safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 05:07:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUAC-1132: Rename DirectoryObject to ModeledDirectoryObject.

Browse Source
This commit is contained in:
Michael Jumper
2015-03-20 16:28:54 -07:00
parent 55fb19c87b
commit c2bffcba23
16 changed files with 543 additions and 542 deletions
Download Patch File Download Diff File Expand all files Collapse all files

432
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/DirectoryObjectService.java
View File

@@ -22,23 +22,16 @@
package org.glyptodon.guacamole.auth.jdbc.base;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionModel;
import org.glyptodon.guacamole.auth.jdbc.user.UserModel;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
/**
* Service which provides convenience methods for creating, retrieving, and
* manipulating objects within directories. This service will automatically
* enforce the permissions of the current user.
* manipulating objects that have unique identifiers, such as the objects
* within directories. This service will automatically enforce the permissions
* of the current user.
*
* @author Michael Jumper
* @param <InternalType>
@@ -48,384 +41,115 @@ import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
* @param <ExternalType>
* The external interface or implementation of the type of object this
* service provides access to, as defined by the guacamole-ext API.
*
* @param <ModelType>
* The underlying model object used to represent InternalType in the
* database.
*/
public abstract class DirectoryObjectService<InternalType extends DirectoryObject<ModelType>,
ExternalType, ModelType extends ObjectModel>
implements IdentifiableObjectService<InternalType, ExternalType> {
public interface DirectoryObjectService<InternalType, ExternalType> {
/**
* All object permissions which are implicitly granted upon creation to the
* creator of the object.
* Retrieves the single object that has the given identifier, if it exists
* and the user has permission to read it.
*
* @param user
* The user retrieving the object.
*
* @param identifier
* The identifier of the object to retrieve.
*
* @return
* The object having the given identifier, or null if no such object
* exists.
*
* @throws GuacamoleException
* If an error occurs while retrieving the requested object.
*/
private static final ObjectPermission.Type[] IMPLICIT_OBJECT_PERMISSIONS = {
ObjectPermission.Type.READ,
ObjectPermission.Type.UPDATE,
ObjectPermission.Type.DELETE,
ObjectPermission.Type.ADMINISTER
};
InternalType retrieveObject(AuthenticatedUser user, String identifier)
throws GuacamoleException;
/**
* Returns an instance of a mapper for the type of object used by this
* service.
*
* @return
* A mapper which provides access to the model objects associated with
* the objects used by this service.
*/
protected abstract DirectoryObjectMapper<ModelType> getObjectMapper();
/**
* Returns an instance of a mapper for the type of permissions that affect
* the type of object used by this service.
*
* @return
* A mapper which provides access to the model objects associated with
* the permissions that affect the objects used by this service.
*/
protected abstract ObjectPermissionMapper getPermissionMapper();
/**
* Returns an instance of an object which is backed by the given model
* object.
*
* @param currentUser
* The user for whom this object is being created.
*
* @param model
* The model object to use to back the returned object.
*
* @return
* An object which is backed by the given model object.
*/
protected abstract InternalType getObjectInstance(AuthenticatedUser currentUser,
ModelType model);
/**
* Returns an instance of a model object which is based on the given
* object.
*
* @param currentUser
* The user for whom this model object is being created.
*
* @param object
* The object to use to produce the returned model object.
*
* @return
* A model object which is based on the given object.
*/
protected abstract ModelType getModelInstance(AuthenticatedUser currentUser,
ExternalType object);
/**
* Returns whether the given user has permission to create the type of
* objects that this directory object service manages.
* Retrieves all objects that have the identifiers in the given collection.
* Only objects that the user has permission to read will be returned.
*
* @param user
* The user being checked.
* The user retrieving the objects.
*
* @param identifiers
* The identifiers of the objects to retrieve.
*
* @return
* true if the user has object creation permission relevant to this
* directory object service, false otherwise.
*
* The objects having the given identifiers.
*
* @throws GuacamoleException
* If permission to read the user's permissions is denied.
* If an error occurs while retrieving the requested objects.
*/
