From 26d9dd85935bd526b3ddb954709b7a10cbfea3cd Mon Sep 17 00:00:00 2001
From: Michael Jumper <mjumper@apache.org>
Date: Sat, 20 Aug 2016 18:03:32 -0700
Subject: [PATCH 1/2] GUACAMOLE-81: Generalize permissions surrounding
 parent/child relationship.

---
 ...ObjectModel.java => ChildObjectModel.java} |  9 +-
 ....java => ModeledChildDirectoryObject.java} |  2 +-
 ...> ModeledChildDirectoryObjectService.java} | 89 +++++++++++--------
 .../auth/jdbc/connection/ConnectionModel.java |  4 +-
 .../jdbc/connection/ConnectionService.java    | 13 ++-
 .../jdbc/connection/ModeledConnection.java    |  4 +-
 .../connectiongroup/ConnectionGroupModel.java |  4 +-
 .../ConnectionGroupService.java               | 13 ++-
 .../ModeledConnectionGroup.java               |  4 +-
 9 files changed, 88 insertions(+), 54 deletions(-)
 rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/{GroupedObjectModel.java => ChildObjectModel.java} (87%)
 rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/{ModeledGroupedDirectoryObject.java => ModeledChildDirectoryObject.java} (96%)
 rename extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/{ModeledGroupedDirectoryObjectService.java => ModeledChildDirectoryObjectService.java} (63%)

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/GroupedObjectModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ChildObjectModel.java
similarity index 87%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/GroupedObjectModel.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ChildObjectModel.java
index 18dffeeaf..5a458ca85 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/GroupedObjectModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ChildObjectModel.java
@@ -20,12 +20,13 @@
 package org.apache.guacamole.auth.jdbc.base;
 
 /**
- * Object representation of a Guacamole object, such as a user or connection,
- * as represented in the database.
+ * Object representation of a Guacamole object which can be the child of another
+ * object, such as a connection or sharing profile, as represented in the
+ * database.
  *
  * @author Michael Jumper
  */
-public abstract class GroupedObjectModel extends ObjectModel {
+public abstract class ChildObjectModel extends ObjectModel {
 
     /**
      * The unique identifier which identifies the parent of this object.
@@ -35,7 +36,7 @@ public abstract class GroupedObjectModel extends ObjectModel {
     /**
      * Creates a new, empty object.
      */
-    public GroupedObjectModel() {
+    public ChildObjectModel() {
     }
 
     /**
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObject.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObject.java
similarity index 96%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObject.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObject.java
index 6aca74060..f086112df 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObject.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObject.java
@@ -30,7 +30,7 @@ import org.apache.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
  * @param <ModelType>
  *     The type of model object that corresponds to this object.
  */
-public abstract class ModeledGroupedDirectoryObject<ModelType extends GroupedObjectModel>
+public abstract class ModeledChildDirectoryObject<ModelType extends ChildObjectModel>
     extends ModeledDirectoryObject<ModelType> {
 
     /**
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java
similarity index 63%
rename from extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObjectService.java
rename to extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java
index 718def70a..61f48d4d5 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObjectService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java
@@ -31,7 +31,7 @@ import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 
 /**
  * Service which provides convenience methods for creating, retrieving, and
- * manipulating objects that can be within connection groups. This service will
+ * manipulating objects that can be children of other objects. This service will
  * automatically enforce the permissions of the current user.
  *
  * @author Michael Jumper
@@ -47,15 +47,33 @@ import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
  *     The underlying model object used to represent InternalType in the
  *     database.
  */
-public abstract class ModeledGroupedDirectoryObjectService<InternalType extends ModeledGroupedDirectoryObject<ModelType>,
-        ExternalType extends Identifiable, ModelType extends GroupedObjectModel>
+public abstract class ModeledChildDirectoryObjectService<InternalType extends ModeledChildDirectoryObject<ModelType>,
+        ExternalType extends Identifiable, ModelType extends ChildObjectModel>
         extends ModeledDirectoryObjectService<InternalType, ExternalType, ModelType> {
 
