mirror of
https://github.com/gyurix1968/guacamole-client.git
synced 2025-09-06 05:07:41 +00:00
GUACAMOLE-1723: Enforce access time restrictions for logged in users.
This commit is contained in:
James Muehlner
@@ -94,6 +94,12 @@
|
||||
<artifactId>guice</artifactId>
|
||||
</dependency>
|
||||
|
||||
<!-- Guice Assisted Inject Extension -->
|
||||
<dependency>
|
||||
<groupId>com.google.inject.extensions</groupId>
|
||||
<artifactId>guice-assistedinject</artifactId>
|
||||
</dependency>
|
||||
|
||||
<!-- Guava - Utility Library -->
|
||||
<dependency>
|
||||
<groupId>com.google.guava</groupId>
|
||||
|
||||
@@ -20,6 +20,8 @@
|
||||
package org.apache.guacamole.auth.jdbc;
|
||||
|
||||
import com.google.inject.Scopes;
|
||||
import com.google.inject.assistedinject.FactoryModuleBuilder;
|
||||
|
||||
import javax.sql.DataSource;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
|
||||
import org.apache.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
|
||||
@@ -38,6 +40,8 @@ import org.apache.guacamole.auth.jdbc.permission.SystemPermissionMapper;
|
||||
import org.apache.guacamole.auth.jdbc.user.UserMapper;
|
||||
import org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupService;
|
||||
import org.apache.guacamole.auth.jdbc.connection.ConnectionService;
|
||||
import org.apache.guacamole.auth.jdbc.tunnel.AccessEnforcingDelegatingTunnel;
|
||||
import org.apache.guacamole.auth.jdbc.tunnel.AccessEnforcingDelegatingTunnelFactory;
|
||||
import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
|
||||
import org.apache.guacamole.auth.jdbc.security.PasswordEncryptionService;
|
||||
import org.apache.guacamole.auth.jdbc.security.SHA256PasswordEncryptionService;
|
||||
@@ -196,7 +200,14 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule {
|
||||
bind(UserGroupPermissionService.class);
|
||||
bind(UserPermissionService.class);
|
||||
bind(UserService.class);
|
||||
|
||||
|
||||
// Bind Factories
|
||||
install(new FactoryModuleBuilder()
|
||||
.implement(
|
||||
AccessEnforcingDelegatingTunnel.class,
|
||||
AccessEnforcingDelegatingTunnel.class)
|
||||
.build(AccessEnforcingDelegatingTunnelFactory.class));
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -227,4 +227,19 @@ public abstract class JDBCEnvironment extends DelegatingEnvironment {
|
||||
*/
|
||||
public abstract boolean trackExternalConnectionHistory() throws GuacamoleException;
|
||||
|
||||
/**
|
||||
* Returns a boolean value representing whether access time windows should
|
||||
* be enforced for active connections - i.e. whether a currently-connected
|
||||
* user should be disconnected upon the closure of an access window, or
|
||||
* when the user is disabled.
|
||||
*
|
||||
* @return
|
||||
* True if a connected user should be disconnected upon an access time
|
||||
* window closing, or the user being disabled.
|
||||
*
|
||||
* @throws GuacamoleException
|
||||
* If guacamole.properties cannot be parsed.