protected abstract boolean hasCreatePermission(AuthenticatedUser user)
throws GuacamoleException;
Collection<InternalType> retrieveObjects(AuthenticatedUser user,
Collection<String> identifiers) throws GuacamoleException;
/**
* Returns whether the given user has permission to perform a certain
* action on a specific object managed by this directory object service.
*
* @param user
* The user being checked.
*
* @param identifier
* The identifier of the object to check.
*
* @param type
* The type of action that will be performed.
*
* @return
* true if the user has object permission relevant described, false
* otherwise.
*
* @throws GuacamoleException
* If permission to read the user's permissions is denied.
*/
protected boolean hasObjectPermission(AuthenticatedUser user,
String identifier, ObjectPermission.Type type)
throws GuacamoleException {
// Get object permissions
ObjectPermissionSet permissionSet = getPermissionSet(user);
// Return whether permission is granted
return user.getUser().isAdministrator()
|| permissionSet.hasPermission(type, identifier);
}
/**
* Returns the permission set associated with the given user and related
* to the type of objects handled by this directory object service.
*
* @param user
* The user whose permissions are being retrieved.
*
* @return
* A permission set which contains the permissions associated with the
* given user and related to the type of objects handled by this
* directory object service.
*
* @throws GuacamoleException
* If permission to read the user's permissions is denied.
*/
protected abstract ObjectPermissionSet getPermissionSet(AuthenticatedUser user)
throws GuacamoleException;
/**
* Returns a collection of objects which are backed by the models in the
* given collection.
*
* @param currentUser
* The user for whom these objects are being created.
*
* @param models
* The model objects to use to back the objects within the returned
* collection.
*
* @return
* A collection of objects which are backed by the models in the given
* collection.
*/
protected Collection<InternalType> getObjectInstances(AuthenticatedUser currentUser,
Collection<ModelType> models) {
// Create new collection of objects by manually converting each model
Collection<InternalType> objects = new ArrayList<InternalType>(models.size());
for (ModelType model : models)
objects.add(getObjectInstance(currentUser, model));
return objects;
}
/**
* Called before any object is created through this directory object
* service. This function serves as a final point of validation before
* the create operation occurs. In its default implementation,
* beforeCreate() performs basic permissions checks.
* Creates the given object. If the object already exists, an error will be
* thrown.
*
* @param user
* The user creating the object.
*
* @param model
* The model of the object being created.
* @param object
* The object to create.
*
* @return
* The newly-created object.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
* If the user lacks permission to create the object, or an error
* occurs while creating the object.
*/
protected void beforeCreate(AuthenticatedUser user,
ModelType model ) throws GuacamoleException {
// Verify permission to create objects
if (!user.getUser().isAdministrator() && !hasCreatePermission(user))
throw new GuacamoleSecurityException("Permission denied.");
}
InternalType createObject(AuthenticatedUser user, ExternalType object)
throws GuacamoleException;
/**
* Called before any object is updated through this directory object
* service. This function serves as a final point of validation before
* the update operation occurs. In its default implementation,
* beforeUpdate() performs basic permissions checks.
* Deletes the object having the given identifier. If no such object
* exists, this function has no effect.
*
* @param user
* The user updating the existing object.
*
* @param model
* The model of the object being updated.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
*/
protected void beforeUpdate(AuthenticatedUser user,
ModelType model) throws GuacamoleException {
// By default, do nothing.
if (!hasObjectPermission(user, model.getIdentifier(), ObjectPermission.Type.UPDATE))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Called before any object is deleted through this directory object
* service. This function serves as a final point of validation before
* the delete operation occurs. In its default implementation,
* beforeDelete() performs basic permissions checks.
*
* @param user
* The user deleting the existing object.
* The user deleting the object.
*
* @param identifier
* The identifier of the object being deleted.
* The identifier of the object to delete.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
* If the user lacks permission to delete the object, or an error
