1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, 13 * software distributed under the License is distributed on an 14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 * KIND, either express or implied. See the License for the 16 * specific language governing permissions and limitations 17 * under the License. 18 */ 19 20 package org.apache.guacamole.rest.permission; 21 22 import java.util.EnumSet; 23 import java.util.HashMap; 24 import java.util.Map; 25 import java.util.Set; 26 import org.apache.guacamole.GuacamoleException; 27 import org.apache.guacamole.net.auth.Permissions; 28 import org.apache.guacamole.net.auth.permission.ObjectPermission; 29 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; 30 import org.apache.guacamole.net.auth.permission.SystemPermission; 31 import org.apache.guacamole.net.auth.permission.SystemPermissionSet; 32 33 /** 34 * The set of permissions which are granted to a specific user or user group, 35 * organized by object type and, if applicable, identifier. This object can be 36 * constructed with arbitrary permissions present, or manipulated after creation 37 * through the manipulation or replacement of its collections of permissions, 38 * but is otherwise not intended for internal use as a data structure for 39 * permissions. Its primary purpose is as a hierarchical format for exchanging 40 * granted permissions with REST clients. 41 */ 42 public class APIPermissionSet { 43 44 /** 45 * Map of connection ID to the set of granted permissions. 46 */ 47 private Map<String, Set<ObjectPermission.Type>> connectionPermissions = 48 new HashMap<String, Set<ObjectPermission.Type>>(); 49 50 /** 51 * Map of connection group ID to the set of granted permissions. 52 */ 53 private Map<String, Set<ObjectPermission.Type>> connectionGroupPermissions = 54 new HashMap<String, Set<ObjectPermission.Type>>(); 55 56 /** 57 * Map of sharing profile ID to the set of granted permissions. 58 */ 59 private Map<String, Set<ObjectPermission.Type>> sharingProfilePermissions = 60 new HashMap<String, Set<ObjectPermission.Type>>(); 61 62 /** 63 * Map of active connection ID to the set of granted permissions. 64 */ 65 private Map<String, Set<ObjectPermission.Type>> activeConnectionPermissions = 66 new HashMap<String, Set<ObjectPermission.Type>>(); 67 68 /** 69 * Map of user ID to the set of granted permissions. 70 */ 71 private Map<String, Set<ObjectPermission.Type>> userPermissions = 72 new HashMap<String, Set<ObjectPermission.Type>>(); 73 74 /** 75 * Map of user group ID to the set of granted permissions. 76 */ 77 private Map<String, Set<ObjectPermission.Type>> userGroupPermissions = 78 new HashMap<String, Set<ObjectPermission.Type>>(); 79 80 /** 81 * Set of all granted system-level permissions. 82 */ 83 private Set<SystemPermission.Type> systemPermissions = 84 EnumSet.noneOf(SystemPermission.Type.class); 85 86 /** 87 * Creates a new permission set which contains no granted permissions. Any 88 * permissions must be added by manipulating or replacing the applicable 89 * permission collection. 90 */ APIPermissionSet()91 public APIPermissionSet() { 92 } 93 94 /** 95 * Adds the system permissions from the given SystemPermissionSet to the 96 * Set of system permissions provided. 97 * 98 * @param permissions 99 * The Set to add system permissions to. 100 * 101 * @param permSet 102 * The SystemPermissionSet containing the system permissions to add. 103 * 104 * @throws GuacamoleException 105 * If an error occurs while retrieving system permissions from the 106 * SystemPermissionSet. 107 */ addSystemPermissions(Set<SystemPermission.Type> permissions, SystemPermissionSet permSet)108 private void addSystemPermissions(Set<SystemPermission.Type> permissions, 109 SystemPermissionSet permSet) throws GuacamoleException { 110 111 // Add all provided system permissions 112 for (SystemPermission permission : permSet.getPermissions()) 113 permissions.add(permission.getType()); 114 115 } 116 117 /** 118 * Adds the object permissions from the given ObjectPermissionSet to the 119 * Map of object permissions provided. 120 * 121 * @param permissions 122 * The Map to add object permissions to. 123 * 124 * @param permSet 125 * The ObjectPermissionSet containing the object permissions to add. 126 * 127 * @throws GuacamoleException 128 * If an error occurs while retrieving object permissions from the 129 * ObjectPermissionSet. 130 */ addObjectPermissions(Map<String, Set<ObjectPermission.Type>> permissions, ObjectPermissionSet permSet)131 private void addObjectPermissions(Map<String, Set<ObjectPermission.Type>> permissions, 132 ObjectPermissionSet permSet) throws GuacamoleException { 133 134 // Add all provided object permissions 135 for (ObjectPermission permission : permSet.getPermissions()) { 136 137 // Get associated set of permissions 138 String identifier = permission.getObjectIdentifier(); 139 Set<ObjectPermission.Type> objectPermissions = permissions.get(identifier); 140 141 // Create new set if none yet exists 142 if (objectPermissions == null) 143 permissions.put(identifier, EnumSet.of(permission.getType())); 144 145 // Otherwise add to existing set 146 else 147 objectPermissions.add(permission.getType()); 148 149 } 150 151 } 152 153 /** 154 * Creates a new permission set containing all permissions currently 155 * granted within the given Permissions object. 