safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-07 21:51:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUAC-932: Migrate to PermissionSet for reading permissions.

Browse Source
This commit is contained in:
Michael Jumper
2014-12-15 14:19:29 -08:00
parent b1db52541d
commit 68d3b7741e
15 changed files with 792 additions and 718 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTModule.java
View File

@@ -25,7 +25,6 @@ package org.glyptodon.guacamole.net.basic.rest;
import com.google.inject.AbstractModule; import com.google.inject.AbstractModule;
import org.glyptodon.guacamole.net.basic.rest.connection.ConnectionService; import org.glyptodon.guacamole.net.basic.rest.connection.ConnectionService;
import org.glyptodon.guacamole.net.basic.rest.connectiongroup.ConnectionGroupService; import org.glyptodon.guacamole.net.basic.rest.connectiongroup.ConnectionGroupService;
import org.glyptodon.guacamole.net.basic.rest.permission.PermissionService;
import org.glyptodon.guacamole.net.basic.rest.protocol.ProtocolRetrievalService; import org.glyptodon.guacamole.net.basic.rest.protocol.ProtocolRetrievalService;
/** /**
@@ -42,7 +41,6 @@ public class RESTModule extends AbstractModule {
// Bind generic low-level services // Bind generic low-level services
bind(ConnectionService.class); bind(ConnectionService.class);
bind(ConnectionGroupService.class); bind(ConnectionGroupService.class);
bind(PermissionService.class);
bind(ProtocolRetrievalService.class); bind(ProtocolRetrievalService.class);
} }

2
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTServletModule.java
View File

@@ -30,7 +30,6 @@ import org.glyptodon.guacamole.net.basic.rest.auth.TokenRESTService;
import org.glyptodon.guacamole.net.basic.rest.clipboard.ClipboardRESTService; import org.glyptodon.guacamole.net.basic.rest.clipboard.ClipboardRESTService;
import org.glyptodon.guacamole.net.basic.rest.connection.ConnectionRESTService; import org.glyptodon.guacamole.net.basic.rest.connection.ConnectionRESTService;
import org.glyptodon.guacamole.net.basic.rest.connectiongroup.ConnectionGroupRESTService; import org.glyptodon.guacamole.net.basic.rest.connectiongroup.ConnectionGroupRESTService;
import org.glyptodon.guacamole.net.basic.rest.permission.PermissionRESTService;
import org.glyptodon.guacamole.net.basic.rest.protocol.ProtocolRESTService; import org.glyptodon.guacamole.net.basic.rest.protocol.ProtocolRESTService;
import org.glyptodon.guacamole.net.basic.rest.user.UserRESTService; import org.glyptodon.guacamole.net.basic.rest.user.UserRESTService;
@@ -48,7 +47,6 @@ public class RESTServletModule extends ServletModule {
bind(ClipboardRESTService.class); bind(ClipboardRESTService.class);
bind(ConnectionRESTService.class); bind(ConnectionRESTService.class);
bind(ConnectionGroupRESTService.class); bind(ConnectionGroupRESTService.class);
bind(PermissionRESTService.class);
bind(ProtocolRESTService.class); bind(ProtocolRESTService.class);
bind(UserRESTService.class); bind(UserRESTService.class);
bind(TokenRESTService.class); bind(TokenRESTService.class);

228
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermission.java
View File

@@ -1,228 +0,0 @@
/*
* Copyright (C) 2014 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.net.basic.rest.permission;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.map.annotate.JsonSerialize;
import org.glyptodon.guacamole.net.auth.permission.ConnectionGroupPermission;
import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.Permission;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
import org.glyptodon.guacamole.net.auth.permission.UserPermission;
/**
* A simple user permission to expose through the REST endpoints.
*
* @author James Muehlner
*/
@JsonIgnoreProperties(ignoreUnknown = true)
@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL)
public class APIPermission {
/**
* Create an empty APIPermission.
*/
public APIPermission() {}
/**
* The type of object that this permission refers to.
*/
private ObjectType objectType;
/**
* The type of object that a permission can refer to.
*/
public enum ObjectType {
/**
* A normal connection.
*/
CONNECTION,
/**
* A connection group.
*/
CONNECTION_GROUP,
/**
* A Guacamole user.
*/
USER,
/**
* The Guacamole system itself.
*/
SYSTEM
}
/**
* The identifier of the object that this permission refers to.
*/
private String objectIdentifier;
/**
* The object permission type for this APIPermission, if relevant. This is
* only used if this.objectType is CONNECTION, CONNECTION_GROUP, or USER.
*/
private ObjectPermission.Type objectPermissionType;
/**
* The system permission type for this APIPermission, if relevant. This is
* only used if this.objectType is SYSTEM.
*/
private SystemPermission.Type systemPermissionType;
/**
* Create an APIConnection from a Connection record.
*
* @param permission The permission to create this APIPermission from.
*/
public APIPermission(Permission permission) {
// Connection permission
if (permission instanceof ConnectionPermission) {
this.objectType = ObjectType.CONNECTION;
this.objectPermissionType = ((ConnectionPermission) permission).getType();
this.objectIdentifier = ((ConnectionPermission) permission).getObjectIdentifier();
}
// Connection group permission
else if (permission instanceof ConnectionGroupPermission) {
this.objectType = ObjectType.CONNECTION_GROUP;
this.objectPermissionType = ((ConnectionGroupPermission) permission).getType();
this.objectIdentifier = ((ConnectionGroupPermission) permission).getObjectIdentifier();
}
// User permission
else if (permission instanceof UserPermission) {
this.objectType = ObjectType.USER;
this.objectPermissionType = ((UserPermission) permission).getType();
this.objectIdentifier = ((UserPermission) permission).getObjectIdentifier();
}
// System permission
else if (permission instanceof SystemPermission) {
this.objectType = ObjectType.SYSTEM;
this.systemPermissionType = ((SystemPermission) permission).getType();
}
}
/**
* Returns the type of object that this permission refers to.
*
* @return The type of object that this permission refers to.
*/
public ObjectType getObjectType() {
return objectType;
}
/**
* Set the type of object that this permission refers to.
* @param objectType The type of object that this permission refers to.
*/
public void setObjectType(ObjectType objectType) {
this.objectType = objectType;
}
/**
* Returns a string representation of the permission type.
*
* @return A string representation of the permission type.
*/
public String getPermissionType() {
switch(this.objectType) {
case CONNECTION:
case CONNECTION_GROUP:
case USER:
return this.objectPermissionType.toString();
case SYSTEM:
return this.systemPermissionType.toString();
default:
return null;
}
}
/**
* Set the permission type from a string representation of that type.
* Since it's not clear at this point whether this is an object permission or
* system permission, try to set both of them.
*
* @param permissionType The string representation of the permission type.
*/
public void setPermissionType(String permissionType) {
try {
this.objectPermissionType = ObjectPermission.Type.valueOf(permissionType);
} catch(IllegalArgumentException e) {}
try {
this.systemPermissionType = SystemPermission.Type.valueOf(permissionType);
} catch(IllegalArgumentException e) {}
}
/**
* Returns the identifier of the object that this permission refers to.
*
* @return The identifier of the object that this permission refers to.
*/
public String getObjectIdentifier() {
return objectIdentifier;
}
/**
* Set the identifier of the object that this permission refers to.
*
* @param objectIdentifier The identifier of the object that this permission refers to.
*/
public void setObjectIdentifier(String objectIdentifier) {
this.objectIdentifier = objectIdentifier;
}
/**
* Returns an org.glyptodon.guacamole.net.auth.permission.Permission
* representation of this APIPermission.
*
* @return An org.glyptodon.guacamole.net.auth.permission.Permission
* representation of this APIPermission.
*/
public Permission toPermission() {
switch(this.objectType) {
case CONNECTION:
return new ConnectionPermission
(this.objectPermissionType, this.objectIdentifier);
case CONNECTION_GROUP:
return new ConnectionGroupPermission
(this.objectPermissionType, this.objectIdentifier);
case USER:
return new UserPermission
(this.objectPermissionType, this.objectIdentifier);
case SYSTEM:
return new SystemPermission(this.systemPermissionType);
default:
return null;
}
}
}