* occurs while deleting the object.
*/
protected void beforeDelete(AuthenticatedUser user,
String identifier) throws GuacamoleException {
// Verify permission to delete objects
if (!hasObjectPermission(user, identifier, ObjectPermission.Type.DELETE))
throw new GuacamoleSecurityException("Permission denied.");
}
@Override
public InternalType retrieveObject(AuthenticatedUser user,
String identifier) throws GuacamoleException {
// Pull objects having given identifier
Collection<InternalType> objects = retrieveObjects(user, Collections.singleton(identifier));
// If no such object, return null
if (objects.isEmpty())
return null;
// The object collection will have exactly one element unless the
// database has seriously lost integrity
assert(objects.size() == 1);
// Return first and only object
return objects.iterator().next();
}
@Override
public Collection<InternalType> retrieveObjects(AuthenticatedUser user,
Collection<String> identifiers) throws GuacamoleException {
// Do not query if no identifiers given
if (identifiers.isEmpty())
return Collections.EMPTY_LIST;
Collection<ModelType> objects;
// Bypass permission checks if the user is a system admin
if (user.getUser().isAdministrator())
objects = getObjectMapper().select(identifiers);
// Otherwise only return explicitly readable identifiers
else
objects = getObjectMapper().selectReadable(user.getUser().getModel(), identifiers);
// Return collection of requested objects
return getObjectInstances(user, objects);
}
void deleteObject(AuthenticatedUser user, String identifier)
throws GuacamoleException;
/**
* Returns a collection of permissions that should be granted due to the
* creation of the given object. These permissions need not be granted
* solely to the user creating the object.
*
* Updates the given object, applying any changes that have been made. If
* no such object exists, this function has no effect.
*
* @param user
* The user creating the object.
*
* @param model
* The object being created.
*
* @return
* The collection of implicit permissions that should be granted due to
* the creation of the given object.
* The user updating the object.
*
* @param object
* The object to update.
*
* @throws GuacamoleException
* If the user lacks permission to update the object, or an error
* occurs while updating the object.
*/
protected Collection<ObjectPermissionModel> getImplicitPermissions(AuthenticatedUser user,
ModelType model) {
// Build list of implicit permissions
Collection<ObjectPermissionModel> implicitPermissions =
new ArrayList<ObjectPermissionModel>(IMPLICIT_OBJECT_PERMISSIONS.length);
void updateObject(AuthenticatedUser user, InternalType object)
throws GuacamoleException;
UserModel userModel = user.getUser().getModel();
for (ObjectPermission.Type permission : IMPLICIT_OBJECT_PERMISSIONS) {
// Create model which grants this permission to the current user
ObjectPermissionModel permissionModel = new ObjectPermissionModel();
permissionModel.setUserID(userModel.getObjectID());
permissionModel.setUsername(userModel.getIdentifier());
permissionModel.setType(permission);
permissionModel.setObjectIdentifier(model.getIdentifier());
// Add permission
implicitPermissions.add(permissionModel);
}
return implicitPermissions;
}
@Override
public InternalType createObject(AuthenticatedUser user, ExternalType object)
throws GuacamoleException {
ModelType model = getModelInstance(user, object);
beforeCreate(user, model);
// Create object
getObjectMapper().insert(model);
// Add implicit permissions
getPermissionMapper().insert(getImplicitPermissions(user, model));
return getObjectInstance(user, model);
}
@Override
public void deleteObject(AuthenticatedUser user, String identifier)
throws GuacamoleException {
beforeDelete(user, identifier);
// Delete object
getObjectMapper().delete(identifier);
}
@Override
public void updateObject(AuthenticatedUser user, InternalType object)
throws GuacamoleException {
ModelType model = object.getModel();
beforeUpdate(user, model);
// Update object
getObjectMapper().update(model);
}
@Override
public Set<String> getIdentifiers(AuthenticatedUser user)
throws GuacamoleException {
// Bypass permission checks if the user is a system admin
if (user.getUser().isAdministrator())
return getObjectMapper().selectIdentifiers();
// Otherwise only return explicitly readable identifiers
else
return getObjectMapper().selectReadableIdentifiers(user.getUser().getModel());
}
/**
* Returns the set of all identifiers for all objects that the user has
* read access to.
*
* @param user
* The user retrieving the identifiers.
*
* @return
* The set of all identifiers for all objects.
*
* @throws GuacamoleException
* If an error occurs while reading identifiers.
*/
Set<String> getIdentifiers(AuthenticatedUser user) throws GuacamoleException;
}

