From f32dbac4586572eb381b84c2b5b9f21227dbafa4 Mon Sep 17 00:00:00 2001 From: Michael Jumper Date: Sat, 20 Aug 2016 18:23:34 -0700 Subject: [PATCH] GUACAMOLE-81: Enforce parent/child permissions between SharingProfile and Connection. --- .../sharingprofile/ModeledSharingProfile.java | 8 ++--- .../sharingprofile/SharingProfileMapper.java | 4 +-- .../sharingprofile/SharingProfileModel.java | 34 ++----------------- .../sharingprofile/SharingProfileService.java | 17 +++++++--- .../sharingprofile/SharingProfileMapper.xml | 12 +++---- .../sharingprofile/SharingProfileMapper.xml | 12 +++---- 6 files changed, 33 insertions(+), 54 deletions(-) diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java index 318efedb4..a300c23a4 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/ModeledSharingProfile.java @@ -23,7 +23,7 @@ import com.google.inject.Inject; import java.util.Collection; import java.util.Collections; import java.util.Map; -import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObject; +import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObject; import org.apache.guacamole.form.Form; import org.apache.guacamole.net.auth.SharingProfile; @@ -34,7 +34,7 @@ import org.apache.guacamole.net.auth.SharingProfile; * @author Michael Jumper */ public class ModeledSharingProfile - extends ModeledDirectoryObject + extends ModeledChildDirectoryObject implements SharingProfile { /** 
@@ -72,12 +72,12 @@ public class ModeledSharingProfile @Override public String getPrimaryConnectionIdentifier() { - return getModel().getPrimaryConnectionIdentifier(); + return getModel().getParentIdentifier(); } @Override public void setPrimaryConnectionIdentifier(String identifier) { - getModel().setPrimaryConnectionIdentifier(identifier); + getModel().setParentIdentifier(identifier); } @Override diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java index 7cd962e61..f2904804a 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.java @@ -35,7 +35,7 @@ public interface SharingProfileMapper * and having the given name. If no such sharing profile exists, null is * returned. * - * @param primaryConnectionIdentifier + * @param parentIdentifier * The identifier of the primary connection to search against. * * @param name @@ -46,7 +46,7 @@ public interface SharingProfileMapper * given primary connection, or null if no such sharing profile exists. */ SharingProfileModel selectOneByName( - @Param("primaryConnectionIdentifier") String primaryConnectionIdentifier, + @Param("parentIdentifier") String parentIdentifier, @Param("name") String name); } \ No newline at end of file 
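Review bot: `getPrimaryConnectionIdentifier()` and `setPrimaryConnectionIdentifier()` in ModeledSharingProfile now read and write the model's parent identifier, and nothing in the hunk tells a maintainer that this aliasing is what makes the connection the permission parent. I would add a comment to both methods, for example `// The primary connection is stored as the parent identifier, so parent permission checks apply to it`. Without it, a later change that gives the primary connection its own field again could drop the parent/child enforcement with no obvious signal. The class body continues outside the hunk.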
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java index 939884b6d..bf286de75 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileModel.java @@ -19,7 +19,7 @@ package org.apache.guacamole.auth.jdbc.sharingprofile; -import org.apache.guacamole.auth.jdbc.base.ObjectModel; +import org.apache.guacamole.auth.jdbc.base.ChildObjectModel; /** * Object representation of a Guacamole sharing profile, as represented in the @@ -27,19 +27,13 @@ import org.apache.guacamole.auth.jdbc.base.ObjectModel; * * @author Michael Jumper */ -public class SharingProfileModel extends ObjectModel { +public class SharingProfileModel extends ChildObjectModel { /** * The human-readable name associated with this sharing profile. */ private String name; - /** - * The identifier of the primary connection associated with this - * sharing profile. - */ - private String primaryConnectionIdentifier; - /** * Creates a new, empty sharing profile. */ 
@@ -66,30 +60,6 @@ public class SharingProfileModel extends ObjectModel { this.name = name; } - /** - * Returns the identifier of the primary connection associated with this - * sharing profile. - * - * @return - * The identifier of the primary connection associated with this - * sharing profile. - */ - public String getPrimaryConnectionIdentifier() { - return primaryConnectionIdentifier; - } - - /** - * Sets the identifier of the primary connection associated with this - * sharing profile. - * - * @param primaryConnectionIdentifier - * The identifier of the primary connection associated with this - * sharing profile. - */ - public void setPrimaryConnectionIdentifier(String primaryConnectionIdentifier) { - this.primaryConnectionIdentifier = primaryConnectionIdentifier; - } - @Override public String getIdentifier() { diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java index 907a3a945..bf07a13d2 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileService.java 
@@ -29,7 +29,7 @@ import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper; import org.apache.guacamole.GuacamoleClientException; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectService; +import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObjectService; import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionMapper; import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionMapper; import org.apache.guacamole.net.auth.SharingProfile; @@ -45,7 +45,7 @@ import org.apache.guacamole.net.auth.permission.SystemPermissionSet; * @author Michael Jumper */ public class SharingProfileService - extends ModeledDirectoryObjectService { /** @@ -128,6 +128,15 @@ public class SharingProfileService } + @Override + protected ObjectPermissionSet getParentPermissionSet(ModeledAuthenticatedUser user) + throws GuacamoleException { + + // Sharing profiles are children of connections + return user.getUser().getConnectionPermissions(); + + } + @Override protected void beforeCreate(ModeledAuthenticatedUser user, SharingProfileModel model) throws GuacamoleException { @@ -139,7 +148,7 @@ public class SharingProfileService throw new GuacamoleClientException("Sharing profile names must not be blank."); // Do not attempt to create duplicate sharing profiles - SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getPrimaryConnectionIdentifier(), model.getName()); + SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getParentIdentifier(), model.getName()); if (existing != null) throw new GuacamoleClientException("The sharing profile \"" + model.getName() + "\" already exists."); 
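Review bot: The new `getParentPermissionSet` override in SharingProfileService has no Javadoc, and its one-line comment does not say which permission on the parent connection is required. This method now supplies the permission set used for the parent/child check, so it should carry a short Javadoc stating that it returns the user's connection permissions because the primary connection is the parent. The Javadoc should also say that the required permission type is decided by ModeledChildDirectoryObjectService, which is not part of this diff. Because that enforcement is outside the diff, a test that a user lacking permission on a connection cannot create or re-parent a sharing profile under it would make the intended guarantee explicit.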
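Review bot: In `beforeCreate`, the duplicate-name lookup `selectOneByName(model.getParentIdentifier(), model.getName())` uses the parent identifier from the submitted model, and the "already exists" error tells the caller whether that name is present under that connection. The start of the method is outside the hunk, so it is not visible whether the parent permission check (presumably in the superclass `beforeCreate`) runs before this query. If it does not, it should run first, so that a user without permission on the connection gets a permission error rather than a name-existence answer. The same applies to the lookup in `beforeUpdate` in the following hunk. The visible lines also do not reject a null or blank parent identifier before it reaches the mapper.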
@@ -156,7 +165,7 @@ public class SharingProfileService throw new GuacamoleClientException("Sharing profile names must not be blank."); // Check whether such a sharing profile is already present - SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getPrimaryConnectionIdentifier(), model.getName()); + SharingProfileModel existing = sharingProfileMapper.selectOneByName(model.getParentIdentifier(), model.getName()); if (existing != null) { // If the specified name matches a DIFFERENT existing sharing profile, the update cannot continue diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml index 7614574c8..49bb337e1 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml @@ -25,9 +25,9 @@ - - - + + + @@ -89,7 +89,7 @@ primary_connection_id FROM guacamole_sharing_profile WHERE - primary_connection_id = #{primaryConnectionIdentifier,jdbcType=VARCHAR} + primary_connection_id = #{parentIdentifier,jdbcType=VARCHAR} AND sharing_profile_name = #{name,jdbcType=VARCHAR} @@ -110,7 +110,7 @@ ) VALUES ( #{object.name,jdbcType=VARCHAR}, - #{object.primaryConnectionIdentifier,jdbcType=VARCHAR} + #{object.parentIdentifier,jdbcType=VARCHAR} ) 
@@ -119,7 +119,7 @@ UPDATE guacamole_sharing_profile SET sharing_profile_name = #{object.name,jdbcType=VARCHAR}, - primary_connection_id = #{object.primaryConnectionIdentifier,jdbcType=VARCHAR} + primary_connection_id = #{object.parentIdentifier,jdbcType=VARCHAR} WHERE sharing_profile_id = #{object.objectID,jdbcType=INTEGER} diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml index 36a3beb5d..0af493751 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml @@ -25,9 +25,9 @@ - - - + + + @@ -89,7 +89,7 @@ primary_connection_id FROM guacamole_sharing_profile WHERE - primary_connection_id = #{primaryConnectionIdentifier,jdbcType=INTEGER}::integer + primary_connection_id = #{parentIdentifier,jdbcType=INTEGER}::integer AND sharing_profile_name = #{name,jdbcType=VARCHAR} @@ -110,7 +110,7 @@ ) VALUES ( #{object.name,jdbcType=VARCHAR}, - #{object.primaryConnectionIdentifier,jdbcType=INTEGER}::integer + #{object.parentIdentifier,jdbcType=INTEGER}::integer ) @@ -119,7 +119,7 @@ UPDATE guacamole_sharing_profile SET sharing_profile_name = #{object.name,jdbcType=VARCHAR}, - primary_connection_id = #{object.primaryConnectionIdentifier,jdbcType=INTEGER}::integer + primary_connection_id = #{object.parentIdentifier,jdbcType=INTEGER}::integer WHERE sharing_profile_id = #{object.objectID,jdbcType=INTEGER}::integer