293
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/APIPermissionSet.java Normal file
View File

@@ -0,0 +1,293 @@
/*
* Copyright (C) 2014 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.net.basic.rest.permission;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleServerException;
import org.glyptodon.guacamole.net.auth.permission.ConnectionGroupPermission;
import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.Permission;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
import org.glyptodon.guacamole.net.auth.permission.UserPermission;
/**
* The set of permissions which are granted to a specific user, organized by
* object type and, if applicable, identifier. This object can be constructed
* with arbitrary permissions present, or manipulated after creation through
* the manipulation or replacement of its collections of permissions, but is
* otherwise not intended for internal use as a data structure for permissions.
* Its primary purpose is as a hierarchical format for exchanging granted
* permissions with REST clients.
*/
public class APIPermissionSet {
/**
* Map of connection ID to the set of granted permissions.
*/
private Map<String, EnumSet<ObjectPermission.Type>> connectionPermissions = new HashMap<String, EnumSet<ObjectPermission.Type>>();
/**
* Map of connection group ID to the set of granted permissions.
*/
private Map<String, EnumSet<ObjectPermission.Type>> connectionGroupPermissions = new HashMap<String, EnumSet<ObjectPermission.Type>>();
/**
* Map of user ID to the set of granted permissions.
*/
private Map<String, EnumSet<ObjectPermission.Type>> userPermissions = new HashMap<String, EnumSet<ObjectPermission.Type>>();
/**
* Set of all granted system-level permissions.
*/
private EnumSet<SystemPermission.Type> systemPermissions = EnumSet.noneOf(SystemPermission.Type.class);
/**
* Adds the given object permission to the given map of object identifier
* to permission set.
*
* @param permissions
* The map to add the given permission to.
*
* @param permission
* The permission to add.
*/
private void addPermission(Map<String, EnumSet<ObjectPermission.Type>> permissions, ObjectPermission<String> permission) {
// Pull set of permissions for given object
String id = permission.getObjectIdentifier();
EnumSet<ObjectPermission.Type> types = permissions.get(id);
// If set does not yet exist, create it
if (types == null) {
types = EnumSet.of(permission.getType());
permissions.put(id, types);
}
// Otherwise, add the specified permission
else
types.add(permission.getType());
}
/**
* Adds the given system-level permission to the given set of granted
* system permissions.
*
* @param permissions
* The set of system permissions to add the given permission to.
*
* @param permission
* The permission to add.
*/
private void addPermission(EnumSet<SystemPermission.Type> permissions, SystemPermission permission) {
permissions.add(permission.getType());
}
/**
* Adds the given permission to the appropriate type-specific set or map of
* permissions based on the permission class. Only connection, connection
* group, user, and system permissions are supported. Unsupported
* permission types will result in a GuacamoleException being thrown.
*
* @param permission The permission to add.
* @throws GuacamoleException If the permission is of an unsupported type.
*/
private void addPermission(Permission<?> permission) throws GuacamoleException {
// Connection permissions
if (permission instanceof ConnectionPermission)
addPermission(connectionPermissions, (ConnectionPermission) permission);
// Connection group permissions
else if (permission instanceof ConnectionGroupPermission)
addPermission(connectionGroupPermissions, (ConnectionGroupPermission) permission);
// User permissions
else if (permission instanceof UserPermission)
addPermission(userPermissions, (UserPermission) permission);
// System permissions
else if (permission instanceof SystemPermission)
addPermission(systemPermissions, (SystemPermission) permission);
// Unknown / unsupported permission type
else
throw new GuacamoleServerException("Serialization of permission type \"" + permission.getClass() + "\" not implemented.");
}
/**
* Creates a new permission set which contains no granted permissions. Any
* permissions must be added by manipulating or replacing the applicable
* permission collection.
*/
public APIPermissionSet() {
}
/**
* Creates a new permission set having the given permissions.
*
* @param permissions
* The permissions to initially store within the permission set.
*
* @throws GuacamoleException
* If any of the given permissions are of an unsupported type.
*/
public APIPermissionSet(Iterable<Permission> permissions) throws GuacamoleException {
// Add all provided permissions
for (Permission permission : permissions)
addPermission(permission);
}
/**
* Creates a new permission set having the given permissions.
*
* @param permissions
* The permissions to initially store within the permission set.
*
* @throws GuacamoleException
* If any of the given permissions are of an unsupported type.
*/
public APIPermissionSet(Permission... permissions) throws GuacamoleException {
// Add all provided permissions
for (Permission permission : permissions)
addPermission(permission);
}
/**
* Returns a map of connection IDs to the set of permissions granted for
* that connection. If no permissions are granted to a particular
* connection, its ID will not be present as a key in the map. This map is
* mutable, and changes to this map will affect the permission set
* directly.
*
* @return
* A map of connection IDs to the set of permissions granted for that
* connection.
*/
public Map<String, EnumSet<ObjectPermission.Type>> getConnectionPermissions() {
return connectionPermissions;
}
/**
* Returns a map of connection group IDs to the set of permissions granted
* for that connection group. If no permissions are granted to a particular
* connection group, its ID will not be present as a key in the map. This
* map is mutable, and changes to this map will affect the permission set
* directly.
*
* @return
* A map of connection group IDs to the set of permissions granted for
* that connection group.
*/
public Map<String, EnumSet<ObjectPermission.Type>> getConnectionGroupPermissions() {
return connectionGroupPermissions;
}
/**
* Returns a map of user IDs to the set of permissions granted for that
* user. If no permissions are granted to a particular user, its ID will