155
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/IdentifiableObjectService.java
View File

@@ -1,155 +0,0 @@
/*
* Copyright (C) 2013 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.base;
import java.util.Collection;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.GuacamoleException;
/**
* Service which provides convenience methods for creating, retrieving, and
* manipulating objects that have unique identifiers, such as the objects
* within directories. This service will automatically enforce the permissions
* of the current user.
*
* @author Michael Jumper
* @param <InternalType>
* The specific internal implementation of the type of object this service
* provides access to.
*
* @param <ExternalType>
* The external interface or implementation of the type of object this
* service provides access to, as defined by the guacamole-ext API.
*/
public interface IdentifiableObjectService<InternalType, ExternalType> {
/**
* Retrieves the single object that has the given identifier, if it exists
* and the user has permission to read it.
*
* @param user
* The user retrieving the object.
*
* @param identifier
* The identifier of the object to retrieve.
*
* @return
* The object having the given identifier, or null if no such object
* exists.
*
* @throws GuacamoleException
* If an error occurs while retrieving the requested object.
*/
InternalType retrieveObject(AuthenticatedUser user, String identifier)
throws GuacamoleException;
/**
* Retrieves all objects that have the identifiers in the given collection.
* Only objects that the user has permission to read will be returned.
*
* @param user
* The user retrieving the objects.
*
* @param identifiers
* The identifiers of the objects to retrieve.
*
* @return
* The objects having the given identifiers.
*
* @throws GuacamoleException
* If an error occurs while retrieving the requested objects.
*/
Collection<InternalType> retrieveObjects(AuthenticatedUser user,
Collection<String> identifiers) throws GuacamoleException;
/**
* Creates the given object. If the object already exists, an error will be
* thrown.
*
* @param user
* The user creating the object.
*
* @param object
* The object to create.
*
* @return
* The newly-created object.
*
* @throws GuacamoleException
* If the user lacks permission to create the object, or an error
* occurs while creating the object.
*/
InternalType createObject(AuthenticatedUser user, ExternalType object)
throws GuacamoleException;
/**
* Deletes the object having the given identifier. If no such object
* exists, this function has no effect.
*
* @param user
* The user deleting the object.
*
* @param identifier
* The identifier of the object to delete.
*
* @throws GuacamoleException
* If the user lacks permission to delete the object, or an error
* occurs while deleting the object.
*/
void deleteObject(AuthenticatedUser user, String identifier)
throws GuacamoleException;
/**
* Updates the given object, applying any changes that have been made. If
* no such object exists, this function has no effect.
*
* @param user
* The user updating the object.
*
* @param object
* The object to update.
*
* @throws GuacamoleException
* If the user lacks permission to update the object, or an error
* occurs while updating the object.
*/
void updateObject(AuthenticatedUser user, InternalType object)
throws GuacamoleException;
/**
* Returns the set of all identifiers for all objects that the user has
* read access to.
*
* @param user
* The user retrieving the identifiers.
*
* @return
* The set of all identifiers for all objects.
*
* @throws GuacamoleException
* If an error occurs while reading identifiers.
*/
Set<String> getIdentifiers(AuthenticatedUser user) throws GuacamoleException;
}

7
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/DirectoryObject.java → extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/ModeledDirectoryObject.java
View File

@@ -26,14 +26,15 @@ import org.glyptodon.guacamole.net.auth.Identifiable;
/**
* Common base class for objects that will ultimately be made available through
* the Directory class. All such objects will need the same base set of queries
* to fulfill the needs of the Directory class.
* the Directory class and are persisted to an underlying database model. All
* such objects will need the same base set of queries to fulfill the needs of
* the Directory class.
*
* @author Michael Jumper
* @param <ModelType>
* The type of model object that corresponds to this object.
*/
public abstract class DirectoryObject<ModelType extends ObjectModel>
public abstract class ModeledDirectoryObject<ModelType extends ObjectModel>
extends ModeledObject<ModelType> implements Identifiable {
@Override

2
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/DirectoryObjectMapper.java → extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/ModeledDirectoryObjectMapper.java
View File

@@ -37,7 +37,7 @@ import org.apache.ibatis.annotations.Param;
* The type of object contained within the directory whose objects are
* mapped by this mapper.
*/
public interface DirectoryObjectMapper<ModelType> {
public interface ModeledDirectoryObjectMapper<ModelType> {
/**
* Selects the identifiers of all objects, regardless of whether they

431
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java Normal file
View File

