safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ticket #269: Major cleanup of permissions service.

Browse Source
This commit is contained in:
Michael Jumper
2013-03-01 03:39:49 -08:00
parent a42167ecc3
commit dbafe68cd4
5 changed files with 459 additions and 922 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/ConnectionDirectory.java
View File

@@ -38,7 +38,7 @@ package net.sourceforge.guacamole.net.auth.mysql;
* ***** END LICENSE BLOCK ***** */
import com.google.inject.Inject;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import net.sourceforge.guacamole.GuacamoleException;
import net.sourceforge.guacamole.net.auth.Connection;
@@ -102,19 +102,34 @@ public class ConnectionDirectory implements Directory<String, Connection>{
@Transactional
@Override
public Connection get(String identifier) throws GuacamoleException {
permissionCheckService.verifyConnectionReadAccess(this.user_id, identifier);
return connectionService.retrieveConnection(identifier);
// Get connection
MySQLConnection connection =
connectionService.retrieveConnection(identifier);
// Verify access is granted
permissionCheckService.verifyConnectionAccess(
this.user_id,
connection.getConnectionID(),
MySQLConstants.CONNECTION_READ);
// Return connection
return connection;
}
@Transactional
@Override
public Set<String> getIdentifiers() throws GuacamoleException {
Set<String> connectionNameSet = new HashSet<String>();
Set<MySQLConnection> connections = permissionCheckService.getReadableConnections(this.user_id);
for(MySQLConnection mySQLConnection : connections) {
connectionNameSet.add(mySQLConnection.getIdentifier());
}
return connectionNameSet;
// List of all connection IDs for which this user has read access
List<Integer> connectionIDs =
permissionCheckService.retrieveConnectionIDs(this.user_id,
MySQLConstants.CONNECTION_READ);
// Query all associated connections
return connectionService.translateNames(connectionIDs).keySet();
}
@Transactional
@@ -122,7 +137,8 @@ public class ConnectionDirectory implements Directory<String, Connection>{
public void add(Connection object) throws GuacamoleException {
// Verify permission to create
permissionCheckService.verifyCreateConnectionPermission(this.user_id);
permissionCheckService.verifySystemAccess(this.user_id,
MySQLConstants.SYSTEM_CONNECTION_CREATE);
// Create connection
MySQLConnection connection = connectionService.createConnection(
@@ -192,10 +208,14 @@ public class ConnectionDirectory implements Directory<String, Connection>{
if (!(object instanceof MySQLConnection))
throw new GuacamoleException("Connection not from database.");
// Verify permission to update
permissionCheckService.verifyConnectionUpdateAccess(this.user_id, object.getIdentifier());
MySQLConnection mySQLConnection = (MySQLConnection) object;
// Verify permission to update
permissionCheckService.verifyConnectionAccess(this.user_id,
mySQLConnection.getConnectionID(),
MySQLConstants.CONNECTION_UPDATE);
// Perform update
connectionService.updateConnection(mySQLConnection);
// Delete old connection parameters
@@ -213,13 +233,15 @@ public class ConnectionDirectory implements Directory<String, Connection>{
@Override
public void remove(String identifier) throws GuacamoleException {
// Verify permission to delete
permissionCheckService.verifyConnectionDeleteAccess(this.user_id, identifier);
// Get connection
MySQLConnection mySQLConnection =
connectionService.retrieveConnection(identifier);
// Verify permission to delete
permissionCheckService.verifyConnectionAccess(this.user_id,
mySQLConnection.getConnectionID(),
MySQLConstants.CONNECTION_DELETE);
// Delete the connection itself
connectionService.deleteConnection(mySQLConnection.getConnectionID());

253
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
View File

@@ -41,8 +41,6 @@ import com.google.common.base.Preconditions;
import com.google.inject.Inject;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -143,23 +141,32 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
@Override
public net.sourceforge.guacamole.net.auth.User get(String identifier)
throws GuacamoleException {
permissionCheckService.verifyUserReadAccess(this.user_id, identifier);
// Get user
MySQLUser user = userService.retrieveUser(identifier);
// Verify access is granted
permissionCheckService.verifyUserAccess(this.user_id,
user.getUserID(),
MySQLConstants.USER_READ);
// Return user
return userService.retrieveUser(identifier);
}
@Transactional
@Override
public Set<String> getIdentifiers() throws GuacamoleException {
// Get set of all readable users
Set<MySQLUser> users = permissionCheckService.getReadableUsers(this.user_id);
// List of all user IDs for which this user has read access
List<Integer> userIDs =
permissionCheckService.retrieveConnectionIDs(this.user_id,
MySQLConstants.USER_READ);
// Build set of usernames of readable users
Set<String> userNameSet = new HashSet<String>();
for (MySQLUser mySQLUser : users)
userNameSet.add(mySQLUser.getUsername());
// Query all associated users
return userService.translateUsernames(userIDs).keySet();
return userNameSet;
}
@Override
@@ -168,7 +175,8 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
throws GuacamoleException {
// Verify current user has permission to create users
permissionCheckService.verifyCreateUserPermission(this.user_id);
permissionCheckService.verifySystemAccess(this.user_id,
MySQLConstants.SYSTEM_USER_CREATE);
Preconditions.checkNotNull(object);
// Create new user
@@ -285,51 +293,43 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
Collection<UserPermission> permissions)
throws GuacamoleException {
// If no permissions given, stop now
if(permissions.isEmpty())
return;
// Get set of administerable users
Set<Integer> administerableUsers =
permissionCheckService.getAdministerableUserIDs(this.user_id);
// Get list of administerable user IDs
List<Integer> administerableUserIDs =
permissionCheckService.retrieveUserIDs(this.user_id,
MySQLConstants.USER_ADMINISTER);
// Get list of usernames for all given user permissions.
List<String> usernames = new ArrayList<String>();
for (UserPermission permission : permissions)
usernames.add(permission.getObjectIdentifier());
// Find all the users by username
List<MySQLUser> users = userService.retrieveUsersByUsername(usernames);
// Build map of found users, indexed by username
Map<String, MySQLUser> userMap = new HashMap<String, MySQLUser>();
for (MySQLUser user : users)
userMap.put(user.getUsername(), user);
// Get set of usernames corresponding to administerable users
Map<String, Integer> administerableUsers =
userService.translateUsernames(administerableUserIDs);
// Insert all given permissions
for (UserPermission permission : permissions) {
// Get user
MySQLUser affectedUser =
userMap.get(permission.getObjectIdentifier());
if (affectedUser == null)
throw new GuacamoleException(
"User '" + permission.getObjectIdentifier()
+ "' not found.");
// Get original ID
Integer affected_id =
administerableUsers.get(permission.getObjectIdentifier());
// Verify that the user actually has permission to administrate
// every one of these users
if (!administerableUsers.contains(affectedUser.getUserID()))
if (affected_id == null)
throw new GuacamoleSecurityException(
"User #" + this.user_id
+ " does not have permission to administrate user "
+ affectedUser.getUsername());
+ permission.getObjectIdentifier());
// Create new permission
UserPermissionKey newPermission = new UserPermissionKey();
newPermission.setAffected_user_id(affectedUser.getUserID());
newPermission.setPermission(permission.getType().name());
newPermission.setUser_id(user_id);
newPermission.setPermission(MySQLConstants.getUserConstant(permission.getType()));
newPermission.setAffected_user_id(affected_id);
userPermissionDAO.insert(newPermission);
}
}
/**
@@ -345,54 +345,44 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
Collection<UserPermission> permissions)
throws GuacamoleException {
// If no permissions given, stop now
if(permissions.isEmpty())
return;
// Get set of administerable users
Set<Integer> administerableUsers =
permissionCheckService.getAdministerableUserIDs(this.user_id);
// Get list of administerable user IDs
List<Integer> administerableUserIDs =
permissionCheckService.retrieveUserIDs(this.user_id,
MySQLConstants.USER_ADMINISTER);
// Get list of usernames for all given user permissions.
