diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java
index 7c520d314..826b4ec65 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java
@@ -34,8 +34,10 @@ import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.Directory;
 import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.UserGroup;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleConnectionGroup;
 import org.apache.guacamole.net.auth.simple.SimpleDirectory;
+import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleUser;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -149,13 +151,29 @@ public class UserContext extends AbstractUserContext {
         );
         // Init self with basic permissions
-        self = new SimpleUser(
-            user.getIdentifier(),
-            userDirectory.getIdentifiers(),
-            userGroupDirectory.getIdentifiers(),
-            connectionDirectory.getIdentifiers(),
-            Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP)
-        );
+        self = new SimpleUser(user.getIdentifier()) {
+
+            @Override
+            public ObjectPermissionSet getUserPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(userDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(userGroupDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP));
+            }
+
+        };
     }
diff --git a/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java b/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java
index d7e23edb4..dad050556 100644
--- a/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java
+++ b/extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java
@@ -26,6 +26,8 @@ import org.apache.guacamole.net.auth.AbstractUserContext;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.User;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
+import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleUser;
 /**
@@ -93,10 +95,19 @@ public class QuickConnectUserContext extends AbstractUserContext {
         // Initialize the user to a SimpleUser with the provided username,
         // no connections, and the single root group.
-        this.self = new SimpleUser(username,
-            connectionDirectory.getIdentifiers(),
-            Collections.singleton(ROOT_IDENTIFIER)
-        );
+        this.self = new SimpleUser(username) {
+
+            @Override
+            public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(Collections.singleton(ROOT_IDENTIFIER));
+            }
+
+        };
         // Set the authProvider to the calling authProvider object.
         this.authProvider = authProvider;
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java
index 7cf54bd2d..53a30ce19 100644
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java
@@ -22,6 +22,7 @@ package org.apache.guacamole.net.auth.simple;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
@@ -45,6 +46,66 @@ public class SimpleObjectPermissionSet implements ObjectPermissionSet {
     public SimpleObjectPermissionSet() {
     }
+    /**
+     * Creates a new set of ObjectPermissions for each possible combination of
+     * the given identifiers and permission types.
+     *
+     * @param identifiers
+     *     The identifiers which should have one ObjectPermission for each of
+     *     the given permission types.
+     *
+     * @param types
+     *     The permissions which should be granted for each of the given
+     *     identifiers.
+     *
+     * @return
+     *     A new set of ObjectPermissions containing one ObjectPermission for
+     *     each possible combination of the given identifiers and permission
+     *     types.
+     */
+    private static Set createPermissions(Collection identifiers,
+            Collection types) {
+
+        // Add a permission of each type to the set for each identifier given
+        Set permissions = new HashSet<>(identifiers.size());
+        types.forEach(type -> {
+            identifiers.forEach(identifier -> permissions.add(new ObjectPermission(type, identifier)));
+        });
+
+        return permissions;
+
+    }
+
+    /**
+     * Creates a new SimpleObjectPermissionSet which contains permissions for
+     * all possible unique combinations of the given identifiers and permission
+     * types.
+     *
+     * @param identifiers
+     *     The identifiers which should be associated permissions having each
+     *     of the given permission types.
+     *
+     * @param types
+     *     The types of permissions which should be granted for each of the
+     *     given identifiers.
+     */
+    public SimpleObjectPermissionSet(Collection identifiers,
+            Collection types) {
+        this(createPermissions(identifiers, types));
+    }
+
+    /**
+     * Creates a new SimpleObjectPermissionSet which contains only READ
+     * permissions for each of the given identifiers.
+     *
+     * @param identifiers
+     *     The identifiers which should each be associated with READ
+     *     permission.
+     */
+    public SimpleObjectPermissionSet(Collection identifiers) {
+        this(identifiers, Collections.singletonList(ObjectPermission.Type.READ));
+    }
+
     /**
      * Creates a new SimpleObjectPermissionSet which contains the permissions
      * within the given Set.
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java
index 302150e5a..cce8bf01b 100644
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java
@@ -45,11 +45,6 @@ public class SimpleUser extends AbstractUser {
      */
     private final Set userPermissions = new HashSet<>();
-    /**
-     * All user group permissions granted to this user.
-     */
-    private final Set userGroupPermissions = new HashSet<>();
-
     /**
      * All connection permissions granted to this user.
      */
@@ -115,7 +110,15 @@ public class SimpleUser extends AbstractUser {
      * @param connectionGroupIdentifiers
      *     The identifiers of all connection groups this user has READ access
      *     to.
+     *
+     * @deprecated
+     *     Extend and override the applicable permission set getters instead,
+     *     relying on SimpleUser to expose no permissions by default for all
+     *     permission sets that aren't overridden. See {@link SimpleObjectPermissionSet}
+     *     for convenient methods of providing a read-only permission set with
+     *     specific permissions.
      */
+    @Deprecated
     public SimpleUser(String username,
             Collection connectionIdentifiers,
             Collection connectionGroupIdentifiers) {
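Review bot: `createPermissions` presizes its HashSet with `identifiers.size()` but inserts `identifiers.size() * types.size()` entries, so any caller of the two-argument constructor with more than one permission type forces a rehash; `Set permissions = new HashSet<>(identifiers.size() * types.size());` matches the Cartesian product the Javadoc describes. The nested `forEach` lambdas add nothing over two plain loops and hide the iteration order; `for (ObjectPermission.Type type : types) for (String identifier : identifiers) permissions.add(new ObjectPermission(type, identifier));` reads the same and avoids the lambda capture. Neither the helper nor either public constructor documents that `identifiers` and `types` must be non-null, and a null collection currently fails with an NPE from inside the helper rather than at the constructor boundary, so a `@throws NullPointerException` line in both constructor Javadocs (or an explicit null check) would make the contract visible to extension authors.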
@@ -128,43 +131,6 @@ public class SimpleUser extends AbstractUser {
     }
-    /**
-     * Creates a new SimpleUser having the given username and READ access to
-     * the users, user groups, connections, and connection groups having the
-     * given identifiers.
-     *
-     * @param username
-     *     The username to assign to this SimpleUser.
-     *
-     * @param userIdentifiers
-     *     The identifiers of all users this user has READ access to.
-     *
-     * @param userGroupIdentifiers
-     *     The identifiers of all user groups this user has READ access to.
-     *
-     * @param connectionIdentifiers
-     *     The identifiers of all connections this user has READ access to.
-     *
-     * @param connectionGroupIdentifiers
-     *     The identifiers of all connection groups this user has READ access
-     *     to.
-     */
-    public SimpleUser(String username,
-            Collection userIdentifiers,
-            Collection userGroupIdentifiers,
-            Collection connectionIdentifiers,
-            Collection connectionGroupIdentifiers) {
-
-        this(username);
-
-        // Add permissions
-        addReadPermissions(userPermissions, userIdentifiers);
-        addReadPermissions(userGroupPermissions, userGroupIdentifiers);
-        addReadPermissions(connectionPermissions, connectionIdentifiers);
-        addReadPermissions(connectionGroupPermissions, connectionGroupIdentifiers);
-
-    }
-
     /**
      * Creates a new SimpleUser having the given username and READ access to
      * the users, connections, and groups having the given identifiers.
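Review bot: The five-argument `SimpleUser` constructor is deleted outright here, while the two sibling constructors in this same file are kept and only marked `@Deprecated` with an `@deprecated` pointer to the override-the-getters pattern. guacamole-ext is the API that third-party authentication extensions compile against, so removing a public constructor is a source- and binary-incompatible change for any extension that used it, and the inconsistency with the deprecate-don't-delete treatment of the other two is hard to justify from the diff alone. Unless this overload was never part of a released guacamole-ext (which I cannot tell from here), it should get the same treatment: keep the signature, add `@Deprecated` and the same `@deprecated` Javadoc, and since the `userGroupPermissions` field it wrote to is also removed in this commit, have it retain the user-group identifiers and serve them through an overridden `getUserGroupPermissions()` returning `new SimpleObjectPermissionSet(userGroupIdentifiers)`. The class body of SimpleUser continues beyond this hunk.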
@@ -181,7 +147,15 @@ public class SimpleUser extends AbstractUser {
      * @param connectionGroupIdentifiers
      *     The identifiers of all connection groups this user has READ access
      *     to.
+     *
+     * @deprecated
+     *     Extend and override the applicable permission set getters instead,
+     *     relying on SimpleUser to expose no permissions by default for all
+     *     permission sets that aren't overridden. See {@link SimpleObjectPermissionSet}
+     *     for convenient methods of providing a read-only permission set with
+     *     specific permissions.
      */
+    @Deprecated
     public SimpleUser(String username,
             Collection userIdentifiers,
             Collection connectionIdentifiers,
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java
index 26978e9fb..03e94fbac 100644
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java
@@ -19,7 +19,6 @@ package org.apache.guacamole.net.auth.simple;
-import java.util.Collections;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import org.apache.guacamole.GuacamoleException;
@@ -29,6 +28,7 @@ import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.Directory;
 import org.apache.guacamole.net.auth.User;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.protocol.GuacamoleConfiguration;
 /**
@@ -113,20 +113,19 @@ public class SimpleUserContext extends AbstractUserContext {
     @Override
     public User self() {
+        return new SimpleUser(username) {
-        try {
-            return new SimpleUser(username,
-                getConnectionDirectory().getIdentifiers(),
-                getConnectionGroupDirectory().getIdentifiers()
-            );
-        }
+            @Override
+            public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(getConnectionDirectory().getIdentifiers());
+            }
-        catch (GuacamoleException e) {
-            return new SimpleUser(username,
-                Collections.emptySet(),
-                Collections.emptySet());
-        }
+            @Override
+            public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(getConnectionGroupDirectory().getIdentifiers());
+            }
+        };
     }
     @Override
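Review bot: The two overrides in `self()` are wired to the wrong directories: `getConnectionGroupPermissions()` builds its set from `getConnectionDirectory().getIdentifiers()` and `getConnectionPermissions()` from `getConnectionGroupDirectory().getIdentifiers()`, so a SimpleUserContext user is granted READ on connection identifiers as if they were connection groups and on group identifiers as if they were connections, and permission checks against the real objects will not match. The LDAP and QuickConnect hunks in this same diff pair each getter with its matching directory, so this looks like a transposition rather than intent; the fix is to swap the two calls so that `getConnectionGroupPermissions()` returns `new SimpleObjectPermissionSet(getConnectionGroupDirectory().getIdentifiers())` and `getConnectionPermissions()` returns `new SimpleObjectPermissionSet(getConnectionDirectory().getIdentifiers())`. Separately, the removed try/catch used to degrade to an empty permission set when a directory lookup threw, whereas the lazy getters now let the `GuacamoleException` reach whoever queries permissions; that is probably the intended tightening (a failed lookup no longer silently grants nothing), but it is a behaviour change for subclasses that override `getConnectionDirectory()` and deserves a sentence in the method's Javadoc.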