GUACAMOLE-524: Deprecate and replace StandardTokens with arbitrary tokens provided to Connectable.connect().

2025-09-06 13:17:41 +00:00 · 2018-10-04 00:41:07 -07:00
parent 3089e71e60
commit 1210d5624c
22 changed files with 268 additions and 154 deletions
--- a/guacamole/src/main/java/org/apache/guacamole/rest/connection/APIConnectionWrapper.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/connection/APIConnectionWrapper.java
@@ -128,7 +128,8 @@ public class APIConnectionWrapper implements Connection {
    }

    @Override
-    public GuacamoleTunnel connect(GuacamoleClientInformation info) throws GuacamoleException {
+    public GuacamoleTunnel connect(GuacamoleClientInformation info,
+            Map<String, String> tokens) throws GuacamoleException {
        throw new UnsupportedOperationException("Operation not supported.");
    }

--- a/guacamole/src/main/java/org/apache/guacamole/rest/connectiongroup/APIConnectionGroupWrapper.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/connectiongroup/APIConnectionGroupWrapper.java
@@ -112,7 +112,8 @@ public class APIConnectionGroupWrapper implements ConnectionGroup {
    }

    @Override
-    public GuacamoleTunnel connect(GuacamoleClientInformation info) throws GuacamoleException {
+    public GuacamoleTunnel connect(GuacamoleClientInformation info,
+            Map<String, String> tokens) throws GuacamoleException {
        throw new UnsupportedOperationException("Operation not supported.");
    }

--- a/guacamole/src/main/java/org/apache/guacamole/tunnel/StandardTokenMap.java
+++ b/guacamole/src/main/java/org/apache/guacamole/tunnel/StandardTokenMap.java
@@ -0,0 +1,139 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.tunnel;
+
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+
+/**
+ * Map which is automatically populated with the name/value pairs of all
+ * standardized tokens available for a particular AuthenticatedUser.
+ */
+public class StandardTokenMap extends HashMap<String, String> {
+
+    /**
+     * The name of the token containing the user's username.
+     */
+    public static final String USERNAME_TOKEN = "GUAC_USERNAME";
+
+    /**
+     * The name of the token containing the user's password.
+     */
+    public static final String PASSWORD_TOKEN = "GUAC_PASSWORD";
+
+    /**
+     * The name of the token containing the hostname/address of the machine the
+     * user authenticated from.
+     */
+    public static final String CLIENT_HOSTNAME_TOKEN = "GUAC_CLIENT_HOSTNAME";
+
+    /**
+     * The name of the token containing the IP address of the machine the user
+     * authenticated from.
+     */
+    public static final String CLIENT_ADDRESS_TOKEN = "GUAC_CLIENT_ADDRESS";
+
+    /**
+     * The name of the token containing the current date (server-local time).
+     */
+    public static final String DATE_TOKEN = "GUAC_DATE";
+
+    /**
+     * The name of the token containing the current time (server-local time).
+     */
+    public static final String TIME_TOKEN = "GUAC_TIME";
+
+    /**
+     * The date format that should be used for the date token. This format must
+     * be compatible with Java's SimpleDateFormat.
+     */
+    private static final String DATE_FORMAT = "yyyyMMdd";
+
+    /**
+     * The date format that should be used for the time token. This format must
+     * be compatible with Java's SimpleDateFormat.
+     */
+    private static final String TIME_FORMAT = "HHmmss";
+
+    /**
+     * The prefix of the arbitrary attribute tokens.
+     */
+    public static final String ATTR_TOKEN_PREFIX = "GUAC_ATTR_";
+
+    /**
+     * Creates a new StandardTokenMap which is pre-populated with the
+     * name/value pairs of all standardized tokens available for the given
+     * AuthenticatedUser.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser to generate standard tokens for.
+     */
+    public StandardTokenMap(AuthenticatedUser authenticatedUser) {
+
+        // Add date/time tokens (server-local time)
+        Date currentTime = new Date();
+        put(DATE_TOKEN, new SimpleDateFormat(DATE_FORMAT).format(currentTime));
+        put(TIME_TOKEN, new SimpleDateFormat(TIME_FORMAT).format(currentTime));
+
+        Credentials credentials = authenticatedUser.getCredentials();
+        Map<String, String> attributes = authenticatedUser.getAttributes();
+
+        // Add username token
+        String username = credentials.getUsername();
+        if (username != null)
+            put(USERNAME_TOKEN, username);
+
+        // Default to the authenticated user's username for the GUAC_USERNAME
+        // token
+        else
+            put(USERNAME_TOKEN, authenticatedUser.getIdentifier());
+
+        // Add password token
+        String password = credentials.getPassword();
+        if (password != null)
+            put(PASSWORD_TOKEN, password);
+
+        // Add client hostname token
+        String hostname = credentials.getRemoteHostname();
+        if (hostname != null)
+            put(CLIENT_HOSTNAME_TOKEN, hostname);
+
+        // Add client address token
+        String address = credentials.getRemoteAddress();
+        if (address != null)
+            put(CLIENT_ADDRESS_TOKEN, address);
+
+        // Add tokens for all attributes on the AuthenticatedUser
+        if (attributes != null) {
+            for (Map.Entry entry : attributes.entrySet()) {
+                String key = entry.getKey().toString();
+                String tokenName = ATTR_TOKEN_PREFIX + key.toUpperCase();
+                String tokenValue = entry.getValue().toString();
+                put(tokenName, tokenValue);
+            }
+        }
+
+    }
+
+}
--- a/guacamole/src/main/java/org/apache/guacamole/tunnel/TunnelRequestService.java
+++ b/guacamole/src/main/java/org/apache/guacamole/tunnel/TunnelRequestService.java
@@ -22,6 +22,7 @@ package org.apache.guacamole.tunnel;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import java.util.List;
+import java.util.Map;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.GuacamoleSession;
@@ -187,6 +188,10 @@ public class TunnelRequestService {
     * @param info
     *     Information describing the connected Guacamole client.
     *
+     * @param tokens
+     *     A Map containing the token names and corresponding values to be
+     *     applied as parameter tokens when establishing the connection.
+     *
     * @return
     *     A new tunnel, connected as required by the request.
     *
@@ -195,7 +200,7 @@ public class TunnelRequestService {
     */
    protected GuacamoleTunnel createConnectedTunnel(UserContext context,
            final TunnelRequest.Type type, String id,
-            GuacamoleClientInformation info)
+            GuacamoleClientInformation info, Map<String, String> tokens)
            throws GuacamoleException {