@@ -0,0 +1,431 @@
/*
* Copyright (C) 2013 Glyptodon LLC
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package org.glyptodon.guacamole.auth.jdbc.base;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionModel;
import org.glyptodon.guacamole.auth.jdbc.user.UserModel;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
/**
* Service which provides convenience methods for creating, retrieving, and
* manipulating objects within directories. This service will automatically
* enforce the permissions of the current user.
*
* @author Michael Jumper
* @param <InternalType>
* The specific internal implementation of the type of object this service
* provides access to.
*
* @param <ExternalType>
* The external interface or implementation of the type of object this
* service provides access to, as defined by the guacamole-ext API.
*
* @param <ModelType>
* The underlying model object used to represent InternalType in the
* database.
*/
public abstract class ModeledDirectoryObjectService<InternalType extends ModeledDirectoryObject<ModelType>,
ExternalType, ModelType extends ObjectModel>
implements DirectoryObjectService<InternalType, ExternalType> {
/**
* All object permissions which are implicitly granted upon creation to the
* creator of the object.
*/
private static final ObjectPermission.Type[] IMPLICIT_OBJECT_PERMISSIONS = {
ObjectPermission.Type.READ,
ObjectPermission.Type.UPDATE,
ObjectPermission.Type.DELETE,
ObjectPermission.Type.ADMINISTER
};
/**
* Returns an instance of a mapper for the type of object used by this
* service.
*
* @return
* A mapper which provides access to the model objects associated with
* the objects used by this service.
*/
protected abstract ModeledDirectoryObjectMapper<ModelType> getObjectMapper();
/**
* Returns an instance of a mapper for the type of permissions that affect
* the type of object used by this service.
*
* @return
* A mapper which provides access to the model objects associated with
* the permissions that affect the objects used by this service.
*/
protected abstract ObjectPermissionMapper getPermissionMapper();
/**
* Returns an instance of an object which is backed by the given model
* object.
*
* @param currentUser
* The user for whom this object is being created.
*
* @param model
* The model object to use to back the returned object.
*
* @return
* An object which is backed by the given model object.
*/
protected abstract InternalType getObjectInstance(AuthenticatedUser currentUser,
ModelType model);
/**
* Returns an instance of a model object which is based on the given
* object.
*
* @param currentUser
* The user for whom this model object is being created.
*
* @param object
* The object to use to produce the returned model object.
*
* @return
* A model object which is based on the given object.
*/
protected abstract ModelType getModelInstance(AuthenticatedUser currentUser,
ExternalType object);
/**
* Returns whether the given user has permission to create the type of
* objects that this directory object service manages.
*
* @param user
* The user being checked.
*
* @return
* true if the user has object creation permission relevant to this
* directory object service, false otherwise.
*
* @throws GuacamoleException
* If permission to read the user's permissions is denied.
*/
protected abstract boolean hasCreatePermission(AuthenticatedUser user)
throws GuacamoleException;
/**
* Returns whether the given user has permission to perform a certain
* action on a specific object managed by this directory object service.
*
* @param user
* The user being checked.
*
* @param identifier
* The identifier of the object to check.
*
* @param type
* The type of action that will be performed.
*
* @return
* true if the user has object permission relevant described, false
* otherwise.
*
* @throws GuacamoleException
* If permission to read the user's permissions is denied.
*/
protected boolean hasObjectPermission(AuthenticatedUser user,
String identifier, ObjectPermission.Type type)
throws GuacamoleException {
// Get object permissions
ObjectPermissionSet permissionSet = getPermissionSet(user);
// Return whether permission is granted
return user.getUser().isAdministrator()
|| permissionSet.hasPermission(type, identifier);
}
/**
* Returns the permission set associated with the given user and related
* to the type of objects handled by this directory object service.
*
* @param user
* The user whose permissions are being retrieved.
*
* @return
* A permission set which contains the permissions associated with the
* given user and related to the type of objects handled by this
* directory object service.
*
* @throws GuacamoleException
* If permission to read the user's permissions is denied.
*/
protected abstract ObjectPermissionSet getPermissionSet(AuthenticatedUser user)
throws GuacamoleException;
/**
* Returns a collection of objects which are backed by the models in the
* given collection.
*
* @param currentUser
* The user for whom these objects are being created.
*
* @param models
* The model objects to use to back the objects within the returned
* collection.
*
* @return
* A collection of objects which are backed by the models in the given
* collection.
*/
protected Collection<InternalType> getObjectInstances(AuthenticatedUser currentUser,
Collection<ModelType> models) {
// Create new collection of objects by manually converting each model
Collection<InternalType> objects = new ArrayList<InternalType>(models.size());
for (ModelType model : models)
objects.add(getObjectInstance(currentUser, model));
return objects;
}
/**
* Called before any object is created through this directory object