* not be present as a key in the map. This map is mutable, and changes to
* to this map will affect the permission set directly.
*
* @return
* A map of user IDs to the set of permissions granted for that user.
*/
public Map<String, EnumSet<ObjectPermission.Type>> getUserPermissions() {
return userPermissions;
}
/**
* Returns the set of granted system-level permissions. If no permissions
* are granted at the system level, this will be an empty set. This set is
* mutable, and changes to this set will affect the permission set
* directly.
*
* @return
* The set of granted system-level permissions.
*/
public EnumSet<SystemPermission.Type> getSystemPermissions() {
return systemPermissions;
}
/**
* Replaces the current map of connection permissions with the given map,
* which must map connection ID to its corresponding set of granted
* permissions. If a connection has no permissions, its ID must not be
* present as a key in the map.
*
* @param connectionPermissions
* The map which must replace the currently-stored map of permissions.
*/
public void setConnectionPermissions(Map<String, EnumSet<ObjectPermission.Type>> connectionPermissions) {
this.connectionPermissions = connectionPermissions;
}
/**
* Replaces the current map of connection group permissions with the given
* map, which must map connection group ID to its corresponding set of
* granted permissions. If a connection group has no permissions, its ID
* must not be present as a key in the map.
*
* @param connectionGroupPermissions
* The map which must replace the currently-stored map of permissions.
*/
public void setConnectionGroupPermissions(Map<String, EnumSet<ObjectPermission.Type>> connectionGroupPermissions) {
this.connectionGroupPermissions = connectionGroupPermissions;
}
/**
* Replaces the current map of user permissions with the given map, which
* must map user ID to its corresponding set of granted permissions. If a
* user has no permissions, its ID must not be present as a key in the map.
*
* @param userPermissions
* The map which must replace the currently-stored map of permissions.
*/
public void setUserPermissions(Map<String, EnumSet<ObjectPermission.Type>> userPermissions) {
this.userPermissions = userPermissions;
}
/**
* Replaces the current set of system-level permissions with the given set.
* If no system-level permissions are granted, the empty set must be
* specified.
*
* @param systemPermissions
* The set which must replace the currently-stored set of permissions.
*/
public void setSystemPermissions(EnumSet<SystemPermission.Type> systemPermissions) {
this.systemPermissions = systemPermissions;
}
}

157
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionRESTService.java
View File

@@ -1,157 +0,0 @@
/*
* Copyright (C) 2014 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.net.basic.rest.permission;
import com.google.inject.Inject;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response.Status;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.net.auth.Directory;
import org.glyptodon.guacamole.net.auth.User;
import org.glyptodon.guacamole.net.auth.UserContext;
import org.glyptodon.guacamole.net.auth.permission.Permission;
import org.glyptodon.guacamole.net.basic.rest.APIPatch;
import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
import org.glyptodon.guacamole.net.basic.rest.HTTPException;
import org.glyptodon.guacamole.net.basic.rest.PATCH;
import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* A REST Service for handling connection CRUD operations.
*
* @author James Muehlner
*/
@Path("/permission")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class PermissionRESTService {
/**
* Logger for this class.
*/
private static final Logger logger = LoggerFactory.getLogger(PermissionRESTService.class);
/**
* A service for authenticating users from auth tokens.
*/
@Inject
private AuthenticationService authenticationService;
/**
* A service for managing the REST endpoint APIPermission objects.
*/
@Inject
private PermissionService permissionService;
/**
* Gets a list of permissions for the user with the given userID.
*
* @param authToken The authentication token that is used to authenticate
* the user performing the operation.
* @param userID The ID of the user to retrieve permissions for.
* @return The permission list.
* @throws GuacamoleException If a problem is encountered while listing permissions.
*/
@GET
@Path("/{userID}")
@AuthProviderRESTExposure
public List<APIPermission> getPermissions(@QueryParam("token") String authToken, @PathParam("userID") String userID)
throws GuacamoleException {
UserContext userContext = authenticationService.getUserContext(authToken);
// Get the user
User user = userContext.getUserDirectory().get(userID);
if (user == null)
throw new HTTPException(Status.NOT_FOUND, "User not found with the provided userID.");
return permissionService.convertPermissionList(user.getPermissions());
}
/**
* Applies a given list of permission patches.
*
* @param authToken The authentication token that is used to authenticate
* the user performing the operation.
* @param patches The permission patches to apply for this request.
* @throws GuacamoleException If a problem is encountered while removing the permission.
*/
@PATCH
@AuthProviderRESTExposure
public void patchPermissions(@QueryParam("token") String authToken,
List<APIPatch<APIPermission>> patches) throws GuacamoleException {
UserContext userContext = authenticationService.getUserContext(authToken);
// Get the user directory
Directory<String, User> userDirectory = userContext.getUserDirectory();
// All users who have had permissions added or removed
Map<String, User> modifiedUsers = new HashMap<String, User>();
for (APIPatch<APIPermission> patch : patches) {
String userID = patch.getPath();
Permission permission = patch.getValue().toPermission();
// See if we've already modified this user in this request
User user = modifiedUsers.get(userID);
if (user == null)
user = userDirectory.get(userID);
if (user == null)
throw new HTTPException(Status.NOT_FOUND, "User not found with userID " + userID + ".");
// Only the add and remove operations are supported for permissions
switch(patch.getOp()) {
case add:
user.addPermission(permission);
modifiedUsers.put(userID, user);
break;
case remove:
user.removePermission(permission);
modifiedUsers.put(userID, user);
break;
}
}
// Save the permission changes for all modified users
for (User user : modifiedUsers.values())
userDirectory.update(user);
}
}

