safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-07 13:41:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-292: Require ADMINISTER permission to get/set attributes which control scheduled access.

Browse Source
This commit is contained in:
Michael Jumper
2017-02-21 23:54:32 -08:00
parent 0a4b1f33da
commit ae7c792d10
2 changed files with 95 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
View File

@@ -176,6 +176,34 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
@Inject @Inject
private UserPermissionService userPermissionService; private UserPermissionService userPermissionService;
/**
* Whether attributes which control access restrictions should be exposed
* via getAttributes() or allowed to be set via setAttributes().
*/
private boolean exposeRestrictedAttributes = false;
/**
* Initializes this ModeledUser, associating it with the current
* authenticated user and populating it with data from the given user
* model.
*
* @param currentUser
* The user that created or retrieved this object.
*
* @param model
* The backing model object.
*
* @param exposeRestrictedAttributes
* Whether attributes which control access restrictions should be
* exposed via getAttributes() or allowed to be set via
* setAttributes().
*/
public void init(ModeledAuthenticatedUser currentUser, UserModel model,
boolean exposeRestrictedAttributes) {
super.init(currentUser, model);
this.exposeRestrictedAttributes = exposeRestrictedAttributes;
}
/** /**
* The plaintext password previously set by a call to setPassword(), if * The plaintext password previously set by a call to setPassword(), if
* any. The password of a user cannot be retrieved once saved into the * any. The password of a user cannot be retrieved once saved into the
@@ -309,10 +337,16 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
return userPermissionService.getPermissionSet(getCurrentUser(), this); return userPermissionService.getPermissionSet(getCurrentUser(), this);
} }
@Override /**
public Map<String, String> getAttributes() { * Stores all restricted (privileged) attributes within the given Map,
* pulling the values of those attributes from the underlying user model.
Map<String, String> attributes = new HashMap<String, String>(); * If no value is yet defined for an attribute, that attribute will be set
* to null.
*
* @param attributes
* The Map to store all restricted attributes within.
*/
private void putRestrictedAttributes(Map<String, String> attributes) {
// Set disabled attribute // Set disabled attribute
attributes.put(DISABLED_ATTRIBUTE_NAME, getModel().isDisabled() ? "true" : null); attributes.put(DISABLED_ATTRIBUTE_NAME, getModel().isDisabled() ? "true" : null);
@@ -335,7 +369,6 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
// Set timezone attribute // Set timezone attribute
attributes.put(TIMEZONE_ATTRIBUTE_NAME, getModel().getTimeZone()); attributes.put(TIMEZONE_ATTRIBUTE_NAME, getModel().getTimeZone());
return attributes;
} }
/** /**
@@ -396,8 +429,14 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
} }
@Override /**
public void setAttributes(Map<String, String> attributes) { * Stores all restricted (privileged) attributes within the underlying user
* model, pulling the values of those attributes from the given Map.
*
* @param attributes
* The Map to pull all restricted attributes from.
*/
private void setRestrictedAttributes(Map<String, String> attributes) {
// Translate disabled attribute // Translate disabled attribute
getModel().setDisabled("true".equals(attributes.get(DISABLED_ATTRIBUTE_NAME))); getModel().setDisabled("true".equals(attributes.get(DISABLED_ATTRIBUTE_NAME)));
@@ -438,6 +477,27 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
} }
@Override
public Map<String, String> getAttributes() {
Map<String, String> attributes = new HashMap<String, String>();
// Include restricted attributes only if they should be exposed
if (exposeRestrictedAttributes)
putRestrictedAttributes(attributes);
return attributes;
}
@Override
public void setAttributes(Map<String, String> attributes) {
// Assign restricted attributes only if they are exposed
if (exposeRestrictedAttributes)
setRestrictedAttributes(attributes);
}
/** /**
* Returns the time zone associated with this user. This time zone must be * Returns the time zone associated with this user. This time zone must be
* used when interpreting all date/time restrictions related to this user. * used when interpreting all date/time restrictions related to this user.

32
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
View File

@@ -147,15 +147,35 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
@Override @Override
protected ModeledUser getObjectInstance(ModeledAuthenticatedUser currentUser, protected ModeledUser getObjectInstance(ModeledAuthenticatedUser currentUser,
UserModel model) { UserModel model) throws GuacamoleException {
boolean exposeRestrictedAttributes;
// Expose restricted attributes if the user does not yet exist
if (model.getObjectID() == null)
exposeRestrictedAttributes = true;
// Otherwise, if the user permissions are available, expose restricted
// attributes only if the user has ADMINISTER permission
else if (currentUser != null)
exposeRestrictedAttributes = hasObjectPermission(currentUser,
model.getIdentifier(), ObjectPermission.Type.ADMINISTER);
// If user permissions are not available, do not expose anything
else
exposeRestrictedAttributes = false;
// Produce ModeledUser exposing only those attributes for which the
// current user has permission
ModeledUser user = userProvider.get(); ModeledUser user = userProvider.get();
user.init(currentUser, model); user.init(currentUser, model, exposeRestrictedAttributes);
return user; return user;
} }
@Override @Override
protected UserModel getModelInstance(ModeledAuthenticatedUser currentUser, protected UserModel getModelInstance(ModeledAuthenticatedUser currentUser,
final User object) { final User object) throws GuacamoleException {
// Create new ModeledUser backed by blank model // Create new ModeledUser backed by blank model
UserModel model = new UserModel(); UserModel model = new UserModel();
@@ -362,9 +382,13 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
* @return * @return
* The ModeledUser which corresponds to the given AuthenticatedUser, or * The ModeledUser which corresponds to the given AuthenticatedUser, or
* null if no such user exists. * null if no such user exists.
*
* @throws GuacamoleException
* If a ModeledUser object for the user corresponding to the given
* AuthenticatedUser cannot be created.
*/ */
public ModeledUser retrieveUser(AuthenticationProvider authenticationProvider, public ModeledUser retrieveUser(AuthenticationProvider authenticationProvider,
AuthenticatedUser authenticatedUser) { AuthenticatedUser authenticatedUser) throws GuacamoleException {
// If we already queried this user, return that rather than querying again // If we already queried this user, return that rather than querying again
if (authenticatedUser instanceof ModeledAuthenticatedUser) if (authenticatedUser instanceof ModeledAuthenticatedUser)