* service. This function serves as a final point of validation before
* the create operation occurs. In its default implementation,
* beforeCreate() performs basic permissions checks.
*
* @param user
* The user creating the object.
*
* @param model
* The model of the object being created.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
*/
protected void beforeCreate(AuthenticatedUser user,
ModelType model ) throws GuacamoleException {
// Verify permission to create objects
if (!user.getUser().isAdministrator() && !hasCreatePermission(user))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Called before any object is updated through this directory object
* service. This function serves as a final point of validation before
* the update operation occurs. In its default implementation,
* beforeUpdate() performs basic permissions checks.
*
* @param user
* The user updating the existing object.
*
* @param model
* The model of the object being updated.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
*/
protected void beforeUpdate(AuthenticatedUser user,
ModelType model) throws GuacamoleException {
// By default, do nothing.
if (!hasObjectPermission(user, model.getIdentifier(), ObjectPermission.Type.UPDATE))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Called before any object is deleted through this directory object
* service. This function serves as a final point of validation before
* the delete operation occurs. In its default implementation,
* beforeDelete() performs basic permissions checks.
*
* @param user
* The user deleting the existing object.
*
* @param identifier
* The identifier of the object being deleted.
*
* @throws GuacamoleException
* If the object is invalid, or an error prevents validating the given
* object.
*/
protected void beforeDelete(AuthenticatedUser user,
String identifier) throws GuacamoleException {
// Verify permission to delete objects
if (!hasObjectPermission(user, identifier, ObjectPermission.Type.DELETE))
throw new GuacamoleSecurityException("Permission denied.");
}
@Override
public InternalType retrieveObject(AuthenticatedUser user,
String identifier) throws GuacamoleException {
// Pull objects having given identifier
Collection<InternalType> objects = retrieveObjects(user, Collections.singleton(identifier));
// If no such object, return null
if (objects.isEmpty())
return null;
// The object collection will have exactly one element unless the
// database has seriously lost integrity
assert(objects.size() == 1);
// Return first and only object
return objects.iterator().next();
}
@Override
public Collection<InternalType> retrieveObjects(AuthenticatedUser user,
Collection<String> identifiers) throws GuacamoleException {
// Do not query if no identifiers given
if (identifiers.isEmpty())
return Collections.EMPTY_LIST;
Collection<ModelType> objects;
// Bypass permission checks if the user is a system admin
if (user.getUser().isAdministrator())
objects = getObjectMapper().select(identifiers);
// Otherwise only return explicitly readable identifiers
else
objects = getObjectMapper().selectReadable(user.getUser().getModel(), identifiers);
// Return collection of requested objects
return getObjectInstances(user, objects);
}
/**
* Returns a collection of permissions that should be granted due to the
* creation of the given object. These permissions need not be granted
* solely to the user creating the object.
*
* @param user
* The user creating the object.
*
* @param model
* The object being created.
*
* @return
* The collection of implicit permissions that should be granted due to
* the creation of the given object.
*/
protected Collection<ObjectPermissionModel> getImplicitPermissions(AuthenticatedUser user,
ModelType model) {
// Build list of implicit permissions
Collection<ObjectPermissionModel> implicitPermissions =
new ArrayList<ObjectPermissionModel>(IMPLICIT_OBJECT_PERMISSIONS.length);
UserModel userModel = user.getUser().getModel();
for (ObjectPermission.Type permission : IMPLICIT_OBJECT_PERMISSIONS) {
// Create model which grants this permission to the current user
ObjectPermissionModel permissionModel = new ObjectPermissionModel();
permissionModel.setUserID(userModel.getObjectID());
permissionModel.setUsername(userModel.getIdentifier());
permissionModel.setType(permission);
permissionModel.setObjectIdentifier(model.getIdentifier());
// Add permission
implicitPermissions.add(permissionModel);
}
return implicitPermissions;
}
@Override
public InternalType createObject(AuthenticatedUser user, ExternalType object)
throws GuacamoleException {
ModelType model = getModelInstance(user, object);
beforeCreate(user, model);
// Create object
getObjectMapper().insert(model);
// Add implicit permissions
getPermissionMapper().insert(getImplicitPermissions(user, model));
return getObjectInstance(user, model);
}
@Override
public void deleteObject(AuthenticatedUser user, String identifier)
throws GuacamoleException {
beforeDelete(user, identifier);
// Delete object
getObjectMapper().delete(identifier);
}
@Override
public void updateObject(AuthenticatedUser user, InternalType object)
throws GuacamoleException {
ModelType model = object.getModel();
beforeUpdate(user, model);
// Update object
getObjectMapper().update(model);
}
@Override
public Set<String> getIdentifiers(AuthenticatedUser user)
throws GuacamoleException {
// Bypass permission checks if the user is a system admin
if (user.getUser().isAdministrator())
return getObjectMapper().selectIdentifiers();
// Otherwise only return explicitly readable identifiers
else
return getObjectMapper().selectReadableIdentifiers(user.getUser().getModel());
}
}

