From 9f22d6bd715c280c91c9f7e11818db6ce65147c7 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Sat, 28 Feb 2015 19:27:14 -0800
Subject: [PATCH] GUAC-1101: Implement querying of connection group permissions.
---
.../JDBCAuthenticationProviderModule.java | 10 +-
.../ConnectionGroupPermissionMapper.java | 30 ++++++
.../ConnectionGroupPermissionService.java | 69 +++++++++++++
.../ConnectionGroupPermissionSet.java | 47 +++++++++
.../guacamole/auth/jdbc/user/ModeledUser.java | 12 ++-
.../connectiongroup/ConnectionGroupMapper.xml | 2 +-
.../ConnectionGroupPermissionMapper.xml | 99 +++++++++++++++++++
7 files changed, 263 insertions(+), 6 deletions(-)
create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.java
create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionSet.java
create mode 100644 extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
index 6c99b5aef..0421d5e1f 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
@@ -49,6 +49,9 @@ import org.glyptodon.guacamole.auth.jdbc.permission.SystemPermissionService;
 import org.glyptodon.guacamole.auth.jdbc.socket.UnrestrictedGuacamoleSocketService;
 import org.glyptodon.guacamole.auth.jdbc.user.UserService;
 import org.apache.ibatis.transaction.jdbc.JdbcTransactionFactory;
+import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionMapper;
+import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionService;
+import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionSet;
 import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionPermissionMapper;
 import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionPermissionService;
 import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionPermissionSet;
@@ -94,6 +97,7 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule {
 // Add MyBatis mappers
 addMapperClass(ConnectionMapper.class);
 addMapperClass(ConnectionGroupMapper.class);
+addMapperClass(ConnectionGroupPermissionMapper.class);
 addMapperClass(ConnectionPermissionMapper.class);
 addMapperClass(ConnectionRecordMapper.class);
 addMapperClass(ParameterMapper.class);
@@ -104,20 +108,22 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule {
 bind(Environment.class).toInstance(environment);
 bind(ConnectionDirectory.class);
 bind(ConnectionGroupDirectory.class);
+bind(ConnectionGroupPermissionSet.class);
+bind(ConnectionPermissionSet.class);
 bind(ModeledConnection.class);
 bind(ModeledConnectionGroup.class);
 bind(ModeledGuacamoleConfiguration.class);
 bind(ModeledUser.class);
 bind(RootConnectionGroup.class);
-bind(ConnectionPermissionSet.class);
 bind(SystemPermissionSet.class);
 bind(UserContext.class);
 bind(UserDirectory.class);
 
 // Bind services
+bind(ConnectionGroupPermissionService.class);
+bind(ConnectionGroupService.class);
 bind(ConnectionPermissionService.class);
 bind(ConnectionService.class);
-bind(ConnectionGroupService.class);
 bind(PasswordEncryptionService.class).to(SHA256PasswordEncryptionService.class);
 bind(SaltService.class).to(SecureRandomSaltService.class);
 bind(SystemPermissionService.class);
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.java
new file mode 100644
index 000000000..cc791d628
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.auth.jdbc.permission;
+
+/**
+ * Mapper for connection group permissions.
+ *
+ * @author Michael Jumper
+ */
+public interface ConnectionGroupPermissionMapper extends ObjectPermissionMapper {}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
new file mode 100644
index 000000000..e64d6c71f
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.auth.jdbc.permission;
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.auth.jdbc.user.ModeledUser;
+
+/**
+ * Service which provides convenience methods for creating, retrieving, and
+ * deleting connection group permissions. This service will automatically
+ * enforce the permissions of the current user.
+ *
+ * @author Michael Jumper
+ */
+public class ConnectionGroupPermissionService extends ObjectPermissionService {
+
+ /**
+ * Mapper for connection group permissions.
+ */
+ @Inject
+ private ConnectionGroupPermissionMapper connectionGroupPermissionMapper;
+
+ /**
+ * Provider for connection group permission sets.
+ */
+ @Inject
+ private Provider connectionGroupPermissionSetProvider;
+
+ @Override
+ protected ObjectPermissionMapper getPermissionMapper() {
+ return connectionGroupPermissionMapper;
+ }
+
+ @Override
+ public ObjectPermissionSet getPermissionSet(AuthenticatedUser user,
+ ModeledUser targetUser) throws GuacamoleException {
+
+ // Create permission set for requested user
+ ObjectPermissionSet permissionSet = connectionGroupPermissionSetProvider.get();
+ permissionSet.init(user, targetUser);
+
+ return permissionSet;
+
+ }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionSet.java
new file mode 100644
index 000000000..5f057dc2d
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionSet.java
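Review bot: `getPermissionSet()` performs no authorization check of its own — it obtains a set from the provider and calls `permissionSet.init(user, targetUser)` — so the class Javadoc's promise that the service "will automatically enforce the permissions of the current user" rests entirely on `ObjectPermissionSet.init()` and the inherited `ObjectPermissionService` methods, none of which are in this hunk. A comment on the method should make that explicit, e.g. `// No access check here: whether user may see targetUser's permissions is enforced by the inherited ObjectPermissionService/ObjectPermissionSet logic`, so a later reader does not assume a check was dropped. The provider field also appears here as a raw `Provider`; if that is only the type parameter lost in rendering, ignore this, but a genuinely raw `Provider` would make `get()` return `Object` and the assignment to `ObjectPermissionSet` would not compile.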
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.auth.jdbc.permission;
+
+import com.google.inject.Inject;
+
+/**
+ * A database implementation of ObjectPermissionSet which uses an injected
+ * service to query and manipulate the connection group permissions associated
+ * with a particular user.
+ *
+ * @author Michael Jumper
+ */
+public class ConnectionGroupPermissionSet extends ObjectPermissionSet {
+
+ /**
+ * Service for querying and manipulating connection group permissions.
+ */
+ @Inject
+ private ConnectionGroupPermissionService connectionGroupPermissionService;
+
+ @Override
+ protected ObjectPermissionService getObjectPermissionService() {
+ return connectionGroupPermissionService;
+ }
+
+}
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java
index 55085be25..5c568a511 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java
@@ -28,6 +28,7 @@ import org.glyptodon.guacamole.auth.jdbc.security.PasswordEncryptionService;
 import org.glyptodon.guacamole.auth.jdbc.security.SaltService;
 import org.glyptodon.guacamole.auth.jdbc.permission.SystemPermissionService;
 import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionService;
 import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionPermissionService;
 import org.glyptodon.guacamole.net.auth.User;
 import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -66,7 +67,13 @@ public class ModeledUser extends DirectoryObject implements User { */ @Inject private ConnectionPermissionService connectionPermissionService; - + + /** + * Service for retrieving connection group permissions. + */ + @Inject + private ConnectionGroupPermissionService connectionGroupPermissionService; + /** + * The plaintext password previously set by a call to setPassword(), if + * any. The password of a user cannot be retrieved once saved into the
@@ -144,8 +151,7 @@ public class ModeledUser extends DirectoryObject implements User { @Override public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException { - // STUB - return new SimpleObjectPermissionSet(); + return connectionGroupPermissionService.getPermissionSet(getCurrentUser(), this); } @Override
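Review bot: With the stub removed, `getConnectionGroupPermissions()` no longer references `SimpleObjectPermissionSet`; if no other method in ModeledUser still returns `new SimpleObjectPermissionSet()`, the corresponding import (outside these hunks) is now unused and should go with this change. The override also now depends on `getCurrentUser()` being populated — presumably by initialization code outside the hunk — where the stub returned an empty set unconditionally, so a one-line Javadoc such as `/** Returns this user's connection group permissions as visible to the current (acting) user. */` would make that dependency explicit. The enclosing class continues outside the hunk.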
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
index 7ee627d0f..3e3f8c156 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
@@ -95,7 +95,7 @@ guacamole_connection_group.connection_group_id, connection_group_name, parent_id, - protocol + type FROM guacamole_connection_group JOIN guacamole_connection_group_permission ON guacamole_connection_group_permission.connection_group_id = guacamole_connection_group.connection_group_id WHERE guacamole_connection_group.connection_group_id IN
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
new file mode 100644
index 000000000..c7d40e3aa
--- /dev/null
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
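Review bot: The `protocol` to `type` correction touches only this permission-joined select; the same column list very likely appears in the mapper's other select statements (by identifier, all, etc.), which are outside the hunk, and they should be checked for the same copy-paste of the connection mapper's `protocol` column, since a mismatch surfaces only at runtime as a SQL error or an unmapped `type`. The `WHERE ... IN` clause that scopes this query to the user's readable groups continues outside the hunk.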
@@ -0,0 +1,99 @@ + + + + + + + + + + + + + + + + + + + + + + + + + DELETE FROM guacamole_connection_group_permission + WHERE (user_id, permission, connection_group_id) IN + + (#{permission.userID,jdbcType=INTEGER}, + #{permission.type,jdbcType=VARCHAR}, + #{permission.objectIdentifier,jdbcType=VARCHAR}) + + + + + + + + INSERT IGNORE INTO guacamole_connection_group_permission ( + user_id, + permission, + connection_group_id + ) + VALUES + + (#{permission.userID,jdbcType=INTEGER}, + #{permission.type,jdbcType=VARCHAR}, + #{permission.objectIdentifier,jdbcType=VARCHAR}) + + + + + \ No newline at end of file
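Review bot: Both statements bind `#{permission.objectIdentifier,jdbcType=VARCHAR}` into `connection_group_id`, which the sibling ConnectionGroupMapper.xml in this patch uses as the key of guacamole_connection_group; if that column is numeric, the DELETE and INSERT rely on MySQL's implicit string-to-integer coercion, so a non-numeric identifier can be coerced (to 0, with a warning, outside strict mode) rather than rejected and silently target no row or the wrong row. Validate and convert the identifier before it reaches the mapper, or bind it with `jdbcType=INTEGER`, and apply the same rule on the read side. The tuple list appears to be emitted through a `foreach` (the XML elements themselves are not visible in this rendering), so callers must not pass an empty collection, as `IN ()` is a MySQL syntax error. Using `#{}` placeholders throughout rather than `${}` is the right choice and keeps caller-supplied values out of the SQL text.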