List<String> usernames = new ArrayList<String>();
for (UserPermission permission : permissions)
usernames.add(permission.getObjectIdentifier());
// Get set of usernames corresponding to administerable users
Map<String, Integer> administerableUsers =
userService.translateUsernames(administerableUserIDs);
// Find all the users by username
List<MySQLUser> users = userService.retrieveUsersByUsername(usernames);
List<Integer> userIDs = new ArrayList<Integer>();
// Build map of found users, indexed by username
Map<String, MySQLUser> userMap = new HashMap<String, MySQLUser>();
for (MySQLUser user : users) {
userMap.put(user.getUsername(), user);
userIDs.add(user.getUserID());
}
// Verify we have permission to delete each user permission.
// Delete requested permissions
for (UserPermission permission : permissions) {
// Get user
MySQLUser affectedUser = userMap.get(permission.getObjectIdentifier());
if (affectedUser == null)
throw new GuacamoleException(
"User '" + permission.getObjectIdentifier()
+ "' not found.");
// Get original ID
Integer affected_id =
administerableUsers.get(permission.getObjectIdentifier());
// Verify that the user actually has permission to administrate
// every one of these users
if (!administerableUsers.contains(affectedUser.getUserID()))
if (affected_id == null)
throw new GuacamoleSecurityException(
"User #" + this.user_id
+ " does not have permission to administrate user "
+ affectedUser.getUsername());
+ permission.getObjectIdentifier());
// Delete requested permission
UserPermissionExample userPermissionExample = new UserPermissionExample();
userPermissionExample.createCriteria()
.andUser_idEqualTo(user_id)
.andPermissionEqualTo(MySQLConstants.getUserConstant(permission.getType()))
.andAffected_user_idEqualTo(affected_id);
userPermissionDAO.deleteByExample(userPermissionExample);
}
if(!userIDs.isEmpty()) {
UserPermissionExample userPermissionExample = new UserPermissionExample();
userPermissionExample.createCriteria().andUser_idEqualTo(user_id)
.andAffected_user_idIn(userIDs);
userPermissionDAO.deleteByExample(userPermissionExample);
}
}
/**
@@ -409,51 +399,42 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
Collection<ConnectionPermission> permissions)
throws GuacamoleException {
// If no permissions given, stop now
if(permissions.isEmpty())
return;
// Get adminsterable connection identifiers
Set<Integer> administerableConnections =
permissionCheckService.getAdministerableConnectionIDs(this.user_id);
// Get list of administerable connection IDs
List<Integer> administerableConnectionIDs =
permissionCheckService.retrieveUserIDs(this.user_id,
MySQLConstants.CONNECTION_ADMINISTER);
// Build list of affected connection names from the permissions given
List<String> connectionNames = new ArrayList<String>();
for (ConnectionPermission permission : permissions)
connectionNames.add(permission.getObjectIdentifier());
// Get set of names corresponding to administerable connections
Map<String, Integer> administerableConnections =
userService.translateUsernames(administerableConnectionIDs);
// Find all the connections by connection name
List<MySQLConnection> connections = connectionService.retrieveConnectionsByName(connectionNames);
// Build map of found connections, indexed by name
Map<String, MySQLConnection> connectionMap = new HashMap<String, MySQLConnection>();
for (MySQLConnection connection : connections)
connectionMap.put(connection.getIdentifier(), connection);
// Finally, insert the new permissions
// Insert all given permissions
for (ConnectionPermission permission : permissions) {
// Get permission
MySQLConnection connection = connectionMap.get(permission.getObjectIdentifier());
if (connection == null)
throw new GuacamoleException(
"Connection '" + permission.getObjectIdentifier()
+ "' not found.");
// Get original ID
Integer connection_id =
administerableConnections.get(permission.getObjectIdentifier());
// Throw exception if permission to administer this connection
// is not granted
if (!administerableConnections.contains(connection.getConnectionID()))
if (connection_id == null)
throw new GuacamoleSecurityException(
"User #" + this.user_id
+ " does not have permission to administrate connection "
+ connection.getIdentifier());
+ permission.getObjectIdentifier());
// Insert previously-non-existent connection permission
// Create new permission
ConnectionPermissionKey newPermission = new ConnectionPermissionKey();
newPermission.setConnection_id(connection.getConnectionID());
newPermission.setPermission(permission.getType().name());
newPermission.setUser_id(user_id);
newPermission.setPermission(MySQLConstants.getConnectionConstant(permission.getType()));
newPermission.setConnection_id(connection_id);
connectionPermissionDAO.insert(newPermission);
}
}
@@ -470,54 +451,43 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
Collection<ConnectionPermission> permissions)
throws GuacamoleException {
// If no permissions given, stop now
if(permissions.isEmpty())
return;
// Get set of administerable users
Set<Integer> administerableConnections =
permissionCheckService.getAdministerableConnectionIDs(this.user_id);
// Get list of administerable connection IDs
List<Integer> administerableConnectionIDs =
permissionCheckService.retrieveUserIDs(this.user_id,
MySQLConstants.CONNECTION_ADMINISTER);
// Get list of identifiers for all given user permissions.
List<String> identifiers = new ArrayList<String>();
for (ConnectionPermission permission : permissions)
identifiers.add(permission.getObjectIdentifier());
// Get set of names corresponding to administerable connections
Map<String, Integer> administerableConnections =
userService.translateUsernames(administerableConnectionIDs);
// Find all the connections by identifiers
List<MySQLConnection> connections = connectionService.retrieveConnectionsByName(identifiers);
List<Integer> connectionIDs = new ArrayList<Integer>();
// Build map of found connections, indexed by identifier
Map<String, MySQLConnection> connectionMap = new HashMap<String, MySQLConnection>();
for (MySQLConnection connection : connections) {
connectionMap.put(connection.getIdentifier(), connection);
connectionIDs.add(connection.getConnectionID());
}
// Verify we have permission to delete each connection permission.