156 * 157 * @param permissions 158 * The permissions that should be stored within this permission set. 159 * 160 * @throws GuacamoleException 161 * If an error occurs while retrieving the permissions. 162 */ APIPermissionSet(Permissions permissions)163 public APIPermissionSet(Permissions permissions) throws GuacamoleException { 164 165 // Add all permissions from the provided user 166 addSystemPermissions(systemPermissions, permissions.getSystemPermissions()); 167 addObjectPermissions(connectionPermissions, permissions.getConnectionPermissions()); 168 addObjectPermissions(connectionGroupPermissions, permissions.getConnectionGroupPermissions()); 169 addObjectPermissions(sharingProfilePermissions, permissions.getSharingProfilePermissions()); 170 addObjectPermissions(activeConnectionPermissions, permissions.getActiveConnectionPermissions()); 171 addObjectPermissions(userPermissions, permissions.getUserPermissions()); 172 addObjectPermissions(userGroupPermissions, permissions.getUserGroupPermissions()); 173 174 } 175 176 /** 177 * Returns a map of connection IDs to the set of permissions granted for 178 * that connection. If no permissions are granted to a particular 179 * connection, its ID will not be present as a key in the map. This map is 180 * mutable, and changes to this map will affect the permission set 181 * directly. 182 * 183 * @return 184 * A map of connection IDs to the set of permissions granted for that 185 * connection. 186 */ getConnectionPermissions()187 public Map<String, Set<ObjectPermission.Type>> getConnectionPermissions() { 188 return connectionPermissions; 189 } 190 191 /** 192 * Returns a map of connection group IDs to the set of permissions granted 193 * for that connection group. If no permissions are granted to a particular 194 * connection group, its ID will not be present as a key in the map. This 195 * map is mutable, and changes to this map will affect the permission set 196 * directly. 197 * 198 * @return 199 * A map of connection group IDs to the set of permissions granted for 200 * that connection group. 201 */ getConnectionGroupPermissions()202 public Map<String, Set<ObjectPermission.Type>> getConnectionGroupPermissions() { 203 return connectionGroupPermissions; 204 } 205 206 /** 207 * Returns a map of sharing profile identifiers to the set of permissions 208 * granted for that sharing profile. If no permissions are granted to a 209 * particular sharing profile, its identifier will not be present as a key 210 * in the map. This map is mutable, and changes to this map will affect the 211 * permission set directly. 212 * 213 * @return 214 * A map of sharing profile identifiers to the set of permissions 215 * granted for that sharing profile. 216 */ getSharingProfilePermissions()217 public Map<String, Set<ObjectPermission.Type>> getSharingProfilePermissions() { 218 return sharingProfilePermissions; 219 } 220 221 /** 222 * Returns a map of active connection IDs to the set of permissions granted 223 * for that active connection. If no permissions are granted to a particular 224 * active connection, its ID will not be present as a key in the map. This 225 * map is mutable, and changes to this map will affect the permission set 226 * directly. 227 * 228 * @return 229 * A map of active connection IDs to the set of permissions granted for 230 * that active connection. 231 */ getActiveConnectionPermissions()232 public Map<String, Set<ObjectPermission.Type>> getActiveConnectionPermissions() { 233 return activeConnectionPermissions; 234 } 235 236 /** 237 * Returns a map of user IDs to the set of permissions granted for that 238 * user. If no permissions are granted for a particular user, its ID will 239 * not be present as a key in the map. This map is mutable, and changes to 240 * to this map will affect the permission set directly. 241 * 242 * @return 243 * A map of user IDs to the set of permissions granted for that user. 244 */ getUserPermissions()245 public Map<String, Set<ObjectPermission.Type>> getUserPermissions() { 246 return userPermissions; 247 } 248 249 /** 250 * Returns a map of user group IDs to the set of permissions granted for 251 * that user group. If no permissions are granted for a particular user 252 * group, its ID will not be present as a key in the map. This map is 253 * mutable, and changes to to this map will affect the permission set 254 * directly. 