|
||||
*/
|
||||
public abstract boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException;
|
||||
|
||||
}
|
||||
|
||||
@@ -44,34 +44,40 @@ public class ActiveConnectionDirectory extends RestrictedObject
|
||||
|
||||
@Override
|
||||
public ActiveConnection get(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return activeConnectionService.retrieveObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Collection<ActiveConnection> getAll(Collection<String> identifiers)
|
||||
throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
Collection<TrackedActiveConnection> objects = activeConnectionService.retrieveObjects(getCurrentUser(), identifiers);
|
||||
return Collections.<ActiveConnection>unmodifiableCollection(objects);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Set<String> getIdentifiers() throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return activeConnectionService.getIdentifiers(getCurrentUser());
|
||||
}
|
||||
|
||||
@Override
|
||||
public void add(ActiveConnection object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
activeConnectionService.createObject(getCurrentUser(), object);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void update(ActiveConnection object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
TrackedActiveConnection connection = (TrackedActiveConnection) object;
|
||||
activeConnectionService.updateObject(getCurrentUser(), connection);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void remove(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
activeConnectionService.deleteObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
|
||||
@@ -19,7 +19,13 @@
|
||||
|
||||
package org.apache.guacamole.auth.jdbc.base;
|
||||
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
import org.apache.guacamole.GuacamoleUnauthorizedException;
|
||||
import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
|
||||
/**
|
||||
* Common base class for objects that are associated with the users that
|
||||
@@ -33,6 +39,12 @@ public abstract class RestrictedObject {
|
||||
*/
|
||||
private ModeledAuthenticatedUser currentUser;
|
||||
|
||||
/**
|
||||
* The environment of the Guacamole server.
|
||||
*/
|
||||
@Inject
|
||||
private JDBCEnvironment environment;
|
||||
|
||||
/**
|
||||
* Initializes this object, associating it with the current authenticated
|
||||
* user and populating it with data from the given model object
|
||||
@@ -68,4 +80,39 @@ public abstract class RestrictedObject {
|
||||
this.currentUser = currentUser;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate that the current user is within a valid access time window
|
||||
* and not disabled. If the user account is disabled or not within a
|
||||
* valid access window, a GuacamoleUnauthorizedException will be thrown.
|
||||
*
|
||||
* This method can be called by RestrictedObject implementations before
|
||||
* any operation that's specific to the current logged in user, to make
|
||||
* sure that their access is still valid and enabled.
|
||||
*
|
||||
* If accessWindowCheckEnabled is set to false, the check will be skipped,
|
||||
* and GuacamoleUnauthorizedException will never be thrown.
|
||||
*
|
||||
* @throws GuacamoleException
|
||||
* If the user is outside of a valid access window, the user is
|
||||
* disabled, or an error occurs while trying to determine access time
|
||||
* restriction configuration.
|
||||
*/
|
||||
protected void validateUserAccess() throws GuacamoleException {
|
||||
|
||||
// If access windows shouldn't be checked for active sessions, skip
|
||||
// this check entirely
|
||||
if (!environment.enforceAccessWindowsForActiveSessions())
|
||||
return;
|
||||
|
||||
// If the user is outside of a valid access time window or disabled,
|
||||
// throw an exception to immediately log them out
|
||||
ModeledUser modeledUser = getCurrentUser().getUser();
|
||||
if (
|
||||
!modeledUser.isAccountAccessible()
|
||||
|| !modeledUser.isAccountValid()
|
||||
|| modeledUser.isDisabled()
|
||||
)
|
||||
throw new GuacamoleUnauthorizedException("Permission Denied.");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -45,12 +45,14 @@ public class ConnectionDirectory extends RestrictedObject
|
||||
|
||||
@Override
|
||||
public Connection get(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return connectionService.retrieveObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public Collection<Connection> getAll(Collection<String> identifiers) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
Collection<ModeledConnection> objects = connectionService.retrieveObjects(getCurrentUser(), identifiers);
|
||||
return Collections.<Connection>unmodifiableCollection(objects);
|
||||
}
|
||||
@@ -58,18 +60,21 @@ public class ConnectionDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public Set<String> getIdentifiers() throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return connectionService.getIdentifiers(getCurrentUser());
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void add(Connection object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
connectionService.createObject(getCurrentUser(), object);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void update(Connection object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