// Delete requested permissions
for (ConnectionPermission permission : permissions) {
// Get user
MySQLConnection connection = connectionMap.get(permission.getObjectIdentifier());
if (connection == null)
throw new GuacamoleException(
"User '" + permission.getObjectIdentifier()
+ "' not found.");
// Get original ID
Integer connection_id =
administerableConnections.get(permission.getObjectIdentifier());
// Verify that the user actually has permission to administrate
// every one of these connections
if (!administerableConnections.contains(connection.getConnectionID()))
if (connection_id == null)
throw new GuacamoleSecurityException(
"User #" + this.user_id
+ " does not have permission to administrate connection "
+ connection.getIdentifier());
+ permission.getObjectIdentifier());
ConnectionPermissionExample connectionPermissionExample = new ConnectionPermissionExample();
connectionPermissionExample.createCriteria()
.andUser_idEqualTo(user_id)
.andPermissionEqualTo(MySQLConstants.getConnectionConstant(permission.getType()))
.andConnection_idEqualTo(connection_id);
connectionPermissionDAO.deleteByExample(connectionPermissionExample);
}
if(!connectionIDs.isEmpty()) {
ConnectionPermissionExample connectionPermissionExample = new ConnectionPermissionExample();
connectionPermissionExample.createCriteria().andUser_idEqualTo(user_id)
.andConnection_idIn(connectionIDs);
connectionPermissionDAO.deleteByExample(connectionPermissionExample);
}
}
/**
@@ -538,7 +508,7 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
List<String> systemPermissionTypes = new ArrayList<String>();
for (SystemPermission permission : permissions) {
switch (permission.getType()) {
switch (permission.getType()) { // TODO: Move this into MySQLConstants
// Create connection permission
case CREATE_CONNECTION:
@@ -627,12 +597,14 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
if (!(object instanceof MySQLUser))
throw new GuacamoleException("User not from database.");
MySQLUser mySQLUser = (MySQLUser) object;
// Validate permission to update this user is granted
permissionCheckService.verifyUserUpdateAccess(this.user_id,
object.getUsername());
permissionCheckService.verifyUserAccess(this.user_id,
mySQLUser.getUserID(),
MySQLConstants.USER_UPDATE);
// Update the user in the database
MySQLUser mySQLUser = (MySQLUser) object;
userService.updateUser(mySQLUser);
// Update permissions in database
@@ -649,17 +621,16 @@ public class UserDirectory implements Directory<String, net.sourceforge.guacamol
@Transactional
public void remove(String identifier) throws GuacamoleException {
// FIXME: Querying permissions here will query the user to determine
// its ID, and that same user will be queried AGAIN later when
// deleted, again - to determine its ID. Perhaps we want cascading
// deletes in the schema?
// Get user pending deletion
MySQLUser user = userService.retrieveUser(identifier);
// Validate current user has permission to remove the specified user
permissionCheckService.verifyUserDeleteAccess(this.user_id,
identifier);
permissionCheckService.verifyUserAccess(this.user_id,
user.getUserID(),
MySQLConstants.USER_DELETE);
// Delete specified user
userService.deleteUser(identifier);
userService.deleteUser(user.getUserID());
}

76
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
View File

@@ -41,7 +41,9 @@ import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.sourceforge.guacamole.GuacamoleException;
import net.sourceforge.guacamole.net.GuacamoleSocket;
import net.sourceforge.guacamole.net.InetGuacamoleSocket;
@@ -163,56 +165,63 @@ public class ConnectionService {
}
/**
* Retrieves the connections having the given IDs from the database.
* Retrieves a translation map of connection names to their corresponding
* IDs.
*
* @param ids The IDs of the connections to retrieve.
* @return A list of existing MySQLConnection objects.
* @param ids The IDs of the connections to retrieve the names of.
* @return A map containing the names of all connections and their
* corresponding IDs.
*/
public List<MySQLConnection> retrieveConnectionsByID(List<Integer> ids) {
public Map<String, Integer> translateNames(List<Integer> ids) {
// If no IDs given, just return empty list
// If no IDs given, just return empty map
if (ids.isEmpty())
return Collections.EMPTY_LIST;
return Collections.EMPTY_MAP;
// Query connections by ID
// Map of all names onto their corresponding IDs.
Map<String, Integer> names = new HashMap<String, Integer>();
// Get all connections having the given IDs
ConnectionExample example = new ConnectionExample();
example.createCriteria().andConnection_idIn(ids);
List<Connection> connections = connectionDAO.selectByExample(example);
// Convert to MySQLConnection list
List<MySQLConnection> mySQLConnections = new ArrayList<MySQLConnection>(connections.size());
// Produce set of names
for (Connection connection : connections)
mySQLConnections.add(toMySQLConnection(connection));
names.put(connection.getConnection_name(),
connection.getConnection_id());
// Return found connections
return mySQLConnections;
return names;
}
/**
* Retrieves the connections having the given names from the database.
* Retrieves a map of all connection names for the given IDs.
*
* @param names The names of the connections to retrieve.
* @return A list of existing MySQLConnection objects.
* @param ids The IDs of the connections to retrieve the names of.
* @return A map containing the names of all connections and their
* corresponding IDs.
*/
public List<MySQLConnection> retrieveConnectionsByName(List<String> names) {
public Map<Integer, String> retrieveNames(List<Integer> ids) {
// If no names given, just return empty list
if (names.isEmpty())
return Collections.EMPTY_LIST;
// If no IDs given, just return empty map
if (ids.isEmpty())
return Collections.EMPTY_MAP;
// Query connections by ID
// Map of all names onto their corresponding IDs.
Map<Integer, String> names = new HashMap<Integer, String>();
// Get all connections having the given IDs
ConnectionExample example = new ConnectionExample();
example.createCriteria().andConnection_nameIn(names);
example.createCriteria().andConnection_idIn(ids);
List<Connection> connections = connectionDAO.selectByExample(example);
// Convert to MySQLConnection list
List<MySQLConnection> mySQLConnections = new ArrayList<MySQLConnection>(connections.size());
// Produce set of names
for (Connection connection : connections)
mySQLConnections.add(toMySQLConnection(connection));
names.put(connection.getConnection_id(),
connection.getConnection_name());
// Return found connections
return mySQLConnections;
return names;
}
@@ -352,21 +361,6 @@ public class ConnectionService {
}
/**
* Deletes the connection having the given name from the database.
* @param name The name of the connection to delete.
*/
public void deleteConnection(String name) {
// Get specified connection
MySQLConnection mySQLConnection = retrieveConnection(name);
int connection_id = mySQLConnection.getConnectionID();
// Delete the connection in the database
deleteConnection(connection_id);
}
/**
* Deletes the connection having the given ID from the database.
* @param id The ID of the connection to delete.