74
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/permission/PermissionService.java
View File

@@ -1,74 +0,0 @@
/*
* Copyright (C) 2014 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.net.basic.rest.permission;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.glyptodon.guacamole.net.auth.permission.Permission;
/**
* A service for performing useful manipulations on REST Permissions.
*
* @author James Muehlner
*/
public class PermissionService {
/**
* Converts a list of Permission to a list of APIPermission objects for
* exposing with the REST endpoints.
*
* @param permissions The Connections to convert for REST endpoint use.
* @return A List of APIPermission objects for use with the REST endpoint.
*/
public List<APIPermission> convertPermissionList(Iterable<? extends Permission> permissions) {
List<APIPermission> restPermissions = new ArrayList<APIPermission>();
for(Permission permission : permissions)
restPermissions.add(new APIPermission(permission));
return restPermissions;
}
/**
* Converts a list of APIPermission to a set of Permission objects for internal
* Guacamole use.
*
* @param restPermissions The APIPermission objects from the REST endpoints.
* @return a List of Permission objects for internal Guacamole use.
*/
public Set<Permission> convertAPIPermissionList(Iterable<APIPermission> restPermissions) {
Set<Permission> permissions = new HashSet<Permission>();
for(APIPermission restPermission : restPermissions)
permissions.add(restPermission.toPermission());
return permissions;
}
}

183
guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/user/UserRESTService.java
View File