     /**
-     * Returns the set of parent connection groups that are modified by the
-     * given model object (by virtue of the object changing parent groups). If
-     * the model is not changing parents, the resulting collection will be
-     * empty.
+     * Returns the permission set associated with the given user and related
+     * to the type of objects which can be parents of the child objects handled
+     * by this directory object service.
+     *
+     * @param user
+     *     The user whose permissions are being retrieved.
+     *
+     * @return
+     *     A permission set which contains the permissions associated with the
+     *     given user and related to the type of objects which can be parents
+     *     of the child objects handled by this directory object service.
+     *
+     * @throws GuacamoleException
+     *     If permission to read the user's permissions is denied.
+     */
+    protected abstract ObjectPermissionSet getParentPermissionSet(
+            ModeledAuthenticatedUser user) throws GuacamoleException;
+
+    /**
+     * Returns the set of parent objects that are modified by the given model
+     * object (by virtue of the object changing parents). If the model is not
+     * changing parents, the resulting collection will be empty.
      *
      * @param user
      *     The user making the given changes to the model.
@@ -69,14 +87,13 @@ public abstract class ModeledGroupedDirectoryObjectService<InternalType extends
      *     deleted, this will be null.
      *
      * @return
-     *     A collection of the identifiers of all parent connection groups
-     *     that will be affected (updated) by the change.
+     *     A collection of the identifiers of all parents that will be affected
+     *     (updated) by the change.
      *
      * @throws GuacamoleException
-     *     If an error occurs while determining which parent connection groups
-     *     are affected.
+     *     If an error occurs while determining which parents are affected.
      */
-    protected Collection<String> getModifiedGroups(ModeledAuthenticatedUser user,
+    protected Collection<String> getModifiedParents(ModeledAuthenticatedUser user,
             String identifier, ModelType model) throws GuacamoleException {
 
         // Get old parent identifier
@@ -98,18 +115,17 @@ public abstract class ModeledGroupedDirectoryObjectService<InternalType extends
 
         }
 
-        // Return collection of all non-root groups involved
-        Collection<String> groups = new ArrayList<String>(2);
-        if (oldParentIdentifier != null) groups.add(oldParentIdentifier);
-        if (parentIdentifier    != null) groups.add(parentIdentifier);
-        return groups;
+        // Return collection of all non-root parents involved
+        Collection<String> parents = new ArrayList<String>(2);
+        if (oldParentIdentifier != null) parents.add(oldParentIdentifier);
+        if (parentIdentifier    != null) parents.add(parentIdentifier);
+        return parents;
 
     }
 
     /**
-     * Returns whether the given user has permission to modify the parent
-     * connection groups affected by the modifications made to the given model
-     * object.
+     * Returns whether the given user has permission to modify the parents
+     * affected by the modifications made to the given model object.
      *
      * @param user
      *     The user who changed the model object.
@@ -123,31 +139,30 @@ public abstract class ModeledGroupedDirectoryObjectService<InternalType extends
      *     deleted, this will be null.
      *
      * @return
-     *     true if the user has update permission for all modified groups,
+     *     true if the user has update permission for all modified parents,
      *     false otherwise.
      *
      * @throws GuacamoleException
-     *     If an error occurs while determining which parent connection groups
-     *     are affected.
+     *     If an error occurs while determining which parents are affected.
      */
-    protected boolean canUpdateModifiedGroups(ModeledAuthenticatedUser user,
+    protected boolean canUpdateModifiedParents(ModeledAuthenticatedUser user,
             String identifier, ModelType model) throws GuacamoleException {
 
         // If user is an administrator, no need to check
         if (user.getUser().isAdministrator())
             return true;
         
-        // Verify that we have permission to modify any modified groups
-        Collection<String> modifiedGroups = getModifiedGroups(user, identifier, model);
-        if (!modifiedGroups.isEmpty()) {
+        // Verify that we have permission to modify any modified parents
+        Collection<String> modifiedParents = getModifiedParents(user, identifier, model);
+        if (!modifiedParents.isEmpty()) {
 
-            ObjectPermissionSet permissionSet = user.getUser().getConnectionGroupPermissions();
-            Collection<String> updateableGroups = permissionSet.getAccessibleObjects(
+            ObjectPermissionSet permissionSet = getParentPermissionSet(user);
+            Collection<String> updateableParents = permissionSet.getAccessibleObjects(
                 Collections.singleton(ObjectPermission.Type.UPDATE),
-                modifiedGroups
+                modifiedParents
             );
 
-            return updateableGroups.size() == modifiedGroups.size();
+            return updateableParents.size() == modifiedParents.size();
             
         }
 
@@ -161,8 +176,8 @@ public abstract class ModeledGroupedDirectoryObjectService<InternalType extends
 
         super.beforeCreate(user, model);
         