ModeledConnection connection = (ModeledConnection) object;
|
||||
connectionService.updateObject(getCurrentUser(), connection);
|
||||
}
|
||||
@@ -77,6 +82,7 @@ public class ConnectionDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public void remove(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
connectionService.deleteObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
|
||||
@@ -45,12 +45,14 @@ public class ConnectionGroupDirectory extends RestrictedObject
|
||||
|
||||
@Override
|
||||
public ConnectionGroup get(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return connectionGroupService.retrieveObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public Collection<ConnectionGroup> getAll(Collection<String> identifiers) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
Collection<ModeledConnectionGroup> objects = connectionGroupService.retrieveObjects(getCurrentUser(), identifiers);
|
||||
return Collections.<ConnectionGroup>unmodifiableCollection(objects);
|
||||
}
|
||||
@@ -58,18 +60,21 @@ public class ConnectionGroupDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public Set<String> getIdentifiers() throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return connectionGroupService.getIdentifiers(getCurrentUser());
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void add(ConnectionGroup object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
connectionGroupService.createObject(getCurrentUser(), object);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void update(ConnectionGroup object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
ModeledConnectionGroup connectionGroup = (ModeledConnectionGroup) object;
|
||||
connectionGroupService.updateObject(getCurrentUser(), connectionGroup);
|
||||
}
|
||||
@@ -77,6 +82,7 @@ public class ConnectionGroupDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public void remove(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
connectionGroupService.deleteObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
|
||||
@@ -44,12 +44,14 @@ public class SharingProfileDirectory extends RestrictedObject
|
||||
|
||||
@Override
|
||||
public SharingProfile get(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return sharingProfileService.retrieveObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public Collection<SharingProfile> getAll(Collection<String> identifiers) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return Collections.<SharingProfile>unmodifiableCollection(
|
||||
sharingProfileService.retrieveObjects(getCurrentUser(), identifiers)
|
||||
);
|
||||
@@ -58,18 +60,21 @@ public class SharingProfileDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public Set<String> getIdentifiers() throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return sharingProfileService.getIdentifiers(getCurrentUser());
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void add(SharingProfile object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
sharingProfileService.createObject(getCurrentUser(), object);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void update(SharingProfile object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
ModeledSharingProfile sharingProfile = (ModeledSharingProfile) object;
|
||||
sharingProfileService.updateObject(getCurrentUser(), sharingProfile);
|
||||
}
|
||||
@@ -77,6 +82,7 @@ public class SharingProfileDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public void remove(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
sharingProfileService.deleteObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
|
||||
@@ -46,6 +46,7 @@ import org.apache.guacamole.GuacamoleResourceNotFoundException;
|
||||
import org.apache.guacamole.GuacamoleSecurityException;
|
||||
import org.apache.guacamole.GuacamoleServerException;
|
||||
import org.apache.guacamole.GuacamoleUpstreamException;
|
||||
import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
|
||||
import org.apache.guacamole.auth.jdbc.connection.ConnectionMapper;
|
||||
import org.apache.guacamole.net.GuacamoleSocket;
|
||||
import org.apache.guacamole.net.GuacamoleTunnel;
|
||||
@@ -63,6 +64,7 @@ import org.apache.guacamole.auth.jdbc.sharingprofile.ModeledSharingProfile;
|
||||
import org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterMapper;
|
||||
import org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterModel;
|
||||
import org.apache.guacamole.auth.jdbc.user.RemoteAuthenticatedUser;
|
||||
import org.apache.guacamole.auth.jdbc.user.UserService;
|
||||
import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
|
||||
import org.apache.guacamole.protocol.FailoverGuacamoleSocket;
|
||||
import org.slf4j.Logger;
|
||||
@@ -117,6 +119,24 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
@Inject
|
||||
private SharedConnectionMap connectionMap;
|
||||
|
||||
/**
|
||||
* Service for fetching users.
|
||||
*/
|
||||
@Inject
|
||||
private UserService userService;
|
||||
|
||||
/**
|
||||
* The environment of the Guacamole server.
|
||||
*/
|
||||
@Inject
|
||||
private JDBCEnvironment environment;
|
||||
|
||||
/**
|
||||
* Provider for creating AccessEnforcingDelegatingTunnel instances.