@@ -36,14 +36,25 @@ import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam; import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import org.glyptodon.guacamole.GuacamoleException; import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.net.auth.Directory; import org.glyptodon.guacamole.net.auth.Directory;
import org.glyptodon.guacamole.net.auth.User; import org.glyptodon.guacamole.net.auth.User;
import org.glyptodon.guacamole.net.auth.UserContext; import org.glyptodon.guacamole.net.auth.UserContext;
import org.glyptodon.guacamole.net.auth.permission.ConnectionGroupPermission;
import org.glyptodon.guacamole.net.auth.permission.ConnectionPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.Permission;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
import org.glyptodon.guacamole.net.auth.permission.UserPermission; import org.glyptodon.guacamole.net.auth.permission.UserPermission;
import org.glyptodon.guacamole.net.basic.rest.APIPatch;
import static org.glyptodon.guacamole.net.basic.rest.APIPatch.Operation.add;
import static org.glyptodon.guacamole.net.basic.rest.APIPatch.Operation.remove;
import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure; import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
import org.glyptodon.guacamole.net.basic.rest.HTTPException; import org.glyptodon.guacamole.net.basic.rest.HTTPException;
import org.glyptodon.guacamole.net.basic.rest.PATCH;
import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService; import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
import org.glyptodon.guacamole.net.basic.rest.permission.APIPermissionSet;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -61,6 +72,30 @@ public class UserRESTService {
* Logger for this class. * Logger for this class.
*/ */
private static final Logger logger = LoggerFactory.getLogger(UserRESTService.class); private static final Logger logger = LoggerFactory.getLogger(UserRESTService.class);
/**
* The prefix of any path within an operation of a JSON patch which
* modifies the permissions of a user regarding a specific connection.
*/
private static final String CONNECTION_PERMISSION_PATCH_PATH_PREFIX = "/connectionPermissions/";
/**
* The prefix of any path within an operation of a JSON patch which
* modifies the permissions of a user regarding a specific connection group.
*/
private static final String CONNECTION_GROUP_PERMISSION_PATCH_PATH_PREFIX = "/connectionGroupPermissions/";
/**
* The prefix of any path within an operation of a JSON patch which
* modifies the permissions of a user regarding another, specific user.
*/
private static final String USER_PERMISSION_PATCH_PATH_PREFIX = "/userPermissions/";
/**
* The path of any operation within a JSON patch which modifies the
* permissions of a user regarding the entire system.
*/
private static final String SYSTEM_PERMISSION_PATCH_PATH = "/systemPermissions";
/** /**
* A service for authenticating users from auth tokens. * A service for authenticating users from auth tokens.
@@ -239,4 +274,152 @@ public class UserRESTService {
} }
/**
* Gets a list of permissions for the user with the given userID.
*
* @param authToken The authentication token that is used to authenticate
* the user performing the operation.
* @param userID The ID of the user to retrieve permissions for.
* @return The permission list.
* @throws GuacamoleException If a problem is encountered while listing permissions.
*/
@GET
@Path("/{userID}/permissions")
@AuthProviderRESTExposure
public APIPermissionSet getPermissions(@QueryParam("token") String authToken, @PathParam("userID") String userID)
throws GuacamoleException {
UserContext userContext = authenticationService.getUserContext(authToken);
// Get the user
User user = userContext.getUserDirectory().get(userID);
if (user == null)
throw new HTTPException(Status.NOT_FOUND, "User not found with the provided userID.");
return new APIPermissionSet(user.getPermissions());
}
/**
* Applies a given list of permission patches. Each patch specifies either
* an "add" or a "remove" operation for a permission type, represented by
* a string. Valid permission types depend on the path of each patch
* operation, as the path dictates the permission being modified, such as
* "/connectionPermissions/42" or "/systemPermissions".
*
* @param authToken
* The authentication token that is used to authenticate the user
* performing the operation.
*
* @param userID
* The ID of the user to modify the permissions of.
*
* @param patches
* The permission patches to apply for this request.
*
* @throws GuacamoleException
* If a problem is encountered while modifying permissions.
*/
@PATCH
@Path("/{userID}/permissions")
@AuthProviderRESTExposure
public void patchPermissions(@QueryParam("token") String authToken,
@PathParam("userID") String userID,
List<APIPatch<String>> patches) throws GuacamoleException {
UserContext userContext = authenticationService.getUserContext(authToken);
// Get the user directory
Directory<String, User> userDirectory = userContext.getUserDirectory();
// Get the user
User user = userContext.getUserDirectory().get(userID);
if (user == null)
throw new HTTPException(Status.NOT_FOUND, "User not found with the provided userID.");
// Apply all patch operations individually
for (APIPatch<String> patch : patches) {
Permission permission;
String path = patch.getPath();
// Create connection permission if path has connection prefix
if (path.startsWith(CONNECTION_PERMISSION_PATCH_PATH_PREFIX)) {
// Get identifier and type from patch operation
String identifier = path.substring(CONNECTION_PERMISSION_PATCH_PATH_PREFIX.length());
ObjectPermission.Type type = ObjectPermission.Type.valueOf(patch.getValue());
// Create corresponding permission
permission = new ConnectionPermission(type, identifier);
}
// Create connection group permission if path has connection group prefix
else if (path.startsWith(CONNECTION_GROUP_PERMISSION_PATCH_PATH_PREFIX)) {
// Get identifier and type from patch operation
String identifier = path.substring(CONNECTION_GROUP_PERMISSION_PATCH_PATH_PREFIX.length());
ObjectPermission.Type type = ObjectPermission.Type.valueOf(patch.getValue());
// Create corresponding permission
permission = new ConnectionGroupPermission(type, identifier);
}
// Create user permission if path has user prefix
else if (path.startsWith(USER_PERMISSION_PATCH_PATH_PREFIX)) {
// Get identifier and type from patch operation
String identifier = path.substring(USER_PERMISSION_PATCH_PATH_PREFIX.length());
ObjectPermission.Type type = ObjectPermission.Type.valueOf(patch.getValue());
// Create corresponding permission
permission = new UserPermission(type, identifier);
}
// Create system permission if path is system path
else if (path.startsWith(SYSTEM_PERMISSION_PATCH_PATH)) {
// Get identifier and type from patch operation
SystemPermission.Type type = SystemPermission.Type.valueOf(patch.getValue());
// Create corresponding permission
permission = new SystemPermission(type);
}
// Otherwise, the path is not supported
else
throw new HTTPException(Status.BAD_REQUEST, "Unsupported patch path: \"" + path + "\"");
// Add or remove permission based on operation
switch (patch.getOp()) {
// Add permission
case add:
user.addPermission(permission);
break;
// Remove permission
case remove:
user.removePermission(permission);
break;
// Unsupported patch operation
default:
throw new HTTPException(Status.BAD_REQUEST, "Unsupported patch operation: \"" + patch.getOp() + "\"");
}
} // end for each patch operation
// Save the permission changes
userDirectory.update(user);
}
} }

24
guacamole/src/main/webapp/app/index/controllers/indexController.js
View File

@@ -25,10 +25,12 @@
*/ */
angular.module('index').controller('indexController', ['$scope', '$injector', angular.module('index').controller('indexController', ['$scope', '$injector',
function indexController($scope, $injector) { function indexController($scope, $injector) {
// Get the dependencies commonJS style // Get class dependencies
var permissionService = $injector.get("permissionService"), var PermissionSet = $injector.get("PermissionSet");
permissionCheckService = $injector.get("permissionCheckService"),
// Get services
var permissionService = $injector.get("permissionService"),
authenticationService = $injector.get("authenticationService"), authenticationService = $injector.get("authenticationService"),
$q = $injector.get("$q"), $q = $injector.get("$q"),
$document = $injector.get("$document"), $document = $injector.get("$document"),
@@ -169,13 +171,15 @@ angular.module('index').controller('indexController', ['$scope', '$injector',
permissionService.getPermissions($scope.currentUserID).success(function fetchCurrentUserPermissions(permissions) { permissionService.getPermissions($scope.currentUserID).success(function fetchCurrentUserPermissions(permissions) {
$scope.currentUserPermissions = permissions; $scope.currentUserPermissions = permissions;
// Will be true if the user is an admin // Whether the user has system-wide admin permission
$scope.currentUserIsAdmin = permissionCheckService.checkPermission($scope.currentUserPermissions, "SYSTEM", undefined, "ADMINISTER"); $scope.currentUserIsAdmin = PermissionSet.hasSystemPermission($scope.currentUserPermissions, PermissionSet.SystemPermissionType.ADMINISTER);
// Whether the user can update at least one object
$scope.currentUserHasUpdate = $scope.currentUserIsAdmin
|| PermissionSet.hasConnectionPermission($scope.currentUserPermissions, "UPDATE")
|| PermissionSet.hasConnectionGroupPermission($scope.currentUserPermissions, "UPDATE")
|| PermissionSet.hasUserPermission($scope.currentUserPermissions, "UPDATE");
// Will be true if the user is an admin or has update access to any object
$scope.currentUserHasUpdate = $scope.currentUserIsAdmin ||
permissionCheckService.checkPermission($scope.currentUserPermissions, undefined, undefined, "UPDATE");
permissionsLoaded.resolve(); permissionsLoaded.resolve();
}); });
}; };