4
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObject.java → extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObject.java
View File

@@ -33,8 +33,8 @@ import org.glyptodon.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
* @param <ModelType>
* The type of model object that corresponds to this object.
*/
public abstract class GroupedDirectoryObject<ModelType extends GroupedObjectModel>
extends DirectoryObject<ModelType> {
public abstract class ModeledGroupedDirectoryObject<ModelType extends GroupedObjectModel>
extends ModeledDirectoryObject<ModelType> {
/**
* Returns the identifier of the parent connection group, which cannot be

4
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObjectService.java → extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/ModeledGroupedDirectoryObjectService.java
View File

@@ -49,9 +49,9 @@ import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
* The underlying model object used to represent InternalType in the
* database.
*/
public abstract class GroupedDirectoryObjectService<InternalType extends GroupedDirectoryObject<ModelType>,
public abstract class ModeledGroupedDirectoryObjectService<InternalType extends ModeledGroupedDirectoryObject<ModelType>,
ExternalType, ModelType extends GroupedObjectModel>
extends DirectoryObjectService<InternalType, ExternalType, ModelType> {
extends ModeledDirectoryObjectService<InternalType, ExternalType, ModelType> {
/**
* Returns the set of parent connection groups that are modified by the

4
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionMapper.java
View File

@@ -23,7 +23,7 @@
package org.glyptodon.guacamole.auth.jdbc.connection;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.user.UserModel;
import org.apache.ibatis.annotations.Param;
@@ -32,7 +32,7 @@ import org.apache.ibatis.annotations.Param;
*
* @author Michael Jumper
*/
public interface ConnectionMapper extends DirectoryObjectMapper<ConnectionModel> {
public interface ConnectionMapper extends ModeledDirectoryObjectMapper<ConnectionModel> {
/**
* Selects the identifiers of all connections within the given parent

8
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java
View File

@@ -32,12 +32,12 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.net.GuacamoleTunnel;
@@ -55,7 +55,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
*
* @author Michael Jumper, James Muehlner
*/
public class ConnectionService extends GroupedDirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {
public class ConnectionService extends ModeledGroupedDirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {
/**
* Mapper for accessing connections.
@@ -94,7 +94,7 @@ public class ConnectionService extends GroupedDirectoryObjectService<ModeledConn
private GuacamoleTunnelService tunnelService;
@Override
protected DirectoryObjectMapper<ConnectionModel> getObjectMapper() {
protected ModeledDirectoryObjectMapper<ConnectionModel> getObjectMapper() {
return connectionMapper;
}

4
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ModeledConnection.java
View File

@@ -27,7 +27,7 @@ import com.google.inject.Provider;
import java.util.List;
import org.glyptodon.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObject;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObject;
import org.glyptodon.guacamole.net.GuacamoleTunnel;
import org.glyptodon.guacamole.net.auth.Connection;
import org.glyptodon.guacamole.net.auth.ConnectionRecord;
@@ -41,7 +41,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleConfiguration;
* @author James Muehlner
* @author Michael Jumper
*/
public class ModeledConnection extends GroupedDirectoryObject<ConnectionModel>
public class ModeledConnection extends ModeledGroupedDirectoryObject<ConnectionModel>
implements Connection {
/**

4
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.java
View File

@@ -23,7 +23,7 @@
package org.glyptodon.guacamole.auth.jdbc.connectiongroup;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.user.UserModel;
import org.apache.ibatis.annotations.Param;
@@ -32,7 +32,7 @@ import org.apache.ibatis.annotations.Param;
*
* @author Michael Jumper
*/
public interface ConnectionGroupMapper extends DirectoryObjectMapper<ConnectionGroupModel> {
public interface ConnectionGroupMapper extends ModeledDirectoryObjectMapper<ConnectionGroupModel> {
/**
* Selects the identifiers of all connection groups within the given parent