|
||||
*/
|
||||
@Inject
|
||||
private AccessEnforcingDelegatingTunnelFactory accessEnforcingTunnelFactory;
|
||||
|
||||
/**
|
||||
* All active connections through the tunnel having a given UUID.
|
||||
*/
|
||||
@@ -385,13 +405,21 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
* connection, which MUST already be acquired via acquire(). The given
|
||||
* client information will be passed to guacd when the connection is
|
||||
* established.
|
||||
*
|
||||
*
|
||||
* The connection will be automatically released when it closes, or if it
|
||||
* fails to establish entirely.
|
||||
*
|
||||
* If user access window restrictions are enabled for active sessions,
|
||||
* they will be automatically enforced for any valid database users as the
|
||||
* tunnel is used.
|
||||
*
|
||||
* @param activeConnection
|
||||
* The active connection record of the connection in use.
|
||||
*
|
||||
* @param user
|
||||
* The user record in the database for the user connecting to the
|
||||
* connection, if any.
|
||||
*
|
||||
* @param info
|
||||
* Information describing the Guacamole client connecting to the given
|
||||
* connection.
|
||||
@@ -412,8 +440,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
* If an error occurs while the connection is being established, or
|
||||
* while connection configuration information is being retrieved.
|
||||
*/
|
||||
private GuacamoleTunnel assignGuacamoleTunnel(ActiveConnectionRecord activeConnection,
|
||||
GuacamoleClientInformation info, Map<String, String> tokens,
|
||||
private GuacamoleTunnel assignGuacamoleTunnel(
|
||||
ActiveConnectionRecord activeConnection,
|
||||
ModeledAuthenticatedUser user, GuacamoleClientInformation info,
|
||||
Map<String, String> tokens,
|
||||
boolean interceptErrors) throws GuacamoleException {
|
||||
|
||||
// Record new active connection
|
||||
@@ -476,12 +506,21 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
getUnconfiguredGuacamoleSocket(connection.getGuacamoleProxyConfiguration(),
|
||||
cleanupTask), config, info);
|
||||
|
||||
// Assign and return new tunnel
|
||||
// Assign new tunnel
|
||||
GuacamoleTunnel tunnel;
|
||||
if (interceptErrors)
|
||||
return activeConnection.assignGuacamoleTunnel(new FailoverGuacamoleSocket(socket), socket.getConnectionID());
|
||||
tunnel = activeConnection.assignGuacamoleTunnel(new FailoverGuacamoleSocket(socket), socket.getConnectionID());
|
||||
else
|
||||
return activeConnection.assignGuacamoleTunnel(socket, socket.getConnectionID());
|
||||
|
||||
tunnel = activeConnection.assignGuacamoleTunnel(socket, socket.getConnectionID());
|
||||
|
||||
// If there is an associated database user, and access window
|
||||
// restrictions are enabled for active sessions, wrap the tunnel
|
||||
// in order to check user login validity on every instruction read
|
||||
if (user != null && environment.enforceAccessWindowsForActiveSessions()) {
|
||||
tunnel = accessEnforcingTunnelFactory.create(tunnel, user);
|
||||
}
|
||||
|
||||
return tunnel;
|
||||
}
|
||||
|
||||
// Execute cleanup if socket could not be created
|
||||
@@ -631,8 +670,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
acquire(user, Collections.singletonList(connection), true);
|
||||
|
||||
// Connect only if the connection was successfully acquired
|
||||
ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(connectionMap, user, connection);
|
||||
return assignGuacamoleTunnel(connectionRecord, info, tokens, false);
|
||||
ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(
|
||||
connectionMap, user, connection);
|
||||
return assignGuacamoleTunnel(
|
||||
connectionRecord, user, info, tokens, false);
|
||||
|
||||
}
|
||||
|
||||
@@ -677,9 +718,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
try {
|
||||
|