4
guacamole/src/main/webapp/app/manage/controllers/manageController.js
View File

@@ -27,7 +27,7 @@ angular.module('manage').controller('manageController', ['$scope', '$injector',
function manageController($scope, $injector) { function manageController($scope, $injector) {
// Required types // Required types
var Permission = $injector.get('Permission'); var PermissionSet = $injector.get('PermissionSet');
// Required services // Required services
var legacyConnectionGroupService = $injector.get('legacyConnectionGroupService'); var legacyConnectionGroupService = $injector.get('legacyConnectionGroupService');
@@ -68,7 +68,7 @@ angular.module('manage').controller('manageController', ['$scope', '$injector',
}); });
// Retrieve all users for whom we have UPDATE permission // Retrieve all users for whom we have UPDATE permission
userService.getUsers(Permission.Type.UPDATE).success(function usersReceived(users) { userService.getUsers(PermissionSet.ObjectPermissionType.UPDATE).success(function usersReceived(users) {
$scope.users = users; $scope.users = users;
$scope.loadingUsers = false; $scope.loadingUsers = false;
}); });

13
guacamole/src/main/webapp/app/rest/services/legacyConnectionGroupService.js
View File

@@ -25,9 +25,12 @@
*/ */
angular.module('rest').factory('legacyConnectionGroupService', ['$injector', function legacyConnectionGroupService($injector) { angular.module('rest').factory('legacyConnectionGroupService', ['$injector', function legacyConnectionGroupService($injector) {
var connectionGroupService = $injector.get('connectionGroupService'); // Get class dependencies
var PermissionSet = $injector.get("PermissionSet");
// Get services
var connectionGroupService = $injector.get('connectionGroupService');
var connectionService = $injector.get('connectionService'); var connectionService = $injector.get('connectionService');
var permissionCheckService = $injector.get('permissionCheckService');
var $q = $injector.get('$q'); var $q = $injector.get('$q');
var displayObjectPreparationService = $injector.get('displayObjectPreparationService'); var displayObjectPreparationService = $injector.get('displayObjectPreparationService');
@@ -196,8 +199,7 @@ angular.module('rest').factory('legacyConnectionGroupService', ['$injector', fun
* item, check now to see if the permission exists. If not, * item, check now to see if the permission exists. If not,
* remove the item. * remove the item.
*/ */
if(!permissionCheckService.checkPermission(permissionList, if(!PermissionSet.hasConnectionPermission(permissionList, item.identifier, requiredConnectionPermission)) {
"CONNECTION", item.identifier, requiredConnectionPermission)) {
items.splice(i, 1); items.splice(i, 1);
continue; continue;
} }
@@ -210,8 +212,7 @@ angular.module('rest').factory('legacyConnectionGroupService', ['$injector', fun
* remove the item. * remove the item.
*/ */
if(requiredConnectionGroupPermission) { if(requiredConnectionGroupPermission) {
if(!permissionCheckService.checkPermission(permissionList, if(!PermissionSet.hasConnectionGroupPermission(permissionList, item.identifier, requiredConnectionGroupPermission)) {
"CONNECTION_GROUP", item.identifier, requiredConnectionGroupPermission)) {
items.splice(i, 1); items.splice(i, 1);
continue; continue;
} }

73
guacamole/src/main/webapp/app/rest/services/permissionCheckService.js
View File

@@ -1,73 +0,0 @@
/*
* Copyright (C) 2014 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
/**
* A service for checking if a specific permission exists
* in a given list of permissions.
*/
angular.module('rest').factory('permissionCheckService', [
function permissionCheckService() {
var service = {};
/**
* A service for checking if the given permission list contains the given
* permission, defined by the objectType, objectID, and permissionType.
* If the objectType or objectID are not passed, they will not be checked.
*
* For example, checkPermission(list, "CONNECTION", undefined, "READ") would
* check if the permission list contains permission to read any connection.
*
* @param {array} permissions The array of permissions to check.
* @param {string} objectType The object type for the permission.
* If not passed, this will not be checked.
* @param {string} objectID The ID of the object the permission is for.
* If not passed, this will not be checked.
* @param {string} permissionType The actual permission type to check for.
* @returns {boolean} True if the given permissions contain the requested permission, false otherwise.
*/
service.checkPermission = function checkPermission(permissions, objectType, objectID, permissionType) {
// Loop through all the permissions and check if any of them match the given parameters
for(var i = 0; i < permissions.length; i++) {
var permission = permissions[i];
if(objectType === "SYSTEM") {
// System permissions have no object ID, we only need to check the type.
if(permission.permissionType === permissionType)
return true;
}
else {
// Object permissions need to match the object ID and type if given.
if(permission.permissionType === permissionType &&
(!objectType || permission.objectType === objectType) &&
(!objectID || permission.objectID === objectID))
return true;
}
}
// Didn't find any that matched
return false;
}
return service;
}]);