        // Create connected tunnel from identifier
@@ -216,7 +221,7 @@ public class TunnelRequestService {
                }

                // Connect tunnel
-                tunnel = connection.connect(info);
+                tunnel = connection.connect(info, tokens);
                logger.info("User \"{}\" connected to connection \"{}\".", context.self().getIdentifier(), id);
                break;
            }
@@ -235,7 +240,7 @@ public class TunnelRequestService {
                }

                // Connect tunnel
-                tunnel = group.connect(info);
+                tunnel = group.connect(info, tokens);
                logger.info("User \"{}\" connected to group \"{}\".", context.self().getIdentifier(), id);
                break;
            }
@@ -385,16 +390,17 @@ public class TunnelRequestService {
        GuacamoleClientInformation info = getClientInformation(request);

        GuacamoleSession session = authenticationService.getGuacamoleSession(authToken);
+        AuthenticatedUser authenticatedUser = session.getAuthenticatedUser();
        UserContext userContext = session.getUserContext(authProviderIdentifier);

        try {

            // Create connected tunnel using provided connection ID and client information
-            GuacamoleTunnel tunnel = createConnectedTunnel(userContext, type, id, info);
+            GuacamoleTunnel tunnel = createConnectedTunnel(userContext, type,
+                    id, info, new StandardTokenMap(authenticatedUser));

            // Notify listeners to allow connection to be vetoed
-            fireTunnelConnectEvent(session.getAuthenticatedUser(),
-                    session.getAuthenticatedUser().getCredentials(), tunnel);
+            fireTunnelConnectEvent(authenticatedUser, authenticatedUser.getCredentials(), tunnel);

            // Associate tunnel with session
            return createAssociatedTunnel(tunnel, authToken, session, userContext, type, id);