841
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PermissionCheckService.java
View File

@@ -35,19 +35,14 @@
* ***** END LICENSE BLOCK ***** */
package net.sourceforge.guacamole.net.auth.mysql.service;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sourceforge.guacamole.GuacamoleSecurityException;
import net.sourceforge.guacamole.net.auth.mysql.MySQLConnection;
import net.sourceforge.guacamole.net.auth.mysql.MySQLConstants;
import net.sourceforge.guacamole.net.auth.mysql.MySQLUser;
import net.sourceforge.guacamole.net.auth.mysql.dao.ConnectionPermissionMapper;
import net.sourceforge.guacamole.net.auth.mysql.dao.SystemPermissionMapper;
import net.sourceforge.guacamole.net.auth.mysql.dao.UserPermissionMapper;
@@ -80,744 +75,299 @@ public class PermissionCheckService {
@Inject
private ConnectionService connectionService;
/**
* DAO for accessing permissions related to users.
*/
@Inject
private UserPermissionMapper userPermissionDAO;
/**
* DAO for accessing permissions related to connections.
*/
@Inject
private ConnectionPermissionMapper connectionPermissionDAO;
/**
* DAO for accessing permissions related to the system as a whole.
*/
@Inject
private SystemPermissionMapper systemPermissionDAO;
/**
* Verifies that the user has read access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUserID
* @throws GuacamoleSecurityException
* Verifies that the user has the specified access to the given other
* user. If permission is denied, a GuacamoleSecurityException is thrown.
*
* @param userID The ID of the user to check.
* @param affectedUserID The user that would be affected by the operation
* if permission is granted.
* @param permissionType The type of permission to check for.
* @throws GuacamoleSecurityException If the specified permission is not
* granted.
*/
public void verifyUserReadAccess(int userID, int affectedUserID) throws GuacamoleSecurityException {
if(!checkUserReadAccess(userID, affectedUserID))
throw new GuacamoleSecurityException("User " + userID + " does not have read access to user " + affectedUserID);
public void verifyUserAccess(int userID, int affectedUserID,
String permissionType) throws GuacamoleSecurityException {
// If permission does not exist, throw exception
if(!checkUserAccess(userID, affectedUserID, permissionType))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Verifies that the user has update access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUserID
* @throws GuacamoleSecurityException
* Verifies that the user has the specified access to the given connection.
* If permission is denied, a GuacamoleSecurityException is thrown.
*
* @param userID The ID of the user to check.
* @param affectedConnectionID The connection that would be affected by the
* operation if permission is granted.
* @param permissionType The type of permission to check for.
* @throws GuacamoleSecurityException If the specified permission is not
* granted.
*/
public void verifyUserUpdateAccess(int userID, int affectedUserID) throws GuacamoleSecurityException {
if(!checkUserUpdateAccess(userID, affectedUserID))
throw new GuacamoleSecurityException("User " + userID + " does not have update access to user " + affectedUserID);
public void verifyConnectionAccess(int userID, int affectedConnectionID, String permissionType) throws GuacamoleSecurityException {
// If permission does not exist, throw exception
if(!checkConnectionAccess(userID, affectedConnectionID, permissionType))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Verifies that the user has the specified access to the system. If
* permission is denied, a GuacamoleSecurityException is thrown.
*
* @param userID The ID of the user to check.
* @param systemPermissionType The type of permission to check for.
* @throws GuacamoleSecurityException If the specified permission is not
* granted.
*/
public void verifySystemAccess(int userID, String systemPermissionType)
throws GuacamoleSecurityException {
// If permission does not exist, throw exception
if(!checkSystemAccess(userID, systemPermissionType))
throw new GuacamoleSecurityException("Permission denied.");
}
/**
* Verifies that the user has delete access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUserID
* @throws GuacamoleSecurityException
* Checks whether a user has the specified type of access to the affected
* user.
*
* @param userID The ID of the user to check.
* @param affectedUserID The user that would be affected by the operation
* if permission is granted.
* @param permissionType The type of permission to check for.
* @return true if the specified permission is granted, false otherwise.
*/
public void verifyUserDeleteAccess(int userID, int affectedUserID) throws GuacamoleSecurityException {
if(!checkUserDeleteAccess(userID, affectedUserID))
throw new GuacamoleSecurityException("User " + userID + " does not have delete access to user " + affectedUserID);
}
public boolean checkUserAccess(int userID, Integer affectedUserID, String permissionType) {
/**
* Verifies that the user has administer access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUserID
* @throws GuacamoleSecurityException
*/
public void verifyUserAdministerAccess(int userID, int affectedUserID) throws GuacamoleSecurityException {
if(!checkUserAdministerAccess(userID, affectedUserID))
throw new GuacamoleSecurityException("User " + userID + " does not have administer access to user " + affectedUserID);
}
/**
* Verifies that the user has read access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUsername
* @throws GuacamoleSecurityException
*/
public void verifyUserReadAccess(int userID, String affectedUsername) throws GuacamoleSecurityException {
if(!checkUserReadAccess(userID, affectedUsername))
throw new GuacamoleSecurityException("User " + userID + " does not have read access to user '" + affectedUsername + "'");
}
/**
* Verifies that the user has update access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUsername
* @throws GuacamoleSecurityException
*/
public void verifyUserUpdateAccess(int userID, String affectedUsername) throws GuacamoleSecurityException {
if(!checkUserUpdateAccess(userID, affectedUsername))
throw new GuacamoleSecurityException("User " + userID + " does not have update access to user '" + affectedUsername + "'");
}
/**
* Verifies that the user has delete access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUsername
* @throws GuacamoleSecurityException
*/
public void verifyUserDeleteAccess(int userID, String affectedUsername) throws GuacamoleSecurityException {
if(!checkUserDeleteAccess(userID, affectedUsername))
throw new GuacamoleSecurityException("User " + userID + " does not have delete access to user '" + affectedUsername + "'");
}
/**
* Verifies that the user has administer access to the given user. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedUsername
* @throws GuacamoleSecurityException
*/
public void verifyUserAdministerAccess(int userID, String affectedUsername) throws GuacamoleSecurityException {
if(!checkUserAdministerAccess(userID, affectedUsername))
throw new GuacamoleSecurityException("User " + userID + " does not have administer access to user '" + affectedUsername + "'");
}
/**
* Checks if the user has read access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserReadAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_READ);
}
/**
* Checks if the user has update access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserUpdateAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_UPDATE);
}
/**
* Checks if the user has delete access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserDeleteAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_DELETE);
}
/**
* Checks if the user has administer access to the given user.
* @param userID
* @param affectedUserID
* @return true if the user has access to this user.
*/
public boolean checkUserAdministerAccess(int userID, int affectedUserID) {
return checkUserAccess(userID, affectedUserID, MySQLConstants.USER_ADMINISTER);
}
/**
* Checks if the user has read access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserReadAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_READ);
}
/**
* Checks if the user has update access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserUpdateAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_UPDATE);
}
/**
* Checks if the user has delete access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserDeleteAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_DELETE);
}
/**
* Checks if the user has administer access to the given user.