22
guacamole/src/main/webapp/app/rest/services/permissionService.js
View File

@@ -37,12 +37,12 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer
* @param {String} userID * @param {String} userID
* The ID of the user to retrieve the permissions for. * The ID of the user to retrieve the permissions for.
* *
* @returns {Promise.<Permission[]>} * @returns {Promise.<PermissionSet>}
* A promise which will resolve with an array of @link{Permission} * A promise which will resolve with a @link{PermissionSet} upon
* objects upon success. * success.
*/ */
service.getPermissions = function getPermissions(userID) { service.getPermissions = function getPermissions(userID) {
return $http.get("api/permission/" + userID + "/?token=" + authenticationService.getCurrentToken()); return $http.get("api/user/" + userID + "/permissions?token=" + authenticationService.getCurrentToken());
}; };
/** /**
@@ -51,14 +51,14 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer
* call. * call.
* *
* @param {String} userID The ID of the user to add the permission for. * @param {String} userID The ID of the user to add the permission for.
* @param {Permission[]} permissions The permissions to add. * @param {PermissionSet} permissions The permissions to add.
* *
* @returns {Promise} * @returns {Promise}
* A promise for the HTTP call which will succeed if and only if the * A promise for the HTTP call which will succeed if and only if the
* add operation is successful. * add operation is successful.
*/ */
service.addPermissions = function addPermissions(userID, permissions) { service.addPermissions = function addPermissions(userID, permissions) {
return service.patchPermissions(userID, permissions, []); return service.patchPermissions(userID, permissions, null);
}; };
/** /**
@@ -67,14 +67,14 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer
* call. * call.
* *
* @param {String} userID The ID of the user to remove the permission for. * @param {String} userID The ID of the user to remove the permission for.
* @param {Permission[]} permissions The permissions to remove. * @param {PermissionSet} permissions The permissions to remove.
* *
* @returns {Promise} * @returns {Promise}
* A promise for the HTTP call which will succeed if and only if the * A promise for the HTTP call which will succeed if and only if the
* remove operation is successful. * remove operation is successful.
*/ */
service.removePermissions = function removePermissions(userID, permissions) { service.removePermissions = function removePermissions(userID, permissions) {
return service.patchPermissions(userID, [], permissions); return service.patchPermissions(userID, null, permissions);
}; };
/** /**
@@ -83,8 +83,8 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer
* the call. * the call.
* *
* @param {String} userID The ID of the user to remove the permission for. * @param {String} userID The ID of the user to remove the permission for.
* @param {Permission[]} permissionsToAdd The permissions to add. * @param {PermissionSet} [permissionsToAdd] The permissions to add.
* @param {Permission[]} permissionsToRemove The permissions to remove. * @param {PermissionSet} [permissionsToRemove] The permissions to remove.
* *
* @returns {Promise} * @returns {Promise}
* A promise for the HTTP call which will succeed if and only if the * A promise for the HTTP call which will succeed if and only if the
@@ -92,6 +92,8 @@ angular.module('rest').factory('permissionService', ['$http', 'authenticationSer
*/ */
service.patchPermissions = function patchPermissions(userID, permissionsToAdd, permissionsToRemove) { service.patchPermissions = function patchPermissions(userID, permissionsToAdd, permissionsToRemove) {
// FIXME: This will NOT work, now that PermissionSet is used
var i; var i;
var permissionPatch = []; var permissionPatch = [];

2
guacamole/src/main/webapp/app/rest/services/userService.js
View File

@@ -36,7 +36,7 @@ angular.module('rest').factory('userService', ['$http', 'authenticationService',
* @param {String} [permissionType] * @param {String} [permissionType]
* The permission type string of the permission that the current user * The permission type string of the permission that the current user
* must have for a given user to appear within the list. Valid values * must have for a given user to appear within the list. Valid values
* are listed within Permission.Type. * are listed within PermissionSet.ObjectType.
* *
* @returns {Promise.<User[]>} * @returns {Promise.<User[]>}
* A promise which will resolve with an array of @link{User} objects * A promise which will resolve with an array of @link{User} objects

153
guacamole/src/main/webapp/app/rest/types/Permission.js
View File

@@ -1,153 +0,0 @@
/*
* Copyright (C) 2014 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
/**
* Service which defines the Permission class.
*/
angular.module('rest').factory('Permission', [function definePermission() {
/**
* The object returned by REST API calls when representing the data
* associated with a supported remote desktop protocol.
*
* @constructor
* @param {Permission|Object} [template={}]
* The object whose properties should be copied within the new
* Permission.
*/
var Permission = function Permission(template) {
// Use empty object by default
template = template || {};
/**
* The type of object associated with this permission.
*
* @type String
*/
this.objectType = template.objectType;
/**
* The identifier of the specific object associated with this
* permission. If the objectType is Permission.ObjectType.SYSTEM, this
* property is not applicable.
*
* @type String
*/
this.objectIdentifier = template.objectIdentifier;
/**
* The type of this permission, representing the actions granted if
* this permission is present, such as the ability to read or update
* specific objects. Legal values are specified within
* Permission.Type and depend on this permission's objectType.
*
* @type String
*/
this.permissionType = template.permissionType;
};
/**
* Valid object type strings.
*/
Permission.ObjectType = {
/**
* The permission refers to a specific connection, identified by the
* value of objectIdentifier.
*/
CONNECTION : "CONNECTION",
/**
* The permission refers to a specific connection group, identified by
* the value of objectIdentifier.
*/
CONNECTION_GROUP : "CONNECTION_GROUP",
/**
* The permission refers to a specific user, identified by the value of
* objectIdentifier.
*/
USER : "USER",
/**
* The permission refers to the system as a whole, and the
* objectIdentifier propery is not applicable.
*/
SYSTEM : "SYSTEM"
};
/**
* Valid permission type strings.
*/
Permission.Type = {
/**
* Permission to read from the specified object. This permission type
* does not apply to SYSTEM permissions.
*/
READ : "READ",
/**
* Permission to update the specified object. This permission type does
* not apply to SYSTEM permissions.
*/
UPDATE : "UPDATE",
/**
* Permission to delete the specified object. This permission type does
* not apply to SYSTEM permissions.
*/
DELETE : "DELETE",
/**
* Permission to administer the specified object or, if the permission
* refers to the system as a whole, permission to administer the entire
* system.
*/
ADMINISTER : "ADMINISTER",
/**
* Permission to create new users. This permission type may only be
* applied to the system as a whole.
*/
CREATE_USER : "CREATE_USER",
/**
* Permission to create new connections. This permission type may only
* be applied to the system as a whole.
*/
CREATE_CONNECTION : "CREATE_CONNECTION",
/**
* Permission to create new connection groups. This permission type may
* only be applied to the system as a whole.
*/
CREATE_CONNECTION_GROUP : "CREATE_CONNECTION_GROUP"
};
return Permission;
}]);

280
guacamole/src/main/webapp/app/rest/types/PermissionSet.js Normal file
View File

