Refactor to support new SystemPermission organization (no more *DirectoryPermission classes).

2025-09-08 06:01:22 +00:00 · 2013-02-27 16:20:09 -08:00
parent 65a31775b6
commit a84b9d2094
5 changed files with 99 additions and 195 deletions
--- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
+++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/connections/List.java
@@ -32,11 +32,9 @@ import net.sourceforge.guacamole.net.auth.ConnectionRecord;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.User;
 import net.sourceforge.guacamole.net.auth.UserContext;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionDirectoryPermission;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionPermission;
 import net.sourceforge.guacamole.net.auth.permission.ObjectPermission;
 import net.sourceforge.guacamole.net.auth.permission.Permission;
 import net.sourceforge.guacamole.net.auth.permission.SystemPermission;
 import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet;
 import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
@@ -48,35 +46,6 @@ import net.sourceforge.guacamole.protocol.GuacamoleConfiguration;
 */
 public class List extends AuthenticatingHttpServlet {
    /**
     * Checks whether the given user has permission to perform the given
     * system operation. Security exceptions are handled appropriately - only
     * non-security exceptions pass through.
     *
     * @param user The user whose permissions should be verified.
     * @param type The type of operation to check for permission for.
     * @return true if permission is granted, false otherwise.
     *
     * @throws GuacamoleException If an error occurs while checking permissions.
     */
    private boolean hasConfigPermission(User user, SystemPermission.Type type)
    throws GuacamoleException {
        // Build permission
        Permission permission =
                new ConnectionDirectoryPermission(type);
        try {
            // Return result of permission check, if possible
            return user.hasPermission(permission);
        }
        catch (GuacamoleSecurityException e) {
            // If cannot check due to security restrictions, no permission
            return false;
        }
    }
    /**
     * Checks whether the given user has permission to perform the given
     * object operation. Security exceptions are handled appropriately - only
@@ -148,10 +117,6 @@ public class List extends AuthenticatingHttpServlet {
            xml.writeStartDocument();
            xml.writeStartElement("connections");
            // Save connection create permission attribute
            if (hasConfigPermission(self, SystemPermission.Type.CREATE))
                xml.writeAttribute("create", "yes");
            // For each entry, write corresponding connection element
            for (String identifier : directory.getIdentifiers()) {
@@ -164,22 +129,10 @@ public class List extends AuthenticatingHttpServlet {
                xml.writeAttribute("protocol",
                        connection.getConfiguration().getProtocol());
-                // Save admin permission attribute
+                // If update permission available, include parameters
                if (hasConfigPermission(self, ObjectPermission.Type.ADMINISTER,
                        identifier))
                    xml.writeAttribute("admin", "yes");
                // Save delete permission attribute
                if (hasConfigPermission(self, ObjectPermission.Type.DELETE,
                        identifier))
                    xml.writeAttribute("delete", "yes");
                // Save update permission attribute, include parameters
                if (hasConfigPermission(self, ObjectPermission.Type.UPDATE,
                        identifier)) {
                    xml.writeAttribute("update", "yes");
                    // As update permission is present, also list parameters
                    GuacamoleConfiguration config = connection.getConfiguration();
                    for (String name : config.getParameterNames()) {
--- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/permissions/List.java
+++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/permissions/List.java
@@ -30,12 +30,10 @@ import net.sourceforge.guacamole.GuacamoleSecurityException;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.User;
 import net.sourceforge.guacamole.net.auth.UserContext;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionDirectoryPermission;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionPermission;
 import net.sourceforge.guacamole.net.auth.permission.ObjectPermission;
 import net.sourceforge.guacamole.net.auth.permission.Permission;
 import net.sourceforge.guacamole.net.auth.permission.SystemPermission;
