[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user mike-jumper commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220426560 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/pom.xml --- @@ -109,33 +109,33 @@ org.mybatis mybatis -3.2.8 +3.4.6 --- End diff -- 1.8 may be worth considering across the board. The old discussion is here: https://lists.apache.org/thread.html/874edd3a19b0cf0302cbb56f2406f6050cf4296dc31703aa34b30be6@%3Cdev.guacamole.apache.org%3E I'm still antsy about requiring newer Java for guacamole-common, but we should be safe for the other parts of the webapp and stack. ---
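Review bot: the bump from 3.2.8 to 3.4.6 is the only visible change of the 33 lines this hunk header announces, and nothing in the hunk records the minimum Java target the new release was verified against, which is exactly the 1.6 question this thread keeps returning to. Suggest stating the verified target in the PR description and, if 1.6 stays the floor, having the build enforce it instead of relying on a manual check: the extra-enforcer-rules enforceBytecodeVersion rule fails the build if any dependency ships classes compiled for a newer Java than the configured target, which would answer "does mybatis 3.4.6 still run on 1.6" on every build rather than once.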
[GitHub] guacamole-server pull request #186: GUACAMOLE-623: Add support for attaching...
Github user mike-jumper commented on a diff in the pull request: https://github.com/apache/guacamole-server/pull/186#discussion_r220423721 --- Diff: src/protocols/kubernetes/settings.h --- 
@@ -0,0 +1,279 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +#ifndef GUAC_KUBERNETES_SETTINGS_H +#define GUAC_KUBERNETES_SETTINGS_H + +#include + +#include + +/** + * The name of the font to use for the terminal if no name is specified. + */ +#define GUAC_KUBERNETES_DEFAULT_FONT_NAME "monospace" + +/** + * The size of the font to use for the terminal if no font size is specified, + * in points. + */ +#define GUAC_KUBERNETES_DEFAULT_FONT_SIZE 12 + +/** + * The port to connect to when initiating any Kubernetes connection, if no + * other port is specified. + */ +#define GUAC_KUBERNETES_DEFAULT_PORT 8080 + +/** + * The name of the Kubernetes namespace that should be used by default if no + * specific Kubernetes namespace is provided. + */ +#define GUAC_KUBERNETES_DEFAULT_NAMESPACE "default" + +/** + * The filename to use for the typescript, if not specified. + */ +#define GUAC_KUBERNETES_DEFAULT_TYPESCRIPT_NAME "typescript" + +/** + * The filename to use for the screen recording, if not specified. + */ +#define GUAC_KUBERNETES_DEFAULT_RECORDING_NAME "recording" + +/** + * The default maximum scrollback size in rows. 
+ */ +#define GUAC_KUBERNETES_DEFAULT_MAX_SCROLLBACK 1000 + +/** + * Settings for the Kubernetes connection. The values for this structure are + * parsed from the arguments given during the Guacamole protocol handshake + * using the guac_kubernetes_parse_args() function. + */ +typedef struct guac_kubernetes_settings { + +/** + * The hostname of the Kubernetes server to connect to. + */ +char* hostname; + +/** + * The port of the Kubernetes server to connect to. + */ +int port; + +/** + * The name of the Kubernetes namespace of the pod containing the container + * being attached to. + */ +char* kubernetes_namespace; + +/** + * The name of the Kubernetes pod containing with the container being + * attached to. + */ +char* kubernetes_pod; + +/** + * The name of the container to attach to, or NULL to arbitrarily attach to + * the first container in the pod. + */ +char* kubernetes_container; + +/** + * Whether SSL/TLS should be used. + */ +bool use_ssl; + +/** + * The certificate to use if performing SSL/TLS client authentication to + * authenticate with the Kubernetes server, in PEM format. If omitted, SSL + * client authentication will not be performed. + */ +char* client_cert; + +/** + * The key to use if performing SSL/TLS client authentication to + * authenticate with the Kubernetes server, in PEM format. If omitted, SSL + * client authentication will not be performed. + */ +char* client_key; + +/** + * The certificate of the certificate authority that signed the certificate + * of the Kubernetes server, in PEM format. If omitted. verification of + * the Kubernetes server certificate will use the systemwide certificate + * authorities. + */ +char* ca_cert; + +/** + * Whether the certificate used by the Kubernetes server for SSL/TLS should + * be ignored if it cannot be validated. + */ +bool ignore_cert; + +/** + * Whether this connection is read-only, and user input should be dropped. 
+ */ +bool read_only; + +/** + * The maximum size of the scrollback buffer in rows. + */ +int max_scrollback; + +/** + * Th
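Review bot: the comments for client_cert and client_key each say client authentication is skipped "If omitted", which leaves the case where exactly one of the two is supplied undefined; guac_kubernetes_parse_args() should either reject a certificate without its key (and vice versa) or the comment should state which value wins. For ignore_cert, "should be ignored if it cannot be validated" understates the effect: with it set the server's identity is not verified at all, so the comment should say so explicitly and document the default, so that an operator enabling it knows what is being given up. Two typos in the same struct: "containing with the container" in the kubernetes_pod comment, and "If omitted. verification" in the ca_cert comment should read "If omitted, verification".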
[GitHub] guacamole-server pull request #186: GUACAMOLE-623: Add support for attaching...
Github user mike-jumper commented on a diff in the pull request: https://github.com/apache/guacamole-server/pull/186#discussion_r220423526 --- Diff: src/protocols/kubernetes/settings.h --- 
@@ -0,0 +1,279 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +#ifndef GUAC_KUBERNETES_SETTINGS_H +#define GUAC_KUBERNETES_SETTINGS_H + +#include + +#include + +/** + * The name of the font to use for the terminal if no name is specified. + */ +#define GUAC_KUBERNETES_DEFAULT_FONT_NAME "monospace" + +/** + * The size of the font to use for the terminal if no font size is specified, + * in points. + */ +#define GUAC_KUBERNETES_DEFAULT_FONT_SIZE 12 + +/** + * The port to connect to when initiating any Kubernetes connection, if no + * other port is specified. + */ +#define GUAC_KUBERNETES_DEFAULT_PORT 8080 + +/** + * The name of the Kubernetes namespace that should be used by default if no + * specific Kubernetes namespace is provided. + */ +#define GUAC_KUBERNETES_DEFAULT_NAMESPACE "default" + +/** + * The filename to use for the typescript, if not specified. + */ +#define GUAC_KUBERNETES_DEFAULT_TYPESCRIPT_NAME "typescript" + +/** + * The filename to use for the screen recording, if not specified. + */ +#define GUAC_KUBERNETES_DEFAULT_RECORDING_NAME "recording" + +/** + * The default maximum scrollback size in rows. 
+ */ +#define GUAC_KUBERNETES_DEFAULT_MAX_SCROLLBACK 1000 + +/** + * Settings for the Kubernetes connection. The values for this structure are + * parsed from the arguments given during the Guacamole protocol handshake + * using the guac_kubernetes_parse_args() function. + */ +typedef struct guac_kubernetes_settings { + +/** + * The hostname of the Kubernetes server to connect to. + */ +char* hostname; + +/** + * The port of the Kubernetes server to connect to. + */ +int port; + +/** + * The name of the Kubernetes namespace of the pod containing the container + * being attached to. + */ +char* kubernetes_namespace; + +/** + * The name of the Kubernetes pod containing with the container being + * attached to. + */ +char* kubernetes_pod; + +/** + * The name of the container to attach to, or NULL to arbitrarily attach to + * the first container in the pod. + */ +char* kubernetes_container; + +/** + * Whether SSL/TLS should be used. + */ +bool use_ssl; + +/** + * The certificate to use if performing SSL/TLS client authentication to + * authenticate with the Kubernetes server, in PEM format. If omitted, SSL + * client authentication will not be performed. + */ +char* client_cert; + +/** + * The key to use if performing SSL/TLS client authentication to + * authenticate with the Kubernetes server, in PEM format. If omitted, SSL + * client authentication will not be performed. + */ +char* client_key; + +/** + * The certificate of the certificate authority that signed the certificate + * of the Kubernetes server, in PEM format. If omitted. verification of + * the Kubernetes server certificate will use the systemwide certificate + * authorities. + */ +char* ca_cert; + +/** + * Whether the certificate used by the Kubernetes server for SSL/TLS should + * be ignored if it cannot be validated. + */ +bool ignore_cert; + +/** + * Whether this connection is read-only, and user input should be dropped. 
+ */ +bool read_only; + +/** + * The maximum size of the scrollback buffer in rows. + */ +int max_scrollback; + +/** + * Th
[GitHub] guacamole-server pull request #186: GUACAMOLE-623: Add support for attaching...
Github user jmuehlner commented on a diff in the pull request: https://github.com/apache/guacamole-server/pull/186#discussion_r220423463 --- Diff: src/protocols/kubernetes/settings.h --- 
@@ -0,0 +1,279 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +#ifndef GUAC_KUBERNETES_SETTINGS_H +#define GUAC_KUBERNETES_SETTINGS_H + +#include + +#include + +/** + * The name of the font to use for the terminal if no name is specified. + */ +#define GUAC_KUBERNETES_DEFAULT_FONT_NAME "monospace" + +/** + * The size of the font to use for the terminal if no font size is specified, + * in points. + */ +#define GUAC_KUBERNETES_DEFAULT_FONT_SIZE 12 + +/** + * The port to connect to when initiating any Kubernetes connection, if no + * other port is specified. + */ +#define GUAC_KUBERNETES_DEFAULT_PORT 8080 + +/** + * The name of the Kubernetes namespace that should be used by default if no + * specific Kubernetes namespace is provided. + */ +#define GUAC_KUBERNETES_DEFAULT_NAMESPACE "default" + +/** + * The filename to use for the typescript, if not specified. + */ +#define GUAC_KUBERNETES_DEFAULT_TYPESCRIPT_NAME "typescript" + +/** + * The filename to use for the screen recording, if not specified. + */ +#define GUAC_KUBERNETES_DEFAULT_RECORDING_NAME "recording" + +/** + * The default maximum scrollback size in rows. 
+ */ +#define GUAC_KUBERNETES_DEFAULT_MAX_SCROLLBACK 1000 + +/** + * Settings for the Kubernetes connection. The values for this structure are + * parsed from the arguments given during the Guacamole protocol handshake + * using the guac_kubernetes_parse_args() function. + */ +typedef struct guac_kubernetes_settings { + +/** + * The hostname of the Kubernetes server to connect to. + */ +char* hostname; + +/** + * The port of the Kubernetes server to connect to. + */ +int port; + +/** + * The name of the Kubernetes namespace of the pod containing the container + * being attached to. + */ +char* kubernetes_namespace; + +/** + * The name of the Kubernetes pod containing with the container being + * attached to. + */ +char* kubernetes_pod; + +/** + * The name of the container to attach to, or NULL to arbitrarily attach to + * the first container in the pod. + */ +char* kubernetes_container; + +/** + * Whether SSL/TLS should be used. + */ +bool use_ssl; + +/** + * The certificate to use if performing SSL/TLS client authentication to + * authenticate with the Kubernetes server, in PEM format. If omitted, SSL + * client authentication will not be performed. + */ +char* client_cert; + +/** + * The key to use if performing SSL/TLS client authentication to + * authenticate with the Kubernetes server, in PEM format. If omitted, SSL + * client authentication will not be performed. + */ +char* client_key; + +/** + * The certificate of the certificate authority that signed the certificate + * of the Kubernetes server, in PEM format. If omitted. verification of + * the Kubernetes server certificate will use the systemwide certificate + * authorities. + */ +char* ca_cert; + +/** + * Whether the certificate used by the Kubernetes server for SSL/TLS should + * be ignored if it cannot be validated. + */ +bool ignore_cert; + +/** + * Whether this connection is read-only, and user input should be dropped. 
+ */ +bool read_only; + +/** + * The maximum size of the scrollback buffer in rows. + */ +int max_scrollback; + +/** + * The
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user mike-jumper commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220420011 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml --- @@ -79,7 +79,10 @@ #{record.sharingProfileIdentifier,jdbcType=VARCHAR}, #{record.sharingProfileName,jdbcType=VARCHAR}, (SELECT user_id FROM guacamole_user - WHERE username = #{record.username,jdbcType=VARCHAR}), + JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id --- End diff -- Hm... I'm not sure I know what you mean. What about the code seems that way? ---
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user jmuehlner commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220419865 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/pom.xml --- @@ -109,33 +109,33 @@ org.mybatis mybatis -3.2.8 +3.4.6 --- End diff -- On that note, public updates for Java 1.6 ended in 2013, and public updates for 1.7 ended in 2015. I think maybe it's time to reevaluate our reasons for sticking to 1.6. It's certainly end of life at this point, and upgrading to 1.8 would help us have to worry less about things like this. Are there really a lot of users running Guacamole in environments where the highest available Java version is 1.6? As far as Mybatis 3.46 goes, I had a look at the project POM and the docs, and it's actually not obvious to me how to tell if this supports 1.6 without just building the whole thing and attempting to run it in a 1.6 environment. Maybe we shouldn't care though... ---
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220396450 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-1.0.0.sql --- 
@@ -17,6 +17,319 @@ -- under the License. -- +-- +-- Add new system-level permission +-- + +ALTER TABLE `guacamole_system_permission` +MODIFY `permission` enum('CREATE_CONNECTION', + 'CREATE_CONNECTION_GROUP', + 'CREATE_SHARING_PROFILE', + 'CREATE_USER', + 'CREATE_USER_GROUP', + 'ADMINISTER') NOT NULL; + +-- +-- Table of base entities which may each be either a user or user group. Other +-- tables which represent qualities shared by both users and groups will point +-- to guacamole_entity, while tables which represent qualities specific to +-- users or groups will point to guacamole_user or guacamole_user_group. +-- + +CREATE TABLE `guacamole_entity` ( + + `entity_id` int(11)NOT NULL AUTO_INCREMENT, + `name` varchar(128) NOT NULL, + `type` enum('USER', + 'USER_GROUP') NOT NULL, + + PRIMARY KEY (`entity_id`), + UNIQUE KEY `guacamole_entity_name_scope` (`type`, `name`) + +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- +-- Table of user groups. Each user group may have an arbitrary set of member +-- users and member groups, with those members inheriting the permissions +-- granted to that group. +-- + +CREATE TABLE `guacamole_user_group` ( + + `user_group_id` int(11) NOT NULL AUTO_INCREMENT, + `entity_id` int(11) NOT NULL, + + -- Group disabled status + `disabled` boolean NOT NULL DEFAULT 0, + + PRIMARY KEY (`user_group_id`), + + UNIQUE KEY `guacamole_user_group_single_entity` (`entity_id`), + + CONSTRAINT `guacamole_user_group_entity` +FOREIGN KEY (`entity_id`) +REFERENCES `guacamole_entity` (`entity_id`) +ON DELETE CASCADE + +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- +-- Table of users which are members of given user groups. 
+-- + +CREATE TABLE `guacamole_user_group_member` ( + + `user_group_id`int(11) NOT NULL, + `member_entity_id` int(11) NOT NULL, + + PRIMARY KEY (`user_group_id`, `member_entity_id`), + + -- Parent must be a user group + CONSTRAINT `guacamole_user_group_member_parent_id` +FOREIGN KEY (`user_group_id`) +REFERENCES `guacamole_user_group` (`user_group_id`) ON DELETE CASCADE, + + -- Member may be either a user or a user group (any entity) + CONSTRAINT `guacamole_user_group_member_entity_id` +FOREIGN KEY (`member_entity_id`) +REFERENCES `guacamole_entity` (`entity_id`) ON DELETE CASCADE + +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- +-- Table of user group permissions. Each user group permission grants a user +-- or user group access to a another user group (the "affected" user group) for +-- a specific type of operation. +-- + +CREATE TABLE `guacamole_user_group_permission` ( + + `entity_id` int(11) NOT NULL, + `affected_user_group_id` int(11) NOT NULL, + `permission` enum('READ', +'UPDATE', +'DELETE', +'ADMINISTER') NOT NULL, + + PRIMARY KEY (`entity_id`, `affected_user_group_id`, `permission`), + + CONSTRAINT `guacamole_user_group_permission_affected_user_group` +FOREIGN KEY (`affected_user_group_id`) +REFERENCES `guacamole_user_group` (`user_group_id`) ON DELETE CASCADE, + + CONSTRAINT `guacamole_user_group_permission_entity` +FOREIGN KEY (`entity_id`) +REFERENCES `guacamole_entity` (`entity_id`) ON DELETE CASCADE + +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- +-- Modify guacamole_user table to use guacamole_entity as a base +-- + +-- Add new entity_id column +ALTER TABLE guacamole_user ADD COLUMN entity_id int(11); + +-- Create user entities for each guacamole_user entry +INSERT INTO guacamole_entity (name, type) +SELECT username, 'USER' FROM guacamole_user; + +-- Update guacamole_user to point to corresponding guacamole_entity +UPDATE guacamole_user SET entity_id = ( +SELECT entity_id FROM guacamole_entity +WHERE +username = guacamole_entity.name +AND type = 'USER' 
+); + +-- The entity_id column should now be safely non-NULL +ALTER TABLE guacamole_use
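Review bot: guacamole_user_group_member allows member_entity_id to be any entity, including the group's own entity or one of its ancestors, so nothing in the schema prevents membership cycles (A member of B, B member of A); the code that resolves effective groups must track visited groups or bound the recursion depth, and a test with a cyclic membership is worth adding. The migration's own correctness check is the final ALTER TABLE guacamole_user ... NOT NULL introduced by "-- The entity_id column should now be safely non-NULL", which fails if any user did not receive an entity; since MySQL DDL commits implicitly, a failure partway through leaves the schema half-migrated, so the upgrade notes should tell operators to take a backup first. Minor: missing spaces in "`entity_id` int(11)NOT NULL" and "`user_group_id`int(11)".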
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220395193 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupService.java --- 
@@ -0,0 +1,189 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.usergroup; + +import com.google.inject.Inject; +import com.google.inject.Provider; +import java.util.Collection; +import java.util.Collections; +import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper; +import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectService; +import org.apache.guacamole.GuacamoleClientException; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityMapper; +import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionMapper; +import org.apache.guacamole.auth.jdbc.permission.UserGroupPermissionMapper; +import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; +import org.apache.guacamole.net.auth.UserGroup; +import org.apache.guacamole.net.auth.permission.ObjectPermission; +import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; +import org.apache.guacamole.net.auth.permission.SystemPermission; +import org.apache.guacamole.net.auth.permission.SystemPermissionSet; + +/** + * Service which provides convenience methods for creating, retrieving, and + * manipulating user groups. 
+ */ +public class UserGroupService extends ModeledDirectoryObjectService { + +/** + * Mapper for creating/deleting entities. + */ +@Inject +private EntityMapper entityMapper; + +/** + * Mapper for accessing user groups. + */ +@Inject +private UserGroupMapper userGroupMapper; + +/** + * Mapper for manipulating user group permissions. + */ +@Inject +private UserGroupPermissionMapper userGroupPermissionMapper; + +/** + * Provider for creating user groups. + */ +@Inject +private Provider userGroupProvider; + +@Override +protected ModeledDirectoryObjectMapper getObjectMapper() { +return userGroupMapper; +} + +@Override +protected ObjectPermissionMapper getPermissionMapper() { +return userGroupPermissionMapper; +} + +@Override +protected ModeledUserGroup getObjectInstance(ModeledAuthenticatedUser currentUser, +UserGroupModel model) throws GuacamoleException { + +boolean exposeRestrictedAttributes; + +// Expose restricted attributes if the user group does not yet exist +if (model.getObjectID() == null) +exposeRestrictedAttributes = true; + +// Otherwise, expose restricted attributes only if the user has +// ADMINISTER permission +else +exposeRestrictedAttributes = hasObjectPermission(currentUser, +model.getIdentifier(), ObjectPermission.Type.ADMINISTER); + +// Produce ModeledUserGroup exposing only those attributes for which the +// current user has permission +ModeledUserGroup group = userGroupProvider.get(); +group.init(currentUser, model, exposeRestrictedAttributes); +return group; + +} + +@Override +protected UserGroupModel getModelInstance(ModeledAuthenticatedUser currentUser, +final UserGroup object) throws GuacamoleException { + +// Create new ModeledUserGroup backed by blank model +UserGroupModel model = new UserGroupModel(); +ModeledUserGroup group = getObjectInstance(currentUser, model); + +// Set model contents through ModeledUser, copying the provided group +
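Review bot: in getObjectInstance the decision to expose restricted attributes rests on hasObjectPermission(currentUser, model.getIdentifier(), ObjectPermission.Type.ADMINISTER) with no group set passed, while this same PR threads an effectiveGroups parameter through SystemPermissionService.hasPermission; confirm the object-permission path also consults inherited group permissions, otherwise a user who holds ADMINISTER on a group only through membership is denied the "disabled" attribute here but granted it elsewhere. The comment "// Set model contents through ModeledUser, copying the provided group" should read ModeledUserGroup.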
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220397742 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml --- @@ -79,7 +79,10 @@ #{record.sharingProfileIdentifier,jdbcType=VARCHAR}, #{record.sharingProfileName,jdbcType=VARCHAR}, (SELECT user_id FROM guacamole_user - WHERE username = #{record.username,jdbcType=VARCHAR}), + JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id --- End diff -- Seems like this code here expects that, when users are deleted from the database, their entries will remain present in the `guacamole_entity` table? Just want to confirm... ---
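Review bot: the hunk header announces three added lines but only the JOIN line is visible, so the WHERE clause that now has to compare guacamole_entity.name against #{record.username,jdbcType=VARCHAR} cannot be checked here; please make sure it is still present and that it also restricts on type = 'USER', since the new guacamole_entity_name_scope key is unique per (type, name) and the join alone is what keeps group entities out. Either way, the scalar subquery yields NULL when no row matches, so a record for a since-deleted user is inserted with user_id NULL exactly as before the change; whether that is acceptable depends on the history table's user_id column allowing NULL, which is the point being asked about.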
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220395046 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupService.java --- 
@@ -0,0 +1,189 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.usergroup; + +import com.google.inject.Inject; +import com.google.inject.Provider; +import java.util.Collection; +import java.util.Collections; +import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper; +import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectService; +import org.apache.guacamole.GuacamoleClientException; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityMapper; +import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionMapper; +import org.apache.guacamole.auth.jdbc.permission.UserGroupPermissionMapper; +import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; +import org.apache.guacamole.net.auth.UserGroup; +import org.apache.guacamole.net.auth.permission.ObjectPermission; +import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; +import org.apache.guacamole.net.auth.permission.SystemPermission; +import org.apache.guacamole.net.auth.permission.SystemPermissionSet; + +/** + * Service which provides convenience methods for creating, retrieving, and + * manipulating user groups. 
+ */ +public class UserGroupService extends ModeledDirectoryObjectService { + +/** + * Mapper for creating/deleting entities. + */ +@Inject +private EntityMapper entityMapper; + +/** + * Mapper for accessing user groups. + */ +@Inject +private UserGroupMapper userGroupMapper; + +/** + * Mapper for manipulating user group permissions. + */ +@Inject +private UserGroupPermissionMapper userGroupPermissionMapper; + +/** + * Provider for creating user groups. + */ +@Inject +private Provider userGroupProvider; + +@Override +protected ModeledDirectoryObjectMapper getObjectMapper() { +return userGroupMapper; +} + +@Override +protected ObjectPermissionMapper getPermissionMapper() { +return userGroupPermissionMapper; +} + +@Override +protected ModeledUserGroup getObjectInstance(ModeledAuthenticatedUser currentUser, +UserGroupModel model) throws GuacamoleException { + +boolean exposeRestrictedAttributes; + +// Expose restricted attributes if the user group does not yet exist +if (model.getObjectID() == null) +exposeRestrictedAttributes = true; + +// Otherwise, expose restricted attributes only if the user has +// ADMINISTER permission +else +exposeRestrictedAttributes = hasObjectPermission(currentUser, +model.getIdentifier(), ObjectPermission.Type.ADMINISTER); + +// Produce ModeledUserGroup exposing only those attributes for which the +// current user has permission +ModeledUserGroup group = userGroupProvider.get(); +group.init(currentUser, model, exposeRestrictedAttributes); +return group; + +} + +@Override +protected UserGroupModel getModelInstance(ModeledAuthenticatedUser currentUser, +final UserGroup object) throws GuacamoleException { + +// Create new ModeledUserGroup backed by blank model +UserGroupModel model = new UserGroupModel(); +ModeledUserGroup group = getObjectInstance(currentUser, model); + +// Set model contents through ModeledUser, copying the provided group +
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r219670482 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/pom.xml --- @@ -109,33 +109,33 @@ org.mybatis mybatis -3.2.8 +3.4.6 --- End diff -- When I was doing some playing around in the past with updating this, it seems like one of these versions may have required a higher target version of Java than 1.6. Probably worth double-checking to make sure we're still good with 1.6 with all these updates. ---
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220393130 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/ModeledUserGroup.java --- 
@@ -0,0 +1,212 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.usergroup; + +import com.google.inject.Inject; +import com.google.inject.Provider; +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.ModeledPermissions; +import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; +import org.apache.guacamole.form.BooleanField; +import org.apache.guacamole.form.Field; +import org.apache.guacamole.form.Form; +import org.apache.guacamole.net.auth.RelatedObjectSet; +import org.apache.guacamole.net.auth.UserGroup; + +/** + * An implementation of the UserGroup object which is backed by a database model. + */ +public class ModeledUserGroup extends ModeledPermissions +implements UserGroup { + +/** + * The name of the attribute which controls whether a user group is + * disabled. + */ +public static final String DISABLED_ATTRIBUTE_NAME = "disabled"; + +/** + * All attributes related to restricting user groups, within a logical + * form. 
+ */ +public static final Form ACCOUNT_RESTRICTIONS = new Form("restrictions", Arrays.asList( +new BooleanField(DISABLED_ATTRIBUTE_NAME, "true") +)); + +/** + * All possible attributes of user groups organized as individual, + * logical forms. + */ +public static final Collection ATTRIBUTES = Collections.unmodifiableCollection(Arrays.asList( +ACCOUNT_RESTRICTIONS +)); + +/** + * The names of all attributes which are explicitly supported by this + * extension's UserGroup objects. + */ +public static final Set ATTRIBUTE_NAMES = +Collections.unmodifiableSet(new HashSet(Arrays.asList( +DISABLED_ATTRIBUTE_NAME +))); + +/** + * Provider for RelatedObjectSets containing the user groups of which this + * user group is a member. + */ +@Inject +private Provider parentUserGroupSetProvider; + +/** + * Provider for RelatedObjectSets containing the users that are members of + * this user group. + */ +@Inject +private Provider memberUserSetProvider; + +/** + * Provider for RelatedObjectSets containing the user groups that are + * members of this user group. + */ +@Inject +private Provider memberUserGroupSetProvider; + +/** + * Whether attributes which control access restrictions should be exposed + * via getAttributes() or allowed to be set via setAttributes(). + */ +private boolean exposeRestrictedAttributes = false; + +/** + * Initializes this ModeledUserGroup, associating it with the current + * authenticated user and populating it with data from the given user group + * model. + * + * @param currentUser + * The user that created or retrieved this object. + * + * @param model + * The backing model object. + * + * @param exposeRestrictedAttributes + * Whether attributes which control access restrictions should be + * exposed via getAttributes() or allowed to be set via + * setAttributes(). + */ +public void init(ModeledAuthenticatedUser currentUser, UserGroupModel model, +
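Review bot: the javadoc for exposeRestrictedAttributes promises that restriction attributes are neither returned by getAttributes() nor accepted by setAttributes() when it is false; the setter side is the one that matters for security (a caller without ADMINISTER must not be able to flip DISABLED_ATTRIBUTE_NAME), and it lies past the end of this hunk, so it should be covered by a test that calls setAttributes() with "disabled" on a group initialized with exposeRestrictedAttributes=false and asserts the model is unchanged. Also decide whether names outside ATTRIBUTE_NAMES are silently dropped or rejected, and say so in the javadoc.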
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220390959 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java --- 
@@ -124,39 +129,40 @@ public void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetU } /** - * Retrieves the permission of the given type associated with the given - * user, if it exists. If no such permission exists, null is returned. + * Retrieves whether the permission of the given type has been granted to + * the given entity. Permission inheritance through group membership is + * taken into account. * * @param user * The user retrieving the permission. * - * @param targetUser - * The user associated with the permission to be retrieved. + * @param targetEntity + * The entity associated with the permission to be retrieved. * * @param type * The type of permission to retrieve. * + * @param effectiveGroups + * The identifiers of all groups that should be taken into account + * when determining the permissions effectively granted to the user. If + * no groups are given, only permissions directly granted to the user + * will be used. + * * @return - * The permission of the given type associated with the given user, or - * null if no such permission exists. + * true if permission of the given type has been granted to the given + * user, false otherwise. * * @throws GuacamoleException * If an error occurs while retrieving the requested permission. 
*/ -public SystemPermission retrievePermission(ModeledAuthenticatedUser user, -ModeledUser targetUser, SystemPermission.Type type) throws GuacamoleException { +public boolean hasPermission(ModeledAuthenticatedUser user, +ModeledPermissions targetEntity, +SystemPermission.Type type, Set effectiveGroups) +throws GuacamoleException { // Retrieve permissions only if allowed -if (canReadPermissions(user, targetUser)) { - -// Read permission from database, return null if not found -SystemPermissionModel model = getPermissionMapper().selectOne(targetUser.getModel(), type); -if (model == null) -return null; - -return getPermissionInstance(model); - -} +if (canReadPermissions(user, targetEntity)) +return getPermissionMapper().selectOne(targetEntity.getModel(), type, effectiveGroups) != null; // User cannot read this user's permissions --- End diff -- user's -> entity's ---
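Review bot: `getPermissionMapper().selectOne(targetEntity.getModel(), type, effectiveGroups) != null` in `hasPermission` relies on the mapper query returning at most one row, and with `effectiveGroups` now taken into account a permission granted both directly to the entity and through one or more of its groups can match several rows; MyBatis' `selectOne` throws `TooManyResultsException` in that case. Either make the query return a single row (`SELECT DISTINCT` plus a limit) or switch to `selectList(...)` and test `isEmpty()`. Separately, the `@return` text still says "granted to the given user" while the parameter is now `targetEntity`, the same user/entity mismatch the comment above flags for the trailing code comment.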
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220394415 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/usergroup/UserGroupService.java --- 
@@ -0,0 +1,189 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.usergroup; + +import com.google.inject.Inject; +import com.google.inject.Provider; +import java.util.Collection; +import java.util.Collections; +import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper; +import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectService; +import org.apache.guacamole.GuacamoleClientException; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.jdbc.base.EntityMapper; +import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionMapper; +import org.apache.guacamole.auth.jdbc.permission.UserGroupPermissionMapper; +import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser; +import org.apache.guacamole.net.auth.UserGroup; +import org.apache.guacamole.net.auth.permission.ObjectPermission; +import org.apache.guacamole.net.auth.permission.ObjectPermissionSet; +import org.apache.guacamole.net.auth.permission.SystemPermission; +import org.apache.guacamole.net.auth.permission.SystemPermissionSet; + +/** + * Service which provides convenience methods for creating, retrieving, and + * manipulating user groups. 
+ */ +public class UserGroupService extends ModeledDirectoryObjectService { + +/** + * Mapper for creating/deleting entities. + */ +@Inject +private EntityMapper entityMapper; + +/** + * Mapper for accessing user groups. + */ +@Inject +private UserGroupMapper userGroupMapper; + +/** + * Mapper for manipulating user group permissions. + */ +@Inject +private UserGroupPermissionMapper userGroupPermissionMapper; + +/** + * Provider for creating user groups. + */ +@Inject +private Provider userGroupProvider; + +@Override +protected ModeledDirectoryObjectMapper getObjectMapper() { +return userGroupMapper; +} + +@Override +protected ObjectPermissionMapper getPermissionMapper() { +return userGroupPermissionMapper; +} + +@Override +protected ModeledUserGroup getObjectInstance(ModeledAuthenticatedUser currentUser, +UserGroupModel model) throws GuacamoleException { + +boolean exposeRestrictedAttributes; + +// Expose restricted attributes if the user group does not yet exist +if (model.getObjectID() == null) +exposeRestrictedAttributes = true; + +// Otherwise, expose restricted attributes only if the user has +// ADMINISTER permission +else +exposeRestrictedAttributes = hasObjectPermission(currentUser, +model.getIdentifier(), ObjectPermission.Type.ADMINISTER); + +// Produce ModeledUserGroup exposing only those attributes for which the +// current user has permission +ModeledUserGroup group = userGroupProvider.get(); +group.init(currentUser, model, exposeRestrictedAttributes); +return group; + +} + +@Override +protected UserGroupModel getModelInstance(ModeledAuthenticatedUser currentUser, +final UserGroup object) throws GuacamoleException { + +// Create new ModeledUserGroup backed by blank model +UserGroupModel model = new UserGroupModel(); +ModeledUserGroup group = getObjectInstance(currentUser, model); + +// Set model contents through ModeledUser, copying the provided group +
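Review bot: the comment `// Set model contents through ModeledUser, copying the provided group` in `getModelInstance` names the wrong class; the object being populated is a `ModeledUserGroup`. Also, `getObjectInstance` exposes the restricted `disabled` attribute for any model whose `getObjectID()` is null, which is right for creation but means the decision rests on the object ID rather than on a permission check; a short comment that the caller is expected to have verified creation rights before a blank model reaches this method would make that contract explicit.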
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r220390391 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java --- @@ -76,23 +78,25 @@ protected SystemPermissionModel getModelInstance(final ModeledUser targetUser, @Override public SystemPermissionSet getPermissionSet(ModeledAuthenticatedUser user, -ModeledUser targetUser) throws GuacamoleException { +ModeledPermissions targetEntity, +Set effectiveGroups) throws GuacamoleException { // Create permission set for requested user --- End diff -- user -> entity ? ---
[GitHub] guacamole-client pull request #319: GUACAMOLE-220: Add database support for ...
Github user necouchman commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/319#discussion_r219843129 --- Diff: extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ObjectRelationMapper.java --- 
@@ -0,0 +1,126 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.jdbc.base; + +import java.util.Collection; +import java.util.Set; +import org.apache.guacamole.auth.jdbc.user.UserModel; +import org.apache.ibatis.annotations.Param; + +/** + * Mapper for the relations represented by a particular RelatedObjectSet + * implementation. + * + * @param + * The underlying database model of the object on the parent side of the + * one-to-many relationship represented by the RelatedObjectSet mapped by + * this ObjectRelationMapper. + */ +public interface ObjectRelationMapper { + +/** + * Inserts rows as necessary to establish the one-to-many relationship + * represented by the RelatedObjectSet between the given parent and + * children. If the relation for any parent/child pair is already present, + * no attempt is made to insert a new row for that relation. + * + * @param parent + * The model of the object on the parent side of the one-to-many + * relationship represented by the RelatedObjectSet. + * + * @param children + * The identifiers of the objects on the child side of the one-to-many + * relationship represented by the RelatedObjectSet. 
+ * + * @return + * The number of rows inserted. + */ +int insert(@Param("parent") ParentModelType parent, +@Param("children") Collection children); + +/** + * Deletes rows as necessary to establish the one-to-many relationship --- End diff -- Is "to establish" the correct language, here? Or is this to modify/remove one-to-many relationships? ---
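Review bot: `java.util.Set` and `org.apache.guacamole.auth.jdbc.user.UserModel` are imported but nothing in the visible part of `ObjectRelationMapper` references them; if the remainder of the interface does not use them either, drop the imports. In the `insert()` Javadoc, the `@return` says "The number of rows inserted" right after the sentence saying already-present pairs are skipped; stating explicitly that skipped pairs are not counted would stop callers from assuming `children.size()` rows come back.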
[GitHub] guacamole-server pull request #190: GUACAMOLE-632: Dynamically scale JPEG/We...
GitHub user mike-jumper opened a pull request: https://github.com/apache/guacamole-server/pull/190

GUACAMOLE-632: Dynamically scale JPEG/WebP quality depending on measured processing lag.

These changes dynamically scale JPEG/WebP quality based on real-time measurements of processing lag. This has the effect that slower clients will tend to be sent less data to process, and spikes in frame duration / processing tend to smooth out naturally.

You can merge this pull request into a Git repository by running: $ git pull https://github.com/mike-jumper/guacamole-server dynamic-quality

Alternatively you can review and apply these changes as the patch at: https://github.com/apache/guacamole-server/pull/190.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #190

commit 45e8503ead5aa90ee8f53ddf43257c019069653d Author: Michael Jumper Date: 2016-05-18T03:49:51Z GUACAMOLE-632: Dynamically scale JPEG/WebP quality depending on measured processing lag. ---
[GitHub] guacamole-client pull request #323: GUACAMOLE-629: Add support for creating ...
GitHub user mike-jumper opened a pull request: https://github.com/apache/guacamole-client/pull/323

GUACAMOLE-629: Add support for creating argument value streams using the "argv" instruction.

These changes are the guacamole-common-js API changes which complement those of apache/guacamole-server#189.

You can merge this pull request into a Git repository by running: $ git pull https://github.com/mike-jumper/guacamole-client argv-instruction

Alternatively you can review and apply these changes as the patch at: https://github.com/apache/guacamole-client/pull/323.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #323

commit 75805e4cab5a56f61a9df588f1ab4f892285fe1e Author: Michael Jumper Date: 2018-09-24T08:33:11Z GUACAMOLE-629: Add support for creating argument value streams using the "argv" instruction. ---
[GitHub] guacamole-server pull request #189: GUACAMOLE-629: Add support for updating ...
GitHub user mike-jumper opened a pull request: https://github.com/apache/guacamole-server/pull/189

GUACAMOLE-629: Add support for updating connection parameters of in-progress connections.

This is the non-handshake portion of changes which allow connection parameters to be sent via streams, rather than as elements of a single, handshake-only instruction. The expected flow is as follows:

1. While the connection is underway, the connected client may begin to stream an update to a connection parameter using an `argv` instruction. It is expected that not all parameters may be updated in this manner, that some updates will be refused for security reasons, and even that instruction filtering within the webapp may intercept the inbound stream and apply additional constraints.

2. If the underlying protocol supports updating that particular parameter, this will be indicated with a successful `ack`. If the parameter cannot be updated, either due to lack of support or the parameter being privileged, an unsuccessful `ack` will be sent indicating why.

3. It is up to the underlying protocol support to implement actually applying the new parameter to the in-progress connection, including whether the data of that parameter is handled as a true stream or is internally buffered.

Note that these changes are just the base framework changes to libguac. This new `argv` instruction is not currently used by any supported protocol, though I do have pending changes which leverage this for updating the `color-scheme` parameter of SSH/telnet.

You can merge this pull request into a Git repository by running: $ git pull https://github.com/mike-jumper/guacamole-server argv-stream

Alternatively you can review and apply these changes as the patch at: https://github.com/apache/guacamole-server/pull/189.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #189

commit 8456c050ea339be1daae82d8677d0a9a767aa80c Author: Michael Jumper Date: 2018-09-24T05:39:31Z GUACAMOLE-629: Add support for updating connection parameters of in-progress connections. ---
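The three-step `argv` flow in the pull request above, modelled as an added example (editor's code, not libguac or guacamole-common-js): a receiving side that accepts a parameter update only when the parameter is on an allow-list, refuses privileged ones with an unsuccessful `ack`, caps how much data a stream may buffer, and applies the value on `end`. The `LENGTH.VALUE,LENGTH.VALUE;` element encoding is the Guacamole protocol's; the argument layout assumed for `argv`, `blob`, `end` and `ack`, the numeric status codes, the base64 blob payload, and the parameter names `color-scheme`, `password` and `private-key` used in the sample exchange are this example's assumptions, not taken from the PR. Runs under Node (uses `Buffer`).

```javascript
// Added example (not Guacamole project code) of gating "argv" parameter
// updates on the receiving side. Argument layouts, status codes and the
// base64 blob payload are assumptions of this example.

// Encode one instruction as length-prefixed elements, e.g. "4.argv,1.0,...;".
// Lengths count characters; the constructed sample data below is ASCII.
function encodeInstruction(opcode, ...args) {
  return [opcode, ...args].map(a => `${String(a).length}.${a}`).join(',') + ';';
}

// Decode one complete instruction string into [opcode, ...args], rejecting
// missing or negative lengths, truncated elements and bad separators.
function decodeInstruction(text) {
  const elements = [];
  let pos = 0;
  for (;;) {
    const dot = text.indexOf('.', pos);
    if (dot < 0) throw new Error('malformed element: no length prefix');
    const len = Number.parseInt(text.slice(pos, dot), 10);
    if (!Number.isInteger(len) || len < 0) throw new Error('malformed length');
    const value = text.slice(dot + 1, dot + 1 + len);
    if (value.length !== len) throw new Error('truncated element');
    elements.push(value);
    const sep = text[dot + 1 + len];
    pos = dot + 2 + len;
    if (sep === ';') break;
    if (sep !== ',') throw new Error('malformed separator');
  }
  if (pos !== text.length) throw new Error('trailing data after instruction');
  return elements;
}

// Assumed ack status codes (placeholders chosen for this example).
const STATUS_SUCCESS = 0;
const STATUS_UNSUPPORTED = 256;
const STATUS_FORBIDDEN = 771;

// Cap on bytes buffered per stream so a client cannot grow memory without
// bound while "updating" a parameter.
const MAX_PARAM_BYTES = 4096;

class ArgvGate {
  // updatable: names the protocol can apply mid-connection;
  // privileged: names the client must never be allowed to change.
  constructor(updatable, privileged) {
    this.updatable = new Set(updatable);
    this.privileged = new Set(privileged);
    this.streams = new Map();   // stream index -> { name, chunks, size }
    this.applied = {};          // name -> final value, once "end" arrives
  }

  // Process one client instruction; return the instructions to send back.
  handle(text) {
    const [opcode, ...args] = decodeInstruction(text);
    if (opcode === 'argv') {
      const [stream, mimetype, name] = args;
      if (this.privileged.has(name))
        return [encodeInstruction('ack', stream, 'Parameter is privileged', STATUS_FORBIDDEN)];
      if (!this.updatable.has(name) || mimetype !== 'text/plain')
        return [encodeInstruction('ack', stream, 'Parameter not updatable', STATUS_UNSUPPORTED)];
      this.streams.set(stream, { name, chunks: [], size: 0 });
      return [encodeInstruction('ack', stream, 'OK', STATUS_SUCCESS)];
    }
    if (opcode === 'blob') {
      const [stream, data] = args;
      const st = this.streams.get(stream);
      if (!st) return [];                        // refused or unknown stream: drop
      const bytes = Buffer.from(data, 'base64'); // blob payload assumed base64
      if (st.size + bytes.length > MAX_PARAM_BYTES) {
        this.streams.delete(stream);
        return [encodeInstruction('ack', stream, 'Parameter too large', STATUS_FORBIDDEN)];
      }
      st.chunks.push(bytes);
      st.size += bytes.length;
      return [encodeInstruction('ack', stream, 'OK', STATUS_SUCCESS)];
    }
    if (opcode === 'end') {
      const [stream] = args;
      const st = this.streams.get(stream);
      if (!st) return [];
      this.streams.delete(stream);
      this.applied[st.name] = Buffer.concat(st.chunks).toString('utf8');
      return [];
    }
    return [];
  }
}

// Constructed exchange: one permitted update, one refused update.
function runSampleExchange() {
  const gate = new ArgvGate(['color-scheme'], ['password', 'private-key']);
  const replies = [];
  for (const instr of [
    encodeInstruction('argv', 0, 'text/plain', 'color-scheme'),
    encodeInstruction('blob', 0, Buffer.from('gray-black').toString('base64')),
    encodeInstruction('end', 0),
    encodeInstruction('argv', 1, 'text/plain', 'password'),
    encodeInstruction('blob', 1, Buffer.from('not-accepted').toString('base64')),
  ]) replies.push(...gate.handle(instr));
  return { applied: gate.applied, replies: replies.map(decodeInstruction) };
}
```

The point of the allow-list is the one the PR description makes: a parameter is updatable only if the protocol support says so, and a refusal is answered with an `ack` whose status says why, while any `blob` that follows a refused `argv` is dropped without being buffered. The per-stream byte cap stands in for whatever the real protocol handler does when it chooses to buffer a parameter internally rather than treat it as a true stream.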
Re: Birds-of-a-Feather session at LISA18 (USENIX conference)
On Tue, Sep 25, 2018 at 2:37 PM Mike Jumper wrote:
> Hello all,
>
> As I'll be attending LISA18 for day job matters, I'm looking into maybe
> also scheduling a community BoF session (*not* for day job) to promote and
> discuss Apache Guacamole with any interested people while I'm there:
>
> https://www.usenix.org/conference/lisa18/bofs
>
> Note that while the above link mainly focuses on "vendor BoFs", this does
> not apply to us; we would be seeking a community BoF.
>
> Anyone else interested in participating who will be going to the
> conference?
>

Wish I was going - I think that would be very cool. Will have to look at the conference for next year and see if I can swing it...

-Nick
Birds-of-a-Feather session at LISA18 (USENIX conference)
Hello all,

As I'll be attending LISA18 for day job matters, I'm looking into maybe also scheduling a community BoF session (*not* for day job) to promote and discuss Apache Guacamole with any interested people while I'm there:

https://www.usenix.org/conference/lisa18/bofs

Note that while the above link mainly focuses on "vendor BoFs", this does not apply to us; we would be seeking a community BoF.

Anyone else interested in participating who will be going to the conference?

- Mike