diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
index 17dfc5db0..48c95c77b 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
@@ -60,6 +60,7 @@ import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissio
 import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionService;
 import org.apache.guacamole.auth.jdbc.activeconnection.TrackedActiveConnection;
 import org.apache.guacamole.auth.jdbc.base.EntityMapper;
+import org.apache.guacamole.auth.jdbc.base.EntityService;
 import org.apache.guacamole.auth.jdbc.connection.ConnectionParameterMapper;
 import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionMapper;
 import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService;
@@ -161,6 +162,7 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule {
 bind(ConnectionPermissionService.class);
 bind(ConnectionSharingService.class);
 bind(ConnectionService.class);
+ bind(EntityService.class);
 bind(GuacamoleTunnelService.class).to(RestrictedGuacamoleTunnelService.class);
 bind(PasswordEncryptionService.class).to(SHA256PasswordEncryptionService.class);
 bind(PasswordPolicyService.class);
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java index a0511b8f8..e7cbd5db5 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java @@ -27,12 +27,13 @@ import java.util.HashSet; import java.util.Set; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.auth.jdbc.permission.AbstractPermissionService; import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionService; import org.apache.guacamole.auth.jdbc.tunnel.ActiveConnectionRecord; import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; 
@@ -58,12 +59,13 @@ public class ActiveConnectionPermissionService @Override public boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, ObjectPermission.Type type, - String identifier, Set effectiveGroups) throws GuacamoleException { + ModeledPermissions targetEntity, + ObjectPermission.Type type, String identifier, + Set effectiveGroups) throws GuacamoleException { // Retrieve permissions Set permissions = retrievePermissions(user, - targetUser, effectiveGroups); + targetEntity, effectiveGroups); // Permission is granted if retrieved permissions contains the // requested permission @@ -74,14 +76,14 @@ public class ActiveConnectionPermissionService @Override public Set retrievePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) { + if (canReadPermissions(user, targetEntity)) { // Only administrators may access active connections - boolean isAdmin = targetUser.isAdministrator(); + boolean isAdmin = targetEntity.isAdministrator(); // Get all active connections Collection records = tunnelService.getActiveConnections(user); @@ -110,11 +112,12 @@ public class ActiveConnectionPermissionService @Override public Collection retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection permissionTypes, + ModeledPermissions targetEntity, + Collection permissionTypes, Collection identifiers, Set effectiveGroups) throws GuacamoleException { - Set permissions = retrievePermissions(user, targetUser, effectiveGroups); + Set permissions = retrievePermissions(user, targetEntity, effectiveGroups); Collection accessibleObjects = new ArrayList(permissions.size()); // For each identifier/permission combination 
@@ -137,12 +140,12 @@ public class ActiveConnectionPermissionService @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ActiveConnectionPermissionSet permissionSet = activeConnectionPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; @@ -150,7 +153,8 @@ public class ActiveConnectionPermissionService @Override public void createPermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection permissions) + ModeledPermissions targetEntity, + Collection permissions) throws GuacamoleException { // Creating active connection permissions is not implemented @@ -160,7 +164,8 @@ public class ActiveConnectionPermissionService @Override public void deletePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection permissions) + ModeledPermissions targetEntity, + Collection permissions) throws GuacamoleException { // Deleting active connection permissions is not implemented diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java index 14657ce26..31efad5fc 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java 
@@ -19,6 +19,8 @@ package org.apache.guacamole.auth.jdbc.base; +import java.util.Collection; +import java.util.Set; import org.apache.ibatis.annotations.Param; /** @@ -40,4 +42,24 @@ public interface EntityMapper { */ int insert(@Param("entity") EntityModel entity); + /** + * Returns the set of all group identifiers of which the given entity is a + * member, taking into account the given collection of known group + * memberships which are not necessarily defined within the database. + * + * @param entity + * The entity whose effective groups should be returned. + * + * @param effectiveGroups + * The identifiers of any known effective groups that should be taken + * into account, such as those defined externally to the database. + * + * @return + * The set of identifiers of all groups that the given entity is a + * member of, including those where membership is inherited through + * membership in other groups. + */ + Set selectEffectiveGroupIdentifiers(@Param("entity") EntityModel entity, + @Param("effectiveGroups") Collection effectiveGroups); + } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java new file mode 100644 index 000000000..fa71feee0 --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java 
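Review bot: The Javadoc for `selectEffectiveGroupIdentifiers` does not say whether `effectiveGroups` may be empty, yet `ModeledPermissions.getEffectiveUserGroups()` in this same commit always passes `Collections.emptySet()`. The mapper statement behind this method is not part of this view, so it should be confirmed that it handles an empty collection (an empty `IN ()` list is rejected by many databases). Since these identifiers can come from outside the database, it should also be confirmed that they are bound as parameters rather than substituted into the SQL text. I would add to the `@param effectiveGroups` text: `May be empty, in which case only memberships defined within the database are considered.`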
@@ -0,0 +1,65 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.base; + +import com.google.inject.Inject; +import java.util.Collection; +import java.util.Set; + +/** + * Service which provides convenience methods for creating, retrieving, and + * manipulating entities. + */ +public class EntityService { + + /** + * Mapper for Entity model objects. + */ + @Inject + private EntityMapper entityMapper; + + /** + * Returns the set of all group identifiers of which the given entity is a + * member, taking into account the given collection of known group + * memberships which are not necessarily defined within the database. + * + * Note that group visibility with respect to the queried entity is NOT + * taken into account. If the entity is a member of a group, the identifier + * of that group will be included in the returned set even if the current + * user lacks "READ" permission for that group. + * + * @param entity + * The entity whose effective groups should be returned. + * + * @param effectiveGroups + * The identifiers of any known effective groups that should be taken + * into account, such as those defined externally to the database. 
+ * + * @return + * The set of identifiers of all groups that the given entity is a + * member of, including those where membership is inherited through + * membership in other groups. + */ + public Set retrieveEffectiveGroups(ModeledPermissions entity, + Collection effectiveGroups) { + return entityMapper.selectEffectiveGroupIdentifiers(entity.getModel(), effectiveGroups); + } + +} diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java new file mode 100644 index 000000000..2f7808d2c --- /dev/null +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java 
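Review bot: `retrieveEffectiveGroups()` returns group identifiers with no visibility filtering, as its own Javadoc states, but it is public and nothing tells callers to keep the result out of anything returned to the requesting user. `ModeledPermissions.getEffectiveUserGroups()`, added in this same commit, is a public wrapper that hands the set back directly and its Javadoc does not repeat the caveat, so a later caller could disclose membership in groups the current user has no READ permission on. I would repeat the warning on that wrapper, e.g. `Group visibility is NOT applied; use the result for permission evaluation only and never return it to the requesting user.`, or narrow the wrapper's visibility if only permission evaluation needs it.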
@@ -0,0 +1,266 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.base; + +import com.google.inject.Inject; +import java.util.Collections; +import java.util.Set; +import org.apache.guacamole.auth.jdbc.permission.SystemPermissionService; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissionService; +import org.apache.guacamole.auth.jdbc.permission.ConnectionGroupPermissionService; +import org.apache.guacamole.auth.jdbc.permission.ConnectionPermissionService; +import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService; +import org.apache.guacamole.auth.jdbc.permission.UserPermissionService; +import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; +import org.apache.guacamole.net.auth.Permissions; +import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; +import org.apache.guacamole.net.auth.permission.SystemPermission; +import org.apache.guacamole.net.auth.permission.SystemPermissionSet; +import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet; + +/** + * An implementation of the base Permissions interface which is common to both + 
* Users and UserGroups, backed by a database model. + * + * @param + * The type of model object that corresponds to this object. + */ +public abstract class ModeledPermissions + extends ModeledDirectoryObject implements Permissions { + + /** + * Service for retrieving entity details. + */ + @Inject + private EntityService entityService; + + /** + * Service for retrieving system permissions. + */ + @Inject + private SystemPermissionService systemPermissionService; + + /** + * Service for retrieving connection permissions. + */ + @Inject + private ConnectionPermissionService connectionPermissionService; + + /** + * Service for retrieving connection group permissions. + */ + @Inject + private ConnectionGroupPermissionService connectionGroupPermissionService; + + /** + * Service for retrieving sharing profile permissions. + */ + @Inject + private SharingProfilePermissionService sharingProfilePermissionService; + + /** + * Service for retrieving active connection permissions. + */ + @Inject + private ActiveConnectionPermissionService activeConnectionPermissionService; + + /** + * Service for retrieving user permissions. + */ + @Inject + private UserPermissionService userPermissionService; + + /** + * Returns whether the underlying entity is a user. Entities may be either + * users or user groups. + * + * @return + * true if the underlying entity is a user, false otherwise. + */ + public boolean isUser() { + return getModel().getEntityType() == EntityType.USER; + } + + /** + * Returns whether the underlying entity is a user group. Entities may be + * either users or user groups. + * + * @return + * true if the underlying entity is a user group, false otherwise. + */ + public boolean isUserGroup() { + return getModel().getEntityType() == EntityType.USER_GROUP; + } + + /** + * Returns whether this entity is a system administrator, and thus is not + * restricted by permissions, taking into account permission inheritance + * via user groups. 
+ * + * @return + * true if this entity is a system administrator, false otherwise. + * + * @throws GuacamoleException + * If an error occurs while determining the entity's system administrator + * status. + */ + public boolean isAdministrator() throws GuacamoleException { + SystemPermissionSet systemPermissionSet = getEffective().getSystemPermissions(); + return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER); + } + + @Override + public SystemPermissionSet getSystemPermissions() + throws GuacamoleException { + return systemPermissionService.getPermissionSet(getCurrentUser(), this, + Collections.emptySet()); + } + + @Override + public ObjectPermissionSet getConnectionPermissions() + throws GuacamoleException { + return connectionPermissionService.getPermissionSet(getCurrentUser(), + this, Collections.emptySet()); + } + + @Override + public ObjectPermissionSet getConnectionGroupPermissions() + throws GuacamoleException { + return connectionGroupPermissionService.getPermissionSet( + getCurrentUser(), this, Collections.emptySet()); + } + + @Override + public ObjectPermissionSet getSharingProfilePermissions() + throws GuacamoleException { + return sharingProfilePermissionService.getPermissionSet( + getCurrentUser(), this, Collections.emptySet()); + } + + @Override + public ObjectPermissionSet getActiveConnectionPermissions() + throws GuacamoleException { + return activeConnectionPermissionService.getPermissionSet( + getCurrentUser(), this, Collections.emptySet()); + } + + @Override + public ObjectPermissionSet getUserPermissions() + throws GuacamoleException { + return userPermissionService.getPermissionSet(getCurrentUser(), this, + Collections.emptySet()); + } + + @Override + public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException { + // FIXME: STUB + return new SimpleObjectPermissionSet(); + } + + /** + * Returns the identifiers of all user groups defined within the database + * which apply to this user, including any groups 
inherited through + * membership in yet more groups. + * + * @return + * The identifiers of all user groups defined within the database which + * apply to this user. + */ + public Set getEffectiveUserGroups() { + return entityService.retrieveEffectiveGroups(this, + Collections.emptySet()); + } + + /** + * Returns a Permissions object which represents all permissions granted to + * this entity, including any permissions inherited through group + * membership. + * + * @return + * A Permissions object which represents all permissions granted to + * this entity. + */ + public Permissions getEffective() { + + final ModeledAuthenticatedUser authenticatedUser = getCurrentUser(); + final Set effectiveGroups; + + // If this user is the currently-authenticated user, include any + // additional effective groups declared by the authentication system + if (authenticatedUser.getIdentifier().equals(getIdentifier())) + effectiveGroups = entityService.retrieveEffectiveGroups(this, + authenticatedUser.getEffectiveUserGroups()); + + // Otherwise, just include effective groups from the database + else + effectiveGroups = getEffectiveUserGroups(); + + // Return a permissions object which describes all effective + // permissions, including any permissions inherited via user groups + return new Permissions() { + + @Override + public ObjectPermissionSet getActiveConnectionPermissions() + throws GuacamoleException { + return activeConnectionPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getConnectionGroupPermissions() + throws GuacamoleException { + return connectionGroupPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getConnectionPermissions() + throws GuacamoleException { + return connectionPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + 
@Override + public ObjectPermissionSet getSharingProfilePermissions() + throws GuacamoleException { + return sharingProfilePermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public SystemPermissionSet getSystemPermissions() + throws GuacamoleException { + return systemPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getUserPermissions() + throws GuacamoleException { + return userPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups); + } + + @Override + public ObjectPermissionSet getUserGroupPermissions() + throws GuacamoleException { + // FIXME: STUB + return new SimpleObjectPermissionSet(); + } + + }; + } + +} diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java index 74f35fb58..6e4ddfab3 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java 
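Review bot: `getEffective()` decides whether to merge the authentication system's externally declared groups by comparing identifiers only (`authenticatedUser.getIdentifier().equals(getIdentifier())`), without checking the entity type. This class is shared by users and user groups, so if a group's identifier can equal the current user's username (presumably the two namespaces are separate, to be confirmed), that group would be evaluated with the user's external groups, and `isAdministrator()` inherits the result because it goes through `getEffective()`. `AbstractPermissionService.canReadPermissions()` in this same commit already guards the equivalent comparison with `targetEntity.isUser()`; the same guard fits here: `if (isUser() && authenticatedUser.getIdentifier().equals(getIdentifier()))`.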
@@ -20,8 +20,10 @@ package org.apache.guacamole.auth.jdbc.permission; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; +import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; import org.apache.guacamole.net.auth.permission.Permission; 
@@ -41,17 +43,51 @@ public abstract class AbstractPermissionService implements PermissionService { + /** + * Returns the ObjectPermissionSet related to the type of the given entity. + * If the given entity represents a user, then the ObjectPermissionSet + * containing user permissions is returned. If the given entity represents + * a user group, then the ObjectPermissionSet containing user group + * permissions is returned. + * + * @param user + * The user to retrieve the ObjectPermissionSet from. + * + * @param targetEntity + * The entity whose type dictates the ObjectPermissionSet returned. + * + * @return + * The ObjectPermissionSet related to the type of the given entity. + * + * @throws GuacamoleException + * If the relevant ObjectPermissionSet cannot be retrieved. + */ + protected ObjectPermissionSet getRelevantPermissionSet(ModeledUser user, + ModeledPermissions targetEntity) + throws GuacamoleException { + + if (targetEntity.isUser()) + return user.getUserPermissions(); + + if (targetEntity.isUserGroup()) + return user.getUserGroupPermissions(); + + // Entities should be only users or groups + throw new UnsupportedOperationException("Unexpected entity type."); + + } + /** * Determines whether the given user can read the permissions currently - * granted to the given target user. If the reading user and the target - * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is - * required. Permission inheritance via user groups is taken into account. + * granted to the given target entity. If the reading user and the target + * entity are not the same, then explicit READ or SYSTEM_ADMINISTER access + * is required. Permission inheritance via user groups is taken into account. * * @param user * The user attempting to read permissions. * - * @param targetUser - * The user whose permissions are being read. + * @param targetEntity + * The entity whose permissions are being read. * * @return * true if permission is granted, false otherwise. 
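Review bot: `getRelevantPermissionSet()` returns `user.getUserPermissions()` / `user.getUserGroupPermissions()`, whereas the lines it replaces in `canReadPermissions()` (next hunk) and in `ModeledObjectPermissionService.canAlterPermissions()` read from `user.getUser().getEffectivePermissions()`. As defined in `ModeledPermissions` in this commit, those getters pass `Collections.emptySet()` as the effective groups, so unless `ModeledUser` overrides them (not visible here) READ and UPDATE granted through group membership no longer count, which contradicts the retained Javadoc sentence "Permission inheritance via user groups is taken into account". `getUserGroupPermissions()` is also still a stub returning an empty set, so every non-administrator is denied for group targets; that fails closed, but the Javadoc should say so until the stub is replaced. I would change the two returns to `return user.getEffective().getUserPermissions();` and `return user.getEffective().getUserGroupPermissions();`.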
@@ -61,19 +97,20 @@ public abstract class AbstractPermissionService targetEntity) + throws GuacamoleException { // A user can always read their own permissions - if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())) + if (targetEntity.isUser() && user.getUser().getIdentifier().equals(targetEntity.getIdentifier())) return true; // A system adminstrator can do anything if (user.getUser().isAdministrator()) return true; - // Can read permissions on target user if explicit READ is granted - ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions(); - return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier()); + // Can read permissions on target entity if explicit READ is granted + ObjectPermissionSet permissionSet = getRelevantPermissionSet(user.getUser(), targetEntity); + return permissionSet.hasPermission(ObjectPermission.Type.READ, targetEntity.getIdentifier()); } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java index afabbc735..d0f1f0b98 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java 
@@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and @@ -52,12 +53,12 @@ public class ConnectionGroupPermissionService extends ModeledObjectPermissionSer @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = connectionGroupPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java index 0cc69df17..1dc70ad7b 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java 
@@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and @@ -52,12 +53,12 @@ public class ConnectionPermissionService extends ModeledObjectPermissionService @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = connectionPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java index f1105ed60..d9bb6bc28 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java 
@@ -24,9 +24,10 @@ import java.util.Collections; import java.util.HashSet; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; @@ -48,13 +49,14 @@ public abstract class ModeledObjectPermissionService } @Override - protected ObjectPermissionModel getModelInstance(ModeledUser targetUser, + protected ObjectPermissionModel getModelInstance( + ModeledPermissions targetEntity, ObjectPermission permission) { ObjectPermissionModel model = new ObjectPermissionModel(); - // Populate model object with data from user and permission - model.setEntityID(targetUser.getModel().getEntityID()); + // Populate model object with data from entity and permission + model.setEntityID(targetEntity.getModel().getEntityID()); model.setType(permission.getType()); model.setObjectIdentifier(permission.getObjectIdentifier()); 
@@ -64,31 +66,32 @@ public abstract class ModeledObjectPermissionService /** * Determines whether the current user has permission to update the given - * target user, adding or removing the given permissions. Such permission + * target entity, adding or removing the given permissions. Such permission * depends on whether the current user is a system administrator, whether - * they have explicit UPDATE permission on the target user, and whether + * they have explicit UPDATE permission on the target entity, and whether * they have explicit ADMINISTER permission on all affected objects. * Permission inheritance via user groups is taken into account. * * @param user * The user who is changing permissions. * - * @param targetUser - * The user whose permissions are being changed. + * @param targetEntity + * The entity whose permissions are being changed. * * @param permissions * The permissions that are being added or removed from the target - * user. + * entity. * * @return - * true if the user has permission to change the target users + * true if the user has permission to change the target entity's * permissions as specified, false otherwise. * * @throws GuacamoleException * If an error occurs while checking permission status, or if * permission is denied to read the current user's permissions. */ - protected boolean canAlterPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + protected boolean canAlterPermissions(ModeledAuthenticatedUser user, + ModeledPermissions targetEntity, Collection permissions) throws GuacamoleException { 
@@ -96,9 +99,9 @@ public abstract class ModeledObjectPermissionService if (user.getUser().isAdministrator()) return true; - // Verify user has update permission on the target user - ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions(); - if (!userPermissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetUser.getIdentifier())) + // Verify user has update permission on the target entity + ObjectPermissionSet permissionSet = getRelevantPermissionSet(user.getUser(), targetEntity); + if (!permissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetEntity.getIdentifier())) return false; // Produce collection of affected identifiers @@ -122,13 +125,14 @@ public abstract class ModeledObjectPermissionService } @Override - public void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void createPermissions(ModeledAuthenticatedUser user, + ModeledPermissions targetEntity, Collection permissions) throws GuacamoleException { // Create permissions only if user has permission to do so - if (canAlterPermissions(user, targetUser, permissions)) { - Collection models = getModelInstances(targetUser, permissions); + if (canAlterPermissions(user, targetEntity, permissions)) { + Collection models = getModelInstances(targetEntity, permissions); getPermissionMapper().insert(models); return; } 
@@ -139,13 +143,14 @@ public abstract class ModeledObjectPermissionService } @Override - public void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void deletePermissions(ModeledAuthenticatedUser user, + ModeledPermissions targetEntity, Collection permissions) throws GuacamoleException { // Delete permissions only if user has permission to do so - if (canAlterPermissions(user, targetUser, permissions)) { - Collection models = getModelInstances(targetUser, permissions); + if (canAlterPermissions(user, targetEntity, permissions)) { + Collection models = getModelInstances(targetEntity, permissions); getPermissionMapper().delete(models); return; } @@ -157,23 +162,24 @@ public abstract class ModeledObjectPermissionService @Override public boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, ObjectPermission.Type type, - String identifier, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + ObjectPermission.Type type, String identifier, + Set effectiveGroups) throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) - return getPermissionMapper().selectOne(targetUser.getModel(), type, - identifier, effectiveGroups) != null; + if (canReadPermissions(user, targetEntity)) + return getPermissionMapper().selectOne(targetEntity.getModel(), + type, identifier, effectiveGroups) != null; - // User cannot read this user's permissions + // User cannot read this entity's permissions throw new GuacamoleSecurityException("Permission denied."); } @Override public Collection retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection permissions, + ModeledPermissions targetEntity, + Collection permissions, Collection identifiers, Set effectiveGroups) throws GuacamoleException { 
@@ -182,7 +188,7 @@ public abstract class ModeledObjectPermissionService return identifiers; // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) { + if (canReadPermissions(user, targetEntity)) { // If user is an admin, everything is accessible if (user.getUser().isAdministrator()) @@ -190,12 +196,12 @@ public abstract class ModeledObjectPermissionService // Otherwise, return explicitly-retrievable identifiers return getPermissionMapper().selectAccessibleIdentifiers( - targetUser.getModel(), permissions, identifiers, + targetEntity.getModel(), permissions, identifiers, effectiveGroups); } - // User cannot read this user's permissions + // User cannot read this entity's permissions throw new GuacamoleSecurityException("Permission denied."); } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java index dadaea619..a102f3434 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java 
@@ -24,9 +24,10 @@ import java.util.Collection; import java.util.HashSet; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.Permission; import org.apache.guacamole.net.auth.permission.PermissionSet; @@ -97,42 +98,44 @@ public abstract class ModeledPermissionService targetEntity, PermissionType permission); /** * Returns a collection of model objects which are based on the given - * permissions and target user. + * permissions and target entity. * - * @param targetUser - * The user to whom this permission is granted. + * @param targetEntity + * The entity to whom this permission is granted. * * @param permissions * The permissions to use to produce the returned model objects. * * @return * A collection of model objects which are based on the given - * permissions and target user. + * permissions and target entity. */ - protected Collection getModelInstances(ModeledUser targetUser, + protected Collection getModelInstances( + ModeledPermissions targetEntity, Collection permissions) { // Create new collection of models by manually converting each permission Collection models = new ArrayList(permissions.size()); for (PermissionType permission : permissions) - models.add(getModelInstance(targetUser, permission)); + models.add(getModelInstance(targetEntity, permission)); return models; 
@@ -140,14 +143,14 @@ public abstract class ModeledPermissionService retrievePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) - return getPermissionInstances(getPermissionMapper().select(targetUser.getModel(), effectiveGroups)); + if (canReadPermissions(user, targetEntity)) + return getPermissionInstances(getPermissionMapper().select(targetEntity.getModel(), effectiveGroups)); - // User cannot read this user's permissions + // User cannot read this entity's permissions throw new GuacamoleSecurityException("Permission denied."); } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java index 3f39881cb..a841c96c3 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java @@ -22,8 +22,9 @@ package org.apache.guacamole.auth.jdbc.permission; import java.util.Collection; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.ObjectPermission; import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; 
@@ -37,13 +38,13 @@ public interface ObjectPermissionService /** * Returns whether the permission of the given type and associated with the - * given object has been granted to the given user. + * given object has been granted to the given entity. * * @param user * The user retrieving the permission. * - * @param targetUser - * The user associated with the permission to be retrieved. + * @param targetEntity + * The entity associated with the permission to be retrieved. * * @param type * The type of permission to retrieve. 
@@ -53,30 +54,31 @@ public interface ObjectPermissionService * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. * * @return * true if permission of the given type and associated with the given - * object has been granted to the given user, false otherwise. + * object has been granted to the given entity, false otherwise. * * @throws GuacamoleException * If an error occurs while retrieving the requested permission. */ boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, ObjectPermission.Type type, - String identifier, Set effectiveGroups) throws GuacamoleException; + ModeledPermissions targetEntity, + ObjectPermission.Type type, String identifier, + Set effectiveGroups) throws GuacamoleException; /** - * Retrieves the subset of the given identifiers for which the given user + * Retrieves the subset of the given identifiers for which the given entity * has at least one of the given permissions. * * @param user * The user checking the permissions. * - * @param targetUser - * The user to check permissions of. + * @param targetEntity + * The entity to check permissions of. * * @param permissions * The permissions to check. An identifier will be included in the 
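Review bot: The reworded `@param effectiveGroups` text still says "If no groups are given" without stating whether that means an empty set, `null`, or both. This parameter widens the permissions attributed to the entity, so implementers of hasPermission and retrieveAccessibleIdentifiers should not have to guess. I would spell it out, e.g. `If the set is empty, only permissions directly granted to the entity will be used; must not be null.`, adjusted to whatever the mappers actually accept. The same sentence recurs in the `@@ -89,9 +91,9 @@` hunk of this file and in the `init` Javadoc of ObjectPermissionSet and SystemPermissionSet.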
@@ -89,9 +91,9 @@ public interface ObjectPermissionService * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. * * @return * A collection containing the subset of identifiers for which at least @@ -101,7 +103,8 @@ public interface ObjectPermissionService * If an error occurs while retrieving permissions. */ Collection retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user, - ModeledUser targetUser, Collection permissions, + ModeledPermissions targetEntity, + Collection permissions, Collection identifiers, Set effectiveGroups) throws GuacamoleException; diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java index c15b1af5b..d179c686a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java 
@@ -19,29 +19,34 @@ package org.apache.guacamole.auth.jdbc.permission; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import java.util.Collection; import java.util.Collections; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.auth.jdbc.base.RestrictedObject; import org.apache.guacamole.net.auth.permission.ObjectPermission; /** * A database implementation of ObjectPermissionSet which uses an injected * service to query and manipulate the object-level permissions associated with - * a particular user. + * a particular entity. */ public abstract class ObjectPermissionSet extends RestrictedObject implements org.apache.guacamole.net.auth.permission.ObjectPermissionSet { /** - * The user associated with this permission set. Each of the permissions in - * this permission set is granted to this user. + * The entity associated with this permission set. Each of the permissions + * in this permission set is granted to this entity. */ - private ModeledUser user; + private ModeledPermissions entity; + /** + * The identifiers of all groups that should be taken into account + * when determining the permissions effectively granted to the entity. + */ private Set effectiveGroups; /** 
@@ -53,26 +58,27 @@ public abstract class ObjectPermissionSet extends RestrictedObject } /** - * Initializes this permission set with the current user and the user + * Initializes this permission set with the current user and the entity * to whom the permissions in this set are granted. * * @param currentUser * The user who queried this permission set, and whose permissions * dictate the access level of all operations performed on this set. * - * @param user - * The user to whom the permissions in this set are granted. + * @param entity + * The entity to whom the permissions in this set are granted. * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. */ - public void init(ModeledAuthenticatedUser currentUser, ModeledUser user, + public void init(ModeledAuthenticatedUser currentUser, + ModeledPermissions entity, Set effectiveGroups) { super.init(currentUser); - this.user = user; + this.entity = entity; this.effectiveGroups = effectiveGroups; } 
@@ -88,13 +94,13 @@ public abstract class ObjectPermissionSet extends RestrictedObject @Override public Set getPermissions() throws GuacamoleException { - return getObjectPermissionService().retrievePermissions(getCurrentUser(), user, effectiveGroups); + return getObjectPermissionService().retrievePermissions(getCurrentUser(), entity, effectiveGroups); } @Override public boolean hasPermission(ObjectPermission.Type permission, String identifier) throws GuacamoleException { - return getObjectPermissionService().hasPermission(getCurrentUser(), user, permission, identifier, effectiveGroups); + return getObjectPermissionService().hasPermission(getCurrentUser(), entity, permission, identifier, effectiveGroups); } @Override @@ -112,19 +118,19 @@ public abstract class ObjectPermissionSet extends RestrictedObject @Override public Collection getAccessibleObjects(Collection permissions, Collection identifiers) throws GuacamoleException { - return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers, effectiveGroups); + return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), entity, permissions, identifiers, effectiveGroups); } @Override public void addPermissions(Set permissions) throws GuacamoleException { - getObjectPermissionService().createPermissions(getCurrentUser(), user, permissions); + getObjectPermissionService().createPermissions(getCurrentUser(), entity, permissions); } @Override public void removePermissions(Set permissions) throws GuacamoleException { - getObjectPermissionService().deletePermissions(getCurrentUser(), user, permissions); + getObjectPermissionService().deletePermissions(getCurrentUser(), entity, permissions); } } 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java index 3caa5874c..5d88887e7 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java @@ -22,8 +22,9 @@ package org.apache.guacamole.auth.jdbc.permission; import java.util.Collection; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.Permission; import org.apache.guacamole.net.auth.permission.PermissionSet; 
@@ -44,59 +45,60 @@ public interface PermissionService effectiveGroups) - throws GuacamoleException; + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException; /** - * Retrieves all permissions associated with the given user. + * Retrieves all permissions associated with the given entity. * * @param user * The user retrieving the permissions. * - * @param targetUser - * The user associated with the permissions to be retrieved. + * @param targetEntity + * The entity associated with the permissions to be retrieved. * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. * * @return - * The permissions associated with the given user. + * The permissions associated with the given entity. * * @throws GuacamoleException * If an error occurs while retrieving the requested permissions. */ Set retrievePermissions(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException; + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException; /** * Creates the given permissions within the database. If any permissions @@ -105,8 +107,8 @@ public interface PermissionService permissions) throws GuacamoleException; + void createPermissions(ModeledAuthenticatedUser user, + ModeledPermissions targetEntity, + Collection permissions) + throws GuacamoleException; /** * Deletes the given permissions. If any permissions do not exist, they 
@@ -125,17 +129,19 @@ public interface PermissionService permissions) throws GuacamoleException; + void deletePermissions(ModeledAuthenticatedUser user, + ModeledPermissions targetEntity, + Collection permissions) + throws GuacamoleException; } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java index 3018b290d..c30ff73b6 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java @@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and 
@@ -52,12 +53,12 @@ public class SharingProfilePermissionService extends ModeledObjectPermissionServ @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = sharingProfilePermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java index b534ad3fa..c94a260c6 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java @@ -24,10 +24,11 @@ import com.google.inject.Provider; import java.util.Collection; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; import org.apache.guacamole.GuacamoleUnsupportedException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.net.auth.permission.SystemPermission; /** 
@@ -61,13 +62,14 @@ public class SystemPermissionService } @Override - protected SystemPermissionModel getModelInstance(final ModeledUser targetUser, + protected SystemPermissionModel getModelInstance( + final ModeledPermissions targetEntity, final SystemPermission permission) { SystemPermissionModel model = new SystemPermissionModel(); // Populate model object with data from user and permission - model.setEntityID(targetUser.getModel().getEntityID()); + model.setEntityID(targetEntity.getModel().getEntityID()); model.setType(permission.getType()); return model; @@ -76,23 +78,25 @@ public class SystemPermissionService @Override public SystemPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { // Create permission set for requested user SystemPermissionSet permissionSet = systemPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; } @Override - public void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void createPermissions(ModeledAuthenticatedUser user, + ModeledPermissions targetEntity, Collection permissions) throws GuacamoleException { // Only an admin can create system permissions if (user.getUser().isAdministrator()) { - Collection models = getModelInstances(targetUser, permissions); + Collection models = getModelInstances(targetEntity, permissions); systemPermissionMapper.insert(models); return; } 
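Review bot: Three inline comments in SystemPermissionService still say "user" although the parameter they describe is now `targetEntity`. They are `// Populate model object with data from user and permission` in getModelInstance, `// Create permission set for requested user` in getPermissionSet, and `// User cannot read this user's permissions` in the later hasPermission hunk. The sibling services in this commit already use the new wording, so these read as if system permissions still applied to users only. Suggested replacements: `// Populate model object with data from entity and permission`, `// Create permission set for requested entity`, and `// User cannot read this entity's permissions`.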
@@ -103,17 +107,18 @@ public class SystemPermissionService } @Override - public void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser, + public void deletePermissions(ModeledAuthenticatedUser user, + ModeledPermissions targetEntity, Collection permissions) throws GuacamoleException { // Only an admin can delete system permissions if (user.getUser().isAdministrator()) { // Do not allow users to remove their own admin powers - if (user.getUser().getIdentifier().equals(targetUser.getIdentifier())) + if (user.getUser().getIdentifier().equals(targetEntity.getIdentifier())) throw new GuacamoleUnsupportedException("Removing your own administrative permissions is not allowed."); - Collection models = getModelInstances(targetUser, permissions); + Collection models = getModelInstances(targetEntity, permissions); systemPermissionMapper.delete(models); return; } @@ -125,14 +130,14 @@ public class SystemPermissionService /** * Retrieves whether the permission of the given type has been granted to - * the given user. Permission inheritance through group membership is taken - * into account. + * the given entity. Permission inheritance through group membership is + * taken into account. * * @param user * The user retrieving the permission. * - * @param targetUser - * The user associated with the permission to be retrieved. + * @param targetEntity + * The entity associated with the permission to be retrieved. * * @param type * The type of permission to retrieve. 
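Review bot: The self-removal guard in deletePermissions compares identifiers only, `user.getUser().getIdentifier().equals(targetEntity.getIdentifier())`, but `targetEntity` is no longer guaranteed to be a user. If a non-user entity can carry the same identifier as the acting administrator, the guard rejects a legitimate change. It also says nothing about administrative permission the administrator holds only through another entity. Comparing entity IDs avoids the ambiguity, e.g. `if (user.getUser().getModel().getEntityID().equals(targetEntity.getModel().getEntityID()))`, assuming `getEntityID()` returns a non-null object on both sides. The comment would then read `// Do not allow users to remove their own directly-granted admin powers`. The end of the method lies outside this hunk.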
@@ -151,12 +156,13 @@ public class SystemPermissionService * If an error occurs while retrieving the requested permission. */ public boolean hasPermission(ModeledAuthenticatedUser user, - ModeledUser targetUser, SystemPermission.Type type, - Set effectiveGroups) throws GuacamoleException { + ModeledPermissions targetEntity, + SystemPermission.Type type, Set effectiveGroups) + throws GuacamoleException { // Retrieve permissions only if allowed - if (canReadPermissions(user, targetUser)) - return getPermissionMapper().selectOne(targetUser.getModel(), type, effectiveGroups) != null; + if (canReadPermissions(user, targetEntity)) + return getPermissionMapper().selectOne(targetEntity.getModel(), type, effectiveGroups) != null; // User cannot read this user's permissions throw new GuacamoleSecurityException("Permission denied."); diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java index dd8887901..1948facaa 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java 
@@ -19,29 +19,34 @@ package org.apache.guacamole.auth.jdbc.permission; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; import com.google.inject.Inject; import java.util.Collections; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.auth.jdbc.base.RestrictedObject; import org.apache.guacamole.net.auth.permission.SystemPermission; /** * A database implementation of SystemPermissionSet which uses an injected * service to query and manipulate the system permissions associated with a - * particular user. + * particular entity. */ public class SystemPermissionSet extends RestrictedObject implements org.apache.guacamole.net.auth.permission.SystemPermissionSet { /** - * The user associated with this permission set. Each of the permissions in - * this permission set is granted to this user. + * The entity associated with this permission set. Each of the permissions + * in this permission set is granted to this entity. */ - private ModeledUser user; + private ModeledPermissions entity; + /** + * The identifiers of all groups that should be taken into account when + * determining the permissions effectively granted to the entity. + */ private Set effectiveGroups; /** 
@@ -59,38 +64,39 @@ public class SystemPermissionSet extends RestrictedObject } /** - * Initializes this permission set with the current user and the user + * Initializes this permission set with the current user and the entity * to whom the permissions in this set are granted. * * @param currentUser * The user who queried this permission set, and whose permissions * dictate the access level of all operations performed on this set. * - * @param user - * The user to whom the permissions in this set are granted. + * @param entity + * The entity to whom the permissions in this set are granted. * * @param effectiveGroups * The identifiers of all groups that should be taken into account - * when determining the permissions effectively granted to the user. If - * no groups are given, only permissions directly granted to the user - * will be used. + * when determining the permissions effectively granted to the entity. + * If no groups are given, only permissions directly granted to the + * entity will be used. */ - public void init(ModeledAuthenticatedUser currentUser, ModeledUser user, + public void init(ModeledAuthenticatedUser currentUser, + ModeledPermissions entity, Set effectiveGroups) { super.init(currentUser); - this.user = user; + this.entity = entity; this.effectiveGroups = effectiveGroups; } @Override public Set getPermissions() throws GuacamoleException { - return systemPermissionService.retrievePermissions(getCurrentUser(), user, effectiveGroups); + return systemPermissionService.retrievePermissions(getCurrentUser(), entity, effectiveGroups); } @Override public boolean hasPermission(SystemPermission.Type permission) throws GuacamoleException { - return systemPermissionService.hasPermission(getCurrentUser(), user, permission, effectiveGroups); + return systemPermissionService.hasPermission(getCurrentUser(), entity, permission, effectiveGroups); } @Override 
@@ -108,13 +114,13 @@ public class SystemPermissionSet extends RestrictedObject @Override public void addPermissions(Set permissions) throws GuacamoleException { - systemPermissionService.createPermissions(getCurrentUser(), user, permissions); + systemPermissionService.createPermissions(getCurrentUser(), entity, permissions); } @Override public void removePermissions(Set permissions) throws GuacamoleException { - systemPermissionService.deletePermissions(getCurrentUser(), user, permissions); + systemPermissionService.deletePermissions(getCurrentUser(), entity, permissions); } } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java index fabbf72fd..ed8689a7f 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java @@ -24,7 +24,8 @@ import com.google.inject.Provider; import java.util.Set; import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.user.ModeledUser; +import org.apache.guacamole.auth.jdbc.base.EntityModel; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; /** * Service which provides convenience methods for creating, retrieving, and 
@@ -52,12 +53,12 @@ public class UserPermissionService extends ModeledObjectPermissionService { @Override public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user, - ModeledUser targetUser, Set effectiveGroups) - throws GuacamoleException { + ModeledPermissions targetEntity, + Set effectiveGroups) throws GuacamoleException { - // Create permission set for requested user + // Create permission set for requested entity ObjectPermissionSet permissionSet = userPermissionSetProvider.get(); - permissionSet.init(user, targetUser, effectiveGroups); + permissionSet.init(user, targetEntity, effectiveGroups); return permissionSet; diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java index 0bb199e23..9b6547139 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java 
@@ -33,16 +33,10 @@ import java.util.List; import java.util.Map; import java.util.Set; import java.util.TimeZone; -import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObject; import org.apache.guacamole.auth.jdbc.security.PasswordEncryptionService; import org.apache.guacamole.auth.jdbc.security.SaltService; -import org.apache.guacamole.auth.jdbc.permission.SystemPermissionService; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissionService; -import org.apache.guacamole.auth.jdbc.permission.ConnectionGroupPermissionService; -import org.apache.guacamole.auth.jdbc.permission.ConnectionPermissionService; -import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService; -import org.apache.guacamole.auth.jdbc.permission.UserPermissionService; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; import org.apache.guacamole.form.BooleanField; import org.apache.guacamole.form.DateField; import org.apache.guacamole.form.EmailField; @@ -55,10 +49,6 @@ import org.apache.guacamole.net.auth.ActivityRecord; import org.apache.guacamole.net.auth.Permissions; import org.apache.guacamole.net.auth.RelatedObjectSet; import org.apache.guacamole.net.auth.User; -import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; -import org.apache.guacamole.net.auth.permission.SystemPermission; -import org.apache.guacamole.net.auth.permission.SystemPermissionSet; -import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet; import org.apache.guacamole.net.auth.simple.SimpleRelatedObjectSet; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -66,7 +56,7 @@ import org.slf4j.LoggerFactory; /** * An implementation of the User object which is backed by a database model. */ -public class ModeledUser extends ModeledDirectoryObject implements User { +public class ModeledUser extends ModeledPermissions implements User { /** * Logger for this class. 
@@ -186,42 +176,6 @@ public class ModeledUser extends ModeledDirectoryObject implements Us @Inject private SaltService saltService; - /** - * Service for retrieving system permissions. - */ - @Inject - private SystemPermissionService systemPermissionService; - - /** - * Service for retrieving connection permissions. - */ - @Inject - private ConnectionPermissionService connectionPermissionService; - - /** - * Service for retrieving connection group permissions. - */ - @Inject - private ConnectionGroupPermissionService connectionGroupPermissionService; - - /** - * Service for retrieving sharing profile permissions. - */ - @Inject - private SharingProfilePermissionService sharingProfilePermissionService; - - /** - * Service for retrieving active connection permissions. - */ - @Inject - private ActiveConnectionPermissionService activeConnectionPermissionService; - - /** - * Service for retrieving user permissions. - */ - @Inject - private UserPermissionService userPermissionService; - /** * Whether attributes which control access restrictions should be exposed * via getAttributes() or allowed to be set via setAttributes(). 
@@ -331,70 +285,6 @@ public class ModeledUser extends ModeledDirectoryObject implements Us return passwordRecord; } - /** - * Returns whether this user is a system administrator, and thus is not - * restricted by permissions, taking into account permission inheritance - * via user groups. - * - * @return - * true if this user is a system administrator, false otherwise. - * - * @throws GuacamoleException - * If an error occurs while determining the user's system administrator - * status. - */ - public boolean isAdministrator() throws GuacamoleException { - SystemPermissionSet systemPermissionSet = getEffectivePermissions().getSystemPermissions(); - return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER); - } - - @Override - public SystemPermissionSet getSystemPermissions() - throws GuacamoleException { - return systemPermissionService.getPermissionSet(getCurrentUser(), this, - Collections.emptySet()); - } - - @Override - public ObjectPermissionSet getConnectionPermissions() - throws GuacamoleException { - return connectionPermissionService.getPermissionSet(getCurrentUser(), - this, Collections.emptySet()); - } - - @Override - public ObjectPermissionSet getConnectionGroupPermissions() - throws GuacamoleException { - return connectionGroupPermissionService.getPermissionSet( - getCurrentUser(), this, Collections.emptySet()); - } - - @Override - public ObjectPermissionSet getSharingProfilePermissions() - throws GuacamoleException { - return sharingProfilePermissionService.getPermissionSet( - getCurrentUser(), this, Collections.emptySet()); - } - - @Override - public ObjectPermissionSet getActiveConnectionPermissions() - throws GuacamoleException { - return activeConnectionPermissionService.getPermissionSet( - getCurrentUser(), this, Collections.emptySet()); - } - - @Override - public ObjectPermissionSet getUserPermissions() - throws GuacamoleException { - return userPermissionService.getPermissionSet(getCurrentUser(), this, - Collections.emptySet()); 
- } - - @Override - public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException { - return new SimpleObjectPermissionSet(); - } - /** * Stores all restricted (privileged) attributes within the given Map, * pulling the values of those attributes from the underlying user model. 
@@ -860,84 +750,9 @@ public class ModeledUser extends ModeledDirectoryObject implements Us return new SimpleRelatedObjectSet(); } - /** - * Returns the identifiers of all user groups defined within the database - * which apply to this user, including any groups inherited through - * membership in yet more groups. - * - * @return - * The identifiers of all user groups defined within the database which - * apply to this user. - */ - public Set getEffectiveUserGroups() { - return userService.retrieveEffectiveGroups(this, - Collections.emptySet()); - } - @Override public Permissions getEffectivePermissions() throws GuacamoleException { - - final ModeledAuthenticatedUser authenticatedUser = getCurrentUser(); - final Set effectiveGroups; - - // If this user is the currently-authenticated user, include any - // additional effective groups declared by the authentication system - if (authenticatedUser.getIdentifier().equals(getIdentifier())) - effectiveGroups = userService.retrieveEffectiveGroups(this, - authenticatedUser.getEffectiveUserGroups()); - - // Otherwise, just include effective groups from the database - else - effectiveGroups = getEffectiveUserGroups(); - - // Return a permissions object which describes all effective - // permissions, including any permissions inherited via user groups - return new Permissions() { - - @Override - public ObjectPermissionSet getActiveConnectionPermissions() - throws GuacamoleException { - return activeConnectionPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups); - } - - @Override - public ObjectPermissionSet getConnectionGroupPermissions() - throws GuacamoleException { - return connectionGroupPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups); - } - - @Override - public ObjectPermissionSet getConnectionPermissions() - throws GuacamoleException { - return connectionPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups); - } 
- - @Override - public ObjectPermissionSet getSharingProfilePermissions() - throws GuacamoleException { - return sharingProfilePermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups); - } - - @Override - public SystemPermissionSet getSystemPermissions() - throws GuacamoleException { - return systemPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups); - } - - @Override - public ObjectPermissionSet getUserPermissions() - throws GuacamoleException { - return userPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups); - } - - @Override - public ObjectPermissionSet getUserGroupPermissions() - throws GuacamoleException { - // FIXME: STUB - return new SimpleObjectPermissionSet(); - } - - }; + return super.getEffective(); } } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserMapper.java index 6b5110560..cf829be58 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserMapper.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserMapper.java @@ -19,8 +19,6 @@ package org.apache.guacamole.auth.jdbc.user; -import java.util.Collection; -import java.util.Set; import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper; import org.apache.ibatis.annotations.Param; 
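Review bot: The new body of `getEffectivePermissions()`, `return super.getEffective();`, drops the only visible statement of a security-relevant rule. In the removed code, groups declared by the authentication system were merged in only when `authenticatedUser.getIdentifier().equals(getIdentifier())`, and any other user got database groups alone. `ModeledPermissions.getEffective()` is not shown in this hunk, so confirm there that the guard survived the move. If the base class now also serves non-user entities, as the `entity` naming elsewhere in this commit suggests, the guard presumably needs to compare entity type as well as identifier, so that a caller's external groups are never applied to a different principal. I would add a comment above the return, for example `// Delegates to ModeledPermissions; externally declared groups are honoured only when this user is the current user`, and a test that reads another user's effective permissions while the caller holds external groups.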
@@ -41,24 +39,4 @@ public interface UserMapper extends ModeledDirectoryObjectMapper { */ UserModel selectOne(@Param("username") String username); - /** - * Returns the set of all group identifiers of which the given user is a - * member, taking into account the given collection of known group - * memberships which are not necessarily defined within the database. - * - * @param user - * The user whose effective groups should be returned. - * - * @param effectiveGroups - * The identifiers of any known effective groups that should be taken - * into account, such as those defined externally to the database. - * - * @return - * The set of identifiers of all groups that the given user is a - * member of, including those where membership is inherited through - * membership in other groups. - */ - Set selectEffectiveGroupIdentifiers(@Param("user") UserModel user, - @Param("effectiveGroups") Collection effectiveGroups); - } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java index 6d89125a9..60bd1e146 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -26,7 +26,6 @@ import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.List; -import java.util.Set; import javax.servlet.http.HttpServletRequest; import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper; 
@@ -598,31 +597,4 @@ public class UserService extends ModeledDirectoryObjectService retrieveEffectiveGroups(ModeledUser user, - Collection effectiveGroups) { - return userMapper.selectEffectiveGroupIdentifiers(user.getModel(), effectiveGroups); - } - } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml index 01830d759..b2ae26c35 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml @@ -59,6 +59,44 @@ ) + + + diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml index 25d7659a2..1181b3774 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml @@ -79,44 +79,6 @@ AND permission = 'READ' - - -