 import net.sourceforge.guacamole.net.auth.permission.UserDirectoryPermission;
 import net.sourceforge.guacamole.net.auth.permission.UserPermission;
 import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet;
@@ -61,7 +59,9 @@ public class List extends AuthenticatingHttpServlet {
        throws GuacamoleException {
        switch (type) {
-            case CREATE: return "create";
+            case CREATE_USER:       return "create-user";
            case CREATE_CONNECTION: return "create-connection";
            case ADMINISTER:        return "admin";
        }
        throw new GuacamoleException("Unknown permission type: " + type);
@@ -136,16 +136,15 @@ public class List extends AuthenticatingHttpServlet {
            // For each entry, write corresponding user element
            for (Permission permission : user.getPermissions()) {
-                // Config directory permission
+                // System permission
-                if (permission instanceof ConnectionDirectoryPermission) {
+                if (permission instanceof SystemPermission) {
                    // Get permission
-                    ConnectionDirectoryPermission cdp =
+                    SystemPermission sp = (SystemPermission) permission;
                            (ConnectionDirectoryPermission) permission;
                    // Write permission
-                    xml.writeEmptyElement("connections");
+                    xml.writeEmptyElement("system");
-                    xml.writeAttribute("type", toString(cdp.getType()));
+                    xml.writeAttribute("type", toString(sp.getType()));
                }
@@ -163,19 +162,6 @@ public class List extends AuthenticatingHttpServlet {
                }
                // User directory permission
                else if (permission instanceof UserDirectoryPermission) {
                    // Get permission
                    UserDirectoryPermission udp =
                            (UserDirectoryPermission) permission;
                    // Write permission
                    xml.writeEmptyElement("users");
                    xml.writeAttribute("type", toString(udp.getType()));
                }
                // User permission
                else if (permission instanceof UserPermission) {
--- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/List.java
+++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/List.java
@@ -31,11 +31,6 @@ import net.sourceforge.guacamole.GuacamoleSecurityException;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.User;
 import net.sourceforge.guacamole.net.auth.UserContext;
 import net.sourceforge.guacamole.net.auth.permission.ObjectPermission;
 import net.sourceforge.guacamole.net.auth.permission.Permission;
 import net.sourceforge.guacamole.net.auth.permission.SystemPermission;
 import net.sourceforge.guacamole.net.auth.permission.UserDirectoryPermission;
 import net.sourceforge.guacamole.net.auth.permission.UserPermission;
 import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet;
 /**
@@ -45,65 +40,6 @@ import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet;
 */
 public class List extends AuthenticatingHttpServlet {
    /**
     * Checks whether the given user has permission to perform the given
     * system operation. Security exceptions are handled appropriately - only
     * non-security exceptions pass through.
     *
     * @param user The user whose permissions should be verified.
     * @param type The type of operation to check for permission for.
     * @return true if permission is granted, false otherwise.
     *
     * @throws GuacamoleException If an error occurs while checking permissions.
     */
    private boolean hasUserPermission(User user, SystemPermission.Type type)
    throws GuacamoleException {
        // Build permission
        Permission permission = new UserDirectoryPermission(type);
        try {
            // Return result of permission check, if possible
            return user.hasPermission(permission);
        }
        catch (GuacamoleSecurityException e) {
            // If cannot check due to security restrictions, no permission
            return false;
        }
    }
    /**
     * Checks whether the given user has permission to perform the given
     * object operation. Security exceptions are handled appropriately - only
     * non-security exceptions pass through.
     *
     * @param user The user whose permissions should be verified.
     * @param type The type of operation to check for permission for.
     * @param identifier The identifier of the user the operation would be
     *                   performed upon.
     * @return true if permission is granted, false otherwise.
     *
     * @throws GuacamoleException If an error occurs while checking permissions.