-        // Validate that we can update all applicable parent groups
-        if (!canUpdateModifiedGroups(user, null, model))
+        // Validate that we can update all applicable parents
+        if (!canUpdateModifiedParents(user, null, model))
             throw new GuacamoleSecurityException("Permission denied.");
         
     }
@@ -173,8 +188,8 @@ public abstract class ModeledGroupedDirectoryObjectService<InternalType extends
 
         super.beforeUpdate(user, model);
 
-        // Validate that we can update all applicable parent groups
-        if (!canUpdateModifiedGroups(user, model.getIdentifier(), model))
+        // Validate that we can update all applicable parents
+        if (!canUpdateModifiedParents(user, model.getIdentifier(), model))
             throw new GuacamoleSecurityException("Permission denied.");
         
     }
@@ -185,8 +200,8 @@ public abstract class ModeledGroupedDirectoryObjectService<InternalType extends
 
         super.beforeDelete(user, identifier);
 
-        // Validate that we can update all applicable parent groups
-        if (!canUpdateModifiedGroups(user, identifier, null))
+        // Validate that we can update all applicable parents
+        if (!canUpdateModifiedParents(user, identifier, null))
             throw new GuacamoleSecurityException("Permission denied.");
         
     }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionModel.java
index 0a1a475b4..5e8a8f3e0 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionModel.java
@@ -21,7 +21,7 @@ package org.apache.guacamole.auth.jdbc.connection;
 
 import java.util.HashSet;
 import java.util.Set;
-import org.apache.guacamole.auth.jdbc.base.GroupedObjectModel;
+import org.apache.guacamole.auth.jdbc.base.ChildObjectModel;
 
 /**
  * Object representation of a Guacamole connection, as represented in the
@@ -29,7 +29,7 @@ import org.apache.guacamole.auth.jdbc.base.GroupedObjectModel;
  *
  * @author Michael Jumper
  */
-public class ConnectionModel extends GroupedObjectModel {
+public class ConnectionModel extends ChildObjectModel {
 
     /**
      * The human-readable name associated with this connection.
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java
index cf64f8a2c..d6de326cd 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionService.java
@@ -34,7 +34,7 @@ import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
 import org.apache.guacamole.GuacamoleClientException;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
-import org.apache.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObjectService;
+import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObjectService;
 import org.apache.guacamole.auth.jdbc.permission.ConnectionPermissionMapper;
 import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
 import org.apache.guacamole.net.GuacamoleTunnel;
@@ -52,7 +52,7 @@ import org.apache.guacamole.protocol.GuacamoleClientInformation;
  *
  * @author Michael Jumper, James Muehlner
  */
-public class ConnectionService extends ModeledGroupedDirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {
+public class ConnectionService extends ModeledChildDirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {
 
     /**
      * Mapper for accessing connections.
@@ -145,6 +145,15 @@ public class ConnectionService extends ModeledGroupedDirectoryObjectService<Mode
 
     }
 
+    @Override
+    protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user)
+            throws GuacamoleException {
+
+        // Connections are contained by connection groups
+        return user.getUser().getConnectionGroupPermissions();
+
+    }
+
     @Override
     protected void beforeCreate(ModeledAuthenticatedUser user,
             ConnectionModel model) throws GuacamoleException {
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ModeledConnection.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ModeledConnection.java
index 1ee896a03..ead81ec55 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ModeledConnection.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ModeledConnection.java
@@ -31,7 +31,7 @@ import java.util.Set;
 import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
-import org.apache.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObject;
+import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObject;
 import org.apache.guacamole.form.Field;
 import org.apache.guacamole.form.Form;
 import org.apache.guacamole.form.NumericField;
@@ -50,7 +50,7 @@ import org.slf4j.LoggerFactory;
  * @author James Muehlner
  * @author Michael Jumper
  */
-public class ModeledConnection extends ModeledGroupedDirectoryObject<ConnectionModel>
+public class ModeledConnection extends ModeledChildDirectoryObject<ConnectionModel>
     implements Connection {
 
     /**
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupModel.java
index 1d938c963..378457898 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupModel.java
@@ -21,7 +21,7 @@ package org.apache.guacamole.auth.jdbc.connectiongroup;
 
 import java.util.HashSet;
 import java.util.Set;
-import org.apache.guacamole.auth.jdbc.base.GroupedObjectModel;
+import org.apache.guacamole.auth.jdbc.base.ChildObjectModel;
 import org.apache.guacamole.net.auth.ConnectionGroup;
 