* @param userID
* @param affectedUsername
* @return true if the user has access to this user.
*/
public boolean checkUserAdministerAccess(int userID, String affectedUsername) {
return checkUserAccess(userID, affectedUsername, MySQLConstants.USER_ADMINISTER);
}
/**
* Check if the user has the selected type of access to the affected user.
* @param userID
* @param affectedUsername
* @param permissionType
* @return
*/
private boolean checkUserAccess(int userID, String affectedUsername, String permissionType) {
MySQLUser affectedUser = userService.retrieveUser(affectedUsername);
if(affectedUser != null)
return checkUserAccess(userID, affectedUser.getUserID(), permissionType);
return false;
}
/**
* Check if the user has the selected type of access to the affected user.
* @param userID
* @param affectedUserID
* @param permissionType
* @return
*/
private boolean checkUserAccess(int userID, Integer affectedUserID, String permissionType) {
// Check existence of requested permission
UserPermissionExample example = new UserPermissionExample();
example.createCriteria().andUser_idEqualTo(userID).andAffected_user_idEqualTo(affectedUserID).andPermissionEqualTo(permissionType);
int count = userPermissionDAO.countByExample(example);
return count > 0;
return userPermissionDAO.countByExample(example) > 0;
}
/**
* Find the list of all user IDs a user has permission to administer.
* @param userID
* @return the list of all user IDs this user has administer access to
* Checks whether a user has the specified type of access to the affected
* connection.
*
* @param userID The ID of the user to check.
* @param affectedConnectionID The connection that would be affected by the
* operation if permission is granted.
* @param permissionType The type of permission to check for.
* @return true if the specified permission is granted, false otherwise.
*/
public Set<Integer> getAdministerableUserIDs(int userID) {
return getUserIDs(userID, MySQLConstants.USER_ADMINISTER);
public boolean checkConnectionAccess(int userID, Integer affectedConnectionID, String permissionType) {
// Check existence of requested permission
ConnectionPermissionExample example = new ConnectionPermissionExample();
example.createCriteria().andUser_idEqualTo(userID).andConnection_idEqualTo(affectedConnectionID).andPermissionEqualTo(permissionType);
return connectionPermissionDAO.countByExample(example) > 0;
}
/**
* Find the list of all user IDs a user has permission to delete.
* @param userID
* @return the list of all user IDs this user has delete access to
* Checks whether a user has the specified type of access to the system.
*
* @param userID The ID of the user to check.
* @param systemPermissionType The type of permission to check for.
* @return true if the specified permission is granted, false otherwise.
*/
public Set<Integer> getDeletableUserIDs(int userID) {
return getUserIDs(userID, MySQLConstants.USER_DELETE);
}
private boolean checkSystemAccess(int userID, String systemPermissionType) {
/**
* Find the list of all user IDs a user has permission to write.
* @param userID
* @return the list of all user IDs this user has write access to
*/
public Set<Integer> getUpdateableUserIDs(int userID) {
return getUserIDs(userID, MySQLConstants.USER_UPDATE);
}
/**
* Find the list of all user IDs a user has permission to read.
* @param userID
* @return the list of all user IDs this user has read access to
*/
public Set<Integer> getReadableUserIDs(int userID) {
return getUserIDs(userID, MySQLConstants.USER_READ);
}
/**
* Find the list of all users a user has permission to administer.
* @param userID
* @return the list of all users this user has administer access to
*/
public Set<MySQLUser> getAdministerableUsers(int userID) {
return getUsers(userID, MySQLConstants.USER_ADMINISTER);
}
/**
* Find the list of all users a user has permission to delete.
* @param userID
* @return the list of all users this user has delete access to
*/
public Set<MySQLUser> getDeletableUsers(int userID) {
return getUsers(userID, MySQLConstants.USER_DELETE);
}
/**
* Find the list of all users a user has permission to write.
* @param userID
* @return the list of all users this user has write access to
*/
public Set<MySQLUser> getUpdateableUsers(int userID) {
return getUsers(userID, MySQLConstants.USER_UPDATE);
}
/**
* Find the list of all users a user has permission to read.
* @param userID
* @return the list of all users this user read has access to
*/
public Set<MySQLUser> getReadableUsers(int userID) {
return getUsers(userID, MySQLConstants.USER_READ);
}
/**
* Find the list of all users a user has permission to.
* The access type is defined by permissionType.
* @param userID
* @param permissionType
* @return the list of all users this user has access to
*/
@Deprecated /* FIXME: Totally useless (we only ever need usernames, and querying ALL USER DATA will take ages) */
private Set<MySQLUser> getUsers(int userID, String permissionType) {
// Get all IDs of all users that the given user can perform the given
// operation on
Set<Integer> affectedUserIDs = getUserIDs(userID, permissionType);
// If no affected users at all, return empty set
if (affectedUserIDs.isEmpty())
return Collections.EMPTY_SET;
// Query corresponding user data for each retrieved ID
return new HashSet<MySQLUser>(userService.retrieveUsersByID(
Lists.newArrayList(affectedUserIDs)));
// Check existence of requested permission
SystemPermissionExample example = new SystemPermissionExample();
example.createCriteria().andUser_idEqualTo(userID).andPermissionEqualTo(systemPermissionType);
return systemPermissionDAO.countByExample(example) > 0;
}
/**
* Find the list of the IDs of all users a user has permission to.
* The access type is defined by permissionType.
* @param userID
* @param permissionType
* @return the list of all user IDs this user has access to
*
* @param userID The ID of the user to check.
* @param permissionType The type of permission to check for.
* @return A list of all user IDs this user has the specified access to.