     */
    private boolean hasUserPermission(User user, ObjectPermission.Type type,
            String identifier)
    throws GuacamoleException {
        // Build permission
        Permission permission = new UserPermission(type, identifier);
        try {
            // Return result of permission check, if possible
            return user.hasPermission(permission);
        }
        catch (GuacamoleSecurityException e) {
            // If cannot check due to security restrictions, no permission
            return false;
        }
    }
    @Override
    protected void authenticatedService(
            UserContext context,
@@ -135,10 +71,6 @@ public class List extends AuthenticatingHttpServlet {
            xml.writeStartDocument();
            xml.writeStartElement("users");
            // Save user create permission attribute
            if (hasUserPermission(self, SystemPermission.Type.CREATE))
                xml.writeAttribute("create", "yes");
            // For each entry, write corresponding user element
            for (String username : users) {
@@ -149,21 +81,6 @@ public class List extends AuthenticatingHttpServlet {
                xml.writeEmptyElement("user");
                xml.writeAttribute("name", user.getUsername());
                // Save update permission attribute
                if (hasUserPermission(self, ObjectPermission.Type.UPDATE,
                        user.getUsername()))
                    xml.writeAttribute("update", "yes");
                // Save admin permission attribute
                if (hasUserPermission(self, ObjectPermission.Type.ADMINISTER,
                        user.getUsername()))
                    xml.writeAttribute("admin", "yes");
                // Save delete permission attribute
                if (hasUserPermission(self, ObjectPermission.Type.DELETE,
                        user.getUsername()))
                    xml.writeAttribute("delete", "yes");
            }
            // End document
--- a/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/Update.java
+++ b/guacamole/src/main/java/net/sourceforge/guacamole/net/basic/crud/users/Update.java
@@ -26,12 +26,10 @@ import net.sourceforge.guacamole.GuacamoleException;
 import net.sourceforge.guacamole.net.auth.Directory;
 import net.sourceforge.guacamole.net.auth.User;
 import net.sourceforge.guacamole.net.auth.UserContext;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionDirectoryPermission;
 import net.sourceforge.guacamole.net.auth.permission.ConnectionPermission;
 import net.sourceforge.guacamole.net.auth.permission.ObjectPermission;
 import net.sourceforge.guacamole.net.auth.permission.Permission;
 import net.sourceforge.guacamole.net.auth.permission.SystemPermission;
 import net.sourceforge.guacamole.net.auth.permission.UserDirectoryPermission;
 import net.sourceforge.guacamole.net.auth.permission.UserPermission;
 import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet;
@@ -43,9 +41,19 @@ import net.sourceforge.guacamole.net.basic.AuthenticatingHttpServlet;
 public class Update extends AuthenticatingHttpServlet {
    /**
-     * String given for directory creation permission.
+     * String given for user creation permission.
     */
-    private static final String CREATE_PERMISSION = "create";
+    private static final String CREATE_USER_PERMISSION = "create-user";
    /**
     * String given for connection creation permission.
     */
    private static final String CREATE_CONNECTION_PERMISSION = "create-connection";
    /**
     * String given for system administration permission.
     */
    private static final String ADMIN_PERMISSION = "admin";
    /**
     * Prefix given before an object identifier for read permission.
@@ -67,6 +75,32 @@ public class Update extends AuthenticatingHttpServlet {
     */
    private static final String ADMIN_PREFIX  = "admin:";
    /**
     * Given a permission string, returns the corresponding system permission.
     *
     * @param str The permission string to parse.
     * @return The parsed system permission.
     * @throws GuacamoleException If the given string could not be parsed.
     */
    private Permission parseSystemPermission(String str)
            throws GuacamoleException {
        // Create user 
        if (str.startsWith(CREATE_USER_PERMISSION))
            return new SystemPermission(SystemPermission.Type.CREATE_USER);
        // Create connection 
        if (str.startsWith(CREATE_CONNECTION_PERMISSION))
            return new SystemPermission(SystemPermission.Type.CREATE_CONNECTION);
        // Administration
        if (str.startsWith(ADMIN_PERMISSION))
            return new SystemPermission(SystemPermission.Type.ADMINISTER);
        throw new GuacamoleException("Invalid permission string.");
    }
    /**
     * Given a permission string, returns the corresponding user permission.