 /**
@@ -30,7 +30,7 @@ import org.apache.guacamole.net.auth.ConnectionGroup;
  *
  * @author Michael Jumper
  */
-public class ConnectionGroupModel extends GroupedObjectModel {
+public class ConnectionGroupModel extends ChildObjectModel {
 
     /**
      * The human-readable name associated with this connection group.
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java
index 68ebdae86..0382c35dc 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java
@@ -29,7 +29,7 @@ import org.apache.guacamole.GuacamoleClientException;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.GuacamoleUnsupportedException;
-import org.apache.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObjectService;
+import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObjectService;
 import org.apache.guacamole.auth.jdbc.permission.ConnectionGroupPermissionMapper;
 import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
 import org.apache.guacamole.net.GuacamoleTunnel;
@@ -46,7 +46,7 @@ import org.apache.guacamole.protocol.GuacamoleClientInformation;
  *
  * @author Michael Jumper, James Muehlner
  */
-public class ConnectionGroupService extends ModeledGroupedDirectoryObjectService<ModeledConnectionGroup,
+public class ConnectionGroupService extends ModeledChildDirectoryObjectService<ModeledConnectionGroup,
         ConnectionGroup, ConnectionGroupModel> {
 
     /**
@@ -128,6 +128,15 @@ public class ConnectionGroupService extends ModeledGroupedDirectoryObjectService
 
     }
 
+    @Override
+    protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user)
+            throws GuacamoleException {
+
+        // Connection groups are contained by other connection groups
+        return user.getUser().getConnectionGroupPermissions();
+
+    }
+
     @Override
     protected void beforeCreate(ModeledAuthenticatedUser user,
             ConnectionGroupModel model) throws GuacamoleException {
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java
index 59a93ec68..5fdf6f7e6 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java
@@ -28,7 +28,7 @@ import java.util.Map;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
-import org.apache.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObject;
+import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObject;
 import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
 import org.apache.guacamole.form.BooleanField;
 import org.apache.guacamole.form.Field;
@@ -47,7 +47,7 @@ import org.slf4j.LoggerFactory;
  * @author James Muehlner
  * @author Michael Jumper
  */
-public class ModeledConnectionGroup extends ModeledGroupedDirectoryObject<ConnectionGroupModel>
+public class ModeledConnectionGroup extends ModeledChildDirectoryObject<ConnectionGroupModel>
     implements ConnectionGroup {
 
     /**

From f32dbac4586572eb381b84c2b5b9f21227dbafa4 Mon Sep 17 00:00:00 2001
From: Michael Jumper <mjumper@apache.org>
Date: Sat, 20 Aug 2016 18:23:34 -0700
Subject: [PATCH 2/2] GUACAMOLE-81: Enforce parent/child permissions between
 SharingProfile and Connection.

---
 .../sharingprofile/ModeledSharingProfile.java |  8 ++---
 .../sharingprofile/SharingProfileMapper.java  |  4 +--
 .../sharingprofile/SharingProfileModel.java   | 34 ++-----------------
 .../sharingprofile/SharingProfileService.java | 17 +++++++---
 .../sharingprofile/SharingProfileMapper.xml   | 12 +++----
 .../sharingprofile/SharingProfileMapper.xml   | 12 +++----
 6 files changed, 33 insertions(+), 54 deletions(-)

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java
index 318efedb4..a300c23a4 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java
@@ -23,7 +23,7 @@ import com.google.inject.Inject;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
-import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObject;
+import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObject;
 import org.apache.guacamole.form.Form;
 import org.apache.guacamole.net.auth.SharingProfile;
 
@@ -34,7 +34,7 @@ import org.apache.guacamole.net.auth.SharingProfile;
  * @author Michael Jumper
  */
 public class ModeledSharingProfile
-        extends ModeledDirectoryObject<SharingProfileModel>
+        extends ModeledChildDirectoryObject<SharingProfileModel>
         implements SharingProfile {
 
     /**
@@ -72,12 +72,12 @@ public class ModeledSharingProfile
 
     @Override
     public String getPrimaryConnectionIdentifier() {
-        return getModel().getPrimaryConnectionIdentifier();
+        return getModel().getParentIdentifier();
     }
 
     @Override
     public void setPrimaryConnectionIdentifier(String identifier) {
-        getModel().setPrimaryConnectionIdentifier(identifier);
+        getModel().setParentIdentifier(identifier);
     }
 