*/
private Set<Integer> getUserIDs(int userID, String permissionType) {
Set<Integer> userIDs = new HashSet<Integer>();
public List<Integer> retrieveUserIDs(int userID, String permissionType) {
// Query all user permissions for the given user and permission type
UserPermissionExample example = new UserPermissionExample();
example.createCriteria().andUser_idEqualTo(userID).andPermissionEqualTo(permissionType);
List<UserPermissionKey> userPermissions = userPermissionDAO.selectByExample(example);
example.setDistinct(true);
List<UserPermissionKey> userPermissions =
userPermissionDAO.selectByExample(example);
// Convert result into list of IDs
List<Integer> userIDs = new ArrayList<Integer>(userPermissions.size());
for(UserPermissionKey permission : userPermissions)
userIDs.add(permission.getAffected_user_id());
return userIDs;
}
/**
* Verifies that the user has read access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionID
* @throws GuacamoleSecurityException
*/
public void verifyConnectionReadAccess(int userID, int affectedConnectionID) throws GuacamoleSecurityException {
if(!checkConnectionReadAccess(userID, affectedConnectionID))
throw new GuacamoleSecurityException("User " + userID + " does not have read access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has update access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionID
* @throws GuacamoleSecurityException
*/
public void verifyConnectionUpdateAccess(int userID, int affectedConnectionID) throws GuacamoleSecurityException {
if(!checkConnectionUpdateAccess(userID, affectedConnectionID))
throw new GuacamoleSecurityException("User " + userID + " does not have update access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has delete access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionID
* @throws GuacamoleSecurityException
*/
public void verifyConnectionDeleteAccess(int userID, int affectedConnectionID) throws GuacamoleSecurityException {
if(!checkConnectionDeleteAccess(userID, affectedConnectionID))
throw new GuacamoleSecurityException("User " + userID + " does not have delete access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has administer access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionID
* @throws GuacamoleSecurityException
*/
public void verifyConnectionAdministerAccess(int userID, int affectedConnectionID) throws GuacamoleSecurityException {
if(!checkConnectionAdministerAccess(userID, affectedConnectionID))
throw new GuacamoleSecurityException("User " + userID + " does not have administer access to connection " + affectedConnectionID);
}
/**
* Verifies that the user has read access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionName
* @throws GuacamoleSecurityException
*/
public void verifyConnectionReadAccess(int userID, String affectedConnectionName) throws GuacamoleSecurityException {
if(!checkConnectionReadAccess(userID, affectedConnectionName))
throw new GuacamoleSecurityException("User " + userID + " does not have read access to connection '" + affectedConnectionName + "'");
}
/**
* Verifies that the user has update access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionName
* @throws GuacamoleSecurityException
*/
public void verifyConnectionUpdateAccess(int userID, String affectedConnectionName) throws GuacamoleSecurityException {
if(!checkConnectionUpdateAccess(userID, affectedConnectionName))
throw new GuacamoleSecurityException("User " + userID + " does not have update access to connection '" + affectedConnectionName + "'");
}
/**
* Verifies that the user has delete access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionName
* @throws GuacamoleSecurityException
*/
public void verifyConnectionDeleteAccess(int userID, String affectedConnectionName) throws GuacamoleSecurityException {
if(!checkConnectionDeleteAccess(userID, affectedConnectionName))
throw new GuacamoleSecurityException("User " + userID + " does not have delete access to connection '" + affectedConnectionName + "'");
}
/**
* Verifies that the user has administer access to the given connection. If not, throws a GuacamoleSecurityException.
* @param userID
* @param affectedConnectionName
* @throws GuacamoleSecurityException
*/
public void verifyConnectionAdministerAccess(int userID, String affectedConnectionName) throws GuacamoleSecurityException {
if(!checkConnectionAdministerAccess(userID, affectedConnectionName))
throw new GuacamoleSecurityException("User " + userID + " does not have administer access to connection '" + affectedConnectionName + "'");
}
/**
* Checks if the user has read access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionReadAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_READ);
}
/**
* Checks if the user has update access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionUpdateAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_UPDATE);
}
/**
* Checks if the user has delete access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionDeleteAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_DELETE);
}
/**
* Checks if the user has administer access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionAdministerAccess(int userID, int affectedConnectionID) {
return checkConnectionAccess(userID, affectedConnectionID, MySQLConstants.CONNECTION_ADMINISTER);
}
/**
* Checks if the user has read access to the given connection.
* @param userID
* @param affectedConnectionName
* @return true if the user has access to this connection.
*/
public boolean checkConnectionReadAccess(int userID, String affectedConnectionName) {
return checkConnectionAccess(userID, affectedConnectionName, MySQLConstants.CONNECTION_READ);
}
/**
* Checks if the user has update access to the given connection.
* @param userID
* @param affectedConnectionName
* @return true if the user has access to this connection.
*/
public boolean checkConnectionUpdateAccess(int userID, String affectedConnectionName) {
return checkConnectionAccess(userID, affectedConnectionName, MySQLConstants.CONNECTION_UPDATE);
}
/**
* Checks if the user has delete access to the given connection.
* @param userID
* @param affectedConnectionID
* @return true if the user has access to this connection.
*/
public boolean checkConnectionDeleteAccess(int userID, String affectedConnectionname) {
return checkConnectionAccess(userID, affectedConnectionname, MySQLConstants.CONNECTION_DELETE);
}
/**
* Checks if the user has administer access to the given connection.
* @param userID
* @param affectedConnectionName
* @return true if the user has access to this connection.
*/
public boolean checkConnectionAdministerAccess(int userID, String affectedConnectionName) {
return checkConnectionAccess(userID, affectedConnectionName, MySQLConstants.CONNECTION_ADMINISTER);
}
/**
* Check if the user has the selected type of access to the affected connection.
* @param connectionID
* @param affectedConnectionname
* @param permissionType
* @return
*/
private boolean checkConnectionAccess(int userID, String affectedConnectionName, String permissionType) {
MySQLConnection connection = connectionService.retrieveConnection(affectedConnectionName);
if(connection != null)
return checkConnectionAccess(userID, connection.getConnectionID(), permissionType);
return false;
}
/**
* Check if the user has the selected type of access to the affected connection.
* @param connectionID
* @param affectedConnectionID
* @param permissionType
* @return
*/
private boolean checkConnectionAccess(int userID, Integer affectedConnectionID, String permissionType) {
ConnectionPermissionExample example = new ConnectionPermissionExample();
example.createCriteria().andUser_idEqualTo(userID).andConnection_idEqualTo(affectedConnectionID).andPermissionEqualTo(permissionType);
int count = connectionPermissionDAO.countByExample(example);
return count > 0;
}
/**
* Find the list of all connection IDs a user has permission to administer.
* @param userID
* @return the list of all connection IDs this user has administer access to
*/
public Set<Integer> getAdministerableConnectionIDs(int userID) {
return getConnectionIDs(userID, MySQLConstants.CONNECTION_ADMINISTER);
}
/**
* Find the list of all connection IDs a user has permission to delete.
* @param userID
* @return the list of all connection IDs this user has delete access to
*/
public Set<Integer> getDeletableConnectionIDs(int userID) {
return getConnectionIDs(userID, MySQLConstants.CONNECTION_DELETE);
}
/**
* Find the list of all connection IDs a user has permission to write.
* @param userID
* @return the list of all connection IDs this user has write access to
*/
public Set<Integer> getUpdateableConnectionIDs(int userID) {
return getConnectionIDs(userID, MySQLConstants.CONNECTION_UPDATE);
}
/**
* Find the list of all connection IDs a user has permission to read.
* @param userID
* @return the list of all connection IDs this user has ready access to
*/
public Set<Integer> getReadableConnectionIDs(int userID) {
return getConnectionIDs(userID, MySQLConstants.CONNECTION_READ);
}
/**
* Find the list of all connections a user has permission to administer.
* @param userID
* @return the list of all connections this user has administer access to
*/
public Set<MySQLConnection> getAdministerableConnections(int userID) {
return getConnections(userID, MySQLConstants.CONNECTION_ADMINISTER);
}
/**
* Find the list of all connections a user has permission to delete.