||||
// Connect to acquired child
|
||||
ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(connectionMap, user, connectionGroup, connection);
|
||||
GuacamoleTunnel tunnel = assignGuacamoleTunnel(connectionRecord,
|
||||
info, tokens, connections.size() > 1);
|
||||
ActiveConnectionRecord connectionRecord = new ActiveConnectionRecord(
|
||||
connectionMap, user, connectionGroup, connection);
|
||||
GuacamoleTunnel tunnel = assignGuacamoleTunnel(
|
||||
connectionRecord, user, info, tokens, connections.size() > 1);
|
||||
|
||||
// If session affinity is enabled, prefer this connection going forward
|
||||
if (connectionGroup.isSessionAffinityEnabled())
|
||||
@@ -736,7 +778,10 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
|
||||
user, definition.getActiveConnection(), definition.getSharingProfile());
|
||||
|
||||
// Connect to shared connection described by the created record
|
||||
GuacamoleTunnel tunnel = assignGuacamoleTunnel(connectionRecord, info, tokens, false);
|
||||
GuacamoleTunnel tunnel = assignGuacamoleTunnel(
|
||||
connectionRecord, userService.retrieveAuthenticatedUser(
|
||||
user.getAuthenticationProvider(), user.getCredentials()),
|
||||
info, tokens, false);
|
||||
|
||||
// Register tunnel, such that it is closed when the
|
||||
// SharedConnectionDefinition is invalidated
|
||||
|
||||
@@ -0,0 +1,196 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.apache.guacamole.auth.jdbc.tunnel;
|
||||
|
||||
import java.util.concurrent.atomic.AtomicReference;
|
||||
|
||||
import javax.annotation.Nonnull;
|
||||
|
||||
import org.apache.guacamole.GuacamoleException;
|
||||
import org.apache.guacamole.GuacamoleUnauthorizedException;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
|
||||
import org.apache.guacamole.auth.jdbc.user.UserService;
|
||||
import org.apache.guacamole.io.GuacamoleReader;
|
||||
import org.apache.guacamole.net.DelegatingGuacamoleTunnel;
|
||||
import org.apache.guacamole.net.GuacamoleTunnel;
|
||||
import org.apache.guacamole.protocol.FilteredGuacamoleReader;
|
||||
import org.apache.guacamole.protocol.GuacamoleFilter;
|
||||
import org.apache.guacamole.protocol.GuacamoleInstruction;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.assistedinject.Assisted;
|
||||
import com.google.inject.assistedinject.AssistedInject;
|
||||
|
||||
/**
|
||||
* A tunnel implementation that enforces access window restriction for the
|
||||
* provided ModeledUser, throwing a GuacamoleUnauthorizedException if the
|
||||
* user's configured access window has closed, or if the user has become
|
||||
* disabled. All other tunnel implementation is delegated to the underlying
|
||||
* tunnel object.
|
||||
*/
|
||||
public class AccessEnforcingDelegatingTunnel extends DelegatingGuacamoleTunnel {
|
||||
|
||||
/**
|
||||
* Logger for this class.
|
||||
*/
|
||||
private static final Logger logger = LoggerFactory.getLogger(
|
||||
AccessEnforcingDelegatingTunnel.class);
|
||||
|
||||
/**
|
||||
* The number of milliseconds between subsequent refreshes of the user
|
||||
* from the DB.
|
||||
*/
|
||||
private static final long USER_MODEL_REFRESH_INTERVAL = 10000;
|
||||
|
||||
/**
|
||||
* The user who's access window restrictions should be applied for the
|
||||
* wrapped tunnel.
|
||||
*/
|
||||
private final AtomicReference<ModeledUser> user;
|
||||
|
||||
/**
|
||||
* A thread that will continously refresh the user
|
||||
*/
|
||||
private final Thread userRefreshThread;
|
||||
|
||||
/**
|
||||
* A service to use for refreshing the user from the DB.
|
||||
*/
|
||||
@Inject
|
||||
private UserService userService;
|
||||
|
||||
/**
|
||||
* Create a new tunnel that will enforce the access window restrictions of
|
||||
* the provided user, during usage of the provided tunnel.