255 * 256 * @return 257 * A map of user IDs to the set of permissions granted for that user. 258 */ getUserGroupPermissions()259 public Map<String, Set<ObjectPermission.Type>> getUserGroupPermissions() { 260 return userGroupPermissions; 261 } 262 263 /** 264 * Returns the set of granted system-level permissions. If no permissions 265 * are granted at the system level, this will be an empty set. This set is 266 * mutable, and changes to this set will affect the permission set 267 * directly. 268 * 269 * @return 270 * The set of granted system-level permissions. 271 */ getSystemPermissions()272 public Set<SystemPermission.Type> getSystemPermissions() { 273 return systemPermissions; 274 } 275 276 /** 277 * Replaces the current map of connection permissions with the given map, 278 * which must map connection ID to its corresponding set of granted 279 * permissions. If a connection has no permissions, its ID must not be 280 * present as a key in the map. 281 * 282 * @param connectionPermissions 283 * The map which must replace the currently-stored map of permissions. 284 */ setConnectionPermissions(Map<String, Set<ObjectPermission.Type>> connectionPermissions)285 public void setConnectionPermissions(Map<String, Set<ObjectPermission.Type>> connectionPermissions) { 286 this.connectionPermissions = connectionPermissions; 287 } 288 289 /** 290 * Replaces the current map of connection group permissions with the given 291 * map, which must map connection group ID to its corresponding set of 292 * granted permissions. If a connection group has no permissions, its ID 293 * must not be present as a key in the map. 294 * 295 * @param connectionGroupPermissions 296 * The map which must replace the currently-stored map of permissions. 297 */ setConnectionGroupPermissions(Map<String, Set<ObjectPermission.Type>> connectionGroupPermissions)298 public void setConnectionGroupPermissions(Map<String, Set<ObjectPermission.Type>> connectionGroupPermissions) { 299 this.connectionGroupPermissions = connectionGroupPermissions; 300 } 301 302 /** 303 * Replaces the current map of sharing profile permissions with the given 304 * map, which must map each sharing profile identifier to its corresponding 305 * set of granted permissions. If a sharing profile has no permissions, its 306 * identifier must not be present as a key in the map. 307 * 308 * @param sharingProfilePermissions 309 * The map which must replace the currently-stored map of permissions. 310 */ setSharingProfilePermissions(Map<String, Set<ObjectPermission.Type>> sharingProfilePermissions)311 public void setSharingProfilePermissions(Map<String, Set<ObjectPermission.Type>> sharingProfilePermissions) { 312 this.sharingProfilePermissions = sharingProfilePermissions; 313 } 314 315 /** 316 * Replaces the current map of active connection permissions with the give 317 * map, which must map active connection ID to its corresponding set of 318 * granted permissions. If an active connection has no permissions, its ID 319 * must not be present as a key in the map. 320 * 321 * @param activeConnectionPermissions 322 * The map which must replace the currently-stored map of permissions. 323 */ setActiveConnectionPermissions(Map<String, Set<ObjectPermission.Type>> activeConnectionPermissions)324 public void setActiveConnectionPermissions(Map<String, Set<ObjectPermission.Type>> activeConnectionPermissions) { 325 this.activeConnectionPermissions = activeConnectionPermissions; 326 } 327 328 /** 329 * Replaces the current map of user permissions with the given map, which 330 * must map user ID to its corresponding set of granted permissions. If a 331 * user has no permissions, its ID must not be present as a key in the map. 332 * 333 * @param userPermissions 334 * The map which must replace the currently-stored map of permissions. 335 */ setUserPermissions(Map<String, Set<ObjectPermission.Type>> userPermissions)336 public void setUserPermissions(Map<String, Set<ObjectPermission.Type>> userPermissions) { 337 this.userPermissions = userPermissions; 338 } 339 340 /** 341 * Replaces the current map of user group permissions with the given map, 342 * which must map user group ID to its corresponding set of granted 343 * permissions. If a user group has no permissions, its ID must not be 344 * present as a key in the map. 345 * 346 * @param userGroupPermissions 347 * The map which must replace the currently-stored map of permissions. 348 */ setUserGroupPermissions(Map<String, Set<ObjectPermission.Type>> userGroupPermissions)349 public void setUserGroupPermissions(Map<String, Set<ObjectPermission.Type>> userGroupPermissions) { 350 this.userGroupPermissions = userGroupPermissions; 351 } 352 353 /** 354 * Replaces the current set of system-level permissions with the given set. 355 * If no system-level permissions are granted, the empty set must be 356 * specified. 357 * 358 * @param systemPermissions 359 * The set which must replace the currently-stored set of permissions. 360 */ setSystemPermissions(Set<SystemPermission.Type> systemPermissions)361 public void setSystemPermissions(Set<SystemPermission.Type> systemPermissions) { 362 this.systemPermissions = systemPermissions; 363 } 364 365 } 366