@@ -0,0 +1,280 @@
/*
* Copyright (C) 2014 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
/**
* Service which defines the PermissionSet class.
*/
angular.module('rest').factory('PermissionSet', [function definePermissionSet() {
/**
* The object returned by REST API calls when representing the permissions
* granted to a specific user.
*
* @constructor
* @param {PermissionSet|Object} [template={}]
* The object whose properties should be copied within the new
* PermissionSet.
*/
var PermissionSet = function Permission(template) {
// Use empty object by default
template = template || {};
/**
* Map of connection identifiers to the corresponding array of granted
* permissions. Each permission is represented by a string listed
* within PermissionSet.ObjectPermissionType.
*
* @type Object.<String, String[]>
*/
this.connectionPermissions = template.connectionPermissions || {};
/**
* Map of connection group identifiers to the corresponding array of
* granted permissions. Each permission is represented by a string
* listed within PermissionSet.ObjectPermissionType.
*
* @type Object.<String, String[]>
*/
this.connectionGroupPermissions = template.connectionGroupPermissions || {};
/**
* Map of user identifiers to the corresponding array of granted
* permissions. Each permission is represented by a string listed
* within PermissionSet.ObjectPermissionType.
*
* @type Object.<String, String[]>
*/
this.userPermissions = template.userPermissions || {};
/**
* Array of granted system permissions. Each permission is represented
* by a string listed within PermissionSet.SystemPermissionType.
*
* @type String[]
*/
this.systemPermissions = template.systemPermissions || [];
};
/**
* Valid object permission type strings.
*/
PermissionSet.ObjectPermissionType = {
/**
* Permission to read from the specified object.
*/
READ : "READ",
/**
* Permission to update the specified object.
*/
UPDATE : "UPDATE",
/**
* Permission to delete the specified object.
*/
DELETE : "DELETE",
/**
* Permission to administer the specified object
*/
ADMINISTER : "ADMINISTER"
};
/**
* Valid system permission type strings.
*/
PermissionSet.SystemPermissionType = {
/**
* Permission to administer the entire system.
*/
ADMINISTER : "ADMINISTER",
/**
* Permission to create new users.
*/
CREATE_USER : "CREATE_USER",
/**
* Permission to create new connections.
*/
CREATE_CONNECTION : "CREATE_CONNECTION",
/**
* Permission to create new connection groups.
*/
CREATE_CONNECTION_GROUP : "CREATE_CONNECTION_GROUP"
};
/**
* Returns whether the given permission is granted for at least one
* arbitrary object, regardless of ID.
*
* @param {Object.<String, String[]>} permMap
* The permission map to check, where each entry maps an object
* identifer to the array of granted permissions.
*
* @param {String} type
* The permission to search for, as defined by
* PermissionSet.ObjectPermissionType.
*
* @returns {Boolean}
* true if the permission is present (granted), false otherwise.
*/
var containsPermission = function containsPermission(permMap, type) {
// Search all identifiers for given permission
for (var identifier in permMap) {
// If permission is granted, then no further searching is necessary
if (permMap[identifier].indexOf(type) !== -1)
return true;
}
// No such permission exists
return false;
};
/**
* Returns whether the given permission is granted for the arbitrary
* object having the given ID. If no ID is given, this function determines
* whether the permission is granted at all for any such arbitrary object.
*
* @param {Object.<String, String[]>} permMap
* The permission map to check, where each entry maps an object
* identifer to the array of granted permissions.
*
* @param {String} type
* The permission to search for, as defined by
* PermissionSet.ObjectPermissionType.
*
* @param {String} [identifier]
* The identifier of the object to which the permission applies.
*
* @returns {Boolean}
* true if the permission is present (granted), false otherwise.
*/
var hasPermission = function hasPermission(permMap, type, identifier) {
// If no identifier given, search ignoring the identifier
if (!identifier)
return containsPermission(permMap, type);
// If identifier not present at all, there are no such permissions
if (!(identifier in permMap))
return false;
return permMap[identifier].indexOf(type) !== -1;
};
/**
* Returns whether the given permission is granted for the connection
* having the given ID.
*
* @param {PermissionSet|Object} permSet
* The permission set to check.
*
* @param {String} type
* The permission to search for, as defined by
* PermissionSet.ObjectPermissionType.
*
* @param {String} identifier
* The identifier of the connection to which the permission applies.
*
* @returns {Boolean}
* true if the permission is present (granted), false otherwise.
*/
PermissionSet.hasConnectionPermission = function hasConnectionPermission(permSet, type, identifier) {
return hasPermission(permSet.connectionPermissions, type, identifier);
};
/**
* Returns whether the given permission is granted for the connection group
* having the given ID.
*
* @param {PermissionSet|Object} permSet
* The permission set to check.
*
* @param {String} type
* The permission to search for, as defined by
* PermissionSet.ObjectPermissionType.
*
* @param {String} identifier
* The identifier of the connection group to which the permission
* applies.
*
* @returns {Boolean}
* true if the permission is present (granted), false otherwise.
*/
PermissionSet.hasConnectionGroupPermission = function hasConnectionGroupPermission(permSet, type, identifier) {
return hasPermission(permSet.connectionGroupPermissions, type, identifier);
};
/**
* Returns whether the given permission is granted for the user having the
* given ID.
*
* @param {PermissionSet|Object} permSet
* The permission set to check.
*
* @param {String} type
* The permission to search for, as defined by
* PermissionSet.ObjectPermissionType.
*
* @param {String} identifier
* The identifier of the user to which the permission applies.
*
* @returns {Boolean}
* true if the permission is present (granted), false otherwise.
*/
PermissionSet.hasUserPermission = function hasUserPermission(permSet, type, identifier) {
return hasPermission(permSet.userPermissions, type, identifier);
};
/**
* Returns whether the given permission is granted at the system level.
*
* @param {PermissionSet|Object} permSet
* The permission set to check.
*
* @param {String} type
* The permission to search for, as defined by
* PermissionSet.SystemPermissionType.
*
* @returns {Boolean}
* true if the permission is present (granted), false otherwise.
*/
PermissionSet.hasSystemPermission = function hasSystemPermission(permSet, type) {
return permSet.systemPermissions.indexOf(type) !== -1;
};
return PermissionSet;
}]);