (permission instanceof ConnectionGroupPermission) { - this.objectType = ObjectType.CONNECTION_GROUP; - this.objectPermissionType = ((ConnectionGroupPermission) permission).getType(); - this.objectIdentifier = ((ConnectionGroupPermission) permission).getObjectIdentifier(); - } - - // User permission - else if (permission instanceof UserPermission) { - this.objectType = ObjectType.USER; - this.objectPermissionType = ((UserPermission) permission).getType(); - this.objectIdentifier = ((UserPermission) permission).getObjectIdentifier(); - } - - // System permission - else if (permission instanceof SystemPermission) { - this.objectType = ObjectType.SYSTEM; - this.systemPermissionType = ((SystemPermission) permission).getType(); - } - - } - - /** - * Returns the type of object that this permission refers to. - * - * @return The type of object that this permission refers to. - */ - public ObjectType getObjectType() { - return objectType; - } - - /** - * Set the type of object that this permission refers to. - * @param objectType The type of object that this permission refers to. - */ - public void setObjectType(ObjectType objectType) { - this.objectType = objectType; - } - - /** - * Returns a string representation of the permission type. - * - * @return A string representation of the permission type. 
- */ - public String getPermissionType() { - switch(this.objectType) { - case CONNECTION: - case CONNECTION_GROUP: - case USER: - return this.objectPermissionType.toString(); - case SYSTEM: - return this.systemPermissionType.toString(); - default: - return null; - } - } - - /** - * Set the permission type from a string representation of that type. - * Since it's not clear at this point whether this is an object permission or - * system permission, try to set both of them. - * - * @param permissionType The string representation of the permission type. - */ - public void setPermissionType(String permissionType) { - try { - this.objectPermissionType = ObjectPermission.Type.valueOf(permissionType); - } catch(IllegalArgumentException e) {} - - try { - this.systemPermissionType = SystemPermission.Type.valueOf(permissionType); - } catch(IllegalArgumentException e) {} - } - - /** - * Returns the identifier of the object that this permission refers to. - * - * @return The identifier of the object that this permission refers to. - */ - public String getObjectIdentifier() { - return objectIdentifier; - } - - /** - * Set the identifier of the object that this permission refers to. - * - * @param objectIdentifier The identifier of the object that this permission refers to. - */ - public void setObjectIdentifier(String objectIdentifier) { - this.objectIdentifier = objectIdentifier; - } - - /** - * Returns an org.glyptodon.guacamole.net.auth.permission.Permission - * representation of this APIPermission. - * - * @return An org.glyptodon.guacamole.net.auth.permission.Permission - * representation of this APIPermission. 
- */ - public Permission toPermission() { - switch(this.objectType) { - case CONNECTION: - return new ConnectionPermission - (this.objectPermissionType, this.objectIdentifier); - case CONNECTION_GROUP: - return new ConnectionGroupPermission - (this.objectPermissionType, this.objectIdentifier); - case USER: - return new UserPermission - (this.objectPermissionType, this.objectIdentifier); - case SYSTEM: - return new SystemPermission(this.systemPermissionType); - default: - return null; - } - } - -} diff --git a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermissionSet.java b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermissionSet.java new file mode 100644 index 000000000..450cbc823 --- /dev/null +++ b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermissionSet.java 
@@ -0,0 +1,293 @@ +/* + * Copyright (C) 2014 Glyptodon LLC + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +package org.glyptodon.guacamole.net.basic.rest.permission; + +import java.util.EnumSet; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import org.glyptodon.guacamole.GuacamoleException; +import org.glyptodon.guacamole.GuacamoleServerException; +import org.glyptodon.guacamole.net.auth.permission.ConnectionGroupPermission; +import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission; +import org.glyptodon.guacamole.net.auth.permission.ObjectPermission; +import org.glyptodon.guacamole.net.auth.permission.Permission; +import org.glyptodon.guacamole.net.auth.permission.SystemPermission; +import org.glyptodon.guacamole.net.auth.permission.UserPermission; + +/** + * The set of permissions which are granted to a specific user, organized by + * object type and, if applicable, identifier. This object can be constructed + * with arbitrary permissions present, or manipulated after creation through + * the manipulation or replacement of its collections of permissions, but is + * otherwise not intended for internal use as a data structure for permissions. + * Its primary purpose is as a hierarchical format for exchanging granted + * permissions with REST clients. + */ +public class APIPermissionSet { + + /** + * Map of connection ID to the set of granted permissions. + */ + private Map> connectionPermissions = new HashMap>(); + + /** + * Map of connection group ID to the set of granted permissions. + */ + private Map> connectionGroupPermissions = new HashMap>(); + + /** + * Map of user ID to the set of granted permissions. + */ + private Map> userPermissions = new HashMap>(); + + /** + * Set of all granted system-level permissions. + */ + private EnumSet systemPermissions = EnumSet.noneOf(SystemPermission.Type.class); + + /** + * Adds the given object permission to the given map of object identifier + * to permission set. + * + * @param permissions + * The map to add the given permission to. 
+ * + * @param permission + * The permission to add. + */ + private void addPermission(Map> permissions, ObjectPermission permission) { + + // Pull set of permissions for given object + String id = permission.getObjectIdentifier(); + EnumSet types = permissions.get(id); + + // If set does not yet exist, create it + if (types == null) { + types = EnumSet.of(permission.getType()); + permissions.put(id, types); + } + + // Otherwise, add the specified permission + else + types.add(permission.getType()); + + } + + /** + * Adds the given system-level permission to the given set of granted + * system permissions. + * + * @param permissions + * The set of system permissions to add the given permission to. + * + * @param permission + * The permission to add. + */ + private void addPermission(EnumSet permissions, SystemPermission permission) { + permissions.add(permission.getType()); + } + + /** + * Adds the given permission to the appropriate type-specific set or map of + * permissions based on the permission class. Only connection, connection + * group, user, and system permissions are supported. Unsupported + * permission types will result in a GuacamoleException being thrown. + * + * @param permission The permission to add. + * @throws GuacamoleException If the permission is of an unsupported type. 
+ */ + private void addPermission(Permission permission) throws GuacamoleException { + + // Connection permissions + if (permission instanceof ConnectionPermission) + addPermission(connectionPermissions, (ConnectionPermission) permission); + + // Connection group permissions + else if (permission instanceof ConnectionGroupPermission) + addPermission(connectionGroupPermissions, (ConnectionGroupPermission) permission); + + // User permissions + else if (permission instanceof UserPermission) + addPermission(userPermissions, (UserPermission) permission); + + // System permissions + else if (permission instanceof SystemPermission) + addPermission(systemPermissions, (SystemPermission) permission); + + // Unknown / unsupported permission type + else + throw new GuacamoleServerException("Serialization of permission type \"" + permission.getClass() + "\" not implemented."); + + } + + /** + * Creates a new permission set which contains no granted permissions. Any + * permissions must be added by manipulating or replacing the applicable + * permission collection. + */ + public APIPermissionSet() { + } + + /** + * Creates a new permission set having the given permissions. + * + * @param permissions + * The permissions to initially store within the permission set. + * + * @throws GuacamoleException + * If any of the given permissions are of an unsupported type. + */ + public APIPermissionSet(Iterable permissions) throws GuacamoleException { + + // Add all provided permissions + for (Permission permission : permissions) + addPermission(permission); + + } + + /** + * Creates a new permission set having the given permissions. + * + * @param permissions + * The permissions to initially store within the permission set. + * + * @throws GuacamoleException + * If any of the given permissions are of an unsupported type. + */ + public APIPermissionSet(Permission... 
permissions) throws GuacamoleException { + + // Add all provided permissions + for (Permission permission : permissions) + addPermission(permission); + + } + + /** + * Returns a map of connection IDs to the set of permissions granted for + * that connection. If no permissions are granted to a particular + * connection, its ID will not be present as a key in the map. This map is + * mutable, and changes to this map will affect the permission set + * directly. + * + * @return + * A map of connection IDs to the set of permissions granted for that + * connection. + */ + public Map> getConnectionPermissions() { + return connectionPermissions; + } + + /** + * Returns a map of connection group IDs to the set of permissions granted + * for that connection group. If no permissions are granted to a particular + * connection group, its ID will not be present as a key in the map. This + * map is mutable, and changes to this map will affect the permission set + * directly. + * + * @return + * A map of connection group IDs to the set of permissions granted for + * that connection group. + */ + public Map> getConnectionGroupPermissions() { + return connectionGroupPermissions; + } + + /** + * Returns a map of user IDs to the set of permissions granted for that + * user. If no permissions are granted to a particular user, its ID will + * not be present as a key in the map. This map is mutable, and changes to + * to this map will affect the permission set directly. + * + * @return + * A map of user IDs to the set of permissions granted for that user. + */ + public Map> getUserPermissions() { + return userPermissions; + } + + /** + * Returns the set of granted system-level permissions. If no permissions + * are granted at the system level, this will be an empty set. This set is + * mutable, and changes to this set will affect the permission set + * directly. + * + * @return + * The set of granted system-level permissions. 
+ */ + public EnumSet getSystemPermissions() { + return systemPermissions; + } + + /** + * Replaces the current map of connection permissions with the given map, + * which must map connection ID to its corresponding set of granted + * permissions. If a connection has no permissions, its ID must not be + * present as a key in the map. + * + * @param connectionPermissions + * The map which must replace the currently-stored map of permissions. + */ + public void setConnectionPermissions(Map> connectionPermissions) { + this.connectionPermissions = connectionPermissions; + } + + /** + * Replaces the current map of connection group permissions with the given + * map, which must map connection group ID to its corresponding set of + * granted permissions. If a connection group has no permissions, its ID + * must not be present as a key in the map. + * + * @param connectionGroupPermissions + * The map which must replace the currently-stored map of permissions. + */ + public void setConnectionGroupPermissions(Map> connectionGroupPermissions) { + this.connectionGroupPermissions = connectionGroupPermissions; + } + + /** + * Replaces the current map of user permissions with the given map, which + * must map user ID to its corresponding set of granted permissions. If a + * user has no permissions, its ID must not be present as a key in the map. + * + * @param userPermissions + * The map which must replace the currently-stored map of permissions. + */ + public void setUserPermissions(Map> userPermissions) { + this.userPermissions = userPermissions; + } + + /** + * Replaces the current set of system-level permissions with the given set. + * If no system-level permissions are granted, the empty set must be + * specified. + * + * @param systemPermissions + * The set which must replace the currently-stored set of permissions. + */ + public void setSystemPermissions(EnumSet systemPermissions) { + this.systemPermissions = systemPermissions; + } + +} 
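Review bot: The four setters at the end of APIPermissionSet store the caller's reference unchecked, so a null map or set — e.g. a JSON body with `"systemPermissions": null`, should this class ever be bound as a request body — leaves `getSystemPermissions()` returning null despite its Javadoc promising an empty set, and a later `addPermission` would fail on `permissions.get(id)`. A guard at the top of each setter such as `if (systemPermissions == null) throw new IllegalArgumentException("systemPermissions must not be null");` (and the same for the Iterable constructor, where `permissions` is iterated directly) would pin the documented contract. Separately, `java.util.HashSet` and `java.util.Set` are imported but, as far as the stripped generics let one tell, nothing in the file uses them, since the map values are consistently `EnumSet` (`EnumSet types = permissions.get(id)`); dropping the two imports keeps the new file clean.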
diff --git a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionRESTService.java b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionRESTService.java deleted file mode 100644 index 85760f5a4..000000000 --- a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionRESTService.java +++ /dev/null 
@@ -1,157 +0,0 @@ -/* - * Copyright (C) 2014 Glyptodon LLC - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ - -package org.glyptodon.guacamole.net.basic.rest.permission; - -import com.google.inject.Inject; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import javax.ws.rs.Consumes; -import javax.ws.rs.GET; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response.Status; -import org.glyptodon.guacamole.GuacamoleException; -import org.glyptodon.guacamole.net.auth.Directory; -import org.glyptodon.guacamole.net.auth.User; -import org.glyptodon.guacamole.net.auth.UserContext; -import org.glyptodon.guacamole.net.auth.permission.Permission; -import org.glyptodon.guacamole.net.basic.rest.APIPatch; -import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure; -import org.glyptodon.guacamole.net.basic.rest.HTTPException; -import org.glyptodon.guacamole.net.basic.rest.PATCH; -import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * A REST Service for handling connection CRUD operations. - * - * @author James Muehlner - */ -@Path("/permission") -@Produces(MediaType.APPLICATION_JSON) -@Consumes(MediaType.APPLICATION_JSON) -public class PermissionRESTService { - - /** - * Logger for this class. - */ - private static final Logger logger = LoggerFactory.getLogger(PermissionRESTService.class); - - /** - * A service for authenticating users from auth tokens. - */ - @Inject - private AuthenticationService authenticationService; - - /** - * A service for managing the REST endpoint APIPermission objects. - */ - @Inject - private PermissionService permissionService; - - /** - * Gets a list of permissions for the user with the given userID. - * - * @param authToken The authentication token that is used to authenticate - * the user performing the operation. - * @param userID The ID of the user to retrieve permissions for. 
- * @return The permission list. - * @throws GuacamoleException If a problem is encountered while listing permissions. - */ - @GET - @Path("/{userID}") - @AuthProviderRESTExposure - public List getPermissions(@QueryParam("token") String authToken, @PathParam("userID") String userID) - throws GuacamoleException { - - UserContext userContext = authenticationService.getUserContext(authToken); - - // Get the user - User user = userContext.getUserDirectory().get(userID); - if (user == null) - throw new HTTPException(Status.NOT_FOUND, "User not found with the provided userID."); - - return permissionService.convertPermissionList(user.getPermissions()); - - } - - /** - * Applies a given list of permission patches. - * - * @param authToken The authentication token that is used to authenticate - * the user performing the operation. - * @param patches The permission patches to apply for this request. - * @throws GuacamoleException If a problem is encountered while removing the permission. - */ - @PATCH - @AuthProviderRESTExposure - public void patchPermissions(@QueryParam("token") String authToken, - List> patches) throws GuacamoleException { - - UserContext userContext = authenticationService.getUserContext(authToken); - - // Get the user directory - Directory userDirectory = userContext.getUserDirectory(); - - // All users who have had permissions added or removed - Map modifiedUsers = new HashMap(); - - for (APIPatch patch : patches) { - - String userID = patch.getPath(); - Permission permission = patch.getValue().toPermission(); - - // See if we've already modified this user in this request - User user = modifiedUsers.get(userID); - if (user == null) - user = userDirectory.get(userID); - - if (user == null) - throw new HTTPException(Status.NOT_FOUND, "User not found with userID " + userID + "."); - - // Only the add and remove operations are supported for permissions - switch(patch.getOp()) { - case add: - user.addPermission(permission); - modifiedUsers.put(userID, 
user); - break; - case remove: - user.removePermission(permission); - modifiedUsers.put(userID, user); - break; - } - - } - - // Save the permission changes for all modified users - for (User user : modifiedUsers.values()) - userDirectory.update(user); - - } - -} diff --git a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionService.java b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionService.java deleted file mode 100644 index bdff3d84b..000000000 --- a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionService.java +++ /dev/null 
@@ -1,74 +0,0 @@ -/* - * Copyright (C) 2014 Glyptodon LLC - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -package org.glyptodon.guacamole.net.basic.rest.permission; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; -import org.glyptodon.guacamole.net.auth.permission.Permission; - -/** - * A service for performing useful manipulations on REST Permissions. - * - * @author James Muehlner - */ -public class PermissionService { - - /** - * Converts a list of Permission to a list of APIPermission objects for - * exposing with the REST endpoints. - * - * @param permissions The Connections to convert for REST endpoint use. - * @return A List of APIPermission objects for use with the REST endpoint. 
- */ - public List convertPermissionList(Iterable permissions) { - - List restPermissions = new ArrayList(); - - for(Permission permission : permissions) - restPermissions.add(new APIPermission(permission)); - - return restPermissions; - - } - - /** - * Converts a list of APIPermission to a set of Permission objects for internal - * Guacamole use. - * - * @param restPermissions The APIPermission objects from the REST endpoints. - * @return a List of Permission objects for internal Guacamole use. - */ - public Set convertAPIPermissionList(Iterable restPermissions) { - - Set permissions = new HashSet(); - - for(APIPermission restPermission : restPermissions) - permissions.add(restPermission.toPermission()); - - return permissions; - - } - -} diff --git a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/user/UserRESTService.java b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/user/UserRESTService.java index fdc66fd7d..5927b1b35 100644 --- a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/user/UserRESTService.java +++ b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/user/UserRESTService.java 
@@ -36,14 +36,25 @@ import javax.ws.rs.Produces; import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; +import javax.ws.rs.core.Response.Status; import org.glyptodon.guacamole.GuacamoleException; import org.glyptodon.guacamole.net.auth.Directory; import org.glyptodon.guacamole.net.auth.User; import org.glyptodon.guacamole.net.auth.UserContext; +import org.glyptodon.guacamole.net.auth.permission.ConnectionGroupPermission; +import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission; +import org.glyptodon.guacamole.net.auth.permission.ObjectPermission; +import org.glyptodon.guacamole.net.auth.permission.Permission; +import org.glyptodon.guacamole.net.auth.permission.SystemPermission; import org.glyptodon.guacamole.net.auth.permission.UserPermission; +import org.glyptodon.guacamole.net.basic.rest.APIPatch; +import static org.glyptodon.guacamole.net.basic.rest.APIPatch.Operation.add; +import static org.glyptodon.guacamole.net.basic.rest.APIPatch.Operation.remove; import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure; import org.glyptodon.guacamole.net.basic.rest.HTTPException; +import org.glyptodon.guacamole.net.basic.rest.PATCH; import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService; +import org.glyptodon.guacamole.net.basic.rest.permission.APIPermissionSet; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
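Review bot: The two static imports `APIPatch.Operation.add` and `APIPatch.Operation.remove` are unnecessary if the constants are only consumed as `case` labels, because enum switch labels are always written unqualified; anywhere else they would appear as bare `add`/`remove`, which reads like a method call. The switch that presumably uses them lies past the end of this chunk, so this is inferred from the imports alone. If they are kept, placing them in their own group rather than between the regular `org.glyptodon...` imports would match the file's existing import layout.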
@@ -61,6 +72,30 @@ public class UserRESTService { * Logger for this class. */ private static final Logger logger = LoggerFactory.getLogger(UserRESTService.class); + + /** + * The prefix of any path within an operation of a JSON patch which + * modifies the permissions of a user regarding a specific connection. + */ + private static final String CONNECTION_PERMISSION_PATCH_PATH_PREFIX = "/connectionPermissions/"; + + /** + * The prefix of any path within an operation of a JSON patch which + * modifies the permissions of a user regarding a specific connection group. + */ + private static final String CONNECTION_GROUP_PERMISSION_PATCH_PATH_PREFIX = "/connectionGroupPermissions/"; + + /** + * The prefix of any path within an operation of a JSON patch which + * modifies the permissions of a user regarding another, specific user. + */ + private static final String USER_PERMISSION_PATCH_PATH_PREFIX = "/userPermissions/"; + + /** + * The path of any operation within a JSON patch which modifies the + * permissions of a user regarding the entire system. + */ + private static final String SYSTEM_PERMISSION_PATCH_PATH = "/systemPermissions"; /** * A service for authenticating users from auth tokens. 
@@ -239,4 +274,152 @@ public class UserRESTService { } + /** + * Gets a list of permissions for the user with the given userID. + * + * @param authToken The authentication token that is used to authenticate + * the user performing the operation. + * @param userID The ID of the user to retrieve permissions for. + * @return The permission list. + * @throws GuacamoleException If a problem is encountered while listing permissions. + */ + @GET + @Path("/{userID}/permissions") + @AuthProviderRESTExposure + public APIPermissionSet getPermissions(@QueryParam("token") String authToken, @PathParam("userID") String userID) + throws GuacamoleException { + + UserContext userContext = authenticationService.getUserContext(authToken); + + // Get the user + User user = userContext.getUserDirectory().get(userID); + if (user == null) + throw new HTTPException(Status.NOT_FOUND, "User not found with the provided userID."); + + return new APIPermissionSet(user.getPermissions()); + + } + + /** + * Applies a given list of permission patches. Each patch specifies either + * an "add" or a "remove" operation for a permission type, represented by + * a string. Valid permission types depend on the path of each patch + * operation, as the path dictates the permission being modified, such as + * "/connectionPermissions/42" or "/systemPermissions". + * + * @param authToken + * The authentication token that is used to authenticate the user + * performing the operation. + * + * @param userID + * The ID of the user to modify the permissions of. + * + * @param patches + * The permission patches to apply for this request. + * + * @throws GuacamoleException + * If a problem is encountered while modifying permissions. 
+ */ + @PATCH + @Path("/{userID}/permissions") + @AuthProviderRESTExposure + public void patchPermissions(@QueryParam("token") String authToken, + @PathParam("userID") String userID, + List> patches) throws GuacamoleException { + + UserContext userContext = authenticationService.getUserContext(authToken); + + // Get the user directory + Directory userDirectory = userContext.getUserDirectory(); + + // Get the user + User user = userContext.getUserDirectory().get(userID); + if (user == null) + throw new HTTPException(Status.NOT_FOUND, "User not found with the provided userID."); + + // Apply all patch operations individually + for (APIPatch patch : patches) { + + Permission permission; + + String path = patch.getPath(); + + // Create connection permission if path has connection prefix + if (path.startsWith(CONNECTION_PERMISSION_PATCH_PATH_PREFIX)) { + + // Get identifier and type from patch operation + String identifier = path.substring(CONNECTION_PERMISSION_PATCH_PATH_PREFIX.length()); + ObjectPermission.Type type = ObjectPermission.Type.valueOf(patch.getValue()); + + // Create corresponding permission + permission = new ConnectionPermission(type, identifier); + + } + + // Create connection group permission if path has connection group prefix + else if (path.startsWith(CONNECTION_GROUP_PERMISSION_PATCH_PATH_PREFIX)) { + + // Get identifier and type from patch operation + String identifier = path.substring(CONNECTION_GROUP_PERMISSION_PATCH_PATH_PREFIX.length()); + ObjectPermission.Type type = ObjectPermission.Type.valueOf(patch.getValue()); + + // Create corresponding permission + permission = new ConnectionGroupPermission(type, identifier); + + } + + // Create user permission if path has user prefix + else if (path.startsWith(USER_PERMISSION_PATCH_PATH_PREFIX)) { + + // Get identifier and type from patch operation + String identifier = path.substring(USER_PERMISSION_PATCH_PATH_PREFIX.length()); + ObjectPermission.Type type = 
ObjectPermission.Type.valueOf(patch.getValue()); + + // Create corresponding permission + permission = new UserPermission(type, identifier); + + } + + // Create system permission if path is system path + else if (path.startsWith(SYSTEM_PERMISSION_PATCH_PATH)) { + + // Get identifier and type from patch operation + SystemPermission.Type type = SystemPermission.Type.valueOf(patch.getValue()); + + // Create corresponding permission + permission = new SystemPermission(type); + + } + + // Otherwise, the path is not supported + else + throw new HTTPException(Status.BAD_REQUEST, "Unsupported patch path: \"" + path + "\""); + + // Add or remove permission based on operation + switch (patch.getOp()) { + + // Add permission + case add: + user.addPermission(permission); + break; + + // Remove permission + case remove: + user.removePermission(permission); + break; + + // Unsupported patch operation + default: + throw new HTTPException(Status.BAD_REQUEST, "Unsupported patch operation: \"" + patch.getOp() + "\""); + + } + + } // end for each patch operation + + // Save the permission changes + userDirectory.update(user); + + } + + } diff --git a/guacamole/src/main/webapp/app/index/controllers/indexController.js b/guacamole/src/main/webapp/app/index/controllers/indexController.js index cc256fc38..25ca651b6 100644 --- a/guacamole/src/main/webapp/app/index/controllers/indexController.js +++ b/guacamole/src/main/webapp/app/index/controllers/indexController.js 
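Review bot: The system-permission branch in patchPermissions matches with `path.startsWith(SYSTEM_PERMISSION_PATCH_PATH)`, so any patch path that merely begins with "/systemPermissions" (with an arbitrary suffix) is treated as a system permission, even though the constant is documented as the complete path; the test should be `else if (path.equals(SYSTEM_PERMISSION_PATCH_PATH)) {`. The four `valueOf(patch.getValue())` conversions throw IllegalArgumentException for any value outside the enum (and NullPointerException for a missing value), which escapes as a server error instead of the `Status.BAD_REQUEST` that the unsupported-path and unsupported-operation cases return; wrapping each conversion in a catch that rethrows `new HTTPException(Status.BAD_REQUEST, ...)` would make the validation failures consistent. Permissions are added to or removed from the in-memory `user` one operation at a time before the single `userDirectory.update(user)`, so a rejected later operation leaves the object partially modified; whether that is observable depends on the User implementation, which is outside this diff. The method performs no authorization check of its own on who may alter this user's permissions, so it presumably relies on the auth provider's User/Directory to enforce that — worth confirming and stating in the Javadoc.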
@@ -25,10 +25,12 @@ */ angular.module('index').controller('indexController', ['$scope', '$injector', function indexController($scope, $injector) { - - // Get the dependencies commonJS style - var permissionService = $injector.get("permissionService"), - permissionCheckService = $injector.get("permissionCheckService"), + + // Get class dependencies + var PermissionSet = $injector.get("PermissionSet"); + + // Get services + var permissionService = $injector.get("permissionService"), authenticationService = $injector.get("authenticationService"), $q = $injector.get("$q"), $document = $injector.get("$document"), @@ -169,13 +171,15 @@ angular.module('index').controller('indexController', ['$scope', '$injector', permissionService.getPermissions($scope.currentUserID).success(function fetchCurrentUserPermissions(permissions) { $scope.currentUserPermissions = permissions; - // Will be true if the user is an admin - $scope.currentUserIsAdmin = permissionCheckService.checkPermission($scope.currentUserPermissions, "SYSTEM", undefined, "ADMINISTER"); + // Whether the user has system-wide admin permission + $scope.currentUserIsAdmin = PermissionSet.hasSystemPermission($scope.currentUserPermissions, PermissionSet.SystemPermissionType.ADMINISTER); + + // Whether the user can update at least one object + $scope.currentUserHasUpdate = $scope.currentUserIsAdmin + || PermissionSet.hasConnectionPermission($scope.currentUserPermissions, "UPDATE") + || PermissionSet.hasConnectionGroupPermission($scope.currentUserPermissions, "UPDATE") + || PermissionSet.hasUserPermission($scope.currentUserPermissions, "UPDATE"); - // Will be true if the user is an admin or has update access to any object - $scope.currentUserHasUpdate = $scope.currentUserIsAdmin || - permissionCheckService.checkPermission($scope.currentUserPermissions, undefined, undefined, "UPDATE"); - permissionsLoaded.resolve(); }); }; 
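Review bot: In the second hunk the three object-permission checks pass the literal string "UPDATE" while the admin check directly above them uses `PermissionSet.SystemPermissionType.ADMINISTER`; for consistency with the new type, and so a typo fails loudly rather than silently returning false, each call should use `PermissionSet.ObjectPermissionType.UPDATE`. The enclosing indexController function continues outside the hunk.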
diff --git a/guacamole/src/main/webapp/app/manage/controllers/manageController.js b/guacamole/src/main/webapp/app/manage/controllers/manageController.js index b3a771975..77ce0c77f 100644 --- a/guacamole/src/main/webapp/app/manage/controllers/manageController.js +++ b/guacamole/src/main/webapp/app/manage/controllers/manageController.js @@ -27,7 +27,7 @@ angular.module('manage').controller('manageController', ['$scope', '$injector', function manageController($scope, $injector) { // Required types - var Permission = $injector.get('Permission'); + var PermissionSet = $injector.get('PermissionSet'); // Required services var legacyConnectionGroupService = $injector.get('legacyConnectionGroupService'); @@ -68,7 +68,7 @@ angular.module('manage').controller('manageController', ['$scope', '$injector', }); // Retrieve all users for whom we have UPDATE permission - userService.getUsers(Permission.Type.UPDATE).success(function usersReceived(users) { + userService.getUsers(PermissionSet.ObjectPermissionType.UPDATE).success(function usersReceived(users) { $scope.users = users; $scope.loadingUsers = false; }); diff --git a/guacamole/src/main/webapp/app/rest/services/legacyConnectionGroupService.js b/guacamole/src/main/webapp/app/rest/services/legacyConnectionGroupService.js index a9e4e71b3..e8eb9748b 100644 --- a/guacamole/src/main/webapp/app/rest/services/legacyConnectionGroupService.js +++ b/guacamole/src/main/webapp/app/rest/services/legacyConnectionGroupService.js 
@@ -25,9 +25,12 @@ */ angular.module('rest').factory('legacyConnectionGroupService', ['$injector', function legacyConnectionGroupService($injector) { - var connectionGroupService = $injector.get('connectionGroupService'); + // Get class dependencies + var PermissionSet = $injector.get("PermissionSet"); + + // Get services + var connectionGroupService = $injector.get('connectionGroupService'); var connectionService = $injector.get('connectionService'); - var permissionCheckService = $injector.get('permissionCheckService'); var $q = $injector.get('$q'); var displayObjectPreparationService = $injector.get('displayObjectPreparationService'); @@ -196,8 +199,7 @@ angular.module('rest').factory('legacyConnectionGroupService', ['$injector', fun * item, check now to see if the permission exists. If not, * remove the item. */ - if(!permissionCheckService.checkPermission(permissionList, - "CONNECTION", item.identifier, requiredConnectionPermission)) { + if(!PermissionSet.hasConnectionPermission(permissionList, item.identifier, requiredConnectionPermission)) { items.splice(i, 1); continue; } @@ -210,8 +212,7 @@ angular.module('rest').factory('legacyConnectionGroupService', ['$injector', fun * remove the item. */ if(requiredConnectionGroupPermission) { - if(!permissionCheckService.checkPermission(permissionList, - "CONNECTION_GROUP", item.identifier, requiredConnectionGroupPermission)) { + if(!PermissionSet.hasConnectionGroupPermission(permissionList, item.identifier, requiredConnectionGroupPermission)) { items.splice(i, 1); continue; } diff --git a/guacamole/src/main/webapp/app/rest/services/permissionCheckService.js b/guacamole/src/main/webapp/app/rest/services/permissionCheckService.js deleted file mode 100644 index 80ee4cd39..000000000 --- a/guacamole/src/main/webapp/app/rest/services/permissionCheckService.js +++ /dev/null 
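Review bot: The replacement calls in the second and third hunks pass `item.identifier` as the second argument and the required permission as the third, but PermissionSet.hasConnectionPermission and PermissionSet.hasConnectionGroupPermission, as added in PermissionSet.js in this same commit, take `(permSet, type, identifier)`; with the arguments swapped the permission string is looked up as an object identifier, so the check fails (and the item is removed) for every item whose identifier does not happen to equal the permission name. The calls should read `if(!PermissionSet.hasConnectionPermission(permissionList, requiredConnectionPermission, item.identifier)) {` and `if(!PermissionSet.hasConnectionGroupPermission(permissionList, requiredConnectionGroupPermission, item.identifier)) {`. This also assumes `permissionList` is now a PermissionSet rather than the array the removed permissionCheckService expected; where it comes from is outside the hunk.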
@@ -1,73 +0,0 @@ -/* - * Copyright (C) 2014 Glyptodon LLC - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -/** - * A service for checking if a specific permission exists - * in a given list of permissions. - */ -angular.module('rest').factory('permissionCheckService', [ - function permissionCheckService() { - - var service = {}; - - /** - * A service for checking if the given permission list contains the given - * permission, defined by the objectType, objectID, and permissionType. - * If the objectType or objectID are not passed, they will not be checked. - * - * For example, checkPermission(list, "CONNECTION", undefined, "READ") would - * check if the permission list contains permission to read any connection. - * - * @param {array} permissions The array of permissions to check. - * @param {string} objectType The object type for the permission. - * If not passed, this will not be checked. 
- * @param {string} objectID The ID of the object the permission is for. - * If not passed, this will not be checked. - * @param {string} permissionType The actual permission type to check for. - * @returns {boolean} True if the given permissions contain the requested permission, false otherwise. - */ - service.checkPermission = function checkPermission(permissions, objectType, objectID, permissionType) { - - // Loop through all the permissions and check if any of them match the given parameters - for(var i = 0; i < permissions.length; i++) { - var permission = permissions[i]; - - if(objectType === "SYSTEM") { - // System permissions have no object ID, we only need to check the type. - if(permission.permissionType === permissionType) - return true; - } - else { - // Object permissions need to match the object ID and type if given. - if(permission.permissionType === permissionType && - (!objectType || permission.objectType === objectType) && - (!objectID || permission.objectID === objectID)) - return true; - } - } - - // Didn't find any that matched - return false; - } - - return service; -}]); diff --git a/guacamole/src/main/webapp/app/rest/services/permissionService.js b/guacamole/src/main/webapp/app/rest/services/permissionService.js index 7268f9f43..88e42a421 100644 --- a/guacamole/src/main/webapp/app/rest/services/permissionService.js +++ b/guacamole/src/main/webapp/app/rest/services/permissionService.js 
@@ -37,12 +37,12 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer * @param {String} userID * The ID of the user to retrieve the permissions for. * - * @returns {Promise.} - * A promise which will resolve with an array of @link{Permission} - * objects upon success. + * @returns {Promise.} + * A promise which will resolve with a @link{PermissionSet} upon + * success. */ service.getPermissions = function getPermissions(userID) { - return $http.get("api/permission/" + userID + "/?token=" + authenticationService.getCurrentToken()); + return $http.get("api/user/" + userID + "/permissions?token=" + authenticationService.getCurrentToken()); }; /** @@ -51,14 +51,14 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer * call. * * @param {String} userID The ID of the user to add the permission for. - * @param {Permission[]} permissions The permissions to add. + * @param {PermissionSet} permissions The permissions to add. * * @returns {Promise} * A promise for the HTTP call which will succeed if and only if the * add operation is successful. */ service.addPermissions = function addPermissions(userID, permissions) { - return service.patchPermissions(userID, permissions, []); + return service.patchPermissions(userID, permissions, null); }; /** @@ -67,14 +67,14 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer * call. * * @param {String} userID The ID of the user to remove the permission for. - * @param {Permission[]} permissions The permissions to remove. + * @param {PermissionSet} permissions The permissions to remove. * * @returns {Promise} * A promise for the HTTP call which will succeed if and only if the * remove operation is successful. */ service.removePermissions = function removePermissions(userID, permissions) { - return service.patchPermissions(userID, [], permissions); + return service.patchPermissions(userID, null, permissions); }; /** 
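Review bot: addPermissions and removePermissions now pass `null` for the side they do not use, while the later hunk in this file only adds a FIXME stating that patchPermissions does not work with PermissionSet; if patchPermissions still iterates its arguments with the `var i` loop, a null argument throws a TypeError at call time, whereas the former `[]` produced an empty patch. Until patchPermissions is rewritten for PermissionSet it should at least guard `permissionsToAdd` and `permissionsToRemove` against null, or reject the call with an explicit error rather than a FIXME. The body of patchPermissions is outside the hunk.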
@@ -83,8 +83,8 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer * the call. * * @param {String} userID The ID of the user to remove the permission for. - * @param {Permission[]} permissionsToAdd The permissions to add. - * @param {Permission[]} permissionsToRemove The permissions to remove. + * @param {PermissionSet} [permissionsToAdd] The permissions to add. + * @param {PermissionSet} [permissionsToRemove] The permissions to remove. * * @returns {Promise} * A promise for the HTTP call which will succeed if and only if the @@ -92,6 +92,8 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer */ service.patchPermissions = function patchPermissions(userID, permissionsToAdd, permissionsToRemove) { + // FIXME: This will NOT work, now that PermissionSet is used + var i; var permissionPatch = []; diff --git a/guacamole/src/main/webapp/app/rest/services/userService.js b/guacamole/src/main/webapp/app/rest/services/userService.js index 2a42d5a8d..72b70458c 100644 --- a/guacamole/src/main/webapp/app/rest/services/userService.js +++ b/guacamole/src/main/webapp/app/rest/services/userService.js @@ -36,7 +36,7 @@ angular.module('rest').factory('userService', ['$http', 'authenticationService', * @param {String} [permissionType] * The permission type string of the permission that the current user * must have for a given user to appear within the list. Valid values - * are listed within Permission.Type. + * are listed within PermissionSet.ObjectType. * * @returns {Promise.} * A promise which will resolve with an array of @link{User} objects diff --git a/guacamole/src/main/webapp/app/rest/types/Permission.js b/guacamole/src/main/webapp/app/rest/types/Permission.js deleted file mode 100644 index 1fe739056..000000000 --- a/guacamole/src/main/webapp/app/rest/types/Permission.js +++ /dev/null 
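Review bot: The userService.js hunk changes the getUsers doc comment to say valid values "are listed within PermissionSet.ObjectType", but the PermissionSet added in this commit defines `PermissionSet.ObjectPermissionType` (which is also what manageController.js now passes); the comment should read `* are listed within PermissionSet.ObjectPermissionType.`. The getUsers function itself is outside the hunk.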
@@ -1,153 +0,0 @@ -/* - * Copyright (C) 2014 Glyptodon LLC - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -/** - * Service which defines the Permission class. - */ -angular.module('rest').factory('Permission', [function definePermission() { - - /** - * The object returned by REST API calls when representing the data - * associated with a supported remote desktop protocol. - * - * @constructor - * @param {Permission|Object} [template={}] - * The object whose properties should be copied within the new - * Permission. - */ - var Permission = function Permission(template) { - - // Use empty object by default - template = template || {}; - - /** - * The type of object associated with this permission. - * - * @type String - */ - this.objectType = template.objectType; - - /** - * The identifier of the specific object associated with this - * permission. If the objectType is Permission.ObjectType.SYSTEM, this - * property is not applicable. 
- * - * @type String - */ - this.objectIdentifier = template.objectIdentifier; - - /** - * The type of this permission, representing the actions granted if - * this permission is present, such as the ability to read or update - * specific objects. Legal values are specified within - * Permission.Type and depend on this permission's objectType. - * - * @type String - */ - this.permissionType = template.permissionType; - - }; - - /** - * Valid object type strings. - */ - Permission.ObjectType = { - - /** - * The permission refers to a specific connection, identified by the - * value of objectIdentifier. - */ - CONNECTION : "CONNECTION", - - /** - * The permission refers to a specific connection group, identified by - * the value of objectIdentifier. - */ - CONNECTION_GROUP : "CONNECTION_GROUP", - - /** - * The permission refers to a specific user, identified by the value of - * objectIdentifier. - */ - USER : "USER", - - /** - * The permission refers to the system as a whole, and the - * objectIdentifier propery is not applicable. - */ - SYSTEM : "SYSTEM" - - }; - - /** - * Valid permission type strings. - */ - Permission.Type = { - - /** - * Permission to read from the specified object. This permission type - * does not apply to SYSTEM permissions. - */ - READ : "READ", - - /** - * Permission to update the specified object. This permission type does - * not apply to SYSTEM permissions. - */ - UPDATE : "UPDATE", - - /** - * Permission to delete the specified object. This permission type does - * not apply to SYSTEM permissions. - */ - DELETE : "DELETE", - - /** - * Permission to administer the specified object or, if the permission - * refers to the system as a whole, permission to administer the entire - * system. - */ - ADMINISTER : "ADMINISTER", - - /** - * Permission to create new users. This permission type may only be - * applied to the system as a whole. - */ - CREATE_USER : "CREATE_USER", - - /** - * Permission to create new connections. 
This permission type may only - * be applied to the system as a whole. - */ - CREATE_CONNECTION : "CREATE_CONNECTION", - - /** - * Permission to create new connection groups. This permission type may - * only be applied to the system as a whole. - */ - CREATE_CONNECTION_GROUP : "CREATE_CONNECTION_GROUP" - - }; - - return Permission; - -}]); \ No newline at end of file diff --git a/guacamole/src/main/webapp/app/rest/types/PermissionSet.js b/guacamole/src/main/webapp/app/rest/types/PermissionSet.js new file mode 100644 index 000000000..ca8e2f30f --- /dev/null +++ b/guacamole/src/main/webapp/app/rest/types/PermissionSet.js 
@@ -0,0 +1,280 @@ +/* + * Copyright (C) 2014 Glyptodon LLC + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * Service which defines the PermissionSet class. + */ +angular.module('rest').factory('PermissionSet', [function definePermissionSet() { + + /** + * The object returned by REST API calls when representing the permissions + * granted to a specific user. + * + * @constructor + * @param {PermissionSet|Object} [template={}] + * The object whose properties should be copied within the new + * PermissionSet. + */ + var PermissionSet = function Permission(template) { + + // Use empty object by default + template = template || {}; + + /** + * Map of connection identifiers to the corresponding array of granted + * permissions. Each permission is represented by a string listed + * within PermissionSet.ObjectPermissionType. + * + * @type Object. 
+ */ + this.connectionPermissions = template.connectionPermissions || {}; + + /** + * Map of connection group identifiers to the corresponding array of + * granted permissions. Each permission is represented by a string + * listed within PermissionSet.ObjectPermissionType. + * + * @type Object. + */ + this.connectionGroupPermissions = template.connectionGroupPermissions || {}; + + /** + * Map of user identifiers to the corresponding array of granted + * permissions. Each permission is represented by a string listed + * within PermissionSet.ObjectPermissionType. + * + * @type Object. + */ + this.userPermissions = template.userPermissions || {}; + + /** + * Array of granted system permissions. Each permission is represented + * by a string listed within PermissionSet.SystemPermissionType. + * + * @type String[] + */ + this.systemPermissions = template.systemPermissions || []; + + }; + + /** + * Valid object permission type strings. + */ + PermissionSet.ObjectPermissionType = { + + /** + * Permission to read from the specified object. + */ + READ : "READ", + + /** + * Permission to update the specified object. + */ + UPDATE : "UPDATE", + + /** + * Permission to delete the specified object. + */ + DELETE : "DELETE", + + /** + * Permission to administer the specified object + */ + ADMINISTER : "ADMINISTER" + + }; + + /** + * Valid system permission type strings. + */ + PermissionSet.SystemPermissionType = { + + /** + * Permission to administer the entire system. + */ + ADMINISTER : "ADMINISTER", + + /** + * Permission to create new users. + */ + CREATE_USER : "CREATE_USER", + + /** + * Permission to create new connections. + */ + CREATE_CONNECTION : "CREATE_CONNECTION", + + /** + * Permission to create new connection groups. + */ + CREATE_CONNECTION_GROUP : "CREATE_CONNECTION_GROUP" + + }; + + /** + * Returns whether the given permission is granted for at least one + * arbitrary object, regardless of ID. 
+ * + * @param {Object.} permMap + * The permission map to check, where each entry maps an object + * identifer to the array of granted permissions. + * + * @param {String} type + * The permission to search for, as defined by + * PermissionSet.ObjectPermissionType. + * + * @returns {Boolean} + * true if the permission is present (granted), false otherwise. + */ + var containsPermission = function containsPermission(permMap, type) { + + // Search all identifiers for given permission + for (var identifier in permMap) { + + // If permission is granted, then no further searching is necessary + if (permMap[identifier].indexOf(type) !== -1) + return true; + + } + + // No such permission exists + return false; + + }; + + /** + * Returns whether the given permission is granted for the arbitrary + * object having the given ID. If no ID is given, this function determines + * whether the permission is granted at all for any such arbitrary object. + * + * @param {Object.} permMap + * The permission map to check, where each entry maps an object + * identifer to the array of granted permissions. + * + * @param {String} type + * The permission to search for, as defined by + * PermissionSet.ObjectPermissionType. + * + * @param {String} [identifier] + * The identifier of the object to which the permission applies. + * + * @returns {Boolean} + * true if the permission is present (granted), false otherwise. + */ + var hasPermission = function hasPermission(permMap, type, identifier) { + + // If no identifier given, search ignoring the identifier + if (!identifier) + return containsPermission(permMap, type); + + // If identifier not present at all, there are no such permissions + if (!(identifier in permMap)) + return false; + + return permMap[identifier].indexOf(type) !== -1; + + }; + + /** + * Returns whether the given permission is granted for the connection + * having the given ID. + * + * @param {PermissionSet|Object} permSet + * The permission set to check. 
+ * + * @param {String} type + * The permission to search for, as defined by + * PermissionSet.ObjectPermissionType. + * + * @param {String} identifier + * The identifier of the connection to which the permission applies. + * + * @returns {Boolean} + * true if the permission is present (granted), false otherwise. + */ + PermissionSet.hasConnectionPermission = function hasConnectionPermission(permSet, type, identifier) { + return hasPermission(permSet.connectionPermissions, type, identifier); + }; + + /** + * Returns whether the given permission is granted for the connection group + * having the given ID. + * + * @param {PermissionSet|Object} permSet + * The permission set to check. + * + * @param {String} type + * The permission to search for, as defined by + * PermissionSet.ObjectPermissionType. + * + * @param {String} identifier + * The identifier of the connection group to which the permission + * applies. + * + * @returns {Boolean} + * true if the permission is present (granted), false otherwise. + */ + PermissionSet.hasConnectionGroupPermission = function hasConnectionGroupPermission(permSet, type, identifier) { + return hasPermission(permSet.connectionGroupPermissions, type, identifier); + }; + + /** + * Returns whether the given permission is granted for the user having the + * given ID. + * + * @param {PermissionSet|Object} permSet + * The permission set to check. + * + * @param {String} type + * The permission to search for, as defined by + * PermissionSet.ObjectPermissionType. + * + * @param {String} identifier + * The identifier of the user to which the permission applies. + * + * @returns {Boolean} + * true if the permission is present (granted), false otherwise. + */ + PermissionSet.hasUserPermission = function hasUserPermission(permSet, type, identifier) { + return hasPermission(permSet.userPermissions, type, identifier); + }; + + /** + * Returns whether the given permission is granted at the system level. 
+ * + * @param {PermissionSet|Object} permSet + * The permission set to check. + * + * @param {String} type + * The permission to search for, as defined by + * PermissionSet.SystemPermissionType. + * + * @returns {Boolean} + * true if the permission is present (granted), false otherwise. + */ + PermissionSet.hasSystemPermission = function hasSystemPermission(permSet, type) { + return permSet.systemPermissions.indexOf(type) !== -1; + }; + + return PermissionSet; + +}]); \ No newline at end of file
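Review bot: hasPermission tests `if (!(identifier in permMap))` and containsPermission iterates with `for (var identifier in permMap)`, both of which see inherited properties, so an identifier such as "constructor" or "toString" is reported as present and the following `permMap[identifier].indexOf(type)` throws because the value is a function rather than an array; both should use `Object.prototype.hasOwnProperty.call(permMap, identifier)`, e.g. `if (!Object.prototype.hasOwnProperty.call(permMap, identifier)) return false;` in hasPermission and a matching guard at the top of the containsPermission loop. The constructor is declared as `var PermissionSet = function Permission(template) {`, so stack traces and `.name` report "Permission"; it should be `var PermissionSet = function PermissionSet(template) {`.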