     @Override
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java
index 7cd962e61..f2904804a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java
@@ -35,7 +35,7 @@ public interface SharingProfileMapper
      * and having the given name. If no such sharing profile exists, null is
      * returned.
      *
-     * @param primaryConnectionIdentifier
+     * @param parentIdentifier
      *     The identifier of the primary connection to search against.
      *
      * @param name
@@ -46,7 +46,7 @@ public interface SharingProfileMapper
      *     given primary connection, or null if no such sharing profile exists.
      */
     SharingProfileModel selectOneByName(
-            @Param("primaryConnectionIdentifier") String primaryConnectionIdentifier,
+            @Param("parentIdentifier") String parentIdentifier,
             @Param("name") String name);
     
 }
\ No newline at end of file
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java
index 939884b6d..bf286de75 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java
@@ -19,7 +19,7 @@
 
 package org.apache.guacamole.auth.jdbc.sharingprofile;
 
-import org.apache.guacamole.auth.jdbc.base.ObjectModel;
+import org.apache.guacamole.auth.jdbc.base.ChildObjectModel;
 
 /**
  * Object representation of a Guacamole sharing profile, as represented in the
@@ -27,19 +27,13 @@ import org.apache.guacamole.auth.jdbc.base.ObjectModel;
  *
  * @author Michael Jumper
  */
-public class SharingProfileModel extends ObjectModel {
+public class SharingProfileModel extends ChildObjectModel {
 
     /**
      * The human-readable name associated with this sharing profile.
      */
     private String name;
 
-    /**
-     * The identifier of the primary connection associated with this
-     * sharing profile.
-     */
-    private String primaryConnectionIdentifier;
-
     /**
      * Creates a new, empty sharing profile.
      */
@@ -66,30 +60,6 @@ public class SharingProfileModel extends ObjectModel {
         this.name = name;
     }
 
-    /**
-     * Returns the identifier of the primary connection associated with this
-     * sharing profile.
-     *
-     * @return
-     *     The identifier of the primary connection associated with this
-     *     sharing profile.
-     */
-    public String getPrimaryConnectionIdentifier() {
-        return primaryConnectionIdentifier;
-    }
-
-    /**
-     * Sets the identifier of the primary connection associated with this
-     * sharing profile.
-     *
-     * @param primaryConnectionIdentifier
-     *     The identifier of the primary connection associated with this
-     *     sharing profile.
-     */
-    public void setPrimaryConnectionIdentifier(String primaryConnectionIdentifier) {
-        this.primaryConnectionIdentifier = primaryConnectionIdentifier;
-    }
-
     @Override
     public String getIdentifier() {
 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java
index 907a3a945..bf07a13d2 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java
@@ -29,7 +29,7 @@ import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
 import org.apache.guacamole.GuacamoleClientException;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectService;
+import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObjectService;
 import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionMapper;
 import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
 import org.apache.guacamole.net.auth.SharingProfile;
@@ -45,7 +45,7 @@ import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
  * @author Michael Jumper
  */
 public class SharingProfileService
-        extends ModeledDirectoryObjectService<ModeledSharingProfile,
+        extends ModeledChildDirectoryObjectService<ModeledSharingProfile,
             SharingProfile, SharingProfileModel> {
 
     /**
@@ -128,6 +128,15 @@ public class SharingProfileService
 
     }
 
+    @Override
+    protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user)
+            throws GuacamoleException {
+
+        // Sharing profiles are children of connections
+        return user.getUser().getConnectionPermissions();
+
+    }
+
     @Override
     protected void beforeCreate(ModeledAuthenticatedUser user,
             SharingProfileModel model) throws GuacamoleException {
@@ -139,7 +148,7 @@ public class SharingProfileService
             throw new GuacamoleClientException("Sharing profile names must not be blank.");
 
         // Do not attempt to create duplicate sharing profiles
-        SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getPrimaryConnectionIdentifier(), model.getName());
+        SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getParentIdentifier(), model.getName());
         if (existing != null)
             throw new GuacamoleClientException("The sharing profile \"" + model.getName() + "\" already exists.");
 
@@ -156,7 +165,7 @@ public class SharingProfileService
             throw new GuacamoleClientException("Sharing profile names must not be blank.");
         