* @param userID
* @return the list of all connections this user has delete access to
*/
public Set<MySQLConnection> getDeletableConnections(int userID) {
return getConnections(userID, MySQLConstants.CONNECTION_DELETE);
}
/**
* Find the list of all connections a user has permission to write.
* @param userID
* @return the list of all connections this user has write access to
*/
public Set<MySQLConnection> getUpdateableConnections(int userID) {
return getConnections(userID, MySQLConstants.CONNECTION_UPDATE);
}
/**
* Find the list of all connections a user has permission to read.
* @param userID
* @return the list of all connections this user has read access to
*/
public Set<MySQLConnection> getReadableConnections(int userID) {
return getConnections(userID, MySQLConstants.CONNECTION_READ);
}
/**
* Find the list of all connections a user has permission to.
* The access type is defined by permissionType.
* @param connectionID
* @param permissionType
* @return the list of all connections this user has access to
*/
@Deprecated /* FIXME: Totally useless (we only ever need identifiers, and querying ALL CONNECTION DATA will take ages) */
private Set<MySQLConnection> getConnections(int userID, String permissionType) {
Set<Integer> affectedConnectionIDs = getConnectionIDs(userID, permissionType);
return new HashSet<MySQLConnection>(
connectionService.retrieveConnectionsByID(Lists.newArrayList(affectedConnectionIDs)));
}
/**
* Find the list of the IDs of all connections a user has permission to.
* The access type is defined by permissionType.
* @param connectionID
* @param permissionType
* @return the list of all connection IDs this user has access to
*
* @param userID The ID of the user to check.
* @param permissionType The type of permission to check for.
* @return A list of all connection IDs this user has the specified access
* to.
*/
private Set<Integer> getConnectionIDs(int userID, String permissionType) {
Set<Integer> connectionIDs = new HashSet<Integer>();
public List<Integer> retrieveConnectionIDs(int userID,
String permissionType) {
// Query all connection permissions for the given user and permission type
ConnectionPermissionExample example = new ConnectionPermissionExample();
example.createCriteria().andUser_idEqualTo(userID).andPermissionEqualTo(permissionType);
List<ConnectionPermissionKey> connectionPermissions = connectionPermissionDAO.selectByExample(example);
example.setDistinct(true);
List<ConnectionPermissionKey> connectionPermissions =
connectionPermissionDAO.selectByExample(example);
// Convert result into list of IDs
List<Integer> connectionIDs = new ArrayList<Integer>(connectionPermissions.size());
for(ConnectionPermissionKey permission : connectionPermissions)
connectionIDs.add(permission.getConnection_id());
return connectionIDs;
}
public void verifyCreateUserPermission(int userID) throws GuacamoleSecurityException {
if(!checkCreateUserPermission(userID))
throw new GuacamoleSecurityException("User " + userID + " does not have permission to create users.");
}
public void verifyCreateConnectionPermission(int userID) throws GuacamoleSecurityException {
if(!checkCreateConnectionPermission(userID))
throw new GuacamoleSecurityException("User " + userID + " does not have permission to create connections.");
}
/**
* Check if the user has the permission to create users.
* @param userID
* @return
* Retrieves all user permissions granted to the user having the given ID.
*
* @param userID The ID of the user to retrieve permissions of.
* @return A set of all user permissions granted to the user having the
* given ID.
*/
public boolean checkCreateUserPermission(int userID) {
return checkSystemPermission(userID, MySQLConstants.SYSTEM_USER_CREATE);
}
public Set<UserPermission> retrieveUserPermissions(int userID) {
/**
* Check if the user has the permission to create connections.
* @param userID
* @return
*/
public boolean checkCreateConnectionPermission(int userID) {
return checkSystemPermission(userID, MySQLConstants.SYSTEM_CONNECTION_CREATE);
}
// Set of all permissions
Set<UserPermission> permissions = new HashSet<UserPermission>();
/**
* Check if the user has the selected system permission.
* @param userID
* @param systemPermissionType
* @return
*/
private boolean checkSystemPermission(int userID, String systemPermissionType) {
SystemPermissionExample example = new SystemPermissionExample();
example.createCriteria().andUser_idEqualTo(userID).andPermissionEqualTo(systemPermissionType);
int count = systemPermissionDAO.countByExample(example);
return count > 0;
}
/**
* Get all permissions a given user has.
* @param userID
* @return all permissions a user has.
*/
public Set<Permission> getAllPermissions(int userID) {
Set<Permission> allPermissions = new HashSet<Permission>();
// First, user permissions
// Query all user permissions
UserPermissionExample userPermissionExample = new UserPermissionExample();
userPermissionExample.createCriteria().andUser_idEqualTo(userID);
List<UserPermissionKey> userPermissions =
userPermissionDAO.selectByExample(userPermissionExample);
// If user permissions present, add permissions
if (!userPermissions.isEmpty()) {
// Get list of affected user IDs
List<Integer> affectedUserIDs = new ArrayList<Integer>();
for(UserPermissionKey userPermission : userPermissions)
affectedUserIDs.add(userPermission.getAffected_user_id());
// Query all affected users, store in map indexed by user ID
List<MySQLUser> users = userService.retrieveUsersByID(affectedUserIDs);
Map<Integer, MySQLUser> userMap = new HashMap<Integer, MySQLUser>();
for (MySQLUser user : users)
userMap.put(user.getUserID(), user);
// Get corresponding usernames
Map<Integer, String> affectedUsers =
userService.retrieveUsernames(affectedUserIDs);
// Add user permissions
for(UserPermissionKey userPermission : userPermissions) {
MySQLUser affectedUser = userMap.get(userPermission.getAffected_user_id());
UserPermission newPermission = new UserPermission(
// Construct permission from data
UserPermission permission = new UserPermission(
UserPermission.Type.valueOf(userPermission.getPermission()),
affectedUser.getUsername()
affectedUsers.get(userPermission.getUser_id())
);
allPermissions.add(newPermission);
}
// Add to set
permissions.add(permission);
}
// Secondly, connection permissions
return permissions;
}
/**
* Retrieves all connection permissions granted to the user having the
* given ID.
*
* @param userID The ID of the user to retrieve permissions of.
* @return A set of all user permissions granted to the user having the
* given ID.