     *
@@ -77,10 +111,6 @@ public class Update extends AuthenticatingHttpServlet {
    private Permission parseUserPermission(String str)
            throws GuacamoleException {
        // Create permission
        if (str.equals(CREATE_PERMISSION))
            return new UserDirectoryPermission(SystemPermission.Type.CREATE);
        // Read
        if (str.startsWith(READ_PREFIX))
            return new UserPermission(ObjectPermission.Type.READ,
@@ -116,10 +146,6 @@ public class Update extends AuthenticatingHttpServlet {
    private Permission parseConnectionPermission(String str)
            throws GuacamoleException {
        // Create permission
        if (str.equals(CREATE_PERMISSION))
            return new ConnectionDirectoryPermission(SystemPermission.Type.CREATE);
        // Read
        if (str.startsWith(READ_PREFIX))
            return new ConnectionPermission(ObjectPermission.Type.READ,
@@ -166,28 +192,50 @@ public class Update extends AuthenticatingHttpServlet {
            if (password != null)
                user.setPassword(password);
-            // Set user permissions
+            /*
             * NEW PERMISSIONS
             */
            // Set added system permissions
            String[] add_sys_permission = request.getParameterValues("+sys");
            if (add_sys_permission != null) {
                for (String str : add_sys_permission)
                    user.addPermission(parseSystemPermission(str));
            }
            // Set added user permissions
            String[] add_user_permission = request.getParameterValues("+user");
            if (add_user_permission != null) {
                for (String str : add_user_permission)
                    user.addPermission(parseUserPermission(str));
            }
-            // Set connection permissions
+            // Set added connection permissions
            String[] add_connection_permission = request.getParameterValues("+connection");
            if (add_connection_permission != null) {
                for (String str : add_connection_permission)
                    user.addPermission(parseConnectionPermission(str));
            }
-            // Set user permissions
+            /*
             * REMOVED PERMISSIONS
             */
            // Unset removed system permissions
            String[] remove_sys_permission = request.getParameterValues("-sys");
            if (remove_sys_permission != null) {
                for (String str : remove_sys_permission)
                    user.removePermission(parseSystemPermission(str));
            }
            // Unset removed user permissions
            String[] remove_user_permission = request.getParameterValues("-user");
            if (remove_user_permission != null) {
                for (String str : remove_user_permission)
                    user.removePermission(parseUserPermission(str));
            }
-            // Set connection permissions
+            // Unset removed connection permissions
            String[] remove_connection_permission = request.getParameterValues("-connection");
            if (remove_connection_permission != null) {
                for (String str : remove_connection_permission)
--- a/guacamole/src/main/webapp/scripts/service.js
+++ b/guacamole/src/main/webapp/scripts/service.js
@@ -117,6 +117,11 @@ GuacamoleService.PermissionSet = function() {
     */
    this.create_connection = false;
    /**
     * Whether permission to administer the system in general is granted.
     */
    this.administer = false;
    /**
     * Object with a property entry for each readable user.
     */
@@ -416,9 +421,10 @@ GuacamoleService.Users = {
        var name;
-        // Creation permissions
+        // System permissions
-        if (permissions_added.create_user)       data += "&%2Buser=create";
+        if (permissions_added.create_user)       data += "&%2Bsys=create-user";
-        if (permissions_added.create_connection) data += "&%2Bconnection=create";
+        if (permissions_added.create_connection) data += "&%2Bsys=create-connection";
        if (permissions_added.administer)        data += "&%2Bsys=admin";
        // User permissions 
        for (name in permissions_added.read_user)
@@ -441,8 +447,9 @@ GuacamoleService.Users = {
            data += "&%2Bconnection=delete:" + encodeURIComponent(name);
        // Creation permissions
-        if (permissions_removed.create_user)       data += "&-user=create";
+        if (permissions_removed.create_user)       data += "&-sys=create-user";
-        if (permissions_removed.create_connection) data += "&-connection=create";
+        if (permissions_removed.create_connection) data += "&-sys=create-connection";
        if (permissions_removed.administer)        data += "&-sys=admin";
        // User permissions 
        for (name in permissions_removed.read_user)
@@ -574,19 +581,29 @@ GuacamoleService.Permissions = {
        var i, type, name;
        var permissions = new GuacamoleService.PermissionSet();
-        // Read connections permissions
+        // Read system permissions
-        var connectionsElements = xhr.responseXML.getElementsByTagName("connections");
+        var connectionsElements = xhr.responseXML.getElementsByTagName("system");
        for (i=0; i<connectionsElements.length; i++) {
            // Get type
            type = connectionsElements[i].getAttribute("type");
            switch (type) {
-                // Create permission
+                // Create connection permission
-                case "create":
+                case "create-connection":
                    permissions.create_connection = true;
                    break;
                // Create user permission
                case "create-user":
                    permissions.create_user = true;
                    break;
                // System admin permission
                case "admin":
                    permissions.administer = true;
                    break;
            }
        }
@@ -625,23 +642,6 @@ GuacamoleService.Permissions = {
        }
        // Read users permissions
        var usersElements = xhr.responseXML.getElementsByTagName("users");
        for (i=0; i<usersElements.length; i++) {
            // Get type
            type = usersElements[i].getAttribute("type");
            switch (type) {
                // Create permission
                case "create":
                    permissions.create_user = true;
                    break;
            }
        }
        // Read user permissions
        var userElements = xhr.responseXML.getElementsByTagName("user");
        for (i=0; i<userElements.length; i++) {