8
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java
View File

@@ -26,13 +26,13 @@ import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleSecurityException;
import org.glyptodon.guacamole.GuacamoleUnsupportedException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.net.GuacamoleTunnel;
@@ -49,7 +49,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
*
* @author Michael Jumper, James Muehlner
*/
public class ConnectionGroupService extends GroupedDirectoryObjectService<ModeledConnectionGroup,
public class ConnectionGroupService extends ModeledGroupedDirectoryObjectService<ModeledConnectionGroup,
ConnectionGroup, ConnectionGroupModel> {
/**
@@ -77,7 +77,7 @@ public class ConnectionGroupService extends GroupedDirectoryObjectService<Modele
private GuacamoleTunnelService tunnelService;
@Override
protected DirectoryObjectMapper<ConnectionGroupModel> getObjectMapper() {
protected ModeledDirectoryObjectMapper<ConnectionGroupModel> getObjectMapper() {
return connectionGroupMapper;
}

4
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java
View File

@@ -27,7 +27,7 @@ import java.util.Set;
import org.glyptodon.guacamole.auth.jdbc.connection.ConnectionService;
import org.glyptodon.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObject;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledGroupedDirectoryObject;
import org.glyptodon.guacamole.net.GuacamoleTunnel;
import org.glyptodon.guacamole.net.auth.ConnectionGroup;
import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
@@ -38,7 +38,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
*
* @author James Muehlner
*/
public class ModeledConnectionGroup extends GroupedDirectoryObject<ConnectionGroupModel>
public class ModeledConnectionGroup extends ModeledGroupedDirectoryObject<ConnectionGroupModel>
implements ConnectionGroup {
/**

6
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/ModeledUser.java
View File

@@ -23,7 +23,7 @@
package org.glyptodon.guacamole.auth.jdbc.user;
import com.google.inject.Inject;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObject;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObject;
import org.glyptodon.guacamole.auth.jdbc.security.PasswordEncryptionService;
import org.glyptodon.guacamole.auth.jdbc.security.SaltService;
import org.glyptodon.guacamole.auth.jdbc.permission.SystemPermissionService;
@@ -42,7 +42,7 @@ import org.glyptodon.guacamole.net.auth.permission.SystemPermissionSet;
* @author James Muehlner
* @author Michael Jumper
*/
public class ModeledUser extends DirectoryObject<UserModel> implements User {
public class ModeledUser extends ModeledDirectoryObject<UserModel> implements User {
/**
* Service for hashing passwords.
@@ -73,7 +73,7 @@ public class ModeledUser extends DirectoryObject<UserModel> implements User {
*/
@Inject
private ConnectionGroupPermissionService connectionGroupPermissionService;
/**
* Service for retrieving user permissions.
*/

4
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.java
View File

@@ -22,7 +22,7 @@
package org.glyptodon.guacamole.auth.jdbc.user;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
import org.apache.ibatis.annotations.Param;
/**
@@ -30,7 +30,7 @@ import org.apache.ibatis.annotations.Param;
*
* @author Michael Jumper
*/
public interface UserMapper extends DirectoryObjectMapper<UserModel> {
public interface UserMapper extends ModeledDirectoryObjectMapper<UserModel> {
/**
* Returns the user having the given username, if any. If no such user

8
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserService.java
View File

@@ -28,8 +28,8 @@ import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import org.glyptodon.guacamole.net.auth.Credentials;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectService;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
import org.glyptodon.guacamole.auth.jdbc.base.ModeledDirectoryObjectService;
import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.GuacamoleUnsupportedException;
@@ -49,7 +49,7 @@ import org.glyptodon.guacamole.net.auth.permission.SystemPermissionSet;
*
* @author Michael Jumper, James Muehlner
*/
public class UserService extends DirectoryObjectService<ModeledUser, User, UserModel> {
public class UserService extends ModeledDirectoryObjectService<ModeledUser, User, UserModel> {
/**
* All user permissions which are implicitly granted to the new user upon
@@ -85,7 +85,7 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
private PasswordEncryptionService encryptionService;
@Override
protected DirectoryObjectMapper<UserModel> getObjectMapper() {
protected ModeledDirectoryObjectMapper<UserModel> getObjectMapper() {
return userMapper;
}