|
||||
*
|
||||
* @param tunnel
|
||||
* The tunnel to delegate to.
|
||||
*
|
||||
* @param modeledAuthenticatedUser
|
||||
* The user whose access restrictions should be applied.
|
||||
*
|
||||
*/
|
||||
@AssistedInject
|
||||
public AccessEnforcingDelegatingTunnel(
|
||||
@Nonnull @Assisted GuacamoleTunnel tunnel,
|
||||
@Nonnull @Assisted ModeledAuthenticatedUser modeledAuthenticatedUser) {
|
||||
|
||||
super(tunnel);
|
||||
this.user = new AtomicReference<>(modeledAuthenticatedUser.getUser());
|
||||
|
||||
this.userRefreshThread = new Thread(() -> {
|
||||
while (true) {
|
||||
|
||||
try {
|
||||
|
||||
// Fetch an up-to-date user record from the DB to ensure
|
||||
// that any access restrictions modified while this tunnel
|
||||
// is open will be taken into account
|
||||
this.user.set(userService.retrieveUser(
|
||||
modeledAuthenticatedUser.getAuthenticationProvider(),
|
||||
modeledAuthenticatedUser));
|
||||
}
|
||||
|
||||
// If an error occurs while trying to fetch the updated user,
|
||||
// log the warning / exception and stop the refresh thread
|
||||
catch (GuacamoleException e) {
|
||||
|
||||
logger.warn(
|
||||
"Aborting user refresh thread due to error: {}",
|
||||
e.getMessage());
|
||||
logger.debug(
|
||||
"Exception caught while attempting to refresh user.", e);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
|
||||
// Wait a bit before refreshing the user record again
|
||||
Thread.sleep(USER_MODEL_REFRESH_INTERVAL);
|
||||
}
|
||||
|
||||
// If interrupted by the tunnel, exit immediately
|
||||
catch (InterruptedException e) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Override
|
||||
public GuacamoleReader acquireReader() {
|
||||
|
||||
// Start periodically refreshing the user record
|
||||
userRefreshThread.start();
|
||||
|
||||
// Filter received instructions, checking if the user's login
|
||||
// is still valid for each one. If the login is invalid,
|
||||
// log them out immediately and close the tunnel.
|
||||
return new FilteredGuacamoleReader(
|
||||
super.acquireReader(),
|
||||
new GuacamoleFilter() {
|
||||
|
||||
@Override
|
||||
public GuacamoleInstruction filter(
|
||||
GuacamoleInstruction instruction) throws GuacamoleException {
|
||||
|
||||
// The user record, at most USER_MODEL_REFRESH_INTERVAL
|
||||
// milliseconds old
|
||||
ModeledUser modeledUser = user.get();
|
||||
|
||||
// If the user is outside of a valid access time window,
|
||||
// or disabled, throw an exception to immediately log them out
|
||||
if (
|
||||
!modeledUser.isAccountAccessible()
|
||||
|| !modeledUser.isAccountValid()
|
||||
|| modeledUser.isDisabled()
|
||||
) {
|
||||
throw new GuacamoleUnauthorizedException("Permission Denied.");
|
||||
}
|
||||
|
||||
return instruction;
|
||||
}
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void releaseReader() {
|
||||
|
||||
// Interrupt the refresh thread; it will clean itself up
|
||||
userRefreshThread.interrupt();
|
||||
|
||||
super.releaseReader();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void close() throws GuacamoleException {
|
||||
|
||||
// Interrupt the refresh thread; it will clean itself up
|
||||
userRefreshThread.interrupt();
|
||||
|
||||
super.close();
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,54 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.apache.guacamole.auth.jdbc.tunnel;
|
||||
|
||||
import javax.annotation.Nonnull;
|
||||
|
||||
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
|
||||
import org.apache.guacamole.net.GuacamoleTunnel;
|
||||
|
||||
/**
|
||||
* A factory for creating AccessEnforcingDelegatingTunnel instances.
