GUACAMOLE-220: Deprecate built-in support for storage of permissions in SimpleUser. Add convenience constructors for SimpleObjectPermissionSet.

extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserContext.java

@@ -34,8 +34,10 @@ import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.Directory;
 import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.UserGroup;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleConnectionGroup;
 import org.apache.guacamole.net.auth.simple.SimpleDirectory;
+import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleUser;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -149,13 +151,29 @@ public class UserContext extends AbstractUserContext {
         );
 
         // Init self with basic permissions
-        self = new SimpleUser(
-            user.getIdentifier(),
-            userDirectory.getIdentifiers(),
-            userGroupDirectory.getIdentifiers(),
-            connectionDirectory.getIdentifiers(),
-            Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP)
-        );
+        self = new SimpleUser(user.getIdentifier()) {
+
+            @Override
+            public ObjectPermissionSet getUserPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(userDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(userGroupDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(Collections.singleton(LDAPAuthenticationProvider.ROOT_CONNECTION_GROUP));
+            }
+
+        };
 
     }
 

extensions/guacamole-auth-quickconnect/src/main/java/org/apache/guacamole/auth/quickconnect/QuickConnectUserContext.java

@@ -26,6 +26,8 @@ import org.apache.guacamole.net.auth.AbstractUserContext;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.ConnectionGroup;
 import org.apache.guacamole.net.auth.User;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
+import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleUser;
 
 /**
@@ -93,10 +95,19 @@ public class QuickConnectUserContext extends AbstractUserContext {
 
         // Initialize the user to a SimpleUser with the provided username,
         // no connections, and the single root group.
-        this.self = new SimpleUser(username,
-            connectionDirectory.getIdentifiers(),
-            Collections.singleton(ROOT_IDENTIFIER)
-        );
+        this.self = new SimpleUser(username) {
+
+            @Override
+            public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(connectionDirectory.getIdentifiers());
+            }
+
+            @Override
+            public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(Collections.singleton(ROOT_IDENTIFIER));
+            }
+
+        };
 
         // Set the authProvider to the calling authProvider object.
         this.authProvider = authProvider;

guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleObjectPermissionSet.java

@@ -22,6 +22,7 @@ package org.apache.guacamole.net.auth.simple;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
@@ -45,6 +46,66 @@ public class SimpleObjectPermissionSet implements ObjectPermissionSet {
     public SimpleObjectPermissionSet() {
     }
 
+    /**
+     * Creates a new set of ObjectPermissions for each possible combination of
+     * the given identifiers and permission types.
+     *
+     * @param identifiers
+     *     The identifiers which should have one ObjectPermission for each of
+     *     the given permission types.
+     *
+     * @param types
+     *     The permissions which should be granted for each of the given
+     *     identifiers.
+     *
+     * @return
+     *     A new set of ObjectPermissions containing one ObjectPermission for
+     *     each possible combination of the given identifiers and permission
+     *     types.
+     */
+    private static Set<ObjectPermission> createPermissions(Collection<String> identifiers,
+            Collection<ObjectPermission.Type> types) {
+
+        // Add a permission of each type to the set for each identifier given
+        Set<ObjectPermission> permissions = new HashSet<>(identifiers.size());
+        types.forEach(type -> {
+            identifiers.forEach(identifier -> permissions.add(new ObjectPermission(type, identifier)));
+        });
+
+        return permissions;
+
+    }
+
+    /**
+     * Creates a new SimpleObjectPermissionSet which contains permissions for
+     * all possible unique combinations of the given identifiers and permission
+     * types.
+     *
+     * @param identifiers
+     *     The identifiers which should be associated permissions having each
+     *     of the given permission types.
+     *
+     * @param types
+     *     The types of permissions which should be granted for each of the
+     *     given identifiers.
+     */
+    public SimpleObjectPermissionSet(Collection<String> identifiers,
+            Collection<ObjectPermission.Type> types) {
+        this(createPermissions(identifiers, types));
+    }
+
+    /**
+     * Creates a new SimpleObjectPermissionSet which contains only READ
+     * permissions for each of the given identifiers.
+     *
+     * @param identifiers
+     *     The identifiers which should each be associated with READ
+     *     permission.
+     */
+    public SimpleObjectPermissionSet(Collection<String> identifiers) {
+        this(identifiers, Collections.singletonList(ObjectPermission.Type.READ));
+    }
+
     /**
      * Creates a new SimpleObjectPermissionSet which contains the permissions
      * within the given Set.

guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUser.java

@@ -45,11 +45,6 @@ public class SimpleUser extends AbstractUser {
      */
     private final Set<ObjectPermission> userPermissions = new HashSet<>();
 
-    /**
-     * All user group permissions granted to this user.
-     */
-    private final Set<ObjectPermission> userGroupPermissions = new HashSet<>();
-
     /**
      * All connection permissions granted to this user.
      */
@@ -115,7 +110,15 @@ public class SimpleUser extends AbstractUser {
      * @param connectionGroupIdentifiers
      *     The identifiers of all connection groups this user has READ access
      *     to.
+     *
+     * @deprecated
+     *     Extend and override the applicable permission set getters instead,
+     *     relying on SimpleUser to expose no permissions by default for all
+     *     permission sets that aren't overridden. See {@link SimpleObjectPermissionSet}
+     *     for convenient methods of providing a read-only permission set with
+     *     specific permissions.
      */
+    @Deprecated
     public SimpleUser(String username,
             Collection<String> connectionIdentifiers,
             Collection<String> connectionGroupIdentifiers) {
@@ -128,43 +131,6 @@ public class SimpleUser extends AbstractUser {
 
     }
 
-    /**
-     * Creates a new SimpleUser having the given username and READ access to
-     * the users, user groups, connections, and connection groups having the
-     * given identifiers.
-     *
-     * @param username
-     *     The username to assign to this SimpleUser.
-     *
-     * @param userIdentifiers
-     *     The identifiers of all users this user has READ access to.
-     *
-     * @param userGroupIdentifiers
-     *     The identifiers of all user groups this user has READ access to.
-     *
-     * @param connectionIdentifiers
-     *     The identifiers of all connections this user has READ access to.
-     *
-     * @param connectionGroupIdentifiers
-     *     The identifiers of all connection groups this user has READ access
-     *     to.
-     */
-    public SimpleUser(String username,
-            Collection<String> userIdentifiers,
-            Collection<String> userGroupIdentifiers,
-            Collection<String> connectionIdentifiers,
-            Collection<String> connectionGroupIdentifiers) {
-
-        this(username);
-
-        // Add permissions
-        addReadPermissions(userPermissions,            userIdentifiers);
-        addReadPermissions(userGroupPermissions,       userGroupIdentifiers);
-        addReadPermissions(connectionPermissions,      connectionIdentifiers);
-        addReadPermissions(connectionGroupPermissions, connectionGroupIdentifiers);
-
-    }
-
     /**
      * Creates a new SimpleUser having the given username and READ access to
      * the users, connections, and groups having the given identifiers.
@@ -181,7 +147,15 @@ public class SimpleUser extends AbstractUser {
      * @param connectionGroupIdentifiers
      *     The identifiers of all connection groups this user has READ access
      *     to.
+     *
+     * @deprecated
+     *     Extend and override the applicable permission set getters instead,
+     *     relying on SimpleUser to expose no permissions by default for all
+     *     permission sets that aren't overridden. See {@link SimpleObjectPermissionSet}
+     *     for convenient methods of providing a read-only permission set with
+     *     specific permissions.
      */
+    @Deprecated
     public SimpleUser(String username,
             Collection<String> userIdentifiers,
             Collection<String> connectionIdentifiers,

guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleUserContext.java

@@ -19,7 +19,6 @@
 
 package org.apache.guacamole.net.auth.simple;
 
-import java.util.Collections;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import org.apache.guacamole.GuacamoleException;
@@ -29,6 +28,7 @@ import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.Directory;
 import org.apache.guacamole.net.auth.User;
+import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.protocol.GuacamoleConfiguration;
 
 /**
@@ -113,20 +113,19 @@ public class SimpleUserContext extends AbstractUserContext {
 
     @Override
     public User self() {
+        return new SimpleUser(username) {
 
-        try {
-            return new SimpleUser(username,
-                    getConnectionDirectory().getIdentifiers(),
-                    getConnectionGroupDirectory().getIdentifiers()
-            );
+            @Override
+            public ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(getConnectionDirectory().getIdentifiers());
             }
 
-        catch (GuacamoleException e) {
-            return new SimpleUser(username,
-                    Collections.<String>emptySet(),
-                    Collections.<String>emptySet());
+            @Override
+            public ObjectPermissionSet getConnectionPermissions() throws GuacamoleException {
+                return new SimpleObjectPermissionSet(getConnectionGroupDirectory().getIdentifiers());
             }
 
+        };
     }
 
     @Override