*/
public Set<ConnectionPermission> retrieveConnectionPermissions(int userID) {
// Set of all permissions
Set<ConnectionPermission> permissions = new HashSet<ConnectionPermission>();
// Query all connection permissions
ConnectionPermissionExample connectionPermissionExample = new ConnectionPermissionExample();
connectionPermissionExample.createCriteria().andUser_idEqualTo(userID);
List<ConnectionPermissionKey> connectionPermissions =
connectionPermissionDAO.selectByExample(connectionPermissionExample);
// If connection permissions present, add permissions
if (!connectionPermissions.isEmpty()) {
// Get list of affected connection IDs
List<Integer> affectedConnectionIDs = new ArrayList<Integer>();
List<Integer> connectionIDs = new ArrayList<Integer>();
for(ConnectionPermissionKey connectionPermission : connectionPermissions)
affectedConnectionIDs.add(connectionPermission.getConnection_id());
connectionIDs.add(connectionPermission.getConnection_id());
// Query connections, store in map indexed by connection ID
List<MySQLConnection> connections =
connectionService.retrieveConnectionsByID(affectedConnectionIDs);
Map<Integer, MySQLConnection> connectionMap = new HashMap<Integer, MySQLConnection>();
for(MySQLConnection connection : connections)
connectionMap.put(connection.getConnectionID(), connection);
// Get corresponding names
Map<Integer, String> affectedUsers =
connectionService.retrieveNames(connectionIDs);
// Add connection permissions
for(ConnectionPermissionKey connectionPermission : connectionPermissions) {
MySQLConnection affectedConnection =
connectionMap.get(connectionPermission.getConnection_id());
ConnectionPermission newPermission = new ConnectionPermission(
// Construct permission from data
ConnectionPermission permission = new ConnectionPermission(
ConnectionPermission.Type.valueOf(connectionPermission.getPermission()),
affectedConnection.getIdentifier()
affectedUsers.get(connectionPermission.getUser_id())
);
allPermissions.add(newPermission);
}
// Add to set
permissions.add(permission);
}
return permissions;
}
/**
* Retrieves all permissions granted to the user having the given ID.
*
* @param userID The ID of the user to retrieve permissions of.
* @return A set of all permissions granted to the user having the given
* ID.
*/
public Set<Permission> retrieveAllPermissions(int userID) {
// Set which will contain all permissions
Set<Permission> allPermissions = new HashSet<Permission>();
// Add user permissions
allPermissions.addAll(retrieveUserPermissions(userID));
// Add connection permissions
allPermissions.addAll(retrieveConnectionPermissions(userID));
// TODO: Move to retrieveSystemPermissions()
// And finally, system permissions
SystemPermissionExample systemPermissionExample = new SystemPermissionExample();
systemPermissionExample.createCriteria().andUser_idEqualTo(userID);
@@ -841,4 +391,5 @@ public class PermissionCheckService {
return allPermissions;
}
}

133
extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/UserService.java
View File

@@ -39,9 +39,10 @@ package net.sourceforge.guacamole.net.auth.mysql.service;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.sourceforge.guacamole.GuacamoleException;
import net.sourceforge.guacamole.net.auth.Credentials;
import net.sourceforge.guacamole.net.auth.User;
@@ -143,7 +144,7 @@ public class UserService {
user.getUser_id(),
user.getUsername(),
null,
permissionCheckService.getAllPermissions(user.getUser_id())
permissionCheckService.retrieveAllPermissions(user.getUser_id())
);
// Return new user
@@ -171,60 +172,6 @@ public class UserService {
}
/**
* Retrieves the users having the given IDs from the database.
*
* @param ids The IDs of the users to retrieve.
* @return A list of existing MySQLUser objects.
*/
public List<MySQLUser> retrieveUsersByID(List<Integer> ids) {
// If no IDs given, just return empty list
if (ids.isEmpty())
return Collections.EMPTY_LIST;
// Query users by ID
UserExample example = new UserExample();
example.createCriteria().andUser_idIn(ids);
List<UserWithBLOBs> users = userDAO.selectByExampleWithBLOBs(example);
// Convert to MySQLUser list
List<MySQLUser> mySQLUsers = new ArrayList<MySQLUser>(users.size());
for (UserWithBLOBs user : users)
mySQLUsers.add(toMySQLUser(user));
// Return found users
return mySQLUsers;
}
/**
* Retrieves the users having the given usernames from the database.
*
* @param names The usernames of the users to retrieve.
* @return A list of existing MySQLUser objects.
*/
public List<MySQLUser> retrieveUsersByUsername(List<String> names) {
// If no names given, just return empty list
if (names.isEmpty())
return Collections.EMPTY_LIST;
// Query users by ID
UserExample example = new UserExample();
example.createCriteria().andUsernameIn(names);
List<UserWithBLOBs> users = userDAO.selectByExampleWithBLOBs(example);
// Convert to MySQLUser list
List<MySQLUser> mySQLUsers = new ArrayList<MySQLUser>(users.size());
for (UserWithBLOBs user : users)
mySQLUsers.add(toMySQLUser(user));
// Return found users
return mySQLUsers;
}
/**
* Retrieves the user having the given username from the database.
*
@@ -286,6 +233,66 @@ public class UserService {
}
/**
* Retrieves a translation map of usernames to their corresponding IDs.
*
* @param ids The IDs of the users to retrieve the usernames of.
* @return A map containing the names of all users and their corresponding
* IDs.
*/
public Map<String, Integer> translateUsernames(List<Integer> ids) {
// If no IDs given, just return empty map
if (ids.isEmpty())
return Collections.EMPTY_MAP;
// Map of all names onto their corresponding IDs
Map<String, Integer> names = new HashMap<String, Integer>();
// Get all users having the given IDs
UserExample example = new UserExample();
example.createCriteria().andUser_idIn(ids);
List<net.sourceforge.guacamole.net.auth.mysql.model.User> users =
userDAO.selectByExample(example);
// Produce set of names
for (net.sourceforge.guacamole.net.auth.mysql.model.User user : users)
names.put(user.getUsername(), user.getUser_id());
return names;
}
/**
* Retrieves a map of all usernames for the given IDs.
*
* @param ids The IDs of the users to retrieve the usernames of.
* @return A map containing the names of all users and their corresponding
* IDs.
*/
public Map<Integer, String> retrieveUsernames(List<Integer> ids) {
// If no IDs given, just return empty map
if (ids.isEmpty())
return Collections.EMPTY_MAP;
// Map of all names onto their corresponding IDs
Map<Integer, String> names = new HashMap<Integer, String>();
// Get all users having the given IDs
UserExample example = new UserExample();
example.createCriteria().andUser_idIn(ids);
List<net.sourceforge.guacamole.net.auth.mysql.model.User> users =
userDAO.selectByExample(example);
// Produce set of names
for (net.sourceforge.guacamole.net.auth.mysql.model.User user : users)
names.put(user.getUser_id(), user.getUsername());
return names;
}
/**
* Creates a new user having the given username and password.
*
@@ -315,21 +322,13 @@ public class UserService {
}
/**
* Deletes the user having the given username from the database.
* @param username The username of the user to delete.
* Deletes the user having the given ID from the database.
* @param user_id The ID of the user to delete.
*/
public void deleteUser(String username) {
// Get specified user
MySQLUser mySQLUser = retrieveUser(username);
int user_id = mySQLUser.getUserID();
// Delete the user in the database
public void deleteUser(int user_id) {
userDAO.deleteByPrimaryKey(user_id);
}
/**
* Updates the user in the database corresponding to the given MySQLUser.
*