|
||||
*/
|
||||
public interface AccessEnforcingDelegatingTunnelFactory {
|
||||
|
||||
/**
|
||||
* Create and return a new AccessEnforcingDelegatingTunnel wrapping the
|
||||
* provided tunnel and enforcing the user restrictions associated with the
|
||||
* provided user.
|
||||
*
|
||||
* @param tunnel
|
||||
* The tunnel to delegate to.
|
||||
*
|
||||
* @param user
|
||||
* The user whose access window restrictions should be applied for the
|
||||
* wrapped tunel.
|
||||
*
|
||||
* @return
|
||||
* A new AccessEnforcingDelegatingTunnel wrapping the provided tunnel
|
||||
* and enforcing the user restrictions associated with the provided
|
||||
* user.
|
||||
*
|
||||
*/
|
||||
public AccessEnforcingDelegatingTunnel create(
|
||||
@Nonnull GuacamoleTunnel tunnel,
|
||||
@Nonnull ModeledAuthenticatedUser user);
|
||||
|
||||
}
|
||||
@@ -21,6 +21,9 @@ package org.apache.guacamole.auth.jdbc.tunnel;
|
||||
|
||||
import java.util.Date;
|
||||
import java.util.UUID;
|
||||
|
||||
import javax.annotation.Nonnull;
|
||||
|
||||
import org.apache.guacamole.auth.jdbc.connection.ConnectionRecordModel;
|
||||
import org.apache.guacamole.auth.jdbc.connection.ModeledConnection;
|
||||
import org.apache.guacamole.auth.jdbc.connection.ModeledConnectionRecord;
|
||||
@@ -377,6 +380,8 @@ public class ActiveConnectionRecord extends ModeledConnectionRecord {
|
||||
* @return
|
||||
* The newly-created tunnel associated with this connection record.
|
||||
*/
|
||||
@Nonnull
|
||||
@SuppressWarnings("null")
|
||||
public GuacamoleTunnel assignGuacamoleTunnel(final GuacamoleSocket socket,
|
||||
String connectionID) {
|
||||
|
||||
@@ -400,6 +405,8 @@ public class ActiveConnectionRecord extends ModeledConnectionRecord {
|
||||
this.connectionID = connectionID;
|
||||
|
||||
// Return newly-created tunnel
|
||||
// NOTE: Guaranteed to be non-null since it was just set in this
|
||||
// method, and there is no functionality to set it to null
|
||||
return this.tunnel;
|
||||
|
||||
}
|
||||
|
||||
@@ -45,12 +45,14 @@ public class UserDirectory extends RestrictedObject
|
||||
|
||||
@Override
|
||||
public User get(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return userService.retrieveObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public Collection<User> getAll(Collection<String> identifiers) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
Collection<ModeledUser> objects = userService.retrieveObjects(getCurrentUser(), identifiers);
|
||||
return Collections.<User>unmodifiableCollection(objects);
|
||||
}
|
||||
@@ -58,18 +60,21 @@ public class UserDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public Set<String> getIdentifiers() throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return userService.getIdentifiers(getCurrentUser());
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void add(User object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
userService.createObject(getCurrentUser(), object);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void update(User object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
ModeledUser user = (ModeledUser) object;
|
||||
userService.updateObject(getCurrentUser(), user);
|
||||
}
|
||||
@@ -77,6 +82,7 @@ public class UserDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public void remove(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
userService.deleteObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
|
||||
@@ -44,12 +44,14 @@ public class UserGroupDirectory extends RestrictedObject
|
||||
|
||||
@Override
|
||||
public UserGroup get(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return userGroupService.retrieveObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public Collection<UserGroup> getAll(Collection<String> identifiers) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
Collection<ModeledUserGroup> objects = userGroupService.retrieveObjects(getCurrentUser(), identifiers);
|
||||
return Collections.<UserGroup>unmodifiableCollection(objects);
|
||||
}
|
||||
@@ -57,18 +59,21 @@ public class UserGroupDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public Set<String> getIdentifiers() throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
return userGroupService.getIdentifiers(getCurrentUser());