         // Check whether such a sharing profile is already present
-        SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getPrimaryConnectionIdentifier(), model.getName());
+        SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getParentIdentifier(), model.getName());
         if (existing != null) {
 
             // If the specified name matches a DIFFERENT existing sharing profile, the update cannot continue
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
index 7614574c8..49bb337e1 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
@@ -25,9 +25,9 @@
 
     <!-- Result mapper for sharing profile objects -->
     <resultMap id="SharingProfileResultMap" type="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileModel">
-        <id     column="sharing_profile_id"    property="objectID"                    jdbcType="INTEGER"/>
-        <result column="sharing_profile_name"  property="name"                        jdbcType="VARCHAR"/>
-        <result column="primary_connection_id" property="primaryConnectionIdentifier" jdbcType="INTEGER"/>
+        <id     column="sharing_profile_id"    property="objectID"         jdbcType="INTEGER"/>
+        <result column="sharing_profile_name"  property="name"             jdbcType="VARCHAR"/>
+        <result column="primary_connection_id" property="parentIdentifier" jdbcType="INTEGER"/>
     </resultMap>
 
     <!-- Select all sharing profile identifiers -->
@@ -89,7 +89,7 @@
             primary_connection_id
         FROM guacamole_sharing_profile
         WHERE 
-            primary_connection_id = #{primaryConnectionIdentifier,jdbcType=VARCHAR}
+            primary_connection_id = #{parentIdentifier,jdbcType=VARCHAR}
             AND sharing_profile_name = #{name,jdbcType=VARCHAR}
 
     </select>
@@ -110,7 +110,7 @@
         )
         VALUES (
             #{object.name,jdbcType=VARCHAR},
-            #{object.primaryConnectionIdentifier,jdbcType=VARCHAR}
+            #{object.parentIdentifier,jdbcType=VARCHAR}
         )
 
     </insert>
@@ -119,7 +119,7 @@
     <update id="update" parameterType="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileModel">
         UPDATE guacamole_sharing_profile
         SET sharing_profile_name  = #{object.name,jdbcType=VARCHAR},
-            primary_connection_id = #{object.primaryConnectionIdentifier,jdbcType=VARCHAR}
+            primary_connection_id = #{object.parentIdentifier,jdbcType=VARCHAR}
         WHERE sharing_profile_id = #{object.objectID,jdbcType=INTEGER}
     </update>
 
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
index 36a3beb5d..0af493751 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
@@ -25,9 +25,9 @@
 
     <!-- Result mapper for sharing profile objects -->
     <resultMap id="SharingProfileResultMap" type="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileModel">
-        <id     column="sharing_profile_id"    property="objectID"                    jdbcType="INTEGER"/>
-        <result column="sharing_profile_name"  property="name"                        jdbcType="VARCHAR"/>
-        <result column="primary_connection_id" property="primaryConnectionIdentifier" jdbcType="INTEGER"/>
+        <id     column="sharing_profile_id"    property="objectID"         jdbcType="INTEGER"/>
+        <result column="sharing_profile_name"  property="name"             jdbcType="VARCHAR"/>
+        <result column="primary_connection_id" property="parentIdentifier" jdbcType="INTEGER"/>
     </resultMap>
 
     <!-- Select all sharing profile identifiers -->
@@ -89,7 +89,7 @@
             primary_connection_id
         FROM guacamole_sharing_profile
         WHERE 
-            primary_connection_id = #{primaryConnectionIdentifier,jdbcType=INTEGER}::integer
+            primary_connection_id = #{parentIdentifier,jdbcType=INTEGER}::integer
             AND sharing_profile_name = #{name,jdbcType=VARCHAR}
 
     </select>
@@ -110,7 +110,7 @@
         )
         VALUES (
             #{object.name,jdbcType=VARCHAR},
-            #{object.primaryConnectionIdentifier,jdbcType=INTEGER}::integer
+            #{object.parentIdentifier,jdbcType=INTEGER}::integer
         )
 
     </insert>
@@ -119,7 +119,7 @@
     <update id="update" parameterType="org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileModel">
         UPDATE guacamole_sharing_profile
         SET sharing_profile_name  = #{object.name,jdbcType=VARCHAR},
-            primary_connection_id = #{object.primaryConnectionIdentifier,jdbcType=INTEGER}::integer
+            primary_connection_id = #{object.parentIdentifier,jdbcType=INTEGER}::integer
         WHERE sharing_profile_id = #{object.objectID,jdbcType=INTEGER}::integer
     </update>