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void add(UserGroup object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
userGroupService.createObject(getCurrentUser(), object);
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional
|
||||
public void update(UserGroup object) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
ModeledUserGroup group = (ModeledUserGroup) object;
|
||||
userGroupService.updateObject(getCurrentUser(), group);
|
||||
}
|
||||
@@ -76,6 +81,7 @@ public class UserGroupDirectory extends RestrictedObject
|
||||
@Override
|
||||
@Transactional
|
||||
public void remove(String identifier) throws GuacamoleException {
|
||||
validateUserAccess();
|
||||
userGroupService.deleteObject(getCurrentUser(), identifier);
|
||||
}
|
||||
|
||||
|
||||
@@ -412,4 +412,13 @@ public class MySQLEnvironment extends JDBCEnvironment {
|
||||
true);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException {
|
||||
|
||||
// Enforce access window restrictions for active sessions unless explicitly disabled
|
||||
return getProperty(
|
||||
MySQLGuacamoleProperties.MYSQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS,
|
||||
true);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -278,4 +278,17 @@ public class MySQLGuacamoleProperties {
|
||||
|
||||
};
|
||||
|
||||
/**
|
||||
* Whether or not user-specific access time windows should be enforced for active sessions,
|
||||
* i.e. whether users with active sessions should be logged out immediately when an access
|
||||
* window closes or the user is disabled.
|
||||
*/
|
||||
public static final BooleanGuacamoleProperty MYSQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS =
|
||||
new BooleanGuacamoleProperty() {
|
||||
|
||||
@Override
|
||||
public String getName() { return "mysql-enforce-access-windows-for-active-sessions"; }
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
@@ -371,4 +371,13 @@ public class PostgreSQLEnvironment extends JDBCEnvironment {
|
||||
true);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException {
|
||||
|
||||
// Enforce access window restrictions for active sessions unless explicitly disabled
|
||||
return getProperty(
|
||||
PostgreSQLGuacamoleProperties.POSTGRESQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS,
|
||||
true);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -290,4 +290,17 @@ public class PostgreSQLGuacamoleProperties {
|
||||
|
||||
};
|
||||
|
||||
/**
|
||||
* Whether or not user-specific access time windows should be enforced for active sessions,
|
||||
* i.e. whether users with active sessions should be logged out immediately when an access
|
||||
* window closes or the user is disabled.
|
||||
*/
|
||||
public static final BooleanGuacamoleProperty POSTGRESQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS =
|
||||
new BooleanGuacamoleProperty() {
|
||||
|
||||
@Override
|
||||
public String getName() { return "postgresql-enforce-access-windows-for-active-sessions"; }
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
@@ -268,4 +268,13 @@ public class SQLServerEnvironment extends JDBCEnvironment {
|
||||
true);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean enforceAccessWindowsForActiveSessions() throws GuacamoleException {
|
||||
|
||||
// Enforce access window restrictions for active sessions unless explicitly disabled
|
||||
return getProperty(
|
||||
SQLServerGuacamoleProperties.SQLSERVER_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS,
|
||||
true);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -220,4 +220,17 @@ public class SQLServerGuacamoleProperties {
|
||||
|
||||
};
|
||||
|
||||
/**
|
||||
* Whether or not user-specific access time windows should be enforced for active sessions,
|
||||
* i.e. whether users with active sessions should be logged out immediately when an access
|
||||
* window closes or the user is disabled.
|
||||
*/
|
||||
public static final BooleanGuacamoleProperty SQLSERVER_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS =
|
||||
new BooleanGuacamoleProperty() {
|
||||
|
||||
@Override
|
||||
public String getName() { return "sqlserver-enforce-access-windows-for-active-sessions"; }
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user